8-1Network Security Chapter 8 Network Security A note on the use of these ppt slides: We’re making these slides freely available to all (faculty, students, readers). They’re in PowerPoint form so you can add, modify, and delete slides (including this one) and slide content to suit your needs. They obviously represent a lot of work on our part. In return for use, we only ask the following:  If you use these slides (e.g., in a class) in substantially unaltered form, that you mention their source (after all, we’d like people to use our book!)  If you post any slides in substantially unaltered form on a www site, that you note that they are adapted from (or perhaps identical to) our slides, and note our copyright of this material. Thanks and enjoy! JFK/KWR All material copyright J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking: A Top Down Approach, 5 th edition. Jim Kurose, Keith Ross Addison-Wesley, April 2009.

8-2Network Security Chapter 8: Network Security Chapter goals:  understand principles of network security:  cryptography and its many uses beyond “confidentiality”  authentication  message integrity  security in practice:  firewalls and intrusion detection systems  security in application, transport, network, link layers

8-3Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7 Securing wireless LANs 8.8 Operational security: firewalls and IDS

8-4Network Security What is network security? Confidentiality: only sender, intended receiver should “understand” message contents  sender encrypts message  receiver decrypts message Authentication: sender, receiver want to confirm identity of each other Message integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection Access and availability: services must be accessible and available to users

8-5Network Security Friends and enemies: Alice, Bob, Trudy  well-known in network security world  Bob, Alice (lovers!) want to communicate “securely”  Trudy (intruder) may intercept, delete, add messages secure sender secure receiver channel data, control messages data Alice Bob Trudy

8-6Network Security Who might Bob, Alice be?  … well, real-life Bobs and Alices!  Web browser/server for electronic transactions (e.g., on-line purchases)  on-line banking client/server  DNS servers  routers exchanging routing table updates  other examples?

8-7Network Security There are bad guys (and girls) out there! Q: What can a “bad guy” do? A: A lot! See section 1.6  eavesdrop: intercept messages  actively insert messages into connection  impersonation: can fake (spoof) source address in packet (or any field in packet)  hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place  denial of service: prevent service from being used by others (e.g., by overloading resources)

8-8Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7 Securing wireless LANs 8.8 Operational security: firewalls and IDS

8-9Network Security The language of cryptography m plaintext message K A (m) ciphertext, encrypted with key K A m = K B (K A (m)) plaintext ciphertext K A encryption algorithm decryption algorithm Alice’s encryption key Bob’s decryption key K B

8-10Network Security Simple encryption scheme substitution cipher: substituting one thing for another  monoalphabetic cipher: substitute one letter for another plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewq Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc E.g.: Key: the mapping from the set of 26 letters to the set of 26 letters

8-11Network Security Polyalphabetic encryption  n monoalphabetic ciphers, M 1,M 2,…,M n  Cycling pattern:  e.g., n=4, M 1,M 3,M 4,M 3,M 2 ; M 1,M 3,M 4,M 3,M 2 ;  For each new plaintext symbol, use subsequent monoalphabetic pattern in cyclic pattern  dog: d from M 1, o from M 3, g from M 4  Key: the n ciphers and the cyclic pattern

8-12Network Security Breaking an encryption scheme  Cipher-text only attack: Trudy has ciphertext that she can analyze  Two approaches:  Search through all keys: must be able to differentiate resulting plaintext from gibberish  Statistical analysis  Known-plaintext attack: Trudy has some plaintext corresponding to some ciphertext  e.g., in monoalphabetic cipher, Trudy determines pairings for a,l,i,c,e,b,o,  Chosen-plaintext attack: Trudy can get the ciphertext for some chosen plaintext

8-13Network Security Types of Cryptography  Crypto often uses keys:  Algorithm is known to everyone  Only “keys” are secret  Public key cryptography  Involves the use of two keys  Symmetric key cryptography  Involves the use one key  Hash functions  Involves the use of no keys  Nothing secret: How can this be useful?

