Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.1. Chapter 10 Network Security.

Slides:



Advertisements
Similar presentations
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Advertisements

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
Security at the Network Layer: IPSec
McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.
Network Security Chapter 8. Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic.
Principles of Information Security, 2nd edition1 Cryptography.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
Chapter 29 Internet Security
McGraw-Hill©The McGraw-Hill Companies, Inc., Security PART VII.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
Chapter 8 Network Security 4/17/2017
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.
Network Security Sorina Persa Group 3250 Group 3250.
The OSI Model and the TCP/IP Protocol Suite
13.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 13 Digital Signature.
Chapter 13 Digital Signature
Chapter 31 Network Security
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Rachana Y. Patil 1 1.
Computer Networks NYUS FCSIT Spring 2008 Milos STOLIC, Bs.C. Teaching Assistant
Network Security. An Introduction to Cryptography The encryption model (for a symmetric-key cipher).
10.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 10 Symmetric-Key Cryptography.
3.1 SERVICES AND MECHANISMS SERVICES AND MECHANISMS The International Telecommunication Union- Telecommunication Standardization Section (ITU-T) provides.
32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
Secure Socket Layer (SSL)
16.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 16 Security at the Application Layer: PGP and.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
Dr. L. Christofi1 Local & Metropolitan Area Networks ACOE322 Lecture 8 Network Security.
Cryptography, Authentication and Digital Signatures
©The McGraw-Hill Companies, Inc., 2000© Adapted for use at JMU by Mohamed Aboutabl, 2003Mohamed Aboutabl1 1 Chapter 29 Internet Security.
CSCD 218 : DATA COMMUNICATIONS AND NETWORKING 1
Security.
Chapter 31 Cryptography And Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.
1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.
Network Security David Lazăr.
IPsec IPsec (IP security) Security for transmission over IP networks –The Internet –Internal corporate IP networks –IP packets sent over public switched.
30.1 Chapter 30 Cryptography Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 Chapter 14 Network Security: Firewalls and VPNs.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
IP Security: Security Across the Protocol Stack. IP Security There are some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 Chapter 29 Internet Security.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Chapter 32 Internet Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
TCP/IP Protocol Suite 1 Chapter 30 Security Credit: most slides from Forouzan, TCP/IP protocol suit.
Network Security Chapter 8 12/13/ Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental.
IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
K. Salah1 Security Protocols in the Internet IPSec.
Chapter 7 : Web Security Lecture #1-Week 12 Dr.Khalid Dr. Mohannad Information Security CIT 460 Information Security Dr.Khalid Dr. Mohannad 1.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
Cryptography CSS 329 Lecture 13:SSL.
Network Security Chapter 8 Institute of Information Science and Technology. Chengdu University YiYong 2008 年 2 月 25 日.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Internet Protocol Version4 (IPv4)
CS480 Cryptography and Information Security Huiping Guo Department of Computer Science California State University, Los Angeles 14. Digital signature.
Computer Communication & Networks
UNIT.4 IP Security.
Chapter 30 Cryptography Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Security at the Application Layer: PGP and S/MIME
Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls
Lecture 5: Transport layer (TLS / SSL) and Security ( PGP )
Chapter 13 Digital Signature
Chapter 29 Cryptography and Network Security
Presentation transcript:

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Chapter 10 Network Security

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Chapter 10: Objective  We introduce network security. We discuss security goals, types of attacks, and services provided by network security.  We introduce the first goal of security, confidentiality. We discuss symmetric-key ciphers and asymmetric-key ciphers.  We discuss other aspects of security: message integrity, message authentication, digital signature, entity authentication, and key management.  We apply what we have learned in the first three sections to the top three layers of the TCP/IP suite.  Finally, we discuss firewalls: packet-filter and proxy.

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display INTRODUCTION Information is an asset that has a value like any other asset. As an asset, information needs to be secured from attacks. To be secured, information needs to be hidden from unauthorized access (confidentiality), protected from unauthorized change (integrity), and available to an authorized entity when it is needed (availability).

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Security Goals Let us first discuss three security goals:  Confidentiality  Integrity  Availability

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Attacks Our three goals of security, confidentiality, integrity, and availability, can be threatened by security attacks. Although the literature uses different approaches to categorizing the attacks, we divide them into three groups related to the security goals. Figure 10.1 shows the taxonomy.

