计算机网络英文版课件：slide 15 Network Security

NetworkSecurityContentsIntroductionCryptographySymmetric-KeyAlgorithmsPublic-KeyAlgorithmsDigitalSignaturesManagementofPublicKeysCommunicationSecurityAuthenticationProtocolsNeedforSecuritySomepeoplewhocausesecurityproblemsandwhyIntroductionNetworksecurityproblemscanbedividedroughlyintofourcloselyintertwinedareas:secrecy,authentication,nonrepudiation,andintegritycontrol.Secrecy,alsocalledconfidentiality,hastodowithkeepinginformationoutofthehandsofunauthorizedusers.Authenticationdealswithdeterminingwhomyouaretalkingtobeforerevealingsensitiveinformationorenteringintoabusinessdeal.Nonrepudiationdealswithsignatures:Howdoyouprovethatyourcustomerreallyplacedanelectronicorderfortenmillionleft-handeddoohickeysat89centseachwhenhelaterclaimsthepricewas69cents?Whereintheprotocolstacknetworksecuritybelongs.Inthephysicallayer,Inthedatalinklayer,Inthenetworklayer,Inthetransportlayer,IntheapplicationlayerCryptographyIntroductiontoCryptographySubstitutionCiphersTranspositionCiphersAnIntroductiontoCryptographyTheencryptionmodel(forasymmetric-keycipher)SubstitutionCiphersInasubstitutionciphereachletterorgroupoflettersisreplacedbyanotherletterorgroupofletterstodisguiseit.plaintext:abcdefghijklmnopqrstuvwxyzciphertext:QWERTYUIOPASDFGHJKLZXCVBNMForthekeyabove,theplaintextattack

wouldbetransformedintotheciphertextQZZQEA.TranspositionCiphersAtranspositioncipher.Symmetric-KeyAlgorithmsSymmetric-keyalgorithms:usedthesamekeyforencryptionanddecryptionCryptographicalgorithmscanbeimplementedineitherhardware(forspeed)orinsoftware(forflexibility).DES–TheDataEncryptionStandardProductCiphersBasicelementsofproductciphers.(a)P-box.(b)S-box.(c)Product.SubstitutionsareperformedbyS-boxesP-boxcanbemadetoperformanytranspositionDataEncryptionStandardThedataencryptionstandard.(a)Generaloutline.

(b)Detailofoneiteration.Thecircled+meansexclusiveOR.Public-KeyAlgorithmsAradicallynewkindofcryptosystem,oneinwhichtheencryptionanddecryptionkeysweredifferent,andthedecryptionkeycouldnotfeasiblybederivedfromtheencryptionkey.Inthiskindofcryptosystem,the(keyed)encryptionalgorithm,E,andthe(keyed)decryptionalgorithm,D,hadtomeetthreerequirements.Theserequirementscanbestatedsimplyasfollows:D(E(P))=PItisexceedinglydifficulttodeduceDfromE.Ecannotbebrokenbyachosenplaintextattack.Theencryptionalgorithmandthekeyaremadepublic,hencethenamepublic-keycryptography.Public-keycryptographyrequireseachusertohavetwokeys:apublickey,usedbytheentireworldforencryptingmessagestobesenttothatuser,andaprivatekey,whichtheuserneedsfordecryptingmessages.RSAOnegoodpublic-KeyalgorithmswasdiscoveredbyagroupatM.I.T.(Rivestetal.,1978).Itisknownbytheinitialsofthethreediscoverers(Rivest,Shamir,Adleman):RSA.TheRSAmethodisbasedonsomeprinciplesfromnumbertheory.Howtousethemethod:Choosetwolargeprimes,pandq(typically1024bits).Computen=pxqandz=(p-1)x(q-1).Chooseanumberrelativelyprimetozandcallitd.Findesuchthatexd=1modz.Withtheseparameterscomputedinadvance,wearereadytobeginencryption.groupingtheplaintextintoblocksofkbits,wherekisthelargestintegerforwhich2k<nistrue.Toencryptamessage,P,computeC=Pe(modn).TodecryptC,computeP=Cd(modn).

