FACULTY OF INFORMATICS Masaryk University PA160: Net-Centric Computing II. Network Security Luděk Matýska Slides by: Tomáš Rebok Spring 2019 Luděk Matýska • 1. Network Security • Spring 2019 1/125 Course Introduction FACULTY OF INFORMATICS Masaryk University Course Introduction PA160 - Course Introduction J Luděk Matýska • 1. Network Security • Spring 2019 2/125 Course Introduction FACULTY OF INFORMATICS I Masaryk University Course Organization ■ attending the Lectures is optional ■ the knowledge acquired during PB156 & PA159 courses is assumed ■ course materials will be published on the course webpage (more or Less in time ;-)) ■ assessment methodology: ■ final exam (written form) ■ course Literature: ■ slides, RFCs,... ■ literature being announced in relevant course parts Luděk Matýska • 1. Network Security • Spring 2019 3/125 Course Introduction FACULTY OF INFORMATICS I Masaryk University Course Overview ■ the course goal: ■ to provide an advanced insight into the area of computer networks and their applications ■ discussed topics: ■ network security ■ network management and monitoring ■ parallel and distributed applications, grids ■ service-oriented architectures ■ specification and verification of communication protocols ■ network simulators and emulators ■ etc. Luděk Matýska • 1. Network Security • Spring 2019 4/125 1. Network Security FACULTY OF INFORMATICS Masaryk University 1. Network Security 1. Network Security Luděk Matýska • 1. Network Security • Spring 2019 5/125 Lecture overview FACULTY OF INFORMATICS Masaryk University Lecture overview Introduction Motivation Network Security Elements Cryptography Introduction Symmetric Cryptography Asymmetric Cryptography Network Security Mechanisms Entity Authentication Message Confidentiality (Security) Message Integrity Message Authentication Digital Signature Key Management and Distribution Example Protocols Ensuring Network Security in the Internet Application-layer Security Trans port-layer Security Network-layer Security Link-layer Security Network & Data Protection - Maintaining the Availability Firewalls Intrusion Detection Systems Denial of Service (DoS) & Distributed Denial of Service (DDoS) attacks Virusses & Worms Network & Data Protection - Concluding Remarks Conclusion Luděk Matýska • 1. Network Security • Spring 2019 6/125 Introduction FACULTY OF INFORMATICS Masaryk University Lecture overview Introduction Motivation Network Security Elements Cryptography Introduction Symmetric Cryptography Asymmetric Cryptography Network Security Mechanisms Entity Authentication Message Confidentiality (Security) Message Integrity Message Authentication Digital Signature Key Management and Distribution Example Protocols Ensuring Network Security in the Internet Application-layer Security Trans port-layer Security Network-layer Security Link-layer Security Network & Data Protection - Maintaining the Availability Firewalls Intrusion Detection Systems Denial of Service (DoS) & Distributed Denial of Service (DDoS) attacks Virusses & Worms Network & Data Protection - Concluding Remarks Conclusion Luděk Matýska • 1. Network Security • Spring 2019 7/125 Introduction FACULTY OF INFORMATICS Masaryk University Security ■ most of computer science is concerned with achieving desired behavior ■ in some sense, security is concerned with preventing undesired behavior ■ different way of thinking! ■ an enemy/opponent/hacker/adversary may be actively and maliciously trying to circumvent any protective measures one put in place ■ computer vs. network security ■ computer security - focuses on security aspects of systems in isolation ■ viruses, secure data storage, OS security, etc. ■ network security - focuses on security of data as it is transmitted between networked systems ■ authentication protocols, encryption of transmitted data, firewalls, etc. ■ not always a clear-cut dividing line... Luděk Matýska • 1. Network Security • Spring 2019 8/125 Introduction Motivation FACULTY OF INFORMATICS Masaryk University What can go wrong? ■ when your computer y receives or is waiting for a message ml Luděk Matýska • 1. Network Security • Spring 2019 9/125 Introduction Motivation FACULTY OF INFORMATICS Masaryk University What can go wrong? Message loss ■ adversary A can discard m in its transit Luděk Matýska • 1. Network Security • Spring 2019 Introduction Motivation FACULTY OF INFORMATICS Masaryk University What can go wrong? Message interception ■ adversary A can get a copy of m when m passes by Luděk Matýska • 1. Network Security • Spring 2019 11/125 Introduction Motivation FACULTY OF INFORMATICS Masaryk University What can go wrong? Message modification ■ adversary A can arbitrarily modify the content of m to become m' Luděk Matýska • 1. Network Security • Spring 2019 12/125 Introduction Motivation FACULTY OF INFORMATICS Masaryk University What can go wrong? Message insertion ■ adversary A can arbitrarily fabricate a message m, pretending that m was sent byx Luděk Matýska • 1. Network Security • Spring 2019 13/125 Introduction Motivation FACULTY OF INFORMATICS Masaryk University What can go wrong? Message replay ■ adversary A can replay a message m that has been sent earlier by x and received byy Luděk Matýska • 1. Network Security • Spring 2019 14/125 Introduction Motivation FACULTY OF INFORMATICS Masaryk University What can go wrong? Denial-of-Service attack ■ adversary A can send huge amount of messages to y to block m from arriving at y ■ in the case of botnet attack, the adversary instructs many bots to send messages to y simultaneously Luděk Matýska • 1. Network Security • Spring 2019 15/125 Introduction Motivation FACULTY OF INFORMATICS I Masaryk University What is needed? Reliable transmission ■ y wants to receive all messages sent by x to her ■ both x and y want to make sure the message is not tampered with ■ eventually they both want the message not to be overheard by any third party Introduction Motivation FACULTY OF INFORMATICS I Masaryk University What is needed? Sender verification ■ y wants to be able to verify that the message m has been really sent by x Luděk Matýska • 1. Network Security • Spring 2019 17/125 Introduction Motivation FACULTY OF INFORMATICS Masaryk University What is needed? Message non-repudiation ■ x wants to be able to prove to third party z that y has received a message m from x ■ y wants to be able to prove to third party z that x has sent a message m to y Introduction Motivation FACULTY OF INFORMATICS I Masaryk University Network Security Network Security is great... ■ protects messages from interception in their transit ■ provides desired Level of privacy for users or data ■ detects and discards messages that had been modified, inserted, or replayed ■ disallows unauthorized access to Local system resources and sensitive data ...but hard to achieve ■ many Layers in network architecture ■ many different media of network connection ■ adversary's Location hard to determine ■ new attacks keep emerging ■ cryptographic overhead Luděk Matýska • 1. Network Security • Spring 2019 19/125 Introduction Network Security Elements FACULTY OF INFORMATICS Masaryk University Network Security - Basic Elements A secure communication network should provide the following mechanisms/services: ■ AAA ■ Authentication m Authorization m Accounting ■ + secured communication ■ Confidentiality ■ Integrity ■ Non-repudiation ■ + Availability Luděk Matýska • 1. Network Security • Spring 2019 20/125 Introduction Network Security Elements FACULTY OF INFORMATICS I Masaryk University Network Security - Basic Elements Authentication ■ in Czech: autentizace NOT autentikace, autentifikace,... ■ several perspectives: ■ a process verifying that someone is who they claim they are (= entity authentication) ■ a process assuring the recipient that the message is from the source that it claims to be from (= message authentication) ■ requires a determination of the entity's identity ■ several methods for identity determination exist: ■ based on what a user knows - a proper pair of username and password/PIN ■ based on what a user has - a tool which a user owns (USB dongle, smart card, private key, etc.) ■ based on what a user is - a user has characteristics, which can be verified (fingerprint, retinal images, etc.) ■ based on what a user can - a user is able to answer particular verifying questions Ludek Matyska • 1. Network Security • Spring 2019 21 / 125 Introduction Network Security Elements FACULTY OF INFORMATICS I Masaryk University Network Security - Basic Elements Authorization ■ process of granting the user access to specific system resources ■ based on user's profile and the local/global policy controlling the resource access ■ follows the authentication process ■ ensured by access control Lists (ACLs) ■ define permissions to perform particular operation or to access particular resources Accounting ■ monitoring the users'usage of network services ■ the information can be used for management, planning, billing, or any other purposes Luděk Matýska • 1. Network Security • Spring 2019 22/125 Introduction Network Security Elements FACULTY OF INFORMATICS I Masaryk University Network Security - Basic Elements Confidentiality ■ protects data and information from unauthorized disclosure (sniffers) ■ data during transmission cannot be read by any unauthorized user ■ just the sender and receiver understand the content of the transferred message ■ ensured by message encryption Integrity ■ protects data from unauthorized modification ■ data during transmission cannot be modified or fabricated by any unauthorized user ■ usually based on encryption and hashing algorithms Luděk Matýska • 1. Network Security • Spring 2019 23/125 Introduction Network Security Elements FACULTY OF INFORMATICS I Masaryk University Network Security - Basic Elements Non-repudiation ■ sender nonrepudiation and receiver nonrepudiation serves the receiver/sender for the