计算机网络课件：Chapter8 Network Security

1、8: Network Security8-1Chapter 8Network SecurityA note on the use of these ppt slides:Were making these slides freely available to all (faculty, students, readers). Theyre in PowerPoint form so you can add, modify, and delete slides (including this one) and slide content to suit your needs. They obvi

2、ously represent a lot of work on our part. In return for use, we only ask the following:q If you use these slides (e.g., in a class) in substantially unaltered form, that you mention their source (after all, wed like people to use our book!)q If you post any slides in substantially unaltered form on

3、 a www site, that you note that they are adapted from (or perhaps identical to) our slides, and note our copyright of this material.Thanks and enjoy! JFK/KWRAll material copyright 1996-2007J.F Kurose and K.W. Ross, All Rights ReservedComputer Networking: A Top Down Approach ,4th edition. Jim Kurose,

4、 Keith RossAddison-Wesley, July 2007. 8: Network Security8-2Chapter 8: Network SecurityChapter goals: runderstand principles of network security: mcryptography and its many uses beyond “confidentiality（机密性）”mAuthentication（鉴别）mmessage integrity（报文完整性）rsecurity in practice:msecurity in application, t

5、ransport, network, link layers mfirewalls and intrusion detection systems8: Network Security8-3Chapter 8 roadmap8.1 What is network security?8.2 Principles of cryptography8.3 Message integrity8.4 End point authentication8.5 Securing e-mail8.6 Securing TCP connections: SSL8.7 Network layer security:

6、IPsec8.8 Securing wireless LANs8.9 Operational security: firewalls and IDS8: Network Security8-4What is network security?Confidentiality: only sender, intended receiver should “understand” message contentsmsender encrypts messagemreceiver decrypts messageAuthentication: sender, receiver want to conf

7、irm identity of each other Message integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection（没改过、没探测过）Access and availability: services must be accessible and available to users8: Network Security8-5Friends and enemies: Alice, Bob, Trudyrwell-known

8、in network security worldrBob, Alice (lovers!) want to communicate “securely”rTrudy (intruder) may intercept, delete, add messagessecuresendersecurereceiverchanneldata, control messagesdatadataAliceBobTrudy8: Network Security8-6Who might Bob, Alice be?r well, real-life Bobs and Alices!rWeb browser/s

9、erver for electronic transactions (e.g., on-line purchases)ron-line banking client/serverrDNS serversrrouters exchanging routing table updatesrother examples?8: Network Security8-7There are bad guys (and girls) out there!Q: What can a “bad guy” do?A: a lot!mEavesdrop（窃听）: intercept messages 可能窃取口令和数

10、据mactively insert messages into connectionmImpersonation（假冒）: can fake (spoof) source address in packet (or any field in packet)mhijacking （劫持） : “take over” ongoing connection by removing sender or receiver, inserting himself in placemdenial （拒绝） of service: prevent service from being used by other

11、s (e.g., by overloading resources)more on this later 8: Network Security8-8Chapter 8 roadmap8.1 What is network security?8.2 Principles of cryptography8.3 Message integrity8.4 End point authentication8.5 Securing e-mail8.6 Securing TCP connections: SSL8.7 Network layer security: IPsec8.8 Securing wi

12、reless LANs8.9 Operational security: firewalls and IDS8: Network Security8-9The language of cryptographysymmetric key（对称密钥） crypto: sender, receiver keys identical（相同的、秘密的）public-key （公钥） crypto: encryption key public, decryption key secret (private私钥：只有一人知道，Alice or Bob, usually receiver)加密技术、算法本身是

13、公开和标准化的，任何人都可使用的。Plaintext明文plaintextCiphertext密文KAencryptionalgorithmdecryption algorithmAlices encryptionkeyBobs decryptionkeyKB8: Network Security8-10Symmetric key cryptographysubstitution cipher: substituting one thing for anothermmonoalphabetic cipher(单码代替密码): substitute one letter for anotherp

14、laintext: abcdefghijklmnopqrstuvwxyzciphertext: mnbvcxzasdfghjklpoiuytrewqPlaintext: bob. i love you. aliceciphertext: nkn. s gktc wky. mgsbcE.g.:Q: How hard to break this simple cipher?:q brute force (蛮力，how hard?) 可能的字母配对为26！即1026数量级。8: Network Security8-11Symmetric key cryptographysymmetric key c

