Security Basics. 2003-2004 - Information management 2 Groep T Leuven – Information department 2/31...
-
Upload
dana-gibbs -
Category
Documents
-
view
213 -
download
0
Transcript of Security Basics. 2003-2004 - Information management 2 Groep T Leuven – Information department 2/31...
2003-2004 - Information management2Groep T Leuven – Information department2/31
Agenda• Properties of a secure communication • Symmetric encryption• Asymmetric encryption• Public key encryption• Digital Signatures• Encryption in the network• History
2003-2004 - Information management3Groep T Leuven – Information department3/31
Properties of a secure communication
• Authentication (identity)–Who are you?
• Authorization–What can you do ?
• Accounting (active audit)–What did you do ?
• Confidentiality
–What can you see ?
• Integrity
–Nothing has been modified
• Non Repudiation
–The sender cannot deny he has sent it
• Anti Replay
2003-2004 - Information management4Groep T Leuven – Information department4/31
Encryption: Basic Model
DecryptionEncryption
Cleartext
Decrypt KeyEncrypt Key
OriginalCleartextCiphertext
NetworkersNetworkers &^$!@#l:{Q&^$!@#l:{Q NetworkersNetworkers
• Encryption turns cleartext into ciphertext• Encryption key as parameter to algorithm• Decryption restores cleartext from ciphertext• Decryption key as parameter to algorithm
2003-2004 - Information management5Groep T Leuven – Information department5/31
Symmetric Encryption
• Encryption and decryption use same mathematical function
• Encryption and decryption use same key• Example: Data Encryption Standard
DES, 3DES, RC2, RC4, AES
Key
NetworkersNetworkers &^$!@#l:{Q&^$!@#l:{Q NetworkersNetworkersDecryptionEncryption
Key
2003-2004 - Information management6Groep T Leuven – Information department6/31
Challenges with Symmetric Encryption
• Keys must be changed frequentlyto avoid analysis, limit risks
• Shared keys must be generatedand distributed securely
• Multiple techniques to achieve this
2003-2004 - Information management7Groep T Leuven – Information department7/31
• By exchanging numbers in the clear, two entities can determine a new uniquenumber known only to them
• Result is a shared key which can be usedas DES key—repeated as often as required
• Scalable and secure key generation
Diffie-Hellman Key Exchange
AliceXBXA
YA = (aXA) mod p YB= (aXB) mod p
a , p
Z = (YB ) XAmod p Z = (YA )XB mod p
Bob
2003-2004 - Information management8Groep T Leuven – Information department8/31
Symmetric Encryption
• Provides confidentiality, data integrity• Relies on a shared secret (key)• Creates a flat community of trust• A relatively fast and efficient mechanism for
bulk data encryption
2003-2004 - Information management9Groep T Leuven – Information department9/31
Asymmetric Encryption
• Encryptor and decryptor use pair of different keys
• Encryptor and decryptor use different functions
• Example: Public key algorithms (RSA, Diffie-Hellman)
Key
NetworkersNetworkers &^$!@#l:{Q&^$!@#l:{Q NetworkersNetworkersDecryptionEncryption
Key
2003-2004 - Information management10Groep T Leuven – Information department10/31
Asymmetric Encryption
• Provides authentication, confidentiality, data integrity (basis for non-repudiation)
• Relies on individual key pairs• Allows for assurance among strangers• Relatively slow and cpu-intensive
2003-2004 - Information management11Groep T Leuven – Information department11/31
Public Key Encryption
• Public/private keys• Digital signatures• Certificates• Certifying Authority (CA)
2003-2004 - Information management12Groep T Leuven – Information department12/31
Authenticate Recipient
• Alice needs to send Bob an encrypted message– Alice picks up Bob’s public key– Alice encrypts the message with Bob’s public key– Alice sends the encrypted message
• Bob decrypts using his private key
Clear
BobAlice
ClearEncrypted
Bob’s Private KeyBob’s Public Key
DecryptionEncryption
2003-2004 - Information management13Groep T Leuven – Information department13/31
• Bob needs to know that Alice sent a message– Alice picks up her own private key– Alice encrypts the message with her private key– Alice sends the encrypted message
• Bob decrypts using Alice’s public key
Authenticate Sender
Clear
BobAlice
ClearEncrypted
Alice’s Public KeyAlice’s Private Key
DecryptionEncryption
2003-2004 - Information management14Groep T Leuven – Information department14/31
• A digital signature is a message thatis appended to a document
• It can be used to prove the identity of thesender and the integrity of the document
Digital Signature
Signature
InvoicePayment
2003-2004 - Information management15Groep T Leuven – Information department15/31
Digital Signature
• How does Alice sign her message?
