143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 1
143.471 Digital Communication Networks143.471 Digital Communication Networks
Network SecurityNetwork Security –– 1, 2 and 31, 2 and 3
Professor Richard Harris
Institute of Information Sciences andTechnology
1 – Physical
2 – Data Link
3 – Network
4 – Transport
5 – Session
6 – Presentation
7 – Application
Network SecurityNetwork Security -- 1/1/22
143.471 Digital Communication Networks143.471 Digital Communication Networks
Presentation Outline
Overview of Identification and Authentication
The importance of identification and Authentication insecure transactions
Cryptography introduction
Cryptography Protocols
Cryptography as a basis for Identification andAuthentication
The Digital Signature
A Secure and Authenticated Communication over anOpen Network
Network SecurityNetwork Security -- 1/1/33
143.471 Digital Communication Networks143.471 Digital Communication Networks
Additional References
[1] Kaufman, Perlman and Speciner, “Network Security”, 2nd
Edition, Prentice Hall, 2002.
[2] Stallings,“Networking Standards: A Guide to OSI, ISDNLAN, and MAN Standards”, (Addison-Wesley), 1993
[3] Stallings,“Networking and InterNetwork Security”,(Prentice Hall), 1995, ISBN 0-13-180050-7
[4] FIPS 186, Digital Signature Standard (DSS).
[5] FIPS 180, Secure Hash Standard (SHS).
[6] ANSI X9.17-1990, American National Standard forFinancial Institution Key Management
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 2
Network SecurityNetwork Security -- 1/1/44
143.471 Digital Communication Networks143.471 Digital Communication Networks
Need for Security
Network SecurityNetwork Security -- 1/1/55
143.471 Digital Communication Networks143.471 Digital Communication Networks
Problems for network security
Secrecy: keeping information out of the hands ofunauthorized users.
Authentication: determining whom you are talking tobefore revealing sensitive information or entering abusiness deal.
Non-repudiation: dealing with signature, how do youprove that your customer really placed an electronicorder.
Integrity control: how can you be sure that a messageyou received was really the one sent and not somethingthat a malicious adversary modified in transit orconcocted?
Network SecurityNetwork Security -- 1/1/66
143.471 Digital Communication Networks143.471 Digital Communication Networks
Where in the protocol network doessecurity belong?
Every layer has something to contributePhysical layer, wiretapping can be foiled by enclosingtransmission lines in sealed tubes containing gas at highpressure. Any attempt to drill into a tube will release some gas,reducing the pressure and triggering an alarm.
Data link layer, packets can be encrypted as they leave onemachine and decrypted as they enter another, vulnerable toattacks from within the router. However, link Encryption can beadded to any network easily and often is useful.
In the network layer, firewalls can be installed to keep goodpackets and bad packets out.
In the transport layer, entire connections can be encrypted, endto end, process to process.
Issues such as user authentication and non-repudiation can beonly handled in the application layer.
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 3
Network SecurityNetwork Security -- 1/1/77
143.471 Digital Communication Networks143.471 Digital Communication Networks
OSI Security Mechanisms (Controls)
Encipherment
The use of algorithms to transform data into a form that is notreadily intelligible. The transformation and subsequent recoveryof the data depend on an algorithm and one or more encryptionkeys
Authentication exchange
A mechanism intended to ensure the identity of an entity bymeans of information exchange
Digital Signature
Data appended to, or a cryptographic transformation of a dataunit that allows the recipient to prove the source and integrity ofthe data unit and protects against forgery (e.g. by the recipient)
Access control
A variety of mechanisms that enforce access rights to resources
Network SecurityNetwork Security -- 1/1/88
143.471 Digital Communication Networks143.471 Digital Communication Networks
Identification and Authentication(Overview)
One of the first steps towards securing the resources of asystem is the development of the ability to verify the identity ofits users…. Since all users communicate via messages thiscomes down to verifying that messages come from the allegedsource and have not been altered
The process of verifying a user’s identity is typically referred toas user identification and authentication
Identification and Authentication are distinct steps
Network SecurityNetwork Security -- 1/1/99
143.471 Digital Communication Networks143.471 Digital Communication Networks
Identification and Authentication(Overview)
Identification concerns the manner in which a user provideshis/her unique identity to a system
The identity:
May be (for example), a name or a number (account number)
Must be unique so that the system can distinguish betweendifferent users, or between different classes ofusers…(remember the Control Selection Criteria of “need toknow”)
May describe one individual, more than one individual….someor all of the time
Example
“System Security Officer” is a class identity
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 4
Network SecurityNetwork Security -- 1/1/1010
143.471 Digital Communication Networks143.471 Digital Communication Networks
Identification and Authentication(Overview)
Authentication is the process of associating an individual withhis/her unique identity… or that of associating a message with asending entity
An important distinction between Identification andAuthentication:
Identities can be public (but aren’t always)
Authentication information (but not necessarily themethodology) is kept secret and becomes the means by whicha person proves that they are who they say they are
There are three basic means by which an individual mayauthenticate his/her identity
Network SecurityNetwork Security -- 1/1/1111
143.471 Digital Communication Networks143.471 Digital Communication Networks
Identification and Authentication(The Three Basic Approaches)
Something the person knows
– password
– combination
– history
– other….
Something the person possesses
– a token or a card
– a key to a lock
– other….
Something the person is(Biometrics)
– Fingerprints
– retinal pattern
– voice pattern
– other….
Network SecurityNetwork Security -- 1/1/1212
143.471 Digital Communication Networks143.471 Digital Communication Networks
An Introduction to Cryptography
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 5
Network SecurityNetwork Security -- 1/1/1313
143.471 Digital Communication Networks143.471 Digital Communication Networks
Cryptography (Introduction)
EncryptionIs a process designed to conceal meaning by changingintelligible messages to unintelligible messages…..
Covers both encypherment and encoding
Encypherment– The translation of individual letters (or tokens) to other letters of
tokens
Encoding– The translation of words or phrases (or groups of tokens) to other
words or phrases
Cryptography relies on two basic componentsAn algorithm (also called a cryptographic methodology)
A Key (one or more)
Network SecurityNetwork Security -- 1/1/1414
143.471 Digital Communication Networks143.471 Digital Communication Networks
Cryptography(Example)
Example
In a simple system where letters are substitutedfor other letters
The Key…?
– The chart of paired letters
The Algorithm…?
