Download presentation
Presentation is loading. Please wait.
1
Lecture 10: Network Security
2
Security properties Confidentiality Authenticity Integrity
only the sender and the receiver understand the contents of the message Authenticity the message is from whom it claims to be Integrity the message was not changed along the way
3
Outline Building blocks Providing security properties
Securing Internet protocols Operational security
4
Outline Building blocks Providing security properties
Securing Internet protocols Operational security
5
Encryption & decryption
“Dear Bob, ...” “Dear Bob, ...” encryption algorithm decryption algorithm communication channel Alice Bob
6
Encryption & decryption
plaintext plaintext encryption algorithm decryption algorithm ciphertext ciphertext Alice Bob
7
Encryption & decryption
Encryption algorithm: input: plaintext, output: ciphertext Decryption algorithm: input: ciphertext, output: plaintext Ciphertext: ideally, should reveal no information about the message
8
Symmetric key cryptography
plaintext plaintext encryption algorithm decryption algorithm ciphertext ciphertext Alice key key Bob
9
Symmetric key cryptography
plaintext plaintext encryption algorithm decryption algorithm key key ciphertext ciphertext key{ } key{ } plaintext = plaintext
10
Symmetric key cryptography
Alice and Bob share the same key used both for the encryption and decryption algorithm Used to “scramble” the plaintext RC4, AES, Blowfish
11
Symmetric key cryptography
Challenge: how to share a key? out of band not always an option
12
Asymmetric key cryptography
plaintext plaintext encryption algorithm decryption algorithm ciphertext ciphertext Alice Bob key+ key-
13
Asymmetric key cryptography
plaintext plaintext encryption algorithm decryption algorithm key+ key- ciphertext ciphertext key-{ } key+{ } plaintext = plaintext
14
Asymmetric key cryptography
Alice and Bob use different keys public (key+) and private (key-) key There is a special relationship between them key-{ key+{ plaintext } } = plaintext key+{ key-{ plaintext } } = plaintext RSA, DSA
15
Asymmetric key cryptography
Challenge: computationally expensive sophisticated encryption/decryption algorithms based on number theory
16
Cryptographic hash function
Dear Bob, Cheers, Alice hash function tru46hj#$% hash
17
Cryptographic hash function
Dear Bob, Cheers, Alice Dear Bob, Thanks, Celine Dear Bob, Best wishes, Dabir hash function Dear Bob, hash
18
Cryptographic hash function
Dear Bob, Cheers, Alice hash function tru46hj#$% hash ?
19
Cryptographic hash function
Maps larger input to smaller hash Hash should not reveal information on input Should be hard to identify 2 inputs that lead to the same hash
20
Building blocks Symmetric key encryption/decryption
Alice and Bob share the same key challenge: exchanging the key Asymmetric key encryption/decryption Alice and Bob use different keys challenge: computationally expensive Cryptographic hash function produces a hash of the original message that’s different from encryption
21
Outline Building blocks Providing security properties
Securing Internet protocols Operational security
22
Providing confidentiality
plaintext plaintext encryption algorithm decryption algorithm key key ciphertext ciphertext ciphertext Alice Bob Eve
23
Providing confidentiality
plaintext plaintext encryption algorithm decryption algorithm ciphertext ciphertext Alice Bob Bob_key+ Bob_key-
24
Providing confidentiality
plaintext plaintext encryption algorithm decryption algorithm ciphertext ciphertext Alice Bob Manuel Bob_key+ Bob_key-
25
Man in the middle Alice Manuel Bob plaintext plaintext plaintext
decryption algorithm encryption algorithm decryption algorithm encryption algorithm Manuel_key- Bob_key- ciphertext ciphertext ciphertext ciphertext ciphertext ciphertext Manuel_key+ Bob_key+ Alice Manuel Bob
26
Providing confidentiality
With symmetric key crypto Alice encrypts message with shared key only Bob can decrypt it With asymmetric key crypto Alice encrypts message with Bob’s public key only Bob can decrypt it (with his private key) but beware of man-in-the-middle attacks
27
Providing authenticity
Persa Alice Bob I am Alice
28
Providing authenticity
Persa Alice Bob I am Alice Alice’s IP address
29
Providing authenticity
Alice Bob I am Alice key
30
Providing authenticity
Alice Bob I am Alice hjdfk678vnx key{ I am Alice } key{ I am Alice } = hjdfk678vnx
31
Providing authenticity
Persa Bob I am Alice hgdja key{ I am Alice } != hgdja
32
Providing authenticity
Alice Bob I am Alice key{ I am Alice }
33
Providing authenticity
Alice Bob I am Alice 46873astubv hash{key|I am Alice} hash{ key | I am Alice } = 46873astubv
34
Providing authenticity
Alice Bob I am Alice hash{key|I am Alice} Message Authentication Code (MAC)
35
