Understanding Network Security Fundamentals

Slide Note
Embed
Share

Network security is crucial in today's digital age as the Internet is used for various activities like banking, shopping, and social interactions. This article covers key aspects of network security such as confidentiality, integrity, authentication, non-repudiation, and availability. It also explores the roles of entities like Alice, Bob, and Trudy in secure communication and common threats like eavesdropping and impersonation.

mckynl
mckynl Follow

Uploaded on Oct 04, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. CS 352 Network Security: Introduction CS 352, Lecture 25.1 http://www.cs.rutgers.edu/~sn624/352 Srinivas Narayana 1

  2. Security and the Network Stack Application FTP HTTP HTTPS SMTP DNS Security: cuts across all parts of the network stack! Transport UDP TCP IP Network 802.3 802.11 ATM Link

  3. Why network security? The Internet is used for all sorts of things Banking and commerce Interconnecting electronic voting machines Interacting with the Government, your employer, school, Shopping online, including essentials like milk or groceries Sometimes, even basic social interactions require the Internet! But malicious people share your network People who want to snoop, pretend, steal Attacks can be passive or active Sit and snoop (e.g., credit card info) Actively target (e.g., phishing)

  4. Some key aspects of network security Confidentiality: only the sender and the intended receiver should understand the message contents Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection Authentication: confirm the identity of communicating parties Non-repudiation: Once someone sends a message, or conducts a transaction, they can t later deny the contents of that message Availability: sender and receiver able to communicate at all

  5. Friends and enemies: Alice, Bob, Trudy Two parties, Bob and Alice, want to communicate securely Often used in network security examples Trudy (intruder) may intercept, delete, add messages data, control messages channel Alice Bob secure sender secure receiver data data Trudy

  6. Who/what might Bob and Alice be? Real humans Web browser/server for electronic transactions e.g., on-line purchases, or online banking DNS clients and servers Routers exchanging routing table updates Two mail clients Many other examples!

  7. What might Trudy do? Eavesdrop: intercept messages Entity in the middle: actively insert messages into connection Impersonation: can fake (spoof) source address in packet (or any field in packet) Hijacking: take over ongoing connection by removing sender or receiver, inserting itself in place Denial of service: prevent service from being used by others (e.g., by overloading resources)

  8. What we will learn in the next lectures Principles of network security Primitives for confidentiality, authentication, integrity, non- repudiation How to apply these principles to secure: An application: e-mail Transport: TLS (Transport Layer Security for TCP)

  9. Network security is a broad area Many exciting topics! Security for apps and transport protocols: e.g., QUIC Security at all layers: Network layer (e.g., IPSec, VPNs); Link layer (e.g., WPA) Security for protocols, e.g., DNSSEC, BGPSEC Operational security: how to secure a network Firewalls, intrusion detection/prevention, data breach security, Covering these and other topics in network & system security would require its own set of courses

  10. CS 352 Cryptography: Introduction CS 352, Lecture 25.2 http://www.cs.rutgers.edu/~sn624/352 Srinivas Narayana 11

  11. Confidentiality Confidentiality: only the sender and the intended receiver should understand the message contents How to achieve this goal? Cryptography Sender encrypts a message, receiver decrypts it. An intermediate observer should just see random bytes!

  12. Terminology of Cryptography Alice s encryption key KA Alice KA(m), ciphertext encryption algorithm m, plaintext Trudy m: plaintext message KA, Alice s encryption key. Secret known only to Alice KA(m) is ciphertext: m encrypted with key KA Encryption transforms the message so that it s jumbled Ideal: want KA(m) to be uncorrelated with m (Trudy can t read the msg)

  13. Terminology of Cryptography Alice s encryption key Bob s decryption key KA KB Alice Bob KB(KA(m)), plaintext KA(m), ciphertext encryption algorithm m, plaintext decryption algorithm Trudy KBis Bob s decryption key, a secret known only to Bob m = KB(c), c decrypted with key KB. KB(c) is plaintext Want Bob to retrieve the same plaintext as the one sent by Alice Want m = KB(KA(m)) Encryption and decryption algorithms are also called ciphers.

