Chapter 8 roadmap

1
Chapter 8 roadmap

• 8.1 What is network security?
• 8.2 Principles of cryptography
• 8.3 Message integrity end point authentication
• 8.4 Securing e-mail
• 8.5 Securing TCP connections SSL
• 8.6 Network layer security IPsec
• 8.7 Securing wireless LANs
• 8.8 Operational security firewalls and IDS

2
What is network security?

• Confidentiality only sender, intended receiver
  should understand message contents
• sender encrypts message
• receiver decrypts message
• Authentication sender, receiver want to confirm
  identity of each other
• Message Integrity sender, receiver want to
  ensure that any message that is altered (in
  transit, or afterwards) will be detected
• Access control and Availability services
  accessible and available to authorized users

3
Friends and enemies Alice, Bob, Trudy

• well-known in network security world
• Bob, Alice want to communicate securely
• Trudy (intruder) may intercept, delete, insert,
  modify messages

Alice
Bob
data, control messages
channel
secure sender
secure receiver
data
data
Trudy
4
Who might Bob, Alice be?

• well, real-life Bobs and Alices!
• Web browser/server for electronic transactions
  (e.g., on-line purchases)
• on-line banking client/server
• DNS servers
• routers exchanging routing table updates
• other examples?

5
What can a bad guy do?

• eavesdrop intercept messages
• actively insert messages into connection
• impersonation can fake (spoof) source address in
  packet (or any field in packet)
• hijacking take over ongoing connection by
  removing sender or receiver, inserting itself in
  its place, or inserting itself in the middle
• denial of service prevent service from being
  used by others (e.g., by overloading resources)

6
Chapter 8 roadmap

• 8.1 What is network security?
• 8.2 Principles of cryptography
• 8.3 Message integrity end point authentication
• 8.4 Securing e-mail
• 8.5 Securing TCP connections SSL
• 8.6 Network layer security IPsec
• 8.7 Securing wireless LANs
• 8.8 Operational security firewalls and IDS

7
The language of cryptography
Alices encryption key
Bobs decryption key
encryption algorithm
decryption algorithm
ciphertext
plaintext
plaintext

• symmetric key crypto sender, receiver keys
  identical
• public-key crypto encryption key is public,
  decryption key is private (also called asymmetric
  key crypto)

8
Symmetric key cryptography
encryption algorithm
decryption algorithm
ciphertext
plaintext
plaintext message, m
K (m)
A-B

• symmetric key crypto Bob and Alice share (know)
  the same key
• standards DES, AES, RC4, IDEA,

9
Public Key Cryptography

• symmetric key crypto
• requires sender and receiver to share a secret
  key
• Q how to agree on key in first place
  (particularly if never met)?

• public key cryptography
• radically different approach Diffie-Hellman76,
  RSA78
• sender, receiver do not share secret key
• a public key for encrypting (or verifying)
• a private key for decrypting (or signing)

10
Public key cryptography

Bobs public key
K
B
-
Bobs private key
K
B
encryption algorithm
decryption algorithm
plaintext message
plaintext message, m
ciphertext
11
Public key encryption algorithms
Requirements
.
.

-

• need K ( ) and K ( ) such that

B
B

given public key K , it should be impossible to
compute private key K
B
-
B
RSA Rivest, Shamir, Adleman algorithm
12
RSA another important property
The following property will be very useful later
use public key first, followed by private key
use private key first, followed by public key
Result is the same!
13
Session keys

• RSA requires exponentiation which is
  computationally intensive
• e.g., DES is at least 100 times faster than
• RSA
• Session key, KS
• Bob and Alice use RSA to exchange a symmetric key
  KS
• Once both have KS, they use symmetric key crypto
  for confidential communication

14
Chapter 8 roadmap

• 8.1 What is network security?
• 8.2 Principles of cryptography
• 8.3 Message integrity end point authentication
• 8.4 Securing e-mail
• 8.5 Securing TCP connections SSL
• 8.6 Network layer security IPsec
• 8.7 Securing wireless LANs
• 8.8 Operational security firewalls and IDS

15
Message Integrity

• Allows communicating parties to verify that
  received messages are authentic.
• Content of message has not been altered
• Source of message is who/what you think it is
• Message has not been replayed
• Sequence of messages is maintained
• Lets first consider message digests

