Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Security Sorina Persa Group 3250 Group 3250.

Published byCody Bates Modified over 9 years ago

Similar presentations

Presentation on theme: "Network Security Sorina Persa Group 3250 Group 3250."— Presentation transcript:

1 Network Security Sorina Persa Group 3250 Group 3250

2 Overview Security services Security services Security threats Security threats Encryption Encryption Conventional encryption Conventional encryption Conventional encryption algorithms Conventional encryption algorithms Public key encryption Public key encryption Public key encryption algorithms Public key encryption algorithms Message authentication Message authentication IPv4 and IPv6 security IPv4 and IPv6 security

3 Security Services Confidentiality Confidentiality Integrity Integrity Authentication Authentication Access control Access control Non-repudiation Non-repudiation Availability Availability

4 Security threats Information source Information destination a) Normal flow b) Interruption c) Interception d) Modificatione) Fabrication

5 Security threats Interruption – attack on availability Interruption – attack on availability Interception – attack on confidentiality Interception – attack on confidentiality Modification – attack on integrity Modification – attack on integrity Fabrication – attack on authenticity Fabrication – attack on authenticity

6 Security threats Passive attacks – eavesdropping on or monitoring of transmissions Passive attacks – eavesdropping on or monitoring of transmissions Release of message contents Release of message contents Traffic analysis Traffic analysis Active attacks – modification of the data stream or creation of a false stream Active attacks – modification of the data stream or creation of a false stream Masquerade Masquerade Replay Replay Modification of message Modification of message Denial of service Denial of service

7 Encryption Encryption = the tool used for network and communication security It protects against passive attacks Types: Conventional encryption Conventional encryption Public-key encryption Public-key encryption Hybrid of the precedent ones Hybrid of the precedent ones

8 Conventional Encryption Two parties share a single encryption/decryption key Two parties share a single encryption/decryption key Encryption algorithm (e.g. DES) Decryption algorithm Plaintext input Secret key Plaintext output Transmitted ciphertext

9 Conventional encryption Approaches to attacking a conventional encryption scheme: Approaches to attacking a conventional encryption scheme: Cryptanalysis – relies on the nature of the algorithms and some plaintext-ciphertext pairs Cryptanalysis – relies on the nature of the algorithms and some plaintext-ciphertext pairs Brute-force attacks – try every possible key Brute-force attacks – try every possible key Time for key search Key size (bits) Number of alternative keys Time required at 1 encryption/  sec Time required at 10 6 encryptions/  sec 32 2 32 = 4.3x10 9 2 31  sec = 35.8 mins 2.15 millisecs 56 2 56 = 7.2x10 16 1142 years 10.01 hours 128 3.4x10 38 5.4x10 24 years 5.4x10 18 years

10 Conventional encryption algorithms Block ciphers – process the plaintext input in fixed-size blocks and produce a block of ciphertext of equal size for each plaintext block Block ciphers – process the plaintext input in fixed-size blocks and produce a block of ciphertext of equal size for each plaintext block It is symmetric It is symmetric DES (Data encryption standard) DES (Data encryption standard) DEA (Data encryption algorithm) DEA (Data encryption algorithm) TDEA (Triple data encryption algorithm) TDEA (Triple data encryption algorithm) AES (Advanced encryption standard) AES (Advanced encryption standard)

11 DEA DES was developed by NIST DES was developed by NIST DEA key size is 56 bits and the blocks are of 64 bits DEA key size is 56 bits and the blocks are of 64 bits Since 1977, every 5 years, NIST approved DES for use Since 1977, every 5 years, NIST approved DES for use In 1997, NIST solicited a new secret key algorithm called Advanced Encryption Standard (it uses 128-bit block size and a key length of minimum 128 bits) In 1997, NIST solicited a new secret key algorithm called Advanced Encryption Standard (it uses 128-bit block size and a key length of minimum 128 bits) In 1998 EFF (Electronic Frontier Foundation) announced that it had broken DES In 1998 EFF (Electronic Frontier Foundation) announced that it had broken DES In October 2000, successor to DES was selected and it was called Rijndael In October 2000, successor to DES was selected and it was called Rijndael Double and triple DES is also common Double and triple DES is also common Triple DEA uses 3 keys and 3 executions of DEA: Triple DEA uses 3 keys and 3 executions of DEA: C = E k3 [D k2 [E k1 [P]]] C = E k3 [D k2 [E k1 [P]]] Its key length is of 168 bits Its key length is of 168 bits

