Post on 18-Jan-2015
description
Network Security and Network Security and CryptographyCryptography
By Adam ReaganBy Adam ReaganCIS 504 – Data CommunicationsCIS 504 – Data Communications
The College of Saint Rose, Albany NYThe College of Saint Rose, Albany NYSpring 2008Spring 2008
A Need For SecurityA Need For Security
Growing computer use implies a need for Growing computer use implies a need for automated tools for protecting files and other automated tools for protecting files and other informationinformation
The use of networks and The use of networks and communications facilities for carrying communications facilities for carrying data between users and computers is data between users and computers is also growingalso growing
Network security measures are needed Network security measures are needed to protect data during transmissionto protect data during transmission
TCP/IP Communications SecurityTCP/IP Communications Security
Traffic is typically secured by using Traffic is typically secured by using SSL SSL or or VPNVPN
Secure Sockets LayerSecure Sockets Layer Older and more widely used protocolOlder and more widely used protocol Communicating applications have to be written to use Communicating applications have to be written to use
SSLSSL Applications do SSL processingApplications do SSL processing FlexibleFlexible
Virtual Private NetworksVirtual Private Networks Security is implemented at the IP or Data Link LayerSecurity is implemented at the IP or Data Link Layer
Aspects of SecurityAspects of Security
AttackAttack
MechanismMechanism
ServiceService
Security AttackSecurity Attack
Any action that compromises the security of Any action that compromises the security of informationinformationTwo examples:Two examples: PassivePassive - - Attempt to learn or make use of Attempt to learn or make use of
information from the system but does not affect information from the system but does not affect system resourcessystem resources
Monitor transmission to obtain message contents or Monitor transmission to obtain message contents or traffic analysistraffic analysisEavesdroppingEavesdroppingDifficult to detect because there is no alteration of dataDifficult to detect because there is no alteration of data
ActiveActive - Attempt to alter system resources or - Attempt to alter system resources or affect their operationaffect their operation
Modification of messages in transitModification of messages in transitDenial of serviceDenial of service
Other Types of AttacksOther Types of Attacks
InterruptionInterruption
An asset of the system is destroyed or An asset of the system is destroyed or becomes unavailablebecomes unavailable
Attack on Attack on availabilityavailability
Examples:Examples: Destruction of a piece of hardware (i.e. hard Destruction of a piece of hardware (i.e. hard
disk)disk) Cutting of a communication lineCutting of a communication line Disabling a file management systemDisabling a file management system
InterceptionInterception
An unauthorized person, program, or An unauthorized person, program, or computer gains access to an assetcomputer gains access to an asset
Attack on Attack on confidentialityconfidentiality
ExamplesExamples Wiretapping to capture data in a networkWiretapping to capture data in a network
ModificationModification
An asset is intercepted AND tamperedAn asset is intercepted AND tampered
Attack on Attack on integrityintegrity
Examples:Examples: Changing values in a data fileChanging values in a data file Altering a program to change performanceAltering a program to change performance Altering content of messages in transitAltering content of messages in transit
FabricationFabrication
An unauthorized party inserts counterfeit An unauthorized party inserts counterfeit objects into a systemobjects into a system
Attack on Attack on authenticityauthenticity
ExampleExample Addition of records to a data fileAddition of records to a data file
Security MechanismSecurity Mechanism
Designed to detect, prevent, or recover Designed to detect, prevent, or recover from a security attackfrom a security attack
Most security mechanisms make use of Most security mechanisms make use of cryptographic techniquescryptographic techniques
