technology innovation centre catc birmingham city university john higgins [email protected]...
TRANSCRIPT
www.catcemea.org.uk
technology innovation centre
CATC Birmingham City University
John [email protected]
Richard [email protected]
Global contact [email protected]
Network SecurityIntro and VPNs
BasicSecurity
Concepts,Cryptography
andIPsec
Security
o What do we require from a data security system?
o Confidentiality Only the intended recipient can read the data
o Integrity No one can change data in transit
o Authentication I am who I say I am
o Non Repudiation Proof of message sent or received
Encryption
o Solution Encryption Take the message (plain text) Apply some algorithm to each of the
letters (the cipher) Generate the encrypted message
(cipher text)
Simple Encryption
Method and Key
o Encryption has two major components
Method• Substitution• Transposition
Key
Caesar’s 26 keys
0 A B C D E F G H I J K L M N O P
1 B C D E F G H I J K L M N O P Q
2 C D E F G H I J K L M N O P Q R
3 D E F G H I J K L M N O P Q R S
4 E F G H I J K L M N O P Q R S T
5 F G H I J K L M N O P Q R S T U
6 G H I J K L M N O P Q R S T U V
7 H I J K L M N O P Q R S T U V W
Simple Encryption
o Substitution Caesar Cipher Replace each letter by a shift of the alphabet
o Encryption method Substitution
o Encryption key +3
A B C D E Z
D E F G H C
I C A M E I S A W I C O N Q U E R E DL F D P H L V D Z L F R Q T X H U H G
Veni, vidi, vici
Simple Encryption Problems
o Simple encryption systems can be broken by statistical analysis
The letter ‘e’ occurs 13% in English texts Distribution statistics exist for all the letters in
an alphabet With the power of computing, easy to try
several alternatives
Making it harder to crack
o Polyalphabetic substitution ciphers Rotate the key in use Means each time a specific letter occurs it
may be substituted by a different letter Hence it is more complex to analysis
Polyalphabetic substitution
0 A B C D E F G H I J K L M N O P
1 B C D E F G H I J K L M N O P Q
2 C D E F G H I J K L M N O P Q R
3 D E F G H I J K L M N O P Q R S
4 E F G H I J K L M N O P Q R S T
5 F G H I J K L M N O P Q R S T U
6 G H I J K L M N O P Q R S T U V
7 H I J K L M N O P Q R S T U V W
Keyword BED Use 1,4,3,1,4,3……
Polyalphabetic substitution
1 4 3 1 4 3 1 4 3 1 4 3 1 4 3 1 4 3 1
I C A M E I S A W I C O N Q U E R E D
J G D N I L T E Z J G R O U X F V H E
o Keyword is BED
o Encryption method Substitution
o Encryption key +1, +4 , +3 and then
repeat
0 A B C D E F G H I J K L M N O P
1 B C D E F G H I J K L M N O P Q
2 C D E F G H I J K L M N O P Q R
3 D E F G H I J K L M N O P Q R S
4 E F G H I J K L M N O P Q R S T
5 F G H I J K L M N O P Q R S T U
6 G H I J K L M N O P Q R S T U V
7 H I J K L M N O P Q R S T U V W
Polyalphabetic substitution
o How to crack this?
o Statistical analysis Guess the codeword length ..say 4 Analyse every 4th letter for a distribution If no pattern emerges try 3…. Etc With the power of computing, easy to try
several alternatives Again with modern computing we can analyse
the cipher text and crack the code
Other Encryption Systems
o Polyalphabetic substitution ciphers Rotate the key in use
o Transposition ciphers Re-order the letters in the message Use a key to specify the re-ordering sequence
o This is generally known as diffusion and confusion
Transposition ciphers
1 2 3 4 5
I C A M E
I S A W I
C O N Q U
E R E D Z
Message :-I CAME I SAW I CONQUERED
Write the message into the box ignoring the spaces.Insert random characters at the end of message to fill grid
Chose the KEY 3, 2, 4, 1, 5Read out the letters in column order
AANE CSOR MWQD IICE EIUZ
Cipher Machines
o Down the ages cipher machines were developed such as the famous German Enigma machine
Security
o Data Encryption Standard (DES) Uses substitution and transposition Initial proposal used 128 bit key US NSA requested key to be reduced to 56 bits With enough computing power this can now be broken
in 3.5 hours by brute force attack
o Now replaced with Triple DES Uses cascaded DES encryption
• 3 * 56 bit key = 168 bit key
2 key version 1013 times stronger then DES
Symmetric encryption
o In a shared key encryption, a single key is used for both encryption and decryption of the data
o Only the trusted parties must know the shared/secret key
o DES, 3DES, IDEA, and Blowfish are examples of shared key encryption
Does this encryption system solve all our requirements?
