1 / 23

بسم الله الرحمن الرحيم NETWORK SECURITY

بسم الله الرحمن الرحيم NETWORK SECURITY. Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006. Network Security Goals. Confidentiality or Privacy: Only sender, intended receiver should ”understand” message contents Sender encrypts message Receiver decrypts message

chogan
Download Presentation

بسم الله الرحمن الرحيم NETWORK SECURITY

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. بسم الله الرحمن الرحيمNETWORK SECURITY Done By: Saad Al-ShahraniSaeed Al-Smazarkah May 2006

  2. Network Security Goals • Confidentiality or Privacy: Only sender, intended receiver should ”understand” message contents • Sender encrypts message • Receiver decrypts message • Authentication:Sender, receiver want to confirm identity of each other • Integrity:Sender, receiver want to ensure messages are not altered during transmission without detection • Access and Availability: Services must be accessible and available to users

  3. People want to communicate securely • Eve (intruder/eavesdropper): may intercept, delete, add messages

  4. There are Eavesdroppers out there! Q: what can an eavesdropper do? A: a lot! • Observing and recording information • Unauthorized access to a server • Denial of service: prevent service from being used by others (e.g. by Flooding a server with requests) • Impersonating a legitimate server • Hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place

  5. Network Security: Agenda • Main weapon: cryptography • Confidentiality (encryption) • Message authentication • Signatures and Certificates • Internet Threats, Attacks and Defenses • Secure request/ response protocols • Secure connection ‘tunnels’ • Denial of Service attacks • Firewalls

  6. Encryption Protects Confidentiality • Secret Key crypto:Shared secret key (KE,B=KD,B) • Public key crypto:A user has a public encryption key KE,B and a matching private decryption key KD,B

  7. Secret Key Crypto • Two operations (“encrypt”, “decrypt”) which are inverses of each other. Like multiplication/division • One parameter (“the key”) • Even the person who designed the algorithm can’t break it without the key • Ideally, a different key for each pair of users

  8. Secret key crypto • encrypt= f(K, plaintext)=ciphertext • decrypt= f(K, ciphertext)=plaintext • authentication:send f(K, challenge) • integrity check:f(K, msg)=X • verify integrity check:f(K, X, msg)

  9. Public Key Crypto • Two keys per user, keys are inverses of each other • Public key “BPub” you tell to the world • Private key “BPriv” you keep private • Yes it’s magic. Why can’t you derive “BPriv” from “BPub”? • And if it’s hard, where did (BPub, BPriv) come from?

  10. Encryption and Integrity • Encryption hides the message from eavesdropper • Question:can eavesdropper change message? • Or:dose encryption ensure message integrity? • With Public Key Encryption: • Eve can replace EBPub(m) with fake: EBPub (m’) • With Secret (shared) Key Encryption: • This seems harder to do • But given c=mk, attacker can send c mask, to invert any bit in decrypted message (use mask) • Encryption does not ensure integrity!

  11. Public Key VS. Secret Key • In terms of capabilities public key is more powerful. • Public key provides digital signature. • Secret key is much faster than public key

  12. Public Key Digital Signatures: concept • One of the best features of public key • An integrity check • calculated as f(priv key, data) • verified as f(public key, data, signature) • Verifiers don’t need to know secret key • RSA can be used for digital signature scheme

  13. Popular Secret Key Algorithms • DES:old standard, 56-bit key, slow • 3DES:fix key size but 3 times as slow • RC4:variable length key, “stream cipher” (generate stream from key, XOR with data) • AES:replacement for DES, will probably take over

  14. Popular Public Key Algorithms • RSA:public key operations can be made very fast, but private key operations will be slow. • ECC (elliptic curve crypto):smaller keys, so faster than RSA (but not for public key ops).

  15. Secret Key Problem: How do two entities establish shared secret key over the network? Solution: Trusted key distribution (KDC) acting as intermediary between entities KDC needs shared key with each entity. Public Key Problem: When Saad obtains Saeed’s public key (from web site, e-mail, diskette), how does he know it is Saeed’s public key, not eavesdropper’s? Solution: Trusted certification authority (CA) Key Distribution Problem

  16. Key Distribution - Secret Keys • Could configure n2 keys • Makes the systems unfeasible for large-scale use • Instead use Key Distribution Center (KDC) • Every user has a secret key shared with KDC • The KDC knows all the users • The KDC assigns a key to any pair who need to talk

  17. Key Distribution - Public Keys • Certification Authority (CA) signs “Certificates” • Certificate =a signed message saying “I, the CA, vouch that 489024729 is Saad’s public key” • If everyone has a certificate, a private key, and the CA’s public key, they can authenticate

  18. Key Distribution - Public Keys Saeed Saad [“Saad”, key=342872]CA [“Saeed”, key=8294781]CA Auth, encryption, etc.

  19. Denial Of Service Attack • Attacker tries to exhaust resources of host/ server/ router/ user • Resources include: • Computation (CPU time) • Storage (e.g. for state of requests/connections) • Open TCP connections • Limited (10s to several thousand connections – depending on hardware, operating system) • SYN flooding DOS attack: attacker sends ‘SYN’ flow (open connection); server waits

  20. SYN flooding DOS attack • Attacker sends many SYN requests (using different spoofed client IP address), no ACK • Uses up server’s capacity for open connections

  21. Firewalls • Firewall: A secure machine (or program), isolating organization’s internal net from larger Internet (or another net), allowing some packets to pass, blocking others

  22. Packet Filtering • Internal network connected to Internet via Router Firewall (packet filtering) • Router filters packet-by-packet, decision to forward/ drop packet based on: • Source IP address, destination IP address • TCP/UDP source and destination port numbers • TCP SYN and ACK bit (identify client vs. server)

  23. References • Our textbook • http://www.aw.com/kurose-ross/ • http://www.iec.org • http://amir.herzberg.name

More Related