Evolution of Network, Internet, Security and Public cryptography
Transcript of Evolution of Network, Internet, Security and Public cryptography
Jiri J. Cejka
Internet and Security
I. Communication Introduction
II. Internet Introduction
III. Security Introduction
IV. Cryptography
V. Public Cryptography
Jiri J. Cejka
Chapter 1 Internet and Security
Communication Introduction
– Communication Theory
– Communication OSI Model
Jiri J. Cejka
Communication theory Case 1
Two army problem
Time Synchronisation
Solution ?
Red Army
B
Red Army
A
Blue Army
Jiri J. Cejka
Communication theory Case 2
Connection Management
Telephone call simulation
Protocol
A B
Connect request
Connect response
Connect indication
Connect confirm Connect response Connect confirm
Data request
Data request (Acknowledgment)
Data indication
Data indication
Disconnect response
Disconnect indication Disconnect request
time
Jiri J. Cejka
Communication Model - 1
Network topology
Interconnection
1 2
3
4
5
Jiri J. Cejka
Communication Model - 2
OSI Standard compared with TCP/IP
Seven Layers:
7. Application
6. Presentation 5. Session
4. Transport Datagram TCP (Internet Control Protocol)
3. Network Packet IP(ARP),X.25
2. Link Frames CSMA/CD
1. Physical Bits, modems 10011100001000100001
Frame Data Area Frame Header
Datagram Data Area Datagram Header
ICMP
Header
ICMP
Data
Jiri J. Cejka
Communication Model - 3
Layer Two - Data Link - Frames
Frame-level
1
2
3
4
6
7
Host
Frame-level
Access
Node
Node
Switcher
Bridge
Host
Access
Node
5
Frame-level
Jiri J. Cejka
Communication Model - 4
Layer Three - Data Packets
1
2
3
4
5
6
7
Host Packet level
1-3-4-7
Access
Node
Node
Switcher
Router
Host
Access
Node
Packet level
2-3-4-5-6
Acknowledgment
Acknowledgment
Jiri J. Cejka
Communication Model - 5
Sliding windows
– Datagram
– Transport
– Data Link
Acknowledged
Sent
Not Sent
Messages
Source
1
2
3
4
5 6
4Ack 2
3
4
5
1
Acknowledged
7
6 Sent
Not Sent Destination
Messages
Packets
Frames
Jiri J. Cejka
Chapter 2 Internet and Security
Internet Introduction
– What is Internet- history, popularity of usage
– Role of Internet - security
Jiri J. Cejka
Internet Introduction
What is Internet?
Why has it become so popular?
Is Internet secure enough to build
business on it?
If Yes:
– HOW do I guarantee Security and Privacy
– WHEN should I start to invest into it?
Jiri J. Cejka
What is Internet
Definition of Internet
Development 1970 - DARPA
Two fundamental design observation:
– No single network can serve all users
– Users desire universal interconnections
1 2
3
4
5
Jiri J. Cejka
Internet Architecture
User’s view
– each computer appears to attach to a single network
Structure of networks and gateways
Address assignment:
IP Address: <net-id> <host-id>
Host : 193.73.248.10
Network: 193.73.248.0
Gateway: 193.73.248.1
Host Host
Gateway
Physical network
INTERNET
Jiri J. Cejka
The reasons for the worldwide use
The Flexibility of underlying protocols
Public and free Access
– bright spectrum of users
– modern design methods
Progress in computing technology
Development of modern GUI driven
languages
– usage of HTTP, HTML, URL
Jiri J. Cejka
Chapter 3 Internet and Security
Security Introduction
– Security Methods
– Security Model
Jiri J. Cejka
Security Introduction
“Public” Internet access versus “Security”
– Privacy and Integrity
– Authentication and Availability
– Data Integrity and Audit techniques
– Physical security and Management practices.
