Network Security by Georgi Todorov Dowling College Oakdale
-
Upload
sandra4211 -
Category
Documents
-
view
929 -
download
3
description
Transcript of Network Security by Georgi Todorov Dowling College Oakdale
Network SecurityNetwork Security
by Georgi TodorovDowling College
Oakdale, NY, 11769http://mcs.dowling.edu/POCS/
by Georgi TodorovDowling College
Oakdale, NY, 11769http://mcs.dowling.edu/POCS/
POCS Seminar Series 2006POCS Seminar Series 2006
Creative Commons Attribution-ShareAlike2.5 LicenseCreative Commons Attribution-ShareAlike2.5 License
Outline
The Network Security Problem
Cryptography
Modern Cryptography
Symmetric-Key Algorithms
Cryptanalysis
Public-Key Algorightms
by Georgi Todorov Creative Commons Attribution-ShareAlike2.5 LicenseCreative Commons Attribution-ShareAlike2.5 LicenseCreative Commons Attribution-ShareAlike2.5 LicenseCreative Commons Attribution-ShareAlike2.5 License
Outline
Digital Signatures
IPSec
Firewalls
VPN
Wireless security
by Georgi Todorov Creative Commons Attribution-ShareAlike2.5 LicenseCreative Commons Attribution-ShareAlike2.5 LicenseCreative Commons Attribution-ShareAlike2.5 LicenseCreative Commons Attribution-ShareAlike2.5 License
Outline
Kerberos
PGP
SSL
Practical: GnuPG
by Georgi Todorov Creative Commons Attribution-ShareAlike2.5 LicenseCreative Commons Attribution-ShareAlike2.5 LicenseCreative Commons Attribution-ShareAlike2.5 LicenseCreative Commons Attribution-ShareAlike2.5 License
The Network Security Problem
Computer Networks (before) - university researchers, corporate employees.
Computer Networks (now) - millions use it for banking, shopping, tax returns etc.
The Network Security Problem
Security is concerned with preventing unauthorized access or use of information or resources.
Reasons for security problems: for fun, for revenge, for theft
NOTE!!!
The biggest problems in security are caused by incompetent employees, bad security procedures, and inside attacks rather than decoding encrypted messages stolen from tapped phone lines.
Cryptography“Cryptography or cryptology is a field of mathematics and computer science concerned with information security and related issues, particularly encryption and authentication.” - Wikipedia [1]
The term comes from Greek and it means “secret writing”, hence cryptology -> “the study of secret writing”
Cryptanalysis is the study of codebreaking
Modern CryptographyModern cryptography includes the following main areas of study:
Symmetric-key cryptography
Public-key cryptography
Cryptanalysis
Cryptographic primitives
Cryptographic protocols
Symmetric-key algorithm
“Symmetric-key algorithms are a class of algorithms for cryptography that use trivially related cryptographic keys for both decryption and encryption.” - Wikipedia [2]
Two types:
Stream ciphers - one bit at a time
Block ciphers - number of bits(64) as a single unit
Symmetric-key algorithm
Hundreds or thousands of times faster
Encryption functions are reversible
Same input produces same output
DES, AES
Symmetric-key algorithm - DES (Data Encryption Standard)Developed by IBM and adopted by the U.S. Government in january 1977
Encoding:
Text is divided into 64 bits
First stage: Permutation of the text
16 rounds of processing: key(last32bits); XOR(first32bits,key(last32bits));Flip pair
Last stage: inverse permutation
Problems: too short -> 3DES (2 keys)
Symmetric-key algorithm - AES (Advanced Encryption Standard)Developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen
Operates on a 4x4 array of bytes (or more for more than 128 bit key size). Each round of AES excluding the last one consist of four steps:
AddRoundKey, SubBytes, ShiftRows, MixColumns
For more info:http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
CryptanalysisDifferential cryptanalysis -> technique for attacking any block cipher, stream ciphers and cryptographic hash functions. How differences in an input can affect the resultant difference at the output.
