Documente Academic
Documente Profesional
Documente Cultură
Security
A note on the use of these ppt slides:
Were making these slides freely available to all (faculty, students, readers).
Theyre in PowerPoint form so you see the animations; and can add, modify,
and delete slides (including this one) and slide content to suit your needs.
They obviously represent a lot of work on our part. In return for use, we only
ask the following:
If you use these slides (e.g., in a class) that you mention their source
(after all, wed like people to use our book!)
If you post any slides on a www site, that you note that they are adapted
from (or perhaps identical to) our slides, and note our copyright of this
material.
Thanks and enjoy! JFK/KWR
All material copyright 1996-2012
J.F Kurose and K.W. Ross, All Rights Reserved
Computer
Networking: A
Top Down
Approach
6th edition
Jim Kurose, Keith
Ross
Addison-Wesley
March 2012
8-1
Chapter 8: Network
Security
Chapter goals:
security in practice:
firewalls and intrusion detection systems
security in application, transport, network, link
layers
Network Security
8-2
Chapter 8 roadmap
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8-3
8-4
Alice
Bob
channel
data
secure
sender
data, control
messages
secure
s
receiver
data
Trudy
Network Security
8-5
Network Security
8-6
8-7
Chapter 8 roadmap
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8-8
encryption
algorithm
Bobs
K decryption
Bkey
ciphertext
decryption plaintext
algorithm
m plaintext message
KA(m) ciphertext, encrypted with key KA
m = KB(KA(m))
Network Security
8-9
Breaking an encryption
scheme
cipher-text only
attack: Trudy has
ciphertext she can
analyze
two approaches:
brute force:
search through all
keys
statistical analysis
known-plaintext attack:
Trudy has plaintext
corresponding to
ciphertext
e.g., in
monoalphabetic
cipher, Trudy
determines pairings
for a,l,i,c,e,b,o,
chosen-plaintext attack:
Trudy can get ciphertext
for chosen plaintext
Network Security
8-10
KS
plaintext
message, m
encryption
algorithm
ciphertext
K
(m)
decryption plaintext
algorithm
m = KS(KS(m))
8-11
plaintext:
abcdefghijklmnopqrstuvwxyz
ciphertext:
mnbvcxzasdfghjklpoiuytrewq
e.g.:
8-12
cycling pattern:
e.g., n=4: M1,M3,M4,M3,M2; M1,M3,M4,M3,M2; ..
Network Security
8-13
Network Security
8-14
Symmetric key
crypto: DES
DES operation
initial permutation
16 identical rounds of
function application,
each using different
48 bits of key
final permutation
Network Security
8-15
Network Security
8-16
requires sender,
receiver know shared
secret key
Q: how to agree on
key in first place
(particularly if never
met)?
radically different
approach [DiffieHellman76, RSA78]
sender, receiver do
not share secret key
public encryption
key known to all
private decryption
key known only to
receiver
Network Security
8-17
key
plaintext
message, m
encryption
algorithm
ciphertext
+
B
K (m)
- Bobs private
B key
decryption
algorithm
plaintext
message
+
m = KB (K (m))
B
Network Security
8-18
+
need KB( ) and K ( ) such that
B
- +
K (K (m)) = m
B B
8-19
Prerequisite: modular
arithmetic
thus
(a mod n)d mod n = ad mod n
example: x=14, n=10, d=2:
(x mod n)d mod n = 42 mod 10 = 6
xd = 142 = 196 xd mod 10 = 6
Network Security
8-20
example:
8-21
KB
Network Security
8-22
RSA: encryption,
decryption
Network Security
8-23
RSA example:
Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z).
encrypting 8-bit messages.
encrypt:
decrypt:
bit pattern
me
0000l000
12
24832
c
17
481968572106750915091411825223071697
c = me mod n
17
m = cd mod n
12
Network Security
8-24
thus,
cd mod n = (me mod n)d mod n
= med mod n
= m(ed mod z) mod n
= m1 mod n
=m
Network Security
8-25
+
+ K (K (m)) = m = K (K (m))
B B
B B
result is the
same!
Network Security
8-26
+
+ K (K (m)) = m = K (K (m))
B B
B B
Why
Network Security
8-27
Network Security
8-28
intensive
DES is at least 100 times faster than RSA
use public key cryto to establish secure
connection, then establish second key
symmetric session key for encrypting data
session key, KS
8-29
Chapter 8 roadmap
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8-30
Authenticatio
n
I am Alice
Failure scenario??
Network Security
8-31
Authenticatio
n
I am Alice
in a network,
Bob can not see Alice,
so Trudy simply declares
herself to be Alice
Network Security
8-32
Authentication: another
try
Alices
IP address
I am Alice
Failure scenario??