15、rypto: Bob and Alice share know same (symmetric) key: Kre.g., key is knowing substitution pattern in mono alphabetic substitution cipherrQ: how do Bob and Alice agree on key value at first?plaintextciphertextKA-Bencryptionalgorithmdecryption algorithmA-BKA-Bplaintextmessage, mK (m)A-BK (m)A-Bm = K (

16、 ) A-B8: Network Security8-12Symmetric key crypto: DESDES: Data Encryption StandardrUS encryption standard NIST 1993r56-bit symmetric key, 64-bit plaintext inputrHow secure is DES?mDES Challenge: 56-bit-key-encrypted phrase (“Strong cryptography makes the world a safer place”) decrypted (brute force

17、) in 4 monthsmno known “backdoor” decryption approachrmaking DES more secure:muse three keys sequentially (3-DES) on each datummuse Cipher-Block Chaining（CBC：密码块链接）8: Network Security8-13Symmetric key crypto: DESinitial permutation 排列：16 identical “rounds” of function application, each using differe

18、nt 48 bits of key（经16轮且每轮48位密钥的加密），形成：final permutationDES operation8: Network Security8-14AES: Advanced Encryption Standardrnew (Nov. 2001) symmetric-key NIST standard, replacing DESrprocesses data in 128 bit blocksr128, 192, or 256 bit keysrIf brute force decryption (try each key) taking 1 sec on

19、DES, takes 149 trillion（万亿） years for AES！8: Network Security8-15Block Cipherrone pass through: one input bit affects 8 output 位64-bit inputT18bits8 bits8bits8 bits8bits8 bits8bits8 bits8bits8 bits8bits8 bits8bits8 bits8bits8 bits64-bit scrambler64-bit outputloop for n roundsT2T3T4T6T5T7T8rmultiple

20、passes: each input bit affects all output bits rblock ciphers: DES, 3DES, AES8: Network Security8-16Cipher Block Chainingrcipher block: if input block repeated, will produce same cipher text.给攻击者解密留下漏洞t=1m(1) = “HTTP/1.1”blockcipherc(1) = “k329aM02”rcipher block chaining: XOR ith input block, m(i),

21、with previous block of cipher text, c(i-1) (K：密钥，Ks：加密算法)mAt beginning, c(0) 初始向量transmitted to receiver in clear textmC(i)=Ks(m(i) c(i-1)mwhat happens in “HTTP/1.1” scenario from above?(不相同)mReceiver: 先用Ks解密获得：s(i)= m(i) c(i-1),由于已知c(i-1),进而得到： m(i)= s(i) c(i-1),+m(i)c(i)t=17m(17) = “HTTP/1.1”block

22、cipherc(17) = “k329aM02”blockcipherc(i-1)8: Network Security8-17Public key cryptographysymmetric key cryptorrequires sender, receiver know shared secret keyrQ: how to agree on key in first place (particularly if never “met” especially on the Internet)?public key cryptographyrradically different appr

23、oach Diffie-Hellman76, RSA78rsender, receiver do not share secret keyrpublic encryption key known to allrprivate decryption key known only to receiver8: Network Security8-18Public key cryptographyplaintextmessage, mciphertextencryptionalgorithmdecryption algorithmBobs public key plaintextmessageK (m

24、)B+K B+Bobs privatekey K B-m = K (K (m)B+B-8: Network Security8-19Public key encryption algorithmsneed K ( ) and K ( ) such thatBB.given public key K , it should be impossible to compute private key K ，且需要数字签名，把发送方与报文绑定起来BBRequirements:12RSA: （Rivest, Shamir, Adleman ，3个创立人的姓）algorithm+-K (K (m) = m

25、 BB-+-8: Network Security8-20RSA: （1） Choosing keys1. Choose two large prime numbers （大素数）：p, q. (e.g., 1024 bits each，或其乘积是1024位的数量级)2. Compute： n = pq, z = (p-1)(q-1)3. Choose e ( with eAlice data encryption key （实现数据机密性）mEA: Alice-Bob data encryption key （实现数据机密性）mMB: Bob-Alice MAC key（实现数据完整性）mM

26、A: Alice-Bob MAC key （实现数据完整性）rencryption and MAC algorithms negotiable between Bob, Alicerwhy 4 keys?（两个用于加密数据，两个用于验证数据的完整性。这样通常被认为更为安全）8: Network Security8-61SSL: three phases3. Data transfer（假定每个TCP报文段封装了正好一个记录）H( ).MBb1b2b3 bnddH(d)dH(d)H( ).EBTCP byte streamblock n bytes together compute MAC: 应

27、为H(d+MB+#) encrypt d, MACSSL seq. #dH(d)Type Ver LenSSL record formatencrypted using EBunencrypted8: Network Security8-62Chapter 8 roadmap8.1 What is network security?8.2 Principles of cryptography8.3 Message integrity8.4 End point authentication8.5 Securing e-mail8.6 Securing TCP connections: SSL8.

