Internet Security
4 March 2024
A secure communication between two parties satisfies three properties: confidentiality, integrity, and authenticity. Confidentiality means the message is only readable by the two parties. Integrity means that the message remains unaltered during transmission. Authenticity means that either party can verify the identity of the other party. Without confidentiality, a third party can eavesdrop and read the message. Without integrity, a third party can tamper with the message. Without authenticity, a third party can impersonate one of the two parties.
Network security protocols are built on top of cryptographic algorithms. Encryption algorithms are functions that use encryption keys to transform plaintext into ciphertext. There are two types of encryption schemes: symmetric key encryption and public key encryption. Encryption algorithms immediately solve the problem of confidentiality.
In symmetric key encryption, the same key is used for both encryption and decryption. Block ciphers are one example of symmetric key encryption. In block ciphers, the plaintext is broken down into blocks, and each block is transformed by its corresponding mapping function. The blocks are then permuted, and then encrypted again, for multiple rounds. At the end, the blocks are reassembled and combined to create the ciphertext. The encryption key in block ciphers is used to determine the mapping functions. Randomness can be introduced into the encryption process by using an initialisation vector. The initialisation vector is used to encrypt the first block, which is then used to encrypt the next block, and so on. Popular block ciphers include DES, 3DES, and AES.
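The chaining described above is easier to see in code. The following is an added example, not part of the original notes: a toy 16-byte block cipher (an 8-round Feistel network whose round functions are keyed with HMAC-SHA256, so the key decides the mapping) wrapped in CBC chaining with an initialisation vector. It is a stand-in for DES or AES, chosen so it runs on the standard library alone, and is not safe for real use. The ECB helper is included only to show what goes wrong without chaining: identical plaintext blocks produce identical ciphertext blocks.

```python
import hashlib
import hmac
import os

BLOCK = 16   # bytes per block
ROUNDS = 8   # Feistel rounds


def _round_keys(key: bytes) -> list:
    # The key determines the per-round mapping functions.
    return [hmac.new(key, bytes([i]), hashlib.sha256).digest() for i in range(ROUNDS)]


def _f(round_key: bytes, half: bytes) -> bytes:
    # Keyed round function on one 8-byte half (toy construction, not DES/AES).
    return hmac.new(round_key, half, hashlib.sha256).digest()[: BLOCK // 2]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rk in _round_keys(key):
        left, right = right, _xor(left, _f(rk, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    # Same rounds in reverse order undo the Feistel steps exactly.
    left, right = block[:8], block[8:]
    for rk in reversed(_round_keys(key)):
        left, right = _xor(right, _f(rk, left)), left
    return left + right


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # PKCS#7 style padding
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # No chaining: every block is encrypted independently.
    data = _pad(plaintext)
    return b"".join(encrypt_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Each plaintext block is XORed with the previous ciphertext block (the IV
    # for the first block) before encryption, so equal blocks encrypt differently.
    data, prev, out = _pad(plaintext), iv, []
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(decrypt_block(key, block), prev))
        prev = block
    return _unpad(b"".join(out))


if __name__ == "__main__":
    key = os.urandom(16)
    iv = os.urandom(16)
    message = b"A" * 32 + b"same blocks twice"
    ct = cbc_encrypt(key, iv, message)
    assert cbc_decrypt(key, iv, ct) == message
    print("CBC first two blocks equal:", ct[:16] == ct[16:32])
    ecb = ecb_encrypt(key, message)
    print("ECB first two blocks equal:", ecb[:16] == ecb[16:32])
```

Note that the receiver needs the IV to decrypt; it is normally sent in the clear alongside the ciphertext, since it only needs to be unpredictable, not secret.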
In public key encryption, two keys are used: a public key and a private key. The public key is used to encrypt the plaintext, and the private key is used to decrypt the ciphertext. RSA is one example of public key encryption. RSA is based on the difficulty of factoring large numbers. However, RSA is slow and not suitable for encrypting large messages. One way to overcome this limitation is to use RSA with symmetric key encryption. In this hybrid scheme, the public key is used to encrypt the symmetric key, and the symmetric key is used to encrypt the message.
Encryption algorithms can also be used to solve the problem of integrity. Message integrity can be achieved using symmetric key encryption. Both parties must first agree on an authentication key. The sending party uses the auth key to generate a hash (called a message auth code or MAC) of the message (using a one way hash function, e.g. MD5 or SHA-1), and then sends both the message and the hash to the receiving party. The receiving party uses the auth key to generate a hash of the incoming message, and then compares the hash with the hash sent by the sending party. HMAC is a common standard for generating MACs.
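As an added example (not from the original notes), here is that exchange using Python's standard `hmac` module. SHA-256 is used as the underlying hash instead of MD5 or SHA-1, which is my choice rather than the notes'. The one detail worth noticing is that the receiver compares tags with `hmac.compare_digest`, which runs in constant time, rather than with `==`, whose early exit leaks how many leading bytes matched.

```python
import hashlib
import hmac


def make_tag(auth_key: bytes, message: bytes) -> bytes:
    # MAC = HMAC-SHA256 keyed with the shared authentication key.
    return hmac.new(auth_key, message, hashlib.sha256).digest()


def sender(auth_key: bytes, message: bytes):
    # The sender transmits the message together with its tag.
    return message, make_tag(auth_key, message)


def receiver(auth_key: bytes, message: bytes, tag: bytes) -> bool:
    # Recompute the tag over what actually arrived and compare in constant time.
    expected = make_tag(auth_key, message)
    return hmac.compare_digest(expected, tag)


def tamper(message: bytes) -> bytes:
    # Simulates a third party flipping one bit in transit (constructed scenario).
    return bytes([message[0] ^ 0x01]) + message[1:]


if __name__ == "__main__":
    key = b"shared-auth-key-constructed-for-demo"
    msg, tag = sender(key, b"transfer 100 to account 42")
    print("intact message accepted:", receiver(key, msg, tag))
    print("tampered message accepted:", receiver(key, tamper(msg), tag))
```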
Another application of encryption algorithms is in digital signatures. Digital signatures are used to verify that a message is sent by the claimed sender, and only the claimed sender. Digital signatures use public key encryption. To sign a message, the sender uses a one way hash function to produce a hash of the message, and then encrypts the hash with his private key to generate a signature. Both are then sent to the receiver. The receiver uses the sender's public key to decrypt the signature, and then uses the same one way hash function to produce a hash of the incoming message. If both hashes match, the signature is verified. One caveat here is that the receiver must be able to trust the sender's public key. The sender can certify his public key by obtaining a certificate from a certificate authority.
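The two RSA uses described above, wrapping a symmetric key under the recipient's public key (the hybrid scheme) and signing a message hash under the sender's private key, can be shown with textbook RSA arithmetic. This is an added example and not from the original notes: the modulus is built from two constructed 30-bit primes so that the numbers stay readable, the hash is truncated to 7 bytes so it fits below the modulus, and no padding scheme is applied. Real deployments use 2048-bit or larger moduli with PKCS#1 padding (OAEP for encryption, PSS for signatures), which this toy deliberately omits.

```python
import hashlib
import secrets

# Constructed toy parameters: two small, well-known primes. Real RSA keys use
# primes of roughly 1024 bits or more; these are only large enough to demonstrate.
P = 1000000007
Q = 998244353
E = 65537


def generate_keypair(p: int = P, q: int = Q, e: int = E):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent (modular inverse, Python 3.8+)
    return (n, e), (n, d)        # (public key, private key)


def _fit(data: bytes, n: int) -> int:
    # Toy only: keep 7 bytes so the integer is below n. Real schemes pad instead.
    value = int.from_bytes(data[:7], "big")
    assert value < n
    return value


def wrap_key(public_key, sym_key: bytes) -> int:
    # Hybrid scheme: the (7-byte, constructed) symmetric key is encrypted with RSA;
    # the bulk message would then be encrypted with that symmetric key.
    n, e = public_key
    return pow(_fit(sym_key, n), e, n)


def unwrap_key(private_key, wrapped: int) -> bytes:
    n, d = private_key
    return pow(wrapped, d, n).to_bytes(7, "big")


def sign(private_key, message: bytes) -> int:
    # Hash the message, then apply the private exponent to the hash.
    n, d = private_key
    return pow(_fit(hashlib.sha256(message).digest(), n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    # Apply the public exponent to recover the hash and compare with a fresh hash.
    n, e = public_key
    recovered = pow(signature, e, n)
    return recovered == _fit(hashlib.sha256(message).digest(), n)


if __name__ == "__main__":
    public, private = generate_keypair()
    sym_key = secrets.token_bytes(7)
    assert unwrap_key(private, wrap_key(public, sym_key)) == sym_key
    sig = sign(private, b"pay 100")
    print("genuine message verifies:", verify(public, b"pay 100", sig))
    print("altered message verifies:", verify(public, b"pay 900", sig))
```

The verification step shows why the receiver must trust the public key: anyone can generate a key pair and sign, so without a certificate binding the key to the sender's identity a valid signature proves only that some private key was used.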
Encryption algorithms can also be used to solve the problem of authenticity. The simplest way is to use symmetric key encryption and a nonce (a disposable number). Suppose A wants to authenticate himself to B. B generates a nonce and sends it to A. A encrypts the nonce and sends it to B along with the message. B decrypts the nonce and compares it with the original nonce. If they match, A is authenticated, since only A could have encrypted the nonce. The nonce is critical to prevent replay attacks. Replay attacks occur when an attacker intercepts a message and then sends it again to the receiver, pretending to be the original sender.
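The nonce exchange above, as an added example rather than code from the original notes. Where the notes say A "encrypts" the nonce, this version has A compute a keyed MAC (HMAC-SHA256 under the shared key) over the nonce and the message together, which is the form challenge-response usually takes in practice; that substitution is mine. B remembers which nonces it has issued and forgets each one once used, so a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets


def respond(shared_key: bytes, nonce: bytes, message: bytes) -> bytes:
    # Party A: prove knowledge of the key by binding it to B's fresh nonce and the message.
    return hmac.new(shared_key, nonce + message, hashlib.sha256).digest()


class Verifier:
    """Party B: issues one-time nonces and checks responses against them."""

    def __init__(self, shared_key: bytes):
        self.key = shared_key
        self.outstanding = set()     # nonces issued but not yet used

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def check(self, nonce: bytes, message: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False             # never issued, or already consumed: a replay
        self.outstanding.discard(nonce)   # one-shot: the nonce is now spent
        expected = respond(self.key, nonce, message)
        return hmac.compare_digest(expected, response)


def run_scenario():
    # Constructed scenario: a genuine exchange, then an eavesdropper replays it.
    key = b"key-shared-by-A-and-B-constructed"
    b = Verifier(key)
    nonce = b.challenge()
    message = b"open the door"
    response = respond(key, nonce, message)         # A answers B's challenge
    first = b.check(nonce, message, response)       # genuine: accepted
    replay = b.check(nonce, message, response)      # same capture resent: rejected
    forged = b.check(b.challenge(), message, response)  # new nonce, old response
    return first, replay, forged


if __name__ == "__main__":
    print(run_scenario())
```

Binding the message into the MAC matters: if A only authenticated the nonce, an attacker could keep A's response and attach a different message to it.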
TLS is an application layer protocol that enhances TCP in the transport layer by providing secure communication. Suppose that a client wants to communicate with a server, and that the server has a public/private key pair certified by a certificate authority. After the TCP connection is established, the client sends a hello message to the server. The server responds with its certificate, which contains its public key. The client generates a one time master secret, encrypts it with the server's public key, and sends it to the server. The server uses its private key to decrypt the master secret. Once both parties have the master secret, they can use it to generate encryption keys to generate ciphertexts, and authentication keys to generate MACs for integrity checking. TLS on either side can now break the incoming data stream into chunks, generate a MAC for each chunk, and then combine them for encryption. The encrypted package is then encapsulated into a TLS record, and then passed into TCP for transmission.
IPsec is an enhancement of IP in the network layer. Organisations use IPsec to create a virtual private network (VPN). VPNs run on top of the public Internet, but data is encrypted before it is sent into the network core. IPsec uses two protocols: the authentication header (AH) and the encapsulating security payload (ESP). However, ESP is more commonly used because it provides all three security properties. Before IPsec datagrams are sent, the two parties must first establish a secure channel. This is done using the Internet Key Exchange (IKE) protocol. Like TLS, the two parties first authenticate each other, and then exchange the encryption keys and the authentication keys. After a secure channel has been established, the sending party can begin to transform IP datagrams into IPsec datagrams. The original datagram is appended with an ESP trailer containing padding for encryption, and the payload type, i.e. UDP or TCP, and then encrypted. The encrypted datagram is then prepended with an ESP header containing an SPI identifier and a sequence number to mitigate replay attacks. A MAC is generated for integrity checking, and then appended. Finally, the entire package is encapsulated to form an IPsec datagram, and then sent into the network core. Here, it is treated like any other IP datagram, and is routed to the destination.
In addition to encryption algorithms and security protocols, organisations can also use various operational security measures to enhance network security. The most common are firewalls and intrusion detection systems (IDS). Firewalls are used to filter incoming and outgoing traffic. Broadly speaking, there are three types of firewalls: packet filtering firewalls (individual inspection of packet headers), stateful inspection firewalls (e.g. over live TCP connections), and application layer firewalls (based on application data). IDS are used to detect abnormal activities, such as network mapping, port scanning, denial of service attacks, malware, and vulnerability attacks. IDS can be signature based or anomaly based. Signature based IDS looks for known patterns of attacks by comparing against a database of signatures. Anomaly based IDS uses statistical analysis to look for deviations from normal activities.
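To make the two IDS approaches concrete, here is an added example (mine, not from the original notes or from any IDS product) that runs both over constructed log lines. The signature detector matches a small rule database of known patterns against web request lines; the anomaly detector first learns from a "normal" window of firewall lines how many distinct destination ports a source usually touches (mean and standard deviation), then flags sources in a later window that exceed the baseline by three standard deviations, which is how a port scan stands out. The log format, rule names and IP addresses are all constructed for the demo.

```python
import re
import statistics
from collections import defaultdict

# Constructed firewall log format: key=value fields, one connection attempt per line.
NORMAL_FW_LOG = """\
t=1 src=10.0.0.2 dst=192.168.1.10 dport=80 proto=tcp
t=2 src=10.0.0.2 dst=192.168.1.10 dport=443 proto=tcp
t=3 src=10.0.0.3 dst=192.168.1.11 dport=22 proto=tcp
t=4 src=10.0.0.4 dst=192.168.1.10 dport=80 proto=tcp
t=5 src=10.0.0.4 dst=192.168.1.10 dport=443 proto=tcp
t=6 src=10.0.0.4 dst=192.168.1.12 dport=8080 proto=tcp
t=7 src=10.0.0.6 dst=192.168.1.10 dport=443 proto=tcp
""".splitlines()

# Later window: one source walks ports 21..40 on a single host (a scan pattern).
OBSERVED_FW_LOG = [f"t={i} src=10.0.0.5 dst=192.168.1.10 dport={20 + i} proto=tcp"
                   for i in range(1, 21)] + [
    "t=30 src=10.0.0.2 dst=192.168.1.10 dport=80 proto=tcp",
    "t=31 src=10.0.0.2 dst=192.168.1.10 dport=443 proto=tcp",
]

# Constructed web request lines for the signature detector.
WEB_LOG = [
    "src=10.0.0.7 uri=/index.html ua=Mozilla/5.0",
    "src=10.0.0.8 uri=/../../etc/passwd ua=curl/8.0",
    "src=10.0.0.9 uri=/ ua=EvilScanner/1.0",
]

# Signature database: rule name -> known attack pattern (patterns are illustrative).
SIGNATURES = {
    "path traversal": re.compile(r"uri=\S*\.\./"),
    "suspicious user agent": re.compile(r"ua=EvilScanner/"),
}


def parse(line: str) -> dict:
    return dict(field.split("=", 1) for field in line.split())


def signature_alerts(lines):
    # Signature based: report every line that matches a known pattern.
    alerts = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append((name, parse(line)["src"]))
    return alerts


def distinct_ports_per_source(lines) -> dict:
    ports = defaultdict(set)
    for rec in map(parse, lines):
        ports[rec["src"]].add(int(rec["dport"]))
    return {src: len(p) for src, p in ports.items()}


def fit_baseline(normal_lines) -> tuple:
    # Anomaly based, learning phase: statistics of normal per-source behaviour.
    counts = list(distinct_ports_per_source(normal_lines).values())
    return statistics.mean(counts), max(statistics.pstdev(counts), 0.5)


def anomaly_alerts(lines, baseline, k: float = 3.0):
    # Detection phase: flag sources more than k standard deviations above the mean.
    mean, stdev = baseline
    threshold = mean + k * stdev
    return [(src, n) for src, n in distinct_ports_per_source(lines).items()
            if n > threshold]


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(WEB_LOG))
    print("anomaly alerts:", anomaly_alerts(OBSERVED_FW_LOG, fit_baseline(NORMAL_FW_LOG)))
```

The two approaches fail in opposite ways: the signature rules cannot see the port scan at all, because no single line looks malicious, while the statistical baseline would not notice a single traversal request, because one connection is perfectly normal in volume. Production systems run both.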