Presentation is loading. Please wait.

Presentation is loading. Please wait.

TCP/IP Protocol Suite 1 Security Credit: most slides from Forouzan, TCP/IP protocol suit.

Published byAshlee Williamson Modified over 9 years ago

Similar presentations

Presentation on theme: "TCP/IP Protocol Suite 1 Security Credit: most slides from Forouzan, TCP/IP protocol suit."— Presentation transcript:

1 TCP/IP Protocol Suite 1 Security Credit: most slides from Forouzan, TCP/IP protocol suit

2 TCP/IP Protocol Suite 2 Criminal Expoits and Attacks Phishing: Masquerading as a well-known site to obtain a user’ personal info. Denial of Service: Intentionally blocking a site to prevent business activities. Loss of control: an intruder gains control of a system. Loss of data: Steal or delete.

3 Attacks Software Based Attackes Malware – Malicious software – damaging or annoying software. Viruses or worms. Hardware Based Attacks Bios, USB devices, NAS, Cell phones Attacks on Virtualized Systems

4 Software based attacks: Viruses Attaches to a legitimate software (carrier, a program or document) and then replicates through other programs, devices, emails, instant messaging, etc. Computer crashes, destruction of HD, fill up HD, Reduce security settings allowing others to come in, reformat HD, etc. File infecting virus attaches to executables (such as cascade virus), resident virus loaded into RAM (such as Randex, Meve, MrKlunky), Boot virus infects MBR (Polyboot.B, AntiEXE), companion virus adds program to OS replacing legitimate OS programs (Stator, Asimove.1539), Macro virus written in any macro scripting (Melissa.A, Bablas.Pc). Polymorphic virus changes itself to avoid detection

5 Worms Stand alone programs Takes advantage of the OS/application vulnerabilities. Worms uses networks to send copies of itself slowing down networks. While virus requires user action to start an infected program, worms do not (can start executing itself). Worms as they travel through internet can leave a payload behind on each system which can delete files or allow remote controlling of the system.

6 Concealing malware Trojan horses, rootkits, logic bombs and privilege escalation.

7 Trojan Horse Installed with the knowledge of the user. A program advertised as a utility but actually does something else (screen saver, calendar, player, etc.). These programs may do a legitimate activity, but also might capture credit card info, etc and send it.

8 Rootkits Programs installed on computers that takes control of certain aspects of the computer by replacing OS utilities. Sony installed a program on their CDs (2005) preventing copying of the CD by operating system routines. Others used this idea and created their own, or added features to Sony’s program. Rootkits do not spread themselves. Very difficult to remove from HD. Boot from another device and see if problems disappear.

9 Logic Bombs Lies Dormant until triggered by an event such as a date, person fired, etc. Usually done by employees. Very difficult to discover before triggered. Embedded in large programs.

10 Privilege Escalation Either change own privilege to higher level, or use another employees higher privilege. Done by exploiting vulnerabilities of OS.

11 Malware for profit Spam, spyware and botnets Spam Waste of time, checking and deleting. Email lists are sold by many ISPs, and other sites.

12 Spyware Tracking software installed without the knowledge of the user. Advertises and Collects and distributes personal information. Harder to detect and remove than viruses. Causes the computer to slow down, freezes up, new browser toolbars or menus installed, hijacked homepage and increased popups. Adware – a software that delivers advertising for gambling sites or pornography. Keeps track of browsing behavior and reports to give specific pop-ups for merchandize. Keyloggers. A small hardware attached to the keyboard interface or a resident software that monitors and logs each keystroke.

13 Botnets Programs that render your computer to be controlled remotely. The computer is called a zombie. Thousands of zombie computers under the control of a single attacker is called a botnet. Attackers use internet relay chat (IRC) to remotely control the zombies. Zombies are used for spamming, spreading malware, denying services, etc.

14 Hardware based attacks BIOS BIOS can be flashed with viruses or rootkits. Flashing the bios can render the computer useless until it is replaced. You can write protect BIOS to prevent this from happening. USB devices NAS and SANs can get all malware discussed. Cell phones – infected messages, launch attacks, make calls, etc.