purposes of proving origin/delivery of the message ■ neither the sender of a message can deny the transmission of the message nor the receiver of a message is able to deny the reception of the message ■ ensured by digital signatures Availability ■ property of a system, network, or a resource being accessible and usable anytime upon demand by an authorized system entity ■ i.e., a system is available if it provides services according to the system design whenever users require them ■ has to be associated with various security services ■ such as services protecting from denial of service (DoS) attacks Luděk Matýska • 1. Network Security • Spring 2019 24/125 Cryptography Introduction FACULTY OF INFORMATICS Masaryk University Lecture overview Introduction Motivation Network Security Elements Cryptography Introduction Symmetric Cryptography Asymmetric Cryptography Network Security Mechanisms Entity Authentication Message Confidentiality (Security) Message Integrity Message Authentication Digital Signature Key Management and Distribution Example Protocols Ensuring Network Security in the Internet Application-layer Security Trans port-layer Security Network-layer Security Link-layer Security Network & Data Protection - Maintaining the Availability Firewalls Intrusion Detection Systems Denial of Service (DoS) & Distributed Denial of Service (DDoS) attacks Virusses & Worms Network & Data Protection - Concluding Remarks Conclusion Luděk Matýska • 1. Network Security • Spring 2019 25/125 Cryptography Introduction FACULTY OF INFORMATICS Masaryk University Cryptography Introduction ■ network security is mostly achieved through the use of Cryptography Cryptography: ■ the science and art of transforming messages to make them secure and immune to attacks ■ basic cryptography mechanisms: ■ symmetric (secret-key) cryptography ■ asymmetric (public-key) cryptography plaintext key key plaintext \ / M ciphertext ^ ^ encryption algorithm I \ I channel decryption C^? algorithm sender v receiver (Alice) ffft. (Bob) intruder Luděk Matýska • 1. Network Security • Spring 2019 (Trudy) 26 /125 Cryptography Introduction Symmetric Cryptography FACULTY OF INFORMATICS Masaryk University Symmetric Cryptography the same key is used by both parties for both encryption and decryption advantages: ■ Low computational demands ■ suitable for encryption of Large messages drawbacks: ■ a necessity to share the secret key (-> a mechanism for key distribution is required) ■ can lead to many keys required to be maintained (e.g., many-to-one communication in distributed environment) e.g., DES, 3DES, IDEA, BLowfish, Rivest Cipher 4 (RC4), AES, etc. Alice Bob □ Shared secret key plaintext i i I I I Encryption Luděk Matýska . l. Network SecurfffiQ^rlhg 2 ciphertext Decryption plaintext 27/125 Cryptography Introduction Symmetric Cryptography FACULTY OF INFORMATICS I Masaryk University Symmetric Cryptography Simple Symmetric Ciphers Character-oriented ■ operate on characters of an alphabet ■ substitution ciphers - substitutes one symbol with another ■ monoalphabetic - a character/symbol in the plaintext is always changed to the same character/symbol in the ciphertext (e.g., Caesar cipher) ■ polyalphabetic - each occurrence of a character can have a different substitute ■ transposition ciphers - reorders (permutes) symbols in a block of symbols ■ instead of substitutions, locations of characters change Bit-oriented ■ operate on blocks of bits ■ e.g., XOR cipher, rotation cipher, etc. Ludek Matyska • 1. Network Security • Spring 2019 28 / 125 Cryptography Introduction Symmetric Cryptography FACULTY OF INFORMATICS I Masaryk University Symmetric Cryptography DES (Data Encryption Standard) ■ designed by IBM and adopted by the U.S. government as the standard encryption method for nonmiLitary and nonclassified use ■ the algorithm encrypts a 64-bit plaintext blocks using a 64-bit key ■ in fact, the key is just 56-bits long (every eighth bit is used for parity checking and is ignored) ■ DES has two transposition blocks (so-called P-boxes) and 16 complex round ciphers ■ although the 16 iteration round ciphers are conceptually the same, each uses a different key derived from the original key ■ not considered to be secure any more ■ because of the key length (too short) I see details in the animation: http://www.cs.bham.ac.uk/research/projects/lemsys/DES/DESPage.jsp Ludek Matyska • 1. Network Security • Spring 2019 29 / 125 Cryptography Introduction Symmetric Cryptography FACULTY OF INFORMATICS Masaryk University Symmetric Cryptography DES (Data Encryption Standard) - Algorithm outline I 64-bit plaintext DES It Initial permutation Round 1 ! K, Round 2 Round 16 i K __________i Final permutation V 64-bit ciphertext Luděk Matýska • 1. Network Security • Spring 2019 I ^2 16 Round key generator 64-bit key 30/125 Cryptography Introduction Symmetric Cryptography FACULTY OF INFORMATICS Masaryk University Symmetric Cryptography DES (Data Encryption Standard) - Algorithm outline II. (single round) Rou ndi 32 bits 32 bits 32 bits 32 bits f {R,, K,) jr 32 bits -*~(+) XOR t T L.+1 Ri+i 32 bits (48 bits) !______________________ a. Encryption round Ludek Matyska • 1. Network Security • Spring 2019 Round: 32 bits 32 bits 3. Decryption round 32 bits 32 bits f v jr32 bits ^-(+) XOR T Li+1 32 bits K, (48 bits) 31/125 Cryptography Introduction Symmetric Cryptography FACULTY OF INFORMATICS I Masaryk University Symmetric Cryptography Triple DES (3DES) Triple DES (3DES) ■ has been proposed and implemented to Lengthen the DES key ■ uses three DES blocks ■ encryption: DES encryption-decryption-encryption ■ decryption: DES decryption-encryption-decryption ■ different variants: ■ 3DES with three keys —>► the size of the key is increased to 168 bits ■ 3DES with two keys {Key1 = Keyi) —>► the size of the key is 112 bits ■ if {Key! = Key2 = Keyi) standard DES Luděk Matýska • 1. Network Security • Spring 2019 32/125 Cryptography Introduction Symmetric Cryptography FACULTY OF INFORMATICS Masaryk University Symmetric Cryptography Triple DES (3DES) 64-bit plaintext Encrypt DES LU Q QJ Cl Decrypt DES □ Key, Encrypt DES f □ Key. Key, 64-bit ciphertext LU Q Cl 64-bit plaintext Decrypt DES Encrypt DES Decrypt DES 64-bit ciphertext KeVl Key- Key, a. Encryption Triple DES b. Decryption Triple DES Ludek Matyska • 1. Network Security • Spring 2019 33/125 Cryptography Introduction Symmetric Cryptography FACULTY OF INFORMATICS Masaryk University Symmetric Cryptography AES (Advanced Encryption Standard) ■ proposed as a reaction to competition for selecting a successor to DES (1997) ■ originally called Rijndaet ■ standardized in 2001 ■ three variants: AES-128, AES-192 and AES-256 ■ the number indicates the key length ■ the keysize has no theoretical maximum ■ operates on a 4 x 4 array of bytes (= 128 bits) ■ AES performs a number of repetitions of transformation rounds that convert the input plaintext into the final output of ciphertext ■ each round consists of several processing steps, including one that depends on the encryption key ■ can be effectively implemented in HW see details in the animation: http: //www. formaestudio.com/rijndaelinspector/ Luděk Matýska • 1. Network Security • Spring 2019 34/125 Cryptography Introduction Symmetric Cryptography FACULTY OF INFORMATICS Masaryk University Symmetric Cryptography AES (Advanced Encryption Standard) - Algorithm outline I AES 128-bit plaintext K, Round 10 (slightly different) K 10 Round key generator 128-bit key 128-bit ciphertext Luděk Matýska • 1. Network Security • Spring 2019 35/125 Cryptography Introduction Symmetric Cryptography FACULTY OF INFORMATICS Masaryk University Symmetric Cryptography AES (Advanced Encryption Standard) - Algorithm outline II. (single round) Round i 128-bit data Sub Byte i Shift Row Byte substitution ~l— MixColumn Byte permutation 1 Complex operation (missing in round 10) AddRoundKey I 128-bit data Luděk Matýska • 1. Network Security • Spring 2019 36/125 Cryptography Introduction Asymmetric Cryptography FACULTY OF INFORMATICS I Masaryk University Asymmetric Cryptography ■ also known as Public-key Cryptography ■ uses different keys for encryption and decryption ■ both keys are denoted as keypair ■ the public key is used for encryption, while the private key is used for decryption ■ the message encrypted by a public key can be decrypted only by the appropriate private key ■ advantages: ■ no secret key is passed between two communicating parties lowers the risk of its disclosure ■ the public key can be published ■ drawbacks: ■ the speed asymmetric ciphers are suitable for small messages ■ for example, for a symmetric key exchange ■ suffer from the man-in-the-middle attack ■ the public keys have to be provided by a trusted party ■ e.g., RSA, Diffie-Hellman (kev exchange), etc. Luděk Matýska • 1. Network Security • Spring 2019 37/125 Cryptography Introduction Asymmetric Cryptography FACULTY OF INFORMATICS Masaryk University Asymmetric Cryptography Illustration Alice plaintext Encryption ciphertext Network To the public | A ciphertext Í Bob' s public Bob's private Bob 1 Decryption plaintext Luděk Matýska • 1. Network Security • Spring 2019 38/125 Cryptography Introduction Asymmetric Cryptography FACULTY OF INFORMATICS I Masaryk University Asymmetric Cryptography RSA (Rivest, Shamir, and Adleman algorithm) I. RSA (Rivest, Shamir, and Adleman algorithm) ■ the most common and popular public key algorithm ■ RSA gets its security from the difficulty of factoring large numbers ■ uses two (Large) numbers, e and d, as the encryption and decryption keys ■ public/private keys generation: ■ choose two random Large prime numbers,p and q (ideaLLy of equaL Length, e.g., 200 digits) ■ compute the product N = p • q ■ then randomLy choose the encryption key, e (between 1 and N - 1), such that e and (p - l)(q - 1) are reLativeLy prime ■ then compute the decryption key, d: d = e"1 mod ((p - l)(q - 1)) ■ i.e., d • e = 1 mod ((p - l)(q - 1)) ■ p and q are no Longer needed ■ public key: (e, N) ■ private key: (d, N) Ludek Matyska • 1. Network Security • Spring 2019 39 / 125 Cryptography Introduction Asymmetric Cryptography FACULTY OF INFORMATICS I Masaryk University Asymmetric Cryptography RSA (Rivest, Shamir, and Adleman algorithm) II. RSA (Rivest, Shamir, and Adleman algorithm) cont'd ■ message encryption ■ to encrypt a message m, it has to be divided into numerical blocks smaller than N ■ each block is then individually encrypted: c = me mod N ■ message decryption ■ decrypt every block by: m = cd mod N I see all the details in the RSA animation: http://cryptool.org/media/RSA/RSA-Flash-en/player.html Luděk Matýska • 1. Network Security • Spring 2019 40/125 Network Security Mechanisms FACULTY OF INFORMATICS Masaryk University Lecture overview Introduction Motivation Network Security Elements Cryptography Introduction Symmetric Cryptography Asymmetric Cryptography Network Security Mechanisms Entity Authentication Message Confidentiality (Security) Message Integrity Message Authentication Digital Signature Key Management and Distribution Example Protocols Ensuring Network Security in the Internet Application-layer Security Trans port-layer Security Network-layer Security Link-layer Security Network & Data Protection - Maintaining the Availability Firewalls Intrusion Detection Systems Denial of Service (DoS) & Distributed Denial of Service (DDoS) attacks Virusses & Worms Network & Data Protection - Concluding Remarks Conclusion Luděk Matýska • 1. Network Security • Spring 2019 41 /125 Network Security Mechanisms Entity Authentication FACULTY OF INFORMATICS Masaryk University Entity Authentication Password authentication ■ the simplest and the oldest method ■ Alice authenticates to Bob by sending a password ■ fixed passwords - subjects to several attacks: ■ eavesdropping, stealing a password, accessing a file with passwords, guessing (dictionary attacks), etc. ■ can be (partially) solved by: ■ hashing the passwords ■ hashing salted passwords ■ e.g., PAP (Password Authentication Protocol) - transmits unencrypted ASCII passwords (assumes out-of-band control channel) ■ one-time passwords - passwords valid just for only one login session ■ new password generated based on previous password ■ new password generated based on a challenge ■ specialized electronic tokens, out-of-band channels (SMS), etc. Ludek Matyska • 1. Network Security • Spring 2019 42 / 125 Network Security Mechanisms Entity Authentication FACULTY OF INFORMATICS Masaryk University Entity Authentication Challenge-Response Authentication ■ in password authentication, the claimant proves her identity by demonstrating that she knows a secret (the password) ■ however, since the claimant reveals this secret, the secret is susceptible to interception by the adversary ■ in challenge-response authentication, the claimant proves that she knows a secret without revealing it ■ the challenge is a time-varying value (a random number or a timestamp) sent by the verifier ■ the claimant applies a function to the challenge and sends the result (response) to the verifier ■ the response shows that the claimant knows the secret Luděk Matýska • 1. Network Security • Spring 2019 43/125 Network Security Mechanisms Entity Authentication FACULTY OF INFORMATICS Masaryk University Entity Authentication Challenge-Response Authentication - Symmetric keys using a nonce ■ ALice asks Bob for sending a nonce (a random number, timestamp, etc.) ■ ALice encrypts the nonce by shared secret key (the password) and sends it back to Bob Alice Bob 1 T Alice -|_% Alice sends data to Bob using KAB Luděk Matýska • 1. Network Security • Spring 2019 44/125 Network Security Mechanisms Entity Authentication FACULTY OF INFORMATICS Masaryk University Entity Authentication Challenge-Response Authentication - Symmetric keys using a nonce (mutual auth.) ■ same as the previous one, but with the mutual authentication Alice Bob Alice, RA Alice sends data to Bob using KAB Luděk Matýska • 1. Network Security • Spring 2019 45 /125 Network Security Mechanisms Entity Authentication FACULTY OF INFORMATICS Masaryk University Entity Authentication Challenge-Response Authentication - Hash functions usage ■ instead of encryption/decryption, one can also use a hash function for entity authentication ■ hash function - a one-way function generating a message digest ■ details on hash functions - see Message Integrity part ■ e.g., MS CHAP (Challenge-Handshake Authentication Protocol) Alice (user) 1 Bob (server) Luděk Matýska • 1. Network Security • Spring 2019 46 /125 Network Security Mechanisms Entity Authentication FACULTY OF INFORMATICS Masaryk University Entity Authentication Asymmetric keys - Public key usage ■ instead of symmetric-key ciphers, asymmetric-key ciphers can be also used for entity authentication ■ the secret is the private key of the claimant ■ she must show that she owns the private key related to the public key ■ the nonce can be encrypted either by the claimant's public key Bob Alice (use r) a I Bob, RB Luděk Matýska • 1. Network Security • Spring 2019 47/125 Network Security Mechanisms Entity Authentication FACULTY OF INFORMATICS Masaryk University Entity Authentication Asymmetric keys - Private key usage ■ or by her private key (= digital signatures, see Later) Alice (user) 1 Bob (server) ...... Alice R B Bob K, SA (RB, Bob) Luděk Matýska • 1. Network Security • Spring 2019 48/125 Network Security Mechanisms Message Confidentiality (Security) FACULTY OF INFORMATICS Masaryk University Message Confidentiality/Security - Data Encryption ■ the transmitted data are usually (especially for the Long messages) encrypted using a symmetric cryptography algorithm ■ because of their speed ■ the shared secret key necessary for the encryption can be (prior to the transmission) obtained using: ■ asymmetric cryptography - the chosen shared key is encrypted using the public key of the communicating partner and delivered to her ■ Diffie-Hellman algorithm - shared key computation Luděk Matýska • 1. Network Security • Spring 2019 49 /125 Network Security Mechanisms Message Confidentiality (Security) FACULTY OF INFORMATICS Masaryk University Message Confidentiality/Security - Data Encryption Symmetric Cryptography Alice g____________s_h5_ed_keys____________|| Bob Plaintext .-. Ciphertext Encryption Decryption Plaintext Data flow a. A shared secret key can be used in Alice-Bob communication Alice H____________S_har_ed_keys____________g Bob Plaintext i-1 Ciphertext ,-■ Plaintext -Decryption-Encryption- Data flow b. A different shared secret key is recommended in Bob-Alice communication Ludek Matyska • 1. Network Security • Spring 2019 50/125 Network Security Mechanisms Message Confidentiality (Security) FACULTY OF INFORMATICS Masaryk University Message Confidentiality/Security - Data Encryption Diffie-Hellman algorithm for session key generation I. Alice Bob Both Alice and Bob know tin- values of N and G ] O I Rl = Gx mod N Rl R2 = Gy mod N ] ^) R2 I K = (R2)x mod N~| Shared secret key f I K = (Rip mod N~| K = G*y mod N G and N are prime numbers, which both parties have to agree on ■ can be freely transmitted through the network the x and y are (private) Large numbers chosen by the parties independently on each other the computed K becomes the shared key used for the following symmetric encryption employed principle: (Gx mod N)y mod N = (Gy mod N)x mod N = Gxy mod N Luděk Matýska • 1. Network Security • Spring 2019 51/125 Network Security Mechanisms Message Confidentiality (Security) FACULTY OF INFORMATICS Masaryk University Message Confidentiality/Security - Data Encryption Diffie-Hellman algorithm for session key generation II. ■ a weakness - suffers from a man-in-the-middLe attack ■ can be avoided if Bob and Alice first authenticate each other Alice p and g are public. Eve Bob R, = gx mod p R2 = gz mod p HC-, = (R2)x mod p R3 = gv mod p K-, = (R-|)z mod p K2 = (R3)z mod p Alice-Eve key K2 = (R2) y mod p Eve-Bob key K1 = gxz mod p K2 = gzy mod p Luděk Matýska • 1. Network Security • Spring 2019 52/125 Network Security Mechanisms Message Integrity FACULTY OF INFORMATICS Masaryk University Message Integrity Hash functions ■ encryption provides confidentiality, but not integrity ■ sometimes, the message does not need to be hidden (encrypted) - the only need is to keep it safe from any tampering ■ to preserve the integrity of a message, the message is passed through a hash function ■ an algorithm that creates a compressed "image" (fingerprint) of the message ■ so-caLLed a message digest or a modification detection code (MDC) ■ the digest needs to be kept secret ~* 1 1 Hash _w - function Message (Variable length) Message Digest (Fixed length) Luděk Matýska • 1. Network Security • Spring 2019 53/125 Network Security Mechanisms Message Integrity FACULTY OF INFORMATICS I Masaryk University Message Integrity Hash function criteria ■ to be eligible for a hash, a function needs to meet the four criteria: ■ one-wayness - a message digest is created by a one-way hashing function ■ it must be impossible to recreate the message from the digest ■ resistance to weak collision - ensures that a message cannot easily be forged ■ one cannot easily modify the original message so that the new message hashes exactly to the same digest ■ resistance to strong collision - ensures that we cannot find two messages that hash to the same digest ■ called "strong" because the probability of a collision is higher than in the previous case ■ computation ease - it must be easy to compute the hash value for any given message ■ hash function examples: ■ MD5 (broken not secure), SHA-1, SHA-256, SHA-512, etc. Luděk Matýska • 1. Network Security • Spring 2019 54/125 Network Security Mechanisms Message Integrity FACULTY OF INFORMATICS Masaryk University Message Integrity Message integrity check Luděk Matýska • 1. Network Security • Spring 2019 55/125 Network Security Mechanisms Message Authentication FACULTY OF INFORMATICS Masaryk University Message Authentication Message Authentication ■ a process assuring the recipient that the message is from the source that it claims to be from ■ can be provided by: ■ symmetric cryptography - keyed hash functions, HMAC ■ asymmetric cryptography - digital signature Luděk Matýska • 1. Network Security • Spring 2019 56/125 Network Security Mechanisms Message Authentication FACULTY OF INFORMATICS I Masaryk University Message Authentication Symmetric cryptography ■ keyed hash functions are used ■ when creating the digest, such a function includes the symmetric key between the sender and receiver into the computation ■ so-called Message Authentication Code (MAC) is computed ■ besides the message authentication, the message integrity is obviously ensured as well AJice Bob L Luděk Matýska • 1. Network Security • Spring 2019 57/125 Network Security Mechanisms Message Authentication FACULTY OF INFORMATICS Masaryk University Message Authentication Symmetric cryptography - HMAC ■ instead of keyed hash functions, a keyless hash function can also be used for message authentication ■ = hashed MAC (HMAC) ■ creates a MAC by applying a keyless hash function to the concatenation of the message and a symmetric key ■ i.e., a copy of the symmetric key is prepended to the message and this combination is hashed using a keyless hash function (e.g., SHA-1, SHA-256, etc.) Message Hash IUI HMAC Hash HMAC Luděk Matýska • 1. Network Security • Spring 2019 58/125 Network Security Mechanisms Digital Signature FACULTY OF INFORMATICS I Masaryk University Digital Signature ■ MAC's/HMACs main drawback: they require a symmetric key to be established between the sender and the receiver ■ =4> Digital Signatures - employ asymmetric cryptography to provide message authentication and integrity ■ besides, the message nonrepudiation is also provided Digital Signature ■ a message is "signed" (= encrypted) using the sender's private key ■ and "verified" (= decrypted) using the sender's public key ■ can be achieved in two ways: ■ signing the whole document - easier, but less efficient (for long messages) ■ both the encrypted and unencrypted message are available ■ signing a digest of the document ■ most commonly used ■ instead of encrypting the whole document, just the message's digest is encrypted again, both the message and the signature are available Ludek Matyska • 1. Network Security • Spring 2019 59 / 125 Network Security Mechanisms Digital Signature FACULTY OF INFORMATICS Masaryk University Digital Signature Sender's side Alice Message Hash | Alice's private Message Message plus signed digest To Bob □ Encrypt n Digest Signed digest Luděk Matýska • 1. Network Security • Spring 2019 60/125 Network Security Mechanisms Digital Signature FACULTY OF INFORMATICS Masaryk University Digital Signature Receiver's side From Alice Alice's public T Digest Bob □ I I Message Decrypt ->- Compare Hash T" Digest Luděk Matýska • 1. Network Security • Spring 2019 61/125 Network Security Mechanisms Digital Signature FACULTY OF INFORMATICS Masaryk University Digital Signature Summary Remember In a crypto system (to provide message confidentiality),we use the private and public keys of the receiver; in digital signatures (to provide message authentication/integrity/nonrepudiation),\Ne use the private and public keys of the sender. ■ to combine both, the message is signed at first and Later both the message and the signature are encrypted Luděk Matýska • 1. Network Security • Spring 2019 62/125 Network Security Mechanisms Key Management and Distribution FACULTY OF INFORMATICS I Masaryk University Key Management and Distribution How secret keys in symmetric-key cryptography and how public keys in asymmetric-key cryptography are distributed and maintained? Symmetric-key Distribution ■ the symmetric key needs to be shared between every two communicating parties ■ if Alice needs to exchange confidential messages with N people -she needs to maintain N different keys ■ if N people need to communicate with one another - a total of N • (N - l)/2 keys is needed ■ (each person needs to maintain N - 1 keys; since the keys are shared, we need "only" N • (N - l)/2 keys) ■ moreover, the keys'distribution is another problem ■ ^> a trusted party - Key Distribution Center (KDC) - is needed to reduce the number of keys Luděk Matýska • 1. Network Security • Spring 2019 63/125 Network Security Mechanisms Key Management and Distribution FACULTY OF INFORMATICS Masaryk University Symmetric-key Management and Distribution Key Distribution Center (KDC) ■ each person/entity establishes a shared secret key with the KDC □ Alice ^g^kAli -Bito CI ■ J^a Bob Ann K Ami rrrm ^ " K S George KDC .J< Betsy Ted . Betsy Luděk Matýska • 1. Network Security • Spring 2019 64/125 Network Security Mechanisms Key Management and Distribution FACULTY OF INFORMATICS Masaryk University Symmetric-key Management and Distribution Key Distribution Center (KDC) cont'd. ■ the process of sending a confidential message from Alice to Bob may proceed as follows: 1. Alice sends a request to KDC, stating that she needs a session (temporary) secret key between herself and Bob 2. KDC informs Bob of Alice's request 3. If Bob agrees, a session key is created between the two ■ once the communication is terminated, the session key is no longer valid ■ several approaches of creating the session key based on the previous ideas have been proposed ■ e.g., basic approach, Needham-Schroeder protocol, Otway-Rees protocol, etc. ■ for the following three slides, the following holds: ■ Ka (Kb) ...a symmetric key known only to A and S (resp. B and S) ■ /?, RA, RB, /?!, R2 ...nonces ■ KAB ...the symmetric session key ■ example real implementation - Kerberos Ludek Matyska • 1. Network Security • Spring 2019 65 / 125 Network Security Mechanisms Key Management and Distribution FACULTY OF INFORMATICS I Masaryk University Symmetric-key Management and Distribution Key Distribution Center (KDC) III. - Basic Approach Alice KDC Bob Exchanging Data Using KAB Luděk Matýska • 1. Network Security • Spring 2019 66/125 Network Security Mechanisms Key Management and Distribution FACULTY OF INFORMATICS I Masaryk University Symmetric-key Management and Distribution Key Distribution Center (KDC) III. - Needham-Schroeder protocol Alice Bob Ludek Matyska • 1. Network Security • Spring 2019 67/125 Network Security Mechanisms Key Management and Distribution FACULTY OF INFORMATICS Masaryk University Symmetric-key Management and Distribution Key Distribution Center (KDC) III. - Otway-Rees protocol Alice □ KDC KAl R, Alice, Bob , RA, R, Alice. Bob KA1 RB, R, Alice, Bob , |RA> R, Alice , Bob R, RB, KAB , RA, KAB A message Bob ] I ^A' ^-AB Luděk Matýska • 1. Network Security • Spring 2019 68/125 Network Security Mechanisms Key Management and Distribution FACULTY OF INFORMATICS Masaryk University Public-key Management and Distribution Public-key Distribution ■ in pubLic-key cryptography, everyone shields a private key and advertises a public key ■ the public-key is freely available ■ Why a public-key distribution mechanism is needed, when the public-keys can be freely announced? ■ to protect the keys from forgery ■ the mechanism: the use of a trusted center - Certification Authority Luděk Matýska • 1. Network Security • Spring 2019 69/125 Network Security Mechanisms Key Management and Distribution FACULTY OF INFORMATICS Masaryk University Public-key Management and Distribution Certification Authority (CA) Certification Authority (CA) ■ issues so-called public-key certificates ■ bind an entity (human, server, etc.) with its public key ■ to prevent the certificate itself from being forged, the CA signs the certificate with its private key ■ such a certificate can be freely published and distributed ■ anyone who wants to extract the public key from the certificate uses the CA's public key to extract it ■ when compromised, the previously issued certificates can be revoked ■ example: X.509 certificates ■ supports hierarchical structure to allow the use in the wide Internet ■ (= hierarchical trust model) ■ called Public Key Infrastructure (PKI) Ludek Matyska • 1. Network Security • Spring 2019 70 / 125 Network Security Mechanisms Key Management and Distribution FACULTY OF INFORMATICS Masaryk University Public-key Management and Distribution X.509 Certificates Certificate Version Certificate Serial Number Certificate Algorithm Identifier for Certificate Issuer's Signature Issuer Validity Period Subject Subject Public-Key Information Algorithm Identifier Public-Key Value Issuer Unique Identifier Subject Unique Identifier Extensions Certification Authority's Digital Signature Extension Fields (optional) Luděk Matýska • 1. Network Security • Spring 2019 71/125 Network Security Mechanisms Key Management and Distribution FACULTY OF INFORMATICS Masaryk University Public-key Management and Distribution Public Key Infrastructure (PKI) Root CA Level-1 CA1 Level-2 CA1 Level-1 CA2 Level-2 CA2 Level-2 CA3 Level-2 CA4 Level-2 CA5 Level-2 CA6 One of many definitions: a set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke certificates based on public key cryptography each certificate is issued (and signed) only by a single party (= CA) ■ each CA certifies only its children ■ the CA's certificate itself may be signed by a different CA (all the way up to a "self-signed" root certificate) ■ root certificates must be available to those who use a lower level CA certificate (root certificates are typically widely distributed) Luděk Matýska • 1. Network Security • Spring 2019 72/125 example rroiocois ensuring iNetworK security in tne Internet FACULTY OF INFORMATICS I Masaryk University Lecture overview Introduction Motivation Network Security Elements Cryptography Introduction Symmetric Cryptography Asymmetric