Professional Documents
Culture Documents
Goals:
❒ understand principles of network security:
❍ cryptography and its many uses beyond
“confidentiality”
❍ authentication
❍ message integrity
❒ security in practice:
❍ firewalls and intrusion detection systems
❍ security in application, transport, network, link
layers
Security in Wireless System
Alice Bob
channel data, control
messages
Trudy
Who might Bob, Alice be?
❒ … well, real-life Bobs and Alices!
❒ Web browser/server for electronic
transactions (e.g., on-line purchases)
❒ on-line banking client/server
❒ DNS servers
❒ routers exchanging routing table updates
❒ other examples?
There are bad guys (and girls) out there!
Q: What can a “bad guy” do?
A: A lot! See section 1.6
❍ eavesdrop: intercept messages
❍ actively insert messages into connection
❍ impersonation: can fake (spoof) source address in
packet (or any field in packet)
❍ hijacking: “take over” ongoing connection by
removing sender or receiver, inserting himself in
place
❍ denial of service: prevent service from being
used by others (e.g., by overloading resources)
Security in Wireless System
m plaintext message
KA(m) ciphertext, encrypted with key KA
m = KB(KA(m))
8
Simple encryption scheme
substitution cipher: substituting one thing for another
❍ monoalphabetic cipher: substitute one letter for another
plaintext: abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq
10
Breaking an encryption scheme
❒ Cipher-text only ❒ Known-plaintext attack:
attack: Trudy has trudy has some plaintext
ciphertext that she corresponding to some
can analyze ciphertext
❒ Two approaches: ❍ eg, in monoalphabetic
cipher, trudy determines
❍ Search through all
pairings for a,l,i,c,e,b,o,
keys: must be able to
differentiate resulting ❒ Chosen-plaintext attack:
plaintext from trudy can get the
gibberish cyphertext for some
❍ Statistical analysis chosen plaintext
11
Types of Cryptography
❒ Crypto often uses keys:
❍ Algorithm is known to everyone
❍ Only “keys” are secret
❒ Hash functions
❍ Involves the use of no keys
❍ Nothing secret: How can this be useful?
12
Symmetric key cryptography
KS KS
13
Two types of symmetric ciphers
❒ Stream ciphers
❍ encrypt one bit at time
❒ Block ciphers
❍ Break plaintext message in equal-size blocks
❍ Encrypt each block as a unit
14
Stream Ciphers
pseudo random
keystream
key generator keystream
16
Block ciphers
❒ Message to be encrypted is processed in blocks of
k bits (e.g., 64-bit blocks).
❒ 1-to-1 mapping is used to map k-bit block of
plaintext to k-bit block of ciphertext
Example with k=3:
18
From Kaufman
Prototype function et al
64-bit input
S1 S2 S3 S4 S5 S6 S7 S8
8-bit to
64-bit intermediate 8-bit
mapping
Loop for
n rounds 64-bit output
19
Why rounds in prototype?
❒ If only a single round, then one bit of input
affects at most 8 bits of output.
❒ In 2nd round, the 8 affected bits get
scattered and inputted into multiple
substitution boxes.
❒ How many rounds?
❍ How many times do you need to shuffle cards
❍ Becomes less efficient as n increases
20
Encrypting a large message
❒ Why not just break message in 64-bit blocks,
encrypt each block separately?
❍ If same block of plaintext appears twice, will give same
cyphertext.
❒ How about:
❍ Generate random 64-bit number r(i) for each plaintext
block m(i)
❍ Calculate c(i) = KS( m(i) ⊕ r(i) )
❍ Transmit c(i), r(i), i=1,2,…
❍ At receiver: m(i) = KS(c(i)) ⊕ r(i)
❍ Problem: inefficient, need to send c(i) and r(i)
21
Cipher Block Chaining (CBC)
❒ CBC generates its own random numbers
❍ Have encryption of current block depend on result of previous block
22
Cipher Block Chaining
❒ cipher block: if input m(1) = “HTTP/1.1” c(1) = “k329aM02”
t=1 block
block repeated, will cipher
…
produce same cipher m(17) = “HTTP/1.1” c(17) = “k329aM02”
t=17 block
text: cipher
24
Symmetric key
crypto: DES
DES operation
initial permutation
16 identical “rounds” of
function application,
each using different 48
bits of key
final permutation
25
AES: Advanced Encryption Standard
26
Public Key Cryptography
27
Public key cryptography
+ Bob’s public
K
B key
- Bob’s private
K
B key
28
Public key encryption algorithms
Requirements:
+ . .
