Slide 1: Chapter 7: Network security
Foundations:
- what is security?
- cryptography
- authentication
- message integrity
- key distribution and certification
Security in practice:
- application layer: secure e-mail
- transport layer: Internet commerce, SSL, SET
- network layer: IP security

Slide 2: Friends and enemies: Alice, Bob, Trudy
- well-known in network security world
- Bob, Alice (lovers!) want to communicate "securely"
- Trudy, the "intruder", may intercept, delete, add messages
Figure 7.1 goes here

Slide 3: What is network security?
Secrecy: only sender, intended receiver should "understand" msg contents
  - sender encrypts msg
  - receiver decrypts msg
Authentication: sender, receiver want to confirm identity of each other
Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection

Slide 4: Internet security threats
Packet sniffing:
  - broadcast media
  - promiscuous NIC reads all packets passing by
  - can read all unencrypted data (e.g. passwords)
  - e.g.: C sniffs B's packets
(figure: hosts A, B, C on a shared link; packet src:B dest:A payload)

Slide 5: Internet security threats
IP Spoofing:
  - can generate "raw" IP packets directly from application, putting any value into IP source address field
  - receiver can't tell if source is spoofed
  - e.g.: C pretends to be B
(figure: hosts A, B, C; packet src:B dest:A payload, sent by C)

Slide 6: Internet security threats
Denial of service (DOS):
  - flood of maliciously generated packets "swamp" receiver
  - Distributed DOS (DDOS): multiple coordinated sources swamp receiver
  - e.g., C and remote host SYN-attack A
(figure: hosts A, B, C; stream of SYN packets directed at A)

Slide 7: The language of cryptography
symmetric key crypto: sender, receiver keys identical
public-key crypto: encryption key public, decryption key secret
Figure 7.3 goes here (plaintext -> ciphertext -> plaintext, keys K_A and K_B)

Slide 8: Symmetric key cryptography
substitution cipher: substituting one thing for another
  - monoalphabetic cipher: substitute one letter for another
plaintext:  abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq
E.g.: plaintext:  bob. i love you. alice
      ciphertext: nkn. s gktc wky. mgsbc
Q: How hard to break this simple cipher? brute force (how hard?) other?

Slide 9: Symmetric key crypto: DES
DES: Data Encryption Standard
- US encryption standard [NIST 1993]
- 56-bit symmetric key, 64-bit plaintext input
- How secure is DES?
  - DES Challenge: 56-bit-key-encrypted phrase ("Strong cryptography makes the world a safer place") decrypted (brute force) in 4 months
  - no known "backdoor" decryption approach
- making DES more secure
  - use three keys sequentially (3-DES) on each datum
  - use cipher-block chaining

Slide 10: Symmetric key crypto: DES
DES operation:
- initial permutation
- 16 identical "rounds" of function application, each using a different 48 bits of the key
- final permutation

Slide 11: Public Key Cryptography
symmetric key crypto
- requires sender, receiver know shared secret key
- Q: how to agree on key in first place (particularly if never "met")?
public key cryptography
- radically different approach [Diffie-Hellman76, RSA78]
- sender, receiver do not share secret key
- encryption key public (known to all)
- decryption key private (known only to receiver)

Slide 12: Public key cryptography
Figure 7.7 goes here

Slide 13: Public key encryption algorithms
Two inter-related requirements:
1. need d_B( ) and e_B( ) such that d_B(e_B(m)) = m
2. need public and private keys for d_B( ) and e_B( )
RSA: Rivest, Shamir, Adleman algorithm

Slide 14: RSA: Choosing keys
1. Choose two large prime numbers p, q. (e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e < n) that has no common factors with z. (e, z are "relatively prime").
4. Choose d such that ed - 1 is exactly divisible by z. (in other words: ed mod z = 1).
5. Public key is (n,e). Private key is (n,d).

Slide 15: RSA: Encryption, decryption
0. Given (n,e) and (n,d) as computed above
1. To encrypt bit pattern, m, compute c = m^e mod n (i.e., remainder when m^e is divided by n)
2. To decrypt received bit pattern, c, compute m = c^d mod n (i.e., remainder when c^d is divided by n)
Magic happens! m = (m^e mod n)^d mod n

Slide 16: RSA example:
Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime). d=29 (so ed-1 exactly divisible by z).
encrypt: letter l, m = 12, m^e = 248832, c = m^e mod n = 17
decrypt: c = 17, c^d = 481968572106750915091411825223072000, m = c^d mod n = 12, letter l

Slide 17: RSA: Why: m = (m^e mod n)^d mod n
Number theory result: If p, q prime, n = pq, then x^y mod n = x^(y mod (p-1)(q-1)) mod n
(m^e mod n)^d mod n = m^(ed) mod n
  = m^(ed mod (p-1)(q-1)) mod n   (using number theory result above)
  = m^1 mod n   (since we chose ed to be divisible by (p-1)(q-1) with remainder 1)
  = m

Slide 18: Authentication
Goal: Bob wants Alice to "prove" her identity to him
Protocol ap1.0: Alice says "I am Alice"
Failure scenario?

Slide 19: Authentication: a
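The monoalphabetic substitution cipher on the "Symmetric key cryptography" slide, as an added worked example (this code is not from the slide deck; it only reuses the slide's key and sample sentence). It implements encryption and decryption with the slide's key, computes the brute-force keyspace behind the question "how hard?", and counts ciphertext letter frequencies, which is the "other?" approach the slide alludes to: a permutation of the alphabet preserves letter frequencies, so the cipher is weak regardless of the keyspace size.

```python
from collections import Counter
from math import factorial
from string import ascii_lowercase

# Added example (not from the slide deck): the monoalphabetic substitution
# cipher from the slide, with the slide's own key and sample sentence.
PLAIN_ALPHABET = ascii_lowercase
CIPHER_ALPHABET = "mnbvcxzasdfghjklpoiuytrewq"   # key as printed on the slide


def is_valid_key(cipher_alphabet: str) -> bool:
    """A monoalphabetic key must be a permutation of the 26 lowercase letters."""
    return sorted(cipher_alphabet) == list(PLAIN_ALPHABET)


def encrypt(plaintext: str, key: str = CIPHER_ALPHABET) -> str:
    """Map each lowercase letter through the key; other characters pass unchanged."""
    if not is_valid_key(key):
        raise ValueError("key must be a permutation of a-z")
    return plaintext.translate(str.maketrans(PLAIN_ALPHABET, key))


def decrypt(ciphertext: str, key: str = CIPHER_ALPHABET) -> str:
    """Inverse mapping: the same table with the two alphabets swapped."""
    if not is_valid_key(key):
        raise ValueError("key must be a permutation of a-z")
    return ciphertext.translate(str.maketrans(key, PLAIN_ALPHABET))


def brute_force_keyspace() -> int:
    """Number of keys a brute-force search would face: 26! permutations."""
    return factorial(26)


def letter_frequencies(text: str) -> list:
    """Ciphertext letter counts, most common first. Because the substitution
    is one-to-one, the most common ciphertext letter stands for the most
    common plaintext letter, which is what makes the cipher breakable
    without trying all 26! keys."""
    return Counter(ch for ch in text if ch in PLAIN_ALPHABET).most_common()


if __name__ == "__main__":
    message = "bob. i love you. alice"          # the slide's sample plaintext
    ciphertext = encrypt(message)
    print(ciphertext)                           # nkn. s gktc wky. mgsbc
    print(decrypt(ciphertext))                  # bob. i love you. alice
    print(brute_force_keyspace())               # 403291461126605635584000000
    print(letter_frequencies(ciphertext))       # [('k', 3), ...]
```

In the slide's sample, the most frequent ciphertext letter is "k" (three occurrences), and "k" decrypts to "o", the most frequent letter of the plaintext; that correspondence survives any choice of key.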
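The RSA recipe from the "Choosing keys", "Encryption, decryption", "RSA example" and "RSA: Why" slides, carried through in code as an added example (this is not code from the slide deck). It derives d from e and z with the extended Euclidean algorithm, reproduces the slide's table for p=5, q=7, e=5, d=29 and the letter "l" (m=12, c=17), and checks the "Why" slide exhaustively over every message in [0, n) for that toy modulus. The a=1, ..., z=26 letter encoding is the slide's; the function names are this example's own.

```python
from math import gcd

# Added example (not from the slide deck): the RSA steps from the slides,
# run on the slide's toy parameters p=5, q=7, e=5, d=29. Numbers this small
# only illustrate the arithmetic; the slide itself calls for primes of
# about 1024 bits each.


def modular_inverse(a: int, m: int) -> int:
    """Smallest d >= 1 with a*d mod m == 1, via the extended Euclidean
    algorithm. Raises if gcd(a, m) != 1, i.e. no inverse exists."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r != 0:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
    if old_r != 1:
        raise ValueError("no modular inverse: gcd(a, m) != 1")
    return old_s % m


def rsa_keygen(p: int, q: int, e: int):
    """Steps 2-5 of the 'Choosing keys' slide. Returns ((n, e), (n, d)) with
    the smallest valid d; any d + k*z also satisfies step 4, which is why
    the slide can use d = 29 where the smallest inverse of 5 mod 24 is 5."""
    n = p * q
    z = (p - 1) * (q - 1)
    if not 1 < e < n or gcd(e, z) != 1:
        raise ValueError("e must satisfy 1 < e < n and be relatively prime to z")
    d = modular_inverse(e, z)
    return (n, e), (n, d)


def is_valid_private_exponent(e: int, d: int, z: int) -> bool:
    """Step 4 check: e*d - 1 must be exactly divisible by z."""
    return (e * d - 1) % z == 0


def rsa_encrypt(public_key, m: int) -> int:
    """c = m^e mod n. Three-argument pow() does the modular exponentiation
    without ever materialising m^e."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    """m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)


def decrypts_every_message(p: int, q: int, e: int, d: int) -> bool:
    """Exhaustive check of the 'RSA: Why' slide for a toy modulus:
    (m^e mod n)^d mod n == m for every m in [0, n)."""
    n = p * q
    return all(rsa_decrypt((n, d), rsa_encrypt((n, e), m)) == m for m in range(n))


def slide_example():
    """Reproduce the slide's table: letter 'l' -> m = 12 -> c = 17 -> m = 12."""
    public_key, _ = rsa_keygen(5, 7, 5)          # (35, 5)
    private_key = (35, 29)                       # the slide's choice of d
    if not is_valid_private_exponent(5, 29, 24):
        raise AssertionError("slide's d does not satisfy ed mod z = 1")
    m = ord("l") - ord("a") + 1                  # a=1, ..., l=12 as on the slide
    c = rsa_encrypt(public_key, m)
    recovered = rsa_decrypt(private_key, c)
    return public_key, private_key, m, c, chr(recovered - 1 + ord("a"))


if __name__ == "__main__":
    print(slide_example())                       # ((35, 5), (35, 29), 12, 17, 'l')
    print(decrypts_every_message(5, 7, 5, 29))   # True
```

Two points the slides leave implicit. The number-theory result quoted on the "Why" slide is Euler's theorem and, as stated, needs gcd(x, n) = 1; RSA decryption nonetheless recovers every m in [0, n), because the argument goes through separately mod p and mod q, which is what the exhaustive check confirms for n = 35. And pow(17, 29) gives the exact c^d; the 36-digit value displayed on the slide is rounded in its last digits (an odd number cannot end in 000), which does not affect c^d mod n.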