28、7 Network layer security: IPsec8.8 Securing wireless LANs8.9 Operational security: firewalls and IDS8: Network Security8-63IPsec: Network Layer Security(一组协议,相当复杂!)rnetwork-layer secrecy: msending host encrypts the data in IP datagram: TCP and UDP segments; ICMP and SNMP messages.rnetwork-layer auth

29、entication: mdestination host can authenticate source IP address 以防IP地址哄骗rtwo principal protocols:mauthentication header (AH) protocolmencapsulation security payload (ESP) protocolrfor both AH and ESP, 在通信前 source 和 destination 要进行 handshake:mcreate network-layer logical channel (单工connection) calle

30、d a security association (SA),且有了由人工配置或自动地按需获取的共享密钥reach SA unidirectional单向的runiquely determined by:msecurity protocol (AH or ESP)msource IP addressm32-bit connection ID (SPI:安全参数索引)8: Network Security8-64Authentication Header (AH) Protocolrprovides source authentication, data integrity, no confide

31、ntialityrAH header inserted between IP header, data field.rprotocol field (in IP header): 51 (指示该数据报包含了一个AH的首部,以便目的主机知道用AH协议来处理该数据报)rintermediate routers process datagrams as usualAH header includes:rconnection identifier即SPI: 32bits，与目的IP地址与安全协议结合使用，唯一地标识该数据报的SArauthentication data: 是一个可变长字段，包含对数据报

32、的MAC(是对初始IP数据报和AH首部计算而得).rnext header field: specifies type of data located behind AH head (e.g., TCP, UDP, ICMP)rSequence #: 32 bits，be datagram #, being 0 for the first SAIP headerdata (e.g., TCP, UDP segment)AH header8: Network Security8-65ESP Protocol(在创建SA以后，源和目的主机共享一个加密密钥和一个鉴别密钥，然后源才可向目的主机发安全数

33、据报)rprovides secrecy, host authentication, data integrity.rdata, ESP trailer encrypted.rnext header field is in ESP trailer.作用同AH中。因被加密，入侵者就不能确定正在使用的运输层协议rESP首部含SPI和序号字段，各32位，作用同AH中。rESP authentication field is similar to AH authentication field.rProtocol (in IP header): = 50 指示目的主机用ESP协议来处理该数据报。IP

34、headerTCP/UDP segmentESPheaderESPtrailerESPauthent.encryptedauthenticated8: Network Security8-66Chapter 8 roadmap8.1 What is network security?8.2 Principles of cryptography8.3 Message integrity8.4 End point authentication8.5 Securing e-mail8.6 Securing TCP connections: SSL8.7 Network layer security:

35、 IPsec8.8 Securing wireless LANs8.9 Operational security: firewalls and IDS8: Network Security8-67IEEE 802.11 securityrencryption, authenticationrfirst attempt at 802.11 security: Wired Equivalent Privacy (WEP:有线等有线等效保密效保密): 使用对称共享密钥，在主机和无线接入点之间提供鉴别和数据加密。 不是很好！不是很好！rcurrent attempt: 802.11i标准8: Netw

36、ork Security8-68Wired Equivalent Privacy (WEP): rauthentication as in protocol ap4.0mhost requests authentication from access pointmaccess point sends 128B nonce来响应请求来响应请求mhost encrypts nonce using shared symmetric keymaccess point decrypts nonce, 如这个不重数如这个不重数值相同，则值相同，则 authenticates hostrno key dis

37、tribution mechanismrauthentication: knowing the shared key is enough（假定是通过带外方式达成了一致）8: Network Security8-69WEP data encryptionrhost/AP share 40 bit symmetric key (semi-permanent)rhost appends 24-bit initialization vector (IV) to create 64-bit keyr64 bit key used to generate stream of keys, kiIVrkiIV

