CSE 4213: Computer Networks II



  1. CSE 4213: Computer Networks II
  Suprakash Datta
  datta@cs.yorku.ca
  Office: CSEB 3043
  Phone: 416-736-2100 ext 77875
  Course page: http://www.cs.yorku.ca/course/4213
  These slides are adapted from Jim Kurose's slides.
  COSC 4213 - S.Datta

  2. Chapter 8 roadmap
  8.1 What is network security?
  8.2 Principles of cryptography
  8.3 Authentication
  8.4 Integrity
  8.5 Key distribution and certification
  8.6 Access control: firewalls
  8.7 Attacks and counter measures
  8.8 Security in many layers
    8.8.1 Secure email
    8.8.2 Secure sockets
    8.8.3 IPsec
    8.8.4 Security in 802.11

  3. Secure e-mail
  (Figure: Alice computes K_S(m) and K_B+(K_S) and sends both across the Internet; Bob applies K_B- to recover K_S and then K_S to recover m.)
  • Alice wants to send confidential e-mail, m, to Bob.
  • Alice:
    • generates a random symmetric key, K_S.
    • encrypts the message with K_S (for efficiency: symmetric encryption is far cheaper than public-key encryption of the whole message).
    • also encrypts K_S with Bob's public key, K_B+.
    • sends both K_S(m) and K_B+(K_S) to Bob.

  4. Secure e-mail (continued)
  (Same figure as slide 3, now followed on Bob's side.)
  • Alice wants to send confidential e-mail, m, to Bob.
  • Bob:
    • uses his private key, K_B-, to decrypt K_B+(K_S) and recover K_S.
    • uses K_S to decrypt K_S(m) and recover m.

  5. Secure e-mail (continued)
  (Figure: Alice hashes m with H( ), signs the digest with her private key to get K_A-(H(m)), and sends m in the clear together with the signature; Bob recomputes H(m) from the received m, applies Alice's public key K_A+ to the signature, and compares the two digests.)
  • Alice wants to provide sender authentication and message integrity.
  • Alice digitally signs the message: she computes H(m) and encrypts the digest with her private key, K_A-.
  • She sends both the message (in the clear) and the digital signature K_A-(H(m)).
  • Bob verifies by checking that K_A+(K_A-(H(m))) equals H(m) computed over the message he received; a mismatch means the message was altered or was not signed by Alice.

  6. Secure e-mail (continued)
  (Figure: Alice signs m with K_A-, encrypts the signed message with K_S, encrypts K_S with K_B+, and sends K_S(m, K_A-(H(m))) together with K_B+(K_S) across the Internet.)
  • Alice wants to provide secrecy, sender authentication, and message integrity.
  • Alice uses three keys: her private key, Bob's public key, and a newly created symmetric key.
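The three-key flow of slides 3 to 6, as an added example that is not part of the original slides, written in Python with only the standard library. The "RSA" inside it is textbook RSA over fixed, publicly known Mersenne primes, the symmetric cipher is SHA-256 in counter mode, and H(m) is a truncated SHA-256; all three are stand-ins chosen so the example runs offline, and none of them is safe for real use. What it shows is which key is applied where: K_S(m) and K_B+(K_S) for secrecy, K_A-(H(m)) for sender authentication and integrity, and Bob's verification rejecting a ciphertext that was altered in transit.

```python
"""Added example (not from the slides): the three-key secure e-mail flow of
slides 3 to 6 in Python 3.8+, standard library only.

Alice sends K_S(m) and K_B+(K_S) for secrecy, and K_A-(H(m)) for sender
authentication and integrity; Bob reverses each step.

Toy simplifications (assumptions, never use as-is in production):
  - "RSA" is textbook RSA on fixed, publicly known Mersenne primes, so the
    private keys are not secret; only the key-usage structure is real.
  - K_S(m) is SHA-256 in counter mode (an unauthenticated XOR keystream)
    standing in for the block cipher PGP would use.
  - H(m) is SHA-256 truncated to 64 bits so the value fits under the toy
    modulus; no padding scheme (OAEP/PSS) is applied.
"""
import hashlib
import secrets

M31, M61, M89 = (1 << 31) - 1, (1 << 61) - 1, (1 << 89) - 1  # Mersenne primes
E = 65537


def toy_keypair(p, q):
    """Return ((e, n), (d, n)) = (public key K+, private key K-)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (E, n), (d, n)


def rsa_apply(key, value):
    """K(value): modular exponentiation with either half of a keypair."""
    exp, n = key
    if not 0 <= value < n:
        raise ValueError("value does not fit under the modulus")
    return pow(value, exp, n)


def keystream_xor(k_s, data):
    """K_S(data): XOR with SHA-256(k_s || counter) blocks; self-inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(k_s + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def h(m):
    """H(m) as an integer (SHA-256, truncated to 64 bits for the toy RSA)."""
    return int.from_bytes(hashlib.sha256(m).digest()[:8], "big")


def alice_send(m, alice_priv, bob_pub):
    k_s = secrets.token_bytes(8)                        # fresh symmetric key K_S
    return {
        "ks_m": keystream_xor(k_s, m),                  # K_S(m)
        "kb_ks": rsa_apply(bob_pub, int.from_bytes(k_s, "big")),  # K_B+(K_S)
        "ka_hm": rsa_apply(alice_priv, h(m)),           # K_A-(H(m))
    }


def bob_receive(pkt, bob_priv, alice_pub):
    k_s = rsa_apply(bob_priv, pkt["kb_ks"]).to_bytes(8, "big")  # K_B-(K_B+(K_S))
    m = keystream_xor(k_s, pkt["ks_m"])                         # K_S(K_S(m)) = m
    if rsa_apply(alice_pub, pkt["ka_hm"]) != h(m):              # K_A+(K_A-(H(m))) == H(m)?
        raise ValueError("signature does not match H(m)")
    return m


# Constructed demo keys and message (different moduli for Alice and Bob)
ALICE_PUB, ALICE_PRIV = toy_keypair(M31, M61)
BOB_PUB, BOB_PRIV = toy_keypair(M61, M89)
MESSAGE = b"Bob: my husband is out of town tonight. Passionately yours, Alice"


def demo(m=MESSAGE):
    """Round-trip m, then flip one ciphertext bit; returns (recovered, tamper_rejected)."""
    pkt = alice_send(m, ALICE_PRIV, BOB_PUB)
    recovered = bob_receive(pkt, BOB_PRIV, ALICE_PUB)
    forged = dict(pkt, ks_m=pkt["ks_m"][:-1] + bytes([pkt["ks_m"][-1] ^ 0x01]))
    try:
        bob_receive(forged, BOB_PRIV, ALICE_PUB)
        rejected = False
    except ValueError:
        rejected = True
    return recovered, rejected


if __name__ == "__main__":
    print(demo())
```

Note the order of operations on Bob's side: he must decrypt before he can check the signature, because the signature covers the plaintext m. A real PGP implementation also authenticates the ciphertext itself (or uses an authenticated cipher), which this toy keystream does not.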

  7. Pretty good privacy (PGP)
  • Internet e-mail encryption scheme, de-facto standard.
  • uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described.
  • provides secrecy, sender authentication, integrity.
  • inventor, Phil Zimmermann, was the target of a 3-year federal investigation.
  A PGP signed message:
  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA1

  Bob: My husband is out of town tonight. Passionately yours, Alice

  -----BEGIN PGP SIGNATURE-----
  Version: PGP 5.0
  Charset: noconv

  yhHJRHhGJGhgg/12EpJ+lo8gE4vB3mqJhFEvZP9t6n7G6m5Gw2
  -----END PGP SIGNATURE-----

  8. Secure sockets layer (SSL)
  • transport layer security to any TCP-based app using SSL services.
  • used between Web browsers and servers for e-commerce (https).
  • security services:
    • server authentication
    • data encryption
    • client authentication (optional)
  • server authentication:
    • SSL-enabled browser includes public keys for trusted CAs.
    • Browser requests the server certificate, issued by a trusted CA.
    • Browser uses the CA's public key to verify the CA's signature on the certificate; only a certificate that verifies (and whose name matches the host being contacted) lets the browser trust the server's public key it contains.
    • check your browser's security menu to see its trusted CAs.

  9. SSL (continued)
  • Encrypted SSL session:
    • Browser generates a symmetric session key, encrypts it with the server's public key, and sends the encrypted key to the server.
    • Using its private key, the server decrypts the session key.
    • Browser and server now share the session key.
    • All data sent into the TCP socket (by client or server) is encrypted with the session key.
  • SSL: basis of IETF Transport Layer Security (TLS). SSL itself is now deprecated; current deployments use TLS 1.2 or 1.3, and TLS 1.3 replaces the RSA key transport above with an ephemeral Diffie-Hellman exchange, so a later compromise of the server's private key does not expose recorded sessions.
  • SSL can be used for non-Web applications, e.g., IMAP.
  • Client authentication can be done with client certificates.

  10. IPsec: Network Layer Security
  • Network-layer secrecy: the sending host encrypts the data in the IP datagram (TCP and UDP segments; ICMP and SNMP messages).
  • Network-layer authentication: the destination host can authenticate the source IP address.
  • Two principal protocols:
    • authentication header (AH) protocol
    • encapsulation security payload (ESP) protocol
  • For both AH and ESP, source and destination handshake to create a network-layer logical channel called a security association (SA).
  • Each SA is unidirectional (two-way traffic needs two SAs). An SA is uniquely identified by:
    • security protocol (AH or ESP)
    • destination IP address
    • 32-bit connection ID, the Security Parameter Index (SPI), carried in every AH/ESP header

  11. Authentication Header (AH) Protocol
  • provides source authentication and data integrity, no confidentiality.
  • AH header inserted between the IP header and the data field; IP protocol field: 51.
  • intermediate routers process datagrams as usual.
  • AH header includes:
    • connection identifier (the SPI) and a sequence number (anti-replay)
    • authentication data: keyed message digest (HMAC) computed by the source over the original IP datagram; mutable IP header fields (TTL, header checksum, TOS, flags/fragment offset) are treated as zero in the computation so that routers can still rewrite them without invalidating the digest.
    • next header field: specifies the type of data (e.g., TCP, UDP, ICMP)
  Datagram layout: IP header | AH header | data (e.g., TCP, UDP segment)
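How the AH authentication data is actually computed and checked, as an added example that is not part of the original slides: Python, standard library only, building an IPv4 datagram in AH transport mode with the HMAC-SHA1-96 integrity algorithm of RFC 2404. The SA key, SPI, addresses and UDP payload are constructed for the demo; the zeroing of mutable IPv4 fields follows RFC 4302. It shows that a router decrementing the TTL leaves the ICV valid while a one-bit change to the payload, or the wrong SA key, does not.

```python
"""Added example (not from the slides): building and verifying the AH
authentication data (ICV) on an IPv4 datagram in transport mode, with the
HMAC-SHA1-96 integrity algorithm of RFC 2404. Standard library only.

Constructed data / assumptions:
  - The SA key, SPI, addresses and UDP payload below are made up for the demo.
  - Following RFC 4302, the ICV is computed over the whole datagram with the
    mutable IPv4 fields (TOS, flags/fragment offset, TTL, header checksum)
    and the ICV field itself zeroed, so routers rewriting TTL and checksum
    in transit do not invalidate it. The IPv4 checksum is left at zero here.
"""
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51     # IP protocol number of AH
ICV_LEN = 12      # HMAC-SHA1-96: 160-bit tag truncated to 96 bits
AH_FIXED = 12     # next header, payload len, reserved, SPI, sequence number


def ipv4_header(src, dst, proto, total_len, ttl=64):
    # version/IHL, TOS, total length, id, flags+frag (DF), TTL, proto, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, src, dst)


def ah_header(next_header, spi, seq, icv):
    payload_len = (AH_FIXED + len(icv)) // 4 - 2   # AH length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def icv_input(ip_hdr, ah_hdr, payload):
    """Bytes the ICV covers: IP header with mutable fields zeroed, AH with ICV zeroed."""
    ip = bytearray(ip_hdr)
    ip[1] = 0                  # TOS (DSCP/ECN)
    ip[6:8] = b"\x00\x00"      # flags + fragment offset
    ip[8] = 0                  # TTL
    ip[10:12] = b"\x00\x00"    # header checksum
    ah = bytearray(ah_hdr)
    ah[AH_FIXED:] = bytes(len(ah) - AH_FIXED)   # authentication data field = 0
    return bytes(ip) + bytes(ah) + payload


def compute_icv(key, ip_hdr, ah_hdr, payload):
    return hmac.new(key, icv_input(ip_hdr, ah_hdr, payload), hashlib.sha1).digest()[:ICV_LEN]


def build_ah_datagram(key, src, dst, spi, seq, inner_proto, payload, ttl=64):
    total = 20 + AH_FIXED + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, total, ttl)
    ah_zero = ah_header(inner_proto, spi, seq, bytes(ICV_LEN))
    icv = compute_icv(key, ip_hdr, ah_zero, payload)
    return ip_hdr + ah_header(inner_proto, spi, seq, icv) + payload


def verify_ah_datagram(key, datagram):
    """Receiver side: recompute the ICV over the received bytes, compare in constant time."""
    ip_hdr, rest = datagram[:20], datagram[20:]
    if len(ip_hdr) < 20 or ip_hdr[9] != AH_PROTO or len(rest) < AH_FIXED:
        return False
    ah_len = (rest[1] + 2) * 4
    ah, payload = rest[:ah_len], rest[ah_len:]
    if len(ah) != ah_len:
        return False
    return hmac.compare_digest(compute_icv(key, ip_hdr, ah, payload), ah[AH_FIXED:])


# Constructed demo values (not real keys or traffic)
SA_KEY = b"constructed-demo-ah-key-not-real"
SRC, DST = socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2")
UDP_PAYLOAD = bytes.fromhex("1f900035000c0000") + b"ping"   # fake UDP header + data


def demo():
    """Returns (valid, valid after TTL decrement, valid after payload tamper, valid with wrong key)."""
    d = build_ah_datagram(SA_KEY, SRC, DST, spi=0x1001, seq=1, inner_proto=17, payload=UDP_PAYLOAD)
    in_transit = d[:8] + bytes([d[8] - 1]) + d[9:]      # a router decremented the TTL
    tampered = d[:-1] + bytes([d[-1] ^ 0x01])          # an attacker flipped a payload bit
    return (verify_ah_datagram(SA_KEY, d),
            verify_ah_datagram(SA_KEY, in_transit),
            verify_ah_datagram(SA_KEY, tampered),
            verify_ah_datagram(b"wrong-key", d))


if __name__ == "__main__":
    print(demo())   # (True, True, False, False)
```

The same HMAC construction is what ESP's authentication field uses, but there it covers only the ESP header through the ESP trailer, not the outer IP header, which is why ESP (unlike AH) survives NAT.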

  12. ESP Protocol
  • provides secrecy, source host authentication, data integrity.
  • data and ESP trailer are encrypted.
  • next header field is in the ESP trailer.
  • ESP authentication field is similar to the AH authentication field.
  • IP protocol field = 50.
  Datagram layout: IP header | ESP header | TCP/UDP segment | ESP trailer | ESP authent.
    encrypted: TCP/UDP segment + ESP trailer
    authenticated: ESP header + TCP/UDP segment + ESP trailer

  13. IEEE 802.11 security
  • War-driving: drive around the Bay area, see what 802.11 networks are available.
    • More than 9000 accessible from public roadways
    • 85% use no encryption/authentication
    • packet-sniffing and various attacks easy!
  • Securing 802.11
    • encryption, authentication
    • first attempt at 802.11 security: Wired Equivalent Privacy (WEP): a failure (its RC4 keystream reuse and weak integrity check let an attacker recover the key from captured traffic)
    • current attempt: 802.11i (ratified in 2004 and deployed under the name WPA2)

  14. Network Security (summary)
  Basic techniques...
  • cryptography (symmetric and public)
  • authentication
  • message integrity
  • key distribution
  ... used in many different security scenarios
  • secure email
  • secure transport (SSL)
  • IPsec
