750 likes | 923 Views
חישוב ציון תרגילי בית:. מי שלא יגיש את הפרויקט בזמן ( PA3 ): ממוצע של כל 7 תרגילי הבית מי שיגיש את הפרויקט בזמן ( PA3 ): ממוצע של 6 תרגילי בית: הפרויקט ( PA3 ) חמשת הטובים (מתוך ששת) התרגילים האחרים משקל כל תרגיל (מתוך השישה) יהיה זהה ( 1/6 ) הערה: חייבים להקפיד על הגשה בזמן!.
E N D
חישוב ציון תרגילי בית: מי שלא יגיש את הפרויקט בזמן (PA3): ממוצע של כל 7 תרגילי הבית מי שיגיש את הפרויקט בזמן (PA3): ממוצע של 6 תרגילי בית: הפרויקט (PA3) חמשת הטובים (מתוך ששת) התרגילים האחרים משקל כל תרגיל (מתוך השישה) יהיה זהה (1/6) הערה: חייבים להקפיד על הגשה בזמן!
Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice: application layer: secure e-mail transport layer: Internet commerce, SSL, SET network layer: IP security Firewalls Chapter 7: Network security Lecture 13: Network Security
What is network security? Confidentiality: only sender, intended receiver should “understand” message contents • sender encrypts message • receiver decrypts message Authentication: sender, receiver want to confirm identity of each other Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection Access and Availability: services must be accessible and available to users Lecture 13: Network Security
src:B dest:A payload Internet security threats Packet sniffing: • broadcast media • promiscuous NIC reads all packets passing by • can read all unencrypted data (e.g. passwords) • e.g.: C sniffs B’s packets C A B Lecture 13: Network Security
src:B dest:A payload Internet security threats IP Spoofing: • can generate “raw” IP packets directly from application, putting any value into IP source address field • receiver can’t tell if source is spoofed • e.g.: C pretends to be B C A B Lecture 13: Network Security
SYN SYN SYN SYN SYN SYN SYN Internet security threats Denial of service (DOS): • flood of maliciously generated packets “swamp” receiver • Distributed DOS (DDOS): multiple coordinated sources swamp receiver • e.g., C and remote host SYN-attack A C A B Lecture 13: Network Security
Cryptography Principles Lecture 13: Network Security
Friends and enemies: Alice, Bob, Trudy • well-known in network security world • Bob, Alice (lovers!) want to communicate “securely” • Trudy (intruder) may intercept, delete, add messages Alice Bob data, control messages channel secure sender secure receiver data data Trudy Lecture 13: Network Security
Who might Bob, Alice be? • … well, real-life Bobs and Alices! • Web browser/server for electronic transactions (e.g., on-line purchases) • on-line banking client/server • DNS servers • routers exchanging routing table updates • other examples? Lecture 13: Network Security
K K A B The language of cryptography Alice’s encryption key Bob’s decryption key symmetric key crypto: sender, receiver keys identical public-key crypto: encryption key public, decryption key secret (private) encryption algorithm decryption algorithm ciphertext plaintext plaintext Lecture 13: Network Security
Symmetric Key Cryptography Lecture 13: Network Security
Symmetric key cryptography substitution cipher: substituting one thing for another • monoalphabetic cipher: substitute one letter for another plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewq E.g.: Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc • Q: How hard to break this simple cipher?: • brute force (how hard?) • other? Lecture 13: Network Security
Perfect cipher [Shannon 1948] • Definition: • Let C = E[M] • Pr[C=c] = Pr[C=c | M] • Example: one time pad • Generate random bits b1 ... bn • E[M1 ... Mn] = (M1 b1 ... Mn bn ) • Cons: size • Pseudo Random Generator • G(R) = b1 ... bn • Indistinguishable from random (efficiently) Lecture 13: Network Security
Symmetric key crypto: DES DES: Data Encryption Standard • US encryption standard [NIST 1993] • 56-bit symmetric key, 64 bit plaintext input • How secure is DES? • DES Challenge: 56-bit-key-encrypted phrase (“Strong cryptography makes the world a safer place”) decrypted (brute force) in 4 months • no known “backdoor” decryption approach • making DES more secure • use three keys sequentially (3-DES) on each datum • use cipher-block chaining Lecture 13: Network Security
DES operation Symmetric key crypto: DES initial permutation 16 identical “rounds” of function application, each using different 48 bits of key final permutation Lecture 13: Network Security
Block Cipher chaining • How do we encode a large message • Would like to guarantee integrity • Encoding: • Ci = E[Mi Ci-1] • Decoding: • Mi = D[Ci] Ci-1 • Malfunctions: • Loss • Reorder/ integrity Lecture 13: Network Security
