Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 4.  Chapter 3 introduces cryptographic elements that may be needed in a dialogue  Chapter 4 focuses on important cryptographic system standards,

Published byDale Williams Modified over 9 years ago

Similar presentations

Presentation on theme: "Chapter 4.  Chapter 3 introduces cryptographic elements that may be needed in a dialogue  Chapter 4 focuses on important cryptographic system standards,"— Presentation transcript:

1 Chapter 4

2  Chapter 3 introduces cryptographic elements that may be needed in a dialogue  Chapter 4 focuses on important cryptographic system standards, such as SSL/TLS, IPsec, and wireless security standards  Future chapters will use the cryptographic concepts you are learning in these chapters Copyright Pearson Prentice-Hall 2009 2

3 3

4 4

5 5

6 6 StepSenderName of Message Semantics (Meaning) 1ClientClient HelloClient requests secure connection. Client lists cipher suites it supports. 2ServerServer HelloServer indicates willingness to proceed. Selects a cipher suite to use in the session. 3ServerCertificateServer sends its digital certificate containing its public key. (Client should check the certificate’s validity.) 4ServerServerHelloDoneServer indicates that its part in the initial introduction is finished.

7 Copyright Pearson Prentice-Hall 2009 7 StepSenderName of Message Semantics (Meaning) 5ClientClientKey Exchange Client generates a random symmetric session key. Encrypts it with the server’s public key. It sends this encrypted key to the server. Only the server can decrypt the key, using the server’s own private key. The server decrypts the session key. Both sides now have the session key. 6ClientChangeCipher Spec* Client changes selected cipher suite from pending to active. 7ClientFinishClient indicates that its part in the initial introduction is finished. *Not cipher suite. Key Exchange using public key encryption for confidentiality Key Exchange using public key encryption for confidentiality

8 Copyright Pearson Prentice-Hall 2009 8 StepSenderName of MessageSemantics (Meaning) 8ServerChangeCipherSpec*Server changes selected cipher suite from pending to active. 9ServerFinishServer indicates that its role in selecting options is finished. 10Ongoing communication stage begins *Not cipher suite.

9 Copyright Pearson Prentice-Hall 2009 9

10 10 SSL/TLSIPsec Cryptographic security standardYes Cryptographic security protectionsGoodGold Standard Supports central managementNoYes Complexity and expenseLowerHigher Layer of operationTransportInternet Transparently protects all higher-layer traffic NoYes Works with IPv4 and IPv6NAYes Modes of operationNATransport, Tunnel

11 Copyright Pearson Prentice-Hall 2009 11 1. End-to-End Security (Good) 1. End-to-End Security (Good) 2. Security in Site Network (Good) 2. Security in Site Network (Good) 3. Setup Cost On Each Host (Costly) 3. Setup Cost On Each Host (Costly)

12 Copyright Pearson Prentice-Hall 2009 12 2. No Security in Site Network (Bad) 2. No Security in Site Network (Bad) 3. No Setup Cost On Each Host (Good) 3. No Setup Cost On Each Host (Good)

13 Copyright Pearson Prentice-Hall 2009 13 CharacteristicTransport ModeTunnel Mode Uses an IPsec VPN Gateway? NoYes Cryptographic Protection All the way from the source host to the destination host, including the Internet and the two site networks. Only over the Internet between the IPsec gateways. Not within the two site networks. Setup CostsHigh. Setup requires the creation of a digital certificate for each client and significant configuration work. Low. Only the IPsec gateways must implement IPsec, so only they need digital certificates and need to be configured.

14 Copyright Pearson Prentice-Hall 2009 14 CharacteristicTransport ModeTunnel Mode Firewall FriendlinessBad. A firewall at the border to a site cannot filter packets because the content is encrypted. Good. Each packet is decrypted by the IPsec gateway. A border firewall after the IPsec gateway can filter the decrypted packet. The “Bottom Line”End-to-end security at high cost. Low cost and protects the packet over the most dangerous part of its journey.

15 Copyright Pearson Prentice-Hall 2009 15

16 Copyright Pearson Prentice-Hall 2009 16

17 Copyright Pearson Prentice-Hall 2009 17

18 Copyright Pearson Prentice-Hall 2009 18

19 Copyright Pearson Prentice-Hall 2009 19 Router does not need to make a complex decision for each packet

20 Copyright Pearson Prentice-Hall 2009 20 Cryptographic VPNsRouted VPNs ExamplesSSL/TLS IPsec Carrier PSDNs Carrier TCP/IP MPLS VPNs Cryptographic protections Confidentiality, integrity, authentication, etc. None Other protectionsLimiting customer access Limiting access to routing supervisory protocols Customer actions to improve protection Create a cryptographic VPN to run over carrier services

21 Copyright Pearson Prentice-Hall 2009 21

22 Copyright Pearson Prentice-Hall 2009 22

23 Copyright Pearson Prentice-Hall 2009 23

24 Copyright Pearson Prentice-Hall 2009 24 RADIUS Functionality AuthenticationAuthorizationsAuditing Uses EAPUses RADIUS authorization functionality Uses RADIUS auditing functionality

25 Copyright Pearson Prentice-Hall 2009 25

26 Copyright Pearson Prentice-Hall 2009 26

27 Copyright Pearson Prentice-Hall 2009 27

28 Copyright Pearson Prentice-Hall 2009 28 Cryptographic Characteristic WEPWPA802.11i (WPA2) Cipher for Confidentiality RC4 with a flawed implementation RC4 with 48-bit initialization vector (IV) AES with 128- bit keys Automatic Rekeying NoneTemporal Key Integrity Protocol (TKIP), which has been partially cracked AES-CCMP Mode Overall Cryptographic Strength NegligibleWeaker but no complete crack to date Extremely strong

