Chapter 10. Network Security

Transcription

1 Chapter 10 Network Security 10.1.

2 Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS 10.2

3 Chapter 10: Objective We introduce network security. We discuss security goals, types of attacks, and services provided by network security. We introduce the first goal of security, confidentiality. We discuss symmetric-key ciphers and asymmetric-key ciphers. We discuss other aspects of security: message integrity, message authentication, digital signature, entity authentication, and key management. We apply what we have learned in the first three sections to the top three layers of the TCP/IP suite. Finally, we discuss firewalls: packet-filter and proxy. 10.3

4 10-1 INTRODUCTION Information is an asset that has a value like any other asset. As an asset, information needs to be secured from attacks. To be secured, information needs to be hidden from unauthorized access (confidentiality), protected from unauthorized change (integrity), and available to an authorized entity when it is needed (availability). 10.4

5 Security Goals Let us first discuss three security goals: Confidentiality Integrity Availability 10.5

6 Attacks Our three goals of security, confidentiality, integrity, and availability, can be threatened by security attacks. Although the literature uses different approaches to categorizing the attacks, we divide them into three groups related to the security goals. Figure 10.1 shows the taxonomy. 10.6

7 (continued) Attacks Threatening Confidentiality Snooping Traffic Analysis Attacks Threatening Integrity Modification Masquerading Replaying Repudiation Attacks Threatening Availability Denial of Service 10.7

8 Figure 10.1: Taxonomy of attacks with relation to security goals 10.8

9 Services and Techniques ITU-T defines some security services to achieve security goals and prevent attacks. Each of these services is designed to prevent one or more attacks while maintaining security goals. The actual implementation of security goals needs some techniques. Two techniques are prevalent today: Cryptography Steganography 10.9

10 10-2 CONFIDENTIALITY We now look at the first goal of security, confidentiality. Confidentiality can be achieved using ciphers. Ciphers can be divided into two broad categories: symmetric-key and asymmetric-key

11 Symmetric-Key Ciphers A symmetric-key cipher uses the same key for both encryption and decryption, and the key can be used for bidirectional communication, which is why it is called symmetric. Figure 10.2 shows the general idea behind a symmetric-key cipher

12 (continued) Traditional Symmetric-Key Ciphers Substitution Ciphers Transposition Ciphers Stream and Block Ciphers Modern Symmetric-Key Ciphers Modern Block Ciphers Data Encryption Standard (DES) Modern Stream Ciphers 10.12

13 Figure 10.2: General idea of a symmetric-key cipher 10.13

14 Figure 10.3: Symmetric-key encipherment as locking and unlocking with the same key 10.14

15 Figure 10.4: Representation of plaintext and ciphertext characters in modulo

16 Example 10.1 Use the additive cipher with key = 15 to encrypt the message hello

17 Example 10.2 Use the additive cipher with key = 15 to decrypt the message WTAAD

18 Figure 10.5: An example key for a monoalphabetic substitution cipher 10.18

19 Example 10.3 We can use the key in Figure 10.5 to encrypt the message 10.19

20 Example 10.4 Assume that Alice and Bob agreed to use an autokey cipher with initial key value k 1 = 12. Now Alice wants to send Bob the message Attack is today. The three occurrences of t are encrypted differently

21 Figure 10.6: Transposition cipher 10.21

22 Figure 10.7: A modern block cipher 10.22

23 Figure 10.8: Components of a modern block cipher 10.23

24 Figure 10.9: General structure of DES 10.24

25 Figure 10.10: DES function 10.25

26 Figure 10.11: Key generation 10.26

27 Example 10.5 We choose a random plaintext block and a random key, and determine (using a program) what the ciphertext block would be (all in hexadecimal) as shown below

28 Example 10.6 To check the effectiveness of DES when a single bit is changed in the input, we use two different plaintexts with only a single bit difference (in a program). The two ciphertexts are completely different without even changing the key. Although the two plaintext blocks differ only in the rightmost bit, the ciphertext blocks differ in 29 bits