Providing authenticity
Alice Bob I am Alice Alice_key-{ I am Alice } 687retwyw Alice_key+{ 687retwyw } = I am Alice
36
Providing authenticity
Persa Bob I am Alice ghdj67d%^& Alice_key+{ ghdj67d%^& } != I am Alice
37
Providing authenticity
Alice Bob I am Alice Alice_key-{ I am Alice }
38
Providing authenticity
Alice Bob I am Alice Alice_key-{ hash{ I am Alice } } Digital signature
39
Providing authenticity
Alice Bob I am Alice key
40
Providing authenticity
Alice Bob I am Alice key{ I am Alice }
41
Providing authenticity
Alice Bob I am Alice hash{key|I am Alice} Message Authentication Code (MAC)
42
Providing authenticity
Alice Bob I am Alice Alice_key-{ I am Alice }
43
Providing authenticity
Alice Bob I am Alice Alice_key-{ hash{ I am Alice } } Digital signature
44
Providing authenticity
Alice Bob Meet me after class hash{ key|Meet me after class }
45
Providing authenticity
Alice Bob I have something to say nonce Meet me after class hash{ key|nonce|Meet me after class }
46
Providing authenticity
With symmetric key crypto Alice appends hash of message + shared key Bob verifies that it is correct (using shared key) With asymmetric key crypto Alice encrypts hash of message with her private key, appends to unencrypted message Bob verifies that it is correct (using Alice’s public key)
47
Providing authenticity
Nonce for avoiding replay attacks Bob sends Alice a nonce (random number) Alice appends hash of message + shared key + nonce
48
hash{ key|Meet me after class }
Providing integrity Alice Bob Meet me after class hash{ key|Meet me after class }
49
Alice_key-{ hash{ Meet me after class} }
Providing integrity Alice Bob Meet me after class Alice_key-{ hash{ Meet me after class} }
50
Providing integrity With the same mechanisms that provide authenticity
51
Man in the middle Alice Manuel Bob plaintext plaintext plaintext
decryption algorithm encryption algorithm decryption algorithm encryption algorithm Manuel_key- Bob_key- ciphertext ciphertext ciphertext ciphertext ciphertext ciphertext Manuel_key+ Bob_key+ Alice Manuel Bob
52
Public key certification
Trusted certificate authority (CA) digitally signs that key+ is Bob’s public key using the CA’s private key CA’s public key is obtained out of band web browsers pre-configured with CA public keys
53
Outline Building blocks Providing security properties
Securing Internet protocols Operational security
54
Securing email (confidentiality)
shared_key{ } message Alice + Bob_key+{ } shared_key
55
Securing email (confidentiality)
shared_key{ } shared_key{ } message Bob - Bob_key-{ } Bob_key+{ } shared_key
56
Securing email (auth & integrity)
Alice_key-{ } hash{ } message Alice + message
57
Securing email (auth & integrity)
Alice_key+{ } Alice_key-{ } hash{ } message Bob - hash{ } message
58
Bob_key+{ shared_key }
Securing Alice_key-{ } hash{ } message Alice + shared_key{ ... } message + Bob_key+{ shared_key }
59
store_key+{ shared_master_key }
Securing TCP Alice online store SYN SYN ACK ACK SSL hello certificate store_key+{ shared_master_key }
60
Securing TCP Server sends its certificate
includes its public key Client creates and sends a shared master key encrypts it with server’s public key Both use master key to create 4 session keys 1 key for encrypting client --> server data 1 key for creating MAC for client --> server data same for server --> client data
61
Securing TCP Alice online store key2{ } place order, hash{ key1|...}
cancel order, key2{ } hash{ key1|...}
62
Securing TCP Alice online store key2{ } place order,
hash{ key1| #1, ...} cancel order, key2{ } hash{ key1| #2, ...}
63
Securing TCP Client organizes data in records
each record has a sequence number Creates MAC for each record + sequence # using one of the 4 session keys Encrypts the data + MAC for each record using (another) one of the 4 session keys
64
hash{ key2, key1{ IP packet } }
Securing IP key1{ IP packet }, hash{ key2, key1{ IP packet } } IP packet IP packet Alice Bob
65
Securing IP 2 IP routers establish a “secure tunnel”
usually between branch offices of a company Source encrypts each IP packet using a shared key Source creates MAC for encrypted IP packet using another shared key
66
Key ideas Combination of symmetric/asymmetric keys
asymmetric key crypto to exchange shared keys symmetric key crypto for confidentiality, authenticity, & integrity symmetric key crypto is faster Seq. numbers to avoid reordering attacks organize data in records with seq. numbers compute MAC on record data + seq. number
67
Outline Building blocks Providing security properties
Securing Internet protocols Operational security
68
Firewalls action src IP dst IP proto src port dst port flag allow
167.67/16 any TCP > 1023 80 all allow any 167.67/16 TCP 80 > 1023 ACK deny all all all all all all
Similar presentations
