Security Overview. Hofstra University, University College for Continuing Education - Advanced Java Programming. Lecturer: Engin Yalt. May 24, 2006
Page 1: Security Overview

Security Overview

Hofstra University

University College for Continuing Education

- Advanced Java Programming

Lecturer: Engin Yalt

May 24, 2006

Page 2: Security Overview

Disclaimer

The images in this presentation are taken from

http://williamstallings.com/NetSec2e.html

Network Security Essentials, William Stallings

Page 3: Security Overview

Security Attacks

Page 4: Security Overview

Security Attacks

• Interruption: attack on availability
• Interception: attack on confidentiality
• Modification: attack on integrity
• Fabrication: attack on authenticity

Page 5: Security Overview

Threat Classifications

Page 6: Security Overview

Passive Attacks - Release of message contents

Page 7: Security Overview

Passive Attacks - Traffic analysis

Page 8: Security Overview

Active Attacks - Masquerade

Page 9: Security Overview

Active Attacks – Replay

Page 10: Security Overview

Active Attacks – Modification of message

Page 11: Security Overview

Active Attacks – Denial of service

Page 12: Security Overview

Security Goals

Integrity

Authenticity

Availability

Confidentiality

Page 13: Security Overview

Security Services

• Confidentiality (privacy)
• Authentication (who created or sent the data)
• Integrity (has not been altered)
• Non-repudiation (the order is final)
• Access control (prevent misuse of resources)
• Availability (permanence, non-erasure)
  • Denial of Service Attacks
  • Virus that deletes files

Page 14: Security Overview

Model of Network Security

Page 15: Security Overview

Methods of Defense

• Encryption
• Software Controls (access limitations in a data base, in operating system protect each user from other users)
• Hardware Controls (smartcard)
• Policies (frequent changes of passwords)
• Physical Controls

Page 16: Security Overview

Conventional Encryption

Page 17: Security Overview

Cryptography

Classified along three independent dimensions:

• The type of operations used for transforming plaintext to cipher text
• The number of keys used
  • symmetric (single key) (DES, 3DES)
  • asymmetric (two-keys, or public-key) (RSA)
• The way in which the plaintext is processed
  • Block cipher vs. Stream cipher processing

Page 18: Security Overview

Average time required for exhaustive key search

Key Size (bits) | Number of Alternative Keys | Time required at 10^6 Decryption/µs
32 | 2^32 = 4.3 x 10^9 | 2.15 milliseconds
56 | 2^56 = 7.2 x 10^16 | 10 hours
128 | 2^128 = 3.4 x 10^38 | 5.4 x 10^18 years
168 | 2^168 = 3.7 x 10^50 | 5.9 x 10^30 years

Page 19: Security Overview

Key Distribution

• A key could be selected by A and physically delivered to B.
• A third party could select the key and physically deliver it to A and B.
• If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key.
• If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.

Page 20: Security Overview

Key Distribution

• Session key: Data encrypted with a one-time session key. At the conclusion of the session, the key is destroyed
• Permanent key: Used between entities for the purpose of distributing session keys

Page 21: Security Overview

Key Distribution

Page 22: Security Overview

Authentication

• Requirements - must be able to verify that:
  1. Message came from apparent source or author
  2. Contents have not been altered,
  3. Sometimes, it was sent at a certain time or sequence.
• Protection against active attack (falsification of data and transactions)

Page 23: Security Overview

Authentication - MAC
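
The three authentication requirements listed on the previous slide, checked with a message authentication code. This is an added example, not code from the original slides; the choice of HMAC-SHA256, the class name `MacAuthDemo`, the sequence-number layout and the sample key and messages are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class MacAuthDemo {
    private final SecretKeySpec key;   // secret shared by sender and receiver
    private long lastSeq = 0;          // highest sequence number accepted so far

    MacAuthDemo(byte[] sharedSecret) {
        key = new SecretKeySpec(sharedSecret, "HmacSHA256");
    }

    // The tag covers sequence number and body, so neither can change unnoticed.
    byte[] tag(long seq, byte[] body) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        mac.update(ByteBuffer.allocate(Long.BYTES).putLong(seq).array());
        return mac.doFinal(body);
    }

    // Requirements 1 and 2: the tag must verify. Requirement 3: the sequence must advance.
    boolean accept(long seq, byte[] body, byte[] receivedTag) throws Exception {
        if (!MessageDigest.isEqual(tag(seq, body), receivedTag)) return false; // constant-time compare
        if (seq <= lastSeq) return false;                                      // replayed or stale
        lastSeq = seq;
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key and messages, for illustration only.
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
        MacAuthDemo sender = new MacAuthDemo(secret);
        MacAuthDemo receiver = new MacAuthDemo(secret);
        byte[] msg = "transfer 10 to B".getBytes(StandardCharsets.UTF_8);
        byte[] altered = "transfer 99 to B".getBytes(StandardCharsets.UTF_8);
        byte[] t = sender.tag(1, msg);

        System.out.println("modified message accepted: " + receiver.accept(1, altered, t));
        System.out.println("genuine message accepted:  " + receiver.accept(1, msg, t));
        System.out.println("replayed message accepted: " + receiver.accept(1, msg, t));
    }
}
```

Only the genuine, first-time message passes: the altered body fails the tag check, and the replay carries a valid tag but a sequence number the receiver has already seen.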

Page 24: Security Overview

Authentication – Encrypted MAC

Page 25: Security Overview

Authentication – Secret Value

Page 26: Security Overview

Public-Key Cryptography

• Use of two keys (public key, private key)
• The scheme has six ingredients
  • Public key
  • Private key
  • Plaintext
  • Encryption algorithm
  • Ciphertext
  • Decryption algorithm

Page 27: Security Overview

Encryption using Public-Key

Page 28: Security Overview

Authentication using Public-Key

Page 29: Security Overview

Public-Key Cryptographic Algorithms

• RSA - Ron Rivest, Adi Shamir and Len Adleman at MIT, in 1977.
  • RSA is a block cipher
  • The most widely implemented
• Diffie-Hellman
  • Exchange a secret key securely
  • Compute discrete logarithms

Page 30: Security Overview

Public-Key Infrastructure (PKI)

Creating Certificate

* CA = Certificate Authority

Page 31: Security Overview

Public-Key Infrastructure (PKI)

Obtaining a Certificate

http://www.sdl.hitachi.co.jp/english/people/pki/index04.html

Page 32: Security Overview

X.509 Authentication Service

• Distributed set of servers that maintains a database about users.
• Each certificate contains the public key of a user and is signed with the private key of a CA*.
• Is used in S/MIME, IP Security, SSL/TLS and SET.
• RSA is recommended to use.

* CA = Certificate Authority

Page 33: Security Overview

X.509 CA Hierarchy

Page 34: Security Overview

Revocation of Certificates

Reasons:

• The user's secret key is assumed to be compromised.
• The user is no longer certified by this CA.
• The CA's certificate is assumed to be compromised.

Page 35: Security Overview

E-Mail Security

• PGP – (Pretty Good Privacy)
  • Philip R. Zimmermann is the creator
  • Provides a confidentiality and authentication service
  • Can be used for email and file storage applications
• S/MIME - (Secure/Multipurpose Internet Mail Extension)
  • Enveloped Data: content and session keys encrypted for recipients.
  • Signed Data: Message Digest encrypted with private key of "signer."
  • Clear-Signed Data: Signed but not encrypted.
  • Signed and Enveloped Data

Page 36: Security Overview

PGP

Page 37: Security Overview

Secure Sockets Layer - SSL

• Browser connects to a secure server https://.....
• The server sends its certificate
• The browser
  • verifies the certificate
  • creates a session key (shared secret)
  • encrypts the session key with server's public key
  • sends it to the server.
• The server decrypts the session key using its private key
• The handshake is complete! Now browser and server can talk using a shared secret key.
• The browser sends sensitive info (credit card) over a secure channel.

http://www.ourshop.com/resources/ssl.html
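
The session-key steps on this slide, written against the Java cryptography API as an added example that is not part of the original slides. It assumes RSA-OAEP for encrypting the session key and AES-GCM for the channel (the slide names neither), skips certificate verification by generating the server key pair locally, and uses the hypothetical class name `SessionKeyTransportDemo` with a constructed sample message.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;

public class SessionKeyTransportDemo {
    public static void main(String[] args) throws Exception {
        // Server: long-term RSA key pair. In SSL the public half arrives inside
        // the certificate, which the browser verifies first (not shown here).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair server = kpg.generateKeyPair();

        // Browser: create a fresh session key and encrypt it with the server's public key.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey session = kg.generateKey();
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, server.getPublic());
        byte[] wrapped = rsa.wrap(session);   // this is what crosses the network

        // Server: decrypt the session key with its private key.
        rsa.init(Cipher.UNWRAP_MODE, server.getPrivate());
        SecretKey serverSession = (SecretKey) rsa.unwrap(wrapped, "AES", Cipher.SECRET_KEY);

        // Browser: send data under the shared session key, with a fresh 12-byte IV.
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(128, iv));
        byte[] ct = aes.doFinal("card=CONSTRUCTED-SAMPLE".getBytes(StandardCharsets.UTF_8));

        // Server: decrypt with its copy of the key; GCM rejects modified ciphertext.
        aes.init(Cipher.DECRYPT_MODE, serverSession, new GCMParameterSpec(128, iv));
        String received = new String(aes.doFinal(ct), StandardCharsets.UTF_8);
        System.out.println("server received: " + received);
    }
}
```

The private key never leaves the server, so an eavesdropper who records `wrapped` and `ct` cannot recover the session key or the message.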

Page 38: Security Overview

Security and Java Platform

• Platform Security (Java Language, Sand Box)
• Cryptography (JCA, JCE)
• Authentication and Access Control (JAAS)
• Secure Communications (JSSE, JGSS)
• Public Key Infrastructure (PKI)

http://java.sun.com/security/