Chapter 8 roadmap - PowerPoint PPT Presentation

1 / 110
About This Presentation
Title:

Chapter 8 roadmap

Description:

Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity & end point authentication 8.4 Securing e-mail – PowerPoint PPT presentation

Number of Views:232
Avg rating:3.0/5.0
Slides: 111
Provided by: JimKuro130
Category:

less

Transcript and Presenter's Notes

Title: Chapter 8 roadmap


1
Chapter 8 roadmap
  • 8.1 What is network security?
  • 8.2 Principles of cryptography
  • 8.3 Message integrity end point authentication
  • 8.4 Securing e-mail
  • 8.5 Securing TCP connections SSL
  • 8.6 Network layer security IPsec
  • 8.7 Securing wireless LANs
  • 8.8 Operational security firewalls and IDS

2
What is network security?
  • Confidentiality only sender, intended receiver
    should understand message contents
  • sender encrypts message
  • receiver decrypts message
  • Authentication sender, receiver want to confirm
    identity of each other
  • Message Integrity sender, receiver want to
    ensure that any message that is altered (in
    transit, or afterwards) will be detected
  • Access control and Availability services
    accessible and available to authorized users

3
Friends and enemies Alice, Bob, Trudy
  • well-known in network security world
  • Bob, Alice want to communicate securely
  • Trudy (intruder) may intercept, delete, insert,
    modify messages

Alice
Bob
data, control messages
channel
secure sender
secure receiver
data
data
Trudy
4
Who might Bob, Alice be?
  • well, real-life Bobs and Alices!
  • Web browser/server for electronic transactions
    (e.g., on-line purchases)
  • on-line banking client/server
  • DNS servers
  • routers exchanging routing table updates
  • other examples?

5
What can a bad guy do?
  • eavesdrop intercept messages
  • actively insert messages into connection
  • impersonation can fake (spoof) source address in
    packet (or any field in packet)
  • hijacking take over ongoing connection by
    removing sender or receiver, inserting itself in
    its place, or inserting itself in the middle
  • denial of service prevent service from being
    used by others (e.g., by overloading resources)

6
Chapter 8 roadmap
  • 8.1 What is network security?
  • 8.2 Principles of cryptography
  • 8.3 Message integrity end point authentication
  • 8.4 Securing e-mail
  • 8.5 Securing TCP connections SSL
  • 8.6 Network layer security IPsec
  • 8.7 Securing wireless LANs
  • 8.8 Operational security firewalls and IDS

7
The language of cryptography
Alices encryption key
Bobs decryption key
encryption algorithm
decryption algorithm
ciphertext
plaintext
plaintext
  • symmetric key crypto sender, receiver keys
    identical
  • public-key crypto encryption key is public,
    decryption key is private (also called asymmetric
    key crypto)

8
Symmetric key cryptography
encryption algorithm
decryption algorithm
ciphertext
plaintext
plaintext message, m
K (m)
A-B
  • symmetric key crypto Bob and Alice share (know)
    the same key
  • standards DES, AES, RC4, IDEA,

9
Public Key Cryptography
  • symmetric key crypto
  • requires sender and receiver to share a secret
    key
  • Q how to agree on key in first place
    (particularly if never met)?
  • public key cryptography
  • radically different approach Diffie-Hellman76,
    RSA78
  • sender, receiver do not share secret key
  • a public key for encrypting (or verifying)
  • a private key for decrypting (or signing)

10
Public key cryptography

Bobs public key
K
B
-
Bobs private key
K
B
encryption algorithm
decryption algorithm
plaintext message
plaintext message, m
ciphertext
11
Public key encryption algorithms
Requirements
.
.

-
  • need K ( ) and K ( ) such that

B
B

given public key K , it should be impossible to
compute private key K
B
-
B
RSA Rivest, Shamir, Adleman algorithm
12
RSA another important property
The following property will be very useful later
use public key first, followed by private key
use private key first, followed by public key
Result is the same!
13
Session keys
  • RSA requires exponentiation which is
    computationally intensive
  • e.g., DES is at least 100 times faster than
  • RSA
  • Session key, KS
  • Bob and Alice use RSA to exchange a symmetric key
    KS
  • Once both have KS, they use symmetric key crypto
    for confidential communication

14
Chapter 8 roadmap
  • 8.1 What is network security?
  • 8.2 Principles of cryptography
  • 8.3 Message integrity end point authentication
  • 8.4 Securing e-mail
  • 8.5 Securing TCP connections SSL
  • 8.6 Network layer security IPsec
  • 8.7 Securing wireless LANs
  • 8.8 Operational security firewalls and IDS

