Network Security PDF

Chat with Document Download

Document Details

Uploaded by Deleted User

Tags

network security firewalls cryptography communication networks

Related

Summary

This document outlines the fundamentals of computer network security, from firewalls to intrusion detection systems and various cryptographic methods like symmetric and asymmetric keys. The concepts are explained through examples and diagrams making it a very useful resource for learners of this field.

Full Transcript

Communication Networks Network Security operational security Firewall – stateless packet filter analyze packet-by-packet allow/drop based on network- and transport layer characteristics...

Communication Networks Network Security operational security Firewall – stateless packet filter analyze packet-by-packet allow/drop based on network- and transport layer characteristics – IP address, TCP/UDP protocol, src/dst port – protocol header flags – statefull packet filter track status of every TCP connection based on previous SYN/FIN packets allow/drop packets that don’t ‘make sense’ timeout inactive connections at firewall 2 of 29 Book: 8.9 Firewall rules Action Src address Dst address protocol Src port Dst port Flags Allow any 130.207.244.203 TCP any 80 - Drop 130.207.0.0/16 any TCP any 80 - Drop any 130.207.0.0/16 TCP any any SYN Allow any 130.207.0.0/16 UDP 53 any - Drop any 130.207.0.0/16 UDP any any - Drop any 130.207.255.255 ICMP - - - Drop 130.207.0.0/16 any ICMP - - TTL expired All other traffic Allow any any any any any - 3 of 29 Intrusion Detection System (IDS) deep packet inspection (application layer inspection) – outgoing mail with bogus sender – outgoing TCP connection from unknown application with data containing personal information – high frequency of incoming connections with login attempts to server – ‘AI’ based analysis based on trends an historical data combined with Intrusion Prevention System (IPS) (dynamic configurable firewall) 4 of 29 Book: 8.9.2 distributed IDS system multiple IDS nodes throughout the network detect signatures or anomalies in different zones – zone = set of security rules applied to one or more subnets – low security zone for easy access from public network: DeMilitarized Zone (DMZ) each node can take action or alert central gateway or filter 5 of 29 common security problems eavesdrop: intercept messages playback attack: intercept and repeat communication impersonation: spoof source address (identity) hijacking: 'take over' ongoing connection or communication sessions, by replacing sender or receiver by attacker’s identity (Distributed) Denial of Service ((D)DoS): prevent service from being used 6 of 29 Book: 8.1 communication security confidentiality – data encryption message integrity – message authentication codes, hashing – digital signatures end-point authentication – confirm identity of other party 7 of 29 Book: 8.1 message encryption make message unreadable during transport use of standardized Ancryption Algorithms (EA) – DES, AES, RSA,... key (passphrase) used for encryption / decryption – symmetric key – asymmetric key 8 of 29 Book: 8.2 symmetric keys Enc. key S_key = Dec. key R_key i.e. same key to encrypt and decrypt a message key must be kept secret Enc. key Dec. key S_key E_msg R_key Clear Text C_msg EA(S_key, C_msg) → E_msg EA(R_key, E_msg) → C_msg ? 