– Substitution
Network SecurityNetwork Security -- 1/1/1515
143.471 Digital Communication Networks143.471 Digital Communication Networks
Cryptography(The Two Basic Types)
There are two basic types of CryptographicSystems
Secret Key (also called symmetric systems)
The same key is used to encrypt and decrypt data
Two or more parties share the key
The key must remain secret
Public Key (also called asymmetric systems)
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 6
Network SecurityNetwork Security -- 1/1/1616
143.471 Digital Communication Networks143.471 Digital Communication Networks
Cryptography(Secret Key and Public Key)
Secret Key Encryption
EncryptionAlgorithm
DecryptionAlgorithm
PlainText PlainTextCypherText
KeyShared by theparties involved
- Produces output that is dependent on the key
- Powerful enough to defy decryption fromexamination of the cyphertext and/or knowledgeof the algorithm
- Security is dependent on the secrecy of the key
- How do you distribute the key..??
- Key must remain secret
- Reliance on allparties
- Data Encryption Standard (DES)Federal Information ProcessingStandards (FIPS) 46-1
- DES has been widely adoptedby the commercial sector in theU.S.
- Chips available, so low costencryption/decryption isavailable, but accessis restricted
Network SecurityNetwork Security -- 1/1/1717
143.471 Digital Communication Networks143.471 Digital Communication Networks
Cryptography(Secret Key and Public Key)
One of the major difficulties with Secret Key systems is thesecure distribution of the Key
Public Key Systems don’t require Key distribution…although you still need keys to encrypt and decrypt
The Public Key algorithms are asymmetric…. That is, youcannot decrypt the message with the same key that you usedto encrypt it.
This system uses key pairs, one to encrypt and one todecrypt…. If you want to receive secure messages then youcan make one key public (otherwise known as the PublicKey)…. and so long as the other key is known only to you,then you will be the only person that can read it
Needless to say, it is a requirement of this type of systemthat you cannot derive one key from the other
Network SecurityNetwork Security -- 1/1/1818
143.471 Digital Communication Networks143.471 Digital Communication Networks
Cryptography(Public Key example)
Public Key Encryption
EncryptionAlgorithm
DecryptionAlgorithm
A X
- X places his/her PublicKey (Xp) in an accessibleplace…. and keeps thePrivate Key (Xs) hidden
Directory of Public Keys
Xp
- A obtains X’s public Key,encrypts a message andsends it to X
Xp
PlainText CypherText
- X uses his/her Private Key todecrypt the message
Xs
PlainText
RSA, named after its three creators,Ronald Rivest, Adi Shamir and LenAdlemen
The Digital Signature Standard (DSS)
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 7
Network SecurityNetwork Security -- 1/1/1919
143.471 Digital Communication Networks143.471 Digital Communication Networks
Cryptography
Some uses
To ensure confidentiality and integrity of information
Public Key is particularly useful when key secrecy is a problem
Public Key can be used to distribute secret keys
To support controls such as authentication (how do I know youare who you say you are)
Other…..
Having set a foundation for cryptographic systems weshall take another look at the important (and related)issue of identification and authentication
Network SecurityNetwork Security -- 1/1/2020
143.471 Digital Communication Networks143.471 Digital Communication Networks
Internet Communications andCryptography
The rush towards Internet Related Electronic BusinessActivities
Funds transfer associated with sales
Authorisations
Would you send your Credit Card number over the Internet…??
The Problems of - Identification and Authentication
The Problems of - Security of Information once theSender / Receiver have been authenticated
Interruption
Interception
Modification
Fabrication
Network SecurityNetwork Security -- 1/1/2121
143.471 Digital Communication Networks143.471 Digital Communication Networks
Cryptography as a Basis forIdentification & Authentication
Drawbacks of Secret Key Systems
Relies on one or more parties sharing the Secret Key
In practice this means that communication can only occurbetween people with some prior relationship…. (because theymust be entrusted with the Secret Key)
The same key that allows for communication allows any of theparties to create forgeries in the name of others
Public Key Systems Provide a basis for AuthenticationIn RSA each key of a key pair can undo what the other does
If a user can unscramble a message using say, Jack’s PublicKey, then it must have been created in the first place with Jack’sPrivate Key…. This is the basis for Digital Signatures
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 8
Network SecurityNetwork Security -- 1/1/2222
143.471 Digital Communication Networks143.471 Digital Communication Networks
Transposition Ciphers
Transposition ciphers reorder the letters but don’t disguise them. The cipher iskeyed by a word or phrase not containing any repeated letters. In this example,MEGABUCK is the key. The purpose in the example is to number the columns,column 1 is under the key letter closest to the start of the alphabet.
To break a transposition cipher1. Be aware it is a transposition cipher by looking at the frequency of E, T, A, etc.2. Guess the number of columns by first guessing a word or phrase. Say: “Million dollars”3. The remaining step is to order the columns.
Network SecurityNetwork Security -- 1/1/2323
143.471 Digital Communication Networks143.471 Digital Communication Networks
P-Box
Transposition can be implemented with simpleelectrical circuits.
If the 8 bits are designated from top to bottom as
01234567, then
the output of this particular P-box is 36071245
By appropriate internal wiring, a P-box can bemade to perform any transposition and do it atpractically the speed of light, since no computationis involved; just signal propagation
This design follows Kerckhoff’s principle: theattacker knows that the general method ispermuting the bits. What he doesn’t know is whichbit goes where, which is the key.
Inp
utO
utp
ut
Network SecurityNetwork Security -- 1/1/2424
143.471 Digital Communication Networks143.471 Digital Communication Networks
Substitution ciphers
In substitution cipher each letter or group of letters is replaced byanother letter or group of letters to disguise it.
For instancea b c d e f g h i j k l m n o p q r s t u v w x y z
Q W E R T Y U I O P A S D F G H J K L Z X C V B N M
Substitution ciphers preserve the order of the plaintext symbols butdisguise them.
The substitution ciphers can be broken by starting out withcounting the relative frequencies of all letters in the ciphertext. Thenone might tentatively assign the most common one to letter e, etc.
The general system of symbol-to-symbol substitution is calledmono-alphabetic substitution
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 9
Network SecurityNetwork Security -- 1/1/2525
143.471 Digital Communication Networks143.471 Digital Communication Networks
S-Box
Substitutions are performed by S-boxIn the example, the 3-bit input selects oneof the eight lines existing from the firststage and sets it to 1; all the other linesare 0.
The second stage is a P-box.
The third stage encodes the selectedinput line in binary again. With the wiringshown, if the eight octal numbers01234567 were input one after another,the output sequence would be 24506713.In other words, 0 has been replaced by 2and 1 has been replaced by 4.
By appropriate wiring of the P-box insidethe S-box, any substitution can beaccomplished.
Network SecurityNetwork Security -- 1/1/2626
143.471 Digital Communication Networks143.471 Digital Communication Networks
One-time pads
1. Choose a random bit string as the key.
2. Then convert the plaintext into a bit string, for exampleby using its ASCII representation.
3. Finally compute the XOR of these two strings, bit by bit.The resulting ciphertext cannot be broken, because in asufficiently large sample of ciphertext, each letter will occurequally often.
The biggest disadvantage is that both sender and receiver mustcarry the pads which greatly reduces their practical utility.
Network SecurityNetwork Security -- 1/1/2727
143.471 Digital Communication Networks143.471 Digital Communication Networks
One-time pads
Message 1, “I love you.”
Message 2, “Elvis lives”
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 10
Network SecurityNetwork Security -- 1/1/2828
143.471 Digital Communication Networks143.471 Digital Communication Networks
Prime Numbers
Prime numbers only have divisors of 1 and self
they cannot be written as a product of other numbers
note: 1 is prime, but is generally not of interest
eg. 2,3,5,7 are prime, 4,6,8,9,10 are not
Prime numbers are central to number theory
List of prime number less than 200 is:2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 8997 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173179 181 191 193 197 199
Network SecurityNetwork Security -- 1/1/2929
143.471 Digital Communication Networks143.471 Digital Communication Networks
Prime Factorisation
To factor a number n involves writing it as a product ofother numbers: n = a × b × c
Note that factoring a number is relatively hard comparedto multiplying the factors together to generate thenumber!
The prime factorisation of a number n is when its writtenas a product of primes
eg. 91=7×13
Network SecurityNetwork Security -- 1/1/3030
143.471 Digital Communication Networks143.471 Digital Communication Networks
Relatively Prime Numbers & GCD
Two numbers a, b are relatively prime if they have nocommon divisors apart from 1
eg. 8 & 15 are relatively prime since factors of 8 are 1,2,4,8 and of15 are 1,3,5,15 and 1 is the only common factor
Conversely can determine the Greatest Common Divisorby comparing their prime factorizations and using leastpowers
eg. 300 = 22×31×52 18=21×32
hence GCD(18,300) = 21×31×50 = 6
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 11
Network SecurityNetwork Security -- 1/1/3131
143.471 Digital Communication Networks143.471 Digital Communication Networks
Fermat's Theorem
ap-1 mod p = 1
where p is prime and gcd(a,p) = 1
Also known as Fermat’s Little Theorem
Useful in public key
Network SecurityNetwork Security -- 1/1/3232
143.471 Digital Communication Networks143.471 Digital Communication Networks
Euler Totient Function ø(n) – (1)
When doing arithmetic modulo n, complete set ofresidues is: 0…n-1
Reduced set of residues is those numbers (residues)which are relatively prime to n
eg for n = 10,
complete set of residues is {0,1,2,3,4,5,6,7,8,9}
reduced set of residues is {1,3,7,9}
Number of elements in a reduced set of residues iscalled the Euler Totient Function ø(n)
Network SecurityNetwork Security -- 1/1/3333
143.471 Digital Communication Networks143.471 Digital Communication Networks
Euler Totient Function ø(n) – (2)
To compute ø(n) need to count number of elements to beexcluded
In general need prime factorization, but
for p (p is a prime) ø(p) = p -1
for p.q (p and q are primes) ø(p.q) = (p-1)(q-1)
eg.
ø(37) = 36
ø(21) = (3–1)×(7–1) = 2×6 = 12
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 12
Network SecurityNetwork Security -- 1/1/3434
143.471 Digital Communication Networks143.471 Digital Communication Networks
Generalization of Euler’s theorem
For numbers n = pq where p and q are primes,
akø(n) + 1 = a mod n, for all a < n, as long as k is anon-negative integer.
Network SecurityNetwork Security -- 1/1/3535
143.471 Digital Communication Networks143.471 Digital Communication Networks
Digital Signature Standard - DSS(A Brief Introduction)
To reduce costs and increase productivity, many businesses areattempting to transform paper-based systems into automatedelectronic systems.
Unfortunately they generally end up with a Hybrid system… One ofthe culprits is the use of signatures to identify and authenticate aperson
There is a need for a reliable, cost-effective way to replace ahandwritten signature with a digital signature. Like a handwrittensignature, a digital signature can be used to identify andauthenticate the originator of the information.
A digital signature can also be used to verify that information hasnot been altered after it is signed; this provides message integrity.The DSS specifies a Digital Signature Algorithm (DSA) for use incomputing and verifying digital signatures.
Network SecurityNetwork Security -- 1/1/3636
143.471 Digital Communication Networks143.471 Digital Communication Networks
Digital Signatures
The Digital Signature Standard is a special version ofPublic Key Cryptography
The Digital Signature Standard can be used to
Identify and Authenticate the originator
Verify that the message has not been altered after it has beensigned
Determine whether playback is occurring
Guard against; interception, Modification and Fabrication
Digital Signature Standard uses the Secure HashAlgorithm to aid in the detection of modification…..
We need to look at Hash functions before we cancontinue
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 13
Network SecurityNetwork Security -- 1/1/3737
143.471 Digital Communication Networks143.471 Digital Communication Networks
Building Towards StrongAuthentication
The Digital Signature Standard is a special version ofPublic Key Cryptography…… Designed toauthenticate both the sender and the message
The Generate a Digital Signature
The owner of the Private Key applies a one way function(such as the Secure Hash Algorithm [Ref 4]) to the message
This results in a condensed representation of the messageknown as a Message Digest
You can’t get the original message back from the digest
Choosing a different message that digests to the samemessage is difficult
It is this digest which is encrypted with the Private Key
Network SecurityNetwork Security -- 1/1/3838
143.471 Digital Communication Networks143.471 Digital Communication Networks
Message Digest
One criticism of signature methods is that they often couple twodistinct functions : authentication and secrecy.
Often authentication is needed but secrecy is not.
Encryption
Protects against passive attack (eavesdropping).
A different requirement is to protect against active attack(falsification of data and transactions).
Protection against such attacks is known as message authentication.
A message digest or MD, is based on a hash function, and it is anauthentication scheme that does not require encrypting the entiremessage, but provides a message authentication function.
Network SecurityNetwork Security -- 1/1/3939
143.471 Digital Communication Networks143.471 Digital Communication Networks
Generating a Message Digest
Digest/Hash
Function
N possibleinputs
K possibleoutputs
Message
Apparently random mappingbetween input and output
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 14
Network SecurityNetwork Security -- 1/1/4040
143.471 Digital Communication Networks143.471 Digital Communication Networks
RSA
Developed soon after the Merkle knapsack algorithm
The three inventors were Ron Rivest, Adi Shamir andLeonard Adleman, 1978
RSA gets its security from the difficulty of factoring apair of large numbers (100 or more digits)
Network SecurityNetwork Security -- 1/1/4141
143.471 Digital Communication Networks143.471 Digital Communication Networks
RSA(Generating the keys)
Then randomly choose theencryption key, e, such thate and (p-1)x(q-1) are relativelyprime
Now find the decryption key d(using Euclid’s algorithm) suchthat d is the inverse of e
))1()1((mod
))1()1mod((1
1
qped
wayanotheritputtingor
qpdee and n make up the Public Key.
d is the Private Key
qpn Choose two large primenumbers p and q and find theproduct n
Network SecurityNetwork Security -- 1/1/4242
143.471 Digital Communication Networks143.471 Digital Communication Networks
RSA(To Encrypt a Message)
Public Key
n n = pxq where p and q are two primes (p and q must remain secret)e randomly chosen and relatively prime to (p-1)x(q-1)
Private Key
d the inverse of e. That is, e-1 mod ((p-1)x(q-1))
Encrypting
c = me mod n
Decrypting
m = cd mod n
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 15
Network SecurityNetwork Security -- 1/1/4343
143.471 Digital Communication Networks143.471 Digital Communication Networks
RSA(Example - 1)
The encryption key e must have no factors incommon with..