Encrypt Hash Using Alice’s Private Key
Hash of Message
Digital Signature = Encrypted Hash of Message
AliceAlice
Message
HashHashFunctionFunction
2003-2004 - Information management16Groep T Leuven – Information department16/31
Digital Signature Verification
• How does Bob verify Alice’s signature ?
Message
If Hashes Are Equal, Signature Is Authentic.
HashHashFunctionFunction
SignatureSignature
Decrypt theReceived Signature
Decrypt Using Alice’s Public Key
Hash of Message
Re-Hash the Received Message
Hash of Message
Message withAppended Signature
SignatureSignature
Message
AliceAlice
2003-2004 - Information management17Groep T Leuven – Information department17/31
• Two common public-key digitalsignature techniques:
• RSA (Rivest, Shamir, Adelman)• DSS (Digital Signature Standard)
• A sender uses his secret key to signsign a document• The receiver of the document uses the sender’s
public key to verifyverify the signature• If the verification is successful, we are
assured of two things:• The document has not been altered• The identity of the author
Digital Signature
2003-2004 - Information management19Groep T Leuven – Information department19/31
• How can Bob be assured that Alice’s public key belongs to the real Alice?
Where Did the Public Key Come From?
“I’m Margaret Thatcher.” “I’m Mickey Mouse.”
Alice Bob
2003-2004 - Information management20Groep T Leuven – Information department20/31
• A signed message that attests to the authenticity of the users public key
• A digital certificate contains:• Serial number of the certificate• Issuer algorithm information (digest/hash, PK
type, PK)• Valid to/from date• User public key information (PK type, PK)• Signature of issuing authority
Digital Certificate
00001230000123SHA,DH, 3837829....SHA,DH, 3837829....1/1/93 to 12/31/981/1/93 to 12/31/98Alice Smith, Acme CorporationAlice Smith, Acme CorporationDH, 3813710...DH, 3813710...Acme Corporation, Security Dept.Acme Corporation, Security Dept.SHA,DH, 2393702347 ...SHA,DH, 2393702347 ...
