Title: Chapter 8: Network Security
1Chapter 8 Network Security
 Chapter goals
 understand principles of network security
 cryptography and its many uses beyond
confidentiality  authentication
 message integrity
 security in practice
 firewalls and intrusion detection systems
 security in application, transport, network, link
layers
2Chapter 8 roadmap
 8.1 What is network security?
 8.2 Principles of cryptography
 8.3 Message integrity
 8.4 Securing email
 8.5 Securing TCP connections SSL
 8.6 Network layer security IPsec
 8.7 Securing wireless LANs
 8.8 Operational security firewalls and IDS
3Friends and enemies Alice, Bob, Trudy
 wellknown in network security world
 Bob, Alice (lovers!) want to communicate
securely  Trudy (intruder) may intercept, delete, add
messages
Alice
Bob
data, control messages
channel
secure sender
secure receiver
data
data
Trudy
4There are bad guys (and girls) out there!
 Q What can a bad guy do?
 A a lot!
 eavesdrop intercept messages
 actively insert messages into connection
 impersonation can fake (spoof) source address in
packet (or any field in packet)  hijacking take over ongoing connection by
removing sender or receiver, inserting himself in
place  denial of service prevent service from being
used by others (e.g., by overloading resources)
5What is network security?
 Confidentiality only sender, intended receiver
should understand message contents  sender encrypts message
 receiver decrypts message
 Authentication sender, receiver want to confirm
identity of each other  Message integrity sender, receiver want to
ensure message not altered (in transit, or
afterwards) without detection  Access and availability services must be
accessible and available to users
6Chapter 8 roadmap
 8.1 What is network security?
 8.2 Principles of cryptography
 8.3 Message integrity
 8.4 Securing email
 8.5 Securing TCP connections SSL
 8.6 Network layer security IPsec
 8.7 Securing wireless LANs
 8.8 Operational security firewalls and IDS
7The language of cryptography
Alices encryption key
Bobs decryption key
encryption algorithm
decryption algorithm
ciphertext
plaintext
plaintext
 symmetric key crypto sender, receiver keys
identical  publickey crypto encryption key public,
decryption key secret (private)
8Symmetric key cryptography
 substitution cipher substituting one thing for
another  monoalphabetic cipher substitute one letter for
another
plaintext abcdefghijklmnopqrstuvwxyz
ciphertext mnbvcxzasdfghjklpoiuytrewq
E.g.
Plaintext bob. i love you. alice
ciphertext nkn. s gktc wky. mgsbc
Key the mapping from the set of 26 letters to
the set of 26 letters
 Q How hard to break this simple cipher?
 brute force (how hard?) or other?
9Polyalphabetic encryption
 n monoalphabetic cyphers, M1,M2,,Mn
 Cycling pattern
 e.g., n5, M1,M3,M4,M3,M2 M1,M3,M4,M3,M2
 For each new plaintext symbol, use subsequent
monoalphabetic pattern in cyclic pattern  dog d from M1, o from M3, g from M4
 Key the n ciphers and the cyclic pattern
10Symmetric key cryptography
encryption algorithm
decryption algorithm
ciphertext
plaintext
plaintext message, m
K (m)
AB
 symmetric key crypto Bob and Alice share know
same (symmetric) key K  e.g., key is knowing substitution pattern in mono
alphabetic substitution cipher  Q how do Bob and Alice agree on key value?
AB
11Two types of symmetric ciphers
 Stream ciphers
 encrypt one bit at time
 Block ciphers
 Break plaintext message in equalsize blocks
 Encrypt each block as a unit
12Stream Ciphers
pseudo random
keystream generator
key
keystream
 Combine each bit of keystream with bit of
plaintext to get bit of ciphertext  m(i) ith bit of message
 ks(i) ith bit of keystream
 c(i) ith bit of ciphertext
 c(i) ks(i) ? m(i) (? exclusive or)
 m(i) ks(i) ? c(i)
13RC4 Stream Cipher
 RC4 is a popular stream cipher
 Extensively analyzed and considered good
 Key can be from 1 to 256 bytes
 Used in WEP for 802.11
 Can be used in SSL
14Block ciphers
 How many possible mappings are there for k3?
 How many 3bit inputs?
 How many permutations of the 3bit inputs?
