Mehrdad Nourani

1
Data Network Security

• Mehrdad Nourani

2
Session 09

• Security Services
• Traffic Confidentiality

3

• Security Management, Services and Threats

4
Security Management

• Security management functions are concerned with
  the management, control, and administration of
  security services for all secured entities within
  the security domain according to the defined
  policies.
• Security management is responsible for the
  installation, monitoring, tuning, and
  restructuring of the available security services.
  Functions of security management include control
  and distribution, monitoring, event logging,
  event reporting, security audit trail and
  security recovery.
• Based on the corresponding policy and target
  systems/network some of these functions may not
  apply or need not to be implemented.

5
Security Services

• Security services are remedies, defenses, and
  countermeasures by which security threats are
  countered.
• The specific implementation of each security
  service is based on one or more security
  mechanisms.
• In general, we define six security services aimed
  to provide the following six basic security
  objectives.
• Some of these services may appear "overlapping."
• key management is an important function that has
  to be provided by any system involved in
  providing security services and data encryption.

6
Security Services (I)

• Confidentiality and Privacy - is the protection
  of information exchange and traffic flow from
  unauthorized disclosure (or all passive attacks).
  
• This service can be implemented at different
  layers of communication protocols and/or at
  several application/system levels.

7
Security Services (II)

• Integrity and Protection - is the protection of
  information exchange and storage from mostly
  active attacks and (wo)man-in-the-middle attacks/
• It assures that information is received as sent,
  with no duplication, insertion, modification,
  reordering, or replay.

8
Security Services (III)

• Access Control and Authorization - in the context
  of network security, is the protection,
  limitation, and control of access to the host,
  operating system, and applications via
  communications links.
• Authorization is to provide access rights as
  tailored to the individual user or application.

9
Security Services (IV)

• Non-repudiation and Accountability - is concerned
  with preventing either sender or receiver from
  denying an exchanged information.
• Sometimes, an arrangement to use an unbiased
  arbitrator, called a notary, is used when both
  parties are suspicious users.

10
Security Services (V)

• Authentication - is concerned with assuring that
  the communication is authentic, including source
  of information, communicating systems or
  applications, and/or users.

11
Security Services (VI)

• Availability and Non-Denial of Service - is
  concerned with assuring that a communication
  resource is not destroyed or blocked or becomes
  unavailable or unusable to its authorized users.
• Denial of service means knocking off services
  without permission, e.g., flooding the file
  server with phony files causing a system crash,
  or congesting remote access servers with
  unauthorized access requests.

12
Security Threats

• A threat or security attack is a potential
  violation of security or an intrusion for
  unauthorized, illegitimate, malicious or
  fraudulent purposes.
• These attacks are aimed to compromise security.
• The points of attack (or attacking points) can
  occur at various weakness points within a
  security perimeter, and can be at any level or
  layer of realization, e.g., at the physical
  system realization level, at the system or
  network level, at the communication protocol
  level, and so on.

13
Security Threat Classification

• The nature of the attacks varies with the
  circumstances and according to the defined
  perimeter for the security.
• Threats may be classified by their
• Type (e.g., accidental or intentional, passive
  or active)
• Consequences
• Sources (e.g., users or programs)
• Objects of threats

14
Typical Intentional Threats
15
Typical Intentional Threats (cont.)
16
Some Products Solutions

• Some security products/solutions are designed for
  a particular environment or for a special
  application.
• They are considered as custom-designed
  combinations of the above services.
• Examples of these are
• PGP (Pretty Good Privacy) - a widely used
  authentication and confidentiality service.
• Kerberos - an authentication protocol based on
  conventional encryption to authenticate clients
  to servers, and vice versa. The Version 5
  Kerberos was developed within the Internet
  community.
• PEM (Privacy Enhancement Mail) - developed
  specifically as an Internet Standard for
  electronic mail.