15
Message Integrity
  • Allows communicating parties to verify that
    received messages are authentic.
  • Content of message has not been altered
  • Source of message is who/what you think it is
  • Message has not been replayed
  • Sequence of messages is maintained
  • Lets first consider message digests

16
Message Digests
  • Function H( ) that takes as input an arbitrary
    length message and outputs a fixed-length string
  • Note that H( ) is a many-to-1 function
  • H( ) is often called a hash function
  • Desirable properties of crypto hash function
  • Easy to calculate
  • Irreversible Cant determine m from H(m)
  • Collision resistant computationally difficult to
    produce m and m such that
  • H(m) H(m)
  • Seemingly random output

17
Internet checksum poor crypto hash function
  • Internet checksum has some properties of hash
    function
  • produces fixed length digest (16-bit sum) of
    message
  • is many-to-one

But for a message with given hash value, it is
easy to find another message with same hash
value. Simple checksum example
message
ASCII format
message
ASCII format
I O U 1 0 0 . 9 9 B O B
49 4F 55 31 30 30 2E 39 39 42 4F 42
49 4F 55 39 30 30 2E 31 39 42 4F 42
I O U 9 0 0 . 1 9 B O B
B2 C1 D2 AC
B2 C1 D2 AC
different messages but identical checksums!
18
Message Authentication Code (MAC)
(shared secret)
s
(message)
s
(shared secret)
19
Crypto hash functions in practice
  • MD5 hash function widely used (RFC 1321)
  • computes 128-bit message digest in 4-step
    process.
  • arbitrary 128-bit string x, appears difficult to
    construct msg m whose MD5 hash is equal to x
  • recent (2005) attacks on MD5, may not be
    collision resistant
  • SHA-1 is also used
  • US standard NIST, FIPS PUB 180-1
  • 160-bit message digest
  • more robust algorithms such as SHA224, SHA256,
    SHA384 and SHA512

20
Digital Signatures objective
  • Like hand-written signatures
  • sender (Bob) digitally signs document with his
    own private key, establishing he is document
    owner/creator.
  • verifiable, nonforgeable recipient (Alice) can
    prove to someone that Bob, and no one else
    (including Alice), must have signed document

21
Digital Signatures
  • simple digital signature for message m
  • Bob signs m by encrypting with his private key
    KB, creating signed message, KB(m)

-
-
Bobs private key
Bobs message, m
(m)
Dear Alice Oh, how I have missed you. I think of
you all the time! (blah blah blah) Bob
Bobs message, m, signed (encrypted) with his
private key
public key encryption algorithm
22
Digital Signatures (more)
-
  • suppose Alice receives msg m, digital signature
    KB(m)
  • Alice verifies m by using Bobs public key KB to
    check KB(KB(m) ) m.
  • if verified, whoever signed m must have used
    Bobs private key.



-
  • Alice thus verifies that
  • Bob signed m.
  • No one else signed m.
  • Bob signed m and not m.
  • non-repudiation
  • Alice can take m, and signature KB(m) to court
    and prove that Bob signed m or he let someone
    else use his private key.

-
23
Digital signature
  • Alice verifies signature and integrity of
    digitally signed message

Bob sends digitally signed message
H(m)
Bobs private key
Bobs public key
equal ?
24
Public Key Certification
  • public key problem
  • When Alice obtains Bobs public key (from web
    site, e-mail, diskette), how does she know it is
    Bobs public key, not Trudys?
  • solution
  • trusted certification authority (CA)

25
Certification Authorities
  • Certification Authority (CA) binds public key to
    a particular entity, E.
  • E registers its public key with CA.
  • E provides proof of identity to CA.
  • CA creates certificate binding E to its public
    key.
  • certificate containing Es public key digitally
    signed by CA CA says This is Es public key.

Bobs public key
CA private key
certificate for Bobs public key, signed by CA
-
Bobs identifying information
26
Certification Authorities
  • when Alice wants Bobs public key
  • gets Bobs certificate (Bob or elsewhere).
  • apply CAs public key to Bobs certificate, get
    Bobs public key

Bobs public key
CA public key

Chain of authorities, root certificate
27
Chapter 8 roadmap
  • 8.1 What is network security?
  • 8.2 Principles of cryptography
  • 8.3 Message integrity end point authentication
  • 8.4 Securing e-mail
  • 8.5 Securing TCP connections SSL
  • 8.6 Network layer security IPsec
  • 8.7 Securing wireless LANs
  • 8.8 Operational security firewalls and IDS

