FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2nd ed. Chapter 9 Encryption and Firewalls

Source: people.ysu.edu/~mawelton/CSIS3755/CSIS 3755 - Chapter 9.pdf · 2010-10-14



Learning Objectives

Describe the role encryption plays in a firewall architecture

Explain how digital certificates work and why they are important security tools

Analyze the workings of SSL, PGP, and other popular encryption schemes

Discuss Internet Protocol Security (IPSec) and identify its protocols and modes

Firewalls & Network Security, 2nd ed. - Chapter 9 Slide 2


Firewalls and Encryption

Hackers take advantage of a lack of encryption

Encryption:

– Preserves data integrity

– Increases confidentiality

– Is relied upon by user authentication

– Plays a fundamental role in enabling VPNs


Hacker and an Unencrypted Packet


Hacker and an Encrypted Packet


The Cost of Encryption

CPU resources and time

The bastion host that hosts the firewall should be robust enough to manage encryption and other security functions

Encrypted packets may need to be padded to a uniform length to ensure that some algorithms work effectively

Encryption can result in slowdowns

Monitoring can burden the system administrator


Preserving Data Integrity

Even encrypted sessions can go wrong as a result of man-in-the-middle attacks

Encryption can provide nonrepudiation using a digital signature


Maintaining Confidentiality

Encryption conceals information to render it unreadable to all but the intended recipients


Authenticating Network Clients

Firewalls need to trust that the person's claimed identity is genuine

Firewalls that handle encryption can be used to identify individuals who have "digital ID cards" that include encrypted codes:

– Digital signatures

– Public keys

– Private keys


Enabling Virtual Private Networks (VPNs)

As an integral part of VPNs, encryption:

– Enables the firewall to determine whether the user who wants to connect to the VPN is actually authorized to do so

– Encodes the payload of information to maintain privacy


Principles of Cryptography

Encryption: the process of converting an original message into a form that cannot be understood by unauthorized individuals

Cryptology, the science of encryption, encompasses two disciplines:

– Cryptography: describes the processes involved in encoding and decoding messages so that others cannot understand them

– Cryptanalysis: the process of deciphering the original message (plaintext) from an encrypted message (ciphertext) without knowing the algorithms and keys used to perform the encryption


Encryption Definitions

Algorithm: the mathematical formula or method used to convert an unencrypted message into an encrypted message

Cipher: the transformation of the individual components (characters, bytes, or bits) of an unencrypted message into encrypted components

Ciphertext or cryptogram: the unintelligible encoded message resulting from an encryption

Cryptosystem: the set of transformations necessary to convert an unencrypted message into an encrypted message


Encryption Definitions (continued)

Decipher: to decrypt or convert ciphertext to plaintext

Encipher: to encrypt or convert plaintext to ciphertext

Key or cryptovariable: the information used in conjunction with the algorithm to create the ciphertext from the plaintext; it can be a series of bits used in a mathematical algorithm or the knowledge of how to manipulate the plaintext

Keyspace: the entire range of values that can possibly be used to construct an individual key


Encryption Definitions (continued)

Plaintext: the original unencrypted message that is encrypted and that results from successful decryption

Steganography: the process of hiding messages, usually within graphic images

Work factor: the amount of effort (usually expressed in units of time) required to perform cryptanalysis on an encoded message


Cryptographic Notation

M represents the original message; C represents the ciphertext; E represents the encryption process; D represents the decryption process; K represents a key

So…

E(M) = C: encrypting a message results in ciphertext

D(C) = M and D[E(M)] = M: decrypting the ciphertext recovers the original message

E(M,K) = C specifies encrypting the message with a key; keys can be annotated K1, K2, etc. in the case of multiple keys


Common Ciphers

In encryption, the most commonly used algorithms include three functions: substitution, transposition, and XOR

In a substitution cipher, you substitute one value for another; a monoalphabetic substitution uses only one alphabet, and a polyalphabetic substitution uses two or more alphabets

The transposition cipher (or permutation cipher) simply rearranges the values within a block to create the ciphertext; this can be done at the bit level or at the byte (character) level


Common Ciphers (continued)

In the XOR cipher conversion, the bit stream is subjected to a Boolean XOR function against some other data stream, typically a key stream

XOR works as follows:

– '0' XOR'ed with '0' results in a '0' (0 ⊕ 0 = 0)

– '0' XOR'ed with '1' results in a '1' (0 ⊕ 1 = 1)

– '1' XOR'ed with '0' results in a '1' (1 ⊕ 0 = 1)

– '1' XOR'ed with '1' results in a '0' (1 ⊕ 1 = 0)

Simply put, if the two values are the same, you get "0"; if not, you get "1"

This process is reversible; that is, if you XOR the ciphertext with the key stream, you get the plaintext
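The three primitive operations named on these two slides, substitution, transposition and XOR, written out as an added Python example (this code is not from the textbook; the key alphabet, the permutation and the key stream used are constructed values, and each operation is paired with its inverse so the reversibility can be checked):

```python
"""Added example, not from the textbook: the three primitive operations the
chapter names (substitution, transposition, XOR), each as an encrypt/decrypt
pair so that the reversibility of each can be checked."""
import string

ALPHABET = string.ascii_uppercase


def make_substitution_table(key_alphabet: str) -> dict:
    """Monoalphabetic substitution: one fixed mapping from plain to cipher letters.
    key_alphabet is a constructed 26-letter permutation of A-Z."""
    if sorted(key_alphabet) != list(ALPHABET):
        raise ValueError("key alphabet must be a permutation of A-Z")
    return dict(zip(ALPHABET, key_alphabet))


def substitute(text: str, table: dict) -> str:
    # Characters outside the table (spaces, digits) pass through unchanged.
    return "".join(table.get(ch, ch) for ch in text.upper())


def invert(table: dict) -> dict:
    """The decryption table is simply the mapping reversed."""
    return {cipher: plain for plain, cipher in table.items()}


def transpose(block: bytes, perm: list) -> bytes:
    """Transposition (permutation) cipher at the byte level: the values are
    unchanged, only their positions move. perm[i] is the input position that
    supplies output position i."""
    if len(block) != len(perm):
        raise ValueError("permutation must cover the whole block")
    return bytes(block[p] for p in perm)


def untranspose(block: bytes, perm: list) -> bytes:
    """Inverse of transpose: put each byte back where it came from."""
    out = bytearray(len(block))
    for i, p in enumerate(perm):
        out[p] = block[i]
    return bytes(out)


def xor_stream(data: bytes, keystream: bytes) -> bytes:
    """XOR cipher: each data byte against the corresponding key-stream byte.
    Applying it a second time with the same key stream restores the input."""
    if len(keystream) < len(data):
        raise ValueError("key stream must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, keystream))
```

Substitution and transposition leave the letter statistics of the plaintext in place (substitution keeps the frequencies, transposition keeps the letters themselves), which is why the chapter's later slides on frequency analysis apply to them; XOR against a key stream hides those statistics only as long as the key stream is unpredictable and never reused.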


Vernam Cipher

Also known as the one-time pad, the Vernam cipher was developed at AT&T and uses a set of characters that are used for encryption operations only one time and then discarded

The values from this one-time pad are added to the block of text, and the resulting sum is converted to text
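An added Python example (not the textbook's code) of the additive one-time pad just described: pad values are added to letter positions modulo 26, the sum is converted back to a letter, and the pad object refuses to hand out any value twice, which is the property that makes the pad "one-time". The pad values in the usage are constructed.

```python
"""Added example, not from the textbook: a Vernam / one-time pad over the
letters A-Z. Pad values are added to plaintext letter positions modulo 26,
the sum is converted back to letters, and each pad value is used once."""
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def generate_pad(length: int) -> list:
    """Pad values drawn from a cryptographic RNG; both parties must hold an
    identical copy, delivered out of band."""
    return [secrets.randbelow(26) for _ in range(length)]


class OneTimePad:
    """One party's copy of the pad. Every encrypt or decrypt consumes pad
    material; once it is gone, no further traffic is allowed."""

    def __init__(self, pad):
        self._pad = list(pad)
        self._used = 0  # how many pad values have been consumed so far

    def _take(self, n):
        if self._used + n > len(self._pad):
            raise ValueError("pad exhausted: pad material must never be reused")
        chunk = self._pad[self._used:self._used + n]
        self._used += n
        return chunk

    def encrypt(self, plaintext: str) -> str:
        # Only letters are enciphered; the pad is consumed one value per letter.
        letters = [ch for ch in plaintext.upper() if ch in ALPHABET]
        chunk = self._take(len(letters))
        return "".join(ALPHABET[(ALPHABET.index(p) + k) % 26]
                       for p, k in zip(letters, chunk))

    def decrypt(self, ciphertext: str) -> str:
        # Decryption subtracts the same pad values modulo 26.
        chunk = self._take(len(ciphertext))
        return "".join(ALPHABET[(ALPHABET.index(c) - k) % 26]
                       for c, k in zip(ciphertext, chunk))


if __name__ == "__main__":
    pad = generate_pad(64)
    sender, receiver = OneTimePad(pad), OneTimePad(pad)
    ct = sender.encrypt("MEET AT NOON")
    print(ct, receiver.decrypt(ct))
```

With a constructed pad of [3, 0, 25, 1, 1], "HELLO" becomes "KEKMP" and decrypts back with the receiver's copy of the same pad; a further encrypt on the sender's side raises ValueError rather than reusing material, since reuse is the classic failure of pad-based systems.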


Book or Running Key Cipher

Another method, used in the occasional spy movie, is the use of text in a book as the algorithm to decrypt a message

The key relies on two components:

– Knowing which book to use

– A list of codes representing the page number, line number, and word number of the plaintext word


Symmetric Encryption

The previous methods of encryption/decryption require the same algorithm and key be used to both encipher/decipher the message

This is known as private key encryption or symmetric encryption

In this approach, the same key—a secret key—is used to encrypt and decrypt the message

Usually extremely efficient, requiring simple processing to encrypt or decrypt the message

Main challenge is getting a copy of the key to the receiver, a process that must be conducted out-of-band to avoid interception


Symmetric Encryption (continued)


The Technology of Symmetric Encryption

Data Encryption Standard (DES)

– Developed in 1977 by IBM

– Based on the Data Encryption Algorithm (DEA), which uses a 64-bit block size and a 56-bit key

– Federally approved standard for nonclassified data

– Cracked in 1997 when developers of a new algorithm, Rivest-Shamir-Adleman, offered $10,000 to whomever was first to crack it

– Fourteen thousand users collaborated over the Internet to finally break the encryption

Triple DES (3DES) was developed as an improvement to DES and uses as many as three keys in succession


The Technology of Symmetric Encryption (continued)

Advanced Encryption Standard (AES)

– Successor to 3DES

– Based on the Rijndael block cipher, which features a variable block length and a key length of either 128, 192, or 256 bits

In 1998, it took a special computer designed by the Electronic Freedom Frontier more than 56 hours to crack DES; it would take the same computer approximately 4,698,864 quintillion years to crack AES


Asymmetric Encryption

Also known as public key encryption

Uses two different but related keys

Either key can be used to encrypt or decrypt

If Key A is used to encrypt message, then only Key B can decrypt; if Key B is used to encrypt message, then only Key A can decrypt

This technique is most valuable when one of the keys is private and the other is public

Problem: it requires four keys to hold a single conversation between two parties, and the number of keys grows geometrically as parties are added


Public Key Encryption


Digital Signatures

When asymmetric process is reversed, that the message was sent by organization owning the private key cannot be refuted (nonrepudiation)

Digital signatures: encrypted messages verified as authentic by independent facility (registry)

Digital certificate: electronic document, similar to digital signature, attached to file certifying that file is from the organization it claims to be from and has not been modified from original format

Certificate Authority (CA): agency that manages issuance of certificates and serves as electronic notary public to verify their origin and integrity
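Sign-and-verify as an added Python example (not the textbook's code) to make the nonrepudiation claim concrete: only the private exponent D produces a signature that the public pair (E, N) verifies, and changing the message or the signature breaks verification. The primes P and Q are constructed toy values, and textbook RSA without padding is shown only to expose the mechanism; real systems use 2048-bit or larger moduli and a padding scheme.

```python
"""Added example, not from the textbook: digital signature with textbook RSA
over constructed small primes. The signer applies the private exponent to a
digest of the message; anyone with the public key checks the result."""
import hashlib

# Constructed toy primes (far too small for real use).
P, Q = 1000003, 1000033
N = P * Q
E = 65537                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (Python 3.8+)


def message_digest(msg: bytes) -> int:
    """Hash the message and reduce into the modulus range.
    Adequate for a toy; a real scheme pads the digest instead."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(msg: bytes, d: int = D, n: int = N) -> int:
    """Only the holder of d can compute this value for a given digest."""
    return pow(message_digest(msg), d, n)


def verify(msg: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Anyone holding (e, n) recovers the digest from the signature and
    compares it with a fresh digest of the message they received."""
    return pow(signature, e, n) == message_digest(msg)


if __name__ == "__main__":
    s = sign(b"transfer 100 to account 42")
    print("genuine:", verify(b"transfer 100 to account 42", s))
    print("tampered:", verify(b"transfer 1000 to account 42", s))
```

A digital certificate is this same operation performed by the certificate authority: the CA signs a document binding an identity to a public key, and anyone holding the CA's public key can check both that binding and that the document has not been altered since it was signed.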


Digital Signatures (continued)


Public Key Infrastructure

Public key infrastructure (PKI) is the entire set of hardware, software, and cryptosystems necessary to implement public key encryption

Systems are based on public key cryptosystems and include digital certificates and certificate authorities


Public Key Infrastructure (continued)

Can increase an organization's ability to protect its information assets by providing:

– Authentication: digital certificates authenticate the identity of each party in an online transaction

– Integrity: a digital certificate asserts that content signed by the certificate has not been altered in transit

– Confidentiality: keeps information confidential by ensuring it is not intercepted during transmission

– Authorization: digital certificates can replace user IDs and passwords, enhance security, and reduce overhead

– Nonrepudiation: certificates validate actions


Hybrid Systems

Pure asymmetric key encryption not widely used except in area of certificates; instead, typically employed in conjunction with symmetric key encryption, creating a hybrid system

Hybrid process currently in use is based on Diffie-Hellman key exchange, which provides method to exchange private keys using public key encryption without exposure to third parties

In this method, asymmetric encryption is used to exchange symmetric keys, so two entities can conduct quick, efficient, secure communications based on symmetric encryption; Diffie-Hellman provided the foundation for subsequent developments in public key encryption
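An added Python example (not the textbook's) of the hybrid pattern just described: a Diffie-Hellman exchange yields a shared secret, a symmetric key is derived from it, and that key then does the bulk encryption. The group parameters P and G are constructed toy values, far too small for real use, and the SHA-256 based key stream stands in for a real block cipher.

```python
"""Added example, not from the textbook: Diffie-Hellman key agreement over a
public channel, followed by symmetric encryption under the derived key.
Toy group parameters; real deployments use standardised 2048-bit or larger
groups and a standard cipher."""
import hashlib
import secrets

# Constructed toy parameters: P is the Mersenne prime 2^127 - 1, G a small base.
P = 2**127 - 1
G = 5


class Party:
    """One side of the exchange. The private exponent never leaves the object;
    a fixed private value may be passed in for reproducible tests."""

    def __init__(self, name: str, private: int = None):
        self.name = name
        self.x = private if private is not None else secrets.randbelow(P - 2) + 1
        self.public = pow(G, self.x, P)        # g^x mod p, the value sent over the wire

    def derive_key(self, peer_public: int) -> bytes:
        shared = pow(peer_public, self.x, P)   # (g^y)^x mod p == (g^x)^y mod p
        # Hash the shared integer into a fixed-length symmetric key.
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Counter-style key stream from SHA-256; illustrative stand-in for a
    real cipher such as AES."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def symmetric_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR against the key stream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def run_exchange(alice_x: int = None, bob_x: int = None):
    """Perform the exchange; only alice.public and bob.public cross the network.
    Returns the key each side derived so the caller can confirm they match."""
    alice, bob = Party("Alice", alice_x), Party("Bob", bob_x)
    return alice.derive_key(bob.public), bob.derive_key(alice.public)


if __name__ == "__main__":
    k_alice, k_bob = run_exchange()
    ct = symmetric_encrypt(k_alice, b"payload over the VPN")
    print(k_alice == k_bob, symmetric_encrypt(k_bob, ct))
```

Only the two public values cross the network, yet both sides arrive at the same key. Nothing in the bare exchange tells Alice that the public value she received really came from Bob, which is why the chapter lists the man-in-the-middle attack among the threats to cryptosystems and why IPSec signs the Diffie-Hellman exchange with public key cryptography and certificates.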


Hybrid Encryption


Using Cryptographic Controls

Generation of unbreakable ciphertext is possible only if a proper key management infrastructure has been constructed and cryptosystems are operated and managed correctly

Cryptographic controls can be used to support several aspects of business:

– Confidentiality and integrity of e-mail and its attachments

– Authentication, confidentiality, integrity, and nonrepudiation of e-commerce transactions

– Authentication and confidentiality of remote access through VPN connections

– Higher standard of authentication when used to supplement access control systems


E-mail Security

Secure Multipurpose Internet Mail Extensions (S/MIME) builds on Multipurpose Internet Mail Extensions (MIME); adds encryption and authentication via digital signatures

Privacy Enhanced Mail (PEM) proposed by Internet Engineering Task Force (IETF) as a standard that will function with public key cryptosystems; uses 3DES and RSA for key exchanges and digital signatures

Pretty Good Privacy (PGP): uses IDEA Cipher, a 128-bit symmetric key block encryption algorithm with 64-bit blocks for message encoding; RSA for symmetric key exchange and digital signatures


Securing the Web

Secure Electronic Transactions (SET)

– Developed by MasterCard and VISA in 1997 to provide protection from electronic payment fraud

– Encrypts credit card transfers with DES and uses RSA for key exchange

Secure Sockets Layer (SSL)

– Developed by Netscape in 1994 to provide security for online electronic commerce transactions

– Uses several algorithms; mainly relies on RSA for key transfer and IDEA, DES, or 3DES for encrypted symmetric key-based data transfer


Securing the Web (continued)

Secure Hypertext Transfer Protocol (SHTTP)

– An encrypted version of HTTP

– Provides secure e-commerce transactions and encrypted Web pages for secure data transfer over the Web, using several different algorithms

Secure Shell (SSH)

– Uses tunneling to provide security for remote access connections over public networks

– Provides authentication services between a client and a server

– Used to secure replacement tools for terminal emulation, remote management, and file transfer applications


Securing the Web (continued)

IP Security (IPSec): primary and now dominant cryptographic authentication and encryption product of the IETF's IP Protocol Security Working Group

IPSec combines several different cryptosystems:

– Diffie-Hellman key exchange for deriving key material between peers on a public network

– Public key cryptography for signing the Diffie-Hellman exchanges to guarantee the identity of the two parties

– Bulk encryption algorithms for encrypting the data

– Digital certificates signed by a certificate authority to act as digital ID cards


Securing the Web (continued)

IPSec has two components:

– The IP Security protocol itself, which specifies the information to be added to an IP packet and indicates how to encrypt packet data

– The Internet Key Exchange, which uses asymmetric key exchange and negotiates the security associations


Securing the Web (continued)

IPSec works in two modes of operation:

– Transport mode: only the IP data is encrypted, not the IP headers themselves; this allows intermediate nodes to read the source and destination addresses

– Tunnel mode: the entire IP packet is encrypted and inserted as the payload in another IP packet

IPSec and other cryptographic extensions to TCP/IP are often used to support a virtual private network (VPN), a private, secure network operated over a public, insecure network
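The difference between the two modes, as an added Python example (not the textbook's code): packets are modelled as dictionaries, and toy_encrypt is a repeating-key XOR placeholder standing in for the real ESP transform. The addresses and the key are constructed values; the point shown is which addresses a router on the public network can read in each mode.

```python
"""Added example, not from the textbook: what an intermediate node sees under
IPSec transport mode versus tunnel mode. Packets are dicts and the cipher is
a placeholder; only the header visibility is meant to be realistic."""
import json
from itertools import cycle


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Placeholder for the bulk cipher (repeating-key XOR, not secure);
    applying it twice with the same key restores the data."""
    return bytes(a ^ b for a, b in zip(data, cycle(key)))


def transport_mode(packet: dict, key: bytes) -> dict:
    """Transport mode: the original IP header stays in the clear and only the
    payload is encrypted, so routers still see the real endpoints."""
    return {"src": packet["src"], "dst": packet["dst"],
            "payload": toy_encrypt(key, packet["payload"])}


def tunnel_mode(packet: dict, key: bytes, gw_src: str, gw_dst: str) -> dict:
    """Tunnel mode: the whole inner packet, header included, is encrypted and
    carried as the payload of a new packet addressed gateway to gateway."""
    inner = json.dumps({**packet, "payload": packet["payload"].hex()}).encode()
    return {"src": gw_src, "dst": gw_dst, "payload": toy_encrypt(key, inner)}


def tunnel_decapsulate(packet: dict, key: bytes) -> dict:
    """The receiving gateway decrypts and restores the original packet."""
    inner = json.loads(toy_encrypt(key, packet["payload"]).decode())
    inner["payload"] = bytes.fromhex(inner["payload"])
    return inner


def observed_addresses(packet: dict) -> tuple:
    """What a router on the public network can read from the outer header."""
    return packet["src"], packet["dst"]


if __name__ == "__main__":
    # Constructed sample: a host on one site talking to a host on another.
    pkt = {"src": "10.0.1.5", "dst": "10.0.2.9", "payload": b"GET / HTTP/1.0"}
    key = b"constructed-demo-key"
    print("transport:", observed_addresses(transport_mode(pkt, key)))
    print("tunnel:   ", observed_addresses(
        tunnel_mode(pkt, key, "203.0.113.1", "198.51.100.7")))
```

In transport mode the observer learns which internal hosts are talking; in tunnel mode it learns only that the two gateways are exchanging traffic, which is the property a site-to-site VPN relies on.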


Securing Authentication

A final use of cryptosystems is to provide enhanced and secure authentication

One approach to this issue is provided by Kerberos, which uses symmetric key encryption to validate an individual user's access to various network resources

It keeps a database containing the private keys of clients and servers that are in the authentication domain that it supervises


Kerberos

The Kerberos system knows these private keys and can authenticate one network node (client or server) to another

Kerberos also generates temporary session keys, that is, private keys given to the two parties in a conversation


Kerberos (continued)


Kerberos (continued)


Attacks on Cryptosystems

Historically, attempts to gain unauthorized access to secure communications have used brute force attacks in which the ciphertext is repeatedly searched for clues that can lead to the algorithm's structure (ciphertext attacks)

This process, known as frequency analysis, can be used along with published frequency-of-occurrence patterns of various languages and can allow an experienced attacker to quickly crack almost any code if the individual has a large enough sample of the encoded text


Attacks on Cryptosystems (continued)

Occasionally, an attacker may obtain duplicate texts, one in ciphertext and one in plaintext, which enable the individual to reverse-engineer the encryption algorithm in a known-plaintext attack scheme

Alternatively, an attacker may conduct a selected-plaintext attack by sending a potential victim a specific text that they are sure the victim will forward on to others; the attacker then intercepts the encrypted message and compares it to the original plaintext


Attacks on Cryptosystems (continued)

Man-in-the-middle attack: method used to intercept the transmission of a public key or even to insert a known key structure in place of the requested public key

Correlation attacks: collection of brute-force methods that attempt to deduce statistical relationships between the structure of the unknown key and the ciphertext that is the output of the cryptosystem


Attacks on Cryptosystems (continued)

In a dictionary attack, the attacker encrypts every word in a dictionary using the same cryptosystem as used by the target

In a timing attack, the attacker eavesdrops during a victim's session and uses statistical analysis of the user's typing patterns and inter-keystroke timings to discern sensitive session information


Defending from Attacks

No matter how sophisticated encryption and cryptosystems have become, however, they have retained the same flaw that the first systems contained thousands of years ago: if you discover the key, that is, the method used to perform the encryption, you can determine the message

Thus, key management is not so much the management of technology but rather the management of people


Chapter Summary

Encryption: the process of rendering information unreadable to all but the intended recipients; its purpose is to preserve the integrity and confidentiality of information and/or make the process of authenticating users more effective

Firewalls use encryption both to provide protection for data in transit and to help keep the firewall secure

Encryption of data incurs costs since it requires processing time to encrypt and decrypt the data being protected


Chapter Summary (continued)

Cryptology: the science of encryption

Cryptography: the complex process of making and using codes

Applying concealing techniques is encryption, and decoding ciphertext is called decryption

The process used to decrypt data when the process and/or keys are unknown is called cryptanalysis

Cryptographic controls: techniques and tools used to implement cryptographic protections; used to secure e-mail, Web access, Web applications, file transfers, and remote access procedures like VPNs


Chapter Summary (continued)

Cryptographic control systems are often subject to attack

Many methods of attack have evolved:

– Brute computational approaches

– Use of weaknesses often found in the implementation of cryptographic controls

Some attacks attempt to inject themselves between the parties of a secured communication channel

Other attacks combine multiple brute-force approaches into one correlation attack