17
Businesses Threats
18
Security Mechanism

• Security mechanisms are effective techniques and
  schemes used to implement a given security
  service with different degrees of complexity.
• Security services are designed to detect,
  prevent, or recover from a security violation or
  attack.
• For example, an abstract service like data
  confidentiality might be implemented using either
  the secret key data encryption mechanism or
  public key data encryption scheme.
• In most practical cases, a combination of
  security mechanisms need to implement even one
  particular security service.
• The services can be implemented either with
  strong mechanism or with weak mechanism (low,
  medium, or high security).

19
Well-Known Mechanisms
20

• Security Perimeter Domain

21
Security Borders

• In communications network environment and where
  encryption (confidentiality and privacy) is
  desired, security borders can be established
  around
• Link-by-link
• End-to-end (or application-to-application)
• User-to-user (operating system to operating
  system)
• Network edge-to-network edge

22
Link-by-Link Security

• Link-by-link security takes place at the lowest
  layers, where every transaction through a
  particular data-link is encrypted (secured).
• Examples of this are data encryption devices
  placed at the physical and/or datalink layers.
• Key management in this case can be simple because
  only the endpoints of the communication link need
  to exchange keys independent from the rest of the
  network.
• The main problem is that leaving any link in the
  network unencrypted jeopardizes the security of
  the entire network.

23
End-to-End Security

• If security is provided at higher layers, it is
  called end-to-end, when information is encrypted
  selectively and decrypted by the intended final
  recipient.
• In this case, security devices are placed between
  the network layer and transport layer.
• The security device must recognize protocols up
  to network layer (layer 3) and encrypt only the
  transport data units.
• One problem is that the system is open to traffic
  analysis attack because the routing information
  for the data is not generally encrypted.

24
Security at Higher Levels

• Data security and encryption can be performed at
  higher layer and even for data storage.
• At the application level, a hierarchy of security
  services may be defined, each providing security
  against a different perceived threat.
• In general, security services are defined (within
  a particular border against outside world) for
• a user entity (either process or machine),
• a network, a communication environment,
• a computing environment, or
• a stand-alone system.

25
Security Perimeter

• A security perimeter as a homogeneous set of
  tools and measures, established around some
  communication and/or computing environment, to
  protect it from the outside nonsecure
  environment.
• In general, security perimeters can be
  established around user, data processing and/or
  application, data storage, and data
  communication.

26
Security Domain

• In practice, a security perimeter environment can
  be constituted of (or subdivided to) several
  heterogeneous security domains, each domain
  follows the same measures of its parent perimeter
  plus some possible extra measures.
• A security domain is, therefore, a subset of
  users and resources of the global security
  perimeter environment, conforming to
• a unique security policy,
• a single logical security management,
• a single security administration,
• a set of uniformly available elementary
  mathematical macros for provision of security
  services and mechanisms.

27
Domain Relationships

• Entities that are subject to a single security
  policy, grouped together logically or physically,
  and administered by a single authority, called
  security management system (SMS), constitute a
  security domain.
• The approach of structuring the boundaries of
  domains leads to various relationships between
  domains.
• Domains may be disjoint, overlapping, or subsets
  of other domains.

28
Security Perimeters and Domains

• Each domain may be served by a central Security
  Management Center (SMC), which will be
  responsible for the policy making, management,
  and control of security services and activity on
  the network.
• Some negotiation and resolutions is necessary in
  order to establish common sets and levels of
  security parameters.

29

• Confidentiality Using Symmetric Encryption

30
Confidentiality

• Traditionally symmetric encryption is used to
  provide message confidentiality
• Confidentiality has been the main goal of
  encryption
• Other considerations added in the past few
  decades
• Authentication
• Integrity
• Digital signature

31
Points of Vulnerability
2
3
4
1

1. snooping from another workstation
2. use dial-in to LAN or server to snoop
3. use external router link to enter snoop
4. monitor and/or modify traffic on external links

32
Potential Vulnerability

• consider typical scenario
• workstations on LANs access other workstations
  servers on LAN
• LANs interconnected using switches/routers
• with external lines or radio/satellite links
• consider attacks and placement in this scenario
• snooping from another workstation
• use dial-in to LAN or server to snoop
• use external router link to enter snoop
• monitor and/or modify traffic on external links

33
What to Encrypt?

• have two major placement alternatives
• link encryption
• encryption occurs independently on every link
• implies must decrypt traffic between links
• requires many devices, but paired keys
• end-to-end encryption
• encryption occurs between original source and
  final destination
• need devices at each end with shared keys

34
Encrypt Across a Packet Network
35
Disadvantage of Link Encryption

• One disadvantage of link encryption approach is
  that the message must be decrypted each time it
  enters a packet switch.
• This is necessary because the packet switch must
  read the address (i.e., the virtual circuit
  number) in the packet header to route the packet.
  
