Network SecurityNetwork Security

introduction introduction cryptography cryptography authentication authentication key exchange key exchange required reading: text section 7.1 required reading: text section 7.1

Network SecurityNetwork Security

intruder may intruder may

eavesdrop eavesdrop remove, modify, and/or insert messages remove, modify, and/or insert messages read and playback messages read and playback messages

important issues: important issues:

cryptography: secrecy of info being transmitted cryptography: secrecy of info being transmitted authentication: proving who you are and having authentication: proving who you are and having

correspondent prove his/her/itscorrespondent prove his/her/its identity identity

Security in Computer Networks Security in Computer Networks

User resources:User resources: login passwords often transmitted unencrypted in login passwords often transmitted unencrypted in

TCP packets between applications (e.g., telnet, ftp) TCP packets between applications (e.g., telnet, ftp) passwords provide little protection passwords provide little protection

Network resources: Network resources: often completely unprotected from intruder eavesdropping, often completely unprotected from intruder eavesdropping,

injection of false messages injection of false messages mail spoofs, router updates, ICMP messages, network mail spoofs, router updates, ICMP messages, network

management messages management messages

Bottom line: Bottom line: intruder attaching his/her machine (access to OS code, root intruder attaching his/her machine (access to OS code, root

privileges) onto network can override many system-privileges) onto network can override many system-provided security measures provided security measures

users must take a more active role users must take a more active role

EncryptionEncryption

plaintext:plaintext: unencrypted message unencrypted message

ciphertext:ciphertext: encrypted form of message encrypted form of message

intruder may intruder may intercept ciphertext transmission intercept ciphertext transmission intercept plaintext/ciphertext pairs intercept plaintext/ciphertext pairs obtain encryption decryption algorithms obtain encryption decryption algorithms

A simple encryption algorithm A simple encryption algorithm

substitution cipher: substitution cipher:

abcdefghijklmnopqrstuvwxyz abcdefghijklmnopqrstuvwxyz

poiuytrewqasdfghjklmnbvczxpoiuytrewqasdfghjklmnbvczx replace each plaintext character inmessage with matching replace each plaintext character inmessage with matching

ciphertext character: ciphertext character:

plaintext:plaintext: Charlotte, my loveCharlotte, my love

ciphertext:ciphertext: iepksgmmy, dz sgbyiepksgmmy, dz sgby

key is pairing between plaintext characters key is pairing between plaintext characters and ciphertext characters and ciphertext characters

symmetric key:symmetric key: sender and receiver use sender and receiver use same key same key

26! (approx 10**26) different possible keys: 26! (approx 10**26) different possible keys: unlikely to be broken by random trys unlikely to be broken by random trys

substitution cipher subject to decryption using substitution cipher subject to decryption using observed frequency of letters observed frequency of letters 'e' most common letter, ;the' most common word 'e' most common letter, ;the' most common word

DES: Data Encryption Standard DES: Data Encryption Standard

encrypts data in 64-bit chunks encrypts data in 64-bit chunks encryption/decryption algorithm is a published encryption/decryption algorithm is a published

standard standard everyone knows how to do it everyone knows how to do it

substitution cipher over 64-bit chunks: 56-bit substitution cipher over 64-bit chunks: 56-bit key determines which of 56! Substitution key determines which of 56! Substitution ciphers used ciphers used substitution: 19 stages of transformations, 16 substitution: 19 stages of transformations, 16

involving functions of keyinvolving functions of key

decryption done by reversing encryption steps decryption done by reversing encryption steps sender and receiver must use same key sender and receiver must use same key

Key Distribution Problem Key Distribution Problem

problem: how do communicant agree on problem: how do communicant agree on symmetric key? symmetric key? N communicants implies N keys N communicants implies N keys

trusted agent distribution: trusted agent distribution: keys distributed by centralized trusted agent keys distributed by centralized trusted agent any communicant need only know key to any communicant need only know key to

communicate with trusted agent communicate with trusted agent for communication between I and j, trusted agent for communication between I and j, trusted agent

will provide a key will provide a key

we will cover in more detail shortly we will cover in more detail shortly

Public Key CryptographyPublic Key Cryptography

separate encryption/decryption keys separate encryption/decryption keys receiver makes known (!) its encryption key receiver makes known (!) its encryption key receiver keeps its decryption key secret receiver keeps its decryption key secret

to send to receiver B, encrypt message M to send to receiver B, encrypt message M using B's publicly available key, EB using B's publicly available key, EB send EB(M) send EB(M)

to decrypt, B applies its private decrypt key to decrypt, B applies its private decrypt key DB to receiver message: DB to receiver message: compute DB( EB(M) ) gives M compute DB( EB(M) ) gives M

knowing encryption key does not help with decryption: knowing encryption key does not help with decryption: decryption is a non-trivial inverseof encryption decryption is a non-trivial inverseof encryption

only receiver can decrypt message only receiver can decrypt message question: good encryption/decryption algorithms question: good encryption/decryption algorithms

