Lecture 23 (Network Security) Outline

„ Network Security
z Basic requirements.
z Meeting these requirements:
Privacy.
Digital Signature.
z Specific security standards in practice:
Privacy standards: DES, RSA.
Standard at application layer: PGP.
Standard at transport layer: SSL.

CSC4430 – Data Communication and Computer Networks 1

 23.1. Internet Security Threats

Alice Bob
data, control
channel
messages

data secure secure data

sender receiver

Trudy

„ Friends: Bob, Alice want to communicate “securely”.

„ Enemies: Trudy, the “intruder” may intercept, add,
delete or modify messages.

CSC4430 – Data Communication and Computer Networks 2

 23.1. Internet Security Threats

Q: What can a “bad guy” do?

A: a lot!
z eavesdrop: intercept messages.
z actively insert messages into connection.
z impersonation: can fake (spoof) source address in
packet (or any field in packet).
z denial of service: prevent service from being used
by others (e.g., by overloading resources).
z hijacking: “take over” ongoing connection by
removing sender or receiver, inserting himself in
place.

CSC4430 – Data Communication and Computer Networks 3

 23.1. Internet Security Threats

„ Eavesdrop = Packet sniffing:

z Common for broadcast media.
z Promiscuous NIC/adapter can read unencrypted
data from all passing by packets.
e.g. C sniffs B’s packets containing password.

CSC4430 – Data Communication and Computer Networks 4

 23.1. Internet Security Threats

„ Impersonation = IP spoofing:
z An intruder can generate “raw” IP packets directly
from application and put any value into IP source
address field.
z Receiver can not tell if source is spoofed.
e.g. C pretends to be B.

A C

src:B dest:A payload

CSC4430 – Data Communication and Computer Networks 5

 23.1. Internet Security Threats

„ Denial of service (DOS) attack:

z An intruder generates a flood of maliciously
packets to “swamp” receiver.
z Distributed DOS (DDOS): multiple coordinated
sources swamp a receiver.
e.g. C and remote host SYN-attack A.
A C
SYN
SYN
SYN SYN SYN

B
SYN
SYN
CSC4430 – Data Communication and Computer Networks 6
 23.2. Network Security Requirements

„ Network security aims to provide secure

communications.
„ Four aspects of network security:

z Privacy or Secrecy:
Sender and receiver expect confidentiality.
Only sender, intended receiver should “understand”
message contents.
CSC4430 – Data Communication and Computer Networks 7
 23.2. Network Security Requirements

z Authentication:
Sender and receiver want to confirm identity of each
other.
z Message Integrity:
Sender and receiver want to ensure message not altered
(in transit, or afterwards) without detection.
e.g. it would be disastrous if a request for transferring
$100 changes to a request for 10,000 or $100,000.
z Non-Repudiation:
Receiver must be able to prove that a received message
came from a specific sender.
The sender must not be able to deny sending a message.
e.g. bank must have proof that the customer actually
requested this transaction.
CSC4430 – Data Communication and Computer Networks 8
 23.3. Privacy

„ Privacy uses cryptography:

z Sender encrypts the message.
z Receiver decrypts the message.

CSC4430 – Data Communication and Computer Networks 9

 23.3.1. Traditional Cryptography

„ Ciphers were already studied in ancient times

„ Caesar’s cipher:
z replace a with d
z replace b with e
z ...
z replace z with c
„ Caesar’s cipher is an example of a monoalphabetic
substitution cipher, which permutes the characters.
„ Armed with simple statistical knowledge, one can
easily break a Caesar cipher.
z most frequent letters in English: e, t, o, a, n, i, ...
z most frequent digrams: th, in, er, re, an, ...
z most frequent trigrams: the, ing, and, ion, ...
CSC4430 – Data Communication and Computer Networks 10
 23.3.1. Traditional Cryptography

„ The first description of the frequency analysis attack

appears in a book written in the 9th century by the
Arab philosopher al-Kindi.
„ Example (S. Singh, The Code Book, 1999):
PCQ VMJYPD LBYK LYSO KBXBJXWXV BXV ZCJPO EYPD
KBXBJYUXJ LBJOO KCPK. CP LBO LBCMKXPV XPV IYJKL
PYDBL, QBOP KBO BXV OPVOV LBO LXRO CI SX'XJMI,
KBO JCKO XPV EYKKOV LBO DJCMPV ZOICJO BYS,
KXUYPD: “DJOXL EYPD, ICJ X LBCMKXPV XPV CPO
PYDBLK Y BXNO ZOOP JOACMPLYPD LC UCM LBO
IXZROK CI FXKL XDOK XPV LBO RODOPVK CI XPAYOPL
EYPDK. SXU Y SXEO KC ZCRV XK LC AJXNO X IXNCMJ CI
UCMJ SXGOKLU?”
OFYRCDMO, LXROK IJCS LBO LBCMKXPV XPV CPO
PYDBLK
CSC4430 – Data Communication and Computer Networks 11
 23.3.1. Traditional Cryptography

