Jiri J. Cejka

Internet and Security

I. Communication Introduction

II. Internet Introduction

III. Security Introduction

IV. Cryptography

V. Public Cryptography

Jiri J. Cejka

Chapter 1 Internet and Security

Communication Introduction

– Communication Theory

– Communication OSI Model

Jiri J. Cejka

Communication theory Case 1

Two army problem

Time Synchronisation

Solution ?

Red Army

B

Red Army

A

Blue Army

Jiri J. Cejka

Communication theory Case 2

Connection Management

Telephone call simulation

Protocol

A B

Connect request

Connect response

Connect indication

Connect confirm Connect response Connect confirm

Data request

Data request (Acknowledgment)

Data indication

Data indication

Disconnect response

Disconnect indication Disconnect request

time

Jiri J. Cejka

Communication Model - 1

Network topology

Interconnection

1 2

3

4

5

Jiri J. Cejka

Communication Model - 2

OSI Standard compared with TCP/IP

Seven Layers:

7. Application

6. Presentation 5. Session

4. Transport Datagram TCP (Internet Control Protocol)

3. Network Packet IP(ARP),X.25

2. Link Frames CSMA/CD

1. Physical Bits, modems 10011100001000100001

Frame Data Area Frame Header

Datagram Data Area Datagram Header

ICMP

Header

ICMP

Data

Jiri J. Cejka

Communication Model - 3

Layer Two - Data Link - Frames

Frame-level

1

2

3

4

6

7

Host

Frame-level

Access

Node

Node

Switcher

Bridge

Host

Access

Node

5

Frame-level

Jiri J. Cejka

Communication Model - 4

Layer Three - Data Packets

1

2

3

4

5

6

7

Host Packet level

1-3-4-7

Access

Node

Node

Switcher

Router

Host

Access

Node

Packet level

2-3-4-5-6

Acknowledgment

Acknowledgment

Jiri J. Cejka

Communication Model - 5

Sliding windows

– Datagram

– Transport

– Data Link

Acknowledged

Sent

Not Sent

Messages

Source

1

2

3

4

5 6

4Ack 2

3

4

5

1

Acknowledged

7

6 Sent

Not Sent Destination

Messages

Packets

Frames

Jiri J. Cejka

Chapter 2 Internet and Security

Internet Introduction

– What is Internet- history, popularity of usage

– Role of Internet - security

Jiri J. Cejka

Internet Introduction

What is Internet?

Why has it become so popular?

Is Internet secure enough to build

business on it?

If Yes:

– HOW do I guarantee Security and Privacy

– WHEN should I start to invest into it?

Jiri J. Cejka

What is Internet

Definition of Internet

Development 1970 - DARPA

Two fundamental design observation:

– No single network can serve all users

– Users desire universal interconnections

1 2

3

4

5

Jiri J. Cejka

Internet Architecture

User’s view

– each computer appears to attach to a single network

Structure of networks and gateways

Address assignment:

IP Address: <net-id> <host-id>

Host : 193.73.248.10

Network: 193.73.248.0

Gateway: 193.73.248.1

Host Host

Gateway

Physical network

INTERNET

Jiri J. Cejka

The reasons for the worldwide use

The Flexibility of underlying protocols

Public and free Access

– bright spectrum of users

– modern design methods

Progress in computing technology

Development of modern GUI driven

languages

– usage of HTTP, HTML, URL

Jiri J. Cejka

Chapter 3 Internet and Security

Security Introduction

– Security Methods

– Security Model

Jiri J. Cejka

Security Introduction

“Public” Internet access versus “Security”

– Privacy and Integrity

– Authentication and Availability

– Data Integrity and Audit techniques

– Physical security and Management practices.

Jiri J. Cejka

Security Methods

Optimal combination of tools

and methods

Cryptography

– Transaction security

Firewalls and routers – Unauthorised access

Operating systems – Internal sources

1. Intruder has

access to Your system 4. Intercepted

on the destination

INTERNET

2. Wiretapped during

the transmission

3.Stolen while

waiting at server

Message Origination Message Destination

2. Wiretapped during

the transmission

INTERNET

Jiri J. Cejka

Security Methods

Usage of:

– Firewalls

– Filtering

routers

Filtering Router

INTERNET

External User(s)

Firewall Proxy

Server

DNS Functions

Bank Internal Networks

Server of

Service Provider

Internal User

Internal System

Filtering Router of

Service Provider

Secured Area

Jiri J. Cejka

Security Methods

INTERNET

External

Network

External

User(s)

