Security in Fixed and Wireless Networks
John Wiley & Sons Inc (Publisher)
978-1-119-04074-3 (ISBN)
Guenter Schaefer, Professor, Technische Universität Ilmenau, Germany. After obtaining his Ph.D. degree (1998) he worked at the Ecole Nationale Supérieure des Télécommunications, Paris, France (1999–2000). Between 2000 and 2005 he was a researcher at Technische Universität Berlin, Germany, where he led the network security laboratory. Since 2005 he has held his current post leading the Telematics/Computer Networks research group. His research interests lie in the areas of network security, networking protocols, mobile communications, and innovative communication services/architectures, and he regularly gives courses on network security, networking subjects and basics of computer science.

Michael Rossberg, PostDoc Researcher, Technische Universität Ilmenau, Germany. In 2011 he obtained his Ph.D. in computer science with a thesis on peer-to-peer-based auto-configuration of large-scale IPsec VPNs. His research interests lie in network security and performance evaluation/optimization. In 2010, Michael Rossberg and Guenter Schaefer were jointly awarded the third prize of the German IT Security Award for their work on automatic configuration of large-scale VPNs.

Translated by Herbert Eppel at HE Translations, Leicester, UK (https://HETranslations.uk). DISCLAIMER: By including the link to this site, this does not mean the site is endorsed by Wiley.
About the authors xiii
Preface to the second edition xv
Preface to the first edition xvii
I Foundations of Data Security Technology 1
1 Introduction 3
1.1 Content and Structure of this Book 4
1.2 Threats and Security Goals 6
1.3 Network Security Analysis 9
1.4 Information Security Measures 13
1.5 Important Terms Relating to Communication Security 14
2 Fundamentals of Cryptology 17
2.1 Cryptology, Cryptography and Cryptanalysis 17
2.2 Classification of Cryptographic Algorithms 18
2.3 Cryptanalysis 19
2.4 Estimating the Effort Needed for Cryptographic Analysis 21
2.5 Characteristics and Classification of Encryption Algorithms 23
2.6 Key Management 25
2.7 Summary 27
2.8 Supplemental Reading 28
2.9 Questions 29
3 Symmetric Cryptography 31
3.1 Encryption Modes of Block Ciphers 31
3.2 Data Encryption Standard 37
3.3 Advanced Encryption Standard 43
3.4 RC4 Algorithm 48
3.5 The KASUMI algorithm 51
3.6 Summary 53
3.7 Supplemental Reading 54
3.8 Questions 55
4 Asymmetric Cryptography 57
4.1 Basic Idea of Asymmetric Cryptography 57
4.2 Mathematical Principles 60
4.3 The RSA Algorithm 69
4.4 The Problem of the Discrete Logarithm 71
4.5 The Diffie–Hellman Key Exchange Algorithm 75
4.6 The ElGamal Algorithm 77
4.7 Security of Conventional Asymmetric Cryptographic Schemes 80
4.8 Principles of Cryptography Based on Elliptic Curves 81
4.9 Summary 93
4.10 Supplemental Reading 94
4.11 Questions 95
5 Cryptographic Check Values 97
5.1 Requirements and Classification 97
5.2 Modification Detection Codes 99
5.3 Message Authentication Codes 112
5.4 Message Authentication Codes Based on MDCs 116
5.5 Authenticated Encryption 117
5.6 Summary 121
5.7 Supplemental Reading 122
5.8 Questions 123
6 Random Number Generation 125
6.1 Random Numbers and Pseudo-Random Numbers 125
6.2 Cryptographically Secure Random Numbers 126
6.3 Statistical Tests for Random Numbers 128
6.4 Generation of Random Numbers 129
6.5 Generating Secure Pseudo-Random Numbers 130
6.6 Implementation Security 133
6.7 Summary 134
6.8 Supplemental Reading 135
6.9 Questions 136
7 Cryptographic Protocols 137
7.1 Properties and Notation of Cryptographic Protocols 137
7.2 Data Origin and Entity Authentication 139
7.3 Needham–Schroeder Protocol 143
7.4 Kerberos 147
7.5 International Standard X.509 155
7.6 Security of Negotiated Session Keys 160
7.7 Advanced Password Authentication Methods 161
7.8 Formal Validation of Cryptographic Protocols 166
7.9 Summary 176
7.10 Supplemental Reading 177
7.11 Questions 178
8 Secure Group Communication* 179
8.1 Specific Requirements for Secure Group Communication 179
8.2 Negotiation of Group Keys 181
8.3 Source Authentication 189
8.4 Summary 193
8.5 Supplemental Reading 194
8.6 Questions 194
9 Access Control 197
9.1 Definition of Terms and Concepts 197
9.2 Security Labels 199
9.3 Specification of Access Control Policies 201
9.4 Categories of Access Control Mechanisms 202
9.5 Summary 204
9.6 Supplemental Reading 204
9.7 Questions 205
II Network Security 207
10 Integration of Security Services in Communication Architectures 209
