Vous êtes sur la page 1sur 52


Network Security is concerned with

Making sure that our system should protect from viruses, worms, Trojan Horses Keeping information out of the hands of unautorized users Identify the users Making sure that data is transmited or receive without a malicious adversary modification

Security threats and solutions

Data intercepted, Read or modified illicitly Users misinterpret their identity to commit fraud Unauthorized user on one network gains access to another

Security Functions Solutions

Encryption Encodes data to prevent tempering



Symmetric encryption; Asymmetric encryption Verifies the identity of Digital signature both sender and receiver. Filters and prevents Firewall; certain traffic from Virtual private net entering the network or server


Layered contribution to security

Physical layer by enclosing transmission lines in sealed tubes Data link layer by packets encoded Network layer firewalls can be installed Transport layer- entire connection can be encrypted Application layer- cryptography

Types And Sources Of NetworkThreats


Softwares from system must secure

Viruses Email viruses Worms Trojan Horses


secure operating system like UNIX or Windows NT virus protection software disable floppy disk booting NEVER run macros in a document unless you know what they do You should never double-click on an attachment that contains an executable that arrives as an email attachment

Security Issues

Secrecy Auhentication Nonrepudiation Integrity control

Attacker's program simply makes a connection on some service port, perhaps forging the packet's header information that says where the packet came from, and then dropping the connection. Send more requests to the machine than it can handle DOS Attacks are very easy to launch But Difficult(sometimes impossible) to track Not easy to refuse the requests of attackers


Not running your visible-to-the-world servers at a level too close to capacity Using packet filtering to prevent obviously forged packets from entering into your network address space. Keeping up-to-date on security-related patches for your hosts' operating systems.

Unauthorized Access
Main Goal is to access the resource that your machine should not provide the attacker

Executing Commands Illicitly Confidentiality Breaches Destructive Behavior

Executing Commands Illicitly

To execute commands on servers Classifications: Normal user Access: such as read files mails etc Administrator Access: changing its IP address, cause the machine to shut down

Destructive Behavior


Data Diddling. Changging the data Difficult to get

Data Destruction Deleting the data

Where Do They Come From?

Through any connection that you have to the outside world. Includes Internet connections, dial-up , modems, and even physical access. System cracker looking for passwords data phone numbers

Lessons Learned
Hope you have backups Don't put data where it doesn't need to be Avoid systems with single points of failure Stay current with relevant operating system patches Have someone on staff be familiar with security practices Firewalls


What is a firewall Security Administrator Tool for Analyzing Networks (SATAN) Security issues:

How to
protect confidential information from unauthorized users protect network and its resources from malicious users and accidents originating outside




security Administrator Tool for Analyzing Networks (SATAN)

Router Access Control List (ACL). Proxy. Types of Firewalls Application Gateways Packet Filtering Hybrid Systems

Application Gateways

Application Layer

Application Gateways

they don't allow anything to pass by default typically the slowest Transportor /session layer routers have ACLs (Access Control Lists) turned on less overhead much faster than its application layer cousins. use layers of packet filters in order to localize the traffic.

Packet Filtering

Packet Filtering

Hybrid Systems
security of the application layer gateways with the flexibility and speed of packet filtering,

Protecting Your Network

Protecting Confidential Information

Confidential Information resides on:

physical storage media physical network in the form of packets network packet sniffers IP spoofing password attacks distribution of sensitive internal information to external sources man-in-the-middle attacks

Common methods of attack are:

So, what's best for me? Secure Network Devices Crypto-Capable Routers Secure Modems; Dial-Back Systems Virtual private network



Plaintext or Cleartext Encryption and decryption Ciphertext Cryptography and Cryptographers Cryptanalysis and Cryptoanalyst Cryptology


Ensures privacy and Confidentiality Authenticates networked individuals and computers Digital identification of persons and Authorization Non-repudiation Integrity

Process of Encryption
Tonight at 10PM encrypt

P{k*76<I-o(6gH Tonight at 10PM



Cipher: a set of rules for encoding data. Basic encryption requires an algorithm and a key. Key size determines the extent of security. Two types of keys:

Secret key or symmetric encryption public key or asymmetric encryption

Secret Key Cryptography

Secret Key Message typed by Tim
9854 P:k*76&io0gH Encrypt INTERNET Decrypt

Secret Key Original message read by Ann



Message secure Both parties must agree Same key: read each others mail n keys for n correspondents Authenticity


Public Key Cryptography

Message typed by Tim My public key is 90876832 Encrypt 90876832 Anns Public Key Original message read by Ann Anns Private Key





Public key distributed without compromise through the service provider Authenticates messages originator confidentiality


Digital Signatures


Message digest info about the signer, timestamp encrypted with secret key verify sender testify ownership of public key


Cryptographic Hash functions

Used to compute message digest non reversible No key length:128 bit Hash functions: MD5 and SHA

Digital Certificates

Accept your public key along with some proof of your identity (it varies with the class of certificate) Like drivers license Certificate authorities: Verisign, Cybertrust, and Nortel + Govt. issue digital certificates DC for a fee Certificate Revocation List or CRL

Contents of Digital certificate


Xs identifying Information: Name, organization, address

Issuing authoritys digital signature and ID information Xs Public Key

Dates of Validity of this Digital ID

Class of Certificate Digital ID Certificate number


Four classes of digital certificates:


1: 2: 3: 4:

Name and E-mail ID Drivers license, SSN, Date of birth Credit check Position in organization etc.

verification requirements not yet finalized

Cryptographic system
Advantages and disadvantages
Encryption Advantages Disadvantages Both keys are the same Symmetric Key Fast Can be easily implemented Difficult to distribute keys in hardware Does not support digital signatures Public key Uses two different keys Relatively easy to distribute Keys Provides integrity and non-repudiation through Digital signatures Slow and computationally intensive

Breaking Keys
Comparison of Time and Money Needed to Break Different Length Keys

Length of key in bits Cost 40 $100 thousand 2 secs $1 million $100 million $1 billion $100 billion .2 secs 2 millisecs .2 millisecs 2 microsecs 56 35 hrs 3.5 hrs 2 mins 13 secs .1 sec 64 1 yr 37 days 9 hrs 1 hr 32 secs 80 70000 yrs 7000 yrs 7000 yrs 7 yrs 24 days 128 19 10 yrs 10 yrs 16 10 yrs 15 10 yrs 13 10 yrs

Levels of security
Secret-Key and Public-Key Lengths for Equivalent Levels of Security

Secret-Key Length 56 bits 64 bits 80 bits 112 bits 128 bits

Public-Key Length 384 bits 512 bits 768 bits 1792 bits 2304 bits

Key Algorithms
Various Algorithms for Encryption Used by PGP
Function Message encryption Algorithms Used IDEA, RSA Process (1) Use IDEA with one-time session key generated by sender to encrypt message. (2) Encrypt session key with RSA using recipient's public key. (1) Generate hash code of message with MD5. (2) Encrypt message digest with RSA using sender' private key.

Digital signature


Secret Key Algorithms


historical cipher by Germans in World war II



J.L.Massey 64 and 128 bit keys secure and fast


DES: Data Encryption Standard

by IBM in 1977 56 bit key and 64 bit block size easily breakable variant 3DES Bruce Schneier variable length key (<448) and 64 bit block size



IDEA: International Data Encryption Algorithm

ETH Zurich in 1991 128 bit key very secure RSA data security variable key size (40 common) block & stream cipher

RC2 & RC4

Public Key Algorithms

RSA: Rivest-Shamir-Adelman

used for signing and encryption long keys (512, 768, 1024, 2048) factors of large integers Vulnerable to:
Chosen plain text attacks Timing attacks

Elliptic curve public key cryptosystems

New and Slow but secure



oldest; for key exchange based on discrete algorithm problem strong prime and generator Vulnerable to timing attack US government leaking hidden data and revealing secret key

DSS: Digital Signature Standard



based on discrete algorithm problem


Peter smith Uses LUCAS function Four variations

LUCDIF PK-like diffie-Hellman LUCELG PK-like ElGamel public key LUCELG DS-like ElGamel digital signature LUCDSA-like US DSS

Hash Functions

MD2, MD4, MD5: Message Digest algorithm 5

at RSA data security MD2, MD4 any length byte string to 128 bit value popular and secure By USG Produces 160 bit hash value

SHA: Secure Hash Algorithm

Attacks on Cryptosystems

Ciphertext-only attack Known-plaintext attack Chosen-plaintext attack Man-in-the-middle attack Timing attack

Cryptographic Protocols

DNSSEC: Domain Name Server Security GSSAPI: Generic Security Services API SSL: Secure Socket Layer SHTTP: Secure Hypertext Transfer Protocol S/MIME: Secure-MIME MSP: Message Security Protocol PKCS: Public Key Encryption Standards SSH2 Protocol

CryptoAPI and CDSA


Microsoft for W95 and WNT calling cryptographic functions through standardized interface modular processing and managing digital certificates

CDSA: Common Data Security Architecture

Intel cross platform similar to CryptoAPI