16
Message Digests

• Function H( ) that takes as input an arbitrary
  length message and outputs a fixed-length string
• Note that H( ) is a many-to-1 function
• H( ) is often called a hash function

• Desirable properties of crypto hash function
• Easy to calculate
• Irreversible Cant determine m from H(m)
• Collision resistant computationally difficult to
  produce m and m such that
• H(m) H(m)
• Seemingly random output

17
Internet checksum poor crypto hash function

• Internet checksum has some properties of hash
  function
• produces fixed length digest (16-bit sum) of
  message
• is many-to-one

But for a message with given hash value, it is
easy to find another message with same hash
value. Simple checksum example
message
ASCII format
message
ASCII format
I O U 1 0 0 . 9 9 B O B
49 4F 55 31 30 30 2E 39 39 42 4F 42
49 4F 55 39 30 30 2E 31 39 42 4F 42
I O U 9 0 0 . 1 9 B O B
B2 C1 D2 AC
B2 C1 D2 AC
different messages but identical checksums!
18
Message Authentication Code (MAC)
(shared secret)
s
(message)
s
(shared secret)
19
Crypto hash functions in practice

• MD5 hash function widely used (RFC 1321)
• computes 128-bit message digest in 4-step
  process.
• arbitrary 128-bit string x, appears difficult to
  construct msg m whose MD5 hash is equal to x
• recent (2005) attacks on MD5, may not be
  collision resistant
• SHA-1 is also used
• US standard NIST, FIPS PUB 180-1
• 160-bit message digest
• more robust algorithms such as SHA224, SHA256,
  SHA384 and SHA512

20
Digital Signatures objective

• Like hand-written signatures
• sender (Bob) digitally signs document with his
  own private key, establishing he is document
  owner/creator.
• verifiable, nonforgeable recipient (Alice) can
  prove to someone that Bob, and no one else
  (including Alice), must have signed document

21
Digital Signatures

• simple digital signature for message m
• Bob signs m by encrypting with his private key
  KB, creating signed message, KB(m)

-
-
Bobs private key
Bobs message, m
(m)
Dear Alice Oh, how I have missed you. I think of
you all the time! (blah blah blah) Bob
Bobs message, m, signed (encrypted) with his
private key
public key encryption algorithm
22
Digital Signatures (more)
-

• suppose Alice receives msg m, digital signature
  KB(m)
• Alice verifies m by using Bobs public key KB to
  check KB(KB(m) ) m.
• if verified, whoever signed m must have used
  Bobs private key.

-

• Alice thus verifies that
• Bob signed m.
• No one else signed m.
• Bob signed m and not m.
• non-repudiation
• Alice can take m, and signature KB(m) to court
  and prove that Bob signed m or he let someone
  else use his private key.

-
23
Digital signature

• Alice verifies signature and integrity of
  digitally signed message

Bob sends digitally signed message
H(m)
Bobs private key
Bobs public key
equal ?
24
Public Key Certification

• public key problem
• When Alice obtains Bobs public key (from web
  site, e-mail, diskette), how does she know it is
  Bobs public key, not Trudys?
• solution
• trusted certification authority (CA)

25
Certification Authorities

• Certification Authority (CA) binds public key to
  a particular entity, E.
• E registers its public key with CA.
• E provides proof of identity to CA.
• CA creates certificate binding E to its public
  key.
• certificate containing Es public key digitally
  signed by CA CA says This is Es public key.

Bobs public key
CA private key
certificate for Bobs public key, signed by CA
-
Bobs identifying information
26
Certification Authorities

• when Alice wants Bobs public key
• gets Bobs certificate (Bob or elsewhere).
• apply CAs public key to Bobs certificate, get
  Bobs public key

Bobs public key
CA public key

Chain of authorities, root certificate
27
Chapter 8 roadmap

• 8.1 What is network security?
• 8.2 Principles of cryptography
• 8.3 Message integrity end point authentication
• 8.4 Securing e-mail
• 8.5 Securing TCP connections SSL
• 8.6 Network layer security IPsec
• 8.7 Securing wireless LANs
• 8.8 Operational security firewalls and IDS

28
Authentication challenge-response
Goal avoid playback attack
Nonce number (R) used only once in a lifetime
To prove that Alice is live, Bob sends Alice
nonce, R. Alice must return R, encrypted with
shared secret key
I am Alice
R
Alice is live, and only Alice knows key to
encrypt nonce, so it must be Alice!
29
Authentication using nonce and public key crypto ?
I am Alice
Bob computes
R
and knows only Alice could have the private key
to encrypt R such that
send me your public key
30
Security hole

• Man (woman) in the middle attack Trudy poses as
  Alice (to Bob) and as Bob (to Alice)

I am Alice
I am Alice
R
R
Send me your public key
Send me your public key
Trudy gets
sends m to Alice encrypted with Alices public key
31
Security hole (cont.)

