CS 356 Internet Security Protocols. Fall 2013

Similar documents
CSCE 715: Network Systems Security

Cryptography and Network Security

Transport Layer Security

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

IP Security. Have a range of application specific security mechanisms

Transport Level Security

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

CSCE 715: Network Systems Security

Transport Layer Security

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

Pretty Good Privacy (PGP

CSCE 813 Internet Security Secure Services I

Cryptography and Network Security. Sixth Edition by William Stallings

Chapter 4: Securing TCP connections

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Summary of PGP Services

CSC 6575: Internet Security Fall 2017

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

IPSec. Overview. Overview. Levente Buttyán

Chapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

Internet security and privacy

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Cryptography and Network Security. Sixth Edition by William Stallings

Secure Socket Layer. Security Threat Classifications

(2½ hours) Total Marks: 75

Chapter 8 Web Security

Overview. SSL Cryptography Overview CHAPTER 1

Security by Any Other Name:

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Introduction and Overview. Why CSCI 454/554?

Internet security and privacy

Configuration of an IPSec VPN Server on RV130 and RV130W

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Chapter 8. Network Security. Need for Security. An Introduction to Cryptography. Transposition Ciphers One-Time Pads

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1516/ Chapter 16: 1

CSC 4900 Computer Networks: Security Protocols (2)

COSC4377. Chapter 8 roadmap

E-commerce security: SSL/TLS, SET and others. 4.1

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Cryptography (Overview)

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

APPLICATION LAYER APPLICATION LAYER : DNS, HTTP, , SMTP, Telnet, FTP, Security-PGP-SSH.

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Transport Layer Security

APNIC elearning: Cryptography Basics

Information Security & Privacy

Application Layer. Presentation Layer. Session Layer. Transport Layer. Network Layer. Data Link Layer. Physical Layer

HP Instant Support Enterprise Edition (ISEE) Security overview

14. Internet Security (J. Kurose)

Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology. Question Bank

Performance Implications of Security Protocols

Protocol Architecture (2) Suguru Yamaguchi Nara Institute of Science and Technology Department of Information Science

CSE509: (Intro to) Systems Security

MTAT Applied Cryptography

Security Protocols and Infrastructures. Winter Term 2010/2011

Innovation and Cryptoventures. Technology 101. Lee Jacobs and Campbell R. Harvey. February 22, 2017

Virtual Private Networks

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

CS669 Network Security

CSE543 Computer and Network Security Module: Network Security

Chapter 12 Security Protocols of the Transport Layer

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography

Outline. 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE

Chapter 6/8. IP Security

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

Network Encryption 3 4/20/17

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide

Network Security. Thierry Sans

Encryption. INST 346, Section 0201 April 3, 2018

CS 161 Computer Security

CRYPTOGRAPHY AND NETWROK SECURITY-QUESTION BANK

Chapter 8 Network Security

BCA III Network security and Cryptography Examination-2016 Model Paper 1

The IPsec protocols. Overview

Computer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography

10EC832: NETWORK SECURITY

TLS authentication using ETSI TS and IEEE certificates

Data Sheet. NCP Secure Entry Mac Client. Next Generation Network Access Technology

Virtual Private Network

Chapter 7. WEB Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Network Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Lecture 13 Page 1. Lecture 13 Page 3

WAP Security. Helsinki University of Technology S Security of Communication Protocols

L13. Reviews. Rocky K. C. Chang, April 10, 2015

IP Security IK2218/EP2120

Transcription:

CS 356 Internet Security Protocols Fall 2013

Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5 Database Security (skipped) Chapter 6 Malicious Software Networking Basics (not in book) Chapter 7 Denial of Service Chapter 8 Intrusion Detection Chapter 9 Firewalls and Intrusion Prevention Chapter 10 Buffer Overflow Chapter 11 Software Security Chapter 12 OS Security Chapter 22 Internet Security Protocols

Chapter 22 Internet Security Protocols and Standards

But First!!!!

Question #1: What was the first killer app on a PC?

Question #1: What was the first killer app on a PC? Answer: VISICALC, the world s 1 st spreadsheet

Question #2: What was the first and is still the biggest Internet killer app? Facebook? (850 million users) Twitter? (500 million users) YouTube? BitTorrent? World of Warcraft? Something else?