Jiri J. Cejka
Security Methods
Optimal combination of tools
and methods
Cryptography
– Transaction security
Firewalls and routers – Unauthorised access
Operating systems – Internal sources
1. Intruder has
access to Your system 4. Intercepted
on the destination
INTERNET
2. Wiretapped during
the transmission
3.Stolen while
waiting at server
Message Origination Message Destination
2. Wiretapped during
the transmission
INTERNET
Jiri J. Cejka
Security Methods
Usage of:
– Firewalls
– Filtering
routers
Filtering Router
INTERNET
External User(s)
Firewall Proxy
Server
DNS Functions
Bank Internal Networks
Server of
Service Provider
Internal User
Internal System
Filtering Router of
Service Provider
Secured Area
Jiri J. Cejka
Security Methods
INTERNET
External
Network
External
User(s)
POLICIES, PROCEDURES, ADMINISTRATION
PHYSICALSECURITY
Network Access Layer
WORKSTATION
SECURITY System Access Layer
Application Access Layer
AUDIT
TRIAL
SECURITY
MONITORING
HOST
Data
Software
CHANGE
CONTROL
Access Control
Tables
Software
Jiri J. Cejka
Security Methods
WEB Security Control Points
C2
Firewall #2
INTERNET
B2
External Web
Server
E1
Any External
Company
Web Server
A1
Web Client
Browser
D1
Any External
Internet User’s
Web Client Browser
COMPANY
INTERNAL
NETWORK
A Company
E2
Any Web
Server
C1
Firewall #1
B1
Internal Web
Server
Jiri J. Cejka
Chapter 4 Internet and Security
Cryptography Basics
– History and different Kinds of security
Cryptography Standards
– Private Cryptography
– Public Cryptography
Jiri J. Cejka
Cryptography Basics
How does simple cryptography works
– Message to be encrypted (plaintext)
– Message after it is encrypted (ciphertext)
– Encryption Algorithm (mathematical function)
– Key (number, password, phrase)
Cryptography goal
– impossible: plaintext from ciphertext
Encryption Algorithm
Plaintext
Ciphertext
Key
Jiri J. Cejka
Cryptography Basics
Unbreakable Codes
– Code Word - Code Meaning
– one shot
– restricted to simple information
Ciphers
– Technique of scrambling Message
– Truly cryptography
Jiri J. Cejka
History of Cryptography
Substitution ciphers
– Earliest ciphers 2000 B.C.
– Julius Ceasar - Shift alphabet
– Rennaisance Freemasons -Secret cipher
– G. Washington - Assigned numbers
One-Time Pads - Vernam cipher
– Each page used once
– “Hotline” Stream of numbers as pads
–each number defines shift of a letter
–fix length numbers: Cryptographic Key
A B C D E
0 1 2 3 4
N O P
1. Launch
2. Target
05 08 14 20 01
Jiri J. Cejka
Breaking the code
Key Length Length: Variants: Efficiency:
– Eurocard 4 digits 10.000 14 bits
– UNIX password 8 char 6.3x10^16 56 bits
Breaking the code
– Brute force attack
– Cryptanalysis
–Know plaintext attack
–Chosen plaintext attack
–Differential Cryptanalysis
Plaintext Ciphertext
Key
Jiri J. Cejka
Private Cryptography
Algorithms
Private Key Algorithms
– Key distribution
– Types of Private Cryptography
–DES, Triple DES 1977 : 56-bit key length
–RC2, RC4 Rivest code: 1-1024 bit length
–IDEA 1990 Zurich: 128 bit key
Jiri J. Cejka
Sending secret message only after
prior arrangement - key exchange
Number of the keys: n*(n-1)/2
Key could be intercepted
Distribution of Keys
– Key Distribution Center
– (session key)
Problems with Private Cryptography
A’s private Key
Session Key
B’s private Key
Key Distribution Center KDC
Jiri J. Cejka
Public Cryptography
1970 Breakthrough - Asymmetric
Algorithms
Generate Keys
– Public Key
– Private Key
Public Key
from person B
INTERNET
Own Secret Key
from person B
Person A Person B
1. Message is
Encrypted 2. Message is
Decrypted
Jiri J. Cejka
Public Key Systems
1974 Ralph Merkle “Jigsaw puzzle”
– Secure communication over insecure channels
1975 Diffie-Hellman
– Exponential Key exchange
– Multi-user cryptographic techniques
– (1975 Private system as Standard DES)
1977 Rivest, Shamir, Adleman: RSA
– Easy to multiply two large prime numbers
– Difficult to find its prime factors.
Jiri J. Cejka
Ralph Merkle’s Puzzles 1. Alice send open message to Bob.
2. Alice creates 1.000000 Encryption Keys.
3. Each key is hidden in one puzzle.
-each Puzzle takes 2 Minutes to solve.
4. All puzzles are sent to Bob.
5. Bob chooses one puzzle and
unscrambles one key.
6. Bob encrypts previous message
with his key.
7. Message is sent to Alice.
8. Alice tries all keys until one fits.(850).
Eavesdropper has to try all 1000000 puzzleseach taking
him two minutes to solve!
Alice
1.
2.
:
1000.000
Bob
850
850
1
2. 3.
4. 5.
6.
7.
8.
Jiri J. Cejka
Diffie-Hellman Multi-user
1. Alice and Bob agrees on two numbers.
They are known and public: a, q.
2. Each part chooses a secret number X: X1, X2
and transmits the results of mathematical formula
involving a, q, and X.
3. Both participants compute number K as
function of (X1 and Y2) or (X2, Y1).
Eavesdropper knows a,q,Y1 and Y2 nut does not know X1
or X2: he cannot compute number K.
