3.69k likes | 3.7k Views
This section provides an introduction to network security, covering topics such as computer security, security attacks, security mechanisms, and security services. It also explores the importance of confidentiality, authentication, and integrity in network communication.
E N D
Network Security Section 1: Introduction to Network Security
Text Books • Network Security: Private Communication in a Public World, Charlie Kaufman, Pearson Education Inc., 2002 • Network Security: A Complete Reference – Roberta Bragg, Mark Rhodes-Ousley, Keith Strassberg – Tata McGraw-Hill 2004. • Cryptography and Network Security/3e – William Stallings, Pearson Ed. 2003.
Outline For this Section • Computer Security, Laws and Crime • Attacks, services and mechanisms • Security attacks and security services • Methods of defense • Model for internetwork security, Internet standards and Request for comments. • Cryptographic algorithms • Secure protocols • Authentication, access control.
Security is it a New Concept? • Lock the Doors and Windows. Control access • Role Based Access - Only Mom is allowed to enter • Don’t talk to strangers - even if you see some one you know Look beyond. • Don’t share your secrets – keep sniffers at bay • Don’t accept gifts from strangers • Play nice with others • Leave your valuables at home. Don’t steal • Keep your shots up to date • If you see something wrong, call the police.
Levels of Security • Information security • Early days, security was provided by physical access restrictions. • With networking this changed. • Computer security • Restriction to shared resource • Physical security • Network security • Protection of data during transmission. • Infrastructure setup for security. Eg. Bastion host Are these definitions enough?
More Classifications • Three D’s of security • Detection: tool based by monitoring • Defense: patching and updating • Deterrence: laws and policy making • Classification based on business • Business agility • Return on investment • Risk management and business continuity planning • Customer confidence
Attack, Services and Mechanisms • Security attack: any action that will compromise the security of information. • Security mechanism: A mechanism that is designed to detect , prevent, or recover from a security attack. • Security services: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.
Security Attacks Normal flow of Information source destination
Security Attacks … • Unauthorized party gets access to information • This is an attack on confidentiality • The attacker could be a person or program. • Eg. of this could be unauthorized copying of files. Interception
Security Attacks … • The system is destroyed or becomes unavailable • This is an attack on availability. • This could be a destruction of a piece of hardware or cutting a communication line. Interruption
Security Attacks … Modification • An unauthorized party gains access to information and also modifies it. • This is an attack on integrity of information. • Modification of program or date files to operate or contain different information.
Security Attacks … Fabrication • An unauthorized party injects fabricated information into the system. • This is an attack on authenticity. • Examples of this is insertion of spurious messages, addition of records to a file etc.
Attack Types • Passive Attack: • This type of attack does not involve the parties concerned. • Does not alter the information flowing between the parties. • Active Attack • This type of attack involves the other parties concerned. • The information flow is altered.
Passive Attack • This type of attacks are hard to detect since it does not involve the other party or alter the data. • This kind of attack can be prevented rather than detected. • Examples are Eavesdropping or monitoring of traffic. • The objective of the opponent is to obtain the information that is being transmitted. • Release of message content – Opponent getting to know the contents. • Traffic analysis – the link traffic profile and information gathering is done by the opponent.
Active Attack • This is easier to detect since the information stream is altered and involves the other party. • Harder to prevent since no absolute protection is available with the current buggy systems. • Involves some modification of the data stream or creation of a false stream. • Masquerading – The entity pretends to be a different entity. Eg. Use a sniffer on a telnet stream • Replay – passive capture of data, alter and then retransmit.
Security Services • Confidentiality (privacy) – is the protection of transmitted data from passive attacks. • Authentication (who created or sent the data) – is assuring that the communication is authentic. • Integrity (has not been altered) – will ensure that the messages are received with no duplication, insertion, modification. Reordering or replays. • Connection oriented service – addresses DoS and modifications (duplication, insertion, modification and reordering problems handled). • Connectionless service - deals with only individual messages and only assures against modification. This is because it only deals with individual packets.
Security Mechanisms • Separation • Physical separation • Temporal separation • Logical separation • cryptographic separation • combinations of all above • Share all or nothing • share via access limitations • share by capabilities (tokens) • limit use of an object
Design Issues in the Model • Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose. • Generate the secret information to be used with the algorithm. • Develop methods for the distribution and sharing of the secret information. • Specify a protocol to be used by the two principles that makes use of the security algorithm and the secret information to achieve a particular security service.
Other Considerations • Network Design Considerations • Designing for acceptable risk. • Use of network models with security (LAN/WAN more secure?, Dedicated/non-dedicated?, segregation and isolation) • Host hardening • Firewalls, Packet filtering • Choice of network devices • Choice of routers and other hardware • Routing protocols • Intrusion detection systems (IDS) • Host based IDS • Network based IDS
Security HighlightedKevin Mitnick • FBI arrested Kevin in February 1995 • stealing 20,000 credit-card numbers through the Internet. Valued at over one million dollars. • broke into the computer of Tsutomu Shimomura, a computer-security expert. • managed to get access to a set of utility programs, that would basically give him the tools necessary to break-in almost anywhere. • may have distributed these tools to other hackers.
The Downside!! • Kevin served five years in a Federal correctional institution before being released in January 2000. • Now charges $15,000 for a one hour talk !!
Security Highlighted - Kevin Mitnick • FBI arrested Kevin in February 1995 • stealing 20,000 credit-card numbers through the Internet • valued at over one million dollars.