POLICIES, PROCEDURES, ADMINISTRATION

PHYSICALSECURITY

Network Access Layer

WORKSTATION

SECURITY System Access Layer

Application Access Layer

AUDIT

TRIAL

SECURITY

MONITORING

HOST

Data

Software

CHANGE

CONTROL

Access Control

Tables

Software

Jiri J. Cejka

Security Methods

WEB Security Control Points

C2

Firewall #2

INTERNET

B2

External Web

Server

E1

Any External

Company

Web Server

A1

Web Client

Browser

D1

Any External

Internet User’s

Web Client Browser

COMPANY

INTERNAL

NETWORK

A Company

E2

Any Web

Server

C1

Firewall #1

B1

Internal Web

Server

Jiri J. Cejka

Chapter 4 Internet and Security

Cryptography Basics

– History and different Kinds of security

Cryptography Standards

– Private Cryptography

– Public Cryptography

Jiri J. Cejka

Cryptography Basics

How does simple cryptography works

– Message to be encrypted (plaintext)

– Message after it is encrypted (ciphertext)

– Encryption Algorithm (mathematical function)

– Key (number, password, phrase)

Cryptography goal

– impossible: plaintext from ciphertext

Encryption Algorithm

Plaintext

Ciphertext

Key

Jiri J. Cejka

Cryptography Basics

Unbreakable Codes

– Code Word - Code Meaning

– one shot

– restricted to simple information

Ciphers

– Technique of scrambling Message

– Truly cryptography

Jiri J. Cejka

History of Cryptography

Substitution ciphers

– Earliest ciphers 2000 B.C.

– Julius Ceasar - Shift alphabet

– Rennaisance Freemasons -Secret cipher

– G. Washington - Assigned numbers

One-Time Pads - Vernam cipher

– Each page used once

– “Hotline” Stream of numbers as pads

–each number defines shift of a letter

–fix length numbers: Cryptographic Key

A B C D E

0 1 2 3 4

N O P

1. Launch

2. Target

05 08 14 20 01

Jiri J. Cejka

Breaking the code

Key Length Length: Variants: Efficiency:

– Eurocard 4 digits 10.000 14 bits

– UNIX password 8 char 6.3x10^16 56 bits

Breaking the code

– Brute force attack

– Cryptanalysis

–Know plaintext attack

–Chosen plaintext attack

–Differential Cryptanalysis

Plaintext Ciphertext

Key

Jiri J. Cejka

Private Cryptography

Algorithms

Private Key Algorithms

– Key distribution

– Types of Private Cryptography

–DES, Triple DES 1977 : 56-bit key length

–RC2, RC4 Rivest code: 1-1024 bit length

–IDEA 1990 Zurich: 128 bit key

Jiri J. Cejka

Sending secret message only after

prior arrangement - key exchange

Number of the keys: n*(n-1)/2

Key could be intercepted

Distribution of Keys

– Key Distribution Center

– (session key)

Problems with Private Cryptography

A’s private Key

Session Key

B’s private Key

Key Distribution Center KDC

Jiri J. Cejka

Public Cryptography

1970 Breakthrough - Asymmetric

Algorithms

Generate Keys

– Public Key

– Private Key

Public Key

from person B

INTERNET

Own Secret Key

from person B

Person A Person B

1. Message is

Encrypted 2. Message is

Decrypted

Jiri J. Cejka

Public Key Systems

1974 Ralph Merkle “Jigsaw puzzle”

– Secure communication over insecure channels

1975 Diffie-Hellman

– Exponential Key exchange

– Multi-user cryptographic techniques

– (1975 Private system as Standard DES)

1977 Rivest, Shamir, Adleman: RSA

– Easy to multiply two large prime numbers

– Difficult to find its prime factors.

Jiri J. Cejka

Ralph Merkle’s Puzzles 1. Alice send open message to Bob.

2. Alice creates 1.000000 Encryption Keys.

3. Each key is hidden in one puzzle.

-each Puzzle takes 2 Minutes to solve.

4. All puzzles are sent to Bob.

5. Bob chooses one puzzle and

unscrambles one key.

6. Bob encrypts previous message

with his key.

7. Message is sent to Alice.

8. Alice tries all keys until one fits.(850).

Eavesdropper has to try all 1000000 puzzleseach taking

him two minutes to solve!

Alice

1.

2.

:

1000.000

Bob

850

850

1

2. 3.

4. 5.

6.

7.

8.

Jiri J. Cejka

Diffie-Hellman Multi-user

1. Alice and Bob agrees on two numbers.

They are known and public: a, q.

2. Each part chooses a secret number X: X1, X2

and transmits the results of mathematical formula

involving a, q, and X.

3. Both participants compute number K as

function of (X1 and Y2) or (X2, Y1).

Eavesdropper knows a,q,Y1 and Y2 nut does not know X1

or X2: he cannot compute number K.

K is used as a session key for private key encryption algorithm

such as DES.

