Lecture 9 - Network Security TDTS (ht1)

Transcription

1 Lecture 9 - Network Security TDTS (ht1) Prof. Dr. Christoph Schuba Linköpings University/IDA Schuba@IDA.LiU.SE Reading: Office hours: [Hal05] ; ; am on Oct. 4+5, 11+12, Nov. 1+2, 8+9 or by appointment via -1-

2 Overview Security Goals Encryption Technologies Non-repudiation Authentication Public Key Certification Privacy Network and Web Security -2-

3 Security Goals Confidentiality: Property that data is not disclosed in an unauthorized manner Integrity: Property that resources/data have not been modified in an unauthorized manner Authenticity: Assertion about entity identities or the origin of information Non-repudiation: Concept that integrity and origin of data are verifiable Availability: Timely, reliable access to resources by authorized entities -3-

4 Encryption Technologies The model: see [Fig. 10.1] Terminology: plaintext (P, m) vs. ciphertext (C, c) encryption E() vs. decryption D() key K active vs. passive attacks eavesdropping, masquerading -4-

5 Figure 10.1 Data encryption terminology -5-

6 Two Types of Cryptosystems Conventional cryptosystems: EK and DK Both EK and DK must remain secret EK = DK or EK DK Public-key cryptosystems: RS and RP RS RP One key (private key) must remain private Other key (public key) can be published -6-

7 Conventional Cryptosystems (aka Private Key Systems) Age-old Technology: Substitution, Transposition, and Product Ciphers Benefits: Well studied and understood High performance Drawbacks: Key distribution problem -7-

8 Substitution Ciphers Each characters in the plaintext is substituted for another character in the ciphertext Four classical types: Simple substitution cipher (aka monoalphabetic cipher) Homophonic substitution cipher Polygram substitution cipher Polyalphabetic substitution cipher -8-

9 Simple Subsitution Cipher Caesar Cipher (B.C.) Each plaintext character is replaced by the character 3 to the right, modulo 26 c = E(m) := (m+3) % 26 m = D(c) := (c+23) % 26 ROT13 Every letter is rotated 13 places c = E(m) := (m+13) % 26 m = D(c) := (c+13) % 26-9-

10 Homophonic Substitution Cipher Duchy of Mantua (1401) Same as monoalphabetic substitution cipher, but each plaintext character maps to several characters of ciphertext, any of which can be chosen Example: Encryption: A -> 5, 13, 25, or 56 B -> 7, 19, 31, or 42 Used to smooth out observable statistical patterns

11 Polygram Substitution Cipher Leon Battista (1568) Blocks of plaintext characters are mapped to corresponding blocks of ciphertext characters Example: Encryption: ABA -> RTQ ABB -> SLL Examples: Vignère cipher (1586) Beaufort cipher

12 Polyalphabetic Substitution Cipher Monoalphabetic ciphers with multiple keys Trick: increase the number of keys (period) to get better security In the extreme: Running Key Cipher: Increase the period to the length of the plaintext

13 Transposition Ciphers The plaintext remains the same, but the order of characters is modified Example: Encryption: Write plaintext in rows, then read it out in columns Decryption: Write ciphertext in columns, then read it out in rows What is the key? Rotor machines, e.g., Enigma (WW II)

14 Excursion: Enigma

15 Product Ciphers Use a combination of substitutions and transpositions Transpositions aka permutations (P-Boxes) Three types [Fig (a)]: (i) straight (ii) expanded (iii) compressed Subsitutions: defined through S-Boxes Needed to reduce the size of keys! See [Fig (b)]

16 Figure 10.2 Product cipher components: (a) P-box examples

17 Figure 10.2 Product cipher components: (b) S-box example

18 Example of a Product Cipher See [Fig. 10.3]: a combination of substitutions and transpositions Combination of P-Boxes and S-Boxes Popular technology: DES - Data Encryption Standard AES - Advanced Encryption Standard IDEA - International Data Encryption Algorithm and many more

19 Figure 10.3 Example of a product cipher

20 The Data Encryption Standard NIST: 1972 and 1974: Call for proposals 1976: Federal Standard, ratified ANSI 1981 Block cipher: data blocks are 64 bits Key size: 56 bits Key is used to select 16 keys of 48 bits each see [Fig (a)]

21 Figure 10.4 DES algorithm principles: (a) overall schematic

22 Figure 10.4 DES algorithm principles: (b) substitution schematic

23 Figure 10.4 DES algorithm principles: (c) substitution operation

24 Triple DES Problem: brute force attack against a 56-bit long key is now feasible Interim solution: apply DES multiple (three) times, giving it an effective security of 112 bits Illustrated in [Fig. 10.5]

25 Figure 10.5 Triple DES schematic

26 DES Modes of Operation (Chaining) Electronic Code Book (ECB) ciphertext blocks are independent of each other Chain Block Cipher (CBC) current plaintext is x-or'ed with previous ciphertext to gain stream integrity properties Cipher Feedback Mode (CFM) similar to CBC, but operating on 8-bit boundaries Detailed figures in [Hal05 Fig. 10.6]