• Thus, the message is vulnerable at each switch.
  If this is a public packet-switching network
  (PSN), the user has no control over the security
  of the nodes.

36
Disadvantage of End-to-End Encryption

• End-to-end approach would seem to secure the
  transmission against attacks on the network links
  or switches.
• when using end-to-end encryption must leave
  headers in clear (unencrypted)
• so network can correctly route information
• hence although contents protected, traffic
  pattern flows are not (as they can be read)

37
End-to-End vs. Link Encryption

• With end-to-end encryption, the user data are
  secure. However, the traffic pattern is not,
  because packet headers are transmitted in the
  clear.
• To achieve greater security, both link and
  end-to-end encryption are needed.
• Ideally we want both at once
• end-to-end protects data contents over entire
  path and provides authentication
• link protects traffic flows from monitoring but
  it requires a lot of encryption devices

38
End-to-End vs. Link Encryption (cont.)
39
Logical Placement of Encryption

• can place encryption function at various layers
  in OSI Reference Model
• link encryption occurs at layers 1 or 2
• end-to-end can occur at layers 3, 4, 6, 7
• E.g. the user data portion of all frames in ATM
  cells is encrypted
• as move higher less information is encrypted but
  it is more secure though more complex with more
  entities and keys

40
Using an Encryption Processor

• In network layer (layer 3)
• each end system can engage in an encrypted
  exchange with another end system.
• All the user processes and applications within
  each end system would employ the same encryption
  scheme with the same key to reach a particular
  target end system.
• With this arrangement, it is desirable to
  off-load the encryption function to some sort of
  front-end processor.

41
Front-End Encryption Processor

• The front-end processor (FEP) accepts and
  processes the packet
• Red data unencrypted (in clear)
• Black data encrypted

42
Scope of Encryption

• Encryption service on end-to-end protocols (e.g.
  frame-delay or TCP) provides end-to-end security
  for traffic within a fully integrated
  inter-network.
• Such scheme cannot deliver the security service
  to the traffic that crosses inter-network
  boundaries, such as electronic mail, electronic
  data interchange (EDI) and file transfer.

43
Scope of Encryption in OSI
Application Layer
44
Scope of Encryption in OSI (cont.)

• For applications like electronic mail that have a
  store-and-forward capability, the only place to
  achieve end-to-end encryption is at the
  application layer.
• A drawback of the application layer encryption is
  that the number of entities to consider increases
  dramatically, e.g.
• Supporting hundreds of hosts
• Supporting thousands of users
• Need to manage (generate and distribute) many
  more secret keys
• As we move up in the communication hierarchy,
  less information is encrypted but it is more
  secure.

45
Encryption and Protocol Levels

• In application level
• Only user data portion of a TCP segment is
  encrypted
• In transport/session (TCP) level
• the user data and the TCP header are encrypted.
  The IP header is needed by router to route the IP
  datagram.

46
Encryption and Protocol Levels (cont.)

• When a message passes through a gateway
• TCP header is terminated and a new transport
  connection is opened for the next hop
• The gateway is treated as a destination by the
  underlying IP. Thus, all data is decrypted in
  gateway.
• If the next hop is over TCP/IP, then the user
  data and TCP header are encrypted again.

47
Encryption and Protocol Levels (cont.)

• In link level
• Entire data unit except for the link header and
  trailer is encrypted on each link.
• The entire data unit is in the clear
  (unencrypted) at each router or gateway.