• Difficult to detect - Bob receives everything
  that Alice sends, and vice versa. (e.g., so Bob,
  Alice can meet later and recall conversation)
• problem is that Trudy receives all messages as
  well
• public key needs to come from a trustworthy
  source, such as, a public key certificate

32
Chapter 8 roadmap

• 8.1 What is network security?
• 8.2 Principles of cryptography
• 8.3 Message integrity end point authentication
• 8.4 Securing TCP connections SSL
• 8.5 Network layer security IPsec
• 8.6 Securing wireless LANs
• 8.7 Operational security firewalls and IDS

33
Chapter 8 roadmap

• 8.1 What is network security?
• 8.2 Principles of cryptography
• 8.3 Message integrity end point authentication
• 8.4 Securing TCP connections SSL
• 8.5 Network layer security IPsec
• 8.6 Securing wireless LANs
• 8.7 Operational security firewalls and IDS

34
Secure sockets layer

• provides transport layer security to any
  TCP-based application
• e.g., between Web browsers, servers for
  e-commerce (https)
• two variants SSL 3.0, TLS 1.2
• security services
• server authentication, confidentiality,
  integrity, client authentication (optional)

Application
Application
SSL/TLS
secure socket
TCP
TCP
TCP socket
IP
IP
TCP API
TCP enhanced with SSL
35
SSL handshake

• Bob (client) establishes TCP connection to Alice
  (server)
• Bob authenticates Alice from her CA signed
  certificate
• Bob creates, encrypts (using Alices public key),
  sends pre-master secret to Alice
• (nonces not shown in messages)

TCP SYN
TCP SYNACK
TCP ACK
SSL hello
certificate
create Pre-master secret (PMS)
KA(PMS)
decrypt using KA- to get PMS
36
SSL key derivations

• Master secret generated from pre-master secret,
  server and client nonces
• Alice, Bob use shared master secret to generate 4
  symmetric keys
• EB Bob-gtAlice data encryption key
• EA Alice-gtBob data encryption key
• MB Bob-gtAlice MAC key
• MA Alice-gtBob MAC key
• encryption and MAC algorithms negotiable between
  Bob, Alice

37
More detail

• Actually two finished messages (encrypted),
  before transfer of application data, to detect
  any tampering of handshake messages
• client sends a MAC of all handshake messages
• server sends a MAC of all handshake messages

38
SSL record protocol

• SSL record protocol provides transport service to
  SSL Handshake protocol, application data, and
  other protocols (e.g., Alert protocol for ending
  session)
• Type is for demultiplexing
• Application data undergo
• Fragmentation into blocks
• Compression ( Optionally )
• Computing MAC ( Message Authentication Code )
• using entire record MAC key value of sequence
  counter
• Encryption
• Type, Version, and Length fields are left in the
  clear
•                     

39
Chapter 8 roadmap

• 8.1 What is network security?
• 8.2 Principles of cryptography
• 8.3 Message integrity end point authentication
• 8.4 Securing e-mail
• 8.5 Securing TCP connections SSL
• 8.6 Network layer security IPsec
• 8.7 Securing wireless LANs
• 8.8 Operational security firewalls and IDS

40
What is confidentiality at the network-layer?

• Between two network entities
• Sending entity encrypts the payloads of
  datagrams. Payload could be
• TCP segment, UDP segment, ICMP message, OSPF
  message, and so on.
• All data sent from one network entity to the
  other would be hidden
• Web pages, e-mail, P2P file transfers, TCP SYN
  packets, and so on.
• That is, blanket coverage.

41
Virtual Private Network (VPN)
42
IPsec services

• Origin authentication
• Data integrity
• Replay attack prevention
• Confidentiality
• Two protocols providing different service models
• authentication header (AH) protocol
• encapsulation security payload (ESP) protocol

43
IPsec Transport Mode

• IPsec datagrams emitted and received by two end
  systems.
• Protects upper level protocols of these end
  systems

44
IPsec tunneling mode (1)

• End routers are IPsec aware. Hosts need not be.