(p-1) X (q-1) = 46 X 70 = 3220
Choose e (at random) to be 79. In that case:
d = 79-1 mod((p-1)x(q-1)) = 1019
This number was calculated using the extendedEuclidean algorithm
Publish e and n, and keep d secret. Discard p and q.To encrypt the message, m = 6882326879666683.
First break it into small blocks. Three-digit blockswork nicely in this case. The message will beencrypted in six blocks, mi, in which
m1 = 688
m2 = 232
m3 = 687
m4 = 966
m5 = 668
m6 = 3
Choose p = 47 and q = 71.Therefore n = p x q = 3337
Network SecurityNetwork Security -- 1/1/4444
143.471 Digital Communication Networks143.471 Digital Communication Networks
RSA(Example - 2)
The first block is encrypted as:..
68879 (mod 3337) = 1570 = c1
Performing the same operation on the subsequentblocks generates an encrypted message::
c = 1570 2756 2714 2276 2423 158
Decrypting the message requires performing thesame exponentiation using the decryption key of1019. So:
15701019 (mod 3337) = 688 = m1.
The rest of the message can be recovered in thismanner
Network SecurityNetwork Security -- 1/1/4545
143.471 Digital Communication Networks143.471 Digital Communication Networks
Digital Signatures(The Protocol) - 1
Two people, Jack and Tanya wish to establish a securecommunication across the Internet… They also needtheir communication to be so structured so that both willhave a record that neither can repudiate
The Authentication works like thisJ -> T Hi, are you Tanya?
T -> J Jack, this is Tanya….Ts[ h(Jack, this is Tanya)]
J Use Tanya’s Public Key to obtain the DigestTp[Ts[ h(Jack, this is Tanya)]]
= h(Jack, this is Tanya)
Run the SHA on the Message and compare the result with thereceived Digest. If its the same you know its not been tamperedwith
This process must of course be two ways!
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 16
Network SecurityNetwork Security -- 1/1/4646
143.471 Digital Communication Networks143.471 Digital Communication Networks
Digital Signatures(The Protocol) - 2
Tanya has sent a messageand signed it…
If Tanya’s Public Key willdecrypt a digest and thatdigest matches the plain textmessage, then Tanya sent thatPlain Text Message
When the digest of a message isencrypted using the sender’s privatekey and is appended to the originalmessage, the result is known as thedigital signature of the message.
What are the odds of being able tochange the Plain Message tosomething “malicious” but which willstill digest to the same value.?
That is, so that the receiver thinksthat the modified plaintext messagecame from Tanya
Network SecurityNetwork Security -- 1/1/4747
143.471 Digital Communication Networks143.471 Digital Communication Networks
Certificates(Key Management)
Before two parties use public-keycryptography to conduct business, eachwants to be sure that the other party isauthenticated.
Before Jack accepts a message withTanya’s digital signature, he wants to besure that the public key belongs toTanya and not to someonemasquerading as Tanya on an opennetwork.
One way to be sure that the public keybelongs to Tanya is to receive it over asecure channel directly from Tanya.However, in most circumstances thissolution is not practical.
After all, I could have placed myPublic Key on the Network,whilst pretending to be Tanya
Where?
How can you besure that it was
Tanya who put itthere?
Network SecurityNetwork Security -- 1/1/4848
143.471 Digital Communication Networks143.471 Digital Communication Networks
Certificates - 1
Whilst it can be proved whetherTanya sent the message or not… Youcan still be fooled by a masqueraderunless you know that the Public Keythat you think is Tanya’s does reallybelong to Tanya
How do you distribute Public Keys ina way that you know that a particularPublic Key belongs to a particularperson..??
An object called a certificate is beingdeveloped to solve this problem. Ithas in it at least the followinginformation:
The Certificate Issuer’s ID
Who this Certificate is for
The person’s Public Key
Expiry Date
The Certificate Issuer’sDigital Signature
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 17
Network SecurityNetwork Security -- 1/1/4949
143.471 Digital Communication Networks143.471 Digital Communication Networks
A More Complete and PreciseCertificate Definition(X.509)
Certificate ::= SIGNED { SEQUENCE {version Version DEFAULT v1,serialNumber CertificateSerialNumber,signature AlgorithmIdentifier,issuer Name,validity Validity,subject Name,subjectPublicKeyInfo SubjectPublicKeyInfo,issuerUniqueIdentifier IMPLICIT UniqueIdentifier OPTIONAL,
-- if present, version must be v2subjectUniqueIdentifier IMPLICIT UniqueIdentifier OPTIONAL
-- if present, version must be v2 -- }}
This (incomplete) definition is in ASN.1 (Abstract Syntax Notation 1).See ITU-T Recommendation X.208
Validity ::= SEQUENCE {notBefore UTCTime,notAfter UTCTime }
Network SecurityNetwork Security -- 1/1/5050
143.471 Digital Communication Networks143.471 Digital Communication Networks
Certificates(A Summary) - 1
A digital signature cryptographically binds the signed data with aunique private key, which is assumed to be under the exclusivecontrol of the person, cardholder, merchant, financial institution, orCA as appropriate.
The private key is mathematically linked to the public key of the keypair. Assuming that the private key has not been compromised, thedigital signature has the effect of binding the public key to the dataas well.
However, anyone can generate a public/private key pair, and so it isessential that some mechanism be established that binds the publickey to the entity in a trustworthy manner. This is the fundamentalpurpose of a certificate – to bind a public key to a uniquelyidentified entity.
Network SecurityNetwork Security -- 1/1/5151
143.471 Digital Communication Networks143.471 Digital Communication Networks
Certificates(A Summary) - 2
Since a bogus Certificate Authority could be set up to createcertificates that would contain information nearly identical to thatcontained in a valid certificate, the signature of the CertificateAuthority itself shall be certified as authentic by a higher levelCertificate Authority.
The only exception to this requirement is the industry rootCertificate Authority.
This is the only directly trusted Certificate Authority.
