Network Security

Network Security
Ms(computer Network & communication)
Lecture # 1 (introduction) Computer Security:

The generic name for the collection of tools designed to protect data and to thwart hacker is called computer security
Network security: The process of protecting data during transmission over the network from the unauthorized
user access is called network security
Internet security: measures to protect data during their transmission over a collection of interconnected
networks
Security Trends
Aspects of Security: There are three main Aspects of security

1) Security attack 2) Security services 3) Security mechanism Threat: Indication of an approaching or imminent menace. (2) Negative event that can cause a risk to become a loss, expressed as an aggregate of risk, consequences of risk, and the likelihood of the occurrence of the event. A threat may be a natural phenomenon such as an earthquake, flood, storm, or a man made incident such as fire, power failure, sabotage, etc. Security Attack: Any action that can compromise the security of information owned by an organization is called security attack security attack over a network can be categorized into two groups Passive attack Active attack Passive attack: Passive attacks are in the nature of eavesdropping on, OR monitoring of transmission its goal is to obtain access only to information that is being transmitted over the network
Usman institute of Technology
written by : Javaid ahmad cell # : 03428268556
Network Security
Active attack: Active attack is that type of attack that involve some type of modification of the data stream and the creation of false stream
Passive attack
Active attack
Security Services: A processing or communication service that enhances the security of data processing system and the information transfers of an organization X.800 defined a service as a service provided by a protocol layer of communicating open system which ensures adequate security of the system for of data transfer RFC 2828 provides the following definition a processing or communication service that is provided by a system to give a specific kind of protection to system resources X.800 security service is (Authentication, Data integrity, Data confidentiality, Non repudiation, Availability, and Access control) Security services of X.800 Data confidentiality: It ensures that the information in the computer is only be accessible for reading only by the authorized parties i.e. printing displaying E.t.c Data Integrity: It ensures that the information of Asset in a computer can only be modified by the authorized parties i.e. (writing, changing, deleting, insertion) Authentication: it ensures that parties in a information services can ascertain the identity of parties trying to access information services Availability: Availability requires that computer system assets are available to authorized parties Availability is a requirement intended to assure that systems work promptly and service is not denied to authorize users. Access Control: It ensures that which user is authorized for the accessing of which machine data i.e. the users are in kept in bound that he can use only that service for which he is authorized Non repudiation: it ensures that A task done by a user can deny it later
Network Security
Security mechanism: A process or a device that is designed to detect prevent or recover from a security attack no single mechanism can support all service required but one can support many services
Model for network security:
Lecture # 2 security attributes & basics of cryptography Key Security Attributes: The key security attributes are the following
Confidentiality Integrity Authentication Availability Non Repudiation Access control Note: it is defined in the Lecture 1 in detail
Key concepts in cryptography: The following are the key concepts in cryptography
Cryptosystem Encryption and Decryption Cryptography Crypt analysis Cryptology Cryptosystem: Cryptosystem is the process of converting the message into UN understandable form i.e. only the authorized people can see it through some secret key the original message is called plaintext while the UN understandable form is called ciphertext and it is done through encryption the people who are allowed to see the text is called receiver and can monitor it through decryption and those people who are not allowed to see the message is called attacker Encryption: The Process of converting plaintext into cipher text is called Encryption plaintext is the text before the encryption while the cipher text is the text is the text after encryption Decryption: The process of converting the Cipher text into plaintext is called Decryption Cryptography: Many schemes used for encryption Constitute the area of study is known as Cryptography OR The applying of encryption and decryption on a data is known as cryptography and such a system is called cryptographic system Cryptography is the art of creating and using cryptosystems.