RSA: public key RSA: public key encryption/decryption encryption/decryption

RSA: a public key algorithm for encrypting/decrypting RSA: a public key algorithm for encrypting/decrypting

entity wanting to receive encrypted messages: entity wanting to receive encrypted messages:

choose two prime numbers, p, q greater than 10**100 choose two prime numbers, p, q greater than 10**100 compute n=pq and z = (p-1)(q-1) compute n=pq and z = (p-1)(q-1) choose number d which has no common factors with z choose number d which has no common factors with z compute e such that ed = 1 mod z, i.e., compute e such that ed = 1 mod z, i.e.,

integer-remainder( (ed) / ((p-1)(q-1)) ) = 1integer-remainder( (ed) / ((p-1)(q-1)) ) = 1, i.e., , i.e.,

ed = k(p-1)(q-1) +1ed = k(p-1)(q-1) +1

three numbers: three numbers: e, n made public e, n made public d kept secret d kept secret

RSA (continued)RSA (continued)

to encrypt:to encrypt: divide message into i blocks, bi of size k: 2**k < n divide message into i blocks, bi of size k: 2**k < n encrypt: encrypt: encrypt(bi) = bi**e mod nencrypt(bi) = bi**e mod n

to decrypt: to decrypt: bi = encrypt(bi)**dbi = encrypt(bi)**d

to break RSA to break RSA need to know p, q, given pq=n, n known need to know p, q, given pq=n, n known factoring 200 digit n into primes takes 4 billion years using factoring 200 digit n into primes takes 4 billion years using

known methods known methods

RSA exampleRSA example

choose p=3, q=11, gives n=33, (p-1)(q-1)=z=20 choose p=3, q=11, gives n=33, (p-1)(q-1)=z=20 choose d = 7 since 7 and 20 have no common factors choose d = 7 since 7 and 20 have no common factors compute e = 3, so that ed = k(p-1)(q-1)+1 (note: k=1 compute e = 3, so that ed = k(p-1)(q-1)+1 (note: k=1

here) here)

Further notes on RSAFurther notes on RSA

why does RSA work?why does RSA work? crucial number theory result: of crucial number theory result: of p, qp, q prime then prime then bi**((p-1)(q-1)) mod bi**((p-1)(q-1)) mod

pq = 1pq = 1 using using mod pqmod pq arithmetic: arithmetic: (b**e)**d = b**(ed) (b**e)**d = b**(ed)

= b**(k(p-1)(q-1)+1) for some k = b**(k(p-1)(q-1)+1) for some k

= b b**(p-1)(q-1) b**(p-1)(q-1) ... b**(p-1)(q-1) = b b**(p-1)(q-1) b**(p-1)(q-1) ... b**(p-1)(q-1)

= b 1 1 ... 1 = b 1 1 ... 1

= b = b

Note:Note: we can also encrypt with d and encrypt with e. we can also encrypt with d and encrypt with e. this will be useful shortly this will be useful shortly

How to break RSA?How to break RSA?

Brute force: get B's public key Brute force: get B's public key for each possible bi in plaintext, compute bi**e for each possible bi in plaintext, compute bi**e for each observed bi**e, we then know bi for each observed bi**e, we then know bi more: choose size of bi "big enough" more: choose size of bi "big enough"

man-in-the-middle: intercept keys, spoof identity:man-in-the-middle: intercept keys, spoof identity:

AuthenticationAuthentication

Question:Question: how does a receiver know that remote how does a receiver know that remote communicating entity is who it is claimed to be?communicating entity is who it is claimed to be?

Approach 1:Approach 1: peer-peer key-based authentication peer-peer key-based authentication A, B (only) know secure key for encryption/decryption A, B (only) know secure key for encryption/decryption A sends encrypted msf to B and B decrypts: A sends encrypted msf to B and B decrypts:

A to B: msg = encrypt("I am A")A to B: msg = encrypt("I am A")

B computes: if decrypt(msg)=="I am A"B computes: if decrypt(msg)=="I am A"

then A is verifiedthen A is verified

else A is fradulentelse A is fradulent

failure scenarios? failure scenarios?

