8-1

Network Security

All material copyright 1996-2012
J.F Kurose and K.W. Ross, All Rights Reserved

George Parisis
School of Engineering and Informatics

University of Sussex

8-2 Network Security

Network Security
Objectives:
- understand principles of network security:
  - cryptography and its many uses beyond “confidentiality”
  - authentication
  - message integrity
- security in practice:
  - firewalls and intrusion detection systems
  - security in application, transport, network layers

8-3 Network Security

Network Security

- What is network security?
- Principles of cryptography
- Message integrity, authentication
- Securing e-mail
- Securing TCP connections: SSL
- Network layer security: IPsec
- Operational security: firewalls and IDS

8-4 Network Security

What is network security?

confidentiality: only sender, intended receiver should “understand” message contents
- sender encrypts message
- receiver decrypts message

authentication: sender, receiver want to confirm identity of each other

message integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection

access and availability: services must be accessible and available to users

8-5 Network Security

Friends and enemies: Alice, Bob, Trudy

- well-known in network security world
- Bob, Alice want to communicate “securely”
- Trudy (intruder) may intercept, delete, add messages

[Figure: Alice's secure sender and Bob's secure receiver exchange data and control messages over a channel, with Trudy on the channel between them.]

8-6 Network Security

Who might Bob, Alice be?

- … well, real-life Bobs and Alices!
- Web browser/server for electronic transactions (e.g., on-line purchases)
- on-line banking client/server
- DNS servers
- routers exchanging routing table updates

8-7 Network Security

There are bad guys out there!
Q: What can a “bad guy” do?
A: A lot!

- eavesdrop: intercept messages
- actively insert messages into connection
- impersonation: can fake (spoof) source address in packet (or any field in packet)
- hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place
- denial of service: prevent service from being used by others (e.g., by overloading resources)

8-9 Network Security

The language of cryptography

$m$: plaintext message
$K_A(m)$: ciphertext, encrypted with key $K_A$
$m = K_B(K_A(m))$

[Figure: plaintext -> encryption algorithm (Alice’s encryption key $K_A$) -> ciphertext -> decryption algorithm (Bob’s decryption key $K_B$) -> plaintext]

8-10 Network Security

Breaking an encryption scheme

- cipher-text only attack: Trudy has ciphertext she can analyze
- two approaches:
  - brute force: search through all keys
  - statistical analysis
- known-plaintext attack: Trudy has plaintext corresponding to ciphertext
  - e.g., in monoalphabetic cipher, Trudy determines pairings for a,l,i,c,e,b,o
- chosen-plaintext attack: Trudy can get ciphertext for chosen plaintext

8-11 Network Security

Symmetric key cryptography

[Figure: plaintext message, $m$ -> encryption algorithm (key $K_S$) -> ciphertext $K_S(m)$ -> decryption algorithm (key $K_S$) -> plaintext $m = K_S(K_S(m))$]

symmetric key crypto: Bob and Alice share same (symmetric) key: $K_S$
- e.g., key is knowing substitution pattern in monoalphabetic substitution cipher

Q: how do Bob and Alice agree on key value?

8-12 Network Security

Simple encryption scheme

substitution cipher: substituting one thing for another
- monoalphabetic cipher: substitute one letter for another

plaintext:  abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq

e.g.:
Plaintext:  bob. i love you. alice
ciphertext: nkn. s gktc wky. mgsbc

Encryption key: mapping from set of 26 letters to set of 26 letters
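The following Python sketch is an added example, not part of the original slides. It implements the slide's monoalphabetic key and shows why the known-plaintext case from the "Breaking an encryption scheme" slide defeats it: aligned plaintext/ciphertext for "bob" and "alice" fixes the pairings for a,l,i,c,e,b,o. The function names and the assumption that the observer knows those two words are illustrative.

```python
import string

# Key from the slide: plaintext alphabet on top, ciphertext alphabet below.
PLAIN = string.ascii_lowercase
CIPHER = "mnbvcxzasdfghjklpoiuytrewq"
ENC = str.maketrans(PLAIN, CIPHER)
DEC = str.maketrans(CIPHER, PLAIN)


def encrypt(msg: str) -> str:
    """Substitute each letter; punctuation and spaces pass through unchanged."""
    return msg.lower().translate(ENC)


def decrypt(ct: str) -> str:
    """Invert the substitution with the full key."""
    return ct.translate(DEC)


def learn_pairings(known_plain: str, known_cipher: str) -> dict:
    """Known-plaintext analysis: every aligned letter pair fixes one key entry."""
    if len(known_plain) != len(known_cipher):
        raise ValueError("plaintext and ciphertext must be aligned")
    pairs = {}
    for p, c in zip(known_plain, known_cipher):
        if p.isalpha() and pairs.setdefault(c, p) != p:
            raise ValueError("inconsistent pairing: not monoalphabetic")
    return pairs  # ciphertext letter -> plaintext letter


def partial_decrypt(ct: str, pairs: dict) -> str:
    """Apply only the recovered pairings; unknown letters are shown as '?'."""
    return "".join(pairs.get(ch, "?") if ch.isalpha() else ch for ch in ct)


if __name__ == "__main__":
    ct = encrypt("bob. i love you. alice")
    print(ct)
    # Assumption for the demo: the observer knows the message opens with
    # "bob" and closes with "alice" (the known plaintext).
    pairs = learn_pairings("bob" + "alice", ct[:3] + ct[-5:])
    print(partial_decrypt(ct, pairs))
```

Seven known letters already expose most of the message, because each pairing holds at every position in every message under the same key.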

8-13 Network Security

A more sophisticated encryption approach

- n substitution ciphers, M1,M2,…,Mn
- cycling pattern:
  - e.g., n=4: M1,M3,M4,M3,M2; M1,M3,M4,M3,M2; ..
- for each new plaintext symbol, use subsequent substitution pattern in cyclic pattern
  - dog: d from M1, o from M3, g from M4

Encryption key: n substitution ciphers, and cyclic pattern
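An added example (not from the original slides) of the cycling scheme above, using the slide's pattern M1,M3,M4,M3,M2. The slides do not define the tables M1..M4, so alphabet rotations are assumed here as stand-ins; advancing the pattern only on letters is also an assumption.

```python
import string
from itertools import cycle

ALPHA = string.ascii_lowercase


def shift_table(k: int) -> str:
    """Constructed stand-in for one substitution cipher M_i (rotation by k)."""
    return ALPHA[k:] + ALPHA[:k]


# Assumed tables: the slide does not define M1..M4, so rotations are used here.
TABLES = {1: shift_table(3), 2: shift_table(7),
          3: shift_table(11), 4: shift_table(19)}
PATTERN = [1, 3, 4, 3, 2]  # cycling pattern from the slide (n = 4)


def encrypt(msg, tables=TABLES, pattern=PATTERN):
    """Each letter uses the next table in the pattern; other symbols pass through."""
    step = cycle(pattern)
    return "".join(
        tables[next(step)][ALPHA.index(ch)] if ch in ALPHA else ch for ch in msg
    )


def decrypt(ct, tables=TABLES, pattern=PATTERN):
    """Walk the same pattern and invert each table lookup."""
    step = cycle(pattern)
    return "".join(
        ALPHA[tables[next(step)].index(ch)] if ch in ALPHA else ch for ch in ct
    )


def tables_used(word, pattern=PATTERN):
    """Which M_i encrypts each letter of word, e.g. 'dog' -> [1, 3, 4]."""
    step = cycle(pattern)
    return [next(step) for ch in word if ch in ALPHA]


if __name__ == "__main__":
    print(tables_used("dog"), encrypt("dog"))
    # The same plaintext letter now maps to several ciphertext letters,
    # which flattens the single-letter statistics a monoalphabetic key leaks.
    print(encrypt("eeeee"))
```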

8-14 Network Security

Symmetric key crypto: DES
DES: Data Encryption Standard
- US encryption standard [NIST 1993]
- 56-bit symmetric key, 64-bit plaintext input
- block cipher with cipher block chaining
- how secure is DES?
  - DES Challenge: 56-bit-key-encrypted phrase decrypted (brute force) in less than a day
- making DES more secure:
  - 3DES: encrypt 3 times with 3 different keys

8-15 Network Security

Block Ciphers

8-16 Network Security

Symmetric key crypto: DES

DES operation
- initial permutation
- 16 identical “rounds” of function application, each using different 48 bits of key
- final permutation

8-17 Network Security

AES: Advanced Encryption Standard

- symmetric-key NIST standard, replaced DES (Nov 2001)
- processes data in 128 bit blocks
- 128, 192, or 256 bit keys
- brute force decryption (try each key) taking 1 sec on DES, takes 149 trillion years for AES

8-18 Network Security

Public Key Cryptography

symmetric key crypto
- requires sender, receiver know shared secret key
- Q: how to agree on key in first place (particularly if never “met”)?

public key crypto
- radically different approach [Diffie-Hellman76, RSA78]
- sender, receiver do NOT share secret key
- public key known to all
- private key known only to receiver

8-19 Network Security

Public key cryptography

[Figure: plaintext message, $m$ -> encryption algorithm (Bob’s public key $K_B^+$) -> ciphertext $K_B^+(m)$ -> decryption algorithm (Bob’s private key $K_B^-$) -> plaintext message $m = K_B^-(K_B^+(m))$]

8-20 Network Security

Public key encryption algorithms

requirements:
1. need $K_B^+(\cdot)$ and $K_B^-(\cdot)$ such that $K_B^-(K_B^+(m)) = m$
2. given public key $K_B^+$, it should be impossible to compute private key $K_B^-$

RSA: Rivest, Shamir, Adleman algorithm

8-21 Network Security

Prerequisite: modular arithmetic

- $x \bmod n$ = remainder of x when divided by n
- facts:
  $[(a \bmod n) + (b \bmod n)] \bmod n = (a+b) \bmod n$
  $[(a \bmod n) - (b \bmod n)] \bmod n = (a-b) \bmod n$
  $[(a \bmod n) \cdot (b \bmod n)] \bmod n = (a \cdot b) \bmod n$
- thus
  $(a \bmod n)^d \bmod n = a^d \bmod n$
- example: x=14, n=10, d=2:
  $(x \bmod n)^d \bmod n = 4^2 \bmod 10 = 6$
  $x^d = 14^2 = 196$, so $x^d \bmod 10 = 6$
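An added example, not from the original slides: the multiplication fact above is what lets a large power be reduced mod n after every step, so intermediate values never exceed roughly twice the size of n. The sketch uses square-and-multiply; the function names and the large modulus in the demo are constructed for illustration.

```python
def _square_and_multiply(a: int, d: int, n: int):
    """Return (a**d mod n, largest intermediate bit length seen)."""
    if n <= 0 or d < 0:
        raise ValueError("need n > 0 and d >= 0")
    result, base, peak = 1 % n, a % n, 0   # (a mod n) may stand in for a
    while d:
        if d & 1:                          # this bit of d contributes a factor
            prod = result * base
            peak = max(peak, prod.bit_length())
            result = prod % n              # reduce straight away
        square = base * base               # square for the next bit of d
        peak = max(peak, square.bit_length())
        base = square % n
        d >>= 1
    return result, peak


def mod_pow(a: int, d: int, n: int) -> int:
    """a**d mod n, reducing mod n after every multiplication."""
    return _square_and_multiply(a, d, n)[0]


def peak_bits(a: int, d: int, n: int) -> int:
    """Size in bits of the largest number handled while computing mod_pow."""
    return _square_and_multiply(a, d, n)[1]


if __name__ == "__main__":
    # The slide's example: x=14, n=10, d=2.
    print(mod_pow(14, 2, 10), mod_pow(4, 2, 10))
    # Constructed larger case: a 92-bit modulus and a 17-bit exponent.
    n = (2**61 - 1) * (2**31 - 1)
    print(mod_pow(145, 65537, n) == pow(145, 65537, n))
    print(peak_bits(145, 65537, n), "bits at most, versus",
          65537 * (145).bit_length(), "bits for the unreduced power")
```

As written, the loop branches on each bit of d, so its running time depends on the exponent; code that handles a private exponent should call a vetted library's constant-time exponentiation instead.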

8-22 Network Security

RSA: getting ready
- message: just a bit pattern
- bit pattern can be uniquely represented by an integer number
- thus, encrypting a message is equivalent to encrypting a number

example:
- m = 10010001. This message is uniquely represented by the decimal number 145.
- to encrypt m, we encrypt the corresponding number, which gives a new number (the ciphertext).

8-23 Network Security

RSA: Creating public/private key pair

1. choose two large prime numbers p, q.
(e.g., 1024 bits each)
2. compute n = pq, z = (p-1)(q-1)

3. choose e (with e