DC DATACOMM John Abbott College JPC Datacomm Security M. E. Kabay, PhD, CISSP Director of Education, ICSA President, JINBU Corp Copyright © 1998 JINBU Corp. All rights reserved

DC Datacomm Security l Data Integrity l Sources of Error l Controlling Errors l Other Elements of Security

DC Data Integrity l Integrity refers to correctness and completeness l Switched telephone system has variable quality – Some virtual circuits are silent – Others are noisy--contain random and non- random extraneous and transient signals l Effects of noise – Obliterates differences between 0s and 1s – High-frequency transfers especially susceptible to distortion of signal – Results in data loss l Noise originates in electrical interference – e.g., lightning storms, motors, transmitters

DC Sources of Error Options for handling errors l Check nothing l Error detection with flagging l Error detection with request for retransmission l Forward error correction (FEC) – intelligent receiver – detect and correct certain errors

DC Controlling Errors l Echo Checking l Parity Checking l Cyclical Parity l Hamming Code l Checksums l Cyclical Redundancy Check

DC Controlling Errors Echo Checking l Send back all data to host (transmitter) for comparison with original message l Echoplex data transmission on old terminals sent data to host and then back to display l Expensive: at least doubles transmission time l Effectiveness depends on how errors are detected solely on the host l May introduce false positives where terminal received data OK but return to host had noise l Used for critical applications

DC Controlling Errors Parity Checking l Typically checks every character l Add a parity bit to each 7-bit character l Even parity – 0 if even # of 1s in byte – 1 if odd # of 1s in byte l Odd parity – 0 if odd # of 1s in byte – 1 if even # of 1s in byte l Does not permit correction of the error

DC Controlling Errors Cyclical Parity l Two or more parity bits l Permits detection of more types of error than simple parity check l Can have each parity bit depend on specific bits in byte – E.g., parity bit #1 could check bits 1, 3 & 5 of a 6-bit sequence; – parity bit #2 could check bits 2, 4 & 6 of the 6-bit sequence

DC Controlling Errors Hamming Code l FEC using 4 parity bits per byte l Places parity bits in positions 1, 2, 4 & 8 l Data bits in positions 3, 5, 6, 7, 9, 10 & 11 l Each data bit is part of the parity calculation for two or three parity bits l Can detect all single-bit errors and exactly correct the error l High overhead (4 parity bits for 7 data bits) has kept applications rare

DC Controlling Errors Checksums l Add up the data l Append results to data l After transmission, recalculate checksum l Compare new checksum with transmitted checksum

DC Controlling Errors Cyclical Redundancy Check l Similar to checksum l Uses more complicated arithmetic; e.g., addition, multiplication, division, subtraction l Generates a hash total l Can ensure that almost all errors, including multi-bit errors, will be caught l Widely used – client account numbers – telephone and credit card numbers

DC Other Elements of Security NIST goals of datacomm: message should be l sealed--unmodifiable without authorization l sequenced--numbered to prevent loss or duplication l secret--incomprehensible except to authorized recipient(s) l signed--non-repudiable authentication l stamped--non-repudiable receipt of message

DC Datacomm Security l Secure Transmission Facilities l Passwords l Historical and Statistical Logging l Closed User Groups l Firewalls l Encryption l Confidentiality and Authenticity

DC Secure Transmission Facilities Transmission media have different vulnerabilities l Easiest to tap: wireless & cellular telecomm l Easy: twisted pair, coax l Possible: satellite and terrestrial microwave l Hardest: fibre optic lines

DC Passwords l Security uses I&A: identification and authentication l Identification depends on user ID l Authentication can depend on – what you know; or – what you have; or both – what you are (or how you do stuff) l Commonest form of authentication is password l Other devices include one-time password generator l Call-back devices limit access to known locations

DC Historical and Statistical Logging l Historical: – record all data passing through device – AKA audit trails l Mainframe systems typically log – all login/logout – file opens/closes & which records changed – device requests (printers, tapes….) l Statistical logging – How long user IDs access specific files – Does not keep record-level detail

DC Closed User Groups l Set of user IDs that can access information l Can also define CUGs on VANs such as CompuServe l ICSA has CUGs for clients taking on-line courses

DC Firewalls l Firewall = data filter to examine all inbound and outbound data l Firewall can prevent intruders from gaining access to certain parts (or any) of system l Accept inbound connection only from trusted hosts l Can set up internal firewalls to segregate certain systems from each other; e.g., research computers protected from sales users l Application-level firewalls search data stream for , database access, file transfers l Firewalls susceptible to IP address spoofing

DC Encryption l Scramble data using a key and descramble using a key l Key is a secret data sequence

DC Encryption Symmetrical algorithms; e.g., DES l Problem of key management & distribution l Number of key pairs rises as n 2 CleartextCiphertext

DC Encryption l Asymmetrical algorithms l Keys and algorithms may both be different for encryption and decryption

DC Encryption l Public Key Cryptosystem; e.g., PGP l Generate 2 keys: keep 1 private, make 2 public l Only the other key can decrypt what 1 key encrypts

DC Confidentiality and Authenticity l To keep message secret, encrypt using recipients public key l To prove origin of message, encrypt message using authors private key l Current applications generally create a checksum and encrypt it with private key-- faster than encrypting entire message l See for freeware version of PGP for private use

DC Encryption: DES l Data Encryption Standard – example of symmetric encryption algorithm – especially useful for storing encrypted data Cleartext Key: ENCRYPT Ciphertext Key: DECRYPT Cleartext

DC Encryption: PKC l Public Key Cryptosystem – example of asymmetric encryption – especially good for communications and for digital signatures Cleartext Key: ENCRYPT Ciphertext Key: fu3f93jgf912=kjh#1sdfjdh1&... DECRYPT Cleartext

DC Encryption: PKC (contd) PGP is an example of the PKC l Key generation produces 2 keys l Each can decrypt only the ciphertext produced by the other l One is defined as public l Other is kept as private l Can easily send a message so only the desired recipient can read it: – encrypt using the _______________s _______________ key – decrypt using the _______________s _______________ key

DC Encryption: PKC (contd) l Signing a document using PKC This is the original text. Create message hash Unencrypted hash of msg and encrypt only hash with private key. This is the original text. 8u3ofdjgh djc9d_j3$ Encrypted hash of msg

DC This is the original text. 8u3ofdjgh djc9d_j3$ Encrypted hash of msg Encryption: PKC (contd) l Verifying the signature using PKC Decrypt the hash with sender public key… Unencrypted hash of msg and now create your own hash Newly computed hash of msg... and compare the two hashes SAME = VALID DIGITAL SIGNATURE

DC Communications Encryption l Encrypted messages – ideally all messages should be encrypted – public messages should be signed digitally l Virtual Private Networks – packets destined for remote network are encrypted before being sent to remote system – automatically decrypted upon receipt

DC Homework l Read Chapter 6 of your textbook in detail, adding to your workbook notes as appropriate. l Review and be prepared to define or expand all the terms listed at the end of Chapter 6 of your textbook (no hand-in required) l Answer all the exercises on pages 128 of the textbook using a computer word-processing program or absolutely legible handwriting (hand in after quiz tomorrow morning)