Post on 09-May-2018
Introduction to Network Security
Gerald A. Marin
These slides are provided solely for the use of FIT students taking this course in Network Security. No further copies are permitted Some materials are permitted for classroom usepermitted. Some materials are permitted for classroom use by other authors, who retain all copyrights. In particular, a number of slides in this section represent copyright protected
t i l th t i th t t C t N t ki bmaterial that accompanies the text Computer Networking by J. F. Kurose and K. W. Ross; they are used with the authors’ permission.
Network Security 1-1
OrganizationOrgan zat on
What is network security?What is network security?Principles of cryptographySecurity Requirements: Confidentiality Security Requirements: Confidentiality, authentication, …Key Distribution and certificationKey Distribution and certificationAccess control: firewallsAttacks and counter measuresAttacks and counter measures
Network Security 1-2
What is network security?What s network secur ty?
Confidentiality: only sender, intended receiver y yshould “understand” message contents
sender encrypts messagereceiver decrypts messagereceiver decrypts message
Authentication: sender, receiver want to confirm identity of each other
Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection
Access Control and Availability: services must be accessible and available to intended users
Non-repudiation: sender should not be able to
Network Security 1-3
Non-repudiation: sender should not be able to disavow later.
Friends and enemies: Alice, Bob, Trudy, , ywell-known in network security worldBob Alice (lovers!) want to communicate “securely”Bob, Alice (lovers!) want to communicate securelyTrudy (intruder) may intercept, delete, add messages
channel data, control messages
Alice Bob
securesender
securereceiver
messages
data datarece ver
T d
Network Security 1-4
Trudy
Who might Bob, Alice be?Who m ght Bob, Al ce be?
… well, real-life Bobs and Alices!, fWeb browser/server for electronic transactions (e.g., on-line purchases)on-line banking client/serverDNS serversrouters exchanging routing table updatesother examples?
Network Security 1-5
There are bad guys (and girls) out there!g y ( g )Q: What can a “bad guy” do?A: a lot!A: a lot!
eavesdrop: intercept messagesactively insert messages into connectiony gimpersonation: can fake (spoof) source address in packet (or any field in packet)hijacking: “take over” ongoing connection by hijacking: take over ongoing connection by removing sender or receiver, inserting himself in placed i l f i t i f b i denial of service: prevent service from being used by others (e.g., by overloading resources)
Network Security 1-6
more on this later ……
OrganizationOrgan zat on
What is network security?What is network security?Principles of cryptographySecurity RequirementsSecurity RequirementsKey Distribution and certificationAcc ss c nt l: fi llsAccess control: firewallsAttacks and counter measuresS it i lSecurity in many layers
Network Security 1-7
The language of cryptographyg g f yp g p y
KAlice’s encryption
Bob’s decryptionK
plaintext plaintextciphertext
KA
encryption decryption
encryptionkey
decryptionkey
KB
plaintext pla ntextpypalgorithm
ypalgorithm
Symmetric key crypto: sender, receiver keys identicalAsymmetric key crypto: keys NOT identical.Public key crypto: encryption key public decryption key
Network Security 1-8
Public-key crypto: encryption key public, decryption key secret (private)
Symmetric key cryptographyymm y yp g p ysubstitution cipher: substituting one thing for another
l h b ti i h b tit t l tt f thmonoalphabetic cipher: substitute one letter for another
plaintext: abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq
E Plaintext: bob. i love you. aliceciphertext: nkn. s gktc wky. mgsbc
E.g.:
Q: How hard to break this simple cipher?:brute force (how hard?)
h ?Network Security 1-9
other?
Symmetric key cryptographyymm y yp g p y
K KA B
plaintextciphertext
KA-B
encryption decryption
KA-B
plaintext ppypalgorithm
ypalgorithm
p a nt tmessage, m
K (m)A-B
K (m)A-Bm = K ( )A-B
symmetric key crypto: Bob and Alice share know same (symmetric) key: Ke ke is kn in substituti n p ttern in m n
A-Be.g., key is knowing substitution pattern in mono alphabetic substitution cipherQ: how do Bob and Alice agree on key value?
Network Security 1-10
Block CipherBlock C pherThe idea of a block cipher is fundamental to the study
h of cyptography. A block cipher is a function that encrypts fix-sized blocks. Today block ciphers commonly encrypt blocks f 128 bits Th s id t t k 128 bits f “pl in of 128 bits. They are said to take 128 bits of plain
text” and produce 128 bits of “cipher text.” This is done using a secret key and a public algorithm.
Plain text Cipher textE(K,p) or EK(p)
D(K,c)
Network Security 1-11
K is said to be a “symmetric” secret key.
3-bit Example 3 b t Example 3 3
3
With 3 bits only 2 messages are possible. Notice that there are 2 ! (or 8!) possible permutations of 2 messages. Each permutation can ( ) p p g pbe thought of as a "lookup table" that represents an encryption of the possible messages through a reordering. For example:
⎫ ⎫000001010
⎫⎪⎪⎪
101110111
⎫⎪⎪⎪
“Lookup table” represents one encryption (possible reordering) of all possible messages A 010
011 becomes
100
⎪⎪⎪⎬⎪
111000001
⎪⎪⎪⎬⎪
of all possible messages. A particular lookup table corresponds to one particular
101110111
⎪⎪⎪⎪⎪⎭
010011100
⎪⎪⎪⎪⎪⎭
secret key. Thus, we need 16 bits to represent all 8!=40,320 possible keys.
Network Security 1-12
111⎪⎭ 100⎪⎭poss ble keys.
An “Ideal” CipherpTwo commanders have eight possible messages to send Message 000 is “do not attack” while 001 is send. Message 000 is do not attack while 001 is “attack at 1am,” message 002 is “attack at 2am,”…etc.Each has a code book that lists 8! = 40 320 “lookup Each has a code book that lists 8! = 40,320 lookup tables” generated randomly. All officers have a copy of this book. (Represents the algorithm.) J t b f th t th i ti d Just before they go to their respective commands they are directed to use table number 12,123 by the crypto staff. (Represents the secret key.) The ideal cipher represents the best that can be done. Namely, we choose one lookup table randomly from all possible lookup tables.
Network Security 1-13
y p p
Huge Lookup TablesHuge Lookup TablesIf we think of a block cipher as a lookup table (corresponding to a key), the size of real tables is (corresponding to a key), the size of real tables is a problem.For 32-bit blocks a table would be 16 gigabytes.F r F r 64 bit bl cks a table w uld be 150 milli n For For 64-bit blocks a table would be 150 million terabytes.For 128-bit blocks a table would be bytes.395 10×Thus, real codes use encryption algorithms plus a key to generate ciphertext from plaintext directly. y.
Note that this approach may NOT produce an ideal cypher.
Network Security 1-14
Brute Force ExampleBrute Force Example
I created a message using the following letters: g g gacelps. I have used a substitution code to encrypt it (again based only on the 6 letters above).(again based only on the 6 letters above).Any spaces have been ignored, that is, no space becomes nospace. Th t d t t i l lThe encrypted text is lcapclscaec.Find the key and break the code! Due 1/20/09 and each student will present his/her solution and pturn in a report with code.
How many possible messages are there?How many possible keys are there?
Network Security 1-15
y p y
Kerckhoffs’ PrincipleKerckhoffs Pr nc ple
Security depends only on the secrecy of Security depends only on the secrecy of the Key and not on the secrecy of algorithms.
Algorithms hard to change and built into system hardware/softwareAl ith d ’t h f l i d Algorithms don’t change for long periods Someone may obtain physical access to a laptop that contains the algorithmsthat contains the algorithmsAlgorithms SHOULD be published so that other experts can check them for vulnerabilities.
Network Security 1-16
Cipher AttacksC pher AttacksCiphertext-only attack: trying to decrypt a message when all you know is the ciphertext. This is the most difficult casecase.Known plaintext attack: trying to decrypt a message when you know both the plaintext and the ciphertext (by prior example or autoreply)example or autoreply).Chosen plaintext attack: now you get to specify specially prepared plaintexts for which you will then see the ciphertexts.
Offline: prepare plaintexts all ahead of timeOnline: prepare next plaintext after receiving ciphertexts from previous submissions.
Ch s n ciph t xt tt ck: R c i th ciph t xt Chosen ciphertext attack: Receive the ciphertext corresponding to your chosen plaintext AND receive the plaintext corresponding to your chosen ciphertext.
Network Security 1-17
Birthday Attack (ciphertext attack example)(ciphertext attack example)
Named after the “birthday paradox.” If you have 23 people in a room, then the probability that two p p , p yof them have the same birthday is greater than 0.5.
Useful approximation: for large n the probability of Useful approximation for large n the probability of generating a duplicate (also called the probability of a collision) is close to 0.5 after approximately attempts.
n
Birthday attack: If keys are being generated randomly, then a key collision will occur relatively soon.
Determine this has happened (see a ciphertext of header twice implies same key).Insert previous message ciphertext into current message
d it ill b t d b th k t h
Network Security 1-18
and it will be accepted because the keys match.
Meet-in-Middle Attack(K l i t t l )(Known plaintext example)
Suppose we know a header or any other part of a pp y pmessage always sent from Alice to Bob. Suppose further they use a 64-bit key. (Brute force attack requires evaluating keys.)64 192 1.845 10= ×q g y )Generate keys randomly and encode the header with each of the keys (produce table). Watch for the encoded header in each message
2 1.845 10322
Watch for the encoded header in each message. It will likely occur during during first transactions. Usually applied to all authentication messages sent by Alice
32 92 4.295 10= ×
messages sent by Alice.When encoded header occurs we look to see which key we used to generate it.
