COMPUTER NETWORKS Network Security Technology Network Management Source Encryption E(K,P) Decryption D(K,C) Destination The author of these slides is Dr. Mark Pullen of George Mason University. Permission is hereby granted to reproduce the slides for any not-for-profit academic purpose, so long as this notice is contained in any document containing the slides, and each slide remains intact as provided, including the copyright label. Permission for any other use, either in machine-readable or printed form, must be obtained from the author in writing. 1
Network Security Technology 2
Network Security Basics Review Confidentiality - information disclosed only to those intended. Integrity - information cannot be modified without being detected. Authentication - ensure that communicating parties are who they say they are. Access Control - ensure that authenticated users are given access only to appropriate information. Nonrepudiation - stronger form of authentication which ensures that a party involved in some communication cannot later claim non-involvement Key Distribution Key Distribution - establish session keys between communicating parties. 3
Security Tools Message Authentication Codes or Message Hashes - digest of a message that is unlikely to match digest of a different message Encryption - scrambling data so its contents cannot be understood by a third party Encryption Keys - pattern unknown to a third party Key exchange algorithms - safe ways to pass keys between trusted parties 4
Encryption Systems and Keys An encryption system is a collection of encoding and decoding functions parameterized by keys. Basic building blocks of encryption algorithms are letter substitution codes and transpositions. An encryption system is only as secure as the keys; hence, keys must be distributed in a secure fashion. Could deliver by hand. Alternatively, could distribute using encrypted system believed to be secure (normally this involves a different key that was originally distributed by hand) 5
Cryptography Messages sent in plaintext are transformed into ciphertext. encryption decryption plaintext ciphertext plaintext Most systems involve a cryptography algorithm and a key. Algorithms may be well known and widely published but difficult to break. 6
Hardware CRC Generation Circuit Generator Polynomial: D 16 + D 12 +D 5 +1 Output FCS at end of data open switch to shift out result 15 14 13 12 11 - XOR gate... 5 4... 0 Input DATA:0010 0101 1001 0100 7
A Simple Encryption System feedback positions form a secret key which will also decrypt 15 14 13 12 11... 5 4... 0 Output stream of ciphertext data XOR gate Input stream of plaintext data this is a simple example of a symmetric key algorithm the algorithm is known, the key is kept secret also called secret key encryption for this reason 8
Breaking an Encryption Scheme Definition: good guys are those who send the message, bad guys are those who try to break the message. Breaking the code usually requires trying a very large number of combinations to find a match when the bad guys have more information it is to their advantage normally they know the algorithm but not the key There are different types of attacks possible. Ciphertext only. Known plaintext, when the bad guys have some <plaintext, ciphertext> pair. Chosen plaintext, when the bad guys can encrypt the message and see the result 9
Breaking an Encryption Scheme A good cryptosystem should be able to defend against all three types of attacks Known plaintext makes a good yardstick can break code by trying all keys and comparing results more likely case than chosen plaintext Example of times to break a code: trials/second time to break 1 40,000 years 10 3 40 years 10 6 12 days 10 9 18 minutes 10 12 1 second 10
Data Encryption Standard (DES) DES is a symmetric-key block cipher developed by the US National Institutes of Standards and Technology (NIST). Input is 64 bit blocks of plaintext and 56 bit key Three phase algorithm Initial permutation of the input. 16 iterations of permutation and substitution using S-boxes. Final permutation of the output. 11
DES Iterations On each iteration, the block is divided into left and right 32 bit sections. The right side R i of the block becomes the left side of the next block. The left side of the block is XORed with a 32-bit value. This can be represented as L i = R i 1 ( ) R = L 1 f R 1, K i i i i 12
Public Key Cryptography Encryption and decryption algorithms are well known The encryption key is made public but the decryption key is kept secret For this to be secure, deducing the decryption algorithm from the encryption algorithm must be difficult Public Key Algorithms are based on functions that are easy to compute but very hard to find the inverse for example the problem of factoring the product of two large prime numbers (RSA algorithm) 13
Public Key Encryption DATA Encode encrypted data DECODE DATA Public Key Directory - Names with Keys Private Key 14
RSA Public Key Algorithm The Algorithm is initialized by the following steps: Choose two large prime numbers p and q Compute n = p q and z = (p-1)(q-1) Choose d such that gcd(z,d) = 1, i.e., z and d are relatively prime Find e such that e d = 1 mod z The numbers e and n are made public and encryption of a plain text P, where P is a member {0,1,...,n-1}, is performed by computing C = P e mod n Decryption is performed by computing P = C d mod n An eavesdropper only knows e and n. The task of computing d is equivalent to factoring n into p and q, which is known to be difficult 15
Why does RSA work? First, notice that when n = pq and z = (p-1)(q-1), and p and q are prime, z is the called the totient function, the number of numbers relatively prime to n. The numbers d and e are picked because de = 1 mod z From number theory x de = x mod n RSA encryption consists of taking x and raising it to the power of e. Then, if we take the result and raise it to the power of d (i.e., decrypt), we get x. 16
Public Key Encryption Example Let p = 3 and q = 11. Then, n = 33 and z =20. A choice for d is d =7, which yields e = 3. (7 * 3 = 1 mod 20) (The larger p and q, the more secure the encryption; this example is not very secure.) The encryption rule is C = P 3 mod 33 and decryption is done by P = C 7 mod 33. Example: Let P be the position of a letter in the alphabet, A =1, B =2,... Z = 26 Text P P^3 C C^7 P Text T 20 8000 14 105413504 20 T A 1 1 1 1 1 A S 19 6859 28 13492928512 19 S C 3 27 27 10460353203 3 C 17