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 18
Network SecurityNetwork Security -- 1/1/5252
143.471 Digital Communication Networks143.471 Digital Communication Networks
Using Digital Signatures andCertificates
The Authentication works like this:
J -> T Hi, are you Tanya?
T -> J Jack, this is Tanya, Here is my certificate issued byCertification Authority 1, (Tanya<<CA1)
J Examine Certificate...Determine it’s validity by examining theIssuer’s signature...Get the Public Key that has been bound toTanya…..Now ask Tanya to prove her identity
J -> T Prove it
T -> J Jack, this is Tanya….Ts[Digest(Jack, this is Tanya)]
J Use Tanya’s Public Key to obtain the DigestRun the Hash on the Message and compare the result with thereceived Digest.If its the same you know its not been tampered with…
Network SecurityNetwork Security -- 1/1/5353
143.471 Digital Communication Networks143.471 Digital Communication Networks
Summarising a Secure &Authenticated Transaction(Steps 1,2,3,4 and 5 Encryption)
1. Tanya runs the Message througha one-way algorithm to producethe message digest..
2. She then encrypts the messagedigest with her private key toproduce the digital signature.
3. Next, she generates a randomsymmetric key and uses it toencrypt the Message, hersignature and a copy of hercertificate, which contains herpublic signature key.
To decrypt the propertydescription, Bob will require asecure copy of this randomsymmetric key.
RS[(Msg), Ts[H(Msg)], (Tanya<<CA1)]
MessageDigest = H(Msg)
Digital Signature = Ts[ H(Msg)]
Random Symmetric Key = RS
Network SecurityNetwork Security -- 1/1/5454
143.471 Digital Communication Networks143.471 Digital Communication Networks
Summarising a Secure &Authenticated Transaction(Steps 1,2,3,4 and 5 Encryption)
4. Bob’s certificate, which Tanyamust have obtained prior toinitiating securecommunication with him,contains a copy of his publickey-exchange key.
To ensure secure transmissionof the symmetric key, Tanyaencrypts it using Bob’s publickey-exchange key. Theencrypted key, referred to asthe digital envelope, will besent to Bob along with theencrypted message itself.
Digital Envelope = Bp[RS]
Bp = The KeySection of (Bob<<CA2)]
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 19
Network SecurityNetwork Security -- 1/1/5555
143.471 Digital Communication Networks143.471 Digital Communication Networks
Summarising a Secure &Authenticated Transaction(Steps 1,2,3,4 and 5 Encryption)
5. Tanya sends a message to Bobconsisting of the following: thesymmetrically encryptedMessage, signature andcertificate, as well as theasymmetrically encryptedsymmetric key (the digitalenvelope).
RS[(Msg), Ts[H(Msg)], (Tanya<<CA1)]+Bp[RS]
Digital Envelope
Network SecurityNetwork Security -- 1/1/5656
143.471 Digital Communication Networks143.471 Digital Communication Networks
Summarising a Secure &Authenticated Transaction(Steps 6,7,8,9 and 10 - Decryption)
6 Bob receives the messagefrom Tanya and decrypts thedigital envelope with hisprivate key-exchange key toretrieve the symmetric key.
7 He uses the symmetric keyto decrypt the propertydescription, Tanya’ssignature, and hercertificate.
8 He decrypts Tanya’s digitalsignature with her publicsignature key, which heacquires from her certificate.This recovers the originalmessage digest of theproperty description.
RS[(Msg), Ts[H(Msg)], (Tanya<<CA1)] + Bp[RS]
RS = Bs[Bp[RS]]
[(Msg), Ts[H(Msg)], (Tanya<<CA1)]= RS[RS[(Msg), Ts[H(Msg)], (Tanya<<CA1)]]
Tp = The KeySection of (Tanya<<CA1)]
H(Msg) = Tp [Ts[H(Msg)]],
Network SecurityNetwork Security -- 1/1/5757
143.471 Digital Communication Networks143.471 Digital Communication Networks
Summarising a Secure &Authenticated Transaction(Steps 6,7,8,9 and 10 - Decryption)
9 He runs the Messagethrough the same one-way algorithm used byTanya and produces anew message digest ofthe decrypted propertydescription.
[(Msg), Ts[H(Msg)], (Tanya<<CA1)]
H(Msg) generated by Bob from the Message
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 20
Network SecurityNetwork Security -- 1/1/5858
143.471 Digital Communication Networks143.471 Digital Communication Networks
Summarising a Secure &Authenticated Transaction(Steps 6,7,8,9 and 10 - Decryption)
10 Finally, he compares hismessage digest to theone obtained fromTanya’s digital signature.
H(Msg) generated by Bob from the Message
H(Msg) = Tp [Ts[H(Msg)]],
Compare
Yes
If they are exactly the same, he confirmsthat the message content has not beenaltered during transmission and that it wassigned using Tanya’s private signature key.
If they are not the same,then the message eitheroriginated somewhereelse or was altered afterit was signed. In thatcase, Bob takes someappropriate action suchas notifying Tanya ordiscarding the message.
SameNo
Network SecurityNetwork Security -- 1/1/5959
143.471 Digital Communication Networks143.471 Digital Communication Networks
Digital Signatures - The Future
Extensive activity to set up systems that will allow worldwide business transactions over the Internet…. See“SET” standard
Governments (in particular the US Government) areproviding legislative frameworks for CertificationHierarchies
Digital Signature technology and its uses will explode…..
Network SecurityNetwork Security -- 1/1/6060
143.471 Digital Communication Networks143.471 Digital Communication Networks
Definition of Terms - 1(Source: X.509)
Authentication Token(Token): Information conveyedduring a strong authenticationexchange, which can be used toauthenticate its sender.
User Certificate; Certificate: Thepublic keys of a user, together withsome other information, renderedunforgeable by encipherment withthe private key of the certificationauthority which issued it.
Certification Authority: An authoritytrusted by one or more users tocreate and assign certificates.Optionally the certification authoritymay create the users’ keys.
Certification Path: An orderedsequence of certificates of objects inthe DIT which, together with thepublic key of the initial object in thepath, can be processed to obtain thatof the final object in the path.
Cryptographic System,Cryptosystem: A collection oftransformations from plain text intociphertext and vice versa, theparticular transformation(s) to beused being selected by keys. Thetransformations are normally definedby a mathematical algorithm.
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 21
Network SecurityNetwork Security -- 1/1/6161
143.471 Digital Communication Networks143.471 Digital Communication Networks
Definition of Terms - 2(Source: X.509)
Hash Function: A (mathematical)function which maps values from alarge (possibly very large) domaininto a smaller range. A “good” hashfunction is such that the results ofapplying the function to a (large) setof values in the domain will be evenlydistributed (and apparently atrandom) over the range.
