Chapter 8 – Network Security
![Page 1: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/1.jpg)
Chapter 8 – Network Security
Two main topics:
Cryptographic algorithms and mechanisms
Firewalls
Chapter may be hard to understand if you don’t have some background. The topics are very extensive and 50 pages of text can’t cover much at all.
![Page 2: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/2.jpg)
Encryption
Two main divisions: symmetric, where the same key both encrypts and decrypts (examples: DES, Blowfish, RC2, RC4, etc.), and asymmetric, where different keys are used, one for encrypting and one for decrypting (examples: RSA, DH)
Symmetric: usually much faster to compute, but key distribution is harder
Asymmetric: much slower to compute, but key distribution is easier
![Page 3: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/3.jpg)
Problems requiring Encryption (in plain English)
You don’t want your data intercepted in-transit by an unintended recipient
You want to be sure that you are communicating with the person or website that you intend
You want to be able to prove that you are who you say you are
![Page 4: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/4.jpg)
Secret keys – symmetric encryption
Simple enough in concept – encrypt your message with a secret key and send it to a recipient – see next diagram
Read over the details of the example method given in the text (DES), but we will focus more on RSA
![Page 5: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/5.jpg)
Diagram: Plaintext → Encrypt with secret key → Ciphertext → Decrypt with secret key → Plaintext
![Page 6: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/6.jpg)
Public Key or Asymmetric Algorithms
Usually based on mathematical problems that are hard to compute, like factoring large near-prime numbers or calculating discrete logs
Two keys – private key and public key
One encrypts, the other decrypts
Only one copy of the private key – the owner’s
There can be many copies of the public key
![Page 7: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/7.jpg)
Public Key Usage
Look over the accompanying slides (handout) on the usage of Public Key cryptography
Factoid: RSA is 100 to 10,000 times slower to compute than a secret key method like DES or Blowfish
Therefore large amounts of encryption are not usually done with a public key method – instead secret (symmetric) keys are passed with public key encryption – see slides
![Page 8: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/8.jpg)
Terminology
Key – a string of characters used to encrypt or decrypt a message
Plain text – the original message
Cipher text – the encrypted message
Public key – the part of a (public, private) key pair that is distributed to people whom you want to send encrypted messages to
Private key – the part that you keep to yourself to encrypt and decrypt with
![Page 9: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/9.jpg)
How Public and Private Keys Work
Plain text encrypted by a private key gives cipher text that can be decrypted (only) by the public key
Conversely, plain text encrypted by the public key gives text that can be decrypted (only) by the private key
Note: plain text encrypted by a public key cannot be decrypted by a second use of the public key (the same holds for the private key)
![Page 10: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/10.jpg)
How it Works (continued)
Note: if you want to keep your data secret, it does not work to encrypt data with your private key and send it off to be decrypted with your public key, because your public key (being public!) may be in other people’s hands besides your intended recipient’s
Therefore both sides need a separate (private, public) key pair (see the diagrams in the handout)
Caveat: if you want to prove that you are who you say you are, then encrypting with your private key is useful – since only you possess it!
![Page 11: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/11.jpg)
Diagram: Plaintext → Encrypt with public key → Ciphertext → Decrypt with private key → Plaintext
![Page 12: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/12.jpg)
Security (diagram)
Cryptography algorithms:
Public key (e.g., RSA)
Secret key (e.g., DES)
Message digest (e.g., MD5)
Security services:
Authentication, Privacy, Message integrity
![Page 13: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/13.jpg)
Security Mechanisms
Authentication, trusted third party, digital signatures, certificates are all mechanisms based on various uses of encryption to handle those problems stated earlier in plain English
The next diagrams show graphically some of the handshaking that needs to go on
![Page 14: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/14.jpg)
Client–Server handshake (diagram):
Client → Server: ClientId, E(x, CHK)
Server → Client: E(x + 1, SHK), E(y, SHK)
Client → Server: E(y + 1, CHK)
Server → Client: E(SK, SHK)
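A runnable walk-through of the handshake on this slide, added here as an example (not from the slides or the textbook). E and D are a constructed XOR-keystream stand-in for the real cipher so the message flow can be exercised offline; the two nonce checks are the point of the exchange.

```python
import hashlib
import secrets

def E(value: int, key: bytes, label: str) -> bytes:
    """Constructed stand-in for the slide's E(x, K): XOR the value (as 8 bytes)
    with a keystream derived from the key and a per-message label. Not a real
    cipher (no integrity protection); it only lets the flow run offline."""
    stream = hashlib.sha256(key + label.encode()).digest()[:8]
    return bytes(a ^ b for a, b in zip(value.to_bytes(8, "big"), stream))

def D(blob: bytes, key: bytes, label: str) -> int:
    # XOR is its own inverse; decrypting with the wrong key yields garbage
    return int.from_bytes(E(int.from_bytes(blob, "big"), key, label), "big")

def handshake(client_keys, server_keys):
    """Run the three-way handshake. Each side holds its own copy of
    (CHK, SHK); the slide assumes both were derived from a shared secret.
    Returns the session key SK as received by the client, or None when a
    nonce check fails (the other side does not hold the right keys)."""
    c_chk, c_shk = client_keys
    s_chk, s_shk = server_keys
    mask = (1 << 64) - 1
    # 1. Client -> Server: ClientId, E(x, CHK)   (x is a fresh random nonce)
    x = secrets.randbelow(1 << 32)
    msg1 = ("client-42", E(x, c_chk, "m1"))
    # 2. Server -> Client: E(x + 1, SHK), E(y, SHK)
    x_seen = D(msg1[1], s_chk, "m1")
    y = secrets.randbelow(1 << 32)
    msg2 = (E((x_seen + 1) & mask, s_shk, "m2a"), E(y, s_shk, "m2b"))
    # Client: only a holder of CHK and SHK could have produced x + 1
    if D(msg2[0], c_shk, "m2a") != x + 1:
        return None
    # 3. Client -> Server: E(y + 1, CHK)
    y_seen = D(msg2[1], c_shk, "m2b")
    msg3 = E((y_seen + 1) & mask, c_chk, "m3")
    # Server: y + 1 under CHK proves the client holds CHK
    if D(msg3, s_chk, "m3") != y + 1:
        return None
    # 4. Server -> Client: E(SK, SHK), a fresh session key for the data phase
    sk = secrets.randbits(64)
    msg4 = E(sk, s_shk, "m4")
    return D(msg4, c_shk, "m4")
```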
![Page 15: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/15.jpg)
Authentication via a trusted third party S (diagram; A and B are the parties, T a timestamp, L a lifetime, K the session key, KA and KB the keys A and B share with S):
A → S: A, B
S → A: E((T, L, K, B), KA), E((T, L, K, A), KB)
A → B: E((A, T), K), E((T, L, K, A), KB)
B → A: E(T + 1, K)
![Page 16: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/16.jpg)
Public-key challenge (diagram):
A → B: E(x, PublicB)
B → A: x
![Page 17: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/17.jpg)
Certificates
Just a special type of digitally signed document
In plain English it says: “I certify that the public key in this document belongs to the entity named in the document, signed X.”
X would normally be a CA or Certification Authority – an administrative entity that is in the business of issuing certificates
![Page 18: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/18.jpg)
“Chains of Trust”
Read over carefully the basic ideas behind the tree-structured certification authority given on page 592 and in figure 8.12
This whole issue is fraught with complications and standards – just the basic idea will suffice for us for this course
![Page 19: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/19.jpg)
Diagram: tree-structured certification hierarchy – IPRA (root) → PCA1, PCA2, PCA3 → CAs (which may certify further CAs) → Users
IPRA = Internet Policy Registration Authority (root)
PCAn = policy certification authority
CA = certification authority
![Page 20: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/20.jpg)
Example Systems
Privacy Enhanced Mail (PEM): read over the basic idea on page 595 and study the following figures
![Page 21: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/21.jpg)
PEM signing (diagram)
Sender:
Calculate MD5 checksum over message contents
Sign checksum using RSA with sender’s private key
Transmitted message
Receiver:
Decrypt signed checksum with sender’s public key
Calculate MD5 checksum on received message and compare against received value
Sender identity and message integrity confirmed if checksums match
![Page 22: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/22.jpg)
PEM encryption (diagram)
Sender:
Original message
Create a random secret key k
Encrypt message using DES with secret key k
Encrypt k using RSA with recipient’s public key
Encode message + E(k) in ASCII for transmission
Transmitted message
Receiver:
Convert ASCII message
Decrypt E(k) using RSA with my private key -> k
Decrypt message using DES with secret key k
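The RSA steps of the two PEM figures above, and the "one key encrypts, only the other decrypts" rule from slides 9 and 10, as an added example (not code from the slides or the textbook). The key pair is a constructed toy: two well-known Mersenne primes, chosen only so that n can hold a 128-bit MD5 digest; there is no padding, so this is textbook RSA, not a real PEM implementation.

```python
import hashlib
import secrets

# Constructed toy key pair for illustration only. Two Mersenne primes give an
# n of about 234 bits, large enough to hold a 128-bit MD5 digest. Both primes
# are public knowledge, so this key offers no security; real RSA uses random
# primes of 1024 bits or more and pads the value before exponentiating.
P, Q = (1 << 127) - 1, (1 << 107) - 1
N = P * Q
PUB = 65537                                 # public exponent e
PRIV = pow(PUB, -1, (P - 1) * (Q - 1))      # private exponent d (Python 3.8+)

def rsa(value: int, exponent: int, modulus: int = N) -> int:
    """Textbook RSA: the same modular exponentiation is used with either key,
    which is why a value encrypted with one key is undone only by the other
    (slides 9 and 10), never by a second use of the same key."""
    return pow(value, exponent, modulus)

def md5_int(message: bytes) -> int:
    return int.from_bytes(hashlib.md5(message).digest(), "big")

def sign(message: bytes) -> int:
    """PEM signing, sender side: MD5 checksum over the message, signed with
    the sender's private key."""
    return rsa(md5_int(message), PRIV)

def verify(message: bytes, signature: int) -> bool:
    """PEM signing, receiver side: decrypt the signed checksum with the
    sender's public key and compare it with a checksum computed over the
    received message."""
    return rsa(signature, PUB) == md5_int(message)

def seal_key(recipient_pub: int, recipient_n: int):
    """PEM encryption, sender side: create a random secret key k (the key the
    DES step would use) and encrypt it with the recipient's public key.
    Returns (k, E(k))."""
    k = secrets.randbits(64)
    return k, pow(k, recipient_pub, recipient_n)

def unseal_key(sealed: int) -> int:
    """PEM encryption, receiver side: decrypt E(k) with my private key -> k."""
    return rsa(sealed, PRIV)
```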
![Page 23: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/23.jpg)
Transport Layer Security (TLS)
SSL and HTTPS are two well-known examples
![Page 24: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/24.jpg)
Protocol stack (diagram): Application (e.g., HTTP) / Secure transport layer / TCP / IP / Subnet
![Page 25: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/25.jpg)
TLS handshake (diagram; optional messages in brackets):
Client → Server: Hello
Server → Client: Hello, [Certificate, Keys, Cert. Request], HelloDone
Client → Server: [Certificate], Keys, [Cert. Verify], Finished
Server → Client: Finished
Client ↔ Server: Data
![Page 26: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/26.jpg)
Firewalls
Basic functions:
Packet Filtering (see example on handouts)
Network Address Translation (NAT)
Application Proxy
Monitoring and Logging
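An added example of the packet filtering function (not from the slides or the handouts): a first-match rule table with a default-deny fallback, evaluated over constructed packets. The addresses and rules are made up for the example; 192.0.2.10 and 203.0.113.5 are documentation addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR block, or "any"
    dst: str               # CIDR block, or "any"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = any port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every field it constrains agrees with the packet."""
    if rule.src != "any" and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst != "any" and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    return rule.dport is None or rule.dport == pkt.dport

def filter_packet(rules, pkt: Packet) -> str:
    """The first matching rule decides. Anything no rule mentions is dropped
    (default deny), so a service nobody thought about is closed, not exposed."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# Constructed rule set: a site on 10.0.0.0/8 with a public web server at
# 192.0.2.10, most specific rules first so the explicit deny wins.
RULES = [
    Rule("deny",  "any", "192.0.2.10", "tcp", 23),     # no telnet to the server
    Rule("allow", "any", "192.0.2.10", "tcp", 80),     # public web
    Rule("allow", "any", "192.0.2.10", "tcp", 443),
    Rule("allow", "10.0.0.0/8", "any", "any", None),   # inside hosts may go out
]
```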
![Page 27: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/27.jpg)
Firewalls – Other functions
Firewalls can sometimes also do:
Data Caching
Content Filtering
Intrusion Detection
Load Balancing
![Page 28: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/28.jpg)
Diagram: Rest of the Internet – Firewall – Local site
![Page 29: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/29.jpg)
Proxy-Based Firewalls
A big topic that is only briefly touched upon in this textbook
![Page 30: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/30.jpg)
Diagram: Company net (with Web server) behind a Firewall; on the Internet side, a random external user and a remote company user
![Page 31: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/31.jpg)
Diagram: External client → (external HTTP/TCP connection) → Proxy on the Firewall → (internal HTTP/TCP connection) → Local server
![Page 32: Chapter 8 – Network Security](https://reader036.vdocuments.us/reader036/viewer/2022081505/56815702550346895dc4a973/html5/thumbnails/32.jpg)
Diagram: Outside world – R1 – net 1 – R2 – net 2