12 Location of encryption devices Link encryption Decrypt each packet at every switch End-to-end encryption the source encrypts and the destination decrypts Hybrid Both link and end-to- end are needed High security

13 Key distribution For encryption to work over a network, the two parties (sender and receiver) must exchange and share the same keys, while protecting access to the keys from others. A key could be selected by A and physically distributed to B A key could be selected by A and physically distributed to B A third party could select the key and physically deliver it to A and B. A third party could select the key and physically deliver it to A and B. If A and B have previously and recently used a key, one party could transmit the new key to the other, encrypted using the old key If A and B have previously and recently used a key, one party could transmit the new key to the other, encrypted using the old key If A and B could have an encrypted connection to a third party C, C could deliver a key on the encrypted link to A and B If A and B could have an encrypted connection to a third party C, C could deliver a key on the encrypted link to A and B

14 Public key encryption Public key algorithms are based on mathematical function rather than on simple operations on bit patterns Public key algorithms are based on mathematical function rather than on simple operations on bit patterns Public key cryptography is asymmetric, involving the use of two separate keys Public key cryptography is asymmetric, involving the use of two separate keys The key ingredients are similar to that of conventional secret key algorithms, except that there are two keys – a public key and a private key used as input to the encryption and the decryption algorithm The key ingredients are similar to that of conventional secret key algorithms, except that there are two keys – a public key and a private key used as input to the encryption and the decryption algorithm

15 Public key encryption Encryption algorithm (e.g. RSA) Decryption algorithm Plaintext input Destination’s public key Destination’s private key Plaintext output Transmitted ciphertext

16 Public key encryption Steps: Steps: Generation of a pair of keys to be used for encryption and decryption of message Generation of a pair of keys to be used for encryption and decryption of message Placing one of the keys in a public register and maintaining a collection of public keys from the other users Placing one of the keys in a public register and maintaining a collection of public keys from the other users Encrypting the message with the destination’s public key Encrypting the message with the destination’s public key When the destination receives the message, it decrypts it with the private key When the destination receives the message, it decrypts it with the private key

17 Digital signature Encryption algorithm (e.g. RSA) Decryption algorithm Plaintext input Source’s private key Source’s public key Plaintext output Transmitted ciphertext Safe from alteration but not safe from eavesdropping

18 Public key encryption algorithms RSA – invented in 1973 by three MIT professors RSA – invented in 1973 by three MIT professors In contrast to DES, RSA uses sophisticated mathematics instead of simple manipulation and substitution In contrast to DES, RSA uses sophisticated mathematics instead of simple manipulation and substitution Mostly 1024 bit keys are used Mostly 1024 bit keys are used Public key encryption and decryption using RSA is 1000 times slower than secret key methods using DES Public key encryption and decryption using RSA is 1000 times slower than secret key methods using DES DSA (Digital signature algorithm) – used for digital signatures DSA (Digital signature algorithm) – used for digital signatures DSA was proposed by NIST DSA was proposed by NIST

19 Hybrid of Conventional and Public key encryption A encrypts the message using conventional encryption with a one-time conventional session key A encrypts the message using conventional encryption with a one-time conventional session key A encrypts the session key using public key encryption with B’s public key A encrypts the session key using public key encryption with B’s public key Attach the encrypted session key to the message and send it to B Attach the encrypted session key to the message and send it to B

20 Message Authentication and Hash function It protects against active attacks It protects against active attacks It proves that the message has not been altered and that the source is authentic It proves that the message has not been altered and that the source is authentic MAC (Message Authentication Code) MAC (Message Authentication Code) M MAC algo MAC K MM MAC algo Compare K

21 One-way Hash Function It accepts a variable-size message M as input and produces a fixed-size message digest H(M) as output It accepts a variable-size message M as input and produces a fixed-size message digest H(M) as output H(M) is sent with the message H(M) is sent with the message It does not take a secret key as input It does not take a secret key as input The message digest can be encrypted using The message digest can be encrypted using Conventional encryption Conventional encryption Public-key encryption Public-key encryption Secret value Secret value

