Netwok Security
Transcript of Netwok Security
-
8/3/2019 Netwok Security
1/31
It is very important as the volume of data onInternet is fast increasing. The four aspects are:
1. Privacy: The sender & receiver expectconfidentiality. The transmitted messageshould make sense to the INTENDEDrecipient ONLY. To others, the message
should be illegible.2. Authentication: The receiver is sure of
senders identity. He knows an imposterhas not sent the message.
3. Integrity: The data must arrive exactly as itwas sent. Message must not changebecause of accidental or malicious
transmission. As more & more monetarytransactions take place over the Internet, itis of prime importance.
-
8/3/2019 Netwok Security
2/31
4. Non-repudiation: Receiver must be able toprove that a message has come from a
specific sender. A sender may not be ableto deny later a message that he has reallysent. The burden of proof falls on thereceiver. For ex: If a customer sends amessage to a bank for transfer of moneyfrom one account to other, the bank musthave the proof that the customer actuallyrequested the transaction.
To carry sensitive information (military/financial),a system MUST assure PRIVACY. How to
prevent unauthorized access is a majorquestion. A practical way is to alter data so thatonly the intended recipient understands it;others dont. Encryption means the sendertransforms the original information to some otherform & ends the resulting unintelligible messageout over the network. Decryption reverses the
encryption process to transform the changedinformation to the original one.
-
8/3/2019 Netwok Security
3/31
There are two methods of encryption &decryption.
1. Conventional or secret/private key method.2. Public key method
Conventional Method.
The encryption key & decryption key are same &secret. Two types:
A) Character level encryption (CLE):Encryption is done at the character level. Itis of two types substitutional &
transpositional.
Substitutional: Simplest form of CLE.(i) Mono-alphabetic (ii) Poly-alphabetic
sender
Encryp
tion
Algo
networ
k
Decryption
Algo Receiver
-
8/3/2019 Netwok Security
4/31
In mono alphabetic substitutionalso calledCaesar Cipher, each character is replaced byanother single character of the set. It simply
adds a number to the ASCII code of thecharacter; the decryption algo simply deductsthat number from the ASCII code. Ke & Kd arethe same & defined the added/subtractedvalue. If Ke = 3, it means each character willbe replaced by a character that is 3 ahead- Dreplaced G, E by K & so on. If the substitutedcharacter is beyond the last character in theset, it is wrapped around.
Mono alphabetic substitution is very simple butcan be broken by snoopers very easily. This isbecause each character used in a language
has certain natural frequencies which can bedetected by intruders. They can crack thecode. In English, the letters E, T, O & A aremost frequently used.
(ii)Poly-alphabetic substitution:Each occurrence of a character can havedifferent substitutes.
One of the techniques is to find the position ofthe character in the text & to use that value askey. In this technique it is bit difficult to breakthe code but still the Ciphertext is not verysecure.
-
8/3/2019 Netwok Security
5/31
B) Transpositional: It is more secure method. The characters retain their plain text form
but change their positions to create the
cipher text. The characters are transposed/reordered. If a key = 4, complete messagecan be divided to set of 4 character groups.Msg : This is a lovely day (Plain text).
1 2 3 4keyt h i s- i s -a - l ov e l y- d a y
Ciphertext: t-av-hi-edisllas-oyy.
Bit Level Encryption (BLE).In this technique, data as text, graphics, audio/video are first divided to blocks of bits, thenaltered by encoding/decoding, permutation,substitution, XOR, rotation & so on.
1. Encoding/decoding: A decoder changes an
input of n bits to 2n bits.
-
8/3/2019 Netwok Security
6/31
The output should have only one single 1 at theoutput located at the position determined by theinput. An encoder has 2n inputs & n outputs. The
output should have a single 1. Fig. below showsa 2-bit decoder/encoder.
Input Output
00 0001
01 0010
10 0100
11 1000
2X4
decoder 4X2Encoder
Input Output
0001 00
0010 01
0100 10
1000 11
Input Input
output output
-
8/3/2019 Netwok Security
7/31
Permutation: Transposition at bit level. Instraight permutation, number of bits at input
& output level are preserved, in compressedpermutation, number of bits at output arereduced by dropping out some bits & inexpanded permutation, some bits are addedat the output. A permutation circuit can bemade easily as a hardware circuit withinternal wiring. These are called P-Boxes.
