Network Security

Lecture Objectives

• System attacks

• Physical protection measures

• Controlling access to computers and networks

• Passwords

• Data security

• Substitution-based versus transposition-based cipher

• Public key cryptography, Advanced Encryption Standard, digital signatures, public key infrastructure• Secure wired and wireless communications• Firewall protection

Standard System Attacks• Two leading forms of attacks:

1. Exploiting known operating system vulnerabilities

2. Exploiting known application software vulnerabilities

• A patch may fix it, or introduce more holes

• New holes are always there to be found

• Common attack is via e-mail attachment: open it to launch virus

• Second common attack is scan your computer ports while connected to the Internet: an open port is an open invitation

• Denial of service attacks (or distributed denial): bombarding site with messages makes it incapable of answering valid request

• E-mail bombing: user sends excessive amount of unwanted e-mail

• Smurfing: software attacks network via IP broadcast addressing ops

• Ping storm: Internet ping software used to flood server with packets

• Spoofing: user creates packet that appears to be something else or from someone else

• Trojan Horse: malicious piece of code hidden inside seemingly harmless piece of code

• Stealing, guessing, and intercepting passwords

Physical Protection• From Environmental damage e.g. floods, earthquakes, heat

• From electrical power surges

• From noise by placing away from devices that generate electromagnetic interference

• By locking rooms, locking down computers, keyboards, and other devices

• Surveillance: Security cameras deters theft and vandalism and provide record of activities

• Intrusion detection

Controlling Access• Deciding who has access to what

• Limiting time of day and day of week access

• Limiting access, e.g. not allowing remote login during certain periods

Passwords and ID Systems• Most common form of security and the most abused

• Simple rules help support safe passwords:

• Regular password change

• Random password choice (min 8 characters, mixed symbols)

• Not sharing of passwords or writing them down

• Not selecting names and familiar objects as passwords

• New forms of biometrics “passwords” are emerging:

• finger, face, voice, ear, retina and iris scans

Access Rights

• Two basic questions to access right: who and how?

• Who do you give access right to? No one, group of users, entire set of users?

• How does a user or group of users have access? Read, write, delete, print, copy, execute?

• Most network operating systems have a powerful system for assigning access rights

Auditing• Can help detect wrongdoing

• Can deter

• NOS allow administrators to audit transactions

• Many criminals caught because of computer-based auditing

Basic Encryption and Decryption Techniques• Cryptography: creating/using encryption and decryption techniques

• Plaintext: data before any encryption has been performed

• Ciphertext: data after encryption has been performed

• Key: used to create ciphertext and decrypt ciphertext into plaintext

Monoalphabetic Substitution-based Ciphers• Monoalphabetic substitution-based ciphers replace character or characters with different character or characters using a key

Replacing: abcdefghijklmnopqrstuvwxyz

With: POIUYTREWQLKJHGFDSAMNBVCXZ

The message: “how about lunch at noon”

encodes into “EGVPO GNMKN HIEPM HGGH”

Polyalphabetic Substitution-based Cipher• Similar to monoalphabetic ciphers except multiple alphabetic strings are used to encode the plaintext

key: COMPUTERSCIENCECOMPUTERSCIENCECOMPUTER

plaintext:thisclassondatacommunicationsisthebest

• To encode message, take each letter of plaintext and corresponding key character immediately above it

• If Vigenere matrix of 26 rows by 26 character columns used

• For plaintext “t” and corresponding key “C” go to row C column t in the 26x26 matrix and retrieve the ciphertext character V

Transposition-based CiphersC O M P U T E R (key)

1 4 3 5 8 7 2 6 (Number the letters of key in alphabet order)