1 need K B( ) and K - ( ) such that
B
- +
K (K (m)) = m
B B
+
2 given public key KB , it should be
impossible to compute private
-
key K B
31
RSA: Creating public/private key
pair
1. Choose two large prime numbers p, q.
(e.g., 1024 bits each)
Magic d
m = (m e mod n) mod n
happens!
c
33
RSA example:
Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z).
d
Bob decrypts: c c m = cd mod n
17 481968572106750915091411825223071697 12 34
Why does RSA work?
❒ Must show that cd mod n = m
where c = me mod n
❒ Fact: for any x and y: xy mod n = x(y mod z) mod n
❍ where n= pq and z = (p-1)(q-1)
❒ Thus,
cd mod n = (me mod n)d mod n
= med mod n
= m(ed mod z) mod n (result of number theory)
= m1 mod n
=m
35
RSA: another important property
The following property will be very useful later:
- + + -
K (K (m)) = m = K (K (m))
B B B B
36
- + + -
Why K (K (m)) = m = K (K (m)) ?
B B B B
37
Why is RSA Secure?
❒ Suppose you know Bob’s public key (n,e). How hard is
it to determine d?
❒ Essentially need to find factors of n without knowing
the two factors p and q.
❒ Fact: factoring a big number is hard.
39
Security in Wireless System
41
Message Digests
large
H: Hash
message
❒ Function H( ) that takes as Function
m
input an arbitrary length
message and outputs a
fixed-length string: H(m)
“message signature”
❒ Note that H( ) is a many- ❒ Desirable properties:
to-1 function ❍ Easy to calculate
❒ H( ) is often called a “hash ❍ Irreversibility: Can’t
function” determine m from H(m)
❍ Collision resistance:
Computationally difficult to
produce m and m’ such that
H(m) = H(m’)
❍ Seemingly random output
42
Internet checksum: poor message
digest
Internet checksum has some properties of hash function:
➼ produces fixed length digest (16-bit sum) of input
➼ is many-to-one
❒ But given message with given hash value, it is easy to find another
message with same hash value.
❒ Example: Simplified checksum: add 4-byte chunks at a time:
44
Message Authentication Code (MAC)
s
message s = shared secret
s
message
message H( )
H( ) compare
❒ Authenticates sender
❒ Verifies message integrity
❒ No encryption !
❒ Also called “keyed hash”
❒ Notation: MDm = H(s||m) ; send m||MDm
45
HMAC
❒ Popular MAC standard
❒ Addresses some subtle security flaws
46
Example: OSPF
❒ Recall that OSPF is an Attacks:
intra-AS routing ❒ Message insertion
protocol ❒ Message deletion
❒ Each router creates
❒ Message modification
map of entire AS (or
area) and runs
shortest path ❒ How do we know if an
algorithm over map. OSPF message is
❒ Router receives link- authentic?
state advertisements
(LSAs) from all other
routers in AS.
47
OSPF Authentication
❒ Within an Autonomous ❒ Cryptographic hash
System, routers send with MD5
OSPF messages to each ❍ 64-bit authentication
other. field includes 32-bit
❒ OSPF provides sequence number
authentication choices ❍ MD5 is run over a
concatenation of the
❍ No authentication
OSPF packet and
❍ Shared password: shared secret key
inserted in clear in 64-
bit authentication field
❍ MD5 hash then
in OSPF packet appended to OSPF
packet; encapsulated in
❍ Cryptographic hash
IP datagram
48
End-point authentication
❒ Want to be sure of the originator of the
message – end-point authentication.
❒ Assuming Alice and Bob have a shared
secret, will MAC provide end-point
authentication.
❍ We do know that Alice created the message.
❍ But did she send it?
49
Playback attack
MAC =
f(msg,s) Transfer $1M
from Bill to Trudy MAC
R
MAC =
f(msg,s,R) Transfer $1M
from Bill to Susan MAC
Digital Signatures
52
Digital Signatures
Simple digital signature for message m:
❒ Bob signs m by encrypting with his private key
- -
KB, creating “signed” message, KB(m)
-
Bob’s message, m K B Bob’s private -
K B(m)
key
Dear Alice
Bob’s message,
Oh, how I have Public key m, signed
missed you. I think of
you all the time! … encryption (encrypted) with
(blah blah blah) algorithm his private key
Bob
53
Digital signature = signed message digest
Alice verifies signature and
Bob sends digitally signed integrity of digitally signed
message: message:
large
message H: Hash encrypted
m function H(m)
msg digest
-
KB(H(m))
Bob’s digital large
private signature message
- Bob’s
key KB (encrypt) m digital
public
+ signature
key KB
encrypted H: Hash (decrypt)
msg digest function
-
+ KB(H(m))
H(m) H(m)
equal
?