28
Authentication challenge-response
Goal avoid playback attack
Nonce number (R) used only once in a lifetime
To prove that Alice is live, Bob sends Alice
nonce, R. Alice must return R, encrypted with
shared secret key
I am Alice
R
Alice is live, and only Alice knows key to
encrypt nonce, so it must be Alice!
29
Authentication using nonce and public key crypto ?
I am Alice
Bob computes
R
and knows only Alice could have the private key
to encrypt R such that
send me your public key
30
Security hole
  • Man (woman) in the middle attack Trudy poses as
    Alice (to Bob) and as Bob (to Alice)

I am Alice
I am Alice
R
R
Send me your public key
Send me your public key
Trudy gets
sends m to Alice encrypted with Alices public key
31
Security hole (cont.)
  • Difficult to detect - Bob receives everything
    that Alice sends, and vice versa. (e.g., so Bob,
    Alice can meet later and recall conversation)
  • problem is that Trudy receives all messages as
    well
  • public key needs to come from a trustworthy
    source, such as, a public key certificate

32
Chapter 8 roadmap
  • 8.1 What is network security?
  • 8.2 Principles of cryptography
  • 8.3 Message integrity end point authentication
  • 8.4 Securing TCP connections SSL
  • 8.5 Network layer security IPsec
  • 8.6 Securing wireless LANs
  • 8.7 Operational security firewalls and IDS

33
Chapter 8 roadmap
  • 8.1 What is network security?
  • 8.2 Principles of cryptography
  • 8.3 Message integrity end point authentication
  • 8.4 Securing TCP connections SSL
  • 8.5 Network layer security IPsec
  • 8.6 Securing wireless LANs
  • 8.7 Operational security firewalls and IDS

34
Secure sockets layer
  • provides transport layer security to any
    TCP-based application
  • e.g., between Web browsers, servers for
    e-commerce (https)
  • two variants SSL 3.0, TLS 1.2
  • security services
  • server authentication, confidentiality,
    integrity, client authentication (optional)

Application
Application
SSL/TLS
secure socket
TCP
TCP
TCP socket
IP
IP
TCP API
TCP enhanced with SSL
35
SSL handshake
  • Bob (client) establishes TCP connection to Alice
    (server)
  • Bob authenticates Alice from her CA signed
    certificate
  • Bob creates, encrypts (using Alices public key),
    sends pre-master secret to Alice
  • (nonces not shown in messages)

TCP SYN
TCP SYNACK
TCP ACK
SSL hello
certificate
create Pre-master secret (PMS)
KA(PMS)
decrypt using KA- to get PMS
36
SSL key derivations
  • Master secret generated from pre-master secret,
    server and client nonces
  • Alice, Bob use shared master secret to generate 4
    symmetric keys
  • EB Bob-gtAlice data encryption key
  • EA Alice-gtBob data encryption key
  • MB Bob-gtAlice MAC key
  • MA Alice-gtBob MAC key
  • encryption and MAC algorithms negotiable between
    Bob, Alice

37
More detail
  • Actually two finished messages (encrypted),
    before transfer of application data, to detect
    any tampering of handshake messages
  • client sends a MAC of all handshake messages
  • server sends a MAC of all handshake messages

38
SSL record protocol
  • SSL record protocol provides transport service to
    SSL Handshake protocol, application data, and
    other protocols (e.g., Alert protocol for ending
    session)
  • Type is for demultiplexing
  • Application data undergo
  • Fragmentation into blocks
  • Compression ( Optionally )
  • Computing MAC ( Message Authentication Code )
  • using entire record MAC key value of sequence
    counter
  • Encryption
  • Type, Version, and Length fields are left in the
    clear
  •                     

39
Chapter 8 roadmap
  • 8.1 What is network security?
  • 8.2 Principles of cryptography
  • 8.3 Message integrity end point authentication
  • 8.4 Securing e-mail
  • 8.5 Securing TCP connections SSL
  • 8.6 Network layer security IPsec
  • 8.7 Securing wireless LANs
  • 8.8 Operational security firewalls and IDS

40
What is confidentiality at the network-layer?
  • Between two network entities
  • Sending entity encrypts the payloads of
    datagrams. Payload could be
  • TCP segment, UDP segment, ICMP message, OSPF
    message, and so on.
  • All data sent from one network entity to the
    other would be hidden
  • Web pages, e-mail, P2P file transfers, TCP SYN
    packets, and so on.
  • That is, blanket coverage.