Network Security 1-19
“Distinguishing” AttackD st ngu sh ng AttackMany types of attacks:
…decrypt only a specific message…reveal partial information about a message…other vulnerabilities?
Given many kinds of attacks crypto analysts G ven many k nds of attacks crypto analysts generally defend against a “distinguishing attack.”A distinguishing attack is an attack that detects a non-trivial difference between the ideal cipher non-trivial difference between the ideal cipher and the actual cipher.
Encryption and decryption available for comparisons between ideal and actualbetween ideal and actual.Free to choose any key.More about “non-trivial” later.
Network Security 1-20
Conventional Encryption Conventional Encryption PrinciplesPrinciples
An encryption scheme has five ingredients:yp f gPlaintextEncryption algorithmSecret KeySecret KeyCiphertextDecryption algorithm (perhaps different key)
Security depends on the secrecy of the key, not the secrecy of the algorithmIn modern encryption encryp/decrypt is done with In modern encryption encryp/decrypt is done with a block cipher – an encryption function for fix-sized blocks.
Network Security 1-21
CryptographyCryptographyCryptographyCryptography
Classified along three independent Classified along three independent dimensions:
The type of operations used for transforming yp p gplaintext to ciphertextThe number of keys used
symmetric (sin le key)• symmetric (single key)• asymmetric (two-keys, or public-key encryption)
The way in which the plaintext is processedy p p
Network Security 1-22
Average time required for Average time required for h tih ti k h k h exhaustiveexhaustive key search key search
Key Size (bits)
Number of Alternative Keys
Time required at 106
Decryption/µs( ) y yp µ
32 232 = 4.3 x 109 2.15 milliseconds
56 256 = 7.2 x 1016 10 hours
128 2128 = 3 4 x 1038 5 4 x 1018 years128 2 = 3.4 x 10 5.4 x 10 years
168 2168 = 3.7 x 1050 5.9 x 1030 years
Network Security 1-23
Feistel Cipher StructureFeistel Cipher StructureFeistel Cipher StructureFeistel Cipher Structure
Virtually all conventional block encryption y ypalgorithms, including DES have a structure first described by Horst Feistel of IBM in 1973.Feistel ciphers are a special class of iterated blockFeistel ciphers are a special class of iterated block ciphers where the ciphertext is calculated from the plaintext by repeated application of the same transformation or “round” functiontransformation or round function. In a Feistel cipher, the text being encrypted is split into two halves. The round function f is applied to one half using a subkey and the output of f is exclusivehalf using a subkey and the output of f is exclusive-ored with the other half. The two halves are then swapped. Each round follows the same pattern except for the last round where there is no swap
Network Security 1-24
except for the last round where there is no swap.
Feistel Structure (Continued)Fe stel Structure (Cont nued)
A nice feature of a Feistel cipher is thatA nice feature of a Feistel cipher is that encryption and decryption are structurally identical though thestructurally identical, though the subkeys used during encryption at each round are taken in reverse order duringround are taken in reverse order during decryption.
Network Security 1-25
Feistel Cipher StructureFeistel Cipher StructureFeistel Cipher StructureFeistel Cipher StructureThe realization of a Feistel Network depends on the choice of the following depends on the choice of the following parameters and design features:
Block size: larger block sizes mean greater securityKey Size: larger key size means greater securityNumber of rounds: multiple rounds offer increasing securityySubkey generation algorithm: greater complexity will lead to greater difficulty of cryptanalysis.Fast software encryption/decryption: the speed of Fast software encryption/decryption: the speed of execution of the algorithm becomes a concern
Network Security 1-26
Network Security 1-27
Conventional Encryption Conventional Encryption Al ithAl ithAlgorithmsAlgorithms
Data Encryption Standard (DES)yp ( )WAS the most widely used encryption scheme (now vulnerable).DES is a block cipherDES is a block cipher.The plaintext is processed in 64-bit blocks.The key is 56-bits in length
M ki DES Making DES more secure:use three keys sequentially (3-DES) on each datumuse cipher-block chainingThe algorithm is referred to as the Data Encryption Algorithm (DEA).
Network Security 1-28
Symmetric key Symmetric key crypto: DES
initial permutation DES operation
p16 identical “rounds” of
function application, each using different each using different 48 bits of key
final permutationp
Network Security 1-29
Initial PermutationIn t al Permutat on
The 64 bits of the input block to be enciphered are first subjected to the following permutation, called the initial permutation IP:
58 50 42 34 26 18 10 260 52 44 36 28 20 12 4L162 54 46 38 30 22 14 664 56 48 40 32 24 16 857 49 41 33 25 17 9 159 51 43 35 27 19 11 361 53 45 37 29 21 13 563 55 47 39 31 23 15 7
R1
Network Security 1-30
DESDESDESDESThe overall processing at each iteration:
Li = Ri-1Li Ri 1
Ri = Li-1 F(Ri-1, Ki) (XOR addition)Function F to be described.
⊕
Ki is a ”subkey” formed as a permuted subset of the original 64-bit key.
L ft d Ri ht th s d f xt Left and Right are then swapped for next iteration. It remains only to understand key It remains only to understand key generation and the function F (”mangler”) .
Network Security 1-31
Key Generation StepsKey Generat on Steps
Circular left shift.
Network Security 1-32
Permuted choice 1 is determined by the following table:
57 49 41 33 25 17 91 58 50 42 34 26 18C 1 58 50 42 34 26 18
10 2 59 51 43 35 27 19 11 3 60 52 44 36
C0
19 11 3 60 52 44 3663 55 47 39 31 23 15 7 62 54 46 38 30 22 D0
14 6 61 53 45 37 2921 13 5 28 20 12 4
0
Note that bits 8, 16, …64 are not used; they are reserved for useas parity bits. The key is actually 56-bits. BUT Permuted Choice
Network Security 1-33
2 from previous slide actually selects 48 of these bits at each step.
Shift ScheduleSh ft Schedule
Iteration Number
1 2 3 4 5 6 7 8 9 10
11
12
13
14
15
16Number 0 1 2 3 4 5 6
Number of Left
1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
Shifts
Network Security 1-34
Permuted Choice 2Permuted Cho ce
14 17 11 24 1 5 3 28 15 6 21 10
23 19 12 4 26 823 19 12 4 26 8 16 7 27 20 13 2 41 52 31 37 47 55
48 bit subkey.41 52 31 37 47 55 30 40 51 45 33 48 44 49 39 56 34 53 46 42 50 36 29 32
Network Security 1-35
This completes the subkey generation description.
Network Security 1-36
E-Table (Expands 32 bits to 48)E (E p )
32 1 2 3 4 532 1 2 3 4 5 4 5 6 7 8 9 8 9 10 11 12 13 32 bit (right) 48 bits out
12 13 14 15 16 17 16 17 18 19 20 21 20 21 22 23 24 25
( g )
20 21 22 23 24 25 24 25 26 27 28 29 28 29 30 31 32 1
Network Security 1-37
DES Round n, Encryption
64-bit input from last round
32-bit Ln 32-bit Rn
Mangler <- Kn
(+)
32 bit L 1 32 bit R 132-bit Ln+1 32-bit Rn+1
64-bit output for next round
Network Security 1-38
p
DES Mangler FunctionE table
32-bit input
6-bits 6-bits 6-bits 6-bits 6-bits 6-bits 6-bits 6-bits
Kn (+)
S Box1 S Box2 S Box3 S Box4 S Box5 S Box6 S Box7 S Box8
4-bits 4-bits 4-bits 4-bits 4-bits 4-bits 4-bits 4-bits
3232-bit permutation
Network Security 1-39
32-bit output
S1
First Four S Boxes:
14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 O 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 15 12 8 2 4 9 1 7 5 11 3 14 10 O 6 1315 12 8 2 4 9 1 7 5 11 3 14 10 O 6 13 S2
15 1 8 14 6 11 3 4 9 7 2 13 12 O 5 10 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15 13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9 S3
10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 810 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8 13 7 O 9 3 4 6 10 2 8 5 14 12 11 15 1 13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12 SS4
7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15 13 8 11 5 6 15 O 3 4 7 2 12 1 10 14 9 10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
Network Security 1-40
3 15 O 6 10 1 13 8 9 4 5 11 12 7 2 14
S5
2 12 4 1 7 10 11 6 8 5 3 15 13 O 14 9 14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6 4 2 1 11 10 13 7 8 15 9 12 5 6 3 O 14 11 8 12 7 1 14 2 13 6 15 O 9 10 4 5 311 8 12 7 1 14 2 13 6 15 O 9 10 4 5 3 S6
12 1 10 15 9 2 6 8 O 13 3 4 14 7 5 11 10 15 4 2 7 12 9 5 6 1 13 14 O 11 3 8 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13 S7
4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 14 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1 13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12 SS8
13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
Network Security 1-41
2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11
S-box Result is 4 bits (from 6)S box Result s 4 b ts (from 6)
S bb b b b b b → →1 2 3 4 5 6 1 2 3 4S-box b b b b b b s s s s→ →1 2 3 4 1 6 2 3 4 5where is the S-box entry at row and column .
Rows are numbered 0 through 3 and columns are 0 through 15s s s s b b b b b b
Rows are numbered 0 through 3 and columns are 0 through 15.
