1 / 38

Security Overview

Security Overview. Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006. Disclaimer. The images in this presentation are taken from http://williamstallings.com/NetSec2e.html

marek
Download Presentation

Security Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006

  2. Disclaimer The images in this presentation are taken from http://williamstallings.com/NetSec2e.html Network Security Essentials, William Stallings

  3. Security Attacks

  4. Security Attacks • Interruption: attack on availability • Interception: attack on confidentiality • Modification: attack on integrity • Fabrication: attack on authenticity

  5. Threat Classifications

  6. Passive Attacks -Release of message contents

  7. Passive Attacks - Traffic analysis

  8. Active Attacks - Masquerade

  9. Active Attacks – Replay

  10. Active Attacks – Modification of message

  11. Active Attacks – Denial of service

  12. Security Goals Authenticity Integrity Availability Confidentiality

  13. Security Services • Confidentiality (privacy) • Authentication (who created or sent the data) • Integrity (has not been altered) • Non-repudiation (the order is final) • Access control (prevent misuse of resources) • Availability (permanence, non-erasure) • Denial of Service Attacks • Virus that deletes files

  14. Model of Network Security

  15. Methods of Defense • Encryption • Software Controls (access limitations in a data base, in operating system protect each user from other users) • Hardware Controls (smartcard) • Policies (frequent changes of passwords) • Physical Controls

  16. Conventional Encryption

  17. Cryptography Classified along three independent dimensions: • The type of operations used for transforming plaintext to cipher text • The number of keys used • symmetric (single key) (DES, 3DES) • asymmetric (two-keys, or public-key) (RSA) • The way in which the plaintext is processed • Block cipher vs. Stream cipher processing

  18. Average time required for exhaustive key search

  19. Key Distribution • A key could be selected by A and physically delivered to B. • A third party could select the key and physically deliver it to A and B. • If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key. • If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.

  20. Key Distribution • Session key: • Data encrypted with a one-time session key. At the conclusion of the session, the key is destroyed • Permanent key: • Used between entities for the purpose of distributing session keys

  21. Key Distribution

  22. Authentication • Requirements - must be able to verify that: 1. Message came from apparent sourceor author 2. Contents have not been altered, 3. Sometimes, it was sent at a certain time or sequence. • Protection against active attack (falsification of data and transactions)

  23. Authentication - MAC

  24. Authentication – Encrypted MAC

  25. Authentication – Secret Value

  26. Public-Key Cryptography • Use of two keys (public key, private key) • The scheme has six ingredients • Public key • Private key • Plaintext • Encryption algorithm • Ciphertext • Decryption algorithm

  27. Encryption using Public-Key

  28. Authentication usingPublic-Key

  29. Public-Key Cryptographic Algorithms • RSA - Ron Rives, Adi Shamir and Len Adleman at MIT, in 1977. • RSA is a block cipher • The most widely implemented • Diffie-Hellman • Echange a secret key securely • Compute discrete logarithms

  30. Public-Key Infrastructure (PKI) Creating Certificate * CA = Certificate Authority

  31. Public-Key Infrastructure (PKI) Obtaining a Certificate http://www.sdl.hitachi.co.jp/english/people/pki/index04.html

  32. X.509 Authentication Service • Distributed set of servers that maintains a database about users. • Each certificate contains the public key of a user and is signed with the private key of a CA*. • Is used in S/MIME, IP Security, SSL/TLS and SET. • RSA is recommended to use. * CA = Certificate Authority

  33. X.509 CA Hierarchy

  34. Revocation of Certificates • Reasons: • The users secret key is assumed to be compromised. • The user is no longer certified by this CA. • The CA’s certificate is assumed to be compromised.

  35. E-Mail Security • PGP – (Pretty Good Privacy) • Philip R. Zimmerman is the creator • Provides a confidentiality and authentication service • Can be used for email and file storage applications • S/MIME - (Secure/Multipurpose Internet Mail Extension) • Enveloped Data: content and session keys encrypted for recipients. • Signed Data: Message Digest encrypted with private key of “signer.” • Clear-Signed Data: Signed but not encrypted. • Signed and Enveloped Data

  36. PGP

  37. Secure Sockets Layer - SSL • Browser connects to a secure server https://..... • The server sends it’s certificate • The browser • verifies the certificate • creates a session key (shared secret) • encrypts the session key with server’s public key • sends it to the server. • The server decrypts the session key using it’s private key • The handshake is comlete! Now browser and server can talk using a shared secret key. • The browser send sensitive info (credit card) over a secure channel. http://www.ourshop.com/resources/ssl.html

  38. Security and Java Platform • Platform Security (Java Language, Sand Box) • Cryptography (JCA, JCE) • Authentication and Access Control (JAAS) • Secure Communications (JSSE, JGSS) • Public Key Infrastructure (PKI) http://java.sun.com/security/

More Related