Chapter 10 Network Security 10.1.
Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS 10.2
Chapter 10: Objective We introduce network security. We discuss security goals, types of attacks, and services provided by network security. We introduce the first goal of security, confidentiality. We discuss symmetric-key ciphers and asymmetric-key ciphers. We discuss other aspects of security: message integrity, message authentication, digital signature, entity authentication, and key management. We apply what we have learned in the first three sections to the top three layers of the TCP/IP suite. Finally, we discuss firewalls: packet-filter and proxy. 10.3
10-1 INTRODUCTION Information is an asset that has a value like any other asset. As an asset, information needs to be secured from attacks. To be secured, information needs to be hidden from unauthorized access (confidentiality), protected from unauthorized change (integrity), and available to an authorized entity when it is needed (availability). 10.4
10.1.1 Security Goals Let us first discuss three security goals: Confidentiality Integrity Availability 10.5
10.1.2 Attacks Our three goals of security, confidentiality, integrity, and availability, can be threatened by security attacks. Although the literature uses different approaches to categorizing the attacks, we divide them into three groups related to the security goals. Figure 10.1 shows the taxonomy. 10.6
10.1.2 (continued) Attacks Threatening Confidentiality Snooping Traffic Analysis Attacks Threatening Integrity Modification Masquerading Replaying Repudiation Attacks Threatening Availability Denial of Service 10.7
Figure 10.1: Taxonomy of attacks with relation to security goals 10.8
10.1.3 Services and Techniques ITU-T defines some security services to achieve security goals and prevent attacks. Each of these services is designed to prevent one or more attacks while maintaining security goals. The actual implementation of security goals needs some techniques. Two techniques are prevalent today: Cryptography Steganography 10.9
10-2 CONFIDENTIALITY We now look at the first goal of security, confidentiality. Confidentiality can be achieved using ciphers. Ciphers can be divided into two broad categories: symmetric-key and asymmetric-key. 10.10
10.2.1 Symmetric-Key Ciphers A symmetric-key cipher uses the same key for both encryption and decryption, and the key can be used for bidirectional communication, which is why it is called symmetric. Figure 10.2 shows the general idea behind a symmetric-key cipher. 10.11
10.2.1 (continued) Traditional Symmetric-Key Ciphers Substitution Ciphers Transposition Ciphers Stream and Block Ciphers Modern Symmetric-Key Ciphers Modern Block Ciphers Data Encryption Standard (DES) Modern Stream Ciphers 10.12
Figure 10.2: General idea of a symmetric-key cipher 10.13
Figure 10.3: Symmetric-key encipherment as locking and unlocking with the same key 10.14
Figure 10.4: Representation of plaintext and ciphertext characters in modulo 26 10.15
Example 10.1 Use the additive cipher with key = 15 to encrypt the message hello. 10.16
Example 10.2 Use the additive cipher with key = 15 to decrypt the message WTAAD. 10.17
Figure 10.5: An example key for a monoalphabetic substitution cipher 10.18
Example 10.3 We can use the key in Figure 10.5 to encrypt the message 10.19
Example 10.4 Assume that Alice and Bob agreed to use an autokey cipher with initial key value k 1 = 12. Now Alice wants to send Bob the message Attack is today. The three occurrences of t are encrypted differently. 10.20
Figure 10.6: Transposition cipher 10.21
Figure 10.7: A modern block cipher 10.22
Figure 10.8: Components of a modern block cipher 10.23
Figure 10.9: General structure of DES 10.24
Figure 10.10: DES function 10.25
Figure 10.11: Key generation 10.26
Example 10.5 We choose a random plaintext block and a random key, and determine (using a program) what the ciphertext block would be (all in hexadecimal) as shown below. 10.27
Example 10.6 To check the effectiveness of DES when a single bit is changed in the input, we use two different plaintexts with only a single bit difference (in a program). The two ciphertexts are completely different without even changing the key. Although the two plaintext blocks differ only in the rightmost bit, the ciphertext blocks differ in 29 bits. 10.28
