FIT3031/FIT5037 NETWORK SECURITY
Overview of Computer Network and Security
Dr Xingliang of Software Systems and Cybersecurity
L01: Outline and Learning Outcomes
• Recap: Computer network and communication
• Recap: Security architecture
• Define security: Security Models
• Security Goals
• Examples of Goals & Adversary Capabilities
• encryption
• for networks
• Overview: Standards & Protocols in Network Security
Computer Network and Communication (Recap)
• massive connected devices (network edge)
• Communication links
• fiber, copper, radio, satellite (physical media)
• Packet switches
• router (network core), switch
• Protocols
• control sending, receiving of msgs, e.g., TCP, IP, HTTP…
• standard: RFC, IETF
[Figure: network diagram with labels mobile network, global ISP, home network, regional ISP, institutional network. Source: Computer Networking: A Top Down Approach]
Computer Network and Communication (Recap)
• Communication medium
• the means by which information is transmitted between the sender and the receiver
• Data transmission
• the process of sending data over a communication medium to one or more hosts
• Data encoding
• the process of applying a specific code, e.g., letters, symbols and numbers, to data for conversion into an equivalent cipher
• Bandwidth (capacity):
• number of bits sent (or received) per unit time (bits/sec or bps)
• Latency (delay):
• propagation time for data to travel along the link (seconds)
1. backdoors, design flaws, implementation pitfalls, inadequate security controls, worms, viruses
2. poor input handling, cryptographic flaws
3. weak authentication, session injection, id spoofing
4. packet injection/crafting
5. IP spoofing, SYN flood, DDoS
6. MAC spoofing, free connection in Wireless media, flood
7. loss of power, physical theft of data, physical damage, input logging
Source: TechTarget.com
OSI Model for Network – Threats and Vulnerabilities
Security is not in the list of Internet design goals
• DARPA Internet Design Goals, published in ACM SIGCOMM (flagship conference in networks) 1988
• interconnection, failure resilience, multiple types of service, variety of networks, management of resources, cost-effective, low entry-cost, accountability for resources
• Why security is not there
• designed for connectivity
• network designed with implicit trust (small/cooperative network)
Internet (Global Network) Security
• Anyone can connect
• massive hosts run identical software - single vulnerability can sabotage an entire network
• most users do not have security knowledge and awareness
• more problems: Is the host allowed to access the server? Are they who they say they are? Is the data from trusted source? Has it been modified?
• Focus on network security
• creating a secure channel for communication
• protecting network resources and limiting connectivity
• Exclusion: social engineering…
• Systematic, definitions of
• security requirements (goals) &
• mechanisms to achieve security
• Includes definitions of
• security attacks
• security mechanisms: to prevent, detect,
• security services (goals)
X.800 Security Architecture for OSI (Recap)
Q: Which security goals is each attack targeting?
Types of Network Attacks
Attack Surfaces
• Network attack surface:
• vulnerabilities over an enterprise network, wide-area network, or the Internet, e.g., network protocol vulnerabilities, disruption of communications links, and various forms of intruder attacks.
• Software attack surface:
• vulnerabilities in application, utility, or operating system code, e.g., Interfaces, SQL, and Web forms
• Human attack surface:
• vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders.
X.800 Security Architecture for OSI (Recap)
• Definitions of
• security attacks
• security mechanisms: to prevent, detect, recover
• security services (goals)
• Example:
• security attack: eavesdropping
• security service: confidentiality
• security mechanism: encryption
Example: Networks
Threats, Attacks, Vulnerabilities, Risks (Recap)
• Threats & Attacks against Networks
• passive attacks: eavesdropping, traffic analysis
• active attacks: denial of service (DoS), injection
• Vulnerabilities of Networks
• e.g. lack of AUTH, anyone can make requests
• Risks of threats against Networks
• likelihood of attacks &
• consequence of attacks
• Prevention
• to avoid the breach of security (pre-emptive) e.g. cryptography
• Detection
• monitor always, to detect attempts / breaches (during) e.g. IDS
• Recovery
• investigate a security breach (post attack)
• recover from consequences of attack
• e.g. forensics, incident response, intrusion tolerance
… prevent …
Generic types of security mechanisms (Recap)
• Security is always relative to
• set of desired properties / goals (GOL)
• attacker with specific capabilities (CAP)
• If people say their system is secure
• secure in terms of what?
• secure against what types of attackers?
Defining security: Security Models
Defining security: Security Models
• Security is always relative to
• set of desired properties / goals (GOL)
• adversary with specific capabilities (CAP)
• Security Model: GOL-CAP
• define security goals
• need to know what security you want to achieve
• define adversarial capabilities
• need to know who is your opponent
• Security is a generic term, be specific
• specify what is the goal
• Security Goals examples (Recap)
• Secrecy / Confidentiality (CONF)
• Integrity (INT)
• Authentication (AUTH)
• Non-Repudiation (NR)
• Availability (AVL)
Security Goals
• Security Goals examples (Recap)
• Secrecy / Confidentiality (CONF)
• achieved by encryption
• Integrity (INT)
• achieved by Message Authentication Code (MAC)
• achieved indirectly by digital signature
• Authentication (AUTH)
• achieved by digital signature, biometrics, password
• Non-Repudiation (NR)
• achieved by digital signature, biometrics, …
• Encryption:
• c = E(p,k)
• where
• p = plaintext, k = key, c = ciphertext
• Sender Tx performs c = E(p,k)
• Recipient Rx performs p = E⁻¹(c,k)
Example: Encryption (Recap)
Challenger(System/Users/)
Choose p0, p1
Guess d as value of b
Flip a coin b ∈ {0,1}
c* ← E(pb, k)
If d = b, adversary wins
Example: Encryption
Security Model for CONFidentiality
Example: Encryption
Security Goal of CONFidentiality
• Different variants of security goals for CONF
• plaintext secrecy
• even if know c, cannot know p
• key secrecy
• even if know some c and p, cannot know k
• indistinguishability (IND)
• even if know c = E(p,k) where p is p0 or p1, cannot know if it is p0 or p1
• Indistinguishability (IND)
• even if know c = E(p,k) where p is p0 or p1, cannot know if it is p0 or p1
• useful for e-voting:
• even if know party name p0 or p1, and intercept encrypted vote c = E(p,k), cannot tell if choice (vote) was p0 or p1
Example: Encryption
Security Goal of CONFidentiality: IND
• Security Goal for Encryption: IND
• Adversarial Capability against Encryption
• can see ciphertext c = E(p,k) via eavesdropping
• can exploit good guys (Tx,Rx) to do encryption/decryption with k for any p/c given by attacker
• encryption/decryption oracle
Example: Encryption Goal & Capability
• Kerckhoffs’s principle:
the cipher method must not be required to be secret, and it must
be able to fall into the hands of the enemy without inconvenience.
• It is not realistic to assume that the encryption algorithm will remain secret
• e.g., secure communication between multiple parties: leaked by insiders, reverse engineering…
• It is easier for users to change a key than to replace an encryption algorithm
• The same encryption algorithm is friendly for large-scale deployment
Example: Encryption Goal & Capability
Example: Encryption Adversarial Capability
• encryption/decryption oracle:
• can exploit good guys (Tx,Rx) to do encryption/decryption with k for any p/c given by attacker
• in the movies, e.g., Matrix
• oracle: someone knows what you don’t know
• for security
• oracle: someone who can do what you can’t do
• what can’t the adversary do?
• something that requires a secret, i.e. k
• encryption/decryption oracle:
• can exploit good guys (Tx,Rx) to do encryption/ decryption with k for any p/c given by attacker
• someone who can do what adversary can’t do
• adversary can’t do encryption/decryption
• Tx/Rx can do encryption/decryption because of knowing k
• adversary exploits Tx/Rx to do encryption/ decryption for him
Example: Encryption Adversarial Capability
• Security Goal for Encryption: IND
• Adversarial Capability against Encryption
• can see ciphertext c = E(p,k) only
• ciphertext-only (CO) attack capability
• can also access encryption/decryption oracle
• chosen-plaintext attack (CPA) capability
• chosen-ciphertext attack (CCA) capability
Example: Encryption
Goal & Capability (in summary)
• Security Goal: IND
• Adversarial Capability: CCA
• Security Model: IND-CCA
• used to prove security for encryption
• expected even for industry standards, e.g.,
• IEEE P1363
• ISO 18033-2
Example: Encryption
Goal & Capability: IND-CCA
Example: Networks Goal & Capability
• Security Goal for Networks
• Availability (AVL)
• Adversarial Capability against Networks
• passive attacks are eavesdropping
• e.g: release of message contents, traffic analysis
• are hard to detect so aim to prevent
• active attacks modify/fake data
• e.g: masquerade, replay, modification, denial of service
• hard to prevent so aim to detect and/or recover
• Authentication: PKI [Week 3]
• Email: e.g. PGP, hybrid cryptography [Week 4]
• IP (Internet Protocol): e.g. IPSec & VPN [Week 5]
• Web: e.g. SSL/TLS [Week 6]
• Wireless: [Week 7]
• WiFi: IEEE 802.11
Standards & Protocols for Network Security Applications
TCP attacks [Week 8]
• Intrusion detection systems [Week 9]
DNS attacks [Week 8]
Firewalls [Week 10]
Advanced phishing attacks and Cryptographic
Standards & Protocols for Network Security Applications
W2 Lecture Topic
• Lecture 2
– Cryptography Foundations for Network Security
FIT3031/FIT5037 NETWORK SECURITY
Cryptography Foundations for Network Security
Dr Xingliang of Software Systems and Cybersecurity
• CONFidentiality in Network:
• Goal + Adversarial Capabilities
• Cipher Modes
• IND-CPA and IND-CCA Security Model
• Integrity and Authentication in Network
L02: Outline and Learning Outcomes
“cryptography is about communication in the presence of adversaries.” —-
• Narrow definition:
• secure communication over insecure communication channels
• Broad definition:
• a way to provide formal guarantees in the presence of an attacker
What is cryptography?
[Figure labels: Confidentiality, Authentication, One-time Pad, Stream Ciphers, Block Ciphers, Message Authentication Code, Encryption with Public Key, Digital Signature, Digital Signature + Nonce]
Cryptography Overview
• Prevention
• to avoid the breach of security (pre-emptive) e.g. cryptography
• Detection
• monitor always, to detect attempts / breaches (during) e.g. IDS
• Recovery
• investigate a security breach (post attack)
• recover from consequences of attack
• e.g. forensics, incident response, intrusion tolerance
… prevent …
Generic types of security mechanisms (Recap)*
• Cryptography: mostly preventive / detective
• Security Goals
• Secrecy / Confidentiality (CONF)
• prevent secret m revealed
• Integrity (INT)
• detect if info changed illegitimately, prevent not know
• Authentication (AUTH)
• detect if other side authentic, prevent impersonation
• Non-Repudiation (NR)
• detect if linked to person, prevent repudiation
Security Goals (Recap)*
CONF: goal, adversarial capability, mechanism
• Ultimate goal: CONF
• confidential message m remains confidential
• Security problem (Adversarial capability):
• channel insecure, can be eavesdropped
• so cannot send m directly
• Mechanism to overcome problem
• so, transform m before sending
• so that adversary cannot undo the transform
• but Recipient Rx needs to undo
• how to do selective reversal (certain party can undo?)
• Mechanism to overcome problem: Encryption
• transform m: Encrypt(m)
• so that adversary cannot undo the transform
• transform depends on secret: Encrypt(m,k)
• but Recipient Rx needs to undo
• Encrypt() must be invertible
• Encrypt(m,k) → c
• Decrypt(c,k) → m
Goal: Secrecy / Confidentiality (CONF)
• Secret-key encryption: (fast, key distribution problem)
• Encrypt(m,k) → c
• Decrypt(c,k) → m
• e.g., block ciphers: AES
• e.g., stream cipher modes: RC4
• Public-key encryption: (slower, no key distribution problem)
• Encrypt(m,pk) → c
• Decrypt(c,sk) → m
• e.g., RSA, ElGamal
Encryption Types (Recap)*
• Block Cipher:
• Encrypt(m,k) → c
• Decrypt(c,k) → m
• n bits to n bits
• Cipher Mode: how block cipher used as building block
• arbitrary length input
• each n-bit block processed by block cipher, e.g., CBC, CFB, OFB, CTR
Block Cipher & Modes (Recap)*
• Break large strings into blocks and add padding if necessary
• How decryption software knows where padding starts?
7 bytes of 0x07 are added as the padding data
Block Cipher & Modes (Recap)*
• Cipher Block Chaining
• C1 = E(P1 ⊕ IV)
• C2 = E(P2 ⊕ C1)
• C3 = E(P3 ⊕ C2)
Block Cipher & Modes
• Cipher Block Chaining
• C1 = E(P1 ⊕ IV)
• C2 = E(P2 ⊕ C1)
• C3 = E(P3 ⊕ C2)
• Q: what information will be leaked if IV is reused?
• Q: how can Rx
Block Cipher & Modes
• Cipher Block Chaining
• C1 = E(P1 ⊕ IV)
• C2 = E(P2 ⊕ C1)
• C3 = E(P3 ⊕ C2)
• Q: prior to decryption, if 1 bit of Ci flipped, how many bits of Pi will be flipped after decryption?
Block Cipher & Modes
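The two CBC questions above (a reused IV, and one flipped ciphertext bit) worked through as an added example that is not part of the original slides. The block cipher E here is a toy 4-round Feistel construction built on SHA-256, an assumption standing in for a real cipher such as AES; the key, IVs and messages are constructed samples.

```python
import hashlib

BLOCK = 16  # bytes per block

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of a toy 4-round Feistel cipher (assumption: stand-in for E, not AES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def E(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def D(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def pad(m):
    # n bytes of value n (e.g. 7 bytes of 0x07): the last byte tells Rx where padding starts.
    n = BLOCK - len(m) % BLOCK
    return m + bytes([n]) * n

def cbc_encrypt(key, iv, msg):
    data, prev, out = pad(msg), iv, b""
    for i in range(0, len(data), BLOCK):
        prev = E(key, xor(data[i:i + BLOCK], prev))  # Ci = E(Pi xor Ci-1), C0 = IV
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(D(key, c), p) for p, c in zip(blocks, blocks[1:]))  # still padded

def iv_reuse_leak(key, iv_a, iv_b):
    # Two constructed messages sharing their first 16-byte block.
    a = cbc_encrypt(key, iv_a, b"TRANSFER $100 TO ALICE")
    b = cbc_encrypt(key, iv_b, b"TRANSFER $100 TO BOB")
    return a[:BLOCK] == b[:BLOCK]  # True: equal first blocks are visible on the wire

def bits_changed_per_block(key, iv):
    ct = bytearray(cbc_encrypt(key, iv, bytes(range(40))))  # constructed, 3 blocks padded
    good = cbc_decrypt(key, iv, bytes(ct))
    ct[0] ^= 0x01  # flip one bit of C1 before decryption
    bad = cbc_decrypt(key, iv, bytes(ct))
    diff = [bin(x ^ y).count("1") for x, y in zip(good, bad)]
    return [sum(diff[i:i + BLOCK]) for i in range(0, len(diff), BLOCK)]

if __name__ == "__main__":
    k, iv = b"constructed-key!", bytes(16)
    print(iv_reuse_leak(k, iv, iv), iv_reuse_leak(k, iv, b"\x01" * 16), bits_changed_per_block(k, iv))
```

The last list gives the number of changed plaintext bits in P1, P2 and P3: the block whose ciphertext was touched is scrambled, the next block changes in exactly the flipped position, and later blocks are unaffected.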
• Goal (Recap)
• Ultimate: secrecy of plaintext p
• In practice: secrecy of key k
• Adversarial Capabilities
• Most basic: ciphertext-only (CO) adversary
• can see ciphertext c [by eavesdropping]
• Q: any access to oracle?
Adversarial Capability against Encryption
System/Users/Challenger
c* [Eavesdrop]
Secret message p* c* ← E(p*, k)
Adversarial Capability against Encryption: Ciphertext-Only (CO) Adversary
• Adversarial Capabilities
• More powerful: known-plaintext adversary (KPA) or chosen-plaintext attacker (CPA)
• can see ciphertext c
• can run the encryption/decryption functions for selected
• Q: any access to oracle?
Cryptanalysis: Analyse the Security of Ciphers
Adversarial Capability against Encryption: Chosen-Plaintext Adversary (CPA)
Challenger(System/Users/):
• Flip a coin b ∈ {0,1}
• c* ← E(pb, k)
• If d = b, adversary wins
Adversary:
• Choose p0, p1
• Guess d as value of b
Adv can only call the encryption oracle!
An encryption scheme is CPA-secure if the success probability of Adv is ≤ 1/2 + neg(λ).
• Adversarial Capabilities
• More powerful: chosen-plaintext adversary (CPA)
• can choose plaintexts and get the corresponding encryption outputs, i.e., ciphertexts
• Q: any access to oracle?
or
• More powerful: chosen-ciphertext adversary (CCA)
• Additionally: can choose some ciphertexts and get the corresponding decryption outputs, i.e., plaintexts
• Q: any access to oracle?
Cryptanalysis: Analyse the Security of Ciphers
Adversarial Capability against Encryption: Chosen-Ciphertext Adversary (CCA)
Challenger(System/Users/):
• Flip a coin b ∈ {0,1}
• c* ← E(pb, k)
• If d = b, adversary wins
Adversary:
• Choose p0, p1
• Continue to have enc/dec oracle access, but not c*
• Guess d as value of b
Messages on the arrows: p0, p1; c*; d
Adv can call the encryption/decryption oracle for plaintext/ciphertext!
IND-CCA: an encryption scheme is CCA-secure if the success probability of Adv is ≤ 1/2 + neg(λ).
Problem with symmetric key ciphers (Recap)*
Key distribution problem
How two hosts can share secret key?
• if they are far apart
• & channel insecure
Why they have to share secret key?
• do (encrypt) with secret key,
• so undo (decrypt) need same secret key
• Q: How many keys need to be generated for n hosts if each of them communicates with the rest of n-1 hosts?
• Can remove the need to share the secret key?
• then no key distribution problem
• Enc with one key, dec no need that key
• Enc with one key, dec use a different key
• is that possible?
Removing the Key Distribution Problem (Recap)*
The textbook RSA PKE Cipher (Recap)*
• output public key pk and private key sk
• c = E(p,pk) = p^pk mod n
• p = E⁻¹(c,sk) = c^sk mod n
Homomorphic property
• E(p0) ⊗ E(p1) = E(p0 • p1) where • is some operation in the plaintext domain and ⊗ is some operation in the ciphertext domain
• useful to get privacy-preserving property
• computation over encrypted data
• saving communication cost for privacy-preserving networked applications
RSA: Homomorphic property
• Let E(p0) x E(p1) = E(p0 x p1) where x denotes multiplication
• RSA Encryption:
• c = E(p,pk) = p^pk mod n
E(p0) x E(p1) = (p0^pk mod n) x (p1^pk mod n) = (p0 x p1)^pk mod n = E(p0 x p1)
So RSA is homomorphic
IND-CPA (in)security for textbook RSA
System/Users/Challenger:
• Flip a coin b ∈ {0,1}
• c* ← E(pb, pk)
Adversary:
• Choose p0, p1
• c0 = p0^pk mod n
• c1 = p1^pk mod n
• Check if ci equals c*
• Set d = i such that: ci equals c*
• If d = b, adversary wins
• Q: Why attack in IND-CPA model works against RSA?
• Encryption can be done by anyone
• RSA’s encryption is deterministic
• So prevent attack by ...
• Stop encryption being doable by everyone?
• but then defeats purpose of PKE
• Make the encryption to be non-deterministic
• Q: can decryption be non-deterministic?
Textbook RSA vs IND-CPA
• here, Encryption is probabilistic (non-deterministic)
• encrypt same message p under same public key, gives different ciphertext c each time
e.g. Encrypt now c1 = E(p,pk)
Encrypt later c2 = E(p,pk)
where c1 ≠ c2
both c1 and c2 have to decrypt back to p,
• so decryption is deterministic ... it is the same p that is obtained each time
Probabilistic PKE
IND-CPA security vs Probabilistic PKE
System/Users/Challenger:
• Flip a coin b ∈ {0,1}
• c* ← E(pb, pk; r0)
Adversary:
• Choose p0, p1
• c0 = E(p0, pk; r1)
• c1 = E(p1, pk; r2)
• Check if ci equals c*?
• Set d = i such that: ci equals c*
• If d = b, adversary wins
• Attack (previous slide) no longer works
• adversary cannot check for equality
• internal randomness r ensures that though input p and public key e are same, output c differs each time
Probabilistic PKE vs IND-CCA insecurity
AUTHentication + IN Exchange (Recap) Symmetric Key:
Hash Message Authentication Code for Integrity (Recap)
• Cryptographic hash function:
• one-way, and collision resistance
• Q: what is the difference with encryption?
• Alice checks the MAC sent from Bob:
• identify the sender is Bob
• Q: is it secure in the network environment?
Hash Message Authentication Code for Authentication?
[Figure: message "I am bob!" with MAC: xz1s5a]
MAC Replay Attack and Countermeasure
• If the attacker obtains Bob’s MAC and replays it?
• Countermeasure: nonce + challenge-response protocol
Challenge-response Protocol
1. Alice sends a nonce (i.e., challenge) to Bob every time Bob would like to communicate
2. Bob then computes: Hash(key, “I’m bob”||nonce)
3. Alice receives the above hash value and re-computes it for verification
As each time the hash value will be different due to the nonce, the replay attack is mitigated.
The textbook RSA Signature
• output public key pk and private key sk
• s = Sign(p,sk) = p^sk mod n
• p =? Verify(p,s,pk) = s^pk mod n = (p^sk)^pk mod n
• Integrity check:
• Shared secret
• 80 bit key for high security (2010)
• ~1,000,000 ops/s on 1GHz proc
• 10x speedup in HW (A
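The IND-CPA game against textbook RSA and the homomorphic identity from the slides above, run as an added example that is not part of the original lecture material. The key is a constructed toy (two Mersenne primes), and `enc_randomized` is a hypothetical stand-in for probabilistic encryption, not a real padding scheme such as OAEP.

```python
import secrets

# Constructed toy key (assumption): two Mersenne primes, far too structured for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, PK = P * Q, 65537
SK = pow(PK, -1, (P - 1) * (Q - 1))

def enc_textbook(p):
    return pow(p, PK, N)                      # c = p^pk mod n, deterministic

def enc_randomized(p):
    # Toy randomisation (assumption, not OAEP): 8-bit message under 64 fresh random bits r.
    r = secrets.randbits(64)
    return pow((r << 8) | p, PK, N)

def dec_randomized(c):
    return pow(c, SK, N) & 0xFF               # decryption stays deterministic: drop r

def homomorphic_holds(p0, p1):
    # E(p0) x E(p1) = E(p0 x p1) for textbook RSA
    return enc_textbook(p0) * enc_textbook(p1) % N == enc_textbook(p0 * p1 % N)

def reencrypt_adversary(encrypt, p0, p1, c_star):
    # Encryption needs only pk, so the adversary computes c0, c1 and compares with c*.
    for i, p in enumerate((p0, p1)):
        if encrypt(p) == c_star:
            return i
    return secrets.randbelow(2)               # no match: blind guess

def ind_cpa_game(encrypt, adversary, p0=3, p1=5):
    b = secrets.randbelow(2)                  # challenger flips a coin
    c_star = encrypt((p0, p1)[b])             # c* <- E(pb, pk)
    d = adversary(encrypt, p0, p1, c_star)    # adversary guesses d
    return d == b                             # adversary wins if d = b

def win_rate(encrypt, trials=1000):
    return sum(ind_cpa_game(encrypt, reencrypt_adversary) for _ in range(trials)) / trials

if __name__ == "__main__":
    print("textbook RSA :", win_rate(enc_textbook))     # wins every game
    print("randomised   :", win_rate(enc_randomized))   # close to 1/2
    print("homomorphic  :", homomorphic_holds(6, 7))
```

The same multiplicative identity that makes textbook RSA homomorphic also means ciphertexts can be altered in a predictable way, which is why the later slide title pairs probabilistic PKE with IND-CCA insecurity.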
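The MAC replay problem and the three-step challenge-response protocol described above, as an added example that is not part of the original slides. It assumes HMAC-SHA256 for Hash(key, ...); the `Alice` class, `bob_respond`, the key and the message are hypothetical names and constructed sample values.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed shared key"   # sample value shared by Alice and Bob
MSG = b"I'm bob"

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

class Alice:
    """Verifier: issues a fresh nonce per attempt and accepts each nonce once."""

    def __init__(self, key):
        self.key, self.pending = key, set()

    def verify_static(self, msg, tag):
        # No nonce: the tag for "I'm bob" is identical on every run.
        return hmac.compare_digest(mac(self.key, msg), tag)

    def challenge(self):
        nonce = secrets.token_bytes(16)      # step 1: fresh challenge
        self.pending.add(nonce)
        return nonce

    def verify_response(self, nonce, msg, tag):
        if nonce not in self.pending:        # unknown or already-used challenge
            return False
        self.pending.discard(nonce)          # single use
        return hmac.compare_digest(mac(self.key, msg + nonce), tag)  # step 3

def bob_respond(key, nonce):
    return mac(key, MSG + nonce)             # step 2: Hash(key, "I'm bob" || nonce)

def replay_demo():
    alice = Alice(KEY)
    static_tag = mac(KEY, MSG)                               # eavesdropped once
    static_replay = alice.verify_static(MSG, static_tag)     # replay is accepted
    n1 = alice.challenge()
    captured = bob_respond(KEY, n1)                          # eavesdropped response
    legit = alice.verify_response(n1, MSG, captured)         # Bob's genuine run
    n2 = alice.challenge()
    replay_new = alice.verify_response(n2, MSG, captured)    # old tag, new nonce
    replay_old = alice.verify_response(n1, MSG, captured)    # old tag, spent nonce
    return static_replay, legit, replay_new, replay_old

if __name__ == "__main__":
    print(replay_demo())
```

The protection depends on Alice never accepting the same nonce twice, which is why the verifier tracks outstanding challenges and discards each one after a single check.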