38、 used to encrypt ith byte, di, in frame:ci = di XOR kiIVrIV and encrypted bytes, ci sent in frame8: Network Security8-70802.11 WEP encryption IV (per frame) KS: 40-bit secret symmetric key k1IV k2IV k3IV kNIV kN+1IV kN+4IV d1 d2 d3 dN CRC1 CRC4 c1 c2 c3 cN cN+1 cN+4 plaintext frame data plus CRC key

39、 sequence generator ( for given KS, IV) 802.11 header IV WEP-encrypted （data + CRC（4B） Figure 7.8-new1: 802.11 WEP protocol Sender-side WEP data encryption每一每一Frame中使用的中使用的IV不同，使得每次的不同，使得每次的64位加密密钥不同位加密密钥不同。8: Network Security8-71Breaking 802.11 WEP encryptionsecurity hole: r24-bit IV, one IV per fr

40、ame, - IVs eventually reused（在处理在处理12000侦之后选中相同侦之后选中相同IV值的概率超过值的概率超过99%）rIV transmitted in plaintext - IV reuse detected 在在Frame长为长为1KB和数据传输率为和数据传输率为11Mbps情况下，传输情况下，传输12000 Frames仅需几秒的时间仅需几秒的时间（10248 1200011=8.937秒）rAttack(对于给定的ks，通过得到通过得到IV，即可得到，即可得到64位的密钥位的密钥):mTrudy causes Alice to encrypt known

41、plaintext d1 d2 d3 mTrudy sees: ci = di XOR kiIVmTrudy knows ci di, so can compute kiIV = ci XOR dimNext time（几秒后） IV is used, Trudy knows encrypting key sequence k1IV k2IV k3IV 从而导出从而导出ks和知道和知道64位的密钥位的密钥mSo，Trudy can decrypt new di!（后来新发的真实数据后来新发的真实数据）8: Network Security8-72 802.11i: improved secur

42、ity（2004）rnumerous (stronger) forms of encryption being possible 提供了强且多的加密形式提供了强且多的加密形式rprovides key distribution mechanism ruses Authentication Server（AS） to separate from Access Point AP能够与能够与AS通信；通信；AS与与AP的分离，使得一台的分离，使得一台AS可可服务于多个服务于多个AP；集中在一台服务器中作出有关鉴别；集中在一台服务器中作出有关鉴别和接入的决定，降低了和接入的决定，降低了AP的成本和复杂

43、性。的成本和复杂性。 802.11i运行分为运行分为4个阶段：个阶段：发现；发现；相互鉴别和相互鉴别和主密钥（主密钥（MK）生成；）生成；成对主密钥（成对主密钥（PMK）生成；）生成；临时密钥（临时密钥（TK）生成。）生成。8: Network Security8-73AP: access pointAS:Authentication serverwirednetworkSTA:client station1Discovery of security capabilities（AP通告它的存在并能够向无线客户机节点提供鉴别和加密的格式）通告它的存在并能够向无线客户机节点提供鉴别和加密的格式）3

44、STA and AS mutually authenticate, togethergenerate Master Key (MK). AP servers as “pass through”（如使用（如使用EAP且通过且通过AP”通道通道”的中继，实现客户机与的中继，实现客户机与AS的彼此相互鉴别的彼此相互鉴别,并导出并导出/生成主密生成主密钥）钥）23STA derives导出导出Pairwise 成对成对Master Key (PMK) (使用使用MK生成的一个次密钥，生成的一个次密钥，即共享密钥即共享密钥)AS derivessame PMK(使用使用MK生成的生成的一个次密钥一个次密

45、钥，即共享密钥即共享密钥), sends to AP4 STA, AP use PMK to deriveTemporal Key (TK) used for message Encryption in wireless link level, integrity while commu. with other uers 802.11i: four phases of operation8: Network Security8-74wirednetworkEAP TLSEAP EAP over LAN (EAPoL) IEEE 802.11 RADIUSUDP/IPEAP: extensibl

46、e authentication protocolrEAP: end-end client (mobile) to authentication server protocolrEAP sent over separate “links”mmobile-to-AP (EAP over LAN)mAP to authentication server (RADIUS over UDP)8: Network Security8-75Chapter 8 roadmap8.1 What is network security?8.2 Principles of cryptography8.3 Mess

47、age integrity8.4 End point authentication8.5 Securing e-mail8.6 Securing TCP connections: SSL8.7 Network layer security: IPsec8.8 Securing wireless LANs8.9 Operational security: firewalls and IDS8: Network Security8-76Firewalls（软硬件的结合体）（软硬件的结合体）isolates organizations internal net from larger Interne

