Security Overview
Hofstra University, University College for Continuing Education - Advanced Java Programming
Lecturer: Engin Yalt
May 24, 2006
Disclaimer
The images in this presentation are taken from http://williamstallings.com/NetSec2e.html (Network Security Essentials, William Stallings)
Security Attacks
• Interruption: attack on availability
• Interception: attack on confidentiality
• Modification: attack on integrity
• Fabrication: attack on authenticity
Security Goals
• Authenticity
• Integrity
• Availability
• Confidentiality
Security Services
• Confidentiality (privacy)
• Authentication (who created or sent the data)
• Integrity (has not been altered)
• Non-repudiation (the order is final)
• Access control (prevent misuse of resources)
• Availability (permanence, non-erasure)
  • Denial of Service Attacks
  • Virus that deletes files
Methods of Defense
• Encryption
• Software Controls (access limitations in a database; in an operating system, protecting each user from other users)
• Hardware Controls (smartcard)
• Policies (frequent changes of passwords)
• Physical Controls
Cryptography
Classified along three independent dimensions:
• The type of operations used for transforming plaintext to ciphertext
• The number of keys used
  • symmetric (single key) (DES, 3DES)
  • asymmetric (two keys, or public-key) (RSA)
• The way in which the plaintext is processed
  • Block cipher vs. stream cipher processing
Key Distribution
• A key could be selected by A and physically delivered to B.
• A third party could select the key and physically deliver it to A and B.
• If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key.
• If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.
Key Distribution
• Session key:
  • Data encrypted with a one-time session key. At the conclusion of the session, the key is destroyed.
• Permanent key:
  • Used between entities for the purpose of distributing session keys
Authentication
• Requirements - must be able to verify that:
  1. Message came from the apparent source or author
  2. Contents have not been altered
  3. Sometimes, it was sent at a certain time or in a certain sequence
• Protection against active attack (falsification of data and transactions)
Public-Key Cryptography
• Use of two keys (public key, private key)
• The scheme has six ingredients
  • Public key
  • Private key
  • Plaintext
  • Encryption algorithm
  • Ciphertext
  • Decryption algorithm
Public-Key Cryptographic Algorithms
• RSA - Ron Rivest, Adi Shamir and Len Adleman at MIT, in 1977.
  • RSA is a block cipher
  • The most widely implemented
• Diffie-Hellman
  • Exchange a secret key securely
  • Security depends on the difficulty of computing discrete logarithms
Public-Key Infrastructure (PKI) Creating Certificate * CA = Certificate Authority
Public-Key Infrastructure (PKI) Obtaining a Certificate http://www.sdl.hitachi.co.jp/english/people/pki/index04.html
X.509 Authentication Service
• Distributed set of servers that maintains a database about users.
• Each certificate contains the public key of a user and is signed with the private key of a CA*.
• Is used in S/MIME, IP Security, SSL/TLS and SET.
• Use of RSA is recommended.
* CA = Certificate Authority
Revocation of Certificates
• Reasons:
  • The user's secret key is assumed to be compromised.
  • The user is no longer certified by this CA.
  • The CA's certificate is assumed to be compromised.
E-Mail Security
• PGP - (Pretty Good Privacy)
  • Philip R. Zimmermann is the creator
  • Provides a confidentiality and authentication service
  • Can be used for email and file storage applications
• S/MIME - (Secure/Multipurpose Internet Mail Extension)
  • Enveloped Data: content and session keys encrypted for recipients.
  • Signed Data: message digest encrypted with the private key of the "signer."
  • Clear-Signed Data: signed but not encrypted.
  • Signed and Enveloped Data
Secure Sockets Layer - SSL
• Browser connects to a secure server https://.....
• The server sends its certificate
• The browser
  • verifies the certificate
  • creates a session key (shared secret)
  • encrypts the session key with the server's public key
  • sends it to the server.
• The server decrypts the session key using its private key
• The handshake is complete! Now browser and server can talk using a shared secret key.
• The browser sends sensitive info (credit card) over a secure channel.
http://www.ourshop.com/resources/ssl.html
Security and Java Platform
• Platform Security (Java Language, Sandbox)
• Cryptography (JCA, JCE)
• Authentication and Access Control (JAAS)
• Secure Communications (JSSE, JGSS)
• Public Key Infrastructure (PKI)
http://java.sun.com/security/
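The session-key exchange from the SSL slide, written with the JCA/JCE classes named on the Java platform slide. This is an added example, not part of the original presentation: the class name, key sizes, the OAEP and AES-GCM choices and the sample message are assumptions, and certificate verification is assumed to have already succeeded.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;

public class SessionKeyTransport {              // hypothetical class name
    static final String WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final String DATA = "AES/GCM/NoPadding";

    public static void main(String[] args) throws Exception {
        // Server: long-term key pair; the public half would arrive in its certificate.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair server = kpg.generateKeyPair();

        // Browser: create a one-time session key, encrypt it with the server's public key.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey session = kg.generateKey();
        Cipher wrap = Cipher.getInstance(WRAP);
        wrap.init(Cipher.WRAP_MODE, server.getPublic());
        byte[] wrapped = wrap.wrap(session);

        // Browser: protect the sensitive data with the session key (fresh random IV).
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher enc = Cipher.getInstance(DATA);
        enc.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(128, iv));
        byte[] ct = enc.doFinal("constructed sample order data".getBytes(StandardCharsets.UTF_8));

        // Server: recover the session key with its private key, then decrypt.
        Cipher unwrap = Cipher.getInstance(WRAP);
        unwrap.init(Cipher.UNWRAP_MODE, server.getPrivate());
        SecretKey recovered = (SecretKey) unwrap.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
        Cipher dec = Cipher.getInstance(DATA);
        dec.init(Cipher.DECRYPT_MODE, recovered, new GCMParameterSpec(128, iv));
        System.out.println(new String(dec.doFinal(ct), StandardCharsets.UTF_8));

        // Modification in transit (constructed): the GCM tag check rejects the altered ciphertext.
        ct[0] ^= 1;
        dec.init(Cipher.DECRYPT_MODE, recovered, new GCMParameterSpec(128, iv));
        try { dec.doFinal(ct); } catch (AEADBadTagException e) { System.out.println("modification detected"); }
    }
}
```

TLS 1.3 no longer permits this RSA key transport and uses ephemeral Diffie-Hellman instead, so production code should rely on JSSE rather than a hand-built exchange.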