7: Network Security1 Chapter 7: Network security – Author? Foundations: r what is security? r cryptography r authentication r message integrity r key distribution and certification Security in practice: r application layer: secure r transport layer: Internet commerce, SSL, SET r network layer: IP security

7: Network Security2 Importance of Network Security? r Think about… m The most private, embarrassing or valuable piece of information you’ve ever stored on a computer m How much you rely on computer systems to be available when you need them m The degree to which you question whether a piece of really came from the person listed in the From field m How convenient it is to be able to access private information online (e.g. buy without entering all data, look up your transcript without requesting a copy,…)

7: Network Security3 Importance of Network Security r Society is becoming increasingly reliant on the correct and secure functioning of computer systems m Medical records, financial transactions, etc. r It is our jobs as professional computer scientists: m To evaluate the systems we use to understand their weaknesses m To educate ourselves and others to be wise network consumers m To design networked systems that are secure

7: Network Security4 Overview of Attacks and responses r Probably from: r James Kurose & Keith Ross; Computer r Networking: A Top-Down Approach r Featuring the Internet, 3rd Edition, r Addison Wesley, 2005, ISBN: r r Copyright J.F Kurose and r K.W. Ross, All Rights Reserved r Acknowledgments

7: Network Security5 Taxonomy of Attacks (1)  Process based model to classify methods of attack  Passive:  Interception: attacks confidentiality. a.k.a., eavesdropping, “man-in-the-middle” attacks.  Traffic Analysis: attacks confidentiality, or anonymity. Can include traceback on a network, CRT radiation.  Active:  Interruption: attacks availability. (a.k.a., denial-of-service attacks  Modification: attacks integrity.  Fabrication: attacks authenticity.

7: Network Security6 Taxonomy of Attacks (2)  ‘Result of the attack’ taxonomy  Increased Access the quest for root  Disclosure of Information credit card numbers  Corruption of Information changing grades, etc  Denial of Service self explanatory  Theft of Resources stealing accounts, bandwidth

7: Network Security7 Fundamentals of Defense r Cryptography r Restricted Access m Restrict physical access, close network ports, isolate from the Internet, firewalls, NAT gateways, switched networks r Monitoring m Know what normal is and watch for deviations r Heterogeneity/Randomness m Variety of Implementations, Random sequence numbers, Random port numbers

7: Network Security8 Fundamentals of Defense r Cryptography: the study of mathematical techniques related to information security that have the following objectives: m Integrity m Non-repudiation m Confidentiality m Authentication

7: Network Security9 Objectives of Cryptography r Integrity : ensuring information has not been altered by unauthorized or unknown means m Integrity makes it difficult for a third party to substitute one message for another. m It allows the recipient of a message to verify it has not been modified in transit. r Nonrepudiation : preventing the denial of previous commitments or actions m makes it difficult for the originator of a message to falsely deny later that they were the party that sent the message. m E.g., your signature on a document.

7: Network Security10 Objectives of Cryptography r Secrecy/Confidentiality : ensuring information is accessible only by authorized persons m Traditionally, the primary objective of cryptography. m E.g. encrypting a message r Authentication : corroboration of the identity of an entity m allows receivers of a message to identify its origin m makes it difficult for third parties to masquerade as someone else m e.g., your driver’s license and photo authenticates your image to a name, address, and birth date.

7: Network Security11 Security Services r Authorization r Access Control r Availability r Anonymity r Privacy r Certification r Revocation

7: Network Security12 Security Services r Authorization: conveyance of official sanction to do or be something to another entity. m Allows only entities that have been authenticated and who appear on an access list to utilize a service. m E.g., your date of birth on your driver’s license authorizes you to drink as someone who is over 21. r Access Control: restricting access to resources to privileged entities. m ensures that specific entities may perform specific operations on a secure object. m E.g. Unix access control for files (read, write, execute for owner, group, world)

7: Network Security13 Security Services r Availability: ensuring a system is available to authorized entities when needed m ensures that a service or information is available to an (authorized) user upon demand and without delay. m Denial-of-service attacks seek to interrupt a service or make some information unavailable to legitimate users.

7: Network Security14 Security Services r Anonymity : concealing the identity of an entity involved in some process m Concealing the originator of a message within a set of possible entities. The degree of anonymity of an entity is the sum chance that everyone else in the set is the originator of the message. Anonymity is a technical means to privacy. r Privacy: concealing personal information, a form of confidentiality.

7: Network Security15 Security Services r Certification: endorsement of information by a trusted entity. r Revocation: retraction of certification or authorization r Certification and Revocation m Just as important as certifying an entity, we need to be able to take those rights away, in case the system is compromised, we change policy, or the safety that comes from a “refresh”.

7: Network Security16 Friends and enemies: Alice, Bob, Trudy r well-known in network security world r Bob, Alice want to communicate “securely” r Trudy, the “intruder” may intercept, delete, add messages Figure 7.1 goes here

7: Network Security17 What is network security? Secrecy: only sender, intended receiver should “understand” msg contents m sender encrypts msg m receiver decrypts msg Authentication: sender, receiver want to confirm identity of each other Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection

7: Network Security18 Internet security threats Packet sniffing: m broadcast media m promiscuous NIC reads all packets passing by m can read all unencrypted data (e.g. passwords) m e.g.: C sniffs B’s packets A B C src:B dest:A payload

7: Network Security19 Internet security threats IP Spoofing: m can generate “raw” IP packets directly from application, putting any value into IP source address field m receiver can’t tell if source is spoofed m e.g.: C pretends to be B A B C src:B dest:A payload

7: Network Security20 Internet security threats Denial of service (DOS): m flood of maliciously generated packets “swamp” receiver m Distributed DOS (DDOS): multiple coordinated sources swamp receiver m e.g., C and remote host SYN-attack A A B C SYN

7: Network Security21 The language of cryptography symmetric key crypto: sender, receiver keys identical public-key crypto: encrypt key public, decrypt key secret Figure 7.3 goes here plaintext ciphertext K A K B