Presentation is loading. Please wait.

Presentation is loading. Please wait.

L0. Introduction Rocky K. C. Chang, January 2013.

Similar presentations


Presentation on theme: "L0. Introduction Rocky K. C. Chang, January 2013."— Presentation transcript:

1 L0. Introduction Rocky K. C. Chang, January 2013

2 The Internet is inherently insecure. 2 Rocky K. C. Chang  Internet backbone infrastructure: DoS, worm  Routing protocols (BGP): route hijacking  DNS: poisoning, DoS  Core Internet protocols (e.g., IP, TCP/UDP, HTTP): eavesdropping, modification, authentication  LAN security: eavesdropping, modification, authentication  Host security (e.g., Web servers, database): DoS, authentication, phishing, malicious software implant, identity and data theft, data exfiltration, etc.

3 Internet security is inherently complex. 3 Rocky K. C. Chang  A packet goes through many hops and links.  Involve from the physical layer and up.  Physical layer security  Network security  System security  Application security  Complexity in software and protocols  Software ages  Some protocol fields are never tested.  The weakest link  The human factor  The success of Internet makes things worse.  Security verses privacy (anonymity)  How to measure security?

4 Internet security is more than cryptography. 4 Rocky K. C. Chang  Cryptography is not the solution to many security problems, e.g., software exploit, DoS.  The vulnerability could come from the implementations of the cryptographic algorithms.  Cryptography affects performance.  Ease of use

5 Security involves 5 Rocky K. C. Chang  Threats: potential violation of security  Policies  Security policies: trust and access control  Confidentiality policies: The Bell-LaPadula model  Integrity policies: Clark-Wilson integrity model  Hybrid policies: Chinese Wall models  Design and implementation  Identity representation, access control lists, information flow, etc  Encryption and key management  Authentication (human, user account, machine, service)

6 Security involves 6 Rocky K. C. Chang  How to ascertain how well a system meets its security goals?  Assurance, system evaluation (TCSEC)  Miscellaneous, e.g.,  Viruses, worms, software security  Auditing  Intrusion detection  System security  Network security  User security

7 This course is not about 7 Rocky K. C. Chang  Cryptography, the art of secret writing,  Writing computer viruses and worms,  Special techniques of attacking and defending,  The lower layer security measures,  System security,  Biometrics,  Application-specific security ……

8 This course is about 8 Rocky K. C. Chang  Understand the 3 fundamental cryptographic functions used in network security.  Understand the issues involved when applying the cryptographic functions to the network protocols.  Understand the main elements in securing today’s Internet infrastructure.  Exposed to some current Internet security problems.

9 Purposes of network security 9 Rocky K. C. Chang  Confidentiality (or secrecy): Prevent others from reading information shared between two participants.  Authentication: Verify someone’s or something’s identity.  Message integrity: Assure that the message received has not be altered since it was generated by a legitimate source.  Nonrepudiation: A sender should not be able to falsely deny later that he sent a message.  Legitimate (and authorized) usage: Ensure that the network and system resources are properly utilized.

10 Possible threats 10 Rocky K. C. Chang  Obtaining information for …  Secrecy, authentication  Modifying information for …  Authentication, message integrity  Stealing information for …  Secrecy, authentication, legitimate usage  Lying electronically for …  Nonrepudiation  Backmail for …  Secrecy, legitimate usage, message integrity  Revenge for …  Legitimate usage, message integrity  Testing for …  Legitimate usage, message integrity  Contracted for …  Secrecy, authentication, legitimate usage, message integrity  Fun for …  Secrecy, authentication, legitimate usage, message integrity

11 The goals of security 11 Rocky K. C. Chang  Prevention:  Confidentiality, source authentication, nonrepudiation, and legitimate usage  Active countermeasures  Detection:  Message authentication, nonrepudiation, and legitimate usage  Active and passive countermeasures  Recovery:  Legitimate usage  Rely on the detection.  Traceback:  Locate the actual attack source(s).

12 Scope of considerations 12 Rocky K. C. Chang  Two cases  The secrecy, message integrity, authentication, and nonrepudiation services are provided by some cryptographic functions.  Denial-of-service, worms, viruses, etc  Scope:  Concern mainly communication between two parties (group communication security is another important topic).  Concern attacks against protocols, not those against cryptographic algorithms or cryptographic techniques used to implement the algorithms.