29 Figure 10.12: One-time pad 10.29

30 Asymmetric-Key Ciphers In previous sections we discussed symmetric-key ciphers. In this section, we start the discussion of asymmetric-key ciphers. Symmetric- and asymmetric-key ciphers will exist in parallel and continue to serve the community. We actually believe that they are complements of each other; the advantages of one can compensate for the disadvantages of the other

31 (continued) General Idea Plaintext/Ciphertext Encryption/Decryption Need for Both RSA Cryptosystem Procedure Applications 10.31

32 Figure 10.13: Locking and unlocking in asymmetric-key cryptosystem 10.32

33 Figure 10.14: General idea of asymmetric-key cryptosystem 10.33

34 Figure 10.15: Encryption, decryption, and key generation in RSA 10.34

35 Example 10.7 For the sake of demonstration, let Bob choose 7 and 11 as p and q and calculate n = 7 11 = 77, φ(n) = (7 1)(11 1), or 60. If he chooses e to be 13, then d is 37. Note that e d mod 60 = 1. Now imagine that Alice wants to send the plaintext 5 to Bob. She uses the public exponent 13 to encrypt 5. This system is not safe because p and q are small

36 Example 10.8 Here is a more realistic example calculated using a computer program in Java. We choose a 512-bit p and q, calculate n and φ(n). We then choose e and calculate d. Finally, we show the results of encryption and decryption. The integer p is a 159-digit number

37 Example 10.8 (continued) 10.37

38 Example 10.8 (continued) 10.38

39 Example 10.8 (continued) 10.39

40 10-3 OTHER ASPECTS OF SECURITY The cryptography systems that we have studied so far provide confidentiality. However, in modern communication, we need to take care of other aspects of security, such as integrity, message and entity authentication, non-repudiation, and key management. We briefly discuss these issues in this section

41 Message Integrity There are occasions where we may not even need secrecy but instead must have integrity: the message should remain unchanged. For example, Alice may write a will to distribute her estate upon her death. The will does not need to be encrypted. After her death, anyone can examine the will. The integrity of the will, however, needs to be preserved. Message and Message Digest Hash Functions 10.41

42 Figure 10.16: Message and digest Insecure channel Channel immune to change 10.42

43 Message Authentication A digest can be used to check the integrity of a message that the message has not been changed. To ensure the integrity of the message and the data origin authentication that Alice is the originator of the message, not somebody else we need to include a secret shared by Alice and Bob (that Eve does not possess) in the process; we need to create a message authentication code (MAC). HMAC 10.43

44 Figure 10.17: Message authentication code M + MAC Insecure channel 10.44

45 Digital Signature Another way to provide message integrity and message authentication (and some more security services, as we will see shortly) is a digital signature. A MAC uses a secret key to protect the digest; a digital signature uses a pair of privatepublic keys

46 (continued) Comparison Inclusion Verification Method Relationship Duplicity Process Signing the Digest Services Message Authentication Message Integrity Non-repudiation 10.46

47 (continued) RSA Digital Signature Scheme Digital Signature Standard (DSS) 10.47

48 Figure 10.18: Digital signature process (M, S) 10.48

49 Figure 10.19: Signing the digest 10.49

50 Figure 10.20: Using a trusted center for non-repudiation (M, S A ) (M, S T ) 10.50

51 Figure 10.21: The RSA signature on the message digest 10.51

52 Entity Authentication Entity authentication is a technique designed to let one party verify the identity of another party. An entity can be a person, a process, a client, or a server. The entity whose identity needs to be proven is called the claimant; the party that tries to verify the identity of the claimant is called the verifier

53 (continued) Entity versus Message Authentication Verification Categories Passwords Challenge-Response Using a Symmetric-Key Cipher Using an Asymmetric-Key Cipher Using Digital Signatures 10.53