8-14Network Security Symmetric key cryptography symmetric key crypto: Bob and Alice share same (symmetric) key: K  e.g., key is knowing substitution pattern in mono alphabetic substitution cipher Q: how do Bob and Alice agree on key value? plaintext ciphertext K S encryption algorithm decryption algorithm S K S plaintext message, m K (m) S m = K S (K S (m))

8-15Network Security Two types of symmetric ciphers  Stream ciphers  encrypt one bit at time  Block ciphers  Break plaintext message in equal-size blocks  Encrypt each block as a unit

8-16Network Security Stream Ciphers  Combine each bit of keystream with bit of plaintext to get bit of ciphertext  m(i) = ith bit of message  ks(i) = ith bit of keystream  c(i) = ith bit of ciphertext  c(i) = ks(i)  m(i) (  = exclusive or)  m(i) = ks(i)  c(i) keystream generator key keystream pseudo random

8-17Network Security RC4 Stream Cipher  RC4 is a popular stream cipher  Extensively analyzed and considered good  Key can be from 1 to 256 bytes  Used in WEP for  Can be used in SSL

8-18Network Security Block ciphers  Message to be encrypted is processed in blocks of k bits (e.g., 64-bit blocks).  1-to-1 mapping is used to map k-bit block of plaintext to k-bit block of ciphertext Example with k=3: input output input output What is the ciphertext for ?

8-19Network Security Prototype function 64-bit input S1S1 8bits S2S2 S3S3 S4S4 S7S7 S6S6 S5S5 S8S8 64-bit intermediate 64-bit output Loop for n rounds 8-bit to 8-bit mapping From Kaufman et al

8-20Network Security Public Key Cryptography symmetric key crypto  requires sender, receiver know shared secret key  Q: how to agree on key in first place (particularly if never “met”)? public key cryptography  radically different approach [Diffie- Hellman76, RSA78]  sender, receiver do not share secret key  public encryption key known to all  private decryption key known only to receiver

8-21Network Security Public key cryptography plaintext message, m ciphertext encryption algorithm decryption algorithm Bob’s public key plaintext message K (m) B + K B + Bob’s private key K B - m = K ( K (m) ) B + B -

8-22Network Security Public key encryption algorithms need K ( ) and K ( ) such that B B.. given public key K, it should be impossible to compute private key K B B Requirements: 1 2 RSA: Rivest, Shamir, Adelson algorithm + - K (K (m)) = m B B

8-23Network Security Prerequisite: modular arithmetic  x mod n = remainder of x when divide by n  Facts: [(a mod n) + (b mod n)] mod n = (a+b) mod n [(a mod n) - (b mod n)] mod n = (a-b) mod n [(a mod n) * (b mod n)] mod n = (a*b) mod n  Thus (a mod n) d mod n = a d mod n  Example: x=14, n=10, d=2: (x mod n) d mod n = 4 2 mod 10 = 6 x d = 14 2 = 196 x d mod 10 = 6

8-24Network Security RSA: getting ready  A message is a bit pattern.  A bit pattern can be uniquely represented by an integer number.  Thus encrypting a message is equivalent to encrypting a number. Example  m= This message is uniquely represented by the decimal number 145.  To encrypt m, we encrypt the corresponding number, which gives a new number (the ciphertext).

8-25Network Security RSA: Creating public/private key pair 1. Choose two large prime numbers p, q. (e.g., 1024 bits each) 2. Compute n = pq, z = (p-1)(q-1) 3. Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”). 4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ). 5. Public key is (n,e). Private key is (n,d). K B + K B -

8-26Network Security RSA: Encryption, decryption 0. Given (n,e) and (n,d) as computed above 1. To encrypt message m (<n), compute c = m mod n e 2. To decrypt received bit pattern, c, compute m = c mod n d m = (m mod n) e mod n d Magic happens! c

8-27Network Security RSA example: Bob chooses p=5, q=7. Then n=35, z=24. e=5 (so e, z relatively prime). d=29 (so ed-1 exactly divisible by z). bit pattern m m e c = m mod n e c m = c mod n d c d encrypt: decrypt: Encrypting 8-bit messages.

8-28Network Security Why does RSA work?  Must show that c d mod n = m where c = m e mod n  Fact: for any x and y: x y mod n = x (y mod z) mod n  where n= pq and z = (p-1)(q-1)  Thus, c d mod n = (m e mod n) d mod n = m ed mod n = m (ed mod z) mod n = m 1 mod n = m

8-29Network Security RSA: another important property The following property will be very useful later: K ( K (m) ) = m B B - + K ( K (m) ) B B + - = use public key first, followed by private key use private key first, followed by public key Result is the same!

8-30Network Security Follows directly from modular arithmetic: (m e mod n) d mod n = m ed mod n = m de mod n = (m d mod n) e mod n K ( K (m) ) = m B B - + K ( K (m) ) B B + - = Why ?

