四川大學(xué)計算機(jī)網(wǎng)絡(luò)課件

COMPUTERFIFTHEDITION

Chapter8NETWORKING

NetworkSecurity

KUROSE-ROSS

Anoteontheuseofthesepptslides:

We'remakingtheseslidesfreelyavailabletoall(faculty,students,readers).

They'reinPowerPointformsoyoucanadd,modify,anddeleteslides

(includingthisone)andslidecontenttosuityourneeds.TheyobviouslyComputerNetworking：

representalotofworkonourpart.Inreturnforuse,weonlyasktheATopDownApproach,

following:th

?Ifyouusetheseslides(e.g.,inaclass)insubstantiallyunalteredform,that5edition.

youmentiontheirsource(afterall,we'dlikepeopletouseourbook!)JimKurose,KeithRoss

?Ifyoupostanyslidesinsubstantiallyunalteredformonawwwsite,that

younotethattheyareadaptedfrom(orperhapsidenticalto)ourslides,andAddison-Wesley,April

noteourcopyrightofthismaterial.2009.

Thanksandenjoy!JFK/KWR

Allmaterialcopyright1996-2010

J.FKuroseandK.W.Ross,AllRightsReserved

NetworkSecurity8-1

Chapter8：NetworkSecurity

Chaptergoals：

understandprinciplesofnetworksecurity：

■cryptographyanditsmanyusesbeyond

''confidentiality11

■authentication

■messageintegrity

?securityinpractice：

■firewallsandintrusiondetectionsystems

■securityinapplication,transport,network,link

layers

NetworkSecurity8-2

Chapter8roadmap

8.1Whatisnetworksecurity?

8.2Principlesofcryptography

8.3Messageintegrity

8.4Securinge-mail

8.5SecuringTCPconnections：SSL

8.6Networklayersecurity：IPsec

8.7SecuringwirelessLANs

8.8Operationalsecurity：firewallsandIDS

NetworkSecurity8-3

Whatisnetworksecur汁y?

Confidentiality：onlysender,intendedreceiver

should''understand11messagecontents

■senderencryptsmessage

■receiverdecryptsmessage

Authentication：sender,receiverwanttoconfirm

identityofeachother

Messageintegrity：sender,receiverwanttoensure

messagenotaltered(intransit,orafterwards)

withoutdetection

Accessandavailability：servicesmustbeaccessible

andavailabletousers

NetworkSecurity8-4

Friendsandenemies：Alice,Bob,Trudy

?:?well-knowninnetworksecurityworld

Bob,Alice(lovers!)wanttocommunicate"securely"

Trudy(intruder)mayintercept,delete,addmessages

AliceBob

channeldata,control

\messages

secure

datasecureadata

senderureceiver

Trudy

NetworkSecurity8-5

WhomightBob,Alicebe?

?...well,real-lifeBobsandAlices!

?Webbrowser/serverforelectronic

transactions(e.g.zon-linepurchases)

on-linebankingclient/server

?DNSservers

?routersexchangingroutingtableupdates

otherexamples?

NetworkSecurity8-6

Therearebadguys(andgirls)outthere!

Q：Whatcana''badguy"do?

A：Alot!Seesection1.6

■eavescfrop：interceptmessages

■activelyinsertmessagesintoconnection

■impersonation：canfake(spoof)sourceaddress

inpacket(oranyfieldinpacket)

■hijacking：''takeover"ongoingconnectionby

removingsenderorreceiver,insertinghimself

inplace

■denialofservicepreventservicefrombeing

usedbyothers(e.g.zbyoverloadingresources)

NetworkSecurity8-7

Chapter8roadmap

8.1Whatisnetworksecurity?

8.2Principlesofcryptography

8.3Messageintegrity

8.4Securinge-mail

8.5SecuringTCPconnections：SSL

8.6Networklayersecurity：IPsec

8.7SecuringwirelessLANs

8.8Operationalsecurity：firewallsandIDS

NetworkSecurity8-8

Thelanguageofcryptography

Alice's8Bobs

K.encryptionKdecryption

fkeyD

|Bkey

encryptionciphertextdecryptionplaintext

plaintextr

algorithmalgorithm

mplaintextmessage

KA(m)ciphertext,encryptedwithkeyKA

m二KB(KA(m))

