s2.bitdownload.irs2.bitdownload.ir/Ebook/Computer Science/Networks/Fung - Network... · the rounds...

Copyright

AUERBACH PUBLICATIONS

A CRC Press Company

Boca Raton London New York Washington, D.C.

Network SecurityTechnologies

Kwok T. Fung

Second Edition

2005 by CRC Press, LLC. All Rights Reserved.

Copyright

All terms mentioned in this book that are known to be trademarks or service marks have been appropriatelycapitalized. Use of a term in this book should not be regarded as affecting the validity of any trademarkor service mark.

This book contains information obtained from authentic and highly regarded sources. Reprinted materialis quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonableefforts have been made to publish reliable data and information, but the author and the publisher cannotassume responsibility for the validity of all materials or for the consequences of their use.

Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronicor mechanical, including photocopying, microfilming, and recording, or by any information storage orretrieval system, without prior permission in writing from the publisher.

The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, forcreating new works, or for resale. Specific permission must be obtained in writing from CRC Press LLCfor such copying.

Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and areused only for identification and explanation, without intent to infringe.

Visit the Auerbach Web site at www.auerbach-publications.com

2005 by CRC Press LLC Auerbach is an imprint of CRC Press LLC

No claim to original U.S. Government worksInternational Standard Book Number 0-8493-3027-0

Library of Congress Card Number 2004046417Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

Library of Congress Cataloging-in-Publication Data

Fung, K. T. (Kwok T.)Network security technologies / Kwok T. Fung.--2nd ed.

p. cm.Includes bibliographical references and index.ISBN 0-8493-3027-0 (alk. paper) 1. Computer networks--Security measures. I. Title.

TK5105.59.F86 2004 005.8--dc22

2004046417


AU3027_book.fm Page v Wednesday, September 1, 2004 5:57 PM

Copyright

DEDICATION

To my wife, children, and Bigglesworth and Fox and all others who have helped shape my values and priorities.


AU3027_book.fm Page vii Wednesday, September 1, 2004 5:57 PM

Copyright

CONTENTS

About the Author

Preface

1 Introduction1.1 Security in Network Design and Implementations1.2 Framework for Network Security Technologies

1.2.1 Major Basic Network Security Functional Elements1.2.2 Network Security and the OSI Model1.2.3 Categorizing Network Security Technologies1.2.4 The Framework

1.3 The Organization of the BookBibliography

2 Basic Confidentiality Technologies2.1 Hashing Algorithms

2.1.1 The MD5 Algorithm2.1.1.1 Common Use

2.1.2 The SHS Standard2.1.2.1 The SHA-1 Algorithm2.1.2.2 Message Digests and Digital Signatures2.1.2.3 Common Use

2.2 Secret- and Public-Key Cryptography2.3 Secret-Key Cryptography Algorithms

2.3.1 Block Ciphers and Stream Ciphers2.3.2 DES and 3DES Encryption Standards

2.3.2.1 The Basic DES Algorithm2.3.2.2 The 3DES Algorithm2.3.2.3 Common Use

2.3.3 The AES Standard2.3.3.1 The Rijndael Algorithm2.3.3.2 AES versus 3DES2.3.3.3 Common Use


AU3027_book.fm Page viii Wednesday, September 1, 2004 5:57 PM

Copyright

2.3.4 The RC4 Cipher2.3.4.1 The RC4 Algorithm2.3.4.2 Common Use

2.4 Public-Key Cryptography2.4.1 Public Key Cryptography Standards2.4.2 The RSA Algorithm

2.4.2.1 The Key-Generation Algorithm2.4.2.2 Encryption by Sender A2.4.2.3 Decryption by Recipient B2.4.2.4 Common Use

2.4.3 Digital Signature Cryptography Algorithms2.4.3.1 The DSA Algorithm2.4.3.2 The ECDSA Algorithm2.4.3.3 Common Use

2.5 The DiffieHellman Key-Exchange Algorithm2.5.1 An Overview of the Algorithm2.5.2 Common Use

2.6 SummaryBibliography

3 Basic Authentication Technologies3.1 IP-Layer Authentication Mechanisms

3.1.1 AH3.1.1.1 AH Header Format..3.1.1.2 AH Authentication Operation3.1.1.3 Authentication Algorithm

3.1.2 ESP3.1.2.1 ESP Packet Format3.1.2.2 ESP Authentication Operation3.1.2.3 Encryption Algorithm3.1.2.4 Common Use

3.2 Packet Filtering3.2.1 Packet Filter Types

3.2.1.1 Common Use3.3 UserID and Password Authentication Methods

3.3.1 PAP3.3.2 SPAP

3.3.2.1 Common Use3.4 SummaryBibliography

4 Basic Authorization Technologies4.1 Access Control

4.1.1 Physical Access Control4.1.1.1 Common Use

4.1.2 UserID and Password4.1.2.1 Levels of Access Privilege4.1.2.2 Common Use


AU3027_book.fm Page ix Wednesday, September 1, 2004 5:57 PM

Copyright

4.1.3 Access Control Lists4.1.3.1 Systems ACLs4.1.3.2 Router ACLs4.1.3.3 Common Use

4.2 DMZ4.2.1 Common Use


5 Basic Message Integrity Technologies5.1 Overview of VPN Technologies

5.1.1 Encapsulation Techniques5.2 Layer 2 VPNs

5.2.1 FR5.2.1.1 FR Virtual Circuits5.2.1.2 FR Frame Format

5.2.2 ATM5.2.2.1 ATM Cell Header Format5.2.2.2 Quality of Service (QoS)5.2.2.3 Security Mechanisms in ATM

5.3 MPLS VPNs5.3.1 The MPLS Protocol

5.3.1.1 LSRs and LERs5.3.1.2 FEC5.3.1.3 Labels and Label Bindings

5.3.2 MPLS VPNs5.3.3 AToM

5.3.3.1 AToM-Supported Transport Protocols5.4 Ethernet VLAN

5.4.1 IEEE 802.1Q5.4.2 802.1Q Ethernet VPNs5.4.3 PPPoE

5.4.3.1 Common Use5.5 Tunneling Protocols

5.5.1 PPP5.5.2 PPPoE5.5.3 PPP over SONET or SDH

5.5.3.1 The Interface Format5.5.3.2 Common Use

5.5.4 GRE5.5.4.1 Common Use

5.5.5 PPTP5.5.5.1 Common Use

5.5.6 L2TP5.5.6.1 Common Use

5.6 The Authentication Protocols AH and ESP5.6.1 Common Use


AU3027_book.fm Page x Wednesday, September 1, 2004 5:57 PM

Copyright


6 Basic Non-Repudiation Technologies6.1 Digital Signatures

6.1.1 Types of Digital Signatures6.1.2 Common Use

6.2 MAC6.2.1 Common Use

6.3 NAT and PAT6.3.1 NAT

6.3.1.1 NAT Function Example6.3.1.2 Common Use

6.3.2 PAT6.3.2.1 PAT Function Example6.3.2.2 Common Use


7 Enhanced Technologies7.1 UserID and Password Authentication and Authorization

7.1.1 CHAP7.1.1.1 Common Use

7.1.2 Kerberos7.1.2.1 Basic Mechanism7.1.2.2 Common Use

7.2 Token Cards7.2.1 Token Card Authentication Methods

7.2.1.1 Security Considerations7.2.1.2 Common Use

7.3 EAP and MPPE7.3.1 EAP

7.3.1.1 EAP Packet Formats7.3.1.2 Common Use

7.3.2 MPPE7.3.2.1 Common Use

7.4 Key-Management Protocols7.4.1 Key Management

7.4.1.1 ISAKMP7.4.1.2 OAKLEY7.4.1.3 IKE7.4.1.4 SKIP7.4.1.5 STS

7.5 Digital Signatures7.5.1 Digital Signature Standard (DSS)

7.5.1.1 Message Digest7.5.1.2 Key Association7.5.1.3 DS Algorithm


AU3027_book.fm Page xi Wednesday, September 1, 2004 5:57 PM

Copyright

7.5.2 Using Digital Signature in SSL7.5.2.1 Common Use

7.6 MAC7.6.1 HMAC7.6.2 Computing MACs

7.6.2.1 Common Use7.7 Digital Certificate

7.7.1 X.509 Certificates7.7.2 Certification Authority and Certification Path

7.7.2.1 Common Use7.8 IEEE 802.11

7.8.1 WEP7.8.1.1 WEP Encryption and Decryption Process

7.8.2 802.11i7.8.2.1 Common Use


8 Integrated Technologies8.1 SSO Technologies

8.1.1 The Open Group Security Forum (OGSF) SSO Model8.1.1.1 Common Use

8.1.2 Service Selection Gateways (SSGs)8.1.2.1 Common Use

8.1.3 The Generic Security Service Application Program Interface (GSS-API)8.1.3.1 Common Use

8.2 Higher-Layer VPNs8.2.1 The IPSec Protocol

8.2.1.1 IPSec Overview8.2.1.2 IPSec-Based VPNs8.2.1.3 Interworking of IPSec and Other Tunneling

Protocols8.2.1.4 Common Use

8.2.2 The SSL Standard8.2.2.1 SSL Overview8.2.2.2 SSL Accelerators

8.2.3 The Transport Layer Security (TLS) Protocol8.2.3.1 An Overview8.2.3.2 Backward Compatibility with SSL8.2.3.3 Common Use

