Transcript Network Security

INTRODUCTION
Network Security is concerned with




Making sure that our system should protect
from viruses, worms, Trojan Horses
Keeping information out of the hands of
unautorized users
Identify the users
Making sure that data is transmited or receive
without a malicious adversary modification
Security threats and solutions
Threat
Security Functions
Solutions
Data intercepted,
Read or modified
illicitly
Encryption
Users misinterpret
their identity to
commit fraud
Authentication
Unauthorized user
on one network
gains access to
another
Firewall
Technology
Symmetric
encryption;
Asymmetric
encryption
Verifies the identity of Digital signature
both sender and
receiver.
Encodes data to
prevent tempering
Firewall;
Filters and prevents
Virtual private net
certain traffic from
entering the network or
server
Layered contribution to security
Physical layer – by enclosing transmission
lines in sealed tubes
 Data link layer – by packets encoded
 Network layer – firewalls can be installed
 Transport layer- entire connection can be
encrypted
Application layer- cryptography

Types And Sources Of
NetworkThreats


VIRUSES,EMIAL VIRUSES,WORMS, TROJAN HORSES


DENIAL-OF-SERVICE
UNAUTHORIZED ACCESS
Softwares from system must secure




Viruses
Email viruses
Worms
Trojan Horses
Prevention





secure operating system like UNIX or Windows
NT
virus protection software
disable floppy disk booting
NEVER run macros in a document unless you
know what they do
You should never double-click on an attachment
that contains an executable that arrives as an email attachment
Security Issues




Secrecy
Auhentication
Nonrepudiation
Integrity control
DENIAL-OF-SERVICE






Attacker's program simply makes a connection
on some service port, perhaps forging the
packet's header information that says where the
packet came from, and then dropping the
connection.
Send more requests to the machine than it can
handle
DOS Attacks are very easy to launch
But Difficult(sometimes impossible) to track
Not easy to refuse the requests of attackers
PREVENTION



Not running your visible-to-the-world
servers at a level too close to capacity
Using packet filtering to prevent
obviously forged packets from entering
into your network address space.
Keeping up-to-date on security-related
patches for your hosts' operating
systems.
Unauthorized Access
Main Goal is to access the resource that
your machine should not provide the
attacker



Executing Commands Illicitly
Confidentiality Breaches
Destructive Behavior
Executing Commands Illicitly




To execute commands on servers
Classifications:
Normal user Access: such as read files
mails etc
Administrator Access: changing its IP
address, cause the machine to shut down
Destructive Behavior
Classifications:

o
o

o
Data Diddling.
Changging the data
Difficult to get
Data Destruction
Deleting the data
Where Do They Come From?



Through any connection that you have to
the outside world.
Includes Internet
connections, dial-up
,
modems, and even physical access.
System cracker looking for passwords
data phone numbers
Lessons Learned






Hope you have backups
Don't put data where it doesn't need to be
Avoid systems with single points of failure
Stay current with relevant operating system
patches
Have someone on staff be familiar with security
practices
Firewalls
Questions



What is a firewall
Security Administrator Tool for
Analyzing Networks (SATAN)
Security issues:

How to
protect confidential information from
unauthorized users
 protect network and its resources from
malicious users and accidents originating
outside

Firewall
FIREWALL
Firewalls
security Administrator Tool for Analyzing
Networks (SATAN)
Router

Access Control List (ACL).

Proxy.
Types of Firewalls
 Application Gateways
 Packet Filtering
 Hybrid Systems

Application Gateways
Application Gateways



Application Layer
they don't allow anything to pass by default
typically the slowest
Packet Filtering




Transportor /session layer
routers have ACLs (Access Control Lists) turned on
less overhead much faster than its application layer
cousins.
use layers of packet filters in order to localize the traffic.
Packet Filtering
Hybrid Systems

security of the application layer gateways
with the flexibility and speed of packet
filtering,
Protecting Your Network
Protecting Confidential Information

Confidential Information resides on:



physical storage media
physical network in the form of packets
Common methods of attack are:





network packet sniffers
IP spoofing
password attacks
distribution of sensitive internal information to external
sources
man-in-the-middle attacks




So, what's best for me?
Secure Network Devices
Crypto-Capable Routers
Secure Modems; Dial-Back Systems
Virtual private network
Cryptography
Terminology






Plaintext or Cleartext
Encryption and decryption
Ciphertext
Cryptography and Cryptographers
Cryptanalysis and Cryptoanalyst
Cryptology
Benefits





Ensures privacy and Confidentiality
Authenticates networked individuals and
computers
Digital identification of persons and
Authorization
Non-repudiation
Integrity
Process of Encryption
Tonight at 10PM
encrypt
P{k*76<I-o(6gH
Tonight at 10PM
decrypt
Contd.




