
Securing TCP/IP



Presentation Transcript


  1. Securing TCP/IP Chapter 11

  2. Four Security Methods
  • Encryption:
    • Transforming information (plaintext, cleartext)
    • using a cipher/algorithm and a key
    • into ciphertext (meaningless, unreadable data)
    • Example:
      • Plaintext: 01001101 = M
      • Key: 01010101
      • Cipher/algorithm: OR
      • Ciphertext: 01011101 ≠ M
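The slide's bit example, worked through in code. This is an added example and not part of the slide deck: it reproduces the slide's OR computation (01001101 OR 01010101 = 01011101), then shows the caveat a practitioner cares about: OR throws away every plaintext bit under a 1 in the key, so the receiver cannot undo it, whereas XOR with the same key is its own inverse. The `xor_bytes` function goes one step beyond the slide and applies the same idea to a whole byte string, which is the shape of a stream cipher or one-time pad; the keystream value is a constructed sample.

```python
# Added example (not from the slide deck): bit-level encryption with a key.
# The slide combines plaintext and key with OR; this block shows that OR is
# not reversible, and that XOR (the operation real stream ciphers and
# one-time pads use) gives ciphertext the receiver can turn back into M.

PLAINTEXT = 0b01001101   # "M" (ASCII 0x4D), as on the slide
KEY = 0b01010101         # the slide's 8-bit key


def bits(value: int) -> str:
    """Render an 8-bit value as a binary string for display."""
    return format(value & 0xFF, "08b")


def or_encrypt(plaintext: int, key: int) -> int:
    """The slide's operation: ciphertext = plaintext OR key."""
    return (plaintext | key) & 0xFF


def xor_encrypt(plaintext: int, key: int) -> int:
    """XOR with the key; the same call decrypts because x ^ k ^ k == x."""
    return (plaintext ^ key) & 0xFF


def or_is_reversible(key: int) -> bool:
    """OR can be undone only if every plaintext byte maps to a distinct ciphertext byte.
    Any plaintext bit under a key bit of 1 is lost, so with a non-zero key this is False."""
    seen = {or_encrypt(p, key) for p in range(256)}
    return len(seen) == 256


def xor_round_trip(plaintext: int, key: int) -> int:
    """Encrypt then decrypt with XOR; returns the recovered plaintext."""
    ciphertext = xor_encrypt(plaintext, key)
    return xor_encrypt(ciphertext, key)


def xor_bytes(data: bytes, keystream: bytes) -> bytes:
    """Stream-cipher shape: XOR every byte of data with the matching keystream byte.
    The keystream must be at least as long as the data; it is a one-time pad when
    it is random and never reused."""
    if len(keystream) < len(data):
        raise ValueError("keystream shorter than data")
    return bytes(d ^ k for d, k in zip(data, keystream))


if __name__ == "__main__":
    print("plaintext ", bits(PLAINTEXT), chr(PLAINTEXT))
    print("key       ", bits(KEY))
    print("OR  ->    ", bits(or_encrypt(PLAINTEXT, KEY)))   # 01011101, as on the slide
    print("XOR ->    ", bits(xor_encrypt(PLAINTEXT, KEY)))  # 00011000
    recovered = xor_round_trip(PLAINTEXT, KEY)
    print("XOR back  ", bits(recovered), chr(recovered))
    print("OR reversible with this key?", or_is_reversible(KEY))
    # Constructed keystream: 15 bytes for the 15-byte message.
    keystream = bytes(range(1, 16))
    ct = xor_bytes(b"Securing TCP/IP", keystream)
    print("stream ciphertext:", ct.hex())
    print("stream decrypted :", xor_bytes(ct, keystream))
```

The symmetric-key story on the next slides follows directly from this: whoever holds `keystream` can run `xor_bytes` in either direction, which is why the key itself must never travel over the same channel in the clear.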

  3. Four Security Methods
  • Encryption:
    • Symmetric key algorithm:
      • One key for both encryption and decryption
      • The sender generates the key
      • The sender uses the key to encrypt the message
      • The sender sends the encrypted message
      • The sender sends the key
      • The receiver uses the key to decrypt the encrypted message
      • Disadvantage: While the key is being sent to the receiver, somebody might intercept it and use it to decrypt the encrypted message

  4. Four Security Methods
  • Encryption:
    • Symmetric key algorithm:
      • One key for both encryption and decryption

  5. Four Security Methods
  • Encryption:
    • Symmetric key algorithm:
      • Block ciphers:
        • Encrypting a single chunk of data at a time
        • Used when data come in discrete chunks (e.g., a frame)
        • The key is generated for each block/chunk
        • Examples: DES, 3DES, IDEA, Blowfish, AES (popular)
      • Stream ciphers:
        • Encrypting a single bit of data at a time
        • Used when data come in a long stream
        • The key is generated for each bit
        • Examples: RC4

  6. Block Cipher

  7. Stream Cipher

  8. Four Security Methods
  • Encryption:
    • Asymmetric key algorithm:
      • A key for encryption and another (different) key for decryption
      • Public key encryption:
        • The receiver generates both keys
        • The receiver sends the encryption key to the sender (public key)
        • The sender uses the key to encrypt the message
        • The sender sends the encrypted message
        • The receiver uses the decryption key (private key) to decrypt the message from the sender
        • Advantage: Eliminates the possibility of interception (only the public key is ever sent)

  9. Four Security Methods
  • Encryption:
    • Asymmetric key algorithm:

  10. Four Security Methods
  • Nonrepudiation
    • The process of guaranteeing that the data came from the source you think it came from
    • Cryptographic hash function:
      • A complex mathematical function that you run on the data to generate a value (message digest, hash sum)
      • One-way function
      • Example: MD5 (Message Digest algorithm v. 5)

  11. Cryptographic Hash Function

  12. Four Security Methods
  • Nonrepudiation
    • The process of guaranteeing that the data came from the source you think it came from
    • Digital signature:
      • Only the “true” sender has the private key, while the receiver has the sender's public key
      • The sender runs the cryptographic hash function on the data, encrypts the hash value using its private key, and sends the data together with the encrypted hash value (the digital signature)
      • The receiver receives the data and runs the same cryptographic hash function on the data to get a hash value (H-1)
      • The receiver also receives the encrypted hash value and decrypts it using the sender's public key to get a hash value (H-2)
      • The receiver compares H-1 and H-2. If they are the same, the data came from the true sender
      • http://www.youdzone.com/signature.html
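The hash-then-sign flow of slides 10 and 12 (hash the data, encrypt the hash with the private key, recompute H-1 and recover H-2 on the receiving side, compare) as an added example; this code is not from the slide deck. Two assumptions are made so that it runs on the Python standard library alone: SHA-256 stands in for the slide's MD5 (MD5 is no longer considered collision resistant, which matters for exactly this use), and the signing step is textbook RSA with two small hard-coded primes, which illustrates the mechanism but is not a usable signature scheme (real deployments use 2048-bit or larger keys, RSA-PSS or similar padding, and a maintained library).

```python
# Added example (not from the slide deck): hash-then-sign and verify.
# Signing is textbook RSA with small hard-coded primes so the block needs only
# the standard library; this is an assumption for illustration, not a secure scheme.
import hashlib

# Constructed toy key pair (assumption): p and q are 30-bit primes, e is the usual 65537.
P = 1_000_000_007
Q = 1_000_000_009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: E * D == 1 (mod phi(N))

PUBLIC_KEY = (N, E)    # handed to the receiver
PRIVATE_KEY = (N, D)   # kept by the sender


def message_digest(data: bytes) -> bytes:
    """Slide 10: a one-way hash of the data (SHA-256 here instead of MD5)."""
    return hashlib.sha256(data).digest()


def digest_to_int(digest: bytes) -> int:
    """Fold the digest into an integer smaller than the toy modulus N.
    Only 7 bytes (56 bits) are kept because N is about 2**60; with real key
    sizes the whole padded digest fits."""
    return int.from_bytes(digest[:7], "big")


def sign(data: bytes, private_key: tuple) -> int:
    """Slide 12, sender side: hash the data and 'encrypt' the hash with the private key."""
    n, d = private_key
    return pow(digest_to_int(message_digest(data)), d, n)


def verify(data: bytes, signature: int, public_key: tuple) -> bool:
    """Slide 12, receiver side: H-1 is recomputed from the data, H-2 is recovered
    from the signature with the sender's public key, and the two are compared."""
    n, e = public_key
    h1 = digest_to_int(message_digest(data))
    h2 = pow(signature, e, n)
    return h1 == h2


if __name__ == "__main__":
    data = b"Pay 100 to Alice"          # constructed sample message
    sig = sign(data, PRIVATE_KEY)
    print("signature:", sig)
    print("genuine data verifies :", verify(data, sig, PUBLIC_KEY))
    print("tampered data verifies:", verify(b"Pay 900 to Alice", sig, PUBLIC_KEY))
```

Anyone holding `PUBLIC_KEY` can run `verify`, but only the holder of `PRIVATE_KEY` can produce a value that passes it; that asymmetry is what turns a hash (which anyone can recompute) into a signature. The next slide's certificate answers the remaining question of how the receiver knows that `PUBLIC_KEY` really belongs to the claimed sender.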

  13. Digital Signature

  14. Digital Signature

  15. Four Security Methods
  • Nonrepudiation
    • The process of guaranteeing that the data came from the source you think it came from (not from someone pretending to be that source)
    • Certificate:
      • A digital document
      • Binding a public key
      • To the identity of the sender of the public key
      • Whose truthfulness is guaranteed by the issuing Certification Authority (CA)
    • PKI: A set of CAs creating and distributing certificates

  16. Certificate (diagram labels: the identity of the sender of the public key; CA = the guarantor; the public key)

  17. Four Security Methods
  • Authentication:
    • Verifying that whoever accesses the data is the person you want accessing that data
    • A request to enter a username and password
  • Authorization:
    • Defining what a person accessing the data can do with that data
    • Assigning permissions to a user account

  18. Authentication-Authorization (diagram labels: Authentication; Authorization)

  19. TCP/IP Security Standards
  • Authentication Standards
    • PAP
      • The username and password are sent in plaintext
    • CHAP and MS-CHAP
      • The username and the hash value of the password are sent
    • RADIUS (default protocol for MS) and TACACS+ (Cisco)
      • Allowing a single server to become responsible for all remote access authentication, authorization, and accounting services (see the definitions on page 295)
    • Kerberos
      • Cross-platform authentication protocol (enabling multiple brands of servers to authenticate multiple brands of clients)
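The difference between PAP and CHAP on slide 19, shown as the actual messages each side sends. This is an added example, not material from the slide deck: both peers are simulated in one process so the messages can be inspected, the CHAP response follows the RFC 1994 construction MD5(identifier || secret || challenge), and the shared secret, username and database are constructed sample values. It also shows the property the slide's one-liner leaves implicit: a captured CHAP response is useless against the next challenge, whereas a captured PAP message is the password.

```python
# Added example (not from the slide deck): PAP vs CHAP exchanges, both sides simulated.
# Sample secret, username and user database are constructed for the example.
import hashlib
import hmac
import os

SECRET = b"correct horse"                     # constructed shared secret (client and server)
USER_DB = {"alice": "correct horse"}          # constructed server-side credential store


# --- PAP: the password itself is the message ---
def pap_request(username: str, password: str) -> bytes:
    """Message a PAP client sends; anyone capturing it reads the password."""
    return username.encode() + b"\x00" + password.encode()


def pap_check(message: bytes, database: dict = USER_DB) -> bool:
    """Server side: compare the received password with the stored one."""
    username, password = message.split(b"\x00", 1)
    stored = database.get(username.decode())
    return stored is not None and hmac.compare_digest(stored.encode(), password)


# --- CHAP: the server asks a question only a holder of the secret can answer ---
def chap_challenge() -> tuple:
    """Server side: a fresh identifier and random 16-byte challenge per attempt."""
    return os.urandom(1)[0], os.urandom(16)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: MD5(id || secret || challenge); the secret never leaves the client."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, challenge: bytes, response: bytes, secret: bytes) -> bool:
    """Server side: recompute the expected response for this challenge and compare
    in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_chap(secret_on_client: bytes, secret_on_server: bytes = SECRET) -> dict:
    """One full CHAP exchange; returns both messages and the server's verdict."""
    ident, challenge = chap_challenge()                 # server -> client
    response = chap_response(ident, secret_on_client, challenge)   # client -> server
    return {
        "challenge_msg": (ident, challenge),
        "response_msg": response,
        "accepted": chap_verify(ident, challenge, response, secret_on_server),
        # what a passive observer of the link would learn
        "secret_visible": secret_on_client in challenge or secret_on_client in response,
    }


if __name__ == "__main__":
    pap = pap_request("alice", "correct horse")
    print("PAP on the wire:", pap, "-> accepted:", pap_check(pap),
          "secret visible:", SECRET in pap)
    good = run_chap(SECRET)
    print("CHAP response:", good["response_msg"].hex(),
          "-> accepted:", good["accepted"], "secret visible:", good["secret_visible"])
    print("CHAP with wrong secret accepted:", run_chap(b"wrong")["accepted"])
    # A captured response does not pass the server's next challenge.
    ident2, challenge2 = chap_challenge()
    print("replayed response accepted:",
          chap_verify(ident2, challenge2, good["response_msg"], SECRET))
```

The server still has to hold the secret in a recoverable form to compute `chap_response`, so CHAP protects the link but not the credential store; that trade-off is why the slide's later entries (RADIUS/TACACS+ centralising the store, Kerberos, EAP-TLS) exist.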

  20. TCP/IP Security Standards
  • Authentication Standards
    • EAP
      • Helping two devices negotiate the type of authentication options
      • EAP-PSK
      • EAP-TLS
      • EAP-TTLS
      • EAP-MS-CHAPv2
      • EAP-MD5
      • LEAP
      • Used in wired and wireless networks

  21. TCP/IP Security Standards
  • Authentication Standards
    • 802.1X
      • Combined with the EAP versions to make a complete authentication solution, widely used for wireless networks

  22. TCP/IP Security Standards
  • Encryption Standards
    • SSH
      • Secure replacement for Telnet
      • Ability to act as a tunnel for any TCP/IP application
    • Tunneling
      • Encrypted link between two programs on two separate computers
      • SSH tunnel:
        • A link between SSH client and SSH server
        • Once established, anything exchanged between SSH client and SSH server is encrypted

  23. SSH Tunneling

  24. TCP/IP Security Standards
  • Combined Authentication and Encryption Standards
    • SSL/TLS
      • Used by Web servers with a certificate (Web server authentication)
      • Once the Web client confirms the certificate, anything exchanged between client and server is encrypted using a faster symmetric algorithm
      • TLS: an updated version of SSL
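What "the Web client confirms the certificate" on slide 24 means on the client side, as an added example that is not from the slide deck. It uses Python's standard `ssl` module to build two client contexts offline: one with certificate checking switched off (traffic is still encrypted, but any server holding any certificate is accepted, so the authentication half of the slide is lost) and one that requires a certificate chaining to a trusted CA, matches it against the hostname, and refuses anything older than TLS 1.2. `context_is_safe` is the check a code reviewer would apply; `connect_and_describe` is the optional on-line usage and is not called when the block is imported.

```python
# Added example (not from the slide deck): TLS client-side certificate verification
# using the Python standard library. No network access is needed to build the contexts.
import socket
import ssl


def unverified_client_context() -> ssl.SSLContext:
    """The weak setting: encryption without server authentication. check_hostname
    must be cleared before verify_mode can be set to CERT_NONE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_client_context() -> ssl.SSLContext:
    """The corrected setting: trust the platform CA store, require a certificate,
    match it against the hostname, and negotiate TLS 1.2 or newer only."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Review check: all three properties must hold for the slide's promise
    (server authenticated, then encrypted exchange) to actually be delivered."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def connect_and_describe(host: str, ctx: ssl.SSLContext, port: int = 443) -> dict:
    """On-line usage (not run on import): open a TLS connection and report what was
    negotiated. With the verified context, a certificate that does not chain to a
    trusted CA or does not match `host` raises ssl.SSLCertVerificationError here."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {
                "protocol": tls.version(),             # e.g. "TLSv1.3"
                "cipher": tls.cipher()[0],             # the negotiated symmetric suite
                "peer_subject": tls.getpeercert().get("subject") if ctx.verify_mode else None,
            }


if __name__ == "__main__":
    for name, ctx in (("unverified", unverified_client_context()),
                      ("verified", verified_client_context())):
        print(f"{name:10s} safe={context_is_safe(ctx)} "
              f"verify_mode={ctx.verify_mode.name} check_hostname={ctx.check_hostname}")
```

Note that `getpeercert()` returns an empty dict when `verify_mode` is `CERT_NONE`, which is a convenient way to spot an unverified context in a running client: if the peer certificate cannot be read back, the server was never authenticated.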

  25. SSL Encrypted data exchange

  26. TCP/IP Security Standards
  • Combined Authentication and Encryption Standards
    • IPSec
      • An encryption protocol working at the Network layer (the rest work at the Presentation layer)
      • Also doing authentication
      • Used in IPv6
      • Creating a secure tunnel between two computers

  27. IPSec

  28. TCP/IP Security Standards
  • Secure TCP/IP Applications
    • HTTPS
      • Secured HTTP
      • Using SSL/TLS
    • SCP
      • Secured FTP
      • Using SSH
      • Inability to resume interrupted transfers, directory listings, remote file removal
    • SFTP
      • Secured FTP/SSH FTP
      • Ability to resume interrupted transfers, directory listings, remote file removal

  29. TCP/IP Security Standards
  • Secure TCP/IP Applications
    • SNMP
      • Network management tool
      • UDP-based protocol
      • Consists of an SNMP manager and agents
      • Querying the state (e.g., CPU usage, network utilization, other network information) from SNMP-capable devices

  30. TCP/IP Security Standards
  • Secure TCP/IP Applications
    • NTP
      • Providing the mechanisms to synchronize time and coordinate time distribution in a large, diverse network
