Computer Science and Engineering Computer System Security CSE 5339/7339 Session 28 (last) November 30, 2004.

Slides:



Advertisements
Similar presentations
Internet Protocol Security (IP Sec)
Advertisements

IPSec.
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Internet Security CSCE 813 IPsec
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Chapter 5 Network Security Protocols in Practice Part I
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
Understanding Networks. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.
Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.
K. Salah1 Security Protocols in the Internet IPSec.
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.
Network Security Sorina Persa Group 3250 Group 3250.
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 24 November 11, 2004.
Chapter 13 – Network Security
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
Dr. L. Christofi1 Local & Metropolitan Area Networks ACOE322 Lecture 8 Network Security.
Cryptography, Authentication and Digital Signatures
CSCE 715: Network Systems Security
TCP/IP Protocols Contains Five Layers
1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.
Karlstad University IP security Ge Zhang
Chapter 15 – Part 2 Networks The Internal Operating System The Architecture of Computer Hardware and Systems Software: An Information Technology Approach.
Network Security David Lazăr.
IPsec IPsec (IP security) Security for transmission over IP networks –The Internet –Internal corporate IP networks –IP packets sent over public switched.
Lecture 22 Network Security CS 450/650 Fundamentals of Integrated Computer Security Slides are modified from Hesham El-Rewini.
IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.
OS Services And Networking Support Juan Wang Qi Pan Department of Computer Science Southeastern University August 1999.
IP Security: Security Across the Protocol Stack. IP Security There are some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS.
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 21 November 2, 2004.
Computer Science and Engineering Computer System Security CSE 5339/7339 Lecture 3 August 26, 2004.
1 CMPT 471 Networking II Authentication and Encryption © Janice Regan,
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 23 November 9, 2004.
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 25 November 16, 2004.
IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.
PGP & IP Security  Pretty Good Privacy – PGP Pretty Good Privacy  IP Security. IP Security.
IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.
Group 9 Chapter 8.3 – 8.6. Public Key Algorithms  Symmetric Key Algorithms face an inherent problem  Keys must be distributed to all parties but kept.
1 Lecture 13 IPsec Internet Protocol Security CIS CIS 5357 Network Security.
Internet Security CSCE 813 IPsec. CSCE813 - Farkas2 TCP/IP Protocol Stack Application Layer Transport Layer Network Layer Data Link Layer.
IPSec – IP Security Protocol By Archis Raje. What is IPSec IP Security – set of extensions developed by IETF to provide privacy and authentication to.
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
Network Layer Security Network Systems Security Mort Anvari.
K. Salah1 Security Protocols in the Internet IPSec.
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 27 November 23, 2004.
The OSI Model. Understanding the OSI Model In early 1980s, manufacturers began to standardize networking so that networks from different manufacturers.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
@Yuan Xue Case Study (Mid-term question) Bob sells BatLab Software License Alice buys BatLab Credit card information Number of.
Lecture 10 Page 1 CS 236 Online Encryption and Network Security Cryptography is widely used to protect networks Relies on encryption algorithms and protocols.
IP Security
IPSec Detailed Description and VPN
Chapter 5 Network Security Protocols in Practice Part I
IPSecurity.
CSE 4905 IPsec.
IT443 – Network Security Administration Instructor: Bo Sheng
IPSec IPSec is communication security provided at the network layer.
Virtual Private Networks (VPNs)
Module 2 OBJECTIVE 14: Compare various security mechanisms.
Lecture 36.
Lecture 36.
Presentation transcript:

Computer Science and Engineering Computer System Security CSE 5339/7339 Session 28 (last) November 30, 2004

Computer Science and Engineering Contents  A7  in  Tommy’s presentation  Presentation evaluation  in  Put-it-all-together  Final  Q/A  Evaluation

Computer Science and Engineering Class Inputs ResearchersInstructorStudentsNon-academic CSE 5339/7339

Computer Science and Engineering OS Database Networks System Background MathAlgorithms Security Issues EncryptionDecryption

Computer Science and Engineering Security

Security Goals Availability Availability Confidentiality Integrity Assets are accessed only by authorized people Assets can be modified only by authorized people Assets are accessible to authorized people

Computer Science and Engineering senderreceiverMedium Intruder Block it Intercept it Modify it Fabricate an authentic looking message

Computer Science and Engineering Important Background

Computer Science and Engineering Analysis of Algorithms nSequential Algorithms n Time Complexity n Space Complexity nAn algorithm whose time complexity is bounded by a polynomial is called a polynomial-time algorithm. An algorithm is considered to be efficient if it runs in polynomial time.

Computer Science and Engineering Time Complexity  O(n)  O(log n)  O(nlogn)  O(n 2 )  …  O(n k )Polynomial  O(2 n )Exponential  O(k n )  O(n n )

Computer Science and Engineering Applications OS -- Review OS – a program that acts as an intermediary between a user of a computer and the computer hardware. OS Hardware Users

Computer Science and Engineering OS -- Review OS Services Program Execution I/O Operation File System manipulation Communications Error detection Resource Allocation Accounting Protection

Computer Science and Engineering Levels of Abstraction in a DBMS Physical Database View 1 View 2 View n Conceptual Database

Computer Science and Engineering Important Concepts in Database  Data independence -- storage media; application  Schema -- record definition  Relation – table  Indexing – B trees  Entity/ Relationship model – entity, entity set, attributes, key, relationship  Relational Database – information for an enterprise  entities and relationships  relational database  SQL – Query language, programming language, embedded vs. interactive

Computer Science and Engineering Computer Network Basics  Wide Area Networks (WAN)  Metropolitan Area Network (MAN)  Local Area Network (LAN)  System or Storage Area Network (SAN)

Computer Science and Engineering ISO OSI Network Model Application Presentation Session Transport Network Data Link Physical Application Presentation Session Transport Network Data Link Physical LAN Internet

Computer Science and Engineering Mail ftp Telnet Transmission Control Protocol (TCP) Internet Protocol (IP) Ethernet Token ring TCP/IP

Computer Science and Engineering IP Protocol  Unreliable packet delivery service  Datagram (IPv4) Service TypeVERSHLENTOTAL LENGTH IDENTIFICATIONFLAGSFRAGMENT OFFSET TIME TO LIVEPROTOCOLHEADER CHECKSUM SOURCE ADDRESS DESTINATION ADDRESS PADDINGOPTIONS (IF ANY) DATA

Computer Science and Engineering Encryption

Encryption/Decryption EncryptionDecryption plaintext Original plaintext ciphertext

Computer Science and Engineering Ciphers  Substitution Ciphers Substitute a character or a symbol for each character of the original message  Transposition Ciphers The order of letters is rearranged

Computer Science and Engineering Symmetric Encryption EncryptionDecryption plaintext Original plaintext ciphertext key

Computer Science and Engineering Asymmetric Encryption EncryptionDecryption plaintext Original plaintext ciphertext KEKE KDKD

Computer Science and Engineering Hash Functions H M H(M) = h

Computer Science and Engineering Cryptographic Hash Functions  Message Digest Functions  Protect integrity  Users create a message digest or fingerprint of a digital document  Message Authentication Codes (MACs)  Protect both integrity and authenticity  MACs produce fingerprints based on both a given document and a secret key

Computer Science and Engineering Getting a Message Digest from a document Hash Message Digest

Computer Science and Engineering Generating Signature Message Digest Signature Encrypt using private key

Computer Science and Engineering Appending Signature to document Append Signature

Computer Science and Engineering Verifying Signature Hash Decrypt using public key Message Digest Message Digest

Computer Science and Engineering Security in OS

Computer Science and Engineering OS User interface Resource allocation Services users DataCPUMemoryI/O devices TablesLibraries Synchronization Concurrency control Deadlock management Communication Accounting OS Functions

Computer Science and Engineering In general O S OO SS Gate OOO SSS

Computer Science and Engineering User Authentication  Knowledge-based techniques (passwords)  Token-based techniques (smart cards)  Biometric techniques (fingerprint)  Two-factor (Card + PIN)

Computer Science and Engineering Security Policy A security policy is a statement of the security we expect the system to enforce. A system can be trusted only in relation to its security policy, that is, to the security needs the system is expected to satisfy.