o Confidentiality Yes
o Integrity No
• Message may be incorrect • We can use a hash algorithm
o Authentication Yes
• Assuming no one has stolen the key
o Non repudiation No
Problems with symmetric encryption
o Two big problems exist: Scalability Key distribution
New Solutions
o Public-Private Keyso Diffie-Hellman Key Exchange
o Developed by Mathematicians who focussed on modular arithmetic and one way functions
Public Key Encryption
o Ron Rivest, Adi Shamir and Lenard Adleman produced a popular encryption method called RSA, using modular mathematics they generated two inter-related keys: Public key Private key
Pay to Terry Smith $100.00
One Hundred and xx/100 Dollars
A priA pub
BobAlice
EncryptPay to Terry Smith $100.00
One Hundred and xx/100 Dollars
Public Key Encryption
Decrypt
A pub
KJklzeAidJfdlwiej47DlItfd578MNSbXoE
RSA Operation
o To work with RSA generate a key pair Keep your private key private Publicise your public key
o When sending a message to Bob Get Bob’s public key Encrypt the message with Bob’s public key
and send it Only Bob can decrypt it with his private key
Does this encryption system solve all our requirements?
o Confidentiality Yes
o Integrity No
• Message may be incorrect• Unless we use a hash algorithm
o Authentication No
• Our public key is publicly available
o Non repudiation Maybe
How to make Authentication with Public and Private Keys
o Use your own private key to encrypt your ‘signature’ Digital signature You’re the only one with your private key
• Hence the message can be authenticated
The recipient can check your signature by ‘decrypting’ it with your public key
Fhlkdhfakjs asjfa1KJklzeAidJfdlwiej47DlItfd578MNSbXoE
‘signature’From Bob (12)
B pri
A pub
Bob
Encrypt
Pay to Terry Smith £100.00( 12 )
Public Key Encryption with Signatures
A pub
Encrypt
B pub
+
Fhlkdhfakjs asjfa1
KJklzeAidJfdlwiej47DlItfd578MNSbXoE
‘signature’From Bob (12)
A pri
A pub
Alice
Decrypt
Pay to Terry Smith £100.00( 12 )
Public Key Decryption with Signatures
Decrypt
B pub
+
B pub
Message in transit to Alice
Fhlkdhfakjs asjfa1KJklzeAidJfdlwiej47DlItfd578MNSbXoE
A pub
B pri
MESSAGE SIGNATURE
B pubA pri
Message encrypted with Signature encrypted (signed) with
Message decrypted with ApriOnly Alice can do this
Signature decrypted with BpubAnyone with Bpub can do this
Is this secure ?
o Relies on knowing you have Bpub and it really is Bob’s public Key
o Need to be sure so get Bob’s public key from a trusted source
o Key must be signed by someone you already trust
o You must have signers public key to check the signature A trusted key authority
o This is called a digital certificate
Digital Certificate
Diffie-Hellman key Exchange
o The Diffie-Hellman algorithm provides a way for two users, Bob and Alice, to establish a shared secret key that only they know They then use the key for symmetrical
encryption (e.g. 3DES) The shared secret key can be established
even though Bob and Alice are communicating over an insecure channel
Problem
o How can Bob be sure that he is exchanging keys with Alice?
o Some sort of authentication is required Pre-share keys
• Not scalable
Digital certificates• Scalable
VPN’s
IPSEC - VPN
o IPSEC – VPN Encrypt the whole IP datagram (possibly
header and all) Build a tunnel (wrap the packet in a new
IP header) Send over insure network to other end of
tunnel
IPSEC Virtual Private Networks
o Use authentication to establish who is at the other end
o Use Diffie-Hellman to generate shared secret keys
o Use symmetrical system (DES) to encrypt data
VPN usage scenarios
IPSEC VPN
o ISAKMP POLICY Authenticate Agree encryption Generate keys
o IPSEC transform set Bulk encryption method
IPSEC VPN
o Interesting Traffic for VPN Access list
o Crypto map Pulls it all together Applied on an interface.