Example: 1Sp14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
O 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 011101→ 0011→
1
4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
15 12 8 2 4 9 1 7 5 11 3 14 10 O 6 13
011101→ 0011→
Network Security 1-42
32-Bit Permutation3 B t Permutat on16 7 20 2129 12 28 171 15 23 265 18 31 102 8 24 14
32 27 3 919 13 30 622 11 4 25
Network Security 1-43
Inverse of Initial PermutationInverse of In t al Permutat on40 8 48 16 56 24 64 3239 7 47 15 55 23 63 3138 6 46 14 54 22 62 3037 5 45 13 53 21 61 2936 4 44 12 52 20 60 2835 3 43 11 51 19 59 2734 2 42 10 50 18 58 2633 1 41 9 49 17 57 25
Network Security 1-44
End of DES EncryptionEnd of DES Encrypt on
Note that the DES Standard is available on our web site. Assignment: Read and Study.
Network Security 1-45
DES Round n, Decryption
64-bit input from last round
32-bit Ln 32-bit Rn
Mangler <- Kng
(+)
L (+) M = R
then
32-bit Ln+1 32-bit Rn+1
L = M (+) R
64-bit output for next round
Network Security 1-46
All steps in reverse order (except Mangler).
Concerns about DES
A “DES C k ” d i d f l th $250 000 th tA “DES Cracker” was designed for less than $250,000 that will try 1E12 56-bit keys per second (1000 per nanosecond). This will find the right key in about 3 days (if the plaintext is recognized as such when it appears).
The answer is to use longer keys 128-bit keys are inThe answer is to use longer keys. 128 bit keys are in fashion.
Triple DES effectively uses a 112 bit keyTriple-DES effectively uses a 112-bit key.
Network Security 1-47
Triple DEATriple DEATriple DEATriple DEA
Use three keys and three executions of Use three keys and three executions of the DES algorithm (encrypt-decrypt-encrypt)yp
C i h t t
C = EK3[DK2[EK1[P]]]• C = ciphertext• P = Plaintext• EK[X] = encryption of X using key K• DK[Y] = decryption of Y using key KDK[Y] = decryption of Y using key K
Effective key length of 168 bits
Network Security 1-48
Triple DEATriple DEA
Network Security 1-49
Other Symmetric Block Other Symmetric Block Ci hCi hCiphersCiphers
International Data Encryption Algorithm International Data Encryption Algorithm (IDEA)
128-bit keyyUsed in PGP
BlowfishEasy to implementHigh execution speed
l h f Run in less than 5K of memory
Network Security 1-50
Other Symmetric Block Other Symmetric Block Ci hCi hCiphersCiphers
RC5RC5Suitable for hardware and softwareFast, simpleAd t bl t f diff t d l thAdaptable to processors of different word lengthsVariable number of roundsVariable-length keyL iLow memory requirementHigh securityData-dependent rotations
Cast-128Key size from 40 to 128 bitsThe round function differs from round to round
Network Security 1-51
Suppose plaintext is less than block length (or last segment of text is less than block ( glength)?Padding is required. Schneier* suggests two methods:g q ggLet be the plaintext and let ( ) be the length of in bytes. Let be the block size of the block ciper in bytes. Then do either of the
P P P b
following:
1. Append a single byte with value 128 and as many zero bytes as1. Append a single byte with value 128 and as many zero bytes as required to make the overall length a multiple of . The numberof zero bytes added is in the range 0, 1, ..., 1.
bb −
2. Determine the number of padding bytes required. This is a number, (between 1 and ), and ( ) is a multiple of . Pad the plaintext
by appending bytes, each with value .n b n P b
n n+
Network Security 1-52
by appending bytes, each with value .n n
*Practical Cryptography, Schneier and Ferguson
Electronic CodeBook Mode (ECB)E (E )• This is the simplest way of encrypting plaintext into a
sequence of adjacent blocks Thussequence of adjacent blocks. Thus,
( , ), for 1, 2,..., max blocks.i iC E K P i= =
• Warning: if two plaintext blocks are the same, then their ciphertext will also be the same Thus this mode shouldciphertext will also be the same. Thus, this mode should never be used.
Network Security 1-53
Cipher Block Modes of Cipher Block Modes of O tiO tiOperationOperation
Cipher Block Chaining Mode (CBC)p g ( )The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block.preceding ciphertext block.Repeating pattern of 64-bits are not exposedMust initialize with an “initial vector” or IV.
i1iki ]P[CEC ⊕= −
i1iiK
i1iKKiK
)P(C][CD)]P(C[ED][CD
⊕=⊕= −
Network Security 1-54ii1i1iiK1i
i1iiK
PPCC][CDC)P(C][CD
=⊕⊕=⊕⊕
−−−
−
Network Security 1-55
Random IVRandom IVWould like to choose a random IV for reasonable protection of the first block but receiver must know the IV (and it must be generated)
0
first block, but receiver must know the IV (and it must be generated).Idea: Create as the IV and send as the zeroth block. Then:
C
0 C randomblock=0
1
1 1 1
( , ).For decryption: ( , ) .
i i i
i i i i i i i
C E K P CP D K C C P C C P
−
− − −
= ⊕= ⊕ = ⊕ ⊕ =
Disadvantages:i l d b1. Must implement a random number generator.
2. The ciphertext is one block longer than the plaintext. This is especially troubling for short messages
Network Security 1-56
This is especially troubling for short messages.
AES: Advanced Encryption StandardE E yp
new (Nov. 2001) symmetric-key NIST new (Nov. 2001) symmetric key NIST standard, replacing DESprocesses data in 128 bit blocksp128, 192, or 256 bit keysbrute force decryption (try each key) brute force decryption (try each key) taking 1 sec on DES, takes 149 trillion years for AES
Network Security 1-57
Possible ProjectsPoss ble Projects
Implement DES (or triple DES or AES…) Implement DES (or triple DES or AES…) plus block chaining mode using a random IV.
Prompt for plaintext or ciphertext input or file p p p pname.Use ASCII character set.C t k f i t HEXCreate key from input HEX.Encrypt or Decrypt as specified by user.
Network Security 1-58
More About AESMore About AES
The AES standard was published in The AES standard was published in November 2001 (FIPS 197).Chosen from 5 finalists. f m f .Winner was Rijndael by Vincent Rijmen and Joan Daemen.NOT a Feistel Cypher10 full rounds include byte substitution, fu r un nc u yt u t tut n, permutation, arithmetic operations on a finite field, and XOR with key.
Network Security 1-59
Illustration with Simplified AES*mp f E
S-AES created by Professor Edward S AES created by Professor Edward Schaefer and students (Santa Clara University).ySimilar structure with fewer rounds and smaller parameters.
For tutorial purposes only – not for encryption
*Willi S lli C h d N k *William Stallings, Cryptography and Network Security, Principles and Practices, 4th edition, Pearson Education, Inc., New Jersey, 2006 , , y,
Network Security 1-60
S-AES Encryption/Decryption
Network Security 1-61
Algorithm can be expressed using function composition:
2 1 0AK SR NS AK MC SR NS AK plaintext
[ ]Functions are applied right to left as usual: ( ) ( ) .f g x f g x=
( )22Example: ( ) and ( ) sin , then ( ) sin .f x x g x x f g x x= = =
Network Security 1-62
S-AES Data Structures
Network Security 1-63
Transformations
Network Security 1-64
ADD Key Example:ADD Key ExamplePlain Text: 749A
0Key : 2 554 2 5 8 1
DA⎡ ⎤ ⎡ ⎤ ⎡ ⎤4 2 5 8 17 9 5A
D A C⎡ ⎤ ⎡ ⎤ ⎡ ⎤
⊕ =⎢ ⎥ ⎢ ⎥ ⎢ ⎥⎣ ⎦ ⎣ ⎦ ⎣ ⎦
In particular 2 1010 0010 1000 8.A⊕ ⇒ ⊕ = =
Network Security 1-65
Nibble SubstitutionN bble Subst tut on
S-table lookup left(2 bits) are row; right(2 bits) column.Example:
8 1 6 4⎡ ⎤ ⎡ ⎤
Network Security 1-66
8 1 6 40A C C
⎡ ⎤ ⎡ ⎤→⎢ ⎥ ⎢ ⎥
⎣ ⎦ ⎣ ⎦
Shift RowSh ft Row
Shift Row operates only on the second row of the input state matrix. It performs a one-nibble circular shift of the second rowsecond row.
Example:
6 4 6 4⎡ ⎤ ⎡ ⎤⎢ ⎥ ⎢ ⎥0 0C C⎡ ⎤ ⎡ ⎤
→⎢ ⎥ ⎢ ⎥⎣ ⎦ ⎣ ⎦
Network Security 1-67
Mix ColumnM x Column
The mix column transformation is defined by a type of matrix multiplication on the state matrix:
00 01 00 01' '1 4.
' '4 1s s s ss s s s⎡ ⎤ ⎡ ⎤⎡ ⎤
=⎢ ⎥ ⎢ ⎥⎢ ⎥⎣ ⎦ ⎣ ⎦ ⎣ ⎦
i10 11 10 114 1 s s s s⎣ ⎦ ⎣ ⎦ ⎣ ⎦
•Addition is defined as XOR•Multiplication is defined as the multiplication operation in–
“Galois Field” aka finite field( )42GF
Network Security 1-68
Galois Field aka finite field.( )42GF
Multiplication in ( )42GFMultiplication in ( )2GF
Network Security 1-69
Mix Column ExampleM x Column Example
1 4 6 4 6 4 4 4 0 3 4.