Cryptography Network Security Mechanisms Entity Authentication Message Confidentiality (Security) Message Integrity Message Authentication Digital Signature Key Management and Distribution Example Protocols Ensuring Network Security in the Internet Application-layer Security Trans port-layer Security Network-layer Security Link-layer Security Network & Data Protection - Maintaining the Availability Firewalls Intrusion Detection Systems Denial of Service (DoS) & Distributed Denial of Service (DDoS) attacks Virusses & Worms Network & Data Protection - Concluding Remarks Conclusion Luděk Matýska • 1. Network Security • Spring 2019 73/125 example rroiocois ensuring raeiworK security in tne Internet FACULTY OF INFORMATICS I Masaryk University Example Protocols Ensuring Network Security in the Internet ■ all the presented concepts can be realized on: ■ application layer - security mechanisms provided by applications (application protocols) themselves ■ e.g., PGP,SET,S/MIME,S-HTTP,etc. ■ transport layer - SSL and TLS ■ network layer - IPv6 & IPSec (IPv4) ■ link layer - e.g., PPP Luděk Matýska • 1. Network Security • Spring 2019 74/125 example protocols ensuring raeiworK security in tne Internet Application-layer Security FACULTY OF INFORMATICS I Masaryk University Application-Layer Security Pretty Good Privacy (PGP) ■ a de-facto standard proposed by Phil Zimmermann (1991) ■ the mechanism providing secure email communication channels ■ originally uses an alternative approach to PKI for distributing user's public keys - Web of Trust ■ decentralized trust model ■ identity certificates are digitally signed by other users who, by that act, endorse the association of that public key with the person/entity listed in the certificate ■ =>- leaves the trust decisions in the hands of individual users ■ there are several levels of confidence which can be included in such signatures ■ later versions are able to use PKI as well ■ involves all the basic security mechanisms: ■ email confidentiality (using a symmetric one-time key because of performance - 3DES, IDEA, etc.) ■ integrity (hash functions - MD5, SHA) ■ authentication (asymmetric cryptography - RSA) ■ non-repudiation (through the use of PKI) ■ « Digital Signatures Luděk Matýska • 1. Network Security • Spring 2019 75/125 example rroiocois ensuring roeiworK security in ine Internet Application-layer Security FACULTY OF INFORMATICS Masaryk University Application-layer Security - PGP Sender's side Sender site (Alice) Digital signature Privacy □ — Encrypt Digest Signed digest Encrypted (secret key & message + digest) Figure: The mechanism of signing and encrypting the sending message (sender's side). Ludek Matyska • 1. Network Security • Spring 2019 76 / 125 example rroiocois ensuring iNetworK security in tne Internet Application-layer Security FACULTY OF INFORMATICS Masaryk University Application-layer Security - PGP Receiver's side Bob's private Encrypted (secret key & message + digest) Encrypted (secret key) Decrypt - Encrypted (message + digest) 1 OP One-time J secret key ->-| Decrypt |- Alice's public,. Email —nz t Hash | Receiver site (Bob) Decrypt | J->~ Compare -J | Digest Digest Figure: The mechanism of decrypting and verifying the received message 77/125 (receiver's side). Ludek Matyska • 1. Network Security • Spring 2019 example rroiocois ensuring raeiworK security in tne Internet Application-layer Security FACULTY OF INFORMATICS I Masaryk University Application-Layer Security Secure Electronic Transactions (SET) I ■ a specialized cryptographic protocol developed by a group of companies (Visa, Microsoft, IBM, MasterCard, etc.) ■ designed for securing credit card transactions over insecure networks ■ NOT for a general encryption ■ design goals: ■ confidentiality of payment and ordering information ■ integrity of all transmitted data ■ authentication of all card holders ■ ensuring that a merchant can accept card transactions based on buyer's relationship with her financial institution ■ the merchant does not need to know the buyer's identity ■ creating protocols that neither depend on transport security mechanism nor prevent their use Luděk Matýska • 1. Network Security • Spring 2019 78/125 example rroiocois ensuring meiworK security in ine Internet Application-layer Security FACULTY OF INFORMATICS Masaryk University Application-Layer Security Secure Electronic Transactions (SET) II. Customer Í 1. Customer browses and decides to purchase. 2. SET sends order and payment information. 7. Merchant completes order. □ro Merchant 9. Issuer sends credit card bill to customer. 3. Merchant forwards payment information to bank. 6. Bank authorizes payment. 8. Merchant captures transaction. 4. Bank checks with issuer for payment authorization. 5. Issuer authorizes payment. Customer's bank ("issuer") Merchant's bank Figure: The SET transactions outline. Luděk Matýska • 1. Network Security • Spring 2019 79/125 example protocols ensuring iNetworK security in tne Internet Application-layer Security FACULTY OF INFORMATICS Masaryk University Application-Layer Security S/MIME and S-HTTP Secure/Multipurpose Internet Mail Extension (S/MIME) ■ a standard for public key encryption and signing of MIME data ■ MIME - Internet standard that extends the format of e-mail to support, e.g., text in character sets other than ASCII, non-text attachments (pictures, video, audio, etc.), message bodies with multiple parts, etc. ■ provides authentication, message integrity and non-repudiation of origin (using digital signatures) and privacy and data security (using encryption) Secure-HTTP (S-HTTP) ■ extends the Hypertext Transfer Protocol (HTTP) to support encryptions and digital signatures ■ extends the negotiation between the client browser and the server to include the negotiation for security matters ■ uses additional headers for message encryption, digital certificates, and authentication in the HTTP format ■ the HTTP headers are encapsulated into the S-HTTP headers ■ has been bundled away by the HTTPs (HTTP over SSL/TLS) Ludek Matyska • 1. Network Security • Spring 2019 80/125 example protocols ensuring iNetworK security in tne Internet Transport-layer Security FACULTY OF INFORMATICS Masaryk University Transport-layer Security - SSL/TLS I. Secure Sockets Layer (SSL) / Transport Layer Security (TLS) ■ the protocols for ensuring secure communication channels on the transport layer ■ (SSL precedes the TLS) ■ SSL 3.0 « TLS 1.0 (but see Poodle attack) ■ SSL/TLS provide secure and authenticated data paths between servers and clients: ■ data encryption - protect data in transport between the client and the server from interception (making them readable only by the intended recipient) ■ server and client authentication - the SSL uses standard public key encryption to authenticate the communicating parties to each other ■ message integrity - achieved through the use of session keys so that data cannot be intentionally/unintentionally tampered ■ main drawback: the necessity to adapt the applications (applications' protocols) ■ HTTP HTTPS (HTTP Secure) ■ FTP FTPS (FTP Secure) Ludek Matyslca ^^E'Network Security • Spring 2019 81 / 125 example rroiocois ensuring iNetworK security in tne Internet Transport-layer Security FACULTY OF INFORMATICS I Masaryk University Transport-layer Security - SSL/TLS Application Layer Change Cipher Specification SSL Alert Protocol SSL Handshake Protocol SSL Record Protocol TCP Protocol IP Protocol I] > SSL Figure: The SSL protocol stack. Ludek Matyska • 1. Network Security • Spring 2019 82/125 example protocols ensuring iNetworK security in tne Internet Transport-layer Security FACULTY OF INFORMATICS Masaryk University Transport-layer Security - SSL/TLS III. Before any SSL connection can be established, there must be a handshake performed: 1 2 Browser Algorithms I support. My random number. ^Verify certificate and extract seiver's public key. Enciypt pre-master secret with seiver's public key. ^Compute secret key. Send checksum of handshake messages using secret key. Compare checksum on client side. V__ Web Server r \ Use this algorithm. My random numl)er. My digital certificate. Deciyirt pre master secret with server's private key. D I Compute secret key. Compare checksum on seivei side. Send checksum of handsliake messages using secret key. V _ _J Figure: The SSL handshake (steps 5 and 6 verify the integrity of the handshake; the communication is encrypted using a symmetric (session) key). Ludek Matyska • 1. Network Security • Spring 2019 83 / 125 example protocols ensuring roetworK security in tne Internet Network-layer Security FACULTY OF INFORMATICS Masaryk University Network-layer Security - IPv6 & IPSec (IPv4) I. IP Security - IPv6 & IPSec (IPv4) ■ a set of protocols providing secured communication channels on the network layer ■ Authentication Header (AH) protocol - designed for ensuring sender's and receiver's authentication and communication integrity (NOT for communication confidentiality) ■ Encapsulating Security Payload (ESP) protocol - designed for providing sender's authentication, communication integrity and confidentiality ■ can be used independently or in combination ■ establishes logical channels (called Security Associations, SAs) ■ always one-way channels (two channels are needed for duplex communication) ■ identified by: ■ protocol identifier (AH or ESP), source IP address, and channel identification (so-called Security Parameter Index, SPI) ■ operates in 2 modes: ■ Transport mode - IPSec header is inserted between IP header and message body ■ Tunnel mode - IPSec header is inserted in front of the original IP Luděk Matýska^??lte^u^V^9Írír^61§w IP header is Created 84/125 example protocols ensuring roetworK security in tne Internet Network-layer Security FACULTY OF INFORMATICS I Masaryk University Network-layer Security - IPv6 & IPSec (IPv4) II. ■ key distribution: ■ Internet Key Exchange (IKE) - used