CSCI-E46: Applied Network Security. Class 1: Introduction Cryptography Primer 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 1

Similar documents
Computer Security: Principles and Practice

CRYPTOGRAPHY IN NETWORK SECURITY

IT Networks & Security CERT Luncheon Series: Cryptography

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

7! Cryptographic Techniques! A Brief Introduction

Lecture 9: Application of Cryptography

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Cryptography & Digital Signatures

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Public Key Cryptography Overview

CSCE 465 Computer & Network Security

Cryptography & Network Security

An Introduction to Cryptography as Applied to the Smart Grid

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Message Authentication Codes

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Cryptography and Network Security Chapter 12

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Overview. SSL Cryptography Overview CHAPTER 1

Content Teaching Academy at James Madison University

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Message Authentication

Department of Computer & Information Sciences. CSCI-445: Computer and Network Security Syllabus

Encryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1

Lecture 6 - Cryptography

Cryptography & Network Security. Introduction. Chester Rebeiro IIT Madras

Authentication requirement Authentication function MAC Hash function Security of

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Fundamentals of Computer Security

Cryptography and Network Security Chapter 9

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

CIS433/533 - Computer and Network Security Cryptography

Cryptography and Network Security Chapter 11. Fourth Edition by William Stallings

Chapter 7: Network security

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

AN IMPLEMENTATION OF HYBRID ENCRYPTION-DECRYPTION (RSA WITH AES AND SHA256) FOR USE IN DATA EXCHANGE BETWEEN CLIENT APPLICATIONS AND WEB SERVICES

Lukasz Pater CMMS Administrator and Developer

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Ky Vu DeVry University, Atlanta Georgia College of Arts & Science

Authentication, digital signatures, PRNG

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July The OWASP Foundation

Cryptography and Network Security

Center for Internet Security. INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO

Practice Questions. CS161 Computer Security, Fall 2008

SECURITY IN NETWORKS

Network Security. HIT Shimrit Tzur-David

Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Public Key Cryptography and RSA. Review: Number Theory Basics

Secure Network Communications FIPS Non Proprietary Security Policy

Introduction to Computer Security

Efficient Framework for Deploying Information in Cloud Virtual Datacenters with Cryptography Algorithms

Cryptography: Motivation. Data Structures and Algorithms Cryptography. Secret Writing Methods. Many areas have sensitive information, e.g.

Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Introduction to Encryption

PGP (Pretty Good Privacy) INTRODUCTION ZHONG ZHAO

Expert Reference Series of White Papers. Fundamentals of the PKI Infrastructure

Public Key (asymmetric) Cryptography

Chapter 8. Network Security

Cryptography and Network Security Chapter 11

Introduction to Cryptography

Chapter 17. Transport-Level Security

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

The Mathematics of the RSA Public-Key Cryptosystem

Chapter 8 Network Security. Slides adapted from the book and Tomas Olovsson

SSL A discussion of the Secure Socket Layer

Message authentication and. digital signatures

The Misuse of RC4 in Microsoft Word and Excel

AC76/AT76 CRYPTOGRAPHY & NETWORK SECURITY DEC 2014

Advanced Topics in Cryptography and Network Security

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CS 758: Cryptography / Network Security

Table of Contents. Bibliografische Informationen digitalisiert durch

Savitribai Phule Pune University

FIPS Non- Proprietary Security Policy. McAfee SIEM Cryptographic Module, Version 1.0

Notes on Network Security Prof. Hemant K. Soni

CS 393 Network Security. Nasir Memon Polytechnic University Module 11 Secure

What is network security?

