Presentation is loading. Please wait.

Presentation is loading. Please wait.

Strong Password Protocols, Firewalls

Published byDulcie Daniels Modified over 6 years ago

Similar presentations

Presentation on theme: "Strong Password Protocols, Firewalls"— Presentation transcript:

1 Strong Password Protocols, Firewalls
Network Security Design Fundamentals ET-IDA-082 Lecture-22 Network Defense Strong Password Protocols, Firewalls , v07 Prof. W. Adi

2 Outlines Firewalls Types and applications Strong Password Protocols
Lamport´s Hash Strong Protocols Firewalls Types and applications

3 Password Schemes Strong Password Protocols
There are many different electronic devices for e-payment system. Different banks may be concerted in e-payment and the financial network is neccessary. E-payment flatform is built connecting the financial network and other open network, where the electronic devices can communicate with the flatform. PC is the most common device. Other devices include mobile devices, e.g. laptop, PDA, mobile telephone, ATM(Automatic Teller Machine), POS(Position of Sale), telephone and terminal. The electronic devices can connect the e-payment flatform using different open network.

4 Challenge-Response Authentication
User, system share a secret function F (in practice, f is a known function with unknown parameters, such as a cryptographic key Ks) A random source generates r as a challenge Secret key ks r F F(r) request to authenticate system user user random message r (the challenge) system F(r) (the response) user system

5 Pass Algorithms Challenge-response with the function F itself as secret Example: Challenge is a random string of characters such as “abcdefg”, “ageksido” Response is some function of that string such as “ bdf” , “gkio” (each second letter is selected) Can alter algorithm based on alternative selections Network connection is as above, dial-up might require “aceg”, “aesd” Usually deployed in conjunction with fixed, reusable password

6 One-Time Passwords One-Time Password: Password that can be used exactly once After use, it is immediately invalidated Use strategies: 1- Any One-Time Password out of a shared list (Banking TAN) Challenge: give a valid authenticated passwords from a securely shared list (PINS) p1 p2 p3 ….. pn Response is any password for the list used only once 2- One-Time Password selected from a shred list (Selected Banking TAN) Challenge: is a serial number i for a password from the shared authenticated list p1 p2 p3 … pi .. pn Response is password for a particular random selection pi Problems Synchronization of user, system Generation of good random passwords Password distribution problem

7 S/Key (TM Bellcore 1980) h(p2) = p1 h(pi) = pi-1
One-time password scheme based on idea of Lamport (1981) h is a one-way hash function (MD5 or SHA-1, for example) User chooses initial seed k0 System calculates: h(k0) = k1 h(k1) = k2 h(k2) = k3 h(kn–2) = kn–1 h(kn–1) = kn pn pn-1 pn-2 p2 p1 h ki+1 ki Initialize with k0 at t=0 h(p2) = p1 h(pi) = pi-1 Passwords pi ‘s are recalled in the reversed order

8 S/Key Protocol System stores maximum number of authentications n, number of next authentication i, last correctly supplied password pi–1. { name } { i } { pi } system user system user h(pi) = pi-1 user system System computes h(pi) = h(kn–i+1) = kn–i = pi-1. If match with what is stored, system replaces pi–1 with pi and increments i.

9 Next used password in revesred order
Source Wikipedia

10 Compare password to Hn-1 password
Compare password to Hn-1 password. If equal, n authen-tication is successfull. Store password for the n-1 future reference Next password Source Wikipedia

11 Hardware Support Token-based Temporally-based
Used to compute response to challenge May encipher or hash challenge May require PIN from user Temporally-based Every minute (or so) different number shown Computer knows what number to expect when User enters number and fixed password

12 C-R and Dictionary Attacks
Same as for fixed passwords Attacker knows challenge r and response f(r); if f encryption function, can try different keys May only need to know form of response; attacker can tell if guess correct by looking to see if deciphered object is of right form Example: Kerberos Version 4 used DES, but keys had 20 bits of randomness; Purdue attackers guessed keys quickly because deciphered tickets had a fixed set of bits in some locations

13 Encrypted Key Exchange
Defeats off-line dictionary attacks Idea: random challenges enciphered, so attacker cannot verify correct decipherment of challenge Assume Alice, Bob share secret password s In what follows, Alice needs to generate a random public key p and a corresponding private key q Also, k is a randomly generated session key, and RA and RB are random challenges

14 EKE: Encrypted Key Exchange Protocol
( Starting with W as a weak secret password between Alice and Bob ) and E is a cipher Alice || Ew( ga mod p) Alice Bob Bob || Ew( gb mod p) Alice Bob Now Alice, Bob share a randomly generated secret Diffie-Hellman session key k = gab mod p Ek(RA) Alice Bob Ek(RARB) Alice Bob Ek(RB) Alice Bob

15 Biometrics Automated measurement of biological, behavioral features that identify a person Fingerprints: optical or electrical techniques Maps fingerprint into a graph, then compares with database Measurements not exact, so approximate matching algorithms used Voices: speaker verification or recognition Verification: uses statistical techniques to test hypothesis that speaker is who is claimed (speaker dependent) Recognition: checks content of answers (speaker independent)

16 Other Characteristics
Can use several other characteristics Eyes: patterns in irises unique Measure patterns, determine if differences are random; or correlate images using statistical tests Faces: image, or specific characteristics like distance from nose to chin Lighting, view of face, other noise can hinder this Keystroke dynamics: believed to be unique Keystroke intervals, pressure, duration of stroke, where key is struck Statistical tests used Cautions: Known patters can be optically attacked by copying!

