Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key



Similar documents
What is network security?

Chapter 7: Network security

Internet Programming. Security

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

CSE/EE 461 Lecture 23

Principles of Network Security

SECURITY IN NETWORKS

Network Security. HIT Shimrit Tzur-David

What is network security?

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Chapter 10. Network Security

Network Security #10. Overview. Encryption Authentication Message integrity Key distribution & Certificates Secure Socket Layer (SSL) IPsec

Lecture 9 - Network Security TDTS (ht1)

CS 3251: Computer Networking 1 Security Protocols I

Security: Focus of Control. Authentication

CRYPTOGRAPHY IN NETWORK SECURITY

Cornerstones of Security

Part 2 D(E(M, K),K ) E(M, K) E(M, K) Plaintext M. Plaintext M. Decrypt with private key. Encrypt with public key. Ciphertext

Properties of Secure Network Communication

Application Layer (1)

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

CS 348: Computer Networks. - Security; 30 th - 31 st Oct Instructor: Sridhar Iyer IIT Bombay

Network Security Protocols

Overview. SSL Cryptography Overview CHAPTER 1

CS 758: Cryptography / Network Security

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ MEng. Nguyễn CaoĐạt

Chapter 17. Transport-Level Security

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Getting the most from Apple Mail

Network Security - Secure upper layer protocols - Background. Security. Question from last lecture: What s a birthday attack? Dr.

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT

Chapter 8 Security. IC322 Fall Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Client Server Registration Protocol

EXAM questions for the course TTM Information Security May Part 1

Information Security

Content Teaching Academy at James Madison University

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Network Security. Network Security. Security in Computer Networks

Chapter 7 Transport-Level Security

SubmitedBy: Name Reg No Address. Mirza Kashif Abrar T079 kasmir07 (at) student.hh.se

Chapter 8 Network Security

TELE 301 Network Management. Lecture 18: Network Security

Managing and Securing Computer Networks. Guy Leduc. Chapter 3: Securing applications. Chapter goals: security in practice:

Elements of Security

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

NETWORK SECURITY. Farooq Ashraf. Department of Computer Engineering King Fahd University of Petroleum and Minerals Dhahran 31261, Saudi Arabia

Chapter 8. Network Security

Chapter 8. Cryptography Symmetric-Key Algorithms. Digital Signatures Management of Public Keys Communication Security Authentication Protocols

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

NETWORK ADMINISTRATION AND SECURITY

Is your data safe out there? -A white Paper on Online Security

Security in Distributed Systems. Network Security

Transport Level Security

Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

Network Security Fundamentals

WS_FTP Professional 12. Security Guide

Security vulnerabilities in the Internet and possible solutions

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

Key Management (Distribution and Certification) (1)

CS 161 Computer Security Spring 2010 Paxson/Wagner MT2

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli

Overview of Network Security

INTRODUCTION TO CRYPTOGRAPHY

ELECTRONIC COMMERCE OBJECTIVE QUESTIONS

T Cryptography and Data Security

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Computer Networks. Secure Systems

Authentication applications Kerberos X.509 Authentication services E mail security IP security Web security

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Introduction to Cryptography

THE UNIVERSITY OF TRINIDAD & TOBAGO

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CS5008: Internet Computing

Security in Computer Networks

How To Protect Your Data From Attack

Network Security Technology Network Management

Chapter 32 Internet Security

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

How To Understand And Understand The Security Of A Key Infrastructure

First Semester Examinations 2011/12 INTERNET PRINCIPLES

As enterprises conduct more and more

How To Use Pretty Good Privacy (Pgp) For A Secure Communication

Network Security. Raj Jain. The Ohio State University. Columbus, OH Raj Jain 31-1

Network Security. Outline of the Tutorial

Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn

Savitribai Phule Pune University

SSL/TLS: The Ugly Truth

PGP (Pretty Good Privacy) INTRODUCTION ZHONG ZHAO

Transcription:

Friends and Enemies Security Outline Encryption lgorithms Protocols Message Integrity Protocols Key Distribution Firewalls Figure 7.1 goes here ob, lice want to communicate securely Trudy, the intruder may intercept, delete, add messages Spring 2007 CSE30264 1 Spring 2007 CSE30264 2 Overview Cryptography functions Secret key (e.g., DES) Public key (e.g., RS) Message digest (e.g., MD5) public key Security services Privacy: preventing unauthorized release of information : verifying identity of the remote participant Integrity: making sure message has not been altered Security private key Secret Key (DES) Cryptography algorithms Security services Secret key (e.g., DES) Public key (e.g., RS) Message digest (e.g., MD5) Privacy Message integrity Spring 2007 CSE30264 3 Spring 2007 CSE30264 4 Symmetric Key 64-bit key (56-bits 8-bit parity) 16 rounds Each Round Substitution cipher: substituting one thing for another monoalphabetic cipher: substitute one letter for another Round 1 Initial permutation plaintext: abcdefghijklmnopqrstuvwxyz Round 2 L i 1 R i 1 F K i ciphertext: mnbvcxzasdfghjklpoiuytrewq 56-bit key E.g.: : bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc Round 16 Final permutation L i R i Spring 2007 CSE30264 5 Spring 2007 CSE30264 6 1

