CISC 370 - Class Today

04/21/23 1R. Smith - University of St Thomas - Minnesota

CISC 370 - Class Today CISC 370 - Class Today

• Final Lab is Ready!Final Lab is Ready!• Returning Homework: Ch 12, 13Returning Homework: Ch 12, 13• Finishing up network security: crypto protocolsFinishing up network security: crypto protocols• Saving the NetSaving the Net

Homework, LabsHomework, Labs

• Final Lab is ReadyFinal Lab is Ready– Print the Lab Sheet and fill it inPrint the Lab Sheet and fill it in– Noisy Hub – plug it in at start, unplug it at endNoisy Hub – plug it in at start, unplug it at end

• Some are missing recent homeworksSome are missing recent homeworks– This This really really trashes your gradetrashes your grade– I will give partial credit if you hand in A7 or later assignmentsI will give partial credit if you hand in A7 or later assignments– This won’t move you from a C to an A, but it will improve This won’t move you from a C to an A, but it will improve

thingsthings


Homework ProblemsHomework Problems

• 12.3 – talked about it in class12.3 – talked about it in class– ““official answer” has “ACK” delay (?) – weird on circuitsofficial answer” has “ACK” delay (?) – weird on circuits– Only looks at the ‘interesting’ case of DGs vs CircuitsOnly looks at the ‘interesting’ case of DGs vs Circuits

• 12.412.4– 1 phone call every 30 minutes; 6 minutes per call1 phone call every 30 minutes; 6 minutes per call– Average: one phone uses 3 minutes of every hour = 0.05Average: one phone uses 3 minutes of every hour = 0.05– 20 phones use 1 “channel’s” worth of bandwidth20 phones use 1 “channel’s” worth of bandwidth– If 10% is long distance, 1 channel supports 200 phonesIf 10% is long distance, 1 channel supports 200 phones– # channels = ceil(1Mhz / 3400 hz) = 295# channels = ceil(1Mhz / 3400 hz) = 295– Total phones = 295 * 200 = 59,000Total phones = 295 * 200 = 59,000

• 12.5 – ignores call setup delay12.5 – ignores call setup delay


Chapter 13Chapter 13

• 13.413.4– A. N = X / ceil(X / L) * (L + H); optimally L / (L + H)A. N = X / ceil(X / L) * (L + H); optimally L / (L + H)

• ATM: L=48, H=5, Nopt = .91ATM: L=48, H=5, Nopt = .91– B. N = X / (X + H + Hv)B. N = X / (X + H + Hv)– C. Sawtooth curve for N fixed; N variable carries whole C. Sawtooth curve for N fixed; N variable carries whole

messagemessage• Wanted to see Wanted to see points plottedpoints plotted

• 13.513.5– A. L / (L+H)A. L / (L+H)– B. D = 8L / R (8 bits per byte)B. D = 8L / R (8 bits per byte)


Network EncryptionNetwork Encryption

• We get different We get different results by putting results by putting cryptography in cryptography in different places different places in the protocol in the protocol architecturearchitecture

March 2005 5R. Smith - University of St Thomas - Minnesota

ApplicationApplication

Device DriverDevice Driver

TCP/UDP LayerTCP/UDP Layer

IP LayerIP Layer

Link LayerLink Layer

ProtocolProtocolStackStack


The Encryption ProcessThe Encryption Process

• Convert plaintext to ciphertext with a keyConvert plaintext to ciphertext with a key


CryptanalysisCryptanalysis

• Known ciphertext attackKnown ciphertext attack– a.k.a. ciphertext-only attack – classic attacka.k.a. ciphertext-only attack – classic attack– Newspaper cryptogramsNewspaper cryptograms– You have ciphertext, no plaintextYou have ciphertext, no plaintext

• Known plaintext attackKnown plaintext attack– You have You have somesome plaintext for some intercepted ciphertext plaintext for some intercepted ciphertext– The attack used against ENIGMA to reduce the problemThe attack used against ENIGMA to reduce the problem

Security and the Protocol StackSecurity and the Protocol Stack

Classic layer-oriented Classic layer-oriented examples of crypto examples of crypto

protocolsprotocols• Application: PGPApplication: PGP

– encrypts application dataencrypts application data

• Trans->App: SSLTrans->App: SSL– encrypts the connectionencrypts the connection

• IP Layer: IPSECIP Layer: IPSEC– encrypts routable packetsencrypts routable packets

• Link Layer: WEP/WPALink Layer: WEP/WPA– encrypts LAN packetsencrypts LAN packets