15 Attacks on Virtualized systems Operating system virtualization with virtual machine Storage virtualization Multiple os on the same machine. However, existing anti virus/spam software do not work. Additional concern – one existing virtual machine may infect another. Protection approaches: Hypervisor-runs on the physical machine and manages the virtual machines. Run security software such as a firewall on the physical machine

16 TCP/IP Protocol Suite 16 Techniques used Wiretapping Replay – sending packets captured from previous session such as username and password. Buffer overflow: sending more data than receiver expects, thereby storing values in memory buffer. Address spoofing. Faking IP source address Name spoofing. Misspelling of a well-known name or poisoning name server. SYN flood – sending stream of TCP SYN Key breaking – guessing password Port Scanning – to find vulnerability Packet Interception – man in the middle attack.

17 Goals of a security Confidentiality – protect our confidential information in storage and transmission. Integrity – Information is not changed unintentionally. Only changed by authorized people. Availability – Information should be available to authorized users. TCP/IP Protocol Suite 17

18 TCP/IP Protocol Suite 18 Security Techniques Encryption Digital Signatures Firewall Intrusion detection systems Packet inspection and content scanning VPN

19 TCP/IP Protocol Suite 19 28.1 CRYPTOGRAPHY The word cryptography in Greek means “secret writing.” The term today refers to the science and art of transforming messages to make them secure and immune to attacks. The topics discussed in this section include: Symmetric-Key Cryptography Asymmetric-Key Cryptography Comparison

20 TCP/IP Protocol Suite 20 Figure 28.1 Cryptography components

21 TCP/IP Protocol Suite 21 In cryptography, the encryption/decryption algorithms are public; the keys are secret. Note:

22 TCP/IP Protocol Suite 22 In symmetric-key cryptography, the same key is used by the sender (for encryption) and the receiver (for decryption). The key is shared. Note:

23 TCP/IP Protocol Suite 23 Figure 28.2 Symmetric-key cryptography

24 TCP/IP Protocol Suite 24 In symmetric-key cryptography, the same key is used in both directions. Note:

25 TCP/IP Protocol Suite 25 Figure 28.3 Caesar cipher

26 TCP/IP Protocol Suite 26 Figure 28.4 Transpositional cipher

27 TCP/IP Protocol Suite 27 Data encryption Standard (DES) Is a block cipher Takes 64-bit plaintext and creates a 64-bit ciphertext. The cipher key is a 56-bit key. It uses 16 rounds, each round mixes and swapps (left half with right half)

28 TCP/IP Protocol Suite 28 Figure 28.5 DES (Data Encryption Standard)

29 TCP/IP Protocol Suite 29 The DES cipher uses the same concept as the Caesar cipher, but the encryption/ decryption algorithm is much more complex. Note:

30 TCP/IP Protocol Suite 30 Asymmetric-key ciphers The secret key is personal and unshared. Symmetric key scheme would require n(n-1)/2 keys, for a million people it would require half a billion shared secret keys. Whereas, in asymmetric scheme we would only require a million secret keys. Asymmetric ciphers use two keys, private and public. Asymmetric is much slower. Both symmetric and asymmetric can be used if need to be. Think: if you want to send a secret symmetric key, you can use asymmetric.

31 Protocols IPSec (internet Security Protocol) operates in the network layer. Used in VPN. IP sec supports Authentication Header (AH) protocal and Encapsulation Security Payload (ESP) protocol The SSL (Secure Socket Layer) protocol serves as a security for transferring encrypted data. WEP (Wired Equivalent Privacy) standard. Data stream is encrypted with RC4 algorithm. RC4 is simple, it is not very secure. WPA (Wi-Fi Protected Access) specification and AES (Advanced Encryption standard) It more secure for encrypting wireless data. TCP/IP Protocol Suite 31

32 TCP/IP Protocol Suite 32 Figure 28.8 Public-key cryptography

33 TCP/IP Protocol Suite 33 Symmetric-key cryptography is often used for long messages. Note:

34 TCP/IP Protocol Suite 34 Asymmetric-key algorithms are more efficient for short messages. Note:

35 TCP/IP Protocol Suite 35 Digital signature can provide authentication, integrity, and nonrepudiation for a message. Note:

36 TCP/IP Protocol Suite 36 28.3 DIGITAL SIGNATURE Digital signature can provide authentication, integrity, and nonrepudiation for a message. The topics discussed in this section include: Signing the Whole Document Signing the Digest

37 TCP/IP Protocol Suite 37 Figure 28.12 Signing the whole document

38 TCP/IP Protocol Suite 38 Digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption must be applied. Note:

39 TCP/IP Protocol Suite 39 Figure 28.13 Hash function

40 TCP/IP Protocol Suite 40 Figure 28.14 Sender site

41 TCP/IP Protocol Suite 41 Figure 28.15 Receiver site The digest is much shorter than the message. The message itself may not lend itself to asymmetric cryptography because it is too long.