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display (continued)  Attacks Threatening Confidentiality  Attacks Threatening Integrity  Modification  Masquerading  Replaying  Repudiation  Attacks Threatening Availability  Denial of Service  Snooping  Traffic Analysis

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.1: Taxonomy of attacks with relation to security goals

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Services and Techniques ITU-T defines some security services to achieve security goals and prevent attacks. Each of these services is designed to prevent one or more attacks while maintaining security goals. The actual implementation of security goals needs some techniques. Two techniques are prevalent today:  Cryptography  Steganography

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display CONFIDENTIALITY We now look at the first goal of security, confidentiality. Confidentiality can be achieved using ciphers. Ciphers can be divided into two broad categories: symmetric-key and asymmetric-key.

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Symmetric-Key Ciphers A symmetric-key cipher uses the same key for both encryption and decryption, and the key can be used for bidirectional communication, which is why it is called symmetric. Figure 10.2 shows the general idea behind a symmetric-key cipher.

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display (continued)  Traditional Symmetric-Key Ciphers  Substitution Ciphers  Transposition Ciphers  Stream and Block Ciphers  Modern Symmetric-Key Ciphers  Modern Block Ciphers  Data Encryption Standard (DES)  Modern Stream Ciphers

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.2: General idea of a symmetric-key cipher

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.3: Symmetric-key encipherment as locking and unlocking with the same key

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.4: Representation of plaintext and ciphertext characters in modulo 26

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Use the additive cipher with key = 15 to encrypt the message “hello”. Example 10.1

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Use the additive cipher with key = 15 to decrypt the message “WTAAD”. Example 10.2

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.5: An example key for a monoalphabetic substitution cipher

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display We can use the key in Figure 10.5 to encrypt the message Example 10.3

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Assume that Alice and Bob agreed to use an autokey cipher with initial key value k 1 = 12. Now Alice wants to send Bob the message “Attack is today”. The three occurrences of “t” are encrypted differently. Example 10.4

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.6: Transposition cipher

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.7: A modern block cipher

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.8: Components of a modern block cipher

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.9: General structure of DES

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.10: DES function

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.11: Key generation

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display We choose a random plaintext block and a random key, and determine (using a program) what the ciphertext block would be (all in hexadecimal) as shown below. Example 10.5

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display To check the effectiveness of DES when a single bit is changed in the input, we use two different plaintexts with only a single bit difference (in a program). The two ciphertexts are completely different without even changing the key. Although the two plaintext blocks differ only in the rightmost bit, the ciphertext blocks differ in 29 bits. Example 10.6

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.12: One-time pad

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Asymmetric-Key Ciphers In previous sections we discussed symmetric-key ciphers. In this section, we start the discussion of asymmetric-key ciphers. Symmetric- and asymmetric-key ciphers will exist in parallel and continue to serve the community. We actually believe that they are complements of each other; the advantages of one can compensate for the disadvantages of the other.

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display (continued)  General Idea  Plaintext/Ciphertext  Encryption/Decryption  Need for Both  RSA Cryptosystem  Procedure  Applications

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.13: Locking and unlocking in asymmetric-key cryptosystem

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.14: General idea of asymmetric-key cryptosystem

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.15: Encryption, decryption, and key generation in RSA

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display For the sake of demonstration, let Bob choose 7 and 11 as p and q and calculate n = 7 × 11 = 77, φ(n) = (7 − 1)(11 − 1), or 60. If he chooses e to be 13, then d is 37. Note that e × d mod 60 = 1. Now imagine that Alice wants to send the plaintext 5 to Bob. She uses the public exponent 13 to encrypt 5. This system is not safe because p and q are small. Example 10.7

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Here is a more realistic example calculated using a computer program in Java. We choose a 512-bit p and q, calculate n and φ(n). We then choose e and calculate d. Finally, we show the results of encryption and decryption. The integer p is a 159-digit number. Example 10.8

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Example 10.8 (continued)

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Example 10.8 (continued)

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Example 10.8 (continued)

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display OTHER ASPECTS OF SECURITY The cryptography systems that we have studied so far provide confidentiality. However, in modern communication, we need to take care of other aspects of security, such as integrity, message and entity authentication, non-repudiation, and key management. We briefly discuss these issues in this section.