„ We identify the most common characters, digrams and trigrams

in the ciphertext
„ Example
PCQ VMJYPD LBYK LYSO KBXBJXWXV BXV ZCJPO EYPD
KBXBJYUXJ LBJOO KCPK. CP LBO LBCMKXPV XPV IYJKL
PYDBL, QBOP KBO BXV OPVOV LBO LXRO CI SX'XJMI,
KBO JCKO XPV EYKKOV LBO DJCMPV ZOICJO BYS,
KXUYPD: “DJOXL EYPD, ICJ X LBCMKXPV XPV CPO
PYDBLK Y BXNO ZOOP JOACMPLYPD LC UCM LBO
IXZROK CI FXKL XDOK XPV LBO RODOPVK CI XPAYOPL
EYPDK. SXU Y SXEO KC ZCRV XK LC AJXNO X IXNCMJ CI
UCMJ SXGOKLU?”
OFYRCDMO, LXROK IJCS LBO LBCMKXPV XPV CPO
PYDBLK
„ First guess:
z LBO is THE

CSC4430 – Data Communication and Computer Networks 12

 23.3.1. Traditional Cryptography

„ Assuming LBO represents THE, we replace L with T, B with H,

and O with E and get

PCQ VMJYPD THYK TYSE KHXHJXWXV HXV ZCJPE EYPD

KHXHJYUXJ THJEE KCPK. CP THE THCMKXPV XPV IYJKT
PYDHT, QHEP KHO HXV EPVEV THE LXRE CI SX'XJMI, KHE
JCKE XPV EYKKEV THE DJCMPV ZEICJE HYS, KXUYPD:
“DJEXT EYPD, ICJ X THCMKXPV XPV CPE PYDHTK Y HXNE
ZEEP JEACMPTYPD TC UCM THE IXZREK CI FXKT XDEK
XPV THE REDEPVK CI XPAYEPT EYPDK. SXU Y SXEE KC
ZCRV XK TC AJXNE X IXNCMJ CI UCMJ SXGEKTU?”
EFYRCDME, TXREK IJCS THE THCMKXPV XPV CPE
PYDBTK

CSC4430 – Data Communication and Computer Networks 13

 23.3.1. Traditional Cryptography

„ Code:
X Z A V O I D B Y G E R S P C F H J K L M N Q T U W
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
„ Ciphertext:
PCQ VMJYPD LBYK LYSO KBXBJXWXV BXV ZCJPO EYPD KBXBJYUXJ
LBJOO KCPK. CP LBO LBCMKXPV XPV IYJKL PYDBL, QBOP KBO BXV
OPVOV LBO LXRO CI SX'XJMI, KBO JCKO XPV EYKKOV LBO DJCMPV
ZOICJO BYS, KXUYPD: “DJOXL EYPD, ICJ X LBCMKXPV XPV CPO PYDBLK
Y BXNO ZOOP JOACMPLYPD LC UCM LBO IXZROK CI FXKL XDOK XPV
LBO RODOPVK CI XPAYOPL EYPDK. SXU Y SXEO KC ZCRV XK LC AJXNO
X IXNCMJ CI UCMJ SXGOKLU?”
OFYRCDMO, LXROK IJCS LBO LBCMKXPV XPV CPO PYDBLK
„ Plaintext:
Now during this time Shahrazad had borne King Shahriyar three sons. On the
thousand and first night, when she had ended the tale of Ma'aruf, she rose and
kissed the ground before him, saying: “Great King, for a thousand and one
nights I have been recounting to you the fables of past ages and the legends of
ancient kings. May I make so bold as to crave a favour of your majesty?”
Epilogue, Tales from the Thousand and One Nights

CSC4430 – Data Communication and Computer Networks 14

 23.3.2. Modern Cryptography

„ Two categories of modern cryptography:

z Secret key or Symmetric key crypto:
Sender and receiver use the same key.
The decryption algorithm is the inverse of the
encryption algorithm.

CSC4430 – Data Communication and Computer Networks 15

 23.3.2. Modern Cryptography

z Secret key or Symmetric key crypto (continued):

Commonly used to encrypt and decrypt long
messages.
Advantage:
Efficient – takes less time to encrypt message than
using public key crypto due to the smaller key.
Disadvantages:
Each pair of users must have a secret key. So, for N
users to communicate, we need N(N-1)/2 keys.
Difficult to distribute the key between two parties.
Most common method:
DES (Data Encryption Standard).

CSC4430 – Data Communication and Computer Networks 16

 23.3.2. Modern Cryptography

z Public-key crypto:
Sender and receiver uses different keys.
Each user has two keys:
A private key is kept by the user.
A public key is announced to the public.