Network Security
8-33
Authentication: another
try
Alices
IP address
Network Security
8-34
Authentication: another
try
Alices
Alices
Im Alice
IP addr password
Alices
IP addr
OK
Failure scenario??
Network Security
8-35
Authentication: another
try
Alices
Alices
Im Alice
IP addr password
Alices
IP addr
OK
Alices
Alices
Im Alice
IP addr password
Network Security
8-36
Authentication: yet
another try
Alices encrypted
Im Alice
IP addr password
Alices
IP addr
OK
Failure scenario??
Network Security
8-37
Authentication: yet
another try
Alices encrypted
Im Alice
IP addr password
Alices
IP addr
OK
record
and
playback
still works!
Alices encrypted
Im Alice
IP addr password
Network Security
8-38
Authentication: yet
another try
8-39
Authentication: ap5.0
ap4.0 requires shared symmetric key
can we authenticate using public key
techniques?
ap5.0: use nonce, public key cryptography
I am Alice
R
Bob computes
+ -
K A (R)
send me your public key
KA
K A(K A(R)) = R
and knows only Alice
could have the private
key, that encrypted R
such that
+ K (K (R)) = R
A A
Network Security
8-40
ap5.0: security
hole
man
(or woman) in the middle attack: Trudy
I am Alice
R
K (R)
A
K (R)
T
+
K
T
- +
m = K (K (m))
A A
+
K (m)
A
+
A
Trudy gets
- +
m = K (K (m))
T T
sends m to Alice
encrypted with
Alices public key
+
K (m)
T
Network Security
8-41
ap5.0: security
hole
man
(or woman) in the middle attack: Trudy
difficult to detect:
Bob
8-42
Chapter 8 roadmap
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8-43
Digital
signatures
cryptographic technique analogous to
hand-written signatures:
Network Security
8-44
Digital
signatures
Bobs message, m
Dear Alice
Oh, how I have missed
you. I think of you all the
time! (blah blah blah)
Bob
- Bobs private
KB
key
Public key
encryption
algorithm
m,K B(m)
Bobs message,
m, signed
(encrypted) with
his private key
Network Security
8-45
Digital
signatures
suppose Alice receives msg m, with signature: m,
KB(m)
Alice
If KBthus
(KB(m)
) =that:
m, whoever
verifies
Bob
signed
m
used
Bobs
private
key.
Network Security
8-46
Message digestslarge
message
m
computationally expensive
to public-key-encrypt
long messages
to-compute digital
fingerprint
apply hash function H to
m, get fixed size
message digest, H(m).
H: Hash
Function
H(m)
8-47
ASCII format
49 4F 55 31
30 30 2E 39
39 42 D2 42
B2 C1 D2 AC
message
IOU9
00.1
9BOB
different messages
but identical checksums!
ASCII format
49 4F 55 39
30 30 2E 31
39 42 D2 42
B2 C1 D2 AC
Network Security
8-48
H(m)
large
message
m
KB
encrypted
msg digest
KB(H(m))
Bobs
public
key
KB
KB(H(m))
H(m)
H(m)
equal
?
Network Security
8-49
8-50
I am Alice
R
K (R)
A
K (R)
T
+
K
T
- +
m = K (K (m))
A A
+
K (m)
A
+
A
Trudy gets
- +
m = K (K (m))
T T
sends m to Alice
encrypted with
Alices public key
+
K (m)
T
Network Security
8-51
Public-key certification
Network Security
8-52
Certification
authorities
Bobs
identifying
information
KB
KB
CA
private
key
CA
certificate for
Bobs public key,
signed by CA
Network Security
8-53
Certification
authorities
when Alice wants Bobs public key:
KB
CA
public
key
K+
CA
Network Security
8-54
Chapter 8 roadmap
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8-55
Secure e-mail
KS
KS ( )
KB ( )
K+
B
KS(m )
KS(m )
+
+
KB(KS )
KS ( )
Internet
KB(KS )
KS
-
KB ( )
K-B
Alice:
generates random symmetric private key, K
S
encrypts message with KS (for efficiency)
also encrypts KS with Bobs public key
sends both KS(m) and KB(KS) to Bob
Network Security
8-56
Secure e-mail
KS
KS ( )
KB ( )
K+
B
+
+
KB(KS )
KS(m )
KS(m )
KS ( )
Internet
KS
-
KB ( )
KB(KS )
K-B
Bob:
uses his private key to decrypt and
recover KS
uses KS to decrypt KS(m) to recover m
Network Security
8-57
KA-
H( )
K ( .)
