Dr. L. Christofi
Local & Metropolitan Area Networks
ACOE322
Lecture 8: Network Security
0. Overview
• As knowledge of computer networking and protocols has become more widespread, so the threat of intercepting and decoding message data during its transfer across a network has increased.
• An intruder on a network can identify and remove the protocol control information at the head of each message, leaving the message contents. The contents, including passwords and other sensitive information, can then be interpreted. This is known as listening or eavesdropping.
• In addition, an intruder can use a recorded message sequence to generate a new sequence. This is known as masquerading.
• Therefore, encryption should be applied to all data transfers that involve a network.
• In the context of the ISO reference model, the most appropriate layer to perform such operations is the presentation layer.
Terminology
• Data encryption involves the sending party processing all data prior to transmission so that, if it is intercepted in transit, it is incomprehensible to the intercepting party.
• Data should be interpreted (decrypted) only by the intended recipient.
• Most encryption methods involve an encryption key, which is known only to the two correspondents.
• Before encryption, message data is called plaintext; after encryption, ciphertext.
• The aim is to choose an encryption method such that an intruder cannot decipher the recorded ciphertext in a realistic time period.
Security Requirements
• Privacy (Confidentiality)
— Data is accessible only to authorized parties
• Authenticity
— A host or service is able to verify the identity of a user
• Integrity
— Data can be modified only by authorized parties
• Availability
— Data is available to authorized parties when they need it
• Non-repudiation
— The receiver must be able to prove that a received message came from a specific sender
Cryptography
• Original message
— Plaintext
• Encryption
— Transforms the plaintext to ciphertext
• Decryption
— Transforms the ciphertext back to plaintext
• Ciphers
— Different categories of algorithms in cryptography
• Key
— Number (value) that the ciphers operate on
Cryptography Components
Encryption and Decryption
• In cryptography, the encryption/decryption algorithms are public; the keys are secret
• Two groups of algorithms
— Symmetric-key algorithms
— Public-key algorithms
Symmetric-key cryptography
• The same key is used by the sender (for encryption) and the receiver (for decryption). The key is shared
• In symmetric-key cryptography, the same key is used in both directions
• Often used for long messages
• Algorithm is public, key is secret
Traditional Ciphers
• Substitution Ciphers
• Transposition Ciphers
Substitution Ciphers
• One symbol is substituted by another
— e.g. Caesar Cipher (a->D, b->E, c->F, … z->C): every letter is shifted by the same three positions
• Monoalphabetic substitution
— The relationship between a character in the plaintext and a character in the ciphertext is always one-to-one
• Polyalphabetic substitution
— The relationship between a character in the plaintext and a character in the ciphertext is one-to-many
Transposition Ciphers
• The characters retain their plaintext form but change their positions
• Text is organized into a two-dimensional table and the columns are interchanged according to a key
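The two traditional cipher families above, worked through in code. This is an added example written for these notes, not code from the lecture or its textbooks: a Caesar shift (monoalphabetic, one-to-one), a Vigenère cipher (polyalphabetic, one-to-many), and a columnar transposition keyed by a column permutation. It also shows the practical consequence of a one-to-one substitution: because letter frequencies survive the substitution, the Caesar key can be recovered from ciphertext alone by trying all 26 shifts and scoring against English letter frequencies. The frequency table and the sample sentences are constructed for the example.

```python
"""Traditional ciphers: substitution (Caesar, Vigenere) and columnar transposition.
Added example for this lecture, not from the original slides or textbooks."""
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# Approximate English letter frequencies in percent (used only to break Caesar).
ENGLISH_FREQ = {"E": 12.7, "T": 9.1, "A": 8.2, "O": 7.5, "I": 7.0, "N": 6.7,
                "S": 6.3, "H": 6.1, "R": 6.0, "D": 4.3, "L": 4.0, "C": 2.8,
                "U": 2.8, "M": 2.4, "W": 2.4, "F": 2.2, "G": 2.0, "Y": 2.0,
                "P": 1.9, "B": 1.5, "V": 1.0, "K": 0.8, "J": 0.15, "X": 0.15,
                "Q": 0.10, "Z": 0.07}


def caesar(text: str, shift: int) -> str:
    """Monoalphabetic substitution: every letter moves by the same shift
    (shift=3 gives the lecture's a->D, b->E, ..., z->C). Non-letters pass through."""
    out = []
    for ch in text.upper():
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26] if ch in ALPHABET else ch)
    return "".join(out)


def break_caesar(ciphertext: str) -> int:
    """Recover the shift with no key: try all 26 and pick the candidate whose
    letter counts best fit English (chi-squared). A one-to-one substitution
    preserves the plaintext's frequency profile, which is why this works."""
    best_shift, best_score = 0, float("inf")
    for shift in range(26):
        letters = [c for c in caesar(ciphertext, -shift) if c in ALPHABET]
        counts, n = Counter(letters), len(letters)
        score = 0.0
        for letter in ALPHABET:
            expected = n * ENGLISH_FREQ[letter] / 100
            score += (counts[letter] - expected) ** 2 / expected
        if score < best_score:
            best_shift, best_score = shift, score
    return best_shift


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Polyalphabetic substitution: the shift cycles through the key letters, so
    one plaintext letter maps to several ciphertext letters (one-to-many)."""
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            k = ALPHABET.index(key[i % len(key)].upper())
            out.append(ALPHABET[(ALPHABET.index(ch) + (-k if decrypt else k)) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def columnar_encrypt(text: str, key: tuple) -> str:
    """Transposition: write the text row by row into len(key) columns (padding
    with X), then read the columns out in the order listed in key, which is a
    permutation of 0..len(key)-1. Characters keep their values; only positions change."""
    n = len(key)
    padded = text + "X" * (-len(text) % n)
    rows = [padded[i:i + n] for i in range(0, len(padded), n)]
    return "".join(row[col] for col in key for row in rows)


def columnar_decrypt(ciphertext: str, key: tuple) -> str:
    """Inverse: cut the ciphertext into columns, put each back at its original
    index, then read row by row. The padding X's are returned as-is."""
    n = len(key)
    depth = len(ciphertext) // n
    cols = [""] * n
    for idx, col in enumerate(key):
        cols[col] = ciphertext[idx * depth:(idx + 1) * depth]
    return "".join(cols[c][r] for r in range(depth) for c in range(n))
```

Running `vigenere("ATTACKATDAWN", "LEMON")` gives `LXFOPVEFRNHR`: the four plaintext A's become L, O, E and N, which is the one-to-many relationship the slide describes, and is what defeats the simple frequency count that `break_caesar` uses. The transposition output is an anagram of its input, so `sorted(ciphertext) == sorted(padded plaintext)` always holds, which is itself a tell-tale an attacker can use.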
Block Cipher
• Plaintext and ciphertext are blocks of bits
• Each block is a unit of encryption/decryption
Block Cipher (Cont.)
• P-box (permutation of bit positions)
• S-box (substitution of one bit pattern by another)
• Product block (S-boxes and P-boxes combined, repeated over several rounds)
• Data Encryption Standard (DES)
• Triple DES
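A toy product block cipher that puts the three components above together, added here as an illustration (it is not from the lecture and it is not DES; DES works on 64-bit blocks with 16 rounds and a 56-bit key). It encrypts 8-bit blocks with a 16-bit key using three rounds of key mixing, a 4-bit S-box applied to each nibble, and an 8-bit P-box. The S-box values are the first row of DES S-box 1; the P-box and the key schedule are constructed for the example. Decryption runs the inverse components in reverse order. The ECB helpers show the "each block is an independent unit" property and its downside: equal plaintext blocks give equal ciphertext blocks.

```python
"""Toy substitution-permutation (product) block cipher on 8-bit blocks.
Added example: shows the roles of S-box, P-box and rounds. Not secure, not DES."""

# 4-bit S-box (bijection on nibbles). Values are row 0 of DES S-box S1.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]

# 8-bit P-box: output bit i takes input bit PBOX[i] (constructed permutation).
PBOX = [1, 5, 2, 0, 3, 7, 4, 6]
INV_PBOX = [PBOX.index(v) for v in range(8)]

ROUNDS = 3


def substitute(block: int, sbox) -> int:
    """Apply the 4-bit S-box to each nibble of the 8-bit block (confusion)."""
    hi, lo = block >> 4, block & 0xF
    return (sbox[hi] << 4) | sbox[lo]


def permute(block: int, pbox) -> int:
    """Move bits to new positions according to pbox (diffusion)."""
    out = 0
    for i in range(8):
        out |= ((block >> pbox[i]) & 1) << i
    return out


def round_keys(key: int) -> list:
    """Toy key schedule: one 8-bit subkey per round plus a final one,
    taken from successive left rotations of the 16-bit key."""
    keys = []
    for r in range(ROUNDS + 1):
        rotated = ((key << r) | (key >> (16 - r))) & 0xFFFF
        keys.append(rotated & 0xFF)
    return keys


def encrypt_block(block: int, key: int) -> int:
    """Product cipher: rounds of (key mix, S-box, P-box), then a final key mix."""
    ks = round_keys(key)
    state = block
    for r in range(ROUNDS):
        state ^= ks[r]
        state = substitute(state, SBOX)
        state = permute(state, PBOX)
    return state ^ ks[ROUNDS]


def decrypt_block(block: int, key: int) -> int:
    """Undo the final key mix, then each round in reverse with inverse boxes."""
    ks = round_keys(key)
    state = block ^ ks[ROUNDS]
    for r in reversed(range(ROUNDS)):
        state = permute(state, INV_PBOX)
        state = substitute(state, INV_SBOX)
        state ^= ks[r]
    return state


def encrypt_ecb(data: bytes, key: int) -> bytes:
    """Each byte is one block, encrypted independently of the others (ECB).
    Equal plaintext blocks give equal ciphertext blocks, which leaks structure."""
    return bytes(encrypt_block(b, key) for b in data)


def decrypt_ecb(data: bytes, key: int) -> bytes:
    return bytes(decrypt_block(b, key) for b in data)
```

Neither component is useful on its own: an S-box alone acts on each nibble separately, and a P-box alone is a linear rearrangement that is trivially undone. Alternating them over several rounds with key material mixed in is what "product block" means on the slide, and it is the structure DES and AES share. Real ciphers also avoid ECB for anything longer than one block; the `encrypt_ecb` helper is there to make that weakness visible.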
Public-key cryptography
• Two keys are used
— Private key
• Kept by the receiver
• Used for decryption
— Public key
• Announced to the public
• Used for encryption
• Disadvantages
— Complexity of the algorithm
• Keys are large and computation is slow
— Need to verify the association between an entity and its public key
• Most common algorithm: RSA (Rivest, Shamir and Adleman)
• More efficient for short messages
Public-key cryptography (Cont.)
Digital signature
• A digital signature is used to provide
— Authentication
— Integrity
— Non-repudiation
Signing the whole document
• The sender uses the private key to encrypt (sign) the message
• The receiver uses the public key of the sender to decrypt the message
• Note: a digital signature does not provide privacy. Anyone holding the sender's public key can recover the message. If there is a need for privacy, another layer of encryption/decryption must be applied.
Signing the digest
• The sender creates a miniature version, or digest, of the document and signs it
— A hash function is used to create a fixed-size digest from a variable-length message
— Two common hash functions
• MD5: produces a 128-bit digest
• SHA-1: produces a 160-bit digest
• Both are now considered broken for collision resistance; SHA-2 or SHA-3 should be used for new designs
• The receiver recomputes the digest and checks the signature on it
Sender and receiver site (figure: sender site, receiver site)
User authentication
• Message authentication
— The identity of the sender is verified for each single message
• User authentication
— The user's identity is verified once for the entire duration of system access
— With a symmetric key
— With a public key
• Sender uses the private key to encrypt the message
• Receiver uses the sender's public key to decrypt the message
Using symmetric key only
• Simple approach
— Sender sends his/her identity and password in an encrypted message, using the symmetric key (Kab)
— Cannot prevent a replay attack
— Replay attack: a malicious intruder records the encrypted message and resends it later, without needing to decrypt it
Using symmetric key only (Cont.)
• Using a nonce
— Step 1: Sender sends his/her identity and password in an encrypted message, using the symmetric key (Kab)
— Step 2: Receiver challenges the sender by sending back a nonce, a large random number that is used only once (one-time number)
— Step 3: Sender responds to the challenge by returning the nonce encrypted under the symmetric key
— Advantage: prevents the replay attack, since a recorded response is valid only for the nonce it answered
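The two schemes from the last two slides, side by side, as an added example (not code from the lecture). The lecture has the sender encrypt the nonce with Kab; here the keyed function is HMAC-SHA256 with Kab, because the Python standard library has no block cipher and a keyed MAC plays the same role in the protocol: only a holder of Kab can produce the expected response. The "encryption" of the step-1 identity/password message is a deliberately simple XOR-keystream stand-in for a real cipher, labelled as such in the code; the replay weakness it demonstrates holds for any cipher, since the intruder never needs to decrypt. The server keeps each issued nonce until it is answered and discards it at the first use, so a second copy of the same response, and a recording of step 1 replayed by an intruder, both fail. Names, users and the key are constructed.

```python
"""Challenge-response authentication with a nonce versus a replayable password
message. Added example, not from the lecture. HMAC-SHA256 keyed with Kab stands in
for 'encrypt the nonce with Kab'; toy_encrypt stands in for a real cipher."""
import hashlib
import hmac
import secrets
from typing import Optional

KAB = b"shared-secret-between-alice-and-bob"   # constructed shared key


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with an HMAC-derived keystream. Deterministic
    and unauthenticated on purpose (a real system would use AES-GCM); the replay
    problem shown below does not depend on which cipher is used."""
    keystream, counter = b"", 0
    while len(keystream) < len(plaintext):
        keystream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


toy_decrypt = toy_encrypt   # XOR is its own inverse


class SimpleServer:
    """Slide 21: accept an encrypted 'identity:password' message. Replayable."""
    def __init__(self, users: dict):
        self.users = users

    def login(self, ciphertext: bytes) -> bool:
        identity, _, password = toy_decrypt(KAB, ciphertext).partition(b":")
        return self.users.get(identity) == password


class NonceServer:
    """Slide 22: after the identity message, challenge with a fresh nonce and
    accept only a response bound to that nonce. Each nonce is honoured once."""
    def __init__(self, users: dict):
        self.users = users
        self.pending = {}            # nonce -> identity awaiting a response

    def step1_identify(self, ciphertext: bytes) -> Optional[bytes]:
        identity, _, password = toy_decrypt(KAB, ciphertext).partition(b":")
        if self.users.get(identity) != password:
            return None
        nonce = secrets.token_bytes(16)      # large random number, used only once
        self.pending[nonce] = identity
        return nonce                         # step 2: the challenge

    def step3_verify(self, nonce: bytes, response: bytes) -> bool:
        identity = self.pending.pop(nonce, None)   # pop: a nonce cannot be reused
        if identity is None:
            return False
        expected = hmac.new(KAB, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(nonce: bytes) -> bytes:
    """Step 3 on the sender's side: prove possession of Kab by keying the nonce with it."""
    return hmac.new(KAB, nonce, hashlib.sha256).digest()


def demo() -> tuple:
    """Returns (simple login, simple replay, genuine nonce login, replayed response,
    intruder replaying step 1 and reusing an old response)."""
    users = {b"alice": b"s3cret"}
    login_msg = toy_encrypt(KAB, b"alice:s3cret")   # what Alice sends in step 1

    simple = SimpleServer(users)
    first = simple.login(login_msg)
    replayed = simple.login(login_msg)               # intruder resends the recording

    server = NonceServer(users)
    nonce = server.step1_identify(login_msg)
    response = client_response(nonce)
    genuine = server.step3_verify(nonce, response)
    replay = server.step3_verify(nonce, response)    # same recording, second time

    intruder_nonce = server.step1_identify(login_msg)   # step 1 can still be replayed...
    intruder = server.step3_verify(intruder_nonce, response)  # ...but the challenge differs
    return first, replayed, genuine, replay, intruder
```

`demo()` returns `(True, True, True, False, False)`: the simple server accepts the recording as often as it is replayed, while the nonce server accepts the genuine exchange once and rejects both the repeated response and an intruder who replays step 1 but cannot answer the new challenge. Two details matter in practice: the nonce must come from a cryptographic random source (`secrets`, not `random`), and the comparison uses `hmac.compare_digest` so that response checking does not leak timing information.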
Public key authentication
• Sender encrypts the message with his/her private key
• Receiver uses the sender's public key to decrypt the message and authenticate the sender
• Problem
— Cannot prevent a man-in-the-middle attack
• Man-in-the-middle attack:
— An intruder announces his/her own public key to the receiver in place of the sender's, so the receiver "authenticates" messages that were in fact signed by the intruder. This is the key-binding problem noted under public-key disadvantages.
Firewalls
• A device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet
• Helps to protect an organization's computers and networks from unwanted Internet traffic
• Designed to keep problems on the Internet from spreading to an organization's computers
• Classes of firewalls
— Packet-filter firewalls
— Proxy-based firewalls
Packet-filter firewall
• A filter that uses a filtering table to decide which packets must be discarded (not forwarded)
• Filters at the network layer and transport layer
• Blocks packets based on
— Source and destination IP addresses
— Source and destination ports
— Type of protocol (TCP or UDP)
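A filtering table of the kind the slide describes, applied to inbound packet headers. This is an added example written for these notes, not from the lecture: the rule set protects a constructed internal network 192.168.10.0/24 with a web server at 192.168.10.5, uses first-match semantics with a default of deny, and matches only on the fields a packet filter sees (addresses, protocol, ports). The sample packets are constructed.

```python
"""Packet-filter firewall: a filtering table applied to network- and transport-layer
header fields. Added example, not from the lecture; rules and packets are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


def _net_match(pattern: str, addr: str) -> bool:
    """'*' matches anything; otherwise pattern is an IP or CIDR network."""
    if pattern == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern: str, port: int) -> bool:
    """'*', a single port, or an inclusive 'lo-hi' range."""
    if pattern == "*":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


@dataclass(frozen=True)
class Rule:
    """One line of the filtering table."""
    action: str           # "allow" or "deny"
    src: str = "*"
    dst: str = "*"
    proto: str = "*"
    sport: str = "*"
    dport: str = "*"

    def matches(self, pkt: Packet) -> bool:
        return (_net_match(self.src, pkt.src) and _net_match(self.dst, pkt.dst)
                and self.proto in ("*", pkt.proto)
                and _port_match(self.sport, pkt.sport)
                and _port_match(self.dport, pkt.dport))


# Constructed table for inbound traffic (Internet -> organisation), first match wins.
TABLE = [
    Rule("deny",  src="192.168.10.0/24"),                        # anti-spoofing: our own range cannot arrive from outside
    Rule("allow", dst="192.168.10.5", proto="tcp", dport="80"),  # HTTP to the web server
    Rule("allow", dst="192.168.10.5", proto="tcp", dport="443"), # HTTPS to the web server
    Rule("allow", src="8.8.8.8", dst="192.168.10.0/24", proto="udp",
         sport="53", dport="1024-65535"),                        # DNS replies from the resolver we use
]
DEFAULT_ACTION = "deny"   # anything not explicitly allowed is discarded


def filter_packet(pkt: Packet, table=TABLE) -> str:
    """Walk the table top to bottom; the first matching rule decides."""
    for rule in table:
        if rule.matches(pkt):
            return rule.action
    return DEFAULT_ACTION
```

The last rule shows the limit of a stateless packet filter: it cannot tell a genuine DNS reply from any UDP packet an attacker sends with source port 53 to a high port, because it only sees header fields and keeps no record of which queries went out. Stateful filters close that gap by tracking connections; application-layer proxies, on the next slide, go further and inspect the message itself. Ordering also matters: the anti-spoofing deny must come before the allow rules or a spoofed internal source could reach the web server.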
Proxy firewall
• Focuses on the application layer
• Filters messages based on information in the message at the application layer
— Step 1: Runs as a proxy for the destination process to receive the request
— Step 2: Opens the packet at the application level and finds out whether the request is legitimate
— Step 3: If the message is legitimate, acts as the sender process and sends the message to the real receiver. Otherwise drops the message and sends an error message to the external sender
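The three steps above for an HTTP proxy firewall, as an added example written for these notes (not code from the lecture). The proxy receives the raw request as the web server would, parses it at the application layer, applies a constructed policy (allowed methods, expected Host header, URI length, no path traversal or control characters after percent-decoding) and then either re-serialises an approved request for the real server or answers the external sender with an HTTP error. Hostnames, policy limits and sample requests are constructed.

```python
"""Proxy (application-layer) firewall for HTTP: receive as the destination would,
inspect at application level, forward or reject. Added example, not from the lecture."""
from typing import Optional
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_HOSTS = {"www.example.org"}      # the real receiver we stand in for (constructed)
MAX_URI_LENGTH = 2048


def parse_request(raw: bytes):
    """Steps 1-2: act as the destination and open the message at HTTP level.
    Returns (method, path, headers); raises ValueError on a malformed request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    method, path, _version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_legitimate(method: str, path: str, headers: dict) -> Optional[str]:
    """Step 2 policy, on decoded application data. None if legitimate, else the reason."""
    if method not in ALLOWED_METHODS:
        return f"method {method} not allowed"
    if headers.get("host") not in ALLOWED_HOSTS:
        return "unknown or missing Host"
    if len(path) > MAX_URI_LENGTH:
        return "URI too long"
    decoded = unquote(path)                      # check the path the server would see
    if ".." in decoded.split("/"):
        return "path traversal attempt"
    if any(c in decoded for c in "\r\n\x00"):
        return "control characters in URI"
    return None


def proxy(raw: bytes) -> tuple:
    """Step 3: forward a legitimate request to the real receiver as if we were the
    sender; otherwise drop it and return an error to the external sender.
    Returns ("forward", request_bytes) or ("reject", error_response_bytes)."""
    try:
        method, path, headers = parse_request(raw)
    except ValueError as exc:
        return "reject", f"HTTP/1.1 400 Bad Request\r\n\r\n{exc}\r\n".encode()
    reason = is_legitimate(method, path, headers)
    if reason is not None:
        return "reject", f"HTTP/1.1 403 Forbidden\r\n\r\n{reason}\r\n".encode()
    # Re-serialise from the parsed fields instead of relaying the original bytes,
    # so only what was parsed and approved reaches the internal server.
    headers["via"] = "1.1 proxy-firewall"
    out = f"{method} {path} HTTP/1.1\r\n"
    out += "".join(f"{name}: {value}\r\n" for name, value in headers.items()) + "\r\n"
    return "forward", out.encode()
```

The decoding step is the point a packet filter cannot reach: `/static/..%2F..%2Fetc/passwd` contains no literal `..` segment until it is percent-decoded, so the policy runs on the decoded path, which is what the real server would act on. Rebuilding the request from parsed fields, rather than relaying the original bytes, is the proxy "acting as the sender process" from step 3, and it is why an application proxy is slower and more protocol-specific than a packet filter.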
References
• F. Halsall, Data Communications, Computer Networks and Open Systems, 4th edition, Addison Wesley, 1995
• W. Stallings, Data and Computer Communications, 7th edition, Prentice Hall, 2004