daithonguyen_networksecurity
TRANSCRIPT
-
7/30/2019 DaiThoNguyen_NetworkSecurity
1/84
Network Security
Dr. Dai Tho Nguyen
University of Engineering and TechnologyVietnam National University, Hanoi
-
7/30/2019 DaiThoNguyen_NetworkSecurity
2/84
INTRODUCTION
Chapter 1
Dai Tho Nguyen Network Security 2
-
7/30/2019 DaiThoNguyen_NetworkSecurity
3/84
Social Context
This new century has been characterized by
terrorist attacks and security defenses
IT has also been victim of an unprecedented
number of attacks on information
Information security is now at the core of IT
Protecting valuable electronic information
Demand for IT professionals who know how to
secure networks and computers is at a high
Dai Tho Nguyen Network Security 3
-
7/30/2019 DaiThoNguyen_NetworkSecurity
4/84
Technological Context
Two major changes in the requirements of
information security in recent times
Traditionally information security is provided by
physical and administrative mechanisms
Computer use requires automated tools to protect
files and other stored information
Use of networks and communications facilitiesrequires measures to protect data during their
transmisson
Dai Tho Nguyen Network Security 4
-
7/30/2019 DaiThoNguyen_NetworkSecurity
5/84
Defining Information Security
Security
A state of freedom from a danger or risk
The state or condition of freedom exists because
protective measures are established and maintained
Information security
Describes the tasks of guarding information in a
digital format Information security can be understood by
examining its goals and how it is accomplished
Dai Tho Nguyen Network Security 5
-
7/30/2019 DaiThoNguyen_NetworkSecurity
6/84
Goals of Information Security
Ensures that protective measures are properlyimplemented
Protects information that has value to people
and organizations The value comes from the characteristicsconfidentiality, integrity, and availability
Protects the characteristics of information onthe devices that store, manipulate, andtransmit the information
Dai Tho Nguyen Network Security 6
-
7/30/2019 DaiThoNguyen_NetworkSecurity
7/84
How Info Security is Accomplished
Through a combination of 3 entities
Hardware, software, and communications
Three layers of protection
Products
The physical security around the data
People
Those who implement and use security products
Procedures
Plans and policies to ensure correct use of the products
Dai Tho Nguyen Network Security 7
-
7/30/2019 DaiThoNguyen_NetworkSecurity
8/84
Information Security Components
Dai Tho Nguyen Network Security 8
-
7/30/2019 DaiThoNguyen_NetworkSecurity
9/84
Information Security Definition
A more comprehensive definition of
information security
That which protects the integrity, confidentiality,
and availability of information on the devices that
store, manipulate, and transmit the information
through products, people, and procedures
Dai Tho Nguyen Network Security 9
-
7/30/2019 DaiThoNguyen_NetworkSecurity
10/84
Information Security Concepts (1)
Confidentiality
Preserving authorized restrictions on informationaccess and disclosure
Including means for protecting personal privacy andproprietary information
Integrity
Guarding against improper information
modification or destruction Including ensuring information nonrepudiation and
authenticity
Dai Tho Nguyen Network Security 10
-
7/30/2019 DaiThoNguyen_NetworkSecurity
11/84
Information Security Concepts (2)
Availability
Ensuring timely and reliable access to and use ofinformation
Authenticity The property of being genuine and being able to
be verified and trusted
Accountability
The security goal that requires for actions of anentity to be traced uniquely to that entity
Dai Tho Nguyen Network Security 11
-
7/30/2019 DaiThoNguyen_NetworkSecurity
12/84
Information Security Terms (1)
Asset
Something that has a value
Threat
An potential for violation of security, which exists
when there is a circumstance, capability, action, or
event that could breach security and cause harm
A threat is a possible danger that might exploit avulnerability
Dai Tho Nguyen Network Security 12
-
7/30/2019 DaiThoNguyen_NetworkSecurity
13/84
Information Security Terms (2)
Threat agent
A person or thing that has the power to carry out
a threat
Attack
An assault on system security that derives from an
intelligent threat or act
A deliberate attempt to evade security services andviolate the security policy of a system
Often means the same thing as threat
Dai Tho Nguyen Network Security 13
-
7/30/2019 DaiThoNguyen_NetworkSecurity
14/84
Information Security Terms (3)
Vulnerability
Weakness that allows a threat agent to bypass
security
Risk
The likelihood that a threat agent will exploit a
vulnerability
Realistically risk cannot ever be entirely eliminated
Three options when dealing with risks
Accept the risk, diminish the risk, or transfer the risk
Dai Tho Nguyen Network Security 14
-
7/30/2019 DaiThoNguyen_NetworkSecurity
15/84
Example of Security Terms
Dai Tho Nguyen Network Security 15
-
7/30/2019 DaiThoNguyen_NetworkSecurity
16/84
Security Definitions
Computer Security
Generic name for the collection of tools designed
to protect data and to thwart hackers
Network Security
