Chapter 11

CS549:
Cryptography and Network

Security
by Xiang-Yang Li
Department of Computer Science,
IIT
Cryptography and Network Security
Notice
This lecture note (Cryptography and Network Security) is prepared by
Xiang-Yang Li. This lecture note has benefited from numerous
textbooks and online materials. Especially the Cryptography and
Network Security 2nd edition by William Stallings and the
Cryptography: Theory and Practice by Douglas Stinson.
You may not modify, publish, or sell, reproduce, create derivative
works from, distribute, perform, display, or in any way exploit any
of the content, in whole or in part, except as otherwise expressly
permitted by the author.
The author has used his best efforts in preparing this lecture note.
The author makes no warranty of any kind, expressed or implied,
with regard to the programs, protocols contained in this lecture
note. The author shall not be liable in any event for incidental or
consequential damages in connection with, or arising out of, the
furnishing, performance, or use of these.
Network Security
Topics to be covered
Applications
Email
security
www security
Malicious software
Networks
Wireless LAN security 802.11

IPsec
Firewall
Intrusions

Email Security
Xiang-Yang Li
Electronic Mail Security

Despite the refusal of VADM Poindexter and LtCol North to
appear, the Board's access to other sources of information
filled much of this gap. The FBI provided documents taken from
the files of the National Security Advisor and relevant NSC
staff members, including messages from the PROF system
between VADM Poindexter and LtCol North. The PROF messages
were conversations by computer, written at the time events
occurred and presumed by the writers to be protected from
disclosure. In this sense, they provide a first-hand,
contemporaneous account of events.
The Tower Commission Report to President Reagan on the
Iran-Contra Affair, 1987
Email Security
email is one of the most widely used and
regarded network services

currently message contents are not secure
may be inspected either in transit
or by suitably privileged users on destination system
Email Security Enhancements

confidentiality
protection
from disclosure
authentication
of sender of message
message integrity
protection from modification
non-repudiation of origin
protection from denial by sender
Pretty Good Privacy (PGP)

widely used de facto secure email
developed by Phil Zimmermann

selected best available crypto algs to use
integrated into a single program
available on Unix, PC, Macintosh and Amiga
systems
originally free, now have commercial
versions available also
PGP
Five services
Authentication, confidentiality, compression, email

compatibility, segmentation
Functions
Digital signature
Message encryption
Compression
Email compatibility
segmentation
10
PGP Operation Authentication

1. sender creates a message
2. SHA-1 used to generate 160-bit hash code of
message
3. hash code is encrypted with RSA using the
sender's private key, and result is attached to
message
4. receiver uses RSA or DSS with sender's public
key to decrypt and recover hash code
5. receiver generates new hash code for message
and compares with decrypted hash code, if
match, message is accepted as authentic
11
PGP Operation Confidentiality

1.
2.
3.
4.
5.
sender generates message and random 128-bit

number to be used as session key for this
message only
message is encrypted, using CAST-128 /
IDEA/3DES with session key
session key is encrypted using RSA with
recipient's public key, then attached to message
receiver uses RSA with its private key to decrypt
and recover session key
session key is used to decrypt message
12
PGP Operation Confidentiality &

Authentication
uses both services on same message
create
signature & attach to message

encrypt both message & signature
attach RSA encrypted session key
13
PGP Operation Compression

by default PGP compresses message after
signing but before encrypting
so can store uncompressed message & signature for

later verification
& because compression is non deterministic
uses ZIP compression algorithm
14
PGP Operation Email Compatibility

when using PGP will have binary data to
send (encrypted message etc)

however email was designed only for text
hence PGP must encode raw binary data
into printable ASCII characters
uses radix-64 algorithm
maps 3 bytes to 4 printable chars
also appends a CRC
PGP also segments messages if too big

15
PGP Operation Summary
16
Segmentation & Reassembly

Email systems impose maximum length
50
Kb, for example
PGP provides automatic segmentation
Done after all other operations

Thus only one session key needed
17
Key management
Generating unpredictable session keys
Identifying keys
Multiple public, private key pairs for a user
Maintain keys
Its
own public, private keys of a PGP entity

Public keys of correspondents
18
Session Key Generation

Algorithm used: CAST-128
Input to CAST-128
A 128-bit key
Two 64 bits plaintexts to be encrypted
Output using cipher feedback mode
Generates 2 64-bits ciphers form session key
Plaintexts are from 128-bits randomized
number
Based on key stroke of user (timing and actual keys)

Then combined with previous session key
19
Key Identifiers
Receiver has multiple public keys
How
to know which private key is proper?
Approach
Sending the least significant 64 bits as key ID