54 Figure 10.22: Unidirectional, symmetric-key authentication 10.54

55 Figure 10.23: Unidirectional, asymmetric-key authentication 10.55

56 Figure 10.24: Digital signature, unidirectional authentication 10.56

57 Key Management We discussed symmetric-key and asymmetric-key cryptography in the previous sections. However, we have not yet discussed how secret keys in symmetric-key cryptography, and public keys in asymmetric-key cryptography, are distributed and maintained. This section touches on these two issues

58 (continued) Symmetric-Key Distribution Key Distribution Center (KDC) Symmetric-Key Agreement Diffie-Hellman Key Agreement Public-Key Distribution Public Announcement Certification Authority X

59 Figure 10.25: Multiple KDCs 10.59

60 Figure 10.26: Creating a session key using KDC 10.60

61 Figure 10.27: Diffie-Hellman method 10.61

62 Example 10.9 Let us give a trivial example to make the procedure clear. Our example uses small numbers, but note that in a real situation, the numbers are very large. Assume that g = 7 and p = 23. The steps are as follows: 1. Alice chooses x = 3 and calculates R 1 = 7 3 mod 23 = 21. Bob chooses y = 6 and calculates R 2 = 7 6 mod 23 = Alice sends the number 21 to Bob

63 Example 10.9 (continued) 3. Bob sends the number 4 to Alice. 4. Alice calculates the symmetric key K = 4 3 mod 23 = 18. Bob calculates the symmetric key K = 21 6 mod 23 = 18. Conclusion: The value of K is the same for both Alice and Bob; g xy mod p = 7 18 mod 23 =

64 Figure 10.28: Certification authority 10.64

65 10-4 INTERNET SECURITY In this section, we discuss how the principles of cryptography are applied to the Internet. We discuss security in the application layer, transport layer, and network layer. Security at the data-link layer is normally a proprietary issue and is implemented by the designers of LANs and WANs

66 Application-Layer Security This section discusses two protocols providing security services for s: Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extension (S/MIME)

67 (continued) Security Cryptographic Algorithms Cryptographic Secrets Certificates Pretty Good Privacy (PGP) Scenarios Segmentation Key Rings PGP Algorithms PGP Certificates and Trusted Model PGP Packets Applications of PGP 10.67

68 (continued) S/MIME Cryptographic Message Syntax (CMS) Key Management Cryptographic Algorithms Applications of S/MIME 10.68

69 Figure 10.29: A plaintext message 10.69

70 Figure 10.30: An authenticated message 10.70

71 Figure 10.31: A compressed message 10.71

72 Figure 10.32: A confidential message 10.72

73 Figure 10.33: Key rings in PGP 10.73

74 Figure 10.34: Trust model 10.74

75 Figure 10.35: Signed-data content type 10.75

76 Figure 10.36: Enveloped-data content type 10.76

77 Figure 10.37: Digested-data content type 10.77

78 Figure 10.38: Authenticated-data content type 10.78

79 Example The following shows an example of an enveloped-data in which a small message is encrypted using triple DES

80 Transport-Layer Security Two protocols are dominant today for providing security at the transport layer: the Secure Sockets Layer (SSL) protocol and the Transport Layer Security (TLS) protocol. The latter is actually an IETF version of the former. We discuss SSL in this section; TLS is very similar. Figure shows the position of SSL and TLS in the Internet model

81 (continued) SSL Architecture Services Key Exchange Algorithms Encryption/Decryption Algorithms Hash Algorithms Cipher Suite Compression Algorithms Cryptographic Parameter Generation Sessions and Connections 10.81

82 (continued) Four Protocols Handshake Protocol ChangeCipherSpec Protocol Alert Protocol Record Protocol 10.82

83 Figure 10.39: Location of SSL and TLS in the Internet model 10.83

84 Figure 10.40: Calculation of master secret from pre-master secret 10.84

85 Figure 10.41: Calculation of key material from master secret 10.85

86 Figure 10.42: Extractions of cryptographic secrets from key material 10.86

87 Figure 10.43: Four SSL protocols 10.87

88 Figure 10.44: Handshake Protocol 10.88

89 Figure 10.45: Processing done by the Record Protocol 10.89

90 Network-Layer Security We need security at the network layer for three reasons. First, not all client/server programs are protected at the application layer. Second, not all client/server programs at the application layer use the services of TCP to be protected by the transport-layer security. Third, many applications, such as routing protocols, directly use the service of IP; they need security services at the IP layer. IP Security is a collection of protocols designed by the Internet Engineering 10.90

