Computer Network: Network Security (Cryptography)
— — — By Rahul S Sengar
Network Security
Network Security can be identified by the following desirable properties of secure communication.
• Confidentiality. Only the sender and intended receiver should be able to understand the contents of the transmitted message. Because eavesdroppers may intercept the message, this necessarily requires that the message be somehow encrypted so that an intercepted message cannot be understood by an interceptor. This aspect of confidentiality is probably the most commonly perceived meaning of the term secure communication.
• Message integrity. Alice and Bob want to ensure that the content of their communication is not altered, either maliciously or by accident, in transit. Extensions to the checksumming techniques that we encountered in reliable transport and data link protocols can be used to provide such message integrity.
• End-point authentication. Both the sender and receiver should be able to confirm the identity of the other party involved in the communication to confirm that the other party is indeed who or what they claim to be. Face-to-face human communication solves this problem easily by visual recognition. When communicating entities exchange messages over a medium where they cannot see the other party, authentication is not so simple. When a user wants to access an inbox, how does the mail server verify that the user is the person he or she claims to be?
• Operational security. Almost all organizations (companies, universities, and so on) today have networks that are attached to the public Internet. These networks therefore can potentially be compromised. Attackers can attempt to deposit worms into the hosts in the network, obtain corporate secrets, map the internal network configurations, and launch DoS attacks.
Cryptography has a very rich history and can be dated back to old Vedic scriptures. Books like “The Codebreakers” [Kahn 1967], and “The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography” [Singh 1999], provide a fascinating look at the long history of cryptography. Cryptographic techniques allow a sender to disguise data so that an intruder can gain no information from the intercepted data. The receiver, of course, must be able to recover the original data from the disguised data.
Principles of Cryptography
Let us introduce Rohit and Naina. two people who want to communicate and wish to do so “securely.” This being a networking text, we should remark that Rohit and Naina could be two routers that want to exchange routing tables securely, a client and server that want to establish a secure transport connection, or two e-mail applications that want to exchange secure e-mail. Aman likes to listen to everyone’s conversation and wanted to intercept whatever is transmitted from Rohit to Naina. Our study is how Naina can be assured that they can communicate in the first place (i.e., that no one denies them access to the resources needed to communicate) as well as to be sure that the message she receives from Rohit was indeed sent by Rohit and vice versa.
Assume Naina sends a message to Rohit, “Computer Networking is cool”, now the original form of the message is called plain text or cleartext. Now, she encrypts the message using an encryption algorithm and that encrypted message is called ciphertext. Now, to encode the ciphertext there must be some secret information that prevents an intruder from decrypting the transmitted message, we use a key. Ka , a string of numbers or characters, is input into the encryption algorithm. The encryption algorithm takes the key and the plaintext message, m, as input and produces ciphertext as output. There are basically two types of key systems: Symmetric key systems and Public key systems (Not Asymmetric) :).
Symmetric Key Systems
All cryptographic algorithms involve substituting one thing for another, for example, taking a piece of plaintext and then computing and substituting the appropriate ciphertext to create the encrypted message. Before studying a modern key-based cryptographic system, let us first get our feet wet by studying a very old, very simple symmetric key algorithm attributed to Julius Caesar, known as the Caesar cipher (a cipher is a method for encrypting data).
For English text, the Caesar cipher would work by taking each letter in the plaintext message and substituting the letter that is k letters later (allowing wrap around; that is, having the letter z followed by the letter a) in the alphabet. For example, if k = 3, then the letter ‘a’ in plaintext becomes ‘d’ in ciphertext; ‘b’ in plaintext becomes ‘e’ in ciphertext, and so on. Here, the value of k serves as the key.
The monoalphabetic cipher is an improvised version of Caesar cipher. This additionally substitutes one letter of the alphabet with another letter of the alphabet. However, rather than substituting according to a regular pattern (for example, substitution with an offset of k for all letters), any letter can be substituted for any other letter as long as each letter has a unique substitute letter and vice versa.
Now, depending on what information does the intruder know, one can distinguish three different scenarios:
• Ciphertext-only attack. In some cases, the intruder may have access only to the intercepted ciphertext, with no certain information about the contents of the plaintext message. We have seen how statistical analysis can help in a ciphertext-only attack on an encryption scheme.
• Known-plaintext attack. if the intruder somehow knew for sure that “rohit” and “naina” appeared in the ciphertext message, then the intruder could have determined the (plaintext, ciphertext) pairings for the letters r, o, i, h, t, n, and a.
