Myungchul Kim mckim@icu.ac.kr Ch 8. Security in computer networks
What is network security? • Confidentiality: only sender, intended receiver should “understand” message contents (sender encrypts message; receiver decrypts message) • Authentication: sender, receiver want to confirm identity of each other • Message integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection • Access and availability: services must be accessible and available to users
There are bad guys (and girls) out there! Q: What can a “bad guy” do? A: a lot! • eavesdrop: intercept messages • actively insert messages into connection • impersonation: can fake (spoof) source address in packet (or any field in packet) • hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place • denial of service: prevent service from being used by others (e.g., by overloading resources) • more on this later …
Principles of cryptography • The encryption technique is known – published, standardized, and available to everyone. • Symmetric key systems • Public key systems • Symmetric key cryptography • Block ciphers • PGP, SSL, IPsec
Symmetric key crypto: DES DES: Data Encryption Standard • US encryption standard [NIST 1993] • 56-bit symmetric key, 64-bit plaintext input • How secure is DES? • DES Challenge: 56-bit-key-encrypted phrase (“Strong cryptography makes the world a safer place”) decrypted (brute force) in 4 months • no known “backdoor” decryption approach • making DES more secure: • use three keys sequentially (3-DES) on each datum • use cipher-block chaining
Symmetric key crypto: DES • DES operation: initial permutation • 16 identical “rounds” of function application, each using different 48 bits of key • final permutation
AES: Advanced Encryption Standard • new (Nov. 2001) symmetric-key NIST standard, replacing DES • processes data in 128 bit blocks • 128, 192, or 256 bit keys • brute force decryption (try each key) taking 1 sec on DES, takes 149 trillion years for AES
Public key encryption • Diffie and Hellman, 1976 • For encryption, authentication, digital signature • A public key available to everyone and a private key that is known only to a person
Message integrity • Cryptographic hash function • Originated from … • Not tampered with on its way to … • A cryptographic hash function: it is computationally infeasible to find any two different messages x and y such that H(x) = H(y). • MD5 (128-bit hash)
Digital signatures • Verifiable and nonforgeable
Public key certification • Verify that you have the actual public key of the entity • Certification Authority: binding a public key to a particular entity • ITU X.509
A certificate contains: • Serial number (unique to issuer) • info about certificate owner, including algorithm and key value itself (not shown) • info about certificate issuer • valid dates • digital signature by issuer
End-point authentication • The process of proving one’s identity to someone else.
Securing E-mail • Confidentiality, sender authentication, message integrity, receiver authentication
Pretty Good Privacy (PGP): MD5 or SHA for message digest; CAST, triple-DES or IDEA for symmetric key encryption and RSA for the public key encryption
Securing TCP connections: SSL • Secure Sockets Layer (SSL) • Transport Layer Security (TLS)
Network-layer security: IPsec • Virtual private networks (VPNs) • Authentication Header (AH) protocol: source host authentication and data integrity • Encapsulating Security Payload (ESP) protocol: … and confidentiality • AH header: next header, security parameter index, sequence number, authentication data
The ESP protocol • Key distribution • Manual • Automated: Internet Key Exchange protocol using public-key cryptography
IEEE 802.11 security • war-driving: drive around Bay area, see what 802.11 networks available? • More than 9000 accessible from public roadways • 85% use no encryption/authentication • packet-sniffing and various attacks easy! • securing 802.11 • encryption, authentication • first attempt at 802.11 security: Wired Equivalent Privacy (WEP): a failure • current attempt: 802.11i
Securing wireless LANs • Wired equivalent privacy (WEP) • Authentication and data encryption • Symmetric shared key • No key distribution
Firewalls and Intrusion Detection Systems • The goals of firewall • All traffic from outside to inside, and vice versa, passes through the firewall • Only authorized traffic, as defined by the local security policy, will be allowed to pass. • The firewall itself is immune to penetration.
Traditional packet filters • Filtering decision • IP source or destination address • Protocol type in IP datagram field: TCP, UDP, ICMP, OSPF, … • TCP or UDP source and destination port • TCP flag bits: SYN, ACK, … • ICMP message type • Different rules for datagrams leaving and entering the network • Different rules for the different router interfaces.
Stateful packet filters • Actually track TCP connections • Check connections • Application gateway • Policy decision based on application data • Disadvantages • A different application gateway for each application • Performance penalty • The client software must know how to contact the gateway
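The difference between the traditional and the stateful filter on the two slides above, as an added example that is not part of the original slides: the rule set, addresses and packet model are constructed, and connection teardown and timeouts are left out. An inbound segment with the ACK bit set passes the per-datagram rules but is dropped once connections are tracked.

```python
from collections import namedtuple

# Constructed packet model holding the header fields the slides list as filter inputs.
Packet = namedtuple("Packet", "direction src dst proto sport dport flags")

# Hypothetical policy: inside hosts may browse outside web servers; default deny.
# Rule = (direction, proto, sport, dport, required_flag, action); None is a wildcard.
RULES = [
    ("out", "TCP", None, 80, None, "allow"),   # client requests leaving the network
    ("in", "TCP", 80, None, "ACK", "allow"),   # web replies entering; ACK bit required
    (None, None, None, None, None, "deny"),
]

def stateless_filter(pkt):
    """Traditional packet filter: judge each datagram alone, first match wins."""
    for direction, proto, sport, dport, flag, action in RULES:
        fields_ok = all(want is None or want == got for want, got in (
            (direction, pkt.direction), (proto, pkt.proto),
            (sport, pkt.sport), (dport, pkt.dport)))
        if fields_ok and (flag is None or flag in pkt.flags):
            return action
    return "deny"

class StatefulFilter:
    """Applies the same rules, then checks inbound packets against tracked connections."""
    def __init__(self):
        self.connections = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def check(self, pkt):
        if stateless_filter(pkt) == "deny":
            return "deny"
        if pkt.direction == "out":
            if pkt.flags == {"SYN"}:           # new connection opened from inside
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if key in self.connections else "deny"

# Constructed traffic (documentation address ranges).
SYN = Packet("out", "192.0.2.10", "203.0.113.9", "TCP", 40000, 80, {"SYN"})
REPLY = Packet("in", "203.0.113.9", "192.0.2.10", "TCP", 80, 40000, {"SYN", "ACK"})
UNSOLICITED = Packet("in", "203.0.113.9", "192.0.2.10", "TCP", 80, 40001, {"ACK"})

if __name__ == "__main__":
    fw = StatefulFilter()
    for name, pkt in (("syn", SYN), ("reply", REPLY), ("unsolicited", UNSOLICITED)):
        print(name, stateless_filter(pkt), fw.check(pkt))
```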
Intrusion detection systems • Deep packet inspection • A high-security region and a lower-security region (demilitarized zone (DMZ)) • Signature-based system: requires previous knowledge of the attack to generate an accurate signature • Anomaly-based system: create a traffic profile • Example: Snort
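The signature-based and anomaly-based approaches side by side, as an added example that is not from the original slides and does not use Snort's rule language: the signatures, packets and per-minute counts are constructed, and the threshold k is an assumption. The signature matcher catches the pattern it was written for, while only the traffic profile notices the ICMP surge that no signature describes.

```python
import statistics

# Constructed signatures (name, protocol, destination port, byte pattern).
# Illustrative only; these are not real Snort rules.
SIGNATURES = [
    ("http-path-traversal", "TCP", 80, b"../../"),
    ("example-probe-string", "UDP", 53, b"EXAMPLE-PROBE"),
]

def signature_alerts(packets):
    """Signature-based: inspect payloads for patterns known in advance."""
    alerts = []
    for index, (proto, dport, payload) in enumerate(packets):
        for name, s_proto, s_port, pattern in SIGNATURES:
            if (proto, dport) == (s_proto, s_port) and pattern in payload:
                alerts.append((index, name))
    return alerts

def build_profile(baseline):
    """Anomaly-based, step 1: learn mean and spread of per-minute counts."""
    return {proto: (statistics.mean(counts), statistics.pstdev(counts))
            for proto, counts in baseline.items()}

def anomaly_alerts(profile, observed, k=3.0):
    """Anomaly-based, step 2: flag protocols more than k deviations off profile."""
    alerts = []
    for proto, count in observed.items():
        mean, spread = profile.get(proto, (0.0, 0.0))
        if abs(count - mean) > k * max(spread, 1.0):   # floor avoids zero spread
            alerts.append(proto)
    return sorted(alerts)

# Constructed capture: one known pattern, plus ICMP traffic no signature describes.
PACKETS = [
    ("TCP", 80, b"GET /index.html HTTP/1.1"),
    ("TCP", 80, b"GET /../../etc/passwd HTTP/1.1"),
    ("ICMP", None, b"\x08\x00 echo request"),
]
# Constructed packets-per-minute counts seen during normal operation, then now.
BASELINE = {"TCP": [120, 130, 125, 118, 127], "ICMP": [4, 5, 3, 6, 4]}
OBSERVED = {"TCP": 128, "ICMP": 400}

if __name__ == "__main__":
    print(signature_alerts(PACKETS))
    print(anomaly_alerts(build_profile(BASELINE), OBSERVED))
```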