daithonguyen_networksecurity

7/30/2019 DaiThoNguyen_NetworkSecurity

1/84

Network Security

Dr. Dai Tho Nguyen

University of Engineering and TechnologyVietnam National University, Hanoi


2/84

INTRODUCTION

Chapter 1

Dai Tho Nguyen Network Security 2


3/84

Social Context

This new century has been characterized by

terrorist attacks and security defenses

IT has also been victim of an unprecedented

number of attacks on information

Information security is now at the core of IT

Protecting valuable electronic information

Demand for IT professionals who know how to

secure networks and computers is at a high



4/84

Technological Context

Two major changes in the requirements of

information security in recent times

Traditionally information security is provided by

physical and administrative mechanisms

Computer use requires automated tools to protect

files and other stored information

Use of networks and communications facilitiesrequires measures to protect data during their

transmisson



5/84

Defining Information Security

Security

A state of freedom from a danger or risk

The state or condition of freedom exists because

protective measures are established and maintained

Information security

Describes the tasks of guarding information in a

digital format Information security can be understood by

examining its goals and how it is accomplished



6/84

Goals of Information Security

Ensures that protective measures are properlyimplemented

Protects information that has value to people

and organizations The value comes from the characteristicsconfidentiality, integrity, and availability

Protects the characteristics of information onthe devices that store, manipulate, andtransmit the information



7/84

How Info Security is Accomplished

Through a combination of 3 entities

Hardware, software, and communications

Three layers of protection

Products

The physical security around the data

People

Those who implement and use security products

Procedures

Plans and policies to ensure correct use of the products



8/84

Information Security Components



9/84

Information Security Definition

A more comprehensive definition of

information security

That which protects the integrity, confidentiality,

and availability of information on the devices that

store, manipulate, and transmit the information

through products, people, and procedures



10/84

Information Security Concepts (1)

Confidentiality

Preserving authorized restrictions on informationaccess and disclosure

Including means for protecting personal privacy andproprietary information

Integrity

Guarding against improper information

modification or destruction Including ensuring information nonrepudiation and

authenticity



11/84

Information Security Concepts (2)

Availability

Ensuring timely and reliable access to and use ofinformation

Authenticity The property of being genuine and being able to

be verified and trusted

Accountability

The security goal that requires for actions of anentity to be traced uniquely to that entity



12/84

Information Security Terms (1)

Asset

Something that has a value

Threat

An potential for violation of security, which exists

when there is a circumstance, capability, action, or

event that could breach security and cause harm

A threat is a possible danger that might exploit avulnerability



13/84


Threat agent

A person or thing that has the power to carry out

a threat

Attack

An assault on system security that derives from an

intelligent threat or act

A deliberate attempt to evade security services andviolate the security policy of a system

Often means the same thing as threat



14/84


Vulnerability

Weakness that allows a threat agent to bypass

security

Risk

The likelihood that a threat agent will exploit a

vulnerability

Realistically risk cannot ever be entirely eliminated

Three options when dealing with risks

Accept the risk, diminish the risk, or transfer the risk



15/84

Example of Security Terms



16/84

Security Definitions

Computer Security

Generic name for the collection of tools designed

to protect data and to thwart hackers

Network Security

Measures to protect data during their transmission

Internet Security

Measures to protect data during their transmission

over a collection of interconnected networks



17/84


18/84


19/84

Attacker Profiles (1)

Hackers

People with special knowledge of computer

systems

Black-hat hackers

Hack computing systems for their own benefit

White-hat hackers

Hack for finding loopholes and developing solutions Grey-hat hackers

Often wear a white hat but may also wear a black hat



20/84


Script kiddies

People who use scripts and programs developed

by black-hat hackers to attack computing systems

They dont know how to write hacking tools or

understand how an existing hacking tool works,

but could inflict a lot of damage

Cyber spies Collecting intelligence through intercepted

network communications



21/84


Vicious employees

People who intentionally breach security to harmtheir employers

Cyber terrorists Terrorists who use computer and network

technologies to carry out attacks and producepublic fear

Hypothetical attackers All attackers except cyber terrorists



22/84

OSI Security Architecture

Goals

Assess effectively the security needs of anorganization

Evaluate and choose security products and policies

ITU-T X.800 Security Architecture for OSI

A systematic way of defining and satisfying

security requirements Provides a useful, if abstract, overview of

concepts we will study



23/84

Aspects of Security

Security attack

Action that compromises the security ofinformation

Security mechanism Process that is designed to detect, prevent, or

recover from a security attack

Security service

Service that enhances the security of dataprocessing systems and information transfers



