Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 1 Link Encryption What is Link Security? Link security objectives by link encryption In-line encryptor hardware Point to point deployment IP-routed development.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 1 Link Encryption What is Link Security? Link security objectives by link encryption In-line encryptor hardware Point to point deployment IP-routed development."— Presentation transcript:

1 1 1 Link Encryption What is Link Security? Link security objectives by link encryption In-line encryptor hardware Point to point deployment IP-routed development Key Recovery from Internet Cryptograph chapter 3

2 2 ISO/OSI Layer Review – 7 layers International Standard Organisation/Open System Interconnection  The 7-layer is shown on right.  There are many protocols in each layer.  For example, High Level Data link Control (HDLC) in Data link layer

3 3 Internet Protocol – 5 layers  Internet protocol reduces to five layers.  Link Security refers to the security measure in data link layer (ISO/OSI, layer 2) or Network Interface (Internet Protocol, layer 2)

4 4 Internet Cryptographic Protocols ProtocolPurpose CyberCash (5)Electronic funds transactions DNSSEC (5)Domain Name System IPSec (layer 3) Packet-level encryption PCTTCP/IP level encryption PGP (layer 5) E-mail S-HTTP (layer 5) Web browsing Secure RPCRemote procedure calls SET (layer 4)Electronic funds transactions SSL (layer 4) TCP/IP level encryption

5 5 What is a protocol?  It means “The proper way of handling data transfer between two parties. “  Assume two parties, Sender and Receiver are sending message. Below is the proper procedure inlcuding the error handling (in this case, retransmit)

6 6 What is link security protocol?  It is designed to hide secrets (means, encrypt for you)  It intends to protect data against forgery (false data).  It can simply fit into existing Internet applications.  In Data link layer (ISO/OSI layer 2) or Network Interface

7 7 Security Objectives of link security (1)  Maintain confidentiality on an isolated set of computers.  The computer contains sensitive data and needs to exchange with others.  Use a simple but secure protocol  Communications with outsiders is unwanted and to be blocked  To prevent the data from happening through accident, carelessness or overt ( 公開 ) attempt. Purpose Reason

8 8 Security Objectives (2)  Hide data traffic as much as possible  Shield everything possible about the data sent  Safety and familiarity is more important than cost  Use a well-established technique that is simple to understand and implement. Action

9 9 In-line Encryptor – must be a pair  It is a building block for link encryption.  It is a hardware device (not a software)  One port accepts plaintext, while the other produce ciphertext. (vice versa)

10 10 Example of a pair of in-line encryptor through the Internet, usually it is used through a leased line (from PCCW)

11 11 In-line Encryptor (real products)  Code encryptor (a small device with two network data link connections.)  In-line encryptor

12 12 Inside in-line encryptor

13 13 Features of in-line encryptor  Separate the plaintext and ciphertext ports (that is why there are two ports)  Use a stream cipher or block cipher  In practice, a block cipher such as RC4 is used in commercial setting. (it uses DES (data encryption standard algorithm)

14 14 Link level Vulnerabilities (means weakness) There are a few attacks, Below are some of them:  Replay Attacks  Rewrite Attacks  Convert Signalling Attacks

15 15 Replay Attacks – resend a few times  If the message is an encrypted, why should we care about replay?  The reason is that:  If an outsider captures the encrypted message and re-send it, he/she might attack the system.

16 16 Example of Replay Attacks False copies

17 17 Example of Replay Attacks - Explanation  Alice sends a message of “pay Chan Tai Man” to Bob. She sends one genuine (true) message.  Play-it-again Sam captures the encrypted message and re-sends twice to Bob.  Bob and his colleagues will then pay Chan Tai Man three times.  Of course, Sam will have certain benefits of doing this.

18 18 How to solve this? – Replay attack  Each plaintext message must have an extra information such as message number.  If the receiver receives a duplicated message, it is discarded.  This will solve it in TCP/IP (layers 3 & 4). It has this feature to solve this problem. data223data3 2data22

19 19 Rewrite Attacks  If an hacker knows the contents, he/she can modify the encrypted message.  Say for example, the encrypted message of pay 1000 is 89^&oiu, he/she can modify 89^&aiu by changing o to a. The resulting plaintext message is 9000. (This assumes that 89^&aiu will produce 9000.)

20 20 Example of Rewrite  Here, the encrypted message is modified via a switcher.