8.2.4 The TTLS and PEAP Protocols8.2.4.1 The TTLS Protocol8.2.4.2 The PEAP Protocol8.2.4.3 Common Use

8.2.5 Comparison of Some VPN Technologies8.2.6 IPSec versus SSL


AU3027_book.fm Page xii Wednesday, September 1, 2004 5:57 PM

Copyright

8.3 Firewalls8.3.1 Classification of Firewalls8.3.2 Common Use


9 Network Security Architectures9.1 Remote Access

9.1.1 Remote Access Security Requirements9.1.1.1 Access Network Control9.1.1.2 User Authentication and Authorization9.1.1.3 Protection of Connection and Traffic Integrity

9.1.2 Authentication and Authorization Protocols9.1.3 Remote Access Architecture

9.1.3.1 DMZ9.1.3.2 RAS9.1.3.3 Authentication Server9.1.3.4 Proxy Server9.1.3.5 Firewall

9.1.4 AAA Servers9.1.5 An Illustration

9.2 PKI Architecture9.2.1 PKI Overview9.2.2 PKI Building Blocks9.2.3 PKI Defined9.2.4 The PKIX Architecture

9.2.4.1 End Entities9.2.4.2 Certification Authority9.2.4.3 Registration Authority9.2.4.4 Repositories9.2.4.5 Certificate Revocation List Issuers

9.2.5 PKIX Management Functions9.2.5.1 Registration9.2.5.2 Initialization9.2.5.3 Certification9.2.5.4 Key-Pair Recovery9.2.5.5 Key-Pair Update9.2.5.6 Revocation Request9.2.5.7 Cross-Certification9.2.5.8 Management Function Protocols

9.2.6 The PKI Forum9.2.7 An Illustration

9.3 Federal PKI9.3.1 FPKI Security Services

9.3.1.1 PKI Functionality9.3.1.2 Federal PKI Directory Servers


AU3027_book.fm Page xiii Wednesday, September 1, 2004 5:57 PM

Copyright

9.3.2 Federal PKI Directory Architecture9.3.2.1 Directory Components9.3.2.2 Architecture Overview9.3.2.3 Concept of Operation

9.3.3 PKI Services9.4 The SET Specification

9.4.1 Overview of SET9.4.2 SET E-Payment Operations


10 WLAN Security Architecture10.1 Overview of WLANs

10.1.1 Secure WLAN Architecture10.1.1.1 Client Stations10.1.1.2 APs10.1.1.3 Ethernet Switches10.1.1.4 Security Servers

10.1.2 WLAN Evolution10.1.2.1 First-Generation WLANs10.1.2.2 Second-Generation WLANs10.1.2.3 Third-Generation WLANs

10.1.3 WLAN Implementations10.2 WLAN Security Requirements

10.2.1 Authentication and Authorization10.2.2 Encryption10.2.3 Enterprisewide Roaming

10.3 WLAN Network Security Technologies10.3.1 Earlier Technologies

10.3.1.1 DMZ Isolation10.3.1.2 RF Isolation10.3.1.3 Proprietary Methods

10.3.2 802.11 Security Features10.3.2.1 SSID10.3.2.2 MAC Address Filtering10.3.2.3 The WEP Protocol10.3.2.4 The 802.11i Security Standard10.3.2.5 Authentication for 802.1X10.3.2.6 WPA

10.3.3 VPN Wireless Security10.4 SummaryBibliography

11 Network Security Implementation Topics11.1 Standards Vulnerabilities

11.1.1 Cryptographic Standards11.1.1.1 RC4


AU3027_book.fm Page xiv Wednesday, September 1, 2004 5:57 PM

Copyright

11.1.1.2 IEEE 802.1111.1.1.3 Limitations of IPSec11.1.1.4 Protocol-Based DoS11.1.1.5 SSL and TLS

11.1.2 Routing Protocols11.1.2.1 OSPF Security Capabilities11.1.2.2 RIP Security Capabilities

11.2 End-To-End Connectivity11.3 Systems Vulnerabilities

11.3.1 OS and NOS Problems11.3.2 Network Management Systems (NMS)

11.3.2.1 Protection of Network Equipment11.3.2.2 Protection of User Traffic

11.4 Router Configurations11.4.1 Protecting the Router Itself

11.4.1.1 Physical Security11.4.1.2 OS or NOS Vulnerabilities11.4.1.3 Configuration Hardening

11.4.2 Router Configurations11.4.2.1 Design and Development11.4.2.2 Deployment and Administration

11.5 Firewalls11.5.1 ACLs and Packet Filtering11.5.2 NAT and PAT Limitations

11.5.2.1 VoIP11.5.2.2 IPSec VPN

11.5.3 Special Application Layer Gateways11.6 Adding Security to Applications and Services

11.6.1 Network Services11.6.1.1 S-HTTP11.6.1.2 S/MIME11.6.1.3 SMTP

11.6.2 Web Applications11.7 SummaryBibliography

Appendix A: Security Technologies: A Hierarchical Guide

Appendix B: NSA and SNAC Router Security Configuration Guide Summary (from National Security Agency/System and Network Attack Center)

Executive SummaryGeneral RecommendationsSpecific Recommendations Specific Recommendations Specific RecommendationsRouter Security Checklist


AU3027_book.fm Page xv Wednesday, September 1, 2004 5:57 PM

Copyright

Appendix C: Key Network Security Terms and Definitions

Appendix D: List of Common TCP and UDP Well-Known Ports

Well-Known Port NumbersCommon Well-Known Port Numbers

Appendix E: RSA Public-Key Cryptography ExampleGenerating a Key Pair and Protecting the Private Key

Step 1: Generating an RSA Key PairStep 2: Encoding RSAPublicKey and RSAPrivateKey ValuesStep 3: Encoding a PrivateKeyInfo ValueStep 4: Encrypting the PrivateKeyInfo EncodingStep 5: Encoding the EncryptedPrivateKeyInfo Value

Appendix F: Acronyms


AU3027_book.fm Page xvii Wednesday, September 1, 2004 5:57 PM

Copyright

ABOUT THE AUTHOR

Kwok T. Fung worked for AT&T Bell Laboratories/AT&T Laboratories indata networking and telecommunications for more than 20 years. He alsotaught computer science for a number of years at the University of Windsor,Ontario, Canada. He coauthored the book Computer Design and Imple-mentation by Computer Science Press and has several papers publishedin technical journals and conference proceedings. He has also coauthoredseveral patent applications. He received his M.S. and Ph.D. degrees incomputer engineering from Cornell University and his B.S. in electricalengineering from the University of Manitoba, Canada.


AU3027_book.fm Page xix Wednesday, September 1, 2004 5:57 PM

Copyright

PREFACE

With the advent of telecommunication and IT technologies and the increas-ingly dominant roles played by E-commerce in every major industry,development and implementation efforts in the many areas of networksecurity draw technologies from more and more seemingly unrelatedtechnical fields that did not previously have to cross paths or intimatelyinterwork. These major fields include cryptography, network protocols,switch and router technology, and information technology, each with fullydeveloped theories and standards, as well as well-established practices.Trying to develop expertise in all of these technical fields is a challengingtask. This book presents the key network security-relevant technologiesin these diverse fields, using an organized, hierarchical framework thatgreatly facilitates understanding of not only the technologies themselvesbut also their interrelationships and how they interwork.

This framework has been formulated in a systematic classification andcategorization of network security technologies. First, fundamental net-work security functional elements are identified: confidentiality, authentica-tion, authorization, message integrity, and non-repudiation. Technologiesthat implement these functional elements are then classified and catego-rized based on these functional elements. The result is a unique presen-tation of major legacy, state-of-the-art, and emerging network securitytechnologies from all the relevant fields, which serves as an extremelyuseful and easy-to-follow guide.

The descriptions for most of the relevant technologies include enoughtechnical depth to enable the reader to have a full understanding of theroles played by, and responsibilities required of, each technology. How-ever, they are not intended to replace the corresponding detailed descrip-tions in such documents as standard specifications, RFCs, interface andimplementation agreements, etc. Every effort is made to render the math-ematical derivations used in the algorithms as self-contained as possible.


AU3027_book.fm Page xx Wednesday, September 1, 2004 5:57 PM

Copyright

In several places where this proves to be too difficult without sacrificingthe overall readability of the material, certain details that are not deemedabsolutely necessary to understanding the operations of the associatedalgorithms are omitted, and references are always provided for readers tosupplement the missing details. Regardless, for readers who desire inten-sive understanding of the in-depth theory and nitty-gritty details of eachtechnology, references are provided at the end of each chapter.

The presentation of the materials in this book is unique in the followingways:

Network security technologies are classified as basic, enhanced,integrated, and architectural as a means to associate their relativefunctional (not necessarily algorithmic, for example) complexities,providing a useful perspective on their interrelationships.

Together with the introduction and description of security-relatedtechnologies, the interrelationship and interworking of these tech-nologies are also discussed so that the readers can have an easiertime grasping the relevance of each of these technologies withinthe network security landscape.

