21-networksecurity
TRANSCRIPT
-
8/6/2019 21-NetworkSecurity
1/61
Data and Computer Communications
Eighth Edition
by William Stallings
Lecture slides by Lawrie Brown
Chapter 21 Network Security
-
Network Security
To guard against the baneful influence exerted by strangers is therefore an elementary dictate of savage prudence. Hence before strangers are allowed to enter a district, or at least before they are permitted to mingle freely with the inhabitants, certain ceremonies are often performed by the natives of the country for the purpose of disarming the strangers of their magical powers, or of disinfecting, so to speak, the tainted atmosphere by which they are supposed to be surrounded.
The Golden Bough, Sir James George Frazer
-
Security Requirements
confidentiality - protect data content/access
integrity - protect data accuracy
availability - ensure timely service
authenticity - protect data origin
-
Passive Attacks
eavesdropping on transmissions
to obtain information
release of possibly sensitive/confidential message contents
traffic analysis which monitors frequency and length of messages to get info on senders
difficult to detect
can be prevented using encryption
-
Active Attacks
masquerade
  pretending to be a different entity
replay
modification of messages
denial of service
easy to detect
  detection may lead to deterrent
hard to prevent
  focus on detection and recovery
-
Symmetric Encryption
-
Requirements for Security
strong encryption algorithm
  even if known, unable to decrypt without key
  even if many plaintexts & ciphertexts available
sender and receiver must obtain secret key securely
once key is known, all communication using this key is readable
-
Attacking Encryption
cryptanalysis
  rely on nature of algorithm plus some knowledge of general characteristics of plaintext
  attempt to deduce plaintext or key
brute force
  try every possible key until plaintext is recovered
  rapidly becomes infeasible as key size increases
  56-bit key is not secure
-
Block Ciphers
most common symmetric algorithms
process plain text in fixed block sizes producing block of cipher text of equal size
most important current block ciphers:
  Data Encryption Standard (DES)
  Advanced Encryption Standard
-
Data Encryption Standard
US standard
64 bit plain text blocks
56 bit key
broken in 1998 by Electronic Frontier Foundation
  special purpose US$250,000 machine
  with detailed published description
  less than three days
DES now worthless
-
Triple DEA
ANSI X9.17 (1985)
incorporated in DEA standard 1999
uses 2 or 3 keys
3 executions of DEA algorithm
effective key length 112 or 168 bit
slow
block size (64 bit) now too small
-
Advanced Encryption Standard
NIST issued call for proposals for an Advanced Encryption Standard (AES) in 1997
  security strength equal to or better than 3DES
  significantly improved efficiency
  symmetric block cipher with block length 128 bits
  key lengths 128, 192, and 256 bits
  evaluation included security, computational efficiency, memory requirements, hardware and software suitability, and flexibility
AES issued as FIPS 197 in 2001
-
AES Description
assume key length 128 bits
input a 128-bit block (square matrix of bytes)
  copied into state array, modified at each stage
  after final stage, state copied to output
128-bit key (square matrix of bytes)
  expanded into array of 44 32-bit key schedule words
byte ordering by column
  1st 4 bytes of 128-bit input occupy 1st column
  1st 4 bytes of expanded key occupy 1st column
-
AES Encryption and Decryption
-
AES Encryption Round
-
Location of Encryption Devices
-
Link Encryption
each communication link equipped at both ends
all traffic secure
high level of security
requires lots of encryption devices
message must be decrypted at each switch to read address (virtual circuit number)
security vulnerable at switches
  particularly on public switched network
-
End to End Encryption
encryption done at ends of system
data in encrypted form crosses network unaltered
destination shares key with source to decrypt
host can only encrypt user data
  otherwise switching nodes could not read header or route packet
hence traffic pattern not secure
solution is to use both link and end to end
-
Key Distribution
symmetric encryption needs key distribution
  protected from access by others
  changed frequently
possibilities for key distribution
  1. key selected by A and delivered to B
  2. third party selects key and delivers to A and B
  3. use old key to encrypt & transmit new key from A to B
  4. use old key to transmit new key from third party to A and B
-
Automatic Key Distribution
-
Traffic Padding
addresses concern about traffic analysis
  though link encryption reduces opportunity
  attacker can still assess traffic volume
traffic padding produces ciphertext continuously
if no plaintext, sends random data
makes traffic analysis impossible
-
Message Authentication
protection against active attacks with
  falsification of data
  falsification of source
authentication allows receiver to verify that message is authentic
  has not been altered
  is from claimed/authentic source
  timeliness
-
Authentication Using Symmetric Encryption
assume sender & receiver only know key
only sender could have encrypted message for other party
message must include one of:
  error detection code
  sequence number
  time stamp
-
Authentication Without Encryption
authentication tag generated and appended to each message
message not encrypted
useful when don't want encryption because:
  messages broadcast to multiple destinations
    have one destination responsible for authentication
  one side heavily loaded
    encryption adds to workload
    can authenticate random messages
  programs authenticated without encryption can be executed without decoding
-
Message Authentication Code
generate authentication code based on shared key and message
common key shared between A and B
if only sender and receiver know key and code matches:
  receiver assured message has not been altered
  receiver assured message is from alleged sender
  if message has sequence number, receiver assured of proper sequence
can use various algorithms, e.g. DES
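
The three assurances on this slide, as an added example that is not part of the original slides: the sender computes a MAC over a sequence number plus the message, and the receiver verifies the code before trusting either. HMAC-SHA-256 from the Python standard library is used here in place of the DES-based MAC the slide mentions; the frame layout, function names and sample key are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA-256 output size in bytes
SEQ_LEN = 8   # assumed layout: 64-bit big-endian sequence number | message | tag


def protect(key: bytes, seq: int, message: bytes) -> bytes:
    """Sender side: prepend the sequence number, append the MAC over both."""
    body = struct.pack("!Q", seq) + message
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Receiver side: verify the MAC first, then the sequence number."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0  # lowest sequence number still acceptable

    def accept(self, frame: bytes):
        if len(frame) < SEQ_LEN + TAG_LEN:
            return ("rejected", "frame too short")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # compare_digest takes constant time, so the comparison does not
        # reveal how many leading bytes of a guessed tag were correct.
        if not hmac.compare_digest(tag, expected):
            return ("rejected", "MAC mismatch")
        (seq,) = struct.unpack("!Q", body[:SEQ_LEN])
        # Only read the sequence number after the MAC has vouched for it.
        # Gaps are tolerated (lost frames); going backwards is not.
        if seq < self.next_seq:
            return ("rejected", "replayed or out-of-order sequence number")
        self.next_seq = seq + 1
        return ("accepted", body[SEQ_LEN:])


def demo():
    key = b"constructed-demo-key-for-A-and-B"  # constructed sample key
    rx = Receiver(key)
    f0 = protect(key, 0, b"transfer 100 to carol")
    f1 = protect(key, 1, b"transfer 250 to dave")
    # Same header and tag as f1, but with the message body changed in transit.
    tampered = f1[:SEQ_LEN] + b"transfer 950 to dave" + f1[-TAG_LEN:]
    # Frame built by a party that does not hold the shared key.
    forged = protect(b"some-other-key", 2, b"transfer 999 to eve")
    return [
        rx.accept(f0),        # genuine, in sequence
        rx.accept(tampered),  # altered message
        rx.accept(f1),        # genuine, in sequence
        rx.accept(f0),        # valid MAC, but already seen
        rx.accept(forged),    # wrong key
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The replayed frame carries a valid MAC, which is why the sequence number has to sit inside the authenticated data: the MAC alone cannot tell a fresh message from a recorded one.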
-
Message Authentication Code
-
One Way Hash Function
accepts variable size message and produces fixed size tag (message digest)
  but without use of a secret key
  send digest with message
  in manner that validates authenticity
advantages of authentication without encryption
  encryption is slow
  encryption hardware expensive
  encryption hardware optimized for large data sets
  algorithms covered by patents
  algorithms subject to export controls (from USA)
-
Using One Way Hash Functions
-
Secure Hash Functions
produce a fingerprint of message/file
must have the following properties:
  can be applied to any size data block
  produce fixed length output
  easy to compute
  not feasible to reverse
  not feasible to find two messages with the same hash
giving weak & strong hash functions
also used for data integrity
-
Secure Hash Algorithm
Secure Hash Algorithm (SHA)
  SHA defined in FIPS 180 (1993), 160-bit hash
  SHA-1 defined in FIPS 180-1 (1995)
  SHA-256, SHA-384, SHA-512 defined in FIPS 180-2 (2002), 256/384/512-bit hashes
SHA-1 being phased out, attack known
SHA-512 processes input message
  with total size less than 2^128 bits
  in 1024 bit blocks
  to produce a 512-bit digest
-
SHA-512 Hash Function
-
Public Key Encryption
-
Public Key Encryption - Operation
public key is used for encryption
private key is used for decryption
infeasible to determine decryption key given encryption key and algorithm
steps:
  user generates pair of keys
  user places one key in public domain
  to send a message to user, encrypt using public key
  user decrypts using private key
-
Digital Signatures
-
Digital Signatures
sender encrypts message with private key
receiver decrypts with sender's public key
authenticates sender
does not give privacy of data
  must send both original and encrypted copies
more efficient to sign authenticator
  a secure hash of message
  send signed hash with message
-
RSA Algorithm
-
RSA Example
-
RSA Security
brute force search of all keys
  given size of parameters is infeasible
  but larger keys do slow calculations
factor n to recover p & q
  a hard problem
  well known 129 digit challenge broken in 1994
key size of 1024-bits (300 digits) currently secure for most apps
-
Public Key Certificates
-
Secure Sockets Layer / Transport Layer Security
Secure Sockets Layer (SSL) is a widely used set of general purpose security protocols
  use TCP to provide reliable end-to-end service
Transport Layer Security (TLS) in RFC 2246
two implementation options
  incorporated in underlying protocol suite
  embedded in specific packages
minor differences between SSLv3 and TLS
-
SSL Architecture
-
SSL Connection and Session
SSL Connection
  a transport connection providing suitable service
  are peer-to-peer, transient
  associated with one session
  multiple secure connections between parties possible
SSL session
  an association between client and server
  created by Handshake Protocol
  define set of cryptographic security parameters
  to avoid negotiation of new security parameters for each connection
  multiple simultaneous sessions between parties possible but not used in practice
-
SSL Record Protocol
provides confidentiality service
  used to encrypt SSL payload data
provides message integrity service
  used to form message authentication code (MAC)
Handshake Protocol defines shared secret keys for each of above services
-
SSL Record Protocol Operation
-
Record Protocol Header
content type (8 bits)
  change_cipher_spec, alert, handshake, and application_data
  no distinction between applications (e.g. HTTP)
  content of application data opaque to SSL
major version (8 bits) - SSL v3 is 3
minor version (8 bits) - SSLv3 value is 0
compressed length (16 bits)
  maximum 2^14 + 2048
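
A parser for the five-byte header listed on this slide, as an added example that is not part of the original slides. The numeric content type codes (20 to 23) come from the SSLv3/TLS specifications rather than from the slide; the function names and the sample byte stream are constructed for the illustration.

```python
import struct

# Content type codes as assigned in the SSLv3/TLS specifications
# (the slide names the types but not their numeric values).
CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}
HEADER_LEN = 5                       # type (1) + major (1) + minor (1) + length (2)
MAX_COMPRESSED_LEN = 2**14 + 2048    # upper bound stated on the slide


class RecordError(ValueError):
    """Raised when a header violates the record format."""


def make_record(ctype: int, payload: bytes, version=(3, 0)) -> bytes:
    """Build one record; used here only to construct sample input."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload


def parse_records(stream: bytes):
    """Split a byte stream into records.

    Returns (records, leftover): records is a list of
    (type_name, (major, minor), payload) tuples, leftover is the bytes of an
    incomplete trailing record that needs more data before it can be parsed.
    The payload is never inspected: to this layer it is opaque.
    """
    records = []
    offset = 0
    while len(stream) - offset >= HEADER_LEN:
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise RecordError(f"unknown content type {ctype} at offset {offset}")
        if major != 3:
            raise RecordError(f"unexpected major version {major} at offset {offset}")
        # Check the declared length before using it, so a hostile peer cannot
        # make the receiver wait for or buffer an oversized record.
        if length > MAX_COMPRESSED_LEN:
            raise RecordError(f"length {length} exceeds {MAX_COMPRESSED_LEN}")
        end = offset + HEADER_LEN + length
        if end > len(stream):
            break  # header is valid but the payload has not fully arrived
        payload = stream[offset + HEADER_LEN:end]
        records.append((CONTENT_TYPES[ctype], (major, minor), payload))
        offset = end
    return records, stream[offset:]


def sample_stream() -> bytes:
    """Constructed sample: two complete records and one truncated record."""
    return (
        make_record(22, b"\x01\x00\x00\x00")      # handshake, 4-byte payload
        + make_record(23, b"opaque-bytes")        # application data
        + make_record(21, b"\x02\x14")[:6]        # alert cut off after 1 payload byte
    )


if __name__ == "__main__":
    parsed, rest = parse_records(sample_stream())
    for name, version, payload in parsed:
        print(name, version, len(payload))
    print("bytes awaiting more data:", len(rest))
```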
-
Change Cipher Spec Protocol
uses Record Protocol
single message
  single byte value 1
cause pending state to be copied into current state
updates cipher suite to be used on this connection
-
Alert Protocol
convey SSL-related alerts to peer entity
alert messages compressed and encrypted
two bytes
  first byte warning(1) or fatal(2)
    if fatal, SSL immediately terminates connection
    other connections on session may continue
    no new connections on session
  second byte indicates specific alert
    e.g. fatal alert is an incorrect MAC
    e.g. nonfatal alert is close_notify message
-
Handshake Protocol
most complex protocol
allows parties to authenticate each other
and negotiate encryption and MAC algorithm and cryptographic keys
series of messages with four phases:
  phase 1 Initiate Connection
  phase 2 Certificate/Key Exchange
  phase 3 Client Verifies Certificate, Parameters
  phase 4 Complete Secure Connection Setup
-
SSL Handshake Protocol
-
SSL Handshake Protocol
Parameters
version
random
session ID
ciphersuite
compression method
-
IPv4 and IPv6 Security
IP Security extensions (IPSec) for IPv4/v6
developed in response to observed weaknesses
to stop unauthorized traffic monitoring, secure user traffic with authentication & encryption
example uses:
  secure branch office connectivity over Internet
  secure remote access over Internet
  extranet and intranet connectivity
  enhanced electronic commerce security
can encrypt / authenticate all traffic at IP level
-
IPSec Facilities
Authentication Header (AH)
  authentication only service
Encapsulating Security Payload (ESP)
  combined authentication & encryption service
  generally used for virtual private networks
key exchange
  both manual and automated
in RFCs 2401, 2402, 2406, 2408 (1998)
-
Security Association (SA)
one-way sender-receiver relationship
for two-way, need two security associations
three SA identification parameters
  security parameter index (in AH/ESP header)
  IP destination address (unicast only)
  security protocol identifier (AH or ESP)
SA uniquely identified by dest address in IPv4/6 header and SPI in AH/ESP header
-
SA Parameters
sequence number counter
sequence counter overflow
anti-replay windows
AH information
ESP information
lifetime of this association
IPSec protocol mode
path MTU
-
Authentication Header
-
Encapsulating Security Payload
-
WiFi Protected Access
WiFi Protected Access (WPA) extensions to address 802.11 security issues
  based on current 802.11i standard
  addresses authentication, key management, data transfer privacy
  uses authentication server and a more robust protocol
encryption with AES or 104-bit RC4
-
WiFi Protected Access
-
802.11i Access Control
-
802.11i Privacy & Integrity
have Temporal Key Integrity Protocol (TKIP) or WPA-1
  s/w only changes to existing equipment
  using same RC4 algorithm as older WEP
and Counter Mode CBC MAC (CCMP) or WPA-2 using AES encryption
both add message integrity code (MIC)
  generated using Michael algorithm
-
Summary
security requirements and attacks
confidentiality using symmetric encryption
message authentication & hash functions
public-key encryption & digital signatures
secure socket layer (SSL)
IPSec
WiFi Protected Access