42 TCP/IP Protocol Suite 42 Hash functions Message of arbitrary length is made into a fixed length message. MD2, MD4, MD5 SHA (Secure Hash Algorithm) developed by NIST.

43 TCP/IP Protocol Suite 43 Non-repudiation If alice signs a message then denies it, the message can be verified. That means we have to keep the messages. A trusted center can be created. Alice send the digitally signed message to the trusted center who verifies it, saves a copy of the message, recreates the message with its own signature and send to bob. Bob can verify the trusted center’s public key.

44 TCP/IP Protocol Suite 44 28.5 KEY MANAGEMENT In this section we explain how symmetric keys are distributed and how public keys are certified. The topics discussed in this section include: Symmetric-Key Distribution Public-Key Certification Kerberos

45 TCP/IP Protocol Suite 45 A symmetric key between two parties is useful if it is used only once; it must be created for one session and destroyed when the session is over. Note:

46 TCP/IP Protocol Suite 46 Figure 28.19 Diffie-Hellman method

47 TCP/IP Protocol Suite 47 The symmetric (shared) key in the Diffie-Hellman protocol is K = G xy mod N. Note:

48 TCP/IP Protocol Suite 48 Let us give an example to make the procedure clear. Our example uses small numbers, but note that in a real situation, the numbers are very large. Assume G = 7 and N = 23. The steps are as follows: 1. Alice chooses x = 3 and calculates R1 = 7 3 mod 23 = 21. 2. Alice sends the number 21 to Bob. 3. Bob chooses y = 6 and calculates R2 = 7 6 mod 23 = 4. 4. Bob sends the number 4 to Alice. 5. Alice calculates the symmetric key K = 4 3 mod 23 = 18. 6. Bob calculates the symmetric key K = 21 6 mod 23 = 18. The value of K is the same for both Alice and Bob; G xy mod N = 7 18 mod 23 = 18. Example 1

49 TCP/IP Protocol Suite 49 Figure 28.20 Man-in-the-middle attack

50 TCP/IP Protocol Suite 50 Key distribution center A typical operation with a KDC involves a request from a user to use some service. The KDC will use cryptographic techniques to authenticate requesting users as themselves. It will also check whether an individual user has the right to access the service requested. If the authenticated user meets all prescribed conditions, the KDC can issue a ticket permitting access. KDCs mostly operate with symmetric encryption.symmetric encryption In most (but not all) cases the KDC shares a key with each of all the other parties.key The KDC produces a ticket based on a server key.ticketserver The client receives the ticket and submits it to the appropriate server.clientserver The server can verify the submitted ticket and grant access to the user submitting it. Security systems using KDCs include Kerberos. (Actually, Kerberos partitions KDC functionality between two different agents: the AS (Authentication Server) and the TGS (Ticket Granting Service).)Kerberos

51 TCP/IP Protocol Suite 51 Figure 28.21 First approach using KDC

52 TCP/IP Protocol Suite 52 Needham–Schroeder protocol The term Needham–Schroeder protocol can refer to one of the two communication protocols intended for use over an insecure network, both proposed by Roger Needham and Michael Schroeder. [1] These are:communication protocolsRoger NeedhamMichael Schroeder [1] The Needham–Schroeder Symmetric Key Protocol is based on a symmetric encryption algorithm.symmetric encryption algorithm It forms the basis for the Kerberos protocol. This protocol aims to establish a session key between two parties on a network, typically to protect further communication.Kerberossession key The Needham–Schroeder Public-Key Protocol, based on public-key cryptography. This protocol is intended to provide mutual authentication between two parties communicating on a network, but in its proposed form is insecure.public-key cryptographyauthentication

53 TCP/IP Protocol Suite 53 Figure 28.22 Needham-Schroeder protocol

54 TCP/IP Protocol Suite 54 Figure 28.23 Otway-Rees protocol The Otway–Rees protocol is a computer network authentication protocol designed for use on insecure networks (e.g. the Internet). It allows individuals communicating over such a network to prove their identity to each other while also preventing eavesdropping orreplay attacks and allowing for the detection of modification.computer networkauthenticationprotocolinsecure networksInterneteavesdroppingreplay attacks

55 TCP/IP Protocol Suite 55 In public-key cryptography, everyone has access to everyone’s public key. Note:

56 TCP/IP Protocol Suite 56 Table 28.1 X.509 fields

57 TCP/IP Protocol Suite 57 Figure 28.24 PKI hierarchy (Public key Infrastructure) PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The third-partyvalidation authority (VA) can provide this information on behalf of CA.public keyscertificate authorityvalidation authority The binding is established through the registration and issuance process, which, depending on the assurance level of the binding, may be carried out by software at a CA or under human supervision. The PKI role that assures this binding is called the registration authority (RA), which ensures that the public key is bound to the individual to which it is assigned in a way that ensures non-repudiationregistration authoritynon-repudiation

58 TCP/IP Protocol Suite 58 Kerberos a computer network authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdroppingand replay attacks. Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally may use public-key cryptography during certain phases of authentication.

