Top Banner
Jan 5, 1998 CMPN 369 Page 1 CPSC441 Security Module Internet Security
88
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
  • 1. CPSC441 Security Module Internet Security

2. TYPESOFSECURITY 1. INTEGRITY AND PRIVACY OF INFORMATION(SECURE DATA COMMUNICATION) SOLUTION: Electronic transaction 2. LIMIT TO CONNECTIVITY SOLUTION: Various kinds of Firewalls 3. NODE SECURITY SOLUTION: Anti-virus software 3. SUMMARY OF SECURITY OPTIONS 1.SECURE COMMUNICATION: a) Secure Socket Layer (SSL) b) Virtual Private Networks (VPN) c) Kerberos authentication d) Special protocols (S/MIME, DNSsec) 2.LIMITING CONNECTIVITY a) Packet filtering firewalls b) Proxy servers c) SOCKS servers d) NAT routers LINUX includes Packet filtering and NAT routing as a part of the Kernel software 3.NODE SECURITY Anti-virus software 4. SECURE DATA COMMUNICATION Required by e-commerce Based on the business transaction Current business transaction consist of: I.Initial identification of the client(S.I.N., Passport,certificates)II. Transaction: a) Initial setup: 1. Client selects and trustsserver (Bank etc.) 2. Sever verifies client, sets account b) Transaction execution: 5. TRANSACTION EXECUTION - cont. CLIENT: 1.HAS certificate 2. KNOWS account number 3. REQUESTS transaction 4. CONFIRMS (signs) the request SERVER: 1. AUTHENTICATES the client 2. PERFORMS the transaction 3. CONFIRMS (signs) the transaction 4. GUARANTEES the confidentiality 6. E -COMMERCE:NEEDED 1. CERTIFICATES 2. SERVER AUTHENTICATION 3. CLIENT AUTHENTICATION 4. DIGITAL SIGNATURES 5. CONFIDENCIALITY OF THE TRANSACTION Collectively known as SECURE COMMUNICATION Based on ENCRYPTION techniques 7. Symmetric-Key Encryption

  • T he same key is used for both encryption and decryption
  • T he encryption key can be calculated from thedecryption key and vice versa

8.

  • Implementations can be highly efficient nosignificant time delay
  • P rovides a degree of authentication information encrypted with one symmetric key cannot be decrypted with any other symmetric key.
  • E ffective only if the symmetric key is kept secret by the two parties involved.
  • P lays an important role in the SSL protocol, which is widely used for authentication, tamper detection, and encryption over TCP/IP networks.
    • SSL also uses techniques of public-key encryption(next)

Symmetric-Key Encryption 9. Public-Key Encryption

  • Patented by RSA Data Security (www.rsa.com)
  • A lso called asymmetric encryption
  • P air of keys--apublic keyand aprivate key
  • Data encrypted with your public key can be decrypted onlywith your private key P ublic keyispublished, and thecorresponding private key is kept secret. (moreinfo in Certificates and Authentication.)

10. Public-Key Encryption

  • L ets you freely distribute a public key, and only you will be able to read data encrypted using this key.
  • T o send encrypted data to someone, you encrypt the data with that person's public key, and the person receiving the encrypted data decrypts it with the corresponding private key.
  • Compared with symmetric-key encryption, public-key encryption requires more computation and is therefore not always appropriate for large amounts of data.

11. Public-Key Encryption

  • I t's possible to use public-key encryption to send a symmetric key, which can then be used to encrypt additional data. This is the approach used by the SSL protocol.
  • The reversealso works: data encrypted with your private key can be decrypted only with your public key.
  • This would not be a desirable way to encrypt sensitive data :anyone with your public key( published ) , could decrypt the data.

12.

  • Digital signatures using public-key cryptography.

13.

  • R ely on a mathematical function called aone-way hash(also called amessage digest ).
  • A one-way hash is a number of fixed length with the following characteristics:
    • The value of the hash is unique for the hashed data. Any change in the data, even deleting or altering a single character, results in a different value.
    • The content of the hashed data cannot, for all practical purposes, be deduced from the hash--which is why it is called "one-way."

Digital Signatures 14. Digital Signatures 15. Digital Signatures

  • If the two hashes match, the recipient can be certain that the public key used to decrypt the digital signature corresponds to the private key used to create the digital signature.
  • Confirming the identity of the signer, however, also requires some way of confirming that the public key really belongs to a particular person or other entity( Certificates and Authentication )

16.

