Computer NetworksNetwork SecurityOutlineWhat is network security?Friends and enemies: Alice, Bob, TrudyWho might Bob, Alice be?There are bad guys (and girls) out there!Slide 8The language of cryptographySymmetric key cryptographySlide 11Symmetric key crypto: DESSymmetric key crypto: DESBlock CipherAES: Advanced Encryption StandardCipher Block ChainingPublic key cryptographySlide 18Public key encryption algorithmsRSA: Choosing keysRSA: Encryption, decryptionRSA example:RSA: Why is thatRSA: another important propertySlide 25Message IntegrityMessage Authentication CodeMACs in practiceDigital SignaturesSlide 31Digital Signatures (more)PowerPoint PresentationPublic Key CertificationCertification AuthoritiesSlide 36A certificate contains:Slide 38AuthenticationSlide 40Authentication: another trySlide 42Slide 43Slide 44Authentication: yet another trySlide 46Slide 47Authentication: ap5.0ap5.0: security holeSlide 50Slide 51Secure e-mailSlide 53Secure e-mail (continued)Slide 55Pretty good privacy (PGP)EndSlide 58Secure sockets layer (SSL)SSL: three phasesSlide 61Slide 62Slide 63IPsec: Network Layer SecurityAuthentication Header (AH) ProtocolESP ProtocolSlide 67IEEE 802.11 securityWired Equivalent Privacy (WEP):WEP data encryption802.11 WEP encryptionBreaking 802.11 WEP encryption802.11i: improved security802.11i: four phases of operationEAP: extensible authentication protocolSlide 76FirewallsFirewalls: WhyStateless packet filteringStateless packet filtering: exampleStateless packet filtering: more examplesAccess Control ListsStateful packet filteringSlide 84Application gatewaysLimitations of firewalls and gatewaysIntrusion detection systemsSlide 88Network Security (summary)Computer NetworksNetwork Security8-2Network SecurityGoals: understand principles of network security: cryptography and its many uses beyond “confidentiality”authenticationmessage integritysecurity in practice:firewalls and intrusion detection systemssecurity in application, transport, network, link layers8-3Outline1 What is network security?2 Principles of cryptography3 Message integrity4 End point authentication5 Securing e-mail6 Securing TCP connections: SSL7 Network layer security: Ipsec8 Securing wireless LANs9 Operational security: firewalls and IDS8-4What is network security?Confidentiality: only sender, intended receiver should “understand” message contentssender encrypts messagereceiver decrypts messageAuthentication: sender, receiver want to confirm identity of each other Message integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detectionAccess and availability: services must be accessible and available to users8-5Friends and enemies: Alice, Bob, Trudywell-known in network security worldBob and Alice want to communicate “securely”Trudy (intruder) may intercept, delete, add messagessecuresendersecurereceiverchanneldata, control messagesdatadataAliceBobTrudy8-6Who might Bob, Alice be?… well, real-life Bobs and Alices!Web browser/server for electronic transactions (e.g., on-line purchases)on-line banking client/serverDNS serversrouters exchanging routing table updatesother examples?8-7There are bad guys (and girls) out there!Q: What can a “bad guy” do?A: a lot!eavesdrop: intercept messagesactively insert messages into connectionimpersonation: can fake (spoof) source address in packet (or any field in packet)hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in placedenial of service: prevent service from being used by others (e.g., by overloading resources)8-8Outline1 What is network security?2 Principles of cryptography3 Message integrity4 End point authentication5 Securing e-mail6 Securing TCP connections: SSL7 Network layer security: Ipsec8 Securing wireless LANs9 Operational security: firewalls and IDS8-9The language of cryptographysymmetric key crypto: sender, receiver keys identicalpublic-key crypto: encryption key public, decryption key secret (private)plaintextplaintextciphertextKAencryptionalgorithmdecryption algorithmAlice’s encryptionkeyBob’s decryptionkeyKB8-10Symmetric key cryptographysubstitution cipher: substituting one thing for anothermonoalphabetic cipher: substitute one letter for anotherplaintext: abcdefghijklmnopqrstuvwxyzciphertext: mnbvcxzasdfghjklpoiuytrewqPlaintext: bob. how are you? aliceciphertext: nkn. akr moc wky? mgsbcE.g.:Q: How hard to break this simple cipher?: brute force (how hard?) other?8-11Symmetric key cryptographysymmetric key crypto: Bob and Alice share know same (symmetric) key: Ke.g., key is knowing substitution pattern in mono alphabetic substitution cipherQ: how do Bob and Alice agree on key value?plaintextciphertextKA-Bencryptionalgorithmdecryption algorithmA-BKA-Bplaintextmessage, mK (m)A-BK (m)A-Bm = K ( ) A-B8-12Symmetric key crypto: DESDES: Data Encryption StandardUS encryption standard [NIST 1993]56-bit symmetric key, 64-bit plaintext inputHow secure is DES?DES Challenge: 56-bit-key-encrypted phrase (“Strong cryptography makes the world a safer place”) decrypted (brute force) in 4 monthsno known “backdoor” decryption approachmaking DES more secure:use three keys sequentially (3-DES) on each datumuse cipher-block chaining8-13Symmetric key crypto: DESinitial permutation 16 identical “rounds” of function application, each using different 48 bits of keyfinal permutationDES operation8-14Block Cipherone pass through: one input bit affects eight output bits64-bit inputT18bits8 bits8bits8 bits8bits8 bits8bits8 bits8bits8 bits8bits8 bits8bits8 bits8bits8 bits64-bit scrambler64-bit outputloop for n roundsT2T3T4T6T5T7T8multiple passes: each input bit affects all output bits block ciphers: DES, 3DES, AES8-15AES: Advanced Encryption Standardnew (Nov. 2001) symmetric-key NIST standard, replacing DESprocesses data in 128 bit blocks128, 192, or 256 bit keysbrute force decryption (try each key) takes 149 trillion years for AES8-16Cipher Block Chainingcipher block: if input block repeated, will produce same cipher text:t=1m(1) = “HTTP/1.1”blockcipherc(1) = “k329aM02”…cipher block chaining: XOR ith input block, m(i), with previous block of cipher text, c(i-1)c(0) transmitted to receiver in clearwhat happens in “HTTP/1.1” scenario from above?+m(i)c(i)t=17m(17) =
View Full Document
Unlocking...