45
IPsec tunneling mode (2)
IPsec
IPsec

• Also tunneling mode.

46
Two protocols

• Authentication Header (AH) protocol
• provides source authentication data integrity
  but not confidentiality
• 51 in protocol field of IP header
• Encapsulation Security Protocol (ESP)
• provides source authentication, data integrity,
  and confidentiality
• 50 in protocol field of IP header

47
Four combinations are possible
Transport mode with AH Transport mode with ESP
Tunnel modewith AH Tunnel modewith ESP
Most common andmost important
48
Security association

• Before sending data, a logical connection is
  established from sending entity to receiving
  entity, called security association (SA)
• SAs are unidirectional
• Both sending and receiving entities maintain
  state information for the SA
• Recall that TCP endpoints also maintain state
  information.
• IP is connectionless IPsec is connection-oriented
  
• How many SAs in VPN for headquarters, branch
  office, and n traveling salesperson?

49
Example SA from R1 to R2

• R1 stores SA state info
• 32-bit identifier for SA Security Parameter
  Index (SPI)
• the origin interface of the SA (200.168.1.100)
• destination interface of the SA (193.68.2.23)
• type of encryption to be used (for example, 3DES
  with CBC)
• encryption key
• type of integrity check (for example, HMAC with
  MD5)
• authentication key

50
Security Association Database (SAD)

• Endpoint holds state of its SAs in a SAD
• With n salespersons, 2 2n SAs in R1s SAD
• When sending IPsec datagram, R1 accesses SAD to
  determine how to process datagram.
• When IPsec datagram arrives to R2, R2 examines
  SPI in IPsec datagram, indexes SAD with SPI, and
  processes datagram accordingly.

51
IPsec datagram tunnel mode, ESP
52
Inside the enchilada

• ESP header
• SPI, so receiving entity knows what to do
• Sequence number, to thwart replay attacks
• ESP trailer Padding for block ciphers
• next header identifies protocol in payload field
• Use shared keys to encrypt and create ESP MAC
  field

53
Summary IPsec services

• Suppose Trudy sits somewhere between R1 and R2.
  She doesnt know the keys.
• Will Trudy be able to see contents of original
  datagram? How about source, destination IP
  addresses, transport protocol, application port?
• Flip bits without detection?
• Masquerade as R1 using R1s IP address?
• Replay a datagram?

54
Athentication methods

• PSK (pre-shared key)
• PKI (public key infrastructure)
• pubic/private keys and certificates

55
IKE Key Management in IPsec

• In previous examples, we manually established
  IPsec SAs in IPsec endpoints
• Example SA
• SPI 12345
• Source IP 200.168.1.100
• Dest IP 193.68.2.23
• Protocol ESP
• Encryption algorithm 3DES-cbc
• HMAC algorithm MD5
• Encryption key 0x7aeaca
• HMAC key0xc0291f
• Such manual keying is impractical for large VPN
  with, say, hundreds of people.
• Instead use IPsec IKE (Internet Key Exchange)

56
Two Phases of IKE

• Phase I Establish bi-directional IKE SA
• IKE SA is different from IPsec SA,
• also called ISAKMP security association
• Each endpoint has private and public keys
• Use Diffie-Hellman algorithm to establish a
  shared secret
• (Mutual authentication is not done in phase I)

57
Diffie-Hellman algorithm

• Publicly known large prime number p and number g
  that is prime root mod p
• Alice and Bob independently choose private keys,
  a and b, respectively and exchange their public
  keys
• public key of Alice is ga mod p
• public key of Bob is gb mod p
• Shared secret known only to Alice and Bob is
• gab mod p (gb mod p)a mod p (ga mod p)b
  mod p
• Note that in phase I, public keys of Alice and
  Bob have not been authenticated

58
Two Phases of IKE (cont.)

• Phase I Establish bi-directional IKE SA
• Phase II The endpoints reveal their identities
  to each other and mutually authenticate using
  public key certificates
• Identities are not revealed to passive sniffers
  since messages are sent over encrypted IKE SA
  channel between the endpoints

