1 / 37

Security

Security. Yih-Kuen Tsay Dept. of Information Management National Taiwan University. Introduction. Security Needs Secrecy (confidentiality), integrity, etc. Arise from the desire to share resources Security Policies Specify who are authorized to access what resources

harding-conway
Download Presentation

Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University Security -- 1

  2. Introduction • Security Needs • Secrecy (confidentiality), integrity, etc. • Arise from the desire to share resources • Security Policies • Specify who are authorized to access what resources • Independent of the technology used • Security Mechanisms • Enforce security policies • Security Models • Help understand and analyze the above Security -- 2

  3. Components of a Security Model Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Fourth Edition. Security -- 3

  4. The Enemy in Network Security Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Fourth Edition. Security -- 4

  5. Familiar Names in the Security Literature Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Fourth Edition. Security -- 5

  6. Classes of Security Threats • Leakage • Acquisition of information by unauthorized parties • Tampering (Modification) • Unauthorized alteration of information • Vandalism • Interference with the proper operation without gain to the perpetrator Security -- 6

  7. Methods of Attack • Eavesdropping • Release of message contents and traffic analysis • Masquerading • Message Tampering (Modification) • Man-in-the-middle attack • Replaying • Denial of Service • Mobile Code Security -- 7

  8. Designing Secure Systems • Use best standards available • Informal analysis and checks • Formal validation • Security logs and auditing Security -- 8

  9. Security Requirements • Secrecy (Confidentiality) • Data Integrity • Authentication • Non-repudiation • Availability • … Security -- 9

  10. The Secret-Key Encryption Model Source: W. Stallings, “Cryptography and Network Security” Security -- 10

  11. The Public-Key Encryption Model Source: W. Stallings, “Cryptography and Network Security” Security -- 11

  12. The Public-Key Authentication Model Source: W. Stallings, “Cryptography and Network Security” Security -- 12

  13. Notational Conventions Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Fourth Edition. Security -- 13

  14. Alice’s Bank Account Certificate Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Fourth Edition. Security -- 14

  15. A Public Key Certificate of Bob’s Bank Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Fourth Edition. Security -- 15

  16. A Scheme of Cipher Block Chaining Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Fourth Edition. Security -- 16

  17. A Stream Cipher Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Fourth Edition. Security -- 17

  18. Digital Signatures with Secret Keys Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Fourth Edition. Security -- 18

  19. Digital Signatures with Public Keys Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Fourth Edition. Security -- 19

  20. Key size/hash size Extrapolated PRB optimized (bits) speed (kbytes/s) (kbytes/sec.) TEA 128 700 - DES 56 350 7746 112 120 2842 Triple-DES IDEA 128 700 4469 512 7 - RSA RSA 2048 1 - MD5 128 1740 62425 160 750 25162 SHA Performance of Encryption Algorithms Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Fourth Edition. Security -- 20

  21. The Needham-Schroeder Authentication Protocol Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Fourth Edition. Security -- 21

  22. Kerberos • Developed at MIT (Project Athena) • For protecting networked services • Based on the Needham-Schroeder protocol • Current version: Kerberos Version 5 • Source code available • Also used in OSF DCE, Windows 2000, ... • Probable extension for the initial authentication of principals Security -- 22

  23. Kerberos Architecture Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Fourth Edition. Security -- 23

  24. The Kerberos Protocol Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Fourth Edition. Security -- 24

  25. The Kerberos Protocol (cont.) auth(C) contains C,t. ticket(C,S) contains C,S,t1,t2,KCS. Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Fourth Edition. Security -- 25

  26. Critiques of Kerberos • Synchronization of clients’ and servers’ clocks (Version 4) • Unique timestamps or sequence numbers as nonces • Limited session lifetimes Security -- 26

  27. TLS/SSL • The Secure Sockets Layer (SSL) protocol originated from Netscape, now a nonproprietary standard (SSLv3) • An extension of SSL became the Transport Layer Security (TLS) protocol (RFC 2246) • Provides secure end-to-end communications • Operates between TCP/IP (or any other reliable transport protocol) and the application • Built into most browsers and servers Security -- 27

  28. TLS TLS Change TLS Alert Handshake HTTP Telnet Cipher Spec Protocol protocol TLS Record Protocol Transport layer (usually TCP) Network layer (usually IP) TLS protocols: Other protocols: The TLS/SSL Protocol Stack Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Fourth Edition. Security -- 28

  29. How SSL/TLS Works • Sessions between a client and a server are established by the Handshake Protocol • A session defines a set of security parameters, including peer certificate, cipher spec, and master secret • Multiple connections can be established within a session, each defining further security parameters such as keys for encryption and authentication • Security parameters dictate how application data are processed by the SSL Record Protocol into TCP segments Security -- 29

  30. Security Functions of SSL/TLS • Confidentiality: using one of DES, Triple DES, IDEA, RC2, RC4, … • Integrity: using MAC with MD5 or SHA-1 • Authentication: using X.509v3 digital certificates Security -- 30

  31. The SSL/TLS Handshake Protocol Security -- 31 Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Fourth Edition.

  32. Component Description Example Key exchange the method to be used for RSA with public-key method exchange of a session key certificates Cipher for data the block or stream cipher to be IDEA transfer used for data Message digest for creating message SHA function authentication codes (MACs) SSL/TLS Handshake Configuration Options Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Fourth Edition. Security -- 32

  33. The SSL/TLS Record Protocol Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Fourth Edition. Security -- 33

  34. Wired Equivalent Privacy (WEP) • Access control by a challenge-response protocol • A single key shared by the base station and all authorized devices • Encryption based on RC4 • The access key also used for encryption Security -- 34

  35. RC4 in IEEE 802.11 WEP *Note: The IV is only 24-bit long and is sent in clear. Source: G. Coulouris et al., Distributed Systems: Concepts and Design, Fourth Edition. Security -- 35

  36. Weaknesses in WEP • The sharing of a single key • Base stations never authenticated • Inappropriate use of a stream cipher • Key lengths of 40 bits and 64 bits • Weakness of RC4 • The user’s likely lack of awareness Solution: WPA (Wi-Fi Protected Access) and 802.11i WPA2 Security -- 36

  37. Micropayments • The price of some goods may be lower than the standard transaction fees • Micropayments offer a way for selling small-value products and services • Technology providers: eCharge (via phone bills), Qpass (monthly bills), Millicent (prepay electronic cash), ... Security -- 37

More Related