Network Security

David Lazăr

Contents

• Security Requirements and Attacks

• Confidentiality with Conventional Encryption

• Message Authentication and Hash Functions

• Public-Key Encryption and Digital Signatures

• IPv4 and IPv6 Security

Security Requirements

• Confidentiality

• Integrity

• Availability

Passive Attacks

• Release of message content (eavesdropping)– Prevented by encryption

• Traffic Analysis– Fixed by traffic padding

• Passive attacks are easier to prevent than to detect

Active Attacks

• Involve the modification of the data stream or creation of a false data stream

• Active Attacks are easier to detect than to prevent

Active Attacks (cont.)

• Masquerade

• Replay

• Modification of messages

• Denial of service

Conventional Encryption

Plain text

Encryption algorithm

Decryption algorithm

Plain text

Transmitted ciphertext

Shared secret key

Conventional Encryption Requirements

• Knowing the algorithm, the plain text and the ciphered text, it shouldn’t be feasible to determine the key.

• The key sharing must be done in a secure fashion.

Encryption Algorithms

• Data Encryption Standard (DES)– Plaintext: 64-bit blocks– Key: 56 bits– Has been broken in 1998 (brute force)

• Triple DES

• Advanced Encryption Standard (AES)– Plaintext: 128-bit blocks– Key: 128, 256 or 512 bits

Location of Encryption Devices

PSN

PSN

PSN

PSN

PSN Packet Switching Node

End-to-end encryption device

Link encryption device

Key Distribution

• Manual– Selected by A, physically delivered to B– Selected by C, physically delivered to A and B

• Automatic– The new key is sent encrypted with an old key– Sent through a 3-rd party with which A and B

have encrypted links

Message Authentication

• Authentic message means that: – it comes from the alleged source– it has not been modified

Message Authentication Approaches

• Authentication with conventional encryption

• Authentication without message encryption:– when confidentiality is not necessary– when encryption is unpractical

Message Authentication Code

• Uses a secret key to generate a small block of data

MACM = F (KAB, M)

One-way Hash Function

• Message digest – a “fingerprint” of the message

• Like MAC, but without the use of a secret key

• The message digest must be authenticated

Secure Hash Requirements

• H can be applied to a block of any size• H produces a fixed-length output• H(x) is easy to compute• Given h, it is infeasible to compute x s.t.

H(x) = h• Given x, it is infeasible to find y s.t.

H(x) = H(y)• It is infeasible to find (x,y) such that

H(x) = H(y)

Secure Hash Functions

• Message Digest v5 (MD5)– 128-bit message digest– has been found to have collision weakness

• Secure Hash Algorithm (SHA-1)– 160-bit message digest

Public-Key Encryption

• Each user has a pair of keys:– public key– private key

• What is encrypted with one, can only be decrypted with the other

Encryption

Plain text Plain text

Transmitted ciphertext

Bob’s public key

Alice Bob

Bob’s private key

Authentication

Plain text Plain text

Transmitted ciphertext

Alice’s public key

Alice Bob

Alice’s private key

Digital Signature

• Like authentication, only performed on a message authenticator (SHA-1)

Public-Key Encryption Algorithms

• RSA (used by PGP)

• El Gamal (used by GnuPG)

Key Management

• Public-Key encryption can be used to distribute secret keys for conventional encryption

• Public-Key authentication:– signing authority– web of trust

IPv4 and IPv6 Security

• Provides encryption/authentication at the network (IP) layer

• IPSec applications:– Virtual Private Networking– E-commerce

The Scope of IPSec

• Authentication Header (AH)– provides authentication only

• Encapsulation Security Payload (ESP)– provides encryption and authentication

• Key exchange function

Security Association

• One-way relationship between two hosts, providing security services for the payload

• Uniquely identified by:– Security Parameter Index (SPI)– IP destination address– Security Protocol Identifier (AH/ESP)

IPSec Operation Modes

• Transport mode:– provides protection to the upper layers– ESP: encrypts the payload and, optionally,

authenticates parts of the IP header– AH: authenticates the payload and parts of

the IP header

IPSec Operation Modes

• Tunnel mode:– used when one/both of the ends is a security

gateway– the entire IP packet is encrypted (ESP) /

authenticated (AH) and encapsulated in an outer IP packet

Key Management

• Manual– used for small networks– easier to configure

• Automated– more scalable– more difficult to setup– ISAKMP/Oakley