59
Chapter 8 roadmap

• 8.1 What is network security?
• 8.2 Principles of cryptography
• 8.3 Message integrity end point authentication
• 8.4 Securing e-mail
• 8.5 Securing TCP connections SSL
• 8.6 Network layer security IPsec
• 8.7 Securing wireless LANs
• 8.8 Operational security firewalls and IDS

60
IEEE 802.11 security

• first attempt at Wi Fi security Wired Equivalent
  Privacy (WEP)
• Many weaknesses
• Pre-shared key only for authentication
• Most recent standard 802.11i (WPA2)

61
WEP weaknesses

• RC4 stream encryption, based on XOR of plaintext
  and key, is subject to known plaintext attack
• Append 24-bit initialization vector (IV) to
  40-bit (or 104-bit) secret to generate key for
  each frame
• There are only 224 unique keys
• 24-bit IV, one per frame, is transmitted in
  plaintext -gt reuse occurs quickly
• other weaknesses, e.g., no message integrity
  protection

62
802.11i (WPA2)

• Provides AES block encryption and message
  integrity
• Allows key distribution in addition to pre-shared
  key
• use of an authentication server separate from
  access point, in addition to local authentication
  by access point

63
EAP extensible authentication protocol

• EAP end-end client (mobile) to authentication
  server protocol
• EAP sent over separate links
• mobile-to-AP (EAP over LAN)
• AP to authentication server (RADIUS over UDP)

wired network
EAP TLS
EAP
RADIUS
EAP over LAN (EAPoL)
IEEE 802.11
UDP/IP
64
802.11i four phases of operation
AP access point
STA client station
AS Authentication server
wired network
STA and AS mutually authenticate,
together generate Master Key (MK). AP serves as a
relay
STA derives Pairwise Master Key (PMK)
AS derives same PMK, sends to AP
65
Chapter 8 roadmap

• 8.1 What is network security?
• 8.2 Principles of cryptography
• 8.3 Message integrity end point authentication
• 8.4 Securing e-mail
• 8.5 Securing TCP connections SSL
• 8.6 Network layer security IPsec
• 8.7 Securing wireless LANs
• 8.8 Operational security firewalls and IDS

66
Firewalls
isolates organizations internal net from larger
Internet, allowing some packets to pass, blocking
others (i.e., access control)
firewall


67
Three types of firewalls

• stateless packet filters
• stateful packet filters
• application gateways

68
Stateless packet filtering
Should arriving packet be allowed in? Departing
packet let out?

• internal network connected to Internet via router
  firewall
• router filters packet-by-packet, decision to
  forward/drop packet based on
• source IP address, destination IP address
• TCP/UDP source and destination port numbers
• ICMP message type
• TCP SYN and ACK bits

69
Stateless packet filtering example

• example 1 block incoming and outgoing datagrams
  with IP protocol field 17 and with either
  source or dest port 23.
• all incoming, outgoing UDP flows and telnet
  connections are blocked.
• example 2 Block inbound TCP segments with ACK0.
• prevents external clients from making TCP
  connections with internal clients, but allows
  internal clients to connect to outside.

70
Stateless packet filtering more examples

Policy Firewall Setting
No outside Web access. Drop all outgoing packets to any IP address, port 80
No incoming TCP connections, except those for institutions public Web server only. Drop all incoming TCP SYN packets except those with destination IP 130.207.244.203, port 80
Prevent Web-radios from eating up the available bandwidth. Drop all incoming UDP packets - except DNS and router broadcasts.
Prevent your network from being used for a smurf DoS attack. Drop all ICMP packets going to a broadcast address (e.g. 130.207.255.255).
Prevent your network from being tracerouted Drop all outgoing ICMP TTL expired traffic
71
Access Control Lists

• ACL table of rules, applied top to bottom to
  incoming packets (action, condition) pairs

action source address dest address protocol source port dest port flag bit
allow 222.22/16 outside of 222.22/16 TCP gt 1023 80 any
allow outside of 222.22/16 222.22/16 TCP 80 gt 1023 ACK
allow 222.22/16 outside of 222.22/16 UDP gt 1023 53 ---
allow outside of 222.22/16 222.22/16 UDP 53 gt 1023 ----
deny all all all all all all
72
Stateful packet filtering