Authentication Using Nonces Authentication Using Nonces

to prove that A is alive, B sends "once-in-a-lifetime-only" number (nonce) to A, to prove that A is alive, B sends "once-in-a-lifetime-only" number (nonce) to A, which Aencodes and returns to Bwhich Aencodes and returns to B

A to B: msg = encrypt("I am A")A to B: msg = encrypt("I am A")B compute: if decrypt(msg)=="I am A"B compute: if decrypt(msg)=="I am A" then A is OK so farthen A is OK so farB to A: once-in-a-lifetime value, nB to A: once-in-a-lifetime value, nA to B: msg2 = encrypt(n)A to B: msg2 = encrypt(n)B computes: if decrypt(msg2)==nB computes: if decrypt(msg2)==n then A is verifiedthen A is verified else A is fradulentelse A is fradulent

note similarities to three way handshake and initial sequence number choice note similarities to three way handshake and initial sequence number choice problems with nonces? problems with nonces?

Authentication Using Public KeysAuthentication Using Public Keys

B wants to authenticate A B wants to authenticate A

A has made its encryption key EA known A has made its encryption key EA known

A alone knows DA A alone knows DA

symmetry: DA( EA(n) ) = EA ( DA(n) ) symmetry: DA( EA(n) ) = EA ( DA(n) )

A to B: msg = "I am A"A to B: msg = "I am A"

B to A: once-in-a-lifetime value, nB to A: once-in-a-lifetime value, n

A to B: msg2 = DA(n)A to B: msg2 = DA(n)

B computes: if EA (DA(n))== nB computes: if EA (DA(n))== n

then A is verifiedthen A is verified

else A is fradulentelse A is fradulent

Digital Signatures Using Public Digital Signatures Using Public KeysKeys

Goals of digital signature: Goals of digital signature: sender can not repudiate message never sent ("I never sent sender can not repudiate message never sent ("I never sent

that") that") receiver can not fake a received message receiver can not fake a received message

Suppose A wants B wants to "sign" a message M Suppose A wants B wants to "sign" a message M

B sends DA(M) to AB sends DA(M) to A

A computes if EA ( DA(M)) == MA computes if EA ( DA(M)) == M

then A has signed Mthen A has signed M

Question:Question: can A plausibly deny having sent M? can A plausibly deny having sent M?

Symmetric key exchange: trusted Symmetric key exchange: trusted serverserver

problem:problem: how do distributed entitues agree on a key? how do distributed entitues agree on a key?

assume:assume: each entity has its own single key, which only each entity has its own single key, which only it and trusted server knowit and trusted server know

server: server: will generate a one-time session key that A and B will generate a one-time session key that A and B

use to encrypt communication use to encrypt communication will use A and B's single keys to communicate will use A and B's single keys to communicate

session key to A, B session key to A, B

Symmetric Key exchange: trusted Symmetric Key exchange: trusted serverserver

Preceding scenario: Preceding scenario:

1.1. A sends encrypted msg to S, containing A, B, nonce RA: EA(A,B,RA) A sends encrypted msg to S, containing A, B, nonce RA: EA(A,B,RA)

2. 2. S decrypts using DA, generates one time session key, K, sends S decrypts using DA, generates one time session key, K, sends nonce, key, and B-encrypted encoding of key to A: nonce, key, and B-encrypted encoding of key to A: EA(RA,B,K,EB(K,A)) EA(RA,B,K,EB(K,A))

3. 3. A decrypts msg from S using DA and verifies nonce. Extracts K, A decrypts msg from S using DA and verifies nonce. Extracts K, saves it and send EB(K,A) to B. saves it and send EB(K,A) to B.

