Network Security. HIT Shimrit Tzur-David

Network Security

HIT

Shimrit Tzur-David

Network Security

Goals:

• Understand principles of network security:

– cryptography and its many uses beyond

“confidentiality”

– authentication

– message integrity – key distribution

• Security in practice:

– firewalls

– security in application, transport, network, link layers

What is Network Security?

Confidentiality: only sender, intended receiver should

“understand” message contents – sender encrypts message

– receiver decrypts message

Authentication: sender, receiver want to confirm identity of each other

Message Integrity: sender, receiver want to ensure

message not altered (in transit, or afterwards) without detection

Friends and Enemies: Alice, Bob, Trudy

• Well-known in network security world

• Bob, Alice (lovers!) want to communicate “securely”

• Trudy (intruder) may intercept, delete, add messages

secure

sender secure

receiver channel data, control

messages

data data

Alice Bob

Trudy

Who might Bob, Alice be?

• Web browser/server for electronic transactions (e.g., on-line purchases)

• On-line banking client/server

• DNS servers

• Routers exchanging routing table updates

• …

There are Bad Guys Out There!

Q: What can a “bad guy” do?

A: a lot!

– eavesdrop: intercept messages

– actively insert messages into connection

– impersonation: can fake (spoof) source address in packet (or any field in packet)

– hijacking: “take over” ongoing connection by

removing sender or receiver, inserting himself in place

– denial of service: prevent service from being used by others (e.g., by overloading resources)

Notations

• cryptography - the principles and methods of

transforming an intelligible message into one that is unintelligible, and then retransforming that message back to its original form.

• plaintext - the original intelligible message

• ciphertext - the transformed message

• cipher - an algorithm for transforming an intelligible message into one that is unintelligible by

transposition and/or substitution methods

• key - some critical information used by the cipher,

Notations – Cont.

• encipher (encode) - the process of converting plaintext to ciphertext using a cipher and a key

• decipher (decode) - the process of converting

ciphertext back into plaintext using a cipher and a key

• cryptanalysis - the study of principles and methods of transforming an unintelligible message back into an intelligible message without knowledge of the key.

Also called code-breaking

• cryptology - both cryptography and cryptanalysis

• code - an algorithm for transforming an intelligible message into an unintelligible one using a code-book

Notations – Cont.

• C = E

(P) - the encryption of the plaintext P using key K gives the ciphertext C.

• P = D

(C) - the decryption of C to get the plaintext

• D

(E

(P)) = P

• E and D are mathematical functions of two

parameters: the key and the message.

The Language of Cryptography

symmetric key crypto: sender, receiver keys identical public-key crypto: encryption key public, decryption

key secret (private)

plaintext ciphertext plaintext

K_A

encryption

algorithm decryption

algorithm Alice’s

encryption key

Bob’s

decryption

K_B key

Symmetric Key Cryptography

symmetric key crypto: Bob and Alice share know same (symmetric) key: K

• e.g., key is knowing substitution pattern in mono alphabetic substitution cipher

plaintext ciphertext

K_A-B

encryption

algorithm decryption

algorithm

A-B

K_A-B

plaintext message, m

K (m)_A-B m = K _A-B(K (m)_A-B )

Symmetric Key Cryptography

substitution cipher: substituting one thing for another

– monoalphabetic cipher: substitute one letter for another plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewq

Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc E.g.:

Q: How hard to break this simple cipher?:

‰ brute force (how hard?)

‰ other?

Monoalphabetic Substitution

• There are 26! possible keys is in use.

• A computer would take ~10¹⁰ years to try all the keys.

• Nevertheless, given a surprisingly small amount of ciphertext, the cipher can be broken easily.

• The basic attack takes advantage of the statistical

properties of natural languages. In English, e is the most common letter, followed by t, o, a, n, i, etc. The most

common two-letter combinations are th, in, er, re, and an.

The most common three-letter combinations are the, ing, and, and ion.

Transposition Ciphers

• Substitution ciphers preserve the order of the plaintext symbols.

• Transposition ciphers, in contrast, reorder the letters but do not disguise them.

• The columnar transposition:

The Columnar Transposition

• The cipher is keyed by a word or phrase not containing any repeated letters.

• In the example, MEGABUCK is the key.

• The purpose of the key is to number the columns,

column 1 being under the key letter closest to the start of the alphabet, and so on.