Network Security
Cryptography is the art or science of keeping messages secret Cryptography deals with Security Standards Methods, Principals for Security Cryptography deals with all aspects of secure messaging, authentication, electronic money, and other applications. Cryptanalysis: The technique used for deciphering a message without any knowledge of enciphering details is called cryptanalysis OR the art of breaking cryptosystem through disguise cryptanalysis attack are brute force known text , Cryptology: The area of cryptography and cryptanalysis together are called cryptology and is the branch of mathematics that studies the mathematical foundations of cryptographic methods Cryptology = Cryptography + cryptanalysis LECTURE # 3 Symmetric key Block Cipher and DES:
Simple Cryptography diagram:
Cryptography Requirements: The following are the requirements for the cryptography Sender Plaintext Encryption algorithm Cipher text Decryption algorithm Receiver Categories of cryptography: The following are the categories of the cryptography 1) Symmetric Cryptography 2) A-symmetric Cryptography Symmetric Cryptography: decryption it is that type of cryptography which used the shared secret key for encryption and
In it the problem is that in it the key must be securely distribute among sender and receiver if the number of user is more then it is difficult to use it because it is used for a limited number of user formula to find a unique secret key . n(n-1)/2 Requirements of Symmetric Cryptography: The requirements of symmetric cryptography is the following 1. 2. Strong encryption algorithm A secret key known Private key
Network Security
The key must be secure and known only to sender and receiver and the key must be distribute through a secure channel A-Symmetric key Cryptography: it is that type of cryptography which used pair of keys for encryption and decryption the pair keys are the private and public key the sender encrypt the plaintext using the public key of the receiver and send the data and then the receiver decrypt the cipher text using his/her own private key
Key used in Cryptography: the symmetric key cryptography used only private key while the A-symmetric key cryptography used the paired key private and public key the public key is shared and known to everyone while the private key is only known to Receiver the public key is distributed normally through certificates Traditional Cipher: The hierarchy of traditional cipher is the following
Substitution cipher: A Substitution cipher replaces one symbol with another Monoalphabatic Cryptography: In Monoalphabatic cryptography a letter is Replaced by the same letter if it is repeated again and again Example: plaintext = HELLO , Cipher text = KHOOR It is Monoalphabetic because both occurs of L,s are encrypted on O,s Polyalphabatic cryptography: In polyalphabatic cryptography a letter is replaced by the different letter if it is repeated again and again Example : Plaintext = HELLO, Ciphertext = ABNZF It is polyalphabatic because in it a word L is replaced by different letter N,Z is shown in the example Shiftcipher: it is just like ceaser cipher but it use the shift cipher with the key the key will be any selected value it it each letter is shifted the time according to the key
Network Security
Plaintext = HELL0, ciphertext = KHOOT Here the key used is letter + 3
Transposition Ciphers: as from the name it is indicated that it is nothing but the transposition of the letter i.e. it is the reorder of symbols in a block of symbols i.e take the following example
Plaintext : HELLO MY DEAR Simply remove the spces Devide the plaintext into a block and the number of bits in each block depend on the key i.e. here we have 4 bits in the block Add the padding bits if bits are less in the last block
Ciphertext: the blocks are HELL OMYD EARZ the key concept for the encryption is that replaced 1 by 2 2 by 3 3 by 1 4 by 2 So the cipher text becomes as Ciphertext = ELHL MDOY AZER It is nothing but only the transposition P-Box: P-Box stand for permutation box it is used for the purpose of transposition of bits in cryptography it is implement of both on hardware and software the encryption algoritham are normally embedded in the hardware the p-boxes are the following
Network Security
S-Box: S-Box stand for substitution boxes it is used for the pupose of substition during the cryptography its
components are the Encoder , Decorder, P-BOX
Data Encryption Standard (DES):