22 Message digest encrypted using conventional encryption M H E MM H Compare D KK

23 Message digest encrypted using public-key encryption M H E MM H Compare D K private K public

24 Message digest encrypted using secret value M H MM H Compare

25 Secure Hash Function Requirements: Requirements: H can be applied to a block of data of any size H can be applied to a block of data of any size H produces a fixed-length output H produces a fixed-length output H(x) is easy to compute for every x H(x) is easy to compute for every x For any given code h, it is computationally infeasible to find x such that H(x)=h For any given code h, it is computationally infeasible to find x such that H(x)=h For any given block x, it is computationally infeasible to find y!=x with H(y)=H(x) For any given block x, it is computationally infeasible to find y!=x with H(y)=H(x) It is computationally infeasible to find any pair (x,y) s.t. H(x)=H(y) It is computationally infeasible to find any pair (x,y) s.t. H(x)=H(y) One of the most important hash function is SHA-1 (every bit of the hash code is a function of every bit in the input) One of the most important hash function is SHA-1 (every bit of the hash code is a function of every bit in the input)

26 IPv4 and IPv6 security Need to secure the network infrastructure against unauthorized monitoring and control of network traffic and the need to secure end-user-to-end-user traffic using authentication and encryption mechanisms Need to secure the network infrastructure against unauthorized monitoring and control of network traffic and the need to secure end-user-to-end-user traffic using authentication and encryption mechanisms In response, IAB included authentication and encryption as necessary security features in IPv6 In response, IAB included authentication and encryption as necessary security features in IPv6 IPSec provides the capability to secure communication across a LAN, across private and public WANs and across the Internet IPSec provides the capability to secure communication across a LAN, across private and public WANs and across the Internet The principal feature of IPSec: it can encrypt and/or authenticate all traffic at the IP level The principal feature of IPSec: it can encrypt and/or authenticate all traffic at the IP level

27 IPv4 and IPv6 security IPSec’s main facilities: IPSec’s main facilities: AH (Authentication Header) – an authentication-only function AH (Authentication Header) – an authentication-only function Provides support for data integrity and authentication of IP packets Provides support for data integrity and authentication of IP packets ESP (Encapsulating Security Payload) – a combined authentication/encryption function ESP (Encapsulating Security Payload) – a combined authentication/encryption function Provides confidentiality services, including confidentiality of message contents and limited traffic flow confidentiality Provides confidentiality services, including confidentiality of message contents and limited traffic flow confidentiality A key exchange function A key exchange function Manual key management Manual key management Automated key management Automated key management

28 Security association It is a one-way relationship between a sender and a receiver that affords security services to the traffic carried on it It is a one-way relationship between a sender and a receiver that affords security services to the traffic carried on it It can be identified by: It can be identified by: SPI (Security parameters index) SPI (Security parameters index) IP destination address: only unicast addresses are allowed IP destination address: only unicast addresses are allowed Security protocol identifier: AH or ESP SA Security protocol identifier: AH or ESP SA

29 IPv4 and IPv6 security AH and ESP support two modes of use: AH and ESP support two modes of use: Transport mode Transport mode Provides protection primarily for upper-layer protocols Provides protection primarily for upper-layer protocols Provides protection to the payload of an IP packet Provides protection to the payload of an IP packet Typically used for end-to-end communication between hosts Typically used for end-to-end communication between hosts Tunnel mode Tunnel mode Provides protection to the entire IP packet Provides protection to the entire IP packet Used when one or both ends of an SA is a security gateway, such as a firewall or router that implements IPSec Used when one or both ends of an SA is a security gateway, such as a firewall or router that implements IPSec

Download ppt "Network Security Sorina Persa Group 3250 Group 3250."

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Chapter 18: Network Security Business Data Communications, 5e.

Chapter 18: Network Security Business Data Communications, 5e.
Information Security and Management 11

Information Security and Management 11
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
Cryptography and Network Security

Cryptography and Network Security
Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.
Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.

Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.
Lecture 22 Internet Security Protocols and Standards modified from slides of Lawrie Brown.

Lecture 22 Internet Security Protocols and Standards modified from slides of Lawrie Brown.
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Chapter 20: Network Security Business Data Communications, 4e.

Chapter 20: Network Security Business Data Communications, 4e.

Similar presentations

Ads by Google