Measures to protect data during their transmission
Internet Security
Measures to protect data during their transmission
over a collection of interconnected networks
Dai Tho Nguyen Network Security 16
-
7/30/2019 DaiThoNguyen_NetworkSecurity
17/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
18/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
19/84
Attacker Profiles (1)
Hackers
People with special knowledge of computer
systems
Black-hat hackers
Hack computing systems for their own benefit
White-hat hackers
Hack for finding loopholes and developing solutions Grey-hat hackers
Often wear a white hat but may also wear a black hat
Dai Tho Nguyen Network Security 19
-
7/30/2019 DaiThoNguyen_NetworkSecurity
20/84
Attacker Profiles (2)
Script kiddies
People who use scripts and programs developed
by black-hat hackers to attack computing systems
They dont know how to write hacking tools or
understand how an existing hacking tool works,
but could inflict a lot of damage
Cyber spies Collecting intelligence through intercepted
network communications
Dai Tho Nguyen Network Security 20
-
7/30/2019 DaiThoNguyen_NetworkSecurity
21/84
Attacker Profiles (3)
Vicious employees
People who intentionally breach security to harmtheir employers
Cyber terrorists Terrorists who use computer and network
technologies to carry out attacks and producepublic fear
Hypothetical attackers All attackers except cyber terrorists
Dai Tho Nguyen Network Security 21
-
7/30/2019 DaiThoNguyen_NetworkSecurity
22/84
OSI Security Architecture
Goals
Assess effectively the security needs of anorganization
Evaluate and choose security products and policies
ITU-T X.800 Security Architecture for OSI
A systematic way of defining and satisfying
security requirements Provides a useful, if abstract, overview of
concepts we will study
Dai Tho Nguyen Network Security 22
-
7/30/2019 DaiThoNguyen_NetworkSecurity
23/84
Aspects of Security
Security attack
Action that compromises the security ofinformation
Security mechanism Process that is designed to detect, prevent, or
recover from a security attack
Security service
Service that enhances the security of dataprocessing systems and information transfers
Dai Tho Nguyen Network Security 23
-
7/30/2019 DaiThoNguyen_NetworkSecurity
24/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
25/84
Release of Message Contents
Dai Tho Nguyen Network Security 25
-
7/30/2019 DaiThoNguyen_NetworkSecurity
26/84
Traffic Analysis
Dai Tho Nguyen Network Security 26
-
7/30/2019 DaiThoNguyen_NetworkSecurity
27/84
Active Attacks
Involve some modification of the data stream
or the creation of a false stream
Four types
Masquerade Modification of messages
Replay Denial of service
The goal is to detect active attacks and to
recover from disruption or delays
Detection may contribute to prevention
Dai Tho Nguyen Network Security 27
-
7/30/2019 DaiThoNguyen_NetworkSecurity
28/84
Masquerade
Dai Tho Nguyen Network Security 28
-
7/30/2019 DaiThoNguyen_NetworkSecurity
29/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
30/84
Modification of Messages
Dai Tho Nguyen Network Security 30
-
7/30/2019 DaiThoNguyen_NetworkSecurity
31/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
32/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
33/84
Security Services (X.800) (1)
Authentication
Assurance that communicating entity is the one
that it claims to be
Access control
Prevention of unauthorized use of a resource
Data confidentiality
Protection of data from unauthorized disclosure
Dai Tho Nguyen Network Security 33
-
7/30/2019 DaiThoNguyen_NetworkSecurity
34/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
35/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
36/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
37/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
38/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
39/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
40/84
Tasks in Network Access Security
Gatekeeper function
Password-based login procedures designed to
deny access to all but authorized users
Screening logic designed to detect and rejectworms, viruses, and other similar attacks
Internal security controls
Monitor activity and analyze stored information todetect the presence of unwanted intruders
Dai Tho Nguyen Network Security 40
-
7/30/2019 DaiThoNguyen_NetworkSecurity
41/84
Defining Cryptography
Defining cryptography involves understanding
What it is
What it can do
How it can be used as a security tool to protect
data
Definition
The science of transforming information into anunintelligible form while it is being transmitted or
stored so that unauthorized users cannot access it
Dai Tho Nguyen Network Security 41
-
7/30/2019 DaiThoNguyen_NetworkSecurity
42/84
Cryptography and Security
Cryptography can provide basic security
protection for information
It can protect the confidentiality of information by
ensuring that only authorized parties can view it
It can protect the integrity of the information
It help ensure the availability of the data so that
authorized users (with the key) can access it It can verify the authenticity of the sender
It can enforce non-repudiation
Dai Tho Nguyen Network Security 42
