1 / 36

Link Encryption

Link Encryption. What is Link Security? Link security objectives by link encryption In-line encryptor hardware Point to point deployment IP-routed development Key Recovery from Internet Cryptograph chapter 3.

zeki
Télécharger la présentation

Link Encryption

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Link Encryption What is Link Security? Link security objectives by link encryption In-line encryptor hardware Point to point deployment IP-routed development Key Recovery from Internet Cryptograph chapter 3

  2. ISO/OSI Layer Review – 7 layersInternational Standard Organisation/Open System Interconnection • The 7-layer is shown on right. • There are many protocols in each layer. • For example, High Level Data link Control (HDLC) in Data link layer

  3. Internet Protocol – 5 layers • Internet protocol reduces to five layers. • Link Security refers to the security measure in data link layer (ISO/OSI, layer 2) or Network Interface (Internet Protocol, layer 2)

  4. Internet Cryptographic Protocols

  5. What is a protocol? • It means “The proper way of handling data transfer between two parties. “ • Assume two parties, Sender and Receiver are sending message. Below is the proper procedure inlcuding the error handling (in this case, retransmit)

  6. What is link security protocol? • It is designed to hide secrets (means, encrypt for you) • It intends to protect data against forgery (false data). • It can simply fit into existing Internet applications. • In Data link layer (ISO/OSI layer 2) or Network Interface

  7. Security Objectives of link security (1) • Maintain confidentiality on an isolated set of computers. • The computer contains sensitive data and needs to exchange with others. • Use a simple but secure protocol • Communications with outsiders is unwanted and to be blocked • To prevent the data from happening through accident, carelessness or overt (公開) attempt. Purpose Reason

  8. Security Objectives (2) • Hide data traffic as much as possible • Shield everything possible about the data sent • Safety and familiarity is more important than cost • Use a well-established technique that is simple to understand and implement. Action

  9. In-line Encryptor – must be a pair • It is a building block for link encryption. • It is a hardware device (not a software) • One port accepts plaintext, while the other produce ciphertext. (vice versa) encrypted message

  10. Example of a pair of in-line encryptorthrough the Internet, usually it is used through a leased line (from PCCW) encrypted message

  11. In-line Encryptor (real products) • Code encryptor (a small device with two network data link connections.) • In-line encryptor

  12. Inside in-line encryptor

  13. Features of in-line encryptor • Separate the plaintext and ciphertext ports (that is why there are two ports) • Use a stream cipher or block cipher • In practice, a block cipher such as RC4 is used in commercial setting. (it uses DES (data encryption standard algorithm)

  14. Link level Vulnerabilities (means weakness) There are a few attacks, Below are some of them: • Replay Attacks • Rewrite Attacks • Convert Signalling Attacks

  15. Replay Attacks – resend a few times • If the message is an encrypted, why should we care about replay? • The reason is that: • If an outsider captures the encrypted message and re-send it, he/she might attack the system.

  16. Example of Replay Attacks False copies

  17. Example of Replay Attacks - Explanation • Alice sends a message of “pay Chan Tai Man” to Bob. She sends one genuine (true) message. • Play-it-again Sam captures the encrypted message and re-sends twice to Bob. • Bob and his colleagues will then pay Chan Tai Man three times. • Of course, Sam will have certain benefits of doing this.

  18. How to solve this? – Replay attack • Each plaintext message must have an extra information such as message number. • If the receiver receives a duplicated message, it is discarded. • This will solve it in TCP/IP (layers 3 & 4). It has this feature to solve this problem. 2 data2 3 data3 2 data2 2 data2

  19. Rewrite Attacks • If an hacker knows the contents, he/she can modify the encrypted message. • Say for example, the encrypted message of pay 1000 is 89^&oiu, he/she can modify 89^&aiu by changing o to a. The resulting plaintext message is 9000. (This assumes that 89^&aiu will produce 9000.)

  20. Example of Rewrite • Here, the encrypted message is modified via a switcher.

  21. How to resolve this? - rewrite There are many methods. Below are some of them • Avoid products using other modes. Always use block ciphers or Vernam techniques. (crude rewrite attacks are still possible with block mode.); or • Insert a random number into each packet, include it in the packet checksum and encrypt the resulting packet; or • Use Message Digest that you learnt in lecture 4; or • Use digital signature to authenticate the source of data. (the message is signed)

  22. Convert Signaling Attacks • The attack is done by inserting a subverted program (spy software) into a host on the plaintext side of an encryptor • The program collects sensitive data and then transmits it to the program outside the security boundary.

  23. Example – subverted program

  24. Deployment – Point to point between sender and receiver Arrangement • This deployment uses a pair of trusted lines between a pair of hosts. • There is no need to connect to the Internet. • For example, you can apply for a leased line via Pacific Century Cyber Work (PCCW) between two computers (example from Central to Kowloon Tong). Now, it uses VPN, a pair of encryptors through the Internet)

  25. Point to point – Connection • Each host’s data link is connected to the plaintext port of in-line encryptor. It is commonly used in military applications. Protect

  26. Point to point limitation • It is hard to use as it limits between two in-line encryptors. (between two points) • You don’t have any choice on the encryption.

  27. Deployment Example: Ip routed • Link encryption can also be applied to links carrying IP traffic. (means network layer) • This yields a flexible networking environment. (any workstation in the network can access.) • For example, assume that there are two networks that are connected by a pair of routers. • Any workstation, server etc can access the remote networking components through the leased line that is protected by the in-line encryptors. solution to extend the number of workstations

  28. Ip routed network diagram (to any host within the network) This arrangement is more flexible

  29. Site protection – Ip routed • Given in the previous slide, the machines (server and workstations) are within the protected boundary of the site. • The in-line encryptors are used to further to protect from unnecessary physical access. (messages are encrypted.)

  30. Site Protection – Unsafe arrangement • The workstation out of physical protection is unsafe.

  31. Key Recovery – how to get the key • The protection of in-line encryptors lies in the key used. • Key recovery means the keys that are used to encrypt the data is recovered by someone else without notice.

  32. Escrowed Encryption No need to memorise • Escrowed encryption is the system or method by which secret keys are stored to be used for key recovery. • That is to say, the secret keys are held in escrow (a separate organisation) until an authorised person (FBI or CIA in US) accesses it. • There is no commercial value as the encryption lasts for the transfer of data, but is used by government to decrypt the encrypted message (for anti-terrorism).

  33. Example – sequence no need to memorise • The FBI first stores the ciphertext and then uses the family key (product of in-line encryptor) to obtain the session key. • Different manufacturer will produce different family keys for their products • FBI then approaches escrow agency to obtain the sender’s key based on device ID. • FBI then use the key to together with the session key to decrypt the ciphertext.

  34. Example – picture

  35. Summary • Link Security – between two parties, layer 2 • Link security objectives – extend the security coverage • In-line encryptor – a pair of devices, to encrypt/decrypt message, there is no need to configure, and no need to encrypt document, it is done by the in-line encryptors. • Point to point – there is a limitation of the use of in-line encryptor, only to known location, The solution is to extend by IP routed • Key Recovery - less common in business, but is required by U.S. law to recover ciphertext for in-line encryptors

  36. Next Week IPSec (Security at the IP Layer, Layer 3) In-line encryptor This Week

More Related