• Chosen-plaintext attack. In a chosen-plaintext attack, the intruder is able to choose the plaintext message and obtain its corresponding ciphertext form.
Polyalphabetic encryption is an improvised technique on monoalphabetic encryption to use multiple monoalphabetic ciphers. This could be achieved by using a specific monoalphabetic cipher to encode a letter in a specific order in the plaintext message, making the same letter, appearing in different positions in the plaintext message.
Block Ciphers
Block ciphers use in many secure Internet protocols, including PGP (for secure e-mail), SSL (for securing TCP connections), and IPsec (for securing the network-layer transport).
In a block cipher, the message to be encrypted is processed in blocks of k bits. To encode a block, the cipher uses a one-to-one mapping to map the k-bit block of cleartext to a k-bit block of ciphertext. Suppose that k = 3, so that the block cipher maps 3-bit inputs (cleartext) to 3-bit outputs (ciphertext). One possible mapping is given below figure. This block cipher breaks the message up into 3-bit blocks and encrypts each block according to the above mapping. You should verify that the message 010110001111 gets encrypted into 101000111001.
The brute-force attack for this cipher is to try to decrypt ciphertext by using all mappings. With only 40,320 mappings (when k = 3), this can quickly be accomplished on a desktop PC. To thwart brute-force attacks, block ciphers typically use much larger blocks, consisting of k = 64 bits or even larger. Note that the number of possible mappings for a general k-block cipher is 2k!, which is astronomical for even moderate values of k (such as k = 64).
Today there are a number of popular block ciphers, including DES (standing for Data Encryption Standard), 3DES, and AES (standing for Advanced Encryption Standard). Each of these standards uses functions, rather than predetermined tables, along the lines of the figure below (albeit more complicated and specific to each cipher). Each of these algorithms also uses a string of bits for a key. For example, DES uses 64-bit blocks with a 56-bit key. AES uses 128-bit blocks and can operate with keys that are 128, 192, and 256 bits long. NIST estimates that a machine that could crack 56-bit DES in one second (that is, try all 256 keys in one second) would take approximately 149 trillion years to crack a 128-bit AES key.
Public Key Encryption
One of the most important disadvantages of using Caesar cipher up to the 1970’s cipher is that the encrypted communication required that the two communication nodes share a common secret or symmetric key for encryption and decryption. To solve this issue, In 1976, DIffie and Hellman demonstrated an algorithm (known now as Diffie-Hellman Key Exchange) to do just that — a radically different and marvelously elegant approach toward secure communication that has led to the development of today’s public key cryptography systems. Interestingly, it has recently come to light that ideas similar to those in [Diffie 1976] and [RSA 1978] had been independently developed in the early 1970s in a series of secret reports by researchers at the Communications-Electronics Security Group in the United Kingdom.
Suppose Alice wants to communicate with Bob. Bob (the recipient of Alice’s messages) instead has two keys — a public key that is available to everyone in the world (including Trudy the intruder) and a private key that is known only to Bob. We will use the notation KB+ and KB– to refer to Bob’s public and private keys, respectively. In order to communicate with Bob, Alice first fetches Bob’s public key. Alice then encrypts her message, m, to Bob using Bob’s public key and a known (for example, standardized) encryption algorithm; that is, Alice computes KB+(m). Bob receives Alice’s encrypted message and uses his private key and a known (for example, standardized) decryption algorithm to decrypt Alice’s encrypted message. That is, Bob computes KB–(KB+(m)). We will see below that there are encryption/decryption algorithms and techniques for choosing public and private keys such that KB–(KB+(m)) = m; that is, applying Bob’s public key, KB+, to a message, m (to get KB+(m)), and then applying Bob’s private key, KB–, to the encrypted version of m (that is, computing KB–(KB+(m))) gives back m. This is a remarkable result! In this manner, Alice can use Bob’s publicly available key to send a secret message to Bob without either of them having to distribute any secret keys! We will see shortly that we can interchange the public key and private key encryption and get the same remarkable result — that is, KB– (B+(m)) = KB+ (KB–(m)) = m.
RSA algorithm is the most famous example of Public-key cryptography.
Closing Note: This blog is solely made for the simplest general introduction to security in computer networks. It has left many important pieces as it’s impossible to explain them in one blog. I hope you really find something new information and would carry on the journey to understand the vastness of the dynamic system on which Computer Networks are built upon. 😊
