Upload
mohd-arif
View
896
Download
1
Embed Size (px)
DESCRIPTION
Citation preview
Data Security
Understanding Data Communications and Understanding Data Communications and Networks – Networks – William A. Shay William A. Shay (3E)(3E)
Data Security
Data Security‘To ensure that the data is received meaningfullyonly by the intended recipient’Approach – Alter (encrypt) the message (un-intelligible even if intercepted)
- Algorithms- Public key encryption- Secure Transfer over internet
Data SecurityDefinitions:Definitions:‘Changing the encrypted data into its original form – decryption’Plaintext P- original formCipher-text C - encrypted data
Encryption algorithm and key Ek, changes P to CC = Ek(P), Decryption algorithm and key Dk’, changes C to PP = Dk’(C), in many cases k = k’
Data SecurityMono-alphabetic cipher:Mono-alphabetic cipher:‘Replaces each plaintext character with another’- Add 1 to ASCII code of each character- A turns into B, B to C, …- Simple but Rarely used in serious applications- Relatively easy to decipher- Commonly used letters: E, T, O, A, N => if
certain letters appear frequently in cipher-text, probably it is one of these (than Q or Z)
Data SecurityMono-alphabetic cipher:Mono-alphabetic cipher:P = PLEASE ADD MONEY TOC = {;RSDR\SFF\,PMRU\YP\=> \ 4 times=> S Twice => R Thrice=> P TwiceThey may be substitutions of common characters, even blank spaces
Data SecurityMono-alphabetic cipher:Mono-alphabetic cipher:‘Try various combinations of common ones’{;EADE\AFF\,ONEU\YO…(R by E, S by A, P by O)“Replace ‘\’ by blank spaces”{;EADE AFF ,ONEU YOClues: ‘Two letter word ends with O, Three letter
word begins with A followed by repeated letter’{;EADE ADD ,ONEU TO=> With educated guesses, message can be
decrypted
Data SecurityMono-alphabetic cipher:Mono-alphabetic cipher:Drawbacks: preserving particular letter
sequences, frequency with which letters occurPoly-alphabetic Cipher:Poly-alphabetic Cipher:‘Change the frequencies and break-up common
sequences’A plaintext character is not always replaced with
the same one cipher-text character.Replacement = f (P, its position in the message)
Data SecurityPoly-alphabetic Cipher:Poly-alphabetic Cipher:For (int i = 0; i < length of P; i++)
C[i] = P[i] + K + (i mod 3)Assume, K =1.1 is added for positions 0, 3, 6, … 2 is added for positions 1, 4, 7, … 3 is added for positions 2, 5, 8, … THEMTHENTHEY -> UJHNVKFPWIG\=> Repetition has reduced, but still present
Data SecurityPoly-alphabetic Cipher:Poly-alphabetic Cipher:‘THE’ appears as UJH, VKF, WIGIf there were more ‘THE’, the pattern would repeat.Also, there are other patterns:First letters of each ‘THE’ cipher-text are
consecutive – UVW, (also the 2nd one as JKI, and the 3rd one as HFG)
=> Clues for decryption
Data SecurityTransposition Cipher:Transposition Cipher:‘Rearranges the P letters of a message (not Replacing them)’One way – store characters in a 2-dimensional array with m-columns=> First m-characters in 1st row, next m-
characters in 2nd row, …..Determine a permutation of numbers 1 to m:p1, p2, ……, pm
Data SecurityTransposition Cipher:Transposition Cipher:Transmit p1 column first, then p2, ……, then pm.P = ‘FOLLOW THE YELLOW BRICK ROAD’
F O L L OW T H E
Y E L LO W B RI C K RO A D
Data SecurityTransposition Cipher:Transposition Cipher:Transmit columns 2, 4, 3, 1, 5 (permutation)O YWCALHLB LTE KDFW OIOOELRRIf, receiver knows the permutation and the
number of columns -> reconstruct the message
Drawbacks: letter frequencies are preserved, also by grouping the characters in different columns for sequences like ‘THE, IS’ are helpful for guessed-decryption.