Thus, the book is intended to be used both as a textbook and studyguide and also as a reference for network telecommunications students,all network and information technology staffs (e.g., network designersand architects, network and systems engineers and administrators, etc.)who have a need to better understand the basic theories, interrelationshipsand interworking of different security functionalities and technologies andhow they relate to other network components. It is expected that vendorequipment users manuals will provide the details and CLI command usageinstructions needed for the actual configuration of security devices suchas firewalls, router configurations, etc.


1

AU3027_book.fm Page 1 Wednesday, September 1, 2004 5:57 PM

Copyrig

INTRODUCTION

As the role of enterprise networks keeps expanding in its support of bothinternal and external connectivity in the form of emerging Internet, intra-net, and extranet applications, network components are being exposedmore and more seriously to malicious as well as unintentional securitybreaches. Network security becomes an ever increasingly critical elementof enterprise network designs and implementations. A typical networksecurity exercise involves the planning and design of a companys net-works and information technology (IT) security infrastructures so as toprotect its valuable applications, sensitive data, and network resourcesfrom unauthorized access that results in either intentional or unintentionalmisuse and malicious alterations of the companys assets.

According to surveys of IT managers in major corporations done overthe last few years, the following are the most consistently cited securityconcerns (in descending order of perceived severity according to most ofthose surveyed):

Authorized access control Viruses Virtual private networks (VPNs) Confidentiality, privacy, and encryption Firewalls Access by remote users Education and staying up-to-date Usage monitoring and Internet usage abuse E-commerce Poorly designed software and systems E-mail and spam

ht 2005 by CRC Press, LLC. All Rights Reserved.

Security


Copyrig

Of course, some of these security concerns have a wider impact onthe worldwide IT community than others. For example, a bug in a routerswidely deployed network operating system (NOS) is likely to result inmuch more extensive damage than a poorly designed piece of applicationsoftware with limited local deployment in a companys remote or evencentral sites.

1.1 SECURITY IN NETWORK DESIGN AND IMPLEMENTATIONS

Network security in an enterprise environment refers to all the measuresand software and hardware implementations, as well as to the associatedpersonnel, documentation, and processes within the enterprise networkinfrastructure, that together protect the integrity and privacy of applica-tions, data, and information flow. Figure 1.1 shows the major stepsinvolved in a typical network security design process cycle.

The typical network security process for designing and implementingsecurity capabilities in the enterprise network should be considered verymuch a mission-critical task that:

Evolves rapidly Increases in complexity Is critical for business success

In particular, the key characteristic is that the entire process is aconstantly evolving one. Network security design and implementation

Figure 1.1 Network security methodology.

SecurityAudit

Design &Implementation

SecurityPolicies

Formulation

Management& Monitoring

Need for Redesign

Requirements


efforts need to be upgraded or readjusted as new threats are identifiedor as new business needs dictate new security requirements.


Copyrig

When considering the design and implementation of network security,the following principles should always be kept in mind in order to ensuresuccess:

Network security needs should be initiated at the beginning of anetwork design and development process and adequately managedthroughout the entire networks life cycle.

The application of network security policies, procedures, and coun-termeasures should be corporatewide in scope and should bedriven by well-defined and quantifiable needs.

The responsible network security functional group must workclosely with other engineering and technical function groups andall other relevant functional groups of the organization.

High-level visibility and management support and commitment areessential for any network security program to be successful.

The implementation of network security must not overburden theusers (including the network and IT developers and maintenancepersonnel) or significantly impact network and system performanceor mission objectives. It is always necessary to work toward acompromise.

Cost-effective solutions must be sought as soon as possible toensure that the network security program is as efficient and up-to-date as possible.

Never assume that a solution previously used to solve a specificnetwork security vulnerability problem will be sufficient for thesame vulnerability the next time. Technology moves too fast notto reevaluate available options at the time the decision is made.

Network security starts with the formulation and adoption of a set ofcorporatewide security policies and processes. A network security policyis a set of rules or decisions that combine to determine an organizationsstance with regard to network security. It determines the limits of accept-able behavior on the part of insiders and outsiders, and determines whatthe responses to deviations from acceptable behavior should be. Thenetwork security policy is used to guide the organization in determiningthe particular security steps to take. In particular, the policy must bedefined before any network security technology is chosen.

Security policies and processes must be tailored to the specific needsof the companys business. For instance, many government agencies adopte-authentication policies (e.g., assigning one of four electronic identityassurance levels to each e-government transaction) that have been defined


for interagency communication and need to be followed. The definitionof these policies is accomplished by determining the key business assets


Copyrig

that are vulnerable because they are connected to the network. The nextstep is to determine what would be required, at a high level, to protectthe endangered assets. The security policy will be the result of a com-promise between expected or suspected dangers, business needs, theusers tolerance, and the cost of security technologies and their operationalimpact.

The security policy needs to consider both computer resources andnetwork resources. Computer resources include, for example, applications,databases, and computer hardware. These are all business assets and areworth protecting at some level. Network resources include switches,routers, multiplexers, modems, and interconnecting links. They are usuallynot attacked purely for themselves (apart from a network providersperspective) but rather, as a way to attack the computer resources thatare connected to them. The final security policy will define what is to beprotected and how it is to be protected.

All these point to the realization that network security should beconsidered an integral part of network design and implementations, andmany of the classical security technologies, such as cryptography, shouldbe well understood by traditional network designers and vice versa.

1.2 FRAMEWORK FOR NETWORK SECURITY TECHNOLOGIES

Development and implementation in many areas of network security drawtogether technologies from more and more seemingly unrelated technicalfields that did not previously have to cross paths or intimately interwork.These major fields include, but are not limited to, cryptography, networkprotocols, switch and router technology, and information technology, eachwith fully developed theories and standards besides well-established indus-try practices. Trying to fully understand all this diverse knowledge is anecessary but challenging task for present-day network and IT architectsand designers.

In the following text, we develop an organized, hierarchical frameworkto present many of the key network-security-relevant technologies in thesediverse fields to facilitate a discussion of not only the technologies them-selves but also their interrelationships and how they interwork.

1.2.1 Major Basic Network Security Functional Elements

The ultimate objective of network security is to ensure that protectedapplications and the information used as input and generated as output


by these applications are not compromised by malicious or unintentionalsecurity breaches. As a result, it is possible to define the major basic


Copyrig

network security functional elements that are needed to build a networksecurity system, in terms of the following well-known security servicesneeded for secure message exchanges: confidentiality authentication,authorization, message integrity, and non-repudiation.

Thus, the following are defined to be the five basic network securityfunctional elements:

Confidentiality: Confidentiality or privacy ensures that the contentof the message is not visible to any persons other than the intendedor authorized receivers. Encryption is typically used to achieve this.Confidentiality or the ability to hide the meaning of informationfrom unauthorized persons is probably the most basic functionalelement that all other functional elements build on.

Authentication: Authentication ensures the integrity of user identi-ties through the identification of legitimate and illegitimate users.Legitimate users would be allowed to proceed with their businessto some extent, even though they could still subsequently belimited in what they can do by other aspects of security controls,such as authorization.

Authorization: Authorization is the control of access to network orsystems resources so that only authenticated users who have spe-cific authorization are allowed to access particular resources. Thistype of control would allow selective access to resources by thesmall population of users who have already been authenticated.

Message Integrity: Message integrity refers to the condition that thereceived message is not altered unintentionally en route comparedwith the originally sent message.

Non-repudiation: Non-repudiation guarantees that the sender is alegitimate sender of the received message and that the sendercannot later dispute the sending of the message. Sometimes, non-repudiation is extended to apply to the receiver also.

These five network security functional elements are implemented ashardware and software in network devices (e.g., routers and servers) thatare found in places over the end-to-end path of a connection between twocommunicating endpoints (typically, a client computer and a server or host).

It is important to note that not all five functional elements are alwaysincluded in any particular deployed network security system. Also, thereare network security services that cannot easily be classified under anyof the above functional elements but that work together with them toprovide the desired network security capabilities.


APPLICATION


Copyrig

It should also be noted that in the above definitions, authenticationrefers to user authentication but data authentication is separatelyreferred to as message integrity. In network security literature, authen-tication often refers to both user and data authentication.

Most common security risks are the results of breakdowns or inade-quacies in the protection provided by one or more of the functionalelements. For example, denial-of-service (DoS) is most likely due tomalicious attacks from outside hackers who have managed to gain unau-thorized access to some network or systems resources. The hackers might,in turn, have managed to gain access because of unencrypted or easilycompromised passwords. Also, the damage that viruses can potentiallycause to system resources can be significantly reduced with stricter securitypolicies and more carefully designed firewalls, for example.

1.2.2 Network Security and the OSI Model

It is useful to examine where the network security functional elementslisted above fall under the Open Systems Interconnection (OSI) 7 LayerReference Model. This is illustrated in Figure 1.2. This diagram can beuseful as the different technologies that are available to implement thesenetwork security functional elements are studied in subsequent chapters.

The network security functional elements span all seven layers,although particular technologies will likely dictate which layer each willoperate at. For example, SSL is a session-oriented technology and operatesprincipally at the application layer.

Figure 1.2 Network security and the OSI Network Model.