4 1 0 4 6 4 4 0 7 3C
C C⊕ ⊕⎡ ⎤ ⎡ ⎤ ⎡ ⎤ ⎡ ⎤
= =⎢ ⎥ ⎢ ⎥ ⎢ ⎥ ⎢ ⎥⊕ ⊕⎣ ⎦ ⎣ ⎦ ⎣ ⎦ ⎣ ⎦
i ii
i i
Network Security 1-70
Key ExpansionKey Expans on
Original 16 bit key is represented as shown on slide 63 usingOriginal 16-bit key is represented as shown on slide 63 using two 8-bit “words.”
0 1:w w
The four expansion words are found as follows:The four expansion words are found as follows:
( ) ( )( )2 0 11w w RCON SubNib RotNib w
w w w
= ⊕ ⊕
= ⊕
( ) ( )( )3 1 2
4 2 3
5 3 4
2
w w w
w w RCON SubNib RotNib w
w w w
= ⊕
= ⊕ ⊕
= ⊕5 3 4w w w⊕
( ) ( )where 1 10000000 and 2 00110000.RCON RCON= =
Network Security 1-71
Key Expansion (continued)Key Expans on (cont nued)
The function ROTNIB does a one nibble The function ROTNIB does a one nibble (4bits) circular rotation on the input 8-bit word which has the effect of swapping the ppfirst 4 bits with the second 4 bits. The function SUBNIB performs nibble substitution on the input 8-bit word using the S-box.
Network Security 1-72
Key Expansion ExampleKey Expans on ExampleFrom:
( ) ( )( )2 0 1
3 1 2
1w w RCON SubNib RotNib w
w w w
= ⊕ ⊕
= ⊕
( ) ( )( )4 2 3
5 3 4
2w w RCON SubNib RotNib w
w w w
= ⊕ ⊕
= ⊕
( )0 1
2
with initial key 2 55 0010 1101 0101 0101 we have:00101101 10000000 01010101
00101101 10000000 00010001 10111100
D w ww SubNib
= =
= ⊕ ⊕
= ⊕ ⊕ =
( )3
4
10111100 01010101 1110100110111100 00110000 10011110
ww SubNib
= ⊕ =
= ⊕ ⊕
10111100 00110000 00101111 10100011= ⊕ ⊕ =
Network Security 1-73
5
10111100 00110000 00101111 1010001110100011 11101001 01001010.w= ⊕ ⊕ == ⊕ =
Homework 2Homework
Use S-AES to encrypt the message FACE Use S AES to encrypt the message FACE using the key D24E.Work on your own (follow the slides).W y (f ).Can be done without programming.
Network Security 1-74
Location of Encryption DeviceLocation of Encryption DeviceLocation of Encryption DeviceLocation of Encryption Device
Link encryption:Link encryption:A lot of encryption devicesHigh level of securityg yDecrypt each packet at every switch
End-to-end encryptionThe source encrypts and the receiver decryptsPayload encryptedHeader in the clear
High Security: Both link and end-to-end ti d d (s Fi 2 9)
Network Security 1-75
encryption are needed (see Figure 2.9)
Network Security 1-76
Key DistributionKey DistributionKey DistributionKey Distribution
1. A key could be selected by A and y yphysically delivered to B.
2. A third party could select the key and h i ll d li it t A d Bphysically deliver it to A and B.
3. If A and B have previously used a key, one party could transmit the new key to one party could transmit the new key to the other, encrypted using the old key.
4. If A and B each have an encrypted . f an ach ha an ncrypt connection to a third party C, C could deliver a key on the encrypted links to A and B
Network Security 1-77
and B.
Key Distribution (See Figure Key Distribution (See Figure y ( gy ( g2.10)2.10)Session key:Session key:
Data encrypted with a one-time session key.At the conclusion of the session the key is d ddestroyed
Permanent key:U d b t titi f th f Used between entities for the purpose of distributing session keys
Network Security 1-78
Network Security 1-79
Recommended ReadingRecommended ReadingRecommended ReadingRecommended Reading
Stallings W. Cryptography and Network Stallings, W. Cryptography and Network Security: Principles and Practice, 2nd
edition. Prentice Hall, 1999Scneier, B. Applied Cryptography, New York: Wiley, 1996Mel, H.X. Baker, D. Cryptography Decrypted. Addison Wesley, 2001Ferguson, Niels and Schneier, Bruce Practical Cryptography, Wiley, 2003
Network Security 1-80
Public Key CryptographyK y yp g p y
symmetric key crypto public key cryptographyy y yprequires sender, receiver know shared s t k
public key cryptographyradically different approach [Diffie-H ll 76 RSA78]secret key
Q: how to agree on key in first place
Hellman76, RSA78]sender, receiver do not share secret keyn f rst place
(particularly if never “met”)?
not share secret keypublic encryption key known to allprivate decryption key known only to receiver
Network Security 1-81
receiver
Public key cryptographyy yp g p y
Bob’s publick
K B+
key KB
Bob’s privatekey
K B-
plaintext ciphertextencryption decryption plaintextplaintextmessage, m
ciphertextencryptionalgorithm
decryption algorithm
plaintextmessageK (m)
B+
m = K (K (m))B+
B-
Network Security 1-82
Public key encryption algorithmsy yp g m
Requirements:
need K ( ) and K ( ) such thatB B. .
q
1 + -B
K (K (m)) = mBB
- +
+given public key K , it should be impossible to compute
i t k K
B2 +
-private key K B
RSA: Rivest Shamir Adelson algorithmNetwork Security 1-83
RSA: Rivest, Shamir, Adelson algorithm
Math Foundations for Public Key Cryptographyy yp g p y
This material motivated by Ferguson/Schneier l h
Divisibility and Primes
Practical Cryptography
yGenerating PrimesComputations Modulo a PrimepLarge Primes
Network Security 1-84
Divisibility and Primes (Review)D v s b l ty and Pr mes (Rev ew)
1. We write | and say " divides " if we can divide by witha b a b b a| y yno remainder. 2. We say that a number is "prime" if its only divisors are 1 and itself. 3. Any number larger than 1 that is NOT a prime is a "composite" number.4. Divisibility is "transitive" that is: If | and | , then | . (Prove this.)5. Lemma 1: Let be a positive number greater than 1. Let be the
a b b c a cn d5. Lemma 1: Let be a positive number greater than 1. Let be the
smallest divin d
sor of that is greater than 1. Then is prime. We will consider the proof of this next. Lemma 1 is used to prove
n d
Theorem 1. 6. Theorem 1. (Due to Euclid). There are an infinite number of primes.
Network Security 1-85
Proof of Lemma Proof of Lemma
First students should prove that is well-defined. That is, show thatevery positive integer has a smallest divisor. Next suppose this number
is NOT prime By defn of prime then is divisible b
dn
d d y a number e is NOT prime. By defn of prime then is divisible bd d y a number that satisfies: 1 . Any such would be the smallest divisor of because divisibility is transitive. This is a contradiction.
ee d e n< <y
Network Security 1-86
Proof of Theorem 1Proof of Theorem
Assume on the contrary that the number of primes is finite and that
1 2 1 2
Assume, on the contrary, that the number of primes is finite and that, ,..., is the list of all primes. Let 1. Let be
the smallest divisor of that is greater than 1. We know fromk kp p p n p p p d
n= +
Lemma 1
1that is prime. We also know that | . None of the primes divides . Thus, is a prime that is not in our list of all primes. This
kd d n p pn d
is a contradiction so the number of primes must be infinite.
Network Security 1-87
Fundamental Theorem of Arithmetic
Any integer greater than 1 can be written as the product of primes andy g g p pthis representation is unique except for the order of the primes.
2
2 2
Example: 147 7 3 700 7 2 5 .
= ×
= × ×
Network Security 1-88
Generating Small Primes(Th Si f E t th )(The Sieve of Eratosthenes)
• Generate all primes less than a positive integer n greaterGenerate all primes less than a positive integer n greater than 2 but less than a max determined by available memory. E l 200000• Example:
•
n 200000:=
init 1 2, n..:= Must initialize array b to pass tobinit 0:=
Must initialize array b to pass to function f as a parameter.
• Define function f(n b) then call• Define function f(n,b), then call.
Network Security 1-89
f n b,( ) i 2←:= First prime is 2.
b m 1←
m 1 2, n..∈for
2
Sets a flag indicating all numbers less than n MAY be prime.
Thi i i i t ll lti l f it (l th
top floorni
⎛⎜⎝
⎞⎟⎠
←
i2 n≤while This i is a prime set all multiples of it (less than n) to composite.
⎝ ⎠
k j i⋅←
j 2 3, top..∈for
b k 0←
i i 1+←
bi 0while
i i 1+←
bi 0while
b
Network Security 1-90
0
187905 0A sample from the returned 187906
187907
187908
0
1
0
array of 200,000 elements.
187908
187909
187910
187911
0
1
0
0f n b,( )
187911
187912
187913
187914
0
0
0
0
=
187914
187915
187916
187917
0
0
0
0187917
187918
187919
187920
0
0
0
0
Network Security 1-91
187920 0
Computation Modulo a PrimeComputat on Modulo a Pr meLet be a prime (for much of this could also be a composite number) and recall that for any integer the number (mod ) is the remainder
p pr r pand recall that for any integer the number (mod ) is the remainder
obtained after dividing by . Thus, 100 (mod 13) 9. Nr r p
r p = ote that the only distinct values (mod ) are 0,1,2,..., 1. (Negative resultsp p −can also be converted into this range.)