KA(H(m))
KA(H(m))
+
m
K+
A
Internet
KA ( )
H(m )
compare
H( )
H(m )
Network Security
8-58
KA
H( )
KA ( )
KA(H(m))
KS
KS ( )
m
KS
KB ( )
K+
B
Internet
KB(KS )
8-59
Chapter 8 roadmap
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8-60
deployed security
protocol
supported by almost all
browsers, web servers
https
billions $/year over SSL
mechanisms:
[Woo 1994],
implementation: Netscape
variation -TLS: transport
layer security, RFC 2246
provides
confidentiality
integrity
authentication
original
goals:
Web e-commerce
transactions
encryption (especially
credit-card numbers)
Web-server
authentication
optional client
authentication
minimum hassle in
doing business with
new merchant
available to all TCP
applications
secure socket interface
Network Security
8-61
Application
SSL
TCP
IP
normal application
TCP
IP
application with SSL
8-62
H( )
.
K ()
-
KA(H(m))
KS( )
m
KS
KS
KB ( )
KB
Internet
KB(KS )
Network Security
8-63
8-64
rtificate
public key ce
KB +(MS) = EMS
Network Security
8-65
four keys:
Kc = encryption key for data sent from client to
server
Mc = MAC key for data sent from client to server
Ks = encryption key for data sent from server to
client
Ms = MAC key for data sent from server to client
8-66
length
data
MAC
Network Security
8-67
8-68
type
data
MAC
Network Security
8-69
encrypted
bob.com
data
se
Network Security
8-70
Network Security
8-71
cipher suite
public-key algorithm
symmetric encryption
algorithm
MAC algorithm
Network Security
8-72
Network Security
8-73
2.
3.
4.
5.
6.
8-74
Network Security
8-75
8-76
data
fragment
record
header
data
fragment
MAC
encrypted
data and MAC
record
header
MAC
encrypted
data and MAC
8-77
2 bytes
3 bytes
SSL version
length
data
MAC
8-78
Real SSL
connectio
n
handshake: ClientHel
lo
ServerHello
:
e
k
a
h
s
d
n
a
h
Certificate
handshake:
lloDone
e
rH
e
rv
e
S
:
handshake
handshake: Client
KeyExchange
ChangeCipherS
pec
everything
henceforth
is encrypted
handshake: Finishe
pec
ChangeCipherS
inished
F
:
e
k
a
h
s
d
han
application_data
a
application_d
ta
notify
Network Security
8-79
Key derivation
Network Security
8-80
Chapter 8 roadmap
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8-81
What is network-layer
confidentiality ?
blanket coverage
Network Security
8-82
motivation:
institutions often want private networks
for security.
costly: separate routers, links, DNS
infrastructure.
VPN:
Network Security
8-83
Secure
payloa
d
router w/
IPv4 and IPsec
IP er
ad
he
IPsec
heade
r
pa
ylo
ad
e
cur
Se load
y
pa
router w/
IPv4 and IPsec
laptop
w/ IPsec
salesperson
in hotel
ec
IPs der
a
he
IP
heade
r
IPsec
header
IP r
e
ad
he
Secur
e
paylo
ad
public
Internet
he IP
ad
er
ad
ylo
pa
headquarters
branch office
Network Security
8-84
IPsec services
data integrity
origin authentication
replay attack prevention
confidentiality
two protocols providing different service
models:
AH
ESP
Network Security
8-85
IPsec
IPsec
Network Security
8-86
IPsec
IPsec
IPsec
IPsec
hosts IPsec-aware
Network Security
8-87
Network Security
8-88
Host mode
with ESP
Tunnel mode
with AH
Tunnel mode
with ESP
8-89
8-90
Example SA from R1 to R2
Internet
headquarters
200.168.1.100
R1
193.68.2.23
security association
172.16.1/24
branch office
R2
172.16.2/24
8-91
8-92
IPsec datagram
focus for now on tunnel mode with ESP
enchilada authenticated
encrypted
new IP
header
ESP
hdr
SPI
original
IP hdr
Seq
#
Original IP
datagram payload
padding
ESP
trl
ESP
auth
pad
next
length header
Network Security
8-93
What happens?
