06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

Transcription

1 1 Local & Metropolitan Area Networks ACOE322 Lecture 8 Network Security Dr. L. Christofi 1 0. Overview As the knowledge of computer networking and protocols has become more widespread, so the threat of intercepting and decoding message data during its transfer across a network has increased. An intruder in a network can identify and remove the protocol control information at the head of each message, leaving the message contents. The message contents, including passwords and other sensitive information, can then be interpreted. This is know as listening or eavesdropping. In addition, an intruder can use a recorded message sequence to generate a new sequence. This is known as masquerading. Therefore, encryption should be applied to all data transfers that involve a network. In the context of the ISO reference model, the most appropriate layer to perform such operations is the presentation layer. Dr. L. Christofi 2 Terminology Data encryption involves the sending party in processing all data prior to transmission so that in case it is intercepted during transmission to be incomprehensible to the intercepting party. Data should only be interpreted (decrypted) only by the intended recipient. Most encryption methods involve the use of an encryption key, which is only known by the two correspondents. Before encryption, message data is called plaintext and after encryption, ciphertext. The aim is to chose an encryption method such as an intruder cannot decipher the recorded ciphertext in a realistic time period. Dr. L. Christofi 3 06/02/2006 1

2 2 Security Requirements Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able to verity the identity of a user Integrity Data can be modified only by authorized parties Availability Data are available to authorized parties Non-repudiation Receiver must be able to prove that a received message came from a specific sender Dr. L. Christofi 4 Cryptography Original message Plaintext Encryption Transforms the plaintext to cipher text Decryption Transforms the ciphertext back to plain text Ciphers Different categories of algorithms in cryptography Key Number (value) that the ciphers operate on Dr. L. Christofi 5 Cryptography Components Dr. L. Christofi 6 06/02/2006 2

3 3 Encryption and Decryption In cryptography, the encryption/decryption algorithms are public; the keys are secret Two groups of algorithms Symmetric-key algorithms Public-key algorithms Dr. L. Christofi 7 Symmetric-key cryptography Same key is used by the sender (for encryption) and receiver (for decryption). The key is shared In symmetric-key cryptography, the same key is used in both directions Often used for long messages Algorithm is public, key is secret Dr. L. Christofi 8 Traditional Ciphers Substitution Ciphers Transposition Ciphers Dr. L. Christofi 9 06/02/2006 3

4 4 Substitution Ciphers One symbol is substitutes by another e.g. Caesar Cipher (a->d, b->e, c->f, z-c). Monoalphabetic substitution The relationship between a character in the plaintext to the character in the ciphertext is always one-to-one Polyalphabetic substitution The relationship between a character in the plaintext and a character in the ciphertext is one-to-many Dr. L. Christofi 10 Transposition Ciphers The characters retain their plaintext form but change their positions Text is organized into a two-dimensional table and the columns are interchanged according to a key Dr. L. Christofi 11 Block Cipher Plain text and ciphertext are block of bits Each block is a unit of encryption/decryption Dr. L. Christofi 12 06/02/2006 4

5 5 Block Cipher (Cont.) P-box S-box Product block Data Encryption Standard (DES) Triple DES Dr. L. Christofi 13 Public-key cryptography Two keys are used Private key Kept by receiver Used for decryption Public key Announced to the public Used for encryption Disadvantages Complexity of the algorithm Key is too large, calculation time is long Need to verify the association between an entity and its public key Most common algorithm RSA (Rivest, Shamir, and Adleman) More efficient for short messages Dr. L. Christofi 14 Public-key cryptography (Cont.) Dr. L. Christofi 15 06/02/2006 5

6 6 Digital signature Digital signature is used to provide Authentication Integrity Nonrepudiation Dr. L. Christofi 16 Signing the whole document The sender uses private key to encrypt (sign) the message The receiver uses the public key of the sender to decrypt the message. Note: Digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption must be applied. Dr. L. Christofi 17 Signing the document The sender creates a miniature version or digest of the document and signs it Using hash function is used to creates a fixed-size digest from a variable-length message Two common hash MD5: produce a 120-bit digest SHA-1: produce a 160-bit digest The receiver checks signature on miniature Dr. L. Christofi 18 06/02/2006 6

7 7 Sender and receiver site Sender Site Receiver site Dr. L. Christofi 19 User authentication Message authentication Identity of sender is verified for each single message User authentication User identity is verified once for the entire duration of system access With symmetric key With public key Sender use private key to encrypt the message Receiver uses sender s public key to decrypt the message Dr. L. Christofi 20 Using symmetric key only Simple approach Sender sends his/her identity and password in an encrypted message, using symmetric key (Kab) Can not prevent replay attack. Replay attack: malicious intruders can resend the same message Dr. L. Christofi 21 06/02/2006 7

8 8 Using symmetric key only (Cont.) Using a nonce Step 1: Sender sends his/her identity and password in an encrypted message, using symmetric key (Kab) Step 2: Receiver challenges sender by sending a nonce, which is a large random number that is used only once (one-time number), to the receiver Step 3: Receiver responds to the message by sending back the encrypted nonce using the symmetric key Advantage: can prevent replay attack Dr. L. Christofi 22 Public key authentication Sender encrypts the message with his/her private key Receiver uses sender s public key to decrypt the message and authenticate the sender Problem Cannot prevent man-in-the-middle attack Man-in-the-middle-attack: Intruder announce his/her public key to the receiver in place of a sender Dr. L. Christofi 23 Firewalls A device (usually a router or a computer) installed between the internal network of an organization and rest of the internet Help to protect an organization s computers and networks from unwanted Internet traffic Designed to keep problems in the internet from spreading to an organizations computers Classes of firewalls Packet-filter firewalls Proxy-based firewalls Dr. L. Christofi 24 06/02/2006 8

9 9 Packet-filter firewall A filter that uses a filtering table to decide which packet must be discarded (not forwarded). Filters on network layer and transport layer Block packets based on Source and destination IP addresses Source and destination ports Type of protocol (TCP or UDP) Dr. L. Christofi 25 Packet-filter firewall Dr. L. Christofi 26 Proxy firewall Focuses on application layer Filters messages based on information of the message at application layer Step 1: Runs as a proxy for destination process to receive the request Step 2: Opens the packet at the application level and finds out if the request is legitimate Step 3: If message is legitimate, act as sender process and sends the message to the real receiver. Otherwise drop the message and send an error message to the external sender Dr. L. Christofi 27 06/02/2006 9

10 10 Proxy firewall Dr. L. Christofi 28 References F. Halsall, Data Communications, Computer Networks and Open Systems, 4 th edition, Addison Wesley, 1995 W. Stallings, Data and Computer Communications, 7 th edition, Prentice Hall, 2004 Dr. L. Christofi 29 06/02/