
Lecture 07 networking

Apr 12, 2017


William Stallings, Cryptography and Network Security 5/e

Network Security

Lecture - 07


Standards Organizations

National Institute of Standards & Technology (NIST)

Internet Society (ISOC)

International Telecommunication Union Telecommunication Standardization Sector (ITU-T)

International Organization for Standardization (ISO)


Problem

Computer networks are typically a shared resource used by many applications representing different interests. The Internet is particularly widely shared, being used by competing businesses, mutually antagonistic governments, and opportunistic criminals.

Unless security measures are taken, a network conversation or a distributed application may be compromised by an adversary.

The University of Adelaide, School of Computer Science, 12 January 2016, Chapter 2 Instructions: Language of the Computer

Computer Security

The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)


Key Security Concepts


Levels of Impact

Can define 3 levels of impact from a security breach:

Low
Moderate
High


Aspects of Security

Consider 3 aspects of information security:

security attack
security mechanism
security service

Terms in security:

threat: a potential for violation of security

attack: an assault on system security, a deliberate attempt to evade security services


Passive Attacks


Active Attacks


Security Service

Enhances the security of data processing systems and information transfers of an organization

Intended to counter security attacks

Uses one or more security mechanisms

Often replicates functions normally associated with physical documents, which, for example, have signatures and dates; need protection from disclosure, tampering, or destruction; may be notarized or witnessed; may be recorded or licensed


Security Services

X.800: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers

RFC 2828: a processing or communication service provided by a system to give a specific kind of protection to system resources


Security Mechanism

A feature designed to detect, prevent, or recover from a security attack

No single mechanism will support all the services required

However, one particular element underlies many of the security mechanisms in use: cryptographic techniques


Model for Network Security


Model for Network Security

Using this model requires us to:

design a suitable algorithm for the security transformation
generate the secret information (keys) used by the algorithm
develop methods to distribute and share the secret information
specify a protocol enabling the principals to use the transformation and secret information for a security service


Model for Network Access Security


Cryptographic Building Blocks

Symmetric-key encryption and decryption


Cryptographic Building Blocks

Encryption transforms a message in such a way that it becomes unintelligible to any party that does not have the secret of how to reverse the transformation.

The sender applies an encryption function to the original plaintext message, resulting in a ciphertext message that is sent over the network.

The receiver applies a secret decryption function, the inverse of the encryption function, to recover the original plaintext.


Cryptographic Building Blocks

Symmetric Key Ciphers

Both participants in a communication share the same key. If a message is encrypted using a particular key, the same key is required for decrypting the message.


Cryptographic Building Blocks

Public-key encryption


Cryptographic Building Blocks

Authentication using public keys


Example Systems

Secure Shell (SSH)

Using SSH port forwarding to secure other TCP-based applications


Wireless Security (IEEE 802.11i)

The IEEE 802.11i standard provides authentication, message integrity, and confidentiality to 802.11 (Wi-Fi) at the link layer.

WPA2 (Wi-Fi Protected Access 2) is often used as a synonym for 802.11i, although it is technically a trademark of The Wi-Fi Alliance that certifies product compliance with 802.11i.

802.11i authentication supports two modes. In either mode, the end result of successful authentication is a shared Pairwise Master Key. Personal mode, also known as Pre-Shared Key (PSK) mode, provides weaker security but is more convenient and economical for situations like a home 802.11 network. The wireless device and the Access Point (AP) are preconfigured with a shared passphrase, essentially a very long password, from which the Pairwise Master Key is cryptographically derived.
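The PSK-mode derivation the slide describes, as an added example that is not part of the lecture: 802.11i defines the PSK as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations, 32 bytes) and uses it directly as the Pairwise Master Key. The function names and the two-SSID comparison are this example's own; the check value in the test is the standard's published vector for passphrase "password" on SSID "IEEE".

```python
import hashlib


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key for 802.11i Personal (PSK) mode.

    PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), and in
    PSK mode that value is the PMK. The SSID is only a salt: it is public, so the
    PMK's strength is bounded by the passphrase, not by the 256-bit output size.
    Every station on the network derives the same PMK, which is why the slide
    calls this mode weaker than using an authentication server.
    """
    # The standard restricts passphrases to 8..63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("802.11i passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def pmk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PMK, as printed by tools such as wpa_passphrase."""
    return pmk_from_passphrase(passphrase, ssid).hex()


def same_pmk(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only when two stations would agree on the PMK: a passphrase typed on a
    network with a different SSID yields a different key, so authentication fails."""
    return pmk_from_passphrase(passphrase, ssid_a) == pmk_from_passphrase(passphrase, ssid_b)


if __name__ == "__main__":
    print(pmk_hex("password", "IEEE"))          # the standard's test vector (hypothetical SSID "IEEE")
    print(same_pmk("password", "IEEE", "OtherNet"))   # False: SSID is part of the derivation
```

Because the salt is public and the iteration count is fixed by the standard, the only defender-controlled input to PMK strength is passphrase entropy, which is the practical meaning of "weaker security" on the slide.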


Example Systems

Wireless Security (IEEE 802.11i)

Use of an Authentication Server in 802.11i


Firewalls

A firewall is a system that typically sits at some point of connectivity between a site it protects and the rest of the network.

It is usually implemented as an appliance or part of a router, although a personal firewall may be implemented on an end user machine.

Firewall-based security depends on the firewall being the only connectivity to the site from outside; there should be no way to bypass the firewall via other gateways, wireless connections, or dial-up connections.


Firewalls

Firewalls filter based on IP, TCP, and UDP information, among other things. They are configured with a table of addresses that characterize the packets they will, and will not, forward. Generally, each entry in the table is a 4-tuple: it gives the IP address and TCP (or UDP) port number for both the source and destination.
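The 4-tuple filter table described above, as an added example that is not from the lecture: each entry names source and destination address and port (with wildcards), the first matching entry decides, and a packet no entry describes is dropped. The rule layout, the site addresses (documentation ranges) and the sample packets are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# A packet, reduced to the 4-tuple the slide describes: (src IP, src port, dst IP, dst port).
Packet = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Rule:
    """One table entry: address/port patterns for source and destination plus the verdict.

    Addresses are networks ("192.0.2.0/24") or "any"; a port of None means any port.
    """
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    action: str  # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        src, sport, dst, dport = pkt
        return (self._ip_in(src, self.src)
                and (self.sport is None or self.sport == sport)
                and self._ip_in(dst, self.dst)
                and (self.dport is None or self.dport == dport))

    @staticmethod
    def _ip_in(ip: str, pattern: str) -> bool:
        net = ip_network("0.0.0.0/0" if pattern == "any" else pattern, strict=False)
        return ip_address(ip) in net


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; anything the table does not describe is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed policy for a site on 192.0.2.0/24: outsiders may reach only the web
# server on port 443, insiders may open outbound connections, everything else
# (including inbound SSH to the web server) falls through to the default deny.
SITE_RULES = [
    Rule("any", None, "192.0.2.10/32", 443, "allow"),
    Rule("192.0.2.0/24", None, "any", None, "allow"),
]

if __name__ == "__main__":
    for pkt in [("203.0.113.7", 40000, "192.0.2.10", 443),
                ("203.0.113.7", 40001, "192.0.2.10", 22),
                ("192.0.2.5", 51000, "198.51.100.1", 80)]:
        print(pkt, "->", decide(SITE_RULES, pkt))
```

Note that the reply from 198.51.100.1:80 back to 192.0.2.5:51000 matches no entry and is dropped: a purely stateless 4-tuple table needs either explicit return-traffic entries or connection tracking, which these slides do not cover.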


Firewalls

A firewall filters packets flowing between a site and the rest of the Internet
