encryption and firewallsencryption and firewalls2profs.net/steve/cisntwk441/09.pdf · firewalls...

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs 2nd ed Intrusion Detection and VPNs, 2 ed.

99Encryption and FirewallsEncryption and Firewalls

By Whitman, Mattord & Austin © 2008 Course Technology

Learning Objectivesg j

♦ Describe the role encryption plays in a firewall yp p yarchitecture

♦ Explain how digital certificates work and why they are important security tools

♦ Analyze the workings of SSL, PGP, and other popular encryption schemes

♦ Discuss Internet Protocol Security (IPSec) and identify its protocols and modes

Firewalls & Network Security, 2nd ed. - Chapter 9 Slide 2

Firewalls and Encryptionyp

♦ Hackers take advantage of a lack of encryptiong yp♦ Encryption:

– Preserves data integrityg y– Increases confidentiality– Is relied upon by user authenticationp y– Plays a fundamental role in enabling VPNs

Slide 3Firewalls & Network Security, 2nd ed. - Chapter 9

Hacker and an Unencrypted Packetyp


Hacker and an Encrypted Packetyp


The Cost of Encryptionyp

♦ CPU resources and time♦ Bastion host that hosts the firewall should be

robust enough to manage encryption and other security functionssecurity functions

♦ Encrypted packets may need to be padded to uniform length to ensure that some algorithmsuniform length to ensure that some algorithms work effectively

♦ Can result in slowdowns♦ Monitoring can burden system administrator


Preserving Data Integrityg g y

♦ Even encrypted sessions can go wrong as a yp g gresult of man-in-the-middle attacks

♦ Encryption can perform nonrepudiation using a digital signature


Maintaining Confidentialityg y

♦ Encryption conceals information to render it ypunreadable to all but intended recipients


Authenticating Network Clientsg

♦ Firewalls need to trust that the person’s claimed pidentity is genuine

♦ Firewalls that handle encryption can be used to identify individuals who have “digital ID cards” that include encrypted codes– Digital signatures– Public keys– Private keys


Enabling Virtual Private Networks (VPNs)(VPNs)♦ As an integral part of VPNs, encryption:g p , yp

– Enables the firewall to determine whether the user who wants to connect to the VPN is actually authorized to do so

– Encodes payload of information to maintain privacyprivacy


Principles of Cryptographyp yp g p y

♦ Encryption - the process of converting an original message into a form that cannot be understood by unauthorized individuals

♦ Cryptology the science of encryption♦ Cryptology, the science of encryption, encompasses two disciplines:– Cryptography - describes the processes involvedCryptography describes the processes involved

in encoding and decoding messages so that others cannot understand themC t l i th f d i h i th– Cryptanalysis - the process of deciphering the original message (plaintext) from an encrypted message (ciphertext), without knowing the

Firewalls & Network Security, 2nd ed. - Chapter 9 11

algorithms and keys used to perform the encryption

Encryption Definitionsyp

♦ Algorithm: The mathematical formula or method used to convert an unencrypted message into an encrypted message

♦ Cipher: The transformation of the individual♦ Cipher: The transformation of the individual components (characters, bytes, or bits) of an unencrypted message into encrypted yp g ypcomponents

♦ Ciphertext or cryptogram: The unintelligible d d lti f tiencoded message resulting from an encryption

♦ Cryptosystem: The set of transformations necessary to convert an unencrypted message


necessary to convert an unencrypted message into an encrypted message

Encryption Definitions (continued)yp ( )

♦ Decipher: To decrypt or convert ciphertext to plaintext

♦ Encipher: To encrypt or convert plaintext to ciphertextciphertext

♦ Key or cryptovariable: The information used in conjunction with the algorithm to create theconjunction with the algorithm to create the ciphertext from the plaintext; it can be a series of bits used in a mathematical algorithm, or the k l d f h t i l t th l i t tknowledge of how to manipulate the plaintext

