CSIS 625 Week 12

Encryption, Authentication, Misc. Wireless topics

 

Copyright 2001 and 2002 – Daniel R. Oelke

 

For use by students of CSIS 625 for purposes of this class only.

 

I.                 Overview

A.               Presentation Layer topics

1.                  Encryption

2.                  Authentication 

B.                Home Gateways – NAT, firewall, etc.

C.               Wireless topics not covered earlier

1.                  LMDS, MMDS, Free-space Optics

II.                Presentation Layer

A.               Encryption

1.                  Encryption is a method by which information is modified so that others cannot understand it.

a)                  Scrambling of the data

b)                  aka Cryptography

2.                  Steganography is a method by which information is hidden from others.

a)                  Hiding of the data using “noise”

b)                  Least significant bits in pictures or audio

3.                  Encryption has 2 major branches

a)                  Asymmetric Encryption (Public Key)

b)                  Symmetric Encryption

4.                  Encryption - the players

a)                  Instead of writing “A sends a message to B”, cryptography books have taken to using some relatively standard names for the communicating parties

b)                  Alice, Bob, Carol, Dave - participants in a communication

c)                  Eve - the eavesdropper - listens in on communication, but doesn’t alter the communication.

d)                  Mallory - a malicious active attacker

e)                  Peggy - a prover

f)                    Victor - a verifier

5.                  Symmetric Key Encryption

a)                  Both the sender and the receiver know some common secret. 

b)                  The secret is the key to decoding the message

c)                  The secrecy of the key is important

d)                  Transporting and securing the key between Alice and Bob is difficult, because it must be done through a secure mechanism.

e)                  One time pad - the key is as big as the message.  The message is xor’d with the key.

(1)               The only truly unbreakable encryption system.
(2)               Most products that claim one-time-pad are not.
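The one-time pad in section II.A.5.e, as an added example (not part of the original notes): the message is XOR’d with a key of the same length, the same operation decrypts, and the block also shows what Eve can compute when a “one-time” pad is used twice, which is why products that reuse a pad are not one-time pads. The messages and pad below are constructed sample values.

```python
"""One-time pad: XOR the message with a key at least as long as the message.
Added example, not from the original notes.  Also shows why the pad must
never be reused: two ciphertexts under one pad leak m1 XOR m2 to Eve."""
import secrets


def xor_bytes(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(length):
    """The pad must come from a true random source; secrets is the stdlib CSPRNG."""
    return secrets.token_bytes(length)


def otp_encrypt(message, pad):
    """Encrypt; because XOR is its own inverse, the same call decrypts."""
    if len(pad) < len(message):
        raise ValueError("one-time pad must be at least as long as the message")
    return xor_bytes(message, pad)


def key_reuse_leak(ct1, ct2):
    """What Eve learns from two ciphertexts under one pad: the pad cancels,
    leaving m1 XOR m2 (no key needed)."""
    return xor_bytes(ct1, ct2)


def recover_with_crib(ct1, ct2, known_m1):
    """With a known or guessable first message (a 'crib'), m2 follows directly."""
    return xor_bytes(key_reuse_leak(ct1, ct2), known_m1)


if __name__ == "__main__":
    m1, m2 = b"meet at the bridge", b"cancel the meeting"   # constructed samples
    pad = generate_pad(len(m1))
    c1, c2 = otp_encrypt(m1, pad), otp_encrypt(m2, pad)      # pad reused: wrong
    print(otp_encrypt(c1, pad))            # round trip restores m1
    print(recover_with_crib(c1, c2, m1))   # Eve gets m2 without the pad
```

Both sample messages are 18 bytes so one pad covers both; a real system would generate a fresh pad per message and discard it after use.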

6.                  Symmetric Key encryption types

a)                  DES - Data Encryption Standard

(1)               Uses a 56 bit key
(2)               All 2^56 keys can be tested in < 3.5 days with a $250k machine
(a)                On average only need to test ½ that number of keys.
(b)               This was in January of 1999
(c)                Could be done cheaper and faster by now
(3)               Set as a US government standard in 1977

b)                  3DES - Use of DES three times over

(1)               Gives 3x56 or 168 bits of keyspace

c)                  AES - Advanced Encryption Standard

(1)               Rijndael is the chosen standard
(a)                Chosen in October 2000 after 3+ years of competition.
(2)               Officially set as a US government standard in May 2002
(3)               128, 192, or 256 bit keys

7.                  Asymmetric Encryption

a)                  Commonly called Public Key encryption

b)                  Two numbers (secrets) are created. 

c)                  One of these keys is called the public key and given to everyone.

d)                  One of these keys is called the private key and is kept secret.

e)                  To send a message, the public key is used to encrypt the data.  After that, only someone with the private key can decode the message.

8.                  Public Key Encryption types

a)                  RSA - Ron Rivest, Adi Shamir, and Leonard Adleman.

(1)               An algorithm that picks two large prime numbers and multiplies them.  It is assumed that it is very difficult to factor the resulting number.
(2)               The bigger the numbers the harder it is to break the encryption

b)                  Elliptic Curve

c)                  Many practical systems use public key encryption to encrypt a symmetric key that is then used to encrypt the rest of the message

(1)               Public Key encryption tends to use compute expensive algorithms.

9.                  Key Size

a)                  Comparing key size between different algorithms is not easily done. 

b)                  A typical 128-bit symmetric key encryption method might take as long to break as a 1024-bit asymmetric key encryption.

c)                  Don’t get into “my key is bigger” battles. 

d)                  What is important is how strong the overall system is.

(1)               Key size is one factor
(2)               Algorithm choice is another
(3)               Use of proven algorithms is best
(4)               Implementation is often the biggest problem
(5)               Beware – a lot of people are selling snake oil.

e)                  Comparison from “Applied Cryptography” by Bruce Schneier in 1996

(1)               For similar resistances to brute force attacks –
(a)                56 bits Symmetric ~= 384 bits Public-key
(b)               64 bits Symmetric ~= 512 bits Public-key
(c)                80 bits Symmetric ~= 768 bits Public-key
(d)               112 bits Symmetric ~= 1792 bits Public-key
(e)                128 bits Symmetric ~= 2304 bits Public-key
(2)               Security Requirements and the lifetime of information vs. symmetric key length
(a)                Tactical military information – Minutes/hours – 56-64 bits
(b)               Product Announcements, mergers – Days/weeks – 64 bits
(c)                Long term business plans – years – 64 bits
(d)               Trade secrets (Coca-Cola recipe) – decades – 112 bits
(e)                Personal affairs -  >50 years – 128 bits
(f)                 Diplomatic embarrassments >65 years – 128 bits
(g)                US census data – 100 years – at least 128 bits

B.                Authentication

1.                  Authentication is the process of making sure that someone is who they say they are.

2.                  It is also the process of making sure that a message has been transported without being modified.

a)                  Much more than error detection

b)                  Mallory might intercept the message, change it and change the CRC

3.                  One-way hash

a)                  An algorithm that produces a fixed-size hash value from a message, such that it is very difficult to produce another message with the same hash.

b)                  SHA-1 (160-bit hash), MD5 (128-bit hash), RIPEMD (128-bit hash)

4.                  The secure hash can be sent via another transport mechanism that is secure

5.                  The secure hash could be encrypted with the sender’s private key – allowing everyone to decrypt and check the secure hash

a)                  This assumes that the sender keeps their private key from being stolen by someone else.

C.               Authentication & Encryption

1.                  Authentication often uses many of the same public key encryption algorithms as encryption.

2.                  Message tampering detection

a)                  Create a secure hash of the message, and then encrypt the hash using the private key.

b)                  Anyone can then decrypt the hash using the public key and compare the result with a hash of their own copy of the message.
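The two uses of public key cryptography in sections II.A.8.c (a public key wraps a symmetric key that encrypts the bulk of the message) and II.C.2 (hash, then apply the private key; anyone with the public key checks it), together with the tampering scenario of II.B.2.b, as one added example that is not from the original notes. The RSA here is textbook RSA with a demo-sized modulus and no padding, the symmetric cipher is a constructed SHA-256 counter-mode keystream standing in for a real block cipher, and SHA-256 is used for the digest instead of the SHA-1/MD5 listed in the notes; all messages are constructed samples.

```python
"""Textbook RSA used two ways: wrapping a symmetric key (hybrid encryption)
and signing a hash.  Added example, not from the original notes.  No padding
and a small modulus: this shows the math, not a production design."""
import hashlib
import secrets
import zlib

def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test (probabilistic, error <= 4**-rounds)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Random odd candidates with the top bit set, until one passes the test."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Two primes p, q; n = p*q is public, factoring n is the hard problem."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)            # private exponent (modular inverse, Python 3.8+)
    return (e, p * q), (d, p * q)  # (public key, private key)

def rsa_apply(m, key):
    """Encrypt with the public key, or decrypt/sign with the private key; m < n."""
    exp, n = key
    return pow(m, exp, n)

def keystream(key, length):
    """Constructed stand-in for the symmetric cipher: SHA-256 in counter mode (not AES)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hybrid_encrypt(message, pub):
    """Fresh 128-bit symmetric key, RSA-wrapped; the bulk data uses the cheap cipher."""
    sym_key = secrets.token_bytes(16)
    wrapped = rsa_apply(int.from_bytes(sym_key, "big"), pub)
    return wrapped, xor(message, keystream(sym_key, len(message)))

def hybrid_decrypt(wrapped, body, priv):
    sym_key = rsa_apply(wrapped, priv).to_bytes(16, "big")
    return xor(body, keystream(sym_key, len(body)))

def sign(message, priv):
    """Hash the message, then apply the private key to the hash (section II.C.2.a)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(digest, priv)

def verify(message, signature, pub):
    """Anyone with the public key recovers the hash and compares it to their own."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(signature, pub) == digest

def tamper_demo():
    """Section II.B.2.b: the message is changed and the CRC recomputed.
    The CRC still checks out; the signed hash does not."""
    pub, priv = generate_keypair()
    original = b"Pay Bob 100 dollars"            # constructed sample message
    signature = sign(original, priv)
    tampered = b"Pay Bob 900 dollars"
    forged_crc = zlib.crc32(tampered)            # anyone can recompute a CRC
    return {
        "crc_accepts_tampered": zlib.crc32(tampered) == forged_crc,
        "signature_accepts_tampered": verify(tampered, signature, pub),
        "signature_accepts_original": verify(original, signature, pub),
    }
```

Run `tamper_demo()` to see the contrast the notes draw between error detection and authentication: a CRC only catches accidental corruption, while the signed hash fails for any change unless the private key itself has been stolen (section II.B.5.a).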

III.             Home Gateways.

A.               Often it is useful to have a “box” that connects to the Internet and allows many machines in a home to share that single connection

1.                  The connection to the Internet is often high speed  (but not always)

2.                  The network in the home is often Ethernet over CAT-5 cable, but wireless Ethernet has taken off in popularity.

3.                  Not just for homes – many businesses use similar devices 

B.                Gateway functions

1.                  Connection to the ISP (Internet Service Provider) 

a)                  Often the Gateway just has an upstream Ethernet connection that goes to the ISP’s Cable modem or DSL modem, etc.

b)                  May have a built in cable modem

c)                  May have a built in DSL modem

d)                  May have a built in 56 kbps modem

2.                  IP Router

a)                  Provides a way to move IP packets from one network to another.

b)                  Can connect to the ISP using:

(1)               Static IP address
(2)               DHCP assigned address
(3)               PPPoE - PPP over Ethernet
(4)               Dial-up networking

3.                  NAT – Network Address Translation

a)                  Idea is that private addresses that are not seen by the Internet are used in the “inside” network.

b)                  Allows many machines on the inside network to share a single outside IP address

c)                  See board for discussion of how this works…

4.                  Firewall

a)                  Often a box that provides NAT will be called a firewall because it does not allow incoming connections

b)                  A firewall may allow or disallow connections based on:

(1)               Source IP Address           
(2)               Destination IP Address
(3)               Source Port number
(4)               Destination Port number
(5)               Protocol (TCP or UDP)

c)                  Usually a firewall allows for more specialized filtering than just NAT
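The NAT and firewall functions of sections III.B.3 and III.B.4, as one added example that is not from the original notes: a many-to-one NAT table that rewrites inside private addresses to one public address and only admits inbound packets for flows an inside host opened (which is why such a box gets called a firewall), beside a first-match packet filter over the five fields listed in III.B.4.b. All addresses, ports and rules are constructed (the public addresses come from the RFC 5737 documentation ranges).

```python
"""Toy NAT gateway plus a 5-tuple packet filter.  Added example, not from
the notes; every address, port and rule here is constructed."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str          # "TCP" or "UDP"

class NatGateway:
    """Many-to-one NAT: inside private (ip, port) pairs map to ports on one public IP."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (inside_ip, inside_port, proto) -> public port
        self.in_map = {}    # (public port, proto) -> (inside_ip, inside_port)

    def outbound(self, pkt):
        """Inside -> Internet: allocate a public port the first time a flow is seen."""
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(self.next_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return replace(pkt, src_ip=self.public_ip, src_port=self.out_map[key])

    def inbound(self, pkt):
        """Internet -> inside: only flows an inside host opened have a mapping;
        anything else returns None (dropped), which is the 'firewall' behaviour."""
        inside = self.in_map.get((pkt.dst_port, pkt.proto))
        if inside is None:
            return None
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])

@dataclass(frozen=True)
class Rule:
    """One filter rule over the five fields; '*' in a field matches anything."""
    action: str
    src_ip: str = "*"
    dst_ip: str = "*"
    src_port: object = "*"
    dst_port: object = "*"
    proto: str = "*"

    def matches(self, pkt):
        pairs = ((self.src_ip, pkt.src_ip), (self.dst_ip, pkt.dst_ip),
                 (self.src_port, pkt.src_port), (self.dst_port, pkt.dst_port),
                 (self.proto, pkt.proto))
        return all(want == "*" or want == have for want, have in pairs)

def filter_packet(rules, pkt, default="deny"):
    """First matching rule wins; unmatched packets get the default (deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Constructed policy: block one outside host, allow web and DNS, deny the rest.
RULES = [
    Rule("deny", src_ip="203.0.113.66"),
    Rule("allow", dst_port=80, proto="TCP"),
    Rule("allow", dst_port=443, proto="TCP"),
    Rule("allow", dst_port=53, proto="UDP"),
]

def demo():
    gw = NatGateway("198.51.100.7")                            # constructed public IP
    out = Packet("192.168.1.10", 51515, "203.0.113.5", 80, "TCP")
    translated = gw.outbound(out)
    reply = Packet("203.0.113.5", 80, "198.51.100.7", translated.src_port, "TCP")
    unsolicited = Packet("203.0.113.9", 8080, "198.51.100.7", 40001, "TCP")
    return {
        "translated": translated,
        "reply": gw.inbound(reply),
        "unsolicited": gw.inbound(unsolicited),
        "web_allowed": filter_packet(RULES, out),
        "blocked_host": filter_packet(RULES, Packet("203.0.113.66", 1234, "192.168.1.10", 80, "TCP")),
        "default_deny": filter_packet(RULES, Packet("192.168.1.10", 5000, "203.0.113.5", 23, "TCP")),
    }
```

A real gateway also expires table entries and tracks TCP state, but the table-plus-default-deny structure is the whole reason a NAT box is often described as a firewall even when it does no explicit filtering.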

IV.           Miscellaneous Wireless topics

A.               LMDS - Local Multipoint Distribution System

1.                  A high speed wireless access technology using bands in the 28-31 GHz frequency spectrum.

2.                  Speeds in the hundreds of Mbps, depending on the amount of spectrum given to a given connection.

3.                  Is a point-to-multipoint technology

a)                  One central site

b)                  Many subscriber sites

4.                  Started in 1998 when FCC auctioned off the spectrum for LMDS

a)                  Must own a license to use a set of frequencies.

(1)               Or pay the current license holder for the privilege of using it

5.                  May use TDMA or FDMA or combination

6.                  Encoding techniques of PSK, QPSK, 8PSK, 4-QAM, 16-QAM, or 64-QAM

7.                  Limited Range

a)                  3-5 Mile radius

b)                  Caused by extremely high frequencies and need to have strong signal to noise ratio for higher QAM methods.

8.                  Reference:

a)                  http://www.iec.org/online/tutorials/lmds/

B.                MMDS - Microwave Multipoint Distribution System

1.                  Also called Multi-channel Multi-point Distribution System

2.                  Fixed wireless technology

3.                  Uses 33 channels of 6 MHz each (2.5-2.7 GHz)

4.                  Originally set up for poor man’s cable, now used to send digital data

5.                  Sprint is the major license holder in the US

a)                  Have offered Internet access up to 1Mbps using this technology

6.                  Up to 35-mile radius

C.               Optical Wireless

1.                  Also called Free Space Optics

2.                  Use of lasers sent through air instead of fiber optics cable.

3.                  Can be point to point or point to multipoint systems

4.                  Speeds from 155 Mbps up to (claimed) 10 Gbps

5.                  Issues to deal with

a)                  Movement of buildings

b)                  Pigeons and other flying objects

c)                  Fog and Rain

d)                  Perceived Safety issues

6.                  Limited Range - 2-4 km

7.                  Reference:

a)                   http://www.lightreading.com/document.asp?doc_id=1207

D.               OFDM

1.                  Orthogonal Frequency Division Multiplexing

2.                  A technique used by 802.11a and some other wireless systems to send a large amount of data over radio waves.

3.                  Divides the bandwidth into several frequencies. 

4.                  The bandwidth of each frequency has a few bits modulated into it using QPSK or QAM.

5.                  When all the bits from all the frequencies are added together it can achieve a very high bit rate.

6.                  Often some of the bits are redundant so that some type of FEC can be employed.

7.                  More info:

a)                   http://www.sss-mag.com/ofdm.html
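The OFDM mechanism of section IV.D, as an added example that is not from the original notes: the bandwidth is split into N subcarriers, each carries two bits as a QPSK point, an inverse DFT turns the set of subcarriers into one time-domain symbol, and the receiver’s DFT separates them again so the bits from all subcarriers add up to the high aggregate rate. The DFT is written out in pure Python so the block runs offline; the subcarrier count of 64 and the 4 µs symbol duration match 802.11a, but the bit sequence and noise level are constructed.

```python
"""Toy OFDM modem: QPSK on N subcarriers, IDFT to time domain, DFT back.
Added example, not from the notes; pure Python so it runs offline."""
import cmath
import random

N_SUBCARRIERS = 64     # 802.11a uses a 64-point FFT (not all carriers carry data)
BITS_PER_SYMBOL = 2    # QPSK: 2 bits per subcarrier per OFDM symbol

def qpsk_map(b0, b1):
    """Gray-coded QPSK point with unit energy."""
    return complex(1 - 2 * b0, 1 - 2 * b1) / (2 ** 0.5)

def qpsk_demap(sym):
    """Decide each bit from the sign of the real / imaginary part."""
    return [int(sym.real < 0), int(sym.imag < 0)]

def idft(freq):
    """Inverse DFT: subcarrier values -> time samples (what the transmitter sends)."""
    n = len(freq)
    return [sum(freq[k] * cmath.exp(2j * cmath.pi * k * t / n) for k in range(n)) / n
            for t in range(n)]

def dft(time):
    """DFT: time samples -> subcarrier values (what the receiver computes)."""
    n = len(time)
    return [sum(time[t] * cmath.exp(-2j * cmath.pi * k * t / n) for t in range(n))
            for k in range(n)]

def ofdm_modulate(bits):
    """One OFDM symbol: every subcarrier gets BITS_PER_SYMBOL bits, then IDFT."""
    if len(bits) != N_SUBCARRIERS * BITS_PER_SYMBOL:
        raise ValueError("one symbol carries exactly N_SUBCARRIERS * BITS_PER_SYMBOL bits")
    carriers = [qpsk_map(bits[2 * k], bits[2 * k + 1]) for k in range(N_SUBCARRIERS)]
    return idft(carriers)

def ofdm_demodulate(samples):
    """DFT separates the subcarriers again; demap each one back to its bits."""
    bits = []
    for carrier in dft(samples):
        bits.extend(qpsk_demap(carrier))
    return bits

def add_noise(samples, sigma, seed=1):
    """Constructed channel: add seeded Gaussian noise to each time sample.  Denser
    constellations (16-QAM, 64-QAM) have closer points and tolerate less of this."""
    rng = random.Random(seed)
    return [s + complex(rng.gauss(0, sigma), rng.gauss(0, sigma)) for s in samples]

def raw_bit_rate(symbol_duration_s):
    """Aggregate rate: all subcarriers' bits per symbol divided by the symbol time."""
    return N_SUBCARRIERS * BITS_PER_SYMBOL / symbol_duration_s

def round_trip(bits, sigma=0.0):
    """Modulate, pass through the (optionally noisy) channel, demodulate."""
    samples = ofdm_modulate(bits)
    if sigma:
        samples = add_noise(samples, sigma)
    return ofdm_demodulate(samples)

if __name__ == "__main__":
    rng = random.Random(7)
    payload = [rng.randrange(2) for _ in range(N_SUBCARRIERS * BITS_PER_SYMBOL)]
    print(round_trip(payload, sigma=0.01) == payload)
    print(raw_bit_rate(4e-6) / 1e6, "Mbit/s raw before FEC overhead")
```

The last line shows the arithmetic behind item IV.D.5: 64 subcarriers times 2 bits every 4 µs is 32 Mbit/s before the redundancy mentioned in IV.D.6 is subtracted; switching the per-carrier modulation to 16-QAM or 64-QAM raises that figure but, as `add_noise` illustrates, demands a cleaner channel.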