Using Public Key Encryption Non-repudiation Since the encryption and decryption are inverses, given that I encode my identity with my private key, the fact that you can decode my identity with my public key proves that I sent the message. Confidentiality Further, if I encrypt data with your public key after encrypting the same data with my private key, then only you can decrypt the data and only you can find out that the data was from me. Key Distribution If the data I double encrypt is a private symmetric encryption key, then only you and I will be able to decrypt data encrypted with that private symmetric encryption key. 18
Using Public Key Encryption Public-key encryption takes much more computation than symmetric-key encryption but it scales well because only one key per party is needed and it can be published (in fact it should be) to be completely secure, you must trust the source of the key (this implies significant infrastructure) also provides non-repudiation by contrast symmetric-key encryption requires one key for every pair of parties and the key must be kept secret Therefore public-key encryption is normally used for small amounts of data, for example encrypting a symmetric key for distribution encrypting a message hash as a signature 19
Security and the Protocol Stack For effective security, the whole system must be considered Encryption can be used at any layer (or more than one) Application Presentation Session Transport Network Data Link Control Physical Peer Connection (secured) Physical Link Application Presentation Session Transport Network Data Link Control Physical 20
Link Encryption (layer 2) Plaintext P ABCDE... Ciphertext C K%U@Y... Plaintext P ABCDE... Source Encryption E(K,P) Decryption D(K,C) Destination Unguarded Link KEY K KEY K Keys are used in location pairs Crypto circuit can be similar to CRC generator (symmetric key) 21
End-To-End Encryption (layer 3) WS Crypto NETWORK Crypto WS Crypto HDR DATA WS Body of packet encrypted, header in clear Community of sites all have the same key 22
Firewall Security (layer 3) WS Firewall NETWORK Firewall WS Firewall HDR DATA WS Body of packet in clear, header in clear or substituted by firewall Community of sites established by tables in firewalls Packet may contain authentication or be encrypted by firewall 23
Message Authentication Protects against faking data and transactions. Could use encryption; but this is expensive. Use message authentication code: message sent in plaintext but authentication tag is added for integrity. Could be used when you don t need to encrypt or can t decrypt all messages, or as a way of broadcasting a message so that other parties can t fake the source. 24
Message Authentication Code Use a secret shared key K to generate a small block of code. The code is a function of the message and the key. Message plus the code is sent to the receiver. If you can decode the message correctly, you know Message has not been altered Message is from the alleged sender Integrity through sequence numbers 25
Secure Hash Functions Produce a fingerprint of the file May not require shared secret keys. To be practical, should be applied to a block of any size and produce a fixed length output. Requirements: Difficult to find x such that H(x) = m (hard to generate a message given a code) For any x, difficult to find x <> y with H(x)=H(y) (prevents forgery) 26
Message-Digest 5 (MD5) Algorithm takes an arbitrary input, chops it into 512 bit blocks, and outputs a 128 bit message digest. Requires 5 steps: Append padding bits so that its length is 448 mod 512. Use a 1 followed by 0s. Append length, up to 64 bits. Resulting message is multiple of 512 bits, or 16 32-bit words Message Padding Length 27
MD5 Algorithm Initialize 4 32-bit buffers with constant values. Process the message in 512 bit blocks. Each block is processed 4 different rounds, using a different function each time, i.e. F(X,Y,Z) = (X Y ) (~X Z ) Each function uses bitwise operations and takes three 32 bit words: the output from the previous round, the 32-bit word, and one element from a 64 element table. Output is the final value. 28
MD5 Operation constant Padded Message 4 rounds per 32bit word digest * * * digest 512 bits 512 bits * * * * * * * * * * * * * * * * * * Message Digest 29
Encryption Used For Packet Authentication (layer 3) Packet Auth Algorithm Packet Auth KEY NETWORK Packet Auth Auth Algorithm Packet Validation KEY 30
Encryption by the Application (Layer 7) Privacy-Enhanced Mail Dear Fred, $#AX3qvd.! email encoder stack KEY NETWORK $#AX3qvd.! Dear Fred, stack decoder email KEY 31
Network Management 32
Network Management Components One or more managed objects each has a NM agent or proxy agent process At least one NM Station (NMS) a computer system, typically a workstation hosting one or more NM applications A NM protocol A database definition for management information (Management Information Base) determines the structure and content of management information 33
Network Management Functions per ITU-T 6 Fault 6 Configuration 6 Accounting 6 Performance 6 Security 34
Dimensions Of Network Management FUNCTIONS Fault Configuration Accounting Performance Security Network System SCOPE Application Monitor ROLES Control 35
Network Monitoring Network monitoring is the basis for all other network management functions Network Management systems may lack network control, but must have network monitoring Key network monitoring design issues what to monitor how to access the monitored objects what data to collect what to do with the data collected 36
Simple Network Management Protocol (SNMP) Purpose: ease/consistency of managing Internet resources Each managed object has SNMP agent and Management Information Base (MIB) Remote management program (usually a console) can query status, direct changes Security authentication required for changes Standardized network management software available to visualize status OSI network management (CMIP CMIP) is usable in the Internet as CMOT but SNMP is much more popular 37
Good Network Management Tools Support standards (at least SNMP) Run on multiple platforms Integrate with other management tools Example: HP OpenView powerful graphic network status display 38
Extra-Credit Project INT2: firewall packet filter one community of trust per NW network (list of subnets) firewall runs in router members of community do not accept packets from non-members 39