  14. Algorithms and Keys Cryptography requires algorithms (for encryption and decryption) and keys (parameters fed to the algorithms) Cryptography practice: algorithms must be publicly known Inspires trust that it works: obvious flaws found sooner Openness fosters innovation: techniques can be improved by everyone On the other hand, keys are secret Keys must be hard to guess, e.g., 128-bit, 256-bit, 1024-bit Analogy: everyone knows how your house lock works, and they use a similar design for their house lock Everyone uses the same lock, so it must be a reliable lock But only you know the combination for your lock

  15. Two kinds of cryptography Alice s encryption key Alice Bob s decryption key KA KB Bob KB(KA(m)), plaintext KA(m), ciphertext encryption algorithm m, plaintext decryption algorithm Trudy KA and KB are the same: symmetric key cryptography Next module KA and KB are different: public key cryptography Next lecture!

  16. CS 352 Symmetric Key Cryptography CS 352, Lecture 25.3 http://www.cs.rutgers.edu/~sn624/352 Srinivas Narayana 18

  17. Symmetric Key Cryptography Alice s encryption key Bob s decryption key KS KS Alice Bob KS(KS(m)), plaintext KS(m), ciphertext encryption algorithm m, plaintext decryption algorithm Alice and Bob use the same (symmetric) key, KS Abuse notation: KS(m) at Alice s side is encryption, KS(c) at Bob s side is decryption m = KS(KS(m)) Techniques of symmetric key crypto: substitution and permutation

  18. Substitution-based ciphers Monoalphabetic cipher: substitute one letter for another Example 1: Caesar cipher. Replace each letter by letter shifted by some number of characters in the alphabet Successor(2): a c, b d, Predecessor(3): a x, b y, c z, d a, Example 2. Generic substitution mapping cipher Easy to guess the key by observing the ciphertext alone. statistically analyze the language. Some letters are more common in plaintext than others, e.g., e and s are more common than k, j, or z plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewq Key: mapping from 26 letters to 26 letters

  19. Substitution-based ciphers Example 3. Polyalphabetic ciphers. Use N monoalphabetic substitution ciphers with a pattern to cycle between them n substitution ciphers, M1,M2, ,Mn Cycling pattern: e.g., n=4: M1,M3,M4,M3,M2; M1,M3,M4,M3,M2; .. For each new plaintext symbol, use subsequent substitution pattern in cyclic pattern Ciphertext for dog : substitute d from M1, o from M3, g from M4 Key: n substitution ciphers, and the cyclic pattern

  20. Substitution-based ciphers Example 4. One-time pad. XOR each bit of the plaintext with one bit of the shared key to generate the ciphertext: ciphertext[i] = message[i] key-bits[i] Key: a truly random bit string, same size as the message, never reused, held secret, and shared ahead of time Polyalphabetic cipher taken to an extreme: moving randomly through randomly-chosen substitution ciphers Statistically very hard to break: All plaintexts are equally likely, since the key is truly random Guessing one part of the plaintext reveals nothing about other parts Claude Shannon: a cipher that achieves perfect secrecy

  21. Permutation-based ciphers Instead of substituting letters in the plaintext, we change their order Key: the new order. Convenient to use a word to induce an order Say the key = ANDREW. Sorted in alphabetical order, this is ADENRW. We need to permute each 6-letter part of the message as follows: 1st letter of plaintext 1st letter of ciphertext 2nd letter of plaintext 4th letter of ciphertext 3rd letter of plaintext 2nd letter of ciphertext, etc. A N D R E W 1 4 2 5 3 6 t h i s i s a m e s s a g e i w o u l d l i k e t o e n c r y p t n o w thisisamessageiwouldliketoencryptnow tiihssaesmsagioewullkdietecdnrytopnw Possible to guess the key by analyzing structure of language and common letters.

