Network Security David Lazăr



  • Security Requirements and Attacks

  • Confidentiality with Conventional Encryption

  • Message Authentication and Hash Functions

  • Public-Key Encryption and Digital Signatures

  • IPv4 and IPv6 Security

Security Requirements

  • Confidentiality

  • Integrity

  • Availability

Passive Attacks

  • Release of message content (eavesdropping)

    • Prevented by encryption
  • Traffic Analysis

    • Countered by traffic padding
  • Passive attacks are easier to prevent than to detect

Active Attacks

  • Involve the modification of the data stream or creation of a false data stream

  • Active Attacks are easier to detect than to prevent

Active Attacks (cont.)

  • Masquerade

  • Replay

  • Modification of messages

  • Denial of service

Conventional Encryption

Conventional Encryption Requirements

  • Knowing the algorithm, the plaintext and the ciphertext, it should not be feasible to determine the key.

  • The key sharing must be done in a secure fashion.

Encryption Algorithms

  • Data Encryption Standard (DES)

    • Plaintext: 64-bit blocks
    • Key: 56 bits
    • Broken by brute force in 1998
  • Triple DES

  • Advanced Encryption Standard (AES)

    • Plaintext: 128-bit blocks
    • Key: 128, 256 or 512 bits

Location of Encryption Devices

Key Distribution

  • Manual

    • Selected by A, physically delivered to B
    • Selected by C, physically delivered to A and B
  • Automatic

    • The new key is sent encrypted with an old key
    • Sent through a third party with which A and B have encrypted links

Message Authentication

  • Authentic message means that:

    • it comes from the alleged source
    • it has not been modified

Message Authentication Approaches

  • Authentication with conventional encryption

  • Authentication without message encryption:

Message Authentication Code

  • Uses a secret key to generate a small block of data

One-way Hash Function

  • Message digest – a “fingerprint” of the message

  • Like MAC, but without the use of a secret key

  • The message digest must be authenticated
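The difference between a keyed MAC and a bare message digest, and why the slide says the digest "must be authenticated", is easiest to see in code. The following is an added example, not part of the original slides: the key and message are constructed sample values, and HMAC-SHA256 from the Python standard library stands in for "a MAC".

```python
import hashlib
import hmac

# Constructed sample values for this demonstration (not taken from the slides).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
MESSAGE = b"transfer 100 to account 42"


def unkeyed_digest(message: bytes) -> bytes:
    """One-way hash of the message. Anyone can recompute it, so by itself it
    does not tell the receiver who produced the message."""
    return hashlib.sha256(message).digest()


def verify_digest(message: bytes, digest: bytes) -> bool:
    """Naive integrity check: recompute the digest and compare."""
    return unkeyed_digest(message) == digest


def modify_and_recompute_digest(message: bytes) -> tuple:
    """Why a bare digest must be authenticated: whoever changes the message in
    transit can recompute the digest, because no secret is needed to do so.
    The returned pair passes verify_digest() even though the message changed."""
    altered = message.replace(b"100", b"900")
    return altered, unkeyed_digest(altered)


def mac_tag(key: bytes, message: bytes) -> bytes:
    """MAC: a small block of data that depends on both the message and a
    secret key. HMAC-SHA256 is the MAC construction used here."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag with the shared key and compare in constant time, so
    the comparison itself does not leak how many bytes matched."""
    return hmac.compare_digest(mac_tag(key, message), tag)


if __name__ == "__main__":
    tag = mac_tag(SHARED_KEY, MESSAGE)
    print("MAC verifies on the original:", verify_mac(SHARED_KEY, MESSAGE, tag))
    altered, new_digest = modify_and_recompute_digest(MESSAGE)
    print("bare digest check passes on altered message:",
          verify_digest(altered, new_digest))
    print("MAC check passes on altered message:",
          verify_mac(SHARED_KEY, altered, tag))
```

The bare digest check accepts the altered message because the digest travelled unprotected and was simply replaced; the MAC check rejects it because producing a matching tag requires the shared key. Authenticating the digest (with a MAC, a digital signature, or an authenticated channel) is what turns a fingerprint into an integrity guarantee.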

Secure Hash Requirements

  • H can be applied to a block of any size

  • H produces a fixed-length output

  • H(x) is easy to compute

  • Given h, it is infeasible to compute x s.t. H(x) = h

  • Given x, it is infeasible to find y ≠ x s.t. H(y) = H(x)

  • It is infeasible to find any pair (x, y) with x ≠ y such that H(x) = H(y)
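The requirements above can be checked against a real hash function. The following is an added example, not from the slides, using SHA-256 from the Python standard library. It goes one step beyond the list: the last function runs a birthday search on a digest deliberately truncated to a few bits, which makes visible why the collision requirement depends on the output length (roughly 2^(n/2) trials for an n-bit digest). The "msg-i" inputs are constructed sample messages.

```python
import hashlib
from itertools import count


def sha256_hex(data: bytes, bits: int = 256) -> str:
    """SHA-256 of `data` as hex, optionally truncated to `bits` bits
    (bits must be a multiple of 4 so the cut falls on a hex digit)."""
    return hashlib.sha256(data).hexdigest()[: bits // 4]


def output_lengths_for_various_input_sizes() -> set:
    """Requirements 1 and 2: an input of any size yields a fixed-length
    (32-byte) output. A single-element set means every length was the same."""
    return {len(hashlib.sha256(b"x" * n).digest()) for n in (0, 1, 64, 100_000)}


def hamming_distance_hex(a: str, b: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(a, 16) ^ int(b, 16)).count("1")


def avalanche_bits_flipped(msg: bytes, altered: bytes) -> int:
    """A one-character change flips roughly half of the 256 output bits;
    there is no way to 'nudge' an input toward a target digest."""
    return hamming_distance_hex(sha256_hex(msg), sha256_hex(altered))


def find_truncated_collision(bits: int) -> tuple:
    """Birthday search on a digest truncated to `bits` bits. Enumerates
    distinct constructed messages msg-0, msg-1, ... until two share a
    truncated digest. Returns (x, y, trials). Expected trials grow like
    2^(bits/2): around 5,000 for 24 bits, hopeless at the full 256."""
    seen = {}
    for i in count():
        x = f"msg-{i}".encode()
        h = sha256_hex(x, bits)
        if h in seen:
            return seen[h], x, i + 1
        seen[h] = x


if __name__ == "__main__":
    print("digest lengths:", output_lengths_for_various_input_sizes())
    print("bits flipped by a 1-char change:", avalanche_bits_flipped(b"abc", b"abd"))
    x, y, trials = find_truncated_collision(24)
    print(f"24-bit collision after {trials} trials: {x!r} / {y!r}")
```

The two messages found collide only on the truncated 24 bits; their full SHA-256 digests differ. That is the practical reason the slides list a 160-bit digest for SHA-1 and why short or truncated digests are unsafe wherever collision resistance matters.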

Secure Hash Functions

  • Message Digest v5 (MD5)

  • Secure Hash Algorithm (SHA-1)

    • 160-bit message digest

Public-Key Encryption

  • Each user has a pair of keys:

    • public key
    • private key
  • What is encrypted with one key can only be decrypted with the other



Digital Signature

  • Like public-key authentication, but applied to a message digest (SHA-1) rather than to the whole message

Public-Key Encryption Algorithms

  • RSA (used by PGP)

  • El Gamal (used by GnuPG)

Key Management

  • Public-Key encryption can be used to distribute secret keys for conventional encryption

  • Public-Key authentication:
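The three ideas on the last few slides (a key pair where each half undoes the other, a signature computed over a SHA-1 digest, and distributing a conventional-encryption key under a public key) can be shown with one small RSA key pair. This is an added example, not from the slides: it is textbook RSA without padding, built on two well-known Mersenne primes so it runs offline with no key-generation routine. Those primes, the sample message and the hypothetical helper names are all my own choices; real deployments use random primes of 1024 bits or more, padding schemes (OAEP for encryption, PSS for signatures), and a SHA-2 digest rather than SHA-1, which is no longer considered safe for signatures.

```python
import hashlib
import secrets

# Textbook RSA on two known Mersenne primes so the example runs offline without
# a key-generation routine. Chosen for illustration only; a real key uses
# random primes of at least 1024 bits each.
P = 2**89 - 1
Q = 2**107 - 1
N = P * Q                           # public modulus, about 196 bits
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)

PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)


def rsa_apply(m: int, key: tuple) -> int:
    """Modular exponentiation with either half of the key pair. Applying the
    other half afterwards recovers m, in either order."""
    exp, mod = key
    if not 0 <= m < mod:
        raise ValueError("message integer must be smaller than the modulus")
    return pow(m, exp, mod)


def encrypt_with_public(m: int) -> int:
    return rsa_apply(m, PUBLIC_KEY)


def decrypt_with_private(c: int) -> int:
    return rsa_apply(c, PRIVATE_KEY)


def sign(message: bytes) -> int:
    """Digital signature: hash the message (SHA-1, the digest named on the
    slides; 160 bits, so it fits under the 196-bit modulus) and apply the
    private key to the digest rather than to the whole message."""
    h = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return rsa_apply(h, PRIVATE_KEY)


def verify(message: bytes, signature: int) -> bool:
    """Anyone holding the public key recovers the digest from the signature
    and compares it with a freshly computed one; any change to the message
    breaks the match."""
    h = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return rsa_apply(signature, PUBLIC_KEY) == h


def wrap_session_key() -> tuple:
    """Key distribution: a fresh 128-bit key for conventional encryption is
    sent under the recipient's public key. Returns (key, wrapped_key)."""
    key = secrets.token_bytes(16)
    return key, encrypt_with_public(int.from_bytes(key, "big"))


def unwrap_session_key(wrapped: int) -> bytes:
    """Only the holder of the private key can recover the session key."""
    return decrypt_with_private(wrapped).to_bytes(16, "big")


if __name__ == "__main__":
    msg = b"constructed sample message"
    sig = sign(msg)
    print("signature verifies:", verify(msg, sig))
    print("verifies after tampering:", verify(msg + b"!", sig))
    key, wrapped = wrap_session_key()
    print("session key recovered:", unwrap_session_key(wrapped) == key)
```

Signing the digest instead of the whole message keeps the signature a fixed size and makes the message length irrelevant to the public-key operation; the security of the construction then rests on the digest being collision resistant, which links back to the hash requirements earlier in the deck.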

IPv4 and IPv6 Security

  • IPSec provides encryption and authentication at the network (IP) layer

  • IPSec applications:

    • Virtual Private Networking
    • E-commerce

The Scope of IPSec

  • Authentication Header (AH)

  • Encapsulating Security Payload (ESP)

    • provides encryption and authentication
  • Key exchange function

Security Association

  • One-way relationship between two hosts, providing security services for the payload

  • Uniquely identified by:

    • Security Parameter Index (SPI)
    • IP destination address
    • Security Protocol Identifier (AH/ESP)
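To show why an SA is looked up by the full (SPI, destination, protocol) triple, and how the per-SA state defends against the replay attack listed under active attacks, here is an added example that is not part of the slides. It models a tiny Security Association Database and the sliding-window anti-replay check that AH and ESP maintain per SA; the SPI values, addresses and helper names are constructed for the demonstration, and the 64-entry window is an illustrative default.

```python
from dataclasses import dataclass

# IP protocol numbers that identify the security protocol of an SA.
AH = 51
ESP = 50


@dataclass
class SecurityAssociation:
    """One-way SA, identified by the (SPI, destination, protocol) triple.
    Also keeps the anti-replay state that AH and ESP maintain per SA: the
    highest sequence number accepted and a bitmap of the `window_size` most
    recent numbers (bit i set means highest_seq - i has been seen)."""
    spi: int
    dst: str
    proto: int
    window_size: int = 64
    highest_seq: int = 0
    bitmap: int = 0

    def check_and_record_seq(self, seq: int) -> str:
        """Sliding-window anti-replay check modeled on the scheme AH/ESP use.
        Returns "ok" (fresh, now recorded), "replay" (already seen inside the
        window) or "too-old" (fell off the left edge of the window)."""
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            mask = (1 << self.window_size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest_seq = seq
            return "ok"
        offset = self.highest_seq - seq
        if offset >= self.window_size:
            return "too-old"
        if (self.bitmap >> offset) & 1:
            return "replay"
        self.bitmap |= 1 << offset
        return "ok"


class SADB:
    """Security Association Database keyed by the identifying triple."""

    def __init__(self):
        self._table = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._table[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, spi: int, dst: str, proto: int):
        return self._table.get((spi, dst, proto))


def build_demo_sadb() -> SADB:
    """Constructed sample database: the same SPI value is reused for an AH
    and an ESP association to the same host, which is legal because the
    protocol identifier is part of the key."""
    db = SADB()
    db.add(SecurityAssociation(spi=0x1000, dst="10.0.0.2", proto=ESP))
    db.add(SecurityAssociation(spi=0x1000, dst="10.0.0.2", proto=AH))
    return db


def process_inbound(db: SADB, spi: int, dst: str, proto: int, seq: int) -> str:
    """Inbound processing: find the SA from the packet's own fields, then run
    the anti-replay check before any integrity or decryption work."""
    sa = db.lookup(spi, dst, proto)
    if sa is None:
        return "no-sa"          # unknown SA: the packet is discarded
    return sa.check_and_record_seq(seq)


if __name__ == "__main__":
    db = build_demo_sadb()
    for args in [(0x1000, "10.0.0.2", ESP, 1), (0x1000, "10.0.0.2", ESP, 1),
                 (0x1000, "10.0.0.2", AH, 1), (0x2000, "10.0.0.2", ESP, 1)]:
        print(args, "->", process_inbound(db, *args))
```

A duplicated packet on the ESP association is reported as a replay, while the same sequence number on the AH association is fresh, because the two are different SAs with separate state. Packets older than the window are dropped rather than checked, which is why the window must be large enough for normal reordering on the path.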

IPSec Operation Modes

  • Transport mode:

    • provides protection to the upper layers
    • ESP: encrypts the payload and, optionally, authenticates parts of the IP header
    • AH: authenticates the payload and parts of the IP header

IPSec Operation Modes (cont.)

  • Tunnel mode:

    • used when one or both ends are security gateways
    • the entire IP packet is encrypted (ESP) or authenticated (AH) and encapsulated in an outer IP packet

Key Management

  • Manual

    • used for small networks
    • easier to configure
  • Automated

    • more scalable
    • more difficult to set up
    • ISAKMP/Oakley
