Computer Science Lecture 23, page 1 CS677: Distributed OS Security: Focus of Control Three approaches for protection against security threats a)Protection.

Slides:



Advertisements
Similar presentations
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Advertisements

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
Part 5:Security Network Security (Access Control, Encryption, Firewalls)
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.
1 ITC242 – Introduction to Data Communications Week 11 Topic 17 Chapter 18 Network Security.
Chapters 8 Network Security Professor Rick Han University of Colorado at Boulder
Network Security understand principles of network security:
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Chapter 31 Network Security
INE1020: Introduction to Internet Engineering 6: Privacy and Security Issues1 Lecture 9: E-commerce & Business r E-Commerce r Security Issues m Secure.
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
Network Security  introduction  cryptography  authentication  key exchange  Reading: Tannenbaum, section 7.1 Ross/Kurose, Ch 7 (which is incomplete)
Computer Networks NYUS FCSIT Spring 2008 Milos STOLIC, Bs.C. Teaching Assistant
Network Security. An Introduction to Cryptography The encryption model (for a symmetric-key cipher).
8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.
Authentication Question: how does a receiver know that remote communicating entity is who it is claimed to be?
Network Security. Information secrecy-only specified parties know the information exchanged. Provided by criptography. Information integrity-the information.
8-1Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity, authentication.
1 Network Security  introduction  cryptography  authentication  key exchange  Reading: Tannenbaum, section 7.1 Ross/Kurose, Ch 7 (which is incomplete)
Network Security – Part 2 (Continued) Lecture Notes for May 8, 2006 V.T. Raja, Ph.D., Oregon State University.
Security Keys, Signatures, Encryption. Slides by Jyrki Nummenmaa ‘
ICT 6621 : Advanced NetworkingKhaled Mahbub, IICT, BUET, 2008 Lecture 12 Network Security (2)
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
©The McGraw-Hill Companies, Inc., 2000© Adapted for use at JMU by Mohamed Aboutabl, 2003Mohamed Aboutabl1 1 Chapter 29 Internet Security.
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
Security Chapter 8.
Cryptography and Network Security (CS435) Part Fourteen (Web Security)
Computer and Internet Security. Introduction Both individuals and companies are vulnerable to data theft and hacker attacks that can compromise data,
Introduction1-1 Data Communications and Computer Networks Chapter 6 CS 3830 Lecture 31 Omar Meqdadi Department of Computer Science and Software Engineering.
Chapter 21 Distributed System Security Copyright © 2008.
23-1 Last time □ P2P □ Security ♦ Intro ♦ Principles of cryptography.
Internet Security. 2 PGP is a security technology which allows us to send that is authenticated and/or encrypted. Authentication confirms the identity.
1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.
Cryptography (2) University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED.
Network Security Understand principles of network security:
Network Security  introduction  cryptography  authentication  key exchange  required reading: text section 7.1.
Upper OSI Layers Natawut Nupairoj, Ph.D. Department of Computer Engineering Chulalongkorn University.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 part 2: Message integrity.
1 Network Security Basics. 2 Network Security Foundations: r what is security? r cryptography r authentication r message integrity r key distribution.
Security Many secure IT systems are like a house with a locked front door but with a side window open -somebody.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
TCP/IP Protocol Suite 1 Chapter 30 Security Credit: most slides from Forouzan, TCP/IP protocol suit.
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
Computer and Network Security - Message Digests, Kerberos, PKI –
Secure Socket Layer SSL and TLS. SSL Protocol Peer negotiation for algorithm support Public key encryptionPublic key encryption -based key exchange and.
1 6 Chapter 6 Implementing Security for Electronic Commerce.
Security. Cryptography (1) Intruders and eavesdroppers in communication.
Chapter 7 : Web Security Lecture #1-Week 12 Dr.Khalid Dr. Mohannad Information Security CIT 460 Information Security Dr.Khalid Dr. Mohannad 1.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Digital Signatures Cryptographic technique analogous to hand-written signatures. sender (Bob) digitally signs document, establishing he is document owner/creator.
Digital Signatures Cryptographic technique analogous to hand-written signatures. sender (Bob) digitally signs document, establishing he is document owner/creator.
Network Security Basics
Chapter 7: Network security
Protocol ap1.0: Alice says “I am Alice”
Digital Signatures Cryptographic technique analogous to hand-written signatures. sender (Bob) digitally signs document, establishing he is document owner/creator.
Digital Signatures Cryptographic technique analogous to hand-written signatures. sender (Bob) digitally signs document, establishing he is document owner/creator.
Digital Signatures Cryptographic technique analogous to hand-written signatures. sender (Bob) digitally signs document, establishing he is document owner/creator.
Advanced Computer Networks
Digital Signatures Cryptographic technique analogous to hand-written signatures. sender (Bob) digitally signs document, establishing he is document owner/creator.
Chapter 8 roadmap 8.1 What is network security?
Presentation transcript:

Computer Science Lecture 23, page 1 CS677: Distributed OS Security: Focus of Control Three approaches for protection against security threats a)Protection against invalid operations b)Protection against unauthorized invocations c)Protection against unauthorized users

Computer Science Lecture 23, page 2 CS677: Distributed OS Authentication Question: how does a receiver know that remote communicating entity is who it is claimed to be?

