沒有投影片標題 - National Tsing Hua University
Download
Report
Transcript 沒有投影片標題 - National Tsing Hua University
Private-key Digital Signature with message digest
KBB(A,t,MD(p))
(C) All rights reserved by Professor Wen-Tsuen Chen
1
MD in Public-key Digital Signature
(C) All rights reserved by Professor Wen-Tsuen Chen
2
IP Security
Security-related Proposed standards in
RFC1825,1826,1827,1828,1829.
Mandatory for IPv6 and optional for IPv4.
The key concept is the security association which is a oneway relationship between a sender and a receiver. For twoway secure exchange, two security associations are
required.
In any IP packet, the security association is uniquely
identified by the Destination Address in the IP header and
the security parameter index (SPI) in the enclosed
extension header.
(C) All rights reserved by Professor Wen-Tsuen Chen
3
8
0
Next Header
16
Length
31
Reserved
Security Parameters Index
Authentication Data
(Variable number of 32-bit words)
Length : Length of Authentication Data field in 32-bits words.
Security Parameters index: Identifies a security association.
(C) All rights reserved by Professor Wen-Tsuen Chen
4
IP authentication
RFC 1828 specifies the use of MD5 for authentication.
The MD5 algorithm is performed over the IP packet plus a
secret key and then inserted into the IP packet.
At the destination, the same calculation is performed on
the IP packet plus the secret key and compared to the
received value.
Provides both authentication and data integrity.
(C) All rights reserved by Professor Wen-Tsuen Chen
5
IP Encapsulating Security Payload
Provide support for privacy and data integrity for
IP packets.
Transport-mode ESP mechanism encrypts a
transport-layer segment, while tunnel-mode ESP
mechanism encrypts an entire IP packet.
Transport mode ESP is susceptible to traffic
analysis on the transmitted packets.
(C) All rights reserved by Professor Wen-Tsuen Chen
6
Use DES-CBC (Data Encryption Standard-Cipher
Block Chaining) in ESP specification
0
16
24
31
Security Parameters Index (SPI)
Initialization Vector
Payload Data
Padding
Pad Length Payload Type
LENGEND
= Encrypted
(C) All rights reserved by Professor Wen-Tsuen Chen
7
Secure IPv4 datagram or IPv6 packet
The ESP header begins with a SPI and possibly some parameters, transmitted in
plaintext form. The remainder is encrypted.
(C) All rights reserved by Professor Wen-Tsuen Chen
8
IP Authentication Plus Privacy
(C) All rights reserved by Professor Wen-Tsuen Chen
9
DNS: Domain Name System
Use a hierarchical naming scheme know as domain names.
Defined in RFCs1034 and 1035.
(C) All rights reserved by Professor Wen-Tsuen Chen
10
A subtree of names, managed by a given name server, forms a
zone of authority.
(C) All rights reserved by Professor Wen-Tsuen Chen
11
Domain Name Resolution
The domain mechanism for mapping names to IP address consists of
independent cooperative system called name servers.
Domain name servers are organized in a tree.
Root Server
Server for .com
Server for .edu
Server for .gov
Server for .tw
Server for
dec.com
Server for
mit.edu
Server for
nsf.gov
Server for
nthu.edu.tw
Use top-down search.
In theory, each server knows the addresses of all lower-level servers
for all its subdomain.
(C) All rights reserved by Professor Wen-Tsuen Chen
12
When a domain name server receives a query, if the name lies in
the subdomain for which it is an authority, sends the answer to
the client.
Otherwise, check the type of interaction specified by the client.
If recursive resolution (complete translation), the server contacts
a domain name server that can resolve the name and returns the
answer. If iterative resolution, generates a reply that specifies
the next name server the client should contact.
A client must know at least one name server.
To ensure that a domain name server can reach others, the DNS
requires that each server know the address of at least one root
server.
Use caching for efficient name resolution.
(C) All rights reserved by Professor Wen-Tsuen Chen
13
DNS Resource Records
RESOURCE DOMAIN NAME
…...
TYPE
CLASS
TIME TO LIVE
RESOURCE DATA LENGTH
RESOURCE DOMAIN NAME
…...
(C) All rights reserved by Professor Wen-Tsuen Chen
14
(C) All rights reserved by Professor Wen-Tsuen Chen
15
Network Management Systems
A network management system is a collection of
tools for network monitoring and control.
