• No results found

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

N/A
N/A
Info
Download
Protected

Academic year: 2022

Share "Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23"

Copied!
23
0
0

Loading.... (view fulltext now)

Download now ( 23 Page )

Full text

(1)

Network Security

Computer Networking Lecture 08

HKU SPACE Community College

March 19, 2012

HKU SPACE CC CN Lecture 08 1/23

(2)

Outline

Introduction

Cryptography Algorithms Secret Key Algorithm Message Digest

Public Key Cryptography

Security Protocols

Authentication Algorithms Message Integrity Protocols

Remaining Issues

(3)

Introduction

Some expected network security services:

Secrecy(orconfidentiality): Prevent others from reading information shared between two participants.

Authentication: Verifying someone’s identity.

Message integrity: Assure that the message received has not be altered after it was generated.

Nonrepudiation: A sender should not be able to falsely deny later that he sent a message.

Most of the security services require cryptographic tools as building blocks.

Regarding the usage of cryptographic tools, there are two approaches:

Keep the cryptographic algorithm (method) secret. (The preferred one)

The cryptographic algorithm is not a secret, but the key is.

HKU SPACE CC CN Lecture 08 3/23

(4)

Introduction (Cont’d)

The scope of the security issues (from networking point of view):

Concern mainly the communication between two parties.

Concern attacks against protocols, not those against

cryptographic algorithms or cryptographic techniques used to implement the algorithms.

Types of attacks against protocols:

Passive attacks (eavesdropping), e.g., ciphertext-only attacks Active attacks, e.g., pretend to be someone else, introduce new messages in the protocol, delete existing messages, substituting one message for another, replay old messages, etc.

(5)

Cryptography Algorithms

One kind of cryptography algorithms is to process original data into some unintelligible form. The process is called encryption and the recovery of the original data is calleddecryption.

The idea of encryption

plaintextencryption

−→ ciphertextdecryption

−→ plaintext Another kind of cryptography algorithms is to produce a unique piece data (signature) based on some given data.

HKU SPACE CC CN Lecture 08 5/23

(6)

Cryptography Algorithms (Cont’d)

Requirements of the algorithms are:

to keep the key secret is enough to ensure the privacy of the data;

to be able to prevent the attacker from deducing the key, either by

making the algorithm complicated (DES) making the algorithm be “one-way” (MD5)

Common cryptography algorithms are:

Secret key algorithms:

Data Encryption Standard (DES)

International Data Encryption Algorithm (IDEA) Public key algorithm: RSA

Message digest: MD5 (also call cryptographic checksum)

(7)

Secret Key (Symmetric) Cryptography

Given:

Alice and Bob agree on a cryptosystem.

Alice and Bob agree on a key (secret).

Encryption and decryption using the key.

M −→ EK(M) −→ DK(EK(M)) −→ M Problems:

Keys must be distributed in secret.

Compromising of keys means compromising all aspects of security.

Number of keys is not scalable to the user population size.

HKU SPACE CC CN Lecture 08 7/23

(8)

Secret Key (Symmetric) Cryptography (Cont’d)

Example: an 64-bit DES (Data Encryption Standard) Alice and Bob use the same algorithm and the same key to encrypt and decrypt.

The only approach to attack is to search the entire key space.

When more than 64 bits are required, use a cipher block chaining (CBC).

The ciphertext for block i is XORed with the plaintext for block i+1 before running it through DES.

An initialization vector (IV) is used in lieu of the nonexisting block 0. This number is randomly generated by a sender and it is sent along with the encrypted message.

Triple-DES, i.e., encrypt the data three times.

(9)

Secret Key (Symmetric) Cryptography (Cont’d)

Figure: Outline of DES.

HKU SPACE CC CN Lecture 08 9/23

(10)

Secret Key (Symmetric) Cryptography (Cont’d)

Figure: CBC for large messages.

(11)

Message Digest (Cryptographic Checksum)

Message digest is a technique which can be used to verify whether a message has been malicious changed during the transmission (integrity).

Message digest usesone-way hash functions as its fundamental building block.

One-way functions are relatively easy to compute (given x , compute f (x )), but significantly harder to reverse (given f (x ), compute x )

For example, given integers x and y , it is easy to compute the product of x and y but hard to factorize a large integer.

Given a cryptographic checksum for a message, it is not computationally feasible to find two messages that hash to the same cryptographic checksum.

Example: MD5

HKU SPACE CC CN Lecture 08 11/23

(12)

Message Digest (Cryptographic Checksum) (Cont’d)

(13)

Public Key (Asymmetric) Cryptography

In this method, two keys are used: a private key and a public key.

It is computationally hard to deduce the private key from the public key.

In the secrecy service, the encryption is done by using the public key and the decryption is done by using the private key.

M −→ Epub(M) −→ Dpri(Epub(M)) −→ M Mathematically, the process bases on one-way functions.

The public-key algorithm is slow. Symmetric algorithms are at least 1000 times faster.

HKU SPACE CC CN Lecture 08 13/23

(14)

Public Key Cryptography - RSA

RSA stands for Rivest, Shamir and Adleman. They are the inventors of the algorithm.