  • S trength of encryption is related to the difficulty of discovering the key, which in turn depends on both the cipher used and the length of the key.
  • Encryption strength is often described in terms of the size of the keys used to perform the encryption
  • I n general, longer keys provide stronger encryption.

Key Length and Encryption Strength 17.

  • Different ciphers may require different key lengths to achieve the same level of encryption strength
    • Example:a 128-bit key for use with a symmetric-key encryption cipher would provide stronger encryption than a 128-bit key for use with the RSA public-key encryption cipher.
  • L evel of strength may be vulnerable to attacks in the near future.

Key Length and Encryption Strength 18. OVERVIEW OF CRYPTO ALGORITHMS I.SYMETRICAL NameKey length (bits) Triple DES168(US only) RC2, RC4128(US only) DES56(US only) RC2, RC440 (Export) II.PUBLIC KEYRSA, Some others512 (equiv. to 64) III. HASHING (OWH) MD5, Some others 19. One-Time Pads (Topic for Quantum Cryptography) The use of a one-time pad for encryption and the possibility of getting any possible plaintext from the ciphertext by the use of some other pad. 20. A Certificate Identifies Someone or Something

  • Acertificateis an electronic document used to identify an individual, a server, a company, or some other entity and to associate that identity with a public key.
  • AddressesImpersonation ( Information passes to a person who poses as the intended recipient. )
  • Certificate authorities (CAs)are entities that validate identities and issue certificates

21. X.509

  • The basic fields of an X.509 certificate.

22. Certificate authorities (CAs)

  • B inds a particular public key to the name of the entity the certificate identifies (such as the name of an employee or a server).
  • Only the public key certified by the certificate will work with the corresponding private key possessed by the entity identified by the certificate.
  • A lways includes:
    • the name of the entity it identifies, an expiration date, the name of the CA that issued the certificate, a serial number, and other information.
    • the digital signature of the issuing CA.

23. CA HierarchiesIn large organizations, it may be appropriate to delegate the responsibility for issuing certificates to several different certificate authorities. 24. Types of Certificates

  • Client SSL certificates
  • Server SSL certificates
  • S/MIME certificates
  • Object-signing certificates
  • CA certificates

25. Client SSL certificates

  • Used to identify clients to servers via SSL (client authentication).
  • Typically, the identity of the client is assumed to be the same as the identity of a human being, such as an employee in an enterprise.
  • Examples:
  • A bank gives a customer a client SSL certificate that allows the bank's servers to identify that customer and authorize access to the customer's accounts.
  • A company might give a new employee a client SSL certificate that allows the company's servers to identify that employee and authorize access to the company's servers.

26. Server SSL certificates

  • Used to identify servers to clients via SSL (server authentication).
  • Server authentication may be used with or without client authentication.
  • Example:
  • Internet sites that engage in electronic commerce (commonly known ase-commerce ) usually support certificate-based server authentication, at a minimum, to establish an encrypted SSL session and to assure customers that they are dealing with a web site identified with a particular company. The encrypted SSL session ensures that personal information sent over the network, such as credit card numbers, cannot easily be intercepted.

27.

  • Used for signed and encrypted email.
  • A single certificate may be used as both an S/MIME certificate and an SSL certificate.
  • Examples:
  • A company deploys combined S/MIME and SSL certificates solely for the purpose of authenticating employee identities, thus permitting signed email and client SSL authentication but not encrypted email.
  • Another company issues S/MIME certificates solely for the purpose of both signing and encrypting email that deals with sensitive financial or legal matters.

S/MIME certificates 28. Object-signing certificates

  • Used to identify signers of Java code, JavaScript scripts, or other signed files.
  • Example:
  • A software company signs software distributed over the Internet to provide users with some assurance that the software is a legitimate product of that company. Using certificates and digital signatures in this manner can also make it possible for users to identify and control the kind of access downloaded software has to their computers.

29. CAcertificates

  • Used to identify CAs.
  • Client and server software use CA certificates to determine what other certificates can be trusted.
  • Example:
  • The CA certificates stored in Communicator determine what other certificates that copy of Communicator can authenticate. An administrator can implement some aspects of corporate security policies by controlling the CA certificates stored in each user's copy of Communicator.

30. Authentication Confirms an Identity

  • Client authenticationrefers to the confident identification of a client by a server (that is, identification of the person assumed to be using the client software).
  • Server authenticationrefers to the confident identification of a server by a client (that is, identification of the organization assumed to be responsible for the server at a particular network address).

31. T wo forms of client authentication:

  • Password-Based Authentication.
  • Certificate-Based Authentication

32.

