Security - Computer Networks - Lecture Slides | CS 4590, Exams of Computer Systems Networking and Telecommunications

Material Type: Exam; Class: Computer Networks; Subject: Computer Science; University: California State University-East Bay; Term: Unknown 1989;

Uploaded on 09/17/2009

koofers-user-fgh-2
1

Chapter 8 Security

  • Why do we need security?
  • Algorithms

2

Who could cause problems?

| Adversary | Goal |
|---|---|
| Student | To have fun snooping on people's email |
| Cracker | To test out someone's security system, steal data |
| Sales Rep | To claim to represent all of Europe, not just Cannes |
| Businessman | To discover a competitor's strategic marketing plan |
| Ex employee | To get revenge for being fired |

3

Who could cause problems?

| Adversary | Goal |
|---|---|
| Accountant | To embezzle money from a company |
| Stockbroker | To deny a promise made to a customer by email |
| Con man | To steal credit card numbers for sale |
| Spy | To learn an enemy's military or industrial secrets |
| Terrorist | To steal germ warfare secrets |

Tanenbaum pg 722

4

4 main areas

• Secrecy

• Authentication

• Non repudiation

• Integrity control

5

4 main areas

• Secrecy - encryption

• Authentication - passwords

• Non repudiation - digital signatures

• Integrity control - message digest

6

Taxonomy of Network Security

Security

  • Cryptography algorithms
    • Public key (e.g., RSA)
    • Secret key (e.g., DES)
    • Message digest (e.g., MD5)
  • Security services
    • Privacy
    • Authentication
    • Message integrity

7

Where is security implemented?

  • Any or all layers
    • Wireless - link layer
    • IPsec - network layer
  • Needed end to end!

8

Terms

  • Plaintext : the original message to be sent.
  • Encryption : the process of taking a plaintext message and transforming it into a form which cannot be easily read, the ciphertext.
  • Ciphertext : the encrypted plaintext
  • Decryption : the process of transforming the ciphertext back into the plaintext.
  • Key : Many encryption/decryption schemes use the same algorithm but take a parameter which drives the algorithm. This is called a key.

9

Cryptography

  • Secret Key
    • Symmetric
    • Participants share a key
      • DES (Data Encryption Standard)
      • International Data Encryption Algorithm (IDEA)

Plaintext -> Encrypt with secret key -> Ciphertext -> Decrypt with secret key -> Plaintext

10

Cryptography

  • Public key
    • Asymmetric
    • Private key that is not shared
    • Public key that is shared so others can use it
      • RSA (Rivest, Shamir, Adleman)

Plaintext -> Encrypt with public key -> Ciphertext -> Decrypt with private key -> Plaintext

11

Cryptography

  • Hash or message digest
    • No keys
    • Map large message to fixed length number
    • A cryptographic checksum
    • Computationally infeasible to find 2 messages that hash to the same cryptographic checksum
      • Message Digest version 5 (MD5)
      • More efficient than DES or RSA

12

Encryption

  • 2 techniques
    • Substitution : each letter or group of letters is replaced (substituted) with another letter or group of letters.
    • Transposition : alter the order in which the characters are sent

19

DES

  • No published mathematical proof that DES is secure
  • Break it by exhaustively searching all possible 2^56 keys
  • (Text Estimate) 1.4 x 10^17 microseconds to break a key (4500 years) using an Alpha that can do one encryption in 4 microseconds
  • 9000 Alphas in parallel - 6 months

20

DES

  • Triple DES encryption (uses two keys). The 128 bit composite key should be secure for another few years at least.
  • International Data Encryption Algorithm (IDEA) (1990), which uses 128 bit keys and 9 iterations of transformations. It can be used in the same modes as DES.
  • Private key algorithms - how do we exchange the keys?

21

Public Key

  • In 1976, Diffie and Hellman at Stanford
  • Two keys, one used for encryption (the public key) and one used for decryption (the private key).
  • Given one key, it is nearly impossible to figure out what the other one is.

22

RSA

  • Rivest, Shamir, and Adleman from MIT
  • Asymmetric encryption is very slow in comparison to symmetric encryption
  • Typically used to set up a secure connection and exchange a secret key to be used for the rest of the connection
  • Key length is 512 bits

23

Public Key (RSA)

  • Encryption & Decryption
    • c = m^e mod n
    • m = c^d mod n

Plaintext -> Encrypt with public key -> Ciphertext -> Decrypt with private key -> Plaintext

24

RSA (cont)

  • Choose two large prime numbers p and q (each 256 bits)
  • Multiply p and q together to get n
  • Choose the encryption key e , such that e and ( p - 1) x ( q - 1) are relatively prime.
  • Two numbers are relatively prime if they have no common factor greater than one
  • Compute decryption key d such that d = e^-1 mod (( p - 1) x ( q - 1))
  • Construct public key as ( e , n )
  • Construct private key as ( d , n )
  • Discard (do not disclose) original primes p and q
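
The key-generation steps above, together with the c = m^e mod n and m = c^d mod n equations from the previous slide, as an added Python example that is not part of the original slides. The Miller-Rabin prime search and the fixed choice e = 65537 are assumptions made for the example; the 256-bit primes follow the slide, and this is unpadded textbook RSA.

```python
import math
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin test (assumed method; the slides do not say how primes are found)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if is_probable_prime(cand):
            return cand

def keypair_from_primes(p, q, e):
    phi = (p - 1) * (q - 1)
    if p == q or math.gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p - 1) x (q - 1)")
    d = pow(e, -1, phi)            # modular inverse, Python 3.8+
    return (e, p * q), (d, p * q)  # (e, n) and (d, n); p and q are not returned

def generate_keypair(bits=256, e=65537):
    while True:                    # retry until e fits the chosen primes
        try:
            return keypair_from_primes(random_prime(bits), random_prime(bits), e)
        except ValueError:
            continue

def encrypt(m, public):
    e, n = public
    return pow(m, e, n)            # c = m^e mod n

def decrypt(c, private):
    d, n = private
    return pow(c, d, n)            # m = c^d mod n
```

Without padding the same plaintext always gives the same ciphertext, which is why deployed RSA wraps the message in a randomized padding scheme such as OAEP before the exponentiation.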

25

RSA

  • 1977, challenge to break a 129 digit RSA message
    • Estimated to take 40 quadrillion years
    • 1994 (after 17 years) four scientists had broken the code by using a factoring method that required ~ 5000MIP-years
    • Done in 8 months by dividing the problem into small pieces and shipping them via email to other computers all over the world – distributed approach
  • If a bad key is chosen, it is easy to break

26

Message Digest

  • Cryptographic checksum
    • just as a regular checksum protects the receiver from accidental changes to the message, a cryptographic checksum protects the receiver from malicious changes to the message.
  • One-way function
    • given a cryptographic checksum for a message, it is virtually impossible to figure out what message produced that checksum; it is not computationally feasible to find two messages that hash to the same cryptographic checksum.
  • Relevance
    • if you are given a checksum for a message and you are able to compute exactly the same checksum for that message, then it is highly likely this message produced the checksum you were given.
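
The difference between a regular checksum and a cryptographic checksum, as an added Python example that is not part of the original slides. The two-line message is constructed sample data, the 16-bit ones' complement sum stands in for "a regular checksum", and SHA-256 is used in place of the slide's MD5, for which collisions can now be computed in practice.

```python
import hashlib
import hmac

def internet_checksum(data: bytes) -> int:
    """16-bit ones' complement sum, the regular checksum used by IP, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    return ~total & 0xFFFF

def message_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify(data: bytes, expected_digest: str) -> bool:
    """The 'Relevance' step: recompute the digest and compare with the one given."""
    return hmac.compare_digest(message_digest(data), expected_digest)

def swap_words(data: bytes, i: int, j: int) -> bytes:
    """A deliberate edit: exchange the 16-bit words at word indexes i and j."""
    buf = bytearray(data)
    buf[2*i:2*i+2], buf[2*j:2*j+2] = buf[2*j:2*j+2], buf[2*i:2*i+2]
    return bytes(buf)

def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """An accidental change: one bit flipped in transit."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)

ORIGINAL = b"ALICE:0100;\nBOBBY:9900;\n"   # constructed sample message
NOISY = flip_bit(ORIGINAL, 0, 0)           # accidental damage
TAMPERED = swap_words(ORIGINAL, 3, 9)      # amounts exchanged, word sum unchanged

def report() -> dict:
    good = message_digest(ORIGINAL)
    return {
        "checksum_catches_noise": internet_checksum(NOISY) != internet_checksum(ORIGINAL),
        "checksum_catches_tamper": internet_checksum(TAMPERED) != internet_checksum(ORIGINAL),
        "digest_catches_noise": not verify(NOISY, good),
        "digest_catches_tamper": not verify(TAMPERED, good),
    }
```

Because the digest uses no key, it only protects the receiver when the digest itself arrives over a channel the sender of a modified message cannot also rewrite.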

27

Authentication Protocols

  • Three-way handshake

Client -> Server: ClientId, E(x, CHK)

Server -> Client: E(x + 1, SHK), E(y, SHK)

Client -> Server: E(y + 1, CHK)

Server -> Client: E(SK, SHK)
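
The three-way handshake above run end to end, as an added Python example that is not part of the original slides. `E` and `D` are a toy 4-round Feistel cipher built from HMAC-SHA256, assumed here only as a stand-in for the slide's E(m, k); the names `handshake` and `server_db` and the key values used with them are hypothetical.

```python
import hashlib
import hmac
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def f(key: bytes, i: int, half: bytes) -> bytes:
    """Feistel round function: keyed, round-dependent, 8 bytes out."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def E(value: int, key: bytes) -> bytes:
    """Toy block cipher over one 16-byte block (stand-in for E(m, k))."""
    block = (value % 2**128).to_bytes(16, "big")
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, f(key, i, r))
    return l + r

def D(ct: bytes, key: bytes) -> int:
    l, r = ct[:8], ct[8:]
    for i in reversed(range(4)):
        l, r = xor(r, f(key, i, l)), l
    return int.from_bytes(l + r, "big")

def handshake(client_id, chk, shk, server_db):
    """Run the four messages; return the session key SK, or None on failure.

    chk/shk are the keys the client holds; server_db maps ClientId to the
    (CHK, SHK) pair the server holds for that client.
    """
    x = secrets.randbits(64)                           # client's challenge
    m1 = (client_id, E(x, chk))                        # Client -> Server
    s_chk, s_shk = server_db[m1[0]]
    y = secrets.randbits(64)                           # server's challenge
    m2 = (E(D(m1[1], s_chk) + 1, s_shk), E(y, s_shk))  # Server -> Client
    if D(m2[0], shk) != x + 1:
        return None                                    # client rejects the server
    m3 = E(D(m2[1], shk) + 1, chk)                     # Client -> Server
    if D(m3, s_chk) != y + 1:
        return None                                    # server rejects the client
    sk = secrets.randbits(128)
    m4 = E(sk, s_shk)                                  # Server -> Client
    return D(m4, shk)                                  # both sides now hold SK
```

Each side proves knowledge of the shared keys by returning the other's random number plus one; a party holding the wrong key decrypts the challenge to an unrelated value and the comparison fails.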

28

  • Trusted third party (Kerberos)

Participants: S, A, B

A -> S: A, B

S -> A: E((T, L, K, B), K_A), E((T, L, K, A), K_B)

A -> B: E((A, T), K), E((T, L, K, A), K_B)

B -> A: E(T + 1, K)

29

  • Public key authentication

A -> B: E(x, Public_B)

B -> A: x

30

Authentication Techniques

  • Three way handshake
  • Trusted third party
  • Public/private key
    • Can use your own private key to encrypt a small portion of a message (digest)
    • Receiver uses your public key to decrypt the digest
    • This authenticates you
  • Use DES or RSA (described in pgs. 585-

37

CAs

  • Certificate Authorities are trusted servers who maintain the certificates.
  • The CAs verify through external means (telephone, mail, etc.) that you are who you say you are.
  • They will then maintain your X.509 certificate.
  • When someone wants your public key, they contact the CA.
  • The CA digitally signs your public key using its own private key.
  • The requester uses the CA's public key to decrypt the message to get your public key

38

Key Distribution (cont)

  • Chain of Trust
    • if X certifies that a certain public key belongs to Y, and Y certifies that another public key belongs to Z, then there exists a chain of certificates from X to Z
    • someone that wants to verify Z's public key has to know X's public key and follow the chain
  • Certificate Revocation List

39

SSL

  • Secure Sockets Layer (SSL) - (originated by Netscape) as of '98 controlled by the IETF, who renamed it Transport Layer Security (TLS)
  • Supports the X.509 digital certificate standard.
  • All web browsers and servers support this.
  • It is a standard for authentication and encryption and also allows message integrity checks.

40

SSL

  • Implements security at the transport layer
  • Web servers using this will run at port 443 instead of 80
  • SSL handshake protocol is completed before an application can transmit or receive information
  • The two sides must authenticate each other and negotiate an encryption algorithm.

41

SSL

  • public key authentication and encryption
  • The domestic version uses a 128-bit key.
  • Secure server URLs use https://. We know we are connected to one if we see the lock on the bottom of our browser or a dialog box comes up.

42

HTTPS

  • Security enhanced version of HTTP
  • developed by EIT and released in 1994
  • This protocol adds application layer encryption and authentication on top of the socket based communication.
  • Client and server communicate in normal HTTP fashion then negotiate security requirements.

43

HTTPS

  • Functions HTTPS supports
    • Authentication, checks for certificate revocation, supports certificate hierarchies, digital signatures, various security levels, and secured communications through firewalls.
    • Supports security at the document level.
    • Uses public key encryption.

Do we need both SSL and HTTPS?

44

IPSec

  • IP Security (IPSec) is the IETF's new IPv security protocol that provides authentication and encryption and key management at the IP level.
  • It has also been added on to IPv4.
  • It has the potential to speed things up and be a better security channel if the protocol is implemented in hardware on IP routers and switches.

45

IPSec

  • Authentication algorithms (AH):
    • MD5 and SHA-
  • Encryption algorithms (ESP):
    • DES (56 bit) and triple DES (168 bit) or AES (128, 192, and 256 bit) based on the Rijndael algorithm created by Rijmen and Daemen - see http://csrc.nist.gov/encryption/aes
  • Key Exchange (IKE):
    • Diffie Hellman

46

Firewalls

  • Packet filtering or
  • Proxy-based application gateways.

[Figure: Rest of the Internet | Firewall | Local site]

47

Firewalls

  • Packet Filter
    • Implemented in routers
    • Tables indicate which communication protocols are allowed in and out of the network (e.g., no telnet)
    • Packets are dropped, rejected, or permitted based on application port number, source and destination IP address
    • Disadvantage: a sender can mimic a trusted IP address

[Figure: Rest of the Internet | Firewall | Local site]
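
A packet filter table of the kind described on this slide, as an added Python example that is not part of the original slides. The rule table, the default-deny fallback and all addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "permit", "reject" or "drop"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    dport: Optional[int]   # destination (application) port, None = any

# Constructed table for a local site at 192.0.2.0/24; first match wins.
RULES = [
    Rule("drop",   "0.0.0.0/0",       "192.0.2.0/24",  23),    # no telnet
    Rule("permit", "198.51.100.0/24", "192.0.2.0/24",  22),    # trusted partner
    Rule("permit", "0.0.0.0/0",       "192.0.2.10/32", 443),   # public web server
    Rule("reject", "0.0.0.0/0",       "192.0.2.10/32", None),  # tell senders "closed"
]

def decide(src: str, dst: str, dport: int, rules=RULES):
    """Return (action, index of the matching rule), or ("drop", None) by default.

    Only header fields are examined. The filter cannot tell whether the
    source address in the header is the real sender, which is the slide's
    disadvantage: any packet carrying a trusted address matches rule 1.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.dport in (None, dport)):
            return r.action, i
    return "drop", None    # assumed default deny

def audit(packets):
    """Map each (src, dst, dport) tuple to the filter's decision."""
    return {p: decide(*p) for p in packets}
```

Placing the telnet rule first means it also applies to the trusted partner network, since a source address alone is not treated as proof of identity.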

48

Firewalls

  • Proxy Firewall - Also called an application firewall
    • Proxy processes are run for various types of application traffic (e.g., mail proxy)
    • The proxy can evaluate packets based on context, authorization, and authentication instead of just IP addresses
    • A proxy's IP address is the only address visible to the outside world - hides internal IP addresses. End user must direct messages directly to the proxy
    • Transparent proxy: user doesn't know his messages are traveling to the proxy first

[Figure: Rest of the Internet | Firewall | Local site]