Figure 10.12: One-time pad 10.29
10.2.2 Asymmetric-Key Ciphers In previous sections we discussed symmetric-key ciphers. In this section, we start the discussion of asymmetric-key ciphers. Symmetric- and asymmetric-key ciphers will exist in parallel and continue to serve the community. We actually believe that they are complements of each other; the advantages of one can compensate for the disadvantages of the other. 10.30
10.2.2 (continued) General Idea Plaintext/Ciphertext Encryption/Decryption Need for Both RSA Cryptosystem Procedure Applications 10.31
Figure 10.13: Locking and unlocking in asymmetric-key cryptosystem 10.32
Figure 10.14: General idea of asymmetric-key cryptosystem 10.33
Figure 10.15: Encryption, decryption, and key generation in RSA 10.34
Example 10.7 For the sake of demonstration, let Bob choose 7 and 11 as p and q and calculate n = 7 11 = 77, φ(n) = (7 1)(11 1), or 60. If he chooses e to be 13, then d is 37. Note that e d mod 60 = 1. Now imagine that Alice wants to send the plaintext 5 to Bob. She uses the public exponent 13 to encrypt 5. This system is not safe because p and q are small. 10.35
Example 10.8 Here is a more realistic example calculated using a computer program in Java. We choose a 512-bit p and q, calculate n and φ(n). We then choose e and calculate d. Finally, we show the results of encryption and decryption. The integer p is a 159-digit number. 10.36
Example 10.8 (continued) 10.37
Example 10.8 (continued) 10.38
Example 10.8 (continued) 10.39
10-3 OTHER ASPECTS OF SECURITY The cryptography systems that we have studied so far provide confidentiality. However, in modern communication, we need to take care of other aspects of security, such as integrity, message and entity authentication, non-repudiation, and key management. We briefly discuss these issues in this section. 10.40
10.3.1 Message Integrity There are occasions where we may not even need secrecy but instead must have integrity: the message should remain unchanged. For example, Alice may write a will to distribute her estate upon her death. The will does not need to be encrypted. After her death, anyone can examine the will. The integrity of the will, however, needs to be preserved. Message and Message Digest Hash Functions 10.41
Figure 10.16: Message and digest Insecure channel Channel immune to change 10.42
10.3.2 Message Authentication A digest can be used to check the integrity of a message that the message has not been changed. To ensure the integrity of the message and the data origin authentication that Alice is the originator of the message, not somebody else we need to include a secret shared by Alice and Bob (that Eve does not possess) in the process; we need to create a message authentication code (MAC). HMAC 10.43
Figure 10.17: Message authentication code M + MAC Insecure channel 10.44
10.3.3 Digital Signature Another way to provide message integrity and message authentication (and some more security services, as we will see shortly) is a digital signature. A MAC uses a secret key to protect the digest; a digital signature uses a pair of privatepublic keys. 10.45
10.3.3 (continued) Comparison Inclusion Verification Method Relationship Duplicity Process Signing the Digest Services Message Authentication Message Integrity Non-repudiation 10.46
10.3.3 (continued) RSA Digital Signature Scheme Digital Signature Standard (DSS) 10.47
Figure 10.18: Digital signature process (M, S) 10.48
Figure 10.19: Signing the digest 10.49
Figure 10.20: Using a trusted center for non-repudiation (M, S A ) (M, S T ) 10.50
Figure 10.21: The RSA signature on the message digest 10.51
10.3.4 Entity Authentication Entity authentication is a technique designed to let one party verify the identity of another party. An entity can be a person, a process, a client, or a server. The entity whose identity needs to be proven is called the claimant; the party that tries to verify the identity of the claimant is called the verifier. 10.52
10.3.4 (continued) Entity versus Message Authentication Verification Categories Passwords Challenge-Response Using a Symmetric-Key Cipher Using an Asymmetric-Key Cipher Using Digital Signatures 10.53
Figure 10.22: Unidirectional, symmetric-key authentication 10.54
Figure 10.23: Unidirectional, asymmetric-key authentication 10.55