Recall also that the greatest common divisor or "gcd" of positive integers and is the largest integer 0 such that | and | .Example: gcd(12,16) 4.Also recall that the least common multiple or
a b k k a k b>=
"lcm" of and is a bpthe smallest integer 0 such that | and | .Example: lcm(12,16) 48.
k a k b k>=
Network Security 1-92It is well known that gcd( , ) lcm( , ) .a b a b ab× =
Euclid’s gcd AlgorithmEucl d s gcd Algor thmGiven two non-negative integers, the notation ( , ) implies that0 .
a ba b≤ <
( , ) ( , )While 0 x y a b
x←>
( , ) ( mod , )gcd( , ) .
x y y x xa b y
←←
Example: (21,30) (9,21) (3,9) (0,3) gcd(21,30) 3.→ → → ⇒ =Definition: If gcd( , ) 1, then and are said to be relativelyprime.
a b a b=
Network Security 1-93
Extended Euclid AlgorithmExtended Eucl d Algor thmIt is well known that there exist integers and such that gcd( , ) . In the previous example, we want
x ya b ax by= +g ( ) p p
3 gcd(21,30) 21 30 . If we write down our intermediate steps,1. 30 1 21 9
yx y= = +
= × +2. 21 2 9 33
= × +. 9 3 3 0, which implies gcd(21,30) 3.= × + =
From step 2 we have 3 21 2 9. We use step 1 to substitute forthe 9. This yields 3 21 2 (30 1 21) 3 21 2 30.Th 3 3 21 2 30 Th t d d d l ith d
= − ×= − × − × = × − ×
thThus, 3 3 21 2 30. The extended-gcd algorithm produ= × − × ces the two sought integers and . This, in turn, will enable division moduloa specified value which is a critical step in the RSA algorithm
x y
Network Security 1-94
a specified value, which is a critical step in the RSA algorithm.
RSA: Choosing keysRSA Choos ng keys1. Choose two large prime numbers p, q.
( 2000 bi f h i d )(e.g., 2000+ bits for their product)I used the small primes approach to findp = 39607 and q = 78517.p q
2. Compute n = pq, z = (p-1)(q-1)
n 3109822819=
Z 3109704696Z = 3109704696
Network Security 1-95
RSA Keys ContinuedRSA Keys Cont nued3. Choose e (with e<n) that has no common f t ith ( “ l ti l i ”)factors with z. (e, z are “relatively prime”).
These factors are easy to guess. My first guess was 47785. It happens that gcd(47785 3109704696) 1It happens that gcd(47785,3109704696) 1.=
4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ).
This is the difficult step and requires the extended Euclidean algorithm.
Network Security 1-96
Finding d Using Ext Euclid Alg F nd ng d Us ng Ext Eucl d Alg Must choose d so that ed = 1 (mod z):Find gcd(47785,z) where 47785 is a guess.Find gcd(47785,z) where 47785 is a guess.3109704696 = 65077x47785+251
47785 = 190x251 + 95⇒ 47785 = 190x251 + 95251 = 2x95 + 61
⇒⇒
95 = 1x61 + 3461 = 1x34 + 27
⇒⇒
34 = 1x27 + 727 = 3x7 + 6
⇒⇒
Relatively Prime
Network Security 1-97
27 3x7 6⇒ 7 = 1x6 + 1. ⇒
Reversing Steps to Find 1=ax+byRevers ng Steps to F nd ax by
sub 1: 1 = 7 - 1x6sub : 7 6sub 6: = 7 - 1x(27-3x7) = 4x7 - 1x27sub 7: = 4x(34 - 1x27) -1x27 = 4x34 - 5x27sub 27: = 4x34 - 5x(61 - 1x34) = 9x34 - 5x61sub 34: = 9x(95 - 1x61) - 5x61 = 9x95 - 14x61sub 61: = 9x95 - 14x(251 - 2x95) = 37x95 - 14x251sub 61: = 9x95 - 14x(251 - 2x95) = 37x95 - 14x251sub 95: = 37x(47785 - 190x251) - 14x251 = 37x47785 - 7044x251sub 251: = 37x47785 - 7044(3109704696 - 65077x47785) = 458402425x47785 - 7044x3109704696
Because second term on right-hand side is zero mod z, it follows that
Network Security 1-98
458402425x47785=1 mod z. Let d = 458402425.
RSA Keys ContinuedRSA Keys Cont nued
5 Public key is (n e) Private key is (n d)5. Public key is (n,e). Private key is (n,d).KB
+KB
-
n 3109822819=
47785
Trudy knows that Bob’s public key is (n,e) and would like to find d. She
e = 47785
d = 458402425
knows ed mod z =1 but does not know z. To find z she needs p and q and so must factor n.
Security depends on difficulty of factoring n (which has 2000+ digits)
Network Security 1-99
n (which has 2000+ digits).
RSA: Encryption, decryptionRSA Encrypt on, decrypt on0. Given (n,e) and (n,d) as computed above
1. To encrypt bit pattern, m, computec = m mod ne (i e remainder when m is divided by n)ec = m mod n (i.e., remainder when m is divided by n)
2. To decrypt received bit pattern, c, computedm = c mod nd (i.e., remainder when c is divided by n)d
m = (m mod n)e mod ndMagichappens!
c
Network Security 1-100
c
RSA example:mpBob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e z relatively prime)e=5 (so e, z relatively prime).d=29 (so ed-1 exactly divisible by z.)
letter m me c = m mod neencrypt:
l 12 1524832 17
d dd l
encrypt:
c m = c mod nd17 481968572106750915091411825223071697 12
cd letterl
decrypt:
Network Security 1-101
Why does RSA work?Why does RSA work?
RSA d d ll k lt f b th
mod( 1)( 1)
RSA depends on a well-known result from number theory:If and are prime and , then
mod mod for any positive integers andy y p q
p q n pqx n x n x y− −
=
=mod mod for any positive integers and .
Example:
x n x n x y=
Let 3 5 15 be the product of two primes.n = × =12 12mod8
12
Choose 2 and 12.Then result says that 2 mod15 2 mod15. Correct?
x y= =
=12
12mod8 4
LHS 2 mod15 4096mod15 1.RHS 2 mod15 2 mod15 16mod15 1.
= = =
= = = =
Network Security 1-102
RSA: Why does m = (m mod n)e mod n ?dRSA Why does m (m mod n) mod n ?
Recall number theory result: If p,q prime and n pq th n:n = pq, then:
x mod n = x mod ny y mod (p-1)(q-1)
(m mod n)e mod n = m mod nd ed
ded mod (p-1)(q-1)= m mod ned mod (p 1)(q 1)
d1(using number theory result above)
= m mod n1
(since we chose ed to be divisible by(p-1)(q-1) with remainder 1 )
Network Security 1-103= m
(p )(q ) )
RSA: another important propertymp p p y
The following property will be very useful later:
K (K (m)) = mBB
- +K (K (m))BB
+ -=( )
BB ( ( ))BB
use public key use private key p yfirst, followed by private key
p yfirst, followed by public key
Result is the same!
Network Security 1-104
Security OverviewSecur ty Overv ew
What is network security?What is network security?Principles of cryptographySecurity RequirementsSecurity RequirementsKey Distribution and certificationAcc ss c nt l: fi llsAccess control: firewallsAttacks and counter measures
Network Security 1-105
AuthenticationAuthentication
Goal: Bob wants Alice to “prove” her identity Goal: Bob wants Alice to prove her identity to him
Protocol ap1 0: Alice says “I am Alice”Protocol ap1.0: Alice says I am Alice
“I Ali ”Failure scenario??
“I am Alice”
Network Security 1-106
AuthenticationAuthentication
Goal: Bob wants Alice to “prove” her identity Goal: Bob wants Alice to prove her identity to him
Protocol ap1 0: Alice says “I am Alice”Protocol ap1.0: Alice says I am Alice
in a network,Bob can not “see”
Alice, so Trudy simply Alice, so Trudy simply declares
herself to be Alice“I am Alice”
Network Security 1-107
Authentication: another tryy
Protocol ap2.0: Alice says “I am Alice” in an IP packett i i h IP dd containing her source IP address
“I am Alice”Alice’s IP address
Failure scenario??IP address
Network Security 1-108
Authentication: another tryy
Protocol ap2.0: Alice says “I am Alice” in an IP packett i i h IP dd containing her source IP address
Trudy can createa packet
“sp fin ”spoofing”Alice’s address“I am Alice”Alice’s
IP address
Network Security 1-109
Authentication: another tryy
Protocol ap3.0: Alice says “I am Alice” and sends hert d t d t “ ” itunencrypted secret password to “prove” it.
“I’m Alice”Alice’s IP addr
Alice’s password
Failure scenario??OKAlice’s
IP addr
Network Security 1-110
Authentication: another tryy
Protocol ap3.0: Alice says “I am Alice” and sends hert d t d t “ ” itunencrypted secret password to “prove” it.
“I’m Alice”Alice’s IP addr
Alice’s password
playback attack: Trudy records Alice’s packetand later plays it back t B b Sh l
OKAlice’s IP addr
to Bob. She can also learn the password.