-
8/3/2019 Netwok Security
8/31
1 0 0 1
1 0 1 0
1 0 1 0
1 0
Straight
permutation
compressed
permutation
expanded
permutation
1 0 1 0
1 0 0 1 1
-
8/3/2019 Netwok Security
9/31
Substitution: Substitution of n bits by another n
bits can be achieved using a combination of P-boxes, encoders & decoders. Fig. below shows2-bit S-Box that replaces every 00 by 01, 01 by00, 10 by 11 & 11 by 10. The decoder changes2-bits to 4 bits. P-box changes the position ofthe 1. The encoder then changes the 4 bits to 2bit pattern.
2X4 Decoder
P Box
4X2 Encoder
Fig: S-Box
-
8/3/2019 Netwok Security
10/31
Product: P & S boxes can be combined & calledProduct.
Exclusive OR: The result of XOR on 2 bit is 0 ifthe 2 bits are same, otherwise, it is 1. The input& the key are XOR-ed to create the output. Thisoperation is reciprocal as the same key can beused with the Ciphertext at the receiver torecreate the original plaintext.Sender: 01100111 8 bit Plaintext
11011001 Key10111110 8 bit Ciphertext
|V
Receiver: 10111110 8 bit cipher-text
11011001 Key
01100111 8 bit plaintext
Rotation: Another way to encrypt a bit pattern isto rotate the bits to right or left. The key is thenumber of bits to be rotated.
Plaintext: 01100011 Before rotation (key=3)
10110001 After one rotation11011000 After two rotations
Ciphertext 01101100 After three rotations
-
8/3/2019 Netwok Security
11/31
1. It is example of BIT LEVEL encryption(Private Key algorithm).
2. It is designed by IBM.3. Algorithm encrypts a 64 bit plaintext using
56 bit key.4. The text is put thru 19 different & complex
procedures to create 64 bit Ciphertext.5. It is a BLOCK CIPHER i.e. it works on fixed
size blocks of data.
-
8/3/2019 Netwok Security
12/31
Sub-key generator (each s.k. 48 bits)
Key (56 bit)
Plaintext
T
R
A
N
S
P
O
S
IT
I
O
N
C
O
M
P
LE
X
C
OM
P
L
EX
C
OM
P
L
EX
SW
A
PP
ING
T
R
AN
S
PO
SIT
I
ON
CI
P
HE
R
TEX
T
K1 K2 K16
1 2 317
18 19
-
8/3/2019 Netwok Security
13/31
Sub key generation in DES.
28 bits
Combine
56 bits
Compressed permutation
48 bit sub-key
28 bits
28 bits
28 bits
Rotate Rotate
Divide
56 bits
-
8/3/2019 Netwok Security
14/31
The Schematic diagram shows that
1. Step 1 & 19 are relatively simple.2. Steps 2 thru 17 are complex, each requiring
sub-steps that are combinations oftransposition, substitution, swapping, XOR,rotation.
3. Steps 2 thru 17 are same BUT EACH STEPUSES A DIFFERENT KEY (48-bit sub-keyderived from the original key).
4. Additional complexity is achieved by havingeach step use the output of the previousstep as input.
-
8/3/2019 Netwok Security
15/31
64-bit data
Divide
32 bits
32
bits
Exp. permutation
48-bit
XORSub-key K
n
48-bit
compressed permutation
32-bit
Permutation
32-bit
XOR
32-bit32-bit
combine
From previous step
64-bit
To next step
-
8/3/2019 Netwok Security
16/31
IDEA (International data EncryptionAlgorithm)
1. It is a BLOCK CIPHER method similar toDES.
2. It operates on 64 bit blocks of plaintext. Itneeds 128-bit Key & sophisticatedprocessing during each phase of encryptionoperation.
3. Each 64-bit block of plaintext passesthrough a series of eight iterations followedby a final transposition.
4. At each of eight iterations, each of 64output bits is a function of all 64 input bits.
5. The 128 bit key is first used to generate 52sub-keys each 16 bit.
6. Six sub-keys are used at each iteration &remaining 4 sub-keys are used in finaltransposition stage.
7. Decryption uses same algo but withmodified set of keys.
8. Each 64 bit is first divided to 4 numbers16bit words each & then goes thru a series of
multiplication, addition, XOR operations. (Alllines in the figure are 16 bits & allmultiplication operations involve first the 32bit product of the two 16 bit inputs beingcomputed & then divided by (216+1). The
Fig: One of the 16 steps in DES
-
8/3/2019 Netwok Security
17/31
output is then 16-bit remained. In case ofaddition, two 16 bit inputs are addedtogether & any carry generated is ignored.
s
Encryption Schematic of IDEA.
Iteration 1
Iteration 2
Transformation
Iteration 8
KEY
GENE
RATOR
K43-K48
K7-K12
K1-K6
K49-K52
128 bit
key
52 sub-
keys each
16 bit
64 bit
plain text
-
8/3/2019 Netwok Security
18/31
-
8/3/2019 Netwok Security
19/31
Public key methods
In conventional methods, the decryption algo isalways the inverse of encryption algo & uses thesame key. So, it is also called Symmetricencryption algo. Anyone who knows theencryption algo & key can deduce the decryptionalgo. Security can be assured only if the entireprocess is kept secret.It has the advantage of(1) Being very efficient,(2) taking less time to encrypt a message &
hence used to encrypt long messages.It has two major disadvantages.(1) Each pair of users must have a secret key.
So, N people in the world need N(N-1)/2secret keys which is very huge to create &maintain.
(2) The distribution of the keys are very difficult.
SECRET KEY ALGOS ARE USEFUL IF USEDONCE.
-
8/3/2019 Netwok Security
20/31
The solution of the problem is public keyencryption. Every user has the same encryption
key & algo. The decryption key is kept secret.The decryption key is not the inverse ofencryption key. The encryption & decryptionalgo use different functions & knowing one doesnot enable the user to know the other. Inaddition, the keys are different. Public keys areencryption algo & key are publicly announced.The decryption algo & key are kept secret &used only by the bank.Advantages:
1. Removes the restriction of shared keybetween TWO entities. The key shared bytwo parties cannot be shared with a third
party, if one of them wants tocommunicate with another party. In publickey, this is possible. Each entity cancreate a pair of keys & is independent,keep the private key & distribute the publickey.
2. The number of keys is reduced drastically.
For N users, 2N keys & not N(N-1) as insecret key is needed.
-
8/3/2019 Netwok Security
21/31
Disadvantage : Very complex algorithm. For themethod tobe effective, large numbers areneeded. Calculating Ciphertext from plaintext
using long keys take long time.
PUBLIC KEY ALGOS ARE USEFUL IF USEDONCE.
Public key encryption.
Customer 1
Private
key
Public
key
Public
key
Customer n
BankCustomer 2
Public
key
-
8/3/2019 Netwok Security
22/31
RSA Encryption.It is public key encryption.
Rivest, Shamir, Adleman created this key.One party say bank customer uses public keyKp. The other party uses secret key. Ks. Bothuse a number N.
The encryption algo uses the following steps:1. Encode the data to be encrypted as a no. to
create the plaintext P.2. Calculate the Ciphertext C as C = PKp
modulo N (modulo means dividePKp by N &keep only the remainder).
3. Send C as Ciphertext.
The decryption algo follows these steps:1. Receive Cs the Ciphertext2. Calculate plain text P = CKsmodulo N.3. Decode P to the original data.
-
8/3/2019 Netwok Security
23/31
Example with Kp= 5, Ks= 77 & N=119.The whole idea behind RSA is the way in whichKp, Ks & N are chosen using number theory.
1. Choose 2 prime nos. p & q. (We choose 7 &
17).2. Calculate N = p X q (N = 7X17 =119).3. Select Kp such that it is not a factor of
(p-1) X (q-1) = 96. The factors of 96 are 2,2,
2, 2, 2, 3.We choose 5, not a factor of 96.4. Select Ks such that (KpXKs) modulo
(p-1) X (q-1) = 1. We choose 77. Ifchecked,
5X77 = 385 & 385 = 4X96 +1.
