Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.

Published byBarnaby Nichols Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos."— Presentation transcript:

1 1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos

2 2 Figure 8-1: Cryptographic System Phase 1: Initial Negotiation of Security Parameters Phase 2: Mutual Authentication Client PC Server

3 3 Figure 8-1: Cryptographic System Phase 4: Ongoing Communication with Message-by-Message Confidentiality, Authentication, and Message Integrity Phase 3: Key Exchange or Key Agreement Client PC Server

4 4 Figure 8-2: Major Cryptographic Systems Application Layer Transport Internet Data Link Physical PPTP, L2TP (really only a tunneling system) Not applicable. No messages are sent at this layer—only individual bits IPsec SSL/TLS Kerberos Cryptographic System

5 5 Figure 8-3: Virtual Private Network (VPN) VPN Server Protected Server VPN Server Protected Server Corporate Site A Corporate Site B Internet Remote Customer or Supplier PC Remote Corporate PC Remote Access VPN Remote Access VPN Site-to-Site VPN

6 6 Figure 8-4: SSL/TLS Operation Protects All Application Traffic That is SSL/TLS-Aware SSL/TLS Works at Transport Layer Applicant (Customer Client) Verifier (Merchant Server)

7 7 Figure 8-4: SSL/TLS Operation Applicant (Customer Client) Verifier (Merchant Server) 1. Negotiation of Security Options (Brief) 2. Merchant Authenticates Self to Customer Uses a Digital Certificate Customer Authentication is Optional and Uncommon

8 8 Figure 8-4: SSL/TLS Operation Applicant (Customer Client) Verifier (Merchant Server) 3. Client Generates Random Session Key Client Sends to Server Encrypted by Public Key Encryption 4. Ongoing Communication with Confidentiality and Merchant Digital Signatures

9 9 Figure 8-5: Point-to-Point Protocol (PPP) and RADIUS for Dial-Up Remote Access RADIUS Server RAS 1 RAS 2 Remote Corporate PC Remote Corporate PC Public Switched Telephone Network Corporate Site A 2. OK? 1. Login Username And Password Dial-Up Connection Dial-Up Connection

10 10 Figure 8-5: Point-to-Point Protocol (PPP) and RADIUS for Dial-Up Remote Access RADIUS Server RAS 1 RAS 2 Remote Corporate PC Remote Corporate PC Public Switched Telephone Network Corporate Site A 3. OK4. Welcome Dial-Up Connection Dial-Up Connection

11 11 Figure 8-6: PPP Authentication No Authentication Is an Option Client Server

12 12 Figure 8-6: PPP Authentication PAP Authentication Authentication-Request Messages (Send Until Response) Authentication-Response Message Client Server Poor Security: Usernames and Passwords Are Sent in the Clear

13 13 Figure 8-6: PPP Authentication CHAP Authentication Challenge Message Response Message Hash (Challenge Message + Secret) Client Server Server computes hash of challenge message plus secret If equals the response message, authentication is successful

14 14 Figure 8-6: PPP Authentication MS-CHAP Authentication Challenge Message Response Message Hash (Challenge Message + Password) Client Server CHAP, but with password as the secret. Widely used because allows password authentication Standard on Microsoft Windows client Only as secure as password strength

15 15 Figure 8-6: PPP Authentication EAP Authentication Authenticate Defer authentication; Will provide more information Client Server EAP defers authentication to a later process Such as RADIUS authentication

16 16 Figure 8-7: PPP Encryption New PPP Header. Plaintext. Original PPP Frame. Encrypted. New PPP Trailer. Plaintext.

17 17 Figure 8-8: PPP on Direct Links and Internets Connection over Direct Link PPP Provides End-to-End Link PPP Frame Verifier (Server) Applicant (Client)

18 18 Figure 8-8: PPP on Direct Links and Internets Connection over Internet PPP Frame in IP Packet PPP Limited to First Data Link (Network) Verifier (Server) Applicant (Client) Router

19 19 Figure 8-8: PPP on Direct Links and Internets Note: Tunneling Places the PPP Frame in an IP Packet, Which Delivers the Frame. To the Receiver, Appears to be a Direct Link. Allows organization to continue using existing PPP-based security such as encryption and authentication

20 20 Figure 8-9: Point-to-Point Tunneling Protocol (PPP) RADIUS Server PPTP RAS ISP PPTP Access Concentrator Corporate Site A IP Protocol 47 (GRE) Data Connection TCP Port 1723 Supervisory Connection (Vulnerable) Internet Remote Corporate PC Local ISP Access (Not Secure)

21 21 Figure 8-9: Point-to-Point Tunneling Protocol (PPP) RADIUS Server PPTP RAS Corporate Site A IP Protocol 47 (GRE) Data Connection TCP Port 1723 Supervisory Connection (Vulnerable) Internet Remote Corporate PC New: Not in Book Direct connection between PC And RADIUS Server

22 22 Figure 8-10: PPTP Encapsulation for Data Frames Enhanced General Routing Encapsulation (GRE) Header; Information About Encapsulated Packet New IP Header; Protocol=47; IP Destination Address Is That of Remote Access Server Encapsulated Original IP Packet

23 23 Figure 8-11: Layer 2 Tunneling Protocol (L2TP) Internal Server L2TP RAS DSL Access Multiplexer (DSLAM) with L2TP Client Running PPP Carrier Network Local Network L2TP Tunnel DSL Note: L2TP does not provide security. It provides only tunneling. L2TP recommends the use of IPsec for security.

