21-networksecurity

8/6/2019 21-NetworkSecurity

1/61

Data and ComputerData and Computer

CommunicationsCommunications

Eighth EditionEighth Editionby William Stallingsby William Stallings

Lecture slides by Lawrie BrownLecture slides by Lawrie Brown

Chapter 21Chapter 21 Network SecurityNetwork Security


2/61

Network SecurityNetwork Security

To guard against the baneful influence exerted bystrangers is therefore an elementary dictate of savageprudence. Hence before strangers are allowed to entera district, or at least before they are permitted to

mingle freely with the inhabitants, certain ceremoniesare often performed by the natives of the country forthe purpose of disarming the strangers of their magical

powers, or of disinfecting, so to speak, the tainted

atmosphere by which they are supposed to besurrounded.

The Golden Bough, Sir James George Frazer


3/61

Security RequirementsSecurity Requirements

confidentialityconfidentiality -- protect data content/accessprotect data content/access

integrityintegrity -- protect data accuracyprotect data accuracy

availabilityavailability -- ensure timely serviceensure timely service authenticityauthenticity -- protect data originprotect data origin


4/61

Passive AttacksPassive Attacks

eavesdropping on transmissionseavesdropping on transmissions

to obtain informationto obtain information

release of possibly sensitive/confidentialrelease of possibly sensitive/confidentialmessage contentsmessage contents

traffic analysis which monitors frequency andtraffic analysis which monitors frequency andlength of messages to get info on senderslength of messages to get info on senders

difficult to detectdifficult to detect

can be prevented using encryptioncan be prevented using encryption


5/61

Active AttacksActive Attacks

masquerademasquerade pretending to be a different entitypretending to be a different entity

replayreplaymodification of messagesmodification of messages

denial of servicedenial of service

easy to detecteasy to detect detection may lead to deterrentdetection may lead to deterrent

hard to preventhard to prevent focus on detection and recoveryfocus on detection and recovery


6/61

Symmetric EncryptionSymmetric Encryption


7/61

Requirements for SecurityRequirements for Security

strong encryption algorithmstrong encryption algorithm

even known, unable to decrypt without keyeven known, unable to decrypt without key

even if many plaintexts & ciphertexts availableeven if many plaintexts & ciphertexts available sender and receiver must obtain secretsender and receiver must obtain secret

key securelykey securely

once key is known, all communicationonce key is known, all communicationusing this key is readableusing this key is readable


8/61

Attacking EncryptionAttacking Encryption

cryptanalysiscryptanalysis

relay on nature of algorithm plus some knowledge ofrelay on nature of algorithm plus some knowledge ofgeneral characteristics of plaintextgeneral characteristics of plaintext

attempt to deduce plaintext or keyattempt to deduce plaintext or key

brute forcebrute force

try every possible key until plaintext is recoveredtry every possible key until plaintext is recovered

rapidly becomes infeasible as key size increasesrapidly becomes infeasible as key size increases

5656--bit key is not securebit key is not secure


9/61

Block CiphersBlock Ciphers

most common symmetric algorithmsmost common symmetric algorithms

process plain text in fixed block sizesprocess plain text in fixed block sizes

producing block of cipher text of equal sizeproducing block of cipher text of equal sizemost important current block ciphers:most important current block ciphers:

DataData Encryption StandardEncryption Standard (DES)(DES)

Advanced Encryption StandardAdvanced Encryption Standard


10/61

Data Encryption StandardData Encryption Standard

US standardUS standard

64 bit plain text blocks64 bit plain text blocks

56 bit key56 bit key broken in 1998 by Electronic Frontierbroken in 1998 by Electronic Frontier

FoundationFoundation special purpose US$250,000 machinespecial purpose US$250,000 machine

with detailed published descriptionwith detailed published description

less than three daysless than three days

DES now worthlessDES now worthless


11/61

Triple DEATriple DEA

ANSI X9.17 (1985)ANSI X9.17 (1985)

incorporated in DEA standard 1999incorporated in DEA standard 1999

uses 2 or 3 keysuses 2 or 3 keys 3 executions of DEA algorithm3 executions of DEA algorithm

effective key lengtheffective key length 112 or112 or 168 bit168 bit

slowslow block size (64 bit) now too smallblock size (64 bit) now too small


12/61

Advanced EncryptionAdvanced Encryption

StandardStandard NIST issued call for proposals for an AdvancedNIST issued call for proposals for an Advanced