“I’m Alice”Alice’s IP addr
Alice’s password
Network Security 1-111
IP addr password
Authentication: yet another tryy y
Protocol ap3.1: Alice says “I am Alice” and sends hert d t d t “ ” itencrypted secret password to “prove” it.
“I’m Alice”Alice’s IP addr
encrypted password
Failure scenario??OKAlice’s
IP addr
Network Security 1-112
Authentication: another tryy
Protocol ap3.1: Alice says “I am Alice” and sends hert d t d t “ ” itencrypted secret password to “prove” it.
recordd
“I’m Alice”Alice’s IP addr
encrypptedpassword
andplayback
still works!OKAlice’s
IP addr
“I’m Alice”Alice’s IP addr
encryptedpassword
Network Security 1-113
IP addr password
Authentication: yet another tryy yGoal: avoid playback attack
Nonce: number (R) used only once –in-a-lifetimeap4.0: to prove Alice “live”, Bob sends Alice nonce, R. Alice
must return R encrypted with shared secret keymust return R, encrypted with shared secret key
“I am Alice”
R
K (R) Alice is live and K (R)A-BAlice is live, and only Alice knows key to encrypt
nonce so it must
Network Security 1-114
Failures, drawbacks?nonce, so it must
be Alice!
Authentication: ap5.0p .
ap4.0 requires shared symmetric key can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
“I am Alice”R
Bob computes(K (R)) R
-K +RK (R)A
-
“send me your public key”
(K (R)) = RAK Aand knows only Alice
could have the private k h d R
send me your public key
K A+ key, that encrypted R
such that(K (R)) = RA
-K A
+
Network Security 1-115
AA
ap5.0: security holep yMan (woman) in the middle attack: Trudy poses as
Alice (to Bob) and as Bob (to Alice)
I am Alice I am AliceRR
TK (R)-
Send me your public key
K +
AK (R)-R
TK ASend me your public key
AK +
K (m)+TK (m)
Tm = K (K (m))+
T-
Trudy gets
sends m to Alice ennr pted ith
AK (m)+
+-
Network Security 1-116
ennrypted with Alice’s public keyA
m = K (K (m))+A
-
ap5.0: security holep yMan (woman) in the middle attack: Trudy poses as
Alice (to Bob) and as Bob (to Alice)
Difficult to detect: h h l d d Bob receives everything that Alice sends, and vice
versa. (e.g., so Bob, Alice can meet one week later and recall conversation))
problem is that Trudy receives all messages as well!
Network Security 1-117
Integrity: Digital Signaturesg y D g g
Cryptographic technique analogous to hand-Cryptographic technique analogous to hand-written signatures.sender (Bob) digitally signs document, sender (Bob) digitally signs document, establishing he is document owner/creator. verifiable, nonforgeable: recipient (Alice) can
t th t B b d l prove to someone that Bob, and no one else (including Alice), must have signed the document
Network Security 1-118
Digital SignaturesD g g
Simple digital signature for message m:Bob signs m by encrypting with his private key KB, creating “signed” message, KB(m)--
Dear AliceBob’s message, m Bob’s private
key K B
-
Bob’s message,
K B-(m)
Oh, how I have missed you. I think of you all the time! …(blah blah blah)
Bob
Public keyencryptionalgorithm
g ,m, signed
(encrypted) with his private key
Network Security 1-119
Digital Signatures (more)g g ( )Suppose Alice receives msg m, digital signature KB(m)Alice verifies m signed by Bob by applying Bob’s
-
Alice verifies m signed by Bob by applying Bob s public key KB to KB(m) then checks KB(KB(m) ) = m.If KB(KB(m) ) = m whoever signed m must have used
+ +
-
- -
+If KB(KB(m) ) m, whoever signed m must have used Bob’s private key.
Alice thus verifies that:Alice thus verifies that:Bob signed m.No one else signed m.Bob signed m and not m’.
Non-repudiation:Alice can take m and signature K (m) to -
Network Security 1-120
Alice can take m, and signature KB(m) to court and prove that Bob signed m.
Message Digests l g D g
Computationally expensive
large message
m
H: HashFunction
Computationally expensive to public-key-encrypt long messages H(m)
Goal: fixed-length, easy-to-compute digital “fingerprint”
Hash function properties:many-to-1
fingerprintapply hash function H to m, get fixed size
produces fixed-size msg digest (fingerprint)given message digest x message digest, H(m). given message digest x, computationally infeasible to find m such th t H( )
Network Security 1-121
that x = H(m)
Internet checksum: poor crypto hash p ypfunction
Internet checksum has some properties of hash function:Internet checksum has some properties of hash function:produces fixed length digest (16-bit sum) of messageis many-to-oneis many to one
But given message with given hash value, it is easy to find another message with same hash value: m g m
I O U 1 49 4F 55 31
message ASCII formatI O U 9 49 4F 55 39
message ASCII formatI O U 10 0 . 99 B O B
49 4F 55 3130 30 2E 3939 42 D2 42
B2 C1 D2 AC
0 0 . 19 B O B
30 30 2E 3139 42 D2 42
B2 C1 D2 ACdiff nt m ss s
Network Security 1-122
B2 C1 D2 AC B2 C1 D2 ACdifferent messagesbut identical checksums!
Digital signature = signed message digest
Bob sends digitally signed message:
Alice verifies signature and integrity of digitally signed message:
large message
mH: Hashfunction H(m)
g message:
encrypted msg digest
digitalsignature(encrypt)
Bob’s private
key K -
KB(H(m))-large
messagem digitalBob’s (encrypt)key K B
encrypted msg digest
m
H: Hashfunction
digitalsignature(decrypt)
publickey K B
+
+ KB(H(m))-g g
H(m) H(m)
equal
Network Security 1-123
equal?
Hash Function AlgorithmsF g mMD5 hash function widely used (RFC 1321)
computes 128-bit message digest in 4-step process. arbitrary 128-bit string x appears difficult to arbitrary 128 bit string x, appears difficult to construct msg m whose MD5 hash is equal to x.
SHA-1 is also used.US standard [NIST, FIPS PUB 180-1]160-bit message digest
Network Security 1-124
Chapter 7 roadmapChapter 7 roadmap
What is network security?What is network security?Principles of cryptographySecurity RequirementsSecurity RequirementsKey distribution and certificationAcc ss c nt l: fi llsAccess control: firewallsAttacks and counter measuresS it i lSecurity in many layers
Network Security 1-125
Trusted Intermediariesm
Symmetric key problem: Public key problem:How do two entities establish shared secret key over network?
When Alice obtains Bob’s public key (from web site e-mail key over network?
Solution:trusted key distribution
web site, e mail, diskette), how does she know it is Bob’s public k t T d ’ ?trusted key distribution
center (KDC) acting as intermediary between entities
key, not Trudy’s?Solution:
trusted certification entities trusted certification authority (CA)
Network Security 1-126
Key Distribution Center (KDC)K y D (KD )Alice, Bob need shared symmetric key.KDC h diff t t k ith h KDC: server shares different secret key with each registered user (many users)Alice, Bob know own symmetric keys, KA KDC KB KDC , for Alice, Bob know own symmetric keys, KA-KDC KB-KDC , for communicating with KDC.
KDC
KX-KDC
K
KP-KDC
KB-KDC
KA-KDC
KP-KDC
KB-KDC
KY-KDC
KZ-KDCKA KDC
Network Security 1-127
KA-KDC
Key Distribution Center (KDC)K y D (KD )Q: How does KDC allow Bob, Alice to determine shared symmetric secret key to communicate with each other? symmetric secret key to communicate with each other?
KDC generates K (A B)
Alice Bob knows to
generates R1KA-KDC(A,B)
KA-KDC(R1, KB-KDC(A,R1) )Aliceknows
R1
Bob knows to use R1 to
communicate with Alice
KB-KDC(A,R1)
A KDC( B KDC( ) )
with Alice
Alice and Bob communicate: using R1 as session key for shared symmetric encryption
Network Security 1-128
session key for shared symmetric encryption
Certification AuthoritiesfCertification authority (CA): binds public key to particular entity Eparticular entity, E.E (person, router) registers its public key with CA.
E provides “proof of identity” to CA. p p yCA creates certificate binding E to its public key.certificate containing E’s public key digitally signed by CA – CA says “this is E’s public key”CA says this is E s public key
Bob’s public
k K +digital
signature( t)
K B+
key K B
Bob’s id tif i
(encrypt)
CA private
key K CA-
B
certificate for Bob’s public key,
Network Security 1-129
identifying information
key CA Bob s public key, signed by CA
Certification AuthoritiesfWhen Alice wants Bob’s public key:
gets Bob’s certificate (Bob or elsewhere)gets Bob s certificate (Bob or elsewhere).apply CA’s public key to Bob’s certificate, get Bob’s public keyp y
Bob’s public
digitalsignatureK B
+public
key K B+signature
(decrypt)
CA p bli +
B
publickey
K CA+
Network Security 1-130
A certificate contains:Serial number (unique to issuer)info about certificate owner including algorithm info about certificate owner, including algorithm and key value itself (not shown)
info about certificate certificate issuervalid datesdigital signature by issuerissuer
Network Security 1-131
Security OverviewSecur ty Overv ew
What is network security?What is network security?Principles of cryptographySecurity RequirementsSecurity RequirementsKey Distribution and certificationAcc ss c nt l: fi llsAccess control: firewallsAttacks and counter measuresS it i lSecurity in many layers
Network Security 1-132
Firewalls
isolates organization’s internal net from larger firewallisolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.
administerednetwork
publicInternet
firewall
Network Security 1-133
firewall
Firewalls: Whyyprevent denial of service attacks:
SYN fl di tt k t bli h b SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections.
prevent illegal modification/access of internal data.e.g., attacker replaces CIA’s homepage with
thi lsomething elseallow only authorized access to inside network (set of
authenticated users/hosts)authenticated users/hosts)two types of firewalls:
application-level
Network Security 1-134
pppacket-filtering
Packet Filtering Should arriving packet be allowed F g packet be allowed
in? Departing packet let out?
internal network connected to Internet viarouter firewallrouter filters packet-by-packet, decision to forward/drop packet based on:forward/drop packet based on:
source IP address, destination IP addressTCP/UDP source and destination port numbersICMP message type
Network Security 1-135
ICMP message typeTCP SYN and ACK bits
Packet FilteringgExample 1: block incoming and outgoing datagrams with IP protocol field = 17 (UDP) and g p f ( )with either source or dest port = 23 (telnet).