24 24 Figure 8-12: IPsec Operation: Tunnel and Transport Modes Secure Connection Secure on the Internet Transport Mode Site Network Site Network Security in Site Network Security in Site Network Extra Software Required Extra Software Required

25 25 Figure 8-12: IPsec Operation: Tunnel and Transport Modes Tunneled Connection Secure on the Internet Tunnel Mode Site Network Site Network No Security in Site Network No Security in Site Network No Extra Software No Extra Software IPsec Server IPsec Server

26 26 Figure 8-12: IPsec Operation: Tunnel and Transport Modes Transport Mode Orig. IP Hdr IPsec Hdr Protected Packet Data Field Destination IP Address Is Actual Address; Vulnerable to Scanning Tunnel Mode New IP Hdr IPsec Hdr Protected Original Packet Destination IP Address Is IPsec Server Address Host IP Address Is not Revealed

27 27 Figure 8-13: IPsec ESP and AH Protection IP Header ESP Header Protected ESP Trailer IP Header Authentication Header Protected Confidentiality Authentication and Message Integrity No Confidentiality Protocol = 50 Protocol = 51 Encapsulating Security Payload Authentication Header

28 28 Modes and Protections ESP Confidentiality Authentication Integrity AH Authentication Integrity Transport Mode (End-to-End) Possible Tunnel Mode (IPsec Gateway to Gateway) Possible

29 29 Figure 8-14: IPsec Security Associations IPsec Policy Server 2. Security Association (SA) for Transmissions from A to B 3. Security Association (SA) For Transmission from B to A (Can Be Different Than A to B SA) Party A Party B 1. List of Allowable Security Associations 1. List of Allowable Security Associations

30 30 Figure 8-15: Establishing IPsec Security Associations Using IKE Internet Key Exchange Security Association UDP Port 500 Party A Party B IPsec SAs First establish IKE association and protected session Then create IPsec SAs within the Protection of the IKE session.

31 31 Figure 8-16: Key-Hashed Message Authentication Codes (HMACs) Shared Key HMAC Original Plaintext Key-Hashed Message Authentication Code (HMAC) Appended to Plaintext Before Transmission Hashing with MD5, SHA1, etc. Note: There is no encryption; only hashing

32 32 Figure 8-16: Key-Hashed Message Authentication Codes (HMACs) Shared Key Computed HMAC Received Original Plaintext Hashing with same algorithm. Receiver Redoes the HMAC Computation On the Received Plaintext Received HMAC If computed and received HMACs are the same, The sender must know the key and so is authenticated

33 33 Figure 8-17: Kerberos Authentication System Applicant (A) Kerberos Server Key Distribution Center (K) Verifier (V) Abbreviations: A = Applicant V = Verifier K = Kerberos Server

34 34 Figure 8-17: Kerberos Authentication System Applicant (A) Kerberos Server Key Distribution Center (K) Verifier (V) 1. Request for Ticket-Granting Ticket 2. Response: TGT*, Key nA** *TGT (Ticket-Granting Ticket) is encrypted in a way that only K can decrypt. Contains information that K will read later. **Key nA (Network Login Key for A) is encrypted with A’s Master Key (Key mA). In future interactions with K, A will use nA to limit the master key’s exposure.

35 35 Figure 8-18: Kerberos Ticket-Granting Service: Part 1 Applicant (A) Kerberos Server Key Distribution Center (K) Verifier (V) 1. Request Ticket for V; TGT; Authenticator* encrypted with Key nA 2. Response: Key AV** encrypted with Key nA; Service Ticket *Authenticator is A’s IP address, user name, and time stamp. This authenticator is encrypted with Key nA to prove that A sent it. **Key AV is a symmetric session key that A will use with V.

36 36 Figure 8-19: Kerberos Ticket-Granting Service: Part 2 Applicant (A) Kerberos Server Key Distribution Center (K) Verifier (V) *Authenticator (Auth) encrypted with Key AV. **Service Ticket contains Key AV encrypted with the Verifier’s master key, Key mV. 3. Request for Connection: Auth*; Service Ticket** 4. V decrypts Service Ticket; Uses Key AV to test Auth 5. Ongoing Communication with Key AV

37 37 Figure 8-20: Placement of Firewalls and Cryptographic Servers Internet Internal Host Can Read Decrypted Packets Firewall Cryptographic Server Filtered by Firewall Open to Attack Internal Host Cryptographic Server Firewall Creates Holes for Cryptographic Systems Filtered by Firewall Not Filtered by Firewall

Download ppt "1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos."

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Internet Security CSCE 813 IPsec

Internet Security CSCE 813 IPsec
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.

IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206) 217-7048

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
Virtual Private Networks. Why VPN Fast, secure and reliable communication between remote locations –Use leased lines to maintain a WAN. –Disadvantages.

Virtual Private Networks. Why VPN Fast, secure and reliable communication between remote locations –Use leased lines to maintain a WAN. –Disadvantages.
SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security Virtual Private Network (VPN)
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.

IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Virtual Private Networks and IPSec

Virtual Private Networks and IPSec
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.

Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.
VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui.

VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)

Similar presentations

Ads by Google