Introduction to OSI

OSI Model
Computer and telephone networks have changed from human operated to computer controlled Terminals and network components consists of complex hardware and software components Equipment from different vendors must be interoperable => free competition OSI standardization (ISO IS 7498 BRM and CCITT X.200)

Background
Layered architecture used in 60s in operating system research Layered and structured programming with adding details progressively Using service through interface, hides implementation from user ARPA net, TCP/IP, IBM SNA, SDLC, LAN, distributed information system Object oriented programming

Layered Model Benefits

Standardization Modularity, manageability, independence of layers, flexibility Feasibility, reuse, implementation framework, development environment Cons? Extra interfaces, computational complexity, memory, bureaucracy of standardization

Basic Concepts
Service Number of functions available

Service access point Place where service is available

Service user Upper layer

Service provider Each layer to layers above

Service Primitives Primitives compose service

Service Interfaces (Vertical) User data (Service Data Unit, SDU) Service providers identifier (Protocol Control Information, PCI) Appended before user data to compose PDU

Data unit (Protocol Data Unit, PDU) PCI + SDU = PDU (encapsulation)

Interface Control Information, ICI Appended before PDU to compose IDU

Interface Data Unit, IDU ICI + PDU = IDU

 The layer-n entity passes an interface data unit (IDU) to the layer-(n1) entity. The IDU consists of a protocol data unit (PDU) and some interface control information (ICI). The ICI is information, such as the length of the SDU, and the addressing information that the layer below needs to perform its function. The PDU is the data that the layer-n entity wishes to pass across the network to its peer entity. It consists of the layer-n header and the data that layer n received from layer (n+1). The layer-n PDU becomes the layer-(n1) service data unit (SDU), because it is the data unit that will be serviced by layer n. When layer n1 receives the layer-n IDU, it strips off and "considers" the ICI, adds the header information for its peer entity across the network, adds ICI for the layer below, and passes the resulting IDU to the layer n2 entity. Problems can occur in the data path between two network stations, including errant, restricted, or even halted communication.

Protocols
Protocol used for messaging between layers N protocol connects N service to N-1 service E.g. transport protocol connects service provided by transport layer to service on network layer

Described with state machine E.g. Finite State Automaton (FSA) M = (S, I, t, s0, F)

Protocol Mechanisms State machine modeling, definition, mechanisms Flow control, error control Retransmission, windowing

Error correction, fault tolerance, error detection

Mechanisms, operational principles

Primitives, logic Creating and closing connection, data transfer

Services, interfaces, layers OSI Model Layers 7 layers, each layer has own services Layers communicate with each other from one end node to another using protocol and exchanging PDUs PDU is coded bit array, frame Lower layers (1-3) communicate between end nodes and network nodes (NA protocols) Upper layers communicate between end nodes

Physical layer, transfers bits (V.24, X.21) Data link layer, errorless transfer of data between terminal and node or between nodes, framing (LAPB, LLC) Network layer, routing, adapting protocols, packaging (IP) Transport layer, reliable data transfer between end nodes, ordering packets, flow control, recovery from faults (UDP, TCP) Session layer, controlling dialog e.g. using tokens, synchronization (transferring big files), often integrated to other layers Presentation layer, coding used by applications Application layer, applications comprising from application service elements (ASE) (X.500, FTAM)

Introduction to TCP/IP
OSI and Protocol Stack

Link Layer Network Layer

: includes device driver and network interface card : handles the movement of packets, i.e. Routing

Transport Layer : provides a reliable flow of data between two hosts Application Layer: handles the details of the particular application Packet Encapsulation The data is sent down the protocol stack Each layer adds to the data by pre pending headers

Ethernet
Computer <-> Computer communication on same network Each device has unique MAC address (48-bit) example: 00-C0-4F-48-47-93

ARP: Address Resolution Protocol

ARP provides mapping

32bit IP address <-> 48bit MAC address

128.97.89.153 <-> 00-C0-4F-48-47-93 ARP cache

maintains the recent mappings from IP addresses to MAC addresses

Protocol
1. 2. ARP request broadcast on Ethernet Destination host ARP layer responds

IP: Internet Protocol

In OSI reference model terminology -the TCP/IP protocol suite covers the network and transport layers. TCP/IP can be used on many data-link layers (can support many network hardware implementations). Internet protocol IP is the network layer packet delivery service (host-to-host). translation between different data-link protocols.

IP address
IP is a network layer - it must be capable of providing communication between hosts on different kinds of networks (different data-link implementations). The address must include information about what network the receiving host is on. This is what makes routing feasible. IP addresses are logical addresses (not physical) 32 bits. Includes a network ID and a host ID. Every host must have a unique IP address. IP addresses are assigned by a central authority (American Registry for Internet Numbers for North America).

Unreliable connectionless datagram delivery service Responsible for routing of data through intermediate networks and computers.

