Understanding Cryptography: Key Distribution, Public Key Encryption, and Message Integrity, Slides of Computer Networks

Download Understanding Cryptography: Key Distribution, Public Key Encryption, and Message Integrity and more Slides Computer Networks in PDF only on Docsity! Computer Networking Technology II Security Docsity.com Security in Networks • Any two nodes (hosts, routers, etc.) might need to exchange data securely – Secure email, transfer routing tables, military secrets, private data (SSN, Visa), DNS servers, etc. all need secure communication • Security has many aspects – End-point Authentication: If Bob and Carol are communicating, how do they know it’s really Bob and Carol? Docsity.com Non-network Example • Consider the problem of a bomb on a plane – Prevent: might prevent the problem by 1) scanning luggage and passengers, 2) requiring security checks for airport employees, and 3) controlling access to planes on the ground – Detect: detect the problem by 1) a bomb going off, or 2) someone identifying they have a bomb – Mitigate: Reduce damage by 1) reducing altitude before the bomb goes off, 2) design the plane to avoid duplicate systems next to each other Docsity.com Non-network Example • This illustrates some important principles – Security costs effort and money – Security is often inconvenient, even annoying • Security measures often directly reduce productivity – Security often affects systems beyond the immediately obvious ones – Design of the system is often affected by security risks, even if they are rare events Docsity.com Security vs classification • In discussing security, the notion of classification (e.g. Confidential, Secret, Top Secret, etc.) can emerge • Systems to handle classified material are known as ‘trusted’ systems – look for that keyword – Often based on old standards such as the Rainbow Series’ Orange Book Docsity.com Cryptography • At the receiving end, the cipher text is turned back into plain text using a decryption algorithm, KB) Docsity.com Keys • A key is a string of characters, numbers, and other ASCII symbols that feeds into the encryption and decryption algorithms • The longer the key (in bits), the harder it is to break – DES uses a 56-bit key – RC5-64 is a 64-bit key, RC5-72 is 72-bit – RSA and AES use up to 128-bit keys – PGP uses up to 4096-bit keys (great crypto paper) Docsity.com Keys • There are two major encryption approaches – symmetric key and public key • Symmetric key means that KA = KB – The same key is used by both sender and receiver • Public key encryption requires a public key that anyone can know, plus different private keys for sender and receiver – Public key requires longer keys for equal security Docsity.com Key Breaking Approaches • There are three ways to approach breaking an encrypted message – Cipher-text-only attack – you only have the ciphertext, and little or no clue what it contains – Known-plaintext attack – when some of the message contents are known, such as certain names, words or phrases that should appear – Chosen-plaintext attack – when you can feed text (‘The quick brown fox jumps over the lazy dog’) into the cipher, and see what it produces Docsity.com Symmetric Key Crypto • The Caesar cipher was very simple • Just move the alphabet down some number of characters, ‘k’ – A  G (for k = 6) – Then B  H, C  I, D  J, etc. – Wrap around when you get to T  Z, U  A • If you know this is the type of cipher, there are only 25 different possible keys! Docsity.com Symmetric Key Crypto • Improve on this with a monoalphabetic cipher • Each letter corresponds to some other letter, but they aren’t in order – A  V, B  L, C  R, or whatever • This makes 26! (= 4.03E26 or 4.03x1026) key combinations in theory, but patterns of common words make it a lot easier to break than that would suggest Docsity.com DES • Each of the 48-bit keys (K1 to K16) are different parts of the overall 56-bit key Docsity.com DES Code-Breaking Tests • In 1997 it took under four months to break a DES-encrypted message by brute force (keep trying keys until one works) – In February 1998 it took 41 days – In July 1998 it took 56 hours – In January 1999 it took 22.25 hours, though using nearly 100,000 PC’s Docsity.com Triple-DES • Ok, so DES isn’t perfect • Triple-DES (3DES) runs DES three times with different keys – Makes for a 168-bit key! – Used for PPP encryption Docsity.com Public Key Encryption • So all this symmetric key stuff is good, but how to you exchange the keys securely? • Easier if we can show part of our key publicly • First public key approach was the 1976 Diffie-Hellman Key Exchange algorithm – Sender and receiver have public keys – Each receiver also uses a private key to decrypt a message Docsity.com Public Key Encryption poo e eee eee eee eee eee ee Ke Bob's public key Ce - Bob's private Ke key ! 