Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ch 8. Security in computer networks Myungchul Kim

Published byChristiana Lawson Modified over 8 years ago

Similar presentations

Presentation on theme: "Ch 8. Security in computer networks Myungchul Kim"— Presentation transcript:

1 Ch 8. Security in computer networks Myungchul Kim mckim@icu.ac.kr

2 2 What is network security? Confidentiality: only sender, intended receiver should “ understand ” message contents – sender encrypts message – receiver decrypts message Authentication: sender, receiver want to confirm identity of each other Message integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection Access and availability: services must be accessible and available to users

3 8-3 There are bad guys (and girls) out there! Q: What can a “ bad guy ” do? A: a lot!  eavesdrop: intercept messages  actively insert messages into connection  impersonation: can fake (spoof) source address in packet (or any field in packet)  hijacking: “ take over ” ongoing connection by removing sender or receiver, inserting himself in place  denial of service: prevent service from being used by others (e.g., by overloading resources) more on this later ……

4 4

5 5 Principles of cryptography – The encryption technique is known – published, standardized, and available to everyone. – Symmetric key systems – Public key systems o Symmetric key cryptography – Block ciphers  PGP, SSL, IPsec

6 6 Symmetric key crypto: DES DES: Data Encryption Standard o US encryption standard [NIST 1993] o 56-bit symmetric key, 64-bit plaintext input o How secure is DES? – DES Challenge: 56-bit-key-encrypted phrase ( “ Strong cryptography makes the world a safer place ” ) decrypted (brute force) in 4 months – no known “ backdoor ” decryption approach o making DES more secure: – use three keys sequentially (3-DES) on each datum – use cipher-block chaining

7 7 Symmetric key crypto: DES initial permutation 16 identical “ rounds ” of function application, each using different 48 bits of key final permutation DES operation

8 8 AES: Advanced Encryption Standard o new (Nov. 2001) symmetric-key NIST standard, replacing DES o processes data in 128 bit blocks o 128, 192, or 256 bit keys o brute force decryption (try each key) taking 1 sec on DES, takes 149 trillion years for AES

9 9 o Public key encryption – Diffie and Hellman, 1976 – For encryption, authentication, digital signature – A public key available to every one and a private key that is known only to a person

10 10 Message integrity – Cryptographic hash function  Originated from …  Not tampered with on its way to …  A cryptograhic hash function: it is computationaly infeasible to find any two different messages x and y such that H(x) = H(y). – MD5 (128-bit hash)

11 11

12 12 o Message authentication code

13 13 o Digital signatures – Verifiable and nonforgeable

14 14

15 15

16 16 o Public key certification – Verify that you have the actual public key fo the entity – Certification Authority: binding a public key to a particular entity – ITU X.509

17 17

18 18 A certificate contains: o Serial number (unique to issuer) o info about certificate owner, including algorithm and key value itself (not shown) o info about certificate issuer o valid dates o digital signature by issuer

19 19 End-point authentication – The process of proving one’s identity to someone else.

20 20

21 21

22 22 - nonce: once in a lifetime

23 23

24 24

25 25

26 26 Securing E-mail – Confidentiality, sender authentication, message integrity, receiver authentication

27 27

28 28 Pretty Good Privacy (PGP): MD5 or SHA for message digest; CAST, triple-DES or IDEA for symmetric key encryption and RSA for the public key encryption

29 29 Securing TCP connections: SSL – Secure Sockets Layer (SSL) – Transport Layer Security (TLS)

30 30 – Handshake, key distribution, and data transfer

31 31 Network-layer security: IPsec – Virtual private networks (VPNs) – Authentication Header (AH) protocol: source host authentication and data integrity – Encapsulation Security Payload (ESP) protocol: … and confidentiality – AH header: next header, security parameter index, sequence number, authentication data

32 32 – The ESP protocol  Key distribution – Manual – Automated: Internet Key Exchange protocol using public-key cryptography

33 33 IEEE 802.11 security o war-driving: drive around Bay area, see what 802.11 networks available? – More than 9000 accessible from public roadways – 85% use no encryption/authentication – packet-sniffing and various attacks easy! o securing 802.11 – encryption, authentication – first attempt at 802.11 security: Wired Equivalent Privacy (WEP): a failure – current attempt: 802.11i

34 34 Securing wireless LANs o Wired equivalent privacy (WEP) – Authentication and data encryption – Symmetric shared key – No key distribution

35 35 o IEEE 802.11i

36 36

37 37 Firewalls and Intrusion Detection Systems o The goals of firewall – All traffic from outside to inside, and vice versa, passes through the firewall – Only authorized traffic, as defined by the local security policy, will be allowed to pass. – The firewall itself is immune to penetration.