24/84


25/84

Release of Message Contents



26/84

Traffic Analysis



27/84

Active Attacks

Involve some modification of the data stream

or the creation of a false stream

Four types

Masquerade Modification of messages

Replay Denial of service

The goal is to detect active attacks and to

recover from disruption or delays

Detection may contribute to prevention



28/84

Masquerade



29/84


30/84

Modification of Messages



31/84


32/84


33/84

Security Services (X.800) (1)

Authentication

Assurance that communicating entity is the one

that it claims to be

Access control

Prevention of unauthorized use of a resource

Data confidentiality

Protection of data from unauthorized disclosure



34/84


35/84


36/84


37/84


38/84


39/84


40/84

Tasks in Network Access Security

Gatekeeper function

Password-based login procedures designed to

deny access to all but authorized users

Screening logic designed to detect and rejectworms, viruses, and other similar attacks

Internal security controls

Monitor activity and analyze stored information todetect the presence of unwanted intruders



41/84

Defining Cryptography

Defining cryptography involves understanding

What it is

What it can do

How it can be used as a security tool to protect

data

Definition

The science of transforming information into anunintelligible form while it is being transmitted or

stored so that unauthorized users cannot access it



42/84

Cryptography and Security

Cryptography can provide basic security

protection for information

It can protect the confidentiality of information by

ensuring that only authorized parties can view it

It can protect the integrity of the information

It help ensure the availability of the data so that

authorized users (with the key) can access it It can verify the authenticity of the sender

It can enforce non-repudiation



43/84


44/84

Summary

Motivations

Security definitions, concepts, and terms

Computer security challenges

Attacker profiles

X.800 security architecture

Security attacks, services, mechanisms

Models for network (access) security Overview of cryptography



45/84


46/84

Symmetric Encryption

Also referred to as conventional, secret-key,

private-key or single-key encryption

Sender and recipient share a common key

All encryption from ancient times until 1976

was exclusively based on symmetric methods

By far the most widely used



47/84


48/84


49/84


50/84

Cryptography Classification

Classification along 3 independent dimensions

Type of encryption operations used

Substitution, transposition, product

Number of keys used Single-key

Two-key

Way in which plaintext is processed Block

Stream



51/84


52/84


53/84


54/84


55/84

Feistel Cipher Structure

First described by Horst Feistel of IBM in 1973

Encryption process

The plaintext block is divided into 2 halves to pass

through multiple rounds

A substitution on the left half by applying a round

function to the right half and a subkey and then taking

XOR of the output with the left half

A permutation with the interchange of the 2 halves

Implementation of Shannons S-P net concept



56/84


57/84

Feistel Cipher Design Elements

Block size

Key size

Number of rounds

Subkey generation algorithm

Round function

Fast software encryption/decryption Ease of analysis



58/84


59/84

Strength of DES

Two concerns

Possibility of exploiting the characteristics of the

DES algorithm

Numerous attempts with no success

Key length

More than a thousand years to break the cipher with a

single machine performing 1 DES encryption/s

In 7/1998, EFF announced having broken DES using a

$250,000 machine for less than 3 days

With 128-bit key, DES would be unbreakable



60/84

3DES

First standardized in ANSI X9.17 in 1985

Included as part of DES in FIPS 46-3 in 1999

Use 3 keys and 3 executions of DES

= E(3, D 2, E 1, )

Can use 2 keys: = E 1, D 2, E 1,

Becomes single DES with 1 key

Why not 2DES?

Meet-in-the-middle attack with O(256) steps



61/84


62/84

Overview of AES

Rijndael was developed by Rijmen and

Daemen from Belgium

Uses 128 bit blocks and 128/192/256 bit keys

Some comments

Not a Feistel structure

Processes entire data block in every round

Data blocks and keys are depicted as square matrix ofbytes with ordering by column

The structure is quite simple



63/84


64/84


65/84


66/84


67/84


68/84


69/84


70/84


71/84


72/84


73/84


74/84


75/84


76/84


77/84


78/84


79/84


80/84

C (C )


81/84

Counter (CTR)

A block mode with recent interest, thoughproposed early on

Use of a counter equal to plaintext block size

Counter value must be different for eachplaintext block

Counter is encrypted and then XORed with

plaintext block to produce ciphertext block Similar to OFB but encrypts counter value rather

than any feedback value



82/84


83/84


84/84

daithonguyen_networksecurity

Documents