91 (continued) Two Modes Transport Mode Tunnel Mode Comparison Two Security Protocols Authentication Header (AH) Encapsulating Security Payload (ESP) IPv4 and IPv6 AH versus ESP 10.91

92 (continued) Services Provided by IPSec Access Control Message Integrity Entity Authentication Confidentiality Replay Attack Protection Security Association Idea of Security Association Security Association Database (SAD) Security Policy Security Policy Database 10.92

93 (continued) Internet Key Exchange (IKE) Virtual Private Network (VPN) 10.93

94 Figure 10.46: IPSec in transport mode 10.94

95 Figure 10.47: Transport mode in action 10.95

96 Figure 10.48: IPSec in tunnel mode 10.96

97 Figure 10.49: Tunnel mode in action 10.97

98 Figure 10.50: Transport mode versus tunnel mode 10.98

99 Figure 10.51: Authentication Header (AH) protocol 10.99

100 Figure 10.52: Encapsulating Security Payload (ESP)

101 Table 10.1: IPSec services

102 Figure 10.53: Simple SA

103 Figure 10.54: SAD

104 Figure 10.55: Security Policy Database

105 Figure 10.56: Outbound processing

106 Figure 10.57: Inbound processing

107 Figure 10.58: IKE components

108 Figure 10.59: Virtual private network

109 10-5 FIREWALLS All previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system we need firewalls. A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others

110 Figure 10.60: Firewall

111 Packet-Filter Firewalls A firewall can be used as a packet filter. It can forward or block packets based on the information in the network-layer and transport-layer headers: source and destination IP addresses, source and destination port addresses, and type of protocol (TCP or UDP). A packet-filter firewall is a router that uses a filtering table to decide which packets must be discarded (not forwarded). Figure shows an example of a filtering table for this kind of a firewall

112 Figure 10.61: Packet-filter firewall

113 Proxy Firewalls The packet-filter firewall is based on the information available in the network layer and transport layer headers (IP and TCP/UDP). However, sometimes we need to filter a message based on the information available in the message itself (at the application layer). One solution is to install a proxy computer to filter the messages

114 Figure 10.62: Proxy firewall

115 Chapter 10: Summary The three goals of security can be threatened by security attacks. Two techniques have been devised to protect information against attacks: cryptography and steganography. In a symmetric-key cipher the same key is used for encryption and decryption, and the key can be used for bidirectional communication. We can divide traditional symmetric-key ciphers into two broad categories: substitution ciphers and transposition ciphers. In an asymmetric key cryptography there are two separate keys: one private and one public. Asymmetric-key cryptography means that Bob and Alice cannot use the same set of keys for two-way communication

116 Chapter 10: Summary (continued) Other aspects of security include integrity, message authentication, entity authentication, and key management. The Pretty Good Privacy (PGP), invented by Phil Zimmermann, provides with privacy, integrity, and authentication. Another security service designed for electronic mail is Secure/Multipurpose Internet Mail Extension (S/MIME). A transport-layer security protocol provides end-to-end security services for applications that use the services of a reliable transport-layer protocol such as TCP. Two protocols are dominant today for providing security at the transport layer: Secure Sockets Layer (SSL) and Transport Layer Security (TLS)

117 Chapter 10: Summary (continued) IP Security (IPSec) is a collection of protocols designed by the IETF to provide security for a packet at the network level. IPSec operates in transport or tunnel mode. IPSec defines two protocols: Authentication Header (AH) Protocol and Encapsulating Security Payload (ESP) Protocol. A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter others. A firewall is usually classified as a packet-filter firewall or a proxy firewall