Embed Size (px)
Citation preview
Internet Security - Farkas 1
CSCE 813CSCE 813 Midterm Topics Overview Midterm Topics Overview
Network AttacksNetwork Attacks
Classifications– Passive vs. Active– Against security objectives
What are the security objectives?
– Attacker’s activities Give some examples
Internet Security - Farkas 2
Forward SecrecyForward SecrecyCompromised key: permits the disclosure of
the data encrypted by the compromised key. No additional keys can be generated from
the compromised key. Perfect Forward Secrecy: compromise of a
single key will permit access to only data protected by a single key
Internet Security - Farkas 3
Why PFS is important for security protocols?
ProtectionProtection
Protection at storageProtection during usageProtection during transmission
Give an example attack and consequences for each
What are the basic security technologies?
Internet Security - Farkas 4
Internet Security - Farkas 5
Communication Security Communication Security Security ProtocolsSecurity Protocols
Cryptographic protocolsServices: secrecy, integrity, authentication,
key exchange, non-repudiation, etc.Components: communicating parties
(nodes), trusted third party, encryption algorithms, hash functions, timestamps, nonce, etc.
Internet Security - Farkas 6
Security Properties – Security Properties – Authentication of Origin Authentication of Origin
Verify – Who sent the message?– Who sent the message to whom?– Who sent the message to whom and how many
times?
Internet Security - Farkas 7
Security Properties Security Properties What is
– Non-interference– Message confidentiality– Sender authentication– Message authentication– Message integrity– Replay protection– …?
How can we support– Non-interference– Message confidentiality– Sender authentication– Message authentication– Message integrity– Replay protection– …?
Why do we need protocol analysis?
Internet Security - Farkas 8
AttacksAttacksKnown attacks
– Can be picked up by careful inspection
Non-intuitive attacks– Not easily apparent– May not depend on flaws or weaknesses of
cryptographic algs. – Use variety of methods, e.g., statistical analysis,
subtle properties of crypto algs., etc.
Internet Security - Farkas 9
TCP/IP Protocol StackTCP/IP Protocol Stack
Application Layer
Transport Layer
Internetwork Layer
Network Access Layer
How does the TCP/IP stack compares to the ISO-OSI model?
Why is layering a good idea?
How does layering impact the security capabilities?
What are the main protocols for each layer?
How do these protocols support security?
What are the main security What are the main security capabilities supported by the capabilities supported by the
security protocols? security protocols?
Internet Security - Farkas 10
Internet Security - Farkas 11
Security -- At What Security -- At What LayerLayer??
Where to implement security? Basic services that need to be implemented:
Key managementConfidentialityNonrepudiationIntegrity/authenticationAuthorization
What are the security technologies supporting these services?
Internet Security - Farkas 12
Network AccessNetwork Access Layer Layer
Responsible for packet transmission on the physical media
Protocols: Ethernet, Token Ring, Asynchronous Transfer Mode (ATM)
How does Ethernet support security?
Application Layer
Transport Layer
Network Layer
Network Access L
Virtual Private NetworkVirtual Private Network
L2TP: combines Layer 2 Forwarding (L2F) and Point-to-Point Tunneling Protocol (PPTP)
What does tunneling mean? Who can create a tunnel?
CSCE 813 - Farkas 13
CSCE 813 - Farkas 14
L2TP ProtocolL2TP Protocol
Tunnel components– Control channel (reliable): control sessions and tunnel– Data channel (unreliable): created for each call
What is the level of protection between Client 1 & LAC?LAC & LNS?
ControlSession 1 (Call ID 1)
Session 2 (Call ID 2)LAC LNSClient 1
Client 2Service 1
Service 2
CSCE 813 - Farkas 15
L2TP and IPSecL2TP and IPSecL2TP is NOT secure without the support of
IPSec What are the attacks to consider?
CSCE813 - Farkas 16
TCP/IP Protocol StackTCP/IP Protocol Stack
Application Layer
Transport Layer
Network Layer
Data Link Layer
PackagingAddressingRouting
What are the supported security protocols?
What is the effect of standardization on security?
CSCE813 - Farkas 17
Internet Engineering Task Internet Engineering Task Force StandardizationForce Standardization
IPv6 development requirements: Strong security features
1992: IPSEC WG (IETF)– Define security architecture – Standardize IP Security Protocol and Internet Key
Management Protocol 1998: revised version of IP Security Architecture
– IPsec protocols (two sub-protocols AH and ESP)– Internet Key Exchange (IKE)
CSCE813 - Farkas 18
IP Security OverviewIP Security Overview
IPSec: method of protecting IP datagrams– Data origin authentication– Connectionless data integrity authentication– Data content confidentiality– Anti-replay protection– Limited traffic flow confidentiality
CSCE813 - Farkas 19
IP Security ArchitectureIP Security ArchitectureIPsec module 1 IPsec module 2
SPD
SADSAD
SPD
IKE IKE
IPsec IPsecSA
Internet Security - Farkas 20
The Domain Name SystemThe Domain Name System
Why is it needed?Is this secure?What are the security concerns?
