ECE 428 Network Security


1 ECE 428 Network Security

2 Learning objectives
- Security requirements and tools
- Symmetric-key (secret key) cryptography
  - Substitution, transposition, and product ciphers (DES)
- Public key cryptography: RSA algorithm
- Entity authentication using cryptography
- Symmetric-key distribution protocols
- Digital signature
- Public-key certification
- Internet Security
  - IP/Transport/Application layers

3 Security Requirements
Privacy (Confidentiality)
- Ability to keep info. exchanged between parties private
- Observer should not be able to recover info.
- Stronger: an observer cannot determine the parties.
User Authentication
- Ability of the parties to ascertain their identities.
Data Authentication (Data Integrity)
- Ability to ascertain that information exchanged has not been subject to addition, deletion, modification, or undue delay.
Non-repudiation
- Ability to prevent an authorized party from denying a communication session's existence and contents.
Access control (DoS)

4 Security tools
Privacy (Confidentiality)
- Encryption: a process of transformation: C = E_K(M)
- Decryption: recover the original msg.: M = D_K(C)
- Idea: It should be computationally infeasible for an observer of C to recover either K or M (in a reasonable time).
Data Authentication (Data Integrity)
- Hashing: create a message digest H(M).
- Even a 1-bit change in M will produce a large change (50%) in H(M).
Non-repudiation (User integrity)
- Digital signatures

5 Types of Attackers
Passive
- Intercept information as it passes.
- If data is encrypted, try to break it.
Active
- Attacker listens.
- May try to do nasty things: add, delete, modify, delay, or create messages.

6 Properties of cryptographic systems
Conventional cryptographic systems (symmetric)
- Encryption: C = E_K(M)
- Decryption: M = D_K(C)
Confusion
- Process of substituting characters or symbols to make
Diffusion
- Complex relationship between ciphertext and key
- Complex relationship between ciphertext and plaintext
- Process of spreading the effect of plaintext or key as widely as possible over ciphertext

7 Kerckhoff's Principle
- Attacker knows everything about the cryptosystem except the key.
- All algorithms are public.
- Only the keys are secret.

8 Cryptography (Secret writing)
Sender (Alice): Plaintext + Key -> Encryption Alg. (Cipher) -> Ciphertext
Internet (Eve)
Receiver (Bob): Ciphertext + Key -> Decryption Alg. -> Plaintext
Crypto. world:
- Symmetric-key (secret-key)
- Asymmetric-key (public-key)

9 Symmetric-key Cryptography
- The same key is used by both parties.
- Traditional ciphers: unit of data is a character
  - Transpositional cipher: Characters
  - Substitution cipher (Caesar cipher)
- Data Encryption Standard (DES)

10 Transposition
- Rearrange the order of the letters according to some predetermined pattern.
- A common method is columnar transposition.
- Write M in a matrix, then rearrange the columns.
- Key: the order in which columns are read.

11 Key Transpositional cipher: Example Encryption A F I T R S R G I E O E A A O N S D D U R E Plaintext Decryption O E A A O N S A F I T G I E R R S R E D D U Ciphertext Key:

12 Substitution Cipher
Idea: Message symbols are mapped into a permuted set of symbols.
Monoalphabetic: A -> P, B -> W, C -> E, D -> K, ...
Polyalphabetic: Vigenere cipher (16th century cipher)
Example:
- K = CIPHER = {2, 8, 15, 7, 4, 17}
- Plaintext = thiscryptosystemisnotsecure
- Encryption: add the key to the plain text mod
- V P X Z G I A X I V W P

13 Substitution Cipher
Polyalphabetic: Hill Cipher (1929)
Idea:
- Encryption: y = xK, where x and y are rows of m elements and K is an m x m matrix
- Decryption: x = yK^-1
Example: K = 11 8 K^-1 = 7 18
Plaintext: July = 9, 20, 11,
Encryption of Ju: [9, 20]K = [3, 4] = DE
Encryption of ly: [11, 24]K = [11, 22] = LW
Encrypted text: DELW

14 Cryptanalysis of Ciphers
Observation: letters do not appear equally in English text.
[Figure: frequency of each letter A to Z in English text, vertical axis from 0 to 14%]

15 Cryptanalysis of Substitution Cipher
- Analyze a large volume of ciphertext for letter frequency.
- If the frequencies are close to natural English, only mapped to different letters, try replacement.
- Consider digram and trigram frequencies.

16 Product Cipher
[Figure: message bits m1 ... m12 pass through alternating substitution and permutation stages S1, P1, S2, ..., P(t-1), St, each S stage made of four S-boxes (S11 ... St4), producing ciphertext bits c1 ... c12]

17 Data Encryption Standard: History
- Late 1960s: IBM set up a security project headed by Horst Feistel.
- 1971: Alg. LUCIFER sold to Lloyd's for use in cash-dispensing.
- 1971: Another project headed by Tuchmann/Meyer to refine LUCI
- 1973: NBS (now NIST) issued an RFP for cipher standard
  - IBM submitted the Tuchmann/Meyer work
- 1977: NBS accepted Tuchmann/Meyer work as DES (56-bit key)
  - S-boxes were classified
- 1994: NIST reaffirmed DES for federal use for another 5 years
- 1999: NIST wanted to use DES for legacy systems
  - Use 3DES for others.

18 Feistel Network and DES

19 Figure 1: Classical Feistel Network

20 Figure 2: Feistel Encryption and Decryption

21 Example of Reversibility
XOR properties:
[A ⊕ B] ⊕ C = A ⊕ [B ⊕ C]
D ⊕ D = 0
E ⊕ 0 = E
Last round of encryption:
LE16 = RE15
RE16 = LE15 ⊕ F(RE15, K16)
First round of decryption:
LD1 = RD0 = LE16 = RE15
RD1 = LD0 ⊕ F(RD0, K16) = RE16 ⊕ F(RE15, K16) = [LE15 ⊕ F(RE15, K16)] ⊕ F(RE15, K16)

22 Figure 3: General Depiction of DES Encryption Algorithm

23 Figure 4: Single Round of DES Algorithm

24 Figure 5: Calculation of F(R,K)

25 Table 1: Permutation Tables for DES

26 Table 2: Definition of DES S-Boxes

27 Table 3: DES Key Schedule Calculation

28 F-box design criteria
Good Avalanche property
- A change in 1 bit of the input should produce a change in many output bits.
- Special case: Strict Avalanche Condition (SAC)
  - Any output bit j should change with probability 0.5 when any single input bit is inverted.
Bit Independence Criterion (BIC)
- Output bits j and k should change independently when any single input bit i is inverted.
Note
- SAC and BIC strengthen the confusion process.

29 S-box design criteria
Guaranteed Avalanche (GA) of order r
- 1 bit change in input provides at least r bit change in output.
- GA in the range of order 2-5 provides strong diffusion property.
- If two inputs to an S-box differ in exactly 1 bit, the outputs must differ in at least 2 bits.
- Each row of an S-box should include all 16 possible bit combinations.
Box size
- Larger box: more resistant to cryptanalysis, but more difficult to design.
- For practical reasons it is 6 x 4.

30 P-box design criteria
- The 4 o/p bits of each S-box affect SIX different S-boxes on the next round, and no two affect the same S-box.
- The 4 o/p bits from each S-box at round i are distributed by the P-box so that 2 of them affect middle bits of round i+1, and the other 2 bits affect end bits.
(Affect => to provide input for)

31 Triple DES
Encryption: 64-bit plaintext -> Encrypt DES (K1) -> Decrypt DES (K2) -> Encrypt DES (K1) -> 64-bit ciphertext
Decryption: 64-bit ciphertext -> Decrypt DES (K1) -> Encrypt DES (K2) -> Decrypt DES (K1) -> 64-bit plaintext

32 Advanced Encryption Standard
Size of data block: 128 bits
Key sizes
- 128 bits (10 rounds)
- 192 bits (12 rounds)
- 256 bits (14 rounds)
Structure of round i:
128-bit data -> Byte Substitution -> Byte Permutation -> MixColumn -> AddRoundKey (Ki) -> 128-bit data

33 Public-key cryptography
In public-key crypto the two keys are different:
- Public key: use to encrypt
- Private key: use to decrypt
Every user has two keys
- Distribute the public key.
- Keep your private key a secret.

34 Public-key cryptography: The RSA algorithm
Rivest, Shamir, and Adleman alg. (commonly used)
Sender wants to send plaintext P
- Public key: (N, e)
- P < N
- Encryption alg.: C = P^e mod N (C is the remainder of mod.)
- Transmit ciphertext C.
Receiver receives ciphertext C
- Private key: (N, d)
- Decryption alg.: P = C^d mod N
- P is the plaintext received.

35 Public-key cryptography: The RSA algorithm
Choosing Public and Private keys
- Choose two large prime numbers p and q.
- Compute N = p x q.
- Choose e < N such that e and (p - 1)(q - 1) are relatively prime
  - Relatively prime: no common factor except 1
  - Example: 25 and 27 are relatively prime.
- Choose d such that (e x d) mod [(p - 1)(q - 1)] = 1

36 Example
- Select two prime numbers: p = 17, q = 11.
- Calculate N = p*q = 17*11 = 187.
- Calculate φ(N) = (p-1)*(q-1) = 16*10 = 160. φ(N) is Euler's Totient Function.
- Select e such that e is relatively prime to φ(N) and e < N. (Choose e = 7)
- Determine d such that d*e ≡ 1 mod 160 and d < 160
  - Let d = 23, because 23*7 = 161 = 1*
- The two keys are:
  - Public key: [e, N] = [7, 187]
  - Private key: [d, N] = [23, 187]

37 Example
Choose a 1-byte message M (= 88 in decimal)
Encrypt:
C = 88^7 mod 187
  = [(88^4 mod 187) * (88^2 mod 187) * (88^1 mod 187)] mod 187
  = [132 * 77 * 88] mod 187
  = 11 (decimal)
Decrypt:
M = 11^23 mod 187
  = [(11^5 mod 187) * (11^5 mod 187) * (11^5 mod 187) * (11^5 mod 187) * (11^3 mod 187)] mod 187
  = [44 * 44 * 44 * 44 * 22] mod 187
  = 88
Another pair of keys: Public: [157, 187], Private: [53, 187]

38 Public-key cryptography: The RSA algorithm
Choosing a prime number
- Choose a random number M in the desired range.
- If M is prime, we are done.
- If not, search around M (What is the search space?)
- Result from number theory: the primes near M are spaced on the average one every ln(M) integers.
- Since even numbers can be ignored, one needs to test ln(M)/2 odd integers around M.
- Example: for M = 2^200, ln(M)/2 = 70 searches.
Finding relatively primes
- Prob. of two random numbers being relatively prime =

39 (Dis)Advantages of Crypto Systems
Secret Key
- Advantages
  - Efficient; often used for long messages
- Disadvantages
  - Large number of keys: N users => N(N-1)/2 symmetric keys
  - Problem in key distribution
Public Key
- Advantages
  - No need for a shared symmetric key between each user pair
  - Fewer keys
- Disadvantages
  - The association between entity and public key must be verified

40 Entity Authentication
Identity of a party is verified for the entire duration of access.
Two approaches
- Password
- Challenge text: 1-way and 2-way authentication

41 Entity Authentication with Symmetric-key Crypto.
First approach (Password authentication)
- Alice sends (Alice, password) encrypted with the symmetric key to Bob.
Security flaw
- Eve intercepts the message.
- Eve replays the message at a later time: Replay attack

42 Entity Authentication with Symmetric-key Crypto.
Second approach (1-way authentication)
- Use challenge text (nonce)
- Nonce: a large random number that is used only once.
Message sequence:
1. Alice -> Bob: Alice
2. Bob -> Alice: xyz
3. Alice -> Bob: Encrypt(xyz)

43 Entity Authentication with Symmetric-key Crypto.
Second approach (2-way authentication)
Message sequence:
1. Alice -> Bob: Alice, X
2. Bob -> Alice: Y, encrypt(X)
3. Alice -> Bob: encrypt(Y)
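
Added example (not part of the original slides): the password approach of slide 41 beside the nonce challenge of slide 42, showing why a captured message replays in the first and fails in the second. It assumes HMAC-SHA256 under the shared key as a stand-in for the slides' "encrypt with the symmetric key"; the class names, key, and password are constructed for the illustration.

```python
import hashlib
import hmac
import secrets


def keyed(key: bytes, data: bytes) -> bytes:
    """Stand-in for 'encrypt under the shared key' (assumption: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


class StaticVerifier:
    """Slide 41: Bob accepts one fixed protected (Alice, password) message."""

    def __init__(self, key: bytes, password: bytes):
        self._expected = keyed(key, b"Alice|" + password)

    def verify(self, message: bytes) -> bool:
        return hmac.compare_digest(message, self._expected)


class NonceVerifier:
    """Slide 42: Bob issues a fresh nonce and accepts each nonce only once."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)      # large random number, used once
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:   # unknown or already-used nonce
            return False
        self._outstanding.discard(nonce)     # consume it, pass or fail
        return hmac.compare_digest(response, keyed(self._key, nonce))


def run_demo() -> dict:
    key = secrets.token_bytes(32)            # constructed shared key
    results = {}

    # Approach 1: the same bytes authenticate every time, so a copy works too.
    bob = StaticVerifier(key, b"constructed-password")
    login = keyed(key, b"Alice|constructed-password")
    results["static_first"] = bob.verify(login)
    results["static_replay"] = bob.verify(login)      # captured copy, resent

    # Approach 2: the response is bound to a nonce Bob chose for this run.
    bob = NonceVerifier(key)
    n1 = bob.challenge()
    r1 = keyed(key, n1)
    results["nonce_first"] = bob.verify(n1, r1)
    results["nonce_replay_same"] = bob.verify(n1, r1)   # nonce already used
    n2 = bob.challenge()
    results["nonce_replay_fresh"] = bob.verify(n2, r1)  # old response, new nonce
    n3 = bob.challenge()
    results["nonce_next_login"] = bob.verify(n3, keyed(key, n3))
    return results


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name:20s} accepted={accepted}")
```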

44 Symmetric-key distribution
Issues in key distribution:
- Assume N parties => N(N - 1)/2 secret keys
- Each party stores (N - 1) keys
A symmetric key is useful if it is treated as a session key.
Example protocols for securely acquiring keys:
- Diffie-Hellman Protocol
- Key Distribution Center (KDC)
- Needham-Schroeder Protocol

45 Diffie-Hellman Protocol
Executed over the Internet. N and G are large primes known to both.
1. Alice computes R1 = G^x mod N and sends R1 to Bob.
2. Bob computes R2 = G^y mod N and sends R2 to Alice.
3. Alice computes K = (R2)^x mod N; Bob computes K = (R1)^y mod N.
Shared key: K = G^xy mod N
Proved: (G^x mod N)^y mod N = (G^y mod N)^x mod N = G^xy mod N

46 Diffie-Hellman: Man-in-the-Middle Attack
1. Alice computes R1 = G^x mod N and sends R1; Eve intercepts it.
2. Eve computes R2 = G^z mod N and sends R2 to both Alice and Bob.
3. Bob computes R3 = G^y mod N and sends R3; Eve intercepts it.
4. Alice computes K1 = (R2)^x mod N; Eve computes K1 = (R1)^z mod N.
5. Eve computes K2 = (R3)^z mod N; Bob computes K2 = (R2)^y mod N.
Result: K1 = G^xz mod N (Alice-Eve), K2 = G^zy mod N (Eve-Bob)

47 Diffie-Hellman: Man-in-the-Middle Attack
Diffie-Hellman Strength
- Difficult to break: finding x from R1 and y from R2 is difficult.
Weakness: sending R1 and R2 as plaintext.
Man-in-the-Middle attack
- Eve can fool Alice and Bob by creating two keys.
  - Key 1: Alice-Eve
  - Key 2: Eve-Bob
=> Trusted 3rd party. Idea behind KDC.

48 Key Distribution Centre: for a session key
Parties: Alice (KA: Sym. key), KDC, Bob (KB: Sym. key)
1. Alice -> KDC: Alice, Bob
2. KDC -> Alice: KA(KAB, KB(Alice, Bob, KAB))
3. Alice -> Bob: ticket KB(Alice, Bob, KAB)
Vulnerable to replay attack.

49 Needham-Schroeder Protocol: for a session key
Parties: Alice (KA: Sym. key), KDC, Bob (KB: Sym. key)
1. Alice -> Bob: Alice
2. Bob -> Alice: KB(RB)
3. Alice -> KDC: RA, Alice, Bob, KB(RB)
4. KDC -> Alice: KA(RA, Bob, KAB, KB(KAB, Alice, RB))
5. Alice -> Bob: KAB(R1), KB(KAB, Alice, RB)
6. Bob -> Alice: KAB(R1 - 1, R2)
7. Alice -> Bob: KAB(R2 - 1)

50 Other Services from a Secure System
Message authentication
- The receiver needs to be sure of the sender's identity.
Message integrity
- The data must arrive at the receiver exactly as they were sent.
Nonrepudiation
- The receiver must be able to prove that a received message came from a specific sender.
Achieved using digital signature

51 Digital Signature
When you send a document, sign (encrypt) it.
Sign the whole document.
- The sender uses his private key to encrypt the message.
- The receiver uses the public key to decrypt the message.
Authentication using DS
- Alice (encrypts with own private key) -> Bob (decrypts with Alice's public key)
- If Eve tries to impersonate Alice:
  - Eve (encrypts with own private key) -> Bob (decrypts with Alice's public key): Bob rejects the message

52 Digital Signature
Nonrepudiation using DS
- A trusted 3rd party saves the messages received by Bob from Alice.
- In case of a dispute, Bob appeals to the 3rd party.
- Bob shows that encrypting and decrypting the saved message with Alice's private and public keys can create a duplicate of the saved message.

53 Signing the digest
Alice: Message -> Hash -> Digest -> Encrypt with Alice's private key -> signed digest; signed digest + Message -> transmit to Bob over the Internet
Bob: Message -> Hash -> Digest; signed digest -> Decrypt with Alice's public key -> Digest; compare the two digests
Hash function examples:
- Message Digest 5 (MD5)
- Secure Hash Alg. 1 (SHA1)

54 Public-key Certification
Bob owns two items: <private key, public key>
- The public key is distributed
Problem
- Maintaining the association <Bob, public key>
- Susceptible to impersonation by Eve.
Bob wants two things
- He wants people to know his public key.
- He wants no one to accept a public key forged as Bob's.
Certification Authority
- Binds <Public key, Bob>
- Has a well-known public key <= Unforgeable.

55 Certification Authority (CA)
- Bob -> CA: message is Bob's ID
- CA -> Bob: asks for Bob's public key
- Bob -> CA: Bob sends PKCA(public key)
- CA
  - Writes the public key of Bob on a certificate (C)
  - Makes a message digest from the certificate (D).
  - Encrypts the digest with its own private key (ED).
- CA -> Bob: <C, ED>
- Bob announces <C, ED> to others
- Want Bob's public key
  - Create a digest from C: D1
  - Decrypt ED with CA's public key: D2
  - If D1 == D2, the certificate is valid for Bob and not for an imposter.

56 Certification Authority (CA): X.509
CA solves the problem of public-key fraud.
Side effect: certificates may be in different formats
X.509 describes certificates in a structured way
- Version: Version # of X.509
- Serial number: The unique ID used by the CA
- Signature: The certificate signature
- Issuer: The name of the CA defined by X.509
- Validity Period: Start and end period
- Subject: The entity whose public key is being certified
- Public key: The public key and the algorithms that use it

57 Kerberos: Authentication protocol + KDC
Parties: Alice, AS, TGS, Bob (Server)
1. Alice -> AS: request ticket for TGS
2. AS -> Alice: Alice-TGS session key and ticket for TGS
3. Alice -> TGS: request ticket for Bob
4. TGS -> Alice: Alice-Bob session key and ticket for Bob
5. Alice -> Bob: request service
6. Bob -> Alice: receive service

58 Kerberos Example
(KA: Sym. key of Alice generated on the fly)
1. Alice -> AS: Alice
2. AS -> Alice: KA(KS, KTG(Alice, KS))
   KS: session key for comm. with TGS
3. Alice -> TGS: KS(T), Bob, KTG(Alice, KS)
   Timestamp: prevents replay by Eve
4. TGS -> Alice: KS(Bob, KAB), KB(Alice, KAB)
5. Alice -> Bob: KAB(T), KB(Alice, KAB)
6. Bob -> Alice: KAB(T + 1)

59 Security in the Internet
IP layer security
- Complicated: multiple services (TCP, OSPF, ICMP)
- Not effective unless there is wider participation
- IPSec: prevailing technology
Transport layer security
- Secure Socket Layer (SSL)
- Transport Layer Security (TLS)
Application layer security
- Pretty Good Privacy (PGP)

60 IPSec
Provides a framework and mechanism
- No concrete encryption or authentication method
Requires a logical connection between two hosts
- Security Association (SA) protocol: signaling protocol
- Connectionless IP => Connection-oriented IP
- Simplex connection
- Elements of a conn.: ID, security protocol type, source IP addr
Operates in two modes
- Transport mode: security service to the upper layer
- Tunnel mode: security service to the tunneled packets

61 IPSec: two modes
Original IP packet: IP Header | The rest of the packet
Transport mode: IP Header | IPSec header | The rest of the packet
Tunnel mode: New IP Header | IPSec header | IP Header | The rest of the packet

62 IPSec: two security protocols
Two security protocols
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)
Authentication Header protocol
- Authenticate the source host
- Ensure the integrity of the payload in the IP packet
- Does not provide privacy (no encryption)
What does it do?
- Calculate a message digest (use a hash function + sym. key)
- Insert the digest in the AH header (location is mode dependent)

63 IPSec: AH
Packet: IP Header | IPSec header | The rest of the packet | Padding (even length)
- IP Header: Protocol = 51 => packet carries an AH; used in calculating digest
AH fields:
- Next header (8 bits): Protocol = original protocol field
- Payload length (8 bits): length in 4-byte multiples
- Reserved (16 bits)
- Security parameter index (conn. ID)
- Sequence number
- Authentication data (digest) (variable length)
Seq. number: prevents playback, is not repeated in a retransmitted packet, and does not wrap around when the limit is reached (new conn.)

64 IPSec: ESP
Original IP packet: IP Header | Rest of the payload
ESP packet (Protocol = 50): IP Header | ESP Header | Rest of the payload | ESP Trailer | Authentication Data
The figure marks the authenticated and the encrypted portions of the packet.
ESP Header:
- Security parameter index (32 bits)
- Sequence number (32 bits)
ESP Trailer:
- Padding
- Pad length (8 bits, in bytes)
- Next header (8 bits)

65 Transport Layer Security (TLS)
Stack: Application (HTTP) | TLS | TCP | IP
General idea: two parties agree on THREE protocols
- Entity authentication protocol (2-way)
- Message authentication protocol
- Encrypt/Decrypt protocol

66 Transport Layer Security (TLS)
Stack:
- Application (HTTP)
- TLS: Handshake Protocol, Change cipher spec Protocol, Alert Protocol
- TLS Record Protocol
- TCP

67 TLS: Entity authentication (Handshake protocol)
Between Client and Server:
- Phase I: Establish security capabilities
- Phase II: Server authentication and key exchange
- Phase III: Client authentication and key exchange
- Phase IV: Finalizing the handshaking protocol

68 TLS: Entity auth. (Handshake protocol)
Phase I
- Client/server announce their security capabilities.
- Choose those that are agreeable to both.
- Establish a session ID.
- Choose a cipher suite.
- Choose a compression method.

69 TLS: Entity auth. (Handshake protocol)
Phase II
- The server authenticates itself.
- The server may send its certificate, its public key, and request a certificate from the client.
Phase III
- The client authenticates itself (if required)
- May send a secret to be used in calculation of session keys.
Phase IV
- Exchange messages to establish cipher specs to allow them to use the keys.

70 TLS: Entity auth. (Handshake protocol)
Parameters
- Session ID: arbitrary byte sequence chosen by server
- Peer certificate: an X509 certificate of the peer (null?)
- Compression method: (optional) used before encrypt.
- Cipher spec.: data encryption algorithm (null/des/..), message digest algorithm (MD5/SHA)
- Master secret: a 48-byte secret between client/server

71 TLS: Entity authentication (Handshake protocol)
1. Client -> Server: ClientHello
2. Server -> Client: ServerHello, Certificate, ServerKeyExchange, CertificateRequest, ServerHelloDone
3. Client -> Server: Certificate, ClientKeyExchange, CertificateVerify
4. Client -> Server: Finished
5. Server -> Client: Finished
6. Application data
(The figure marks some of these messages as optional.)
Source: Communication Networks, Leon-Garcia, Widjaja

72 TLS: Record Protocol
Data from above -> Optional Compression -> Compressed data -> Hash -> Compressed data + Digest -> Encryption -> Header + Encrypted data

73 Application layer security
Pretty Good Privacy (PGP)
- Developed for sending
- Provides all the four aspects of security: privacy, integrity, authentication, and nonrepudiation
- Digital signature (hash + public-key encrypt.) => integrity, authentication, and non-repudiation
- Secret-key + public-key encryption => privacy

74 PGP at the sender (Alice)
Digital signature: Message -> Hash -> Digest -> Encrypt with Alice's private key -> Signed digest
Privacy: Message + Signed digest -> Encrypt with one-time secret key
One-time secret key -> Encrypt with Bob's public key
Transmit: encrypted secret key + encrypted (message + digest)

75 PGP at the receiver (Bob)
Encrypted (secret key) -> Decrypt with Bob's private key -> One-time secret key
Encrypted (message + digest) -> Decrypt with one-time secret key -> Message + Signed digest
Signed digest -> Decrypt with Alice's public key -> Digest
Message -> Hash -> Digest
Compare the two digests

76 Firewalls
Need for a firewall
- Digital signature + encryption cannot prevent Eve from sending a harmful message to a system.
Firewall
- A router or a computer + packet filtering mechanism
- Installed on the outer edge of an internal network
[Figure: Internet <-> Firewall <-> Internal network, with incoming and outgoing packets passing through the firewall]

77 Firewall
Example of packet filtering
- Drop all packets from a specific host
- Drop some kinds of packets to a specific host
Two classes of firewall
- Packet-filter firewall: TCP/IP level
- Proxy-based firewall: Application level

78 Packet-filter firewall
[Figure: firewall with interface 1 facing the Internet and interface 2 facing the internal network]
Filtering table columns: Interface, Source IP, Source port, Destination IP, Destination port (* = any; the table lists destination ports 23 (TELNET) and 80 (HTTP))
1. Incoming packets from network are blocked.
2. Incoming packets destined for internal TELNET server are blocked.
3. Incoming packets destined for internal host are blocked; internal use only.
4. Outgoing packets destined for an HTTP server are blocked. Your employer does not want you to browse the Internet.

79 Proxy Firewall
- Application level? Enforce policies
- Ex.: Users with previous business relations with the company can have access; others are blocked
- Packet-level filtering is not good enough.

80 Proxy Firewall
[Figure: Internet -> Firewall -> All HTTP packets -> HTTP Proxy (Application Gateway) -> Accepted packets -> HTTP Server; the proxy is also labelled "Errors"]

81 Extra slides for RSA

82 Background material for the RSA algorithm
Given a positive integer n, Zn = {0, 1, 2, ..., n-1}
- Known as residue classes modulo n.
Two integers are relatively prime if their only common positive integer factor is 1.
- Examples: 25 and 27 are relatively prime; 18 and 4 are not.
Two integers a and b are said to be congruent modulo n (n > 0) if (a mod n) = (b mod n).
- This is written as a ≡ b mod n.
- Examples: 73 4 mod mod 10
Properties:
(i) a ≡ b mod n if n | (a - b) (Note: n | x means n divides x.)
(ii) if (a + b) ≡ (a + c) mod n then b ≡ c mod n
(iii) if (a x b) ≡ (a x c) mod n then b ≡ c mod n, if a is relatively prime to n
(iv) For a prime number p, let Zp be the set as defined above. For each w ∈ Zp, w ≠ 0, the multiplicative inverse of w (denoted by w^-1) is z ∈ Zp such that w x z ≡ 1 mod p

83 Fermat's Theorem / Euler's Totient Function φ(n)
Fermat's Theorem
- If p is a prime and a is a +ve integer not divisible by p, then a^(p-1) ≡ 1 mod p
- An alternative form of the theorem: if p is prime and a is any positive integer, then a^p ≡ a mod p
Euler's Totient Function
- For a positive integer n, φ(n) is the number of positive integers less than n and relatively prime to n.
- For a prime p, φ(p) = p-1.
- Let p and q be two different primes. For n = pq, φ(n) = φ(pq) = (p-1) x (q-1) = φ(p) x φ(q). (proof not shown)
- Example: φ(35) = φ(7) x φ(5) = 6 x 4 =

84 Euler's Theorem
For every a and n that are relatively prime: a^φ(n) ≡ 1 mod n
- Example: a = 3; n = 10; φ(10) = φ(2 x 5) = (2-1) x (5-1) = 4; 3^4 = 81 ≡ 1 mod 10
An alternative form of the theorem: a^(φ(n)+1) ≡ a mod n
Important result: p and q are primes; n = pq and m an integer, 0 < m < n
- m^(kφ(n)+1) ≡ m mod n, where k is an arbitrary integer

85 Public-key cryptography: Extended Euclid's Alg.
Euclid's algorithm finds gcd(m, b)
If gcd(m, b) = 1, then b has a b^-1 such that b x b^-1 ≡ 1 mod m (b^-1 is called the multiplicative inverse of b.)
Algorithm
1. (A1, A2, A3) <- (1, 0, m); (B1, B2, B3) <- (0, 1, b)
2. if B3 = 0 return A3 = gcd(m, b); no inverse
3. if B3 = 1 return B3 = gcd(m, b); B2 holds b^-1
4. Q = ⌊A3/B3⌋
5. (T1, T2, T3) <- (A1 - Q x B1, A2 - Q x B2, A3 - Q x B3)
6. (A1, A2, A3) <- (B1, B2, B3)
7. (B1, B2, B3) <- (T1, T2, T3)
8. goto 2
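
Added example (not part of the original slides): the key generation of slides 35-36 and the encryption of slide 37, with d found by the Extended Euclid iteration of slide 85. Function names are chosen for this illustration; the primes are the slides' toy values and no padding is applied, so it is only for following the arithmetic.

```python
def ext_euclid_inverse(m, b):
    """Return b^-1 mod m with the (A1,A2,A3)/(B1,B2,B3) iteration of slide 85,
    or None when gcd(m, b) != 1 and no inverse exists."""
    a1, a2, a3 = 1, 0, m
    b1, b2, b3 = 0, 1, b % m
    while True:
        if b3 == 0:                  # step 2: gcd is A3, no inverse
            return None
        if b3 == 1:                  # step 3: B2 holds the inverse
            return b2 % m            # normalise a negative B2 into 0..m-1
        q = a3 // b3                 # step 4: integer quotient
        t1, t2, t3 = a1 - q * b1, a2 - q * b2, a3 - q * b3   # step 5
        a1, a2, a3 = b1, b2, b3      # step 6
        b1, b2, b3 = t1, t2, t3      # step 7


def modexp(base, exp, mod):
    """Square-and-multiply, the decomposition slide 37 uses for 88^7."""
    result = 1
    base %= mod
    while exp > 0:
        if exp & 1:                  # this bit of the exponent is set
            result = (result * base) % mod
        base = (base * base) % mod   # next power of two of the base
        exp >>= 1
    return result


def make_keys(p, q, e):
    """Slide 35: N = p*q, e relatively prime to (p-1)(q-1), e*d = 1 mod phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = ext_euclid_inverse(phi, e)
    if d is None:
        raise ValueError(f"e={e} is not relatively prime to phi={phi}")
    return (e, n), (d, n)


def encrypt(plaintext, public_key):
    e, n = public_key
    if not 0 <= plaintext < n:       # slide 34 requires P < N
        raise ValueError("plaintext must satisfy 0 <= P < N")
    return modexp(plaintext, e, n)


def decrypt(ciphertext, private_key):
    d, n = private_key
    return modexp(ciphertext, d, n)


if __name__ == "__main__":
    public, private = make_keys(17, 11, 7)
    c = encrypt(88, public)
    print("public", public, "private", private)
    print("C =", c, "M =", decrypt(c, private))
    print("second pair:", make_keys(17, 11, 157))
```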


More information

Web Security Considerations

Web Security Considerations CEN 448 Security and Internet Protocols Chapter 17 Web Security Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University mdahshan@ccis.ksu.edu.sa

More information

Network Security Technology Network Management

Network Security Technology Network Management COMPUTER NETWORKS Network Security Technology Network Management Source Encryption E(K,P) Decryption D(K,C) Destination The author of these slides is Dr. Mark Pullen of George Mason University. Permission

More information

Authenticity of Public Keys

Authenticity of Public Keys SSL/TLS EJ Jung 10/18/10 Authenticity of Public Keys Bob s key? private key Bob public key Problem: How does know that the public key she received is really Bob s public key? Distribution of Public Keys!

More information

159.334 Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

159.334 Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology Network Security 1 Professor Richard Harris School of Engineering and Advanced Technology Presentation Outline Overview of Identification and Authentication The importance of identification and Authentication

More information

IT Networks & Security CERT Luncheon Series: Cryptography

IT Networks & Security CERT Luncheon Series: Cryptography IT Networks & Security CERT Luncheon Series: Cryptography Presented by Addam Schroll, IT Security & Privacy Analyst 1 Outline History Terms & Definitions Symmetric and Asymmetric Algorithms Hashing PKI

More information

How To Understand And Understand The Ssl Protocol (Www.Slapl) And Its Security Features (Protocol)

How To Understand And Understand The Ssl Protocol (Www.Slapl) And Its Security Features (Protocol) WEB Security: Secure Socket Layer Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - COMP581 - L22 1 Outline of this Lecture Brief Information on SSL and TLS Secure Socket Layer (SSL) Transport Layer Security

More information

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:

More information

Managing and Securing Computer Networks. Guy Leduc. Chapter 4: Securing TCP. connections. connections. Chapter goals: security in practice:

Managing and Securing Computer Networks. Guy Leduc. Chapter 4: Securing TCP. connections. connections. Chapter goals: security in practice: Managing and Securing Computer Networks Guy Leduc Chapter 4: Securing TCP connections Computer Networking: A Top Down Approach, 6 th edition. Jim Kurose, Keith Ross Addison-Wesley, March 2012. (section

More information

Chapter 8 Security. IC322 Fall 2014. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Chapter 8 Security. IC322 Fall 2014. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 Chapter 8 Security IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross, All

More information

AC76/AT76 CRYPTOGRAPHY & NETWORK SECURITY DEC 2014

AC76/AT76 CRYPTOGRAPHY & NETWORK SECURITY DEC 2014 Q.2a. Define Virus. What are the four phases of Viruses? In addition, list out the types of Viruses. A virus is a piece of software that can infect other programs by modifying them; the modification includes

More information

Chapter 17. Transport-Level Security

Chapter 17. Transport-Level Security Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics

More information

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP) Security Protocols Security Protocols Necessary to communicate securely across untrusted network Provide integrity, confidentiality, authenticity of communications Based on previously discussed cryptographic

More information

Chapter 7 Transport-Level Security

Chapter 7 Transport-Level Security Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Security Socket Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell

More information

Communication Systems SSL

Communication Systems SSL Communication Systems SSL Computer Science Organization I. Data and voice communication in IP networks II. Security issues in networking III. Digital telephony networks and voice over IP 2 Network Security

More information

Application Layer (1)

Application Layer (1) Application Layer (1) Functionality: providing applications (e-mail, www, USENET etc) providing support protocols to allow the real applications to function properly security comprising a large number

More information

Cryptography and Network Security

Cryptography and Network Security Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 3: Block ciphers and DES Ion Petre Department of IT, Åbo Akademi University January 17, 2012 1 Data Encryption Standard

More information

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Overview of CSS SSL. SSL Cryptography Overview CHAPTER CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet, ensuring secure transactions such as the transmission of credit card numbers

More information

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009 16 th lecture Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009 1 25 Organization Welcome to the New Year! Reminder: Structure of Communication Systems lectures

More information

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security UNIT 4 SECURITY PRACTICE Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security Slides Courtesy of William Stallings, Cryptography & Network Security,

More information

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key Friends and Enemies Security Outline Encryption lgorithms Protocols Message Integrity Protocols Key Distribution Firewalls Figure 7.1 goes here ob, lice want to communicate securely Trudy, the intruder

More information

Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed.

Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1 We have learned Symmetric encryption: DES, 3DES, AES,

More information

7! Cryptographic Techniques! A Brief Introduction

7! Cryptographic Techniques! A Brief Introduction 7! Cryptographic Techniques! A Brief Introduction 7.1! Introduction to Cryptography! 7.2! Symmetric Encryption! 7.3! Asymmetric (Public-Key) Encryption! 7.4! Digital Signatures! 7.5! Public Key Infrastructures

More information

CSC 474 Information Systems Security

CSC 474 Information Systems Security CSC 474 Information Systems Security Topic 4.5 Transport Layer Security CSC 474 Dr. Peng Ning 1 Transport Layer Security Protocols Secure Socket Layer (SSL) Originally developed to secure http Version

More information

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket IT 4823 Information Security Administration Public Key Encryption Revisited April 5 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles

More information

CSC 774 -- Network Security

CSC 774 -- Network Security CSC 774 -- Network Security Topic 6: Transport Layer Security Dr. Peng Ning CSC 774 Network Security 1 Transport Layer Security Protocols Secure Socket Layer (SSL) Originally developed to secure http Version

More information

Security vulnerabilities in the Internet and possible solutions

Security vulnerabilities in the Internet and possible solutions Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA Diffie-Hellman Key Exchange Public key and

More information

Lecture 9: Application of Cryptography

Lecture 9: Application of Cryptography Lecture topics Cryptography basics Using SSL to secure communication links in J2EE programs Programmatic use of cryptography in Java Cryptography basics Encryption Transformation of data into a form that

More information

Symmetric Key cryptosystem

Symmetric Key cryptosystem SFWR C03: Computer Networks and Computer Security Mar 8-11 200 Lecturer: Kartik Krishnan Lectures 22-2 Symmetric Key cryptosystem Symmetric encryption, also referred to as conventional encryption or single

More information

Security: Focus of Control. Authentication

Security: Focus of Control. Authentication Security: Focus of Control Three approaches for protection against security threats a) Protection against invalid operations b) Protection against unauthorized invocations c) Protection against unauthorized

More information

Network Security Web Security and SSL/TLS. Angelos Keromytis Columbia University

Network Security Web Security and SSL/TLS. Angelos Keromytis Columbia University Network Security Web Security and SSL/TLS Angelos Keromytis Columbia University Web security issues Authentication (basic, digest) Cookies Access control via network address Multiple layers SHTTP SSL (TLS)

More information

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features in this chapter apply to IPv4 and IPv6 unless otherwise noted. Secure

More information

Transport Level Security

Transport Level Security Transport Level Security Overview Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/

More information

Multimedia Networking and Network Security

Multimedia Networking and Network Security CMPT371 12-1 Multimedia Networking and Network Security 1 Multimedia Networking and Network Security This note is based on Chapters 7 and 8 of the text book. Outline of multimedia networking Multimedia

More information

WEB Security & SET. Outline. Web Security Considerations. Web Security Considerations. Secure Socket Layer (SSL) and Transport Layer Security (TLS)

WEB Security & SET. Outline. Web Security Considerations. Web Security Considerations. Secure Socket Layer (SSL) and Transport Layer Security (TLS) Outline WEB Security & SET (Chapter 19 & Stalling Chapter 7) Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Electronic Transaction (SET) Web Security Considerations

More information

Lukasz Pater CMMS Administrator and Developer

Lukasz Pater CMMS Administrator and Developer Lukasz Pater CMMS Administrator and Developer EDMS 1373428 Agenda Introduction Why do we need asymmetric ciphers? One-way functions RSA Cipher Message Integrity Examples Secure Socket Layer Single Sign

More information

Part III-b. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT

Part III-b. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT Part III-b Contents Part III-b Secure Applications and Security Protocols Practical Security Measures Internet Security IPSEC, IKE SSL/TLS Virtual Private Networks Firewall Kerberos SET Security Measures

More information

NETWORK ADMINISTRATION AND SECURITY

NETWORK ADMINISTRATION AND SECURITY NETWORK ADMINISTRATION AND SECURITY Unit I (NAS) (W- 10) Q. 1) What is Security Attack? Explain general categories of attack with examples. 7 Q. 2) List and define the five security services. 5 Q. 3) Define

More information

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Network Security (2) CPSC 441 Department of Computer Science University of Calgary Network Security (2) CPSC 441 Department of Computer Science University of Calgary 1 Friends and enemies: Alice, Bob, Trudy well-known in network security world Bob, Alice (lovers!) want to communicate

More information

CRYPTOGRAPHY IN NETWORK SECURITY

CRYPTOGRAPHY IN NETWORK SECURITY ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIEN-CHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can

More information

Public Key Cryptography Overview

Public Key Cryptography Overview Ch.20 Public-Key Cryptography and Message Authentication I will talk about it later in this class Final: Wen (5/13) 1630-1830 HOLM 248» give you a sample exam» Mostly similar to homeworks» no electronic

More information

Overview of SSL. Outline. CSC/ECE 574 Computer and Network Security. Reminder: What Layer? Protocols. SSL Architecture

Overview of SSL. Outline. CSC/ECE 574 Computer and Network Security. Reminder: What Layer? Protocols. SSL Architecture OS Appl. CSC/ECE 574 Computer and Network Security Outline I. Overview II. The Record Protocol III. The Handshake and Other Protocols Topic 8.3 /TLS 1 2 Reminder: What Layer? Overview of 3 4 Protocols

More information

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Final exam review, Fall 2005 FSU (CIS-5357) Network Security Final exam review, Fall 2005 FSU (CIS-5357) Network Security Instructor: Breno de Medeiros 1. What is an insertion attack against a NIDS? Answer: An insertion attack against a network intrusion detection

More information

Chapter 8 Network Security

Chapter 8 Network Security Chapter 8 Network Security A note on the use of these ppt slides: We re making these slides freely available to all (faculty, students, readers). They re in PowerPoint form so you can add, modify, and

More information

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1 Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 8-1 roadmap 1 What is network security? 2 Principles of cryptography 3 Message integrity, authentication

More information

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Introduction to Cryptography What is cryptography?

More information

INF3510 Information Security University of Oslo Spring 2011. Lecture 9 Communication Security. Audun Jøsang

INF3510 Information Security University of Oslo Spring 2011. Lecture 9 Communication Security. Audun Jøsang INF3510 Information Security University of Oslo Spring 2011 Lecture 9 Communication Security Audun Jøsang Outline Network security concepts Communication security Perimeter security Protocol architecture

More information

Secure Socket Layer. Security Threat Classifications

Secure Socket Layer. Security Threat Classifications Secure Socket Layer 1 Security Threat Classifications One way to classify Web security threats in terms of the type of the threat: Passive threats Active threats Another way to classify Web security threats

More information

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT Subject Code Department Semester : Network Security : XCS593 : MSc SE : Nineth Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT Part A (2 marks) 1. What are the various layers of an OSI reference

More information

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography What Is Steganography? Steganography Process of hiding the existence of the data within another file Example:

More information

SECURE SOCKETS LAYER (SSL)

SECURE SOCKETS LAYER (SSL) INFS 766 Internet Security Protocols Lecture 5 SSL Prof. Ravi Sandhu SECURE SOCKETS LAYER (SSL) layered on top of TCP SSL versions 1.0, 2.0, 3.0, 3.1 Netscape protocol later refitted as IETF standard TLS

More information

Message authentication and. digital signatures

Message authentication and. digital signatures Message authentication and " Message authentication digital signatures verify that the message is from the right sender, and not modified (incl message sequence) " Digital signatures in addition, non!repudiation

More information

Security in Computer Networks

Security in Computer Networks Security in Computer Networks Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@wustl.edu Audio/Video recordings of this lecture are available on-line at: http://www.cse.wustl.edu/~jain/cse473-10/

More information

Overview of Public-Key Cryptography

Overview of Public-Key Cryptography CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

More information

Part 2 D(E(M, K),K ) E(M, K) E(M, K) Plaintext M. Plaintext M. Decrypt with private key. Encrypt with public key. Ciphertext

Part 2 D(E(M, K),K ) E(M, K) E(M, K) Plaintext M. Plaintext M. Decrypt with private key. Encrypt with public key. Ciphertext Part 2 Plaintext M Encrypt with public key E(M, K) Ciphertext Plaintext M D(E(M, K),K ) Decrypt with private key E(M, K) Public and private key related mathematically Public key can be published; private

More information

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)

More information

CPS 590.5 Computer Security Lecture 9: Introduction to Network Security. Xiaowei Yang xwy@cs.duke.edu

CPS 590.5 Computer Security Lecture 9: Introduction to Network Security. Xiaowei Yang xwy@cs.duke.edu CPS 590.5 Computer Security Lecture 9: Introduction to Network Security Xiaowei Yang xwy@cs.duke.edu Previous lectures Worm Fast worm design Today Network security Cryptography building blocks Existing

More information

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 hmsun@cs.nthu.edu.tw Phone: 03-5742968 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 hmsun@cs.nthu.edu.tw Phone: 03-5742968 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室 Network Security 孫 宏 民 hmsun@cs.nthu.edu.tw Phone: 03-5742968 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室 Security Attacks Normal flow: sender receiver Interruption: Information source Information destination

More information

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Network Layer: IPSec Transport Layer: SSL/TLS Chapter 4: Security on the Application Layer Chapter 5: Security

More information

Lecture G1 Privacy, Security, and Cryptography. Computing and Art : Nature, Power, and Limits CC 3.12: Fall 2007

Lecture G1 Privacy, Security, and Cryptography. Computing and Art : Nature, Power, and Limits CC 3.12: Fall 2007 Lecture G1 Privacy, Security, and Cryptography Computing and Art : Nature, Power, and Limits CC 3.12: Fall 2007 Functionalia Instructor Chipp Jansen, chipp@sci.brooklyn.cuny.edu Course Web Page http://www.sci.brooklyn.cuny.edu/~chipp/cc3.12/

More information

Telematics Chapter 11: Network Security Beispielbild User watching video clip

Telematics Chapter 11: Network Security Beispielbild User watching video clip Telematics Chapter 11: Network Security Beispielbild User watching video clip Server with video clips Application Layer Application Layer Prof. Dr. Mesut Güneş Presentation Layer Presentation Layer Computer

More information

Computer Networks - CS132/EECS148 - Spring 2013 --------------------------------------------------------------------------

Computer Networks - CS132/EECS148 - Spring 2013 -------------------------------------------------------------------------- Computer Networks - CS132/EECS148 - Spring 2013 Instructor: Karim El Defrawy Assignment 5 Deadline : May 30th 9:30pm (hard and soft copies required) --------------------------------------------------------------------------

More information

Principles of Network Security

Principles of Network Security he Network Security Model Bob and lice want to communicate securely. rudy (the adversary) has access to the channel. lice channel data, control s Bob Kai Shen data secure sender secure receiver data rudy

More information

Netzwerksicherheit: Anwendungen

Netzwerksicherheit: Anwendungen Internet-Technologien (CS262) Netzwerksicherheit: Anwendungen 22. Mai 2015 Christian Tschudin & Thomas Meyer Departement Mathematik und Informatik, Universität Basel Chapter 8 Security in Computer Networks

More information

Secure Socket Layer (SSL) and Trnasport Layer Security (TLS)

Secure Socket Layer (SSL) and Trnasport Layer Security (TLS) Secure Socket Layer (SSL) and Trnasport Layer Security (TLS) CSE598K/CSE545 - Advanced Network Security Prof. McDaniel - Spring 2008 1 SSL/TLS The Secure Socket Layer (SSL) and Transport Layer Security

More information

Information Security

Information Security SE 4472 / ECE 9064 Information Security Week 11: Transport Layer Security (TLS): Putting it all together Fall 2015 Prof. Aleksander Essex Security at the Transport Layer Where we started in this course:

More information

CSE/EE 461 Lecture 23

CSE/EE 461 Lecture 23 CSE/EE 461 Lecture 23 Network Security David Wetherall djw@cs.washington.edu Last Time Naming Application Presentation How do we name hosts etc.? Session Transport Network Domain Name System (DNS) Data

More information

How To Encrypt With A 64 Bit Block Cipher

How To Encrypt With A 64 Bit Block Cipher The Data Encryption Standard (DES) As mentioned earlier there are two main types of cryptography in use today - symmetric or secret key cryptography and asymmetric or public key cryptography. Symmetric

More information

Cornerstones of Security

Cornerstones of Security Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to

More information