 Answer 40,320 not very many!
 In general, 2k! mappings huge for k64
 Problem
 Table approach requires table with 264 entries,
each entry with 64 bits  Table too big instead use function that
simulates a randomly permuted table
15Prototype function
From Kaufman et al
8bit to 8bit mapping
16Why rounds in prototpe?
 If only a single round, then one bit of input
affects at most 8 bits of output.  In 2nd round, the 8 affected bits get scattered
and inputted into multiple substitution boxes.  How many rounds?
 How many times do you need to shuffle cards
 Becomes less efficient as n increases
17Symmetric key crypto DES
 initial permutation
 16 identical rounds of function application,
each using different 48 bits of key  final permutation
18Symmetric key crypto DES
 DES Data Encryption Standard
 US encryption standard NIST 1993
 56bit symmetric key, 64bit plaintext input
 How secure is DES?
 DES Challenge 56bitkeyencrypted phrase
(Strong cryptography makes the world a safer
place) decrypted (brute force) in 4 months  no known backdoor decryption approach
 making DES more secure
 use three keys sequentially (3DES) on each datum
 use cipherblock chaining
19AES Advanced Encryption Standard
 new (Nov. 2001) symmetrickey NIST standard,
replacing DES  processes data in 128 bit blocks
 128, 192, or 256 bit keys
 brute force decryption (try each key) taking 1
sec on DES, takes 149 trillion years for AES
20Public key cryptography
 symmetric key crypto
 requires sender, receiver know shared secret key
 Q how to agree on key in first place
(particularly if never met)?
 public key cryptography
 radically different approach DiffieHellman76,
RSA78  sender, receiver do not share secret key
 public encryption key known to all
 private decryption key known only to receiver
21Public key cryptography
Bobs public key
K
B

Bobs private key
K
B
encryption algorithm
decryption algorithm
plaintext message
plaintext message, m
ciphertext
22Public key encryption algorithms
Requirements
.
.

 need K ( ) and K ( ) such that
B
B
given public key K , it should be impossible to
compute private key K
B

B
RSA Rivest, Shamir, Adleman algorithm
23RSA Choosing keys
1. Choose two large prime numbers p, q.
(e.g., 1024 bits each)
2. Compute n pq, z (p1)(q1)
3. Choose e (with eltn) that has no common
factors with z. (e, z are relatively prime).
4. Choose d such that ed1 is exactly divisible
by z. (in other words ed mod z 1 ).
5. Public key is (n,e). Private key is (n,d).
24RSA Encryption, decryption
0. Given (n,e) and (n,d) as computed above
2. To decrypt received bit pattern, c, compute
d
(i.e., remainder when c is divided by n)
Magic happens!
c
25RSA example
Bob chooses p5, q7. Then n35, z24.
e5 (so e, z relatively prime). d29 (so ed1
exactly divisible by z.
e
m
m
letter
encrypt
l
12
1524832
17
c
letter
decrypt
17
12
l
481968572106750915091411825223071697
26Prerequisite modular arithmetic
 x mod n remainder of x when divide by n
 Facts
 (a mod n) (b mod n) mod n (ab) mod n
 (a mod n)  (b mod n) mod n (ab) mod n
 (a mod n) (b mod n) mod n (ab) mod n
 Thus
 (a mod n)d mod n ad mod n
 Example x14, n10, d2(x mod n)d mod n 42
mod 10 6xd 142 196 xd mod 10 6
27RSA Why is that
Useful number theory result If p,q prime and n
pq, then
(using number theory result above)
(since we chose ed to be divisible by (p1)(q1)
with remainder 1 )
28RSA another important property
The following property will be very useful later
use public key first, followed by private key
use private key first, followed by public key
Result is the same!
29Why is RSA Secure?
Why
?
 Follows directly from modular arithmetic
 (me mod n)d mod n med mod n mde mod n
 (md mod n)e mod n
 Suppose you know Bobs public key (n,e). How hard
is it to determine d?  Essentially need to find factors of n without
knowing the two factors p and q.  Fact factoring a big number is hard.
