Presentation transcript:

ECE-6612 Quiz-2 Review
Prof. John A. Copeland, john.copeland@ece.gatech.edu, 404 894-5177, fax 404 894-0035, Office: Centergy 5188
http://www.csc.gatech.edu/copeland/jac/6612/
Email or call for office visit, or call Kathy Cheek, 404 894-5696.

Quiz-2 Topic Areas
• X.509 Certificates - Digital Proof of Identity
• Email Security - PGP, S/MIME
• IP Security - IPsec
• Web Security - Secure Socket Layers (SSL), Secure Electronic Transactions (SET)
• Network Management Security - SNMP v3
• Intruders (and other Malicious Users)
• Viruses - Worms, Trojan Horses, ...

X.509 Authentication Service
• An International Telecommunications Union (ITU) recommendation (versus “standard”) that allows computer hosts or users to securely identify themselves over a network.
• An X.509 certificate purchased from a “Certificate Authority” (trusted third party) allows a merchant to give you his public key in a way that your browser can generate a session key for a transaction and securely send it to the merchant for use during the transaction (the padlock icon on screen closes to indicate that transmissions are encrypted).
• Once a session key is established, no one can “hijack” the session (for example, after you enter your credit card information, an intruder cannot change the order and delivery address).
• The user only needs a browser that can encrypt/decrypt with the appropriate algorithm and generate session keys from truly random numbers.
• The merchant’s certificate is available to the public; only the secret (private) key must be protected. Certificates can be cancelled (revoked) if the secret key is compromised.

Certificate Authority generates the “signature” that is added to the raw “Certificate”:
1. The raw certificate has the user name, public key, expiration date, ...
2. Generate a hash code (MIC) of the raw certificate.
3. Encrypt the hash code with the CA’s private key to form the CA’s signature.
4. Signed Certificate = Raw Certificate + CA’s signature.
The recipient can verify the signature using the CA’s public key.

Email: Pretty Good Privacy, PGP
Establishing Keys
• Public Key Certification
• Exchange Public Keys
Multiple Recipients
• Encrypt message m with session key, S
• Encrypt S with each recipient's key
• Send: {S; Kbob}, {S; Kann}, ... , {m; S}
Authentication of Source
• Hash (MD4, MD5, SHA1) of message, encrypt with private key (provides ciphertext/plaintext pair)
• Secret Key K: MIC is hash of K+m, or CBC residue with K (assuming message not encrypted with K).
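The multiple-recipient scheme above (encrypt m once with a session key S, wrap S for each recipient, send {S; Kbob}, {S; Kann}, ..., {m; S}) and the secret-key MIC, as an added Go example that is not part of the slides and not PGP's actual wire format. It assumes RSA-OAEP for wrapping S and AES-256-GCM for the message body (the slides do not name these); the MIC is computed as HMAC-SHA256(K, m) rather than a bare hash of K+m, a swapped-in choice so that appending data to m cannot be turned into a valid new tag without K. The message, recipient names and OAEP label are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the "Send" line of the slide: {S; Kbob}, {S; Kann}, ..., {m; S}.
// Field names and layout are this example's own, not PGP's packet format.
type Envelope struct {
	WrappedKeys map[string][]byte // session key S encrypted under each recipient's public key
	Nonce       []byte            // AES-GCM nonce for the single encrypted copy of m
	Ciphertext  []byte            // message m encrypted once with S
}

var keyLabel = []byte("pgp-style-session-key") // OAEP label, constructed for the example

// GenKey makes one recipient's RSA key pair (2048 bits; the slides' 512/1024 are too small today).
func GenKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Seal encrypts msg once with a fresh 256-bit session key S and wraps S for every
// recipient, so the body is never re-encrypted per recipient.
func Seal(msg []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	s := make([]byte, 32)
	if _, err := rand.Read(s); err != nil {
		return nil, err
	}
	gcm, err := newGCM(s)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{
		WrappedKeys: make(map[string][]byte, len(recipients)),
		Nonce:       nonce,
		Ciphertext:  gcm.Seal(nil, nonce, msg, nil),
	}
	for name, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, s, keyLabel)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[name] = wrapped
	}
	return env, nil
}

// Open is one recipient's side: unwrap S with the private key, then decrypt m.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[name]
	if !ok {
		return nil, errors.New("no session key wrapped for " + name)
	}
	s, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, keyLabel)
	if err != nil {
		return nil, err // wrong private key: the OAEP padding check fails
	}
	gcm, err := newGCM(s)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // GCM tag also detects tampering with m
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// MIC is the slide's secret-key integrity check, keyed with HMAC instead of hashing K+m.
func MIC(k, m []byte) []byte {
	mac := hmac.New(sha256.New, k)
	mac.Write(m)
	return mac.Sum(nil)
}

// VerifyMIC compares tags in constant time.
func VerifyMIC(k, m, tag []byte) bool {
	return hmac.Equal(MIC(k, m), tag)
}

func main() {
	bob, ann := GenKey(), GenKey()
	env, err := Seal([]byte("constructed sample message"), map[string]*rsa.PublicKey{
		"bob": &bob.PublicKey, "ann": &ann.PublicKey,
	})
	if err != nil {
		panic(err)
	}
	m, err := Open(env, "ann", ann)
	fmt.Printf("ann reads: %q (err=%v)\n", m, err)
	_, err = Open(env, "bob", ann) // ann's key cannot unwrap bob's copy of S
	fmt.Println("ann opening bob's copy:", err)
}
```

The envelope carries one ciphertext and N wrapped keys, which is why adding a recipient costs one public-key operation rather than a second copy of the message.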

(Figure) From "PGP Freeware for MacOS, User's Guide" Version 6.5, Network Associates, Inc., www.pgp.com

Things of which to be aware
• Neither PEM nor PGP encodes mail headers:
  - the Subject can give away useful info,
  - To and From give an intruder traffic-analysis info.
• PGP gives the recipient the original file name and modification date.
• PEM may be used in a local system with unknown trustworthiness of certificates.
• Certificates often verify that the sender is "John Smith", but he may not be the "John Smith" you think (PGP allows pictures in certificates).

Simple Mail Transfer Protocol (SMTP, RFC 822)
SMTP Limitations - cannot transmit, or has a problem with:
• executable files, or other binary files (jpeg image)
• “national language” characters (non-ASCII)
• messages over a certain size
• ASCII to EBCDIC translation problems
• lines longer than a certain length (72 to 254 characters)
MIME Defined Five New Headers
• MIME-Version. Must be “1.0” -> RFC 2045, RFC 2046
• Content-Type. More types being added by developers (application/word)
• Content-Transfer-Encoding. How the message has been encoded (radix-64)
• Content-ID. Unique identifying character string.
• Content-Description. Needed when content is not readable text (e.g., mpeg)
Canonical Form: standard format for use between systems (not a “native” format - GIF).

Secure/MIME
Can “sign” and/or encrypt messages. Functions:
• Enveloped Data: Encrypted content and encrypted session keys for recipients.
• Signed Data: Message Digest encrypted with private key of “signer.”
• Clear-Signed Data: Signed but not encrypted.
• Signed and Enveloped Data: Various orderings for encrypting and signing.
Algorithms Used
• Message Digesting: SHA-1 and MD5
• Digital Signatures: DSS
• Secret-Key Encryption: Triple-DES, RC2/40 (exportable)
• Public-Private Key Encryption: RSA with key sizes of 512 and 1024 bits, and Diffie-Hellman (for session keys).

X.509 Chain of Authentication
Actually, there are sets of top-level CAs, those included with browser programs (W, Y, ...).
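The CA signing step from the earlier slide (hash the raw certificate, encrypt the hash with the CA's private key, verify with the CA's public key) and the chain of authentication back to a browser-trusted root, as an added Go example using the standard crypto/x509 package; it is not code from the slides. The CA names, host name and serial numbers are constructed, and ECDSA P-256 is assumed as the signature algorithm (the slides do not specify one).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate fills the "raw certificate" fields from the slide: name, validity dates,
// and (added by CreateCertificate) the public key. Serial numbers are constructed.
func newTemplate(serial int64, name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA = true
		t.BasicConstraintsValid = true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name} // browsers match the host name against SANs
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// MakeCA creates a top-level CA: a self-signed root like the ones shipped with browsers.
func MakeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := newTemplate(1, name, true)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Issue hashes the merchant's raw (to-be-signed) certificate and signs that hash with the
// CA's private key, producing the signed certificate the merchant hands to browsers.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, newTemplate(2, host, false), ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SignatureOK is the recipient's check on the slide: the CA's public key verifies the
// signature over the raw certificate bytes (RawTBSCertificate).
func SignatureOK(cert, ca *x509.Certificate) bool {
	return ca.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

// TamperedSignatureOK flips one byte of the raw certificate and re-checks: any change to
// the name, key or dates changes the hash, so the CA's signature no longer matches.
func TamperedSignatureOK(cert, ca *x509.Certificate) bool {
	raw := append([]byte(nil), cert.RawTBSCertificate...)
	raw[len(raw)-1] ^= 0x01
	return ca.CheckSignature(cert.SignatureAlgorithm, raw, cert.Signature) == nil
}

// Verify plays the browser: it trusts only the given roots, walks the chain from the
// merchant certificate up to one of them, and checks host name and validity period.
func Verify(cert *x509.Certificate, host string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	ca, caKey, err := MakeCA("Example Root CA")
	if err != nil {
		panic(err)
	}
	leaf, err := Issue(ca, caKey, "shop.example")
	if err != nil {
		panic(err)
	}
	fmt.Println("CA key verifies merchant cert:", SignatureOK(leaf, ca))
	fmt.Println("after one flipped byte:", TamperedSignatureOK(leaf, ca))
	fmt.Println("chain to trusted root:", Verify(leaf, "shop.example", ca))
}
```

The same leaf fails against a root the browser does not trust and against a host name that is not in the certificate, which is the practical meaning of the chain: trust flows only from the roots the browser ships with.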

Router Network - Table Set Up
In a Router Network, circuits are defined by entries in the Routing Tables along the way. These may be Static (manually set up) or Dynamic (set up according to an Algorithm in the Router).
(Figure: a route from station A to station D across routers 1-7, with stations A-E on LANs; legend: Station (on a LAN), Local Connection, Trunk or Long-Haul, Router.)

Router
(Figure: protocol-layer diagram of a Browser (IP address 24.88.15.22) communicating with a Web Server (IP address 130.207.22.5) through a Router. Application Layer (HTTP): Port 80 on the Web Server, Port 31337 on the Browser; Transport Layer (TCP, UDP): Segment No.; Network Layer (IP): the Router buffers packets that need to be forwarded, based on IP address; Data-Link and Physical Layers: Ethernet on one side, Token Ring on the other.)

Internet (IP) Layer Security
The Internet Engineering Task Force (IETF) Internet Protocol Security protocol (IPSEC) working group was formed to standardize an IP Security Protocol (IPSP) and an Internet Key Management Protocol (IKMP).
• The objective of IPSP is to make cryptographic security mechanisms available to users who desire security.
• The mechanisms should work for both the current version of IP (IPv4) and the new IP (IPng or IPv6).
• They should be algorithm-independent, in that the cryptographic algorithms can be altered.
• They should be useful in enforcing different security policies, but avoid adverse impacts on users who do not employ them.
Rolf Oppliger, "Internet Security: Firewalls and Beyond," p92, Comm. ACM 40, May 1997

SNMP version 3 (figure-only slide)

SET (Secure Electronic Transactions)
• Provides a secure communications channel among all the parties involved in a transaction: Customer, Seller, Customer’s credit provider, Seller’s bank.
• Provides trust by the use of X.509v3 certificates.
• Ensures privacy because information is only made available to the parties that need it.
  * Cardholder account authentication to the Merchant (the Cardholder must have a Certificate issued by the credit company; the Merchant may issue a temporary Certificate to ensure the session is not hijacked).
  * Verifies that the Merchant has a business relationship with a financial institution.
  * Integrity of data the customer sends to the Merchant (order info tied to funds transfer).



Network Intruders
• Masquerader: A person who is not authorized to use a computer, but gains access appearing to be someone with authorization (steals services, violates the right to privacy, destroys data, ...)
• Misfeasor: A person who has limited authorization to use a computer, but misuses that authorization (steals services, violates the right to privacy, destroys data, ...)
• Clandestine User: A person who seizes supervisory control of a computer and proceeds to evade auditing and access controls.

The Stages of a Network Intrusion [RAERU]
1. Scan the network to: [RECONNAISSANCE]
   • locate which IP addresses are in use,
   • what operating system is in use,
   • what TCP or UDP ports are “open” (being listened to by Servers).
2. Run “Exploit” scripts against open ports. [ACCESS]
3. Elevate privileges to “root” privileges. [ELEVATE]
4. Download from a Hacker Web site special versions of system files that will let the Cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs. [ROOT KIT]
5. Use IRC (Internet Relay Chat) to invite friends to the feast, or use the computer and its info another way. [UTILIZE]
Detection methods listed alongside the stages on the slide (in slide order): Flow-based* "CI", signature-based?; Vulnerability Scan Signature?, Flow-Based Port Profile*; Host-based; Signature?, "Port-Profile*", Forbidden Zones*, Host-based; Signature?, "Port-Profile*", Forbidden Zones*, Host-based. (* StealthWatch)

Protection from a Network Intrusion
1. Use a “Firewall” between the local area network and the world-wide Internet to limit access (Chapter 10).
2. Use an IDS (Intrusion Detection System) to detect the Cracker during the scanning stage (lock out the IP address, or monitor and prosecute).
3. Use a program like TripWire on each host to detect when system files are altered, and email an alert to the Sys Admin.
4. On Microsoft PC’s, a program like Zone Alarm or Black Ice is easier to install than learning how to reset default parameters to make the system safe (and fun besides).
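Step 3 above, the TripWire idea of detecting altered system files, as an added Go example that is not TripWire's code and not from the slides: a known-good baseline of SHA-256 hashes is taken once, and a later snapshot is compared against it to report modified, removed and added files, which is exactly the change a root kit (stage 4 of the previous slide) makes. The directory layout and file contents in main are constructed; a real deployment keeps the baseline where the monitored host cannot rewrite it and sends the report to the administrator.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Baseline maps a path (relative to the monitored root, slash-separated) to the
// SHA-256 of its contents.
type Baseline map[string]string

// Snapshot hashes every regular file below root; directories, symlinks and devices are skipped.
func Snapshot(root string) (Baseline, error) {
	b := Baseline{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil
		}
		sum, err := hashFile(path)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		b[filepath.ToSlash(rel)] = sum
		return nil
	})
	return b, err
}

func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Report lists what changed between the stored baseline and a fresh snapshot.
type Report struct {
	Added, Removed, Modified []string
}

// Clean is true when nothing changed, i.e. no alert is needed.
func (r Report) Clean() bool {
	return len(r.Added)+len(r.Removed)+len(r.Modified) == 0
}

// Compare diffs base against now; results are sorted so reports are stable.
func Compare(base, now Baseline) Report {
	var r Report
	for p, sum := range base {
		cur, ok := now[p]
		switch {
		case !ok:
			r.Removed = append(r.Removed, p)
		case cur != sum:
			r.Modified = append(r.Modified, p)
		}
	}
	for p := range now {
		if _, ok := base[p]; !ok {
			r.Added = append(r.Added, p)
		}
	}
	sort.Strings(r.Added)
	sort.Strings(r.Removed)
	sort.Strings(r.Modified)
	return r
}

func main() {
	root, err := os.MkdirTemp("", "tripwire-demo") // constructed stand-in for a system tree
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	os.MkdirAll(filepath.Join(root, "bin"), 0o755)
	os.WriteFile(filepath.Join(root, "bin", "ls"), []byte("original ls"), 0o755)
	os.WriteFile(filepath.Join(root, "passwd"), []byte("root:x:0:0"), 0o644)
	base, _ := Snapshot(root)
	// simulated root-kit replacement of a system binary
	os.WriteFile(filepath.Join(root, "bin", "ls"), []byte("replaced ls"), 0o755)
	now, _ := Snapshot(root)
	fmt.Printf("%+v\n", Compare(base, now))
}
```

Hashing contents rather than trusting size or modification time matters because those metadata fields are easy to restore after a file is replaced; the content hash is not.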

Anomaly-Based Intrusion Detection
High statistical variation in most measurable network behavior parameters results in a high false-alarm rate.
#FP = #Normal Events x FP-rate (False Alarms, False Positives)
#FN = #Bad Events x FN-rate (Undetected Intrusions, False Negatives)
(Figure: overlapping distributions of normal and bad events, with the Detection Threshold between them.)
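The threshold trade-off on this slide, as an added Go example that is not from the slides: a single measured parameter (taken here to be connections per minute, a constructed choice) is compared against a detection threshold, and moving the threshold trades false positives for false negatives. The sample values for normal and bad events are constructed; the two outliers among the normal values are the "high statistical variation" the slide refers to. Expected applies the slide's #FP and #FN formulas to event counts.

```go
package main

import "fmt"

// Counts is one row of the trade-off: false alarms and missed intrusions at a threshold.
type Counts struct {
	Threshold float64
	FP, FN    int
}

// Classify raises an alarm when the parameter exceeds the threshold. normal and bad hold
// the parameter values observed for events of known class.
func Classify(normal, bad []float64, threshold float64) Counts {
	c := Counts{Threshold: threshold}
	for _, v := range normal {
		if v > threshold {
			c.FP++ // normal event that alarmed: false positive
		}
	}
	for _, v := range bad {
		if v <= threshold {
			c.FN++ // bad event that stayed quiet: false negative
		}
	}
	return c
}

// Sweep evaluates each candidate threshold in the order given.
func Sweep(normal, bad []float64, thresholds []float64) []Counts {
	out := make([]Counts, 0, len(thresholds))
	for _, th := range thresholds {
		out = append(out, Classify(normal, bad, th))
	}
	return out
}

// Rates converts a row back into the per-event rates used on the slide.
func Rates(c Counts, nNormal, nBad int) (fpRate, fnRate float64) {
	return float64(c.FP) / float64(nNormal), float64(c.FN) / float64(nBad)
}

// Expected is the slide's formula: #FP = #Normal Events x FP-rate, #FN = #Bad Events x FN-rate.
func Expected(nNormal, nBad int, fpRate, fnRate float64) (fp, fn float64) {
	return float64(nNormal) * fpRate, float64(nBad) * fnRate
}

func main() {
	// constructed connections-per-minute samples; 30 and 45 are legitimate bursts
	normal := []float64{3, 5, 4, 6, 5, 30, 4, 7, 45, 5, 6, 4}
	bad := []float64{35, 60, 28, 80}
	for _, c := range Sweep(normal, bad, []float64{20, 40, 70}) {
		fpR, fnR := Rates(c, len(normal), len(bad))
		fmt.Printf("threshold %3.0f: FP=%d (%.2f) FN=%d (%.2f)\n", c.Threshold, c.FP, fpR, c.FN, fnR)
	}
	// even a 2% FP-rate over a day of normal traffic swamps the handful of real intrusions
	fp, fn := Expected(100000, 10, 0.02, 0.2)
	fmt.Printf("expected per day: %.0f false alarms, %.0f missed intrusions\n", fp, fn)
}
```

The last line of main is the point of the formula: because normal events vastly outnumber bad ones, the absolute number of false alarms is driven by the FP-rate times a very large #Normal Events, so a threshold that looks acceptable as a rate can still be unworkable as a daily alarm count.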