NetworkSecurity8-9

Simpleencryptionscheme

substitutioncipher：substitutingonethingforanother

■monoalphabeticcipher：substituteoneletterforanother

plaintext:abcdefghijkImnopqrstuvwxyz

I

ciphertext:mnbvcxzasdfghjklpoiuytrewq

EXQJ.Plaintext:bob.iloveyou.alice

ciphertext:nkn.sgktcwky.mgsbc

Key：themappingfromthesetof26letterstothe

setof26letters

NetworkSecurity8-10

Polyalphabeticencryption

nmonoalphabeticciphers,M1/M2/.../Mn

?Cyclingpattern：

■eg,n=4,Miggg.Mg

Foreachnewplaintextsymbol,use

subsequentmonoalphabeticpatternin

cyclicpattern

■dog：dfromAAlzofromAA3/gfromAA4

Key：thenciphersandthecyclicpattern

NetworkSecurity8-11

Breakinganencryptionscheme

Cipher-textonlyKnown-plaintextattack：

attack：TrudyhasTrudyhassome

ciphertextthatsheplaintextcorresponding

cananalyzetosomeciphertext

■

Twoapproaches：e.g.zinmonoalphabetic

cipher,Trudydetermines

■Searchthroughoil

pairingsfora,l,i,ce,b,o,

keys：mustbeableto

differentiateresultingChosen-plaintextattack：

plaintextfromTrudycangetthe

gibberishciphertextforsome

■Statisticalanalysischosenplaintext

NetworkSecurity8-12

TypesofCryptography

Cryptooftenuseskeys：

■Algorithmisknowntoeveryone

■Only"keys"aresecret

Publickeycryptography

■Involvestheuseoftwokeys

Symmetrickeycryptography

■Involvestheuseonekey

Hashfunctions

■Involvestheuseofnokeys

■Nothingsecret：Howcanthisbeuseful?

NetworkSecurity8-13

Symmetrickeycryptography

plaintext

message,m

m=K(K(m))

sss

symmetrickeycrypto：BobandAlicesharesame

(symmetric)key：KS

。e.g.zkeyisknowingsubstitutionpatterninmono

alphabeticsubstitutioncipher

Q：howdoBobandAliceagreeonkeyvalue?

NetworkSecurity8-14

Twotypesofsymmetricciphers

Streamciphers

■encryptonebitattime

Blockciphers

■Breakplaintextmessageinequal-sizeblocks

■Encrypteachblockasaunit

NetworkSecurity8-15

StreamCiphers

pseudorandom

keystream

generator?keystream

。Combineeachbitofkeystreamwithbitof

plaintexttogetbitofciphertext

*m(i)=ithbitofmessage

*ks(i)=ithbitofkeystream

*c(i)=ithbitofciphertext

c(i)=ks(i)十m(i)(十二exclusiveor)

m(i)=ks(i)十c(i)

NetworkSecurity8-16

RC4StreamCipher

RC4isapopularstreamcipher

■Extensivelyanalyzedandconsideredgood

■Keycanbefrom1to256bytes

■UsedinWEPfor802.11

■CanbeusedinSSL

NetworkSecurity8-17

Blockciphers

Messagetobeencryptedisprocessedin

blocksofkbits(e.g.,64-bitblocks).

1-to-lmappingisusedtomapk-bitblockof

plaintexttok-bitblockofciphertext

Examplewithk=3：

inputoutputinputoutput

000110100Oil

001111101010

010101110000

Oil100in001

Whatistheciphertextfor010110001111?

NetworkSecurity8-18

Blockciphers

Howmanypossiblemappingsaretherefor

k=3?

■Howmany3-bitinputs?

■Howmanypermutationsofthe3-bitinputs?

■Answer：40,320;notverymany!

?Ingeneral,2k!mappings;hugefork=64

Problem：

■Tableapproachrequirestablewith264entries,

eachentrywith64bits

Tabletoobig：insteadusefunctionthat

simulatesarandomlypermutedtable

NetworkSecurity8-19

FromKaufman

Prototypefunctioneta1

NetworkSecurity8-20

Whyroundsinprototype?

Ifonlyasingleround,thenonebitofinput

affectsatmost8bitsofoutput.

In2ndround,the8affectedbitsget

scatteredandinputtedintomultiple

substitutionboxes.

Howmanyrounds?

■Howmanytimesdoyouneedtoshufflecards

■Becomeslessefficientasnincreases

NetworkSecurity8-21

Encryptingalargemessage

Whynotjustbreakmessagein64-bit

blocks,encrypteachblockseparately?

■Ifsameblockofplaintextappearstwice,will

givesameciphertext.

Howabout：

■Generaterandom64-bitnumberr(i)foreach

plaintextblockm(i)

■十

Calculatec(i)=Ks(m(i)r(i))

■Transmitc(i),r(i),i=1,2,...

