Chapter 8

Network Security

Cryptographyyp g p y

• Introduction to Cryptography• Substitution Ciphers• Substitution Ciphers• Transposition Ciphers• One-Time Pads• Two Fundamental Cryptographic Principles• Two Fundamental Cryptographic Principles

Need for Securityy

Some people who cause security problems and whySome people who cause security problems and why.

An Introduction to Cryptographyyp g p y

The encryption model (for a symmetric-key cipher)The encryption model (for a symmetric key cipher).

Transposition Ciphersp p

A transposition cipherA transposition cipher.

One-Time Pads

The use of a one time pad for encryption and theThe use of a one-time pad for encryption and the possibility of getting any possible plaintext from

the ciphertext by the use of some other pad.p y p

Quantum CryptographyQ yp g p y

An example of quantum cryptography.

Symmetric-Key Algorithmsy y g

• DES – The Data Encryption StandardAES Th Ad d E ti St d d• AES – The Advanced Encryption Standard

• Cipher Modesp• Other Ciphers

C l i• Cryptanalysis

Product Ciphersp

Basic elements of product ciphers (a) P-box (b) S-box (c) ProductBasic elements of product ciphers. (a) P box. (b) S box. (c) Product.

Data Encryption Standardyp

The data encryption standard (a) General outlineThe data encryption standard. (a) General outline.(b) Detail of one iteration. The circled + means exclusive OR.

Triple DESp

(a) Triple encryption using DES (b) Decryption(a) Triple encryption using DES. (b) Decryption.

AES – The Advanced Encryption Standardyp

Rules for AES proposalsRules for AES proposals1. The algorithm must be a symmetric block cipher.2. The full design must be public.3. Key lengths of 128, 192, and 256 bits supported.y g , , pp4. Both software and hardware implementations required5 The algorithm must be public or licensed on5. The algorithm must be public or licensed on

nondiscriminatory terms.

Electronic Code Book Mode

The plaintext of a file encrypted as 16 DES blocksThe plaintext of a file encrypted as 16 DES blocks.

Cipher Block Chaining Modep g

Cipher block chaining (a) Encryption (b) DecryptionCipher block chaining. (a) Encryption. (b) Decryption.

Cipher Feedback Modep

(a) Encryption (c) Decryption(a) Encryption. (c) Decryption.

Stream Cipher Modep

A stream cipher (a) Encryption (b) DecryptionA stream cipher. (a) Encryption. (b) Decryption.

Counter Mode

Encryption using counter mode (IV: Initial Vector)Encryption using counter mode. (IV: Initial Vector)

Cryptanalysisyp y

Some common symmetric-key cryptographic algorithmsSome common symmetric key cryptographic algorithms.

Public-Key Algorithmsy g

• RSA• choose two primes, p and q

( 1)( 1)• n=pq, z=(p-1)(q-1)• gcd(z d)=1• gcd(z,d)=1• Find e ed=1 mod zFind e, ed 1 mod z• Public key (e, n), private key (d,n)y ( , ), p y ( , )

RSA: p=3, q=11, n=33, z=20, d=7, e=3;public key (3 33); private key (7 33)public key (3,33); private key (7, 33)

An example of the RSA algorithmAn example of the RSA algorithm.

Digital Signaturesg g

• Symmetric-Key Signaturesbli Si• Public-Key Signatures

• Message Digests• Message Digests• The Birthday Attacky

Symmetric-Key Signaturesy y g

Digital signatures with Big BrotherDigital signatures with Big Brother.

Public-Key Signaturesy g

Digital signatures using public-key cryptographyDigital signatures using public key cryptography.

Message Digestsg g

Digital signatures using message digestsDigital signatures using message digests.

SHA-1

Use of SHA-1 and RSA for signing nonsecret messagesUse of SHA 1 and RSA for signing nonsecret messages.

Management of Public Keysg y

• Certificates• X.509

P bli K I f t t• Public Key Infrastructures

Problems with Public-Key Encryptiony yp

A way for Trudy to subvert public-key encryptionA way for Trudy to subvert public key encryption.

Certificates

A possible certificate and its signed hashA possible certificate and its signed hash.

X.509

The basic fields of an X 509 certificateThe basic fields of an X.509 certificate.

Public-Key Infrastructuresy

(a) A hierarchical PKI (b) A chain of certificates(a) A hierarchical PKI. (b) A chain of certificates.

Communication Securityy

• IPsec• Firewalls• Virtual Private Networks• Virtual Private Networks• Wireless Securityy

IPsec

The IPsec authentication header in transport mode for IPv4The IPsec authentication header in transport mode for IPv4.

