Slide 1
Er. Anamika Sharma
Network Security

Slide 2
Security is a state of well-being of information and infrastructures in which the possibility of successful yet undetected theft, tampering, and disruption of information and services is kept low or tolerable.
Definition of Security

Slide 3
Security Attacks

Slide 4
Passive attacks involve eavesdropping on or monitoring transmissions. The goal of the opponent is to obtain the information that is being transmitted. Two types:
The release of message contents
Traffic analysis
Passive attacks

Slide 5
Release of Message Content

Slide 6
Traffic Analysis

Slide 7
Active attacks involve some modification of the data stream or the creation of a false stream, and are divided into four categories:
Masquerade of one entity as some other
Replay of previous messages
Modification of messages in transit
Denial of service
Active attacks

Slide 8
Masquerade

Slide 9
Replay

Slide 10
Modification of Messages

Slide 11
Denial of Service

Slide 12
Financial institutions and banks
Internet service providers
Government and defense agencies
Contractors to various government agencies
Multinational corporations
ANYONE ON THE NETWORK
Who is vulnerable?

Slide 13
ITU-T X.800, Security Architecture for OSI
Defines a systematic way of defining and providing security requirements.
For us it provides a useful, if abstract, overview of the concepts of security services.
OSI Security Architecture

Slide 14
Security Attack: Any action that compromises the security of information owned by an organization.
Security Mechanism: A process that is designed to detect, prevent, or recover from a security attack.
Security Service: A processing or communication service that enhances the security of the data processing systems and information transfers of an organization. Security services are intended to counter security attacks.
X.800 defines security services in five major categories.
OSI focuses on:

Slide 15
Security Services (X.800)

Slide 16
Data Integrity
Assurance that the data that arrives is the same as when it was sent.

Slide 17
Contd…

Slide 18
Authentication
The process of verifying the identity of a user.
Authentication procedures:
Two-Party Authentication
One-Way Authentication
Two-Way Authentication
Third-Party Authentication

Slides 19 to 21
Authentication using MAC

Slide 22
Access Control
The process of enforcing access rights; it is based on the following three entities:
Subject: an entity that can access an object.
Object: an entity to which access can be controlled.
Access right: defines the ways in which a subject can access an object.

Slide 23
Confidentiality
Assurance that sensitive information is not visible to an eavesdropper.
So it involves the protection of transmitted data from passive attacks.
This is usually achieved using encryption.
Includes cryptography.

Slide 24
Message confidentiality using a symmetric key in two directions

Slide 25
Non-repudiation
Provides protection against denial, by one of the entities involved in a communication, of having participated in all or part of the communication.
Nonrepudiation, Origin: Proof that the message was sent by the specified party.
Nonrepudiation, Destination: Proof that the message was received by the specified party.

Slide 26
Model for Network Security

Slide 27
Using this model requires us to:
Design a suitable algorithm for the security transformation
Generate the secret information (keys) used by the algorithm
Develop methods to distribute and share the secret information
Specify a protocol enabling the principals to use the transformation and secret information for a security service
Model for Network Security

Slide 28
Model for Network Access Security

Slide 29
Using this model requires us to:
Select appropriate gatekeeper functions to identify users
Implement security controls to ensure only authorised users access the designated information or resources
Trusted computer systems can be used to implement this model.
Model for Network Access Security

Slide 30
Secret writing: the science and art of transforming messages to make them secure and immune to attacks.
Cryptography

Slide 31
Cryptography Components

Slide 32
Cryptography Components
Decryption algorithm: it transforms the ciphertext back into plaintext.

Slide 33
Cryptography Components
To create a ciphertext, or to encrypt a message, we need an encryption algorithm, an encryption key, and the plaintext.

Slide 34
Plaintext – A message in its natural format, readable by an attacker.
Ciphertext – A message altered to be unreadable by anyone except the intended recipients.
Key – A sequence that controls the operation and behavior of the cryptographic algorithm.
Keyspace – The total number of possible values of the key in a crypto algorithm.
Encryption – The process of changing or converting normal text or data into ciphertext.
Basic Terminology

Slide 35
Basic Terminology
Decryption – The process of changing or converting ciphertext back to the correct message or data by reversing the encryption method.
Cryptography: The process of designing systems to realize secure communications over non-secure channels.
Cryptanalysis: The discipline of breaking cryptographic systems.
Coding Theory: Deals with representing information using codes. It covers compression, secrecy, and error correction.
Cryptosystem: The combination of algorithm, key, and key management functions used to perform cryptographic operations.

Slide 36
Categories of Cryptography

Slide 37
Three Types of Keys

Slide 38
Symmetric Key Cryptography
The same key is used by both parties.
To encrypt data, the sender uses this key and an encryption algorithm.
To decrypt data, the receiver uses the same key and a decryption algorithm.
The key is shared.

Slide 39
Symmetric Key Cryptography

Slide 40
Symmetric Pros and Cons
Strength:
Simple and very fast (on the order of 1000 to 10000 times faster than asymmetric mechanisms)
Weakness:
Must agree on the key beforehand
Must securely pass the key to the other party

Slide 41
There are two keys: a private key and a public key. The public key is announced to the public.
The private key is kept by the receiver.
Asymmetric Key Cryptography

Slide 42
Asymmetric Key Cryptography

Slide 43
Started thousands of years ago, when there was a need to exchange secrets. We still mainly use SKC in our network security. Two types of algorithms:
Traditional algorithms: character-oriented
Modern algorithms: bit-oriented
Symmetric Key Cryptography

Slide 44
Traditional Ciphers
Character-oriented, obsolete.
The goal is to show how modern ciphers evolved.
Symmetric Key Cryptography

Slide 45
Traditional Symmetric Key Cryptography

Slide 46
A substitution cipher (SC) substitutes one symbol with another. If the symbols in the plaintext are alphabetic characters, we can replace one character with another.
SCs can be categorized as monoalphabetic or polyalphabetic.
Substitution Ciphers

Slide 47
A character (a symbol) in the plaintext is always changed to the same character in the ciphertext, regardless of its position in the text.
Example: Plaintext: HELLO; Ciphertext: KHOOR
The relationship between characters in the plaintext and the ciphertext is a one-to-one relationship.
Monoalphabetic Cipher

Slide 48
Each occurrence of a character can have a different substitute. The relationship between characters in the plaintext and the ciphertext is a one-to-many relationship.
Ex.: Character A could be changed to D at the beginning of the text, but it could be changed to N in the middle. If the relationship between characters in the plaintext and the ciphertext is one-to-many, we need to divide the text into groups of characters and use a set of keys.
Ex.: We can divide the text "IAMANINDIANGIRL" into groups of 3 characters and then apply the encryption using a set of 3 keys, then repeat the procedure for the next 3 characters.
Polyalphabetic Cipher

Slide 49
The simplest monoalphabetic cipher. We assume that the plaintext and ciphertext consist of uppercase letters (A to Z) only.
The encryption algorithm is "shift key characters down," with the key equal to some number. The decryption algorithm is "shift key characters up," with the key equal to the same number.
Ex.: If the key is 5, the encryption algorithm is "shift 5 characters down" (towards the end of the alphabet), and the decryption algorithm is "shift 5 characters up" (towards the beginning of the alphabet).
The shift cipher is sometimes referred to as the Caesar cipher.
Shift Cipher

Slide 50
Use the shift cipher with key = 15 to encrypt the message "HELLOMYFRIEND".
Use the shift cipher with key = 15 to decrypt the message "WTAAD".
Question

Slide 51
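A worked answer to the question above, as an added example that is not part of the original slides: the shift cipher over uppercase letters, plus a check of the one-to-one property the monoalphabetic slide describes.

```python
# Added example, not from the slides: shift (Caesar) cipher over A-Z.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _check(text: str) -> None:
    # The slides assume uppercase letters only; anything else is rejected here.
    bad = [c for c in text if c not in ALPHABET]
    if bad:
        raise ValueError(f"only A-Z allowed, got {bad!r}")


def shift_encrypt(plaintext: str, key: int) -> str:
    """Shift every letter `key` places down the alphabet (towards Z), wrapping Z to A."""
    _check(plaintext)
    return "".join(ALPHABET[(ALPHABET.index(c) + key) % 26] for c in plaintext)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Shift every letter `key` places up the alphabet (towards A), wrapping A to Z."""
    _check(ciphertext)
    return "".join(ALPHABET[(ALPHABET.index(c) - key) % 26] for c in ciphertext)


def is_monoalphabetic(plaintext: str, ciphertext: str) -> bool:
    """True when each plaintext letter always maps to one ciphertext letter, whatever its position."""
    mapping = {}
    for p, c in zip(plaintext, ciphertext):
        if mapping.setdefault(p, c) != c:
            return False                      # same letter, different substitute
    return len(set(mapping.values())) == len(mapping)   # and no two letters collide


if __name__ == "__main__":
    print(shift_encrypt("HELLOMYFRIEND", 15))   # WTAADBNUGXTCS
    print(shift_decrypt("WTAAD", 15))           # HELLO
    print(shift_encrypt("HELLO", 3))            # KHOOR, the slides' own example
```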
No substitution of characters; their locations change. A character in the first position of the plaintext may appear in the tenth position of the ciphertext. A character in the eighth position of the plaintext may appear in the first position of the ciphertext.
A transposition cipher reorders symbols in a block of symbols.
Key: It is a mapping between the positions of symbols in the plaintext and the ciphertext.
Ex.: Plaintext: 2 4 1 3
Ciphertext: 1 2 3 4
NOTE: To be more effective, the key should be long.
Transposition Ciphers

Slide 52
Transposition Ciphers
The figure shows encryption and decryption for our 4-character block using the same key.
Encryption applies it downward, while decryption applies it upward.

Slides 53 to 54
Question
Encrypt "INTERNET EXPLORER" using a transposition cipher with key:
Plaintext: 3 5 2 1 4
Ciphertext: 1 2 3 4 5

Slide 55
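The block transposition cipher from the slides above, as an added example that is not part of the original deck. The key is written the way the slides draw it (top row = plaintext positions, bottom row = ciphertext positions 1..n); dropping spaces and padding the last block with "Z" are assumptions, since the slides do not say how a short last block is handled.

```python
# Added example, not from the slides: block transposition cipher keyed by a
# position mapping, applied downward to encrypt and upward to decrypt.
from __future__ import annotations
import math


def _check_key(key: list[int]) -> None:
    # A valid key is a permutation of 1..n; anything else loses or duplicates symbols.
    if sorted(key) != list(range(1, len(key) + 1)):
        raise ValueError(f"key must be a permutation of 1..{len(key)}: {key}")


def transposition_encrypt(plaintext: str, key: list[int], pad: str = "Z") -> str:
    """Ciphertext position j+1 receives the plaintext symbol at position key[j]."""
    _check_key(key)
    n = len(key)
    text = plaintext.replace(" ", "").upper()   # assumption: spaces are not encrypted
    if len(text) % n:
        text += pad * (n - len(text) % n)       # assumption: pad the short last block
    blocks = (text[i:i + n] for i in range(0, len(text), n))
    return "".join("".join(block[p - 1] for p in key) for block in blocks)


def transposition_decrypt(ciphertext: str, key: list[int]) -> str:
    """Apply the key upward: ciphertext position j+1 goes back to plaintext position key[j]."""
    _check_key(key)
    n = len(key)
    if len(ciphertext) % n:
        raise ValueError("ciphertext length must be a multiple of the block size")
    out = []
    for i in range(0, len(ciphertext), n):
        block = ciphertext[i:i + n]
        plain = [""] * n
        for j, p in enumerate(key):
            plain[p - 1] = block[j]
        out.append("".join(plain))
    return "".join(out)


def keyspace_size(block_len: int) -> int:
    """Distinct keys for a block of `block_len` symbols: n!, which is why a longer key is stronger."""
    return math.factorial(block_len)


if __name__ == "__main__":
    print(transposition_encrypt("HELL", [2, 4, 1, 3]))                 # ELHL
    print(transposition_encrypt("INTERNET EXPLORER", [3, 5, 2, 1, 4]))
```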
With the advent of the computer, ciphers needed to be bit-oriented, because the information to be encrypted is not just text; it can also consist of numbers, graphics, audio and video data.
It is convenient to convert these types of data into a stream of bits, encrypt the stream, and then send the encrypted stream. When text is treated at the bit level, each character is replaced by 8 (or 16) bits, which means a symbol becomes 8 (16) bits.
Simple Modern Ciphers

Slide 56
Mingling and mangling bits provides more security than mingling and mangling characters. Modern ciphers use a different strategy than the traditional ones: a combination of simple ciphers.
Simple Modern Ciphers

Slide 57
It is so called because it uses the exclusive-or operation as defined in computer science. An X-OR operation needs two data inputs: the plaintext as the first and the key as the second.
Note: In an X-OR cipher, the sizes of the key, the plaintext, and the ciphertext are all the same.
X-OR ciphers have a very interesting property: the encryption and decryption are the same.
X-OR Cipher

Slide 58
Simple Modern Ciphers
X-OR Cipher

Slide 59
The input bits are rotated to the left or right.
The rotation cipher can be keyed or keyless. In keyed rotation, the value of the key defines the number of rotations; in keyless rotation the number of rotations is fixed.
It is a special case of the transposition cipher using bits instead of characters.
Rotation Cipher

Slide 60
The rotation cipher has an interesting property. If the length of the original stream is N, after N rotations we get the original input stream.
The number of rotations must be between 1 and N-1.
If we use a right rotation in encryption, we use a left rotation in decryption, and vice versa.
Simple Modern Ciphers
Rotation Cipher

Slide 61
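The X-OR cipher and the rotation cipher from the slides above on bit strings, as an added example that is not part of the original deck; the bit strings and the default rotation count are constructed.

```python
# Added example, not from the slides: the two simple bit-level ciphers on
# bit strings such as "10110000".


def xor_cipher(bits: str, key: str) -> str:
    """X-OR cipher: output bit is 1 where text and key bits differ. Self-inverse."""
    if len(bits) != len(key):
        # The slides' note: key, plaintext and ciphertext must all be the same size.
        raise ValueError("X-OR cipher needs a key as long as the text")
    return "".join("1" if a != b else "0" for a, b in zip(bits, key))


def rotate(bits: str, count: int, direction: str) -> str:
    """Rotate the bit string `count` positions right or left (a bit-level transposition)."""
    n = len(bits)
    if not 1 <= count <= n - 1:
        raise ValueError(f"rotation count must be between 1 and {n - 1}")
    if direction == "right":
        return bits[-count:] + bits[:-count]
    if direction == "left":
        return bits[count:] + bits[:count]
    raise ValueError("direction must be 'right' or 'left'")


def rotation_encrypt(bits: str, key: int = 3) -> str:
    """Keyed rotation: the key is the number of right rotations (keyless = fixed default)."""
    return rotate(bits, key, "right")


def rotation_decrypt(bits: str, key: int = 3) -> str:
    """Decryption rotates the same number of positions in the opposite direction."""
    return rotate(bits, key, "left")


def back_to_original_after_n(bits: str) -> bool:
    """The slides' property: N single-position rotations of an N-bit stream give the stream back."""
    current = bits
    for _ in range(len(bits)):
        current = rotate(current, 1, "right")
    return current == bits


if __name__ == "__main__":
    print(xor_cipher("10110000", "01010101"))    # 11100101
    print(rotation_encrypt("10110000", 3))       # 00010110
```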
It parallels the traditional substitution cipher for characters. The input to an S-box is a stream of bits with length N; the result is another stream of bits with length M (N ≠ M in general).
It is normally keyless and is used as an intermediate stage of encryption or decryption.
Substitution Cipher: S-box

Slide 62
It parallels the traditional transposition cipher for characters. It performs a transposition at the bit level; it transposes bits.
It can be implemented in software or hardware, but hardware is faster. It is normally keyless.
Three types of permutations in P-boxes:
The straight permutation,
expansion permutation, and
compression permutation.
Transposition Cipher: P-box

Slide 63
A straight P-box has the same number of inputs as outputs. In an expansion permutation cipher, the number of output ports is greater than the number of input ports.
In a compression permutation cipher, the number of output ports is less than the number of input ports.
Rotation Cipher
Transposition Cipher: P-box

Slide 64
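The three P-box types and a keyless S-box from the slides above, as an added example that is not part of the original deck. The tables are constructed for illustration (DES uses the same 1-based table convention with its own tables).

```python
# Added example, not from the slides: keyless P-boxes (straight, expansion,
# compression) and a keyless S-box on bit strings.
from __future__ import annotations


def p_box(bits: str, table: list[int]) -> str:
    """Output bit j is input bit table[j] (1-based). len(table) is the number of outputs."""
    if any(not 1 <= i <= len(bits) for i in table):
        raise ValueError("table refers to an input bit that does not exist")
    return "".join(bits[i - 1] for i in table)


# 8 inputs -> 8 outputs: every input used exactly once (a permutation).
STRAIGHT = [2, 4, 6, 8, 1, 3, 5, 7]
# 8 inputs -> 12 outputs: some inputs appear twice, as in DES's 32-to-48-bit expansion.
EXPANSION = [1, 2, 3, 4, 3, 4, 5, 6, 5, 6, 7, 8]
# 8 inputs -> 4 outputs: some inputs are dropped.
COMPRESSION = [2, 3, 6, 7]


def invert_straight(table: list[int]) -> list[int]:
    """Only a straight P-box is invertible; expansion and compression lose information."""
    if sorted(table) != list(range(1, len(table) + 1)):
        raise ValueError("only a straight permutation can be inverted")
    inverse = [0] * len(table)
    for out_pos, in_pos in enumerate(table, start=1):
        inverse[in_pos - 1] = out_pos
    return inverse


# Constructed 3-bit -> 2-bit S-box: the input value indexes the table, the entry is the output value.
S_BOX = [1, 3, 0, 2, 2, 0, 3, 1]


def s_box(bits: str, table: list[int] = S_BOX, out_width: int = 2) -> str:
    """Substitute an N-bit input with the M-bit table entry it selects (N = 3, M = 2 here)."""
    return format(table[int(bits, 2)], f"0{out_width}b")


if __name__ == "__main__":
    print(p_box("10110010", STRAIGHT))      # 01001101
    print(p_box("10110010", EXPANSION))     # 101111000010
    print(p_box("10110010", COMPRESSION))   # 0101
    print(s_box("110"))                     # 11
```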
The ciphers of today. They involve multiple rounds, where each round is a complex cipher.
The key used in each round is a subset or variation of the general key, called the round key. If the cipher has N rounds, a key generator produces N keys.
There are two modern symmetric-key ciphers: DES and AES.
These are referred to as block ciphers, because they divide the plaintext into blocks and use the same key to encrypt and decrypt each block.
Modern Round Cipher

Slide 65
It is a complex block cipher. It was designed by IBM and adopted by the U.S. government as the standard encryption method for nonmilitary and nonclassified use. The algorithm encrypts a 64-bit plaintext block using a 64-bit key.
Data Encryption Standard (DES)

Slide 66
It has two transposition blocks and 16 complex round ciphers. Each round cipher uses a different key derived from the original key. The initial and final permutations are keyless straight permutations.
Modern Round Cipher
Data Encryption Standard (DES)

Slides 67 to 68
Each round of DES is a complex round cipher. The structure of the encryption round ciphers is different from that of the decryption ones.
Data Encryption Standard (DES)

Slides 69 to 70
DES function: It is the heart of DES.
It applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output.
It is made up of four operations.
Data Encryption Standard (DES)

Slides 71 to 72
To lengthen the key, 3DES has been implemented. This uses three DES blocks. The encryption block uses an encryption-decryption-encryption combination of DES blocks.
Triple Data Encryption Standard (3DES)

Slide 73
Triple Data Encryption Standard (3DES)

Slide 74
It was designed because DES's key was too small. NIST chose the Rijndael algorithm as the basis of AES.
It is a very complex round cipher. It is designed with three key sizes: 128, 192 or 256 bits.
Advanced Encryption Standard (AES)

Slide 75
There is an initial XOR operation followed by 10 round ciphers.
The last round is slightly different from the preceding rounds. The 10 iteration blocks are almost identical; each uses a different key derived from the original key.
Advanced Encryption Standard (AES)

Slides 76 to 77
Structure of each round: each round of AES, except for the last, is a cipher with four operations that are invertible.
The last round has only three operations.
The figure is a flow chart that shows the operations in each round.

Slides 78 to 79
Mode of Operation

Slide 80
This mode is a purely block cipher technique. The plaintext is divided into blocks of N bits.
The ciphertext is made of blocks of N bits. N depends on the type of cipher used. Four characteristics of the mode:
Because the key and the encryption/decryption algorithm are the same, equal blocks in the plaintext become equal blocks in the ciphertext. This can be a security problem.
If the plaintext blocks are reordered, the ciphertext blocks are also reordered.
Blocks are independent of each other. A problem in the encryption or decryption of a block does not affect other blocks.
An error in one block is not propagated to other blocks. This is an advantage if the channel is not noise-free.
Electronic Code Book

Slides 81 to 82
It tries to alleviate some of the problems in ECB by including the previous cipher block in the preparation of the current block.
In this case, a phony block called the initialization vector (IV) is used.
Following are the characteristics of CBC.
Even though the key and the encryption/decryption algorithm are the same, equal blocks in the plaintext do not become equal blocks in the ciphertext.
Blocks are dependent on each other.
An error in one block is propagated to the other blocks.
Cipher Block Chaining

Slides 83 to 84
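The ECB and CBC characteristics from the two slides above, demonstrated side by side as an added example that is not part of the original deck. A constructed 8-byte keyed permutation stands in for DES/AES so that the mode logic, not the cipher, is what is shown; the key, IV and plaintext are constructed, and the stand-in cipher is not secure.

```python
# Added example, not from the slides: ECB versus CBC over a generic block cipher.
from __future__ import annotations

BLOCK = 8
KEY = bytes(range(8))        # constructed key
IV = bytes(BLOCK)            # constructed IV; real CBC needs a fresh unpredictable IV per message
PT = b"ATTACK!!" * 3         # three identical plaintext blocks


def _toy_encrypt(key: bytes, block: bytes) -> bytes:
    x = bytes(a ^ b for a, b in zip(block, key))
    return x[3:] + x[:3]       # stand-in for DES/AES: XOR with key, rotate bytes left by 3


def _toy_decrypt(key: bytes, block: bytes) -> bytes:
    x = block[-3:] + block[:-3]
    return bytes(a ^ b for a, b in zip(x, key))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _blocks(data: bytes) -> list[bytes]:
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    return b"".join(_toy_encrypt(key, b) for b in _blocks(pt))   # blocks independent


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(_toy_decrypt(key, b) for b in _blocks(ct))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(pt):
        prev = _toy_encrypt(key, _xor(b, prev))   # chain the previous ciphertext block in
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(_toy_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def repeated_blocks(ct: bytes) -> int:
    """Ciphertext blocks that duplicate an earlier one: ECB leaks this pattern, CBC hides it."""
    bs = _blocks(ct)
    return len(bs) - len(set(bs))


def corrupted_after_bitflip(decrypt, ct: bytes, pt: bytes, block_index: int = 1) -> int:
    """Flip one bit in ciphertext block `block_index`, decrypt, count plaintext blocks that changed."""
    damaged = bytearray(ct)
    damaged[block_index * BLOCK] ^= 0x01
    recovered = decrypt(bytes(damaged))
    return sum(1 for a, b in zip(_blocks(recovered), _blocks(pt)) if a != b)
```

With the constructed inputs, ECB yields two repeated ciphertext blocks and one corrupted plaintext block after a bit flip, while CBC yields no repeats and two corrupted blocks (the damaged block and the one after it).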
It was created for situations in which we need to send or receive r bits of data at a time. Following are the characteristics of CFB.
If we change the IV from one encryption to another using the same plaintext, the ciphertext is different. The ciphertext block Ci depends on both Pi and the preceding ciphertext block.
Errors in one or more bits of a ciphertext block affect the next ciphertext blocks.
Cipher Feedback

Slides 85 to 86
Very similar to CFB mode, with one difference: each bit in the ciphertext is independent of the previous bit or bits. This avoids error propagation.
Following are the characteristics of OFB. If we change the IV from one encryption to another using the same plaintext, the ciphertext will be different.
The ciphertext block Ci depends on the plaintext block Pi.
Errors in one or more bits of the ciphertext do not affect future ciphertext blocks.
Output Feedback

Slides 87 to 88
Digital Signature
A person signs a document to show that it originated from him/her or was approved by him/her. The signature is proof to the recipient that the document comes from the correct entity.
In other words, a signature on a document, when verified, is a sign of authentication—the document is authentic.
When Alice sends a message to Bob, Bob needs to check the authenticity of the sender: he needs to be sure that the message comes from Alice and not Eve. Bob can ask Alice to sign the message electronically.
In other words, an electronic signature can prove the authenticity of Alice as the sender of the message. We refer to this type of signature as a digital signature.

Slide 89
Important Points
A digital signature needs a public-key system.
The signer signs with her private key; the verifier verifies with the signer's public key.
A cryptosystem uses the private and public keys of the recipient; a digital signature uses the private and public keys of the sender.

Slide 90
The figure shows the digital signature process. The sender uses a signing algorithm to sign the message. The message and the signature are sent to the recipient.
The recipient receives the message and the signature and applies the verifying algorithm to the combination. If the result is true, the message is accepted; otherwise it is rejected.
The digital signature process
Digital signature process

Slide 91
Signing the digest
Asymmetric-key cryptosystems are very inefficient when dealing with long messages. In a digital signature system, the messages are normally long, but we have to use asymmetric-key schemes. The solution is to sign a digest of the message, which is much shorter than the message itself.
Figure 16.12
Signing the digest

Slide 92
Hashing Algorithms
MD5: computes a 128-bit hash value; widely used for file integrity checking.
SHA-1: computes a 160-bit hash value; NIST-approved message digest algorithm.

Slide 93
Digital certificates and digital signing of an e-mail message

Slide 94
• Message is captured.
• Hash value of the message is calculated.
• Sender's private key is retrieved from the sender's digital certificate.
• Hash value is encrypted with the sender's private key.
• Encrypted hash value is appended to the message as a digital signature.
• Message is sent.
Digital certificates and digital signing of an e-mail message

Slide 95
Digital certificates and verifying a digital signature of an e-mail message

Slide 96
• Message is received.
• Digital signature containing the encrypted hash value is retrieved from the message.
• Message is retrieved.
• Hash value of the message is calculated.
• Sender's public key is retrieved from the sender's digital certificate.
• Encrypted hash value is decrypted with the sender's public key.
• Decrypted hash value is compared against the hash value produced on receipt.
• If the values match, the message is valid.
• As shown in these sequences, the digital certificates provide access to the public keys for the verification of the digital signature.
Digital certificates and verifying a digital signature of an e-mail message

Slide 97
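The sign-the-digest flow from the signing and verifying sequences above, sender side and receiver side, as an added example that is not part of the original deck. Textbook RSA with a constructed key pair built from two Mersenne primes stands in for the certificate's key pair so the block runs offline (assumptions: that key, the SEPARATOR framing, and SHA-256 in place of the MD5/SHA-1 the deck lists, since both of those have practical collision attacks); real mail clients use a library with proper signature padding and a CA-issued certificate.

```python
# Added example, not from the slides: sign a digest with the private key, append it
# to the message, and verify it on receipt with the public key.
from __future__ import annotations
import hashlib

_P = (1 << 127) - 1            # constructed toy primes of special form: NOT for real use
_Q = (1 << 521) - 1
N = _P * _Q                     # public modulus
E = 65537                       # public exponent
D = pow(E, -1, (_P - 1) * (_Q - 1))   # private exponent (needs Python 3.8+)
SEPARATOR = b"\n--SIGNATURE--\n"     # constructed framing for "appended to the message"


def digest(message: bytes) -> int:
    """Hash value of the message, as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Sender: hash the message, then transform the digest with the private key."""
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Receiver: undo the transform with the sender's public key, compare with a fresh digest."""
    return pow(signature, e, n) == digest(message)


def sign_email(message: bytes) -> bytes:
    """Append the signature to the message, as the sending sequence describes."""
    return message + SEPARATOR + str(sign(message)).encode()


def check_signed_email(blob: bytes) -> tuple[bytes, bool]:
    """Split message and signature, verify, and return the message with a validity flag."""
    message, sep, sig = blob.rpartition(SEPARATOR)
    if not sep or not sig.isdigit():
        return blob, False          # no signature present: treat as unverified
    return message, verify(message, int(sig))


if __name__ == "__main__":
    signed = sign_email(b"Alice to Bob: approve the transfer")
    print(check_signed_email(signed)[1])                                       # True
    print(check_signed_email(signed.replace(b"approve", b"decline"))[1])       # False
```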
How Digital Certificates Are Used for Message Encryption: Digital certificates and encryption of an e-mail message

Slide 98
Client generates a session key, a secret symmetric key, at random.
Client encrypts the message using the session key and a symmetric algorithm.
Client encrypts the session key with the receiver's public key: the digital envelope.
Client sends the encrypted message and the digital envelope to the receiver.

Slide 99
Digital certificates and decrypting an e-mail message

Slide 100
Receiver uses her private key to decrypt the envelope and get the session key.
Receiver uses the session key to decrypt the message.
When the session is over, both parties discard the session key.
Optionally, a digital certificate could be used at the start of the session to verify the client's identity.

Slide 101
THANK YOU