Network Security


8/3/2019 Network Security
1/31

Network security is very important as the volume of data on the Internet is fast increasing. The four aspects are:

1. Privacy: The sender & receiver expect confidentiality. The transmitted message should make sense to the INTENDED recipient ONLY. To others, the message should be illegible.

2. Authentication: The receiver is sure of the sender's identity. He knows an imposter has not sent the message.

3. Integrity: The data must arrive exactly as it was sent. The message must not change because of accidental or malicious transmission. As more & more monetary transactions take place over the Internet, it is of prime importance.


4. Non-repudiation: The receiver must be able to prove that a message has come from a specific sender. A sender should not be able to deny later a message that he has really sent. The burden of proof falls on the receiver. For example: if a customer sends a message to a bank for the transfer of money from one account to another, the bank must have proof that the customer actually requested the transaction.

To carry sensitive information (military/financial), a system MUST assure PRIVACY. How to prevent unauthorized access is a major question. A practical way is to alter the data so that only the intended recipient understands it; others don't. Encryption means the sender transforms the original information to some other form & sends the resulting unintelligible message out over the network. Decryption reverses the encryption process to transform the changed information back to the original.


There are two methods of encryption & decryption:

1. Conventional or secret/private key method.
2. Public key method.

Conventional Method.

The encryption key & decryption key are the same & secret. Two types:

A) Character level encryption (CLE): Encryption is done at the character level. It is of two types, substitutional & transpositional.

Substitutional: The simplest form of CLE. (i) Mono-alphabetic (ii) Poly-alphabetic

Fig: Conventional method. The sender runs the plaintext through the encryption algorithm, the result crosses the network, & the receiver runs the decryption algorithm.


(i) Mono-alphabetic substitution, also called the Caesar cipher: each character is replaced by another single character of the set. It simply adds a number to the ASCII code of the character; the decryption algorithm simply deducts that number from the ASCII code. Ke & Kd are the same & define the added/subtracted value. If Ke = 3, each character will be replaced by the character that is 3 ahead: D is replaced by G, E by H & so on. If the substituted character is beyond the last character in the set, it is wrapped around.

Mono-alphabetic substitution is very simple but can be broken by snoopers very easily. This is because each character used in a language has certain natural frequencies which can be detected by intruders, & so they can crack the code. In English, the letters E, T, O & A are the most frequently used.

(ii) Poly-alphabetic substitution: Each occurrence of a character can have different substitutes. One of the techniques is to find the position of the character in the text & use that value as the key. With this technique it is a bit more difficult to break the code, but the ciphertext is still not very secure.


B) Transpositional: A more secure method. The characters retain their plaintext form but change their positions to create the ciphertext; the characters are transposed/reordered. If the key = 4, the complete message can be divided into groups of 4 characters. Msg: This is a lovely day (plaintext). Written in rows of 4 ('-' stands for a space) & read out column by column:

key:  1 2 3 4
      t h i s
      - i s -
      a - l o
      v e l y
      - d a y

Ciphertext: t-av-hi-edisllas-oyy
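An added example (not code from the lecture notes) of the two character-level ciphers above in Python: the Caesar shift with wrap-around, a letter-frequency count that shows why it is weak, and the key = 4 transposition that reproduces the ciphertext in the table. The column-wise read-out and the '-' for a space are taken from the table; the inverse functions are my own additions.

```python
"""Added example, not from the lecture notes: the two character-level ciphers of
the slides above in plain Python. caesar() adds the key to each letter's position,
wrapping around the end of the alphabet as the notes describe; transpose() reproduces
the key = 4 columnar transposition of "this is a lovely day"."""
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def caesar(text: str, key: int, decrypt: bool = False) -> str:
    """Mono-alphabetic substitution: shift every letter by `key` places.
    Ke and Kd are the same number; decryption subtracts instead of adding.
    Characters outside the alphabet (spaces, punctuation) are left unchanged."""
    shift = -key if decrypt else key
    out = []
    for ch in text:
        low = ch.lower()
        if low in ALPHABET:
            sub = ALPHABET[(ALPHABET.index(low) + shift) % len(ALPHABET)]  # wrap around
            out.append(sub.upper() if ch.isupper() else sub)
        else:
            out.append(ch)
    return "".join(out)

def letters_by_frequency(text: str) -> list:
    """Why the Caesar cipher is weak: every letter keeps its natural frequency,
    so the most common ciphertext letters point straight at the shift."""
    counts = Counter(c for c in text.lower() if c in ALPHABET)
    return [letter for letter, _ in counts.most_common()]

def transpose(plaintext: str, key: int, pad: str = "-") -> str:
    """Transposition: write the text in rows of `key` characters (spaces shown as
    `pad`, as in the notes' table) and read it out column by column."""
    text = plaintext.replace(" ", pad)
    rows = [text[i:i + key] for i in range(0, len(text), key)]
    return "".join(row[col] for col in range(key) for row in rows if col < len(row))

def untranspose(ciphertext: str, key: int, pad: str = "-") -> str:
    """Inverse transposition: cut the ciphertext back into columns (the first
    len(text) % key columns are one character longer), then read the rows."""
    full, extra = divmod(len(ciphertext), key)
    cols, pos = [], 0
    for col in range(key):
        length = full + (1 if col < extra else 0)
        cols.append(ciphertext[pos:pos + length])
        pos += length
    rows = range(full + (1 if extra else 0))
    text = "".join(c[r] for r in rows for c in cols if r < len(c))
    return text.replace(pad, " ")
```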

Bit Level Encryption (BLE). In this technique, data (text, graphics, audio/video) are first divided into blocks of bits, then altered by encoding/decoding, permutation, substitution, XOR, rotation & so on.

1. Encoding/decoding: A decoder changes an input of n bits to 2^n bits.


The output should have only a single 1, located at the position determined by the input. An encoder has 2^n inputs & n outputs & performs the reverse mapping: the single 1 on its input determines the n-bit output. The tables below show a 2-bit decoder/encoder.

2x4 decoder:
Input  Output
00     0001
01     0010
10     0100
11     1000

4x2 encoder:
Input  Output
0001   00
0010   01
0100   10
1000   11


Permutation: Transposition at the bit level. In a straight permutation, the number of bits at input & output is preserved; in a compressed permutation, the number of bits at the output is reduced by dropping some bits; & in an expanded permutation, some bits are added at the output. A permutation circuit can be made easily as a hardware circuit with internal wiring. These are called P-boxes.


Fig: P-boxes. Examples of a straight permutation (4 bits in, 4 bits out), a compressed permutation (4 bits in, 2 bits out) & an expanded permutation (4 bits in, 5 bits out).


Substitution: Substitution of n bits by another n bits can be achieved using a combination of P-boxes, encoders & decoders. The figure below shows a 2-bit S-box that replaces every 00 by 01, 01 by 00, 10 by 11 & 11 by 10. The decoder changes the 2 bits to 4 bits, the P-box changes the position of the 1, & the encoder then changes the 4 bits back to a 2-bit pattern.

Fig: S-Box. 2x4 decoder, then P-box, then 4x2 encoder.


Product: P-boxes & S-boxes can be combined; the combination is called a product.

Exclusive OR: The result of XOR on 2 bits is 0 if the 2 bits are the same, otherwise it is 1. The input & the key are XOR-ed to create the output. This operation is reciprocal, as the same key can be used with the ciphertext at the receiver to recreate the original plaintext.

Sender:    01100111   8-bit plaintext
           11011001   key
           --------
           10111110   8-bit ciphertext

Receiver:  10111110   8-bit ciphertext
           11011001   key
           --------
           01100111   8-bit plaintext

Rotation: Another way to encrypt a bit pattern is to rotate the bits to the right or left. The key is the number of bits to be rotated.

Plaintext:   01100011   before rotation (key = 3)
             10110001   after one rotation
             11011000   after two rotations
Ciphertext:  01101100   after three rotations
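An added example (not part of the notes) that implements the bit-level building blocks of this section on the notes' own values: decoder, encoder, P-box (straight, compressed and expanded), the 2-bit S-box, XOR and rotation. The P-box wiring used inside the S-box is my own choice; it yields exactly the mapping the notes give.

```python
"""Added example, not from the lecture notes: the bit-level building blocks of
the BLE slides on small bit patterns. Bits are handled as strings of '0'/'1' so
the values match the tables in the notes; the P-box wiring for the 2-bit S-box
is my own choice that yields the notes' mapping (00->01, 01->00, 10->11, 11->10)."""

def decode(bits: str) -> str:
    """n-to-2^n decoder: exactly one output line is 1, at the position
    selected by the input value (position 0 is the rightmost bit)."""
    n = len(bits)
    width = 2 ** n
    one_hot = ["0"] * width
    one_hot[width - 1 - int(bits, 2)] = "1"
    return "".join(one_hot)

def encode(one_hot: str) -> str:
    """2^n-to-n encoder: reverse of decode; the input must carry a single 1."""
    if one_hot.count("1") != 1:
        raise ValueError("encoder input must have exactly one 1")
    n = len(one_hot).bit_length() - 1
    position = len(one_hot) - 1 - one_hot.index("1")
    return format(position, f"0{n}b")

def pbox(bits: str, wiring: list) -> str:
    """Permutation: output bit i is taken from input position wiring[i].
    len(wiring) == len(bits) is a straight permutation; fewer outputs is a
    compressed permutation, more (with repeated positions) an expanded one."""
    return "".join(bits[i] for i in wiring)

# Straight 4-bit P-box: swap the decoder lines pairwise. decode("00") = "0001"
# becomes "0010" = decode("01"), and likewise for the other three inputs.
SBOX_WIRING = [1, 0, 3, 2]

def sbox(bits: str) -> str:
    """2-bit S-box built, as in the notes, from decoder -> P-box -> encoder."""
    return encode(pbox(decode(bits), SBOX_WIRING))

def xor(a: str, b: str) -> str:
    """Bitwise XOR of two equal-length patterns; applying the key a second
    time restores the plaintext, which is why the operation is reciprocal."""
    return "".join("0" if x == y else "1" for x, y in zip(a, b))

def rotate_right(bits: str, key: int) -> str:
    """Rotate the pattern `key` places to the right (bits wrap around)."""
    key %= len(bits)
    return bits[-key:] + bits[:-key] if key else bits
```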


DES (Data Encryption Standard)

1. It is an example of BIT LEVEL encryption (private key algorithm).
2. It was designed by IBM.
3. The algorithm encrypts a 64-bit plaintext using a 56-bit key.
4. The text is put through 19 different & complex procedures to create the 64-bit ciphertext.
5. It is a BLOCK CIPHER, i.e. it works on fixed-size blocks of data.


Fig: DES schematic. The 64-bit plaintext passes through a transposition (step 1), sixteen complex steps (steps 2 to 17) each using one of the sub-keys K1 to K16 from the sub-key generator (each sub-key 48 bits, derived from the 56-bit key), a swapping step (18) & a final transposition (19) to give the ciphertext.


Fig: Sub-key generation in DES. The 56-bit key is divided into two 28-bit halves; each half is rotated; the halves are combined into 56 bits & a compressed permutation produces the 48-bit sub-key.


The schematic diagram shows that:

1. Steps 1 & 19 are relatively simple.
2. Steps 2 through 17 are complex, each requiring sub-steps that are combinations of transposition, substitution, swapping, XOR & rotation.
3. Steps 2 through 17 are the same, BUT EACH STEP USES A DIFFERENT KEY (a 48-bit sub-key derived from the original key).
4. Additional complexity is achieved by having each step use the output of the previous step as its input.


Fig: One of the 16 steps in DES. The 64-bit data from the previous step is divided into two 32-bit halves. The right half goes through an expansion permutation (32 to 48 bits), is XOR-ed with the 48-bit sub-key Kn, goes through a compressed permutation (48 to 32 bits) & then a permutation (32 bits), & is XOR-ed with the left 32-bit half. The two 32-bit halves are combined into the 64-bit output for the next step.
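An added, scaled-down illustration of the step structure in the schematic; it is not DES and not code from the notes. The tables and the sub-key schedule are toy values of my own; what it shows is that the same step repeated with a different sub-key, each taking the previous output, decrypts by running the identical steps with the sub-keys in reverse order.

```python
"""Added example, not from the lecture notes and not DES itself: a scaled-down
cipher with the round structure of the DES slides. Each step takes the previous
step's output, splits it into halves, runs the right half through expansion
permutation -> XOR with the step's sub-key -> compressed permutation ->
permutation, XORs the result into the left half, and swaps. The tables and the
sub-key schedule are my own toy choices; real DES uses 32-bit halves, 48-bit
sub-keys and 16 steps."""

HALF = 8                                        # bits per half (DES: 32)
EXPAND = [7, 0, 1, 2, 3, 4, 5, 6, 7, 0, 1, 2]   # 8 -> 12 bits (DES: 32 -> 48)
COMPRESS = [1, 2, 4, 5, 7, 8, 10, 11]          # 12 -> 8 bits
PERMUTE = [3, 0, 5, 1, 7, 2, 6, 4]             # straight 8-bit permutation

def permute(bits: str, table: list) -> str:
    return "".join(bits[i] for i in table)

def xor(a: str, b: str) -> str:
    return "".join("0" if x == y else "1" for x, y in zip(a, b))

def sub_keys(key: str, rounds: int) -> list:
    """Toy schedule: each step's 12-bit sub-key is a different rotation of the
    key (at least 12 bits). DES instead splits, rotates and compress-permutes."""
    return [(key[i:] + key[:i])[:12] for i in range(rounds)]

def step(left: str, right: str, k: str) -> tuple:
    """One complex step: f(right, k) XORed into left, then the halves swap."""
    f = permute(permute(xor(permute(right, EXPAND), k), COMPRESS), PERMUTE)
    return right, xor(left, f)

def feistel(block: str, key: str, rounds: int = 4, decrypt: bool = False) -> str:
    """The complex steps of the notes' schematic on a 16-bit block, with the
    swap of the last step undone at the end. Decryption is the same procedure
    with the sub-keys used in reverse order (same algorithm, modified keys)."""
    ks = sub_keys(key, rounds)
    if decrypt:
        ks.reverse()
    left, right = block[:HALF], block[HALF:]
    for k in ks:
        left, right = step(left, right, k)
    return right + left
```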


IDEA (International Data Encryption Algorithm)

1. It is a BLOCK CIPHER method similar to DES.
2. It operates on 64-bit blocks of plaintext. It needs a 128-bit key & sophisticated processing during each phase of the encryption operation.
3. Each 64-bit block of plaintext passes through a series of eight iterations followed by a final transposition.
4. At each of the eight iterations, each of the 64 output bits is a function of all 64 input bits.
5. The 128-bit key is first used to generate 52 sub-keys of 16 bits each.
6. Six sub-keys are used at each iteration & the remaining 4 sub-keys are used in the final transposition stage.
7. Decryption uses the same algorithm but with a modified set of keys.
8. Each 64-bit block is first divided into 4 numbers (16-bit words each) & then goes through a series of multiplication, addition & XOR operations. (All lines in the figure are 16 bits, & all multiplication operations involve first computing the 32-bit product of the two 16-bit inputs & then dividing by (2^16 + 1); the output is the 16-bit remainder. In the case of addition, the two 16-bit inputs are added together & any carry generated is ignored.)

Fig: Encryption schematic of IDEA. The key generator expands the 128-bit key into 52 sub-keys of 16 bits each; iteration 1 uses K1-K6, iteration 2 uses K7-K12, ..., iteration 8 uses K43-K48, & the final transformation uses K49-K52. The input is the 64-bit plaintext.
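An added example (not from the notes) of the two IDEA operations described in item 8 and of the modified keys mentioned in item 7. The convention that a 16-bit 0 stands for 2^16 in the multiplication is IDEA's own; the full round is not implemented here, only its arithmetic.

```python
"""Added example, not from the lecture notes: the two IDEA operations that
item 8 describes in words, plus the key modification that lets decryption
reuse the encryption algorithm (item 7). Convention, as in IDEA itself: for
the multiplication mod 2^16+1 a 16-bit 0 stands for the value 2^16, so every
word has an inverse. This is only the arithmetic, not the full IDEA round."""

MOD_MUL = (1 << 16) + 1   # 65537, prime, so every nonzero residue has an inverse
MOD_ADD = 1 << 16         # 65536: addition that ignores the carry out of bit 16

def idea_mul(a: int, b: int) -> int:
    """32-bit product of the two 16-bit inputs, reduced mod 2^16+1.
    0 is treated as 2^16 on input, and 2^16 as 0 on output."""
    x = a if a else MOD_ADD
    y = b if b else MOD_ADD
    r = (x * y) % MOD_MUL
    return 0 if r == MOD_ADD else r

def idea_add(a: int, b: int) -> int:
    """16-bit addition, carry ignored."""
    return (a + b) % MOD_ADD

def mul_inverse(k: int) -> int:
    """Decryption sub-key for a multiplication sub-key k: idea_mul(k, inv) == 1.
    2^16+1 is prime, so k^(2^16-1) is the inverse (Fermat's little theorem);
    the same 0 <-> 2^16 convention applies."""
    x = k if k else MOD_ADD
    inv = pow(x, MOD_MUL - 2, MOD_MUL)
    return 0 if inv == MOD_ADD else inv

def add_inverse(k: int) -> int:
    """Decryption sub-key for an addition sub-key k: idea_add(k, inv) == 0."""
    return (-k) % MOD_ADD

def round_ops(x1: int, x2: int, k1: int, k2: int) -> tuple:
    """First two operations of an IDEA iteration (x1 * k1, x2 + k2) and the
    matching decryption with the modified keys; returns both results."""
    y1, y2 = idea_mul(x1, k1), idea_add(x2, k2)
    back = (idea_mul(y1, mul_inverse(k1)), idea_add(y2, add_inverse(k2)))
    return (y1, y2), back
```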


Public key methods

In conventional methods, the decryption algorithm is always the inverse of the encryption algorithm & uses the same key. So it is also called a symmetric encryption algorithm. Anyone who knows the encryption algorithm & key can deduce the decryption algorithm. Security can be assured only if the entire process is kept secret. It has the advantages of
(1) being very efficient,
(2) taking less time to encrypt a message, & hence it is used to encrypt long messages.
It has two major disadvantages:
(1) Each pair of users must have a secret key. So N people in the world need N(N-1)/2 secret keys, which is a very huge number to create & maintain.
(2) The distribution of the keys is very difficult.

SECRET KEY ALGOS ARE USEFUL IF USED ONCE.


The solution to the problem is public key encryption. Every user has the same encryption key & algorithm. The decryption key is kept secret. The decryption key is not the inverse of the encryption key. The encryption & decryption algorithms use different functions, & knowing one does not enable the user to know the other. In addition, the keys are different. The public key, i.e. the encryption algorithm & key, is publicly announced. The decryption algorithm & key are kept secret & used only by the bank.

Advantages:

1. It removes the restriction of a shared key between TWO entities. A key shared by two parties cannot be shared with a third party if one of them wants to communicate with another party. With public key this is possible: each entity can independently create a pair of keys, keep the private key & distribute the public key.
2. The number of keys is reduced drastically. For N users, 2N keys are needed, & not N(N-1) as in secret key.


Disadvantage: Very complex algorithm. For the method to be effective, large numbers are needed. Calculating the ciphertext from the plaintext using long keys takes a long time.

PUBLIC KEY ALGOS ARE USEFUL IF USED ONCE.

Fig: Public key encryption. Customer 1, customer 2, ..., customer n each hold the bank's public key; the bank holds the private key.


RSA Encryption. It is public key encryption.

Rivest, Shamir & Adleman created this method. One party, say the bank customer, uses the public key Kp. The other party uses the secret key Ks. Both use a number N.

The encryption algorithm uses the following steps:
1. Encode the data to be encrypted as a number to create the plaintext P.
2. Calculate the ciphertext C as C = P^Kp modulo N (modulo means divide P^Kp by N & keep only the remainder).
3. Send C as the ciphertext.

The decryption algorithm follows these steps:
1. Receive C, the ciphertext.
2. Calculate the plaintext P = C^Ks modulo N.
3. Decode P to the original data.


Example with Kp = 5, Ks = 77 & N = 119. The whole idea behind RSA is the way in which Kp, Ks & N are chosen using number theory.

1. Choose 2 prime numbers p & q. (We choose 7 & 17.)
2. Calculate N = p x q (N = 7 x 17 = 119).
3. Select Kp such that it is not a factor of (p-1) x (q-1) = 96. The factors of 96 are 2, 2, 2, 2, 2, 3. We choose 5, not a factor of 96.
4. Select Ks such that (Kp x Ks) modulo (p-1) x (q-1) = 1. We choose 77. If checked, 5 x 77 = 385 & 385 = 4 x 96 + 1.

Fig: RSA encryption & decryption. Customer: plaintext P, encryption C = P^Kp modulo N using Kp & N; the ciphertext C goes to the bank; bank: decryption P = C^Ks modulo N using Ks & N, giving back the plaintext P.


Security of RSA: The pair of numbers Kp & N is publicly announced. The bank keeps Ks as the secret key. If the bank can calculate Ks, why not a snooper? The answer lies in the complexity of the process. The bank starts with the two prime numbers p & q to calculate N, Kp & Ks. The snooper does not know p or q. He would have to use N first to calculate p & q & then GUESS Ks. If p & q are chosen to be a few hundred digits long, it is extremely difficult to factorize N into its prime factors.

Reciprocity of RSA: The RSA algorithm is reciprocal. The bank can use the same secret key Ks to send a reply to the customer, & the customer can decrypt the message using his own private key.

Authentication

It means verifying the identity of the sender, i.e. that the message is coming from an authentic sender & not an imposter. Among several methods, we shall discuss the digital signature method, based on encryption/decryption.


The concept is the same as signing physical documents in a business transaction, for example signing documents in a bank. The bank gives a form to be signed by the customer & keeps the signed form on record when the customer needs to withdraw a large amount of money from the bank. If the customer later denies the withdrawal of money, the bank may show the signature to prove that the bank gave the money to the person with the valid signature. The EQUIVALENT SIGNATURE created in electronic media is called a digital signature.

DIGITAL SIGNATURE

Security has four aspects: privacy, authentication, integrity & non-repudiation. Privacy has been discussed. The other three can be achieved using a digital signature. In signing a document, the roles of the public & private key are different.

The sender uses the private key to encrypt (sign) the message, just as one uses her signature (which is private & difficult to forge) to sign a paper document. The receiver uses the public key of the sender to decrypt the message, just as one verifies other people's signatures from memory.

Fig: Signing the whole document. A encrypts the plaintext with A's private key; the ciphertext crosses the network; B decrypts it with A's public key to recover the plaintext.


A digital signature can provide integrity, authentication & non-repudiation. It does not provide privacy. If the latter is required, another layer of encryption/decryption is required.

A digital signature CANNOT be achieved using secret key encryption.

How does a digital signature provide integrity, authentication & non-repudiation?

Integrity: The integrity of the message is preserved because if an intruder intercepts it & partially changes it, the decrypted message would be illegible.

Authentication: If an intruder, say X, sends a message pretending that it has come from someone else, say G, she must use her own private key (private X) for encryption. The message is then decrypted

Non-repudiation: If the sender denies sending a message, her private key corresponding to her public key can be tested on the original plaintext. If the result of decryption matches the original message, then we know that the sender has sent the message.

Signing the digest

Public key encryption is efficient if the message is short. Using the public key to sign the whole document is inefficient. So the sender creates a miniature of the document, called the digest, & signs the digest. The receiver checks the signature on the miniature. To create the digest, a hash function is used which creates a fixed-size digest from a variable-length message.

Fig: Creating a digest. A variable-length message goes into the hash function, which produces a fixed-length message digest.

The two most common hash functions are MD5 (Message Digest 5) & SHA-1 (Secure Hash Algorithm 1). Two properties of the hash function are needed to guarantee success:

1. Hashing is one way. The digest can be created from a message, but not vice versa.
2. It is a one-to-one function. There is little probability that two messages will create the same digest.

After the digest is created, it is encrypted (signed) using the sender's private key. The encrypted digest is attached to the original message & sent to the receiver.

Fig: Sender site. A hashes the message into a digest, encrypts the digest with A's private key, & sends message + signed digest to B.

The receiver receives the original message & the encrypted digest & separates the two. The receiver applies the same hash function to the message to create a second digest. The receiver also decrypts the received digest using the public key of the sender. If the two digests are the same, all three aspects of security are preserved.

Fig: Receiver site. B separates the message & the signed digest from A, decrypts the signed digest with A's public key, hashes the message into a second digest, & compares the two.
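An added example, not from the notes, that runs the RSA example above (p = 7, q = 17, Kp = 5, Ks = 77, N = 119) and then the signed-digest procedure of the sender and receiver sites on that key. SHA-256 stands in for the MD5/SHA-1 the notes name, and the digest is split into 4-bit pieces because the toy modulus is smaller than a byte.

```python
"""Added example, not from the lecture notes: the RSA steps of the RSA slides with
the notes' own numbers (p=7, q=17, N=119, Kp=5, Ks=77), then the sign-the-digest
scheme of the sender/receiver sites on that key. The modulus is the notes' toy
value, so the digest is split into pieces smaller than N before signing; SHA-256
is used for the digest (the notes name MD5 and SHA-1)."""
import hashlib
from math import gcd

def rsa_keygen(p: int, q: int, kp: int) -> tuple:
    """Steps 1-4 of the RSA example: N = p*q, Kp sharing no factor with
    (p-1)(q-1), Ks with (Kp*Ks) mod (p-1)(q-1) == 1. Returns (Kp, Ks, N)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(kp, phi) != 1:
        raise ValueError("Kp must share no factor with (p-1)(q-1)")
    ks = pow(kp, -1, phi)          # modular inverse (Python 3.8+)
    return kp, ks, n

def rsa_apply(x: int, key: int, n: int) -> int:
    """C = P^Kp mod N and P = C^Ks mod N are the same operation with the other key."""
    if not 0 <= x < n:
        raise ValueError("value must be encoded as a number smaller than N")
    return pow(x, key, n)

def digest_pieces(message: bytes) -> list:
    """Fixed-length digest of a variable-length message, returned as 4-bit
    pieces (0..15) so that each piece is smaller than the toy modulus 119."""
    d = hashlib.sha256(message).digest()
    return [x for b in d for x in (b >> 4, b & 0xF)]

def sign(message: bytes, ks: int, n: int) -> list:
    """Sender site: hash, then encrypt each digest piece with the PRIVATE key."""
    return [rsa_apply(x, ks, n) for x in digest_pieces(message)]

def verify(message: bytes, signature: list, kp: int, n: int) -> bool:
    """Receiver site: decrypt the signed digest with the sender's PUBLIC key,
    hash the received message again, and compare the two digests."""
    recovered = [rsa_apply(s, kp, n) for s in signature]
    return recovered == digest_pieces(message)
```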