
(1)

Lecture #22: Network Security

(2)

A classic lesson

The chain is only as strong as its weakest link!

(3)

In the past ...

The networks were primarily used by university researchers for sending e-mail and by corporate employees for sharing printers. The sky was clear and the people were happy and carefree.

But now ...

But now, as billions are using networks for banking, shopping, and filing their tax returns, network security is looming on the horizon as a potentially massive problem.

(4)

Sources of security problems

(5)

Security areas

Network security problems can be divided roughly into four closely intertwined areas:

• secrecy
• authentication
• nonrepudiation
• integrity control.

Secrecy, also called confidentiality, has to do with keeping information out of the hands of unauthorized users.

Authentication deals with determining whom you are talking to before revealing sensitive information or entering into a business deal.

Nonrepudiation deals with signatures: How do you prove that your customer really placed EXACTLY THIS electronic order?

Integrity control – Is this message EXACTLY THE SAME as it was originally sent?

(6)

Security on the network layers

Physical layer security – hardware solutions. For example: EM-shielding.

All other layers use security methods mainly based on cryptography.

(the name of this science comes from the Greek words for ''secret writing'')

(7)

Cryptography

Contributors to modern cryptography:

• military
• diplomatic corps
• diarists
• lovers

(8)

Cryptography (2)

(9)

Cryptography (3)

A simple substitution cipher

Each of the symbols in the plaintext is mapped onto some other symbol.

An example for 26 letters:

plaintext:  a b c d e f g h i j k l m n o p q r s t u v w x y z
ciphertext: Q W E R T Y U I O P A S D F G H J K L Z X C V B N M
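The slide's 26-letter substitution, as an added example that is not part of the lecture: it encrypts and decrypts with the table above and checks the property that makes such a cipher weak, namely that letter frequencies survive the substitution unchanged. The sample message is constructed.

```python
# Added example (not from the lecture): the slide's 26-letter substitution
# cipher, with a letter-count check that shows why it is weak.
from collections import Counter

PLAIN = "abcdefghijklmnopqrstuvwxyz"
CIPHER = "QWERTYUIOPASDFGHJKLZXCVBNM"   # the mapping given on the slide

ENC_TABLE = {p: c for p, c in zip(PLAIN, CIPHER)}
DEC_TABLE = {c: p for p, c in zip(PLAIN, CIPHER)}


def substitute(text: str) -> str:
    """Encrypt: lowercase plaintext letters -> uppercase ciphertext letters.
    Anything that is not a lowercase letter is passed through unchanged."""
    return "".join(ENC_TABLE.get(ch, ch) for ch in text)


def unsubstitute(text: str) -> str:
    """Decrypt with the inverse table."""
    return "".join(DEC_TABLE.get(ch, ch) for ch in text)


def letter_counts(text: str) -> dict:
    """Counts of letters only (spaces and punctuation are ignored)."""
    return dict(Counter(ch for ch in text if ch.isalpha()))


def counts_preserved(plaintext: str) -> bool:
    """A monoalphabetic substitution only renames letters, so the multiset
    of letter frequencies in the ciphertext equals that of the plaintext.
    This is the property frequency analysis relies on."""
    p = sorted(letter_counts(plaintext).values())
    c = sorted(letter_counts(substitute(plaintext)).values())
    return p == c


if __name__ == "__main__":
    msg = "attack at dawn"                # constructed sample message
    ct = substitute(msg)
    print(ct)                             # QZZQEA QZ RQVF
    print(unsubstitute(ct))               # attack at dawn
    print(counts_preserved(msg))          # True
```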

(10)

Cryptography (4)

(11)

Cryptography (5)

An unbreakable symmetric-key method: one-time pad. It uses a very long key which is bit-XORed with the message.

Disadvantages: Impossible to remember and difficult to store the key.

Example:

The use of a one-time pad for encryption and the possibility of getting any possible plaintext from the ciphertext by the use of some other pad.
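The one-time pad as bitwise XOR, as an added example that is not part of the lecture. It reproduces the slide's point that some other pad turns the same ciphertext into any plaintext of the same length, and shows why the pad must be used only once; the messages and pads are constructed.

```python
# Added example (not from the lecture): a one-time pad as bitwise XOR, plus
# the slide's observation that some other pad turns the same ciphertext
# into any plaintext you like. The messages and pads below are constructed.
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Ciphertext = plaintext XOR pad. The pad must be at least as long as
    the message and must never be reused (hence 'one-time')."""
    if len(pad) < len(plaintext):
        raise ValueError("pad is shorter than the message")
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return otp_encrypt(ciphertext, pad)


def alternative_pad(ciphertext: bytes, wanted: bytes) -> bytes:
    """Return the pad under which `ciphertext` decrypts to `wanted`.
    Every equal-length plaintext is reachable this way, which is exactly
    why the ciphertext alone reveals nothing about the real message."""
    if len(wanted) != len(ciphertext):
        raise ValueError("alternative plaintext must have the same length")
    return xor_bytes(ciphertext, wanted)


def pad_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """If two messages were XORed with the SAME pad, the pad cancels out:
    ct1 XOR ct2 == pt1 XOR pt2. That leak is why the pad is one-time."""
    return xor_bytes(ct1, ct2)


def fresh_pad(length: int) -> bytes:
    """A new random pad from the OS cryptographic random source."""
    return secrets.token_bytes(length)


if __name__ == "__main__":
    message = b"meet at noon"                 # constructed sample
    pad = fresh_pad(len(message))
    ct = otp_encrypt(message, pad)
    print(otp_decrypt(ct, pad))               # b'meet at noon'
    other = b"meet at dawn"                   # same length, different text
    print(otp_decrypt(ct, alternative_pad(ct, other)))   # b'meet at dawn'
```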

(12)

Symmetric-Key Algorithms

• DES – The Data Encryption Standard
• AES – The Advanced Encryption Standard
• Cipher Modes
• Other Ciphers
• Cryptanalysis

(13)

Data Encryption Standard

(a) General outline.
(b) Detail of one iteration.

The circled + means exclusive OR (XOR).

(14)

Triple DES

(a) Triple encryption using DES.
(b) Decryption.

(15)

AES – The Advanced Encryption Standard

Rules for AES proposals:

1. The algorithm must be a symmetric block cipher.
2. The full design must be public.
3. Key lengths of 128, 192, and 256 bits supported.
4. Both software and hardware implementations required.
5. The algorithm must be public or licensed on nondiscriminatory terms.

(16)

Cryptanalysis

Some common symmetric-key cryptographic algorithms:

(17)

Public-Key Algorithms - RSA

1. Choose two large primes, p and q (typically 1024 bits).
2. Compute n = p x q and z = (p - 1) x (q - 1).
3. Choose a number relatively prime to z and call it d.
4. Find e such that e x d = 1 mod z.

An example of the RSA (Rivest, Shamir, Adleman) algorithm:

p = 3, q = 11, n = 33, z = 20, d = 7
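Steps 1-4 carried through on the slide's toy parameters, as an added example that is not part of the lecture. It derives e from d, encrypts and decrypts one letter per block, and also shows the signing direction (private exponent to sign, public to verify); the a=1..z=26 letter encoding is my assumption, and a 33-value modulus is of course only for illustration.

```python
# Added example (not from the lecture): textbook RSA on the slide's toy
# parameters p = 3, q = 11, d = 7, following steps 1-4 of the slide.
# The letter encoding (a=1 ... z=26, one letter per block) is an assumption.
from math import gcd


def rsa_keygen(p: int, q: int, d: int):
    """n = p*q, z = (p-1)*(q-1); d must be relatively prime to z;
    e is the inverse of d mod z, so that e*d = 1 mod z."""
    n = p * q
    z = (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    e = pow(d, -1, z)               # modular inverse (Python 3.8+)
    return (e, n), (d, n)           # (public key, private key)


def rsa_encrypt(pub, m: int) -> int:
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("block must be smaller than n")
    return pow(m, e, n)             # c = m^e mod n


def rsa_decrypt(priv, c: int) -> int:
    d, n = priv
    return pow(c, d, n)             # m = c^d mod n


def rsa_sign(priv, m: int) -> int:
    """Signing uses the private exponent: s = m^d mod n."""
    d, n = priv
    return pow(m, d, n)


def rsa_verify(pub, m: int, s: int) -> bool:
    """Anyone holding the public key checks s^e mod n == m."""
    e, n = pub
    return pow(s, e, n) == m % n


def encode(text: str):
    """Letters a..z -> 1..26 (each block must stay below n = 33)."""
    return [ord(ch) - ord("a") + 1 for ch in text]


def decode(blocks) -> str:
    return "".join(chr(b + ord("a") - 1) for b in blocks)


if __name__ == "__main__":
    pub, priv = rsa_keygen(3, 11, 7)      # -> ((3, 33), (7, 33))
    blocks = [rsa_encrypt(pub, b) for b in encode("suzanne")]
    print(blocks)                         # [28, 21, 20, 1, 5, 5, 26]
    print(decode(rsa_decrypt(priv, c) for c in blocks))   # suzanne
    sig = rsa_sign(priv, 19)
    print(rsa_verify(pub, 19, sig), rsa_verify(pub, 20, sig))   # True False
```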

(18)

Public-Key Digital Signatures

The goal: To verify the message's integrity.

Example:

(19)

Message Digests

Another way to assure the message's integrity.

Examples of message digest functions: MD5 (Rivest, 1992) and SHA-1 (NIST, 1993).

(20)

Problems with Public-Key Encryption

A way for Trudy (the intruder) to subvert public-key encryption.

(21)

Certificates

A possible certificate and its signed hash.

CA = Certification Authority

Example: Bulgarian Academic Certification Authority (http://ca.acad.bg)

(22)

X.509

The basic fields of an X.509 certificate:

(23)

Public-Key Infrastructures (PKI)

(a) A hierarchical PKI. (b) A chain of certificates.

(24)

IPsec

The IPsec authentication header in transport mode for IPv4.

(25)

IPsec (2)

(a) ESP in transport mode. (b) ESP in tunnel mode.

ESP = Encapsulating Security Payload

(26)

Firewalls

A firewall consisting of two packet filters and an application gateway.

(27)

Virtual Private Networks

(a) A leased-line private network. (b) A virtual private network.

(28)

802.11 Security

Packet encryption using WEP (Wired Equivalent Privacy).

(29)

Authentication Protocols

• Authentication Based on a Shared Secret Key
• Establishing a Shared Key: Diffie-Hellman
• Authentication Using a Key Distribution Center
• Authentication Using Kerberos
• Authentication Using Public-Key Cryptography

(30)

Establishing a Shared Key: The Diffie-Hellman Key Exchange

The bucket brigade or man-in-the-middle attack.
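The exchange and the bucket-brigade scenario the slide refers to, as an added example that is not part of the lecture: it shows the honest exchange producing one shared key, and why an unauthenticated exchange lets a relay end up holding a separate key with each side. The group parameters p = 23, g = 5 and all secrets are constructed toy values; the fix, authenticating the public values, is the subject of the authentication slides that follow.

```python
# Added example (not from the lecture): Diffie-Hellman key agreement and the
# slide's bucket-brigade (man-in-the-middle) scenario, on constructed toy
# parameters p = 23, g = 5. Real deployments use groups of 2048 bits or more.
P, G = 23, 5


def dh_public(secret: int) -> int:
    """Each party publishes g^secret mod p and keeps `secret` private."""
    return pow(G, secret, P)


def dh_shared(their_public: int, my_secret: int) -> int:
    """Shared key = (their_public)^my_secret mod p."""
    return pow(their_public, my_secret, P)


def honest_exchange(a: int, b: int):
    """Alice (secret a) and Bob (secret b) swap public values directly;
    both arrive at the same key g^(a*b) mod p."""
    key_alice = dh_shared(dh_public(b), a)
    key_bob = dh_shared(dh_public(a), b)
    return key_alice, key_bob


def bucket_brigade(a: int, b: int, t: int):
    """Nothing in the bare exchange proves who sent a public value, so a
    relay with secret t can hand each side g^t instead of the real value.
    Returns (Alice's key, Bob's key, relay's key with Alice, relay's key
    with Bob): Alice and Bob hold DIFFERENT keys, and the relay knows both.
    The remedy is to authenticate the public values (signatures or
    certificates), which is what the later authentication slides cover."""
    t_pub = dh_public(t)
    key_alice = dh_shared(t_pub, a)          # Alice believes this is Bob's
    key_bob = dh_shared(t_pub, b)            # Bob believes this is Alice's
    relay_with_alice = dh_shared(dh_public(a), t)
    relay_with_bob = dh_shared(dh_public(b), t)
    return key_alice, key_bob, relay_with_alice, relay_with_bob


if __name__ == "__main__":
    print(honest_exchange(4, 3))             # (18, 18)
    print(bucket_brigade(4, 3, 6))           # (2, 6, 2, 6)
```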

(31)

Authentication Using a Key Distribution Center

A first attempt at an authentication protocol using a KDC.

(32)

Authentication Using Kerberos

The operation of Kerberos V4.

(33)

Authentication Using Public-Key Cryptography

Mutual authentication using public-key cryptography.

(34)

Unsecured network protocols:

• Ethernet DLL protocols
• IPv4
• Telnet, FTP, DNS, SMTP, POP3/IMAP, HTTP, NNTP, SNMP v1,2 etc.

Secured network protocols:

• IPsec, IPv6
• HTTPS, DNSsec, TLS/SSL, SSH, S/MIME.

(35)

E-Mail Security

• PGP – Pretty Good Privacy
• PEM – Privacy Enhanced Mail
• S/MIME

(36)

E-mail security: PGP – Pretty Good Privacy

PGP in operation for sending a message.

(37)

PGP – Pretty Good Privacy (2)

A PGP message.

(38)

Web Security

• Threats
• Secure Naming
• SSL – The Secure Sockets Layer
• Mobile Code Security

(39)

Secure Naming

(a) Normal situation.
(b) An attack based on breaking into DNS and modifying Bob's record.

(40)

Secure Naming (2)

How Trudy spoofs Alice's ISP.

(41)

Secure DNS (DNSsec)

• Proof of where the data originated.
• Public key distribution.
• Transaction and request authentication.

Example of DNSsec RRSet for bob.com:

The KEY record is Bob's public key. The SIG record is the top-level com server's signed hash of the A and KEY records, used to verify their authenticity.

(42)

Self-Certifying Names

A self-certifying URL containing a hash of the server's name and public key.

(43)

SSL—The Secure Sockets Layer

Layers (and protocols) for a home user browsing with SSL.

(44)

SSL (2)

A simplified version of the SSL connection establishment subprotocol.

(45)

SSL (3)

Data transmission using SSL.

(46)

Java Applet Security

Applets inserted into a Java Virtual Machine interpreter inside the browser.

(47)

Social Issues

• Privacy
• Freedom of Speech
• Copyright

(48)

Anonymous Remailers

Users who wish anonymity chain requests

(49)

Freedom of Speech

Possibly banned material:

1. Material inappropriate for children or teenagers.
2. Hate aimed at various ethnic, religious, sexual, or other groups.
3. Information about democracy and democratic values.
4. Accounts of historical events contradicting the government's version.
5. Manuals for picking locks, building weapons, encrypting messages, etc.

(50)

Steganography - hiding messages

(a) Three zebras and a tree.

(51)

Copyright

The granting to the creators of IP (Intellectual Property), including writers, artists, composers, musicians, photographers, cinematographers, choreographers, and others, the exclusive right to exploit their IP for some period of time, typically the life of the author plus 50 years (or 75 years in the case of corporate ownership).

After the copyright of a work expires, it passes into the public domain and anyone can use or sell it as they wish.

(52)

Copyright (2)

Examples:

Napster, torrents, eMule and other P2P-like networks violate the copyright!

(Because they hold some kind of centralized databases which help the people to find the desired IP-material for free downloading.)

(53)

End-user security rules

• Don't write your password on paper!
• Don't tell your password to anybody! (even to your sysadmin).
• Don't use short or easy to guess passwords!
  Examples of good passwords: The g1rL frΘm !panemA   Macro$oft L!nuX ;-)
• Change your password frequently!
• Don't lose your private key!
• Never leave your computer unattended while logged in!
• Beware of viruses, trojan horses, worms etc. fauna!
• Apply the recent security updates and patches to your OS and software!

Always remember that there is no 100% Security!
