* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Powerpoint Slides
Trusted Computing wikipedia , lookup
Information security wikipedia , lookup
Computer and network surveillance wikipedia , lookup
Next-Generation Secure Computing Base wikipedia , lookup
Deep packet inspection wikipedia , lookup
Computer security wikipedia , lookup
Proxy server wikipedia , lookup
Unix security wikipedia , lookup
Security-focused operating system wikipedia , lookup
One-time pad wikipedia , lookup
Authentication wikipedia , lookup
Mobile security wikipedia , lookup
Digital signature wikipedia , lookup
Quantum key distribution wikipedia , lookup
Electronic authentication wikipedia , lookup
Wireless security wikipedia , lookup
Security and safety features new to Windows Vista wikipedia , lookup
Cryptanalysis wikipedia , lookup
Public-key cryptography wikipedia , lookup
Cryptography wikipedia , lookup
Cracking of wireless networks wikipedia , lookup
Cybercrime countermeasures wikipedia , lookup
Web of trust wikipedia , lookup
Post-quantum cryptography wikipedia , lookup
History of cryptography wikipedia , lookup
Diffie–Hellman key exchange wikipedia , lookup
Network/Information Security “The terms network security and information security refer in a broad sense to confidence that information and services available on a network cannot be accessed by unauthorized users.” (Comer 1995) Need to protect Physical resources (disks, computers, cables, bridges, routers, etc.) Abstract resources (information) Security Requirements Data integrity - protecting information from unauthorized change. Data availability - guaranteeing that outsiders cannot prevent legitimate data access. Confidentiality/Privacy - preventing unauthorized listening. Security Requirements (contd..) Authentication - ensuring that a message indeed originated from its apparent source. Non-repudiation - ensuring that a party to a transaction cannot subsequently deny that this transaction took place. Internet Security Mechanisms Authentication Mechanisms: IP source authentication, Public key encryption Privacy Mechanism: Encryption Access Control Mechanisms: Internet firewall Authentication and privacy mechanisms can be added to application programs. Access control requires basic changes to Internet infrastructure. IP Source Authentication Server maintains a list of valid IP source addresses. Weak because it can be broken easily. An imposter can gain control of an intermediate router and impersonate an authorized client. An imposter can also impersonate a server. Public Key Encryption System Each end-entity has a cryptographic key pair a private key that is kept secret at that endentity, and a public key which is distributed. Keys, which are large integers, are used to encode and decode messages. A message encoded using one key can be decoded using the other. Public Key Encryption System (contd.) Message encrypted by a public key can only be decrypted by the holder of the corresponding private key. Private key can be used to generate a digital signature and anyone knowing the public key can authenticate it. Guessing or calculating the secret private key is an extremely difficult task. Public Key Encryption System (contd.) Public key encryption scheme can also handle the problem of privacy. Sender uses the receiver’s public key to encode the message. Receiver uses it’s private key to decode the message. Messages can be encoded twice to authenticate the sender and to enforce privacy. First with the sender’s private key and then with the receiver’s public key. Certificates and Certification Authorities To ensure authenticity, public keys are generally distributed in the form of certificates. A certificate contains a public key value identity of the holder of the corresponding private key digital signature of the certification authority (CA) Certificates and Certification Authorities (contd.) A CA is a trusted party whose public key is known, e.g., VeriSign, Inc. The recipient uses the public key of the CA, to decrypt the sender's public key in the certificate. The most vulnerable part of this method is the CA’s private key, which is used to digitally sign the certificate. SSL Handshake Messages exchanged in a typical SSL handshake CLIENT SERVER ClientHello A list of cipher suites supported ClientKeyExchange A random challenge, encrypted with the server’s public key ServerHello Server selects a cipher suite, usually RSA Certificate Server sends its certificate HTTP communication begins over the secure channel Source: Abbott, S. 1999. The Debate for Secure E-Commerce. Performance Computing, February 1999, p.p.. 37-42. Secure Sockets Layer (SSL) The leading security protocol on the internet. Developed by Netscape. At the start of an SSL session, the browser sends its public key to the server. Server uses the browser’s public key to encrypt a secret key and sends it to the browser. During the session, the server and browser exchange data via secret key encryption. SSL (contd.) SSL has merged with other protocols and authentication methods to create a new protocol known as Transport Layer Security (TLS). Typically only server authentication is done. Authentication of browser’s (user’s) identity requires certificates to be issued to users. Internet Firewalls Firewall protects an organization’s internal networks, routers, computers, and data against unauthorized access. Security perimeter involves installing a firewall at each external connection. For effective control all firewalls must use exactly the same access restrictions. Internet Firewall Implementation A firewall must handle datagrams at the same speed as the connection to the outside world. To operate at network speeds, routers include a high-speed filtering mechanism. Filters form the basic building blocks of a firewall. Packet Filters Provides a basic level of network security at the IP level. Filtering is based on any combination of source IP address, destination IP address, protocol, source protocol port number, and destination protocol port number. Packet filters do not maintain context or understand the application they are dealing with. Packet Filters Specifying the datagrams that should be filtered is not very effective. Instead we specify which datagrams to admit. Security concerns IP spoofing (mimicing IP addresses of trusted machines) IP tunneling (one datagram is temporarily encapsulated in another) Packet Filters “If an organization’s firewall restricts incoming datagrams except for ports that correspond to services the organization makes available externally, an arbitrary application inside the organization cannot become a client of a server outside the organization.” (Comer, 1995) Proxy Firewalls Most secure form of firewall All incoming traffic is tunneled to the appropriate proxy gateway for mail, HTTP, FTP, etc. Proxies then direct the information to the internal network. Proxies are applications that make decisions based on context, authorization, & authentication rules instead of IP addresses. Proxy Firewalls (contd.) Proxy firewall operates at the highest level of the protocol stack. Proxies are relays between the Internet and the organization’s private network. Proxy’s firewall address is the only one available to the outside world. Some firewalls combine router and proxy techniques to provide more security.