Chapter 14 Network Encryption


1 Chapter 14 Network Encryption

2 Communications Security
- Physical protection works for local networks
  - Impractical for long-distance communications
- Types of attacks
  - Passive: eavesdropping or sniffing
  - Active: maliciously create or modify data
- Crypto techniques protect data when it is outside our physical control
  - Confidentiality, integrity
  - Authenticity, nonrepudiation

3 Crypto by Layers

4 Applying Crypto Layers
- We get different results when we apply crypto at different layers
  - Different key distribution requirements
  - Data protected in different places and ways
- Transparency: does the crypto interfere?
  - Network transparency: can the network still carry our traffic with the crypto applied?
  - Application transparency: is crypto applied without affecting the application?

5 Layer 2: Link Encryption

6 Layer 3: Network Encryption

7 Layer 4: Transport Encryption

8 Layer 7: Application Encryption

9 Administrative and Policy Issues
- Scope of sniffing protection
- Traffic filtering: does the crypto interfere with firewalls and filters?
- Automatic encryption: must we rely on the end user to enable crypto for sensitive data?
- Access to Internet sites: full, automatic encryption of all outgoing traffic makes ordinary Internet access impossible, since outside sites do not share our keys
- End-to-end crypto: do we need to associate crypto operations with end users?
- Keying: do end users need to manage keys?
- We will review all of these at the end

10 Crypto Keys on the Network
- The key management problem
  - Ensure that the right people have keys
  - Prevent attackers from uncovering keys
- Key distribution objectives
  - Ensure that keys are changed periodically
  - Change keys when access rights change
- The default keying risk: keys installed by the vendor
  - Default keys work "out of the box"
  - Attackers also have copies of the default keys

11 Key Distribution Strategies
- One big cryptonet: share the same secret key with everyone who must communicate safely
- Groups of cryptonets: share the same key among smaller communities of users
- Pairwise key sharing: one key per endpoint pair
- Key distribution center: a shared server that distributes working keys to approved users
- Public key distribution: use public key techniques to distribute keys

12 Key Distribution Techniques
- Manual keying
  - Distribute all keys "by hand", in person or via trustworthy couriers; often a starting point
- Simple rekeying
  - Unreliable tricks to replace an existing key
- Secret-key techniques
  - Wrapping, KDCs, hashing
- Public-key techniques
  - Diffie-Hellman, RSA

13 Simple Rekeying: Weak Self-rekeying
- Use a PRNG to transform the current key into a new one
  - Separate endpoints can apply the same PRNG to yield the same key
- New keys encrypted with old
  - Generate a new, random key
  - Use the previous key to encrypt it for distribution
- Both techniques may leak all traffic if an old key is disclosed: anyone holding one key (and, for the second technique, a recording of the rekey messages) can derive every later key
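The two weak rekeying schemes on this slide, worked through in Python as an added example (this is not code from the slides or the book). The shared starting key is a constructed value, HMAC-SHA256 stands in for the PRNG, and the "encrypt new key under old" step uses a one-block HMAC keystream as a toy wrap; the point being shown is the structural leak, not the cipher.

```python
import hashlib
import hmac
import secrets

# Constructed starting key that both endpoints are assumed to hold (illustrative value).
INITIAL_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def prf(key, label):
    """HMAC-SHA256 as the deterministic 'PRNG step'; both endpoints run the same function."""
    return hmac.new(key, label, hashlib.sha256).digest()


def self_rekey_chain(k0, n):
    """Weak self-rekeying: K[i+1] = PRF(K[i]). Returns K[0..n]; both ends agree on every key."""
    keys = [k0]
    for _ in range(n):
        keys.append(prf(keys[-1], b"next-key"))
    return keys


def attacker_extends_chain(leaked_key, steps):
    """Whoever learns any one key in the chain derives every later key the same way."""
    return self_rekey_chain(leaked_key, steps)


def xor32(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def rekey_by_wrapping(k0, n):
    """'New key encrypted with old': each fresh random key is sent XORed with a one-block
    keystream derived from the previous key (toy wrap; real systems use AES Key Wrap or
    an AEAD, but the structural weakness shown here is the same).
    Returns (keys held by the endpoints, messages that crossed the network)."""
    keys, wire = [k0], []
    for _ in range(n):
        new_key = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        wire.append(nonce + xor32(new_key, prf(keys[-1], b"wrap" + nonce)))
        keys.append(new_key)
    return keys, wire


def attacker_unwraps_recording(leaked_k0, wire):
    """Passive attacker: record every rekey message, obtain the *oldest* key later
    (e.g. from a retired device), and unwrap forward through the whole recording."""
    keys = [leaked_k0]
    for msg in wire:
        nonce, ct = msg[:16], msg[16:]
        keys.append(xor32(ct, prf(keys[-1], b"wrap" + nonce)))
    return keys


if __name__ == "__main__":
    chain = self_rekey_chain(INITIAL_KEY, 5)
    print("PRNG chain recovered from K[2]:", attacker_extends_chain(chain[2], 3) == chain[2:])
    keys, wire = rekey_by_wrapping(INITIAL_KEY, 4)
    print("wrapped chain recovered from K[0]:",
          attacker_unwraps_recording(INITIAL_KEY, wire) == keys)
```

In both schemes the damage runs forward from the disclosed key: every key after it, and all traffic under those keys, is exposed. Keys before the disclosed one stay safe in the PRNG chain because the hash is one-way. Breaking the forward dependency requires fresh randomness from both sides per rekey, which is what the Diffie-Hellman exchange later in the chapter provides.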

14 Stronger Secret Key Building Blocks
- Key wrapping
  - Use the wrapping technique from Chapter 8 to protect keys carried in network messages
  - Traffic Encryption Key (TEK) wrapped by a Key Encrypting Key (KEK)
- Key Distribution Center (KDC)
  - The center distributes wrapped keys
  - Authorized users share a secret with the KDC
- Shared secret hashing
  - Generate a new key using a one-way hash
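The three building blocks on this slide combined into one runnable Python example (added here; not the book's or the slides' code). The wrap is a toy built from an HMAC-SHA256 keystream plus an HMAC tag so that a tampered wrapped key is rejected rather than decrypted into garbage; a real deployment would use AES Key Wrap (RFC 3394) or an AEAD. The principal names, the `KDC` class and `kdc_session` are illustrative, and the KDC omits the identity and timestamp binding that Kerberos-style protocols add.

```python
import hashlib
import hmac
import secrets


def prf(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream(key, nonce, length):
    """Counter-mode keystream built from HMAC-SHA256 (toy stand-in for a block cipher)."""
    out, block = b"", 0
    while len(out) < length:
        out += prf(key, b"ks" + nonce + block.to_bytes(4, "big"))
        block += 1
    return out[:length]


def wrap_key(kek, tek):
    """Toy key wrap: encrypt the TEK under the KEK, then MAC nonce and ciphertext so a
    modified wrapped key is rejected instead of yielding a garbage key.
    Real deployments use AES Key Wrap (RFC 3394) or an AEAD such as AES-GCM."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(tek, keystream(kek, nonce, len(tek))))
    tag = prf(kek, b"tag" + nonce + ct)
    return nonce + ct + tag


def unwrap_key(kek, blob):
    """Verify the tag (constant-time compare) before decrypting; None on any failure."""
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(kek, b"tag" + nonce + ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(kek, nonce, len(ct))))


class KDC:
    """Every authorized user shares a long-term KEK with the center. On request the
    center mints a fresh TEK and returns it wrapped twice: once for the requester and
    once for the peer (the 'ticket' the requester forwards). Kerberos-style protocols
    additionally bind names and timestamps into these blobs; that is omitted here."""

    def __init__(self):
        self.keks = {}

    def enroll(self, name):
        self.keks[name] = secrets.token_bytes(32)
        return self.keks[name]          # delivered out of band, e.g. at enrollment

    def request(self, requester, peer):
        if requester not in self.keks or peer not in self.keks:
            raise PermissionError("unknown principal")
        tek = secrets.token_bytes(32)
        return wrap_key(self.keks[requester], tek), wrap_key(self.keks[peer], tek)


def kdc_session(kdc, kek_a, kek_b, a="alice", b="bob"):
    """Whole exchange: A asks the KDC for a key to talk to B and forwards B's ticket.
    Returns the TEK as seen by each side (equal when nothing was tampered with)."""
    for_a, ticket_for_b = kdc.request(a, b)
    return unwrap_key(kek_a, for_a), unwrap_key(kek_b, ticket_for_b)


def hash_shared_secret(long_term_secret, nonce):
    """Shared-secret hashing: derive the working key from a long-term secret and a
    public, never-repeated nonce, so the long-term secret itself never encrypts traffic."""
    return hashlib.sha256(b"session-key" + long_term_secret + nonce).digest()
```

Note the order inside `unwrap_key`: the tag is checked before any decryption happens, and a wrong KEK (Alice trying to open Bob's ticket) fails the same way as a flipped ciphertext bit. With shared-secret hashing the nonce must never repeat under the same long-term secret, or two sessions end up with the same working key.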

15 Key Wrapping

16 Key Distribution Center

17 Shared Secret Hashing

18 Public Key Building Blocks
- Anonymous Diffie-Hellman secret sharing
  - D-H inherently constructs a shared secret
  - We can use it to construct a temporary shared secret for any two endpoints
  - "Anonymous" means nothing authenticates the public values, so an active attacker in the path can interpose and share a separate secret with each side
- RSA key wrapping (encapsulation)
  - One endpoint (the client) creates a secret key shared with the other endpoint (the server)
  - Only the server needs a public key pair
  - The client needs an authentic copy of the server's public key
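Both public-key building blocks from this slide as an added Python example (not code from the slides or the book). The Diffie-Hellman group is a deliberately tiny toy, a 127-bit Mersenne prime with g = 3, and the RSA key pair is textbook RSA built from two Mersenne primes with no padding; both are assumptions chosen so the example runs with the standard library only. Real systems use standardized 2048-bit or larger groups (RFC 3526, RFC 7919) or elliptic-curve DH, and RSAES-OAEP for key transport. The MITM function shows why the slide calls the exchange "anonymous".

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters for illustration only: a 127-bit Mersenne prime and g = 3.
# Real deployments use standardized groups (RFC 3526 / RFC 7919, 2048 bits or more) or ECDH.
DH_P = (1 << 127) - 1
DH_G = 3


def dh_keypair():
    x = secrets.randbelow(DH_P - 2) + 1          # private exponent in [1, p-2]
    return x, pow(DH_G, x, DH_P)                  # (private, public)


def dh_shared_key(private, peer_public):
    """Both sides compute g^(xy); hashing turns the group element into a symmetric key."""
    s = pow(peer_public, private, DH_P)
    return hashlib.sha256(s.to_bytes(16, "big")).digest()


def anonymous_dh_honest():
    """Alice and Bob exchange public values over the network and agree on one key."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    return dh_shared_key(a_priv, b_pub), dh_shared_key(b_priv, a_pub)


def anonymous_dh_with_mitm():
    """Nothing authenticates the public values, so an active attacker substitutes her own.
    Returns Alice's key, Bob's key, and the key Mallory holds towards each of them."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    # Alice receives m_pub believing it is Bob's; Bob receives m_pub believing it is Alice's.
    alice_key = dh_shared_key(a_priv, m_pub)
    bob_key = dh_shared_key(b_priv, m_pub)
    mallory_with_alice = dh_shared_key(m_priv, a_pub)
    mallory_with_bob = dh_shared_key(m_priv, b_pub)
    return alice_key, bob_key, mallory_with_alice, mallory_with_bob


# Textbook RSA key transport with toy primes (two Mersenne primes) and no padding. Real use
# needs 2048-bit or larger keys and RSAES-OAEP (RFC 8017); this only shows the message flow.
RSA_P, RSA_Q = (1 << 89) - 1, (1 << 107) - 1
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))


def rsa_key_transport():
    """Only the server has a key pair. The client picks the session key and encrypts it
    to the server's public key; the client must hold an authentic copy of (n, e), which
    is exactly the authentication anonymous DH lacks."""
    session_key = secrets.token_bytes(16)
    c = pow(int.from_bytes(session_key, "big"), RSA_E, RSA_N)   # client -> server
    recovered = pow(c, RSA_D, RSA_N).to_bytes(16, "big")        # server unwraps
    return session_key, recovered


if __name__ == "__main__":
    a, b, ma, mb = anonymous_dh_with_mitm()
    print("Alice and Bob agree:", a == b, "| Mallory reads both sides:", a == ma and b == mb)
```

The MITM result is the practical reason DH is paired with signatures or certificates (as TLS does) and RSA key transport is only as good as the client's copy of the server key: swap either for an unauthenticated value and the attacker decrypts and re-encrypts every message in the middle.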

19 Anonymous Diffie-Hellman

20 RSA Key Wrapping

21 Trade-Off: Public and Secret Keys
- Secret key
  - Limited resources
  - Clearly defined user community
  - Revocation must be timely and reliable
  - Small user community
  - Trustworthy servers are available
- Public key
  - User community can't be identified ahead of time
  - Large community, and/or untrustworthy server computer
  - Inefficient revocation is an acceptable risk

22 Application Layer Encryption

23 Email key wrapping and encryption
[Insert figure 14.16]

24 Transport Layer Security: SSL/TLS
- Secure Sockets Layer (SSL)
  - Developed by Netscape in 1994
  - Part of a commercial client/server Web package
  - First really successful public-key application
- Inherited by the IETF
  - Now called Transport Layer Security (TLS); TLS 1.0 was published in 1999
- Three-part protocol
  - Handshake protocol: key exchange
  - Record protocol: data exchange (it frames and protects everything sent, including the handshake and alert messages)
  - Alert protocol: errors and session shutdown
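A small parser for the record layer described on this slide, added as an example (not code from the slides or the book). It builds a constructed TLS 1.2 ClientHello with an SNI extension as its test fixture, splits records off a byte stream, and dispatches on the content type: handshake records are opened to read the client version, offered cipher suites and server name; alert records are decoded to level and description. The cipher-suite and alert tables are partial on purpose; unknown codes are reported as numbers. The final helper ties back to the previous slides by flagging suites that use RSA key transport.

```python
import struct

# Record-layer content types (RFC 5246 §6.2.1): the slide's "three parts" are the handshake
# and alert messages carried inside records, plus the record layer that frames them.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# A few registered cipher-suite codes; unknown codes are reported as hex.
CIPHER_SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      48: "unknown_ca", 70: "protocol_version"}


def build_client_hello(hostname, suites, random32):
    """Constructed fixture: a TLS 1.2 ClientHello with an SNI extension, framed in a record."""
    name = hostname.encode("ascii")
    server_name_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_body = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + random32 + b"\x00"                       # version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                                           # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(b):
    """Pull version, offered cipher suites and SNI out of a ClientHello body."""
    pos = 34                                                        # skip version(2) + random(32)
    pos += 1 + b[pos]                                               # session id
    (cs_len,) = struct.unpack("!H", b[pos:pos + 2]); pos += 2
    suites = [struct.unpack("!H", b[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + b[pos]                                               # compression methods
    sni = None
    if pos + 2 <= len(b):
        (ext_len,) = struct.unpack("!H", b[pos:pos + 2]); pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", b[pos:pos + 4]); pos += 4
            if etype == 0 and elen >= 5:    # server_name: list_len(2) name_type(1) name_len(2) name
                (name_len,) = struct.unpack("!H", b[pos + 3:pos + 5])
                sni = b[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    return {"client_version": (b[0], b[1]),
            "cipher_suites": [CIPHER_SUITE_NAMES.get(s, hex(s)) for s in suites],
            "sni": sni}


def parse_record(data):
    """Split one record off the byte stream, dispatch on content type; returns (info, rest)."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if length > 2 ** 14 + 2048 or len(data) < 5 + length:          # RFC 5246 length bound
        raise ValueError("bad or truncated record body")
    body, rest = data[5:5 + length], data[5 + length:]
    info = {"type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype), "record_version": (major, minor)}
    if ctype == 22 and len(body) >= 4 and body[0] == 1:            # handshake / client_hello
        hs_len = int.from_bytes(body[1:4], "big")
        info.update(parse_client_hello(body[4:4 + hs_len]))
    elif ctype == 21 and len(body) == 2:                            # alert: level, description
        level = "fatal" if body[0] == 2 else "warning"
        info["alert"] = (level, ALERT_DESCRIPTIONS.get(body[1], body[1]))
    return info, rest


def static_rsa_suites(suite_names):
    """Suites using RSA key transport (the 'RSA key wrapping' of the earlier slide) give no
    forward secrecy: a later server-key compromise decrypts recorded sessions. TLS 1.3
    removed them entirely."""
    return [s for s in suite_names if s.startswith("TLS_RSA_WITH_")]
```

Everything this parser reads is in the clear on the wire, which is why a ClientHello (and the SNI in particular) is what network monitoring sees of a TLS session; once the handshake completes, the record layer only shows content type 23 and a length.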

25 SSL Handshake Protocol

26 SSL Key Construction

27 SSL Record Transmission

28 Network Layer Encryption
- Provides both application transparency and network transparency
- Primary use: Virtual Private Networks (VPNs)
  - Network carries plaintext inside a site
  - VPN gateway encrypts data between sites ("proxy encryption")
  - Remote users use VPN crypto to access the site
- IPsec: IP Security Protocol
  - Used for Internet VPNs
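An added Python example (not from the slides or the book) of what the gateway-to-gateway encryption on this slide leaves visible, using the ESP format that the following slides illustrate. It constructs a tunnel-mode packet (outer IPv4 header carrying protocol 50, then the ESP header, an opaque ciphertext standing in for the encrypted inner packet, and an ICV), shows the eavesdropper's view, and implements the receiver's anti-replay window from RFC 4303. The gateway addresses, SPI and the 16-byte ICV length are assumptions; the header checksum is left at zero because the packet is never sent.

```python
import ipaddress
import struct

IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")      # 20-byte header without options
ESP_HEADER = struct.Struct("!II")                 # SPI, sequence number (RFC 4303 §2)
IPPROTO_ESP = 50


def build_tunnel_packet(gw_src, gw_dst, spi, seq, ciphertext, icv):
    """Constructed tunnel-mode packet: outer IPv4 header from gateway to gateway, then ESP.
    'ciphertext' stands for the encrypted inner IP packet plus ESP trailer; the header
    checksum is left zero because nothing here transmits the packet."""
    esp = ESP_HEADER.pack(spi, seq) + ciphertext + icv
    outer = IPV4_HEADER.pack(0x45, 0, IPV4_HEADER.size + len(esp), 0, 0x4000, 64,
                             IPPROTO_ESP, 0,
                             ipaddress.IPv4Address(gw_src).packed,
                             ipaddress.IPv4Address(gw_dst).packed)
    return outer + esp


def sniffer_view(packet, icv_len=16):
    """What an eavesdropper between the gateways can read: the gateway addresses, the SPI,
    the sequence number and the ciphertext length. Inner addresses, ports and payload are
    inside the encrypted part. icv_len (16, e.g. AES-GCM) is an assumption; the real value
    is fixed by the security association, not carried in the packet."""
    vihl, _, total_len, _, _, _, proto, _, src, dst = IPV4_HEADER.unpack_from(packet)
    if vihl >> 4 != 4 or proto != IPPROTO_ESP:
        raise ValueError("not an IPv4/ESP packet")
    esp = packet[(vihl & 0x0F) * 4:total_len]
    spi, seq = ESP_HEADER.unpack_from(esp)
    return {"gateway_src": str(ipaddress.IPv4Address(src)),
            "gateway_dst": str(ipaddress.IPv4Address(dst)),
            "spi": spi, "seq": seq,
            "ciphertext_len": len(esp) - ESP_HEADER.size - icv_len}


class ReplayWindow:
    """Receiver-side anti-replay (RFC 4303 §3.4.3): a sliding bitmap of recently accepted
    sequence numbers. check() is the cheap pre-filter; update() must run only after the
    packet's ICV has verified, otherwise a forged sequence number could advance the window.
    Extended sequence numbers (ESN) are not modelled."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0   # top = highest accepted seq

    def check(self, seq):
        if seq == 0 or seq > self.top:
            return seq != 0                               # 0 is never valid; a new high is fine
        offset = self.top - seq
        return offset < self.size and not (self.bitmap & (1 << offset))

    def update(self, seq):
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq, icv_ok=True):
        """Accept or reject one packet; icv_ok stands for the result of ICV verification."""
        if not self.check(seq) or not icv_ok:
            return False
        self.update(seq)
        return True
```

The replay window is the active-attack counterpart to the confidentiality the tunnel provides: without it, a recorded ESP packet could be re-injected indefinitely even though the attacker cannot read it. Out-of-order delivery inside the window is tolerated; duplicates and packets older than the window are dropped.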

29 Example VPN

30 Encryption by an IPsec Gateway

31 IPsec Encrypted Packet

32 Internet Key Exchange (IKE) Protocol

33 Wireless LAN Encryption
- Wired Equivalent Privacy (WEP)
  - Introduced with early Wi-Fi products
  - Used RC4 with 40-bit keys and a 24-bit per-frame IV sent in the clear
  - Later increased to 104-bit keys, marketed as "128-bit" WEP (sometimes called WEP2) by counting the IV
  - Successful attacks in the early 2000s; WEP is now considered broken
- Wi-Fi Protected Access (WPA, WPA2)
  - First WPA designed to work with existing Wi-Fi hardware (still used RC4, via TKIP)
  - WPA2 uses AES, improved integrity protection, and an improved key exchange
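One of the WEP weaknesses behind the attacks mentioned on this slide, worked through as an added Python example (not code from the slides or the book): the per-frame RC4 key is the 24-bit IV prepended to the shared key, so two frames sent under the same IV share a keystream, and knowing one plaintext reveals the other. The key, IV and frame contents are constructed values, and WEP's CRC-32 integrity value is omitted since it plays no part in this attack.

```python
import math


def rc4(key, length):
    """RC4 keystream (KSA + PRGA), reproduced only to show the WEP weakness below."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key, iv, plaintext):
    """WEP per-frame key = 24-bit IV || shared key (40-bit in 'WEP-64', 104-bit in 'WEP-128').
    The IV travels in the clear; the CRC-32 ICV that WEP appends is omitted here."""
    assert len(iv) == 3 and len(shared_key) in (5, 13)
    return iv, xor(plaintext, rc4(iv + shared_key, len(plaintext)))


def recover_from_iv_reuse(c1, known_p1, c2):
    """Two frames under the same IV share one RC4 keystream, so c1 ^ c2 = p1 ^ p2.
    With p1 known (a predictable header, ARP or DHCP body), p2 falls out with no key.
    The result covers the overlap of the two frames."""
    return xor(xor(c1, c2), known_p1)


def iv_collision_probability(frames):
    """Birthday bound on at least one repeated IV among 'frames' randomly chosen 24-bit IVs."""
    return 1.0 - math.exp(-frames ** 2 / (2.0 * 2 ** 24))


if __name__ == "__main__":
    key, iv = bytes.fromhex("0102030405"), b"\x11\x22\x33"
    _, c1 = wep_encrypt(key, iv, b"GET /index.html HTTP/1.0\r\n")
    _, c2 = wep_encrypt(key, iv, b"secret password here!!")
    print(recover_from_iv_reuse(c1, b"GET /index.html HTTP/1.0\r\n", c2))
```

Because the IV space is only 2^24 values, a busy network repeats IVs within hours whether they are chosen randomly or counted sequentially; this keystream-reuse problem is independent of the 40-bit versus 104-bit key size, which is why "128-bit WEP" did not help. WPA2's AES-CCMP uses a 48-bit packet number with a nonce that cannot repeat within a key's lifetime.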

34 WPA2 Crypto Format

35 Crypto Policy: Sniffing

36 Crypto Policy: Automatic Encryption

37 Crypto Policy: Others

38 End of Chapter 14

