
Chapter 30

Chapter 30. Security. Credit: most slides from Forouzan, TCP/IP Protocol Suite. Phishing: masquerading as a well-known site to obtain a user's personal info. Denial of Service: intentionally blocking a site to prevent business activities.

davidkperez

Presentation Transcript


  1. Chapter 30: Security. Credit: most slides from Forouzan, TCP/IP Protocol Suite. TCP/IP Protocol Suite

  2. Criminal Exploits and Attacks. Phishing: masquerading as a well-known site to obtain a user's personal info. Denial of service: intentionally blocking a site to prevent business activities. Loss of control: an intruder gains control of a system. Loss of data: steal or delete.

  3. Techniques used. Wiretapping. Replay: sending packets captured from a previous session, such as a username and password. Buffer overflow: sending more data than the receiver expects, thereby storing values in a memory buffer. Address spoofing: faking the IP source address. Name spoofing: misspelling a well-known name or poisoning a name server. SYN flood: sending a stream of TCP SYNs. Key breaking: guessing a password. Port scanning: to find vulnerabilities. Packet interception: man-in-the-middle attack.

  4. Security Techniques. Encryption; digital signatures; firewall; intrusion detection systems; packet inspection and content scanning; VPN.

  5. 28.1 CRYPTOGRAPHY. The word cryptography in Greek means “secret writing.” The term today refers to the science and art of transforming messages to make them secure and immune to attacks. The topics discussed in this section include: Symmetric-Key Cryptography; Asymmetric-Key Cryptography; Comparison.

  6. Figure 28.1: Cryptography components

  7. Note: In cryptography, the encryption/decryption algorithms are public; the keys are secret.

  8. Note: In symmetric-key cryptography, the same key is used by the sender (for encryption) and the receiver (for decryption). The key is shared.

  9. Figure 28.2: Symmetric-key cryptography

  10. Note: In symmetric-key cryptography, the same key is used in both directions.

  11. Figure 28.3: Caesar cipher

  12. Figure 28.4: Transpositional cipher

  13. Data Encryption Standard (DES). DES is a block cipher. It takes a 64-bit plaintext and creates a 64-bit ciphertext. The cipher key is a 56-bit key. It uses 16 rounds; each round mixes and swaps (left half with right half).

  14. Figure 28.5: DES (Data Encryption Standard)

  15. Note: The DES cipher uses the same concept as the Caesar cipher, but the encryption/decryption algorithm is much more complex.

  16. Asymmetric-key ciphers. The secret key is personal and unshared. A symmetric-key scheme would require n(n-1)/2 keys; for a million people it would require half a billion shared secret keys. In an asymmetric scheme, by contrast, we would only require a million secret keys. Asymmetric ciphers use two keys, private and public. Asymmetric ciphers are much slower. Symmetric and asymmetric ciphers can be used together if need be. Think: if you want to send a secret symmetric key, you can use an asymmetric cipher.

  17. Protocols • IPSec (Internet Security Protocol) operates in the network layer. Used in VPNs. • IPSec supports the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol. • The SSL (Secure Socket Layer) protocol provides security for transferring encrypted data. • WEP (Wired Equivalent Privacy) standard. The data stream is encrypted with the RC4 algorithm. RC4 is simple, but it is not very secure. • WPA (Wi-Fi Protected Access) specification and AES (Advanced Encryption Standard) are more secure for encrypting wireless data.

  18. Figure 28.8: Public-key cryptography

  19. Note: Symmetric-key cryptography is often used for long messages.

  20. Note: Asymmetric-key algorithms are more efficient for short messages.

  21. Note: Digital signature can provide authentication, integrity, and nonrepudiation for a message.

  22. 28.3 DIGITAL SIGNATURE. Digital signature can provide authentication, integrity, and nonrepudiation for a message. The topics discussed in this section include: Signing the Whole Document; Signing the Digest.

  23. Figure 28.12: Signing the whole document

  24. Note: Digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption must be applied.

  25. Figure 28.13: Hash function

  26. Figure 28.14: Sender site

  27. Figure 28.15: Receiver site. The digest is much shorter than the message. The message itself may not lend itself to asymmetric cryptography because it is too long.

  28. Hash functions. A message of arbitrary length is made into a fixed-length message. MD2, MD4, MD5. SHA (Secure Hash Algorithm), developed by NIST.

  29. Non-repudiation. If Alice signs a message and then denies it, the message can be verified. That means we have to keep the messages. A trusted center can be created. Alice sends the digitally signed message to the trusted center, which verifies it, saves a copy of the message, recreates the message with its own signature, and sends it to Bob. Bob can verify the trusted center’s public key.

  30. 28.5 KEY MANAGEMENT. In this section we explain how symmetric keys are distributed and how public keys are certified. The topics discussed in this section include: Symmetric-Key Distribution; Public-Key Certification; Kerberos.

  31. Note: A symmetric key between two parties is useful if it is used only once; it must be created for one session and destroyed when the session is over.

  32. Figure 28.19: Diffie-Hellman method

  33. Note: The symmetric (shared) key in the Diffie-Hellman protocol is $K = G^{xy} \bmod N$.

  34. Example 1. Let us give an example to make the procedure clear. Our example uses small numbers, but note that in a real situation, the numbers are very large. Assume $G = 7$ and $N = 23$. The steps are as follows: 1. Alice chooses $x = 3$ and calculates $R_1 = 7^3 \bmod 23 = 21$. 2. Alice sends the number 21 to Bob. 3. Bob chooses $y = 6$ and calculates $R_2 = 7^6 \bmod 23 = 4$. 4. Bob sends the number 4 to Alice. 5. Alice calculates the symmetric key $K = 4^3 \bmod 23 = 18$. 6. Bob calculates the symmetric key $K = 21^6 \bmod 23 = 18$. The value of $K$ is the same for both Alice and Bob; $G^{xy} \bmod N = 7^{18} \bmod 23 = 18$.

  35. Figure 28.20: Man-in-the-middle attack

  36. Figure 28.21: First approach using KDC

  37. Figure 28.22: Needham-Schroeder protocol

  38. Figure 28.23: Otway-Rees protocol

  39. Note: In public-key cryptography, everyone has access to everyone’s public key.

  40. Table 28.1: X.509 fields

  41. Figure 28.24: PKI hierarchy

  42. Figure 28.25: Kerberos servers

  43. Figure 28.26: Kerberos example

  44. 28.6 SECURITY IN THE INTERNET. In this section we discuss a security method for each of the top 3 layers of the Internet model. At the IP level we discuss a protocol called IPSec; at the transport layer we discuss a protocol that “glues” a new layer to the transport layer; at the application layer we discuss a security method called PGP. The topics discussed in this section include: IP Level Security: IPSec; Transport Layer Security; Application Layer Security: PGP.

  45. Figure 28.27: Transport mode

  46. Figure 28.28: Tunnel mode

  47. Figure 28.29: AH

  48. Note: The AH protocol provides message authentication and integrity, but not privacy.

  49. Figure 28.30: ESP

  50. Note: ESP provides message authentication, integrity, and privacy.
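
The Diffie-Hellman exchange of Example 1 (slide 34) and the situation named in Figure 28.20, as an added Python example that is not part of the original slides: it reproduces the slide's numbers, then shows that when the values in transit are replaced, Alice and Bob derive different keys, which comparing key fingerprints over an authenticated channel exposes. The function names, the substituted secret z = 5, the range check on received values and the SHA-256 fingerprint are assumptions of this example.

```python
import hashlib

G, N = 7, 23  # toy parameters from Example 1; real groups are thousands of bits


def dh_public(secret, g=G, n=N):
    """Value sent to the peer: R = g^secret mod n."""
    return pow(g, secret, n)


def dh_shared(peer_public, secret, n=N):
    """K = peer_public^secret mod n, after validating the received value."""
    # Values outside 2..n-2 (0, 1, n-1) force a predictable key: reject them.
    if not 2 <= peer_public <= n - 2:
        raise ValueError("peer public value out of range")
    return pow(peer_public, secret, n)


def fingerprint(key):
    """Short digest of K for comparison over a separate, authenticated channel."""
    return hashlib.sha256(str(key).encode()).hexdigest()[:16]


def slide_example(x=3, y=6):
    """Example 1: returns (R1, R2, K at Alice, K at Bob)."""
    r1, r2 = dh_public(x), dh_public(y)
    return r1, r2, dh_shared(r2, x), dh_shared(r1, y)


def substituted_exchange(x=3, y=6, z=5):
    """Figure 28.20 case: R1 and R2 are both replaced in transit by R3 = G^z mod N.

    z = 5 is a constructed value. Nothing in the bare exchange authenticates
    R1 or R2, so each side computes a key without noticing the swap.
    """
    r3 = dh_public(z)
    return dh_shared(r3, x), dh_shared(r3, y)


if __name__ == "__main__":
    print("Example 1:", slide_example())            # (21, 4, 18, 18)
    k_a, k_b = substituted_exchange()
    print("After substitution:", k_a, k_b)          # 14 12
    print("Fingerprints match:", fingerprint(k_a) == fingerprint(k_b))  # False
```
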