Data SecurityBit-Level ciphering:Bit-Level ciphering:‘Previous methods are applicable to character
sequences’‘Files may contain raw bits (execution files), This
method handles them’- Encryption key is a randomly chosen bit-string- Message bit string is divided into substrings- Length is the same as that of the key
Data Security
Encrypted string = message string XOR key- Decryption: Encrypted string XOR key- E (algorithm) is same as D (algorithm)- pi is a plaintext bit, if encryption key contains
‘0’ in that position: pi XOR 0 XOR 0 = pi
if encryption key contains ‘1’ in that position: pi XOR 1 XOR 1 = pi XOR (1 XOR 1) = pi XOR 0 = pi
Data Security
‘Security depends partly on the length of the key’
- Short key => many substrings => more chance of repetition of the encrypted substring, susceptible
- In extreme case, the key length = message length => each bit is encrypted uniquely
- If the key-bits are random => unbreakable code (but long key needs to be transferred)
Data Security
Data Encryption Standards (DES):Data Encryption Standards (DES):‘Approach is to keep the key short compared to the
message and to use complex procedure to encrypt the message’
- Based on ‘block-cipher’- Divides the message into 64-bit blocks, uses a key
to employ a complex transformation.- It uses transposition (rearrangement) and
substitution (replacing one bit-group with another
Data SecuritySteps:- Transposition on the block data and the key- 16 successive encryptions with different keys
derived from the original, output of one fed to the next input
- Swap (32 bits)- Reverse transposition (of the 1st step)
Data SecurityEncryption operations:data = C64 = L32 R32, K56 = key(R32: transpose, duplicate bits) results in R48(K56: shift on each half, transpose) results in K56R48 XOR K48 (first) = X48Divide into 8 (6-bit) groups Substitute each by 4-bit valueCombine into a 32-bit string, transpose = X32
Data Security
L32 XOR X32 = X32Form final 64 bits = R32 X32‘Idea was to develop a method with many
convoluted steps’- If the same 64-bit block occurs more than
once, it generates the same cipher-text.‘Cipher Block Chaining (CBC)’ disrupts that
pattern.
Data SecurityCBC:Initialization vector (IV):Block 1 XOR IV -> DES -> Block 1CBlock 1C XOR Block 2 -> DES -> Block 2C Block 2C XOR Block 3 -> DES -> Block 3C …Cipher-text = f (plaintext, its position)=> Same plain text in different positions means
different cipher text also
Data Security
• DES Effectiveness: Brute force method of attack – trying all possible keys -> 256 possible keys, it was possible to break the code in hours using gigahertz processors.
• Using 128-bit key => 9.5 * 1015 years to try all possible keys @ 1015 keys per second
Data Security
Public Key Encryption (PKE):Public Key Encryption (PKE):‘Knowing the encryption key and the algorithm
renders decryption easy’‘PKE makes decryption algorithm and key
determination difficult even when encryption algorithm and key are known’
- Many sources can send message using same Ek. Only the receiver knows the Dk’.
Data SecurityRSA algorithm:- Uses modulo-arithmetic and factorization of
very large numbers- Cipher-text is easy to calculate but difficult to
break1.Assign simple code to letters (1 to 26 for ‘a’ to
‘z’)2.Choose ‘n’ (200 or more digits) as a product of
two large prime numbers p, q.
Data Security
For simplicity, n = p * q = 11 * 7 = 773. Find a number K that is relatively prime (no
common factors except 1) to (p-1) * (q-1). Choose k = 7 as the encryption key (there is always a k)
4. Divide the message into components (with many letters in one, avoids repetition), For simplicity: “hello” divided as h, e, l, l, o
Data Security
5. For each component, concatenate all the binary code of each letter and interpret it as an integer. Here, integers are: 8, 5, 12, 12, 15.