1 ! 1 i} 1 1 ¥ a off plaintext Asse iat) ciphertext eliaeyautld plaintext me algorithm K*(m) een message m = Kg(K,(m)) Why does this provide confidentiality? ® Docsity.com Public Key Encryption • Two main concerns with public key ciphers – An intruder can easily know a receiver’s public key, and the encryption method, so a chosen-plaintext attack is possible – Hence private keys, and verifying the sender of a message are critical – the digital signature • The best known public key algorithm is RSA – Named for Rivest, Shamir, and Adleman Docsity.com RSA • So the theory isn’t too weird, just tedious because of the large numbers involved • Finding large prime numbers is a critical element of many crypto schemes – RSA is no exception • Also important is how to choose d and e • Such issues are beyond our scope here Docsity.com RSA vs DES • RSA is 100 times slower than DES in software, and 1000 to 10,000 times slower than DES in hardware – Hence RSA is often used with DES or AES • For example, a DES session key KS can be sent via public RSA key, and then the rest of the transmission can be done using DES Docsity.com Why does RSA work? • The trick is that p and q are prime, so – 1 = mod (p-1)(q-1) = mod z • And we chose ed so that (ed-1)/z has no remainder, hence ed mod (z) = 1 • Encryption followed by decryption of message m therefore gives – (m^e)^d = m^1 mod n = m (the original message) Docsity.com Digital Signature • For Fred to sign a message, m, he applies his private key to encrypt the message – The result is the signed message • To recover the message, apply his public key • Yes, this is the reverse of the way to send an encrypted message – Which was use the public key to create cipher text, then use the private key to decode it Docsity.com Digital Signature • Why does this work backward? – The application of public and private keys is just math operations – in this case, doing them in either order results in recovering the original message • Since only Fred knows his private key (we hope!), that proves the message was generated by him – Don’t share a private key – EVER!!! Docsity.com Message Digests • Digital signatures are very computationally expensive • Want a way for large volumes of data to verify the sender of a message, and make sure the data wasn’t changed • A message digest does this, while being cheaper than a full blown digital signature – A message digest is a cryptographic hash function, like checksums and CRC codes Docsity.com Message Digests • To improve on this approach, create the hash of the message (m) AND a secret authentication key (s) – H(m+s) = a Message Authentication Code, MAC – This MAC is unrelated to the link layer MAC address • HMAC (noted later) is a popular standard for generating MACs Is a MAC encrypted? Docsity.com Message Digests • So two mechanisms are used in the message digest – The application of private and public keys is used “to verify the sender of a message” – The hash function is used to “make sure the data wasn’t changed” • The MD5 algorithm (Ron Rivest) is widely used for creating 128-bit message digests – See RFC 1321, if really bored on a long flight Docsity.com Message Digests • If MD5 isn’t good enough for you, try SHA-1, which has a 160-bit message digest – Based on MD4 (which preceded MD5) – Stands for Secure Hash Algorithm, defined by FIPS 180-2 – SHA can handle message sizes up to 264 or 2128 bits (that’s 1.8E19 or 3.4E38 bits) • Still not secure enough? – SHA-512 has, yes, 512-bit message digests Docsity.com Key Distribution Center (KDC) – Alice now knows the one-time session key, and sends the encrypted key to Bob – Bob decodes it, and now also knows the one-time session key – Now Alice and Bob can communicate securely using R1 • Sneaky, huh? • The critical (and risky) part is that the KDC knows everyone’s secret key Docsity.com Key Distribution Center (KDC) KDC e = Ky xpc(A,B) > GEHL Haenerates _ ie ee Alice xoc(R1, tS ) Bob knows to knows use R1 to RI Ke xnc(A.R1) > communicate with Alice Alice and Bob communicate: using R1 as session key for shared symmetric encryption ® Docsity.com Public Key Certification • Public keys can be made available many places – Email signature lines, web pages, or put in a public key server • But if I tell you XYZ123 is my public key, how do you know it’s really mine, and not someone else’s? – That’s the role of public key certification – to verify the identity of a public key Docsity.com Certification Authority (CA) • The ITU and IETF both have standards for certificate authorities – ITU X.509 and RFC 1422, respectively – Verisign is among the better known CAs Docsity.com Authentication • Authentication is proving your identity – Over a network, no one can tell if you’re you! • Assume we’re dealing with live communication – A