• The plaintext is written horizontally, in rows, padded to fill the matrix if need be.

• The ciphertext is read out by columns, starting with the column whose key letter is the lowest.

Breaking Transposition Cipher

• Step 1: The cryptanalyst must be aware that he is dealing with a transposition cipher.

– By looking at the frequency of E, T, A, O, I, N, etc., it is easy to see if they fit the normal pattern for plaintext.

• Step 2: Make a guess at the number of columns

– the plaintext phrase milliondollars occurs somewhere in the message

• Step 3: Order the columns

– By frequency

One-Time Pads

• Unbreakable cipher

– Choose a random bit string as the key.

– Convert the plaintext into a bit string

– Compute the XOR of these two strings, bit by bit.

• The resulting ciphertext cannot be broken.

• The reason derives from information theory: there is simply no information in the message because all

possible plaintexts of the given length are equally likely.

Public Key Cryptography

symmetric key crypto

• requires sender,

receiver know shared secret key

• Q: how to agree on key in first place

(particularly if never

“met”)?

public key cryptography

• radically different approach [Diffie-

Hellman76, RSA78]

• sender, receiver do not share secret key

• public encryption key known to all

• private decryption key known only to receiver

Public Key Cryptography

plaintext

message, m encryption ciphertext

algorithm decryption

algorithm

Bob’s public key

plaintext message K (m)_B⁺

K _B⁺

Bob’s private K _B^- key

m = K _B^-(^{K (m)}_B⁺ )

Public Key Encryption Algorithms

need K and K such that

given public key K , it should be impossible to compute private key K

Requirements:

1

2

RSA: Rivest, Shamir, Adelson algorithm

B+

B-

K (K (m)) = m

B B

- +

B+ -

B-

RSA: Choosing keys

1. Choose two large prime numbers p, q.

(e.g., 1024 bits each)

2. Compute n = pq, z = (p-1)(q-1)

3. Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”).

4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ).

5. Public key is (n,e). Private key is (n,d).

-

RSA: Encryption, Decryption

0. Given (n,e) and (n,d) as computed above 1. To encrypt bit pattern, m, compute

c = m e mod n (i.e., remainder when me is divided by n) 2. To decrypt received bit pattern, c, compute

m = c d mod n (i.e., remainder when cd is divided by n)

m = (m e mod n)d _mod n Magic

happens!

c

RSA Example:

Bob chooses p=5, q=7. Then n=35, z=24. e=5 (so e, z relatively prime).

d=29 (so ed-1 exactly divisible by z).

letter m me c = m mod ne

l 12 248832 17

c m = c mod nd

17 481968572106750915091411825223071697 12

cd letter

l encrypt:

decrypt:

RSA: Why is that

(m e mod n) d_mod n = m edmod n

Useful number theory result: If p,q prime and n = pq, then: x ymod n = x y mod (p-1)(q-1) mod n

= m ed mod (p-1)(q-1) mod n

= m 1 mod n

= m

(using number theory result above)

(since we chose ed to be divisible by (p-1)(q-1) with remainder 1 )

RSA: Another Important Property

The following property will be very useful later:

K _B^-

(

)

(

)

use public key first, followed

by private key

use private key first, followed

by public key Result is the same!

Authentication

Goal: Bob wants Alice to “prove” her identity to him

Protocol ap1.0: Alice says “I am Alice”

Failure scenario??

“I am Alice”

Authentication

Goal: Bob wants Alice to “prove” her identity to him

Protocol ap1.0: Alice says “I am Alice”

in a network, Bob can not “see”

Alice, so Trudy simply declares

herself to be Alice

“I am Alice”

Authentication: Another Try

Protocol ap2.0: Alice says “I am Alice” in an IP packet containing her source IP address

Failure scenario??

“I am Alice”

Alice’s IP address

Authentication: another try

Protocol ap2.0: Alice says “I am Alice” in an IP packet containing her source IP address

Trudy can create a packet

“spoofing”

Alice’s address

“I am Alice”

Alice’s IP address

Authentication: another try

Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it.

Failure scenario??

“I’m Alice”

Alice’s

IP addr Alice’s password

Alice’s OK

IP addr

Authentication: another try

Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it.

playback attack: Trudy records Alice’s packet

and later

plays it back to Bob

“I’m Alice”

Alice’s

IP addr Alice’s password

Alice’s OK

IP addr

“I’m Alice”

Alice’s

IP addr Alice’s password

Authentication: yet another try

Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it.