6. Encrypt the message by raising each number to the power of k (modulo n)
Encrypted message = 57 47 12 12 71 Decryption:1. Find a value k’ such that (k * k’) – 1 is evenly
divisible by (p-1) * (q-1). K’ is the decryption key .
Data Security
Here, (p-1) * (q-1) = 60, k’ = 43 works well. (there is always a k’)
2. Raise each encrypted number to the power of k’ (modulo n)
Results are the original numbers 8, 5, 12, 12, 15.Potential problem: How to find 71 43 modulo 77?Break the power in 2, 4, 8, …Find the modulo for lowest to the highest.
Data Security
• How secure is RSA?‘n’ and ‘k’ are needed for encryption, If they are intercepted, K’ could be deduced.However, it needs ‘p’ and ‘q’ – the factors of ‘n’.• If ‘n’ is large (200 or more digits) => difficult,
time-consuming
Data Security
Transport layer security (TLS) and Server Authentication:
‘To ensure access to the proper encryption methods and keys to protect privacy’
‘Also to ascertain the legitimacy of the site connected to’
‘Secure Sockets Layer (SSL) and Transport Layer Security Protocols, X.509 certificates’
Data Security‘TLS and SSL lies between application layer and
transport layer’Sender side: encrypts the message from application
layer and passes it to the transport layer Receiver side: receives the message from transport
layer and passes the decrypted message to the application layer
‘TLS has the ability to revert to SSL 3.0, there are some low level differences’
Data Security
X.509 certificate:‘Electronic ID to prove that a site is what it
claims to be’‘Certificate Authority (CA) issues certificates’‘Consumer maintains a list of trustworthy CAs in
his computer’‘Trusted CA list is developed over the time’‘Certificate contains a period of validity and two
fingerprints’
Data Security‘Authentication is the process of validating the
identity of the message-source’‘Fingerprints are values calculated using some
algorithms for authentication’Browser:
- downloads the server certificate- checks the period of validity- checks the fingerprints- checks the CA
‘All must be affirmative in order to proceed’
Data Security‘An initial set of exchange takes place between
the server and the client – handshake’‘Handshake defines the cryptographic routines,
key exchanges, and authentication process’1. Client to server: highest TLS (SSL) version
available, a list of encryption algorithms, a list of key exchange algorithms, and a list of supported compression methods.
Data Security2. Server chooses each one of the above items from
the suggested list of the client. It also sends its certificate.
3. Client needs to authenticate the certificate. Issuing CA attaches a digital signature / Fingerprints to it. Two methods are used to provide extra security. Also, it verifies the domain name in the certificate with that of server.
4. Client sends key to server.5. If required, server may authenticate the client.6. Both client and server exchanges session-keys.
Data Security
7. Both sides confirm this arrangements and start secure-communication.
# If user A wants to send an encrypted message to user B, the plaintext is encrypted with the public key of _.
a) User A b) User B c) The network d) (a) or (b)
Data SecurityFirewallsFirewalls‘Machines are at risk when they are not actively
doing anything’‘Risk comes from malicious attacks disrupting
activities, causing harm’‘Challenge is to prevent attacks from being
successful’‘All internet traffic has to pass through special
machine(s) – Firewall’
Data Security‘It examines passing traffic to look for possible
threats’‘The challenge is to identify the threats’IP – layer 3, TCP – layer 4IP packet contains data, source and destination
addresses, layer 4 protocol (TCP / UDP) using it.
Server is identified by IP address and the specific service by port number
Data SecurityTelnet – Port 23, FTP - Port 21, SMTP - Port 25 Some approaches:Packet Filtering:‘Examine the header of each packet and decide’Decision may base on:
- Address field- port number- transport protocol represented
Data SecurityExample decisions:- Allow any incoming packet with TCP port
designation of 23 (allowing remote login to any machine)
- Allow any incoming packet with TCP port designation of 23 with destination address found in a maintained list. Implication?
- Allow any outgoing packet with destination address found in a maintained list. Implication?