♦ Keyspace: The entire range of values that can possibly be used to construct an individual key


possibly be used to construct an individual key

Encryption Definitions (continued)yp ( )

♦ Plaintext: The original unencrypted message g yp gthat is encrypted and results from successful decryption

♦ Steganography: The process of hiding messages, usually within graphic images

♦ Work factor: The amount of effort (usually expressed in units of time) required to perform cryptanalysis on an encoded messagecryptanalysis on an encoded message


Cryptographic Notationyp g p

M represents original message; C represents p g g ; pciphertext; E represents encryption process; D represents the decryption process; K represents a key

So…E(M) = C encrypting a message results in

cyphertextD(C) = M and D[E(M)] = ME(M,K) = C specifies encrypting the message with

k k b t t d K1 K2 t i tha key; keys can be annotated K1, K2 etc in the case of multiple keys


Common Ciphersp

♦ In encryption the most commonly used algorithms include three functions: substitutionalgorithms include three functions: substitution, transposition, and XOR

♦ In a substitution cipher, you substitute one value f th l h b ti b tit tifor another - a monoalphabetic substitution uses only one alphabet - a polyalphabetic substitution use two or more alphabets

♦ The transposition cipher (or permutation cipher) simply rearranges the values within a block to create the ciphertext - this can be done at the bitcreate the ciphertext this can be done at the bit level or at the byte (character) level


Common Ciphers (continued)p ( )

♦ In the XOR cipher conversion, the bit stream is bj t d t B l XOR f ti i tsubjected to a Boolean XOR function against

some other data stream, typically a key stream ♦ XOR works as follows:♦ XOR works as follows:

– ‘0’ XOR’ed with ‘0’ results in a ‘0’. (0 ⊗ 0 = 0)– ‘0’ XOR’ed with ‘1’ results in a ‘1’. (0 ⊗ 1 = 1)

‘1’ XOR’ d ith ‘0’ lt i ‘1’ (1 ⊗ 0 1)– ‘1’ XOR’ed with ‘0’ results in a ‘1’. (1 ⊗ 0 = 1)– ‘1’ XOR’ed with ‘1’ results in a ‘0’. (1 ⊗ 1 = 0)

♦ Simply put if the two values are the same you♦ Simply put, if the two values are the same, you get “0”; if not, you get “1”

♦ This process is reversible. That is, if you XOR the cipherte t ith the ke stream o get the


the ciphertext with the key stream, you get the plaintext

Vernam Cipherp

♦ Also known as the one-time pad, the Vernam p ,cipher was developed at AT&T and uses a set of characters that are used for encryption operations only one time and then discarded

♦ The values from this one-time pad are added to th bl k f t t d th lti ithe block of text, and the resulting sum is converted to text


Book or Running Key Cipherg y p

♦ Another method, used in the occasional spy , pymovie, is the use of text in a book as the algorithm to decrypt a message

♦ The key relies on two components:– knowing which book to use– a list of codes representing the page number,

line number, and word number of the plaintext wordword


Symmetric Encryptiony yp

♦ The previous methods of encryption/decryption require the same algorithm and key be used to both encipher/decipher the message

♦ This is known as private key encryption or♦ This is known as private key encryption, or symmetric encryption

♦ In this approach the same key—a secret key—♦ In this approach, the same key a secret keyis used to encrypt and decrypt the message

♦ Usually extremely efficient, requiring simple processing to encrypt or decrypt the message

♦ Main challenge is getting a copy of the key to the receiver a process that must be conducted


the receiver, a process that must be conducted out-of-band to avoid interception

Symmetric Encryptiony yp


The Technology of Symmetric EncryptionEncryption♦ Data Encryption Standard (DES)

– developed in 1977 by IBM– based on the Data Encryption Algorithm (DEA),

which uses a 64-bit block size and a 56-bit keywhich uses a 64 bit block size and a 56 bit key– federally approved standard for nonclassified

datacracked in 1997 when developers of a new– cracked in 1997 when developers of a new algorithm, Rivest-Shamir-Aldeman offered $10,000 to whomever was first to crack itf t th d ll b t d th– fourteen thousand users collaborated over the Internet to finally break the encryption

