Professional Documents
Culture Documents
Outline
What is network security?
Examples of Network Attacks
Security Principles
Cryptography
Message integrity, authentication
Securing e-mail
Securing TCP connections: SSL
Network layer security: IPsec
Securing wireless LANs
Operational security: firewalls and IDS
9
10
Bob
channel
data
data, control
messages
secure
sender
secure
receiver
data
Trudy
11
13
If
router
S1
Internet
S2
S3
14
DHCP Request
DHCP Response
DHCP
Server
Internet
router
Rogue
DHCP
Server
15
ARP Spoofing
ARP Request
ARP Response
ARP
Server
Internet
router
Rogue
ARP
Server
16
BGP hijacking
ICMP Redirect
ICMP Redirect:
Prefix A via Router 2
IP Prefix
Next Hop
Prefix A
Router 2
Internet
Router 1
(Default)
Prefix A
Router 2
Private
Intranet
Router 3
18
Private
Intranet
Router 3
ICMP Redirect:
Prefix A via Attackers IP
Attacker can
prevent communication
create a man-in-the-middle attack
19
BGP Attacks
Security vulnerabilities in BGP
An AS can advertise IP addresses it does NOT own
An AS can not verify that the AsPath is correct
ISPs exchange BGP messages over regular TCP sessions.
Examples:
2008 Pakistan Telecom
Tried to block YouTube
Inadvertently propagated false BGP Advertisements
2004: Turkish ISP TTNet
Advertised best path via Turkey to everywhere
Almost entire Internet inoperational for several hours
2003: DataOne in Malaysia
Hijacked two of Yahoos Santa Clara prefixies
Believed to be malicious
2003: Spammers hijack Northrop Grumman
Hijacked block of unused IP addresses
Used it to sent spam
20
Outline
What is network security?
Examples of Network Attacks
Security Principles
Cryptography
Message integrity, authentication
Securing e-mail
Securing TCP connections: SSL
Network layer security: IPsec
Securing wireless LANs
Operational security: firewalls and IDS
24
encryption
algorithm
KA(m)
ciphertext
Bobs
K decryption
Bkey
decryption plaintext
algorithm
m = KB(KA(m))
Trudy
m plaintext message
KA(m) ciphertext, encrypted with key KA
m = KB(KA(m))
25
known-plaintext attack:
Trudy has plaintext
corresponding to ciphertext
e.g., in monoalphabetic
cipher, Trudy determines
pairings for a,l,i,c,e,b,o,
chosen-plaintext attack:
Trudy can get ciphertext for
chosen plaintext
26
KS
plaintext
message, m
encryption
algorithm
ciphertext
K
(m)
decryption plaintext
algorithm
m = KS(KS(m))
symmetric key crypto: Bob and Alice share same (symmetric) key: K
DES: Data Encryption Standard (1993)
56-bit-key-encrypted phrase decrypted (brute force) in less than a day
28
e.g. RSA
plaintext
message, m
encryption
algorithm
Computationally expensive
Inefficient, particularly for long
messages.
DES much faster than RSA
100 times faster in software
1000-10000 in hardware
ciphertext
+
B
K (m)
- Bobs private
B key
decryption
algorithm
plaintext
message
-
+
B
m = KB (K (m))
29
Outline
What is network security?
Examples of Network Attacks
Security Principles
Cryptography
Message integrity, authentication
Securing e-mail
Securing TCP connections: SSL
Network layer security: IPsec
Securing wireless LANs
Operational security: firewalls and IDS
30
Authentication
Goal: Bob wants Alice to prove her identity to him
Protocol ap1.0: Alice says I am Alice
Alice
Bob
I am Alice
Trudy
in a network,
Bob can NOT see
Alice, so Trudy simply
declares
to be Alice
31
Alices
IP address I am Alice
Failure scenario??
Trudy
32
Trudy
33
Alices Alices
Im Alice
IP addr password
Alices
IP addr
OK
Failure scenario??
Trudy
34
Alices Alices
Im Alice
IP addr password
Alices
IP addr
OK
Alices Alices
Im Alice
IP addr password
35
Alices encrypted
Im Alice
IP addr password
Alices
IP addr
OK
Failure scenario??
36
Alices encrypted
Im Alice
IP addr password
Alices
IP addr
OK
record
and
playback
still works!
