信息通信网络概论课件：Chapter11-Security

1、Chapter 11Security Protocols,Network Security Threats Security and Cryptography Cryptographic Algorithms,Chapter 11Security Protocols,Network Security Threats,Network Security,The combination of low-cost powerful computing and high-performance networks is a two-edged sword: Many powerful new service

2、s and applications are enabled But computer systems and networks become highly susceptible to a wide variety of security threats Network security involves countermeasures to protect computer systems from intruders Firewalls, security protocols, security practices,Threats, Security Requirements, and

3、Countermeasures,Network Security Threats Eavesdropping, man-in-the-middle, client and server impostors Denial of Service attacks Viruses, worms, and other malicious code Network Security Requirements Privacy, Integrity, Authentication, Non-Repudiation, Availability Countermeasures Communication chan

4、nel security Border security,Security Requirements,Security threats motivate the following requirements: Privacy: information should be readable only by intended recipient Integrity: recipient can confirm that a message has not been altered during transmission Authentication: it is possible to verif

5、y that sender or receiver is who he claims to be Non-repudiation: sender cannot deny having sent a given message. Availability: of information and services,Eavesdropping偷听,Information transmitted over network can be observed and recorded by eavesdroppers (using a packet sniffer) Information can be r

6、eplayed in attempts to access server Requirements: privacy, authentication, non-repudiation,Client Impostor 仿冒,Impostors attempt to gain unauthorized access to server Ex. bank account or database of personal records For example, in IP spoofing impostor sends packets with false source IP address Requ

7、irements: privacy, authentication,Denial of Service Attack,Attacker can flood a server with requests, overloading the server resources Results in denial of service to legitimate clients Distributed denial of service attack on a server involves coordinated attack from multiple (usually hijacked) comp

8、uters Requirement: availability,Server Impostor,An impostor impersonates a legitimate server to gain sensitive information from a client E.g. bank account number and associated user password Requirements: privacy, authentication, non-repudiation,Client,Server,Man in the middle,Man-in-the-Middle Atta

9、ck,An impostor manages to place itself as man in the middle convincing the server that it is legitimate client convincing legitimate client that it is legitimate server gathering sensitive information and possibly hijacking session Requirements: integrity, authentication,Malicious Code恶意代码,A client

10、becomes infected with malicious code Opening attachments in email messages Executing code from bulletin boards or other sources Virus: code that, when executed, inserts itself in other programs Worms: code that installs copies of itself in other machines attached to a network Many variations of mali

11、cious code Requirements: privacy, integrity, availability,Countermeasures,Secure communication channels Encryption Cryptographic checksums and hashes Authentication Digital Signatures,Countermeasures（Count.）,Secure borders Firewalls Virus checking Intrusion detection Authentication Access Control,Ch

12、apter 11Security Protocols,Security and Cryptography,Cryptography,Encryption: transformation of plaintext message into encrypted (and unreadable) message called ciphertext Decryption: recovery of plaintext from ciphertext Cipher: algorithm for encryption result is the digital signature Transmitter s

13、ends message and signature To check the signature: Receiver obtains hash of message Receiver decrypts signature using senders public key Receiver compares hash computed from message and hash obtained from signature Procedure also ensures message integrity,Secret Key vs. Public Key,Public key systems

14、 have more capabilities Secret key: privacy, integrity, authentication Public key: all of above + digital signature Public key algorithms are more complex Require more processing and hence much slower than secret key Practice: Use public key method during session setup to establish a session key Use

15、 secret key cryptography during session using the session key,Chapter 11Security Protocols,Cryptographic Algorithms,1、Data Encryption Standard,DES adopted by U.S. National Bureau of Standards in 1977 Most widely-used secret key system Efficient hardware implementation Encryption: Electronic Codebook

16、 (ECB) Mode Message broken into 64-bit blocks Each 64-bit plaintext block encrypted separtely into 64-bit cyphertext Original version of DES uses a 56-bit key Decryption: Encryption operations performed in reverse order,DES Algorithm,Initial permutation is independent of key Final permutation is inv

17、erse of initial permutation Penultimate step swaps 32-bits on left with 32-bits on the right Intermediate 16 iterations apply a different key that is derived from the original 56-bit key,DES Iteration,64-bit block divided into Li 1 and Ri 1 halves Left output Li = Ri 1 Right output Ri = Li 1 XOR f(R

18、i 1, Ki) bitwise XOR f(.,.) as follows: Ri 1 expanded to 48 bits using fixed re-ordering & duplication pattern XORed with Ki Each resulting group of 6-bits is mapped into 4-bit output according to substitution mapping,Cipher Block Chaining,ECB mode encrypts 64-bit blocks independently Attacker can u

19、se knowledge about pattern in message to attack encrypted sequence of blocks Cipher Block Chaining (CBC) introduces dependency between consecutive blocks Current plaintext block is XORed with preceding ciphertext block First plaintext block XORed with an initialization vector that is transmitted to

20、receiver in ciphertext,Cipher Block Chaining,DES Security,DES vulnerable to brute-force attack 56-bit key is too short Has been broken in less than one day using a specially-designed computer Triple-DES (3DES) Provides better security Uses two 56-bit keys C = EK1(DK2(EK1(P) P = DK1(EK2(DK1(P) Instea

21、d of “triple encryption”, use encryption-decryption-encryption If K1 = K2, reduces to original DES,2、RSA Public Key Algorithm,Named after Rivest, Shamir, and Adleman Modular arithmetic & factorization of large numbers Let n = pq, where p & q are two large numbers n typically several hundred bits lon

22、g, i.e. 512 bits 2s = n ，s is the length of a block. Plaintext must be shorter than n Find e relatively prime to (p 1)(q 1) i.e. e has no common factors with (p 1)(q 1) Public key is e,n Let d be multiplicative inverse of e de = 1 modulo (p 1)(q 1) Private key is d,n,Encryption & Decryption,Fact: For Pn and n, p, q, d as above: Pde mod n = P mod n Encryption: C = Pe mod n Result is number less than n