DES can be successfully broken with an effort on the order of 2^47 chosen plaintexts.
Linear cryptanalysis -> works by XORing certain bits in the plaintext and ciphertext together.
It can break DES in only 2^43 known plaintexts
Electrical power consumtion (3 volts for 1 and 0 for 0)-> very powerful
Timing analysis - if, else -> different timing
Public-Key Algorithms
Based on the computational complexity of number theory
Encryption (public) key is different from the decryption(private) key. One cannot be forged by the other but one is inverse of the other.
Diffie-Hellman key exchange protocol -> the first to show that public-key cryptography was possible
Public-Key Algorithms - RSA
(Rivest, Shamir, Adleman)
MIT 1978
It has survived ALL ATTEMPTS to break it.
One big disadvantage -> quite slow (at least 1024 bit keys)
Widely used today
Public-Key Algorithms - RSA
(Rivest, Shamir, Adleman)
Summary:
Choose to large prime numbers p and q such that p != q, randomly and independently from each other
compute n = p*q
compute the totient Ф(n) = (p-1)(q-1)
Choose an integer e such that 1 < e < Ф(n), which is comprime to Ф(n)
Compute d such that de = 1 mod Ф(n).
Public-Key Algorithms - RSA
(Rivest, Shamir, Adleman)Summary:
Public key consists of n and ePrivate key consists of n and d
Example:p = 61 — first prime number (to be kept secret or deleted securely)q = 53 — second prime number (to be kept secret or deleted securely)n = pq = 3233 — modulus (to be made public)e = 17 — public exponent (to be made public)d = 2753 — private exponent (to be kept secret)The public key is (e, n). The private key is d. The encryption function is:encrypt(m) = m^e mod n = m^17 mod 3233where m is the plaintext. The decryption function is:decrypt(c) = c^d mod n = c^2753 mod 3233where c is the ciphertext.To encrypt the plaintext value 123, we calculateencrypt(123) = 123^17 mod 3233 = 855To decrypt the ciphertext value 855, we calculatedecrypt(855) = 855^2753 mod 3233 = 123
Public-Key Algorithms - RSA
(Rivest, Shamir, Adleman)
Security:
The RSA problem -> taking eth roots module a composite n: m^e=c mod n where (e,n) is the public key, and c is the ciphertext.
Factoring Large numbers -> As of 2005 the largest number factored b general-purpose methods was 663 bits long, using state-of-the-art distributed methods. No polunomail-time method is known so far!
Digital Signatures
Symmetric-Key signatures - > requires central authority that knows everything and whom everyone trusts
Public-Key signatures -> eliminates the requirement of aa central authority
Message DigestOne-way hash function
Simpler than signature
Properties:
Given P, it is easy to compute MD(P)
Given MD(P), it is effectively impossible to find P
Given P no one can find P’ such that MD(P’)=MD(P)
A change to the input of even 1 bit produces a very different output
MD5 and SHA-1
IPSec
“IPsec (IP security) is a standard for securing Internet Protocol (IP) communications by encrypting and/or authenticating all IP packets. IPsec provides security at the network layer.” - Wikipedia [3]
Two modes: Tunnel mode: port-to-port communications securityTransparent mode: end-to-end security
Dominant use in VPNs
Mandatory part in IPv6
Firewalls
Description by Andy Tanenbaum: “Firewalls are just a modern adaptation of that old medieval security standby: digging a deep moat around your castle. This design forced everyone entering or leaving the castle to passover a single drawbridge, where they could be inspected by the I/O police.” [4]
Network layer firewalls do not allow packets to pass through unless they match the rules. These rules are defined by the administrator, or build-in ones are used
Application layer firewalls may stop all packets coming from or to an application (browser, ftp, mail)
Proxies may act as firewall
NAT -> Network Address Translation -> multiple hosts behind a single IP
VPN - Virtual Private Network
A overlay network on top of a public network with the properties of a private network.
