Professional Documents
Culture Documents
Chapter 8
Network Security
Chapter 8
Problem
Chapter 8
Problem
Suppose you are a customer using a credit card to
order an item from a website.
Chapter 8
Problem
Chapter 8
Problem
Chapter 8
Problem
This can result from a DNS attack, in which false information is
entered in a Domain Name Server or the name service cache of
the customers computer.
This leads to translating a correct URL into an incorrect IP
addressthe address of a false website.
A protocol that ensures that you really are talking to whom you
think youre talking is said to provide authentication.
Authentication entails integrity since it is meaningless to say that
a message came from a certain participant if it is no longer the
same message.
Chapter 8
Problem
Chapter 8
Problem
Chapter 8
Chapter Outline
Chapter 8
Overview
Cryptography functions
Security services
Public
key
(e.g., RSA)
Security
services
Message
digest
(e.g., MD5)
Privacy
Authentication
Message
integrity
10
Chapter 8
11
Chapter 8
12
Principles of Ciphers
Chapter 8
13
Principles of Ciphers
Chapter 8
14
Chapter 8
Principles of Ciphers
15
Principles of Ciphers
Chapter 8
16
Principles of Ciphers
Block ciphers are always augmented to make
the ciphertext for a block vary depending on
context. Ways in which a block cipher may be
augmented are called modes of operation.
Chapter 8
17
Block Ciphers
A common mode of operation is cipher block
chaining (CBC), in which each plaintext block
is XORed with the previous blocks ciphertext
before being encrypted.
Chapter 8
18
Block Ciphers
Chapter 8
19
Chapter 8
20
Round 1
Round 2
56-bit
key
Round 16
Final permutation
Chapter 8
21
Chapter 8
22
Chapter 8
23
Chapter 8
24
Chapter 8
25
Chapter 8
Public-key encryption
26
Chapter 8
27
Chapter 8
28
Chapter 8
29
Authenticator
Chapter 8
30
Authenticator
Chapter 8
Chapter 8
Authenticator
32
Authenticator
Chapter 8
33
Chapter 8
Authenticator
34
Authenticator
Chapter 8
35
Chapter 8
36
Chapter 8
37
Chapter 8
Chapter 8
39
Chapter 8
40
Chapter 8
41
Chapter 8
42
Chapter 8
43
Chapter 8
While only one public key per entity is sufficient for authentication and
confidentiality, there must be a symmetric key for each pair of entities who
wish to communicate. If there are N entities, that means N(N 1)/2 keys.
Unlike public keys, secret keys must be kept secret.
44
Chapter 8
A challenge-response protocol
45
Chapter 8
46
Chapter 8
47
Chapter 8
Chapter 8
Kerberos Authentication
49
Chapter 8
50
Chapter 8
51
Chapter 8
For example, if p were the prime number 5 (a real system would use
a much larger number), then we might choose 2 to be the generator
g since:
1 = 20 mod p
2 = 21 mod p
3 = 23 mod p
4 = 22 mod p
52
Chapter 8
53
Chapter 8
54
Chapter 8
A man-in-the-middle attack
55
Chapter 8
Example Systems
56
Chapter 8
Example Systems
Chapter 8
Example Systems
58
Chapter 8
Example Systems
59
Chapter 8
Example Systems
60
Chapter 8
Example Systems
IP Security (IPSec)
61
IP Security (IPSec)
Chapter 8
Example Systems
They are the Authentication Header (AH), which provides access control,
connectionless message integrity, authentication, and antireplay protection,
and the Encapsulating Security Payload (ESP), which supports these same
services, plus confidentiality.
AH is rarely used so we focus on ESP here.
The second part is support for key management, which fits under
an umbrella protocol known as ISAKMP:
62
Chapter 8
Example Systems
IP Security (IPSec)
63
Chapter 8
Example Systems
IP Security (IPSec)
64
IP Security (IPSec)
Chapter 8
Example Systems
65
IP Security (IPSec)
Chapter 8
Example Systems
66
Chapter 8
Example Systems
67
Chapter 8
Example Systems
68
Chapter 8
Firewalls
69
Chapter 8
Firewalls
70
Chapter 8
Firewalls
71
Chapter 8
Firewalls
72
Chapter 8
Summary
73