Computer Networks 1 - Cryptography & network security


Cryptography & Network Security
• Principles of modern ciphers
• Implement crypto library
• Network Security Applications
• System Security
MSc. NGUYEN CAO DAT
Dr. TRAN VAN HOAI
BK TP.HCM

Course details
• Number of credits: 3
• Study time allocation per week:
  ▫ 2 lecture hours for theory
  ▫ 2 lecture hours for lab, exercises
  ▫ 6 hours for self-study
• Website:

Course outline (1/2)
• Basics of Cryptography
  ▫ Symmetric key
  ▫ Public key
  ▫ Hash function
• Network Security Applications
  ▫ Authentication applications
  ▫ E-mail security

Course outline (2/2)
• Network Security Applications (cont'd)
  ▫ Web security
  ▫ IP security
• System Security
  ▫ IDS/IPS
  ▫ Firewalls

References
[1] “Cryptography and Network Security Principles and Practices”, W. Stallings, 4th ed., Prentice Hall, 2005
[2] Slides “Cryptography and Network Security”, Department of Systems and Networks, Faculty of Computer Science and Engineering, Ho Chi Minh City University of Technology.

Assessment Scheme
• Attending lectures: >80% lecture times
• Reading textbooks and references
• Self-study and working in group
• Lab: 20%
• Assignments: 20%
• Midterm Exam: 20%, multiple-choice test - 45’
• Final Exam: 40%, multiple-choice test - 60’

Chapter 1 Introduction
MSc. NGUYEN CAO DAT
Dr. TRAN VAN HOAI

Background
• Information Security requirements have changed in recent times.
• traditionally provided by physical and administrative mechanisms.
• computer use requires automated tools to protect files and other stored information.
• use of networks and communications links requires measures to protect data during transmission.

Definitions
• Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers.
• Network Security - measures to protect data during their transmission.
• Internet Security - measures to protect data during their transmission over a collection of interconnected networks.

Aim of Course
• our focus is on Internet Security
• which consists of measures to deter, prevent, detect, and correct security violations that involve the transmission & storage of information

Security Trends
[figure]

OSI Security Architecture
• ITU-T X.800 “Security Architecture for OSI”
• defines a systematic way of defining and providing security requirements
• for us it provides a useful, if abstract, overview of concepts we will study

Aspects of Security
• consider 3 aspects of information security:
  ▫ security attack
  ▫ security mechanism
  ▫ security service

Security Attack
• any action that compromises the security of information owned by an organization
• information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems
• often threat & attack used to mean same thing
• have a wide range of attacks
• can focus on generic types of attacks
  ▫ passive
  ▫ active

Classify Security Attacks
• passive attacks - eavesdropping on, or monitoring of, transmissions to:
  ▫ obtain message contents, or
  ▫ monitor traffic flows
• active attacks - modification of data stream to:
  ▫ masquerade of one entity as some other
  ▫ replay previous messages
  ▫ modify messages in transit
  ▫ denial of service

Types of Attacks
[figure]

Passive Attacks
[figure]

Active Attacks
[figure]

Security Service
  ▫ enhance security of data processing systems and information transfers of an organization
  ▫ intended to counter security attacks
  ▫ using one or more security mechanisms
  ▫ often replicates functions normally associated with physical documents

Security Services
• X.800: “a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers”
• RFC 2828: “a processing or communication service provided by a system to give a specific kind of protection to system resources”

Security Services (X.800)
• Authentication - assurance that the communicating entity is the one claimed
• Access Control - prevention of the unauthorized use of a resource
• Data Confidentiality - protection of data from unauthorized disclosure
• Data Integrity - assurance that data received is as sent by an authorized entity
• Non-Repudiation - protection against denial by one of the parties in a communication

Security Mechanism
• feature designed to detect, prevent, or recover from a security attack
• no single mechanism that will support all services required
• however one particular element underlies many of the security mechanisms in use:
  ▫ cryptographic techniques
• hence our focus on this topic

Security Mechanisms (X.800)
• specific security mechanisms
  ▫ encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization
• pervasive security mechanisms
  ▫ trusted functionality, security labels, event detection, security audit trails, security recovery

Model for Network Security
[figure]

Model for Network Security
• using this model requires us to:
  1. design a suitable algorithm for the security transformation
  2. generate the secret information (keys) used by the algorithm
  3. develop methods to distribute and share the secret information
  4. specify a protocol enabling the principals to use the transformation and secret information for a security service

Model for Network Access Security
[figure]

Model for Network Access Security
• using this model requires us to:
  1. select appropriate gatekeeper functions to identify users
  2. implement security controls to ensure only authorised users access designated information or resources
• trusted computer systems may be useful to help implement this model

Cryptography
[figure]

Cryptography
• characterize cryptographic system by:
  ▫ type of encryption operations used
    • substitution / transposition / product
  ▫ number of keys used
    • single-key or private / two-key or public
  ▫ way in which plaintext is processed
    • block / stream

Cryptanalysis
• objective to recover key not just message
• general approaches:
  ▫ cryptanalytic attack
  ▫ brute-force attack

Cryptanalytic Attacks
• ciphertext only
  ▫ only know algorithm & ciphertext, is statistical, know or can identify plaintext
• known plaintext
  ▫ know/suspect plaintext & ciphertext
• chosen plaintext
  ▫ select plaintext and obtain ciphertext
• chosen ciphertext
  ▫ select ciphertext and obtain plaintext
• chosen text
  ▫ select plaintext or ciphertext to en/decrypt

More Definitions
• unconditional security
  ▫ no matter how much computer power or time is available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext
• computational security
  ▫ given limited computing resources (e.g. time needed for calculations is greater than age of universe), the cipher cannot be broken

Brute Force Search
• always possible to simply try every key
• most basic attack, proportional to key size
• assume either know / recognise plaintext

Key Size (bits)             | Number of Alternative Keys | Time required at 1 decryption/µs | Time required at 10^6 decryptions/µs
32                          | 2^32 = 4.3 × 10^9          | 2^31 µs = 35.8 minutes           | 2.15 milliseconds
56                          | 2^56 = 7.2 × 10^16         | 2^55 µs = 1142 years             | 10.01 hours
128                         | 2^128 = 3.4 × 10^38        | 2^127 µs = 5.4 × 10^24 years     | 5.4 × 10^18 years
168                         | 2^168 = 3.7 × 10^50        | 2^167 µs = 5.9 × 10^36 years     | 5.9 × 10^30 years
26 characters (permutation) | 26! = 4 × 10^26            | 2 × 10^26 µs = 6.4 × 10^12 years | 6.4 × 10^6 years

Summary
• have considered:
  ▫ definitions for:
    • computer, network, internet security
  ▫ X.800 standard
  ▫ security attacks, services, mechanisms
  ▫ models for network (access) security
  ▫ Cryptography, cryptanalysis

Self study
• Symmetric Cipher Model
• Classical Substitution Ciphers
  ▫ Caesar Cipher
  ▫ Monoalphabetic Cipher
  ▫ Playfair Cipher
  ▫ Polyalphabetic Ciphers
  ▫ Vigenère Cipher
• Cryptanalysis using letter frequencies
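
An added example for the Brute Force Search slide (not part of the original slides): it tries every key of a Caesar cipher, uses letter frequencies for the "recognise plaintext" step, and recomputes the average search times in the table. The function names, the frequency table (approximate standard English values) and the sample sentence are assumptions made for this illustration.

```python
import string

# Approximate English letter frequencies in percent, A..Z (standard published values).
ENGLISH_FREQ = dict(zip(string.ascii_uppercase, [
    8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
    6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]))

# Constructed sample plaintext, taken from the Internet Security definition in the slides.
SAMPLE = ("MEASURES TO PROTECT DATA DURING THEIR TRANSMISSION "
          "OVER A COLLECTION OF INTERCONNECTED NETWORKS")

def caesar(text, key):
    """Shift each A-Z letter by `key` positions mod 26; other characters pass through."""
    return "".join(
        chr((ord(ch) - 65 + key) % 26 + 65) if ch in ENGLISH_FREQ else ch
        for ch in text.upper())

def chi_squared(text):
    """Distance from English letter statistics; lower means more plaintext-like."""
    letters = [ch for ch in text if ch in ENGLISH_FREQ]
    n = len(letters)
    if n == 0:
        return float("inf")  # nothing to score, so never the best candidate
    return sum((letters.count(ch) - n * f / 100) ** 2 / (n * f / 100)
               for ch, f in ENGLISH_FREQ.items())

def brute_force(ciphertext):
    """Try all 26 keys and return (key, plaintext) for the most English-like result."""
    candidates = [(k, caesar(ciphertext, -k)) for k in range(26)]
    return min(candidates, key=lambda kp: chi_squared(kp[1]))

def average_search_years(key_bits, decryptions_per_us=1):
    """Average exhaustive-search time: half of the 2^n keys are tried before a hit."""
    microseconds = 2 ** (key_bits - 1) / decryptions_per_us
    return microseconds / 1e6 / 3600 / 24 / 365

if __name__ == "__main__":
    ciphertext = caesar(SAMPLE, 3)
    print(ciphertext)
    print(brute_force(ciphertext))            # recovers key 3 and the sample sentence
    for bits in (32, 56, 128, 168):
        print(bits, average_search_years(bits), average_search_years(bits, 10 ** 6))
```

The 26-key search finishes instantly, which is why the table's last row matters: a general monoalphabetic permutation has 26! keys, and defence against exhaustive search comes only from the size of the key space.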