9 of 29 Book: 8.2.1 block ciphers symmetric keys algorithms: DES, AES,... input message is divided in blocks of k-bits (e.g. 128-bit block cipher) each cipher block is encrypted independently Original message Cipher Algo Cipher Algo Cipher Algo Encrypted message 10 of 29 Book: 8.2.1 cipher-block chaining problem: same C_block will always result in same E_block – can be used by attacker to reverse engineer E_key solution: add random block (R_block) – EA(E_key, C_block XOR R_block) → E_block Original message C_block R_block Cipher Algo Cipher Algo Cipher Algo E_block Encrypted message 11 of 29 Book: 8.2.1 asymmetric keys R_key is secret Enc. key S_key ≠ Dec. key R_key S_key is public: obtain S_key from receiver’s website, email,… helps solving problem of exchanging secret keys Pub. key S_key Pub. key Pub. key S_key E_msg Priv. key S_key R_key Pub. key Clear Text S_key C_msg EA(Pub_key, C_msg) → E_msg ? EA(Priv_key, E_msg) → C_msg 12 of 29 Book: 8.2.1 session keys asymmetric (e.g. RSA) encryption / decryption is time consuming use RSA in combination with symmetric key algo: session key – generate symmetric key: session key – use pub. / priv. key to exchange session key Encrypted Public Key Private Session Key Key Key RSA(Pub_key, Ses_key) → E_key RSA(Priv_key, E_key) → Ses_key E_msg EA(Ses_key, C_msg) → E_msg EA(Ses_key, E_msg) → C_msg Session Session Key Key 13 of 29 session keys prime exchanging session keys n = 11 g=7 without priv. / pub. keys x=3 y=6 e.g. Diffie – Hellman A = gx mod n B = gy mod n B = 76 mod 11 A = 73 mod 11 – start from large prime e.g. 2048bit A=2 B=4 K1 = Bx mod n K2 = Ay mod n K1 = 43 mod 11 K2 = 26 mod 11 K1 = 9 Symmetric Enc. Key K2 = 9 14 of 29 hashing map data of arbitrary length on to data of fixed size cryptographic hash: computationally indefeasible to find two different messages x and y such that H(x) = H(y) – e.g.: MD5 (condition broken in 2011) SHA-1 (condition broken in 2017) def simple_hash(string_to_hash) : sum = 0 Generate number based on data for c in string_to_hash : sum += ord(c) Limit size result = sum % 1000 return result print (simple_hash("Student KULeuven")) > 351 15 of 29 Book: 8.3.1 data integrity message authentication hashing algorithms: MD5, SHA-1, SHA-256, SHA-512,... C_msg MAC_1 Auth Auth key C_msg key SHA-1(Auth_key + C_msg) → MAC_1 SHA-1(Auth_key + C_msg) → MAC_2 C MAC_1 == MAC_2 ? MA m sg C_ Auth key 16 of 29 Book: 8.3.2 digital signature hash document encrypt the digest with sender’s private key Pub. C_msg Signature key Pub. Priv. C_msg key key HASH(C_msg) → HASH HASH(C_msg) → HASH_1 EA(Priv_key, HASH) → Signature EA(Pub_key, Signature) → HASH_2 HASH_1 == HASH_2 ? 17 of 29 Book: 8.3.3 public key certification how to be sure a public key belongs to a specific user? Certification Authorities (CA) – based on trust – validates the identity of a person, organization, … – creates a certificate that binds the public key to a unique parameter that identifies the user (name, IP, hostname, …) – certificate is digitally signed by the CA User User User Name Priv. Pub. Pub. Email Key Key Key IP CA pub. key User distributed in CA Pub. Cert CA CA secure way Pub. + Priv. Pub. CA signature Key Key Key 18 of 29 Book: 8.3.3 end-point authentication prove the identity of one application to another over a computer network link (e.g. online banking, email login, …) combine (symmetric) encryption with nonce Secret Hello, I’m Alice Secret Key Key nonce Generate random number-used-once EA(key, nonce) → Token_1 Token_1 EA(key, nonce) → Token_2 Token_1 == Token_2 ? 