CSC4430 – Data Communication and Computer Networks 17

 23.3.2. Modern Cryptography

z Public-key crypto (continued):

Example:

All customers use the public key of the bank to encrypt the
message.
The bank uses its private key to decrypt the message.

CSC4430 – Data Communication and Computer Networks 18

 23.3.2. Modern Cryptography

z Public-key crypto (continued):

More efficient for short messages.
Advantages:
Remove the problem in sharing the keys.
The number of keys needed is reduced
tremendously.
Disadvantage:
Complexity of the algorithm.
Most common method:
RSA (Rivest, Shamir, Adleman).

CSC4430 – Data Communication and Computer Networks 19

 23.3.2. Modern Cryptography

„ Privacy using the combination:

z Combine the advantage of the secret key method
(efficiency) with the advantage of the public key
method (easy distribution of keys).

CSC4430 – Data Communication and Computer Networks 20

 23.3.2. Modern Cryptography

„ Privacy using the combination (continued):

z Public key is used to encrypt the secret key.
z The secret key is used to encrypt the message.
z Procedure:
Sender chooses a secret key – called one-session key.
Sender uses the public key of the receiver to encrypt the
secret key and sends the encrypted secret key to the
receiver.
Receiver uses the private key to decrypt the secret key.
The sender uses the secret key to encrypt the actual
message.

CSC4430 – Data Communication and Computer Networks 21

 23.4. Digital Signature

„ Electronic equivalent of written signature.

„ Two choices:
z Signing the entire document.
z Signing the digest (condensed version) of the
document.

CSC4430 – Data Communication and Computer Networks 22

 23.4.1. Signing the Whole Document

„ Can use public key encryption, but use

different roles:
z Sender uses her private key to encrypt (sign).
z Receiver uses the public key of the sender to
decrypt the message.

CSC4430 – Data Communication and Computer Networks 23

 23.4.2. Signing the Digest

„ Also use public key encryption, but on the

digest (shorter version) of the document.
„ Use a hash function to create the digest.

CSC4430 – Data Communication and Computer Networks 24

 23.4.2. Signing the Digest

z Properties of a hash function:

Hashing is one-way. It can only create the digest from
the message and not vice versa.
Produces a fixed-size digest.
Hashing is one-to-one function. There is little probability
that two messages will create the same digest.
Any small change in the document (even a space) will give
a different hashed value.
z Two most common hash function:
MD5 (Message Digest 5): produces 120-bit digest.
SHA-1 (Secure Hash Algorithm 1): produces 160-
bit digest.
SHA-1 is a US standard.

CSC4430 – Data Communication and Computer Networks 25

 23.4.2. Signing the Digest

„ Sender site:

z Create the digest.

z Sign the digest using private key.
z Send the digest with original message.
CSC4430 – Data Communication and Computer Networks 26
 23.4.2. Signing the Digest

„ Receiver site:

z Decrypt the digest.

z Compare the digest with its own digest.
CSC4430 – Data Communication and Computer Networks 27
 23.4. Digital Signature

„ Both use public key encryption.

„ Digital signature provides:
z Integrity:
If an intruder intercepts the message and partially
changes it, the decrypted message will be unreadable.
z Authentication:
If C pretends to be B (the sender), then C will use her
private key to encrypt.
If the receiver uses the public key of B to decrypt the
message, it will be unreadable.
z Non-repudiation:
If the receiver can decrypt the message using B public
key, then B must be the sender.
CSC4430 – Data Communication and Computer Networks 28
 23.4. Digital Signature

„ Non-repudiation relies on ensuring that the public key

actually belongs to B (the right sender).
„ Thus, we need a Certification Authority (CA).

CSC4430 – Data Communication and Computer Networks 29

 23.4. Digital Signature

„ Certification authority (CA):

z binds public key to particular entity, E.
„ E (person, router) registers its public key with CA.
z E provides “proof of identity” to CA.
z CA creates a certificate binding E to its public key.
z The certificate is digitally signed by CA – CA says “this is E’s
public key”.

Bob’s digital
+
public +
signature KB
key KB (encrypt)
CA
certificate for
K-
Bob’s private
identifying key CA Bob’s public key,
information signed by CA

CSC4430 – Data Communication and Computer Networks 30

 23.4. Digital Signature

„ Serial number (unique to issuer)

„ info about certificate owner, including algorithm and
key value itself (not shown)
„ info about
certificate
issuer
„ valid dates

„ digital
signature by
issuer

CSC4430 – Data Communication and Computer Networks 31

 23.4. Digital Signature

„ When Alice wants Bob’s public key:

z gets Bob’s certificate (Bob or elsewhere).
z apply CA’s public key to Bob’s certificate, get
Bob’s public key.

