
Identity Documents

Learn about the different types of identity documents, such as passports and driver's licenses, and the importance of digital certificates in verifying authenticity and ensuring secure online communication.

jmeissner


Presentation Transcript


  1. Identity Documents • What is an identity document? (Passport, birth certificate, driver’s license) • A piece of paper • Issued by a trusted third party • With information verifying the identity of the holder • An identity document is useless unless the holder can be CHALLENGED to demonstrate that he is the person named in the document • Photograph • Signature • Fingerprint • Trusted Infrastructures • OS (Windows, Linux, BSD…) • Device (BIOS, CPU, Video/Audio, Storage) • User (Biometrics, smart cards, digital signatures) • Applications (Virus checkers, code authentication) • Server (Secure Email, SSL) • Content (Copy/tamper protection, document authentication) • Network (VPNs, firewalls, proxy servers, intrusion detectors) • Enterprise (Central management procedures) • External organization (Gov’t agency, CA) Note: For more details refer “Atul Kahate-Cryptography and Network Security”

  2. Digital Certificates A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document. • A digital certificate is simply a small computer file. • A digital certificate provides identifying information. • It can be compared to documents such as passports and driving licenses. • A digital certificate is an electronic "passport" that allows a person, computer or organization to exchange information securely over the Internet using the public key infrastructure (PKI). • A digital certificate may also be referred to as a public key certificate. • A digital certificate establishes the relation between a user and his/her public key. • The certificate contains: • The name of the certificate holder, a serial number and expiration dates • A copy of the certificate holder's public key (used for encrypting messages and for digital signatures) • The digital signature of the certificate-issuing authority, the Certification Authority (CA), so that a recipient can verify that the certificate is real. • CA – a trusted agency that can issue digital certificates. • Who can be a CA? A CA may be a reputed organization such as a post office, financial institution or software company. Examples: VeriSign and Entrust. A CA has the authority to issue digital certificates to individuals and organizations, which can later be used in asymmetric-key cryptographic applications.

  3. Technical detail of Digital Certificate • X.509 Version 2 Certificate [Figure: certificate field layout. Callouts: version number of X.509; unique number assigned by the CA; examples: MD5RSA, sha1RSA; usually a domain name; examples: RSA]

  4. Certification and Registration Authority • A Certification Authority (CA) is a trusted agency that can issue digital certificates. • A CA may be a reputed organization such as a post office, financial institution or software company. VeriSign, Entrust and Safescrypt Ltd. (Satyam Infoway Ltd) are famous CAs. • A Registration Authority (RA) is an authority in a network that verifies user requests for a digital certificate and tells the CA to issue it. • The RA is an intermediate entity between the end users and the CA. • The RA assists the CA in day-to-day activities (the CA is overloaded with many tasks, hence the RA role). • The RA provides the following services: • Accepting and verifying new users' registration information, and generating keys for end users (if needed) • Accepting and authorizing requests for key backup and recovery, and for certificate revocation • Certificate creation: • 1: It begins with the subject (user/organization) who wants to obtain a certificate; the subject creates a private and public key pair. • 2: If the user generates the key pair, the user needs to send the public key and associated registration information as a Certificate Signing Request (CSR). • 3: The RA verifies the user’s credentials in two steps: it verifies that the evidence provided is correct, and it ensures that the user requesting the certificate possesses the private key corresponding to the public key. • 4: The RA passes all details of the user to the CA. The CA does its own verification and creates a digital certificate for the user.

  5. Trust CA, Verify Certificate, Hierarchy • A CA always signs a digital certificate with its private key. The CA says, “I have signed this certificate to guarantee that this user possesses the specified public key.” • Just as people trust a passport, a user trusts the digital certificate issued by a CA. • To verify the certificate, the user can de-sign it using the CA’s public key. If it is possible to de-sign the certificate, the user can trust that the certificate is valid. • How to verify a digital certificate? • Certificate hierarchy • User A needs to verify B’s certificate. • A will de-sign it using the CA’s public key. • But A does not know who the CA is. To resolve this, a “chain of trust”, a Certification Authority hierarchy, is created. • It begins with the root CA.

  6. Certificate Hierarchy, Cross-certification, Certificate Revocation • Cross-certification: It allows CAs and end users from different PKI domains to interact (users A and B live in different countries, so their CAs could be different). Cross-certification certificates are issued by the CAs to create a non-hierarchical trust path. • Certificate revocation status mechanisms • Certificate revocation: A digital certificate can be revoked (like a credit card at a bank) if it was stolen, if there was some mistake while issuing it, or if the certificate holder leaves the job held when the certificate was issued.
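The chain-of-trust check from slide 5 and the revocation check from slide 6, as an added example that is not part of the original slides. It uses textbook RSA over fixed Mersenne primes (a toy that is not secure), and the names `Root CA`, `Regional CA`, the serial numbers and the expiry years are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, replace

E = 65537  # public exponent used by every toy key below

def make_key(p_exp, q_exp):
    """Toy RSA key from two Mersenne primes 2**k - 1. NOT secure: demo only."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))   # (modulus n, private exponent d)

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_after: int        # expiry year
    public_n: int         # subject's public key (modulus; exponent is E)
    signature: int = 0    # issuer's signature over the fields above

    def tbs(self):
        """The 'to be signed' bytes: every field except the signature."""
        return "|".join(map(str, (self.subject, self.issuer, self.serial,
                                  self.not_after, self.public_n))).encode()

def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(cert, issuer_n, issuer_d):
    """CA side: sign the certificate fields with the issuer's private key."""
    sig = pow(digest_int(cert.tbs(), issuer_n), issuer_d, issuer_n)
    return replace(cert, signature=sig)

def signature_ok(cert, issuer_n):
    """Verifier side: 'de-sign' with the issuer's public key and compare digests."""
    return pow(cert.signature, E, issuer_n) == digest_int(cert.tbs(), issuer_n)

def verify_chain(chain, trusted_roots, revoked, year):
    """chain[0] is the end-entity certificate; chain[i+1] certifies chain[i]'s issuer.
    The last certificate must be signed by a root in trusted_roots (name -> modulus).
    revoked is a set of (issuer, serial) pairs, as a CRL would list them."""
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            if chain[i + 1].subject != cert.issuer:
                return False, f"{cert.subject}: issuer not in chain"
            issuer_n = chain[i + 1].public_n
        else:
            issuer_n = trusted_roots.get(cert.issuer)
            if issuer_n is None:
                return False, f"{cert.issuer}: not a trusted root"
        if not signature_ok(cert, issuer_n):
            return False, f"{cert.subject}: bad signature"
        if cert.not_after < year:
            return False, f"{cert.subject}: expired"
        if (cert.issuer, cert.serial) in revoked:
            return False, f"{cert.subject}: revoked"
    return True, "ok"

# Constructed hierarchy: Root CA -> Regional CA -> user B
ROOT_N, ROOT_D = make_key(521, 607)
REGIONAL_N, REGIONAL_D = make_key(107, 127)
B_N, B_D = make_key(61, 89)
REGIONAL_CERT = issue(Cert("Regional CA", "Root CA", 2, 2035, REGIONAL_N), ROOT_N, ROOT_D)
B_CERT = issue(Cert("B", "Regional CA", 1001, 2030, B_N), REGIONAL_N, REGIONAL_D)
TRUSTED_ROOTS = {"Root CA": ROOT_N}   # what user A already trusts

if __name__ == "__main__":
    chain = [B_CERT, REGIONAL_CERT]
    print(verify_chain(chain, TRUSTED_ROOTS, set(), 2025))
    print(verify_chain(chain, TRUSTED_ROOTS, {("Regional CA", 1001)}, 2025))
    swapped = replace(B_CERT, public_n=make_key(61, 107)[0])  # key substituted in transit
    print(verify_chain([swapped, REGIONAL_CERT], TRUSTED_ROOTS, set(), 2025))
```

User A only needs the root's public key in advance; every other key is learned from a certificate whose signature has already been checked.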

  7. Certification Types, Roaming Certificates and Attributes • Digital certificates may vary in their status and cost, depending on the requirement. • The certificate types can be classified as follows: • 1. Email, 2. Server-side SSL, 3. Client-side SSL, 4. Code-signing certificates • 1. Includes the user’s email id. Useful for verifying the signer of an email message. • 2. Useful for merchants to allow buyers to purchase goods or services. • 3. Allows a merchant (server-side entity) to verify a client (browser-side entity). • 4. The code (e.g. Java, applet, ActiveX) can be signed by the signer. • Digital transactions can be mobile. To overcome the problem of portability, roaming certificates are now in use.

  8. Private Key Management • A user must keep the private key secret. It must not be possible for another user to access someone’s private key. • There are several mechanisms to protect the private key. • Multiple key pairs: Users can possess multiple digital certificates (multiple key pairs), one for signing and another for encryption. • Key update: The key pairs should be updated periodically, because keys become susceptible to cryptanalysis attacks. • Key archival: The CA must plan for and maintain the history of the certificates and the keys of its users.

  9. PKIX Model • The Internet Engineering Task Force (IETF) formed the Public Key Infrastructure X.509 (PKIX) working group. • It extends the X.509 standard and specifies how the certificates can be deployed. • PKIX architectural model: It developed documents that describe five areas of its model. • 1. X.509 V3 certificate and V2 certificate revocation list profiles 2. Operational protocols 3. Management protocols 4. Policy outlines 5. Timestamp and data certification services

  10. Public Key Cryptography Standards (PKCS) • The PKCS model was initially developed by RSA Lab. • PKCS was designed to standardize Public Key Infrastructure (PKI). • Standardization covers formatting, algorithms and APIs.

  11. PKCS Standards contd...

  12. XML, PKI Security • The Extensible Markup Language (XML) is used to describe data. It is a set of rules for encoding documents in a format that can be shared via the public Internet. • It is the current technology used to render web services. • XML Encryption: the following can be encrypted: • The entire XML document • An element and all its sub-elements • The content portion of an XML document • A reference to a resource outside of an XML document • The steps involved in XML Encryption are as follows: • Select the XML to be encrypted (as stated above) • Convert the data to be encrypted into a canonical form • Encrypt the result using public key encryption • Send the encrypted XML document to the intended recipient • <EncryptedData>...</EncryptedData> – marks the start and end of the encrypted XML portion(s) • <CipherData></CipherData> – the encrypted text to be embedded • <CipherValue></CipherValue> • XML Digital Signatures • Create a SignedInfo element with Signature, Canonicalization Method and References • Canonicalize the XML document • Calculate the signature value, depending on the algorithms specified in the SignedInfo, KeyInfo and SignatureValue elements • <Signature>...</Signature> – start and end • <SignedInfo>...</SignedInfo> – the algorithm for calculating the message digest • <SignatureValue>...</SignatureValue> – the actual XML digital signature

  13. Creating Digital Certificates • The Java programming environment provides two very useful utilities: • keytool is a command-line utility that allows creating keys and certificates and exporting/importing them • keystore is a collection of keys and certificates that we create using keytool • Refer to page no. 253 to 259 for the step-by-step wizard process to create a digital certificate.

  14. Internet Security Protocols • Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. • Various security protocols are associated with the Internet, and various security mechanisms exist for specialized Internet services such as email, e-commerce and Wi-Fi. • Basic Concepts • Static Web Pages – "Static" means unchanged or constant. A static page contains the same prebuilt content each time the page is loaded. Standard HTML pages are static Web pages. • Dynamic Web Pages – "Dynamic" means changing or lively. The content of dynamic Web pages can be generated on the fly. These are generated by a Web application (client) and server-side scripting. • Active Web Pages – The client sends an HTTP request and the server sends back an HTTP response (ActiveX controls, applets, AJAX with JavaScript). Dynamic and active pages are similar; the difference is that dynamic refers to execution done on the server, while active means the browser performs the logic. • Protocols and TCP/IP – A protocol is a set of rules governing the format of data sent over the Internet or another network. Transmission Control Protocol/Internet Protocol (TCP/IP) is a protocol for communication between computers, used as a standard for transmitting data over networks and as the basis for standard Internet protocols. • Layered Organization – TCP/IP layers and data exchange. The application layer at the source node creates the data to be transmitted to the destination node and hands it to the transport layer; it then moves to the internet layer and so on down to the bottommost layer, the physical layer, where the data is transmitted as voltage pulses across a communication medium such as coaxial cable. (Data form – frames / packets)

  15. Secure Socket Layer • SSL is an Internet protocol for the secure exchange of information between a web browser and a server. It provides two basic security services – authentication and confidentiality. • SSL manages server authentication, client authentication and encrypted communication between servers and clients. SSL is one of the world’s most popular Web security mechanisms. It provides a secure pipe between the Web browser and the Web server. Netscape Corp. developed SSL in 1994. There are three versions (2, 3, and 3.1); the most popular is version 3, which was released in 1995. • The SSL layer is located between the application and transport layers. • Instead of the normal data exchange, at the source the application gives the data to SSL; SSL performs encryption and adds its own header information (SH), then gives it to the transport layer, and the process goes on as usual. • At the receiving end, the process is also normal until it reaches the SSL layer. The SSL layer at the receiver’s end removes the SH, decrypts the encrypted data and gives the plain text data to the application layer. • SSL Working Process • It has three sub-protocols – 1. Handshake 2. Record 3. Alert • Handshake – The client and server handshake for communication using an SSL-enabled connection • Record – The client and server decide the algorithms to use for secure information exchange • Alert – If an error is detected, the client or server sends an alert message to the other. If it is fatal, both will close their SSL connection.

  16. SSL works • Handshake consists of a series of messages between the client and the server. • Type (1 byte), Length (3 bytes), Content (1 or more bytes) • It is actually made up of four phases. • Establish security capabilities (Client hello, Server hello) • Version, Random, Session id, Cipher suite, Compression method (both the client and server messages contain these parameters) • Server authentication and key exchange (Certificate, Server key exchange, Certificate request, Server hello done) • Client authentication and key exchange (Certificate, Client key exchange, Certificate verify) • Finish (Change cipher specs, Finished (C/S)) • Record provides two services • Confidentiality • Integrity • Application data, Fragmentation, Compression, Addition of MAC, Encryption and Append header • Alert consists of two bytes • Type of error (warning, fatal) • Actual error
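A parser for the handshake framing (Type, 3-byte Length, Content) and the two-byte alert described on this slide, as an added example that is not part of the original slides. The type and alert code numbers are the SSL 3.0 / TLS 1.0 values; the sample server flight is constructed, and its bodies are filler bytes rather than real hello or certificate contents.

```python
HANDSHAKE_TYPES = {
    1: "client_hello", 2: "server_hello", 11: "certificate",
    12: "server_key_exchange", 13: "certificate_request",
    14: "server_hello_done", 15: "certificate_verify",
    16: "client_key_exchange", 20: "finished",
}
# Phase of each message as grouped on the slide. "certificate" is absent on
# purpose: it is phase 2 when the server sends it and phase 3 from the client.
PHASE = {
    "client_hello": 1, "server_hello": 1,
    "server_key_exchange": 2, "certificate_request": 2, "server_hello_done": 2,
    "client_key_exchange": 3, "certificate_verify": 3,
    "finished": 4,
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
}

def encode_message(msg_type, content):
    """Frame one handshake message: 1-byte type, 3-byte big-endian length, content."""
    return bytes([msg_type]) + len(content).to_bytes(3, "big") + content

def parse_handshake(buf, sender):
    """Split a buffer of back-to-back handshake messages sent by 'client' or 'server'.
    Raises ValueError on a truncated header, a short body or an unknown type."""
    messages, offset = [], 0
    while offset < len(buf):
        if len(buf) - offset < 4:
            raise ValueError(f"truncated header at offset {offset}")
        msg_type = buf[offset]
        length = int.from_bytes(buf[offset + 1:offset + 4], "big")
        body = buf[offset + 4:offset + 4 + length]
        if len(body) != length:
            raise ValueError(f"length field says {length}, only {len(body)} bytes left")
        name = HANDSHAKE_TYPES.get(msg_type)
        if name is None:
            raise ValueError(f"unknown handshake type {msg_type}")
        # server_hello_done has an empty body in SSL 3.0, so length 0 is accepted.
        phase = PHASE.get(name) or (2 if sender == "server" else 3)
        messages.append({"type": name, "phase": phase, "length": length})
        offset += 4 + length
    return messages

def parse_alert(buf):
    """Decode the two alert bytes; the third value says whether to close the connection."""
    if len(buf) != 2:
        raise ValueError("an alert is exactly two bytes")
    level = ALERT_LEVELS.get(buf[0])
    if level is None:
        raise ValueError(f"unknown alert level {buf[0]}")
    description = ALERT_DESCRIPTIONS.get(buf[1], f"unknown({buf[1]})")
    return level, description, level == "fatal"

# Constructed sample: the server's phase 1 and phase 2 messages, filler bodies.
SERVER_FLIGHT = (
    encode_message(2, b"\x03\x00" + bytes(32))       # server_hello
    + encode_message(11, b"constructed-cert-bytes")  # certificate
    + encode_message(14, b"")                        # server_hello_done
)

if __name__ == "__main__":
    for message in parse_handshake(SERVER_FLIGHT, "server"):
        print(message)
    print(parse_alert(bytes([2, 40])))
```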

  17. Transport Layer Security, Secure Hyper Text Transfer • TLS is an IETF standard that provides an Internet standard version of SSL. • TLS is defined in RFC 2246 (TLS v1.0). It is a protocol that ensures privacy between communicating applications and their users on the Internet. • When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL). • SHTTP is a set of security mechanisms defined for protecting Internet traffic. • Secure Hypertext Transfer Protocol (S-HTTP) is a little-used alternative to the HTTPS protocol for encrypting web communications carried over HTTP. (An HTTP request sent over SSL is referred to as HTTPS.) SHTTP works at the application layer, tightly coupled with HTTP. • It supports both authentication and encryption of HTTP traffic between client and server. It can encrypt and sign individual messages. (* SHTTP is rarely used)

  18. Time Stamping Protocol • The Time-Stamp Protocol, or TSP, is a cryptographic protocol for certifying timestamps using X.509 certificates and public key infrastructure (PKI). • The timestamp is the signer's assertion that a piece of electronic data existed at or before a particular time. • It is a PKI service provided by an authority called the Time Stamping Authority (TSA). • The time stamping technique is used to ascertain whether an e-document was created or signed at or before a particular date and time. • The TSA acts like a trusted third party. • TSP is a simple request-response protocol, similar to HTTP. It works as follows: • Message digest calculation • The client requiring a timestamp calculates a message digest of the original message, which needs a timestamp from the TSA • Time stamping request • The client sends the message digest calculated in step 1 to the TSA to get it time stamped • Time stamping response • In response to the client’s request, the TSA might decide to grant or reject the time stamp. If it accepts, it signs the request together with the time stamp using the TSA private key

  19. Secure Electronic Transaction (SET) • SET is an open encryption and security specification designed for protecting credit card transactions on the Internet. • SET is a set of security protocols and formats that enable users to employ the existing credit card payment infrastructure on the Internet in a secure manner. • SET services • Provides a secure communication channel in an e-commerce transaction • Provides authentication by the use of digital certificates • Ensures confidentiality when and where necessary • SET participants • Cardholder – An authorized holder of a payment card such as MasterCard or Visa. • Merchant – A person or an organization that sells goods or services to cardholders. • Issuer – A financial institution (a bank) that provides a payment card to a cardholder. • Acquirer – A financial institution that has a relationship with merchants for processing payment card authorizations and payments. • Payment Gateway – It processes the payment messages on behalf of the merchant. It acts as an interface between SET and the existing card payment networks for payment authorizations. • Certification Authority – An authority trusted to provide public key certificates to cardholders, merchants and payment gateways.

  20. SET Process • The customer opens an account – a credit card account (MasterCard or Visa) with a bank (issuer). • The customer receives a certificate – the certificate holds the customer’s public key and expiry date, and is issued by the CA after verification (of details such as passport, business documents etc.). • The merchant receives a certificate – to accept a certain brand of credit cards. • The customer places an order – a typical shopping cart process. • The merchant is verified – the merchant sends its certificate to the customer as assurance of validity. • The order and payment details are sent – to the merchant, with the certificate, for order confirmation. • The merchant requests payment authorization – the merchant forwards the customer's payment details to the payment gateway via the acquirer, or to the acquirer itself, to authorize the payment. • The payment gateway authorizes the payment – it verifies the customer details with the credit card and either authorizes or rejects the payment. • The merchant confirms the order – the merchant sends an order confirmation to the customer after authorization is given by the payment gateway. • The merchant provides goods or services – the merchant ships the goods or provides the services as per the customer’s order. • The merchant requests payment – after the merchant’s request, the payment gateway interacts with the issuer, acquirer and clearing house to effect the payment from the customer's account to the merchant’s account.

  21. SET Objectives, Internals • All information exchange in SSL happens in an encrypted form, so an intruder cannot make any sense of it. • The way SET hides the cardholder’s credit card details from the merchant is pretty interesting. SET relies on the concept of a digital envelope. • The SET software prepares the Payment Information (PI) on the cardholder’s computer. • The cardholder’s computer now creates a one-time session key. • Using the one-time session key, the cardholder’s computer now encrypts the payment information. • The cardholder’s computer wraps the one-time session key with the public key of the payment gateway to form the envelope. • It then sends the encrypted PI and the digital envelope together to the merchant. • SET INTERNALS – The major transactions supported by SET are: • Purchase Request – The user has completed the shopping part. It is made up of four messages – Initiate Request, Initiate Response, Purchase Request and Purchase Response • Payment Authorization – It ensures that the issuer of the credit card approved the transaction. It consists of two messages – Authorization Request and Authorization Response • Payment Capture – The merchant engages the payment gateway for obtaining payment. It contains two messages – Capture Request and Capture Response • (For detailed content on the above SET internals, refer to page no. 290 – 296) • SET Conclusions – SSL and SET are both used for facilitating secure exchange of information, but their purposes are quite different. SSL is primarily used for exchange between any kind of parties, whereas SET is designed for conducting e-commerce transactions. SSL deals with encryption and decryption of information between two parties, whereas SET involves the payment gateway for credit card matters, etc.

  22. E-mail Security • E-mail is the most widely used application on the Internet. • E-mail consists of messages distributed by electronic means from one computer user to one or more recipients via a network. • E-mail security has become an important issue at present. • E-mail Technology • RFC 822 – It defines a format for text e-mail messages. (An e-mail has two portions – contents/body and headers) • Simple Mail Transfer Protocol (SMTP) – It is used for e-mail communications. The email software at the sender’s end gives the email message to the local SMTP server, which in turn sends it to the receiver. • Its main job is to carry the email message between the sender and the receiver. • (The receiver’s computer pulls the email message from the SMTP server at the receiver’s end using the protocols Post Office Protocol (POP) and Internet Mail Access Protocol (IMAP)) • E-mail Security Protocols • Privacy Enhanced Mail (PEM) – It is an e-mail security standard adopted by the Internet Architecture Board (IAB) for providing secure email communication. It was developed by the Internet Research Task Force (IRTF) and the Privacy Security Research Group (PSRG). • Pretty Good Privacy (PGP) – It supports the basic requirements of cryptography. PGP is popular and widely used compared to PEM. • Secure Multipurpose Internet Mail Extensions (S/MIME) – It extends the basic email system by permitting users to send binary files.

  23. Electronic Money • Electronic money, also called electronic cash or digital cash, paves the way for payments on the Internet. It is nothing but a file, i.e. the physical form of money is converted into the binary form of computer data. • Types of E-Money • Identified e-money, anonymous e-money • Classification based on tracking money • Online e-money, offline e-money • Bank (physical money) > Customer (obtains e-money (files)) > Merchant (for payment transaction) > Bank (for verification – verifies e-money, credits) >> Credit merchant’s account with actual money • Security Mechanism in E-Money • The bank sends e-money to the customer after encrypting it: Bank > $100 (original message) > Encrypt (with bank’s private key) > Encrypt (with customer’s public key) > Data (twice encrypted) • The customer decrypts the bank’s message to get the e-money: Customer > Received message > Decrypt (with customer’s private key) > Decrypt (with bank’s public key) > $100 (original message)

  24. PEM, PGP, S/MIME • PEM supports three main cryptographic functions • PEM work process: • Canonical conversion > Digital signature > Encryption > Base-64 Encoding • When sending an email message, PEM allows three security options: Signature; Signature and Base-64 encoding; Signature, Encryption and Base-64 encoding • The email cryptographic functions PGP supports are: • PGP work process: • Digital signature > Compression > Encryption > Enveloping > Base-64 Encoding • In PGP, the sender needs to include the identifiers of the algorithm used in the message, along with the value of the keys. • S/MIME supports the exchange of multimedia files and documents in various formats. • SMTP uses only 7-bit ASCII for characters and won’t send binary data. • A MIME email message contains a normal Internet text message along with some special headers and formatted sections of text.

  25. WAP Security • WAP is a communication protocol that enables wireless mobile devices to have access to the Internet • The WAP architecture was developed to deal with the limitations of mobile devices • WAP – It shows the differences between wired and wireless • It gives the look and feel for the end user and keeps up the communication between the content and the end user. • WAP was used instead of TCP/IP and HTTP/FTP, because these are too complex • In the WAP architecture, the additional level between client and server is the WAP gateway • The WAP gateway translates client requests to the server from WAP to HTTP and vice versa (mobile phone > tower (network base station) > WAP gateway (relayed on this) > HTTP) • The WAP gateway then interacts with the web server • WAP Stack • It is based on the OSI model rather than the TCP/IP model. • It consists of five protocol layers • Among these, the security layer is called Wireless Transport Layer Security (WTLS) • It is an optional layer that provides features such as authentication, privacy and secure connection.

  26. WAP Stack - WTLS • WTLS is based on Transport Layer Security (TLS), which is based on the Secure Socket Layer protocol. WTLS runs on top of the WAP transport layer (WDP). WTLS is similar to SSL in that it allows the transaction to be secure and reliable. It ensures four things: privacy, server authentication, client authentication and data integrity. • The conversion between WTLS and SSL – the WAP gateway converts WTLS text into plain text and applies SSL (or vice versa). • The most important difference between SSL and WTLS is that SSL needs a reliable transport layer. • Security in GSM • An improvement over the Advanced Mobile Phone System (AMPS) came in the form of a technology named D-AMPS. A similar voice technology called Global System for Mobile Communication (GSM) spread its wings all over the world. General Packet Radio Service (GPRS) is an emerging wireless data service that offers a mobile data experience to current analog modem without wires and with access wherever GSM wireless service is available. • GSM is for voice and GPRS is for data; together they are called 2.5th Gen • Three aspects of GSM security • 1. Subscriber identity authentication, 2. Signalling data confidentiality, 3. User data confidentiality • Each subscriber is identified with a unique International Mobile Subscriber Identity (IMSI) and authentication key (Ki). The GSM security infrastructure consists of three elements – Subscriber Identity Module (SIM), GSM handset, GSM network • The SIM contains the ciphering key generation algorithm (A8) used to produce the ciphering key (Kc) for secure communication between the subscriber and the mobile telephony base station. • The ciphering algorithm (A5) is used to encrypt the voice and data traffic between the user’s handset and the GSM network.

  27. Security in 3G • GPRS has naturally evolved into the Universal Mobile Telephone System (UMTS). It is an extension of basic GPRS. UMTS is called the 3rd Gen of wireless/mobile technology (GPRS is between the 2nd and 3rd Gen) • It extends the wireless system performance by offering expanded data services and enhanced data speeds • It is used to deliver high-tech applications – voice on demand, video/audio streaming, high-speed multimedia, video conferencing, multi-player gaming and improved mobile Internet access. • It allows concurrent usage of multiple services. • The UMTS authentication process involves three parties – the user’s mobile handset, the home location and the current location. • The user authentication process consists of four steps • The user’s handset sends its IMSI to the home location. • The home location performs the following • Generates a random number (RAND) • Retrieves the secret key from its database • Uses the random number and key to generate the Response (RES), Confidentiality key (CK), Integrity key (IK) and Authentication key (AK) • The home location and the user’s handset share a secret, the Sequence Number (SEQ). The home location calculates MAC(RAND, SEQ) • It does an XOR operation on SEQ and the authentication key • It sends the following items to the current location – RAND, RES, CK, IK, MAC, (SEQ XOR AK) • The current location receives these values from the home location and sends RAND, (SEQ XOR AK) and MAC to the user’s handset • The user’s handset receives these values and performs the following tasks • It calculates RES using the RAND received from the current location and the secret key shared with its home location, and generates the keys CK, IK and AK • It performs an XOR operation using AK over the value. Using RAND and SEQ, it performs the MAC operation as MAC(RAND, SEQ) • It compares the result with the MAC received from the current location. The user’s handset sends RES to the current location
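The authentication exchange on this slide, simulated end to end as an added example that is not part of the original slides. HMAC-SHA256 stands in for the operator's real key-derivation and MAC functions, the field sizes are assumptions, and two details go beyond the slide: the handset rejects a sequence number it has already seen, and the current location compares the returned RES with the one it got from the home location.

```python
import hashlib
import hmac
import os

def f(key, label, *parts, size=16):
    """Stand-in for the operator's derivation functions (HMAC-SHA256, truncated)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:size]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def home_location_vector(k, seq, rand=None):
    """Home location: build the values sent to the current location.
    k is the subscriber's secret key, seq the shared sequence number."""
    rand = rand if rand is not None else os.urandom(16)
    seq_b = seq.to_bytes(6, "big")
    ak = f(k, b"AK", rand, size=6)
    return {
        "RAND": rand,
        "RES": f(k, b"RES", rand, size=8),
        "CK": f(k, b"CK", rand),
        "IK": f(k, b"IK", rand),
        "MAC": f(k, b"MAC", rand, seq_b, size=8),
        "SEQ_XOR_AK": xor(seq_b, ak),   # SEQ is masked so it is not sent in clear
    }

class Handset:
    def __init__(self, k, last_seq=0):
        self.k = k
        self.last_seq = last_seq   # highest sequence number accepted so far
        self.ck = self.ik = None

    def respond(self, rand, seq_xor_ak, mac):
        """Handset: authenticate the network, then return RES (or None on failure)."""
        ak = f(self.k, b"AK", rand, size=6)
        seq_b = xor(seq_xor_ak, ak)                      # unmask SEQ with AK
        expected = f(self.k, b"MAC", rand, seq_b, size=8)
        if not hmac.compare_digest(mac, expected):
            return None                                  # values not from the home location
        seq = int.from_bytes(seq_b, "big")
        if seq <= self.last_seq:
            return None                                  # replayed values
        self.last_seq = seq
        self.ck, self.ik = f(self.k, b"CK", rand), f(self.k, b"IK", rand)
        return f(self.k, b"RES", rand, size=8)

def current_location_authenticate(vector, handset):
    """Current location: forward RAND, SEQ XOR AK and MAC, then check the RES reply."""
    res = handset.respond(vector["RAND"], vector["SEQ_XOR_AK"], vector["MAC"])
    return res is not None and hmac.compare_digest(res, vector["RES"])

if __name__ == "__main__":
    key = bytes(range(16))                 # constructed subscriber key
    phone = Handset(key)
    vector = home_location_vector(key, seq=1)
    print("first use :", current_location_authenticate(vector, phone))
    print("replayed  :", current_location_authenticate(vector, phone))
    rogue = home_location_vector(b"\xff" * 16, seq=2)   # network without the real key
    print("rogue net :", current_location_authenticate(rogue, phone))
```

The MAC check is what lets the handset authenticate the network, which is the part GSM authentication on the previous slide does not have.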

  28. TCP / IP – Segment Format • The Internet is based on the Transmission Control Protocol / Internet Protocol • TCP/IP consists of FIVE main layers – Application, Transport, Network, Data link and Physical • Compared to the OSI model, there are no presentation and session layers in TCP/IP • The data unit created at the application layer is called a message • The message is broken into segments by the transport layer, which adds its header • It is given to the network layer, which adds the IP header to the segment • It is given to the data link layer, which adds the frame header • It is given to the physical layer for transmission • The actual bits are transmitted as voltage pulses in the physical layer • The opposite process happens at the destination end until the data reaches the application layer • TCP Segment • Source and Destination port number, Sequence number, Acknowledgement number, Header length, Reserved, Flag, Window size, Checksum and Urgent pointer • IP Datagram Segment • The TCP header + original message are passed to the IP layer. The IP layer treats this as its original message and adds its header. • An IP datagram is made up of two main parts – Header and Data • The fields of the datagram are: Version, Header length, Service type, Total length, Identification, Flags, Fragmentation offset, Time to live, Protocol, Source and Destination address and Options. • Firewall – A firewall is hardware or software or a combination of both that is used to prevent unauthorized programs. • Two main attacks – inside and outside network traffic

  29. Firewall - Types • A firewall is like a sentry (guard) that keeps monitoring and controlling accessibility (both inside and outside the network) • Characteristics of a good firewall • All traffic (transmissions) from inside to outside and vice versa must pass through the firewall • Only traffic authorized as per the local security policy is allowed to pass through • The firewall itself should be strong enough to withstand attacks • Types of Firewalls • Based on how they filter traffic, firewalls are classified as packet filters and application gateways • Packet filter – It applies a set of rules to each packet and, based on the outcome, decides to forward or discard the packet. It is also called a screening router/filter. The filtering rules are based on a number of fields in the IP and TCP/UDP headers. A packet filter performs the following functions: • Receive each packet as it arrives • Pass it through the set of rules • If no rule matches, take the default action (discard/accept packets) • The advantages are simplicity and fast operating speed • The disadvantages are the difficulty of setting packet filter rules and the lack of support for authentication. • Attackers try to break the security of a packet filter using IP address spoofing, source routing attacks and tiny fragment attacks. • An advanced packet filter is called a dynamic or stateful packet filter. It allows the examination of packets based on the current state of the network
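A first-match packet filter with a default action, matching the three functions listed on this slide, as an added example that is not part of the original slides. The addresses, the interface names `inside`/`outside` and the rule set are constructed; the last lines show why rule order is the hard part, using the spoofed-source case the slide mentions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                    # "accept" or "discard"
    iface: str = "any"             # interface the packet arrived on
    src: str = "0.0.0.0/0"         # source network (IP header)
    dst: str = "0.0.0.0/0"         # destination network (IP header)
    proto: str = "any"             # "tcp", "udp" or "any"
    dport: Optional[int] = None    # destination port (TCP/UDP header)

    def matches(self, pkt):
        return (self.iface in ("any", pkt["iface"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt.get("dport")))

def filter_packet(rules, pkt, default="discard"):
    """Return (action, index of the matching rule); the first match wins.
    If no rule matches, the default action applies and the index is None."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return default, None

# Constructed policy for an internal network 192.168.1.0/24 with one web server.
ANTI_SPOOF = Rule("discard", iface="outside", src="192.168.1.0/24")
ALLOW_WEB = Rule("accept", iface="outside", dst="192.168.1.10/32", proto="tcp", dport=80)
ALLOW_OUT = Rule("accept", iface="inside", src="192.168.1.0/24")
RULES = [ANTI_SPOOF, ALLOW_WEB, ALLOW_OUT]

# Constructed packets (only the header fields the rules look at).
WEB_REQUEST = {"iface": "outside", "src": "203.0.113.7", "dst": "192.168.1.10",
               "proto": "tcp", "dport": 80}
TELNET_PROBE = {"iface": "outside", "src": "203.0.113.7", "dst": "192.168.1.10",
                "proto": "tcp", "dport": 23}
SPOOFED = {"iface": "outside", "src": "192.168.1.5", "dst": "192.168.1.10",
           "proto": "tcp", "dport": 80}   # claims an internal source, arrives from outside
OUTBOUND = {"iface": "inside", "src": "192.168.1.20", "dst": "198.51.100.9",
            "proto": "udp", "dport": 53}

if __name__ == "__main__":
    for name, pkt in [("web", WEB_REQUEST), ("telnet", TELNET_PROBE),
                      ("spoofed", SPOOFED), ("outbound", OUTBOUND)]:
        print(name, filter_packet(RULES, pkt))
    # Same rules, different order: the spoofed packet now hits ALLOW_WEB first.
    print("misordered", filter_packet([ALLOW_WEB, ANTI_SPOOF, ALLOW_OUT], SPOOFED))
```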

  30. Firewall - Types • Application gateway – also called a proxy server, because it acts like a substitute and decides about the flow of application-level traffic. It is also called a bastion server • It works as follows • An internal user contacts the application gateway using a TCP/IP application, such as HTTP or TELNET • The application gateway asks the user for the remote host details, and for the user id and password needed to access it • The user provides this information to the application gateway • The application gateway passes the user's packets to the remote host; a circuit gateway within the application gateway creates a new connection between itself and the remote host • It changes the source IP address in the packets, so internal users' IP addresses are hidden from the outside world • The application gateway acts as a proxy of the end user and delivers packets from the user to the remote host and vice versa • Network Address Translation (NAT) – solves the shortage of IP addresses. It allows a user to have a large number of IP addresses internally, but only a single IP address externally. The NAT router performs the job of address translation • For all incoming packets, the NAT router replaces the destination address of the packet with the internal address of the receiving host • For all outgoing packets, the source address is replaced with the external address of the NAT router

  31. Firewall Configuration • There are three possible configurations of firewalls • Screened Host Firewall: 1. Single-Homed Bastion, 2. Dual-Homed Bastion and 3. Screened Subnet Firewall • 1. It consists of two parts – a packet-filtering router and an application gateway • For incoming traffic, the packet filter examines the destination address of each IP packet and allows it only if it is destined for the application gateway. For outgoing packets, the source address is examined • The application gateway performs authentication and proxy functions • This configuration increases security at both the packet and application levels, and it gives flexibility to the network • A disadvantage is that if the packet filter is attacked, its security is compromised and the whole network is open to attack • 2. To overcome the drawback of the earlier configuration, direct connections between the internal hosts and the packet filter are avoided. The packet filter connects only to the application gateway, which has a separate connection with the internal hosts; if the packet filter is attacked, only the application gateway is visible, not the internal hosts. • 3. It offers the highest security among the possible firewall configurations. Here two packet filters are used, one between the Internet and the application gateway, and another between the application gateway and the internal network. • (The diagram on this slide shows the 3rd configuration; removing the external screening router from it gives the 2nd configuration, dual-homed bastion.) • A Demilitarized Zone (DMZ) network architecture is required when the organization has servers that need to be made available to the outside world (web/FTP servers)

  32. IP Security • IP packets contain data in plain text form. Higher-level security mechanisms (SSL, SHTTP, PGP, PEM, S/MIME and SET) are used to prevent attacks. • In 1994, the Internet Architecture Board (IAB) said that the Internet needs better security measures, in terms of authentication, integrity and confidentiality. • IPv6, or IP new generation (IPng), was designed with such measures. A way was found to incorporate them into the current version, IPv4, because v6 took more years to be released and implemented • The outcome of the study and the IAB's report is protocol security at the IP level, called IP Security (IPSec) • The IETF published FIVE security standards related to IPSec in 1995. They are • 1825 Overview of security architecture • 1826 Description of a packet authentication extension to IP • 1827 Description of a packet encryption extension to IP • 1828 A specific authentication mechanism • 1829 A specific encryption mechanism • Applications of IPSec – secure remote Internet access, secure branch office connectivity, setting up communication with other organizations • Advantages – 1. Transparent to end users. 2. Can work with a firewall, which becomes the entry-exit point for traffic. 3. Works at the network layer; no changes are needed. 4. All incoming and outgoing traffic gets protected. 5. Allows inexpensive interconnectivity between branches/offices. 6. Allows travelling staff to have secure access to the corporate network. • The overall idea of IPSec is to encrypt and seal the transport and application layer data during transmission. It also offers integrity protection for the internet layer. • The logical format of a message after IPSec processing is: Internet header, transport header, actual data

  33. IPSec Protocols • An IP packet normally consists of two portions: 1. IP header and 2. actual data. • IPSec features are implemented through additional headers, called extension headers. IPSec offers two main services – Authentication & Confidentiality. IPSec defines two IP extension headers – one for authentication and another for confidentiality. • IPSec actually consists of two main protocols – Authentication Header (AH) and Encapsulating Security Payload (ESP) • The AH protocol provides authentication, integrity and an optional anti-replay service. The AH is a header inserted between the IP header and the packet content. The security resides completely in the AH. • The ESP protocol provides data confidentiality. ESP is a new header inserted into the IP packet, and it includes the transformation of the protected data into an encrypted format. • Both AH and ESP can be used in either of two modes – Tunnel and Transport mode • In tunnel mode, an encrypted tunnel is established between two hosts. That is, when two hosts (X, Y) communicate using IPSec tunnel mode, they first identify their respective proxies (P1, P2), and a logical encrypted tunnel is established between the proxies. X sends its transmission to P1, the tunnel carries the transmission to P2, and P2 forwards it to Y. In tunnel mode, IPSec protects the entire IP datagram. It takes the IP datagram, adds the IPSec header and trailer and encrypts the whole thing, then adds a new IP header to the encrypted datagram. • In contrast, transport mode does not hide the actual source and destination addresses. Here, IPSec takes the transport layer payload, adds a header and trailer, encrypts the whole and adds the IP header. It is useful for host-to-host (end-to-end) encryption. The sending host uses IPSec to authenticate and encrypt the transport layer payload, and the receiver verifies it.

  34. Internet Key Exchange Protocol, Security Association, IPSec Key Management • The Internet Key Exchange (IKE) protocol is used for the key management procedure. IKE is used to negotiate the cryptographic algorithms later used by AH and ESP in the actual cryptographic operations. IKE is the initial phase of IPSec, where algorithms and keys are decided. After the IKE phase, the AH and ESP protocols take over. The output of IKE is a Security Association (SA). It is an agreement between the communicating parties about factors such as the IPSec protocol version, mode of operation, cryptographic algorithm, key and lifetime of keys. The AH and ESP protocols make use of the SA in their actual operations. • The communicating parties need two sets of SAs, and they need to allocate a storage area to store this information; this standard storage area is called the Security Association Database (SAD). • IPSec Key Management – Apart from AH and ESP, the third most significant protocol is IKM. Without proper key management, IPSec cannot exist. Key management has two aspects – key agreement and key distribution. Four keys are required if both AH and ESP are used: two keys each for AH and ESP (one key for message transmission and another for message receiving). The protocol used in IPSec for key management is ISAKMP/Oakley. The Internet Security Association and Key Management Protocol (ISAKMP) is a platform for key management. • Oakley is a refined version of the Diffie-Hellman key exchange protocol. The features of the Oakley protocol are: it defeats replay attacks, implements cookies to defeat congestion attacks, enables the exchange of Diffie-Hellman public key values, and provides an authentication mechanism to thwart man-in-the-middle attacks • The ISAKMP protocol defines procedures and formats for establishing and maintaining SA information. An ISAKMP message contains an ISAKMP header followed by one or more payloads. The entire block is encapsulated inside a transport segment (TCP or UDP) (see the diagram). Payload types are proposal & key exchange • There are five exchange types in ISAKMP: base, identity protection, authentication only, aggressive and informational exchange.

  35. Virtual Private Network (VPN) • A VPN is a network that is constructed by using public wires, usually the Internet, to connect to a private network, such as a company's internal network. There are a number of systems that enable you to create networks using the Internet as the medium for transporting data. • It is a mechanism that employs encryption, authentication and integrity protection. It is used to connect distant networks of an organization or to allow travelling users to remotely access a private network securely over the Internet. • In the VPN approach, two networks connect to each other through a VPN tunnel, each with its own firewall (for encryption and decryption). The two firewalls are virtually connected via the Internet. The VPN protects traffic passing between any two hosts on the two different networks. • Assume host X of network 1 sends a data packet to host Y of network 2. The transmission is as follows: • X creates the packet and inserts its own IP address as the source and the IP address of host Y as the destination address (fig 1) • The packet is sent towards host Y through the appropriate mechanism and reaches Firewall 1 (F1), which adds new headers • New headers – F1's IP address as source, F2's IP address as destination (fig 2). F1 also performs packet encryption and authentication, depending on the settings, and sends the modified packet over the Internet • The packet reaches Firewall 2 (F2) via one or more routers over the Internet. F2 removes the outer header and performs decryption and other cryptographic functions as necessary. This yields the original packet created by host X. • F2 looks at the plain-text content of the packet, learns that the packet is meant for host Y, and delivers the packet to Y. • Fig 1: X | Y | other headers and actual data • Fig 2: F1 | F2 | X | Y | other headers and actual data
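The X → F1 → F2 → Y exchange above, and the tunnel mode and anti-replay service described on the IPSec Protocols slide, as an added Python example that is not part of the original presentation. It assumes the authentication-only setting (encryption is left out because the Python standard library has no cipher), an 8-byte address pair standing in for a real IP header, and a strictly increasing sequence number in place of a replay window; all class and function names are hypothetical.

```python
import hashlib
import hmac
import struct

ICV_LEN = 32  # HMAC-SHA256 output length

def packet(src, dst, data=b""):
    """Simplified packet: 4-byte source, 4-byte destination, then data."""
    return bytes(map(int, src.split("."))) + bytes(map(int, dst.split("."))) + data

def addresses(pkt):
    """Return (source, destination) of a simplified packet as dotted strings."""
    return ".".join(map(str, pkt[:4])), ".".join(map(str, pkt[4:8]))

class Firewall:
    """One end of the tunnel (F1 or F2 on the slide)."""
    def __init__(self, own_ip, peer_ip, key):
        self.own_ip, self.peer_ip, self.key = own_ip, peer_ip, key
        self.tx_seq = 0  # last sequence number sent
        self.rx_seq = 0  # highest sequence number accepted

    def encapsulate(self, inner):
        """Wrap the whole original packet in an outer header (fig 2) and sign it."""
        self.tx_seq += 1
        signed = (packet(self.own_ip, self.peer_ip)
                  + struct.pack("!I", self.tx_seq) + inner)
        return signed + hmac.new(self.key, signed, hashlib.sha256).digest()

    def decapsulate(self, outer):
        """Verify the outer packet and return the original packet (fig 1)."""
        if len(outer) < 12 + ICV_LEN:
            raise ValueError("truncated packet")
        if addresses(outer) != (self.peer_ip, self.own_ip):
            raise ValueError("not from tunnel peer")
        signed, icv = outer[:-ICV_LEN], outer[-ICV_LEN:]
        expected = hmac.new(self.key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(icv, expected):
            raise ValueError("integrity check failed")
        (seq,) = struct.unpack("!I", signed[8:12])
        if seq <= self.rx_seq:
            raise ValueError("replayed packet")
        self.rx_seq = seq
        return signed[12:]

def send_through_tunnel(f1, f2, inner):
    """X -> F1 -> Internet -> F2 -> Y; returns (packet on the wire, packet delivered)."""
    wire = f1.encapsulate(inner)
    return wire, f2.decapsulate(wire)
```

On the wire only the F1 and F2 addresses appear in the outer header; the X and Y addresses travel inside the authenticated body, and a captured packet sent a second time is rejected by the sequence check.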

  36. Intrusion • Intruders – attackers who intrude into the privacy of a network system (private or public). The two most widely known threats are intruders and viruses. • Intruders are of three types – Masquerade, Misfeasor and Clandestine user • Masquerade: An external user who does not have authority to use a computer penetrates a system to access a legitimate user's account • Misfeasor: An internal user – either a legitimate user who has no access to certain applications, data or resources and tries to access them, or a legitimate user who has access to applications, data or resources and tries to misuse them • Clandestine user: An internal or external user who tries to use the system with the privileges of a supervisor user, to avoid audit information being captured or recorded • How do intruders try to attack? The attacker tries to obtain a legitimate user's password. Some simple examples: • Try all possible short password combinations; collect information about users (full name, family members, hobbies, etc.) • Try default passwords supplied by software vendors; try out the words people most often use as their passwords • Try phone numbers, dates of birth, social security numbers, bank account numbers, etc. • Tap the communication line between the user and the host network; use a Trojan horse; try out vehicle license plate numbers • Audit Records – One of the most important tools in intrusion detection, also called audit logs • They are used to record information about the actions of users; information about illegitimate users is recorded so that appropriate action can be taken • They can be classified into two types – Native audit records and Detection-specific records. • Native: All multi-user operating systems have accounting software built in. This software records information about all users' actions. • Detection-specific: This type of audit record facility collects information specific only to intrusion detection. • Each record contains information such as subject, action, object, exception-condition, resource usage and timestamp

  37. Intrusion Detection contd... • To achieve intrusion prevention, intrusion detection focuses on the following factors – • Recovering from attacks and losses is directly proportional to how quickly we are able to detect an intrusion • Intrusion detection can help collect more information about intrusions, strengthening intrusion prevention methods • Intrusion detection systems can act as good deterrents to intruders • An intrusion detection mechanism is also known as an Intrusion Detection System (IDS) • IDS are classified into two types – Statistical anomaly detection and Rule-based detection • Statistical anomaly detection – The behaviour of users over time is captured as statistical data and processed. Rules are applied to test whether a user's behaviour is legitimate or not. This can be done in two ways: Threshold detection and Profile-based detection • Threshold detection – Thresholds are defined for all users as a group, and the frequency of various events is measured against these thresholds • Profile-based detection – Profiles are created for individual users and matched against the collected statistics to see if any irregular patterns emerge • Rule-based detection – A set of rules is applied to see if a given behaviour is suspicious enough to be classified as an attempt to intrude. This can be classified into two types – Anomaly detection and Penetration identification • Distributed Intrusion Detection – Extends the focus of intrusion detection from a single system to a distributed system • Different systems record audit information in different forms. These need to be processed uniformly • One or a few nodes are used to gather and analyze the information. There should be provision to send audit information securely from all other hosts to these nodes • Honeypots – Modern intrusion detection systems use a novel idea called honeypots, which attract potential attackers • A honeypot is designed to do the following – divert the attention of intruders, collect information about intruders' actions, encourage attackers to stay for some time, and allow administrators to detect this and act on it swiftly. • Naturally, honeypots are armed with sensors and loggers, which alert administrators to any user actions.
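Threshold detection and profile-based detection, run over audit records with the fields listed on the previous slide, as an added Python example that is not part of the original presentation. The records are constructed sample data, the timestamp is reduced to a day number, and the function names, the factor `k` and the `min_sigma` floor are assumptions made for the example.

```python
from collections import Counter
from statistics import mean, pstdev

def record(subject, action, obj, exception, usage, day):
    """Audit record with the slide's fields; the timestamp is a day number."""
    return {"subject": subject, "action": action, "object": obj,
            "exception": exception, "usage": usage, "day": day}

def daily_counts(records, match):
    """Number of matching records per (subject, day)."""
    return Counter((r["subject"], r["day"]) for r in records if match(r))

def threshold_detection(records, match, day, limit):
    """Group rule: one limit for all users; flag whoever exceeds it on `day`."""
    counts = daily_counts(records, match)
    return sorted(s for (s, d), n in counts.items() if d == day and n > limit)

def profile_detection(records, match, day, k=3.0, min_sigma=1.0):
    """Per-user rule: flag users whose count on `day` is more than k standard
    deviations away from their own earlier daily counts."""
    counts = daily_counts(records, match)
    flagged = []
    for subject in sorted({s for s, _ in counts}):
        history = [counts[(subject, d)] for d in range(1, day)]
        if len(history) < 2:
            continue  # not enough history to form a profile
        mu = mean(history)
        sigma = max(pstdev(history), min_sigma)  # floor avoids a zero-width profile
        if abs(counts[(subject, day)] - mu) > k * sigma:
            flagged.append(subject)
    return flagged

def sample_records():
    """Constructed data: five ordinary days, then day 6 to evaluate."""
    recs = []
    for day in range(1, 6):
        recs += [record("alice", "read", f"/hr/doc{i}", None, 1, day) for i in range(5)]
        recs += [record("bob", "read", f"/build/obj{i}", None, 1, day) for i in range(40)]
    recs += [record("alice", "read", f"/hr/doc{i}", None, 1, 6) for i in range(30)]
    recs += [record("bob", "read", f"/build/obj{i}", None, 1, 6) for i in range(42)]
    recs += [record("carol", "login", "host1", "auth-failure", 0, 6) for _ in range(12)]
    return recs
```

With a group limit of 50 reads per day, nobody is flagged on day 6, while the per-user profile flags alice, whose 30 reads are far from her usual 5 even though bob's 42 are normal for him.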