customer
C = PKp
modulo N
Bank
Plaintext
P
P = CKs
modulo N
Kp & N Ks & N
EncryptionDecryption
P
C
Plaintext
C=Ciphertext
-
8/3/2019 Netwok Security
24/31
Security of RSA: Pair of nos. Kp & N are publicly
announced. The bank keeps Ks as the secretkey. If a bank can calculate Ks why not asnooper? The answer lies in the complexity ofthe process. The bank starts with two primenumbers p & q to calculate N, Kp, Ks. Thesnooper does not know p or q. He uses N first tocalculate p & q & then GUESS Ks. If p & q arechosen to eb few hundred digits long, it isextremely difficult to factorize it to its primenumbers.Reciprocity of RSA: RSA algo is reciprocal. Thebank can use the same secret key Ks to send areply to the customer & the customer can
decrypt the message using his own private key.Authentication
It means verifying the identity of the sender; i.e.message is coming from an authentic sender ¬ an imposter. Among several methods, weshall discuss Digital Signature method based on
encryption/decryption.
-
8/3/2019 Netwok Security
25/31
Concept is same as signing physically
documents in a business transaction forexample say signing documents in a bank. Thebank gives a form to be signed by customer &keeps the signed form on record when thecustomer needs to withdraw large amount ofmoney from the bank. If the customer laterdenies withdrawal of money, the bank may showthe signature to prove that bank have givenmoney to the person with valid signature.The EQUIVALENT SIGNATURE is created inelectronic media called digital signature.
DIGITAL SIGNATURE
Security has four aspects: Privacy,Authentication, Integrity, & Non-repudiation.Privacy has been discussed. The other threecan be achieved using digital signature. Insigning of a document, the roles of the public &private key are different.
The sender uses private key to encrypt (sign)the message just as one uses her signature(which is private & difficult to forge) to sign apaper document. The receiver uses public key of
-
8/3/2019 Netwok Security
26/31
sender to decrypt the message just as oneverifies from memory other peoples signature.
Fig: Signing the whole document.
A
encryption
Net
wor
kdecryption
B
As private key
As public key
Ciphertext
Ciphertext
P
L
AI
N
T
E
X
T
P
LA
I
N
T
E
X
T
-
8/3/2019 Netwok Security
27/31
Digital signature can provide integrity,authentication, and non-repudiation. It does notprovide privacy. If the latter is required, anotherlayer of encryption/ decryption is required.
Digital Signature CANNOT be achieved usingsecret key encryption.
How digital signature provides integrity,authentication, and non-repudiation?Integrity: The integrity of the message is
preserved because if an intruder intercepts it,and partially changes it, the decrypted messagewould be illegible.Authentication: If an intruder say X sends amessage pretending that it has come fromsomeone else, say G, she must use her ownprivate key (private X) for encryption. The
message is then decryptedNon-repudiation: If the sender denies sending amessage, her private key corresponding to herpublic key can be tested on the original plaintext.If the result of decryption matches the original
-
8/3/2019 Netwok Security
28/31
message, then we know that the sender hassent the message.
Signing the digestPublic encryption is efficient if the message isshort. Using public key to sign the wholedocument is inefficient. So, the sender creates aminiature of the document called the digest &signs on the digest. The receiver checks thesignature on the miniature.To create the digest, a hash function is usedwhich creates fixed size digest from a variablelength message.Fig: Creating a digest.
Two most common hash functions are MD5(Message Digest 5) & SHA-1 (Secure HashAlgorithm1).Two properties of hash function are needed toguarantee success.
1. Hashing is one way. The digest can becreated from a message not vice versa.
Variable
length
message
Hash
function
Fixed
length
message
digest
-
8/3/2019 Netwok Security
29/31
2. It is a one-to-one function. There is littleprobability that two messages will createthe same digest.
After the digest is created, it is encrypted(signed) using the senders private key. Theencrypted digest is attached to the originalmessage & sent to the receiver.
Fig: Sender site.
The receiver receives the original message and
the encrypted digest & separates the two. Thereceiver applies the same hash function themessage to create a second digest. Thereceiver also decrypts the received digest usingpublic key of the sender. If the two digests are
Message
Signed
DigestEncrypt
Message
Digest
Hash
A
As private key
+
To
B
Message + signed digest
-
8/3/2019 Netwok Security
30/31
same, all three aspects of security arepreserved.
Message
Digest Digest
Decrypt Hash
From A
As public key
Compare
B
-
8/3/2019 Netwok Security
31/31
Fig: Receiver site.