• stateless packet filter memoryless
• admits packets that make no sense, e.g., dest
  port 80, ACK bit set, even though no TCP
  connection established

action source address dest address protocol source port dest port flag bit
allow outside of 222.22/16 222.22/16 TCP 80 gt 1023 ACK

• stateful packet filter track status of every TCP
  connection
• track connection setup (SYN), teardown (FIN) can
  determine whether incoming, outgoing packets
  make sense
• timeout inactive connections at firewall no
  longer admit packets

73
Stateful packet filtering

• ACL augmented to indicate need to check
  connection state table before admitting packet

action source address dest address proto source port dest port flag bit check conxion
allow 222.22/16 outside of 222.22/16 TCP gt 1023 80 any
allow outside of 222.22/16 222.22/16 TCP 80 gt 1023 ACK x
allow 222.22/16 outside of 222.22/16 UDP gt 1023 53 ---
allow outside of 222.22/16 222.22/16 UDP 53 gt 1023 ---- x
deny all all all all all all
74
Application gateways
gateway-to-remote host telnet session
host-to-gateway telnet session

• Make policy decisions based on application or
  application data
• Example allow select internal users to telnet
  outside.
• common examples mail server, web cache

application gateway
router and filter
1. Require all telnet users to telnet through
gateway. 2. For authorized users, gateway sets up
telnet connection to dest host. Gateway relays
data between 2 connections 3. Router filters all
telnet connections not originating from gateway.
75
Limitations of firewalls and gateways

• If multiple apps need special treatment, each
  needs its own gateway
• client software must know how to contact gateway.
• e.g., must set IP address of proxy in Web browser
• IP spoofing router cant know if data really
  come from claimed source

• filters often use all or nothing policy for UDP
• tradeoff degree of communication with outside
  world, level of security
• many highly protected sites still suffer from
  attacks

76
Intrusion detection systems

• packet filtering
• operates on TCP/IP headers only
• no correlation check among sessions
• IDS intrusion detection system
• deep packet inspection look at packet contents
  (e.g., check character strings in packet against
  database of known viruses, attack strings)
• examine correlation among multiple packets to
  detect
• port scanning
• network mapping
• DoS attack

77
Intrusion detection systems

• multiple IDSs different types of checking at
  different locations

application gateway
firewall

Internet

internal network
Web server
IDS sensors
DNS server
FTP server
demilitarized zone
78
Network Security (summary)

• Basic techniques...
• cryptography (symmetric and public)
• message integrity
• end-point authentication
• . used in many different security scenarios
• secure email
• secure transport (SSL)
• IP sec
• 802.11
• Operational Security firewalls and IDS

79
End of Chapter 8
80
Unused slides
81
Chapter 8 Network Security

• Chapter goals
• understand principles of network security
• cryptography and its many uses beyond
  confidentiality
• message integrity
• authentication
• security in practice
• security in application, transport, network, link
  layers
• firewalls and intrusion detection systems

82
A certificate contains

• Serial number (unique to issuer)
• info about certificate owner, including algorithm
  and key value itself (not shown)

• info about certificate issuer
• valid dates
• digital signature by issuer

83
IPsec datagram

• Focus for now on tunnel mode with ESP

84
Firewall objectives

• prevent denial of service attacks
• SYN flooding attacker establishes many bogus TCP
  connections, no resources left for real
  connections
• prevent illegal modification/access of internal
  data.
• e.g., attacker replaces CIAs homepage with
  something else
• allow only authorized access to inside network
  (set of authenticated users/hosts)
• three types of firewalls
• stateless packet filters
• stateful packet filters
• application gateways

85
IEEE 802.11 security

• War-driving drove around Bay area with laptop
  and 802.11 card Shipley 2001
• more than 9000 accessible from public roadways
• 85 use no encryption/authentication
• packet-sniffing and various attacks easy
• Securing 802.11
• encryption, authentication
• first attempt at Wi Fi security Wired Equivalent
  Privacy (WEP) has weaknesses
• recent standard 802.11i (WPA2)

86
Wired Equivalent Privacy (WEP)

• authentication as in protocol ap4.0
• host requests authentication from access point
• access point sends 128 bit nonce
• host encrypts nonce using shared symmetric key
• access point decrypts nonce, authenticates host
• no key distribution mechanism
• authentication knowing the shared key is enough