PRESENTATION

SESSION

TRANSPORT

NETWORK

DATA LINK

PHYSICAL

Typically Customer or Vendor-ProvidedSecurity

Physical Security

TypicallyServiceProvider-Providedon TransportBackboneNetwork

AuthorizationAuthenticationConfidentialityMessage IntegrityNon-Repudiation

Logical Security

Functional Security:


If a customer uses service providers for backbone connectivity in theirnetwork, as is likely the case, many of the lower-layer security capabilities


Copyrig

will be integrated into the backbone network infrastructure or offered asoptional features.

1.2.3 Categorizing Network Security Technologies

Once the five network security functional elements have been identified,it is possible to examine the many different key legacy, state-of-the-art,and emerging technologies that have been defined and invented to imple-ment these functional elements to meet specific security requirementsunder different operating environments. In order to formulate a structuredview of the relationship between different, diverse network security tech-nologies, we divide the technologies according to the way they implementthe functional elements, into the following four categories (only technol-ogies considered to be standards, de facto standards, or industry-acceptedpractices are described in this book):

Basic Technologies: From each functional elements perspective,these are functionally simple technologies, each of which is typi-cally designed to implement primarily only one specific functionalelement. Examples of these technologies are encryption technolo-gies, Layer 2 VPNs such as Frame Relay (FR) permanent virtualcircuits (PVCs) and switched virtual circuits (SVCs), and routeraccess control lists (ACLs). Basic network security technologies canbe considered to be the fundamental building blocks of all theother security technologies and are described in Chapters 2, 3, 4,5, and 6 for the five different functional elements.

Enhanced Technologies: These are network security technologiesthat are still designed to implement primarily one particular func-tional element, but we consider them to be more than basictechnologies because they are relatively more complex and veryoften make heavy use of some of the basic technologies, andsometimes even include other functionally different basic technol-ogies. One example is the digital signature for implementing sourcenon-repudiation, as digital signatures are built on top of hashingalgorithms, which are also considered to be basic technologies forimplementing confidentiality. Enhanced technologies are describedin Chapter 7.

Integrated Technologies: These are network security technologiesthat are, in turn, defined using other more basic technologies andare designed or have evolved to support more than one functionalelement. Examples of these technologies are SSL and IP Security


(IPSec). (IPSec is normally considered a Layer 3 VPN.) Integratedtechnologies are described in Chapter 8.


Copyrig

Security Architectures: These are network security technology archi-tectures that define standard or de facto security architectures basedon basic, enhanced, and integrated technologies and are intendedto provide guidelines for implementing security systems within thearchitectures defined framework. The defined architecture typicallyimplements a number of network security elements. The bestexample of this category is public key infrastructure (PKI). Securityarchitectures are described in Chapter 9.

Note that this categorization is really intended primarily for ease ofunderstanding and application. There are, of course, technologies that canreadily be put into more than one category. For example, EncapsulationSecurity Payload (ESP) is considered to be a basic authentication technol-ogy but it also provides a confidentiality capability. Also, there are tech-nologies implementing security functional services that might not fit inperfectly with any of the five network security functional elements definedin this book.

As will be evident from the rest of the book, the identification of thenetwork security functional elements and the classification and categori-zation of these technologies together allow a much more structured wayof learning about the many existing and developing sometimes com-plementing and sometimes competing network security technologies,as well as how they interrelate and interwork together.

1.2.4 The Framework

The classification into network security functional elements and the cat-egorization of network security technologies as basic functional elementsversus nonbasic elements, together provide a framework for a structuredapproach to studying the fast-evolving and sometimes increasingly con-fusing panorama of these technologies. Figure 1.3 shows a frameworkthat provides such an organized, hierarchical view of security technologies.

This structured, hierarchical view is used in presenting all the legacy,state-of-the-art, and emerging network security technologies in the rest ofthe book. A summary of this view is given in Appendix A.

1.3 THE ORGANIZATION OF THE BOOK

The rest of the book discusses the industrys key network security tech-nologies using this framework.


F

Basic Message Integrity

Technologies

Basic Nonrepudiation

Technologies

Enhanced Message Integrity

Technologies

Enhanced Nonrepudiation

Technologies

Technologies

itectures

AU

3027_book.fm Page 9 W

ednesday, September 1, 2004 5:57 PM

Copyright 2005 by

igure 1.3 A framework for network security technologies.

Basic AuthenticationTechnologies

Basic ConfidentialityTechnologies

Basic AuthorizationTechnologies

Enhanced AuthenticationTechnologies

EnhancedConfidentialityTechnologies

Enhanced AuthorizationTechnologies

Integrated Network Security

Network Security Arch

CRC Press, LLC. All Rights Reserved.

Chapter 2 begins the presentation of network security technologies bydiscussing some of the key basic confidentiality technologies. There are


Copyrig

two major types of confidentiality technologies: hashing functions suchas Message Digest 5 (MD5) and SHA-1, and cryptographic algorithms suchas Rons (or Rivests) Code (RC4), Data Encryption Standard (DES), TripleData Encryption Standard (3DES), etc. As indicated earlier, confidentialitycan be considered to be the most fundamental of all the network securityfunctional elements and this will become evident in later chapters, as wefind that the basic confidentiality technologies discussed in this chapterare used over and over again in other enhanced, integrated, and archi-tectural technologies.

Chapter 3 discusses some basic authentication technologies. Theseinclude Authentication Header technologies such as AH and EncapsulatingSecurity Payload (ESP), packet filtering techniques, and the use of userIDand password authentication methods.

Chapter 4 discusses basic authorization technologies including physicalaccess control, the use of userID and password for authorization, accesscontrol lists (ACLs), and demilitarized zones (DMZs).

Chapter 5 discusses basic message integrity technologies. These includeLayer 2 VPNs such as FR and ATM VPNs, tunneling protocols such asGeneric Routing Encapsulation (GRE), Point-to-Point Tunneling Protocol(PPTP), Layer 2 Tunneling Protocol (L2TP), Multi-Protocol Label Switching(MPLS), PPP over Ethernet (PPPoE), etc., and also the use of authenticationheaders such as AH and ESP for data integrity.

Chapter 6 discusses basic non-repudiation technologies, which includedigital signatures, message authentication code (MAC) algorithms, networkaddress translation (NAT), and port address translation (PAT) technologies.

Chapter 7 discusses enhanced technologies. These include theenhanced authentication and authorization technologies such as userID-and password-based technologies such as Password Authentication Pro-tocol (PAP) and Challenge Handshake Authentication Protocol (CHAP),token cards, PPP-based VPNs of Extensible Authentication Protocol (EAP)and Microsoft Point-to-Point Encryption (MPPE), key-management tech-nologies such as Internet Security Association and Key Management Pro-tocol (ISAKMP), OAKLEY, Internet Key Exchange (IKE), and Simple KeyManagement for Internet Protocol (SKIP), digital signatures and digitalcertificates, wireless WEP, and IEEE 802.11i.

Chapter 8 discusses integrated technologies. Included in this categoryare SSO, firewalls, and higher-layer VPNs such as IP Security (IPSec), SSL,and Simple Key Management for Internet Protocol (TLS).

Chapter 9 discusses four security architectures Remote Access, PKI,federal public key infrastructure (FPKI), and Secure Electronic Transaction(SET).


Chapter 10 discusses the Wireless LAN (WLAN) security architecture.A number of the key WLAN security technologies such as Wired Equivalent


Copyrig

Privacy (WEP) and IEEE 802.11i are included in the discussion.Chapter 11 looks at a number of topics that are related to the imple-

mentation of network security technologies. The topics can be generallycategorized as vulnerability considerations and improvement consider-ations.

At the end of each chapter, a summary section is included to providea useful perspective on certain important aspects of the technologies.

BIBLIOGRAPHY

1. IETF RFC 1825: Security Architecture for the Internet Protocol, R. Atkinson,August 1995.

2. Mike Horton and Clinton Mugge, Network Security Portable Reference,McGraw-Hill/Osborne, 2003.

3. Saadat Malik, Network Security Principles and Practices, Cisco Press, 2003.4. Authentication Policy for Federal Agencies, Draft E, Federal Register, Vol. 68,

No. 133, July 11, 2003.5. Layered Security: Re-Establishing the Trusted Network, NetScreen Technologies

white paper, June 2003.


2


Copyrig

BASIC CONFIDENTIALITY TECHNOLOGIES

This chapter looks at some key basic confidentiality technologies. Confi-dentiality or privacy ensures that the content of a message is not visibleto persons other than the intended or authorized recipients. During evena single session between two message exchanging parties, there mightpotentially be a number of different types of messages that requireconfidentiality. These include the original sensitive data, passwords, secretor private keys that are needed for encryption and decryption of thesensitive data and, maybe, a session that both sides agree on for cryp-tography purposes during bulk file transfer.

Two classes of technologies are commonly used to achieve confiden-tiality:

Hashing algorithms Secret- and public-key cryptography

Both technologies have the ability to hide the meaning of the contentof a message from an unauthorized person. This is the most importantand fundamental capability in any network security system. This capabilityis routinely needed for sending such sensitive information as passwords,signed documents and, of course, important data itself. The more effortsthe intruder needs to put in to understand the message, the more effectivethe technology.

Hashing algorithms such as Message Digest 5 (MD5) do not requirespecial keys for encryption and decryption of messages. Rather, they relyon the natural randomness of messages to achieve a high probability oftwo separate messages not being hashed to the same resulting hashed


messages. In each hashing technology the critical component is thehashing function used.


