lecture13 network security
TRANSCRIPT
-
8/6/2019 Lecture13 Network Security
1/40
31.1
Chapter 31 Network Security
Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
-
31-1 SECURITY SERVICES
Network security can provide five services. Four of these services are related to the message exchanged using the network. The fifth service provides entity authentication or identification.
Topics discussed in this section:
Message Confidentiality
Message Integrity
Message Authentication
Message Nonrepudiation
Entity Authentication
-
Figure 31.1 Security services related to the message or entity
-
31-2 MESSAGE CONFIDENTIALITY
The concept of how to achieve message confidentiality or privacy has not changed for thousands of years. The message must be encrypted at the sender site and decrypted at the receiver site. This can be done using either symmetric-key cryptography or asymmetric-key cryptography.
Topics discussed in this section:
Confidentiality with Symmetric-Key Cryptography
Confidentiality with Asymmetric-Key Cryptography
-
Figure 31.2 Message confidentiality using symmetric keys in two directions
-
Figure 31.3 Message confidentiality using asymmetric keys
-
31-3 MESSAGE INTEGRITY
Encryption and decryption provide secrecy, or confidentiality, but not integrity. However, on occasion we may not even need secrecy, but instead must have integrity.
Topics discussed in this section:
Document and Fingerprint
Message and Message Digest
Creating and Checking the Digest
Hash Function Criteria
Hash Algorithms: SHA-1
-
Note: To preserve the integrity of a document, both the document and the fingerprint are needed.
-
Figure 31.4 Message and message digest
-
Note: The message digest needs to be kept secret.
-
Figure 31.5 Checking integrity
-
Figure 31.6 Criteria of a hash function
-
Figure 31.7 Message digest creation
-
Note: SHA-1 hash algorithms create an N-bit message digest out of a message of 512-bit blocks. SHA-1 has a message digest of 160 bits (5 words of 32 bits).
-
31-4 MESSAGE AUTHENTICATION
A hash function cannot provide authentication. The digest created by a hash function can detect any modification in the message, but not authentication.
Topics discussed in this section:
MAC
-
Figure 31.9 MAC, created by Alice and checked by Bob
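As an added illustration (not from the slides or the textbook) of why a plain digest gives integrity but not authentication, while the MAC of Figure 31.9 gives both: Python with only the standard library, using SHA-1 as the digest because that is the hash the slides discuss and HMAC-SHA-1 as the MAC; the shared key and the messages are constructed sample values.

```python
import hashlib
import hmac

# Key shared by Alice and Bob (constructed sample value, not from the slides).
SHARED_KEY = b"alice-bob-shared-secret"


def digest(message: bytes) -> bytes:
    """Plain SHA-1 digest: a 160-bit (20-byte) fingerprint of the message."""
    return hashlib.sha1(message).digest()


def mac(key: bytes, message: bytes) -> bytes:
    """Keyed digest (HMAC-SHA-1): only a holder of the key can compute it."""
    return hmac.new(key, message, hashlib.sha1).digest()


def bob_checks_digest(message: bytes, received_digest: bytes) -> bool:
    """Integrity check as in Figure 31.5: recompute the digest and compare."""
    return hmac.compare_digest(digest(message), received_digest)


def bob_checks_mac(message: bytes, received_mac: bytes) -> bool:
    """MAC check as in Figure 31.9: recompute with the shared key and compare."""
    return hmac.compare_digest(mac(SHARED_KEY, message), received_mac)


def demo_digest_vs_mac() -> dict:
    """Alice sends 'Pay Bob 100'; Eve rewrites it in transit to 'Pay Eve 100'."""
    original = b"Pay Bob 100"
    forged = b"Pay Eve 100"

    # Digest only: the digest is unkeyed, so whoever rewrites the message can
    # also rewrite the digest, and Bob's integrity check still passes. The
    # digest tells Bob the pair is consistent, not who produced it.
    forged_digest_accepted = bob_checks_digest(forged, digest(forged))

    # MAC: without the key the tag cannot be recomputed for the altered text,
    # so at best Alice's original tag is reused; Bob's recomputation with the
    # shared key does not match and the message is rejected.
    alice_tag = mac(SHARED_KEY, original)
    forged_mac_accepted = bob_checks_mac(forged, alice_tag)
    genuine_mac_accepted = bob_checks_mac(original, alice_tag)

    return {
        "forged_digest_accepted": forged_digest_accepted,
        "forged_mac_accepted": forged_mac_accepted,
        "genuine_mac_accepted": genuine_mac_accepted,
    }
```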
-
31-5 DIGITAL SIGNATURE
When Alice sends a message to Bob, Bob needs to check the authenticity of the sender; he needs to be sure that the message comes from Alice and not Eve. Bob can ask Alice to sign the message electronically. In other words, an electronic signature can prove the authenticity of Alice as the sender of the message. We refer to this type of signature as a digital signature.
Topics discussed in this section:
Comparison
Need for Keys
Process
-
Note: A digital signature needs a public-key system.
-
Figure 31.11 Signing the message itself in digital signature
-
Note: In a cryptosystem, we use the private and public keys of the receiver; in digital signature, we use the private and public keys of the sender.
-
Figure 31.12 Signing the digest in a digital signature
-
Note: A digital signature today provides message integrity.
-
Note: Digital signature provides message authentication.
-
Figure 31.13 Using a trusted center for nonrepudiation
-
Note: Nonrepudiation can be provided using a trusted party.
-
31-6 ENTITY AUTHENTICATION
Entity authentication is a technique designed to let one party prove the identity of another party. An entity can be a person, a process, a client, or a server. The entity whose identity needs to be proved is called the claimant; the party that tries to prove the identity of the claimant is called the verifier.
Topics discussed in this section:
Passwords
Challenge-Response
-
Note: In challenge-response authentication, the claimant proves that she knows a secret without revealing it.
-
Note: The challenge is a time-varying value sent by the verifier; the response is the result of a function applied on the challenge.
-
Figure 31.14 Challenge/response authentication using a nonce
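The nonce exchange of Figure 31.14 and the two notes before it, as an added example in Python (not part of the slides): Bob, the verifier, issues a fresh random nonce as the time-varying challenge; Alice, the claimant, answers with a keyed function of it, HMAC-SHA-256 under the shared secret (my choice of function); Bob recomputes and compares. The secret never crosses the network, and each nonce is accepted once, so a response captured on the wire cannot be replayed. The shared secret is a constructed sample value.

```python
import hashlib
import hmac
import secrets

# Secret shared by claimant (Alice) and verifier (Bob); constructed sample value.
SHARED_SECRET = b"claimant-verifier-secret"


def response_function(secret: bytes, nonce: bytes) -> bytes:
    """The function applied on the challenge: HMAC-SHA-256 keyed with the secret."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


class Verifier:
    """Bob: issues one fresh nonce per attempt and accepts each nonce only once."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()   # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # time-varying value, never reused
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # A nonce Bob never issued, or one already consumed, is a replay or
        # a fabricated challenge: reject before doing any cryptography.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)  # single use
        expected = response_function(self._secret, nonce)
        return hmac.compare_digest(expected, response)


def claimant_respond(secret: bytes, nonce: bytes) -> bytes:
    """Alice: proves knowledge of the secret by answering the challenge with it."""
    return response_function(secret, nonce)


def run_exchange(verifier: Verifier, claimant_secret: bytes) -> bool:
    """One complete challenge/response round trip between Bob and Alice."""
    nonce = verifier.challenge()                       # Bob -> Alice
    response = claimant_respond(claimant_secret, nonce)  # Alice -> Bob
    return verifier.verify(nonce, response)
```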
-
Figure 31.15 Challenge-response authentication using a timestamp
-
Figure 31.17 Authentication, asymmetric-key
-
Figure 31.18 Authentication, using digital signature
-
31-7 KEY MANAGEMENT
We never discussed how secret keys in symmetric-key cryptography and how public keys in asymmetric-key cryptography are distributed and maintained. In this section, we touch on these two issues. We first discuss the distribution of symmetric keys; we then discuss the distribution of asymmetric keys.
Topics discussed in this section:
Symmetric-Key Distribution
Public-Key Distribution
-
Figure 31.19 KDC
-
Note: A session symmetric key between two parties is used only once.
-
Figure 31.30 Creating a session key between Alice and Bob using KDC
-
Note: In public-key cryptography, everyone has access to everyone's public key; public keys are available to the public.
-
Figure 31.24 Trusted center
-
Figure 31.25 Controlled trusted center
-
Figure 31.26 Certification authority