♦ Triple DES (3DES) was developed as an


p ( ) pimprovement to DES and uses as many as three keys in succession

The Technology of Symmetric Encryption (continued)Encryption (continued)♦ Advanced Encryption Standard (AES)

– successor to 3DES– based on Rinjndael Block Cipher, which features

a variable block length and a key length of eithera variable block length and a key length of either 128, 192, or 256 bits

♦ In 1998, it took a special computer designed by♦ In 1998, it took a special computer designed by the Electronic Freedom Frontier more than 56 hours to crack DES - it would take the same computer approximately 4 698 864 quintillioncomputer approximately 4,698,864 quintillion years to crack AES


Asymmetric Encryptiony yp

♦ Also known as public key encryption♦ Uses two different but related keys♦ Either key can be used to encrypt or decrypt♦ If Key A is used to encrypt message, then only

Key B can decrypt; if Key B is used to encrypt message then only Key A can decryptmessage, then only Key A can decrypt

♦ This technique is most valuable when one of the keys is private and the other is publickeys is private and the other is public

♦ Problem: it requires four keys to hold a single conversation between two parties and the


number of keys grows geometrically as parties are added

Public Key Encryptiony yp


Digital Signaturesg g

♦ When asymmetric process is reversed, that the message was sent by organization owning the private key cannot be refuted (nonrepudiation)

♦ Digital signatures: encrypted messages verified♦ Digital signatures: encrypted messages verified as authentic by independent facility (registry)

♦ Digital certificate: electronic document similar to♦ Digital certificate: electronic document, similar to digital signature, attached to file certifying that file is from the organization it claims to be from

d h t b difi d f i i l f tand has not been modified from original format♦ Certificate Authority (CA): agency that manages

issuance of certificates and serves as electronic


issuance of certificates and serves as electronic notary public to verify their origin and integrity

Digital Signatureg g


Public Key Infrastructurey

♦ Public key infrastructure (PKI) is the entire set of hardware software and cryptosystems necessaryhardware, software, and cryptosystems necessary to implement public key encryption

♦ Systems are based on public key cryptosystems d i l d di it l tifi t d tifi tand include digital certificates and certificate

authorities


Public Key Infrastructure (continued)y ( )

♦ Can increase an organization’s ability to protect it i f ti t b idiits information assets by providing:– Authentication: Digital certificates authenticate

identity of each party in an online transactionidentity of each party in an online transaction– Integrity: Digital certificate asserts content signed

by the certificate has not been altered in transitby the certificate has not been altered in transit– Confidentiality: Keeps information confidential by

ensuring it is not intercepted during transmission– Authorization: Digital certificates can replace

user IDs and passwords, enhance security, and d h dreduce overhead

– Nonrepudiation: Certificates validate actionsFirewalls & Network Security, 2nd ed. - Chapter 9 29

Hybrid Systemsy y

♦ Pure asymmetric key encryption not widely used t i f tifi t i t d t i llexcept in area of certificates - instead, typically

employed in conjunction with symmetric key encryption, creating a hybrid system

♦ Hybrid process currently in use is based on Diffie-Hellman key exchange, which provides method to exchange private keys using publicmethod to exchange private keys using public key encryption without exposure to third parties

♦ In this method, asymmetric encryption is used to exchange symmetric keys so two entities canexchange symmetric keys, so two entities can conduct quick, efficient, secure communications based on symmetric encryption - Diffie-Hellman

id d th f d ti f b t


provided the foundation for subsequent developments in public key encryption

Hybrid Encryptiony yp


Using Cryptographic Controlsg yp g p

♦ Generation of unbreakable ciphertext is possible only if proper key management infrastructureonly if proper key management infrastructure has been constructed and cryptosystems are operated and managed correctly

♦ C t hi t l b d t t♦ Cryptographic controls can be used to support several aspects of business:– Confidentiality and integrity of e-mail and its y g y

attachments– Authentication, confidentiality, integrity, and

nonrepudiation of e-commerce transactionsnonrepudiation of e commerce transactions– Authentication and confidentiality of remote

access through VPN connectionsHigher standard of authentication when used to


– Higher standard of authentication when used to supplement access control systems

E-mail Securityy

♦ Secure Multipurpose Internet Mail Extensions (S/MIME) builds on Multipurpose Internet Mail(S/MIME) builds on Multipurpose Internet Mail Extensions (MIME); adds encryption and authentication via digital signaturesg g

♦ Privacy Enhanced Mail (PEM) proposed by Internet Engineering Task Force (IETF) as a t d d th t ill f ti ith bli kstandard that will function with public key

cryptosystems; uses 3DES and RSA for key exchanges and digital signaturesg g g

♦ Pretty Good Privacy (PGP): uses IDEA Cipher, a 128-bit symmetric key block encryption algorithm

ith 64 bit bl k f di RSA f


with 64-bit blocks for message encoding; RSA for symmetric key exchange and digital signatures

Securing the Webg

♦ Secure Electronic Transactions (SET)– developed by MasterCard and VISA in 1997 to

provide protection from electronic payment fraudencrypts credit card transfers with DES and uses– encrypts credit card transfers with DES and uses RSA for key exchange

♦ Secure Sockets Layer (SSL)♦ Secure Sockets Layer (SSL)– developed by Netscape in 1994 to provide

security for online electronic commerce t titransactions

– uses several algorithms; mainly relies on RSA for key transfer and IDEA, DES, or 3DES for


ey t a s e a d , S, o 3 S oencrypted symmetric key-based data transfer

Securing the Web (continued)g ( )

♦ Secure Hypertext Transfer Protocol (SHTTP)– an encrypted version of HTTP– provides secure e-commerce transactions and

encrypted Web pages for secure data transferencrypted Web pages for secure data transfer over the Web, using several different algorithms

♦ Secure Shell (SSH)uses tunneling to provide security for remote– uses tunneling to provide security for remote access connections over public networks

– provides authentication services between a client dand a server

– used to secure replacement tools for terminal emulation, remote management, and file transfer


, g ,applications


♦ IP Security (IPSec): primary and now dominant t hi th ti ti d ti d tcryptographic authentication and encryption product

of IETF’s IP Protocol Security Working Group♦ IPS bi l diff t t t♦ IPSec combines several different cryptosystems:

– Diffie-Hellman key exchange for deriving key material between peers on a public networkbetween peers on a public network

– Public key cryptography for signing the Diffie-Hellman exchanges to guarantee the identity of the two parties g g y p

– Bulk encryption algorithms for encrypting the data– Digital certificates signed by a certificate authority to


g g y yact as digital ID cards


♦ IPSec has two components:p– the IP Security protocol itself, which specifies the

information to be added to an IP packet and indicates how to encrypt packet data

– the Internet Key Exchange, which uses asymmetric key exchange and negotiates theasymmetric key exchange and negotiates the security associations



♦ IPSec works in two modes of operation:p– transport mode: only IP data is encrypted—not

the IP headers themselves; allows intermediate nodes to read source and destination addresses

– tunnel mode: entire IP packet is encrypted and inserted as payload in another IP packetinserted as payload in another IP packet

♦ IPSec and other cryptographic extensions to TCP/IP often used to support a virtual privateTCP/IP often used to support a virtual private network (VPN), a private, secure network operated over a public, insecure network


p p ,

Securing Authenticationg

♦ A final use of cryptosystems is to provide yp y penhanced and secure authentication

♦ One approach to this issue is provided by Kerberos, which uses symmetric key encryption to validate an individual user’s access to various

t knetwork resources♦ It keeps a database containing the private keys

of clients and servers that are in theof clients and servers that are in the authentication domain that it supervises


