1 / 117

Chapter 10

Chapter 10. Network Security. Chapter 10: Outline. 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS. Chapter 10: Objective.

jaafar
Télécharger la présentation

Chapter 10

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 10 Network Security .

  2. Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS

  3. Chapter 10: Objective • We introduce network security. We discuss security goals, types of attacks, and services provided by network security. • We introduce the first goal of security, confidentiality. We discuss symmetric-key ciphers and asymmetric-key ciphers. • We discuss other aspects of security: message integrity, message authentication, digital signature, entity authentication, and key management. • We apply what we have learned in the first three sections to the top three layers of the TCP/IP suite. • Finally, we discuss firewalls: packet-filter and proxy.

  4. 10-1 INTRODUCTION Information is an asset that has a value like any other asset. As an asset, information needs to be secured from attacks. To be secured, information needs to be hidden from unauthorized access (confidentiality), protected from unauthorized change (integrity), and available to an authorized entity when it is needed (availability).

  5. 10.1.1 Security Goals Let us first discuss three security goals: • Confidentiality • Integrity • Availability

  6. 10.1.2 Attacks Our three goals of security, confidentiality, integrity, and availability, can be threatened by security attacks. Although the literature uses different approaches to categorizing the attacks, we divide them into three groups related to the security goals. Figure 10.1 shows the taxonomy.

  7. 10.1.2 (continued) • Attacks Threatening Confidentiality • Snooping • Traffic Analysis • Attacks Threatening Integrity • Modification • Masquerading • Replaying • Repudiation • Attacks Threatening Availability • Denial of Service

  8. Figure 10.1: Taxonomy of attacks with relation to security goals

  9. 10.1.3 Services and Techniques ITU-T defines some security services to achieve security goals and prevent attacks. Each of these services is designed to prevent one or more attacks while maintaining security goals. The actual implementation of security goals needs some techniques. Two techniques are prevalent today: • Cryptography • Steganography

  10. 10-2 CONFIDENTIALITY We now look at the first goal of security, confidentiality. Confidentiality can be achieved using ciphers. Ciphers can be divided into two broad categories: symmetric-key and asymmetric-key.

  11. 10.2.1 Symmetric-Key Ciphers A symmetric-key cipher uses the same key for both encryption and decryption, and the key can be used for bidirectional communication, which is why it is called symmetric. Figure 10.2 shows the general idea behind a symmetric-key cipher.

  12. 10.2.1 (continued) • Traditional Symmetric-Key Ciphers • Substitution Ciphers • Transposition Ciphers • Stream and Block Ciphers • Modern Symmetric-Key Ciphers • Modern Block Ciphers • Data Encryption Standard (DES) • Modern Stream Ciphers

  13. Figure 10.2: General idea of a symmetric-key cipher

  14. Figure 10.3: Symmetric-key encipherment as locking and unlocking with the same key

  15. Figure 10.4: Representation of plaintext and ciphertext characters in modulo 26

  16. Example 10.1 Use the additive cipher with key = 15 to encrypt the message “hello”.

  17. Example 10.2 Use the additive cipher with key = 15 to decrypt the message “WTAAD”.

  18. Figure 10.5: An example key for a monoalphabetic substitution cipher

  19. Example 10.3 We can use the key in Figure 10.5 to encrypt the message

  20. Example 10.4 Assume that Alice and Bob agreed to use an autokey cipher with initial key value k1 = 12. Now Alice wants to send Bob the message “Attack is today”. The three occurrences of “t” are encrypted differently.

  21. Figure 10.6: Transposition cipher

  22. Figure 10.7: A modern block cipher

  23. Figure 10.8: Components of a modern block cipher

  24. Figure 10.9: General structure of DES

  25. Figure 10.10: DES function

  26. Figure 10.11: Key generation

  27. Example 10.5 We choose a random plaintext block and a random key, and determine (using a program) what the ciphertext block would be (all in hexadecimal) as shown below.

  28. Example 10.6 To check the effectiveness of DES when a single bit is changed in the input, we use two different plaintexts with only a single bit difference (in a program). The two ciphertexts are completely different without even changing the key. Although the two plaintext blocks differ only in the rightmost bit, the ciphertext blocks differ in 29 bits.

  29. Figure 10.12: One-time pad

  30. 10.2.2 Asymmetric-Key Ciphers In previous sections we discussed symmetric-key ciphers. In this section, we start the discussion of asymmetric-key ciphers. Symmetric- and asymmetric-key ciphers will exist in parallel and continue to serve the community. We actually believe that they are complements of each other; the advantages of one can compensate for the disadvantages of the other.

  31. 10.2.2 (continued) • General Idea • Plaintext/Ciphertext • Encryption/Decryption • Need for Both • RSA Cryptosystem • Procedure • Applications

  32. Figure 10.13: Locking and unlocking in asymmetric-key cryptosystem

  33. Figure 10.14: General idea of asymmetric-key cryptosystem

  34. Figure 10.15: Encryption, decryption, and key generation in RSA

  35. Example 10.7 For the sake of demonstration, let Bob choose 7 and 11 as p and q and calculate n = 7 × 11 = 77, φ(n) = (7 − 1)(11 − 1), or 60. If he chooses e to be 13, then d is 37. Note that e × d mod 60 = 1. Now imagine that Alice wants to send the plaintext 5 to Bob. She uses the public exponent 13 to encrypt 5. This system is not safe because p and q are small.

  36. Example 10.8 Here is a more realistic example calculated using a computer program in Java. We choose a 512-bit p and q, calculate n and φ(n). We then choose e and calculate d. Finally, we show the results of encryption and decryption. The integer p is a 159-digit number.

  37. Example 10.8 (continued)

  38. Example 10.8 (continued)

  39. Example 10.8 (continued)

  40. 10-3 OTHER ASPECTS OF SECURITY The cryptography systems that we have studied so far provide confidentiality. However, in modern communication, we need to take care of other aspects of security, such as integrity, message and entity authentication, non-repudiation, and key management. We briefly discuss these issues in this section.

  41. 10.3.1 Message Integrity There are occasions where we may not even need secrecy but instead must have integrity: the message should remain unchanged. For example, Alice may write a will to distribute her estate upon her death. The will does not need to be encrypted. After her death, anyone can examine the will. The integrity of the will, however, needs to be preserved. • Message and Message Digest • Hash Functions

  42. Figure 10.16: Message and digest

  43. 10.3.2 Message Authentication A digest can be used to check the integrity of a message—that the message has not been changed. To ensure the integrity of the message and the data origin authentication—that Alice is the originator of the message, not somebody else—we need to include a secret shared by Alice and Bob (that Eve does not possess) in the process; we need to create a message authentication code (MAC). • HMAC

  44. Figure 10.17: Message authentication code

  45. 10.3.3 Digital Signature Another way to provide message integrity and message authentication (and some more security services, as we will see shortly) is a digital signature. A MAC uses a secret key to protect the digest; a digital signature uses a pair of private-public keys.

  46. 10.3.3 (continued) • Comparison • Inclusion • Verification Method • Relationship • Duplicity • Process • Signing the Digest • Services • Message Authentication • Message Integrity • Non-repudiation

  47. 10.3.3 (continued) • RSA Digital Signature Scheme • Digital Signature Standard (DSS)

  48. Figure 10.18: Digital signature process

  49. Figure 10.19: Signing the digest

  50. Figure 10.20: Using a trusted center for non-repudiation

More Related