41
Virtual Private Network (VPN)
42
IPsec services
  • Origin authentication
  • Data integrity
  • Replay attack prevention
  • Confidentiality
  • Two protocols providing different service models
  • authentication header (AH) protocol
  • encapsulation security payload (ESP) protocol

43
IPsec Transport Mode
  • IPsec datagrams emitted and received by two end
    systems.
  • Protects upper level protocols of these end
    systems

44
IPsec tunneling mode (1)
  • End routers are IPsec aware. Hosts need not be.

45
IPsec tunneling mode (2)
IPsec
IPsec
  • Also tunneling mode.

46
Two protocols
  • Authentication Header (AH) protocol
  • provides source authentication data integrity
    but not confidentiality
  • 51 in protocol field of IP header
  • Encapsulation Security Protocol (ESP)
  • provides source authentication, data integrity,
    and confidentiality
  • 50 in protocol field of IP header

47
Four combinations are possible
Transport mode with AH Transport mode with ESP
Tunnel modewith AH Tunnel modewith ESP
Most common andmost important
48
Security association
  • Before sending data, a logical connection is
    established from sending entity to receiving
    entity, called security association (SA)
  • SAs are unidirectional
  • Both sending and receiving entities maintain
    state information for the SA
  • Recall that TCP endpoints also maintain state
    information.
  • IP is connectionless IPsec is connection-oriented
  • How many SAs in VPN for headquarters, branch
    office, and n traveling salesperson?

49
Example SA from R1 to R2
  • R1 stores SA state info
  • 32-bit identifier for SA Security Parameter
    Index (SPI)
  • the origin interface of the SA (200.168.1.100)
  • destination interface of the SA (193.68.2.23)
  • type of encryption to be used (for example, 3DES
    with CBC)
  • encryption key
  • type of integrity check (for example, HMAC with
    MD5)
  • authentication key

50
Security Association Database (SAD)
  • Endpoint holds state of its SAs in a SAD
  • With n salespersons, 2 2n SAs in R1s SAD
  • When sending IPsec datagram, R1 accesses SAD to
    determine how to process datagram.
  • When IPsec datagram arrives to R2, R2 examines
    SPI in IPsec datagram, indexes SAD with SPI, and
    processes datagram accordingly.

51
IPsec datagram tunnel mode, ESP
52
Inside the enchilada
  • ESP header
  • SPI, so receiving entity knows what to do
  • Sequence number, to thwart replay attacks
  • ESP trailer Padding for block ciphers
  • next header identifies protocol in payload field
  • Use shared keys to encrypt and create ESP MAC
    field

53
Summary IPsec services
  • Suppose Trudy sits somewhere between R1 and R2.
    She doesnt know the keys.
  • Will Trudy be able to see contents of original
    datagram? How about source, destination IP
    addresses, transport protocol, application port?
  • Flip bits without detection?
  • Masquerade as R1 using R1s IP address?
  • Replay a datagram?

54
Athentication methods
  • PSK (pre-shared key)
  • PKI (public key infrastructure)
  • pubic/private keys and certificates

55
IKE Key Management in IPsec
  • In previous examples, we manually established
    IPsec SAs in IPsec endpoints
  • Example SA
  • SPI 12345
  • Source IP 200.168.1.100
  • Dest IP 193.68.2.23
  • Protocol ESP
  • Encryption algorithm 3DES-cbc
  • HMAC algorithm MD5
  • Encryption key 0x7aeaca
  • HMAC key0xc0291f
  • Such manual keying is impractical for large VPN
    with, say, hundreds of people.
  • Instead use IPsec IKE (Internet Key Exchange)

56
Two Phases of IKE
  • Phase I Establish bi-directional IKE SA
  • IKE SA is different from IPsec SA,
  • also called ISAKMP security association
  • Each endpoint has private and public keys
  • Use Diffie-Hellman algorithm to establish a
    shared secret
  • (Mutual authentication is not done in phase I)

57
Diffie-Hellman algorithm
  • Publicly known large prime number p and number g
    that is prime root mod p
  • Alice and Bob independently choose private keys,
    a and b, respectively and exchange their public
    keys
  • public key of Alice is ga mod p
  • public key of Bob is gb mod p
  • Shared secret known only to Alice and Bob is
  • gab mod p (gb mod p)a mod p (ga mod p)b
    mod p
  • Note that in phase I, public keys of Alice and
    Bob have not been authenticated

58
Two Phases of IKE (cont.)
  • Phase I Establish bi-directional IKE SA
  • Phase II The endpoints reveal their identities
    to each other and mutually authenticate using
    public key certificates
  • Identities are not revealed to passive sniffers
    since messages are sent over encrypted IKE SA
    channel between the endpoints