ApplicationApplication

Device DriverDevice Driver

TCP/UDP LayerTCP/UDP Layer

IP LayerIP Layer

Link LayerLink Layer

WEP/WPAWEP/WPA

IPSECIPSEC

SSLSSL

PGPPGP

ProtocolProtocolStackStack

How Crypto works in the stackHow Crypto works in the stack

• ““Above” a crypto layerAbove” a crypto layer– Data is assumed to be in plaintext formData is assumed to be in plaintext form

• ““At” a crypto layerAt” a crypto layer– We convert between plaintext and ciphertextWe convert between plaintext and ciphertext– We have access to some keysWe have access to some keys– We generate some plaintext headersWe generate some plaintext headers– Some header info may be encrypted or protected otherwiseSome header info may be encrypted or protected otherwise

• ““Below” the crypto layerBelow” the crypto layer– New network headers are added in plaintextNew network headers are added in plaintext


How it works GeographicallyHow it works Geographically

• Application layer encryptionApplication layer encryption– ““End to end security” – routable, and inaccessible to othersEnd to end security” – routable, and inaccessible to others– Defeats intermediate virus scans, intrusion detectionDefeats intermediate virus scans, intrusion detection– Applied at the discretion of the end user (usually)Applied at the discretion of the end user (usually)

• Socket layer encryptionSocket layer encryption– Application-application security – similar to application layerApplication-application security – similar to application layer– Often applied automatically under control of the serverOften applied automatically under control of the server– Sometimes it is a user-level optionSometimes it is a user-level option

• IPSEC – IP Security ProtocolsIPSEC – IP Security Protocols– Internet layer security – protects routable packets, per-packetInternet layer security – protects routable packets, per-packet– Protects all Internet application traffic equallyProtects all Internet application traffic equally– Often a substitute for inter-site leased linesOften a substitute for inter-site leased lines


IP Security Protocol – IPSECIP Security Protocol – IPSEC

• Security protection that’s IP routableSecurity protection that’s IP routable• We authenticate the IP addressesWe authenticate the IP addresses• We encrypt everything inside the IP headerWe encrypt everything inside the IP header


Separate HeadersSeparate Headers

• AH – Authentication HeaderAH – Authentication Header– Keeps the packet intactKeeps the packet intact

• ESP – Encapsulating Security PayloadESP – Encapsulating Security Payload– A ‘generic’ security format, originally just for encryptionA ‘generic’ security format, originally just for encryption– Now does both encryption and authenticationNow does both encryption and authentication


Authentication Header – ‘AH’Authentication Header – ‘AH’

• Protects unchanging bits of the IP headerProtects unchanging bits of the IP header• ““SPI” – Security Parameter IndexSPI” – Security Parameter Index

– Identifies the keying and hash algorithm to useIdentifies the keying and hash algorithm to use


Encapsulating Security Payload- ESPEncapsulating Security Payload- ESP(8 bit bytes) SPI

Sequence Number

Payload Data (variable)

Padding (variable)

Pad Length Next Header

Integrity Check (variable)


• Modern style, including integrity protectionModern style, including integrity protection– Internal format still depends on the crypto usedInternal format still depends on the crypto used– SPI picks the crypto format; the format determines variablesSPI picks the crypto format; the format determines variables

• Main problem: how long is the integrity check?Main problem: how long is the integrity check?• May be length = 0, especially if the crypto does it alreadyMay be length = 0, especially if the crypto does it already


Secret Key ManagementSecret Key Management

• Two elementsTwo elements– How do you assign individual keysHow do you assign individual keys– How do you update keysHow do you update keys

• Assignment – how many keys do we need?Assignment – how many keys do we need?– ““One Big Cryptonet”One Big Cryptonet”– Pairwise user-userPairwise user-user– Pairwise user-server (“key distribution center)Pairwise user-server (“key distribution center)

• Updating – given the assignment strategiesUpdating – given the assignment strategies– ManualManual– AutomaticAutomatic


Automatic key updatingAutomatic key updating

• How do we get the new key?How do we get the new key?– Internal updateInternal update

• use a ‘pseudo random number generator’use a ‘pseudo random number generator’• ““Forward secrecy” problemForward secrecy” problem

– Random updateRandom update• Use a new, randomly generated keyUse a new, randomly generated key• Share with the cryptonetShare with the cryptonet

• How do we transmit random keys?How do we transmit random keys?– Chained updateChained update

• Send it using the existing crypto keySend it using the existing crypto key• ““Forward secrecy” problemForward secrecy” problem