54
Digital Signatures (more)
-
❒ Suppose Alice receives msg m, digital signature KB(m)
❒ If KB(K
+B(m)
- ) = m, whoever signed m must have used Bob’s private
key.
55
Public-key certification
❒ Motivation: Trudy plays pizza prank on Bob
❍ Trudy creates e-mail order:
Dear Pizza Store, Please deliver to me four
pepperoni pizzas. Thank you, Bob
❍ Trudy signs order with her private key
❍ Trudy sends order to Pizza Store
❍ Trudy sends to Pizza Store her public key, but says
it’s Bob’s public key.
❍ Pizza Store verifies signature; then delivers four
pizzas to Bob.
❍ Bob doesn’t even like Pepperoni
56
Certification Authorities
❒ Certification authority (CA): binds public key to
particular entity, E.
❒ E (person, router) registers its public key with CA.
❍ E provides “proof of identity” to CA.
❍ CA creates certificate binding E to its public key.
❍ certificate containing E’s public key digitally signed by CA
– CA says “this is E’s public key”
Bob’s digital
+
public +
signature KB
key KB (encrypt)
CA
certificate for
K-
Bob’s private
identifying key CA Bob’s public key,
information signed by CA
57
Certification Authorities
❒ When Alice wants Bob’s public key:
❍ gets Bob’s certificate (Bob or elsewhere).
❍ apply CA’s public key to Bob’s certificate, get
Bob’s public key
+ digital Bob’s
KB signature public
+
(decrypt) K B key
CA
public +
K CA
key
58
Certificates: summary
❒ Primary standard X.509 (RFC 2459)
❒ Certificate contains:
❍ Issuer name
❍ Entity name, address, domain name, etc.
❍ Entity’s public key
❍ Digital signature (signed with issuer’s private
key)
❒ Public-Key Infrastructure (PKI)
❍ Certificates and certification authorities
❍ Often considered “heavy”
59
Chapter 8 roadmap
KS
+ Internet - KS
KS
+
KB( ) . + +
-
KB( ).
KB(KS ) KB(KS )
K+B K-B
Alice:
generates random symmetric private key, KS.
encrypts message with KS (for efficiency)
also encrypts KS with Bob’s public key.
sends both KS(m) and KB(KS) to Bob.
Secure e-mail
Alice wants to send confidential e-mail, m, to Bob.
KS
+ Internet - KS
KS
+
KB( ) . + +
-
KB( ).
KB(KS ) KB(KS )
K+B K-B
Bob:
uses his private key to decrypt and recover KS
uses KS to decrypt KS(m) to recover m
Secure e-mail (continued)
• Alice wants to provide sender authentication message
integrity.
K-A K+A
m .
H( )
-
KA( ) . -
KA(H(m))
-
KA(H(m)) + .
KA ( ) H(m )
+ Internet - compare
m H( ). H(m )
m
m .
H( ) .
-
KA ( )
-
KA(H(m))
KS
+ KS( ) .
m + Internet
KS
+
KB( ) . +
KB(KS )
K+B
Alice uses three keys: her private key, Bob’s public key, newly
created symmetric key
Chapter 8 roadmap
66
SSL and TCP/IP
Application Application
SSL
TCP
TCP
IP IP
67
Could do something like PGP:
-
KA
-
m .
H( )
-.
K ()
A
KA(H(m))
KS
+ KS( ) .
m + Internet
KS
+
KB ( )
. +
KB(KS )
+
KB
lic key KA
+
A lic e’s pu b
Cert ificate of
❒ MS = master secret
❒ EMS = encrypted master secret
70
Toy: Key derivation
❒ Considered bad to use same key for more than one
cryptographic operation
❍ Use different keys for message authentication code
(MAC) and encryption
❒ Four keys:
❍ Kc = encryption key for data sent from client to server
72
Toy: Sequence Numbers
❒ Attacker can capture and replay record or
re-order records
❒ Solution: put sequence number into MAC:
❍ MAC = MAC(Mx, sequence number||data)
❍ Note: no sequence number field
❒ Attacker could still replay all of the
records
❍ Use random nonce
73
Toy: Control information
❒ Truncation attack:
❍ attacker forges TCP connection close segment
❍ One or both sides thinks there is less data than
there actually is.