IPsec (2)( )

(a) ESP in transport mode (b) ESP in tunnel mode(a) ESP in transport mode. (b) ESP in tunnel mode.

Firewalls

A firewall consisting of two packet filters and an application gatewayA firewall consisting of two packet filters and an application gateway.

Virtual Private Networks

(a) A leased-line private network (b) A virtual private network(a) A leased line private network. (b) A virtual private network.

802.11 Securityy

Packet encryption using WEPPacket encryption using WEP.

Authentication Protocols

A h i i B d Sh d S K• Authentication Based on a Shared Secret Key• Establishing a Shared Key: Diffie-Hellmans b s g S ed ey: e e• Authentication Using a Key Distribution Center• Authentication Using Kerberos• Authentication Using Public-Key CryptographyAuthentication Using Public Key Cryptography

Authentication Based on a Shared Secret Key

Two-way authentication using a challenge-response protocol.

Authentication Based on a Shared Secret Key (2)

A shortened two-way authentication protocolA shortened two way authentication protocol.

Authentication Based on a Shared Secret Key (3)

The reflection attackThe reflection attack.

Authentication Based on a Shared Secret Key (4)

A fl i k h l f i 8 32A reflection attack on the protocol of Fig. 8-32.

Authentication Based on a Shared Secret Key (5)

Authentication using HMACsAuthentication using HMACs.

Establishing a Shared Key:The Diffie-Hellman Key Exchange

The Diffie-Hellman key exchangeThe Diffie Hellman key exchange.

Establishing a Shared Key:The Diffie-Hellman Key Exchange

The bucket brigade or man-in-the-middle attackThe bucket brigade or man in the middle attack.

Authentication Using a Key Distribution Center

A first attempt at an authentication protocol using a KDCA first attempt at an authentication protocol using a KDC.

Authentication Using a Key Distribution Center (2)

The Needham-Schroeder authentication protocolThe Needham Schroeder authentication protocol.

Authentication Using a Key Distribution Center (3)

The Otway-Rees authentication protocol (slightly simplified)The Otway Rees authentication protocol (slightly simplified).

Authentication Using Kerberosg

The operation of Kerberos V4The operation of Kerberos V4.

Authentication Using Public-Key Cryptography

Mutual authentication using public-key cryptographyMutual authentication using public key cryptography.

E-Mail Securityy

• PGP – Pretty Good PrivacyPEM P i E h d M il• PEM – Privacy Enhanced Mail

• S/MIMES/MIME

PGP – Pretty Good Privacyy y

PGP in operation for sending a messagePGP in operation for sending a message.

PGP – Pretty Good Privacy (2)y y ( )

A PGP messageA PGP message.

Web Securityy

• ThreatsS i• Secure Naming

• SSL – The Secure Sockets Layer• SSL – The Secure Sockets Layer• Mobile Code Securityy

Secure Namingg

(a) Normal situation (b) An attack based on breaking(a) Normal situation. (b) An attack based on breaking into DNS and modifying Bob's record.

Secure Naming (2)g ( )

How Trudy spoofs Alice's ISPHow Trudy spoofs Alice s ISP.

Secure DNS

An example RRSet for bob.com. The KEY record is Bob's public key. The SIG record is the top-level com server's signed has of the A and KEY records to verify their authenticityhas of the A and KEY records to verify their authenticity.

Self-Certifying Namesy g

A self-certifying URL containing a hash of server's name and public key.

SSL—The Secure Sockets Layery

Layers (and protocols) for a home user browsing with SSLLayers (and protocols) for a home user browsing with SSL.

SSL (2)( )

A simplified version of the SSL connection establishment subprotocolA simplified version of the SSL connection establishment subprotocol.

SSL (3)( )

Data transmission using SSL.

Java Applet Securitypp y

Applets inserted into a Java Virtual MachineApplets inserted into a Java Virtual Machine interpreter inside the browser.

Social Issues

• Privacy• Freedom of Speech• Freedom of Speech• Copyrightpy g

Anonymous Remailersy

Users who wish anonymity chain requests throughUsers who wish anonymity chain requests through multiple anonymous remailers.

Freedom of Speechp

Possibly banned material:1. Material inappropriate for children or teenagers.pp p g2. Hate aimed at various ethnic, religious, sexual, or other

groups.groups.3. Information about democracy and democratic values.4 A t f hi t i l t t di ti th4. Accounts of historical events contradicting the

government's version.5. Manuals for picking locks, building weapons, encrypting

messages, etc.

Steganographyg g p y

(a) Three zebras and a tree (b) Three zebras a tree and the(a) Three zebras and a tree. (b) Three zebras, a tree, and the complete text of five plays by William Shakespeare.