59
Chapter 8 roadmap
  • 8.1 What is network security?
  • 8.2 Principles of cryptography
  • 8.3 Message integrity end point authentication
  • 8.4 Securing e-mail
  • 8.5 Securing TCP connections SSL
  • 8.6 Network layer security IPsec
  • 8.7 Securing wireless LANs
  • 8.8 Operational security firewalls and IDS

60
IEEE 802.11 security
  • first attempt at Wi Fi security Wired Equivalent
    Privacy (WEP)
  • Many weaknesses
  • Pre-shared key only for authentication
  • Most recent standard 802.11i (WPA2)

61
WEP weaknesses
  • RC4 stream encryption, based on XOR of plaintext
    and key, is subject to known plaintext attack
  • Append 24-bit initialization vector (IV) to
    40-bit (or 104-bit) secret to generate key for
    each frame
  • There are only 224 unique keys
  • 24-bit IV, one per frame, is transmitted in
    plaintext -gt reuse occurs quickly
  • other weaknesses, e.g., no message integrity
    protection

62
802.11i (WPA2)
  • Provides AES block encryption and message
    integrity
  • Allows key distribution in addition to pre-shared
    key
  • use of an authentication server separate from
    access point, in addition to local authentication
    by access point

63
EAP extensible authentication protocol
  • EAP end-end client (mobile) to authentication
    server protocol
  • EAP sent over separate links
  • mobile-to-AP (EAP over LAN)
  • AP to authentication server (RADIUS over UDP)

wired network
EAP TLS
EAP
RADIUS
EAP over LAN (EAPoL)
IEEE 802.11
UDP/IP
64
802.11i four phases of operation
AP access point
STA client station
AS Authentication server
wired network
STA and AS mutually authenticate,
together generate Master Key (MK). AP serves as a
relay
STA derives Pairwise Master Key (PMK)
AS derives same PMK, sends to AP
65
Chapter 8 roadmap
  • 8.1 What is network security?
  • 8.2 Principles of cryptography
  • 8.3 Message integrity end point authentication
  • 8.4 Securing e-mail
  • 8.5 Securing TCP connections SSL
  • 8.6 Network layer security IPsec
  • 8.7 Securing wireless LANs
  • 8.8 Operational security firewalls and IDS

66
Firewalls
isolates organizations internal net from larger
Internet, allowing some packets to pass, blocking
others (i.e., access control)
firewall


67
Three types of firewalls
  • stateless packet filters
  • stateful packet filters
  • application gateways

68
Stateless packet filtering
Should arriving packet be allowed in? Departing
packet let out?
  • internal network connected to Internet via router
    firewall
  • router filters packet-by-packet, decision to
    forward/drop packet based on
  • source IP address, destination IP address
  • TCP/UDP source and destination port numbers
  • ICMP message type
  • TCP SYN and ACK bits

69
Stateless packet filtering example
  • example 1 block incoming and outgoing datagrams
    with IP protocol field 17 and with either
    source or dest port 23.
  • all incoming, outgoing UDP flows and telnet
    connections are blocked.
  • example 2 Block inbound TCP segments with ACK0.
  • prevents external clients from making TCP
    connections with internal clients, but allows
    internal clients to connect to outside.

70
Stateless packet filtering more examples

Policy Firewall Setting
No outside Web access. Drop all outgoing packets to any IP address, port 80
No incoming TCP connections, except those for institutions public Web server only. Drop all incoming TCP SYN packets except those with destination IP 130.207.244.203, port 80
Prevent Web-radios from eating up the available bandwidth. Drop all incoming UDP packets - except DNS and router broadcasts.
Prevent your network from being used for a smurf DoS attack. Drop all ICMP packets going to a broadcast address (e.g. 130.207.255.255).
Prevent your network from being tracerouted Drop all outgoing ICMP TTL expired traffic
71
Access Control Lists
  • ACL table of rules, applied top to bottom to
    incoming packets (action, condition) pairs

action source address dest address protocol source port dest port flag bit
allow 222.22/16 outside of 222.22/16 TCP gt 1023 80 any
allow outside of 222.22/16 222.22/16 TCP 80 gt 1023 ACK
allow 222.22/16 outside of 222.22/16 UDP gt 1023 53 ---
allow outside of 222.22/16 222.22/16 UDP 53 gt 1023 ----
deny all all all all all all
72
Stateful packet filtering
  • stateless packet filter memoryless
  • admits packets that make no sense, e.g., dest
    port 80, ACK bit set, even though no TCP
    connection established

action source address dest address protocol source port dest port flag bit
allow outside of 222.22/16 222.22/16 TCP 80 gt 1023 ACK
  • stateful packet filter track status of every TCP
    connection
  • track connection setup (SYN), teardown (FIN) can
    determine whether incoming, outgoing packets
    make sense
  • timeout inactive connections at firewall no
    longer admit packets