  • The user has already decided to trust the server, either without authentication or on the basis of server authentication via SSL.
  • The user has requested a resource controlled by the server.
  • The server requires client authentication before permitting access to the requested resource.

Password-Based Authentication 33.

  • In response to an authentication request from the server, the client displays a dialog box requesting the user's name and password for that server. The user must supply a name and password separately for each new server the user wishes to use during a work session.
  • The client sends the name and password across the network, either in the clear or over an encrypted SSL connection.
  • The server looks up the name and password in its local password database and, if they match, accepts them as evidence authenticating the user's identity.
  • The server determines whether the identified user is permitted to access the requested resource, and if so allows the client to access it.

Password-Based Authentication 34.

  • the user has already decided to trust the server and has requested a resource, and that the server has requested client authentication in the process of evaluating whether to grant access to the requested resource.

Certificate -Based Authentication 35.

  • The client software maintains a database of the private keys that correspond to the public keys published in any certificates issued for that client. The client asks for the password to this database the first time the client needs to access it during a given session

Certificate -Based Authentication 36.

  • The client unlocks the private-key database, retrieves the private key for the user's certificate, and uses that private key to digitally sign some data that has been randomly generated for this purpose .The digital signature can be created only with that private key and can be validated with the corresponding public key against the signed data, which is unique to the SSL session.

Certificate -Based Authentication 37.

  • The client sends both the user's certificate and the evidence (the randomly generated piece of data that has been digitally signed) across the network.

Certificate -Based Authentication 38.

  • The server uses the certificate and the evidence to authenticate the user's identity(more on SSL)

Certificate -Based Authentication 39.

  • The server may optionallyperform other authentication tasksto evaluate whether the identified user is permitted to access the requested resource.

Certificate -Based Authentication 40. Certificate-based authentication is generally considered preferable to password-based authentication because it is based on what the user has (the private key) as well as what the user knows (the password that protects the private key). 41.

  • C ertificates replace the authentication portion of the interactionbetween the client and the server.
  • Instead of requiring a user to send passwords across thenetwork throughout the day, single sign-on requires the user toenter the private-key database password just once, withoutsending it across the network. .

42. Authentication Using Kerberos

  • The operation of Kerberos V4.

43. SECURE SOCKET LAYER (SSL) A PROTOCOL BETWEEN TCP/IP LAYER AND APPLICATION LAYER ORIGINALY DESIGNED BY NETSCAPE PROVIDES SECURE COMMUNICATION BASED ON ENCRYPTION TECHNIQUES BASIC FUNCTIONALITY: I. AUTHENTICATES SERVER II. AUTHENTICATES CLIENT (OPTION) III. ENCRYPTS THE MESSAGE USES PUBLIC KEY FOR AUTHENTICAT. USES SYMETRICAL KEY FOR MESSAGE ENCRYPTION 44. SERVER AUTHENTICATION - SSL I. SERVER: SENDS THE CERIFICATEAND DIGITAL SIGGNITUREOF RANDOM DATA II. CLIENT: READS THE CERTIFICATE EXTRACTS PUBLIC KEY VERIFIES THE FOLLOWING: 1. Date within valid period? 2. Is CA a trusted CA? 3. Is certificate's Digital Signature valid? 4. Is the server's Domain Name correct? 45. CLIENT AUTHENTICATION - SSL ( OPTIONAL) I.SERVER REQUEST CLIENT'S CERTIFICATE II. CLIENT SENDS:1.CERIFICATE 2. DIGITAL SIGNITURE OF RANDOM DATA KNOWN ONLY TO CLIENT AND SERVER. III. SERVER PERFORMS THE SAME STEPS AS THE CLIENT IN THE PREVIOUS CASE 46. SSL HANDSHAKE 1. CLIENT SENDS "hello" MESSAGE CONSISTING OF: Some system info Cipher to be used Random number 2. SERVER RESPONDS WITH A SIMILAR MESSAGE 3. SERVER SENDS ITS CERTIFICATE AND OPTIONALLY REQUESTS CLIENT CERTIFICATE 4. CLIENT AUTHENTICATES SERVER 5. OPTIONALLY, SERVER AUTHENTICATES CLIENT 47. SSL HANDSHAKE - cont. 6. BOTH CLIENT AND SERVER GENERATE THE SESSION SYMETRICAL KEY AND SEND MESSAGES THAT FURTHER COMMUNICATION WILL BE ENCRYPTED 7. ENCRYPTED SSL SESSION BEGINS 48. SSL- establishing connection 49. SSL Session State 50. SSL Connection State 51. SSL Handshake Protocol 52. OPENSSL(www.opens.org) FREE SOFTWARE PACKAGE AVAILABLE ON THE NET. CONSISTS OF: opens COMMAND LINE UTILITY SSL LIBRARIES SOME DOCUMENTATION CAN BE USED FOR: Making yourself CA Writing SSL Client/Server programs Studying SSL code 53. OpenSSL

