FIT3031/FIT5037 NETWORK SECURITY
Overview of Computer Network and Security
Dr Xingliang of Software Systems and Cybersecurity
L01: Outline and Learning Outcomes
• Recap: Computer network and communication
• Recap: Security architecture
• Define security: Security Models
• Security Goals
• Examples of Goals & Adversary Capabilities
• encryption
• for networks
• Overview: Standards & Protocols in Network Security
Computer Network and Communication (Recap)
• massive connected devices (network edge)
• Communication links
• fiber, copper, radio, satellite (physical media)
• Packet switches
• router (network core), switch
• Protocols
• control sending, receiving of msgs, e.g., TCP, IP, HTTP…
• standard: RFC, IETF
[Figure: mobile network, global ISP, home network, regional ISP, institutional network]
Computer Networking: A Top Down Approach, ,
Computer Network and Communication (Recap)
• Communication medium
• the means by which information is transmitted between the sender and the receiver
• Data transmission
• the process of sending data over a communication medium to one or more hosts
• Data encoding
• the process of applying a specific code, e.g., letters, symbols and numbers, to data for conversion into an equivalent cipher
• Bandwidth (capacity):
• number of bits sent (or received) per unit time (bits/sec or bps)
• Latency (delay):
• propagation time for data to travel along the link (seconds)
1. backdoors, design flaws, implementation pitfalls, inadequate security controls, worms, viruses
2. poor input handling, cryptographic flaws
3. weak authentication, session injection, id spoofing
4. packet injection/crafting
5. IP spoofing, SYN flood, DDoS
6. MAC spoofing, free connection in Wireless media, flood
7. loss of power, physical theft of data, physical damage, input logging
Source: TechTarget.com
OSI Model for Network – Threats and Vulnerabilities
Security is not in the list of Internet design goals
• DARPA Internet Design Goals, published in ACM SIGCOMM (flagship conference in networks) 1988
• interconnection, failure resilience, multiple types of service, variety of networks, management of resources, cost-effective, low entry-cost, accountability for resources
• Why security is not there
• designed for connectivity
• network designed with implicit trust (small/cooperative network)
Internet (Global Network) Security
• Anyone can connect
• massive hosts run identical software - single vulnerability can sabotage an entire network
• most users do not have security knowledge and awareness
• more problems: Is the host allowed to access the server? Are they who they say they are? Is the data from trusted source? Has it been modified?
• Focus on network security
• creating a secure channel for communication
• protecting network resources and limiting connectivity
• Exclusion: social engineering…
• Systematic, definitions of
• security requirements (goals) &
• mechanisms to achieve security
• Includes definitions of
• security attacks
• security mechanisms: to prevent, detect,
• security services (goals)
X.800 Security Architecture for OSI (Recap)
Types of Network Attacks
Q: Which security goals is each attack targeting?
Attack Surfaces
• Network attack surface:
• vulnerabilities over an enterprise network, wide-area network, or the Internet, e.g., network protocol vulnerabilities, disruption of communications links, and various forms of intruder attacks.
• Software attack surface:
• vulnerabilities in application, utility, or operating system code, e.g., Interfaces, SQL, and Web forms
• Human attack surface:
• vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders.
X.800 Security Architecture for OSI (Recap)
• Definitions of
• security attacks
• security mechanisms: to prevent, detect, recover
• security services (goals)
• Example:
• security attack: eavesdropping
• security service: confidentiality
• security mechanism: encryption
Example: Networks
Threats, Attacks, Vulnerabilities, Risks (Recap)
• Threats & Attacks against Networks
• passive attacks: eavesdropping, traffic analysis
• active attacks: denial of service (DoS), injection
• Vulnerabilities of Networks
• e.g. lack of AUTH, anyone can make requests
• Risks of threats against Networks
• likelihood of attacks &
• consequence of attacks
• Prevention
• to avoid the breach of security (pre-emptive) e.g. cryptography
• Detection
• monitor always, to detect attempts / breaches (during) e.g. IDS
• Recovery
• investigate a security breach (post attack)
• recover from consequences of attack
• e.g. forensics, incident response, intrusion tolerance
… prevent …
Generic types of security mechanisms (Recap)
• Security is always relative to
• set of desired properties / goals (GOL)
• attacker with specific capabilities (CAP)
• If people say their system is secure
• secure in terms of what?
• secure against what types of attackers?
Defining security: Security Models
Defining security: Security Models
• Security is always relative to
• set of desired properties / goals (GOL)
• adversary with specific capabilities (CAP)
• Security Model: GOL-CAP
• define security goals
• need to know what security you want to achieve
• define adversarial capabilities
• need to know who is your opponent
• Security is a generic term, be specific
• specify what is the goal
• Security Goals examples (Recap)
• Secrecy / Confidentiality (CONF)
• Integrity (INT)
• Authentication (AUTH)
• Non-Repudiation (NR)
• Availability (AVL)
Security Goals
• Security Goals examples (Recap)
• Secrecy / Confidentiality (CONF)
• achieved by encryption
• Integrity (INT)
• achieved by Message Authentication Code (MAC)
• achieved indirectly by digital signature
• Authentication (AUTH)
• achieved by digital signature, biometrics, password
• Non-Repudiation (NR)
• achieved by digital signature, biometrics, …
• Encryption:
• c = E(p,k)
• where
• p = plaintext, k = key, c = ciphertext
• Sender Tx performs c = E(p,k)
• Recipient Rx performs p = E^-1(c,k)
Example: Encryption (Recap)
• Adversary: Choose p0, p1
• Challenger (System/Users/): Flip a coin b ∈ {0,1}, c* ← E(pb, k)
• Adversary: Guess d as value of b
• If d = b, adversary wins
Example: Encryption
Security Model for CONFidentiality
Example: Encryption
Security Goal of CONFidentiality
• Different variants of security goals for CONF
• plaintext secrecy
• even if know c, cannot know p
• key secrecy
• even if know some c and p, cannot know k
• indistinguishability (IND)
• even if know c = E(p,k) where p is p0 or p1, cannot know if it is p0 or p1
• Indistinguishability (IND)
• even if know c = E(p,k) where p is p0 or p1, cannot know if it is p0 or p1
• useful for e-voting:
• even if know party name p0 or p1, and intercept encrypted vote c = E(p,k), cannot tell if choice (vote) was p0 or p1
Example: Encryption
Security Goal of CONFidentiality: IND
• Security Goal for Encryption: IND
• Adversarial Capability against Encryption
• can see ciphertext c = E(p,k) via eavesdropping
• can exploit good guys (Tx,Rx) to do encryption/decryption with k for any p/c given by attacker
• encryption/decryption oracle
Example: Encryption Goal & Capability
• Kerckhoffs’s principle:
the cipher method must not be required to be secret, and it must
be able to fall into the hands of the enemy without inconvenience.
• It is not realistic to assume that the encryption algorithm will remain secret
• e.g., secure communication between multiple parties: leaked by insiders, reverse engineering…
• It is easier for users to change a key than to replace an encryption algorithm
• The same encryption algorithm is friendly for large-scale deployment
Example: Encryption Goal & Capability
Example: Encryption Adversarial Capability
• encryption/decryption oracle:
• can exploit good guys (Tx,Rx) to do encryption/decryption with k for any p/c given by attacker
• in the movies, e.g., Matrix
• oracle: someone knows what you don’t know
• for security
• oracle: someone who can do what you can’t do
• what can’t the adversary do?
• something that requires a secret, i.e. k
• encryption/decryption oracle:
• can exploit good guys (Tx,Rx) to do encryption/decryption with k for any p/c given by attacker
• someone who can do what adversary can’t do
• adversary can’t do encryption/decryption
• Tx/Rx can do encryption/decryption because of knowing k
• adversary exploits Tx/Rx to do encryption/decryption for him
Example: Encryption Adversarial Capability
• Security Goal for Encryption: IND
• Adversarial Capability against Encryption
• can see ciphertext c = E(p,k) only
• ciphertext-only (CO) attack capability
• can also access encryption/decryption oracle
• chosen-plaintext attack (CPA) capability
• chosen-ciphertext attack (CCA) capability
Example: Encryption
Goal & Capability (in summary)
• Security Goal: IND
• Adversarial Capability: CCA
• Security Model: IND-CCA
• used to prove security for encryption
• expected even for industry standards, e.g.,
• IEEE P1363
• ISO 18033-2
Example: Encryption
Goal & Capability: IND-CCA
Example: Networks Goal & Capability
• Security Goal for Networks
• Availability (AVL)
• Adversarial Capability against Networks
• passive attacks are eavesdropping
• e.g: release of message contents, traffic analysis
• are hard to detect so aim to prevent
• active attacks modify/fake data
• e.g: masquerade, replay, modification, denial of service
• hard to prevent so aim to detect and/or recovery
• Authentication: PKI [Week 3]
• Email: e.g. PGP, hybrid cryptography [Week 4]
• IP (Internet Protocol): e.g. IPSec & VPN [Week 5]
• Web: e.g. SSL/TLS [Week 6]
• Wireless: [Week 7]
• WiFi: IEEE 802.11
Standards & Protocols for Network Security Applications
TCP attacks [Week 8]
• Intrusion detection systems [Week 9]
DNS attacks [Week 8]
Firewalls [Week 10]
Advanced phishing attacks and Cryptographic
Standards & Protocols for Network Security Applications
W2 Lecture Topic
• Lecture 2
– Cryptography Foundations for Network Security
FIT3031/FIT5037 NETWORK SECURITY
Cryptography Foundations for Network Security
Dr Xingliang of Software Systems and Cybersecurity
• CONFidentiality in Network:
• Goal + Adversarial Capabilities
• Cipher Modes
• IND-CPA and IND-CCA Security Model
• Integrity and Authentication in Network
L02: Outline and Learning Outcomes
“cryptography is about communication in the presence of adversaries.” —-
• Narrow definition:
• secure communication over insecure communication channels
• Broad definition:
• a way to provide formal guarantees in the presence of an attacker
What is cryptography?
Confidentiality
Authentication
One-time Pad Stream Ciphers Block Ciphers
Message Authentication Code
Encryption with Public Key
Digital Signature
Digital Signature + Nonce
Cryptography Overview
• Prevention
• to avoid the breach of security (pre-emptive) e.g. cryptography
• Detection
• monitor always, to detect attempts / breaches (during) e.g. IDS
• Recovery
• investigate a security breach (post attack)
• recover from consequences of attack
• e.g. forensics, incident response, intrusion tolerance
… prevent …
Generic types of security mechanisms (Recap)*
• Cryptography: mostly preventive / detective
• Security Goals
• Secrecy / Confidentiality (CONF)
• prevent secret m revealed
• Integrity (INT)
• detect if info changed illegitimately, prevent not know
• Authentication (AUTH)
• detect if other side authentic, prevent impersonation
• Non-Repudiation (NR)
• detect if linked to person, prevent repudiation
Security Goals (Recap)*
CONF: goal, adversarial capability, mechanism
• Ultimate goal: CONF
• confidential message m remains confidential
• Security problem (Adversarial capability):
• channel insecure, can be eavesdropped
• so cannot send m directly
• Mechanism to overcome problem
• so, transform m before sending
• so that adversary cannot undo the transform
• but Recipient Rx needs to undo
• how to do selective reversal (certain party can undo?)
• Mechanism to overcome problem: Encryption
• transform m: Encrypt(m)
• so that adversary cannot undo the transform
• transform depends on secret: Encrypt(m,k)
• but Recipient Rx needs to undo
• Encrypt() must be invertible
• Encrypt(m,k) → c
• Decrypt(c,k) → m
Goal: Secrecy / Confidentiality (CONF)
• Secret-key encryption: (fast, key distribution problem)
• Encrypt(m,k) → c
• Decrypt(c,k) → m
• e.g., block ciphers: AES
• e.g., stream cipher modes: RC4
• Public-key encryption: (slower, no key distribution problem)
• Encrypt(m,pk) → c
• Decrypt(c,sk) → m
• e.g., RSA, ElGamal
Encryption Types (Recap)*
• Block Cipher:
• Encrypt(m,k) → c
• Decrypt(c,k) → m
• n bits to n bits
• Cipher Mode: how block cipher used as building block
• arbitrary length input
• each n-bit block processed by block cipher, e.g., CBC, CFB, OFB, CTR
Block Cipher & Modes (Recap)*
• Break large strings into blocks and add padding if necessary
Block Cipher & Modes (Recap)*
• How decryption software knows where padding starts?
7 bytes of 0x07 are added as the padding data
• Cipher Block Chaining
• C1 = E(P1 ⊕ IV)
• C2 = E(P2 ⊕ C1)
• C3 = E(P3 ⊕ C2)
Block Cipher & Modes
• Cipher Block Chaining
• C1 = E(P1 ⊕ IV)
• C2 = E(P2 ⊕ C1)
• C3 = E(P3 ⊕ C2)
• Q: what information will be leaked if IV is reused?
• Q: how can Rx
Block Cipher & Modes
• Cipher Block Chaining
• C1 = E(P1 ⊕ IV)
• C2 = E(P2 ⊕ C1)
• C3 = E(P3 ⊕ C2)
• Q: prior to decryption, if 1 bit of Ci flipped, how many bits of Pi will be flipped after decryption?
Block Cipher & Modes
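The CBC equations and the two questions above (IV reuse, a flipped ciphertext bit) can be checked in code. This is an added example, not part of the lecture; the block cipher E/D is a toy Feistel construction built on SHA-256 as a stand-in for AES, and the key, IV and messages used with it are constructed.

```python
import hashlib
BLOCK = 16  # block size in bytes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of a toy Feistel cipher: a stand-in for AES, NOT secure.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def E(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def D(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def pad(m):
    n = BLOCK - len(m) % BLOCK          # e.g. 7 missing bytes -> 7 bytes of 0x07
    return m + bytes([n]) * n

def cbc_encrypt(key, iv, msg):
    out, prev, data = [], iv, pad(msg)
    for i in range(0, len(data), BLOCK):
        prev = E(key, _xor(data[i:i + BLOCK], prev))   # Ci = E(Pi xor Ci-1)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt_raw(key, iv, ct):
    # Returns the padded plaintext; its last byte gives the padding length.
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(D(key, ct[i:i + BLOCK]), prev))  # Pi = D(Ci) xor Ci-1
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def shared_prefix_blocks(c1, c2):
    # Number of identical leading ciphertext blocks visible to an eavesdropper.
    n = 0
    while c1[n * BLOCK:(n + 1) * BLOCK] == c2[n * BLOCK:(n + 1) * BLOCK] != b"":
        n += 1
    return n

def bitflip_effect(key, iv, ct, i):
    # Flip one bit of ciphertext block i; count changed plaintext bits per block.
    bad = bytearray(ct)
    bad[i * BLOCK] ^= 0x01
    diff = _xor(cbc_decrypt_raw(key, iv, ct), cbc_decrypt_raw(key, iv, bytes(bad)))
    return [sum(bin(x).count("1") for x in diff[j:j + BLOCK])
            for j in range(0, len(diff), BLOCK)]
```

With a reused IV, two messages that start with the same block give the same first ciphertext block, so `shared_prefix_blocks` is non-zero. `bitflip_effect` shows the tampered block decrypting to garbage while exactly one bit changes in the following block.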
• Goal (Recap)
• Ultimate: secrecy of plaintext p
• In practice: secrecy of key k
• Adversarial Capabilities
• Most basic: ciphertext-only (CO) adversary
• can see ciphertext c [by eavesdropping]
• Q: any access to oracle?
Adversarial Capability against Encryption
System/Users/Challenger
c* [Eavesdrop]
Secret message p* c* ← E(p*, k)
Adversarial Capability against Encryption: Ciphertext-Only (CO) Adversary
• Adversarial Capabilities
• More powerful: known-plaintext adversary (KPA) or chosen-plaintext attacker (CPA)
• can see ciphertext c
• can run the encryption/decryption functions for selected
• Q: any access to oracle?
Cryptanalysis: Analyse the Security of Ciphers
Adversarial Capability against Encryption: Chosen-Plaintext Adversary (CPA)
Adv can only call the encryption oracle!
• Adversary: Choose p0, p1
• Challenger (System/Users/): Flip a coin b ∈ {0,1}, c* ← E(pb, k)
• Adversary: Guess d as value of b
• If d = b, adversary wins
An encryption scheme is CPA-secure if the success probability of Adv is <= 1/2 + neg(λ).
• Adversarial Capabilities
• More powerful: chosen-plaintext adversary (CPA)
• can choose plaintexts and get the corresponding encryption outputs, i.e., ciphertexts
• Q: any access to oracle? or
• More powerful: chosen-ciphertext adversary (CCA)
• Additionally: can choose some ciphertexts and get the corresponding decryption outputs, i.e., plaintexts
• Q: any access to oracle?
Cryptanalysis: Analyse the Security of Ciphers
Adversarial Capability against Encryption: Chosen-Ciphertext Adversary (CCA)
Adv can call the encryption/decryption oracle for plaintext/ciphertext!
• Adversary: Choose p0, p1 and send p0, p1 to the Challenger
• Challenger (System/Users/): Flip a coin b ∈ {0,1}, c* ← E(pb, k), send c* to the Adversary
• Adversary: Continue to have enc/dec oracle access, but not c*
• Adversary: Guess d as value of b and send d to the Challenger
• If d = b, adversary wins
IND-CCA: an encryption scheme is CCA-secure if the success probability of Adv is <= 1/2 + neg(λ).
Problem with symmetric key ciphers (Recap)* Key distribution problem
How two hosts can share secret key?
• if they are far apart
• & channel insecure
Why they have to share secret key?
• do (encrypt) with secret key,
• so undo (decrypt) need same secret key
• Q: How many keys need to be generated for n hosts if each of them communicates with the rest of n-1 hosts?
• Can remove the need to share the secret key?
• then no key distribution problem
• Enc with one key, dec no need that key
• Enc with one key, dec use a different key
• is that possible?
Removing the Key Distribution Problem (Recap)*
The textbook RSA PKE Cipher (Recap)*
• output public key pk and private key sk
• c = E(p,pk) = p^pk mod n
• p = E^-1(c,sk) = c^sk mod n
Homomorphic property
• E(p0) ⊗ E(p1) = E(p0 • p1)
where • is some operation in the plaintext domain and
⊗ is some operation in the ciphertext domain
• useful to get privacy-preserving property
• computation over encrypted data
• saving communication cost for privacy-preserving networked applications
RSA: Homomorphic property
• Let E(p0) x E(p1) = E(p0 x p1) where x denotes multiplication
• RSA Encryption:
• c = E(p,pk) = p^pk mod n
E(p0) x E(p1)
= (p0^pk mod n) x (p1^pk mod n)
= (p0 x p1)^pk mod n
= E(p0 x p1)
So RSA is homomorphic
IND-CPA (in)security for textbook RSA
• Adversary: Choose p0, p1
• Challenger (System/Users/): Flip a coin b ∈ {0,1}, c* ← E(pb, pk)
• Adversary: compute c0 = p0^pk mod n and c1 = p1^pk mod n, check if ci equals c*
• Adversary: Set d = i such that: ci equals c*
• If d = b, adversary wins
• Q: Why attack in IND-CPA model works against RSA?
• Encryption can be done by anyone
• RSA’s encryption is deterministic
• So prevent attack by ...
• Stop encryption being doable by everyone?
• but then defeats purpose of PKE
• Make the encryption to be non-deterministic
• Q: can decryption be non-deterministic?
Textbook RSA vs IND-CPA
• here, Encryption is probabilistic (non-deterministic)
• encrypt same message p under same public key, gives different ciphertext c each time
• e.g. Encrypt now c1 = E(p,pk), Encrypt later c2 = E(p,pk), where c1 ≠ c2
• both c1 and c2 have to decrypt back to p,
• so decryption is deterministic ... it is the same p that is obtained each time
Probabilistic PKE
IND-CPA security vs Probabilistic PKE
• Adversary: Choose p0, p1
• Challenger (System/Users/): Flip a coin b ∈ {0,1}, c* ← E(pb, pk; r0)
• Adversary: compute c0 = E(p0, pk; r1) and c1 = E(p1, pk; r2), check if ci equals c*?
• Adversary: Set d = i such that: ci equals c*
• If d = b, adversary wins
• Attack (previous slide) no longer works
• adversary cannot check for equality
• internal randomness r ensures that though input p and public key e are same, output c differs each time
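The IND-CPA game against textbook RSA, its homomorphic property, and the effect of adding randomness r can be run end to end. This is an added example, not part of the lecture. The key is constructed from two small Mersenne primes, and E_rand is a toy randomised encoding assumed here for illustration, not a standard padding scheme.

```python
import secrets

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q = 2**61 - 1, 2**31 - 1
N, PK = P * Q, 65537
SK = pow(PK, -1, (P - 1) * (Q - 1))

def E(p, pk=PK, n=N):
    return pow(p, pk, n)          # c = p^pk mod n, deterministic

def E_inv(c, sk=SK, n=N):
    return pow(c, sk, n)          # p = c^sk mod n

def E_rand(p, pk=PK, n=N):
    # Toy probabilistic variant: 32 random bits r are prepended to a 32-bit p.
    # Illustrative only; real schemes use a vetted padding such as OAEP.
    r = secrets.randbits(32)
    return pow((r << 32) | p, pk, n)

def D_rand(c):
    return E_inv(c) & 0xFFFFFFFF  # drop r, keep the low 32 bits (p)

def ind_cpa_game(encrypt, trials=200):
    # Challenger flips b, sends c* = encrypt(p_b); adversary re-encrypts p0, p1
    # under the public key and outputs d = i such that c_i == c*.
    p0, p1, wins = 1111, 2222, 0
    for _ in range(trials):
        b = secrets.randbelow(2)
        c_star = encrypt((p0, p1)[b])
        c0, c1 = encrypt(p0), encrypt(p1)
        if c_star == c0:
            d = 0
        elif c_star == c1:
            d = 1
        else:
            d = secrets.randbelow(2)   # equality test failed: blind guess
        wins += (d == b)
    return wins / trials

def homomorphic_holds(p0, p1):
    # E(p0) x E(p1) mod n == E(p0 x p1)
    return (E(p0) * E(p1)) % N == E((p0 * p1) % N)
```

`ind_cpa_game(E)` returns 1.0 because deterministic encryption lets the adversary compare ciphertexts, while `ind_cpa_game(E_rand)` stays near 1/2.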
Probabilistic PKE vs IND-CCA insecurity
AUTHentication + IN Exchange (Recap)
Symmetric Key: Hash Message Authentication Code for Integrity (Recap)
• Cryptographic hash function:
• one-way, and collision resistance
• Q: what is the difference with encryption?
• Alice checks the MAC sent from Bob:
• identify the sender is Bob
• Q: is it secure in the network environment?
Hash Message Authentication Code for Authentication?
MAC: xz1s5a I am bob!
MAC Replay Attack and Countermeasure
• If the attacker obtains Bob’s MAC and replays it?
• Countermeasure: nonce + challenge-response protocol
Challenge-response Protocol
1. Alice sends a nonce (i.e., challenge) to Bob every time Bob would like to communicate
2. Bob then computes: Hash(key, “I’m bob”||nonce)
3. Alice receives the above hash value and re-computes it for verification
Because the hash value is different each time due to the nonce, the replay attack is mitigated.
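The three protocol steps above, next to the static MAC they replace, as an added example that is not part of the lecture. HMAC-SHA256 is assumed as the keyed hash, and the shared key and the Alice class are constructed for illustration.

```python
import hashlib, hmac, secrets

KEY = b"constructed-shared-key"   # shared secret between Alice and Bob (constructed)

def static_mac(key, msg=b"I'm bob"):
    return hmac.new(key, msg, hashlib.sha256).digest()

def response(key, nonce, msg=b"I'm bob"):
    # Step 2: Bob computes Hash(key, "I'm bob" || nonce)
    return hmac.new(key, msg + nonce, hashlib.sha256).digest()

class Alice:
    def __init__(self, key):
        self.key, self.pending = key, None

    def verify_static(self, tag):
        # No nonce: any previously captured tag verifies again.
        return hmac.compare_digest(tag, static_mac(self.key))

    def challenge(self):
        # Step 1: a fresh, unpredictable nonce per connection attempt.
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, tag):
        # Step 3: recompute and compare; each nonce is accepted once only.
        if self.pending is None:
            return False
        nonce, self.pending = self.pending, None
        return hmac.compare_digest(tag, response(self.key, nonce))

def replay_outcomes():
    alice = Alice(KEY)
    # Static scheme: an eavesdropper replays Bob's captured MAC.
    captured = static_mac(KEY)
    static_replay = alice.verify_static(captured)
    # Challenge-response: Bob answers nonce 1, the same tag is replayed for nonce 2.
    n1 = alice.challenge()
    captured = response(KEY, n1)
    honest = alice.verify(captured)
    alice.challenge()
    nonce_replay = alice.verify(captured)
    return static_replay, honest, nonce_replay
```

`replay_outcomes()` returns `(True, True, False)`: the replayed static MAC is accepted, Bob's fresh response is accepted, and the same response replayed against a new nonce is rejected.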
The textbook RSA Signature
• output public key pk and private key sk
• s = Sign(p,sk) = p^sk mod n
• p =? Verify(p,s,pk) = s^pk mod n = (p^sk)^pk mod n
• Integrity check:
• Shared secret
• 80 bit key for high security (2010)
• ~1,000,000 ops/s on 1GHz proc
• 10x speedup in HW (A