SECURITY IN MANY LAYERS

Fundamental tools in Network Security
• • • • • Symmetric Key & Public key cryptography Authentication Key distribution Message integrity Digital signatures

SECURITY IN MANY LAYERS.deals with use of the above tools in the top 4 layers of IP. namely• Application layer • Transport Layer • Network layer • Data link layer .

SECURE E-MAIL Most important security features when designing a secure e-mail system: -> CONFIDENTIALITY Assurance that a third person doesn’t read the message -> SENDER AUTHENTICATION Assurance that the message came from the right person -> MESSAGE INTEGRITY Assurance that message is not modified .RECEIVER AUTHENTICATION .

Confidentiality a) Encrypt message –symmetric key technology by sender & Decryption by receiver b) Public key cryptography c) Session key .

ii) Encrypts message m using iii) Encrypts Ks with public key Ks Ks iv)Concatenates encrypted message and encrypted symmetric key to form “package” v) Sends package to receiver’s e-mail id .• Session Key: Sender i) selects a symmetric session key .

 generates random 8: Network Security 8-7 .  encrypts message with KS (for efficiency)  also encrypts KS with Bob’s public key. KS. to Bob. m.  sends both KS(m) and KB(KS) to Bob.Secure e-mail (PGP or GPG)  Alice wants to send confidential e-mail. ) S m KS(m ) KS(m ) Internet KS ( ) KS - . m KS + KB + KB ( ) . Alice: symmetric private key. + + KB(KS ) + KB(KS ) KB KB( ) . KS K (.

• Receiver i) Uses his private key to decrypt symmetric key ii) Uses Ksto decrypt message m Ks .

) S m KS(m ) KS(m ) Internet KS ( ) KS - . + + KB(KS ) + KB(KS ) KB KB( ) . KS K (.Secure e-mail  Alice wants to send confidential e-mail. Bob:  uses his private key to decrypt and recover K S  uses K to decrypt K (m) to recover m S S 8: Network Security 8-9 . to Bob. m. m KS + KB + KB ( ) .

to indicate the creator of the document.Sender Authentication & Integrity • Making use of Digital signature and message Digest • Digital signature – A cryptographic technique( like a handwritten signature). non forgeable and non repudiable. . that is verifiable. • message Digest – protects the data.

• verifiable. and no one else (including Alice).Digital Signatures Cryptographic technique analogous to hand-written signatures. must have signed document . • sender (Bob) digitally signs document. nonforgeable: recipient (Alice) can prove to someone that Bob. establishing he is document owner/creator.

Bob’s private B key K (m) Bob’s message. creating “signed” message.Simple digital signature for message m: Bob signs m by encrypting with his private key KB. m Dear Alice ---text--------Bob K . KB(m) Bob’s message. m. signed (encrypted) with his private key B Public key encryption algorithm .

tocompute digital “fingerprint” • apply hash function H to m. get fixed size message digest.Message Digests Computationally expensive to public-key-encrypt long messages Goal: fixed-length. large message m H: Hash Function H(m) Hash function properties: • many-to-1 • produces fixed-size msg digest (fingerprint) • given message digest x. easy. H(m). computationally infeasible to find m such that x = H(m) 8: Network Security 8-13 .

• Sender: i) Applies hash function H to message m to obtain message digest ii) Signs the result of hash function with private key to create digital signature iii) Concatenates original message with signature to form “package” iv)Sends to receiver’s e-mail id .

H(m ) Alice digitally signs message. K () A KA(H(m)) - KA(H(m)) Internet - + KA KA( ) + .) . H(m ) + m • m compare H( ) . 8: Network Security 8-15 . KA m H(.Secure e-mail (continued) • Alice wants to provide sender authentication message integrity. • sends both message (in the clear) and digital signature.

• Receiver: i) Applies sender’s public key to signed message digest ii) Compares the result with his own hash H If two results are same. receiver can be confident that message came from the correct sender and is unaltered .

KA(H(m)) - + m KS KS ( ) . newly created symmetric key 8: Network Security 8-17 . KS + KB + KB( ) . KA KA( ) - . sender authentication. + + KB(KS ) Internet Alice uses three keys: her private key.Secure e-mail (continued) • Alice wants to provide secrecy. message integrity. m H( ) . Bob’s public key.

• uses symmetric key cryptography. and digital signature as described.free) • Internet e-mail encryption scheme.commercial) or Gnu Privacy Guard (GPG . integrity. A PGP signed message: ---BEGIN PGP SIGNED MESSAGE--Hash: SHA1 Bob: Hai how do you do? Am going on vacation ---BEGIN PGP SIGNATURE--Version: PGP 5. • inventor.Pretty good privacy (PGP . Phil Zimmerman.0 Charset: noconv yhHJRHhGJGhgg/12EpJ+lo8gE4vB3mqJh FEvZP9t6n7G6m5Gw2 ---END PGP SIGNATURE--- 8: Network Security 8-18 . de-facto standard. • provides secrecy. sender authentication. hash function. public key cryptography.

secure sockets layer (ssl) • Provides data encryption and authentication between a web client and web server. . • Can be viewed as a layer between application layer and transport layer.

> server • iv) thus server is authenticated before user submits payment details • SSL provides mechanism for detecting tampering with the information by an intruder .FEATURES • SSL server authentication : i) allows the user to confirm server identity • ii) SSL enabled browser maintains a list of CAs and their public keys • Iii) browser .> certificate .

• • • • SSL client authentication : i) allows server to confirm user identity ii) it is optional iii) makes use of client certificates. issued by CAs • Encrypted SSL session : • i) all information sent between browser and server is encrypted by the sending software and decrypted by receiving software • ii) important to both customer and merchant .

cryptographic preferences & certificate Bob generates a random symmetric key & encrypts it using alice public key Alice extracts the symmetric key .Checks his list with the received certificate for alice Alice sends bob her server’s SSL version number.HOW SSL WORKS? Bob browses alice’s secure page and sends SSL version number and cryptographic preferences Bob has a list of trusted CAs and a public key for each CA.

70 W  25479.039.908 88:0/-8 W 3.3/207.7590/- 70.9438039-09003-74807.3994-49.:894207.943  .70.078 03.31472.0791.48807.0.3/807.08:8041.0794.:9039.W W W W $$.7590/-90803/38419.43172:807/0399  9845943.39 ...3//0.7590/$$808843 W  .039.  2.38419..

0 . $$ #$ 4--74808.07 8$$.08 4-.0147 0. 5:-.0 5:-.0791.0.8941 97:890/8.75947.5.08  .07843 3:2-07.0.75989:83 . 57010703.0 ..8 889990 70.:705..3/.98 90822097.. 0.3/42 822097.0791.5..0  03.908. 0 . 7.3/ 803/8$$.75947.07843 3:2-07  ..90 4-0307...0 8 80.0803/8-4-07 807.90147.0097.8.0/ . 57010703.3/ .