87
WEP data encryption

• Host/AP share 40 bit symmetric key
  (semi-permanent)
• Host appends 24-bit initialization vector (IV) to
  create 64-bit keya new IV for each frame
• 64 bit key used to generate (by RC4) a stream of
  keys, ki(IV)
• ki(IV) used to encrypt ith byte, di, in frame
• ci di XOR ki(IV)
• Each frame contains its IV (in the clear) and
  encrypted data

88
802.11 WEP encryption
Sender-side WEP encryption
89
Breaking 802.11 WEP encryption

• security hole
• 24-bit IV, one IV per frame, -gt IVs eventually
  reused
• IV transmitted in plaintext -gt IV reuse detected
• attack
• Trudy causes Alice to encrypt known plaintext d1
  d2 d3 d4
• Trudy sees ci di XOR ki(IV)
• Trudy knows ci di, so can compute ki(IV)
• Trudy knows encrypting key sequence k1(IV),
  k2(IV), k3(IV)
• Next time IV is used, Trudy can decrypt
• plus other weaknesses
• (e.g., no message integrity protection)

90
R1 converts original datagraminto IPsec datagram

• Appends to back of original datagram (which
  includes original header fields) an ESP trailer
  field.
• Encrypts result using algorithm key specified
  by SA.
• Appends to front of this encrypted quantity the
  ESP header, creating enchilada.
• Creates authentication MAC over the whole
  enchilada, using algorithm and key specified in
  SA
• Appends MAC to back of enchilada, forming
  payload
• Creates brand new IP header, with all the classic
  IPv4 header fields, which it appends before
  payload.

91
IPsec sequence numbers

• For new SA, sender initializes seq. to 0
• Each time datagram is sent on SA
• Sender increments seq counter
• Places value in seq field
• Goal
• Prevent attacker from sniffing and replaying a
  packet
• Receipt of duplicate, authenticated IP packets
  may disrupt service
• Method
• Destination checks for duplicates
• But doesnt keep track of ALL received packets
  instead uses a window

92
Security Policy Database (SPD)

• Policy For a given datagram, sending entity
  needs to know if it should use IPsec.
• Needs also to know which SA to use
• May use source and destination IP address
  protocol number.
• Info in SPD indicates what to do with arriving
  datagram
• Info in the SAD indicates how to do it.

93
IKE PSK and PKI

• Authentication (proof who you are) with either
• pre-shared secret (PSK) or
• with PKI (pubic/private keys and certificates).
• With PSK, both sides start with secret
• then run IKE to authenticate each other and to
  generate IPsec SAs (one in each direction),
  including encryption and authentication keys
• With PKI, both sides start with public/private
  key pair and certificate.
• run IKE to authenticate each other and obtain
  IPsec SAs (one in each direction).
• Similar with handshake in SSL.

93
94
Symmetric key crypto

• DES Data Encryption Standard
• U.S. encryption standard NIST 1993
• 64 bit plaintext input, 56-bit symmetric key
• cipher-block chaining for sequence of 64-bit data
  units
• XOR encrypted nth data unit with n1st data unit
  the result is then encrypted
• Triple-DES (3DES)
• use three keys sequentially -- output of one key
  operation as input of next key operation
• Other symmetric key systems RC4, IDEA, ,
• AESrecent (Nov. 2001) NIST standard to succeed
  DES, 128-bit data, 128, 192, or 256 bit keys

95
Message integrity authenticity

• Bob receives msg from Alice, wants to ensure
• message originally came from Alice
• message not changed since sent by Alice
• Cryptographic Hash
• takes input m, produces fixed length value, H(m),
  called message digest
• e.g., as in Internet checksum
• computationally infeasible to find two different
  messages, x, y such that H(x) H(y)
• Equivalently given x H(m), cannot find m such
  that H(m)x
• note Internet checksum fails this requirement

96
IPsec Security Association

• For both AH and ESP, source, destination
  handshake
• create network-layer unidirectional logical
  channel called a security association (SA)
• source and dest share a symmetric key
• Internet Key Exchange protocol (RFC 2409) allows
  the use of signatures, public keys, or a
  pre-shared key
• Uniquely determined by
• security protocol (AH or ESP)
• source IP address
• 32-bit connection ID (Security Parameter Index)

97
Authentication Header (AH) Protocol

• provides source authentication, data integrity,
  no confidentiality
• AH header inserted between IP header, data field.
• IP header protocol field 51
• intermediate routers process datagrams as usual

• AH header includes
• connection identifier
• authentication data MAC calculated over original
  IP datagram, AH header fields and symmetric key
  (except IP TTL field)
• next header field specifies type of data (e.g.,
  TCP, UDP, ICMP)
• sequence number

98
ESP Protocol

• provides secrecy, host authentication, data
  integrity.
• data, ESP trailer encrypted.
• next header field is in ESP trailer.