One-way Function: A (mathematical)function f which is easy to compute,but which for a general value y in therange, it is computationally difficult tofind a value x in the domain such thatf(x) = y. There may be a few values yfor which finding x is notcomputationally difficult.
Public Key: (In a public keycryptosystem) that key of a user’skey pair which is publicly known.
Private Key; Secret Key(In a public key cryptosystem)that key of a user’s key pairwhich is known only by that user.
Simple Authentication:Authentication by means ofsimple password arrangements.
Security Policy:The set of rules laid down by thesecurity authority governing theuse and provision of securityservices and facilities.
Network SecurityNetwork Security -- 1/1/6262
143.471 Digital Communication Networks143.471 Digital Communication Networks
Definition of Terms - 3(Source: X.509)
Strong Authentication:Authentication by means ofcryptographically derivedcredentials.
Trust:Generally, an entity can be saidto “trust” a second entity when it(the first entity) makes theassumption that the secondentity will behave exactly as thefirst entity expects. This trustmay apply only for some specificfunction.
The key role of trust in theauthentication framework is todescribe the relationshipbetween an authenticating entityand a certification authority; anauthenticating entity shall becertain that it can trust thecertification authority to createonly valid and reliablecertificates.
Certificate Serial Number:An integer value, unique withinthe issuing CA, which isunambiguously associated with acertificate issued by that CA.
Network SecurityNetwork Security -- 1/1/6363
143.471 Digital Communication Networks143.471 Digital Communication Networks
Notation - 1(Source: X.509)
Notation Meaning
Xp Public key of a user X.
Xs Private key of X.
Xp[I] Encipherment of some information, I, using the public key of X.
Xs[I] Encipherment of I using the private key of X.
X{I} The signing of I by user X. It consists of I with an enciphered summary appended.
CA(X) A certification authority of user X.
CAn(X) (Where n>1): CA(CA(...n times...(X)))
X1«X2» The certificate of user X2 issued by certification authority X1.
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 22
Network SecurityNetwork Security -- 1/1/6464
143.471 Digital Communication Networks143.471 Digital Communication Networks
Notation - 2(Source: X.509)
X1«X2» X2«X3» A chain of certificates (can be of arbitrary length), where each item is the certificate for thecertification authority which produced the next. It is functionally equivalent to the followingcertificate X1«Xn+1». For example, possession of A«B»B«C» provides the same capability asA«C», namely the ability to find out Cp given Ap.
X1p • X1«X2» The operation of unwrapping a certificate (or certificate chain) to extract a public key. It is an infixoperator, whose left operand is the public key of a certification authority, and whose right operandis a certificate issued by that certification authority. The outcome is the public key of the userwhose certificate is the right operand. For example:
Ap • A«B» B«C»
denotes the operation of using the public key of A to obtain B’s public key, Bp, from its certificate,followed by using Bp to unwrap C’s certificate. The outcome of the operation is the public key ofC, Cp.
AB A certification path from A to B, formed of a chain of certificates, starting with CA(A)«CA2(A)»and ending with CA(B)«B».
NOTE – In the table, the symbols X, X1, X2, etc., occur in place of the names of users, while the symbol I occurs in placeof arbitrary information.
Network SecurityNetwork Security -- 1/1/6565
143.471 Digital Communication Networks143.471 Digital Communication Networks
Likelihood and Costs of Network SecurityThreats
Network SecurityNetwork Security -- 1/1/6666
143.471 Digital Communication Networks143.471 Digital Communication Networks
Common Security Threats
Virus infection – most likely event
Unauthorized accessBy internal and external hackers
High cost to recover (both in $ and publicity)
Device failure (not necessarily by a malicious act)
Device theft, Natural Disaster
Denial of Service attacks
External attacks blocking access to the network
Big picture messages:Viruses: most common threat with a fairly high cost
Unauthorized access by employees: greater threat
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 23
Network SecurityNetwork Security -- 1/1/6767
143.471 Digital Communication Networks143.471 Digital Communication Networks
Identify and Document Controls
Identify current in-place controls and list them in the cellfor each asset and threat
For each asset and the specific threat
Describe each control that
– Prevents,
– Detects and/or
– Corrects that threat
Place each control and its role in a numeric list (without anyranking)
Place the number in the cell (in the control spreadsheet)
– Each cell may have one or more controls
Network SecurityNetwork Security -- 1/1/6868
143.471 Digital Communication Networks143.471 Digital Communication Networks
Business Continuity Planning
Make sure that organization’s data and applications willcontinue to operate even in the face of disruption,destruction, or disaster
Continuity Plan includesDevelopment of controls
To prevent these events from having a major impact
Disaster recovery plan
To enable the organization to recover if a disaster occurs
Network SecurityNetwork Security -- 1/1/6969
143.471 Digital Communication Networks143.471 Digital Communication Networks
Specifics of Continuity Plan
Preventing Disruption, Destruction, and Disaster
Using Redundant Hardware
Preventing Natural Disaster
Preventing Theft
Preventing Viruses
Preventing Denial of Service
Detecting Disruption, Destruction, and Disaster
Correcting Disruption, Destruction, and DisasterDisaster Recovery Plan
Disaster Recovery Outsourcing
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 24
Network SecurityNetwork Security -- 1/1/7070
143.471 Digital Communication Networks143.471 Digital Communication Networks
Using Redundant Hardware
A key principal in preventing disruption, destruction anddisaster
Examples of components that provide redundancy
Uninterruptible power supplies (UPS)
A separate battery powered power supply
Can supply power for minutes or even hours
Fault-tolerant servers (with redundant components)
Disk mirroring
A redundant second disk for every disk on the server
Every data on primary disk is duplicated on mirror
Disk duplexing (redundant disk controllers)
Can apply to other network components as wellCircuits, routers, client computers, etc.,
Network SecurityNetwork Security -- 1/1/7171
143.471 Digital Communication Networks143.471 Digital Communication Networks
Preventing Natural Disasters
More difficult to do
Since the entire site can be destroyed by a disaster
Fundamental principle:
Decentralize the network resources
Store critical data in at least two separate locations (in differentpart of the country)
Best solution
Have a completely redundant network that duplicates everynetwork component, but in a different location
Other stepsDepend on the type of disaster to be prevented
Flood: Locate key components away from riversFire: Install Halon fire suppression system
Network SecurityNetwork Security -- 1/1/7272
143.471 Digital Communication Networks143.471 Digital Communication Networks
Preventing Theft
Security plan must include:
An evaluation of ways to prevent equipment theft
Procedures to execute the plan
Equipment theft
A big problem
About $1 billion lost each year to theft of computersand related equipment
Attractive good second hand market
Making the m valuable to steal
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 25
Network SecurityNetwork Security -- 1/1/7373
143.471 Digital Communication Networks143.471 Digital Communication Networks
Preventing Computer Viruses
Viruses (Macro viruses)
Attach themselves to other programs (documents) and spreadwhen the programs are executed (the files are opened)