It has the following key elements:
Management station, or manager.
Agent in managed nodes, equipments etc.
Management Information base (MIB).
Network management protocol.
(C) All rights reserved by Professor Wen-Tsuen Chen
16
(C) All rights reserved by Professor Wen-Tsuen Chen
17
The management station will have
A set of management applications for data analysis,
fault recovery etc.
An Interface by which the network manager may
monitor and control the network.
The capability of translating the network manager’s
requirements into the actual monitoring and control of
remote elements in the network.
A database of network management information
extracted from the database of all the managed entities
in the network.
(C) All rights reserved by Professor Wen-Tsuen Chen
18
The agent is an active element residing in hosts, bridges,
routers, and hubs etc. that responds to requests for
information or actions from a management station, and
may provide the management station (through trap) with
important but unsolicited information.
An MIB is a collection of objects which are resources in
the network that may be managed.
Network management protocol for TCP/IP networks is
SNMP (Simple network management protocol), and for
OSI-based networks is CMIP (Common Management
Information Protocol).
(C) All rights reserved by Professor Wen-Tsuen Chen
19
SNMP: Simple Network Management Protocol
First Proposed in 1988, RFC 1028, RFC 1067
Version 1 of SNMP in May 1990, RFC 1157
SNMPv2 issued in 1993, RFCs 1441 to 1452.
SNMP provides the infrastructure for network
management applications.
The object definition language ASN.1 (Abstract
Syntax Notation One), taken from OSI, is used for
defining objects in MIBs.
(C) All rights reserved by Professor Wen-Tsuen Chen
20
Structure of Management Information
The SMI defines the general framework within
which and MIB can be defined and constructed.
The SMI identifies the data types (only simple) the
scalars and two-dimensional arrays of scalars,
called tables) that can be used in the MIB, and
how resources within the MIB are represented and
named.
(C) All rights reserved by Professor Wen-Tsuen Chen
21
(C) All rights reserved by Professor Wen-Tsuen Chen
22
SNMP Protocol
Provides a basic mechanism for the exchange of
management information between manager and agent.
Get-bulk-request, Inform-request, Response, and
SNMPv2-trap are SNMPv2 specific.
An SNMPv2-trap is generated by an agent for reporting
unusual events.
Inform-request is sent by a manager on behalf of an
application, to another manager for providing management
information to an application.
The manager receiving an Inform Request acknowledges
receipt with Response.
(C) All rights reserved by Professor Wen-Tsuen Chen
23
in lexicographic order
Response
Acknowledgement of receipt by Inform-request
(C) All rights reserved by Professor Wen-Tsuen Chen
24
Remote Network Monitoring
RMON, RFC 1757 in Feb. 1995 for internetwork
management.
To monitor subnetwork-wide behavior while
reducing the burden both on other agents and on
management stations.
The RMON specification is primarily a definition
of a MIB and for defining standard networkmonitoring functions and interfaces for
communicating between SNMP-based
management consoles and remote monitors.
(C) All rights reserved by Professor Wen-Tsuen Chen
25
Applications
Email: SMTP, MIME.
File Transfer Protocols: FTP, TFTP, NFS.
Remote Login: TELNET.
World Wide Web: HTTP.
(C) All rights reserved by Professor Wen-Tsuen Chen
26
Electronic Mail
Simple Mail Transfer Protocol (SMTP) is the standard
protocol for transferring mail between hosts in the TCP/IP
protocol, defined in RFC 821. Mail format is defined in
RFC 822.
Multipurpose Internet Mail Extensions (MIME) is an
extension to the RFC 822, provided in RFC 1521 and 1522.
SMTP did not specify the message contents, usually is
used to sent text messages. MIME address the content
formats and transfer encoding.
(C) All rights reserved by Professor Wen-Tsuen Chen
27
(C) All rights reserved by Professor Wen-Tsuen Chen
28
(C) All rights reserved by Professor Wen-Tsuen Chen
29
(C) All rights reserved by Professor Wen-Tsuen Chen
30
(C) All rights reserved by Professor Wen-Tsuen Chen
31
(C) All rights reserved by Professor Wen-Tsuen Chen
32
(C) All rights reserved by Professor Wen-Tsuen Chen
33
(C) All rights reserved by Professor Wen-Tsuen Chen
34
Email Gateways
For bridging two email systems differing in message
formats and protocols (e.q., RFC 822 and X.400)
(C) All rights reserved by Professor Wen-Tsuen Chen
35
Email Security
PGP: Pretty Good Privacy, by Phil Zimmermaun in 1995.
