Network Security
ContentsSecurity Requirements and AttacksConfidentiality with Conventional EncryptionMessage Authentication and Hash FunctionsPublic-Key Encryption and Digital SignaturesIPv4 and IPv6 Security
Security RequirementsConfidentialityIntegrityAvailability
Passive AttacksRelease of message content (eavesdropping)Prevented by encryptionTraffic AnalysisFixed by traffic paddingPassive attacks are easier to prevent than to detect
Active AttacksInvolve the modification of the data stream or creation of a false data streamActive Attacks are easier to detect than to prevent
Active Attacks (cont.)MasqueradeReplayModification of messagesDenial of service
Conventional EncryptionPlain textEncryption algorithmDecryption algorithmPlain textTransmitted ciphertextShared secret key
Conventional Encryption RequirementsKnowing the algorithm, the plain text and the ciphered text, it shouldnt be feasible to determine the key.The key sharing must be done in a secure fashion.
Encryption AlgorithmsData Encryption Standard (DES)Plaintext: 64-bit blocksKey: 56 bitsHas been broken in 1998 (brute force)Triple DESAdvanced Encryption Standard (AES)Plaintext: 128-bit blocksKey: 128, 256 or 512 bits
Location of Encryption DevicesPSNPSNPSNPSNPSNPacket Switching NodeEnd-to-end encryption deviceLink encryption device
Key DistributionManualSelected by A, physically delivered to BSelected by C, physically delivered to A and BAutomaticThe new key is sent encrypted with an old keySent through a 3-rd party with which A and B have encrypted links
Message AuthenticationAuthentic message means that: it comes from the alleged sourceit has not been modified
Message Authentication ApproachesAuthentication with conventional encryptionAuthentication without message encryption:when confidentiality is not necessarywhen encryption is unpractical
Message Authentication CodeUses a secret key to generate a small block of dataMACM = F (KAB, M)
One-way Hash FunctionMessage digest a fingerprint of the messageLike MAC, but without the use of a secret keyThe message digest must be authenticated
Secure Hash RequirementsH can be applied to a block of any sizeH produces a fixed-length outputH(x) is easy to computeGiven h, it is infeasible to compute x s.t. H(x) = hGiven x, it is infeasible to find y s.t. H(x) = H(y)It is infeasible to find (x,y) such that H(x) = H(y)
Secure Hash FunctionsMessage Digest v5 (MD5)128-bit message digesthas been found to have collision weaknessSecure Hash Algorithm (SHA-1)160-bit message digest
Public-Key EncryptionEach user has a pair of keys:public keyprivate keyWhat is encrypted with one, can only be decrypted with the other
EncryptionPlain textPlain textTransmitted ciphertextBobs public keyAliceBobBobs private key
AuthenticationPlain textPlain textTransmitted ciphertextAlices public keyAliceBobAlices private key
Digital SignatureLike authentication, only performed on a message authenticator (SHA-1)
Public-Key Encryption AlgorithmsRSA (used by PGP)El Gamal (used by GnuPG)
Key ManagementPublic-Key encryption can be used to distribute secret keys for conventional encryptionPublic-Key authentication:signing authorityweb of trust
IPv4 and IPv6 SecurityProvides encryption/authentication at the network (IP) layerIPSec applications:Virtual Private NetworkingE-commerceOptional for IPv4, mandatory for IPv6
IP Header with IPSec Information
Two Types of IPSec Security Protocols
Advantages of IPSec
How an AH is Generated in IPSec
AH Fields
The ESP Header FormatEncapsulated Security Payload
Tunnel Versus Transport Mode
AH Header Placement in Transport Mode
AH Header Placement in Tunnel Mode
ESP Header Placement in Transport Mode
ESP Header Placement in Tunnel Mode
Security AssociationOne-way relationship between two hosts, providing security services for the payloadUniquely identified by:Security Parameter Index (SPI)IP destination addressSecurity Protocol Identifier (AH/ESP)
SA Security Parameters
IPSec Process Negotiation
Key ManagementManualused for small networkseasier to configureAutomatedmore scalablemore difficult to setupISAKMP/Oakley
IKE Use in an IPSec Environment