Question #2: What was the first and is still the biggest Internet killer app? Answer: EMAIL

EMAIL Popularity

RFC 821 Codified by Jon Postel in 1982 Postel laid out the essential messaging framework for Internet-connected computers (what today we d call ISPs or service providers) to exchange and forward messages. To be sure, the technology was raw and has been updated many times since (attachments and multi-part messages were standardized in the early 1990s, for instance).

Question #3 Who s that MIME?

Question #3 Who s that MIME? But this isn t the type of MIME used by EMAIL

MIME and S/MIME MIME extension to the old RFC 822 specification of an Internet mail format RFC 822 defines a simple heading with To, From, Subject assumes ASCII text format provides a number of new header fields that define information about the body of the message S/MIME Secure/Multipurpose Internet Mail Extension security enhancement to the MIME Internet e-mail format based on technology from RSA Data Security provides the ability to sign and/or encrypt e-mail messages

MIME Content Types

S/MIME Content Types

Typical S/MIME Process Bob's private key One-time session key Alice's public key This is an S/MIME message from Bob to Alice. Bob will sign and encrypt the message before sending it to This is an S/MIME message from Bob to Alice. Bob will sign and encrypt the message before sending it to DhYz949avHVA t5upjuxn8l79o ADnluV3vpuhE HMEcMBB1K9 Y8ZoJOYAmF2 BsIpLbjDkNJQR j98iklssmju650 SoDlFkYYtTqw po9812kklmhx cfgiu8700qqrr sdfgiuytp0m8 H7G4FF32jkoN NNmj78uqwplH Plaintext message (unisigned) Digital signature added (DSS/SHA) Message with signature encrypted with one-time session key (Triple DES) Encrypted copy of session key added (El Gamal) Document converted to Radix-64 format Figure 22.1 Typical S/MIME Process

S/MIME Cryptographic Algorithms default algorithms used for signing messages are DSS and SHA-1 RSA public-key encryption algorithm can be used with SHA-1 or the MD5 message digest algorithm for forming signatures radix-64 or base64 mapping is used to map the signature and message into printable ASCII characters

S/MIME Public Key Certificates default algorithms used for encrypting S/MIME messages are 3DES and EIGamal EIGamal is based on the Diffie-Hellman public-key exchange algorithm if encryption is used alone radix-64 is used to convert the ciphertext to ASCII format basic tool that permits widespread use of S/MIME is the public-key certificate S/MIME uses certificates that conform to the international standard X.509v3

S/MIME Functions

DomainKeys Identified Mail (DKIM) specification of cryptographically signing e-mail messages permitting a signing domain to claim responsibility for a message in the mail stream proposed Internet Standard (RFC 4871: DomainKeys Identified Mail (DKIM) Signatures) has been widely adopted by a range of e-mail providers

Message transfer agent (MTA) SMTP Message transfer agent (MTA) SMTP Message transfer agent (MTA) SMTP (SMTP, local) Mail submission agent (MSA) Message handling system (MHS) Mail delivery agent (MDA) SMTP Message user agent (MUA) Message author (SMTP, local) Message store (MS) Internet Mail Architecture (IMAP, POP, local) Message recipient Message user agent (MUA) Figure 22.2 Function Modules and Standardized Protocols Used Between Them

MTA MTA SMTP SMTP DNS Public key query/response MDA DNS MSA Signer SMTP POP, IMAP SMTP MUA MUA Mail origination network Mail delivery network DNS = domain name system MDA = mail delivery agent MSA = mail submission agent MTA = message transfer agent MUA = message user agent Figure 22.3 Simple Example of DKIM Deployment Verifier Example of DKIM Deployment

Today s ACTING lesson I need 3 volunteers, preferably someone who can act

You receive this EMAIL

It takes you to this web site

Or maybe this web site Unknown Web site Certificate Accept Anyway? yes no

Secure Sockets Layer (SSL) one of the most widely used security services general-purpose service implemented as a set of protocols that rely on TCP subsequently became Internet standard RFC2246: Transport Layer Security (TLS)

SSL Protocol Stack SSL Handshake Protocol SSL Change Cipher Spec Protocol SSL Alert Protocol HTTP SSL Record Protocol TCP IP Figure 22.4 SSL Protocol Stack

SSL Record Protocol Operation Application Data Fragment Compress Add MAC Encrypt Append SSL Record Header Figure 22.5 SSL Record Protocol Operation

SSL Change Cipher Spec Protocol one of three SSL specific protocols that use the SSL Record Protocol is the simplest consists of a single message which consists of a single byte with the value 1 sole purpose of this message is to cause pending state to be copied into the current state hence updating the cipher suite in use

SSL Alert Protocol

SSL Handshake Protocol most complex part of SSL is used before any application data are transmitted allows server and client to: comprises a series of messages exchanged by client and server exchange has four phases

Client Server Time client_hello server_hello certificate server_key_exchange certificate_request server_hello_done certificate Phase 1 Establish security capabilities, including protocol version, session ID, cipher suite, compression method, and initial random numbers. Phase 2 Server may send certificate, key exchange, and request certificate. Server signals end of hello message phase. SSL Handshake Protocol client_key_exchange certificate_verify Phase 3 Client sends certificate if requested. Client sends key exchange. Client may send certificate verification. change_cipher_spec finished change_cipher_spec finished Phase 4 Change cipher suite and finish handshake protocol. Note: Shaded transfers are optional or situation-dependent messages that are not always sent. Figure 22.6 Handshake Protocol Action

HTTPS (HTTP over SSL) combination of HTTP and SSL to implement secure communication between a Web browser and a Web server built into all modern Web browsers search engines do not support HTTPS URL addresses begin with https:// documented in RFC 2818, HTTP Over TLS agent acting as the HTTP client also acts as the TLS client closure of an HTTPS connection requires that TLS close the connection with the peer TLS entity on the remote side, which will involve closing the underlying TCP connection

Virtual Private Networks (VPN) A secure tunnel through the internet

Before VPNs Corporations used LEASED LINES to create a WAN among their various geographic sites

VPN From Wikipedia

IP Security (IPsec) various application security mechanisms S/MIME, PGP, Kerberos, SSL/HTTPS security concerns cross protocol layers would like security implemented by the network for all applications authentication and encryption security features included in next-generation IPv6 also usable in existing IPv4

IPsec general IP security mechanism s Provides: provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet

IPsec Uses

Benefits of IPsec when implemented in a firewall or router, it provides strong security to all traffic crossing the perimeter in a firewall it is resistant to bypass below transport layer, hence transparent to applications can be transparent to end users can provide security for individual users secures routing architecture

The Scope of IPsec

Security Associations a one-way relationship between sender and receiver that affords security for traffic flow if a peer relationship is needed for two-way secure exchange then two security associations are required is uniquely identified by the Destination Address in the IPv4 or IPv6 header and the SPI in the enclosed extension header (AH or ESP)

Encapsulating Security Payload (ESP) Bit: 0 16 24 31 Security Parameters Index (SPI) Sequence Number Confidentiality Coverage Authentication Coverage Payload Data (variable) Padding (0-255 bytes) Pad Length Next Header Authentication Data (variable) Figure 22.7 IPSec ESP Format

Transport and Tunnel Modes transport mode protection extends to the payload of an IP packet typically used for end-to-end communication between two hosts ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header tunnel mode provides protection to the entire IP packet the entire original packet travels through a tunnel from one point of an IP network to another used when one or both ends of a security association are a security gateway such as a firewall or router that implements IPsec with tunnel mode a number of hosts on networks behind firewalls may engage in secure communications without implementing IPsec

Summary secure E-Mail and S/MIME DomainKeys Identified Mail Internet mail architecture DKIM strategy Secure Sockets Layer (SSL) and Transport Layer Security (TLS) SSL architecture SSL record protocol change cipher spec protocol alert protocol handshake protocol HTTPS connection initiation connection closure Virtual Private Networks (VPN) IPv4 and IPv6 security IP security overview scope of IPsec security associations encapsulating security payload transport and tunnel modes

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback