Seminar on Network Security and Related Research Issues

Dr. Haitham S Cruickshank http://www.ee.surrey.ac.uk/Personal/H.Cruickshank/

Q: Why do everybody agree that network security is very important, but not many providers are welling to implement it?

Answer: Not understood very well and too complex to implement effectively

Seminar outline
Introduction to security basics Examples of security systems in communication network Overview to IPSec and secure multicast Impact of using IPSec on middle entities such as Performance Enhancing Proxies (PEPs) Security issues in challenged networks such as Delay Tolerant Networks (DTN)

Existing security technologies

Application layer Application specific security Application layer

Transport layer

SSL/TLS

Transport layer

Network Layer

IPsec

Network Layer

Link layer

ATM/DVB

Link layer

Physical layer

Physical layer

Data Communications
4

Different facets of security

Authentication: validate authentic identity. Authorization: access control. Integrity: protection from unauthorized change. Confidentiality or Privacy: keep information private such that only authorized users can understand it. Availability: outsider cannot block legitimate access. Non-repudiation: supply undeniable evidence to prove the message transmission and network access.
5

Security attacks
Passive attacks: eavesdropping on transmission or monitor and analyze the network traffic. Active attacks: modification of information, interruption of information transmission and fabrication of messages:
Denial-of-service (DoS) Masquerade Man-in-the-middle Replay

Security systems - two categories

Secret-key algorithm:
Symmetric: same secret-key is used for both encryption and decryption DES: Data Encryption Standard AES: Advanced Encryption Standard

Public-key algorithm:
Asymmetric: different keys are used for encryption and decryption RSA (Rivest, Shamir and Adleman)

Secret-key system: encryption and decryption

secret key

secret key

plaintext
Ciphertext

plaintext
Encryption Algorithm Decryption Algorithm

Secret-key system example Data Encryption Standard (DES)

64 bit plaintext Initial Transposition L (i-1) R (i-1)

Iteration 1 56 bit key Iteration 16

Iteration 2 L (i-1) + F [R(i-1,K(i)]

32 bit swap 32 bit L (i) Inverse transposition 32 bit R (i)

64 bit ciphertext (b)

(a)

Other secret-key algorithms

10

Message authentication
A methodology to assure data integrity and to authenticate the data origin. One-way hash function:
A one-way hash function takes an arbitrarily long input message and produces a fixed-length, pseudorandom output called a hash Knowing a hash, it is computationally difficult to find the message that produced that hash It is almost impossible to find different messages that will generate the same hash

Message Authentication Code (MAC).

11

Message authentication code (MAC)

Hashed MAC (HMAC)

Ipad = repeated 36 in Hex Opad = repeated 5c in Hex

12

Public-key system
Public key:
Publicly available to anyone

Private key:
Only users themselves know their own private keys

13

Public-key system example RSA (Rivest, Shamir and Adleman )

Message M Encrypt Ciphertext C Decrypt Message M

Two large prime numbers p and q are chosen 'at random' and multiplied together to form a modulus n n = p.q Since it is not possible to factorise large numbers - the modulus can be published without disclosing p and q.

Public Key e

Private Key d

A pair of keys, e = encryption key, d = decryption key, are found by solving the following equation e.d mod (p-1)(q-1) = 1 A message M may then be enciphered with the encryption key e by raising M to the power e modulo n Ciphertext C = Me mod n This message may be recovered by raising the cipher text C to the power d modulo n M = C d mod n Simple example Choose p = 3, q = 11, then n = 33 now (p-1)(q-1) = 20 so e.d mod 20 = 1 choose d = 7 then e = 3 if M = 5 (the message)

Public key system - Privacy

Message M

Encrypt

Ciphertext C

Decrypt

Message M

Secret Key d

Private Key e

Public key system - Authentication

14

C = 5 3 mod 33 = 26, Encryption

M = 267 mod 33 = 5 Decryption

Integrity and authentication by public-key

secret key public key

plaintext
Ciphertext

plaintext
Encryption Algorithm Decryption Algorithm

15

Digital signature concept

Combines a hash with Public-key authentication

16

Digital certificates
Certificates bind a public key to a named entity Relies on the trust of the certificate authority A possible certificate and its signed hash, may look like this:

17

Public-Key Infrastructures (PKI)

RA: Regional Authority CA: Certification Authority

18

Diffie-Hellman key exchange protocol - 1

Diffie-Hellman key exchange protocol allows senders and recipients such as Alice and Bob to exchange a shared secret-key. Alice and Bob have to agree on two large prime numbers: n and g where (n - 1) / 2 is prime as well. These numbers can be public, so either of them can pick n and g and tell the other openly. Now Alice picks a large number (say 512-bits) x and keep it secret. Similarly, Bob picks a large prime number y. Alice initiates the key exchange protocol by sending message M1:
M1 = (n, g, gx mod n)
19

Diffie-Hellman key exchange protocol - 2

Bob responds by sending message M2:
M2 = (gy mod n)

Now Alice can calculate the shared secret-key K:

k = (gy mod n) x mod n = g yx mod n = g xy mod n

Also Bob can calculate the same secret-key k:

k = (gx mod n) y mod n = g xy mod n

The main weakness of Diffie-Hellman protocol is that neither Alice nor Bob can authenticate the origin of messages M2 and M1 respectively. One solution is to add Alices digital signature to message M1 and Bobs digital signature to M2.
20

Examples of Security Systems in Communication Network

21

Digital Video Broadcasting (DVB) introduction to conditional access

The scrambling/descrambling function aims to make the service incomprehensible to unauthorised users:
Descrambling can be achieved by any receiver having an appropriate descrambler and holding a secret Control Word (CW).

The CW is encrypted with a service key and sent inside a dedicated message (DVB tables) called Entitlement Control Messages (ECMs). The service key is encrypted with the smart card key and sent inside a dedicated message called Entitlement Management Messages (EMMs).
22

DVB conditional access - encryption

Video PES Audio PES Data PES Conditional Access (CA) system Scrambled & modulated DVB stream to satellite Modulator

Mux

DVB Scrambler

EMM

ECM Encryption

Encryption

CW Smart card processing system Subscriber Authorization System (SAS) Control Word (CW) generator

Subscriber Management System (SMS)

Billing & Customer service

Subscriber

23

DVB conditional access - descrambling

Satellite input MPEG-2 decoder Descrambled programme data (Video/audio/text)

Tuner

DVB descrambler (uses Control Word (CW))

Demultiplex ECM & EMM

CW

ECM session key / CW

EMM service key Demultiplexer

ECM decryption algorithm

Smart Card key Smart card

EMM decryption algorithm

24

Mobile networks - GSM security system

Mobile Station
SIM Secret Key (Ki) (128-bit) Challenge (RAND) (128-bit)

Radio Interface

Wireless Network
Random Number Generator (128-bit) Key Database

A8 Algo.

A3 Algo.
Response (SRES) (32-bit)

Reject No

A3 Algo.
SRES COUNT (22 bits)

A8 Algo.

Ki (128-bit)

=? Kc
Plain text
COUNT (22 bits) Yes Accept

Kc
Plain text

A5 Algo.

Encrypted Data (114-bit)

25

A5 Algo.

Mobile networks - 3G: authentication vector

Generate SQN
AMF: Authentication Management Field SQN AMF
f1: MAC algorithm

Generate RAND RAND

Master Key (K) (128-bit)

f2: authentication algo.

f3: cipher key generator

f4: integrity key generator

f5: anonymity key generator

MAC AUTN := SQN

XRES

CK

IK

AK

AK || AMF || MAC
26

AV := RAND || XRES || CK || IK || AUTN

Mobile networks - 3G: authentication process

RAND SQN
f5: anonymity key generator

AUTN AK AMF MAC

AK
Master Key (K) (128-bit) f1: MAC algorithm
MS: Mobile Station HE: Home Environment SHE SMS

SQN

f2: authentication algo.

f3: cipher key generator

f4: integrity key generator

XMAC
yes

SQNMS

SHE>SMS

=?
No

yes

RES

CK

IK
RES

Send Sync Failure & Abort

No

Send Reject & Abort

27

Send Response to VLR

Network layer security (IPSec)

28

Internet security - introduction Internet security is difficult because:

the internet spans a very wide area across political and organisational boundaries it involves how and when communicating parties (such as users, computer, services and network) can trust each another, as well as understanding the network hardware and protocols

Mechanics for Internet security:

access control using firewalls IPSec Application layer security

29

Internet security protocol layers

30

IPSec overview
IPSec provides a set of security services for traffic at the IP layer, in IPv4 and IPv6, through the use of IP Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols. Important IPsec databases:
Security Policy Database (SPD): Defined the protection offered by IPsec: PROTECTed using IPsec security services, DISCARDed, or allowed to BYPASS Security Association Database (SAD): Which encryption and integrity keys are associated with each IP packet

Two modes of operations:

Transport mode: End-to-end principle is observed Tunnel mode

Family of IPSec protocols

IP Security Architecture RFC 4301 IP Security Architecture RFC 4301

Authentication Header Authentication Header (AH) RFC 4302 (AH) RFC 4302

Encapsulating Security Encapsulating Security Payload (ESP) RFC 4303 Payload (ESP) RFC 4303

IPsec ISAKMP DOI IPsec ISAKMP DOI RFC 2407 RFC 2407 ISAKMP ISAKMP RFC 2408 RFC 2408

HMAC-MD5-96 HMAC-MD5-96 RFC 2403 RFC 2403

HMAC-SHA-1-96 HMAC-SHA-1-96 RFC 2404 RFC 2404

NULL Encryption NULL Encryption Algorithm Algorithm RFC 2410 RFC 2410 CBC-mode Cipher CBC-mode Cipher Algorithm Algorithm RFC 2451 RFC 2451
32

Internet Key Exchange Internet Key Exchange RFC 4306 RFC 4306 OAKLEY OAKLEY RFC 2412 RFC 2412

HMACHMACRIPEMD-160-96 RIPEMD-160-96 RFC 2857 RFC 2857

DES-CBC (with DES-CBC (with explicit IV) explicit IV) RFC 2405 RFC 2405

IPSec: Authentication Header (AH)

IPv4 Original IP header AH TCP Data

Transport mode:

coverage of authentication (except for mutable fields)

IPv6: Original IP header Hop-by-hop extensions AH End-to-end extensions TCP Data

coverage of authentication (except for mutable fields) IPv4 and IPv6: Encapsulating IP header AH Original + ext IP header fields TCP Data

Tunnel mode:

coverage of authentication (except for mutable fields)

33

IPSec: Encapsulated Security Payload (ESP)

ESP header IPv4 Original IP header ESP payload ESP trailer Auth Data SPI Seq Nr. TCP Data Padding

coverage of confidentiality Transport mode: IPv6: Original IP header Hop-by-hop extensions SPI Seq Nr. End-to-end extensions TCP Data Padding Auth Data coverage of authentication ESP header ESP payload ESP trailer

coverage of confidentiality coverage of authentication

Tunnel mode:

IPv4 and IPv6: New IP header New extensions

ESP header Original IP header

Original IP datagram

ESP trailer Auth Data

SPI

Seq Nr.

TCP

Data

Padding

coverage of confidentiality coverage of authentication

34

IPSec applications
End-to-end security VPN (virtual private network) with IPsec (Satellite example) End-to-end with VPN security Secured remote access

35

Limitations of IPSec - problems with middle entities

IPSec in transport mode encrypts all data above IP layer. IPSec in tunnel mode encrypts all data including the original IP layer. However it conflicts with:
Satellite bandwidth acceleration: Performance Enhancing proxies (PEPs) need to inspect TCP and HTTP header. Traffic Analysis: Service provider might require monitoring of their network traffic for management and QoS purposes. Traffic Engineering: Flow classification is essential in supporting a variety of classes of service and QoS.

36

Secure Sockets Layer (SSL)

37

SSL - Connection establishment

38

SSL Data transmission

39

Example multicast applications

Digital TV Multicast Service Centre Satellite mobile (military/civil)

3G mobile

Wide Area Internet Multicast 40

Secure group communications

The IPSEC standards and its related technologies, are aimed mainly at unicast transmissions between one sender and one receiver:
Securing multicast is a difficult issue because it involves group communications

MSEC is an IETF Working Group focusing on standardizing building blocks and protocols for secure group communications and multicast. In addition, there is a Research Group called GSEC which is an IRTF (Internet Research Task Force) group formed to discuss research issues related to multicast security.
41

Factors affecting secure multicast

Applications: One-tomany and many-to-Many
Application Type

Group dynamics: Size

and behaviour Trust model: Security policies and key Group Dynamics management
Trust Model

Critical issues:
Secure group management Key distribution for large groups
42

Secure Multicast architecture Centralised Multicast

security policies

Policy server

Group key management

Group Controller/Key Server

Receiver

Multicast data handling

43

Sender

Secure Multicast architecture Distributed

Multicast security policies

Policy server

Policy server

Group key management

Group Controller/Key Server

Group Controller/Key Server

Receiver

Multicast data handling

Sender

Receiver

44

Group key management protocols

Group Secure Association Key Management Protocol (GSAKMP):
It includes mechanisms for group policy dissemination, group key dissemination, and group rekey operation

Multimedia Internet KEYing (MIKEY):

The MIKEY protocol is used for peer-to-peer, simple one-to-many, and small-size (interactive) groups, and is intended for use in real-time applications. One of the main multimedia scenarios is the conversational multimedia scenario, where users may interact and communicate in realtime

Group Domain of Interpretation (GDOI):

GDOI (RFC 3547) is an ISAKMP Domain of Interpretation (DOI) for group key management to support secure group communications. It proposes new exchanges according to the ISAKMP and IKE standard

45

GSAKMP message sequence

Group Controller (GC) Request to join Group establishment (once per GM) Key download Notification (acknowledgement) Group Member (GM)

Group maintenance (repeat as necessary)

Server rekey

Group removal / destruction Group removal

46

Key distribution: Logical Key Hierarchy (LKH) - 1

RFC 2627 defines the Logical key hierarchy (LKH) as a mechanism for improving the scalability of multicast key management. LKH provides the following two features:
Secure removal of a compromised user from the multicast group. Key transmission efficiency.

47

Key distribution: Logical Key Hierarchy (LKH) - 2

O

M K ey hierarchy A K ey A B C D E F

U sers 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 (a)
48

U sers 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 (b)

LKH Tree (user 4 joins)

Send

O
Send

Group key

M Key hierarchy
Send

I
Send

Group members 1 2 3 4 5 6
49

9 10 11 12 13 14 15 16

LKH Tree (group rekey)

Rekey

O
Unchanged

Group key
Unchanged

M Key hierarchy

Group members 1 2 3 4 5 6
50

9 10 11 12 13 14 15 16

LKH Tree (removal of member 4)

Rekey

Group key
Unchanged

Rekey

M Key hierarchy
Rekey Unchanged

I
Unchanged Rekey

Group members 1 2 3 4 5 6
51

9 10 11 12 13 14 15 16

Screen capture for LKH

Rekey messages = 2log2N 1 16 users = 24 2048 users = 211 131072 users = 217 1 million users = 220

52

Performance Enhancing proxies (PEPs)

53

ETSI - BSM Architecture

The Broadband Satellite Multimedia (BSM) architecture divides the protocol stack into 2 parts:
Satellite Independent (SI) upper layers Satellite Dependent (SD) lower layers

The upper layers contain a set of common IP interworking functions:

Define Satellite Independent Adaptation Functions (SIAF) Common ways of handling Quality of Service (QoS); Addressing; Multicast and Security etc.

Satellite Independent Service Access Point (SI-SAP) defined as a common interface between the upper and lower layers. The lower layers contain the satellite specific functions:
The lower layers are closely tied to the payload capability of the satellite
54

BSM Protocol Stack

IP v 4 a n d IP v 6
IP R o u tin g IP R o u te D e te r m in a tio n IP Q o S M a n a g e m e n t IP S e c u r ity

