Security: Focus of Control

Similar documents
Security: Focus of Control. Authentication

Security issues: Encryption algorithms. Threats Methods of attack. Secret-key Public-key Hybrid protocols. CS550: Distributed OS.

14. Internet Security (J. Kurose)

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography

CS Computer Networks 1: Authentication

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Internet and Intranet Protocols and Applications

Network Security. Computer Networking: A Top Down Approach Featuring the Internet, 2 nd edition. Jim Kurose, Keith Ross Addison-Wesley, July 2002.

Verteilte Systeme (Distributed Systems)

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Computer Networks. Wenzhong Li. Nanjing University

Chapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010

CSC 8560 Computer Networks: Network Security

From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005

key distribution requirements for public key algorithms asymmetric (or public) key algorithms

Encryption. INST 346, Section 0201 April 3, 2018

Cryptographic Protocols 1

Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology. Question Bank

Kurose & Ross, Chapters (5 th ed.)

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Network Security Chapter 8

CS November 2018

Security Handshake Pitfalls

SECURITY IN NETWORKS 1

Chapter 8. Network Security. Need for Security. An Introduction to Cryptography. Transposition Ciphers One-Time Pads

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Chapter 8 Network Security

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

Chapter 8. Computer Networking: A Top Down Approach Featuring the Internet, 3 rd edition. Jim Kurose, Keith Ross Addison-Wesley, July 2004.

UNIT - IV Cryptographic Hash Function 31.1

(2½ hours) Total Marks: 75

Network Security. Chapter 8. MYcsvtu Notes.

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

SECURITY IN NETWORKS

CSC/ECE 774 Advanced Network Security

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

Information Security CS 526

Ref:

CSC 774 Network Security

Chapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Modern cryptography 2. CSCI 470: Web Science Keith Vertanen

Cryptography (Overview)

Introduction and Overview. Why CSCI 454/554?

CSC 474/574 Information Systems Security

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Pre-exam 3 Review. Fall Paul Krzyzanowski Distributed Systems

Chapter 4: Securing TCP connections

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Cryptographic Checksums

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Distributed Systems Principles and Paradigms

Chapter 9: Key Management

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

David Wetherall, with some slides from Radia Perlman s security lectures.

Distributed Systems Principles and Paradigms. Chapter 09: Security

The Network Security Model. What can an adversary do? Who might Bob and Alice be? Computer Networks 12/2/2009. CSC 257/457 - Fall

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

Data Communication Prof.A.Pal Dept of Computer Science & Engineering Indian Institute of Technology, Kharagpur Lecture - 40 Secured Communication - II

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

CIS 6930/4930 Computer and Network Security. Final exam review

Radius, LDAP, Radius, Kerberos used in Authenticating Users

Chapter 8 Web Security

Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Smalltalk 3/30/15. The Mathematics of Bitcoin Brian Heinold

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Computer Communication Networks Network Security

Session key establishment protocols

Security in Distributed Systems. Network Security

COSC4377. Chapter 8 roadmap

CPSC 467b: Cryptography and Computer Security

Cryptography. some history. modern secret key cryptography. public key cryptography. cryptography in practice

Security Handshake Pitfalls

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Session key establishment protocols

Information Security & Privacy

E-commerce security: SSL/TLS, SET and others. 4.1

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Authentication Part IV NOTE: Part IV includes all of Part III!

T Cryptography and Data Security

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Digital Signatures. Secure Digest Functions

Security and Privacy. Xin Liu Computer Science University of California, Davis. Introduction 1-1

User Authentication. Modified By: Dr. Ramzi Saifan

Transport Level Security

Overview. SSL Cryptography Overview CHAPTER 1

Authentication in Distributed Systems

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

Lecture 1 Applied Cryptography (Part 1)

Computer Networks & Security 2016/2017

Transcription:

Security: Focus of Control Three approaches for protection against security threats a) Protection against invalid operations b) Protection against unauthorized invocations c) Protection against unauthorized users 1

Authentication Question: how does a receiver know that remote communicating entity is who it is claimed to be? 2

Authentication Protocol (ap) Ap 1.0 Alice to Bob: I am Alice Problem: intruder Trudy can also send such a message Ap 2.0 Authenticate source IP address is from Alice s machine Problem: IP Spoofing (send IP packets with a false address) Ap 3.0: use a secret password Alice to Bob: I am Alice, here is my password (e.g., telnet) Problem: Trudy can intercept Alice s password by sniffing packets 3

