Placement of Encryption Function, Lecture 3


Slide 1: Placement of Encryption Function, Lecture 3
v 0.0 CPSC 415 Biometrics and Cryptography

Slide 2: Points of Vulnerability
• An adversary can eavesdrop from a machine on the same LAN
• An adversary can eavesdrop by dialing into a communication server
• An adversary can eavesdrop by gaining physical control of part of the external links
  – twisted pair, coaxial cable, or optical fiber
  – radio or satellite links

Slide 3: (figure only, no slide text)

Slide 4: Confidentiality using Symmetric Encryption
• There are two major placement alternatives
• Link encryption
  – encryption occurs independently on every link
  – all traffic over all communication links is secured
  – implies that traffic must be decrypted between links, because the switch must read the address in the packet header
  – each pair of nodes sharing a link needs a unique key, with a different key on each link: many keys
  – the message is vulnerable at each switch
  – on a public network, the user has no control over the security of the nodes

Slide 5: Confidentiality using Symmetric Encryption
• End-to-end encryption
  – encryption occurs between the original source and the final destination
  – needs devices at each end with shared keys
  – secures the transmission against attacks on the network links or switches (the "end-to-end principle")
  – what part of each packet will the host encrypt? the header or the user data?
  – provides a degree of authentication: only the alleged sender shares the relevant key

Slide 6: (figure only, no slide text)

Slide 7: Placement of Encryption
• The encryption function can be placed at various layers of the OSI Reference Model
  – link encryption occurs at layers 1 or 2
  – end-to-end encryption can occur at layers 3, 4, 6 or 7
• Moving encryption toward a higher layer
  – less information is encrypted, but it is more secure
  – application-layer encryption is more complex, with more entities and more keys needed

Slide 8: Scope of Encryption (figure only, no slide text)

Slide 9: Traffic Analysis
• Traffic analysis is the monitoring of communication flows between parties
  – useful in both the military and commercial spheres
  – can also be used to create a covert channel
• Link encryption obscures header details
  – but overall traffic volumes in the network and at the end-points are still visible
• Traffic padding can further obscure flows
  – but at the cost of continuous traffic

Slide 10: Traffic Analysis
• When using end-to-end encryption, the headers must be left in the clear
  – so that the network can correctly route the information
• Hence, although the contents are protected, the traffic pattern flows are not
• Ideally we want both at once
  – end-to-end encryption protects the data contents over the entire path and provides authentication
  – link encryption protects the traffic flows from monitoring

Slide 11: Key Distribution Center (figure only, no slide text)

Slide 12: Symmetric Cryptographic System
(figure: Alice encrypts M under key K to produce C; Bob decrypts C under K to recover M; K is shared over a secure channel; Eve performs cryptanalysis on C)
• Alice: sender; Bob: receiver; Eve: eavesdropper / Oscar: opponent. Alice and Bob are the celebrities in cryptography.
• Ciphertext C = E_K(M); plaintext M = E_K^{-1}(C)
• One of the greatest difficulties: key management
• Algorithms: DES, CAST, IDEA, RC2/4/5 (Rivest's Code), AES, ...

Slide 13: Symmetric Key Management
• Each pair of communicating entities needs a shared key
  – Why? For an n-party system there are n(n-1)/2 distinct keys in the system, and each party needs to maintain n-1 distinct keys.
• How to reduce the number of shared keys in the system
  – centralized key management
  – public keys
(figure: a full mesh of pairwise keys K1 through K10, i.e. 10 keys for 5 parties)

Slide 14: Centralized Key Management
(figure: an online central server shares a long-term key with Alice and with Bob (K1, K2) and issues them a session key)
• Only n keys in the system, instead of n(n-1)/2.
• The central server may become the single point of failure of the entire system and the performance bottleneck.

Slide 15: Key Distribution
• Symmetric schemes require both parties to share a common secret key
• The issue is how to securely distribute this key
• Secure systems often fail due to a break in the key distribution scheme

Slide 16: Key Distribution
• Given parties A and B, there are various key distribution alternatives:
  1. A can select a key and physically deliver it to B
  2. a third party can select and deliver the key to A and B
  3. if A and B have communicated previously, they can use the previous key to encrypt a new key
  4. if A and B each have secure communications with a third party C, C can relay a key between A and B

Slide 17: Key Distribution Scenario (figure only, no slide text)

Slide 18: Key Distribution Issues
• Hierarchies of KDCs are required for large networks, but they must trust each other
• Session key lifetimes should be limited for greater security
• Controlling the purposes keys are used for
  – lots of keys to keep track of
  – binding management information to the key

Slide 19: Key Distribution Center (KDC)
Q: How does the KDC allow Bob and Alice to determine a shared symmetric secret key to communicate with each other?
(figure: message flow)
  1. Alice -> KDC: K_A-KDC(A, B)
  2. KDC generates R1
  3. KDC -> Alice: K_A-KDC(R1, K_B-KDC(A, R1)); Alice now knows R1
  4. Alice -> Bob: K_B-KDC(A, R1); Bob knows to use R1 to communicate with Alice
  5. Alice and Bob communicate using R1 as the session key for shared symmetric encryption
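As an added example (not part of the lecture slides), the following Python models what each switch can read under the two placements of slides 4, 5 and 10, and the KDC message flow of slide 19. It uses a toy XOR-keystream cipher in place of a real block cipher; node names, link keys, single-byte party ids and the 16-byte R1 are constructed sample values.

```python
import hashlib

def enc(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || counter). It is its own
    inverse, matching the slides' C = E_K(M), M = E_K^-1(C). Illustration only:
    no nonce and no integrity check, so never use it for real traffic."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def link_encryption(header, payload, path, link_keys):
    """Slide 4: the whole packet is encrypted per link, so every switch must
    decrypt it to read the header. Returns what each node after the source reads."""
    seen, pkt = {}, enc(link_keys[(path[0], path[1])], header + payload)
    for i in range(1, len(path)):
        plain = enc(link_keys[(path[i - 1], path[i])], pkt)     # decrypt to route
        seen[path[i]] = plain                                   # exposed at switch
        if i + 1 < len(path):
            pkt = enc(link_keys[(path[i], path[i + 1])], plain)  # next link's key
    return seen

def end_to_end_encryption(header, payload, path, e2e_key):
    """Slides 5 and 10: only the payload is encrypted and the header stays in the
    clear for routing; switches see ciphertext, only the destination recovers M."""
    pkt = header + enc(e2e_key, payload)
    seen = {node: pkt for node in path[1:-1]}
    seen[path[-1]] = header + enc(e2e_key, pkt[len(header):])
    return seen

def kdc_exchange(kdc_keys, a, b, r1):
    """Slide 19 message flow with single-byte party ids and a 16-byte R1.
    Returns (R1 as Alice sees it, peer id and R1 as Bob sees it)."""
    ka, kb = kdc_keys[a], kdc_keys[b]
    msg1 = enc(ka, a + b)                        # Alice -> KDC: K_A-KDC(A, B)
    who = enc(ka, msg1)                          # KDC reads (A, B) with Alice's key
    ticket = enc(kdc_keys[who[1:2]], who[:1] + r1)   # K_B-KDC(A, R1)
    msg2 = enc(ka, r1 + ticket)                  # KDC -> Alice: K_A-KDC(R1, ticket)
    plain2 = enc(ka, msg2)
    alice_r1, fwd = plain2[:16], plain2[16:]     # Alice learns R1; ticket stays opaque
    msg3 = fwd                                   # Alice -> Bob: K_B-KDC(A, R1)
    plain3 = enc(kb, msg3)
    return alice_r1, plain3[:1], plain3[1:]      # Bob: peer is A, session key is R1
```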