Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information and Network Security Rudra Dutta CSC 401- Fall 2011, Section 001.

Published byMelvin Morris Holmes Modified over 9 years ago

Similar presentations

Presentation on theme: "Information and Network Security Rudra Dutta CSC 401- Fall 2011, Section 001."— Presentation transcript:

1 Information and Network Security Rudra Dutta CSC 401- Fall 2011, Section 001

2 Network Security Based on concepts of information security – Complementary to: physical security of networks and endpoints – Also related to: human security Comparatively recent concern with security in networks Various “attackers” or “malcontents” at various levels of seriousness, frequency, ability Overarching goal – no single place (many vulnerabilities) No such thing as 100% security 2Copyright Rudra Dutta, NCSU, Fall 2011

3 Components of Study Basic concerns – Confidentiality, authentication, non-repudiation, integrity – Availability, authorization Fundamental tools – Cryptography Building blocks – Signatures, certifications, … Protocols / architectures – IPSec, firewall, VPN, PGP, SSL, Shibboleth … Emerging trend: trust management Copyright Rudra Dutta, NCSU, Fall 20113

4 Security Concerns Confidentiality (Secrecy, Privacy) – Nobody but intended recipient should know content – “Person-in-the-middle” possibility in networks Authentication – Confidence in recognizing trusted or known entity Non-repudiation – Inability to claim innocence of past action Integrity – Message received same as message sent Availability – Infrastructure / resource available to genuine use Authorization – Policy form of confidentiality Copyright Rudra Dutta, NCSU, Fall 20114

5 Cryptography D K ( E K ( P ) ) = P (symmetric-key) “Algorithm is public, only keys are secret” Attacks: (i) ciphertext-only, (ii) known-plaintext, (iii) chosen-plaintext Copyright Rudra Dutta, NCSU, Fall 20115

6 Ciphers as Transformation 6Copyright Rudra Dutta, NCSU, Fall 2011 Simple substitution cipher – More advanced ones possible Fundamental principles: – Messages must contain some redundancy – Some method is needed to foil replay attacks The first implies that plaintext “space” must be large and sparsely used – can use cryptographic hashes The second shows the need of timestamp or equivalent Ciphering (even efficiently) is only useful if these conditions are first met

7 Data Encryption Standard 7Copyright Rudra Dutta, NCSU, Fall 2011 A comparatively older and simpler symmetric key cipher Each stage uses a different 48-bit key derived from the main 56-bit key Li-1 is transformed to 48 bits, bit- XOR’d with key, mapped back into 32 bits

8 Other Ciphers Some common symmetric-key cryptographic algorithms 8Copyright Rudra Dutta, NCSU, Fall 2011

9 Public Key Cryptography Weak point: key distribution – Keys have to be distributed, yet kept secret – Once a key is compromised, worse than useless Solution: asymmetric keys – Encryption and decryption use different keys which are not trivially related to each other – Diffie-Hellman, 1976 D ( E ( P )) = P Exceedingly difficult to deduce D from E E cannot be broken by chosen-plaintext attack E(.) can be made public – D(.) is never distributed “public key cryptography” Copyright Rudra Dutta, NCSU, Fall 20119

10 RSA (Rivest, Shamir, Adleman) 1. Choose two large primes, p and q (e.g. 3 and 11) 2. Compute n = p × q and z = ( p − 1) × (q − 1) 3. Choose number relatively prime to z – call it d (7) 4. Find e such that e × d = 1 mod z (3) E(.) : C = P e (mod n) D(.) : P = C d (mod n) 10Copyright Rudra Dutta, NCSU, Fall 2011

11 Tools: Digital Signatures Required Conditions: 1. Receiver can verify claimed identity of sender. 2. Sender cannot later repudiate contents of message. 3. Receiver cannot have concocted message himself. 11Copyright Rudra Dutta, NCSU, Fall 2011

12 Message Digests (Cryptographic Hash) Message Digest (e.g. MD5) properties 1. Given P, easy to compute MD(P). 2. Given MD(P), effectively impossible to find P. 3. Given P no one can find P′ such that MD(P′) = MD(P). 4. Change to input of even 1 bit produces very different output. 12Copyright Rudra Dutta, NCSU, Fall 2011 Message digests can form Digital signatures (However, vulnerable to birthday attack)

13 Management of Public Keys Trudy can subvert public-key encryption: need certification 13Copyright Rudra Dutta, NCSU, Fall 2011

14 Achieving Security in Networks IPSec – Security in IP layer between endpoints Firewalls – policing at gateways VPNs – Multipoint-to-multipoint secure community over insecure Internet Kerberos etc. – authentication over insecure Internet PGP etc. – Security between application endpoints DNSSec – Securing DNS transactions TLS / SSL – API to encapsulate process-to- process (client-server) security Copyright Rudra Dutta, NCSU, Fall 201114

