CSC358 Intro.

to Computer Networks Review

Lecture 12: Network Security, Exam Prep confidentiality: only sender, intended receiver should
“understand” message contents
Amir H. Chinaei, Winter 2016  sender encrypts message
 receiver decrypts message
[email protected]
http://www.cs.toronto.edu/~ahchinaei/ authentication: sender, receiver want to confirm identity of
each other
Many slides are (inspired/adapted) from the above source message integrity: sender, receiver want to ensure message
© all material copyright; all rights reserved for the authors not altered (in transit, or afterwards) without detection
Office Hours: T 17:00–18:00 R 9:00–10:00 BA4222 access and availability: services must be accessible and
available to users
TA Office Hours: W 16:00-17:00 BA3201 R 10:00-11:00 BA7172
[email protected]
http://www.cs.toronto.edu/~ahchinaei/teaching/2016jan/csc358/
Network Security

Friends and enemies: Alice, Bob, Trudy Who might Bob, Alice be?
 well-known in network security world
 Bob, Alice (lovers!) want to communicate “securely”  … well, real-life Bobs and Alices!
 Trudy (intruder) may intercept, delete, add messages  Web browser/server for electronic transactions
(e.g., on-line purchases)
Alice Bob  on-line banking client/server
channel data, control  DNS servers
messages
 routers exchanging routing table updates
secure
data
sender
secure
receiver
data  other examples?

Trudy
Network Security
Network Security

There are bad guys (and girls) out there! The language of cryptography
Q: What can a “bad guy” do? Alice’s Bob’s
A: A lot! K encryption
A K decryption
key Bkey
 eavesdrop: intercept messages
 actively insert messages into connection plaintext encryption ciphertext decryption plaintext
algorithm algorithm
 impersonation: can fake (spoof) source address in
packet (or any field in packet)
 hijacking: “take over” ongoing connection by
removing sender or receiver, inserting himself in
place m plaintext message
 denial of service: prevent service from being used KA(m) ciphertext, encrypted with key KA
by others (e.g., by overloading resources) m = KB(KA(m))
Network Security Network Security

1
Breaking an encryption scheme Symmetric key cryptography

 cipher-text only attack:  known-plaintext attack: KS

Trudy has ciphertext she Trudy has plaintext KS
can analyze corresponding to ciphertext
 two approaches:  e.g., in monoalphabetic plaintext encryption ciphertext decryption plaintext
 brute force: search cipher, Trudy determines message, m algorithm algorithm
through all keys pairings for a,l,i,c,e,b,o, K
S
(m) m = KS(KS(m))

 statistical analysis  chosen-plaintext attack:

Trudy can get ciphertext for symmetric key crypto: Bob and Alice share same (symmetric)
chosen plaintext key: K S
 e.g., key is knowing substitution pattern in mono alphabetic
substitution cipher
Q: how do Bob and Alice agree on key value?

Network Security Network Security

Simple encryption scheme A more sophisticated encryption approach

 n substitution ciphers, M1,M2,…,Mn
substitution cipher: substituting one thing for another
 monoalphabetic cipher: substitute one letter for another
 cycling pattern:
 e.g., n=4: M1,M3,M4,M3,M2; M1,M3,M4,M3,M2; ..
plaintext: abcdefghijklmnopqrstuvwxyz  for each new plaintext symbol, use subsequent
subsitution pattern in cyclic pattern
ciphertext: mnbvcxzasdfghjklpoiuytrewq  dog: d from M1, o from M3, g from M4

e.g.: Plaintext: bob. i love you. alice

Encryption key: n substitution ciphers, and cyclic
pattern
ciphertext: nkn. s gktc wky. mgsbc
 key need not be just n-bit pattern

Encryption key: mapping from set of 26 letters

to set of 26 letters
Network Security Network Security

Symmetric key crypto: DES Symmetric key

crypto: DES
DES: Data Encryption Standard
 US encryption standard [NIST 1993]
 56-bit symmetric key, 64-bit plaintext input DES operation
 block cipher with cipher block chaining initial permutation
 how secure is DES? 16 identical “rounds” of
 DES Challenge: 56-bit-key-encrypted phrase decrypted function application,
(brute force) in less than a day each using different 48
 no known good analytic attack bits of key
 making DES more secure: final permutation
 3DES: encrypt 3 times with 3 different keys

