CN 2015 5 - SNGCE DIGITAL LIBRARY
Download
Report
Transcript CN 2015 5 - SNGCE DIGITAL LIBRARY
COMPUTER NETWORKS
Mr. DEEPAK P.
Associate Professor
ECE Department
SNGCE
1
DEEPAK.P
UNIT 5
2
DEEPAK.P
Network Security
3
DEEPAK.P
Network Security
Security
It means protecting the information.
Communicate securely over an in secure medium
Three types of security
1 Computer security
Protect data stored in a computer from hackers.
2 Internet security
Protecting data during its transmission among the
interconnected network.
3. Network Security - measures to protect data during
their transmission
4
DEEPAK.P
1. Computer Security
Computer security consists of the provisions and policies
adopted for protecting a computer from
Unauthorized access,
2. Misuse,
3. Modification,
1.
5
DEEPAK.P
2. Internet Security
Its objective is to establish rules and measures to use against
attacks over the Internet.
The Internet represents an insecure channel for exchanging
information leading to a high risk of intrusion or fraud
6
DEEPAK.P
3. Network Security
Computer security consists of the provisions and policies
adopted by a network administrator to prevent and
monitor
1.
2.
3.
4.
5.
7
Unauthorized access,
Misuse,
Modification,
Denial of a computer network
Network-accessible resources.
DEEPAK.P
Network Security Model
8
DEEPAK.P
Network Security Model
Receiver
Message
Secure Message
Secure Message
Security related information
Message
Sender
Secret information
Secret information
9
DEEPAK.P
Network Security Model Design Tasks
10
1.
Generate secret information by using an algorithm
2.
Develop methods to distribute and share secret
information.
DEEPAK.P
Security Services and Goals
11
DEEPAK.P
Security Goals
12
DEEPAK.P
Security Attack on Goals
The three goals of securityconfidentiality, integrity, and
availabilitycan be threatened by security attacks.
13
Security Attack on Goals
Snooping refers to unauthorized access to or
interception of data.
Traffic analysis refers to obtaining some other type of
information by monitoring online traffic.
14
Security Attack on Goals
Modification means that the attacker intercepts the message
and changes it.
Masquerading or spoofing happens when the attacker
impersonates somebody else.
Replaying means the attacker obtains a
of a message sent by a user and later tries to replay it.
copy
Repudiation means that sender of the message might later
deny that she has sent the message; the receiver of the
message might later deny that he has received the message.
15
Security Attack on Goals
Denial of service (DoS) is a very common attack. It may
slow down or totally interrupt the service of a system.
16
Security Services
17
DEEPAK.P
Security Services
Three Aspects of Security
1. Security Services--- Enhances the security
1. Privacy
•
It can be achieved by public or private key
cryptography
2. Authentication
•
The receiver needs to be sure about the senders
identity
3. Integrity
•
Data arriving at receiver is exactly same as that
of sent
18
DEEPAK.P
Security Services
4. Non-Repudiation
• Receiver should be able to prove that message it has
received has come from a specific sender
5. Confidentiality
• Protect data from un authorized disclosure
6. Availability
• The information created and stored by an organization
needs to be available to authorized entities.
19
DEEPAK.P
Confidentiality
Transmitted info in an insecure channel can only be
understood by desired destination/s
It must stay unintelligible for the rest
Ways of protection:
Dedicated physical links
High cost
Difficult maintenance
Cipher
Attack e.g.: obtaining data from sender
20
Integrity
Ensures that transmitted info was not modified during the
communication process
Message in destination must be the same as in source
Ways of protection:
Digital signature
Attack e.g.: modifying the destination address in a product
bought on the internet
21
Authenticity
Ensures the source of the info
Avoids imitation
Ways of protection:
Digital signature
2. Challenge
3. Human authentication
Biometric (fingerprint, retina, facial recognition, etc.)
Attack e.g.: user impersonation in bank transaction
1.
22
Virtual Networks
Non-repudiation:
Avoid sender’s denial
Avoid receiver’s denial
Ways of protection:
Digital signature
Attack e.g.: loss of an application form
23
Virtual Networks
Types of Attack
24
DEEPAK.P
Attack
In computer and computer networks an attack is any attempt
to destroy, expose, alter, disable, steal or gain
unauthorized access to or make unauthorized use of an
asset
Attacks: Violation of channel security
Any action that compromises the security of information is
called attack.
If channel is Non-reliable, attack will happened
25
Types of Attack
26
Types of Attack
Passive
2. Active
From the word active, it is clear that it is nothing but direct
attack
Passive attack is indirect attack
1.
Categories
Interception
2. Interruption
3. Modification
4. Fabrication
1.
27
Types of Attack
28
Passive attacks
Attacker does not change the content of the transmitted
information
Objectives:
1. Entity identification
2. Traffic control
3. Traffic analysis
4. Usual data exchange time detection
Difficult to detect
Easy to avoid -> encryption
29
Passive Attack
30
Active attacks
Attacker does change the content of the transmitted
information
Types:
1. Masked (impostor)
2. Repetitive (intercepted msg, repeated later)
3. Msg modification
4. Service denial
Difficult to prevent
Easy to detect -> detection & recovery
31
Active Attack
32
Categories of Active Attack
Interruption:
Destruction of a shared resource
Active
E.g:
Destruction of hardware
Communication breakdown
Receiver
Transmitter
Intruder
33
Virtual Networks
Interruption
Cutting wires
Jamming wireless signals
Dropping of packet by switch
34
DEEPAK.P
Interception
Interception
Receiver
Transmitter
Intruder
35
Virtual Networks
Interception
Try to tamper (alter) the message for his/her on
36
benefit
Confidentiality attack
Passive
A non-authorized intruder achieves the access to a nonshared resource
E.g:
Traffic capture
Obtaining copies of files or programs
DEEPAK.P
Modification
Receiver
Transmitter
Intruder
37
Virtual Networks
Modification
Try to intercept the message and send the modified
one
A non-shared resource is intercepted & modified by a nonauthorized host before arriving to its final destination
Active
E.g:
Change in sent data
38
DEEPAK.P
Fabrication
Fabrication (spoofing)
Receiver
Transmitter
Intruder
39
Virtual Networks
Fabrication
Message may be sent by a stranger by acting as a friend
Authenticity attack
Active
Non-authorized host (impostor) generates a resource that
arrives to the final destination
E.g:
Fraud information
40
DEEPAK.P
Malicious programs
41
Security Mechanisms
42
DEEPAK.P
Security Mechanisms
Security mechanism
It is designed to detect, prevent, recover from security
attack.
It is classified in to two
Specific Security mechanism
It is incorporated in to appropriate protocol
layer
Pervasive security mechanism
Not specific to any protocol layer
43
DEEPAK.P
Security Mechanisms
44
Virtual Networks
Security Mechanisms
Two techniques are relevant today: cryptography and
steganography.
1.
Cryptography
2.
Steganography
Steganography is the art or practice of concealing a
message, image, or file within another message, image,
or file.
45
Virtual Networks
Cryptography
46
DEEPAK.P
Cryptography
Way of protecting information against intruders (encryption
& digital signatures)
Definition
Science of secret writing, for hiding information from
third parties
Principle
Keeping privacy between two or more communication
elements
47
Cryptography
Cryptography means-Secret writing
It is a science of transforming messages and make them
48
secure.
Cryptographic techniques allow sender to mask data.
Cryptographic techniques allow receiver to recover data
from masked data.
It is the study of Encryption and Decryption methods.
Encryption—Plain text to cipher text
Decryption—Cipher text to Plain text
DEEPAK.P
Cryptography Model
49
DEEPAK.P
Components in Cryptography
B
A
A
Plain Text
Encryption
Plain Text
Network
Cipher Text
50
DEEPAK.P
Decryption
Cryptography
Transmitter
cipher
51
Receiver
decipher
Cryptography
Functioning basis
Altering original msg to avoid the access to the
information of any non-authorized party
E.g
Original msg: “This lecture is boring”
Altered msg: “Wklv ohfwxuh lv erulqj”
Caesar cipher (K=3)
52
Cryptography
Cipher:
Mechanism that converts a
plain msg in an unintelligible
one
Cipher algorithm needs a key
53
Virtual Networks
Decipher:
r Mechanism that converts an
unintelligible msg in the
original one
r Necessary to know the used
cipher algorithm and the key
Encryption& Decryption
Encryption
A Key
Plain Text
Encryption Algorithm
Cipher Text
54
DEEPAK.P
Decryption
A Key
Cipher Text
Decryption Algorithm
Plain Text
Encryption& Decryption
Encryption and decryption algorithm are public.
The keys are secret.
Key is a value or number
55
DEEPAK.P
Classification of Cryptography
Cryptographic algorithm can be classified in to
Symmetric key type or secret key
Same key is used by sender and receiver (Key is
shared)
Public Key type or asymmetric
Two keys are used
Public key
Used for encryption
Available to public
56
DEEPAK.P
Cryptography
57
Symmetric Key
Cryptography
58
DEEPAK.P
Symmetric Key
Features:
Private key
Transmitter & Receiver share the same key
Transmitter
cipher
59
Virtual Networks
Receiver
decipher
Privacy using private key cryptography
60
DEEPAK.P
Symmetric Key
Algorithms:
DES, 3DES, RC5, IDEA, AES
Requirements:
Neither plaintext nor the key may be extracted from the msg
The cost in time & money of obtaining the information must be higher than the
value of the obtained information
Algorithm strength:
Internal complexity
Key length
61
Symmetric Key
Accomplished objectives:
Confidentiality
Integrity
Authentication
Non repudiation
62
Symmetric Key
Advantages:
Algorithm execution rate
Best method to cipher great pieces of information
Disadvantages:
Distribution of private key
Key management
The number of used keys is proportional to the number of used
secure channels
63
Symmetric key Types
64
DEEPAK.P
Symmetric key Cryptography
B
A
A
Plain Text
Encryption
Plain Text
Network
Cipher Text
Shared key
65
DEEPAK.P
Decryption
Symmetric key Cryptography
Also called single key/Conventional
Two types
Traditional cipher
I.
Mono alphabetic cipher
Caesar cipher
One time pad
Play fair
Hill
Poly Alphabetic
1.
2.
3.
4.
5.
6.
a)
66
DEEPAK.P
Vigenere cipher
Symmetric key Cryptography
II. Modern Ciphers
Simple Modern cipher (Stream)
XOR
Rotation
Substitution Cipher
Transposition cipher
Modern cipher( Block)
DES
Triple DES
AES
67
DEEPAK.P
Ceasar Cipher
Replacing each letter of the alphabet to the letter
specified the key value.
It is also called shift cipher.
Eg.
Key=3
Plain text =hello
Cipher text=khoor
68
DEEPAK.P
Ceasar Cipher
69
DEEPAK.P
Poly alphabetic Substitution
This is an improvement over the Caesar cipher
Here the relationship between a character in the plaintext
and a character in the cipher text is always one-to-many.
Example of poly alphabetic substitution is the Vigenere
cipher.
In this case, a particular character is substituted by different
characters in the cipher text depending on its
position in the plaintext.
70
DEEPAK.P
Poly alphabetic Substitution
71
DEEPAK.P
Transpositional Cipher
The transpositional cipher, the characters remain unchanged but
their positions are changed to create the ciphertext.
The characters are arranged in two-dimensional matrix and
columns are interchanged according to a key is shown in the
middle portion of the diagram.
Transpositional cipher is also not a very secure approach.
The attacker can find the plaintext by trial and error utilizing
the idea of the frequency of occurrence of characters.
72
DEEPAK.P
Transpositional Cipher
73
DEEPAK.P
Block Cipher
Block ciphers use a block of bits as the un it of encryption and
decryption.
To encrypt a 64-bit block, one has to take each of the 2^64
input values and map it to one of the 2^64 output values.
The mapping s hould be one-to-one.
74
DEEPAK.P
Block Cipher
75
DEEPAK.P
Data Encryption Standard (DES)
76
DEEPAK.P
Data Encryption Standard (DES)
77
DEEPAK.P
Data Encryption Standard (DES)
One example of the block cipher is DES
78
DEEPAK.P
Data Encryption Standard (DES)
79
DEEPAK.P
Triple DES
80
DEEPAK.P
Asymmetric Key
Cryptography
81
DEEPAK.P
Asymmetric Key
Features:
Public Key
Every party has got a pair of keys (private-public)
Transmitter
cipher
82
Receiver
decipher
Asymmetric Key
Features:
Each participant has a secret key (private key)
To send a message
83
Encrypt with public key
To decrypt, decrypt using a private key
Privacy using public key cryptography
84
DEEPAK.P
Asymmetric Key
Algorithms:
1. Diffie-Hellman,
2. RSA,
3. DSA
The cost in time & money of obtaining the information must be
higher than the value of the obtained information
For an public-key encrypted text, there must be only a
private key capable of decrypt it, and viceversa
85
Asymmetric Key
Accomplished objectives:
Confidentiality
Integrity
Authentication
Offers very good mechanisms
Non repudiation
86
Virtual Networks
Asymmetric Key
Advantages:
No problems for key distribution -> public key
In case of the steal of a user’s private key, only the msgs sent to
that user are involved
Better authentication mechanisms than symmetric systems
Disadvantages:
Algorithm execution rate is high
87
Asymmetric key Types
88
DEEPAK.P
Public key Cryptography
Most common Algorithms are
RSA
2. Diffie-Helman
1.
89
DEEPAK.P
Public key Cryptography
B
A
A
Plain Text
Encryption
Plain Text
Network
Decryption
Cipher Text
Public key
90
DEEPAK.P
Private key
RSA Algorithm
It is by the first three letters of 3 developers (Rivest,
Shamir, Adelman)
It is a public key crypto system
It is a very strong algorithm
Disadvantage
Key requires at least 1024 bits for good security
91
DEEPAK.P
RSA Algorithm
Public key algorithm that performs encryption as well as
decryption based on number theory
92
DEEPAK.P
RSA Algorithm Steps
Choose two large prime numbers (P,Q)
Compute n=P*Q
Compute Z=(P-1)*(Q-1)
Choose a number relatively prime to Z and call it D
Find E such that E*D=1 mod Z
Encryption
To encrypt a message P,
Compute
C=Pe (mod (n))
93
DEEPAK.P
RSA Algorithm Steps
Decryption
To Decrypt the message C,
Compute
P=Cd (mod n)
To perform encryption we need e&n
To perform Decryption we need d&n
Public key consists of Pair(e&n)
Private key consists of Pair (d&n)
94
DEEPAK.P
RSA
95
DEEPAK.P
Digital Signature
96
DEEPAK.P
Digital Signature
A digital signature is a mathematical scheme for
demonstrating the authenticity of a digital message or
document.
By message authentication we mean that the receiver should
be sure about sender’s identity.
A digital signature is the electronic signature (Certificate)
duly issued by the Certifying Authority that shows the
authenticity of the person signing the same.
97
DEEPAK.P
Digital Signature Process
98
DEEPAK.P
Authentication, Integrity and Non repudiation using
Digital Signature
Digital Signature provides the three security services such as
Authentication, Integrity and Non-repudiation.
There are two option for Digital Signature:
Signing the entire document
2. Signing the digest (sample of the message)
1.
99
DEEPAK.P
Signing the Entire Document
In the first case the entire document is encrypted using
private key of the sender and at the receiving end it is
decrypted using the public key of the sender.
For a large message this approach is very inefficient.
100
DEEPAK.P
Signing the Entire Document
In the second case a miniature version of the message,
known as digest , is encrypted using the private key of the
sender and then the signed digest along with the message is
sent to the receiver
101
DEEPAK.P
Digital Signature Using Hash function
102
DEEPAK.P
Digital Signature
103
DEEPAK.P
Digital Signature
104
DEEPAK.P
Firewall
105
DEEPAK.P
Firewalls
To accomplish the security it is necessary to perform user
authentication and access control to protect the networks
from unauthorized traffic. This is known as firewalls
Firewall system is an electronic security guard and electronic
barrier at the same time.
It protects and controls the interface between a private network
and an insecure public network
A firewall is a device (or software feature) designed to control
the flow of traffic into and out-of a network.
106
Firewalls
107
Firewalls
In general, firewalls are installed to prevent attacks.
A firewall can be hardware or software
It is responsible for partitioning a designated area such that
any damage on one side cannot spread to the other side.
Ex. Some routers come with firewall functionality
ipfw, ipchains, pf on Unix systems, Windows XP and Mac
OS X have built in firewalls
108
Firewalls
Internet
DMZ
Web server, email
server, web proxy,
etc
Firewall
Firewall
Intranet
109
Firewalls
The firewalls can be broadly categorized into the following
three types:
1.
2.
3.
Packet Filters
Application-level Gateways
Circuit-level Gateways
Packet Filters or Packet filtering router applies a set of rules to
each incoming IP packet and then forwards or discards it.
Packet filter is typically set up as a list of rules based on
matches of fields in the IP or TCP header.
110
Firewalls
Used to filter packets based on a combination of features
These are called packet filtering firewalls
Ex. Drop packets with destination port of 23 (Telnet)
111
Firewalls
Application level gateway, also called a Proxy Server acts as a
relay of application level traffic.
Users contact gateways using an application and the request is
successful after authentication.
