public key - staff.city.ac.uk


Questions?
1. What is a protocol?
It is the special set of rules that end points in a
telecommunication connection use when they
communicate.
2. What is TCP/IP?
TCP - which uses a set of rules to exchange
messages with other Internet points at the
information packet level
IP - which uses a set of rules to send and receive
messages at the Internet address level
Questions?
3. What is SMTP used for?
Simple mail transport protocol is used to deliver the
messages
4. What are the two types of protocols that the incoming and
outgoing mail servers use?
POP and SMTP
5. What does the MIME standard provide?
Multipurpose Internet Mail Extensions provide definitions
for content types such as applications, images, and other
multimedia files
Question?
6. What is IMAP?
Internet Message Access Protocol
IMAP provides direct access to the messages that are
stored on the server
Image files
- Web browsers accept two types of image files:
- .GIF and .JPG (or JPEG)
- GIF – Graphics Interchange Format
- JPEG – Joint Photographic Experts Group
Sound files

Three types of sound files are popular on the
Web
- .WAV
- .MID
- .MP3
- .AVI
Voice Over IP



Voice-over-IP (VoIP) is a method for sending
voice data using the IP protocol
VoIP interfaces with the public switched
telephone network (PSTN) and attempts to
provide the same quality of service
Protocols used in VoIP are:
- RTP (Real-Time Transfer Protocol)
- RTCP (Real-Time Control Protocol)
- RSVP (Resources Reservation Protocol)
Video




The problems associated with network video are
worse than for network audio
Greater bandwidth is required and it is easy to visually
spot problems with the video stream
Same sets of protocols (as audio) are used to manage
the information
It is now affordable for any PC owner to purchase an
expensive colour camera that connects to the printer
port or USB port and allow real-time capture of video




RTP handles reliable delivery of real-time data
RTCP monitors the VoIP session to maintain
the quality of service (QoS)
RSVP manages network resources during the
connection
The voice processing and gateway/terminal
operation are specified by the H.323
standard
Virtual Private Networks (VPN)

A virtual private network allows for remote private
LANs to communicate securely through an un-trusted
public network such as the Internet
[Figure: Citibank private LANs in Washington D.C., New York and Boston connected through the Internet]
VPNs






Using VPNs, only authorized members of the network are
allowed access to the data
A VPN uses an IP tunneling protocol and security services
that are transparent to the private network users
Using a VPN, a private LAN connected to the Internet can be
connected to other LANs using a combination of tunneling,
encryption and authentication
Tunneling means that data is transferred through the
public network in an encapsulated form
All of the data, including the addresses of the sender and
destination, are enclosed within a packet
Packets that are protected by tunneling, encryption, and
authentication offer the highest level of security
VPNs



The IP Security (IPSec) standards provide a security protocol
for tunneling as well as for data privacy, integrity, and
authentication, creating a truly secure VPN
IPSec is a set of protocols developed by the Internet
Engineering Task Force that adds additional security solutions
to TCP/IP networking
IPSec offers a solution to data privacy, integrity, and
authentication that is network independent, application
independent, and supports all IP services (e.g. HTTP, FTP, etc.)
Setting up a Web server




One of the most popular Web server programs is the
Apache Server from the Apache Software Foundation
Two of the reasons why the Apache Server is the
most popular are because it is free and fully featured
To download an Apache Server free!! go to
http://www.apache.org
After the Web server is installed, it is necessary to
update the configuration file to provide a server
name, e-mail contact, and several other items
Hypertext Transfer Protocol

The protocol used for communication between a browser and a
Web server or between intermediate machines and Web servers
is known as HTTP
Characteristics of HTTP:
- Application Level: HTTP operates at the application level. It
assumes a reliable connection-oriented transport protocol such
as TCP but does not provide retransmission
- Request/Response: Once a transport session has been
established, one side (usually a browser) must send an HTTP
request to which the other side responds
- Stateless: Each HTTP request is self-contained; the server
does not keep a history of previous requests or previous
sessions
HTTP characteristics




Bi-directional transfer: In most cases, a browser requests
a Web page, and the server transfers a copy to the browser
Capability Negotiation: HTTP allows browsers and servers
to negotiate details such as the character set to be used
during transfers
Support for Caching: To improve response time, a browser
caches a copy of each Web page it retrieves
Support for intermediaries: HTTP allows a machine along
the path between a browser and a server to act as proxy
server that caches Web pages and answers a browser’s
request from its cache
Internet Security and Firewall Design
Internet Firewall

A configuration of routers and networks placed
between an organization’s internal Internet and a
connection to an external Internet to provide security
[Figure: a firewall placed between the Internet and the organization’s net. Caption: Firewall used to protect organization]
Firewall


If an organization has multiple Internet connections, a firewall
must be placed at each, and all the organization’s firewalls
must be configured to enforce the organization’s security policy
A firewall must be secure. That is:
- All traffic entering the organization passes through the
firewall
- All traffic leaving the organization passes through the firewall
- The firewall implements the security policy and rejects any
traffic that does not adhere to the policy
- The firewall itself is immune to security attacks
Firewall




Firewalls are the most important security tool used to
handle network connections between two organizations that
do not trust each other
By limiting access to a small set of computers, a firewall can
prevent outsiders from probing all computers in an
organization with unwanted traffic
With a firewall a manager can restrict incoming packets to a
small set of computers
It is less expensive to install a firewall than to make all
computer systems secure
Internet Cookies





An Internet cookie is a message given to a Web browser by
a Web server
The browser stores the message in a text file called
cookie.txt
The saved message is sent back to the server each time the
browser requests a page from the server (This allows the
server to track the user access to pages on the web server)
Cookies are also called persistent cookies because they
typically stay in the browser for long periods of time
Having identified the client computer with a persistent
name stored in the cookie file, server side applications (such
as CGI scripts) can be used to both store and retrieve
information from the client side of the connection
Network Security



Like the locks used to keep tangible property
secure, computers and data networks need
provision to keep information secure
Security is required in every computer and protocol
There are two fundamental internet security
mechanisms
- Perimeter security
- Information Security
Security


Perimeter security allows an organization to determine the
services and networks it will make available to outsiders and
the extent to which outsiders can use internal resources
Information security encompasses many aspects of protection:
- Data integrity: A secure system must protect information
from unauthorized change
- Data availability: The system must guarantee that outsiders
cannot prevent legitimate access to data
- Privacy or confidentiality: The system must prevent
outsiders from making copies of data as it passes across a
network or understanding the contents of copies that are available
- Authorization: Although physical security often
classifies people and resources into broad
categories, security for information usually needs
to be more restrictive
- Authentication: The system must allow two
communicating entities to validate each other’s
identity
- Replay avoidance: To prevent outsiders from
capturing copies of packets and using them later,
the system must prevent a retained copy of a
packet from being accepted
Encryption





This ensures that your data cannot be read or
used by any party while in transit
Your message is encrypted into an incomprehensible
state before it leaves your computer
It maintains its state during its transmission over the
Internet
It is not decrypted until the recipient receives it
Because of the public key cryptography used only
the recipient can decipher the received message, no
one else can.
Public Key
Public Key is available to others for use when
encrypting information that will be sent to an individual
e.g people can use a person’s public key to encrypt
information they want to send to that person. Similarly
people can decrypt information sent by the person using
his public key

Private Key





Private key is accessible only to the individual
The individual can use the private key to decrypt any
messages encrypted with the public key. Similarly, the
individual can use the private key to encrypt messages, so
that the messages can be decrypted with the corresponding
public key
Exchanging keys is no longer a security concern. I have my
public key and private key. I send my public key to anyone
on the Internet. With that public key, they encrypt their
email. Since the email was encrypted with my public key, ONLY
I can decrypt that email with my private key
If I want to encrypt my email to anyone else on the
Internet, I need their public key
Each individual involved needs their own public/private key
combination
How do you verify someone’s public key?


How do you TRUST the user is really who he says he is?
- You use your digital certificate
A digital certificate is a digital document that checks for the
identity and key ownership of an individual, a computer
system or an organization
e.g. a user’s certificate verifies that the user owns a particular
public key


Certificates are issued by certificate authorities
These authorities are responsible for verifying the identity and
key ownership of the individual before issuing the certificate
e.g http://www.verisign.com
Authentication


This is digital verification of who you are, much in
the same way your driver’s license proves your
identity
Using standard email, there is no way to verify who
the sender is. With digital signatures and
certificates, you digitally encode verifiable proof
of your identity into the mail
Integrity




This is the verification that the data you sent
has not been altered
When information travels across the Internet,
it is routed through various gateways (way
stations)
It is possible for people to capture, alter, then
resend the message
With digital certificates, your email cannot be
altered without the recipient knowing
Creating Digital Signatures


When you email someone, your public/private key
combination creates the digital signature
Format:
- The sender uses a message-digest algorithm to generate a
short version (message digest) of the message that can be
encrypted
- The sender uses their private key to encrypt the message
digest.
- The sender transmits the message and the encrypted
message digest to the recipient
- Upon receiving the message the recipient decrypts the
message digest
- The recipient uses the hash function on the message to
Creating Digital Signatures
- The recipient compares the decrypted message digest
against the newly generated message digest
- If the message digests are identical, the recipient knows the
message is from the correct source
- If the message is wrong then the recipient knows that the
message is from someone else or the message was modified
during transmission
- The encrypted message digest serves as a digital signature
for the message


The signature verifies the identity of the sender and the
contents of the message
If the message was modified during transmission the hash
function will generate a different message digest when
applied after the transmission
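The sign-and-verify steps listed above, as an added worked example (not part of the original slides). It uses textbook RSA over a SHA-256 digest with a constructed demo key built from two known Mersenne primes; the key, function names and sample messages are assumptions for illustration, and real systems use randomly generated keys with a padded scheme such as RSA-PSS.

```python
import hashlib

# Constructed demo key: two publicly known Mersenne primes. This shows the
# arithmetic only; it offers no security.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)


def digest(message: bytes) -> int:
    """Message-digest step: SHA-256 of the message, as an integer < N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Sender: 'encrypt' the message digest with the private key."""
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Recipient: recover the digest with the sender's public key and
    compare it with a freshly computed digest of the received message."""
    if not 0 <= signature < n:
        return False                 # malformed signature value
    return pow(signature, e, n) == digest(message)


def demo() -> dict:
    sent = b"Transfer 100 GBP to account 1234"      # constructed message
    altered = b"Transfer 900 GBP to account 1234"   # modified in transit
    sig = sign(sent)
    # A second constructed key pair stands in for "someone else".
    p2 = 2**127 - 1
    other_n = p2 * P
    other_d = pow(E, -1, (p2 - 1) * (P - 1))
    return {
        "genuine": verify(sent, sig),
        "altered_message": verify(altered, sig),
        "wrong_sender": verify(sent, sign(sent, other_d, other_n)),
    }


if __name__ == "__main__":
    print(demo())
```

The digests match only when the message is unchanged and the signature was made with the private key that corresponds to the public key used for checking.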
Proxy Server



A server that sits between the client application, such
as a Web browser, and a real server
It intercepts all requests to the real server to see if it
can fulfil the requests itself. If not, it forwards the
request to the real server
Proxy servers have two main purposes
- Improve Performance
- Filter Requests
Improve Performance







Proxy servers can improve performance for groups of users
Proxy servers save the results of all requests for a certain
amount of time
Consider, for example, users X and Y who access the WWW through a
proxy server
First user X requests a certain Web page 1. Sometime later
user Y requests the same page. Instead of forwarding the
request to the Web server where page 1 resides the proxy
server returns the page 1
Since the proxy server is on the same network as the user,
this is a much faster operation
Real proxy servers support hundreds or thousands of users
Major online services such as Compuserve and America Online
employ an array of proxy servers
Filter Requests





Companies can use proxy servers to prevent their employees
from accessing a specific set of Web sites
Proxy server can be used to limit access to some of these
undesirable sites
A Proxy Server is a WWW server that acts as the sole web
server for your entire domain or whatever clients you place
behind the firewall, a logical block between your clients and
the rest of the Internet
The Proxy server usually sits on your firewall and intercepts
all web requests coming from clients within the firewall
If the requested URL is on the Proxy control list then the
message “URL is not accessible” will appear
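The two proxy roles described above (serving repeat requests from a time-limited cache and refusing URLs on the control list), as an added example that is not part of the original slides. The class name, the `fetch` callable standing in for the real server, the hostnames and the TTL value are all assumptions made for illustration.

```python
import time
from urllib.parse import urlsplit


class FilteringCachingProxy:
    def __init__(self, fetch, control_list, ttl=300.0, clock=time.monotonic):
        self.fetch = fetch          # callable(url) -> body from the real server
        self.blocked = {h.lower().rstrip(".") for h in control_list}
        self.ttl = ttl              # seconds a saved result stays valid
        self.clock = clock
        self.cache = {}             # url -> (expiry time, body)

    def _is_blocked(self, url):
        host = (urlsplit(url).hostname or "").rstrip(".")
        if not host:
            return True             # fail closed on URLs we cannot parse
        # Compare the parsed host and each parent domain with the control
        # list; substring checks on the raw URL are easy to get wrong.
        parts = host.split(".")
        return any(".".join(parts[i:]) in self.blocked
                   for i in range(len(parts)))

    def request(self, url):
        if self._is_blocked(url):
            return "blocked", "URL is not accessible"
        now = self.clock()
        hit = self.cache.get(url)
        if hit and hit[0] > now:
            return "cache", hit[1]  # answered without contacting the server
        body = self.fetch(url)
        self.cache[url] = (now + self.ttl, body)
        return "origin", body


def demo():
    fetched, now = [], [0.0]        # fake origin server and fake clock

    def origin(url):
        fetched.append(url)
        return f"<html>page for {url}</html>"

    proxy = FilteringCachingProxy(origin, ["blocked.example"], ttl=60,
                                  clock=lambda: now[0])
    page1 = "http://www.example.org/page1"          # constructed URLs
    sources = [proxy.request(page1)[0]]             # user X
    sources.append(proxy.request(page1)[0])         # user Y, same page
    now[0] = 61                                     # saved copy has expired
    sources.append(proxy.request(page1)[0])
    sources.append(proxy.request("http://WWW.Blocked.Example/x")[0])
    return sources, len(fetched)


if __name__ == "__main__":
    print(demo())
```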
Internet Security



Internet security is difficult because datagrams
travelling from source to destination often pass across
many intermediate networks and through routers that
are not owned or controlled by either the sender or
the recipient
Source authentication requires the server to examine
the source IP address on each incoming datagram,
and only accept requests from computers on an
authorized list
Source authentication is weak because it can be
broken easily
Secure Sockets




The Secure Socket Layer (SSL) technology was
originally developed by Netscape
When a client uses SSL to contact a server, the SSL
protocol allows each side to authenticate itself to the
other
The two sides then negotiate to select an encryption
algorithm that they both support
Finally SSL allows the two sides to establish an
encrypted connection (i.e a connection that uses the
chosen encryption algorithm to guarantee privacy)
Monitoring and Logging






Monitoring is the most important aspect of a firewall
Unless a firewall reports incidents, a manager may be
unaware of problems
Monitoring can be active or passive
In active monitoring, a firewall notifies a manager
whenever an incident occurs
The chief advantage of active monitoring is speed: a
manager finds out about a potential problem
immediately
But the main disadvantage is that active monitoring
produces so much information it is difficult for the
manager to focus on major issues
Monitoring



In passive monitoring, a firewall logs a record of
each incident in a file on disk
Passive monitoring usually records information
about normal traffic as well as datagrams that are
filtered
A chief advantage of passive monitoring arises
from its record of events – a manager can consult
the log to observe trends and when a security
problem occurs, review the history of events that
led to the problem
Internet Architecture


How are networks interconnected to form an internetwork?
Physically, two networks can only be connected by a
computer that attaches to both of them.
A physical attachment does not provide the interconnection
we have in mind, however, because such a connection does
not guarantee that the computer will cooperate with other
machines that wish to communicate
Computers that interconnect two networks and pass packets
from one to the other are called internet gateways or
internet routers
[Figure: Net 1 and Net 2 connected by router R]
- Router R connects to both network 1 and
network 2
- Each network can be LAN or WAN, and each
may have many computers attached to them
Interconnection through IP routers

In an actual internet that includes many networks
and routers, each router needs to know about the
topology of the internet beyond the networks to
which it connects
[Figure: Net 1, router R1, Net 2, router R2 and Net 3 connected in a chain]
- R1 must transfer from network 1 to 2 all packets
destined for computers on either network 2 or
network 3



Routers used with TCP/IP Internets are usually
small computers
They often have little disk storage and modest
main memories
If packet forwarding is based on networks, the
amount of information that a router needs to keep
is proportional to the number of networks in the
Internet, not the number of computers
The Users View



A user views an internet as a single, virtual network to
which all machines connect despite their physical
connections
Since application programs that communicate over the
Internet do not know the details of underlying connections
they can be run without change on any computer
Because the details of each machine’s physical network
connections are hidden in the Internet software, only the
Internet software needs to change when new physical
connections are added or existing connections are removed



A second advantage of having communication at the
network level is users do not have to understand,
remember, or specify how networks connect or what
traffic they carry
Application programs can be written that
communicate independent of underlying physical
connectivity
Network managers are free to change interior parts
of the underlying internet architecture without
changing application software in most computers
attached to the Internet