Security in Communication Networks

Transcription

1 Networks Prof. Dr. Otto Spaniol Dipl. Inform. Roland Büschkes Dipl. Inform. Christian Cseh Dipl.-Math. techn. Roland Stenzel General Information 2 / 33 Lecture course: Networks Principal lecturer: Prof. Dr. Otto Spaniol Number of lectures: 4 hours per week Lecture locations: AH II, AH V Lecture times: Monday, (a.m.) (a.m.), Tuesday (a.m.) (p.m.) Exercises: Dipl. Inform. Roland Büschkes, Dipl. Inform. Christian Cseh, Dipl.- Math. techn. Roland Stenzel Number: 2 hours per week Locations: AH IV Times: Wednesday (a.m.) (p.m.) (Starting date: October 25, 2000) Subject: A basic introduction to contemporary cryptology and computer network security 1

2 References 3 / 33 C. Kaufman, R. Perlman and M. Spencier: Network Security: Private Communication in a Public World, Prentice-Hall, 1995 O. Spaniol. M. Günes: Skript der Vorlesung Sicherheit in Kommunikationsnetze, 1988 B. Schneier: Applied Cryptography: Protocols, Algorithms, and Source Code in C, (2nd Edition), John Wiley & Sons, 1996 R. Oppliger: Internet and Intranet Security, Artech House, 1998 D. R. Stinson: Cryptograhy: Theory and Practice, CRC Press, 1995 W. R. Cheswick and S.M. Bellovin: Firewalls and Internet Security, Addison-Wesley, 1994 R. G. Bace: Intrusion Detection, Macmillan Technical Publishing, 2000 Topics 4 / 33 Topics: Introduction Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Security Handshake Protocols Anonymity/Privacy Transport Layer Security Application Layer Security Firewall Intrusion Detection Mobile Agents Mobile Communication Electronic Commerce Network Layer Security 2

3 Contents 5 / 33 Prologue Protection of Subscribers Protection of Network Designing Security in Layered Protocols (Internet) Challenging Areas Prologue: Networks 6 / 33 This course discusses questions concerning security in data communications The subjects of this lecture include: Protection of Subscribers Cryptography (Secret Key, Public Key) Digital Signature Authentication/Identification (Security Handshake Protocols) Anonymity/Privacy Protection of Networks Access Control Firewall Intrusion Detection Designing Security in Layered Protocols (Internet) IPSEC, SSL, PGP,... Challenging Areas: mobile agents, mobile communication, electronic commerce 3

4 Prologue: Internet 7 / 33 Necessity is the mother of invention, and computer networks are the mother of modern cryptography. - R. L. Rivest The Story of the Internet: During the latter half of the 1980's ARPANET moved from the research domain into a transcontinental reality In November 1988 the "Internet worm" brought the ARPANET to its knees Since then an almost continuous stream of security-related incidents has affected thousands of computer systems and networks throughout the world (see for more information By 2000, the Internet had grown from 60,000 host computer systems to over 93 million (see Many companies and private users now rely on the Internet for their daily business and private communication (sharing financial, business, or personal information) Attacks: illegal gain of information, unrecognized change of information, disturbance of the functionality (Confidentiality, Integrity, Availability) Prologue: Attacks on Computer Stand-alone computer system (UNIX operating system): Only legitimate user with physical access to the computer system is able to log in by providing name and password Intruder must have physical access and the login information Networked computer (UNIX operating system): System makes available some basic network services: telnetd: remote terminal access service, provided at port 23 sendmail: electronic mail service, provided at port 25 httpd: WWW, provided at port 80 nsfd: network file service, provided at port 2049 Intruder does not need physical access Intruder can use any TCP/IP service offered by the system 8 / 33 4

5 Prologue: Attacks on Computer Only an intruder, who is able to physically access or connect to a computer system can attack it. By adding more network connections, more vulnerabilities are added automatically. Networked computer system run software that is inherently more complex and error prone. Intruder must know and be able to exploit just one single bug (administrator or security expert must know and fix each bug). 9 / 33 Passive Attack: Prologue: Attacks on Networks passive wiretapping attack: the intruder is able to interpret the data and to extract the information traffic analysis attack: intruder can observe who communicates with whom (e.g. two companies begin to exchange a large number of messages merging) available programs: etherfind, tcpdump,... Active Attack: modify, extend, delete, and replay data units influence or modify routing tables denial of service attack (flood a receiver) Network router Alice 10 / 33 intruder 5

