ICT 6621 : Advanced NetworkingKhaled Mahbub, IICT, BUET, 2008 Lecture 11 Network Security (1)

Khaled Mahbub, IICT, BUET, 2008 ICT 6621 : Advanced Networking

Lecture 11

Network Security (1)


Outline• Network Security Concepts

• Principles of cryptography

• Authentication

• Integrity

• Key Distribution and certification

• Security in many layers


Network Security• Confidentiality (Secrecy): only sender, intended receiver

should “understand” message contents– sender encrypts message– receiver decrypts message

• Authentication: sender, receiver want to confirm identity of each other

• Message Integrity: sender, receiver want to ensure message is not altered (in transit, or afterwards) without detection

• Access and Availability: services must be accessible and available to users


Friends and Enemies• well-known in network security world• “A” and “B” want to communicate “securely”• “C” (intruder) may intercept (passive intruder), delete,

add messages (active intruder)

securesender

securereceiver

channel data, control messages

data dataA

B

C


Who Might A, B and C be?

Possible A and B

• real-life human users

• Web browser/server for electronic transactions (e.g., on-line purchases)

• on-line banking client/server

• DNS servers

• routers exchanging routing table updates

Possible C– eavesdrop: intercept

messages– actively insert messages into

connection– impersonation: can fake

(spoof) source address in packet (or any field in packet)

– hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place

– denial of service: prevent service from being used by others (e.g., by overloading resources)




• Authentication

• Integrity




The Language of Cryptography

symmetric key cryptography: sender, receiver keys identical

public-key cryptography: encryption key public, decryption key secret (private)

plaintext plaintextciphertext

KA

encryptionalgorithm

decryption algorithm

A’s encryptionkey

B’s decryptionkey

KB

C


Symmetric Key Cryptography

• substitution cipher: substituting one thing for another– Caesar cipher: taking each letter in the plaintext message

and substituting the letter that is k letters later (allowing wraparound), i.e. if k=4, then the letter "a" in plaintext becomes "d" in cipher text; "b" in plaintext becomes "e" in cipher text, and so on.

– monoalphabetic cipher: substitute one letter for another

plaintext: abcdefghijklmnopqrstuvwxyz

ciphertext: mnbvcxzasdfghjklpoiuytrewq

Plaintext: hello thereciphertext: acggk uacoc

E.g.:


Symmetric Key Cryptography• Vigenere ciphers: uses multiple monoalphabetic ciphers,

with a specific monoalphabetic cipher to encode a letter in a specific position in the plaintext message.

• Example: two different Caesar ciphers C1( k=6) and C2(k=20), used in the repeating pattern C1, C2, C2. i.e. the first letter of plaintext is to encoded using C1, the second and third using C2. The pattern then repeats.

Plaintext: hello thereciphertext: mxeqh mmxkj


Symmetric Key Cryptography

• Transposition Cipher:


Symmetric Key Cryptography: DESDES: Data Encryption Standard: US

encryption standard [NIST 1993]

DES operation• 56-bit symmetric key, 64-bit plaintext input

• initial permutation 16 identical “rounds” of function application, each using different 48 bits of key final permutation

• How secure is DES?– DES Challenge: 56-bit-key-encrypted

phrase (“Strong cryptography makes the world a safer place”) decrypted (brute force) in 4 months

– no known “backdoor” decryption approach

• making DES more secure:– use three keys sequentially (3-DES) on

each datum


Public Key Cryptography

symmetric key cryptography• requires sender, receiver know

shared secret key

• Q: how to agree on key in first place (particularly if never “met”)

public key cryptography• radically different approach

[Diffie-Hellman76, RSA78]• sender, receiver do not

share secret key• public encryption key

known to all• private decryption key

known only to receiver


Public Key Cryptography

plaintextmessage, m

ciphertextencryptionalgorithm

decryption algorithm

B’s public key

plaintextmessageK (m)

B+

K B+

B’s privatekey

K B-

m = K (K (m))B+

B-


Public Key Encryption Algorithms

• Requirements:1. need K+

B(.) and K-B(.) such that

2. given public key K+B it should be impossible

to compute private key K-B

RSA: Rivest, Shamir, Adelson algorithm

K (K (m)) = m BB

- +


RSA: Encryption DecryptionChoosing Keys• Choose two large prime numbers p, q. (e.g., 1024 bits each)• Compute n = pq, z = (p-1)(q-1)• Choose e (with e<n) that has no common factors with z. (e, z are

“relatively prime”).• Choose d such that ed-1 is exactly divisible by z. (in other words: ed

mod z = 1 ).• Public key is (n,e). Private key is (n,d).

K B+ K

B-

Encryption/Decryption1. Given (n,e) and (n,d) as computed above2. To encrypt bit pattern, m, compute

c= me mod n (i.e., remainder when me is divided by n)3. To decrypt received bit pattern, c, compute

m = cd mod n (i.e., remainder when cd is divided by n)


RSA Example

B chooses p=5, q=7. Then n=35, z=24.– e=5 (so e, z relatively prime).– d=29 (so ed-1 exactly divisible by z).

letter m me c = m mod ne

l 12 248832 17

c m = c mod nd

17 481968572106750915091411825223071697 12

cdletter

l

encrypt:

decrypt:


RSA: Property

• Why is that m = (m mod n)

e mod n

d

(m mod n)

e mod n = m mod n

d ed

Useful number theory result: If p,q prime and n = pq, then:

x mod n = x mod ny y mod (p-1)(q-1)

= m mod n

ed mod (p-1)(q-1)

= m mod n1

= m

(using number theory result above)

(since we chose ed to be divisible by(p-1)(q-1) with remainder 1 )


RSA: Property

RSA also holds the following property:

K (K (m)) = m BB

- +K (K (m))

BB+ -

=

use public key first, followed

by private key

use private key first,

followed by public key

Result is the same!