Most widely used encryption scheme Adopted as Federal Information Processing Standard (FIPS) for the United States in 1976 64-bit data block 56-bit key Based on Feistel Network The decryption follows the same process as the encryption. Now considered insecure for many applications To be replaced by AES
DES is the archetypal block cipher an algorithm that takes a fixed-length string of plaintext bits and transforms it through a series of complicated operations into another ciphertext bitstring of the same length. In the case of DES, the block size is 64 bits. DES also uses a key to customize the transformation, so that decryption can supposedly only be performed by those who know the particular key used to encrypt. The key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. Eight bits are used solely for checking parity, and are thereafter discarded. Hence the effective key length is 56 bits, and it is never quoted as such. Every 8th bit of the selected key is discarded, i.e. positions 8, 16, 24, 32, 40, 48, 56, 64 are removed from the 64 bit key leaving behind only the 56 bit key.
Network Security
Example: Let M be the plain text message M = 0123456789ABCDEF, where M is in hexadecimal (base 16) format. Rewriting M in binary format, we get the 64-bit block of text: M = 0000 0001 0010 0011 0100 L = 0000 0001 R = 1000 1001 1010 1011 1100 1101 1110 1111 0101 0110 0010 0111 1000 0011 1001 1010 0100 1011 1100 0101 1101 0110 1110 1111 0111
The first bit of M is "0". The last bit is "1". We read from left to right. DES operates on the 64-bit blocks using key sizes of 56- bits. The keys are actually stored as being 64 bits long, but every 8th bit in the key is not used (i.e. bits numbered 8, 16, 24, 32, 40, 48, 56, and 64). However, we will nevertheless number the bits from 1 to 64, going left to right, in the following calculations. But, as you will see, the eight bits just mentioned get eliminated when we create subkeys. Example: Let K be the hexadecimal key K = 133457799BBCDFF1. This gives us as the binary key (setting 1 = 0001, 3 = 0011, etc., and grouping together every eight bits, of which the last one in each group will be unused): K = 00010011 00110100 01010111 01111001 10011011 10111100 11011111 11110001 The DES algorithm uses the following steps: Step 1: Create 16 subkeys, each of which is 48-bits long. The 64-bit key is permuted according to the following table, PC-1. Since the first entry in the table is "57", this means that the 57th bit of the original key K becomes the first bit of the permuted key K+. The 49th bit of the original key becomes the second bit of the permuted key. The 4th bit of the original key is the last bit of the permuted key. Note only 56 bits of the original key appear in the permuted key. PC-1
57 49 41 33 25 17 9 1 58 50 42 34 26 18 10 2 59 51 43 35 27 19 11 3 60 52 44 36
63 55 47 39 31 23 15 7 62 54 46 38 30 22 14 6 61 53 45 37 29 21 13 5 28 20 12 4
Example: From the original 64-bit key K = 00010011 00110100 01010111 01111001 10011011 10111100 11011111 11110001 we get the 56-bit permutation K+ = 1111000 0110011 0010101 0101111 0101010 1011001 1001111 0001111 Next, split this key into left and right halves, C0 and D0, where each half has 28 bits.
Network Security
Example: From the permuted key K+, we get C0 = D0 = 0101010 1011001 1001111 0001111 1111000
0110011
0010101
0101111
With C0 and D0 defined, we now create sixteen blocks Cn and Dn, 1<=n<=16. Each pair of blocks Cn and Dn is formed from the previous pair Cn-1 and Dn-1, respectively, for n = 1, 2, ..., 16, using the following schedule of "left shifts" of the previous block. To do a left shift, move each bit one place to the left, except for the first bit, which is cycled to the end of the block. Iteration Number Number of Left Shifts
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
This means, for example, C3 and D3 are obtained from C2 and D2, respectively, by two left shifts, and C16 and D16 are obtained from C15 and D15, respectively, by one left shift. In all cases, by a single left shift is meant a rotation of the bits one place to the left, so that after one left shift the bits in the 28 positions are the bits that were previously in positions 2, 3,..., 28, 1. Example: From original pair C0 and D0 we obtain: C0 = 1111000011001100101010101111 D0 = 0101010101100110011110001111 C1 = 1110000110011001010101011111 D1 = 1010101011001100111100011110
Network Security
C2 = 1100001100110010101010111111 D2 = 0101010110011001111000111101 C3 = 0000110011001010101011111111 D3 = 0101011001100111100011110101 C4 = 0011001100101010101111111100 D4 = 0101100110011110001111010101 C5 = 1100110010101010111111110000 D5 = 0110011001111000111101010101 C6 = 0011001010101011111111000011 D6 = 1001100111100011110101010101 C7 = 1100101010101111111100001100 D7 = 0110011110001111010101010110 C8 = 0010101010111111110000110011 D8 = 1001111000111101010101011001 C9 = 0101010101111111100001100110 D9 = 0011110001111010101010110011 C10 = 0101010111111110000110011001 D10 = 1111000111101010101011001100 C11 = 0101011111111000011001100101 D11 = 1100011110101010101100110011 C12 = 0101111111100001100110010101 D12 = 0001111010101010110011001111 C13 = 0111111110000110011001010101 D13 = 0111101010101011001100111100 C14 = 1111111000011001100101010101 D14 = 1110101010101100110011110001 C15 = 1111100001100110010101010111 D15 = 1010101010110011001111000111 C16 = 1111000011001100101010101111 D16 = 0101010101100110011110001111
We now form the keys Kn, for 1<=n<=16, by applying the following permutation table to each of the concatenated pairs CnDn. Each pair has 56 bits, but PC-2 only uses 48 of these. PC-2