6 Protection of Confidentiality: Prologue: Security Requirements Message contents should be kept confidential; i.e., only the communication partners may see it. Sender and/or addressee of messages should remain anonymous, and third parties (including the network operator(s)) should be unable to observe their communication. Neither potential communication partners nor third parties (including the network operator(s)) should be able to locate mobile stations or their users. Protection of Integrity: Forging message contents (including sender s address) should be detected. The recipient of a message should be able to prove that a particular message has been sent, and if that the addressee has received the message. Nobody can cheat the network operator(s) in terms of usage fees. On the other hand, the network operator(s) can only charge fees for correctly delivered services. Protection of Availability The communication network enables communication between all parties who wish to communicate and who are allowed to do so. 11 / 33 Prologue: Realization of Data Protection Requirements 12 / 33 Known techniques for Confidentiality: Cryptography, anonymity techniques Integrity: Cryptography, digital signatures, access control and authentication codes Availability: Fault-tolerant systems, access control, firewall, intrusion detection Cryptography Secrecy Steganography: Hide message, e.g., in a picture Encryption: enc_algorithm: (plaintext, key) ciphertext Authentication Identification, entity authentication: Who is currently on the other end of this connection? Message authentication: Who created this message? Digital Signature: Convince a third party about who created this message. 6

7 Prologue: Trusted Domains 13 / 33 Protection against every possible attacker is impossible. Before the design of a protection technique it is necessary to identify trusted domains. A trusted domain comprises systems or parts of systems (e.g. security module). No attackers are assumed within a trusted domain (restriction of the attacker). A trusted domain is always related to a single user or group of users. Trusted Domain Source Untrusted Area Trusted Domain Destination Protection technique Protection technique 14 / 33 Protection of Subscribers 7

8 Protection of subscribers: Shared-key Encryption Scheme 15 / 33 One-time pad, DES, IDEA etc. Can handle data volumes of several Gigabyte/s, but security is questionable Key sizes of bit Key distribution: secret channel needs key distribution center or public-key scheme random secur. param. Key generator Secret Channel Trusted Domain or error Decryption algorithm ( Encryption algorithm Protection of subscribers: Shared-key Authentication Scheme 16 / 33 Message authentication codes Specific constructions, or based on block ciphers or keyed hash functions Limitation: third party cannot check authenticity random secur. param. Key generator Secret Channel Trusted Domain Auth. algorithm Test algorithm ok or error 8

9 Protection of subscribers: Cryptographic Hash Functions 17 / 33 Hash Function H: variable length in, fixed length out ( 128 bit) easy One-way: H easy to compute infeasible to invert Collision resistant Practical hash functions: SHA, MD5, etc. Cryptographic primitive H: collision-resistant one-way hash-function fixed H: H(x) simulates a random oracle variable H: Keyed hash functions, family of hash functions infeasible Protection of subscribers: Public-key Encryption Scheme 18 / 33 RSA, Diffie-Hellman/El Gamal ca. 10-times slower than symmetric schemes Key size of bit for RSA Typically used to exchange a shared key for a symmetric scheme random secur. param. Trusted Domain Key generator Authenticated Channel Trusted Domain or error Decryption algorithm ( Encryption algorithm 9

10 Protection of subscribers: Digital Signature Scheme 19 / 33 Digital Signature: A hash value (collision-resistant) of a message is encrypted with the secret key of a public-key encryption scheme. RSA, El Gamal, etc. Asymmetry allows third party to check authenticity (since public key is known to all). random secur. param. Trusted Domain Key generator Authenticated Channel Trusted Domain Signature algorithm Test algorithm ok or error Protection of subscribers: Anonymity 20 / 33 Multi-party protocol: collectively use of cryptographic protocols Anonymity: The sender and/or the recipient of a communication can remain anonymous. Unobservability Nobody (not even the network operator) can trace communication relations. Untraceability Alice Bob Unobservable by Outsiders 10

11 21 / 33 Protection of networks Protection of networks: Access Control 22 / 33 General: Authentication refers to the process of verifying the claimed identity of a principal User Computer knows (proof of knowledge) possesses (proof of possession) biometric characteristics (proof by property) User System (via network) password-based (Name A, Password B) address-based (Name A, Address B) cryptographic: Name: A Challenge: X Response: Y=f(X) 11