Cipher Block Chaining Mode Cipher block chaining. (a) Encryption. (b) Decryption. 7: Network Security 17
Diffie-Hellman key exchange protocol • Goal: Allow strangers establish a shared secret key for later communication • Assume two parties (Alice and Bob) want to establish a secret key. • Alice and Bob agree on two large numbers, n and g • usually, these are publicly known, and have some additional conditions applied (e.g., n must be prime) Lecture 13: Network Security
Diffie-Hellman Key Exchange • Alice picks large x, Bob picks large y (e.g., 512 bits) Lecture 13: Network Security
Man in the middle attack • Eavesdropper can’t determine secret key (gxy mod n) from (gx mod n) or (gy mod n) • However, how does Alice and Bob know if there is a third party adversary in between? Lecture 13: Network Security
Exponentiation • Compute gx mod n Expg,n (x) • Assume x = 2y + b • Let z = Expg,n (y) • R=z2 • If (b=1) R = g R mod n • Return R • Complexity: logarithmic in x Lecture 13: Network Security
Public Key Cryptography Lecture 13: Network Security
Public Key Cryptography symmetric key crypto • requires sender, receiver know shared secret key • Q: how to agree on key in first place (particularly if never “met”)? public key cryptography • radically different approach [Diffie-Hellman76, RSA78] • sender, receiver do not share secret key • encryption key public (known to all) • decryption key private (known only to receiver) Lecture 13: Network Security
+ K (m) B - + m = K (K (m)) B B Public key cryptography + Bob’s public key K B - Bob’s private key K B encryption algorithm decryption algorithm plaintext message plaintext message, m ciphertext Lecture 13: Network Security
d (e (m)) = m B B 1 2 need public and private keys for d ( ) and e ( ) . . B B Public key encryption algorithms Two inter-related requirements: need d ( ) and e ( ) such that . . B B RSA: Rivest, Shamir, Adelson algorithm Lecture 13: Network Security
+ - K K B B RSA: Choosing keys 1. Choose two large prime numbers p, q. (e.g., 1024 bits each) 2. Compute n = pq, z = (p-1)(q-1) 3. Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”). 4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ). 5.Public key is (n,e).Private key is (n,d). Lecture 13: Network Security
1. To encrypt bit pattern, m, compute d e c = m mod n m = c mod n e (i.e., remainder when m is divided by n) Magic happens! d e m = (m mod n) mod n RSA: Encryption, decryption 0. Given (n,e) and (n,d) as computed above 2. To decrypt received bit pattern, c, compute d (i.e., remainder when c is divided by n) Lecture 13: Network Security
d e m = c mod n c = m mod n d c RSA example: Bob chooses p=5, q=7. Then n=35, z=24. e=5 (so e, z relatively prime). d=29 (so ed-1 exactly divisible by z). e m m letter encrypt: l 17 1524832 12 c letter decrypt: 17 12 l 481968572106750915091411825223072000 Lecture 13: Network Security
d e m = (m mod n) mod n RSA: Why • Number theory result: • IF pq = n, p and q primes then: • x y mod n = x (y mod (p-1)(q-1) ) mod n • (m e)d mod n = m (ed mod (p-1)(q-1)) mod n • But ed – 1 divisible by (p-1)(q-1) i.e., ed mod (p-1)(q-1) = 1 • = m 1 mod n = m Lecture 13: Network Security
modified Diffie-Hellman Key Exchange • Encrypt 1 with Bob’s public key, 2 with Alice’s public key • Prevents man-in-the-middle attack • Actually, nonces and a third message are needed to fully complete this exchange (in a few slides) Lecture 13: Network Security
Authentication Lecture 13: Network Security
Authentication Goal: Bob wants Alice to “prove” her identity to him Protocol ap1.0:Alice says “I am Alice” “I am Alice” Failure scenario?? Lecture 13: Network Security
Authentication Goal: Bob wants Alice to “prove” her identity to him Protocol ap1.0:Alice says “I am Alice” in a network, Bob can not “see” Alice, so Trudy simply declares herself to be Alice “I am Alice” Lecture 13: Network Security
Alice’s IP address “I am Alice” Authentication: another try Protocol ap2.0:Alice says “I am Alice” in an IP packet containing her source IP address Failure scenario?? Lecture 13: Network Security
Alice’s IP address “I am Alice” Authentication: another try Protocol ap2.0:Alice says “I am Alice” in an IP packet containing her source IP address Trudy can create a packet “spoofing” Alice’s address Lecture 13: Network Security
Alice’s password Alice’s IP addr “I’m Alice” Alice’s IP addr OK Authentication: another try Protocol ap3.0:Alice says “I am Alice” and sends her secret password to “prove” it. Failure scenario?? Lecture 13: Network Security