Encryption or encryption-like Encryption or encryption-like transformations of information are the transformations of information are the most common means of providing securitymost common means of providing security
More to come…More to come…
Security ServiceSecurity Service
Enhances the security of data processing Enhances the security of data processing systems and the information transfers of systems and the information transfers of an organizationan organization
Intended to counter security attacksIntended to counter security attacks
Make use of one or more security Make use of one or more security mechanisms to provide the servicemechanisms to provide the service
Examples of ServicesExamples of Services
ConfidentialityConfidentiality Information in a computer system and transmitted information Information in a computer system and transmitted information
are accessible only for reading by authorized partiesare accessible only for reading by authorized parties
AuthenticationAuthentication Origin of a message or file is correctly identified, with assurance Origin of a message or file is correctly identified, with assurance
that the identity is not falsethat the identity is not false
IntegrityIntegrity Only authorized parties are able to modify computer system Only authorized parties are able to modify computer system
assets and transmitted informationassets and transmitted information
AvailabilityAvailability Requires that computer system assets be available to authorized Requires that computer system assets be available to authorized
parties upon requestparties upon request
Conventional EncryptionConventional Encryption
Encryption scheme consists of 5 main features:Encryption scheme consists of 5 main features: PlaintextPlaintext – Original message – Original message Encryption AlgorithmEncryption Algorithm – Used to convert plaintext – Used to convert plaintext
into ciphertextinto ciphertext KeyKey – Information used to determine the functional – Information used to determine the functional
output of algorithmoutput of algorithmSecurity depends on secrecy of the key, not secrecy of Security depends on secrecy of the key, not secrecy of the algorithmthe algorithm
CiphertextCiphertext – Coded message – Coded message Decryption AlgorithmDecryption Algorithm – Used to recover plaintext – Used to recover plaintext
from ciphertextfrom ciphertext
Conventional Encryption Conventional Encryption TechniquesTechniques
SymmetricSymmetric, or , or Single-Key Single-Key encryptionencryption
Only one key is used to encrypt and Only one key is used to encrypt and decrypt messagesdecrypt messages
Therefore, sender and receiver share the Therefore, sender and receiver share the common keycommon key
The key is kept private from everyone elseThe key is kept private from everyone else
Single-Key Encryption SchematicSingle-Key Encryption Schematic
Substitution CiphersSubstitution Ciphers
Plaintext is replaced by different letters, Plaintext is replaced by different letters, numbers, or symbolsnumbers, or symbols
If plaintext is If plaintext is viewed as a sequence of bits, viewed as a sequence of bits, then substitution involves replacing then substitution involves replacing plaintext bit patterns with ciphertext bit plaintext bit patterns with ciphertext bit patternspatterns
Caesar CipherCaesar Cipher
Earliest known substitution cipherEarliest known substitution cipher
Developed by Julius Caesar for military Developed by Julius Caesar for military purposespurposes
Replace each letter by the letter which is 3 Replace each letter by the letter which is 3 positions ahead of itpositions ahead of it
Example:Example: Plaintext = MEET ME AFTER THE TOGA PARTYPlaintext = MEET ME AFTER THE TOGA PARTY Ciphertext = PHHW PH DIWHU WKH WRJD SDUWBCiphertext = PHHW PH DIWHU WKH WRJD SDUWB
Transposition CipherTransposition Cipher
Permutation ciphers Permutation ciphers
Hide the message by rearranging the letter Hide the message by rearranging the letter order WITHOUT altering the actual letters order WITHOUT altering the actual letters usedused
More recognizable because frequency More recognizable because frequency distribution is the same as the original text distribution is the same as the original text
