Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 36.

Published byGeorg Lindström Modified over 5 years ago

Similar presentations

Presentation on theme: "Lecture 36."— Presentation transcript:

1 Lecture 36

2 Limit the Signal Wire integrity and tapping In a traditional Ethernet, signals do not radiate far beyond the wire, so eavesdropping requires physical proximity to the network cable and physically tapping the line. This is done by splicing into the line (old “thicknet” Ethernet used “vampire” taps to add stations to the network, which actually tapped into the wire), stealing a line from a hub (which splits a network into a star topology), bridging the network, or similar techniques. Tapping can be detected by the change in electrical resistance in the wire. 11/20/2019

3 Physical limitation The problem then becomes physically limiting who has access to the machines or the endpoints once the problem of tapping the wire between endpoints has been addressed. Machines need to run secure (enough) operating systems and have accounts and secure passwords. 11/20/2019

4 Encryption One of the most common and useful techniques to protect data is encryption. Encryption has been used for thousands of years; in fact, a simple technique called the Caesar cipher was said to be used by Julius Caesar. Since modern computer speeds have rendered many techniques insecure, we will focus on the essential components of the methods that are used currently 11/20/2019

5 Private key or symmetric encryption.
Public and private key encryption Private key or symmetric encryption. Public key or asymmetric encryption 11/20/2019

6 Computational and data overhead
Private key algorithms generally run significantly faster than public key ones. This computational overhead becomes a factor when significant amounts of data must be encrypted (or decrypted) or if the processing power of the computer is limited, as in palmtop devices o sensor networks. 11/20/2019

7 Integrity Codes Checksum versus cryptographic hash Checksums are a common type of basic integrity code and are transmitted with the data. The receiver applies a simple formula to the data and compares the result with the integrity code that was transmitted to ensure with high probability that he received the message intact. Parity bits and cyclic redundancy checks (CRCs) are examples of checksums. 11/20/2019

8 Message authentication code (MAC)
A message authentication code (MAC) is a one-way hash function plus a secret key. In the first approach, the function computes the MAC by encrypting the hash of the message using the key; in the second approach, the function computes the MAC by taking the hash of the message and the key concatenated together. MACs protect the message’s authenticity without secrecy. The MACs are attached to the message. 11/20/2019

9 Payload versus header A packet consists of a header and a payload. The header contains source and destination address information and additional information such as the protocol, sequence number, and special flags. The payload is the data. 11/20/2019

10 Traffic analysis Even with encryption and integrity codes, packets are still vulnerable to a traffic analysis attack. This is particularly problematic if the header and payload are encrypted together because many parts of the header are predictable. 11/20/2019

11 Other Security-Related Mechanisms
Authentication protocols Authentication protocols provide a mechanism to verify a user’s claimed identity when he establishes a connection to a remote system. Protocols that allow a remote system login or code execution, such as telnet, ssh, and RPC, use the remote operating system’s authentication mechanism (typically a username and password combination). 11/20/2019

12 AAA Authentication, authorization, and auditing (AAA) help to maintain the security of systems. An IETF Working Group focuses on developing the requirements for AAA and protocols that implement them [AAA]. 11/20/2019

13 special hardware can be used.
One type of hardware is smartcards that contain cryptographic tokens or run algorithms to generate one-time passwords. Another type of hardware is a transmitter that makes it difficult to receive transmissions. Personal and local area networks, as well as cell phones , transmit with only enough power for the corresponding receiver to detect the signal successfully. In addition, they use frequency-hopping and spread-spectrum technology to increase the effective bandwidth, which also has the effect of making it more difficult to reconstruct the signal. 11/20/2019

14 IPSec IP Security IP Security (IPSec) are protocols that provide security for Internet Protocol (IP) packets. There are three main components to IPSec. The Internet key exchange (IKE) defines a hybrid protocol to negotiate and provide authenticated keying material for security associations in a protected manner. The authentication header (AH) provides message integrity. The encapsulating security payload (ESP) provides confidentiality. 11/20/2019

15 Authentication header
The AH uses a MAC (see Section ), referred to as an integrity check value (ICV), to guarantee the integrity of the data. It also can prevent replay attacks by including a sequence number in the header. Similar in ESP, it can operate in transport or tunnel mode. In transport mode, the AH information is added immediately following the IP header information. In tunnel mode, the entire original IP datagram becomes the payload of the IPSec packet, with the AH providing integrity for both its headers and the payload. 11/20/2019

16 Encapsulating security payload
The ESP is a mechanism to provide confidentiality and integrity to data by encrypting the payload. ESP operates in one of two modes, tunnel mode or transport mode, and the packet’s payload consists of either the upper-layer protocol (e.g., TCP, UDP, ICMP, or IGMP) or the entire IP datagram, respectively 11/20/2019

17 In transport mode, the ESP is added after the IP header, before any upper-layer protocols. The original IP headers are still visible. In tunnel mode, the entire IP datagram is encrypted within the ESP. Tunnel mode can be used by security gateways. The endpoint hosts communicate with the security gateways (through a protected intranet), and the security gateways communicate with each other via IPSec. 11/20/2019

Download ppt "Lecture 36."

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
CHAPTER 8: SECURITY IN COMPUTER NETWORKS Encryption Encryption Authentication Authentication E-Mail Security E-Mail Security Secure Sockets Layer Secure.

CHAPTER 8: SECURITY IN COMPUTER NETWORKS Encryption Encryption Authentication Authentication Security Security Secure Sockets Layer Secure.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security Virtual Private Network (VPN)
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
Securing TCP/IP Chapter 6. Introduction to Transmission Control Protocol/Internet Protocol (TCP/IP) TCP/IP comprises a suite of four protocols The protocols.

Securing TCP/IP Chapter 6. Introduction to Transmission Control Protocol/Internet Protocol (TCP/IP) TCP/IP comprises a suite of four protocols The protocols.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.
What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.

What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.
OSI Model Routing Connection-oriented/Connectionless Network Services.

OSI Model Routing Connection-oriented/Connectionless Network Services.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.

1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.

Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.

1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.
Karlstad University IP security Ge Zhang

Karlstad University IP security Ge Zhang
Network Security David Lazăr.

Network Security David Lazăr.

Similar presentations

Ads by Google