
Slide titles in the full deck: Chapter 8: Network Security; Chapter 8 roadmap; What is network security?; Friends and enemies: Alice, Bob, Trudy; Who might Bob, Alice be?; There are bad guys (and girls) out there!; The language of cryptography; Symmetric key cryptography; Puzzle; Symmetric key crypto: DES; AES: Advanced Encryption Standard; Public key cryptography; Public key encryption algorithms; RSA: Encryption, decryption; RSA: How?; RSA: Choosing keys; RSA example; RSA: another important property; Authentication; Authentication: another try; Authentication: yet another try; Authentication: ap5.0; ap5.0: security hole; Digital Signatures; Digital Signatures (more); Message Digests; Internet checksum: poor crypto hash function; Hash Function Algorithms; Trusted Intermediaries; Key Distribution Center (KDC); Certification Authorities; A certificate contains:; Firewalls; Firewalls: Why; Packet Filtering; Application gateways; Limitations of firewalls and gateways; Internet security threats; Secure e-mail; Secure e-mail (continued); Pretty good privacy (PGP); Secure sockets layer (SSL); SSL (continued); IPsec: Network Layer Security; Authentication Header (AH) Protocol; ESP Protocol; IEEE 802.11 security; Wired Equivalent Privacy (WEP); WEP data encryption; 802.11 WEP encryption; Breaking 802.11 WEP encryption; 802.11i: improved security; 802.11i: four phases of operation; EAP: extensible authentication protocol; Network Security (summary)

Chapter 8: Network Security (slide 8-1)
Chapter goals:
- understand principles of network security:
  - cryptography and its many uses beyond “confidentiality”
  - authentication
  - message integrity
  - key distribution
- security in practice:
  - firewalls
  - security in application, transport, network, link layers

Chapter 8 roadmap (slide 8-2)
8.1 What is network security?
8.2 Principles of cryptography
8.3 Authentication
8.4 Integrity
8.5 Key Distribution and certification
8.6 Access control: firewalls
8.7 Attacks and counter measures
8.8 Security in many layers

What is network security? (slide 8-3)
- Confidentiality: only sender, intended receiver should “understand” message contents
  - sender encrypts message
  - receiver decrypts message
- Authentication: sender, receiver want to confirm identity of each other
- Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection
- Access and Availability: services must be accessible and available to users

Friends and enemies: Alice, Bob, Trudy (slide 8-4)
- well-known in network security world
- Bob, Alice (lovers!) want to communicate “securely”
- Trudy (intruder) may intercept, delete, add messages
[Figure: Alice (secure sender) and Bob (secure receiver) exchange data and control messages over a channel; Trudy sits on the channel]

Who might Bob, Alice be? (slide 8-5)
- … well, real-life Bobs and Alices!
- Web browser/server for electronic transactions (e.g., on-line purchases)
- on-line banking client/server
- DNS servers
- routers exchanging routing table updates
- other examples?

There are bad guys (and girls) out there! (slide 8-6)
Q: What can a “bad guy” do?
A: a lot!
- eavesdrop: intercept messages
- actively insert messages into connection
- impersonation: can fake (spoof) source address in packet (or any field in packet)
- hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place
- denial of service: prevent service from being used by others (e.g., by overloading resources)
more on this later ……

The language of cryptography (slide 8-8)
- symmetric key crypto: sender, receiver keys identical
- public-key crypto: encryption key public, decryption key secret (private)
[Figure: plaintext -> encryption algorithm (Alice's encryption key K_A) -> ciphertext -> decryption algorithm (Bob's decryption key K_B) -> plaintext]

Symmetric key cryptography (slide 8-9)
Caesar cipher: substitute w/ offset of k
  plaintext:  abcdefghijklmnopqrstuvwxyz
  ciphertext: uvwxyzabcdefghijklmnopqrst
E.g.:
  Plaintext:  bob. i love you. alice
  ciphertext: viv. c fipy sio. ufcwy
Q: How hard to break this simple cipher?
- brute force (how hard?)
- other?

Symmetric key cryptography (slide 8-10)
substitution cipher: substituting one thing for another
- monoalphabetic cipher: substitute one letter for another
  plaintext:  abcdefghijklmnopqrstuvwxyz
  ciphertext: mnbvcxzasdfghjklpoiuytrewq
E.g.:
  Plaintext:  bob. i love you. alice
  ciphertext: nkn. s gktc wky. mgsbc
Q: How hard to break this simple cipher?
- brute force (how hard?)
- other?

Puzzle (slide 8-11)
- 64! = 1.2680e+89
- Come up with a cryptographic scheme that has 64!^2 possible keys
- 64^4?
- How long will it take to crack these, in days, if you can test 1 key per second?
  - 1.6*10^178/86400
  - 1.6*10^356/86400

Symmetric key cryptography (slide 8-12)
symmetric key crypto: Bob and Alice share same (symmetric) key: K
- e.g., key is knowing substitution pattern in monoalphabetic substitution cipher
- Q: how do Bob and Alice agree on key value?
[Figure: plaintext message m -> encryption algorithm with K_{A-B} -> ciphertext K_{A-B}(m) -> decryption algorithm with K_{A-B} -> plaintext m = K_{A-B}(K_{A-B}(m))]

Symmetric key crypto: DES (slide 8-13)
DES: Data Encryption Standard
- US encryption standard [NIST 1993]
- 56-bit symmetric key, 64-bit plaintext input
- How secure is DES?
  - DES Challenge: 56-bit-key-encrypted phrase (“Strong cryptography makes the world a safer place”) decrypted (brute force) in 4 months
  - no known “backdoor” decryption approach
- making DES more secure:
  - use three keys sequentially (3-DES) on each datum
  - use cipher-block chaining

Symmetric key crypto: DES (slide 8-14)
DES operation:
- initial permutation
- 16 identical “rounds” of function application, each using different 48 bits of key
- final permutation

Puzzle (slide 8-15)
- Is it possible to encrypt a value that is IMPOSSIBLE to recover?

AES: Advanced Encryption Standard (slide 8-16)
- new (Nov. 2001) symmetric-key NIST standard, replacing DES
- processes data in 128 bit blocks
- 128, 192, or
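
Added example (not part of the original slides): the Caesar and monoalphabetic slides ask how hard brute force is, and the first puzzle fixes the rate at 1 key per second. This Python sketch reproduces both slide ciphertexts, recovers the Caesar plaintext by trying all 25 shifts, and expresses key-space sizes as log10 of the days needed to exhaust them. The function names and the small scoring word list are constructed for illustration.

```python
import math
import re
import string

ALPHA = string.ascii_lowercase

def substitute(text, cipher_alphabet):
    """Encrypt: map a..z onto cipher_alphabet, leave other characters alone."""
    return text.translate(str.maketrans(ALPHA, cipher_alphabet))

def unsubstitute(text, cipher_alphabet):
    """Decrypt: the inverse mapping of substitute()."""
    return text.translate(str.maketrans(cipher_alphabet, ALPHA))

def caesar_alphabet(k):
    """Cipher alphabet for a Caesar shift of k (k=20 gives 'uvwxyzab...')."""
    return ALPHA[k:] + ALPHA[:k]

# Constructed mini word list, used only to score candidate plaintexts.
COMMON_WORDS = {"the", "and", "you", "i", "a", "love", "to", "is"}

def brute_force_caesar(ciphertext):
    """Try all 25 non-trivial shifts; return (hits, shift, plaintext) of the best."""
    best = (-1, 0, "")
    for k in range(1, 26):
        candidate = unsubstitute(ciphertext, caesar_alphabet(k))
        hits = sum(w in COMMON_WORDS for w in re.findall(r"[a-z]+", candidate))
        best = max(best, (hits, k, candidate))
    return best

def log10_days_to_exhaust(keyspace, keys_per_second=1):
    """log10 of the days needed to test every key (big ints, no float overflow)."""
    return math.log10(keyspace) - math.log10(86400 * keys_per_second)

CAESAR_CT = "viv. c fipy sio. ufcwy"           # ciphertext from the Caesar slide
MONO_ALPHABET = "mnbvcxzasdfghjklpoiuytrewq"   # cipher alphabet from the next slide

if __name__ == "__main__":
    print(brute_force_caesar(CAESAR_CT))                       # 25 keys: instant
    print(substitute("bob. i love you. alice", MONO_ALPHABET))
    print(round(log10_days_to_exhaust(math.factorial(26)), 1))       # 26! keys
    print(round(log10_days_to_exhaust(math.factorial(64) ** 2), 1))  # 64!^2 keys
```

Exhaustive search is trivial for the 25 Caesar shifts and hopeless for the 26! monoalphabetic keys, which is why the slides' "other?" matters: the monoalphabetic cipher preserves letter frequencies.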



UVA CS 457 - Network Security
