Title: Network Security
Network Security
Refik MOLVA, Institut Eurécom, B.P. 193, 06904 Sophia Antipolis Cedex - France, Refik.Molva_at_eurecom.fr
© Institut Eurecom 2002
Outline
THEORY
1. Symmetric Cryptography
2. Asymmetric Cryptography
3. Hash Functions and Integrity
4. Authentication
5. Key Management
APPLICATIONS
6. Internet Security Using Firewalls
7. Internet Security with Cryptographic Mechanisms
8. Multicast Security
Security Services
- ISO standard 7498-2 defines security services and mechanisms in the context of OSI
- function placement in OSI layers; does not cover the security of standalone systems
- services: authentication, access control, confidentiality, integrity, non-repudiation
Services vs. Layers
1. Application Layer Security
- finest granularity (user and program verification)
- end-to-end security
- non-transparent to applications
2. Transport Layer
- medium level granularity (end-users are not visible)
- end-to-end security
- transparent to applications
3. Network Layer
- low granularity
- no end-to-end security (hop-by-hop security relies on intermediate systems)
- transparent to applications
4. Physical Layer
- like network layer security, plus
- ease of integration
- limited functionality (hardware only)
Cryptography
The art of writing in or deciphering secret code by transforming the message content. Different from steganography, which aims at hiding the message without transforming it.
Cryptology = Cryptography (encryption, decryption) + Cryptanalysis (code breaking)
Cryptography is the building block for most security mechanisms.
Symmetric Cryptography
- secret-key based
Figure: P --E_K--> C --D_K--> P; the same key K is used on both sides.
- The same key is required both for encryption and decryption
- Secrecy of K is essential => requirement for secret key management using an on-line trusted third party (TTP)
- K must be shared by at least two parties => no signature
DES
Figure: E (encryption): 64-bit input -> IP -> rounds R1, R2, ..., R15, R16 with sub-keys k1, k2, ..., k15, k16 -> IP^-1 -> 64-bit output. D (decryption): the same round structure with the sub-keys applied in reverse order k16, k15, ..., k2, k1.
- IP: initial permutation, IP^-1(IP(x)) = x
- Ri: key-dependent round functions
- ki: 16 sub-keys (48 bits) produced by the key schedule (shift and select operations on the 56-bit K)
Advanced Encryption Standard (AES)
- Rijndael, winner of an extensive selection process
- New encryption standard (FIPS 197), replacement for DES since May 26, 2002; Triple DES is still a valid standard (FIPS 46-3)
- Key size 128, 192, or 256 bits
- 10, 12 or 14 rounds, depending on the key size
- byte-oriented cipher operations in each round
- Round function:
  - 8x8 S-box applied to each byte (SubBytes)
  - rows of the state array shifted (ShiftRows)
  - columns of the state array mixed (MixColumns)
  - sub-key bytes XORed into each byte of the array (AddRoundKey)
- column mixing is omitted in the last round
AES-Rijndael Performance
- If a machine could recover a DES key in a second, it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key by exhaustive search. To put that into perspective, the universe is believed to be less than 20 billion years old.
- Key setup time: 200 keys/msec in 32-bit C on Apple G4 PowerPC
- Encryption speed:
  - 52 Mbit/s in 32-bit C on Apple PowerPC
  - 4.8 Mbit/s in Java on Intel Pentium Pro 200
Asymmetric Cryptography
- public-key cryptography
Figure: P --E_KP--> C --D_KS--> P; the public key KP is used for encryption, the secret key KS for decryption.
- Different keys for encryption and decryption
- Each user has a secret key (KS) and a public key (KP)
- No shared secret between the origin and the recipient => no need to manage secret keys, but the integrity of KP must be assured with an off-line trusted third party (TTP)
- digital signature is possible
Asymmetric Cryptography
- each user U has a secret key KSU and a public key KPU
- everybody can access KPU (public database)
- only U knows KSU
Figure: public database with entries (Name A, Key KPa), (Name B, Key KPb), (Name C, Key KPc); a sender looks up (A, KPa) and sends E_KPa(message); only A, holding KSa, can decrypt it.
- D_KSU(E_KPU(X)) = X and E_KPU(D_KSU(X)) = X
Asymmetric Cryptography
Public-key algorithms are based on one-way functions.
- One-way function (OWF): f: X -> Y is one-way if f(x) is easy to compute for all x in X but for essentially all y in Im(f) it is computationally infeasible to find x in X such that f(x) = y.
Figure: x in X --f--> y = f(x); the inverse direction f^-1 is the hard one.
Example: discrete exponential (Diffie-Hellman): f(x) = a^x mod n is easy; the inverse f^-1(y) = log_a y (discrete logarithm) is hard.
Trapdoor OWF
f is a trapdoor one-way function if f is an OWF with the additional property that, given some extra information called the trapdoor, it becomes easy to compute the inverse of f (x such that f(x) = y).
Example: f(x) = x^5 mod n, n = pq, p and q large primes. f is an OWF (it is infeasible to compute f^-1), but if p and q are known f^-1 becomes easy to compute (cf. RSA).
No proof of existence for OWF. Security of public-key schemes is based on OWF => no proof of security for public-key schemes.
The DIFFIE-HELLMAN Algorithm
- pioneer of public key algorithms
- A and B set a shared secret (a^xy mod p) without exchanging secret information
- a^xy mod p can be used as a secret key with a symmetric algorithm to encrypt data
- relies on the difficulty of computing discrete logarithms
RSA
- message structured in n-bit blocks
- for each block P of cleartext:
  - encryption: C = P^e mod r
  - decryption: P = C^d mod r
- main property (non-trivial): (x^e)^d ≡ (x^d)^e ≡ x (mod r) => security relies on the choice of r, e and d
RSA - Principle
1. pick two very large (100 digits) prime numbers p, q
2. compute r = pq
3. compute φ(r) = (p-1)(q-1)
4. pick e, a small number, relatively prime to φ(r), e < φ(r)
5. compute d such that d.e ≡ 1 (mod φ(r))
Why (x^e)^d ≡ (x^d)^e ≡ x (mod r)?
Euler's Theorem: a^φ(r) ≡ 1 (mod r) => a^(m.φ(r)+1) ≡ a (mod r)
From 5.: d.e = e.d = m.φ(r) + 1, so (x^e)^d ≡ (x^d)^e ≡ x (mod r)
Note: Euler's theorem only applies when x is invertible mod r (gcd(x, r) = 1); the property holds for every x in Z_r and can be demonstrated in the general case using Chinese Remaindering.
RSA - Example
1. p = 17, q = 13
2. r = 221
3. φ(r) = (p-1)(q-1) = 192
4. e = 11
5. d = 35, d.e ≡ 1 (mod 192)
Encryption with e = 11: P = 123, C = 123^11 mod 221 = 115
Decryption with d = 35: P = 115^35 mod 221 = 123
RSA
- security => factoring r (512 bits, 154 digits) into p and q
- best known factoring algorithm: 1 M years (figure quoted on the slide; a 512-bit RSA modulus was in fact factored in 1999 and 512-bit keys are no longer considered secure)
- 512-bit chips: 1000 times slower than DES in hardware, 100 times slower than DES in software
El Gamal Public Key Encryption
p is prime, x and y in Z_(p-1), a is a generator of Z_p*. b = a^y mod p. KPB = (p, a, b) is the public key, KSB = y is the secret key.
- DH key agreement in encryption:
  Known by A: x (random), a^xy mod p
  Known by B: y, a^y mod p
  Public key: (p, a, a^y mod p)
  m1 = DH key agreement, m2 = encrypted message
- Encryption: m1 = a^x mod p, m2 = m.a^xy mod p (A computes a^xy as b^x)
- Decryption: m1 => a^xy mod p (B computes m1^y); m = m2.(m1^y)^-1 mod p = m.a^xy.((a^x)^y)^-1 mod p
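The two slides above (Diffie-Hellman and El Gamal) carried through in code, as an added example that is not part of the lecture. The group (p = 23, generator a = 5) is a toy chosen only to keep the arithmetic visible; a real deployment uses a safe prime of at least 2048 bits and encodes the message into the group. The slide's notation is kept: x is A's random exponent, y is B's secret key, b = a^y.

```python
import secrets

def dh_keypair(p, a):
    """Private exponent x in [1, p-2] and the public value a^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(a, x, p)

def dh_shared(p, their_public, my_private):
    """a^xy mod p: A computes (a^y)^x, B computes (a^x)^y, both get the same value."""
    return pow(their_public, my_private, p)

def elgamal_encrypt(p, a, b, m):
    """m1 = a^x mod p (a fresh DH half), m2 = m * b^x mod p, where b^x = a^xy."""
    assert 1 <= m < p, "message must be an element of Z_p^*"
    x, m1 = dh_keypair(p, a)          # new random x for every message
    m2 = (m * pow(b, x, p)) % p
    return m1, m2

def elgamal_decrypt(p, y, m1, m2):
    """Recover m = m2 * (m1^y)^-1 mod p with the secret exponent y."""
    shared = pow(m1, y, p)            # a^xy mod p, recomputed from m1
    return (m2 * pow(shared, -1, p)) % p   # modular inverse: Python 3.8+

def roundtrip_all(p, a, y):
    """Check decryption recovers every element of Z_p^* (toy-size p only)."""
    b = pow(a, y, p)
    return all(elgamal_decrypt(p, y, *elgamal_encrypt(p, a, b, m)) == m
               for m in range(1, p))

if __name__ == "__main__":
    p, a = 23, 5                      # toy group: 5 generates Z_23^*
    y, b = 6, pow(5, 6, 23)           # B's secret key and public value b = 8
    m1, m2 = elgamal_encrypt(p, a, b, 19)
    print("ciphertext", (m1, m2), "decrypts to", elgamal_decrypt(p, y, m1, m2))
```

Because x is drawn afresh for each message, encrypting the same m twice gives different (m1, m2) pairs; the receiver never needs to know x, only m1.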
Symmetric vs. Asymmetric Cryptography
Symmetric Cryptography
- secret key shared by (at least) two parties
- Pros: key is short (64-128 bits); fast encryption/decryption; extensive history; perfect secrecy exists
- Cons: key distribution (by on-line TTP) is mandatory; no signature (possible only with additional means)
Asymmetric Cryptography
- one private key, one public key per party
- Pros: no requirement for secret key distribution; digital signature is possible
- Cons: key is long (> 512 bits); computationally intensive; security relies on the difficulty of number-theoretic problems, no perfect secrecy
Symmetric vs. Asymmetric Cryptography: Summary
Use Asymmetric Cryptography for:
- key distribution (for symmetric keys)
- digital signature
Use Symmetric Cryptography for:
- bulk data encryption
- data integrity
Figures (image-only slides): Plaintext; DES-ECB Encryption; DES-CBC Encryption.
CBC Mode
Cipher Block Chaining, 64-bit blocks
Figure: encryption: Pn ⊕ Cn-1 -> E_K -> Cn; decryption: D_K(Cn) ⊕ Cn-1 -> Pn.
- Ci = E_K(Pi ⊕ Ci-1)
- C0 = E_K(P0 ⊕ IV), IV (Initialization Vector) transmitted in cleartext
- Pi = D_K(Ci) ⊕ Ci-1
- chaining effect: Ci depends on all the Pj with j ≤ i
- last block of C depends on all the plaintext blocks
- converts DES into a stream cipher
- 1 E/D operation per 64 bits
CBC - Error propagation
- Decryption of Pi requires Ci and Ci-1
- Error extension:
  - error in block Ci or loss of the complete block Ci: only Pi and Pi+1 are affected; subsequent blocks are not affected (self-synchronization)
  - new vulnerability: controlled modification by the intruder. A transmission error (or a deliberate change) on bit i of block Cj results in the loss of Pj and the complementing of bit i in Pj+1.
  - no self-synchronization on bit slips: all subsequent blocks are lost => requirement for framing and error control on C
- Relationship between Error Control and CBC Encryption (figure: the two possible orderings of the E/D and error-control stages, i.e. error control applied on the ciphertext or on the plaintext)
CFB Mode
Cipher Feedback: n = variable block size for C and P, n ≤ 64
Figure: a 64-bit shift register is encrypted with E_K; the n leftmost bits of the output are XORed with the n-bit plaintext to give the n-bit ciphertext; the ciphertext is shifted into the register on both sides (the receiver also uses E, not D).
- 1 E/D operation per n bits
- s0: initial value of the register, transmitted in cleartext
OFB Mode
Output Feedback: variable quantum size (n ≤ 64)
Figure: a 64-bit shift register is encrypted with E_K; the n leftmost bits of the output are XORed with the n-bit plaintext and are also fed back into the register, independently of the ciphertext; the receiver runs the same keystream generator.
- 1 E/D operation per n bits
- s0: initial value of the register, transmitted in cleartext
- s0 must be different for each new message
- stream cipher: one-time pad with pseudo-random number generation
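An added example, not from the lecture, serving both the CBC slides (the controlled-modification property: flipping bit i of Cj garbles Pj and flips bit i of Pj+1 while the rest survives) and the OFB slide (what goes wrong when s0 is reused). DES is not in the Python standard library, so the block cipher here is an assumed stand-in: an 8-round Feistel network on 64-bit blocks whose round function is HMAC-SHA256; it is only a correct, invertible block cipher for the demonstration, not a cipher anyone should deploy.

```python
import hmac
import hashlib

BLOCK = 8   # 64-bit blocks, as with DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, r, half):
    """Feistel round function: first 4 bytes of HMAC-SHA256(key, round || half)."""
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:4]

def block_encrypt(key, block):
    """Toy 8-round Feistel cipher on one 8-byte block (stand-in for DES)."""
    L, R = block[:4], block[4:]
    for r in range(8):
        L, R = R, _xor(L, _round(key, r, R))
    return R + L

def block_decrypt(key, block):
    L, R = block[:4], block[4:]
    for r in reversed(range(8)):
        L, R = R, _xor(L, _round(key, r, R))
    return R + L

def cbc_encrypt(key, iv, plaintext):
    """Ci = E_K(Pi xor Ci-1), C0 uses the IV."""
    assert len(plaintext) % BLOCK == 0, "padding is out of scope here"
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    """Pi = D_K(Ci) xor Ci-1: each plaintext block depends on two ciphertext blocks only."""
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def cbc_bit_flip_demo(key, iv, plaintext, j, bit):
    """Flip one bit of Cj; report (Pj garbled, same bit flipped in Pj+1, all other blocks intact)."""
    ct = bytearray(cbc_encrypt(key, iv, plaintext))
    mask = 1 << (7 - bit % 8)
    ct[j * BLOCK + bit // 8] ^= mask
    pt2 = cbc_decrypt(key, iv, bytes(ct))
    split = lambda b: [b[i:i + BLOCK] for i in range(0, len(b), BLOCK)]
    orig, mod = split(plaintext), split(pt2)
    expected_next = bytearray(orig[j + 1])
    expected_next[bit // 8] ^= mask
    return (mod[j] != orig[j],
            mod[j + 1] == bytes(expected_next),
            mod[:j] == orig[:j] and mod[j + 2:] == orig[j + 2:])

def ofb_keystream(key, s0, nbytes):
    """Full-block OFB (n = 64): the E_K output is fed back into the register, never the ciphertext."""
    reg, out = s0, b""
    while len(out) < nbytes:
        reg = block_encrypt(key, reg)
        out += reg
    return out[:nbytes]

def ofb_crypt(key, s0, data):
    return _xor(data, ofb_keystream(key, s0, len(data)))   # same call encrypts and decrypts

def ofb_keystream_reuse(key, s0, p1, p2):
    """Reusing s0 for two messages: C1 xor C2 = P1 xor P2, visible to a passive eavesdropper."""
    c1, c2 = ofb_crypt(key, s0, p1), ofb_crypt(key, s0, p2)
    return _xor(c1, c2) == _xor(p1, p2)
```

The CBC demonstration shows why CBC alone gives no integrity: the attacker who knows the layout of Pj+1 can set chosen bits in it at the price of destroying Pj, so a MAC over the ciphertext is still required. The OFB check shows why the slide insists on a fresh s0 per message.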
Hash Functions
Figure: message (arbitrary length) --h--> message digest (fixed length, n ≥ 128 bits)
Main purpose: Modification Detection Codes (MDC), Manipulation Detection Codes or Message Integrity Check (MIC)
Objective: data integrity with additional security means. h(m) serves as a representative of message m: if m changes, h(m) changes with high probability.
Security properties:
- one-way: given y, finding x with h(x) = y is difficult
- collision resistance: it is difficult to find x ≠ x' with h(x) = h(x')
General Model for Building Hash Functions
Figure: H0 --(f, fixed-length input block)--> H1 --(f, fixed-length input block)--> ... --> Hn = h(x). H is an iterated hash function built from the compression function f.
Additional input preprocessing by adding padding and a length block.
Message Authentication Codes
- Encryption of an MDC: MAC = E_K(h(M)) with DES or RSA
- Keyed hashing: MAC = h(K1 || M || K2)
- Examples from the Internet:
  - Keyed MD5 (RFC 1828, 08/1995)
  - HMAC (RFC 2104, 02/1997): HMAC(K, text) = H((K xor opad) || H((K xor ipad) || text))
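The HMAC construction written out as an added example (not from the lecture), checked against Python's own `hmac` module. The inner and outer pads 0x36 and 0x5C, the block-size key padding and the hashing of over-long keys are all from RFC 2104; the hash function is a parameter so the same code gives HMAC-MD5 and HMAC-SHA-256.

```python
import hashlib
import hmac

def hmac_from_scratch(key: bytes, text: bytes, hash_fn=hashlib.sha256) -> bytes:
    """RFC 2104: H((K xor opad) || H((K xor ipad) || text))."""
    block_size = hash_fn().block_size            # 64 bytes for MD5, SHA-1, SHA-256
    if len(key) > block_size:                    # keys longer than a block are hashed first
        key = hash_fn(key).digest()
    key = key.ljust(block_size, b"\x00")         # then zero-padded to one block
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    inner = hash_fn(ipad + text).digest()
    return hash_fn(opad + inner).digest()

def verify_mac(key: bytes, text: bytes, tag: bytes, hash_fn=hashlib.sha256) -> bool:
    """Constant-time comparison: a plain == on MACs leaks how many leading bytes matched."""
    return hmac.compare_digest(hmac_from_scratch(key, text, hash_fn), tag)

def matches_stdlib(key: bytes, text: bytes, hash_fn=hashlib.sha256) -> bool:
    return hmac_from_scratch(key, text, hash_fn) == hmac.new(key, text, hash_fn).digest()
```

A receiver that checks the tag with `verify_mac` rejects any change to the message, to the key, or to the tag itself; the `matches_stdlib` helper is there only to show that the two-pass construction above is exactly what the library computes.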
Data integrity
Figure: three ways of protecting the integrity of a message sent over an unsecured channel.
1. MAC (keyed hash) with a shared key K: the sender computes MAC = MAC_K(message) and sends message || MAC over the unsecured channel; the receiver recomputes the MAC with K.
2. MDC (unkeyed hash) plus encryption: the sender computes MDC = h(message), encrypts it under K and sends message || E_K(MDC) over the unsecured channel.
3. MDC with a secured channel: the sender computes MDC = h(message), sends the message over the unsecured channel and the MDC over a separate secured channel.
Authentication Protocols (1/2)
- Secret function of a predictable item
  Figure: A -> B: hK(time stamp or counter)
- Synchronization requirement:
  - synchronized clocks => very difficult with distributed systems; how to secure a global time service?
  - counters => losses; how to secure re-synchronization?
- Protocol requires only 1 message
Authentication Protocols (2/2)
- Secret function of an unpredictable item (nonce: random number used only once)
  Figure: B -> A: N; A -> B: hK(N)
- No need for synchronization
- 2 messages
- Mutual authentication:
  A -> B: Na
  B -> A: hK(Na), Nb
  A -> B: hK(Nb)
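The three-message mutual authentication above, run as an added example (not lecture code) with hK instantiated as HMAC-SHA256 and each side refusing to answer a nonce twice. One assumption beyond the slide: the responder also hashes the name of the party it is answering, so that the reply to Na cannot be replayed as a reply to the same value sent in the other direction (the reflection problem of the bare protocol). Party names and the 16-byte nonces are constructed for the example.

```python
import hashlib
import hmac
import secrets

def h_K(key: bytes, *parts: bytes) -> bytes:
    """hK from the slide: a keyed one-way function, here HMAC-SHA256 over the parts."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class Party:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.pending = None      # nonce whose answer we are waiting for
        self.answered = set()    # nonces already answered: a second request is a replay

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def respond(self, verifier: str, nonce: bytes) -> bytes:
        """Answer verifier's nonce; the verifier's name is bound into the hash (assumption)."""
        if nonce in self.answered:
            raise ValueError("replayed nonce")
        self.answered.add(nonce)
        return h_K(self.key, verifier.encode(), nonce)

    def check(self, response: bytes) -> bool:
        """Accept only the answer to our outstanding nonce, then forget it."""
        ok = self.pending is not None and hmac.compare_digest(
            response, h_K(self.key, self.name.encode(), self.pending))
        self.pending = None
        return ok

def mutual_authentication(a: Party, b: Party) -> bool:
    """A->B: Na ; B->A: hK(Na), Nb ; A->B: hK(Nb)."""
    na = a.challenge()                                   # message 1
    resp_na, nb = b.respond(a.name, na), b.challenge()   # message 2
    a_ok = a.check(resp_na)                              # A is now sure B holds K
    resp_nb = a.respond(b.name, nb)                      # message 3
    b_ok = b.check(resp_nb)                              # B is now sure A holds K
    return a_ok and b_ok

def replay_is_rejected(responder: Party, verifier: str, nonce: bytes) -> bool:
    """A captured nonce presented a second time must not produce a fresh answer."""
    responder.respond(verifier, nonce)
    try:
        responder.respond(verifier, nonce)
    except ValueError:
        return True
    return False
```

The nonce is what makes message 2 fresh; without the set of answered nonces, an attacker who recorded one run could still not forge hK, but a responder willing to answer any nonce is an oracle, which is exactly what binding the verifier's name and refusing repeats is meant to limit.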
S/key
One-time password authentication technique based on a secure hash function.
K is secret, h is a public one-way hash function: it is computationally infeasible to derive h^(i-1)(K) from h^i(K).
Figure: the user knows K; the authentication server stores SKu = h^n(K).
- login 1: user sends M = h^(n-1)(K); server accepts if h(M) = SKu, then sets SKu = M
- login 2: user sends M = h^(n-2)(K); server accepts if h(M) = SKu, then sets SKu = M
- ...
Only the user who knows K can generate the h^i(K) values in the reverse order h^n(K), h^(n-1)(K), h^(n-2)(K), ..., h(K).
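The S/key chain simulated end to end as an added example (not from the lecture): the server only ever stores the current top of the chain, each successful login moves it one step down, and a captured password is useless a second time. SHA-256 stands in for the one-way function h; the secret K and chain length n are constructed.

```python
import hashlib

def h(x: bytes) -> bytes:
    """Public one-way hash function of the scheme (SHA-256 here)."""
    return hashlib.sha256(x).digest()

def h_iter(x: bytes, i: int) -> bytes:
    """h^i(x): i applications of h."""
    for _ in range(i):
        x = h(x)
    return x

class SKeyServer:
    def __init__(self, h_n_of_K: bytes):
        self.sku = h_n_of_K          # verifier h^n(K); the secret K never reaches the server

    def login(self, m: bytes) -> bool:
        """Accept if h(M) equals the stored value, then store M as the new verifier."""
        if h(m) == self.sku:
            self.sku = m
            return True
        return False

class SKeyUser:
    def __init__(self, K: bytes, n: int):
        self.K, self.n = K, n

    def next_password(self) -> bytes:
        """Walk the chain downwards: h^(n-1)(K), h^(n-2)(K), ... never below h^1(K)."""
        self.n -= 1
        if self.n < 1:
            raise RuntimeError("chain exhausted, re-initialize with a new K")
        return h_iter(self.K, self.n)

def demo(K: bytes = b"constructed-secret", n: int = 5):
    """Two logins with a replay attempt in between; returns the server's three decisions."""
    server = SKeyServer(h_iter(K, n))
    user = SKeyUser(K, n)
    first = user.next_password()                 # h^(n-1)(K)
    return [server.login(first),                 # fresh: accepted
            server.login(first),                 # same value replayed: h(M) != stored M
            server.login(user.next_password())]  # h^(n-2)(K): accepted
```

Stopping the chain at h^1(K) matters: the next value down would be K itself, and anyone who captured it could regenerate the whole chain.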
Passive Devices
- storage of a non-secret verification value W in the device, W = OWF(S), S is a secret kept by the user
- verification by a reader
- authentication: the user enters the secret value S; the reader computes V = OWF(S) and compares V with W stored in the device
- magnetic stripe cards
- cards with a memory chip
Active Devices
- Able to run cryptographic algorithms and strong authentication protocols
- Eliminate the risk of exhaustive attacks and replay on the PIN
1. Personal computers
2. Tokens
3. Smart cards
Principle:
- PIN-based verification of the user by the personal device. The PIN is not disclosed outside the protected area.
- The personal device runs the authentication protocol on behalf of the user through untrusted environments. Strong authentication protocols resist attacks from a hostile public environment.
Tokens
- The user acts as a relay between the (untrusted) public terminal and the personal token
- + cheap and easy to retrofit on existing systems
- - ergonomics
Smart Cards
- Communication between the smart card and the authentication server is transparent for the user
- After the user verification, the smart card runs the strong authentication protocol: symmetric (DES) or asymmetric (RSA) algorithm; nonce-, time stamp-, or counter-based
- The card can perform other services: data encryption, digital signature, message integrity
- Advanced smart cards include an operating system, a file system with access control, a Java virtual machine
- + the most secure and user-friendly
- - cost of deployment: retrofitting a reader is required on each terminal
Digital Signature
Generation of A's signature on message M: S = E_KSa(h(M))
- h is an unkeyed hash function (MD5, SHA-1, ...)
- KSa is A's private RSA key
Verification of A's signature by any other party:
- compute h(M)
- using A's public key KPa, check if D_KPa(S) = h(M)
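An added example, not from the lecture, that covers three slides at once: the RSA principle (including the Euler's-theorem remark), the worked example with p = 17, q = 13, e = 11, and the hash-then-sign digital signature above. The small key reproduces the slide's numbers exactly; the second key, built from the known primes 2^61-1 and 2^31-1 with e = 65537, is an assumption of the example and is still far too small for real use. The signature is textbook RSA on the SHA-256 digest reduced mod r, without the PKCS#1 encoding that real signatures require.

```python
import hashlib
from math import gcd

def rsa_keygen(p: int, q: int, e: int):
    """Steps 1-5 of the slide: r = pq, phi = (p-1)(q-1), d = e^-1 mod phi."""
    r, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1 and e < phi, "e must be relatively prime to phi(r)"
    d = pow(e, -1, phi)                 # modular inverse, Python 3.8+
    return (r, e), (r, d)               # public key, private key

def rsa_encrypt(pub, P: int) -> int:
    r, e = pub
    return pow(P, e, r)                 # C = P^e mod r

def rsa_decrypt(priv, C: int) -> int:
    r, d = priv
    return pow(C, d, r)                 # P = C^d mod r

def euler_holds(x: int, p: int, q: int) -> bool:
    """x^phi(r) == 1 (mod r) is only guaranteed when gcd(x, r) = 1."""
    r, phi = p * q, (p - 1) * (q - 1)
    return pow(x, phi, r) == 1

def _digest_mod(r: int, message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % r

def rsa_sign(priv, message: bytes) -> int:
    """S = h(M)^d mod r  (the slide's E_KSa(h(M)); no padding: illustration only)."""
    r, d = priv
    return pow(_digest_mod(r, message), d, r)

def rsa_verify(pub, message: bytes, S: int) -> bool:
    """Check S^e mod r == h(M)  (the slide's D_KPa(S) = h(M))."""
    r, e = pub
    return pow(S, e, r) == _digest_mod(r, message)

SLIDE_PUB, SLIDE_PRIV = rsa_keygen(17, 13, 11)               # r = 221, phi = 192, d = 35
DEMO_PUB, DEMO_PRIV = rsa_keygen(2**61 - 1, 2**31 - 1, 65537)   # assumed toy key, ~92 bits

if __name__ == "__main__":
    print("d =", SLIDE_PRIV[1], "C =", rsa_encrypt(SLIDE_PUB, 123))   # 35, 115
    S = rsa_sign(DEMO_PRIV, b"constructed message")
    print("signature verifies:", rsa_verify(DEMO_PUB, b"constructed message", S))
```

Note that `rsa_decrypt(rsa_encrypt(17))` still returns 17 even though 17 shares a factor with r = 221 and Euler's theorem does not apply to it; this is the Chinese-remaindering case mentioned on the RSA principle slide.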
Key Management
Most security mechanisms are based on cryptography. Cryptography requires generation, distribution, storage, archival, deletion, ... of (secret and public) keys.
Key Generation
- random number generation problem: a random bit generator can be used to generate random numbers; a random bit generator outputs a sequence of statistically independent and unbiased bits
- Solutions:
  - physical sources: biased, de-skewing is necessary; impractical
  - pseudorandom bit generators: based on a truly random binary sequence of length k, generate a sequence of length l >> k using a deterministic algorithm. The output sequence appears to be random. Among all possible outputs (if it were truly random) only a fraction 2^k/2^l can be generated. The goal is to expand the truly random "seed" into a longer pseudorandom sequence.
Pseudorandom Bit Generators (PRBG)
- Security properties:
  - resistance to statistical tests: the output of a pseudorandom bit generator should not be distinguishable from a truly random sequence of the same length by a polynomial-time algorithm
  - resistance to the next-bit test: the next bit of the output sequence cannot be predicted from the bits already generated by a polynomial-time algorithm
  - the two conditions are equivalent
  - a PRBG that fulfills one of these properties is said to be cryptographically secure
  - in addition the k-bit seed must be large enough so that an exhaustive search over possible seeds is infeasible
- Ex: linear congruence x_n = a.x_(n-1) + b mod p is not secure because, given a partial output sequence, the remainder of the output bits can be predicted.
RSA-based Cryptographically Secure PRBG
n = pq and e are defined as in the basic RSA algorithm.
Generation of an l-bit pseudorandom sequence:
1. pick a random integer x0 in [1, n-1] as the seed
2. for i from 1 to l do:
   2.1. x_i = x_(i-1)^e mod n
   2.2. z_i = the least significant bit of x_i
Output sequence: z1, z2, ..., zl
The security property (resistance to the next-bit test) is proven based on the difficulty of factorization.
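An added example (not from the lecture) for the two PRBG slides: the linear congruential generator is broken by recovering a and b from three consecutive outputs and predicting the fourth, and the RSA generator is implemented as stated, using the RSA example's r = 221, e = 11 as the modulus so that the bits can be checked by hand. The LCG parameters (p = 2^31 - 1, a = 16807, b = 12345) are constructed for the example; the attack assumes the modulus p is known, which is the usual situation since it is part of the algorithm, not of the seed.

```python
def lcg(a: int, b: int, p: int, x0: int, count: int):
    """x_n = a * x_(n-1) + b mod p, returning count outputs after the seed."""
    xs, x = [], x0
    for _ in range(count):
        x = (a * x + b) % p
        xs.append(x)
    return xs

def recover_lcg(p: int, x0: int, x1: int, x2: int):
    """From x1 = a*x0 + b and x2 = a*x1 + b (mod p): a = (x2-x1)/(x1-x0), b = x1 - a*x0."""
    a = ((x2 - x1) * pow(x1 - x0, -1, p)) % p    # needs x1 != x0 and p prime (or gcd = 1)
    b = (x1 - a * x0) % p
    return a, b

def predict_next(p: int, x0: int, x1: int, x2: int) -> int:
    """The 'next-bit test' failed in full: the whole next output follows from three observed ones."""
    a, b = recover_lcg(p, x0, x1, x2)
    return (a * x2 + b) % p

def rsa_prbg(n: int, e: int, x0: int, l: int):
    """Slide's generator: x_i = x_(i-1)^e mod n, output the least significant bit of each x_i."""
    bits, x = [], x0
    for _ in range(l):
        x = pow(x, e, n)
        bits.append(x & 1)
    return bits

if __name__ == "__main__":
    P, A, B = 2**31 - 1, 16807, 12345
    observed = lcg(A, B, P, 42, 4)
    print("observed", observed[:3], "predicted next", predict_next(P, *observed[:3]),
          "actual", observed[3])
    print("RSA-PRBG bits from seed 5, n = 221, e = 11:", rsa_prbg(221, 11, 5, 3))
```

With n = 221 the RSA generator cycles almost immediately, which is the point of the slide's "k-bit seed must be large enough" remark: the proof of next-bit unpredictability only says something when factoring n is infeasible.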
Practical Secure PRBGs
- Use one-way hash functions: random_number_n = h(s || n), n = 0, 1, 2, ..., where s is the secret seed. Predictable after re-initialization => the initialization must be randomized.
- (Kerberos) K = DES_K(universal time); R_n = DES_K(n), n = 0, 1, 2, ... => based on the secret key K
These PRBGs are not cryptographically secure in the sense that there is no proof of the PRBG security property, but they are sufficiently secure for most applications.
Key Distribution
- Symmetric cryptography: distribution of secret keys; key distribution must assure the confidentiality of secret keys; the key distribution service must be on-line
- Asymmetric cryptography: distribution of public keys; key distribution must assure the integrity of public keys; the key distribution service can be off-line
Distribution of Secret Keys
- Problem: how to distribute a secret session key Kab to parties A and B who do not share a secret channel?
- Complexity: a new session key is needed for each new session and per security function (authentication, data confidentiality, integrity)
- Alternatives (n = number of parties):
  - Manual: complexity of initial key installation O(n^2)
  - Hybrid scheme (O(n))
  - Algorithmic (O(n))
  - Key server (O(n))
Hybrid scheme
Use public-key cryptography to distribute secret session keys. Use secret-key (symmetric) cryptography for bulk data encryption.
Algorithmic Key Distribution
Figure: Diffie-Hellman exchange with public parameters g, p, the exchanged values being protected with the parties' long-term (signature) keys.
Perfect forward secrecy: breaking any long-term key (signature key) does not threaten the secrecy of past session keys (Kab). No forward secrecy with the hybrid scheme.
Key distribution with a key server
- Trust in the key server: security of session keys; entity authentication
Key distribution with a key server
Figure: the Key Server holds Ka and Kb; A holds Ka, B holds Kb. 1. A -> Key Server: A, B (request for a session key with B).
- Kab: session key; Ka, Kb: terminal keys
- Trust in the key server:
  - Kab is fresh and kept secret
  - B (resp. A) believes whoever proves knowledge of the secret Kab is A (resp. B)
- Key distribution must be strongly linked with authentication.
Public-key Integrity Problem
Problem (figure with A and X): a key presented as A's public key may in fact have been substituted by X.
- The integrity of public keys must be assured.
- Solutions: authentication trees; public-key certification
Identity Certificate
- Public key certificate of entity A (key KPa) created by X: signed by the trusted party X using its secret key KSx; can be checked using the public key KPx
- Prerequisite for verifying a certificate: KPx must be known and trusted
- identity certificates are required for all services implemented using public-key encryption (entity authentication, data origin authentication, data integrity, non-repudiation of origin, key distribution)
- the security of these services entirely relies on the validity (integrity) of the certificate that includes the public key
- Contrary to a common belief, a certificate alone does not prove anything: it must be used together with a mechanism like an authentication protocol through which the owner of the public key demonstrates knowledge of the corresponding private key.
TTP Functions
- Certification Authority (CA)
- Registration Authority (RA)
- Name Service
- Certificate Directory
- Key Generator
Certification Scenario
Figure (key pair generated by the user):
1. User (or key generator KG): key pair
2. User -> RA: identity validation, public key (proof of knowledge of the private key)
3. RA -> CA: name, public key (integrity-protection, entity authentication between RA and CA)
4. CA -> User and Certificate Directory: certificate
Certificate Chains
Problem: A and B belong to domains managed by CA X and CA Y. No direct cross certificate exists between X and Y, but cross certificates exist between X and Z and between Z and Y: X certifies Z (Cx(Z)) and Z certifies Y (Cz(Y)).
Figure: Domain 1 (CA X), Domain 2 (CA Y), Domain 3 (CA Z)
A gets KPz by verifying Cx(Z) using KPx, which is trusted a priori. He gets KPy by verifying Cz(Y) using KPz. He finally verifies B's public key in Cy(B) using KPy.
Hierarchical Model
Figure: tree with Root at the top, intermediate authorities U, V, W, X, Y, Z and users A, B, C, D at the leaves; an edge from U to V means U issues V's certificate.
- Alternative domain partitionings:
  - single domain: all chains start at Root; all users trust a priori only KPRoot
  - multiple domains: chains between two domains start from the closest common node; each user trusts a priori his closest authority and Root
- Drawbacks:
  - certificate chains can be too long
  - lack of centralization in real-life situations
Internet Security Directions
Cryptographic security: protect only sensitive resources using logical means (secure virtual channel using cryptography, e.g. e-commerce)
Figure: protocol stack (HTTP, SMTP, FTP, TELNET, DNS, SNMP, RIP, BGP over TCP/UDP and OSPF, over IP, over Data Link) with the secure virtual channel running end to end across the Internet.
- Pros: flexible (service type and security level); end-to-end (application and user security); no impact on the global network
- Cons: deployment (retrofitting in end-systems); cost of migration (protocol impact)
Internet Security Directions
Domain Control: isolate the trusted network from the untrusted Internet by filtering traffic across the border
Figure: Intranet (trusted) -- Filter -- Internet (untrusted)
- Pros: no impact on the intranet components; no impact on application software and users; ease of deployment for company intranets
- Cons: impediment to the global network concept; no end-to-end security; insufficient for e-commerce applications
Filtering Components
- Traffic filtering based on (a combination of): packet filters, application gateways, circuit gateways
Packet Filters
- Function integrated with packet forwarding
- Principle: for each IP packet received from a local interface, check the packet against the set of access rules; forward, discard and/or log the packet according to the result of the rule-based verification
- Access rules are based on (a selection of):
  - information of the TCP/IP header: source and destination IP addresses; source and destination port numbers; protocol type (TCP/UDP); flags (ACK, SYN)
  - the identity of the incoming interface
  - direction of the packet (in/out)
- implemented by: router (CISCO); IP forwarding algorithm in a host (Linux)
</gr_repl
ace>
<gr_insert after="769" cat="add_content" lang="python" orig="- IP forwarding">
A first-match packet filter built from exactly the fields the slide lists (addresses, ports, protocol, ACK/SYN flags, incoming interface), as an added example that is not from the lecture. The rule set, the interface names `ext`/`int` and the address ranges are constructed for the example; the third rule is the classic stateless trick of letting inbound TCP segments through only when ACK is set, i.e. when they look like replies to connections opened from inside.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool
    ack: bool
    iface: str          # interface the packet arrived on

@dataclass
class Rule:
    action: str                       # "allow" or "deny"
    iface: str = "*"                  # incoming interface, "*" = any
    proto: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: tuple = (0, 65535)         # inclusive destination port range
    ack: Optional[bool] = None        # None = don't care, True = ACK must be set

    def matches(self, p: Packet) -> bool:
        return ((self.iface == "*" or self.iface == p.iface)
                and (self.proto == "*" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.dport[0] <= p.dport <= self.dport[1]
                and (self.ack is None or self.ack == p.ack))

def filter_packet(rules, packet: Packet, default: str = "deny") -> str:
    """First matching rule wins, as in a router access list; no rule -> default deny."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default

# Constructed border-router policy: 'ext' faces the Internet, 'int' the 10.0.0.0/8 intranet.
RULES = [
    Rule("deny", iface="ext", src="10.0.0.0/8"),                               # anti-spoofing
    Rule("allow", iface="ext", proto="tcp", dst="10.0.0.5/32", dport=(25, 25)), # SMTP to the relay
    Rule("allow", iface="ext", proto="tcp", ack=True),                          # replies to inside-opened sessions
    Rule("allow", iface="int"),                                                 # anything leaving
]

def inbound(src, dst, dport, syn, ack, sport=40000, proto="tcp") -> Packet:
    return Packet(src, dst, proto, sport, dport, syn, ack, "ext")

def outbound(src, dst, dport, syn, ack, sport=40000, proto="tcp") -> Packet:
    return Packet(src, dst, proto, sport, dport, syn, ack, "int")
```

The ACK rule is also the known weakness of this style of filter: any segment with ACK set passes, whether or not a connection exists, which is why stateful filters that remember outbound SYNs replaced it.
<test>
assert filter_packet(RULES, inbound("198.51.100.9", "10.0.0.7", 23, True, False)) == "deny"
assert filter_packet(RULES, inbound("198.51.100.9", "10.0.0.5", 25, True, False)) == "allow"
assert filter_packet(RULES, inbound("198.51.100.9", "10.0.0.7", 40000, False, True, sport=80)) == "allow"
assert filter_packet(RULES, inbound("10.0.0.1", "10.0.0.5", 25, True, False)) == "deny"
assert filter_packet(RULES, outbound("10.0.0.7", "198.51.100.9", 80, True, False)) == "allow"
assert filter_packet(RULES, inbound("198.51.100.9", "10.0.0.5", 25, True, False, proto="udp")) == "deny"
</test>
</gr_insert>
<gr_replace lines="770-789" cat="clarify" orig="66Application">
Application Gateways
- Opposite approach to packet filtering: instead of a general-purpose mechanism for all kinds of traffic, a special-purpose access control mechanism is used for each application.
- Idea: an application gateway is a proxy server. Each proxy server acts as an intermediary between the client and the actual server and performs various verifications on the application protocol between the client and the server.
- Generic operation of an application gateway:
  - the client first connects to the proxy server
  - the proxy server performs authentication and access control verification
  - if the client is authorized, the proxy server connects to the actual destination
  - further communication between the client and the actual server is relayed through the proxy server, and some optional filtering can be applied on the data exchange
- An application gateway is a process, not a host.
- There is an application gateway for each application protocol that is authorized.
- Application gateways can be combined with a packet filter.
66Application Gateways
- Opposite approach to packet filtering
- Instead of a general purpose mechanism for all
kind of traffic, a special purpose access control
mechanism is used for each application. - Idea
- Application gateway is a proxy server. Each proxy
server acts as an intermediate between the client
and the actual server. Proxy server performs
varoous verifications on the application protocol
between the client and server. - Generic operation of an application gateway
- the client first connects to proxy server
- proxy server performs authentication and access
control verification - if the client is authorized, proxy server
connects to the actual destination - further communication between the client and the
actual server is relayed through the proxy server
and some optional filtering can be applied on the
data exchange. - An application gateway is a process, not a host.
- There is an application gateway for each
application protocol that is authorized. - Application gateways can be combined with a
packet filter.
Application Gateways
Figure: basic model for packet filtering with application gateways (simpler packet filtering). Network 1 (untrusted) -- Interface 1 -- Packet Filter -- Interface 2 -- Network 2 (trusted); Interface 3 leads to the Application Gateway Host, and only authorized connections are passed to it.
Circuit Gateways
- generic proxy for all TCP-based applications
- Basic principle:
  - client-server connections are forced to pass through the gateway by a change in the transport layer software of the client
  - relaying takes place at the transport layer (TCP)
  - the layers above TCP (application) are not affected at all
- Encapsulation of the client-server connection by the client-gateway connection (figure):
  Client -> GW: connection request (data = server name)
  GW: verification
  GW -> Server: connection request
  Server -> GW: connection response
  GW: establish relay
  GW -> Client: connection response
  Client <-> GW <-> Server: data (relayed)
Packet filtering Firewall
Figure: Local Network -- Packet Filter Router -- Internet
- The router blocks all or most access to the internal network.
- The router can allow selective access to services.
- Usually inherently dangerous services such as NIS, NFS and X11 are blocked.
Dual-Homed Gateway
Figure: Local Network -- Firewall (bastion host running the proxy servers) -- Internet
- The gateway host has a separate interface (network adapter) to each network.
- Packet (IP) forwarding on the gateway is disabled.
- Proxy servers perform application layer access control.
- Default condition: only traffic authorized by application gateways can cross the boundary.
- In a simple setup, proxy servers for telnet, ftp, http and a mail server can be located on the firewall.
Screened Host Firewall
Figure: Local Network (with open services) -- Packet Filter Router -- Internet; the bastion host running the proxy servers sits on the local network.
- The packet filter "forces" all inbound packets to connect to the gateway or "bastion host".
- The packet filter lets out only packets from the gateway.
- Proxy servers perform application layer access control.
- Main difference from the Dual-homed Gateway: no true network isolation.
Screened Subnet Firewall
Figure: Local Network -- Internal Packet Filter Router -- buffer subnet, the De-militarized Zone (DMZ), holding the bastion host with the proxy servers and the open services -- External Packet Filter Router -- Internet
- The internal packet filter "forces" all exit packets to connect to the gateway.
- The external packet filter "forces" all entry packets to connect to the gateway or to the open services.
- The external packet filter lets out only packets from the gateway or from the open services.
- The internal packet filter lets in only packets from the gateway.
- Proxy servers perform application layer access control.
Other Useful Tools
- TCP_WRAPPER: host-based access control and logging for TCP-based services; located at each host; integrated with inetd
- Tripwire: host-based integrity verification; detects modification of essential files; based on hashing
- SATAN, ISS: vulnerability testing on UNIX networks; based on well-known security flaws
- COPS: vulnerability testing on UNIX systems
- ISS RealSecure, NetRanger, etc.: network intrusion detection
Cryptographic Security
Figure: the TCP/IP stack and where cryptographic security is placed. Application protocols (Domain Name System, Routing Information Protocol, EGP/BGP, SNMP) with routing security; Transmission Control Protocol and User Datagram Protocol (with ICMP, IGMP, OSPF) with Transport Layer Security; Internet Protocol (with ARP, RARP) with Internet Layer Security; Data Link Layer (xDSL, Ethernet, ATM).
Internet Layer Security Architecture
- IPsec: RFC 2401, Architecture Document
- IP Authentication Header (IP AH)
- IP Encapsulating Security Payload (ESP)
- Keyed Hash Functions
- Key management and Security Associations
- No protection for ARP in IPv4
- Secure equivalent in IPv6 using ICMP
IP Authentication Header
- Cryptographic authentication for IPv4 and IPv6 datagrams: RFC 2402
- Services provided:
  - support for variable functions and parameters (SPI)
  - data origin authentication
  - data integrity
  - replay detection
- Services not provided:
  - confidentiality
  - traffic secrecy
IP AH
Figure: AH header layout (bit offsets 0, 8, 16, 24): Next Header / Payload Length / Reserved; Security Parameter Index (SPI); Sequence Number; Authentication Data (variable). The Authentication Data is computed by a keyed secure hash function over the IP datagram with the mutable fields and the Authentication Data field itself set to zero.
IP AH
- Transport mode AH placement in the IP datagram:
  IPv4: [Original IP Header][AH][TCP][Data]; coverage of authentication: the whole datagram (except for mutable fields)
  IPv6: [Original IP Header][Hop-by-hop extensions][End-to-end extensions][AH][TCP][Data]; coverage of authentication: the whole datagram (except for mutable fields)
- Tunnel mode AH placement in the IP datagram:
  [Encapsulating IP Header][AH][Original IP Header][Extension fields][TCP][Data]; coverage of authentication: the whole encapsulated datagram plus the outer header (except for mutable fields)
IP AH
Secure Hash Function alternatives (figure): keyed MD5 in the style of RFC 1828, MD5 over [Key || padding || IP packet || Key || padding] with the input padded to a multiple of 512 bits, giving 128 bits of Authentication Data.
- Asymmetric or symmetric encryption of the MD5 output
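How the AH Authentication Data is actually computed over a datagram, as an added example that is not from the lecture. It builds a minimal IPv4 header, zeroes the fields RFC 2402 declares mutable (TOS, flags/fragment offset, TTL, header checksum), appends the AH with its ICV field zeroed and the payload, and takes HMAC-MD5 truncated to 96 bits (HMAC-MD5-96, RFC 2403, the keyed hash IPsec implementations mandate rather than the RFC 1828 construction shown on the slide). Addresses, key and payload are constructed; options are not handled.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # 96-bit truncated HMAC-MD5, as in RFC 2403

def ipv4_header(src: str, dst: str, ttl: int, proto: int, total_len: int, tos: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header, no options; checksum left at zero (recomputed per hop)."""
    to_bytes = lambda ip: bytes(int(x) for x in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, to_bytes(src), to_bytes(dst))

def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """RFC 2402: TOS, Flags/Fragment Offset, TTL and Header Checksum are mutable in transit."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)

def ah_icv(key: bytes, ip_hdr: bytes, spi: int, seq: int, payload: bytes, next_header: int = 6) -> bytes:
    """ICV over: immutable IP header fields || AH with ICV zeroed || payload."""
    payload_len = (12 + ICV_LEN) // 4 - 2          # AH length in 32-bit words minus 2 -> 4
    ah_zero = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + bytes(ICV_LEN)
    mac = hmac.new(key, zero_mutable_fields(ip_hdr) + ah_zero + payload, hashlib.md5).digest()
    return mac[:ICV_LEN]

def build_ah(key: bytes, ip_hdr: bytes, spi: int, seq: int, payload: bytes, next_header: int = 6) -> bytes:
    """The 24-byte AH header as transmitted: fixed fields followed by the ICV."""
    icv = ah_icv(key, ip_hdr, spi, seq, payload, next_header)
    return struct.pack("!BBHII", next_header, 4, 0, spi, seq) + icv

def verify_ah(key: bytes, ip_hdr: bytes, ah: bytes, payload: bytes) -> bool:
    """Receiver side: recompute the ICV from the received header, AH fields and payload."""
    next_header, _plen, _reserved, spi, seq = struct.unpack("!BBHII", ah[:12])
    expected = ah_icv(key, ip_hdr, spi, seq, payload, next_header)
    return hmac.compare_digest(expected, ah[12:12 + ICV_LEN])
```

A router decrementing the TTL leaves the ICV valid, while any change to the addresses, the payload, the SPI or the sequence number invalidates it; the sequence number's inclusion is what gives the replay detection listed on the AH slide.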
IP Encapsulating Security Payload
- RFC 2406
- Services provided:
  - data confidentiality
  - data integrity with replay detection
  - traffic confidentiality (optional)
Figure: ESP packet layout (bit offsets 0, 8, 16, 24): Security Parameter Index (SPI); Sequence Number; Payload; Padding; Authentication Data (variable). Coverage of confidentiality: Payload and Padding. Coverage of authentication: SPI, Sequence Number, Payload and Padding (not the Authentication Data itself).
IP ESP
- Transport mode, IPv4: [Original IP Header][ESP header: SPI, Seq.Nr.][ESP payload: TCP, Data][ESP trailer: Padding][Auth. Data]. Coverage of confidentiality: ESP payload and trailer. Coverage of authentication: ESP header, payload and trailer.
- Transport mode, IPv6: [Original IP Header][Hop-by-hop extensions][ESP header: SPI, Seq.Nr.][end-to-end extensions][TCP][Data][ESP trailer: Padding][AuthData]. Same coverage as for IPv4, the end-to-end extensions being inside the protected payload.
- Tunnel mode: [New IP Header][new extensions][ESP header: SPI, Seq.Nr.][original IP datagram: original IP Header, TCP, Data][ESP trailer: Padding][AuthData]. Coverage of confidentiality: the whole original IP datagram and the trailer. Coverage of authentication: from the ESP header through the trailer.
End-to-end security with IPsec
Figure: two hosts communicating across the Internet or an Intranet.
- Transport mode: [IP1][AH][ULH] or [IP1][ESP][ULH]
- Tunnel mode: [IP2][AH][IP1][ULH] or [IP2][ESP][IP1][ULH]
- One or more SAs applied to the same traffic stream, e.g. [IP1][AH][ESP][ULH]
IP1: original IP header; IP2: encapsulating IP header; ULH: Upper Layer Header
Simple virtual private network with IPsec
Figure: two sites connected over the Internet through their security gateways; tunnel mode between the gateways: [IP2][AH][IP1][ULH] or [IP2][ESP][IP1][ULH].
Remote access with IPsec
Figure: a remote host on the Internet reaches the Intranet through a security gateway (SG).
Internet Security Architecture
Figure: the same protocol stack as on the Cryptographic Security slide, here pointing at Transport Layer Security above TCP/UDP.
Transport Layer Security (TLS) Protocol
- RFC 2246
- Based on Secure Sockets Layer (SSL) from Netscape Communications
- Services provided:
  - peer entity authentication
  - data confidentiality
  - data integrity (replay detection)
  - generation/distribution of session keys
  - security parameter negotiation
- Two sub-layers:
  - TLS Record Protocol
  - TLS Handshake Protocol
- The Record sub-layer encapsulates Application Data and the Handshake Protocol
TLS Handshake Protocol
- Session negotiation between peer transport entities
- A session consists of:
  - session Id
  - X.509 public-key certificate of the peer
  - compression algorithm
  - encryption algorithm
  - MAC algorithm (MD5, SHA, etc.)
  - cryptographic attributes
- Session data are used by the TLS Record Layer for encryption and integrity protection of higher layer protocols
- A session can be reused by several transport connections
Figure: Client -> Server: ClientHello; Server -> Client: ServerHello, Certificate, ServerKeyExchange; Client -> Server: Certificate, ClientKeyExchange; then Application Data (the CertificateVerify, ChangeCipherSpec and Finished messages are not shown).
WWW Security
Figure: browser (running applets, with access to local resources) <--HTTP, url--> server (running CGI gateway programs, with access to local resources)
- Vulnerabilities:
  - HTTP: risks due to communication over the Internet
  - CGI: a malicious script can expose server resources
  - Java: a malicious applet can expose client resources
HTTP and CGI Security
- Client-server communication:
  - standard authentication by the server: base64-encoded (uuencoded) cleartext passwords
  - domain-based access control, per subtree of the html document directory
  - application layer: Secure HTTP
  - transport layer: SSL (Netscape), see Transport Layer Security
  - proxy server to filter traffic at the domain boundary
- CGI:
  - restricted access to the cgi-bin directory
  - verification of user-provided parameters in the cgi scripts
  - limited use of the setuid bit with cgi scripts
  - limited use of process creation in cgi scripts
  - hide the source of cgi scripts from the net
Mobile Code
Figure: Client -- Browser -- Applet -- Libraries, the applet arriving from the Network
A malicious applet (executable content) can cause:
- disclosure of client information
- modification of client information
- denial of service on client resources
Flexibility and power at the cost of higher risk.
Java Security
- Language features:
  - object-oriented data encapsulation
  - type-safety
  - final attribute
  - absence of pointers
  - garbage collection
  - namespace encapsulation
- Protection against malicious Applets: the Sandbox approach
  - Bytecode Verifier: converts bytecode from the network into a local class, checking stack overflows, pointers, access restrictions, object and method access
  - Class Loader: protects the integrity of local classes; forces class import from the origin node; signature verification by the subtyped SignedClassLoader
  - Security Manager
94 Multicast Security
- Key Management
- Data Origin Authentication
- Data Confidentiality
95 Key Management
- Security requirements
  - membership (JOIN/LEAVE) security
  - containment
- Scalability
  - processing cost
  - membership dynamics
  - no group-wide re-key message
  - treat the group as a single entity
- Existing algorithms
  - one key for the whole group
  - the group is a set of subgroups, with a different key in each subgroup
96 Multicast Key Management
[Figure: binary key tree. Root K0; children K1234 and K5678; below them K12, K34, K56, K78; leaf keys K1..K8, one per user u1..u8.]
- K0: group key
- u4's keys: K4, K34, K1234, K0
- u4 JOINS: trivial
- u4 LEAVES: new K34, K1234 and K0 are distributed as
  - {K34, K1234, K0} encrypted under K3 → u3
  - {K1234, K0} encrypted under K12 → u1, u2
  - {K0} encrypted under K5678 → u5, u6, u7, u8
- advantage: the number of re-key messages is logarithmic in the group size
- but there is no containment.
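The leave case of this slide as an added example (not code from the lecture): a complete binary key tree is built with the slide's naming (K1..K8 for u1..u8, K12, K34, ..., K0 at the root) and the re-key messages for a departing member are computed as (key used for encryption, new keys sent); the encryption itself is left out.

```python
# Added example, not from the lecture: re-keying a logical key tree when a
# member leaves. A message is modelled as (encryption key name, [new keys]);
# a real implementation encrypts the fresh keys under the named key.
from typing import Dict, List, Tuple

def build_tree(n_users: int) -> Dict[str, List[str]]:
    """{node: [left child, right child]} for a complete binary tree over
    u1..un; nodes are named 'K' + the user numbers they cover, root is K0."""
    assert n_users > 0 and (n_users & (n_users - 1)) == 0, "power of two expected"
    level = [f"K{i}" for i in range(1, n_users + 1)]
    tree: Dict[str, List[str]] = {leaf: [] for leaf in level}
    while len(level) > 1:
        nxt = []
        for a, b in zip(level[0::2], level[1::2]):
            parent = "K0" if len(level) == 2 else "K" + a[1:] + b[1:]
            tree[parent] = [a, b]
            nxt.append(parent)
        level = nxt
    return tree

def path_to_root(tree: Dict[str, List[str]], leaf: str) -> List[str]:
    """Keys a member holds: its leaf key and every ancestor up to K0."""
    parent = {c: p for p, cs in tree.items() for c in cs}
    path = [leaf]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return path

def rekey_on_leave(tree: Dict[str, List[str]], user: int) -> List[Tuple[str, List[str]]]:
    """Re-key messages after u<user> leaves: every key on its path except its
    own leaf key is replaced, and each new key goes to the sibling subtree of
    the old path, encrypted under that sibling's unchanged key."""
    path = path_to_root(tree, f"K{user}")
    changed = path[1:]                       # K34, K1234, K0 for u4
    messages = []
    for i, node in enumerate(changed):
        sibling = [c for c in tree[node] if c != path[i]][0]
        messages.append((sibling, changed[i:]))
    return messages

if __name__ == "__main__":
    for enc_key, new_keys in rekey_on_leave(build_tree(8), 4):
        print(f"{{{', '.join(new_keys)}}} encrypted under {enc_key}")
```

The number of messages equals the tree depth, and none of them is readable by the departed member because its leaf key is never used for encryption.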
97 Multicast Key Management: Sub-group Approach
- Iolus [Mittra, 97]
  - intermediate nodes involved in key distribution
  - GSC (Group Security Controller)
    - defines the groups and the GSIs
  - GSI (Group Security Intermediary)
    - 1. decrypts M with the key of the group
    - 2. re-encrypts M with the key of the other group it is involved in
[Figure: the GSC heads the top subgroup (key K1); each GSI bridges two subgroups, giving the subgroups keys K2..K6.]
- advantage: containment, scalability
- disadvantage: we have to trust the GSIs
98 Multicast Key Management: Sub-group Approach
- Molva et al. 99
- Based on asymmetric algorithms
[Figure: the source sends through intermediate elements labelled a1..a7 to the recipients in subgroup S4.]
99 Multicast Key Management (4/4)
- access to the segments between s4 and s8
  - using t2 and t10
  - k4 = t10, k5 = L(L(t2)), etc.
- L and R are one-way functions.
[Figure: binary tree of tokens. Root t0; t1 and t2 below it; then t3, t4, t5, t6; leaves t7..t14. Each left child is L(parent) and each right child is R(parent); the leaf tokens are the segment keys k1..k8.]
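The token tree of this slide as an added example (not code from the lecture): node t_i has children t_{2i+1} = L(t_i) and t_{2i+2} = R(t_i), the leaves t7..t14 are k1..k8, and the source hands out the smallest set of tokens covering a recipient's segment range. L and R are instantiated here with HMAC-SHA256 under distinct labels; that choice is an assumption, the slide only requires one-way functions.

```python
# Added example, not from the lecture: one-way-function token tree for
# segment keys. Tree nodes are heap-indexed: t_i -> L(t_i)=t_{2i+1}, R(t_i)=t_{2i+2}.
import hashlib
import hmac
from typing import Dict, Set

DEPTH = 3                       # 2**3 = 8 segments as on the slide
FIRST_LEAF = (1 << DEPTH) - 1   # t7 holds k1

def L(t: bytes) -> bytes: return hmac.new(t, b"L", hashlib.sha256).digest()
def R(t: bytes) -> bytes: return hmac.new(t, b"R", hashlib.sha256).digest()

def expand(index: int, token: bytes, out: Dict[int, bytes]) -> None:
    """Derive every token in the subtree rooted at t_index from its token."""
    out[index] = token
    if index < FIRST_LEAF:
        expand(2 * index + 1, L(token), out)
        expand(2 * index + 2, R(token), out)

def segment_keys(tokens: Dict[int, bytes]) -> Dict[int, bytes]:
    """Segment keys k_j computable by a recipient holding the given tokens."""
    derived: Dict[int, bytes] = {}
    for idx, tok in tokens.items():
        expand(idx, tok, derived)
    return {i - FIRST_LEAF + 1: t for i, t in derived.items() if i >= FIRST_LEAF}

def cover(first: int, last: int) -> Set[int]:
    """Smallest set of nodes whose subtrees contain exactly the leaves of
    segments first..last (1-based, inclusive)."""
    lo, hi = FIRST_LEAF + first - 1, FIRST_LEAF + last - 1
    nodes: Set[int] = set()
    while lo <= hi:
        if lo % 2 == 0:          # lo is a right child: its parent would leak lo-1
            nodes.add(lo); lo += 1
        if hi % 2 == 1:          # hi is a left child: its parent would leak hi+1
            nodes.add(hi); hi -= 1
        if lo > hi:
            break
        lo, hi = (lo - 1) // 2, (hi - 1) // 2   # move both ends up one level
    return nodes

def tokens_for(root: bytes, first: int, last: int) -> Dict[int, bytes]:
    """Tokens the source sends to a recipient entitled to segments first..last."""
    all_tokens: Dict[int, bytes] = {}
    expand(0, root, all_tokens)
    return {i: all_tokens[i] for i in cover(first, last)}
```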
100 Broadcast Encryption (2/3)
- k-resilient scheme [Fiat et al. 1994]
  - every user ui is assigned a set of keys Ki
  - S sends {M}K and a key envelope to a user set T
  - each user in T retrieves K from the key envelope using Ki
  - mathematically proven k-resilient
[Figure: source S broadcasting to users u1, u2, u3, ..., un.]
101 Broadcast Encryption (3/3)
- f-redundant key cover schemes [Abdalla et al. 2000]
  - the keys of user $u_i$ are those of the sets containing it: $k(u_i) = \{K_j \mid u_i \in K_j\}$
  - S → {u2, u6, u10, u12}: M
  - S computes Cmin(K) and sends the same message encrypted with the keys in Cmin(K) (minimal key cover).
  - → f-redundancy: some users outside the intended destination group will be able to access M
[Figure: universe U of users u1..u13 covered by the sets K1..K5.]
U: universe of users ui; Ki: sets of users (one key per set)
102 Data Encryption (1/3)
- Pannetrat et al. 2002: based on the same idea as the key distribution algorithm using intermediate nodes
- Symmetric encryption in XOR-Counter mode.
- Apply several layers of encryption at the source and at the recipients.
- Only two operations in the intermediate elements
  - one decryption
  - one encryption
103 Data Encryption (2/3)
104 Data Encryption (3/3)
105 Multicast Authentication (1/4)
- Requirements
  - A multiparty problem
    - one source and an unlimited number of recipients
    - the source does not trust the recipients
    - → the authentication technique must be asymmetric
  - A packet streaming problem
    - individual authentication of each packet
    - authentication of packet sequences
    - cost per packet
    - packet loss rate
    - real time
- A digital signature per packet is not a practical solution
  - one digital signature for a set of packets
  - packet chaining using hash functions
106 Multicast Authentication (2/4)
- TESLA [Perrig et al. 2000]
  - Lamport's hash chaining, as in S/Key
    - $K_0, K_1, K_2, \ldots, K_n$ such that $K_i = h(K_{i+1})$
  - Authenticated multicast message sent in time interval i: $M_i,\ \mathrm{MAC}(K_i, M_i),\ K_{i-1}$
  - $M_i$ is authenticated using a further message in the stream
  - Synchronization required to detect replays: $K_j$ is only valid in interval $I_j$
  - The first message is asymmetrically authenticated using a digital signature.
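The delayed-disclosure mechanism of this slide as an added example (not code from the lecture): packet i carries $M_i$, $\mathrm{MAC}(K_i, M_i)$ and discloses $K_{i-1}$, the receiver checks each disclosed key against the committed $K_0$ by hashing down the chain, and buffered messages become verifiable one interval later. SHA-256 and HMAC-SHA256 are assumed instantiations, and $K_0$ is assumed to have been signed and verified already, as the slide's first message.

```python
# Added example, not from the lecture: TESLA-style delayed key disclosure with
# a SHA-256 hash chain and HMAC-SHA256 MACs (instantiation is an assumption).
import hashlib
import hmac
import secrets

def h(k: bytes) -> bytes: return hashlib.sha256(k).digest()
def mac(k: bytes, m: bytes) -> bytes: return hmac.new(k, m, hashlib.sha256).digest()

def make_chain(n: int) -> list:
    """K_0..K_n with K_i = h(K_{i+1}): K_n random, K_0 is the signed commitment."""
    chain = [secrets.token_bytes(32)]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain[::-1]

def send(chain: list, i: int, msg: bytes) -> tuple:
    """Packet of interval i >= 1: (i, M_i, MAC(K_i, M_i), K_{i-1})."""
    return (i, msg, mac(chain[i], msg), chain[i - 1])

class Receiver:
    def __init__(self, k0: bytes):
        self.known = {0: k0}      # authenticated chain keys by interval
        self.latest = 0           # highest interval whose key is known
        self.pending = {}         # i -> (M_i, tag) waiting for K_i

    def receive(self, pkt: tuple, now: int) -> list:
        """now: receiver's loosely synchronized view of the sender's interval.
        Returns (i, M_i) for every buffered message that became authentic."""
        i, msg, tag, k_prev = pkt
        if i < now:               # K_i may already be disclosed: MAC forgeable
            return []
        if i - 1 > self.latest:   # hash the disclosed key down to a known one
            keys = [k_prev]
            for _ in range(i - 1 - self.latest):
                keys.append(h(keys[-1]))
            if keys[-1] != self.known[self.latest]:
                return []         # not on the committed chain: bogus packet
            for off, k in enumerate(keys[:-1]):
                self.known[i - 1 - off] = k
            self.latest = i - 1
        self.pending[i] = (msg, tag)
        done = []
        for idx in sorted(self.pending):
            if idx <= self.latest:
                m, t = self.pending.pop(idx)
                if hmac.compare_digest(mac(self.known[idx], m), t):
                    done.append((idx, m))   # a bad MAC is dropped silently
        return done
```

A packet that arrives after its own key could already be public is discarded, which is the synchronization requirement on the slide; a lost packet is tolerated because a later disclosed key can be hashed back to the last known one.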
107 Multicast Authentication (3/4)
- Advantages
  - spread the cost of a signature over several packets
  - erasure code to tolerate losses
  - no need to send duplicate hash values
[Figure: a stream of packets P chained by hash values; the hashes are erasure-coded into blocks E.C.1 and E.C.2, and a single signature covers the set.]
108 Multicast Authentication (4/4)
- Alternative feedback schemes
109