to set up an SA (RFC 4306 for v2) ■ uses X.509 certificates for authentication and Diffie-HeLLman key exchange to set up a shared session secret ■ Internet Security Association and Key management Protocol (ISAKMP) - a framework for authentication and key exchange (RFC 2408) ■ designed to be key exchange independent (IKE or other protocols can be used to provide authenticated keying material) ■ advantages: secures all the data flows between two communicating parties; it is not necessary to adapt applications (application protocols) ■ drawbacks: there are no automated mechanisms for cryptographic keys' management ■ further information: ■ see IPv6 section in PA159 Ludek Matyska • 1. Network Security • Spring 2019 85 / 125 example protocols ensuring iNetworK security in tne Internet Network-layer Security FACULTY OF INFORMATICS Masaryk University Network-layer Security - IPv6 & IPSec (IPv4) Transport vs. Tunnel mode IP Header The rest of the packet IP Header IPsec Header The rest of the packet Figure: Transport mode. < <= IP Header The rest of the packet \ New IP Header IPsec Header IP Header The rest of the packet Payload for new IP header Figure: Tunnel mode. Luděk Matýska • 1. Network Security • Spring 2019 86/125 example protocols ensuring iNetworK security in tne Internet Network-layer Security FACULTY OF INFORMATICS I Masaryk University Network-layer Security - IPv6 & IPSec (IPv4) IV. Virtual Private Network (VPN) ■ a computer network that uses a public telecommunication infrastructure (such as the Internet) to provide remote offices or individual users with secure access to their organization's network ■ using a secure cryptographic method, it encapsulates data transfers between two or more networked devices which are not on the same private network ■ in order to keep the transferred data private ■ the VPN technology provides the following activities: ■ IP encapsulation - involves enclosing TCP/IP data packets within another packet with an IP-address of either a firewall or a server that acts as a VPN endpoint ■ various tunneling mechanisms: IPSec ESP tunnel, Point-to-Point Tunneling protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), PPP over SSL and PPP over SSH, etc. ■ Encryption - used to obfuscate the contents of the encapsulated data ■ Authentication - used to determine whether or not the endpoint can participate in the encrypted tunnel ■ may also be used to exchange the secret or public key used for payload encryption Luděk Matýska • 1. Network Security • Spring 2019 87/125 example protocols ensuring roetworK security in tne Internet Network-layer Security FACULTY OF INFORMATICS I Masaryk University Network-layer Security - IPv6 & IPSec (IPv4) IV. Virtual Private Networks (VPNs) II. Laptop Laptop Protected Network Protected Network Luděk Matýska • 1. Network Security • Spring 2019 88/125 example protocols ensuring iNetworK security in tne Internet Link-layer Security FACULTY OF INFORMATICS Masaryk University Link-Layer Security Point-to-Point Protocol (PPP) Point-to-Point Protocol (PPP) ■ a data Link protocol commonly used in establishing a direct connection between two networking nodes ■ limited to a single data link ■ provides connection authentication, transmission encryption (confidentiality), and compression ■ several authentication protocols can be used (PAP, CHAP, EAP, etc.) ■ transmission encryption - DES or 3DES ■ most commonly used forms: ■ Point-to-Point Protocol over ATM (PPPoA) m Point-to-Point Protocol over Ethernet (PPPoE) ■ both serve to establish a DSL line connection with an ISP Luděk Matýska • 1. Network Security • Spring 2019 89/125 Network & Data Protection - Maintaining the Availability FACULTY OF INFORMATICS Masaryk University Lecture overview Introduction Motivation Network Security Elements Cryptography Introduction Symmetric Cryptography Asymmetric Cryptography Network Security Mechanisms Entity Authentication Message Confidentiality (Security) Message Integrity Message Authentication Digital Signature Key Management and Distribution Example Protocols Ensuring Network Security in the Internet Application-layer Security Trans port-layer Security Network-layer Security Link-layer Security Network & Data Protection - Maintaining the Availability Firewalls Intrusion Detection Systems Denial of Service (DoS) & Distributed Denial of Service (DDoS) attacks Virusses & Worms Network & Data Protection - Concluding Remarks Conclusion Luděk Matýska • 1. Network Security • Spring 2019 90/125 Network & Data Protection - Maintaining the Availability FACULTY OF INFORMATICS I Masaryk University Network&Data Protection - Maintaining the Availability I. ■ all the previous security mechanisms cannot prevent Eve from sending a harmful message to a system ■ network & data protection - a complicated problem without a simple solution ■ authentication and encryption mechanisms are just technical fundamenta Ls ■ organizational and social aspects are needed ■ humans (users) are usually the weakest elements social engineering ■ possible threats: ■ accessing private data ■ modification of private or public data ■ including their removal (e.g., web pages) ■ undesired interferences to the network traffic/operation ■ including services' denial (so-called Denial of Service Ludek Matyska • 1. Ne^WrS£Jc§)ity • Spring 2019 91 / 125 Network & Data Protection - Maintaining the Availability FACULTY OF INFORMATICS Masaryk University Network&Data Protection - Maintaining the Availability I. A bit of History Public Internet use explodes World Wide Web is born ■ AOL brings e-mail to masses ■ IBM PC released ■ Home computers widely . available First microcomputers created First e-mail message sent Intel develops first microprocessor DARPA Internet project is born ' ENIAC, the first digital computer, is developed 2005 1995 - 1965 1955 1945 - Network Security Foundations published CERT reports 52.000 Internet hacks CERT reports 10.000 Internet hacks • First Office document viruses appear DARPA funds Firewall Toolkit" ■ CERT reports six Internet hacks ' First computer virus developed -Movie War Games popularizes hacker culture Modems usher in Era of Hacking DES encryption developed Public key encryption developed Luděk Matýska • 1. Network Security • Spring 2019 92/125 Network & Data Protection - Maintaining the Availability FACULTY OF INFORMATICS Masaryk University Network&Data Protection - Maintaining the Availability II. Attack/Intrusion a deliberate unauthorized attempt, successful or not, to break into, access, manipulate, or misuse some valuable property and where the misuse may result into or render the property unreliable or unusable The attack/intrusion process consists of few stages: ■ Reconnaissance - the process of gathering information about the target system and the details of its workings and weak points ■ a scanning program sends network traffic to all/selected computers and expects receiving return traffic that will indicate whether those computers have known vulnerabilities ■ Physical Intrusion to acquire/modify private information, and/or ■ Denial of Service to crash a service (or a machine), overload network links or machines' CPU, fill up a disk, etc. Luděk Matýska • 1. Network Security • Spring 2019 93/125 Network & Data Protection - Maintaining the Availability FACULTY OF INFORMATICS Masaryk University Network & Data Protection - Maintaining the Availability m. The protection from exploits has to be implemented on: ■ physical level ■ access protection ■ software level ■ authentication ■ encryption ■ traffic monitoring and instant reaction to incidents ■ juridical level ■ a definition of desired and undesired behaviour The basic security mechanisms for network protection: ■ Firewalls m Intrusion Detection Systems m Antiviruses Ludék Matyska • 1. Network Security • Spring 2019 Network & Data Protection - Maintaining the Availability Firewalls FACULTY OF INFORMATICS Masaryk University Firewalls I. Firewall ■ a primary mean of securing a private network against penetration ■ firewall = a hardware, software, or a combination of both that monitors and filters traffic packets that attempt to either enter or Leave a protected private network ■ i.e., interconnects networks with different trust ■ creates a perimeter defense designed to protect information resources of an organization Firewall Luděk Matýska • 1. Network Security • Spring 2019 95/125 Network & Data Protection - Maintaining the Availability Firewalls FACULTY OF INFORMATICS Masaryk University Firewalls II. What a firewall can do... ■ implement security policies network access protection) at a single point ■ only authorized traffic is allowed to access the network/services ■ (or leave the network) ■ monitor security-related events (audit, Log) ■ alarms for abnormal behavior can be implemented Luděk Matýska • 1. Network Security •Spring 2019 96 / 125 Network & Data Protection - Maintaining the Availability Firewalls FACULTY OF INFORMATICS I Masaryk University Firewalls III. and what afirewaU cannot do... ■ protect against attacks that bypass the firewall ■ e.g., dial-out from internal host to an ISP ■ protect against internal threats ■ disgruntled employee ■ an insider cooperates with an external attacker ■ protect against the transfer of virus-infected programs or files ■ not including application gateways, which may be able to do so Luděk Matýska • 1. Network Security • Spring 2019 97/125 Network & Data Protection - Maintaining the Availability Firewalls FACULTY OF INFORMATICS I Masaryk University Firewalls IV. Firewalls' Classification Basic firewalls' classification: ■ Packet filtering firewalls - operate on network layer ■ Circuit level gateways - operate on session/transport layer ■ Application gateways (or proxy servers) - operate on application layer ■ Dynamic packet filtering firewalls (or Session filtering firewalls) ■ a combination of the three above ■ these