Rose-Hulman CSSE 432 - Network Security

This preview shows page 1-2-3-26-27-28 out of 28 pages.


21 - Security

8: Network Security 8-1

Chapter 8
Network Security

A note on the use of these ppt slides:
We're making these slides freely available to all (faculty, students, readers). They're in PowerPoint form so you can add, modify, and delete slides (including this one) and slide content to suit your needs. They obviously represent a lot of work on our part. In return for use, we only ask the following:
  If you use these slides (e.g., in a class) in substantially unaltered form, that you mention their source (after all, we'd like people to use our book!)
  If you post any slides in substantially unaltered form on a www site, that you note that they are adapted from (or perhaps identical to) our slides, and note our copyright of this material.
Thanks and enjoy! JFK/KWR
All material copyright 1996-2004 J.F Kurose and K.W. Ross, All Rights Reserved

Computer Networking: A Top Down Approach Featuring the Internet, 3rd edition. Jim Kurose, Keith Ross. Addison-Wesley, July 2004.

What is network security?

Confidentiality: only sender, intended receiver should "understand" message contents
  sender encrypts message
  receiver decrypts message
Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection
Authentication: sender, receiver want to confirm identity of each other
Access and Availability: services must be accessible and available to users
Achieved through a continuous cycle of protection, detection, and response.

Friends and enemies: Alice, Bob, Trudy

  well-known in network security world
  Bob, Alice (lovers!) want to communicate "securely"
  Trudy (intruder) may intercept, delete, add messages

[Figure: Alice (secure sender) and Bob (secure receiver) exchange data and control messages over a channel; Trudy sits on the channel.]

[Image: http://xkcd.com]

Who might Bob, Alice be?

  … well, real-life Bobs and Alices!
  Web browser/server for electronic transactions (e.g., on-line purchases)
  on-line banking client/server
  DNS servers
  routers exchanging routing table updates

There are bad guys (and girls) out there!

Q: What can a "bad guy" do?
A: a lot!
  eavesdrop: intercept messages
  actively insert messages into connection
  impersonation: can fake (spoof) source address in packet (or any field in packet)
  hijacking: "take over" ongoing connection by removing sender or receiver, inserting himself in place
  denial of service: prevent service from being used by others (e.g., by overloading resources)
more on this later ……

The language of cryptography

[Figure: plaintext -> encryption algorithm (Alice's encryption key K_A) -> ciphertext -> decryption algorithm (Bob's decryption key K_B) -> plaintext.]

symmetric key crypto: sender, receiver keys identical
public-key crypto: encryption key public, decryption key secret (private)

Symmetric key cryptography

substitution cipher: substituting one thing for another
  monoalphabetic cipher: substitute one letter for another

  plaintext:  abcdefghijklmnopqrstuvwxyz
  ciphertext: mnbvcxzasdfghjklpoiuytrewq

E.g.:
  Plaintext:  bob. i love you. alice
  ciphertext: nkn. s gktc wky. mgsbc

Q: How hard to break this simple cipher?
  brute force (how hard?)
  other?

Symmetric key cryptography

[Figure: plaintext message m -> encryption algorithm (key K_{A-B}) -> ciphertext K_{A-B}(m) -> decryption algorithm (key K_{A-B}) -> plaintext m = K_{A-B}(K_{A-B}(m)).]

symmetric key crypto: Bob and Alice share same (symmetric) key: K_{A-B}
  e.g., key is knowing substitution pattern in mono alphabetic substitution cipher

Symmetric key crypto: DES

DES: Data Encryption Standard
  US encryption standard [NIST 1993]
  56-bit symmetric key, 64-bit plaintext input
How secure is DES?
  DES Challenge: 56-bit-key-encrypted phrase ("Strong cryptography makes the world a safer place") decrypted (brute force) in 4 months
making DES more secure:
  use two keys sequentially (3-DES) on each datum
  use cipher-block chaining

Symmetric key crypto: DES

DES operation
  initial permutation
  16 identical "rounds" of function application, each using different 48 bits of key
  final permutation

AES: Advanced Encryption Standard

  new (Nov. 2001) symmetric-key NIST standard, replacing DES
  processes data in 128 bit blocks
  128, 192, or 256 bit keys
  brute force decryption (try each key) taking 1 sec on DES, takes 149 trillion years for AES

Public Key Cryptography

symmetric key crypto
  requires sender, receiver know shared secret key
  Q: how to agree on key in first place (particularly if never "met")?
public key cryptography
  radically different approach [Diffie-Hellman76, RSA78]
  sender, receiver do not share secret key
  public encryption key known to all
  private decryption key known only to receiver or sender

Public key cryptography

[Figure: Bob's public key K_B^+ and Bob's private key K_B^-; plaintext message m -> encryption algorithm -> ciphertext K_B^+(m) -> decryption algorithm -> plaintext message m = K_B^-(K_B^+(m)).]

Public key encryption algorithms

Requirements:
  1. need K_B^+(·) and K_B^-(·) such that K_B^-(K_B^+(m)) = m
  2. given public key K_B^+, it should be impossible to compute private key K_B^-
RSA: Rivest, Shamir, Adleman algorithm

RSA: Choosing keys

1. Choose two large prime numbers p, q. (e.g., 1024 bits each)
2. Compute n
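
Added example (not part of the original slides): the monoalphabetic cipher slide's key and its "how hard to break?" question, worked in Python. It reproduces the slide's ciphertext, counts the brute-force key space, and shows how the slide's single plaintext/ciphertext pair already reveals part of the key. The function names and the 10^9 keys-per-second rate used in the test are assumptions for illustration.

```python
import math
import string

# Key from the slide: plaintext alphabet -> ciphertext alphabet.
PLAIN = string.ascii_lowercase
CIPHER = "mnbvcxzasdfghjklpoiuytrewq"
ENC = str.maketrans(PLAIN, CIPHER)
DEC = str.maketrans(CIPHER, PLAIN)


def encrypt(msg: str) -> str:
    """Substitute each lowercase letter; spaces and punctuation pass through."""
    return msg.translate(ENC)


def decrypt(ct: str) -> str:
    """Apply the inverse substitution."""
    return ct.translate(DEC)


def keyspace() -> int:
    """Number of possible keys: every permutation of the 26 letters."""
    return math.factorial(len(PLAIN))


def brute_force_years(keys_per_second: float) -> float:
    """Time to try every key at an assumed (hypothetical) guessing rate."""
    return keyspace() / keys_per_second / (365 * 24 * 3600)


def recover_mapping(known_plain: str, known_cipher: str) -> dict:
    """Known-plaintext analysis: each aligned letter pair fixes one key entry."""
    mapping = {}
    for p, c in zip(known_plain, known_cipher):
        if p.isalpha() and mapping.setdefault(c, p) != p:
            raise ValueError("pair is not consistent with a single key")
    return mapping


def partial_decrypt(ct: str, mapping: dict) -> str:
    """Decrypt with a partial key; unknown letters are shown as '?'."""
    return "".join(mapping.get(ch, "?") if ch.isalpha() else ch for ch in ct)


if __name__ == "__main__":
    pair = ("bob. i love you. alice", encrypt("bob. i love you. alice"))
    learned = recover_mapping(*pair)
    print(pair[1], keyspace(), f"{brute_force_years(1e9):.2e} years")
    print(len(learned), "letters learned:", partial_decrypt(encrypt("hello"), learned))
```

Brute force over 26! keys is impractical, but the key space is not what protects the message: each letter always maps to the same symbol, so known plaintext or letter-frequency statistics recover the key directly.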

