《计算机网络与通讯》课程教学资源（PPT课件讲稿，英文版）Chapter 07 Network Security

Chapter 7: Network Security Chapter goals: O understand principles of network security o cryptography and its many uses beyond confidentiality o authentication o message integrity o key distribution O security in practice o firewalls o security in application transport network link layers 361.F2003

Comp 361, Fall 2003 7: Network Security 1 Chapter 7: Network Security Chapter goals:  understand principles of network security:  cryptography and its many uses beyond “confidentiality”  authentication  message integrity  key distribution  security in practice:  firewalls  security in application, transport, network, link layers

Chapter 7 roadmap 7.1 What is network security? 7.2 Principles of cryptography 7.3 Authentication 7.4 Integrity 7.5 Key distribution and certification 7.6 Access control: firewalls 7.7 Attacks and counter measures 7. 8 Security in many layers 361.F2003

Comp 361, Fall 2003 7: Network Security 2 Chapter 7 roadmap 7.1 What is network security? 7.2 Principles of cryptography 7.3 Authentication 7.4 Integrity 7.5 Key Distribution and certification 7.6 Access control: firewalls 7.7 Attacks and counter measures 7.8 Security in many layers

What is network security? Confidentiality: only sender, intended receiver should "understand"message contents o sender encrypts message o receiver decrypts message Authentication: sender, receiver want to confirm identity of each other Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards without detection Access and Availability: services must be accessible and available to users 361.F2003

Comp 361, Fall 2003 7: Network Security 3 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents  sender encrypts message  receiver decrypts message Authentication: sender, receiver want to confirm identity of each other Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection Access and Availability: services must be accessible and available to users

Friends and enemies: Alice Bob. Trudy o well-known in network security world o Bob, Alice (lovers! )want to communicate "securely o Trudy(intruder)may intercept, delete, add messages Alice Bob channe data, control messages data secure secure data sender recelver Trudy 361.F2003

Comp 361, Fall 2003 7: Network Security 4 Friends and enemies: Alice, Bob, Trudy  well-known in network security world  Bob, Alice (lovers!) want to communicate “securely”  Trudy (intruder) may intercept, delete, add messages secure sender secure receiver channel data, control messages data data Alice Bob Trudy

Who might Bob, Alice be? g.. well real-life bobs and alices o Web browser/server for electronic transactions(e., on-line purchases O on-line banking client/server O DNS servers D routers exchanging routing table updates O other examples? 361.F2003

Comp 361, Fall 2003 7: Network Security 5 Who might Bob, Alice be?  … well, real-life Bobs and Alices!  Web browser/server for electronic transactions (e.g., on-line purchases)  on-line banking client/server  DNS servers  routers exchanging routing table updates  other examples?

There are bad guys(and girls)out there! Q: What can a bad guy"do? A: a lotl D eavesdrop: intercept messages o actively insert messages into connection o impersonation: can fake(spoof) source address in packet (or any field in packet) hjacking: take over"ongoing connection by removing sender or receiver inserting himself In place o denial of service: prevent service from being used by others(e.g, by overloading resources) more on this later… 361.F2003

Comp 361, Fall 2003 7: Network Security 6 There are bad guys (and girls) out there! Q: What can a “bad guy” do? A: a lot!  eavesdrop: intercept messages  actively insert messages into connection  impersonation: can fake (spoof) source address in packet (or any field in packet)  hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place  denial of service: prevent service from being used by others (e.g., by overloading resources) more on this later ……

Chapter 7 roadmap 7. 1 What is network security 7.2 Principles of cryptography 7.3 Authentication 7.4 Integrity 7.5 Key distribution and certification 7.6 Access control: firewalls 7.7 Attacks and counter measures 7. 8 Security in many layers 361.F2003

Comp 361, Fall 2003 7: Network Security 7 Chapter 7 roadmap 7.1 What is network security? 7.2 Principles of cryptography 7.3 Authentication 7.4 Integrity 7.5 Key Distribution and certification 7.6 Access control: firewalls 7.7 Attacks and counter measures 7.8 Security in many layers

The language of cryptography ⊙A|ices ⊙≥Bobs encryption decryption. s. key key plaintext, encryption_ciphertext decryption plaintext algorithm symmetric key crypto: sender, receiver keys identical public-key crypto: encryption key public, decryption key secret(private) 361.F2003

Comp 361, Fall 2003 7: Network Security 8 The language of cryptography symmetric key crypto: sender, receiver keys identical public-key crypto: encryption key public, decryption key secret (private) plaintext ciphertext plaintext K A encryption algorithm decryption algorithm Alice’s encryption key Bob’s decryption key K B

Symmetric key cryptograph substitution cipher: substituting one thing for another o monoalphabetic cipher: substitute one letter for another plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewg E.g. Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc Q: How hard to break this simple cipher? 口 brute force( how haro? 口 other? 361.F2003

Comp 361, Fall 2003 7: Network Security 9 Symmetric key cryptography substitution cipher: substituting one thing for another  monoalphabetic cipher: substitute one letter for another plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewq Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc E.g.: Q: How hard to break this simple cipher?: ❑ brute force (how hard?) ❑ other?

Symmetric key cryptograph A-B B plaintext encryption-ciphertext decryption plaintext message, m algorithm algorithm A A-B、A-B symmetric key crypto: Bob and Alice share know same (symmetric) key: K A-B D eg, key is knowing substitution pattern in mono alphabetic substitution cipher 0 Q: how do bob and alice agree on key value? 361.F2003

Comp 361, Fall 2003 7: Network Security 10 Symmetric key cryptography symmetric key crypto: Bob and Alice share know same (symmetric) key: K  e.g., key is knowing substitution pattern in mono alphabetic substitution cipher  Q: how do Bob and Alice agree on key value? ciphertext plaintext KA-B encryption algorithm decryption algorithm A-B KA-B plaintext message, m K (m) A-B K (m) A-B m = K ( ) A-B