10.1 Motivation 209
10.2 A Pragmatic Model 211
10.3 General Considerations for the Placement of Security Services 213
10.4 Integration in Lower Protocol Layers vs Applications 216
10.5 Integration into End Systems or Intermediate Systems 217
10.6 Summary 219
10.7 Supplemental Reading 219
10.8 Questions 219
11 Link Layer Security Protocols 221
11.1 Virtual Separation of Data Traffic with IEEE 802.1Q 222
11.2 Securing a Local Network Infrastructure Using IEEE 802.1X 224
11.3 Encryption of Data Traffic with IEEE 802.1AE 226
11.4 Point-to-Point Protocol 228
11.5 Point-to-Point Tunneling Protocol 236
11.6 Virtual Private Networks 242
11.7 Summary 243
11.8 Supplemental Reading 245
11.9 Questions 246
12 IPsec Security Architecture 249
12.1 Short Introduction to the Internet Protocol Suite 249
12.2 Overview of the IPsec Architecture 253
12.3 Use of Transport and Tunnel Modes 261
12.4 IPsec Protocol Processing 263
12.5 The ESP Protocol 267
12.6 The AH Protocol 273
12.7 The ISAKMP Protocol 279
12.8 Internet Key Exchange Version 1 286
12.9 Internet Key Exchange Version 2 293
12.10 Other Aspects of IPsec 297
12.11 Summary 299
12.12 Supplemental Reading 300
12.13 Questions 301
13 Transport Layer Security Protocols 303
13.1 Secure Socket Layer 303
13.2 Transport Layer Security 315
13.3 Datagram Transport Layer Security 322
13.4 Secure Shell 323
13.5 Summary 332
13.6 Supplemental Reading 333
13.7 Questions 334
III Secure Wireless and Mobile Communications 335
14 Security Aspects of Mobile Communication 337
14.1 Threats in Mobile Communication Networks 337
14.2 Protecting Location Confidentiality 338
14.3 Summary 343
14.4 Supplemental Reading 343
14.5 Questions 343
15 Security in Wireless Local Area Networks 345
15.1 The IEEE 802.11 Standard for WLANs 345
15.2 Entity Authentication 347
15.3 Wired Equivalent Privacy 353
15.4 Robust Secure Networks 358
15.5 Security in Public WLANs 365
15.6 Summary 367
15.7 Supplemental Reading 368
15.8 Questions 369
16 Security in Mobile Wide-Area Networks 371
16.1 Global System for Mobile Communication 371
16.2 Universal Mobile Telecommunications System 378
16.3 Long-Term Evolution 385
16.4 Summary 389
16.5 Supplemental Reading 390
16.6 Questions 391
IV Protecting Communications Infrastructures 393
17 Protecting Communications and Infrastructure in Open Networks 395
17.1 Systematic Threat Analysis 396
17.2 Security of End Systems 399
17.3 Summary 411
17.4 Supplemental Reading 411
17.5 Questions 412
18 Availability of Data Transport 413
18.1 Denial-of-Service Attacks 413
18.2 Distributed Denial-of-Service Attacks 420
18.3 Countermeasures 422
18.4 Summary 433
18.5 Supplemental Reading 434
18.6 Questions 435
19 Routing Security 437
19.1 Cryptographic Protection of BGP 441
19.2 Identification of Routing Anomalies* 450
19.3 Summary 455
19.4 Supplemental Reading 456
19.5 Questions 457
20 Secure Name Resolution 459
20.1 The DNS Operating Principle 459
20.2 Security Objectives and Threats 461
20.3 Secure Use of Traditional DNS 467
20.4 Cryptographic Protection of DNS 469
20.5 Summary 481
20.6 Supplemental Reading 482
20.7 Questions 483
21 Internet Firewalls 485
21.1 Tasks and Basic Principles of Firewalls 485
21.2 Firewall-Relevant Internet Services and Protocols 487
21.3 Terminology and Building Blocks 490
21.4 Firewall Architectures 491
21.5 Packet Filtering 495
21.6 Bastion Hosts and Proxy Servers 500
21.7 Other Aspects of Modern Firewall Systems 502
21.8 Summary 503
21.9 Supplemental Reading 504
21.10 Questions 505
22 Automated Attack Detection and Response 507
22.1 Operating Principle and Objectives of Intrusion Detection Systems 508
22.2 Design and Operation of Network-Based IDSs 512
22.3 Response to Attacks and Automatic Prevention 521
22.4 Techniques for Evading NIDSs 524
22.5 Summary 526
22.6 Supplemental Reading 527
22.7 Questions 528
23 Management of Complex Communication Infrastructures* 529
23.1 Automatic Certificate Management 529
23.2 Automatic VPN Configuration 536
23.3 Summary 550
23.4 Supplemental Reading 552
23.5 Questions 554
Bibliography 555
Abbreviations 585
Index 595
| Publication date (per publisher) | 14.10.2016 |
|---|---|
| Place of publication | New York |
| Language | English |
| Dimensions | 173 x 246 mm |
| Weight | 1043 g |
| Subject area | Computer Science ► Networks ► Security / Firewall; Engineering ► Electrical Engineering / Energy Engineering |
| ISBN-10 | 1-119-04074-4 / 1119040744 |
| ISBN-13 | 978-1-119-04074-3 / 9781119040743 |
| Condition | New |