30Still Need Secret Session keys
 Exponentiation is computationally intensive
 DES is at least 100 times faster than RSA
 Session key, KS
 Bob and Alice use RSA to exchange a symmetric key
KS  Once both have KS, they use symmetric key
cryptography
31Chapter 8 roadmap
 8.1 What is network security?
 8.2 Principles of cryptography
 8.3 Message integrity
 8.4 Securing email
 8.5 Securing TCP connections SSL
 8.6 Network layer security IPsec
 8.7 Securing wireless LANs
 8.8 Operational security firewalls and IDS
32Message Integrity
 Bob receives msg from Alice, wants to ensure
 message originally came from Alice
 message not changed since sent by Alice
 Cryptographic Hash
 takes input m, produces fixed length value, H(m)
 e.g., as in Internet checksum
 computationally infeasible to find two different
messages, x, y such that H(x) H(y)  equivalently given m H(x), (x unknown), can
not determine x.  note Internet checksum fails this requirement!
33Internet checksum poor crypto hash function
 Internet checksum has some properties of hash
function  produces fixed length digest (16bit sum) of
message  is manytoone
But given message with given hash value, it is
easy to find another message with same hash
value
message
ASCII format
message
ASCII format
I O U 9 0 0 . 1 9 B O B
49 4F 55 39 30 30 2E 31 39 42 4F 42
I O U 1 0 0 . 9 9 B O B
49 4F 55 31 30 30 2E 39 39 42 4F 42
B2 C1 D2 AC
B2 C1 D2 AC
different messages but identical checksums!
34Message Digests
large message m
H Hash Function
 Computationally expensive to publickeyencrypt
long messages  Goal fixedlength, easy tocompute digital
fingerprint  apply hash function H to m, get fixed size
message digest, H(m).
H(m)
 Hash function properties
 manyto1
 But given message digest x H(m), its
infeasible to find m that H(m) H(m)  Data integrity cannot replace m with m
35Message Authentication Code
(shared secret)
s
(message)
s
(shared secret)
36HMAC
 Popular MAC standard
 Addresses some subtle security flaws
 Concatenates secret to front of message.
 Hashes concatenated message
 Concatenates the secret to front of digest
 Hashes the combination again.
37MACs in practice
 MD5 hash function widely used (RFC 1321)
 computes 128bit MAC in 4step process.
 arbitrary 128bit string x, appears difficult to
construct msg m whose MD5 hash is equal to x  recent (2005) attacks on MD5
 SHA1 is also used
 US standard NIST, FIPS PUB 1801
 160bit MAC
 Partial attack
38Digital Signatures
 cryptographic technique analogous to handwritten
signatures.  sender (Bob) digitally signs document,
establishing he is document owner/creator.  verifiable, nonforgeable recipient (Alice) can
prove to someone that Bob, and no one else
(including Alice), must have signed document
39Digital Signatures
 simple digital signature for message m
 Bob signs m by encrypting with his private key
KB, creating signed message, KB(m)


Bobs private key
Bobs message, m
(m)
Dear Alice Oh, how I have missed you. I think of
you all the time! (blah blah blah) Bob
Bobs message, m, signed (encrypted) with his
private key
public key encryption algorithm
40Digital Signatures (more)

 suppose Alice receives msg m, digital signature
KB(m)  Alice verifies m signed by Bob by applying Bobs
public key KB to KB(m) then checks KB(KB(m) )
m.  if KB(KB(m) ) m, whoever signed m must have
used Bobs private key.



 Alice thus verifies that
 Bob signed m.
 No one else signed m.
 Bob signed m and not m.
 nonrepudiation
 Alice can take m, and signature KB(m) to court
and prove that Bob signed m.

41Digital signature signed MAC
 Alice verifies signature and integrity of
digitally signed message
Bob sends digitally signed message
H(m)
Bobs private key
Bobs public key
equal ?
42Authentication
 Goal Bob wants Alice to prove her identity to
him
Protocol ap1.0 Alice says I am Alice
I am Alice
Failure scenario??
43Authentication
 Goal Bob wants Alice to prove her identity to
him
Protocol ap1.0 Alice says I am Alice
in a network, Bob can not see Alice, so Trudy
simply declares herself to be Alice
I am Alice
44Authentication another try
Protocol ap2.0 Alice says I am Alice in an IP
packet containing her source IP address
Failure scenario??
