Chapter 31
Network Security
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
31-1 SECURITY SERVICES

Network security can provide five services. Four of these services are related to the message exchanged using the network. The fifth service provides entity authentication or identification.

Topics discussed in this section:
Message Confidentiality
Message Integrity
Message Authentication
Message Nonrepudiation
Entity Authentication
31-2 MESSAGE CONFIDENTIALITY

The concept of how to achieve message confidentiality or privacy has not changed for thousands of years. The message must be encrypted at the sender site and decrypted at the receiver site. This can be done using either symmetric-key cryptography or asymmetric-key cryptography.

Topics discussed in this section:
Confidentiality with Symmetric-Key Cryptography
Confidentiality with Asymmetric-Key Cryptography
31-3 MESSAGE INTEGRITY

Encryption and decryption provide secrecy, or confidentiality, but not integrity. However, on occasion we may not even need secrecy, but instead must have integrity.

Topics discussed in this section:
Document and Fingerprint
Message and Message Digest
Creating and Checking the Digest
Hash Function Criteria
Hash Algorithms: SHA-1
Note
To preserve the integrity of a document, both the document and the fingerprint are needed.
Example 31.1
Can we use a conventional lossless compression method as a hashing function?

Solution
We cannot. A lossless compression method creates a compressed message that is reversible. You can uncompress the compressed message to get the original one.
Example 31.2
Can we use a checksum method as a hashing function?

Solution
We can. A checksum function is not reversible; it meets the first criterion. However, it does not meet the other criteria.
Note
SHA-1 hash algorithms create an N-bit message digest out of a message of 512-bit blocks.

Note
SHA-1 has a message digest of 160 bits (5 words of 32 bits).
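The points made in the integrity slides (document plus fingerprint, why a checksum fails the hash criteria, the 160-bit SHA-1 digest over 512-bit blocks) worked through in code. This is an added example, not from the original slides; the document, its tampered copy and the 8-bit checksum are constructed for illustration.

```python
import hashlib

# Constructed sample document and a tampered copy (not from the original slides).
DOCUMENT = b"Pay Bob 100 dollars"
TAMPERED = b"Pay Bob 010 dollars"   # same bytes, reordered

def checksum8(data: bytes) -> int:
    """Toy 8-bit additive checksum: one-way, but order-blind and easy to collide."""
    return sum(data) % 256

def sha1_words(data: bytes) -> list:
    """SHA-1 digest as the five 32-bit words of the 160-bit result."""
    digest = hashlib.sha1(data).digest()                      # 20 bytes
    return [int.from_bytes(digest[i:i + 4], "big") for i in range(0, 20, 4)]

def sha1_block_count(data: bytes) -> int:
    """Number of 512-bit blocks SHA-1 processes: the message, a 0x80 byte and an
    8-byte length field are padded up to a multiple of 64 bytes."""
    return (len(data) + 1 + 8 + 63) // 64

def integrity_check(document: bytes, fingerprint, fn) -> bool:
    """The Note's rule: keep the fingerprint with the document, recompute, compare."""
    return fn(document) == fingerprint

def demo() -> dict:
    checksum_fp = checksum8(DOCUMENT)        # fingerprints stored alongside DOCUMENT
    sha1_fp = sha1_words(DOCUMENT)
    return {
        # The checksum accepts the tampered copy: it fails the collision criteria.
        "checksum_detects_tamper": not integrity_check(TAMPERED, checksum_fp, checksum8),
        # SHA-1 rejects it: any change to the message changes the digest.
        "sha1_detects_tamper": not integrity_check(TAMPERED, sha1_fp, sha1_words),
        "sha1_digest_bits": 32 * len(sha1_fp),
        "sha1_blocks": sha1_block_count(DOCUMENT),
    }
```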
31-4 MESSAGE AUTHENTICATION

A hash function per se cannot provide authentication. The digest created by a hash function can detect any modification in the message, but not authentication.

Topics discussed in this section:
MAC
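Why a digest alone does not authenticate, and what a MAC adds: an added example, not from the original slides. It uses HMAC-SHA1 from the Python standard library as the MAC; the shared key and message are constructed values.

```python
import hashlib, hmac

# Constructed shared key and message (example values, not from the slides).
KEY = b"alice-bob-shared-secret"
MESSAGE = b"Transfer 100 to account 42"

def plain_digest(message: bytes) -> bytes:
    """Unkeyed SHA-1 digest: detects modification, proves nothing about the sender."""
    return hashlib.sha1(message).digest()

def mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA1: a digest that depends on the shared key as well as the message."""
    return hmac.new(key, message, hashlib.sha1).digest()

def verify_digest(message: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(plain_digest(message), digest)

def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, message), tag)

def demo() -> dict:
    # Alice sends (message, digest, tag); the message is altered in transit.
    digest, tag = plain_digest(MESSAGE), mac(KEY, MESSAGE)
    altered = MESSAGE.replace(b"42", b"99")
    return {
        "mac_accepts_original": verify_mac(KEY, MESSAGE, tag),
        # Anyone can recompute an unkeyed digest for the altered message, so the
        # digest check still passes: a hash alone gives integrity, not authentication.
        "digest_accepts_altered": verify_digest(altered, plain_digest(altered)),
        # Without KEY no matching tag exists; the original tag fails on the altered text.
        "mac_accepts_altered": verify_mac(KEY, altered, tag),
        "mac_accepts_wrong_key": verify_mac(KEY, altered, mac(b"not-the-key", altered)),
    }
```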
31-5 DIGITAL SIGNATURE

When Alice sends a message to Bob, Bob needs to check the authenticity of the sender; he needs to be sure that the message comes from Alice and not Eve. Bob can ask Alice to sign the message electronically. In other words, an electronic signature can prove the authenticity of Alice as the sender of the message. We refer to this type of signature as a digital signature.

Topics discussed in this section:
Comparison
Need for Keys
Process
Note
In a cryptosystem, we use the private and public keys of the receiver; in digital signature, we use the private and public keys of the sender.
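The Note's contrast worked through with a toy RSA: encryption uses the receiver's key pair, signing uses the sender's. This is an added example, not from the original slides; the primes, key pairs and messages are constructed, and hash-then-sign with the digest reduced modulo n stands in for a real padding scheme.

```python
import hashlib

# Toy RSA with small (about 2^30) primes, constructed for illustration only: real
# systems use 2048-bit or larger moduli and a padding scheme such as PSS.
def make_keypair(p: int, q: int, e: int = 65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)          # (public key, private key)

ALICE_PUB, ALICE_PRIV = make_keypair(1000000007, 1000000009)   # sender
BOB_PUB, BOB_PRIV = make_keypair(998244353, 2147483647)         # receiver

def _apply(key, x: int) -> int:
    exp, n = key
    return pow(x, exp, n)

def _digest_int(message: bytes, n: int) -> int:
    # Hash-then-sign: the signature covers a digest of the message, not the message.
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % n

def encrypt(receiver_pub, m: int) -> int:
    """Cryptosystem: the RECEIVER's public key encrypts..."""
    return _apply(receiver_pub, m)

def decrypt(receiver_priv, c: int) -> int:
    """...and only the receiver's private key decrypts."""
    return _apply(receiver_priv, c)

def sign(sender_priv, message: bytes) -> int:
    """Digital signature: the SENDER's private key signs..."""
    return _apply(sender_priv, _digest_int(message, sender_priv[1]))

def verify(sender_pub, message: bytes, sig: int) -> bool:
    """...and anyone holding the sender's public key verifies."""
    return _apply(sender_pub, sig) == _digest_int(message, sender_pub[1])

def demo() -> dict:
    m = int.from_bytes(b"secret", "big")          # must be smaller than Bob's n
    c = encrypt(BOB_PUB, m)
    msg = b"Alice owes Bob 100"
    sig = sign(ALICE_PRIV, msg)
    return {
        "decrypts": decrypt(BOB_PRIV, c) == m,
        "verifies": verify(ALICE_PUB, msg, sig),
        "tamper_rejected": not verify(ALICE_PUB, b"Alice owes Bob 900", sig),
        "wrong_key_rejected": not verify(BOB_PUB, msg, sig),  # receiver's key is not the signer's
    }
```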
3131--6 6 ENTITY AUTHENTICATIONENTITY AUTHENTICATION
EntityEntity authenticationauthentication isis aa techniquetechnique designeddesigned toto letlet oneoneEntityEntity authenticationauthentication isis aa techniquetechnique designeddesigned toto letlet oneonepartyparty proveprove thethe identityidentity ofof anotheranother partyparty.. AnAn entityentity cancanbebe aa personperson aa processprocess aa clientclient oror aa serverserver TheThe entityentitybebe aa person,person, aa process,process, aa client,client, oror aa serverserver.. TheThe entityentitywhosewhose identityidentity needsneeds toto bebe provedproved isis calledcalled thethe claimantclaimant;;thethe partyparty thatthat triestries toto proveprove thethe identityidentity ofof thethe claimantclaimantthethe partyparty thatthat triestries toto proveprove thethe identityidentity ofof thethe claimantclaimantisis calledcalled thethe verifierverifier..
P dTopics discussed in this section:Topics discussed in this section:PasswordsChallenge-Response
31.30
Note
In challenge-response authentication, the claimant proves that she knows a secret without revealing it.
Note
The challenge is a time-varying value sent by the verifier; the response is the result of a function applied on the challenge.
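Both Notes on challenge-response as a runnable exchange between verifier and claimant: an added example, not from the original slides. It assumes a shared secret held by both sides (constructed value), uses a random nonce plus timestamp as the time-varying challenge and HMAC-SHA256 as the function applied to it.

```python
import hashlib, hmac, secrets, time

SHARED_SECRET = b"claimant-and-verifier-shared-secret"   # constructed; never transmitted

def new_challenge() -> bytes:
    """Verifier side: a time-varying value (random nonce plus timestamp), so every
    authentication run differs and an old response cannot be reused."""
    return secrets.token_bytes(16) + int(time.time()).to_bytes(8, "big")

def respond(secret: bytes, challenge: bytes) -> bytes:
    """Claimant side: a keyed function of the challenge. The secret itself stays
    with the claimant; only HMAC(secret, challenge) is sent back."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class Verifier:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()       # challenges issued but not yet answered

    def challenge(self) -> bytes:
        c = new_challenge()
        self._outstanding.add(c)
        return c

    def check(self, challenge: bytes, response: bytes) -> bool:
        """Accept only a challenge this verifier issued and has not yet consumed,
        answered with the value only a holder of the secret can compute."""
        if challenge not in self._outstanding:
            return False                # unknown or already-used challenge
        self._outstanding.discard(challenge)   # each challenge is single-use
        return hmac.compare_digest(respond(self._secret, challenge), response)

def demo() -> dict:
    v = Verifier(SHARED_SECRET)
    c = v.challenge()
    r = respond(SHARED_SECRET, c)
    first = v.check(c, r)
    reused = v.check(c, r)                         # same pair again: stale challenge
    c2 = v.challenge()
    wrong = v.check(c2, respond(b"guess", c2))     # response made without the secret
    return {"accepted": first, "reuse_rejected": not reused, "wrong_secret_rejected": not wrong}
```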
31-7 KEY MANAGEMENT

We never discussed how secret keys in symmetric-key cryptography and how public keys in asymmetric-key cryptography are distributed and maintained. In this section, we touch on these two issues. We first discuss the distribution of symmetric keys; we then discuss the distribution of asymmetric keys.

Topics discussed in this section:
Symmetric-Key Distribution
Public-Key Distribution
Note
In public-key cryptography, everyone has access to everyone's public key; public keys are available to the public.