  22. Stream and Block Ciphers

  23. Two types of symmetric ciphers Stream ciphers Encrypt one bit at time, possibly with some dependence on prior bits Block ciphers Break plaintext message in equal-size blocks Encrypt each block as a unit, typically independently

  24. Stream Ciphers pseudo random keystream generator Input key keystream Combine each bit of keystream with bit of plaintext to get one bit of ciphertext m(i) = ith bit of message, ks(i) = ith bit of keystream, c(i) = ith bit of ciphertext Encryption: c(i) = ks(i) m(i) ( = XOR) Decryption: m(i) = ks(i) c(i) Very similar to one-time pad, except that the key is generated using a pseudorandom keystream generator This strategy adopted by the RC4 cipher, deployed in early WiFi security standards (WEP and WPA); later deemed insecure

  25. Block ciphers Message to be encrypted is processed in blocks of k bits (e.g., 64-bit blocks). Example block substitution cipher: 1-to-1 mapping is used to map k-bit block of plaintext to k-bit block of ciphertext Example with k=3: input output 000 110 001 111 010 101 011 100 input output 100 011 101 010 110 000 111 001 101 000 111 001 Ciphertext for 0 1 0 1 1 0 0 0 1 1 1 1?

  26. Block ciphers How many possible k-bit block substitution ciphers exist? There are 2k values that are permuted amongst themselves: 2k! k=3-bit inputs: 8! 40,320. Not that many. But huge for k=64. Using a table for substitution is impractical k=64: need 264-entry table; each entry has 64 bits Instead, use a function that simulates a randomly permuted table Some heavily used symmetric ciphers are block-based, e.g., AES

  27. Summary of symmetric key ciphers so far Assume a pre-shared key between two communicating parties Key techniques: substitution and permutation Practical ciphers use a complex combination of the two Data Encryption Standard (DES) Multiple iterations of substitution and permutation using a 56-bit key Advanced Encryption Standard (AES) State of the art for symmetric key encryption. Hardware accelerated A cool animation to understand the steps in AES: https://formaestudio.com/rijndaelinspector/archivos/Rijndael_Animation _v4_eng-html5.html

  28. CS 352 Improving Symmetric Key Crypto CS 352, Lecture 25.4 http://www.cs.rutgers.edu/~sn624/352 Srinivas Narayana 31

  29. Review: Symmetric Key Cryptography Alice s encryption key Bob s decryption key KS KS Alice Bob KS(KS(m)), plaintext KS(m), ciphertext encryption algorithm m, plaintext decryption algorithm Trudy Shared key at both ends, KS Algorithms are typically easy to understand and implement Achieves confidentiality: harder for Trudy to break ciphertext However, fails to provide integrity, authentication, and non- repudiation Requires a pre-shared key between Alice and Bob

  30. Attempting authentication with symmetric key crypto

  31. An example: Login system Bob runs a login server to provide access to protected resources Alice must present a password to login Exchange of password implemented using symmetric key cryptography on top of block ciphers

  32. Simple authentication strategy Login: Alice Password please Bob Alice KS(Alice s password) Trudy Alice s password is encrypted, and hence protected from Trudy Assuming Bob is trusted, Bob can decrypt the password using the shared secret key KS

  33. However, subject to replay attack Login: Alice Password please Bob Alice KS(Alice s password) Trudy Store: KS(Alice s password) Trudy can store the observed ciphertext KS(password), and replay it later to gain access to Bob s server

  34. Preventing replay attacks Key idea: Vary the ciphertext for the same plaintext sent at different times. Make the ciphertext depend on a one-time value, randomly chosen by Bob. e.g., a random number generated by Bob Nonce: a number used once only Alice must combine the password with the nonce before encryption