14 17 11 24
1 5
10
Network Security
3 28 15 23 19 12 16 6 21 10 4 26 8
7 27 20 13 2
41 52 31 37 47 55 30 40 51 45 33 48 44 49 39 56 34 53 46 42 50 36 29 32 Therefore, the first bit of Kn is the 14th bit of CnDn, the second bit the 17th, and so on, ending with the 48th bit of Kn being the 32th bit of CnDn. Example: For the first key we have C1D1 = 1110000 1100110 0101010 1011111 1010101 0110011 0011110 0011110 which, after we apply the permutation PC-2, becomes K1 = 000110 110000 001011 101111 111111 000111 000001 110010 For the other keys we have K2 = 011110 011010 111011 011001 110110 111100 100111 100101 K3 = 010101 011111 110010 001010 010000 101100 111110 011001 K4 = 011100 101010 110111 010110 110110 110011 010100 011101 K5 = 011111 001110 110000 000111 111010 110101 001110 101000 K6 = 011000 111010 010100 111110 010100 000111 101100 101111 K7 = 111011 001000 010010 110111 111101 100001 100010 111100 K8 = 111101 111000 101000 111010 110000 010011 101111 111011 K9 = 111000 001101 101111 101011 111011 011110 011110 000001 K10 = 101100 011111 001101 000111 101110 100100 011001 001111 K11 = 001000 010101 111111 010011 110111 101101 001110 000110 K12 = 011101 010111 000111 110101 100101 000110 011111 101001 K13 = 100101 111100 010111 010001 111110 101011 101001 000001 K14 = 010111 110100 001110 110111 111100 101110 011100 111010 K15 = 101111 111001 000110 001101 001111 010011 111100 001010 K16 = 110010 110011 110110 001011 000011 100001 011111 110101 So much for the subkeys. Now we look at the message itself. Step 2: Encode each 64-bit block of data. There is an initial permutation IP of the 64 bits of the message data M. This rearranges the bits according to the following table, where the entries in the table show the new arrangement of the bits from their initial order. The 58th bit of M becomes the first bit of IP. The 50th bit of M becomes the second bit of IP. The 7th bit of M is the last bit of IP. IP
58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4
11
Network Security
62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8 57 49 41 33 25 17 9 1
59 51 43 35 27 19 11 3 61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7 Example: Applying the initial permutation to the block of text M, given previously, we get M = 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 IP = 1100 1100 0000 0000 1100 1100 1111 1111 1111 0000 1010 1010 1111 0000 1010 1010 1010 1011 1100 1101 1110 1111
Here the 58th bit of M is "1", which becomes the first bit of IP. The 50th bit of M is "1", which becomes the second bit of IP. The 7th bit of M is "0", which becomes the last bit of IP. Next divide the permuted block IP into a left half L0 of 32 bits, and a right half R0 of 32 bits. Example: From IP, we get L0 and R0 L0 = 1100 1100 R0 = 1111 0000 1010 1010 1111 0000 1010 1010 0000 0000 1100 1100 1111 1111
We now proceed through 16 iterations, for 1<=n<=16, using a function f which operates on two blocks--a data block of 32 bits and a key Kn of 48 bits--to produce a block of 32 bits. Let + denote XOR addition, (bit-by-bit addition modulo 2). Then for n going from 1 to 16 we calculate Ln Rn = Ln-1 + f(Rn-1,Kn) = Rn-1
This results in a final block, for n = 16, of L16R16. That is, in each iteration, we take the right 32 bits of the previous result and make them the left 32 bits of the current step. For the right 32 bits in the current step, we XOR the left 32 bits of the previous step with the calculation f . Example: For n = 1, we have K1 = L1 = R1 = L0 + f(R0,K1) 000110 R0 110000 1111 001011 0000 101111 1010 111111 1010 000111 1111 0000 000001 1010 110010 1010
It remains to explain how the function f works. To calculate f, we first expand each block Rn-1 from 32 bits to 48 bits. This is done by using a selection table that repeats some of the bits in Rn-1 . We'll call the use of this selection table the function E. Thus E(Rn-1) has a 32 bit input block, and a 48 bit output block. Let E be such that the 48 bits of its output, written as 8 blocks of 6 bits each, are obtained by selecting the bits in its inputs in order according to the following table: E BIT-SELECTION TABLE
32
1 2
4 5
12
Network Security
4 8 5 6 7 8 9
9 10 11 12 13
12 13 14 15 16 17 16 17 18 19 20 21 20 21 22 23 24 25 24 25 26 27 28 29 28 29 30 31 32 1 Thus the first three bits of E(Rn-1) are the bits in positions 32, 1 and 2 of Rn-1 while the last 2 bits of E(Rn-1) are the bits in positions 32 and 1. Example: We calculate E(R0) from R0 as follows: R0 = 1111 0000 1010 E(R0) = 011110 100001 010101 010101 011110 100001 010101 010101 1010 1111 0000 1010 1010
(Note that each block of 4 original bits has been expanded to a block of 6 output bits.) Next in the f calculation, we XOR the output E(Rn-1) with the key Kn: Kn + E(Rn-1). Example: For K1 , E(R0), we have K1 = 000110 110000 001011 101111 111111 000111 000001 110010 E(R0) = 011110 100001 010101 010101 011110 100001 010101 010101 K1+E(R0) = 011000 010001 011110 111010 100001 100110 010100 100111. We have not yet finished calculating the function f . To this point we have expanded Rn-1 from 32 bits to 48 bits, using the selection table, and XORed the result with the key Kn . We now have 48 bits, or eight groups of six bits. We now do something strange with each group of six bits: we use them as addresses in tables called "S boxes". Each group of six bits will give us an address in a different S box. Located at that address will be a 4 bit number. This 4 bit number will replace the original 6 bits. The net result is that the eight groups of 6 bits are transformed into eight groups of 4 bits (the 4-bit outputs from the S boxes) for 32 bits total. Write the previous result, which is 48 bits, in the form: Kn + E(Rn-1) =B1B2B3B4B5B6B7B8, where each Bi is a group of six bits. We now calculate S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8) where Si(Bi) referres to the output of the i-th S box. To repeat, each of the functions S1, S2,..., S8, takes a 6-bit block as input and yields a 4-bit block as output. The table to determine S1 is shown and explained below:
13
Network Security
S1
Column Number Row No. 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13 If S1 is the function defined in this table and B is a block of 6 bits, then S1(B) is determined as follows: The first and last bits of B represent in base 2 a number in the decimal range 0 to 3 (or binary 00 to 11). Let that number be i. The middle 4 bits of B represent in base 2 a number in the decimal range 0 to 15 (binary 0000 to 1111). Let that number be j. Look up in the table the number in the i-th row and j-th column. It is a number in the range 0 to 15 and is uniquely represented by a 4 bit block. That block is the output S1(B) of S1 for the input B. For example, for input block B = 011011 the first bit is "0" and the last bit "1" giving 01 as the row. This is row 1. The middle four bits are "1101". This is the binary equivalent of decimal 13, so the column is column number 13. In row 1, column 13 appears 5. This determines the output; 5 is binary 0101, so that the output is 0101. Hence S1(011011) = 0101. The tables defining the functions S1,...,S8 are the following: S1
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13
S2
15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15 13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9
S3
14
Network Security
10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8 13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1 13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12
S4
7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15 13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9 10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14
S5
2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9 14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14 11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3
S6
12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11 10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13
S7
4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1 13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
15
Network Security
1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12
S8
13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11 Example: For the first round, we obtain as the output of the eight S boxes: K1 + E(R0) = 011000 010001 011110 111010 100001 100110 010100 100111. S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8) = 0101 1100 1000 0010 1011 0101 1001 0111 The final stage in the calculation of f is to do a permutation P of the S-box output to obtain the final value of f: f = P(S1(B1)S2(B2)...S8(B8)) The permutation P is defined in the following table. P yields a 32-bit output from a 32-bit input by permuting the bits of the input block. P
16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10 2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25 Example: From the output of the eight S boxes: S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8) = 0101 1100 1000 0010 1011 0101 1001 0111 we get
16
Network Security
f = 0010 0011 0100 1010 1010 1001 1011 1011 R1 = L0 + f(R0 , K1 ) = 1100 1100 0000 0000 1100 1100 1111 1111 + 0010 0011 0100 1010 1010 1001 1011 1011 = 1110 1111 0100 1010 0110 0101 0100 0100
In the next round, we will have L2 = R1, which is the block we just calculated, and then we must calculate R2 =L1 + f(R1, K2), and so on for 16 rounds. At the end of the sixteenth round we have the blocks L16 and R16. We then reverse the order of the two blocks into the 64-bit block R16L16 and apply a final permutation IP-1 as defined by the following table: IP-1
40 39 38 37 36 35 34 33
8 48 16 56 24 64 32 7 47 15 55 23 63 31 6 46 14 54 22 62 30 5 45 13 53 21 61 29 4 44 12 52 20 60 28 3 43 11 51 19 59 27 2 42 10 50 18 58 26 1 41 9 49 17 57 25
That is, the output of the algorithm has bit 40 of the preoutput block as its first bit, bit 8 as its second bit, and so on, until bit 25 of the preoutput block is the last bit of the output. Example: If we process all 16 blocks using the method defined previously, we get, on the 16th round, L16 = 0100 0011 R16 = 0000 1010 0100 1100 1101 1001 1001 0101 0100 0010 0011 0010 0011 0100
We reverse the order of these two blocks and apply the final permutation to R16L16 = 00001010 01001100 11011001 10010101 01000011 01000010 00110010 00110100 IP-1 = 10000101 11101000 00010011 01010100 00001111 00001010 10110100 00000101 which in hexadecimal format is 85E813540F0AB405. This is the encrypted form of M = 0123456789ABCDEF: namely, C = 85E813540F0AB405.
17
Network Security
Decryption is simply the inverse of encryption, follwing the same steps as above, but reversing the order in which the subkeys are applied.
Avalanche Effect: A desirable property of an encryption algorithm is that a small change in either the plaintext
or the key should produce a significant changes in ciphertext. DES is considered insecure for many applications Concerns Key size Nature of the algorithm
Attacks
Brute-force attack Linear cryptanalysis Differential cryptanalysis Timing attack
Main weakness of DES Key Size:

56-bit keys: there are 2 = 7.2 x 10 possible values brute force search is hard, but (more and more) feasible 44 Software (200MHZ Pentium) 2 encryptions per year 1PC: 2000 years, 200 PCs: 10 years, 6000 PCs: 3 months Hardware (FPGA), Cost = $10 000 less than 2 years Hardware (ASIC), Cost = $250 000 1 key in about 50 hours for 1 million $: I key in hour
56 16
DES Modes of Use:

DES Modes of Use are either: Block Modes o Splits messages in blocks (CBC) Stream Modes On byte stream messages (CFB, OFB)
Lecture # 4 AES:
Confidentiality using symmetric key: If we e to apply symmetric key for the confidentiality we need to decide
what to encrypt and where the encryption function should be located i.e what is the points of vulnerability on which we apply the encryption as shown in the figure symmetric key is used for confidentiality basically
18
Network Security
Points of vulnerability:
Snooping from the other workstation Reprogramming switches or router to capture data from the network Use dial in to LAN or physical tapes link in working area External router links to enter to communication to snoop In wireless link risk of eavasdropping is greater These are the points of vulnerability which can computes the secrecy of data over network so we place encryption on network
Placement of Encryption: Two major placements and two major alternatives data over the network is in the
form of packet from sender to reciever as shown in the figure
So there are two major places for the placement of encryption 1) Link encryption 2) End to end encryption Link encryption: using the link encryption approach the communication link is equipped on both ends with an encryption device thus all traffic over the network is secured using the link to be more effective the message is encrypted with different keys i.e. let we have three nodes then from node1 to node2 we use the key K1 and from node2 to node3 we use the key K2 and so on generally we can say that each pair of nodes that share a link should share a unique key as shown in the figure
Disadvantage: its disadvantage is that each time the message must be decrypted each time it enters to a switch beacuase the switch must read the address in the packet header to route the frame so message is vulnerable at each switch if working with a public network i.e. the user has no control over the node End to End encryption: in End to end encryption the encrption process is carried out at the two ends system the source terminal encrpts the data and then this encrypted data is passed though the network to the destination terminal the destinationt terminal shares a key with the source and make able to source terminal to encrypt the data this plan seems to secure the transmission against attack on the network link or switches but still it have a
19
Network Security
weak spot consider a host connects to Another Host then the data is in the form of packet will moves from one host to another host consisting of header and some other data now the question is that what part of packet will be encrypted so the answer is that source terminal may only encrypt the data and leave the packet header clear i.e. unencrypted so in end to end encryption the data is protected but the traffic pattern in Not due to clear packet header as shown in figure
Ideally both at once: To achieve greater security both link and end to end encryption are needed combinely as shown in figure
Applying both at once the source terminal encrypts the user data portion of a packet using end to end encryption and then the entire packet is then encrypted using a link encryption i.e. on each switch link encryption is used to read header to route the packet again for sending it to next switch to thus the user data is most secure Logical Placement of Link and end to end encryption: 1) End to end Encryption: in OSI model the end to end encryption occurrs either at layer 3,4,6,7 2) Link Encryption: in OSI model the link encryption occurrs either at layer 1 or 2
Traffic Analysis: it is the process of monitoring of communication between any two parties by a third
unauthorized party so the third party can derieved by traffic analysis the following types of information Identities of partners How frequently the partners are communicating Message pattern, message length, or quantity of message that suggest important information is being exchanged The events that correlate with special conversations between particulur partner so Link encryption encrypts the packet header reduces the traffic analysis Traffic padding is also an opponnent to reduce traffic analysis
Key distribution in Symmetric key encryption: The communication between two parties using a symmetric
key required a shared secret key between it which must be protected from the access of other users so for it a system is used to distribute key called key distribution techniques it is a term refers to the means of delievering a key to two parties who wish to exchange data without allowing other to see the key
20
Network Security
Key distribution method in symmetric encryption: Let two parties A and B want to communicate and they need to share a secret key then it can be done by the following methods 1) A can select a key and physically deliever it to B 2) A third party can select a key and physicallry deliever it to A and B 3) If A and B have previously and recently used a key one party can transmit the new key to other encrypted using old key 4) If A and B each has an encrypted connection to a third party C, C can deliever a key on the encrypted links to A and B Key distribution Scenario:
Public key cryptography: : it is that type of cryptography which used pair of keys for encryption and decryption
the pair keys are the private and public key the sender encrypt the plaintext using the public key of the receiver and send the data and then the receiver decrypt the cipher text using his/her own private key
Public key cryptography general characteristics: 1. 2. 3. 4. 5. Use pair of keys private and public private key known only to reciever while the public is known to every one Keys will be related with each other but it is infeasible to find private key from the public key It is easy computationally easy to encrypt decrypt message when keys are known It is trapdoor one way functions one way functions are those functions which is easy to calculate from one side but it very difficult to compute from the other side It is more secure than the symmetric key