12 Protection of networks: Firewall A Firewall represents a barrier between a privately owned and protected network and another network (e.g. the Internet). Purpose: prevent unwanted and unauthorized communication into or out of the protected network. Assume: Firewall is a trusted domain. 23 / 33 intranet Internet Firewall Accessibility Security Protection of networks: Intrusion Detection System (IDS) IDS is a burglar alarm for computers and networks Functional components An analysis engine that finds signs of intrusion. A response component that generates reactions based on the outcome of the analysis engine. Analysis engine: Offline: analysis of stored log data. Online: on the fly analysis of observed data. Response capabilities after analysis: Alarm Deny operation Attack Recognition: learning of attack patterns or usual habit of users Privacy problem 24 / 33 12

13 25 / 33 Design Security in Layered Protocols Design Security in Layered Protocols 26 / 33 There are always alternative ways to provide a service... Services may need to be provided at more than one layer. Security functionality should not duplicate communications functionality. Application Presentation Session Transport Network Data Link Physical The OSI reference model Application TCP & UDP IP, ICMP Data Link Physical The TCP/IP reference model User Programs Operating System Peripherals and network equipment 13

14 Design Security in Layered Protocols 27 / 33 Higher layers are more application dependent and technology independent. End-to-end security is easier provided at higher layers; link (point-to-point) security at lower layers. Higher layers are more likely implemented in software; lower layers in hardware. Higher layer encryption cannot protect lower layer headers; lower layer encryption may have to trust intermediate nodes. Application PGP, PEM,... Application Transport SSH, SSL,... Transport IP AH, ESP IP PGP = Pretty Good Privacy, PEM = Privacy Enhanced Mail, SSH = Secure Shell, SSL= Secure Socket Layer, AH = Authentication Header, ESP = Encapsulating Security Payload 28 / 33 Challenging Areas 14

15 Challenging Areas: mobile agents 29 / 33 Development of applications in distributed systems: Yesterday: Host-based computing. Today: Client/server computing. Tomorrow: Agent-based computing (most promising). A software agent is a program that acts on behalf of a (human) user A mobile agent is a program which represents a user in a computer network, is capable of migrating autonomously (under its own control) from node to node in the network, is able to perform some computation on behalf of the user. Application: online shopping, real-time device control, distributed scientific computing, etc. Major problem: security Challenging Areas: mobile agents - security problems 30 / 33 Insecure Networks (protection of users) Privacy: Sensitive data contained within an agent dispatched by a user may be compromised, due to eavesdropping on insecure networks, or if the agent executes on a malicious server. Integrity: The agent's code, control flow and results could be altered by servers for malicious purposes. Threats to host resources (protection of network): unauthorized access damage to resources denial of service annoyance attacks Security mechanisms: privacy and integrity mechanisms (to protect secret data and code), authentication mechanisms (to establish the identities of communicating parties) authorization mechanisms (controlled access to server resources). 15

16 Challenging Areas: electronic commerce 31 / 33 Electronic commerce (e-commerce) use networks (typically the Internet) to market goods and services without the need to be physically present at the point of sale. What will be used in the digital world? The same types as in the paper world cash, for small and anonymous payments, cheques, credit cards, money transfer orders, payment-like systems: vouchers, coupons. Same metaphor, i.e., same business model, at least as cost-effective, at least as secure, privacy protecting. Security problems: payment integrity and privacy Challenging Areas: mobile communication 32 / 33 Mobile phones have become a mass product (very soon: 100% coverage). GSM (Global System for Mobile Communication) is the best known and most widely used mobile communication standard. Emphasis on security functions dealing with eavesdropping and unauthorized use: Protection of Subscriber encryption of communication on the radio interface, i.e. between mobile station and base station, concealing the users identity on the radio interface, i.e. temporary valid identity code (TMSI) is used for the identification of a mobile user. Protection of Network access control by means of a personal smart card (called subscriber identity module, SIM) and PIN (personal identification number), authentication of the users towards the network carrier and generation of a session key in order to prevent abuse. 16

17 Challenging Areas: mobile communication 33 / 33 Security Problems and known attacks on GSM: IMSI Catcher: discloses the identities of all users within a radio cell. SIM Cloning and interception of authentication data: attempts to make phone calls at the expense of other users. Billing and Privacy (who communicates with whom and how long). Protection of location information. Future: The Universal Mobile Telecommunication System (UMTS) integrates the existing mobile radio networks and the Internet. UMTS supports new services with higher data rates. The standardization process for UMTS remains open chance to define appropriate security function (better than in GSM). The installation of appropriate security functions after standardization would result in higher costs and unnecessary compromises. 17