Network Security Introduction PDF
Document Details
Universität Bern
2024
Prof. Dr. Torsten Braun
Summary
This is the introductory lecture of the Network Security course, covering basic concepts, security attacks, security services and mechanisms, encryption, and number theory. The lecture is from Universität Bern and was presented by Prof. Dr. Torsten Braun on 16–23 September 2024.
Full Transcript
Network Security I. Introduction
Prof. Dr. Torsten Braun, Institut für Informatik Bern, 16.09.2024 – 23.09.2024

Network Security: Introduction – Table of Contents
1. Concepts
2. Security Attacks
3. Security Services and Mechanisms
4. Encryption
5. Number Theory

1. Concepts – 1. Information and Network Security
Information Security
− Preservation of confidentiality, integrity, and availability of information
− Other properties like authenticity, accountability, non-repudiation, reliability can be involved.
Network Security
− Protection of networks and their services from unauthorized modification, destruction, disclosure
− Provision that the network performs its functions correctly and there are no harmful side effects

1. Concepts – 2. Standardization Organizations
− National Institute of Standards and Technology: US federal agency
− International Telecommunication Union – Telecommunication: United Nations
− Internet Society: professional membership society
− International Organization for Standardization (ISO): federation of national standardization organizations

1. Concepts – 3. Key Security Objectives
− Confidentiality
− Authenticity
− Integrity

1. Concepts – 4. Essential Information/Network Security Objectives
− Confidentiality
  − Data confidentiality
  − Privacy
− Authenticity
  − Property of being genuine and being able to be verified
− Integrity
  − Data integrity
  − System integrity
− Availability
  − Timely and reliable access
− Accountability
  − Requirement for actions of an entity to be traced, including non-repudiation, deterrence, fault isolation, intrusion detection etc.

1. Concepts – 5. Terminology
OSI Terms
− Security attack: actions compromising security of information
− Security mechanism: process to detect, prevent, or recover from attacks
− Security service: processing or communication service to enhance security using security mechanisms
Literature
− Threat: circumstance or event with potential to impact organizational operations
− Attack: malicious activity to collect, disrupt, deny, degrade, or destroy information or system resources

1. Concepts – 6. Security Design Principles
− Economy of mechanism, complexity
− Fail-safe defaults
− Complete mediation
− Open design
− Separation of privilege
− Least privilege
− Least common mechanism
− Psychological acceptability
− Isolation
− Encapsulation
− Modularity
− Layering
− Least astonishment

1. Concepts – 7. Securing Networks
− Where to put the security in a protocol stack?
− Practical considerations:
  − End-to-end security
  − No modification to operating system

1. Concepts – 8. Device Security
Concern
− Intruders gain access to network devices or end systems.
Systems
− Firewall: hardware / software system limiting access between network and devices attached to network
− Intrusion detection: analysis of network traffic to find malicious access attempts
− Intrusion prevention: stopping of malicious activities after detection

2. Security Attacks – 1. Attacks and Concepts
− Interception (confidentiality)
− Interruption (availability)
− Modification (integrity)
− Fabrication (authenticity)

2. Security Attacks – 2.1 Kent's Classification: Passive Attacks
− Packet eavesdropping, e.g., packet sniffing: detection of data (e.g., passwords, credit card numbers) in routers or unprotected transmission media
− Traffic analysis: detection of end points and traffic type, e.g., addresses, packet lengths

2. Security Attacks – 2.2 Kent's Classification: Active Attacks
− Imitation of wrong identities (masquerading), e.g., IP spoofing: use of a foreign IP address
− Modification of messages
− Replay attacks, i.e., repeated data transmission
− Denial-of-Service attacks
  − Blocking of network or server functions
  − Repetition of TCP SYN packets: the server allocates resources for each TCP connection.

2. Security Attacks – 3. Surfaces
Categories and examples:
− Network
  − Open ports in servers
  − Services available inside a firewall
− Software
  − Code processing incoming data
  − Interfaces, SQL, web forms
− Humans
  − Employees

3. Security Services and Mechanisms – 1. Network Security Services: X.800, RFC 2828
− Peer-entity and data-origin authentication: assures the recipient of a message of the authenticity of the claimed source or the entity connected.
− Access control: limits the access to authorized users.
− Data confidentiality: protects against unauthorized release of message content.
− Data integrity: guarantees that a message is received as sent.
− Non-repudiation: protects against sender/receiver denying sending/receiving a message.
− Availability: guarantees that the system services are always available when needed.
− Security audit: keeps track of transactions for later use (diagnostic, alarms …).
− Key management: allows to negotiate, set up and maintain keys between communicating entities.

3. Security Services and Mechanisms – 2. Security Mechanisms
− Cryptographic algorithms (reversible, non-reversible)
− Data integrity
− Digital signatures
− Access control
− Authentication exchange
− Traffic padding
− Routing control
− Notarization

3. Security Services and Mechanisms – 3. Cryptographic Algorithms
− Keyless algorithms
  − Cryptographic hash functions
  − Cryptographic random number generation
− Single-key algorithms
  − Symmetric encryption (e.g., AES)
  − Message authentication codes (e.g., HMAC)
− Two-key algorithms
  − Asymmetric encryption (e.g., RSA)
  − Digital signature (e.g., RSA)
  − Key exchange
  − User authentication

3. Security Services and Mechanisms – 4. Relationship of Security Services and Mechanisms
[Table mapping services to mechanisms; only the column header "Service" survived extraction]

4. Encryption – 1. Operation
− Communication over an insecure channel
− Encryption by sender
− Decryption by receiver
− Attacker must not be able to understand the communication.
[Figure: card data "5404 3214 5673 1023, valid 11/22" is encrypted to "dfdj59058trekj9r" and decrypted back to the original]

4. Encryption – 2. Algorithm Types
Block Ciphers
− Input: block of n bits
− Output: block of n bits
− Example: AES
Stream Ciphers
− Input: stream of symbols
− Output: stream of symbols
− Example: GSM
Block ciphers can be used to build stream ciphers.

4. Encryption – 3. Models
Symmetric Encryption
− Encryption key = decryption key
− Decryption key can be derived from encryption key.
− Example: AES
Asymmetric Encryption
− Encryption key ≠ decryption key
− Decryption key cannot be derived from encryption key.
− Example: RSA
[Figure: same card-data example as on the Operation slide]

4. Encryption – 4. Symmetric vs Asymmetric Algorithms
− Symmetric algorithms are much faster, e.g., in the order of 3 magnitudes, i.e., 1000 times faster
− Symmetric algorithms require a shared secret, which is impractical if the communicating entities do not have another secure channel.
− Both types of algorithms are combined to provide practical and efficient secure communication, e.g.,
  − establish a secret session key using asymmetric crypto and
  − use symmetric crypto for encrypting the traffic

4. Encryption – 5. Kerckhoffs's Principle
A cipher should be secure even if the intruder knows all the details of the encryption process except for the secret key.
"No security by obscurity"

5. Number Theory – 1. Finding Prime Numbers: Euclid's Algorithm
− To find the greatest common divisor of two integers
− Example: gcd(595, 408) = 17
  − 595 / 408 = 1 remainder 187
  − 408 / 187 = 2 remainder 34
  − 187 / 34 = 5 remainder 17
  − 34 / 17 = 2 remainder 0

5. Number Theory – 2.1 Fermat's Theorem
If p is prime and a (> 0) is not divisible by p: a^(p-1) ≡ 1 (mod p)
Alternate form: If p is prime and a > 0: a^p ≡ a (mod p)
Examples:
− a = 5, p = 3: 5^(3-1) = 5^2 = 25 = 8 · 3 + 1
− a = 7, p = 3: 7^(3-1) = 7^2 = 49 = 16 · 3 + 1

5. Number Theory – 2.2 Proof of Fermat's Theorem
− Set of positive integers < p: P = {1, 2, …, p-1}; multiply each element by (a modulo p) → X = {a mod p, 2a mod p, 3a mod p, …, (p-1)a mod p}
− No element of X is 0 because p does not divide a, and no two integers of X are equal, i.e. X = set of positive integers < p: X = {1, 2, …, p-1} in some order
  − Proof:
  − Otherwise: ∃ j, k (1 ≦ j
− Multiplying the elements of X and of P and taking the result (mod p) yields:
  − a · 2a · 3a · … · (p-1)a ≡ 1 · 2 · … · (p-1) (mod p)
  − a^(p-1) (p-1)! ≡ (p-1)! (mod p)
  − ((p-1)! is relatively prime to p)
  − a^(p-1) ≡ 1 (mod p)
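The remark that block ciphers can be used to build stream ciphers, as an added example that is not from the lecture: counter (CTR) mode turns a per-block function into a keystream that is XORed with the data. The block function here is a stand-in (HMAC-SHA256 as a keyed pseudorandom function in place of a real block cipher such as AES, which the Python standard library does not provide), and the last function shows the failure mode a practitioner must design against: reusing a nonce under one key.

```python
import hmac
import hashlib

BLOCK_LEN = 32  # bytes of keystream produced per counter value


def keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Stand-in for E_k(nonce || counter).

    A real CTR construction runs a block cipher such as AES here; this added
    example uses HMAC-SHA256 as a keyed pseudorandom function instead (an
    assumption made so it runs on the standard library alone)."""
    counter_block = nonce + counter.to_bytes(8, "big")
    return hmac.new(key, counter_block, hashlib.sha256).digest()


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: CTR mode is its own inverse because it only XORs."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), BLOCK_LEN)):
        ks = keystream_block(key, nonce, counter)
        chunk = data[offset:offset + BLOCK_LEN]
        # zip() truncates the keystream to the length of the final chunk
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def xor_bytes(x: bytes, y: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(x, y))


def nonce_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """Failure mode: if one (key, nonce) pair is used for two messages the
    keystream cancels, so c1 XOR c2 == p1 XOR p2 is visible to an eavesdropper
    who has neither key nor keystream. Returns True when that relation holds."""
    c1 = ctr_xor(key, nonce, p1)
    c2 = ctr_xor(key, nonce, p2)
    n = min(len(p1), len(p2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1[:n], p2[:n])


if __name__ == "__main__":
    key = b"\x11" * 32      # constructed demo key; use os.urandom(32) in practice
    nonce = b"\x00" * 8     # must be unique per message under a given key
    card = b"5404 3214 5673 1023 valid 11/22"   # the lecture's sample plaintext
    ct = ctr_xor(key, nonce, card)
    assert ctr_xor(key, nonce, ct) == card
    print("same nonce twice leaks p1 XOR p2:",
          nonce_reuse_leak(key, nonce, card, b"second message, same nonce"))
```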
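The number theory slides worked through in code, as an added example that is not part of the lecture: Euclid's algorithm with the same quotient/remainder trace as the gcd(595, 408) slide, Fermat's theorem in both forms on the slide's values, and the permutation argument from the proof (that {a, 2a, …, (p-1)a} mod p is {1, …, p-1} reordered), which also shows what breaks when p is not prime.

```python
def euclid_trace(a: int, b: int):
    """Return (gcd, steps); each step is (dividend, divisor, quotient, remainder),
    matching the slide's lines such as '595 / 408 = 1 remainder 187'."""
    steps = []
    while b != 0:
        q, r = divmod(a, b)
        steps.append((a, b, q, r))
        a, b = b, r
    return a, steps


def fermat_holds(a: int, p: int) -> bool:
    """Check both forms: a^(p-1) = 1 (mod p) for p not dividing a, and a^p = a (mod p).
    pow() with a modulus does modular exponentiation without huge intermediates."""
    if a % p == 0:
        return pow(a, p, p) == a % p      # only the alternate form applies
    return pow(a, p - 1, p) == 1 and pow(a, p, p) == a % p


def fermat_witness(a: int, p: int):
    """Write a^(p-1) as q*p + 1 the way the slide does (25 = 8*3 + 1): returns (a^(p-1), q)."""
    value = a ** (p - 1)
    return value, (value - 1) // p


def multiples_mod_p(a: int, p: int):
    """X = {a mod p, 2a mod p, ..., (p-1)a mod p} from the proof slide."""
    return [(i * a) % p for i in range(1, p)]


def is_permutation_of_residues(a: int, p: int) -> bool:
    """True iff X is {1, ..., p-1} in some order: no element is 0 and none repeat.
    For composite p (or p | a) a zero or a repeat appears and the argument fails."""
    x = multiples_mod_p(a, p)
    return 0 not in x and sorted(x) == list(range(1, p))


if __name__ == "__main__":
    g, steps = euclid_trace(595, 408)
    for dividend, divisor, q, r in steps:
        print(f"{dividend} / {divisor} = {q} remainder {r}")
    print("gcd(595, 408) =", g)
    for a, p in ((5, 3), (7, 3)):
        value, q = fermat_witness(a, p)
        print(f"a = {a}, p = {p}: {a}^{p - 1} = {value} = {q} * {p} + 1", fermat_holds(a, p))
    print("X for a = 3, p = 7:", multiples_mod_p(3, 7), is_permutation_of_residues(3, 7))
```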