Download Lec 2

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
Document related concepts

SIP extensions for the IP Multimedia Subsystem wikipedia , lookup

Telecommunication wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

History of cryptography wikipedia , lookup

Transcript 
Secure communications
Week 10 – Lecture 2
To summarise yesterday
• Security is a system issue
• Technology and security specialists are part of the
system
• Users from inside the organisation are usually the
biggest risk – they have the motivation
• As systems architect – you are responsible
• The system has to be designed to protect itself –
user profiles, database views etc.
Are Networks a risk?
• Yes
• Two main areas where an intruder can listen
passively
• Within a collision zone on the LAN – a “sniffer” can
look at all datagrams passing the NIC not just
datagrams addressed to it
• At a router – much more difficult
• Internet
• More difficult to read – sniff
• Easier to write – spoof - pretend to be someone else
Firewalls
• Routers as packet filters
• Application level firewalls - proxy
Application
Internal
Network
Outside world
Router
Firewalls
But there may be other connections to the outside world
Routers as Firewalls
• A Router is usually the connection to the outside
world
• Routers can check all packets
• Source & destination addresses
• Protocol – eg TCP UDP
• Port number – application eg Telnet
• Little intelligence – work quickly
• Use NAT to hide topology of the internal network
Application firewalls
• Mail servers & Internet proxy servers are examples
• Higher level of intelligence
• Can implement most security policies e.g. could limit
WEB requests from Purchasing to between 8:00am and
6:00pm
• Has logging & auditing capabilities
• Slows throughput but as a caching device can also speed
up WEB access
• Application specific
Secure communications
• Secrecy – only the two parties should
understand the messages
• Authentication – each party should know
the messages are from the right person
• Message integrity – the messages must not
be able to be changed
Secrecy - encryption
• Encryption has been around for centuries
• It used to be reliant on keeping the algorithm
secret
• But computers make it easier to encrypt and to
break the code
• Early computer development was made by code
breakers during WW2 – Enigma - Turing at
Bletchley Park
Four elements to encryption
• The Original or plain text
• An Encryption method – the algorithm is common
and normally well known – a transformation
method
• The Key – many locks are the same but the key is
different. The key must be secret to the parties.
• The Encrypted text
So keeping the key secret is the
requirement
• Secret
• Secure
• So how do you share keys?
Attacks on algorithms
• Brute force is too difficult
• Plain text attacks is more useful if you
know
– The algorithm
– The encrypted text and the
– Plain text (remember Enigma)
Common security protocols
• IPsec for IP traffic across the Internet – VPNs
• SSL – Secure Socket Layer – secures WWW
connections
• PGP – Pretty Good Privacy and S/MIME secure
email
• SET secures Internet financial transactions
These protocols may use different algorithms for encryption and
Digital signatures
Protocols use 6 basic tools
•
•
•
•
•
•
Symmetric encryption
Public key encryption
One way hash codes
Message authentication schemes
Digital signature schemes
Random number generators
Two types of key
• Symmetric key – each party has the same
key and thus must be kept secret
• Asymmetric or public keys –
• the writer uses a public key to encrypt, but this
cannot decrypt, thus it can be public knowledge
• The reader has a private key to decrypt. This must
be kept secret
Bob
Alice et al
Bob generates two keys
- he gives the public key to any one who wants it
- Bob keeps the private key
Bob however is the only
Person to have the private
Key, and thus only he can
Decrypt the message
Alice sends Bob a message
Encrypted with HIS public key
No one can decrypt the
Message with the public key
DES – Data Encryption Standard
•
•
•
•
Symmetric key
Developed by US National Bureau of Standards
Uses a 56 bit key (triple DES 112 bits)
In 2000 it took a network of computers 22 hours
to break the key
• Good enough for most of us.
RSA Algorithm
•
•
•
•
Asymmetric key method
Recommends a key length of 768 bits or greater
Asymmetric encryption takes 1000 more CPU time
Usually used in combination with DES
• Alice wants to talk to Bob
• Alice sends a DES key for the session to Bob, encrypted using
his public RSA key
• Only Bob can decrypt the session key
• It is then used for the session
• Kurose page 571 for details on these methods
Using the hybrid approach is usual
• It is normal in all security protocols
– PGP
– S/MIME
– Etc
• The protocol generates a session key using a
random number generator
• This is encrypted using the receiver’s public key
and sent to the other party
• The symmetric key is then used to encrypt the
session
Authentication
• If Alice sends a message to Bob, how does
he know it is Alice?
• Alice’s IP address – but can be spoofed
• Use a special password – but even if
encrypted it can be used in playback mode
• Use of a random number or nonce
Authentication by Nonce
• Alice sends Hi to Bob
• Bob sends back a “nonce” in plain text
• Alice encrypts the nonce with their
symmetric key
• Bob decrypts and compares it to the number
he sent
Message integrity
• The digital world need some way of knowing that a
message came from the specified person, has not been
changed, and that the writer cannot repudiate the message
• One characteristic of the RSA method is that it also works
in reverse. If Bob encrypts a message using his private key,
then it can be decrypted by a person having the public key
• Thus one knows
• It came from Bob
• It has not been changed
Message Digest
• Use of the RSA key might be overkill for large
documents
• Can calculate a fingerprint (like a hash total) that
will prove the message has not been changed
• This fingerprint is then encrypted with the
author’s private key
• Holders of the author’s public key can then know
that the message came from the author and has not
been changed
Key Distribution Centres
• Trusted intermediary - Verisign
• Can be authorised to distribute shared
private keys, or a person’s public key
VPN – Virtual Private Network
• Over a shared network infrastructure,
usually the Internet
• Through an encrypted connection
– Tunneling – set of predetermined router hops
– Encryption of the packet contents
– Packet and user authentication
• Most private WANs will soon be VPNs – 30
to 0% cheaper
Related documents
module4.1
module4.1
Information Security - National University of Sciences and
Information Security - National University of Sciences and
BLOOM`S TAXONOMY
BLOOM`S TAXONOMY
Problem: Alice and Bob play the following number game. Alice
Problem: Alice and Bob play the following number game. Alice
(pdf)
(pdf)
2012 Prelim Paper
2012 Prelim Paper
Plotting a Linear Relationship Between Two Variables
Plotting a Linear Relationship Between Two Variables
what is a secure element
what is a secure element
Background - comp
Background - comp
VeriSign: Enable everyone, everywhere to use the Internet with
VeriSign: Enable everyone, everywhere to use the Internet with
Real-time security
Real-time security
Tutorial 3 Selected Answers Question 13
Tutorial 3 Selected Answers Question 13