Lecture III: Communication Security Mechanisms
Internet Security: Principles & Practices
John K. Zao, PhD (Harvard), SMIEEE
Computer Science Department, National Chiao Tung University
2  X.800: Security Architecture
- Security Services
  - Service Types
  - Service Layer Mapping
- Security Mechanisms
  - Mechanism Definition
  - Service-Mechanism Mapping
3  Security Mechanisms
- Encipherment with secret-key / public-key cryptography
- Data integrity with one-way hash functions
- Authentication
- Access control
- Digital signature with public-key cryptography
- Traffic padding
- Notarization
4  Symmetric / Secret-Key Encipherment
- Algorithms use the same key for encryption and decryption; the symmetric / secret key must be dispatched in secret
- Used for bulk encryption / decryption
- Also used in the following security service: authentication
[Figure: a random number generator produces the symmetric key; Clear -> Encryption (symmetric key) -> Cipher -> Decryption (symmetric key) -> Clear]
5  Asymmetric / Public-Key Encipherment
- Algorithms use different keys for encryption and decryption
- The public key is disclosed, but the private key is kept secret
- Computationally intensive; based on large prime numbers
- Also used in the following security services: digital signatures, authentication exchange
[Figure: Clear -> Encryption (public key) -> Cipher -> Decryption (private key) -> Clear]
6  Data Encryption & Key Distribution
[Figure: a random number generator produces a symmetric key; the symmetric key is encrypted with the recipient's public key and recovered by decryption with the private key; the clear text is then enciphered and deciphered with that symmetric key: Clear -> Encryption -> Cipher -> Decryption -> Clear]
7  Message Digest
- Message originator computes a fixed-length message digest from the message using a one-way hash transformation (MD5 in the figure)
- Message recipient validates message integrity by computing the message hash and comparing it with the message digest
[Figure: Message -> MD5 -> Digest]
8  Digital Signature
- The signature is the public-key encrypted hash of a document and its relevant parameters
[Figure: Message -> MD5 -> Hash -> Decryption with the private key -> Digital Signature; the message together with its signature forms the Signed Document]
9  Digital Signature Validation
- Message recipients can validate the signature by encrypting it with the public key and comparing the result with the document's hash value
[Figure: Signed Document -> Message -> MD5 -> Hash; Digital Signature -> Encryption with the public key -> Hash; Hash = Hash? -> Valid?]
10  Challenge-Response Authentication (Internet Security - ComSec Services & Mechanisms, Spring 2011)
- Challenger sends a challenge consisting of a random number to the Responder
- Responder creates a response by digitally signing the challenge with its private key and returns the response to the Challenger
- Challenger processes the response with the public key of the legitimate Responder and compares the result with the original challenge
[Figure: Random Number Generator -> Challenge -> Decryption with the private key -> Response -> Encryption with the public key -> Challenge (recovered) -> Same as the original?]
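The chain of slides 7 to 10 (hash, sign, verify, challenge-response) as one runnable exchange; this is an added example, not part of the lecture. Textbook RSA over constructed toy primes stands in for the slides' private-key "encryption" of the hash, and SHA-256 replaces the MD5 shown on the slides because MD5 is no longer collision-resistant; a deployed system uses a vetted library with 2048-bit or larger keys, never textbook RSA.

```python
import hashlib
import secrets


def make_toy_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA key pair from two primes. Constructed, toy-sized parameters:
    real systems use 2048-bit+ moduli from a vetted library, never textbook RSA."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, e), (n, d)               # (public key, private key)


def digest(message: bytes, n: int) -> int:
    """Slide 7: fixed-length one-way hash of the message (SHA-256 here, not MD5),
    reduced mod n so that it is a valid input for the toy RSA modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Slide 8: the signature is the hash 'encrypted' with the private key."""
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Slide 9: 'encrypt' the signature with the public key, compare with the hash."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


# Slide 10: the two parties of challenge-response authentication.
def responder_answer(challenge: bytes, private_key) -> int:
    """Responder proves its identity by signing the challenger's random number."""
    return sign(challenge, private_key)


def challenger_check(challenge: bytes, response: int, legitimate_public_key) -> bool:
    """Challenger recovers the challenge with the legitimate Responder's public key."""
    return verify(challenge, response, legitimate_public_key)


def run_round(responder_private_key, legitimate_public_key, challenge=None) -> bool:
    """One full exchange; a fresh 128-bit nonce unless a fixed one is given for testing."""
    challenge = challenge if challenge is not None else secrets.token_bytes(16)
    response = responder_answer(challenge, responder_private_key)
    return challenger_check(challenge, response, legitimate_public_key)


if __name__ == "__main__":
    pub, priv = make_toy_keypair(1000003, 1000033)  # constructed toy primes
    print("legitimate responder accepted:", run_round(priv, pub))
```

A Responder holding a different private key produces a response that the Challenger rejects, which is the property the slide's "Same?" comparison checks.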
11  Service-Mechanism Mapping
A security service may need to be implemented by several different security mechanisms.
[Table: rows are the X.800 security services (Peer Entity Authentication, Data Origin Authentication, Connection Confidentiality, Connectionless Confidentiality, Selective Field Confidentiality, Traffic Flow Confidentiality, Connection Integrity with Recovery, Connection Integrity without Recovery, Selective Field Connection Integrity, Connectionless Integrity, Selective Field Connectionless Integrity, Non-repudiation of Origin, Non-repudiation of Delivery, Access Control); columns are the mechanisms (Encipherment, Digital Signature, Access Control, Data Integrity, Authentication, Traffic Padding, Routing Control, Notarization); a Y marks each mechanism that can implement a service. The individual Y marks did not survive extraction.]
12  Further Reading (Internet Security - X.800 Security Services)
- Book: Network Security Essentials, Ch. 1, Introduction, pp. 15-35; web page: http://williamstallings.com/networksecurity/
- Websites: X.800 Security Services: http://en.wikipedia.org/wiki/security_service_(telecommunication); Availability: http://en.wikipedia.org/wiki/availability