Kerberos

♦ Kerberos system knows these private keys and y p ycan authenticate one network node (client or server) to another

♦ Kerberos also generates temporary session keys—that is, private keys given to the two

ti i tiparties in a conversation


Kerberos


Attacks on Cryptosystemsyp y

♦ Historically, attempts to gain unauthorized y, p gaccess to secure communications have used brute force attacks in which the ciphertext is

frepeatedly searched for clues that can lead to the algorithm’s structure (ciphertext attacks)Thi k f l i♦ This process, known as frequency analysis, can be used along with published frequency of occurrence patterns of various languages andoccurrence patterns of various languages and can allow an experienced attacker to quickly crack almost any code if the individual has a ylarge enough sample of the encoded text


Attacks on Cryptosystems (continued)yp y ( )

♦ Occasionally, an attacker may obtain duplicate y, y ptexts, one in ciphertext and one in plaintext, which enable the individual to reverse-engineer the encryption algorithm in a known-plaintext attack schemeAlt ti l tt k d t♦ Alternatively, an attacker may conduct a selected-plaintext attack by sending a potential victim a specific text that they are sure thevictim a specific text that they are sure the victim will forward on to others; the attacker then intercepts the encrypted message and p yp gcompares it to the original plaintext



♦ Man-in-the-middle attack: method used to intercept the transmission of a public key or even to insert a known key structure in place of the requested public key

♦ Correlation attacks: collection of brute-force th d th t tt t t d d t ti ti lmethods that attempt to deduce statistical

relationships between the structure of the unknown key and the ciphertext that is theunknown key and the ciphertext that is the output of the cryptosystem



♦ In a dictionary attack, the attacker encrypts y , ypevery word in a dictionary using the same cryptosystem as used by the target

♦ In a timing attack, the attacker eavesdrops during a victim’s session and uses statistical

l i f th ’ t i tt d i tanalysis of the user’s typing patterns and inter-keystroke timings to discern sensitive session informationinformation


Defending from Attacksg

♦ No matter how sophisticated encryption and p ypcryptosystems have become, however, they have retained the same flaw that the first

f fsystems contained thousands of years ago: If you discover the key, that is, the method used to perform the encryption you can determineto perform the encryption, you can determine the message

♦ Thus key management is not so much the♦ Thus, key management is not so much the management of technology but rather the management of people


g p p

Chapter Summaryp y

♦ Encryption: process of rendering information yp p gunreadable to all but the intended recipients; purpose is to preserve the integrity and

f f f /confidentiality of information and/or make the process of authenticating users more effectiveFi ll ti t id t ti♦ Firewalls use encryption to provide protection both for data in transit and to help keep firewall securesecure

♦ Encryption of data incurs costs since it requires processing time to encrypt and decrypt the data


processing time to encrypt and decrypt the data being protected

Chapter Summary (continued)p y ( )

♦ Cryptology: science of encryption♦ Cryptography: complex process of making and

using codes♦ Applying concealing techniques is encryption and

decoding ciphertext is called decryptionP d t d t d t h th♦ Process used to decrypt data when the process and/or keys are unknown is called cryptanalysis

♦ C t hi t l t h i d t l d♦ Cryptographic controls: techniques and tools used to implement cryptographic protections; used to secure e-mail Web access Web applications filesecure e mail, Web access, Web applications, file transfers, remote access procedures like VPNs


Chapter Summary (continued)p y ( )

♦ Cryptographic control systems often subject to tt kattack

♦ Many methods of attack have evolved– brute computational approaches– use of weaknesses often found in

implementation of cryptographic controlsimplementation of cryptographic controls♦ Some attacks attempt to inject themselves

between the parties of a securedbetween the parties of a secured communication channel

♦ Other attacks combine multiple brute-force♦ Other attacks combine multiple brute force approaches into one correlation attack


encryption and firewallsencryption and firewalls2profs.net/steve/cisntwk441/09.pdf · firewalls...

Documents