Based on virtual circuits
Used to connect remote sites of a company
Secure VPN protocols include:
IPsec
SSL (OpenVPN, tun/tap)
PPTP(M$)
Wireless Security
WEP (Wired Equivalent Privacy) - Stream cipher based on the RC4 algorithm
64bit WEP uses 40 bit key plus 24bit initialization vector forming RC4 traffic key.
After US Gov. restrictions were lifted, 128bit web with 104bit key size was introduced
Average break time 3 min
WPA and WPA2 (Wi-Fi Protected Access)128-bit key and 48-bit IV plus Temporal Key Integrity Protocol
Personal -> pre-shared key
Enterprise -> 802.11X authentication
Requires strong password for Personal
Kerberos
Authentication protocol which allows individuals communicating over an insecure network to prove their identity to one another in a secure manner
Builds on symmetric-key cryptography and requires trusted third party
Uses: OpenSSH, NFS, PAM, SOKS, Apache, Devicot IMAP3 and POP3 server and others
Kerberos
Outline:Client and three servers(Authentication server, ticket-granting server and required service server)
client sends name to AS
AS sends session key and ticket to client encrypted with client’s secret key(ask for pwd and rm from system)
Client decrypts session and ticket and sends to TGS, encrypted with TGS’ secret key asking for ticket with SS
TGS returns two versions of the session key for client and SS, one encrypted with Client’s secret key and the other encrypted with SS’ secret key.
Now Client and SS can talk
If Client wants to talk to another SS, he sends a new ticket request directly to TGS
PGP - Pretty Good Privacy
PGP provides cryptographic privacy, compression and authentication
Uses both public-key and symmetric-key cryptography
Outline:PGP generates MD5 of the message and encrypts the result with sender’s private RSA key
Encrypted hash and message are concatenated and compressed.
An IDEA message key is generated and used to encrypt the compressed with IDEA in cipher feedback mode
Also the key is encrypted with the recipient's public key.
Both are concatenated and converted to base64 and sent.
The recipient reverses base64, decrypts the IDEA with his private key, deripts the archive, extracts, and decrypts the hash using senders public key, than generates a new hash and compares both.
PGP - Pretty Good Privacy
Supported RSA lengths:
1. Casual(384 bits): can be broken easily today.
2. Commercial(512 bits): breakable by three-letter organizations
3. Military ( 1024 bits): Not breakable by anyone on earth
4. Alien (2048 bits): Not breakable by anyone on other planets, either
Many public key servers are available
SSL - Secure Sockets Layer/Transport Layer
Security (TLS)SSL exchanges records; each record can be optionally compressed, encrypted and packed with message authentication code. It also contains content_type field that specifies which upper layer protocol is being used.
Phases:
Peer negotiation for algorithm support
Public key encryption-based key exchange and certificate-based authentication
Symmetric cipher-based traffic encryption
Supported protocols:
RSA, Diffie-Hellman, DSA, Fortezza, RC2, RC4, IDEA, DES, 3DES, AES, MD5, SHA
SSL runs on layers beneath application protocols (HTML,SMTP,NNTP) and above the TCP transport protocol, which forms part of the TCP/IP protocol suite.
It can add security to any protocol that uses reliable connections.
GnuPG
GnuPG - Complete implementation of the OpenPGP Internet standard
'GnuPG' currently supports ElGamal (signature and encrytion), DSA, AES, 3DES. Blowfish, Twofish, CASTS, MD5, SHA-1, RIPE-MD-160 and TIGER, and has language support for sixteen different languages.
http://eudoragpg.sourceforge.net/ver2.0/en/download/index.html -> Eudora plugin
http://www.sente.ch/software/GPGMail/English.lproj/GPGMail.html -> Apple Mail
http://enigmail.mozdev.org/download.html -> Mozilla, General Windows GnuPG
References
[1] http://en.wikipedia.org/wiki/Cryptography
[2] http://en.wikipedia.org/wiki/Symmetric_key_algorithm
[3] http://en.wikipedia.org/wiki/IPsec
[4] Andrew Tanenbaum, “Computer Networks 4th Edition”, CH8,