1 Chapter 10 Network Security

2 Security Requirements zConfidentiality zIntegrity zAvailability

3 Security Threats

4 Encryption – Ingredients (Conventional)

5 Encryption – Basics zRequirements yStrong encryption algorithm ySender and receiver must obtain secret key securely yOnce key is known, all communication using this key is readable zAttacks yCrypt analysis yBrute force

6 Encryption – Algorithms zBlock cipher yProcess plain text in fixed block sizes producing block of cipher text of equal size zSchemes/algorithms  DES – Data Encryption Standard  DEA – Data Encryption Algoritm  TDEA – Triple Data Encryption Algoritm

7 Encryption - DES Algorithm

8 Encryption – Strength of DES zDeclared insecure in 1998 zElectronic Frontier Foundation zDES Cracker machine zDES now worthless zAlternatives include TDEA

9 Encryption – Location of Encryption Devices

10 Encryption – Key Distribution zKey selected by A and delivered to B zThird party selects key and delivers to A and B zUse old key to encrypt and transmit new key from A to B zUse old key to transmit new key from third party to A and B

11 Encryption – Automatic Key Distribution

12 Authentication – Basics zProtection against active attacks zAuthentication allows receiver to verify that message is authentic yMessage has not been altered yMessage is from authentic source yMessage timeliness zAuthentication may be achieved using encryption

13 Authentication – Without Encryption zAdvantages of authentication without encryption yEncryption is slow yEncryption hardware expensive yEncryption hardware optimized to large data yAlgorithms covered by patents yAlgorithms subject to export controls (from USA) zAuthentication tag generated and appended to each message

14 Authentication – Using Message Authentication Code

15 Authen- tication - Using One Way Hash

16 Authentication – Secure Hash Functions zHash function must have following properties yCan be applied to any size data block yProduce fixed length output yEasy to compute yNot feasible to reverse yNot feasible to find two message that give the same hash zExample: The SHA-1 Secure Hash Function

17 Public Key Encryption – Basics zBased on mathematical algorithms zAsymmetric yUse two separate keys yOne key made public yOther key kept private zEither key can be used for encryption, the other for decryption zInfeasible to determine decryption key given encryption key and algorithm

18 Public Key Encryption - Ingredients

19 Public Key Encryption – Digital Signature zSender encrypts message with their private key zReceiver can decrypt using senders public key zThis authenticates sender, who is only person who has the matching key

20 Public Key Encryption – RSA Algorithm

21 Public Key Encryption – RSA Example

22 IP Security – Basics zIPSec zExample applications ySecure branch office connectivity over Internet ySecure remote access over Internet yExtranet and intranet connectivity yEnhanced electronic commerce security

23 IP Security – Scope and Modes zIPSec scope yAuthentication header (AH) yEncapsulated security payload (ESP) yKey exchange zTransport mode yProtection for upper layer protocols yExtends to payload of IP packet yEnd to end between hosts zTunnel mode yProtection for IP packet  Entire packet treated as payload for “ outer ” IP packet  No routers examine “ inner ” packet yMay be implemented at firewall

24 Summary zIntro yRequirements (CIA) yAttacks and defences zEncryption (incl. DES) zAuthentication (incl. MAC and one way hash) zPublic-key encryption (incl. digital signatures) zIP security