59 TCP/IP Protocol Suite 59 Figure 28.25 Kerberos servers

60 TCP/IP Protocol Suite 60 Figure 28.26 Kerberos example

61 TCP/IP Protocol Suite 61 28.6 SECURITY IN THE INTERNET In this section we discuss a security method for each of the top 3 layers of the Internet model. At the IP level we discuss a protocol called IPSec; at the transport layer we discuss a protocol that “glues” a new layer to the transport layer; at the application layer we discuss a security method called PGP. The topics discussed in this section include: IP Level Security: IPSec Transport Layer Security Application Layer Security: PGP

62 TCP/IP Protocol Suite 62 Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to- host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). [1] Internet Protocol security (IPsec) uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite, while some other Internet security systems in widespread use, such as Transport Layer Security (TLS) and Secure Shell(SSH), operate in the upper layers of the TCP/IP model. Hence, IPsec protects any application traffic across an IP network. Applications do not need to be specifically designed to use IPsec. Without IPsec, the use of TLS/SSL must be designed into an application to protect the application protocols.

63 TCP/IP Protocol Suite 63 Figure 28.27 Transport mode

64 TCP/IP Protocol Suite 64 Figure 28.28 Tunnel mode

65 TCP/IP Protocol Suite 65 Figure 28.29 AH

66 TCP/IP Protocol Suite 66 The AH protocol provides message authentication and integrity, but not privacy. Note:

67 TCP/IP Protocol Suite 67 Figure 28.30 ESP

68 TCP/IP Protocol Suite 68 ESP provides message authentication, integrity, and privacy. Note:

69 TCP/IP Protocol Suite 69 Figure 28.31 Position of TLS

70 TCP/IP Protocol Suite 70 Figure 28.32 TLS layers

71 TCP/IP Protocol Suite 71 Figure 28.33 Handshake protocol

72 TCP/IP Protocol Suite 72 Figure 28.34 Record Protocol

73 TCP/IP Protocol Suite 73 Figure 28.35 PGP at the sender site

74 TCP/IP Protocol Suite 74 Figure 28.36 PGP at the receiver site

75 TCP/IP Protocol Suite 75 28.7 FIREWALLS A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others. A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others. The topics discussed in this section include: Packet-Filter Firewall Proxy Firewall

76 TCP/IP Protocol Suite 76 Figure 28.37 Firewall

77 TCP/IP Protocol Suite 77 Figure 28.38 Packet-filter firewall

78 TCP/IP Protocol Suite 78 A packet-filter firewall filters at the network or transport layer. Note:

79 TCP/IP Protocol Suite 79 Figure 28.39 Proxy firewall

80 TCP/IP Protocol Suite 80 A proxy firewall filters at the application layer. Note:

Download ppt "TCP/IP Protocol Suite 1 Security Credit: most slides from Forouzan, TCP/IP protocol suit."

Similar presentations

Security S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents Security requirements Public key cryptography Key agreement/transport.

Security S Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents Security requirements Public key cryptography Key agreement/transport.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Dr. John P. Abraham Professor UTPA 2 – Systems Threats and Risks.

Dr. John P. Abraham Professor UTPA 2 – Systems Threats and Risks.
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.

1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
Network Security Chapter 8. Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic.

Network Security Chapter 8. Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Computer and Network Security. Introduction Internet security –Consumers entering highly confidential information –Number of security attacks increasing.

Computer and Network Security. Introduction Internet security –Consumers entering highly confidential information –Number of security attacks increasing.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
Chapter 29 Internet Security

Chapter 29 Internet Security
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
Chapter 8 Network Security 4/17/2017 www.noteshit.com.

Chapter 8 Network Security 4/17/2017
Network Security Sorina Persa Group 3250 Group 3250.

Network Security Sorina Persa Group 3250 Group 3250.

Similar presentations

Ads by Google