Security Outline Homework 1, selected solutions Encryption Algorithms

Slides:



Advertisements
Similar presentations
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Advertisements

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Katz, Stoica F04 EE 122: (More) Network Security November 5, 2003.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
INE1020: Introduction to Internet Engineering 6: Privacy and Security Issues1 Lecture 9: E-commerce & Business r E-Commerce r Security Issues m Secure.
Chi-Cheng Lin, Winona State University CS 313 Introduction to Computer Networking & Telecommunication Network Security (A Very Brief Introduction)
CSS432 Network Security Textbook Ch8
Network Security. Cryptography Cryptography functions Secret key (e.g., DES) Public key (e.g., RSA) Message digest (e.g., MD5) Security services Privacy:
_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.
Dr. L. Christofi1 Local & Metropolitan Area Networks ACOE322 Lecture 8 Network Security.
©The McGraw-Hill Companies, Inc., 2000© Adapted for use at JMU by Mohamed Aboutabl, 2003Mohamed Aboutabl1 1 Chapter 29 Internet Security.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
4-Jun-164/598N: Computer Networks Differentiated Services Problem with IntServ: scalability Idea: segregate packets into a small number of classes –e.g.,
Chapter 8 – Network Security Two main topics Cryptographic algorithms and mechanisms Firewalls Chapter may be hard to understand if you don’t have some.
Encryption No. 1  Seattle Pacific University Encryption: Protecting Your Data While in Transit Kevin Bolding Electrical Engineering Seattle Pacific University.
Security Many secure IT systems are like a house with a locked front door but with a side window open -somebody.
CS 6401 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
1 Some Backgrounds on Network Security Rocky K. C. Chang 12 February 2003.
EE 122: Lecture 24 (Security) Ion Stoica December 4, 2001.
Department of Computer Science Chapter 5 Introduction to Cryptography Semester 1.
Key management issues in PGP
Basics of Cryptography
Security Outline Encryption Algorithms Authentication Protocols
Security Outline Encryption Algorithms Authentication Protocols
Advanced Computer Networks
Cryptography Why Cryptography Symmetric Encryption
Cryptography and Network Security
Secure Sockets Layer (SSL)
Cryptographic Hash Function
What is network security?
Authentication Applications
Cryptography and Security Technologies
Basic Network Encryption
S/MIME T ANANDHAN.
Message Digest Cryptographic checksum One-way function Relevance
Network Security Basics
PART VII Security.
1DT057 Distributed Information System Chapter 8 Network Security
Taxonomy of real time applications
Security.
Enabling Technology1: Cryptography
CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9
The Secure Sockets Layer (SSL) Protocol
Intro to Cryptography Some slides have been taken from:
Outline Using cryptography in networks IPSec SSL and TLS.
CDK: Chapter 7 TvS: Chapter 9
Public-Key, Digital Signatures, Management, Security
Security Outline Encryption Algorithms Authentication Protocols
Chapter 3 - Public-Key Cryptography & Authentication
Basic Network Encryption
Advanced Computer Networks
Fluency with Information Technology Lawrence Snyder
Security: Integrity, Authentication, Non-repudiation
Security: Public Key Cryptography
One-way Hash Function Network Security.
Review of Cryptography: Symmetric and Asymmetric Crypto Advanced Network Security Peter Reiher August, 2014.
Presentation transcript:

Security Outline Homework 1, selected solutions Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls CS 640

Homework #1 Solutions 1:6 1:13 1:14 Propagation delay is 2x103 m/(2x108 m/s) = 1x10-5 s = 10us. 100B/10us = 10MB/s = 80Mbps. For 512 B pkt. = 409.6Mbps 1:13 (a) RTTmin = 2x385,000,000m/ 3x108 m/s = 2.57s (b) Delay x BW product = 2.57s x 100Mbps = 257Mb = 32MB (c) This is the amount of data the sender can send before it would be possible to receive a response (d) At least one RTT until we begin receiving data, then 25MB/100Mbps = 2.0s to finish sending so 2.0s + 2.57s = 4.57s 1:14 (a) Delay: the message exchange is short (b) Bandwidth: particularly for large files (c) Delay: directories are typically of modest size (d) Delay: file attributes are typically much smaller than their size CS 640

Homework #1 Solutions contd. 1:23 (a) 640 x 480 x 3 x 30 B/s = 27.6MB/s (b) 160 x 120 x 1 x 5 B/s = 96KB/s (c) 650MB/75min = 8.7MB/min = 144KB/s (d) (assume 3 bytes/pixel) 8 x 10 x 72 x 72 x 3 = 1.24MB. At 14.4Kbps = 1.8KBps this would take 691 seconds (for 1 byte/pixel, 230 seconds) 9:15 Existing SMTP headers that help resist forgeries include mainly the RECEIVED header which gives a list of the hosts through which the message has actually passed by IP address. A mechanism to identify the specific user of the machine would also be beneficial. 9:22 When the server initiates a close, it results in connections state remaining on the system. HTTP 1.1 provides content-length in header which enables a client to close a connection in which case server need not maintain state. The notion of content length could be adopted by a Request/Reply protocol CS 640

Why do we care about Security? “Toto… I have a feeling we’re not in Kansas anymore.” Dorothy, The Wizard of Oz “The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.” The Art of War, Sun Tzu There are bad guys out there who can easily take advantage of you. Reference: Cryptography and Network Security, Principles and Practice, William Stallings, Prentice Hall CS 640