8-31Network Security Why is RSA Secure?  suppose you know Bob’s public key (n,e). How hard is it to determine d?  essentially need to find factors of n without knowing the two factors p and q.  fact: factoring a big number is hard. Generating RSA keys  have to find big primes p and q  approach: make good guess then apply testing rules (see Kaufman)

8-32Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7 Securing wireless LANs 8.8 Operational security: firewalls and IDS

8-33Network Security Message Integrity  allows communicating parties to verify that received messages are authentic.  Content of message has not been altered  Source of message is who/what you think it is  Message has not been replayed  Sequence of messages is maintained  let’s first talk about message digests

8-34Network Security Message Digests  function H( ) that takes as input an arbitrary length message and outputs a fixed-length string: “message signature”  note that H( ) is a many-to-1 function  H( ) is often called a “hash function” desirable properties:  easy to calculate  irreversibility: Can’t determine m from H(m)  collision resistance: computationally difficult to produce m and m’ such that H(m) = H(m’)  seemingly random output large message m H: Hash Function H(m)

8-35Network Security Internet checksum: poor message digest Internet checksum has some properties of hash function: ü produces fixed length digest (16-bit sum) of input ü is many-to-one  but given message with given hash value, it is easy to find another message with same hash value.  e.g.,: simplified checksum: add 4-byte chunks at a time: I O U B O B 49 4F E D2 42 message ASCII format B2 C1 D2 AC I O U B O B 49 4F E D2 42 message ASCII format B2 C1 D2 AC different messages but identical checksums!

8-36Network Security Hash Function Algorithms  MD5 hash function widely used (RFC 1321)  computes 128-bit message digest in 4-step process.  SHA-1 is also used.  US standard [ NIST, FIPS PUB 180-1]  160-bit message digest

8-37Network Security Message Authentication Code (MAC) message H( ) s message s H( ) compare s = shared secret  Authenticates sender  Verifies message integrity  No encryption !  Also called “keyed hash”  Notation: MD m = H(s||m) ; send m||MD m

8-38Network Security HMAC  popular MAC standard  addresses some subtle security flaws  operation:  concatenates secret to front of message.  hashes concatenated message  concatenates secret to front of digest  hashes combination again

8-39Network Security Example: OSPF  Recall that OSPF is an intra-AS routing protocol  Each router creates map of entire AS (or area) and runs shortest path algorithm over map.  Router receives link- state advertisements (LSAs) from all other routers in AS. Attacks:  Message insertion  Message deletion  Message modification  How do we know if an OSPF message is authentic?

8-40Network Security OSPF Authentication  within an Autonomous System, routers send OSPF messages to each other.  OSPF provides authentication choices  no authentication  shared password: inserted in clear in 64- bit authentication field in OSPF packet  cryptographic hash  cryptographic hash with MD5  64-bit authentication field includes 32-bit sequence number  MD5 is run over a concatenation of the OSPF packet and shared secret key  MD5 hash then appended to OSPF packet; encapsulated in IP datagram

8-41Network Security End-point authentication  want to be sure of the originator of the message – end-point authentication  assuming Alice and Bob have a shared secret, will MAC provide end-point authentication?  we do know that Alice created message.  … but did she send it?

8-42Network Security MAC Transfer $1M from Bill to Trudy MAC Transfer $1M from Bill to Trudy Playback attack MAC = f(msg,s)

8-43Network Security “I am Alice” R MAC Transfer $1M from Bill to Susan MAC = f(msg,s,R) Defending against playback attack: nonce

8-44Network Security Digital Signatures cryptographic technique analogous to hand- written signatures.  sender (Bob) digitally signs document, establishing he is document owner/creator.  goal is similar to that of MAC, except now use public-key cryptography  verifiable, nonforgeable: recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed document

8-45Network Security Digital Signatures simple digital signature for message m:  Bob signs m by encrypting with his private key K B, creating “signed” message, K B (m) - - Dear Alice Oh, how I have missed you. I think of you all the time! …(blah blah blah) Bob Bob’s message, m Public key encryption algorithm Bob’s private key K B - Bob’s message, m, signed (encrypted) with his private key K B - (m)

8-46Network Security Public-key certification  motivation: Trudy plays pizza prank on Bob  Trudy creates order: Dear Pizza Store, Please deliver to me four pepperoni pizzas. Thank you, Bob  Trudy signs order with her private key  Trudy sends order to Pizza Store  Trudy sends to Pizza Store her public key, but says it’s Bob’s public key.  Pizza Store verifies signature; then delivers four pizzas to Bob.  Bob doesn’t even like Pepperoni

8-47Network Security Certification Authorities  Certification authority (CA): binds public key to particular entity, E.  E (person, router) registers its public key with CA.  E provides “proof of identity” to CA.  CA creates certificate binding E to its public key.  certificate containing E’s public key digitally signed by CA – CA says “this is E’s public key” Bob’s public key K B + Bob’s identifying information digital signature (encrypt) CA private key K CA - K B + certificate for Bob’s public key, signed by CA