48
Traffic Analysis

• is monitoring of communications flows between
  parties
• useful both in military commercial spheres
• can also be used to create a covert channel
  (using the communication channel in a way that
  violates the security policy, e.g. an employee
  sends a short message as 0 and a long message
  as 1. If an outsider can monitor the channel
  they effectively established a covert channel)
• Traffic analysis violates confidentiality since
  by monitoring length, duration etc. of
  communication one can find useful information
  like
• Identity of partners
• How frequently they communicated
• Message pattern, level of importance
• Correlation between events and communication

49
A Solution to Traffic Analysis

• link encryption obscures header details
• but overall traffic volumes in networks and at
  end-points is still visible
• Traffic padding
• Generate random messages (even if there is none)
• Uniform the length of messages at the
  transport/application level
• traffic padding can further obscure flows
• but at cost of continuous traffic

50
A Solution to Traffic Analysis (cont.)

• Protecting end-to-end encryption against traffic
  analysis is more difficult.
• Since two sides should do encryption and
  decryption, the choices to defend against traffic
  analysis is more limited.
• Still you can obscure the underlying traffic by
• Padding out data units to a uniform length at
  transport or application layer
• Inserting null messages into the stream randomly

51

• Key Distribution

52
Symmetric Encryption

• All of the methods discusses so far use a single
  key that must be strictly kept secret. These
  systems are called symmetric-encryption (or
  secret-key or private-key) systems.
• Key distribution is still a challenge. One
  approach is based on sending pieces of key
  through separate channels.

53
Importance of Key Distribution

• symmetric schemes require both parties to share a
  common secret key
• issue is how to securely distribute this key
• often secure system failure due to a break in the
  key distribution scheme

54
Key Distribution Mechanisms

• given parties A and B, there are various key
  distribution alternatives
• A can select key and physically deliver to B
• third party can select deliver key to A B
• if A B have communicated previously can use
  previous key to encrypt a new key
• if A B have secure communications with a third
  party C, C can relay key between A B
• For practical large distributed systems in which
  many links/hosts/users need to exchange keys
  option 4 is the answer.

55
Key Distribution Mechanisms (cont.)

• Link Encryption Use methods (1) or (2) because
  only two devices communicate.
• End-to-end Encryption
• Manual delivery is not possible due to
  exponential growth.
• At the network/IP level a key is needed for each
  pair of hosts. (For N hosts, we need N(N-1)/2
  keys).
• At the application level a key is needed for
  every pair of users/processes. (e.g. 1000 nodes
  require C21000500000 keys)

56
Key Distribution Mechanisms (cont.)

• (3) Can be used for both link and end-to-end
  encryptions. However, if an attacker find one key
  then all subsequent keys will be revealed.
• (4) is widely used for end-to-end encryption
  using at least 2-levels of keys
• Session key a temporary key for the duration of
  logical connection (e.g. transport connection)
• Master key is used to encrypt and send session
  keys. It is distributed in some non-cryptographic
  way (e.g. physical delivery). For N pairs only N
  master keys are needed.

57
Key Distribution Scenario
58
Key Distribution Scenarios (cont.)

• A issues a request to KDC for a session key. The
  message includes the identity of A and B and N1
  (called nonce, e.g. a random number).
• KDC responds with a message encrypted with Ka
  (master key of A). The message includes
• One-time session key Ks.
• Original request and nonce of A
• Ks and identifier of A (e.g. As network address)
  encrypted with Kb
• A stores Ks and send EKb(KsIDA) to B
• Using Ks, B sends a nonce N2 to A.
• Using Ks A responds f(N2) (a transformation of N2
  e.g. N21) for authentication.

59
Key Distribution Scenarios (cont.)

• Note that the actual key distribution involves
  only steps 1 through 3.
• After step 3, both A and B have the session key
  Ks and they may begin their protected exchange of
  information.
• Steps 3, 4 and 5 together perform an
  authentication function.
• They assume B that the original message it
  received in step 3 was not a replay.