73
Stateful packet filtering
  • ACL augmented to indicate need to check
    connection state table before admitting packet

action source address dest address proto source port dest port flag bit check conxion
allow 222.22/16 outside of 222.22/16 TCP gt 1023 80 any
allow outside of 222.22/16 222.22/16 TCP 80 gt 1023 ACK x
allow 222.22/16 outside of 222.22/16 UDP gt 1023 53 ---
allow outside of 222.22/16 222.22/16 UDP 53 gt 1023 ---- x
deny all all all all all all
74
Application gateways
gateway-to-remote host telnet session
host-to-gateway telnet session
  • Make policy decisions based on application or
    application data
  • Example allow select internal users to telnet
    outside.
  • common examples mail server, web cache

application gateway
router and filter
1. Require all telnet users to telnet through
gateway. 2. For authorized users, gateway sets up
telnet connection to dest host. Gateway relays
data between 2 connections 3. Router filters all
telnet connections not originating from gateway.
75
Limitations of firewalls and gateways
  • If multiple apps need special treatment, each
    needs its own gateway
  • client software must know how to contact gateway.
  • e.g., must set IP address of proxy in Web browser
  • IP spoofing router cant know if data really
    come from claimed source
  • filters often use all or nothing policy for UDP
  • tradeoff degree of communication with outside
    world, level of security
  • many highly protected sites still suffer from
    attacks

76
Intrusion detection systems
  • packet filtering
  • operates on TCP/IP headers only
  • no correlation check among sessions
  • IDS intrusion detection system
  • deep packet inspection look at packet contents
    (e.g., check character strings in packet against
    database of known viruses, attack strings)
  • examine correlation among multiple packets to
    detect
  • port scanning
  • network mapping
  • DoS attack

77
Intrusion detection systems
  • multiple IDSs different types of checking at
    different locations

application gateway
firewall

Internet

internal network
Web server
IDS sensors
DNS server
FTP server
demilitarized zone
78
Network Security (summary)
  • Basic techniques...
  • cryptography (symmetric and public)
  • message integrity
  • end-point authentication
  • . used in many different security scenarios
  • secure email
  • secure transport (SSL)
  • IP sec
  • 802.11
  • Operational Security firewalls and IDS

79
End of Chapter 8
80
Unused slides
81
Chapter 8 Network Security
  • Chapter goals
  • understand principles of network security
  • cryptography and its many uses beyond
    confidentiality
  • message integrity
  • authentication
  • security in practice
  • security in application, transport, network, link
    layers
  • firewalls and intrusion detection systems

82
A certificate contains
  • Serial number (unique to issuer)
  • info about certificate owner, including algorithm
    and key value itself (not shown)
  • info about certificate issuer
  • valid dates
  • digital signature by issuer

83
IPsec datagram
  • Focus for now on tunnel mode with ESP

84
Firewall objectives
  • prevent denial of service attacks
  • SYN flooding attacker establishes many bogus TCP
    connections, no resources left for real
    connections
  • prevent illegal modification/access of internal
    data.
  • e.g., attacker replaces CIAs homepage with
    something else
  • allow only authorized access to inside network
    (set of authenticated users/hosts)
  • three types of firewalls
  • stateless packet filters
  • stateful packet filters
  • application gateways

85
IEEE 802.11 security
  • War-driving drove around Bay area with laptop
    and 802.11 card Shipley 2001
  • more than 9000 accessible from public roadways
  • 85 use no encryption/authentication
  • packet-sniffing and various attacks easy
  • Securing 802.11
  • encryption, authentication
  • first attempt at Wi Fi security Wired Equivalent
    Privacy (WEP) has weaknesses
  • recent standard 802.11i (WPA2)

86
Wired Equivalent Privacy (WEP)
  • authentication as in protocol ap4.0
  • host requests authentication from access point
  • access point sends 128 bit nonce
  • host encrypts nonce using shared symmetric key
  • access point decrypts nonce, authenticates host
  • no key distribution mechanism
  • authentication knowing the shared key is enough