• ESP authentication field is similar to AH
  authentication field.
• Protocol 50 in IP header.

authenticated
encrypted
ESP header
IP header
TCP/UDP segment
99
Many more details

• We have decribed the IPsec transport mode for
  security association between hosts for IPv4
• IPsec tunnel model is for security association
  between routers
• IPsec for IPv6

100
Symmetric key cryptography

• substitution cipher substituting one thing for
  another
• monoalphabetic cipher substitute one letter for
  another

plaintext abcdefghijklmnopqrstuvwxyz
ciphertext mnbvcxzasdfghjklpoiuytrewq
E.g.
Plaintext bob. i love you. alice
ciphertext nkn. s gktc wky. mgsbc

• Q How hard to break this simple cipher?
• brute force (how hard?)
• other?

101
Symmetric key crypto DES

• DES Data Encryption Standard
• US encryption standard NIST 1993
• 56-bit symmetric key, 64-bit plaintext input
• How secure is DES?
• DES Challenge 56-bit-key-encrypted phrase
  (Strong cryptography makes the world a safer
  place) decrypted (brute force) in 4 months
• no known backdoor decryption approach
• making DES more secure
• use three keys sequentially (3-DES) on each datum
• use cipher-block chaining

102
Symmetric key crypto DES

• initial permutation
• 16 identical rounds of function application,
  each using different 48 bits of key
• final permutation

103
AES Advanced Encryption Standard

• new (Nov. 2001) symmetric-key NIST standard,
  replacing DES
• processes data in 128 bit blocks
• 128, 192, or 256 bit keys
• brute force decryption (try each key) taking 1
  sec on DES, takes 149 trillion years for AES

104
Block Cipher
64-bit input
8bits
8bits
8bits
8bits
8bits
8bits
8bits
8bits
loop for n rounds
8 bits
8 bits
8 bits
8 bits
8 bits
8 bits
8 bits
8 bits

• one pass through one input bit affects eight
  output bits

64-bit scrambler
64-bit output

• multiple passes each input bit afects all output
  bits
• block ciphers DES, 3DES, AES

105
Cipher Block Chaining

• cipher block if input block repeated, will
  produce same cipher text

m(1) HTTP/1.1
c(1) k329aM02
t1
block cipher

m(17) HTTP/1.1
c(17) k329aM02
t17
block cipher

• cipher block chaining XOR ith input block, m(i),
  with previous block of cipher text, c(i-1)
• c(0) transmitted to receiver in clear
• what happens in HTTP/1.1 scenario from above?

m(i)
c(i-1)
block cipher
c(i)
106
RSA Choosing keys
1. Choose two large prime numbers p, q.
(e.g., 1024 bits each)
2. Compute n pq, z (p-1)(q-1)
3. Choose e (with eltn) that has no common
factors with z. (e, z are relatively prime).
4. Choose d such that ed-1 is exactly divisible
by z. (in other words ed mod z 1 ).
5. Public key is (n,e). Private key is (n,d).
107
RSA Encryption, decryption
0. Given (n,e) and (n,d) as computed above
2. To decrypt received bit pattern, c, compute
d
(i.e., remainder when c is divided by n)
Magic happens!
c
108
RSA example
Bob chooses p5, q7. Then n35, z24.
e5 (so e, z relatively prime). d29 (so ed-1
exactly divisible by z.
e
m
m
letter
encrypt
l
12
1524832
17
c
letter
decrypt
17
12
l
481968572106750915091411825223071697
109
RSA Why is that
Useful number theory result If p,q prime and n
pq, then
(using number theory result above)
(since we chose ed to be divisible by (p-1)(q-1)
with remainder 1 )
110
SSL three phases

• 3. Data transfer

TCP byte stream
b1b2b3 bn
MB
d
block n bytes together
compute MAC
EB
encrypt d, MAC, SSL seq.
SSL seq.
SSL record format
Type Ver Len
encrypted using EB
unencrypted