Authentication Protocol Ap 3.1: use encryption use a symmetric key known to Alice and Bob Alice & Bob (only) know secure key for encryption/decryption A to B: msg = encrypt("i am A") B computes: if decrypt(msg)=="i am A" then A is verified else A is fradulent failure scenarios: playback attack Trudy can intercept Alice s message and masquerade as Alice at a later time 4

Authentication Using Nonces Problem with ap 3.1: same password is used for all sessions Solution: use a sequence of passwords pick a "once-in-a-lifetime-only" number (nonce) for each session Ap 4.0 A to B: msg = "I am A" /* note: unencrypted message! */ B to A: once-in-a-lifetime value, n A to B: msg2 = encrypt(n) /* use symmetric keys */ B computes: if decrypt(msg2)==n then A is verified else A is fradulent note similarities to three way handshake and initial sequence number choice problems with nonces? 5

Authentication Using Public Keys Ap 4.0 uses symmetric keys for authentication Question: can we use public keys? symmetry: DA( EA(n) ) = EA ( DA(n) ) AP 5.0 A to B: msg = "I am A" B to A: once-in-a-lifetime value, n A to B: msg2 = DA(n) B computes: if EA (DA(n))== n then A is verified else A is fradulent 6

Problems with Ap 5.0 Bob needs Alice s public key for authentication Trudy can impersonate as Alice to Bob Trudy to Bob: msg = I am Alice Bob to Alice: nonce n (Trudy intercepts this message) Trudy to Bob: msg2= DT(n) Bob to Alice: send me your public key (Trudy intercepts) Trudy to Bob: send ET (claiming it is EA) Bob: verify ET(DT(n)) == n and authenticates Trudy as Alice!! Moral: Ap 5.0 is only as secure as public key distribution 7

Man-in-the-middle Attack Trudy impersonates as Alice to Bob and as Bob to Alice Alice Trudy Bob I am A I am A nonce n DT(n) send me ET ET nonce n DA(n) send me EA EA Bob sends data using ET, Trudy decrypts and forwards it using EA!! (Trudy transparently intercepts every message) 8

Digital Signatures Using Public Keys Goals of digital signatures: sender cannot repudiate message never sent ("I never sent that") receiver cannot fake a received message Suppose A wants B to "sign" a message M B sends DB(M) to A A computes if EB ( DB(M)) == M then B has signed M Question: can B plausibly deny having sent M? 9

Message Digests Encrypting and decrypting entire messages using digital signatures is computationally expensive Routers routinely exchange data Does not need encryption Needs authentication and verify that data hasn t changed Message digests: like a checksum Hash function H: converts variable length string to fixed length hash Digitally sign H(M) Send M, DA(H(m)) Can verify who sent the message and that it has been changed! Property of H Given a digest x, it is infeasible to find a message y such that H(y) = x It is infeasible to find any two messages x and y such that H(x) = H(y) 10

Hash Functions : MD5 The structure of MD5 11

Hash Functions MD5 not secure any more SHA hash functions (SHA = Secure Hash Algorithm) SHA-1 : 160-bit function that resembles MD5 SHA-2: family of two hash functions (SHA-256 and SHA-512) Developed by NIST and NSA 12

Symmetric key exchange: trusted server Problem: how do distributed entities agree on a key? Assume: each entity has its own single key, which only it and trusted server know Server: will generate a one-time session key that A and B use to encrypt communication will use A and B's single keys to communicate session key to A, B 13

Key Exchange: Key Distribution Center (1) The principle of using a KDC. 14

Authentication Using a Key Distribution Center (2) Using a ticket and letting Alice set up a connection to Bob. 15

Authentication Using a Key Distribution Center (3) The Needham-Schroeder authentication protocol. 16

Public Key Exchange Mutual authentication in a public-key cryptosystem. 17

Public key exchange: trusted server public key retrieval subject to man-in-middle attack locate all public keys in trusted server everyone has server's encryption key (ES public) suppose A wants to send to B using B's "public" key use certificates: public keys signed by certification authority certificates can be revoked as well 18

Diffie-Hellman Key Exchange How to choose a key without encryption Agree on n,g large integers Alice choose secret x, Bob chooses secret y 19

Security in Enterprises Multi-layered approach to security in modern enterprises Security functionality spread across multiple entities Firewalls (policies + ports) Deep Packet inspection Virus and email scanners VLANs Network radius servers Securing WiFi VPNs Securing services using SSL, cerificates, kerberos 20

Security in Internet Services Websites SSL + authentication + captchas Challenge-response authentication paypal Two factor authentication Gmail: password + mobile phone One-time passwords Hotmail one-time password Online merchant payments: paypal, amazon payments, google checkouts 21

Protection Against Intruders: Firewalls A common implementation of a firewall. 22

Firewalls Firewall: network components (host/router+software) sitting between inside ("us") and outside ("them) Packet filtering firewalls: drop packets on basis of source or destination address (i.e., IP address, port) Application gateways: application specific code intercepts, processes and/or relays application specific packets e.g., email of telnet gateways application gateway code can be security hardened can log all activity 23

Access Control Access control lists Capabilities Protection domains 24

Secure Email Requirements: Secrecy Sender authentication Message integrity Receiver authentication Secrecy Can use public keys to encrypt messages Inefficient for long messages Use symmetric keys Alice generates a symmetric key K Encrypt message M with K Encrypt K with E B Send K(M), E B (K) Bob decrypts using his private key, gets K, decrypts K(M) 25

Secure Email Authentication and Integrity (with no secrecy) Alice applies hash function H to M (H can be MD5 or SHA) Creates a digital signature D A (H(M)) Send M, D A (H(M)) to Bob Putting it all together Compute H(M), D A (H(M)) M = { M, D A (H(M)) } Generate symmetric key K, compute K(M ) Encrypt K as E B (K) Send K(M ), E B (K) Used in PGP (pretty good privacy) 26

Secure Sockets Layer (SSL) SSL: Developed by Netscape Provides data encryption and authentication between web server and client SSL lies above the transport layer Useful for Internet Commerce, secure mail access (IMAP) Features: SSL server authentication Encrypted SSL session SSL client authentication 27

Secure Socket Layer Protocol: https instead of http Browser -> Server: B s SSL version and preferences S->B: S s SSL version, preferences, and certificate Certificate: server s RSA public key encrypted by CA s private key B: uses its list of CAs and public keys to decrypt S s public key B->S: generate K, encrypt K with with E S B->S: future messages will be encrypted, and K(m) S->B: future messages will be encrypted, and K(m) SSL session begins 28

Example: Kerberos (1) Assist clients in setting up secure channel with a server Auth Server (AS) provides login service Ticket granting service (TGS) sets up secure channel Tickets are used to convince the server of the authenticity of the client Single signon: no need to auth to other servers separately 29

Electronic Payment Systems (1) Payment systems based on direct payment between customer and merchant. a) Paying in cash. b) Using a check. c) Using a credit card. 30

E-cash The principle of anonymous electronic cash using blind signatures. 31

BitCoin Digital currency: P2P electronic cash, Decentralized Open source crypto protocol Satoshi Nakamoto New coins made by bitcoin servers expend resources to generate a coin 25 coins generated every 10 minutes Uses digital signatures to pay to public keys Bitcoin blockchain: distributed transaction ledger 32

Secure Electronic Transactions (SET) The different steps in SET. 33

Blockchain: Distributed Ledger Blockchain: distributed public ledger of transactions Lists all financial transactions, distributed DB Generic protocol for transactions based on public key cryptography Applications: stock register, land transactions, marriage records, smart contracts Sign a transaction with private key and insert in the ledger Every block contains multiple transactions Massively duplicated; shared using P2P file transfer protocol Updated by special nodes miners to append blocks All Network nodes perform validation and clearing Miners perform settlement using distributed consensus 34

How Blockchain works ] 35

Bitcoin Bitcoin: use blockchain to track financial transactions Hold bitcoins in a digital wallet, pay for goods & services Payment transactions are recorded in the Bitcoin blockchain 36

Security: conclusion key concerns: encryption authentication key exchange also: increasingly an important area as network connectivity increases digital signatures, digital cash, authentication, increasingly important an important social concern further reading: Crypto Policy Perspectives: S. Landau et al., Aug 1994 CACM Internet Security, R. Oppliger, CACM May 1997 www.eff.org 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback