Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Security and Public Key Infrastructure (PKI)

Published byKelly Fowler Modified over 8 years ago

Similar presentations

Presentation on theme: "Network Security and Public Key Infrastructure (PKI)"— Presentation transcript:

1 Network Security and Public Key Infrastructure (PKI)
Bill Chu

2 Introduction to Security
Internet environment Information security addresses: Confidentiality E.g. illegal access to secret information Integrity E.g. illegal addition/deletion/modification of data E.g. perform illegal operations E.g. nonrepudiation Availability E.g. Severely load the system so that the system cannot perform normal functions Usability Appropriate use of information

3 Requirements for Electronic Business Transactions
Authentication of transacting partners Am I dealing with the one who claim to be Once authenticated, business evaluations become possible credit history (report), bank verifications Data integrity any change to data are detected by receiver Non-repudiation can not deny if one issued a transaction Confidentiality keep transactions to only transacting partners

4 How can We Meet these Requirements?
Solutions: cryptography-based technologies Cryptography for authentication private key of cryptography is the evident you are who you claim to be you are the only one who has that key data confidentiality data encrypted prevents eavesdrops by others non-repudiation the data is encrypted with your key, you can not deny you did not send it you are the only one who has that encryption key it is typically called encryptedly signed (digital signature) Message digest for data integrity run a “checksum” over the data & encrypt it changing data will be detected by the encrypted “checksum” others can not decrypt the checksum

5 Cryptography Concept: Secret writing communicating in secret writing
prevent others from reading your message Process encrypt messages before send decrypt message after receive secret writing can not be read by others Keys encryption and decryption is private knowledge it is computationally difficult to break encryption/decryption Encryption Decryption “hello” cleartext ciphertext

6 Key-based Cryptography
Encryption/Decryption with keys computationally difficult without keys Two types private key or symmetric key cryptography one key used for encryption and decryption key has to be kept secret between partners how to distribute the shared private key is a problem public key or asymmetric key cryptography a pair of keys for encryption and decryption each partner has a pair of keys it keeps one key private to itself & publishes another for others to use Encryption Decryption “hello” cleartext ciphertext key

7 Digital Signature, non-repudiation
Using Cryptography Bob Encryption Decryption “hello” cleartext ciphertext Private key Alice Alice “I love you” “I love you” Bob Encryption Decryption cleartext ciphertext cleartext Alice’s private key Allice’s public key Digital Signature, non-repudiation “Meet me at 3” “Meet me at 3” Alice Bob Encryption Decryption cleartext ciphertext cleartext Bob’s Public key Bob’s private key Confidential message

8 Cryptographic hash function
A hash function is a one-way function (analogous to meat grinder). A cryptographic hash function typically hashes objects of any size to a fixed length hash (e.g. 128 bits) A cryptographic has function has to satisfy the following properties: It is computationally infeasible to find the original object based on the hash result It is computationally infeasible to find two documents that produce the same hash result

9 Digital Signature and its verification
I love you + 67(*% + MD5 + RSA “I love you” 67Y(*% Send Hash Encription MD5 Allice’s private key Digital signature 67Y(*% “I love you” =? Hash Decription Yes=verification success MD5 Allice’s public key Verification of digital signature

10 The trust establishment problem
In order to verify a signature of Alice we must trust that we know that we have Alice’s public key. Closed trust model: we verify the public keys ourselves, or we know everyone we are dealing with Open trust model: we must deal with people we do not know The Internet is definitely an open world, therefore a closed trust model will not work

11 Public key infrastructure
Have a third trusted party to verify the identity of public keys using signed statements (digital certificates) from the trusted party (certification authority) Have an directory of valid digital certificates so that users can check (analogous to credit card validation)

12 Digital Certificate A Public-key certificate binds an entity’s (e.g. amazon.com) public key and one or more attributes relating to its identity. Trusted authority Binding process, verification by the trusted authoraty Digital document (digital certificate) as proof Helps key distribution as digital certificates can be transmitted without encryption Fields in a digital certificate: subject name: unique for a CA, however, multiple certificates may be issued to the same entity by a CA subject public key Optional fields Signature of the above. version (1,2,or 3) serial number: unique within a CA signature algorithm id issuer: CA validity period

