Presentation is loading. Please wait.

Presentation is loading. Please wait.

or call for office visit, or call Kathy Cheek,

Published byGeorgina Flynn Modified over 6 years ago

Similar presentations

Presentation on theme: "or call for office visit, or call Kathy Cheek,"— Presentation transcript:

1 email or call for office visit, or call Kathy Cheek, 404 894-5696
ECE-6612 Prof. John A. Copeland fax Office: Centergy 5188 or call for office visit, or call Kathy Cheek, Quiz-2 Review

2 Quiz-2 Topic Areas Quiz-2 Topic Areas Security - PGP, S/MIME IP Security - IPsec Web Security - Secure Socket Layers (SSL) - Secure Electronic Transactions (SET) Network Management Security - SNMP v3 Intruders Viruses X X.509 Certificates - Digital Proof of Identity Security - PGP, S/MIME IP Security - IPsec Web Security - Secure Socket Layers (SSL) - Secure Electronic Transactions (SET) Network Management Security - SNMP v3 Intruders (and other Malicious Users) Viruses - Worms, Trojan Horses, ... 2

3 X.509 Authentication Service
• An International Telecommunications Union (ITU) recommendation (versus “standard”) for allowing computer host or users to securely identify themselves over a network. • An X.509 certificate purchased from a “Certificate Authority” (trusted third party) allows a merchant to give you his public key in a way that your Browser can generate a session key for a transaction, and securely send that to the merchant for use during the transaction (padlock icon on screen closes to indicate transmissions are encrypted). • Once a session key is established, no one can “high jack” the session (for example, after your enter your credit card information, an intruder can not change the order and delivery address). • User only needs a Browser that can encrypt/decrypt with the appropriate algorithm, and generate session keys from truly random numbers. • Merchant’s Certificate is available to the public, only the secret key must be protected. Certificates can be cancelled if secret key is compromised. 3

4 Raw “Certificate” has user name, public key, expiration date, ...
Generate hash code of Raw Certificate Raw Cert. MIC Hash Encrypt hash code with CA’s private key to form CA’s signature Signed Cert. Signed Certificate Recipient can verify signature using CA’s public key. Certificate Authority generates the “signature” that is added to raw “Certificate” 4

5 Authentication of Source
Pretty Good Privacy, PGP Establishing Keys Public Key Certification Exchange Public Keys Multiple Recipients Encrypt message m with session key, S Encrypt S with each recipient's key Send: {S; Kbob}, {S; Kann}, ... , {m; S} Authentication of Source Hash (MD4, MD5, SHA1) of message, encrypt with private key (provides ciphertext/plaintext pair) Secret Key K: MIC is hash of K+m, or CBC residue with K (assuming message not encrypted with K). 5

6 6 From "PGP Freeware for MacOS, User's Guide" Version 6.5, Network Associates, Inc.,

7 Things of which to be aware
Neither PEM or PGP encode mail headers Subject can give away useful info To and From give an intruder traffic analysis info PGP gives recipient the original file name and modification date PEM may be used in a local system with unknown trustworthiness of certificates Certificates often verify that sender is "John Smith" but he may not be the "John Smith" you think (PGP allows pictures in certificates) 7

8 Simple Mail Transfer Protocol (SMTP, RFC 822)
SMTP Limitations - Can not transmit, or has a problem with: • executable files, or other binary files (jpeg image). • “national language” characters (non-ASCII) • messages over a certain size • ASCII to EBCDIC translation problems • lines longer than a certain length (72 to 254 characters) MIME Defined Five New Headers • MIME-Version. Must be “1.0” -> RFC 2045, RFC 2046 • Content-Type. More types being added by developers (application/word) • Content-Transfer-Encoding. How message has been encoded (radix-64) • Content-ID. Unique identifying character string. • Content Description. Needed when content is not readable text (e.g.,mpeg) Canonical Form: Standard format for use between systems ( not a “native” format - GIF).

