Information and Network Security Rudra Dutta CSC 401- Fall 2011, Section 001.

Slides:



Advertisements
Similar presentations
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Advertisements

Security S Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents Security requirements Public key cryptography Key agreement/transport.
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
Chapter 5 Network Security Protocols in Practice Part I
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
Introduction to Cryptography
Network Security Chapter 8. Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic.
Guide to Network Defense and Countermeasures Second Edition
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Chapter 18: Network Security Business Data Communications, 5e.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
Chapter 8 Network Security 4/17/2017
Chapter 20: Network Security Business Data Communications, 4e.
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.
Computer Networks, Fifth Edition by Andrew Tanenbaum and David Wetherall, © Pearson Education-Prentice Hall, 2011 Network Security Chapter 8.
Network Security Sorina Persa Group 3250 Group 3250.
Network Security Chapter Computer Networks, Fifth Edition by Andrew Tanenbaum and David Wetherall, © Pearson Education-Prentice Hall, 2011.
1 ECE453 – Introduction to Computer Networks Lecture 19 – Network Security (II)
Computer Networks NYUS FCSIT Spring 2008 Milos STOLIC, Bs.C. Teaching Assistant
Network Security. An Introduction to Cryptography The encryption model (for a symmetric-key cipher).
Chi-Cheng Lin, Winona State University CS 313 Introduction to Computer Networking & Telecommunication Network Security (A Very Brief Introduction)
8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.
32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
Network Security. Information secrecy-only specified parties know the information exchanged. Provided by criptography. Information integrity-the information.
Network Security. Security Threats 8Intercept 8Interrupt 8Modification 8Fabrication.
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Chapter 10 Network Security.
Dr. L. Christofi1 Local & Metropolitan Area Networks ACOE322 Lecture 8 Network Security.
Cryptography, Authentication and Digital Signatures
©The McGraw-Hill Companies, Inc., 2000© Adapted for use at JMU by Mohamed Aboutabl, 2003Mohamed Aboutabl1 1 Chapter 29 Internet Security.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.
Information management 1 Groep T Leuven – Information department 1/26 IPSec IP Security (IPSec)
Cryptography Wei Wu. Internet Threat Model Client Network Not trusted!!
Chapter 21 Public-Key Cryptography and Message Authentication.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 Module 3 City College of San.
Karlstad University IP security Ge Zhang
Network Security David Lazăr.
IPsec IPsec (IP security) Security for transmission over IP networks –The Internet –Internal corporate IP networks –IP packets sent over public switched.
Network Security Understand principles of network security:
Network Security7-1 Today r Reminder Ch7 HW due Wed r Finish Chapter 7 (Security) r Start Chapter 8 (Network Management)
TCP/IP Protocol Suite 1 Chapter 30 Security Credit: most slides from Forouzan, TCP/IP protocol suit.
1 CMPT 471 Networking II Authentication and Encryption © Janice Regan,
Network Security Chapter 8 12/13/ Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental.
+ Security. + What is network security? confidentiality: only sender, intended receiver should “understand” message contents sender encrypts message receiver.
IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.
PGP & IP Security  Pretty Good Privacy – PGP Pretty Good Privacy  IP Security. IP Security.
IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
Group 9 Chapter 8.3 – 8.6. Public Key Algorithms  Symmetric Key Algorithms face an inherent problem  Keys must be distributed to all parties but kept.
UNIT-VIII Syllabus Application Layer – Network Security, Domain name system, SNMP, Electronic Mail; the World WEB, Multi Media.
1 Some Backgrounds on Network Security Rocky K. C. Chang 12 February 2003.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
Cryptographic Security Aveek Chakraborty CS5204 – Operating Systems1.
Cryptography CSS 329 Lecture 13:SSL.
Department of Computer Science Chapter 5 Introduction to Cryptography Semester 1.
Network Security Chapter 8 Institute of Information Science and Technology. Chengdu University YiYong 2008 年 2 月 25 日.
Network Security.
Secure Sockets Layer (SSL)
Chapter 8 Network Security.
Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls
Network Security Chapter 8.
Presentation transcript:

Information and Network Security Rudra Dutta CSC 401- Fall 2011, Section 001

Network Security Based on concepts of information security – Complementary to: physical security of networks and endpoints – Also related to: human security Comparatively recent concern with security in networks Various “attackers” or “malcontents” at various levels of seriousness, frequency, ability Overarching goal – no single place (many vulnerabilities) No such thing as 100% security 2Copyright Rudra Dutta, NCSU, Fall 2011

Components of Study Basic concerns – Confidentiality, authentication, non-repudiation, integrity – Availability, authorization Fundamental tools – Cryptography Building blocks – Signatures, certifications, … Protocols / architectures – IPSec, firewall, VPN, PGP, SSL, Shibboleth … Emerging trend: trust management Copyright Rudra Dutta, NCSU, Fall 20113

Security Concerns Confidentiality (Secrecy, Privacy) – Nobody but intended recipient should know content – “Person-in-the-middle” possibility in networks Authentication – Confidence in recognizing trusted or known entity Non-repudiation – Inability to claim innocence of past action Integrity – Message received same as message sent Availability – Infrastructure / resource available to genuine use Authorization – Policy form of confidentiality Copyright Rudra Dutta, NCSU, Fall 20114

Cryptography D K ( E K ( P ) ) = P (symmetric-key) “Algorithm is public, only keys are secret” Attacks: (i) ciphertext-only, (ii) known-plaintext, (iii) chosen-plaintext Copyright Rudra Dutta, NCSU, Fall 20115

Ciphers as Transformation 6Copyright Rudra Dutta, NCSU, Fall 2011 Simple substitution cipher – More advanced ones possible Fundamental principles: – Messages must contain some redundancy – Some method is needed to foil replay attacks The first implies that plaintext “space” must be large and sparsely used – can use cryptographic hashes The second shows the need of timestamp or equivalent Ciphering (even efficiently) is only useful if these conditions are first met

Data Encryption Standard 7Copyright Rudra Dutta, NCSU, Fall 2011 A comparatively older and simpler symmetric key cipher Each stage uses a different 48-bit key derived from the main 56-bit key Li-1 is transformed to 48 bits, bit- XOR’d with key, mapped back into 32 bits

Other Ciphers Some common symmetric-key cryptographic algorithms 8Copyright Rudra Dutta, NCSU, Fall 2011

Public Key Cryptography Weak point: key distribution – Keys have to be distributed, yet kept secret – Once a key is compromised, worse than useless Solution: asymmetric keys – Encryption and decryption use different keys which are not trivially related to each other – Diffie-Hellman, 1976 D ( E ( P )) = P Exceedingly difficult to deduce D from E E cannot be broken by chosen-plaintext attack E(.) can be made public – D(.) is never distributed “public key cryptography” Copyright Rudra Dutta, NCSU, Fall 20119

RSA (Rivest, Shamir, Adleman) 1. Choose two large primes, p and q (e.g. 3 and 11) 2. Compute n = p × q and z = ( p − 1) × (q − 1) 3. Choose number relatively prime to z – call it d (7) 4. Find e such that e × d = 1 mod z (3) E(.) : C = P e (mod n) D(.) : P = C d (mod n) 10Copyright Rudra Dutta, NCSU, Fall 2011

Tools: Digital Signatures Required Conditions: 1. Receiver can verify claimed identity of sender. 2. Sender cannot later repudiate contents of message. 3. Receiver cannot have concocted message himself. 11Copyright Rudra Dutta, NCSU, Fall 2011

Message Digests (Cryptographic Hash) Message Digest (e.g. MD5) properties 1. Given P, easy to compute MD(P). 2. Given MD(P), effectively impossible to find P. 3. Given P no one can find P′ such that MD(P′) = MD(P). 4. Change to input of even 1 bit produces very different output. 12Copyright Rudra Dutta, NCSU, Fall 2011 Message digests can form Digital signatures (However, vulnerable to birthday attack)

Management of Public Keys Trudy can subvert public-key encryption: need certification 13Copyright Rudra Dutta, NCSU, Fall 2011