Repeat for larger messages Public Key (RS) IV lock 1 lock 2 lock 3 lock 4 public key private key DES Cipher 1 DES DES DES Cipher 2 Cipher 3 Cipher 4 Encryption & Decryption c = m e mod n m = c d mod n Spring 2007 CSE30264 7 Spring 2007 CSE30264 8 RS (cont) Choose two large prime numbers p and q (each 256 bits) Multiply p and q together to get n Choose the encryption key e, such that e and (p - 1) x (q - 1) are relatively prime. Two numbers are relatively prime if they have no common factor greater than one Compute decryption key d such that d*e = 1 mod ((p - 1) x (q - 1)) Construct public key as (e, n) Construct private key as (d, n) Discard (do not disclose) original primes p and q RS Example ob chooses p=5, q=7. Then n=35, z=24. e=5 (so e, z relatively prime). d=29 (so ed-1 exactly divisible by z). encrypt: decrypt: letter m m e c = m e mod n l 12 1524832 17 c c d m = c d mod n 17 481968572106750915091411825223072000 12 letter l Spring 2007 CSE30264 9 Spring 2007 CSE30264 10 Cryptographic checksum Message Digest just as a regular checksum protects the receiver from accidental changes to the message, a cryptographic checksum protects the receiver from malicious changes to the message. One-way function given a cryptographic checksum for a message, it is virtually impossible to figure out what message produced that checksum; it is not computationally feasible to find two messages that hash to the same cryptographic checksum. Relevance if you are given a checksum for a message and you are able to compute exactly the same checksum for that message, then it is highly likely this message produced the checksum you were given. Spring 2007 CSE30264 11 Goal: ob wants lice to prove her identity to him Spring 2007 CSE30264 12 2

E(y, CHK) E(x, Public ) I am lice encrypt(password) Spring 2007 CSE30264 13 Spring 2007 CSE30264 14 Protocols Trusted third party (Kerberos) Three-way handshake S Client Server, ClientId, E (, CHK) E((T, L, K, ), K ), E((T, L, K, ), K ) Y E((, T), K ), E ((T, L, K, ), K ) E(SK, SHK) E(T 1, K ) Spring 2007 CSE30264 15 Spring 2007 CSE30264 16 Public key authentication x Spring 2007 CSE30264 17 Spring 2007 CSE30264 18 3

Message Integrity Protocols Digital signature using RS special case of a message integrity where the code can only have been generated by one participant compute signature with private key and verify with public key Keyed MD5 sender: m MD5(m k) E(E(k,rcv_public), snd_private) receiver recovers random key using the sender s public key applies MD5 to the concatenation of this random key message MD5 with RS signature sender: m E(MD5(m), private) receiver decrypts signature with sender s public key compares result with MD5 checksum sent with message Certificate Public Key Distribution special type of digitally signed document: I certify that the public key in this document belongs to the entity named in this document, signed X. the name of the entity being certified the public key of the entity the name of the certification authority a digital signature Certification uthority (C) administrative entity that issues certificates useful only to someone that already holds the C s public key. Spring 2007 CSE30264 19 Spring 2007 CSE30264 20 Key Distribution (cont) Chain of Trust if X certifies that a certain public key belongs to Y, and Y certifies that another public key belongs to Z, then there exists a chain of certificates from X to Z someone that wants to verify Z s public key has to know X s public key and follow the chain Certificate Revocation List Serial number (unique to issuer) Certificate info about certificate owner, including algorithm and key value itself (not shown) info about certificate issuer valid dates digital signature by issuer Spring 2007 CSE30264 21 Spring 2007 CSE30264 22 Pretty Good Privacy (PGP) Pretty Good Privacy (PGP) PGP designed by Phillip Zimmerman for electronic mail Uses three known techniques: IDE for encrypting email message International Data Exchange lgorithm block cipher with 64-bit blocks similar in concept but different in details from DES uses 128-bit keys patented, but free for non-commercial use RS public key encryption permits keys up to 2,047 bits in length Digital signatures use MD5 or SH-1 PGP generates a random 128-bit symmetric key, used by IDE for each email message PGP generates its own public/private key pairs Keys are stored locally using a hashed pass phrase PGP does not use conventional certificates (too expensive) Instead, users generate and distribute their own public keys sign each other s public keys save trusted public keys on public-key ring users build a web of trust users determine how much to trust Spring 2007 CSE30264 23 Spring 2007 CSE30264 24 4

