Computer Networks: A Systems Approach, 5e - Chapter 8 PDF
Indiana University–Purdue University Indianapolis
2010
Larry L. Peterson and Bruce S. Davie
Summary
This document is chapter 8 of the textbook "Computer Networks: A Systems Approach, 5e." It discusses network security, including topics such as Cryptography, Ciphers and Firewalls.
Full Transcript
Computer Networks: A Systems Approach, 5e
Larry L. Peterson and Bruce S. Davie
Chapter 8: Network Security
Copyright © 2010, Elsevier Inc. All rights reserved.

Problem

Computer networks are a resource shared among competing businesses, mutually antagonistic governments, and opportunistic criminals. Network conversations must be kept from being compromised by an adversary.

- Confidentiality: an adversary can’t read the contents of your encrypted message.
- Data integrity: the data you made won’t be modified by unauthorized persons.
- Originality (who made the work)
- Timeliness
- Authentication (fake DNS): to ensure that you really are talking to whom you think you’re talking.
- Availability (DDoS attack): to ensure a degree of access.
- Healthiness (contamination)

Chapter Outline

- Cryptographic Building Blocks
- Key Pre-Distribution
- Authentication Protocols
- Example Systems
- Firewalls

Cryptographic Building Blocks

Cryptography-based security relies on cryptographic algorithms—ciphers and cryptographic hashes. Cryptographic algorithms are parameterized by keys.

[Figure: Symmetric-key encryption and decryption]

Principles of Ciphers

Encryption transforms a message in such a way that it becomes unintelligible to any party that does not have the secret of how to reverse the transformation. The sender applies an encryption function to the original plaintext message, resulting in a ciphertext message that is sent over the network. The ciphertext transmitted across the network is unintelligible to any eavesdropper, assuming she doesn’t know the decryption function. An encryption algorithm turns plaintext into ciphertext in such a way that only the intended recipient—the holder of the decryption key—can recover the plaintext. The receiver applies a secret decryption function to recover the original plaintext.
Block Ciphers

Cipher block chaining (CBC): each plaintext block is XORed with the previous block’s ciphertext before being encrypted. The result is that each block’s ciphertext depends in part on the preceding blocks, i.e. on its context. Since the first plaintext block has no preceding block, it is XORed with a random number. That random number, called an initialization vector (IV), is included with the series of ciphertext blocks so that the first ciphertext block can be decrypted. Block ciphers are always augmented to make the ciphertext for a block vary depending on context.

[Figure: Cipher block chaining (CBC)]

Symmetric Key Ciphers

In a symmetric-key cipher, both participants in a communication share the same key. In other words, if a message is encrypted using a particular key, the same key is required for decrypting the message.

Standards for symmetric-key ciphers:

- Data Encryption Standard (DES) was the first, and it has stood the test of time in that no cryptanalytic attack better than brute force search has been discovered. Brute force search, however, has gotten faster. DES’s keys (56 independent bits) are now too small given current processor speeds.
- Triple DES (3DES) increases the key size: 168 (= 3 × 56) independent bits are used as three DES keys. For example, assume DES-key1, DES-key2, and DES-key3. 3DES-encryption of a block is performed by first DES-encrypting the block using DES-key1, then DES-decrypting the result using DES-key2, and finally DES-encrypting that result using DES-key3. Decryption involves decrypting using DES-key3, then encrypting using DES-key2, then decrypting using DES-key1.
- Advanced Encryption Standard (AES). AES supports key lengths of 128, 192, or 256 bits, and the block length is 128 bits.

Public Key Ciphers

Asymmetric, or public-key, ciphers.
A pair of related keys is used, one for encryption and a different one for decryption. The pair is “owned” by just one participant.

- The owner keeps the decryption key secret, so only the owner can decrypt messages (private key).
- The owner makes the encryption key public (public key), so anyone can encrypt messages for the owner.
- It must not be possible to deduce the private key from the public key.

Any participant can get the public key and send an encrypted message to the owner, and only the owner has the private key necessary to decrypt it.

[Figure: Public-key encryption]

An important additional property of public-key ciphers is that the private “decryption” key can be used with the encryption algorithm to encrypt messages so that they can only be decrypted using the public “encryption” key. This property clearly wouldn’t be useful for confidentiality since anyone with the public key could decrypt such a message. This property is, however, useful for authentication since it tells the receiver of such a message that it could only have been created by the owner of the keys.

[Figure: Authentication using public keys]

The concept of public-key ciphers was first published in 1976 by Diffie and Hellman. The best-known public-key cipher is RSA, named after its inventors: Rivest, Shamir, and Adleman. RSA relies on the high computational cost of factoring large numbers. Another public-key cipher is ElGamal. Like RSA, it relies on a mathematical problem, the discrete logarithm problem, for which no efficient solution has been found, and requires keys of at least 1024 bits.
Authenticator

An authenticator is a value, to be included in a transmitted message, that can be used to verify simultaneously the authenticity and the data integrity of a message. One kind of authenticator combines encryption and a cryptographic hash function. Cryptographic hash algorithms are treated as public knowledge, as with cipher algorithms. A cryptographic hash function (also known as a cryptographic checksum) is a function that outputs sufficient redundant information about a message to expose any tampering.

Just as a checksum or CRC exposes bit errors introduced by noisy links, a cryptographic checksum is designed to expose deliberate corruption of messages by an adversary. The value it outputs is called a message digest and, like an ordinary checksum, is appended to the message. All the message digests produced by a given hash have the same number of bits regardless of the length of the original message. Since the space of possible input messages is larger than the space of possible message digests, there will be different input messages that produce the same message digest, like collisions in a hash table.

There are several common cryptographic hash algorithms, including MD5 (for Message Digest 5) and Secure Hash Algorithm 1 (SHA-1). MD5 outputs a 128-bit digest, and SHA-1 outputs a 160-bit digest. A digest encrypted with a public key algorithm but using the private key is called a digital signature because it provides nonrepudiation like a written signature.

Another kind of authenticator is similar, but instead of encrypting a hash, it uses a hash-like function that takes a secret value (known to only the sender and the receiver) as a parameter.
Such a function outputs an authenticator called a message authentication code (MAC). The sender appends the MAC to her plaintext message. The receiver recomputes the MAC using the plaintext and the secret value, and compares that recomputed MAC to the received MAC.

A common variation on MACs is to apply a cryptographic hash (such as MD5 or SHA-1) to the concatenation of the plaintext message and the secret value. The resulting digest is called a hashed message authentication code (HMAC) since it is essentially a MAC. The HMAC, but not the secret value, is appended to the plaintext message. Only a receiver who knows the secret value can compute the correct HMAC to compare with the received HMAC.

[Figure: Computing a MAC versus computing an HMAC]

Key Pre-Distribution

To use ciphers and authenticators, the communicating participants need to know what keys to use. In the case of a symmetric-key cipher, how does a pair of participants obtain the key they share? In the case of a public-key cipher, how do participants know what public key belongs to a certain participant? The answer differs depending on whether the keys are short-lived session keys or longer-lived pre-distributed keys.

A session key is a key used to secure a single, relatively short episode of communication: a session. Each distinct session between a pair of participants uses a new session key, which is always a symmetric key, for speed. The participants determine what session key to use by means of a protocol—a session key establishment protocol. A session key establishment protocol needs its own security (so that, for example, an adversary cannot learn the new session key); that security is based on the longer-lived pre-distributed keys.
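The authenticators described under Authenticator above, as an added example that is not from the textbook or the slides: an unkeyed digest appended to a message, the hash-of-concatenation construction as the slides describe it, and the standardized HMAC from Python's hmac module, which hashes in two nested passes over a padded key instead of a single concatenation. SHA-256 is used in place of MD5 or SHA-1, and the function names and sample messages are constructed for illustration.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size      # 32 bytes

def digest_only(message: bytes) -> bytes:
    """Append an unkeyed message digest: anyone can recompute it."""
    return message + hashlib.sha256(message).digest()

def verify_digest_only(packet: bytes):
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    ok = hmac.compare_digest(hashlib.sha256(message).digest(), tag)
    return message if ok else None

def concat_mac(secret: bytes, message: bytes) -> bytes:
    """Hash of (message || secret), the variation described in the text."""
    return hashlib.sha256(message + secret).digest()

def std_hmac(secret: bytes, message: bytes) -> bytes:
    """Standardized HMAC as implemented by the standard library."""
    return hmac.new(secret, message, hashlib.sha256).digest()

def seal(secret: bytes, message: bytes, mac=std_hmac) -> bytes:
    """Sender: append the authenticator (never the secret) to the plaintext."""
    return message + mac(secret, message)

def unseal(secret: bytes, packet: bytes, mac=std_hmac):
    """Receiver: recompute the authenticator and compare in constant time."""
    if len(packet) < TAG_LEN:
        return None                         # too short to carry a tag
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return message if hmac.compare_digest(mac(secret, message), tag) else None

if __name__ == "__main__":
    secret = b"constructed shared secret"
    original = b"transfer 10 to bob"        # constructed sample message
    altered = b"transfer 99 to bob"

    # A modified message with a recomputed unkeyed digest still verifies.
    print("digest only, altered:", verify_digest_only(digest_only(altered)))

    # With a keyed authenticator the old tag no longer matches the new text.
    packet = seal(secret, original)
    print("hmac, intact:", unseal(secret, packet))
    print("hmac, altered:", unseal(secret, altered + packet[-TAG_LEN:]))
```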
There are several motivations for this division of labor between session keys and pre-distributed keys:

- Limiting the amount of time a key is used results in less time for computationally intensive attacks, less ciphertext for cryptanalysis, and less information exposed should the key be broken.
- Pre-distribution of symmetric keys is problematic.
- Public key ciphers are generally superior for authentication and session key establishment but too slow to use for encrypting entire messages for confidentiality.

Pre-Distribution of Public Keys

The algorithms to generate a matched pair of public and private keys are publicly known, and software that does it is widely available. So if Alice wanted to use a public key cipher, she could generate her own pair of public and private keys, keep the private key hidden, and publicize the public key. But how can she publicize her public key—assert that it belongs to her—in such a way that other participants can be sure it really belongs to her?

A complete scheme for certifying bindings between public keys and identities—what key belongs to who—is called a Public Key Infrastructure (PKI). A PKI starts with the ability to verify identities and bind them to keys out of band. By “out of band,” we mean something outside the network and the computers that comprise it, such as in the following scenarios.

If Alice and Bob are individuals who know each other, then they could get together in the same room and Alice could give her public key to Bob directly, perhaps on a business card.

If Bob is an organization, Alice the individual could present conventional identification, perhaps involving a photograph or fingerprints.
If Alice and Bob are computers owned by the same company, then a system administrator could configure Bob with Alice’s public key.

A digitally signed statement of a public key binding is called a public key certificate, or simply a certificate.

One of the major standards for certificates is known as X.509. This standard leaves a lot of details open, but specifies a basic structure. A certificate clearly must include:

- the identity of the entity being certified
- the public key of the entity being certified
- the identity of the signer
- the digital signature
- a digital signature algorithm identifier (which cryptographic hash and which cipher)

Certification Authorities

A certification authority or certificate authority (CA) is an entity claimed (by someone) to be trustworthy for verifying identities and issuing public key certificates. There are commercial CAs, governmental CAs, and even free CAs. To use a CA, you must know its own key. You can learn that CA’s key, however, if you can obtain a chain of CA-signed certificates that starts with a CA whose key you already know. Then you can believe any certificate signed by that new CA.

Pre-Distribution of Symmetric Keys

If Alice wants to use a secret-key cipher to communicate with Bob, she can’t just pick a key and send it to him because, without already having a key, they can’t encrypt this key to keep it confidential and they can’t authenticate each other. As with public keys, some pre-distribution scheme is needed. Pre-distribution is harder for symmetric keys than for public keys for two obvious reasons:

While only one public key per entity is sufficient for authentication and confidentiality, there must be a symmetric key for each pair of entities who wish to communicate. If there are N entities, that means N(N − 1)/2 keys.
Unlike public keys, secret keys must be kept secret.

Authentication Protocols

[Figure: A challenge-response protocol]

Public Key Authentication Protocols

[Figure: A public-key authentication protocol that depends on synchronization]

[Figure: A public-key authentication protocol that does not depend on synchronization. Alice checks her own timestamp against her own clock, and likewise for Bob.]

Symmetric Key Authentication Protocols

[Figure: The Needham-Schroeder authentication protocol]

[Figure: Kerberos Authentication]

Diffie-Hellman Key Agreement

The Diffie-Hellman key agreement protocol establishes a session key without using any pre-distributed keys. The messages exchanged between Alice and Bob can be read by anyone able to eavesdrop, and yet the eavesdropper won’t know the session key that Alice and Bob end up with. On the other hand, Diffie-Hellman doesn’t authenticate the participants. Since it is rarely useful to communicate securely without being sure whom you’re communicating with, Diffie-Hellman is usually augmented in some way to provide authentication. One of the main uses of Diffie-Hellman is in the Internet Key Exchange (IKE) protocol, a central part of the IP Security (IPSEC) architecture.

The Diffie-Hellman protocol has two parameters, p and g, both of which are public and may be used by all the users in a particular system. Parameter must be a prime number.
The integers (short for modulo ) are through , since is the remainder after is divided by , and form what mathematicians call a group under multiplication. Parameter (usually called a generator) must be a primitive root of : for every number from through there must be some value such that.

For example, if p were the prime number 5 (a real system would use a much larger number), then we might choose 2 to be the generator g since:

1 = 2^0 mod p
2 = 2^1 mod p
3 = 2^3 mod p
4 = 2^2 mod p

Suppose Alice and Bob want to agree on a shared symmetric key. Alice and Bob, and everyone else, already know the values of and. Alice generates a random private value and Bob generates a random private value. Both a and b are drawn from the set of integers. Alice and Bob derive their corresponding public values—the values they will send to each other unencrypted—as follows. Alice’s public value is and Bob’s public value is They then exchange their public values. Finally, Alice computes and Bob computes .

[Figure: A man-in-the-middle attack]

Example Systems

Pretty Good Privacy (PGP)

Pretty Good Privacy (PGP) is a widely used approach to providing security for electronic mail. It provides authentication, confidentiality, data integrity, and nonrepudiation.
Originally devised by Phil Zimmerman, it has evolved into an IETF standard known as OpenPGP. PGP’s confidentiality and receiver authentication depend on the receiver of an email message having a public key that is known to the sender. To provide sender authentication and nonrepudiation, the sender must have a public key that is known by the receiver. These public keys are pre-distributed using certificates and a web-of-trust PKI. PGP supports RSA and DSS for public key certificates.

[Figure: PGP’s steps to prepare a message for emailing from Alice to Bob]

Secure Shell (SSH)

The Secure Shell (SSH) protocol is used to provide a remote login service, and is intended to replace the less-secure Telnet and rlogin programs used in the early days of the Internet. SSH is most often used to provide strong client/server authentication/message integrity—where the SSH client runs on the user’s desktop machine and the SSH server runs on some remote machine that the user wants to log into—but it also supports confidentiality. Telnet and rlogin provide none of these capabilities. Note that “SSH” is often used to refer to both the SSH protocol and applications that use it; you need to figure out which from the context.

[Figure: Using SSH port forwarding to secure other TCP-based applications]

Transport Layer Security (TLS, SSL, HTTPS)

[Figure: Handshake protocol to establish TLS session]

IP Security (IPSec)

Support for IPsec, as the architecture is called, is optional in IPv4 but mandatory in IPv6. IPsec is really a framework (as opposed to a single protocol or system) for providing all the security services discussed throughout this chapter. IPsec provides three degrees of freedom.
First, it is highly modular, allowing users (or more likely, system administrators) to select from a variety of cryptographic algorithms and specialized security protocols. Second, IPsec allows users to select from a large menu of security properties, including access control, integrity, authentication, originality, and confidentiality. Third, IPsec can be used to protect “narrow” streams (e.g., packets belonging to a particular TCP connection being sent between a pair of hosts) or “wide” streams (e.g., all packets flowing between a pair of routers).

When viewed from a high level, IPsec consists of two parts. The first part is a pair of protocols that implement the available security services. They are the Authentication Header (AH), which provides access control, connectionless message integrity, authentication, and antireplay protection, and the Encapsulating Security Payload (ESP), which supports these same services, plus confidentiality. AH is rarely used so we focus on ESP here. The second part is support for key management, which fits under an umbrella protocol known as ISAKMP: Internet Security Association and Key Management Protocol.

The abstraction that binds these two pieces together is the security association (SA). An SA is a simplex (one-way) connection with one or more of the available security properties. Securing a bidirectional communication between a pair of hosts—corresponding to a TCP connection, for example—requires two SAs, one in each direction. Although IP is a connectionless protocol, security depends on connection state information such as keys and sequence numbers. When created, an SA is assigned an ID number called a security parameters index (SPI) by the receiving machine.

IPsec supports a tunnel mode as well as the more straightforward transport mode.
Each SA operates in one or the other mode. In a transport mode SA, ESP’s payload data is simply a message for a higher layer such as UDP or TCP. In this mode, IPsec acts as an intermediate protocol layer, much like SSL/TLS does between TCP and a higher layer. When an ESP message is received, its payload is passed to the higher level protocol. In a tunnel mode SA, however, ESP’s payload data is itself an IP packet.

[Figure: IPsec’s ESP format]

[Figure: An IP packet with a nested IP packet encapsulated using ESP in tunnel mode. Note that the inner and outer packets have different addresses.]

Wireless Security (IEEE 802.11i)

The IEEE 802.11i standard provides authentication, message integrity, and confidentiality to 802.11 (Wi-Fi) at the link layer. WPA2 (Wi-Fi Protected Access 2) is often used as a synonym for 802.11i, although it is technically a trademark of The Wi-Fi Alliance that certifies product compliance with 802.11i.

802.11i authentication supports two modes. In either mode, the end result of successful authentication is a shared Pairwise Master Key. Personal mode, also known as Pre-Shared Key (PSK) mode, provides weaker security but is more convenient and economical for situations like a home 802.11 network. The wireless device and the Access Point (AP) are preconfigured with a shared passphrase—essentially a very long password—from which the Pairwise Master Key is cryptographically derived.

[Figure: Use of an Authentication Server in 802.11i]

Firewalls

A firewall is a system that typically sits at some point of connectivity between a site it protects and the rest of the network. It is usually implemented as an “appliance” or part of a router, although a “personal firewall” may be implemented on an end user machine.
Firewall-based security depends on the firewall being the only connectivity to the site from outside; there should be no way to bypass the firewall via other gateways, wireless connections, or dial-up connections.

In effect, a firewall divides a network into a more-trusted zone internal to the firewall, and a less-trusted zone external to the firewall. This is useful if you do not want external users to access a particular host or service within your site. Firewalls may be used to create multiple zones of trust, such as a hierarchy of increasingly trusted zones. A common arrangement involves three zones of trust: the internal network; the DMZ (“demilitarized zone”); and the rest of the Internet.

Firewalls filter based on IP, TCP, and UDP information, among other things. They are configured with a table of addresses that characterize the packets they will, and will not, forward. By addresses, we mean more than just the destination’s IP address, although that is one possibility. Generally, each entry in the table is a 4-tuple: it gives the IP address and TCP (or UDP) port number for both the source and destination.

[Figure: A firewall filters packets flowing between a site and the rest of the Internet]

Summary

- We have discussed privacy and security issues in the network.
- We have discussed different authentication protocols.
- We have discussed different key distribution protocols.
- We have discussed different cipher techniques: classical and public-key.
- We have discussed some examples of secured systems: PGP, SSH, IPSec.
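The 4-tuple filter table from the Firewalls section, as an added example that is not from the textbook or the slides. The first-match and default-deny behaviour, the CIDR and any-port wildcards, the three-zone sample table (documentation address ranges) and the shadowed-rule audit are assumptions chosen for illustration.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class Rule(NamedTuple):
    action: str                 # "allow" or "deny"
    src: str                    # source network in CIDR form
    src_port: Optional[int]     # None means any port
    dst: str                    # destination network in CIDR form
    dst_port: Optional[int]

class Packet(NamedTuple):
    src: str
    src_port: int
    dst: str
    dst_port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """All four fields of the tuple must match for the rule to apply."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.src_port in (None, pkt.src_port)
            and rule.dst_port in (None, pkt.dst_port))

def decide(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched gets the default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that matches rule b also matches rule a."""
    return (ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
            and a.src_port in (None, b.src_port)
            and a.dst_port in (None, b.dst_port))

def shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [i for i, rule in enumerate(rules)
            if any(covers(earlier, rule) for earlier in rules[:i])]

# Constructed table: internal network 10.0.0.0/8, DMZ 192.0.2.0/24, Internet.
RULES = [
    Rule("allow", "0.0.0.0/0", None, "192.0.2.10/32", 80),   # anyone -> DMZ web
    Rule("allow", "10.0.0.0/8", None, "192.0.2.25/32", 25),  # internal -> DMZ mail
    Rule("deny", "0.0.0.0/0", None, "10.0.0.0/8", None),     # nothing into internal
]

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.7", 51000, "192.0.2.10", 80),
                Packet("203.0.113.7", 51000, "10.1.2.3", 22),
                Packet("203.0.113.7", 51000, "192.0.2.25", 25)):
        print(pkt, "->", decide(RULES, pkt))
    late = Rule("allow", "198.51.100.0/24", None, "10.0.0.5/32", 22)
    print("shadowed rule indexes:", shadowed(RULES + [late]))
```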
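The Diffie-Hellman key agreement covered earlier in the chapter, as an added example that is not from the textbook or the slides: a primitive-root check on the chapter's p = 5, g = 2, an exchange over a network that may substitute public values, and one way to add authentication by sending a MAC with each public value. The MAC under a pre-distributed key, the toy parameters p = 23, g = 5 and all names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

def is_primitive_root(g: int, p: int) -> bool:
    """True if the powers of g mod p produce every integer 1..p-1 (small p only)."""
    return {pow(g, k, p) for k in range(p - 1)} == set(range(1, p))

def random_private(p: int) -> int:
    return secrets.randbelow(p - 1) + 1     # uniform in 1..p-1

def public_value(p: int, g: int, private: int) -> int:
    return pow(g, private, p)               # sent in the clear

def session_key(p: int, peer_public: int, private: int) -> int:
    return pow(peer_public, private, p)     # never sent

def agree(p, g, a, b, network=lambda value: value):
    """Alice (private a) and Bob (private b) swap public values over `network`."""
    pub_a, pub_b = public_value(p, g, a), public_value(p, g, b)
    return session_key(p, network(pub_b), a), session_key(p, network(pub_a), b)

def tag(psk: bytes, value: int) -> bytes:
    return hmac.new(psk, str(value).encode(), hashlib.sha256).digest()

def agree_authenticated(p, g, a, b, psk, network=lambda msg: msg):
    """Same exchange, but each public value carries a MAC under a pre-distributed key."""
    keys = []
    for mine, theirs in ((a, b), (b, a)):
        sent = public_value(p, g, theirs)
        value, mac = network((sent, tag(psk, sent)))
        if not hmac.compare_digest(mac, tag(psk, value)):
            return None                     # substituted value detected: abort
        keys.append(session_key(p, value, mine))
    return tuple(keys)

if __name__ == "__main__":
    print("2 generates mod 5:", is_primitive_root(2, 5))
    p, g = 23, 5                            # toy parameters; real systems use large primes
    a, b = random_private(p), random_private(p)
    key_alice, key_bob = agree(p, g, a, b)
    print("keys match on an honest network:", key_alice == key_bob)

    # A network element that replaces both public values with its own ends up
    # sharing one key with Alice and another with Bob; neither side can tell.
    m = random_private(p)
    pub_m = public_value(p, g, m)
    key_alice, key_bob = agree(p, g, a, b, network=lambda _: pub_m)
    print("middle shares Alice's key:",
          key_alice == session_key(p, public_value(p, g, a), m))
    print("middle shares Bob's key:",
          key_bob == session_key(p, public_value(p, g, b), m))

    # With authenticated public values the substitution is rejected.
    psk = b"constructed pre-distributed key"
    print("authenticated, honest:", agree_authenticated(p, g, a, b, psk))
    print("authenticated, substituted:",
          agree_authenticated(p, g, a, b, psk, network=lambda msg: (pub_m, msg[1])))
```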