19 of 29 Book: 8.4 securing TCP connections Transport Layer Security (TLS) – previous version was ‘Secure Socket Layer’ (SSL) on top of TCP, TCP/IP headers not secured Web (server) symmetric and asymmetric keys HTTP IP TCP HTTP Data TLS TLS provides : Application Layer TLS 80 443 – encryption TCP IP TCP Encrypted Transport Layer – integrity IP TLS record – authentication (server & client) Network Layer Link Layer tools and libraries available for any programming language Physical Layer 20 of 29 Book: 8.6 TLS handshake after TCP handshake TLS Hello – supported EA/MAC algorithms Server – client nonce Pub. Cert + SYN CA signature server certificate + info TCP SYN ACK Server Priv. Key ACK – CA signature for certificate – selected cipher algo TLS Hello – server nonce Server Cert. + info Encrypted Pre-Master Key Pre Master Encrypted Pre-M Key aster Key – random key generated by client – encrypted with server’s public key 21 of 29 Book: 8.6.1 TLS key derivation Server Server Pub. Cert Priv. + Key CA signature Generated pre-master key (PMS) EA(Pub_key, PMS) → E_PMS EA(Priv_key, E_PMS) → PMS Server Client Server Client PMS nonce nonce PMS nonce nonce HASH(PMS + S_nonce + C_nonce) → MS Master Master Key Key MS is sliced in keys for Client Client Server Server confidentiality Client Client Server Server E_key MAC E_key MAC message authentication E_key MAC E_key MAC 22 of 29 Book: 8.6.2 TLS record format Type: data and HMAC format indicator Version: used SSL/TLS version Len: payload + HMAC Data: EA ( CE_key, TCP_Payload ) HMAC: EA( C_MAC, HASH( Data + record nr. ) ) Server Server Client Client Client Client Server Server E_key MAC E_key MAC E_key MAC E_key MAC En S ig cry n pt Encry Si gn IP TCP Type Version Len Data HMAC pt IP TCP Type Version Len Data HMAC TLS record 23 of 29 Book: 8.6.2 TLS type field handshake IP TCP Type Version Len Handshake Data – exchanging key – payload (cert and nonce data) not encrypted – no HMAC application data IP TCP Type Version Len Data HMAC – encrypted payload and HMAC present alert IP TCP Type Version Len Alert Code – error reporting (e.g. decryption error, bad HMAC,…) – esed for connection tear-down (terminate-alert) (connection can not be preemptively closed by TCP FIN message) 24 of 29 Virtual Private Networking (VPN) securely connect employees’ PC to their company’s network or securely interconnect 2 or more company’s sites into one 'virtual' network by using the public internet as low-cost backbone IP network on top of IP network protocols: – IPSec (IP Security) – OpenVPN (TLS-based VPN) – wireguard (TLS-based VPN) 25 of 29 Book: 8.7 Virtual Private Networking (2) client-server mode point-to-point mode 26 of 29 IP Security (IPSec) unidirectional security association configured in every router – SA identifier – src/dst IP of routers – encryption algo + key – authentication key/cert............... Internet Key exchange can be used to configure SA SRC : 172.16.1.12 DST : 172.16.2.13 Payload – setup secure communication using Difffie-Hellman (stage 1)... – exchange Auth cert and Encryption key to configure SA (stage 2)............ SRC : 200.168.1.100 DST : 193.68.2.23 SA indentfier Sequence number IP TCP HTTP Data............... d d te te SRC : 172.16.1.12 yp yp DST : 172.16.2.13 IP IPSec Encrypted data cr cr En En Payload 27 of 29 Book: 8.7.3, 8.7.4, 8.7.5 secure anonymous proxy server secure connection to application gateway only IP of application gateway is revealed to destination ISP WAN Destination server Application Gateway GLOBAL HTTP CONNECT proxy Internet SOCKS proxy VPN 28 of 29 Book: 8.9.1* The Onion Router project (TOR) P2P proxy overlay used by TOR browser or TOR proxy service connect to TOR network B select first hop (Guard) 107.20.6.200 C pick 2 random nodes create TOR packet A Overlay P2P – encapsulate destination in 3 layers Network – encrypt each layer with pub key of node 85.12.36.9 200.32.5.17 D E packet is ‘peeled’ at every hop every node tracks previous, so return path can be reconstructed SRC : 85.12.36.9 DST : 107.20.6.200 SRC : Node A DST : Node B SRC : Node B DST : Node E SRC : 200.32.5.17 IP Network DST : 200.32.5.17 (e.g. Internet) Payload 29 of 29

Use Quizgecko on...
Browser
Open
Browser
Browser