RSAAnexampleoftheRSAalgorithmp=3andq=11n=33andz=20d=7,e=3DigitalSignaturesTheauthenticityofmanylegal,financial,andotherdocumentsisdeterminedbythepresenceorabsenceofanauthorizedhandwrittensignature.Forcomputerizedmessagesystemstoreplacethephysicaltransportofpaperandinkdocuments,amethodmustbefoundtoallowdocumentstobesignedinanunforgeableway.Basically,whatisneededisasystembywhichonepartycansendasignedmessagetoanotherpartyinsuchawaythatthefollowingconditionshold:Thereceivercanverifytheclaimedidentityofthesender.Thesendercannotlaterrepudiatethecontentsofthemessage.Thereceivercannotpossiblyhaveconcoctedthemessagehimself.Symmetric-KeySignaturesOneapproachtodigitalsignaturesistohaveacentralauthoritythatknowseverythingandwhomeveryonetrusts.DigitalsignatureswithBigBrotherPublic-KeySignaturesDigitalsignaturesusingpublic-keycryptographyItwouldbeniceifsigningdocumentsdidnotrequireatrustedauthority.thepublic-keyencryptionanddecryptionalgorithmshavethepropertythatE(D(P))=Pinaddition,ofcourse,totheusualpropertythatD(E(P))=P.

MessageDigestsAnauthenticationschemethatdoesnotrequireencryptingtheentiremessagemessagedigest:aone-wayhashfunction,MD,thattakesanarbitrarilylongpieceofplaintextandfromitcomputesafixed-lengthbitstring.messagedigesthasfourimportantpropertiesGivenP,itiseasytocomputeMD(P).GivenMD(P),itiseffectivelyimpossibletofindPGivenPnoonecanfindP'suchthatMD(P')=MD(P).Achangetotheinputofeven1bitproducesaverydifferentoutput.Computingamessagedigestfromapieceofplaintextismuchfasterthanencryptingthatplaintextwithapublic-keyalgorithm.Avarietyofmessagedigestfunctionshavebeenproposed.ThemostwidelyusedonesareMD5(Rivest,1992)andSHA-1(NIST,1993).SHA-1(SecureHashAlgorithm)processesinputdatain512-bitblocks,onlyunlikeMD5,itgeneratesa160-bitmessagedigestMessageDigestsDigitalsignaturesusingmessagedigestsSHA-1UseofSHA-1andRSAforsigningnonsecretmessages.ManagementofPublicKeysCertificatesX.509PublicKeyInfrastructuresProblemswithPublic-KeyEncryptionAwayforTrudytosubvertpublic-keyencryptionAsafirstattemptatdistributingpublickeyssecurely,wecouldimagineakeydistributioncenteravailableon-line24hoursadaytoprovidepublickeysondemand.AnorganizationthatcertifiespublickeysisnowcalledaCA(CertificationAuthority).CertificatesApossiblecertificateanditssignedhash.TheCAthenissuesacertificatesimilartotheoneinFig.8-24andsignsitsSHA-1hashwiththeCA'sprivatekey.ThisschemedoesnotrequiretheCAtobeon-lineforverificationX.509IfeverybodywhowantedsomethingsignedwenttotheCAwithadifferentkindofcertificate,managingallthedifferentformatswouldsoonbecomeaproblem.Tosolvethisproblem,astandardforcertificateshasbeendevisedandapprovedbyITU.ThestandardiscalledX.509andisinwidespreaduseontheInternet.TheIETFversionofX.509isdescribedinRFC3280.X.509isawaytodescribecertificatesX.509ThebasicfieldsofanX.509certificate.Forexample,ifBobworksintheloandepartmentoftheMoneyBank,hisX.500addressmightbe:/C=US/O=MoneyBank/OU=Loan/CN=Bob/

