Network Encryption Methods

Transcription

1 Network Encryption Network Encryption Methods CSC362, Information Security Objectives understanding the impact of employing encryption at different protocol layers application layer encryption transport layer encryption network layer encryption link layer encryption Balancing Competing Demands network cryptography is usually applied at a specific protocol layer rather than throughout the protocol stack the goal is to balance two competing goals: application transparency what effects does encryption have on the design and implementation of a network application? network transparency what impact does encryption have on normal network transactions? greater transparency means fewer changes, less intrusive application layer encryption offers advantages but has costs the message is encrypted/decrypted in its entirety by the end systems (applications) no (cryptographic) involvement from devices at other layers advantage: per E2E principle, potentially more secure because user has greater control over the process costs: sacrifices application transparency for network transparency; PDU data is encrypted but PDU headers are visible to attackers 1

2 traditionally, application and transport layers connect through the interface of a network socket abstractions that represent endpoints for network communications usually provided by OS services for example, to open a TCP network connection, the host process must open a socket at an internal software port for two- way communication with another host s port e.g., Microsoft s.net framework offers a connection socket with a set of methods for managing full two- way functionality for sending and receiving data encryption/decryption at this layer is usually an add- on e.g., Secure Socket Layer (SSL) originally developed by Netscape current standards called Transport Layer Security (TLS) TLSv.3 network layer is another option datagrams are encrypted by routers for transmission across an insecure channel at a later stage, they are decrypted by another router this promotes a high degree of application transparency and relieves the message transport layer of added duties but, there are decided costs at the network layer IP Security (IPSec) is a common standard for network layer encryption and is the basis for many Virtual Private Networks (VPNs) 2

3 link layer encryption attempts to protect the actual communication channel from interception and eavesdropping this is especially important for broadcast media we will examine WPA2 (Wi- Fi Protected Access 2) as an illustration of how encryption is employed for wireless local area networks Encryption and the Network Protocol Stack chief points to consider when examining a form of protocol layer encryption/decryption which protocol layer applies? where/when is the plaintext visible? (visibility) what are the transparency factors? (transparency) where do the keys reside and how are they updated? (key management) how do we authenticate the source of encrypted packets (authentication) Application Layer is one of the oldest Internet network applications originally conceived for ARPANET in 1965, but introduced in 1969 as an Internet standard Simple Mail Transfer Protocol (SMTP) was standardized in RFCs 821, 822 unlike other Internet applications, employs multiple protocols and extensions application layer encapsulates the encryption/decryption tasks: application PDU is encrypted by sender and decrypted by receiver or destination 3

4 1. User A employs a user agent to prepare a message. 2. User A sends the message made by the mail agent to a mail transfer agent (daemon) 3. mail daemon uses SMTP to send a message from User A to the local mail server or gateway 4. the local mail server can store and forward messages; it places the message in the mail queue for subsequent transmission 5. mail server uses SMTP to communicate with the destination mail server and transfers the message 6. the destination mail server transfers the message to User B s assigned inbox storage 7. User B fetches the message from his/her inbox using mail access protocol (MAP) 8. User B employs the mail user agent to read the message SMTP is primarily a PUSH protocol, i.e., messages are sent from the client to the server when the client initiates the contact client (local mail server) server (destination mail server) MAPs are primarily PULL protocols, i.e., the destination host initiates the last fetch mail server to mail user agent SMTP is a messaging protocol (like other application layer protocols here it is simulated using a telnet session $ telnet example.org 25 S: 220 example.org ESMTP Sendmail /8.13.1; Wed, 30 Aug 20xx 07:36: C: HELO mailout1.phrednet.com S: 250 example.org Hello ip068.subnet71.gci- net.com [ ], pleased to meet you C: MAIL FROM:xxxx@example.com S: <xxxx@example.com>... Sender ok C: RCPT TO:yyyy@example.com S: <yyyy@example.com>... Recipient ok C: DATA S: 354 Enter mail, end with "." on a line by itself From: Dave\r\nTo: Test Recipient\r\nSubject: SPAM SPAM SPAM\r\n\r\nThis is message 1 from our test script.\r\n.\r\n S: k7tkibyb Message accepted for delivery C: QUIT S: example.org closing connection Connection closed by foreign host. $ 4