Rail Fence CipherRail Fence Cipher
Write letters out diagonally over a number Write letters out diagonally over a number of rowsof rows
Then read off cipher row by rowThen read off cipher row by row
Example:Example:M E M A T R H T G P R YM E M A T R H T G P R Y
E T E F E T E O A A T E T E F E T E O A A T
Ciphertext = Ciphertext = MEMATRHTGPRYETEFETEOAATMEMATRHTGPRYETEFETEOAAT
Data Encryption Standard (DES)Data Encryption Standard (DES)
Selected as an official Federal Information Processing Selected as an official Federal Information Processing Standard (FIPS) for the U.S. in 1976Standard (FIPS) for the U.S. in 1976Block cipher (as opposed to a Stream cipher, where Block cipher (as opposed to a Stream cipher, where plaintext is processed on bit or byte at a time)plaintext is processed on bit or byte at a time)
Plaintext is processed in 64-bit blocksPlaintext is processed in 64-bit blocks
The algorithm used is called the Data Encryption The algorithm used is called the Data Encryption Algorithm (DEA)Algorithm (DEA)
Transforms 64-bit input in a series of steps into a 64-bit outputTransforms 64-bit input in a series of steps into a 64-bit output The same steps are used to decrypt messagesThe same steps are used to decrypt messages Sender and receiver share the same key (Symmetric)Sender and receiver share the same key (Symmetric)
Now considered to be insecureNow considered to be insecure Key size is 56 bits, considered to be too smallKey size is 56 bits, considered to be too small
TDES and AESTDES and AES
TDESTDES Triple DES – Use algorithm 3 timesTriple DES – Use algorithm 3 times 3 different keys (56-bits each)3 different keys (56-bits each) 168 bits total (192 if parity bits are included)168 bits total (192 if parity bits are included) Superceded by Superceded by AESAES
AESAES Advanced Encryption StandardAdvanced Encryption Standard Fixed block size of 128 bitsFixed block size of 128 bits Key size can be 128, 192, or 256 bitsKey size can be 128, 192, or 256 bits
Public-Key CryptographyPublic-Key Cryptography
Asymmetric CryptographyAsymmetric Cryptography
Two keys are used for encryption and Two keys are used for encryption and decryption of messagesdecryption of messages One is public, the other privateOne is public, the other private Keys are related mathematically, but the Keys are related mathematically, but the
private key cannot be practically derived from private key cannot be practically derived from the public keythe public key
A message encrypted with the public key can A message encrypted with the public key can only be decrypted by using the private keyonly be decrypted by using the private key
Number TheoryNumber Theory
Prime NumbersPrime Numbers Basic building blocks of numbersBasic building blocks of numbers An integer An integer p p > 1 is prime if its only divisors are > 1 is prime if its only divisors are
±±1 and 1 and ±±pp Occur at random intervals along the number Occur at random intervals along the number
lineline
Number TheoryNumber Theory
Relatively Prime NumbersRelatively Prime Numbers Two integers are relatively prime if their only Two integers are relatively prime if their only
common factor is 1common factor is 1 If a and be are integersIf a and be are integers
a and b are relatively prime if gcd(a, b) = 1a and b are relatively prime if gcd(a, b) = 1
gcd = greatest common divisorgcd = greatest common divisor
Example:Example: 8 and 15 are relatively prime because the divisors of 8 8 and 15 are relatively prime because the divisors of 8
are 1, 2, 4, and 8. The divisors of 15 are 1, 3, 5, and 15. are 1, 2, 4, and 8. The divisors of 15 are 1, 3, 5, and 15. Therefore, 1 is the greatest common divisorTherefore, 1 is the greatest common divisor
Euler Totient FunctionEuler Totient Function
ΦΦ(n)(n)
Returns the number of positive integers Returns the number of positive integers that are relatively prime to that are relatively prime to nn
For a prime number For a prime number pp ΦΦ(p) = p – 1(p) = p – 1 Since all numbers less than Since all numbers less than p p are relatively are relatively
prime to prime to pp
The RSA AlgorithmThe RSA Algorithm