Good reading: SANS Institute: Security Issues with DNS, http://www.sans.org/reading-room/whitepapers/dns/security-issues-dns-1069
Internet Security - Farkas 21
Transport LayerTransport Layer Host-to-host
transportation of packets Services:
– Connection-oriented or connectionless
– Reliable or unreliable TCP, UDP
Application Layer
Transport Layer
Network Layer
Data Link LayerWhat are the TL security protocols?
CSCE 813 - Farkas 22
Security Security RequirementsRequirements
– Key management– Confidentiality– Repudiation– Integrity/authentication– Authorization
What are the advantages supporting security at this layer?
Which are the most popular transport layer security protocols?
CSCE 813 - Farkas 23
Transport Layer Security Transport Layer Security ProtocolsProtocols
Connectionless and connection-oriented transport layer service: Security Protocol 4 (SP4) – NSA, NIST, Transport Layer Security Protocol (TLSP) – ISO
Connection-oriented transport layer service:– Encrypted Session Manager (ESM) – AT&T Bell Labs.– Secure Socket Layer (SSL) – Netscape Communications– Transport Layer Security (TLS) – IETF TLS WG
Most popular transport layer security protocols
Internet Security - Farkas 24
Application LayerApplication Layer Provides applications that
can access services at the other layers, e.g., telnet (port 23), mail (port 25), finger (port 79)
New services and protocols are always being developed
Application Layer
Transport Layer
Network Layer
Data Link Layer
CSCE 813 - Farkas 25
ApproachesApproaches
Provide security system that can be used by different applications– Develop authentication and key distribution
models
Enhance application protocol with security features– Need to enhance each application
CSCE 813 - Farkas 26
Third Party AuthenticationThird Party Authentication
1.Request ticket- granting ticket
2. Ticket + session key
3. Request service- granting ticket
4. Ticket + session key
ClientKDC
TGS
Server
5. Request service6. Provide server authentication
Once peruser logonsession
Once perservicesession
Once pertype of service
Kerberos
Cerberus
CSCE 813 - Farkas 27
Security-Enhanced Application Security-Enhanced Application ProtocolProtocol
Applications:– Terminal access– File transfer– Electronic mail– WWW transactions– DNS– Distributed file system
CSCE 813 - Farkas 28
SSHSSH
Use generic transport layer security protocol over TCP/IP
Support for– Host and user authentication– Data compression– Data confidentiality– Integrity protection
Server listens for TCP connection on port 22, assigned to SSH
CSCE 813 - Farkas 29
PGP: Confidentiality and AuthenticationPGP: Confidentiality and Authentication
E
D
MH E
KAprivate
c
KAprivate[H(M)]
ME
KsKB
public
c
KBpublic (Ks)
Ks[M+H(M)]
D
KBprivate
D
Ks
KApublic
Compare
H
Sender A
Receiver B
Summary of Advantages and Summary of Advantages and Disadvantages ofDisadvantages of
Supporting Security at Supporting Security at Different LayersDifferent Layers
Internet Security - Farkas 30
Internet Security - Farkas 31
Network Access Layer SecurityNetwork Access Layer Security
Dedicated link between hosts/routers hardware devices for encryption
Advantages: – Speed
Disadvantages:– Not scaleable– Works well only on dedicates links– Two hardware devices need to be physically connected
Internet Security - Farkas 32
InternInternetwork Layer Securityetwork Layer Security
IP Security (IPSec) Advantages:
– Overhead involved with key negotiation decreases <-- multiple protocols can share the same key management infrastructure
– Ability to build VPN and intranet Disadvantages:
– Difficult to handle low granularity security, e.g., nonrepudation, user-based security,
Internet Security - Farkas 33
Transport Layer SecurityTransport Layer Security
Advantages:– Does not require enhancement to each
application
Disadvantages:– Difficult to obtain user context– Implemented on an end system– Protocol specific implemented for each
protocol
Internet Security - Farkas 34
Application Layer SecurityApplication Layer Security Advantages:
– Executing in the context of the user --> easy access to user’s credentials
– Complete access to data --> easier to ensure nonrepudation– Application can be extended to provide security (do not depend on
the operating system)– Application understand data --> fine tune security
Disadvantages:– Implemented in end hosts– Security mechanisms have to be implemented for each application
--> – expensive– greated probability of making mistake
Internet Security - Farkas 35
Next Class: Next Class: Web Application SecurityWeb Application Security
