24-01-2010, 09:44 AM
[attachment=1415]
CRYPTOGRAPHY AND NETWORK SECURITY
Abstract
Network security is a complicated subject, historically only tackled by
well-trained and experienced experts. However, as more and more people
become ``wired'', an increasing number of people need to understand the
basics of security in a networked world. This document was written with
the basic computer user and information systems manager in mind,
explaining the concepts needed to read through the hype in the
marketplace and understand risks and how to deal with them.
Some history of networking is included, as well as an introduction to
TCP/IP and internetworking . We go on to consider risk management,
network threats, firewalls, and more special-purpose secure networking
devices.
This is not intended to be a ``frequently asked questions'' reference,
nor is it a ``hands-on'' document describing how to accomplish specific
functionality.
It is hoped that the reader will have a wider perspective on security
in general, and better understand how to reduce and manage risk
personally, at home, and in the workplace.
Cryptography and Network Security
Does security provide some very basic protections that we
are naive to believe that we don't need? During this time when the
Internet provides essential communication between tens of millions of
people and is being increasingly used as a tool for commerce, security
becomes a tremendously important issue to deal with.
There are many aspects to security and many applications,
Ranging from secure commerce and payments to private
Communications and protecting passwords. One essential
aspect for
Secure communications is that of cryptography.
Cryptography is the science of writing in secret code and is an ancient
art. The first documented use of cryptography in writing dates back to
circa 1900 B.C. when an Egyptian scribe used non-standard hieroglyphs
in an inscription.
In data and telecommunications, cryptography is necessary when
communicating over any untrusted medium, which includes just about any
network, particularly the Internet.
Within the context of any application-to-application communication,
there are some specific security requirements, including:
¢ Authentication: The process of proving one's identity. (The
primary forms of host-to-host authentication on the Internet today are
name-based or address-based, both of which are notoriously weak.)
¢ Privacy/confidentiality: Ensuring that no one can read the
message except the intended receiver.
¢ Integrity: Assuring the receiver that the received message has
not been altered in any way from the original.
¢ Non-repudiation: A mechanism to prove that the sender really
sent this message. Cryptography, then, not only protects data from
theft or alteration, but can also be used for user authentication.
The three types of cryptographic algorithms that will be discussed are
(Figure 1):
¢ Secret Key Cryptography (SKC): Uses a single key for both
encryption and decryption
¢ Public Key Cryptography (PKC): Uses one key for encryption and
another for decryption
¢ Hash Functions: Uses a mathematical transformation to
irreversibly "encrypt" information
1. Secret Key Cryptography
With secret key cryptography, a single key is used for both encryption
and decryption.
As shown in Figure the sender uses the key (or some set of rules) to
encrypt the plain text and sends the cipher text to the receiver. The
receiver applies the same key (or rule set) to decrypt the message and
recover the plain text. Because a single key is used for both
functions, secret key cryptography is also called symmetric encryption.
With this form of cryptography, it is obvious that the key must be
known to both the sender and the receiver; that, in fact, is the
secret. The biggest difficulty with this approach, of course, is the
distribution of the key.
Secret key cryptography schemes are generally categorized as being
either stream ciphers or block ciphers.
Stream ciphers operate on a single bit (byte or computer
word) at a time and implement some form of feedback mechanism so that
the key is constantly changing. A block cipher is so- called because
the scheme encrypts one block of data at a time using the same key on
each block. In general, the same plain text block will always encrypt
to the same cipher text when using the same key in a block cipher
whereas the same plaintext will encrypt to different cipher text in a
stream cipher.
2. Public key cryptography
Modern PKC was first described publicly by Stanford
University professor Martin Hellman and graduate student Whitfield
Diffie in 1976. Their paper described a two-key crypto system in which
two parties could engage in a secure communication over a non-secure
communications channel without having to share a secret key.
Generic PKC employs two keys that are
mathematically
related although knowledge of one key does not allow someone to
easily determine the other key. One key is used to encrypt the
plaintext and the other key is used to decrypt the cipher
text. The
important point here is that it does not matter which key
is applied
first, but that both keys are required for the process to
work (Figure
1B). Because a pair of keys are required, this approach is
also called
asymmetric cryptography
3. Hash Functions
Hash functions, also called message digests and one-way
encryption, are algorithms that, in some sense, use no key (Figure
1C). Instead, a fixed-length hash value is computed based upon the
plaintext that makes it impossible for either the contents or length of
the plaintext to be recovered. Hash algorithms are typically used to
provide a digital fingerprint of a file's contents often used to ensure
that the file has not been altered by an intruder or virus. Hash
functions are also commonly employed by many operating systems to
encrypt passwords. Hash functions, then, help preserve the integrity of
a file.
4. TRUST MODELS
Secure use of cryptography requires trust. While secret key
cryptography can ensure message confidentiality and hash codes can
ensure integrity, none of this works without trust. In SKC, PKC solved
the secret distribution problem. There are a number of trust models
employed by various cryptographic schemes.
¢ The web of trust employed by Pretty Good Privacy (PGP) users,
who hold their own set of trusted public keys.
¢ Kerberos, a secret key distribution scheme using a trusted
third party.
¢ Certificates, which allow a set of trusted third parties to
authenticate each other and, by implication, each other's users.
Each of these trust models differs in complexity, general
applicability, scope, and scalability.
Types of authority
¢ Establish identity: Associate, or bind, a public key to an
individual, organization, corporate position, or other entity.
¢ Assign authority: Establish what actions the holder may or may
not take based upon this certificate.
¢ Secure confidential information (e.g., encrypting the session's
symmetric key for data confidentiality).
----------------------------------------------------------------------
------
Todays latest used cryptographic techniques:
Hash algorithms that are in common use today include:
¢ Message Digest (MD) algorithms
¢ Secure Hash Algorithm (SHA)
Pretty Good Privacy (PGP)
Pretty Good Privacy (PGP) is one of today's most widely used public key
cryptography programs. PGP can be used to sign or encrypt e-mail
messages with mere click of the mouse.
Depending upon the version of PGP, the software uses SHA or MD5 for
calculating the message hash; CAST, Triple-DES, or IDEA for encryption;
and RSA or DSS/Diffie-Hellman for key exchange and digital signatures.
And much more techniques used.
Time is the only true test of good cryptography; any cryptographic
scheme that stays in use year after year is most likely a good one. The
strength of cryptography lies in the choice (and management) of the
keys; longer keys will resist attack better than shorter keys
Encrypt and decrypt messages using any of the classical substitution
ciphers discussed, both by hand and with the assistance of programs.
understand the concepts of language redundancy and unicity distance.
Different types of threats to network:
¢ Application backdoors - Some programs have special
features that allow for remote access . Others contain bugs
that provide a backdoor , or hidden access , that provides some
level of control of the program.
¢ SMTP session hijacking - SMTP is the most common
method of Sending e-mail over the Internet . By gaining access
to a list of e- mail Addresses , a person can send
unsolicited junk e-mail ( spam ) to thousands of users . This
is done quite often by redirecting the e-mail through the SMTP
server of an unsuspecting host , making the actual sender of
the spam difficult to trace.
¢ Operating system bugs - Like applications , some operating
systems Have backdoors . Others provide remote access with
insufficient security controls or have bugs that an
experienced hacker can take advantage of .
¢ Denial of service - You have probably heard this phrase
used in news reports on the attacks on major Web sites . This
type of attack is nearly Impossible to counter . What happens
is that the hacker sends a request to the server to connect
to it . When the server responds with an acknowledgement and
tries to establish a session , it cannot find the system
that made the request . By inundating a server with these
unanswerable session requests , a hacker causes the server to
slow to a crawl or eventually crash.
¢ E-mail bombs - An e-mail bomb is usually a personal
attack . Someone sends you the same e-mail hundreds or
thousands of times until your e-mail system cannot accept
any more messages .
¢ Macros - To simplify complicated procedures , many
applications allow you to create a script of commands that
the application can run . This script is known as a macro .
Hackers have taken advantage of this to create their own
macros that , depending on the application , can destroy your
data or crash your computer .
¢ Viruses - Probably the most well-known threat is computer
viruses . A virus is a small program that can copy itself to
other computers . This way it can spread quickly from one
system to the next. Viruses range from harmless messages to
erasing all of your data .
¢ Spam - Typically harmless but always annoying , spam is
the electronic equivalent of junk mail . Spam can be
dangerous though . Quite often it contains links to Web sites
. Be careful of clicking on these because you may
accidentally accept a cookie that provides a backdoor to your
computer.
¢ Redirect bombs - Hackers can use ICMP to change (
redirect ) the Path information takes by sending it to a
different router . This is one of the ways that a denial of
service attack is set up.
Network security can be done by various methods.
1. Virtual Private Network:
A virtual private network ( VPN ) is a way to use a public
telecommunication infrastructure , such as the Internet , to
provide remote offices or individual users with secure access to
their organization's network. A virtual private network can be
contrasted with an expensive system of owned or leased lines
that can only be used by one organization. The goal of a VPN is
to provide the organization with the same capabilities , but at a
much lower cost
Implementation of network security by VPN.
Step 1. - The remote user dials into their local ISP and logs into the
ISPâ„¢s network as usual.
Step 2. - When connectivity to the corporate network is desired, the
user initiates a tunnel request to the destination Security server on
the corporate network. The security server authenticates the user and
creates the other end of tunnel.
Fig : a) A leased line private
network b) A virtual private network
Step 3. - The user then sends data through the tunnel which encrypted
by the VPN software before being sent over the ISP connection.
Step 4. - The destination Security server receives the encrypted data
and decrypts. The Security server then forwards the decrypted data
packets onto the corporate network. Any information sent back to the
Remote user is also encrypted before being sent over the Internet.
2.Firewalls:
A firewall provides a strong barrier between your private
network and the Internet . You can set firewalls to
restrict the number of open ports , what type of packets are
passed through and which protocols are allowed through . You
should already have a good firewall in place before you
implement a VPN , but a firewall can also be used to
terminate the VPN sessions .
Fig2: A fire wall consisting of two
packet filters and an application gateway
3.IPSec -
Internet Protocol Security Protocol (IPSec) provides
enhanced security features such as better encryption algorithms
and more comprehensive authentication . IPSec has two encryption
modes : tunnel and transport . Tunnel encrypts the header and
the payload of each packet while transport only encrypts the
payload. Only systems that are IPSec compliant can take advantage
of this Protocol . Also , all devices must use a common
key and the firewalls of each network must have very
similar security policies set up. IPSec can encrypt data
between various devices , such as :
Router to router
Firewall to router
PC to router
PC to server
A software firewall can be installed on the computer in your
home that has an Internet connection . This computer is
considered a gateway because it provides the only point
of access between your home network and the Internet .
4. AAA Server - AAA (authentication , authorization and
accounting)
servers are used for more secure access in a remote-access VPN
environment . When a request to establish a session comes in
from a dial up client , the Request is proxies to the AAA
server . AAA then checks the following :
Who you are (authentication)
What you are allowed to do (authorization)
What you actually do (accounting)
The accounting information is especially useful for tracking
client. Use for security auditing , billing or reporting
purposes .
REFRERNCES
--
1. The New Lexicon Webster's Encyclopedic Dictionary of the
English Language. New York: Lexicon.
2. Cryptography And Network Security -- William Stallings
3. R.T. Morris, 1985. A Weakness in the 4.2BSD Unix TCP/IP
Software. Computing Science Technical Report No. 117, AT&T Bell
Laboratories, Murray Hill, New Jersey.
4. COMPUTER NETWORKS ---ANDREW S. TENAUNBAUM
5. S.M. Bellovin. Security Problems in the TCP/IP Protocol Suite.
Computer Communication Review, Vol. 19, No. 2, pp. 32-48, April 1989.
6. Y. Rekhter, R. Moskowitz, D. Karrenberg, G. de Groot, E. Lear,
``Address Allocation for Private Internets.'' RFC 1918.
7. J.P. Holbrook, J.K. Reynolds. ``Site Security Handbook.'' RFC
1244.
8. M. Curtin, ``Snake Oil Warning Signs: Encryption Software to
Avoid.'' USENET <sci.crypt> Frequently Asked Questions File.
CONTENTS
¢ What is Cryptography?
¢ Types of Cryptography
1. Secret(symmetric) Key Cryptography.
2. Public(asymmetric) Key Cryptography.
3. Hash Functions.
4. Trust Models.
¢ Todays latest used cryptographic techniques
¢ Different types of threats to network
¢ Network Security can be done by various methods
1. VPN ( Virtual Private Networks)
2. Firewalls
3. IPSec.
4. AAA Server.
