Placement of Encryption Function Lecture 3 v 0
- Slides: 19
Placement of Encryption Function Lecture 3 v 0. 0 CPSC 415 Biometrics and Cryptography 1
Points of Vulnerability • Adversary can eavesdrop from a machine on the same LAN • Adversary can eavesdrop by dialing into communication server • Adversary can eavesdrop by gaining physical control of part of external links – twisted pair, coaxial cable, or optical fiber – radio or satellite links v 0. 0 CPSC 415 Biometrics and Cryptography 2
v 0. 0 CPSC 415 Biometrics and Cryptography 3
Confidentiality using Symmetric Encryption • have two major placement alternatives • link encryption – encryption occurs independently on every link – All traffic over all communication links is secured – implies must decrypt traffic between links because the switch must read the address in the packet header – Each pair of nodes that share a unique key, with a different key used on each link, many keys. – Message is vulnerable at each switch – If working with a public network, the user has not control over the security of the nodes v 0. 0 CPSC 415 Biometrics and Cryptography 4
Confidentiality using Symmetric Encryption • end-to-end encryption – encryption occurs between original source and final destination – need devices at each end with shared keys – Secure the transmission against attacks on the network links or switches – “end-to-end principle” – What part of each packet will the host encrypt? Header or user data? – A degree of authentication, only alleged sender shares the relevant key v 0. 0 CPSC 415 Biometrics and Cryptography 5
v 0. 0 CPSC 415 Biometrics and Cryptography 6
Placement of Encryption • Can place encryption function at various layers in OSI Reference Model – link encryption occurs at layers 1 or 2 – end-to-end can occur at layers 3, 4, 6, 7 • If move encryption toward higher layer – less information is encrypted but is more secure – application layer encryption is more complex, with more entities and need more keys v 0. 0 CPSC 415 Biometrics and Cryptography 7
Scope of Encryption v 0. 0 CPSC 415 Biometrics and Cryptography 8
Traffic Analysis • is monitoring of communications flows between parties – useful both in military & commercial spheres – can also be used to create a covert channel • link encryption obscures header details – but overall traffic volumes in networks and at end-points is still visible • traffic padding can further obscure flows – but at cost of continuous traffic v 0. 0 CPSC 415 Biometrics and Cryptography 9
Traffic Analysis • when using end-to-end encryption must leave headers in clear – so network can correctly route information • hence although contents protected, traffic pattern flows are not • ideally want both at once – end-to-end protects data contents over entire path and provides authentication – link protects traffic flows from monitoring v 0. 0 CPSC 415 Biometrics and Cryptography 10
Key Distribution Center v 0. 0 CPSC 415 Biometrics and Cryptography 11
Symmetric Cryptographic System cryptanalysis M encryption Alice Eve decryption M Bob K key • • C M K Secure channel Alice: sender Bob: receiver Eve: eavesdropper / Oscar : opponent Alice and Bob are the celebrities in cryptography. • Ciphertext C = EK(M); Plaintext M = EK-1(C) • One of the greatest difficulties: key management • Algorithms: DES, CAST, IDEA, RC 2/4/5 (Rivest’s Code), AES, … v 0. 0 CPSC 415 Biometrics and Cryptography 12
Symmetric Key Management • Each pair of communicating entities needs a shared key – Why? – For a n-party system, there are n(n-1)/2 distinct keys in the system and each party needs to maintain n-1 distinct keys. • How to reduce the number of shared keys in the system – Centralized key management – Public keys K 4 K 1 K 5 K 7 K 2 K 6 K 3 K 8 K 9 K 10 v 0. 0 CPSC 415 Biometrics and Cryptography 13
Centralized Key Management Online Central Server K 2 K 1 session key Alice Bob • Only n keys, instead of n(n-1)/2 in the system. • Central server may become the single-point-of-failure of the entire system and the performance bottleneck. v 0. 0 CPSC 415 Biometrics and Cryptography 14
Key Distribution • symmetric schemes require both parties to share a common secret key • issue is how to securely distribute this key • often secure system failure due to a break in the key distribution scheme v 0. 0 CPSC 415 Biometrics and Cryptography 15
Key Distribution • given parties A and B have various key distribution alternatives: 1. A can select key and physically deliver to B 2. third party can select & deliver key to A & B 3. if A & B have communicated previously can use previous key to encrypt a new key 4. if A & B have secure communications with a third party C, C can relay key between A & B v 0. 0 CPSC 415 Biometrics and Cryptography 16
Key Distribution Scenario v 0. 0 CPSC 415 Biometrics and Cryptography 17
Key Distribution Issues • hierarchies of KDC’s required for large networks, but must trust each other • session key lifetimes should be limited for greater security • controlling purposes keys are used for – lots of keys to keep track of – binding management information to key v 0. 0 CPSC 415 Biometrics and Cryptography 18
Key Distribution Center (KDC) Q: How does KDC allow Bob, Alice to determine shared symmetric secret key to communicate with each other? KDC generates R 1 KA-KDC(A, B) Alice knows R 1 KA-KDC(R 1, KB-KDC(A, R 1) ) KB-KDC(A, R 1) Bob knows to use R 1 to communicate with Alice and Bob communicate: using R 1 as session key for shared symmetric encryption v 0. 0 CPSC 415 Biometrics and Cryptography 19
- How do you decide the placement of the encryption function?
- Monther aldwairi
- 01:640:244 lecture notes - lecture 15: plat, idah, farad
- Vera krypt
- Homomorphic encryption standard
- Symmetric encryption advantages and disadvantages
- Set-omeconfiguration
- Making good encryption algorithms
- Lest we remember: cold boot attacks on encryption keys
- El gamal algorithm
- Public key encryption
- Rsa encryption java
- Encoding and encryption
- Encryption decrypti
- Crc encryption
- Encryption
- Homomorphic encryption tutorial
- Conventional encryption
- Encryption wizard
- Message confidentiality is using