  35. Challenge-Response with Nonce Login: Alice Password please + Nonce Bob Alice KS(Alice s password, Nonce) Trudy The nonce changes each authentication attempt Trudy cannot reply an earlier ciphertext to produce a valid password The nonce is different, so the expected ciphertext is different Nonces don t have to be confidential

  36. Protecting against general replay attacks

  37. Generally, repeated ciphertext is bad Real network protocols often have repeated plaintext e.g., the same web page content for the login screen e.g., application headers, like HTTP/1.1 GET The problem is more general: not just about repeating passwords! If the same plaintext shows up as the same ciphertext repeatedly, that can be used to break the cipher Example: Block substitution ciphers: finding the mapping for one part of one block means other ciphertext can be reversed to guess plaintext of other blocks, and so on Idea: Can we use nonces for all messages? Yes!

  38. However, nave nonces are inefficient! Suppose nonce is used as follows: Alice performs KS(message nonce) before transmitting If Alice must send N bits of plaintext, Bob must send N bits of nonce Doubles the number of bits exchanged overall! Want to generate nonces automatically & randomly @ Alice, but still have Bob agree on the nonces. How? Cipher block chaining: use the previous ciphertext as a nonce for the next plain text block The first block uses an Initialization Vector (IV): only first nonce is sent explicitly by Bob

  39. Cipher block chaining: encryption @ Alice M1 M2 M3 Plaintext IV Sent by Bob Encrypt Encrypt Encrypt C1 C2 C3 Ciphertext C1 depends on the first nonce, IV, not just the plaintext M1

  40. Agreeing on a shared key

  41. How to agree on a shared secret key? In reality: two parties may meet in person or communicate out of band to exchange shared key Often, communicating parties may never meet in person It s very common not to meet someone you talk to over the Internet Amazon? Your bank? And what if the shared secret is stolen? Must exchange keys securely again! Q: how to exchange keys securely over an insecure network? Next lecture: Public key cryptography

Related


Understanding Security Onion: Network Security Monitoring Tools

Understanding Security Onion: Network Security Monitoring Tools

sadhbh
BCA 601(N): Computer Network Security

BCA 601(N): Computer Network Security

danna
Overview of Computer and Network Security Fundamentals

Overview of Computer and Network Security Fundamentals

menaal
Comprehensive Course Review: Security Research Cornerstones at Carnegie Mellon University

Comprehensive Course Review: Security Research Cornerstones at Carnegie Mellon University

kol_lov
Enhancing Network Security with Software-Defined Snort and OpenFlow

Enhancing Network Security with Software-Defined Snort and OpenFlow

yazleenh
Understanding Network Security Vulnerabilities and Attacks

Understanding Network Security Vulnerabilities and Attacks

leyo_5
Real-Time Data-Driven Network Security Workshop by Joe St. Sauver

Real-Time Data-Driven Network Security Workshop by Joe St. Sauver

liel_1
Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication

Legal Framework on Information Security in the Ministry of Trade, Tourism, and Telecommunication

joso_597
IPv6 Security and Threats Workshop Summary

IPv6 Security and Threats Workshop Summary

lori_4
Network Slicing with OAI 5G CN Workshop Overview

Network Slicing with OAI 5G CN Workshop Overview

justice
Understanding Snort: An Open-Source Network Intrusion Detection System

Understanding Snort: An Open-Source Network Intrusion Detection System

farah
Understanding the Role of Security Champions in Organizations

Understanding the Role of Security Champions in Organizations

irvin
Understanding the Roles of a Security Partner

Understanding the Roles of a Security Partner

zaara
Understanding Intrusion Detection Systems (IDS) and Snort in Network Security

Understanding Intrusion Detection Systems (IDS) and Snort in Network Security

adrol
Progress of Network Architecture Work in FG IMT-2020

Progress of Network Architecture Work in FG IMT-2020

lonan
Enhancing Network Security Using Snort Virtual Network Function with DPI Service

