network security (1)

52

Upload: dinesh-dolka

Post on 05-Apr-2018


TRANSCRIPT

Page 1: Network Security (1)

8/2/2019 Network Security (1)

http://slidepdf.com/reader/full/network-security-1 1/52


INTRODUCTION

Network security is concerned with:

Making sure that our systems are protected from viruses, worms and Trojan horses

Keeping information out of the hands of unauthorized users

Identifying the users

Making sure that data is transmitted and received without modification by a malicious adversary


Security threats and solutions

| Threat | Security solution | Function | Technology |
|---|---|---|---|
| Data intercepted, read or modified illicitly | Encryption | Encodes data to prevent tampering | Symmetric encryption; asymmetric encryption |
| Users misrepresent their identity to commit fraud | Authentication | Verifies the identity of both sender and receiver | Digital signature |
| Unauthorized user on one network gains access to another | Firewall | Filters and prevents certain traffic from entering the network or server | Firewall; virtual private net |


Layered contribution to security

Physical layer – by enclosing transmission lines in sealed tubes

Data link layer – packets can be encoded

Network layer – firewalls can be installed

Transport layer – entire connection can be encrypted

Application layer – cryptography


Types and Sources of Network Threats

VIRUSES, EMAIL VIRUSES, WORMS, TROJAN HORSES

DENIAL-OF-SERVICE 

UNAUTHORIZED ACCESS


Software from which the system must be secured

Viruses

Email viruses

Worms

Trojan Horses


Prevention

Use a secure operating system like UNIX or Windows NT

Use virus protection software

Disable floppy disk booting

NEVER run macros in a document unless you know what they do

Never double-click on an executable that arrives as an e-mail attachment


Security Issues 

Secrecy

Authentication

Nonrepudiation

Integrity control


 

DENIAL-OF-SERVICE

The attacker's program simply makes a connection on some service port, perhaps forging the packet's header information that says where the packet came from, and then drops the connection.

The attacker sends more requests to the machine than it can handle

DoS attacks are very easy to launch

But difficult (sometimes impossible) to track

Not easy to refuse the requests of attackers


PREVENTION

Not running your visible-to-the-world servers at a level too close to capacity

Using packet filtering to prevent obviously forged packets from entering into your network address space

Keeping up-to-date on security-related patches for your hosts' operating systems


Unauthorized Access 

The main goal is to access a resource that your machine should not provide to the attacker

Executing Commands Illicitly  

Confidentiality Breaches 

Destructive Behavior  


Executing Commands Illicitly 

To execute commands on servers

Classifications:

Normal user access: such as reading files, mail, etc.

Administrator access: changing the machine's IP address, causing the machine to shut down


Destructive Behavior  

Classifications:

Data Diddling

o Changing the data

o Difficult to get

Data Destruction

o Deleting the data


Where Do They Come From?  

Through any connection that you have to the outside world.

Includes Internet connections, dial-up modems, and even physical access.

System cracker looking for passwords, data, phone numbers


Lessons Learned

Hope you have backups

Don't put data where it doesn't need to be

Avoid systems with single points of failure

Stay current with relevant operating system patches

Have someone on staff be familiar with security practices

Firewalls


Questions

What is a firewall

Security Administrator Tool for Analyzing Networks (SATAN)

Security issues: how to

protect confidential information from unauthorized users

protect the network and its resources from malicious users and accidents originating outside


Firewall


Firewalls

Security Administrator Tool for Analyzing Networks (SATAN)

Router

Access Control List (ACL)

Proxy

Types of Firewalls

Application Gateways

Packet Filtering

Hybrid Systems


Application Gateways

Application layer

They don't allow anything to pass by default

Typically the slowest

Packet Filtering

Transport or session layer

Routers have ACLs (Access Control Lists) turned on

Less overhead; much faster than its application layer cousins

Use layers of packet filters in order to localize the traffic
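The packet-filtering slide above and the earlier denial-of-service prevention slide (dropping obviously forged packets before they enter your address space) both come down to a router ACL evaluated per packet. The following is an added example, not part of the original slides; the address ranges, permitted hosts and the default-deny policy are assumptions chosen for illustration.

```python
import ipaddress

# Assumption: documentation address ranges stand in for a real site.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")   # our address space
# Sources that should never appear on the Internet-facing interface.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Inbound ACL: (destination host, destination port) pairs that are permitted.
PERMIT = [
    (ipaddress.ip_address("192.0.2.10"), 80),   # public web server
    (ipaddress.ip_address("192.0.2.25"), 25),   # mail relay
]

def inbound_filter(src: str, dst: str, dport: int) -> str:
    """Decide what to do with a packet arriving on the outside interface."""
    source = ipaddress.ip_address(src)
    target = ipaddress.ip_address(dst)
    # Anti-spoofing: an outside packet cannot truthfully claim an inside source.
    if source in INTERNAL_NET:
        return "deny: spoofed internal source"
    if any(source in net for net in UNROUTABLE):
        return "deny: unroutable source"
    # Only explicitly listed services are reachable.
    for host, port in PERMIT:
        if target == host and dport == port:
            return "permit"
    # Anything else is dropped (assumed default-deny policy).
    return "deny: no matching rule"

# Constructed sample packets: (source, destination, destination port).
SAMPLES = [
    ("198.51.100.7", "192.0.2.10", 80),   # ordinary web request
    ("192.0.2.99", "192.0.2.10", 80),     # forged: claims to come from inside
    ("10.1.2.3", "192.0.2.25", 25),       # forged: private source from outside
    ("203.0.113.5", "192.0.2.10", 23),    # telnet to the web server
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", inbound_filter(*pkt))
```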


Hybrid Systems  

Security of the application layer gateways with the flexibility and speed of packet filtering


Protecting Your Network

Protecting Confidential Information

Confidential information resides on:

physical storage media

the physical network, in the form of packets

Common methods of attack are:

network packet sniffers

IP spoofing

password attacks

distribution of sensitive internal information to external sources

man-in-the-middle attacks


So, what's best for me? 

Secure Network Devices  

Crypto-Capable Routers 

Secure Modems; Dial-Back Systems  

Virtual private network 


Cryptography


Terminology

Plaintext or Cleartext

Encryption and decryption

Ciphertext

Cryptography and Cryptographers

Cryptanalysis and Cryptanalysts

Cryptology


Benefits

Ensures privacy and Confidentiality

Authenticates networked individuals and computers

Digital identification of persons and Authorization

Non-repudiation

Integrity


Process of Encryption

[Figure: Tonight at 10PM -> encrypt -> P{k*76<I-o(6gH -> decrypt -> Tonight at 10PM]


Contd.

Cipher: a set of rules for encoding data.

Basic encryption requires an algorithm and a key.

Key size determines the extent of security.

Two types of keys:

Secret key or symmetric encryption

public key or asymmetric encryption


Secret Key Cryptography

[Figure: message typed by Tim -> Encrypt with secret key (9854) -> P:k*76&io0gH -> INTERNET -> Decrypt with secret key (9854) -> original message read by Ann]


Features

Advantage

Message secure

Disadvantages

Both parties must agree

Same key: read each other's mail

n keys for n correspondents

Authenticity


Public Key Cryptography

[Figure: Ann announces "My public key is 90876832". Message typed by Tim -> Encrypt with Ann’s public key (90876832) -> :L-9n643h2#D -> INTERNET -> Decrypt with Ann’s private key (64732819) -> original message read by Ann]


Features

Advantages

Public key distributed without compromise through the service provider

Authenticates message’s originator

Disadvantages

confidentiality


Digital Signatures

Working

Message digest

info about the signer, timestamp encrypted with secret key

Uses

verify sender

testify ownership of public key


Cryptographic Hash functions

Used to compute message digest

non reversible

No key

length: 128 bit

Hash functions: MD5 and SHA 


Digital Certificates

Accept your public key along with some proof of your identity (it varies with the class of certificate)

Like a driver’s license

Certificate authorities: Verisign, Cybertrust, and Nortel + Govt. issue digital certificates

DC for a fee

Certificate Revocation List or CRL


Contents of Digital certificate

X’s identifying information: name, organization, address

Issuing authority’s digital signature and ID information

X’s public key

Dates of validity of this Digital ID

Class of certificate

Digital ID certificate number


Classes

Four classes of digital certificates:

CLASS 1: Name and E-mail ID

CLASS 2: Driver's license, SSN, Date of birth

CLASS 3: Credit check

CLASS 4: Position in organization etc.

# verification requirements not yet finalized


Cryptographic system

| Encryption | Advantages | Disadvantages |
|---|---|---|
| Symmetric key | Fast; can be easily implemented in hardware | Both keys are the same; difficult to distribute keys; does not support digital signatures |
| Public key | Uses two different keys; relatively easy to distribute keys; provides integrity and non-repudiation through digital signatures | Slow and computationally intensive |

Advantages and disadvantages


Breaking Keys

Length of key in bits

| Cost | 40 | 56 | 64 | 80 | 128 |
|---|---|---|---|---|---|
| $100 thousand | 2 secs | 35 hrs | 1 yr | 70000 yrs | 10^19 yrs |
| $1 million | .2 secs | 3.5 hrs | 37 days | 7000 yrs | 10^18 yrs |
| $100 million | 2 millisecs | 2 mins | 9 hrs | 7000 yrs | 10^16 yrs |
| $1 billion | .2 millisecs | 13 secs | 1 hr | 7 yrs | 10^15 yrs |
| $100 billion | 2 microsecs | .1 sec | 32 secs | 24 days | 10^13 yrs |

Comparison of Time and Money Needed to Break Different Length Keys


Levels of security

| Secret-Key Length | Public-Key Length |
|---|---|
| 56 bits | 384 bits |
| 64 bits | 512 bits |
| 80 bits | 768 bits |
| 112 bits | 1792 bits |
| 128 bits | 2304 bits |

Secret-Key and Public-Key Lengths for Equivalent Levels of Security


Key Algorithms

| Function | Algorithms Used | Process |
|---|---|---|
| Message encryption | IDEA, RSA | 1. Use IDEA with one-time session key generated by sender to encrypt message. 2. Encrypt session key with RSA using recipient's public key. |
| Digital signature | MD5, RSA | 1. Generate hash code of message with MD5. 2. Encrypt message digest with RSA using sender's private key. |

Various Algorithms for Encryption Used by PGP
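The two digital-signature steps in the table (hash the message, then apply the sender's private RSA key to the digest) can be traced end to end, together with the receiver's check. This is an added example, not from the original slides: the key is a toy built from two known Mersenne primes, there is no padding scheme, and SHA-256 stands in for the slide's MD5, which is no longer collision-resistant.

```python
import hashlib

# Toy RSA key (constructed for this example only): two known Mersenne primes.
# Real keys use large random primes and a padding scheme such as RSA-PSS.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # public modulus, wider than a 256-bit digest
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)

def digest(message: bytes) -> int:
    """Step 1: hash the message (SHA-256 here in place of the slide's MD5)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes) -> int:
    """Step 2: apply the sender's private key to the digest."""
    return pow(digest(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Receiver: undo the signature with the public key, compare with own hash."""
    return pow(signature, E, N) == digest(message)

if __name__ == "__main__":
    msg = b"Tonight at 10PM"               # sample text taken from the slides
    sig = sign(msg)
    print("genuine message :", verify(msg, sig))
    print("altered message :", verify(b"Tonight at 11PM", sig))
    print("altered signature:", verify(msg, sig ^ 1))
```

Only the holder of `D` can produce a value that passes `verify`, which is what gives the signature its integrity and non-repudiation properties listed earlier.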


Secret Key Algorithms

 Vigenere

historical cipher

Enigma

by Germans in World War II

SAFER 

J.L.Massey

64 and 128 bit keys

secure and fast


Contd.

DES: Data Encryption Standard

by IBM in 1977

56 bit key and 64 bit block size

easily breakable

variant 3DES

Blowfish

Bruce Schneier

variable length key (<448) and 64 bit block size


Contd.

IDEA: International Data Encryption Algorithm

ETH Zurich in 1991

128 bit key

very secure

RC2 & RC4

RSA data security

variable key size (40 common)

block & stream cipher


Public Key Algorithms

RSA: Rivest-Shamir-Adleman

used for signing and encryption

long keys (512, 768, 1024, 2048)

factors of large integers

Vulnerable to:

Chosen plain text attacks

Timing attacks

Elliptic curve public key cryptosystems

New and slow but secure


Contd.

Diffie-Hellman

oldest; for key exchange

based on discrete logarithm problem

strong prime and generator

Vulnerable to timing attack

DSS: Digital Signature Standard

US government

leaking hidden data and revealing secret key


Contd.

ElGamal

based on discrete logarithm problem

LUC

Peter Smith

Uses Lucas function

Four variations

LUCDIF PK-like Diffie-Hellman

LUCELG PK-like ElGamal public key

LUCELG DS-like ElGamal digital signature

LUCDSA-like US DSS


Hash Functions

MD2, MD4, MD5: Message Digest algorithm 5

at RSA data security

MD2, MD4

any length byte string to 128 bit value

popular and secure

SHA: Secure Hash Algorithm

By USG

Produces 160 bit hash value


 Attacks on Cryptosystems 

Ciphertext-only attack 

Known-plaintext attack 

Chosen-plaintext attack 

Man-in-the-middle attack 

Timing attack 


Cryptographic Protocols 

DNSSEC: Domain Name Server Security

GSSAPI: Generic Security Services API

SSL: Secure Socket Layer

SHTTP: Secure Hypertext Transfer Protocol

S/MIME: Secure-MIME

MSP: Message Security Protocol

PKCS: Public Key Encryption Standards

SSH2 Protocol 


CryptoAPI and CDSA  

CryptoAPI

Microsoft, for W95 and WNT

calling cryptographic functions through standardized interface

modular

processing and managing digital certificates

CDSA: Common Data Security Architecture

Intel, cross platform