45Authentication another try
Protocol ap2.0 Alice says I am Alice in an IP
packet containing her source IP address
Trudy can create a packet spoofing Alices
address
46Authentication another try
Protocol ap3.0 Alice says I am Alice and sends
her (encrypted) secret password to prove it.
Failure scenario??
47Authentication another try
Protocol ap3.0 Alice says I am Alice and sends
her (encrypted) secret password to prove it.
Alices password
Alices IP addr
Im Alice
playback attack Trudy records Alices packet and
later plays it back to Bob
48Authentication yet another try
Goal avoid playback attack
Nonce number (R) used only once inalifetime
ap4.0 to prove Alice live, Bob sends Alice
nonce, R. Alice must return R, encrypted with
shared secret key
I am Alice
R
Alice is live, and only Alice knows key to
encrypt nonce, so it must be Alice!
Failures, drawbacks?
49Twoway Authentication
1 Request from Alice 2 4 Challege (a nonce)
from Bob Alice, resp 3 5 Response from Alice
Bob, resp (authenticated afterwards)
50What if we do it in three steps?
 Alice request and challenges Bob first
 Bob responses (and get authenticated) and
challenges Alice next  Alice responses (is she authenticated?)
51Reflection Attack
 Trudy gets challenged (steps 1 and 2) in session
one.  Trudy fools Bob to answer his own challenge (in
steps 3 and 4) in session two.  Trudy can now proceed with the first session.
52Authentication ap5.0
 ap4.0 requires shared symmetric key
 can we authenticate using public key techniques?
 ap5.0 use nonce, public key cryptography
I am Alice
Bob computes
R
and knows only Alice could have the private key,
that encrypted R such that
send me your public key
53Ap5.0 Security Hole
 Trudy plays pizza prank on Bob
 Trudy creates email order Dear Pizza Store,
Please deliver to me four pepperoni pizzas. Thank
you, Bob  Trudy signs order with her private key
 Trudy sends order to Pizza Store
 Trudy sends to Pizza Store her public key, but
says its Bobs public key.  Pizza Store verifies signature then delivers
four pizzas to Bob.  Bob doesnt even like Pepperoni
54ap5.0 security hole
 Man (woman) in the middle attack Trudy poses as
Alice (to Bob) and as Bob (to Alice)
I am Alice
I am Alice
R
R
Send me your public key
Send me your public key
Trudy gets
sends m to Alice encrypted with Alices public key
55ap5.0 security hole
 Man (woman) in the middle attack Trudy poses as
Alice (to Bob) and as Bob (to Alice)
 Difficult to detect
 Bob receives everything that Alice sends, and
vice versa. (e.g., so Bob, Alice can meet one
week later and recall conversation)  problem is that Trudy receives all messages as
well!
56Public Key Certification
 public key problem
 When Alice obtains Bobs public key (from web
site, email, diskette), how does she know it is
Bobs public key, not Trudys?  solution
 trusted certification authority (CA)
57Certification Authorities
 Certification Authority (CA) binds public key to
particular entity, E.  E registers its public key with CA.
 E provides proof of identity to CA.
 CA creates certificate binding E to its public
key.  certificate containing Es public key digitally
signed by CA CA says This is Es public key.
Bobs public key
CA private key
certificate for Bobs public key, signed by CA

Bobs identifying information
58Certification Authorities
 when Alice wants Bobs public key
 gets Bobs certificate (Bob or elsewhere).
 apply CAs public key to Bobs certificate, get
Bobs public key
Bobs public key
CA public key
59Trusted Intermediaries
 Symmetric key problem
 How do two entities establish shared secret key
over network?  Solution
 trusted key distribution center (KDC) acting as
intermediary between entities
 Public key problem
 When Alice obtains Bobs public key (from web
site, email, diskette), how does she know it is
Bobs public key, not Trudys?  Solution
 trusted certification authority (CA)
60Chapter 8 roadmap
 8.1 What is network security?
 8.2 Principles of cryptography
 8.3 Message integrity
 8.4 Securing email
 8.5 Securing TCP connections SSL
 8.6 Network layer security IPsec
 8.7 Securing wireless LANs
 8.8 Operational security firewalls and IDS
61Secure email
 Alice wants to send confidential email, m, to
Bob.
