310 likes | 511 Views
Network Security. Sorina Persa Group 3250. Overview. Security services Security threats Encryption Conventional encryption Conventional encryption algorithms Public key encryption Public key encryption algorithms Message authentication IPv4 and IPv6 security.
E N D
Network Security Sorina Persa Group 3250
Overview • Security services • Security threats • Encryption • Conventional encryption • Conventional encryption algorithms • Public key encryption • Public key encryption algorithms • Message authentication • IPv4 and IPv6 security
Security Services • Confidentiality • Integrity • Authentication • Access control • Non-repudiation • Availability
Security threats Information source Information destination a) Normal flow b) Interruption c) Interception d) Modification e) Fabrication
Security threats • Interruption – attack on availability • Interception – attack on confidentiality • Modification – attack on integrity • Fabrication – attack on authenticity
Security threats • Passive attacks – eavesdropping on or monitoring of transmissions • Release of message contents • Traffic analysis • Active attacks – modification of the data stream or creation of a false stream • Masquerade • Replay • Modification of message • Denial of service
Encryption Encryption = the tool used for network and communication security It protects against passive attacks Types: • Conventional encryption • Public-key encryption • Hybrid of the precedent ones
Conventional Encryption • Two parties share a single encryption/decryption key Encryption algorithm (e.g. DES) Transmitted ciphertext Decryption algorithm Plaintext input Plaintext output Secret key Secret key
Conventional encryption • Approaches to attacking a conventional encryption scheme: • Cryptanalysis – relies on the nature of the algorithms and some plaintext-ciphertext pairs • Brute-force attacks – try every possible key Time for key search Time required at 1 encryption/sec Time required at 106 encryptions/sec Key size (bits) Number of alternative keys 32 232 = 4.3x109 231 sec = 35.8 mins 2.15 millisecs 56 256 = 7.2x1016 1142 years 10.01 hours 128 3.4x1038 5.4x1024 years 5.4x1018 years
Conventional encryption algorithms • Block ciphers – process the plaintext input in fixed-size blocks and produce a block of ciphertext of equal size for each plaintext block • It is symmetric • DES (Data encryption standard) • DEA (Data encryption algorithm) • TDEA (Triple data encryption algorithm) • AES (Advanced encryption standard)
DEA • DES was developed by NIST • DEA key size is 56 bits and the blocks are of 64 bits • Since 1977, every 5 years, NIST approved DES for use • In 1997, NIST solicited a new secret key algorithm called Advanced Encryption Standard (it uses 128-bit block size and a key length of minimum 128 bits) • In 1998 EFF (Electronic Frontier Foundation) announced that it had broken DES • In October 2000, successor to DES was selected and it was called Rijndael • Double and triple DES is also common • Triple DEA uses 3 keys and 3 executions of DEA: • C = Ek3[Dk2[Ek1[P]]] • Its key length is of 168 bits
Location of encryption devices • Link encryption • Decrypt each packet at every switch • End-to-end encryption • the source encrypts and the destination decrypts • Hybrid • Both link and end-to-end are needed • High security
Key distribution For encryption to work over a network, the two parties (sender and receiver) must exchange and share the same keys, while protecting access to the keys from others. • A key could be selected by A and physically distributed to B • A third party could select the key and physically deliver it to A and B. • If A and B have previously and recently used a key, one party could transmit the new key to the other, encrypted using the old key • If A and B could have an encrypted connection to a third party C, C could deliver a key on the encrypted link to A and B
Public key encryption • Public key algorithms are based on mathematical function rather than on simple operations on bit patterns • Public key cryptography is asymmetric, involving the use of two separate keys • The key ingredients are similar to that of conventional secret key algorithms, except that there are two keys – a public key and a private key used as input to the encryption and the decryption algorithm
Public key encryption Encryption algorithm (e.g. RSA) Transmitted ciphertext Decryption algorithm Plaintext input Plaintext output Destination’s public key Destination’s private key
Public key encryption • Steps: • Generation of a pair of keys to be used for encryption and decryption of message • Placing one of the keys in a public register and maintaining a collection of public keys from the other users • Encrypting the message with the destination’s public key • When the destination receives the message, it decrypts it with the private key
Digital signature Encryption algorithm (e.g. RSA) Transmitted ciphertext Decryption algorithm Plaintext input Plaintext output Source’s private key Source’s public key Safe from alteration but not safe from eavesdropping
Public key encryption algorithms • RSA – invented in 1973 by three MIT professors • In contrast to DES, RSA uses sophisticated mathematics instead of simple manipulation and substitution • Mostly 1024 bit keys are used • Public key encryption and decryption using RSA is 1000 times slower than secret key methods using DES • DSA (Digital signature algorithm) – used for digital signatures • DSA was proposed by NIST
Hybrid of Conventional and Public key encryption • A encrypts the message using conventional encryption with a one-time conventional session key • A encrypts the session key using public key encryption with B’s public key • Attach the encrypted session key to the message and send it to B
Message Authentication and Hash function • It protects against active attacks • It proves that the message has not been altered and that the source is authentic • MAC (Message Authentication Code) K M M M MAC algo K Compare MAC algo MAC
One-way Hash Function • It accepts a variable-size message M as input and produces a fixed-size message digest H(M) as output • H(M) is sent with the message • It does not take a secret key as input • The message digest can be encrypted using • Conventional encryption • Public-key encryption • Secret value
Message digest encrypted using conventional encryption M M M H Compare H K K E D
Message digest encrypted using public-key encryption M M M H Compare H Kprivate Kpublic E D
Message digest encrypted using secret value M M M H Compare H
Secure Hash Function • Requirements: • H can be applied to a block of data of any size • H produces a fixed-length output • H(x) is easy to compute for every x • For any given code h, it is computationally infeasible to find x such that H(x)=h • For any given block x, it is computationally infeasible to find y!=x with H(y)=H(x) • It is computationally infeasible to find any pair (x,y) s.t. H(x)=H(y) • One of the most important hash function is SHA-1 (every bit of the hash code is a function of every bit in the input)
IPv4 and IPv6 security • Need to secure the network infrastructure against unauthorized monitoring and control of network traffic and the need to secure end-user-to-end-user traffic using authentication and encryption mechanisms • In response, IAB included authentication and encryption as necessary security features in IPv6 • IPSec provides the capability to secure communication across a LAN, across private and public WANs and across the Internet • The principal feature of IPSec: it can encrypt and/or authenticate all traffic at the IP level
IPv4 and IPv6 security • IPSec’s main facilities: • AH (Authentication Header) – an authentication-only function • Provides support for data integrity and authentication of IP packets • ESP (Encapsulating Security Payload) – a combined authentication/encryption function • Provides confidentiality services, including confidentiality of message contents and limited traffic flow confidentiality • A key exchange function • Manual key management • Automated key management
Security association • It is a one-way relationship between a sender and a receiver that affords security services to the traffic carried on it • It can be identified by: • SPI (Security parameters index) • IP destination address: only unicast addresses are allowed • Security protocol identifier: AH or ESP SA
IPv4 and IPv6 security • AH and ESP support two modes of use: • Transport mode • Provides protection primarily for upper-layer protocols • Provides protection to the payload of an IP packet • Typically used for end-to-end communication between hosts • Tunnel mode • Provides protection to the entire IP packet • Used when one or both ends of an SA is a security gateway, such as a firewall or router that implements IPSec