112
Firewalls
Circuit-level gateway can be a standalone or a specialized
system.
113
Components in a Active Firewalls
114
Components in a Active Firewalls
115
IP security(IP.sec)
116
DEEPAK.P
Ip.sec.
Internet Protocol Security (IPsec) is a protocol suite for
securing Internet Protocol (IP) communications by
authenticating and encrypting each IP packet of a
communication session.
IPsec includes protocols for establishing mutual
authentication between agents at the beginning of the
session and negotiation of cryptographic keys to be used
during the session.
The Microsoft implementation of IPSec is based on standards
developed by the Internet Engineering Task Force (IETF)
IPSec working group.
117
Ip.sec.
118
Ip.sec.
119
Ip.sec.
The IP security architecture uses the concept of a security
association as the basis for building security functions into
IP.
A security association is simply the bundle of algorithms and
parameters (such as keys) that is being used to encrypt and
authenticate a particular flow in one direction.
IPsec supports two encryption modes: Transport and
Tunnel.
Transport mode encrypts only the data portion (payload) of
each packet, but leaves the header untouched.
120
Ip.sec.
In tunnel mode, the entire IP packet is encrypted and/or
authenticated.
It is then encapsulated into a new IP packet with a new IP
header.
On the receiving side, an IPSec-compliant device decrypts
each packet
Tunnel mode is the more secure mode..
121
Ip.sec.
122
Ip.sec. Architecture
123
Ip.sec. Vs TLS
124
Pretty Good Privacy(PGP)
125
DEEPAK.P
PGP
Pretty Good Privacy or PGP is a popular program used to
encrypt and decrypt email over the Internet, as well as
authenticate messages with digital signatures and encrypted
stored files.
Developed by Phil Zimmerman in 1995.
There are two main schemes which are especially designed to
provide confidentiality and authentication for electronic
mail systems. These are:
PGP(Pretty Good Privacy)
2.
S/MIME(Secure/Multipurpose Internet Mail
Extension)
1.
126
PGP
PGP combines the best available cryptographic algorithms
to achieve secure e-mail communication.
It is assumed that all users are using public key
cryptography and have generated a private/public key pair.
Either RSA (with RSA digital signatures) or El Gamel (with
DSA) can be used.
All users also use a symmetric key system such as triple
DES or Rijndael.
127
PGP
PGP is a type of Public Key cryptography.
It is a computer program that encrypts (scrambles) and decrypts
(unscrambles) data.
When you begin using PGP , it generates two keys that belong
uniquely to you.
One PGP key is Private and stays in your computer, while
the other key is Public.
You give this second key to your correspondents
128
PGP
PGP is similar to your telephone number.
You can advertise your Public Key the same way as you do
your telephone number.
If I have your telephone number, I can call you, however I
cannot answer your telephone.
Similarly, if I have your Public Key, I can send you mail,
however I cannot read your mail.
129
PGP
130
PGP Encryption
PGP encryption uses a serial combination of hashing, data
compression, symmetric-key cryptography, and finally publickey cryptography.
131
PGP Decryption
PGP encryption uses a serial combination of hashing, data
compression, symmetric-key cryptography, and finally publickey cryptography.
132
PGP
PGP offers 5 services:
1.
Authentication
2.
Confidentiality
3.
Compression
4.
E-mail compatibility
5.
Segmentation
133
SSL/TLS
134
DEEPAK.P
SSL/TLS
Transport Layer Security (TLS) and its predecessor, Secure
Sockets Layer (SSL), are cryptographic protocols designed to
provide communications security over a computer network.
A popular implementation of public-key encryption is the
Secure Sockets Layer (SSL).
Originally developed by Netscape, SSL is an Internet
security protocol used by Internet browsers and Web servers
to transmit sensitive information.
SSL has become part of an overall security protocol known
as Transport Layer Security (TLS).
135
SSL/TLS
TLS is the new name for SSL.
SSL and TLS are protocols that aim to provide privacy and
data integrity between two parties
SSL version 3.0 has been implemented in many web browsers
TLS can be viewed as SSL v3.1
136
SSL Architecture
137
SSL Architecture
SSL Handshake Protocol
negotiation of security algorithms and parameters
key exchange
server authentication and optionally client authentication
SSL Record Protocol
fragmentation
compression
message authentication and integrity protection
encryption
SSL Alert Protocol
error messages (fatal alerts and warnings)
SSL Change Cipher Spec Protocol
138
a single message that indicates the end of the SSL handshake