IP Routing

Routing Table Destination IP address IP address of a next-hop router Flags Network interface specification

ICMP : Internet Control Message Protocol Used to report problems with delivery of IP Datagrams within an IP network Used by Ping, Tracerout commands

Types and Codes Echo Request (type=8, code=0) Echo Reply(type=0, code=0) Destination Unreachable(type=3, code=0) Time Exceeded(type=11, code=0) : Time-to-Live =0

TCP : Transmission Control Protocol Protocol 1. 2. 3. Set up connection Transfer data Close connection Connection-Oriented, Reliable, Byte Stream Service

TCP: State Diagram

HTTP : Hyper Text Transfer Protocol Stateless Transaction Protocol Each transaction creates a new connection Steps in Transaction 1. 2. Establish connection Request Method <URL> <CR> 3. Response Response Code <Data> <CR> 4. Close connection Common Request Methods GET, PUT, POST Response Categories Informational Successful Redirection Client Error Server Error :100 :200 :300 :400 (eg. 404 Not found) :500

Cryptography
Hidden writing Increasingly used to protect information Can ensure confidentiality Integrity and Authenticity too

Dates back to at least 2000 B.C. Pen and Paper Cryptography Examples Scytale Atbash Caesar Vigenre

Invention of cipher machines Examples Confederate Armys Cipher Disk Japanese Red and Purple Machines German Enigma

Computers! Examples Lucifer Rijndael RSA ElGamal

Speak Like a Crypto Geek Plaintext A message in its natural format readable by an attacker Ciphertext Message altered to be unreadable by anyone except the intended recipients Key Sequence that controls the operation and behavior of the cryptographic algorithm Keyspace Total number of possible values of keys in a crypto algorithm Initialization Vector Random values used with ciphers to ensure no patterns are created during encryption Cryptosystem The combination of algorithm, key, and key management functions used to perform cryptographic operations Cryptosystem Services Confidentiality Integrity Authenticity Nonrepudiation Access Control

Types of Cryptography
Stream-based Ciphers One at a time, please Mixes plaintext with key stream Good for real-time services

Block Ciphers Amusement Park Ride Substitution and transposition

Encryption Systems Substitution Cipher Convert one letter to another Cryptoquip

Transposition Cipher Change position of letter in text Word Jumble

Monoalphabetic Cipher Caesar

Polyalphabetic Cipher Viennese

Modular Mathematics Running Key Cipher

One-time Pads Randomly generated keys

Steganography Hiding a message within another medium, such as an image No key is required Example Modify color map of JPEG image

Cryptographic Methods
Symmetric Same key for encryption and decryption Key distribution problem

10

Asymmetric Mathematically related key pairs for encryption and decryption Public and private keys

Hybrid Combines strengths of both methods Asymmetric distributes symmetric key Also known as a session key

Symmetric provides bulk encryption Example: SSL negotiates a hybrid method

Attributes of Strong Encryption Confusion Change key values each round Performed through substitution Complicates plaintext/key relationship

Diffusion Change location of plaintext in ciphertext Done through transposition

Symmetric Algorithms DES 3DES AES IDEA Blowfish RC4 RC5 CAST SAFER Twofish Modes: ECB, CBC, CFB, OFB, CM

11

Asymmetric Algorithms Diffie-Hellman RSA El Gamal Elliptic Curve Cryptography (ECC)

Hashing Algorithms MD5 SHA-1 HAVAL Computes between 128 and 256 bit hash Between 3 and 5 rounds Computes 160-bit hash value NIST approved message digest algorithm Computes 128-bit hash value Widely used for file integrity checking

RIPEMD-160 Developed in Europe published in 1996 Patent-free

Cryptanalysis The study of methods to break cryptosystems Often targeted at obtaining a key Attacks may be passive or active Kerckhoffs Principle The only secrecy involved with a cryptosystem should be the key

Cryptosystem Strength How hard is it to determine the secret associated with the system?

Brute force Trying all key values in the keyspace

Frequency Analysis Guess values based on frequency of occurrence

Dictionary Attack Find plaintext based on common words

12

Replay Attack Repeating previous known values

Factoring Attacks Find keys through prime factorization

Ciphertext-Only Known Plaintext Format or content of plaintext available

Chosen Plaintext Attack can encrypt chosen plaintext

Chosen Ciphertext Decrypt known ciphertext to discover key

Differential Power Analysis Side Channel Attack Identify algorithm and key length

Social Engineering Humans are the weakest link

RNG Attack Predict IV used by an algorithm

Temporary Files May contain plaintext

E-mail Security Protocols Privacy Enhanced Email (PEM) Pretty Good Privacy (PGP) S/MIME Requires public key infrastructure Supported by most e-mail clients Based on a distributed trust model Each user generates a key pair

Network Security Link Encryption Encrypt traffic headers + data Transparent to users

13

End-to-End Encryption Encrypts application layer data only Network devices need not be aware

SSL/TLS Supports mutual authentication Secures a number of popular network services

IPSec Security extensions for TCP/IP protocols Supports encryption and authentication Used for VPNs

14