Copyrig

Key cryptographic algorithms such as Data Encryption Standard (DES),on the other hand, make use of keys for encryption and decryption ofmessages. Closely associated with cryptographic technologies are key-sharing and key-encryption technologies such as the DiffieHellman Algo-rithm, as well as key-management technologies such as Internet KeyExchange (IKE). Key-management technologies ar e considered asenhanced technologies and discussed in Chapter 7.

Software and packages that implement many of the hashing andcryptographic algorithms are commercially available, enabling the conve-nient use of these technologies in different network security applications.

2.1 HASHING ALGORITHMS

A hashing algorithm refers to a mathematical function that takes a variable-size string as input and transforms (hashes) it into a fixed-size string,which is called the hash value, as output. In network security applications,the mathematical function should have the essential properties that thetransformation is one-way and that it is computationally infeasible for twodifferent inputs to produce the same output.

One of the most common uses of hashing in network security is toproduce condensed representations of messages or fingerprints, oftenknown as message digests, by applying a hashing algorithm to anarbitrary amount of data the message.

The two most commonly used hashing algorithms are MD5 and SHA-1 (part of the secure hash standard [SHS]), to be described in the followingtext.

2.1.1 The MD5 Algorithm

The MD5 message-digest algorithm defined in RFC 1321 takes as input amessage of arbitrary length, applies some independent and unbiasedbit-wise operations on the message blocks, and produces as output a 128-bit fingerprint or message digest of the input. With this hashing technique,the conjecture is that it is computationally infeasible to produce twomessages having the same message digest, or to produce any messagehaving a prespecified target message digest. MD5 is designed to be a fastand compact algorithm.

The MD5 algorithm is an extension of the MD4 message-digest algo-rithm by Ronald L. Rivest of MIT. It is slightly slower than MD4, but ismore conservative in design, giving up a little in speed for a much greaterlikelihood of ultimate security.


Given a

b-

bit length message, the MD5 algorithm performs the follow-ing five steps to compute the message digest:


Copyrig

Step 1, append padding bits: The message is padded (extended)so that its length (in bits) is congruent to 448, modulo 512. Thatis, the message is extended so that it is just 64 bits shy of beinga multiple of 512 bits long. Padding is always performed, even ifthe length of the message is already congruent to 448, modulo 512.

Step 2, append length: A 64-bit representation of b (the length ofthe message before the padding bits were added) is appended tothe result of the previous step. In the unlikely event that b isgreater than 264, then only the low-order 64 bits of b are used.(These bits are appended as two 32-bit words and appended low-order word first.) At this point, the resulting message (after paddingwith bits and with b) has a length that is an exact multiple of 512bits. Equivalently, this message has a length that is an exact multipleof sixteen 32-bit words.

Step 3, initialize the MD buffer: A four-word buffer (A, B, C, andD) is used to compute the message digest. Here, A, B, C, and Dare 32-bit registers, which are initialized to the following values inhexadecimal, low-order bytes first: Word A: 01 23 45 67 Word B: 89 ab cd ef Word C: fe dc ba 98 Word D: 76 54 32 10

Step 4, process message in 16-word blocks: This is the main partof the MD5 hashing algorithm and essentially consists of fourrounds of independent and unbiased bit-wise operations on mes-sage blocks using the MD buffers A, B, C, and D (for details, seeIETF RFC 1321).

Step 5, output a 128-bit message digest.

The MD5 message-digest algorithm is simple to implement and pro-vides a fingerprint or message digest of a message of arbitrary length. Itis estimated that the difficulty of coming up with two messages havingthe same message digest is on the order of 264 operations, and that thedifficulty of coming up with any message having a given message digestis on the order of 2128 operations.

2.1.1.1 Common Use

The MD5 algorithm is intended to be used to generate message digestsfor digital signature applications (see Chapter 7), where a large file must


be compressed in a secure manner before being encrypted with a privatekey under a public-key cryptography system such as RSA (see Section


Copyrig

2.4.2).

2.1.2 The SHS Standard

SHS is a Federal Information Processing Standards (FIPS) standard thatspecifies four secure hash algorithms: SHA-1, SHA-256, SHA-384, and SHA-512. SHA-1 generates a 160-bit message digest whereas SHA-256, SHA-384, and SHA-512 generate 256-bit, 384-bit, and 512-bit message digests,respectively.

All four algorithms utilize iterative, one-way hash functions that canprocess a message to produce a condensed representation called a mes-sage digest. These algorithms enable the determination of a messagesintegrity: any change to the message will, with a very high probability,result in a different message digest. This property is useful in the generationand verification of digital signatures and message authentication codes(MACs), and also in the generation of random numbers (bits).

Each algorithm can be described in two stages preprocessing andhash computation:

Preprocessing involves padding a message, parsing the paddedmessage into m-bit blocks, and setting initialization values (IVs) tobe used in the hash computation.

Hash computation generates a message schedule from the paddedmessage and uses that schedule, along with functions, constants,and word operations, to iteratively generate a series of hash values.The final hash value generated by the hash computation is usedto determine the message digest.

The four algorithms differ most significantly in the number of bits ofsecurity provided for the data being hashed this is directly related tothe message digest length. When a secure hash algorithm is used inconjunction with another algorithm, there may be requirements specifiedelsewhere that require the use of a secure hash algorithm having a certainnumber of bits of security. For example, if a message is being signed witha digital signature algorithm that provides 128 bits of security, then thatsignature algorithm may require the use of a secure hash algorithm thatalso provides 128 bits of security (e.g., SHA-256).

Additionally, the four secure hash algorithms differ in terms of the sizeof the blocks and words of data that are used during hashing. Table 2.1presents the basic properties of all four secure hash algorithms.


Table 2.1

SHS Algorithm Properties


Copyrig

2.1.2.1 The SHA-1 Algorithm

SHA-1 is used to hash a message of length

and also a sequence of eighty 32-bit words. The words of the first five-wordbuffer are labeled A, B, C, D, and E. The words of the second five-word


Copyrig

buffer are labeled H0, H1, H2, H3, and H4. The words of the 80-wordsequence are labeled W(0), W(1), , W(79). A single-word buffer, TEMP,is also employed.

2.1.2.1.3 Predefined Functions and Constants

To describe the hash computation method, the following predefined setof functions and constants is required:

A sequence of logical functions f(0), f(1), , f(79) is used. Eachf(t), 0

H2 = 98BADCFE H3 = 10325476


Copyrig

H4 = C3D2E1F0

Now M(1), M(2), , M(n) are processed. To process M(i), we proceedas follows:

a. Divide M(i) into 16 words W(0), W(1), ., W(15), where W(0) isthe leftmost word.

b. For t = 16 to 79 let:W(t) = S^1(W(t 3) XOR W(t 8) XOR W(t 14) XOR W(t 16)).

c. Let A = H0, B = H1, C = H2, D = H3, and E = H4.d. For t = 0 to 79 do:

TEMP = S^5(A) + f(t;B,C,D) + E + W(t) + K(t);E = D; D = C; C = S^30(B); B = A; A = TEMP;

e. Let H0 = H0 + A, H1 = H1 + B, H2 = H2 + C, H3 = H3 + D, andH4 = H4 + E.

After processing M(n), the message digest is the 160-bit string repre-sented by the five words:

H0, H1, H2, H3, and H4.

The SHA-1 specification also defines a second hash computationmethod that saves sixty-four 32-bit words of storage, but this method islikely to lengthen the execution time due to the increased complexity ofthe address computations.

2.1.2.2 Message Digests and Digital Signatures

Figure 2.1 illustrates how SHA-1 can be used with a public-key cryptog-raphy technology such as the digital signature algorithm (DSA) in thegeneration and verification of digital signatures. The following briefly looksat the steps executed by the sender and the receiver of the message:

The Sender: Step 1: The message is hashed using SHA-1 to produce a

message digest. Step 2: The message digest is encrypted (signed) using DSA

with the senders private key. Step 3: The resulting digital signature is appended to the mes-

sage (which is likely also encrypted for confidentiality) and sentout over an unsecured network to the receiver.


Signature Generation Signature Verification

Received Message

Message Digest

Public Key

or

Yes Signature Verified

Signature Verification Failed

SHA-1

DS AlgorithmSign Operation

AU

3027_book.fm Page 20 W

ednesday, September 1, 2004 5:57 PM

Copyright

Figure 2.1 Generation and verification of digital signatures.

Message

SHA-1

Message Digest

Private Key

DS AlgorithmSign Operation

No

DigitalSignature

DigitalSignature


The Receiver: Step 1: The message (which needs to be first decrypted if the


Copyrig

received message is encrypted) is hashed using SHA-1 to pro-duce a message digest.

Step 2: The digital signature is decrypted (verified) with thesenders public key to produce a message digest.

Step 3: The two message digests are compared for a match.

If the two derived message digests match, the digital signature hasbeen positively verified. If they do not match, the message most likelydid not come from the intended sender or, to a lesser extent, the messagehas been altered en route.

Signing the message digest rather than the message typically improvesthe efficiency of the process because the message digest is usually muchsmaller in size than the message itself. The same hashing algorithm mustbe used by the verifier of a digital signature as was used by the creatorof the signature.