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Message Integrity There are occasions where we may not even need secrecy but instead must have integrity: the message should remain unchanged. For example, Alice may write a will to distribute her estate upon her death. The will does not need to be encrypted. After her death, anyone can examine the will. The integrity of the will, however, needs to be preserved.  Message and Message Digest  Hash Functions

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.16: Message and digest

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Message Authentication A digest can be used to check the integrity of a message—that the message has not been changed. To ensure the integrity of the message and the data origin authentication—that Alice is the originator of the message, not somebody else—we need to include a secret shared by Alice and Bob (that Eve does not possess) in the process; we need to create a message authentication code (MAC).  HMAC

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.17: Message authentication code

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Digital Signature Another way to provide message integrity and message authentication (and some more security services, as we will see shortly) is a digital signature. A MAC uses a secret key to protect the digest; a digital signature uses a pair of private- public keys.

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display (continued)  Comparison  Inclusion  Verification Method  Relationship  Duplicity  Process  Signing the Digest  Services  Message Authentication  Message Integrity  Non-repudiation

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display (continued)  RSA Digital Signature Scheme  Digital Signature Standard (DSS)

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.18: Digital signature process

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.19: Signing the digest

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.20: Using a trusted center for non-repudiation

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.21: The RSA signature on the message digest

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Entity Authentication Entity authentication is a technique designed to let one party verify the identity of another party. An entity can be a person, a process, a client, or a server. The entity whose identity needs to be proven is called the claimant; the party that tries to verify the identity of the claimant is called the verifier.

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display (continued)  Entity versus Message Authentication  Verification Categories  Passwords  Challenge-Response  Using a Symmetric-Key Cipher  Using an Asymmetric-Key Cipher  Using Digital Signatures

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.22: Unidirectional, symmetric-key authentication

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.23: Unidirectional, asymmetric-key authentication

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.24: Digital signature, unidirectional authentication

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Key Management We discussed symmetric-key and asymmetric-key cryptography in the previous sections. However, we have not yet discussed how secret keys in symmetric-key cryptography, and public keys in asymmetric-key cryptography, are distributed and maintained. This section touches on these two issues.

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display (continued)  Symmetric-Key Distribution  Symmetric-Key Agreement  Diffie-Hellman Key Agreement  Public-Key Distribution  Public Announcement  Certification Authority  X.509  Key Distribution Center (KDC)

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.25: Multiple KDCs

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.26: Creating a session key using KDC

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.27: Diffie-Hellman method

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Example 10.9 Let us give a trivial example to make the procedure clear. Our example uses small numbers, but note that in a real situation, the numbers are very large. Assume that g = 7 and p = 23. The steps are as follows: 1. Alice chooses x = 3 and calculates R 1 = 7 3 mod 23 = 21. Bob chooses y = 6 and calculates R 2 = 7 6 mod 23 = Alice sends the number 21 to Bob.

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Example 10.9 (continued) 3. Bob sends the number 4 to Alice. 4. Alice calculates the symmetric key K = 4 3 mod 23 = 18. Bob calculates the symmetric key K = 21 6 mod 23 = 18. Conclusion: The value of K is the same for both Alice and Bob; g xy mod p = 7 18 mod 23 = 18.

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.28: Certification authority

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display INTERNET SECURITY In this section, we discuss how the principles of cryptography are applied to the Internet. We discuss security in the application layer, transport layer, and network layer. Security at the data-link layer is normally a proprietary issue and is implemented by the designers of LANs and WANs.

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Application-Layer Security This section discusses two protocols providing security services for s: Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extension (S/MIME).

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display (continued)  Security  Cryptographic Algorithms  Cryptographic Secrets  Certificates  Pretty Good Privacy (PGP)  Scenarios  Segmentation  Key Rings  PGP Algorithms  PGP Certificates and Trusted Model  PGP Packets  Applications of PGP

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display (continued)  S/MIME  Cryptographic Message Syntax (CMS)  Key Management  Cryptographic Algorithms  Applications of S/MIME

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.29: A plaintext message

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.30: An authenticated message

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.31: A compressed message

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.32: A confidential message

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.33: Key rings in PGP

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.34: Trust model

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.35: Signed-data content type

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.36: Enveloped-data content type

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.37: Digested-data content type

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.38: Authenticated-data content type

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Example The following shows an example of an enveloped-data in which a small message is encrypted using triple DES..

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Transport-Layer Security Two protocols are dominant today for providing security at the transport layer: the Secure Sockets Layer (SSL) protocol and the Transport Layer Security (TLS) protocol. The latter is actually an IETF version of the former. We discuss SSL in this section; TLS is very similar. Figure shows the position of SSL and TLS in the Internet model.

