《计算机网络与通讯》课程教学资源（PPT课件讲稿，英文版）Chapter 7 Network security

Chapter 7: Network security Foundations o what is security? o cryptography d authentication D message integrity o key distribution and certification Security in practice: O application layer: secure e-mail o transport layer: Internet commerce, SSL, SET D network layer: IP security 7: Network Security 1

7: Network Security 1 Chapter 7: Network security Foundations:  what is security?  cryptography  authentication  message integrity  key distribution and certification Security in practice:  application layer: secure e-mail  transport layer: Internet commerce, SSL, SET  network layer: IP security

Friends and enemies: Alice Bob. Trudy Dato Data control, data messages Secure Secure sencer eceiver channe 网 Alice Trudy o well-known in network security world o Bob, Alice (lovers! )want to communicate"securely o Trudy, the intruder"may intercept, delete, add messages 7: Network Security 2

7: Network Security 2 Friends and enemies: Alice, Bob, Trudy  well-known in network security world  Bob, Alice (lovers!) want to communicate “securely”  Trudy, the “intruder” may intercept, delete, add messages Figure 7.1 goes here

What is network security? Secrecy: only sender, intended receiver should understand"msa contents o sender encrypts msg o receiver decrypts msg Authentication: sender receiver want to confirm identity of each other Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards)without detection 7: Network Security 3

7: Network Security 3 What is network security? Secrecy: only sender, intended receiver should “understand” msg contents  sender encrypts msg  receiver decrypts msg Authentication: sender, receiver want to confirm identity of each other Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection

Internet security threats Packet sniffing broadcast media o promiscuous NIC reads all packets passing by o can read all unencrypted data(e.g. passwords) oe.g. C sniffs B's packets A srC:Bdest: Payload B 7: Network Security 4

7: Network Security 4 Internet security threats Packet sniffing:  broadcast media  promiscuous NIC reads all packets passing by  can read all unencrypted data (e.g. passwords)  e.g.: C sniffs B’s packets A B C src:B dest:A payload

Internet security threats IP Spoofing: o can generate raw"IP packets directly from application, putting any value into IP source address field o receiver can 't tell if source is spoofed oe.g. C pretends to be B src: B dest: a payload B 7: Network Security 5

7: Network Security 5 Internet security threats IP Spoofing:  can generate “raw” IP packets directly from application, putting any value into IP source address field  receiver can’t tell if source is spoofed  e.g.: C pretends to be B A B C src:B dest:A payload

Internet security threats Denial of service(DOS: o flood of maliciously generated packets "swamp receiver o Distributed DOS(DDOS): multiple coordinated Sources swamp receiver oe.g. C and remote host SyN-attack A A ADC SYN SYN SYN SYN SYN SYN SYN 7: Network Security 6

7: Network Security 6 Internet security threats Denial of service (DOS):  flood of maliciously generated packets “swamp” receiver  Distributed DOS (DDOS): multiple coordinated sources swamp receiver  e.g., C and remote host SYN-attack A A B C SYN SYN SYN SYN SYN SYN SYN

The language of cryptography plaintext VA B→ plaintext ciphertext Encryption Decryption algorithm algoritnm channe Alice Tr symmetric key crypto: sender, receiver keys identical public-key cryp to: encry ypt key public, decrypt key secret 7: Network Security 7

7: Network Security 7 The language of cryptography symmetric key crypto: sender, receiver keys identical public-key crypto: encrypt key public, decrypt key secret Figure 7.3 goes here plaintext plaintext ciphertext K A K B

Symmetric key cryptograph substitution cipher: substituting one thing for another o monoalphabetic cipher: substitute one letter for another plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewg E.g. Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc Q: How hard to break this simple cipher? brute force(how hard? ° other? 7: Network Security 8

7: Network Security 8 Symmetric key cryptography substitution cipher: substituting one thing for another  monoalphabetic cipher: substitute one letter for another plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewq Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc E.g.: Q: How hard to break this simple cipher?: •brute force (how hard?) •other?

Symmetric key crypto: DES DES: Data Encryption Standard D US encryption standard [NIST 1993 0 56-bit symmetric key, 64 bit plaintext input 门 How secure is Des? o DES Challenge: 56-bit-key-encrypted phrase CStrong cryptography makes the world a safer place")decrypted(brute force)in 4 months o no known"backdoor"decryption approach o making DES more secure o use three keys sequentially (3-DES)on each datum o use cipher-block chaining 7: Network Security 9

7: Network Security 9 Symmetric key crypto: DES DES: Data Encryption Standard  US encryption standard [NIST 1993]  56-bit symmetric key, 64 bit plaintext input  How secure is DES?  DES Challenge: 56-bit-key-encrypted phrase (“Strong cryptography makes the world a safer place”) decrypted (brute force) in 4 months  no known “backdoor” decryption approach  making DES more secure  use three keys sequentially (3-DES) on each datum  use cipher-block chaining

64-bit input 56bit key termite Symmetric Key L1 RI crypto: DES 48-bit KI fILL, RL, KID DES operation 12R2 initial permutation 48-bit K2 2R2K2 16 identical"rounds"of function application 13 each using different 48 bits of key final permutation 48-bit K16 t7R17 permu:e 64-bit output /: Network Security 10

7: Network Security 10 Symmetric key crypto: DES initial permutation 16 identical “rounds” of function application, each using different 48 bits of key final permutation DES operation