computer network security

Computer Network Security. Hyun-Sung Kim, Dept. of Computer Engineering, Kyungil University, [email protected]

Upload: deanna-vega

Post on 03-Jan-2016


TRANSCRIPT

Page 1: Computer Network Security

Computer Network Security

Hyun-Sung Kim
Dept. of Computer Engineering
Kyungil University
[email protected]

Page 2: Computer Network Security

Computer Network Security

Hyun-Sung Kim, Kyungil University

Index

Necessity of network security
Services for network security
Security techniques for Internet service
Secure Internet banking example

Page 3: Computer Network Security

Necessity

Web service, Mail service, Telnet service…

[Figure: Client A, Client B and a mobile node connected through routers and the Internet to the mail server, web server and Telnet server]

Page 4: Computer Network Security

Basic concerns

Page 5: Computer Network Security

Necessity

Basic scenario: requesting services from a remote server

– Attack : Bring the server down by sending many service requests
– Defense : Heavy traffic control
– Security hole : Other kinds of attacks that could break down the server

[Figure: Client A, Client B and a mobile node connected through routers and the Internet to the mail server, web server and Telnet server]

Page 6: Computer Network Security

Defense (Firewall)

Blocking incoming access by potential attackers
– IP check, Port check

[Figure: the network diagram (clients, mobile node, routers, Internet, mail, web and Telnet servers) with three firewalls added]

Page 7: Computer Network Security

Defense (IDS)

Detecting unauthorized access to a computer network
– Packet analysis, Event analysis

[Figure: the network diagram with three firewalls and three IDS added]

Page 8: Computer Network Security

Defense (N-IDS)

1. Network Packet
2. Detection Engine
3. Log
4. Alert
5. Database
6. Report

[Figure: the six N-IDS stages beside a network with the Internet, a router, a mobile node, Client A, a firewall and IDS]

Page 9: Computer Network Security

Defense (N-IDS)

1. Network Packet
2. Detection Engine
3. Log
4. Alert
5. Database
6. Report

[Figure: a packet arriving from the Internet at the IDS, laid out as Data link header | Internet header | Transport header | Application header | Data, with the transport header fields src port, dst port, FIN and SYN called out]

"SYN FIN SCAN Attack"

SYN FIN SCAN Attack was detected from 155.230.90.99 to 203.230.91.25 at 23:00 34 June 2004

Storing data for data forensics
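The detection-engine step on this slide, as an added example that is not part of the original slides: it reads the source and destination addresses, ports and TCP flag byte out of raw IPv4 packets and logs an alert when SYN and FIN are set together. The packets, timestamps and addresses (documentation ranges) are constructed for the example, and the function names are assumptions.

```python
import socket
import struct

TCP_FIN, TCP_SYN = 0x01, 0x02
RULE_NAME = "SYN FIN SCAN Attack"  # rule name as it appears on the slide


def build_packet(src, dst, sport, dport, flags):
    """Build a constructed IPv4+TCP packet (no options, checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_packet(packet):
    """Return (src, dst, sport, dport, flags), or None if not usable IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4           # Internet header length in bytes
    if ihl < 20 or packet[9] != socket.IPPROTO_TCP:
        return None
    if len(packet) < ihl + 14:             # truncated before the TCP flags byte
        return None
    sport, dport = struct.unpack_from("!HH", packet, ihl)
    flags = packet[ihl + 13]
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            sport, dport, flags)


def detect(packet, timestamp):
    """Stage 2: SYN and FIN never belong in the same legitimate segment."""
    parsed = parse_packet(packet)
    if parsed is None:
        return None
    src, dst, sport, dport, flags = parsed
    if flags & TCP_SYN and flags & TCP_FIN:
        return {"rule": RULE_NAME, "time": timestamp,
                "src": src, "dst": dst, "dport": dport}
    return None


def run_engine(capture):
    """Stages 2 to 4: run detection over the capture and keep every alert in a log."""
    log = []
    for timestamp, packet in capture:
        alert = detect(packet, timestamp)
        if alert is not None:
            log.append(alert)
    return log


# Constructed sample capture: a normal SYN, a normal FIN+ACK, and one SYN+FIN probe.
SAMPLE_CAPTURE = [
    ("23:00:01", build_packet("198.51.100.7", "203.0.113.25", 40001, 80, TCP_SYN)),
    ("23:00:02", build_packet("198.51.100.7", "203.0.113.25", 40001, 80, TCP_FIN | 0x10)),
    ("23:00:03", build_packet("192.0.2.10", "203.0.113.25", 40002, 23, TCP_SYN | TCP_FIN)),
]

if __name__ == "__main__":
    for alert in run_engine(SAMPLE_CAPTURE):
        print("{rule} was detected from {src} to {dst} at {time}".format(**alert))
```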

Page 10: Computer Network Security

Defense (Virus)

Detecting the instruction sequences of many types of virus
– Checks all the files on disk and instructions in memory

[Figure: the network diagram with three firewalls and three IDS]

Page 11: Computer Network Security

Is that all there is to security?

[Figure: clients, a mobile node and servers connected through routers and the Internet, each protected by a firewall and an IDS]

Page 12: Computer Network Security

Other concerns

Page 13: Computer Network Security

Necessity

Scenario 1: Access to a remote server by Telnet

– Attack : An illegal user tries to log in to a Telnet server
– Defense : Check for three login failures
– Security hole : Non-consecutive login attempts

[Figure: Client A, Client B and a mobile node connected through routers and the Internet to the mail server, web server and Telnet server]

Page 14: Computer Network Security

Necessity

Scenario 2: Access to files without permission

– Attack : An unauthorized user tries to access files illegally
– Defense : Role control
– Security hole : Is there any method to break the defense mechanism?

[Figure: Client A, Client B and a mobile node connected through routers and the Internet to the mail server, web server and Telnet server]

Page 15: Computer Network Security

Necessity

Scenario 3: Sending very important information over the Internet

– Attack : An illegal user tries to listen to the information
– Defense : Encoding & decoding
– Security hole : Is there any method to break the defense mechanism?

[Figure: the network diagram with the data "3510 2211…" in transit]

Page 16: Computer Network Security

Necessity

Scenario 4: Sending very important information over the Internet

– Attack : An illegal user tries to modify the information
– Defense : Encryption
– Security hole : Is there any method to break the defense mechanism?

[Figure: the network diagram with the data "3510 2211…" in transit]

Page 17: Computer Network Security

Necessity

Scenario 5: Repudiating what he did

– Attack : User denies what he did
– Defense : Signature
– Security hole : Is there any method to break the defense mechanism?

[Figure: the network diagram with the data "3510 2211…" in transit]

Page 18: Computer Network Security

Relation of service and mechanism

Applications : E-money, E-contract, Intrusion Detection, E-commerce, Biometric, Mobile Security, E-auction, Secure Multimedia, VPN, E-vote, Firewall
Services : Authentication, Non-repudiation, Access Control, Confidentiality, Integrity
Mechanisms : Encryption, Digital Signature, Access Control, Authentication, Key-Exchange
Algorithms : DES, AES, SEED, ElGamal, RSA, ECC, Hash Function, PRG

Page 19: Computer Network Security

Security services

Authentication -> Scenario 1
Access control -> Scenario 2
Confidentiality -> Scenario 3
Integrity -> Scenario 4
Non-repudiation -> Scenario 5

Page 20: Computer Network Security

Security services

Authentication
– An assurance that the identity is not false
– Ensures that the origin is correctly identified

Non-repudiation
– Requires that neither the sender nor the receiver of a message be able to deny the transmission

Page 21: Computer Network Security

Security services

Confidentiality
– Ensures that the information is accessible only by authorized parties

Integrity
– Ensures that only authorized parties are able to modify information

Page 22: Computer Network Security

Mechanisms

Encryption
Digital signature
Authentication
Key-exchange

Page 23: Computer Network Security

Mechanisms

Encryption
– DES, AES, SEED, ElGamal, RSA, ECC

Digital signature
– Public-key cryptosystem

Authentication
– Public-key cryptosystem

Key-exchange
– Diffie-Hellman key-exchange protocol

Page 24: Computer Network Security

Cryptography

Confidentiality

Integrity

Page 25: Computer Network Security

Cryptography

[Figure: clients, a mobile node and servers connected through routers and the Internet, each protected by a firewall and an IDS]

Insecure channel => Secure channel (Symmetric-key and Public-key system)

Page 26: Computer Network Security

Cryptography

Symmetric-key cryptosystem

Sender : plaintext -> Encryption Algorithm -> ciphertext, $C = E(P, K)$
Receiver : ciphertext -> Decryption Algorithm -> plaintext, $P = D(C, K)$

The same key (K) is held by the sender and the receiver

Page 27: Computer Network Security

Cryptography

Symmetric-key cryptosystem
– Caesar Cipher (Basic scheme)

Key => 3

Plain text : meet me after the party
Cipher text : phhw ph diwhu wkh sduwb

Encryption algorithm : Addition
Decryption algorithm : Subtraction

Page 28: Computer Network Security

Cryptography

Symmetric-key cryptosystem
– Problems in Caesar Cipher
  • The key size is so small : -25 ~ 25 (about 50 keys)
  • Weak against the brute force attack
– Solutions
  • Enlarge the key size
  • Apply more complex operations
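The Caesar cipher from the previous slide and the small-key-space problem named here, as an added example that is not part of the original slides: encryption is addition of the key, decryption is subtraction, and because so few keys exist, trying every one and scoring the result against a short word list recovers both key and plaintext. The word list and function names are assumptions made for the example.

```python
import string

# Constructed list of very common English words, used only to score candidates.
COMMON_WORDS = {"the", "and", "to", "of", "a", "in", "is",
                "me", "you", "after", "that", "it"}


def caesar(text, key):
    """Shift every letter by `key` positions (addition); a negative key decrypts."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + key) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + key) % 26 + ord("A")))
        else:
            out.append(ch)          # spaces and punctuation pass through unchanged
    return "".join(out)


def brute_force(ciphertext):
    """Try all 25 non-trivial shifts; return (key, plaintext) with the best score."""
    best_score, best_key, best_text = 0, 0, ciphertext
    for key in range(1, 26):
        candidate = caesar(ciphertext, -key)
        score = sum(word in COMMON_WORDS for word in candidate.lower().split())
        if score > best_score:
            best_score, best_key, best_text = score, key, candidate
    return best_key, best_text


if __name__ == "__main__":
    ciphertext = caesar("meet me after the party", 3)
    print(ciphertext)
    print(brute_force(ciphertext))
```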

Page 29: Computer Network Security

Cryptography

Symmetric-key cryptosystem
– DES (Data Encryption Standard)
  • Key size : 56 bits
  • Basic operations
    – Transposition
    – Substitution
    – XOR
    – Shift
  • USA standard
    – DES : from 1977 to 1998
    – AES : 2001 draft

Page 30: Computer Network Security

DES (Data Encryption Standard)

[Figure: overall DES structure. Data path: 64-bit plaintext -> Initial permutation -> Round 1 -> Round 2 -> … -> Round 16 -> 32-bit swap -> Inverse IP -> 64-bit ciphertext. Key path: 56-bit key -> Permuted choice 1 -> Left circular shift -> Permuted choice 2 for each round, giving the round keys K1, K2, K3, …]

Page 31: Computer Network Security

DES (Data Encryption Standard)

[Figure: a single DES round. Data path: $L_{i-1}$ and $R_{i-1}$ (32 bits each); $R_{i-1}$ passes through expansion/permutation (48 bits), XOR with $K_i$ (48 bits), substitution/choice (S-box) (32 bits) and permutation (32 bits), followed by XOR, giving $L_i$ and $R_i$. Key path: $C_{i-1}$ and $D_{i-1}$ (28 bits each), a left shift on each, then permutation/contraction (permuted choice 2) giving $K_i$, with $C_i$ and $D_i$ carried to the next round]

Page 32: Computer Network Security

Cryptography

Symmetric-key cryptosystem
– The strength of DES

Key size   Number of alternative keys           One encryption per microsecond   $10^6$ encryptions per microsecond
32 bits    $2^{32} = 4.3 \times 10^{9}$         35.8 minutes                     2.15 ms
56 bits    $2^{56} = 7.2 \times 10^{16}$        1142 years                       10.01 h
128 bits   $2^{128} = 3.4 \times 10^{38}$       $10^{24}$ years                  $5.4 \times 10^{18}$ years

Page 33: Computer Network Security

Cryptography

Is DES secure enough?
– No!
  • There are potential weaknesses
  • Key size is not secure enough

Is there any alternative?
– Yes!
  • Enlarge key size from 56 to 128 => Triple DES
  • AES

Page 34: Computer Network Security

Cryptography

Symmetric-key cryptosystem

Sender : plaintext -> Encryption Algorithm -> ciphertext, $C = E(P, K)$
Receiver : ciphertext -> Decryption Algorithm -> plaintext, $P = D(C, K)$

The same key (K) is held by the sender and the receiver

Page 35: Computer Network Security

Cryptography

Public-key cryptosystem

Sender : plaintext -> Encryption Algorithm with the public key ($PU_R$) -> ciphertext, $C = E(P, PU_R)$
Receiver : ciphertext -> Decryption Algorithm with the private key ($PR_R$) -> plaintext, $P = D(C, PR_R)$

Keys shown : $PU_R$, $PU_S$, $PR_R$, $PR_S$

Page 36: Computer Network Security

Cryptography

Public-key cryptosystem
– RSA (Rivest, Shamir, Adleman)

Input size : less than or equal to n
Encryption : $C = M^e \bmod n$
Decryption : $M = C^d \bmod n = (M^e)^d \bmod n$

Public-key = {e,n}, Private-key = {d,n}

Page 37: Computer Network Security

Cryptography

Public-key cryptosystem
– RSA (Rivest, Shamir, Adleman)

* Key Generation
  • Select p, q, both prime
  • Calculate $n = p \cdot q$
  • Calculate $\phi(n) = (p-1)(q-1)$
  • Select integer e such that $\gcd(\phi(n), e) = 1$; $1 < e < \phi(n)$
  • Calculate d, $d = e^{-1} \bmod \phi(n)$
  • Public key = {e,n}, Private key = {d,n}

Page 38: Computer Network Security

Cryptography

Key Generation
– Select p, q, both prime
– Calculate $n = p \cdot q$
– Calculate $\phi(n) = (p-1)(q-1)$
– Select integer e such that $\gcd(\phi(n), e) = 1$; $1 < e < \phi(n)$
– Calculate d, $d = e^{-1} \bmod \phi(n)$
– Public key = {e,n}, Private key = {d,n}

Example
– p = 7, q = 17
– $n = pq = 7 \cdot 17 = 119$
– $\phi(n) = 6 \cdot 16 = 96$
– e = 5
– Determine d: $de = 1 \bmod 96$, d = 77, $77 \cdot 5 = 385 \equiv 1 \pmod{96}$
– Public key = {5,119}, Private key = {77,119}

Page 39: Computer Network Security

RSA (Rivest, Shamir, Adleman)

Sender : M = 19
Encryption with {5,119} : $19^5 \bmod 119$; $19^5 = 2476099$, and 2476099/119 = 20807 with a remainder of 66
Ciphertext : 66
Receiver : Decryption with {77,119} : $66^{77} \bmod 119$, giving M = 19
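The key generation, encryption and decryption steps of the RSA slides, run on the slides' own numbers (p = 7, q = 17, e = 5, M = 19), as an added example that is not part of the original slides. The function names are assumptions, and `recover_private_key` is a hypothetical helper that shows why a modulus this small gives no protection: once n is factored, the key-generation steps can simply be repeated.

```python
from math import gcd


def rsa_keygen(p, q, e):
    """n = p*q, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n); returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(phi, e) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(phi(n), e) = 1")
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(value, key):
    """Modular exponentiation with either key: value^exponent mod n."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("input must be smaller than n")
    return pow(value, exponent, n)


def recover_private_key(public_key):
    """Factor a toy modulus by trial division and rebuild the private key."""
    e, n = public_key
    p = next((f for f in range(2, int(n ** 0.5) + 1) if n % f == 0), None)
    if p is None:
        raise ValueError("n has no non-trivial factor")
    return rsa_keygen(p, n // p, e)[1]


if __name__ == "__main__":
    public, private = rsa_keygen(7, 17, 5)
    print("public", public, "private", private)

    # Confidentiality: encrypt with the receiver's public key, decrypt with the private key.
    c = rsa_apply(19, public)
    print("ciphertext", c, "-> plaintext", rsa_apply(c, private))

    # Signature: transform with the private key, check with the public key.
    s = rsa_apply(19, private)
    print("signature", s, "verifies:", rsa_apply(s, public) == 19)

    # The factoring problem on a 7-bit modulus is trivial.
    print("private key recovered from the public key:", recover_private_key(public))
```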

Page 40: Computer Network Security

Cryptography

Public-key cryptosystem
– The security of RSA
  • Brute force
  • Mathematical attacks
    – The factoring problem: finding the two large primes p and q from n
  • Timing attacks

Page 41: Computer Network Security

Cryptography

Is RSA secure enough?
– Yes!
  • But it requires a large key size, 1024

Is there any alternative?
– Yes!
  • ECC with a much smaller key size, 160 bits

Page 42: Computer Network Security

Cryptography

Symmetric-key system
– One key is used
– Disadvantage
  • Difficult to share the key
– Advantage
  • High speed, substitution and transposition

Public-key system
– Two keys are used
– Advantage
  • Easy to share the public key
– Disadvantage
  • Low speed, exponentiation

Page 43: Computer Network Security

Cryptography

Digital signature

Authentication

Page 44: Computer Network Security

Cryptography

Public-key cryptosystem
– Digital signature and authentication

Sender : plaintext -> Encryption Algorithm with the private key ($PR_S$) -> signed text, $C = E(P, PR_S)$
Receiver : signed text -> Decryption Algorithm with the public key ($PU_S$) -> plaintext, $P = D(C, PU_S)$

Keys shown : $PU_R$, $PU_S$, $PR_R$, $PR_S$

Page 45: Computer Network Security

Encryption vs. Digital signature

Encryption
– Sender : Encryption Algorithm with $PU_R$
– Receiver : Decryption Algorithm with $PR_R$

Digital signature
– Sender : Encryption Algorithm with $PR_S$
– Receiver : Decryption Algorithm with $PU_S$

Page 46: Computer Network Security

Cryptography

Confidentiality with Digital signature

Page 47: Computer Network Security

First step for Digital signature
– Sender : Encryption Algorithm with $PR_S$

Second step for Encryption
– Sender : Encryption Algorithm with $PU_R$

Receiver
– Decryption Algorithm with $PR_R$ and $PU_S$

Page 48: Computer Network Security

Cryptography

Non-repudiation

Page 49: Computer Network Security

Cryptography

Public-key distribution with a trusted third party (Certificate authority)

[Figure: User A sends $PU_A$ to the CA and receives $C_A = E_{PR_{CA}}[Time_1, ID_A, PU_A]$; User B sends $PU_B$ to the CA and receives $C_B = E_{PR_{CA}}[Time_2, ID_B, PU_B]$; the users exchange $C_A$ and $C_B$, and each holds $PU_{CA}$]

Page 50: Computer Network Security

Cryptography

Key exchange

Page 51: Computer Network Security

Cryptography

With a certificate

Sender : Key -> Encryption Algorithm with $PU_R$ -> Ciphered Key
Receiver : Ciphered Key -> Decryption Algorithm with $PR_R$ -> Key

Page 52: Computer Network Security

Cryptography

Diffie-Hellman key exchange protocol

User A
– Select private XA
– Calculate public YA : YA = XA mod q
– Send YA to User B
– Generate secret key : $K = (Y_B)^{X_A} \bmod q$

User B
– Select private XB
– Calculate public YB : YB = XB mod q
– Send YB to User A
– Generate secret key : $K = (Y_A)^{X_B} \bmod q$
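Both sides of the Diffie-Hellman exchange on this slide, as an added example that is not part of the original slides. The public base does not survive in the transcript, so the code assumes the usual form, public value = g^X mod q; the toy parameters q = 353 and g = 3 and all function names are constructed for the example. The check on the peer's value before use is an addition a receiver needs, since 0, 1 and q-1 would force a predictable key.

```python
import secrets

Q = 353   # constructed toy prime modulus; real deployments use primes of 2048 bits or more
G = 3     # constructed public base (assumption: the slide's base symbol is not in the transcript)


def dh_public(private, g=G, q=Q):
    """Public value sent to the peer: g^X mod q."""
    return pow(g, private, q)


def dh_check_peer(public, q=Q):
    """Reject peer values that would pin the shared key to 0, 1 or q-1."""
    if not 1 < public < q - 1:
        raise ValueError("peer public value out of range")


def dh_keypair(g=G, q=Q):
    """Pick a random private X in [2, q-2] whose public value passes the peer check."""
    while True:
        private = secrets.randbelow(q - 3) + 2
        public = dh_public(private, g, q)
        if 1 < public < q - 1:
            return private, public


def dh_shared(peer_public, private, q=Q):
    """Secret key K = (peer's Y)^(own X) mod q, after validating the peer's value."""
    dh_check_peer(peer_public, q)
    return pow(peer_public, private, q)


if __name__ == "__main__":
    xa, ya = dh_keypair()            # User A
    xb, yb = dh_keypair()            # User B
    # Only YA and YB cross the network; XA and XB never leave their owners.
    ka = dh_shared(yb, xa)
    kb = dh_shared(ya, xb)
    print("YA =", ya, "YB =", yb, "K agrees:", ka == kb)
```

The exchange itself does not tell either user who sent the public value, which is why the banking example later in the deck pairs key exchange with certificates.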

Page 53: Computer Network Security

Secure Internet Banking

Page 54: Computer Network Security

Secure Internet Banking

User authentication
Issue a certificate
Key-exchange
Transaction
Additional security with a secret card

Page 55: Computer Network Security

Secure Internet Banking

User authentication

[Figure: the user sends a login request (ID, Password) over SSL to the banking server, which accepts or rejects it; a certificate request goes to the CA, which issues a certificate]

Page 56: Computer Network Security

Secure Internet Banking

Key exchange

[Figure: the user and the banking server exchange a key for the session, using the certificate and $E(PU_C, Key)$]

Page 57: Computer Network Security

Secure Internet Banking

Transaction

[Figure: messages to the banking server are sent as $C = E(M, Key)$, or as $C = E(M, Key, Alt.Key)$ when the secret card is used]

Secret Card

1:8975 2:1348 3:1796 4:2465 5:2696 6:3147
…28:1323 29:1369 30:1416

Page 58: Computer Network Security

Relation of service and mechanism

Applications : E-money, E-contract, Intrusion Detection, E-commerce, Biometric, Mobile Security, E-auction, Secure Multimedia, VPN, E-vote, Firewall
Services : Authentication, Confidentiality, Integrity, Non-repudiation, Access Control
Mechanisms : Encryption, Digital Signature, Access Control, Authentication, Key-Exchange
Algorithms : DES, AES, SEED, ElGamal, RSA, ECC, Hash Function, PRG

Page 59: Computer Network Security

Relation of service and mechanism

Services          Mechanisms                  Algorithms            Cryptosystem
Confidentiality   Encryption, Key exchange    DES, AES, RSA, ECC    Symmetric-key & Public-key
Integrity         Encryption, Key exchange    DES, AES, RSA, ECC    Symmetric-key & Public-key
Authentication    Digital Signature           RSA, ECC, DSS         Public-key
Non-repudiation   Digital Signature           RSA, ECC, DSS         Public-key

Page 60: Computer Network Security

Thank you!

Hyun-Sung Kim

[email protected]