SPC5-CRYP-LIB. SPC5 Software Cryptography Library. Description. Features. SHA-512 Random engine based on DRBG-AES-128

CS 348: Computer Networks. - Security; 30 th - 31 st Oct Instructor: Sridhar Iyer IIT Bombay

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

An Introduction to Cryptography and Digital Signatures

Cryptographic Hash Functions Message Authentication Digital Signatures

How To Encrypt Data With Encryption

Hash Functions. Integrity checks

Introduction to Network Security. 1. Introduction. And People Eager to Take Advantage of the Vulnerabilities

Cryptography and Network Security

Modeling and verification of security protocols

Usable Crypto: Introducing minilock. Nadim Kobeissi HOPE X, NYC, 2014

CPSC 467b: Cryptography and Computer Security

A Novel Approach to combine Public-key encryption with Symmetric-key encryption

DRAFT Standard Statement Encryption

Symmetric Key cryptosystem

Overview of Public-Key Cryptography

Transcription:

CSCI-E46: Applied Network Security Class 1: Introduction Cryptography Primer 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 1

Welcome to CSCI-E46 Classroom & Schedule 53 Church Street L01 Wednesdays, 5:30pm-7:30pm Office Hours Before/after class or by appointment TA Session On-line, scheduling TBD 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 2

Welcome to CSCI-E46 Expectations Familiarity with Linux/UNIX CLI and Windows GUI Understanding of networking topics by way of Successful completion of CSCI-E45[ab] or permission of instructor Objectives Provide a solid overview of the concepts, threats, and controls inherent to network security Keep topics interesting through use of in-class lecture, demonstration, and lab work 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 3

Readings Course Text Computer Security: Principles and Practice, 3 rd Edition, William Stallings Safari Books Online http://ezp-prod1.hul.harvard.edu/login?url=http://nrs.harvard.edu/urn-3:hul.eresource:safarixx Additional readings listed in module on Canvas 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 4

Canvas All course material and grading will be posted to the course site https://canvas.harvard.edu/courses/8096 Each Week readings will be available at midnight on Thursday slides will be posted prior to lecture live video of the lecture available for streaming recorded video posted for review 1-2 days after lecture Discussion forums available for questions and collaborating with your classmates 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 5

Class Participation Wednesdays, 5:30-7:30pm @ 53 Church Street L01 Timely discussion topics to open each lecture Questions and discussion throughout lecture encouraged! Be courteous, silence your phones and take calls outside ~10 minute break at half-way point On-campus and remote students Attendance and in-class participation not graded! 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 6

Tasks/Assignments Tasks Assigned most lecture weeks (10 total) Majority of class participation score Assignments 3 assignments, 1 quiz 20% of final grade 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 7

Labs 5 labs Environments Local (your laptop/desktop) Amazon Web Services (AWS) Resources VirtualBox https://www.virtualbox.org/wiki/downloads AWS Educate https://aws.amazon.com/education/awseducate/apply/ 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 8

Exams Midterm Exam On-line Week of 03/17 Essay, short answer, true/false, multiple choice Final Exam Week of 04/05 Same format as midterm Not cumulative 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 9

Grading Class Participation/Tasks 20% Labs 20% Assignments/Quiz 20% Midterm Exam 20% Final Exam 20% Total 100% 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 10

Plagiarism and Academic Integrity Unless otherwise specified, all work must be completed independently Please review the Harvard Extension School Academic Integrity Policy https://www.extension.harvard.edu/resources-policies/student-conduct/academic-integrity Do not cheat, you will be caught and reported! If found responsible, no credit for affected material Academic suspension 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 11

Course Schedule Week Dates Topic 1 01/27 Introductions, Cryptography Primer 2 01/28 02/03 Networking Primer 3 02/04 02/10 Network Security Controls and Architecture 4 02/11 02/17 Enterprise Identity and Authentication 5 02/18 02/24 (In)Secure Protocols 6 02/25 03/02 Network-based Threats 7 03/03 03/09 Reconnaissance and Social Attacks 8 03/10 03/16 Spring Break 9 03/17 03/23 Midterm Exam 10 03/24 03/30 Exploitation and Persistence 11 03/31 04/06 Instrumenting the Network 12 04/07 04/13 Intrusion Detection 13 04/14 04/20 Firewalling and Access Control 14 04/21 04/27 Wireless Security 15 04/28 04/04 Cloud Security and Future Trends 16 04/05 05/11 Final Exam 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 12

Introductions About Me Director, Infrastructure Design & Engineering @ MIT 15+ years of systems, networking, and security experience E-mail: davidlaporte@fas.harvard.edu Phone: 617.838.3171 Teaching/Lab Assistant Scott Doliner Email: TBD 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 13