48、t, allowing some packets to pass, blocking others.firewall administerednetworkpublicInternetfirewall8: Network Security8-77Firewalls: typesthree types of firewalls:mstateless (traditional) packet filtersmstateful packet filtersmApplication-level gateways8: Network Security8-78Stateless packet filter

49、ingrinternal network connected to Internet via router firewallrrouter filters packet-by-packet, decision to forward/drop packet based on:msource IP address, destination IP addressmTCP/UDP source and destination port numbersmProtocol type value of IP datagram, ICMP message typemTCP SYN and ACK bitsm进

50、入、欲离开网络的规则、路由器接口规则等进入、欲离开网络的规则、路由器接口规则等 Should arriving packet be allowed in? Departing packet let out?8: Network Security8-79Stateless packet filtering: examplerexample 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23.mall incoming, outgo

51、ing UDP flows and telnet connections （port = 23） are blocked.rexample 2: Block inbound（进入的进入的） TCP segments with ACK=0.mprevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.8: Network Security8-80PolicyFirewall SettingNo outsi

52、de Web access.Drop all outgoing packets to any IP address, port 80（web应用使用应用使用http的的tcp连接端口号连接端口号）No incoming TCP connections, except those for institutions public Web server only.Drop all incoming TCP SYN packets to any IP except 03, port 80Prevent Web-radios from eating up the availab

53、le bandwidth.Drop all incoming UDP packets - except DNS and router broadcasts.Prevent your network from being used for a smurf DoS attack.Drop all ICMP ping packets going to a “broadcast” address (eg 55).Prevent your network from being tracerouted（被跟踪路由）Drop all outgoing ICMP TTL expire

54、d trafficStateless packet filtering: more examples8: Network Security8-81actionsourceaddressdestaddressprotocolsourceportdestportflagbitallow222.22/16outside of222.22/16TCP 102380anyallowoutside of222.22/16222.22/16TCP80 1023ACKallow222.22/16outside of222.22/16UDP 102353-allowoutside of222.22/16222.

55、22/16UDP53 1023-denyallallallallallallAccess Control Lists(ACL)rACL: table of rules, applied top to bottom to incoming packets: (action, condition) pairs8: Network Security8-82Stateful packet filteringrstateless packet filter: 尽管限制性相当强，但接纳的分组尽管限制性相当强，但接纳的分组可能被试图用可能被试图用异常分组来崩溃内部系统、执行拒绝服务攻击或绘异常分组来崩溃内部

56、系统、执行拒绝服务攻击或绘制内部网络结构制内部网络结构的攻击者的攻击者使用使用，e.g., source port = 80, ACK bit set, even though no TCP connection established:actionsourceaddressdestaddressprotocolsourceportdestportflagbitallowoutside of222.22/16222.22/16TCP80 1023ACKrstateful packet filter: 通过一张连接表来通过一张连接表来 track status of every TCP conn

57、ection，并以此做出过滤决定：并以此做出过滤决定：mtrack connection setup (SYN), teardown (FIN): can determine whether incoming, outgoing packets “makes sense”mTimeout（如60秒） inactive connections at firewall: no longer to admit packets8: Network Security8-83actionsourceaddressdestaddressprotosourceportdestportflagbitcheck

58、connectionallow222.22/16outside of222.22/16TCP 102380anyallowoutside of222.22/16222.22/16TCP80 1023ACKxallow222.22/16outside of222.22/16UDP 102353-allowoutside of222.22/16222.22/16UDP53 1023-xdenyallallallallallallStateful packet filteringrACL 增加的增加的“核对连接栏核对连接栏” to indicate need to check connection

59、state table before admitting packet（即核对即核对ACL，又要查连接状态表，要都符合，又要查连接状态表，要都符合方可接纳。方可接纳。见见P478的两个例子）的两个例子）8: Network Security8-84Application gateways（应用程序的特定服务器应用程序的特定服务器）rfilters packets on application layer data as well as on IP/TCP/UDP fields （而非其首部中）（而非其首部中）.rexample: allow select internal users（一组受限用一组受限用户户） to telnet outside.host-to-gatewaytelnet sessiongateway-to-remote host telnet sessionapplicationgatewayrouter and filter1. require all telnet users to telnet through gateway.2. for authorized users, gateway sets up telnet conne