+ digital Bob’s
KB signature public
+
(decrypt) KB key

CA
public +
K CA
key

CSC4430 – Data Communication and Computer Networks 32

 23.5. DES

„ DES (Data Encryption Standard):

z Originally developed in IBM, now an ANSI
standard.
z Encrypts 64-bit plaintext using 56-bit symmetric
key.
z How secure is DES?
Using brute force, it requires 4 months to decrypt
56-bit-key-encrypted phrase.
No known “backdoor” decryption approach.
„ Triple DES:
z Improves security by using DES three times with
different keys.
CSC4430 – Data Communication and Computer Networks 33
 23.5. DES

„ DES uses bit-level encryption technique:

z Divide data (text, graphics, audio or video) into
blocks of bits.
z Alter the bits by using permutation, exclusive OR,
rotation, etc.
„ Permutation:
z Changing the position of the bits.

CSC4430 – Data Communication and Computer Networks 34

 23.5. DES

„ Exclusive OR:

„ Rotation:

CSC4430 – Data Communication and Computer Networks 35

 23.5. DES

„ Schematic diagram of DES:

z First step and last two steps are relatively simple.

z Step 2-17 use the same procedure but different
key, derived from the original key.

CSC4430 – Data Communication and Computer Networks 36

 23.5. DES

„ DES subkey generation: „ One of the 16 complex steps:

CSC4430 – Data Communication and Computer Networks 37

 23.6. RSA

„ RSA (Rivest, Shamir, Adleman):

z Is an algorithm for public-key encryption.

z In this method:
Sender uses a public key of receiver Kp.
Receiver uses its secret (private) key Ks.
Both use a number N.
z It is reciprocal, i.e.
Kp(Ks(P)) = P or Ks(Kp(P)) = P.
CSC4430 – Data Communication and Computer Networks 38
 23.6. RSA

„ Encryption algorithm:
z Encode the data as a number to create the
plaintext P.
z Calculate the ciphertext C as C = PKp modulo N.
z Send C as the ciphertext.
„ Decryption algorithm:
z Receive C, the ciphertext.
z Calculate the plaintext P = CKc modulo N.
z Decode P to the original data.

CSC4430 – Data Communication and Computer Networks 39

 23.6. RSA

„ Example: Kp = 5, Ks = 77, N = 119.

CSC4430 – Data Communication and Computer Networks 40

 23.6. RSA

„ Choosing Kp, Ks and N.

1. Pick a pair of prime number p and q.
2. Calculate N = p × q.
3. Calculate m = (p-1) × (q-1).
4. Select Kp that is not a factor of m.
5. Select Ks such that (Kp × Ks) mod m = 1.

1. p = 7, q = 17
2. N = 7 ×17 = 119
3. m = (7-1) × (17-1) = 96
4. Kp = 5
5. Kc = 77

CSC4430 – Data Communication and Computer Networks 41

 23.6. RSA

„ Security of RSA:
z The complexity lies in the process of picking the
prime numbers (p and q) for a given N.
z It would take more than 70 years to find the
numbers with 100 bits (N).
z RSA Laboratories recommends N = 1024 bits.

CSC4430 – Data Communication and Computer Networks 42

 23.7. PGP

„ PGP (Pretty Good Privacy):

z Is an example of a good secure system as it
provides all four aspects of security.
z Is the de-facto standard for Internet e-mail
encryption.
z Uses:
Digital signature – provide integrity, authentication
and non-repudiation.
Combination of secret key and public key
encryption – provide privacy.

CSC4430 – Data Communication and Computer Networks 43

 23.7. PGP

„ PGP at the sender site:

CSC4430 – Data Communication and Computer Networks 44

 23.7. PGP

„ PGP at the receiver site:

CSC4430 – Data Communication and Computer Networks 45

 23.8. SSL

„ SSL (Secure Socket Layer):

z Works at the transport layer.
z Provides all four aspects of security to any TCP-
based applications using SSL services.
z Example: secure http - used between WWW
browsers and web servers.

Client Server
HTTP, telnet HTTP, telnet
SSL SSL
TCP/IP TCP/IP

CSC4430 – Data Communication and Computer Networks 46

 23.8. SSL

z Transaction using normal http:

Can see the plaintext using packet sniffer.

z Transaction using secure http:

Only see the ciphertext.

CSC4430 – Data Communication and Computer Networks 47

 23.9. Summary

„ Network Security:
z Four aspects of network security.
Privacy – achieved using cryptography : Section
27.2.
Integrity, authentication and non-repudiation –
achieved using digital signature : Section 27.3.
z Specific security standards in practice:
Privacy standards: DES, RSA : Section 23.2.
Application layer: PGP : Section 27.4.
Transport layer: SSL.

CSC4430 – Data Communication and Computer Networks 48