CS 453 Computer Networks
Lecture 25: Introduction to Network Security

Network Security
- Data networks have become the core communication conduit for local, regional and global communications
- Once the esoteric domain of computer scientists... no longer
- Now data communications networks are the primary means of communication worldwide

Network Security
- Data communications networks carry:
  - Medical records
  - Critical health care data
  - Banking and financial information
  - National security secrets
  - ...and of course, YouTube and our email

Network Security
- The point: data networks are critical
- Lives, livelihoods, economies and countries depend on them
- Not only must they be present and operational, but they must be secure
- ...and this is not just about people-to-people or organization-to-organization communications, but the network itself

Network Security
- So what do we mean by secure?
- Confidential communications: some messages should only be read by the intended receiver
- Authentication: we want to have confidence that a message came from who we think it came from
- Integrity and nonrepudiation: the message received is the one sent; it has not been altered or tampered with
- Availability and access control: make the network resilient to security threats, only let agents use the network that should be using it, and only in the way they are authorized to use it

Network Security
- In part, network security means protecting the network:
  - Building in safeguards and protections
  - Monitoring for attacks and intrusions...
  - And responding to these threats and intrusions with newer, better protections

Confidentiality: Encryption
- If we want to make sure that only the intended recipient of a message can understand the message, we need to disguise it. That is encryption.

Encryption basics
- Imagine Alice and Bob
- They are two routers in a network, and they need to send messages to each other

Encryption basics
- Alice sends the message "Bob, I Love You, Alice" to Bob
- The message as is is referred to as "cleartext"
- But Alice will encrypt it; the encrypted form is called "ciphertext"

Encryption basics
- Alice will use a key Ka to encrypt the message m...
- Bob will use another (possibly the same) key Kb to decrypt the message m
- Alice sends Ka(m) to Bob...
- Bob processes the ciphertext with Kb(Ka(m)) = m

Encryption basics
- Symmetric key encryption: both keys are identical and secret
- Public key encryption: a pair of keys is used, one known to everyone and one known only to the receiver (or sender), but not both

Encryption basics
- Caesar cipher: encode text using an offset in the alphabet
- For example, if K=3, then A=D, B=E, ...
- ...or "I Love You" = "l oryh brx"
- Easy to crack: crack one symbol and you crack the code

Encryption basics
- Monoalphabetic cipher: define an arbitrary mapping between cleartext symbols and ciphertext symbols
- So, something like a b c d e f ... mapping to m n b v c x ...
- So, maybe "I Love You" is "s gktc wky"
- Caesar cipher: the key has 26 possible values
- Monoalphabetic cipher: the key has 26! possible values
- Harder to crack... but not that hard. Why?

Encryption basics
- Polyalphabetic cipher: use multiple monoalphabetic ciphers, and use them in a repeating sequence to encrypt a message
- Suppose we have two ciphers c1 and c2
- We could use the sequence c1, c1, c2, c1, c1
- That is, encrypt the first symbol with c1, the second symbol with c1, the third symbol with c2, ...
- It's getting harder to crack

Data Encryption Standard (DES)
- NIST, 1993
- Symmetric key for commercial and nonclassified use
- Encrypts messages in 64-bit pieces using 56-bit keys
- Involves multiple "shuffles" and permutations of the data...
- See Kaufman (1995) for details

Data Encryption Standard (DES)
- Is it good?
- RSA challenge to break DES encryption, 1997
- A group of internet volunteers cracked the code in less than 4 months and earned $10k
- In 1999, another group of internet volunteers cracked the code in 22 hours

Data Encryption Standard (DES)
- 2001: NIST proposed a successor to DES, the Advanced Encryption Standard (AES)
- Encrypts 128-bit blocks
- Uses 128-, 192- or 256-bit keys
- NIST estimates that if a computer could crack a 56-bit DES key in one second, it would take the same computer 149 trillion years to crack a 128-bit AES key

Symmetric Key Encryption
- Requires sender and receiver both to have a key, and the sender's and receiver's keys have to be identical
- But how do they get these keys?
- They can't transmit them
- They can't encrypt them and then transmit them

Public Key Encryption
- Imagine Bob has two keys
- One (Kb-pub) is public, which he will share with anyone
- One (Kb-pri) is private and not shared with anyone
- A message encrypted with Bob's Kb-pub can only be decrypted with Bob's Kb-pri
- Kb-pri(Kb-pub(m)) = m

Public Key Encryption
- Bob has two keys
- So, if Alice wants to send Bob an encrypted message, she must first request a copy of Bob's public key, Kb-pub
- Alice then encrypts the message using Kb-pub and an agreed-upon encryption algorithm, and sends the message
- Bob receives the message and decrypts it using his private key Kb-pri

Public Key Encryption
- Takes care of confidentiality
- Recall that in symmetric key encryption the keys were secret, so under normal circumstances you can assume that if a message arrived that had been encrypted with that key, it came from the source you think it came from...
- Unless the key was stolen (that's what spies are for)

Public Key Encryption
- ...but with public key encryption anyone can get the public key, so you don't know if the message really came from Alice, even if it says it did
- i.e. it can't do authentication

Public Key Encryption Algorithms
- RSA public key encryption, widely used
- Choose two large prime numbers p and q
- Compute n = pq and z = (p-1)(q-1)
- Choose a number e, less than n, that has no common factors (except 1) with z
- Find a number d such that ed-1 is evenly divisible by z
- Public key Kpub = (n, e)
- Private key Kpri = (n, d)

Public Key Encryption Algorithms
- RSA public key encryption
- Then for a message m, we encrypt: c = m^e mod n
- And decrypt: m = c^d mod n
- Remember, Alice has e and only Bob has d

Public Key Encryption Algorithms
- RSA public key encryption
- Suppose Bob picks p=5 and q=7: n=35 and z=24
- Choose e=5, since 5 (e) and 24 (z) have no common factors
- Choose d=29, since (ed-1) mod z = 0: ((5*29)-1) mod 24 = 0
- Bob gives Alice his Kpub, which is e
- Alice encrypts the message "hi" and sends it to Bob

RSA Public Key Encryption
- Alice encrypts with e=5, n=35

  Cleartext   Numeric value   m^e          c = m^e mod n
  h           68              1453933568   3
  i           69              1564031349   34

- Bob decrypts with d=29, n=35

  c    c^d          m = c^d mod n   Cleartext
  3    6.86304E13   68              h
  34   2.58755E44   69              i

Authentication: is it really who we think it is?
- Host-based authentication
- Messages have the IP address of the source
- So, authenticate based on the IP address in the message header
- Easy to fake: IP spoofing

Authentication
- Password authentication
- Use a password in a message, or to establish a connection
- Easy to capture the password, especially if cleartext: sniffing

Authentication
- Encrypted password authentication
- Encrypt a password and use it in a message, or to establish a connection
- The encrypted password can still be captured and played back when the password is needed: playback attack

Authentication
- Public key authentication
- Just like data stream encryption, we can use public keys to encrypt a password for authentication
- Alice wants to send a message to Bob...
- Bob sends Alice his public key
- Alice encrypts her password with Bob's public key, and transmits it
- SSH

Public key authentication: man-in-the-middle attack
- Bob wants to send a message to Alice
- Carol sends Bob her public key saying it is from Alice; Carol also obtains Alice's public key (it is public)
- Bob sends a message to Alice using Carol's public key, and Carol intercepts it
- Carol decrypts and reads the message
- Carol encrypts the message with Alice's public key and sends it to Alice saying it is from Bob
- ...and no one is the wiser

Data integrity: is it really the right data?
- We need some way to assure the receiver that the message contents are really the message contents that were sent
- In the paper world we sign reports, expense account statements, etc. to vouch for the accuracy (integrity) of the information in the reports or statements
- ...so

Data integrity
- Digital signatures
- Encrypt a document using a private key. What?
- BTW, public/private keys are two-way
- If I encrypt with my private key, since it is not public, I had to be the one that encrypted it (my signature)

Data integrity
- Digital signatures
- Note: if the message is altered after it is digitally signed, Kpub(Kpri(m)) will not result in m, i.e. it will not decrypt

Data integrity
- Message digests
- Digital signatures are expensive
- Alternative: create a message digest
- Use a hash function, like a CRC or checksum
- Then digitally sign the message digest
- MD5

Data integrity
- Message digests
- The original message is sent in cleartext, along with the digitally signed message digest
- The receiver computes a second message digest on the received message
- If the two message digests match, the message is good

Access control: Firewalls
- Packet filtering, based on:
  - IP source or destination address
  - TCP or UDP port numbers
  - ICMP message types
  - Connection-initiation datagrams, using the SYN and ACK bits

Access control: Firewalls
- Packet filtering
- Controlled by rules: permit this, deny that
- The order of evaluation of the rules is important

Access control: Firewalls
- Application gateways
- Sometimes packet filtering is not enough
- Maybe you want certain authenticated users to be able to use a service from specific IP addresses but not others
- Application gateways are intermediate services: connect to the gateway, and the gateway connects to the service of interest

Access control: Firewalls
- Application gateways
- For example, suppose you want to let certain users telnet out of the network, but not everyone
- A user wanting to telnet out telnets to the telnet gateway
- The user authenticates to the gateway
- The user provides the gateway with the telnet destination
- The gateway telnets to the destination
- The gateway relays telnet packets between the user and the service

Threats
- Mapping: port scanning
- Packet sniffing
- Spoofing
- Denial of service attacks
- See: http://en.wikipedia.org/wiki/Denial_of_service

"That's all I have to say about that." Forrest Gump
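The Caesar, monoalphabetic and polyalphabetic slides above, worked through in code. This is an added example, not lecture material; the polyalphabetic cipher is built from two Caesar shifts (c1 = 3, c2 = 7 are assumed values) in the slide's c1, c1, c2, c1, c1 pattern, and the monoalphabetic key is a seeded random permutation.

```python
import random
import string

ALPHABET = string.ascii_lowercase


def caesar_encrypt(text, k):
    """Caesar cipher: shift each letter k places (K=3 gives a->d, b->e, ...).
    Text is lower-cased as on the slide; non-letters pass through unchanged."""
    out = []
    for ch in text.lower():
        out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26] if ch in ALPHABET else ch)
    return "".join(out)


def caesar_decrypt(text, k):
    return caesar_encrypt(text, -k)


def make_mono_key(seed):
    """Monoalphabetic key: an arbitrary permutation of the alphabet (one of 26!),
    constructed here from a seeded shuffle so the example is reproducible."""
    letters = list(ALPHABET)
    random.Random(seed).shuffle(letters)
    return dict(zip(ALPHABET, letters))


def mono_encrypt(text, key):
    return "".join(key.get(ch, ch) for ch in text.lower())


def mono_decrypt(text, key):
    inverse = {c: p for p, c in key.items()}
    return "".join(inverse.get(ch, ch) for ch in text)


def poly_encrypt(text, shifts):
    """Polyalphabetic cipher built from Caesar ciphers: the i-th letter uses the
    cipher at position i mod len(shifts) of the repeating sequence, so
    shifts=[3, 3, 7, 3, 3] is the slide's c1, c1, c2, c1, c1 pattern with c1=3, c2=7.
    Only letters advance the position, so spaces do not disturb the sequence."""
    out, i = [], 0
    for ch in text.lower():
        if ch in ALPHABET:
            out.append(caesar_encrypt(ch, shifts[i % len(shifts)]))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def poly_decrypt(text, shifts):
    return poly_encrypt(text, [-s for s in shifts])
```

With the pattern above the two o's in "I Love You" encrypt to different letters (v and r), which is exactly what defeats the single-symbol crack that works against Caesar.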
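The RSA slides (p=5, q=7, e=5, d=29) and the digital-signature slides, carried through in code. This is an added example, not part of the lecture; the digest function (SHA-256 reduced mod n) is an assumption standing in for the slide's "hash function". It also shows one caveat the slide's table glosses over: because 68 ('h') and 69 ('i') are larger than n=35, decryption returns m mod n (33 and 34), so an RSA message block must always be smaller than n.

```python
import hashlib
from math import gcd

# Toy RSA key from the lecture (p=5, q=7, e=5, d=29); real keys use primes of 1000+ bits.
P, Q = 5, 7
N = P * Q                 # 35
Z = (P - 1) * (Q - 1)     # 24
E = 5                     # public exponent: no common factor with z
D = 29                    # private exponent: (e*d - 1) divisible by z


def key_is_valid(e=E, d=D, n=N, z=Z):
    """The conditions the slide states for choosing e and d."""
    return e < n and gcd(e, z) == 1 and (e * d - 1) % z == 0


def encrypt(m, e=E, n=N):
    """c = m^e mod n; pow() does the modular exponentiation without the huge intermediate."""
    return pow(m, e, n)


def decrypt(c, d=D, n=N):
    """m = c^d mod n"""
    return pow(c, d, n)


def roundtrip(m):
    """decrypt(encrypt(m)) only recovers m when m < n; a larger m comes back as m mod n.
    The slide's 68 and 69 exceed n=35, so they return as 33 and 34, not 68 and 69."""
    return decrypt(encrypt(m))


def digest(message: bytes, n=N):
    """Message digest reduced into the RSA message space (assumed construction;
    with the toy n this is a 35-value digest, a real key leaves room for a full hash)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, d=D, n=N):
    """Signature = digest encrypted with the private key, Kpri(digest): cheaper than
    signing the whole message, which is the point of the message-digest slide."""
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature, e=E, n=N):
    """Receiver recomputes the digest of the cleartext it got and compares it with
    Kpub(signature); a tampered message or signature fails the comparison."""
    return pow(signature, e, n) == digest(message, n)
```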
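A first-match packet filter over the fields the firewall slides list (source/destination address, TCP/UDP port, ICMP type, and the SYN/ACK bits that mark a connection-initiation datagram), with a constructed sample policy that shows why rule order matters. This is an added example, not lecture material; the policy, addresses and port numbers are assumed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[int] = None
    syn: bool = False
    ack: bool = False

@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"           # unset fields match anything
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    initiation: Optional[bool] = None  # True: only connection-initiation datagrams (SYN set, ACK clear)

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src) or ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        if self.initiation is not None and (p.proto == "tcp" and p.syn and not p.ack) != self.initiation:
            return False
        return True

def filter_packet(rules, p: Packet, default: str = "deny") -> str:
    """First-match evaluation: the first rule that matches decides, which is why order matters."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default

# Constructed sample policy: new SSH connections only from the admin network, every other
# inbound connection attempt refused, everything else (established replies, UDP, ICMP) allowed.
INBOUND = [
    Rule("permit", src="10.1.0.0/16", proto="tcp", dport=22, initiation=True),
    Rule("deny", proto="tcp", initiation=True),
    Rule("permit"),
]
```

Reversing INBOUND puts the catch-all permit first, so the deny rule is never reached and outside SSH attempts get through: the same three rules, a different policy.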