A d d re s s T a b le

BSM A d d r e s s R e s o lu t io n

BSM R o u t in g A d a p t a t io n

BSM C o n n e c t io n CTRL

BSM Q oS A d a p t a t io n

BSM QoS M gm t

BSM S e c u r it y M gm t

S IA F
IP P a c k e t F o r w a r d in g

S I- U - S A P

S I- C - S A P

S I- M - S A P

S e g m e n t a t io n / e n c a p s u la t io n SDAF

BSM A d d r e s s R e s o lu t io n

BSM C o n n e c t io n CTRL

S a te llite D a ta U n it S w itc h in g

BSM R e s o u rc e M gm t

BSM S e c u r it y M gm t

S a te llite L in k C o n tr o l ( S L C )

S a te llite M e d iu m A c c e s s C o n tr o l ( S M A C )

S a te llite P h y s ic a l ( S P H Y )

55

Performance Enhancing Proxies (PEPs) types and layering

Transport Layer PEPs (T-PEP): T-PEPs interact with TCP. Such an implementation is sometimes called TCP Performance Enhancing Proxy (TCP PEP). The term TCP spoofing is sometimes used synonymously for TCP PEP functionality. Application layer PEPs (A-PEP): Application layer PEPs operate above the transport layer. An example of application layer proxy is a Web cache. A-PEPs can be implemented to improve the HTTP performance over wireless links.
56

T-PEP and A-PEP mechanisms

TCP ACK Spacing: In environments where ACKs tend to bunch together, ACK spacing is used to smooth out the flow of TCP acknowledgments traversing a link. Local TCP Acknowledgements: In some PEP implementations, TCP data segments received by the PEP are locally acknowledged by the PEP. Local TCP Retransmissions: A TCP PEP may locally retransmit data segments lost on the path between the TCP PEP and the receiving end system. Browser Cache Leveraging: Caching some web pages not residing in browser cache, improving efficiency. HTTP pre-fetching: Intercepting requested Web pages, identifying Web objects referred to by the Web pages, downloading these objects in anticipation of the next user requests.
57

Security issues in PEPs

Security can be applied in application, transport (SSL), IP (IPSec) or link layers:
However security must allow T-PEP access to the transport protocol headers and A-PEPs access to application layer contents (e.g web pages )

This implies that IPSec and SSL can be applied in limited cases. Satellite link layer security can be applied transparently to T-PEPs and A-PEPs.

58

Successful T-PEP (not A-PEP) with end-to-end SSL

Host TLS or application layer security Transport layer IP layer Link layer Ethernet Content Provider TLS or application layer security Transport layer IP layer Link layer Ethernet

SI-SAP

ST PEP Transport layer IP layer Link layer

Ethernet1 Ethernet2 BSM ST IP layer BSM GW IP layer

GW PEP Transport layer IP layer Link layer

Ethernet1 Ethernet 2

L- layer S-MAC Ethernet S-PHY

S- MAC S-PHY

L-layer Ethernet

Internet

59

Successful T-PEP and A-PEP with IPSec - 1

SI-SAP

ST PEP Transport layer IP layer Link layer

Ethernet1 Ethernet2 Ethernet S-PHY S-PHY Ethernet

GW PEP BSM ST IP layer

Link layer

BSM GW IPsec
S-MAC

Transport layer IP layer Link layer

Ethernet1 Ethernet2

IPsec
S-MAC

IP layer
Link layer

Host/Hosts

Content Provider

60

Successful T-PEP and A-PEP with IPSec - 2

SI-SAP

ST PEP Transport layer IP layer IPsec BSM ST IP layer

Link layer S-MAC S-PHY

GW PEP BSM GW IP layer

Link layer S-MAC S-PHY Ethernet

Transport layer IPsec (IPsec) IP layer IP layer Link layer

Ethernet1 Ethernet2

Link layer
Ethernet1 Ethernet2

Ethernet

Host/Hosts

Content Provider

61

Successful PEPs with link layer security

SI-SAP

ST PEP Transport layer IP layer Link layer

Ethernet1 Ethernet2 Ethernet S-PHY S-PHY Ethernet

GW PEP BSM ST IP layer

Link layer S-MAC L-security

BSM GW IP layer
S-MAC L-security Link layer

Transport layer IP layer Link layer

Ethernet1 Ethernet2

Host/Hosts

Content Provider

62

Limitations of IPSec - problems with middle entities - revisited

IPSec in transport mode encrypts all data above IP layer. IPSec in tunnel mode encrypts all data including the original IP layer. However it conflicts with:
Satellite bandwidth acceleration: Performance Enhancing proxies (PEPs) need to inspect TCP and HTTP header. Traffic Analysis: Service provider might require monitoring of their network traffic for management and QoS purposes. Traffic Engineering: Flow classification is essential in supporting a variety of classes of service and QoS.

A solution Multi Layer IPSec (ML-IPSec): divides the IP datagram into several zones and apply different protection schemes to each zone.
63

Multi Layer IPSec (ML-IPSec) - design

IP HEADER TCP/UDP HEADER TCP/UDP DATA

ML-IPSec: zone map

IP HEADER

TCP/UDP HEADER

TCP/UDP DATA

Zone 1

Zone 2

IP HEADER

ESP HEADER

TCP/UDP HEADER

ESP TRAILER 1

TCP/UDP DATA

ESP TRAILER 2

ESP AUTH

Zone 1 (k1)

Zone 2 (k2)
Encrypted

64

Interworking between ML-IPSEC and LKH

O Group key K1 (for transport layer header) N

M Key hierarchy

Group key K2 (for transport layer data) J K

Users U1 U2 U3 U4 U5 U6 U7 U8
65

GW1 GW2 GW3 GW4 GW5 GW6 GW7 GW8

Delay/Disruption Tolerant Networks (DTN) - security

66

Delay/Disruption Tolerant Networking (DTN - Introduction

DTN is an overlay network architecture which runs on top of heterogeneous networks. It provides good services in high delay/disruption environments. It originated within the Inter Planetary research community. It has three main components:

67

67

Example DTN scenario: UN monitoring in disaster and conflict areas

UN Headquarters

UN: United Nations

Fixed Satellite Terminal (ST4) Local Government
DTN-G4 Sensor Sensor

Internet

Fixed Satellite Terminal (ST3)

DTN-G3

DTN-G2

Fixed/mobile Satellite Terminal (ST2)

DTN

WSN
DTN-Peer Sensor

Satellite Network Internet

DTN-G1 Sensor Sensor Sensor

Satellite link WiFi/WiMax link Wireless Sensor link

Fixed/Mobile Satellite Terminal (ST1)

DTN

Wired link WSN: Wireless Sensors Network

WSN

DTN-Peer

68

DTN security issues

Current security protocols such as IPSec and TLS (or SSL) do not perform well in high delay/disruption conditions because of the following assumptions:
end-to-end connectivity is always present low link delays low error rate on link channels

69

DTN Security Architecture

DTN security architecture provides hop-by-hop authentication and end-to-endish authentication, integrity, and confidentiality. It has several blocks (headers) to provide these security services.
Bundle Authentication Block (BAB): hop-by-hop authentication & integrity Payload Integrity Block (PIB): end-to-endish authentication and integrity Payload Confidentiality Block (PCB): end-to-endish confidentiality
70
70

Internetworking of heterogeneous networks using DTN Gateways

71

DTN security : Hop-by-Hop authentication

72

DTN security : End-to-End authentication and integrity

73

DTN security : End-to-End confidentiality

74

Open research issues in DTN security

Lightweight key management Lightweight AAA-like architecture for authentication/authorisation Resilience to Denial of Service (DoS) attacks Providing anonymity to end users for some services/applications

75

Summary - security layers comparison

Link layer Network layer Transport layer Widely used for securing TCP connections Application layer Can satisfy applications requirement very well

Major advantages

Complete control of the link security

IPSec is the best solution for Internet security

Major disadvantages

Only the one link hop is secure

IPSec works only for IP networks

No security for UDP and multicast

No transparency, where applications need modification to fit security

76

Summary - security services at various protocol layers

Link layer
Terminal authentication Host authentication User authentication Link privacy End to end privacy Link data integrity End to end data integrity Yes No No Yes No Yes No

IP Network layer
Yes (IP address) Yes (IP address) No Yes (IPSec IP tunnel) Yes Yes (IPSec IP tunnel) Yes

Transport layer
No No Yes No Yes No Yes

Application layer
No No Yes No Yes No Yes

77