Network Security PDF
Dr. Abdullah Rashed
Summary
This document presents a lecture or presentation on network security, covering various aspects including protocols like IPsec, PEM, and PGP. It discusses topics like encryption, digital signatures, and different types of cryptographic techniques, along with examples and design principles.
Full Transcript
Network Security, Dr. Abdullah Rashed

Questions
- IPsec vs PEM vs PGP
- ESP vs AH
- Digital signature vs ciphering
- Tunnel mode vs transport mode
- What are the differences between key exchange and key management?
- Define the following terms: IP packet, IP header, Authentication Header, authentication, ESP, agent

Pretty Good Privacy (PGP)
PGP provides two services: encryption and digital signatures.
1. Encryption allows a user to encode a file for storage locally or for transmission as an e-mail message, and to hold private exchanges over a network. PGP encrypts the entire contents of the message in such a way that only the intended recipient can decode and read the message. Anyone else who attempts to capture or copy the message en route will receive meaningless garble.
2. The digital signature service allows a user to "sign" a document before transmission in such a way that anyone can verify that the signature is genuine and belongs with a particular document. If someone alters the message or substitutes a different message, the signature will no longer be valid, and any recipient can verify that the message has been signed by its true creator and not an impostor.

For digital signatures, PGP uses an efficient algorithm known as MD5 to produce a summary code, or hash code, of the message that is, for all practical purposes, unique to that message. PGP then uses RSA to encrypt the hash code with the sender's private key. The receiver can use RSA to recover the hash code and verify that it is the correct hash code for the message. If it is correct, then only the alleged sender could have prepared the encrypted hash code.

Privacy Enhanced Mail (PEM)
PEM provides:
- message integrity checking
- originator authentication
- confidentiality
- certificate issuance

Internet Protocol Security (IPsec)
IPsec develops mechanisms to protect client protocols of IP. Protocols and cryptographic techniques will also be developed to support the key management requirements of network layer security.
The key management will be specified as an application layer protocol that is independent of the lower layer security protocol. The protocol will initially support public key-based techniques. Flexibility in the protocol will allow eventual support of Key Distribution Center and manual distribution approaches.

Example Protocols
Several widely used Internet protocols illustrate different facets of cryptographic techniques:
- Privacy-enhanced Electronic Mail (PEM): a privacy-enhanced electronic mail protocol.
- IPsec (Internet Protocol Security): provides security mechanisms at the network, or IP, layer.

Secure Electronic Mail: PEM
A typical network mail service:
1. The UA (user agent) interacts directly with the sender.
2. When the message is composed, the UA hands it to the MTA (message transport, or transfer, agent).
3. The MTA transfers the message to its destination host, or to another MTA, which in turn transfers the message further.
4. At the destination host, the MTA invokes a user agent to deliver the message.

[Figure: user agents (UA) passing a message through a chain of message transfer agents (MTA), with an attacker positioned along the path.]

Attacker
An attacker can read electronic mail at any of the computers on which the MTAs handling the message reside, or on the network itself. An attacker could also modify the message without the recipient detecting the change, because the authentication mechanisms are:
1. minimal
2. easily avoided.
A sender could forge a letter from another and inject it into the message handling system at any MTA. Finally, a sender could deny having sent a letter, and the recipient could not prove otherwise to a disinterested party. These four types of attacks (violation of confidentiality, authentication, message integrity, and nonrepudiation) make electronic mail nonsecure.
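The MD5-then-RSA signing flow described in the PGP section above, as an added worked example that is not PGP's own code: the key is a constructed toy (small primes found at run time, no padding) and MD5 is used only because the lecture names it; current OpenPGP implementations use SHA-2 hashes, PKCS#1 padding and keys of thousands of bits.

```python
import hashlib
import math


def next_prime(n):
    """Smallest prime >= n by trial division (fine for toy-sized numbers)."""
    while any(n % d == 0 for d in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n


def make_toy_keypair(seed_p=1_000_000, seed_q=2_000_000, e=65537):
    """Constructed toy RSA key (assumption: ~40-bit modulus for illustration only;
    real PGP keys are thousands of bits). Returns (public, private)."""
    p, q = next_prime(seed_p), next_prime(seed_q)
    phi = (p - 1) * (q - 1)
    while math.gcd(e, phi) != 1:            # keep e invertible mod phi
        q = next_prime(q + 1)
        phi = (p - 1) * (q - 1)
    n, d = p * q, pow(e, -1, phi)           # d: private exponent (Python 3.8+)
    return (n, e), (n, d)


def digest(message, n):
    """Hash code of the message: MD5 as named in the lecture, reduced mod n only
    because this toy modulus is far smaller than the 128-bit hash."""
    return int.from_bytes(hashlib.md5(message).digest(), "big") % n


def sign(message, private_key):
    """Sender side: 'encrypt' the hash with the private key, sig = H(m)^d mod n."""
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(message, signature, public_key):
    """Receiver side: recover the hash with the public key and compare it with a
    fresh hash of the received message. Any change to the message or the
    signature (or a signature made under another key) fails the comparison."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)
```

Anyone holding the public key can run `verify`; only the holder of `d` can produce a signature that passes, which is the origin-authentication and integrity property the slide describes.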
In 1985, the Internet Research Task Force on Privacy (also called the Privacy Research Group) began studying the problem of enhancing the privacy of electronic mail. The goal of this study was to develop electronic mail protocols that would provide the following services.

Services
- Confidentiality, by making the message unreadable except to the sender and recipient(s)
- Origin authentication, by identifying the sender precisely
- Data integrity, by ensuring that any changes in the message are easy to detect
- Nonrepudiation of origin (if possible)
The protocols were called Privacy-enhanced Electronic Mail (or PEM).

Secure Electronic Mail: PEM
Message handling system:
1. The user composes mail on the UA (user agent).
2. When she sends it, the message is passed to the MTA (message transport, or transfer, agent).
3. The MTA passes the message to other MTAs, until it reaches the MTA associated with the destination host.
4. That host transfers it to the appropriate UA for delivery.

[Figure: user agents (UA) and the chain of message transfer agents (MTA) between them.]

PEM Design Principles
- Basic design
- Other considerations

Design Principles
1. Acceptance and use
2. Not be changed
3. Independence
4. Protect transmission
5. Provide specific services (the privacy enhancements)
6. Compatible
7. Do not need prearrangement
8. Callers must authenticate themselves to the recipients

Design Principles
- Not to redesign existing mail systems or protocols
- To be compatible with a range of MTAs, UAs, and other computers
- To make privacy enhancements available separately, so they are not required
- To enable two parties to use the protocol to communicate without prearrangement

Basic Design
- Session key: generated randomly and used only once
- Interchange key: must be sent to the recipient (block cipher or public key, PK)

Symmetric Cipher / block
1. Alice wants to send a message to Bob.
2. Alice generates a key (randomly).
3. Alice sends the key to Bob: by telephone or courier or viral.
4. Alice enciphers her message, then sends it.
5. Bob receives the message and deciphers it.

Asymmetric Cipher / block
1. Alice wants to receive a message from Bob.
2. Alice generates a public key and a private key (a mathematical system).
3. Alice sends the public key to Bob, e.g. via Facebook by writing it on her wall.
4. Bob enciphers his message, then sends it to Alice.
5. Alice receives the message and deciphers it with her private key.

Other Considerations
- Certificate-based key management scheme
- A major problem (for next week?)

A major problem is the specification of Internet electronic mail. Among the restrictions placed on it, the requirements that the letter contain only ASCII characters and that the lines be of limited length are the most onerous. Related to this is the difference among character sets. A letter typed on an ASCII-based system will be unreadable on an EBCDIC-based system.

Security at the Network Layer: IPsec
IPsec is a collection of protocols and mechanisms that provides, at the IP layer:
- Confidentiality
- Authentication
- Message integrity
- Replay detection

Because cryptography forms the basis for these services, the protocols also include a key management scheme, which we will not discuss here. IPsec mechanisms protect all messages sent along a path. If the IPsec mechanisms reside on an intermediate host (for example, a firewall or gateway), that host is called a security gateway.

IPsec modes
IPsec has two modes:
1. Transport mode encapsulates the IP packet data area (which is the upper layer packet) in an IPsec envelope, and then uses IP to send the IPsec-wrapped packet. The IP header is not protected.
2. Tunnel mode encapsulates an entire IP packet in an IPsec envelope and then forwards it using IP. Here, the IP header of the encapsulated packet is protected.
Transport mode is used when both endpoints support IPsec. Tunnel mode is used when either or both endpoints do not support IPsec but two intermediate hosts do.

IPsec modes (summary)
1. Transport mode
   1.1. Encrypts the payload of the packet
   1.2. Host-to-host communication
2. Tunnel mode
   2.1. End to end (ciphers the entire IP packet)
   2.2. Entire network
Payload of packet = data to be sent. IP header = IP version, source, destination.

[Figures: ASCII, the problem and solution; IP header layout.]

EXAMPLE
Secure Corp. and Guards Inc. wish to exchange confidential information about a pending fraud case. The hosts main.secure.com and fraud.guards.com both support IPsec. The messages between the systems are encapsulated using transport mode at the sender and processed into cleartext at the receiver.

Red Dog LLC is a third corporation that needs access to the data. The data is to be sent to gotcha.reddog.com. Red Dog's systems do not support IPsec, with one exception. That exception is the host firewall.reddog.com, which is connected to both Red Dog's internal network and the Internet. Because none of Red Dog's other hosts is connected to the Internet, all traffic to gotcha from Secure Corp. must pass through firewall.reddog.com.

So main.secure.com uses tunnel mode to send its IPsec packets to Red Dog. When the packets arrive at firewall, the IPsec information is removed and validated, and the enclosed IP packet is forwarded to gotcha. In this context, firewall.reddog.com is a security gateway.

Message Security Protocol
Two protocols provide message security:
1. The Authentication Header (AH) protocol provides message integrity and origin authentication and can provide antireplay services.
2. The Encapsulating Security Payload (ESP) protocol provides confidentiality and can provide the same services as those provided by the AH protocol.
Both protocols are based on cryptography, with key management supplied by the Internet Key Exchange (IKE) protocol (although other key exchange
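Transport mode versus tunnel mode from the IPsec slides and the Secure Corp./Red Dog example, as an added Python model that is not from the lecture: it builds a minimal IPv4 packet, wraps it each way, and shows what an on-path host can read from the outer header and what the security gateway (firewall.reddog.com) unwraps before forwarding to gotcha. The addresses are constructed RFC 5737 stand-ins for the lecture's hostnames, and the ESP envelope is a simplified model (SPI and sequence number only, no encryption or integrity check value).

```python
import struct
from ipaddress import IPv4Address

ESP_PROTO = 50              # IP protocol number in the outer header for ESP (AH is 51)
IPV4_FMT = "!BBHHHBBH4s4s"  # minimal 20-byte IPv4 header, no options

# Constructed stand-in addresses (RFC 5737 documentation ranges, an assumption) for
# the lecture's hosts main.secure.com, fraud.guards.com, firewall.reddog.com, gotcha.reddog.com.
MAIN, FRAUD, FIREWALL, GOTCHA = "192.0.2.10", "203.0.113.7", "198.51.100.1", "198.51.100.25"


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 packet; header checksum left as 0 to keep the model short."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) from a packet built by build_ipv4."""
    f = struct.unpack(IPV4_FMT, pkt[:20])
    return str(IPv4Address(f[8])), str(IPv4Address(f[9])), f[6], pkt[20:]


def esp_envelope(spi, seq, protected):
    """Model of an ESP envelope: SPI and sequence number (basis for replay detection)
    in clear, then the protected data. Real ESP encrypts it and adds a trailer and ICV."""
    return struct.pack("!II", spi, seq) + protected


def transport_mode(pkt, spi, seq):
    """Transport mode: keep the original IP header (unprotected) and wrap only
    the upper-layer payload. The outer protocol field now says ESP."""
    src, dst, _proto, payload = parse_ipv4(pkt)
    return build_ipv4(src, dst, ESP_PROTO, esp_envelope(spi, seq, payload))


def tunnel_mode(pkt, ipsec_src, ipsec_dst, spi, seq):
    """Tunnel mode: wrap the entire original packet, header included, inside a
    new outer packet addressed between the two IPsec endpoints (e.g. a gateway)."""
    return build_ipv4(ipsec_src, ipsec_dst, ESP_PROTO, esp_envelope(spi, seq, pkt))


def on_path_view(pkt):
    """What a host between the IPsec endpoints can read: the outer header only."""
    src, dst, proto, _ = parse_ipv4(pkt)
    return src, dst, proto


def gateway_unwrap(pkt):
    """Security gateway step: strip the outer header and ESP envelope and return
    the enclosed IP packet for forwarding to its real destination."""
    _src, _dst, proto, esp = parse_ipv4(pkt)
    if proto != ESP_PROTO:
        raise ValueError("not an ESP packet")
    return esp[8:]  # skip SPI (4 bytes) + sequence number (4 bytes)
```

In transport mode the on-path view still exposes the real endpoints; in tunnel mode it exposes only main.secure.com and the gateway, and gotcha's address travels inside the protected envelope.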