Today... Discussion Cryptography Primer 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 14

Cryptography Primer Random numbers Symmetric encryption Public-key (asymmetric) encryption Beyond encryption Message authentication codes Hash functions Digital Signatures 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 15

Random Numbers random numbers used in cryptographic key generation requirements: randomness based on statistical tests for uniform distribution and independence unpredictability successive values not related to previous clearly true for real random sequences true random number generators use a nondeterministic source e.g. radiation, leaky capacitors, thermal noise 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 16

Pseudorandom Numbers an algorithm is used to create pseudorandom numbers satisfy statistical randomness tests likely to be predictable since based on initial seed value eg. time or system state Source: http://www.dirsig.org/docs/ne w/subsamples.html 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 17

Symmetric Encryption Same key used for encryption and decryption 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 18

Symmetric Encryption Historical Implementations Caesar Cipher (ROT13) Enigma Machine Modern Implementations DES Old US federal standard 56-bit key Extremely vulnerable to brute force attacks Deprecated in favor of 3DES in 1999 Triple DES (3DES) Encrypt, decrypt, encrypt using DES Effective 168-bit key (56-bit * 3) AES Current US federal standard (2002) Result of public competition (was Rijndael ) 128, 192, and 256-bit key lengths Blowfish, IDEA, etc. Source: http://en.wikipedia.org/wiki/caesar_ cipher 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 19

Symmetric Encryption Fast, easily implemented in hardware Key distribution Difficult to securely transport shared key to recipient Key management, (n 2 -n)/2 2 participants, 1 key 3 participants, 3 keys and then it gets much worse 10,000,000,000,000,000 100,000,000,000,000 1,000,000,000,000 10,000,000,000 100,000,000 1,000,000 10,000 100 1 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 20

Attacking Symmetric Encryption cryptanalysis rely on nature of the algorithm plus some knowledge of plaintext characteristics even some sample plaintext-ciphertext pairs exploits characteristics of algorithm to deduce specific plaintext or key brute-force attack try all possible keys on some ciphertext until get an intelligible translation into plaintext 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 21

Public Key Encryption Two keys ( public and private ) are used Keys are complementary Private key can decrypt public key encrypted messages Public key can decrypt private key encrypted messages In practice Public key is used to encrypt messages Private key is used to decrypt messages Example: Bob wants to send Alice a message. He encrypts the message with Alice s public key. Alice receives the message and decrypts using her private key. 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 22

Public Key Encryption Two different keys used for encryption/decryption 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 23

Public Key Requirements computationally easy to create key pairs computationally easy for sender knowing public key to encrypt messages computationally easy for receiver knowing private key to decrypt ciphertext computationally infeasible for opponent to determine private key from public key computationally infeasible for opponent to otherwise recover original message useful if either key can be used for each role 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 24

Public Key Encryption Originated in the 1970s at British Government Government Communications Headquarters (GCHQ) This remained secret until 1997 Proposed in 1976 by Whitfield Diffie and Matin Hellman RSA algorithm published in 1978 by Rivest, Shamir, and Adleman Patent expired in 2000 DSS/DSA developed by NSA useful only in digital signatures, not encryption Elliptic Curve based on solutions to y 2 =x 3 + ax + b less computationally intensive and efficiently implemented in hardware not as well vetted as factoring-based approaches, so not yet widely implemented 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 25

Public Key Encryption RSA Uses product of two large prime numbers Keys derived mathematically from product Depends upon difficulty of factoring large numbers Not provably unbreakable Discovery of short-cut in factoring large numbers would undermine entire system Key lengths can be increased to mitigate increases in brute-force capabilities RSA Laboratories currently recommends key sizes of 1024 bits for corporate use and 2048 bits for extremely valuable keys like the root key pair used by a certifying authority. Several recent standards specify a 1024- bit minimum for corporate use. RSA website 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 26