2.1.2.3 Common Use

Just as the MD5 algorithm, the SHS hashing algorithms (in particular, SHA-1) are intended to be used for the generation of message digests in digitalsignature applications (e.g., DSA).

2.2 SECRET- AND PUBLIC-KEY CRYPTOGRAPHY

There are two classes of cryptography that are used in network security:secret key (or sometimes known as symmetric key) and public key (orsometimes known as asymmetric key). Secret-key cryptography is char-acterized by the fact that the same key that is used to encrypt the datais also used to decrypt the encrypted data.

Until the mid 1970s, secret-key cryptography was the only form ofcryptography available, so the same secret key had to be known by allindividuals participating in any application that provided a cryptographicsecurity service. Although this form of cryptography was computationallyefficient, it suffered from the shortcoming that only limited security serviceswere offered, and it presented a difficult key-management problembecause the secret keys had to be distributed securely to the communi-cating parties.

However, all this changed when Whitfield Diffie and Martin Hellmanintroduced the notion of public-key cryptography in 1976. This representeda significant breakthrough in cryptography because it enabled services


that could not previously have been entertained, and it also significantlyexpedited the implementation of traditional security services.


Copyrig

Public-key cryptography is based on the use of key pairs. When usinga key pair, only one of the two keys, which is referred to as the privatekey, must be kept secret and under the control of the owning party. Theother key, referred to as the public key, can be disseminated freely foruse by any party who wishes to participate in security services with theparty holding the private key. This is possible because the keys in thepair are mathematically related, but it remains computationally infeasibleto derive the private key from knowledge of the public key. In theory,any individual can send the holder of a private key a message encryptedusing the corresponding public key, and only the holder of the privatekey can decrypt the secure message. Similarly, the holder of the privatekey can establish the integrity and origin of the data he sends to anotherparty by digitally signing the data using his private key. Anyone whoreceives that data can use the associated public key to validate that thedata came from the holder of the private key and to verify that the integrityof the data has been maintained.

Public-key cryptographic algorithms are much more CPU-intensive thansecret-key cryptographic algorithms, but key management is easier toimplement because only public keys need to be distributed. Because ofthe relative ease of key management due to advances in key-managementtechnologies, public-key cryptographic technologies have become themajor driving force behind E-commerce and many other applications overthe Internet.

The following sections describe some of the major secret- and public-key cryptographic technologies used in the network security industry.

2.3 SECRET-KEY CRYPTOGRAPHY ALGORITHMS

These cryptography algorithms only make use of a secret key that isshared by the encryption and decryption operations. One special exampleof a shared secret key is a session key that has been agreed upon throughexchanges of messages during the beginning of a Secure Socket Layer(SSL) session and prior to a typical secure file transfer in which the sessionkey is used to encrypt and decrypt a large amount of data by the senderand the receiver, respectively.

2.3.1 Block Ciphers and Stream Ciphers

Each secret-key cryptography algorithm or cipher typically works in twophases: the key set-up phase and the ciphering or encrypt and decryptphase. There are two major classes of these algorithms: block ciphers and


Key Key Stream


Copyrig

stream ciphers. Block ciphers encrypt plaintext in units of blocks andlikewise decrypt ciphertext in units of blocks, whereas stream ciphersencrypt plaintext in one stream and decrypt ciphertext likewise.

Figure 2.2 depicts the operation of a block cipher. The block cipherfragments the frame into blocks of a predetermined size and performsthe XOR function on each block with the key stream generated by thecipher algorithm. Each block must be of the predetermined size, andleftover frame fragments are padded to the appropriate block size. Forexample, if a block cipher fragments frames into 16-byte blocks, and a38-byte frame is to be encrypted, the block cipher fragments the frameinto two 16-byte blocks and one 6-byte block. The 6-byte block is paddedwith ten bytes of padding to meet the sixteen-byte block size.

Figure 2.3 depicts the operation of a stream cipher such as RC4. Thestream cipher encrypts data by generating a key stream from the key and

Figure 2.2 Block cipher operation.

Figure 2.3 Stream cipher operation.

Ciphertext

Plaintext

XORCipher Ciphertext.

Plaintext

Plaintext

Ciphertext

Plaintext

XORCipher

Key Key Stream


performing the XOR function on the key stream with the plaintext data.The key stream can be any size that matches the size of the plaintext


Copyrig

frame to be encrypted.

2.3.2 DES and 3DES Encryption Standards

DES was originally developed by IBM as Lucifer in the early 1970s. TheNational Security Agency (NSA) and the National Institute of Standardsand Technology (NIST) used a modified version of Lucifer and named itDES. DES was adopted as the federal standard in 1976 [specified in FIPS46-3 and identical to the American National Standards Institute (ANSI)standard Data Encryption Algorithm (DEA) defined in ANSI X3.92]. How-ever, DES became vulnerable as computers became more powerful, andsimple DES has been cracked and is no longer secure. So NIST defined3DES or Triple DES in 1999. 3DES uses three stages of DES and so ismuch more secure and suffices for most applications. In 2001, NISTreplaced DES by the Advanced Encryption Standard (AES). AES is expectedremain strong enough for the next ten to twenty years.

Data DES is a block cipher i.e., it acts on a fixed-length block ofplaintext and converts it into a block of ciphertext of the same size byusing a secret key.

In DES, the block size for plaintext is 64 bits. The length of the keyis also 64 bits but 8 bits are used for parity. Hence the effective key lengthis only 56 bits. In 3DES, three stages of DES are applied using a separatekey for each stage. So the key length in 3DES is 168 bits.

Decryption in DES is done by applying the reverse transformation tothe block of ciphertext using the same key. The DES method of operationis shown below.

2.3.2.1 The Basic DES Algorithm

DES encrypts a plaintext block by a process that has r = 16 rounds asshown in Figure 2.4 and is described below:

The Encryption Process: The block of plaintext is split into two halves (L0, R0), each of

which is 32 bits long. Also, DES uses the original 56-bit key togenerate 16 subkeys of 48 bits each (ki). These subkeys areused in the 16 rounds.

In each round, the function F is applied to one half using asubkey ki , and the result is XORed with the other half. Thetwo halves are then swapped and the process is repeated. All


Rr-1R1R0R2 Lr


Copyrig

the rounds follow the same pattern except the last one, wherethere is no swap.

The final result is the ciphertext (L r, Rr). Hence, the plaintext(L0, R0) is transformed to (Lr, Rr).

The Decryption Process: Decryption is structurally identical to encryption. So the same

mechanism as above is used. However, the input here is thepair (Rr, Lr) instead of (L0, R0).

Also, the input subkeys are applied in the reverse order. So theith subkey is krit1 instead of ki.

The final result is the original text (L0, R0). So the ciphertext(Rr, Lr) was decrypted to (L0, R0).

The function F is a key-dependent complex function known as thecipher function, which takes the 48-bit subkey and a 32-bit plaintext halfas input and produces a 32-bit output for each round of the algorithm.The reader is referred to the FIPS PUB 46-1 publication for a detaileddescription of both the cipher function and the complete encryption anddecryption algorithms.

2.3.2.2 The 3DES Algorithm

3DES uses the same basic machinery of DES three times over, using threekeys k1, k2, and k3. The plaintext (M) is encrypted using k1. This result isencrypted with k2 and the result is then further encrypted with k3 to getthe ciphertext (C). Thus where stands for encryp-tion using ki. This mode of using 3DES is called the DESEEE modebecause all three keys run in encryption mode. The other mode is calledDESEDE, where the second stage is run in decryption mode, i.e.,

stands for encryption using k2.The three keys may or may not be independent. For the DESEDE

mode, three options are defined:

Figure 2.4 The DES algorithm.

F F F

k1

L0L1 L2

k2 kr

Lr-1Rr

C E E E M= k k k3 2 1( ( ( ))) Eki

C E E E M E= k k k k3 2 1 2( ( ( )));


The keys k1, k2, and k3 are independent. k1 and k2 are independent but k1 = k3.


Copyrig

k1 = k2 = k3; in this case, 3DES becomes backward compatible withDES.

2.3.2.3 Common Use

Both DES and 3DES are used in all common security technologies thatutilize encryption and decryption with secret keys.

2.3.3 The AES Standard

The AES standard was developed to replace DES and 3DES. AES uses theRijndael algorithm, a symmetric block cipher algorithm that can processblocks of 128 bits using cipher keys with lengths of 128, 192, and 256 bits.

2.3.3.1 The Rijndael Algorithm

This is an iterative block cipher, which means that the initial input blockand cipher key undergo multiple transformation cycles before producingthe final output. The algorithm can operate over a variable-length blockusing variable-length keys. A 128-, 192-, or 256-bit key can be used toencrypt data blocks that are 128, 192, or 256 bits long, and all nine combi-nations of key and block length are possible. (The accepted AES implemen-tation contains only some of the Rijndael algorithms total capabilities.) Thealgorithm is written so that block length and key length can easily beextended in multiples of 32 bits, and the system is specifically designedfor efficient implementation in hardware or software on a range ofprocessors.

The Rijndael algorithm is a substitutionlinear transformation networkwith ten, twelve, or fourteen rounds, depending on the key size. A datablock to be encrypted by the algorithm is split into an array of bytes, andeach encryption operation is byte-oriented. The Rijndael algorithms roundfunction consists of four layers. In the first layer, an 8 8 substitutiontable also known as an S-box is applied to each byte. The second andthird layers are linear mixing layers, in which the rows of the array areshifted and the columns are mixed. In the fourth layer, subkey bytes areXORed into each byte of the array. In the last round, column mixing isomitted.