Enhancing Network Security Using Snort Virtual Network Function with DPI Service

aheck
New Pattern Matching Algorithms for Network Security Applications by Liu Yang

New Pattern Matching Algorithms for Network Security Applications by Liu Yang

zahr_450
Network Security Breakout: Science DMZ, BGP, Data Movement, Measurement & Monitoring Tools

Network Security Breakout: Science DMZ, BGP, Data Movement, Measurement & Monitoring Tools

caan946
Understanding Weird Logs in Zeek for Network Security Analysis

Understanding Weird Logs in Zeek for Network Security Analysis

musa
Understanding Network Security Fundamentals in Computer Networks

Understanding Network Security Fundamentals in Computer Networks

kral
Proactive Network Protection Through DNS Security Insights

Proactive Network Protection Through DNS Security Insights

rserv
Elastic Security Virtualization with vNIDS

Elastic Security Virtualization with vNIDS

jfrai
Cyber Threat Detection and Network Security Strategies

Cyber Threat Detection and Network Security Strategies

lilliemae
Understanding LXI Network Security in Industrial Environments

Understanding LXI Network Security in Industrial Environments

renae

More Related Content

Understanding Network Analysis: Whole Networks vs. Ego Networks
Understanding Network Analysis: Whole Networks vs. Ego Networks
Understanding Network Security Fundamentals and Common Web Application Attacks
Understanding Network Security Fundamentals and Common Web Application Attacks
Understanding Transport Layer Security (TLS)
Understanding Transport Layer Security (TLS)
Understanding Security in World Politics
Understanding Security in World Politics
Modeling and Generation of Realistic Network Activity Using Non-Negative Matrix Factorization
Modeling and Generation of Realistic Network Activity Using Non-Negative Matrix Factorization
Network Compression Techniques: Overview and Practical Issues
Network Compression Techniques: Overview and Practical Issues
Transportation Network Modeling and Analysis with C.Coupled SE Platform
Transportation Network Modeling and Analysis with C.Coupled SE Platform
Meridian: An SDN Platform for Cloud Network Services
Meridian: An SDN Platform for Cloud Network Services
Understanding Network Interference in CS590B/690B Lecture
Understanding Network Interference in CS590B/690B Lecture
Comprehensive Overview of Information Security Fundamentals
Comprehensive Overview of Information Security Fundamentals
UIC Security Division Overview and International Activities
UIC Security Division Overview and International Activities
Automating Security Operations Using Phantom
Automating Security Operations Using Phantom
Revolutionizing Network Management with Intent-Based Networking
Revolutionizing Network Management with Intent-Based Networking
Understanding Computer Communication Networks at Anjuman College
Understanding Computer Communication Networks at Anjuman College
Understanding the Tor Network: An In-Depth Overview
Understanding the Tor Network: An In-Depth Overview
Understanding Horizontal and Backbone Cabling in Network Architecture
Understanding Horizontal and Backbone Cabling in Network Architecture
Introduction to PCAP: Understanding Network Analysis for Problem Solving
Introduction to PCAP: Understanding Network Analysis for Problem Solving
Analysis of Network Coordinate Systems and Security Vulnerabilities
Analysis of Network Coordinate Systems and Security Vulnerabilities
Understanding Network Management Processes in Computer Networks
Understanding Network Management Processes in Computer Networks
Proposal for Enhancing Security in RRC Connection Setup Procedure
Proposal for Enhancing Security in RRC Connection Setup Procedure
Introduction to Network Security Course
Introduction to Network Security Course
Understanding Enterprise Network Security and Firewalls
Understanding Enterprise Network Security and Firewalls
Understanding Network Security Fundamentals
Understanding Network Security Fundamentals
Next-Generation Network Security Solutions for Evolving Challenges
Next-Generation Network Security Solutions for Evolving Challenges