5 4/12/17 few encryption technologies have had the longevity of Phil Zimmerman s PGP ( Pretty Good Privacy ) one of the first widely available applications that incorporated public key cryptography PGP is not a pure public key system but a hybrid instead it relies on secret key data encryption/decryption to avoid the the inefficiency problems associated with public key technology major components: users generate their own keys a public, private key pair key size was originally 384 bytes which is easily broken today currently: 2,048 or 4,096 bytes binary, but exported in ASCII- armored format keys, messages, key management {{PGPkey url= keyid=0xffa60123 pubkey= BEGIN PGP PUBLIC KEY BLOCK Version: GnuPG v1.4.6 (MingW32) EkkCGwMFCQWjmoAGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRC8IRhO/6YFZyCu AJ9oVG2rQR87dBEQOjU6bdLvbyLJ9ACfb2aUWehrQ04iWpCHW9dTvNw1Pz6IRgQQ EQIABgUCREVycAAKCRAEdWQX3LF5hf6SAJ9wHVt6Az5PnYBGELX9/feMDdGuYQCf exlzh+ynx2skdupxl5gnzadrr2kirgqqeqiabgucrltj8wakcrb6fhywk1chanwd AKCYwxeBl26StQUHF4Xyw3YOcQPr/QCfeVfxe2QyXtOQ0Ur+1go+IvUIjdaIRgQS EQIABgUCRFAHMQAKCRD4z5ci90zsiyNDAJ4jbDz7D8NcHD35Z12i4eoI3ftFOgCd GT3tOljpoU2XrXL1/L0EHWBdLRGITAQSEQIADAUCRkDC7gWDA1jp2wAKCRDLoD9G szdlofjosontvenqnwoh469h6thyh6oes94nackos6xk3iismvrzjzvtpn5mn/z4 7aVy/N8vgpvT3IYiFmZJSd8gpYpIdV5EyL87k+oluTQUqKfpmEQPaNXWZoXrn+xN x7giihwiefl9xndyebwh65xsqsof0w9ucuyujqhxsrro7ozgayccnjsw+fvtqvis 1YQoRjYkdSLipTkrtvo7iBY0rq88+uli5aK6H71kEjn5tK8IvUuKygwq/O+csCel ef6iky6aaj9lemejkbhkzfwmlcxwkfoh1djajqcemxh1gc/t4pdi6g7opaqfxwv1 tsn+fdlfyi5ospzxifnicxrmpkizzdxoso0vilmkmjpcnc8risdrhn/uyutc9p7l TBpITQmRQIZKmkFJ0bBucVI1PE2Y2iP7SZ5lv1Bq4uaaW3YE5Sw9DZMAAwUJAI9x mqgibep2ekkrbacoiupj6yhfc/oyx5cjsejt9jymx0u+cl32mv70eslfbndvgrot D+EMnHfNgh12QldUIu7v6YAdwepBDtCFmxwzZcea2MUhbzQTWqvtDpEUMMzIw1HY HOPl89wfO6VIAxw9QVJ9dYHl4bDgRBStMqdQJA6HkD2PtuTtn8rtndmNnwCgp4Fh A3AmpyzmF4Wf2PtuFNl2IoUD/1pWobB75wRwKAvgG7K/THkhjpLYtSmZdn1NswRf NMBLYCgbYV84BlIHy2aymPljTWWLKa/RGba2MyfWXfNwcGF440OfH1CwXMPw87+a 2uyIRgQQEQIABgUCRkJFvgAKCRCshZNisEE7+lo0AJ4o0Hr4BbQWGVX1mC3E32Xl ivdf+acdgdyodihqjrjiwjw3i8zbt5joamciygqteqiaigucrkjloqmfajwxhjxb Xj5dK1tALl13aWtpcGVkaWE+JAAACgkQrIWTYrBBO/rpswCfZffb7x/naE/zJvK7 KCDm7NnkHhwAoJkNCnYDDdDRnAufgPamFGwUeoVzuQJNBEP2Ek0QCQCTl2JYMAy1 5/LLBlKiuU7jHWikBP+Z/Q5RsyFgBDmD++dJSlLF61O0kjt/O5RqzjhiZrmAk1Fg rfnslcywhr9wshwisnqllynyjrlfmm/rltkk0muqbuv7lu3st8/nbcmye3spz6kr 3Km62DLBiEngjKUqQzGSRNslHFzDZRq1vLuMZrqAgcCiEffI5deo+CJGn5i7anpH +KVU0VmOVnv07Wvrcs7nBiOWDYT14GFtKYn7QpE0WtC/MKvUlQ+LGR9/jvL9RzOV 1OLVe/8TUZ4db0PCuv11/cmAWaZLbn57pE3mKN72GBlLHQaPdPY+JprkB8h5DI4T vy/ia/9r8bazts72po/plqzg4ebqjherzv4lzeufkrlornbpvyspxl+l1qj+wx9e L0gmQ1ir0MFJhmpd+AAsmGRajlJLqf1xhTuSjspqswjKj8NJHX3HhPMl+wWqlaw+ ofsofqdod1grac7ynyv+q2p2tssooqtgtrjyjbkntqhqlrdpd7qtqmvuie1jswx3 YWluIChDeWRlIFdleXMpIDxjeWRld2V5c0BnbWFpbC5jb20+iGYEExECACYFAkP2 HBJyZiQ2+CNn035ekLKsL3BNFKSMWt8vuEDk2FlPfboSRQVgqIPxpMUJuJesUvaJ VvOvMkODO0Y5fOgcwXzxV/pH0+GvZJMk6aODU3fuCiGpKGzGHCH4x/Ofnt5ztYhP BBgRAgAPBQJD9hJNAhsMBQkFo5qAAAoJELwhGE7/pgVnOrUAmgJLiWcQ8TjHIixC bicoqozktbclaj4t2qynt9aqkayqrddx0ofcbtc4la== =RJYJ END PGP PUBLIC KEY BLOCK }} messages are compressed and encrypted using a random secret session key compression (e.g., PKZIP) helps to reduce redundancies that enable the attacker to gain more information about the message contents encryption is symmetric secret key the session key must be transmitted to the recipient and is encrypted using the recipient s public key 5

6 the original scheme for PGP key management was the Web of Trust users networked to certify the authenticity of keys 6

7 currently, Symantec owns commercial rights to PGP and offers two types of service an enterprise suite for businesses and organizations a desktop version for personal users open source versions are available OpenPGP GnuPG (GPG) 7