  • http://www.openssl.org
  • Free library providing cryptographic functions
    • its not the only one, alternatives: Crypto++ and Cryptlib of Peter Guttman
  • The important feature is the complete implementation of the protocols SSLv2,SSLv3 and TLSv1
  • The relevant specifications are at:
  • SSLv2: http://www.netscape.com/eng/security/SSL_2.html
  • SSLv3: http://home.netscape.com/eng/ssl3/index.html
  • TLS (RFC 2246): http://www.ietf.org/rfc/rfc2246.txt
  • HTTPS (RFC 2818): http://www.ietf.org/rfc/rfc2818.txt

54. VIRTUALPRIVATENETWORKS (VPN) 1. CONNECTS SECURE NETWORKS VIA INTERNET (NAT protected networks are incompatible with VPN) 2. USES TUNNELING TECHNIQUE TO CREATE A ILLUSION OF A PRIVATE LEASED LINE 3. IS IMPLEMENTED BY ENCRYPTION AND CERTIFICATION SIMILAR TO SSL 4. BASED ON PROTOCOL CALLED IPSec 55. Virtual Private Networks (VPN) 56.

  • Adds integrity checking, authentication, encryption and protection to IP packets
  • End-to-end security + secure tunnels between gateways
  • Independent of current cryptographic algorithms
  • Works for IPv4 and IPv6 (mandatory component)
  • Two major concepts:
    • Security Association
    • Tunneling

The IP security architecture (IPsec) 57. COMPONENTSOFIPSec 1. AUTHENTICATION HEADER (AH) Responsiblefor authentication2. ENCAPSULATED SECURITY PAYLOAD (ESP) Responsiblefor encryption 3. INTERNET KEY EXCHANGE (IKE) Responsible for the handshake to establish the encrypted communication 58. IP security scenario 59. IPsec 60. Transport Mode Tunneling Mode 61.

  • En-route intermediate processing:
  • Destination specified in the outer header (Ipsec firewall or router) receives the tunneled packet, extracts the original packet, and sends to the ultimate destination
  • Tradeoff: Processing overhead / extra security

IP security architecture (IPsec) 62. The IP security architecture (IPsec) Authentication Header (AH) AH verifies that the data hasnt been altered. In transport modesome fields in the IP header change en-route and their value cannot be predicted by the receiver (mutable fields) Type of service, flags, fragment offset, time to live, header checksum. Protection of mutable fields? Use tunneling 63. The IP security architecture (IPsec) Authentication Header (AH) 64. The IP security architecture (IPsec) Encapsulating Security Payload (ESP) ESP encrypts the data so it remains confidential. Provide integrity check, authentication, and encryption to IP datagrams 65. The IP security architecture (IPsec) Encapsulating Security Payload (ESP) Transport-level security 66. The IP security architecture (IPsec) Encapsulating Security Payload (ESP) A virtual private network via Tunnel Mode 67.

  • Tunneling (encapsulation):
  • Common in packet-switching networks
  • Wrapping a packet in a new one:
    • a new header is attached to the original packet
    • Entire original packet becomes the payload of the new one

IP security architecture (IPsec) 68. IPsec

  • The IPsec authentication header in transport mode for IPv4.

69. IPsec

  • (a)ESP in transport mode.(b)ESP in tunnel mode.

70.

  • Supports automated negotiation of Security Associations and automated generation and refresh of cryptographic keys
  • The ability to perform these functions with little or no manual configuration of machinescritical element to any enterprise-scale IPsec deployment.

The Internet Key Exchange protocol (IKE framework) 71. Authentication Based on a Shared Secret Key

  • Two-way authentication using a challenge-response protocol.

72. Authentication Using Kerberos

  • The operation of Kerberos V4.

73.

  • To protect a network against unauthorised access to a network, network administrators can set up a firewall.
  • A firewall is a component that is incorporated into the gateway between the network and any external connections.
  • The firewall examines incoming packets from outside the network.Packets using the HTTP or SMTP protocols are allowed to pass through because they are considered safe but packets using other protocols are rejected.

Firewalls Our Network Gateway Rest of World 74.