All incoming and outgoing UDP flows and telnet connections are blockedconnections are blocked.Protocols: www.iana.org/assignments/protocol-numbersP l i / i /Protocols: www.iana.org/assignments/port-numbers.
Example 2: Block inbound TCP segments with p gACK=0.
Prevents external clients from making TCP connections with internal clients but allows
Network Security 1-136
connections with internal clients, but allows internal clients to connect to outside.
Application gateways gateway-to-remote pp g y
Filters packets on
host-to-gatewaytelnet session
g yhost telnet session
papplication data as well as on IP/TCP/UDP fields.Example: allow select
applicationgateway
router and filter
Example: allow select internal users to telnet outside.
1. Require all telnet users to telnet through gateway.2. For authorized users, gateway sets up telnet connection to
d t h t G t l d t b t 2 tidest host. Gateway relays data between 2 connections3. Router filter blocks all telnet connections not originating
from gateway.
Network Security 1-137
Limitations of firewalls and gatewaysg y
IP spoofing: router can’t know if data
filters often use all or thi li f UDPcan t know if data
“really” comes from claimed source
nothing policy for UDP.tradeoff: degree of communication with
if multiple app’s. need special treatment, each has own app gateway
communication with outside world, level of security
hi hl t t d has own app. gateway.client software must know how to contact
many highly protected sites still suffer from attacks.
gateway.e.g., must set IP address of proxy in Web
Network Security 1-138
f p ybrowser
Security OverviewSecur ty Overv ew
What is network security?What is network security?Principles of cryptographySecurity RequirementsSecurity RequirementsKey Distribution and certificationAcc ss c nt l: fi llsAccess control: firewallsAttacks and counter measuresS it i lSecurity in many layers
Network Security 1-139
Internet security threatsyMapping:
before attacking: “case the joint” find out before attacking: case the joint – find out what services are implemented on networkUse ping to determine what hosts have addresses on networkPort-scanning: try to establish TCP connection to each port in sequence (see what happens)to each port in sequence (see what happens)nmap (http://www.insecure.org/nmap/) mapper: “network exploration and security auditing”p y g
Countermeasures?
Network Security 1-140
BackgroundBackground
Scanners OS Fingerprinting
Sniffers/Protocol AnalyzersSniffers/Protocol AnalyzersOh my!!!
Network Security 1-141
Background: ScannersWhat is a scanner?
Background Scanners
A scanner, in network terms, is a program that traverses through a network given a set of targets and returns information based on a set of given criteria.
Types of scanners includeIP Scanners: Returns a list of active IPs
• Superscan , NMAPPort/ Service scanners: Returns what ports are open on a target and what services are being provided on it.g p
• IPTools, NMAPVulnerability Scanners: Returns a list of exploits which the target might be vulnerable to.
• Nessus RetinaNessus, RetinaNAT Scanners: attempts to determine the number of systems running behind the natted firewall and their operating systems
• firewalk
Network Security 1-142
Background: OS Fingerprinting ToolsBackground: OS Fingerprinting Tools
What is OS fingerprinting?A technique which queries the TCP/IP Stack of a host to determine what operating system is running on it.
There are two different types of OS fingerprinting tools,Active:
G t s t k t ffi • Generates network traffic • May be detected• Specially crafted packets• Catches variability's in TCP/IP stack• Catches variability s in TCP/IP stack
Passive: • No traffic is generated• Virtually undetectable
Network Security 1-143
• Virtually undetectable
Background: OS Fingerprinting Tools
Early toolsSIRC Roger Espel Llima . AKA: orabidoo (NMAP predecessors)
• attempted to place a host in os classes; Linux 4 4bsd win95 or unknown• attempted to place a host in os classes; Linux, 4.4bsd, win95 or unknown
CHECKOS, by Shok (NMAP predecessors)• very similar to SIRC-
was never suppose to go public• was never suppose to go public
SS, by SU1d (NMAP successor)• identified 12 different operating systems• the networking code was from NMAP• the networking code was from NMAP
Queso, Jordi Murgo, AKA:Savage, Apostols (NMAP successor)• first program to move the fingerprinting out of the code and into a separate file.
Made adding a new operating system easier.
Network Security 1-144
Background: OS Fingerprinting Tools
Today's toolsXprobe2, by Ofir Arkin, http://www.sys-ssecurity.com
U ICMP th th d t d fi i ti• Uses ICMP as the method to do fingerprinting• Generates fingerprints of systems scanned
NMAP, by Fyodor, http://www.isecure.org• detects 100’s of different OS versions and network devices• By far the most sophisticated fingerprinting tool on the net
– IP/Service scanner– Portscanner– OS fingerprintingOS fingerprinting– Network Device fingerprinting– 12 different modes of scanning– 4 different ways to discover systems
8 diff k difi i i ( l l i l– 8 different packet modification options (you can select multiple options simultaneously)
– 6 different timing options and 6 different method of detecting
Network Security 1-145
Background: OS Fingerprinting ToolsT day's t lsToday s tools
Passive ToolsSiphon, by Subterrain Security Group
• http://www.blackhat.com/presentations/bh-usa-01/AbadBeddoe/1• Runs as a service and logs detected operating systems to a file and
dstdout
P0f, by Michal Zalewski• http://lcamtuf.coredump.cx/p0f.shtml• Analyzes tcpdump formatted files• Excellent tool for network analysis to use with windump and
tcpdump
Network Security 1-146
Background: SniffersBackground Sn ffersWhat is a sniffer?
• A program that puts the systems network interface in promiscuous mode allowing the A program that puts the systems network interface in promiscuous mode allowing the monitoring and analysis of network traffic
Types of sniffers;Command line (CLI) sniffers:
• Data is viewed in a pretty raw format: TCPdump. Windump, snort, sniffit• Sniffit was one of the first sniffers with a GUI
Protocol Analyzers:• Graphical Interfaces; Etherpeek, Iris, SniffITPro, Netasyst, Ethereal• In addition to what a sniffer can do, Protocol analyzers can;
provide detailed and formatted protocol information– provide detailed and formatted protocol information– Able to generates reports and in many cases has some intelligence– Assist in troubleshooting network problems
• Both software and hardware based
non-switch networks: sniffit and all of the abovenon-switch networks: sniffit and all of the aboveswitched networks: ettercap
• The other sniffer/protocol analyzers can sniff a network providing they are connected to what is called a mirrored port.
Network Security 1-147
A Detailed view: Analyzing the ToolsAnalyzing the Tools
and the traffic they generatePart 1Part 1
Network Security 1-148
Active OS Fingerprinting Tools:NMAP “J k f ll t d ”NMAP “Jack of all trades”
IP SIP Scannernmap -sS –P0 <ip range>
• Action: send syn, recv syn-ack, send rst nmap –sT –P0 <ip range>
A ti k d k k d t• Action: syn, recv syn-ack, send syn-ack-ack, send rstPort Scanner
nmap -sT –P0 –p<port range> <target>• Action: send syn, recv syn-ack, send syn-ack-ack, send rst
S i SService Scannernmap <target>
OS fingerprintingg p gnmap –O –P0 <target>
Scan Analysis ☺
Network Security 1-149
ResourcesResources
Web SitesWeb Siteshttp://www.isecure.orghttp://www.sys-security.comhttp://securify.packetstorm.orghttp //s cur fy.pac tstorm.orghttp://www.protocols.comhttp://www.sans.orghttp://www.networksorcery.com/enp/default0601.htm
Booksk hNetwork Intrusion Detection, Northcutt
TCP/IP Illustrated vol1, Stevens
Network Security 1-150
Internet security threatsyMapping: countermeasures
record traffic entering networkrecord traffic entering networklook for suspicious activity (IP addresses, ports being scanned sequentially)g q y)
Network Security 1-151
Internet security threatsyPacket sniffing:
broadcast mediabroadcast mediapromiscuous NIC reads all packets passing bycan read all unencrypted data (e.g. passwords)can read all unencrypted data (e.g. passwords)e.g.: C sniffs B’s packets
A C
Bsrc:B dest:A payload
Network Security 1-152
Countermeasures?
