Computer Networks (CSE-4711), Lecture Segment 8: Network Security. Instructor: Sazid Zaman Khan, Lecturer, Department of Computer Science and Engineering, IIUC.
Cryptography • When Julius Caesar sent messages to his generals, he didn't trust his messengers. So he replaced every A in his messages with a D, every B with an E, and so on through the alphabet. Only someone who knew the "shift by 3" rule could decipher his messages. • And so we begin.
Encryption and Decryption • Data that can be read and understood without any special measures is called plaintext or cleartext. The method of disguising plaintext in such a way as to hide its substance is called encryption. Encrypting plaintext results in unreadable gibberish called ciphertext. You use encryption to ensure that information is hidden from anyone for whom it is not intended, even those who can see the encrypted data. The process of reverting ciphertext to its original plaintext is called decryption.
Cryptography • Cryptography is the science of using mathematics to encrypt and decrypt data. Cryptography enables you to store sensitive information or transmit it across insecure networks (like the Internet) so that it cannot be read by anyone except the intended recipient. • While cryptography is the science of securing data, cryptanalysis is the science of analyzing and breaking secure communication. Classical cryptanalysis involves an interesting combination of analytical reasoning, application of mathematical tools, pattern finding, patience, determination, and luck. Cryptanalysts are also called attackers. • Cryptology embraces both cryptography and cryptanalysis.
Strong Cryptography • There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files (weak cryptography), and cryptography that will stop major governments from reading your files (an example of strong cryptography).
How Cryptography works • A cryptographic algorithm, or cipher, is a mathematical function used in the encryption and decryption process. A cryptographic algorithm works in combination with a key — a word, number, or phrase — to encrypt the plaintext. The same plaintext encrypts to different ciphertext with different keys. The security of encrypted data is entirely dependent on two things: the strength of the cryptographic algorithm and the secrecy of the key. • A cryptographic algorithm, plus all possible keys and all the protocols that make it work comprise a cryptosystem.
Substitution Cipher / Caesar’s Cipher • An extremely simple example of conventional cryptography is a substitution cipher. A substitution cipher substitutes one piece of information for another. This is most frequently done by offsetting letters of the alphabet. Two examples are Captain Midnight's Secret Decoder Ring, which you may have owned when you were a kid, and Julius Caesar's cipher. In both cases, the algorithm is to offset the alphabet and the key is the number of characters to offset it. • For example, if we encode the word "SECRET" using Caesar's key value of 3, we offset the alphabet so that the 3rd letter down (D) begins the alphabet. • So starting with ABCDEFGHIJKLMNOPQRSTUVWXYZ and sliding everything up by 3, you get DEFGHIJKLMNOPQRSTUVWXYZABC, where D=A, E=B, F=C, and so on.
Substitution Cipher / Caesar’s Cipher • Using this scheme, the plaintext, "SECRET" encrypts as "VHFUHW." To allow someone else to read the ciphertext, you tell them that the key is 3. • Obviously, this is exceedingly weak cryptography by today's standards, but it worked for Caesar, and it illustrates how conventional cryptography works.
Transposition Cipher • A columnar transposition, also known as a row-column transpose, is a very simple cipher to perform by hand. First, you write your message in columns. Then, you just rearrange the columns. For example, I have the message, "Which wristwatches are swiss wristwatches." You convert everything to upper case and write it without spaces. When you write it down, make sure to put it into columns and number them. Let's use five columns.
Transposition Cipher • Now, you just read the columns down in the order that you number them. Above, you will see the key is 4 2 5 3 1, which means you write down the last column first, then the second, then the fourth, the first, and finally the middle. When you are all done, you will get "HTHESTHHRASWRASCSCRSSCWWWESWWEIITAIIT".
Transposition Ciphers • Figure: A transposition cipher. Here the word MEGABUCK is the key; its letters are numbered in alphabetical order: A is first (1), B is second (2).
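The columnar transposition from the two slides above, together with the keyword numbering from the MEGABUCK caption, as an added Python example (not part of the original lecture). The function names are illustrative; the message and the key 4 2 5 3 1 are the ones on the slide, and decryption handles the incomplete last row.

```python
def keyword_to_order(keyword):
    """Number the columns by alphabetical rank of the key's letters."""
    ranked = sorted(range(len(keyword)), key=lambda i: (keyword[i], i))
    order = [0] * len(keyword)
    for rank, col in enumerate(ranked, start=1):
        order[col] = rank
    return order

def normalise(message):
    """Upper-case the message and drop spaces and punctuation."""
    return "".join(ch for ch in message.upper() if ch.isalpha())

def read_sequence(order):
    """Column indices in the order they are read out (number 1 first)."""
    return sorted(range(len(order)), key=lambda c: order[c])

def encrypt(message, order):
    text = normalise(message)
    ncols = len(order)
    columns = [text[c::ncols] for c in range(ncols)]  # column c, top to bottom
    return "".join(columns[c] for c in read_sequence(order))

def decrypt(ciphertext, order):
    ncols = len(order)
    full_rows, extra = divmod(len(ciphertext), ncols)
    columns, pos = [""] * ncols, 0
    for c in read_sequence(order):
        # The first `extra` columns hold one more letter (ragged last row).
        length = full_rows + (1 if c < extra else 0)
        columns[c] = ciphertext[pos:pos + length]
        pos += length
    rows = full_rows + (1 if extra else 0)
    return "".join(columns[c][r] for r in range(rows)
                   for c in range(ncols) if r < len(columns[c]))

if __name__ == "__main__":
    key = [4, 2, 5, 3, 1]
    ct = encrypt("Which wristwatches are swiss wristwatches.", key)
    print(ct)
    print(decrypt(ct, key))
    print(keyword_to_order("MEGABUCK"))
```

The letters themselves are unchanged, only their positions, so letter frequencies in the ciphertext match ordinary English.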
One time Pads • There is only one unbreakable cipher, which provides perfect secrecy as defined above. This is the One-time pad. • This method is immune to all present and future attacks no matter how much computational power the intruder has.
One time pad • In a One-time pad, the key size is equal to the size of the data to be encrypted. A key is used only once to encrypt data. This one-time key is random. When Alice wants to send an encrypted message (a sentence in English) to Bob, Alice generates a random sequence of bits, equal in length to the message and XOR’s this key and the message. To decrypt, Bob then XOR’s the cipher text with this One-time random key and the plain text is retrieved.
One time pad (you get it after converting your English message to bits)
Why is the one-time pad unbreakable? • If Eve gets hold of the cipher text in transit, she may decide to get the plain text by brute forcing. If the message is n bits long, Eve can try all n-bit sequences as the key, one by one. But this will create every sentence in English of that length (and Eve does not know which one is the message). In other words, given any sentence in English (constructed from n bits), there will be a key that will transform the given cipher text to that sentence. Hence even knowing the cipher text, Eve still has to guess the plaintext; the cipher text provides absolutely no additional information.
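An added example (not from the original slides) of the XOR pad and of the argument above: for any candidate plaintext of the right length there is a key that turns the ciphertext into it. The sample messages are constructed; the last function shows what leaks if a pad is used twice, which is why the key is used only once.

```python
import secrets

def xor(a, b):
    """Byte-wise XOR; the pad must be exactly as long as the data."""
    if len(a) != len(b):
        raise ValueError("pad and data must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(message):
    """Alice: draw a fresh random key as long as the message, then XOR."""
    key = secrets.token_bytes(len(message))
    return key, xor(message, key)

def otp_decrypt(ciphertext, key):
    """Bob: XOR the ciphertext with the same one-time key."""
    return xor(ciphertext, key)

def key_explaining(ciphertext, candidate):
    """The key under which `ciphertext` would decrypt to `candidate`.

    Such a key exists for every candidate of the same length, so the
    ciphertext alone cannot tell Eve which candidate is the real message.
    """
    return xor(ciphertext, candidate)

def reuse_leak(c1, c2):
    """If one pad encrypted both messages, the key cancels out:
    c1 XOR c2 == p1 XOR p2, which no longer depends on the key."""
    return xor(c1, c2)

if __name__ == "__main__":
    real = b"MEET AT NOON"    # constructed sample message
    other = b"MEET AT NINE"   # constructed, same length
    key, ct = otp_encrypt(real)
    print(otp_decrypt(ct, key))
    fake_key = key_explaining(ct, other)
    print(otp_decrypt(ct, fake_key))      # an equally valid "decryption"
    ct2 = xor(other, key)                 # the mistake: pad used twice
    print(reuse_leak(ct, ct2) == xor(real, other))
```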
Use of one time pads • The One-time pad is rarely used because it requires the key to be transferred securely before the cipher text is transmitted, and since the key length is equal to the message length, key distribution becomes a problem.
Public key cryptography • Rather than using the same key to both encrypt and decrypt the data, the RSA system uses a matched pair of encryption and decryption keys. Each key performs a one-way transformation upon the data. Each key is the inverse function of the other; what one does, only the other can undo. • The RSA Public Key is made publicly available by its owner, while the RSA Private Key is kept secret. To send a private message, an author scrambles the message with the intended recipient's Public Key. Once so encrypted, the message can only be decoded with the recipient's Private Key. • Inversely, the user can also scramble data using their Private Key; in other words, RSA keys work in either direction. This provides the basis for the "digital signature," for if the user can unscramble a message with someone's Public Key, the other user must have used their Private Key to scramble it in the first place. Since only the owner can utilize their own private key, the scrambled message becomes a kind of electronic signature -- a document that nobody else can produce.
Public-key Algorithms • RSA algorithm • Named after its authors: Rivest, Shamir, Adleman
Relatively prime numbers • Two integers a and b are said to be relatively prime, mutually prime, or coprime (also spelled co-prime) if the only positive integer that evenly divides both of them is 1 - they have no common positive factors other than 1.
RSA Method Summary • P (big P) is your plaintext message. • Choose two large primes, p (small p) and q. • Compute $n = p \times q$ and $z = (p - 1) \times (q - 1)$. • Choose a number relatively prime to z and call it d. • Find e such that $e \times d \equiv 1 \pmod{z}$ (after taking mod z, the result is 1). • To encrypt your message P, compute the ciphertext $C = P^e \pmod{n}$. • To decrypt C and get back the message P, compute $P = C^d \pmod{n}$.
RSA example according to the algorithm (details in Tanenbaum’s book; they chose p = 3, q = 11, but for better security choose larger prime numbers) • Figure: An example of the RSA algorithm
Digital signatures • The user can also scramble data using their Private Key; in other words, RSA keys work in either direction. This provides the basis for the "digital signature," for if the user can unscramble a message with someone's Public Key, the other user must have used their Private Key to scramble it in the first place. Since only the owner can utilize their own private key, the scrambled message becomes a kind of electronic signature -- a document that nobody else can produce.
How digital certificates and SSL ensure trust and security on internet • When you installed your operating system or browser, a list of trusted CAs probably came with it. This list can be modified at will; you can remove whom you don't trust, add others, or even make your own CA (though you will be the only one trusting this CA, so it's not much use for public websites). In this CA list, the CA's public key is also stored.
How digital certificates and SSL ensure trust on internet • SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client—for example, a web server (website) and a browser. SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent in plain text—leaving one vulnerable to eavesdropping.
See example of How digital certificates and SSL ensure trust on internet • Sheet_secure_transact_best
Pre-installed CAs Public Key: (RSA 1024-bit)
Some Key Management concepts (public), up to slide 40 • public-key encryption helps address key distribution problems • there are two aspects of this: • distribution of public keys • use of public-key encryption to distribute secret keys
Certification Authorities • Certification authority (CA): binds public key to particular entity, E. • E (person, router) registers its public key with CA. • E provides “proof of identity” to CA. • CA creates certificate binding E to its public key. • certificate containing E’s public key digitally signed by CA – CA says “this is E’s public key” • [Figure labels: Bob’s public key $PK_B$; Bob’s identifying information; digital signature (encrypt); CA private key $RK_{CA}$; certificate for Bob’s public key, signed by CA]
Certification Authorities • When Alice wants Bob’s public key: • gets Bob’s certificate (Bob or elsewhere). • apply CA’s public key to Bob’s certificate, get Bob’s public key • [Figure labels: digital signature (decrypt); CA public key $PK_{CA}$; Bob’s public key $PK_B$]
A Certificate • e.g. User Name: login.yahoo.com • Certificate Version: V3 • Validity Period: Jan 28, 05 – Jan 29, 06 • Serial No: 4b5c94d17508e86594593d777e4d7dc4 • User’s Public Key: RSA (1024 bits) • Other attributes: e.g. signing algorithm: sha1RSA • CA’s name: Secure Server Certification Authority, RSA Data Security, Inc. • CA’s signature: 1024-bit data • $Cert_A = \langle ID_A, PK_A, \text{Validity Period}, \ldots, Sign_{CA}(ID_A, PK_A, \text{Validity Period}, \ldots) \rangle$
Public-Key Certificates • [Figure labels: Certificate Authority; Alice; Bob; $ID_{Bob}, PK_{Bob}$; $ID_{Alice}, PK_{Alice}$; $Cert_{Alice}$; $Cert_{Bob}$] • $Cert_{Alice} = \langle ID_{Alice}, SN, Expiry, PK_{Alice}, Sig_{CA}(ID_{Alice}, SN, Expiry, PK_{Alice}) \rangle$
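An added sketch (not from the original slides) of the certificate format above: the CA signs the identity, public key and validity period, and a relying party checks them with the CA's public key. The toy CA key (textbook RSA over two Mersenne primes, no padding), the field names and the sample identity are assumptions and are not secure for real use.

```python
import hashlib
from datetime import date

# Toy CA key pair (assumption for illustration only).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
CA_N = P * Q
CA_PUBLIC = (E, CA_N)                        # shipped in the trusted-CA list
CA_D = pow(E, -1, (P - 1) * (Q - 1))         # private key, stays at the CA

def digest(identity, public_key, not_before, not_after):
    """Hash of the signed fields, reduced to fit the toy modulus."""
    body = "|".join([identity, public_key,
                     not_before.isoformat(), not_after.isoformat()])
    h = hashlib.sha256(body.encode()).digest()
    return int.from_bytes(h, "big") % CA_N

def issue(identity, public_key, not_before, not_after):
    """CA side: bind identity to public key by signing both with CA_D."""
    sig = pow(digest(identity, public_key, not_before, not_after), CA_D, CA_N)
    return {"id": identity, "pk": public_key,
            "not_before": not_before, "not_after": not_after, "sig": sig}

def verify(cert, expected_id, today, ca_public=CA_PUBLIC):
    """Relying party: needs only the CA public key, never the private key."""
    e, n = ca_public
    if cert["id"] != expected_id:
        return "identity mismatch"
    if not cert["not_before"] <= today <= cert["not_after"]:
        return "outside validity period"
    signed = digest(cert["id"], cert["pk"],
                    cert["not_before"], cert["not_after"])
    if pow(cert["sig"], e, n) != signed:
        return "bad CA signature"
    return "ok"

if __name__ == "__main__":
    # Constructed sample certificate; the key string is a placeholder.
    cert = issue("bob.example", "BOB-PUBLIC-KEY-PLACEHOLDER",
                 date(2005, 1, 28), date(2006, 1, 29))
    print(verify(cert, "bob.example", date(2005, 6, 1)))
    swapped = dict(cert, pk="SOMEONE-ELSE-KEY-PLACEHOLDER")
    print(verify(swapped, "bob.example", date(2005, 6, 1)))
    print(verify(cert, "bob.example", date(2007, 1, 1)))
```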
Distribution of Secret Keys using Public Key • public-key cryptography can be used for secrecy or authentication • but public-key algorithms are slow • We want to use a symmetric key encryption algorithm to encrypt bulk messages • Because symmetric key encryption algorithms are hundreds of times faster than public key encryption algorithms • So two communicating parties usually • negotiate a symmetric key (called session key) with the help of public key algorithms • Then use the session key to encrypt messages • For each new session (e.g. logging in to your online banking service again after closing the web browser), a new session key will be established
Public-Key Distribution of Secret Keys • [Figure labels: Alice; Bob; $Cert_{Alice}$; $Cert_{Bob}$; session key negotiation …; Public key encrypted; Message flows …; Session key encrypted]
Authentication protocols • Authentication is a fundamental aspect of system security. It confirms the identity of any user trying to log on to a domain or access network resources. Authentication protocols define how different authentication methods work.
Public Key infrastructure (PKI) • A public key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates.
Public Key infrastructure (PKI) • A PKI consists of: • A Certificate Authority (CA) that both issues and verifies the digital certificates • A registration authority which verifies the identity of users requesting information from the CA • A central directory—i.e., a secure location in which to store and index keys • A certificate management system • A certificate policy
Goals of IPSec (IP security) • to verify sources of IP packets • authentication • to prevent replaying of old packets • to protect integrity and/or confidentiality of packets • data Integrity/Data Encryption
The IPSec Security Model (end to end is secure, in the middle, not) • [Figure labels: Secure; Insecure]
IPSec Architecture • ESP: Encapsulating Security Payload • AH: Authentication Header • IPSec Security Policy • IKE: The Internet Key Exchange
IPSec Architecture • IPSec provides security in three situations: • Host-to-host, host-to-gateway and gateway-to-gateway • IPSec operates in two modes: • Transport mode (for end-to-end) • Tunnel mode (for VPN)
IPsec Architecture • [Figure labels: Transport Mode; Router; Router; Tunnel Mode]
Various Packets • Original: IP header | TCP header | data • Transport mode: IP header | IPSec header | TCP header | data • Tunnel mode: IP header | IPSec header | IP header | TCP header | data
IPSec • It is a collection of protocols • Authentication Header (AH) • RFC 2402 • Encapsulating Security Payload (ESP) • RFC 2406 • Internet Key Exchange (IKE) • RFC 2409 • IP Payload Compression (IPcomp) • RFC 3137