Chapter 8. Network Security

Chapter 8 covers network security with a focus on cryptography, detailing various encryption methods such as symmetric-key and public-key algorithms. It discusses the importance of confidentiality, authentication, nonrepudiation, and integrity control in securing networks, along with the historical context and principles of cryptography. Additionally, it addresses digital signatures, message digests, and the management of public keys, emphasizing the need for robust security measures in communication systems.

Uploaded by

Kavita Patil

Chapter 8

Network Security
Cryptography

• Introduction to Cryptography
• Substitution Ciphers
• Transposition Ciphers
• One-Time Pads
• Two Fundamental Cryptographic Principles
Need for Security

Some people who cause security problems and why.


N/W Security Problems
• Network security problems can be divided roughly into
four closely intertwined areas: secrecy, authentication,
nonrepudiation, and integrity control.
• Secrecy, also called confidentiality, has to do with
keeping information out of the grubby little hands of
unauthorized users. This is what usually comes to
mind when people think about network security.
• Authentication deals with determining whom you are
talking to before revealing sensitive information or
entering into a business deal.
• Nonrepudiation deals with signatures: how do you
prove that your customer really placed an electronic
order for ten million left-handed doohickeys at 89
cents each when he later claims the price was 69
cents? Or maybe he claims he never placed any order.
• Finally, integrity control has to do with how you can
be sure that a message you received was really the
• Cryptography comes from the Greek words for ‘‘secret
writing.’’ It has a long and colorful history going back
thousands of years.

• Professionals make a distinction between ciphers and
codes. A cipher is a character-for-character or bit-for-bit
transformation, without regard to the linguistic structure of
the message.

• In contrast, a code replaces one word with another word or
symbol. Codes are not used any more, although they have
a glorious history.
An Introduction to
Cryptography

The encryption model (for a symmetric-key cipher).


Transposition Ciphers

A transposition cipher.
One-Time Pads

The use of a one-time pad for encryption and
the possibility of getting any possible plaintext
from the ciphertext by the use of some other
pad.
Quantum Cryptography

An example of quantum cryptography.


Symmetric-Key Algorithms

• DES – The Data Encryption Standard
• AES – The Advanced Encryption Standard
• Cipher Modes
• Other Ciphers
• Cryptanalysis
Product Ciphers

Basic elements of product ciphers. (a) P-box. (b) S-box. (c) Product.
Data Encryption Standard

The data encryption standard. (a) General outline.
(b) Detail of one iteration. The circled + means exclusive OR.
Triple DES

(a) Triple encryption using DES. (b) Decryption.


AES – The Advanced Encryption Standard

Rules for AES proposals


1. The algorithm must be a symmetric block cipher.
2. The full design must be public.
3. Key lengths of 128, 192, and 256 bits supported.
4. Both software and hardware implementations required.
5. The algorithm must be public or licensed on
nondiscriminatory terms.
AES (2)

An outline of Rijndael.
AES (3)

Creating the state and rk arrays.


Electronic Code Book
Mode

The plaintext of a file encrypted as 16 DES blocks.
Cipher Block Chaining
Mode

Cipher block chaining. (a) Encryption. (b) Decryption.


Cipher Feedback
Mode

(a) Encryption. (b) Decryption.
Stream Cipher Mode

A stream cipher. (a) Encryption. (b) Decryption.


Counter Mode

Encryption using counter mode.


Cryptanalysis

Some common symmetric-key cryptographic algorithms.


Public Key Cryptography
• Historically, distributing the keys has always been the
weakest link in most cryptosystems. No matter how
strong a cryptosystem was, if an intruder could steal the
key, the system was worthless.

• Cryptologists always took for granted that the encryption
key and decryption key were the same.

• But the key had to be distributed to all users of the
system. Thus, it seemed as if there was an inherent
problem. Keys had to be protected from theft, but they
also had to be distributed, so they could not be locked in a
bank vault.
Public Key Cryptography
In 1976, two researchers at Stanford University, Diffie and
Hellman (1976), proposed a radically new kind of
cryptosystem, one in which the encryption and decryption
keys were so different that the decryption key could not
feasibly be derived from the encryption key.

In their proposal, the (keyed) encryption algorithm,
E, and the (keyed) decryption algorithm, D, had to meet
three requirements.
These requirements can be stated simply as follows:
1. D(E(P)) = P.
2. It is exceedingly difficult to deduce D from E.
3. E cannot be broken by a chosen plaintext attack.
• The first requirement says that if we apply D to an
encrypted message, E(P), we get the original plaintext
message, P, back. Without this property, the legitimate
receiver could not decrypt the ciphertext.

• The second requirement speaks for itself.

• The third requirement is needed because, as we shall see in
a moment, intruders may experiment with the algorithm to
their hearts’ content. Under these conditions, there is no
reason that the encryption key cannot be made public.
• The method works like this. A person, say, Alice, who
wants to receive secret messages, first devises two
algorithms meeting the above requirements.

• The encryption algorithm and Alice’s key are then made
public, hence the name public-key cryptography. Alice
might put her public key on her home page on the Web, for
example.

• We will use the notation E_A to mean the encryption
algorithm parameterized by Alice’s public key. Similarly,
the (secret) decryption algorithm parameterized by Alice’s
private key is D_A. Bob does the same thing, publicizing
E_B but keeping D_B secret.
• A note on terminology is perhaps useful here. Public-key
cryptography requires each user to have two keys: a public
key, used by the entire world for encrypting messages to
be sent to that user, and a private key, which the user needs
for decrypting messages.

• We will consistently refer to these keys as the public and
private keys, respectively, and distinguish them from the
secret keys used for conventional symmetric-key
cryptography.
Public-Key Algorithms

• RSA
• Other Public-Key Algorithms
RSA
• One good method was discovered by a group at M.I.T.
(Rivest et al., 1978). It is known by the initials of the three
discoverers (Rivest, Shamir, Adleman): RSA.

• It has survived all attempts to break it for more than 30
years and is considered very strong. Much practical
security is based on it.

• For this reason, Rivest, Shamir, and Adleman were given
the 2002 ACM Turing Award.

• Its major disadvantage is that it requires keys of at least
1024 bits for good security (versus 128 bits for symmetric-
key algorithms), which makes it quite slow.
RSA
The RSA method is based on some principles from number
theory. We will now summarize how to use the method; for
details, consult the paper.
1. Choose two large primes, p and q (typically 1024 bits).
2. Compute n = p × q and z = (p − 1) × (q − 1).
3. Choose a number relatively prime to z and call it d.
4. Find e such that e × d = 1 mod z.
With these parameters computed in advance, we are ready to
begin encryption.
• Divide the plaintext (regarded as a bit string) into blocks, so
that each plaintext message, P, falls in the interval 0 ≤ P < n.

• Do that by grouping the plaintext into blocks of k bits,
where k is the largest integer for which 2^k < n is true.
RSA
• To encrypt a message, P, compute C = P^e (mod n). To
decrypt C, compute P = C^d (mod n).

• It can be proven that for all P in the specified range, the
encryption and decryption functions are inverses. To
perform the encryption, you need e and n.

• To perform the decryption, you need d and n. Therefore,
the public key consists of the pair (e, n) and the private
key consists of (d, n).
• The security of the method is based on the difficulty of
factoring large numbers.

• If the cryptanalyst could factor the (publicly known) n, he
could then find p and q, and from these z. Equipped with
knowledge of z and e, d can be found using Euclid’s
algorithm.

• Fortunately, mathematicians have been trying to factor
large numbers for at least 300 years, and the accumulated
evidence suggests that it is an exceedingly difficult
problem.

• According to Rivest and colleagues, factoring a 500-digit
number would require 10^25 years using brute force.
• An example of how the RSA algorithm works is given in
Fig. 8-17. For this example, we have chosen p = 3 and q =
11, giving n = 33 and z = 20.

• A suitable value for d is d = 7, since 7 and 20 have no
common factors.

• With these choices, e can be found by solving the equation
7e = 1 (mod 20), which yields e = 3.

• The ciphertext, C, corresponding to a plaintext message, P,
is given by C = P^3 (mod 33).

• The ciphertext is decrypted by the receiver by making use
of the rule P = C^7 (mod 33). The figure shows the
encryption of the plaintext ‘‘SUZANNE’’ as an example.
RSA

An example of the RSA algorithm.
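
The steps above, carried through in code with the chapter's values p = 3, q = 11, d = 7. This is an added example, not part of the original slides; the function names and the letter encoding A=1 ... Z=26 are assumptions made here.

```python
# Added example, not from the slides: textbook RSA with the chapter's toy
# parameters. No padding and a tiny modulus, so it is for study only.
from math import gcd


def make_keys(p, q, d):
    """Slide steps 1-4: n = p*q, z = (p-1)*(q-1), then e with e*d = 1 mod z."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must be relatively prime to z")
    e = pow(d, -1, z)  # modular inverse via extended Euclid (Python 3.8+)
    return (e, n), (d, n)  # (public key, private key)


def to_blocks(text):
    """Assumed encoding: A=1 ... Z=26, one letter per plaintext block."""
    return [ord(c) - ord("A") + 1 for c in text]


def from_blocks(blocks):
    """Inverse of to_blocks."""
    return "".join(chr(b - 1 + ord("A")) for b in blocks)


def encrypt(blocks, public_key):
    e, n = public_key
    if any(not 0 <= b < n for b in blocks):
        raise ValueError("every block P must satisfy 0 <= P < n")
    return [pow(b, e, n) for b in blocks]  # C = P^e mod n


def decrypt(blocks, private_key):
    d, n = private_key
    return [pow(c, d, n) for c in blocks]  # P = C^d mod n


def private_key_from_public(public_key):
    """The weakness the slides describe: factor n, rebuild z, invert e."""
    e, n = public_key
    p = next(f for f in range(2, n) if n % f == 0)  # trial division, toy n only
    z = (p - 1) * (n // p - 1)
    return pow(e, -1, z), n


if __name__ == "__main__":
    public, private = make_keys(p=3, q=11, d=7)
    cipher = encrypt(to_blocks("SUZANNE"), public)
    print("public", public, "private", private)
    print("ciphertext blocks", cipher)
    print("decrypted", from_blocks(decrypt(cipher, private)))
    print("private key recovered from (e, n):", private_key_from_public(public))
```

With one letter per block, equal plaintext letters give equal ciphertext blocks (both N's encrypt to the same value), so at this size the scheme is only a monoalphabetic substitution.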


Digital Signatures

• Symmetric-Key Signatures
• Public-Key Signatures
• Message Digests
• The Birthday Attack
Digital Signature
• The authenticity of many legal, financial, and other documents is
determined by the presence or absence of an authorized handwritten
signature.
• And photocopies do not count. For computerized message systems to
replace the physical transport of paper-and-ink documents, a method
must be found to allow documents to be signed in an unforgeable
way.
• The problem of devising a replacement for handwritten signatures is
a difficult one. Basically, what is needed is a system by which one
party can send a signed message to another party in such a way that
the following conditions hold:

1. The receiver can verify the claimed identity of the sender.
2. The sender cannot later repudiate the contents of the message.
• The first requirement is needed, for example, in financial systems.
When a customer’s computer orders a bank’s computer to buy a ton
of gold, the bank’s computer needs to be able to make sure that the
computer giving the order really belongs to the customer whose
account is to be debited. In other words, the bank has to authenticate
the customer (and the customer has to authenticate the bank).

• The second requirement is needed to protect the bank against fraud.
Suppose that the bank buys the ton of gold, and immediately
thereafter the price of gold drops sharply. A dishonest customer might
then proceed to sue the bank, claiming that he never issued any order
to buy gold. When the bank produces the message in court, the
customer may deny having sent it. The property that no party to a
contract can later deny having signed it is called nonrepudiation. The
digital signature schemes that we will now study help provide it.
The third requirement is needed to protect the customer in the
event that the price of gold shoots up and the bank tries to
construct a signed message in which the customer asked for
one bar of gold instead of one ton. In this fraud scenario,
the bank just keeps the rest of the gold for itself.
Symmetric-Key Signatures

Digital signatures with Big Brother.


• One approach to digital signatures is to have a central authority that
knows everything and whom everyone trusts, say, Big Brother (BB).
Each user then chooses a secret key and carries it by hand to BB’s
office. Thus, only Alice and BB know Alice’s secret key, K_A, and so
on.
• When Alice wants to send a signed plaintext message, P, to her
banker, Bob, she generates K_A(B, R_A, t, P), where B is Bob’s
identity, R_A is a random number chosen by Alice, t is a timestamp to
ensure freshness, and K_A(B, R_A, t, P) is the message encrypted with
her key, K_A.

• Then she sends it as depicted in Fig. 8-18.

• BB sees that the message is from Alice, decrypts it, and sends a
message to Bob as shown. The message to Bob contains the plaintext
of Alice’s message and also the signed message K_BB(A, t, P). Bob
now carries out Alice’s request.
One potential problem with the signature protocol of Fig. 8-18 is Trudy
replaying either message. To minimize this problem, timestamps are
used throughout.

Furthermore, Bob can check all recent messages to see if R_A was used
in any of them. If so, the message is discarded as a replay. Note that
based on the timestamp, Bob will reject very old messages. To guard
against instant replay attacks, Bob just checks the R_A of every incoming
message to see if such a message has been received from Alice in the
past hour. If not, Bob can safely assume this is a new request.
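
Bob's two checks (timestamp age, then the random number seen within the past hour) written out as an added example that is not part of the original slides. The class name, the return labels and the sample messages are assumptions made here, and each message is assumed to be already decrypted and verified as coming from BB.

```python
# Added example, not from the slides: the receiver-side replay check.
WINDOW_SECONDS = 3600  # "the past hour" from the text


class ReplayGuard:
    """Remembers (sender, random number) pairs for one freshness window."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self._seen = {}  # (sender, nonce) -> timestamp carried in the message

    def check(self, sender, nonce, timestamp, now):
        """Return 'accept', 'stale' or 'replay' for one verified message."""
        cutoff = now - self.window
        # Entries older than the window can be forgotten: a replay of them
        # fails the timestamp test below, so the cache stays bounded.
        self._seen = {k: t for k, t in self._seen.items() if t >= cutoff}
        if timestamp < cutoff:
            return "stale"    # very old message, rejected on the timestamp
        if (sender, nonce) in self._seen:
            return "replay"   # same random number seen within the window
        self._seen[(sender, nonce)] = timestamp
        return "accept"


# Constructed sample traffic: (arrival time, sender, random number, timestamp t)
SAMPLE = [
    (1000, "alice", 0x51A7, 995),   # first delivery
    (1002, "alice", 0x51A7, 995),   # instant replay of the same message
    (1500, "alice", 0x9C02, 1490),  # a new request
    (5000, "alice", 0x51A7, 995),   # replay after the cache entry expired
    (5050, "alice", 0x9C02, 1490),  # replay still inside the window
]


def classify(messages, guard=None):
    """Run every message through one guard and collect the verdicts."""
    guard = guard or ReplayGuard()
    return [guard.check(s, r, t, now) for now, s, r, t in messages]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE, classify(SAMPLE)):
        print(msg, "->", verdict)
```

The fourth message shows why both checks are needed: its random number has already left the cache, and only the timestamp test stops it.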
Public-Key Signatures

Digital signatures using public-key cryptography.


• Although using public-key cryptography for digital signatures is an
elegant scheme, there are problems that are related to the
environment in which they operate rather than to the basic algorithm.

• For one thing, Bob can prove that a message was sent by Alice only
as long as D_A remains secret. If Alice discloses her secret key, the
argument no longer holds, because anyone could have sent the
message, including Bob himself.

• The problem might arise, for example, if Bob is Alice’s stockbroker.
Suppose that Alice tells Bob to buy a certain stock or bond.
Immediately thereafter, the price drops sharply.

• Another problem with the signature scheme is what happens if Alice
decides to change her key.
Message Digests
One criticism of signature methods is that they often couple two distinct
functions: authentication and secrecy. Often, authentication is needed
but secrecy is not always needed. Also, getting an export license is often
easier if the system in question provides only authentication but not
secrecy. Below we will describe an authentication scheme that does not
require encrypting the entire message.
This scheme is based on the idea of a one-way hash function that takes
an arbitrarily long piece of plaintext and from it computes a fixed-length
bit string.
This hash function, MD, often called a message digest, has four
important properties:
1. Given P, it is easy to compute MD(P).
2. Given MD(P), it is effectively impossible to find P.
3. Given P, no one can find P′ such that MD(P′) = MD(P).
4. A change to the input of even 1 bit produces a very different output.
Message Digests

Digital signatures using message digests.


SHA-1

Use of SHA-1 and RSA for signing nonsecret messages.


SHA-1 (2)

(a) A message padded out to a multiple of 512 bits.
(b) The output variables. (c) The word
Management of Public Keys

• Certificates
• X.509
• Public Key Infrastructures
Problems with Public-Key Encryption

A way for Trudy to subvert public-key encryption.


Certificates

A possible certificate and its signed hash.
X.509

The basic fields of an X.509 certificate.


Public-Key Infrastructures

(a) A hierarchical PKI. (b) A chain of certificates.
Communication Security

• IPsec
• Firewalls
• Virtual Private Networks
• Wireless Security
IPsec

The IPsec authentication header in transport mode for IPv4.
IPsec (2)

(a) ESP in transport mode. (b) ESP in tunnel mode.


Firewalls

A firewall consisting of two packet filters and an application gateway.


Virtual Private Networks

(a) A leased-line private network. (b) A virtual private network.
802.11 Security

Packet encryption using WEP.


Authentication Protocols

• Authentication Based on a Shared Secret Key
• Establishing a Shared Key: Diffie-Hellman
• Authentication Using a Key Distribution Center
• Authentication Using Kerberos
• Authentication Using Public-Key Cryptography
Authentication Based on a Shared Secret Key

Two-way authentication using a challenge-response protocol.


Authentication Based on a Shared Secret Key
(2)

A shortened two-way authentication protocol.


Authentication Based on a Shared Secret Key
(3)

The reflection attack.


Authentication Based on a Shared Secret Key
(4)

A reflection attack on the protocol of Fig. 8-32.
Authentication Based on a Shared Secret Key
(5)

Authentication using HMACs.


Establishing a Shared Key:
The Diffie-Hellman Key Exchange

The Diffie-Hellman key exchange.


Establishing a Shared Key:
The Diffie-Hellman Key Exchange

The bucket brigade or man-in-the-middle attack.


Authentication Using a Key Distribution Center

A first attempt at an authentication protocol using a KDC.
Authentication Using a Key Distribution Center
(2)

The Needham-Schroeder authentication protocol.


Authentication Using a Key Distribution Center
(3)

The Otway-Rees authentication protocol (slightly simplified).
Authentication Using
Kerberos

The operation of Kerberos V4.


Authentication Using Public-Key Cryptography

Mutual authentication using public-key cryptography.


E-Mail Security

• PGP – Pretty Good Privacy
• PEM – Privacy Enhanced Mail
• S/MIME
PGP – Pretty Good Privacy

PGP in operation for sending a message.


PGP – Pretty Good Privacy (2)

A PGP message.
Web Security

• Threats
• Secure Naming
• SSL – The Secure Sockets Layer
• Mobile Code Security
Secure Naming

(a) Normal situation. (b) An attack based on breaking
into DNS and modifying Bob's record.
Secure Naming (2)

How Trudy spoofs Alice's ISP.


Secure DNS

An example RRSet for bob.com. The KEY record is Bob's
public key. The SIG record is the top-level com server's
signed hash of the A and KEY records to verify their
authenticity.
Self-Certifying Names

A self-certifying URL containing a hash of server's
name and public key.
SSL—The Secure Sockets Layer

Layers (and protocols) for a home user browsing with SSL.


SSL (2)

A simplified version of the SSL connection establishment subprotocol.


SSL (3)

Data transmission using SSL.


Java Applet Security

Applets inserted into a Java Virtual Machine
interpreter inside the browser.
Social Issues

• Privacy
• Freedom of Speech
• Copyright
Anonymous Remailers

Users who wish anonymity chain requests through
multiple anonymous remailers.
Freedom of Speech

Possibly banned material:


1. Material inappropriate for children or teenagers.
2. Hate aimed at various ethnic, religious, sexual, or other
groups.
3. Information about democracy and democratic values.
4. Accounts of historical events contradicting the
government's version.
5. Manuals for picking locks, building weapons, encrypting
messages, etc.
Steganography

(a) Three zebras and a tree. (b) Three zebras, a tree, and the
complete text of five plays by William Shakespeare.
