Business Data Communications, 5e5 Symmetric Encryption • The only form of encryption prior to late 1970s • Five components to the algorithm – Strong encryption algorithm – Secure exchang
Trang 1Chapter 18:
Network Security
Business Data Communications, 5e
Trang 2Types of Security
• Information Security
• Computer Security
• Network Security
Trang 3Business Data Communications, 5e
Trang 4Security Threats
• Passive attacks
– Release of message contents
– Traffic analysis
– Difficult to detect because there is no data alteration
– Emphasis on prevention through encryption
Trang 5Business Data Communications, 5e
5
Symmetric Encryption
• The only form of encryption prior to late 1970s
• Five components to the algorithm
– Strong encryption algorithm
– Secure exchange of keys
Trang 6Conventional Encryption
Operation
Trang 7Business Data Communications, 5e
– Try every possible key on a piece of ciphertext until
an intelligible translation into plaintext is obtained
– On average, half of all possible keys must be tried to achieve success
Trang 8Data Encryption Standard (DES)
• Dominant encryption algorithm after release in
1977
• 56-bit key made it too easy to crack by 1998
• Life of DES extended by use of triple DES
(3DES
– Repeats basic DES algorithm three times, using either two or three unique keys
– Key size of 112 or 168 bits
– Drawbacks: Algorithm is sluggish in software, 64-bit
Trang 9Business Data Communications, 5e
9
Advanced Encryption Standard
Trang 10Location of Encryption Devices
• Link encryption
– Each vulnerable communications link is equipped on both ends with an encryption device
– All traffic over all communications links is secured
– Vulnerable at each switch
• End-to-end encryption
– Encryption process carried out at two end systems
– Encrypted data transmitted unaltered across network; destination shares key with source to decrypt data
– Packet headers cannot be secured
Trang 11Business Data Communications, 5e
11
Symmetric Encryption
Key Distribution
• Both parties must have the secret key
• Key is changed frequently
• Requires either manual delivery of keys, or
a third-party encrypted channel
• Most effective method is a Key
Distribution Center (e.g Kerberos)
Trang 12– Key distribution center
– Security service module (SSM)
Trang 13Business Data Communications, 5e
13
Automated Key Distribution
Trang 14Traffic Padding
• A function that produces ciphertext output
continuously, even in the absence of plaintext
• Continuous random data stream is generated
When plaintext is available, it is encrypted and
transmitted When input plaintext is not present, the random data are encrypted and transmitted
• Makes it impossible for an attacker to distinguish between true data flow and noise and therefore
impossible to deduce the amount of traffic
Trang 15Business Data Communications, 5e
15
Message Authentication
• Must verify that contents have not been
altered and that source is authentic
• Approaches
– Authentication using symmetric encryption
– Authentication without message encryption
– Message authentication code
– One-way hash function
Trang 16Hash Function (H)
Requirements
• Can be applied to a block of data of any size.
• Produces a fixed-length output.
• H(x) is relatively easy to compute for any given x
• For any given code h, it is computationally
infeasible to find x such that H(x) = h.
• For any given block x, it is computationally
infeasible to find y ≠ x with H(y) = H(x).
• It is computationally infeasible to find any pair
(x, y) such that H(x) = H(y).
Trang 17Business Data Communications, 5e
• Misconceptions about public key encryption
– it is more secure from cryptanalysis
– it is a general-purpose technique that has made
conventional encryption obsolete
– it is less cumbersome than conventional encryption
Trang 19Business Data Communications, 5e
19
Public-Key Encryption
Operation
Trang 20Public-Key Signature Operation
Trang 21Business Data Communications, 5e
21
Characteristics of Public-Key
• Computationally infeasible to determine
the decryption key given knowledge of the cryptographic algorithm and the encryption key
• Either of the two related keys can be used for encryption, with the other used for
decryption
Trang 22Steps in Public Key Encryption
• Each user generates a pair of keys to be used for the
encryption and decryption of messages
• Each user places one of the two keys in a public register
or other accessible file This is the public key The
companion key is kept private
• If Bob wishes to send a private message to Alice, Bob
encrypts the message using Alice's public key
• When Alice receives the message, she decrypts it using her private key No other recipient can decrypt the
message because only Alice knows Alice's private key
Trang 23Business Data Communications, 5e
23
Digital Signature Process
Trang 24RSA Encryption Algorithm
• Developed in 1977, first published in 1978
• Widely accepted and implemented approach to
public-key encryption
• For plaintext block M and ciphertext block C
– C = M e mod n
– M = C d mod n = (M e)d mod n = M ed mod n
• Both sender and receiver must know values of n and
e; only receiver knows value of d
• Public key of KU = {e, n}
Trang 25Business Data Communications, 5e
25
RSA Requirements
• It is possible to find values of e, d, n such that Med = M mod n for all M < n.