Network Security Network Security

2
 AES: Advanced Encryption Standard Public Key Cryptography
 symmetric-key NIST standard, replacied DES symmetric key crypto public key crypto
(Nov 2001)  requires sender & receiver  radically different
 processes data in 128 bit blocks know shared secret key
approach [Diffie-
 128, 192, or 256 bit keys  Q: how to agree on key in Hellman76, RSA78]
first place (particularly if
 brute force decryption (try each key) taking 1 sec never “met”)?  Sender & receiver do not
on DES, takes 149 trillion years for AES share secret key
 public encryption key
known to all
 private decryption key
known only to receiver

Network Security
Network Security

Public key cryptography Public key encryption algorithms

K
+ Bob’s public requirements:
B key

K
- Bob’s private
+ . .
1 need KB( ) and K - ( ) such that
B key B
- +
K (K (m)) = m
B B
plaintext encryption ciphertext decryption plaintext 2 given public key K +, it should be
message, m algorithm +
K (m) algorithm message B
B - +
m = KB (K (m)) impossible to compute private
B -
key K
B

RSA: Rivest, Shamir, Adelson algorithm

Network Security Network Security
2-15 2-16

Prerequisite: modular arithmetic RSA: getting ready

 x mod n = remainder of x when divide by n  message: just a bit pattern
 facts:  bit pattern can be uniquely represented by an integer
number
(a+b) mod n = [(a mod n) + (b mod n)] mod n  thus, encrypting a message is equivalent to encrypting a
(a-b) mod n = [(a mod n) - (b mod n)] mod n number.
(a*b) mod n = [(a mod n) * (b mod n)] mod n example:
 thus  m= 10010001 . This message is uniquely represented by
ad mod n = (a mod n)d mod n the decimal number 145.
 to encrypt m, we encrypt the corresponding number,
 example: x=14, n=10, d=2: which gives a new number (the ciphertext).
(x mod n)d mod n = 42 mod 10 = 6
xd = 142 = 196 xd mod 10 = 6
Network Security Network Security
2-17 2-18

3
RSA: Creating public/private key pair RSA: encryption, decryption
1. choose two large prime numbers p, q. 0. given (n,e) and (n,d) as computed above
(e.g., 1024 bits each)
1. to encrypt message m (<n), compute
2. compute n = pq, z = (p-1)(q-1)
c = m e mod n
3. choose e (with e<n) that has no common factors
with z (e, z are “relatively prime”). 2. to decrypt received bit pattern, c, compute
4. choose d such that ed-1 is exactly divisible by z. m = c d mod n
(in other words: ed mod z = 1 ).
magic m = (me mod n) d mod n
5. public key is (n,e). private key is (n,d).
happens!
+ - c
KB KB
Network Security Network Security
2-19 2-20

RSA example: Why does RSA work?

Bob chooses p=5, q=7. Then n=35, z=24.
 must show that cd mod n = m
e=5 (so e, z relatively prime). where c = me mod n
d=29 (so ed-1 exactly divisible by z).
 fact: for any x and y: xy mod n = x(y mod z) mod n
encrypting 8-bit messages.  where n= pq and z = (p-1)(q-1)
 thus,
cd mod n = (me mod n)d mod n
bit pattern m me c = me mod n
encrypt: = med mod n
00001100 12 24832 17 = m(ed mod z) mod n
= m1 mod n
d =m
c c m = cd mod n
decrypt:
17 481968572106750915091411825223071697 12

Network Security Network Security

2-21 2-22

RSA: another important property Why K B(K +B(m))

-
= m = K (K (m)) ?
+ -
B B
The following property will be very useful later:
follows directly from modular arithmetic:
+ - + -
K (K (m)) = m = K (K (m))
B B B B (me mod n)d mod n = med mod n
= mde mod n
use public key first, use private key = (md mod n)e mod n
followed by first, followed by
private key public key

result is the same!

