1 / 31

Learning outcomes

Learning outcomes. At the end of this session, you should be able to: Describe the reasons for having system and network security Relate security services to security attacks Describe the basic operation of encryption through Feistel cypher structure

ophira
Download Presentation

Learning outcomes

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Learning outcomes At the end of this session, you should be able to: • Describe the reasons for having system and network security • Relate security services to security attacks • Describe the basic operation of encryption through Feistel cypher structure • Compare different symmetric encryption algorithms: DES and AES • Design a simple encryption algorithm Internet Management & Security 06

  2. Introduction With the high availability of resources on the Internet, security has become a very relevant issue. The main aim is to protect the resources on the Internet so that they cannot: • Be accessed • Be changed • Be deleted by non-authorised or malicious users Internet Management & Security 06

  3. Vulnerability of systems and networks D Malicious user Malicious user A B Malicious user Malicious user C Internet Management & Security 06

  4. Types of Security Attacks • Attacks can be categorised as : • Passive Security Attacks • Active Security Attacks Internet Management & Security 06

  5. Passive security attacks • A passive attack is an attack where an unauthorized attacker monitors or listens in on the communication between two parties. Internet Management & Security 06

  6. Passive security attacks Passive attacks • Obtain information being transmitted or stored in a system • Do not alter the contents of messages or files • Difficult to detect Solution: • Prevent the attack: data confidentiality • Encrypt information, strongly authenticate access Internet Management & Security 06

  7. Active security attacks Active attacks requires the attacker to be able to transmit data to one or both of the parties, or block the data stream in one or both directions. • Modify or delete data stored or being transmitted • Masquerade • Replay • Modification • Denial of service • Easier to detect • Harder to prevent Internet Management & Security 06

  8. Active security attacks • the attacker can stop all or parts of the data sent by the communicating parties. • This attacker can e.g. try to take the place of the client (or server) when the authentication procedure has been performed. • Without integrity checks of the received data, the server will not detect that the origin of the data is not the authenticated person. • A clever programmer can, with not to much effort, implement a system like this on a computer acting as a gateway (bridge) between two subnets. Internet Management & Security 06

  9. Active security attacks • The following are examples of different attacks this person could impose. • Inserting his own data into the data stream. • Playback of data from another connection. • Playback of data that had previously been sent in the same and opposite direction on the same connection. • Deletion of data. • Man-in-the-middle attack. • The man-in-the-middle-attack is an attack where the intruder sits in the middle of the communication link, intercepting messages and substituting them with his own messages. In this way, he tries to fool the parties to believe they are talking to each other directly, while they really are talking to the attacker him-selves. Internet Management & Security 06

  10. Active security attacks Solution: • Authentication • Access control • Data confidentiality • Data integrity • Non-repudiation • Availability Internet Management & Security 06

  11. Conclusions Security strategies are important because they: • help maintain good performance of resources on a network • guarantee users that their information is safe and private • deter potential attacks on resources Internet Management & Security 06

  12. Resources • Stallings W., Network Security Essentials, 2nd Edition, Prentice Hall, 2002 (Chapter 1) • RFC 2828 Internet Security Glossary • http://www.pvv.ntnu.no/~asgaut/crypto/thesis/node1.html Internet Management & Security 06

  13. Cryptography Cryptography modifies the content of a message according to a predetermined pattern only known by sender and receiver with the aim to prevent other parties from reading the content An encrypted message is: 1 Transformed 2 Transmitted 3 Unchanged The predetermined pattern or key needs to be transmitted separately Internet Management & Security 06

  14. Symmetric cryptography Process of cryptography: • Message • Encryption algorithm • Secret key • Cipher text • Decryption algorithm (the success of the process relies on the secrecy of the key, but it must be known by the sender and the receiver) Internet Management & Security 06

  15. Cryptography on the Internet An iterated block cipher maybe be used to get a few rounds of security Internet Management & Security 06

  16. Iterated Block Cipher • An iterated block cipher is one that encrypts a plaintext block by a process that has several rounds. • In each round, the same transformation or round function is applied to the data using a subkey. • The set of subkeys are usually derived from the user-provided secret key by a key schedule. • The number of rounds in an iterated cipher depends on the desired security level and the consequent trade-off with performance. • In most cases, an increased number of rounds will improve the security offered by a block cipher, but for some ciphers the number of rounds required to achieve adequate security will be too large for the cipher to be practical or desirable. Internet Management & Security 06

