Basic Network Security_Primer

Bangalore Chapter - August - September 2013 Meet


  1. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public. Network Security Primer: Authentication and Encryption Techniques. Akshat Sharma, Cisco Systems.
  4. Campus topology (diagram): core and distribution layers built on Catalyst 4500 and Catalyst 3750 switches, Catalyst 2960-S access switches, server farms and video-conferencing units.
  5. Access-control building blocks covered (diagram): 802.1X, MAB, Web Auth, VLANs, ACLs, SGTs.
  7. 802.1X
     • Defined by IEEE and designed to provide port-based network access.
     • 802.1X authenticates network clients using information unique to the client and credentials known only to the client.
     • The service is known as port-level authentication.
  8. Credential types (diagram): username/password held in a directory (e.g. alice / c1sC0L1v), certificates issued by a Certificate Authority, tokens validated by a token server.
     • Common types: passwords, certificates, tokens.
     • Deciding factors: security policy, validation, distribution and maintenance.
     • Deployment best practices: re-use existing credentials; understand the limitations of existing systems.
  9. The framework is defined by three entities that take part in authentication:
     1. The supplicant: possibly a standalone device or an end user, such as a remote user.
     2. The authenticator: the device to which the supplicant directly connects and through which the supplicant obtains network access permission.
     3. The authentication server: the authenticator acts as a gateway to the authentication server, which is responsible for actually authenticating the supplicant.
  10. 802.1X components (diagram): the supplicant (client) sits on the semi-public network / enterprise edge and connects to the authenticator (e.g. switch or access point; the PAE, acting as the NAS), which speaks RADIUS to the authentication server (RADIUS server backed by LDAP or Kerberos) inside the enterprise network.
  11. EAP (Extensible Authentication Protocol)
     • A flexible protocol used to carry arbitrary authentication information.
     • Typically rides on top of another protocol such as 802.1X (EAPoL) or RADIUS/TACACS+.
     • EAP messages: Request (sent to the supplicant to indicate a challenge), Response (the supplicant's reply), Success (notification to the supplicant of success), Failure (notification to the supplicant of failure).
  14. 802.1X message exchange (sequence diagram; EAPOL runs between the laptop and the 802.1X authenticator/bridge, RADIUS between the authenticator and the RADIUS server):
     1. Port connect; access blocked.
     2. Laptop → Authenticator: EAPOL-Start.
     3. Authenticator → Laptop: EAP-Request/Identity.
     4. Laptop → Authenticator: EAP-Response/Identity; Authenticator → RADIUS server: Radius-Access-Request.
     5. RADIUS server → Authenticator: Radius-Access-Challenge; Authenticator → Laptop: EAP-Request.
     6. Laptop → Authenticator: EAP-Response (cred); Authenticator → RADIUS server: Radius-Access-Request.
     7. RADIUS server → Authenticator: Radius-Access-Accept; Authenticator → Laptop: EAP-Success; access allowed.
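The exchange on slide 14, simulated in Python as an added example that is not part of the original deck: a RADIUS server that challenges and verifies, a supplicant that answers the challenge, and an authenticator that relays EAP inside RADIUS and opens the port only on Access-Accept. The user store, the nonce/HMAC challenge method and all names are constructed assumptions, not a real EAP method.

```python
import hashlib
import hmac
import os

USERS = {"alice": b"c1sC0L1v"}   # constructed store, held by the RADIUS server only


def proof(secret: bytes, nonce: bytes) -> bytes:
    """Constructed challenge-response EAP method: keyed hash over the server's nonce."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


class RadiusServer:
    """Authentication server: challenges the supplicant, then checks its response."""
    def __init__(self):
        self.pending = {}

    def access_request(self, identity, response=None):
        if response is None:                  # identity only: reply with a challenge
            self.pending[identity] = os.urandom(16)
            return "Access-Challenge", self.pending[identity]
        nonce, secret = self.pending.pop(identity, None), USERS.get(identity)
        if nonce is not None and secret is not None and hmac.compare_digest(proof(secret, nonce), response):
            return "Access-Accept", None
        return "Access-Reject", None


class Supplicant:
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret   # the secret is never sent

    def respond(self, nonce):
        return proof(self.secret, nonce)


class Authenticator:
    """Switch port: relays EAP inside RADIUS; the port stays blocked until Accept."""
    def __init__(self, server):
        self.server, self.port_open, self.log = server, False, []

    def connect(self, client):
        self.log += ["Port connect (access blocked)", "EAPOL-Start", "EAP-Request/Identity",
                     "EAP-Response/Identity", "Radius-Access-Request"]
        code, nonce = self.server.access_request(client.identity)
        self.log.append("Radius-" + code)
        if code != "Access-Challenge":
            return False
        self.log += ["EAP-Request", "EAP-Response (cred)", "Radius-Access-Request"]
        code, _ = self.server.access_request(client.identity, client.respond(nonce))
        self.log.append("Radius-" + code)
        self.port_open = code == "Access-Accept"
        self.log.append("EAP-Success (access allowed)" if self.port_open else "EAP-Failure")
        return self.port_open
```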
  16. MAB
     • MAB stands for MAC Authentication Bypass.
     • It enables port-based access control using the MAC address of the endpoint.
     • A MAB-enabled port can be dynamically enabled or disabled based on the MAC address of the device that connects to it.
  18. WebAuth
     • WebAuth is a Layer 3 authentication method.
     • After IEEE 802.1X (or MAB) has timed out or failed, the port is opened long enough to allow the packets required for WebAuth.
     • After the port has been opened, the switch enforces a preconfigured ACL in some VLAN.
     • At a minimum, the preconfigured ACL should allow the traffic required to complete the WebAuth process. In most cases, the ACL should at least allow DHCP (so the client can acquire an address) and DNS (so the client can trigger WebAuth when using fully qualified domain names in URLs).
  20. Authentication fallback (diagram): an employee authenticates with 802.1X (EAP authentication against the AAA server) and is placed in the Employee VLAN with access to corporate resources; a printer fails 802.1X but passes MAB ("Printer") and is also placed in the Employee VLAN; a guest user fails 802.1X and MAB, authenticates through Web-Auth and is placed in the Guest VLAN with access to the Internet. The VLANs are carried on an 802.1Q trunk.
  22. Wireless encryption
     • Brute-force considerations: 128- to 256-bit keys.
     • Landauer's limit → kT ln 2 (10^18 Joules for 128 bits).
     • Available wireless encryption techniques: WEP (outdated); WPA + TKIP (most compatible, less secure); WPA2 + AES (most secure).
     • DO NOT use WEP!
     • PKI infrastructure for strong authentication and encryption → WPA2-AES + PKI-based 802.1X.
  23. WEP
     • Basically a pseudo-random number generator that encrypts data packets.
     • Start with a generic 802.11 packet.
     • Use the secret key plus an IV to seed the RC4 stream cipher and produce a pseudo-random number (keystream).
     • Compute a CRC-32 of the data portion of the packet; this value is called the ICV.
     • (Data || ICV) XOR pseudo-random number = encrypted portion of the WEP packet.
  24. WEP encapsulation (diagram): the generic 802.11 frame (frame header, frame body, FCS) is processed as follows. The 40-bit secret key, shared before communication begins, is combined with a 24-bit IV created by the sending device and fed to the RC4 algorithm; the integrity check algorithm computes the ICV over the frame body; the frame body and ICV are encrypted with the RC4 output. The resulting WEP frame carries the frame header, the IV in clear, the encrypted frame body and ICV, and the FCS.
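WEP encapsulation as slides 23 and 24 describe it, written out in Python as an added example that is not from the deck: RC4 seeded with IV || secret key, a CRC-32 ICV, and XOR with the keystream. The key and IV values are constructed and little-endian ICV byte order is an assumption; the last function shows why the 24-bit IV matters, since a repeated IV repeats the keystream.

```python
# RC4 is implemented inline; zlib supplies CRC-32. Constructed values only.
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` keystream bytes from RC4 seeded with `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(body: bytes) -> bytes:
    """Integrity check value: plain CRC-32 of the frame body (a checksum, not a MAC)."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def wep_encapsulate(secret_key: bytes, iv: bytes, body: bytes) -> bytes:
    """IV || ((body || ICV) XOR RC4(IV || key)), for a 40-bit key and a 24-bit IV."""
    assert len(secret_key) == 5 and len(iv) == 3
    plain = body + icv(body)
    stream = rc4(iv + secret_key, len(plain))
    return iv + bytes(p ^ k for p, k in zip(plain, stream))


def wep_decapsulate(secret_key: bytes, frame: bytes):
    """Return the frame body, or None when the recomputed ICV does not match."""
    iv, cipher = frame[:3], frame[3:]
    plain = bytes(c ^ k for c, k in zip(cipher, rc4(iv + secret_key, len(cipher))))
    body, received_icv = plain[:-4], plain[-4:]
    return body if icv(body) == received_icv else None


def same_iv_leaks_xor(secret_key: bytes, iv: bytes, a: bytes, b: bytes) -> bool:
    """Two frames under one IV share a keystream, so ciphertext XOR equals plaintext XOR."""
    ca, cb = wep_encapsulate(secret_key, iv, a)[3:], wep_encapsulate(secret_key, iv, b)[3:]
    n = min(len(a), len(b))
    return bytes(x ^ y for x, y in zip(ca, cb))[:n] == bytes(x ^ y for x, y in zip(a, b))
```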
  25. WEP weaknesses: key generation; ICV generation; weak keys and weak IVs; WEP attacks.
  26. Key generation
     • The main problem of WEP is key generation.
     • The secret key is too small, only 40 bits, and very susceptible to brute-force attacks.
     • The IV is too small: only 16 million different possibilities for every packet.
     • Secret keys are accessible to the user, and therefore not secret.
     • Key distribution is done manually.
  27. ICV generation
     • The ICV is generated from a cyclic redundancy check (CRC-32): only a simple arithmetic computation that can be done easily by anyone; not cryptographically secure.
     • It is easy for an attacker to change the packet and then change the ICV to get a response from the AP.
  28. Weak keys and weak IVs
     • Certain keys are more susceptible to showing the relationship between plaintext and ciphertext. There are approximately 9000 weak keys out of the 40-bit WEP secret key space.
     • Weak IVs correspond to weak keys.
  29. WEP attacks
     • Replay: statistical gathering of certain ciphertext that, once sent to the server, will cause the wanted reaction.
     • 802.11 LLC encapsulation: predictable headers give ciphertext/plaintext combinations.
     • Denial of service: flooding the 2.4 GHz band with noise.
  30. Alternatives: 802.1X, WPA, 802.11i; all much more secure.
  33. Symmetric encryption (diagram): the plain-text input "The quick brown fox jumps over the lazy dog" is encrypted into cipher-text and decrypted back to the same plain-text output, using the same key (shared secret) on both sides.
  34. Symmetric encryption
     • Strength: simple and really very fast (on the order of 1000 to 10000 times faster than asymmetric mechanisms); super-fast (and somewhat more secure) if done in hardware (DES, Rijndael).
     • Weakness: the parties must agree the key beforehand and securely pass the key to the other party.
  35. Asymmetric encryption
     • Knowledge of the encryption key doesn't give you knowledge of the decryption key.
     • The receiver of information generates a pair of keys and publishes the public key in a directory.
     • Then anyone can send her messages that only she can read.
  36. Asymmetric encryption (diagram): the clear-text input "The quick brown fox jumps over the lazy dog" is encrypted with the recipient's public key into cipher-text and decrypted with the recipient's private key back into the clear-text output; the two keys are different.
  37. Asymmetric encryption
     • Weakness: extremely slow; susceptible to "known ciphertext" attack; problem of trusting the public key (see later on PKI).
     • Strength: solves the problem of passing the key; allows establishment of a trust context between parties.
  38. Digital envelope, sending (diagram): an RNG produces a randomly generated symmetric "session" key; the message ("Launch key for nuclear missile "RedHeat" is...") is encrypted with symmetric encryption (e.g. DES) under that session key; the session key itself is encrypted asymmetrically (e.g. RSA) with the user's public key (from the certificate), forming the digital envelope. The same is repeated for other recipients or recovery agents, using the other recipient's or agent's public key (in certificate) according to the recovery policy.
  39. Digital envelope, receiving (diagram): the digital envelope contains the "session" key encrypted using the recipient's public key, so the session key must be decrypted using the recipient's private key (asymmetric decryption, e.g. RSA); the recovered symmetric "session" key then drives symmetric decryption (e.g. DES) of the ciphertext back into the message.
  40. Trusting public keys
     • We just solved the problem of symmetric key distribution by using public/private keys.
     • But...
     • Scott creates a keypair (private/public) and quickly tells the world that the public key he published belongs to Bill.
     • People send confidential stuff to Bill.
     • Bill does not have the private key to read them...
     • Scott reads Bill's messages.
     • Solution? Remember digital signatures?
  41. Digital signature, creation (diagram): a hash function (SHA, MD5) calculates a short message digest (128 bits for MD5) from even a long input using a one-way message digest function; the digest is then encrypted asymmetrically with the signatory's private key to produce the digital signature attached to the message or file.
  42. Digital signature, verification (diagram): the digital signature is decrypted asymmetrically (e.g. RSA) with the signatory's public key, to which everyone has access as a trusted key, recovering the digest; the same hash function (e.g. MD5, SHA) is applied to the original message and the two digests are compared: are they the same?
  43. Signing
     • Message is captured.
     • Hash value of the message is calculated.
     • Sender's private key is retrieved from the sender's digital certificate.
     • Hash value is encrypted with the sender's private key.
     • Encrypted hash value is appended to the message as a digital signature.
     • Message is sent.
  44. Verifying
     • Message is received.
     • Digital signature containing the encrypted hash value is retrieved from the message.
     • Message is retrieved.
     • Hash value of the message is calculated.
     • Sender's public key is retrieved from the sender's digital certificate.
     • Encrypted hash value is decrypted with the sender's public key.
     • Decrypted hash value is compared against the hash value produced on receipt.
     • If the values match, the message is valid.
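The digital envelope of slides 38-39 and the sign/verify steps of slides 43-44, as one added Python example that is not from the deck. The keypairs are toy textbook RSA built from known Mersenne primes with no padding, and a SHA-256 counter keystream stands in for DES/AES; every name and value here is an assumption for illustration.

```python
import hashlib
import os


def keypair(p, q, e=65537):
    """Toy textbook RSA (no padding) from two known primes: returns (n, e, d)."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))     # pow(e, -1, m) needs Python 3.8+


RECIPIENT = keypair((1 << 61) - 1, (1 << 89) - 1)     # Mersenne primes, ~150-bit n
SENDER = keypair((1 << 107) - 1, (1 << 127) - 1)      # Mersenne primes, ~234-bit n


def stream_xor(session_key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher standing in for DES/AES: XOR with SHA-256(key || counter)."""
    pad = b"".join(hashlib.sha256(session_key + i.to_bytes(4, "big")).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))


def seal(message: bytes):
    """Slide 38: a random session key encrypts the message; the recipient's public key wraps the key."""
    n, e, _ = RECIPIENT
    session_key = os.urandom(16)                       # RNG output; 128 bits, always < n
    return stream_xor(session_key, message), pow(int.from_bytes(session_key, "big"), e, n)


def open_envelope(ciphertext: bytes, envelope: int) -> bytes:
    """Slide 39: the recipient's private key unwraps the session key, which then decrypts."""
    n, _, d = RECIPIENT
    return stream_xor(pow(envelope, d, n).to_bytes(16, "big"), ciphertext)


def digest(message: bytes) -> int:
    """'Hash value of the message is calculated': SHA-256, truncated to 128 bits to stay below n."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(message: bytes) -> int:
    """Slide 43: the digest is encrypted with the sender's private key."""
    n, _, d = SENDER
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int) -> bool:
    """Slide 44: decrypt with the sender's public key; compare with the recomputed digest."""
    n, e, _ = SENDER
    return pow(signature, e, n) == digest(message)
```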
