8-1
Network Security
All material copyright 1996-2012
J.F. Kurose and K.W. Ross, All Rights Reserved
George Parisis
School of Engineering and Informatics
University of Sussex
8-2 Network Security
Network Security
Objectives:
v understand principles of network security:
§ cryptography and its many uses beyond
“confidentiality”
§ authentication
§ message integrity
v security in practice:
§ firewalls and intrusion detection systems
§ security in application, transport, network layers
8-3 Network Security
Network Security
v What is network security?
v Principles of cryptography
v Message integrity, authentication
v Securing e-mail
v Securing TCP connections: SSL
v Network layer security: IPsec
v Operational security: firewalls and IDS
8-4 Network Security
What is network security?
confidentiality: only sender, intended receiver should
“understand” message contents
§ sender encrypts message
§ receiver decrypts message
authentication: sender, receiver want to confirm
identity of each other
message integrity: sender, receiver want to ensure
message not altered (in transit, or afterwards) without
detection
access and availability: services must be accessible
and available to users
8-5 Network Security
Friends and enemies: Alice, Bob, Trudy
v well-known in network security world
v Bob, Alice want to communicate “securely”
v Trudy (intruder) may intercept, delete, add messages
[figure: Alice (secure sender) and Bob (secure receiver) exchange data and control messages over a secure channel; Trudy sits on the channel between them]
8-6 Network Security
Who might Bob, Alice be?
v … well, real-life Bobs and Alices!
v Web browser/server for electronic
transactions (e.g., on-line purchases)
v on-line banking client/server
v DNS servers
v routers exchanging routing table updates
8-7 Network Security
There are bad guys out there!
Q: What can a “bad guy” do?
A: A lot!
§ eavesdrop: intercept messages
§ actively insert messages into connection
§ impersonation: can fake (spoof) source
address in packet (or any field in packet)
§ hijacking: “take over” ongoing connection
by removing sender or receiver, inserting
himself in place
§ denial of service: prevent service from being
used by others (e.g., by overloading
resources)
8-8 Network Security
Network Security
v What is network security?
v Principles of cryptography
v Message integrity, authentication
v Securing e-mail
v Securing TCP connections: SSL
v Network layer security: IPsec
v Operational security: firewalls and IDS
8-9 Network Security
The language of cryptography
m: plaintext message
K_A(m): ciphertext, encrypted with key K_A
m = K_B(K_A(m))
[figure: plaintext m → encryption algorithm (Alice's encryption key K_A) → ciphertext K_A(m) → decryption algorithm (Bob's decryption key K_B) → plaintext m]
8-10 Network Security
Breaking an encryption scheme
v cipher-text only attack: Trudy has ciphertext she can analyze
v two approaches:
§ brute force: search through all keys
§ statistical analysis
v known-plaintext attack: Trudy has plaintext corresponding to ciphertext
§ e.g., in monoalphabetic cipher, Trudy determines pairings for a,l,i,c,e,b,o,
v chosen-plaintext attack: Trudy can get ciphertext for chosen plaintext
8-11 Network Security
Symmetric key cryptography
symmetric key crypto: Bob and Alice share same (symmetric) key: K_S
v e.g., key is knowing substitution pattern in monoalphabetic substitution cipher
Q: how do Bob and Alice agree on key value?
[figure: plaintext message m → encryption algorithm (K_S) → ciphertext K_S(m) → decryption algorithm (K_S) → plaintext m = K_S(K_S(m))]
8-12 Network Security
Simple encryption scheme
substitution cipher: substituting one thing for another
§ monoalphabetic cipher: substitute one letter for another
e.g.:
plaintext: abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq
plaintext: bob. i love you. alice
ciphertext: nkn. s gktc wky. mgsbc
Encryption key: mapping from set of 26 letters to set of 26 letters
8-13 Network Security
A more sophisticated encryption approach
v n substitution ciphers, M1,M2,…,Mn
v cycling pattern:
§ e.g., n=4: M1,M3,M4,M3,M2; M1,M3,M4,M3,M2; ..
v for each new plaintext symbol, use subsequent substitution pattern in cyclic pattern
§ dog: d from M1, o from M3, g from M4
Encryption key: n substitution ciphers, and cyclic pattern
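As an added example (not part of the slides), both ciphers above in Python: the monoalphabetic cipher with the key from slide 8-12, the polyalphabetic cipher with the cycling pattern from slide 8-13, and the two weaknesses slide 8-10 describes (known-plaintext pairings, and the unchanged letter-frequency profile that statistical analysis exploits). The M2..M4 alphabets and the function names are my own constructions.

```python
import string
from collections import Counter

ALPHABET = string.ascii_lowercase
SLIDE_KEY = "mnbvcxzasdfghjklpoiuytrewq"   # ciphertext alphabet from slide 8-12

def substitute(text, table):
    """Apply a letter-to-letter mapping; non-letters pass through unchanged."""
    return "".join(table.get(c, c) for c in text)

def mono_encrypt(plaintext, key=SLIDE_KEY):
    return substitute(plaintext, dict(zip(ALPHABET, key)))

def mono_decrypt(ciphertext, key=SLIDE_KEY):
    return substitute(ciphertext, dict(zip(key, ALPHABET)))

def poly_crypt(text, keys, pattern, decrypt=False):
    """n ciphers M1..Mn plus a cycling pattern of 1-based indices (slide 8-13)."""
    tables = [dict(zip(k, ALPHABET)) if decrypt else dict(zip(ALPHABET, k))
              for k in keys]
    out, i = [], 0
    for c in text:
        if c in ALPHABET:
            out.append(tables[pattern[i % len(pattern)] - 1][c])
            i += 1                          # only letters advance the cycle
        else:
            out.append(c)
    return "".join(out)

def known_plaintext_pairings(plaintext, ciphertext):
    """Known-plaintext attack (slide 8-10): the pair reveals each letter's mapping."""
    return {p: c for p, c in zip(plaintext, ciphertext) if p in ALPHABET}

def same_frequency_profile(plaintext, ciphertext):
    """Monoalphabetic cipher only relabels letters: letter-count profiles match."""
    def profile(s):
        return sorted(Counter(c for c in s if c in ALPHABET).values())
    return profile(plaintext) == profile(ciphertext)

if __name__ == "__main__":
    pt = "bob. i love you. alice"
    ct = mono_encrypt(pt)
    print(ct, "->", mono_decrypt(ct))             # nkn. s gktc wky. mgsbc -> bob. ...
    keys = [SLIDE_KEY] + [ALPHABET[i:] + ALPHABET[:i] for i in (3, 7, 11)]  # constructed M1..M4
    pattern = [1, 3, 4, 3, 2]                     # cycling pattern from slide 8-13
    ct2 = poly_crypt("dog", keys, pattern)        # d from M1, o from M3, g from M4
    print(ct2, "->", poly_crypt(ct2, keys, pattern, decrypt=True))
    print(known_plaintext_pairings(pt, ct), same_frequency_profile(pt, ct))
```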
8-14 Network Security
Symmetric key crypto: DES
DES: Data Encryption Standard
v US encryption standard [NIST 1993]
v 56-bit symmetric key, 64-bit plaintext input
v block cipher with cipher block chaining
v how secure is DES?
§ DES Challenge: 56-bit-key-encrypted phrase
decrypted (brute force) in less than a day
v making DES more secure:
§ 3DES: encrypt 3 times with 3 different keys
8-15 Network Security
Block Ciphers
8-16 Network Security
Symmetric key crypto: DES
[figure: DES operation: initial permutation; 16 identical “rounds” of function application, each using different 48 bits of key; final permutation]
8-17 Network Security
AES: Advanced Encryption Standard
v symmetric-key NIST standard, replaced DES
(Nov 2001)
v processes data in 128 bit blocks
v 128, 192, or 256 bit keys
v brute force decryption (try each key) taking 1
sec on DES, takes 149 trillion years for AES
8-18 Network Security
Public Key Cryptography
symmetric key crypto
v requires sender, receiver know shared secret key
v Q: how to agree on key in first place (particularly if never “met”)?
public key crypto
v radically different approach [Diffie-Hellman76, RSA78]
v sender, receiver do NOT share secret key
v public key known to all
v private key known only to receiver
8-19 Network Security
Public key cryptography
[figure: plaintext message m → encryption algorithm (Bob's public key K_B^+) → ciphertext K_B^+(m) → decryption algorithm (Bob's private key K_B^-) → plaintext message m = K_B^-(K_B^+(m))]
8-20 Network Security
Public key encryption algorithms
requirements:
1. need K_B^+( ) and K_B^-( ) such that K_B^-(K_B^+(m)) = m
2. given public key K_B^+, it should be impossible to compute private key K_B^-
RSA: Rivest, Shamir, Adleman algorithm
8-21 Network Security
Prerequisite: modular arithmetic
v x mod n = remainder of x when divide by n
v facts:
[(a mod n) + (b mod n)] mod n = (a+b) mod n
[(a mod n) – (b mod n)] mod n = (a-b) mod n
[(a mod n) * (b mod n)] mod n = (a*b) mod n
v thus
(a mod n)^d mod n = a^d mod n
v example: x=14, n=10, d=2:
(x mod n)^d mod n = 4^2 mod 10 = 6
x^d = 14^2 = 196; x^d mod 10 = 6
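As an added example, not from the slides: modular exponentiation by repeated squaring, which is correct precisely because of the facts above (every intermediate product may be reduced mod n), checked against the slide's x=14, n=10, d=2 case. This is the operation RSA encryption and decryption perform on large numbers; the function names and the large-number test values are my own.

```python
def check_mod_facts(a, b, n):
    """The three identities from the slide, for integers a, b and n > 0.
    Python's % always returns a value in [0, n), so the subtraction case holds."""
    return ((((a % n) + (b % n)) % n == (a + b) % n) and
            (((a % n) - (b % n)) % n == (a - b) % n) and
            (((a % n) * (b % n)) % n == (a * b) % n))

def mod_exp(a, d, n):
    """a^d mod n by square-and-multiply, reducing after every product.
    Reducing early is valid because (a mod n)^d mod n = a^d mod n, so the
    intermediate values never exceed n^2 even when a^d itself is enormous."""
    if n <= 0 or d < 0:
        raise ValueError("need n > 0 and d >= 0")
    result, base = 1 % n, a % n        # 1 % n so that n == 1 gives 0
    while d:
        if d & 1:                      # current low bit of d set: multiply in
            result = (result * base) % n
        base = (base * base) % n       # square for the next bit
        d >>= 1
    return result

def slide_example():
    """x=14, n=10, d=2: (x mod n)^d mod n = 4^2 mod 10 = 6 and x^d mod 10 = 196 mod 10 = 6."""
    x, n, d = 14, 10, 2
    return ((x % n) ** d % n, (x ** d) % n, mod_exp(x, d, n))

if __name__ == "__main__":
    print(slide_example())                          # (6, 6, 6)
    print(check_mod_facts(14, 27, 10))              # True
    # Constructed large-number case: compare with Python's built-in pow(a, d, n).
    a, d, n = 123456789, 987654321, 1000000007
    print(mod_exp(a, d, n) == pow(a, d, n))         # True
```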
8-22 Network Security
RSA: getting ready
v message: just a bit pattern
v bit pattern can be uniquely represented by an integer
number
v thus, encrypting a message is equivalent to
encrypting a number
example:
v m = 10010001. This message is uniquely represented by the decimal number 145.
v to encrypt m, we encrypt the corresponding number,
which gives a new number (the ciphertext).
8-23 Network Security
RSA: Creating public/private key pair
1. choose two large prime numbers p, q.
(e.g., 1024 bits each)
2. compute n = pq, z = (p-1)(q-1)
3. choose e (with e