MTU CS 6461 - Network Security

This preview shows page 1-2-3-4-5-6-41-42-43-44-45-46-83-84-85-86-87-88 out of 88 pages.


8: Network Security 8-1

Chapter 8
Network Security

A note on the use of these ppt slides:
We’re making these slides freely available to all (faculty, students, readers). They’re in PowerPoint form so you can add, modify, and delete slides (including this one) and slide content to suit your needs. They obviously represent a lot of work on our part. In return for use, we only ask the following:
❒ If you use these slides (e.g., in a class) in substantially unaltered form, that you mention their source (after all, we’d like people to use our book!)
❒ If you post any slides in substantially unaltered form on a www site, that you note that they are adapted from (or perhaps identical to) our slides, and note our copyright of this material.
Thanks and enjoy! JFK/KWR

All material copyright 1996-2007 J.F Kurose and K.W. Ross, All Rights Reserved

Computer Networking: A Top Down Approach, 4th edition. Jim Kurose, Keith Ross. Addison-Wesley, July 2007.

Chapter 8: Network Security

Chapter goals:
❒ understand principles of network security:
  ❍ cryptography and its many uses beyond “confidentiality”
  ❍ authentication
  ❍ message integrity
❒ security in practice:
  ❍ firewalls and intrusion detection systems
  ❍ security in application, transport, network, link layers

Chapter 8 roadmap

8.1 What is network security?
8.2 Principles of cryptography
8.3 Message integrity
8.4 End point authentication
8.5 Securing e-mail
8.6 Securing TCP connections: SSL
8.7 Network layer security: IPsec
8.8 Securing wireless LANs
8.9 Operational security: firewalls and IDS

What is network security?

Confidentiality: only sender, intended receiver should “understand” message contents
  ❍ sender encrypts message
  ❍ receiver decrypts message
Authentication: sender, receiver want to confirm identity of each other
Message integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection
Access and availability: services must be accessible and available to users

Friends and enemies: Alice, Bob, Trudy

❒ well-known in network security world
❒ Bob, Alice (lovers!) want to communicate “securely”
❒ Trudy (intruder) may intercept, delete, add messages

[Figure: Alice (secure sender) and Bob (secure receiver) exchange data and control messages over a channel; Trudy sits on the channel.]

Who might Bob, Alice be?

❒ … well, real-life Bobs and Alices!
❒ Web browser/server for electronic transactions (e.g., on-line purchases)
❒ on-line banking client/server
❒ DNS servers
❒ routers exchanging routing table updates
❒ other examples?

There are bad guys (and girls) out there!

Q: What can a “bad guy” do?
A: a lot!
  ❍ eavesdrop: intercept messages
  ❍ actively insert messages into connection
  ❍ impersonation: can fake (spoof) source address in packet (or any field in packet)
  ❍ hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place
  ❍ denial of service: prevent service from being used by others (e.g., by overloading resources)
more on this later ……

The language of cryptography

symmetric key crypto: sender, receiver keys identical
public-key crypto: encryption key public, decryption key secret (private)

[Figure: plaintext -> encryption algorithm (Alice’s encryption key K_A) -> ciphertext -> decryption algorithm (Bob’s decryption key K_B) -> plaintext]

Symmetric key cryptography

substitution cipher: substituting one thing for another
  ❍ monoalphabetic cipher: substitute one letter for another

plaintext:  abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq

E.g.:
Plaintext:  bob. i love you. alice
ciphertext: nkn. s gktc wky. mgsbc

Q: How hard to break this simple cipher?
❒ brute force (how hard?)
❒ other?

Symmetric key cryptography

symmetric key crypto: Bob and Alice share (know) the same (symmetric) key: K
❒ e.g., key is knowing substitution pattern in monoalphabetic substitution cipher
❒ Q: how do Bob and Alice agree on key value?

[Figure: plaintext message m -> encryption algorithm (key K_{A-B}) -> ciphertext K_{A-B}(m) -> decryption algorithm (key K_{A-B}) -> plaintext m = K_{A-B}(K_{A-B}(m))]

Symmetric key crypto: DES

DES: Data Encryption Standard
❒ US encryption standard [NIST 1993]
❒ 56-bit symmetric key, 64-bit plaintext input
❒ How secure is DES?
  ❍ DES Challenge: 56-bit-key-encrypted phrase (“Strong cryptography makes the world a safer place”) decrypted (brute force) in 4 months
  ❍ no known “backdoor” decryption approach
❒ making DES more secure:
  ❍ use three keys sequentially (3-DES) on each datum
  ❍ use cipher-block chaining

Symmetric key crypto: DES

DES operation:
❒ initial permutation
❒ 16 identical “rounds” of function application, each using different 48 bits of key
❒ final permutation

AES: Advanced Encryption Standard

❒ new (Nov. 2001) symmetric-key NIST standard, replacing DES
❒ processes data in 128 bit blocks
❒ 128, 192, or 256 bit keys
❒ brute force decryption (try each key) taking 1 sec on DES, takes 149 trillion years for AES

Block Cipher

❒ one pass through: one input bit affects eight output bits
❒ multiple passes: each input bit affects all output bits
❒ block ciphers: DES, 3DES, AES

[Figure: 64-bit input split into eight 8-bit chunks; each chunk passes through its own table T1 ... T8 (8 bits in, 8 bits out); the eight outputs feed a 64-bit scrambler that produces the 64-bit output; loop for n rounds]

Cipher Block Chaining

❒ cipher block: if input block repeated, will produce same cipher text:

[Figure: t=1: m(1) = “HTTP/1.1” -> block cipher -> c(1) = “k329aM02”; … ; t=17: m(17) = “HTTP/1.1” -> block cipher -> c(17) = “k329aM02”]

❒ cipher block chaining: XOR ith input block, m(i), with previous block of cipher text, c(i-1)
  ❍ c(0) transmitted to receiver in clear
  ❍ what happens in “HTTP/1.1” scenario from above?

[Figure: m(i) XOR c(i-1) -> block cipher -> c(i)]

Public key cryptography

symmetric key crypto
❒ requires sender, receiver know shared secret key
❒ Q: how to agree on key in first place (particularly if never “met”)?

public key cryptography
❒ radically different approach [Diffie-Hellman76, RSA78]
❒ sender, receiver do not
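Added example (not part of the original slides): the monoalphabetic cipher slide asks how hard the cipher is to break by brute force and by other means. This Python sketch uses the slide's own substitution table; the function names are assumptions made for illustration. It shows that the key space is large (26! tables) while the letter-frequency profile of the message passes through encryption unchanged, which is why key-space size alone says little about this cipher's strength.

```python
import math
from collections import Counter

# Substitution table exactly as given on the slide.
PLAIN = "abcdefghijklmnopqrstuvwxyz"
CIPHER = "mnbvcxzasdfghjklpoiuytrewq"
ENC = str.maketrans(PLAIN, CIPHER)
DEC = str.maketrans(CIPHER, PLAIN)

SLIDE_PLAINTEXT = "bob. i love you. alice"   # message from the slide


def encrypt(text):
    """Replace each lowercase letter via the table; other characters pass through."""
    return text.translate(ENC)


def decrypt(text):
    """Invert the table."""
    return text.translate(DEC)


def keyspace_bits():
    """Size of the brute-force search: log2 of the 26! possible tables."""
    return math.log2(math.factorial(26))


def frequency_profile(text):
    """Letter counts sorted high to low, ignoring which letter has which count.

    A monoalphabetic substitution only relabels letters, so this profile is
    identical for plaintext and ciphertext. That invariant is what makes the
    statistics of the language visible in the ciphertext.
    """
    counts = Counter(ch for ch in text if ch.isalpha())
    return sorted(counts.values(), reverse=True)


if __name__ == "__main__":
    ct = encrypt(SLIDE_PLAINTEXT)
    print(ct)
    print(f"brute force: about 2^{keyspace_bits():.1f} candidate tables")
    print("plaintext profile :", frequency_profile(SLIDE_PLAINTEXT))
    print("ciphertext profile:", frequency_profile(ct))
```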
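Added example (not part of the original slides): the “HTTP/1.1” scenario from the Cipher Block Chaining slide, worked through in Python. The block cipher here is a toy 64-bit Feistel construction built on SHA-256, standing in for DES/AES purely so the example runs with the standard library; it is not a real cipher, and the key, c(0) and filler blocks are constructed values.

```python
import hashlib

BLOCK = 8                                  # 64-bit blocks: "HTTP/1.1" is one block
KEY = b"constructed-demo-key"              # constructed sample key
IV = bytes(range(8))                       # c(0); fixed here only for repeatability
# Constructed 17-block message: m(1) and m(17) are both "HTTP/1.1".
MESSAGE = b"HTTP/1.1" + b"".join(b"block%03d" % i for i in range(2, 17)) + b"HTTP/1.1"

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_fn(key, i, half):
    # Toy round function: 4 bytes derived from key, round number and one half.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def encrypt_block(key, block, rounds=4):
    left, right = block[:4], block[4:]
    for i in range(rounds):                # Feistel round: (L, R) -> (R, L xor F(R))
        left, right = right, xor(left, round_fn(key, i, right))
    return left + right

def decrypt_block(key, block, rounds=4):
    left, right = block[:4], block[4:]
    for i in reversed(range(rounds)):      # undo the rounds in reverse order
        left, right = xor(right, round_fn(key, i, left)), left
    return left + right

def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("example handles whole blocks only (no padding)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, data):
    # Each block encrypted independently: equal inputs give equal outputs.
    return b"".join(encrypt_block(key, m) for m in blocks(data))

def cbc_encrypt(key, iv, data):
    prev, out = iv, []
    for m in blocks(data):
        prev = encrypt_block(key, xor(m, prev))   # c(i) = K(m(i) xor c(i-1))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    prev, out = iv, []
    for c in blocks(data):
        out.append(xor(decrypt_block(key, c), prev))  # m(i) = K^-1(c(i)) xor c(i-1)
        prev = c
    return b"".join(out)
```

Without chaining, blocks 1 and 17 of the ciphertext are identical and reveal the repetition; with chaining they differ because c(16) differs from c(0), and the receiver still recovers the message knowing only the key and c(0).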

