Network Security

Lecture 1 - NETW4006 Dr.Alex Roney Mathews

NETW4006-Lecture01

Protocols
Warm Welcome. Self Introduction. Treat me as a friend. Language Probs.. Subject Probs.. No Failures. Black Board (Bb) Notes Handouts -Exams Wish you a colorful success semester.

Grading Policy and Text Book

Grading Policy
   

Assignments Popup Quizzes Lab Assessment Mid Exam  Final exam

(10%) (10%) (10 %) (20%) (50%)

Text Book &References

Linux Network Security Peter G. Smith Charles River Media Principle of Information Security Second Edition Michael E. Whitman and Herbert J. Mattord Thomson Course Technology William Stallings Cryptography and Network SecurityPrentice Hall

NETW4006-Lecture01

Content
Common Definitions Cryptographic System Strength Symmetric and Asymmetric Encryption Signature Key Signing and X.509 Standard Common Standards References
NETW4006-Lecture01 5

Common Definitions (1)

Encipher/Encrypt: Transform data into unreadable format. Decipher/Decrypt: Transform data into readable format. Algorithm: Set of mathematical enciphering and deciphering. Plaintext: The original data. Ciphertext: Plaintext that has been encrypted following the enciphering algorithm to the message. Cryptanalysis: Attempt to figure out the message without the key. NETW4006-Lecture01 6 rules that dictate

Common Definitions (2)

Key: The key is the sequence of characters used by the encryption algorithm to encrypt plaintext into space, ciphertext. ciphertext An algorithm contains a key space which is a range of values that can be used to construct a key. Key is a random value within the key space range. The larger the key space, the more values can be used, and the safer the key Key space: All possible values to construct keys. Cryptosystem: The hardware and software that implement the cryptographic (encryption/decryption) transformations. Work factor: Definition of the amount of time, effort and resources necessary to break a cryptosystem
NETW4006-Lecture01 7

Common Definitions (3)

Confidentiality: The fact of ensuring that information is accessible only to those authorized to have access Authenticity: The quality of actually coming from the source which is claimed Integrity: The assurance that information has not been accidentally or maliciously altered or destroyed Non-Repudiation: The non-repudiation is a way to guarantee that the sender of the message can not later deny having sent the message or having furnished the signature of a message
NETW4006-Lecture01 8

Encryption - Decryption

10

Cryptography..
Cipher Mechanism based up on a Policy..

A
Authentication Confidentiality Integrity
11

Non Repudiation .

Cryptography..
A C I N C A I N
Confidentiality is Privacy So
12

P A I N

Cryptography..
See..

13

Cryptography..
Privacy
A
Message

Both r looking for privacy

Will not allow any 3rd party to see the message.

14

Cryptography..
Authentication

A & B has to authenticate themselves B should get the confidence that this i.e. message is from A.

15

Cryptography..
Integrity There is no chance for modifications..
A B

16

Cryptography..
Example: if the message is 1+1 = 2 1+1 = 2; (1+1=2) 1, 1 = 2 1+1 = 2

It should be

17

What ever the message A is sending B should get the same.

Crypto..
Data Flow..

..

There are chances- not to receive info at recipient

Just for interrupting the flow, not for modification. i.e. wont alter
18

Crypto..
Flow..
C taps the message modify it - sends it .. Imp thing is B will not get any info.. Blindly he believe , its from

C send a message to B- stating its from A Fake or false identification B blindly believe its from A

19

Cryptographic System Strength

Strength of encryption comes from: Algorithm, secrecy of key, length of key, initialization vectors, and how they all work together. Improper protection of the key can seriously weaken the cryptosystem Goals of cryptosystems: confidentiality, authenticity, integrity, non repudiation
NETW4006-Lecture01 20

Symmetric and Asymmetric Encryption (1)

Symmetric ciphers use a Pre-Shared-Key (PSK). The same key is used for both encrypting and decrypting
Primary advantage: faster than asymmetric ciphers ciphers, hard to break with large key. how Primary disadvantage: difficult to distribute key (how to securely transmit the key?). Can we re-key on key?). longer connections, to protect against the key being broken? Cannot authenticate or provide nonrepudiation Includes: DES (Date Encryption Standard), Triple DES, IDEA (International Data Encryption Algorithm), RC4 RC5 RC4, RC5, AES (Advanced Encryption Standard)
NETW4006-Lecture01 21

How exchange the key ???