21
Network Security
Why public key cryptography use: The basic purpose of using public key cryptography is that in it a pair of keys is used one used for encrypting(public) the plaintext and the other for decrypting for decrypting (private) so for a secure communication you have to share only the public key and the priavte key is visible only by the reciever i.e. each person private key will be secured and only be visible by the him so due to this it is more secure than the priavte key cryptography Public key Applications: the following are the applications of public key Encryption / decryption to provide secrecy Digital signature to provide authentication and non repudiation Key exchange to agree on a session key LECTURE # 5 Key management in Public key cryptography: Key management is basically the process of key distribution so there are actually two distinct aspects to the use of public key cryptography The distribution of public keys The use of public key encryption to distribute secret key Distribution of Public key,s: Several techniques have been proposed for the distribution of public keys which can be grouped into the following schemes 1) 2) 3) 4) Publicly announcement Publicly available directory Public key authority Public key certificate
Publicly Announcement: It is one approach for the public key distribution is that public key is publicly announced i.e. any participient can send his public key to any other participient to broadcast the key to the community at large as shown in figure
i.e. in it the public key is announced publicly but it have a major weakness anyone can forge such a public key announcement so it have a problem of forgery means that A can upload announced the key that it is the key of B while this statement is not right it also have the problem of updation Publicly available directory: it is another approach for public key distribution i.e. in it public keys are available in a public directory the public directory have the responsibility of some trusted entity or organization i.e. it include the following elements 1) The authority maintains a directory with a [name, public key] entry for each participient 2) Each participient register a public key with the dirctory authority registration would have to be in person or by some form of secure authenticated communication 3) A participient may replace the existing key with a new one
22
Network Security
4) Participient could also access the directory electronically It is more secure than the publicly announced but still it have vulnerabilities i.e. it have the problem for the adversary to tamper with the record kept by the authority i.e. still the forgery and updation problem are found see the figure
Public key Authority: it have stronger security than the public key distribution it is just like public key distribution but in public key distribution the whole control is maintained by the control directory but in it the addition is that each participient reliably knows a public key for authority with only the authority knowing the corresponding private key the following steps occurr 1) A send a timestamped message to the public key authority containing a request for the current public key of B 2) Authority response with a message which is encrypted using the authority private key PR auth thus A is able to decrypt the Message using the authority public key and issured that the message is originated the authority include B,s public key PUB which A can use use to decrypt message destined for B The original request which enable A to know that the original request timeslot was not altered before reception but the authority and also that it is not and lod message 3) A stores B public key and uses it to encrypt message to B containing an identifier of A IDA and a Nonce N1 used to identify the message uniquely 4) B retrieves A public key using the same method so A and B public key are exchanged 5) B send a message encrypted with PUA containing A nonce N1 as well as a new once generated by B known N2 to assure A that it is correspondent to B 6) A returns N2 encrypted using B public key to assure B that it is correspondent to A as shown in figure
Both A and B can save the each other public key for future use using a technique known as caching its disadvantages is that it is just like bottleneck the user must appeal the authority for a public key for every other
23
Network Security
user that it wishes to control so as before directory for Names and public keys maintained maintained by the authority is vulnerable to tampering Public key Certificate: To remove the disadvantage in Public key authority is to use certificates that can be used by the participient to exchange keys without contacting a public key authority a certificate consist of a public key plus an identifier of the key owner with the whole block signed by the third party the third party is typically a certificate authority i.e. govt agency OR a financial institution i.e. A user can present his public key to the authority in a secure manner and obtain a certificate which then the user can publish so anyone needed the public key of a user can obtain the certificate and verify that the certificate was created by the authority it follow the schemes Any participient can read a certificate to determine the name and public key of the certificate owner Any participient can verify that the certificate originated from the certificate authority and is not encountered Only the certificate authority can create and update certificates Any participient can verify the currency of certificate For participient A the authority provide a certificate fo the form CA = E(PRAUTH[T||IDA||PUA]) while the PRauth is the private key used by the authority and T is timestamped A can then pass the certificate to any other participient who reads and verifies the certificate as follows D(PUAUTH , CA) = D(PUAUTH,[ [T||IDA||PUA]) = (T||IDA||PUA)
RSA:
24

