Chapter 12 Network Security
Encryption Types
1. Concealment
- hides message among other irrelevant data
2. Transposition: characters or bits are transposed
- e.g. abcdef → badcfe
- computationally fast
3. Substitution: one character or sequence of bits is mapped to another
- computationally fast
- usually combined with transposition
- usually uses a dynamic map based on previous input
4. Calculation
- cleartext is input to an arithmetic calculation
- often involves exponentiation
5. Coding
- Substitution based on a code book
Verification
1. One-way hash function
- algorithm that generates a fixed length field that can be used to determine whether a message has been altered
2. Message authentication code
- an encoded digest that has a high probability of exposing any changes made to a block of data
- should not reveal content of message or be easily forged
- e.g. embedded time stamp, hash code, a secret code
Encryption Algorithms
Public-key encryption system
RSA
asymmetric encryption algorithm that uses a public/private key
- sender uses receiver's public key to encrypt message
- only the private key can be used to decrypt a message encrypted with the public key
Encryption types used: calculation (uses message exponentiation by an encryption key)
Authentication (Digital signatures)
DES Data Encryption Standard
Symmetric: key used to decrypt a particular bit stream is the same as the one used to encrypt it
Exchange of keys requires secure channel
Encryption types used: substitution and transposition (16 stages of substitution and bit permutation)
56-bit version is the most commonly used
- there is also a 64-bit and a 128-bit version
EES Escrowed Encryption Standard
ROM based
128-bit Law Enforcement Access Field (LEAF) exchanged at start of session to permit government-authorized wiretaps
three keys
- session key
- kept by both parties
- lifetime of the session
- basis for message encryption
- chip key
- inner level of LEAF encryption
- used to encrypt session key
- held by government
- family key
- Outer level of LEAF encryption
- Used to encrypt chip serial number and checksum
- Not secure
- Held by government
PGP Pretty Good Privacy
an e-mail security system
uses IDEA data encryption
uses RSA key management and digital signatures
uses MD5 one-way hash function
uses layer security
- electronic signature is embedded inside the encrypted message
- only the recipient ID is cleartext
Key management
- No single certifying authority
- Web of trust
PEM Privacy Enhanced Mail
an IAB (Internet Activities Board) e-mail security system
uses DES message body encryption
uses RSA key management and X.509 certificate
uses MD2 or MD5 one-way hash function
Key management
- CAs (Certifying Authorities) certify users and subordinate organizations
- PCAs (Policy Certification Authorities) certify CAs and users wishing anonymity
- IPRA (Internet Policy Registration Authority) certifies PCAs
Web Encryption Schemes
S-HTTP Secure HTTP
- Application level encryption
- Client initiates secure session by requesting secure document
- Server replies that document is secure and returns type of encryption and MIME type
- Client and server negotiate capabilities and encryption formats
- Secure channel is established and document is transferred
- Has message authentication and digital signature
- Uses RSA
SSL Secure Sockets Layer
- default port is 443
- URL uses server protocol https
- Implemented at presentation level
- Can be used for other TCP/IP applications
- Developed by Netscape
- Causes all https packets to be encrypted, not only specific ones
- Uses RSA
PCT Private Communications Technology
- Microsoft version of SSL
- Simpler negotiation protocol
Firewalls
Packet level firewall (screen routers)
- examines the source and destination address of every network packet that passes through it and allows only those packets with acceptable source and destination addresses
- IP screening at the network level
- TCP screening at the transport level
Application level firewall (dual homed host)
- acts as an intermediate host computer or gateway between the Internet and the rest of the organization's networks
- requires application agents to transfer data across firewall
- IP forwarding disabled
- Utilities on machine disabled
- Proxy server
- Transparent
- Uses an address table to translate network addresses inside the organization into fake addresses for use on the Internet
- Network Address Translation or Address Mapping
- Inside computer sends out request to external computer
- Proxy server takes request and changes source address in the outgoing IP packet to its own address
- Proxy server sets the source port number in the TCP packet to a unique number that it uses as an index into its address table to find the IP address of the actual sending computer
- Proxy server receives the response, ensures packet is allowable and changes its address to address of inside computer
- Inside computers can be assigned illegal Internet addresses to increase security
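
The proxy server's address translation steps above, as an added example that is not part of the original notes. The class and field names, the sample addresses, the starting port 40000, and the rule used for "allowable" (a reply must come from the endpoint the inside computer contacted) are assumptions.

```python
# Added illustration: port-indexed address translation by a proxy server.
# All addresses and port numbers are constructed sample values.
from dataclasses import dataclass, replace
from itertools import count
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatProxy:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)  # supplies unique source port numbers
        self._flows = {}                 # flow tuple -> proxy port (reuse per flow)
        self.table = {}                  # proxy port -> flow tuple (address table)

    def outbound(self, pkt: Packet) -> Packet:
        """Replace the inside source address/port with the proxy's own."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._flows.get(flow)
        if port is None:
            port = self._flows[flow] = next(self._ports)
            self.table[port] = flow
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a response back to the inside computer, or drop it (None)."""
        flow = self.table.get(pkt.dst_port)  # destination port is the table index
        if pkt.dst_ip != self.public_ip or flow is None:
            return None                      # no table entry: unsolicited packet
        in_ip, in_port, remote_ip, remote_port = flow
        # Assumed "allowable" rule: reply must come from the contacted endpoint.
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None
        return replace(pkt, dst_ip=in_ip, dst_port=in_port)

def demo():
    proxy = NatProxy("203.0.113.1")
    out = proxy.outbound(Packet("10.0.0.5", 51515, "198.51.100.7", 80))
    reply = proxy.inbound(Packet("198.51.100.7", 80, out.src_ip, out.src_port))
    stray = proxy.inbound(Packet("192.0.2.99", 80, out.src_ip, out.src_port))
    return out, reply, stray

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The stray packet is dropped because its source does not match the table entry, which is why inside computers are not reachable from the Internet unless they opened the exchange themselves.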