S. Erfani, ECE Dept., University of Windsor 0688-590-18 Network Security

4.9 Location of Encryption Devices

As you should know by now, the most powerful and common approach to countering the threats to network security is encryption. In using encryption, we need to decide what to encrypt and where the encryption devices should be located. There are two fundamental alternatives:

Link encryption

End –to-end encryption

There are shown in use over a packet – switching network in Fig. 3.

=End-to-end encryption Device

=Link encryption device

PSN =Packet switching node

Figure 3 Encryption across a Packet-Switching Network

Link Encryption

In this scheme, each vulnerable communications link is equipped on both ends with an encryption device. Thus all traffic over all communications links is secured. Although, this requires a lot of encryption devices in a large network, it provides a high level of security. One disadvantage of this approach is that the message must be decrypted each time it enters a packet switch. This is necessary because the packet switch must read the address (i.e., the virtualcircuit number) in the packet header to route the packet. Thus the message is vulnerable at each switch. If this is a public packet-switching network (PSN), the user has no control over the security of the modes.

End-to-End Encryption

In this approach, the encryption process is carried out at the two end systems. The source host or terminal encrypts the data. The data, in encrypted form, are then transmitted unaltered across the network to the destination terminal on host. The destination shares a key with the source and so is able to decrypt the data. This approach would seem to secure the transmission against attacks on the network links on switches. However, the host may only encrypt the used data position of the packet and must leave the header in the clear, so that it can be read by the network.

Note 1– With end-to-end encryption, the user data are secure. However, the traffic pattern is not, because packet headers are transmitted in the.

Note 2– To achieve greater security, both link and end-to-end encryption are needed, as shown in Figure 3 (on page 10 of my notes).

4.10 Key Distribution

For symmetrical encryption systems to work, the two parties must have the same key, and that key must be protected from access by others. Furthermore, frequent key changes are usually desirable to limit the amount of data compromised if an opponent, Oscar, leaves the key. Therefore, the strength of any cryptographic system rests with the key distribution technique. That is, the means of delivering a key to two parties that wish to exchange data securely.

Key distribution can be achieved in a number of ways. For two parties, Alice and Bob:

  1. A key could be selected by Alice and physically delivered to Bob:
  1. A 3rd party could select the key and physically deliver it to Alice and Bob.
  1. If Alice and Bob have previously and recently used a key, one party could transmit the new key to the other, encrypted using the old key.
  1. If Alice and Bob each have an encrypted connection to a trusted 3rd party, named Casey, he could deliver a key on the encrypted links to Alice and Bob.

Note 3– Option 1 and 2 call for manual delivery of a key. This is seasonal for link encryption. However, for end-to-end encryption, manual delivery is awkward. In a distributed system, any given host on terminal may need to engage in exchange with many other hosts and terminal over time. Thus each device needs a number of keys, supplied dynamically. The problem becomes quite difficult is a wide area distributed system.

Note 4– Option 3 is a possibility for either link encryption on end-to-end encryption, but it an opponent, Oscar, ever succeeds in gaining access to one key, then all subsequent keys are revealed.

Note 5– To provide keys for end-to-end encryption, option 4 is preferable.

Key distribution Center(KDC)

Figure 4 shows an implementation that uses option 4 for end-to-end encryption. The trusted third party (TTP) becomes known as a key distribution center (KDC). The configuration consists of the following elements:

  1. Host sends packet requesting

connection

  1. Front end buffers packet: asks

KDC for session key

  1. KDC distributes session key to

both front ends

  1. Buffered packet transmitted

FEP =Front-end processor

KDC =key distribution center

Figure 4 Automatic Key Distribution for Connection-Oriented Protocol

  1. KDC – Also known as key exchange authority or key exchange center, determine which systems are allowed to communicate with each other securely. When permission is granted, the KDC provides a one-time session key for that connection. The session keys are used for the duration of a session. At the conclusion of the session, or connection, the session key is destroyed.
  1. FEP – The front-end procession (FEP) performs end-to-end encryption and obtains session keys on behalf of its host on terminal.

The steps involved in establishing a connection are shown in Fig. 4.

Step 1– When one host wishes to set up a connection to another host, it transmit a connection sequent packet.

Step 2 – The FEP saves that packet and applies to the KDC for permission to establish the connection. The communications between the FEP and the KDC is encrypted using a master key shared only by the FEP and the KDC.

Step 3– If the KDC approves the connection sequent, it generates the session key and delivers it to the two appropriate FEPs, using a unique permanent key for each FEP.

Step 4– The requesting FEP can now release the connection sequent packet, and a connection is set up between the two and systems. All used data exchanged between the two end systems are encrypted by their respective FEPs using the one-time session key.

Note6– The automated key distribution approach provides the flexibility and dynamic characteristics needed to allow a number of terminal users to access a number of hosts and for the hosts to exchange data with each other. Kerberos, used extensively in Microsoft Windows 2000, is modeled on a KDC.

Note 7– In general, a KDC supporting n sites, where each site needs a secret key with every other site, must make almost n2/2 keys. This means that a KDC supporting 1,000 sites must make almost 500,000 keys, an unmanageable number of keys.

Note 8– The KDC is often burdened with extensive key management and can become a bottleneck. Additionally, if the KDC also acts as a key escrow agent, the KDC itself is an attractive target (e.g., for a distributed denial-of-service attack). For these reasons, the symmetrical encryption should be avoided altogether. Another approach to security is the public-key encryption, which makes key distribution much easier. We will discuss it in the next chapter.

Sep. 25, 20031