# Communication Networks Lecture 15-Network Security

Document Sample

```					                                                                    Network Security
Communication Networks                                             Overview

Lecture 15- Network Security                                       • Introduction
– substitution ciphers
– transposition ciphers
HuCheng
hc@seu.edu.cn           • Cryptographic principles
Lingming             • Secret-key algorithms
trio@seu.edu.cn             – DES: data encryption standard
• Public-key algorithm
– RSA: Rivest, Shamir and Adleman
• Authentication protocols
Spring, 2002                      ftp://www.cnasic.com:2121           • Digital signatures

Network Security : Introduction                                     The Weakness of Open network
Four security areas:                                           Stealing Information and eavesdropping
Secrecy
– keeping information from unauthorized users
Impersonate users,clients,servers
Authentication                                                 Modify information before arrives
– determine origin of message ( who am I talking to ? )
Redirect information to others
Non repudiation
– dealing with signature : how do I prove you wrote the     Denial-Of-Service attacks
letter, and made the deal ?
Integrity control
– Is your message not modified ?

The Solutions of these Problems                                    Network Security : Introduction
Where to put security ?
Eavesdropping                        Encryption                      Secrecy can be put in transport layer, but not in
lower layers (because decoding required at each
router)
Impersonation                     Authentication                     authentication and signature checks has to be put
in application layer
Four attack categories:
Interruption (DOS)
Modification                  Digital Signature
Interception (Eavesdropping )
Modification
Fabrication ( Impersonate )
DOS                                IP Filter
plaintext: the message to be encrypted
key : the encryption function is often
parameterized by a key
ciphertext : output of the encryption process
cryptanalysis : art of breaking ciphers
cryptology ; art of designing encryption
methods (cryptography) and breaking them
(cryptanalysis

Plain text : P                                                  Substitution ciphers
Key : K                                                            • shift alphabet by k letters ( Caesar cipher )
Encryption method : E
• permuted alphabet
Decryption method : D
– mono alphabetic substitution
Cipher text : Ek (P) = C
– 26 ! ~ 4 x 1026 possible keys
It follows : Dk (Ek (P)) = P
Decipher
Crypt analyst is assumed to know encryption method ( but not       • use known frequencies of letters ; eg. e is most common
the key )                                                          letter
Three decipher options:                                            • use frequent patterns of 2 or 3 letters (digrams and
• cipher text only Ci for some i                                trigrams)
• known plaintext ( Pi, Ci ) for some i                         • use likely word
• chosen plaintext (Pi, Ci ) for any i
Note : substitution preserves order of symbols

Traditional Cryptography                                        Transposition cipher
Transposition cipher
reorders symbols, but do not change them
example : the columnar
transportation, fig 7-3
write rows
Traditional Cryptography                                           Cryptographic principles
One time Pads : easy unbreakable cipher                            Two fundamental principles of any cryptographic
Consider plaintext P                                               system:
Choose random bitstring as key K, |K| = |P|
C = P (XOR) K                                                      C needs redundancy i.e c ¡Ê C for which Dk (C) is not
can not be broken :                                                valid
it does not contain any information at all !                         – otherwise it would be easy to generate valid messages
– each letter occurs with some frequency                          – however, redundancy makes deciphering easier
Problems:                                                               for any key K, DK (C) has to make sense otherwise K cannot be
key is difficult to memorise                                            valid
|K|>> |P|                                                               add random string as redundancy
– gigabit networks needs one CD per 5 seconds !!!               Re-playing messages must be avoided
sensitivity to lost/inserted bits => loss of synchronization
– use time stamp with time out

Secret-key Algorithms                                              Secret-key Algorithms
Based on transition and substitution
However:
• Traditionally: easy algorithm and very long keys
• Today: complex algorithm and shorter keys
Basic transposition and substitution circuits: fig. 7-4
• P box : implements a permutation (i.e. transition)
• S box : implements substitution of symbols
• S and P boxes can be arbitrarily combined to form
very complex functions

Secret-key Algorithms                                              DES