8-48Network Security Certification Authorities  when Alice wants Bob’s public key:  gets Bob’s certificate (Bob or elsewhere).  apply CA’s public key to Bob’s certificate, get Bob’s public key Bob’s public key K B + digital signature (decrypt) CA public key K CA + K B +

8-49Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7 Securing wireless LANs 8.8 Operational security: firewalls and IDS

8-50Network Security Secure Bob:  uses his private key to decrypt and recover K S  uses K S to decrypt K S (m) to recover m  Alice wants to send confidential , m, to Bob. K S ( ). K B ( ) K S (m ) K B (K S ) + m KSKS KSKS KBKB + Internet K S ( ). K B ( ). - KBKB - KSKS m K S (m ) K B (K S ) +

8-51Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7 Securing wireless LANs 8.8 Operational security: firewalls and IDS

8-52Network Security SSL: Secure Sockets Layer  widely deployed security protocol  supported by almost all browsers, web servers  https  billions $/year over SSL  original design:  Netscape, 1993  variation -TLS: transport layer security, RFC 2246  provides  confidentiality  integrity  authentication  original goals:  Web e-commerce transactions  encryption (especially credit-card numbers)  Web-server authentication  optional client authentication  minimum hassle in doing business with new merchant  available to all TCP applications  secure socket interface

8-53Network Security SSL and TCP/IP Application TCP IP Normal Application Application SSL TCP IP Application with SSL SSL provides application programming interface (API) to applications C and Java SSL libraries/classes readily available

8-54Network Security Could do something like PGP:  but want to send byte streams & interactive data  want set of secret keys for entire connection  want certificate exchange as part of protocol: handshake phase H( ). K A ( ). - + K A (H(m)) - m KAKA - m K S ( ). K B ( ). + + K B (K S ) + KSKS KBKB + Internet KSKS

8-55Network Security Toy SSL: a simple secure channel  handshake: Alice and Bob use their certificates, private keys to authenticate each other and exchange shared secret  key derivation: Alice and Bob use shared secret to derive set of keys  data transfer: data to be transferred is broken up into series of records  connection closure: special messages to securely close connection

8-56Network Security Toy: A simple handshake  MS = master secret  EMS = encrypted master secret hello certificate K B + (MS) = EMS

8-57Network Security Real SSL: Handshake (1) Purpose 1. server authentication 2. negotiation: agree on crypto algorithms 3. establish keys 4. client authentication (optional)

8-58Network Security Virtual Private Networks (VPNs)  institutions often want private networks for security.  costly: separate routers, links, DNS infrastructure.  VPN: institution’s inter-office traffic is sent over public Internet instead  encrypted before entering public Internet  logically separate from other traffic

8-59Network Security IP header IPsec header Secure payload IP header IPsec header Secure payload IP header IPsec header Secure payload IP header payload IP header payload headquarters branch office salesperson in hotel Public Internet laptop w/ IPsec Router w/ IPv4 and IPsec Router w/ IPv4 and IPsec Virtual Private Network (VPN)

8-60Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7 Securing wireless LANs 8.8 Operational security: firewalls and IDS

8-61Network Security WEP Design Goals  symmetric key crypto  confidentiality  end host authorization  data integrity  self-synchronizing: each packet separately encrypted  given encrypted packet and key, can decrypt; can continue to decrypt packets when preceding packet was lost (unlike Cipher Block Chaining (CBC) in block ciphers)  efficient  can be implemented in hardware or software

8-62Network Security Review: Symmetric Stream Ciphers  combine each byte of keystream with byte of plaintext to get ciphertext  m(i) = ith unit of message  ks(i) = ith unit of keystream  c(i) = ith unit of ciphertext  c(i) = ks(i)  m(i) (  = exclusive or)  m(i) = ks(i)  c(i)  WEP uses RC4 keystream generator key keystream

8-63Network Security WEP Authentication AP authentication request nonce (128 bytes) nonce encrypted shared key success if decrypted value equals nonce Not all APs do it, even if WEP is being used. AP indicates if authentication is necessary in beacon frame. Done before association.

8-64Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7 Securing wireless LANs 8.8 Operational security: firewalls and IDS

8-65Network Security Firewalls isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others firewall administered network public Internet firewall

8-66Network Security Firewalls: Why prevent denial of service attacks:  SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections prevent illegal modification/access of internal data.  e.g., attacker replaces CIA’s homepage with something else allow only authorized access to inside network (set of authenticated users/hosts) three types of firewalls:  stateless packet filters  stateful packet filters  application gateways