1.A can select a key and physically deliver it to B 2. A third party can select the key and physically deliver it to A and B 3. If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key
NETW4006-Lecture01 22

Symmetric and Asymmetric Encryption (2)

Asymmetric ciphers use a public/private key-pair Keys key-pair. are mathematically linked such that what is encrypted with one is only decrypted by the other. Keys are linked so that it is computationally hard to guess the private key having the public key
You must keep your private key secret Often encrypted secret. with a pass-phrase You disclose your public key to whoever wants to communicate with you You can have your public key signed by a mutually trusted Certificate Authority (CA) (see next) so people can be certain that it is really your key

NETW4006-Lecture01

23

Symmetric and Asymmetric Encryption (3)



 

Advantages: Better at key distribution, better scalability for large systems, can provide authentication and non-repudiation Disadvantages: Asymmetric ciphers are many times slower than symmetric ciphers Includes: RSA (Rivest, Shamir, Adelman), Diffie Hellman, El Gamal, DSA (Digital Signature Algorithm), Knapsack, PGP (Pretty Good Privacy).
NETW4006-Lecture01 24

Symmetric and Asymmetric Encryption (4)

Plaintext
Secret Key

Ciphertext

Figure 1: Symmetric Encryption

Private Key

Ciphertext

Plaintext
Public Key

Figure 2: Confidentiality with Asymmetric Encryption

Private Key

Plaintext
Public Key

CipherText

Figure 3: Authentication with Asymmetric Encryption

NETW4006-Lecture01 25

Signature (1)
Message = M Hash(M) Private Key 5a44ef150d fingerprint ALICE Signature Message = M

BOB Message = M Hash(M)

5a44ef150d

comparison
Signature Public Key 5a44ef150d

NETW4006-Lecture01

26

Signature (2)
Signature = Hash value encrypted with the senders private key Hash = A hash function transforms a message M of arbitrary length to a numeric fingerprint (called a digest) of fixed length (128 bits for MD5). A hash function must have the following properties to be used in cryptographic transformations: a) Make computationally impossible or very difficult to find two messages producing the same fingerprint b) Make computationally impossible or very difficult to reverse the hash function

NETW4006-Lecture01

27

Signature (3)
Due to a) and b) hash functions are used to ensure the integrity of a message when transmitted through a non secure channel Act of signing means encrypting messages hash value with private key


Ensures integrity, authentication, and nonnonrepudiation: repudiation: Ensures that message was not altered and also came from Bob Hash includes: DSS (Digital Signature Standard), MD2 (Message Digest 2), MD4, MD5, SHA (Secure Hash Algorithm)
NETW4006-Lecture01 28

Key Signing and PKC (1)

Certificate is a document provided by a trustworthy authority (organization). The certificate associates (organization). the public key of an asymmetric ciphering algorithm to information related to a subject (user name, server name, E-mail address, etc.). The goal of a certificate is the authenticated association between a subject and its public key Certification Authority (CA): Trusted entity that issues certificates
Multiple issuers pose validation problem: Alices CA is Cathy, Bobs CA is Don; how can Alice validate Bobs certificate? Have Cathy and Don cross-certify: Each issues certificate for the other
NETW4006-Lecture01 29

Key Signing and PKC (2)

A digital certificate is usually signed by a CA (CAs private key), in order to prove that the CA generated the certificate (non-repudiation) CAs signature: This is achieved by the CA hashing the certificate (the hash value will change if anything in the certificate changes), and then encrypting the hash value of the certificate with the CA private key. The CA includes the resulting digital signature in the certificate, making it signed and provides it to the requester.
NETW4006-Lecture01 30

Key Signing and PKC (3)

Verification of the CAs signature: The CA signature can be verified by a third party by decrypting the digital signature with the CAs public key, and comparing the certificate hash value to the result of the hash function applied to the certificate. If there is a difference, either the certificate has been altered (integrity) or the signature has been generated with a private key that does not match the CAs public key. Usually the main CA certificates containing the CA public key are already installed in the Netscape Communicator, Firefox and Internet Explorer, allowing the automatic verification of the CAs signature. signature. A key/certificate can be signed by multiple parties. This creates a web of trust: users posting new public key have someone they know who signs the new key after verifying the users identity and also that the new key is genuine. This is especially used for PGP users.
NETW4006-Lecture01 31

X.509 Standard (1)

Definition: X.509 is the ITU (International Telecommunication Union) standard that specifies the content of a numeric certificate. Key certificate fields in X.509v3
Version Serial number (unique) Signature algorithm identifier: hash algorithm (ex: MD5) Issuers name: uniquely identifies issuer (CA) Interval of validity Subjects name; uniquely identifies subject (Alice) Subjects public key Signature
Identifies algorithm used to sign the certificate (ex: RSA) Signature (enciphered hash)
NETW4006-Lecture01 32