Cipher: a set of rules for encoding data.
Basic encryption requires an algorithm and
a key.
Key size determines the extent of security.
Two types of keys:


Secret key or symmetric encryption
public key or asymmetric encryption
Secret Key Cryptography
Secret Key
Message typed by Tim
9854
P:k*76&io0gH
Encrypt
Decrypt
INTERNET
9854
Secret Key
Original message read by Ann
Features

Advantage


Message secure
Disadvantages




Both parties must agree
Same key: read each others mail
n keys for n correspondents
Authenticity
Public Key Cryptography
Message typed by Tim
Ann’s Private Key
My public key
is 90876832
64732819
Decrypt
:L-9n643h2#D
Encrypt
90876832
INTERNET
Ann’s Public Key
Original message read by Ann
Features

Advantages



Public key distributed without compromise
through the service provider
Authenticates message’s originator
Disadvantages

confidentiality
Digital Signatures

Working




Message digest
info about the signer, timestamp
encrypted with secret key
Uses


verify sender
testify ownership of public key
Cryptographic Hash functions





Used to compute message digest
non reversible
No key
length:128 bit
Hash functions: MD5 and SHA
Digital Certificates





Accept your public key along with some
proof of your identity (it varies with the
class of certificate)
Like driver’s license
Certificate authorities: Verisign,
Cybertrust, and Nortel + Govt. issue
digital certificates
DC for a fee
Certificate Revocation List or CRL
Contents of Digital certificate
DIGITAL CERTIFICATE
X’s identifying Information: Name, organization, address
Issuing authority’s digital signature and ID information
X’s Public Key
Dates of Validity of this Digital ID
Class of Certificate
Digital ID Certificate number
Classes

Four classes of digital certificates:




#
CLASS
CLASS
CLASS
CLASS
1:
2:
3:
4:
Name and E-mail ID
Drivers license, SSN, Date of birth
Credit check
Position in organization etc.
verification requirements not yet finalized
Cryptographic system
Advantages and disadvantages
Encryption
Advantages
Symmetric Key Fast
Disadvantages
Both keys are the same
Can be easily implemented Difficult to distribute keys
in hardware
Does not support digital signatures
Public key
Uses two different keys
Relatively easy to distribute
Keys
Provides integrity and
non-repudiation through
Digital signatures
Slow and computationally intensive
Breaking Keys
Comparison of Time and Money Needed to Break Different Length Keys
Length of key in bits
Cost
40
$100 thousand 2 secs
56
35 hrs
64
1 yr
$1 million
$100 million
$1 billion
$100 billion
3.5 hrs
2 mins
13 secs
.1 sec
37 days
9 hrs
1 hr
32 secs
.2 secs
2 millisecs
.2 millisecs
2 microsecs
80
70000
yrs
7000 yrs
7000 yrs
7 yrs
24 days
128
19
10 yrs
18
10 yrs
16
10 yrs
15
10 yrs
13
10 yrs
Levels of security
Secret-Key and Public-Key Lengths for Equivalent Levels of Security
Secret-Key
Length
56 bits
64 bits
80 bits
112 bits
128 bits
Public-Key
Length
384 bits
512 bits
768 bits
1792 bits
2304 bits
Key Algorithms
Various Algorithms for Encryption Used by PGP
Function
Message
encryption
Digital
signature
Algorithms
Used
IDEA, RSA
MD5, RSA
Process
(1) Use IDEA with one-time session key
generated by sender to encrypt message.
(2) Encrypt session key with RSA using
recipient's public key.
(1) Generate hash code of message with
MD5.
(2) Encrypt message digest with RSA using
sender' private key.
Secret Key Algorithms

Vigenere


Enigma


historical cipher
by Germans in World war II
SAFER



J.L.Massey
64 and 128 bit keys
secure and fast
Contd.

DES: Data Encryption Standard





by IBM in 1977
56 bit key and 64 bit block size
easily breakable
variant 3DES
Blowfish


Bruce Schneier
variable length key (<448) and 64 bit block
size
Contd.

IDEA: International Data Encryption
Algorithm




ETH Zurich in 1991
128 bit key
very secure
RC2 & RC4



RSA data security
variable key size (40 common)
block & stream cipher
Public Key Algorithms

RSA: Rivest-Shamir-Adelman




used for signing and encryption
long keys (512, 768, 1024, 2048)
factors of large integers
Vulnerable to:
Chosen plain text attacks
 Timing attacks


Elliptic curve public key cryptosystems

New and Slow but secure
Contd.

Diffie-Hellman





oldest; for key exchange
based on discrete algorithm problem
strong prime and generator
Vulnerable to timing attack
DSS: Digital Signature Standard


US government
leaking hidden data and revealing secret key
Contd.

EIGamal


based on discrete algorithm problem
LUC



Peter smith
Uses LUCAS function
Four variations




LUCDIF PK-like diffie-Hellman
LUCELG PK-like ElGamel public key
LUCELG DS-like ElGamel digital signature
LUCDSA-like US DSS
Hash Functions

MD2, MD4, MD5: Message Digest
algorithm 5





at RSA data security
MD2, MD4
any length byte string to 128 bit value
popular and secure
SHA: Secure Hash Algorithm


By USG
Produces 160 bit hash value
Attacks on Cryptosystems





Ciphertext-only attack
Known-plaintext attack
Chosen-plaintext attack
Man-in-the-middle attack
Timing attack
Cryptographic Protocols








DNSSEC: Domain Name Server Security
GSSAPI: Generic Security Services API
SSL: Secure Socket Layer
SHTTP: Secure Hypertext Transfer
Protocol
S/MIME: Secure-MIME
MSP: Message Security Protocol
PKCS: Public Key Encryption Standards
SSH2 Protocol
CryptoAPI and CDSA

CryptoAPI





Microsoft for W95 and WNT
calling cryptographic functions through
standardized interface
modular
processing and managing digital certificates
CDSA: Common Data Security
Architecture


Intel cross platform
similar to CryptoAPI