Pretty Good Privacy (PGP) PGP (cont) Encryption and authentication for email. Create a random k Original message Sender identity and message integrity confirmed if checksums match Encrypt message using DES with k Decrypt message using DES with k Calculate MD5 checksum over message contents Calculate MD5 checksum on received message and compare against received value Encryptk using RS with recipient s public key Decrypt E(k) using RS with my private key k Sign checksum using RS with senderõs private key Decrypt signed checksum with senderõs public key Encode message E (k ) in SCII for transmission Convert SCII message Transmitted message Transmitted message Spring 2007 CSE30264 25 Spring 2007 CSE30264 26 PGP GPG: Gnu Privacy Guard Internet e-mail encryption scheme, a de-facto standard. Uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described. Provides secrecy, sender authentication, integrity. Inventor, Phil Zimmerman, was target of 3-year federal investigation. PGP signed message: ---EGIN PGP SIGNED MESSGE--- Hash: SH1 ob:my husband is out of town tonight.passionately yours, lice ---EGIN PGP SIGNTURE--- Version: PGP 5.0 Charset: noconv yhhjrhhgjghgg/12epjlo8ge4v3mqj hfevzp9t6n7g6m5gw2 ---END PGP SIGNTURE--- GPG is primarily meant for securing email: can also use it to encrypt/decrypt/sign any message... free alternative to PGP http://www.gpg.org llows you to: create public/private key pairs encrypt/decrypt messages sign/check messages Spring 2007 CSE30264 27 Spring 2007 CSE30264 28 GPG Create your own public/private key pair: gpg --gen-keys you will be asked several questions: which kind of key you want, which size, how long it will stay valid, username, email address, etc. (keep default values) then it will ask you for a passphrase: type any passphrase (e.g., I like rabbits very much ) your private key will be encrypted with the passphrase before storing on disk GPG will ask you for your passphrase each time it needs to access your private key Distributing Your Public Key You can give it to anyone: people who may want to communicate with you using GPG never hand out your private key What s my public key? gpg --export --armor <Your_Name> You can add somebody else s public key to your keyring: gpg --import <filename> You can list the keys in your keyring: gpg --list-keys Spring 2007 CSE30264 29 Spring 2007 CSE30264 30 5

Encryption/Decryption with GPG Encryption: must specify the destination of your message, message will be encrypted with the recipients public key (key must be in keyring) gpg --armor --encrypt -r <recipient> < <file_to_encrypt> Decryption: GPG will use your private key to decrypt a received file, you will be asked for your passphrase gpg --decrypt < <file_to_decrypt> Signatures with GPG Sign a message (you will be asked for your passphrase): gpg --output <output_file> --clearsign <document_to_sign> message and signature will be written to output_file Check a signature: gpg --verify <document_to_check> You can encrypt and sign a document: gpg --armor --sign --encrypt -r cpoellab@cse.nd.edu < message To decrypt and check: gpg --decrypt <encrypted_and_signed_message> Spring 2007 CSE30264 31 Spring 2007 CSE30264 32 Secure Shell (SSH) Remote login service (replaces telnet and rlogin). Provides authentication, integrity, and confidentiality. SSH version 2: SSH-TRNS, SSH-UTH, SSH-CONN. Transport Layer Security (TLS) Secure Socket Layer (SSL). Secure HTTP (HTTPS). Handshake protocol and record protocol. Host pplication client SSH Direct connection Forwarded connection pplication server SSH Host pplication (e.g., HTTP) Secure transport layer TCP IP Subnet Spring 2007 CSE30264 33 Spring 2007 CSE30264 34 Firewalls Firewall Proxy-ased Firewalls Problem: complex policy Example: web server Rest of the Internet Local site Remote company user Firewall Internet Company net Web server Filter-ased Solution example ( 192.12.13.14, 1234, 128.7.6.5, 80 ) (*,*, 128.7.6.5, 80 ) default: forward or not forward? how dynamic? Random external user Solution: proxy External client Firewall Proxy External HTTP/TCP connection Design: transparent vs. classical Limitations: attacks from within Local server Internal HTTP/TCP connection Spring 2007 CSE30264 35 Spring 2007 CSE30264 36 6

Denial of Service flood of maliciously generated packets swamp receiver Distributed DOS (DDOS): multiple coordinated sources swamp receiver e.g., C and remote host -attack C Spring 2007 CSE30264 37 Packet Sniffing broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (e.g. passwords) e.g.: C sniffs s packets src: dest: Spring 2007 CSE30264 38 C payload IP Spoofing can generate raw IP packets directly from application, putting any value into IP source address field receiver can t tell if source is spoofed e.g.: C pretends to be C src: dest: payload Spring 2007 CSE30264 39 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information