Alice’s password Alice’s IP addr “I’m Alice” Alice’s IP addr OK Authentication: another try Protocol ap3.0:Alice says “I am Alice” and sends her secret password to “prove” it. Alice’s password Alice’s IP addr “I’m Alice” playback attack: Trudy records Alice’s packet and later plays it back to Bob Lecture 13: Network Security
encrypted password Alice’s IP addr “I’m Alice” Alice’s IP addr OK Authentication: yet another try Protocol ap3.1:Alice says “I am Alice” and sends her encryptedsecret password to “prove” it. Failure scenario?? Lecture 13: Network Security
encrypted password Alice’s IP addr “I’m Alice” Alice’s IP addr OK Authentication: another try Protocol ap3.1:Alice says “I am Alice” and sends her encrypted secret password to “prove” it. encrypted password Alice’s IP addr “I’m Alice” record and playback still works! Lecture 13: Network Security
K (R) A-B Authentication: yet another try Goal:avoid playback attack Nonce:number (R) used only once –in-a-lifetime ap4.0:to prove Alice “live”, Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key “I am Alice” R Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice! Failures, drawbacks? Lecture 13: Network Security
- K (R) A + + K K A A - - + (K (R)) = R K (K (R)) = R A A A Authentication: ap5.0 ap4.0 requires shared symmetric key • can we authenticate using public key techniques? ap5.0: use nonce, public key cryptography “I am Alice” Bob computes R and knows only Alice could have the private key, that encrypted R such that “send me your public key” Lecture 13: Network Security
- - K (R) K (R) A T + + K K A T - - + + m = K (K (m)) m = K (K (m)) + + A T A T K (m) K (m) A T ap5.0: security hole Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice) I am Alice I am Alice R R Send me your public key Send me your public key Trudy gets sends m to Alice encrypted with Alice’s public key Lecture 13: Network Security
ap5.0: security hole Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice) • Difficult to detect: • Bob receives everything that Alice sends, and vice versa. (e.g., so Bob, Alice can meet one week later and recall conversation) • problem is that Trudy receives all messages as well! Lecture 13: Network Security
Message Integrity (Signatures etc) Lecture 13: Network Security
Cryptographic technique analogous to hand-written signatures. Sender (Bob) digitally signs document, establishing he is document owner/creator. Verifiable, nonforgeable: recipient (Alice) can verify that Bob, and no one else, signed document. Assumption: eB(dB(m)) = dB(eB(m)) RSA Simple digital signature for message m: Bob decrypts m with his private key dB, creating signed message, dB(m). Bob sends m and dB(m) to Alice. Digital Signatures Lecture 13: Network Security
Suppose Alice receives msg m, and digital signature dB(m) Alice verifies m signed by Bob by applying Bob’s public key eB to dB(m) then checks eB(dB(m) ) = m. If eB(dB(m) ) = m, whoever signed m must have used Bob’s private key. Alice thus verifies that: Bob signed m. No one else signed m. Bob signed m and not m’. Non-repudiation: Alice can take m, and signature dB(m) to court and prove that Bob signed m. Digital Signatures (more) Lecture 13: Network Security
Computationally expensive to public-key-encrypt long messages Goal: fixed-length,easy to compute digital signature, “fingerprint” apply hash function H to m, get fixed size message digest, H(m). Hash function properties: Many-to-1 Produces fixed-size msg digest (fingerprint) Given message digest x, computationally infeasible to find m such that x = H(m) computationally infeasible to find any two messages m and m’ such that H(m) = H(m’). Message Digests Lecture 13: Network Security
Internet checksum would make a poor message digest. Too easy to find two messages with same checksum. MD5 hash function widely used. Computes 128-bit message digest in 4-step process. arbitrary 128-bit string x, appears difficult to construct msg m whose MD5 hash is equal to x. SHA-1 is also used. US standard 160-bit message digest Hash Function Algorithms Lecture 13: Network Security
Digital signature = signed message digest H: Hash function H: Hash function large message m large message m + - digital signature (decrypt) digital signature (encrypt) K K B B encrypted msg digest encrypted msg digest + - - KB(H(m)) KB(H(m)) H(m) H(m) Bob sends digitally signed message: Alice verifies signature and integrity of digitally signed message: H(m) Bob’s private key Bob’s public key equal ? Lecture 13: Network Security
Key Distribution Centers Lecture 13: Network Security