X.509 Standard (2)

X.509 Certificate Creation (for Alice)
Alice request certificate from CA CA creates certificate CA generates hash of certificate CA encrypts hash with private key

X.509 Certificate Validation (by Bob)

Bob obtains CAs public key: The one for the particular signature algorithm (ex: RSA) Deciphers signature: Gives hash of certificate (1) Re-computes hash from certificate (2) and compare with hash of certificate: If (1) and (2) differ, certificate no valid Checks interval of validity: This confirms that certificate is current otherwise certificate no valid Checks Certificate Revocation List (CRL): This confirms that the certificate has not been revoked
NETW4006-Lecture01 33

Common Standards (1)

DES (Data Encryption Standard) Early 1970s by IBM NSA (National Security Agency) rumor of backdoor: Passed the test of time 128 bits to 64 bits down to 56 bits key has the power! Block cipher: 56 bits + 8 parity bits key Key space 2^56 Crypt() function in Unix and Linux: key and salt (cf. next lecture) No longer seen as safe encryption method
NETW4006-Lecture01 34

Common Standards (2)

2DES and 3DES
DES 2 or 3 times

3DES widely used, 2DES is flawed 168 (3*56)-bit key effective key size is 112 bits Billion of billion computational power

NETW4006-Lecture01

35

Common Standards (3)

AES (Advance Encryption Standard) Block cipher Belgian: Joan Daemen and Vincent Rijmen US government to replace DES by NSA for top secret Rijndael algorithm
blocks of 128 bits and key of 128,192, 256 bits

Faster than 3DES

NETW4006-Lecture01 36

Common Standards (4)

RC2 (Ron's Code) Ron's Code RC2 in 1980s to replace DES Leaked in Internet in 1996 key attack RC4 1987 by RSA security Symmetric key (up to 256 bits) streaming cipher Internet Leak in 1994 ARCFOUR WEP (Wired Equivalent Privacy) and SSL (Secure Socket Layer) 2001: 1st. Output bytes non random implementations discard 256 bytes of output
NETW4006-Lecture01 37

Common Standards (5)

RC5 Block cipher with key up to 2040 bits Simple algorithm easy cryptanalysis Break is not easy! NSA offers a prize Patented RC6 Block cipher base on RC5 Aim: meet the standard required by AES Strong encryption Patented but free to use (RSA)
NETW4006-Lecture01 38

Common Standards (6)

RSA (Rivest, Shamir, Adleman) (Rivest, Adleman) 1997: asymmetric basis for PKC Until 2000: more popular in Europe than USA Difficulty to factorize large prime numbers (key) Brute-force computation takes long 256-bit key: a few hours in home PC 512-bit key: no problem if more PCs Minimum length is1024

NETW4006-Lecture01

39

Common Standards (7)

Blowfish Block cipher in 1993 by Bruce Schneier Public 64-bit block size 32 and 448-bit key length One of the fastest But 4 KB of RAM not for smart cards and embedded devices
NETW4006-Lecture01 40

Common Standards (8)

IDEA (International Data Encryption Algorithm) Early 1990s Block cipher of 128-bit key Revision: PES (Proposed Encryption Standard) Early version of PGP (Pretty Good Privacy) Others algorithms are preferred
Patented Flaws are known not so fast
NETW4006-Lecture01 41

Common Standards (9)

MD2 (Message Digest 2) 1989 by Rivest 28-bit digest and 8-bit systems not useful MD4 Successor in 1990 128-bit digital fingerprint Digest length of 128 bits basis of MD5 and SHA 1991 weakness discovered short live

NETW4006-Lecture01

42

Common Standards (10)

MD5 USA law: no export of DES based-softwares Alternative stronger than DES 128-bit digital fingerprint Small M modification different checksum Linux: software integrity 1994: vulnerable to collision commercial implication: on-line shopping and banking when used for signing digital certificates 2004: MD5CRK project to prove collision can occurs Replacement is needed
NETW4006-Lecture01 43

Common Standards (11)

SHA (Secure Hash Algorithm) By NSA: message digest similar to MD5 160-bit digest of M of up to 26 bits 1993 SHA-0 has a flaw not revealed 1995 revised version SHA-1 No weakness so far NIST (National Institute of Standards and Technology): 3 variants based on digest SHA-256, SHA-384, SHA-512

NETW4006-Lecture01

44