-
7/30/2019 DaiThoNguyen_NetworkSecurity
43/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
44/84
Summary
Motivations
Security definitions, concepts, and terms
Computer security challenges
Attacker profiles
X.800 security architecture
Security attacks, services, mechanisms
Models for network (access) security Overview of cryptography
Dai Tho Nguyen Network Security 44
-
7/30/2019 DaiThoNguyen_NetworkSecurity
45/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
46/84
Symmetric Encryption
Also referred to as conventional, secret-key,
private-key or single-key encryption
Sender and recipient share a common key
All encryption from ancient times until 1976
was exclusively based on symmetric methods
By far the most widely used
Dai Tho Nguyen Network Security 46
-
7/30/2019 DaiThoNguyen_NetworkSecurity
47/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
48/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
49/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
50/84
Cryptography Classification
Classification along 3 independent dimensions
Type of encryption operations used
Substitution, transposition, product
Number of keys used Single-key
Two-key
Way in which plaintext is processed Block
Stream
Dai Tho Nguyen Network Security 50
-
7/30/2019 DaiThoNguyen_NetworkSecurity
51/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
52/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
53/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
54/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
55/84
Feistel Cipher Structure
First described by Horst Feistel of IBM in 1973
Encryption process
The plaintext block is divided into 2 halves to pass
through multiple rounds
A substitution on the left half by applying a round
function to the right half and a subkey and then taking
XOR of the output with the left half
A permutation with the interchange of the 2 halves
Implementation of Shannons S-P net concept
Dai Tho Nguyen Network Security 55
-
7/30/2019 DaiThoNguyen_NetworkSecurity
56/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
57/84
Feistel Cipher Design Elements
Block size
Key size
Number of rounds
Subkey generation algorithm
Round function
Fast software encryption/decryption Ease of analysis
Dai Tho Nguyen Network Security 57
-
7/30/2019 DaiThoNguyen_NetworkSecurity
58/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
59/84
Strength of DES
Two concerns
Possibility of exploiting the characteristics of the
DES algorithm
Numerous attempts with no success
Key length
More than a thousand years to break the cipher with a
single machine performing 1 DES encryption/s
In 7/1998, EFF announced having broken DES using a
$250,000 machine for less than 3 days
With 128-bit key, DES would be unbreakable
Dai Tho Nguyen Network Security 59
-
7/30/2019 DaiThoNguyen_NetworkSecurity
60/84
3DES
First standardized in ANSI X9.17 in 1985
Included as part of DES in FIPS 46-3 in 1999
Use 3 keys and 3 executions of DES
= E(3, D 2, E 1, )
Can use 2 keys: = E 1, D 2, E 1,
Becomes single DES with 1 key
Why not 2DES?
Meet-in-the-middle attack with O(256) steps
Dai Tho Nguyen Network Security 60
-
7/30/2019 DaiThoNguyen_NetworkSecurity
61/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
62/84
Overview of AES
Rijndael was developed by Rijmen and
Daemen from Belgium
Uses 128 bit blocks and 128/192/256 bit keys
Some comments
Not a Feistel structure
Processes entire data block in every round
Data blocks and keys are depicted as square matrix ofbytes with ordering by column
The structure is quite simple
Dai Tho Nguyen Network Security 62
-
7/30/2019 DaiThoNguyen_NetworkSecurity
63/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
64/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
65/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
66/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
67/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
68/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
69/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
70/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
71/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
72/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
73/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
74/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
75/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
76/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
77/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
78/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
79/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
80/84
C (C )
-
7/30/2019 DaiThoNguyen_NetworkSecurity
81/84
Counter (CTR)
A block mode with recent interest, thoughproposed early on
Use of a counter equal to plaintext block size
Counter value must be different for eachplaintext block
Counter is encrypted and then XORed with
plaintext block to produce ciphertext block Similar to OFB but encrypts counter value rather
than any feedback value
Dai Tho Nguyen Network Security 81
-
7/30/2019 DaiThoNguyen_NetworkSecurity
82/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
83/84
-
7/30/2019 DaiThoNguyen_NetworkSecurity
84/84