Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 4. Copyright Pearson Prentice-Hall 2010  Chapter 3 introduces cryptographic elements that may be needed in a dialogue  Chapter 4 focuses on.

Published byBritney York Modified over 9 years ago

Similar presentations

Presentation on theme: "Chapter 4. Copyright Pearson Prentice-Hall 2010  Chapter 3 introduces cryptographic elements that may be needed in a dialogue  Chapter 4 focuses on."— Presentation transcript:

1 Chapter 4

2 Copyright Pearson Prentice-Hall 2010  Chapter 3 introduces cryptographic elements that may be needed in a dialogue  Chapter 4 focuses on important cryptographic system standards, such as SSL/TLS, IPsec, and wireless security standards  Future chapters will use the cryptographic concepts you are learning in these chapters 2

3 Copyright Pearson Prentice-Hall 2010 3

4  Transmission across Un-trusted Networks ◦ Internet, Wireless LAN’s, etc. ◦ Companies will (should) apply Cryptographic Systems  Virtual Private Network (VPN)  SSL/TLS ◦ Secure Socket Layer/Transport Layer Security ◦ Non-Transparent, doesn’t automatically protect application messages. ◦ Only messages from applications that are SSL/TSL aware  Web Browsers/Web Servers; Many email ◦ But there’s a problem But there’s a problem  IPsec ◦ Operates on the Internet layer ◦ Everything in IP packet data file is protected ◦ Transparent protection – applications and transport layer are protected (see Module A) Copyright Pearson Prentice-Hall 2010 4

5 5 SSL/TSL Or IPsec SSL/TSL Or IPsec SSL/T SL IPsec

6  Connect one Client to one Server Copyright Pearson Prentice-Hall 2010 6

7 7

8  Connects a single Client to a Network  Connection is to a VPN Gateway ◦ Used for Authentication and Access Control ◦ Depending on Access Authorization connection can be to multiple computers on the network.  Uses SSL/TSL between Browser and Gateway ◦ The Gateway is a WebServer to SSL/TSL ◦ SSL/TSL protects messages between client and Gateway ◦ Gateway authenticates with the client via Public Key Authentication Copyright Pearson Prentice-Hall 2010 8

9  Web server  Database server ◦ Gateway translates browser requests to Queries to database ◦ Gateway translates database response to web pages “webifies”  Router ◦ Connection to subnet of network Copyright Pearson Prentice-Hall 2010 9

10 10

11 Copyright Pearson Prentice-Hall 2010 11 StepSenderName of Message Semantics (Meaning) 1ClientClient HelloClient requests secure connection. Client lists cipher suites it supports. 2ServerServer HelloServer indicates willingness to proceed. Selects a cipher suite to use in the session. 3ServerCertificateServer sends its digital certificate containing its public key. (Client should check the certificate’s validity.) 4ServerServerHelloDoneServer indicates that its part in the initial introduction is finished. Stage 1 Stage 2 & 3 ???

12 Copyright Pearson Prentice-Hall 2010 12 StepSenderName of Message Semantics (Meaning) 5ClientClientKey Exchange Client generates a random symmetric session key. Encrypts it with the server’s public key. It sends this encrypted key to the server. Only the server can decrypt the key, using the server’s own private key. The server decrypts the session key. Both sides now have the session key. 6ClientChangeCipher Spec* Client changes selected cipher suite from pending to active. 7ClientFinishClient indicates that its part in the initial introduction is finished. *Not cipher suite. Key Exchange using public key encryption for confidentiality Key Exchange using public key encryption for confidentiality Stage 2 & 3

13 Copyright Pearson Prentice-Hall 2010 13 StepSenderName of MessageSemantics (Meaning) 8ServerChangeCipherSpec*Server changes selected cipher suite from pending to active. 9ServerFinishServer indicates that its role in selecting options is finished. 10Ongoing communication stage begins *Not cipher suite.