Computer Science Lecture 23, page 3 CS677: Distributed OS Authentication Protocol (ap) Ap 1.0 –Alice to Bob: “I am Alice” –Problem: intruder “Trudy” can also send such a message Ap 2.0 –Authenticate source IP address is from Alice’s machine –Problem: IP Spoofing (send IP packets with a false address) Ap 3.0: use a secret password –Alice to Bob: “I am Alice, here is my password” (e.g., telnet) –Problem: Trudy can intercept Alice’s password by sniffing packets

Computer Science Lecture 23, page 4 CS677: Distributed OS Authentication Protocol Ap 3.1: use encryption use a symmetric key known to Alice and Bob Alice & Bob (only) know secure key for encryption/decryption A to B: msg = encrypt("I am A") B computes: if decrypt(msg)=="I am A" then A is verified else A is fradulent failure scenarios: playback attack –Trudy can intercept Alice’s message and masquerade as Alice at a later time

Computer Science Lecture 23, page 5 CS677: Distributed OS Authentication Using Nonces Problem with ap 3.1: same password is used for all sessions Solution: use a sequence of passwords pick a "once-in-a-lifetime-only" number (nonce) for each session Ap 4.0 A to B: msg = "I am A" /* note: unencrypted message! */ B to A: once-in-a-lifetime value, n A to B: msg2 = encrypt(n) /* use symmetric keys */ B computes: if decrypt(msg2)==n then A is verified else A is fradulent note similarities to three way handshake and initial sequence number choice problems with nonces?

Computer Science Lecture 23, page 6 CS677: Distributed OS Authentication Using Public Keys Ap 4.0 uses symmetric keys for authentication Question: can we use public keys? symmetry: DA( EA(n) ) = EA ( DA(n) ) AP 5.0 A to B: msg = "I am A" B to A: once-in-a-lifetime value, n A to B: msg2 = DA(n) B computes: if EA (DA(n))== n then A is verified else A is fradulent

Computer Science Lecture 23, page 7 CS677: Distributed OS Problems with Ap 5.0 Bob needs Alice’s public key for authentication –Trudy can impersonate as Alice to Bob Trudy to Bob: msg = “I am Alice” Bob to Alice: nonce n (Trudy intercepts this message) Trudy to Bob: msg2= DT(n) Bob to Alice: send me your public key (Trudy intercepts) Trudy to Bob: send ET (claiming it is EA) Bob: verify ET(DT(n)) == n and authenticates Trudy as Alice!! Moral: Ap 5.0 is only as “secure” as public key distribution

Computer Science Lecture 23, page 8 CS677: Distributed OS Man-in-the-middle Attack Trudy impersonates as Alice to Bob and as Bob to Alice –Alice Trudy Bob – “I am A” “I am A” – nonce n – DT(n) – send me ET – ET – nonce n – DA(n) – send me EA – EA – Bob sends data using ET, Trudy decrypts and forwards it using EA!! (Trudy transparently intercepts every message)

Computer Science Lecture 23, page 9 CS677: Distributed OS Digital Signatures Using Public Keys Goals of digital signatures: sender cannot repudiate message never sent ("I never sent that") receiver cannot fake a received message Suppose A wants B to "sign" a message M B sends DB(M) to A A computes if EB ( DB(M)) == M then B has signed M Question: can B plausibly deny having sent M?

Computer Science Lecture 23, page 10 CS677: Distributed OS Message Digests Encrypting and decrypting entire messages using digital signatures is computationally expensive –Routers routinely exchange data Does not need encryption Needs authentication and verify that data hasn’t changed Message digests: like a checksum –Hash function H: converts variable length string to fixed length hash –Digitally sign H(M) –Send M, DA(H(m)) –Can verify who sent the message and that it has been changed! Property of H –Given a digest x, it is infeasible to find a message y such that H(y) = x –It is infeasible to find any two messages x and y such that H(x) = H(y)

Computer Science Lecture 23, page 11 CS677: Distributed OS Hash Functions : MD5 The structure of MD5

Computer Science Lecture 23, page 12 CS677: Distributed OS Symmetric key exchange: trusted server Problem: how do distributed entities agree on a key? Assume: each entity has its own single key, which only it and trusted server know Server: will generate a one-time session key that A and B use to encrypt communication will use A and B's single keys to communicate session key to A, B

Computer Science Lecture 23, page 13 CS677: Distributed OS Key Exhange: Key Distribution Center (1) The principle of using a KDC.