technologies operate at different Levels of detail, providing varying degrees of network access protection Luděk Matýska • 1. Network Security • Spring 2019 98/125 Network & Data Protection - Maintaining the Availability Firewalls FACULTY OF INFORMATICS Masaryk University Firewalls V. Packet Filtering firewalls ■ decisions are made on per-packet basis ■ no state information is maintained ■ applies packet filters based on access rules defined by the following parameters: ■ source address ■ destination address ■ application or protocol/next header (TCP, UDP, etc.) ■ source port number ■ destination port number ■ advantages: ■ simple, low cost, fast, transparent to users ■ disadvantages: ■ cannot prevent attacks that employ application-specific vulnerabilities or functions LucekMatyska. ilefefi&IMSS^^^cflP1 examine upper-Layer data Network & Data Protection - Maintaining the Availability Firewalls FACULTY OF INFORMATICS Masaryk University Firewalls V. Dynamic Packet Filtering (Session Filtering) firewalls I. ■ traditional packet filters do not examine higher layer context ■ i.e., matching the incoming (returned) packets with an outgoing flow ■ dynamic packet filtering examines and maintains a context of each packet ■ they keep track of client-server connection ■ =^ a connection table (so-called State table) is maintained ■ packet decision is made in the context of a connection ■ if a packet establishes a new connection, it is checked against a policy ■ if a packet is a part of an existing connection, it is matched up in the state table ■ advantages: ■ transparent to users ■ low CPU overheads ■ for all the packets (except the first one) belonging to the same connection, no policy database lookups are performed Luděk Matýska • 1. Network Security • Spring 2019 100/125 Network Datap op 'nforaíiatics F|revvalls Masaty* University Firewalls V. farnic Packet Rltering Filtering) firewall; Luděk Matýska . i. NetWQ rk Security . spri- ng 2019 source port source address destination port dfistinaton address Network & Data Protection - Maintaining the Availability Firewalls FACULTY OF INFORMATICS Masaryk University Firewalls V. Circuit Level Gateways I. ■ work at the session Layer of the ISO/OSI model (TCP layer of the TCP/IP model) ■ monitor TCP handshaking between packets to determine whether a requested session is legitimate ■ do not permit an end-to-end TCP connection ■ rather, the gateway sets up two TCP connections ■ one between itself and a TCP user on an inner host, and ■ one between itself and a TCP user on an outside host ■ once the two connections are established, the gateway typically relays TCP segments from one to the other without examining the contents ■ usage example: ■ hiding information about internal/protected networks ■ non-requested data from outside the firewall is not allowed in - all ports are closed until the firewall opens them ■ e.g., requests from protected network pass through the gateway, which intercept and record them ■ once the answer reaches the gateway, it is compared to the original request to see if the IP address and the port match up Luděk Matýska • 1. Network Security • Spring 2019 102 / 125 Network & Data Protection - Maintaining the Availability Firewalls FACULTY OF INFORMATICS Masaryk University Firewalls V. Circuit Level Gateways II. Circuit Level Gateways cont'd. ■ a combination of circuit-level gateway with Internet sharing = Network Address Translation (NAT) ■ originally a reaction to IPv4 address exhaustion ■ but the NAT is not a firewall on itself! Luděk Matýska • 1. Network Security • Spring 2019 103/125 Network & Data Protection - Maintaining the Availability Firewalls FACULTY OF INFORMATICS Masaryk University Firewalls V. Circuit Level Gateways III. Incoming Traffic Allowed Outgoing Traffic Luděk Matýska • 1. Network Security • Spring 2019 104/125 Network & Data Protection - Maintaining the Availability Firewalls FACULTY OF INFORMATICS Masaryk University Firewalls V. Application Gateways I. ■ similar to circuit-level gateways except that they are application specific ■ i.e., tailored to a specific application program ■ every connection between two networks is made via an application program called a proxy ■ proxies are application/protocol specific ■ they investigate the content of the passing flows ■ connection state is maintained and updated ■ only protocols that have specific proxies configured are allowed through the firewall (all other traffic is rejected) ■ e.g., a gateway that is configured to be a web proxy will not allow any FTP, telnet or other traffic through Application-level gateway Luděk Matýska • 1. Network Security • Spring 2019 105 /125 Network & Data Protection - Maintaining the Availability Firewalls FACULTY OF INFORMATICS Masaryk University Firewalls V. Application Gateways II. Application Gateways cont'd. ■ usage example: ■ HTTP proxies (URL blocking), SMTP proxies (virus scanning, spam identification), DNS proxies, etc. ■ advantages: ■ more secure than packet filtering firewalls ■ can investigate the content of the flows ■ can protect against protocol errors ■ it is easy to log and audit all incoming/outgoing traffic ■ disadvantages: ■ very CPU intensive lower performance ■ require high performance host computer ■ more vulnerable to DoS attacks (see later) ■ problematic for encrypted data (including IPSec) Luděk Matýska • 1. Network Security • Spring 2019 106/125 Network & Data Protection - Maintaining the Availability Firewalls FACULTY OF INFORMATICS I Masaryk University Firewalls VI. Concluding Remarks ■ firewalls cannot serve as a panacea to network security threats ■ many security attacks led from within the internal (not protected) network ■ increase the risk of rapid infection spread ■ false safety feeling ■ the internal network is not usually sufficiently protected ■ users become lazy ■ usually cause a slowdown on high-speed networks ■ their functionality is very useful for interrupting the ongoing attack ■ application proxies: ■ risk of faults (e.g., false virus detection) ■ the importance of privacy protection Luděk Matýska • 1. Network Security • Spring 2019 107/125 Network & Data Protection - Maintaining the Availability Intrusion Detection Systems FACULTY OF INFORMATICS Masaryk University Intrusion Detection Systems (IDS) I. ■ network perimeter security technologies (i.e., firewalls) and anti-malicious software technologies (i.e., antiviruses, see later) cannot stop attackers if they obtain authenticated access to target computers and log on to them as if they are legitimate users ■ (i.e., they had obtained login information of a legitimate user) ■ it is desirable (and often necessary) to detect intrusion activities by monitoring ingress packets that have passed through firewalls and analyze how users use their computers ■ Intrusion Detection Systems (IDS) and Honeypots Intrusion Detection Systems (IDS) ■ a system used to detect unauthorized intrusions into computer systems and networks ■ based on an assumption that the behavior of the intruder differs from that of a Legitimate user ■ they collect information from a variety of system and network sources and look for attack signatures ■ = specific patterns that usually indicate malicious or suspicious intent Ludék Matyska • 1. Network Security • Spring 2019 108 / 125 Network & Data Protection - Maintaining the Availability Intrusion Detection System FACULTY OF INFORMATICS Masaryk University Intrusion Detection Systems (IDS) II. Classification IDS classification: ■ different ways of classifying an IDS ■ IDSs based on detection model: ■ anomaly detection ■ signature based misuse (misuse detection) ■ hybrid ■ IDSs based on scope: ■ host-based ■ multihost-based ■ network-based ■ IDSs based on operation: ■ offline - inspect system logs at set intervals ■ online - monitor the system continuously Luděk Matýska • 1. Network Security • Spring 2019 Network & Data Protection - Maintaining the Availability Intrusion Detection Systems FACULTY OF INFORMATICS I Masaryk University Intrusion Detection Systems (IDS) III. Anomaly Detection Anomaly Detection IDSs: ■ model the normal usage of the network as a noise characterization ■ anything distinct from the noise (atypical behavior) is assumed to be an intrusion activity ■ e.g., flooding a host with lots of packet ■ the primary strength is its ability to recognize novel attacks ■ drawbacks: ■ assume, that intrusions will be accompanied by manifestations that are sufficiently unusual ■ generate many false alarms ■ compromise the effectiveness of the IDS Luděk Matýska • 1. Network Security • Spring 2019 110/125 Network & Data Protection - Maintaining the Availability Intrusion Detection Systems FACULTY OF INFORMATICS Masaryk University Intrusion Detection Systems (IDS) III. Misuse Detection Misuse Detection IDSs: ■ recognize known attacks based on signatures ■ a set of attack signatures has to be defined (and updated) ■ if an action matching a signature is detected, it is considered to be an attack ■ drawbacks: ■ unable to detect novel attacks ■ suffer from false alarms ■ have to be programmed again for every new pattern to be detected Luděk Matýska • 1. Network Security • Spring 2019 111/125 Network & Data Protection - Maintaining the Availability Intrusion Detection Systems FACULTY OF INFORMATICS I Masaryk University Intrusion Detection Systems (IDS) III. Host-based & Multihost-based IDSs I. Host-based IDSs: ■ host operating system (or an application) Logs in the audit information ■ e.g., use of identification and authentication mechanisms (Logins, etc.), file opens and program executions, admin activities, etc. ■ the audit is then analyzed to detect trails of intrusion Multihost-based IDSs: ■ audit information is analyzed from multiple hosts ■ analysis architecture: ■ centralized - all data shipped to a central location for analysis ■ hierarchical - data is analyzed as it passed up through the layers ■ distributed - distributed analysis of the data Luděk Matýska • 1. Network Security • Spring 2019 112/125 Network & Data Protection - Maintaining the Availability Intrusion Detection Systems FACULTY OF INFORMATICS Masaryk University Intrusion Detection Systems (IDS) III. Host-based & Multihost-based IDSs II. Host-based & Multihost-based IDSs: cont'd. ■ advantages: ■ can detect data that are encrypted during transmissions ■ do not need special hardware devices ■ check system logs and so can analyze system behavior more accurately ■ disadvantages: ■ are installed in the target systems, and so they require extra system managing ■ may consume extra computing resources on the systems ■ might become affected by attacks that affect the host computers/servers they are installed in Luděk Matýska • 1. Network Security • Spring 2019 113/125 Network & Data Protection - Maintaining the Availability Intrusion Detection Systems FACULTY OF INFORMATICS Masaryk University Intrusion Detection Systems (IDS) III. Network-based IDSs ■ Look for attack signatures in network traffic via a promiscuous interface ■ a filter is usually applied to determine which traffic will be discarded or passed on to an attack recognition module ■ to filter out known un-malicious traffic ■ advantages: ■ low cost - usually small number of selected points to monitor the entire network ■ no interference - packets are monitored passively (it does not interfere normal network traffic) ■ intrusion resistent - usually a small system, which can be easily made to resist an intrusion ■ disadvantages: ■ may not be able to analyze encrypted packets ■ may not be able to handle large volume of network traffics in time ■ some intrusion activities (e.g., fragmentation-attack) are hard to identify ■ hard to determine, whether the intrusion activity has been successfully carried out Ludek Matyska • 1. Network Security • Spring 2019 114/125 Network & Data Protection - Maintaining the Availability Intrusion Detection Systems FACULTY OF INFORMATICS Masaryk University Intrusion Detection Systems (IDS) IV. Concluding Remarks ■ Intrusion Detection Systems are only one piece of the whole security puzzle ■ they must be supplemented by other security and protection mechanisms ■ they are a very important part of security architecture but do not solve all the potenciál problems Luděk Matýska • 1. Network Security • Spring 2019 115/125 Network & Data Protection - Maintaining the Availability Intrusion Detection Systems FACULTY OF INFORMATICS I Masaryk University Honeypots Honeypot ■ a system designed to teach how intruders probe for and exploit a system ■ by learning their tools and methods, one can better protect her network and systems ■ usually used for: ■ diverting an attacker from accessing critical systems ■ collecting information about the attacker's activity ■ encouraging the attacker to stay on the system long enough for administrators to respond ■ based on virtual or real systems Luděk Matýska • 1. Network Security • Spring 2019 116/125 Network & Data Protection - Maintaining the Availability Intrusion Detection Systems FACULTY OF INFORMATICS Masaryk University Honeypots "Tracking Their Moves" I. "Tracking Their Moves" ■ do not Log information on the honeypot itself ■ the fewer modification you make to the honeypot, the better ■ the more changes you make, the better the chance an intruder will discover something is up ■ you can easily lose the information ■ track in Layers, do not depend on a single source of information ■ first layer of tracking is the firewall logs ■ second layer is the system logs ■ third layer of tracking is to use a sniffer ■ it picks up aLL keystrokes and screen captures ■ run, e.g., the Tripwire on the honeypot ■ to discover what binaries have been altered on a compromised system Luděk Matýska • 1. Network Security • Spring 2019 117/125 Network & Data Protection - Maintaining the Availability Intrusion Detection Systems FACULTY OF INFORMATICS Masaryk University Honeypots "Tracking Their Moves" II. "Tracking Their Moves" cont'd. ■ do not mindlessly reinstall the compromised system!!! ■ otherwise you'll lose the information about the security hole the intruder had exploited ■ if possible, do not reboot the compromised system ■ running malicious programs may not automatically start after the reboot ■ if possible, do not disconnect the compromised system from the network ■ the system, once being disconnected from the network, may close all the active network connections ■ better way is to cut off the system on the closest firewall ■ or disconnect it behind first network element (switch, router, etc.) Luděk Matýska • 1. Network Security • Spring 2019 118/125 uenidi or ^erviLe ^utoj ex uibinuuteu uenidi or ^erviLe Network & Data Protection - Maintaining the Availability (DDoS) attacks FACULTY OF INFORMATICS I Masaryk University Denial of Service (DoS) & Distributed DoS (DDoS) I. Denial of Service (DoS) attack: ■ an attack that causes a Loss of a service to users ■ typically the loss of network connectivity and services by consuming the bandwidth of the victim's network or overloading the computational resources of the victim's system ■ the flood of incoming messages essentially forces the target system to shut down (thus denying the service) ■ attack lead from a single source ■ not too dangerous - can be stopped in the closest active network element ■ attack lead from many sources = Distributed Denial of Service (DDoS) attack ■ a synchronized attack from many sources (e.g., Botnets) ■ hard to discover - all the requests appear to be sent by legitimate users ■ much more dangerous ■ stopping requires a cooperation in the network ■ stopping in active networks - consecutive cut of flows against their direction Luděk Matýska • 1. Network Security • Spring 2019 119/125 uenidi or ^erviLe ^utoj ex uibinuuteu uenidi or ^erviLe Network & Data Protection - Maintaining the Availability (DDoS) attacks FACULTY OF INFORMATICS I Masaryk University Denial of Service (DoS) & Distributed DoS (DDoS) II. Luděk Matýska • 1. Network Security • Spring 2019 120/125 Network & Data Protection - Maintaining the Availability Virusses & Worms FACULTY OF INFORMATICS Masaryk University Virusses & Worms I. Computer virus a self-propagating computer program designed to alter or destroy a computer system resource Worm a seLf-repLicating program, similar to a computer virus - a virus attaches itself to, and becomes part of, another executable program; however, a worm is self-contained and does not need to be part of another program to propagate itself (through security holes of a networked system) Virus/Worm attacks: ■ some sort of trigger will activate the attack phase, and the virus will then "do something" ■ trigger = a specific date, or the number of times the virus has been replicated, or anything similar ■ "do something" = anything from printing a silly message on the screen to erasing all of your data Ludek Matyska • 1. Network Security • Spring 2019 121 / 125 Network & Data Protection - Maintaining the Availability Virusses & Worms FACULTY OF INFORMATICS I Masaryk University Virusses & Worms II. Protection from virus/worm attacks: ■ run a secure operating system with access rights ■ security features keep viruses away ■ run virus protection software ■ in end-nodes and/or application gateways ■ avoid programs from unknown sources ■ educating the users is a must ■ = computer hygiene Luděk Matýska • 1. Network Security • Spring 2019 122/125 Network & Data Protection - Maintaining the Availability Network & Data Protection - Concluding Remarks FACULTY OF INFORMATICS Masaryk University Network & Data Protection - Concluding Remarks ■ attacks/intrusions - an effort to acquire an access to a network or its services ■ reasons range from boyish fun ("testing neighbor's pears") to military/terroristic actions ■ usage: ■ private data access/modification ■ source platform for subsequent activity (e.g., DDoS) ■ protection: ■ access control on all possible levels ■ regular maintanance (patches, upgrades, etc.) ■ network traffic monitoring ■ monitoring of processes running on the servers/end-nodes ■ users'education Luděk Matýska • 1. Network Security • Spring 2019 123/125 Conclusion FACULTY OF INFORMATICS Masaryk University Lecture overview Introduction Motivation Network Security Elements Cryptography Introduction Symmetric Cryptography Asymmetric Cryptography Network Security Mechanisms Entity Authentication Message Confidentiality (Security) Message Integrity Message Authentication Digital Signature Key Management and Distribution Example Protocols Ensuring Network Security in the Internet Application-layer Security Trans port-layer Security Network-layer Security Link-layer Security Network & Data Protection - Maintaining the Availability Firewalls Intrusion Detection Systems Denial of Service (DoS) & Distributed Denial of Service (DDoS) attacks Virusses & Worms Network & Data Protection - Concluding Remarks Conclusion Luděk Matýska • 1. Network Security • Spring 2019 124/125 Conclusion FACULTY OF INFORMATICS Masaryk University Recapitulation - Network Security ■ AAA mechanisms + secured communication mechanisms + data/services protection/avai Labi Lity ■ features of a secured communication network: ■ Confidentiality ■ Integrity ■ Non-repudiation ■ symmetric (shared key) and asymmetric (key pair - private and pubLic) cryptography ■ secured communication mechanisms can be provided on various ISO/OSI Layers (application, transport, network, data Link) ■ further information: ■ PV017: Information Technology Security (doc. Staudek) ■ PV079: Applied Cryptography (prof. Matyáš et al.) ■ PV080: Protection of Data and Information Privacy (prof. Matyáš) ■ PV157: Authentication and Access Control (prof. Matyáš and dr. Říha) ■ PV210: Security analysis of network traffic (dr. Vykopal) ■ etc. Luděk Matýska • 1. Network Security • Spring 2019 125/125