 Alice
 generates random symmetric private key, KS.
 encrypts message with KS (for efficiency)
 also encrypts KS with Bobs public key.
 sends both KS(m) and KB(KS) to Bob.
62Secure email
 Alice wants to send confidential email, m, to
Bob.
 Bob
 uses his private key to decrypt and recover KS
 uses KS to decrypt KS(m) to recover m
63Secure email (continued)
 Alice wants to provide sender authentication
message integrity.
 Alice digitally signs message.
 sends both message (in the clear) and digital
signature.
64Secure email (Put it all together)PGP Phil
Zimmerman
 Alice wants to provide secrecy, sender
authentication, message integrity.
Alice uses three keys her private key, Bobs
public key, newly created symmetric key Q What
does Bob have to do?
65Chapter 8 roadmap
 8.1 What is network security?
 8.2 Principles of cryptography
 8.3 Message integrity
 8.4 Securing email
 8.5 Securing TCP connections SSL
 8.6 Network layer security IPsec
 8.7 Securing wireless LANs
 8.8 Operational security firewalls and IDS
66SSL Secure Sockets Layer
 Widely deployed security protocol
 Supported by almost all browsers and web servers
 https
 Tens of billions spent per year over SSL
 Originally designed by Netscape in 1993
 Number of variations
 TLS transport layer security, RFC 2246
 Provides
 Confidentiality
 Integrity
 Authentication
 Original goals
 Had Web ecommerce transactions in mind
 Encryption (especially creditcard numbers)
 Webserver authentication
 Optional client authentication
 Minimum hassle in doing business with new
merchant  Available to all TCP applications
 Secure socket interface
67SSL and TCP/IP
 SSL provides application programming interface
(API)  to applications
 C and Java SSL libraries/classes readily
available
68Could do something like PGP
KS
m
m
Internet
KS
 But want to send byte streams interactive data
 Want a set of secret keys for the entire
connection  Want certificate exchange part of protocol
handshake phase
69Toy SSL a simple secure channel
 Handshake Alice and Bob use their certificates
and private keys to authenticate each other and
exchange shared secret  Key Derivation Alice and Bob use shared secret
to derive set of keys  Data Transfer Data to be transferred is broken
up into a series of records  Connection Closure Special messages to securely
close connection
70Toy A simple handshake
hello
certificate
KB(MS) EMS
 MS master secret
 EMS encrypted master secret
71Toy Key derivation
 Considered bad to use same key for more than one
cryptographic operation  Use different keys for message authentication
code (MAC) and encryption  Four keys
 Kc encryption key for data sent from client to
server  Mc MAC key for data sent from client to server
 Ks encryption key for data sent from server to
client  Ms MAC key for data sent from server to client
 Keys derived from key derivation function (KDF)
 Takes master secret and (possibly) some
additional random data and creates the keys
72Toy Data Records
 Why not encrypt data in constant stream as we
write it to TCP?  Where would we put the MAC? If at end, no message
integrity until all data processed.  For example, with instant messaging, how can we
do integrity check over all bytes sent before
displaying?  Instead, break stream in series of records
 Each record carries a MAC
 Receiver can act on each record as it arrives
 Issue in record, receiver needs to distinguish
MAC from data  Want to use variablelength records
length
data
MAC
73Toy Sequence Numbers
 Attacker can capture and replay record or
reorder records  Solution put sequence number into MAC
 MAC MAC(Mx, sequencedata)
 Note no sequence number field
 Attacker could still replay all of the records
 Use random nonce
74Toy Control information
 Truncation attack
 attacker forges TCP connection close segment
 One or both sides thinks there is less data than
there actually is.  Solution record types, with one type for closure
 type 0 for data type 1 for closure
 MAC MAC(Mx, sequencetypedata)
length
type
data
MAC
75Toy SSL summary
bob.com
encrypted
76Toy SSL isnt complete
 How long are the fields?
 What encryption protocols?
 No negotiation
 Allow client and server to support different
encryption algorithms  Allow client and server to choose together
specific algorithm before data transfer
77Network Security (summary)
 Basic techniques...
 cryptography (symmetric and public)
 message integrity
 endpoint authentication
 . used in many different security scenarios
 secure email
 secure transport (SSL)
 IP sec
 802.11
 Operational Security firewalls and IDS