Take plaintext message and write it under key

1 4 3 5 8 7 2 6

C O M P U T E R

t h i s i s t h

e b e s t c l a

s s i h a v e e

v e r t a k e n

Read ciphertext down the columns, column by column

TESVTLEEIEIRHBSESSHTHAENSCVKITAA

Public Key Cryptography

• Two keys are used:• First key (public key) encrypts message

• Second key (private key) decrypts message

• Not possible to deduce one key from the other• Not possible to break the code given to the public key• To receive secure data give public key and keep private key• Secure sockets layer on the Internet is example of public key cryptography

Data Encryption Standard (DES)

• 64-bit data block and subjected it to 16 encryption levels

• Choice of encryption performed at each level depends on 56-bit key applied

• 56 bits provides over 72 quadrillion combinations, but the standard has been cracked

Triple-DES

• Data is encrypted using DES three times:• First time by the first key

• Second time by a second key

• Third time by the first key again

• Can also have 3 unique keys

• Virtually unbreakable but CPU intensive• Smart cards, cell phones, PDAs require faster and smaller piece of software

Advanced Encryption Standard (AES)• National Institute of Standards and Technology selected the Rijndael algorithm for AES to replace DES:

• Has more elegant mathematical formulas

• Requires only one pass

• designed to be fast, unbreakable, and to support even the smallest computing device

• Key size of AES: 128, 192, or 256 bits

• Estimated time to crack (assuming 1sec crack for DES key): 149 trillion years

• Very fast execution with very good use of resources

• Widely implemented

Digital Signatures• Document to be signed sent through complex mathematical computation that generates a hash (encoded with owner’s private key)• To prove future ownership, hash is:

• Decoded using owner’s public key

• Compared with a current hash of the document

•I f the two hashes agree, the document belongs to the owner• U.S.A. legalised digitally signed documents

Public Key Infrastructure• Combination of encryption techniques, software, and services that involves all necessary pieces to support digital certificates, certificate authorities, and public key generation, storage, and management

• Digital certificate is electronic document similar to passport that establishes one’s credentials when transacting

• Digital certificates contains one’s name, serial number, expiration dates, copy of public key, and digital signature of certificate-issuing authority

• Certificates are usually kept in registry so other users may check them for authenticity

• Certificates are issued by certificate authority (CA)

• CA is either specialised network software or trusted third party

• Example: Want to order something over the Internet?

• web site wants to ensure you are legit, so web server requests your browser to sign the order with your private key (obtained from your certificate)

• The web server requests your certificate from the third party CA, validates that certificate by verifying the third party’s signature, then uses that certificate to validate the signature on your order

• The user can do the same to ensure web server is not bogus

• Certificate revocation lists used to “deactivate” certificates

Steganography

• The art and science of hiding information inside other seemingly ordinary messages or documents

• Unlike sending an encrypted message you do not know when steganography is hiding a secret message within a document

• Examples include creating watermark over image or taking “random” pixels from image and replacing them with hidden data

Securing Communications: Guarding for Viruses

• A big threat to communication systems is passing of viruses

• Signature-based scanners look for particular virus patterns or signatures and alert the user

• Terminate-and-stay-resident programs run in background constantly watching for viruses and their actions

• Multi-level generic scanning is combination of antivirus techniques including intelligent checksum analysis and expert system analysis

Firewalls• A system or combination of systems that supports an access control policy between two networks

• A firewall limits types of transactions that enter a system, as well as types of transactions that leave a system

• Firewalls can be programmed to stop certain types or ranges of IP addresses and TCP port numbers (applications)

• Packet filter: firewall that is a router and has been programmed to filter out or allow to pass certain IP addresses or TCP port numbers

• Proxy server: firewall that handles any external transaction that requires access to the network (makes external access slow)

Wireless Security

•Wired Equivalency Protocol (WEP) the first security protocol used with wireless LANs and the first to break

•Wi-Fi Protected Access (WPA) replaced WEP: dynamic key encryption replaced static 40-bit

• New protocol being created IEEE 802.11i

• allows keys, encryption algorithms, and negotiation to be dynamically assigned

• incorporates Rijndael algorithm with 128, 192, or 256 bit keys