K is used as a session key for private key encryption algorithm
such as DES.
Alice Bob Numbers a, q
K =Y2(exp( X1)(mod q)
1.
2.
3.
X1
Y1 = a(exp(X1))(mod q)
X2
Y2=f(a,q,X2)
K=f(X2,Y1)
Jiri J. Cejka
Data Encryption Standard DES
Description of nationwide Standard System
1960 IBM Private encryption system
– Lucifer 1974 on a chip for market
– length set to 128 bits
1975 NSA and NIST design of DES
Architecture of DES : P-box, S-box
DES controversy 128 Bits-> 56 bit Key
– How secure is DES now
Jiri J. Cejka
Rivest, Shamir, Adelman: RSA
1977 U.S. patent to MIT
Company RSA DSI marketing
– computation intensive
– chip production unsuccessful
– RSA Bidzos MailSafe
Phil Zimmermann PGP
– Encryption on microprocessor
– PGP Public key algorithm on PC
– Export law, International Version
Jiri J. Cejka
How Does RSA works?
Each the person has to create key pair consisting of
public and secret key.
1. Alice chooses very large two prime numbers P and Q per random. P=47, Q=71.
2. Encryption modulus is created multiplying: N = P * Q. N=3337.
3. The encryption key is created : e is prime to (P-1) * (Q-1) e = 3220
4. Using Euclid algorithm decryption key d is found :
d = e(exp-1) *(mod ((P-1) * (Q-1))) d = 1019
5. Then Public key = (N,e)
Secret key = d.
Then Bob encrypts number X: X(exp e)(mod N) -> A
Alice decrypts A: A(exp d)(mod N) -> X
Jiri J. Cejka
Privacy and Public Policy
FBI’s Digital Telephony Plan
– History if wiretapping
– 1995 Cryptography and Constitution
NSA’s Clipper Chip
– After DES a new public technology standard
– Algorithm “Skipjack” 80 bits
– Escrowed Encryption Standard EES
–Using Family Key, Chip Key and Session Key
– Public usage Administration - Market
Jiri J. Cejka
Clipper Chip EES
1. Session Key Conversation
- different for each conversation
- SKIPJACK (NSA algorithm)
2. Clipper Chip Telephone Session
2.1 UniqueChip A Key
2.2. Chip A Serial Nr
2.3 Checksum
2.4 Family key common to all chips
creates Law Enforcement Access Field
3. Escrowed Encryption Standard EES
3.1 Family Key Master Key held by government
3.2. Decrypts LEAF and gives Serial Number
3.3. Two companies give two fragment of Chips key
3.4. Agent creates Chip key and under permission decrypts Session key
Chip B Key 14365275890364789
14365275890364789
Serial Nr B
Checksum
B A
LEAF A LEAF B
Family Key
Jiri J. Cejka
Digital Signature Standard - DSS
Proposed by NIST in 1991
Federal Information Process. Standard
FIPS
– Developed in fact by NSA
Digital Signature Algorithm - DSA
– Slower then RSA
– Opposition against DSA might contain back door
– Used as digital signature only
– Using Secure Hash Algorithm SHA 160 bit length
Jiri J. Cejka
Comparison Public-Secret Cryptography
Advantages:
– Increased security: Secret key is not transmitted
–Secret key : sharing the secrecy with other side
– Authentication: method for digital signatures
– Legal binding for Public-key
–Authentication of signature: non-repudiation
–Kerberos authenticate only access: not legally bounded
Disadvantages
– Speed: solution is combination of secret-public key
Jiri J. Cejka
Cryptography
“Without strong cryptography no one will
have the confidence
– to use networks to conduct business
– to engage in commercial transactions electronically
– to transmit sensitive personal information”.
