Chapter 31
Network Security
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
31-1 SECURITY SERVICES
Network security can provide five services. Four of these services are related to the message exchanged using the network. The fifth service provides entity authentication or identification.
Topics discussed in this section:
Message Confidentiality
Message Integrity
Message Authentication
Message Nonrepudiation
Entity Authentication
Figure 31.1 Security services related to the message or entity
31-2 MESSAGE CONFIDENTIALITY
The concept of how to achieve message confidentiality or privacy has not changed for thousands of years. The message must be encrypted at the sender site and decrypted at the receiver site. This can be done using either symmetric-key cryptography or asymmetric-key cryptography.
Topics discussed in this section:
Confidentiality with Symmetric-Key Cryptography
Confidentiality with Asymmetric-Key Cryptography
Figure 31.2 Message confidentiality using symmetric keys in two directions
Figure 31.3 Message confidentiality using asymmetric keys
31-3 MESSAGE INTEGRITY
Encryption and decryption provide secrecy, or confidentiality, but not integrity: an attacker who cannot read a ciphertext may still be able to alter it without the receiver noticing. On occasion we may not even need secrecy, but instead must have integrity.
Topics discussed in this section:
Document and Fingerprint
Message and Message Digest
Creating and Checking the Digest
Hash Function Criteria
Hash Algorithms: SHA-1
Note: To preserve the integrity of a document, both the document and the fingerprint are needed.
Figure 31.4 Message and message digest
Note: The message digest must be kept safe from modification while it is stored or transmitted; in Figure 31.5 it travels over a separate, trusted channel. Secrecy of the digest is not what protects it, since anyone can recompute a hash. An attacker who can replace both the message and its digest defeats the check.
Figure 31.5 Checking integrity
Figure 31.6 Criteria of a hash function
Example 31.1
Can we use a conventional lossless compression method as a hashing function?
Solution
We cannot. A lossless compression method creates a compressed message that is reversible. You can uncompress the compressed message to get the original one, so the first criterion (one-wayness) already fails.
Example 31.2
Can we use a checksum method as a hashing function?
Solution
We cannot. A checksum function is not reversible; it meets the first criterion. However, it does not meet the other criteria: because its output is short and it is a simple sum, a second message with the same checksum (a weak collision) or a pair of colliding messages (a strong collision) is easy to construct.
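The following is an added example (not from the textbook) that makes Example 31.2 concrete against the criteria of Figure 31.6. The "checksum method" is taken to be the 16-bit Internet checksum (RFC 1071) and SHA-256 is the cryptographic hash it is compared with; the sample message is constructed for the demonstration.

```python
"""Why a checksum fails the hash-function criteria of Figure 31.6.
Added example: RFC 1071 Internet checksum versus SHA-256 on a constructed message."""
import hashlib


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                      # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checksum_preimage(target: int) -> bytes:
    """Criterion 1 (one-wayness) fails in practice: only 65,536 outputs exist, so a
    message with any chosen checksum is found by exhaustive search in milliseconds."""
    for word in range(0x10000):
        candidate = word.to_bytes(2, "big")
        if internet_checksum(candidate) == target:
            return candidate
    raise AssertionError("unreachable: every 16-bit value has a two-byte preimage")


def checksum_second_preimage(msg: bytes) -> bytes:
    """Criterion 2 (weak collision resistance) fails: moving 1 from one 16-bit word
    to another leaves the one's-complement sum, and hence the checksum, unchanged."""
    if len(msg) % 2:
        msg += b"\x00"
    words = [int.from_bytes(msg[i:i + 2], "big") for i in range(0, len(msg), 2)]
    if len(words) < 2:
        raise ValueError("need at least two 16-bit words")
    src = next(i for i, w in enumerate(words) if w > 0)
    dst = next(i for i, w in enumerate(words) if w < 0xFFFF and i != src)
    words[src] -= 1
    words[dst] += 1
    return b"".join(w.to_bytes(2, "big") for w in words)


def compare(msg: bytes) -> dict:
    """Forge a second preimage for the checksum and report which function noticed."""
    forged = checksum_second_preimage(msg)
    return {
        "forged": forged,
        "checksum_unchanged": internet_checksum(forged) == internet_checksum(msg),
        "sha256_unchanged": sha256_hex(forged) == sha256_hex(msg),
    }


if __name__ == "__main__":
    original = b"Pay Bob 100 dollars!"          # constructed sample message
    print(compare(original))
    print("two-byte preimage for checksum 0xBEEF:", checksum_preimage(0xBEEF))
```

The forged message differs from the original in two characters yet carries the same checksum, while its SHA-256 digest changes completely; the preimage search shows that a 16-bit output is too short to be one-way in any useful sense.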
Figure 31.7 Message digest creation
Note: SHA-1 processes a padded message as a sequence of 512-bit blocks and produces a 160-bit message digest (5 words of 32 bits). Practical SHA-1 collisions were demonstrated in 2017, so SHA-1 no longer meets the strong collision-resistance criterion of Figure 31.6; new designs should use SHA-256 or SHA-3.
Figure 31.8 Processing of one block in SHA-1
31-4 MESSAGE AUTHENTICATION
A hash function per se cannot provide authentication. The digest created by a hash function can detect any modification in the message, but it does not show who produced the message, because anyone can recompute the digest. A message authentication code (MAC) binds the digest to a secret key shared by the sender and the receiver.
Topics discussed in this section:
MAC
Figure 31.9 MAC, created by Alice and checked by Bob
Figure 31.10 HMAC
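The following is an added example (not from the textbook) that builds the HMAC construction of Figure 31.10 directly from SHA-256 and sets it beside the unkeyed digest of Figure 31.4, to show why only the keyed version authenticates. The message, the key and Eve's edit are constructed for the demonstration.

```python
"""HMAC (Figure 31.10 / RFC 2104) from SHA-256, versus an unkeyed digest.
Added example with constructed message and key."""
import hashlib
import hmac
import secrets

BLOCK_SIZE = 64          # SHA-256 compresses 64-byte blocks; HMAC pads the key to this


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC(K, M) = H((K xor opad) || H((K xor ipad) || M))."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()    # long keys are hashed down first
    key = key.ljust(BLOCK_SIZE, b"\x00")       # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()


# --- unkeyed digest: Figure 31.4 with the digest sent on the same channel ---
def send_with_digest(msg: bytes):
    return msg, hashlib.sha256(msg).digest()


def check_digest(msg: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hashlib.sha256(msg).digest(), digest)


# --- keyed MAC: Figure 31.9, Alice and Bob share `key`, Eve does not ---
def send_with_mac(key: bytes, msg: bytes):
    return msg, hmac_sha256(key, msg)


def check_mac(key: bytes, msg: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking the position of the first mismatching byte
    return hmac.compare_digest(hmac_sha256(key, msg), tag)


def eve_rewrites(msg: bytes, tag_or_digest: bytes, keyed: bool):
    """Eve changes the amount. Without a key in play she simply recomputes the
    digest; against a MAC the best she can do is forward the old tag."""
    forged = msg.replace(b"100", b"900")
    if not keyed:
        return forged, hashlib.sha256(forged).digest()
    return forged, tag_or_digest


def demo() -> dict:
    key = secrets.token_bytes(32)
    msg = b"Pay Bob 100 dollars"                     # constructed sample message
    m, d = send_with_digest(msg)
    m2, d2 = eve_rewrites(m, d, keyed=False)         # passes Bob's unkeyed check
    m3, t = send_with_mac(key, msg)
    m4, t2 = eve_rewrites(m3, t, keyed=True)         # rejected by Bob's MAC check
    return {
        "unkeyed_tamper_detected": not check_digest(m2, d2),
        "mac_tamper_detected": not check_mac(key, m4, t2),
        "mac_honest_accepted": check_mac(key, m3, t),
        "matches_stdlib": hmac_sha256(key, msg) == hmac.new(key, msg, hashlib.sha256).digest(),
    }


if __name__ == "__main__":
    print(demo())
```

The ipad/opad double hashing is what makes HMAC safe to use with a Merkle-Damgard hash such as SHA-256; the naive keyed digest H(K || M) is vulnerable to length-extension, which is why the construction in Figure 31.10 is the one used in practice.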
31-5 DIGITAL SIGNATURE
When Alice sends a message to Bob, Bob needs to check the authenticity of the sender; he needs to be sure that the message comes from Alice and not Eve. Bob can ask Alice to sign the message electronically. In other words, an electronic signature can prove the authenticity of Alice as the sender of the message. We refer to this type of signature as a digital signature.
Topics discussed in this section:
Comparison
Need for Keys
Process
Note: A digital signature needs a public-key system.
Figure 31.11 Signing the message itself in digital signature
Note: In a cryptosystem (encryption for confidentiality), we use the private and public keys of the receiver; in a digital signature, we use the private and public keys of the sender. The sender signs with her private key, and anyone holding her public key can verify.
Figure 31.12 Signing the digest in a digital signature
Note: A digital signature provides message integrity. Because the digest of the message is what is signed (Figure 31.12), any change to the message invalidates the signature.
Note: A digital signature provides message authentication. Only the holder of the sender's private key could have produced a signature that verifies under the sender's public key.
Figure 31.13 Using a trusted center for nonrepudiation
Note: Nonrepudiation can be provided using a trusted party. Alice's signature alone does not settle a later dispute if she claims her private key was compromised; a trusted center that verifies her signature, keeps a timestamped copy, and re-signs the message for Bob (Figure 31.13) provides evidence both parties accept.
31-6 ENTITY AUTHENTICATION
Entity authentication is a technique designed to let one party prove its identity to another party. An entity can be a person, a process, a client, or a server. The entity whose identity needs to be proved is called the claimant; the party that tries to verify the identity of the claimant is called the verifier.
Topics discussed in this section:
Passwords
Challenge-Response
Note: In challenge-response authentication, the claimant proves that she knows a secret without revealing it.
Note: The challenge is a time-varying value sent by the verifier; the response is the result of a function applied on the challenge and the secret. Because the challenge is fresh each time, a response recorded by an eavesdropper cannot be replayed.
Figure 31.14 Challenge/response authentication using a nonce
Figure 31.15 Challenge-response authentication using a timestamp
Figure 31.16 Challenge-response authentication using a keyed-hash function
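The following is an added example (not from the textbook) of the nonce-based exchange of Figure 31.14 with the keyed-hash response of Figure 31.16, plus the timestamp variant of Figure 31.15. Alice (claimant) and Bob (verifier) share a key; Eve sees every message on the wire. The names, the 60-second window and the messages are assumptions made for the demonstration.

```python
"""Challenge-response with a nonce (Fig. 31.14) or a timestamp (Fig. 31.15),
response = keyed hash (Fig. 31.16). Added example with constructed parties."""
import hashlib
import hmac
import secrets
import time


def keyed_hash(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class Verifier:
    """Bob: issues fresh challenges and accepts each one at most once."""

    def __init__(self, key: bytes, window_s: int = 60):
        self.key = key
        self.window_s = window_s
        self.outstanding = set()      # nonces sent, not yet answered
        self.seen_timestamps = set()  # replay cache for the timestamp variant

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)   # time-varying value: never reused
        self.outstanding.add(nonce)
        return nonce

    def check_nonce_response(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:    # unknown or already consumed
            return False
        self.outstanding.discard(nonce)      # one answer per challenge
        return hmac.compare_digest(keyed_hash(self.key, nonce), response)

    def check_timestamp_response(self, ts: int, response: bytes, now: int) -> bool:
        """Figure 31.15: the claimant picks the time-varying value, so the verifier
        must bound clock skew AND remember what it accepted inside the window."""
        if abs(now - ts) > self.window_s or ts in self.seen_timestamps:
            return False
        if not hmac.compare_digest(keyed_hash(self.key, ts.to_bytes(8, "big")), response):
            return False
        self.seen_timestamps.add(ts)
        return True


class Claimant:
    """Alice: proves knowledge of `key` without ever sending it."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, nonce: bytes) -> bytes:
        return keyed_hash(self.key, nonce)

    def respond_with_timestamp(self, now: int):
        return now, keyed_hash(self.key, now.to_bytes(8, "big"))


def run() -> dict:
    key = secrets.token_bytes(32)
    alice, bob = Claimant(key), Verifier(key)

    # honest run:  Bob -> Alice: nonce ;  Alice -> Bob: HMAC(key, nonce)
    nonce = bob.challenge()
    response = alice.respond(nonce)
    honest = bob.check_nonce_response(nonce, response)

    # Eve recorded (nonce, response) and replays it, then tries it on a new challenge
    replay_same_nonce = bob.check_nonce_response(nonce, response)
    new_nonce = bob.challenge()
    replay_new_nonce = bob.check_nonce_response(new_nonce, response)

    # Eve answers with a key of her own
    eve = Claimant(secrets.token_bytes(32))
    n3 = bob.challenge()
    wrong_key = bob.check_nonce_response(n3, eve.respond(n3))

    # timestamp variant: fresh accepted, replayed rejected, stale rejected
    now = int(time.time())
    ts, r = alice.respond_with_timestamp(now)
    ts_ok = bob.check_timestamp_response(ts, r, now)
    ts_replay = bob.check_timestamp_response(ts, r, now + 5)
    old_ts, old_r = alice.respond_with_timestamp(now - 600)
    ts_stale = bob.check_timestamp_response(old_ts, old_r, now)

    return {"honest": honest, "replay_same_nonce": replay_same_nonce,
            "replay_new_nonce": replay_new_nonce, "wrong_key": wrong_key,
            "ts_ok": ts_ok, "ts_replay": ts_replay, "ts_stale": ts_stale}


if __name__ == "__main__":
    print(run())
```

The nonce variant needs no clocks but needs the verifier to remember which challenges are open; the timestamp variant needs synchronized clocks and a replay cache for the acceptance window. In both, Eve learns only the challenge and the keyed hash, neither of which reveals the key.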
Figure 31.17 Authentication, asymmetric-key
Figure 31.18 Authentication, using digital signature
31-7 KEY MANAGEMENT
We have not yet discussed how secret keys in symmetric-key cryptography and public keys in asymmetric-key cryptography are distributed and maintained. In this section, we touch on these two issues. We first discuss the distribution of symmetric keys; we then discuss the distribution of asymmetric keys.
Topics discussed in this section:
Symmetric-Key Distribution
Public-Key Distribution
Figure 31.19 KDC
Note: A session symmetric key between two parties is used for one session only. A fresh key is obtained from the KDC for each new session, so compromise of one session key does not expose earlier or later traffic.
Figure 31.20 Creating a session key between Alice and Bob using KDC
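The following is an added example (not from the textbook) of the session-key exchange in the figure above. The KDC shares a long-term key with each principal (K_A with Alice, K_B with Bob) and creates a fresh session key K_AB for each request. Real deployments use an authenticated cipher such as AES-GCM; here `seal`/`unseal` stand in with an HMAC-SHA256 counter-mode keystream plus an encrypt-then-MAC tag so the example needs only the Python standard library. The names and the message layout are assumptions made for the demonstration.

```python
"""KDC session-key exchange (Figure 31.20). Added example; the symmetric cipher
is a stand-in built from HMAC-SHA256, not a production cipher."""
import hashlib
import hmac
import json
import secrets


def _subkeys(key: bytes):
    """Separate keys for the keystream and the tag, derived from one long-term key."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    k_enc, k_mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    k_enc, k_mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(k_mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: wrong key or modified ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))


class KDC:
    def __init__(self):
        self.long_term = {}                      # principal -> key shared with the KDC

    def enroll(self, name: str) -> bytes:
        self.long_term[name] = secrets.token_bytes(32)
        return self.long_term[name]

    def request(self, requester: str, peer: str, nonce: bytes) -> bytes:
        """Step 1 arrives in clear: (Alice, Bob, nonce). Step 2 is one message only
        Alice can open; inside it is a ticket only Bob can open."""
        k_ab = secrets.token_bytes(32)           # fresh session key for this session
        ticket = seal(self.long_term[peer],
                      json.dumps({"from": requester, "to": peer, "key": k_ab.hex()}).encode())
        reply = {"to": peer, "nonce": nonce.hex(), "key": k_ab.hex(), "ticket": ticket.hex()}
        return seal(self.long_term[requester], json.dumps(reply).encode())


def alice_side(kdc: KDC, k_a: bytes, peer: str = "Bob"):
    nonce = secrets.token_bytes(16)
    reply = json.loads(unseal(k_a, kdc.request("Alice", peer, nonce)))
    # the nonce ties the reply to this request; the name catches a swapped reply
    if bytes.fromhex(reply["nonce"]) != nonce or reply["to"] != peer:
        raise ValueError("reply does not match the request")
    return bytes.fromhex(reply["key"]), bytes.fromhex(reply["ticket"])   # step 3: send ticket


def bob_side(k_b: bytes, ticket: bytes):
    # only the KDC knows K_B, so a ticket that opens under K_B came from the KDC
    t = json.loads(unseal(k_b, ticket))
    return t["from"], bytes.fromhex(t["key"])


def run() -> dict:
    kdc = KDC()
    k_a, k_b = kdc.enroll("Alice"), kdc.enroll("Bob")
    k_ab_alice, ticket = alice_side(kdc, k_a)
    who, k_ab_bob = bob_side(k_b, ticket)
    eve_can_read = True
    try:
        unseal(secrets.token_bytes(32), ticket)   # Eve has neither K_A nor K_B
    except ValueError:
        eve_can_read = False
    return {"same_key": k_ab_alice == k_ab_bob, "bob_sees": who, "eve_can_read": eve_can_read}


if __name__ == "__main__":
    print(run())
```

Alice never sees K_B and Bob never sees K_A; the KDC is the only party holding both, which is exactly why it must be trusted and well protected. Kerberos (Figures 31.21 and 31.22) refines this exchange by splitting the KDC into an authentication server and a ticket-granting server and by adding timestamps to the tickets.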
Figure 31.21 Kerberos servers
Figure 31.22 Kerberos example
Note: In public-key cryptography, everyone has access to everyone's public key; public keys are available to the public. The problem is therefore not secrecy but authenticity: a public key must be bound to its owner, otherwise Eve can substitute her own key for Bob's. Figures 31.23 to 31.27 show the progression from simply announcing a key to having a trusted center or certification authority vouch for it.
Figure 31.23 Announcing a public key
Figure 31.24 Trusted center
Figure 31.25 Controlled trusted center
Figure 31.26 Certification authority
Figure 31.27 PKI hierarchy