Published by Ron Rivest, Adi Shamir, and Published by Ron Rivest, Adi Shamir, and Len Adleman in 1978Len Adleman in 1978
Best known and widely used public-key Best known and widely used public-key schemescheme
Block cipher in which plaintext and Block cipher in which plaintext and ciphertext are integers between 0 and ciphertext are integers between 0 and nn – – 1 for some 1 for some nn
RSA Key GenerationRSA Key Generation
1) Select to prime numbers: 1) Select to prime numbers: p, qp, q Private, chosenPrivate, chosen
2) Calculate 2) Calculate n = pqn = pq Public, calculatedPublic, calculated
3) Calculate 3) Calculate ΦΦ(n) = (p(n) = (p-1-1)(q)(q-1-1))4) Select an integer 4) Select an integer e e such that:such that:
gcd(gcd(ΦΦ(n), e) = (n), e) = 1 and 1 < 1 and 1 < e e < < ΦΦ(n)(n) Public, chosenPublic, chosen
5) Calculate 5) Calculate d d where where d = ed = e-1-1modmodΦΦ(n)(n) ed = ed = 1 mod 1 mod ΦΦ(n)(n) Private, calculatedPrivate, calculated
The keys generated are denoted:The keys generated are denoted: KU = {KU = {e, ne, n} (Public Key)} (Public Key) KR = {KR = {d, nd, n} (Private Key)} (Private Key)
RSA Encryption/DecryptionRSA Encryption/Decryption
To encrypt a message M the sender:To encrypt a message M the sender: Obtains Obtains public keypublic key of recipient KU={ of recipient KU={e,ne,n} } Computes: C = MComputes: C = Mee mod n mod n
Where 0Where 0≤≤MM<<nn
To decrypt the ciphertext C the owner:To decrypt the ciphertext C the owner: Uses their private key KR={Uses their private key KR={d,nd,n} } Computes: M = CComputes: M = Cdd mod n mod n
An ExampleAn Example
1) Let 1) Let p = p = 7 and 7 and q = q = 17172) 2) n = pq = n = pq = 7 x 17 = 1197 x 17 = 1193) 3) ΦΦ(n) = (p(n) = (p-1-1)(q)(q-1-1)) = 6 X 16 = 96 = 6 X 16 = 964) Let 4) Let e = e = 55 gcd(gcd(ΦΦ(n), e) = (n), e) = gcd(96,5) =gcd(96,5) = 11 1 < 51 < 5 < 96< 96
5) 5) d = ed = e-1-1modmodΦΦ(n)(n) Therefore, Therefore, de = de = 1 mod 961 mod 96 d = 77d = 77
77 x 5 = 385 = 4 x 96 + 177 x 5 = 385 = 4 x 96 + 1
Example - Key GenerationExample - Key Generation
The two resulting keys are as follows:The two resulting keys are as follows: Public Key: KU = {Public Key: KU = {e,ne,n} = {5, 119}} = {5, 119} Private Key: KR = {Private Key: KR = {d,nd,n} = {77, 119}} = {77, 119}
Example - EncryptionExample - Encryption
To encrypt a message M, where M = 19:To encrypt a message M, where M = 19: C = MC = Mee mod n mod n 191955 mod 119 = 2476099 mod 119 mod 119 = 2476099 mod 119 2476099 / 119 = 20807 with a remainder of 662476099 / 119 = 20807 with a remainder of 66 Therefore, C = 66Therefore, C = 66
Example - DecryptionExample - Decryption
M = CM = Cdd mod n mod n
66667777mod 119 = (1.27 x 10mod 119 = (1.27 x 10140140) mod 119) mod 119
(1.27 x 10(1.27 x 10140140) / 119 = (1.06 x 10) / 119 = (1.06 x 10138138) with a ) with a remainder of 19remainder of 19
Therefore, M = 19Therefore, M = 19
SummarySummary
Valuable information is constantly being Valuable information is constantly being exchanged between usersexchanged between users
A means to protect this information during A means to protect this information during transmission is criticaltransmission is critical
Methods of security that were developed years Methods of security that were developed years ago are still being used (DES, RSA)ago are still being used (DES, RSA)
The need for more complex The need for more complex encryption/decryption methods may be needed encryption/decryption methods may be needed as advances in technology continue to flourishas advances in technology continue to flourish
ResourcesResources
http://en.wikipedia.org/wiki/Data_Encryption_Stahttp://en.wikipedia.org/wiki/Data_Encryption_Standardndardhttp://en.wikipedia.org/wiki/Rsahttp://en.wikipedia.org/wiki/Rsahttp://www.redbooks.ibm.com/abstracts/http://www.redbooks.ibm.com/abstracts/sg246168.htmlsg246168.htmlStallings, William. Stallings, William. Cryptography and Internet Cryptography and Internet Security: Principles and Practice, Security: Principles and Practice, 2e. Upper 2e. Upper Saddle River, NJ: Prentice-Hall, 1999Saddle River, NJ: Prentice-Hall, 1999Stallings, William. Stallings, William. Network Security Essentials: Network Security Essentials: Applications and Standards, 3e.Applications and Standards, 3e.