Encryption Standard (AES) in 1997Encryption Standard (AES) in 1997

security strength equal to or better than 3DESsecurity strength equal to or better than 3DES

significantly improved efficiencysignificantly improved efficiency

symmetric block ciphersymmetric block cipher withwith block length 128 bitsblock length 128 bits

key lengths 128, 192, and 256 bitskey lengths 128, 192, and 256 bits

evaluation include security, computational efficiency,evaluation include security, computational efficiency,memory requirements, hardware and softwarememory requirements, hardware and softwaresuitability, and flexibilitysuitability, and flexibility

AESAES issued as FIPS 197 in 2001issued as FIPS 197 in 2001


13/61

AES DescriptionAES Description

assume key length 128 bitsassume key length 128 bits

input a 128input a 128--bit blockbit block ((square matrix of bytes)square matrix of bytes)

copied into state arraycopied into state array, m, modified at each stageodified at each stage

after final stage, state copied to outputafter final stage, state copied to output

128128--bit key (square matrix of bytes)bit key (square matrix of bytes)

expanded into array of 44 32expanded into array of 44 32--bit key schedule wordsbit key schedule words

byte orderingbyte ordering by columnby column 1st 4 bytes of1st 4 bytes of 128128--bit input occupy 1st columnbit input occupy 1st column

1st 4 bytes of expanded key1st 4 bytes of expanded key occupy 1st columnoccupy 1st column


14/61

AESAES

EncryptionEncryption

andand

DecryptionDecryption


15/61

AES Encryption RoundAES Encryption Round


16/61

Location of EncryptionLocation of Encryption

DevicesDevices


17/61

Link EncryptionLink Encryption

each communication link equipped at both endseach communication link equipped at both ends

all traffic secureall traffic secure

high level of securityhigh level of security requires lots of encryption devicesrequires lots of encryption devices

message must be decrypted at each switch tomessage must be decrypted at each switch toread address (virtual circuit number)read address (virtual circuit number)

security vulnerable at switchessecurity vulnerable at switches particularly on public switched networkparticularly on public switched network


18/61

End to End EncryptionEnd to End Encryption

encryption done at ends of systemencryption done at ends of system

data in encrypted form crosses networkdata in encrypted form crosses networkunalteredunaltered

destination shares key with source to decryptdestination shares key with source to decrypt host can only encrypt user datahost can only encrypt user data

otherwise switching nodes could not read header orotherwise switching nodes could not read header orroute packetroute packet

hence traffic pattern not securehence traffic pattern not secure

solution is to use both link and end to endsolution is to use both link and end to end


19/61

Key DistributionKey Distribution

symmetric encryption needs key distributionsymmetric encryption needs key distribution

protected for access by othersprotected for access by others

changed frequentlychanged frequently

possibilities for key distributionpossibilities for key distribution

1.1. key selected by A and delivered to Bkey selected by A and delivered to B

2.2. third party selects key and delivers to A and Bthird party selects key and delivers to A and B

3.3. use old key to encrypt & transmit new key from A to Buse old key to encrypt & transmit new key from A to B4.4. use old key to transmit new key from third party to Ause old key to transmit new key from third party to A

and Band B


20/61

Automatic Key DistributionAutomatic Key Distribution


21/61

Traffic PaddingTraffic Padding

addresses concern about traffic analysisaddresses concern about traffic analysis

though link encryption reduces opportunitythough link encryption reduces opportunity

attacker can still assess traffic volumeattacker can still assess traffic volume traffic padding produces ciphertexttraffic padding produces ciphertext

continuouslycontinuously

if no plaintext, sends random dataif no plaintext, sends random datamakes traffic analysis impossiblemakes traffic analysis impossible


22/61

Message AuthenticationMessage Authentication

protection against active attacks withprotection against active attacks with

falsification of datafalsification of data

falsification of sourcefalsification of source authentication allows receiver to verify thatauthentication allows receiver to verify that

message is authenticmessage is authentic

has not been alteredhas not been altered

is from claimed/authentic sourceis from claimed/authentic source

timelinesstimeliness


23/61

Authentication UsingAuthentication Using

Symmetric EncryptionSymmetric Encryption assume sender & receiver only know keyassume sender & receiver only know key

only sender could have encryptedonly sender could have encrypted

message for other partymessage for other partymessage must include one of:message must include one of:

error detection codeerror detection code

sequence numbersequence number time stamptime stamp


24/61

Authentication WithoutAuthentication Without

EncryptionEncryption authentication tag generated and appended toauthentication tag generated and appended to

each messageeach message

message not encryptedmessage not encrypted

useful when dont want encryption because:useful when dont want encryption because: messages broadcast to multiple destinationsmessages broadcast to multiple destinations

have one destination responsible for authenticationhave one destination responsible for authentication

one side heavily loadedone side heavily loaded

encryption adds to workloadencryption adds to workload can authenticate random messagescan authenticate random messages

programs authenticated without encryption can beprograms authenticated without encryption can beexecuted without decodingexecuted without decoding