4. 4. B decrypts msg using DB, extracts K, generates new nonce RB, B decrypts msg using DB, extracts K, generates new nonce RB, sends EK(RB) to A sends EK(RB) to A

5. 5. A decrypts using K, extracts RB, computes RB-1 and encrypts using A decrypts using K, extracts RB, computes RB-1 and encrypts using K. Sends EK(RB-1) to B K. Sends EK(RB-1) to B

6. 6. B decrypts using K and verifies RB-1 B decrypts using K and verifies RB-1

Public key exchange: trusted Public key exchange: trusted serverserver

public key retrieval subject to man-in-middle attack public key retrieval subject to man-in-middle attack locate all public keys in trusted server locate all public keys in trusted server everyone has server's encryption key (ED public) everyone has server's encryption key (ED public) suppose A wants to send to B using B's "public" key suppose A wants to send to B using B's "public" key

Clipper Chip: technical aspectsClipper Chip: technical aspects

US gov't proposed federal information processing US gov't proposed federal information processing standard (voluntary) standard (voluntary)

obviously need to encrypt many things passed over obviously need to encrypt many things passed over phone line phone line

encryption technique for Clipper (skipjack algorithm) encryption technique for Clipper (skipjack algorithm) highly classified highly classified

voluntarily installed in telecommunications equipment voluntarily installed in telecommunications equipment (existing products) (existing products)

call setup:call setup: A and B want to communicate A and B want to communicate A, B use standard public key techniques to agree on A, B use standard public key techniques to agree on

a session key a session key session key encrypted using clipped chips unit key session key encrypted using clipped chips unit key encrypted session key and unencrypted unit ID put encrypted session key and unencrypted unit ID put

into LEAF (Law Enforcement Access Field) which is into LEAF (Law Enforcement Access Field) which is sent sent

note: LEAF redundant, A and B know session K note: LEAF redundant, A and B know session K session key transmitted so it can be intercepted! session key transmitted so it can be intercepted!

session communication encrypted using session key session communication encrypted using session key

Privacy issuesPrivacy issues

Clipper I:Clipper I: device manufacturers split unit chip key in half: device manufacturers split unit chip key in half: unit chip key hardwired into tamper proof, non reverse-unit chip key hardwired into tamper proof, non reverse-

engineerable chip engineerable chip half in escrow at NIST, half at Treasury half in escrow at NIST, half at Treasury gov't wants to wiretap machine with known unit ID gov't wants to wiretap machine with known unit ID

gov't (e.g., FBI) presents court orders to both agencies, gets unit chip gov't (e.g., FBI) presents court orders to both agencies, gets unit chip key key

uses chip key to determine session key from LEAF uses chip key to determine session key from LEAF unencrypts using session key unencrypts using session key

US gov't outlawed export of greater-than-40-bit key technology US gov't outlawed export of greater-than-40-bit key technology Oct 96: 56 bit key technology selectively exportable for two Oct 96: 56 bit key technology selectively exportable for two

year trial basis year trial basis

Protection against Intruders: Protection against Intruders: FirewallsFirewalls

firewall: network components (host/router+software) firewall: network components (host/router+software) sitting between inside ("us") and outside ("them) sitting between inside ("us") and outside ("them)

packet filtering firewalls: drop packets on basis of packet filtering firewalls: drop packets on basis of source or destination address (i.e., IP address, port) source or destination address (i.e., IP address, port)

application gateways: application specific code application gateways: application specific code intercepts, processes and/or relays application intercepts, processes and/or relays application specific packets specific packets

e.g., email of telnet gateways e.g., email of telnet gateways application gateway code can be security hardened application gateway code can be security hardened can log all activity can log all activity

Security: Internet activitySecurity: Internet activity

IP layer: IP layer: authentication of header: receiver can authenticate sender using authentication of header: receiver can authenticate sender using

messageauthentication code (MAC) messageauthentication code (MAC) encryption of contents: DES, RFC 1829 encryption of contents: DES, RFC 1829

API API SSL - secure socket layer: support for authentication and encryption SSL - secure socket layer: support for authentication and encryption

port numbers: 443 for http with SSL, 465 for smtp with SSL port numbers: 443 for http with SSL, 465 for smtp with SSL

Application Layer Application Layer Privacy Enhanced Mail Privacy Enhanced Mail secure http: supports many authentication, encryption schemes secure http: supports many authentication, encryption schemes

Security: conclusionSecurity: conclusionkey concerns: key concerns: encyption encyption authentication authentication key exchange key exchange

also: also: increasingly an important area as network connectivity increases increasingly an important area as network connectivity increases digital signatures, digital cash, authentication, biometrics increasingly digital signatures, digital cash, authentication, biometrics increasingly

important important an important social concern an important social concern further reading: further reading:

Crypto Policy Perspectives: S. Landau et al., Aug 1994 CACM Crypto Policy Perspectives: S. Landau et al., Aug 1994 CACM Internet Security, R. Oppliger, CACM May 1997 Internet Security, R. Oppliger, CACM May 1997 www.eff.org www.eff.org