UNIT-VIII Syllabus Application Layer – Network Security, Domain name system, SNMP, Electronic Mail; the World WEB, Multi Media.


Learning objectives
After the completion of this unit the student must be able to:
- Explain security
- Explain DES
- Explain RSA
- Explain Cryptography

Network Security Deals with the Following Issues
- Secrecy (or confidentiality): no unauthorized person can see the content.
- Authentication: determining whom you are really talking to.
- Non-repudiation (digital signature): a person cannot deny what he/she has sent.
- Integrity: make sure a received message has not been modified.

Attacks on Network Security
- Passive attack
  - Release of message content
  - Traffic analysis
- Active attack
  - Masquerade
  - Replay
  - Modification of message contents
  - Denial of service

Traditional Cryptography

One Example: Substitution Ciphers
- Every letter is shifted by k positions in the 26-letter alphabet list.
- Or a permutation is used to randomly map a letter to another letter.

O SGCT NGX

- Using the properties of natural languages, decoding the above message is not difficult.

Two Fundamental Cryptographic Principles
- All messages must contain some redundancy to prevent intruders from tricking the receiver into acting on a false message.
  - Otherwise, a randomly generated cipher may map to a meaningful message.
  - However, too much redundancy will make the cryptanalysts' job easier.
- Some measure must be taken to prevent intruders from playing back old valid messages.

A Secret Key Algorithm: DES
- Data Encryption Standard (DES) is widely used in the industry.
- Plaintext is encrypted in blocks of 64 bits, yielding 64 bits of cipher.
- Key is 56 bits (no longer considered safe).
- This algorithm has 19 stages.
- Triple DES uses E-D-E and two keys (112 bits is considered safe) for backward compatibility (by setting k1=k2, triple DES can communicate with DES).

Double DES Can be Attacked by “Meet-in-the-Middle”

DES Block Diagram

Location of Encryption Devices

Two Locations of Encryption Devices
- Link encryption devices
  - All traffic on such a link is encrypted.
  - Both data payload and header can be encrypted.
  - A passive intruder cannot know where a packet is headed for.
  - However, it hurts network forwarding performance a lot: the header of a packet needs to be decrypted each time it enters the router for forwarding.
  - Vulnerable when transmitted on a link that does not support encryption and when entering a router.
- End-to-end encryption devices
  - Only the two end hosts know which traffic is important enough that it needs to be encrypted. Performance is thus better.
  - Only data payload can be encrypted.
  - A passive intruder can know where a packet is headed for.
  - Data payload is safe all the way from the source to the destination node.

Key Distribution is Very Important
- For traditional encryption to work, the two communicating parties must have the same secret key before securely exchanging their data.
- Frequent key changes are desirable to limit the data compromised if an attacker learns the key.
- Therefore, the strength of any cryptographic system depends on the key distribution technique!

Key Distribution Can Be Achieved in a Number of Ways
Suppose A and B communicate with each other:
- A can select a key and physically deliver it to B.
- A third party can select a key and physically deliver it to A and B.
- If A and B are already using a key to communicate, one party can transmit the new key to the other, encrypted using the old key.
- If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.

Security, flexibility, and convenience determine whether a method can gain popular use.
The hardest problem is how to set up the first secret key:
- Public key
- Diffie-Hellman method

An Automatic Key Distribution Example

Message Authentication (Also Called Digital Signature)
- A message is said to be authentic when it is genuine and came from its alleged source.
- Message authentication is a procedure that allows communicating parties to verify that received messages are authentic.
  - The receiver can make sure that the message content is not altered.
  - The receiver can make sure that the message really came from the alleged source.
  - The sender later cannot repudiate that he/she sent this message.
  - The receiver can make sure that the message is not a replay.

Message Can Be Authenticated by Encryption
- Encrypt the content of a message with a key owned by the source.
- The receiver uses the same key to decrypt the received message.
- If the decoded message looks reasonable, then this message is not altered and came from the alleged source.
- Advantage: achieves confidentiality, authentication, and integrity at one time.
- Disadvantage: too slow. Sometimes confidentiality is not needed, for example, authentication of computer programs to detect viruses.

Authenticating Messages without Encryption (Message Digests)
- An authentication tag is generated and appended to the message for transmission.
- The tag is a hash function of the content of the message and the source's key.
- The content of the message need not be encrypted. This is much faster than using encryption for the whole message.
- The receiver uses the same function and key to compute a tag.
  - If the tag is the same as the appended tag, the message is authentic.
  - Otherwise, either the appended tag or the message content has been altered.
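
The keyed-tag check described above, as an added example that is not part of the original slides. It assumes HMAC-SHA-256 as the keyed hash and an 8-byte sequence number as the measure against replayed messages (the slides name neither); the key and messages are constructed.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # SHA-256 output size in bytes


def make_message(key: bytes, seq: int, body: bytes) -> bytes:
    """Sender: prepend a sequence number, append tag = HMAC(key, seq || body)."""
    header = struct.pack("!Q", seq)
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


class Receiver:
    """Recomputes the tag with the shared key and rejects replays."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, wire: bytes):
        if len(wire) < 8 + TAG_LEN:
            return None  # too short to hold a sequence number and a tag
        signed, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, signed, hashlib.sha256).digest()
        # Constant-time comparison: do not leak how many tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            return None  # message or tag altered, or wrong key
        (seq,) = struct.unpack("!Q", signed[:8])
        if seq <= self.last_seq:
            return None  # authentic but old: a replayed message
        self.last_seq = seq
        return signed[8:]


def demo():
    key = b"constructed-demo-key-0123456789"  # sample key, constructed
    rx = Receiver(key)
    m1 = make_message(key, 1, b"transfer 10 to bob")
    return {
        "first": rx.accept(m1),
        "replay": rx.accept(m1),
        "tampered": rx.accept(m1.replace(b"10", b"99")),
        "next": rx.accept(make_message(key, 2, b"ok")),
    }
```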

Message Digests Use Secure Hash Function
- The purpose of a hash function H is to produce a "fingerprint" of a message.
- Requirements:
  - H can be applied to a block of data of any size.
  - H produces a fixed-length output.
  - H(x) is easy to compute, making software and hardware implementation cost low.
  - For any given code h, it is computationally infeasible to find x such that H(x) = h.
  - For any given block x, it is computationally infeasible to find y != x with H(x) = H(y).
  - It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).
- Example: SHA, MD5

Different Ways of Doing Message Digests Used by IPsec

Public-Key Cryptography
- Each person has two keys: one public, the other private.
- The sender uses the receiver's public key to encrypt the message.
- The receiver uses his/her private key to decrypt.
- No secret key distribution is needed.

Public-Key Can be Used For Message Authentication
- Only Bob has Bob's private key, so no one else can use Bob's private key to encrypt a message.

Public-Key Can be Used For Both Message Authentication and Encryption

The RSA Public-Key Encryption Algorithm

The RSA Public-Key Encryption Example

The Diffie-Hellman Key Exchange to Establish a Shared Secret Key
- Given g, n, and g^x mod n, finding x is computationally difficult.
- No need to distribute secret keys!
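
The exchange with both sides' messages, as an added example that is not part of the original slides. The parameters n and g are toy values constructed for readability, and the range check on the peer's value and the SHA-256 step that turns the shared secret into a key are assumptions of this sketch.

```python
import hashlib
import secrets

# Toy public parameters, constructed for this example. N is the prime 2^127 - 1;
# real systems use standardized groups of 2048 bits or more.
N = 2**127 - 1
G = 3


def new_private():
    """Random secret exponent in [2, N-2]; never sent on the wire."""
    return 2 + secrets.randbelow(N - 3)


def public_value(private):
    """The value sent in the clear: g^x mod n."""
    return pow(G, private, N)


def shared_key(own_private, peer_public):
    """Combine own secret with the peer's public value and hash to a key."""
    # Reject 0, 1, n-1 and out-of-range values: they would confine the
    # shared secret to a tiny, guessable set.
    if not 2 <= peer_public <= N - 2:
        raise ValueError("peer public value out of range")
    secret = pow(peer_public, own_private, N)  # g^(xy) mod n
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def exchange():
    x, y = new_private(), new_private()  # A's and B's secrets
    a_to_b = public_value(x)             # message 1: A -> B
    b_to_a = public_value(y)             # message 2: B -> A
    # Each side uses only its own secret and the value it received.
    return shared_key(x, b_to_a), shared_key(y, a_to_b)
```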

IPv4 and IPv6 Security: IPsec
- IPsec provides three facilities:
  - Authentication-only (AH)
  - Authentication with encryption (Encapsulating Security Payload, ESP)
  - Key management
- IPsec provides two modes:
  - Transport mode
    - Only the data payload can be authenticated and/or encrypted.
    - The packet header is exposed.
  - Tunnel mode
    - Both packet header and data payload can be encrypted.
    - An original packet is put into and carried as a tunnel IP packet's data payload. Thus, the original packet header is not exposed.

Transport and Tunnel Modes

Security Association in IPsec
- An association is a one-way relationship between a sender and a receiver that offers security service to the traffic carried on it.
- For a two-way secure exchange, two associations, one for each direction, need to be set up.
- A security association is uniquely defined by:
  - Security parameter index (like VC ID), so that a receiving node knows which encryption/authentication algorithm should be used to process a received packet
  - IP destination address
  - Security protocol identifier (e.g., AH or ESP)

Authentication Header Format
- The authentication data stores the message digest.
- The calculation of the digest covers:
  - The IP header fields that either do not change (e.g., source IP address) or that are predictable upon arrival at the receiving node (e.g., destination IP address when source routing is used).
  - The AH header itself.
  - The entire IP data payload.
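
An added sketch (not from the slides) of this digest coverage for an IPv4 header without options: the fields that may change in transit are zeroed before hashing, so a router's TTL decrement leaves the digest valid while a changed source address does not. The zeroed field list follows RFC 4302; the truncated HMAC-SHA-256 digest, the SPI, the addresses and the key are assumptions chosen for the example.

```python
import hashlib
import hmac
import socket
import struct

IPV4 = "!BBHHHBBH4s4s"  # 20-byte IPv4 header, no options (assumption)
ICV_LEN = 16            # HMAC-SHA-256 truncated to 16 bytes (assumption)


def ipv4_header(src, dst, ttl, total_len, checksum=0):
    # version/IHL, TOS, length, ID, flags+frag, TTL, protocol 51 (AH), checksum
    return struct.pack(IPV4, 0x45, 0, total_len, 0x1234, 0, ttl, 51,
                       checksum, socket.inet_aton(src), socket.inet_aton(dst))


def mask_mutable(header):
    """Zero the fields that may change in transit so they stay out of the digest."""
    f = list(struct.unpack(IPV4, header))
    for i in (1, 4, 5, 7):  # TOS, flags+fragment offset, TTL, header checksum
        f[i] = 0
    return struct.pack(IPV4, *f)


def ah_icv(key, ip_header, ah_fixed, payload):
    """Digest over masked IP header + AH header (digest field zeroed) + payload."""
    covered = mask_mutable(ip_header) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def demo():
    key = b"constructed-ah-demo-key"           # sample key, constructed
    payload = b"constructed upper-layer data"  # sample payload, constructed
    # next header 6 (TCP), length 5 words, reserved, SPI 0x100, sequence 1
    ah_fixed = struct.pack("!BBHII", 6, 5, 0, 0x100, 1)
    total = 20 + len(ah_fixed) + ICV_LEN + len(payload)
    sent = ipv4_header("192.0.2.1", "198.51.100.7", 64, total)
    icv = ah_icv(key, sent, ah_fixed, payload)
    # After one hop: TTL decremented, checksum rewritten (placeholder value).
    routed = ipv4_header("192.0.2.1", "198.51.100.7", 63, total, 0xBEEF)
    spoofed = ipv4_header("192.0.2.99", "198.51.100.7", 64, total)
    check = lambda hdr, data: hmac.compare_digest(ah_icv(key, hdr, ah_fixed, data), icv)
    return {
        "ttl_change_ok": check(routed, payload),
        "spoofed_src_ok": check(spoofed, payload),
        "payload_edit_ok": check(sent, payload + b"!"),
    }
```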

ESP(Encapsulating Security Payload) Header Format

Security Can be Enforced At Different Layers
- IPsec is a security mechanism at the network layer.
  - When used, all traffic between two nodes needs to be authenticated or encrypted (good for VPN).
  - However, not all traffic is important. Authentication and encryption operations hurt packet forwarding performance a lot!
- Secure Socket Layer (SSL) is at the transport layer.
  - We can use SSL to connect to a secure web server only when really needed.
- Also, we can do authentication/encryption at the application layer.
  - That is, we can manually authenticate and encrypt a message and then send it on a normal TCP connection.

Tutorial Questions
- Explain about FTAM services.
- Discuss about DNS.
- Explain about multimedia.
- Discuss about WWW.
- Explain about Domain Name Systems (DNS).
- Explain about Multimedia. [8+8]
- Write short notes on: (a) World Wide Web. (b) FTAM (c) VTP.