25/61

Message Authentication CodeMessage Authentication Code

generate authentication code based on sharedgenerate authentication code based on sharedkey and messagekey and message

common key shared between A and Bcommon key shared between A and B

if only sender and receiver know key and codeif only sender and receiver know key and codematches:matches:

receiver assured message has not alteredreceiver assured message has not altered

receiver assured message is from alleged senderreceiver assured message is from alleged sender if message has sequence number, receiver assuredif message has sequence number, receiver assured

of proper sequenceof proper sequence

can use various algorithms, eg. DEScan use various algorithms, eg. DES


26/61

Message Authentication CodeMessage Authentication Code


27/61

One Way Hash FunctionOne Way Hash Function

accepts variable size message and producesaccepts variable size message and producesfixed size tag (message digest)fixed size tag (message digest) but without use of a secret keybut without use of a secret key

send digest with messagesend digest with message in manner that validates authenticityin manner that validates authenticity

advantages of authentication without encryptionadvantages of authentication without encryption encryption is slowencryption is slow

encryption hardware expensiveencryption hardware expensive encryption hardware optimized for large data setsencryption hardware optimized for large data sets

algorithms covered by patentsalgorithms covered by patents

algorithms subject to export controls (from USA)algorithms subject to export controls (from USA)


28/61

UsingUsingOneOne

WayWayHashHash

FunctionsFunctions


29/61

Secure Hash FunctionsSecure Hash Functions

produce a fingerprint of message/fileproduce a fingerprint of message/file

must have the following properties:must have the following properties: can be applied to any size data blockcan be applied to any size data block

produce fixed length outputproduce fixed length output easy to computeeasy to compute

not feasible to reversenot feasible to reverse

not feasible to find two messages with thenot feasible to find two messages with thesame hashsame hash

giving weak & strong hash functionsgiving weak & strong hash functions

also used for data integrityalso used for data integrity


30/61

Secure Hash AlgorithmSecure Hash Algorithm

Secure Hash Algorithm (SHA)Secure Hash Algorithm (SHA) SHA defined in FIPS 180 (1993), 160SHA defined in FIPS 180 (1993), 160--bit hashbit hash

SHASHA--1 defined in FIPS 1801 defined in FIPS 180--1 (1995)1 (1995)

SHASHA--256, SHA256, SHA--384, SHA384, SHA--512 defined in FIPS512 defined in FIPS180180--2 (2002), 256/384/5122 (2002), 256/384/512--bit hashesbit hashes

SHASHA--1 being phased out, attack known1 being phased out, attack known

SHASHA--512 processes input message512 processes input message with total size less than 2with total size less than 2128128 bitsbits

in 1024 bit blocksin 1024 bit blocks

to produce a 512to produce a 512--bit digestbit digest


31/61

SHASHA--512 Hash Function512 Hash Function


32/61

Public KeyPublic Key EncryptionEncryption


33/61

Public Key EncryptionPublic Key Encryption --

Operation

Operation

public key is used for encryptionpublic key is used for encryption

private key is used for decryptionprivate key is used for decryption

infeasible to determine decryption key giveninfeasible to determine decryption key givenencryption key and algorithmencryption key and algorithm

steps:steps:

user generates pair of keysuser generates pair of keys

user places one key in public domainuser places one key in public domain to send a message to user, encrypt using public keyto send a message to user, encrypt using public key

user decrypts using private keyuser decrypts using private key


34/61

Digital SignaturesDigital Signatures


35/61

Digital SignaturesDigital Signatures

sender encrypts message with private keysender encrypts message with private key

receiver decrypts with senders public keyreceiver decrypts with senders public key

authenticates senderauthenticates sender does not give privacy of datadoes not give privacy of data

must send both original and encrypted copiesmust send both original and encrypted copies

more efficient to sign authenticatormore efficient to sign authenticator a secure hash of messagea secure hash of message

send signed hash with messagesend signed hash with message


36/61

RSARSA

AlgorithmAlgorithm


37/61

RSA ExampleRSA Example


38/61

RSA SecurityRSA Security

brute force search of all keysbrute force search of all keys

given size of parameters is infeasiblegiven size of parameters is infeasible

but larger keys do slow calculationsbut larger keys do slow calculations factor n to recover p & qfactor n to recover p & q

a hard problema hard problem

well known 129 digit challenge broken in 1994well known 129 digit challenge broken in 1994

key size of 1024key size of 1024--bits (300 digits) currentlybits (300 digits) currentlysecure for most appssecure for most apps


