260 likes | 440 Views
Chapter 29. Internet Security. CONTENTS. INTRODUCTION PRIVACY DIGITAL SIGNATURE SECURITY IN THE INTERNET APPLICATION LAYER SECURITY TRANSPORT LAYER SECURITY: TLS SECURITY AT THE IP LAYER: IPSEC FIREWALLS. 29.1 Aspects of security.
E N D
Chapter 29 Internet Security
CONTENTS • INTRODUCTION • PRIVACY • DIGITAL SIGNATURE • SECURITY IN THE INTERNET • APPLICATION LAYER SECURITY • TRANSPORT LAYER SECURITY: TLS • SECURITY AT THE IP LAYER: IPSEC • FIREWALLS
29.1 Aspects of security • Privacy = Confidentiality of the transmitted message (encryption) • Authentication = The sender ( not an imposter) sent the message • Integrity = Message arrives without corruption • Nonrepudiation = Sender cannot deny the message.
29.2 Privacy : Secret-key Encryption • the same key is used by the sender (for encryption) and the receiver (for decryption). The key is shared. • Often called symmetric encryption because the same key can be used in both directions • Efficient algorithms, takes less time to compute. Often used for long messages. • Each pair must have a secret key. N people need ½N(N-1) • Difficult to distribute the secret key • KDC can solve the problem of secret-key distribution.
Privacy: Public-key Encryption • Each entity has two distinct keys: Private key and a Public key. • Sender uses Receiver’s public key to encrypt the plaintext • Receiver uses its own private key to decrypt the ciphertext. • No other private key can decrypt the ciphertext. • N people need 2 N keys. • Easy key distribution. • Requires more time to encrypt/decrypt than the Secret Key method. • More suitable for short messages • How to authenticate the binding between an entity and its public key?
Certification Authorities (CAs) • A trusted agency used to verify that a public key belongs to a specific entity. • Issues a certificate: Public key + entity’s information (e.g. name, router IP) and encrypt it using the CA private key • Each receiver uses the CA’s public key to decrypt the sender’s certificate thus obtains the sender’s public key.
29.3 Digital Signature • Encryption achieves privacy only. • Digital Signature’s goal is to achieve authentication and nonrepudiation of sender + integrity of the message. • Sender signs the message with a unique signature. • Receiver verifies the sender’s signature. • Two options: • Signing the whole document • Signing a Digest of the document.
Signing the Whole Document • Sender uses its private key to encrypt (i.e. sign) the messgae • Receiver uses the sender’s public key to decrypt (i.e. verify the signature) of the message. • Integrity: If message is intercepted and/or corrupted, the decrypted message is unreadable. • Authentication: If an imposter sent the message, using the intended sender’s public key to decrypt results in garbage. • Nonrepudiation: If sender denies the message, its private key is used by the authorities to decrypt the ciphertext. If results match, then the messages realy belongs to the sender.
Digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption must be applied.
Signing the digest • Two common has functions: • MD5 → 120-bit digest • SHA-1 → 160-bit digest • Properties of hash function: • One-Way: Massage to digest but not vice versa • One-to-One: No two distinct messages generate the same digest
+ Receiver site • Integrity, authenticity and nonrepudiation of Digest guarantees the same for the Message. Why so?
29.4 Security in the Internet • At the Application layer • The PGP scheme • At the Transport layer • TLS protocol • At the IP layer • IPSec • Firewalls
+ + 29.5 Application-Layer Security: PGP at the sender site
Includes Server’s public key Encrypted by Server’s public key Encrypted by client’s secret key Encrypted by client’s secret key TLS: 1) The Handshake Protocol • Data transfer is encrypted using the client-generated secret key
29.7 Security at the IP-Layer: 1) Authentication Header Protocol
Figure 29-16 ESP format
29.8 FIREWALLS
Figure 29-17 Firewall
Packet-filter firewall A packet-filter firewall filters at the network or transport layer.
Proxy firewall A proxy firewall filters at the application layer.