15 IP Security Multiple services, separate – Secrecy, Integrity, Replay protection – Based on symmetric keys – Pluggable algorithm modules Security Association – End-to-end context, unidirectional, security identifier – Allows use of IPSec at different granularities Transport mode – IPSec header Inserted after IP header – Integrity, authentication, replay attacks with AH – Origin (integrity, authentication), secrecy, replay with ESP Tunnel mode – IP packet encapsulated in new IP packet, ESP – Integrity, authentication, secrecy, replay Copyright Rudra Dutta, NCSU, Fall 201115

16 Key Management Shared keys Distribution (sharing) of keys outside SA ISAKMP framework – Manual pre-configuration – Internet Key Exchange v2 protocol – DNS as key distributor – Others … When two IP endpoints want to setup a SA, they already have a shared key / have a way to share a key Copyright Rudra Dutta, NCSU, Fall 201116

17 IPsec AH Transport mode only – Authentication Header – In IPv6, used as extension header In IP header, Protocol is 51 for IPSec Identifier Detect replay attacks Hashed Message Authentication Code Signature computed using shared key 17Copyright Rudra Dutta, NCSU, Fall 2011

18 IPsec ESP Header contains security identifier and sequence number Originally, secrecy only (not integrity) Later extended by adding authentication signature Eventually likely to phase out AH 18Copyright Rudra Dutta, NCSU, Fall 2011

19 Firewalls Packet filtering gateways – Can filter by ports, or any other field DMZ or Perimeter Networks can complement Stateless, stateful, application-level gateways Should form component of overall security picture 19Copyright Rudra Dutta, NCSU, Fall 2011

20 Virtual Private Networks Create virtual circuits between gateways of each physical network of an organization – Actually, not virtual circuits but SA tunnels – Firewalls as well as gateways Intermediate routers can transport but not compromise – May provide MPLS tunnels (with bandwidth provisions) 20Copyright Rudra Dutta, NCSU, Fall 2011

21 Kerberos “Three-headed” scheme Separate user authentication from service authorization Password not transmitted, on public workstation briefly Copyright Rudra Dutta, NCSU, Fall 201121 K S : Session key K AB : Service session key Ticket granting ticket Service ticket

22 Pretty Good Privacy RSA used to encrypt small, random words IDEA (much faster) encrypts larger message Bob confident of P, Alice Random input by Alice Like DES Only Bob can get K M 22Copyright Rudra Dutta, NCSU, Fall 2011

23 PGP Message 23Copyright Rudra Dutta, NCSU, Fall 2011

24 DNS 24

25 DNS Spoofing 25Copyright Rudra Dutta, NCSU, Fall 2011

26 Poisoning DNS Basically – force DNS server to query, and send false answer right behind the query Need to first know sequence number – register bogus domain 26Copyright Rudra Dutta, NCSU, Fall 2011

27 DNSSec DNSSec attempts to provide: – Proof of where the data originated – Public key distribution – Transaction and request authentication DNS replies are Resource Records – Grouped into sets – RRSets Each DNS zone has public/private key pair – RRSet to be delivered is cryptographically hashed – Hash is signed by zone’s private key New RR types to store key, hash, specify algorithm (and others such as validity period) Hashing and signing is offline – at zone Signatures also protect query-response between servers 27Copyright Rudra Dutta, NCSU, Fall 2011

28 SSL / TLS Encapsulate security for application programs Original SSL proposed by Netscape, later TLS standardized by IETF – TLS is incompatible with SSL – Falls back on SSL, but not earlier than SSL 3.0 Newly generated key to sign and encrypt data for each connection Copyright Rudra Dutta, NCSU, Fall 201128

29 Summary Cryptography and privacy/secrecy of keys used to assure security goals Network security largely still in the stage of shoring up known exploits Understanding of vulnerabilities are still on a case-by-case basis “Encrypt everything” may be both overkill and underkill Significant growth area Copyright Rudra Dutta, NCSU, Fall 201129

Download ppt "Information and Network Security Rudra Dutta CSC 401- Fall 2011, Section 001."

Similar presentations

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Security S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents Security requirements Public key cryptography Key agreement/transport.

Security S Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents Security requirements Public key cryptography Key agreement/transport.
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
Chapter 5 Network Security Protocols in Practice Part I

Chapter 5 Network Security Protocols in Practice Part I
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
Introduction to Cryptography

Introduction to Cryptography
Network Security Chapter 8. Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic.

Network Security Chapter 8. Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Chapter 18: Network Security Business Data Communications, 5e.

Chapter 18: Network Security Business Data Communications, 5e.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
Chapter 8 Network Security 4/17/2017 www.noteshit.com.

Chapter 8 Network Security 4/17/2017
Chapter 20: Network Security Business Data Communications, 4e.

Chapter 20: Network Security Business Data Communications, 4e.
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

Similar presentations

Ads by Google