Network Security

Загружено:

Сведения о документе

Исходное описание:

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Network Security

Загружено:

Авторское право:

Доступные форматы

Network Security

Ms(computer Network & communication)

Lecture # 1 (introduction) Computer Security:

Aspects of Security: There are three main Aspects of security

Usman institute of Technology

written by : Javaid ahmad cell # : 03428268556

Ms(computer Network & communication)

Usman institute of Technology

written by : Javaid ahmad cell # : 03428268556

Ms(computer Network & communication)

Model for network security:

Usman institute of Technology

written by : Javaid ahmad cell # : 03428268556

Ms(computer Network & communication)

Simple Cryptography diagram:

Usman institute of Technology

written by : Javaid ahmad cell # : 03428268556

Ms(computer Network & communication)

Usman institute of Technology

written by : Javaid ahmad cell # : 03428268556

Ms(computer Network & communication)

Usman institute of Technology

written by : Javaid ahmad cell # : 03428268556

Ms(computer Network & communication)

Data Encryption Standard (DES):

Usman institute of Technology

written by : Javaid ahmad cell # : 03428268556

Ms(computer Network & communication)

Usman institute of Technology

written by : Javaid ahmad cell # : 03428268556

Ms(computer Network & communication)

Usman institute of Technology

written by : Javaid ahmad cell # : 03428268556

Ms(computer Network & communication)

Usman institute of Technology

written by : Javaid ahmad cell # : 03428268556

Ms(computer Network & communication)

Usman institute of Technology

written by : Javaid ahmad cell # : 03428268556

Ms(computer Network & communication)

Usman institute of Technology

written by : Javaid ahmad cell # : 03428268556

Ms(computer Network & communication)

Usman institute of Technology

written by : Javaid ahmad cell # : 03428268556

Ms(computer Network & communication)

Column Number Row No. 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

Usman institute of Technology

written by : Javaid ahmad cell # : 03428268556

Ms(computer Network & communication)

Usman institute of Technology

written by : Javaid ahmad cell # : 03428268556

Ms(computer Network & communication)

Usman institute of Technology

written by : Javaid ahmad cell # : 03428268556

Ms(computer Network & communication)

Usman institute of Technology

written by : Javaid ahmad cell # : 03428268556

Ms(computer Network & communication)

Main weakness of DES Key Size:

DES Modes of Use:

Usman institute of Technology

written by : Javaid ahmad cell # : 03428268556