Internet
headquarters
200.168.1.100
R1
branch office
193.68.2.23
security association
172.16.1/24
R2
172.16.2/24
enchilada authenticated
encrypted
new IP
header
ESP
hdr
SPI
original
IP hdr
Seq
#
Original IP
datagram payload
padding
ESP
trl
ESP
auth
pad
next
length header
Network Security
8-94
Network Security
8-95
ESP
hdr
SPI
original
IP hdr
Seq
#
Original IP
datagram payload
padding
ESP
trl
ESP
auth
pad
next
length header
8-96
goal:
prevent attacker from sniffing and replaying a packet
receipt of duplicate, authenticated IP packets may
disrupt service
method:
destination checks for duplicates
doesnt keep track of all received packets; instead
uses a window
Network Security
8-97
8-98
8-99
IKE phases
IPsec summary
Chapter 8 roadmap
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
keystream
generator
keystream
keystream
generator
keystreampacket
IV
Key
ID
data
ICV
MAC payload
Network Security 8-108
d2
d3
dN
CRC1 CRC4
c1
c2
c3
cN
cN+1 cN+4
802.11
IV
header
&
WEP-encrypted data
plus ICV
IV
Key
ID
data
ICV
MAC payload
receiver extracts IV
inputs IV, shared secret key into pseudo random
generator, gets keystream
XORs keystream with encrypted data to decrypt
data + ICV
verifies integrity of data with ICV
note: message integrity approach used here is
different from MAC (message authentication
code) and signatures (using PKI).
Network Security 8-110
End-point authentication w/
nonce
WEP authentication
authentication request
nonce (128 bytes)
nonce encrypted shared key
success if decrypted value equals nonce
Notes:
not
8-112
attack:
Trudy causes Alice to encrypt known plaintext d 1 d2
d3 d4
Trudy sees: ci = di XOR kiIV
Trudy knows ci di, so can compute kiIV
Trudy knows encrypting key sequence k 1IV k2IV k3IV
Next time IV is used, Trudy can decrypt!
802.11i: improved
security
STA:
client station
AS:
wired
network
Authentication
server
1 Discovery of
security capabilities
2 STA and AS mutually authenticate, together
generate Master Key (MK). AP serves as pass through
3 STA derives
Pairwise Master
Key (PMK)
4 STA, AP use PMK to derive
Temporal Key (TK) used for message
encryption, integrity
3 AS derives
same PMK,
sends to AP
EAP TLS
EAP
EAP over LAN (EAPoL)
IEEE 802.11
RADIUS
UDP/IP
Network Security 8-116
Chapter 8 roadmap
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
Firewalls
firewall
isolates organizations internal net from
larger Internet, allowing some packets to
pass, blocking others
administered
network
public
Internet
Firewalls: why
prevent denial of service attacks:
SYN flooding: attacker establishes many bogus
TCP connections, no resources left for real
connections
prevent illegal modification/access of internal data
e.g., attacker replaces CIAs homepage with
something else
allow only authorized access to inside network
set of authenticated users/hosts
three types of firewalls:
stateless packet filters
stateful packet filters
Network Security
application gateways
8-119
Firewall Setting
Drop all incoming UDP packets except DNS and router broadcasts.
source
address
dest
address
allow
222.22/16
outside of
222.22/16
allow
outside of
222.22/16
allow
222.22/16
allow
outside of
222.22/16
222.22/16
deny
all
all
222.22/16
outside of
222.22/16
protocol
source
port
dest
port
flag
bit
TCP
> 1023
80
TCP
80
> 1023
ACK
UDP
> 1023
53
---
UDP
53
> 1023
----
all
all
all
all
any
source
address
dest
address
outside of
222.22/16
222.22/16
protocol
source
port
dest
port
flag
bit
TCP
80
> 1023
ACK
source
address
dest
address
proto
source
port
dest
port
allow
222.22/16
outside of
222.22/16
TCP
> 1023
80
allow
outside of
222.22/16
TCP
80
> 1023
ACK
allow
222.22/16
UDP
> 1023
53
---
allow
outside of
222.22/16
222.22/16
UDP
53
> 1023
----
deny
all
all
all
all
all
all
222.22/16
outside of
222.22/16
flag
bit
check
conxion
any
Application gateways
host-to-gateway
telnet session
filters packets on
application data as well
as on IP/TCP/UDP fields.
example: allow select
internal users to telnet
outside.
application
gateway
gateway-to-remote
host telnet session
Application gateways
host-to-gateway
filter packets on
application data as welltelnet session
as on IP/TCP/UDP fields.
example: allow select
internal users to telnet
outside
application
gateway
router and filter
gateway-to-remote
host telnet session
Limitations of firewalls,
gateways
Intrusion detection
systems
packet filtering:
Intrusion detection
systems
multiple IDSs: different types of
checking at different locations
firewall
internal
network
IDS
sensors
Internet
Web
DNS
server FTP server
server
demilitarized
zone
Network Security 8-130
Network Security
(summary)
basic techniques...
secure email
secure transport (SSL)
IP sec
802.11