later issue is whether a message in the past was really sent – the digital signature problem • Here, authentication is done via messages (duh!) from an authentication protocol Docsity.com Authentication • The authentication protocol has to confirm the identities before communication occurs • We’ll look at increasingly complex versions of an authentication protocol, “ap”, much like we did for TCP last term – Don’t worry, no finite state diagrams this time Docsity.com Ap3.0 • Ok, how about using a password to authenticate the user? – If the sender sends a password, it could be intercepted, and later used to fraudulently authenticate a spy – Many passwords (HTTP, Telnet, FTP) are sent in plain text, or are trivially encoded • Sniffing packets on a server is an easy way to steal passwords Docsity.com Ap3.1 • Um, so encrypt the password! – (Assuming a symmetric cipher is used) • Nope, no good – A sniffer could record the cipher text of the password, and replay it to log in (a playback attack) – Even though the sniffer doesn’t learn what the password is, they can still impersonate the sender Docsity.com Ap4.0 • Well, the problem was reusing the same password over and over – what if it’s unique? • What if we have a sequence or set of passwords, and use each one only once? • Use a nonce – a number used by the protocol only once EVER, like this – Sender sends message to receiver – Receiver chooses a nonce, R, and replies Docsity.com Ap5.0 • Can we achieve the good outcome of ap4.0 using public key encryption? • Try this: – Sender sends message to receiver – Receiver chooses a nonce, R, and replies – Sender uses private key to encrypt the nonce, and sends it back to receiver – Receiver uses sender’s public key to compute R and authenticates the sender Docsity.com Ap5.0 • So what’s wrong? Try this scenario – Thief sends message impersonating sender to receiver – Receiver chooses nonce, R, and replies with it – Thief intercepts message, uses her private key to encode the message, and sends it to receiver – Receiver asks sender for public key, but it’s intercepted by the Thief, who sends their public key – Thief is authenticated as the sender! Docsity.com Ap5.0 • The goodness of ap5.0 is limited by the availability of public keys • Similarly, a man-in-the-middle or bucket brigade attack puts the Thief in the middle of the real conversation, unknown to either side – Worse, neither sender nor receiver will know their content was seen by the Thief in the middle Docsity.com Firewalls • The goals of a firewall are generally – All traffic into and out of the organization must pass through a firewall – Only authorized traffic will be allowed to pass – The firewall itself is immune to attack • Firewalls are inherently paranoid – The default setting is to allow nothing in or out! Docsity.com Firewalls • Firewalls fall in three categories – Packet filters (network level) – Stateful filters – Application gateways • First look at packet filtering – Most organizations have a firewall at the boundary to the public Internet (plus possibly others internally) Docsity.com Firewalls • Packet filters can look at each packet’s – Source and/or destination IP addresses – Type of protocol (transport or application) – Source and/or destination port number – TCP flag bits – SYN, ACK, etc. – ICMP message type • Rules can vary for inbound vs outbound traffic, or for different router interfaces Docsity.com Firewalls • Even a simple firewall (Cisco PIX 501, about $400) can control (see handout) – Which interfaces are active, and at what speeds – IP addresses allowed to take data in – IP addresses allowed to send data out – Which protocols are allowed to operate – Which ports are allowed for each protocol – Use of authentication servers (e.g. RADIUS) – If the firewall acts as an HTTP or DHCP server Docsity.com Firewalls – Use of a virtual private network (VPN), and what types of encryption are used (DES, 3DES, AES) – IP addresses of the interfaces – Where NAT is running inside the network – SNMP server information • Licensing issues include how many interfaces are active (2+), how many hosts can be connected (10, 50, or unlimited), allowable throughput, and whether VPN is available Docsity.com Stateful Packet Filters • Stateful filters track each TCP connection, and decide in the context of that connection how to apply filtering rules – Do so by creating a connection table with each connection’s source and destination IP and port number – An access control list can define the rules for allowable IP, port, transport protocol, flags, etc. Docsity.com Intrusion Detection Systems • An IDS does deep packet inspection, looking at packet message contents instead of just headers – An IDS can be signature-based, where it keeps a database of attack signatures for various forms of attack – Or