• It is relatively easy to calculate Me and Cd
for all values of M < n.
• It is infeasible to determine d given e and
n.
– This requirement can be met with large values
of e and n
Trang 26Approaches to Defeating RSA
• Brute force approach: try all possible private keys
– The larger the number of bits in e and d, the more
secure the algorithm
– However, the larger the size of the key, the slower the system will run.
• Cryptanalysis: factoring n into its two prime
factors
– A hard problem, but not as hard as it used to be
– Currently, a 1024-bit key size is considered strong
enough for virtually all applications
Trang 27Business Data Communications, 5e
27
Key Management
• Symmetric encryption requires both parties
to share a secret key
• Secure distribution of keys is the most
difficult problem for symmetric encryption
• Public key encryption solves this problem, but adds the issue of authenticity
• Public key certiciates address this issue
Trang 28Public Key Certificates
Trang 29Business Data Communications, 5e
29
Public Key Certificate Process
1 A public key is generated by the user and
submitted to Agency X for certification.
2 X determines by some procedure, such as a to-face meeting, that this is authentically the user’s public key.
face-3 X appends a timestamp to the public key,
generates the hash code of the result, and encrypts that result with X’s private key forming the
signature.
4 The signature is attached to the public key.
Trang 30Virtual Private Networks (VPNs)
• Internet connectivity provides easier access for
telecommuters and off-site employees
• Use of a public network exposes corporate traffic
to eavesdropping and provides an entry point for unauthorized users
• A variety of encryption and authentication
packages and products are available to secure and authenticate remote access
• Need for a standard that allows a variety of
Trang 31Business Data Communications, 5e
– Secure branch office connectivity over the Internet
– Secure remote access over the Internet
– Establishing extranet and intranet connectivity with
partners
– Enhancing electronic commerce security
Trang 32Benefits of IPSec
• When implemented in a firewall or router,
provides strong security for all traffic crossing
the perimeter
• IPSec in a firewall is resistant to bypass
• Runs below the transport layer (TCP, UDP) and
so is transparent to applications
• Can be transparent to end users
• Can provide security for individual users if
needed
Trang 33Business Data Communications, 5e
33
IPSec Functions
• IPSec provides three main facilities
– authentication-only function referred to as
Authentication Header (AH)
– combined authentication/encryption function called Encapsulating Security Payload (ESP) – a key exchange function
• For VPNs, both authentication and
encryption are generally desired
Trang 34ESP Transport and Tunneling
• Transport Mode
– provides protection
primarily for upper-layer
protocols
– Typically used for
end-to-end communication between
two hosts
– encrypts and optionally
authenticates the IP payload
but not the IP header
– useful for relatively small
networks; for a full-blown
VPN, tunnel mode is far
• Tunnel Mode
– Provides protection to the entire packet
– Original packet is encapsulated in ESP fields, protecting contents from examination
– Used when one or both ends
is a security gateway – Multiple hosts on networks behind firewalls may engage
in secure communications without implementing IPSec
Trang 35Business Data Communications, 5e
35
IPSec Key Management
• Manual
– System administrator manually configures each
system with its own keys and with the keys of other communicating systems
– Practical for small, relatively static environments
• Automated
– Enables the on-demand creation of keys for SAs and facilitates the use of keys in a large distributed system– Most flexible but requires more effort to configure
and requires more software
Trang 36IPSec and VPNs
• Organizations need to isolate their networks and
at the same time send and receive traffic over the Internet
• Authentication and privacy mechanisms of secure
IP allow for security strategy
• IPSec can be implemented in routers or firewalls owned and operated by the organization, allowing the network manager complete control over