Fundamentals of Security

Uploaded by avent. Posted 30-Jan-2016. Transcript of a PowerPoint presentation.

TRANSCRIPT

Page 1: Fundamentals of Security

04/22/23 1

Fundamentals of Security

Page 2

Security Attacks

• Passive Attacks

• Active Attacks

Page 3

Passive Attacks

Interception (confidentiality)

Page 4

Interception

• Release of message contents: learn sensitive information.

• Traffic analysis: determine the identity and location of the host.

Page 5

Active Attacks

• Interruption (availability)

• Modification (integrity)

• Fabrication (authenticity)

Page 6

Modification (integrity)

Modify the contents of a message or a file. It is an attack on integrity.

Page 7

Interruption (availability)

Try to break the system so that it is out of service. It is an attack on availability.

Page 8

Fabrication (authenticity)

Insert messages into the system or objects into files, trying to fool the system. It is an attack on authenticity.

Page 9

Security Service

• Confidentiality

• Authentication

• Integrity

• Nonrepudiation

• Availability

Page 10

Confidentiality

Confidentiality is the protection of transmitted data from passive attacks.

(Figure: the value 444-21-8888 is sent and received unchanged, while an eavesdropper sees only ***-**-****.)

Page 11

Authentication

The authentication service assures the recipient that the information comes from a reliable source.

(Figure: "I am friend" / "OK, let us talk".)

Page 12

Integrity

(Figure: a client sends "Buy 1000 stocks" to a broker; the broker must receive exactly "Buy 1000 stocks".)

Make sure that the message is received exactly as it was sent, without modification, duplication, insertion, reordering, or replay.

Page 13

Nonrepudiation

(Figure: a client says "I am John, buy 1000 stocks"; the broker answers "You are not John, I can't do that.")

Nonrepudiation prevents either the sender or the receiver from denying a transaction.

Page 14

Availability

Protect against Denial Of Service attacks.

Page 15

Cryptography Definition

• A process associated with scrambling plaintext (ordinary text, or clear text) into ciphertext (a process called encryption), then back again (known as decryption). Cryptography concerns itself with four objectives:

1. Confidentiality (the information cannot be understood by anyone for whom it was unintended).

2. Integrity (the information cannot be altered in storage or in transit between sender and intended receiver without the alteration being detected).

3. Non-repudiation (the creator/sender of the information cannot deny at a later stage his or her intentions in the creation or transmission of the information).

4. Authentication (the sender and receiver can confirm each other's identity and the origin/destination of the information).

Procedures and protocols that meet some or all of the above criteria are known as cryptosystems.

Page 16

Encryption Model

(Figure: plaintext X → encryption algorithm → ciphertext Y → decryption algorithm → plaintext X. The key K reaches both ends over a secure channel. A cryptanalyst observing Y tries to recover an estimate X' of the plaintext and/or K' of the key.)

Page 17

Cryptography Classification

Cryptographic systems are generally classified along three independent dimensions:

• The type of operation used for transforming plaintext to ciphertext: all encryption algorithms are based on two general principles:

1. Substitution: each element in the plaintext (bit, letter, group of bits or letters) is mapped into another element.

2. Transposition: elements in the plaintext are rearranged.

The fundamental requirement is that all operations must be reversible. Most systems involve multiple stages of substitution and transposition.

• The number of keys used:

1. Symmetric: if both sender and receiver use the same key, the system is referred to as symmetric, single-key, secret-key, or conventional encryption.

2. Asymmetric: if sender and receiver each use a different key, the system is referred to as asymmetric, two-key, or public-key encryption.

• The way in which the plaintext is processed:

1. Block cipher: processes the input one block of elements at a time, producing an output block for each input block.

2. Stream cipher: processes the input elements continuously, producing output one element at a time.

Page 18

Encryption techniques: Caesar Cipher

Substitution cipher:

Plain: meet me after the party

Cipher: PHHW PH DIWHU WKH SDUWB

$C = E(p) = (p + 3) \bmod 26$

$p = D(C) = (C - 3) \bmod 26$

Page 19

Encryption techniques: Caesar Cipher

Cryptanalysis: $p = D(C) = (C - i) \bmod 26$. Try all 25 different keys.

Page 20

Encryption techniques: Mono-alphabetic Cipher

Substitution cipher:

Plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z

Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

The cipher line could be any permutation of the 26 characters, so there are 26!, or greater than $4 \times 10^{26}$, possible keys.

Page 21

Encryption techniques: Mono-alphabetic Cipher

Cryptanalysis

Construct a table of the frequencies of single letters, letter pairs, etc. in a very long English text. Construct another such table from the encrypted text. From the relationship between the two tables we can figure out the encryption key.
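An added example (not from the slides) covering the two cryptanalysis slides above: it encrypts the slides' own Caesar plaintext, then tries all 25 keys and ranks the candidates by comparing their letter-frequency table with an English reference table, which is the same table comparison the mono-alphabetic slide describes. The English frequency values are an assumption of the example.

```python
from collections import Counter
import string

ALPHABET = string.ascii_lowercase

# Approximate relative frequencies (percent) of letters in English text; these
# values are an assumption of the example (a commonly quoted table), not from the slides.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}


def caesar_encrypt(plain: str, key: int) -> str:
    """C = E(p) = (p + key) mod 26 per letter; ciphertext in upper case as on the slide."""
    out = []
    for ch in plain.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26].upper())
        else:
            out.append(ch)                # spaces and punctuation pass through
    return "".join(out)


def caesar_decrypt(cipher: str, key: int) -> str:
    """p = D(C) = (C - key) mod 26; plaintext in lower case."""
    return caesar_encrypt(cipher, -key).lower()


def frequency_table(text: str) -> dict:
    """Single-letter frequency table (percent) of a text: the table the slide
    builds for the ciphertext (the same function on a long English text gives
    the reference table)."""
    letters = [c for c in text.lower() if c in ALPHABET]
    counts = Counter(letters)
    total = len(letters) or 1
    return {c: 100.0 * counts[c] / total for c in ALPHABET}


def english_distance(text: str) -> float:
    """How far a text's letter frequencies are from English (sum of absolute
    differences); lower means the text looks more like English."""
    table = frequency_table(text)
    return sum(abs(table[c] - ENGLISH_FREQ[c]) for c in ALPHABET)


def brute_force(cipher: str) -> list:
    """Try all 25 keys, p = (C - i) mod 26, and rank the candidates by how
    English-like they are. Returns (distance, key, plaintext) tuples, best first."""
    candidates = []
    for key in range(1, 26):
        plain = caesar_decrypt(cipher, key)
        candidates.append((english_distance(plain), key, plain))
    return sorted(candidates)


if __name__ == "__main__":
    ct = caesar_encrypt("meet me after the party", 3)
    print(ct)                                   # PHHW PH DIWHU WKH SDUWB
    for distance, key, plain in brute_force(ct)[:5]:
        print(f"key={key:2d} distance={distance:6.1f} {plain}")
```

On a message this short the frequency ranking is only a hint; the ranking becomes reliable as the ciphertext grows, which is why the slide asks for a very long text.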

Page 22

Encryption techniques: Hill Cipher

Substitution cipher:

The encryption algorithm takes m successive plaintext letters and substitutes for them m ciphertext letters. The substitution is determined by m linear equations in which each character is assigned a numerical value (a = 0, b = 1, ..., z = 25). For m = 3, the system can be described as follows:

$C_1 = (k_{11} p_1 + k_{12} p_2 + k_{13} p_3) \bmod 26$

$C_2 = (k_{21} p_1 + k_{22} p_2 + k_{23} p_3) \bmod 26$

$C_3 = (k_{31} p_1 + k_{32} p_2 + k_{33} p_3) \bmod 26$

Page 23

Encryption techniques: Hill Cipher

In matrix form:

$\begin{pmatrix} C_1 \\ C_2 \\ C_3 \end{pmatrix} = \begin{pmatrix} k_{11} & k_{12} & k_{13} \\ k_{21} & k_{22} & k_{23} \\ k_{31} & k_{32} & k_{33} \end{pmatrix} \begin{pmatrix} p_1 \\ p_2 \\ p_3 \end{pmatrix} \bmod 26$

$C = E_K(P) = KP \bmod 26$

$P = D_K(C) = K^{-1} C \bmod 26 = K^{-1} K P = P$
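An added example (not from the slides) of the m = 3 Hill cipher in the slides' convention C = KP mod 26, including the modular matrix inverse that decryption needs. The key matrix is a constructed one chosen so that det(K) is invertible mod 26.

```python
ALPHABET_SIZE = 26


def text_to_numbers(text: str) -> list:
    return [ord(c) - ord("a") for c in text.lower() if c.isalpha()]


def numbers_to_text(nums: list) -> str:
    return "".join(chr(n + ord("a")) for n in nums)


def minor(k: list, row: int, col: int) -> int:
    """Determinant of the 2x2 matrix left after deleting one row and one column."""
    rows = [k[i] for i in range(3) if i != row]
    m = [[r[j] for j in range(3) if j != col] for r in rows]
    return m[0][0] * m[1][1] - m[0][1] * m[1][0]


def det3(k: list) -> int:
    return sum((-1) ** c * k[0][c] * minor(k, 0, c) for c in range(3))


def inverse_mod26(k: list) -> list:
    """K^-1 mod 26 = det(K)^-1 * adj(K) mod 26. The key is usable only when
    det(K) is invertible mod 26, i.e. gcd(det(K), 26) = 1."""
    det = det3(k) % ALPHABET_SIZE
    det_inv = pow(det, -1, ALPHABET_SIZE)          # ValueError if gcd(det, 26) != 1
    adj = [[(-1) ** (r + c) * minor(k, c, r) for c in range(3)] for r in range(3)]
    return [[(det_inv * adj[r][c]) % ALPHABET_SIZE for c in range(3)] for r in range(3)]


def multiply(k: list, p: list) -> list:
    """C_i = (k_i1 p_1 + k_i2 p_2 + k_i3 p_3) mod 26: the three linear equations."""
    return [sum(k[i][j] * p[j] for j in range(3)) % ALPHABET_SIZE for i in range(3)]


def hill_encrypt(plain: str, key: list) -> str:
    nums = text_to_numbers(plain)
    nums += [ord("x") - ord("a")] * (-len(nums) % 3)   # pad the last group with 'x'
    out = []
    for i in range(0, len(nums), 3):
        out.extend(multiply(key, nums[i:i + 3]))
    return numbers_to_text(out).upper()


def hill_decrypt(cipher: str, key: list) -> str:
    k_inv = inverse_mod26(key)
    nums = text_to_numbers(cipher)
    out = []
    for i in range(0, len(nums), 3):
        out.extend(multiply(k_inv, nums[i:i + 3]))
    return numbers_to_text(out)


# Constructed 3x3 key (invertible mod 26: det(K) mod 26 = 23).
K_EXAMPLE = [[17, 17, 5], [21, 18, 21], [2, 2, 19]]

if __name__ == "__main__":
    ct = hill_encrypt("paymoremoney", K_EXAMPLE)
    print(ct, hill_decrypt(ct, K_EXAMPLE))        # LNSHDLEWMTRW paymoremoney
```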

Page 24

Encryption Techniques

• Secret Key

• Public Key

Page 25

Block Cipher Modes of Operation

• The Electronic Codebook Mode (ECB).

• The Cipher Block Chaining Mode (CBC).

• The Cipher Feedback Mode (CFB).

• The Output Feedback Mode (OFB).

• The Counter Mode (CTR).

Page 26

Electronic Codebook Mode (ECB)

ECB Encryption: $C_j = \mathrm{CIPH}_k(P_j)$ for $j = 1..n$

ECB Decryption: $P_j = \mathrm{CIPH}^{-1}_k(C_j)$ for $j = 1..n$

(Figure: on the encryption side each PLAINTEXT block is the INPUT BLOCK to CIPH_k and the OUTPUT BLOCK is the CIPHERTEXT block; on the decryption side each CIPHERTEXT block is the INPUT BLOCK to CIPH^-1_k and the OUTPUT BLOCK is the PLAINTEXT block.)

Page 27

Cipher Block Chaining Mode (CBC)

(Figure: CBC encryption: PLAINTEXT_1 ⊕ IV → INPUT BLOCK_1 → CIPH_k → OUTPUT BLOCK_1 = CIPHERTEXT_1; PLAINTEXT_2 ⊕ CIPHERTEXT_1 → CIPH_k → CIPHERTEXT_2; ...; PLAINTEXT_n ⊕ CIPHERTEXT_{n-1} → CIPH_k → CIPHERTEXT_n. CBC decryption: CIPHERTEXT_1 → CIPH^-1_k → OUTPUT BLOCK_1 ⊕ IV = PLAINTEXT_1; CIPHERTEXT_j → CIPH^-1_k → OUTPUT BLOCK_j ⊕ CIPHERTEXT_{j-1} = PLAINTEXT_j. Each CIPH_k box is one ECB encryption and each CIPH^-1_k box one ECB decryption.)

Page 28

Cipher Block Chaining Mode (CBC) (continued)

CBC Encryption:

$C_1 = \mathrm{CIPH}_k(P_1 \oplus IV)$

$C_j = \mathrm{CIPH}_k(P_j \oplus C_{j-1})$ for $j = 2..n$

CBC Decryption:

$P_1 = \mathrm{CIPH}^{-1}_k(C_1) \oplus IV$

$P_j = \mathrm{CIPH}^{-1}_k(C_j) \oplus C_{j-1}$ for $j = 2..n$

Initial Vector (IV):

• Need not be secret.

• It should be generated for each encryption/decryption operation.

• Must be available to each party in the communication.

• It is very difficult to generate the IV from the plaintext.

Page 29

Output Feedback Mode (OFB)

(Figure: the IV is INPUT BLOCK_1; CIPH_k gives OUTPUT BLOCK_1, which is XORed with PLAINTEXT_1 to give CIPHERTEXT_1 and also becomes INPUT BLOCK_2; in general OUTPUT BLOCK_j ⊕ PLAINTEXT_j = CIPHERTEXT_j up to block n. Decryption runs the same chain of ECB encryptions starting from the IV, with OUTPUT BLOCK_j ⊕ CIPHERTEXT_j = PLAINTEXT_j.)

Page 30

Output Feedback Mode (OFB) - Encryption

$I_1 = IV$

$I_j = O_{j-1}$ for $j = 2, \ldots, n$

$O_j = \mathrm{CIPH}_k(I_j)$ for $j = 1, 2, \ldots, n$

$C_j = P_j \oplus O_j$ for $j = 1, 2, \ldots, n-1$

$C_n = P_n \oplus \mathrm{MSB}_u(O_n)$

Page 31

Output Feedback Mode (OFB) - Decryption

$I_1 = IV$

$I_j = O_{j-1}$ for $j = 2, \ldots, n$

$O_j = \mathrm{CIPH}_k(I_j)$ for $j = 1, 2, \ldots, n$

$P_j = C_j \oplus O_j$ for $j = 1, 2, \ldots, n-1$

$P_n = C_n \oplus \mathrm{MSB}_u(O_n)$

Page 32

Cipher Feedback Mode (CFB)

(Figure: INPUT BLOCK_1 = IV → CIPH_k → OUTPUT BLOCK_1; select the leftmost s bits and discard the remaining (b − s) bits; the s bits are XORed with the s-bit PLAINTEXT_1 segment to give the s-bit CIPHERTEXT_1 segment. INPUT BLOCK_j = (b − s) bits of INPUT BLOCK_{j-1} | s bits of CIPHERTEXT_{j-1}. Decryption uses the same chain of ECB encryptions and XORs the selected s bits with each ciphertext segment to recover the plaintext segment.)

Page 33

Cipher Feedback Mode (CFB) - Encryption

$I_1 = IV$

$I_j = \mathrm{LSB}_{b-s}(I_{j-1}) \,|\, C^{\#}_{j-1}$ for $j = 2, \ldots, n$

$O_j = \mathrm{CIPH}_k(I_j)$ for $j = 1, 2, \ldots, n$

$C^{\#}_j = P^{\#}_j \oplus \mathrm{MSB}_s(O_j)$ for $j = 1, 2, \ldots, n$

Ciphertext segment $C^{\#}_j$ consists of s bits.

Plaintext segment $P^{\#}_j$ consists of s bits.

Page 34

Cipher Feedback Mode (CFB) - Decryption

$I_1 = IV$

$I_j = \mathrm{LSB}_{b-s}(I_{j-1}) \,|\, C^{\#}_{j-1}$ for $j = 2, \ldots, n$

$O_j = \mathrm{CIPH}_k(I_j)$ for $j = 1, 2, \ldots, n$

$P^{\#}_j = C^{\#}_j \oplus \mathrm{MSB}_s(O_j)$ for $j = 1, 2, \ldots, n$

Ciphertext segment $C^{\#}_j$ consists of s bits.

Plaintext segment $P^{\#}_j$ consists of s bits.

Page 35

Counter Mode (CTR)

(Figure: Counter_1, Counter_2, ..., Counter_n are the INPUT BLOCKs; CIPH_k turns each into OUTPUT BLOCK_j, which is XORed with PLAINTEXT_j to give CIPHERTEXT_j. Decryption encrypts the same counters with CIPH_k and XORs OUTPUT BLOCK_j with CIPHERTEXT_j to give PLAINTEXT_j; only ECB encryption is used in both directions.)

Page 36

Counter Mode (CTR) (continued)

CTR Encryption:

$O_j = \mathrm{CIPH}_k(T_j)$ for $j = 1..n$

$C_j = P_j \oplus O_j$ for $j = 1..n-1$

$C_n = P_n \oplus \mathrm{MSB}_u(O_n)$

CTR Decryption:

$O_j = \mathrm{CIPH}_k(T_j)$ for $j = 1..n$

$P_j = C_j \oplus O_j$ for $j = 1..n-1$

$P_n = C_n \oplus \mathrm{MSB}_u(O_n)$
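An added example (not from the slides) implementing the ECB, CBC and CTR equations above over a stand-in block cipher. The toy 8-byte Feistel permutation, the key, IV and nonce are all constructed for the example and the cipher is not secure; the point is to see how the chaining equations behave: ECB repeats ciphertext blocks for repeated plaintext blocks, CBC does not, a wrong IV at the CBC receiver garbles only the first block, and CTR needs no padding because the last block uses MSB_u(O_n).

```python
import hashlib

BLOCK = 8  # toy block size in bytes (assumption for this example)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(half: bytes, round_key: bytes) -> bytes:
    # Feistel round function: 4 bytes derived from the round key and the half block.
    return hashlib.sha256(round_key + half).digest()[:4]


def ciph(key: bytes, block: bytes) -> bytes:
    """CIPH_k: a 4-round Feistel permutation on 8-byte blocks. It stands in for a
    real block cipher (DES, AES) so the modes can run without any library; it is
    NOT a secure cipher and is here only to show how the modes chain blocks."""
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, _xor(left, _round(right, key + bytes([i])))
    return left + right


def ciph_inv(key: bytes, block: bytes) -> bytes:
    """CIPH^-1_k: undo the Feistel rounds in reverse order."""
    left, right = block[:4], block[4:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(left, key + bytes([i]))), left
    return left + right


def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # C_j = CIPH_k(P_j): identical plaintext blocks give identical ciphertext blocks.
    return b"".join(ciph(key, p) for p in _blocks(plaintext))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # C_1 = CIPH_k(P_1 xor IV); C_j = CIPH_k(P_j xor C_{j-1})
    out, prev = [], iv
    for p in _blocks(plaintext):
        prev = ciph(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # P_1 = CIPH^-1_k(C_1) xor IV; P_j = CIPH^-1_k(C_j) xor C_{j-1}
    out, prev = [], iv
    for c in _blocks(ciphertext):
        out.append(_xor(ciph_inv(key, c), prev))
        prev = c
    return b"".join(out)


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """O_j = CIPH_k(T_j); C_j = P_j xor O_j, and for a short final block only the
    leftmost u bits of O_n are used (C_n = P_n xor MSB_u(O_n)). Decryption is the
    same call. T_j = 4-byte nonce || 4-byte big-endian counter (assumed layout)."""
    out = []
    for j, chunk in enumerate(_blocks(data), start=1):
        counter_block = nonce[:4] + j.to_bytes(4, "big")
        out.append(_xor(chunk, ciph(key, counter_block)[:len(chunk)]))
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier one (ECB leaks this)."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


# Constructed sample values for the demonstration.
KEY = b"toy-key-for-demo"
IV = bytes(range(8))
NONCE = b"\x00\x01\x02\x03"

if __name__ == "__main__":
    pt = b"ATTACK!!" * 4                 # four identical 8-byte plaintext blocks
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, pt)))   # 3
    ct = cbc_encrypt(KEY, IV, pt)
    print("CBC repeated blocks:", repeated_blocks(ct))                     # 0
    print("CBC round trip:", cbc_decrypt(KEY, IV, ct) == pt)
    # A wrong IV at the receiver garbles only the first block of a CBC message.
    print("CBC blocks 2..n intact with wrong IV:",
          cbc_decrypt(KEY, bytes(8), ct)[BLOCK:] == pt[BLOCK:])
    msg = b"CTR needs no padding"        # 20 bytes: the last block is partial
    print("CTR round trip:", ctr_crypt(KEY, NONCE, ctr_crypt(KEY, NONCE, msg)) == msg)
```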

Page 37

Secret Key: Data Encryption Standard (DES)

(Figure: Plain Data → E with K (56 bits) → Cipher Data; Cipher Data → D with K (56 bits) → Plain Data.)

Page 38

2DES

(Figure: Plain Data → E with K1 (56 bits) → E with K2 (56 bits) → Cipher Data; Cipher Data → D with K2 (56 bits) → D with K1 (56 bits) → Plain Data.)

Page 39

3DES

(Figure: Plain Data → three encryption stages E keyed with K1 (56 bits), K2 (56 bits) and K1 (56 bits) → Cipher Data; Cipher Data → three decryption stages D keyed with K1, K2 and K1 → Plain Data.)

Page 40

Public Key: RSA (Rivest-Shamir-Adleman)

(Figure: Bob's Plain Data → E with KU (Alice's public key) → Cipher Data; Cipher Data → D with KP (Alice's private key) → Plain Data.)

Page 41

Authentication Techniques

• Secret Key

• Public Key

Page 42

Authentication With Secret Key

(Figure: Bob encrypts Bob's Name with K, the Alice-Bob secret key, and sends the Cipher Data; Alice decrypts it with the same K and recovers Bob's Name.)

Page 43

Authentication With Public Key

(Figure: Bob encrypts Bob's Name with KP (Bob's private key) and sends the Cipher Data; Alice decrypts it with KU (Bob's public key) and recovers Bob's Name.)

Page 44

Integrity: Hashing Algorithms

• MD5: processes 512-bit blocks; message digest of 128 bits.

• SHA-1: processes 512-bit blocks; message digest of 160 bits.

Page 45

Hash Function Requirements

$H(x) = h$, where x can be of any size and h is of fixed size.

Page 46

Hash Function Requirements (continued)

H is easy to implement in hardware or software.

Page 47

Hash Function Requirements (continued)

One-way property: given h, it is computationally infeasible to find x such that H(x) = h.

Page 48

Hash Function Requirements (continued)

Weak collision resistance: for any given x, it is computationally infeasible to find y ≠ x with H(y) = H(x).

Strong collision resistance: it is computationally infeasible to find any pair (x, y) with x ≠ y such that H(x) = H(y).

Page 49

Hash Function Requirements (continued)

A simple hash function: the message is split into m blocks of n bits each, and the hash code is the bitwise XOR of the blocks.

            bit 1   bit 2   ...   bit n
block 1     b_11    b_21    ...   b_n1
block 2     b_12    b_22    ...   b_n2
...
block m     b_1m    b_2m    ...   b_nm
hash code   C_1     C_2     ...   C_n

$C_i = b_{i1} \oplus b_{i2} \oplus \cdots \oplus b_{im}$

Page 50

Problem with the simple hash function

It doesn't provide collision resistance.
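An added example (not from the slides) that computes the XOR hash of the previous page and shows why it is not collision resistant: because XOR is commutative and X ⊕ X = 0, reordering the blocks or appending any block twice gives a different message with the same hash code. The block size and the sample message are constructed for the example.

```python
import hashlib

BLOCK = 4  # bytes per block, i.e. n = 32 bits per row of the slide's table (chosen here)


def pad(message: bytes, block_size: int = BLOCK) -> bytes:
    """Zero-fill the last block so every block has exactly n bits."""
    rem = len(message) % block_size
    return message if rem == 0 else message + b"\x00" * (block_size - rem)


def xor_hash(message: bytes, block_size: int = BLOCK) -> bytes:
    """C_i = b_i1 xor b_i2 xor ... xor b_im, computed for all n bits at once."""
    data = pad(message, block_size)
    code = bytearray(block_size)
    for j in range(0, len(data), block_size):         # one row (block) at a time
        for i in range(block_size):
            code[i] ^= data[j + i]
    return bytes(code)


def swap_blocks(message: bytes, a: int, b: int, block_size: int = BLOCK) -> bytes:
    """A different message with the same XOR hash: XOR is commutative, so any
    reordering of the blocks collides with the original."""
    data = pad(message, block_size)
    blocks = [data[k:k + block_size] for k in range(0, len(data), block_size)]
    blocks[a], blocks[b] = blocks[b], blocks[a]
    return b"".join(blocks)


def append_twice(message: bytes, extra: bytes, block_size: int = BLOCK) -> bytes:
    """Another collision: X xor X = 0, so appending any block twice leaves C unchanged."""
    return pad(message, block_size) + pad(extra, block_size) * 2


def strong_hash(message: bytes) -> bytes:
    """A real cryptographic hash for comparison: the same reordering changes it."""
    return hashlib.sha256(message).digest()


if __name__ == "__main__":
    m = b"pay 0100 to alice!"                  # constructed sample message
    m2 = swap_blocks(m, 0, 1)
    print(m2, xor_hash(m2) == xor_hash(m))     # b'0100pay  to alice!\x00\x00' True
    print(strong_hash(m2) == strong_hash(m))   # False
```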

Page 51

General Structure of a Secure Hash Function

(Figure: IV = CV_0 (n bits) and the first b-bit input block Y_0 enter the compression function F, which outputs CV_1 (n bits); CV_1 and Y_1 enter F to give CV_2; ...; CV_{L-1} and Y_{L-1} enter F to give the final n-bit hash code.)

IV = Initial Value

CV = Chaining Value

Y_i = i-th input block

F = Compression Function

L = Number of input blocks

n = Length of the hash code

b = Length of an input block

Page 52

Hash Function Summary

$CV_0 = IV$ (Initial Value)

$CV_i = F(CV_{i-1}, Y_{i-1})$, $1 \le i \le L$

$H(M) = CV_L$

If the compression function F is collision resistant, then the iterated hash function built from it is also collision resistant.

Page 53

Authentication

• MAC

• Hash

Page 54

MAC Authentication

Page 55

Message Authentication Code (MAC)

A MAC is an authentication technique that uses a shared secret key to generate a small, fixed-size block of data known as a cryptographic checksum:

$\mathrm{MAC} = C_K(M)$

Page 56

Message Authentication Code Based on DES

(Figure: the message is split into 64-bit blocks D_1, ..., D_n. O_1 = DES_K(D_1); O_2 = DES_K(D_2 ⊕ O_1); ...; O_n = DES_K(D_n ⊕ O_{n-1}). Each O_j is 64 bits.)

DAC (Data Authentication Code) = the leftmost 16 to 64 bits of O_n.

Page 57

Message Authentication

(Figure: the source computes C_K(M) with the shared key K and appends it to the message; the destination recomputes C_K(M) over the received message and compares it with the received value, accepting (Y) or rejecting (N).)

Page 58

Message Authentication and Confidentiality; Authentication Tied to Plaintext

(Figure: the source appends C_{K1}(M) to M and encrypts the result with K2 (E_{K2}); the destination decrypts with K2, recomputes C_{K1}(M) and compares, accepting (Y) or rejecting (N).)

Page 59

Message Authentication and Confidentiality; Authentication Tied to Plaintext

(Figure: as on the previous page, with the same blocks: C_K keyed by K1, encryption E and decryption D keyed by K2, and the Y/N comparison at the destination.)

Page 60

Message Authentication and Confidentiality; Authentication Tied to Ciphertext

(Figure: the source encrypts M with K2 (E_{K2}) and computes C_{K1} over the ciphertext, sending both; the destination recomputes C_{K1} over the received ciphertext, compares (Y/N), and decrypts with K2.)

Page 61

HASH Authentication

Page 62

Message Authentication Using a Secret Key

(Figure: the source computes H(M) and encrypts it with the secret key K (E_K(H(M))), sending it with M; the destination decrypts with K, recomputes H(M) and compares, accepting (Y) or rejecting (N).)

Page 63

Message Authentication and Confidentiality Using a Secret Key

(Figure: the source appends H(M) to M and encrypts the whole with K (E_K(M || H(M))); the destination decrypts with K, recomputes H(M) and compares (Y/N).)

Page 64

Message Authentication and Digital Signature Using Public/Private Keys

(Figure: the source computes H(M) and encrypts it with its private key Kra (E_{Kra}(H(M))); the destination decrypts the signature with the public key Kua, recomputes H(M) and compares (Y/N).)

Page 65

Message Authentication, Confidentiality and Digital Signature Using Both Public/Private Keys and a Secret Key

(Figure: the source signs H(M) with its private key Kra and encrypts M together with the signature using the secret key K; the destination decrypts with K, verifies the signature with the public key Kua, recomputes H(M) and compares (Y/N).)

Page 66

Message Authentication, Confidentiality and Digital Signature Using Public/Private Keys

(Figure: the source signs H(M) with its private key Kra and encrypts M together with the signature using the destination's public key Kub; the destination decrypts with its private key Krb, verifies the signature with Kua, recomputes H(M) and compares (Y/N).)

Page 67

Message Authentication Using a Secret Key (e.g. Mobile IP)

(Figure: the hash H is computed over the message concatenated (||) with the secret key K; the value is sent with the message, and the destination recomputes the hash over the received message and K and compares (Y/N).)

Page 68

Message Authentication and Confidentiality Using a Secret Key

(Figure: as on the previous page, the hash is computed over the message concatenated (||) with K; the message and hash are then encrypted with K (E_K); the destination decrypts with K, recomputes the hash and compares (Y/N).)

Page 69

IKEv2 (RFC 4306)

Page 70

Diffie-Hellman Algorithm

Node A:

1. Private key A

2. Public key g^A

3. Secret key = g^AB

Node B:

1. Private key B

2. Public key g^B

3. Secret key = g^BA

Secret key = g^AB = g^BA

Diffie-Hellman group g

Page 71

IKEv2 - IKE_SA - Phase 1

• IKE_SA_INIT

• IKE_AUTH

Page 72

IKEv2 - IKE_SA_INIT (Phase 1)

(1) HDR, SAi1, KEi, Ni

(2) HDR, SAr1, KEr, Nr, [CERTREQ]

Negotiate:

• Cryptographic algorithms

• Exchange nonces

• Diffie-Hellman exchange

Page 73

IKEv2 - IKE_AUTH (Phase 1)

(3) HDR, SK(IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr)

(4) HDR, SK(IDr, [CERT,] AUTH, SAr2, TSi, TSr)

Page 74

IKEv2 - CREATE_CHILD_SA (Phase 2)

(5) HDR, SK([N], SA, Ni, [KEi], [TSi, TSr])

(6) HDR, SK(SA, Nr, [KEr], [TSi, TSr])

Page 75

IKE_SA - Generating Keying Material

Four cryptographic algorithm parameters are negotiated:

1. An encryption algorithm: the algorithm used for encryption, such as DES, 3DES, etc.

2. Integrity protection algorithm: hashing functions such as MD5, SHA-1, etc.

3. Pseudo-random function (prf(K,S)): a keyed pseudo-random function, often a keyed hash function, used to generate a deterministic output that appears pseudo-random. prfs are used both for key derivation and for authentication (i.e. as a keyed MAC).

4. Diffie-Hellman group: g^xy is the Diffie-Hellman shared secret, g is the Diffie-Hellman group, and g^xi and g^yr are the public keys of the initiator and responder.

Page 76

IKE_SA - Generating Keying Material (continued)

prf+ (K,S) = T1 | T2 | T3 | T4 | ...

where:

T1 = prf (K, S | 0x01)

T2 = prf (K, T1 | S | 0x02)

T3 = prf (K, T2 | S | 0x03)

T4 = prf (K, T3 | S | 0x04)

Page 77

IKE_SA - Generating Keying Material (continued)

SKEYSEED = prf(Ni | Nr, g^ir)

{SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } =

prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr )

1. SK_d: used for deriving new keys for the CHILD_SAs established with this IKE_SA.

2. SK_ai and SK_ar: used as keys to the integrity protection algorithm for authenticating the component messages of subsequent exchanges.

3. SK_ei and SK_er: used for encrypting (and of course decrypting) all subsequent exchanges.

4. SK_pi and SK_pr: used when generating an AUTH payload.
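An added example (not from the slides) that runs the key derivation of the last three pages end to end: a Diffie-Hellman exchange as on page 70 (g^AB = g^BA), then SKEYSEED = prf(Ni | Nr, g^ir) and prf+ to split out SK_d ... SK_pr. It assumes HMAC-SHA-1 as the negotiated prf, a uniform key length for all seven keys, and a small toy group (prime 2^61 - 1, generator 2) that is not one of the IKE groups; the nonces, SPIs and private values are constructed.

```python
import hashlib
import hmac

# Toy Diffie-Hellman group for the demonstration (assumption): NOT an IKE group.
P = 2305843009213693951          # 2^61 - 1, prime
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """prf(K, S); HMAC-SHA-1 is assumed here as the negotiated prf."""
    return hmac.new(key, data, hashlib.sha1).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+(K,S) = T1 | T2 | T3 | ... with T1 = prf(K, S | 0x01) and
    Tn = prf(K, T(n-1) | S | n); truncated to the number of bytes needed."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([n]))
        out += prev
        n += 1
    return out[:length]


def dh_public(private: int) -> int:
    return pow(G, private, P)                       # g^x mod p


def dh_shared(private: int, peer_public: int) -> bytes:
    """g^ir as fixed-length big-endian bytes (the length of the group prime)."""
    secret = pow(peer_public, private, P)           # (g^y)^x = g^xy
    return secret.to_bytes((P.bit_length() + 7) // 8, "big")


SK_NAMES = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"]


def derive_ike_sa_keys(g_ir: bytes, ni: bytes, nr: bytes,
                       spi_i: bytes, spi_r: bytes, key_len: int = 20):
    """SKEYSEED = prf(Ni | Nr, g^ir) and
    {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr).
    A uniform key_len is assumed; real IKE takes each key's size from its algorithm."""
    skeyseed = prf(ni + nr, g_ir)
    material = prf_plus(skeyseed, ni + nr + spi_i + spi_r, key_len * len(SK_NAMES))
    keys = {name: material[k * key_len:(k + 1) * key_len] for k, name in enumerate(SK_NAMES)}
    return skeyseed, keys


if __name__ == "__main__":
    # Constructed private values, nonces and SPIs for the demonstration.
    x_i, x_r = 123456789, 987654321
    pub_i, pub_r = dh_public(x_i), dh_public(x_r)
    print("g^AB == g^BA:", dh_shared(x_i, pub_r) == dh_shared(x_r, pub_i))
    ni, nr = b"N" * 16, b"M" * 16
    spi_i, spi_r = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")
    skeyseed, keys = derive_ike_sa_keys(dh_shared(x_i, pub_r), ni, nr, spi_i, spi_r)
    print("SKEYSEED", skeyseed.hex())
    for name, k in keys.items():
        print(name, k.hex())
```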

Page 78

IKE Header Format

Fields, in order:

• IKE_SA Initiator's SPI

• IKE_SA Responder's SPI

• Next Payload, MjVer (major version), MnVer (minor version), Exchange Type, Flags

• Message ID

• Length

Page 79

Traffic Selector Payload

The Traffic Selector payload allows peers to identify packet flows for processing by IPsec security services.

IP Protocol ID: UDP/TCP/ICMP etc.

Start Port: the smallest port number.

End Port: the largest port number.

Starting Address: the smallest address (IPv4 or IPv6).

Ending Address: the largest address (IPv4 or IPv6).

• TSi = (0, 0-65535, 192.0.2.202-192.0.2.202)

• TSr = (0, 0-65535, 192.0.2.0-192.0.2.255)

Page 80

Authentication of IKE_SA

Digital Signature:

AUTHr = <msg octets>, Ni, prf(SK_pr, IDr_p)

DSr = RSA_PrKr(SHA-1(AUTHr))

AUTHi = <msg octets>, Nr, prf(SK_pi, IDi_p)

DSi = RSA_PrKi(SHA-1(AUTHi))

PrK = Private Key. DS = Digital Signature.

Secret Key:

AUTH = prf(prf(SrK, "Key Pad for IKEv2"), <msg octets>)

SrK = Shared Secret Key

Page 81

IKEv2 - Authentication with EAP

(1) HDR, SAi1, KEi, Ni

(2) HDR, SAr1, KEr, Nr, [CERTREQ]

(3) HDR, SK [IDi, [CERTREQ,] [IDr,] SAi2, TSi, TSr]

(4) HDR, SK [IDr, [CERT,] AUTH, EAP]

(5) HDR, SK (EAP)

(6) HDR, SK (EAP (success))

(7) HDR, SK (AUTH)

(8) HDR, SK (AUTH, SAr2, TSi, TSr)

• The initiator declares its desire for EAP authentication by leaving out the AUTH payload in message 3. The initiator declares its identity but does not prove it.

• The responder includes an EAP payload in message 4 and defers sending SAr2, TSi, TSr. Its AUTH payload is generated using its public key.

• For EAP methods that create a shared secret key (MSK) as a side effect, this key is used in generating the AUTH payloads of messages 7 and 8.

Page 82

IKEv2 - Rekeying Using CREATE_CHILD_SA

(1) HDR, SK ([N], SA, Ni, [KEi])

(2) HDR, SK (SA, Nr, [KEr])

SKEYSEED = prf(SK_d (old), Ni | Nr | g^ir)

{SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)

Renewing a Security Association when it is about to expire: include an N payload with REKEY_SA.

Unlike IKEv1, IKEv2 provides the optional feature of rekeying SAs without restarting the entire IKE_SA.

Page 83

IKEv2 - Creating a New CHILD_SA with CREATE_CHILD_SA

(1) HDR, SK (SA, Ni, [KEi], [TSi, TSr])

(2) HDR, SK (SA, Nr, [KEr], [TSi, TSr])

SKEYSEED = prf(SK_d (old), Ni | Nr | g^ir)

{SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)

The first CHILD_SA is created by the IKE_AUTH exchange, and additional CHILD_SAs can optionally be created with CREATE_CHILD_SA. Unlike IKEv1, IKEv2 provides the optional feature of creating CHILD_SAs without restarting the entire IKE_SA.

Page 84

IKEv2 - Requesting an Internal Address on a Remote Network

IKE_AUTH exchange:

(3) HDR, SK (IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, CP[CFG_REQUEST], SAi2, TSi, TSr)

(4) HDR, SK (IDr, [CERT,] AUTH, CP[CFG_REPLY], SAr2, TSi, TSr)

CP[CFG_REQUEST] = INTERNAL_IPV4_ADDRESS(0.0.0.0), INTERNAL_IPV4_NETMASK(0.0.0.0)

CP[CFG_REPLY] = INTERNAL_IPV4_ADDRESS(192.0.2.202), INTERNAL_IPV4_NETMASK(255.255.255.0)

Page 85

IPSec

Page 86

IP Security Architecture

(Figure: the components of the IP security architecture: Architecture; ESP Protocol and AH Protocol; Encryption Algorithm and Authentication Algorithm; DOI (Domain of Interpretation); Key Management.)

Page 87

IP Security Services

Service                        AH    ESP (Encryption Only)    ESP (Encryption + Authentication)

Connectionless Integrity       x                              x

Data Origin Authentication     x                              x

Replay Protection              x     x                        x

Confidentiality                      x                        x

Page 88

IPSec Security Protocols

• The IP Authentication Header (AH) offers integrity and data origin authentication, with optional anti-replay protection at the receiver.

• The Encapsulating Security Payload (ESP) protocol offers the same set of services as AH, and also offers confidentiality.

Page 89

Where IPsec Can Be Implemented

• IPsec as part of the IP stack: IPsec may be integrated into the native IP stack. This requires access to the IP source code and is applicable to both hosts and security gateways.

• In a "bump-in-the-stack" (BITS) implementation: IPsec is implemented "underneath" an existing implementation of an IP protocol stack, between the native IP and the local network drivers. Source code access for the IP stack is not required in this context.

• In a "bump-in-the-wire" (BITW) implementation: the use of a dedicated, inline security protocol.

Page 90

Security Association

A Security Association (SA) is a simplex "connection" that provides security services to the traffic carried by it.

Page 91

Security Association (continued)

Security services are provided by the use of AH or ESP, but not both.

(Figure: an SA using ESP; an SA using AH.)

If both AH and ESP protection is applied to a traffic stream, then two (or more) SAs are created to provide protection to the traffic stream.

Page 92

Security Association (continued)

(Figure: SA1 in one direction and SA2 in the other between two nodes.)

To secure bi-directional communication between two nodes, two Security Associations (one in each direction) are required.

Page 93

IPSec Transport Mode

Transport mode here refers to applying more than one security protocol to the same IP datagram, without invoking tunneling. This approach to combining AH and ESP allows for only one level of combination; further nesting yields no added benefit (assuming use of adequately strong algorithms in each protocol), since the processing is performed at one IPsec instance at the (ultimate) destination.

(Figure: two hosts across the Internet, with Security Association 1 (ESP transport) and Security Association 2 (AH transport) between them.)

Page 94

IPv4 - Transport Mode

Before AH: [IPv4 Hdr | TCP | Data]

After AH:  [IPv4 Hdr | AH | TCP | Data]

Authenticated: the whole datagram except for mutable fields.

Page 95

IPv6 - Transport Mode

Before AH: [IPv6 Hdr | EH | TCP | Data]

After AH:  [IPv6 Hdr | HbyH, DH, RH, FH | AH | DH | TCP | Data]

Authenticated: the whole datagram except for mutable fields.

EH = Extension Headers. HbyH: Hop-by-Hop extension header. DH: Destination header. RH: Routing header. FH: Fragmentation header.

Page 96

IPSec Tunnel Mode

Tunneling is the process of encapsulating one protocol inside another one.

Page 97

IPSec Tunnel Mode - Case 1

Both endpoints of the SAs are the same. The inner and outer tunnels could each be either AH or ESP, though it is unlikely that Host 1 would specify both to be the same, i.e. AH inside of AH or ESP inside of ESP.

(Figure: Host - Security Gwy1 - Internet - Security Gwy2 - Host, with Security Association 1 (tunnel) and Security Association 2 (tunnel) between the same two endpoints.)

Page 98

IPSec Tunnel Mode - Case 2

One endpoint of the SAs is the same. The inner and outer tunnels could each be either AH or ESP.

(Figure: Host - Security Gwy1 - Internet - Security Gwy2 - Host, with Security Association 1 (tunnel) and Security Association 2 (tunnel) sharing one endpoint.)

Page 99

IPSec Tunnel Mode - Case 3

Neither endpoint is the same. The inner and outer tunnels could each be either AH or ESP.

(Figure: Host - Security Gwy1 - Internet - Security Gwy2 - Host, with Security Association 1 (tunnel) and Security Association 2 (tunnel) between different pairs of endpoints.)

Page 100

IPv4 - Tunnel Mode

Before AH: [IPv4 Hdr | TCP | Data]

After AH:  [New IPv4 Hdr | AH | IPv4 Hdr | TCP | Data]

Authenticated: everything except for mutable fields in the new IP header.

Page 101

IPv6 - Tunnel Mode

Before AH: [IPv6 Hdr | EH | TCP | Data]

After AH:  [New IPv6 Hdr | EH | AH | IPv6 Hdr | EH | TCP | Data]

Authenticated: everything except for mutable fields in the new IP header and its extension headers.

Page 102

IPsec Databases

• The Security Policy Database (SPD): an SA is a management construct used to enforce security policy for traffic:

Page 103

SPD Processing Choices

• DISCARD: the first choice refers to traffic that is not allowed to traverse the IPsec boundary.

• BYPASS: the second choice refers to traffic that is allowed to cross the IPsec boundary without IPsec protection.

• PROTECT: traffic that is afforded IPsec protection; for such traffic the SPD must specify the security protocols to be employed, their mode, security service options, and the cryptographic algorithms to be used.

(Figure: the SPD is consulted for both outbound and inbound traffic.)

Page 104

SPD Policy Entries

• SPD-I: For inbound traffic that is to be bypassed or discarded, the entry consists of the values of the selectors that apply to the traffic to be bypassed or discarded.

• SPD-O: For outbound traffic that is to be bypassed or discarded, the entry consists of the values of the selectors that apply to the traffic to be bypassed or discarded.

• SPD-S: For traffic that is to be protected using IPsec, the entry consists of the values of the selectors that apply to the traffic to be protected via AH or ESP, controls on how to create SAs based on these selectors, and the parameters needed to effect this protection (e.g., algorithms, modes, etc.).

Page 105

SPD Selector

• Remote IP Address(es) (IPv4 or IPv6): this is a list of ranges of IP addresses (unicast, anycast, broadcast (IPv4 only), or multicast group).

• Local IP Address(es) (IPv4 or IPv6): this is a list of ranges of IP addresses (unicast, anycast, broadcast (IPv4 only), or multicast group).

• Next Layer Protocol: Obtained from the IPv4 "Protocol" or the IPv6 "Next Header" fields.

• Port numbers: If the Next Layer Protocol uses two ports (e.g., TCP, UDP, SCTP, ...), then there are selectors for Local and Remote Ports.

• Mobility Header Message Type (MH type): If the Next Layer Protocol is a Mobility Header, then there is a selector for IPv6 Mobility Header Message Type (MH type).
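An added example (not from the slides) that models an SPD with the selectors and processing choices of the preceding pages: an ordered list of entries, each carrying remote/local address ranges, next-layer protocol and port ranges, and a DISCARD, BYPASS or PROTECT action. It looks up sample outbound and inbound packets and renders the TSi/TSr a PROTECT entry would produce, in the notation of the Traffic Selector page. The policy, addresses and packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

DISCARD, BYPASS, PROTECT = "DISCARD", "BYPASS", "PROTECT"
ANY_PROTO = 0            # the slide's traffic selectors write 0 for "any protocol"
ANY_PORTS = (0, 65535)


def addr_range(first: str, last: str) -> tuple:
    return (ipaddress.ip_address(first), ipaddress.ip_address(last))


@dataclass(frozen=True)
class Selector:
    remote_addrs: tuple   # (smallest, largest) remote IP address
    local_addrs: tuple    # (smallest, largest) local IP address
    protocol: int         # next-layer protocol number, ANY_PROTO = any
    local_ports: tuple    # (start, end)
    remote_ports: tuple   # (start, end)


@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    action: str
    sa_params: Optional[dict] = None   # PROTECT only: protocol, mode, algorithms


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    sport: int
    dport: int


def _within(value, rng) -> bool:
    return rng[0] <= value <= rng[1]


def selector_matches(sel: Selector, pkt: Packet, outbound: bool) -> bool:
    """Outbound: local = source, remote = destination; inbound: the reverse."""
    local_addr, remote_addr = (pkt.src, pkt.dst) if outbound else (pkt.dst, pkt.src)
    local_port, remote_port = (pkt.sport, pkt.dport) if outbound else (pkt.dport, pkt.sport)
    return (_within(ipaddress.ip_address(local_addr), sel.local_addrs)
            and _within(ipaddress.ip_address(remote_addr), sel.remote_addrs)
            and sel.protocol in (ANY_PROTO, pkt.protocol)
            and _within(local_port, sel.local_ports)
            and _within(remote_port, sel.remote_ports))


def spd_lookup(spd: list, pkt: Packet, outbound: bool = True):
    """First matching entry wins (the SPD is ordered). Traffic that matches no
    entry is not allowed across the IPsec boundary, so the default is DISCARD."""
    for entry in spd:
        if selector_matches(entry.selector, pkt, outbound):
            return entry.action, entry
    return DISCARD, None


def traffic_selector(protocol: int, ports: tuple, addrs: tuple) -> str:
    """Render a TS the way the slide writes it: (protocol, start-end port, start-end address)."""
    return f"({protocol}, {ports[0]}-{ports[1]}, {addrs[0]}-{addrs[1]})"


def child_sa_selectors(entry: SPDEntry) -> Tuple[str, str]:
    """TSi/TSr the local side would propose in IKE_AUTH for a PROTECT entry."""
    s = entry.selector
    return (traffic_selector(s.protocol, s.local_ports, s.local_addrs),
            traffic_selector(s.protocol, s.remote_ports, s.remote_addrs))


HOST = addr_range("192.0.2.202", "192.0.2.202")     # this host's own address
# Constructed policy, in order: IKE itself (UDP/500) bypasses; traffic to the
# host's own subnet is protected with ESP; ICMP to a management network bypasses;
# anything else falls through to DISCARD.
SPD = [
    SPDEntry(Selector(addr_range("0.0.0.0", "255.255.255.255"), HOST, 17, (500, 500), (500, 500)), BYPASS),
    SPDEntry(Selector(addr_range("192.0.2.0", "192.0.2.255"), HOST, ANY_PROTO, ANY_PORTS, ANY_PORTS),
             PROTECT, {"protocol": "ESP", "mode": "tunnel", "encryption": "3DES", "integrity": "SHA-1"}),
    SPDEntry(Selector(addr_range("198.51.100.0", "198.51.100.255"), HOST, 1, ANY_PORTS, ANY_PORTS), BYPASS),
]

if __name__ == "__main__":
    samples = [
        Packet("192.0.2.202", "192.0.2.1", 17, 500, 500),      # IKE to the gateway
        Packet("192.0.2.202", "192.0.2.10", 6, 40000, 443),    # HTTPS inside the subnet
        Packet("192.0.2.202", "198.51.100.7", 1, 0, 0),        # ping to the management net
        Packet("192.0.2.202", "203.0.113.5", 6, 40001, 80),    # HTTP to an unknown network
    ]
    for pkt in samples:
        action, entry = spd_lookup(SPD, pkt)
        print(pkt.dst, action, entry.sa_params if entry else None)
    print(child_sa_selectors(SPD[1]))
```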

Page 106

Outbound IP Traffic Processing (Cache Hit)

(Flow: SPD selection → SPD cache lookup → if protected: process (AH/ESP), then forwarding; if bypass: forwarding; if discard: drop the packet.)

Page 107

Outbound IP Traffic Processing (Cache Miss)

(Flow: check SPD-O and SPD-S. If protected: create an inbound cache entry (CE) and an outbound CE, invoke IKE, create the SA, process (AH/ESP) and forward. If bypass: create an outbound CE and forward. If discard: drop the packet.)

Page 108

Inbound IP Traffic Processing

(Flow: is the packet IPsec protected? Yes: process (AH/ESP), then verify the packet's selectors against the SAD selectors; on a match forward the packet, otherwise discard it. No: check SPD-I; bypass → forward, discard → drop the packet.)

Page 109

Appendix

Page 110

MD5

Page 111

(Figure: MD5 processing of a message. The K-bit message is followed by 1 to 512 bits of padding and a 64-bit length field, giving L × 512 bits, i.e. the 512-bit blocks Y_0, Y_1, ..., Y_q, ..., Y_{L-1}. The 128-bit IV and Y_0 enter the MD5 compression function to give the 128-bit CV_1; CV_q and Y_q give CV_{q+1}; the output after Y_{L-1} is the 128-bit digest.)

Page 112

Step 1: Appending padding bits (padding: 1 to 512 bits)

The message is padded so that its length in bits is 64 bits less than an integer multiple of 512 bits. Padding is always added, even when the message already has the required length, which is why a 448-bit message gets 512 bits of padding.

Example: M = 448 bits, pad = 512 bits.

Page 113

Step 2: Adding the length

A 64-bit representation of the length in bits of the original message is appended to the result of step 1 (least significant byte first). If the length is greater than 2^64, only the low-order 64 bits of the length are used.

Length = K mod 2^64

Page 114

Step 3: Initialize the MD buffer

A 128-bit buffer is used to hold intermediate and final results of the hash function. The buffer is represented as four 32-bit registers (A, B, C, D). The initial values (the IV) are stored little-endian, i.e. the least significant byte is in the lowest address:

A = 01 23 45 67

B = 89 AB CD EF

C = FE DC BA 98

D = 76 54 32 10

Page 115

Step 4: Process the message in 512-bit blocks

(Figure: CV_q and Y_q enter four rounds of 16 steps each, each round updating A, B, C, D: round 1 uses F and T[1..16]; round 2 uses G and T[17..32]; round 3 uses H and T[33..48]; round 4 uses I and T[49..64]. The four output words are added (mod 2^32) to the four words of CV_q to give CV_{q+1}.)

Page 116

Round 1 (F, T[1..16], 16 steps on A, B, C, D)

Circular left shift amount s for each step:

Step:  0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15

s:     7  12  17  22   7  12  17  22   7  12  17  22   7  12  17  22

Page 117

MD5 Compression Function

One step: $a \leftarrow b + ((a + g(b, c, d) + X[k] + T[i]) \lll s)$

(Figure: A, B, C, D enter; g(b, c, d), X[k] and T[i] are added to a, the sum is circularly left-shifted (cls) by s bits and added to b; the registers are then rotated so that this result becomes the new B while the old B, C, D become the new C, D, A.)

Page 118: Fundamentals of Security

Figure: each 512-bit block is divided into 16 words of 32 bits each, X[0] to X[15].

Page 119: Fundamentals of Security

Primitive functions used in each round (AND, OR, XOR and NOT applied bitwise):

Round | Primitive function g | g(b, c, d)
1     | F(b, c, d)           | (b AND c) OR (NOT b AND d)
2     | G(b, c, d)           | (b AND d) OR (c AND NOT d)
3     | H(b, c, d)           | b XOR c XOR d
4     | I(b, c, d)           | c XOR (b OR NOT d)

Page 120: Fundamentals of Security

Index k of the message word X[k] used in step i (i = 0..15) of each round:

Round 1: k = i
Round 2: k = (1 + 5i) mod 16
Round 3: k = (5 + 3i) mod 16
Round 4: k = 7i mod 16

Page 121: Fundamentals of Security

Additive constants (sine table), for i = 1..64 with i in radians:

T[i] = integer part of 2^32 x abs(sin(i))
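Steps 1 to 4 and the three tables above, assembled into a working MD5 as an added example (this is not code from the slides): the digest is checked against Python's hashlib. The shift amounts for rounds 2 to 4 are the RFC 1321 values, which the slides only tabulate for round 1.

```python
"""MD5 built directly from steps 1-4 and the tables above (padding, length,
IV, four rounds, X[k] indices, T[i] sine table). Added example, not from the
slides; verified against hashlib.md5. The shift amounts for rounds 2-4 are
the RFC 1321 values; the slides only tabulate round 1."""
import hashlib
import math
import struct

MASK = 0xFFFFFFFF
# T[i] = integer part of 2^32 * |sin(i)|, i = 1..64 (stored at index i-1)
T = [int((1 << 32) * abs(math.sin(i))) for i in range(1, 65)]
# left-rotation amount s for each of the 64 steps (round 1 as on the slide)
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)  # A, B, C, D (bytes 01 23 45 67 ...)

def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK

# primitive functions F, G, H, I for rounds 1..4
def F(b, c, d): return (b & c) | (~b & d)
def G(b, c, d): return (b & d) | (c & ~d)
def H(b, c, d): return b ^ c ^ d
def I(b, c, d): return c ^ (b | ~d)
ROUND_FN = (F, G, H, I)

def word_index(rnd, i):
    """Index k of X[k] for step i of round rnd (0-based), as tabulated above."""
    return (i, (1 + 5 * i) % 16, (5 + 3 * i) % 16, (7 * i) % 16)[rnd]

def pad(msg):
    """Steps 1 and 2: a 1 bit, 0 bits up to 448 mod 512, then the 64-bit
    length K mod 2^64, least significant byte first."""
    k = len(msg) * 8
    msg += b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    return msg + struct.pack("<Q", k % (1 << 64))

def compress(cv, block):
    """Step 4 for one 512-bit block: 4 rounds x 16 steps, then add to CVq."""
    X = struct.unpack("<16I", block)        # 16 little-endian 32-bit words
    a, b, c, d = cv
    for step in range(64):
        rnd, i = divmod(step, 16)
        g = ROUND_FN[rnd](b, c, d) & MASK
        t = (a + g + X[word_index(rnd, i)] + T[step]) & MASK
        # a <- b + ((a + g(b,c,d) + X[k] + T[i]) <<< s), then rotate registers
        a, b, c, d = d, (b + rotl(t, S[step])) & MASK, b, c
    return tuple((x + y) & MASK for x, y in zip(cv, (a, b, c, d)))

def md5(msg):
    cv = IV
    data = pad(msg)
    for off in range(0, len(data), 64):
        cv = compress(cv, data[off:off + 64])
    return struct.pack("<4I", *cv).hex()   # digest is the final CV, little-endian

if __name__ == "__main__":
    for m in (b"", b"abc", b"a" * 56, b"1234567890" * 8):
        assert md5(m) == hashlib.md5(m).hexdigest()
    print("md5 matches hashlib for all test messages")
```

Note that `pad(b"a" * 56)` (a 448-bit message) returns 128 bytes: the full 512 bits of padding from the slide's example are added before the length field.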

Page 122: Fundamentals of Security


SHA-1

Page 123: Fundamentals of Security

Figure: overall SHA-1 processing of a K-bit message. Padding (1 to 512 bits) and a 64-bit length field are appended to give L x 512 bits, i.e. the 512-bit blocks Y0, Y1, ..., Yq, ..., YL-1. Starting from the 160-bit IV, each block is fed to the SHA-1 compression function together with the previous 160-bit chaining value (CV1, ..., CVq, ..., CVL-1); the final chaining value is the 160-bit digest.

Page 124: Fundamentals of Security

Step 1: Appending padding bits (padding: 1 to 512 bits)

The K-bit message is padded so that its length is 64 bits less than an integer multiple of 512 bits (i.e. congruent to 448 mod 512). Padding is always added, even if the message already has the required length, so it is between 1 and 512 bits long: a single 1 bit followed by the required number of 0 bits.

Example: M = 448 bits, pad = 512 bits.

Page 125: Fundamentals of Security

Step 2: Appending the length

A 64-bit representation of the length in bits of the original message is appended to the result of step 1 (most significant byte first, following SHA-1's big-endian convention). If the length is greater than 2^64, only the low-order 64 bits of the length are used:

Length = K mod 2^64

The result is L x 512 bits, i.e. an integer number of 512-bit blocks.

Page 126: Fundamentals of Security

Step 3: Initialize the MD buffer

A 160-bit buffer is used to hold intermediate and final results of the hash function. The buffer is represented as five 32-bit registers (A, B, C, D, E). The initial values (IV) are stored in big-endian format, i.e. the least significant byte is at the highest address:

A = 67 45 23 01
B = EF CD AB 89
C = 98 BA DC FE
D = 10 32 54 76
E = C3 D2 E1 F0

Page 127: Fundamentals of Security

Step 4: Process the message in 512-bit blocks

Each block Yq is processed together with CVq by the SHA-1 compression function, which consists of 80 steps grouped into four rounds of 20 steps. Each round uses its own function f_t and constant K_t together with the expanded message words W_t:

Round 1: steps t = 0..19, function F1, words W[0..19]
Round 2: steps t = 20..39, function F2, words W[20..39]
Round 3: steps t = 40..59, function F3, words W[40..59]
Round 4: steps t = 60..79, function F4, words W[60..79]

Each step updates the five registers (A, B, C, D, E). After the 80 steps, the five output words are added (modulo 2^32) to the corresponding words of CVq to give CVq+1.

Page 128: Fundamentals of Security

SHA-1 compression function (one step)

Figure: one step takes the registers (A, B, C, D, E), the message word W_t and the constant K_t. The new value of A is S^5(A) + f(B, C, D) + E + W_t + K_t, with addition modulo 2^32 and S^k denoting a circular left shift by k bits; the remaining registers shift down: B takes the old A, C takes S^30(B), D takes the old C, and E takes the old D.

Page 129: Fundamentals of Security

Function f used in each round (AND, OR, XOR and NOT applied bitwise):

Step          | Function name       | Function value
0 <= t <= 19  | F1 = f(t, b, c, d)  | (b AND c) OR (NOT b AND d)
20 <= t <= 39 | F2 = f(t, b, c, d)  | b XOR c XOR d
40 <= t <= 59 | F3 = f(t, b, c, d)  | (b AND c) OR (b AND d) OR (c AND d)
60 <= t <= 79 | F4 = f(t, b, c, d)  | b XOR c XOR d

Page 130: Fundamentals of Security

Additive constant K_t used in each round:

Step          | Hexadecimal      | Take integer part of
0 <= t <= 19  | Kt = 0x5A827999  | 2^30 x sqrt(2)
20 <= t <= 39 | Kt = 0x6ED9EBA1  | 2^30 x sqrt(3)
40 <= t <= 59 | Kt = 0x8F1BBCDC  | 2^30 x sqrt(5)
60 <= t <= 79 | Kt = 0xCA62C1D6  | 2^30 x sqrt(10)
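The SHA-1 steps above assembled into working code, as an added example (not code from the slides), checked against hashlib and including a check that the four K_t values really are the integer parts of 2^30 times the square roots. The expansion of the 16 message words into W[16..79] follows FIPS 180, which the slides do not show.

```python
"""SHA-1 built from the steps above: big-endian padding and length, the
160-bit IV, and the 80-step compression with f_t, K_t and W_t. Added
example, not from the slides; verified against hashlib.sha1. The expansion
of the 16 message words into W[16..79] is the FIPS 180 rule, which the
slides do not show."""
import hashlib
import math
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)   # A..E
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)                 # K_t per round

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def f(t, b, c, d):
    """Round functions F1..F4 as tabulated above."""
    if t < 20:
        return (b & c) | (~b & d)
    if t < 40:
        return b ^ c ^ d
    if t < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d

def constants_match_sqrt():
    """K_t = integer part of 2^30 * sqrt(2), sqrt(3), sqrt(5), sqrt(10)."""
    return all(int((1 << 30) * math.sqrt(n)) == k for n, k in zip((2, 3, 5, 10), K))

def pad(msg):
    """Steps 1 and 2: a 1 bit, zeros up to 448 mod 512, then the 64-bit
    length, most significant byte first (SHA-1 is big-endian throughout)."""
    k = len(msg) * 8
    msg += b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    return msg + struct.pack(">Q", k % (1 << 64))

def compress(cv, block):
    W = list(struct.unpack(">16I", block))
    for t in range(16, 80):            # message schedule expansion (FIPS 180)
        W.append(rotl(W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16], 1))
    a, b, c, d, e = cv
    for t in range(80):
        # new A = S^5(A) + f_t(B,C,D) + E + W_t + K_t; the others shift down
        tmp = (rotl(a, 5) + (f(t, b, c, d) & MASK) + e + W[t] + K[t // 20]) & MASK
        a, b, c, d, e = tmp, a, rotl(b, 30), c, d
    return tuple((x + y) & MASK for x, y in zip(cv, (a, b, c, d, e)))

def sha1(msg):
    cv = IV
    data = pad(msg)
    for off in range(0, len(data), 64):
        cv = compress(cv, data[off:off + 64])
    return struct.pack(">5I", *cv).hex()

if __name__ == "__main__":
    for m in (b"", b"abc", b"a" * 1000):
        assert sha1(m) == hashlib.sha1(m).hexdigest()
    print("sha1 matches hashlib; K_t from square roots:", constants_match_sqrt())
```

Compared with the MD5 example, only the byte order of the length field and of the word unpacking changes (">Q", ">16I", ">5I" instead of "<Q", "<16I", "<4I"); mixing the two conventions is the most common bug when these are written by hand.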

Page 131: Fundamentals of Security

Security of MD5 and SHA-1

Brute force attack: if we have a message x such that H(x) = h, the difficulty of finding a y such that H(y) = H(x) is on the order of 2^128 operations for MD5 and 2^160 operations for SHA-1.

Page 132: Fundamentals of Security

Mathematical Basis of the Brute Force Attack

Problem statement:

• An attacker generates k different inputs, trying to find at least one message y with H(y) = H(x).

• What must the size of k be for the probability that H(x) = H(y) for at least one y to be 0.5?
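Working the problem statement through (an added derivation, not on the slides; m is the digest length in bits, 128 for MD5 and 160 for SHA-1):

For a hash that behaves randomly, each candidate y hits the fixed value h = H(x) with probability 1/2^m, independently of the others. After k candidates,

P(at least one y with H(y) = h) = 1 - (1 - 1/2^m)^k ≈ 1 - e^(-k/2^m)

Setting this probability to 0.5 gives k = 2^m ln 2 ≈ 0.69 x 2^m; with the cruder linear approximation 1 - (1 - 1/2^m)^k ≈ k/2^m one gets k ≈ 2^(m-1). Either way the answer is about 2^127 trials for MD5 and 2^159 for SHA-1, i.e. work on the order of 2^m, as stated on the previous slide.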

Page 133: Fundamentals of Security

Output Feedback Mode (OFB)

Figure: OFB encryption (left) and decryption (right). The IV is the first input block; each input block is encrypted with CIPHk (the ECB forward operation) to give an output block, which is XORed with plaintext block j to give ciphertext block j (or with ciphertext block j to recover plaintext block j). The output block, not the ciphertext, is fed back as the next input block (blocks 1, 2, ..., n).

Page 134: Fundamentals of Security

Output Feedback Mode (OFB) - Encryption

I_1 = IV
I_j = O_(j-1)                    for j = 2, ..., n
O_j = CIPH_K(I_j)                for j = 1, 2, ..., n
C_j = P_j XOR O_j                for j = 1, 2, ..., n-1
C*_n = P*_n XOR MSB_u(O_n)

The last plaintext segment P*_n may be shorter than a block (u bits); it is XORed with the u most significant bits of O_n.

Page 135: Fundamentals of Security

Output Feedback Mode (OFB) - Decryption

I_1 = IV
I_j = O_(j-1)                    for j = 2, ..., n
O_j = CIPH_K(I_j)                for j = 1, 2, ..., n
P_j = C_j XOR O_j                for j = 1, 2, ..., n-1
P*_n = C*_n XOR MSB_u(O_n)

Decryption uses the same output blocks as encryption, so only the forward cipher operation CIPH_K is ever needed.

Page 136: Fundamentals of Security

Cipher Feedback Mode (CFB)

Figure: CFB encryption (left) and decryption (right). The IV is the first input block; CIPHk produces an output block of which the s most significant bits are selected and the remaining (b-s) bits discarded. Those s bits are XORed with an s-bit plaintext segment to give an s-bit ciphertext segment (or with an s-bit ciphertext segment to recover the plaintext segment). The next input block is formed as the (b-s) low-order bits of the previous input block followed by the s-bit ciphertext segment, so ciphertext is fed back in both encryption and decryption.

Page 137: Fundamentals of Security

Cipher Feedback Mode (CFB) - Encryption

I_1 = IV
I_j = LSB_(b-s)(I_(j-1)) | C#_(j-1)     for j = 2, ..., n
O_j = CIPH_K(I_j)                       for j = 1, 2, ..., n
C#_j = P#_j XOR MSB_s(O_j)              for j = 1, 2, ..., n

Each ciphertext segment C#_j and each plaintext segment P#_j consists of s bits; b is the block size of the cipher.

Page 138: Fundamentals of Security

Cipher Feedback Mode (CFB) - Decryption

I_1 = IV
I_j = LSB_(b-s)(I_(j-1)) | C#_(j-1)     for j = 2, ..., n
O_j = CIPH_K(I_j)                       for j = 1, 2, ..., n
P#_j = C#_j XOR MSB_s(O_j)              for j = 1, 2, ..., n

Each ciphertext segment C#_j and each plaintext segment P#_j consists of s bits.

Page 139: Fundamentals of Security

Counter Mode (CTR)

Figure: CTR encryption (left) and decryption (right). Each input block is a counter value (Counter1, Counter2, ..., Countern); CIPHk encrypts the counter to give an output block, which is XORed with plaintext block j (encryption) or ciphertext block j (decryption). There is no feedback between blocks.
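The OFB, CFB and CTR equations above, implemented as an added example (not code from the slides) over a forward-only block function. The cipher CIPH_K is a stand-in built from HMAC-SHA256 truncated to one 128-bit block: all three modes use the cipher only in the forward direction, so any keyed pseudorandom function serves to illustrate them. Keys, IVs and plaintexts are constructed sample values.

```python
"""OFB, CFB (s-bit segments) and CTR exactly as written in the equations
above, over a forward-only block function CIPH_K with b = 128. Added example,
not from the slides. CIPH_K here is a stand-in built from HMAC-SHA256
truncated to one block: all three modes call the cipher only in the forward
direction, so any keyed pseudorandom function serves to illustrate them.
Keys, IVs and plaintexts are constructed sample values."""
import hashlib
import hmac

B = 16   # block size b, in bytes

def ciph(key, block):
    """Stand-in for CIPH_K (not a real block cipher; it is never inverted)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:B]

def xor(x, y):
    return bytes(a ^ b for a, b in zip(x, y))

def ofb(key, iv, data):
    """I_1 = IV, I_j = O_(j-1), O_j = CIPH_K(I_j), C_j = P_j xor O_j,
    C*_n = P*_n xor MSB_u(O_n). Decryption is the same call."""
    out, i_j = b"", iv
    for off in range(0, len(data), B):
        o_j = ciph(key, i_j)
        seg = data[off:off + B]
        out += xor(seg, o_j[:len(seg)])   # MSB_u(O_n) for a short last block
        i_j = o_j                          # the output block is fed back
    return out

def ctr(key, counter0, data):
    """O_j = CIPH_K(Counter_j) with Counter_j = Counter_1 + j - 1; no feedback."""
    out, c = b"", int.from_bytes(counter0, "big")
    for j, off in enumerate(range(0, len(data), B)):
        o_j = ciph(key, ((c + j) % (1 << (8 * B))).to_bytes(B, "big"))
        seg = data[off:off + B]
        out += xor(seg, o_j[:len(seg)])
    return out

def cfb(key, iv, data, s, decrypt=False):
    """I_1 = IV, I_j = LSB_(b-s)(I_(j-1)) | C#_(j-1), O_j = CIPH_K(I_j),
    C#_j = P#_j xor MSB_s(O_j)  (P#_j = C#_j xor MSB_s(O_j) when decrypting).
    s must be a multiple of 8 in this byte-oriented version."""
    sb = s // 8
    out, i_j = b"", iv
    for off in range(0, len(data), sb):
        o_j = ciph(key, i_j)
        seg_in = data[off:off + sb]
        seg_out = xor(seg_in, o_j[:len(seg_in)])   # MSB_s(O_j)
        c_j = seg_in if decrypt else seg_out         # the ciphertext segment
        i_j = i_j[sb:] + c_j                          # LSB_(b-s)(I_(j-1)) | C#_(j-1)
        out += seg_out
    return out

def demo():
    key = b"constructed-sample-key"
    iv = bytes(range(16))
    pt = b"Output feedback, cipher feedback and counter mode round-trip test."
    p2 = b"A second message encrypted under the same key and the same IV..."
    ct8 = cfb(key, iv, pt, 8)
    r = {
        "ofb_roundtrip": ofb(key, iv, ofb(key, iv, pt)) == pt,
        "ctr_roundtrip": ctr(key, iv, ctr(key, iv, pt)) == pt,
        "cfb8_roundtrip": cfb(key, iv, ct8, 8, decrypt=True) == pt,
        # first block: all three modes reduce to P_1 xor CIPH_K(IV)
        "first_block_agree": ofb(key, iv, pt[:B]) == ctr(key, iv, pt[:B]) == cfb(key, iv, pt[:B], 128),
        # OFB/CTR keystream does not depend on the plaintext, so reusing an IV
        # under one key leaks C1 xor C2 = P1 xor P2 (why IVs must be unique)
        "iv_reuse_leaks_xor": xor(ofb(key, iv, pt), ofb(key, iv, p2)) == xor(pt, p2),
    }
    # CFB error propagation: one corrupted ciphertext byte garbles that byte and
    # the following b/s = 16 segments, after which decryption resynchronises
    bad = bytearray(ct8)
    bad[10] ^= 0x01
    rec = cfb(key, iv, bytes(bad), 8, decrypt=True)
    r["cfb8_prefix_intact"] = rec[:10] == pt[:10]
    r["cfb8_byte10_garbled"] = rec[10] != pt[10]
    r["cfb8_resync_after_16"] = rec[27:] == pt[27:]
    return r
```

`demo()` returns the properties worth remembering from the three figures: OFB and CTR are pure keystream modes (so an IV or counter value must never be reused under a key), CFB feeds ciphertext back (so a corrupted ciphertext segment affects the next b/s segments and then recovers), and all three need only the forward direction of the block cipher.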

Page 140: Fundamentals of Security

Reference: Cryptography and Network Security, William Stallings.

Page 141: Fundamentals of Security

CHILD_SA - Generating Keying Material

CHILD_SAs are created in one of two ways:

1. Piggybacked on the IKE_AUTH exchange:

KEYMAT = prf+ (SK_d, Ni | Nr)

where Ni and Nr are the nonces from the IKE_SA_INIT exchange, this being the first CHILD_SA created.

2. In a CREATE_CHILD_SA exchange:

KEYMAT = prf+ (SK_d, g^ir (new) | Ni | Nr)

where Ni and Nr are fresh nonces from the CREATE_CHILD_SA exchange and g^ir (new) is the shared secret from the ephemeral Diffie-Hellman exchange of this CREATE_CHILD_SA exchange.
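The two KEYMAT derivations above, as an added example (not code from the slides) with HMAC-SHA256 standing in for the negotiated prf. The prf+ expansion and the order in which keys are cut from KEYMAT follow RFC 7296 (sections 2.13 and 2.17); SK_d, the nonces and the Diffie-Hellman shared secret are constructed sample values, not real IKE output, and the 16-byte key lengths are an assumption.

```python
"""prf+ and CHILD_SA KEYMAT derivation as on the slide, using HMAC-SHA256
as the negotiated prf. Added example, not from the slides; SK_d, the nonces
and the DH shared secret below are constructed sample values, not real
IKE output, and the 16-byte key lengths are an assumption."""
import hashlib
import hmac

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key, seed, length):
    """prf+(K, S) = T1 | T2 | T3 | ... where T1 = prf(K, S | 0x01) and
    Tn = prf(K, T(n-1) | S | n), n a single byte (RFC 7296, section 2.13)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        if n > 255:
            raise ValueError("prf+ is limited to 255 blocks")
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]

def child_sa_keymat(sk_d, ni, nr, g_ir_new=None, length=64):
    """KEYMAT = prf+(SK_d, Ni | Nr) for a CHILD_SA piggybacked on IKE_AUTH,
    or prf+(SK_d, g^ir (new) | Ni | Nr) when CREATE_CHILD_SA carried a new
    Diffie-Hellman exchange (g^ir (new) goes in front of the nonces)."""
    seed = (g_ir_new if g_ir_new is not None else b"") + ni + nr
    return prf_plus(sk_d, seed, length)

def split_keymat(keymat, enc_len, integ_len):
    """RFC 7296 section 2.17 order: keys for the initiator->responder SA
    first, and for ESP the encryption key before the integrity key:
    SK_ei | SK_ai | SK_er | SK_ar."""
    need = 2 * (enc_len + integ_len)
    if len(keymat) < need:
        raise ValueError("KEYMAT too short for the requested key sizes")
    names = ("SK_ei", "SK_ai", "SK_er", "SK_ar")
    sizes = (enc_len, integ_len, enc_len, integ_len)
    keys, off = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = keymat[off:off + size]
        off += size
    return keys

def structure_check(sk_d, seed, length=70):
    """Recompute T1, T2, T3 by hand and compare with prf_plus."""
    t1 = prf(sk_d, seed + b"\x01")
    t2 = prf(sk_d, t1 + seed + b"\x02")
    t3 = prf(sk_d, t2 + seed + b"\x03")
    return prf_plus(sk_d, seed, length) == (t1 + t2 + t3)[:length]

def demo():
    # constructed sample values (the real ones come from the IKE exchanges)
    sk_d = bytes.fromhex("00" * 32)
    ni, nr = b"initiator-nonce!", b"responder-nonce!"
    g_ir_new = b"dh-shared-secret-from-create-child-sa"
    km_piggyback = child_sa_keymat(sk_d, ni, nr)
    km_rekey = child_sa_keymat(sk_d, ni, nr, g_ir_new)
    return {
        "piggyback": split_keymat(km_piggyback, 16, 16),
        "rekey": split_keymat(km_rekey, 16, 16),
        "differ": km_piggyback != km_rekey,
    }
```

The second derivation is the one that gives a rekeyed CHILD_SA forward secrecy: without g^ir (new), every CHILD_SA under the same IKE_SA is a deterministic function of SK_d and the nonces.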