In the name of God, the Most Gracious, the Most Merciful. NETWORK SECURITY

Jan 22, 2016


In the name of God, the Most Gracious, the Most Merciful. NETWORK SECURITY. Done by: Saad Al-Shahrani, Saeed Al-Smazarkah. May 2006. PowerPoint PPT presentation.

  • NETWORK SECURITY

    Done By:

    Saad Al-Shahrani Saeed Al-Smazarkah

    May 2006

  • Network Security Goals

    Confidentiality or Privacy: Only the sender and the intended receiver should "understand" message contents
      Sender encrypts message
      Receiver decrypts message

    Authentication: Sender, receiver want to confirm identity of each other

    Integrity: Sender, receiver want to ensure messages are not altered during transmission without detection

    Access and Availability: Services must be accessible and available to users

  • People want to communicate securely

    Eve (intruder/eavesdropper): may intercept, delete, or add messages

  • There are eavesdroppers out there!

    Q: what can an eavesdropper do?
    A: a lot!

    Observing and recording information

    Unauthorized access to a server

    Denial of service: prevent service from being used by others (e.g. by Flooding a server with requests)

    Impersonating a legitimate server

    Hijacking: take over an ongoing connection by removing the sender or receiver and inserting herself in their place

  • Network Security: Agenda

    Main weapon: cryptography
      Confidentiality (encryption)
      Message authentication
      Signatures and certificates

    Internet threats, attacks and defenses
      Secure request/response protocols
      Secure connection tunnels
      Denial of Service attacks
      Firewalls

  • Encryption Protects Confidentiality

    Secret key crypto: shared secret key (K_E,B = K_D,B)
    Public key crypto: a user has a public encryption key K_E,B and a matching private decryption key K_D,B

  • Secret Key Crypto

    Two operations (encrypt, decrypt) which are inverses of each other, like multiplication/division
    One parameter (the key)
    Even the person who designed the algorithm can't break it without the key
    Ideally, a different key for each pair of users

  • Secret key crypto

    encrypt: f(K, plaintext) = ciphertext
    decrypt: f(K, ciphertext) = plaintext
    authentication: send f(K, challenge)
    integrity check: f(K, msg) = X
    verify integrity check: f(K, X, msg)

  • Public Key Crypto

    Two keys per user; the keys are inverses of each other
    Public key BPub: you tell it to the world
    Private key BPriv: you keep it private
    Yes, it's magic. Why can't you derive BPriv from BPub?
    And if that is hard, where did (BPub, BPriv) come from?

  • Encryption and Integrity

    Encryption hides the message from the eavesdropper

    Question: can the eavesdropper change the message? Or: does encryption ensure message integrity?

    With public key encryption: Eve can replace E_BPub(m) with a fake message of her own, E_BPub(m'), because the encryption key is public

    With secret (shared) key encryption: this seems harder to do
    But with a stream cipher, given c = m ⊕ k, the attacker can send c ⊕ mask; it decrypts to m ⊕ mask, so any chosen bit of the decrypted message is inverted (the attacker never needs the key)

    Encryption does not ensure integrity!
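    Worked example, added here and not from the slides: the f(K, ·) operations of the "Secret key crypto" slide together with the bit-flip attack above. A toy stream cipher (HMAC-SHA256 in counter mode, an assumption standing in for RC4 or AES-CTR) encrypts a constructed message; Eve flips a byte of the ciphertext without the key, and only the separate integrity check f(K, msg) catches it. The key, nonce and message are constructed for the demo.

```python
import hmac
import hashlib
import os

# Constructed example. HMAC-SHA256 in counter mode stands in for a real
# stream cipher such as RC4 or AES-CTR; a (key, nonce) pair must never be reused.


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudorandom bytes from (key, nonce)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """ciphertext = f(K, plaintext): XOR the data with the keystream."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """plaintext = f(K, ciphertext): XOR is its own inverse."""
    return encrypt(key, nonce, ciphertext)


def integrity_check(key: bytes, msg: bytes) -> bytes:
    """X = f(K, msg): a MAC over the message (HMAC-SHA256)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_integrity_check(key: bytes, msg: bytes, x: bytes) -> bool:
    """f(K, X, msg): recompute the MAC and compare in constant time."""
    return hmac.compare_digest(integrity_check(key, msg), x)


def challenge_response(key: bytes, challenge: bytes) -> bytes:
    """Authentication: prove knowledge of K by returning f(K, challenge)."""
    return integrity_check(key, challenge)


def flip_bits(ciphertext: bytes, offset: int, old: int, new: int) -> bytes:
    """Eve's attack: XOR a mask into the ciphertext so that the byte at
    `offset` decrypts to `new` instead of `old`. Eve needs no key, only a
    guess of what plaintext byte sits at that offset."""
    mask = bytearray(len(ciphertext))
    mask[offset] = old ^ new
    return bytes(c ^ m for c, m in zip(ciphertext, mask))


def demo() -> dict:
    key = b"shared secret of Saad and Saeed"   # constructed demo key
    nonce = os.urandom(8)
    msg = b"PAY SAEED 100 SAR"                   # constructed message
    ct = encrypt(key, nonce, msg)
    tag = integrity_check(key, msg)

    # Eve changes the amount without knowing K: byte 10 is the digit '1'.
    tampered_ct = flip_bits(ct, 10, ord("1"), ord("9"))
    tampered_pt = decrypt(key, nonce, tampered_ct)

    # Saad answers Saeed's challenge; Eve, without K, cannot.
    challenge = os.urandom(16)
    expected = challenge_response(key, challenge)

    return {
        "roundtrip_ok": decrypt(key, nonce, ct) == msg,
        "tampered_plaintext": tampered_pt,
        "tamper_detected": not verify_integrity_check(key, tampered_pt, tag),
        "saad_auth_ok": hmac.compare_digest(challenge_response(key, challenge), expected),
        "eve_auth_ok": hmac.compare_digest(challenge_response(b"wrong key", challenge), expected),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

    The decrypted message reads "PAY SAEED 900 SAR" with no error from the cipher; only the MAC fails. This is why practical protocols pair encryption with a MAC (or use an authenticated mode) rather than trusting encryption for integrity.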

  • Public Key vs. Secret Key

    In terms of capabilities, public key is more powerful.

    Public key provides digital signature.

    Secret key is much faster than public key

  • Public Key Digital Signatures: concept

    One of the best features of public key
    An integrity check calculated as f(private key, data) and verified as f(public key, data, signature)
    Verifiers don't need to know the secret key, so anyone holding the public key can check the signature, and only the private key holder could have produced it
    RSA can be used as a digital signature scheme

  • Popular Secret Key Algorithms

    DES: old standard, 56-bit key, slow (a 56-bit key has been brute-forceable since the late 1990s)
    3DES: fixes the key size but is 3 times as slow
    RC4: variable-length key, stream cipher (generate a keystream from the key, XOR it with the data); its keystream biases have since led to its removal from TLS
    AES: replacement for DES, will probably take over (and has since become the standard)

  • Popular Public Key Algorithms

    RSA: public key operations can be made very fast (small public exponent such as 65537), but private key operations will be slow.

    ECC (elliptic curve crypto): smaller keys, so faster than RSA (but not for public key ops).

  • Key Distribution Problem

    Secret key problem: how do two entities establish a shared secret key over the network?
    Solution: a trusted key distribution center (KDC) acting as intermediary between entities; the KDC needs a shared key with each entity.

    Public key problem: when Saad obtains Saeed's public key (from a web site, e-mail, diskette), how does he know it is Saeed's public key and not an eavesdropper's?
    Solution: a trusted certification authority (CA)

  • Key Distribution - Secret Keys

    Could configure one key per pair: on the order of n^2 keys
    Makes the system infeasible for large-scale use
    Instead use a Key Distribution Center (KDC)
    Every user has a secret key shared with the KDC (n keys in total)
    The KDC knows all the users
    The KDC assigns a session key to any pair who need to talk
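    Worked example, added here and not from the slides, of the KDC exchange described above: Saad asks the KDC for a key to talk to Saeed, the KDC answers under Saad's long-term key with a fresh session key plus a "ticket" sealed under Saeed's key, and Saad forwards the ticket to Saeed. The message layout, the names `seal`/`open_` and the toy authenticated encryption (HMAC-SHA256 keystream plus tag, standing in for a cipher like AES-GCM) are assumptions for the demo; the exchange is a simplified Needham-Schroeder style protocol with no nonces or timestamps, so it carries no replay protection.

```python
import hmac
import hashlib
import json
import os

# Constructed example: a KDC that shares one long-term key with every user
# and hands out a fresh session key to a pair on request. seal/open_ are a toy
# authenticated encryption built from HMAC-SHA256 (keystream XOR plus a tag).


def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, readable only by a holder of `key`."""
    nonce = os.urandom(12)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Check the tag first, then decrypt; a wrong key raises ValueError."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: wrong key or tampered message")
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))


class KDC:
    """Holds one long-term key per registered user (n keys, not n^2)."""

    def __init__(self):
        self.keys = {}

    def register(self, name: str) -> bytes:
        # In practice this key is configured out of band when the user is enrolled.
        self.keys[name] = os.urandom(32)
        return self.keys[name]

    def request(self, a: str, b: str) -> bytes:
        """A asks to talk to B. Returns, sealed under K_A: the session key and a
        ticket sealed under K_B that carries the same key and A's name."""
        k_ab = os.urandom(32)
        ticket = seal(self.keys[b], json.dumps({"peer": a, "session_key": k_ab.hex()}).encode())
        reply = {"peer": b, "session_key": k_ab.hex(), "ticket": ticket.hex()}
        return seal(self.keys[a], json.dumps(reply).encode())


def _can_open(key: bytes, blob: bytes) -> bool:
    try:
        open_(key, blob)
        return True
    except ValueError:
        return False


def demo() -> dict:
    kdc = KDC()
    k_saad = kdc.register("Saad")
    k_saeed = kdc.register("Saeed")

    # Saad -> KDC: "I want to talk to Saeed"; KDC -> Saad: sealed reply.
    reply = json.loads(open_(k_saad, kdc.request("Saad", "Saeed")))
    ticket_blob = bytes.fromhex(reply["ticket"])
    # Saad -> Saeed: the ticket. Saad forwards it unchanged; only Saeed can open it.
    ticket = json.loads(open_(k_saeed, ticket_blob))

    return {
        "same_session_key": reply["session_key"] == ticket["session_key"],
        "ticket_names_requester": ticket["peer"] == "Saad",
        "saad_can_read_ticket": _can_open(k_saad, ticket_blob),
        "eve_can_read_ticket": _can_open(b"eve shares no key with the KDC", ticket_blob),
    }


if __name__ == "__main__":
    print(demo())
```

    Both parties end up with the same session key, and neither Eve (no key with the KDC) nor Saad (wrong key) can read the ticket addressed to Saeed. The KDC is a single point of trust and failure: it can read every session key it issues.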

  • Key Distribution - Public Keys

    A Certification Authority (CA) signs certificates
    Certificate = a signed message saying "I, the CA, vouch that 489024729 is Saad's public key"
    If everyone has a certificate, a private key, and the CA's public key, they can authenticate each other

  • Key Distribution - Public Keys

    (Diagram: the CA issues the certificate [Saad, key=342872] to Saad and the certificate [Saeed, key=8294781] to Saeed; Saad and Saeed then use them for authentication, encryption, etc.)
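    Worked example, added here and not from the slides, serving both the "Public Key Digital Signatures" slide and the two certificate slides above: textbook RSA signing over a hash, a CA that signs "subject, public key" statements, Saeed checking Saad's certificate with the CA's key and then Saad's message with Saad's key, and two substitutions by Eve that fail. The primes are small (about 20 bits) so the numbers stay readable, which also answers "why can't you derive BPriv from BPub?": at this size trial division recovers the private key in a fraction of a second, which is exactly why real keys are 2048 bits or more and use proper padding (PSS). Key sizes, names and the certificate layout are assumptions for the demo.

```python
import hashlib
from math import isqrt

# Constructed example: textbook RSA over SHA-256 with toy primes. Not for real use:
# real keys are 2048-bit or larger and signatures use a padding scheme such as PSS.


def rsa_keygen(p: int, q: int, e: int = 65537):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)        # (public key, private key)


def _h(data: bytes, n: int) -> int:
    """Hash the data and reduce into the RSA domain [0, n)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    """signature = f(private key, data) = H(data)^d mod n"""
    n, d = priv
    return pow(_h(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    """f(public key, data, signature): does sig^e mod n equal H(data)?"""
    n, e = pub
    return pow(sig, e, n) == _h(data, n)


def cert_bytes(subject: str, pub) -> bytes:
    return f"{subject}|{pub[0]}|{pub[1]}".encode()


def issue_certificate(ca_priv, subject: str, pub) -> dict:
    """'I, the CA, vouch that <pub> is <subject>'s public key.'"""
    return {"subject": subject, "public_key": pub,
            "signature": sign(ca_priv, cert_bytes(subject, pub))}


def verify_certificate(ca_pub, cert: dict) -> bool:
    return verify(ca_pub, cert_bytes(cert["subject"], cert["public_key"]), cert["signature"])


def recover_private_key(pub):
    """Factor a toy modulus by trial division and rebuild d. Feasible only
    because n is tiny; this is the step that must be infeasible for real keys."""
    n, e = pub
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return (n, pow(e, -1, (p - 1) * (n // p - 1)))
    raise ValueError("no factor found")


def demo() -> dict:
    ca_pub, ca_priv = rsa_keygen(1000037, 1000039)
    saad_pub, saad_priv = rsa_keygen(1000003, 1000033)
    eve_pub, eve_priv = rsa_keygen(999983, 999979)

    cert = issue_certificate(ca_priv, "Saad", saad_pub)

    # Eve either pastes her key into Saad's certificate or signs one herself.
    swapped = dict(cert, public_key=eve_pub)
    self_signed = issue_certificate(eve_priv, "Saad", eve_pub)

    # Saeed: check the certificate with the CA's key, then the message with Saad's key.
    msg = b"Transfer 100 SAR to Saeed"
    sig = sign(saad_priv, msg)
    return {
        "cert_ok": verify_certificate(ca_pub, cert),
        "swapped_cert_ok": verify_certificate(ca_pub, swapped),
        "self_signed_ok": verify_certificate(ca_pub, self_signed),
        "msg_ok": verify(cert["public_key"], msg, sig),
        "altered_msg_ok": verify(cert["public_key"], b"Transfer 900 SAR to Saeed", sig),
        "toy_key_recovered": recover_private_key(saad_pub) == saad_priv,
    }


if __name__ == "__main__":
    print(demo())
```

    Saeed never learns Saad's private key, and the only key he has to trust out of band is the CA's. Everything else rests on the CA signing the correct binding of name to key.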

  • Denial of Service Attack

    Attacker tries to exhaust resources of a host/server/router/user
    Resources include:
      Computation (CPU time)
      Storage (e.g. for the state of requests/connections)
      Open TCP connections: limited (tens to several thousand, depending on hardware and operating system)
    SYN flooding DoS attack: attacker sends a flow of SYNs (open connection); the server allocates state and waits

  • SYN flooding DoS attack

    Attacker sends many SYN requests (using different spoofed client IP addresses) and never sends the final ACK
    Each half-open connection holds a slot until it times out, using up the server's capacity for open connections
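    Worked example, added here and not from the slides: a small model of the server's half-open connection table under the SYN flood described above. The backlog size, timeout and addresses are constructed assumptions; a real TCP stack has more state, but the resource argument is the same.

```python
# Constructed model of the server side of TCP's three-way handshake: a bounded
# table of half-open connections (SYN received, ACK not yet seen), cleared by timeout.


class ListenSocket:
    def __init__(self, backlog: int, syn_timeout: float):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.half_open = {}        # (src_ip, src_port) -> time the SYN arrived
        self.established = set()
        self.dropped = 0

    def _expire(self, now: float) -> None:
        for client, t in list(self.half_open.items()):
            if now - t > self.syn_timeout:
                del self.half_open[client]

    def on_syn(self, client, now: float) -> bool:
        """SYN arrives: reserve a slot and send SYN-ACK, or drop if the table is full."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return False
        self.half_open[client] = now
        return True

    def on_ack(self, client, now: float) -> bool:
        """Final ACK arrives: the handshake completes and the slot is freed."""
        if client not in self.half_open:
            return False
        del self.half_open[client]
        self.established.add(client)
        return True


def syn_flood(server: ListenSocket, count: int, now: float) -> None:
    """Attacker sends `count` SYNs from distinct spoofed sources and never ACKs.
    Because the sources are spoofed, the SYN-ACKs go to hosts that never answer."""
    for i in range(count):
        spoofed = (f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 40000)
        server.on_syn(spoofed, now)


def simulate() -> dict:
    srv = ListenSocket(backlog=256, syn_timeout=30.0)
    legit = ("203.0.113.5", 51000)
    before = srv.on_syn(legit, 0.0) and srv.on_ack(legit, 0.1)   # normal handshake
    syn_flood(srv, 1000, 1.0)
    during = srv.on_syn(("203.0.113.6", 51001), 2.0)   # table full: legitimate SYN dropped
    after = srv.on_syn(("203.0.113.6", 51001), 40.0)   # flood entries expired: accepted
    return {
        "before": before, "during": during, "after": after,
        "dropped": srv.dropped,
        "syns_per_second_to_keep_full": srv.backlog / srv.syn_timeout,
    }


if __name__ == "__main__":
    print(simulate())
```

    The last figure is the point of the attack: with a 256-entry backlog and a 30-second timeout the attacker needs fewer than nine spoofed SYNs per second to keep the table full indefinitely, far less bandwidth than the server has. Shortening the timeout only raises that rate a little; modern stacks instead avoid keeping per-SYN state (SYN cookies).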

  • Firewalls

    Firewall: a secure machine (or program) isolating an organization's internal net from the larger Internet (or another net), allowing some packets to pass and blocking others

  • Packet Filtering

    Internal network connected to the Internet via a router firewall (packet filtering)
    Router filters packet by packet; the decision to forward/drop a packet is based on:
      Source IP address, destination IP address
      TCP/UDP source and destination port numbers
      TCP SYN and ACK bits (identify client vs. server)
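    Worked example, added here and not from the slides: a stateless packet filter that decides on exactly the fields listed above. The internal network, the one permitted server, the rule set and the sample packets are constructed assumptions. Beyond the slide, it also shows the classic limitation of using the ACK bit alone to tell "reply" from "new connection": a packet with ACK set and no matching connection (an ACK scan) sails through, which is what stateful inspection later fixed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv6Address
from typing import Optional

# Constructed example: first-match rule evaluation, default drop.
INTERNAL = ip_network("192.168.1.0/24")          # assumed internal net
WEB_SERVER = ip_address("192.168.1.10")          # assumed public web server


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass
class Rule:
    action: str                      # "allow" or "drop"
    src: Optional[object] = None     # ip_network / ip_address, None = any
    dst: Optional[object] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    syn: Optional[bool] = None       # None = don't care
    ack: Optional[bool] = None

    @staticmethod
    def _addr_match(addr: str, spec) -> bool:
        if spec is None:
            return True
        a = ip_address(addr)
        return a == spec if isinstance(spec, (IPv4Address, IPv6Address)) else a in spec

    def matches(self, p: Packet) -> bool:
        return (self._addr_match(p.src, self.src) and self._addr_match(p.dst, self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.syn is None or self.syn == p.syn)
                and (self.ack is None or self.ack == p.ack))


RULES = [
    # 1. Anything internal hosts send outward (clients opening connections).
    Rule("allow", src=INTERNAL),
    # 2. New inbound connections (SYN set, ACK clear) only to the web server, port 80.
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=80, syn=True, ack=False),
    # 3. Any other inbound connection attempt is dropped.
    Rule("drop", dst=INTERNAL, proto="tcp", syn=True, ack=False),
    # 4. Inbound TCP with ACK set is assumed to be a reply to an internal client.
    Rule("allow", dst=INTERNAL, proto="tcp", ack=True),
    # Anything else falls through to the default drop in filter_packet().
]


def filter_packet(p: Packet, rules=RULES) -> str:
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


# Constructed sample packets.
OUTBOUND_SYN = Packet("192.168.1.20", "93.184.216.34", "tcp", 51000, 443, syn=True)
REPLY_SYNACK = Packet("93.184.216.34", "192.168.1.20", "tcp", 443, 51000, syn=True, ack=True)
INBOUND_SSH_SYN = Packet("198.51.100.9", "192.168.1.20", "tcp", 40000, 22, syn=True)
INBOUND_WEB_SYN = Packet("198.51.100.9", "192.168.1.10", "tcp", 40000, 80, syn=True)
ACK_SCAN = Packet("198.51.100.9", "192.168.1.20", "tcp", 40000, 22, ack=True)  # no connection
INBOUND_UDP = Packet("198.51.100.9", "192.168.1.20", "udp", 40000, 161)

if __name__ == "__main__":
    for name, pkt in [("outbound SYN", OUTBOUND_SYN), ("reply SYN-ACK", REPLY_SYNACK),
                      ("inbound SSH SYN", INBOUND_SSH_SYN), ("inbound web SYN", INBOUND_WEB_SYN),
                      ("ACK scan", ACK_SCAN), ("inbound UDP", INBOUND_UDP)]:
        print(f"{name:16s} -> {filter_packet(pkt)}")
```

    The ACK-scan packet is allowed by rule 4 even though no internal client ever sent a SYN; a stateless filter cannot know that. The attacker learns nothing from the web server's answer in this case (a RST), but the probe still reaches the host, which is the gap a stateful firewall closes by checking the packet against a table of connections it has actually seen open.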

  • References

    Our textbook: http://www.aw.com/kurose-ross/
    http://www.iec.org
    http://amir.herzberg.name