Computer Science Lecture 23, page 14 CS677: Distributed OS Authentication Using a Key Distribution Center (2) Using a ticket and letting Alice set up a connection to Bob.

Computer Science Lecture 23, page 15 CS677: Distributed OS Authentication Using a Key Distribution Center (3) The Needham-Schroeder authentication protocol.

Computer Science Lecture 23, page 16 CS677: Distributed OS Public Key Exchange Mutual authentication in a public-key cryptosystem.

Computer Science Lecture 23, page 17 CS677: Distributed OS Public key exchange: trusted server public key retrieval subject to man-in-middle attack locate all public keys in trusted server everyone has server's encryption key (ES public) suppose A wants to send to B using B's "public" key

Computer Science Lecture 23, page 18 CS677: Distributed OS Protection Against Intruders: Firewalls A common implementation of a firewall.

Computer Science Lecture 23, page 19 CS677: Distributed OS Firewalls Firewall: network components (host/router+software) sitting between inside ("us") and outside ("them) Packet filtering firewalls: drop packets on basis of source or destination address (i.e., IP address, port) Application gateways: application specific code intercepts, processes and/or relays application specific packets –e.g., of telnet gateways –application gateway code can be security hardened –can log all activity

Computer Science Lecture 23, page 20 CS677: Distributed OS Secure Requirements: –Secrecy –Sender authentication –Message integrity –Receiver authentication Secrecy –Can use public keys to encrypt messages Inefficient for long messages –Use symmetric keys Alice generates a symmetric key K Encrypt message M with K Encrypt K with E B Send K(M), E B (K) Bob decrypts using his private key, gets K, decrypts K(M)

Computer Science Lecture 23, page 21 CS677: Distributed OS Secure Authentication and Integrity (with no secrecy) –Alice applies hash function H to M (H can be MD5) –Creates a digital signature D A (H(M)) –Send M, D A (H(M)) to Bob Putting it all together –Compute H(M), D A (H(M)) –M’= { H(M), D A (H(M)) } –Generate symmetric key K, compute K(M’) –Encrypt K as E B (K) –Send K(M’), E B (K) Used in PGP (pretty good privacy)

Computer Science Lecture 23, page 22 CS677: Distributed OS Secure Sockets Layer (SSL) SSL: Developed by Netscape –Provides data encryption and authentication between web server and client –SSL lies above the transport layer –Useful for Internet Commerce, secure mail access (IMAP) –Features: SSL server authentication Encrypted SSL session SSL client authentication

Computer Science Lecture 23, page 23 CS677: Distributed OS Secure Socket Layer Protocol: https instead of http –Browser -> Server: B’s SSL version and preferences –S->B: S’s SSL version, preferences, and certificate Certificate: server’s RSA public key encrypted by CA’s private key –B: uses its list of CAs and public keys to decrypt S’s public key –B->S: generate K, encrypt K with with E S –B->S: “future messages will be encrypted”, and K(m) –S->B: “future messages will be encrypted”, and K(m) –SSL session begins…

Computer Science Lecture 23, page 24 CS677: Distributed OS SSL Homework: get your own digital certificate –Click on “security” icon (next to “print” icon) in Netscape 4.7 –Click on “Certificates” and then on “obtain your certificate” –Send an to yourself signed with your certificate –Also examine listed of trusted CAs built into the browser

Computer Science Lecture 23, page 25 CS677: Distributed OS Electronic Payment Systems (1) Payment systems based on direct payment between customer and merchant. a)Paying in cash. b)Using a check. c)Using a credit card.

Computer Science Lecture 23, page 26 CS677: Distributed OS E-cash The principle of anonymous electronic cash using blind signatures.

Computer Science Lecture 23, page 27 CS677: Distributed OS Secure Electronic Transactions (SET) The different steps in SET.

Computer Science Lecture 23, page 28 CS677: Distributed OS Security: conclusion key concerns: encryption authentication key exchange also: increasingly an important area as network connectivity increases digital signatures, digital cash, authentication, increasingly important an important social concern further reading: –Crypto Policy Perspectives: S. Landau et al., Aug 1994 CACM –Internet Security, R. Oppliger, CACM May 1997 –

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.