Internet security threatsyPacket sniffing: countermeasures
all hosts in orgnization run software that all hosts in orgnization run software that checks periodically if host interface in promiscuous mode.one host per segment of broadcast media (switched Ethernet at hub)
A C
Bsrc:B dest:A payload
Network Security 1-153
Internet security threatsyIP Spoofing:
can generate “raw” IP packets directly from can generate raw IP packets directly from application, putting any value into IP source address fieldreceiver can’t tell if source is spoofede.g.: C pretends to be B
A C
Bsrc:B dest:A payload
Network Security 1-154
BCountermeasures?
Internet security threatsyIP Spoofing: ingress filtering
routers should not forward outgoing packets u u f w u g g pwith invalid source addresses (e.g., datagram source address not in router’s network) great but egress filtering can not be mandated great, but egress filtering can not be mandated for all networks
A C
Bsrc:B dest:A payload
Network Security 1-155
B
Internet security threatsyDenial of service (DOS):
flood of maliciously generated packets “swamp” flood of maliciously generated packets swamp receiverDistributed DOS (DDOS): multiple coordinated ( ) psources swamp receivere.g., C and remote host SYN-attack A
A C
SYNSYN
BSYNSYNSYN
SYN
Network Security 1-156SYNSYNCountermeasures?
Internet security threatsyDenial of service (DOS): countermeasures
filter out flooded packets (e.g., SYN) before reaching p g ghost: throw out good with badtraceback to source of floods (most likely an innocent, compromised machine)
A C
SYNSYN
BSYNSYNSYN
SYN
Network Security 1-157SYNSYN
OutlineOutl neWhat is network security?P i i l f t hPrinciples of cryptographyAuthenticationIntegrityK Di ib i d ifi iKey Distribution and certificationAccess control: firewallsAttacks and counter measuresSecurity in many layers
Secure emailSecure socketsSecure socketsIPsec802.11 WEP
Network Security 1-158
Secure e-mail using public keym g p yAlice wants to send confidential e-mail, m, to Bob.
K
KS( ). KS(m )m
KS
KS( ). mKS(m )
K ( ).+
+ - KSInternet
KB( ).-K KB( ).KB(KS )+
KB+
KB( ).KB-
KS KB(KS )+
Alice:generates random symmetric private key, KS.encrypts message with KS (for efficiency)l h B b’ bl k
Network Security 1-159
also encrypts KS with Bob’s public key.sends both KS(m) and KB(KS) to Bob.
Secure e-mail (continued)m ( )• Alice wants to provide sender authentication message integritymessage integrity.
KA- KA
+
H( ). KA( ).-
+
H(m )KA(H(m))-m KA( ).+KA(H(m))-
compare+ -Internet
m mH( ). H(m )
compare
• Alice digitally signs message.• sends both message (in the clear) and digital signature.
Network Security 1-160
sends both message (in the clear) and digital signature.
Secure e-mail (continued)( )
• Alice wants to provide secrecy, sender authentication, message integritymessage integrity.
H( ). KA( ).- KA(H(m))-m
KA-
KSH( ) KA( )
+
m
KS( ).S
m
KB( ).+
+
K (K )+
Internet
KS
Alice uses three keys: her private key, Bob’s public
KB(KS )KB+
Network Security 1-161
y p y, pkey, newly created symmetric key
Pretty good privacy (PGP)y g p y ( )
Internet e-mail encryption A PGP signed message:ypscheme, de-facto standard.uses symmetric key cryptography, public key
---BEGIN PGP SIGNED MESSAGE---Hash: SHA1
g g
cryptography, hash function, and digital signature as described.
Bob:My husband is out of town tonight.Passionately yours, Alice
provides secrecy, sender authentication, integrity.inventor, Phil Zimmerman,
---BEGIN PGP SIGNATURE---Version: PGP 5.0Charset: noconvyhHJRHhGJGhgg/12EpJ+lo8gE4vB3mqJ
was target of 3-year federal investigation.
hFEvZP9t6n7G6m5Gw2---END PGP SIGNATURE---
Network Security 1-162
Secure sockets layer (SSL)y ( L)
transport layer server authentication:transport layer security to any TCP-based app using SSL s i s
SSL-enabled browser includes public keys for trusted CAs.B services.
used between Web browsers, servers for
Browser requests server certificate, issued by trusted CA.Browser uses CA’s browsers, servers for
e-commerce (shttp).security services:
Browser uses CA s public key to extract server’s public key from certificate.
server authenticationdata encryption client authentication
check your browser’s security menu to see its trusted CAs.
Network Security 1-163
(optional)its trusted CAs.
SSL (continued)Encrypted SSL session:
Browser generates SSL: basis of IETF Transport Layer g
symmetric session key, encrypts it with server’s public key sends
Security (TLS).SSL can be used for non Web applications public key, sends
encrypted key to server.Using private key, server
non-Web applications, e.g., IMAP.Client authentication g p y
decrypts session key.Browser, server know session key
can be done with client certificates.
session keyAll data sent into TCP socket (by client or server) encrypted with session key
Network Security 1-164
encrypted with session key.
What is IPSec (Microsoft Technet)?( )
“Internet Protocol security (IPSec) is a framework of open standards for helping to ensure private, secure communications over Internet Protocol (IP) networks through the use of ( ) gcryptographic security services. IPSec supports network-level data integrity, data confidentiality, data origin authentication, and replay protection Because IPSec is integrated at the Internetand replay protection. Because IPSec is integrated at the Internet layer (layer 3), it provides security for almost all protocols in the TCP/IP suite, and because IPSec is applied transparently to applications, there is no need to configure separate security for each application that uses TCP/IP. “
Network Security 1-165
IPsec: Network Layer SecurityL y yNetwork-layer secrecy:
sending host encrypts the For both AH and ESP, source, sending host encrypts the data in IP datagramTCP and UDP segments; ICMP and SNMP
destination handshake:create network-layer logical channel called a ICMP and SNMP
messages.Network-layer authentication
destination host can
security association (SA)Each SA unidirectional.Uniquely determined by:destination host can
authenticate source IP address
Two principle protocols:
q y ysecurity protocol (AH or ESP)source IP addressTwo principle protocols:
authentication header (AH) protocol
l i i
source IP address32-bit connection ID
Network Security 1-166
encapsulation security payload (ESP) protocol
Authentication Header (AH) Protocol
provides source authentication, data
AH header includes:connection identifier
integrity, no confidentialityAH header inserted
connection identifierauthentication data: source- signed message di t l l t d AH header inserted
between IP header, data field.
digest calculated over original IP datagram.next header field:
protocol field: 51intermediate routers process datagrams as
next header field specifies type of data (e.g., TCP, UDP, ICMP)
process datagrams as usual
IP h d d t ( TCP UDP s m nt)AH h d
Network Security 1-167
IP header data (e.g., TCP, UDP segment)AH header
ESP ProtocolE
provides secrecy, host ESP authentication authentication, data integrity.data ESP trailer
field is similar to AH authentication field.P t l 50 data, ESP trailer
encrypted.next header field is in ESP
Protocol = 50.
trailer.
encryptedauthenticated
IP header TCP/UDP segmentESPheader
ESPtrailer
ESPauthent.
encrypted
Network Security 1-168
IEEE 802.11 securityEEE . y
War-driving: drive around Bay area, see what 802.11 g ynetworks available?
Thousands accessible from public roadways85% use no encryption/authentication85% use no encryption/authenticationpacket-sniffing and various attacks easy!
Wired Equivalent Privacy (WEP): authentication as in q yprotocol ap4.0
host requests authentication from access pointaccess point sends 128 bit nonceaccess point sends 128 bit noncehost encrypts nonce using shared symmetric keyaccess point decrypts nonce, authenticates host
Network Security 1-169
IEEE 802.11 securityEEE . y
Wired Equivalent Privacy (WEP): data encryptionq y ( ) ypHost/AP share 40 bit symmetric key (semi-permanent)Host appends 24-bit initialization vector (IV) to create 64-bit key64 bit key used to generate stream of keys ki
IV64 bit key used to generate stream of keys, kiki
IV used to encrypt ith byte, di, in frame:ci = di XOR ki
IVi i i
IV and encrypted bytes, ci sent in frame
Network Security 1-170
802.11 WEP encryption. WE yp
IV (per frame)
KS: 40-bit secret
symmetric
key sequence generator ( for given KS, IV)
symmetric k1
IV k2IV k3
IV … kNIV kN+1
IV… kN+1IV
d1 d2 d3 … dN
CRC1 … CRC4 plaintext
frame data plus CRC
802.11header IV
WEP-encrypted data plus CRC
c1 c2 c3 … cN
cN+1 … cN+4
plus CRC
Figure 7.8-new1: 802.11 WEP protocol Sender-side WEP encryption
Network Security 1-171
Breaking 802.11 WEP encryptiong yp
Security hole: 24-bit IV, one IV per frame, -> IV’s eventually reusedIV transmitted in plaintext -> IV reuse detectedAtt kAttack:
Trudy causes Alice to encrypt known plaintext d1 d2d3 d4 d3 d4 … Trudy sees: ci = di XOR ki
IV
Trudy knows ci di, so can compute kiIVrudy knows ci di, so can compute ki
Trudy knows encrypting key sequence k1IV k2
IV k3IV …
Next time IV is used, Trudy can decrypt!
Network Security 1-172
Network Security (summary)Network Secur ty (summary)Basic techniques…...
cryptography (symmetric and public)authentication
i t itmessage integritykey distribution
used in many different security scenarios…. used in many different security scenariossecure emailsecure transport (SSL)secure transport (SSL)IP sec802.11 WEP
Network Security 1-173