Alice Bob Numbers a, q

K =Y2(exp( X1)(mod q)

1.

2.

3.

X1

Y1 = a(exp(X1))(mod q)

X2

Y2=f(a,q,X2)

K=f(X2,Y1)

Jiri J. Cejka

Data Encryption Standard DES

Description of nationwide Standard System

1960 IBM Private encryption system

– Lucifer 1974 on a chip for market

– length set to 128 bits

1975 NSA and NIST design of DES

Architecture of DES : P-box, S-box

DES controversy 128 Bits-> 56 bit Key

– How secure is DES now

Jiri J. Cejka

Rivest, Shamir, Adelman: RSA

1977 U.S. patent to MIT

Company RSA DSI marketing

– computation intensive

– chip production unsuccessful

– RSA Bidzos MailSafe

Phil Zimmermann PGP

– Encryption on microprocessor

– PGP Public key algorithm on PC

– Export law, International Version

Jiri J. Cejka

How Does RSA works?

Each the person has to create key pair consisting of

public and secret key.

1. Alice chooses very large two prime numbers P and Q per random. P=47, Q=71.

2. Encryption modulus is created multiplying: N = P * Q. N=3337.

3. The encryption key is created : e is prime to (P-1) * (Q-1) e = 3220

4. Using Euclid algorithm decryption key d is found :

d = e(exp-1) *(mod ((P-1) * (Q-1))) d = 1019

5. Then Public key = (N,e)

Secret key = d.

Then Bob encrypts number X: X(exp e)(mod N) -> A

Alice decrypts A: A(exp d)(mod N) -> X

Jiri J. Cejka

Privacy and Public Policy

FBI’s Digital Telephony Plan

– History if wiretapping

– 1995 Cryptography and Constitution

NSA’s Clipper Chip

– After DES a new public technology standard

– Algorithm “Skipjack” 80 bits

– Escrowed Encryption Standard EES

–Using Family Key, Chip Key and Session Key

– Public usage Administration - Market

Jiri J. Cejka

Clipper Chip EES

1. Session Key Conversation

- different for each conversation

- SKIPJACK (NSA algorithm)

2. Clipper Chip Telephone Session

2.1 UniqueChip A Key

2.2. Chip A Serial Nr

2.3 Checksum

2.4 Family key common to all chips

creates Law Enforcement Access Field

3. Escrowed Encryption Standard EES

3.1 Family Key Master Key held by government

3.2. Decrypts LEAF and gives Serial Number

3.3. Two companies give two fragment of Chips key

3.4. Agent creates Chip key and under permission decrypts Session key

Chip B Key 14365275890364789

14365275890364789

Serial Nr B

Checksum

B A

LEAF A LEAF B

Family Key

Jiri J. Cejka

Digital Signature Standard - DSS

Proposed by NIST in 1991

Federal Information Process. Standard

FIPS

– Developed in fact by NSA

Digital Signature Algorithm - DSA

– Slower then RSA

– Opposition against DSA might contain back door

– Used as digital signature only

– Using Secure Hash Algorithm SHA 160 bit length

Jiri J. Cejka

Comparison Public-Secret Cryptography

Advantages:

– Increased security: Secret key is not transmitted

–Secret key : sharing the secrecy with other side

– Authentication: method for digital signatures

– Legal binding for Public-key

–Authentication of signature: non-repudiation

–Kerberos authenticate only access: not legally bounded

Disadvantages

– Speed: solution is combination of secret-public key

Jiri J. Cejka

Cryptography

“Without strong cryptography no one will

have the confidence

– to use networks to conduct business

– to engage in commercial transactions electronically

– to transmit sensitive personal information”.

Jiri J. Cejka

Chapter 5 Internet and Security

Public Cryptography PGP

– Public and Secret Key

– Pass Phrase

– Random Bit & Session Key generation

– Digital Signature

– Key Rings & Key Certification

– Web of Trust

Jiri J. Cejka

Public Cryptography Pretty Good Privacy PGP

Generating of Keys

– Public Key

– Secret Key

Distribution of Keys

– Public key ring

– Trust

– Validity

Own Secret Key

from person B

Public Key

from person B

INTERNET

Person A Person B

1. Message is

Encrypted 2. Message is

Decrypted

Jiri J. Cejka

PGP - Public and Secret key

Generating of Public and Secret key: pgp -kg

1. Set-up the length : 512, 1024 bits: 1,2,3

2. Define User ID: <name@comp.com>

3. Defined he Pass Phrase : Text string

4. Generate random number: Text, time

Key identifications:

Type Bits keyID Date User ID

pub 512 C7A966DD 1996/10/09 name@company.com added to pubring.asc

sec 512 HIAF12EG 1996/10/09 name@company.com added to secring.asc

Public Key

from person B

INTERNET

Own Secret Key

from person B

Person A Person B

1. Message is

Encrypted 2. Message is

Decrypted

Jiri J. Cejka

PGP- Session Key

Encrypting the message

using Session Key:

pgp -eat <file name> <public key id>

- e Session key automatically

- a Result as text file

- t Source as text file

<filename.asc>

1.Session Key is

randomly generated

Own Secret Key

from person B

Person A

Person B

4. Both encryption are

bundled together and

sent to person B

5. Message is

Decrypted 2. Message is encrypted

using IDEA algorithm

3. Session Key encrypted

using RSA algorithm

and B’s Public Key

INTERNET

Jiri J. Cejka

PGP-Pass Phrase Decrypting the message

Secret Key decryption/encryption

pgp <file name.asc>

- Secret Key is required to read file

- Pass Phrase is needed to unlock RSA key

- Using MD5 hash function 128-bit code

is generated from the Pass Phrase

- IDEA algorithm decrypts Secret Key

Local usage of Pass Phrase

1. Encrypting of text file

pgp -c <your file>

-Pass Phrase required

2. Decrypting of text file

pgp <your file.pgp>

-Pass Phrase required

INTERNET

Person A Person B

2.Secret Key is decrypted after encrypted message came

1.Secret Key is encrypted during generation Public/Private key using Pass Phrase

3. Message is decrypted using B’s Secret Key

Jiri J. Cejka

INTERNET

4. Seal is

encrypted

using A’s

Public Key

Person A

Person B 2. The number is

encrypted using

secret key into a

“seal”

1. MessageDigest function

is run over the message

producing 128-bit number

6. Both digest numbers

are compared

- if they are same

message is authentic.

14365275890364789

3. The signature block

“seal” is added to the

message ready to be

sent in readable form

14365275890364789 14365275890364789

5. Message

Digest function

creates new

128-bit number

PGP-Digital Signature Authentication of message

- Message Digest Function MD5

unique 128 bit code created

- Code encrypted with Secret Key

- Pass Phrase is required

pgp -sta <file name>

- result in <file name.asc>

- Signature decrypted with Public Key

pgp <file name.asc>

- Automatic check with text file

Signing and Encrypting -most secure

pgp -se <file name>

Jiri J. Cejka

Locally created

keys stored

on Secret Ring

14365275890364789

1. Pass Phrase opens secret key-ring to

change any identifications:

- From Path Phrase MD5 function counts

128 bit code to decrypt IDEA encryption

2. To Encrypt Text file a random bit

generates a Session key to Encrypt file

using IDEA

3. Message is encrypted using Session

Key and

conventional IDEA algorithm

4. The Session Key is encrypted using

RSA and Recipient’s Public key

5. Using MD5 Function and Secret Key

generates Digital Signature

PGP- Key Rings

Received

keys

stored on

Public Ring

Random bit

generator

“Any secret text..”

MD5

RSA

IDEA

MD5

Jiri J. Cejka

PGP- Key Certification

Public Key Certification is built into

PGP:

- Validity - Identification that the key

received really belongs to the person to

whom it says it belongs.

- Trust - Measure of how much you believe

honesty and judgment of the person created

the key.

INTERNET

Person A Person B

14365275889 14365275890 1436524789

Jiri J. Cejka

John

John does not believe Phil’s

certification

John trusts Jane

John does not trust Chris.

John does not trust any person

certification by Chris

Jane certifies Phil

Certifying and Distributing of Public Keys:

- John’s trusts

- John’s belief of identity

- No trust, no belief of identify

Jane

Phil

Phil certifies Lori

Lori

PGP-Web of Trust

John believes Jane’s certification of Phil

Chris

Jiri J. Cejka

Adding Key with Signatures on Public ring

pgp -ka <file name.pgp>

Key Fingeprint is displayed - Key’s unique Digest of 128 bits code

Key can be certified personally

- RSA Secret Key has to be unlocked - Pass Phrase is needed

Level of Trust has to be added: 1= Not known, 2= No, 3=Usually, 4= Always.

Viewing Public key ring and Signatures pgp -kc

Type bits/KeyID Date User ID

pub 512/ 33681029 1994/08/28 Name1 <name1@.comp1.com>

sig! A71712F9 1994/12/28 Name2 <name2@.comp2.com>

Key ID Trust Validity User ID

33681029 marginal complete Name1 <name1@comp1.com>

complete complete Name2<name2@comp2.com>

pgp -kvv Viewing Fingerprint

PGP- Adding Public Key

Jiri J. Cejka

“Only those defenses are good, certain and

durable, which depend on yourself alone

and your own ability”.

The Prince

- Nicollo Machiavelli

Internet Security Resume