Jiri J. Cejka
Chapter 5 Internet and Security
Public Cryptography PGP
– Public and Secret Key
– Pass Phrase
– Random Bit & Session Key generation
– Digital Signature
– Key Rings & Key Certification
– Web of Trust
Jiri J. Cejka
Public Cryptography Pretty Good Privacy PGP
Generating of Keys
– Public Key
– Secret Key
Distribution of Keys
– Public key ring
– Trust
– Validity
Own Secret Key
from person B
Public Key
from person B
INTERNET
Person A Person B
1. Message is
Encrypted 2. Message is
Decrypted
Jiri J. Cejka
PGP - Public and Secret key
Generating of Public and Secret key: pgp -kg
1. Set-up the length : 512, 1024 bits: 1,2,3
2. Define User ID: <[email protected]>
3. Defined he Pass Phrase : Text string
4. Generate random number: Text, time
Key identifications:
Type Bits keyID Date User ID
pub 512 C7A966DD 1996/10/09 [email protected] added to pubring.asc
sec 512 HIAF12EG 1996/10/09 [email protected] added to secring.asc
Public Key
from person B
INTERNET
Own Secret Key
from person B
Person A Person B
1. Message is
Encrypted 2. Message is
Decrypted
Jiri J. Cejka
PGP- Session Key
Encrypting the message
using Session Key:
pgp -eat <file name> <public key id>
- e Session key automatically
- a Result as text file
- t Source as text file
<filename.asc>
1.Session Key is
randomly generated
Own Secret Key
from person B
Person A
Person B
4. Both encryption are
bundled together and
sent to person B
5. Message is
Decrypted 2. Message is encrypted
using IDEA algorithm
3. Session Key encrypted
using RSA algorithm
and B’s Public Key
INTERNET
Jiri J. Cejka
PGP-Pass Phrase Decrypting the message
Secret Key decryption/encryption
pgp <file name.asc>
- Secret Key is required to read file
- Pass Phrase is needed to unlock RSA key
- Using MD5 hash function 128-bit code
is generated from the Pass Phrase
- IDEA algorithm decrypts Secret Key
Local usage of Pass Phrase
1. Encrypting of text file
pgp -c <your file>
-Pass Phrase required
2. Decrypting of text file
pgp <your file.pgp>
-Pass Phrase required
INTERNET
Person A Person B
2.Secret Key is decrypted after encrypted message came
1.Secret Key is encrypted during generation Public/Private key using Pass Phrase
3. Message is decrypted using B’s Secret Key
Jiri J. Cejka
INTERNET
4. Seal is
encrypted
using A’s
Public Key
Person A
Person B 2. The number is
encrypted using
secret key into a
“seal”
1. MessageDigest function
is run over the message
producing 128-bit number
6. Both digest numbers
are compared
- if they are same
message is authentic.
14365275890364789
3. The signature block
“seal” is added to the
message ready to be
sent in readable form
14365275890364789 14365275890364789
5. Message
Digest function
creates new
128-bit number
PGP-Digital Signature Authentication of message
- Message Digest Function MD5
unique 128 bit code created
- Code encrypted with Secret Key
- Pass Phrase is required
pgp -sta <file name>
- result in <file name.asc>
- Signature decrypted with Public Key
pgp <file name.asc>
- Automatic check with text file
Signing and Encrypting -most secure
pgp -se <file name>
Jiri J. Cejka
Locally created
keys stored
on Secret Ring
14365275890364789
1. Pass Phrase opens secret key-ring to
change any identifications:
- From Path Phrase MD5 function counts
128 bit code to decrypt IDEA encryption
2. To Encrypt Text file a random bit
generates a Session key to Encrypt file
using IDEA
3. Message is encrypted using Session
Key and
conventional IDEA algorithm
4. The Session Key is encrypted using
RSA and Recipient’s Public key
5. Using MD5 Function and Secret Key
generates Digital Signature
PGP- Key Rings
Received
keys
stored on
Public Ring
Random bit
generator
“Any secret text..”
MD5
RSA
IDEA
MD5
Jiri J. Cejka
PGP- Key Certification
Public Key Certification is built into
PGP:
- Validity - Identification that the key
received really belongs to the person to
whom it says it belongs.
- Trust - Measure of how much you believe
honesty and judgment of the person created
the key.
INTERNET
Person A Person B
14365275889 14365275890 1436524789
Jiri J. Cejka
John
John does not believe Phil’s
certification
John trusts Jane
John does not trust Chris.
John does not trust any person
certification by Chris
Jane certifies Phil
Certifying and Distributing of Public Keys:
- John’s trusts
- John’s belief of identity
- No trust, no belief of identify
Jane
Phil
Phil certifies Lori
Lori
PGP-Web of Trust
John believes Jane’s certification of Phil
Chris
Jiri J. Cejka
Adding Key with Signatures on Public ring
pgp -ka <file name.pgp>
Key Fingeprint is displayed - Key’s unique Digest of 128 bits code
Key can be certified personally
- RSA Secret Key has to be unlocked - Pass Phrase is needed
Level of Trust has to be added: 1= Not known, 2= No, 3=Usually, 4= Always.
Viewing Public key ring and Signatures pgp -kc
Type bits/KeyID Date User ID
pub 512/ 33681029 1994/08/28 Name1 <[email protected]>
sig! A71712F9 1994/12/28 Name2 <[email protected]>
Key ID Trust Validity User ID
33681029 marginal complete Name1 <[email protected]>
complete complete Name2<[email protected]>
pgp -kvv Viewing Fingerprint
PGP- Adding Public Key
Jiri J. Cejka
“Only those defenses are good, certain and
durable, which depend on yourself alone
and your own ability”.
The Prince
- Nicollo Machiavelli
Internet Security Resume