Network Security Network Security
2-23 2-24

4
Why is RSA secure? RSA in practice: session keys
 suppose you know Bob’s public key (n,e). How  exponentiation in RSA is computationally
hard is it to determine d? intensive
 essentially need to find factors of n without  DES is at least 100 times faster than RSA
knowing the two factors p and q  use public key crypto to establish secure
 fact: factoring a big number is hard connection, then establish second key –
symmetric session key – for encrypting data
session key, KS
 Bob and Alice use RSA to exchange a symmetric key KS
 once both have KS, they use symmetric key cryptography

Network Security Network Security

2-25 2-26

Chapter 8 roadmap Authentication

8.1 What is network security? Goal: Bob wants Alice to “prove” her identity to him
8.2 Principles of cryptography
Protocol ap1.0: Alice says “I am Alice”
8.3 Message integrity, authentication
8.4 Securing e-mail
8.5 Securing TCP connections: SSL
8.6 Network layer security: IPsec “I am Alice”
Failure scenario??
8.7 Securing wireless LANs
8.8 Operational security: firewalls and IDS

Network Security Network Security

2-27 2-28

Authentication Authentication: another try

Goal: Bob wants Alice to “prove” her identity to him Protocol ap2.0: Alice says “I am Alice” in an IP packet
containing her source IP address
Protocol ap1.0: Alice says “I am Alice”

Alice’s
IP address “I am Alice”
in a network,
Bob can not “see” Alice, Failure scenario??
so Trudy simply declares
“I am Alice” herself to be Alice

Network Security Network Security

2-29 2-30

5
Authentication: another try Authentication: another try
Protocol ap2.0: Alice says “I am Alice” in an IP packet Protocol ap3.0: Alice says “I am Alice” and sends her
containing her source IP address secret password to “prove” it.

Alice’s Alice’s
“I’m Alice”
IP addr password

Trudy can create Failure scenario??

Alice’s
a packet OK
IP addr

Alice’s
“spoofing”
IP address “I am Alice” Alice’s address

Network Security Network Security

2-31 2-32

Authentication: another try Authentication: yet another try

Protocol ap3.0: Alice says “I am Alice” and sends her Protocol ap3.1: Alice says “I am Alice” and sends her
secret password to “prove” it. encrypted secret password to “prove” it.

Alice’s Alice’s Alice’s encrypted

“I’m Alice” “I’m Alice”
IP addr password IP addr password
playback attack: Trudy
Alice’s records Alice’s packet Alice’s Failure scenario??
OK OK
IP addr and later IP addr
plays it back to Bob

Alice’s Alice’s
“I’m Alice”
IP addr password

Network Security Network Security

2-33 2-34

Authentication: yet another try Authentication: yet another try

Protocol ap3.1: Alice says “I am Alice” and sends her Goal: avoid playback attack
encrypted secret password to “prove” it. nonce: number (R) used only once-in-a-lifetime
ap4.0: to prove Alice “live”, Bob sends Alice nonce, R. Alice
must return R, encrypted with shared secret key

Alice’s encrypted
“I’m Alice”
IP addr password record “I am Alice”
and
Alice’s
OK playback R
IP addr
still works! Alice is live, and
KA-B(R)
only Alice knows
Alice’s encrypted key to encrypt
“I’m Alice”
IP addr password nonce, so it must
Failures, drawbacks? be Alice!
Network Security Network Security
2-35 2-36

