Network Security - PowerPoint PPT Presentation

Slides: 110
Provided by: Bou142
1
Network Security
Refik MOLVA, Institut Eurécom, B.P. 193, 06904 Sophia Antipolis Cedex, France
Refik.Molva_at_eurecom.fr
© Institut Eurecom 2002
2
Outline
THEORY
1. Symmetric Cryptography
2. Asymmetric Cryptography
3. Hash Functions and Integrity
4. Authentication
5. Key Management
APPLICATIONS
6. Internet Security Using Firewalls
7. Internet Security with Cryptographic Mechanisms
9. Multicast Security
3
Security Services
7498-2 ISO standard defines
  • security services and mechanisms in the context of OSI
  • function placement in OSI layers
does not cover the security of standalone systems.
  • authentication
  • access control
  • confidentiality
  • integrity
  • non-repudiation
4
Services vs. Layers
1. Application Layer Security
  • finest granularity (user and program verification)
  • end-to-end security
  • non-transparent to applications
2. Transport Layer
  • medium level granularity (end-users are not visible)
  • end-to-end security
  • transparent to applications
3. Network Layer
  • low granularity
  • no end-to-end security (hop-by-hop security relies on intermediate systems)
  • transparent to applications
4. Physical Layer
  • like network layer security, plus
  • ease of integration
  • limited functionality (hardware only)
5
Cryptography
The art of writing in or deciphering secret code by transforming the message content. It differs from steganography, which aims at hiding the message without transforming it.
Cryptology = Cryptography (encryption, decryption) + Cryptanalysis (code breaking)
Cryptography is the building block for most security mechanisms.
6
Symmetric Cryptography
  • secret-key based
[Diagram: plaintext P is encrypted by E under key K into ciphertext C, which D decrypts back to P under the same key K]
  • The same key is required both for encryption and decryption
  • Secrecy of K is essential → requirement for secret key management using an on-line trusted third party (TTP)
  • K must be shared by at least two parties → no signature

7
DES
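[Diagram: E (encryption) takes a 64-bit input through IP, the rounds R1, R2, ..., R15, R16 with sub-keys k1, k2, ..., k15, k16, and IP-1 to a 64-bit output; D (decryption) uses the same structure with the sub-keys in the order k16, k15, ..., k2, k1]
  • IP: initial permutation, $IP^{-1}(IP(x)) = x$
  • Ri: key-dependent functions
  • ki: 16 sub-keys (48 bits) (key schedule), result of shift and select operations on 56-bit K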
8
Advanced Encryption Standard (AES)
  • Rijndael - Winner of an extensive selection
    process
  • New encryption standard (FIPS 197), replacement for DES, May 26, 2002
  • Triple DES is still a valid standard (FIPS 46-3)
  • Key size: 128, 192, or 256 bits
  • 10, 12 or 14 rounds, depending on the key size.
  • byte-oriented cipher operations in each round
  • Round function:
  • 8x8 S-box applied to each byte
  • rows of the array shifted
  • columns of the array mixed
  • subkey bytes XORed into each byte of the array
  • column mixing is omitted in the last round.

9
AES-Rijndael Performance
  • If a machine could recover a DES key in a second, it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old.
  • Key setup time:
  • 200 keys/msec in 32-bit C / Apple G4 PowerPC
  • Encryption speed:
  • 52 Mbits/s in 32-bit C / Apple PowerPC
  • 4.8 Mbits/s in Java / Intel Pentium Pro 200

10
Asymmetric Cryptography
  • public-key cryptography
[Diagram: plaintext P is encrypted by E into ciphertext C and decrypted by D back to P, with a different key of the pair (K, K') on each side]
  • Different keys for encryption and decryption
  • Each user has a secret key (K) and a public key (K')
  • No shared secret between the origin and the recipient
    → no need to manage secret keys, but the integrity of K' must be assured with an off-line trusted third party (TTP)
    → digital signature is possible

11
Asymmetric Cryptography
  • each user U has a secret key KSU and a public key KPU
  • everybody can access KPU (public database)
  • only U knows KSU
[Diagram: a public database lists (Name A, Key KPa), (Name B, Key KPb), (Name C, Key KPc); senders look up (A, KPa) and send $E_{KPa}$(message) to A, who holds KSa]
  • $D_{KSu}(E_{KPu}(X)) = X$ and $E_{KPu}(D_{KSu}(X)) = X$
12
Asymmetric Cryptography
Public-key algorithms are based on one-way functions.
One-way functions (OWF): $f: X \to Y$ is one-way if $f(x)$ is easy to compute for all $x$ in $X$ but for essentially all $y$ in $\mathrm{Im}(f)$ it is computationally infeasible to find $x$ in $X$ such that $f(x) = y$.
[Diagram: $f$ maps $x$ in $X$ to $y = f(x)$; $f^{-1}$ is the reverse direction]
Example: discrete exponential (Diffie-Hellman): $f(x) = a^x \bmod n$, $y = f(x)$, $f^{-1}(y) = \log_a y$
13
Trapdoor OWF
f is a trapdoor one-way function if f is a OWF with the additional property that, given some extra information called the trapdoor, it becomes easy to compute the reverse of f (x such that $f(x) = y$).
Example: $f(x) = x^5 \bmod n$, $n = pq$, p and q are large primes. f is a OWF (it is infeasible to compute $f^{-1}$), but if p and q are known $f^{-1}$ becomes easy to compute (cf. RSA).
No proof of existence for OWF. Security of public-key schemes is based on OWF → no proof of security for public-key schemes.
14
The DIFFIE-HELLMAN Algorithm
  • pioneer of public key algorithms
  • A and B set a shared secret ($a^{xy} \bmod p$) without exchanging secret information.
  • $a^{xy} \bmod p$ can be used as a secret key with a symmetrical algorithm to encrypt data.
  • relies on the difficulty of computing discrete log.
15
RSA
  • message structured in n-bit blocks
  • for each block P of cleartext:
  • encryption: $C = P^e \bmod r$
  • decryption: $P = C^d \bmod r$
  • main property (non-trivial): $(x^e)^d \equiv (x^d)^e \equiv x \pmod r$ → security relies on the choice of r, e and d
16
RSA - Principle
1. pick two very large (100 digits) prime numbers p, q
2. compute $r = pq$
3. compute $\Phi(r) = (p-1)(q-1)$
4. pick e, a small number relatively prime to $\Phi(r)$, $e < \Phi(r)$
5. compute d such that $d \cdot e \equiv 1 \pmod{\Phi(r)}$
Why $(x^e)^d \equiv (x^d)^e \equiv x \pmod r$?
Euler's Theorem: $a^{\Phi(r)} \equiv 1 \pmod r$ → $a^{m \cdot \Phi(r) + 1} \equiv a \pmod r$
from 5.: $d \cdot e = e \cdot d = m \cdot \Phi(r) + 1$, so $(x^e)^d \equiv (x^d)^e \equiv x \pmod r$
Note: m must be invertible; the property can be demonstrated with general m using Chinese Remaindering.
17
RSA - Example
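1. p = 17, q = 13
2. r = 221
3. $\Phi(r) = (p-1)(q-1) = 192$
4. e = 11
5. d = 35, $d \cdot e \equiv 1 \pmod{192}$
[Diagram: E with e = 11 maps P = 123 to $C = 123^{11} \bmod 221 = 115$; D with d = 35 maps C = 115 back to $P = 115^{35} \bmod 221 = 123$]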
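The numbers of this example can be checked mechanically. The Python sketch below is an added example, not part of the original slides: it derives d from e and Φ(r) with the extended Euclidean algorithm, runs the P = 123 round trip, and confirms the note on the previous slide that the property also holds for values that are not invertible modulo r. The function names are illustrative.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclid: return (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def rsa_keypair(p, q, e):
    """Steps 2, 3 and 5 of the slide: return (r, phi, d) for the chosen e."""
    r = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(r)")
    _, s, _ = egcd(e, phi)      # s*e + t*phi == 1, so s is the inverse of e
    return r, phi, s % phi


def encrypt(P, e, r):
    return pow(P, e, r)         # C = P^e mod r


def decrypt(C, d, r):
    return pow(C, d, r)         # P = C^d mod r


def non_invertible(r):
    """Values x in [0, r-1] that share a factor with r (Euler does not apply)."""
    return [x for x in range(r) if gcd(x, r) != 1]


def roundtrip_failures(e, d, r):
    """Every x in [0, r-1] for which (x^e)^d mod r differs from x."""
    return [x for x in range(r) if pow(pow(x, e, r), d, r) != x]


if __name__ == "__main__":
    r, phi, d = rsa_keypair(17, 13, 11)
    C = encrypt(123, 11, r)
    print("r =", r, "phi =", phi, "d =", d)
    print("C =", C, "P =", decrypt(C, d, r))
    print("non-invertible values:", len(non_invertible(r)),
          "round-trip failures:", roundtrip_failures(11, d, r))
```

The 29 non-invertible values are the multiples of 13 or 17 below 221; they still round-trip because r is a product of two distinct primes, which is the Chinese Remaindering argument the note refers to.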
18
RSA
  • security rests on the difficulty of factoring r (512 bits, 154 digits) into p and q
  • best known factoring algorithm: 1 M years
  • 512-bit chips
  • 1000 times slower than DES in hardware
  • 100 times slower than DES in software
19
El Gamal Public Key Encryption
p is prime, x and y in $Z_{p-1}$, a is a generator in $Z_p$. $b = a^y \bmod p$. $KP_B = (p, a, b)$ is the public key. $KS_B = y$ is the secret key.
  • DH key agreement in encryption
Known by A: x (random), $a^{xy} \bmod p$
Known by B: y, $a^y \bmod p$
Public key: $(p, a, a^y \bmod p)$
m1: DH key agreement; m2: encrypted message
Encryption: $m_1 = a^x \bmod p$, $m_2 = m \cdot a^{xy} \bmod p$
Decryption: $m_1 \Rightarrow a^{xy} \bmod p$; $m = m_2 \cdot (m_1^y)^{-1} \bmod p = m \cdot a^{xy} \cdot ((a^x)^y)^{-1} \bmod p$
20
Symmetric vs. Asymmetric Cryptography
Symmetric Cryptography
  • secret key shared by (at least) two parties
Pros
  • key is short (64-128 bits)
  • fast encryption/decryption
  • extensive history
  • perfect secrecy exists
Cons
  • key distribution (by on-line TTP) is mandatory
  • no signature (possible only with additional means)
Asymmetric Cryptography
  • one private key, one public key per party
Pros
  • no requirement for secret key distribution
  • digital signature is possible
Cons
  • key is long (> 512 bits)
  • computationally intensive
  • security relies on the difficulty of number-theoretic problems, no perfect secrecy
21
Symmetric vs. Asymmetric Cryptography Summary
Use Asymmetric Cryptography for
  • key distribution (for symmetric keys)
  • digital signature
Use Symmetric Cryptography for
  • bulk data encryption
  • data integrity
22
Plaintext
23
DES-ECB Encryption
24
DES-CBC Encryption
25
CBC Mode
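Cipher Block Chaining, 64-bit blocks
[Diagram: encryption XORs each 64-bit plaintext block $P_n$ with the previous ciphertext block $C_{n-1}$ and encrypts the result with E under K to give $C_n$; decryption applies D under K to $C_n$ and XORs the result with $C_{n-1}$ to recover $P_n$]
  • $C_i = E_K(P_i \oplus C_{i-1})$
  • $C_0 = E_K(P_0 \oplus IV)$, IV (Initialization Vector) transmitted in cleartext
  • $P_i = D_K(C_i) \oplus C_{i-1}$
  • chaining effect: $C_i$ depends on all the $P_j$ with $j \le i$
  • last block of C depends on all the plaintext blocks
  • converts DES into a stream cipher
  • 1 E/D operation per 64 bits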
26
CBC- Error propagation
  • Decryption of $P_i$ requires $C_i$ and $C_{i-1}$
  • Error extension:
  • error in block $C_i$ or loss of complete block $C_i$: only $P_i$ and $P_{i+1}$ are affected
  • subsequent blocks are not affected (self-synchronization)
  • new vulnerability: controlled modification by the intruder
  • a transmission error on bit i of block $C_j$ results in loss of $P_j$ and complementing of bit i in $P_{j+1}$
  • no self-synchronization on bit slips: all subsequent blocks are lost
  • → requirement for framing and error control on C
  • Relationship between Error Control and CBC Encryption
[Diagram: placement of the error control function relative to E on the sending side and D on the receiving side]
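The error-extension behaviour listed above can be reproduced directly. The following Python sketch is an added example, not part of the original slides; because the standard library has no DES, it assumes a toy 64-bit Feistel cipher built on SHA-256 as a stand-in for E and D, and the key, IV and plaintext are constructed sample values.

```python
import hashlib

BLOCK = 8  # bytes per block: 64 bits, as with DES


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Round function of the toy Feistel cipher (assumption: stand-in for DES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def E(key, block):
    left, right = block[:4], block[4:]
    for rnd in range(8):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right


def D(key, block):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(8)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cbc_encrypt(key, iv, plaintext):
    if len(plaintext) % BLOCK:
        raise ValueError("pad the plaintext to a multiple of 8 bytes first")
    prev, out = iv, []
    for p in blocks(plaintext):
        prev = E(key, xor(p, prev))          # C_i = E_K(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    prev, out = iv, []
    for c in blocks(ciphertext):
        out.append(xor(D(key, c), prev))     # P_i = D_K(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)


def flip_bit(ciphertext, j, i):
    """Complement bit i (0 = most significant) of ciphertext block j."""
    buf = bytearray(ciphertext)
    buf[j * BLOCK + i // 8] ^= 0x80 >> (i % 8)
    return bytes(buf)


KEY = b"constructed key"                      # constructed sample values
IV = bytes(range(BLOCK))
PLAINTEXT = b"BLOCK-00BLOCK-01BLOCK-02BLOCK-03BLOCK-04"


def bit_error_demo(j=1, i=3):
    """Map each damaged plaintext block number to its XOR difference."""
    damaged = cbc_decrypt(KEY, IV, flip_bit(cbc_encrypt(KEY, IV, PLAINTEXT), j, i))
    pairs = zip(blocks(PLAINTEXT), blocks(damaged))
    return {n: xor(a, b) for n, (a, b) in enumerate(pairs) if a != b}


def block_loss_demo(j=1):
    """Plaintext blocks recovered when ciphertext block j never arrives."""
    received = blocks(cbc_encrypt(KEY, IV, PLAINTEXT))
    del received[j]
    return blocks(cbc_decrypt(KEY, IV, b"".join(received)))


if __name__ == "__main__":
    for n, diff in bit_error_demo().items():
        print("block", n, "difference", diff.hex())
    print(block_loss_demo())
```

Block j comes out garbled while block j+1 differs in exactly the flipped bit, so decryption alone gives the receiver no sign that C was modified; that is the case the slide's requirement for error control on C addresses.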
27
CFB Mode
Cipher Feedback; n: variable block size for C and P, $n \le 64$
[Diagram: on both sides a 64-bit shift register is encrypted with E under K, the n left bits of the 64-bit output are selected and XORed with the n-bit P (sender) or C (receiver); the n-bit C is fed into the shift register]
  • 1 E/D operation / n bits
  • $s_0$: initial value of the register, transmitted in cleartext
28
OFB Mode
Output Feedback, variable quantum size ($n \le 64$)
[Diagram: on both sides a 64-bit shift register is encrypted with E under K, the n left bits of the 64-bit output are selected, fed back into the shift register and XORed with the n-bit P (sender) or C (receiver)]
  • 1 E/D operation per n bits
  • $s_0$: initial value of the register, transmitted in cleartext
  • $s_0$ must be different for each new message
  • stream cipher: one-time pad with pseudo-random number generation
30
Hash Functions
[Diagram: message (arbitrary length) → h → message digest, fixed length ($n \ge 128$ bits)]
Main purpose: Modification Detection Codes (MDC), Manipulation Detection Codes or Message Integrity Check (MIC)
Objective: data integrity with additional security means
  • h(m) serves as a representative of message m
  • if m changes, h(m) changes with high probability
Security properties:
  • one-way: given y, finding x such that $h(x) = y$ is difficult.
  • collision resistance: it is difficult to find $x \ne x'$ such that $h(x) = h(x')$.
31
General Model for Building Hash Functions
[Diagram: iterated hash function H: starting from H0, the function f combines the current value with the next fixed-length input to give H1, and so on, until $H_n = h(x)$]
Additional input preprocessing by adding padding and a length block
32
Message Authentication Codes
  • Encryption of MAC
  • $MAC = E_K(h(M))$ with DES or RSA
  • Keyed hashing
  • $MAC = h(K_1, M, K_2)$
  • Examples from Internet:
  • Keyed MD5 (RFC 1828, 08/1995)
  • HMAC (RFC 2104, 02/1997)
$HMAC(K, text) = H(K \oplus pad_1, H(K \oplus pad_2, text))$
33
Data integrity
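[Diagram: three ways to protect data integrity, with MDC = unkeyed hash: (1) a MAC function keyed with K produces a MAC that travels with the message over an unsecured channel; (2) an MDC function produces an MDC that is encrypted with E under K and travels with the message over an unsecured channel; (3) an MDC function produces an MDC that is sent over a secured channel while the message travels over an unsecured channel]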
35
Authentication Protocols (1/2)
  • Secret function of a predictable item
[Diagram: a single message between A and B carrying $h_K$(time stamp or counter)]
  • Synchronization requirement
  • synchronized clocks → very difficult with distributed systems
  • how to secure a global time service?
  • counters → losses
  • how to secure re-synchronization?
  • Protocol requires only 1 message

36
Authentication Protocols (2/2)
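  • Secret function of an unpredictable item (nonce: random number used only once)
[Diagram: one party sends the nonce N, the other answers with $h_K(N)$]
  • No need for synchronization
  • 2 messages
  • Mutual authentication
[Diagram: mutual authentication between A and B in three messages: $N_a$; then $h_K(N_a), N_b$; then $h_K(N_b)$]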
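The HMAC formula from the Message Authentication Codes slide and the nonce-based mutual authentication above fit together in one sketch. The Python code below is an added example, not part of the original slides; it assumes pad1 and pad2 are the RFC 2104 constants 0x5C and 0x36, uses SHA-256 as H, and the `Party` class and its method names are illustrative.

```python
import hashlib
import hmac
import secrets


def hmac_from_formula(key, text, hash_name="sha256"):
    """HMAC(K, text) = H(K xor pad1, H(K xor pad2, text)), commas = concatenation."""
    def H(data):
        return hashlib.new(hash_name, data).digest()

    block = hashlib.new(hash_name).block_size
    if len(key) > block:              # RFC 2104: over-long keys are hashed first
        key = H(key)
    key = key.ljust(block, b"\x00")   # then padded with zeros to the block size
    k_pad1 = bytes(b ^ 0x5C for b in key)   # assumption: pad1 is the outer pad
    k_pad2 = bytes(b ^ 0x36 for b in key)   # assumption: pad2 is the inner pad
    return H(k_pad1 + H(k_pad2 + text))


class Party:
    """One side of the protocol; h_K is the keyed hash above."""

    def __init__(self, key):
        self.key = key
        self._pending = None          # nonce we issued and still expect back

    def challenge(self):
        self._pending = secrets.token_bytes(16)   # fresh, unpredictable nonce
        return self._pending

    def respond(self, nonce):
        return hmac_from_formula(self.key, nonce)

    def check(self, response):
        nonce, self._pending = self._pending, None   # each nonce is used once
        if nonce is None:
            return False
        expected = hmac_from_formula(self.key, nonce)
        return hmac.compare_digest(expected, response)


def mutual_authentication(a, b):
    na = a.challenge()                            # message 1, A -> B: Na
    resp_b, nb = b.respond(na), b.challenge()     # message 2, B -> A: hK(Na), Nb
    if not a.check(resp_b):
        return False
    resp_a = a.respond(nb)                        # message 3, A -> B: hK(Nb)
    return b.check(resp_a)


if __name__ == "__main__":
    k = b"constructed shared key"                 # constructed sample key
    print(mutual_authentication(Party(k), Party(k)))           # same key
    print(mutual_authentication(Party(k), Party(b"other")))    # key mismatch
```

Because `check` consumes the pending nonce, a response recorded in one run is rejected when replayed against a later challenge.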
37
S/key
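One-time password authentication technique based on a secure hash function.
K is secret; h is a public one-way hash function: it is computationally infeasible to derive $h^{i-1}(K)$ from $h^i(K)$.
[Diagram: the user knows K; the authentication server stores $SK_u = h^n(K)$. First login: the user sends $M = h^{n-1}(K)$, the server accepts if $h(M) = SK_u$ and sets $SK_u \leftarrow M$. Next login: the user sends $M = h^{n-2}(K)$, the server accepts if $h(M) = SK_u$ and sets $SK_u \leftarrow M$, and so on.]
Only the user who knows K can generate the $h^i(K)$ values in the reverse order $h^n(K), h^{n-1}(K), h^{n-2}(K), \ldots, h(K)$.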
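The server and user sides of this scheme are small enough to write out. The Python sketch below is an added example, not part of the original slides and not the S/Key reference implementation; it assumes SHA-256 as h, and the class and method names are illustrative.

```python
import hashlib
import hmac


def h(x):
    """Public one-way hash function (assumption: SHA-256)."""
    return hashlib.sha256(x).digest()


def h_iter(K, i):
    """Return h^i(K), the hash applied i times to K."""
    value = K
    for _ in range(i):
        value = h(value)
    return value


class AuthServer:
    """Stores only SKu, never K."""

    def __init__(self, initial_value):
        self.sku = initial_value             # SKu = h^n(K), set at enrolment

    def login(self, M):
        if not hmac.compare_digest(h(M), self.sku):
            return False                     # reject: h(M) != SKu
        self.sku = M                         # accept, then SKu <- M
        return True


class User:
    """Knows K and walks the chain in reverse order."""

    def __init__(self, K, n):
        self.K, self.n, self.i = K, n, n

    def enrolment_value(self):
        return h_iter(self.K, self.n)        # h^n(K), handed to the server once

    def next_password(self):
        if self.i <= 1:
            # the slide's chain ends at h(K); K itself is never sent
            raise RuntimeError("chain exhausted, a new K or n is required")
        self.i -= 1
        return h_iter(self.K, self.i)        # h^(n-1)(K), h^(n-2)(K), ...


if __name__ == "__main__":
    user = User(b"constructed secret K", 5)  # constructed sample values
    server = AuthServer(user.enrolment_value())
    first = user.next_password()
    print("first login: ", server.login(first))
    print("replay:      ", server.login(first))
    print("second login:", server.login(user.next_password()))
```

A captured password is useless afterwards: the server has already moved SKu to that value, and producing the next accepted password would require inverting h.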
38
Passive Devices
  • storage of non-secret verification value W in the device: W = OWF(S), S is a secret kept by the user
  • verification by a reader
  • authentication:
    - user enters secret value S
    - reader computes V = OWF(S)
    - reader compares V with W stored in the device
  • magnetic stripe cards
  • cards with a memory chip
39
Active Devices
  • Able to run cryptographic algorithms and strong authentication protocols
  • Eliminate the risk of exhaustive attacks and replay on the PIN
1. Personal computers
2. Tokens
3. Smart cards
Principle
  • PIN-based verification of the user by the personal device. PIN is not disclosed outside the protected area.
  • Personal device runs the authentication protocol on behalf of the user through untrusted environments. Strong authentication protocols resist attacks from hostile public environments.
40
Tokens
User: relay between (untrusted) public terminal and the personal token
  • cheap and easy to retrofit on existing systems
  • - ergonomics
41
Smart Cards
  • Communication between smart card and authentication server is transparent for the user
  • After the user verification, the smart card runs the strong authentication protocol
  • symmetrical (DES) or asymmetrical (RSA) algorithm
  • nonce-, time stamp-, or counter-based
  • The card can perform other services
  • data encryption
  • digital signature
  • message integrity
  • Advanced smart cards include
  • an operating system
  • a file system with access control
  • a Java virtual machine
  • the most secure and user-friendly
  • - cost of deployment, retrofitting a reader is required on each terminal

42
Digital Signature
Generation of A's signature on message M: $S = E_{KSa}(h(M))$
  • h is an unkeyed hash function (MD5, SHA-1, ...)
  • KSa is A's private RSA key
Verification of A's signature by any other party
  • compute h(M)
  • using A's public key KPa, check if $D_{KPa}(S) = h(M)$
44
Key Management
Most security mechanisms are based on cryptography.
Cryptography requires generation, distribution, storage, archival, deletion, ... of (secret and public) keys
45
Key Generation
Random number generation problem: a random bit generator can be used to generate random numbers. A random bit generator outputs a sequence of statistically independent and unbiased bits.
Solutions:
  • physical sources: biased, de-skewing is necessary, impractical
  • pseudorandom bit generators: based on a truly random binary sequence of length k, generate a sequence of length $l \gg k$ using a deterministic algorithm. The output sequence appears to be random. Among all possible outputs (if it were truly random) only a fraction $2^k/2^l$ can be generated. The goal is to expand the truly random "seed" to a longer pseudorandom sequence.
46
Pseudorandom Bit Generators (PRBG)
  • Security properties
  • resistance to statistical tests: the output of a pseudorandom bit generator should not be distinguishable from a truly random sequence of the same length by a polynomial-time algorithm.
  • resistance to next-bit test: the next bit of the output sequence cannot be predicted based on the bit sequence that is already generated using a polynomial-time algorithm.
  • the two conditions are equivalent
  • a PRBG that fulfills one of these properties is said to be cryptographically secure.
  • in addition, the k-bit seed must be large enough so that an exhaustive search over possible seeds is infeasible.
  • Ex.: linear congruence
  • $x_n = a x_{n-1} + b \bmod p$
  • is not secure because, given a partial output sequence, the remainder of the output bits can be predicted.

47
RSA-based Cryptographically Secure PRBG
$n = pq$ and e are defined as in the basic RSA algorithm.
Generation of an l-bit pseudorandom sequence:
1. pick a random integer $x_0$ in $[1, n-1]$ as the seed
2. For i from 1 to l do
2.1. $x_i = x_{i-1}^e \bmod n$
2.2. $z_i$ = the least significant bit of $x_i$
output sequence: $z_1, z_2, \ldots, z_l$
The security property (resistance to next-bit test) is proven based on the difficulty of factorization.
48
Practical Secure PRBGs
Use one-way hash functions.
  • random_number_n = h(sn), n = 0, 1, 2, ...; s is the secret seed.
  • predictable after re-initialization ⇒ the initialization must be randomized
  • (Kerberos) K = DES_K(universal time), R_n = DES_K(n), n = 0, 1, 2, ... ⇒ based on the secret key K
These PRBGs are not cryptographically secure because there is no proof of the PRBG security property, but they are sufficiently secure for most applications.
49
Key Distribution
  • Symmetrical cryptography
  • distribution of secret keys
  • key distribution must assure the
    confidentiality of secret keys
  • key distribution service must be on-line
  • Asymmetrical cryptography
  • distribution of public keys
  • key distribution must assure the integrity
    of public keys
  • key distribution service can be off-line

50
Distribution of Secret Keys
  • Problem: how to distribute a secret session key Kab to parties A and B who do not share a secret channel?
  • Complexity: a new session key is needed for each new session and per security function (authentication, data confidentiality, integrity)
  • Alternatives (n: number of parties)
  • Manual: complexity of initial key installation $O(n^2)$
  • Hybrid scheme ($O(n)$)
  • Algorithmic ($O(n)$)
  • Key server ($O(n)$)

51
Hybrid scheme
Use public-key cryptography to distribute secret
session keys. Use secret key (symmetrical)
cryptography for bulk data encryption.
52
Algorithmic Key Distribution
[Diagram: key agreement between A and B with public parameters g, p]
Perfect forward secrecy: breaking any long-term key (signature key) does not threaten the secrecy of past session keys (Kab).
No forward secrecy with the hybrid scheme.
53
Key distribution with a key server
  • Trust in key server
  • security of session keys
  • entity authentication

54
Key distribution with a key server
[Diagram: A (holding Ka) and B (holding Kb) obtain a session key from the Key Server, which holds Ka and Kb; message 1 carries A, B]
  • Kab: session key; Ka, Kb: terminal keys
  • Trust in key server
  • Kab is fresh and kept secret
  • B (resp. A) believes whoever proves knowledge of secret Kab is A (resp. B).
  • Key distribution must be strongly linked with authentication.

55
Public-key Integrity Problem
[Diagram: the problem, illustrated with parties A and X]
  • The integrity of public keys must be assured.
  • Solutions
  • Authentication trees
  • Public-key certification

56
Identity Certificate
  • Public Key certificate of entity A (key KPa) created by X
  • signed by trusted party X using secret key KSx
  • can be checked by using public key KPX
  • Prerequisite for verifying a certificate: KPX must be known and trusted.
  • identity certificates are required for all services implemented using public-key encryption (entity authentication, data origin authentication, data integrity, non-repudiation of origin, key distribution)
  • the security of these services entirely relies on the validity (integrity) of the certificate that includes the public key.
  • Contrary to a common belief, a certificate alone does not prove anything; it must be used together with a mechanism like an authentication protocol through which the owner of the public key demonstrates knowledge of the corresponding private key.

57
TTP Functions
  • Certification Authority (CA)
  • Registration Authority (RA)
  • Name Service
  • Certificate Directory
  • Key Generator

58
Certification Scenario
[Diagram: certification scenario between User, KG, RA, CA and Certificate Directory]
  • 1: key pair (key pair generated by user)
  • 2: identity validation, public-key (proof of knowledge of private key)
  • 3: name, public-key (integrity-protection, entity authentication)
  • 4: Certificate
59
Certificate Chains
Problem: A and B belong to domains managed by CA X and CA Y. No direct cross certificate exists between X and Y. But cross certificates exist from Y to Z and from Z to X.
[Diagram: Domain 1 (CAX), Domain 2 (CAY) and Domain 3 (CAZ)]
A gets KPZ by verifying CX(Z) using KPX that is trusted a priori. He gets KPY by verifying CZ(Y) using KPZ. He finally verifies B's public key in CY(B) using KPY.
60
Hierarchical Model
[Diagram: certification tree with Root at the top, authorities W, X, Y, Z below it and users A, B, C, D at the leaves; an arrow from U to V means U issues a certificate for V]
  • Alternative domain partitionings
  • single domain: all chains start at Root; all users trust a priori only KPRoot.
  • multiple domains: a chain between two domains starts from the closest common node; each user trusts a priori his closest authority and Root.
  • Drawbacks
  • certificate chains can be too long
  • lack of centralization in real life situations
62
Internet Security Directions
Cryptographic security: protect only sensitive resources using logical means
[Diagram: secure virtual channel using cryptography across the Internet, shown against the protocol stack: e-commerce; HTTP, SMTP, FTP, TELNET, DNS, SNMP, RIP, BGP; TCP/UDP, OSPF; IP; Data Link]
  • Pros
  • flexible (service type and security level)
  • end-to-end (application and user security)
  • no impact on global network
  • Cons
  • deployment (retrofitting in end-systems)
  • cost of migration (protocol impact)

63
Internet Security Directions
Domain Control: isolate the trusted network from the untrusted Internet by filtering traffic across the border
[Diagram: Intranet (trusted) - Filter - Internet (untrusted)]
  • Pros
  • no impact on the intranet components
  • no impact on application software and users
  • ease of deployment for company intranets
  • Cons
  • impediment to the global network concept
  • no end-to-end security
  • insufficient for e-commerce applications

64
Filtering Components
  • Traffic filtering based on (combination of)
  • packet filters
  • application gateways
  • circuit gateways

65
Packet Filters
  • Function integrated with packet forwarding
  • Principle
  • for each IP packet received from a local
    interface
  • check the packet against the set of access rules
  • forward, discard and/or log the packet according
    to the result of the rule-based verification
  • Access rules are based on (a selection of)
  • information of the TCP/IP header
  • - source and destination IP addresses
  • - source and destination port numbers
  • - protocol type (TCP/UDP)
  • - flags (ACK, SYN)
  • the identity of the incoming interface
  • direction of the packet (in/out)
  • implemented by
  • router (CISCO)
  • IP forwarding algorithm in a host (Linux)
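The rule-based verification described on this slide can be written as a first-match rule list. The Python sketch below is an added example, not part of the original slides and not the syntax of any router; the rule fields mirror the header fields listed above, the addresses come from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24, and all names are illustrative.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORT = range(0, 65536)
INTERNAL = "192.0.2.0/24"        # constructed: the protected local network


@dataclass(frozen=True)
class Packet:
    iface: str                   # interface the packet was received on
    direction: str               # "in" or "out" relative to the local network
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()


@dataclass(frozen=True)
class Rule:
    action: str                  # "forward" or "discard"
    iface: str = "*"
    direction: str = "*"
    proto: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: range = ANY_PORT
    dport: range = ANY_PORT
    flags: frozenset = frozenset()   # flags that must all be set
    log: bool = False

    def matches(self, p):
        return (self.iface in ("*", p.iface)
                and self.direction in ("*", p.direction)
                and self.proto in ("*", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and p.sport in self.sport
                and p.dport in self.dport
                and self.flags <= p.flags)


def filter_packet(rules, p):
    """Return (action, log) of the first matching rule; default is discard + log."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.log
    return "discard", True


RULES = [
    # A packet arriving on the external interface cannot have an internal source.
    Rule("discard", iface="ext", src=INTERNAL, log=True),
    # Local clients may open connections to web servers.
    Rule("forward", iface="int", direction="out", proto="tcp",
         src=INTERNAL, dport=range(80, 81)),
    # Replies only: inbound packets from port 80 must carry ACK.
    Rule("forward", iface="ext", direction="in", proto="tcp",
         sport=range(80, 81), dst=INTERNAL, dport=range(1024, 65536),
         flags=frozenset({"ACK"})),
]

# Constructed sample packets.
SYN_OUT = Packet("int", "out", "tcp", "192.0.2.10", 40000, "198.51.100.7", 80,
                 frozenset({"SYN"}))
REPLY = Packet("ext", "in", "tcp", "198.51.100.7", 80, "192.0.2.10", 40000,
               frozenset({"SYN", "ACK"}))
NEW_INBOUND = Packet("ext", "in", "tcp", "198.51.100.7", 80, "192.0.2.10", 6000,
                     frozenset({"SYN"}))
SPOOFED = Packet("ext", "in", "tcp", "192.0.2.99", 80, "192.0.2.10", 40000,
                 frozenset({"ACK"}))

if __name__ == "__main__":
    for name, pkt in [("SYN_OUT", SYN_OUT), ("REPLY", REPLY),
                      ("NEW_INBOUND", NEW_INBOUND), ("SPOOFED", SPOOFED)]:
        print(name, filter_packet(RULES, pkt))
```

Rule order matters: without the first rule, the packet with the forged internal source would be accepted by the reply rule, which is why the incoming interface is part of the match.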

66
Application Gateways
  • Opposite approach to packet filtering
  • Instead of a general purpose mechanism for all
    kinds of traffic, a special purpose access control
    mechanism is used for each application.
  • Idea
  • Application gateway is a proxy server. Each proxy
    server acts as an intermediary between the client
    and the actual server. Proxy server performs
    various verifications on the application protocol
    between the client and server.
  • Generic operation of an application gateway
  • the client first connects to proxy server
  • proxy server performs authentication and access
    control verification
  • if the client is authorized, proxy server
    connects to the actual destination
  • further communication between the client and the
    actual server is relayed through the proxy server
    and some optional filtering can be applied on the
    data exchange.
  • An application gateway is a process, not a host.
  • There is an application gateway for each
    application protocol that is authorized.
  • Application gateways can be combined with a
    packet filter.

67
Application Gateways
Simpler packet filtering: basic model for packet filtering with application gateways
[Diagram: a Packet Filter with three interfaces (Interface 1, Interface 2, Interface 3) connecting Network 1 (untrusted), Network 2 (trusted) and the Application Gateway Host; authorized connections pass through the Application Gateway Host]
68
Circuit Gateways
  • generic proxy for all TCP based applications
  • Basic principle
  • client-server connections are forced to pass through the gateway by a change in the transport layer software of the client.
  • relaying takes place at the transport layer (TCP).
  • the layers above TCP (application) are not affected at all.
  • Encapsulation of client-server connection by client-gateway connection

[Diagram: message flow between Client, GW and Server]
  1. Client → GW: Connection request (data: server name)
  2. GW: Verification
  3. GW → Server: Connection request; establish relay
  4. Server → GW: Connection response
  5. GW → Client: Connection response
  6. Data is relayed between Client and Server through GW
69
Packet filtering Firewall
[Diagram: Local Network - Packet Filter Router - Internet]
  • Router blocks all or most access to internal network.
  • Router can allow selective access to services.
  • Usually inherently dangerous services such as NIS, NFS, X11 are blocked

70
Dual-Homed Gateway
[Diagram: Local Network - Firewall (bastion host running the proxy servers) - Internet]
  • Gateway host has a separate interface (network adapter) to each network.
  • Packet (IP) forwarding on the gateway is disabled.
  • Proxy server performs application layer access control.
  • Default condition: only traffic authorized by application gateways can cross the boundary
  • In a simple setup, proxy servers for telnet, ftp, http and a mail server can be located on the firewall.

71
Screened Host Firewall
[Diagram: the Firewall consists of a Packet Filter Router between the Internet and the Local Network, a Bastion Host running the Proxy Servers, and Open Services]
  • packet filter "forces" all inbound packets to connect to the gateway or "bastion host".
  • packet filter lets out only packets from the gateway.
  • Proxy servers perform application layer access control.
  • Main difference from Dual-homed Gateway
  • no true network isolation

72
Screened Subnet Firewall
Buffer Subnet: De-militarized Zone (DMZ)
[Diagram: Internet - External Packet Filter Router - De-militarized Zone (Bastion Host running the Proxy Servers, Open Services) - Internal Packet Filter Router - Local Network]
  • Internal packet filter "forces" all exit packets
    to connect to the gateway.
  • External packet filter "forces" all entry
    packets to connect to the gateway or to open
    services.
  • External packet filter lets out only packets
    from the gateway or from open services.
  • Internal packet filter lets in only packets from
    the gateway.
  • Proxy servers perform application layer access
    control.

73
Other Useful Tools
  • TCP_WRAPPER
  • host-based access control and logging for
    TCP-based services
  • located at each host
  • integrated with inetd
  • Tripwire
  • host-based integrity verification
  • detects modification of essential files
  • based on hashing
  • SATAN, ISS
  • vulnerability testing on UNIX networks
  • based on well-known security flaws
  • COPS
  • vulnerability testing on UNIX systems
  • ISS Real Secure, Netranger, etc.
  • network intrusion detection

75
Cryptographic Security
[Diagram: Internet protocol stack (Domain Name System, Routing Information Protocol, EGP, BGP, SNMP, OSPF; Transmission Control Protocol, User Datagram Protocol; ICMP, IGMP, ARP, RARP, Internet Protocol; Data Link Layer: xDSL, Ethernet, ATM) annotated with Routing Security, Transport Layer Security and Internet Layer Security]
76
Internet Layer Security Architecture
  • IPsec
  • RFC 2401 - Architecture Document
  • IP Authentication Header (IP AH)
  • IP Encapsulating Security Payload (ESP)
  • Keyed Hash Functions
  • Key management and Security Associations
  • No protection for ARP in IPv4
  • Secure equivalent in IPv6 using ICMP

77
IP Authentication Header
  • Cryptographic Authentication for IPv4 and IPv6
    Datagrams
  • RFC 2402
  • Services provided
  • support for variable functions and parameters
    (SPI)
  • data origin authentication
  • data integrity
  • replay detection
  • Services not provided
  • confidentiality
  • traffic secrecy

78
IP AH
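[Diagram: AH format in 32-bit words (bit offsets 0, 8, 16, 24): Security Parameter Index (SPI); Sequence Number; Authentication Data (variable). The Authentication Data is the output of a Secure Hash Function over the IP Datagram, with the mutable fields and the Auth.Data field set to zero]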
79
IP AH
  • Transport mode: AH placement in the IP datagram
[Diagram, IPv4, fields shown: Original IP Header, AH, TCP, Data; coverage of authentication: all fields except for mutable fields]
[Diagram, IPv6, fields shown: Original IP Header, Hop-by-hop extensions, End-to-end extensions, AH, TCP, Data; coverage of authentication: all fields except for mutable fields]
  • Tunnel mode: AH placement in the IP datagram
[Diagram, fields shown: Encapsulating IP Header, AH, Original IP Header, Extension fields, TCP, Data; coverage of authentication: all fields except for mutable fields]
80
IP AH
Secure Hash Function alternatives:
  • Keyed MD5 (RFC 1828)
[Diagram: MD5 is computed over Key, key padding (filling the first 512 bits), the IP packet, Key and padding (n x 512 bits in total), giving the Authentication Data (128 bits)]
  • HMAC (RFC 2104)
  • Asymmetric or Symmetric Encryption of MD5 output

81
IP Encapsulating Security Payload
  • RFC 2406
  • Services provided
  • data confidentiality
  • data integrity with replay detection
  • traffic confidentiality (optional)

[Diagram: ESP format in 32-bit words (bit offsets 0, 8, 16, 24): Security Parameter Index (SPI), Sequence Number, Payload, Padding, Authentication Data (variable), with the Coverage of Authentication and the Coverage of Confidentiality marked]
82
IP ESP
[Diagram: ESP placement in the IP datagram; each layout marks the coverage of confidentiality and the coverage of authentication]
  • Transport Mode, IPv4, fields shown: Original IP Header, ESP header (SPI, Seq.Nr.), ESP payload (TCP, Data), ESP trailer (Padding), Auth. Data
  • Transport Mode, IPv6, fields shown: Original IP Header, Hop-by-hop extensions, ESP header (SPI, Seq.Nr.), ESP payload (end-to-end extensions, TCP, Data), ESP trailer (Padding), AuthData
  • Tunnel Mode, fields shown: New IP Header, new extensions, ESP header (SPI, Seq.Nr.), Original IP datagram (original IP Header, TCP, Data), ESP trailer (Padding), AuthData
83
End-to-end security with IPsec
[Diagram: two end systems communicating across the Internet or an Intranet]
  • Transport Mode packets: IP1 | AH | ULH; IP1 | ESP | ULH; IP1 | AH | ESP | ULH
  • Tunnel Mode packets: IP2 | AH | IP1 | ULH; IP2 | ESP | IP1 | ULH
One or more SAs applied to the same traffic stream
IP1: original IP header; IP2: encapsulating IP header
ULH: Upper Layer Header
84
Simple virtual private network with IPsec
[Diagram: Tunnel Mode packets: IP2 | AH | IP1 | ULH and IP2 | ESP | IP1 | ULH]
85
Remote access with IPsec
[Diagram: a remote host reaches the Intranet across the Internet through the SG]
86
Internet Security Architecture
[Diagram: Internet protocol stack (Domain Name System, Routing Information Protocol, EGP, BGP, SNMP, OSPF; Transmission Control Protocol, User Datagram Protocol; ICMP, IGMP, ARP, RARP, Internet Protocol; Data Link Layer: xDSL, Ethernet, ATM) annotated with Routing Security, Transport Layer Security and Internet Layer Security]
87
Transport Layer Security (TLS) Protocol
  • RFC 2246
  • Based on Secure Sockets Layer (SSL) from Netscape
    Communications
  • Services provided
  • peer entity authentication
  • data confidentiality
  • data integrity (replay detection)
  • generation/distribution of session keys
  • security parameter negotiation
  • Two sub-layers
  • TLS Record Protocol
  • TLS Handshake Protocol
  • Record sub-layer encapsulates Application Data
    and Handshake Protocol

88
TLS Handshake Protocol
  • Session Negotiation between peer Transport
    Entities
  • A session consists of
  • session Id
  • X509 public-key certificate of the peer
  • compression algorithm
  • encryption algorithm
  • MAC algorithm (MD5, SHA, etc.)
  • cryptographic attributes
  • - Session data are used by the TLS Record Layer
    for encryption and integrity protection of higher
    layer protocols
  • - A session can be reused by several transport
    connections.

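[Diagram: handshake message flow between Client and Server]
  1. Client → Server: ClientHello
  2. Server → Client: ServerHello, Certificate, ServerKeyExchange
  3. Client → Server: Certificate, ClientKeyExchange
  4. Application Data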
89
WWW Security
[Diagram: a browser (running applets, with local resources) sends an HTTP url to a server (running CGI gateway programs, with local resources)]
  • Vulnerabilities
  • HTTP: risks due to communication over Internet
  • CGI: malicious script can expose server resources
  • Java: malicious applet can expose client resources

90
HTTP and CGI Security
  • Client-server communication
    • Standard authentication by the server
      • uuencoded cleartext passwords
      • domain-based access control
        • per subtree of the html document directory
    • application layer: Secure HTTP
    • transport layer: SSL Netscape (see Transport
      Layer Security)
    • proxy server to filter traffic at domain
      boundary
  • CGI
    • restricted access to cgi-bin directory
    • user-provided parameter verification in the cgi
      scripts
    • limited use of setuid bit with cgi scripts
    • limited use of process creation in cgi scripts
    • hide source of cgi scripts from the net

91
Mobile Code
[Figure labels: Client, Browser, Network, Applet, Libraries]
Malicious applet (executable content) can cause
  • disclosure of client information
  • modification of client information
  • denial of service on client resources
Flexibility and power at the cost of higher risk
92
Java Security
  • Language features
    • object-oriented data encapsulation
    • type-safety
    • final attribute
    • absence of pointers
    • garbage collection
    • namespace encapsulation
  • Protection against malicious Applets: Sandbox
    Approach
    • Bytecode Verifier
      • converts bytecode from the network into
        local class, checking
        • stack overflows
        • pointers
        • access restrictions
        • object and method access
    • Class Loader
      • protects integrity of local classes
      • forces class import from origin node
      • signature verification by subtyped
        SignedClassLoader
    • Security Manager

93
Outline
THEORY
1. Symmetric Cryptography
2. Asymmetric Cryptography
3. Hash Functions and Integrity
4. Authentication
5. Key Management
APPLICATIONS
6. Internet Security Using Firewalls
7. Internet Security with Cryptographic Mechanisms
8. Multicast Security
94
Multicast Security
  • Key Management
  • Data Origin Authentication
  • Data Confidentiality

95
Key Management
  • Security requirements
  • membership (JOIN/LEAVE) security
  • Containment.
  • Scalability
  • Processing cost
  • Membership dynamics
  • No group-wide re-key message
  • Treat the group as single entity
  • Existing algorithms
  • one key for the whole group
  • the group is a set of subgroups: different keys
    in each subgroup

96
Multicast Key management
  • Keygraphs [Wong et al. 98]
  • K0: Group Key
  • u4's keys: K3, K34, K1234, K0
  • u4 JOINS: trivial
  • u4 LEAVES
    • {K34, K1234, K0}K3 → u3
    • {K1234, K0}K12 → u1, u2
    • {K0}K5678 → u5, u6, u7, u8
  • advantage: the number of re-key messages is of
    logarithmic order
  • there is no containment.

[Figure: key tree]
K0
K1234 K5678
K12 K34 K56 K78
K1 K2 K3 K4 K5 K6 K7 K8
u1 u2 u3 u4 u5 u6 u7 u8
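The LEAVE case on this slide, worked through in code as an added example (not from the slides or from Wong et al.): it rebuilds the 8-user binary key tree, replaces the keys on u4's path and wraps the new keys under the sibling subtree keys. All function names are assumptions, and `wrap` is a toy one-block XOR standing in for real authenticated encryption.

```python
import hashlib, hmac, os

N = 8  # users u1..u8, as in the slide's tree

def name(lo, hi):
    """Slide naming: K0 for the root, otherwise K + the user numbers below."""
    return "K0" if (lo, hi) == (1, N) else "K" + "".join(map(str, range(lo, hi + 1)))

def path(user):
    """(subtree, sibling subtree) ranges on the user's path, root first."""
    lo, hi, out = 1, N, []
    while lo < hi:
        mid = (lo + hi) // 2
        child, sib = ((lo, mid), (mid + 1, hi)) if user <= mid else ((mid + 1, hi), (lo, mid))
        out.append(((lo, hi), sib))
        lo, hi = child
    return out

def held_by(user):
    return [name(user, user)] + [name(*rng) for rng, _ in path(user)][::-1]

def build_keys():
    return {k: os.urandom(32) for u in range(1, N + 1) for k in held_by(u)}

def wrap(kek, label, key):
    """Toy one-block XOR wrap (assumption); XOR makes it its own inverse."""
    pad = hmac.new(kek, label.encode(), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, pad))

def rekey_on_leave(keys, leaver):
    """Replace the leaver's non-leaf keys; return one message per sibling
    subtree: (encrypting key, recipients, {new key name: wrapped key})."""
    p = path(leaver)
    fresh = {name(*rng): os.urandom(32) for rng, _ in p}
    msgs = []
    for depth in range(len(p) - 1, -1, -1):        # deepest sibling first
        sib = p[depth][1]
        kek = keys[name(*sib)]                      # a key the leaver never held
        names = [name(*p[d][0]) for d in range(depth, -1, -1)]
        body = {k: wrap(kek, k, fresh[k]) for k in names}
        msgs.append((name(*sib), [f"u{i}" for i in range(sib[0], sib[1] + 1)], body))
    keys.update(fresh)
    return msgs

if __name__ == "__main__":
    for kek, to, body in rekey_on_leave(build_keys(), 4):
        print("{" + ", ".join(body) + "}" + kek, "->", ", ".join(to))
```

For 8 users the leave costs three re-key messages, one per level of the tree, and every one of them reaches users in both halves of the group, which is the lack of containment the slide notes.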
97
Multicast Key Management: Sub-group approach
  • Iolus [Mittra, 97]
  • intermediate nodes involved in key distribution
  • GSC (Group Security Controller)
    • defines the groups and the GSI
  • GSI (Group Security Intermediary)
    • 1 - decrypt M with the key of the group
    • 2 - re-encrypt M with the key of the other
      group it is involved in.
  • advantage: containment, scalability
  • disadvantage: we have to trust GSIs

[Figure: GSC and GSIs connecting subgroups keyed K1 to K6]

98
Multicast Key Management: Sub-group Approach
  • [Molva et al. 99]
  • Based on asymmetric algorithms

[Figure labels: a1 to a7, "Source sends", "Recipients in subgroup", S4]
99
Multicast Key Management (4/4)
  • MARKS [Briscoe 99]
  • access to segments between s4 and s8
    using t2 and t10
  • k4 = t10, k5 = L(L(t2)), etc.
  • L and R are one-way functions.

[Figure: binary tree of seeds with root t0; each child is derived from its parent with L (left branch) or R (right branch); the leaves t7 to t14 are the segment keys k1 to k8]
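The seed tree on this slide, as an added example (not Briscoe's code and not from the slides): the sender computes the fewest seeds that cover a run of segments, and the receiver derives each segment key from them. The slide only says L and R are one-way; instantiating them as SHA-256 with a one-byte prefix, the constructed root seed `T0` and all function names are assumptions.

```python
import hashlib

def L(x: bytes) -> bytes:
    return hashlib.sha256(b"L" + x).digest()

def R(x: bytes) -> bytes:
    return hashlib.sha256(b"R" + x).digest()

DEPTH = 3                          # 2**3 = 8 segment keys k1..k8
FIRST_LEAF = 2 ** DEPTH - 1        # t7 is k1, so k_s = t(6 + s)
T0 = hashlib.sha256(b"constructed root seed").digest()

def derive(seed, frm, to):
    """Derive t_to from t_frm, or None if t_to is not below t_frm."""
    path = []
    while to > frm:
        path.append(L if to % 2 else R)    # odd index = left child
        to = (to - 1) // 2
    if to != frm:
        return None
    for step in reversed(path):
        seed = step(seed)
    return seed

def min_cover(first, last, node=0, lo=1, hi=2 ** DEPTH):
    """Fewest seed indices whose subtrees hold exactly k_first..k_last."""
    if last < lo or hi < first:
        return []
    if first <= lo and hi <= last:
        return [node]
    mid = (lo + hi) // 2
    return (min_cover(first, last, 2 * node + 1, lo, mid) +
            min_cover(first, last, 2 * node + 2, mid + 1, hi))

def grant(t0, first, last):
    """Sender side: the seeds handed out for segments first..last."""
    return {i: derive(t0, 0, i) for i in min_cover(first, last)}

def segment_key(seeds, s):
    """Receiver side: k_s from the granted seeds, or None if not covered."""
    for i, seed in seeds.items():
        key = derive(seed, i, FIRST_LEAF + s - 1)
        if key is not None:
            return key
    return None

if __name__ == "__main__":
    print(min_cover(4, 8))         # seed indices for segments 4..8
```

Because L and R are one-way, holding t2 and t10 gives no way back up to t1 or t0, so segments 1 to 3 stay out of reach.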
100
Broadcast Encryption (2/3)
  • k-resilient scheme [Fiat et al. 1994]
  • Every user ui is assigned a set of keys Ki
  • S sends {M}K and a key envelope
    to a user set T
  • Each user in T retrieves K
    from the key envelope using Ki
  • mathematically proven k-resilient.

[Figure: S broadcasting to users u1, u2, u3, ..., un]
101
Broadcast encryption (3/3)
  • f-redundant key cover schemes [Abdalla et al.
    2000]
  • k(ui) = {Kj | ui ∈ Kj}
  • S → {u2, u6, u10, u12}: M
  • S computes Cmin(K) and sends the same message
    encrypted with the keys in Cmin(K) (minimal key
    cover).
  • => f-redundancy: some of the users outside the
    intended destination group will be able to access
    M

[Figure: universe U of users u2 to u13, grouped into sets K1 to K5]
U: universe of users ui; Ki: sets of users (one key per set)
102
Data Encryption (1/3)
  • [Pannetrat et al. 2002] Based on the same idea as the
    key distribution algorithm using intermediate
    nodes
  • Symmetric encryption in XOR-Counter mode.
  • Apply several layers of encryption at the source
    and recipients.
  • Only two operations in the intermediate elements
  • One decryption
  • One encryption

103
Data Encryption (2/3)
  • Link Model

104
Data Encryption (3/3)
  • Group Model

105
Multicast Authentication (1/4)
  • Requirements
  • A Multiparty Problem
  • One source and an unlimited number of recipients
  • The source does not trust the recipients
  • => authentication technique must be asymmetric
  • A Packet Streaming Problem
  • Individual authentication of each packet
  • Authentication of packet sequences
  • cost/packet
  • Packet loss rate
  • Real time
  • A digital signature per packet is not a practical
    solution
  • 1 digital signature for a set of packets
  • Packet chaining using hash functions

106
Multicast Authentication (2/4)
  • TESLA [Perrig et al. 2000]
  • Lamport's hash chaining, as in S/Key
  • K0, K1, K2, ..., Kn | Ki = h(Ki+1)
  • Authenticated multicast message sent at time
    interval i
    • Mi, MAC(Ki, Mi), Ki-1
  • Mi authenticated using a further message in the
    stream
  • Synchronization required to detect replays: Kj
    only valid in interval Ij
  • The first message is asymmetrically authenticated
    using a digital signature.
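The packet format and delayed key disclosure above, as an added example (not Perrig et al.'s code and not from the slides): a sender and a receiver that buffers Mi until a later packet discloses a key that hashes back to the commitment K0. SHA-256 and HMAC-SHA-256 as h and MAC, the integer interval clock `now`, and all names are assumptions; K0 is taken as already delivered under the digital signature.

```python
import hashlib, hmac

def h(x: bytes, n: int = 1) -> bytes:
    """Apply the one-way function n times (n <= 0 returns x unchanged)."""
    for _ in range(n):
        x = hashlib.sha256(x).digest()
    return x

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_chain(n: int, seed: bytes) -> list:
    """[K0..Kn] with Ki = h(Ki+1); K0 is the commitment sent signed."""
    keys = [h(seed)]                       # Kn
    for _ in range(n):
        keys.append(h(keys[-1]))
    return keys[::-1]

def packet(keys, i, msg):                  # (i, Mi, MAC(Ki, Mi), Ki-1)
    return (i, msg, mac(keys[i], msg), keys[i - 1])

class Receiver:
    def __init__(self, k0: bytes):
        self.trusted = (0, k0)             # newest verified (index, key)
        self.pending = {}                  # interval -> (Mi, tag), key not yet seen
        self.accepted = []

    def receive(self, pkt, now: int):
        i, msg, tag, key = pkt
        if now <= i:                       # Ki still secret, so the tag means something
            self.pending.setdefault(i, (msg, tag))
        idx, known = self.trusted
        if i - 1 < idx or not hmac.compare_digest(h(key, i - 1 - idx), known):
            return                         # stale or forged key disclosure
        self.trusted = (i - 1, key)
        for p in sorted(q for q in self.pending if q < i):
            m, t = self.pending.pop(p)     # Kp = h applied (i-1-p) times to Ki-1
            if hmac.compare_digest(mac(h(key, i - 1 - p), m), t):
                self.accepted.append((p, m))

def demo():
    keys = make_chain(5, b"constructed seed")
    rx = Receiver(keys[0])
    for i in (1, 2, 4):                    # packet 3 is lost in transit
        rx.receive(packet(keys, i, b"m%d" % i), now=i)
    rx.receive((2, b"evil", mac(keys[2], b"evil"), keys[1]), now=4)  # late forgery
    rx.receive(packet(keys, 5, b"m5"), now=5)
    return rx.accepted
```

In `demo()` the message from interval 2 is still authenticated although packet 3 was lost, because K2 is recomputed from the K3 disclosed in packet 4; the forgery built from the already public K2 is dropped by the interval check.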

107
Multicast Authentication (3/4)
  • [Pannetrat et al. 2002]
  • Advantages
    • Spread the cost of a signature
      over several packets.
    • Erasure code to tolerate losses.
    • No need to send duplicate hash values

[Figure: a block of packets P and their hash values, with erasure codes E.C.1 and E.C.2 and a signature (Sign)]
108
Multicast Authentication (4/4)
  • Alternative feedback schemes

109
  • Thank You