27 Two Types of Cryptosystems Conventional cryptosystems: EK and DK Both EK and DK must remain secret EK = DK or EK DK Public-key cryptosystems: RS and RP RS RP One key (private key) must remain private Other key (public key) can be published

28 Figure 10.8 RSA schematic

29 Public-key Cryptosystems (aka Public Key Systems) Fairly recent technology (1976) DH, RSA, ECC Benefits: Very flexible Can provide confidentiality, integrity, authenticity, and non-repudiation services Drawbacks: Lower performace than conventional cryptography

30 Public-key Cryptography Alice and Bob (X) each have their own + private/public key pair (K X,K X): Private Key Public Key + K K Alice A A + K K Bob B B Confidentiality, Integrity, and Autenticity are then accomplished by combining encryptions and decryptions in the right combination

31 Security Goals Notation: {m}k means that message m is X encrypted by X using his own private key K-X Confidentiality and Integrity: A->B: {m}k+b Authenticity and Nonrepudiation: A->B: {m}k-a All four goals at once: A->B: {{m}k-a}k+b

32 More on Authentication Authenticity: Assertion about entity identities or the origin of information Authentication using a public key system: [Fig ] Authentication using a private key system: [Fig ]

33 Figure User authentication using a public key scheme

34 The Kerberos System Concept of a Trusted Third Party Key Dristribution Server Tickets and Ticket Granting Server Service Server

35 Figure User authentication using Kerberos: (a) terminology and message exchange

36 Figure User authentication using Kerberos: (b) key and ticket definitions

37 Figure User authentication using Kerberos: (c) message contents

38 Hash Functions and Message Authentication Codes (MAC) Many names, same basic building block: hash function, one-way hash function, compression function, contraction function, message digest, fingerprint, cryptographic checksum, message integrity check, manipulation detection code Properties: hash value := H(pre-image) One-way: Computing H() is easy, H-1() is hard Collision-free: It's hard to find two pre-images with same hash value Hash function definition is public MAC: H(pre-image secret key)

39 Public Key Certification Problem: + Assertion of the binding: K to A A Possible attack in [Fig ] Countermeasure: Certificate: digitally signed binding between public keys and their principals Content: issuer name, serial#, subject name, public key, validity period, signature Typically organized in a hierarchy: Public key certification hierarchy (PKI)

40 Figure A possible threat when using a public key system

41 Public-key Certification Hierarchy Certificate Issuer name Subject Subject's public key Signature {m}k-issuer

42 Public-key Certification Hierarchy Subject: Subject's public key: Certificate Issuer name Subject Subject's public key Signature {m}k-issuer

43 Public-key Certification Hierarchy m := (alice@student.liu.se, K+alice@student.liu.se ) ca-student.liu.se Certificate Issuer name Subject alice@student.liu.se K+alice@student.liu.se {m}k-ca-student.liu.se Subject's public key Signature {m}k-issuer

44 Public-key Certification Hierarchy ca-liu.se ca-student.liu.se K+ca-student.liu.se {m}k-ca-liu.se Certificate Issuer name Subject ca-student.liu.se {m}k-ca-student.liu.se Subject's public key Signature {m}k-issuer

45 Public-key Certification Hierarchy ca-se ca-liu.se K+ca-liu.se {m}k-ca-se ca-liu.se ca-student.liu.se K+ca-student.liu.se {m}k-ca-liu.se Certificate Issuer name Subject ca-student.liu.se {m}k-ca-student.liu.se Subject's public key Signature {m}k-issuer

46 Public-key Certification Hierarchy ca-se ca-liu.se K+ca-liu.se {m}k-ca-se ca-liu.se ca-student.liu.se K+ca-student.liu.se {m}k-ca-liu.se Certificate Issuer name {m}k-ca-student.liu.se Subject Subject's public key Signature {m}k-issuer ca-student.liu.se Well known: K+ca-se

47 Privacy Confidentiality: Property that data is not disclosed in an unauthorized manner Important application with day to day value Most popular examples: PGP: Pretty good privacy (PGP) Combination of MD5, RSA, IDEA, Base64, and ZivLempel PEM: Privacy enhanced mail Internet Standard See [Fig ] for details

48 Network Security IP Security (IPSec) IPSec history: SKIP vs. IPSec and IPv6 vs. IPv4 Technical contents: Authentication Header (AH) Encapsulating Security Payload (ESP) Security Association (SA) Security Parameter Index (SPI) Internet Key Exchange (IKE) Integrated into network layer End-to-End vs. Tunnel modes

49 Figure AH protocol header position and contents in transport mode

50 Web Security Secure Socket Layer (SSL) History: SSL vs. TLS (Transport Layer Security) Netscape and the IETF Layered on top of TCP Ever noticed http vs. https in a URL? Notion of a session

51 Figure The secure socket layer (SSL) protocol: (a) protocol stack

52 SSL - Protocol Phases Authentication (using a CA) Cryptographic algorithm negotiation Session Key exchange Transaction initiation Transaction information transfer

53 Figure The secure socket layer (SSL) protocol: (b) outline of the authentication and transaction initiation phases

54 Questions?