17 Location If you know where user is, validate identity by seeing if person is where the user is Requires special-purpose hardware to locate user GPS (global positioning system) device gives location signature of entity Host uses LSS (location signature sensor) to get signature for entity

18 Multiple Methods Example: “where you are” also requires entity to have LSS (Location Signature Sensor) and/or GPS, so also “which means you have?” Can assign different methods to different tasks As users perform more and more sensitive tasks, must authenticate in a variety of ways includes controls on access (time of day, etc.), resources, and requests to change passwords Pluggable Authentication Modules (Physical Security)

19 Key Points Authentication is not cryptography Passwords are useful
You have to consider physical security of system components Passwords are useful They provide a basis for most forms of authentication Protocols are important Make attacks more difficult

20 Internal Defenses Firewalls etc. (Optional)

21 Perimeter and Internal Defenses
Commonly deployed defenses Perimeter defenses – Firewall, IDS Protect local area network and hosts Keep external threats from internal network Internal defenses – Virus scanning Protect hosts from threats that get through the perimeter defenses Extend the “perimeter” – VPN Common practices, but could be improved Internal threats are significant Unhappy employees Compromised hosts

22 Standard perimeter defense mechanisms
Firewall Packet filter (stateless, stateful) Application layer proxies Traffic shaping Intrusion detection Anomaly and misuse detection Methods applicable to network or host

23 Basic Firewall Concept
Separate local area net from internet Firewall Local area network Internet Router All packets between LAN and internet routed through firewall

24 Firewall goals Prevent malicious attacks on hosts
Port sweeps, ICMP echo to broadcast addr, syn flooding, … Worm propagation Exploit buffer overflow in program listening on network Prevent general disruption of internal network External SMNP packets Provide defense in depth Programs contain bugs and are vulnerable to attack Network protocols may contain; Design weaknesses (SSH CRC) Implementation flaws (SSL, NTP, FTP, SMTP...) Control traffic between “zones of trusts”

25 Review: TCP Protocol Stack
Application protocol Application Application TCP, UDP protocol Transport Transport Network IP protocol IP IP protocol Network Link Network Access Link Data Link Data Link Transport layer provides ports, logical channels identified by number

26 Types of Firewalls Three common types of Firewalls:
Packet-filtering routers Application-level gateways Circuit-level gateways

27 Types of Firewalls Packet-filtering Router

28 Types of Firewalls Packet-filtering Router
Applies a set of rules to each incoming IP packet and then forwards or discards the packet Filter packets going in both directions The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header Two default policies (discard or forward)

29 Packet-filtering Router
Advantages: Simplicity Transparency to users High speed Disadvantages: Difficulty of setting up packet filter rules Lack of Authentication

30 Packet-filtering Router
Possible attacks and appropriate countermeasures IP address spoofing Source routing attacks Tiny fragment attacks

31 Types of Firewalls Application-level Gateway

32 Types of Firewalls Application-level Gateway Also called proxy server
Acts as a relay of application-level traffic

33 Application-level Gateway
Advantages: Higher security than packet filters Only need to scrutinize a few allowable applications Easy to log and audit all incoming traffic Disadvantages: Additional processing overhead on each connection (gateway as splice point)

34 Types of Firewalls Circuit-level Gateway

35 Circuit-level Gateway
Stand-alone system or Specialized function performed by an Application-level Gateway Sets up two TCP connections The gateway typically relays TCP segments from one connection to the other without examining the contents

36 Circuit-level Gateway
The security function consists of determining which connections will be allowed Typically use is a situation in which the system administrator trusts the internal users An example is the SOCKS package

37 Firewall Configurations
In addition to the use of simple configuration of a single system (single packet filtering router or single gateway), more complex configurations are possible Three common configurations

38 Firewall Configurations
Screened host firewall system (single-homed bastion host)

39 Firewall Configurations
Screened host firewall, single-homed bastion configuration Firewall consists of two systems: A packet-filtering router A bastion host

40 Firewall Configurations
Configuration for the packet-filtering router: Only packets from and to the bastion host are allowed to pass through the router The bastion host performs authentication and proxy functions

41 Firewall Configurations
Greater security than single configurations because of two reasons: This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining security policy) An intruder must generally penetrate two separate systems

42 Firewall Configurations
This configuration also affords flexibility in providing direct Internet access (public information server, e.g. Web server)

43 Firewall Configurations
Screened host firewall system (dual-homed bastion host)

44 Firewall Configurations
Screened host firewall, dual-homed bastion configuration The packet-filtering router is not completely compromised Traffic between the Internet and other hosts on the private network has to flow through the bastion host

45 Firewall Configurations
Screened-subnet firewall system

46 Firewall Configurations
Screened subnet firewall configuration Most secure configuration of the three Two packet-filtering routers are used Creation of an isolated sub-network

47 Firewall Configurations
Advantages: Three levels of defense to thwart intruders The outside router advertises only the existence of the screened subnet to the Internet (internal network is invisible to the Internet)

48 Firewall Configurations
Advantages: The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)

49 Trusted System Technology Trusted Computing
One way to enhance the ability of a system to defend against intruders and malicious programs is to implement trusted system technology

Download ppt "Strong Password Protocols, Firewalls"

Similar presentations

Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.

Fall 2008CS 334: Computer Security1 Firewalls Special Thanks to our friends at The Blekinge Institute of Technology, Sweden for providing the basis for.
Lecture 14 Firewalls modified from slides of Lawrie Brown.

Lecture 14 Firewalls modified from slides of Lawrie Brown.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
—On War, Carl Von Clausewitz

—On War, Carl Von Clausewitz
Chapter 11 Firewalls.

Chapter 11 Firewalls.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science ©2002-2004 Matt.

Chapter 12: Authentication Basics Passwords Challenge-Response Biometrics Location Multiple Methods Computer Security: Art and Science © Matt.
Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey

Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Similar presentations

Ads by Google