14  Protects all traffic between two sites  VPN Gateway on both ends of transmission  VPN Gateway’s encrypt/decrypt messages Copyright Pearson Prentice-Hall 2010 14

15  Transport (Host-to-Host) ◦ Protects messages from host-to-host  Over the internet and Internet ◦ Requires installing IPsec on each client/server (not built into browser) ◦ Costly ◦ Eliminates ability of Firewall to filter content as it is encrypted  Tunnel (Site-to-Site) ◦ Protects messages between VPN Gateways over the Internet ◦ Less Costly than Transport ◦ Firewall can filter content Copyright Pearson Prentice-Hall 2010 15

16 Copyright Pearson Prentice-Hall 2010 16 1. End-to-End Security (Good) 1. End-to-End Security (Good) 2. Security in Site Network (Good) 2. Security in Site Network (Good) 3. Setup Cost On Each Host (Costly) 3. Setup Cost On Each Host (Costly)

17 Copyright Pearson Prentice-Hall 2010 17 2. No Security in Site Network (Bad) 2. No Security in Site Network (Bad) 3. No Setup Cost On Each Host (Good) 3. No Setup Cost On Each Host (Good)

18 Copyright Pearson Prentice-Hall 2010 18 CharacteristicTransport ModeTunnel Mode Uses an IPsec VPN Gateway? NoYes Cryptographic Protection All the way from the source host to the destination host, including the Internet and the two site networks. Only over the Internet between the IPsec gateways. Not within the two site networks. Setup CostsHigh. Setup requires the creation of a digital certificate for each client and significant configuration work. Low. Only the IPsec gateways must implement IPsec, so only they need digital certificates and need to be configured.

19 Copyright Pearson Prentice-Hall 2010 19 CharacteristicTransport ModeTunnel Mode Firewall FriendlinessBad. A firewall at the border to a site cannot filter packets because the content is encrypted. Good. Each packet is decrypted by the IPsec gateway. A border firewall after the IPsec gateway can filter the decrypted packet. The “Bottom Line”End-to-end security at high cost. Low cost and protects the packet over the most dangerous part of its journey.

20 Copyright Pearson Prentice-Hall 2010 20 SSL/TLSIPsec Cryptographic security standardYes Cryptographic security protectionsGoodGold Standard Supports central managementNoYes Complexity and expenseLowerHigher Layer of operationTransportInternet Transparently protects all higher-layer traffic NoYes Works with IPv4 and IPv6NAYes Modes of operationNATransport, Tunnel

21 Copyright Pearson Prentice-Hall 2010 21 Kind of like a cipher suite Enables Central Management

22 Copyright Pearson Prentice-Hall 2010 22

23 Copyright Pearson Prentice-Hall 2010 23

24 Protections from 3 rd parties Copyright Pearson Prentice-Hall 2010 24

25 Copyright Pearson Prentice-Hall 2010 25

26 Copyright Pearson Prentice-Hall 2010 26 Router does not need to make a complex decision for each packet

27 Copyright Pearson Prentice-Hall 2010 27 Cryptographic VPNsRouted VPNs ExamplesSSL/TLS IPsec Carrier PSDNs Carrier TCP/IP MPLS VPNs Cryptographic protections Confidentiality, integrity, authentication, etc. None Other protectionsLimiting customer access Limiting access to routing supervisory protocols Customer actions to improve protection Create a cryptographic VPN to run over carrier services

28 Wired and Wireless Protection Copyright Pearson Prentice-Hall 2010 28

29 Copyright Pearson Prentice-Hall 2010 29

30  Used to Authenticate Users connecting to wired-LAN ◦ By definition they are “in the building”  User connects to a Workgroup Switch vs. Core Switch (Review Module A) ◦ Specifically User connects to a port on the workgroup switch  Port is in Unauthorized status  Switches after supplicant is verified; Access Granted  Verification provided by Authentication Server (RADIUS) Copyright Pearson Prentice-Hall 2010 30

31 1. Supplicant 2. Workgroup Switch (Authenticator) 3. Authentication Server Copyright Pearson Prentice-Hall 2010 31

32 Copyright Pearson Prentice-Hall 2010 32

33 1. Workgroup switch senses a port connection 2. Sends EAP Start 3. Authentication Server sends EAP Request to client ◦ Specifies expected credentials ◦ If client doesn’t have credentials EAP Response of negative acknowledgement sent back to server 4. Client EAP Response with correct credentials 5. EAP Success if supplicant authenticated or 6. EAP Failure if suppliant is not Copyright Pearson Prentice-Hall 2010 33

34 Copyright Pearson Prentice-Hall 2010 34

35 Copyright Pearson Prentice-Hall 2010 35 RADIUS Functionality AuthenticationAuthorizationsAuditing Uses EAPUses RADIUS authorization functionality Uses RADIUS auditing functionality

36 Copyright Pearson Prentice-Hall 2010 36

37  802.1X can’t be used for Wireless connections  EAP assumes secure connection between supplicant and Authenticator ◦ UTP has low interception rate (need to tap line) ◦ Wireless has high interception rate ◦ EAP messages need to be secured – 802.11i Copyright Pearson Prentice-Hall 2010 37

38 Copyright Pearson Prentice-Hall 2010 38 EAP-TLS Uses TLS for authentication EAP-TLS Uses TLS for authentication PEAP uses any authentication standard allowed by EAP

39  802.11i, WPA, WEP  Security extends between Wireless Client and Access Point Copyright Pearson Prentice-Hall 2010 39

40 Copyright Pearson Prentice-Hall 2010 40 Cryptographic Characteristic WEPWPA802.11i (WPA2) Cipher for Confidentiality RC4 with a flawed implementation RC4 with 48-bit initialization vector (IV) AES with 128- bit keys Automatic Rekeying NoneTemporal Key Integrity Protocol (TKIP), which has been partially cracked AES-CCMP Mode Overall Cryptographic Strength NegligibleWeaker but no complete crack to date Extremely strong

41 Copyright Pearson Prentice-Hall 2010 41 Cryptographic Characteristic WEPWPA802.11i (WPA2) Operates in 802.1X (Enterprise) Mode? NoYes Operates in Pre- Shared Key (Personal) Mode? NoYes

42  Not practical / Expensive  Pre-Shared Key’s used in ◦ 802.11i and WPA  Each Wireless client uses the same shared Key for authentication ◦ This is your passphrase on your wireless network  Once authenticated Access Point provides an unshared Session Key Copyright Pearson Prentice-Hall 2010 42

43 Copyright Pearson Prentice-Hall 2010 43

44 Copyright Pearson Prentice-Hall 2010  Origin of WEP ◦ Original core security standard in 802.11, created in 1997  Uses a Shared Key ◦ Each station using the access point uses the same (shared) key ◦ The key is supposed to be secret, so knowing it “authenticates” the user ◦ All encryption uses this key 44

45 Copyright Pearson Prentice-Hall 2010  Problem with Shared Keys ◦ If the shared key is learned, an attacker near an access point can read all traffic ◦ Shared keys should at least be changed frequently  But WEP had no way to do automatic rekeying  Manual rekeying is expensive if there are many users  Manual rekeying is operationally next to impossible if many or all stations use the same shared key because of the work involved in rekeying many or all corporate clients 45

46 Copyright Pearson Prentice-Hall 2010  Problem with Shared Keys ◦ Because “everybody knows” the key, employees often give it out to strangers ◦ If a dangerous employee is fired, the necessary rekeying may be impossible or close to it 46

47 Copyright Pearson Prentice-Hall 2010  RC4 Initialization Vectors (IV) ◦ WEP uses RC4 for fast and therefore cheap encryption ◦ But if two frames are encrypted with the same RC4 key are compared, the attacker can learn the key ◦ To solve this, WEP encrypts with a per-frame key that is the shared WEP key plus an initialization vector (IV) ◦ However, many frames “leak” a few bits of the key ◦ With high traffic, an attacker using readily available software can crack a shared key in two or three minutes ◦ (WPA uses RC4 but with a 48-bit IV that makes key bit leakage negligible) 47

