network security (1)
![Page 1: Network Security (1)](https://reader030.vdocuments.us/reader030/viewer/2022021223/577d1f371a28ab4e1e902051/html5/thumbnails/1.jpg)
8/2/2019 Network Security (1)
http://slidepdf.com/reader/full/network-security-1 1/52
INTRODUCTION
Network Security is concerned with
Making sure that our systems are protected from viruses, worms and Trojan horses
Keeping information out of the hands of unauthorized users
Identifying users
Making sure that data is transmitted or received without modification by a malicious adversary
Security threats and solutions

| Threat | Security function | Technology |
|---|---|---|
| Data intercepted, read or modified illicitly | Encryption: encodes data to prevent tampering | Symmetric encryption; asymmetric encryption |
| Users misrepresent their identity to commit fraud | Authentication: verifies the identity of both sender and receiver | Digital signature |
| Unauthorized user on one network gains access to another | Firewall: filters and prevents certain traffic from entering the network or server | Firewall; virtual private network |
Layered contribution to security
Physical layer – by enclosing transmission lines in sealed tubes
Data link layer – by encoding (encrypting) packets on each link
Network layer – firewalls can be installed
Transport layer – the entire connection can be encrypted
Application layer – cryptography
Types and Sources of Network Threats
VIRUSES, EMAIL VIRUSES, WORMS, TROJAN HORSES
DENIAL-OF-SERVICE
UNAUTHORIZED ACCESS
Software the system must be secured against
Viruses
Email viruses
Worms
Trojan Horses
Prevention
Use a secure operating system like UNIX or Windows NT
Use virus protection software
Disable floppy disk booting
NEVER run macros in a document unless you know what they do
Never double-click on an executable that arrives as an e-mail attachment
Security Issues
Secrecy
Authentication
Nonrepudiation
Integrity control
DENIAL-OF-SERVICE
The attacker's program simply makes a connection on some service port, perhaps forging the packet's header information that says where the packet came from, and then drops the connection.
Sends more requests to the machine than it can handle
DoS attacks are very easy to launch
But difficult (sometimes impossible) to track
Not easy to refuse the requests of attackers
PREVENTION
Not running your visible-to-the-world servers at a level too close to capacity
Using packet filtering to prevent obviously forged packets from entering into your network address space
Keeping up-to-date on security-related patches for your hosts' operating systems
Unauthorized Access
Main goal is to access a resource that your machine should not provide to the attacker
Executing Commands Illicitly
Confidentiality Breaches
Destructive Behavior
Executing Commands Illicitly
To execute commands on servers
Classifications:
Normal user access: such as reading files, mails etc.
Administrator access: changing its IP address, causing the machine to shut down
Destructive Behavior
Classifications:
Data diddling
o Changing the data
o Hard to detect
Data destruction
o Deleting the data
Where Do They Come From?
Through any connection that you have to the outside world.
Includes Internet connections, dial-up modems, and even physical access.
System crackers looking for passwords, data, phone numbers
Lessons Learned
Hope you have backups
Don't put data where it doesn't need to be
Avoid systems with single points of failure
Stay current with relevant operating system patches
Have someone on staff be familiar with security practices
Firewalls
Questions
What is a firewall?
Security Administrator Tool for Analyzing Networks (SATAN)
Security issues: how to
protect confidential information from unauthorized users
protect the network and its resources from malicious users and accidents originating outside
Firewall (diagram)
Firewalls
Security Administrator Tool for Analyzing Networks (SATAN)
Router Access Control List (ACL)
Proxy
Types of Firewalls
Application Gateways
Packet Filtering
Hybrid Systems
Application Gateways (diagram)
Application Gateways
Application layer
They don't allow anything to pass by default
Typically the slowest
Packet Filtering
Transport or session layer; routers have ACLs (Access Control Lists) turned on
Less overhead, much faster than its application layer cousins
Use layers of packet filters in order to localize the traffic
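The router ACL behaviour described on the packet-filtering slide, and the earlier DoS-prevention advice to use packet filtering against obviously forged packets, can be modelled in a few lines. The following is an added example, not code from the slides: a stateless, first-match ACL evaluator in Python. The `Packet` and `Rule` types, the interface names, the rule set and the sample traffic are all constructed here for illustration, with the documentation range TEST-NET-1 (192.0.2.0/24) standing in for the protected network.

```python
"""Stateless packet filter (router ACL style): added example, not the slides' code.
Rule format, interface names and all addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "outside" or "inside"
    proto: str      # "tcp", "udp" or "icmp"
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    dport: int = 0  # destination port (0 for protocols without ports)


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    iface: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"   # CIDR the source address must fall in
    dst: str = "0.0.0.0/0"   # CIDR the destination address must fall in
    dports: tuple = ()       # empty tuple matches any destination port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.iface != "any" and self.iface != pkt.iface:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


def evaluate(rules, pkt: Packet):
    """First matching rule wins. Anything unmatched is dropped: the
    'nothing passes by default' posture the slides attribute to gateways."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


INTERNAL_NET = "192.0.2.0/24"  # constructed: TEST-NET-1 stands in for our address space

ACL = [
    # Anti-spoofing: a packet arriving from outside that claims an inside, private
    # or loopback source is obviously forged and is dropped before anything else.
    Rule("deny", iface="outside", src=INTERNAL_NET, comment="spoofed internal source"),
    Rule("deny", iface="outside", src="10.0.0.0/8", comment="private source from outside"),
    Rule("deny", iface="outside", src="127.0.0.0/8", comment="loopback source from outside"),
    # Services deliberately exposed to the world, on their ports only.
    Rule("permit", iface="outside", proto="tcp", dst="192.0.2.10/32", dports=(80, 443), comment="web server"),
    Rule("permit", iface="outside", proto="tcp", dst="192.0.2.25/32", dports=(25,), comment="mail server"),
    # Hosts inside may initiate anything outbound.
    Rule("permit", iface="inside", src=INTERNAL_NET, comment="outbound from inside"),
]

# Constructed sample traffic: a legitimate web request, a spoofed packet, an SSH
# probe at the web server, an ICMP packet, and an outbound DNS query.
SAMPLE_TRAFFIC = [
    Packet("outside", "tcp", "198.51.100.7", "192.0.2.10", 443),
    Packet("outside", "tcp", "192.0.2.44", "192.0.2.10", 443),
    Packet("outside", "tcp", "198.51.100.7", "192.0.2.10", 22),
    Packet("outside", "icmp", "203.0.113.9", "192.0.2.25"),
    Packet("inside", "udp", "192.0.2.44", "203.0.113.53", 53),
]


def filter_traffic(rules, packets):
    """Return (packet, action, reason) for each packet, in order."""
    return [(pkt, *evaluate(rules, pkt)) for pkt in packets]


if __name__ == "__main__":
    for pkt, action, why in filter_traffic(ACL, SAMPLE_TRAFFIC):
        print(f"{action:6} {pkt.iface:7} {pkt.proto:4} {pkt.src} -> {pkt.dst}:{pkt.dport}  ({why})")
```

Rule order matters in a first-match list: the anti-spoofing denies sit above the permits so that a forged packet addressed to the web server's port is still dropped, and the trailing implicit deny is what makes the SSH probe and the ICMP packet fail without a rule naming them.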
Packet Filtering (diagram)
Hybrid Systems
Combine the security of the application layer gateways with the flexibility and speed of packet filtering
Protecting Your Network
Protecting Confidential Information
Confidential information resides on:
physical storage media
the physical network, in the form of packets
Common methods of attack are:
network packet sniffers
IP spoofing
password attacks
distribution of sensitive internal information to external sources
man-in-the-middle attacks
So, what's best for me?
Secure Network Devices
Crypto-Capable Routers
Secure Modems; Dial-Back Systems
Virtual private network
Cryptography
Terminology
Plaintext or Cleartext
Encryption and decryption
Ciphertext
Cryptography and Cryptographers
Cryptanalysis and Cryptanalyst
Cryptology
Benefits
Ensures privacy and Confidentiality
Authenticates networked individuals and computers
Digital identification of persons and Authorization
Non-repudiation
Integrity
Process of Encryption
Tonight at 10PM → encrypt → P{k*76<I-o(6gH → decrypt → Tonight at 10PM
Contd.
Cipher: a set of rules for encoding data.
Basic encryption requires an algorithm and a key.
Key size determines the extent of security.
Two types of keys:
Secret key or symmetric encryption
public key or asymmetric encryption
Secret Key Cryptography
Message typed by Tim → Encrypt with Secret Key 9854 → P:k*76&io0gH → INTERNET → Decrypt with Secret Key 9854 → Original message read by Ann
Features
Advantage
Message secure
Disadvantages
Both parties must agree on a key
Same key: each can read the other's mail
n keys for n correspondents
Authenticity (a shared key does not tell which party sent a message)
Public Key Cryptography
Ann announces: "My public key is 90876832"
Message typed by Tim → Encrypt with Ann's Public Key 90876832 → :L-9n643h2#D → INTERNET → Decrypt with Ann's Private Key 64732819 → Original message read by Ann
Features
Advantages
Public key distributed without compromise through the service provider
Authenticates the message's originator
Disadvantages
Confidentiality
Digital Signatures
Working
Message digest, plus info about the signer and a timestamp, encrypted with the signer's secret (private) key
Uses
Verify the sender
Testify ownership of a public key
Cryptographic Hash Functions
Used to compute the message digest
Non-reversible
No key
Digest length: 128 bits
Hash functions: MD5 and SHA
Digital Certificates
The certificate authority accepts your public key along with some proof of your identity (the proof required varies with the class of certificate); like a driver's license
Certificate authorities: Verisign, Cybertrust, and Nortel; governments also issue digital certificates
Digital certificates (DC) are issued for a fee
Certificate Revocation List or CRL
Contents of a Digital Certificate
X's identifying information: name, organization, address
Issuing authority's digital signature and ID information
X's public key
Dates of validity of this digital ID
Class of certificate
Digital ID certificate number
Classes
Four classes of digital certificates:
CLASS 1: Name and e-mail ID
CLASS 2: Driver's license, SSN, date of birth
CLASS 3: Credit check
CLASS 4: Position in organization etc.
# verification requirements not yet finalized
Cryptographic system: advantages and disadvantages

| Encryption | Advantages | Disadvantages |
|---|---|---|
| Symmetric key | Fast; can be easily implemented in hardware | Both keys are the same; difficult to distribute keys; does not support digital signatures |
| Public key | Uses two different keys; relatively easy to distribute keys; provides integrity and non-repudiation through digital signatures | Slow and computationally intensive |
Breaking Keys

| Cost | 40 bits | 56 bits | 64 bits | 80 bits | 128 bits |
|---|---|---|---|---|---|
| $100 thousand | 2 secs | 35 hrs | 1 yr | 70000 yrs | 10^19 yrs |
| $1 million | .2 secs | 3.5 hrs | 37 days | 7000 yrs | 10^18 yrs |
| $100 million | 2 millisecs | 2 mins | 9 hrs | 7000 yrs | 10^16 yrs |
| $1 billion | .2 millisecs | 13 secs | 1 hr | 7 yrs | 10^15 yrs |
| $100 billion | 2 microsecs | .1 sec | 32 secs | 24 days | 10^13 yrs |

Comparison of Time and Money Needed to Break Different Length Keys (columns: length of key in bits)
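As an added worked check, not part of the slides, the first row of the table follows from the rule that every extra key bit doubles the number of keys a brute-force search must try: if $t_{40}$ is the time for a 40-bit key, then $t_k = t_{40} \cdot 2^{\,k-40}$. Taking $t_{40} = 2$ s at the $100 thousand budget and one year as $3.156 \times 10^{7}$ s:

$$
\begin{aligned}
t_{56} &= 2 \cdot 2^{16}\ \text{s} = 131072\ \text{s} \approx 36\ \text{h} \\
t_{64} &= 2 \cdot 2^{24}\ \text{s} \approx 3.36 \times 10^{7}\ \text{s} \approx 1.06\ \text{yr} \\
t_{80} &= 2 \cdot 2^{40}\ \text{s} \approx 2.20 \times 10^{12}\ \text{s} \approx 7.0 \times 10^{4}\ \text{yr} \\
t_{128} &= 2 \cdot 2^{88}\ \text{s} \approx 6.19 \times 10^{26}\ \text{s} \approx 2 \times 10^{19}\ \text{yr}
\end{aligned}
$$

which reproduces the 35 hrs, 1 yr, 70000 yrs and 10^19 yrs entries to the precision the table uses. The factor of one half for finding the key on average halfway through the keyspace cancels, since every entry is scaled from the same measured 40-bit time.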
Levels of security

| Secret-key length | Public-key length |
|---|---|
| 56 bits | 384 bits |
| 64 bits | 512 bits |
| 80 bits | 768 bits |
| 112 bits | 1792 bits |
| 128 bits | 2304 bits |

Secret-Key and Public-Key Lengths for Equivalent Levels of Security
Key Algorithms

| Function | Algorithms used | Process |
|---|---|---|
| Message encryption | IDEA, RSA | 1. Use IDEA with a one-time session key generated by the sender to encrypt the message. 2. Encrypt the session key with RSA using the recipient's public key. |
| Digital signature | MD5, RSA | 1. Generate a hash code of the message with MD5. 2. Encrypt the message digest with RSA using the sender's private key. |

Various Algorithms for Encryption Used by PGP
Secret Key Algorithms
Vigenère: historical cipher
Enigma: used by the Germans in World War II
SAFER: J.L. Massey; 64 and 128 bit keys; secure and fast
Contd.
DES: Data Encryption Standard
by IBM in 1977
56 bit key and 64 bit block size; easily breakable
variant: 3DES
Blowfish: Bruce Schneier
variable length key (<448 bits) and 64 bit block size
Contd.
IDEA: International Data Encryption Algorithm
ETH Zurich in 1991
128 bit key
very secure
RC2 & RC4: RSA Data Security
variable key size (40 bits common)
block (RC2) & stream (RC4) cipher
Public Key Algorithms
RSA: Rivest-Shamir-Adleman; used for signing and encryption
long keys (512, 768, 1024, 2048 bits); security rests on factoring large integers
Vulnerable to: chosen plaintext attacks; timing attacks
Elliptic curve public key cryptosystems: new and slow but secure
Contd.
Diffie-Hellman
oldest; for key exchange
based on the discrete logarithm problem; needs a strong prime and a generator
Vulnerable to timing attack
DSS: Digital Signature Standard, US government
risk of leaking hidden data and revealing the secret key
Contd.
ElGamal
based on the discrete logarithm problem
LUC: Peter Smith
Uses Lucas functions
Four variations:
LUCDIF: key exchange, like Diffie-Hellman
LUCELG PK: public key encryption, like ElGamal
LUCELG DS: digital signature, like ElGamal
LUCDSA: like the US DSS
Hash Functions
MD2, MD4, MD5: Message Digest algorithms (MD5 is Message Digest algorithm 5)
from RSA Data Security
MD2, MD4, MD5 map any length byte string to a 128 bit value
popular and secure
SHA: Secure Hash Algorithm
by the US government
Produces a 160 bit hash value
Attacks on Cryptosystems
Ciphertext-only attack
Known-plaintext attack
Chosen-plaintext attack
Man-in-the-middle attack
Timing attack
Cryptographic Protocols
DNSSEC: Domain Name System Security
GSSAPI: Generic Security Services API
SSL: Secure Sockets Layer
SHTTP: Secure Hypertext Transfer Protocol
S/MIME: Secure MIME
MSP: Message Security Protocol
PKCS: Public Key Cryptography Standards
SSH2 Protocol
CryptoAPI and CDSA
CryptoAPI: Microsoft, for Windows 95 and Windows NT
calling cryptographic functions through a standardized interface
modular
processing and managing digital certificates
CDSA: Common Data Security Architecture, Intel, cross platform