21 21 How to resolve this? - rewrite There are many methods. Below are some of them 1. Avoid products using other modes. Always use block ciphers or Vernam techniques. (crude rewrite attacks are still possible with block mode.); or 2. Insert a random number into each packet, include it in the packet checksum and encrypt the resulting packet; or 3. Use Message Digest that you learnt in lecture 4; or 4. Use digital signature to authenticate the source of data. (the message is signed)

22 22 Convert Signaling Attacks  The attack is done by inserting a subverted program (spy software) into a host on the plaintext side of an encryptor  The program collects sensitive data and then transmits it to the program outside the security boundary.

23 23 Example – subverted program

24 24 Deployment – Point to point between sender and receiver  This deployment uses a pair of trusted lines between a pair of hosts.  There is no need to connect to the Internet.  For example, you can apply for a leased line via Pacific Century Cyber Work (PCCW) between two computers (example from Central to Kowloon Tong). Now, it uses VPN, a pair of encryptors through the Internet) Arrangement

25 25 Point to point – Connection  Each host’s data link is connected to the plaintext port of in-line encryptor. It is commonly used in military applications. Protect

26 26 Point to point limitation  It is hard to use as it limits between two in-line encryptors. (between two points)  You don’t have any choice on the encryption.

27 27 Deployment Example: Ip routed  Link encryption can also be applied to links carrying IP traffic. ( means network layer)  This yields a flexible networking environment. (any workstation in the network can access.)  For example, assume that there are two networks that are connected by a pair of routers.  Any workstation, server etc can access the remote networking components through the leased line that is protected by the in-line encryptors.

28 28 Ip routed network diagram (to any host within the network) This arrangement is more flexible

29 29 Site protection – Ip routed  Given in the previous slide, the machines (server and workstations) are within the protected boundary of the site.  The in-line encryptors are used to further to protect from unnecessary physical access. (messages are encrypted.)

30 30 Site Protection – Unsafe arrangement  The workstation out of physical protection is unsafe.

31 31 Key Recovery – how to get the key  The protection of in-line encryptors lies in the key used.  Key recovery means the keys that are used to encrypt the data is recovered by someone else without notice.

32 32 Escrowed Encryption  Escrowed encryption is the system or method by which secret keys are stored to be used for key recovery.  That is to say, the secret keys are held in escrow (a separate organisation) until an authorised person (FBI or CIA in US) accesses it.  There is no commercial value as the encryption lasts for the transfer of data, but is used by government to decrypt the encrypted message (for anti-terrorism). No need to memorise

33 33 Example – sequence no need to memorise  The FBI first stores the ciphertext and then uses the family key (product of in-line encryptor) to obtain the session key.  Different manufacturer will produce different family keys for their products  FBI then approaches escrow agency to obtain the sender’s key based on device ID.  FBI then use the key to together with the session key to decrypt the ciphertext.

34 34 Example – picture

35 35 Summary  Link Security – between two parties, layer 2  Link security objectives – extend the security coverage  In-line encryptor – a pair of devices, to encrypt/decrypt message, there is no need to configure, and no need to encrypt document, it is done by the in-line encryptors.  Point to point – there is a limitation of the use of in-line encryptor, only to known location, The solution is to extend by IP routed  Key Recovery - less common in business, but is required by U.S. law to recover ciphertext for in-line encryptors  Link Security – between two parties, layer 2  Link security objectives – extend the security coverage  In-line encryptor – a pair of devices, to encrypt/decrypt message, there is no need to configure, and no need to encrypt document, it is done by the in-line encryptors.  Point to point – there is a limitation of the use of in-line encryptor, only to known location, The solution is to extend by IP routed  Key Recovery - less common in business, but is required by U.S. law to recover ciphertext for in-line encryptors

36 36 Next Week IPSec (Security at the IP Layer, Layer 3) In-line encryptor This Week

Download ppt "1 1 Link Encryption What is Link Security? Link security objectives by link encryption In-line encryptor hardware Point to point deployment IP-routed development."

Similar presentations

Secure Mobile IP Communication

Secure Mobile IP Communication
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
 How To Secure My Data. What to Protect??? DATA.

 How To Secure My Data. What to Protect??? DATA.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.

Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.

Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
TCP: Software for Reliable Communication. Spring 2002Computer Networks Applications Internet: a Collection of Disparate Networks Different goals: Speed,

TCP: Software for Reliable Communication. Spring 2002Computer Networks Applications Internet: a Collection of Disparate Networks Different goals: Speed,
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

Similar presentations

Ads by Google