Network Security

1
Network Security

• Bijendra Jain
• (bnj_at_cse.iitd.ernet.in)

2
Lecture 1 Introduction
3
Top-level issues

• Safety, security and privacy
• Security policy
• threats, both external and internal
• economic gains
• cost of securing resources
• cryptographic methods vs. physical security
• Information security
• nature of resources (HW, SW, information)
• during storage, access and communication
• limited to a single computer vs. network security
• various layers (physical through application
  layers)

4
Security threats

• Intentional vs. accidental
• Various forms of violations
• Non-destructive
• Destructive
• Repudiation
• Denial of service
• Threat techniques
• crypt-analysis
• snooping
• masquerading
• replay attacks
• virus, worms
• etc.

5
Security services

• Services (or functions) vs. mechanisms
• Security functions
• confidentiality
• authentication
• integrity
• non-repudiation
• access control
• availability

6
Security mechanisms

• Physical controls
• Audit trails
• Fraud detection (data mining)
• Steganography
• Encryption
• private-key vs. public-key encryption
• key generation, exchange, and management
• certification
• Firewalls
• etc.

7
Lecture 2 Symmetric-key encryption
8
Cryptographic systems

• Symmetric vs. asymmetric encryption
• Number of keys used
• Key lengths
• Block vs. stream cipher
• Crypt-analysis (assume algorithm is known)
• ciphertext (only)
• plaintext ciphertext
• chosen plaintext ciphertext
• chosen ciphertext plaintext

9
Symmetric cryptographic system

• Symmetric encryption
• Plaintext, X
• Ciphertext, Y
• Secret keys for encryption, decryption, K

10
Asymmetric cryptographic system

• Asymmetric encryption
• Plaintext, X
• Ciphertext, Y
• Two keys K1, and K2. One is secret, other is
  public
• One of them (secret or public) is used to
  encrypt, the other for decryption
• Helps with confidentiality, digital signatures

11
Symmetric encryption

• Substitution cipher
• Transposition cipher
• DES
• Triple DES
• Blowfish, RC5, RC4, etc.

12
Substitution cipher

• Ceasar cipher
• encrypt C ? (pk) mod n
• decrypt p ? (C-k) mod n
• assumes set of n characters
• easily breakable in n-1 steps
• Substitute using n x n table
• encrypt Ci ? lookup_encrypt(pi)
• decrypt pj ? lookup_decrypt(Cj)
• 26! Different keys
• may be broken using known relative frequency of
  each character
• To counter
• use multiple symbols to substitute
• substitute multiple symbols at a time
• e.g. two letter strings at a time

13
Transposition cipher

• Transposition example
• To make it more secure
• transposition it multiple times
• combine it with substitution ciphers

14
DES

• Combination of several substitution and
  transposition ops
• Applied to each block of size 64 bits
• Key is 56 bits
• Uses portions of key at different steps
• Uses techniques referred to by diffusion and
  confusion
• Developed by IBM 1971-73, accepted by NBS (USA)
  as a standard in 1977
• Primarily a block cipher

15
DES encryption algorithm
16
Cipher Block Chaining

• Primarily a block cipher
• May be used in block chaining mode

17
Strength of DES

• Key size of 56 bits appears to be too small
• In 1993 Weiner developed HW device for 100K with
  5760 search engines to break it in 35 hours
• In 1997, 70,000 systems on Internet discovered
  the key in less than 96 days (part of plaintext
  is given)
• Automating the process is difficult, unless
  plaintext is known
• Perhaps breakable by studying and exploiting
  weakness
• Differential cryptanalysis
• Linear cryptanalysis
• Trapdoor
• US Govt changed the original design
• Continues to enjoy wide acceptibility
• Particularly with triple-DES (used in PGP)

18
Double-DES

• Two stages of encryption, using two different keys

19
Double-DES

• two stages cannot be reduced to one stage
• for given K1, K2, there is no K s.t. EK2(EK1(P))
  EK(P)
• Meet-in-the-middle attack
• Let C EK2(EK1(P)), and X EK1(P) DK2(C)
• Let known P and C
• Search for K1 and K2 such that X EK1(P)
  DK2(C)
• Complexity is O(256 256), not O(2128)

20
Triple-DES

• Three stages of encryption, using two different
  keys

21
IDEA

• International data encryption algorithm (IDEA)
• developed in 1991, gaining ground
• block cipher
• better understood
• US government has had no role in its design
• design principle
• block size 64 bits
• key length 128 bits
• more emphasis on diffusion and confusion
• uses three operations
• exclusive-OR, addition, multiplication
• some effort to make HW implementation easier

22
RC5

• developed by Rivest, in 1994
• suitable for HW or SW implementation on
  microprocessors
• simple
• different word length
• low memory
• high level of security
• simpler determination of strength
• variable no. of rounds, key length

23
Blowfish

• Developed in 1993
• block cipher
• up to 448 bit keys
• no known attacks
• simple, fast and compact

24
Summary symmetric key encryption

• Since the same key is used to encrypt and
  decrypt, the system is also know as private-key
  encryption
• Symmetric key encryption
• uses shared secret keys
• also known as private-key encryption
• Primarily used for purpose of confidentiality
• but may be used to authenticate as well, but may
  be repudiated
• Key sharing or management is an issue
• particularly when the no. of clients sharing the
  key is large

25
Application to confidentiality

• Private-key encryption may be used to provide
  confidentiality of messages during transfer over
  LANs and/or WANs
• At issue
• what information
• User data vs. headers
• Identity of correspondents vs. node/route
  identity
• in what layer, and between what points
• Link-layer vs. end-to-end vs. application level
• Assumption data over physical network is
  accessible
• Wireless links
• Employee of the network service provider
• Your own colleagues

26
Link-level vs. end-to-end confidentiality
27
Link-level vs. end-to-end confidentiality
28
Traffic confidentiality

• Issues
• Identity of communicating entities
• Identity of hosts, routers
• Traffic volumes, patterns
• Link-level encryption offers better
  confidentiality
• Padding may be used to hide patterns and
  volumes

29
Key distribution

• Secret key must be distributed between the
  communicating entities, say A and B
• Link level encryption requires L number of keys
  to be distributed, one for each device at the end
  of a link
• Host-to-host encryption requires N(N-1)/2 keys
  to be distributed
• Two techniques
• Physical delivery (works only in a very limited
  environs)
• A delivers it to B
• A trusted third party C delivers the key to A and
  to B
• Electronic delivery using an established secure
  connection or session
• A delivers it to B after suitably encrypting it
• A trusted third party C delivers the key to A and
  to B using secure channels to A and to B.

30
Key distribution

• Electronic distribution by B to A, though process
  initiated by A
• Above
• N1 and N2 are nonce,
• MKm is the master key used by A and B
• KS is the new session key
• F is a well-known function, such as ADD 1

31
Key distribution

• Electronic distribution by trusted third party C
  to A and to B

32
Key distribution

• Above
• KA and KB are keys used by A and B, respectively,
  to communicate with C
• IDA identifies entity A

33
Key distribution

• Secure operation of these schemes, against
• Masquerade
• replay attacks
• Other issues
• Hierarchy of keys
• Lifetime of a session key
• Generation of Nonce or Random numbers

34
Thanks