Chapter 14 Network Encryption
Communications Security
• Physical protection works for local networks
– Impractical for long-distance communications
• Types of attacks
– Passive – eavesdropping or sniffing
– Active – maliciously create or modify data
• Crypto techniques protect data when outside our physical control
– Confidentiality, Integrity
– Authenticity, Nonrepudiation
Crypto by Layers
Applying Crypto Layers
• We get different results when we apply crypto at different layers
– Different key distribution requirements
– Data protected in different places and ways
• Transparency – does crypto interfere?
– Network transparency: can the network still carry our traffic with the crypto applied?
– Application transparency: is crypto applied without affecting the application?
Layer 2: Link Encryption
Layer 3: Network Encryption
Layer 4: Transport Encryption
Layer 7: Application Encryption
Administrative and Policy Issues
• Scope of sniffing protection
• Traffic filtering – does the crypto interfere?
• Automatic encryption – must we rely on the end user to enable crypto for sensitive data?
• Access to Internet sites – full, automatic encryption makes Internet access impossible
• End-to-end crypto – do we need to associate crypto operations with end users?
• Keying – do end users need to manage keys?
We will review all of these at the end
Crypto Keys on the Network
• The key management problem
– Ensure that the right people have keys
– Prevent attackers from uncovering keys
• Key distribution objectives
– Ensure that keys are changed periodically
– Change keys when access rights change
• The default keying risk: keys installed by vendor
– Default keys work “out of the box”
– Attackers also have copies of the default keys
Key Distribution Strategies
• One big cryptonet – share the same secret key with everyone who must communicate safely
• Groups of cryptonets – share the same key among smaller communities of users
• Pairwise key sharing – one per endpoint pair
• Key distribution center – a shared server that distributes working keys to approved users
• Public key distribution – use public key techniques to distribute keys
Key Distribution Techniques
• Manual keying
– Distribute all keys ‘by hand’ in person or via trustworthy couriers – often a starting point
• Simple rekeying
– Unreliable tricks to replace an existing key
• Secret-key techniques
– Wrapping, KDCs, hashing
• Public-key techniques
– Diffie-Hellman, RSA
Simple Rekeying: Weak
• Self-rekeying
– Use a PRNG to transform the current key into a new one
– Separate endpoints can apply the same PRNG to yield the same key
• New keys encrypted with old
– Generate a new, random key
– Use previous key to encrypt it for distribution
• Both techniques may leak all traffic if old keys are disclosed
Stronger Secret Key Building Blocks
• Key Wrapping
– Use wrapping technique from Chapter 8 to protect keys carried in network messages
– Traffic Encrypting Key (TEK) wrapped by a Key Encrypting Key (KEK)
• Key Distribution Center (KDC)
– The center distributes wrapped keys
– Authorized users share a secret with the KDC
• Shared Secret Hashing
– Generate a new key using a one-way hash
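As an added illustration (not from the slides) of the weak rekeying on the previous slide versus shared secret hashing here, the Python below models self-rekeying as a deterministic hash chain and shared secret hashing as an HMAC over a long-term secret plus a fresh nonce; SHA-256 standing in for the slide's PRNG, the HMAC label and the key sizes are constructed choices. The second weak technique (new key encrypted under the old) fails the same way, since a disclosed old key unwraps its successor.

```python
import hashlib
import hmac
import secrets

# Weak self-rekeying: the next key is a deterministic function of the current one.
# SHA-256 stands in for the slide's PRNG (a constructed choice for this example).
def self_rekey(current_key: bytes) -> bytes:
    return hashlib.sha256(current_key).digest()

def key_chain(start_key: bytes, n: int) -> list:
    """Return [start_key, rekey(start_key), rekey(rekey(start_key)), ...] after n steps."""
    keys = [start_key]
    for _ in range(n):
        keys.append(self_rekey(keys[-1]))
    return keys

# Stronger shared secret hashing: each new traffic key mixes a long-term secret that
# never crosses the network with a fresh per-rekey nonce (HMAC-SHA256 with a "TEK" label).
def hashed_key(shared_secret: bytes, nonce: bytes) -> bytes:
    return hmac.new(shared_secret, b"TEK" + nonce, hashlib.sha256).digest()

def demo() -> tuple:
    k0 = secrets.token_bytes(16)
    chain = key_chain(k0, 3)
    # An eavesdropper who later learns chain[1] recomputes chain[2] and chain[3] with
    # no further secrets, so traffic under every later key in the chain is exposed.
    recovered = key_chain(chain[1], 2)
    weak_leaks_future = recovered == chain[1:]

    secret = secrets.token_bytes(32)                       # shared out of band, never sent
    nonces = [secrets.token_bytes(16) for _ in range(3)]   # may travel in the clear
    strong = [hashed_key(secret, nonce) for nonce in nonces]
    # Disclosure of strong[0] plus every nonce gives no path to strong[1] without `secret`.
    strong_keys_distinct = len(set(strong)) == len(strong)
    return weak_leaks_future, strong_keys_distinct
```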
Key Wrapping
Key Distribution Center
Shared Secret Hashing
Public Key Building Blocks
• Anonymous Diffie-Hellman secret sharing
– D-H inherently constructs a shared secret
– We can use it to construct a temporary shared secret for any two endpoints
• RSA key wrapping (encapsulation)
– One endpoint (the client) creates a secret key shared with the other endpoint (the server)
– Only the server needs a public key pair
– Client needs a copy of the server’s public key
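The anonymous Diffie-Hellman exchange described above, as an added example that is not part of the slides: both endpoints' messages, the matching shared secret, and the hashing of that secret into a traffic key. The group (p = 2**127 - 1, g = 5) is a constructed toy; deployed systems use standardized groups of at least 2048 bits.

```python
import hashlib
import secrets

# Constructed toy group: p is the Mersenne prime 2**127 - 1 and g = 5 a fixed base.
# These values only keep the arithmetic readable; they are far too small for real use.
P = 2**127 - 1
G = 5

def is_valid_peer_value(y: int, p: int = P) -> bool:
    """Reject degenerate public values (0, 1, p-1) that would force a predictable secret."""
    return 2 <= y <= p - 2

def dh_keypair(p: int = P, g: int = G) -> tuple:
    private = secrets.randbelow(p - 3) + 2          # uniform in [2, p-2]
    return private, pow(g, private, p)

def dh_shared_secret(private: int, peer_public: int, p: int = P) -> int:
    if not is_valid_peer_value(peer_public, p):
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)

def session_key(shared: int) -> bytes:
    """Hash the raw D-H result into a fixed-size traffic key (shared secret hashing)."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def anonymous_dh_exchange() -> tuple:
    a_priv, a_pub = dh_keypair()       # endpoint A keeps a_priv, sends a_pub
    b_priv, b_pub = dh_keypair()       # endpoint B keeps b_priv, sends b_pub
    # Nothing on the wire ties a_pub or b_pub to an identity; that is what "anonymous"
    # means, and why a higher layer (certificates, a KDC) must authenticate the values
    # before the resulting key is trusted against an active attacker.
    return (session_key(dh_shared_secret(a_priv, b_pub)),
            session_key(dh_shared_secret(b_priv, a_pub)))
```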
Anonymous Diffie-Hellman
RSA Key Wrapping
Trade-Off: Public and Secret Keys
Secret Key
• Limited resources
• Clearly defined user community
• Revocation must be timely and reliable
• Small user community
• Trustworthy servers are available
Public Key
• User community can’t be identified ahead of time
• Large community, and
• Untrustworthy server computer
• Inefficient revocation is an acceptable risk
Application Layer Encryption
Email key wrapping and encryption
• [Insert figure 14.16]
Transport Layer Security: SSL/TLS
• Secure Sockets Layer (SSL)
– Developed by Netscape in 1994
– Part of commercial client/server Web package
– First really successful public-key application
• Inherited by the IETF
– Now called Transport Layer Security (TLS)
• Three-part protocol
– Handshake protocol – key exchange
– Record protocol – data exchange
– Alert protocol – errors and session shutdown
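Added example (not from the slides): a minimal parser for the TLS record layer showing how the three sub-protocols share one framing, each record carrying a content type, version and length, with a 4-byte handshake header or 2-byte alert inside. The sample byte stream is constructed, not a capture.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   16: "client_key_exchange", 20: "finished"}

def parse_records(data: bytes) -> list:
    """Split a TLS byte stream into records and tag each with its sub-protocol."""
    records = []
    off = 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        rec = {"type": CONTENT_TYPES.get(ctype, "unknown"),
               "version": (major, minor), "len": length}
        if ctype == 22 and length >= 4:
            # Handshake messages carry their own 1-byte type and 3-byte length.
            rec["handshake"] = HANDSHAKE_TYPES.get(body[0], "unknown")
            rec["hs_len"] = int.from_bytes(body[1:4], "big")
        elif ctype == 21 and length == 2:
            # Unencrypted alert: level (1 = warning, 2 = fatal) and description code.
            rec["alert"] = ("warning" if body[0] == 1 else "fatal", body[1])
        records.append(rec)
        off += 5 + length
    return records

# Constructed sample stream: a minimal ClientHello handshake record, an
# application-data record, and a close_notify alert (warning, description 0).
# Once keys are in place, handshake and alert bodies are encrypted too, so only the
# outer content type stays readable on the wire (TLS 1.3 hides even that).
SAMPLE = (
    b"\x16\x03\x01\x00\x06" + b"\x01\x00\x00\x02\x03\x03"
    + b"\x17\x03\x03\x00\x05" + b"hello"
    + b"\x15\x03\x03\x00\x02" + b"\x01\x00"
)
```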
SSL Handshake Protocol
SSL Key Construction
SSL Record Transmission
Network Layer Encryption
• Provides both application transparency and network transparency
• Primary use: Virtual Private Networks (VPNs)
– Network carries plaintext inside a site
– VPN gateway encrypts data between sites
• “Proxy encryption”
– Remote users use VPN crypto to access site
• IPsec – IP Security Protocol
– Used for Internet VPNs
Example VPN
Encryption by an IPsec Gateway
IPsec Encrypted Packet
Internet Key Exchange (IKE) Protocol
Wireless LAN Encryption
• Wired Equivalent Privacy (WEP)
– Introduced with early Wi-Fi products
– Used RC4 and 40-bit keys
– Later increased to 128-bit keys (WEP 2)
– Successful attacks in early 2000s
• Wi-Fi Protected Access (WPA, WPA2)
– First WPA designed to work with existing Wi-Fi hardware (still used RC4)
– WPA2 uses AES, improved integrity protection, and improved key exchange
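Added example (not from the slides) of the design flaw behind the WEP attacks noted above: textbook RC4 plus the WEP per-frame key (a 24-bit IV prepended to the 40-bit shared key), showing that two frames sent under the same IV share a keystream, so an eavesdropper learns the XOR of their plaintexts from the ciphertexts alone. The shared key and frames are constructed values; the CRC-32 ICV that WEP appends is omitted.

```python
def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key scheduling, then n bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    return xor_bytes(data, rc4_keystream(key, len(data)))

def wep_frame(iv: bytes, shared_key: bytes, payload: bytes) -> bytes:
    """WEP per-frame key = 24-bit IV || shared key; the IV travels in the clear."""
    assert len(iv) == 3 and len(shared_key) in (5, 13)    # 40- or 104-bit shared key
    return iv + rc4_encrypt(iv + shared_key, payload)

def keystream_reuse_leak(frame1: bytes, frame2: bytes):
    """What a passive listener learns from two frames with the same IV, knowing no key:
    the XOR of the ciphertexts equals the XOR of the plaintexts, because both frames
    were encrypted with the identical keystream. Returns None when the IVs differ."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor_bytes(frame1[3:], frame2[3:])

# Constructed demo values. With only 2**24 IVs, a busy network repeats one within
# about 16 million frames, which is why WPA2 moved to AES with a proper key exchange.
SHARED_KEY = b"\x01\x02\x03\x04\x05"
P1 = b"GET /index.html "
P2 = b"POST /login.php "
F1 = wep_frame(b"\x00\x00\x01", SHARED_KEY, P1)
F2 = wep_frame(b"\x00\x00\x01", SHARED_KEY, P2)
```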
WPA2 Crypto Format
Crypto Policy: Sniffing
Crypto Policy: Automatic Encryption
Crypto Policy: Others
End of Chapter 14