YOU ARE DOWNLOADING DOCUMENT

Please tick the box to continue:

Transcript
Page 1: بسم الله الرحمن الرحيم NETWORK SECURITY

الرحيم الرحمن الله بسم

NETWORK SECURITY

Done By:

Saad Al-Shahrani Saeed Al-Smazarkah

May 2006

Page 2: بسم الله الرحمن الرحيم NETWORK SECURITY

Network Security Goals

Confidentiality or Privacy: Only sender, intended receiver should ”understand” message contents

o Sender encrypts messageo Receiver decrypts message

Authentication: Sender, receiver want to confirm identity of each other

Integrity: Sender, receiver want to ensure messages are not altered during transmission without detection

Access and Availability: Services must be accessible and available to users

Page 3: بسم الله الرحمن الرحيم NETWORK SECURITY

People want to communicate securely

• Eve (intruder/eavesdropper): may intercept, delete, add messages

Page 4: بسم الله الرحمن الرحيم NETWORK SECURITY

There are Eavesdroppers out there!

Q: what can an eavesdropper do?A: a lot!

o Observing and recording information

o Unauthorized access to a server

o Denial of service: prevent service from being used by others (e.g. by Flooding a server with requests)

o Impersonating a legitimate server

o Hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place

Page 5: بسم الله الرحمن الرحيم NETWORK SECURITY

Network Security: Agenda

o Main weapon: cryptography Confidentiality (encryption) Message authentication Signatures and Certificates

o Internet Threats, Attacks and Defenses Secure request/ response protocols Secure connection ‘tunnels’ Denial of Service attacks Firewalls

Page 6: بسم الله الرحمن الرحيم NETWORK SECURITY

Encryption Protects Confidentiality

Secret Key crypto: Shared secret key (KE,B=KD,B) Public key crypto: A user has a public encryption

key KE,B and a matching private decryption key KD,B

Page 7: بسم الله الرحمن الرحيم NETWORK SECURITY

Secret Key Crypto

Two operations (“encrypt”, “decrypt”) which are inverses of each other. Like multiplication/division

One parameter (“the key”) Even the person who designed the algorithm

can’t break it without the key Ideally, a different key for each pair of users

Page 8: بسم الله الرحمن الرحيم NETWORK SECURITY

Secret key crypto

encrypt= f(K, plaintext)=ciphertext decrypt= f(K, ciphertext)=plaintext authentication: send f(K, challenge) integrity check: f(K, msg)=X verify integrity check: f(K, X, msg)

Page 9: بسم الله الرحمن الرحيم NETWORK SECURITY

Public Key Crypto

Two keys per user, keys are inverses of each other Public key “BPub” you tell to the world Private key “BPriv” you keep private Yes it’s magic. Why can’t you derive “BPriv” from

“BPub”? And if it’s hard, where did (BPub, BPriv) come from?

Page 10: بسم الله الرحمن الرحيم NETWORK SECURITY

Encryption and Integrity

Encryption hides the message from eavesdropper

Question: can eavesdropper change message?o Or: dose encryption ensure message integrity?

With Public Key Encryption:o Eve can replace EBPub(m) with fake: EBPub (m’)

With Secret (shared) Key Encryption:o This seems harder to doo But given c=mk, attacker can send c mask, to invert any bit in

decrypted message (use mask)

Encryption does not ensure integrity!

Page 11: بسم الله الرحمن الرحيم NETWORK SECURITY

Public Key VS. Secret Key

In terms of capabilities public key is more powerful.

Public key provides digital signature.

Secret key is much faster than public key

Page 12: بسم الله الرحمن الرحيم NETWORK SECURITY

Public Key Digital Signatures: concept

One of the best features of public key An integrity check

calculated as f(priv key, data) verified as f(public key, data, signature)

Verifiers don’t need to know secret key RSA can be used for digital signature scheme

Page 13: بسم الله الرحمن الرحيم NETWORK SECURITY

Popular Secret Key Algorithms

DES: old standard, 56-bit key, slow 3DES: fix key size but 3 times as slow RC4: variable length key, “stream cipher”

(generate stream from key, XOR with data)

AES: replacement for DES, will probably take over

Page 14: بسم الله الرحمن الرحيم NETWORK SECURITY

Popular Public Key Algorithms

RSA: public key operations can be made very fast, but private key operations will be slow.

ECC (elliptic curve crypto): smaller keys, so faster than RSA (but not for public key ops).

Page 15: بسم الله الرحمن الرحيم NETWORK SECURITY

Key Distribution Problem

Secret Key Problem: How do two entities

establish shared secret key over the network?

Solution: Trusted key

distribution (KDC) acting as intermediary between entities

KDC needs shared key with each entity.

Public Key Problem: When Saad obtains

Saeed’s public key (from web site, e-mail, diskette), how does he know it is Saeed’s public key, not eavesdropper’s?

Solution: Trusted certification

authority (CA)

Page 16: بسم الله الرحمن الرحيم NETWORK SECURITY

Key Distribution - Secret Keys

Could configure n2 keys Makes the systems unfeasible for large-scale use Instead use Key Distribution Center (KDC)

Every user has a secret key shared with KDC The KDC knows all the users The KDC assigns a key to any pair who need to talk

Page 17: بسم الله الرحمن الرحيم NETWORK SECURITY

Key Distribution - Public Keys

Certification Authority (CA) signs “Certificates”

Certificate = a signed message saying “I, the CA, vouch that 489024729 is Saad’s public key”

If everyone has a certificate, a private key, and the CA’s public key, they can authenticate

Page 18: بسم الله الرحمن الرحيم NETWORK SECURITY

Key Distribution - Public Keys

Saad Saeed

[“Saad”, key=342872]CA

Auth, encryption, etc.

[“Saeed”, key=8294781]CA

Page 19: بسم الله الرحمن الرحيم NETWORK SECURITY

Denial Of Service Attack

Attacker tries to exhaust resources of host/ server/ router/ user

Resources include: Computation (CPU time) Storage (e.g. for state of requests/connections) Open TCP connections

Limited (10s to several thousand connections – depending on hardware, operating system)

SYN flooding DOS attack: attacker sends ‘SYN’ flow (open connection); server waits

Page 20: بسم الله الرحمن الرحيم NETWORK SECURITY

SYN flooding DOS attack

Attacker sends many SYN requests (using different spoofed client IP address), no ACK

Uses up server’s capacity for open connections

Page 21: بسم الله الرحمن الرحيم NETWORK SECURITY

Firewalls

Firewall:A secure machine (or program), isolating organization’s internal net from larger Internet (or another net), allowing some packets to pass, blocking others

Page 22: بسم الله الرحمن الرحيم NETWORK SECURITY

Packet Filtering

Internal network connected to Internet via Router Firewall (packet filtering)

Router filters packet-by-packet, decision to forward/ drop packet based on:

o Source IP address, destination IP addresso TCP/UDP source and destination port numberso TCP SYN and ACK bit (identify client vs. server)

Page 23: بسم الله الرحمن الرحيم NETWORK SECURITY

References

Our textbook http://www.aw.com/kurose-ross/ http://www.iec.org http://amir.herzberg.name