Worms
Special type of virus that spread itself without humanintervention (copies itself from computer to computer)
Anti-virus software packages
Check disks and files to ensure that they are virus-free
Incoming e-mail messages
Most common source of viruses
Attachments to e-mails to be checked for viruses
Use of filtering programs that ‘clean’ incoming e-mail
Network SecurityNetwork Security -- 1/1/7474
143.471 Digital Communication Networks143.471 Digital Communication Networks
Preventing Denial of Service Attacks
DoS attacks
Network disrupted by a flood of messages (prevents messages fromnormal users)
Flooding web servers, email servers
Distributed DoS (DDoS)
Places DDoS agents into many computers
Controls them by DDoS handler
Example: Issues instructions to computers to send simultaneous messagesto a target computer
Difficult to prevent DoS and DDoS attacks
Setup many servers around the world
Use Intrusion Detection Systems
Require ISPs to verify that all incoming messages have valid IPaddresses
Network SecurityNetwork Security -- 1/1/7575
143.471 Digital Communication Networks143.471 Digital Communication Networks
Detecting Disruption, Destruction,Disaster
Recognize major problems quickly
Involves alerting network managers to problems forcorrective actions
Requires clear procedures describing how to report problemsquickly
Detecting minor disruptionsMore difficult
Bad spots on a drive remaining unnoticed until it is checked
Requires ongoing monitoring
Requires fault information be routinely logged
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 26
Network SecurityNetwork Security -- 1/1/7676
143.471 Digital Communication Networks143.471 Digital Communication Networks
Disaster Recovery Plans (DRPs)
Identify clear responses to possible disasters
Provide for partial or complete recovery of
All data, Application software,
Network components, and Physical facilities
Includes backup and recovery controls
Make backup copies of all data and SW routinely
Encrypt them and store them offsite
Should include a documented and tested approach to recovery
Include Disaster Recovery Drills
Should address what to do in situations like
If the main database is destroyed
If the data centre is destroyed, how long
Network SecurityNetwork Security -- 1/1/7777
143.471 Digital Communication Networks143.471 Digital Communication Networks
Elements of a DRP
Names of responsible individuals
Staff assignments and responsibilities
List of priorities of “fix-firsts”
Location of alternative facilities
Recovery procedures for data communications facilities,servers and application systems
Actions to be taken under various contingencies
Manual processes
Updating and Testing procedures
Safe storage of data, software and the disaster recoveryplan itself
Network SecurityNetwork Security -- 1/1/7878
143.471 Digital Communication Networks143.471 Digital Communication Networks
Two-Level DRPs
Level 1:
Build enough capacity and have enough spare equipment
To recover from a minor disaster (e.g., loss of a major server orportion of the network)
Could be very expensive
Level 2:Rely on professional disaster recovery firms
To provide second level support for major disasters
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 27
Network SecurityNetwork Security -- 1/1/7979
143.471 Digital Communication Networks143.471 Digital Communication Networks
Disaster Recovery Firms
Offer a range of services
Secure storage for backups
A complete networked data center that clients can use indisasters
Complete recovery of data and network within hours
Expensive, used by large organizationsMay be worthwhile when millions of dollars of lost revenue maybe at stake
Network SecurityNetwork Security -- 1/1/8080
143.471 Digital Communication Networks143.471 Digital Communication Networks
Controlling Unauthorized Access
Types of intruders
Casual intruders
With Limited knowledge (“trying doorknobs”)
Script kiddies: Novice attackers using hacking tools
Security experts (hackers)
Motivation: the thrill of the hunt; show off
Crackers: hackers who cause damage
Professional hackers (espionage, fraud, etc)
Breaking into computers for specific purposes
Organization employees
With legitimate access to the network
Gain access to information not authorized to use
Network SecurityNetwork Security -- 1/1/8181
143.471 Digital Communication Networks143.471 Digital Communication Networks
Preventing Unauthorized Access
Requires a proactive approach that includes routinelytesting the security systems
Best rule for high security
Do not keep extremely sensitive data online
Store them in computers isolated from the network
Security Policy
Critical to controlling risk due to access
Should define clearly
Important assets to be safeguarded and Controls needed
What employees should do
Plan for routinely training employees and testing security controlsin place
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 28
Network SecurityNetwork Security -- 1/1/8282
143.471 Digital Communication Networks143.471 Digital Communication Networks
Elements of a Security Policy
Names of responsible individuals
Incident reporting system and response team
Risk assessment with priorities
Controls on access points to prevent or deterunauthorized external access
Controls within the network to ensure internal userscannot exceed their authorized access
An acceptable use policy
User training plan on security
Testing and updating plans
Network SecurityNetwork Security -- 1/1/8383
143.471 Digital Communication Networks143.471 Digital Communication Networks
Aspects of Preventing UnauthorizedAccess
Securing the Network Perimeter
Securing the Interior of the networkMost ignored aspects
“candy security” – security without this aspect
“crunchy outside, soft and chewy inside”
Authenticating usersTo make sure only valid users are allowed into the network
Network SecurityNetwork Security -- 1/1/8484
143.471 Digital Communication Networks143.471 Digital Communication Networks
Securing Network Perimeter
Basic access points into a network
LANs inside the organization
Dial-up access through a modem
Internet (most attacks come in this way)
Basic elements in preventing accessPhysical Security
Dial-in security
Firewalls and
Network Address Translation (NAT) Proxy servers
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 29
Network SecurityNetwork Security -- 1/1/8585
143.471 Digital Communication Networks143.471 Digital Communication Networks
Physical Security
Means preventing outsiders from gaining access intooffices, server rooms, equipment
Secure both main and remote facilities
Implement proper access controls to areas where networkequipment is located
Only authorized personnel to access
Each network component to have its own level of physical security
– Have locks on power switches and passwords to disable keyboard andscreens
Be careful about distributed backup and servers
– Good for continuity, but bad for unauthorized access
– More equipment and locations to secure
Network SecurityNetwork Security -- 1/1/8686
143.471 Digital Communication Networks143.471 Digital Communication Networks
Personnel Matters
Also important to
Provide proper security education
Perform background checks
Implement error and fraud controls
Reduces the possibility of attackers posing asemployees
Example: Become employed as janitor and use various listeningdevices/computers to access the network
Areas vulnerable to this type of access:Network Cabling
Network Devices
Network SecurityNetwork Security -- 1/1/8787
143.471 Digital Communication Networks143.471 Digital Communication Networks
Securing Network Cables
Easiest targets for eavesdropping
Often run long distances and usually not checked regularly
Easier to tap into local cables
Easier to identify individual circuits/channels
Control physical access by employees or vendors toconnectors and cables
Secure local cables behind walls and above ceilings
Keep equipment room locked and alarm controlled
Choose a cable type harder to tapHarder to tap into fiber optic cables
Pressurized cables: generates alarms when cut
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 30
Network SecurityNetwork Security -- 1/1/8888
143.471 Digital Communication Networks143.471 Digital Communication Networks
Securing Network Devices
Should be secured in locked wiring closets
More vulnerable: LAN devices (controllers, hubs, bridges,routers, etc.,)
A sniffer (LAN listening device) can be easily hooked up to thesedevices
Use secure hubs: requires special code before a new computersare connected
Network SecurityNetwork Security -- 1/1/8989
143.471 Digital Communication Networks143.471 Digital Communication Networks
Dial-in Security
Routinely change modem numbers
Use call-back modems & automatic numberidentification (ANI)
Only users dialing in from authorized locations are grantedaccess
User dials-in and logs into his/her account
Modem (at server) hangs-up and dials back user’s modem’sprespecified number
ANI: allows the user to dial in from several prespecified locations
Use one-time only passwords
For traveling employees who can’t use call-back modems andANI
Network SecurityNetwork Security -- 1/1/9090
143.471 Digital Communication Networks143.471 Digital Communication Networks
Firewalls
Prevent intruders (by securing Internet connections)
From making unauthorized access and denial of service attacks to your network
Could be a router, gateway, or special purpose computer
Examines packets flowing into and out of the organization’s network
Restricts access to that network
Placed on every connection that network has to Internet
Main types of firewalls
Packet level firewalls (i.e., packet filters)
Application-level firewalls (i.e., application gateway)
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 31
Network SecurityNetwork Security -- 1/1/9191
143.471 Digital Communication Networks143.471 Digital Communication Networks
Packet Filters
Examines the source and destination address of packetspassing through
Allows only packets that have acceptable addresses to pass
Examines IP Addresses and TCP ports only
Firewall is unaware of applications and what the intruder is trying todo
IP spoofing remains a problem
Done by simply changing the source address of incomingpackets from their real address to an address inside theorganization’s network
Firewall will pass this packet
Network SecurityNetwork Security -- 1/1/9292
143.471 Digital Communication Networks143.471 Digital Communication Networks
Application-Level Firewalls
Acts as an intermediate host computer (between outsideclients and internal servers)
Forces anyone to login to this firewall and allows access only toauthorized applications (e.g., Web site access)
Separates a private network from the rest of the Internet
Hides individual computers on the network behind the firewall
Some prohibits external users downloading executablefiles
Software modifications done via physical access
Requires more processing power than packet filterswhich can impact network performance
Because of the increased complexity of what they do
Network SecurityNetwork Security -- 1/1/9393
143.471 Digital Communication Networks143.471 Digital Communication Networks
Network Address Translation (NAT)
Used, by most firewalls, to shield a private network fromoutside interference
Translates between private addresses inside a network andpublic addresses outside the network
Done transparently (unnoticed by external computers)
Internal IP addresses remain hidden
Performed by NAT proxy serversUses an address table to do translations
Ex: a computer inside accesses a computer outside
Change source IP address to its own address
Change source port number to a unique number
– Used as an index to the original source IP address
Performs reverse operations for response packets
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 32
Network SecurityNetwork Security -- 1/1/9494
143.471 Digital Communication Networks143.471 Digital Communication Networks
Using Illegal Addresses with NAT
Used to provide additional security
Assigns illegal IP addresses to devices inside thenetwork
Even if they are discovered, no packets (with these addresses)from Internet will be delivered (illegal IP address)
Example: Assigned by ICANN: 128.192.55.xx
Assign to NAT proxy server: 128.192.55.1
Assign to internal computers: 10.3.3.xx
– 10.x.x.x is reserved for private networks (never used on Internet)
No problem with users: NAT proxy server
Big problem with intruders !!
Network SecurityNetwork Security -- 1/1/9595
143.471 Digital Communication Networks143.471 Digital Communication Networks
Use of NAT Proxy Servers
Becoming popular; replacing firewalls
Slow down message transfer
Require at least two separate DNS servers
For use by external users on Internet
For use by internal users (internal DNS server)
Use of combined, layered approachUse layers of NAT proxy servers, packet filters and applicationgateways
Maintaining online resources (for public access) in a “DMZnetwork” between the internal networks and the Internet
Network SecurityNetwork Security -- 1/1/9696
143.471 Digital Communication Networks143.471 Digital Communication Networks
A Network Design Using Firewalls
For initial screening- Permits web access- Denies FTP requests
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 33
Network SecurityNetwork Security -- 1/1/9797
143.471 Digital Communication Networks143.471 Digital Communication Networks
Securing the Interior
Security Holes
Trojan Horses
Encryption
Network SecurityNetwork Security -- 1/1/9898
143.471 Digital Communication Networks143.471 Digital Communication Networks
Security Holes
Made by flaws in network software that permitunintended access to the network
A bug that permits unauthorized access
Operating systems often contain security holes
Details can be highly technical
Once discovered, knowledge about the security holequickly circulated on the Internet
A race can then begin between
Hackers attempting to break into networks through the security holeand
Security teams working to produce a patch to eliminate the securityhole
CERT: major clearing house for Internet related holes
Network SecurityNetwork Security -- 1/1/9999
143.471 Digital Communication Networks143.471 Digital Communication Networks
Other Security Holes
Flawed policies adopted by vendors
New computers come with preinstalled user accounts with wellknown passwords
Managers forgetting to change these passwords
American government's OS security levelsMinimum level (C2): provided by most OSs
Medium Level (B2): provided by some
Highest level (A1 and A2): provided by few
143.471 Digital Communications 23/05/2007
Network Security Cryptography, Hash Functions & Digital Signatures - 34
Network SecurityNetwork Security -- 1/1/100100
143.471 Digital Communication Networks143.471 Digital Communication Networks
OS Security: Windows vs. Linux
Windows
Originally written for one user one computer
User with full control
Applications making changes to critical parts of the system
– Advantages: More powerful applications (without needing user tounderstand internals), feature rich, easy to use applications
– Disadvantages: Hostile applications taking over the system
LinuxMulti-users with various access wrights
Few system administrators with full control
Network SecurityNetwork Security -- 1/1/101101
143.471 Digital Communication Networks143.471 Digital Communication Networks
Trojan Horses
Remote access management consoles that enable usersto access a computer and manage it from afar
More often concealed in another software that isdownloaded over Internet
Common carriers: Music and video files shared on Internet sites
Undetected by antivirus software
Major TrojansBack Office: attacked Windows servers
Gives the attacker the same right as the administrator
Morphed into tools such as MoSucker and Optix Pro
Powerful and easy to use