Vous êtes sur la page 1sur 52

INTRODUCTION

Network Security is concerned with

Making sure that our system should protect from viruses, worms, Trojan Horses Keeping information out of the hands of unautorized users Identify the users Making sure that data is transmited or receive without a malicious adversary modification

Security threats and solutions


Threat
Data intercepted, Read or modified illicitly Users misinterpret their identity to commit fraud Unauthorized user on one network gains access to another

Security Functions Solutions


Encryption Encodes data to prevent tempering

Technology

Authentication

Symmetric encryption; Asymmetric encryption Verifies the identity of Digital signature both sender and receiver. Filters and prevents Firewall; certain traffic from Virtual private net entering the network or server

Firewall

Layered contribution to security


Physical layer by enclosing transmission lines in sealed tubes Data link layer by packets encoded Network layer firewalls can be installed Transport layer- entire connection can be encrypted Application layer- cryptography

Types And Sources Of NetworkThreats


VIRUSES,EMIAL VIRUSES,WORMS, TROJAN HORSES DENIAL-OF-SERVICE UNAUTHORIZED ACCESS

Softwares from system must secure

Viruses Email viruses Worms Trojan Horses

Prevention

secure operating system like UNIX or Windows NT virus protection software disable floppy disk booting NEVER run macros in a document unless you know what they do You should never double-click on an attachment that contains an executable that arrives as an email attachment

Security Issues

Secrecy Auhentication Nonrepudiation Integrity control

DENIAL-OF-SERVICE
Attacker's program simply makes a connection on some service port, perhaps forging the packet's header information that says where the packet came from, and then dropping the connection. Send more requests to the machine than it can handle DOS Attacks are very easy to launch But Difficult(sometimes impossible) to track Not easy to refuse the requests of attackers

PREVENTION

Not running your visible-to-the-world servers at a level too close to capacity Using packet filtering to prevent obviously forged packets from entering into your network address space. Keeping up-to-date on security-related patches for your hosts' operating systems.

Unauthorized Access
Main Goal is to access the resource that your machine should not provide the attacker

Executing Commands Illicitly Confidentiality Breaches Destructive Behavior

Executing Commands Illicitly


To execute commands on servers Classifications: Normal user Access: such as read files mails etc Administrator Access: changing its IP address, cause the machine to shut down

Destructive Behavior
Classifications:
o

o
o

Data Diddling. Changging the data Difficult to get


Data Destruction Deleting the data

Where Do They Come From?

Through any connection that you have to the outside world. Includes Internet connections, dial-up , modems, and even physical access. System cracker looking for passwords data phone numbers

Lessons Learned
Hope you have backups Don't put data where it doesn't need to be Avoid systems with single points of failure Stay current with relevant operating system patches Have someone on staff be familiar with security practices Firewalls

Questions

What is a firewall Security Administrator Tool for Analyzing Networks (SATAN) Security issues:

How to
protect confidential information from unauthorized users protect network and its resources from malicious users and accidents originating outside

Firewall

FIREWALL

Firewalls

security Administrator Tool for Analyzing Networks (SATAN)

Router Access Control List (ACL). Proxy. Types of Firewalls Application Gateways Packet Filtering Hybrid Systems

Application Gateways

Application Layer

Application Gateways

they don't allow anything to pass by default typically the slowest Transportor /session layer routers have ACLs (Access Control Lists) turned on less overhead much faster than its application layer cousins. use layers of packet filters in order to localize the traffic.

Packet Filtering

Packet Filtering

Hybrid Systems
security of the application layer gateways with the flexibility and speed of packet filtering,

Protecting Your Network


Protecting Confidential Information

Confidential Information resides on:

physical storage media physical network in the form of packets network packet sniffers IP spoofing password attacks distribution of sensitive internal information to external sources man-in-the-middle attacks

Common methods of attack are:


So, what's best for me? Secure Network Devices Crypto-Capable Routers Secure Modems; Dial-Back Systems Virtual private network

Cryptography

Terminology

Plaintext or Cleartext Encryption and decryption Ciphertext Cryptography and Cryptographers Cryptanalysis and Cryptoanalyst Cryptology

Benefits

Ensures privacy and Confidentiality Authenticates networked individuals and computers Digital identification of persons and Authorization Non-repudiation Integrity

Process of Encryption
Tonight at 10PM encrypt

P{k*76<I-o(6gH Tonight at 10PM


decrypt

Contd.

Cipher: a set of rules for encoding data. Basic encryption requires an algorithm and a key. Key size determines the extent of security. Two types of keys:

Secret key or symmetric encryption public key or asymmetric encryption

Secret Key Cryptography


Secret Key Message typed by Tim
9854 P:k*76&io0gH Encrypt INTERNET Decrypt

9854
Secret Key Original message read by Ann

Features

Advantage

Message secure Both parties must agree Same key: read each others mail n keys for n correspondents Authenticity

Disadvantages

Public Key Cryptography


Message typed by Tim My public key is 90876832 Encrypt 90876832 Anns Public Key Original message read by Ann Anns Private Key

64732819
Decrypt

:L-9n643h2#D
INTERNET

Features

Advantages

Public key distributed without compromise through the service provider Authenticates messages originator confidentiality

Disadvantages

Digital Signatures

Working

Message digest info about the signer, timestamp encrypted with secret key verify sender testify ownership of public key

Uses

Cryptographic Hash functions

Used to compute message digest non reversible No key length:128 bit Hash functions: MD5 and SHA

Digital Certificates

Accept your public key along with some proof of your identity (it varies with the class of certificate) Like drivers license Certificate authorities: Verisign, Cybertrust, and Nortel + Govt. issue digital certificates DC for a fee Certificate Revocation List or CRL

Contents of Digital certificate


DIGITAL CERTIFICATE

Xs identifying Information: Name, organization, address


Issuing authoritys digital signature and ID information Xs Public Key

Dates of Validity of this Digital ID


Class of Certificate Digital ID Certificate number

Classes

Four classes of digital certificates:


CLASS CLASS CLASS CLASS

1: 2: 3: 4:

Name and E-mail ID Drivers license, SSN, Date of birth Credit check Position in organization etc.

verification requirements not yet finalized

Cryptographic system
Advantages and disadvantages
Encryption Advantages Disadvantages Both keys are the same Symmetric Key Fast Can be easily implemented Difficult to distribute keys in hardware Does not support digital signatures Public key Uses two different keys Relatively easy to distribute Keys Provides integrity and non-repudiation through Digital signatures Slow and computationally intensive

Breaking Keys
Comparison of Time and Money Needed to Break Different Length Keys

Length of key in bits Cost 40 $100 thousand 2 secs $1 million $100 million $1 billion $100 billion .2 secs 2 millisecs .2 millisecs 2 microsecs 56 35 hrs 3.5 hrs 2 mins 13 secs .1 sec 64 1 yr 37 days 9 hrs 1 hr 32 secs 80 70000 yrs 7000 yrs 7000 yrs 7 yrs 24 days 128 19 10 yrs 10 yrs 16 10 yrs 15 10 yrs 13 10 yrs
18

Levels of security
Secret-Key and Public-Key Lengths for Equivalent Levels of Security

Secret-Key Length 56 bits 64 bits 80 bits 112 bits 128 bits

Public-Key Length 384 bits 512 bits 768 bits 1792 bits 2304 bits

Key Algorithms
Various Algorithms for Encryption Used by PGP
Function Message encryption Algorithms Used IDEA, RSA Process (1) Use IDEA with one-time session key generated by sender to encrypt message. (2) Encrypt session key with RSA using recipient's public key. (1) Generate hash code of message with MD5. (2) Encrypt message digest with RSA using sender' private key.

Digital signature

MD5, RSA

Secret Key Algorithms

Vigenere

historical cipher by Germans in World war II

Enigma

SAFER

J.L.Massey 64 and 128 bit keys secure and fast

Contd.

DES: Data Encryption Standard


by IBM in 1977 56 bit key and 64 bit block size easily breakable variant 3DES Bruce Schneier variable length key (<448) and 64 bit block size

Blowfish

Contd.

IDEA: International Data Encryption Algorithm


ETH Zurich in 1991 128 bit key very secure RSA data security variable key size (40 common) block & stream cipher

RC2 & RC4


Public Key Algorithms

RSA: Rivest-Shamir-Adelman

used for signing and encryption long keys (512, 768, 1024, 2048) factors of large integers Vulnerable to:
Chosen plain text attacks Timing attacks

Elliptic curve public key cryptosystems

New and Slow but secure

Contd.

Diffie-Hellman

oldest; for key exchange based on discrete algorithm problem strong prime and generator Vulnerable to timing attack US government leaking hidden data and revealing secret key

DSS: Digital Signature Standard


Contd.

EIGamal

based on discrete algorithm problem

LUC

Peter smith Uses LUCAS function Four variations


LUCDIF PK-like diffie-Hellman LUCELG PK-like ElGamel public key LUCELG DS-like ElGamel digital signature LUCDSA-like US DSS

Hash Functions

MD2, MD4, MD5: Message Digest algorithm 5


at RSA data security MD2, MD4 any length byte string to 128 bit value popular and secure By USG Produces 160 bit hash value

SHA: Secure Hash Algorithm


Attacks on Cryptosystems

Ciphertext-only attack Known-plaintext attack Chosen-plaintext attack Man-in-the-middle attack Timing attack

Cryptographic Protocols

DNSSEC: Domain Name Server Security GSSAPI: Generic Security Services API SSL: Secure Socket Layer SHTTP: Secure Hypertext Transfer Protocol S/MIME: Secure-MIME MSP: Message Security Protocol PKCS: Public Key Encryption Standards SSH2 Protocol

CryptoAPI and CDSA

CryptoAPI

Microsoft for W95 and WNT calling cryptographic functions through standardized interface modular processing and managing digital certificates

CDSA: Common Data Security Architecture


Intel cross platform similar to CryptoAPI