Failure scenario??

“I’m Alice”

Alice’s

IP addr encrypted password

Alice’s OK

IP addr

Authentication: another try

Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it.

record playbackand still works!

“I’m Alice”

Alice’s

IP addr encrypted password

Alice’s OK

IP addr

“I’m Alice”

Alice’s

IP addr encrypted password

Authentication: Yet Another Try

Goal: avoid playback attack

Failures, drawbacks?

Nonce: number (R) used only once –in-a-lifetime

ap4.0: to prove Alice “live”, Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key

“I am Alice”

R

K (R)_A-B Alice is live, and only Alice knows key to encrypt nonce, so it must

be Alice!

Authentication: ap5.0

ap4.0 requires shared symmetric key

• Can we authenticate using public key techniques?

ap5.0: use nonce, public key cryptography

“I am Alice”

R Bob computes

K (R)_A^-

“send me your public key”

K _A⁺

(K (R)) = R_A^- K _A⁺

and knows only Alice could have the private

key, that encrypted R such that

(K (R)) = RA K A+ -

ap5.0: Security Hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)

I am Alice I am Alice

R

K (R)T-

Send me your public key

K T+ K (R)A-

Send me your public key

K A+

K (m)+T m = K (K (m))T +

T Trudy gets- sends m to Alice

encrypted with Alice’s public key K (m)+A

m = K (K (m))A + A

-

R

ap5.0: Security Hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)

Difficult to detect:

‰ Bob receives everything that Alice sends, and vice versa. (e.g., so Bob, Alice can meet one week later and recall conversation)

‰ problem is that Trudy receives all messages as well!

Message Integrity: Digital Signatures

Cryptographic technique analogous to hand- written signatures.

• Sender (Bob) digitally signs document,

establishing he is the document’s owner/creator.

• verifiable, non-forgeable: recipient (Alice) can prove to someone that Bob, and no one else

(including Alice), must have signed document

Digital Signatures

Simple digital signature for message m:

• Bob signs m by encrypting with his private key K_B^-, creating “signed” message, K_B^-(m)

Dear Alice

Oh, how I have missed you. I think of you all the time! …(blah blah blah),

Bob

Bob’s message, m

Public key encryption

algorithm

Bob’s private K _B^- key

Bob’s message, m, signed (encrypted)

with his private key

K _B^-(m)

40

Digital Signatures – Cont.

• Suppose Alice receives msg m, digital signature K_B(m)

• Alice verifies m signed by Bob by applying Bob’s public key K_B to K_B(m) then checks K_B(K_B(m) ) = m.

• If K_B(K_B(m) ) = m, whoever signed m must have used Bob’s private key.

+ +

-

-

- -

+

Alice thus verifies that:

9 Bob signed m.

9 No one else signed m.

9 Bob signed m and not m’.

Non-repudiation:

9 Alice can take m, and signature K_B^-(m) to court and

Message Digests

Computationally expensive to public-key-encrypt

long messages

Goal: fixed-length, easy- to-compute digital

“fingerprint”

• Apply hash function H to m, get fixed size message digest, H(m).

Hash function properties:

• many-to-1

• produces fixed-size msg digest (fingerprint)

• given message digest x, computationally

large message

m

H: Hash Function

H(m)

Internet Checksum: Poor Crypto Hash Function

Internet checksum has some properties of hash function:

¾ produces fixed length digest (16-bit sum) of message

¾ is many-to-one

But given message with given hash value, it is easy to find another message with same hash value:

I O U 1 0 0 . 9 9 B O B

49 4F 55 31 30 30 2E 39 39 42 D2 42 message ASCII format

B2 C1 D2 AC

I O U 9 0 0 . 1 9 B O B

49 4F 55 39 30 30 2E 31 39 42 D2 42 message ASCII format

B2 C1 D2 AC different messages

but identical checksums!

Bob sends digitally signed message:

Alice verifies signature and integrity of digitally signed message:

large message

m ^{functionH: Hash} H(m) digital signature (encrypt)

Bob’s private

key K _B^-

+ ^K_B^-(H(m))

encrypted msg digest

K_B-(H(m)) encrypted msg digest large

message m H: Hash function

H(m)

digital signature (decrypt)

H(m)

Bob’s public

key K _B⁺

Digital Signature = Signed Msg Digest