39/61

Public Key CertificatesPublic Key Certificates


40/61

Secure Sockets Layer /Secure Sockets Layer /

Transport

Layer Security

Transport

Layer Security

Secure Sockets Layer (SSL) is a widely used setSecure Sockets Layer (SSL) is a widely used setof general purpose security protocolsof general purpose security protocols

use TCPuse TCP to provideto provide reliable endreliable end--toto--end serviceend service

Transport Layer Security (TLS) inTransport Layer Security (TLS) in RFC 2246RFC 2246

two implementationtwo implementation optionsoptions

incorporated in underlying protocol suiteincorporated in underlying protocol suite

embedded in specific packagesembedded in specific packages minor differences betweenminor differences between SSLv3SSLv3 andand TLSTLS


41/61

SSL ArchitectureSSL Architecture


42/61

SSL Connection and SessionSSL Connection and Session

SSL ConnectionSSL Connection a transport connection providing suitable servicea transport connection providing suitable service

are peerare peer--toto--peerpeer, t, transientransient

associated with one sessionassociated with one session

multiple secure connectionsmultiple secure connections between parties possiblebetween parties possible

SSL sessionSSL session an association between client and serveran association between client and server

createdcreated byby Handshake ProtocolHandshake Protocol

define set of cryptographic security parametersdefine set of cryptographic security parameters to avoid negotiation of new security parameters forto avoid negotiation of new security parameters for

each connectioneach connection

multiple simultaneous sessions between partiesmultiple simultaneous sessions between parties

possible but not used in practicepossible but not used in practice


43/61

SSL Record ProtocolSSL Record Protocol

provides confidentiality serviceprovides confidentiality service

used to encrypt SSL payload dataused to encrypt SSL payload data

provides message integrity serviceprovides message integrity service usedused to form message authentication codeto form message authentication code

(MAC)(MAC)

Handshake Protocol defines shared secretHandshake Protocol defines shared secretkeys for each of above serviceskeys for each of above services


44/61

SSL Record ProtocolSSL Record Protocol

Operation

Operation


45/61

Record Protocol HeaderRecord Protocol Header

content type (8 bits)content type (8 bits)

change_cipher_spec, alert, handshake, andchange_cipher_spec, alert, handshake, andapplication_dataapplication_data

no distinctionno distinction betweenbetween applications (eg. HTTP)applications (eg. HTTP) content of application datacontent of application data opaque to SSLopaque to SSL

major version (8 bits)major version (8 bits) SSL v3 is 3SSL v3 is 3

minor version (8 bits)minor version (8 bits) -- SSLv3 value is 0SSLv3 value is 0

compressed length (16 bits)compressed length (16 bits)

maximum 2maximum 21414 + 2048+ 2048


46/61

Change Cipher Spec ProtocolChange Cipher Spec Protocol

usesuses Record ProtocolRecord Protocol

single messagesingle message

single byte value 1single byte value 1 causecause pending state to be copied intopending state to be copied into

current statecurrent state

updates cipher suite to be used on thisupdates cipher suite to be used on thisconnectionconnection


47/61

Alert ProtocolAlert Protocol

convey SSLconvey SSL--related alerts to peer entityrelated alerts to peer entity

alertalert messages compressed and encryptedmessages compressed and encrypted

two bytestwo bytes

first byte warning(1) or fatal(2)first byte warning(1) or fatal(2) if fatal, SSL immediately terminates connectionif fatal, SSL immediately terminates connection

other connections on session may continueother connections on session may continue

nono new connections on sessionnew connections on session

second byte indicates specific alertsecond byte indicates specific alert eg.eg. fatal alert is an incorrect MACfatal alert is an incorrect MAC

eg.eg. nonfatal alert is close_notify messagenonfatal alert is close_notify message


