Network Security Part II: Standards

Slide titles:
- Overview
- DES and 3DES
- Advanced Encryption Standard (AES)
- AES (cont)
- AES Encryption Round
- Secure Hash Algorithm 1 (SHA-1)
- SSL and TLS
- SSL Protocol Stack
- SSL Record Protocol Operation
- Record Protocol Header
- Change Cipher Spec Protocol
- Alert Protocol
- Handshake Protocol
- Slide 15
- IPSec
- IPSec (Cont)
- Security Association
- Authentication Header
- AH ICV Computation
- ESP Packet
- Summary
- Reading Assignment
- Homework

18-1  Network Security Part II: Standards

Raj Jain
Washington University, Saint Louis, MO
[email protected]
Slides are available on-line at: http://www.cse.wustl.edu/~jain/cse473-05/

©2005 Raj Jain, CSE473s, Washington University in St. Louis

18-2  Overview

- Secret Key Encryption:
  - Data encryption standard (DES)
  - Triple DES (3DES)
  - Advanced Encryption Standard (AES)
- Hashing: Secure Hash Algorithm 1 (SHA1)
- Secure Socket Layer (SSL)
- Secure IP (IPSec)

18-3  DES and 3DES

- Data Encryption Standard (DES)
  - 64 bit plain text blocks, 56 bit key
  - Broken in 1998 by Electronic Frontier Foundation
- Triple DES (3DES)
  - Uses 2 or 3 keys and 3 executions of DES
  - Effective key length 112 or 168 bit
  - Block size (64 bit) too small ⇒ Slow

18-4  Advanced Encryption Standard (AES)

- Designed in 1997-2001 by National Institute of Standards and Technology (NIST)
- Federal information processing standard (FIPS 197)
- Symmetric block cipher, Block length 128 bits
- Key lengths 128, 192, and 256 bits

18-5  AES (cont)

[Figure: AES encryption flow]

  Plain Text
    -> Add round key 1
    -> Repeat 10 times:
         Substitute Bytes   (Table Lookup)
         Shift Rows         (Shift left/right by 0, 1, or 2)
         Mix columns        (Byte_ij = fn(Byte_1j, Byte_2j, Byte_3j, Byte_4j))
         Add round key i
    -> Cipher Text

  State: 128b = 16B, arranged as a 4×4 array of bytes:

    11 12 13 14
    21 22 23 24
    31 32 33 34
    41 42 43 44

18-6  AES Encryption Round

[Figure: State -> Sub Bytes -> State -> Shift Rows -> State -> Mix Columns -> State -> Add Round Key -> State]

18-7  Secure Hash Algorithm 1 (SHA-1)

- Data processed in 512 bit blocks ⇒ 160 bit hash
- 1-512 bit Padding + 64 bit length (Data < 2^64 b)

[Figure: message followed by Padding (1 to 512b) and Msg Len, processed as a sequence of 512b blocks, producing a 160b output]

18-8  SSL and TLS

- Secure Socket Layer (SSL)
  - Reliable end-to-end secure service over TCP
  - Embedded in specific packages, e.g., Netscape and Microsoft Explorer and most Web servers
- Transport Layer Security (TLS) defined in RFC 2246
- Minor differences between SSLv3 and TLS
- Session = Multiple end-to-end TCP connections
- Four Protocols:
  - Handshake protocol: Exchange shared secret key
  - Record protocol: Provide end-to-end encryption
  - Change cipher spec protocol: Updates cipher suite
  - Alert protocol: Warnings and fatal errors to peer

18-9  SSL Protocol Stack

[Figure: SSL protocol stack]

18-10  SSL Record Protocol Operation

- Each upper-layer message fragmented into 2^14 bytes (16384 bytes) or less
- Compression optionally applied
- Compressed message plus MAC encrypted using symmetric encryption
- Prepend header

18-11  Record Protocol Header

- Content Type: change_cipher_spec, alert, handshake, and application_data
- Major Version: SSL v3 is 3
- Minor Version: SSLv3 value is 0
- Compressed Length: Maximum 2^14 + 2048

  Field:  Content Type | Major Version | Minor Version | Compressed Length | Data
  Size:   8b           | 8b            | 8b            | 16b               |

18-12  Change Cipher Spec Protocol

- Cause pending state to be copied into current state
- Updates cipher suite to be used on this connection
- Single message: Single byte value 1
- Uses Record Protocol

18-13  Alert Protocol

- Convey SSL-related alerts to peer entity
- Two bytes
- First byte: warning(1) or fatal(2)
  - If fatal, SSL immediately terminates connection
  - Other connections on session may continue
  - No new connections on session
- Second byte indicates specific alert
  - Example: Incorrect MAC ⇒ fatal alert

18-14  Handshake Protocol

- Negotiate security parameters
- Version: Highest SSL version understood by client
- Random: 28 bytes from secure random number generator
- 32-bit timestamp: Used during key exchange to prevent replay attacks
- Session ID: Variable-length
  - Nonzero ⇒ update existing connection or create new connection on session
  - Zero ⇒ establish new connection on new session
- Cipher Suite: Cryptographic algorithms supported
- Compression Methods supported

18-15  Handshake Protocol

- Phase 1: Exchange Protocol version, session ID, cipher suite, compression method and initial random numbers
- Phase 2: Certificate
- Phase 3: Certificate
- Phase 4: Change to new parameters

[Figure: handshake message flow]

  Client                                Server
    Client Hello            ------>
                            <------     Server Hello
                            <------     Certificate
                            <------     Server Key Exchange
                            <------     Certificate Request
                            <------     Server Hello Done
    Certificate             ------>
    Client Key Exchange     ------>
    Certificate Verify      ------>
    Change Cipher Spec      ------>
    Finished                ------>
                            <------     Change Cipher Spec
                            <------     Finished

18-16  IPSec

- Secure IP: A series of proposals from IETF
- Separate Authentication and privacy
- Authentication Header (AH) ensures data integrity and data origin authentication
- Encapsulating Security Protocol (ESP) ensures confidentiality, data origin authentication, connectionless integrity, and anti-replay service

[Figure: packet layout: IP Header | AH | ESP | Original IP Header* | Original Data, with the Authenticated and Encrypted portions marked. * Optional]

18-17  IPSec (Cont)

- Two Modes: Tunnel mode, Transport mode
  - Tunnel Mode ⇒ Original IP header encrypted
  - Transport mode ⇒ Original IP header removed. Only transport data encrypted.
- Supports a variety of encryption algorithms
- Better suited for WAN VPNs (vs Access VPNs)
- A reference implementation (Cerberus) IPSec and interoperability tester are available from NIST
- Cerberus = three headed dog guarding the underworld

