Basic Internet Security Concepts


Basic Internet Security Concepts
J.W. Ryder
[email protected]
04-01-98
J.W. Ryder
Introduction
• The internet is a vast wilderness, an infinite world of opportunity
• Exploring, e-mail, free software, chat, video, e-business, information, games
• Explored by humans
Internet Security Concepts
• Introduction of several basic security concepts
• General mechanisms for protection
Sniffing and Spoofing
• [1]
• Sniffing
– The ability to inspect IP datagrams which are not destined for the current host.
• Spoofing
– After sniffing, create malicious havoc on the internet
[Diagram 1: example internet scenario. Node types in the legend: Unprotected Internet node, Private Network node, Secure Gateway node. Parties: Gabrielle Poirot (C), A Guy, Bank (I), Steve Burns (C), Sears, Wall Street (N), A Guy’s Swiss Bank, Ramon Sanchez (A). The letters match the security property of the scenario each party appears in on the following slides: C confidentiality, I integrity, N non-repudiation, A authentication.]
A Guy has no integrity
• Swiss Bank Scam
• Integrity - The guarantee that, upon receipt of a datagram from the network, the receiver will be able to determine if the data was changed in transit
Ramon springs for sound
• Sears solid state stereos
• Authentication - The guarantee that, upon receipt of a datagram from the network, the receiver will be able to determine if the stated sender of the datagram is, in fact, the sender
A guy sniffs success
• Gabrielle and Steve almost strike it rich
• Confidentiality - Ensure that each party which is supposed to see the data sees the data, and ensure that those who should not see the data never see the data.
Wall Street Woes
• A guy spots a hot stock tip
• Non-repudiation - Once a host has sent a datagram, ensure that that same host cannot later claim that they did not send the datagram
A guy becomes desperate
• Bring Wall St. to its knees
• Denial of Service Attack - Flood a given IP Address (Host) with packets so that it spends the majority of its processing time denying service
[Diagram 2: security functions in the communication stack. Stack layers, top to bottom: Application, IP, Physical Adapter. Functions placed alongside the stack: One Way Hash Functions (MD5, SHA1), Key Mgmt. Functions, Crypto Functions (DES, CDMF, 3DES).]
Protocol Flow
• [2, 3]
• Through layers, each layer has a collection of responsibilities
• ISO OSI Reference Model (Open Systems Interconnection)
• IP Datagram
[Diagram 3: IP Datagram = IP Hdr. + Data. MAC Function: Data -> MAC Fn -> Digest. Integrity: the datagram sent is IP Hdr. + Data + Digest.]
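The MAC Function diagram above shows the digest being appended to the datagram so the receiver can detect a change in transit. The following Python is an added example, not part of the original slides: it builds such a datagram, verifies it, and shows why an unkeyed digest only catches accidental corruption, while a keyed digest (HMAC-SHA1 is assumed here as the keyed construction; the slides do not name one) also catches a deliberate change by someone who does not hold the shared key. The header, payload and key values are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample values (not from the slides): a toy IP header, a payload,
# and a secret shared by sender and receiver for the keyed digest.
IP_HDR = b"src=10.0.0.1 dst=10.0.0.2 "
DATA = b"pay 100 CHF to account 4711"
SHARED_KEY = b"constructed-shared-secret"


def plain_digest(data: bytes) -> bytes:
    """MAC Fn with an unkeyed one-way hash (SHA1, one of the hashes on the slides)."""
    return hashlib.sha1(data).digest()


def keyed_digest(data: bytes, key: bytes) -> bytes:
    """Keyed digest; HMAC-SHA1 is assumed as the keyed construction."""
    return hmac.new(key, data, hashlib.sha1).digest()


def build_datagram(data: bytes, key: bytes = None) -> dict:
    """Sender side: IP Hdr. + Data + Digest, keyed if a shared key is given."""
    digest = keyed_digest(data, key) if key else plain_digest(data)
    return {"hdr": IP_HDR, "data": data, "digest": digest}


def verify_datagram(dgram: dict, key: bytes = None) -> bool:
    """Receiver side: recompute the digest and compare in constant time."""
    expected = keyed_digest(dgram["data"], key) if key else plain_digest(dgram["data"])
    return hmac.compare_digest(expected, dgram["digest"])


def tamper(data: bytes) -> bytes:
    """A change made in transit (constructed): the amount in the payload."""
    return data.replace(b"100 CHF", b"900 CHF")


def accidental_corruption_detected() -> bool:
    """A flipped bit with the digest left unchanged: the plain digest catches it."""
    dgram = build_datagram(DATA)
    dgram["data"] = bytes([dgram["data"][0] ^ 0x01]) + dgram["data"][1:]
    return not verify_datagram(dgram)


def forgery_detected_with_plain_digest() -> bool:
    """A deliberate change plus a recomputed digest: anyone can recompute an
    unkeyed hash, so the receiver cannot tell (this returns False)."""
    dgram = build_datagram(DATA)
    dgram["data"] = tamper(dgram["data"])
    dgram["digest"] = plain_digest(dgram["data"])
    return not verify_datagram(dgram)


def forgery_detected_with_keyed_digest() -> bool:
    """Same change, but the digest is keyed: without SHARED_KEY the best that
    can be attached is an unkeyed hash, which the receiver rejects (True)."""
    dgram = build_datagram(DATA, SHARED_KEY)
    dgram["data"] = tamper(dgram["data"])
    dgram["digest"] = plain_digest(dgram["data"])
    return not verify_datagram(dgram, SHARED_KEY)


if __name__ == "__main__":
    print("intact datagram accepted:", verify_datagram(build_datagram(DATA)))
    print("accidental corruption detected:", accidental_corruption_detected())
    print("forgery detected, plain digest:", forgery_detected_with_plain_digest())
    print("forgery detected, keyed digest:", forgery_detected_with_keyed_digest())
```

This is the distinction the later Keyed Digest table draws between Msg + MD (integrity only) and Msg + KD (integrity and authentication): the digest alone proves nothing about who computed it, the keyed digest does.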
Keys
• Bit values fed into cryptographic algorithms and one way hashing functions, which help provide confidentiality, integrity, and authentication
• The longer the better - 40, 48, 56, 128
• Brute force attacks can win with small keys
Symmetric Keys
• Have qualities such as life times, refresh rates, etc.
• Symmetric - Keys that are shared secrets on N cooperating, trusted hosts
Asymmetric
• Public / Private key pairs
• Public key lists kept on well known public key servers
• Public key is no secret. If it is, the strategy will not work.
• Public and Private keys are functional inverses of each other
• Private key is only known to you and must remain secret
Concept
• Sender encrypts data with private key
• Receiver decrypts data with public key
• Receiver replies after encrypting with public key
• Sender receives response and decrypts with private key
[Diagram 4: Encryption Function: Data + Key -> Crypto Fn. -> Encrypted Data. Confidentiality: the datagram sent is IP Hdr. + Encrypted Data.]
[Diagram 5: Decryption Function: Encrypted Data + Key -> Crypto Fn. -> Data. Confidentiality: the receiver recovers Data.]
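The Encryption Function and Decryption Function diagrams show one Crypto Fn. driven by a key in both directions, and the Keys slide says that brute force wins against small keys. The Python below is an added example, not from the slides: a counter-mode stream cipher whose keystream comes from HMAC-SHA1 (assumed here as a stand-in for the DES/3DES block function because it is in the standard library; it is not DES), and an exhaustive key search that recovers a deliberately tiny 16-bit key from one known plaintext, which is the reason the slides ask for 56 or 128 bits. Key and plaintext values are constructed.

```python
import hashlib
import hmac
import secrets

BLOCK = 20  # SHA1 digest length: bytes of keystream per counter value


def keystream_block(key: bytes, counter: int) -> bytes:
    """One keystream block: HMAC-SHA1 of a counter under the key. Stand-in for
    the DES/3DES block function of the slides; chosen for being in the stdlib."""
    return hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()


def crypto_fn(key: bytes, data: bytes) -> bytes:
    """Crypto Fn. of the diagrams. XOR with a counter-mode keystream is its own
    inverse, so one call encrypts (Data -> Encrypted Data) and the same call
    decrypts (Encrypted Data -> Data)."""
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        stream = keystream_block(key, offset // BLOCK)
        out.extend(b ^ k for b, k in zip(data[offset:offset + BLOCK], stream))
    return bytes(out)


def key_from_int(value: int, key_bits: int) -> bytes:
    """Encode a key of key_bits bits as bytes (key space 0 .. 2**key_bits - 1)."""
    return value.to_bytes((key_bits + 7) // 8, "big")


def brute_force_key(known_plaintext: bytes, ciphertext: bytes, key_bits: int):
    """Exhaustive search of the key space using a known plaintext/ciphertext
    pair. Finishes in a moment for a 16-bit toy key; a 40-bit CDMF key takes
    2**24 times as long, and 128 bits is out of reach. Returns None if the
    plaintext does not match under any key."""
    for candidate in range(1 << key_bits):
        if crypto_fn(key_from_int(candidate, key_bits), ciphertext) == known_plaintext:
            return candidate
    return None


def confidentiality_demo(data: bytes):
    """Encryption Function then Decryption Function with a fresh 128-bit key."""
    key = secrets.token_bytes(16)
    encrypted = crypto_fn(key, data)
    return encrypted, crypto_fn(key, encrypted)


if __name__ == "__main__":
    em, back = confidentiality_demo(b"constructed plaintext")
    print("encrypted:", em.hex())
    print("decrypted:", back)
    small_key = key_from_int(0x2A5C, 16)  # constructed 16-bit key
    ct = crypto_fn(small_key, b"hot stock tip")
    print("16-bit key recovered:", hex(brute_force_key(b"hot stock tip", ct, 16)))
```

Timing the search for 16, 20 and 24 bits and extrapolating is a good way to see why the 56-bit and 128-bit numbers on the Keys slide are not arbitrary: every extra key bit doubles the work of an exhaustive search while adding nothing to the cost of legitimate use.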
MACs
• Message Authentication Codes, One Way Hashing Functions
• A function h that is easy to compute, but for which it is computationally infeasible to find 2 messages M1 and M2 such that
– h(M1) = h(M2)
• MD5 (RSA: Rivest, Shamir, Adleman); SHA1 (NIST)
• MD5 yields a 128 bit digest [3]
DES
• Data Encryption Standard
• U.S. Govt. Standard
• 56 bit key - originally 128 bits
• Absolute elimination of exhaustive search of key space
• U.S. Security Agency request - reduce to 56 bits
• Export CDMF (40 bits)
• Keys are secrets to algorithms, not algorithms themselves [4, 5]
[Diagram: Confidentiality & Integrity: IP Hdr. + Encrypted Data + Digest. Confidentiality, Integrity, & Authentication: IP Hdr. + Encrypted Data + Digital Signature (Enc. Digest).]
[Diagram: Data + Key -> CF (Crypto Fn.) -> EM (encrypted message); Data -> MAC -> Digest, from which DS (the digital signature, i.e. the encrypted digest) is formed. MAC_Time < CF_Time.]
Why would a guy prefer a Digital Signature over a Keyed Digest? Why not?
What types of Security are provided with EM, DS, Digest, Keyed Digest?
Keyed Digest
Combinations and the security each provides (Msg = plain message, MD = Digest, EM = encrypted message, DS = Digital Signature, KD = Keyed Digest):
Msg        No Security
Msg + MD   Integrity
EM         Confidentiality
EM + MD    Conf. & Integrity
Msg + DS   Integrity & Auth.
EM + DS    Conf., Int., & Auth.
Msg + KD   Integrity & Auth.
EM + KD    Conf., Int., & Auth.
Purpose
• Some ideas on Internet Security
• Classes of mischief on the Internet, definitions
• Tools to fight mischief
• Combinations of these tools
Purpose continued
• Very high level
• Good starting point for further study about
– General networking & strategies
– Cryptography
– Key Management
– Algorithm Analysis
Post Presentation Results
• Should be familiar with concepts & terms such as
– Integrity, Authentication, Non-repudiation, Confidentiality
– Keys, MACs, Cryptography, Digest, Digital Certificates, Datagram
– High level understanding of some methods to combat some of the above types of Internet mischief