Public Key Encryption Extremely slow, orders of magnitude slower than symmetric algorithms Key distribution Separate keys eliminates need for secure transport Key management, 2n total keys, n+1 keys/participant 2 participants, 4 keys, 3 keys/participant 10 participants, 20 keys, 11 keys/participant Only one key (the participant s private key) need be kept secret Remaining keys can be centrally maintained 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 27

Asymmetric/Symmetric Hybrid Public key systems offer major benefits in key management and distribution, at the cost of speed Symmetric systems offer speed, but distribution and management do not scale In many protocols, the benefits of each are exploited through use of a session key Use public-key system to establish secure channel Transmit symmetric session key to perform bulk encryption eg., SSL, PGP 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 28

Digital Envelope 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 29

Beyond Encryption Message encryption provides confidentiality, but how to assure integrity and non-repudiation? Encryption of the message does not provide either Reordering of the encrypted blocks may result in a properly decrypted, coherent, and incorrect message Message authentication guarantees: contents unaltered from authentic source timely and in correct sequence Can be accomplished with or without encryption 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 30

Message Authentication Codes Parties agree upon a secret key Use the secret key and the input message to generate a small block of data (MAC) Transmit message and MAC Recipient uses input message and secret key to regenerate MAC If they match The receiver is assured that the message has not been altered. The receiver is assured that the message is from the alleged sender. If the message includes a sequence number, then the receiver can be assured of the proper sequence. 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 31

Message Authentication Codes Note that the message/mac bundle is unencrypted 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 32

Hash Functions A hash function generates a fixed length value ( fingerprint ) from a variable length input MD5, 128-bits SHA1, 160-bits SHA-256, 256-bits SHA-384, 384-bits SHA-512, 512-bits 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 33

Secure Hash Functions A secure hash function has the following properties applied to any size data H produces a fixed-length output H(x) is relatively easy to compute for any given x one-way property (pre-image resistance) computationally infeasible to find x such that H(x) = h weak collision resistance (second pre-image resistance) given x, computationally infeasible to find y x such that H(y) = H(x) strong collision resistance computationally infeasible to find any pair (x, y) such that H(x) = H(y) Since there is no secret key involved in generation of the hash value, additional steps are necessary to provide message authentication 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 34

Keyed Hash A secret key (previously agreed upon) is added to the input message before hash function is performed Recipient adds same key to message before computing hash value No encryption necessary Bypasses any encryption export issues Lower CPU requirements Functionally equivalent to MAC 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 35

Digital Signatures A digital signature is a hash value encrypted with the private key of the sender Leverages hash function and public key encryption to provide message authentication Example: Bob wants to send Alice a message. He generates a hash value of the message and encrypts it with his private key. This digital signature is appended to the message. Alice receives the message, removes the digital signature, and decrypts it using Bob s public key. If the hash values match, Alice can be assured that the message was received intact, in order, and from Bob. 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 36

Digital Signatures 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 37

Attacks Against Hashes attack approaches birthday attack name comes from the observation that there is a probability of > 1/2 that 2 people in a group of 23 share a birthday attack works where hash output is not evenly distributed cryptanalysis exploit logical weakness in algorithm brute-force attacks collision attack create two inputs that generate same hash value pre-image attack create input based on known hash value Source: http://en.wikipedia.org/wiki/file:birthday_paradox.svg 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 38

References Various images and content from: Computer Security: Principles and Practice, Third Edition. William Stallings, Pearson, 2014 Chapters 1, 2 See Chapter 21 in Stallings for more in-depth information on public-key cryptography and message authentication 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 39

Task 1: VirtualBox, Kali, and Introductions 1) Download and install VirtualBox 2) Download, verify, and install Kali Linux 3) Introduce yourself! Please say hello in the Introductions discussion forum and let me us know what you hope to take from the class. Additional task details in the Canvas assignment link 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 40

For next class Topic Networking Refresher Readings Computer Security, Principles and Practice Appendix F TCP/IP Illustrated, Vol. 1: The Protocols (Safari) Chapters 2, 4, 8 (ICMPv4 only), 10, 11, 12 Background/reference material, review as appropriate Additional Readings on Canvas 1/26/16 CSCI-E46: APPLIED NETWORK SECURITY, SPRING 2016 41

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information