2003-2004 - Information management21Groep T Leuven – Information department21/31
Certification AuthorityIssuing Certificates
Certification Authority
A’s Public A’s Public NumberNumber
CA’s CA’s SignatureSignature
Ca’s Ca’s Public NumberPublic Number
User A
Public Number
Certificate Certificate
Public Number
User B
B’s Public B’s Public NumberNumber
CA’s CA’s SignatureSignature
Ca’s Ca’s Public NumberPublic Number
Cisco Systems Confidential 96NWK_ekaufman.ppt 21Cisco Systems Confidential
2003-2004 - Information management22Groep T Leuven – Information department22/31
Example of X.509 Hierarchical Authority Structure
CACA
CACA CACA
CC DDAA BB
Cert UK-IntCert UK-Int Cert UK-USCert UK-US Cert US-ICCert US-IC
Cert UK-BCert UK-B Cert US-CCert US-C Cert US-DCert US-DCert UK-ACert UK-A
UKUK
IntInt
USUS
Cert UK-Int Cert US-Int
Cert Int-USCert Int-USCert Int-UKCert Int-UK
Example: Certificates Used by A to Obtain Public Key of C:Example: Certificates Used by A to Obtain Public Key of C:
2003-2004 - Information management23Groep T Leuven – Information department23/31
Policy Objectives
Access Security
Connectivity
Performance
Ease of use
Authenticity
Confidentiality
Integrity
Auditability
2003-2004 - Information management24Groep T Leuven – Information department24/31
Encryption Alternatives
Network-Layer Encryption
Application-Layer Encryption
Link-LayerEncryption
Link-LayerEncryption
ApplicationLayers (5-7)
Transport/NetworkLayers (3-4)
Link/PhysicalLayers (1-2)
2003-2004 - Information management25Groep T Leuven – Information department25/31
Application Encryption
• Encrypts traffic to/from interoperable applications• Specific to application, but network independent• Application dependent
– All users must have interoperable applications• Examples: S/MIME, https, ssh, ssl
2003-2004 - Information management26Groep T Leuven – Information department26/31
• Encrypts traffic between specific networks, subnets,or address/port pairs
• Specific to protocol, but media/interface independent• Does not need to supported by intermediate network devices• Independent of intermediate topology
Network Encryption
HRServer
E-mailServer
A to HR Server—Encrypted
All Other Traffic—Clear
A
B
D
2003-2004 - Information management27Groep T Leuven – Information department27/31
Link Encryption
• Encrypts all traffic on a link, including network-layer headers• Specific to media/interface type, but protocol independent• Topology dependent
– Traffic is encrypted/decrypted on link-by link basis– All alternative paths must be encrypted/decrypted
2003-2004 - Information management28Groep T Leuven – Information department28/31
• 1976 Public key principles established by Diffie and Hellman
• 1978 Public key implementation defined by Rivest, Shamir, Aldeman for digital signatures
• 1985 First product incorporating public keyintroduced by Cylink
• 1985 El Gamal develops public key digital signatureand encryption scheme based on exponentiation
Evolution of Public Key Cryptography
2003-2004 - Information management29Groep T Leuven – Information department29/31
Evolution of Public Key Cryptography (Cont.)
• 1987-89 Public key emerging as standard in Europe
• Endorsed by SWIFT, EFTPOS (1987)ISO/OSI standards in review phase (1988)
• 1987-95 Public key evolving as U.S. standard
• Used in STU-III Secure Telephone (1987)Adopted by Treasury and Justice (1988)Adopted by Internet (1989)NIST standards in review phase (1989)ANSI X9.17 proposal in review (1989)Digital signature standard (DSS) (1994)FIPS-186 DSS (1994)ANSI X0.42 (draft) for Diffie-Hellman (1995)
2003-2004 - Information management30Groep T Leuven – Information department30/31
Public Key Standards
• OSI/IEC 9594-8 Recommendation X.509 (also ITU X.509):the Directory: Authentication Framework
• AS28095.5.3 (Australian Government)—Electronic DataTransfer-Requirements for Interfaces: Part 5.3 Data Encipherment Algorithms (RSA)
• ISO9796: Information Technology, Security Techniques: Digital Signature Scheme Giving Message Recovery
• ANSI X9.31 (Draft): Public Key Cryptography using Reversible Algorithms for the Financial Services Industry: Part 1: the RSA Signature Algorithm
2003-2004 - Information management31Groep T Leuven – Information department31/31
• ANSI X9.30 (Draft): Public Key Cryptography forthe Financial Service Industry: Part 1: The DigitalSignature Algorithm
• X9.42 (Draft): Diffie-Hellman Public Key Exchange• Federal Information Processing Standard FIPS-186:
Digital Signature Standard• Federal Information Processing Standard FIPS-186:
Digital Signature Standard • Others:
– ETEBAC5, (France)ISO draft standard CD 11166IEEE draft 802.11 Secure Interoperability Standard for LANs
Public Key Standards (Cont.)