7: Network Security 1
Chapter 7: Network security
Foundations:
• what is security?
• cryptography
• authentication
• message integrity
• key distribution and certification
Security in practice:
• application layer: secure e-mail
• transport layer: Internet commerce, SSL, SET
• network layer: IP security
7: Network Security 2
Friends and enemies: Alice, Bob, Trudy
[Figure 7.1: Alice (secure sender) and Bob (secure receiver) exchange data and control messages over a channel; Trudy sits on the channel]
• well-known in network security world
• Bob, Alice (lovers!) want to communicate "securely"
• Trudy, the "intruder", may intercept, delete, add messages
7: Network Security 3
What is network security?
Secrecy: only sender, intended receiver should "understand" msg contents
• sender encrypts msg
• receiver decrypts msg
Authentication: sender, receiver want to confirm identity of each other
Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection
7: Network Security 4
Internet security threats
Packet sniffing:
• broadcast media
• promiscuous NIC reads all packets passing by
• can read all unencrypted data (e.g. passwords)
• e.g.: C sniffs B's packets
[Figure: hosts A, B and C share a broadcast medium; C reads the packet src:B dest:A payload that B sends to A]
7: Network Security 5
Internet security threats
IP Spoofing:
• can generate "raw" IP packets directly from application, putting any value into IP source address field
• receiver can't tell if source is spoofed
• e.g.: C pretends to be B
[Figure: C sends a packet src:B dest:A payload, so A believes it came from B]
7: Network Security 6
Internet security threats
Denial of service (DOS):
• flood of maliciously generated packets "swamp" receiver
• Distributed DOS (DDOS): multiple coordinated sources swamp receiver
• e.g., C and remote host SYN-attack A
[Figure: C and a remote host each send a stream of SYN packets at A]
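The three threats above (sniffing, spoofing, SYN flooding) leave traces a defender can count. The following added example, which is not part of the lecture slides, runs a simple half-open-connection detector over a constructed packet log: it pairs each SYN from a source with the ACK that completes the three-way handshake, and reports destinations with many handshakes that never complete, which is what a SYN flood from spoofed or non-responding sources looks like. The log format (time, src, dst, TCP flags) and the threshold are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not a real capture): one packet per line,
# "time src dst flags", with S = SYN, SA = SYN/ACK, A = ACK.
SAMPLE_LOG = """\
1.00 10.0.0.7 10.0.0.1 S
1.01 10.0.0.1 10.0.0.7 SA
1.02 10.0.0.7 10.0.0.1 A
1.50 10.0.0.8 10.0.0.2 S
1.51 10.0.0.2 10.0.0.8 SA
1.52 10.0.0.8 10.0.0.2 A
2.00 198.51.100.9 10.0.0.1 S
2.00 198.51.100.10 10.0.0.1 S
2.00 198.51.100.11 10.0.0.1 S
2.01 198.51.100.12 10.0.0.1 S
2.01 198.51.100.13 10.0.0.1 S
2.01 198.51.100.14 10.0.0.1 S
2.02 10.0.0.1 198.51.100.9 SA
2.02 10.0.0.1 198.51.100.10 SA
2.02 10.0.0.1 198.51.100.11 SA
"""


@dataclass
class Packet:
    t: float
    src: str
    dst: str
    flags: str


def parse(log: str) -> list[Packet]:
    """Parse the assumed 'time src dst flags' line format."""
    pkts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        t, src, dst, flags = line.split()
        pkts.append(Packet(float(t), src, dst, flags))
    return pkts


def half_open_by_dst(pkts: list[Packet]) -> dict[str, set[str]]:
    """Map each destination to the sources whose SYN was never followed by
    the handshake-completing ACK from that same source."""
    pending: set[tuple[str, str]] = set()   # (src, dst) with an unfinished handshake
    for p in pkts:
        key = (p.src, p.dst)
        if p.flags == "S":
            pending.add(key)
        elif p.flags == "A" and key in pending:
            pending.discard(key)            # third message: connection established
        # Simplification: an ACK on an unrelated established flow between the
        # same pair would also clear the entry; a real tool keys on ports too.
    result: dict[str, set[str]] = defaultdict(set)
    for src, dst in pending:
        result[dst].add(src)
    return dict(result)


def flag_syn_floods(pkts: list[Packet], threshold: int = 5) -> dict[str, int]:
    """Destinations with at least `threshold` distinct half-open sources.
    Many never-completing sources in a short span is the SYN-flood signature;
    the sources not answering the SYN/ACK is also consistent with spoofing."""
    return {dst: len(srcs)
            for dst, srcs in half_open_by_dst(pkts).items()
            if len(srcs) >= threshold}


if __name__ == "__main__":
    packets = parse(SAMPLE_LOG)
    print(flag_syn_floods(packets))   # {'10.0.0.1': 6}
```

The threshold and the absence of a time window are deliberate simplifications: a production detector would expire pending entries after the SYN/ACK retransmission timeout and rate the count per second, so that ordinary clients that simply went away are not counted as attackers.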
7: Network Security 7
The language of cryptography
[Figure 7.3: Alice's plaintext enters the encryption algorithm with key K_A; the ciphertext crosses the channel, where Trudy listens; Bob's decryption algorithm with key K_B recovers the plaintext]
symmetric key crypto: sender, receiver keys identical
public-key crypto: encrypt key public, decrypt key secret
7: Network Security 8
Symmetric key cryptography
substitution cipher: substituting one thing for another
• monoalphabetic cipher: substitute one letter for another
plaintext:  abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq
E.g.:
Plaintext:  bob. i love you. alice
ciphertext: nkn. s gktc wky. mgsbc
Q: How hard to break this simple cipher?
• brute force (how hard?)
• other?
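The following added example (not part of the lecture slides) implements the monoalphabetic cipher with the key from the slide, checks the slide's worked example, and answers both halves of the question: the key space is 26! permutations, far too many to try one by one, yet the cipher preserves the letter-frequency profile of the plaintext, which is the "other" weakness that frequency analysis exploits. The function names are this example's own.

```python
import math
import string
from collections import Counter

# Key from the slide: plaintext alphabet -> ciphertext alphabet.
PLAIN = string.ascii_lowercase
CIPHER = "mnbvcxzasdfghjklpoiuytrewq"
assert sorted(CIPHER) == list(PLAIN)   # a valid key is a permutation of the alphabet

ENC_TABLE = str.maketrans(PLAIN, CIPHER)
DEC_TABLE = str.maketrans(CIPHER, PLAIN)


def encrypt(plaintext: str) -> str:
    """Substitute each lowercase letter; spaces and punctuation pass through."""
    return plaintext.translate(ENC_TABLE)


def decrypt(ciphertext: str) -> str:
    """Apply the inverse substitution."""
    return ciphertext.translate(DEC_TABLE)


def key_space() -> int:
    """Number of monoalphabetic keys: every permutation of 26 letters (26!)."""
    return math.factorial(26)


def letter_frequencies(text: str) -> list[tuple[str, int]]:
    """Letters of `text` with their counts, most frequent first (ties alphabetical)."""
    counts = Counter(ch for ch in text if ch in PLAIN)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def frequency_profile(text: str) -> list[int]:
    """Only the descending counts. A plaintext and its ciphertext have the same
    profile, because the cipher only relabels letters; this is what makes
    frequency analysis work on much longer messages."""
    return [n for _, n in letter_frequencies(text)]


if __name__ == "__main__":
    msg = "bob. i love you. alice"
    ct = encrypt(msg)
    print(ct)                                  # nkn. s gktc wky. mgsbc
    print(decrypt(ct) == msg)                  # True
    print(f"keys to brute-force: {key_space():.2e}")   # about 4.03e26
    print(letter_frequencies(ct))              # 'k' (the image of 'o') leads
```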
7: Network Security 9
Symmetric key crypto: DES
DES: Data Encryption Standard
• US encryption standard [NIST 1993]
• 56-bit symmetric key, 64 bit plaintext input
How secure is DES?
• DES Challenge: 56-bit-key-encrypted phrase ("Strong cryptography makes the world a safer place") decrypted (brute force) in 4 months
• no known "backdoor" decryption approach
making DES more secure
• use three keys sequentially (3-DES) on each datum
• use cipher-block chaining
7: Network Security 10
Symmetric key crypto: DES
DES operation
[Figure: 64-bit input and 56-bit key; the initial permutation splits the input into halves L1, R1; round i applies f(L_i, R_i, K_i) with a 48-bit round key K_i; after 16 rounds the halves L17, R17 go through the final permutation to give the 64-bit output]
• initial permutation
• 16 identical "rounds" of function application, each using different 48 bits of key
• final permutation
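The round structure on this slide and the two hardening measures on the previous one (three keys in sequence, cipher-block chaining) can be seen working in the following added example, which is not part of the lecture slides and is not DES itself. It builds a 64-bit-block, 16-round Feistel cipher with a toy round function (SHA-256 truncated to 32 bits) and a hypothetical key schedule in place of DES's expansion, S-boxes and key-bit selection. What it demonstrates is independent of those details: a Feistel network is decrypted by running the same rounds with the round keys in reverse order, whatever the round function is; encrypt-decrypt-encrypt with three keys chains the single cipher; and CBC mode hides the repeated plaintext blocks that ECB mode exposes. The PKCS#7-style padding and the fixed IV are assumptions of the example, not something the slides specify.

```python
import hashlib

BLOCK = 8            # 64-bit block, as in DES
HALF = BLOCK // 2
ROUNDS = 16          # DES also uses 16 rounds


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_keys(key: bytes) -> list[bytes]:
    """Hypothetical key schedule: 16 round keys derived by hashing (DES instead
    selects 48 of the 56 key bits for each round)."""
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(ROUNDS)]


def f(right: bytes, k: bytes) -> bytes:
    """Toy round function. It is never inverted, which is the point of Feistel."""
    return hashlib.sha256(right + k).digest()[:HALF]


def feistel(block: bytes, keys: list[bytes]) -> bytes:
    """L_{i+1} = R_i, R_{i+1} = L_i XOR f(R_i, K_i); final swap makes the
    routine its own inverse when the keys are reversed."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for k in keys:
        left, right = right, xor(left, f(right, k))
    return right + left


def encrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, round_keys(key))


def decrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, round_keys(key)[::-1])   # same rounds, reversed key order


def triple_encrypt(block: bytes, k1: bytes, k2: bytes, k3: bytes) -> bytes:
    """Three keys in sequence in the EDE form used by 3-DES."""
    return encrypt_block(decrypt_block(encrypt_block(block, k1), k2), k3)


def triple_decrypt(block: bytes, k1: bytes, k2: bytes, k3: bytes) -> bytes:
    return decrypt_block(encrypt_block(decrypt_block(block, k3), k2), k1)


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(data: bytes, key: bytes) -> bytes:
    """Each block encrypted independently: equal plaintext blocks -> equal ciphertext blocks."""
    data = pad(data)
    return b"".join(encrypt_block(data[i:i + BLOCK], key) for i in range(0, len(data), BLOCK))


def cbc_encrypt(data: bytes, key: bytes, iv: bytes) -> bytes:
    """Cipher-block chaining: each block is XORed with the previous ciphertext block first."""
    data, out, prev = pad(data), [], iv
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(xor(data[i:i + BLOCK], prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(xor(decrypt_block(c, key), prev))
        prev = c
    return unpad(b"".join(out))


def distinct_blocks(ct: bytes) -> int:
    return len({ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)})


if __name__ == "__main__":
    key, iv = b"k1k1k1k1", bytes(range(BLOCK))
    repeated = b"A" * 32                     # four identical plaintext blocks
    print(distinct_blocks(ecb_encrypt(repeated, key)))      # 2: data block + padding block
    print(distinct_blocks(cbc_encrypt(repeated, key, iv)))  # 5: every block differs
    print(cbc_decrypt(cbc_encrypt(b"hello", key, iv), key, iv))
```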