Network Security
Krerk Piromsopa. Department of Computer Engineering. Chulalongkorn University.

Network Security
• Communicate securely.
  – Secrecy (understood only by the sender and the intended receiver)
  – Authentication (confirm the identity of the other party involved)
  – Message integrity (the message is not altered)
• Passive intruder, active intruder
• Both parties might be routers, applications, etc.
• LAN
  – Packet sniffer (Ethernet promiscuous mode)

Secrecy (Encryption)
• Symmetric Key Cryptography
  – Caesar cipher
  – DES (Data Encryption Standard)
• Public Key Encryption
  – RSA algorithm (Ron Rivest, Adi Shamir, and Leonard Adleman)

Authentication
• Digital Signature
• Key Distribution and Certification (KDC)
• Certification Authority (CA)

Protocols
• PGP
• S/MIME
• SSL
• SET
• IPsec
  – AH (Authentication Header)
  – ESP

Secure sockets layer (SSL)
• Client: Browse secure page
• Server: Send server's CA
• Client: Got server's public key
• Client: Make random symmetric key and encrypt it using server's public key
• Server: Got symmetric key

SSL [figure]

Secure Email
• Public Key encryption
  – inefficient for long messages (attachments, images, audio, video)
• Symmetric key session
• Hash function and digital signatures
• PGP
• S/MIME

PGP
• PGP (short for Pretty Good Privacy), created by Philip Zimmermann, is the de facto standard program for secure e-mail and file encryption on the Internet. Its public-key cryptography system enables people who have never met to secure transmitted messages against unauthorized reading and to add digital signatures to messages to guarantee their authenticity.

Why do we need PGP?
E-mail sent over the Internet is more like paper mail on a postcard than mail in a sealed envelope. It can easily be read, or even altered, by anyone with privileged access to any of the computers along the route followed by the mail. Hackers can read and/or forge e-mail. Government agencies eavesdrop on private communications.

Secure electronic transaction (SET)
• Developed by Visa and MasterCard in Feb 1996
• Three software components
  – Browser wallet
  – Merchant server
  – Acquirer gateway

IPsec
• Authentication Header (AH)
  – Provides source host identification and data integrity, not secrecy
  – RFC 2402
• AH header includes
  – Next Header field
  – Security Parameter Index
  – Sequence Number
  – Authentication Data (digital signature)
• Encapsulation Security Payload (ESP)
  – Encrypt IP datagram
  – RFC 2406

Firewalls
• Benefits
  – Prevent intruders from interfering with the daily operation of the internal network: denial-of-service attack (SYN flooding).
  – Prevent intruders from deleting or modifying information stored within the internal network.
  – Prevent intruders from obtaining secret information.
• Packet Filtering
  – Source/destination IP address, TCP and UDP source/destination port, ICMP message type, TCP SYN and ACK
• Application Gateways
  – Provide services for a limited number of users.

Firewalls [figures]

VPN [figure]

Microsoft Passport
• Single-Sign-On

Microsoft Passport Risk
• DNS attacks
• Active attacks

EC investigates MS Passport's Privacy
• The European Commission is studying Microsoft's Passport system to ensure that the sign-on software complies with security and privacy requirements.
• An EC working party has questioned whether the Passport system breaks the European Union-US Safe Harbour agreement on data protection, which restricts the migration of personal data beyond the control of computer users to other countries.
• Source: Computer Weekly, 20 August 2002

Reference
• Firewall figures from http://www.firewalls.pl/
• http://www.setco.org/
• http://avirubin.com/passport.html
• http://www.usabilitynews.com/news/article644.asp
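
Added example (not part of the original slides): the AH header fields from the IPsec slide, parsed in the wire layout of RFC 2402, with an integrity check showing that AH detects tampering while the payload stays readable. Assumptions: the Authentication Data is modelled as a 12-byte HMAC-SHA1-96 value computed over the AH header and payload only (real AH also covers immutable IP header fields); the key, SPI and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

# Fixed part of the AH header (RFC 2402): Next Header, Payload Len,
# Reserved, Security Parameter Index, Sequence Number.
AH_FIXED = struct.Struct("!BBHII")
ICV_LEN = 12  # assumed HMAC-SHA1-96 Authentication Data


def _icv(key, fixed, payload):
    # The Authentication Data field is zeroed while the value is computed.
    msg = fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, msg, hashlib.sha1).digest()[:ICV_LEN]


def build_ah(next_header, spi, seq, payload, key):
    """Build a constructed AH header followed by its (cleartext) payload."""
    payload_len = (AH_FIXED.size + ICV_LEN) // 4 - 2  # AH length in 32-bit words minus 2
    fixed = AH_FIXED.pack(next_header, payload_len, 0, spi, seq)
    return fixed + _icv(key, fixed, payload) + payload


def parse_ah(buf):
    """Parse an AH header at the start of buf; return (fields, payload)."""
    if len(buf) < AH_FIXED.size:
        raise ValueError("truncated AH header")
    next_header, payload_len, reserved, spi, seq = AH_FIXED.unpack_from(buf)
    total = (payload_len + 2) * 4
    if total < AH_FIXED.size or len(buf) < total:
        raise ValueError("AH length field inconsistent with buffer")
    if reserved != 0:
        raise ValueError("reserved field must be zero")
    fields = {"next_header": next_header, "spi": spi, "sequence": seq,
              "auth_data": bytes(buf[AH_FIXED.size:total])}
    return fields, bytes(buf[total:])


def verify_ah(buf, key):
    """Return True if the Authentication Data matches header and payload."""
    fields, payload = parse_ah(buf)
    expected = _icv(key, bytes(buf[:AH_FIXED.size]), payload)
    return hmac.compare_digest(expected, fields["auth_data"])


# Constructed sample: next header 6 (TCP), SPI 0x1001, sequence number 1.
KEY = b"constructed-demo-key"
PACKET = build_ah(6, 0x1001, 1, b"constructed TCP segment", KEY)
```
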