The algorithm’s outline goes as follows:

Choose two large prime numberspandq.

Multiplyp andq together to getn.

Choose the encryption keye, such thate and(p −1)×(q −1) are relatively prime.

Compute decryption keyd such that d = e−1 mod ((p −1)×(q −1)).

Construct private key as(e, n).

Construct public key as(d , n).

Discard (do not disclose) original primespandq.

To encrypt: c = me mod n.

To decrypt: m = cd mod n.

(15)

Security Protocols

Using the cryptography algorithms, we can design protocols to provide different security services.

For the secrecy service, the secret key and the public key algorithms can be used.

For the authentication service, we introduce here three protocols: two based on secret key algorithms and the other on public key algorithms.

For the integrity, we also introduce three protocols.

Besides the permanent keys, in a protocol, sometimes, the two participants may also establish session keys for ensuring the privacy between their communication.

HKU SPACE CC CN Lecture 08 15/23

(16)

Authentication Algorithm (1)

Assumption: both client and server already share a secret key.

Approach:

Each side generate a random number encrypted with the secret key.

See whether the other side can decrypt it.

Successful if CHK = SHK (client and server handshaking keys) SK: Session key

(17)

Authentication Algorithm (1)

Figure: Three-way handshake.

HKU SPACE CC CN Lecture 08 17/23

(18)

Authentication Algorithm (2)

This approach is based on a trusted third party (authentication server).

Assumptions: A shares a secret key with S, and so is B with S.

Notations in the messages:

A, B: The participants’ identities T: Timestamp

L: Lifetime

K: Session key for A and B

KA, KB: A’s secret key shared with S and B’s secret key shared with S, respectively.

(19)

Authentication Algorithm (2)

Figure: Trusted third party.

HKU SPACE CC CN Lecture 08 19/23

(20)

Authentication Algorithm (3)

Assumptions: Public key algorithm is used.

A picks a random number and encrypts it with B’s public key.

B does the same to A.

(21)

Message Integrity Protocols

Digital Signature Using RSA

special case of a message integrity where the code can only have been generated by one participant,

compute signature with private key and verify with public key.

Keyed MD5

sender: m + MD5(m + k) + E(k, private);

receiver: recovers random key using the sender’s public key then applies MD5 to the concatenation of this random key message.

MD5 with RSA signature

sender: m + E(MD5(m), private);

receiver: decrypts signature with sender’s public key

then compares result with MD5 checksum sent with message.

HKU SPACE CC CN Lecture 08 21/23

(22)

Remaining Issues

For the private key approach, how does a pair of participants generates and manages their shared secret key?

Use RSA key exchange with digital signatures.

Diffie-Hellman key exchange

For the public key approach, how can one obtain another’s true public key or how can one reliably advertise one’s public key to others?

Digital certificates

Certification authority (a trusted third party approach)

(23)

Acknowledgments

Part of this slide set is referenced, prepared or/and extracted from the books: Computer Networks - A Systems

Approach and the book Routing in the Internet. Also, some images and information are sourced from the Internet.

This set of slides is for teaching purpose only.

HKU SPACE CC CN Lecture 08 23/23

References

Download now ( PDF - 23 Page - 344.61 KB )

Related documents

MARKETING. MARKETING with FESTIVAL and EVENT MANAGEMENT. Master of Science in. Master of Science in MARKETING with SALES MANAGEMENT

The Business School, Edinburgh Napier University has been collaborating with the College of Business and Finance, HKU SPACE in offering a number of programmes at Bachelor’s

Postgraduate Diploma in SERVICES AND RETAIL MARKETING DIGITAL AND SOCIAL MEDIA MARKETING FASHION AND LUXURY BRAND MANAGEMENT

The programmes also prepare students for further education (e.g. MSc Marketing offered jointly by HKU SPACE and Edinburg Napier University, MSc in Marketing offered jointly by

Eliciting tacit knowledge from special education teachers

Based on this research, the storytelling and scenario are found to be effective methods for eliciting tacit knowledge compared to interview method.. This is

The University of Hong Kong. Master of Sports Administration (2008 / 2009) (Course No. HS /81) Subject to Approval

The overall aim of the Ohio Master of Sports Administration programme (Ohio Hong Kong MSA) in conjunction with HKU SPACE is to train and prepare sports executives to meet

Science Curriculum at HKU

- For 6901, Science subjects, i.e., Mathematics, Biology, Chemistry, Physics, Combined Science or Integrated Science are weighed slightly heavier. - Students under the

Processing and integrity of DC/DF GBAS for CAT II/III operations

Figure 71 – GAST

An Analysis of Students\u27 Writing Skill in Descriptive Text of the Second Year Students at SMPN 2 Bangun Purba

The first point is that VWXGHQWV¶ writing skill in descriptive text of the second year students at SMPN 2 Bangun Purba in terms of four out of five

Department of Information Technology and Electrical Engineering. Master Energy Science and Technology

On behalf of the Department of Information Technology and Electrical Engineering, the Department of Mechanical and Process Engineering, the Energy Science Center and all