8: Network Security 8-1
Chapter 8 Network Security

A note on the use of these ppt slides: We're making these slides freely available to all (faculty, students, readers). They're in PowerPoint form so you can add, modify, and delete slides (including this one) and slide content to suit your needs. They obviously represent a lot of work on our part. In return for use, we only ask the following:
- If you use these slides (e.g., in a class) in substantially unaltered form, that you mention their source (after all, we'd like people to use our book!)
- If you post any slides in substantially unaltered form on a www site, that you note that they are adapted from (or perhaps identical to) our slides, and note our copyright of this material.
Thanks and enjoy! JFK/KWR

All material copyright J.F. Kurose and K.W. Ross, All Rights Reserved
Computer Networking: A Top Down Approach Featuring the Internet, 3rd edition. Jim Kurose, Keith Ross, Addison-Wesley, July 2004.

8-2 Chapter 8 roadmap
8.1 What is network security?
8.2 Principles of cryptography
8.3 Authentication
8.4 Integrity
8.5 Key Distribution and certification
8.6 Access control: firewalls
8.7 Attacks and counter measures
8.8 Security in many layers
  - Secure e-mail
  - Secure sockets
  - IPsec
  - Security in 802.11

8-3 Secure e-mail
Alice wants to send confidential e-mail, m, to Bob.
Alice:
- generates random symmetric private key, K_S.
- encrypts message with K_S (for efficiency)
- also encrypts K_S with Bob's public key.
- sends both K_S(m) and K_B+(K_S) to Bob.
[figure: Alice computes K_S(m) and K_B+(K_S) and sends both across the Internet; Bob applies K_B- to recover K_S, then uses K_S to recover m]

8-4 Secure e-mail
Alice wants to send confidential e-mail, m, to Bob.
Bob:
- uses his private key to decrypt and recover K_S
- uses K_S to decrypt K_S(m) to recover m
[figure: receiver side of the same diagram: K_B- applied to K_B+(K_S) yields K_S, and K_S applied to K_S(m) yields m]

8-5 Secure e-mail (continued)
Alice wants to provide sender authentication, message integrity.
- Alice digitally signs message.
- sends both message (in the clear) and digital signature.
[figure: Alice computes H(m) and signs it with her private key, giving K_A-(H(m)); m and the signature cross the Internet; Bob applies K_A+ to recover H(m), hashes the received m himself, and compares the two]

8-6 Secure e-mail (continued)
Alice wants to provide secrecy, sender authentication, message integrity.
Alice uses three keys: her private key, Bob's public key, newly created symmetric key
[figure: Alice signs H(m) with K_A-, encrypts the package (m, K_A-(H(m))) with K_S, encrypts K_S with K_B+, and sends both K_S(package) and K_B+(K_S) over the Internet]
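Slides 8-3 to 8-6 describe the construction with abstract keys only. The Go program below is an added example, not part of the Kurose and Ross slides, that carries the whole slide 8-6 flow end to end: Alice signs H(m), encrypts the signature and the message under a fresh symmetric key K_S, wraps K_S for Bob, and Bob reverses the steps and finishes with the "compare" check of slide 8-5. The concrete algorithms (AES-256-GCM for K_S, RSA-OAEP for K_B+, RSA-PSS over SHA-256 for K_A-), the Envelope layout and all function names are this example's own assumptions.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what Alice sends on slide 8-6: K_S(package) and K_B+(K_S), where the
// package is the message m together with Alice's signature K_A-(H(m)).
type Envelope struct {
	Nonce      []byte // AES-GCM nonce, sent in the clear with the ciphertext
	Ciphertext []byte // K_S( K_A-(H(m)) || m )
	WrappedKey []byte // K_B+(K_S): the one-time symmetric key under Bob's public key
}

// NewKeyPair makes a 2048-bit RSA key pair (one each for Alice and Bob in the demo).
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is Alice's side: sign H(m), encrypt signature and message under a fresh K_S, wrap K_S for Bob.
func Seal(m []byte, alicePriv *rsa.PrivateKey, bobPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(m)                                                    // H(m)
	sig, err := rsa.SignPSS(rand.Reader, alicePriv, crypto.SHA256, digest[:], nil) // K_A-(H(m))
	if err != nil {
		return nil, err
	}
	ks := make([]byte, 32) // K_S: fresh 256-bit AES key, used for this message only
	nonce := make([]byte, 12)
	if _, err := rand.Read(ks); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(ks)
	if err != nil {
		return nil, err
	}
	pkg := append(append([]byte{}, sig...), m...) // signature first: its length is fixed
	ct := gcm.Seal(nil, nonce, pkg, nil)          // K_S(package): symmetric, hence cheap
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, ks, nil) // K_B+(K_S)
	if err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// Open is Bob's side: unwrap K_S with his private key, decrypt, then recompute H(m) and
// check it against the signature with Alice's public key (the "compare" box on slide 8-5).
func Open(env *Envelope, bobPriv *rsa.PrivateKey, alicePub *rsa.PublicKey) ([]byte, error) {
	ks, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bobPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap K_S: %w", err)
	}
	gcm, err := gcmFor(ks)
	if err != nil {
		return nil, err
	}
	pkg, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decryption failed: %w", err)
	}
	sigLen := alicePub.Size() // a PSS signature is exactly one modulus long
	if len(pkg) < sigLen {
		return nil, errors.New("package too short to hold a signature")
	}
	sig, m := pkg[:sigLen], pkg[sigLen:]
	digest := sha256.Sum256(m)
	if err := rsa.VerifyPSS(alicePub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("sender authentication failed: %w", err)
	}
	return m, nil
}

func main() {
	alice, _ := NewKeyPair()
	bob, _ := NewKeyPair()
	env, _ := Seal([]byte("Bob: lunch at noon? Alice"), alice, &bob.PublicKey) // constructed message
	got, err := Open(env, bob, &alice.PublicKey)
	fmt.Printf("%s %v\n", got, err)
}
```

Two properties of the slide's design are visible in the code: the message is useless to anyone but the holder of K_B- (the wrapped key never leaves Bob's private key), and anyone holding Bob's key but the wrong sender key fails at the signature comparison, which is what distinguishes slide 8-6 from slide 8-3.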

8-7 Pretty good privacy (PGP)
- Internet e-mail encryption scheme, de-facto standard.
- uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described.
- provides secrecy, sender authentication, integrity.
- inventor, Phil Zimmermann, was target of 3-year federal investigation.

A PGP signed message:

---BEGIN PGP SIGNED MESSAGE---
Hash: SHA1

Bob: My husband is out of town tonight. Passionately yours, Alice

---BEGIN PGP SIGNATURE---
Version: PGP 5.0
Charset: noconv

yhHJRHhGJGhgg/12EpJ+lo8gE4vB3mqJ
hFEvZP9t6n7G6m5Gw2
---END PGP SIGNATURE---

8-8 Secure sockets layer (SSL)
- transport layer security to any TCP-based app using SSL services.
- used between Web browsers, servers for e-commerce (shttp).
- security services:
  - server authentication
  - data encryption
  - client authentication (optional)
- server authentication:
  - SSL-enabled browser includes public keys for trusted CAs.
  - Browser requests server certificate, issued by trusted CA.
  - Browser uses CA's public key to extract server's public key from certificate.
- check your browser's security menu to see its trusted CAs.

8-9 SSL (continued)
Encrypted SSL session:
- Browser generates symmetric session key, encrypts it with server's public key, sends encrypted key to server.
- Using private key, server decrypts session key.
- Browser, server know session key
  - All data sent into TCP socket (by client or server) encrypted with session key.
- SSL: basis of IETF Transport Layer Security (TLS).
- SSL can be used for non-Web applications, e.g., IMAP.
- Client authentication can be done with client certificates.
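Slides 8-8 and 8-9 list the server-authentication and key-exchange steps in words. The Go program below is an added example, not code from the slides, that performs those steps with the standard library's X.509 support: a trusted CA issues a certificate to a server, the browser verifies that certificate against its trusted CAs for the host it is visiting, extracts the server's public key from it, and encrypts a fresh session key that only the certified private key can recover. The CA name "Example Trusted CA", the host "shop.example", the use of RSA-OAEP for the key encryption and all function names are this example's assumptions; TLS itself has used other key-agreement methods for many years, so this models the slide's description rather than a current handshake.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA is a certificate authority: its self-signed certificate (what a browser ships
// as a trusted CA) and the private key it signs server certificates with.
type CA struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

func NewCA(name string) (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CA{Cert: cert, Key: key}, err
}

// IssueServerCert binds host to a fresh server key pair under the CA's signature.
func (ca *CA) IssueServerCert(host string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BrowserKeyExchange is the client side of slides 8-8 and 8-9: verify the server's
// certificate against the trusted CAs for the host being visited, take the server's public
// key out of it, generate a session key, and return the key with its encryption for the server.
func BrowserKeyExchange(serverCert *x509.Certificate, host string, trusted ...*x509.Certificate) (sessionKey, wrapped []byte, err error) {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	if _, err := serverCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return nil, nil, fmt.Errorf("server certificate rejected: %w", err)
	}
	pub, ok := serverCert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, nil, errors.New("server certificate does not carry an RSA key")
	}
	sessionKey = make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// ServerUnwrap is the server side: only the private key behind the certified public key recovers the session key.
func ServerUnwrap(serverKey *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, wrapped, nil)
}

func main() {
	ca, _ := NewCA("Example Trusted CA")
	cert, key, _ := ca.IssueServerCert("shop.example")
	k, wrapped, err := BrowserKeyExchange(cert, "shop.example", ca.Cert)
	k2, _ := ServerUnwrap(key, wrapped)
	fmt.Println(err, string(k) == string(k2))
}
```

The two ways the check on slide 8-8 can fail are both exercised in the test: a certificate for the right host signed by a CA the browser does not trust, and a trusted certificate presented for a different host than the one the browser asked for. Either way the browser never generates a session key for that server.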

8-10 IPsec: Network Layer Security
- Network-layer secrecy:
  - sending host encrypts the data in IP datagram
  - TCP and UDP segments; ICMP and SNMP messages.
- Network-layer authentication
  - destination host can authenticate source IP address
- Two principal protocols:
  - authentication header (AH) protocol
  - encapsulation security payload (ESP) protocol
- For both AH and ESP, source, destination handshake:
  - create network-layer logical channel called a security association (SA)
- Each SA unidirectional.
- Uniquely determined by:
  - security protocol (AH or ESP)
  - source IP address
  - 32-bit connection ID

8-11 Authentication Header (AH) Protocol
- provides source authentication, data integrity, no confidentiality
- AH header inserted between IP header, data field.
- protocol field: 51
- intermediate routers process datagrams as usual
AH header includes:
- connection identifier
- authentication data: source-signed message digest calculated over original IP datagram.
- next header field: specifies type of data (e.g., TCP, UDP, ICMP)
[figure: IP header | AH header | data (e.g., TCP, UDP segment)]

8-12 ESP Protocol
- provides secrecy, host authentication, data integrity.
- data, ESP trailer encrypted.
- next header field is in ESP trailer.
- ESP authentication field is similar to AH authentication field.
- Protocol = 50.
[figure: IP header | ESP header | TCP/UDP segment | ESP trailer | ESP authent.; the segment and trailer are encrypted, and everything from the ESP header through the ESP trailer is authenticated]
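Slides 8-10 and 8-11 describe the SA and the AH fields without showing how a receiver uses them. The Go program below is an added example, not code from the slides: it lays out the AH as RFC 4302 defines it (next header, payload length, SPI, sequence number, ICV), builds a datagram on the sending side, and on the receiving side selects the SA from the protocol, address and 32-bit SPI, checks the authentication data in constant time, and rejects replays. Assumptions that are this example's own: HMAC-SHA-256 truncated to 128 bits as the integrity algorithm, a toy scope in which the ICV covers only the AH and its payload (a real AH also covers the immutable fields of the outer IP header), a strictly increasing sequence check in place of the anti-replay window, and keying the SA lookup on the destination address as RFC 4301 does, where the slide lists the source address. The SA key material and SPI values are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	ProtoESP = 50 // IP protocol field value for ESP (slide 8-12)
	ProtoAH  = 51 // IP protocol field value for AH (slide 8-11)
	icvLen   = 16 // HMAC-SHA-256-128: HMAC-SHA-256 truncated to 128 bits (RFC 4868)
	ahFixed  = 12 // Next Header, Payload Len, Reserved, SPI, Sequence Number
)

// AH is the fixed part of the Authentication Header (RFC 4302) plus its ICV.
type AH struct {
	NextHeader uint8  // type of the data that follows: 6 = TCP, 17 = UDP, 1 = ICMP
	PayloadLen uint8  // AH length in 32-bit words, minus 2
	SPI        uint32 // the slide's "connection identifier"
	Seq        uint32 // anti-replay counter
	ICV        []byte // the slide's "authentication data"
}

// SAKey selects the inbound SA: security protocol, address and 32-bit SPI. The slide
// lists the source address; RFC 4301 keys inbound lookups on the destination address.
type SAKey struct {
	Proto uint8
	Dst   string
	SPI   uint32
}

// SA holds the authentication key agreed for one unidirectional channel.
type SA struct {
	AuthKey []byte
	LastSeq uint32 // highest sequence number accepted so far
}

// icv computes the authentication data over the AH (ICV field zeroed) and the payload.
// Toy scope: a real AH also covers the immutable fields of the outer IP header.
func icv(key, ahBytes, payload []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(ahBytes)
	mac.Write(payload)
	return mac.Sum(nil)[:icvLen]
}

// BuildAH is the sender: AH header || payload, ICV filled in last.
func BuildAH(sa *SA, next uint8, spi, seq uint32, payload []byte) []byte {
	hdr := make([]byte, ahFixed+icvLen)
	hdr[0] = next
	hdr[1] = uint8((ahFixed+icvLen)/4 - 2)
	binary.BigEndian.PutUint32(hdr[4:], spi)
	binary.BigEndian.PutUint32(hdr[8:], seq)
	copy(hdr[ahFixed:], icv(sa.AuthKey, hdr, payload)) // ICV bytes are still zero here
	return append(hdr, payload...)
}

// ParseAH splits a buffer starting with an AH into its fields and the payload after it.
func ParseAH(b []byte) (AH, []byte, error) {
	if len(b) < ahFixed {
		return AH{}, nil, errors.New("buffer shorter than AH fixed header")
	}
	h := AH{NextHeader: b[0], PayloadLen: b[1],
		SPI: binary.BigEndian.Uint32(b[4:8]), Seq: binary.BigEndian.Uint32(b[8:12])}
	total := (int(h.PayloadLen) + 2) * 4
	if total < ahFixed || total > len(b) {
		return AH{}, nil, fmt.Errorf("AH length %d inconsistent with %d-byte buffer", total, len(b))
	}
	h.ICV = b[ahFixed:total]
	return h, b[total:], nil
}

// Inbound is the receiving host: pick the SA, check the ICV in constant time,
// reject replays, and return the authenticated payload with its next-header type.
func Inbound(sadb map[SAKey]*SA, proto uint8, dst string, pkt []byte) ([]byte, uint8, error) {
	if proto != ProtoAH {
		return nil, 0, fmt.Errorf("IP protocol %d is not AH", proto)
	}
	h, payload, err := ParseAH(pkt)
	if err != nil {
		return nil, 0, err
	}
	sa, ok := sadb[SAKey{ProtoAH, dst, h.SPI}]
	if !ok {
		return nil, 0, fmt.Errorf("no SA for SPI %#x to %s", h.SPI, dst)
	}
	zeroed := append(append([]byte{}, pkt[:ahFixed]...), make([]byte, len(h.ICV))...)
	if !hmac.Equal(h.ICV, icv(sa.AuthKey, zeroed, payload)) {
		return nil, 0, errors.New("ICV mismatch: datagram altered or wrong key")
	}
	if h.Seq <= sa.LastSeq { // strict order; a real receiver keeps a sliding window
		return nil, 0, fmt.Errorf("replayed sequence number %d", h.Seq)
	}
	sa.LastSeq = h.Seq
	return payload, h.NextHeader, nil
}
```

Because AH leaves the payload in the clear, the only thing the receiver gains is the guarantee that the bytes, the SPI and the sequence number are the ones the peer holding the SA key sent; the ESP slide's "encrypted" bracket around the segment and trailer is what AH does not provide.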

8-13 IEEE 802.11 security
- War-driving: drive around Bay area, see what 802.11 networks available?
  - More than 9000 accessible from public roadways
  - 85% use no encryption/authentication
  - packet-sniffing and various attacks easy!
- Securing 802.11
  - encryption, authentication
  - first attempt at 802.11 security: Wired Equivalent Privacy (WEP): a failure
  - current attempt: 802.11i

8-14 Wired Equivalent Privacy (WEP):
- authentication as in protocol ap4.0
  - host requests authentication from access point
  - access point sends 128 bit nonce
  - host encrypts nonce using shared symmetric key
  - access point decrypts nonce, authenticates host
- no key distribution mechanism
- authentication: knowing the shared key is enough

8-15 WEP data encryption
- Host/AP share 40 bit symmetric key (semi-permanent)
- Host appends 24-bit initialization vector (IV) to create 64-bit key
- 64 bit key used to generate stream of keys, k_i^IV
- k_i^IV used to encrypt ith byte, d_i, in frame: c_i = d_i XOR k_i^IV
- IV and encrypted bytes, c_i, sent in frame

8-16 802.11 WEP encryption
[figure: Sender-side WEP encryption]

8-17 Breaking WEP encryption
Security hole:
- 24-bit IV, one IV per frame -> IVs eventually reused
- IV transmitted in plaintext -> IV reuse detected
- Attack:
  - Trudy causes Alice to encrypt known plaintext d_1 d_2 d_3 d_4 ...
  - Trudy sees: c_i = d_i XOR k_i^IV
  - Trudy knows c_i, d_i, so can compute k_i^IV
  - Trudy knows encrypting key sequence k_1^IV k_2^IV k_3^IV ...
  - Next time IV is used, Trudy can decrypt!
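Slides 8-15 and 8-17 give the WEP keystream construction and the reason IV reuse breaks it as equations. The Go program below is an added example, not code from the slides, that makes both concrete: per-frame RC4 keying from IV || shared key exactly as slide 8-15 describes, the keystream recovery c_i XOR d_i from slide 8-17, and the consequence that a later frame under the same IV decrypts as far as the recovered keystream reaches. It adds a defender-side IVMonitor that flags the first recurrence of an IV, the observation that makes the weakness detectable on the wire. The shared key, IVs and frame contents are constructed; the CRC-32 ICV of real WEP is omitted, and the monitor's name and shape are this example's own.

```go
package main

import (
	"crypto/rc4"
	"fmt"
)

// perFrameKeystream returns the first n bytes of k^IV for the WEP per-frame key
// IV (24 bits, sent in the clear) || shared key (40 bits). The same (IV, key) pair
// always yields the same keystream, which is the whole problem.
func perFrameKeystream(shared []byte, iv [3]byte, n int) []byte {
	c, err := rc4.NewCipher(append(append([]byte{}, iv[:]...), shared...))
	if err != nil {
		panic(err) // an 8-byte key is always a valid RC4 key
	}
	ks := make([]byte, n)
	c.XORKeyStream(ks, ks) // XOR over zeros leaves the raw keystream
	return ks
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// WEPEncrypt is slide 8-15: c_i = d_i XOR k_i^IV for every byte of the frame body.
func WEPEncrypt(shared []byte, iv [3]byte, data []byte) []byte {
	return xorBytes(data, perFrameKeystream(shared, iv, len(data)))
}

// RecoverKeystream is slide 8-17's observation: with c_i and a known d_i, k_i^IV = c_i XOR d_i.
func RecoverKeystream(ciphertext, knownPlaintext []byte) []byte {
	return xorBytes(ciphertext, knownPlaintext)
}

// DecryptWithKeystream reads any later frame sent under the same IV, as far as the
// recovered keystream reaches, without the shared key ever being known.
func DecryptWithKeystream(ciphertext, keystream []byte) ([]byte, bool) {
	if len(ciphertext) > len(keystream) {
		return nil, false // only the prefix covered by known plaintext is recoverable
	}
	return xorBytes(ciphertext, keystream[:len(ciphertext)]), true
}

// IVMonitor is the defender's view: IVs travel in plaintext, so the access point or a
// passive sensor can count recurrences. With only 2^24 values, recurrence is certain.
type IVMonitor struct {
	seen map[[3]byte]int
}

func NewIVMonitor() *IVMonitor { return &IVMonitor{seen: make(map[[3]byte]int)} }

// Observe records one frame's IV and reports whether that IV has been seen before.
func (m *IVMonitor) Observe(iv [3]byte) (reused bool) {
	m.seen[iv]++
	return m.seen[iv] > 1
}

func main() {
	shared := []byte{0x01, 0x02, 0x03, 0x04, 0x05} // constructed 40-bit key
	iv := [3]byte{0xaa, 0xbb, 0xcc}
	known := []byte("GET /index.html") // plaintext the observer knows
	mon := NewIVMonitor()
	c1 := WEPEncrypt(shared, iv, known)
	mon.Observe(iv)
	ks := RecoverKeystream(c1, known)
	c2 := WEPEncrypt(shared, iv, []byte("second frame")) // same IV reused
	fmt.Println("IV reused:", mon.Observe(iv))
	d2, _ := DecryptWithKeystream(c2, ks)
	fmt.Printf("recovered: %s\n", d2)
}
```

The slide's bound is what the monitor makes visible: a 24-bit IV gives 16,777,216 values, so a busy station reusing a random IV is a matter of hours, and a station that resets its IV counter at boot reuses the low values immediately. 802.11i's per-packet keying (slide 8-18 onward) removes the reuse rather than trying to detect it.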

8-18 802.11i: improved security
- numerous (stronger) forms of encryption possible
- provides key distribution
- uses authentication server separate from access point

8-19 802.11i: four phases of operation
[figure: STA (client station) talks to AP (access point); AS (authentication server) sits on the wired network behind the AP]
1. Discovery of security capabilities
2. STA and AS mutually authenticate, together generate Master Key (MK). AP serves as "pass through"
3. STA derives Pairwise Master Key (PMK); AS derives same PMK, sends to AP
4. STA, AP use PMK to derive Temporal Key (TK) used for message encryption, integrity

8-20 EAP: extensible authentication protocol
- EAP: end-end client (mobile) to authentication server protocol
- EAP sent over separate "links"
  - mobile-to-AP (EAP over LAN)
  - AP to authentication server (RADIUS over UDP)
[figure: protocol stack: EAP TLS runs over EAP end to end; on the wireless link EAP is carried as EAP over LAN (EAPoL) over IEEE 802.11, and on the wired network as EAP over RADIUS over UDP/IP]

8-21 Network Security (summary)
Basic techniques...
- cryptography (symmetric and public)
- authentication
- message integrity
- key distribution
... used in many different security scenarios
- secure e-mail
- secure transport (SSL)
- IP sec
- 802.11