Computer Science and Engineering Military Security policy Unclassified Restricted Confidential Secret Top Secret

Computer Science and Engineering Models of Security  Security models are used to  Test a particular policy for completeness and consistency  Document a policy  Help conceptualize and design an implementation  Check whether an implementation meets the requirements

Computer Science and Engineering Kernel – OS part that performs lowest level functions User tasks OS OS Kernel Hardware

Computer Science and Engineering Combined Security Kernel / OS System User tasks OS OS Kernel Hardware Security activity OS Kernel: - HW interactions - Access control OS: - Resource allocation - Sharing - Access control - Authentication functions

Computer Science and Engineering Modules operating in Different Layers Least trusted code Most trusted code User interface User ID lookup Data comparison Data update User Authentication module

Computer Science and Engineering Security in DB

Computer Science and Engineering Sensitive Data  Data that should not be made public  Nothing sensitive and everything sensitive – can be handled by access control to the database itself  Some but not all are sensitive -- not only data elements but context and meaning  Factors that make data sensitive  Inherently sensitive  From a sensitive source  Declared sensitive  Part of a sensitive attribute or a sensitive record  Sensitive in relation to previously disclosed information

Computer Science and Engineering Types of Disclosures  Exact data -- most serious disclosure  Bounds – sensitive data is between L and H  Negative result -- a value that is not a zero  Existence  Probable value -- probability that a certain element has a certain value A successful security strategy must protect against both direct and indirect disclosures

Computer Science and Engineering Multilevel Database  Sensitivity is determined not only by attribute NameDepartmentSalaryPhonePerformance  element security  several grades of security  aggregate vs. individual elements

Computer Science and Engineering Proposal for Multilevel security  Partitioning (Separation)  The database is divided into several databases, each at its own level of security  Encryption (Separation)  Sensitive data are encrypted  Each level of sensitive data can be stored in a table encrypted under a key unique to the level of sensitivity

Computer Science and Engineering Network Security

Computer Science and Engineering An Example of an Attack  Attacker send echo request message to broadcast address  Attacker also spoofs source address in the request Intermediary Attacker Victim

Computer Science and Engineering attacker master daemon Large number of UDP packets to random ports

Computer Science and Engineering Encryption  Link Encryption  End-to-End Encryption BNTSME

Computer Science and Engineering Link Encryption Application Presentation Session Transport Network Data Link Physical Application Presentation Session Transport Network Data Link Physical BNTSME

Computer Science and Engineering End-to-End Encryption Application Presentation Session Transport Network Data Link Physical Application Presentation Session Transport Network Data Link Physical BNTSME

Computer Science and Engineering IPSec  Security Parameter Index (SPI) – data element, a pointer into a table of security associations  Authentication Header (AH) – immediately follows IP header (authentication for IP traffic)  Encapsulated Security Payload (ESP) – replaces (includes) the conventional TCP header and data portion of packet (encryption for IP data)

Computer Science and Engineering TCP/IP Conventional Packets Physical Header IP Header TCP Header Data Physical Trailer

Computer Science and Engineering TCP/IP Conventional Packets IP Header AH

Computer Science and Engineering Authentication Header Next Header SEQUENCE NUMBER Payload Length Security Parameters Index (SPI) Authentication Data Reserved

Computer Science and Engineering IPSec Packets ESP (includes TCP header and Data)

Computer Science and Engineering Encapsulated Security Packet Next Header SEQUENCE NUMBER Payload DATA Padding Length Padding Security Parameters Index (SPI) Authentication Data authenticated encrypted

Computer Science and Engineering Good Luck!