❒ Solution: record types, with one type for
closure
❍type 0 for data; type 1 for closure
❒ MAC = MAC(Mx, sequence||type number||data)
74
Toy SSL: summary
hello
certificate, nonce
KB +(MS) = EMS
type 0, seq 1, data
bob.com
type 0, seq 2, data
s e q 1, data
encrypted
typ e 0,
close
ty p e 1 , se q 2 ,
75
Toy SSL isn’t complete
❒ How long are the fields?
❒ What encryption protocols?
❒ No negotiation
❍ Allow client and server to support different
encryption algorithms
❍ Allow client and server to choose together
specific algorithm before data transfer
76
Most common symmetric ciphers in
SSL
❒ DES – Data Encryption Standard: block
❒ 3DES – Triple strength: block
❒ RC2 – Rivest Cipher 2: block
❒ RC4 – Rivest Cipher 4: stream
77
SSL Cipher Suite
❒ Cipher Suite
❍ Public-key algorithm
❍ Symmetric encryption algorithm
❍ MAC algorithm
78
Real SSL: Handshake (1)
Purpose
1. Server authentication
2. Negotiation: agree on crypto algorithms
3. Establish keys
4. Client authentication (optional)
79
Real SSL: Handshake (2)
1. Client sends list of algorithms it supports, along with
client nonce
2. Server chooses algorithms from list; sends back:
choice + certificate + server nonce
3. Client verifies certificate, extracts server’s public
key, generates pre_master_secret, encrypts with
server’s public key, sends to server
4. Client and server independently compute encryption
and MAC keys from pre_master_secret and nonces
5. Client sends a MAC of all the handshake messages
6. Server sends a MAC of all the handshake messages
80
Real SSL: Handshaking (3)
Last 2 steps protect handshake from tampering
❒ Client typically offers range of algorithms,
some strong, some weak
❒ Man-in-the middle could delete the stronger
algorithms from list
❒ Last 2 steps prevent this
❍ Last two messages are encrypted
81
Real SSL: Handshaking (4)
❒ Why the two random nonces?
❒ Suppose Trudy sniffs all messages between
Alice & Bob.
❒ Next day, Trudy sets up TCP connection with
Bob, sends the exact same sequence of
records,.
❍ Bob (Amazon) thinks Alice made two separate
orders for the same thing.
❍ Solution: Bob sends different random nonce for
each connection. This causes encryption keys to be
different on the two days.
❍ Trudy’s messages will fail Bob’s integrity check.
82
SSL Record Protocol
data
data data
MAC MAC
fragment fragment
data
MAC
handshake: ClientK
eyExchange
ChangeCipherS
pec
handshake: Finish
ed
pec
Everything ChangeCipherS
henceforth : Finishe d
handshake
is encrypted
application_dat
a
ata
application_d
86
Chapter 8 roadmap
❒ Authentication options
❍ Encrypted password
❍ Preinstalled public key
❒ Tunnels and port redirection
❍ Redirect the connections of other applications
❍ Automatic redirection of X connections -> secure access of
remote GUI
88
Back to SSH: Architecture
ssh-connect ssh-connect
ssh-userauth ssh-userauth
ssh-trans ssh-trans
TCP TCP
ssh-trans
server authentication, confidentiality, integrity
ssh-userauth
authenticates the client-side user
ssh-connect
multiplexes the encrypted tunnel into several
logical channels (enables port redirection)
89
ssh-trans
❒ Server authentication
❍ each server host must have a host key
❍ server host key is used during key exchange to verify
that the client is really communicating with the
correct server.
❍ the client must have prior knowledge of the server's
public host key:
• client has a local database that associates each host name (as
typed by the user) with the corresponding public host key (file
known_hosts)
• host name - key association can be certified by a trusted
certification authority.
❒ Danger if the client talks to an unknown host
❍ man-in-the-middle attack
90
ssh-trans
❒ Confidentiality
❍ data encrypted using a one-time secret session key
❒ Key exchange phase
❍ Diffie-Hellman method to create a secret key K
❒ Encryption
❍ symmetric encryption using K
❍ several ciphers can be used
❒ Integrity
❍ MAC (Message Authentication Code) included with each
packet
❍ computed from the shared secret key, packet sequence
number, the contents of the packet
91
ssh-userauth
❒ Password
❍ username, password on the remote system
92
ssh-connect
❒ Multiple channels multiplexed into a single connection at
the ssh-trans level
❒ Channels identified by numbers on each end
❒ Channels are individually flow-controlled
❍ window size - amount of data to send
93
SSH: Summary
❒ Excellent security
❍ Encryption
❍ Two-way authentication
❍ Should be used instead of telnet/rlogin
94
Network Security (summary)
Basic techniques…...
❍ cryptography (symmetric and public)
❍ message integrity
❍ end-point authentication
95