Support text compression, secrecy and digital signatures.
(C) All rights reserved by Professor Wen-Tsuen Chen
36
PGP message format
(C) All rights reserved by Professor Wen-Tsuen Chen
37
PEM: Privacy Enhanced Mail
An official Internet standard described in RFC
1421-1424.
Support privacy and authentication for RFC 822
based email systems.
The message together with its message digest is
encrypted using DES with a one-time key that is
enclosed along with the message.
The key can be protected with RSA and certified
by certification authorities.
(C) All rights reserved by Professor Wen-Tsuen Chen
38
(C) All rights reserved by Professor Wen-Tsuen Chen
39
World Wide Web
An architectural framework for accessing linked
documents spread out all over the Internet.
The first proposal for a web of linked documents by CERN,
the European center for unclear research, physicist Tim
Berners-Lee in March 1989.
The first graphical interface Mosaic released in Feb. 1993,
developed by Marc Andreesen et al. In the National Center
for Supercomputing Applications, situated in Univ. of
Illinois, Urbana-Champaign.
Netscape Communications Corp. was founded in 1994.
World Wide Web Consortium formed in 1994 in M.I.T and
INRIA. Home page: http://www.w3.org.
(C) All rights reserved by Professor Wen-Tsuen Chen
40
World Wide Web Elements
URL: Uniform resource locator
HTTP: Hypertext Transfer Protocol
HTML: Hypertext Markup Language
Java Language
(C) All rights reserved by Professor Wen-Tsuen Chen
41
URL: Uniform Resource Locator
Defined in RFC 1738, 1808.
A URL is compact representation of the location
and access method for a resource available via the
Internet.
A resource is any object that can be accessed by
the Internet, including file directories, files,
documents, images, audio and video clips, etc.
The general from of a URL
<scheme>:<scheme-specific-part>
(C) All rights reserved by Professor Wen-Tsuen Chen
42
RFC 1738 defines URL formats for the following
access schemes:
ftp
http
gopher
mailto
news
nntp
telnet
wais
file
prospero
File Transfer Protocol
Hypertext Transfer Protocol
The Gopher Protocol
Electronic mail address
USNET news
USNET news using NNTP access
Reference to interactive sessions
Wide-Area Information Servers
Host-specific file names
Prospero Directory Service
(C) All rights reserved by Professor Wen-Tsuen Chen
43
(C) All rights reserved by Professor Wen-Tsuen Chen
44
URI: Universal Resource Identifier (URI)
Specified in RFC 1630.
A unifying syntax for the expression of names and
addresses of objects on the Internet as used in the
World Wide Web.
The URL is a type of URI, in which an access
protocol is designated and a specific Internet
address is provided.
Decouple the name of a resource from its location
and even from its access method.
(C) All rights reserved by Professor Wen-Tsuen Chen
45
HTTP: Hypertext Transfer Protocol
A client-server protocol for transferring
information, including (not just hypertext) plain
text, hypertext, audio, images, or any Internetaccessible information.
HTTP is the foundation protocol of the world wide
web and typically used between a web browser
and a web server.
(C) All rights reserved by Professor Wen-Tsuen Chen
46
(C) All rights reserved by Professor Wen-Tsuen Chen
47
General structure of HTTP messages
Request-Line
Status-Line
General-Header
General-Header
Request-Header
Response-Header
Entity-Header
Entity-Header
Entity-Body
Entity-Body
(C) All rights reserved by Professor Wen-Tsuen Chen
48
(C) All rights reserved by Professor Wen-Tsuen Chen
49
HTML: Hypertext Markup Language
A language for describing how documents (Web
pages) are to be formatted.
Embedding markup commands with each HTML
files so that a browser can reformat the files.
Standardization of HTML is managed by the
WWW consortium.
(C) All rights reserved by Professor Wen-Tsuen Chen
50
Java Language
Developed by Sun Microsystems Inc. in 1995.
For waiting interactive web pages.
A small Java program, called an applet, is
associated with a web page and downloaded to the
client machine to interpret the web page.
(C) All rights reserved by Professor Wen-Tsuen Chen
51
(C) All rights reserved by Professor Wen-Tsuen Chen
52