COEN 350 Network Security Introduction

Computer Networks OSI Reference Model Application Layer Presentation Layer Session Layer Transport Layer Network Layer Data Link Layer Physical Layer

OSI Reference Model Useful to establish terminology Not implemented Upper layer implemented in terms of lower layer.

OSI Reference Model Application Layer Presentation Layer Locus of applications that use networking P2P HTTP ftp Presentation Layer Encodes application data into a canonical form Decodes it into system-dependent format at the receiving end.

OSI Reference Model Session Layer Transport Layer Extra functions over reliable one-to-one connection RPC Transport Layer Reliable communication stream between a pair of systems. IP, UDP, TCP, ICMP

OSI Reference Model Network Layer Computes paths across an interconnected mesh of links and packet switches Forwards packets over multiple links from source to destination

OSI Reference Model Data Link Layer Physical Layer Organizes physical layer’s bits into packets and controls who on a shared link gets each packet. Physical Layer Delivers an unstructured stream of bits across a single link of some sort.

TCP/IP Suite

Protocol Layers and Security Security measures often layer network protocols. Protect contents of packages is protection at layer 2. Still allows traffic analysis. IPSec protects (encrypts) packages at layer 4 Does not work with NAT.

Goals Authentication Authorization Integrity Privacy Who are you? Are you allowed to do that? Integrity Is this the real message? Privacy Does anyone else know about it?

Zone of Control The zone that needs to be secured in order to prevent eavesdropping. Physical access needs to be prevented. Tempest program (US military) All computer systems radiate information. Possible to reconstruct image on a monitor from 20 ft. Wireless access point rated for e.g. 50 ft radius for receiving data. Special antenna (built from a Pringles box, etc.) can read traffic from a mile away. Define a perimeter of a commercial wired network: Need to include backdoor channels like modems, etc. Tempest: Set of standards for limiting electric or electromagnetic radiation emanations from electronic equipment. Shortcut for filed of compromising emanations / Emissions Security

Legal Issues Patent Law First inventor has the right to invention. In other countries: First one to file. Patents issued based on what inventors present regarding Novelty (  Prior Art) Importance (“Aha” effect) Patent process flawed since Reagan under-funding, but slowly getting better Patent decision needs to be made within a day. Many cryptography algorithms are / were patented. Are now moving into the public domain. Still, many standards are built around patented methods. Kerberos uses secret key encryption instead of public key encryption.

Legal Issues Export Control Cryptographic algorithms and tools were considered to be restricted technology. Treated like ammunition. Taking a laptop to Mexico for a week-end could be a violation of export control. Government gave up after PGP fiasco Zimmermann invented PGP 1.0 in 1991. PGP fell under the ammunition clause. Zimmermann circumvented export restriction by publishing code in book form (under first amendment protection) Book was intended to be bought by exactly one person in Norway to scan in code and publish PGP outside of US (for free downloads).

Legal Issues Key Escrow Cryptography algorithms became unbreakable in the nineties. Prevent wiretaps, computer forensics, etc. National security efforts sponsored Clipper: 1993 Encryption chip with secret key. User gets chip, secret key is broken up and stored at two different agencies. Two different agencies needed to cooperate to recover secret key. Considered to be almost impossible if cooperation were legal and impossible if cooperation were illegal. Government gave up.