87
WEP data encryption
  • Host/AP share 40 bit symmetric key
    (semi-permanent)
  • Host appends 24-bit initialization vector (IV) to
    create 64-bit keya new IV for each frame
  • 64 bit key used to generate (by RC4) a stream of
    keys, ki(IV)
  • ki(IV) used to encrypt ith byte, di, in frame
  • ci di XOR ki(IV)
  • Each frame contains its IV (in the clear) and
    encrypted data

88
802.11 WEP encryption
Sender-side WEP encryption
89
Breaking 802.11 WEP encryption
  • security hole
  • 24-bit IV, one IV per frame, -gt IVs eventually
    reused
  • IV transmitted in plaintext -gt IV reuse detected
  • attack
  • Trudy causes Alice to encrypt known plaintext d1
    d2 d3 d4
  • Trudy sees ci di XOR ki(IV)
  • Trudy knows ci di, so can compute ki(IV)
  • Trudy knows encrypting key sequence k1(IV),
    k2(IV), k3(IV)
  • Next time IV is used, Trudy can decrypt
  • plus other weaknesses
  • (e.g., no message integrity protection)

90
R1 converts original datagraminto IPsec datagram
  • Appends to back of original datagram (which
    includes original header fields) an ESP trailer
    field.
  • Encrypts result using algorithm key specified
    by SA.
  • Appends to front of this encrypted quantity the
    ESP header, creating enchilada.
  • Creates authentication MAC over the whole
    enchilada, using algorithm and key specified in
    SA
  • Appends MAC to back of enchilada, forming
    payload
  • Creates brand new IP header, with all the classic
    IPv4 header fields, which it appends before
    payload.

91
IPsec sequence numbers
  • For new SA, sender initializes seq. to 0
  • Each time datagram is sent on SA
  • Sender increments seq counter
  • Places value in seq field
  • Goal
  • Prevent attacker from sniffing and replaying a
    packet
  • Receipt of duplicate, authenticated IP packets
    may disrupt service
  • Method
  • Destination checks for duplicates
  • But doesnt keep track of ALL received packets
    instead uses a window

92
Security Policy Database (SPD)
  • Policy For a given datagram, sending entity
    needs to know if it should use IPsec.
  • Needs also to know which SA to use
  • May use source and destination IP address
    protocol number.
  • Info in SPD indicates what to do with arriving
    datagram
  • Info in the SAD indicates how to do it.

93
IKE PSK and PKI
  • Authentication (proof who you are) with either
  • pre-shared secret (PSK) or
  • with PKI (pubic/private keys and certificates).
  • With PSK, both sides start with secret
  • then run IKE to authenticate each other and to
    generate IPsec SAs (one in each direction),
    including encryption and authentication keys
  • With PKI, both sides start with public/private
    key pair and certificate.
  • run IKE to authenticate each other and obtain
    IPsec SAs (one in each direction).
  • Similar with handshake in SSL.

93
94
Symmetric key crypto
  • DES Data Encryption Standard
  • U.S. encryption standard NIST 1993
  • 64 bit plaintext input, 56-bit symmetric key
  • cipher-block chaining for sequence of 64-bit data
    units
  • XOR encrypted nth data unit with n1st data unit
    the result is then encrypted
  • Triple-DES (3DES)
  • use three keys sequentially -- output of one key
    operation as input of next key operation
  • Other symmetric key systems RC4, IDEA, ,
  • AESrecent (Nov. 2001) NIST standard to succeed
    DES, 128-bit data, 128, 192, or 256 bit keys

95
Message integrity authenticity
  • Bob receives msg from Alice, wants to ensure
  • message originally came from Alice
  • message not changed since sent by Alice
  • Cryptographic Hash
  • takes input m, produces fixed length value, H(m),
    called message digest
  • e.g., as in Internet checksum
  • computationally infeasible to find two different
    messages, x, y such that H(x) H(y)
  • Equivalently given x H(m), cannot find m such
    that H(m)x
  • note Internet checksum fails this requirement

96
IPsec Security Association
  • For both AH and ESP, source, destination
    handshake
  • create network-layer unidirectional logical
    channel called a security association (SA)
  • source and dest share a symmetric key
  • Internet Key Exchange protocol (RFC 2409) allows
    the use of signatures, public keys, or a
    pre-shared key
  • Uniquely determined by
  • security protocol (AH or ESP)
  • source IP address
  • 32-bit connection ID (Security Parameter Index)