6
Authentication: ap5.0 ap5.0: security hole
man (or woman) in the middle attack: Trudy poses as Alice
ap4.0 requires shared symmetric key (to Bob) and as Bob (to Alice)
 can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography I am Alice I am Alice
R -
K (R)
T
“I am Alice” R Send me your public key
Bob computes - +
K (R)
R + - A K
K A(K A(R)) = R T
- Send me your public key
K A (R) K
+
and knows only Alice A +
“send me your public key” could have the private K (m)
Trudy gets T
+ key, that encrypted R - +
KA such that + m = K (K (m))
K (m) T T
+ - - + A sends m to Alice
K (K (R)) = R m = K (K (m)) encrypted with
A A
A A Alice’s public key
Network Security
2-37 Network Security

ap5.0: security hole Digital signatures

man (or woman) in the middle attack: Trudy poses as Alice (to
Bob) and as Bob (to Alice)
cryptographic technique analogous to hand-written
signatures:
 sender (Bob) digitally signs document, establishing
he is document owner/creator.
 verifiable, nonforgeable: recipient (Alice) can prove to
difficult to detect: someone that Bob, and no one else (including Alice),
 Bob receives everything that Alice sends, and vice versa. must have signed document
(e.g., so Bob, Alice can meet one week later and recall
conversation!)
 problem is that Trudy receives all messages as well!

Network Security Network Security

2-39 2-40

Digital signatures Digital signatures

-
 suppose Alice receives msg m, with signature: m, KB(m)
simple digital signature for message m:
 Bob signs m by encrypting with his private key K-B,  Alice verifies m signed by Bob by applying Bob’s public key
+ - + -
creating “signed” message, K-B(m) KB to KB(m) then checks KB(KB(m) ) = m.
+ -
 If KB(KB(m) ) = m, whoever signed m must have used Bob’s
- -
private key.
Bob’s message, m K B Bob’s private m,K B(m)
key
Dear Alice Alice thus verifies that:
Bob’s message,
Oh, how I have missed Public key m, signed  Bob signed m
you. I think of you all the
time! …(blah blah blah) encryption (encrypted) with  no one else signed m
algorithm his private key
Bob  Bob signed m and not m‘
non-repudiation:
-
 Alice can take m, and signature KB(m) to court and
Network Security
prove
Network Security
that Bob signed m
2-41 2-42

7
 Message digests Internet checksum: poor crypto hash function
large H: Hash
message
m
Function Internet checksum has some properties of hash function:
computationally expensive to  produces fixed length digest (16-bit sum) of message
public-key-encrypt long  is many-to-one
messages H(m)
goal: fixed-length, easy- to- Hash function properties: But given message with given hash value, it is easy to find another
compute digital message with same hash value:
“fingerprint”  many-to-1

 apply hash function H to  produces fixed-size msg

message ASCII format message ASCII format
m, get fixed size message digest (fingerprint)
IOU1 49 4F 55 31 IOU9 49 4F 55 39
digest, H(m).  given message digest x,
00.9 30 30 2E 39 00.1 30 30 2E 31
computationally infeasible to 9BOB 39 42 D2 42 9BOB 39 42 D2 42
find m such that x = H(m)
B2 C1 D2 AC different messages B2 C1 D2 AC
but identical checksums!
Network Security Network Security
2-43 2-44

Digital signature = signed message digest

Hash function algorithms
Bob sends digitally signed Alice verifies signature, integrity
message: of digitally signed message:  MD5 hash function widely used (RFC 1321)
large  computes 128-bit message digest in 4-step process.
H: Hash
message
function H(m) encrypted  arbitrary 128-bit string x, appears difficult to construct
m msg digest msg m whose MD5 hash is equal to x
-
Bob’s digital large
KB(H(m))
 SHA-1 is also used
private signature message
Bob’s
 US standard [NIST, FIPS PUB 180-1]
- (encrypt) m digital
key KB public
signature
 160-bit message digest
key +
H: Hash KB (decrypt)
encrypted
msg digest function
-
+ KB(H(m))
H(m) H(m)

equal
? Network Security
Network Security 2-46

Recall: ap5.0 security hole Public-key certification

man (or woman) in the middle attack: Trudy poses as Alice
(to Bob) and as Bob (to Alice)  motivation: Trudy plays pizza prank on Bob
 Trudy creates e-mail order:
I am Alice I am Alice
Dear Pizza Store, Please deliver to me four pepperoni
R
pizzas. Thank you, Bob
-
K (R)
T
 Trudy signs order with her private key
R - Send me your public key  Trudy sends order to Pizza Store
K (R) +
A K
T
 Trudy sends to Pizza Store her public key, but says it’s
Send me your public key
+ Bob’s public key
K
A +  Pizza Store verifies signature; then delivers four
Trudy gets
K (m)
T pepperoni pizzas to Bob
+
- +
m = K (K (m))  Bob doesn’t even like pepperoni
K (m) T T
A sends m to Alice
- +
m = K (K (m)) encrypted with
A A Alice’s public key Network Security
Network Security 2-48