– KEK-based updateKEK-based update• Use a separate “key encrypting key”Use a separate “key encrypting key”• Data is only sent with “data keys” or “session keys”Data is only sent with “data keys” or “session keys”• Only use KEK to send newly generated sessionOnly use KEK to send newly generated session


Key Distribution Center (KDC)Key Distribution Center (KDC)

• Each user has a unique personal keyEach user has a unique personal key– Contacts KDC to get a session key Contacts KDC to get a session key – KDC sends keys encrypted with users’ personal keysKDC sends keys encrypted with users’ personal keys

• ExampleExample– Bob wants to talk to AliceBob wants to talk to Alice– Bob contacts KDC, says “I want to talk to Alice”Bob contacts KDC, says “I want to talk to Alice”– KDC sends two copies of the session keyKDC sends two copies of the session key

• One encrypted with Bob’s personal keyOne encrypted with Bob’s personal key• One encrypted with Alice’s personal keyOne encrypted with Alice’s personal key

• This is the basis of KerberosThis is the basis of Kerberos– Encrypted keys are called “tickets”Encrypted keys are called “tickets”


• Uses a pair of keys: the Uses a pair of keys: the Private KeyPrivate Key and the and the Public KeyPublic Key

• Usually, one key of the pair decrypts what Usually, one key of the pair decrypts what the other key encrypts, and vice versathe other key encrypts, and vice versa

• ““Asymmetric EncryptionAsymmetric Encryption””

EncryptionEncryptionProcedureProcedure

ClearClearTextText

ClearClearTextText

Public Key EncryptionPublic Key Encryption

CipherCipherTextText

Public Public KeyKey

DecryptionDecryptionProcedureProcedure

Private Private KeyKey

Public Key Protocols/ApplicationsPublic Key Protocols/Applications

• IPSEC: used for key exchangeIPSEC: used for key exchange– ““Diffie Hellman” public key techniqueDiffie Hellman” public key technique

– Produce temporary public/private keys Produce temporary public/private keys

– Use the security to set up IPSEC security associations (SPIs)Use the security to set up IPSEC security associations (SPIs)

• SSL: protects Web, FTP, e-mail, shell (SSH)..SSL: protects Web, FTP, e-mail, shell (SSH)..– Usually RSA public key techniqueUsually RSA public key technique

– Uses a web server’s public key to set up a shared secretUses a web server’s public key to set up a shared secret

– Uses regular crypto to protect the actual data transfersUses regular crypto to protect the actual data transfers

• PGP, PEM, S/MIME: protect files and e-mailPGP, PEM, S/MIME: protect files and e-mail– Usually RSA public key techniqueUsually RSA public key technique

– Encrypt a file with regular (symmetric) cryptoEncrypt a file with regular (symmetric) crypto

– Encrypt the key with recipients’ public keysEncrypt the key with recipients’ public keys

– ““Sign” the message with author’s private keySign” the message with author’s private key



““Saving the Net”Saving the Net”

• CaveatsCaveats

• There’s particular rhetorical stuff going onThere’s particular rhetorical stuff going on

• This commentary reflects a whole set of This commentary reflects a whole set of attitudes and, well, prejudices that are common attitudes and, well, prejudices that are common in Internet engineering circlesin Internet engineering circles


““Saving the Net”Saving the Net”

• Whose ‘side’ is the author on?Whose ‘side’ is the author on?

• What is Scenario #1?What is Scenario #1?– Who wins?Who wins?

• What is Scenario #2?What is Scenario #2?– Who is harmed by ‘bypass’ traffic?Who is harmed by ‘bypass’ traffic?

• What is Scenario #3?What is Scenario #3?– What is this ‘war’ between pipes, place, and publishing?What is this ‘war’ between pipes, place, and publishing?


Other ConceptsOther Concepts

• ““Unregulated” versus “Unrestricted”Unregulated” versus “Unrestricted”• Net NeutralityNet Neutrality• ConvergenceConvergence• Public vs private ownershipPublic vs private ownership• Regulated monopoly vs something elseRegulated monopoly vs something else• Internet as ‘place’ vs ‘carrier’Internet as ‘place’ vs ‘carrier’


Creative Commons LicenseCreative Commons License

This work is licensed under the Creative This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United Commons Attribution-Share Alike 3.0 United

States License. To view a copy of this license, States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-visit http://creativecommons.org/licenses/by-

sa/3.0/us/ or send a letter to Creative sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Commons, 171 Second Street, Suite 300, San

Francisco, California, 94105, USA.Francisco, California, 94105, USA.

Documents

CISC 370 - Class Today