Network Security David Lazăr


Date: 08.07.2018
Size: 454 b.


Network Security

  • David Lazăr


Contents

  • Security Requirements and Attacks

  • Confidentiality with Conventional Encryption

  • Message Authentication and Hash Functions

  • Public-Key Encryption and Digital Signatures

  • IPv4 and IPv6 Security



Security Requirements

  • Confidentiality

  • Integrity

  • Availability



Passive Attacks

  • Release of message contents (eavesdropping)

    • Prevented by encryption
  • Traffic analysis (who talks to whom, how often, how much)

    • Mitigated by traffic padding; tunnel-mode IPsec also hides the inner addresses
  • Passive attacks leave the data stream unchanged, so they are easier to prevent than to detect



Active Attacks

  • Involve the modification of the data stream or creation of a false data stream

  • Active Attacks are easier to detect than to prevent



Active Attacks (cont.)

  • Masquerade

  • Replay

  • Modification of messages

  • Denial of service



Conventional Encryption



Conventional Encryption Requirements

  • Even knowing the algorithm and some plaintext/ciphertext pairs, it must be infeasible to determine the key (the security rests on the key, not on keeping the algorithm secret).

  • The key must be shared between sender and receiver in a secure fashion and kept secret.



Encryption Algorithms

  • Data Encryption Standard (DES)

    • Plaintext: 64-bit blocks
    • Key: 56 bits
    • Broken in 1998 by brute-force key search (the EFF DES cracker); no longer acceptable
  • Triple DES

    • DES applied three times (encrypt-decrypt-encrypt) with two or three 56-bit keys; slow, and still limited to 64-bit blocks
  • Advanced Encryption Standard (AES)

    • Plaintext: 128-bit blocks
    • Key: 128, 192 or 256 bits


Location of Encryption Devices



Key Distribution

  • Manual

    • Selected by A, physically delivered to B
    • Selected by C, physically delivered to A and B
  • Automatic

    • The new key is sent encrypted with an old (master) key already shared by A and B
    • Sent through a third party (a key distribution center) with which A and B each have an encrypted link


Message Authentication

  • Authentic message means that:

    • it comes from the alleged source
    • it has not been modified


Message Authentication Approaches

  • Authentication with conventional encryption

  • Authentication without message encryption:



Message Authentication Code

  • Uses a secret key shared by sender and receiver to generate a small fixed-size block of data (the tag) that is appended to the message; the receiver recomputes the tag with the same key and compares



One-way Hash Function

  • Message digest – a “fingerprint” of the message

  • Like a MAC, but computed without a secret key, so anyone (including an attacker) can compute it for any message

  • The message digest must therefore be authenticated separately (sent over a trusted channel, encrypted, or signed)



Secure Hash Requirements

  • H can be applied to input of any size

  • H produces a fixed-length output

  • H(x) is easy to compute for any x

  • Given h, it is infeasible to find x such that H(x) = h (preimage resistance)

  • Given x, it is infeasible to find y ≠ x such that H(y) = H(x) (second-preimage resistance)

  • It is infeasible to find any pair (x, y) with x ≠ y such that H(x) = H(y) (collision resistance)
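The following added example (not part of the original slides) makes the last three slides concrete with Python's standard library: a SHA-256 digest as a fixed-length fingerprint with the avalanche effect, an HMAC-SHA256 tag as a MAC, and the point that an unkeyed digest appended to a message is not authentication, because the attacker who modifies the message can recompute it. The message, the key and the "attacker" edits are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample message (not from the original slides).
MESSAGE = b"TRANSFER 100.00 FROM acct-1001 TO acct-2002"


def sha256_hex(msg: bytes) -> str:
    """Message digest: a fixed-length fingerprint of an input of any size."""
    return hashlib.sha256(msg).hexdigest()


def avalanche_bits(msg: bytes) -> int:
    """Flip one input bit and count how many of the 256 digest bits change.

    A good hash changes about half of them, so digests of similar messages
    give no hint that the messages are related.
    """
    flipped = bytes([msg[0] ^ 0x01]) + msg[1:]
    a = hashlib.sha256(msg).digest()
    b = hashlib.sha256(flipped).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def compute_mac(key: bytes, msg: bytes) -> bytes:
    """MAC: HMAC-SHA256 tag over msg under a key shared by sender and receiver."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_mac(key: bytes, msg: bytes, tag: bytes) -> bool:
    """compare_digest runs in constant time, so the comparison itself leaks
    nothing about how many tag bytes matched."""
    return hmac.compare_digest(compute_mac(key, msg), tag)


def tamper(msg: bytes) -> bytes:
    """Active attack: modification of the message in transit (constructed)."""
    return msg.replace(b"acct-2002", b"acct-6666")


def receiver_accepts_unkeyed(msg: bytes, digest_hex: str) -> bool:
    """Receiver that only checks an appended, unauthenticated digest."""
    return sha256_hex(msg) == digest_hex


def attack_unkeyed_digest() -> bool:
    """Sender transmits (message, SHA-256 digest). The attacker rewrites the
    message and recomputes the digest, which needs no secret.
    Returns True if the receiver accepts the forgery."""
    forged = tamper(MESSAGE)
    return receiver_accepts_unkeyed(forged, sha256_hex(forged))


def attack_keyed_mac(key: bytes) -> bool:
    """Sender transmits (message, HMAC tag). Without the key the attacker can
    only replay the old tag or guess a key. Returns True if either forgery
    is accepted."""
    tag = compute_mac(key, MESSAGE)
    forged = tamper(MESSAGE)
    replayed_tag = verify_mac(key, forged, tag)
    guessed_key_tag = verify_mac(key, forged, compute_mac(b"guess", forged))
    return replayed_tag or guessed_key_tag


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # fresh random shared key for the demo
    print("digest:", sha256_hex(MESSAGE))
    print("digest bits changed by a 1-bit input change:", avalanche_bits(MESSAGE))
    print("forged message with recomputed digest accepted:", attack_unkeyed_digest())
    print("forged message with MAC accepted:", attack_keyed_mac(key))
```

Two practitioner notes: the naive keyed construction `sha256(key + msg)` is not a safe MAC for Merkle–Damgård hashes such as MD5, SHA-1 and SHA-256 (an attacker can extend the message without knowing the key), which is why HMAC exists; and tags must be compared with `hmac.compare_digest`, not `==`, so that a byte-by-byte early exit does not leak how much of a guessed tag was right.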



Secure Hash Functions

  • Message Digest 5 (MD5)

    • 128-bit message digest; practical collisions since 2004, not to be used for security
  • Secure Hash Algorithm 1 (SHA-1)

    • 160-bit message digest; practical collision published in 2017, deprecated for signatures and certificates
  • For new designs use SHA-2 (e.g., SHA-256) or SHA-3


Public-Key Encryption

  • Each user has a pair of keys:

    • public key
    • private key
  • What is encrypted with one, can only be decrypted with the other



Encryption



Authentication



Digital Signature

  • Like public-key authentication, but applied to a fixed-size message digest (SHA-1 in the original slides; SHA-256 or stronger today) instead of the whole message: the signer hashes the message and transforms the digest with the private key; anyone holding the public key recovers the digest and compares it with a fresh hash of the received message



Public-Key Encryption Algorithms

  • RSA (used by PGP)

  • ElGamal (used by GnuPG)



Key Management

  • Public-Key encryption can be used to distribute secret keys for conventional encryption

  • Public-Key authentication:
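The added example below (not part of the original slides) walks through the three public-key slides with textbook RSA in plain Python: encryption with the public key and decryption with the private key, a hash-then-sign digital signature verified with the public key, and distribution of a fresh secret key for conventional encryption wrapped under the recipient's public key. The primes are the publicly known Mersenne primes 2^521-1 and 2^607-1, chosen so the block runs without a prime generator; that choice, the absence of padding, and the sample message are all demonstration assumptions, not how a real implementation works.

```python
import hashlib
import secrets

# Demonstration-only primes: the Mersenne primes 2^521-1 and 2^607-1. They are
# publicly known, so the modulus below is useless as a real key; real keys use
# freshly generated random primes from a vetted library.
P = (1 << 521) - 1
Q = (1 << 607) - 1
E = 65537


def generate_keypair():
    """Textbook RSA: public key (n, e), private key (n, d), with e*d = 1 mod phi(n)."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # modular inverse (Python 3.8+)
    return (n, E), (n, d)


def rsa_apply(key, x: int) -> int:
    """Raise x to the key's exponent mod n. Applying the public key undoes the
    private key and vice versa: the 'encrypted with one, decrypted only with
    the other' property from the slides."""
    n, exp = key
    if not 0 <= x < n:
        raise ValueError("value must be in [0, n)")
    return pow(x, exp, n)


def encrypt(public_key, plaintext: bytes) -> int:
    """Encryption: anyone holding the public key can encrypt for its owner."""
    return rsa_apply(public_key, int.from_bytes(plaintext, "big"))


def decrypt(private_key, ciphertext: int, length: int) -> bytes:
    """Only the private key recovers the plaintext. `length` restores leading
    zero bytes that the integer conversion would otherwise drop."""
    return rsa_apply(private_key, ciphertext).to_bytes(length, "big")


def sign(private_key, message: bytes) -> int:
    """Digital signature: hash the message, then apply the private key to the
    digest (hash-then-sign, as on the Digital Signature slide, with SHA-256)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(private_key, digest)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Authentication: the public key recovers the digest the signer saw,
    which must equal a fresh hash of the received message."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(public_key, signature) == digest


def distribute_session_key(public_key, private_key):
    """Key management: a fresh 256-bit key for conventional encryption, sent
    wrapped under the recipient's public key. Returns (sent, received)."""
    session_key = secrets.token_bytes(32)
    wrapped = encrypt(public_key, session_key)
    return session_key, decrypt(private_key, wrapped, 32)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    msg = b"contract v3: pay 500 on delivery"  # constructed sample message
    sig = sign(priv, msg)
    print("signature verifies:", verify(pub, msg, sig))
    print("verifies after tampering:", verify(pub, msg + b" and 500 more", sig))
    sent, received = distribute_session_key(pub, priv)
    print("session key delivered intact:", sent == received)
```

Textbook RSA as written here is deterministic and malleable (multiplying two ciphertexts gives the encryption of the product), so deployed systems never use it bare: encryption uses OAEP padding and signatures use PSS or PKCS#1 v1.5, both of which a library such as OpenSSL provides. The structure shown, hash first and then apply the private key to a fixed-size value, is what the Digital Signature slide describes.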



IPv4 and IPv6 Security

  • IPsec provides encryption and/or authentication at the network (IP) layer, so it protects all upper-layer traffic without changes to applications

  • IPSec applications:

    • Virtual Private Networking
    • E-commerce


The Scope of IPSec

  • Authentication Header (AH)

    • provides integrity and data-origin authentication, no encryption
  • Encapsulating Security Payload (ESP)

    • provides encryption and, optionally, authentication
  • Key exchange function (IKE)



Security Association

  • One-way (simplex) relationship between a sender and a receiver that specifies the security services applied to the traffic it carries; two-way traffic needs two SAs

  • Uniquely identified by:

    • Security Parameters Index (SPI), carried in the AH/ESP header
    • IP destination address
    • Security protocol identifier (AH or ESP)
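The added example below (not part of the original slides) shows what the receiver does with the two previous slides: it parses the AH or ESP header out of a constructed IPv4 packet, selects the SA by the (SPI, destination address, protocol) triple, and runs the sliding-window anti-replay check on the sequence number that both headers carry. The SA database, the SecurityAssociation class, the ReplayWindow class and the packets are assumptions built for the demonstration; the ESP payload is opaque filler rather than real ciphertext, and in practice this processing happens in the kernel.

```python
import socket
import struct
from dataclasses import dataclass

ESP, AH = 50, 51  # IP protocol numbers of the two IPsec headers
WINDOW = 64       # anti-replay window size, in sequence numbers


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    dst: str
    proto: int
    mode: str    # "transport" or "tunnel"
    algo: str    # assumed algorithm label, informational only


# Constructed Security Association Database (SAD), keyed by the SA triple.
# Same SPI and destination, different protocol: two distinct SAs.
SAD = {
    (0x1000, "10.0.0.2", ESP): SecurityAssociation(0x1000, "10.0.0.2", ESP, "tunnel", "aes-gcm-128"),
    (0x1000, "10.0.0.2", AH): SecurityAssociation(0x1000, "10.0.0.2", AH, "transport", "hmac-sha256-128"),
}


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_esp(spi: int, seq: int, protected: bytes) -> bytes:
    """ESP header: SPI, sequence number, then the encrypted payload (opaque here)."""
    return struct.pack("!II", spi, seq) + protected


def build_ah(spi: int, seq: int, next_header: int, icv: bytes) -> bytes:
    """AH header: next header, payload length (AH length in 32-bit words minus 2),
    reserved, SPI, sequence number, integrity check value."""
    words = (12 + len(icv)) // 4
    return struct.pack("!BBHII", next_header, words - 2, 0, spi, seq) + icv


def parse_ipsec(packet: bytes):
    """Return (spi, dst, proto, seq) from an IPv4 packet carrying AH or ESP."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    dst = socket.inet_ntoa(packet[16:20])
    body = packet[ihl:]
    if proto == ESP:
        spi, seq = struct.unpack("!II", body[:8])
    elif proto == AH:
        _next, _plen, _res, spi, seq = struct.unpack("!BBHII", body[:12])
    else:
        raise ValueError("not an AH or ESP packet")
    return spi, dst, proto, seq


def lookup_sa(packet: bytes):
    """The receiver selects the SA by the triple carried in the packet."""
    spi, dst, proto, _seq = parse_ipsec(packet)
    return SAD.get((spi, dst, proto))


class ReplayWindow:
    """Sliding-window anti-replay check on the AH/ESP sequence number.
    Bit 0 of the bitmap stands for the highest sequence number seen so far."""

    def __init__(self):
        self.highest = 0
        self.bitmap = 0

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                      # sequence number 0 is never valid
        if seq > self.highest:                # new high-water mark: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= WINDOW:
            return False                      # older than the window: drop
        if (self.bitmap >> offset) & 1:
            return False                      # already seen: replay
        self.bitmap |= 1 << offset
        return True


if __name__ == "__main__":
    esp_pkt = build_ipv4("10.0.0.1", "10.0.0.2", ESP, build_esp(0x1000, 7, b"\xaa" * 48))
    ah_pkt = build_ipv4("10.0.0.1", "10.0.0.2", AH, build_ah(0x1000, 7, 6, b"\xbb" * 16))
    print(lookup_sa(esp_pkt))   # the tunnel-mode ESP SA
    print(lookup_sa(ah_pkt))    # same SPI and destination, but the AH SA
    print(lookup_sa(build_ipv4("10.0.0.1", "10.0.0.3", ESP, build_esp(0x1000, 1, b""))))  # None
```

The replay window is why the sequence number is in the clear in both headers: the receiver can reject duplicates and stale packets before spending any work on decryption or ICV verification, which also blunts the denial-of-service variant of a replay attack.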


IPSec Operation Modes

  • Transport mode:

    • protects the upper-layer payload (the TCP/UDP segment); the original IP header is kept and used for routing
    • ESP: encrypts the payload (plus the ESP trailer) and, optionally, authenticates the ESP header and payload; the IP header itself is neither encrypted nor authenticated
    • AH: authenticates the payload and the immutable parts of the IP header


IPSec Operation Modes

  • Tunnel mode:

    • used when one or both ends is a security gateway (router or firewall), so the end hosts need no IPsec support
    • the entire original IP packet, header included, is encrypted (ESP) or authenticated (AH) and encapsulated in a new outer IP packet addressed to the gateway; the inner addresses are hidden, which also limits traffic analysis


Key Management

  • Manual

    • an administrator configures the keys and SAs on each system by hand
    • simpler to configure, but workable only for small, static networks
  • Automated

    • SAs and keys are created on demand, so it scales to large networks
    • more difficult to set up
    • ISAKMP/Oakley, the default automated protocol for IPsec (together known as IKE)