13 Cryptography 13 Rocky K. C. Chang  Plaintext  (encryption)  ciphertext  Ciphertext  (decryption)  plaintext  What is the secret?  The cryptographic algorithm (restricted algorithm)  The cryptographic algorithm is not a secret, but the key is.  Level of security  the length of the key  the time of discovering the key using brute force  The security problem is reduced to the securing of the key.

14 Types of attacks 14 Rocky K. C. Chang  Passive attacks (eavesdropping), e.g.,  ciphertext-only attacks (recognizable plaintext attacks)  Fred has seen some ciphertext.  known-plaintext attacks  Fred has obtained some pairs.  chosen-plaintext attacks  Fred can choose any plaintext he wants.  Active attacks, e.g.,  pretend to be someone else  introduce new messages in the protocol  delete existing messages  substituting one message for another  replay old messages

15 Three cryptographic functions  Hash functions: require 0 key  Secret key functions: require 1 key  Public key functions: require 2 keys 15 Rocky K. C. Chang

16 Secret key (symmetric) cryptography 16 Rocky K. C. Chang  Given:  Alice and Bob agree on a secret key cryptosystem.  Alice and Bob agree on a key (secret) K.  Encryption and decryption using the key.  Alice encrypts M with K: K{M}  Bob decrypts K{M} with K  M  Problems:  Keys must be distributed in secret.  Compromising keys means compromising all aspects of security.  The number of keys is not scalable to the user population size.

17 Usages of the secret key cryptography  Transmitting over an insecure channel  Secure storage on insecure media  Authentication:  Challenge-response authentication with shared secret  Message integrity check 17 Rocky K. C. Chang

18 Public key (asymmetric) cryptography 18 Rocky K. C. Chang  Given:  Alice and Bob agree on a public key cryptosystem.  Alice owns a pair of public key and private key, and Bob knows Alice’s public key, which is not a secret.  Encryption using the public key and decryption using the private key.  Alice encrypts M with Bob’s public key: {M} Bob  Bob decrypts {M} Bob with its private key  M  Generate a digital signature on a message:  Alice signs M with its private key: [M] Alice.  Bob verifies Alice’s signature on [M] Alice with Alice’s public key.

19 Usages of the public key cryptography  Problems:  Public-key algorithms are slow. Secret key algorithms are at least 1,000 times faster.  Obtain the public key reliably.  Usages:  Transmitting over an insecure channel  Secure storage on insecure media (difference as compared with the secret key cryptography?)  Authentication:  Nonrepudiation with the digital signatures. 19 Rocky K. C. Chang

20 Hash functions 20 Rocky K. C. Chang  A hash (message digest or one-way function) produces a short, fixed-sized output h(m) for a message m.  Properties:  One-way functions are relatively easy to compute, i.e., given x and compute h(x).  However, given h(x), it is significantly harder to compute x.  It is computationally infeasible to find two inputs that hash to the same value.

21 Usages of hash functions 21 Rocky K. C. Chang  Password hashing  Message integrity  Keyed hash: compute h(message | key) and send the result with the message.  Message fingerprinting  Downline load security  Digital signature efficiency

22 Securing the Internet 22 Rocky K. C. Chang  IP Security (IPSec)  TCP and UDP insecurity  SSL/TLS  DNS security  Firewalls  DoS attacks and the countermeasures  Buffer overflow attacks and the countermeasures  Wireless LAN security

23 Acknowledgments 23 Rocky K. C. Chang  This set of notes is based on  C. Kaufman, R. Perlman, and M. Speciner, Network Security: Private Communication in Public World, Second Edition, Prentice Hall PTR,  L. Peterson and B. Davie, Computer Networks: A Systems Approach, Morgan Kaufmann,  B. Schneier. Applied Cryptography, Second Edition, Wiley,  M. Bishop, Introduction to Computer Security, Addison Wesley, 2005.


Download ppt "L0. Introduction Rocky K. C. Chang, January 2013."

Similar presentations


Ads by Google