■：十

Atreceiverm(i)=Ks(c(i))r(i)

■Problem：inefficient,needtosendc(i)andr(i)

NetworkSecurity8-22

CipherBlockChaining(CBC)

CBCgeneratesitsownrandomnumbers

■Haveencryptionofcurrentblockdependonresultof

previousblock

■十

c(i)=K5(m(i)c(i-l))

二十

-m(i)Ks(c(i))c(i-l)

Howdoweencryptfirstblock?

■Initializationvector(IV)：randomblock二c(0)

■IVdoesnothavetobesecret

?ChangeIVforeachmessage(orsession)

■Guaranteesthatevenifthesamemessageissent

repeatedly,theciphertextwillbecompletelydifferent

eachtime

NetworkSecurity8-23

CipherBlockChaining

。cipherblock：ifinputm(l)=nHTTP/l.r,

t=i

blockrepeated,will

???

producesamecipherm(17)="HTTP/1.1"

text：t=17

?cipherblockchaining：

XORithinputblock,m(i),

withpreviousblockof

ciphertext,c(i-l)

■c(0)transmittedto

receiverinclear

■whathappensin

uHTTP/l.lnscenario

fromabove?

NetworkSecurity8-24

Symmetrickeycrypt。：DES

DES：DataEncryptionStandard

?USencryptionstandard[NIST1993]

。56-bitsymmetrickey,64-bitplaintextinput

。Blockcipherwithcipherblockchaining

。HowsecureisDES?

■DESChallenge：56-bit-key-encryptedphrase

decrypted(bruteforce)inlessthanaday

■Noknowngoodanalyticattack

。makingDESmoresecure：

■3DES：encrypt3timeswith3differentkeys

(actuallyencrypt,decrypt,encrypt)

NetworkSecurity8-25

Symmetrickey

crypt。：DES

—DESoperation

initialpermutation

16identical"rounds"of

functionapplication,

eachusingdifferent

48bitsofkey

finalpermutation

NetworkSecurity8-26

AES：AdvancedEncryptionStandard

?new(Nov.2001)symmetric-keyNIST

standard,replacingDES

processesdatain128bitblocks

?128,192,or256bitkeys

bruteforcedecryption(tryeachkey)

taking1seconDESZtakes149trillion

yearsforAES

NetworkSecurity8-27

PublicKeyCryptography

symmetrickeycryptopublickeycryptography

requiressender,radicallydifferent/

receiverknowsharedapproach[Diffie-

secretkeyHcllman76,RSA78]H

Q：howtoagreeonkeysender,receiverdo

infirstplacenotsharesecretkey

(particularlyifnever?"4/6/2encryptionkey

“met")?knowntoall

privatedecryption

keyknownonlyto

receiver

NetworkSecurity8-28

Publickeycryptography

《Bob'spublic

Bkey

於濘＞K-Bob'sprivate

；Bkey

plaintextencryptionciphertext「decryptionplaiptext

algorithmalgorithm

message,mK；(m)message

m=KB(Kg(m))

NetworkSecurity8-29

Publickeyencryptionalgorithms

Requirements：

(T)needK：(?)andK'(?)suchthat

匕

一+D

―m))=m

(2)givenpublickey母，汁shouldbe

impossibletocompute

privatekeyKg

RSA：RivestzShamir,Adelsonalgorithm

NetworkSecurity8-30

Prerequisite：modulararithmetic

xmodn二remainderofxwhendividebyn

?Facts：

[(amodn)+(bmodn)]modn=(a+b)modn

[(amodn)-(bmodn)]modn=(a-b)modn

[(amodn)*(bmodn)]modn=(a*b)modn

Thus

(amodn)dmodn=admodn

Example：x=14,n=10zd=2:

(xmodn)dmodn=42mod10=6

dd

x二1平二196xmod10=6

NetworkSecurity8-31

RSA：gettingready

Amessageisabitpattern.

Abitpatterncanbeuniquelyrepresentedbyan

integernumber.

Thusencryptingamessageisequivalentto

encryptinganumber.

Example

m=10010001.Thismessageisuniquely

representedbythedecimalnumber145.

*Toencryptmzweencryptthecorresponding

number,whichgivesanewnumber(the

ciphertext).

NetworkSecurity8-32

RSA：Creatingpublic/privatekey

pair

1.Choosetwolargeprimenumbersp,q.

(eg,1024bitseach)

2.Computen=pq,z=(p-l)(q-l]

3.Choosee"ithe勿thathasnocommonfactors

withz.(ezzare''relativelyprime").

4.Chooset/suchthated-1isexactlydivisiblebyz.

(inotherwords：ecfmodz=1\

5.Publickeyis(n,e).Privatekeyis(n,d).

NetworkSecurity8-33

RSA：Encryption,decryption

〃⑼

0.Given(/7ze)and(ascomputedabove

1.Toencryptmessagem(<n),compute

c-memodn

2.Todecryptreceivedbitpattern,c,compute

m-c'modn

Magicm_f/nemodn

happens!Y/

c

NetworkSecurity8-34

RSAexample：

Bobchoosesp=5,q=7.Thenn=35,z=24.

e=5(soezzrelativelyprime).

d=29(soed-1exactlydivisiblebyz).

Encrypting8-bitmessages.

e

bitpatternmmc二memodn

encrypt.|oo1224832

OOOOO17

ccd

decrypt：m二cmodn

1748196857210675091509141182522307169712

NetworkSecurity8-35

WhydoesRSAwork?

Mustshowthatcdmodn=m

wherec=memodn

Fact：foranyxandy：xymodn=x(vmodz)modn

■wheren=pqandz=(p-l)(q-l)

Thus,

cdmodn=(memodn)dmodn

=medmodn

=modz)modn

=m1modn

=m

NetworkSecurity8-36

RSA：anotherimportantproperty

Thefollowingpropertywillbeusefullater：

一十_

K(K(m))二m二K(K(m))

BDDDDR

k.______________________/<__________/

usepublickeyuseprivatekey

first,followedfirst,followed

byprivatekeybypublickey

Resultisthesame!

NetworkSecurity8-37

WhyKB(Kg(m))二m二《(6(m))?

Followsdirectlyfrommodulararithmetic：

eded

(mmodn)modn二mmodn

=mdemodn

de

二(mmodn)modn

NetworkSecurity8-38

WhyisRSASecure?

?supposeyouknowBob'spublickey(nze).

Howhardisittodetermined?

essentiallyneedtofindfactorsofn

withoutknowingthetwofactorspandq.

fact：factoringabignumberishard.

GeneratingRSAkeys

?havetofindbigprimespandq

?approach：makegoodguessthenapply

testingrules(seeKaufman)

NetworkSecurity8-39

Sessionkeys

Exponentiationiscomputationallyintensive

?DESisatleast100timesfasterthanRSA

Sessionkey,小

BobandAliceuseRSAtoexchangea

symmetrickeyKs

OncebothhaveKS/theyusesymmetrickey

cryptography

NetworkSecurity8-40

Chapter8roadmap

8.1Whatisnetworksecurity?

8.2Principlesofcryptography

8.3Messageintegrity

8.4Securinge-mail

8.5SecuringTCPconnections：SSL

8.6Networklayersecurity：IPsec

8.7SecuringwirelessLANs

8.8Operationalsecurity：firewallsandIDS

NetworkSecurity8-41

MessageIntegrity

?allowscommunicatingpartiestoverifythat

receivedmessagesareauthentic.

■Contentofmessagehasnotbeenaltered

■Sourceofmessageiswho/whatyouthinkitis

■Messagehasnotbeenreplayed

■Sequenceofmessagesismaintained

let'sfirsttalkaboutmessagedigests

NetworkSecurity8-42

MessageDigests

functionH()that

takesasinputan

arbitrarylength

messageandoutputsa

fixed-lengthstring：desirableproperties：

''messagesignature"■easytocalculate

notethatH()isa■irreversibility：Can't

many-to-1functiondeterminemfromH(m)

■collisionresistance：

*H()isoftencalledacomputationallydifficult

''hashfunction"toproducemandm'such

thatH(m)二H(m')

■seeminglyrandomoutput

NetworkSecurity8-43

工ntarnatchecksum：poormassage

digest

Internetchecksumhassomepropertiesofhashfunction：

/producesfixedlengthdigest(16-bitsum)ofinput

/ismany-to-one

butgivenmessagewithgivenhashvalue,itiseasytofindanother

messagewithsamehashvalue.

■e.g.,：simplifiedchecksum：add4-bytechunksatatime：

messageASCIIformatmessageASC工工format

iou1494F5531Iou9494F5539

00.930302E3900.130302E31

9BOB3942D2429BOB3942D242

B2ciD2differentmessagesC1D2AC

butidenticalchecksums!

NetworkSecurity8-44

HashFunctionAlgorithms

AAD5hashfunctionwidelyused(RFC1321)

■computes128-bitmessagedigestin4-step

process.

。SHA-1isalsoused.

■USstandard[NIST,FIPSPUB180-1]

■160-bitmessagedigest

NetworkSecurity8-45

MessageAuthenticationCode(MAC)

ss=sharedsecret

es

g

aZSZ

sSD

eDS

SS

mSN

ZW

W

?Authenticatessender

?Verifiesmessageintegrity

Noencryption!

