Security, Initialization

• Network Security
  • overview
  • encryption technology
  • firewalls and Network Address Translation
  • DES
  • RSA
  • Authentication and Kerberos
  • Digital Signatures
  • Firewalls
  • Network Address Translation
• Configuration
  • bootp, DHCP, ICMP router advertisement

Network Security: Definitions

• if the data received is the same as the data sent, we are guaranteeing data integrity
• a CRC/checksum does not protect against malicious modifications, which could also modify the CRC
• if the data will be delivered in spite of any attack, we are guaranteeing data availability
• if nobody on the network can read the information in the data, we are guaranteeing data confidentiality or privacy
• if only messages sent by a specific party will be accepted as valid, we are guaranteeing authentication

Attacks

• Alice and Bob communicate, Charlie attacks:
  • attack the end-systems (not a networking issue)
  • man/person in the middle: Charlie changes Alice's messages to Bob
  • snooping: Charlie may be able to read but not modify messages from Alice to Bob
  • known-plaintext: Charlie may be able to get Alice to encrypt a message and send it to Bob, or Charlie may be able to guess at what Alice is sending to Bob
  • exhaustive search: Charlie can try every possible key until a match is found
  • traffic analysis: bombing X causes YZ to be sent, bombing H causes MZ to be sent

Defenses

• security by obscurity: bad but very common
• one-way functions: if y = f(x), and I have y and f, it should be very hard to guess x, i.e. to compute f^-1 (example, factoring)
• encryption -- but fields needed for routing must remain readable
• authentication certificates -- but how to verify who gets the certificate?
• digital signatures -- but who to trust/believe?
• securing the infrastructure (DNS, routers), and only allowing well-tested services (firewalls)
• talking securely to strangers

Encryption Technologies

• one-time pad:
  • XOR key with plaintext to give cyphertext
  • XOR key with cyphertext to give plaintext
  • extremely secure, key distribution is hard
• Digital Encryption Standard (DES):
  • 56-bit secret keys, but relatively secure
  • XOR and permute (many times), very efficient
• Rivest-Shamir-Adleman (RSA):
  • arbitrary sized public keys (encrypt with public key, decrypt with private key): slow, secure
• MD-5 cryptographic checksum

Permutation and Substitution

• permutation hardware box: easy to permute the bits
• substitution hardware box: decode the n inputs to 2ⁿ lines, permute the lines, and re-encode as n outputs, or:
• xor hardware box: combine an input with a key to yield a substitution
• can have multiple permutation and substitution boxes chained one after another

Digital Encryption Standard

• 64-bit input, 64-bit output, 56-bit key
• 16 chained stages (plus an initial and a final transposition)
• each stage takes a left and right half (32 bits each) and produces a left and right half (32 bits each)
• the output left half is the input right half
• the output right half is the XOR of the left half and a substitution function of the right half and some of the bits of the key

DES modes

• single DES: simply encrypt each 64-bit block. Vulnerable to frequency analysis, substitution attacks, brute force attack
• triple DES: encrypt with K₁, decrypt with K₂, and encrypt with K₁ again
• cypher block chaining: before encrypting, XOR with previous cypher block. After decrypting, XOR with previous cypher block. Not vulnerable to frequency, substitution attacks.
• cypher feedback mode: keep queue of last 8 cypher bytes (Block). XOR the next plaintext byte with the leftmost byte of DES(Block). Receiver has same Block, can XOR the cypher byte with the leftmost byte of DES(Block).

DES history

• IBM and NSA, 1977
• key bit reduced from 128 to 56
• subject to brute force distributed attacks (internet, Chinese lottery)
• IDEA: 1990, 128-bit key, uses 16-bit multiplication, addition, XOR

Rivest Shamir Adleman

• most widespread public key algorithm
• find two large primes p and q (at least 100 digits -- there are many such primes)
• compute n = p * q and z = (p - 1) * (q - 1)
• find a number d relatively prime to z (that is, d and z have no common factors -- d could be prime)
• find e such that e * d = 1 mod z
• public key is (e, n), private key is (d, n): d is hard to find given e and n
• to encrypt, C = P^e mod n
• to decrypt, P = C^d mod n = P^{e * d} mod n = P¹ mod n

RSA example

• p = 17, q = 31 (not large enough, of course)
• n = p * q = 527 and z = (p - 1) * (q - 1) = 16 * 30 = 480
• a number d relatively prime to z: pick d = 91
• find e such that e * d = 1 mod z: e = 211
• public key is (e, n), in this case D3020F, private key is (d, n), in this case 5B020F: d is hard to find given only the public key
• to encrypt, C = P^e mod n: if P = 15, C = 77
• to decrypt, P = C^d mod n = 77⁹¹ mod 527 = 15

Authentication: challenge-response

• the parties share a secret key, K_AB
• Alice selects a random number R_A, sends to Bob (A, R_A)
• Bob selects a random number R_B, sends to Alice (R_B, K_AB (R_A))
• Alice sends to Bob (K_AB (R_B)), confirming she has K_AB
• in-class exercise: how can this exchange be defeated by someone who doesn't have K_AB?

Public-Key Authentication

• Alice selects a random number R_A, sends to Bob E_B(A, R_A)
• Bob selects a random number R_B, sends to Alice E_A(R_A, R_B, K_S)
• Alice sends to Bob (K_S (R_B)), confirming she has K_S
• problem: how do you know somebody's public key? (man in the middle)

Diffie-Hellman: Agreeing on a Secret Key

• Alice and Bob together (publicly) pick large primes n, g -- (n - 1)/2 must also be prime, and g has other conditions
• Alice picks a random secret x, sends Bob (n, g, g^x mod n)
• Bob picks a random secret y, sends Alice g^y mod n
• Alice and Bob both compute g^x * g^y mod n, the shared secret key
• vulnerable to man-in-the-middle

Kerberos

• a single, very secure authentication server AS and ticket-granting server TGS
• the server shares a different key K_H with each host H
• A ==> AS: A
• AS ==> A: K_A(K_S, K_TGS(A, K_S))
• A ==> TGS: K_TGS(A, K_S)),B,K_S(t)
• TGS ==> A: K_S(B, K_AB),K_B(A, K_AB)
• A ==> B: K_B(B, K_AB),K_AB(t)
• B ==> A: K_AB(t+1)

Digital Signatures

• assume that E(D(P)) = P (RSA has this property)
• Alice sends Bob E_B(D_A(P))
• Bob decrypts with his private key, encrypts with Alice's public key
• to provide authentication without secrecy:
  • a digest D of a message P is easily computed given P
  • it is very hard to construct a P that has a given digest D
  • only encrypt (sign) the digest
  • MD5

Firewalls

• a router looks up the destination IP address in a table to decide where to forward a packet
• a firewall looks up the source and destination IP addresses and port numbers in a table to decide whether to forward a packet
• firewall matches may be wildcard, e.g. all sources allowed to access port 80 of www.ics.hawaii.edu
• so a firewall is a layer 4 switch: a router is a layer 3 switch, an ethernet switch or a bridge is a layer 2 switch, a hub is a layer 1 switch

Network Address Translation

• I want to run several machines at home, but my ISP will only give me one IP address
• I attache to the network a NAT box:
  • the assigned IP on its outer interface
  • private IP(s) on the inner interface(s)
• if a client inside wants to connect to an IP outside, I rewrite the packet so:
  • the assigned IP is the source address
  • I use a different source port number
• I keep a table of rewritten "connections" (for UDP also) so I can forward consistently in both directions
• incoming connections need special treatment

Initial Configuration

• information that must be configured includes interface IP address and subnet mask, IP of default gateway and of DNS and maybe DNS name of printer and other servers
• this information can be stored in configuration files
• Windows control panel provides a centralized user interface to these configuration files
• RARP: I broadcast my ethernet address, a server will send me my IP address
• BOOTP allows centralizing the information. Request and reply are to IP broadcast address
• ICMP: address mask request/reply, router solicitation/advertisement

Dynamic Host Configuration Protocol

• a computer connecting to a network broadcasts a DHCP request
• a DHCP server will send a DHCP reply (to the IP broadcast address, but maybe the computer's ethernet number)
• server is configured with a pool of available IP addresses, picks one to reply to a request
• each address is valid for a specific length of time (the lease), which may be renewed