Figure 10.24: Digital signature, unidirectional authentication 10.56
10.3.5 Key Management We discussed symmetric-key and asymmetric-key cryptography in the previous sections. However, we have not yet discussed how secret keys in symmetric-key cryptography, and public keys in asymmetric-key cryptography, are distributed and maintained. This section touches on these two issues. 10.57
10.3.5 (continued) Symmetric-Key Distribution Key Distribution Center (KDC) Symmetric-Key Agreement Diffie-Hellman Key Agreement Public-Key Distribution Public Announcement Certification Authority X.509 10.58
Figure 10.25: Multiple KDCs 10.59
Figure 10.26: Creating a session key using KDC 10.60
Figure 10.27: Diffie-Hellman method 10.61
Example 10.9 Let us give a trivial example to make the procedure clear. Our example uses small numbers, but note that in a real situation, the numbers are very large. Assume that g = 7 and p = 23. The steps are as follows: 1. Alice chooses x = 3 and calculates R 1 = 7 3 mod 23 = 21. Bob chooses y = 6 and calculates R 2 = 7 6 mod 23 = 4. 2. Alice sends the number 21 to Bob. 10.62
Example 10.9 (continued) 3. Bob sends the number 4 to Alice. 4. Alice calculates the symmetric key K = 4 3 mod 23 = 18. Bob calculates the symmetric key K = 21 6 mod 23 = 18. Conclusion: The value of K is the same for both Alice and Bob; g xy mod p = 7 18 mod 23 = 18. 10.63
Figure 10.28: Certification authority 10.64
10-4 INTERNET SECURITY In this section, we discuss how the principles of cryptography are applied to the Internet. We discuss security in the application layer, transport layer, and network layer. Security at the data-link layer is normally a proprietary issue and is implemented by the designers of LANs and WANs. 10.65
10.4.1 Application-Layer Security This section discusses two protocols providing security services for e-mails: Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extension (S/MIME). 10.66
10.4.1 (continued) E-mail Security Cryptographic Algorithms Cryptographic Secrets Certificates Pretty Good Privacy (PGP) Scenarios Segmentation Key Rings PGP Algorithms PGP Certificates and Trusted Model PGP Packets Applications of PGP 10.67
10.4.1 (continued) S/MIME Cryptographic Message Syntax (CMS) Key Management Cryptographic Algorithms Applications of S/MIME 10.68
Figure 10.29: A plaintext message 10.69
Figure 10.30: An authenticated message 10.70
Figure 10.31: A compressed message 10.71
Figure 10.32: A confidential message 10.72
Figure 10.33: Key rings in PGP 10.73
Figure 10.34: Trust model 10.74
Figure 10.35: Signed-data content type 10.75
Figure 10.36: Enveloped-data content type 10.76
Figure 10.37: Digested-data content type 10.77
Figure 10.38: Authenticated-data content type 10.78
Example 10.10 The following shows an example of an enveloped-data in which a small message is encrypted using triple DES.. 10.79
10.4.2 Transport-Layer Security Two protocols are dominant today for providing security at the transport layer: the Secure Sockets Layer (SSL) protocol and the Transport Layer Security (TLS) protocol. The latter is actually an IETF version of the former. We discuss SSL in this section; TLS is very similar. Figure 10.39 shows the position of SSL and TLS in the Internet model. 10.80
10.4.2 (continued) SSL Architecture Services Key Exchange Algorithms Encryption/Decryption Algorithms Hash Algorithms Cipher Suite Compression Algorithms Cryptographic Parameter Generation Sessions and Connections 10.81
10.4.2 (continued) Four Protocols Handshake Protocol ChangeCipherSpec Protocol Alert Protocol Record Protocol 10.82
Figure 10.39: Location of SSL and TLS in the Internet model 10.83
Figure 10.40: Calculation of master secret from pre-master secret 10.84
Figure 10.41: Calculation of key material from master secret 10.85
Figure 10.42: Extractions of cryptographic secrets from key material 10.86
Figure 10.43: Four SSL protocols 10.87
Figure 10.44: Handshake Protocol 10.88
Figure 10.45: Processing done by the Record Protocol 10.89
10.4.3 Network-Layer Security We need security at the network layer for three reasons. First, not all client/server programs are protected at the application layer. Second, not all client/server programs at the application layer use the services of TCP to be protected by the transport-layer security. Third, many applications, such as routing protocols, directly use the service of IP; they need security services at the IP layer. IP Security is a collection of protocols designed by the Internet Engineering 10.90