Alsocalled''keyedhash"

Notation：AADm=H(s||m);sendm||MDm

NetworkSecurity8-46

HMAC

popularMACstandard

addressessomesubtlesecurityflaws

operation：

■concatenatessecrettofrontofmessage.

■hashesconcatenatedmessage

■concatenatessecrettofrontofdigest

■hashescombinationagain

NetworkSecurity8-47

Example：OSPF

RecallthatOSPFisanAttacks：

intra-ASroutingMessageinsertion

protocol

Messagedeletion

Eachroutercreates

。Messagemodification

mapofentireAS(or

area)andruns

shortestpathHowdoweknowifan

algorithmovermap.OSPFmessageis

*Routerreceiveslink-authentic?

stateadvertisements

(LSAs)fromallother

routersinAS.

NetworkSecurity8-48

OSPFAuthentication

withinanAutonomouscryptographichash

System,routerssendwithAAb5

OSPFmessagesto■64-bitauthentication

eachother.fieldincludes32-bit

OSPFprovidessequencenumber

■

authenticationchoicesAAD5isrunovera

concatenationofthe

■noauthenticationOSPFpacketand

■sharedpassword：sharedsecretkey

insertedinclearin64-■MD5hashthen

bitauthenticationfieldappendedtoOSPF

inOSPFpacketpacket;encapsulatedin

■cryptographichashIPdatagram

NetworkSecurity8-49

End-pointauthentication

wanttobesureoftheoriginatorofthe

message-end-pointauthentication

assumingAliceandBobhaveashared

secret,willMACprovideend-point

authentication?

■wedoknowthatAlicecreatedmessage.

■...butdidshesendit?

NetworkSecurity8-50

Playbackattack

MAC二

Transfer$1Mfrom

BilltoTrudyMAC

NetworkSecurity8-51

Defendingagainstplayback

attack：nonce

UIamAlice"

R

f(msgsR)Transfer$1AA

~fromBilltoSusan

NetworkSecurity8-52

DigitalSignatures

cryptographictechniqueanalogoustohand-

writtensignatures.

。sender(Bob)digitallysignsdocument,

establishingheisdocumentowner/creator.

?goalissimilartothatofMAC,exceptnowuse

public-keycryptography

verifiable,nonforgeab/e\recipient(Alice)can

provetosomeonethatBob,andnooneelse

(includingAlice),musthavesigneddocument

NetworkSecurity8-53

DigitalSignatures

simpledigitalsignatureformessagem：

。Bobsignsmbyencryptingwithhisprivatekey

Kj,creating"signed"message,K￡m)

Bob'smessage,m年.吃,PKate《(m)

DearAlice

Bob'smessage,

Oh,howIhavemissedPublickey

you.Ithinkofyouallthem,signed

time!...(blahblahblah)encryption(encrypted)with

algorithmhisprivatekey

BobH

NetworkSecurity8-54

Digitalsignature二signedmessagedigest

Aliceverifiessignatureand

Bobsendsdigitallysignedintegrityofdigitallysigned

message：message：

aencrypted

msgdigest

Ke(H(m))

large

message

mBob'sdigital

signature

K

H：HashB(decrypt)

function

H(m)H(m)

equal

NetworkSecurity8-55

DigitalSignatures(more)

。

supposeAlicereceivesmsgm,digitalsignatureKB^m)

?AliceverifiesmsignedbyBobbyapplyingBob's

publickeyK；toK(m)thenchecksKg(K(m))=m.

+.BB

?二

ifKB(KB(m))m,whoeversignedmmusthaveused

Bob'sprivatekey.

Alicethusverifiesthat：

/Bobsignedm.

/nooneelsesignedm.

/Bobsignedmandnotm\

Non-repudiation：

/Alicecantakem,andsignatureKB(m)to

courtandprovethatBobsignedm.

NetworkSecurity8-56

Public-keycertification

motivation：TrudyplayspizzaprankonBob

■Trudycreatese-mailorder：

DearPizzaStore,Pleasedelivertomefour

pepperonipizzas.Thankyou,Bob

■Trudysignsorderwithherprivatekey

■TrudysendsordertoPizzaStore

■TrudysendstoPizzaStoreherpublickey,but

saysit'sBob'spublickey.

■PizzaStoreverifiessignature;thendelivers

fourpizzastoBob.

■Bobdoesn'tevenlikePepperoni

NetworkSecurity8-57

CertificationAuthorities

。Certificationauthority(CA)：bindspublickeyto

particularentity,E.

。E(person,router)registersitspublickeywithCA.

■Eprovides''proofofidentity"toCA.

■CAcreatescertificatebindingEtoitspublickey.

■certificate