Lecture13 Network Security


Transcript of Lecture13 Network Security

  • 8/6/2019 Lecture13 Network Security

    31.1

    Chapter 31 Network Security

    Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

  • 31.2

    31-1 SECURITY SERVICES

    Network security can provide five services. Four of these services are related to the message exchanged using the network. The fifth service provides entity authentication or identification.

    Topics discussed in this section:

    Message Confidentiality

    Message Integrity

    Message Authentication

    Message Nonrepudiation

    Entity Authentication

  • 31.3

    Figure 31.1 Security services related to the message or entity

  • 31.4

    31-2 MESSAGE CONFIDENTIALITY

    The concept of how to achieve message confidentiality or privacy has not changed for thousands of years. The message must be encrypted at the sender site and decrypted at the receiver site. This can be done using either symmetric-key cryptography or asymmetric-key cryptography.

    Topics discussed in this section:

    Confidentiality with Symmetric-Key Cryptography

    Confidentiality with Asymmetric-Key Cryptography

  • 31.5

    Figure 31.2 Message confidentiality using symmetric keys in two directions

  • 31.6

    Figure 31.3 Message confidentiality using asymmetric keys

  • 31.7

    31-3 MESSAGE INTEGRITY

    Encryption and decryption provide secrecy, or confidentiality, but not integrity. However, on occasion we may not even need secrecy, but instead must have integrity.

    Topics discussed in this section:

    Document and Fingerprint

    Message and Message Digest

    Creating and Checking the Digest

    Hash Function Criteria

    Hash Algorithms: SHA-1

  • 31.8

    Note:

    To preserve the integrity of a document, both the document and the fingerprint are needed.

  • 31.9

    Figure 31.4 Message and message digest

  • 31.10

    Note:

    The message digest must be protected from modification. If Eve can replace the message, she can just as easily recompute an unkeyed digest for her replacement, so the digest is only useful if it reaches Bob over a channel Eve cannot alter, or is bound to a secret key shared by Alice and Bob (a MAC, Section 31-4).

  • 31.11

    Figure 31.5 Checking integrity

  • 31.12

    Figure 31.6 Criteria of a hash function

  • 31.13

    Figure 31.7 Message digest creation

  • 31.14

    Note:

    SHA-1 processes the message in 512-bit blocks and produces a 160-bit message digest (5 words of 32 bits). SHA-1 is no longer collision resistant: practical collisions were published in 2017, so it should not be used for integrity checks or signatures in new designs; SHA-256 (part of SHA-2) or SHA-3 are the current choices.
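The digest creation and checking of Figures 31.5 and 31.7, and the reason the digest itself has to be protected, as an added example (not part of the lecture slides). It uses Python's hashlib with SHA-256 standing in for SHA-1; the messages and the "Eve in the middle" scenario are constructed here for illustration.

```python
"""Message digest creation and checking (hashlib). Added demonstration.

Assumptions (not from the lecture): sample messages are constructed here;
SHA-256 stands in for SHA-1 because SHA-1 is no longer collision resistant.
"""
import hashlib


def create_digest(message: bytes, algorithm: str = "sha256") -> bytes:
    """Figure 31.7: run the whole message through the hash, get a fixed-size digest."""
    return hashlib.new(algorithm, message).digest()


def check_integrity(message: bytes, received_digest: bytes, algorithm: str = "sha256") -> bool:
    """Figure 31.5: the receiver recomputes the digest and compares it with the one received."""
    return create_digest(message, algorithm) == received_digest


def digest_bits(algorithm: str) -> int:
    """Size of the digest in bits (SHA-1 -> 160, SHA-256 -> 256)."""
    return hashlib.new(algorithm).digest_size * 8


def block_bits(algorithm: str) -> int:
    """Size of the input block the compression function consumes (512 for SHA-1 and SHA-256)."""
    return hashlib.new(algorithm).block_size * 8


def tamper_scenarios() -> dict:
    """Constructed scenario: Alice sends (message, digest); Eve sits in the middle."""
    message = b"Pay Bob 100 dollars"          # constructed sample message
    digest = create_digest(message)

    # Case 1: Eve alters the message but cannot touch the digest
    # (it travelled over a channel she cannot modify). Bob detects the change.
    altered = b"Pay Eve 100 dollars"
    caught = not check_integrity(altered, digest)

    # Case 2: Eve alters the message AND replaces the digest with one she
    # computed herself. An unkeyed digest cannot stop this: the check passes.
    # This is why the digest must be protected from modification, or keyed (a MAC).
    forged_digest = create_digest(altered)
    missed = check_integrity(altered, forged_digest)

    # Hash criterion illustrated: a one-bit change in the input flips roughly
    # half of the digest bits, so nothing about the original leaks through.
    flipped = bytes([message[0] ^ 0x01]) + message[1:]
    differing_bits = sum(bin(a ^ b).count("1")
                         for a, b in zip(digest, create_digest(flipped)))
    return {"caught": caught, "missed": missed, "differing_bits": differing_bits}


if __name__ == "__main__":
    print(tamper_scenarios())
    print("SHA-1 digest bits:", digest_bits("sha1"), "block bits:", block_bits("sha1"))
```

Case 2 is the point of the note on slide 31.10: an unkeyed digest detects accidental or unauthorised change only when the attacker cannot also replace the digest.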

  • 31.15

    31-4 MESSAGE AUTHENTICATION

    A hash function by itself cannot provide authentication. The digest created by a hash function can detect any modification of the message, but it says nothing about who created the message: anyone, including Eve, can compute the digest of any message. A message authentication code (MAC) fixes this by mixing a secret key shared by Alice and Bob into the digest, so that only a holder of the key can produce a valid tag.

    Topics discussed in this section:

    MAC

  • 31.16

    Figure 31.9 MAC, created by Alice and checked by Bob
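The exchange of Figure 31.9 as an added example (not code from the lecture): Alice computes an HMAC-SHA256 tag over the message with the shared key, Bob recomputes it, and Eve, lacking the key, cannot produce a valid tag for an altered message. The key and messages are constructed here; the key is assumed to have been shared out of band.

```python
"""MAC creation and checking with HMAC (hmac, hashlib). Added demonstration.

Assumptions (not from the lecture): the shared key is generated here and is
assumed to have been exchanged out of band; sample messages are constructed.
"""
import hashlib
import hmac
import secrets


def create_mac(key: bytes, message: bytes) -> bytes:
    """Alice: tag = HMAC-SHA256(key, message), sent alongside the plaintext message.
    HMAC is used rather than the naive hash(key || message): on Merkle-Damgard
    hashes such as SHA-1/SHA-256 the naive form allows length-extension forgeries."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Bob: recompute the tag with the same key and compare in constant time,
    so the comparison does not leak how many leading bytes of the tag were right."""
    return hmac.compare_digest(create_mac(key, message), tag)


def mac_scenarios() -> dict:
    """Constructed scenario: Alice and Bob share `key`; Eve does not."""
    key = secrets.token_bytes(32)
    message = b"Pay Bob 100 dollars"           # constructed sample message
    tag = create_mac(key, message)

    accepted = verify_mac(key, message, tag)  # honest message from Alice

    # Eve alters the message and recomputes a tag the only way she can,
    # without the key: an unkeyed digest. Bob rejects it.
    altered = b"Pay Eve 100 dollars"
    eve_tag = hashlib.sha256(altered).digest()
    forged_rejected = not verify_mac(key, altered, eve_tag)

    # Eve keeps Alice's genuine tag but swaps the message: also rejected.
    spliced_rejected = not verify_mac(key, altered, tag)

    # Bob holds the same key, so he could have produced any tag himself:
    # a MAC proves "someone with the key sent this", not "Alice sent this".
    # That is why a MAC gives authentication but not nonrepudiation.
    claim = b"Bob owes Alice nothing"
    bob_can_forge = verify_mac(key, claim, create_mac(key, claim))
    return {"accepted": accepted, "forged_rejected": forged_rejected,
            "spliced_rejected": spliced_rejected, "bob_can_forge": bob_can_forge}


if __name__ == "__main__":
    print(mac_scenarios())
```

The last case is the bridge to the next section: because the key is shared, a MAC cannot settle a dispute between Alice and Bob; that needs a signature made with a key only Alice holds.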

  • 31.17

    31-5 DIGITAL SIGNATURE

    When Alice sends a message to Bob, Bob needs to check the authenticity of the sender; he needs to be sure that the message comes from Alice and not Eve. Bob can ask Alice to sign the message electronically. In other words, an electronic signature can prove the authenticity of Alice as the sender of the message. We refer to this type of signature as a digital signature.

    Topics discussed in this section:

    Comparison

    Need for Keys

    Process

  • 31.18

    Note:

    A digital signature needs a public-key system.

  • 31.19

    Figure 31.11 Signing the message itself in digital signature

  • 31.20

    Note:

    In a cryptosystem, we use the private and public keys of the receiver; in a digital signature, we use the private and public keys of the sender.

  • 31.21

    Figure 31.12 Signing the digest in a digital signature

  • 31.22

    Note:

    Because the signature is computed over the digest of the message (Figure 31.12), a digital signature today also provides message integrity: any change to the message changes the digest and invalidates the signature.

  • 31.23

    Note:

    A digital signature provides message authentication.
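The two uses of a key pair contrasted in the note on slide 31.20, as one added example (not code from the lecture): confidentiality as in Figure 31.3 uses the receiver's keys, and signing the digest as in Figure 31.12 uses the sender's keys. The example is textbook RSA built from the standard library only; the primality test, key sizes and messages are assumptions of this example, and textbook RSA without OAEP/PSS padding is shown only to make the key roles visible, not as something to deploy.

```python
"""Textbook RSA: confidentiality with the receiver's keys, signature with the
sender's keys. Added demonstration, not from the lecture.

Assumptions: keys are generated here with a simple Miller-Rabin primality test;
the RSA is "textbook" (no OAEP/PSS padding), which is fine for showing which
key is used where but is NOT secure for real use. Use a vetted library
(RSA-PSS/OAEP, or Ed25519) in production.
"""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Returns (public_key, private_key) as (n, e) and (n, d)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def encrypt(receiver_public, plaintext: bytes) -> int:
    """Confidentiality (Figure 31.3): anyone can encrypt with Bob's PUBLIC key."""
    n, e = receiver_public
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(receiver_private, ciphertext: int) -> bytes:
    """Only Bob, holding his PRIVATE key, can decrypt. (Leading zero bytes of the
    plaintext are not preserved by this toy integer encoding.)"""
    n, d = receiver_private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(sender_private, message: bytes) -> int:
    """Signature (Figure 31.12): Alice signs the DIGEST with her PRIVATE key."""
    n, d = sender_private
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, d, n)


def verify(sender_public, message: bytes, signature: int) -> bool:
    """Anyone can check with Alice's PUBLIC key: recover the digest and compare."""
    n, e = sender_public
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == h


def demo() -> dict:
    alice_pub, alice_priv = generate_keypair()
    bob_pub, bob_priv = generate_keypair()
    message = b"Transfer 100 to account 42"   # constructed sample message

    # Confidentiality: the receiver's (Bob's) keys are used.
    ciphertext = encrypt(bob_pub, message)
    recovered = decrypt(bob_priv, ciphertext) == message

    # Signature: the sender's (Alice's) keys are used.
    signature = sign(alice_priv, message)
    return {
        "recovered": recovered,
        "valid": verify(alice_pub, message, signature),
        "tampered_rejected": not verify(alice_pub, b"Transfer 900 to account 42", signature),
        "wrong_signer_rejected": not verify(alice_pub, message, sign(bob_priv, message)),
    }


if __name__ == "__main__":
    print(demo())
```

Signing the 256-bit digest rather than the message keeps the signed value smaller than the modulus regardless of message length, and the "tampered_rejected" case is the integrity property of slide 31.22; the "wrong_signer_rejected" case is what a shared-key MAC cannot give, since Bob's key is different from Alice's.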

  • 31.24

    Figure 31.13 Using a trusted center for nonrepudiation

  • 31.25

    Note:

    Nonrepudiation can be provided using a trusted party.

  • 31.26

    31-6 ENTITY AUTHENTICATION

    Entity authentication is a technique designed to let one party verify the identity of another party. An entity can be a person, a process, a client, or a server. The entity whose identity needs to be proved is called the claimant; the party that checks the identity of the claimant is called the verifier.

    Topics discussed in this section:

    Passwords

    Challenge-Response

  • 31.27

    Note:

    In challenge-response authentication, the claimant proves that she knows a secret without revealing it.

  • 31.28

    Note:

    The challenge is a time-varying value (typically a nonce) sent by the verifier; the response is the result of a function applied to the challenge using the claimant's secret. Because the challenge never repeats, a response recorded by Eve cannot be replayed in a later session.

  • 31.29

    Figure 31.14 Challenge/response authentication using a nonce

  • 31.30

    Figure 31.15 Challenge-response authentication using a timestamp
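Both shared-secret variants, the nonce exchange of Figure 31.14 and the timestamp exchange of Figure 31.15, as one added example (not code from the lecture). The response function is assumed to be HMAC-SHA256 over the challenge; the secret, the clock and the replay attempts are constructed here. The verifier keeps state so that a captured response cannot be replayed, which is the failure mode the time-varying value exists to prevent.

```python
"""Challenge-response entity authentication with a shared secret (nonce and
timestamp variants, Figures 31.14 and 31.15). Added demonstration, not from
the lecture.

Assumptions: the claimant and verifier already share `secret` (exchanged out
of band); the response function is HMAC-SHA256 over the challenge; the clock
is injectable so the timestamp variant can be exercised deterministically.
"""
import hashlib
import hmac
import secrets
import time


def respond(secret: bytes, challenge: bytes) -> bytes:
    """Claimant: prove knowledge of the secret without revealing it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Verifier:
    def __init__(self, secret: bytes, clock=time.time, window_seconds: int = 30):
        self.secret = secret
        self.clock = clock
        self.window = window_seconds
        self.outstanding = set()   # nonces issued and not yet answered
        self.seen_stamps = set()   # (timestamp, response) pairs already accepted
                                   # (prune entries older than the window in real code)

    # --- Figure 31.14: a nonce is the time-varying value ---
    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def check_nonce(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:      # never issued, or already answered
            return False
        self.outstanding.discard(nonce)        # one answer per challenge: no replay
        return hmac.compare_digest(respond(self.secret, nonce), response)

    # --- Figure 31.15: a timestamp is the time-varying value ---
    def check_timestamp(self, timestamp: int, response: bytes) -> bool:
        if abs(self.clock() - timestamp) > self.window:   # stale or future-dated
            return False
        if (timestamp, response) in self.seen_stamps:     # exact replay inside the window
            return False
        ok = hmac.compare_digest(respond(self.secret, timestamp.to_bytes(8, "big")), response)
        if ok:
            self.seen_stamps.add((timestamp, response))
        return ok


def claimant_timestamp_response(secret: bytes, now: int):
    """Claimant side of Figure 31.15: send the timestamp and a response over it."""
    return now, respond(secret, now.to_bytes(8, "big"))


def scenarios() -> dict:
    secret = secrets.token_bytes(32)
    fixed_clock = lambda: 1_700_000_000   # constructed, deterministic clock
    verifier = Verifier(secret, clock=fixed_clock)

    # Nonce exchange: honest claimant, then Eve replays the captured response.
    nonce = verifier.challenge()
    response = respond(secret, nonce)
    honest = verifier.check_nonce(nonce, response)
    replay = verifier.check_nonce(nonce, response)

    # Eve, with a guessed secret, answers a fresh challenge.
    nonce2 = verifier.challenge()
    impostor = verifier.check_nonce(nonce2, respond(b"wrong secret", nonce2))

    # Timestamp exchange: fresh, replayed, and stale responses.
    ts, resp = claimant_timestamp_response(secret, fixed_clock())
    fresh = verifier.check_timestamp(ts, resp)
    ts_replay = verifier.check_timestamp(ts, resp)
    old_ts, old_resp = claimant_timestamp_response(secret, fixed_clock() - 3600)
    stale = verifier.check_timestamp(old_ts, old_resp)
    return {"honest": honest, "replay": replay, "impostor": impostor,
            "fresh": fresh, "ts_replay": ts_replay, "stale": stale}


if __name__ == "__main__":
    print(scenarios())
```

The nonce variant needs no clock but requires the verifier to remember which challenges are outstanding; the timestamp variant needs no round trip for the challenge but depends on synchronised clocks and still has to remember responses seen inside the acceptance window.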

  • 31.31

    Figure 31.17 Authentication, asymmetric-key

  • 31.32

    Figure 31.18 Authentication, using digital signature

  • 31.33

    31-7 KEY MANAGEMENT

    So far we have not discussed how secret keys in symmetric-key cryptography and public keys in asymmetric-key cryptography are distributed and maintained. In this section, we touch on these two issues. We first discuss the distribution of symmetric keys; we then discuss the distribution of public keys.

    Topics discussed in this section:

    Symmetric-Key Distribution

    Public-Key Distribution

  • 31.34

    Figure 31.19 KDC

  • 31.35

    Note:

    A session symmetric key between two parties is used only once.

  • 31.36

    Figure 31.30 Creating a session key between Alice and Bob using KDC
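The session-key exchange of Figure 31.30 end to end, as an added example (not code from the lecture), which also covers the symmetric-key confidentiality of Figure 31.2 once the session key exists. The long-term keys, the JSON message layout and the toy encrypt-then-MAC cipher are assumptions of this example, chosen so it runs with the standard library alone; a real deployment uses an AEAD such as AES-GCM and a protocol such as Kerberos, which additionally puts lifetimes in the ticket.

```python
"""Session-key establishment through a KDC (Figure 31.30) and symmetric
confidentiality with the resulting session key. Added demonstration, not from
the lecture.

Assumptions: each principal shares a long-term key with the KDC, registered
out of band; messages are JSON; encryption is a toy encrypt-then-MAC scheme
(SHA-256 keystream XOR + HMAC-SHA256) written here only so the example runs
with the standard library. Real deployments use an AEAD such as AES-GCM.
"""
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag before touching the ciphertext; raise on any tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or modified message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    def __init__(self):
        self.long_term_keys = {}

    def register(self, name: str, key: bytes):
        self.long_term_keys[name] = key

    def request_session(self, requester: str, peer: str) -> bytes:
        """Alice -> KDC: "I want to talk to Bob". The KDC replies, under K_Alice, with
        a fresh session key and a ticket for Bob that only K_Bob can open."""
        session_key = secrets.token_bytes(32)          # fresh per request: used once
        ticket = encrypt(self.long_term_keys[peer],
                         json.dumps({"peer": requester, "key": session_key.hex()}).encode())
        reply = {"peer": peer, "key": session_key.hex(), "ticket": ticket.hex()}
        return encrypt(self.long_term_keys[requester], json.dumps(reply).encode())


def run_exchange() -> dict:
    kdc = KDC()
    k_alice, k_bob = secrets.token_bytes(32), secrets.token_bytes(32)   # constructed
    kdc.register("alice", k_alice)
    kdc.register("bob", k_bob)

    # Steps 1-2: Alice asks the KDC and opens the reply with her own long-term key.
    alice_view = json.loads(decrypt(k_alice, kdc.request_session("alice", "bob")))
    k_ab_alice = bytes.fromhex(alice_view["key"])
    ticket = bytes.fromhex(alice_view["ticket"])

    # Step 3: Alice forwards the ticket; only Bob can open it and learn K_AB.
    bob_view = json.loads(decrypt(k_bob, ticket))
    k_ab_bob = bytes.fromhex(bob_view["key"])

    # Step 4: the session key protects the actual traffic (as in Figure 31.2).
    plaintext = b"meet at noon"                                  # constructed
    received = decrypt(k_ab_bob, encrypt(k_ab_alice, plaintext))

    # A ticket modified in transit is rejected by Bob instead of yielding a bogus key.
    bad_ticket = ticket[:NONCE_LEN] + bytes([ticket[NONCE_LEN] ^ 0xFF]) + ticket[NONCE_LEN + 1:]
    try:
        decrypt(k_bob, bad_ticket)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {"keys_match": k_ab_alice == k_ab_bob, "bob_sees_peer": bob_view["peer"],
            "received": received, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(run_exchange())
```

The ticket is the only thing Alice cannot read or alter: it binds the session key to the name "alice" under Bob's long-term key, so Bob learns both the key and whom it is shared with from the KDC rather than from Alice.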

  • 31.37

    Note:

    In public-key cryptography, everyone has access to everyone's public key; public keys are available to the public. The difficulty is not obtaining a public key but being sure that it really belongs to the claimed owner and has not been substituted by Eve, which is why a trusted center or a certification authority is needed (Figures 31.24 to 31.26).

  • 31.38

    Figure 31.24 Trusted center

  • 31.39

    Figure 31.25 Controlled trusted center

  • 31.40

    Figure 31.26 Certification authority