NIST selected the Rijndael algorithm for AES because it offers a com-bination of security, performance, efficiency, ease of implementation, andflexibility. Specifically, it has the following advantages:


Table 2.2 AES versus 3DES


Copyrig

The Rijndael algorithm appears to be consistently a very good per-former when implemented in both hardware and software across awide range of computing environments, regardless of whether it isused in the feedback mode or in the nonfeedback mode.

Its key set-up time is excellent, and its key agility is good. The very low memory requirements of the Rijndael algorithm make

it very well suited for restricted-space environments while stilldemonstrating excellent performance.

The Rijndael algorithm operations are among the easiest to defendagainst power and timing attacks.

Additionally, it appears that a measure of defense can be providedagainst such attacks without significantly impacting the algorithmsperformance.

Finally, the algorithms internal round structure appears to havegood potential for benefiting from instruction-level parallelism.

2.3.3.2 AES versus 3DES

Table 2.2 is not intended to provide absolute comparative merits butrather, some additional relevant information.

2.3.3.3 Common Use

Just as DES and 3DES, AES is used in all common security technologiesthat require cryptography utilizing secret keys.

AES, already a standard for new implementations in the U.S. govern-ment, is gradually being rolled out in many different encryption protocolsincluding IEEE 802.11, IPSec, S/MIME, and TLS.

AES 3DES

Type of Algorithm Symmetric, block cipher Symmetric, Feistel cipherKey Size (in bits) 128, 192, 256 112 or 168Speed High LowTime to Crack

(assume a machine could try 255 keys per second NIST)

149 trillion years 4.6 billion years

Resource Consumption

Low Medium


2.3.4 The RC4 Cipher

RC4 is a stream cipher designed by R. Rivest in 1987. It is a variable key-


Copyrig

size stream cipher with byte-oriented operations. The algorithm is basedon the use of random permutation operations. Analysis shows that theperiod of the cipher is overwhelmingly likely to be greater than 10100.Eight to sixteen machine operations are required per output byte, and thecipher can be expected to run very quickly in software. RC4 is consideredto be a secure algorithm.

RC4 uses a variable-length key from 1 to 256 bytes to initialize a 256-byte state table. The state table is used for the subsequent generation ofpseudorandom bytes and then to generate a pseudorandom stream, whichis XORed with plaintext to give ciphertext. Each element in the state tableis swapped at least once.

The RC4 key is often limited to 40 bits because of U.S. export restric-tions, but it is sometimes used as a 128-bit key for strong encryption. Thealgorithm has the capability of using keys between 1 and 2048 bits.

RC4 is used in many commercial software packages, such as LotusNotes and Oracle Secure SQL. It is also defined in the Cellular Specifica-tions.

2.3.4.1 The RC4 Algorithm

The RC4 algorithm works in two phases: key setup and ciphering.Key setup is the first and more difficult phase of this algorithm. During

an N-bit key setup (where N is the key length), the encryption key isused to generate an encrypting variable by utilizing two arrays, state andkey, and N-number of mixing operations. These mixing operations consistof swapping bytes, modulo operations, and other formulas. A modulooperation is the process of obtaining the remainder from a division. Forexample, 11 4 is 2 remainder 3; therefore, 11 mod 4 would be equal to 3.

Once the encrypting variable is produced from the key setup, it entersthe ciphering phase, where it is XORed with the plaintext message tocreate an encrypted message. Once the receiver gets the encrypted mes-sage, he or she decrypts it by XORing it with the same encrypting variable.

2.3.4.2 Common Use

RC4 is widely used in commercial applications including Oracle SQL,Microsoft Windows, PERL, and the SSL technology (Chapter 8) for bothfile encryption and secure communication over the network, includingWireless LANs (WLANs).


2.4 PUBLIC-KEY CRYPTOGRAPHY

Public-key cryptography is based on the use of private and public key


Copyrig

pairs. The private key must be kept secret and under the control of theowner, and the public key can be disseminated freely to the public.

2.4.1 Public Key Cryptography Standards

It is worth noting that Public Key Cryptography Standards (PKCS) arespecifications produced by RSA Laboratories in cooperation with securesystems developers worldwide for the purpose of accelerating the deploy-ment of public-key cryptographic technologies. First published in 1991 asa result of meetings with a small group of early adopters of public-keycryptographic technologies, the PKCS documents have become widelyreferenced and implemented. The PKCS standards cover RSA encryption,DiffieHellman key agreement, password-based encryption, extended-certificate syntax, private-key information syntax, and certification requestsyntax, as well as selected attributes.

The following table lists the standards defined by PKCS:

PKCS #1: RSA Cryptography Standard PKCS #2: Has been incorporated into PKCS #1 PKCS #3: DiffieHellman Key Agreement Standard PKCS #4: Has been incorporated into PKCS #1 PKCS #5: Password-Based Cryptography Standard PKCS #6: Extended-Certificate Syntax Standard PKCS #7: Cryptographic Message Syntax Standard PKCS #8: Private-Key Information Syntax Standard PKCS #9: Selected Attribute Types PKCS #10: Certification Request Syntax Standard PKCS #11: Cryptographic Token Interface Standard PKCS #12: Personal Information Exchange Syntax Standard PKCS #13: Elliptic Curve Cryptography Standard PKCS #15: Cryptographic Token Information Format Standard

Contributions from the PKCS standards series have become part ofmany formal and de facto standards, including PKIX, SET, S/MIME, and SSL.

ANSI and RivestShamirAdleman (RSA) PKCS both define digital sig-nature mechanisms with very similar underlying principles. RSA PKCS #1v2.0 describes the RSA algorithm and ways to use that algorithm for bothencryption and decryption and for digital signature generation and veri-fication. ANSI X9.31 similarly defines a digital signature mechanism that


is based on the same RSA algorithm and, overall, the two digital signaturemechanisms have only small variations.


Copyrig

It should be noted that whereas the RSA algorithm is considered inour network security framework to be a basic cryptographic technologyin this book, the overall digital signature mechanisms defined in the ANSIX9.31 and PKCS specifications are enhanced, non-repudiation technologiesand will be discussed further in Chapter 7.

The RSA algorithm is summarized in the following text.

2.4.2 The RSA Algorithm

The RSA public- and private-key cryptographic algorithm is defined inANSI X9.31 as part of the RSA PKCS. RSA PKCS are specifications producedby RSA Laboratories in cooperation with secure systems developers world-wide for the purpose of accelerating the deployment of public-key cryp-tography. First published in 1991 as a result of meetings with a smallgroup of early adopters of public-key technology, the PKCS documentshave become widely referenced and implemented. The RSA algorithmdepends on a public and private key pair.

2.4.2.1 The Key-Generation Algorithm

The following steps are used to generate the public and private key pair:

Step 1: Generate two large random primes, p and q, of approxi-mately equal size such that their product n = pq is of the requiredbit length, e.g., 1024 bits.

Step 2: Compute n = pq and = (p 1)(q 1). Step 3: Choose an integer e, 1 < e < , such that gcd (e, ) = 1. Step 4: Compute the secret exponent d, 1 < d < , such that ed 1

(mod ). Step 5: The public key is (n, e) and the private key is (n, d). The

values of p, q, and should also be kept secret.

2.4.2.2 Encryption by Sender A

Sender A does the following:

Step 1: Obtains the recipient Bs public key (n, e). Step 2: Represents the plaintext message as a positive integer m < n. Step 3: Computes the ciphertext c = me mod n. Step 4: Sends the ciphertext c to B.


2.4.2.3 Decryption by Recipient B

Recipient B does the following:


Copyrig

Step 1: Uses the private key (n, d) to compute m = cd mod n. Step 2: Extracts the plaintext from the integer representative m.

2.4.2.4 Common Use

Contributions from the PKCS standards series have become parts of manyformal and de facto standards, including the ANSI X9 documents and theRSA algorithms (including improved RSA algorithms such as RSA-PSS),and have found their way into many other network security technologiessuch as PKIX, SET, S/MIME, and SSL.

2.4.3 Digital Signature Cryptography Algorithms

The DSA algorithm and the Elliptic Curve Digital Signature Algorithm(ECDSA; defined in ANSI X9.62) are FIPS-approved digital cryptographicalgorithms that are used in digital signature generation and verificationwithin the digital signature standards (DSS) specifications. Digital signa-tures themselves are considered to be an enhanced technology and willbe described in more detail in Chapter 7.

DSA and ECDSA allow a signatory to generate a digital signature on apiece of data and a verifier to verify the authenticity of the signature. Eachsignatory has a public and private key. The private key is used in the signaturegeneration process and the public key is used in the signature verificationprocess. The signature generation and verification processes involve the useof either algorithm (DSA or ECDSA) to encrypt and decrypt a message usingthe private and public keys, respectively. An adversary, who does not knowthe private key of the signatory, cannot generate the correct signature of thesignatory. However, by using the signatorys public key, anyone can verifya correctly signed message. A means of associating public and private keypairs to the corresponding users (i.e., key management) is required (seeChapter 7 and Chapter 9 on key-management technologies).

