Mehrdad Nourani, Data & Network Security: Security Services & Traffic Confidentiality (Session 09)

Posted on 18-Dec-2015

Page 1: 1 Mehrdad Nourani Data & Network Security. 2 Security Services & Traffic Confidentiality Session 09

Mehrdad Nourani

Data & Network Security

Page 2:

Security Services & Traffic Confidentiality

Session 09

Page 3:

Security Management, Services and Threats

Page 4:

Security Management

• Security management functions are concerned with the management, control, and administration of security services for all secured entities within the security domain, according to the defined policies.

• Security management is responsible for the installation, monitoring, tuning, and restructuring of the available security services. Its functions include control and distribution, monitoring, event logging, event reporting, the security audit trail, and security recovery.

• Depending on the policy and the target systems/network, some of these functions may not apply or need not be implemented.

Page 5:

Security Services

• Security services are remedies, defenses, and countermeasures by which security threats are countered.

• The specific implementation of each security service is based on one or more security mechanisms.

• In general, we define six security services, aimed at providing the following six basic security objectives.

• Some of these services may appear to overlap.

• Key management is an important function that has to be provided by any system involved in providing security services and data encryption.

Page 6:

Security Services (I)

• Confidentiality and Privacy - the protection of information exchange and traffic flow from unauthorized disclosure (i.e., from passive attacks).

• This service can be implemented at different layers of the communication protocols and/or at several application/system levels.

Page 7:

Security Services (II)

• Integrity and Protection - the protection of information exchange and storage, mostly from active attacks and (wo)man-in-the-middle attacks.

• It assures that information is received as sent, with no duplication, insertion, modification, reordering, or replay.

Page 8:

Security Services (III)

• Access Control and Authorization - in the context of network security, the protection, limitation, and control of access to the host, operating system, and applications via communication links.

• Authorization provides access rights tailored to the individual user or application.

Page 9:

Security Services (IV)

• Non-repudiation and Accountability - concerned with preventing either the sender or the receiver from denying that an exchange of information took place.

• Sometimes an arrangement with an unbiased arbitrator, called a notary, is used when the two parties do not trust each other.

Page 10:

Security Services (V)

• Authentication - is concerned with assuring that the communication is authentic, including source of information, communicating systems or applications, and/or users.

Page 11:

Security Services (VI)

• Availability and Non-Denial of Service - concerned with assuring that a communication resource is not destroyed or blocked, and does not become unavailable or unusable to its authorized users.

• Denial of service means knocking out services without permission, e.g., flooding a file server with phony files until the system crashes, or congesting remote access servers with unauthorized access requests.

Page 12:

Security Threats

• A threat or security attack is a potential violation of security, or an intrusion for unauthorized, illegitimate, malicious or fraudulent purposes.

• These attacks are aimed at compromising security.

• The points of attack can be any weak point within a security perimeter, at any level or layer of realization, e.g., at the physical realization level, at the system or network level, at the communication protocol level, and so on.

Page 13:

Security Threat Classification

• The nature of the attacks varies with the circumstances and according to the defined security perimeter.

• Threats may be classified by their:
—Type (e.g., accidental or intentional, passive or active)
—Consequences
—Sources (e.g., users or programs)
—Objects of the threats

Page 14:

Typical Intentional Threats

Page 15:

Typical Intentional Threats (cont.)

Page 16:

Some Products & Solutions

• Some security products/solutions are designed for a particular environment or for a special application.

• They can be considered custom-designed combinations of the above services.

• Examples of these are:
1. PGP (Pretty Good Privacy) - a widely used authentication and confidentiality service.
2. Kerberos - an authentication protocol based on conventional (symmetric) encryption to authenticate clients to servers, and vice versa. Kerberos Version 5 was developed within the Internet community.
3. PEM (Privacy Enhanced Mail) - developed specifically as an Internet Standard for electronic mail.

Page 17:

Businesses & Threats

Page 18:

Security Mechanism

• Security mechanisms are effective techniques and schemes used to implement a given security service, with different degrees of complexity.

• Security services are designed to detect, prevent, or recover from a security violation or attack.

• For example, an abstract service like data confidentiality might be implemented using either a secret-key data encryption mechanism or a public-key data encryption scheme.

• In most practical cases, a combination of security mechanisms is needed to implement even one particular security service.
—The services can be implemented either with a strong mechanism or with a weak mechanism (low, medium, or high security).

Page 19:

Well-Known Mechanisms

Page 20:

Security Perimeter & Domain

Page 21:

Security Borders

• In a communications network environment where encryption (confidentiality and privacy) is desired, security borders can be established around:
—Link-by-link
—End-to-end (or application-to-application)
—User-to-user (operating system to operating system)
—Network edge-to-network edge

Page 22:

Link-by-Link Security

• Link-by-link security takes place at the lowest layers, where every transaction through a particular data link is encrypted (secured).

• Examples of this are data encryption devices placed at the physical and/or data-link layers.

• Key management in this case can be simple, because only the endpoints of the communication link need to exchange keys, independently of the rest of the network.

• The main problem is that leaving any link in the network unencrypted jeopardizes the security of the entire network.

Page 23:

End-to-End Security

• If security is provided at higher layers, it is called end-to-end: information is encrypted selectively at the source and decrypted only by the intended final recipient.

• In this case, security devices are placed between the network layer and the transport layer.

• The security device must recognize protocols up to the network layer (layer 3) and encrypt only the transport data units.

• One problem is that the system is open to traffic analysis attacks, because the routing information for the data is generally not encrypted.

Page 24:

Security at Higher Levels

• Data security and encryption can be performed at higher layers, and even for data storage.

• At the application level, a hierarchy of security services may be defined, each providing security against a different perceived threat.

• In general, security services are defined (within a particular border, against the outside world) for:
—a user entity (either a process or a machine),
—a network or a communication environment,
—a computing environment, or
—a stand-alone system.

Page 25:

Security Perimeter

• A security perimeter is a homogeneous set of tools and measures, established around some communication and/or computing environment, to protect it from the outside non-secure environment.

• In general, security perimeters can be established around users, data processing and/or applications, data storage, and data communication.

Page 26:

Security Domain

• In practice, a security perimeter environment can be constituted of (or subdivided into) several heterogeneous security domains; each domain follows the same measures as its parent perimeter plus possible extra measures.

• A security domain is, therefore, a subset of the users and resources of the global security perimeter environment, conforming to:
1. a unique security policy,
2. a single logical security management,
3. a single security administration,
4. a set of uniformly available elementary (mathematical) building blocks for the provision of security services and mechanisms.

Page 27:

Domain Relationships

• Entities that are subject to a single security policy, grouped together logically or physically, and administered by a single authority, called a security management system (SMS), constitute a security domain.

• The approach of structuring the boundaries of domains leads to various relationships between domains.

• Domains may be disjoint, overlapping, or subsets of other domains.

Page 28:

Security Perimeters and Domains

• Each domain may be served by a central Security Management Center (SMC), which is responsible for policy making, management, and control of security services and activity on the network.

• Some negotiation and resolution is necessary in order to establish common sets and levels of security parameters between domains.

Page 29:

Confidentiality Using Symmetric Encryption

Page 30:

Confidentiality

• Traditionally, symmetric encryption is used to provide message confidentiality.

• Confidentiality has been the main goal of encryption.

• Other considerations added in the past few decades:
—Authentication
—Integrity
—Digital signature

Page 31:

Points of Vulnerability

(figure: four attack points marked 1-4 on the network diagram)

1. snooping from another workstation
2. use dial-in to the LAN or a server to snoop
3. use an external router link to enter and snoop
4. monitor and/or modify traffic on external links

Page 32:

Potential Vulnerability

• Consider a typical scenario:
—workstations on LANs access other workstations and servers on the LAN
—LANs are interconnected using switches/routers
—with external lines or radio/satellite links

• Consider attacks and their placement in this scenario:
1. snooping from another workstation
2. use dial-in to the LAN or a server to snoop
3. use an external router link to enter and snoop
4. monitor and/or modify traffic on external links

Page 33:

What to Encrypt?

• There are two major placement alternatives.

• Link encryption:
—encryption occurs independently on every link
—implies traffic must be decrypted between links
—requires many devices, but only pairwise keys

• End-to-end encryption:
—encryption occurs between the original source and the final destination
—needs devices at each end with shared keys

Page 34:

Encrypt Across a Packet Network

Page 35:

Disadvantage of Link Encryption

• One disadvantage of link encryption approach is that the message must be decrypted each time it enters a packet switch.

• This is necessary because the packet switch must read the address (i.e., the virtual circuit number) in the packet header to route the packet.

• Thus, the message is vulnerable at each switch. If this is a public packet-switching network (PSN), the user has no control over the security of the nodes.

Page 36:

Disadvantage of End-to-End Encryption

• The end-to-end approach would seem to secure the transmission against attacks on the network links or switches.

• With end-to-end encryption, however, the headers must be left in the clear (unencrypted) so that the network can route the packets correctly.

• Hence, although the contents are protected, the traffic pattern is not (the flows can be read).

Page 37:

End-to-End vs. Link Encryption

• With end-to-end encryption, the user data are secure. However, the traffic pattern is not, because packet headers are transmitted in the clear.

• To achieve greater security, both link and end-to-end encryption are needed.

• Ideally we want both at once:
—end-to-end protects data contents over the entire path and provides authentication
—link protects traffic flows from monitoring, but it requires a lot of encryption devices

Page 38:

End-to-End vs. Link Encryption (cont.)

Page 39:

Logical Placement of Encryption

• The encryption function can be placed at various layers of the OSI Reference Model:
—link encryption occurs at layers 1 or 2, e.g., the user data portion of every frame (or ATM cell) is encrypted
—end-to-end encryption can occur at layers 3, 4, 6, or 7

• As we move higher, less information is encrypted but it is more secure, though more complex, with more entities and keys to manage.

Page 40:

Using an Encryption Processor

• At the network layer (layer 3):
—each end system can engage in an encrypted exchange with another end system
—all the user processes and applications within each end system would employ the same encryption scheme with the same key to reach a particular target end system
—with this arrangement, it is desirable to off-load the encryption function to some sort of front-end processor

Page 41:

Front-End Encryption Processor

• The front-end processor (FEP) accepts and processes the packet:
—Red data: unencrypted (in the clear)
—Black data: encrypted

Page 42:

Scope of Encryption

• An encryption service on end-to-end protocols (e.g., frame relay or TCP) provides end-to-end security for traffic within a fully integrated internetwork.

• Such a scheme cannot deliver the security service to traffic that crosses internetwork boundaries, such as electronic mail, electronic data interchange (EDI), and file transfer.

Page 43:

Scope of Encryption in OSI

(figure; recovered label: Application Layer)

Page 44:

Scope of Encryption in OSI (cont.)

• For applications like electronic mail that have a store-and-forward capability, the only place to achieve end-to-end encryption is at the application layer.

• A drawback of application-layer encryption is that the number of entities to consider increases dramatically, e.g.:
—supporting hundreds of hosts
—supporting thousands of users
—needing to manage (generate and distribute) many more secret keys

• As we move up in the communication hierarchy, less information is encrypted but it is more secure.

Page 45:

Encryption and Protocol Levels

• At the application level:
—only the user data portion of a TCP segment is encrypted

• At the transport/session (TCP) level:
—the user data and the TCP header are encrypted; the IP header is needed by routers to route the IP datagram, so it stays in the clear

Page 46:

Encryption and Protocol Levels (cont.)

• When a message passes through a gateway:
—the TCP connection is terminated and a new transport connection is opened for the next hop
—the gateway is treated as a destination by the underlying IP; thus, all data is decrypted in the gateway
—if the next hop is over TCP/IP, the user data and TCP header are encrypted again

Page 47:

Encryption and Protocol Levels (cont.)

• At the link level:
—the entire data unit except for the link header and trailer is encrypted on each link
—the entire data unit is in the clear (unencrypted) at each router or gateway

Page 48:

Traffic Analysis

• Traffic analysis is the monitoring of communication flows between parties:
—useful in both military and commercial spheres
—can also be used to create a covert channel (using the communication channel in a way that violates the security policy, e.g., an employee sends a short message as "0" and a long message as "1"; if an outsider can monitor the channel they have effectively established a covert channel)

• Traffic analysis violates confidentiality: by monitoring the length, duration, etc. of communications one can learn useful information such as:
—identity of the partners
—how frequently they communicated
—message patterns and level of importance
—correlation between events and communication
—...

Page 49:

A Solution to Traffic Analysis

• Link encryption obscures header details:
—but overall traffic volumes in the network and at the end-points are still visible

• Traffic padding:
—generate random (dummy) messages even when there is nothing to send
—make message lengths uniform at the transport/application level

• Traffic padding can further obscure flows, but at the cost of continuous traffic.

Page 50:

A Solution to Traffic Analysis (cont.)

• Protecting end-to-end encryption against traffic analysis is more difficult.

• Since only the two end systems perform encryption and decryption, the choices for defending against traffic analysis are more limited.

• Still, you can obscure the underlying traffic by:
—padding data units out to a uniform length at the transport or application layer
—inserting null messages into the stream at random
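The two padding measures just listed (uniform-length data units and null messages), as an added example that is not part of the lecture. The frame layout (a 1-byte type, a 2-byte payload length, the payload, random filler) and the 256-byte frame size are assumptions made for the illustration; in a real system each frame would then be encrypted end-to-end so the filler and the type byte are hidden too.

```python
"""Traffic padding: fixed-size frames plus null messages, as on the two slides above.

Added example, not from the lecture. The frame layout (1-byte type, 2-byte payload
length, payload, random filler) and the FRAME size are assumptions for the illustration;
in a real system each frame would then be encrypted end-to-end.
"""
import os
import struct

FRAME = 256                        # every frame on the wire is exactly this long (assumed)
TYPE_NULL, TYPE_DATA = 0, 1
HDR = struct.Struct(">BH")         # type byte, payload length (big-endian)
MAX_PAYLOAD = FRAME - HDR.size

def frame(payload=None):
    """Pad a payload (or a null message when payload is None) out to one uniform frame."""
    kind, body = (TYPE_NULL, b"") if payload is None else (TYPE_DATA, payload)
    if len(body) > MAX_PAYLOAD:
        raise ValueError("payload longer than one frame; fragment it first")
    filler = os.urandom(FRAME - HDR.size - len(body))   # random, so it looks like ciphertext
    return HDR.pack(kind, len(body)) + body + filler

def unframe(wire):
    """Inverse of frame(): the payload, or None for a null message."""
    if len(wire) != FRAME:
        raise ValueError("bad frame length")
    kind, n = HDR.unpack_from(wire)
    return None if kind == TYPE_NULL else wire[HDR.size:HDR.size + n]

def send_slots(queue, slots):
    """One frame per time slot: a real message if one is queued, otherwise a null message,
    so the link carries the same number of equal-sized frames whether or not anyone talks."""
    pending = list(queue)
    return [frame(pending.pop(0)) if pending else frame(None) for _ in range(slots)]

def observed_lengths(frames):
    """What a passive observer on the link can measure."""
    return sorted({len(x) for x in frames})

def demo():
    # Constructed sample traffic: the lengths alone would reveal which message was sent.
    msgs = [b"ACK", b"TRANSFER 250000 USD TO ACCOUNT 12345678 REF Q3-SETTLEMENT"]
    raw = observed_lengths(msgs)               # two distinct lengths
    wire = send_slots(msgs, slots=5)           # 2 data frames + 3 null frames
    padded = observed_lengths(wire)            # [256]
    recovered = [m for m in map(unframe, wire) if m is not None]
    return raw, padded, recovered == msgs, len(wire)

if __name__ == "__main__":
    print(demo())
```

The cost the slide mentions is visible in `send_slots`: the sender transmits in every slot, so the bandwidth used is constant regardless of how much real data there is, and the receiver has to process and discard the null frames.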

Page 51:

Key Distribution

Page 52:

Symmetric Encryption

• All of the methods discussed so far use a single key that must be kept strictly secret. These systems are called symmetric-encryption (or secret-key or private-key) systems.

• Key distribution is still a challenge. One approach is to send pieces of the key through separate channels.

Page 53:

Importance of Key Distribution

• Symmetric schemes require both parties to share a common secret key.

• The issue is how to securely distribute this key.

• Often a secure system fails because of a break in the key distribution scheme.

Page 54:

Key Distribution Mechanisms

• Given parties A and B, there are various key distribution alternatives:
1. A can select a key and physically deliver it to B
2. A third party can select and deliver the key to A and B
3. If A and B have communicated previously, they can use the previous key to encrypt a new key
4. If A and B each have secure communications with a third party C, C can relay a key between A and B

• For practical large distributed systems, in which many links/hosts/users need to exchange keys, option 4 is the answer.

Page 55:

Key Distribution Mechanisms (cont.)

• Link encryption: use methods (1) or (2), because only two devices communicate.

• End-to-end encryption:
—Manual delivery is not possible because of the quadratic growth in the number of keys.
—At the network/IP level a key is needed for each pair of hosts (for N hosts, N(N-1)/2 keys).
—At the application level a key is needed for every pair of users/processes (e.g., 1000 nodes require C(1000, 2) = 499,500 ≈ 500,000 keys).

Page 56:

Key Distribution Mechanisms (cont.)

• Method (3) can be used for both link and end-to-end encryption. However, if an attacker finds one key, then all subsequent keys are revealed.

• Method (4) is widely used for end-to-end encryption, using at least two levels of keys:
—Session key: a temporary key for the duration of a logical connection (e.g., a transport connection).
—Master key: used to encrypt and send session keys. It is distributed in some non-cryptographic way (e.g., physical delivery). For N entities only N master keys are needed, one per entity shared with the key distribution center.

Page 57:

Key Distribution Scenario

Page 58:

Key Distribution Scenario (cont.)

1. A issues a request to the KDC for a session key. The message includes the identities of A and B and N1 (called a nonce, e.g., a random number).

2. The KDC responds with a message encrypted with Ka (the master key of A). The message includes:
• the one-time session key Ks
• the original request and A's nonce
• Ks and the identifier of A (e.g., A's network address), encrypted with Kb

3. A stores Ks and sends E_Kb[Ks || IDA] to B.

4. Using Ks, B sends a nonce N2 to A.

5. Using Ks, A responds with f(N2) (a transformation of N2, e.g., N2 + 1) for authentication.

Page 59:

Key Distribution Scenarios (cont.)

• Note that the actual key distribution involves only steps 1 through 3.
—After step 3, both A and B have the session key Ks and may begin their protected exchange of information.

• Steps 3, 4 and 5 together perform an authentication function.
—They assure B that the message it received in step 3 was not a replay.
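The five-step exchange of the previous two slides, run end to end with both sides' messages, as an added example that is not the lecture's own code. Message layouts, field widths, the identifier encoding and the functions `E`/`D` are assumptions: `E`/`D` are a toy encrypt-then-MAC built from HMAC-SHA256 so the example needs only the standard library (a real system would use an authenticated cipher such as AES-GCM). The `impostor_key` path shows what steps 4 and 5 are for: someone who replays the step-3 ticket without knowing Ks cannot answer B's challenge.

```python
"""Session-key distribution via a KDC, following the five steps on the slides.

Added example, not the lecture's own code. Message layouts, field widths and the
toy cipher are assumptions: E/D are an HMAC-SHA256 keystream with an HMAC tag so
the example runs with only the standard library; use AES-GCM in real code.
"""
import hashlib
import hmac
import os

KEY_LEN, NONCE_LEN, ID_LEN, TAG_LEN = 32, 16, 8, 32

def ident(name):
    """Fixed-width identifier field such as IDA (constructed format)."""
    return name.encode().ljust(ID_LEN, b"\0")

def _keystream(key, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def E(key, msg):
    """E_K[msg]: toy encrypt-then-MAC, so a wrong key or tampering is detected."""
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, len(msg))))
    return ct + hmac.new(key, b"tag" + ct, hashlib.sha256).digest()

def D(key, blob):
    """D_K[blob]; raises ValueError when the tag does not verify."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))

def f(n2):
    """Step-5 transformation; N2 + 1 as the slide suggests."""
    return ((int.from_bytes(n2, "big") + 1) % (1 << (8 * NONCE_LEN))).to_bytes(NONCE_LEN, "big")

def kdc_step2(master_keys, id_a, id_b, n1):
    """Step 2: E_Ka[Ks || IDA || IDB || N1 || E_Kb[Ks || IDA]]."""
    ks = os.urandom(KEY_LEN)
    ticket_for_b = E(master_keys[id_b], ks + id_a)
    return E(master_keys[id_a], ks + id_a + id_b + n1 + ticket_for_b)

def a_step3(ka, id_a, id_b, n1, reply):
    """A verifies the reply echoes its own request (IDA, IDB, N1) before trusting Ks."""
    pt = D(ka, reply)
    ks, rest = pt[:KEY_LEN], pt[KEY_LEN:]
    expect = id_a + id_b + n1
    if rest[:len(expect)] != expect:
        raise ValueError("KDC reply does not match our request: replayed or misdirected")
    return ks, rest[len(expect):]           # Ks and the ticket to forward to B

def b_step3(kb, ticket):
    """B opens E_Kb[Ks || IDA] with its master key."""
    pt = D(kb, ticket)
    return pt[:KEY_LEN], pt[KEY_LEN:]

def run_exchange(master_keys, id_a, id_b, impostor_key=None):
    """Steps 1-5 between A and B. With impostor_key set, the ticket from step 3 is
    replayed by someone who does not know Ks, which steps 4-5 are meant to catch."""
    ka, kb = master_keys[id_a], master_keys[id_b]
    n1 = os.urandom(NONCE_LEN)                         # step 1: IDA || IDB || N1 -> KDC
    reply = kdc_step2(master_keys, id_a, id_b, n1)     # step 2
    ks_a, ticket = a_step3(ka, id_a, id_b, n1, reply)  # step 3: A -> B: E_Kb[Ks || IDA]
    ks_b, peer = b_step3(kb, ticket)
    if peer != id_a:
        raise ValueError("ticket names a different peer")
    n2 = os.urandom(NONCE_LEN)
    challenge = E(ks_b, n2)                            # step 4: B -> A: E_Ks[N2]
    if impostor_key is None:
        response = E(ks_a, f(D(ks_a, challenge)))      # step 5: A -> B: E_Ks[f(N2)]
    else:                                              # impostor cannot read N2; must guess
        response = E(impostor_key, os.urandom(NONCE_LEN))
    try:
        return D(ks_b, response) == f(n2) and ks_a == ks_b
    except ValueError:
        return False

def demo():
    """Returns (honest run succeeded, replayed ticket without Ks succeeded)."""
    kdc = {ident("A"): os.urandom(KEY_LEN), ident("B"): os.urandom(KEY_LEN)}  # constructed master keys
    return (run_exchange(kdc, ident("A"), ident("B")),
            run_exchange(kdc, ident("A"), ident("B"), impostor_key=os.urandom(KEY_LEN)))

if __name__ == "__main__":
    print(demo())   # (True, False)
```

Two points worth noting in the code. A's check in `a_step3` is what ties the KDC's reply to N1: without it, an old reply captured from an earlier run could be fed back to A. And steps 4 and 5 prove only that whoever forwarded the ticket knows Ks; they do not stop an attacker who has recovered an old Ks from replaying that old ticket, which is why Kerberos adds timestamps to its tickets.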

Page 60:

Key Distribution Issues

• Hierarchies of KDCs are required for large networks, but they must trust each other.

• Session key lifetimes should be limited for greater security.

• Automatic key distribution on behalf of users is convenient, but the system must be trusted.

• Decentralized key distribution is an alternative.

• Controlling the purposes keys are used for.

Page 61:

Automatic Key Distribution

• For connection-oriented protocols (e.g. at network or transport levels) the key can be generated, using Front-End Processor, in a way that is transparent to the end user.

Page 62:

Automatic Key Distribution (cont.)

• The KDC provides a one-time session key for that connection. The session keys are used for the duration of a session. At the conclusion of the session, or connection, the session key is destroyed.

• The automated key distribution approach provides the flexibility and dynamic characteristics needed to allow a number of terminal users to access a number of hosts and for the hosts to exchange data with each other.

• Kerberos, used extensively in Microsoft Windows 2000, is modelled on a KDC.

Page 63:

Difficulties in Key Distribution

• In general, a KDC supporting n sites, where each site needs a secret key with every other site, must make almost n²/2 keys.

• The KDC is often burdened with extensive key management and can become a bottleneck.

• If the KDC also acts as a key escrow agent, the KDC itself is an attractive target (e.g., for a distributed denial-of-service attack).

• For these reasons, purely symmetric key distribution is not very attractive in large networks and is usually avoided.

• Another approach is public-key encryption, which makes key distribution much easier. We will discuss it in the next chapter.

Page 64:

Decentralized Key Control

• For small networks we may use a decentralized approach. Each node must maintain n-1 master keys.
1. A issues a request to B for a session key and includes a nonce N1.
2. B responds with a message encrypted using the shared master key (MKm). The response includes: the session key (Ks, chosen by B), an identifier of B, the value f(N1), and another nonce N2.
3. Using the new session key, A returns f(N2) to B for authentication.

Page 65:

Controlling Key Usage

• Sometimes it is useful to define different session keys on the basis of use (for various applications), e.g., for communication, PIN-encrypting applications, file encryption, etc.

• It is often desirable to institute controls in systems that limit the ways in which keys are used, based on characteristics associated with those keys.

• Method 1: use a tag with each key.
—In DES, the actual key is 56 bits; the 8 non-key (parity) bits can be used to indicate something, e.g.:
–1 bit indicates whether the key is a session key or a master key
–1 bit indicates whether it is for encryption or decryption
–...
—Two problems: 1) the tag length is limited, and 2) because the tag is not transmitted in clear form it can be used only at the point of decryption, limiting the ways in which the key can be controlled.

Page 66:

Controlling Key Usage (cont.)

• Method 2: use a control vector (CV).
—The KDC sends the control vector in the clear, and it can be used at any stage.
—For master key Km and session key Ks:

  Hash value:  H = h(CV)
  Key input:   Km XOR H
  Ciphertext:  E_{Km XOR H}[Ks]
  Recovery:    Ks = D_{Km XOR H}[E_{Km XOR H}[Ks]]

• There is no restriction on the length of the control vector, which enables arbitrarily complex controls to be imposed on each key.

• The control vector is available in clear form at all stages of operation. Thus, the control of key use can be exercised in multiple locations.

Page 67:

Controlling Key Usage (cont.)

• To control some of the bits (for identification or hierarchy, etc.) a control vector is used. KDC sends control vector in clear and can be used in any stage.
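The control-vector wrapping of the two slides above (H = h(CV), key input Km XOR H, Ks recovered with the CV that travels in the clear), as an added example that is not part of the lecture. The CV encoding, the 32-byte key sizes, the hash-derived one-time pad that stands in for E_{Km XOR H}[Ks] (a 32-byte Ks is exactly one pad), and the 4-byte key check value that lets the receiver notice a wrong key are all assumptions made for the illustration; in a real implementation the wrap would be a block cipher and the check value would be computed the way the key-management standard in use prescribes.

```python
"""Control vectors: bind key-usage restrictions to a session key without keeping them secret.

Added example, not from the lecture. The CV encoding, the 32-byte key sizes, the
hash-derived pad standing in for E_{Km XOR H}[Ks], and the key check value are
assumptions for the illustration.
"""
import hashlib
import os

KEY_LEN = 32

def control_vector(**flags):
    """Encode usage flags as a canonical byte string, e.g. b'decrypt=0,encrypt=1,session=1'."""
    return ",".join(f"{k}={int(v)}" for k, v in sorted(flags.items())).encode()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _key_input(km, cv):
    """Key Input = Km XOR H, with H = h(CV)."""
    return _xor(km, hashlib.sha256(cv).digest())

def wrap_key(km, cv, ks):
    """KDC side: Ciphertext = E_{Km XOR H}[Ks]. Because Ks is one hash block long, a
    hash-derived pad plays the role of the block cipher here. A short key check value
    is returned alongside so the receiver can tell a correctly unwrapped key from garbage."""
    pad = hashlib.sha256(b"wrap" + _key_input(km, cv)).digest()
    kcv = hashlib.sha256(b"kcv" + ks).digest()[:4]
    return _xor(ks, pad), kcv

def unwrap_key(km, cv, ciphertext, kcv):
    """Receiver side: Ks = D_{Km XOR H}[Ciphertext], using the CV delivered in the clear.
    Any change to the CV changes H, hence the unwrapping key, hence the result."""
    pad = hashlib.sha256(b"wrap" + _key_input(km, cv)).digest()
    ks = _xor(ciphertext, pad)
    if hashlib.sha256(b"kcv" + ks).digest()[:4] != kcv:
        raise ValueError("key check failed: control vector altered or wrong master key")
    return ks

def demo():
    km = os.urandom(KEY_LEN)          # master key shared between KDC and this node (constructed)
    ks = os.urandom(KEY_LEN)          # session key the KDC wants to deliver
    cv = control_vector(session=1, encrypt=1, decrypt=0)   # an encrypt-only session key
    ct, kcv = wrap_key(km, cv, ks)
    honest = unwrap_key(km, cv, ct, kcv) == ks
    # A node that rewrites the CV in transit to grant itself decryption does not obtain Ks.
    tampered_cv = control_vector(session=1, encrypt=1, decrypt=1)
    try:
        unwrap_key(km, tampered_cv, ct, kcv)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return honest, tamper_rejected

if __name__ == "__main__":
    print(demo())   # (True, True)
```

This is what "the control vector is available in clear form at all stages" buys: any node holding Km can check the CV before it uses the key, and a node that changes the CV simply ends up with a different (useless) key rather than a key with wider permissions.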

Page 68:

Random Numbers

Page 69:

Importance of Random Numbers

• There are many uses of random numbers in cryptography:
—nonces in authentication protocols to prevent replay (an attacker stores old messages and replays them to fake its identity and obtain A's session key)
—session keys
—public key generation
—the key stream for a one-time pad

• In all cases it is critical that these values be:
—statistically random: uniformly distributed and independent
—unpredictable: one cannot infer future values of the sequence from previous values

Page 70:

Natural Random Noise

• The best source is natural randomness in the real world.

• Find a regular but random event and monitor it.

• Special hardware is generally needed to do this:
—e.g., radiation counters, radio noise, audio noise, thermal noise in diodes, leaky capacitors, mercury discharge tubes, etc.

• Such hardware is starting to appear in new CPUs.

• Problems of bias or uneven distribution in the signal:
—have to compensate for this when sampling and using the values
—best to use only a few of the noisiest bits from each sample

Page 71:

Published Sources

• There are a few published collections of random numbers.

• Tippett published a collection as early as 1927.

• The Rand Corporation, in 1955, published 1 million numbers:
—generated using an electronic roulette wheel
—has been used in some cipher designs, e.g., Khafre

• The issues are that:
—these collections are limited
—they are too well known for most uses

Page 72

Pseudorandom Number Generators (PRNGs)

• For cryptography applications we need a deterministic algorithm to generate pseudorandom numbers.

• How can a deterministic algorithm generate random values?
— a philosophical objection, not an engineer's concern

• an algorithmic technique to create "random numbers"
— although not truly random
— can pass many tests of "randomness"

Page 73

Linear Congruential Generator

• common iterative technique using: X_{n+1} = (a·X_n + c) mod m
where m > 0 and 0 ≤ a, c, X_n < m
— X_0 is the seed
— m must be very large to have a long sequence
• given suitable values of the parameters, it can produce a long random-like sequence
• suitable criteria to have are:
— the function generates a full period
— the generated sequence should appear random
— efficient implementation with 32-bit arithmetic
• note that an attacker can reconstruct the sequence given a small number of values

Page 74

Practical Pseudorandom Generator

• common iterative technique using: X_{n+1} = (16807·X_n) mod (2^31 − 1)
— if m is prime and c = 0, the period of the generated numbers is m − 1
— to be efficient in implementation we choose m = 2^31 − 1
— coefficient a = 7^5 = 16807 generates a very good random sequence and is widely used

• If an opponent is able to get X_0, X_1, X_2, X_3, these three equations can be solved for a, c and m.

• To create unpredictability, use the current clock mod m as the new seed to change the sequence every N numbers.
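The two slides above describe the LCG recurrence, the full-period criterion, and the 16807 / (2^31 − 1) generator. As an added example, not from the lecture, the block below implements the recurrence, checks the full-period condition for c ≠ 0 with the Hull-Dobell theorem (a standard result the slides do not name), and shows the predictability the slides warn about: once a, c and m are known, a single observed output fixes every later output, so an LCG is unsuitable for keys. The small parameter sets used in the checks are constructed for illustration.

```python
from math import gcd


def lcg(a, c, m, seed):
    """Linear congruential generator: X_{n+1} = (a*X_n + c) mod m, yielding X_1, X_2, ..."""
    x = seed
    while True:
        x = (a * x + c) % m
        yield x


def take(gen, n):
    """First n values of a generator."""
    return [next(gen) for _ in range(n)]


def period(a, c, m, seed):
    """Length of the cycle reached from seed, by brute-force enumeration (small m only)."""
    seen = {}
    x, i = seed, 0
    while x not in seen:
        seen[x] = i
        x = (a * x + c) % m
        i += 1
    return i - seen[x]


def hull_dobell_full_period(a, c, m):
    """Hull-Dobell theorem: with c != 0 the period equals m exactly when
    gcd(c, m) == 1, a-1 is divisible by every prime factor of m, and
    a-1 is divisible by 4 whenever m is. Returns False for c == 0
    (that case, used by the 16807 generator, has period at most m-1)."""
    if c == 0 or gcd(c, m) != 1:
        return False
    n, p, factors = m, 2, set()      # trial-division factorisation of m
    while p * p <= n:
        while n % p == 0:
            factors.add(p)
            n //= p
        p += 1
    if n > 1:
        factors.add(n)
    if any((a - 1) % q != 0 for q in factors):
        return False
    if m % 4 == 0 and (a - 1) % 4 != 0:
        return False
    return True


# The generator from the slide: a = 7^5, c = 0, m = 2^31 - 1 (a prime).
MINIMAL_STANDARD = (16807, 0, 2**31 - 1)


def predict_rest(a, c, m, observed_x, n):
    """Given the parameters and one observed output, the next n outputs follow
    deterministically; this is why an LCG must not be used for key material."""
    return take(lcg(a, c, m, observed_x), n)


if __name__ == "__main__":
    print("full period (5, 3, 16)?", hull_dobell_full_period(5, 3, 16), period(5, 3, 16, 7))
    print("16807 generator from seed 1:", take(lcg(*MINIMAL_STANDARD, 1), 3))
    print("predicted after observing 16807:", predict_rest(*MINIMAL_STANDARD, 16807, 2))
```

`period` enumerates the whole cycle and is only meant for small moduli; for the 2^31 − 1 generator the period m − 1 is a known property, not something to brute-force here.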

Page 75

Using Block Ciphers as Stream Ciphers

• can use a block cipher to generate numbers
• use Counter Mode: X_i = E_Km[i]
• use Output Feedback Mode: X_i = E_Km[X_{i−1}]

Page 76

Using Counter Mode

• use Counter Mode: X_i = E_Km[i]

• The counter has period N, e.g. 2^56 when 56-bit DES keys are used

• Since the master key is protected, it is not possible to deduce the secret key from earlier keys

Page 77

Using Output Feedback Mode

• The output of each stage is a 64-bit value of which the s leftmost bits are fed back for encryption.

• Successive 64-bit outputs constitute a sequence of pseudorandom numbers with good statistical properties.

Page 78

ANSI X9.17 Pseudorandom Number Generator

• ANSI X9.17 PRNG
— uses date/time + seed inputs and three triple-DES encryptions to generate a new seed and a random output

• Input: two pseudorandom inputs:
— DT_i: a 64-bit representation of the current date/time
— V_i: a 64-bit seed generated at the beginning of the i-th stage

• Keys (K1, K2): all 3DES modules use the same pair of 56-bit keys

• Output: a 64-bit pseudorandom number (R_i) and a 64-bit seed value (V_{i+1})
— R_i = EDE_{K1,K2}[V_i ⊕ EDE_{K1,K2}[DT_i]]
— V_{i+1} = EDE_{K1,K2}[R_i ⊕ EDE_{K1,K2}[DT_i]]
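The data flow on this slide (encrypt the date/time, XOR with the seed, encrypt to get R_i, XOR R_i with the encrypted date/time, encrypt again to get V_{i+1}) is easy to get subtly wrong, so here it is as an added example that is not the lecture's code. Python's standard library has no DES, so `ede_stand_in` replaces the two-key triple-DES EDE block with a keyed pseudorandom function built from HMAC-SHA256 truncated to 64 bits; this is an assumption made only to run offline, and a real X9.17 generator must use EDE_{K1,K2} as the slide states. Keys, seed and clock value are constructed.

```python
import hashlib
import hmac
import struct
import time


def ede_stand_in(k1, k2, block):
    """Stand-in for EDE_{K1,K2} on a 64-bit block. The real generator uses
    two-key triple DES (encrypt with K1, decrypt with K2, encrypt with K1);
    this keyed PRF (HMAC-SHA256 truncated to 8 bytes) only models the data flow."""
    assert len(block) == 8, "X9.17 works on 64-bit blocks"
    return hmac.new(k1 + k2, block, hashlib.sha256).digest()[:8]


def xor8(a, b):
    """Bytewise XOR of two 8-byte blocks."""
    return bytes(x ^ y for x, y in zip(a, b))


def x917_step(k1, k2, dt, v, ede=ede_stand_in):
    """One stage of ANSI X9.17. Returns (R_i, V_{i+1}) for date/time block dt and seed v:
       T      = EDE[DT_i]
       R_i    = EDE[V_i  XOR T]
       V_{i+1}= EDE[R_i  XOR T]
    Three block encryptions per output, as the slide says."""
    t = ede(k1, k2, dt)
    r = ede(k1, k2, xor8(v, t))
    v_next = ede(k1, k2, xor8(r, t))
    return r, v_next


def datetime_block(now_ns):
    """64-bit big-endian representation of a clock reading (here: nanoseconds)."""
    return struct.pack(">Q", now_ns & 0xFFFFFFFFFFFFFFFF)


def x917_outputs(k1, k2, v0, n, clock=time.time_ns):
    """Run n stages from seed v0, reading the clock at each stage; returns the R_i list.
    The seed chains forward (V_{i+1} feeds stage i+1), so outputs differ even when
    the clock does not advance between stages."""
    v, out = v0, []
    for _ in range(n):
        r, v = x917_step(k1, k2, datetime_block(clock()), v)
        out.append(r)
    return out


if __name__ == "__main__":
    k1, k2 = b"\x01" * 8, b"\x02" * 8          # constructed demo keys
    for r in x917_outputs(k1, k2, b"\x00" * 8, 3):
        print(r.hex())
```

The construction's strength comes from the secrecy of (K1, K2) and of V_i; the date/time input only adds freshness and is not assumed secret.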

Page 79

Blum Blum Shub (BBS) Generator

• based on public key algorithms
• Choose:
— two prime numbers p, q such that p ≡ q ≡ 3 (mod 4)
— n = p·q
— a random number s (seed) that is relatively prime to n (i.e. neither p nor q is a factor of s)

• BBS generates a sequence of bits B_i as follows:

X_0 = s^2 mod n

For i = 1 to ∞:

X_i = (X_{i−1})^2 mod n (each X_i is a number with 0 ≤ X_i < n)

B_i = X_i mod 2 (B_i is the least significant bit of X_i)

Page 80

Features of BBS Generator

• unpredictable; passes the next-bit test (the slide's table for n = 192649 = 283 × 503 and s = 101355 is not reproduced here)

• security rests on the difficulty of factoring n (i.e. given n, determining its two prime factors p and q)

• is unpredictable given any run of bits (given k bits of the sequence, it is impossible to determine bit k+1 with probability above ½)

• slow, since very large numbers must be used

• too slow for cipher use, good for key generation

Page 81

Summary

• have considered:
— use of symmetric encryption to protect confidentiality
— need for good key distribution
— use of trusted third-party KDCs
— random number generation