Alices encrypted
Im Alice
IP addr password
37
Outline
What is network security?
Examples of Network Attacks
Security Principles
Cryptography
Message integrity, authentication
Securing e-mail
Securing TCP connections: SSL
Network layer security: IPsec
Securing wireless LANs
Operational security: firewalls and IDS
39
Digital signatures
cryptographic technique analogous to handwritten signatures:
sender (Bob) digitally signs document, establishing he
is document owner/creator.
verifiable, nonforgeable: recipient (Alice) can prove to
someone that Bob, and no one else (including Alice),
must have signed document
41
Digital signatures
simple digital signature for message m:
- Bobs private
KB
key
Public key
encryption
algorithm
Bob
m,K B(m)
Bobs message,
m, signed
(encrypted) with
his private key
Bob signed m
no one else signed m
Bob signed m and not m
non-repudiation:
Alice can take m, and signature KB(m) to court and prove that
Bob signed m
42
Message digests
computationally expensive to public-key-encrypt long messages
goal: fixed-length, easy- to-compute digital fingerprint
large
message
m
H: Hash
Function
H(m)
43
H: Hash
function
Bobs
private
key
KB
digital
signature
(encrypt)
encrypted
msg digest
encrypted
msg digest
H(m)
KB(H(m))
large
message
m
H: Hash
function
KB(H(m))
Bobs
public
key
KB
digital
signature
(decrypt)
H(m)
H(m)
equal
?
44
SHA-2 (SHA-512)
Historically SHA-I was most popular but now
nearly broken
Oct 2012, Keccak algo chosen by NIST for SHA-3
45
Public-key Certification
Motivation: Trudy plays pizza prank on Bob
Trudy creates e-mail order:
Dear Pizza Store, Please deliver to me four pepperoni pizzas.Thank
you, Bob
Trudy signs order with her private key
Trudy sends order to Pizza Store
Trudy sends to Pizza Store her public key, but says its Bobs
public key
Pizza Store verifies signature; then delivers four pepperoni
pizzas to Bob
Bob doesnt even like pepperoni!
Q: But how do we know what the right public key is?
46
Certification Authorities
Certification Authority (CA): binds public key to
particular entity, E.
E (person, router) registers its public key with CA.
E provides proof of identity to CA.
CA creates certificate binding E to its public key.
certificate containing Es public key digitally signed by CA CA
says this is Es public key
Bobs
public
key
Bobs
identifying
information
KB
digital
signature
(encrypt)
CA
private
key
CA
KB
certificate for
Bobs public key,
signed by CA
47
Certification Authorities
When Alice wants Bobs public key:
gets Bobs certificate (Bob or elsewhere).
apply CAs public key to Bobs certificate, get Bobs public key
+
KB
digital
signature
(decrypt)
CA
public
key
Bobs
public
+
K B key
K+
CA
48
Outline
What is network security?
Examples of Network Attacks
Security Principles
Cryptography
Message integrity, authentication
Securing e-mail
Securing TCP connections: SSL
Network layer security: IPsec
Securing wireless LANs
Operational security: firewalls and IDS
49
Secure e-mail
Alice wants to send confidential e-mail, m, to Bob.
KS
K ( .)
S
+
KS
KS(m )
KS(m )
KB( )
K+
B
Internet
KB(KS )
Alice:
generates random symmetric private key, KS
encrypts message with KS (for efficiency)
also encrypts KS with Bobs public key
sends both KS(m) and KB(KS) to Bob
KS( )
KB(KS )
KS
-
KB( )
K-B
Bob:
uses his private key to decrypt
and recover KS
uses KS to decrypt KS(m) to
recover m
50
KA
H( )
KA( )
KA(H(m))
KS
KS( )
m
KS
KB( )
K+
B
Internet
KB(KS )
51
Application
confidentiality
integrity
authentication
SSL
TCP
IP
52
public
Internet
salesperson
in hotel
router w/
IPv4 and IPsec
router w/
IPv4 and IPsec
branch office
53
54
Firewalls
isolates organizations internal net from larger Internet,
allowing some packets to pass, blocking others
public
Internet
administered
network
Types
Packet Filters
Stateful Packet Filters
Application Gateways
55
internal
network
IDS
sensors
Internet
Web
DNS
server FTP server
server
demilitarized
zone
56
57