9 Secure/MIME 9 Can “sign” and/or encrypt messages Functions:
• Enveloped Data: Encrypted content and encrypted session keys for recipients. • Signed Data: Message Digest encrypted with private key of “signer.” • Clear-Signed Data: Signed but not encrypted. • Signed and Enveloped Data: Various orderings for encrypting and signing. Algorithms Used • Message Digesting: SHA-1 and MDS • Digital Signatures: DSS • Secret-Key Encryption: Triple-DES, RC2/40 (exportable) • Public-Private Key Encryption: RSA with key sizes of 512 and 1024 bits, and Diffie-Hellman (for session keys). 9

10 X.509 Chain of Authentication
Actually, there is are sets of top-level CA’s, those included with browser programs (W, Y, ... ). 10

11 Router Network - Table Set Up
In an Router Network, circuits are defined by entries in the Routing Tables along the way. These may be Static (manually set up) or Dynamic (set up according to Algorithm in the Router). B A to D A C 1 2 3 6 E 4 5 7 D Station ( on a LAN) A Local Connection Trunk or Long-Haul 1 Router 11

12 Router 12 Web Server Browser Application Application Layer Layer
(HTTP) (HTTP) Port 80 Port 31337 Buffers Packets that Transport need to be forwarded Transport Layer (based on IP address). Layer (TCP,UDP) (TCP,UDP) Segment No. Segment No. Network Network Layer (IP) Layer (IP) IP Address Network Network IP Address Layer Layer Token Ring E'net Data Token Ring E'net Data Link Layer Link Layer Data-Link Layer Data Link Layer Ethernet Token Ring E'net Phys. Token Ring Phys. Layer Phys. Layer Layer Phys. Layer 12

13 Internet (IP) Layer Security
The Internet Engineering Task Force (IETF) Internet Protocol Security protocol (IPSEC) working group to standardize an IP Security Protocol (IPSP) and an Internet Key Management Protocol (IKMP). objective of IPSP is to make available cryptographic security mechanisms to users who desire security. mechanisms should work for both the current version of IP (IPv4) and the new IP (IPng or IPv6). should be algorithm-independent, in that the cryptographic algorithms can be altered. should be useful in enforcing different security policies, but avoid adverse impacts on users who do not employ them. Internet (IP) Layer Security 13 Rolf Oppliger, "Internet Security: Firewalls and Beyond," p92, Comm. ACM 40, May 1997

14 (SNMP version 3) 14

15 SET (Secure Electronic Transactions)
• Provides a secure communications channel among all the parties involved in a transaction: Customer, Seller, Customer’s credit provider, Seller’s bank. • Provides trust by the use of X.509v3 certificates. • Ensures privacy because information is only made available to the parties that need it. * Cardholder account authentication to the Merchant (Cardholder must have a Certificate issued by the credit company). Merchant may issue a temporary Certificate to insure the session is not high-jacked). * Verifies that Merchant has a business relationship with a financial institution. * Integrity of data customer sends to Merchant (order info tied to funds transfer). 15

16 16

17 17

18

19 Network Intruders Masquerader: A person who is not authorized to use a computer, but gains access appearing to be someone with authorization (steals services, violates the right to privacy, destroys data, ...) Misfeasor: A person who has limited authorization to use a computer, but misuses that authorization (steals services, violates the right to privacy, destroys data, ...) Clandestine User: A person who seizes supervisory control of a computer and proceeds to evade auditing and access controls. 19