29 Copyright Pearson Prentice-Hall 2009 29 Cryptographic Characteristic WEPWPA802.11i (WPA2) Operates in 802.1X (Enterprise) Mode? NoYes Operates in Pre- Shared Key (Personal) Mode? NoYes

30 Copyright Pearson Prentice-Hall 2009 30

31 Copyright Pearson Prentice-Hall 2009 31

32 Copyright Pearson Prentice-Hall 2009 32

33 Copyright Pearson Prentice-Hall 2009 33

34  Origin of WEP ◦ Original core security standard in 802.11, created in 1997  Uses a Shared Key ◦ Each station using the access point uses the same (shared) key ◦ The key is supposed to be secret, so knowing it “authenticates” the user ◦ All encryption uses this key Copyright Pearson Prentice-Hall 2009 34

35  Problem with Shared Keys ◦ If the shared key is learned, an attacker near an access point can read all traffic ◦ Shared keys should at least be changed frequently  But WEP had no way to do automatic rekeying  Manual rekeying is expensive if there are many users  Manual rekeying is operationally next to impossible if many or all stations use the same shared key because of the work involved in rekeying many or all corporate clients Copyright Pearson Prentice-Hall 2009 35

36  Problem with Shared Keys ◦ Because “everybody knows” the key, employees often give it out to strangers ◦ If a dangerous employee is fired, the necessary rekeying may be impossible or close to it Copyright Pearson Prentice-Hall 2009 36

37  RC4 Initialization Vectors (IV) ◦ WEP uses RC4 for fast and therefore cheap encryption ◦ But if two frames are encrypted with the same RC4 key are compared, the attacker can learn the key ◦ To solve this, WEP encrypts with a per-frame key that is the shared WEP key plus an initialization vector (IV) ◦ However, many frames “leak” a few bits of the key ◦ With high traffic, an attacker using readily available software can crack a shared key in two or three minutes ◦ (WPA uses RC4 but with a 48-bit IV that makes key bit leakage negligible) Copyright Pearson Prentice-Hall 2009 37

38  Conclusion ◦ Corporations should never use WEP for security Copyright Pearson Prentice-Hall 2009 38

39  Spread Spectrum Operation and Security ◦ Signal is spread over a wide range of frequencies ◦ NOT done for security, as in military spread spectrum transmission. Copyright Pearson Prentice-Hall 2009 39

40  Turning Off SSID Broadcasting ◦ Service set identifier (SSID) is an identifier for an access point ◦ Users must know the SSID to use the access point ◦ Drive-by hacker needs to know the SSID to break in ◦ Access points frequently broadcast their SSIDs Copyright Pearson Prentice-Hall 2009 40

41  Turning off SSID Broadcasting ◦ Some writers favor turning off of this broadcasting ◦ But turning off SSID broadcasting can make access more difficult for ordinary users ◦ Will not deter the attacker because he or she can read the SSID,  which is transmitted in the clear in each transmitted frame Copyright Pearson Prentice-Hall 2009 41

42  MAC Access Control Lists ◦ Access points can be configured with MAC access control lists ◦ Only permit access by stations with NICs having MAC addresses on the list ◦ But MAC addresses are sent in the clear in frames, so attackers can learn them ◦ Attacker can then spoof one of these addresses Copyright Pearson Prentice-Hall 2009 42

43  Perspective ◦ These “false” methods, however, may be sufficient to keep out nosy neighbors ◦ But drive-by hackers hit even residential users ◦ Simply applying WPA or 802.11i provides much stronger security and is easier to do Copyright Pearson Prentice-Hall 2009 43

44 Copyright Pearson Prentice-Hall 2009 44

Download ppt "Chapter 4.  Chapter 3 introduces cryptographic elements that may be needed in a dialogue  Chapter 4 focuses on important cryptographic system standards,"

Similar presentations

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.

Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
Security in IEEE 802.11 wireless networks Piotr Polak University Politehnica of Bucharest, December 2008.

Security in IEEE wireless networks Piotr Polak University Politehnica of Bucharest, December 2008.
16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.

16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
Wireless Encryption By: Kara Dolansky Network Management Spring 2009.

Wireless Encryption By: Kara Dolansky Network Management Spring 2009.
1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
WIRELESS NETWORK SECURITY. Hackers Ad-hoc networks War Driving Man-in-the-Middle Caffe Latte attack.

WIRELESS NETWORK SECURITY. Hackers Ad-hoc networks War Driving Man-in-the-Middle Caffe Latte attack.
Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
Marwan Al-Namari Week 10. RTS: Ready-to-Send. CTS: Clear-to- Send. ACK: Acknowledgment.NAV: network allocation vector (channel access, expected time to.

Marwan Al-Namari Week 10. RTS: Ready-to-Send. CTS: Clear-to- Send. ACK: Acknowledgment.NAV: network allocation vector (channel access, expected time to.
Chapter 4 Copyright Pearson Prentice Hall 2013.  Describe the goals of creating secure networks.  Explain how denial-of-service attacks work.  Explain.

Chapter 4 Copyright Pearson Prentice Hall  Describe the goals of creating secure networks.  Explain how denial-of-service attacks work.  Explain.
Securing Insecure Networks SSL/TLS & IPSec. 4-1: Cryptographic System Copyright Pearson Prentice-Hall 2010 2.

Securing Insecure Networks SSL/TLS & IPSec. 4-1: Cryptographic System Copyright Pearson Prentice-Hall
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.

Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.
Access Control and Site Security (Part 2) (January 28, 2015) © Abdou Illia – Spring 2015.

Access Control and Site Security (Part 2) (January 28, 2015) © Abdou Illia – Spring 2015.

Similar presentations

Ads by Google