  • Firewalls can also be programmed tolimit accessto certain machines and certain ports.This reduces the chance of malicious people trying to tie up computer resources from outside the network.
  • They can also be programmed toreject packetsor if they come from certain sources.This reduces the chance of spamming (unwanted E-mails from third parties).
  • Firewalls can also limit access from the network to the rest of the world to prevent the downloading of programs that may contain viruses or to stop employees from wasting time by surfing the net.

Firewalls 75.

  • Firewallsdo not inhibitthe internal operation of the network.Nor do they completely prevent access to the outside world.
  • Furthermore, what access is allowed can bemonitoredby the Firewall which can flag suspicious activity.

Firewalls 76.

  • Firewalls cannot protect against:
    • Attacks that do not go through the firewall(hand carried tapes/disks, modem connections).
    • Data-driven attacks: something (malicious) is uploaded or copied through a legitimate channel, and then executed.
    • Denial of service attacks that overload the data connection between Intranet and Internet.

Firewalls 77. Firewalls packet filter:restrict IP addresses ( address filtering ), ports connection filter:only allow packets belonging to authorized (TCP) connections Application (proxy)gateway:Reissues the request on behalf of the client NAT:network address (and port) translator arenotfirewalls, but can prevent all incoming connections 78. Packet filtering (screening router) FirewallsAllow only datagrams with certain properties to pass. 79. Firewalls 80. 81. 82. Packet filtering

  • Service level filtering - TCP/UDP protocols
  • Source/Destination filtering - IP Packets
  • Combination of both
  • Limitations: Cannot control the data within the packet

83. PACKET FILTERING Firewall has to distinguish between the outgoing packets (not filtered) and incoming packets (filtered) EXAMPLE ClientFirewallServer telnetrequest telnet response In this situation the firewall must allow The response to go through Secure network Untrusted network 84. PACKET FILTERINGEXAMPLE - CONT ClientFirewallServer telnet request In this situation the firewall must stop the packet Secure network Untrusted network 85.

  • PACKET FILTERING
  • EXAMPLE CONT
  • Solution:
  • The client request is configured as follows:
  • dest IP dest Port #source IP source Port #
  • IPd23IPs>1024
  • The server response will come as follows:
  • dest IP Dest Port #source IP source Port #
  • IPs>1024IPd23
  • The firewall is configured such that itallows incomingpackets with destination Port # > 1024 and blocks the other incoming packets

86. PACKET FILTERINGEXAMPLE CONT Solution: 2. Client builds a Transmission Control Block (TCB) describing the request. TCB contains the following: Verification tags for client and server IP addresses of client and server State of the connection etc. The firewall is configured to allow only the incoming packets which came as a response to the request. 87. Application level(Proxy)

  • Accepts the request from the client
  • Checks for the validity of the request
  • Reissues the request to the server
  • Provides higher level of control then filtering
  • In general, client software has to be modified

88. Circuit level Gateway

  • Allows or disallows all TCP/IP services according to the set of rules
  • Similar to Proxy Server
  • Most of the firewall software provides some combination of all 3 functions

Related Documents
Security+ Certification (Glossary Definition) (Slides)

Security+ Certification (Glossary Definition) (Slides)

Category: Technology
AWS Security Event Slides

AWS Security Event Slides

Category: Documents
Networking and Security PowerPoint Slides

Networking and Security PowerPoint Slides

Category: Documents
Security Services Lifecycle Management - SALSAHPCsalsahpc.indiana.edu/CloudCom2010/slides/PDF/Security Services... · Security Services Lifecycle Management Slide _ 7 Security Service

Security Services Lifecycle Management -...

Category: Documents
Wth Slides Mod Security

Wth Slides Mod Security

Category: Documents
Network Security Architectureweb.engr.illinois.edu/.../slides/NetworkSecurity.ppt.pdf3 Overview Network Security Architecture −Wireless −Security Domains −VPN Firewall Technology

Network Security...

Category: Documents
Ios4 Security Evaluation Slides

Ios4 Security Evaluation Slides

Category: Documents
Slides: The Security Challenge: KPN's Practical Approach

Slides: The Security Challenge: KPN's Practical Approach

Category: Software
Thayer Vietnam’s Security Outlook: Power Point Slides

Thayer Vietnam’s Security Outlook: Power Point Slides

Category: Documents
Security slides v2

Security slides v2

Category: Technology
Security and Safety CBT Slides

Security and Safety CBT Slides

Category: Documents
Computer Security Set of slides 2

Computer Security Set of slides 2

Category: Documents