Communication Networks II Network Security

ECE544: Communication Networks-II
Spring 2009
H. Liu
Lecture 10 (Network Security)
Includes teaching materials from D. Raychaudhuri
Today’s Lecture
• Introduction
– Security Services and Mechanisms, Security Attacks
– Model for Internet Security
• Cryptography
– Symmetric Key algorithms: DES, 3DES, RC4, etc.
– Asymmetric Key algorithms: Public-keys, Hash Algorithms,
Digital signatures
• Security Protocols
– Authentication,
– Mail Security (PGP), TLS (SSL), IP security (IPSec), 802.11i
• System Security
– viruses, intruders, worms
– Firewalls
Introduction, Security Services
• Confidentiality
– Protection of transmitted data
• Integrity
– Assuring that received message was not modified, reordered,
duplicated, replayed, delayed. Keep data integrity, originality,
timeliness.
• Authentication
– Assuring that communication is authentic. Authentication entails
integrity.
• Access Control
– Ability to limit and control access to system
• Availability
– Loss of or reduction of availability (denial of service)
• Non-repudiation and nonforgeability
– Disprove a bogus denial (repudiation) of a transaction or disprove
claim of a bogus (forged) transaction
Introduction, Security Mechanisms
• Encryption
– DES, RC4, AES
• Hash algorithms
– MD5, SHA
• Public key algorithms
– RSA
• Message integrity
• Digital signatures & certificates
• Public key distribution
• Authentication algorithms
– Kerberos
Introduction, Security Attacks
• Interruption
– System is destroyed or becomes unavailable or unusable,
blocking the communication. Link hijacking
• Interception
– Unauthorized party gains access to communication, attack
on confidentiality, decrypting communication, traffic analysis
• Modification
– Unauthorized party not only gains access but also tampers
with communication. Changing value in data file
• Fabrication
– Unauthorized party inserts counterfeit information into
communication, attack on integrity. Creating artificial
messages.
Security Threats
Cryptography, Conventional Encryption Model
• Cryptography:
– Operation used for transforming plaintext to ciphertext
• Substitution: elements in plaintext are mapped into another
element
• Transposition: elements in plaintext are rearranged
– Number of keys used
• Both sender and receiver use the same key: the system is symmetric,
single-key, secret-key or conventional encryption
• Sender and receiver each use a different key: the system is
asymmetric key
– Way in which the plaintext is processed
• Block cipher, input data processed block by block
• Stream cipher, input data processed continuously
• Cryptanalysis
– Process (science) to break encryption
Conventional Encryption
Ciphertext = Plaintext ⊕ Key
Plaintext = Ciphertext ⊕ Key
= (Plaintext ⊕ Key) ⊕ Key
= Plaintext ⊕ (Key ⊕ Key)
= Plaintext
Classical Encryption Techniques
• Caesar Cipher
– Plain: meet me after the party
– Cipher: PHHW PH DIWHU WKH SDUWB
C=E(p)=(p+3) mod(26)
P=m+3 (m, 1-n,2-l, 3-o, “P”)
• Polyalphabetic Cipher
– Key: deceptiondeceptiond
– Plain: meetmeaftertheparty
– Cipher: qjhxcyjuhiwwkujjghc
C=E(k⊕p), ⊕ is exclusive-or (XOR)
• Rotor Machines: Famous “ENIGMA”
These techniques became very weak around and after
World War II.
Modern Security Taxonomy
• Security
– Cryptography algorithms
• Secret key (e.g., DES)
• Public key (e.g., RSA)
• Message digest (e.g., MD5)
– Security services
• Privacy
• Authentication
• Message integrity
Modern Cryptographic Algorithms
• Cryptography Algorithms
– Secret Key (Symmetric)
• Symmetric key
• Block cipher (DES, AES)
• Stream ciphers (RC4)
– Hash algorithms
• Authentication and integrity checking (MD5, SHA)
– Public Key (Asymmetric)
• Asymmetric key
• Public-Private keys (RSA)
What Cryptography Does?
• Diffusion:
– Statistical structure of the plaintext is dissipated into long
range, each plaintext digit affects many ciphertext digits.
• Confusion:
– Seeks to make the relationship between the statistics of
ciphertext and the encrypted value as complex as possible.
P1 ⊕ K = C1
P2 ⊕ K = C2
C1 ⊕ C2 = P1 ⊕ P2
Key sizes and Brute Force Attacks
Key
Length
(bits)
Junior Cracker
10^3 Processors
32
56 (DES)
64
90
96
128
6 months
2 minutes
7 x 10^6 years
70 years
10^9 years
10^4 years
10^17 years
10^12 years
10^18 years
8 x 10^13 years
10^28 years
3 x 10^23 years
Average Cracker
Senior Cracker
World’s Best
Cracker
Single Processor
10^4 Processors 10^6 Special
Purpose
Processors
Best Possible
With Current
Technology
2 days
2 seconds
10^4 years
8 months
10^7 years
100 years
10^15 years
10^10 years
10^16 years
8 x 10^11 years
10^26 years
3 x 10^21 years
20 minutes
Real time
700 years
2 minutes
10^5 years
15 minutes
10^13 years
10^3 years
10^14 years
8 x 10^4 years
10^24 years
3 x 10^4 years
4 hours
Real time
7 x 10^3 years
6 hours
10^6 years
3 months
10^14 years
10^7 years
10^15 years
8 x 10^8 years
10^25 years
3 x 10^18 years
Block Ciphers
• Block of fixed-length plaintext (typically 64 bits or 128 bits) is
treated as a whole and used to produce a ciphertext block of
equal length.
• Example: DES (Data Encryption Standard), AES (Advanced
Encryption Standard)
[Figure: the plaintext is split into blocks of plaintext; encryption with the secret key turns them into blocks of ciphertext]
Mode of Operation of Block Ciphers
• Electronic codebook (ECB) mode: The message is
divided into blocks and each block is encrypted
separately.
– Disadvantage: identical plaintext blocks are encrypted into
identical ciphertext blocks; thus, it does not hide data
patterns well.
• Cipher block chaining (CBC)
[Figure: CBC encryption of plaintext blocks 1-3. The initialization vector (IV) is combined (+) with plaintext block 1 before block cipher encryption under the key; each ciphertext block is combined (+) with the next plaintext block before that block is encrypted.]
Single Round of DES Algorithm
[Figure: single round of DES. Labels: 32-bit L(i-1) and R(i-1); 28-bit C(i-1) and D(i-1); Left shift (s); Expansion (48 bits); Choice/Perm; K(i); F; Permutation; outputs L(i), R(i), C(i), D(i)]
L(i) = R(i-1), R(i) = L(i-1) ⊕ F(R(i-1), K(i))
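Added example (not part of the original lecture): the round equation L(i) = R(i-1), R(i) = L(i-1) ⊕ F(R(i-1), K(i)) built into a toy 64-bit Feistel cipher, then run in ECB and CBC mode to show the ECB pattern leak described on the modes slide. The round function, key schedule, key, IV and plaintext are constructed assumptions; this is not DES and not for real use.

```python
import hashlib
import hmac

BLOCK = 8     # 64-bit block = two 32-bit halves, as in the DES round
ROUNDS = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def subkeys(key: bytes) -> list:
    # Assumed toy key schedule: K(i) = SHA-256(key || i), not DES's shift/permute schedule.
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]

def round_f(right: bytes, k: bytes) -> bytes:
    # Assumed stand-in for F(R(i-1), K(i)): HMAC-SHA256 truncated to 32 bits.
    return hmac.new(k, right, hashlib.sha256).digest()[:4]

def feistel(block: bytes, keys: list) -> bytes:
    left, right = block[:4], block[4:]
    for k in keys:
        # L(i) = R(i-1), R(i) = L(i-1) XOR F(R(i-1), K(i))
        left, right = right, xor(left, round_f(right, k))
    return right + left  # final swap: the same network with reversed keys decrypts

def encrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, subkeys(key))

def decrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, subkeys(key)[::-1])

def split(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of 8-byte blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(plaintext: bytes, key: bytes) -> bytes:
    # ECB: every block is encrypted separately.
    return b"".join(encrypt_block(b, key) for b in split(plaintext))

def cbc_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for b in split(plaintext):
        prev = encrypt_block(xor(b, prev), key)  # XOR with IV / previous ciphertext block
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for c in split(ciphertext):
        out.append(xor(decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)

def repeated_blocks(ciphertext: bytes) -> int:
    # Number of ciphertext blocks that duplicate an earlier block.
    blocks = split(ciphertext)
    return len(blocks) - len(set(blocks))

# Constructed sample input: three identical 8-byte blocks and one different block.
KEY = b"constructed demo key"
IV = bytes.fromhex("0011223344556677")  # fixed for repeatability; use a fresh random IV per message
PLAINTEXT = b"PAY 100$" * 3 + b"PAY 999$"

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(PLAINTEXT, KEY)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(PLAINTEXT, KEY, IV)))
```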
3DES & AES
• 3DES: DES key is 56 bit, not good enough, but
widely available in HW and SW, so use three times
with different keys.
[Figure: 3DES. Plaintext input → DES encrypting (shared secret Key1) → DES decrypting (shared secret Key2) → DES encrypting (shared secret Key3) → ciphertext output]
• Advanced encryption standard (AES): key length:
128, 192, or 256 bits; block size: 128 bits
Stream Ciphers
• Encrypt a digital data stream one bit or one byte at a
time
• Example: RC4(Rivest Cipher-4)
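[Figure: the shared key feeds the key generator (Key Gen), which produces the key stream; encryption combines the plaintext with the key stream to produce the ciphertext]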
Hash Algorithms
• Encryption does not provide data integrity, need
message authentication.
• Hash algorithms produce a FINGERPRINT of the
message, entity
– Can be applied to a block of data of any size
– Produces fixed length output (message digest)
– Relatively easy to compute in both HW and SW
– It should be infeasible to compute message from hash (one-way property)
– Computationally infeasible to find any pair of messages that
have the same hash value (strong collision resistance)
• Collision: any two messages that produce the same digest
– MD5: 128-bit digest; SHA-1: 160-bit digest
Hash Algorithms(one-way functions)
• Integrity checking, authentication of the message
Message => MD5 output (128bit)
1234567890 => 7c12772809c1c0c3deda6103b10fdfa1
1234567891 => eac9407dc999ae35ba5e6851e28d7c53
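[Figure: at the source, the plaintext is passed through the hash function and the hash value is sent with the plaintext; at the destination, the received plaintext is passed through the hash function again and the two hash values are compared to see if both are the same]
Encrypting the message digest to create an authenticator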
Hash Algorithms(one-way functions)
[Figure: the padded message is processed in 512-bit blocks; starting from the initial “digest” (constant), a Transform is applied for each block, and the output of the last Transform is the message digest]
Other kinds of authenticators
• Message authentication code (MAC): use a hash-like function that takes a secret value (known only by sender and receiver) as parameter to generate MAC
• Hashed message authentication code (HMAC)
[Figure: MAC: the plaintext and the secret are inputs to the MAC algorithm, giving the MAC to append to the message. HMAC: the secret and the plaintext are concatenated and fed to the hash algorithm, giving the HMAC to append to the message.]
View of Public Key Scheme
• A pair of keys
– Keep the decryption keys secret (private key) so only owner can
decrypt message
– Make encryption key public (public key) so anyone can encrypt
messages for the owner
• Public key ciphers: RSA, ElGamal
Public-Key Cipher for Authentication
• Additional property of public key cipher
– Private key can be used with encryption algorithm to encrypt
messages so they can only be decrypted using the public key
• Use the private key to encrypt a message digest => digital signature
– Nonrepudiation like a written signature
Comparison between Public Key and
Symmetric Key Algorithms
• Public-key ciphers are several orders of magnitude slower than symmetric-key ciphers
• Used for authentication and to confidentially distribute symmetric keys
• Public-key ciphers such as RSA need much larger keys, at least 1024 bits to be
secure
[Figure: effort to crack versus key length (bits), with axis marks at 64, 128, 512 and 2K; curves labelled ~10-100 Mbps DES and ~100 Kbps RSA]
Key Distribution
• Depend on short-lived session key or longer-lived
pre-distributed keys
• Distribution
• A key could be selected by A and physically
delivered to B.
• A third party could select the key and physically
deliver it to A and B.
• If A and B have previously used a key, one party
could transmit the new key to the other, encrypted
using the old key.
• If A and B each have an encrypted connection to
a third party C, C could deliver a key on the
encrypted links to A and B.
Pre-distribution of Public Keys
• How can I trust a public key?
– Public-key certificate: a certificate binding between public
key and identity that is digitally signed by a certificate
authority (CA)
– X.509 certificate
• The identity of the entity being certified
• The public key of the entity being certified
• The identity of the signer
• The digital signature
• A digital signature algorithm identifier (which cryptographic
hash and which cipher)
• Expiration time of the certificate
– Public key infrastructure: a complete scheme for certifying
binding between public keys and identities
• Out of band, Certificate
Certificate Authorities
IPRA = Internet Policy
Registration Authority (root)
PCAn = policy certification authority
CA = certification authority
[Figure: certification hierarchy with the IPRA at the root, PCA1, PCA2 and PCA3 below it, CAs below the PCAs, and Users below the CAs]
Certificate Revocation:
•Why: Someone has discovered your private key
•How
•CA issues a Certificate revocation list (CRL) that is a digitally signed list of
revoked certificates.
•Online Certificate Status Protocol (OCSP) : communicate with, and between
OCSP servers to check a certificate’s validity.
Message Integrity
• Digital signature
- Sender uses private key to sign message
- Hash using MD5 or SHA-1 to get message
digest
- then use the private key to encrypt the
digest to create the digital signature
- Receiver decrypts with public key, e.g. RSA
• Keyed MD5
- Sender transmits m + MD5(m+k)
- k is a secret key known to both sender &
receiver
- Receiver recomputes MD5(m+k) with its copy of the secret key
and compares to confirm
Integrity & Authentication
• Integrity: data integrity, originality and timeliness
– Modify, replay, suppress-replay (delay message) attack
• To authenticate originality and timeliness
– Include timestamp and/or a nonce (a random number)
– Challenge-response protocol
[Figure: challenge-response between Alice and Bob using the timestamp TA: the response message carries TA digitally signed using Bob’s private key, or encrypted using a shared symmetric key]
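Added example (not part of the original lecture): a receiver that checks integrity with an HMAC and originality/timeliness with a timestamp plus nonce, next to the slide's keyed MD5 construction. The frame layout (8-byte timestamp, 16-byte nonce, 32-byte tag, message), the 30-second window and the key are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct

MAX_SKEW = 30          # assumed acceptance window in seconds
HEADER, TAG = 24, 32   # 8-byte timestamp + 16-byte nonce, HMAC-SHA256 tag

def keyed_md5(message: bytes, key: bytes) -> bytes:
    # The slide's construction MD5(m + k), with + meaning concatenation.
    return hashlib.md5(message + key).digest()

def protect(message: bytes, key: bytes, now: int, nonce: bytes = None) -> bytes:
    # Sender: the tag covers timestamp, nonce and message, so none can be altered.
    nonce = nonce if nonce is not None else os.urandom(16)
    header = struct.pack(">Q", now) + nonce
    tag = hmac.new(key, header + message, hashlib.sha256).digest()
    return header + tag + message

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}  # nonce -> timestamp of accepted frames still inside the window

    def accept(self, frame: bytes, now: int) -> str:
        if len(frame) < HEADER + TAG:
            return "malformed"
        header, tag, message = frame[:HEADER], frame[HEADER:HEADER + TAG], frame[HEADER + TAG:]
        expected = hmac.new(self.key, header + message, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "bad-mac"                          # modified message
        (timestamp,) = struct.unpack(">Q", header[:8])
        if abs(now - timestamp) > MAX_SKEW:
            return "stale"                            # delayed (suppress-replay) message
        # Nonces older than the window would be rejected as stale anyway, so drop them.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        nonce = header[8:]
        if nonce in self.seen:
            return "replay"                           # same frame seen twice
        self.seen[nonce] = timestamp
        return "ok"

# Constructed sample key and frame.
KEY = b"constructed shared key"
FRAME = protect(b"transfer 10", KEY, now=1000, nonce=b"\x01" * 16)

if __name__ == "__main__":
    r = Receiver(KEY)
    print(r.accept(FRAME, 1001), r.accept(FRAME, 1002), r.accept(FRAME[:-1] + b"9", 1003))
```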
Authentication
• Authentication
– Three-way hand shake
– Trusted third party or key distribution center (KDC)
– Public Key Authentication (RSA)
– Digital signatures
• Session-key establishment through initial
authentication protocol
Authentication Protocols
• Public key authentication (1)
– No secret shared key needed
– Assume that Alice’s and Bob’s public keys have been pre-distributed
– Assume that A’s and B’s clocks are synchronized
Alice → Bob: SA[TA, IDA]
Bob → Alice: SB[TB, IDB, EA(session key)]
Public-Key Authentication Protocol (2)
• Three-way handshake: does not depend on clock
synchronization
Alice → Bob: SA[TA, IDA]
Bob → Alice: SB[TA, TB, IDB]
Alice → Bob: SA[TB, EB(session key)]
Symmetric-Key Authentication Protocols
• An entity shares a master key with the key distribution center
(KDC)
• Needham-Schroeder authentication protocol
[Figure: Needham-Schroeder message exchange among Alice, the KDC and Bob]
Authentication with KERBEROS
Kerberos Authentication System
[Figure: Kerberos message exchange among Alice, AS, TGS and Bob]
• AS: authentication server
• TGS: ticket-granting server
• Master key between client and KDC can be derived from password
• Timestamp
• K(X-Y): session key shared by X-Y
Diffie-Hellman Key Agreement
• Establish a session key without using any
predistributed keys
– Global public elements, prime number p and generator g
– g must be a primitive root of p: for every number n from 1
through p-1, there must be some value k such that
• n = g^k mod p
• For example, p = 5, g = 2
– 1 = 2^0 mod 5
– 2 = 2^1 mod 5
– 3 = 2^3 mod 5
– 4 = 2^2 mod 5
Diffie-Hellman Key Agreement Protocol
• Diffie-Hellman Key Establishment
– Alice generates a random private number a, Bob generates a random private
number b
• a, b belong to {1, …, p-1}
– Alice sends Bob g^a mod p
– Bob sends Alice g^b mod p
– Alice computes g^(ab) mod p = (g^b mod p)^a mod p
– Bob computes g^(ba) mod p = (g^a mod p)^b mod p
– Key: g^(ab) mod p = g^(ba) mod p
• Prevent the man-in-the-middle attack: fixed
Diffie-Hellman
– Certify the Diffie-Hellman public parameters
• Alice: p, g, g^a mod p
• Bob: p, g, g^b mod p
[Figure: man-in-the-middle attack, with Mallory between Alice and Bob]
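Added example (not part of the original lecture): the primitive-root condition, the key agreement, and the reason the public values must be certified, worked with small numbers. The prime p = 23, generator g = 5 and the private values are constructed for illustration; the `certified` dictionary is a hypothetical stand-in for certificate contents, and real parameters are far larger.

```python
import secrets

def prime_factors(n: int) -> set:
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def is_primitive_root(g: int, p: int) -> bool:
    # For prime p: g generates 1..p-1 iff g^((p-1)/q) != 1 mod p for every prime q dividing p-1.
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def power_table(g: int, p: int) -> dict:
    # Maps n to the smallest k with n = g^k mod p (the slide's table for p = 5, g = 2).
    table, x = {}, 1
    for k in range(p - 1):
        table.setdefault(x, k)
        x = x * g % p
    return table

def keypair(g: int, p: int, private: int = None) -> tuple:
    # Private number in {1, ..., p-1}; public value g^private mod p.
    private = private if private is not None else secrets.randbelow(p - 1) + 1
    return private, pow(g, private, p)

def shared_key(their_public: int, my_private: int, p: int) -> int:
    return pow(their_public, my_private, p)

def intercepted_exchange(g: int, p: int, a: int, b: int, m: int) -> tuple:
    # Unauthenticated exchange in which Mallory replaces both public values with g^m mod p.
    _, pub_a = keypair(g, p, a)
    _, pub_b = keypair(g, p, b)
    _, pub_m = keypair(g, p, m)
    alice_key, bob_key = shared_key(pub_m, a, p), shared_key(pub_m, b, p)
    return alice_key, bob_key, shared_key(pub_a, m, p), shared_key(pub_b, m, p)

def accept_public(name: str, received: tuple, certified: dict) -> bool:
    # Fixed Diffie-Hellman: the received (p, g, g^x mod p) must equal the certified entry.
    return certified.get(name) == received

# Constructed values for the demonstration.
P, G, A_PRIV, B_PRIV, M_PRIV = 23, 5, 4, 3, 2
CERTIFIED = {"Alice": (P, G, pow(G, A_PRIV, P)), "Bob": (P, G, pow(G, B_PRIV, P))}

if __name__ == "__main__":
    print(power_table(2, 5), is_primitive_root(G, P))
    print(shared_key(pow(G, B_PRIV, P), A_PRIV, P), shared_key(pow(G, A_PRIV, P), B_PRIV, P))
    print(intercepted_exchange(G, P, A_PRIV, B_PRIV, M_PRIV))
    print(accept_public("Alice", (P, G, pow(G, M_PRIV, P)), CERTIFIED))
```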
Security System
• Application layer:
– Pretty Good Privacy (PGP): email security
– Secure Shell (SSH): secure remote login
• Transport Layer
– Transport Layer Security (TLS)
– Secure Socket Layer (SSL)
• Network Layer
– IPsec
• Link layer
– 802.11i
Overview of PGP(Pretty Good Privacy)
• Consists of five services:
– Authentication
– Confidentiality
– Compression
– E-mail compatibility
– Segmentation
E-mail Security(PGP)
• Alice sends an email to Bob
– Digitally sign using Alice’s private key
• Hash using MD5 or SHA-1 to get message digest and then use
the private key to encrypt the digest to create digital signature
– Encrypt using a newly generated one-time session key
– Encrypt the session key using Bob’s public key and append
that to email
– Use base64 encoding to obtain an ASCII-compatible
representation
Web-Based Security SSL,TLS and WTLS
• SSL was originated by Netscape
• TLS working group was formed within IETF
• SSLv3.0 served as the basis for TLS version 1.0
• Wireless TLS (WTLS) Protocol
[Figure: protocol stack, top to bottom: Applications (e.g. HTTP), Secure transport layer, TCP, IP, Subnet]
TLS Handshake Protocol
• Negotiate
– Data integrity hash: MD5 or SHA, used to implement HMACs
– Symmetric-key cipher: DES, 3DES, or AES
– Session-key establishment approach: Diffie-Hellman, fixed
Diffie-Hellman, public-key authentication protocols
• Establish shared master secret
– Derive session keys
[Figure: handshake message exchange between Client and Server]
TLS Record Protocol
• Provide confidentiality and integrity
• Messages from the application layer
– Fragmented or coalesced into blocks of an appropriate
size
– Optionally compressed
– Integrity-protected using HMAC
– Encrypted using a symmetric-key cipher
– Passed to the transport layer (TCP)
IP Layer Security (IPSec)
• Suite of protocols developed by IETF to address security at the IP level,
and provide secure communications across the Internet
• IPSec supports the following features
– Two security protocols: 1) Authentication Header (AH), and 2)
Encapsulating Security Payload (ESP)
– Two modes of operation: 1) Transport, and 2) Tunnel
– Two key management protocols: 1) Internet Key Exchange (IKE), and
2) IP Security Association and Key Management Protocol (ISAKMP)
– Six security services: 1) Access control, 2) Connectionless message
integrity, 3) Data origin authentication, 4) Rejection of replayed packets,
5) Confidentiality (encryption), and 6) Limited traffic flow confidentiality
– Security policies that determine how machines communicate via IPSec,
and the security services they can access
– Support for IPSec features is optional for IPv4 and mandatory for IPv6
IP Security Overview
• Benefits of IPSec
– Transparent to applications (below the transport layer (TCP,
UDP))
– Protect narrow streams (e.g. packets belonging to a particular
TCP connection being sent between a pair of hosts) or wide
streams (e.g. all packets flowing between a pair of
gateways/routers)
• IPSec can assure that:
– A router or neighbor advertisement comes from an
authorized router
– A redirect message comes from the router to which the initial
packet was sent
– A routing update is not forged
IP Security Scenario
IPSec Modes
• AH
– Transport Mode SA: Authenticates IP payload and selected portions of IP header and IPv6 extension headers
– Tunnel Mode SA: Authenticates entire inner IP packet plus selected portions of outer IP header
• ESP
– Transport Mode SA: Encrypts IP payload and any IPv6 extension header
– Tunnel Mode SA: Encrypts inner IP packet
• ESP with authentication
– Transport Mode SA: Encrypts IP payload and any IPv6 extension header. Authenticates IP payload but no IP header
– Tunnel Mode SA: Encrypts inner IP packet. Authenticates inner IP packet.
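IPSec Services
Security protocols: AH; ESP (Encryption only); ESP (Encryption plus Authentication)
Services and the protocols that provide them:
• Access Control: AH, ESP (Encryption only), ESP (Encryption plus Authentication)
• Connectionless Integrity: AH, ESP (Encryption plus Authentication)
• Data Origin Authentication: AH, ESP (Encryption plus Authentication)
• Rejection of Replayed Attacks: AH, ESP (Encryption only), ESP (Encryption plus Authentication)
• Confidentiality: ESP (Encryption only), ESP (Encryption plus Authentication)
• Limited Traffic Flow Confidentiality: ESP (Encryption only), ESP (Encryption plus Authentication)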
IPSec Headers
• IPSec Authentication header: NextHdr, PayloadLength, Reserved, SPI, SeqNum, AuthenticationData
• IPSec ESP header: SPI, SeqNum, PayloadData, Padding (0–255 bytes), PadLength, NextHdr, AuthenticationData
IPSec Headers in AH
Tunnel Mode (AH Authentication)
End-to-end versus End-to-Intermediate
Authentication
Wireless Security (WEP)
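• Wired equivalent privacy (WEP)
- Designed to provide link layer security for IEEE
802.11 networks
Generated Key=RC4(iv, ssk)
[Figure: WEP frame. The plaintext message and its CRC-32 are XORed with the generated key to give the ciphertext, which is sent together with the IV]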
What is WEP?
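[Figure: WEP Encipherment/Decipherment Block Diagram. Encipherment: the IV (24-bit) is concatenated (||) with the Shared Secret Key (40-bit) to form the Seed (64-bit) of the WEP PRNG; the resulting Key Stream (MPDU+32) is XORed with the Plaintext concatenated (||) with the ICV from the Integrity Algorithm (CRC-32); the IV is sent with the CIPHERTEXT (DATA + ICV) as the Encrypted Transmission. Decipherment: the received IV concatenated (||) with the Shared Secret Key (40-bit) seeds the WEP PRNG; the Key Stream is XORed with the CIPHERTEXT to recover the Plaintext and ICV; the Integrity Algorithm computes ICV’ over the Plaintext, and ICV’ is compared with ICV.]
Pseudo-random Number Generator (PRNG)
Integrity Check Value (ICV)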
Security services provided with WEP
•Privacy: RC4 with 40-bit SSK (or 104-bit SSK in
WEP2)
•Integrity: CRC-32
•Authentication: Open system or SSK based
•Access Control: SSK based
•Non-repudiation: None
•Replay: None
SSK Authentication Mechanism
Weaknesses of existing WEP
•RC4 is stream cipher with 40-bit (or 104-bit) SSK
- 40-bit is short; 104-bit is longer but still not that secure
- 24-bit IV can be exhausted (at 16M packets)
- Produces equivalent ciphertext from equivalent
plaintext streams, IP packets have many common
data streams
•CRC-32 is linear, CRC(X+Y)=CRC(X)+CRC(Y)
•No automatic key distribution mechanism
•No user authentication
Too much faith in “shared secret key”
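Added example (not part of the original lecture): a simplified WEP-style encapsulation used to check two of the weaknesses listed above, and the C1 ⊕ C2 = P1 ⊕ P2 relation from the earlier cryptography slide. It assumes a frame of IV || RC4(IV || SSK) ⊕ (data || CRC-32), omitting the key ID byte of real frames; the key, IV and messages are constructed.

```python
import struct
import zlib

def rc4(key: bytes, n: int) -> bytes:
    # RC4 key scheduling followed by n bytes of key stream.
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    # Integrity check value: CRC-32 of the data, 4 bytes.
    return struct.pack("<I", zlib.crc32(data))

def wep_encrypt(iv: bytes, ssk: bytes, data: bytes) -> bytes:
    plain = data + icv(data)
    return iv + xor(plain, rc4(iv + ssk, len(plain)))   # seed = IV || shared secret key

def wep_decrypt(frame: bytes, ssk: bytes):
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + ssk, len(body)))
    data, received_icv = plain[:-4], plain[-4:]
    return data if received_icv == icv(data) else None  # None: ICV check failed

def crc_is_linear(x: bytes, y: bytes) -> bool:
    # CRC(X+Y) = CRC(X)+CRC(Y), with + as XOR; zlib's CRC-32 adds the constant CRC(0...0).
    zero = zlib.crc32(bytes(len(x)))
    return zlib.crc32(xor(x, y)) == zlib.crc32(x) ^ zlib.crc32(y) ^ zero

def apply_delta(frame: bytes, delta: bytes) -> bytes:
    # Because of that linearity, XORing delta into the data and the matching CRC
    # difference into the ICV yields a frame whose ICV still verifies, without the key.
    iv, body = frame[:3], frame[3:]
    if len(delta) != len(body) - 4:
        raise ValueError("delta must be as long as the data")
    fix = xor(icv(delta), icv(bytes(len(delta))))
    return iv + xor(body, delta + fix)

# Constructed sample values: 40-bit SSK, 24-bit IV, two equal-length messages.
SSK = bytes.fromhex("0102030405")
IV = bytes.fromhex("000001")
P1 = b"PAY 100 TO ALICE"
P2 = b"PAY 900 TO ALICE"

if __name__ == "__main__":
    f1, f2 = wep_encrypt(IV, SSK, P1), wep_encrypt(IV, SSK, P2)
    print("same IV: C1^C2 == P1^P2:", xor(f1[3:], f2[3:])[:16] == xor(P1, P2))
    print("modified frame accepted as:", wep_decrypt(apply_delta(f1, xor(P1, P2)), SSK))
```

Both results follow from the design, not from the key length: a 104-bit SSK gives the same output.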
Wireless security (802.11i)
• 802.11i or Wi-Fi Protected Access 2 (WPA2) or Robust Security Network (RSN)
– Authentication
– Message integrity
– Confidentiality (AES, much more secure than RC4)
• Pre-shared key (PSK) mode
• 802.1X controlled access
– 802.1X for authentication (entailing the use of EAP (extensible authentication protocol) and an authentication server), 802.1X EAP Auth and obtain pairwise master key
[Figure: message sequence among STA, AP and AS: Beacon; Association Request; Association Response; 802.1X EAP Request; 802.1X EAP Response; Access Request; EAP Authentication Protocol Exchange; Accept (Keys); 802.1X Success; pairwise master key obtained; Four-way handshake and session key (Pairwise Keys / Group Keys) establishment; Secure Communications (encrypted, data integrity)]
Firewalls
• Effective means of protecting a local system or
network of systems from network-based security
threats by providing access control and restricting
which messages pass between the site and the
rest of the network
• Special router that sits between a site and the rest of the
network.
• Design goals:
– All traffic between inside and outside must pass through the
firewall (physically blocking all access to the local network
except via the firewall)
– Only authorized traffic (defined by the local security policy)
will be allowed to pass
Firewall Configurations
• Allow different kinds of access to different users (general public, business partners,
remotely-located employees)
• Multiple zones of trust
– Internal network
– Demilitarized zone (DMZ)
– The rest of the internet
• Packet filtering
– FILTER(IP addr in, port #, IP addr out, port #), Often referred to as layer 4
switching…
– Use of wild cards such as (128.20.*.*,*, *,*) means block all traffic from 128.20
net
• Stateful firewall
– Keep track of the state of each connection. An incoming packet addressed to a
dynamically assigned port would then be allowed only if it is a valid response in
the current state of a connection on that port.
• Proxy firewalls
– Permits access to certain pages in a website, but not others…
[Figure: a remote employee and a random external user reach the company site across the Internet]
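Added example (not part of the original lecture): the FILTER tuple with wild cards and the stateful rule described above, as a small decision function. The interface names, the allowed web server 192.0.2.80:80 and the sample packets are assumptions constructed for the example; only the 128.20.*.* block rule comes from the slide.

```python
from fnmatch import fnmatchcase

# Rules use the slide's tuple order: (IP addr in, port #, IP addr out, port #).
BLOCK_RULES = [("128.20.*.*", "*", "*", "*")]       # slide's example: block the 128.20 net
ALLOW_INBOUND = [("*", "*", "192.0.2.80", "80")]     # assumed public web server

def matches(rule: tuple, packet: tuple) -> bool:
    # A rule matches when every field matches its pattern; "*" matches anything.
    return all(fnmatchcase(str(field), pattern) for pattern, field in zip(rule, packet))

class StatefulFirewall:
    def __init__(self):
        self.connections = set()   # (inside IP, inside port, outside IP, outside port)

    def decide(self, interface: str, src: str, sport: int, dst: str, dport: int) -> str:
        packet = (src, sport, dst, dport)
        if any(matches(rule, packet) for rule in BLOCK_RULES):
            return "drop"
        if interface == "inside":
            # Outbound traffic opens a connection entry that a reply may later match.
            self.connections.add(packet)
            return "pass"
        # Arrived from outside: a packet to a dynamically assigned port is allowed
        # only as the response of a connection the inside host opened.
        if (dst, dport, src, sport) in self.connections:
            return "pass"
        if any(matches(rule, packet) for rule in ALLOW_INBOUND):
            return "pass"
        return "drop"

    def close(self, src: str, sport: int, dst: str, dport: int) -> None:
        self.connections.discard((src, sport, dst, dport))

def run_sample() -> list:
    # Constructed packet sequence: (interface, src, sport, dst, dport).
    fw = StatefulFirewall()
    packets = [
        ("outside", "128.20.7.9", 4000, "192.0.2.80", 80),     # blocked network
        ("outside", "128.200.7.9", 4000, "192.0.2.80", 80),    # not in 128.20.*.*
        ("outside", "203.0.113.5", 80, "192.0.2.7", 51000),    # unsolicited
        ("inside", "192.0.2.7", 51000, "203.0.113.5", 80),     # outbound request
        ("outside", "203.0.113.5", 80, "192.0.2.7", 51000),    # valid response
        ("outside", "203.0.113.5", 80, "192.0.2.7", 51001),    # wrong port
    ]
    return [fw.decide(*p) for p in packets]

if __name__ == "__main__":
    print(run_sample())
```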
Firewall Design Principles
• Information systems undergo a steady evolution
(from small LANs to Internet connectivity)
• Strong security features for all workstations and
servers not established
• The firewall is inserted between the premises
network and the Internet
• Aims:
– Establish a controlled link
– Protect the premises network from Internet-based attacks
– Provide a single choke point
Viruses and “Malicious Programs”
• Computer “Viruses” and related programs have the ability to
replicate themselves on an ever increasing number of
computers. They originally spread by people sharing floppy
disks. Now they spread primarily over the Internet.
• Other “Malicious Software (Malware)” may be installed by hand
on a single machine. They may also be built into widely
distributed commercial software packages. These are very hard
to detect before the payload activates (Trojan Horses, Trap
Doors, and Logic Bombs).
Taxonomy of Malicious Software
• Malicious Software
– Need Host Program: Trapdoors, Logic Bombs, Trojan Horses, Viruses
– Independent: Bacteria, Worms
Virus, Worm, Anti-malware applications
• Malicious software (Malware)
• Virus - code that copies itself into other programs. Executed as part of
the execution of that piece of software.
• A “Bacteria” replicates until it fills all disk space, or CPU cycles.
• Worm - a complete program that replicates itself across the network
(usually riding on email messages or attached documents, e.g., macro).
• Spyware - without authorization, collects and transmits private info about a
computer system or its users.
• Trojan Horse - instructions in an otherwise good program that cause bad
things to happen (sending your data or password to an attacker over the
net).
• Logic Bomb - malicious code that activates on an event (e.g., date).
• Trap Door (or Back Door) - undocumented entry point written into code
for debugging that can allow unwanted users.
• Easter Egg - extraneous code that does something “cool.” A way for
programmers to show that they control the product.
• Anti-malware applications
• Observe programs for suspicious behavior
• Search for segments of code from known malware
Homework
• 8.7
• 8.8
• 8.10
• 8.11
• 8.14
References
• Textbook
• Cryptography and Network Security, William Stallings, Prentice
Hall
• www.williamstallings.com
• Internet Cryptography, Richard E. Smith, Addison-Wesley
• Applied Cryptography, Bruce Schneier, Wiley