CSE401n:Computer Networks

Slides:



Advertisements
Similar presentations
Network Security7-1 Chapter 7 Network Security Computer Networking: A Top Down Approach Featuring the Internet, 2 nd edition. Jim Kurose, Keith Ross Addison-Wesley,
Advertisements

Cryptography. 8: Network Security8-2 The language of cryptography symmetric key crypto: sender, receiver keys identical public-key crypto: encryption.
1 CS 854 – Hot Topics in Computer and Communications Security Fall 2006 Introduction to Cryptography and Security.
Network Security Hwajung Lee. What is Computer Networks? A collection of autonomous computers interconnected by a single technology –Interconnected via:
1 Counter-measures Threat Monitoring Cryptography as a security tool Encryption Digital Signature Key distribution.
7: Network Security1 Chapter 7: Network security Foundations: r what is security? r cryptography r authentication r message integrity Security in practice:
1 Counter-measures Threat Monitoring Cryptography as a security tool Encryption Authentication Digital Signature Key distribution.
1 Network Security What is network security? Principles of cryptography Authentication Access control: firewalls Attacks and counter measures.
8: Network Security Security. 8: Network Security8-2 Chapter 8 Network Security A note on the use of these ppt slides: We’re making these slides.
Chapter 8 Network Security Computer Networking: A Top Down Approach, 5 th edition. Jim Kurose, Keith Ross Addison-Wesley, April 2009.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.
1 ITC242 – Introduction to Data Communications Week 11 Topic 17 Chapter 18 Network Security.
Network Security understand principles of network security:
Public Key Cryptography
8: Network Security8-1 Chapter 8 Network Security A note on the use of these ppt slides: We’re making these slides freely available to all (faculty, students,
Review and Announcement r Ethernet m Ethernet CSMA/CD algorithm r Hubs, bridges, and switches m Hub: physical layer Can’t interconnect 10BaseT & 100BaseT.
8: Network Security8-1 Symmetric key cryptography symmetric key crypto: Bob and Alice share know same (symmetric) key: K r e.g., key is knowing substitution.
Lecture 24 Cryptography CPE 401 / 601 Computer Network Systems slides are modified from Jim Kurose and Keith Ross and Dave Hollinger.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.
Lecture 23 Cryptography CPE 401 / 601 Computer Network Systems Slides are modified from Jim Kurose & Keith Ross.
Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.
7: Network Security1 Chapter 7: Network security Foundations: r what is security? r cryptography r authentication r message integrity r key distribution.
Internet and Intranet Protocols and Applications Lecture 10 Network (Internet) Security April 3, 2002 Joseph Conron Computer Science Department New York.
1-1 1DT066 Distributed Information System Chapter 8 Network Security.
8-1Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity, authentication.
 This Class  Chapter 8. 2 What is network security?  Confidentiality  only sender, intended receiver should “understand” message contents.
22-1 Last time □ SMTP ( ) □ DNS This time □ P2P □ Security.
Network Security7-1 Chapter 8: Network Security Chapter goals: r understand principles of network security: m cryptography and its many uses beyond “confidentiality”
Day 37 8: Network Security8-1. 8: Network Security8-2 Symmetric key cryptography symmetric key crypto: Bob and Alice share know same (symmetric) key:
Cryptography Wei Wu. Internet Threat Model Client Network Not trusted!!
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 part 1: Principles of cryptography.
Network Security7-1 Chapter 7 Network Security Computer Networking: A Top Down Approach Featuring the Internet, 2 nd edition. Jim Kurose, Keith Ross Addison-Wesley,
23-1 Last time □ P2P □ Security ♦ Intro ♦ Principles of cryptography.
Prof. Younghee Lee 1 1 Computer Networks u Lecture 13: Network Security Prof. Younghee Lee * Some part of this teaching materials are prepared referencing.
ICT 6621 : Advanced NetworkingKhaled Mahbub, IICT, BUET, 2008 Lecture 11 Network Security (1)
1-1 1DT066 Distributed Information System Chapter 8 Network Security.
1 Security and Cryptography: basic aspects Ortal Arazi College of Engineering Dept. of Electrical & Computer Engineering The University of Tennessee.
Upper OSI Layers Natawut Nupairoj, Ph.D. Department of Computer Engineering Chulalongkorn University.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 part 2: Message integrity.
Introduction1-1 Data Communications and Computer Networks Chapter 6 CS 3830 Lecture 28 Omar Meqdadi Department of Computer Science and Software Engineering.
1 Network Security Basics. 2 Network Security Foundations: r what is security? r cryptography r authentication r message integrity r key distribution.
Network Security7-1 Today r Reminders m Ch6 Homework due Wed Nov 12 m 2 nd exams have been corrected; contact me to see them r Start Chapter 7 (Security)
+ Security. + What is network security? confidentiality: only sender, intended receiver should “understand” message contents sender encrypts message receiver.
8: Network Security8-1 Chapter 8 Network Security A note on the use of these ppt slides: We’re making these slides freely available to all (faculty, students,
Network Security7-1 Chapter 8: Network Security Chapter goals: r Understand principles of network security: m cryptography and its many uses beyond “confidentiality”
Network Security7-1 Chapter 7: Network Security Chapter goals: r understand principles of network security: m cryptography and its many uses beyond “confidentiality”
 Last Class  Chapter 7 on Data Presentation Formatting and Compression  This Class  Chapter 8.1. and 8.2.
Network Security. 2 Why Network Security?  Malicious people share your network  Problem made more severe the more the Internet became commercialized.
Cryptography services Lecturer: Dr. Peter Soreanu Students: Raed Awad Ahmad Abdalhalim
8: Network Security8-1 Chapter 8 Network Security A note on the use of these ppt slides: We’re making these slides freely available to all (faculty, students,
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.
Chapter 8: Network Security
What is network security?
Chapter 7 Network Security
Basic Network Encryption
Chapter 8: Network Security
Network Security Basics
Chapter 7: Network security
1DT057 Distributed Information System Chapter 8 Network Security
Review and Announcement
Protocol ap1.0: Alice says “I am Alice”
Basic Network Encryption
Digital Signatures Cryptographic technique analogous to hand-written signatures. sender (Bob) digitally signs document, establishing he is document owner/creator.
Chapter 8: Network Security
Chapter 8 roadmap 8.1 What is network security?
Chapter 8: Network Security
Presentation transcript:

CSE401n:Computer Networks Lecture 20 Network Security-1 Network Security-1/1

Friends and enemies: Alice, Bob, Trudy Figure 7.1 goes here well-known in network security world Bob, Alice (lovers!) want to communicate “securely” Trudy, the “intruder” may intercept, delete, add messages Network Security-1/2

What is network security? Confidentiality: only sender, intended receiver should “understand” msg contents sender encrypts msg receiver decrypts msg Authentication: sender, receiver want to confirm identity of each other. Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection Access and Availability: services must be accessible and available to users Network Security-1/3

There are bad guys (and girls) out there! Q: What can a “bad guy” do????? A: a lot!!!!!! Network Security-1/4

Internet security threats Mapping: before attacking: “case the joint” – find out what services are implemented on network Use ping to determine what hosts have addresses on network Port-scanning: try to establish TCP connection to each port in sequence (see what happens) nmap (http://www.insecure.org/nmap/) mapper: “network exploration and security auditing” Countermeasures? Network Security-1/5

Internet security threats Packet sniffing: broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (e.g. passwords) e.g.: C sniffs B’s packets A C src:B dest:A payload B Countermeasures? Network Security-1/6

Internet security threats IP Spoofing: can generate “raw” IP packets directly from application, putting any value into IP source address field receiver can’t tell if source is spoofed e.g.: C pretends to be B A C src:B dest:A payload B Countermeasures? Network Security-1/7

Internet security threats Denial of service (DOS): flood of maliciously generated packets “swamp” receiver Distributed DOS (DDOS): multiple coordinated sources swamp receiver e.g., C and remote host SYN-attack A A C SYN SYN SYN SYN SYN B SYN Countermeasures? SYN Network Security-1/8

The language of cryptography K B plaintext K A plaintext ciphertext Figure 7.3 goes here symmetric key crypto: sender, receiver keys identical public-key crypto: encrypt key public, decrypt key secret Network Security-1/9

Symmetric key cryptography substitution cipher: substituting one thing for another monoalphabetic cipher: substitute one letter for another plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewq E.g.: Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc Q: How hard to break this simple cipher?: brute force (how hard?) other? Network Security-1/10

Symmetric key crypto: DES DES: Data Encryption Standard US encryption standard [NIST 1993] 56-bit symmetric key, 64 bit plaintext input How secure is DES? DES Challenge: 56-bit-key-encrypted phrase (“Strong cryptography makes the world a safer place”) decrypted (brute force) in 4 months no known “backdoor” decryption approach making DES more secure use three keys sequentially (3-DES) on each datum use cipher-block chaining Network Security-1/11

Symmetric key crypto: DES DES operation initial permutation 16 identical “rounds” of function application, each using different 48 bits of key final permutation Network Security-1/12

AES: Advanced Encryption Standard New symmetric-key NIST standard (replacing DES) Processes data in 128 bit blocks 128, 192, or 256 bit keys Brute force decryption (try each key) taking 1 sec on DES, takes 149 trillion years for AES Network Security-1/13

Public Key Cryptography symmetric key crypto requires sender, receiver know shared secret key Q: how to agree on key in first place (particularly if never “met”)? public key cryptography radically different approach [Diffie-Hellman76, RSA78] sender, receiver do not share secret key encryption key public (known to all) decryption key private (known only to receiver) Network Security-1/14