Need send the receivers public key ID used for
encrypting the session key
Need send the senders public key ID, whose
corresponding private key used for signature
20
Key Rings
Private key rings
Timestamp,
Key ID, public key, encrypted private key,
user ID
Public key rings
Timestamp, Key ID, public key, owner trust, user ID,

key legitimacy, signature, signature trust
21
Public Key Management

A public key attributed to B may belong to
can send messages to A forge Bs sig

C can read any encrypted message to B
Approach to true public key
Physically get key from B
Obtain Bs key from mutual trusted authority
Using key legitimacy field
computed from the signature trust field and number

of certificates for the key
22
Revoking Public Key

Reason
It is compromised: private key is open

Simply to avoid use of same key for a period
Approach
Owner issues key revocation certificate, signed by

owner
Using corresponding private key to sign the certificate
Disseminate the certificate as widely and as quickly as
possible
23
S/MIME (Secure/Multipurpose
Internet Mail Extensions)
security enhancement to MIME email
original
Internet RFC822 email was text only

MIME provided support for varying content types and
multi-part messages
with encoding of binary data to textual form
S/MIME added security enhancements
have S/MIME support in various modern
mail agents: MS Outlook, Netscape etc
24
S/MIME Functions
enveloped data
encrypted
content and associated keys
signed data
encoded message + signed digest
clear-signed data
cleartext message + encoded signed digest
signed & enveloped data
nesting of signed & encrypted entities
25
S/MIME Cryptographic Algorithms

hash functions: SHA-1 & MD5
digital signatures: DSS & RSA

session key encryption: ElGamal & RSA
message encryption: Triple-DES, RC2/40
and others
have a procedure to decide which
algorithms to use
26
S/MIME Certificate Processing

S/MIME uses X.509 v3 certificates
managed using a hybrid of a strict X.509
CA hierarchy & PGPs web of trust

each client has a list of trusted CAs certs
and own public/private key pairs & certs
certificates must be signed by trusted
CAs
27
Certificate Authorities
have several well-known CAs
Verisign one of most widely used

Verisign issues several types of Digital IDs
with increasing levels of checks & hence
trust
Class
1
2+
3+
Identity Checks
Usage
name/email check
web browsing/email
enroll/addr check
email, subs, s/w validate
ID documents e-banking/service access
28
Email SPAM
Spam is flooding the Internet with many
copies of the same message, in an attempt

to force the message on people who would
not otherwise choose to receive it. Most
spam is commercial advertising, often for
dubious products, get-rich-quick schemes,
or quasi-legal services. Spam costs the
sender very little to send -- most of the
costs are paid for by the recipient or the
carriers rather than by the sender
29
Email Spam
E-mail spam has existed since the beginning
of the Internet, and has grown to about 90

billion messages a day, although about 80%
is sent by fewer than 200 spammers.
Botnets, virus infected computers, account
for about 80% of spam.
E-mail addresses are collected from
chatrooms, websites, newsgroups, and
viruses which harvest users address books,
and are sold to other spammers
30
Anti-Spam Techs
Some popular methods for filtering and
refusing spam include
e-mail filtering based on the content of the e-mail,

DNS-based blackhole lists (DNSBL), greylisting,
spamtraps, enforcing technical requirements,
checksumming systems to detect bulk email, and by
putting some sort of cost on the sender via a Proof-ofwork system or a micropayment.
Each method has strengths and weaknesses and each is
controversial due to its weaknesses.
31
Filtering Methods
Bayesian spam filtering

CRM114
dSPAM
Markovian discrimination
POPFile
Policyd-weight Postfix policy-daemon before SMTP DATA
Procmail is an MDA (Mail Delivery Agent) for Unix systems.
Maildrop is an MDA (Mail Delivery Agent) for Unix systems.
Sendmail supports libmilter for mail filtering
Sieve (mail filtering language) is an RFC standard for
describing mail filters
SpamAssassin
Anti-Spam SMTP Proxy
information filtering
White list#E-mail whitelists
32
Summary
have considered:
secure
email
PGP
S/MIME
33

Security on WWW
Xiang-Yang Li
34
Introduction
Introduction
Presentation of SSL
The inner workings of SSL

Attacks on SSL
Presentation of S-HTTP
Comparison with SSL/TLS
Attacks on S-HTTP
Other aspects of Web security
TLS
IPSec, Kerberos, SET
Conclusion
35
Web Security
Web now widely used by business,
government, individuals
but Internet & Web are vulnerable
have a variety of threats
integrity
confidentiality
denial of service
authentication
need added security mechanisms

