
SECURITY IN MANY LAYERS

Fundamental tools in Network Security

-> Symmetric key & public key cryptography
-> Authentication
-> Key distribution
-> Message integrity
-> Digital signatures

SECURITY IN MANY LAYERS deals with the use of the above tools in the top 4 layers of IP, namely:
-> Application layer
-> Transport layer
-> Network layer
-> Data link layer

SECURE E-MAIL
Most important security features when designing a secure e-mail system:

-> CONFIDENTIALITY
Assurance that a third person doesn't read the message

-> SENDER AUTHENTICATION
Assurance that the message came from the right person

-> MESSAGE INTEGRITY
Assurance that the message is not modified

-> RECEIVER AUTHENTICATION

Confidentiality
a) Encryption of the message with symmetric key technology by the sender and decryption by the receiver

b) Public key cryptography

c) Session key

Session Key: Sender
i) Selects a symmetric session key Ks
ii) Encrypts message m using Ks
iii) Encrypts Ks with the receiver's public key
iv) Concatenates the encrypted message and the encrypted symmetric key to form a package
v) Sends the package to the receiver's e-mail id

Secure e-mail (PGP or GPG)

Alice wants to send confidential e-mail, m, to Bob.


[Figure: Alice encrypts m with KS to get KS(m) and encrypts KS with Bob's public key KB+ to get KB+(KS); both are sent over the Internet. Bob recovers KS with his private key KB- and then decrypts KS(m).]

Alice:
-> generates random symmetric private key, KS.
-> encrypts message with KS (for efficiency).
-> also encrypts KS with Bob's public key.
-> sends both KS(m) and KB+(KS) to Bob.

8: Network Security

8-7

Receiver
i) Uses his private key to decrypt the symmetric key Ks
ii) Uses Ks to decrypt message m

Secure e-mail

Alice wants to send confidential e-mail, m, to Bob.



Bob:
-> uses his private key to decrypt and recover KS
-> uses KS to decrypt KS(m) to recover m

Sender Authentication & Integrity


Makes use of a digital signature and a message digest.
-> Digital signature: a cryptographic technique (like a handwritten signature) to indicate the creator of the document, that is verifiable, non-forgeable and non-repudiable.
-> Message digest: protects the data.

Digital Signatures
Cryptographic technique analogous to hand-written signatures.
-> sender (Bob) digitally signs document, establishing he is document owner/creator.
-> verifiable, nonforgeable: recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed document

Simple digital signature for message m:
Bob signs m by encrypting with his private key KB-, creating signed message, KB-(m)

[Figure: Bob's message, m ("Dear Alice ---text--- Bob"), and Bob's private key KB- go into the public key encryption algorithm; the output is KB-(m), Bob's message, m, signed (encrypted) with his private key.]

Message Digests
Computationally expensive to public-key-encrypt long messages.
Goal: fixed-length, easy-to-compute digital fingerprint
-> apply hash function H to m, get fixed size message digest, H(m).

[Figure: large message m -> H: Hash Function -> H(m)]

Hash function properties:
-> many-to-1
-> produces fixed-size msg digest (fingerprint)
-> given message digest x, computationally infeasible to find m such that x = H(m)

Sender:
i) Applies hash function H to message m to obtain the message digest
ii) Signs the result of the hash function with his private key to create the digital signature
iii) Concatenates the original message with the signature to form a package
iv) Sends it to the receiver's e-mail id

Secure e-mail (continued)


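Alice wants to provide sender authentication and message integrity.

[Figure: Alice hashes m with H( ) and signs the digest with her private key KA- to get KA-(H(m)); m and KA-(H(m)) are sent over the Internet. The receiver applies Alice's public key KA+ to the signature, computes H(m) from the received m, and compares the two.]

-> Alice digitally signs message.
-> sends both message (in the clear) and digital signature.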

Receiver:
i) Applies the sender's public key to the signed message digest
ii) Compares the result with his own hash H
If the two results are the same, the receiver can be confident that the message came from the correct sender and is unaltered

Secure e-mail (continued)


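Alice wants to provide secrecy, sender authentication, message integrity.

[Figure: Alice signs H(m) with her private key KA- to get KA-(H(m)), encrypts m together with KA-(H(m)) under KS, and adds KB+(KS), the session key encrypted with Bob's public key KB+; the package is sent over the Internet.]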

Alice uses three keys: her private key, Bob's public key, and a newly created symmetric key.
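
The session-key, signed-digest and combined packages described above, as one runnable sketch. This is an added example, not part of the original slides. It assumes toy stand-ins: unpadded textbook RSA built from publicly known Mersenne primes, and a SHA-256 keystream in place of a real symmetric cipher; all function names are hypothetical.

```python
import hashlib
import secrets

E = 65537  # public exponent

def toy_keypair(a, b):
    """Textbook RSA from Mersenne primes 2^a-1 and 2^b-1 (assumed toy keys:
    the primes are public knowledge, so these protect nothing)."""
    p, q = 2**a - 1, 2**b - 1
    d = pow(E, -1, (p - 1) * (q - 1))
    return (p * q, E), (p * q, d)          # (public K+, private K-)

def rsa(key, x):
    """K+( ) or K-( ): unpadded modular exponentiation."""
    n, exp = key
    return pow(x, exp, n)

def ks_crypt(ks, data):
    """KS( ): XOR with a SHA-256 counter keystream, a stand-in for a real
    symmetric cipher. The same call encrypts and decrypts."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(ks + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(x ^ y for x, y in zip(data, stream))

def H(m):
    return int.from_bytes(hashlib.sha256(m).digest(), "big")

def alice_send(m, alice_priv, bob_pub):
    size = (alice_priv[0].bit_length() + 7) // 8
    sig = rsa(alice_priv, H(m)).to_bytes(size, "big")   # KA-(H(m))
    ks = secrets.token_bytes(32)                        # fresh session key KS
    body = ks_crypt(ks, sig + m)                        # KS(KA-(H(m)) + m)
    wrapped = rsa(bob_pub, int.from_bytes(ks, "big"))   # KB+(KS)
    return wrapped, body

def bob_receive(package, bob_priv, alice_pub):
    wrapped, body = package
    ks = rsa(bob_priv, wrapped).to_bytes(32, "big")     # KB-(KB+(KS)) = KS
    plain = ks_crypt(ks, body)
    size = (alice_pub[0].bit_length() + 7) // 8
    sig, m = int.from_bytes(plain[:size], "big"), plain[size:]
    if rsa(alice_pub, sig) != H(m):                     # KA+(sig) vs. own H(m)
        raise ValueError("digest mismatch: altered, or not signed by Alice")
    return m

if __name__ == "__main__":
    alice_pub, alice_priv = toy_keypair(521, 607)       # constructed keys
    bob_pub, bob_priv = toy_keypair(1279, 2203)
    package = alice_send(b"Am going on vacation", alice_priv, bob_pub)
    print(bob_receive(package, bob_priv, alice_pub))
```

Flipping any bit of the encrypted body changes the recovered m or signature, so the comparison in bob_receive fails and the message is rejected.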

Pretty good privacy (PGP - commercial) or Gnu Privacy Guard (GPG - free)
-> Internet e-mail encryption scheme, de-facto standard.
-> uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described.
-> provides secrecy, sender authentication, integrity.
-> inventor, Phil Zimmermann,

A PGP signed message:

---BEGIN PGP SIGNED MESSAGE---
Hash: SHA1

Bob: Hai how do you do? Am going on vacation
---BEGIN PGP SIGNATURE---
Version: PGP 5.0
Charset: noconv
yhHJRHhGJGhgg/12EpJ+lo8gE4vB3mqJh
FEvZP9t6n7G6m5Gw2
---END PGP SIGNATURE---


SECURE SOCKETS LAYER (SSL)


Provides data encryption and authentication between a web client and web server. Can be viewed as a layer between application layer and transport layer.

FEATURES
SSL server authentication:
i) allows the user to confirm server identity
ii) SSL enabled browser maintains a list of CAs and their public keys
iii) browser -> certificate -> server
iv) thus server is authenticated before user submits payment details
SSL provides a mechanism for detecting tampering with the information by an intruder

SSL client authentication:
i) allows server to confirm user identity
ii) it is optional
iii) makes use of client certificates, issued by CAs

Encrypted SSL session:
i) all information sent between browser and server is encrypted by the sending software and decrypted by receiving software
ii) important to both customer and merchant

HOW SSL WORKS?


i) Bob browses Alice's secure page and sends SSL version number and cryptographic preferences
ii) Alice sends Bob her server's SSL version number, cryptographic preferences & certificate
iii) Bob has a list of trusted CAs and a public key for each CA. He checks his list against the received certificate for Alice
iv) Bob generates a random symmetric key & encrypts it using Alice's public key
v) Alice extracts the symmetric key
