EE 418 Network Security and Cryptography Lecture #18
December 6, 2016

Public Key Infrastructure. Authentication. Internet Security

Lecture notes prepared by Professor Radha Poovendran. Tamara Bonaci
Department of Electrical Engineering
University of Washington, Seattle

Outline:
1. Review: Key Distribution and Management
2. Review: Public key infrastructure (PKI)
3. Introduction to Authentication
   Bellovin-Merritt Encrypted Key Exchange (EKE)
   Augmented Strong Password Protocols
   Secure Remote Password (SRP) Protocol
4. Internet Protocol Security (IPsec)
5. Secure Socket Layer (SSL) and Transport Layer Security (TLS)

1 Review: Introduction to Key Distribution and Management

Last week, we started our conversation about key distribution and management. We considered two main problems that we need to address in order to ensure the CIA security goals:

1. If Alice and Bob rely on symmetric-key cryptography, they have to share the same secret encryption-decryption key. How do they establish that shared secret key over an insecure communication channel?
2. On the other hand, if Alice and Bob rely on public key cryptography, how do they know that the public key they obtain somewhere online indeed belongs to the person they want to talk to?

On Tuesday, we focused on the first problem, related to symmetric-key cryptography, and we showed that there are two possible approaches that Alice and Bob can take:

(a) Alice and Bob can use public key cryptography to establish a shared secret key that they can then use to communicate securely using symmetric-key cryptography. (Diffie-Hellman protocol)
(b) Alice and Bob can rely on a trusted third party, known as a key distribution center (KDC), to help them establish a shared secret key. (Needham-Schroeder protocol)

2 Needham-Schroeder Protocol

The Needham-Schroeder (N-S) protocol allows Alice and Bob to agree on a shared key using a key distribution center (KDC). The steps in N-S are illustrated in Figure 1 and described as follows:

1. Before initiating the protocol, Alice is assumed to share a key with the KDC, denoted $K_A$. Similarly, Bob is assumed to share a key $K_B$ with the KDC. Alice and Bob both have unique identifiers $ID_A$ and $ID_B$ that are known to each other and the KDC.
2. Alice contacts the KDC and requests a shared key to communicate with Bob by generating a random nonce $r_A$ and sending a message $ID_A \| ID_B \| r_A$.
3. The KDC generates a shared key $K_{AB}$ and a ticket $t_B = E_{K_B}(K_{AB} \| ID_B)$. The KDC sends $E_{K_A}(r_A \| ID_B \| K_{AB} \| t_B)$ to Alice.
4. Alice decrypts the message sent by the KDC and extracts $t_B$ and $K_{AB}$. Alice checks to make sure that the decrypted $r_A$ sent by the KDC matches the $r_A$ sent by Alice. Alice then transmits $ID_A \| t_B$ to Bob.
5. Bob decrypts $t_B$ using $K_B$ and extracts $K_{AB}$. Bob generates a random number $r_B$ and transmits $E_{K_{AB}}(r_B)$ to Alice.
6. Alice decrypts Bob's transmitted message using $K_{AB}$. Alice computes $E_{K_{AB}}(r_B - 1)$ and transmits this message to Bob. By decrypting the message using $K_{AB}$, Bob verifies that Alice knows the key $K_{AB}$.
Fig. 1. Establishing a shared key using a KDC with the Needham-Schroeder protocol. (Figure not reproduced: message flow among Alice, Bob, and the KDC.)

2.1 Replay Attack on Needham-Schroeder

The N-S protocol was found to be vulnerable to a replay attack by Denning and Sacco in The steps of the attack are depicted in Figure 2:

1. An attacker Eve eavesdrops on the N-S protocol and obtains the messages exchanged by Alice, Bob, and the KDC, including the ticket $t_B$.
2. The attacker obtains a key $K_{AB}$ generated during a previous execution of the N-S protocol.
3. The attacker contacts Bob, pretending to be Alice, and transmits $ID_A \| t_B$ to Bob.
4. Bob decrypts $t_B$ using $K_B$ and extracts the key $K_{AB}$, which is known to the adversary. Bob generates a random number $r_B$ and transmits $E_{K_{AB}}(r_B)$ to Alice.
5. Since the attacker knows $K_{AB}$, (s)he decrypts Bob's transmitted message using $K_{AB}$. The attacker transmits $E_{K_{AB}}(r_B - 1)$ to Bob.

2.2 Kerberos

Kerberos was developed at MIT in the 1980s to enable the use of a KDC without vulnerability to replay attack. Kerberos is described by IETF RFC The steps in Kerberos are depicted in Figure 3, and given as follows:

1. Alice generates a random number $r_A$ and sends $ID_A \| ID_B \| r_A$ to the KDC.
2. The KDC computes $t_B = E_{K_B}(K_{AB} \| ID_A \| L)$, where $L$ is the lifetime of the secret key $K_{AB}$. The KDC transmits $y_1 = E_{K_A}(r_A \| ID_B \| K_{AB} \| L)$ and $t_B$ to Alice.
3. Alice decrypts $y_1$ and obtains $K_{AB}$. Alice computes $y_2 = E_{K_{AB}}(ID_A \| \mathit{time})$, where $\mathit{time}$ is Alice's current system time. Alice transmits $y_2 \| t_B$ to Bob.
4. Bob decrypts $t_B$ and obtains $K_{AB}$. If $\mathit{time} > L$, then the key has expired and Bob discards the key. Bob replies to Alice with $E_{K_{AB}}(\mathit{time} + 1)$.
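The following added example (not part of the original lecture notes) contrasts Bob's acceptance logic in Needham-Schroeder with the lifetime check of Kerberos step 4, for a recorded ticket whose old session key has leaked. Assumptions: `seal`/`unseal` are a toy stand-in for $E_K$ built from HMAC-SHA256, the ticket carries `ID_A` in both protocols, clock values are constructed integers, and Bob also compares his own clock to $L$, which goes beyond the check stated in the notes.

```python
import hashlib
import hmac
import json
import secrets


def _stream(key, nonce, n):
    """Keystream: HMAC-SHA256 in counter mode (toy construction, illustration only)."""
    blocks = (hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key, fields):
    """Toy stand-in for E_K(...): encrypt-then-MAC over the JSON-encoded fields."""
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Toy stand-in for D_K(...): ValueError on a wrong key or altered message."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


def peer_holding(k_ab):
    """Any party that knows K_AB can answer Bob's challenge with E(r_B - 1)."""
    return lambda challenge: seal(k_ab, {"r": unseal(k_ab, challenge)["r"] - 1})


def ns_bob_accepts(k_b, ticket, peer):
    """Needham-Schroeder steps 5-6: the ticket has no notion of age."""
    k_ab = bytes.fromhex(unseal(k_b, ticket)["K_AB"])
    r_b = secrets.randbelow(2**64)
    try:
        return unseal(k_ab, peer(seal(k_ab, {"r": r_b})))["r"] == r_b - 1
    except ValueError:
        return False


def kerberos_bob_accepts(k_b, ticket, authenticator, now):
    """Kerberos step 4: the ticket carries lifetime L; expired keys are discarded."""
    t = unseal(k_b, ticket)
    try:
        auth = unseal(bytes.fromhex(t["K_AB"]), authenticator)
    except ValueError:
        return False
    if auth["ID_A"] != t["ID_A"]:
        return False
    # The notes test the authenticator's time against L. Testing Bob's own clock
    # as well is an assumption added here, because the sender chooses `time`.
    return auth["time"] <= t["L"] and now <= t["L"]


def run_scenarios():
    """Return Bob's decision in four constructed situations."""
    k_b, k_ab = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed keys
    issued, lifetime = 1_000, 300        # constructed clock values, in seconds
    ns_ticket = seal(k_b, {"K_AB": k_ab.hex(), "ID_A": "alice"})
    krb_ticket = seal(k_b, {"K_AB": k_ab.hex(), "ID_A": "alice", "L": issued + lifetime})

    def authenticator(time):
        return seal(k_ab, {"ID_A": "alice", "time": time})

    much_later = 90_000  # long after the session: old K_AB known, ticket recorded
    return {
        # N-S: the recorded ticket plus the old key is enough, at any later time.
        "ns_replay": ns_bob_accepts(k_b, ns_ticket, peer_holding(k_ab)),
        # Kerberos: a request made inside the lifetime is accepted.
        "krb_fresh": kerberos_bob_accepts(k_b, krb_ticket, authenticator(1_010), now=1_010),
        # Kerberos: the same ticket presented after L is discarded.
        "krb_replay": kerberos_bob_accepts(k_b, krb_ticket, authenticator(much_later),
                                           now=much_later),
        # A back-dated authenticator is caught only by Bob's own clock.
        "krb_backdated": kerberos_bob_accepts(k_b, krb_ticket, authenticator(1_200),
                                              now=much_later),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:14s} {'accepted' if accepted else 'rejected'}")
```
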
Fig. 2. The replay attack on Needham-Schroeder. (Figure not reproduced: Eve records the exchange, obtains the old key $K_{AB}$, and replays the recorded ticket to Bob.)

Fig. 3. The Kerberos protocol. (Figure not reproduced: message flow among Alice, Bob, and the KDC.)

3 Review: Public Key Infrastructure

On Thursday, we started from the observation that, when Alice and Bob communicate using public key cryptography, both users' public keys should be managed to ensure that Alice has Bob's correct public key and vice versa. Otherwise, an attacker Eve could claim to be Alice and publish his/her own public key. Any messages for Alice encrypted by Bob could then be read by the attacker.

A standard approach to public key management is the use of Public Key Infrastructure (PKI). A key component of PKI is the Certificate Authority (CA), a trusted third party used to verify public keys. Alice can verify Bob's public key with the help of a CA through the following procedure, depicted in Figure 4:

1. Alice sends a request to Bob for Bob's public key.
2. Bob sends a certificate $C$, which contains Bob's public key $PK_B$, Bob's identity, and possibly other information including the expiration time of the key (see Section 3.1). Attached to $C$ is a signature $\sigma = \mathrm{Sig}_{PK_{CA}}(C)$, which is signed using the private key of the certificate authority.
3. Alice verifies the signature $\sigma$ on certificate $C$. If the verification is successful, then Alice accepts $PK_B$ as Bob's public key.

Fig. 4. Verifying Bob's public key using a certificate authority (CA). (Figure not reproduced: message flow among Alice, Bob, and the certificate authority.)

Thus, we can think of PKI as a secure system that generates, manages, and updates certificates in order to realize public key cryptography. Such a system consists of several important components:

1. Certificate Issuance: Certificates to users are issued by a Certification Authority (CA) (most of the time there is more than one). Certificates are issued after the user has proven its identity by some conventional means (as we have discussed in the past).
2. Certificate Revocation: Refers to the revocation of a certificate before the normal expiration time. Similar to canceling and reissuing a stolen credit card.
3. Key backup: The private keys of all certified users are stored for the purpose of recovery in case of loss.
Recovery can occur in much the same way that one recovers a forgotten password (by proving one's identity to the CA).
4. Timestamping: The times that certificates and keys are issued are recorded. These times can be used by different services for checking the validity of keys, certificates, etc.

PKI is used to enable several services involving security and privacy. Some examples of those services are:
Secure protocols such as Secure Multipurpose Internet Mail Extensions (S-MIME) and Pretty Good Privacy (PGP).
Secure web services such as Secure Socket Layer (SSL) and Transport Layer Security (TLS).
Secure VPNs employing the IPSec protocol.
Access Control: Implementation of privilege management for access to services such as database information, printing, etc.
Privacy: Issuance of anonymous or pseudonymous certificates for the purpose of access control and preservation of anonymity. For example, when one has access to a service because one belongs to a group, but the individual member is not identified.

3.1 X.509 Certificates

Typically a certificate binds the identity of a user to a public key. X.509 is a standard for public key certificates, and has been adopted by the International Telecommunication Standardization Sector (ITU-T). An illustration of an X.509 certificate is given as Figure 5. An X.509 certificate consists of the following components:

Version - The version of X.509 that is used.
Serial number - An integer that, together with the CA's name, uniquely identifies the certificate.
Signature - The algorithm used to compute the signature on the certificate.
Issuer - The name of the issuing CA.
Validity - Contains two fields: the time that the certificate becomes valid, and the last time for which it is valid.
Subject - The name of the entity whose key is certified.
SubjectPublicKeyInfo - The subject's public key, along with the algorithm for which the subject's public key is generated (e.g., RSA or DSA).
AlgorithmIdentifier - The algorithm used to compute the signature on the certificate. Contains the same information as the Signature field described above.
Encrypted - Contains the signature on all of the above fields except AlgorithmIdentifier.

3.2 Certificate Authorities

There are many CAs operating in different countries and under different ownership. Examples include Symantec and GoDaddy, along with smaller CAs run by enterprises and individuals.
The PKI must have a mechanism for relating the certificate authorities and determining whether a certificate can be trusted based on the CA that has signed it. A simple PKI organization is shown in Figure 6. In this PKI, a root CA issues certificates for Regional Authorities, which in turn sign the certificates of smaller CAs. The trustworthiness of each signature is derived from the common trust in the root CA.

4 Introduction to Authentication

Authentication occurs when Alice and Bob try to verify each other's identities. Typically, Alice authenticates herself to Bob by proving that she has knowledge of a shared secret, such as a cryptographic key $K_{AB}$. One method for Alice and Bob to verify each other's identities is through a challenge-response protocol, as depicted in Figure 7. A basic challenge-response protocol has the following steps:

1. Alice sends her identity to Bob. Bob responds by sending a random nonce (a random number that is only used once), denoted $R_B$, to Alice.
2. Alice responds to Bob's challenge with $E_{K_{AB}}(R_B)$. Alice then transmits a nonce $R_A$.
3. Bob verifies that the received message $Y = E_{K_{AB}}(R_B)$. If it does, then Bob responds to Alice's challenge with $E_{K_{AB}}(R_A)$.
4. If the value of $E_{K_{AB}}(R_A)$ is correct, Alice authenticates Bob.
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 7829 (0x1e95)
        Signature Algorithm: md5withrsaencryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/ Address=server-certs@thawte.com
        Validity
            Not Before: Jul 9 16:04: GMT
            Not After : Jul 9 16:04: GMT
        Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=
        Subject Public Key Info:
            Public Key Algorithm: rsaencryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb:
                    33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1:
                    66:36:d0:8e:56:12:44:ba:75:eb:e8:1c:9c:5b:66:
                    70:33:52:14:c9:ec:4f:91:51:70:39:de:53:85:17:
                    16:94:6e:ee:f4:d5:6f:d5:ca:b3:47:5e:1b:0c:7b:
                    c5:cc:2b:6b:c1:90:c3:16:31:0d:bf:7a:c7:47:77:
                    8f:a0:21:c7:4c:d0:16:65:00:c1:0f:d7:b8:80:e3:
                    d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8:
                    e8:35:1c:9e:27:52:7e:41:8f
                Exponent: (0x10001)
    Signature Algorithm: md5withrsaencryption
        93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:5d:9d:
        92:2e:4a:1b:8b:ac:7d:99:17:5d:cd:19:f6:ad:ef:63:2f:92:
        ab:2f:4b:cf:0a:13:90:ee:2c:0e:43:03:be:f6:ea:8e:9c:67:
        d0:a2:40:03:f7:ef:6a:15:09:79:a9:46:ed:b7:16:1b:41:72:
        0d:19:aa:ad:dd:9a:df:ab:97:50:65:f5:5e:85:a6:ef:19:d1:
        5a:de:9d:ea:63:cd:cb:cc:6d:5d:01:85:b5:6d:c8:f3:d9:f7:
        8f:0e:fc:ba:1f:34:e9:96:6e:6c:cf:f2:ef:9b:bf:de:b5:22:
        68:9f

Fig. 5. An example of an X.509 certificate.

A more difficult scenario arises when Alice and Bob do not share a cryptographic key $K$, but instead share a password $pwd$. This occurs when Alice is a client (user) and Bob is a server. In this case, if Alice and Bob attempt to use the protocol of Figure 7 using $K = f(pwd)$ as a shared key, where $f$ is a publicly known function, then Eve can mount the following dictionary attack:

1. Eve eavesdrops on a complete protocol interaction, and records Bob's challenge $R_B$ and Alice's response $E_K(R_B)$.
2. Eve takes a list of possible passwords $pwd_1, \ldots, pwd_n$. For each password, Eve computes $K_i = f(pwd_i)$ and $E_{K_i}(R_B)$. If $E_{K_i}(R_B) = E_K(R_B)$, then Eve has found the correct password.

The dictionary attack is effective because users typically choose passwords that are much easier to guess than cryptographic keys. If Alice and Bob need to authenticate each other using only a shared password, strong password protocols are needed that do not allow an attacker to perform the dictionary attack.

4.1 Bellovin-Merritt Encrypted Key Exchange (EKE)

The Bellovin-Merritt Encrypted Key Exchange was developed by Steven Bellovin and Michael Merritt in 1992, and was protected by U.S. Patent 5,241,599 until its expiration in Bellovin-Merritt assumes that Alice and Bob share a password $pwd$ and can compute $W = f(pwd)$, where $f$ is a publicly known function. Bellovin-Merritt also assumes that Alice and Bob have knowledge of a prime $p$ and generator $g$, as in the Diffie-Hellman key exchange. The protocol achieves mutual authentication of Alice and Bob, and enables Alice and Bob to generate a stronger key $K$ for further communication. The protocol consists of the following steps:

1. Alice generates a random $a$. Alice transmits her identity to Bob, along with $E_W(g^a \bmod p)$.
2. Bob decrypts Alice's message and obtains $g^a \bmod p$. Bob generates a random number $b$ and a nonce $C_1$, and computes $K = g^{ab} \bmod p$.
Fig. 6. A hierarchical PKI. (Figure not reproduced: a tree with Root at the top, regional authorities RA 1 and RA 2, and certificate authorities CA 1 through CA 4. Two example certificates are shown: "RA 2 is approved. Its public key is 47383AE349", carrying Root's signature, and "CA 4 is approved. Its public key is 542EA34149", carrying RA 2's signature.)

Fig. 7. Basic mutual authentication protocol. (Figure not reproduced: Alice and Bob both know $K_{AB}$ and exchange the messages of the challenge-response protocol.)

3. Bob transmits $E_W(g^b \bmod p, C_1)$ to Alice.
4. Alice decrypts Bob's message and obtains $g^b \bmod p$ and $C_1$. Alice computes $K = g^{ab} \bmod p$ and generates a nonce $C_2$.
5. Alice transmits $E_K(C_1, C_2)$ to Bob.
6. Bob decrypts Alice's message and verifies that the first half of the message is $C_1$. Bob computes $E_K(C_2)$ and transmits it to Alice.

4.2 Security Properties of EKE

The Bellovin-Merritt protocol provides the following security properties:

Authentication of Alice: Only a user with knowledge of $W$ could correctly decrypt Bob's first message, obtain $g^b \bmod p$, and compute $K$. Bob authenticates Alice by checking that Alice encrypted his challenge $C_1$ using the correct key $K$.
Authentication of Bob: Similarly, only a valid Bob could correctly compute $K$ and $E_K(C_2)$.
Security against Dictionary Attack: The only messages encrypted with $W$ are $g^a \bmod p$ and $g^b \bmod p$. In order for an adversary to check a possible password $pwd$, the adversary would need to decrypt both messages using key $W = f(pwd)$. After decrypting, however, the adversary cannot compute the key $K$ due to the difficulty of the Diffie-Hellman problem, and hence has no way to determine if the possible password is correct.

4.3 Augmented Strong Password Protocols

The EKE protocol prevents an adversary from impersonating Alice or Bob without knowledge of $W = f(pwd)$. The goal of augmented EKE is to ensure that a server Bob does not need to store the client Alice's $pwd$ or $W$. That way, even if the server is compromised, an attacker cannot impersonate Alice. Instead, Bob stores a prime $p$ and $2^W \bmod p$. The augmented strong password protocol is shown in Figure 8, and consists of the following steps:

Fig. 8. Augmented strong password protocol. (Figure not reproduced: Alice chooses $a$ and computes $W$ and $p$ from the password; Bob stores "Alice", $p$, and $2^W \bmod p$, and chooses $b$.)

1. Alice generates $a$ uniformly at random and transmits $2^a \bmod p$ to Bob.
2. Bob generates $b$ uniformly at random, and transmits $2^b \bmod p$ and $h((2^{ab} \bmod p) \| (2^{bW} \bmod p))$, where $h$ is a hash function.
3. Alice computes $2^{ab} \bmod p$ and $h((2^{ab} \bmod p) \| (2^{bW} \bmod p))$. If the hash value matches the value transmitted by Bob, then Alice authenticates Bob and transmits $h'((2^{ab} \bmod p) \| (2^{bW} \bmod p))$. Here $h'$ is a hash function that is different from $h$.

4.4 Security Properties of Augmented Strong Password Protocol

The augmented strong password protocol provides the following security properties:

Authentication of Alice: Alice must know the correct value of $W$ to compute $2^{bW} \bmod p$ in the third message.
Authentication of Bob: Bob must know $2^W \bmod p$ and $b$ in order to compute $2^{bW} \bmod p$.
Security against Dictionary Attack: Whenever the key $W$ appears in any message, the message is hashed. Hence an attacker cannot determine $W$ without inverting the hash function.
Security against Server Compromise: If an attacker compromises the server and obtains $2^W \bmod p$, then the attacker must still solve an instance of the Discrete Logarithm Problem to find $W$, or mount a dictionary attack.

4.5 Secure Remote Password (SRP) Protocol

SRP was proposed by Tom Wu in 1998, and is documented in RFC It appears in IETF protocols including Telnet (RFC 2944) and TLS (RFC 5054) authentication, and is implemented in OpenSSL. In SRP, Bob stores $g^W \bmod p$ for some large prime $p$. SRP consists of the following steps:

1. Alice generates a random $a$, and then transmits her identity and $g^a \bmod p$ to Bob.
2. Bob generates $b$, a challenge $C_1$, and a 32-bit number $u$. Bob transmits $(g^b + g^W) \bmod p$, $u$, and $C_1$ to Alice.
3. Bob computes $K = (g^a)^b (g^W)^{bu} = g^{b(a+uW)} \bmod p$.
4. Alice receives Bob's message and extracts $g^b \bmod p$ by subtracting $g^W \bmod p$ from the first part of the message. Alice computes $K = (g^b)^a (g^b)^{uW} = g^{b(a+uW)} \bmod p$. Alice transmits $E_K(C_1)$ and $C_2$ to Bob.
5. Bob authenticates Alice based on her challenge and transmits $E_K(C_2)$ to Alice.
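The SRP key computation of steps 1 to 4 above, with both sides carried out, as an added example that is not part of the original lecture notes. Assumptions: the modulus $2^{255} - 19$ and base 2 are toy parameters rather than a vetted SRP group, $f$ is SHA-256, an HMAC over $C_1$ stands in for $E_K(C_1)$, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

P = 2**255 - 19   # a known prime used as a toy modulus (assumption; not an SRP group)
G = 2             # toy base g (assumption)


def f(pwd):
    """W = f(pwd). The notes only require f to be public; SHA-256 is an assumption."""
    return int.from_bytes(hashlib.sha256(pwd.encode()).digest(), "big")


def register(pwd):
    """What Bob stores for Alice: g^W mod p, never pwd or W itself."""
    return pow(G, f(pwd), P)


def alice_start():
    """Step 1: Alice picks a and sends g^a mod p."""
    a = secrets.randbelow(P - 2) + 1
    return a, pow(G, a, P)


def bob_respond(g_a, verifier):
    """Steps 2-3: Bob sends (g^b + g^W) mod p and u, and computes
    K = (g^a)^b (g^W)^(bu) = g^(b(a + uW)) mod p from the stored g^W."""
    b = secrets.randbelow(P - 2) + 1
    u = secrets.randbits(32)
    masked = (pow(G, b, P) + verifier) % P
    k = pow(g_a * pow(verifier, u, P) % P, b, P)
    return masked, u, k


def alice_finish(pwd, a, masked, u):
    """Step 4: Alice removes g^W to recover g^b, then computes
    K = (g^b)^(a + uW) mod p. This needs W itself, not just g^W."""
    w = f(pwd)
    g_b = (masked - pow(G, w, P)) % P
    return pow(g_b, a + u * w, P)


def confirm(k, challenge):
    """Stand-in for E_K(C): a keyed hash of the challenge under K (assumption)."""
    return hmac.new(k.to_bytes(32, "big"), challenge, hashlib.sha256).digest()


def login(stored_verifier, typed_pwd):
    """Run one exchange; True when Bob's check of Alice's response succeeds."""
    a, g_a = alice_start()
    c1 = secrets.token_bytes(16)                      # Bob's challenge C_1
    masked, u, k_bob = bob_respond(g_a, stored_verifier)
    k_alice = alice_finish(typed_pwd, a, masked, u)
    return hmac.compare_digest(confirm(k_alice, c1), confirm(k_bob, c1))


if __name__ == "__main__":
    v = register("correct horse battery")             # constructed sample password
    print("right password:", login(v, "correct horse battery"))
    print("wrong password:", login(v, "correct horse"))
```

With a wrong password Alice subtracts the wrong $g^W$, so she never recovers $g^b$ and her key differs from Bob's.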
4.6 Security Properties of SRP

SRP provides the following security properties:

Authentication of Alice: Only a user with knowledge of $W$ could compute $(g^b)^{uW} \bmod p$ (knowledge of $g^W \bmod p$ is not sufficient due to the difficulty of the Diffie-Hellman problem). Hence, only a valid Alice can compute the key $K$ and respond to Bob's challenge.
Authentication of Bob: The value of $g^W \bmod p$ must be known to compute $(g^W)^{bu}$, and hence to compute the correct value of the key.
Security against Dictionary Attack: In order to verify a guess of a password $pwd$, an attacker would have to solve an instance of the Diffie-Hellman problem to compute $K$, which is believed to be computationally difficult.
Security against Server Compromise: If an attacker compromises the server and obtains $g^W \bmod p$, then the attacker must still solve a Discrete Logarithm Problem to find $W$, or mount a dictionary attack.

5 Internet Protocol Security (IPsec)

IPsec is a protocol suite designed to provide security properties, including confidentiality, integrity, and mutual authentication, to entities that communicate via the Internet Protocol (IP). IPsec can be used with IPv4 and IPv6, and is part of the IPv6 standard. IPsec is described by IETF RFCs including RFC 5996 (Internet Key Exchange v2), RFC 4302 (Authentication Header), and RFC 4303 (Encapsulating Security Payload).

Under IPsec, Alice creates a cryptographically protected connection, called a Security Association (SA), to Bob, and Bob creates a corresponding SA to Alice. IPsec operates in two modes (Figure 9):

    Transport Mode:  [IP header | Rest of packet]  becomes  [IP header | IPsec | Rest of packet]
    Tunnel Mode:     [IP header | Rest of packet]  becomes  [new IP header | IPsec | IP header | Rest of packet]

Fig. 9. Transport and tunnel mode of IPsec.

Transport mode: Transport mode adds IPsec information between the packet's IP header and the remainder of the packet. In transport mode, only the packet payload is encrypted and authenticated, while the IP header is unencrypted. Transport mode is used for IPsec over end-to-end connections.
Tunnel mode: Tunnel mode adds a new IP header and IPsec information around the existing IP header. In tunnel mode, both the IP header and the packet payload are encrypted and authenticated. Tunnel mode establishes a private, secure communication link over an open, insecure channel such as the Internet, and is used to create virtual private networks. Tunnel mode is illustrated in Figure 10.

In what follows, we first describe how IPsec creates a shared key between Alice and Bob for the remainder of the session using the Internet Key Exchange (IKE) protocol. We then discuss how IPsec provides encryption and authentication to each packet.

5.1 Internet Key Exchange (IKE)

The Internet Key Exchange consists of two phases. In Phase 1, mutual authentication and key establishment take place. In Phase 2, one or more SAs between Alice and Bob are created.

Phase 1 IKE has two modes of operation. Aggressive mode involves Alice and Bob exchanging three messages, while main mode consists of three modes. The phase 1 protocol also changes based on whether Alice and Bob use public key cryptography or a shared secret key to establish the connection.
Fig. 10. Use of IPsec tunnel to create a virtual private connection. Nodes B and E act as proxies (tunnel endpoints) for nodes A and F. (Figure not reproduced: in the logical view, A and F are joined through a tunnel between B and E; in the physical view, the packet of Flow X with Source A and Dest F travels through A, B, C, D, E, F, and between B and E it is encrypted inside a packet with Source B and Dest E.)

IKE using public signature keys: The IKE protocol when Alice and Bob use digital signatures is described as follows (Figure 11). The protocol assumes that Alice and Bob know each other's signature keys $PK_A$ and $PK_B$, respectively.

Fig. 11. IKE using public signature keys, main mode. (Figure not reproduced: the six messages exchanged between Alice and Bob.)

1. Alice sends a list of proposed cryptographic primitives, including primitives for encryption, hash, authentication, and Diffie-Hellman group. The Diffie-Hellman group consists of a prime $p$ and a generator $g$.
2. Bob replies to Alice with a message accepting the cryptographic primitives.
3. Alice generates a random number $a$ and a nonce $R_A$, and transmits $g^a \bmod p$ and $R_A$ to Bob.
4. Bob generates a random number $b$ and a nonce $R_B$, and transmits $g^b \bmod p$ and $R_B$ to Alice.
5. Alice and Bob both compute $K = f(g^{ab} \bmod p, R_A, R_B)$, where $f$ is a publicly known function.
6. Alice encrypts her identity, a proof of her identity, and her certificate with the key $K$ and transmits the ciphertext to Bob. Alice computes the proof of identity by hashing her identity and the nonces, and then signing the hash with her private key.
7. Bob decrypts the received message and authenticates Alice using the public key $PK_A$. Bob encrypts his identity, proof of identity, and certificate, and transmits the ciphertext to Alice.

IKE using shared key: The IKE protocol when Alice and Bob use a shared secret $J$ in aggressive mode is described as follows (Figure 12).

Fig. 12. IKE using shared secret keys, aggressive mode. (Figure not reproduced: Alice and Bob both know the shared secret $J$ and exchange three messages.)

1. Alice sends a list of proposed cryptographic primitives, including primitives for encryption, hash, authentication, and Diffie-Hellman group. The Diffie-Hellman group consists of a prime $p$ and a generator $g$. Alice also sends $g^a \bmod p$, where $a$ is a random number, a random nonce $R_A$, and her identifier.
2. Bob responds with a message accepting the cryptographic primitives. Bob also sends $g^b \bmod p$, where $b$ is a random number, a random nonce $R_B$, a proof of Bob's identity, and Bob's identifier. The proof of identity contains the same information as in the previous protocol, but is encrypted using the shared secret $J$.
3. Alice authenticates Bob and transmits her proof of identity.
4. Alice and Bob compute the shared key as $K = f(J, g^{ab} \bmod p, R_A, R_B)$, where $f$ is a publicly known function.

5.2 Communication Using IPsec

After Alice and Bob have agreed on a shared session key with the IKE protocol, they can use IPsec to provide encryption and message authentication. These cryptographic protections can be provided either through the Authentication Header (AH, described in IETF RFC 2402) or the Encapsulating Security Payload (ESP, described in IETF RFC 2406). AH provides only message authentication, while ESP provides both encryption and message authentication. We first describe the changes made to the IP headers by IPsec, followed by AH and ESP.

IP headers in IPsec: The two widely-used versions of IP are IPv4 and IPv6. IPv4 (RFC 791) was introduced in 1981 and is used to route most Internet traffic. IPv6 (RFC 2460) was released in 1998 as a replacement for IPv4. The main difference between the protocols is that IPv4 uses 32-bit addresses, creating the possible problem of exhausting the space of possible addresses, while IPv6 uses 128-bit addresses.

The IPv4 header is shown in Figure 13(a). To use IPsec with IPv4, the Protocol field is set to 50 (for ESP) or 51 (for AH). The IPv6 header is shown in Figure 13(b). To use IPsec with IPv6, the next header field is set to 50 (for ESP) or 51 (for AH).
Fig. 13. (a) IPv4 header. (b) IPv6 header.
(a) IPv4 header fields: Version (4 bits), Header Length (4 bits), Type of Service (8 bits), Datagram Length (16 bits), 16-bit identifier, Flags (3 bits), Fragmentation Offset (13 bits), Hops remaining (TTL) (8 bits), Upper Layer Protocol (8 bits), Header Checksum (16 bits), 32-bit Source IP Address, 32-bit Destination IP Address, Options.
(b) IPv6 header fields: Version (4 bits), Type of Service (8 bits), Flow Label (20 bits), Payload length (16 bits), Next Header (8 bits), Hops Remaining (8 bits), Source Address (128 bits), Destination Address (128 bits).

Fig. 14. The Authentication Header (AH). Fields: Next Header (8 bits), Payload Length (8 bits), Unused (16 bits), Security Parameter Index (32 bits), Sequence Number (32 bits), Authentication Data (Variable).

Authentication Header (AH): The AH is shown in Figure 14, and consists of the following fields:

Next Header: The next protocol used in the packet (e.g., TCP or UDP).
Payload Length: The size of the AH header, not including the first 8 octets.
Security Parameter Index (SPI): A field that enables the destination to identify the security association and look up the associated cryptographic key.
Sequence Number: A number that increases with each packet that is sent. Used to identify and discard packets that have been replayed.
Authentication Data: Cryptographic integrity check on the data packet.

Encapsulating Security Payload (ESP): The Encapsulating Security Payload (ESP) provides both encryption and message authentication. ESP is shown in Figure 15, and consists of the following fields:

Security Parameter Index (SPI): Same as in the AH.
Sequence Number: Same as in the AH.
Initialization Vector: The IV required by cryptographic algorithms such as CBC mode encryption.
Data: The encrypted data (packet contents).
Padding: Optional, can be used to make the data a multiple of block size, or hide the length of the plaintext.
Padding Length: Number of octets of padding.
Next Header: Same as the AH.
Authentication Data: Same as the AH.

The Data, Padding, Padding Length, and Next Header fields are encrypted.

Fig. 15. The Encapsulating Security Payload (ESP). Fields: Security Parameter Index (32 bits), Sequence Number (32 bits), IV (Initialization vector) (Variable), Data (Variable), Padding (Variable), Padding length (8 bits), Next header/protocol type (8 bits), Authentication Data (Variable).

6 Secure Socket Layer (SSL) and Transport Layer Security (TLS)

The Secure Socket Layer (SSL) and Transport Layer Security (TLS) are protocols for server authentication, session key establishment, and formation of a secure end-to-end connection between Alice and Bob. They are implemented by web browsers including Internet Explorer, Firefox, Chrome, Safari, and Opera. SSL/TLS is described by RFC Both protocols begin with handshakes, which establish a session key and agree on cryptographic primitives to be used. The basic SSL/TLS handshake protocol has the following steps, which are illustrated in Figure 16:

1. Alice sends a connection request, a nonce $R_A$, and a list of supported cryptographic primitives to Bob.
2. Bob chooses one of the supported primitives and transmits the chosen primitive, a random nonce $R_B$, and his certificate to Alice.
3. Alice verifies the certificate, chooses a secret $S$, and computes a key $K = f(S, R_A, R_B)$, where $f$ is a publicly known function. Alice transmits $E_{PK_B}(S)$ to Bob, where $PK_B$ is Bob's public key. Alice also transmits a keyed hash (using the key $K$) of the previous two messages.
4. Bob decrypts $E_{PK_B}(S)$ and computes $K = f(S, R_A, R_B)$. Bob transmits a keyed hash of the first two messages and a known constant (the known constant is added to ensure that the keyed hashes sent by Alice and Bob do not have the same value).

The key generation function $f$ may return two keys, $K_{enc}$ and $K_{auth}$, that can be used for encryption and authentication, respectively.

Fig. 16. The SSL/TLS protocol. (Figure not reproduced: the four handshake messages between Alice and Bob.)

6.1 Security Properties of SSL/TLS Handshake

The SSL/TLS handshake provides the following security properties:

Session Key Establishment: The key $K$ that is generated by Alice is used as a session key. Since the secret $S$ used to generate $K$ is encrypted using Bob's public key, a third party Eve cannot determine $K$.
Authentication of the Server Bob: The fourth message of the protocol authenticates Bob, since only a user with Bob's private key could obtain the key for the keyed hash.

Authentication of Alice is not provided by the basic SSL/TLS protocol. One approach to authenticating Alice is for Alice to encrypt her login and password using the key $K$ and transmit them to Bob. Since a new session key is generated at each execution of SSL/TLS and the session key is unknown to the adversary, this approach enables Bob to authenticate Alice while protecting the password from eavesdroppers.

6.2 The Record Protocol

SSL/TLS performs encrypted and authenticated data transfer using the SSL Record Protocol. An SSL record is shown in Figure 17. Bob sends data to Alice using the record protocol as follows:

Fig. 17. The SSL record protocol. (Figure not reproduced: the data is split into Data Fragment 1 and Data Fragment 2, each followed by its MAC; each record consists of a Record Header followed by $E_K$(Data Fragment, MAC).)

1. Bob breaks the data stream $x$ to be transmitted into fragments $x_1, \ldots, x_n$. While SSL has a maximum fragment size, the actual fragment size can be determined by Bob.
2. Bob computes a MAC on each fragment. The MAC is computed using HMAC as: $MAC_i = \mathrm{HMAC}(K_{auth}, (seq \| type \| version \| length \| x_i))$, where $K_{auth}$ is a key for message authentication, $seq$ is a sequence number, $type$ is explained below, $version$ is the version of SSL/TLS, and $length$ is the length of the data fragment.
3. For each fragment, Bob computes $y_i = E_{K_{enc}}(x_i \| MAC_i)$ using a block cipher such as AES, where $K_{enc}$ is the key used for encryption.
4. The transmitted record is given by $(header \| y_i)$. The header contains the record type, SSL protocol version, and the length of the record.

The possible record types are alert (used to alert the communicating party to closure of the connection or errors such as decryption failure and certificate expiration), handshake (for initiating a connection or resuming a paused connection), and change cipher spec (for changing which primitives are used for encryption or authentication).

Sources for Today's Lecture:
1. Charlie Kaufman, Radia Perlman, and Mike Speciner. Network Security: Private Communication in Public World, 2nd Edition. Prentice Hall, 2002, p and and and
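The fragmenting and MAC computation of record protocol steps 1 and 2 (Section 6.2), with the receiver's check, as an added example that is not part of the original lecture notes. Assumptions: field widths and the type and version values follow TLS 1.2 conventions, HMAC-SHA256 is the MAC, the receiver counts sequence numbers itself instead of reading them from the wire, the header length covers only the fragment, and the encryption of step 3 is left out so the MAC logic stays visible.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23   # TLS record type for application data
TLS12 = 0x0303          # TLS 1.2 version field


def record_mac(k_auth, seq, rtype, version, fragment):
    """MAC_i = HMAC(K_auth, seq || type || version || length || x_i)."""
    covered = struct.pack("!QBHH", seq, rtype, version, len(fragment)) + fragment
    return hmac.new(k_auth, covered, hashlib.sha256).digest()


def protect(k_auth, data, max_fragment=16):
    """Sender side: split the stream into fragments and MAC each one.
    max_fragment is tiny here so that a short sample yields several records."""
    records = []
    for seq, offset in enumerate(range(0, len(data), max_fragment)):
        fragment = data[offset:offset + max_fragment]
        header = struct.pack("!BHH", APPLICATION_DATA, TLS12, len(fragment))
        mac = record_mac(k_auth, seq, APPLICATION_DATA, TLS12, fragment)
        records.append(header + fragment + mac)
    return records


def receive(k_auth, records):
    """Receiver side: recompute each MAC with the locally counted sequence
    number; any mismatch aborts instead of delivering data."""
    stream = bytearray()
    for seq, record in enumerate(records):
        rtype, version, length = struct.unpack("!BHH", record[:5])
        fragment, mac = record[5:5 + length], record[5 + length:]
        expected = record_mac(k_auth, seq, rtype, version, fragment)
        if not hmac.compare_digest(mac, expected):
            raise ValueError(f"record {seq}: MAC check failed")
        stream += fragment
    return bytes(stream)


def rejected(k_auth, records):
    """True when the receiver refuses the record sequence."""
    try:
        receive(k_auth, records)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key = b"constructed sample K_auth (32 B)"            # constructed key
    data = b"GET /index.html HTTP/1.1, constructed sample"  # constructed payload
    recs = protect(key, data)
    tampered = [recs[0][:5] + b"X" + recs[0][6:]] + recs[1:]
    print("in order :", receive(key, recs) == data)
    print("reordered:", rejected(key, [recs[1], recs[0]] + recs[2:]))
    print("replayed :", rejected(key, recs[:2] + [recs[1]] + recs[2:]))
    print("tampered :", rejected(key, tampered))
```

Because the sequence number is covered by the MAC but counted independently by each side, a record that is swapped, repeated, or dropped fails verification even though its own contents are intact.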