Public-KeyInfrastructuresPKI(PublicKeyInfrastructure):forcertifyingpublickeysAPKIhasmultiplecomponents,includingusers,CAs,certificates,anddirectories.WhatthePKIdoesisprovideawayofstructuringthesecomponentsanddefinestandardsforthevariousdocumentsandprotocols.Public-KeyInfrastructures(a)AhierarchicalPKI.(b)Achainofcertificates.RAs(RegionalAuthorities)trustanchorsCommunicationSecurityCommunicationsecurity:howtogetthebitssecretlyandwithoutmodificationfromsourcetodestinationandhowtokeepunwantedbitsoutsidethedoor.IPsec(IPsecurity)FirewallsIPsecThecompleteIPsecdesignisaframeworkformultipleservices,algorithmsandgranularities.Thereasonformultipleservicesisthatnoteveryonewantstopaythepriceforhavingalltheservicesallthetime,sotheservicesareavailablealacarte.Themajorservicesaresecrecy,dataintegrity,andprotectionfromreplayattacks(intruderreplaysaconversation).

Allofthesearebasedonsymmetric-keycryptographybecausehighperformanceiscrucial.Thereasonforhavingmultiplealgorithmsisthatanalgorithmthatisnowthoughttobesecuremaybebrokeninthefuture.BymakingIPsecalgorithm-independent,theframeworkcansurviveevenifsomeparticularalgorithmislaterbroken.ThereasonforhavingmultiplegranularitiesistomakeitpossibletoprotectasingleTCPconnection,alltrafficbetweenapairofhosts,oralltrafficbetweenapairofsecurerouters,amongotherpossibilities.IPSecThoughitisintheIPlayer,IPSecisconnectionoriented.tohaveanysecurity,akeymustbeestablishedandusedforsomeperiodoftime—inessence,akindofconnection.A''connection''inthecontextofIPseciscalledanSA(securityassociation).

AnSAisasimplexconnectionbetweentwoendpointsandhasasecurityidentifierassociatedwithit.Ifsecuretrafficisneededinbothdirections,twosecurityassociationsarerequired.Securityidentifiersarecarriedinpacketstravelingonthesesecureconnectionsandareusedtolookupkeysandotherrelevantinformationwhenasecurepacketarrives.IPsechastwoprincipalparts.Thefirstpartdescribestwonewheadersthatcanbeaddedtopacketstocarrythesecurityidentifier,integritycontroldata,andotherinformation.Theotherpart,ISAKMP(InternetSecurityAssociationandKeyManagementProtocol)dealswithestablishingkeys.IPSecIPseccanbeusedineitheroftwomodes.Intransportmode:theIPsecheaderisinsertedjustaftertheIPheader.TheProtocolfieldintheIPheaderischangedtoindicatethatanIPsecheaderfollowsthenormalIPheader(beforetheTCPheader).TheIPsecheadercontainssecurityinformation,primarilytheSAidentifier,anewsequencenumber,andpossiblyanintegritycheckofthepayload.Intunnelmode:theentireIPpacket,headerandall,isencapsulatedinthebodyofanewIPpacketwithacompletelynewIPheader.Tunnelmodeisusefulwhenthetunnelendsatalocationotherthanthefinaldestination.Insomecases,theendofthetunnelisasecuritygatewaymachine,forexample,acompanyfirewall.IPsecTheIPsecauthenticationheaderintransportmodeforIPv4.IPsecAHheaderTheNextheaderfieldisusedtostorethepreviousvaluethattheIPProtocolfieldhadbeforeitwasreplacedwith51toindicatethatanAHheaderfollows.ThePayloadlengthisthenumberof32-bitwordsintheAHheaderminus2.TheSecurityparametersindexistheconnectionidentifierTheSequencenumberfieldisusedtonumberallthepacketssentonanSA.theAuthenticationdata,whichisavariable-lengthfieldthatcontainsthepayload'sdigitalsignature.WhentheSAisestablished,thetwosidesnegotiatewhichsignaturealgorithmtheyaregoingtouse.SinceIPsecisbasedonsymmetric-keycryptographyandthesenderandreceivernegotiateasharedkeybeforesettingupanSA,thesharedkeyisusedinthesignaturecomputation.Thesharedkeyisnottransmitted,ofcourse.IPSecTheAHheaderdoesnotallowencryptionofthedata,soitismostlyusefulwhenintegritycheckingisneededbutsecrecyisnotneeded.OnenoteworthyfeatureofAHisthattheintegritycheckcoverssomeofthefieldsintheIPheader,namely,thosethatdonotchangeasthepacketmovesfromroutertorouter.TheTimetolivefieldchangesoneachhop,forexample,soitcannotbeincludedintheintegritycheck.However,theIPsourceaddressisincludedinthecheck,makingitimpossibleforanintrudertofalsifytheoriginofapacket.IPsec(a)ESPintransportmode.(b)ESPintunnelmode.FirewallsthedangerofinformationleakingoutadangerofinformationleakinginInparticular,viruses,worms,andotherdigitalpestscanbreachsecurity,destroyvaluabledata,andwastelargeamountsofadministrators'timetryingtocleanupthemesstheyleave.Consequently,mechanismsareneededtokeep''good''bitsinand''bad''bitsout.Firewalls:acompanycanhavemanyLANsconnectedinarbitraryways,butalltraffictoorfromthecompanyisforcedthroughanelectronicdrawbridge(firewall),asshowninFig.8-29