60
Key Distribution Issues

• hierarchies of KDCs required for large networks,
  but must trust each other
• session key lifetimes should be limited for
  greater security
• use of automatic key distribution on behalf of
  users, but must trust system
• use of decentralized key distribution
• controlling purposes keys are used for

61
Automatic Key Distribution

• For connection-oriented protocols (e.g. at
  network or transport levels) the key can be
  generated, using Front-End Processor, in a way
  that is transparent to the end user.

62
Automatic Key Distribution (cont.)

• The KDC provides a one-time session key for that
  connection. The session keys are used for the
  duration of a session. At the conclusion of the
  session, or connection, the session key is
  destroyed.
• The automated key distribution approach provides
  the flexibility and dynamic characteristics
  needed to allow a number of terminal users to
  access a number of hosts and for the hosts to
  exchange data with each other.
• Kerberos, used extensively in Microsoft Windows
  2000, is modelled on a KDC.

63
Difficulties in Key Distribution

• In general, a KDC supporting n sites, where each
  site needs a secret key with every other site,
  must make almost n2/2 keys.
• The KDC is often burdened with extensive key
  management and can become a bottleneck.
• If the KDC also acts as a key escrow agent, the
  KDC itself is an attractive target (e.g., for a
  distributed denial-of-service attack).
• For these reasons, the symmetrical encryption is
  not very attractive in large networks and is
  avoided altogether.
• Another approach to security is the public-key
  encryption, which makes key distribution much
  easier. We will discuss it in the next chapter.

64
Decentralized Key Control

• For small networks we may use a decentralized
  approach. Each node must maintain n-1 master
  keys.
• A issues a request to B for a session key and
  includes a nonce N1.
• B responds with a message that is encrypted using
  the shared master key (MKm). The response
  includes the session key (Ks chosen by B), an
  identifier of B, value f(N1) and another nonce
  N2.
• Using the new session key A returns f(N2) to B
  for authentication.

65
Controlling Key Usage

• Sometimes it is useful to define different
  session keys on the basis of use (for various
  applications)
• e.g. for communication, PIN-encrypted
  applications, file encryption, etc.
• Its often desirable to institute controls in
  systems that limit the ways in which keys are
  used, based on characteristics associated with
  those keys.
• Method 1 Use a tag with each key
• In DES, the actual key is 56 bits. 8 nonkey bits
  are used to indicate something, e.g.
• 1 bit indicate whether the key is a session key
  or a Master key
• 1 bit indicate whether its for encryption or
  decryption
• Two problems 1) the length is limited and 2) the
  tag is not transmitted in clear form it can be
  used only at the point of decryption, limiting
  the ways in which the key can be controller.

66
Controlling Key Usage (cont.)

• Method 2 Use control vector (CV).
• KDC sends control vector in clear and can be used
  in any stage.
• For master key Km and session key Ks
• Hash Value H h(CV)
• Key Input Km XOR H
• Ciphertext EKm XOR H Ks
• Ks DKm XOR H
  EKm XOR H Ks
• There is no restriction on length which enables
  arbitrarily complex controls to be imposed on
  each key
• The control vector is available in clear form at
  all stages of operation. Thus, the control of key
  use can be exercised in multiple locations.

67
Controlling Key Usage (cont.)

• To control some of the bits (for identification
  or hierarchy, etc.) a control vector is used. KDC
  sends control vector in clear and can be used in
  any stage.

68

• Random Numbers

69
Importance of Random Numbers

• many uses of random numbers in cryptography
• nonces in authentication protocols to prevent
  replay (attacker stores old messages and replays
  them to fake his ID and get session key for A)
• session keys
• public key generation
• Key stream for a one-time pad
• in all cases its critical that these values be
• statistically random
• with uniform distribution, independent
• unpredictable cannot infer future sequence on
  previous values

70
Natural Random Noise

• best source is natural randomness in real world
• find a regular but random event and monitor
• do generally need special hardware to do this
• e.g. radiation counters, radio noise, audio
  noise, thermal noise in diodes, leaky capacitors,
  mercury discharge tubes etc
• starting to see such hardware in new CPU's
• problems of bias or uneven distribution in signal
  