48/61

Handshake ProtocolHandshake Protocol

most complex protocolmost complex protocol

allows parties to authenticate each otherallows parties to authenticate each other

and negotiate encryption and MACand negotiate encryption and MACalgorithmalgorithm and cryptographic keysand cryptographic keys

series of messages with four phases:series of messages with four phases:

phase 1 Initiate Connectionphase 1 Initiate Connection phase 2 Certificate/Key Exchangephase 2 Certificate/Key Exchange

phase 3 Client Verifies Certificate, Parametersphase 3 Client Verifies Certificate, Parameters

phase 4 Complete Secure Connection Setupphase 4 Complete Secure Connection Setup


49/61

SSLSSL

HandshakeHandshake

ProtocolProtocol


50/61

SSL Handshake ProtocolSSL Handshake Protocol

ParametersParameters

versionversion

randomrandom

session IDsession ID ciphersuiteciphersuite

compression methodcompression method


51/61

IPv4 and IPv6 SecurityIPv4 and IPv6 Security

IP Security extensions (IPSec) for IPv4/v6IP Security extensions (IPSec) for IPv4/v6

developed in response to observed weaknessesdeveloped in response to observed weaknesses

to stop unauthorized traffic monitoring, secureto stop unauthorized traffic monitoring, secureuser traffic with authentication & encryptionuser traffic with authentication & encryption

example uses:example uses:

secure branch office connectivity over Internetsecure branch office connectivity over Internet

secure remote access over Internetsecure remote access over Internet extranet and intranet connectivityextranet and intranet connectivity

enhanced electronic commerce securityenhanced electronic commerce security

can encrypt / authenticate all traffic at IP levelcan encrypt / authenticate all traffic at IP level


52/61

IPSec FacilitiesIPSec Facilities

Authentication Header (AH)Authentication Header (AH)

authentication only serviceauthentication only service

Encapsulated Security Payload (ESP)Encapsulated Security Payload (ESP) combined authentication & encryption servicecombined authentication & encryption service

generally used for virtual private networksgenerally used for virtual private networks

key exchangekey exchange both manual and automatedboth manual and automated

in RFCs 2401,2402,2406,2408 (1998)in RFCs 2401,2402,2406,2408 (1998)


53/61

Security Association (SA)Security Association (SA)

oneone--way senderway sender--receiver relationshipreceiver relationship

for twofor two--way, need two security associationsway, need two security associations

three SA identification parametersthree SA identification parameters security parameter index (in AH/ESP header)security parameter index (in AH/ESP header)

IP destination address (unicast only)IP destination address (unicast only)

security protocol identifier (AH or ESP)security protocol identifier (AH or ESP) SA uniquely identified by dest address inSA uniquely identified by dest address in

IPv4/6 header and SPI in AH/ESP headerIPv4/6 header and SPI in AH/ESP header


54/61

SA ParametersSA Parameters

sequence number countersequence number counter

sequence counter overflowsequence counter overflow

antianti--reply windowsreply windowsAH informationAH information

ESP informationESP information

lifetime of this associationlifetime of this association

IPSec protocol modeIPSec protocol mode

path MTUpath MTU


55/61

Authentication HeaderAuthentication Header


56/61

Encapsulating SecurityEncapsulating Security

PayloadPayload


57/61

WiFi Protected AccessWiFi Protected Access

WiFi Protected Access (WPA) extensionsWiFi Protected Access (WPA) extensionsto address 802.11 security issuesto address 802.11 security issues

based on current 802.11i standardbased on current 802.11i standard

addresses authentication, key management,addresses authentication, key management,data transfer privacydata transfer privacy

uses authentication server and a moreuses authentication server and a more

robust protocolrobust protocol

encryption with AES or 104encryption with AES or 104--bit RC4bit RC4


58/61

WiFi Protected AccessWiFi Protected Access


59/61

802.11i Access Control802.11i Access Control


60/61

802.11i Privacy & Integrity802.11i Privacy & Integrity

have Temporal Key Integrity Protocolhave Temporal Key Integrity Protocol(TKIP) or WPA(TKIP) or WPA--11

s/w only changes to existing equipments/w only changes to existing equipment

using same RC4 algorithm as older WEPusing same RC4 algorithm as older WEP

and Counter Mode CBC MAC (CCMP) orand Counter Mode CBC MAC (CCMP) orWPAWPA--2 using AES encryption2 using AES encryption

both add message integrity code (MIC)both add message integrity code (MIC)

generated using Michael algorithmgenerated using Michael algorithm


61/61

SummarySummary

security requirements and attackssecurity requirements and attacks

confidentiality using symmetric encryptionconfidentiality using symmetric encryption

message authentication & hash functionsmessage authentication & hash functions publicpublic--key encryption & digital signatureskey encryption & digital signatures

secure socket layer (SSL)secure socket layer (SSL)

IPSecIPSecWiFi Protected AccessWiFi Protected Access

21-networksecurity

Documents