Overview Security services in networks Privacy: preventing unauthorized release of information Authentication: verifying identity of the remote participant Integrity: making sure message has not been altered Cryptography functions – building blocks for security Privacy/Authentication Secret key (e.g., Data Encryption Standard (DES)) Public key (e.g., Rivest, Shamir and Adleman (RSA)) Integrity Message digest/hash (e.g., Message Digest version 5 (MD5)) Security Cryptography algorithms Public key (e.g., RSA) Secret (e.g., DES) Message digest (e.g., MD5) services Authentication Privacy integrity CS 640

Issues in Security Threat models Key distribution How are bad guys trying to do bad things to you? Key distribution How do folks get their keys? Implementation and verification How can we be sure systems are secure? Non-goal = details of crypto algorithms We are not going to focus on proving anything about crypto algorithms See Prof. Bach CS 640

Crypto 101 Cryptographic algorithms determine how to generate encoded text (ciphertext) from plaintext using keys (string of bits) Can only be decrypted by key holders Algorithms Published and stable Keys must be kept secret Keys cannot be deduced Large keys make breaking code VERY hard Computational efficiency CS 640

Secret Key (DES) Plaintext Encrypt with secret key Ciphertext Decrypt with Approach: Make algorithm so complicated that none of the original structure of plaintext exists in ciphertext CS 640

Encrypt 64 bit blocks of plaintext with 64-bit key (56-bits + 8-bit parity) 16 rounds Each Round Initial permutation Round 1 Round 2 Round 16 56-bit key Final permutation … + F L i – 1 R K L,R = 32 bit halves of 64 bit block K = 48 bits of 64 bit key F = combiner function + = XOR CS 640

Encryption steps are the same as decryption Repeat for larger messages (cipher block chaining) IV = initialization vector = random number generated by sender Block 1 IV DES Cipher 2 3 4 + CS 640

Public Key (RSA) One of the coolest algorithms ever! Encryption Plaintext Encrypt with public key Ciphertext Decrypt with private key One of the coolest algorithms ever! Encryption ciphertext = c = memod n (<e, n> = public key) Decryption Message = m = cdmod n (<d, n> = private key) M < n Larger messages treated as concatenation of multiple n sized blocks CS 640

RSA contd. Choose two large prime numbers p and q (each 256 bits) Multiply p and q together to get n Choose the encryption key e, such that e and (p - 1) x (q - 1) are relatively prime. Two numbers are relatively prime if they have no common factor greater than one Compute decryption key d such that d = e-1mod ((p - 1) x (q - 1)) Construct public key as (e, n) Construct public key as (d, n) Discard (do not disclose) original primes p and q CS 640

RSA contd. See example in book for applying RSA Many others as well Remember – always encrypt with public key and decrypt with private key Security based on premise that factoring is hard The bigger the key the harder it is to factor The bigger the key is more computationally expensive it is to encrypt/decrypt CS 640

Message Digest Cryptographic checksum One-way function Relevance a fixed length sequence of bits which is used to protect the receiver from accidental changes to the message; a cryptographic checksum protects the receiver from malicious changes to the message. One-way function given a cryptographic checksum for a message, it is virtually impossible to figure out what message produced that checksum; it is not computationally feasible to find two messages that hash to the same cryptographic checksum. Relevance if you are given a checksum for a message and you are able to compute exactly the same checksum for that message, then it is highly likely this message produced the checksum you were given. CS 640

Authentication Protocols Three-way handshake (uses secret key - eg. password) E(m,k) = encrypt message m with key k; C/SHK = client/server handshake key; x, y = random numbers; SK = session key Client authenticates server Server authenticates client CHK = SHK CS 640

Trusted third party (Kerberos) A and B share secret keys (KA, KB) with trusted third party S A,B =ID’s; T = timestamp; L = lifetime, K = session key S A B B A , E (( T , L , K E , B (( T ), , K L , ), K , A A ), K ) B E (( A , E T (( ), T , K L ), , K , A ), K ) A authenticated to B B K ) + 1, B authenticated to A E ( T CS 640

Public key authentication (using eg. RSA) B authenticated to A CS 640

Message Integrity Protocols Digital signature using RSA special case of a message integrity where the code can only have been generated by one participant compute signature with private key and verify with public key Keyed MD5 (uses MD5 and RSA) sender: m + MD5(m + k) + E(k, private) where k = random number receiver recovers random key using the sender’s public key applies MD5 to the concatenation of this random key message MD5 with RSA signature sender: m + E(MD5(m), private) decrypts signature with sender’s public key compares result with MD5 checksum sent with message CS 640

Key Distribution – a first step How can we be sure a key belongs to the entity that purports to own it? Solution = certificates special type of digitally signed document: “I certify that the public key in this document belongs to the entity named in this document, signed X.” X is the name of the entity doing the certification Only useful to the entity which knows the public key for X Certificates themselves do not solve key distribution problem but they are a first step Certified Authority (CA) administrative entity that issues certificates useful only to someone that already holds the CA’s public key. CS 640

Key Distribution (cont) Chain of Trust if X certifies that a certain public key belongs to Y, and Y certifies that another public key belongs to Z, then there exists a chain of certificates from X to Z someone that wants to verify Z’s public key has to know X’s public key and follow the chain X.509 is a standard for certificates Certificate Revocation List Means for removing certificates Periodically updated by CA CS 640

Firewalls Filter-Based Solution Apply a set of rules to packets Rest of the Internet Local site Firewall Filter-Based Solution Apply a set of rules to packets Look at packet headers example of rules default: forward or not forward? how dynamic? action ourhost port theirhost comment block allow OUR_GW 25 * BLASTER We don’t trust this system Connects to our SMTP srvr CS 640

Proxy-Based Firewalls Problem: complex policy Example: web server Solution: proxy Design: transparent vs. classical Limitations: attacks from within Company net Firewall W eb server Random external user Remote company Internet External client External HTTP/TCP connection Proxy Firewall Internal HTTP/TCP connection Local server CS 640