Lecture #22: Network Security. A classic lesson: the chain is only as strong as its weakest link!

Presentation transcript:

1 Lecture #22: Network Security

2 A classic lesson: The chain is only as strong as its weakest link!

3 In the past... • The networks were primarily used by university researchers for sending e-mail and by corporate employees for sharing printers. • The sky was clear and the people were happy and carefree. But now... • As billions of people use networks for banking, shopping, and filing their tax returns, network security is looming on the horizon as a potentially massive problem.

4 Sources of security problems

5 Security areas • Network security problems can be divided roughly into four closely intertwined areas: secrecy, authentication, nonrepudiation and integrity control. • Secrecy, also called confidentiality, has to do with keeping information out of the hands of unauthorized users. • Authentication deals with determining whom you are talking to before revealing sensitive information or entering into a business deal. • Nonrepudiation deals with signatures: how do you prove that your customer really placed EXACTLY THIS electronic order? • Integrity control: is this message EXACTLY THE SAME as it was when originally sent?

6 Security on the network layers • Physical layer security: hardware solutions, for example EM shielding. • All other layers use security methods based mainly on cryptography (the name of this science comes from the Greek words for "secret writing").

7 Cryptography • Contributors to modern cryptography: the military, the diplomatic corps, diarists, lovers.

8 Cryptography (2) • The symmetric-key encryption model. Kerckhoffs's principle (1883): all algorithms must be public; only the keys are secret!

9 Cryptography (3) • A simple substitution cipher. • Each symbol in the plaintext is mapped onto some other symbol. An example for 26 letters: plaintext: a b c d e f g h i j k l m n o p q r s t u v w x y z; ciphertext: Q W E R T Y U I O P A S D F G H J K L Z X C V B N M
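The slide's 26-letter key, implemented as an added example (not code from the lecture): encryption, decryption, and a letter count that shows why a monoalphabetic substitution leaks the plaintext's frequency profile. The message text is a constructed sample.

```python
# Added example: the slide's monoalphabetic substitution key, with
# encryption, decryption and a letter-frequency count.  The same plaintext
# letter always becomes the same ciphertext letter, so the statistics of
# the language survive encryption; that is what frequency analysis uses.
from collections import Counter
import string

PLAIN = string.ascii_lowercase
# Key exactly as printed on the slide: a->Q, b->W, c->E, ...
CIPHER = "QWERTYUIOPASDFGHJKLZXCVBNM"

ENC_TABLE = str.maketrans(PLAIN, CIPHER)
DEC_TABLE = str.maketrans(CIPHER, PLAIN)


def encrypt(plaintext: str) -> str:
    """Map each lowercase letter through the key; other characters pass unchanged."""
    return plaintext.translate(ENC_TABLE)


def decrypt(ciphertext: str) -> str:
    """Invert the mapping using the same 26-letter key."""
    return ciphertext.translate(DEC_TABLE)


def letter_frequencies(text: str) -> list[tuple[str, int]]:
    """Letters of `text` ordered from most to least common."""
    return Counter(ch for ch in text if ch.isalpha()).most_common()


if __name__ == "__main__":
    msg = "meet me at noon"        # constructed sample message
    ct = encrypt(msg)
    print(ct)                       # DTTZ DT QZ FGGF
    print(decrypt(ct))              # meet me at noon
    # 'e' is the commonest plaintext letter; 'T' is the commonest in ct
    print(letter_frequencies(ct)[:3])
```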

10 Cryptography (4) • A transposition cipher

11 Cryptography (5) • An unbreakable symmetric-key method: the one-time pad. It uses a very long key which is bitwise XORed with the message. • Disadvantages: the key is impossible to remember and difficult to store. • Example: the use of a one-time pad for encryption, and the possibility of obtaining any plausible plaintext from the ciphertext by using some other pad.
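An added example (not the lecture's code) of the one-time pad as bitwise XOR, including the property the slide points at: for a fixed ciphertext there is a pad that turns it into any other plaintext of the same length, so the ciphertext alone reveals nothing about which message was sent. The messages and the fixed pad used below are constructed samples.

```python
# Added example: one-time pad encryption as XOR over bytes, and the
# "any plaintext is possible" property of the slide.
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; a pad shorter than the message is an error."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(length: int) -> bytes:
    """A true one-time pad: fresh random bytes, as long as the message, used once."""
    return secrets.token_bytes(length)


def encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor_bytes(plaintext, pad)


def decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    return xor_bytes(ciphertext, pad)   # XOR is its own inverse


def pad_for_alternative(ciphertext: bytes, wanted: bytes) -> bytes:
    """Return the pad under which `ciphertext` decrypts to `wanted`.
    Since c = m XOR k, the pad k' = c XOR m' satisfies c XOR k' = m'.
    This is why a captured ciphertext cannot be used to prove which
    message was sent: every same-length plaintext is equally consistent."""
    return xor_bytes(ciphertext, wanted)


if __name__ == "__main__":
    message = b"transfer 100"      # constructed sample, 12 bytes
    pad = generate_pad(len(message))
    ct = encrypt(message, pad)
    assert decrypt(ct, pad) == message
    other = b"transfer 900"        # same length, different meaning
    alt_pad = pad_for_alternative(ct, other)
    assert decrypt(ct, alt_pad) == other
    print("ciphertext is consistent with both messages")
```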

12 Symmetric-Key Algorithms • DES – The Data Encryption Standard • AES – The Advanced Encryption Standard • Cipher Modes • Other Ciphers • Cryptanalysis

13 Data Encryption Standard • (a) General outline. (b) Detail of one iteration. The circled + means exclusive OR (XOR).

14 Triple DES • (a) Triple encryption using DES. (b) Decryption.

15 AES – The Advanced Encryption Standard • Rules for AES proposals: 1. The algorithm must be a symmetric block cipher. 2. The full design must be public. 3. Key lengths of 128, 192, and 256 bits must be supported. 4. Both software and hardware implementations are required. 5. The algorithm must be public or licensed on nondiscriminatory terms.

16 Cryptanalysis • Some common symmetric-key cryptographic algorithms:

17 Public-Key Algorithms - RSA 1. Choose two large primes, p and q (typically 1024 bits). 2. Compute n = p x q and z = (p - 1) x (q - 1). 3. Choose a number relatively prime to z and call it d. 4. Find e such that e x d = 1 mod z. • An example of the RSA (Rivest, Shamir, Adleman) algorithm: p = 3, q = 11, n = 33, z = 20, d = 7

18 Public-Key Digital Signatures • The goal: to verify the message's integrity. • Example:
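Slides 17 and 18 together, as an added example that is not the lecture's code: RSA key generation following the slide's four steps with its toy values p = 3, q = 11, d = 7, encryption and decryption, and the same key pair used as a digital signature (sign with the private exponent, verify with the public one). The function names and the `toy_digest` stand-in for a real hash are assumptions made for this example.

```python
# Added example: RSA with the slide's toy parameters, plus sign/verify.
# toy_digest is a constructed stand-in for a real hash (MD5/SHA-1 on the
# next slide); it only reduces the message to a number that fits in one
# RSA block.  n = 33 is far too small to be secure; it is for illustration.
from math import gcd


def rsa_keypair(p: int, q: int, d: int) -> tuple[int, int, int]:
    """Slide steps 2-4: n = p*q, z = (p-1)*(q-1), d coprime to z,
    e = d^-1 mod z.  Returns (n, e, d); (n, e) is public, d is private."""
    n = p * q
    z = (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    e = pow(d, -1, z)            # modular inverse (Python 3.8+)
    return n, e, d


def encrypt(m: int, n: int, e: int) -> int:
    if not 0 <= m < n:
        raise ValueError("message block must be smaller than n")
    return pow(m, e, n)          # c = m^e mod n


def decrypt(c: int, n: int, d: int) -> int:
    return pow(c, d, n)          # m = c^d mod n


def toy_digest(data: bytes, n: int) -> int:
    """Constructed stand-in for a hash: a number below n derived from the data."""
    return sum(data) % n


def sign(data: bytes, n: int, d: int) -> int:
    """Signature = digest raised to the PRIVATE exponent."""
    return pow(toy_digest(data, n), d, n)


def verify(data: bytes, sig: int, n: int, e: int) -> bool:
    """Anyone holding the public exponent recovers the digest and compares it."""
    return pow(sig, e, n) == toy_digest(data, n)


if __name__ == "__main__":
    n, e, d = rsa_keypair(3, 11, 7)   # n = 33, z = 20, e = 3 (3*7 = 21 = 1 mod 20)
    c = encrypt(19, n, e)             # 19^3 mod 33 = 28
    assert decrypt(c, n, d) == 19
    s = sign(b"pay 100", n, d)        # constructed sample message
    assert verify(b"pay 100", s, n, e)
    assert not verify(b"pay 900", s, n, e)   # altered message fails
```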

19 Message Digests • Another way to assure the message's integrity. • Examples of message digest functions: MD5 (Rivest, 1992) and SHA-1 (NIST, 1993).

20 Problems with Public-Key Encryption • A way for Trudy to subvert public-key encryption. The intruder

21 Certificates • A possible certificate and its signed hash. • CA = Certification Authority. Example: Bulgarian Academic Certification Authority (

22 X.509 • The basic fields of an X.509 certificate:

23 Public-Key Infrastructures (PKI) • (a) A hierarchical PKI. (b) A chain of certificates.

24 IPsec • The IPsec authentication header in transport mode for IPv4.

25 IPsec (2) • (a) ESP in transport mode. (b) ESP in tunnel mode. • ESP = Encapsulating Security Payload

26 Firewalls • A firewall consisting of two packet filters and an application gateway.

27 Virtual Private Networks • (a) A leased-line private network. (b) A virtual private network.

28 Security • Packet encryption using WEP (Wired Equivalent Privacy).

29 Authentication Protocols • Authentication Based on a Shared Secret Key • Establishing a Shared Key: Diffie-Hellman • Authentication Using a Key Distribution Center • Authentication Using Kerberos • Authentication Using Public-Key Cryptography

30 Establishing a Shared Key: The Diffie-Hellman Key Exchange • The bucket brigade or man-in-the-middle attack.

31 Authentication Using a Key Distribution Center • A first attempt at an authentication protocol using a KDC.

32 Authentication Using Kerberos • The operation of Kerberos V4.

33 Authentication Using Public-Key Cryptography • Mutual authentication using public-key cryptography.

34 Unsecured network protocols: Ethernet DLL protocols; IPv4; Telnet, FTP, DNS, SMTP, POP3/IMAP, HTTP, NNTP, SNMP v1/v2 etc. Secured network protocols: IPsec, IPv6; HTTPS, DNSsec, TLS/SSL, SSH, S/MIME.

35 E-mail Security • PGP – Pretty Good Privacy • PEM – Privacy Enhanced Mail • S/MIME

36 E-mail security: PGP – Pretty Good Privacy • PGP in operation for sending a message.

37 PGP – Pretty Good Privacy (2) • A PGP message.

38 Web Security • Threats • Secure Naming • SSL – The Secure Sockets Layer • Mobile Code Security

39 Secure Naming (a) Normal situation. (b) An attack based on breaking into DNS and modifying Bob's record.

40 Secure Naming (2) • How Trudy spoofs Alice's ISP.

41 Secure DNS (DNSsec) Proof of where the data originated. Public key distribution. Transaction and request authentication. Example of a DNSsec RRSet for bob.com: the KEY record is Bob's public key. The SIG record is the top-level com server's signed hash of the A and KEY records, used to verify their authenticity.

42 Self-Certifying Names • A self-certifying URL containing a hash of the server's name and public key.

43 SSL – The Secure Sockets Layer • Layers (and protocols) for a home user browsing with SSL.

44 SSL (2) • A simplified version of the SSL connection establishment subprotocol.

45 SSL (3) • Data transmission using SSL.

46 Java Applet Security • Applets inserted into a Java Virtual Machine interpreter inside the browser.

47 Social Issues • Privacy • Freedom of Speech • Copyright

48 Anonymous Remailers • Users who wish anonymity chain requests through multiple anonymous remailers.

49 Freedom of Speech • Possibly banned material: 1. Material inappropriate for children or teenagers. 2. Hate aimed at various ethnic, religious, sexual, or other groups. 3. Information about democracy and democratic values. 4. Accounts of historical events contradicting the government's version. 5. Manuals for picking locks, building weapons, encrypting messages, etc.

50 Steganography - hiding messages (a) Three zebras and a tree. (b) Three zebras, a tree, and the complete text of five plays by William Shakespeare.

51 Copyright • The granting to the creators of IP (Intellectual Property), including writers, artists, composers, musicians, photographers, cinematographers, choreographers, and others, of the exclusive right to exploit their IP for some period of time, typically the life of the author plus 50 years (or 75 years in the case of corporate ownership). • After the copyright of a work expires, it passes into the public domain and anyone can use or sell it as they wish.

52 Copyright (2) • Examples: Napster, torrents, eMule and other P2P-like networks violate copyright! (Because they hold some kind of centralized database which helps people find the desired IP material for free downloading.)

53 End-user security rules • Don't write your password on paper! • Don't tell your password to anybody (not even your sysadmin)! • Don't use short or easy-to-guess passwords! Examples of good passwords: The g1rL frΘm !panemA; Macro$oft L!nuX ;-) • Change your password frequently! • Don't lose your private key! • Never leave your computer unattended while logged in! • Beware of viruses, trojan horses, worms and similar fauna! • Apply the recent security updates and patches to your OS and software! • Always remember that there is no 100% security!