10.4.3 (continued) Two Modes Transport Mode Tunnel Mode Comparison Two Security Protocols Authentication Header (AH) Encapsulating Security Payload (ESP) IPv4 and IPv6 AH versus ESP 10.91
10.4.3 (continued) Services Provided by IPSec Access Control Message Integrity Entity Authentication Confidentiality Replay Attack Protection Security Association Idea of Security Association Security Association Database (SAD) Security Policy Security Policy Database 10.92
10.4.3 (continued) Internet Key Exchange (IKE) Virtual Private Network (VPN) 10.93
Figure 10.46: IPSec in transport mode 10.94
Figure 10.47: Transport mode in action 10.95
Figure 10.48: IPSec in tunnel mode 10.96
Figure 10.49: Tunnel mode in action 10.97
Figure 10.50: Transport mode versus tunnel mode 10.98
Figure 10.51: Authentication Header (AH) protocol 10.99
Figure 10.52: Encapsulating Security Payload (ESP) 10.100
Table 10.1: IPSec services 10.101
Figure 10.53: Simple SA 10.102
Figure 10.54: SAD 10.103
Figure 10.55: Security Policy Database 10.104
Figure 10.56: Outbound processing 10.105
Figure 10.57: Inbound processing 10.106
Figure 10.58: IKE components 10.107
Figure 10.59: Virtual private network 10.108
10-5 FIREWALLS All previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system we need firewalls. A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others. 10.109
Figure 10.60: Firewall 10.110
10.5.1 Packet-Filter Firewalls A firewall can be used as a packet filter. It can forward or block packets based on the information in the network-layer and transport-layer headers: source and destination IP addresses, source and destination port addresses, and type of protocol (TCP or UDP). A packet-filter firewall is a router that uses a filtering table to decide which packets must be discarded (not forwarded). Figure 10.61 shows an example of a filtering table for this kind of a firewall. 10.111
Figure 10.61: Packet-filter firewall 10.112
10.5.2 Proxy Firewalls The packet-filter firewall is based on the information available in the network layer and transport layer headers (IP and TCP/UDP). However, sometimes we need to filter a message based on the information available in the message itself (at the application layer). One solution is to install a proxy computer to filter the messages. 10.113
Figure 10.62: Proxy firewall 10.114
Chapter 10: Summary The three goals of security can be threatened by security attacks. Two techniques have been devised to protect information against attacks: cryptography and steganography. In a symmetric-key cipher the same key is used for encryption and decryption, and the key can be used for bidirectional communication. We can divide traditional symmetric-key ciphers into two broad categories: substitution ciphers and transposition ciphers. In an asymmetric key cryptography there are two separate keys: one private and one public. Asymmetric-key cryptography means that Bob and Alice cannot use the same set of keys for two-way communication. 10.115
Chapter 10: Summary (continued) Other aspects of security include integrity, message authentication, entity authentication, and key management. The Pretty Good Privacy (PGP), invented by Phil Zimmermann, provides e-mail with privacy, integrity, and authentication. Another security service designed for electronic mail is Secure/Multipurpose Internet Mail Extension (S/MIME). A transport-layer security protocol provides end-to-end security services for applications that use the services of a reliable transport-layer protocol such as TCP. Two protocols are dominant today for providing security at the transport layer: Secure Sockets Layer (SSL) and Transport Layer Security (TLS). 10.116
Chapter 10: Summary (continued) IP Security (IPSec) is a collection of protocols designed by the IETF to provide security for a packet at the network level. IPSec operates in transport or tunnel mode. IPSec defines two protocols: Authentication Header (AH) Protocol and Encapsulating Security Payload (ESP) Protocol. A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter others. A firewall is usually classified as a packet-filter firewall or a proxy firewall. 10.117