(md)e mod n = m = (me)d mod n




• Authentication

• Integrity




Authentication• Goal: B wants A to “prove” its identity to him• authentication must be done solely on the basis

of messages and data exchanged as part of an authentication protocol.

– Protocol ap1.0: A says “I am A”

A B

C

“I am A”

“I am A”

in a network,B can not “see” A, so

C simply declaresitself to be A


Authentication• Protocol ap2.0: A says “I am A” in an IP packet

containing its source IP address

A B

C

“I am A”A’s

IP address

C can createa packet

“spoofing” with A’s address

“I am A”A’s

IP address


AuthenticationProtocol ap3.0: A says “I am A” and sends her secret

password to “prove” it.

“I’m A”A’s IP addr

A’s password

OKA’s IP addr

A B

C

playback attack: C records A’s packet

and laterplays it back to B


A’s password

OKA’s IP addr


A’s password

A B


Authentication

• Protocol ap3.1: A says “I am A” and sends her encrypted secret password to “prove” it.

C


encrypted password

OKA’s IP addr


encrypted password

A Brecord

andplayback

still works!


Authentication• Goal: avoid playback attack• Nonce: number (R) used only once –in-a-lifetime• ap4.0: to prove A is “alive”, B sends nonce, R to A. A

must return R, encrypted with shared secret key

“I am A”

R

K (R)A-B

A is live, and only A knows

key to encrypt nonce, so it must be A!

AB


Authentication

ap4.0 requires shared symmetric key • can we authenticate using public key techniques?ap5.0: use nonce, public key cryptography

“I am A”

RB computes

K (R)A-

“send me your public key”

K A+

(K (R)) = RA

-K A

+

and knows only A could have the

private key, that encrypted R such that

(K (R)) = RA-

K A+

AB


Authentication: Security Hole• Intruder in the middle attacks: C poses as A (to B) and

as B (to A)

I am A I am A

R

CK (R)

-

Send me your public key

CK

+A

K (R)-

Send me your public key

AK

+

CK (m)+

Cm = K (K (m))+

C-

C gets

sends m to A encrypted with A’s public key

AK (m)+

Am = K (K (m))+

A-

R

CA B


Authentication: Security Hole

• Intruder in the middle attacks: C poses as A (to B) and as B (to A)

Difficult to detect:• B receives everything that A sends, and vice

versa. (e.g., so B, and A can meet one week later and recall conversation)

• problem is that C receives all messages as well!

CA B




• Authentication

• Integrity




Digital SignaturesCryptographic technique analogous to hand-written

signatures.• sender (B) digitally signs document, establishing he is document

owner/creator. • verifiable, non-forgeable: recipient (A) can prove to someone that B,

and no one else (including A), must have signed document

Simple digital signature for message m:• B signs m by encrypting with his private key K-

B, creating “signed” message, K-

B(m)

Dear A

Oh, how I have missed you. I think of you all the time! …(blah blah blah)

B

B’s message, m

Public keyencryptionalgorithm

B’s privatekey

K B-

B’s message, m, signed

(encrypted) with his private key

K B-(m)


Digital Signatures

• Suppose A receives message m, digital signature K-B(m)

• A verifies m signed by B by applying B’s public key K+B

to K-B (m) then checks K+

B(K-B(m) ) = m.

• If K+B(K-

B(m) ) = m, whoever signed m must have used

B’s private key.A thus verifies that:

B signed m.No one else signed m.B signed m and not m’.

Non-repudiation:A can take m, and signature KB(m) to court and prove

that B signed m.


Message Digests

Computationally expensive to public-key-encrypt long messages Goal: fixed-length, easy- to-compute digital

“fingerprint”• apply hash function H to m, get fixed size

message digest, H(m).Hash function properties:• many-to-1• produces fixed-size message digest (fingerprint)• given message digest x, computationally

infeasible to find m such that x = H(m)

large message

m

H: HashFunction

H(m)


Digital Signature = Signed Message Digest

large message

mH: Hashfunction H(m)

digitalsignature(encrypt)

B’s private

key K B-

+

B sends digitally signed message:

A verifies signature and integrity of digitally signed message:

KB(H(m))-

encrypted msg digest

KB(H(m))-

encrypted msg digest

large message

m

H: Hashfunction

H(m)

digitalsignature(decrypt)

H(m)

B’s public

key K B+

equal ?


Internet Checksum: Poor Hash Function• Internet checksum has some properties of hash function:

produces fixed length digest (16-bit sum) of message is many-to-one

• But given message with given hash value, it is easy to find another message with same hash value:

I O U 10 0 . 99 B O B

49 4F 55 3130 30 2E 3939 42 D2 42

message ASCII format

B2 C1 D2 AC

I O U 90 0 . 19 B O B

49 4F 55 3930 30 2E 3139 42 D2 42

message ASCII format

B2 C1 D2 ACdifferent messagesbut identical checksums!


Hash Function Algorithms• MD5 hash function widely used (RFC 1321)

– computes 128-bit message digest in 4-step process.

– arbitrary 128-bit string x, appears difficult to construct message m whose MD5 hash is equal to x.

• SHA-1 is also used.– US standard [NIST, FIPS PUB 180-1]– 160-bit message digest


Reading Material• Chapter 7 – text3 (Kurose)

• Chapter 8 – text2 (Tanenbaum)

Documents

ICT 6621 : Advanced NetworkingKhaled Mahbub, IICT, BUET, 2008 Lecture 11 Network Security (1)