8
Certification authorities Chapter 8 roadmap
 certification authority (CA): binds public key to particular
entity, E. 8.1 What is network security?
 E (person, router) registers its public key with CA. 8.2 Principles of cryptography
 E provides “proof of identity” to CA.
 CA creates certificate binding E to its public key.
8.3 Message integrity, authentication
 certificate containing E’s public key digitally signed by CA – CA says 8.4 Securing e-mail
“this is E’s public key”
8.5 Securing TCP connections: SSL
8.6 Network layer security: IPsec
digital
Bob’s
public signature
+
KB 8.7 Securing wireless LANs
+
key KB (encrypt) 8.8 Operational security: firewalls and IDS
CA
private - certificate for
Bob’s K CA
identifying key Bob’s public key,
information signed by CA
Network Security
Network Security

Secure e-mail Secure e-mail

 Alice wants to send confidential e-mail (secrecy), m, to Bob.  Alice wants to send confidential e-mail (secrecy), m, to Bob.
KS KS

m KS( ) . KS(m ) KS(m )

KS( ). m m KS( ) . KS(m ) KS(m )
KS( ). m

+ Internet
- KS + Internet
- KS

KS KB( )
+ . + +
-
KB( ). KS
+
KB( ) . + +
-
KB( ).
KB(KS ) KB(KS ) KB(KS ) KB(KS )
K+ B K-
B K+B K-
B

Alice: Bob:
 generates random symmetric private key, KS  uses his private key to decrypt and recover K S
 encrypts message with KS (for efficiency)  uses KS to decrypt KS(m) to recover m
 also encrypts KS with Bob’s public key
 sends both KS(m) and KB(KS) to Bob Network Security

Secure e-mail (continued) Secure e-mail (continued)

 Alice wants to provide sender authentication and  Alicewants to provide secrecy, sender authentication,
message integrity and message integrity.
-
KA- K+
A KA
- - -
m .
H( )
-
KA( ). KA(H(m)) KA(H(m)) +
KA( ) . H(m ) m H( ). -
KA( ). KA(H(m))
KS

+ Internet
- compare + KS( ).
m H(.) H(m ) m +
m Internet

KS
+
KB( ). +
 Alice digitally signs message KB(KS )
K+
 sends both message (in the clear) and digital signature B

Alice uses three keys: her private key, Bob’s public key, newly
Network Security
created symmetric key
Network Security

9
Chapter 8 roadmap SSL: Secure Sockets Layer
 widelydeployed security
goals: original
protocol
8.1 What is network security?  supported by almost all  Web e-commerce
8.2 Principles of cryptography browsers, web servers transactions
8.3 Message integrity  https  encryption (especially
 billions $/year over SSL credit-card numbers)
8.4 Securing e-mail  mechanisms: [Woo 1994],  Web-server authentication
8.5 Securing TCP connections: SSL implementation: Netscape  optional client
 variation -TLS: transport layer
8.6 Network layer security: IPsec authentication
security, RFC 2246  minimum hassle in doing
8.7 Securing wireless LANs  provides business with new
8.8 Operational security: firewalls and IDS  confidentiality merchant
 integrity  available to all TCP
 authentication applications
Network Security Network Security
 secure socket interface

SSL and TCP/IP Could do something like PGP:

-
KA
-
Application
m .
H( )
-
KA( ). KA(H(m))
KS
Application
SSL + K (.)
S
TCP
TCP m + Internet
IP IP KS
+
KB( ) . +
KB(KS )
normal application application with SSL +
KB

 SSL provides application programming interface  but want to send byte streams & interactive data
(API) to applications  want set of secret keys for entire connection
 C and Java SSL libraries/classes readily available  want certificate exchange as part of protocol: handshake phase
Network Security Network Security