Network Security Section 2: Cryptography
Outline • Importance of Cryptography • Encryption algorithms and principles (DEA, BlowFish) • Ciphering • Public key cryptography principles and algorithms. • Digital signatures
What is Cryptography? June 20, 2006 Hi ! Happy to see you all in Sri Lanka. Many thanks for your invitation letter and for the spring examination packages. All new entry forms are ready for final dispatch to the syndicate by tonight. Things are improving here, though there's room for improvement still; just give us three or four more years and we can do great things! Please don't let these wretched 16+important proposals destroy your basic pattern. Certainly this sort of change, if implemented immediately, would bring chaos. Yours sincerely,
Obvious Solution For Information Security • Develop hardware and software to ensure the following • Conceal the context of message from all except the sender and recipient. • Verify the correctness of the message to the recipient via authentication. • Use hidden writing encryption such as digital signatures. And digital watermarks. • The above expectation is embodied in two forms • Conventional or symmetric encryption • Public key or asymmetric encryption.
Conventional Encryption Scheme Ingredients • Plaintext – the original message • Encryption algorithm – performs various substitutions and transformations to the plaintext • Secret key – used for above • Ciphertext – scrambled message depending on the key and plaintext. For the same text, two different keys will generate two ciphertexts. • Decryption algorithm – encryption algorithm run in the reverse. Uses a Secret key + ciphertext to produce plaintext. • Note that the security depends on the secrecy of the key and not on the secrecy of the algorithm.
Requirements for Secure use of Conventional Encryption • A strong Encryption Algorithm: • Opponent knows the algorithm by default. • May also have access to the ciphertext • However the opponent should not be able to decipher the text or figure out the key. • This should be the case if the opponent has several ciphertext which have been encrypted using the same key. • Secure Key Handling: • The sender and receiver should obtain copies of the key securely. • If the key is known the ciphertext can be decoded.
Advantages and Disadvantages of Conventional Encryption Methods • It is assumed to be impractical to decrypt a message on the basis of the cipertext plus the algorithm. The time you spend on deciphering is too large hence a deterrent. That is the algorithm need not be kept a secret. • The features such as the above makes the conventional method widely applicable. • Low cost on chip implementations of this algorithm is available due to the algorithm being available. • The principle problem is the secrecy of the key. • The fundamental requirement of all algorithms is that the process should be reversible (no information should be lost).
Classification of Cryptographic Systems (1) • Based on the type of operations used to transform plaintext to ciphertext • Substitution – each element in the plaintext (bit, letter, or groups of these) is mapped into another element. • Transposition – Elements in the plaintext are rearranged.
Classification of Cryptographic Systems (2) • The number of keys used • Symmetric – the sender and receiver uses same key. • Asymmetric – the sender and receiver use two separate keys. • The manner in which the plaintext is processed • Block cipher processes • A stream cipher process.
Are we Safe Now? (1) • Cryptanalysis is defined as the approaches to attacking a conventional encryption method. (just when you thought it was safe!!!) • These procedures will attempt to discover the plaintext or the encryption key. If a crypt is broken, all present, future and past encryptions using this key is compromised
Are we Safe Now? (2) • The attacks on a conventional encryption scheme can be categorized into: • Cryptanalysis: This type of attack relies on the nature of the algorithm and perhaps some knowledge of the general characteristics of plaintext. • Brute-Force attack: All possible key combinations are tried on ciphertext until plaintext is obtained.
Brute Force Search • always possible to simply try every key • most basic attack, proportional to key size • assume either know / recognise plaintext
Unconditional Security • no matter how much computer power is available, the cipher cannot be broken. • That is the ciphertext provides insufficient information to uniquely determine the corresponding plaintext. • We note that no algorithm is unconditionally secure. • if it is then it cannot be uniquely decrypted.
Computational Security • given limited computing resources (eg time needed for calculations is greater than age of universe), the cipher cannot be broken. • Or in a milder case, the cost of breaking the cipher exceeds the value of the encrypted data or the required time to break the cipher exceeds the useful lifetime of the information.
Classical Substitution Ciphers • where letters of plaintext are replaced by other letters or by numbers or symbols • or if plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns
Machine Cipher LanguageJefferson Cylinder • developed in 1790s, • comprised of 36 disks • each with a random alphabet • order of disks was the key • message was set in one row • another row became cipher
Caesar Cipher (1) • earliest known substitution cipher • by Julius Caesar • first attested use in military affairs • replaces each letter by 3rd letter on • example: meet me after the toga party PHHW PH DIWHU WKH WRJD SDUWB
Caesar Cipher (2) • can define transformation as: a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y Z A B C • mathematically give each letter a number a b c d e f g h i j k l m 0 1 2 3 4 5 6 7 8 9 10 11 12 n o p q r s t u v w x y Z 13 14 15 16 17 18 19 20 21 22 23 24 25 • then have Caesar cipher as: C = E(p) = (p + k) mod (26) – encryption algorithm E p = D(C) = (C – k) mod (26) – decryption algorithm D
Cryptanalysis of Caesar Cipher • only have 25 possible cipher keys • A maps to A,B,..Z • could simply try each in turn • The task is made easier since the language of plaintext is also known. • a brute force search • given ciphertext, just try all shifts of letters • do need to recognize when the plaintext is obtained
eg. break ciphertext "GCUA VQ DTGCM" Example Cryptanalysis