It is important to note that the DSA and ECDSA encryption anddecryption algorithms, just like the RSA algorithm, are considered to bebasic cryptographic technologies even though they are defined in thespecifications of the DSS, which is considered to be an enhanced, non-repudiation technology.

2.4.3.1 The DSA Algorithm

The following text summarizes the encryption (signature generation) anddecryption (signature verification) operations in the DSA algorithm.


The DSA algorithm makes use of the following parameters:


Copyrig

p = a prime modulus, where 2L1 < p < 2L for 512 = < L = 1 (g has order q mod p). x = a randomly or pseudorandomly generated integer with 0 < x < q. y = gx mod p. k = a randomly or pseudorandomly generated integer with 0 < k < q.

The integers p, q, and g can be public and can be common to a groupof users. A users private and public keys are x and y, respectively. Theyare normally fixed for a period of time. Parameters x and k are used forsignature generation only, and must be kept secret. Parameter k must beregenerated for each signature.

2.4.3.1.1 DSA Signature Generation

The signature of a message M is the pair of numbers r and s computedaccording to the equations below:

r = (gk mod p) mod q and s = (k 1 (SHA-1(M) + xr)) mod q.

In the above, k1 is the multiplicative inverse of k, mod q, i.e., (k1 k)mod q = 1 and 0 < k1 < q. The value of SHA-1(M) is a 160-bit stringoutput by the secure hash algorithm (SHA-1) specified in FIPS 180-1 (seeSection 2.1.2.1).

As an option, one may wish to check if r = 0 or s = 0. If either r =0 or s = 0, a new value of k should be generated and the signature shouldbe recalculated (it is extremely unlikely that r = 0 or s = 0 if signaturesare generated properly).

The signature is transmitted along with the message to the verifier.

2.4.3.1.2 DSA Signature Verification

Prior to verifying the signature in a signed message, p, q, and g plus thesenders public key and identity are made available to the verifier in anauthenticated manner.

Let M, r, and s be the received versions of M, r, and s, respectively,and let y be the public key of the signatory. To verify the signature, theverifier first checks to see that 0 < r < q and 0 < s < q; if either condition


is violated, the signature is rejected. If these two conditions are satisfied,the verifier computes


Copyrig

w = (s) 1 mod qu1 = ((SHA-1(M))w) mod qu2 = ((r)w) mod qv = (((g)u1 and (y)u2) mod p) mod q

If v = r 1, then the signature is verified and the verifier can have highconfidence that the received message was sent by the party holding thesecret key x corresponding to the public key y.

If v does not equal r 1, then the message may have been modified, themessage may have been incorrectly signed by the signatory, or the messagemay have been signed by an impostor. The message should be consideredinvalid.

2.4.3.2 The ECDSA Algorithm

The ECDSA digital signature algorithm is a FIPS-approved cryptographicalgorithm for digital signature generation and verification. ECDSA is theelliptic curve analog of the DSA. ECDSA is described in ANSI X9.62.

2.4.3.3 Common Use

Just as RSA, DSA and ECDSA are used in digital signature generation andverification. In fact, all three algorithms are FIPS approved for the gener-ation and verification of digital signatures.

2.5 THE DIFFIEHELLMAN KEY-EXCHANGE ALGORITHM

The DiffieHellman Key-Agreement Protocol (also called Exponential KeyAgreement) was developed by Diffie and Hellman in 1976 and publishedin the groundbreaking paper New Directions in Cryptography in theIEEE Transactions on Information Theory. The protocol allows two usersto securely exchange a shared key over an insecure medium withoutactually transmitting this key. The algorithm is utilized in the OAKLEYkey-management protocol to allow two communicating entities to nego-tiate methods for encryption, key derivation, and authentication (describedin Chapter 7).

Note that this key-exchange algorithm works with any key, whetherit is a secret key, a private key, or a session key.


Alice Bob


Copyrig

2.5.1 An Overview of the Algorithm

The protocol has two system parameters p and g. They are both publicand may be used by all the users in a system. Parameter p is a primenumber and parameter g is the primitive root (usually called a generator)and is an integer less than p, which is capable of generating every elementfrom one to p 1 when multiplied by itself a certain number of times,modulo the prime p.

The diagram in Figure 2.5 illustrates the algorithm, which is explainedin the following text. Alice and Bob agree upon a prime number p anda primitive root g. Alice generates a random number x, calculates A = gx

mod p, and sends this to Bob. Bob also generates a random number y,calculates B = gy mod p, and sends this to Alice. Now Alice calculates gxy

mod p and Bob does the same.The shared key is gxy mod p. An attacker only gets to know the numbers

g, p, A, and B but not x and y. The attacker needs x and y to computethe key. The DiffieHellman problem is based on the difficulty of calcu-lating discrete logarithms, so it is not possible to calculate x from A, p,and g, or y from B, p, and g.

Thus, a shared key has been successfully exchanged without actuallysending the key over the network. This is obviously a secure way toexchange keys.

2.5.2 Common Use

As indicated earlier, the DiffieHellman algorithm has been used in thedefinition of the OAKLEY key-management protocol which, in turn, has

Figure 2.5 The DiffieHellman key-exchange algorithm.

generate x

Bx = gxy mod p

g and p agreedg and p agreed

generate x

secret keysecret key

B = gy mod p

Ay = gxy mod p

A = gx mod p


been partially used in defining the IPSec Internet Key Exchange Protocol(IKE). Both OAKLEY and IKE are described further in Chapter 7.


Copyrig

2.6 SUMMARY

Confidentiality functional elements play a central role in secure commu-nications and, as a result, hashing algorithms and key-based (secret key,and public and private key pairs) cryptographic algorithms are the basictechnologies that are employed over and over again in most other networksecurity technologies and in various applications. In addition, programmedpackages and software are readily available commercially and academicallyfor different operating environments. For example, the hashing algorithmMD5 is used to produce message digests and, in turn, RSA is then usedto generate digital signatures. Similarly, SHA-1 is used with public-keyDSA in digital signature applications also.

The secret-key cryptographic algorithm AES, which is considered tobe more secure than the earlier DES or 3DES algorithm, is used in manypopular network security technologies including IPSec VPNs, Secure MIME(S/MIME), TLS (a follow-up to SSL), and WLAN.

RC4 is a secret-key stream cipher and is used in WLAN security aswell as many other applications.

A number of public-key cryptographic algorithms have been definedfor use in areas where public cryptography is applied: the RSA algorithmused in both PKCS #1 v.2 and ANSI 9.31 (both digital signature specifi-cations), DSA, and ECDSA.

The DiffieHellman is a very heavily used secret-key-exchange algo-rithm because it accomplishes secure key exchange without actuallysending the key over the network. For example, it is used in key-management technologies such as OAKLEY and IKE, and IKE forms acentral part of the public-key architecture PKI, as is described in Chapter 9.

Bibliography

1. IETF RFC 1321: The MD5 Message-Digest Algorithm. April 1992.2. FIPS PUB 46-2: Data Encryption Standard (DES), October 25, 1999.3. 3DES and Encryption, tutorial by K. Castelino.4. FIPS PUB 197: Specification for the Advanced Encryption Standard (AES),

November 26, 2001.5. IETF RFC 3565: Use of the Advanced Encryption Standard (AES) Encryption

Algorithm in Cryptographic Message Syntax (CMS), July 2003.6. PKCS #1 v2.1: RSA Cryptography Standard, RSA Laboratories, June 14, 2002.7. Wireless LAN Security, Cisco White Paper, 2002.8. FIPS PUB 186-2: Digital Signature Standard (DSS), National Institute of Standards

and Technology, January 27, 2000.9. FIPS PUB 180-2: Secure Hash Standard (SHS), National Institute of Standards

and Technology, August 1, 2002.


10. W. Diffie and M.E. Hellman, New directions in cryptography, IEEE Transactionson Information Theory, IT 22: 644654, 1976.


Copyrig

11. Robert Neumann, Security Association and Key Management, ISAKMP andOAKLEY protocols seminar work, January 28, 2003.

12. R. Rivest, RC4 Encryption Algorithm, History and Description of the Algorithm.13. IETF RFC 2104: HMAC: Keyed-Hashing for Message Authentication, H. Krawc-

zyk, M. Bellare, and R. Canetti, February 1997.14. IETF RFC 3174: US Secure Hash Algorithm 1 (SHA1), D. Eastlake, 3rd, and P.

Jones, September 2001.15. Burt Kaliski, Raising the Standard for RSA Signatures: RSA-PSS, RSA Laborato-

ries, February 26, 2003.


3


Copyrig

BASIC AUTHENTICATION TECHNOLOGIES

Authentication ensures the integrity of user identities through the identi-fication of legitimate users and the rejection of others. Legitimate userswould be allowed to proceed with their business to some extent, eventhough they can still subsequently be limited in what they can actuallydo or rejected by other aspects of security controls, such as authorization.In this chapter, we look at some basic authentication technologies, i.e.,technologies that are intended primarily for the

s2.bitdownload.irs2.bitdownload.ir/Ebook/Computer Science/Networks/Fung - Network... · the rounds...

Documents

Transcript of s2.bitdownload.irs2.bitdownload.ir/Ebook/Computer Science/Networks/Fung - Network... · the rounds...