1 / 25

Chapter 29

Chapter 29. Internet Security. CONTENTS. INTRODUCTION PRIVACY DIGITAL SIGNATURE SECURITY IN THE INTERNET APPLICATION LAYER SECURITY TRANSPORT LAYER SECURITY: TLS SECURITY AT THE IP LAYER: IPSEC FIREWALLS. 29.1 Aspects of security.

Download Presentation

Chapter 29

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Chapter 29 Internet Security

  2. CONTENTS • INTRODUCTION • PRIVACY • DIGITAL SIGNATURE • SECURITY IN THE INTERNET • APPLICATION LAYER SECURITY • TRANSPORT LAYER SECURITY: TLS • SECURITY AT THE IP LAYER: IPSEC • FIREWALLS

  3. 29.1 Aspects of security • Privacy = Confidentiality of the transmitted message (encryption) • Authentication = The sender ( not an imposter) sent the message • Integrity = Message arrives without corruption • Nonrepudiation = Sender cannot deny the message.

  4. 29.2 Privacy : Secret-key Encryption • the same key is used by the sender (for encryption) and the receiver (for decryption). The key is shared. • Often called symmetric encryption because the same key can be used in both directions • Efficient algorithms, takes less time to compute. Often used for long messages. • Each pair must have a secret key. N people need ½N(N-1) • Difficult to distribute the secret key • KDC can solve the problem of secret-key distribution.

  5. Privacy: Public-key Encryption • Each entity has two distinct keys: Private key and a Public key. • Sender uses Receiver’s public key to encrypt the plaintext • Receiver uses its own private key to decrypt the ciphertext. • No other private key can decrypt the ciphertext. • N people need 2 N keys. • Easy key distribution. • Requires more time to encrypt/decrypt than the Secret Key method. • More suitable for short messages • How to authenticate the binding between an entity and its public key?

  6. Certification Authorities (CAs) • A trusted agency used to verify that a public key belongs to a specific entity. • Issues a certificate: Public key + entity’s information (e.g. name, router IP) and encrypt it using the CA private key • Each receiver uses the CA’s public key to decrypt the sender’s certificate thus obtains the sender’s public key.

  7. Secret Key + Public Key Combination

  8. 29.3 Digital Signature • Encryption achieves privacy only. • Digital Signature’s goal is to achieve authentication and nonrepudiation of sender + integrity of the message. • Sender signs the message with a unique signature. • Receiver verifies the sender’s signature. • Two options: • Signing the whole document • Signing a Digest of the document.

  9. Signing the Whole Document • Sender uses its private key to encrypt (i.e. sign) the messgae • Receiver uses the sender’s public key to decrypt (i.e. verify the signature) of the message. • Integrity: If message is intercepted and/or corrupted, the decrypted message is unreadable. • Authentication: If an imposter sent the message, using the intended sender’s public key to decrypt results in garbage. • Nonrepudiation: If sender denies the message, its private key is used by the authorities to decrypt the ciphertext. If results match, then the messages realy belongs to the sender.

  10. Digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption must be applied.

  11. Signing the digest • Two common has functions: • MD5 → 120-bit digest • SHA-1 → 160-bit digest • Properties of hash function: • One-Way: Massage to digest but not vice versa • One-to-One: No two distinct messages generate the same digest

  12. Sender site +

  13. + Receiver site • Integrity, authenticity and nonrepudiation of Digest guarantees the same for the Message. Why so?

  14. 29.4 Security in the Internet • At the Application layer • The PGP scheme • At the Transport layer • TLS protocol • At the IP layer • IPSec • Firewalls

  15. + + 29.5 Application-Layer Security: PGP at the sender site

  16. PGP at the receiver site

  17. 29.6 Transport Layer Security (TLS)

  18. Includes Server’s public key Encrypted by Server’s public key Encrypted by client’s secret key Encrypted by client’s secret key TLS: 1) The Handshake Protocol • Data transfer is encrypted using the client-generated secret key

  19. 29.7 Security at the IP-Layer: 1) Authentication Header Protocol

  20. 2) Encapsulating Security Payload (ESP)

  21. Figure 29-16 ESP format

  22. 29.8 FIREWALLS

  23. Figure 29-17 Firewall

  24. Packet-filter firewall A packet-filter firewall filters at the network or transport layer.

  25. Proxy firewall A proxy firewall filters at the application layer.

More Related