Cryptography for Secure Network Communication

Aug 27, 2024

Lecture Notes: Cryptography and Network Communication

Introduction

  • Overview of cryptographic protocols for protecting network communication.
  • Reminder of quiz on Wednesday in Walker at regular time.

Topics Covered

  1. Protecting network communication at a larger scale than Kerberos.
  2. Integration of cryptographic protection into web applications.

Cryptographic Primitives

Symmetric Cryptography

  • Uses a secret key (k) for encryption and decryption.
  • Functions:
    • Encrypt function (E): converts plaintext (p) to ciphertext (c).
    • Decrypt function (D): converts ciphertext (c) back to plaintext (p) using the same key (k).

Asymmetric Cryptography

  • Different keys for encryption and decryption.
  • Functions:
    • Encrypt with public key to create ciphertext.
    • Decrypt using corresponding secret key.
  • Allows publishing the public key, enabling others to send encrypted messages.
  • Signing and verifying messages using public key cryptography.

Protecting Network Communication

  • Kerberos model requires trust in the Key Distribution Center (KDC).
  • Challenges with Kerberos:
    • Single KDC as a trust point.
    • Key management on a large scale is difficult.
    • All users must have an account in the KDC database.
    • KDC must be online for every interaction, causing performance bottlenecks.

Scaling Solutions with Public Key Cryptography

  • Public key crypto eliminates the need for KDC to be online.
  • Establishing secure communication by sharing public keys.
  • Example of a protocol using public key crypto for session key negotiation.

Authentication Challenges

  • Problems with ensuring parties' identities.
  • Solutions:
    • Signing messages with secret keys.
    • Client certificates in web browsers for user authentication.

Discovering Public Keys

  • Need to securely map names to public keys without KDC.
  • Introduction of Certificate Authorities (CA) to manage key mappings.
  • CAs sign messages to verify public keys, eliminating the need for online checks.

Certificate Management

  • Certificates can have expiration times for security.
  • Issues related to mis-issuance and compromised keys.
  • Certificate revocation methods:
    • Certificate Revocation Lists (CRLs)
    • Online Certificate Status Protocol (OCSP)

Web Browser Integration

Protecting Data on Networks

  • Use of SSL/TLS to encrypt and authenticate data.

Protecting Browser Data and User Interface

  • Code running in the browser (e.g., JavaScript) must be protected.
  • User interface needs to help users identify secure sites (lock icon, URL verification).

Mixed Content Issues

  • Problems with insecure embedding of content (e.g., scripts).
  • Solutions:
    • Ensure all resources are served over HTTPS.
    • Use Subresource Integrity (SRI) to validate content.

Cookies and Security

  • Importance of secure flags on cookies to prevent exposure in non-secure contexts.
  • Developers should ensure cookies are properly marked as secure.

Forced HTTPS

  • Implementation of HTTP Strict Transport Security (HSTS) to enhance security.
  • Key features:
    • Strict enforcement of HTTPS.
    • Automatic redirection of HTTP requests to HTTPS.
    • Preventing insecure embedding of content.

Conclusion

  • Importance of integrating cryptography into web applications.
  • Need for continuous updates and awareness of emerging security challenges.