CS716 Advanced Computer Networks

By Dr. Amir Qayyum

1

Lecture No. 40

Security
Outline
Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

Overview
Cryptography functions
Secret key (e.g. DES) Public key (e.g. RSA) Message digest (e.g. MD5)

Security services
Privacy: preventing unauthorized release of information Authentication: verifying identity of the remote participant Integrity: making sure message has not been altered

Taxonomy of Network Security

Security

Cryptography algorithms Secret key (e.g. DES) Public key (e.g. RSA) Message digest (e.g. MD5) Privacy

Security services Authentication Message integrity

Secret Key Encryption

Secret Key Encryption (DES)

Plaintext Plaintext

Encrypt with secret key Ciphertext

Decrypt with secret key

DES Algorithm
Initial permutation

64-bit key (56-bits + 8-bit parity) 16 rounds

Round 1

Round 2

Each Round
56-bit key
L 1 i R 1 i
F +

Ki

Round 16

Li

Ri

Final permutation
8

Expansion Phase of DES

4-bit chunk

Expanded to 6 bits by stealing a bit from left and right chunks

9

Secret Key Encryption

Plaintext Block 3 Plaintext Block 2

Plaintext Block 1
Plaintext Block 0

Encryption Function

Blocks of Ciphertext

Initialization Vector
(For block 0 only) 10

Cipher Block Chaining (CBC)

Repeat for larger messages
Block

Block 2

Block 3

Block 4 +

IV

DES

DES

DES

DES

Cipher 1

Cipher 2

Cipher

Cipher 4

11

Public Key Encryption

12

Public Key Authentication

13

Public Key Encryption (RSA)

Plaintext Plaintext Encrypt with public key Decrypt with private key

Ciphertext

Encryption & Decryption c = memod n m = cdmod n

14

RSA (cont)
Choose two large prime numbers p and q (each 256 bits) Multiply p and q together to get n Choose the encryption key e, such that e and (p - 1) (q - 1) are relatively prime.
Two numbers are relatively prime if they have no common factor greater than one
15

RSA (cont)
Compute decryption key d such that d = e-1mod ((p - 1) (q - 1)) Construct public key as (e, n) Construct private key as (d, n) Discard (do not disclose) original primes p and q
16

Message Digest
Cryptographic checksum
Just as a regular checksum protects the receiver from accidental changes to the message, a cryptographic checksum protects the receiver from malicious changes to the message.

17

Message Digest
One-way function
Given a cryptographic checksum for a message, it is virtually impossible to figure out what message produced that checksum; it is not computationally feasible to find two messages that hash to the same cryptographic checksum.

18

Message Digest
Relevance
If you are given a checksum for a message and you are able to compute exactly the same checksum for that message, then it is highly likely this message produced the checksum you were given.

19

Overview of Message Digest Operation

Initial digest (constant)
Message (padded)

512 bits 512 bits

Transform

512 bits

Transform

Transform

Message digest
20

Authentication Protocols
Three-way handshake
Client Server

21

Third Party Authentication

Trusted third party (Kerberos)
S
A, B

22

Public Key Authentication

A B

23

Message Integrity

24

Message Integrity Protocols

Keyed MD5
Sender: m + MD5 (m + k) + E(E(k, rcv pub), private) Receiver Recovers random key using the senders public key Applies MD5 to the concatenation of this random key message
25

Message Integrity Protocols

MD5 with RSA signature Sender: m + E(MD5(m), private)
Receiver Decrypts signature with senders public key Compares result with MD5 checksum sent with message

26

Tree-structured CA Hierarchy

27

Authentication

28

Session Key Communication

29

Session Key Communication

30

Key Distribution Center

31