an anomaly-based IDS looks for statistically unusual packet patterns Docsity.com Intrusion Detection Systems • The network between a packet filter and an IDS can be called the DMZ (demilitarized zone) – Public web servers are typically inside the DMZ • Snort is an open source IDS Docsity.com Network Attacks • Many kinds of attacks on computer networks are possible – Can attack common operating systems – Can attack applications – Can attack the network itself • We’ll focus on the latter – Disclaimer: Naturally this isn’t intended to be a user’s guide to hacking, but is intended to help you be proactive to protect your network Docsity.com Packet Sniffing • A packet sniffer receives all packets coming into or leaving a host – Promiscuous mode allows it to receive all passing frames – Unencrypted user names and passwords can be found this way No, packet sniffing! Docsity.com Packet Sniffing • To detect Packet Sniffing, need to detect network interfaces (NICs) that are in promiscuous mode • One way is to send ICMP Echo Request messages to all hosts, with a correct IP address, but wrong MAC address – Hosts that Reply are likely to be in promiscuous mode • Encrypt data when sniffing may be present Docsity.com Spoofing • IP Spoofing is deliberately changing the IP address a datagram claims to be from • This is used to hide the true source of an attack, such as denial-of-service • Spoofing is preventable with ingress filtering – Have a router check to see if the packet came from the correct interface to have come from the claimed source IP address – Still, not very powerful if router has few interfaces Docsity.com Distributed DoS • Sneakier yet is the distributed DoS attack – A master attacker gains access to many unsuspecting hosts (e.g. via password sniffing) – The master installs a DoS application on each slave host – When a signal is sent, all of the slaves start a DoS attack against the same server • Since many hosts are involved in the attack, it’s very difficult to defend against this Docsity.com Hijacking • Hijacking a connection means you take over one side of it, without the other side being aware of the subterfuge – An attacker monitors a connection to find out ACK and sequence numbers, IP addresses, etc. – They DoS attack one sender to keep them from responding, and start communicating with the other sender in place of the original host • The other sender may not be able to tell someone else is present! Docsity.com Case Studies • All of the top four layers of protocols (App, Transport, Network, Link) can provide security to varying degrees – All layers above the secure one benefit from its security – Higher layer security needed for user-level protection; lower layers harder to implement • We’ll look at case studies in each layer – E-mail, SSL, IPsec, and 802.11 Docsity.com Case Study: Secure E-mail • Now ignore confidentiality for a moment, and consider sender authentication and message integrity – Sender applies a hash function (MD5) to a message, and signs it with their private key – Receiver applies sender’s public key, and compares the received hash value with that generated locally – This accomplishes both desired functions Docsity.com Case Study: Secure E-mail • Now combine the two approaches – Sender generates a hash of their message and applies their private key to the hash – The hash + message then has their symmetric key applied – Receiver gets the message, undoes the symmetric encryption, applies the sender’s public key to recover the sent hash, and compares to the locally generated hash • Easy, huh? Docsity.com Case Study: Secure E-mail • So to provide secure email we’re using three technologies – Hash functions & digital signatures – Symmetric key crypto – Public key crypto • Does it work? Yup! – And it has since 1991 Docsity.com Pretty Good Privacy (PGP) • Key certification is done partially by mutual assurance – A user can certify a user/key combination – Some have mutual key signing parties (yippee) • But most people advertise their public keys via email or personal web sites Docsity.com Secure Sockets Layer (SSL) • Secure Sockets Layer provide security at the transport layer • Secure business transactions (stock trades, finance, etc.) are a key motivation – Otherwise sensitive info could be stolen, or a false storefront could trick real customers • SSL was created by Netscape to provide encryption and authentication between a web browser and a web server Docsity.com Secure Sockets Layer (SSL) • SSL starts with a handshake phase to negotiate which crypto algorithm will be used (DES, IDEA, etc.), and authenticates the server to the client – During the session, all data is encrypted using keys negotiated during handshake • SSL 3.0 is the basis for the Transport Layer Security (TLS) protocol, RFC 4346 (new) Docsity.com