DES : data encryption standard
• IBM developed
• 1977: accepted as U.S. government
standard
• Encryption and decryption use same key
– Steps run in same order with keys reversed
DES algorithm is shown in fig. 7-5
– 16 iterations + initial and final transposition and
final swap
– each iteration uses different key Ki (i=1..16)
Triple DES                                                               Public-Key algorithms
C = Ek1 Dk2 Ek1 (P)                                                        DES has key distribution problem
Alternative: work with two keys, one of which
P = Dk1 Ek2 Dk1 (C)                                                        is public
• Uses just two keys                                                       usually the public key is used for encryption,
compatible with Single DES: use K1 = K2                                 the private for decryption
• No breaking method known to date                                         Requirements:
• Deriving decryption key from encryption key and
• Combine it with chaining                                                    (known) cryptographic algorithm is impossible
• Decryption key can not be broken using plaintext
approach

Public-Key algorithms                             Alice’s Pub Key        Authentication protocols
What is Authentication
Trust is the base of authentication
Bob’s infor to
Authenticate protocol :Kerboros
Alice’s      Alice                          Alice        Bob       Bob’s
Private                                                            Private
Key                                                                Key

OK

How Kerboros Works?

Authentication protocols                                            Based on Shared Secret

Authentication = Verify that sender of message is really the one
he says he is
General protocol model between A and B
• Use KDC: key distribution centre
– KDC is always honest
– KDC has shared keys with al its clients
– KDC distributes session keys ( Ks ) used for direct                       Alice           Alice’s infor to            Bob
communication between A and B
• Alternatively A and B may possess already a shared key                                          Bob
– using this shared key they may establish a session key
• After exchanging several messages A and B                                                                                         OK
should be convinced of each others identity
Bob can decrypt the information ,
so the infor comes from Alice
How Kerboros Works?                                                                          How Kerboros Works?
Authenticator                                                                            How Can the two
sides get the key?
Alice,                                                                                                    Server’s long term key
I’m Alice
Timestamp
Client’s long term key
KDC
Client wants Server       Invents
Alice                                                Bob                                                                Session
Timestamp                                                                               Key
IBM Compatible

Alice,Timestamp
IBM Compatible

Timestamp is the same                                                                                                                                SC
as sent out, so it must comes
from Bob

How Kerboros Works?                                                                          How Kerboros Works?
How Can the two
Mutual Authentication
sides get the key?
(Client/Server)
(Practice)
Server’s Long Term Key
Client’s long term key
KDC
Client,Time               Session Ticket
Client wants Server                  Invents
Session
IBM Compatible
Key                IBM Compatible
IBM Compatible

SC
Session Ticket
Time
Server’s Long Term Key

How Kerboros Works?                                                                          How Kerboros Works?
KDC’s two                                                                      Sub Protocols In
main jobs                                                                        Kerboros

KDC
• Authentication Service (AS) Exchange
Authentication                    To issue TGT                                         • Ticket-Granting Service (TGS) Exchange
Service
• Client/Server (CS) Exchange
Ticket Granting
Service                      To issue Session Ticket
How Kerboros Works?                            How Kerboros Works?
AS Exchange                                   TGS Exchange

How Kerboros Works?
CS Exchange                                    Digital Signatures
Purpose signature:
receiver can verify identity of sender
sender can not deny message later on
receiver can not change the message
Two methods:
Secret-key signatures
– uses trusted system (fig 7-22)
Public-key signatures
– using eg. RSA (fig 7-23)

Message Digest                                 Digital Signatures
Digest

MD5
MD5        Alice’s Pub
MD5
MD5      Message              Key
Message

Hash
Hash
Message        Function
Function
Message Digest
Digest
MD5                             Digest

```
DOCUMENT INFO
Shared By:
Categories:
Stats:
 views: 3 posted: 5/21/2010 language: English pages: 6