[Back to Lecture Notes page]
Network Security
Subtopic Outline:
The Need for Network Security
- Network security becoming more and more important as more private and confidential information are put on networked machines.
- Also due to the increase popularity of on-line services for banking, credit payment, filing tax returns, etc.
- Some examples of security dangers: Fig 7-1 p578
Network Security Problems:
- Categories of problems to overcome:
- Secrecy: not letting unauthorized personnel access certain data.
- Authentication: verifying who we are communicating with.
- Non-repudiation: ensuring a sender of a message cannot deny they sent the message.
- Integrity control: ensuring a piece of data is not tampered with.
Such issues are handled in traditional non- electronic systems as well. Eg. The postal system ensures the content of letters are secret and free from tampering until it reaches the destinations. We use our signature for authentication, etc.
Example Security Measures in Various Layers
- Some examples of steps we can take to increase security at lower layers:
- Physical layer: sealing copper wires in high-pressure tubes.
- Data Link layer: Encryption in DLL software link encryption.
- Network layer: packet-filter firewalls.
- Transport layer: : Encryption in transport software
Besides packet filters, we do not usually have security measures put in lower layers.
- Most of these are geared towards protecting secrecy. The other problems usually need more sophisticated methods in the application layer.
Some Terminology
Figure 7-2 p580
- Plaintext
: message string to be encrypted.
- Ciphertext
: encrypted message
- Encryption method
: algorithm to convert from plaintext to ciphertext.
- Encryption Key
: a string used in by the encryption method to transform plaintext to ciphertext.
- Decryption method
: algorithm to convert from ciphertext back to original plaintext.
- Decryption Key
: a string used in by the decryption method to convert ciphertext back to original plaintext.
- Cryptography
: the art of coming up with ciphers (methods, keys, etc).
- Cryptoanalysis
: the art of breaking ciphers.
- Cryptology
: cryptography + crytoanalysis
The Encryption Key
- Encryption methods are generally assumed to be public knowledge we assume that given enough time someone will find out enough to determine what the method is.
- They are too difficult to change regularly once discovered.
The rule of cryptography is to make the encryption method public, but keep the keys used secret so we keep making changes to the key, which is easy to change, but keep the method the same.
- Length of the keys very important if too short, intruder can just try all possible keys.
Substitution Ciphers
- Substitute each character with another
- Only the authorized users know which character is substituted with which.
|
Plaintext: |
abcdefghijklmnopqrstuvwxyz |
|
Key: |
QWERTYUIOPASDFGHJKLZXCVBNM |
The plaintext string "cipher" becomes "EOHITK"
- Problem: cryptoanalyst can guess at the substitution key by looking for regular characters and strings read example in book p583.
Transposition Ciphers
- Instead of changing the characters, just re-order them.
- Problem: like substitution, original message can be guess by considering regular patterns in the language, and guessing words again, read example in book p584.
One-Time Pads
- To get an unbreakable cipher:
- Generate a random bit-string as key
- Convert plaintext to bits, eg using ASCII representation.
- EXCLUSIVE-OR the plaintext and key together to get the ciphertext.
- Unbreakable since key is random - a particular plaintext could be changed to any ciphertext.
- Cannot memorise the key, so must be written down.
- Amount of data depends on amount of bits in key
- Sender and receiver must be in synch since the ciphertext is virtually random, there is no way for the receiver to resynchoronize a data transmission with the sender. They will have to start from the beginning of the message again.
Secret-Key Algorithms
- Previous methods: simple algorithms, complex keys.
- More sophisticated cryptography: complex algorithms, simple keys.
- By making algorithms so complex, even with a large amount of ciphertext to analyse, it would take too long to try out different permutations and substitutions.
- Eg. using basic circuit elements:
Figure 7-4 p587
P-Box takes a set of bits and scrambles the order.
S-Box take a set of bits, change to another bit representation, scramble using P-Box, change back to original representation.
Product-Cipher use P-boxes and S-Boxes in combination.
Example Secret-Key Algorithms
- Data Encryption Standard (DES)
- International Data Encryption Algorithm (IDEA)
- BLOWFISH
- Crab
- Etc.
Public-Key Algorithms
- In the cryptography systems we discuss so far, encryption and decryption algorithm and keys are always the same.
- They are also called symmetric cryptography.
- In 1976, Diffie and Hellman proposed a system where the decryption algorithm is different from the encryption algorithm.
- These are called non-symmetric or public-key cryptography.
- Public Key cryptography is the most popular type of cryptography used today.
Public-Key Algorithms
- Encryption and decryption algorithms are public.
- The encryption key is public, but only decryption key is private to the intended receiver.
- When sender wants to send to the receiver with the private key, they encrypt using the public encryption algorithm and key.
- No one else besides the receiver can read the ciphertext since only the receiver has the decryption key.
- Only works one-way needs two sets of keys to have two-way secure communication.
Example Public-Key Algorithms
- RSA
named after its authors Rivest, Shamir and Adleman.
- ElGamal
- named after its author Taher ElGamal
- Knapsack algorithm by Merkle and Hellman.
Authentication Protocols
- Process to verify that the communicating partner is who it is suppose to be.
- Both parties use a secret session key used for the communication.
- Using a shared secret key using symmetric cryptography.
- Using a Key Distribution Center (KDC) a trusted organization who will handle authenticating and managing the session keys.
- Using the Kerberos protocol developed at MIT.
- Using public-key cryptography.
Digital Signatures
- To add a piece of data (the signature) to an electronic documents to verify the author.
- Must ensure that ONLY the original author could have generated the signature.
- A common way today is to use public-key cryptography, by adding extra steps of encrypting with a private key and decrypting with a public key
- Since only the author is suppose to have the private key, no one else could have generated the encrypted signature.
Message Digests
- Cryptographic methods should have integrity checks to determine if the messages have been tampered with.
- Message digest functions creates a "hash" number based on the message
- Even a minor change in the message will give a very different hash.
- The digest (or hash) function works one way you cannot get back the original message from the hash number.
Using Message Digest
- Steps in using message digest for authentication:
- Sender runs the message through the digest function to get a hash value
- Encrypt the hash value with the senders private key
- Send the signed hash and the original message to the receiver
- Receiver decrypts the signed hash using the senders public key to get back the hash value
- Receiver runs the received message through the same digest function if the hash value is the same as the one sent by the sender, then the message has not been tampered with
Common Digest Functions
- MD4 produces 128-bit hash numbers
- MD5 also produces 128-bit hash numbers
- Created to solve some weaknesses found in MD4
- The most widely used digest function today.
- SHA Secure Hash Algorithm
- Produces 160-bit hashes
- Designed by the U.S. National Institute of Standards and Technology (NIST) for its Digital Signature Standard (DSS)
[Back to Lecture Notes page]