36
SSL (Secure Socket Layer)

transport layer security service
originally developed by Netscape

version 3 designed with public input
subsequently became Internet standard
known as TLS (Transport Layer Security)

uses TCP to provide a reliable end-to-end
service
SSL has two layers of protocols
37
Location of SSL
Application Layer
Secure Socket Layer

(SSL)
Transmission Control Protocol

(TCP)
SSL is build on top of
TCP
Provides a TCP like
interface
In theory can be used
by all type of
applications in a
transparent manner
Internet Protocol
(IP)
38
SSL Architecture
39
SSL Architecture
SSL session
an
association between client & server

created by the Handshake Protocol
define a set of cryptographic parameters
may be shared by multiple SSL connections
SSL connection
a transient, peer-to-peer, communications link

associated with 1 SSL session
40
SSL Record Protocol

confidentiality
using
symmetric encryption with a shared secret key

defined by Handshake Protocol
IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC440, RC4-128
message is compressed before encryption
message integrity
using a MAC with shared secret key

similar to HMAC but with different padding
41
SSL Change Cipher Spec Protocol

one of 3 SSL specific protocols which use
the SSL Record protocol

a single message
causes pending state to become current
hence updating the cipher suite in use
42
SSL Alert Protocol

conveys SSL-related alerts to peer entity
severity
warning or fatal
specific alert
unexpected message, bad record mac, decompression
failure, handshake failure, illegal parameter
close notify, no certificate, bad certificate,
unsupported certificate, certificate revoked,
certificate expired, certificate unknown
compressed & encrypted like all SSL data
43
SSL Handshake Protocol

allows server & client to:
authenticate
each other
to negotiate encryption & MAC algorithms
to negotiate cryptographic keys to be used
comprises a series of messages in phases
Establish Security Capabilities

Server Authentication and Key Exchange
Client Authentication and Key Exchange
Finish
44
General purpose
1.Handshake
`
2. Data transmission
Two step process:
Handshake : exchange private keys using a public key encryption
algorithm
Data transmission: exchange the required data using a private key
encryption
45
SSL Handshake Protocol
46
handshake
`
Client
Client Hello
Server
Server Hello
Server Certificate
Server Hello Done
Client Key Exchange
Change Cipher Specification
Handshake Finished
Change Cipher Specifications
Handshake Finished
47
hello
Client Hello:
List of supported private
key encryptions +
Client random number
Server Hello:
Selected encryption
algorithm
Server Random number
Session ID
Server Certificate:
Verify servers identity
`
Client
Server
Client Hello
Server Hello
Server Certificate
Server Hello Done
Client Key Exchange
Handshake Finished
Handshake Finished
48
Key exchange
Client Key Exchange:
Client
Generate second
random: Pre Master
Key
Send Pre Master Key
Calculate Master Key
Calculate Secret Key
Calculate MAC Key
Server
Calculate Master Key
Calculate Secret Key
Calculate MAC Key
`
Client
Server
Client Hello
Server Hello
Server Certificate
Server Hello Done
Client Key Exchange
Handshake Finished
Handshake Finished
49
Resumed based on Session Id
`
Client
Client Hello
Server
Server Hello
Handshake Finished
Handshake Finished
50
Certificate authority
Certificate Authority (CA) is a trusted
third party that helps identify the server.

How does everything work?
Server sends ID, public key to CA

CA creates and signs the servers Certificate
Client receives the Certificate from Server
Client verifies the Certificate using the signature and
the CAs public key
51
MAC
MAC = Message Authentication Code
The initial message is split into fragments

For each fragment a fingerprint is
calculated using the MAC key

The fragment, fingerprint and record
header are encrypted and sent
Receiver checks the fingerprint using
MAC key to detect inconsistent messages
52
Attacks on SSL
Certificate Injection Attack
The list of trusted Certificate Authorities is altered

Can be avoided by upgrading the OS or switching to a safer one.
Man in the Middle
Cipher Spec Rollback : regresses the public key encryption algorithms

Version Rollback : regression from SSL 3.0 to weaker SSL 2.0
Algorithm rollback : modify public encryption method
Truncation attack : TCP FIN|RST used to terminate connection
Can be avoided by randomly delaying the computations
Can be used on servers that accept small key sizes: 40 bits for symmetric
encryptions and 512 for the asymmetric one.
Timing attack
Brute force
53
TLS (Transport Layer Security)

IETF standard RFC 2246 similar to SSLv3
with minor differences
in record format version number

uses HMAC for MAC
a pseudo-random function expands secrets
has additional alert codes
some changes in supported ciphers
changes in certificate negotiations
changes in use of padding
54
TLS
TLS was developed by IETF to replace SSL version 3.
Based on SSL version 3, with some changes:
Replaced FORTEZZA key exchange option with DSS.
Include the hash method HMAC used by IPSec for

authentication in IP headers.
More differentiation between sub-protocols.
TLS has mechanisms for backwards compatibility with SSL.
55
TLS
TLS has about 30 possible cipher suites, combinations of
key exchange, encryption method, and hashing method.
Key exchange includes: RSA, DSS, Kerberos
Encryption includes: IDEA(CBC), RC2, RC4, DES, 3DES,
and AES
Hashing: SHA and MD5
(Note: Some of the suites are intentionally weak export
versions.)
56
Secure Electronic Transactions

(SET)
open encryption & security specification
to protect Internet credit card
transactions
developed in 1996 by Mastercard, Visa etc
not a payment system
rather a set of security protocols &
formats
secure communications amongst parties
trust from use of X.509v3 certificates
privacy by restricted info to those who need it
57
SET Components
58
SET Transaction
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
customer opens account

customer receives a certificate
merchants have their own certificates
customer places an order
merchant is verified
order and payment are sent
merchant requests payment authorization
merchant confirms order
merchant provides goods or service
merchant requests payment
59
Dual Signature
customer creates dual messages
order
information (OI) for merchant

payment information (PI) for bank
neither party needs details of other
but must know they are linked

use a dual signature for this
signed concatenated hashes of OI & PI
60
Purchase Request Customer
61
Purchase Request Merchant
62
Purchase Request Merchant

1.
2.
3.
4.
verifies cardholder certificates using CA sigs

verifies dual signature using customer's public
signature key to ensure order has not been
tampered with in transit & that it was signed
using cardholder's private signature key
processes order and forwards the payment
information to the payment gateway for
authorization (described later)
sends a purchase response to cardholder
63
Payment Gateway Authorization

1.
2.
3.
4.
5.
6.
7.
8.
verifies all certificates

decrypts digital envelope of authorization block to obtain
symmetric key & then decrypts authorization block
verifies merchant's signature on authorization block
decrypts digital envelope of payment block to obtain
symmetric key & then decrypts payment block
verifies dual signature on payment block
verifies that transaction ID received from merchant
matches that in PI received (indirectly) from customer
requests & receives an authorization from issuer
sends authorization response back to merchant
64
Payment Capture
merchant sends payment gateway a
payment capture request

gateway checks request
then causes funds to be transferred to
merchants account
notifies merchant using capture response
65
A
B
C
D
C- Secure-HTTP
Presentation of S-HTTP
Designed by E. Rescorla and A. Schiffman
of EIT to secure HTTP connections
Proposed in 1994 but never used
commercially
Not to be confused with HTTPS: encrypts
HTTP messages at the application level
Security on the WWW
66
A
B
C
D
C- Secure-HTTP
Location of S-HTTP
Secure-HTTP
Message encryption and
signature
Application Layer:
HTTP message
Transmission Control Protocol

(TCP)
HTTP-specific message
encryption
Can possibly be used
over a secure channel
Designed to be
compatible with HTTP
for handling at lower
layers
Internet Protocol
(IP)
Security on the WWW
67
A
B
C
D
C- Secure-HTTP
S-HTTP vs. SSL/TLS

HTTP-specific vs. general purpose SSL (IMAPS,
POPS, LDAPS)
Burden of encryption not on
transmission/reception but rather on message
production/unpacking
Similar set of available ciphers, plus added
capabilities for signing (DSS, RSA)
Very general specifications, leaving a lot to
implement and a potential for incompatible
implementations
Only one reference implementation in NCSA
Mosaic
Security on the WWW
68
A
B
C
D
C- Secure-HTTP
S-HTTP vs. SSL/TLS: functionalities

Security Service
S-HTTP
SSL
Privacy
Public or private cryptosystem

Encryption of the complete HTTP
transaction
Symmetric key cryptosystem

Complete communication encryption
Integrity
Simple MAC or signing
MAC only
Authentication
Key management on the keys used,

or digital signature
During the initial public key

exchange (server auth. mandatory,
client auth. optional)
Non-repudiation
Digital signature
Not provided
S-HTTP can make use of key management

Non-repudiation is not provided by SSL
Signing is optional, but a major attraction to S-HTTP
Security on the WWW
69
A
B
C
D
C- Secure-HTTP
S-HTTP vs. SSL/TLS: proxy traversal

Proxy traversal: SSL connection
OR
cleartext
SSL tunnel
External
secure server
SSL tunnel
SSL-aware proxy
Enterprise environment
Proxy traversal: S-HTTP messaging
Encrypted data
Authentication
External
secure server
Security on the WWW
S-HTTP-aware proxy
Enterprise environment
70
A
B
C
D
C- Secure-HTTP
S-HTTP inner working

Message-based encryption
Superset of HTTP: outer envelope
Specific headers added
S-HTTP message
S-HTTP headers
HTTP payload headers:
Security-Scheme, Encryption-Identity,
Certificate-Info + regular HTTP headers
Request:
Secure*Secure-HTTP/1.2
Response:
Secure-HTTP/1.2 200 OK
HTTP message body
Security on the WWW
71
A
B
C
D
C- Secure-HTTP
S-HTTP attacks
Basically the same as on SSL, since the ciphers are the same
Default values more secure in S-HTTP than SSL at the time
of proposal (e.g. DES vs. RC4)

S-HTTP generally stronger by design (more resilient to
proxy compromising)
More complex and wider specifications create a potential for
faulty implementations
No real-world use to field test the actual security of SHTTP
Security on the WWW
72
A
B
C
D
D- Other protocols
HTTP Basic Authentication
HTTP has an authentication scheme as part of its original

protocol.
Supported by almost all browsers and web servers.
Password and username are sent in clear text
(base64 encoded) in the HTTP request message.
Obviously not secure enough for sensitive information.
This scheme is being replaced by the slightly more secure
HTTP Digest Authentication, which sends a MD5 hash of the
password and other information.
Security on the WWW
73
IPsec
IPSec is a security layer added to a computers protocol
stack in the kernel (Below TCP). It is invisible to the
application. It is implemented by adding additional
protocol numbers in the IP protocol field.
Good for implementing a VPN.

Packets can be either tunneled inside IPSec packets, or
Transported with only the data portion of the original
packet encrypted.
Every IPSec end machine (which could be a LANs router)
must implement IPSec for it to work.
74
Summary
have considered:
need
for web security

SSL/TLS transport layer security protocols
de facto standard, versatile and low-level enough
to accommodate many types of payloads
SET
secure credit card payment protocols

IPSec: true network-layer security for any applications
(not just the Web)
Kerberos: robust 2-way authentication framework with
emphasis on security manageability
75
A
B
C
D
D- Conclusion
Web Security
SSL/TLS: de facto standard, versatile and low-level

enough to accommodate many types of payloads
S-HTTP: never took off, restricted to HTTP messages
IPSec: true network-layer security for any
applications (not just the Web)
Kerberos: robust 2-way authentication framework
with emphasis on security manageability
Security on the WWW
76

Chapter 11

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Chapter 11

Diunggah oleh

Hak Cipta:

Format Tersedia

CS549:

Cryptography and Network

Cryptography and Network Security

Cryptography and Network Security

Wireless LAN security 802.11

Cryptography and Network Security

Cryptography and Network Security

Cryptography and Network Security

Electronic Mail Security

Cryptography and Network Security

regarded network services

Cryptography and Network Security

Email Security Enhancements

protection from modification

protection from denial by sender

Cryptography and Network Security

Pretty Good Privacy (PGP)

developed by Phil Zimmermann

available on Unix, PC, Macintosh and Amiga

Cryptography and Network Security

Authentication, confidentiality, compression, email

Cryptography and Network Security

PGP Operation Authentication

Cryptography and Network Security

PGP Operation Confidentiality

sender generates message and random 128-bit

Cryptography and Network Security

PGP Operation Confidentiality &

signature & attach to message

Cryptography and Network Security

PGP Operation Compression

signing but before encrypting

so can store uncompressed message & signature for

uses ZIP compression algorithm

Cryptography and Network Security

PGP Operation Email Compatibility

send (encrypted message etc)

PGP also segments messages if too big

PGP Operation Summary

Cryptography and Network Security

Segmentation & Reassembly

Kb, for example

PGP provides automatic segmentation

Done after all other operations

Cryptography and Network Security

Multiple public, private key pairs for a user

own public, private keys of a PGP entity

Cryptography and Network Security

Session Key Generation

Output using cipher feedback mode

Generates 2 64-bits ciphers form session key

Plaintexts are from 128-bits randomized

Based on key stroke of user (timing and actual keys)

Cryptography and Network Security

to know which private key is proper?

Sending the least significant 64 bits as key ID

Cryptography and Network Security

Key ID, public key, encrypted private key,

Timestamp, Key ID, public key, owner trust, user ID,

Cryptography and Network Security

Public Key Management

can send messages to A forge Bs sig

computed from the signature trust field and number