Network Security - kondor.etf.rs

slurpslapoutΔίκτυα και Επικοινωνίες

20 Νοε 2013 (πριν από 3 χρόνια και 28 μέρες)

71 εμφανίσεις

Network Security

Network Security


Information secrecy
-
only specified parties
know the information exchanged. Provided by
criptography.


Information integrity
-
the information is
unaltered received by the specified party.
Provided by digital signatures.


Authenticaton
-
user is communicating with the
user with whom he/she thinks is
communicating.







Cryptography

The encryption model (for a symmetric
-
key cipher).

Symmetric
-
Key Algorithms


Transmitting and receiving users have the same key
that they agreed on somehow.


Plain text,
P
, is encrypted by the transmitting user
based on key,
K
, and becomes
E
K
(
P
). Receiver is
decrypting
E
K
(
P
) using the same key, and obtains
plaintext
P
=
D
K
(
E
K
(
P
)). Function P is impossible (or
very hard) to guess from
E
K
(
P
).


DES


Data Encryption Standard


Key has 64 bits


AES


Advanced Encryption Standard


Key has 128 bits




Public
-
Key Algorithms


Each user has a public and a private key.


Plain text,
P
, is encrypted by the transmitting
user based on the public key of the receiving
user,
Bpub
, and becomes
E
Bpub
(
P
).


Receiving user is decrypting the message using
its private key
Bpri

and obtains plaintext
P
=
D
Bpri
(
E
Bpub
(
P
)).



Public
-
Key Algorithms


RSA (Rivest,Shamir, Adleman)

1.
Choose two large prime numbers
p

and
q

(typically
1024 bits)

2.
Compute
n
=
p
x
q

and
z
=(
p
-
1)x(
q
-
1)

3.
Choose a number relatively prime to
z

and call it
d
.

4.
Find
e

such that
e
x
d
=1mod
z

5.
Public key is (
n
,
e
), private key is (
n
,
d
)

6.
Encryption is
C
=
P
e
mod
n


7.
Decryption is
P
=
C
d

mod
n


Learning Shared Keys


Encryption using a symmetric shared key is much
faster. Users can exchange the shared key, either by
using public keys or key distribution centers (KDC).


Transmitting user encrypts the shared
-
key using
public key of the receiving user. Receiving user
decrypts the message and learns the shared key.


KDC has a key for each user. User A sends encrypted
request that it wants to communicate with user B.
KDC sends the shared key,
S
, and encrypted pair
E
B
(
A
,
S
).


Digital Signatures


Ensure to the receiving party that it is
receive the exact information that was sent
my the transmitting party.


For example, transmitting user adds to the
plaintext the signature which is the
encrypted plaintext using its private key.
Receiving user decrypts the signature
using the public key of the transmitting
user, and compares with the plaintext.

Public
-
Key Signatures

Digital signatures using public
-
key cryptography.

,
P

,
P

,
P
)

P

Digital Signatures Using

Message Digests (MD5,SHA
-
1)


Forming the signature by encrypting the entire plaintext
is time consuming, and incurs an inefficient
communication.


For this reason, a message digest is derived from the
plaintext (message). Message digest is a function of the
plaintext such that it is computationaly infeasible to
find two messages with the same message digest
(hash). Singature is encrypted hash.


Since the message digest is much shorter than the
message itself, the signature takes less time to compute
and less bandwidth to transfer.


Authentication Protocol

(Shared Key)


User A sends to user B “I am A”, and nonce
R
A
.


B sends a nonce
R
B

and HASH(
R
A
,
R
B
,
A
,
B,S
) to
A.


A sends HASH(
R
A
,
R
B
,S
) and sends it to B


Authentication Protocol

(Public Key)


User A sends to user B “I am A”, and
R
A
.


B sends a nonce
R
B

and

E
Bpriv
(
R
A
,R
B
,A,B
) to A.


A decrypts encrypted part of the message to
check if it is B and sends encrypted nonces
using its private key
E
Apriv
(
R
A
,R
B
) and sends it to
B.


B decrypts encrypted message and checks if this
is really A.

Management of Public Keys


How users learn real public keys of
other users.


Certificate comprises the public key
and basic data about some user, and is
signed by the certificate authority (CA).


X.509 defines certificate’s format.


Public key infrastructures comprises
CAs that are organized hierarchicaly.


Certificates

A possible certificate and its signed hash.

+ Alg for hashing,

Certificate Authority,

Time validity

Public
-
Key Infrastructures

(a)

A hierarchical PKI.
(b)

A chain of certificates.


Network Security in Practice


IPsec


Firewalls


Virtual Private Networks (VPNs)


E
-
mail security (Pretty Good
Privacy
-
PGP)


DNS security


WWW security (Secure Sockets
Layer
-
SSL)




IPsec based on

Authentication Header Protocol

The IPsec authentication header in transport mode for IPv4.

Determines security association


with IP source address


and security protocol

Using encrypted message disgest


based on a shared key


IPsec based on

Encapsulation Security Payload Protocol

(a)

ESP in transport mode.
(b)

ESP in tunnel mode.

Firewalls


Two types: packet filtering, and
application gateways.


Packet filtering is done based on IP
addresses, TCP or UDP ports, ICMP
message type, TCP SYN or ACK bits
(first segment has ACK=0 so this
prevents outside users to open TCP
connections with inside servers).


Application gateways may restrict
certain applications to certain users.

Virtual Private Networks

(a)

A leased
-
line private network.
(b)

A virtual private network.

E
-
mail Security

PGP


Pretty Good Privacy

PGP in operation for sending a message.

International Data

Encryption Alg

Secure DNS

An example RRSet for
bob.com
. The
KEY

record is Bob's
public key. The
SIG

record is the top
-
level

com

server's signed
hash of
A

and
KEY

records to verify their authenticity.

SSL

A simplified version of the SSL connection establishment subprotocol.