FirewallsAfirewallconsistingoftwopacketfiltersandanapplicationgateway

Firewalls-PacketfiltersEverypacketmusttransittwofiltersandanapplicationgatewaytogoinorout.Packetsmeetingsomecriterionareforwardednormally.Packetfiltersaretypicallydrivenbytablesconfiguredbythesystemadministrator.Thesetableslistsourcesanddestinationsthatareacceptable,sourcesanddestinationsthatareblocked,anddefaultrulesaboutwhattodowithpacketscomingfromorgoingtoothermachines.Blockingoutgoingpacketsistrickiersomesitesnotsticktothestandardportnumberingconventionsforsomeimportantservices,suchasFTP(FileTransferProtocol),portnumbersareassigneddynamicallyblockingUDPpacketsisevenharderFirewalls-ApplicationGatewayTheapplicationgatewayoperatesattheapplicationlevel.thegatewaydecideswhethertotransmitordiscardthemessagebasedonheaderfields,messagesize,oreventhecontent.FirewallsproblemsstillexistanintruderoutsidethefirewallcanputinfalsesourceaddressestobypassthischeckinsidershipsoutsecretdocumentsbyencryptingthemorevenphotographingthemandshippingthephotosasJPEGfiles,whichbypassesanywordfilters.awholeotherclassofattacksthatfirewallscannotdealwith:DoS(DenialofService)attacks,DDoS(DistributedDenialofService)attackAuthenticationProtocolsAuthenticationdealswiththequestionofwhetheryouareactuallycommunicatingwithaspecificprocess.Authorizationisconcernedwithwhatthatprocessispermittedtodo.Thegeneralmodelthatallauthenticationprotocolsusepublic-keycryptographyiswidelyusedfortheauthenticationprotocolsthemselvesandforestablishingthesessionkeyasecretsessionkeyforuseintheupcomingconversationAuthenticationprotocolsAuthenticationBasedonaSharedSecretKeyEstablishingaSharedKey:Diffie-HellmanAuthenticationUsingaKeyDistributionCenterAuthenticationUsingKerberosAuthenticationUsingPublic-KeyCryptographyAuthenticationBasedonaSharedSecretKeyFigure8-32Two-wayauthenticationusingachallenge-responseprotocolassumethatAliceandBobalreadyshareasecretkey,KAB

AuthenticationBasedonaSharedSecretKeyassumethatAliceandBobalreadyshareasecretkey,KABThisprotocolisbasedonaprinciplefoundinmanyauthenticationprotocols:onepartysendsarandomnumbertotheother,whothentransformsitinaspecialwayandthenreturnstheresult.Suchprotocolsarecalledchallenge-responseprotocols.notationused:A,BaretheidentitiesofAliceandBobRi'sarethechallenges,wherethesubscriptidentifiest