13 PKI Basic Components PKI public key certificate or simply certificate
an electronic record that binds a public key to an identity of the owner of a public-private key pair, signed by a trusted entity (CA) Certificate Revocation List (CRL) a list of certificates that have been revoked Certification Authority (CA) a trusted entity that issues and revokes public key certificates Registration Authority (RA) an entity trusted by CA to register user identity & associated public key to CA Certificate Repository electronic site that holds certificates & CRLs Relying Party (Certificate user) an entity that uses certificates to know, with certainty, the public key of another entity

14 PKI policy and practice
Certificate policy statements The CA specifies what a give certificate can be used for (e.g. , secure server) Driver’s License analogy: this license authorizes the holder to operate 4-wheeled vehicles of up to certain size and weight. Certification practice statements Describes the detailed processes/mechanisms used by registration authorities. Driver’s License analogy: types of id accepted, questions for the written test, criterion and mechanism for eye sight test, criterion for road test Cross certification Accepting certificates issued by different CA’s Driver’s License analogy: most state will accept driver’s licenses issued by other states, but additional tests may be necessary, details vary in different states.

15 Secure Socket Layer (SSL)
The client (e.g.SSL inside a browser) chooses a protocol Key exchange algorithm Private key cryptography algorithm Message integrity algorithm Server (e.g. SSL inside a web server) informs the client that it supports the propose protocol Server asserts its identity by sending a digital certificate The client verifies the digital certificate by using public keys of CA’s the client trusts The client then generates a session key and encrypt it with the server’s public key and sends the ciphertext to the server Server decrypts the session key and complete the handshake by sending a message back to the client using the session key for encryption. The client decrypts the messages and is then certain that a secure channel has been established. All data transacted in this session (both directions) are encrypted using the session key

16 Virtual Private Network
SSL/HTTPs provides encrypted communication for web traffic VPN provides an encrypted communication pipe for all network traffic

17 Intrusion Techniques:
Discovery Scanning Target acquisition: map host names, ip addresses Host discovery Port scanning Banner retrieval: types of machines, version information. Vulnerability Scanning: discover known bugs and attacks Exploits NT: obtain user/admin access, NT resource Kit, cover tracks UNIX: obtain root access, root kit, cover tracks Install sniffers, keyboard loggers, acquire access to other parts of the network Spoofing Change data, delete files, steal secrets Dialin and backdoor Social engineering

18 Summary of Intrusion Techniques
Brute force Patience Mis-configurations Out-of-date software versions

19 Firewalls Characteristics Service control, e.g. no ftp
All traffic goes through firewalls Only authorized traffic can go through The firewall itself is immune to penetration Service control, e.g. no ftp direction control user control behavior control (e.g. filter s, and web addresses) Types of firewalls packet filtering router application level gateway circuit level gateway (prevents end to end TCP connection), e.g. SOCKS

20 Packet filtering router firewall
web server Send to port 80 At OK Server Client Send to port 670 Send to port 890 Internet Private network

21 Circuit gateway firewall
Server Client Socks lib Socks lib Relay Internet Private network Relay will examine all packets and filter out illegal packets For example, a company’s policy may want to filter out all java applets through the firewall.

22 Application gateway firewall
Server Client App. gateway Internet Private network Application gateway is a proxy server For every application made available through the firewall, there must be a proxy on the application gateway The application gateway forwards requests to the server, it can also do customized filtering of messages

23 Deterring pranks Install appropriate defensive tools (some of)
use files virus scans, detect port scans Intrusion Detection Systems (IDS) Install decoys and deception tools (all.net)

24 More serious threats Customized virus will evade popular virus scan programs Virus immunology techniques may help, but there is no guarantee! Customized trojans IDS and popular tools are generally ineffective Attack techniques: Be noisy Be quiet Be clever

25 Denial of service Noisy sync flooding
Typical denial of service starts with a hacked account (e.g. AOL surveys!) Synchronized attacks uses multiple staging points, very difficult to detect and deal with.

26 Best defenses Educate users about password and common sense security precautions Don’t execute active MIME contents Christmas cards etc. Security is a system engineering problem the system is only as secure as its weakest link Clear risk assessment Turn off unwanted services, simplify, simplify and simplify Don’t blindly use defaults! Upgrade software Don’t make information easily available Use biometrics when appropriate User education and more user education

27 Resources

Download ppt "Network Security and Public Key Infrastructure (PKI)"

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Cryptography and Network Security

Cryptography and Network Security
SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.

SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Part 5:Security Network Security (Access Control, Encryption, Firewalls)

Part 5:Security Network Security (Access Control, Encryption, Firewalls)
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.

Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Similar presentations

Ads by Google