Data SecurityThe above specifies criteria to allow packets.=> Blocks unless otherwise specified (default)Alternative: Allows unless otherwise specified
(default)- Block any incoming packet with TCP port
designation of 23. Implication?- Block any incoming packet with source
address found in a maintained list. Implication?
Data Security- Block any incoming packet with destination
address found in a maintained list. Implication?
- Block any outgoing packet with source and destination addresses found in a maintained list. Implication?
Better ‘default’ approach? Block packet – nothing will pass unless explicitly stated,
Ensures more security.
Data SecurityApplication Level Gateway:Packet filtering works at layer 3, making decision on
packet contents, inflexible on an action within an application.
Gateway provides that flexibility, works at a higher layer.
‘Allow for file transfer – download files but not upload’
‘More logic into a firewall that understands the applications and their abilities – called proxy server’
Data Security
‘Special programs for each type of application it needs to watch.’
‘It examines application layer requests and allows (denies) based on the information provided to the firewall’
‘A gateway program for each application’- Main advantage: flexibility- Significant overhead
Data SecurityStateful Inspection:‘Works at the network layer and avoids
overhead’‘It examines the contents of a packet in the
context of what has happened previously’Example: a ‘ping’ command response indicates
that a device is reachable and the time needed for a round-trip’
=> Command sends an echo request and site responds with echo response
Data Security
Stateful inspection ensures that a response packet is not allowed unless there was a previous request.
Also the source and the destination should reverse in these two events. (security against denial-of-service attack)
Data SecurityVirusesViruses‘A collection of instructions attached to an
executable file that does something not intended originally’
Virus attachment to a file -> infected fileWorms usually appear as a separate program,
intruding a system, threatening security.‘Infected file contains a branch instruction to
unintended tasks, and branches to some point of the original code’ - diagram
Data Security‘User may not be aware of the virus unless it
causes a major distraction’‘Worst viruses avoid massive, immediate
destruction, rather making small, unnoticeable changes over time’
‘As such, even back-ups may be infected’‘Virus may probe file system looking for
executable files on disk, if found, it duplicates itself and stores a copy in the file’
Data Security
Memory Resident viruses:‘Resides in memory, attacks a file when it enters
the memory’It needs to be referenced to be executed. It may use the interrupt mechanism to do so.‘Modifies the Interrupt table with vectors
pointing to the virus instead’
Data Security
Early Antivirus programs worked by looking for signature – a sequence of bytes contained in the virus- at the beginning and end of file.
Signatures were encrypted and the decryption algorithm was added to virus.
Antivirus programs looked for byte patterns of decryption algorithm, examined decrypted result and look for signatures – proved quite successful
Data SecurityVirus Sources:Virus Sources:‘Individuals trying to invade a system’‘It spreads by sharing resources – through
removable disks, networks’‘Prevention is the best approach’Internet worm:Internet worm:‘Replicates quickly throughout internet, clogging
communications, forcing system shut down’
Data Security
One approach taken by the worm:‘Used an utility program that allows one user to
obtain information of other user’‘A flaw that did not check for buffer-overflow
was exploited’‘The worm was able to overflow the buffer and
overwrote part of the system stack’‘The original return address was lost, pointing to
some instructions in the buffer’
Data Security
‘This enabled it to copy itself and infect new machines’
Data Security# # Mono- alphabetic cipher has no real value
where serious security is needed. T/F# # Public key encryption allows different people
to use the same encryption key even when they are not supposed to know what another person is sending. T/F
## Any block cipher that encrypts a block at a time is essentially a substitution cipher, replacing one block with another. T/F
Data Security## An encryption method that uses longer key is
more secure than one that uses a shorter key. T/F
# # The most serious viruses destroy a lot of data very quickly. T/F
## Firewalls are commonly used to protect a network against incoming viruses. T/F
Data Security
## A _ can forward or block packets based on the information in the network and transport layer headers.
a) Proxy Firewall b) Packet filter firewallc) Message Digest d) Private key
# # A _ can forward or block packets based on the information in the message itself.
a) Proxy Firewall b) Packet filter firewallc) Message Digest d) Private key