
Er . - PowerPoint Presentation

Uploaded On 2017-09-28


Presentation Transcript

Slide1

Er. Anamika Sharma

Network Security

Slide2

Definition of Security

Security is a state of well-being of information and infrastructures in which the possibility of successful yet undetected theft, tampering, and disruption of information and services is kept low or tolerable

Slide3

Security Attacks

Slide4

Passive attacks

Involve eavesdropping on, or monitoring of, transmissions

Goal of opponent is to obtain information that is being transmitted

Types:

The release of message contents

Traffic analysis

Slide5

Release of Message content

Slide6

Traffic Analysis

Slide7

Active attacks

Involve some modification of the data stream or the creation of a false stream, and are divided into four categories:

Masquerade of one entity as some other

Replay previous messages

Modify messages in transit

Denial of service

Slide8

Masquerade

Slide9

Replay

Slide10

Modification of messages

Slide11

Denial Of Service

Slide12

Who is vulnerable?

Financial institutions and banks

Internet service providers

Government and defense agencies

Contractors to various government agencies

Multinational corporations

ANYONE ON THE NETWORK

Slide13

OSI Security Architecture

ITU-T X.800 Security Architecture for OSI

Defines a systematic way of defining and providing security requirements.

For us it provides a useful, if abstract, overview of concepts of security services.

Slide14

OSI focuses on:

Security Attack: Any action that compromises the security of information owned by an organization.

Security Mechanism: A process that is designed to detect, prevent, or recover from a security attack.

Security Services: A processing or communication service that enhances the security of the data processing system and information transfer of an organization. These are intended to counter security attacks.

X.800 defines security services in 5 major categories

Slide15

Security Services (X.800)

Slide16

Data Integrity

Assurance that the data that arrives is the same as when it was sent.

Slide17

Contd…

Slide18

Authentication

The process of verifying the identity of a user

Authentication procedure

Two-Party Authentication

One-Way Authentication

Two-Way Authentication

Third-Party Authentication

Slide19
Slide20
Slide21

Authentication using MAC

Slide22

Access Control

The process of enforcing access rights; it is based on the following three entities:

Subject is an entity that can access an object

Object is an entity to which access can be controlled

Access Right defines the ways in which a subject can access an object.

Slide23

Confidentiality

Assurance that sensitive information is not visible to an eavesdropper.

So it involves the protection of transmitted data from passive attacks.

This is usually achieved using encryption.

Includes Cryptography

Slide24

Message confidentiality using symmetric key in two directions

Slide25

Non-repudiation

Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication

Nonrepudiation, Origin

Proof that message was sent by specified party

Nonrepudiation, Destination

Proof that message was received by specified party

Slide26

Model for Network Security

Slide27

Model for Network Security

Using this model requires us to:

Design a suitable algorithm for the security transformation

Generate the secret information (keys) used by the algorithm

Develop methods to distribute and share the secret information

Specify a protocol enabling the principals to use the transformation and secret information for a security service

Slide28

Model for Network Access Security

Slide29

Model for Network Access Security

Using this model requires us to:

Select appropriate gatekeeper functions to identify users

Implement security controls to ensure only authorised users access the designated information or resources

Trusted computer systems can be used to implement this model

Slide30

Cryptography

Secret writing

The science and art of transforming messages to make them secure and immune to attacks.

Slide31

Cryptography Components

Slide32

Cryptography Components

Decryption algorithm

It transforms the cipher text back into plaintext

Slide33

Cryptography Components

To create a cipher text, or to encrypt a message, we need an encryption algorithm, an encryption key and the plain text.

Slide34

Basic Terminology

Plaintext – A message in its natural format readable by an attacker.

Ciphertext – Message altered to be unreadable by anyone except the intended recipients.

Key – Sequence that controls the operation and behavior of the cryptographic algorithm.

Keyspace – Total number of possible values of keys in a crypto algorithm.

Encryption – It is a process of changing or converting normal text or data information into ciphertext.

Slide35

Basic Terminology

Decryption – It is a process of changing or converting ciphertext back to correct message or data by using encryption method

Cryptography: The process of designing systems to realize secure communications over non-secure channels.

Cryptanalysis: The discipline of breaking the cryptographic systems.

Coding Theory: Deals with representing the information using codes. It covers compression, secrecy, and error correction.

Cryptosystem: The combination of algorithm, key, and key management functions used to perform cryptographic operations.

Slide36

Categories of Cryptography

Slide37

Three Types of Keys

Slide38

Symmetric Key Cryptography

The same key is used by both parties.

To encrypt data, the sender uses this key and an encryption algorithm.

To decrypt data, the receiver uses the same key and a decryption algorithm.

The key is shared.

Slide39

Symmetric Key Cryptography

Slide40

Symmetric Pros and Cons

Strength:

Simple and really very fast (on the order of 1000 to 10000 times faster than asymmetric mechanisms)

Weakness:

Must agree on the key beforehand

Securely pass the key to the other party

Slide41

Asymmetric Key Cryptography

There are two keys: a private key and a public key.

The public key is announced to the public.

The private key is kept by the receiver.

Slide42

Asymmetric Key Cryptography

Slide43

Symmetric Key Cryptography

Started thousands of years ago, when people needed to exchange secrets.

We still mainly use SKC in our network security.

Two types of algorithms:

Traditional algorithms: character-oriented

Modern algorithms: bit-oriented

Slide44

Symmetric Key Cryptography

Traditional Ciphers

Character-oriented

Obsolete

The goal is to show how modern ciphers evolved.

Slide45

Traditional Symmetric Key Cryptography

Slide46

Substitution Ciphers

A substitution cipher (SC) substitutes one symbol with another.

If the symbols in the plaintext are alphabetic characters, we can replace one character with another.

SCs can be categorized as:

Monoalphabetic

Polyalphabetic

Slide47

Monoalphabetic Cipher

A character (or a symbol) in the plaintext is always changed to the same character in the cipher-text, regardless of its position in the text.

Example

Plaintext: HELLO

Cipher-text: KHOOR

The relationship between characters in the plaintext and the cipher-text is a one-to-one relationship.

Slide48

Polyalphabetic Cipher

Each occurrence of a character can have a different substitute.

The relationship between characters in the plaintext and the cipher-text is a one-to-many relationship.

Ex.: Character A could be changed to D in the beginning of the text, but it could be changed to N at the middle.

If the relationship between characters in the plaintext and the cipher-text is one-to-many, we need to divide the text into groups of characters and use a set of keys.

Ex.: We can divide the text “IAMANINDIANGIRL” into groups of 3 characters and then apply the encryption using a set of 3 keys, then repeat the procedure for the next 3 characters.

Slide49

Shift Cipher

The simplest monoalphabetic cipher.

We assume that the plaintext and cipher-text consist of uppercase letters (A to Z) only.

The encryption algorithm is “shift key characters down,” with key equal to some number.

The decryption algorithm is “shift key characters up,” with key equal to some number.

Ex.: If the key is 5, the encryption algorithm is “shift 5 characters down” (towards the end of the alphabet) and the decryption algorithm is “shift 5 characters up” (towards the beginning of the alphabet).

THE SHIFT CIPHER IS SOMETIMES REFERRED TO AS THE CAESAR CIPHER

Slide50

Question

Use shift cipher with key = 15 to encrypt the message “HELLOMYFRIEND”

Use shift cipher with key = 15 to decrypt the message “WTAAD”

Slide51

Transposition Ciphers

No substitution of characters; their locations change.

A character in the first position of the plaintext may appear in the tenth position of the cipher-text. A character in the eighth position of the plaintext may appear in the first position of the cipher-text.

A transposition cipher reorders symbols in a block of symbols.

Key: It is a mapping between the position of symbols in the plaintext and the cipher-text.

Ex.:

Plaintext: 2 4 1 3

Cipher text: 1 2 3 4

NOTE: TO BE MORE EFFECTIVE, THE KEY SHOULD BE LONG.

Slide52

Transposition Ciphers

Fig. shows encryption and decryption for our 4-character block using the same key.

The encryption applies it downward while decryption applies it upward.
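The shift, polyalphabetic and transposition ciphers from the preceding slides, as an added sketch that is not part of the original presentation. The function names, the polyalphabetic key set (13, 3, 7), the padding letter and the reading of the key table (cipher-text position j takes the plaintext position listed above it) are assumptions made for the example.

```python
import string

ALPHABET = string.ascii_uppercase  # the slides assume A-Z only


def shift(text, key):
    """Shift cipher: move every letter `key` places down the alphabet (mod 26)."""
    return "".join(ALPHABET[(ALPHABET.index(c) + key) % 26] for c in text)


def unshift(text, key):
    """Decryption shifts the same number of places back up."""
    return shift(text, -key)


def poly_shift(text, keys, decrypt=False):
    """Polyalphabetic variant: in each group of len(keys) letters, letter i uses keys[i]."""
    sign = -1 if decrypt else 1
    return "".join(shift(c, sign * keys[i % len(keys)]) for i, c in enumerate(text))


def transpose(text, key, pad="Z"):
    """Keyed transposition: cipher-text position j of a block takes plaintext position key[j]."""
    n = len(key)
    text += pad * (-len(text) % n)  # padding letter is an assumption of this sketch
    return "".join(text[start + k - 1] for start in range(0, len(text), n) for k in key)


def inverse_key(key):
    """Read the key table in the other direction to get the decryption mapping."""
    inverse = [0] * len(key)
    for cipher_pos, plain_pos in enumerate(key, start=1):
        inverse[plain_pos - 1] = cipher_pos
    return inverse


def untranspose(text, key):
    """Decrypt by applying the inverted key to each block."""
    return transpose(text, inverse_key(key))


if __name__ == "__main__":
    print(shift("HELLO", 3))                            # the monoalphabetic slide's example
    print(unshift("WTAAD", 15))
    print(poly_shift("IAMANINDIANGIRL", (13, 3, 7)))    # constructed key set
    cipher = transpose("HELLOWORLD", [2, 4, 1, 3])      # constructed message
    print(cipher, untranspose(cipher, [2, 4, 1, 3]))
```

With these keys the first A of “IAMANINDIANGIRL” becomes D and the second becomes N, which is the one-to-many behaviour the polyalphabetic slide describes.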

Slide53
Slide54

Question

Encrypt “INTERNET EXPLORER” using a transposition cipher with key

3 5 2 1 4

1 2 3 4 5

Slide55

Simple Modern Ciphers

With the advent of the computer, ciphers needed to be bit-oriented, because the information to be encrypted is not just text; it can also consist of numbers, graphics, audio and video data.

It is convenient to convert these types of data into a stream of bits, encrypt the stream, and then send the encrypted stream.

When text is treated at the bit level, each character is replaced by 8 (or 16) bits, which means the number of symbols becomes 8 (or 16) times larger.

Slide56

Simple Modern Ciphers

Mingling and mangling bits provides more security than mingling and mangling characters.

Modern ciphers use a different strategy than the traditional ones: a combination of simple ciphers.

Slide57

X-OR Cipher

So called because it uses the exclusive-or operation as defined in computer science.

An X-OR operation needs two data inputs: the plaintext as the first and the key as the second.

Note: In an X-OR cipher, the size of the key, the plaintext, and the cipher-text are all the same.

X-OR ciphers have a very interesting property: the encryption and decryption are the same.

Slide58

Simple Modern Ciphers

X-OR Cipher

Slide59

Rotation Cipher

The input bits are rotated to the left or right.

The rotation cipher can be keyed or keyless.

In keyed rotation, the value of the key defines the number of rotations; in keyless rotation the number of rotations is fixed.

It is a special case of the transposition cipher using bits instead of characters.

Slide60

Simple Modern Ciphers

Rotation Cipher

The rotation cipher has an interesting property. If the length of the original stream is N, after N rotations we get the original input stream.

The number of rotations must be between 1 and N-1.

If we use a right rotation in the encryption, we use a left rotation in decryption and vice versa.

Slide61

Substitution Cipher: S-box

It parallels the traditional substitution cipher for characters.

The input to an S-box is a stream of bits with length N; the result is another stream of bits with length M. (N ≠ M)

It is normally keyless and is used as an intermediate stage of encryption or decryption.

Slide62

Transposition Cipher: P-box

It parallels the traditional transposition cipher for characters.

It performs a transposition at the bit level; it transposes bits.

It can be implemented in software or hardware, but hardware is faster.

It is normally keyless.

Three types of permutations in P-boxes: the straight permutation, the expansion permutation and the compression permutation.

Slide63

Rotation Cipher

Transposition Cipher: P-box

A straight P-box has the same number of inputs as outputs.

In an expansion permutation cipher, the number of output ports is greater than the number of input ports.

In a compression permutation cipher, the number of output ports is less than the number of input ports.

Slide64

Modern Round Cipher

The ciphers of today.

They involve multiple rounds, where each round is a complex cipher.

The key used in each round is a subset or variation of the general key, called the round key.

If the cipher has N rounds, a key generator produces N keys.

There are two modern symmetric-key ciphers: DES and AES.

These are referred to as block ciphers, because they divide the plaintext into blocks and use the same key to encrypt and decrypt the blocks.

Slide65

Data Encryption Standard (DES)

It is a complex block cipher.

It was designed by IBM and adopted by the U.S. government as the standard encryption method for nonmilitary and nonclassified use.

The algorithm encrypts a 64-bit plaintext block using a 64-bit key.

Slide66

Modern Round Cipher

Data Encryption Standard (DES)

It has two transposition blocks and 16 complex round ciphers.

Each round cipher uses a different key derived from the original key.

The initial and final permutations are keyless straight permutations.

Slide67
Slide68

Data Encryption Standard (DES)

Each round of DES is a complex round cipher.

The structure of the encryption round ciphers is different from that of the decryption one.

Slide69
Slide70

Data Encryption Standard (DES)

DES Function: It is the heart of DES.

It applies a 48-bit key to the rightmost 32 bits to produce a 32-bit output.

It is made up of four operations.

Slide71
Slide72

Triple Data Encryption Standard (DES)

To lengthen the key, 3DES has been implemented.

This uses three DES blocks.

The encryption block uses an encryption-decryption-encryption combination of DESs.

Slide73

Triple Data Encryption Standard (DES)

Slide74

Advanced Encryption Standard (AES)

It was designed because DES’s key was too small.

The NIST chose the Rijndael algorithm as the basis of AES.

It is a very complex round cipher.

It is designed with three key sizes: 128, 192 or 256 bits.

Slide75

Advanced Encryption Standard (AES)

There is an initial XOR operation followed by 10 round ciphers.

The last round is slightly different from the preceding rounds.

The 10 iteration blocks are almost identical; each uses a different key derived from the original key.

Slide76
Slide77

Structure of each round: each round of AES, except for the last, is a cipher with four operations that are invertible.

The last round has only three operations.

Fig. is a flow chart that shows the operations in each round.

Slide78
Slide79

Mode of Operation

Slide80

Electronic Code Book

This mode is a purely block cipher technique.

The plaintext is divided into blocks of N bits.

The cipher-text is made of blocks of N bits.

N depends on the type of cipher used.

Four characteristics of the mode:

Because the key and the encryption/decryption algorithm are the same, equal blocks in the plaintext become equal blocks in the cipher-text. This can be a security problem.

If we reorder the plaintext blocks, the cipher-text is also reordered.

Blocks are independent of each other. A problem in encryption or decryption of a block does not affect other blocks.

An error in one block is not propagated to other blocks. This is an advantage if the channel is not noise-free.

Slide81
Slide82

Cipher Block Chaining

It tries to alleviate some of the problems in ECB by including the previous cipher block in the preparation of the current block.

In this case, a phony block called the initialization vector (IV) is used.

Following are the characteristics of CBC:

Even though the key and the encryption/decryption algorithm are the same, equal blocks in the plaintext do not become equal blocks in the cipher-text.

Blocks are dependent on each other.

The error in one block is propagated to the other blocks.

Slide83
Slide84

Cipher Feedback

It was created for the situations in which we need to send or receive r bits of data.

Following are the characteristics of CFB:

If we change the IV from one encryption to another using the same plaintext, the cipher-text is different.

The cipher-text Ci depends on both Pi and the preceding cipher-text block.

Errors in one or more bits of the cipher-text block affect the next cipher-text blocks.

Slide85
Slide86

Output Feedback

Very similar to CFB mode with one difference: each bit in the cipher-text is independent of the previous bit or bits. This avoids error propagation.

Following are the characteristics of OFB:

If we change the IV from one encryption to another using the same plaintext, the cipher-text will be different.

The cipher-text Ci depends on the plaintext Pi.

Errors in one or more bits of the cipher-text do not affect future cipher-text blocks.

Slide87
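The ECB, CBC and OFB characteristics listed on the mode-of-operation slides can be checked by running the modes, as in this added sketch that is not part of the original presentation. It assumes a toy 16-round Feistel cipher built on SHA-256 as a stand-in for DES, messages that are a whole number of 8-byte blocks, and constructed key, IV and message values; CFB is left out to keep the sketch short.

```python
import hashlib

BLOCK = 8  # bytes per block (64 bits, the DES block size)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_keys(key, rounds=16):
    """One round key per round, each derived from the general key."""
    return [hashlib.sha256(key + bytes([r])).digest() for r in range(rounds)]

def feistel(key, block, decrypt=False):
    """Toy Feistel block cipher; decryption runs the round keys in reverse order."""
    keys = round_keys(key)
    left, right = block[:4], block[4:]
    for rk in (reversed(keys) if decrypt else keys):
        left, right = right, xor(left, hashlib.sha256(rk + right).digest()[:4])
    return right + left

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(key, data, decrypt=False):
    """ECB: every block is processed on its own."""
    return b"".join(feistel(key, b, decrypt) for b in blocks(data))

def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for p in blocks(plaintext):
        prev = feistel(key, xor(p, prev))  # mix in the previous cipher block
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for c in blocks(ciphertext):
        out.append(xor(feistel(key, c, decrypt=True), prev))
        prev = c
    return b"".join(out)

def ofb(key, iv, data):
    """OFB: XOR with a keystream fed back from the IV; the same call decrypts."""
    out, feedback = [], iv
    for b in blocks(data):
        feedback = feistel(key, feedback)
        out.append(xor(b, feedback))
    return b"".join(out)

def damaged_blocks(decrypt, ciphertext, plaintext):
    """Flip one bit of the first cipher block; list the plaintext blocks that change."""
    corrupted = bytes([ciphertext[0] ^ 1]) + ciphertext[1:]
    pairs = zip(blocks(decrypt(corrupted)), blocks(plaintext))
    return [i for i, (got, want) in enumerate(pairs) if got != want]

KEY, IV = b"constructed key", bytes(range(8))  # constructed sample values
MESSAGE = b"PAY 100 PAY 100 TO ALICE"          # constructed; blocks 0 and 1 are equal

if __name__ == "__main__":
    e, c, o = ecb(KEY, MESSAGE), cbc_encrypt(KEY, IV, MESSAGE), ofb(KEY, IV, MESSAGE)
    print("ECB repeats blocks:", blocks(e)[0] == blocks(e)[1])
    print("CBC repeats blocks:", blocks(c)[0] == blocks(c)[1])
    print("ECB damage:", damaged_blocks(lambda x: ecb(KEY, x, True), e, MESSAGE))
    print("CBC damage:", damaged_blocks(lambda x: cbc_decrypt(KEY, IV, x), c, MESSAGE))
    print("OFB damage:", damaged_blocks(lambda x: ofb(KEY, IV, x), o, MESSAGE))
```

The repeated ECB block is the "security problem" from the ECB slide: an observer learns that two plaintext blocks are equal without knowing the key.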
Slide88

Digital Signature

A person signs a document to show that it originated from him/her or was approved by him/her. The signature is proof to the recipient that the document comes from the correct entity.

In other words, a signature on a document, when verified, is a sign of authentication—the document is authentic.

When Alice sends a message to Bob, Bob needs to check the authenticity of the sender: he needs to be sure that the message comes from Alice and not Eve. Bob can ask Alice to sign the message electronically.

In other words, an electronic signature can prove the authenticity of Alice as the sender of the message. We refer to this type of signature as a digital signature.

Slide89

Important Points

A digital signature needs a public-key system.

The signer signs with her private key, the verifier verifies with the signer’s public key.

A cryptosystem uses the private and public keys of the recipient; a digital signature uses the private and public keys of the sender.

Slide90

Digital signature process

Figure shows the digital signature process. The sender uses a signing algorithm to sign the message. The message and the signature are sent to the recipient.

The recipient receives the message and the signature and applies the verifying algorithm to the combination. If the result is true, the message is accepted; otherwise it is rejected.

Slide91

Signing the digest

Asymmetric-key cryptosystems are very inefficient when dealing with long messages. In a digital signature system, the messages are normally long, but we have to use asymmetric-key schemes. The solution is to sign a digest of the message, which is much shorter than the message itself.

Figure 16.12 Signing the digest

Slide92

Hashing Algorithm

MD5

Computes 128-bit hash value

Widely used for file integrity checking

SHA-1

Computes 160-bit hash value

NIST approved message digest algorithm

Slide93

Digital certificates and digital signing of an e-mail message

Slide94

Digital certificates and digital signing of an e-mail message

• Message is captured.

• Hash value of the message is calculated.

• Sender's private key is retrieved from the sender's digital certificate.

• Hash value is encrypted with the sender's private key.

• Encrypted hash value is appended to the message as a digital signature.

• Message is sent.

Slide95

Digital certificates and verifying a digital signature of an e-mail message

Slide96

Digital certificates and verifying a digital signature of an e-mail message

• Message is received.

• Digital signature containing encrypted hash value is retrieved from the message.

• Message is retrieved.

• Hash value of the message is calculated.

• Sender's public key is retrieved from the sender's digital certificate.

• Encrypted hash value is decrypted with the sender's public key.

• Decrypted hash value is compared against the hash value produced on receipt.

• If the values match, the message is valid.

• As shown in these sequences, the digital certificates provide access to the public keys for the verification of the digital signature.

Slide97

How Digital Certificates Are Used for Message Encryption: Digital certificates and encryption of an e-mail message

Slide98

Client generates a session key, a secret symmetric key, at random.

Client encrypts message using session key and symmetric algorithm.

Client encrypts session key with receiver’s public key: digital envelope.

Client sends encrypted message and digital envelope to receiver.

Slide99

Digital certificates and decrypting an e-mail message

Slide100

Receiver uses her private key to decrypt envelope and get session key.

Receiver uses session key to decrypt message.

When session is over, both parties discard session key.

Optionally, a digital certificate could be used at the start of the session to verify client identity.

Slide101
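The signing and verifying sequences and the digital-envelope steps from the preceding slides, as an added sketch that is not part of the original presentation. It assumes textbook RSA over small fixed primes in place of certificate keys, SHA-256 in place of the MD5 and SHA-1 named on the hashing slide, and a hash-based keystream as the symmetric algorithm; all names and key values are constructed for the example.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy key pairs

def toy_keypair(p, q):
    """Textbook RSA from two known primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

# Constructed keys built from Mersenne primes; far too small for real use.
SENDER_PUB, SENDER_PRIV = toy_keypair(2**61 - 1, 2**89 - 1)
RECEIVER_PUB, RECEIVER_PRIV = toy_keypair(2**107 - 1, 2**127 - 1)

def digest(message, n):
    """Hash value of the message as an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):
    """Sender: hash the message, then transform the hash with the private key."""
    n, d = private
    return pow(digest(message, n), d, n)

def verify(message, signature, public):
    """Receiver: recover the hash with the public key and compare with a fresh hash."""
    n, e = public
    return pow(signature, e, n) == digest(message, n)

def session_cipher(session_key, data):
    """Stand-in symmetric algorithm: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(session_key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(message, receiver_public):
    """Encrypt with a random session key; wrap that key as the digital envelope."""
    n, e = receiver_public
    session_key = secrets.token_bytes(16)
    envelope = pow(int.from_bytes(session_key, "big"), e, n)
    return session_cipher(session_key, message), envelope

def unseal(ciphertext, envelope, receiver_private):
    """Open the envelope with the private key, then decrypt with the session key."""
    n, d = receiver_private
    session_key = pow(envelope, d, n).to_bytes(16, "big")
    return session_cipher(session_key, ciphertext)

if __name__ == "__main__":
    mail = b"Meet at noon. Alice"          # constructed message
    signature = sign(mail, SENDER_PRIV)
    ciphertext, envelope = seal(mail, RECEIVER_PUB)
    received = unseal(ciphertext, envelope, RECEIVER_PRIV)
    print(received, verify(received, signature, SENDER_PUB))
    print(verify(received + b"!", signature, SENDER_PUB))  # altered message fails
```

Production mail systems use padded RSA or elliptic-curve schemes from a vetted cryptographic library with keys of at least 2048 bits; the arithmetic here only mirrors the order of the steps on the slides.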

THANK YOU
