Network Security - Lecture 20

Network SecurityLecture 20Presented by: Dr. Munam Ali Shah Summary of the Previous LectureIn previous lecture we talked about the random numbers and the random number generatorsWe have also discussed random numbers and pseudorandom numbers. The design constraints were also discussedSummary of the previous lectureRandom number are the basis for many cryptographic applications.There is no reliable “independent” function to generate random numbers.Present day computers can only approximate random numbers, using pseudo-random numbers generated by Pseudo Random Number Generators (PRNG)s. Attacks on many cryptographic applications are possible by attacks on PRNGs.Computer applications are increasingly turning towards using physical data (external/internal) for getting truly random numbers.Part – 2 (e): Incorporating security in other parts of the networkOutlines of today’s lectureWe will talk about Confidentiality using symmetric encryptionWe will also explore Link vs. end to end encryptionKey Distribution design constraints will be exploredObjectivesYou would be able to present an understanding of deploying security in other parts of the networks.You would understand the potential locations in the network through which attack could be launchedPotential locations for confidentiality attacksInsider: eavesdropping the LANOutsider: from server or host with dial up facilityPatch panel is vulnerable if intruder access it physically: (can use low power radio transmitter)Attack through transmission mediumWired (coaxial, twisted pair, fibre optic)Wireless(microwave, satellite)Link vs. end to end encryptionhave two major placement alternativeslink encryptionvulnerable links are equipped with encryption deviceEn/decryption occurs independently on every linkrequires many devices in a large networkUser has no control over security of these devicesMany keys must be providedend-to-end encryption encryption occurs between original source and final destinationneed devices at each end with shared keysAuthenticationNeeds bothwhen using end-to-end encryption must leave headers in clearso network can correctly route informationhence although contents protected, traffic pattern flows are notideally want both at onceend-to-end protects data contents over entire path and provides authenticationlink protects traffic flows from monitoringPlacement of end to end Encryptioncan place encryption function at various layers in OSI Reference Modellink encryption occurs at layers physical or link layer end-to-end can occur at layers network layer: all user process and application within end system would employ the same encryption scheme with same key.Cont.End to end encryption at network layer provides end to end security for traffic within integrated internetworkSuch scheme cannot deliver necessary service for traffic that crosses internetwork boundaries e.g. email, ftpSolution: End to end encryption at application layerTransport and network connection ends up at each mail gateway, which setups new setup new transport and network connection to the other end systemEncryption Coverage Implications of Store-and-Forward CommunicationsDrawbackA network that support hundred of hosts may support thousands of users and processes. Many secret keys are need to be generated and distributedEncryption vs. protocolApplication level TCP levelUser data and TCP header are encryptedIP header need by the routerAt gateway: TCP connection is terminated and a new transport connection is open for next hopLink level Entire data unit except for the link (h & T)Entire data unit is cleared at each router and gateway16Traffic Analysisis monitoring of communications flows between partiesuseful both in military & commercial spheresFollowing information can be derived from traffic analysisIdentities of partnersFrequency of communicationMessage pattern, length and quantity that suggest important information of messageHelpful for covert channel: is a type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policyTraffic Confidentialitylink encryption obscure header detailsbut overall traffic volumes in networks and at end-points is still visibletraffic padding can further obscure flowsEnd to end EncryptionApplication layer: communicating entities are visibleTransport layer: network address and traffic patterns are visibleUniform Padding deny an opponent knowledge of data exchange between user and secure the traffic patternsKey Distributionsymmetric schemes require both parties to share a common secret keyissue is how to securely distribute this keyoften secure system failure due to a break in the key distribution scheme Key Distribution Given parties A and B have various key distribution alternatives:A can select key and physically deliver to Bthird party can select & deliver key to A & Bif A & B have communicated previously can use previous key to encrypt a new keyif A & B have secure communications with a third party C, C can relay key between A & BSummaryIn today’s lecture we talked about Confidentiality using symmetric encryptionWe explored Link vs. end to end encryptionThe design constraints for Key Distribution was also exploredNext lecture topicsWe will talk about incorporating and ensuring network security through other aspectsThe End