97
Authentication Header (AH) Protocol
  • provides source authentication, data integrity,
    no confidentiality
  • AH header inserted between IP header, data field.
  • IP header protocol field 51
  • intermediate routers process datagrams as usual
  • AH header includes
  • connection identifier
  • authentication data MAC calculated over original
    IP datagram, AH header fields and symmetric key
    (except IP TTL field)
  • next header field specifies type of data (e.g.,
    TCP, UDP, ICMP)
  • sequence number

98
ESP Protocol
  • provides secrecy, host authentication, data
    integrity.
  • data, ESP trailer encrypted.
  • next header field is in ESP trailer.
  • ESP authentication field is similar to AH
    authentication field.
  • Protocol 50 in IP header.

authenticated
encrypted
ESP header
IP header
TCP/UDP segment
99
Many more details
  • We have decribed the IPsec transport mode for
    security association between hosts for IPv4
  • IPsec tunnel model is for security association
    between routers
  • IPsec for IPv6

100
Symmetric key cryptography
  • substitution cipher substituting one thing for
    another
  • monoalphabetic cipher substitute one letter for
    another

plaintext abcdefghijklmnopqrstuvwxyz
ciphertext mnbvcxzasdfghjklpoiuytrewq
E.g.
Plaintext bob. i love you. alice
ciphertext nkn. s gktc wky. mgsbc
  • Q How hard to break this simple cipher?
  • brute force (how hard?)
  • other?

101
Symmetric key crypto DES
  • DES Data Encryption Standard
  • US encryption standard NIST 1993
  • 56-bit symmetric key, 64-bit plaintext input
  • How secure is DES?
  • DES Challenge 56-bit-key-encrypted phrase
    (Strong cryptography makes the world a safer
    place) decrypted (brute force) in 4 months
  • no known backdoor decryption approach
  • making DES more secure
  • use three keys sequentially (3-DES) on each datum
  • use cipher-block chaining

102
Symmetric key crypto DES
  • initial permutation
  • 16 identical rounds of function application,
    each using different 48 bits of key
  • final permutation

103
AES Advanced Encryption Standard
  • new (Nov. 2001) symmetric-key NIST standard,
    replacing DES
  • processes data in 128 bit blocks
  • 128, 192, or 256 bit keys
  • brute force decryption (try each key) taking 1
    sec on DES, takes 149 trillion years for AES

104
Block Cipher
64-bit input
8bits
8bits
8bits
8bits
8bits
8bits
8bits
8bits
loop for n rounds
8 bits
8 bits
8 bits
8 bits
8 bits
8 bits
8 bits
8 bits
  • one pass through one input bit affects eight
    output bits

64-bit scrambler
64-bit output
  • multiple passes each input bit afects all output
    bits
  • block ciphers DES, 3DES, AES

105
Cipher Block Chaining
  • cipher block if input block repeated, will
    produce same cipher text

m(1) HTTP/1.1
c(1) k329aM02
t1
block cipher

m(17) HTTP/1.1
c(17) k329aM02
t17
block cipher
  • cipher block chaining XOR ith input block, m(i),
    with previous block of cipher text, c(i-1)
  • c(0) transmitted to receiver in clear
  • what happens in HTTP/1.1 scenario from above?

m(i)
c(i-1)
block cipher
c(i)
106
RSA Choosing keys
1. Choose two large prime numbers p, q.
(e.g., 1024 bits each)
2. Compute n pq, z (p-1)(q-1)
3. Choose e (with eltn) that has no common
factors with z. (e, z are relatively prime).
4. Choose d such that ed-1 is exactly divisible
by z. (in other words ed mod z 1 ).
5. Public key is (n,e). Private key is (n,d).
107
RSA Encryption, decryption
0. Given (n,e) and (n,d) as computed above
2. To decrypt received bit pattern, c, compute
d
(i.e., remainder when c is divided by n)
Magic happens!
c
108
RSA example
Bob chooses p5, q7. Then n35, z24.
e5 (so e, z relatively prime). d29 (so ed-1
exactly divisible by z.
e
m
m
letter
encrypt
l
12
1524832
17
c
letter
decrypt
17
12
l
481968572106750915091411825223071697
109
RSA Why is that
Useful number theory result If p,q prime and n
pq, then
(using number theory result above)
(since we chose ed to be divisible by (p-1)(q-1)
with remainder 1 )
110
SSL three phases
  • 3. Data transfer

TCP byte stream
b1b2b3 bn
MB
d
block n bytes together
compute MAC
EB
encrypt d, MAC, SSL seq.
SSL seq.
SSL record format
Type Ver Len
encrypted using EB
unencrypted
Write a Comment
User Comments (0)
About PowerShow.com