Network Security [Compatibility Mode]

The document outlines a roadmap for understanding network security, including key concepts such as cryptography, authentication, message integrity, and access control. It discusses the Data Encryption Standard (DES), its structure, and the process of encryption and decryption, highlighting its weaknesses and design criteria. The document emphasizes the importance of security measures against various attacks in network communications.

Uploaded by

subhrand66

Network Security

goals:
- understand principles of network security:
  - cryptography and its many uses beyond “confidentiality”
  - authentication
  - message integrity
  - key distribution
- security in practice:
  - firewalls
  - security in application, transport, network, link layers

Roadmap

1. What is network security?
2. Principles of cryptography
3. Authentication
4. Integrity
5. Key Distribution and certification
6. Access control: firewalls
7. Attacks and counter measures
8. Security in many layers

What is network security?

Confidentiality: only sender, intended receiver should “understand” message contents
- sender encrypts message
- receiver decrypts message
Authentication: sender, receiver want to confirm identity of each other
Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection
Access and Availability: services must be accessible and available to users

Friends and enemies: Alice, Bob, Trudy

- well-known in network security world
- Bob, Alice want to communicate “securely”
- Trudy (intruder) may intercept, delete, add messages

[Figure: Alice (secure sender) and Bob (secure receiver) exchange data and control messages over a channel; Trudy sits on the channel]

Who might Bob, Alice be?

- In real life Bob and Alice may be two persons who need secrecy in communication.
- Web browser/server for electronic transactions (e.g., on-line purchases)
- on-line banking client/server
- DNS servers
- routers exchanging routing table updates
- other examples? (ARP requestor and responder, network management, etc.)

There are bad guys (and girls) out there!

Q: What can a “bad guy” do?
A: a lot!
- eavesdrop: intercept messages
- actively insert messages into connection
- impersonation: can fake (spoof) source address in packet (or any field in packet)
- hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place
- denial of service: prevent service from being used by others (e.g., by overloading resources)

Principles of cryptography

The language of cryptography

[Figure: plaintext -> encryption algorithm (Alice’s encryption key K_A) -> ciphertext -> decryption algorithm (Bob’s decryption key K_B) -> plaintext]

symmetric key crypto: sender, receiver keys identical
public-key crypto: encryption key public, decryption key secret (private)

Symmetric key cryptography

Substitution Cipher: substituting one thing for another
- monoalphabetic cipher: substitute one letter for another

plaintext:  abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq

E.g.: Plaintext: bob. Let us meet at cc
      ciphertext: nkn. Gcu vi hccu mu bb

Q: How hard to break this simple cipher?
- brute force (how hard?)
- other? (Statistical info from language)

Symmetric key cryptography

[Figure: plaintext message, m -> encryption algorithm (K_A-B) -> ciphertext K_A-B(m) -> decryption algorithm (K_A-B) -> plaintext m = K_A-B(K_A-B(m))]

symmetric key crypto: Bob and Alice share/know same (symmetric) key: K_A-B
- e.g., key is knowing substitution pattern in monoalphabetic substitution cipher
- Q: how do Bob and Alice agree on key value?

Symmetric key crypto: DES

DES: Data Encryption Standard
- US encryption standard [NIST 1993]
- 56-bit symmetric key, 64-bit plaintext input (block cipher)
- How secure is DES?
  - DES Challenge: 56-bit-key-encrypted phrase (“Strong cryptography makes the world a safer place”) decrypted (using brute force) in 4 months
  - no known “backdoor” decryption approach
- making DES more secure:
  - use three keys sequentially (3-DES) on each datum
  - Or using two keys in EDE mode
  - use cipher-block chaining

Symmetric key crypto: DES

DES operation
- initial permutation
- 16 identical “rounds” of function application, each using different 48 bits of key
- Exchange 2 halves
- final permutation

Objectives

❏ To review a short history of DES
❏ To define the basic structure of DES
❏ To describe the details of building elements of DES
❏ To describe the round keys generation process
❏ To analyze DES

The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST).

Topics discussed in this section:
6.1.1 History
6.1.2 Overview

Next few slides are taken from DC&N by B. A. Forouzan

6.1.1 History

In 1973, NIST published a request for proposals for a national symmetric-key cryptosystem. A proposal from IBM, a modification of a project called Lucifer, was accepted as DES. DES was published in the Federal Register in March 1975 as a draft of the Federal Information Processing Standard (FIPS).

6.1.2 Overview

DES is a block cipher, as shown in Figure 6.1.

Figure 6.1 Encryption and decryption with DES

6-2 DES STRUCTURE

The encryption process is made of two permutations (P-boxes), which we call initial and final permutations, and sixteen Feistel rounds.

Topics discussed in this section:
6.2.1 Initial and Final Permutations
6.2.2 Rounds
6.2.3 Cipher and Reverse Cipher
6.2.4 Examples

Figure 6.2 General structure of DES

6.2.1 Initial and Final Permutations

Figure 6.3 Initial and final permutation steps in DES

Table 6.1 Initial and final permutation tables

Example 6.1

Find the output of the final permutation box when the input is given in hexadecimal as:

Solution
Only bit 25 and bit 63 are 1s; the other bits are 0s. In the final permutation, bit 25 becomes bit 64 and bit 63 becomes bit 15. The result is

Example 6.2

Prove that the initial and final permutations are the inverse of each other by finding the output of the initial permutation if the input is

Solution
The input has only two 1s; the output must also have only two 1s. Using Table 6.1, we can find the output related to these two bits. Bit 15 in the input becomes bit 63 in the output. Bit 64 in the input becomes bit 25 in the output. So the output has only two 1s, bit 25 and bit 63. The result in hexadecimal is

Note
The initial and final permutations are straight P-boxes that are inverses of each other. They have no cryptography significance in DES.

6.2.2 Rounds

DES uses 16 rounds. Each round of DES is a Feistel cipher.

Figure 6.4 A round in DES (encryption site)

DES Function

The heart of DES is the DES function. The DES function applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output.

Figure 6.5 DES function

Expansion P-box
Since R_(I−1) is a 32-bit input and K_I is a 48-bit key, we first need to expand R_(I−1) to 48 bits.

Figure 6.6 Expansion permutation

Although the relationship between the input and output can be defined mathematically, DES uses Table 6.2 to define this P-box.

Table 6.6 Expansion P-box table

Whitener (XOR)
After the expansion permutation, DES uses the XOR operation on the expanded right section and the round key. Note that both the right section and the key are 48-bits in length. Also note that the round key is used only in this operation.

S-Boxes
The S-boxes do the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output. See Figure 6.7.

Figure 6.7 S-boxes

Figure 6.8 S-box rule

Table 6.3 shows the permutation for S-box 1. For the rest of the boxes see the textbook.

Table 6.3 S-box 1

Example 6.3
The input to S-box 1 is 100011. What is the output?

Solution
If we write the first and the sixth bits together, we get 11 in binary, which is 3 in decimal. The remaining bits are 0001 in binary, which is 1 in decimal. We look for the value in row 3, column 1, in Table 6.3 (S-box 1). The result is 12 in decimal, which in binary is 1100. So the input 100011 yields the output 1100.

Example 6.4
The input to S-box 8 is 000000. What is the output?

Solution
If we write the first and the sixth bits together, we get 00 in binary, which is 0 in decimal. The remaining bits are 0000 in binary, which is 0 in decimal. We look for the value in row 0, column 0, in Table 6.10 (S-box 8). The result is 13 in decimal, which is 1101 in binary. So the input 000000 yields the output 1101.

Straight Permutation

Table 6.11 Straight permutation table

6.2.3 Cipher and Reverse Cipher

Using mixers and swappers, we can create the cipher and reverse cipher, each having 16 rounds.

First Approach
To achieve this goal, one approach is to make the last round (round 16) different from the others; it has only a mixer and no swapper.

Note
In the first approach, there is no swapper in the last round.

Figure 6.9 DES cipher and reverse cipher for the first approach

Algorithm 6.1 Pseudocode for DES cipher

Alternative Approach
We can make all 16 rounds the same by including one swapper to the 16th round and add an extra swapper after that (two swappers cancel the effect of each other).

Key Generation
The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key.

Figure 6.10 Key generation

Table 6.12 Parity-bit drop table

Table 6.13 Number of bits shifts

Table 6.14 Key-compression table

Algorithm 6.2 Algorithm for round-key generation

6.2.4 Examples

Example 6.5
We choose a random plaintext block and a random key, and determine what the ciphertext block would be (all in hexadecimal):

Table 6.15 Trace of data for Example 6.5

Example 6.6
Let us see how Bob, at the destination, can decipher the ciphertext received from Alice using the same key. Table 6.16 shows some interesting points.

6-3 DES ANALYSIS

Critics have used a strong magnifier to analyze DES. Tests have been done to measure the strength of some desired properties in a block cipher.

Topics discussed in this section:
6.3.1 Properties
6.3.2 Design Criteria
6.3.3 DES Weaknesses

6.3.1 Properties

Two desired properties of a block cipher are the avalanche effect and the completeness.

Example 6.7
To check the avalanche effect in DES, let us encrypt two plaintext blocks (with the same key) that differ only in one bit and observe the differences in the number of bits in each round.

Although the two plaintext blocks differ only in the rightmost bit, the ciphertext blocks differ in 29 bits. This means that changing approximately 1.5 percent of the plaintext creates a change of approximately 45 percent in the ciphertext.

Table 6.17 Number of bit differences for Example 6.7

Completeness effect
Completeness effect means that each bit of the ciphertext needs to depend on many bits on the plaintext.

6.3.2 Design Criteria

S-Boxes
The design provides confusion and diffusion of bits from each round to the next.

P-Boxes
They provide diffusion of bits.

Number of Rounds
DES uses sixteen rounds of Feistel ciphers. The ciphertext is thoroughly a random function of plaintext and ciphertext.

6.3.3 DES Weaknesses

During the last few years critics have found some weaknesses in DES.

Weaknesses in Cipher Design
1. Weaknesses in S-boxes
2. Weaknesses in P-boxes
3. Weaknesses in Key

Example 6.8
Let us try the first weak key in Table 6.18 to encrypt a block two times. After two encryptions with the same key the original plaintext block is created. Note that we have used the encryption algorithm two times, not one encryption followed by another decryption.

Figure 6.11 Double encryption and decryption with a weak key

Figure 6.12 A pair of semi-weak keys in encryption and decryption

Example 6.9
What is the probability of randomly selecting a weak, a semi-weak, or a possible weak key?

Solution
DES has a key domain of 2^56. The total number of the above keys are 64 (4 + 12 + 48). The probability of choosing one of these keys is 8.8 × 10^−16, almost impossible.

Example 6.10
Let us test the claim about the complement keys. We have used an arbitrary key and plaintext to find the corresponding ciphertext. If we have the key complement and the plaintext, we can obtain the complement of the previous ciphertext (Table 6.20).

6-4 Multiple DES

The major criticism of DES regards its key length. Fortunately DES is not a group. This means that we can use double or triple DES to increase the key size.

Topics discussed in this section:
6.4.1 Double DES
6.4.4 Triple DES

A substitution that maps every possible input to every possible output is a group.

Figure 6.13 Composition of mapping

6.4.1 Double DES

The first approach is to use double DES (2DES).

Meet-in-the-Middle Attack
However, using a known-plaintext attack called meet-in-the-middle attack proves that double DES improves this vulnerability slightly (to 2^57 tests), but not tremendously (to 2^112).

Figure 6.14 Meet-in-the-middle attack for double DES

Figure 6.15 Tables for meet-in-the-middle attack

6.4.2 Triple DES

Figure 6.16 Triple DES with two keys

Triple DES with Three Keys
The possibility of known-plaintext attacks on triple DES with two keys has enticed some applications to use triple DES with three keys. Triple DES with three keys is used by many applications such as PGP (See Chapter 16).

6-5 Security of DES

DES, as the first important block cipher, has gone through much scrutiny. Among the attempted attacks, three are of interest: brute-force, differential cryptanalysis, and linear cryptanalysis.

Topics discussed in this section:
6.5.1 Brute-Force Attack
6.5.2 Differential Cryptanalysis
6.5.3 Linear Cryptanalysis

6.5.1 Brute-Force Attack

We have discussed the weakness of short cipher key in DES. Combining this weakness with the key complement weakness, it is clear that DES can be broken using 2^55 encryptions.

6.5.2 Differential Cryptanalysis

It has been revealed that the designers of DES already knew about this type of attack and designed S-boxes and chose 16 as the number of rounds to make DES specifically resistant to this type of attack.

Note
We show an example of DES differential cryptanalysis in Appendix N.

6.5.3 Linear Cryptanalysis

Linear cryptanalysis is newer than differential cryptanalysis. DES is more vulnerable to linear cryptanalysis than to differential cryptanalysis. S-boxes are not very resistant to linear cryptanalysis. It has been shown that DES can be broken using 2^43 pairs of known plaintexts. However, from the practical point of view, finding so many pairs is very unlikely.

Note
We show an example of DES linear cryptanalysis in Appendix N.

Multiple Encryption with DES

- DES is not secure enough.
- The once large key space, 2^56, is now too small.
- In 2001, NIST published the Advanced Encryption Standard (AES) as an alternative.
- But users in commerce and finance are not ready to give up on DES.
- Solution: to use multiple DES with multiple keys

Double-DES

- Consider 2-DES with two keys: C = E_K2(E_K1(P))
- Decryption: P = D_K1(D_K2(C))
- Key length: 56 x 2 = 112 bits
- This should have thwarted brute-force attacks?
- Wrong!

Meet-in-the-Middle Attack on 2DES

- 2-DES: C = E_K2(E_K1(P))
- So, X = E_K1(P) = D_K2(C)
- Given a known pair (P, C), attack as follows:
  - Encrypt P with all 2^56 possible keys for K1.
  - Decrypt C with all 2^56 possible keys for K2.
  - If E_K1’(P) = D_K2’(C), try the keys on another (P’, C’).
  - If works, (K1’, K2’) = (K1, K2) with high probability.
- Takes O(2^56) steps; not much more than attacking 1-DES.

Triple DES with Two Keys

- A straightforward implementation would be: C = E_K1(E_K2(E_K1(P)))
- In practice: C = E_K1(D_K2(E_K1(P)))
  - Also referred to as EDE encryption
- Reason: if K1=K2, then 3DES = 1DES. Thus, a 3DES software can be used as a single-DES.
- Standardized in ANSI X9.17 & ISO8732
- No current known practical attacks
- What about the meet-in-the-middle attack?
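
Added example (not from the slides): the meet-in-the-middle steps for double encryption described in section 6.4.1 and on the 2DES slide above, run against a toy 16-bit Feistel cipher with 12-bit keys that is constructed here purely for illustration (it is not DES). It shows why doubling the key length adds almost nothing: 2 x 2^12 cipher operations replace the 2^24 trials of a naive search.

```python
# Toy cipher constructed for this example only: 16-bit block, 12-bit key,
# four Feistel rounds. It has no security value and is not DES.
KEY_BITS = 12
KEYS = 1 << KEY_BITS


def _f(half, subkey):
    """Round function; any function works because Feistel is invertible."""
    x = half ^ subkey
    return ((x * x + 29 * x + 71) >> 2) & 0xFF


def _subkey(key, rnd):
    """Alternate between the low and high 8 bits of the 12-bit key."""
    return ((key >> (4 * (rnd % 2))) & 0xFF) ^ rnd


def encrypt(block, key):
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        left, right = right, left ^ _f(right, _subkey(key, rnd))
    return (left << 8) | right


def decrypt(block, key):
    left, right = block >> 8, block & 0xFF
    for rnd in reversed(range(4)):
        left, right = right ^ _f(left, _subkey(key, rnd)), left
    return (left << 8) | right


def double_encrypt(block, k1, k2):
    """C = E_K2(E_K1(P)), as on the Double-DES slide."""
    return encrypt(encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (K1, K2) candidates from two known (P, C) pairs.

    Returns (candidates, work) where work counts the cipher operations
    spent building and probing the middle-value table.
    """
    (p1, c1), (p2, c2) = pairs[:2]

    # Forward half: X = E_K1(P) for every K1, indexed by X.
    table = {}
    for k1 in range(KEYS):
        table.setdefault(encrypt(p1, k1), []).append(k1)
    work = KEYS

    # Backward half: X = D_K2(C) for every K2; a table hit is a candidate,
    # which is then confirmed on the second pair (P', C').
    candidates = []
    for k2 in range(KEYS):
        work += 1
        for k1 in table.get(decrypt(c1, k2), ()):
            if double_encrypt(p2, k1, k2) == c2:
                candidates.append((k1, k2))
    return candidates, work


if __name__ == "__main__":
    k1, k2 = 0x3A7, 0xC15  # constructed sample keys
    known = [(p, double_encrypt(p, k1, k2)) for p in (0x1234, 0xBEEF)]
    found, work = meet_in_the_middle(known)
    print("candidates:", [(hex(a), hex(b)) for a, b in found])
    print("work:", work, "vs naive search:", KEYS * KEYS)
```

The same arithmetic at DES scale is the slide's point: about 2^57 operations for 2DES rather than 2^112, which is why the design moves on to triple DES and later AES.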

Meet-in-the-Middle Attack on 3DES

[Figure: P -> E (K1) -> A -> D (K2) -> B -> E (K1) -> C]

Given known (Plaintext, Ciphertext) pairs i.e. (P, C), (P’, C’) etc.
1. For each possible key for K1, encrypt P to produce a possible value for A.
2. Using this A, and C, attack the 2-DES to obtain a pair of keys (K2, K1’).
3. If K1’ = K1, try the key pair (K1, K2) on another (C’,P’).
4. If it works, (K1, K2) is the key pair with high probability.
5. It takes O(2^55 x 2^56) = O(2^111) steps on average.

Triple DES with Three Keys

- Encryption: C = E_K3(D_K2(E_K1(P))).
- If K1 = K3, we have 3DES with 2 keys.
- If K1 = K2 = K3, we have the regular DES.
- So, 3DES w/ 3keys is backward compatible with 3DES w/ 2 keys and with the regular DES
- Some internet applications have adopted 3DES with three keys.
  - E.g. PGP and S/MIME.

AES: Advanced Encryption Standard

- new (Nov. 2001) symmetric-key NIST standard, replacing DES
- Based on Galois Field
- processes data in 128 bit blocks
- 128, 192, or 256 bit keys
- brute force decryption (try each key) taking 1 sec on DES, takes 149 trillion years for AES

Diffie-Hellman Key exchange protocol

- Given a prime no ‘p’ and its primitive root ‘a’ (i.e. a^1, a^2 … a^(p-1) mod p generates 1 thro p-1 in some order), e.g. 3 is 7’s primitive root. 3^1, 3^2 … 3^(7-1) mod 7 generates 3,2,6,4,5, and 1.
- A selects an integer x and computes X = a^x mod p and sends X, a and p to B
- B selects an integer y and computes Y = a^y mod p and sends this to A
- Both sides compute Y^x mod p and X^y mod p respectively and use as the key.
- Therefore, both sides compute a^xy mod p as the key.

Man in the middle attack in Diffie-Hellman protocol

- A selects an integer x and computes X = a^x mod p and sends X, a and p to B
- T (an intruder) intercepts it and forwards Z = a^z mod p, a and p to B
- B selects an integer y and computes Y = a^y mod p and sends this to A
- T (an intruder) intercepts it and forwards Z = a^z mod p to A
- Both sides compute Z^x mod p and Z^y mod p respectively and use as the key.
- Therefore, A computes a^xz mod p as the key, and B computes a^yz mod p as the key.

Public Key Cryptography

symmetric key crypto
- requires sender, receiver know shared secret key
- Q: how to agree on key in first place (particularly if never “met”)?

public key cryptography
- radically different approach [Diffie-Hellman76, RSA78]
- sender, receiver do not share secret key
- public encryption key known to all
- private decryption key known only to receiver
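
Added example (not from the slides): the Diffie-Hellman exchange and the substitution of Z for X and Y described above, computed with small constructed numbers (p = 23, a = 5, secrets 6, 15 and 13). It shows that after the substitution A and B hold different keys, so comparing a key fingerprint over a channel the intruder cannot alter exposes the interception; the function names are this example's own.

```python
import hashlib


def powers(a, p):
    """a^1, a^2, ..., a^(p-1) mod p, as in the primitive-root definition."""
    return [pow(a, k, p) for k in range(1, p)]


def is_primitive_root(a, p):
    """True if the powers of a generate 1..p-1 in some order."""
    return sorted(powers(a, p)) == list(range(1, p))


def fingerprint(key):
    """Short digest of the agreed key, suitable for out-of-band comparison."""
    return hashlib.sha256(str(key).encode()).hexdigest()[:16]


def exchange(p, a, x, y, z=None):
    """Run the exchange; if z is given, T replaces both public values with Z."""
    X, Y = pow(a, x, p), pow(a, y, p)
    if z is None:
        received_by_b, received_by_a = X, Y
    else:
        Z = pow(a, z, p)
        received_by_b, received_by_a = Z, Z
    result = {
        "key_a": pow(received_by_a, x, p),  # Y^x, or Z^x when intercepted
        "key_b": pow(received_by_b, y, p),  # X^y, or Z^y when intercepted
    }
    if z is not None:
        # T can compute both keys from the values it intercepted.
        result["trudy_with_a"] = pow(X, z, p)
        result["trudy_with_b"] = pow(Y, z, p)
    return result


def keys_confirmed(result):
    """Key confirmation: both ends must hold the same key fingerprint.

    Assumption: the fingerprints are compared over an authenticated channel
    (in person, or signed); otherwise T can rewrite them as well.
    """
    return fingerprint(result["key_a"]) == fingerprint(result["key_b"])


if __name__ == "__main__":
    print("powers of 3 mod 7:", powers(3, 7))
    honest = exchange(23, 5, x=6, y=15)
    print("honest:", honest, "confirmed:", keys_confirmed(honest))
    attacked = exchange(23, 5, x=6, y=15, z=13)
    print("intercepted:", attacked, "confirmed:", keys_confirmed(attacked))
```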

Public key cryptography

[Figure: plaintext message, m -> encryption algorithm (Bob’s public key K_B^+) -> ciphertext K_B^+(m) -> decryption algorithm (Bob’s private key K_B^-) -> plaintext message m = K_B^-(K_B^+(m))]

Public key encryption algorithms

Requirements:
1. need K_B^+( ) and K_B^-( ) such that K_B^-(K_B^+(m)) = m
2. given public key K_B^+, it should be impossible to compute private key K_B^-

RSA: Rivest, Shamir, Adleman algorithm

RSA: Choosing keys

1. Choose two large prime numbers p, q. (e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”).
4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1).
5. Public key is (n,e). Private key is (n,d).
   K_B^+ = (n,e), K_B^- = (n,d)

RSA: Encryption, decryption

0. Given (n,e) and (n,d) as computed above
1. To encrypt bit pattern, m, compute c = m^e mod n (i.e., remainder when m^e is divided by n)
2. To decrypt received bit pattern, c, compute m = c^d mod n (i.e., remainder when c^d is divided by n)

Magic happens! m = (m^e mod n)^d mod n, where c = m^e mod n

RSA example:

Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z).

encrypt:
letter   m    m^e       c = m^e mod n
l        12   1524832   17

decrypt:
c    c^d                                    m = c^d mod n   letter
17   481968572106750915091411825223071697   12              l

RSA: Why is that m = (m^e mod n)^d mod n

Useful number theory result: If p,q prime and n = pq, then:
x^y mod n = x^(y mod (p-1)(q-1)) mod n

(m^e mod n)^d mod n = m^(ed) mod n
  = m^(ed mod (p-1)(q-1)) mod n   (using number theory result above)
  = m^1 mod n   (since we chose ed to be divisible by (p-1)(q-1) with remainder 1)
  = m
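
Added example (not from the slides): the key-choosing steps and the p=5, q=7 example above carried through in code, including a check that applying the two keys in either order returns m for every m below n. Function names are this example's own, and this is textbook RSA without padding, usable only to follow the arithmetic.

```python
from math import gcd


def modinv(a, m):
    """Smallest d >= 0 with a*d mod m == 1 (extended Euclid)."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("a and m are not relatively prime")
    return old_s % m


def make_keys(p, q, e, d=None):
    """Steps 2-5 of 'Choosing keys'; validates e and d against z."""
    n, z = p * q, (p - 1) * (q - 1)
    if not (1 < e < n and gcd(e, z) == 1):
        raise ValueError("e must be below n and relatively prime to z")
    if d is None:
        d = modinv(e, z)
    if (e * d - 1) % z != 0:
        raise ValueError("ed - 1 must be exactly divisible by z")
    return (n, e), (n, d)  # public key, private key


def apply_key(key, value):
    """value^exponent mod n; the same operation for both keys."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be in the range [0, n)")
    return pow(value, exponent, n)


def order_does_not_matter(public, private):
    """Check K-(K+(m)) = m = K+(K-(m)) for every m below n."""
    n = public[0]
    return all(
        apply_key(private, apply_key(public, m)) == m
        and apply_key(public, apply_key(private, m)) == m
        for m in range(n)
    )


def sign(private, m):
    return apply_key(private, m)


def verify(public, m, signature):
    return apply_key(public, signature) == m


if __name__ == "__main__":
    public, private = make_keys(5, 7, e=5, d=29)  # the slide's values
    m = ord("l") - ord("a") + 1                   # letter 'l' -> 12
    c = apply_key(public, m)
    print("m =", m, "c =", c, "decrypted =", apply_key(private, c))
    print("smallest valid d:", modinv(5, 24), "(29 = 5 + 24 also works)")
    print("either order returns m:", order_does_not_matter(public, private))
    s = sign(private, m)
    print("signature:", s, "valid:", verify(public, m, s),
          "valid for altered m:", verify(public, m + 1, s))
```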

RSA: another important property

The following property will be very useful later:

K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))

Left side: use public key first, followed by private key. Right side: use private key first, followed by public key.

Result is the same!

Authentication

Authentication

Goal: Bob wants Alice to “prove” her identity to him

Protocol 1.0: Alice says “I am Alice”

Failure scenario??

in a network, Bob can not “see” Alice, so Trudy simply declares herself to be Alice

Authentication: another try

Protocol 2.0: Alice says “I am Alice” in an IP packet containing her source IP address

Failure scenario??

Trudy can create a packet “spoofing” Alice’s address

Authentication: another try

Protocol 3.0: Alice says “I am Alice” and sends her secret password to “prove” it.

Failure scenario??

playback attack: Trudy records Alice’s packet and later plays it back to Bob

Authentication: yet another try

Protocol 3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it.

Failure scenario??

record and playback still works!

Authentication: yet another try

Goal: avoid playback attack
Nonce: number (R) used only once-in-a-lifetime
4.0: to prove Alice “live”, Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key

[Figure: Alice -> Bob: “I am Alice”; Bob -> Alice: R; Alice -> Bob: K_A-B(R)]

Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice!

Failures, drawbacks?

Authentication: Protocol 5.0

Protocol 4.0 requires shared symmetric key
- can we authenticate using public key techniques?
5.0: use nonce, public key cryptography

[Figure: Alice -> Bob: “I am Alice”; Bob -> Alice: R; Alice -> Bob: K_A^-(R); Bob -> Alice: “send me your public key”; Alice -> Bob: K_A^+]

Bob computes K_A^+(K_A^-(R)) = R and knows only Alice could have the private key, that encrypted R such that K_A^+(K_A^-(R)) = R

Protocol 5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)

[Figure: message exchange with Trudy between Alice and Bob. Labels: “I am Alice”; R; K_T^-(R); “Send me your public key”; K_T^+; R; K_A^-(R); “Send me your public key”; K_A^+; K_T^+(m); Trudy gets m = K_T^-(K_T^+(m)), sends m to Alice encrypted with Alice’s public key: K_A^+(m); m = K_A^-(K_A^+(m))]

Protocol 5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)

Difficult to detect:
- Bob receives everything that Alice sends, and vice versa. (e.g., so Bob, Alice can meet one week later and recall conversation)
- problem is that Trudy receives all messages as well!

Message integrity

Digital Signatures

Cryptographic technique similar to hand-written signatures.
- sender (Bob) digitally signs document, establishing he is document owner/creator.
- verifiable, nonforgeable: recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed document

Digital Signatures

Simple digital signature for message m:
- Bob signs m by encrypting with his private key K_B^-, creating “signed” message, K_B^-(m)

[Figure: Bob’s message, m (“Dear Alice, How are you? Here is the content of the message. …(blah blah blah) Bob”) -> public key encryption algorithm (Bob’s private key K_B^-) -> K_B^-(m): Bob’s message, m, signed (encrypted) with his private key]

Digital Signatures (more)

- Suppose Alice receives msg m, digital signature K_B^-(m)
- Alice verifies m signed by Bob by applying Bob’s public key K_B^+ to K_B^-(m) then checks K_B^+(K_B^-(m)) = m.
- If K_B^+(K_B^-(m)) = m, whoever signed m must have used Bob’s private key.

Alice thus verifies that:
- Bob signed m.
- No one else signed m.
- Bob signed m and not m’.

Non-repudiation:
- Alice can take m, and signature K_B^-(m) to court and prove that Bob signed m.

Message Digests

Computationally expensive to public-key-encrypt long messages

Goal: fixed-length, easy-to-compute digital “fingerprint”
- apply hash function H to m, get fixed size message digest, H(m).

[Figure: large message m -> H: Hash Function -> H(m)]

Hash function properties:
- many-to-1
- produces fixed-size msg digest (fingerprint)
- given message digest x, computationally impossible to find m, such that x = H(m)
- Given m, no one can find m’ such that H(m’)=H(m)

Internet checksum: poor crypto hash function

Internet checksum has some properties of hash function:
- produces fixed length digest (16-bit sum) of message
- is many-to-one

But given message with given hash value, it is easy to find another message with same hash value:

message   ASCII format      message   ASCII format
IOU1      49 4F 55 31       IOU9      49 4F 55 39
00.9      30 30 2E 39       00.1      30 30 2E 31
9BOB      39 42 D2 42       9BOB      39 42 D2 42
          B2 C1 D2 AC                 B2 C1 D2 AC

different messages but identical checksums!

Digital signature = signed message digest

Bob sends digitally signed message:

[Figure: large message m -> H: Hash function -> H(m) -> digital signature (encrypt) with Bob’s private key K_B^- -> encrypted msg digest K_B^-(H(m)), sent with m]

Alice verifies signature and integrity of digitally signed message:

[Figure: large message m -> H: Hash function -> H(m); encrypted msg digest K_B^-(H(m)) -> digital signature (decrypt) with Bob’s public key K_B^+ -> H(m); equal?]

Hash Function Algorithms

- MD5 hash function widely used (RFC 1321)
  - computes 128-bit message digest in 4-step process.
  - arbitrary 128-bit string x, appears difficult to construct msg m whose MD5 hash is equal to x.
- SHA-1 is also used.
  - US standard [NIST, FIPS PUB 180-1]
  - 160-bit message digest

Key distribution and certification

Trusted Intermediaries

Symmetric key problem:
- How do two entities establish shared secret key over network?
Solution:
- trusted key distribution center (KDC) acting as intermediary between entities

Public key problem:
- When Alice obtains Bob’s public key (from web site, e-mail, diskette), how does she know it is Bob’s public key, not Trudy’s?
Solution:
- trusted certification authority (CA)

Key Distribution Center (KDC)

- Alice, Bob need shared symmetric key.
- KDC: server shares different secret key with each registered user (many users)
- Alice, Bob know own symmetric keys, K_A-KDC, K_B-KDC, for communicating with KDC.

[Figure: KDC holding K_A-KDC, K_B-KDC, K_P-KDC, K_X-KDC, K_Y-KDC, K_Z-KDC; Alice holds K_A-KDC, Bob holds K_B-KDC]

Key Distribution Center (KDC)

Q: How does KDC allow Bob, Alice to determine shared symmetric secret key to communicate with each other?

[Figure: Alice -> KDC: K_A-KDC(A,B); KDC generates R1; KDC -> Alice: K_A-KDC(R1, K_B-KDC(A,R1)); Alice knows R1; Alice -> Bob: K_B-KDC(A,R1); Bob knows to use R1 to communicate with Alice]

Alice and Bob communicate: using R1 as session key for shared symmetric encryption

Certification Authorities

- Certification authority (CA): binds public key to particular entity, E.
- E (person, router) registers its public key with CA.
  - E provides “proof of identity” to CA.
  - CA creates certificate binding E to its public key.
  - certificate containing E’s public key digitally signed by CA – CA says “this is E’s public key”

[Figure: Bob’s public key K_B^+ and Bob’s identifying information -> digital signature (encrypt) with CA private key K_CA^- -> certificate for Bob’s public key, signed by CA]

Certification Authorities

- When Alice wants Bob’s public key:
  - gets Bob’s certificate (Bob or elsewhere).
  - apply CA’s public key to Bob’s certificate, get Bob’s public key

[Figure: certificate -> digital signature (decrypt) with CA public key K_CA^+ -> Bob’s public key K_B^+]

A certificate contains:
- Serial number (unique to issuer)
- info about certificate owner, including algorithm and key value itself (not shown)
- info about certificate issuer
- valid dates
- digital signature by issuer

Access control: firewalls

Firewalls

firewall: isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others.

[Figure: administered network - firewall - public Internet]

Firewalls: Why

prevent denial of service attacks:
- SYN flooding: attacker establishes many false TCP connections, no resources left for “real” connections.
prevent illegal modification/access of internal data.
- e.g., attacker replaces CIA’s (Central Intelligence Agency) homepage with something else
allow only authorized access to inside network (set of authenticated users/hosts)
two types of firewalls:
- application-level
- packet-filtering

Packet Filtering

[Figure: Should arriving packet be allowed in? Departing packet let out?]

• internal network connected to Internet via router firewall
• router filters packet-by-packet, decision to forward/drop packet based on:
  – source IP address, destination IP address
  – TCP/UDP source and destination port numbers
  – ICMP message type
  – TCP SYN and ACK bits

Packet Filtering
• Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23.
  – All incoming and outgoing UDP flows and telnet connections are blocked.
• Example 2: Block inbound TCP segments with ACK=0.
  – Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.

 Example 3: Designing a
packet filtering rules set for a network with IP address 222.22/16.
  – Allow 111.11/16 address to access the subnet 222.22.22/24
  – Disallow 111.11.11/24 address to access the network.
  – For all other addresses disallow access.

Rule  Source         Destn          Action
R1    111.11/16      222.22.22/24   Permit
R2    111.11.11/24   222.22/16      Deny
R3    0.0.0.0/0      0.0.0.0/0      Deny

• What will be the actions for the following incoming pkts?
  – S:111.11.11.1, D:222.22.6.6
  – S:111.11.11.1, D:222.22.22.2
  – S:111.11.6.6, D:222.22.22.2
  – S:111.11.6.6, D:222.22.6.6
The packets will be processed by matching the rules one after another, and the first matched rule will be fired.

Application gateways
• Filters packets on application data as well as on IP/TCP/UDP fields.
• Example: allow selected internal users to telnet outside.

[Figure: host-to-gateway telnet session, application gateway, router and filter, gateway-to-remote host telnet session]

1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections
3. Router filter blocks all telnet connections not originating from gateway.
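Added example (not part of the original slides): first-match evaluation of the Example 3 rule set against the four packets listed on the slide, plus a check for rules that an earlier, broader rule pre-empts. The REORDERED list and the helper names are assumptions made for this illustration.

```python
from ipaddress import ip_address, ip_network

# Example 3 rule set; the slide's shorthand prefixes are written out in full.
RULES = [
    ("R1", "111.11.0.0/16", "222.22.22.0/24", "Permit"),
    ("R2", "111.11.11.0/24", "222.22.0.0/16", "Deny"),
    ("R3", "0.0.0.0/0", "0.0.0.0/0", "Deny"),
]
# Hypothetical alternative ordering (not on the slide): the narrower deny first.
REORDERED = [RULES[1], RULES[0], RULES[2]]

# The four incoming packets from the slide, as (source, destination).
PACKETS = [
    ("111.11.11.1", "222.22.6.6"),
    ("111.11.11.1", "222.22.22.2"),
    ("111.11.6.6", "222.22.22.2"),
    ("111.11.6.6", "222.22.6.6"),
]

def first_match(rules, src, dst):
    """Return (rule name, action) of the first rule that matches the packet."""
    s, d = ip_address(src), ip_address(dst)
    for name, src_net, dst_net, action in rules:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return name, action
    return None, "Deny"  # assumption: drop when no rule matches

def evaluate(rules, packets=PACKETS):
    """Action taken for each packet, in order."""
    return [first_match(rules, s, d) for s, d in packets]

def preempted(rules):
    """Pairs (earlier, later) where a narrower later rule with a different
    action can never fire for traffic the earlier rule already matched."""
    found = []
    for i, (n1, s1, d1, a1) in enumerate(rules):
        for n2, s2, d2, a2 in rules[i + 1:]:
            narrower = ip_network(s2).subnet_of(ip_network(s1))
            shared_dst = ip_network(d2).overlaps(ip_network(d1))
            if a1 != a2 and narrower and shared_dst:
                found.append((n1, n2))
    return found

if __name__ == "__main__":
    for name, rules in (("slide order", RULES), ("reordered", REORDERED)):
        print(name, evaluate(rules), "pre-empted:", preempted(rules))
```

In the slide's order, R1 fires before R2 for traffic from 111.11.11/24 to 222.22.22/24; whether that is intended depends on how the stated policy is read, which is why rule order belongs in any filter review.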

Limitations of firewalls and gateways
• IP spoofing: router can’t know if data “really” comes from claimed source
• if multiple app’s. need special treatment, each has own app. gateway.
• client software must know how to contact gateway.
  – e.g., must set IP address of proxy in Web browser
• filters often use all or nothing policy for UDP.
• tradeoff: degree of communication with outside world, level of security
• many highly protected sites still suffer from attacks.

Attacks and counter measures

Internet security threats
Mapping:
• before attacking: “case the joint” – find out what services are implemented on network
• Use ping to determine what hosts have addresses on network
• Port-scanning: try to establish TCP connection to each port in sequence (see what happens)
• nmap (http://www.insecure.org/nmap/) mapper: “network exploration and security auditing”
Countermeasures?

Internet security threats
Mapping: countermeasures
• record traffic entering network
• look for suspicious activity (IP addresses, ports being scanned sequentially)
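Added example (not part of the original slides): the mapping countermeasure as detection logic, run over recorded traffic to flag a source that walks ports or addresses in sequence. The log format, the addresses (documentation ranges) and the min_run threshold are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed traffic records (not from the slides): time proto src dst dport
SAMPLE_LOG = """\
10:00:01 tcp 198.51.100.7 192.0.2.10 20
10:00:01 tcp 198.51.100.7 192.0.2.10 21
10:00:01 tcp 198.51.100.7 192.0.2.10 22
10:00:02 tcp 198.51.100.7 192.0.2.10 23
10:00:02 tcp 198.51.100.7 192.0.2.10 24
10:00:03 tcp 203.0.113.5 192.0.2.10 80
10:00:04 tcp 203.0.113.5 192.0.2.10 443
10:00:05 icmp 203.0.113.9 192.0.2.1 -
10:00:05 icmp 203.0.113.9 192.0.2.2 -
10:00:05 icmp 203.0.113.9 192.0.2.3 -
10:00:06 icmp 203.0.113.9 192.0.2.4 -
"""

def longest_run(values):
    """Longest streak in which each value exceeds the previous one by exactly 1."""
    best = run = 1 if values else 0
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def detect_mapping(log, min_run=4):
    """Return sorted alerts for sequential port scans and address sweeps."""
    ports = defaultdict(list)   # (src, dst) -> TCP destination ports, in order
    hosts = defaultdict(list)   # src -> destination addresses as integers
    for line in log.strip().splitlines():
        _, proto, src, dst, dport = line.split()
        if proto == "tcp":
            ports[(src, dst)].append(int(dport))
        dst_int = int(ip_address(dst))
        if not hosts[src] or hosts[src][-1] != dst_int:
            hosts[src].append(dst_int)   # skip repeats of the same target
    alerts = []
    for (src, dst), seq in ports.items():
        if longest_run(seq) >= min_run:
            alerts.append(("port-scan", src, dst, longest_run(seq)))
    for src, seq in hosts.items():
        if longest_run(seq) >= min_run:
            alerts.append(("address-sweep", src, "*", longest_run(seq)))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect_mapping(SAMPLE_LOG):
        print(alert)
```

Sequential order is only the pattern the slide names; counting distinct ports or hosts contacted per source within a time window is the usual complement.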

Internet security threats
Packet sniffing:
• broadcast media
• promiscuous NIC reads all packets passing by
• can read all unencrypted data (e.g. passwords)
• e.g.: C sniffs B’s packets

[Figure: hosts A, B and C on a shared medium; packet “src:B dest:A payload” passes C]

Countermeasures?

Internet security threats
Packet sniffing: countermeasures
• all hosts in organization run software that checks periodically if host interface in promiscuous mode.
• one host per segment of broadcast media (switched Ethernet at hub)

[Figure: hosts A, B and C; packet “src:B dest:A payload”]
Internet security threats
IP Spoofing:
• can generate “raw” IP packets directly from application, putting any value into IP source address field
• receiver can’t tell if source is spoofed
• e.g.: C pretends to be B

[Figure: hosts A, B and C; C sends packet “src:B dest:A payload”]

Countermeasures?

Internet security threats
IP Spoofing: ingress filtering
• routers should not forward outgoing packets with invalid source addresses (e.g., datagram source address not in router’s network)
• great, but ingress filtering can not be mandated for all networks

[Figure: hosts A, B and C; packet “src:B dest:A payload”]

Internet security threats
Denial of service (DOS):
• flood of maliciously generated packets “swamp” receiver
• Distributed DOS (DDOS): multiple coordinated sources swamp receiver
• e.g., C and remote host SYN-attack A

[Figure: hosts A, B and C; streams of SYN packets converge on A]

Countermeasures?

Internet security threats
Denial of service (DOS): countermeasures
• filter out flooded packets (e.g., SYN) before reaching host: throw out good with bad
• traceback to source of floods (most likely an innocent, compromised machine)

[Figure: hosts A, B and C; streams of SYN packets converge on A]

Security in many layers
• Secure email
• Secure sockets
• IPsec
• Security in 802.11

Secure e-mail
• Alice wants to send confidential e-mail, m, to Bob.

[Figure: Alice encrypts m with KS to get KS(m) and encrypts KS with KB+ to get KB+(KS); both are sent over the Internet; Bob applies KB- to recover KS, then KS to recover m]

Alice:
• generates random symmetric private key, KS.
• encrypts message with KS (for efficiency)
• also encrypts KS with Bob’s public key.
• sends both KS(m) and KB+(KS) to Bob.
Secure e-mail
• Alice wants to send confidential e-mail, m, to Bob.

[Figure: Alice encrypts m with KS to get KS(m) and encrypts KS with KB+ to get KB+(KS); both are sent over the Internet; Bob applies KB- to recover KS, then KS to recover m]

Bob:
• uses his private key to decrypt and recover KS
• uses KS to decrypt KS(m) to recover m

Secure e-mail (continued)
• Alice wants to provide sender authentication, message integrity.

[Figure: Alice computes H(m) and signs it with KA- to get KA-(H(m)); m and KA-(H(m)) are sent over the Internet; Bob applies KA+ to the signature to get H(m), computes H(m) from the received m, and compares]

• Alice digitally signs message.
• sends both message (in the clear) and digital signature.

Secure e-mail (continued)
• Alice wants to provide secrecy, sender authentication, message integrity.

[Figure: Alice computes KA-(H(m)), joins it with m, and encrypts the result with KS; KS is encrypted with KB+ to get KB+(KS); both parts are sent over the Internet]

Alice uses three keys: her private key, Bob’s public key, newly created symmetric key

Pretty good privacy (PGP)
• Internet e-mail encryption scheme, de-facto standard.
• uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described.
• provides secrecy, sender authentication, integrity.
• inventor, Phil Zimmermann, was target of 3-year federal investigation.

A PGP signed message:

---BEGIN PGP SIGNED MESSAGE---
Hash: SHA1

Bob: This message is digitally signed using PGP.
-Alice
---BEGIN PGP SIGNATURE---
Version: PGP 5.0
Charset: noconv
yhHJRHhGJGhgg/12EpJ+lo8gE4vB3
mqJhFEvZP9t6n7G6m5Gw2
---END PGP SIGNATURE---

Secure sockets layer (SSL)
• transport layer security to any TCP-based app using SSL services.
• used between Web browsers, servers for e-commerce (shttp).
• security services:
  – server authentication
  – data encryption
  – client authentication (optional)
• server authentication:
  – SSL-enabled browser includes public keys for trusted CAs.
  – Browser requests server certificate, issued by trusted CA.
  – Browser uses CA’s public key to extract server’s public key from certificate.
• check your browser’s security menu to see its trusted CAs.

SSL (continued)
Encrypted SSL session:
• Browser generates symmetric session key, encrypts it with server’s public key, sends encrypted key to server.
• Using private key, server decrypts session key.
• Browser, server know session key
  – All data sent into TCP socket (by client or server) encrypted with session key.
• SSL: basis of IETF Transport Layer Security (TLS).
• SSL can be used for non-Web applications, e.g., IMAP.
• Client authentication can be done with client certificates.
IPsec: Network Layer Security
• Network-layer secrecy:
  – sending host encrypts the data in IP datagram
  – TCP and UDP segments; ICMP and SNMP messages.
• Network-layer authentication
  – destination host can authenticate source IP address
• Two principal protocols:
  – authentication header (AH) protocol
  – encapsulation security payload (ESP) protocol
• For both AH and ESP, source, destination handshake:
  – create network-layer logical channel called a security association (SA)
• Each SA unidirectional.
• Uniquely determined by:
  – security protocol (AH or ESP)
  – source IP address
  – 32-bit connection ID

Authentication Header (AH) Protocol
• provides source authentication, data integrity, no confidentiality
• AH header inserted between IP header, data field.
• protocol field: 51
• intermediate routers process datagrams as usual
AH header includes:
• connection identifier
• authentication data: source-signed message digest calculated over original IP datagram.
• next header field: specifies type of data (e.g., TCP, UDP, ICMP)

[Figure: datagram layout: IP header | AH header | data (e.g., TCP, UDP segment)]

ESP Protocol
• provides secrecy, host authentication, data integrity.
• data, ESP trailer encrypted.
• next header field is in ESP trailer.
• ESP authentication field is similar to AH authentication field.
• Protocol = 50.

[Figure: datagram layout: IP header | ESP header | TCP/UDP segment | ESP trailer | ESP authent., with brackets marking the encrypted and the authenticated portions]

IEEE 802.11 security
• War-driving: drive around Bay area, see what 802.11 networks available?
  – More than 9000 accessible from public roadways
  – 85% use no encryption/authentication
  – packet-sniffing and various attacks easy!
• Securing 802.11
  – encryption, authentication
  – first attempt at 802.11 security: Wired Equivalent Privacy (WEP): a failure
  – current attempt: 802.11i

Wired Equivalent Privacy (WEP):
• authentication as in protocol ap4.0
  – host requests authentication from access point
  – access point sends 128 bit nonce
  – host encrypts nonce using shared symmetric key
  – access point decrypts nonce, authenticates host
• no key distribution mechanism
• authentication: knowing the shared key is enough

WEP data encryption
• Host/AP share 40 bit symmetric key (semi-permanent)
• Host appends 24-bit initialization vector (IV) to create 64-bit key
• 64 bit key used to generate stream of keys, k_i^IV
• k_i^IV used to encrypt ith byte, d_i, in frame:
    c_i = d_i XOR k_i^IV
• IV and encrypted bytes, c_i sent in frame
802.11 WEP encryption

[Figure 7.8-new1: 802.11 WEP protocol (sender-side WEP encryption). The per-frame IV and the 40-bit secret symmetric key KS feed the key sequence generator (for given KS, IV), which outputs k_1^IV k_2^IV k_3^IV … k_N^IV k_N+1^IV … k_N+4^IV. The plaintext frame data plus CRC, d_1 d_2 d_3 … d_N CRC_1 … CRC_4, is XORed with that sequence to give c_1 c_2 c_3 … c_N c_N+1 … c_N+4. The frame sent is: 802.11 header | IV | WEP-encrypted data plus CRC]

Breaking 802.11 WEP encryption
Security hole:
• 24-bit IV, one IV per frame, -> IV’s eventually reused
• IV transmitted in plaintext -> IV reuse detected
• Attack:
  – Trudy causes Alice to encrypt known plaintext d_1 d_2 d_3 d_4 …
  – Trudy sees: c_i = d_i XOR k_i^IV
  – Trudy knows c_i d_i, so can compute k_i^IV
  – Trudy knows encrypting key sequence k_1^IV k_2^IV k_3^IV …
  – Next time IV is used, Trudy can decrypt!
Network Security (summary)

Basic techniques…
• cryptography (symmetric and public)
• authentication
• message integrity
• key distribution
… used in many different security scenarios
• secure email
• secure transport (SSL)
• IP sec
• 802.11