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display (continued)  SSL Architecture  Services  Key Exchange Algorithms  Encryption/Decryption Algorithms  Hash Algorithms  Cipher Suite  Compression Algorithms  Cryptographic Parameter Generation  Sessions and Connections

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display (continued)  Four Protocols  Handshake Protocol  ChangeCipherSpec Protocol  Alert Protocol  Record Protocol

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.39: Location of SSL and TLS in the Internet model

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.40: Calculation of master secret from pre-master secret

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.41: Calculation of key material from master secret

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.42: Extractions of cryptographic secrets from key material

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.43: Four SSL protocols

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.44: Handshake Protocol

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.45: Processing done by the Record Protocol

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Network-Layer Security We need security at the network layer for three reasons. First, not all client/server programs are protected at the application layer. Second, not all client/server programs at the application layer use the services of TCP to be protected by the transport-layer security. Third, many applications, such as routing protocols, directly use the service of IP; they need security services at the IP layer. IP Security is a collection of protocols designed by the Internet Engineering

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display (continued)  Two Modes  Transport Mode  Tunnel Mode  Comparison  Two Security Protocols  Authentication Header (AH)  Encapsulating Security Payload (ESP)  IPv4 and IPv6  AH versus ESP

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display (continued)  Services Provided by IPSec  Access Control  Message Integrity  Entity Authentication  Confidentiality  Replay Attack Protection  Security Association  Idea of Security Association  Security Association Database (SAD)  Security Policy  Security Policy Database

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display (continued)  Internet Key Exchange (IKE)  Virtual Private Network (VPN)

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.46: IPSec in transport mode

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.47: Transport mode in action

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.48: IPSec in tunnel mode

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.49: Tunnel mode in action

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.50: Transport mode versus tunnel mode

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.51: Authentication Header (AH) protocol

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.52: Encapsulating Security Payload (ESP)

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Table 10.1 : IPSec services

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.53: Simple SA

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.54: SAD

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.55: Security Policy Database

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.56: Outbound processing

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.57: Inbound processing

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.58: IKE components

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.59: Virtual private network

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display FIREWALLS All previous security measures cannot prevent Eve from sending a harmful message to a system. To control access to a system we need firewalls. A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others.

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.60: Firewall

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Packet-Filter Firewalls A firewall can be used as a packet filter. It can forward or block packets based on the information in the network-layer and transport-layer headers: source and destination IP addresses, source and destination port addresses, and type of protocol (TCP or UDP). A packet-filter firewall is a router that uses a filtering table to decide which packets must be discarded (not forwarded). Figure shows an example of a filtering table for this kind of a firewall.

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.61: Packet-filter firewall

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Proxy Firewalls The packet-filter firewall is based on the information available in the network layer and transport layer headers (IP and TCP/UDP). However, sometimes we need to filter a message based on the information available in the message itself (at the application layer). One solution is to install a proxy computer to filter the messages.

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Figure 10.62: Proxy firewall

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Chapter 10: Summary  The three goals of security can be threatened by security attacks. Two techniques have been devised to protect information against attacks: cryptography and steganography.  In a symmetric-key cipher the same key is used for encryption and decryption, and the key can be used for bidirectional communication. We can divide traditional symmetric-key ciphers into two broad categories: substitution ciphers and transposition ciphers.  In an asymmetric key cryptography there are two separate keys: one private and one public. Asymmetric-key cryptography means that Bob and Alice cannot use the same set of keys for two-way communication.

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Chapter 10: Summary (continued)  Other aspects of security include integrity, message authentication, entity authentication, and key management.  The Pretty Good Privacy (PGP), invented by Phil Zimmermann, provides with privacy, integrity, and authentication. Another security service designed for electronic mail is Secure/Multipurpose Internet Mail Extension (S/MIME).  A transport-layer security protocol provides end-to-end security services for applications that use the services of a reliable transport-layer protocol such as TCP. Two protocols are dominant today for providing security at the transport layer: Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Chapter 10: Summary (continued)  IP Security (IPSec) is a collection of protocols designed by the IETF to provide security for a packet at the network level. IPSec operates in transport or tunnel mode. IPSec defines two protocols: Authentication Header (AH) Protocol and Encapsulating Security Payload (ESP) Protocol.  A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter others. A firewall is usually classified as a packet-filter firewall or a proxy firewall.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.