ICT 6621 : Advanced Networking, Khaled Mahbub, IICT, BUET, 2008. Lecture 12: Network Security (2)

1 Lecture 12 Network Security (2)

2 Outline
Network Security Concepts
Principles of cryptography
Authentication
Integrity
Key Distribution and certification
Security in different layers
  – E-Mail Security (Application)
  – Web Security: SSL – The Secure Sockets Layer (Application-Transport)
  – Communication Security (Network/Data Link): IPSec
Firewalls

3 Trusted Intermediaries
Symmetric key problem: How do two entities establish shared secret key over network?
Solution: trusted key distribution center (KDC) acting as intermediary between entities
Public key problem: When A obtains B’s public key (from web site, e-mail, diskette), how does it know it is B’s public key, not C’s?
Solution: trusted certification authority (CA)

4 Key Distribution Center (KDC)
A and B need shared symmetric key.
KDC: server shares different secret key with each registered user (many users)
A and B know own symmetric keys, K_A-KDC and K_B-KDC, for communicating with KDC.
[Figure: the KDC holds K_A-KDC, K_B-KDC, K_P-KDC, K_X-KDC, K_Y-KDC and K_Z-KDC; users A, B and P each hold their own key.]

5 Key Distribution Center (KDC)
Q: How does KDC allow B and A to determine shared symmetric secret key to communicate with each other?
[Figure: message exchange]
  – A to KDC: K_A-KDC(A,B)
  – KDC generates R1
  – KDC to A: K_A-KDC(R1, K_B-KDC(A,R1))
  – A knows R1
  – A to B: K_B-KDC(A,R1)
  – B knows to use R1 to communicate with A
A and B communicate: using R1 as session key for shared symmetric encryption
Kerberos is an authentication service developed at MIT that uses symmetric key encryption techniques and a Key Distribution Center. The Kerberos Authentication Server (AS) plays the role of the KDC.
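
The three-message exchange on slide 5, as an added example that is not part of the original slides. The `seal`/`unseal` toy cipher, the `KDC` class and all other names are assumptions made for illustration; a real system would use a vetted AEAD cipher.

```python
import hashlib, hmac, json, secrets

def _xor(key, nonce, data):
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    """K(obj): toy authenticated encryption, standing in for a real AEAD cipher."""
    nonce = secrets.token_bytes(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()

def unseal(key, blob):
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or modified message")
    return json.loads(_xor(key, nonce, ct))

class KDC:
    def __init__(self):
        self.keys = {}                       # user -> long-term key K_user-KDC

    def register(self, user):
        self.keys[user] = secrets.token_bytes(32)
        return self.keys[user]

    def request(self, sender, blob):
        """In: K_A-KDC(A,B).  Out: K_A-KDC(R1, K_B-KDC(A,R1))."""
        a, b = unseal(self.keys[sender], blob)
        if a != sender:
            raise ValueError("request names a different sender")
        r1 = secrets.token_hex(32)           # KDC generates session key R1
        return seal(self.keys[sender], [r1, seal(self.keys[b], [a, r1])])

def run_exchange():
    kdc = KDC()
    k_a, k_b = kdc.register("A"), kdc.register("B")
    reply = kdc.request("A", seal(k_a, ["A", "B"]))   # A to KDC, KDC to A
    r1_at_a, for_b = unseal(k_a, reply)               # A knows R1
    peer, r1_at_b = unseal(k_b, for_b)                # A to B: K_B-KDC(A,R1)
    return {"r1_at_a": r1_at_a, "r1_at_b": r1_at_b, "peer": peer,
            "for_b": for_b, "k_a": k_a}
```

A only relays K_B-KDC(A,R1): opening it with K_A-KDC fails the integrity check, so B can trust that the pairing of A with R1 came from the KDC.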

6 Certification Authorities
Certification authority (CA): binds public key to particular entity, E.
E (person, router) registers its public key with CA.
  – E provides “proof of identity” to CA.
  – CA creates certificate binding E to its public key.
  – certificate containing E’s public key digitally signed by CA – CA says “this is E’s public key”
[Figure: B’s public key K_B+ and B’s identifying information pass through a digital signature (encrypt) with the CA private key K_CA-, producing the certificate for B’s public key, signed by CA.]

7 Certification Authorities
When A wants B’s public key:
  – gets B’s certificate (from B’s Web page, e-mail message or elsewhere).
  – applies CA’s public key to B’s certificate, gets B’s public key
[Figure: digital signature (decrypt) with the CA public key K_CA+ yields B’s public key K_B+.]

8 A Certificate Contains

| Field | Description |
|---|---|
| version | version number of X.509 specification (standard for Certification, developed by IETF) |
| serial number | CA-issued unique identifier for a certificate |
| signature | specifies the algorithm used by CA to "sign" this certificate |
| Issuer name | identity of CA issuing this certificate |
| Validity period | start and end of period of validity for certificate |
| Subject name | identity of entity whose public key is associated with this certificate |
| Subject public key | the subject's public key as well as an indication of the public key algorithm (and algorithm parameters) to be used with this key |

10 Secure e-mail
A wants to send confidential e-mail, m, to B
A:
  – generates random symmetric private key, K_S.
  – encrypts message with K_S
  – also encrypts K_S with B’s public key.
  – sends both K_S(m) and K_B+(K_S) to B.
[Figure: A computes K_S(m) and K_B+(K_S) and sends both over the Internet; B applies K_B- to recover K_S, then applies K_S to recover m.]

11 Secure e-mail
A wants to send confidential e-mail, m, to B
B:
  – uses his private key to decrypt and recover K_S
  – uses K_S to decrypt K_S(m) to recover m
[Figure: same diagram as on slide 10.]

12 Secure e-mail
A wants to provide sender authentication, message integrity.
“A”:
  – applies a hash function, H (e.g., MD5), to message m to obtain a message digest
  – encrypts the result of the hash function with private key, to create a digital signature
  – sends both message (in the clear) and digital signature.
“B”:
  – applies the hash function, H (e.g., MD5), to message m to obtain a message digest,
  – applies A's public key, to signature
  – compares the result of the operations
[Figure: A sends m and K_A-(H(m)) over the Internet; B computes H(m) from m, applies K_A+ to K_A-(H(m)), and compares the two.]

13 Secure e-mail
A wants to provide secrecy, sender authentication, message integrity.
“A” uses three keys: her private key, B’s public key, newly created symmetric key
[Figure: A computes K_A-(H(m)), combines it with m, encrypts the result with K_S, and sends it over the Internet together with K_B+(K_S).]
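
The combined scheme of slides 10 to 13 (sign, encrypt with K_S, wrap K_S for B), as an added example that is not part of the original slides. It assumes textbook RSA over constructed toy primes, SHA-256 in place of the MD5 the slides mention, and a SHAKE-256 keystream as the symmetric cipher; all function names are illustrative.

```python
import hashlib, secrets

E = 65537
# Constructed toy keys: Mersenne primes are far too structured for real RSA.
A_PRIMES = (2**127 - 1, 2**521 - 1)
B_PRIMES = (2**107 - 1, 2**607 - 1)

def keypair(p, q):
    """Textbook RSA: returns (public key K+, private key K-) as (n, exponent)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def rsa(key, x):
    n, exp = key
    return pow(x, exp, n)

def k_s(key, data):
    """K_S(.): XOR with a SHAKE-256 keystream; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))

def h(m):
    return int.from_bytes(hashlib.sha256(m).digest(), "big")

def send(m, a_priv, b_pub):
    sig = rsa(a_priv, h(m))                              # K_A-(H(m))
    ks = secrets.token_bytes(32)                         # newly created K_S
    body = k_s(ks, sig.to_bytes(96, "big") + m)          # K_S(K_A-(H(m)), m)
    return body, rsa(b_pub, int.from_bytes(ks, "big"))   # and K_B+(K_S)

def receive(body, wrapped, b_priv, a_pub):
    k = rsa(b_priv, wrapped)                             # K_B-(K_B+(K_S)) = K_S
    if k >> 256:
        raise ValueError("wrapped key was not made for this private key")
    plain = k_s(k.to_bytes(32, "big"), body)
    sig, m = int.from_bytes(plain[:96], "big"), plain[96:]
    if rsa(a_pub, sig) != h(m):                          # K_A+(signature) vs H(m)
        raise ValueError("signature does not match message")
    return m

def demo():
    a_pub, a_priv = keypair(*A_PRIMES)
    b_pub, b_priv = keypair(*B_PRIMES)
    body, wrapped = send(b"constructed test message", a_priv, b_pub)
    return body, wrapped, a_pub, b_priv, receive(body, wrapped, b_priv, a_pub)
```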

14 Pretty Good Privacy (PGP)
Internet e-mail encryption scheme, de-facto standard.
uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described.
provides secrecy, sender authentication, integrity.
inventor, Phil Zimmermann.

A PGP signed message:
    ---BEGIN PGP SIGNED MESSAGE---
    Hash: SHA1
    B: Hello there, the journey was very good one…, A
    ---BEGIN PGP SIGNATURE---
    Version: PGP 5.0
    Charset: noconv
    yhHJRHhGJGhgg/12EpJ+lo8gE4vB3mqJhF EvZP9t6n7G6m5Gw2
    ---END PGP SIGNATURE---

A secret PGP message:
    -----BEGIN PGP MESSAGE-----
    Version: PGP 5.0
    u2R4d+/jKmn8Bc5+hgDsqAewsDfrGdszX6 8liKm5F6Gc4sDfcXyt
    RfdSlOjuHgbcfDssWe7/K=lKhnMikLo0+l /BvcX4t==Ujk9PbcD4
    Thdf2awQfgHbnmKlok8iy6gThlp
    -----END PGP MESSAGE

16 Secure Sockets Layer (SSL)
transport layer security to any TCP-based application using SSL services.
used between Web browsers, servers for e-commerce (https).
security services:
  – server authentication
  – data encryption
  – client authentication (optional)
server authentication:
  – SSL-enabled browser includes public keys for trusted CAs.
  – Browser requests server certificate, issued by trusted CA.
  – Browser uses CA’s public key to extract server’s public key from certificate.
Do it yourself: check your browser’s security menu to see its trusted CAs.

17 SSL
Encrypted SSL session:
Browser generates symmetric session key, encrypts it with server’s public key, sends encrypted key to server.
Using private key, server decrypts session key.
Browser, server know session key
  – All data sent into TCP socket (by client or server) encrypted with session key.
SSL: basis of IETF Transport Layer Security (TLS).
SSL can be used for non-Web applications, e.g., IMAP.
Client authentication can be done with client certificates (if needed).

19 IPsec: Network Layer Security
Network-layer secrecy:
  – sending host encrypts the data in IP datagram
  – TCP and UDP segments; ICMP and SNMP messages.
Network-layer authentication
  – destination host can authenticate source IP address
Two principal protocols:
  – authentication header (AH) protocol (authentication, integrity)
  – encapsulation security payload (ESP) protocol (authentication, integrity, secrecy)
For both AH and ESP, source, destination handshake:
  – create network-layer logical channel called a security association (SA)
Each SA unidirectional.
Uniquely determined by:
  – security protocol (AH or ESP)
  – source IP address
  – 32-bit connection ID

20 Authentication Header (AH) Protocol
provides source authentication, data integrity, no confidentiality
AH header inserted between IP header, data field.
protocol field: 51
intermediate routers process datagrams as usual
AH header includes:
  – connection identifier (Security Parameter Index, SPI)
  – authentication data: source-signed message digest calculated over original IP datagram.
  – next header field: specifies type of data (e.g., TCP, UDP, ICMP)
[Figure: datagram layout: IP header | AH header | data (e.g., TCP, UDP segment)]

21 ESP Protocol
provides secrecy, host authentication, data integrity.
next header field is in ESP trailer.
data, ESP trailer encrypted.
ESP authentication field is similar to AH authentication field.
Protocol = 50.
[Figure: datagram layout: IP header | ESP header | TCP/UDP segment | ESP trailer | ESP authent., with brackets marking the encrypted and the authenticated portions]

23 Firewalls
isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others.
[Figure: administered network | firewall | public Internet]
Firewalls: Why
prevent denial of service attacks:
  – flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections.
prevent illegal modification/access of internal data.
  – e.g., attacker replaces CIA’s homepage with something else
allow only authorized access to inside network (set of authenticated users/hosts)

24 Firewalls
Typical configuration of firewall:
  – Two routers that do packet filtering. These are standard routers equipped with some extra functionality.
  – An application gateway that operates at the application level.

25 Packet Filtering
internal network connected to Internet via router firewall
router filters packet-by-packet, decision to forward/drop packet based on:
  – source IP address, destination IP address
  – TCP/UDP source and destination port numbers
  – ICMP message type
  – TCP SYN and ACK bits
[Figure: Should arriving packet be allowed in? Departing packet let out?]

26 Packet Filtering
Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or destination port = 23.
  – All incoming and outgoing UDP flows and telnet connections are blocked.
Example 2: Block inbound TCP segments with ACK=0.
  – Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside.
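
The two example rules applied to raw header bytes, as an added example that is not part of the original slides. Example 1 is treated as two independent drop conditions, which is what its stated effect requires; the packets, addresses and function names are constructed for illustration.

```python
import socket, struct

UDP, TCP, TELNET, ACK, SYN = 17, 6, 23, 0x10, 0x02

def packet(src, dst, proto, sport, dport, flags=0):
    """Constructed IPv4 header (no options) + TCP or UDP header, checksums left 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    if proto == TCP:
        return ip + struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 0, 0, 0)
    return ip + struct.pack("!HHHH", sport, dport, 8, 0)

def decide(pkt, inbound):
    """Apply the slide's two example rules; return (action, reason)."""
    if len(pkt) < 20:
        return "drop", "truncated IP header"
    ihl = (pkt[0] & 0x0F) * 4                 # IP header length in bytes
    proto = pkt[9]                            # IP protocol field
    if proto == UDP:
        return "drop", "example 1: IP protocol field = 17"
    if proto != TCP:
        return "forward", "no rule matched"
    if len(pkt) < ihl + 14:
        return "drop", "truncated TCP header"
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    if TELNET in (sport, dport):
        return "drop", "example 1: source or destination port = 23"
    if inbound and not pkt[ihl + 13] & ACK:   # flags byte of the TCP header
        return "drop", "example 2: inbound TCP segment with ACK=0"
    return "forward", "no rule matched"

# Constructed traffic: 10.0.0.5 is an internal host, 198.51.100.7 an external one.
INSIDE, OUTSIDE = "10.0.0.5", "198.51.100.7"
SAMPLES = [
    ("outbound SYN to web server", packet(INSIDE, OUTSIDE, TCP, 40000, 80, SYN), False),
    ("inbound SYN+ACK reply", packet(OUTSIDE, INSIDE, TCP, 80, 40000, SYN | ACK), True),
    ("inbound SYN to internal host", packet(OUTSIDE, INSIDE, TCP, 50000, 80, SYN), True),
    ("outbound telnet", packet(INSIDE, OUTSIDE, TCP, 40001, TELNET, SYN), False),
    ("outbound UDP query", packet(INSIDE, OUTSIDE, UDP, 40002, 53), False),
]

def run():
    return {name: decide(pkt, inbound)[0] for name, pkt, inbound in SAMPLES}

if __name__ == "__main__":
    for name, pkt, inbound in SAMPLES:
        print(f"{name:30} {decide(pkt, inbound)}")
```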

27 Application Gateways
Filters packets on application data as well as on IP/TCP/UDP fields.
Example: allow select internal users to telnet outside.
1. Require all telnet users to telnet through gateway.
2. For authorized users, gateway sets up telnet connection to destination host. Gateway relays data between 2 connections
3. Router filter blocks all telnet connections not originating from gateway.
[Figure: host-to-gateway telnet session | application gateway | gateway-to-remote host telnet session; router and filter]

28 Limitations of Firewalls and Gateways
IP spoofing: router can’t know if data “really” comes from claimed source
if multiple applications need special treatment, each has own application gateway.
client software must know how to contact gateway.
  – e.g., must set IP address of proxy in Web browser
filters often use all or nothing policy for UDP.
tradeoff: degree of communication with outside world, level of security
many highly protected sites still suffer from attacks.

29 Reading Material
Chapter 7 – text3 (Kurose)
Chapter 8 – text2 (Tanenbaum)

30 Notice
Mid term 2 exam marks are available at http://teacher.buet.ac.bd/khaledmahbub/ANT_Exam_Marks.html
Bonus Marks:
  – Old Marking Scheme: Mid Term 1 30%, Mid Term 2 30%, Final Exam 40%
  – New Marking Scheme: Mid Term 1 25%, Mid Term 2 25%, Attendance 10%, Final Exam 40%