• have to compensate for this when sample and use
• best to only use a few noisiest bits from each
  sample

71
Published Sources

• a few published collections of random numbers
• earlier Tippett in 1927 published a collection
• Rand Co, in 1955, published 1 million numbers
• generated using an electronic roulette wheel
• has been used in some cipher designs, e.g. Khafre
  
• issues are that
• these are limited
• too well-known for most uses

72
Pseudorandom Number Generators (PRNGs)

• For cryptography applications we need a
  deterministic algorithm to generate pseudorandom
  numbers.
• how a deterministic algorithm generates random
  values?
• A philosophical objection not engineers concern
• algorithmic technique to create random numbers
• although not truly random
• can pass many tests of randomness

73
Linear Congruential Generator

• common iterative technique using
• Xn1 (aXn c) mod m
• where mgt0 and 0a,c,Xnltm
• X0 is the seed
• m must be very large to have a long sequence
• given suitable values of parameters can produce a
  long random-like sequence
• suitable criteria to have are
• function generates a full-period
• generated sequence should appear random
• efficient implementation with 32-bit arithmetic
• note that an attacker can reconstruct sequence
  given a small number of value

74
Practical Pseudorandom Generator

• common iterative technique using
• Xn1 (16807Xn) mod (231-1)
• If m is prime and c0, the period of generating
  numbers is m-1
• To be efficient in implementation we chose 232-1.
• Coefficient a7516807 generates very good random
  sequence and is widely used.
• If an opponent is able to get X0, X1, X2, X3
  these three equations can be solved for a, c and
  m.
• To create unpredictability, use current clock mod
  m as the new seed to change the sequence every N
  numbers.

75
Using Block Ciphers as Stream Ciphers

• can use block cipher to generate numbers
• use Counter Mode
• Xi EKmi
• use Output Feedback Mode
• Xi EKmXi-1

76
Using Counter Mode

• use Counter Mode
• Xi EKmi
• The counter has period of N , e.g. 256 when
  56-bit DES keys are used
• Since the master key is protected it is not
  possible to deduce the secret key from earlier
  keys

77
Using Output Feedback Mode

• The output of each stage is a 64-bit value of
  which the s leftmost bits are fed back for
  encryption.
• Successive 64-bit outputs constitute a sequence
  of pseudorandom numbers with good statistical
  properties.

78
ANSI X9.17 Pseudorandom Number Gen.

• ANSI X9.17 PRNG
• uses date-time seed inputs and 3 triple-DES
  encryptions to generate new seed random
• Input two pseudorandom inputs
• DTi a 64-bit representation of the current
  date/time
• a 64-bit seed Vi generated at the beginning of
  ith stage
• Keys (K1,K2) all 3DES modules use the same pair
  of 56-bit keys
• Output 64-bit pseudorandom number (Ri) and
  64-bit seed value (Vi1)
• Ri EDEK1,K2Vi ? EDEK1,K2DTi
• Vi1 EDEK1,K2Ri ? EDEK1,K2DTi

79
Blum Blum Shub (BBS) Generator

• based on public key algorithms
• Choose
• two prime numbers p,q such that pq3(mod 4)
• np.q
• a random number s (seed) such that it is
  relatively prime to n (i.e. neither p nor q is a
  factor of s).
• The BBS generates sequence of bits Bi as follows
• X0s2 mod n
• For i1 to 8
• Xi(Xi-1)2 mod n (All Xi is a number 0
  Xi lt n )
• BiXi mod 2 (Bi is least
  significant bit of Xi)

80
Features of BBS Generator

• unpredictable, passes next-bit test (see table
  for n192649283x503 and s101355).
• security rests on difficulty of factoring n (i.e.
  given n determine its two prime factors p and q)
• is unpredictable given any run of bits (given k
  bits of the sequence it is impossible to
  determine bit k1 with probability above ½)
• slow, since very large numbers must be used
• too slow for cipher use, good for key generation

i
81
Summary

• have considered
• use of symmetric encryption to protect
  confidentiality
• need for good key distribution
• use of trusted third party KDCs
• random number generation