20 The Stages of a Network Intrusion [RAERU]
1. Scan the network to: [RECONNAISANCE] • locate which IP addresses are in use, • what operating system is in use, • what TCP or UDP ports are “open” (being listened to by Servers). 2. Run “Exploit” scripts against open ports. [ACCESS] 3. Elevate privileges to “root” privileges. [ELEVATE] 4. Download from Hacker Web site special versions of systems files that will let Cracker have free access in the future without his cpu time or disk storage space being noticed by auditing programs. [ROOT KIT] 5. Use IRC (Internet Relay Chat) to invite friends to the feast, or use the computer and its info another way. [UTILIZE] Flow-based* "CI", signature-based? Vulnerability Scan Signature?, Flow-Based Port Profile* Host-based Signature?, "Port-Profile*", Forbidden Zones*, Host-based Signature?, "Port-Profile*", Forbidden Zones*, Host-based * StealthWatch 20

21 Protection from a Network Intrusion
1. Use a “Firewall” between the local area network and the world-wide Internet to limit access (Chapter 10). 2. Use an IDS (Intrusion Detection System) to detect Cracker during the scanning stage (lock out the IP address, or monitor and prosecute). 3. Use a program like TripWire on each host to detect when systems files are altered, and an alert to Sys Admin. 4. On Microsoft PC’s, a program like Zone Alarm or Black Ice is easier to install than learning how to reset default parameters to make the system safe (and fun besides). 21

22 Anomaly-Based Intrusion Detection
High statistical variation in most measurable network behavior parameters results in high false-alarm rate #FP = #Normal Events x FP-rate #FN = #Bad Events x FN-rate False Alarms, False Positives Undetected Intrusions, False Negatives Detection Threshold 22

Download ppt "or call for office visit, or call Kathy Cheek,"

Similar presentations

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Cryptography and Network Security

Cryptography and Network Security
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Lecture 5: Email security: PGP Anish Arora CSE 5473 Introduction to Network Security.

Lecture 5: security: PGP Anish Arora CSE 5473 Introduction to Network Security.
Lecture 5: Email security: PGP Anish Arora CIS694K Introduction to Network Security.

Lecture 5: security: PGP Anish Arora CIS694K Introduction to Network Security.
Chapter 5 Electronic mail security. Outline Pretty good privacy S/MIME Recommended web sites.

Chapter 5 Electronic mail security. Outline Pretty good privacy S/MIME Recommended web sites.
1 Pertemuan 12 E-mail Security Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 12 Security Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
NS-H0503-02/11041 E-mail Security. NS-H0503-02/11042 Email Security email is one of the most widely used and regarded network services currently message.

NS-H / Security. NS-H / Security is one of the most widely used and regarded network services currently message.
Electronic mail security

Electronic mail security
Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) But the data must be accessible to persons authorized.

Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) But the data must be accessible to persons authorized.
Henric Johnson1 Electronic mail security Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Electronic mail security Henric Johnson Blekinge Institute of Technology, Sweden
Chapter 8 Web Security.

Chapter 8 Web Security.
Electronic Mail Security

Electronic Mail Security
Prof. John A. Copeland 404 894-5177 fax 404 894-0035 Office: Klaus 3362 .

Prof. John A. Copeland fax Office: Klaus
1 TCP/IP Applications. 2 NNTP: Network News Transport Protocol NNTP is a TCP/IP protocol based upon text strings sent bidirectionally over 7 bit ASCII.

1 TCP/IP Applications. 2 NNTP: Network News Transport Protocol NNTP is a TCP/IP protocol based upon text strings sent bidirectionally over 7 bit ASCII.
Electronic mail security. Outline Pretty good privacy S/MIME.

Electronic mail security. Outline Pretty good privacy S/MIME.
ECE-8843 Prof. John A. Copeland 404 894-5177 fax 404 894-0035 Office: GCATT.

ECE Prof. John A. Copeland fax Office: GCATT.
Krerk Piromsopa. Network Security Krerk Piromsopa. Department of Computer Engineering. Chulalongkorn University.

Krerk Piromsopa. Network Security Krerk Piromsopa. Department of Computer Engineering. Chulalongkorn University.
Chapter 6 Electronic Mail Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI 1.

Chapter 6 Electronic Mail Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI 1.

Similar presentations

Ads by Google