SSL: a simple secure channel Big Picture: a simple handshake

 handshake: Alice and Bob use their certificates,
private keys to authenticate each other and
exchange shared secret
 key derivation: Alice and Bob use shared secret to
derive set of keys
 data transfer: data to be transferred is broken up
into series of records
MS: master secret
 connection closure: special messages to securely
EMS: encrypted master secret
close connection

Network Security Network Security

10
Big Picture: key derivation Big Picture: data records
 why not encrypt data in constant stream as we write it to
 considered bad to use same key for more than one TCP?
cryptographic operation  where would we put the MAC? If at end, no message integrity
until all data processed.
 use different keys for message authentication code (MAC) and
encryption  e.g., with instant messaging, how can we do integrity check over
all bytes sent before displaying?
 four keys:  instead, break stream in series of records
 Kc = encryption key for data sent from client to server  each record carries a MAC
 Mc = MAC key for data sent from client to server  receiver can act on each record as it arrives
 Ks = encryption key for data sent from server to client  issue: in record, receiver needs to distinguish MAC from
 Ms = MAC key for data sent from server to client data
 want to use variable-length records
 keys derived from key derivation function (KDF)
 takes master secret and (possibly) some additional random data
and creates the keys length data MAC

Network Security Network Security

Big Picture: sequence numbers Big Picture: control information

 problem: attacker can capture and replay record  problem: truncation attack:
or re-order records  attacker forges TCP connection close segment
 solution: put sequence number into MAC:  one or both sides thinks there is less data than there
 MAC = MAC(Mx, sequence||data) actually is.
 note: no sequence number field  solution: record types, with one type for closure
 type 0 for data; type 1 for closure
 problem: attacker could replay all records  MAC = MAC(Mx, sequence||type||data)
 solution: use nonce

length type data MAC

Network Security Network Security

SSL: Big Picture summary

bob.com
Final Exam Prep
encrypted

Network Security

11
 Final exam: questions distribution
Final exam: cover page

 The structure is similar to that of the midterm.

 7 questions for a total of 50 points
 #1 (12 points, 24% of the exam)
 Mostly concepts from Chapters 1, 2, 3, 4, 5, and 8
 #2, #3 (5 points, 10% of the exam, each)
 Detailed questions on Chapters 1 and 2 (pre-midterm)

 #4, #5, #6 (8 points, 16% of the exam, each)

 Detailed questions on Chapters 3, 4, and 5

 #7 (4 points, 8% of the exam)

 Detailed questions on Chapter 8 (8.1-8.5)

Final exam: approach/final answer Final exam: 50% rule, difficulty

 Most questions require to calculate the final answer.  Remember: you are required to earn 50% of
 This is, in fact, good! the final exam or 50% of the weighted
 Relatively simple numbers and calculations are required. average of the midterm and final exam to
 If you end up in complicated calculations, you can conclude that
you are probably in a wrong track. pass the course.
 Example: if a student receives perfect points in all
 Also, a final answer with a missing or wrong assignments and have collected several bonus points,
approach/justification does not receive points. but has not earned at least 50% of the above, he/she will
receive an F in the course.
 Write neatly and concisely, such that you do not lose
points unnecessarily.  The exam is long & difficult for students who are
not prepared; and, it’s fair & doable in ~ an hour
for others.

Final exam: preparation Last but not the least!

 Similar to the midterm;  If you want to do me a favour:
 In addition to preparation for pre-midterm part (refer to ??
Lecture 5);
 Make sure you understand details/concepts of Assignments
3 to 5, Tutorials 5 to 11, reading from the book, and the  Thanks and good luck!
following problems:
 Ch3: even questions from P2-P40, as well as 41, 45, and 53
 Ch4: even questions from P2-P40, as well as 43 and 49
 Ch5: P2, P4, P10, P14, P18, P20, P26, P28, P32, P34 and P36
 Ch8: P1-P12, P15-P18, P20-P22
 Reference is the 5th edition

12