48 Copyright Pearson Prentice-Hall 2010  Conclusion ◦ Corporations should never use WEP for security 48

49 Copyright Pearson Prentice-Hall 2010 49

50 Copyright Pearson Prentice-Hall 2010 50

51 Copyright Pearson Prentice-Hall 2010 51

52 Copyright Pearson Prentice-Hall 2010  Spread Spectrum Operation and Security ◦ Signal is spread over a wide range of frequencies ◦ NOT done for security, as in military spread spectrum transmission. 52

53 Copyright Pearson Prentice-Hall 2010  Turning Off SSID Broadcasting ◦ Service set identifier (SSID) is an identifier for an access point ◦ Users must know the SSID to use the access point ◦ Drive-by hacker needs to know the SSID to break in ◦ Access points frequently broadcast their SSIDs 53

54 Copyright Pearson Prentice-Hall 2010  Turning off SSID Broadcasting ◦ Some writers favor turning off of this broadcasting ◦ But turning off SSID broadcasting can make access more difficult for ordinary users ◦ Will not deter the attacker because he or she can read the SSID,  which is transmitted in the clear in each transmitted frame 54

55 Copyright Pearson Prentice-Hall 2010  MAC Access Control Lists ◦ Access points can be configured with MAC access control lists ◦ Only permit access by stations with NICs having MAC addresses on the list ◦ But MAC addresses are sent in the clear in frames, so attackers can learn them ◦ Attacker can then spoof one of these addresses 55

56 Copyright Pearson Prentice-Hall 2010  Perspective ◦ These “false” methods, however, may be sufficient to keep out nosy neighbors ◦ But drive-by hackers hit even residential users ◦ Simply applying WPA or 802.11i provides much stronger security and is easier to do 56

57 57

58 All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America. Copyright © 2010 Pearson Education, Inc. Copyright © 2010 Pearson Education, Inc. Publishing as Prentice Hall

Download ppt "Chapter 4. Copyright Pearson Prentice-Hall 2010  Chapter 3 introduces cryptographic elements that may be needed in a dialogue  Chapter 4 focuses on."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Network Security.

Network Security.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
Chapter Extension 8 Understanding and Setting up a SOHO Network © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Chapter Extension 8 Understanding and Setting up a SOHO Network © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Top-Down Network Design Chapter Eight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.

Top-Down Network Design Chapter Eight Developing Network Security Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.
Marwan Al-Namari Week 10. RTS: Ready-to-Send. CTS: Clear-to- Send. ACK: Acknowledgment.NAV: network allocation vector (channel access, expected time to.

Marwan Al-Namari Week 10. RTS: Ready-to-Send. CTS: Clear-to- Send. ACK: Acknowledgment.NAV: network allocation vector (channel access, expected time to.
Chapter 4 Copyright Pearson Prentice Hall 2013.  Describe the goals of creating secure networks.  Explain how denial-of-service attacks work.  Explain.

Chapter 4 Copyright Pearson Prentice Hall  Describe the goals of creating secure networks.  Explain how denial-of-service attacks work.  Explain.
Chapter 3 Application Level Security in Wireless Network IWD2243 : Zuraidy Adnan : Sept 2012.

Chapter 3 Application Level Security in Wireless Network IWD2243 : Zuraidy Adnan : Sept 2012.
Securing Insecure Networks SSL/TLS & IPSec. 4-1: Cryptographic System Copyright Pearson Prentice-Hall 2010 2.

Securing Insecure Networks SSL/TLS & IPSec. 4-1: Cryptographic System Copyright Pearson Prentice-Hall
Virtual Private Network (VPN) © N. Ganesan, Ph.D..

Virtual Private Network (VPN) © N. Ganesan, Ph.D..

Similar presentations

Ads by Google