Achieving Security in Networks IPSec – Security in IP layer between endpoints Firewalls – policing at gateways VPNs – Multipoint-to-multipoint secure community over insecure Internet Kerberos etc. – authentication over insecure Internet PGP etc. – Security between application endpoints DNSSec – Securing DNS transactions TLS / SSL – API to encapsulate process-to- process (client-server) security Copyright Rudra Dutta, NCSU, Fall

IP Security Multiple services, separate – Secrecy, Integrity, Replay protection – Based on symmetric keys – Pluggable algorithm modules Security Association – End-to-end context, unidirectional, security identifier – Allows use of IPSec at different granularities Transport mode – IPSec header Inserted after IP header – Integrity, authentication, replay attacks with AH – Origin (integrity, authentication), secrecy, replay with ESP Tunnel mode – IP packet encapsulated in new IP packet, ESP – Integrity, authentication, secrecy, replay Copyright Rudra Dutta, NCSU, Fall

Key Management Shared keys Distribution (sharing) of keys outside SA ISAKMP framework – Manual pre-configuration – Internet Key Exchange v2 protocol – DNS as key distributor – Others … When two IP endpoints want to setup a SA, they already have a shared key / have a way to share a key Copyright Rudra Dutta, NCSU, Fall

IPsec AH Transport mode only – Authentication Header – In IPv6, used as extension header In IP header, Protocol is 51 for IPSec Identifier Detect replay attacks Hashed Message Authentication Code Signature computed using shared key 17Copyright Rudra Dutta, NCSU, Fall 2011

IPsec ESP Header contains security identifier and sequence number Originally, secrecy only (not integrity) Later extended by adding authentication signature Eventually likely to phase out AH 18Copyright Rudra Dutta, NCSU, Fall 2011

Firewalls Packet filtering gateways – Can filter by ports, or any other field DMZ or Perimeter Networks can complement Stateless, stateful, application-level gateways Should form component of overall security picture 19Copyright Rudra Dutta, NCSU, Fall 2011

Virtual Private Networks Create virtual circuits between gateways of each physical network of an organization – Actually, not virtual circuits but SA tunnels – Firewalls as well as gateways Intermediate routers can transport but not compromise – May provide MPLS tunnels (with bandwidth provisions) 20Copyright Rudra Dutta, NCSU, Fall 2011

Kerberos “Three-headed” scheme Separate user authentication from service authorization Password not transmitted, on public workstation briefly Copyright Rudra Dutta, NCSU, Fall K S : Session key K AB : Service session key Ticket granting ticket Service ticket

Pretty Good Privacy RSA used to encrypt small, random words IDEA (much faster) encrypts larger message Bob confident of P, Alice Random input by Alice Like DES Only Bob can get K M 22Copyright Rudra Dutta, NCSU, Fall 2011

PGP Message 23Copyright Rudra Dutta, NCSU, Fall 2011

DNS 24

DNS Spoofing 25Copyright Rudra Dutta, NCSU, Fall 2011

Poisoning DNS Basically – force DNS server to query, and send false answer right behind the query Need to first know sequence number – register bogus domain 26Copyright Rudra Dutta, NCSU, Fall 2011

DNSSec DNSSec attempts to provide: – Proof of where the data originated – Public key distribution – Transaction and request authentication DNS replies are Resource Records – Grouped into sets – RRSets Each DNS zone has public/private key pair – RRSet to be delivered is cryptographically hashed – Hash is signed by zone’s private key New RR types to store key, hash, specify algorithm (and others such as validity period) Hashing and signing is offline – at zone Signatures also protect query-response between servers 27Copyright Rudra Dutta, NCSU, Fall 2011

SSL / TLS Encapsulate security for application programs Original SSL proposed by Netscape, later TLS standardized by IETF – TLS is incompatible with SSL – Falls back on SSL, but not earlier than SSL 3.0 Newly generated key to sign and encrypt data for each connection Copyright Rudra Dutta, NCSU, Fall

Summary Cryptography and privacy/secrecy of keys used to assure security goals Network security largely still in the stage of shoring up known exploits Understanding of vulnerabilities are still on a case-by-case basis “Encrypt everything” may be both overkill and underkill Significant growth area Copyright Rudra Dutta, NCSU, Fall

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.