Public key cryptography Figure 7.7 goes here Network Security-1/15

Public key encryption algorithms Two inter-related requirements: . . 1 need d ( ) and e ( ) such that B B d (e (m)) = m B 2 need public and private keys for d ( ) and e ( ) . B RSA: Rivest, Shamir, Adelson algorithm Network Security-1/16

RSA: Choosing keys 1. Choose two large prime numbers p, q. (e.g., 1024 bits each) 2. Compute n = pq, z = (p-1)(q-1) 3. Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”). 4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ). 5. Public key is (n,e). Private key is (n,d). Network Security-1/17

RSA: Encryption, decryption 0. Given (n,e) and (n,d) as computed above 1. To encrypt bit pattern, m, compute c = m mod n e (i.e., remainder when m is divided by n) 2. To decrypt received bit pattern, c, compute m = c mod n d d (i.e., remainder when c is divided by n) m = (m mod n) e mod n d Magic happens! Network Security-1/18

Bob chooses p=5, q=7. Then n=35, z=24. RSA example: Bob chooses p=5, q=7. Then n=35, z=24. e=5 (so e, z relatively prime). d=29 (so ed-1 exactly divisible by z. e c = m mod n e letter m m encrypt: l 12 1524832 17 c d m = c mod n d c letter decrypt: 17 12 481968572106750915091411825223072000 l Network Security-1/19

RSA: Why: m = (m mod n) e mod n d Number theory result: If p,q prime, n = pq, then x mod n = x mod n y y mod (p-1)(q-1) (m mod n) e mod n = m mod n d ed = m mod n ed mod (p-1)(q-1) (using number theory result above) = m mod n 1 (since we chose ed to be divisible by (p-1)(q-1) with remainder 1 ) = m Network Security-1/20

Protocol ap1.0: Alice says “I am Alice” Authentication Goal: Bob wants Alice to “prove” her identity to him Protocol ap1.0: Alice says “I am Alice” Failure scenario?? Network Security-1/21

Authentication: another try Protocol ap2.0: Alice says “I am Alice” and sends her IP address along to “prove” it. Failure scenario?? Network Security-1/22

Authentication: another try Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it. Failure scenario? Network Security-1/23

Authentication: yet another try Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it. I am Alice encrypt(password) Failure scenario? Network Security-1/24

Authentication: yet another try Goal: avoid playback attack Nonce: number (R) used only once in a lifetime ap4.0: to prove Alice “live”, Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key Figure 7.11 goes here Failures, drawbacks? Network Security-1/25

Authentication: ap5.0 ap4.0 requires shared symmetric key problem: how do Bob, Alice agree on key can we authenticate using public key techniques? ap5.0: use nonce, public key cryptography Figure 7.12 goes here Network Security-1/26

ap5.0: security hole Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice) Figure 7.14 goes here Network Security-1/27

Digital Signatures Cryptographic technique analogous to hand-written signatures. Sender (Bob) digitally signs document, establishing he is document owner/creator. Verifiable, nonforgeable: recipient (Alice) can verify that Bob, and no one else, signed document. Simple digital signature for message m: Bob encrypts m with his public key dB, creating signed message, dB(m). Bob sends m and dB(m) to Alice. Network Security-1/28

Digital Signatures (more) Suppose Alice receives msg m, and digital signature dB(m) Alice verifies m signed by Bob by applying Bob’s public key eB to dB(m) then checks eB(dB(m) ) = m. If eB(dB(m) ) = m, whoever signed m must have used Bob’s private key. Alice thus verifies that: Bob signed m. No one else signed m. Bob signed m and not m’. Non-repudiation: Alice can take m, and signature dB(m) to court and prove that Bob signed m. Network Security-1/29

Message Digests Computationally expensive to public-key-encrypt long messages Goal: fixed-length,easy to compute digital signature, “fingerprint” apply hash function H to m, get fixed size message digest, H(m). Hash function properties: Many-to-1 Produces fixed-size msg digest (fingerprint) Given message digest x, computationally infeasible to find m such that x = H(m) computationally infeasible to find any two messages m and m’ such that H(m) = H(m’). Network Security-1/30

Digital signature = Signed message digest Bob sends digitally signed message: Alice verifies signature and integrity of digitally signed message: Network Security-1/31

Hash Function Algorithms MD5 hash function widely used. Computes 128-bit message digest in 4-step process. arbitrary 128-bit string x, appears difficult to construct msg m whose MD5 hash is equal to x. SHA-1 is also used. US standard 160-bit message digest Internet checksum would make a poor message digest. Too easy to find two messages with same checksum. Network Security-1/32

Good Luck Reference: KR 7.1-7.4 7.7 Network Security-1/33