  17. Feistel Cipher • Feistel ciphers are a special class of iterated block ciphers where the cipher text is calculated from the plaintext by repeated application of the same transformation or round function. • Feistel ciphers are also sometimes called DES-like ciphers. • In a Feistel cipher, the text being encrypted is split into two halves. • The round function f is applied to one half using a subkey and the output of f is exclusive-ored with the other half. • The two halves are then swapped. Each round follows the same pattern except for the last round where there is no swap. • A nice feature of a Feistel cipher is that encryption and decryption are structurally identical, though the subkeys used during encryption at each round are taken in reverse order during decryption. • It is possible to design iterative ciphers that are not Feistel ciphers, yet whose encryption and decryption (after a certain re-ordering or re-calculation of variables) are structurally the same Internet Management & Security 06

  18. Feistel Cipher Structure Let F be the round function and let be the sub-keys for the rounds respectively. Then the basic operation is as follows: Split the plaintext block into two equal pieces, (L0, R0)For each round , compute. Then the ciphertext is (Rn,Ln). (Commonly the two pieces Rn and Ln are not switched after the last round.)Decryption of a ciphertext (Rn,Ln) is accomplished by computing for Then (L0,R0) is the plaintext again. Internet Management & Security 06

  19. Data Encryption Standard (DES) • An algorithm described in this standard specifies both enciphering and deciphering operations which are based on a binary number called a key. • A key consists of 64 binary digits ("O"s or "1"s) of which 56 bits are randomly generated and used directly by the algorithm. • The other 8 bits, which are not used by the algorithm, are used for error detection. • The 8 error detecting bits are set to make the parity of each 8-bit byte of the key odd, i.e., there is an odd number of "1"s in each 8-bit byte1. • Authorised users of encrypted computer data must have the key that was used to encipher the data in order to decrypt it. • The encryption algorithm specified in this standard is commonly known among those using the standard. • The unique key chosen for use in a particular application makes the results of encrypting data using the algorithm unique. • Selection of a different key causes the cipher that is produced for any given set of inputs to be different. The cryptographic security of the data depends on the security provided for the key used to encipher and decipher the data. Internet Management & Security 06

  20. Data Encryption Standard (DES) • Data can be recovered from cipher only by using exactly the same key used to encipher it. • Unauthorised recipients of the cipher who know the algorithm but do not have the correct key cannot derive the original data algorithmically. • However, anyone who does have the key and the algorithm can easily decipher the cipher and obtain the original data. • A standard algorithm based on a secure key thus provides a basis for exchanging encrypted computer data by issuing the key used to encipher it to those authorized to have the data. Internet Management & Security 06

  21. Data Encryption Standard (DES) It is a symmetric block cipher algorithm: • 64 bit code • 56 bit key • Sixteen rounds (iterations), hence 16 subkeys need to be generated Advantages: No one has found a fatal weakness of the algorithm Disadvantages: It has been broken by “brute-force” (256 possible keys) in 1998 by the Electronic Frontier Foundation with their DES-cracker Internet Management & Security 06

  22. Triple DES • What we all call Triple DES is EDE (encrypt, decrypt, encrypt). • The way that it works is that you take three 56-bit keys, and encrypt with K1, decrypt with K2 and encrypt with K3. • There are two-key and three-key versions. • Think of the two-key version as merely one where K1=K3. Note that if K1=K2=K3, then Triple DES is really Single DES. Internet Management & Security 06

  23. Triple DES • The same as DES but it uses three executions of the full DES algorithm with three different keys • Used in financial applications C=EK3[DK2 [EK1[P]]] C – cipher text P – plaintext EK[X] – encryption of X using key K DK[X] – decryption of X using key K • Advantage – effective key of 128 bits • Disadvantage – more processing power needed Internet Management & Security 06

  24. Advanced Encryption Standard (AES) AES – first thought of to replace 3DES with a lighter algorithm that provides the same security as 3DES • Block length – 128 bits • Supports keys of – 128, 192 and 256 bits (most common key is 128) • NOT a Feistel structure Internet Management & Security 06

  25. AES Internet Management & Security 06

  26. AES Internet Management & Security 06

  27. AES Internet Management & Security 06

  28. AES Internet Management & Security 06

  29. Other symmetric algorithms • IDEA • Blowfish • RC5 Internet Management & Security 06

  30. Conclusions • Encrypted information has more probabilities of remaining private • Most common symmetrical encryption algorithms use Feistel’s cipher • The length of the block and the key determine the efficiency of the cipher based algorithms • AES solves the problem of processing power and key sizes • The transmission of the key remains a problem Internet Management & Security 06

  31. Resources Stallings W., Network Security Essentials, 2nd Edition, Prentice Hall, 2002 (Chapter 2) FIPS Advanced Encryption Standard, http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf FIPS DES Data Encryption Standard, http://www.itl.nist.gov/fipspubs/fip46-2.htm http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci968714,00.html Internet Management & Security 06

More Related