38 38 o Traditional packet filters – Filtering decision  IP source or destination address  Protocol type in IP datagram field: TCP, UDP, ICMP, OSPF, …  TCP or UDP source and destination port  TCP flag bits: SYN, ACK, …  ICMP message type  Different rules for datagrams leaving and entering the network  Different rules for the different router interfaces.

39 39 Policy Firewall Setting No outside Web access. Drop all outgoing packets to any IP address, port 80 No incoming TCP connections, except those for institution ’ s public Web server only. Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80 Prevent Web-radios from eating up the available bandwidth. Drop all incoming UDP packets - except DNS and router broadcasts. Prevent your network from being used for a smurf DoS attack. Drop all ICMP packets going to a “ broadcast ” address (eg 130.207.255.255). Prevent your network from being tracerouted Drop all outgoing ICMP TTL expired traffic Stateless packet filtering: more examples

40 40 - Access control list for 222.22/16

41 41 o stateful packet filters – Actually track TCP connections – Check connections o Application gateway – Policy decision based on application data – Disadvantages  A different application gateway for each application  Perfrance penalty  The client software must know how to contact the gateway

42 42

43 43 o Intrusion detection systems – Deep packet inspection – A high-security region and a lower-security region (demilitarized zone(DMZ)) – Signature-based system: require previous knowledge of the attach to generate an accurate signature – Anomaly-based system: create a traffic profile – Example: snort

44 44

Download ppt "Ch 8. Security in computer networks Myungchul Kim"

Similar presentations

Chapter 8 Network Security

Chapter 8 Network Security
Network Security7-1 Chapter 7 Network Security Computer Networking: A Top Down Approach Featuring the Internet, 2 nd edition. Jim Kurose, Keith Ross Addison-Wesley,

Network Security7-1 Chapter 7 Network Security Computer Networking: A Top Down Approach Featuring the Internet, 2 nd edition. Jim Kurose, Keith Ross Addison-Wesley,
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Local Wireless Network - An wireless Access Point (AP) which is the bridge the ethernet network and the wireless network -The AP protect its wireless network.

Local Wireless Network - An wireless Access Point (AP) which is the bridge the ethernet network and the wireless network -The AP protect its wireless network.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
8: Network Security8-1 21 - Security. 8: Network Security8-2 Chapter 8 Network Security A note on the use of these ppt slides: We’re making these slides.

8: Network Security Security. 8: Network Security8-2 Chapter 8 Network Security A note on the use of these ppt slides: We’re making these slides.
Chapter 8 Network Security Computer Networking: A Top Down Approach, 5 th edition. Jim Kurose, Keith Ross Addison-Wesley, April 2009.

Chapter 8 Network Security Computer Networking: A Top Down Approach, 5 th edition. Jim Kurose, Keith Ross Addison-Wesley, April 2009.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
CSE401n:Computer Networks

CSE401n:Computer Networks
1DT014/1TT821 Computer Networks I Chapter 8 Network Security

1DT014/1TT821 Computer Networks I Chapter 8 Network Security
Network Security understand principles of network security:

Network Security understand principles of network security:
Review and Announcement r Ethernet m Ethernet CSMA/CD algorithm r Hubs, bridges, and switches m Hub: physical layer Can’t interconnect 10BaseT & 100BaseT.

Review and Announcement r Ethernet m Ethernet CSMA/CD algorithm r Hubs, bridges, and switches m Hub: physical layer Can’t interconnect 10BaseT & 100BaseT.
8: Network Security8-1 Symmetric key cryptography symmetric key crypto: Bob and Alice share know same (symmetric) key: K r e.g., key is knowing substitution.

8: Network Security8-1 Symmetric key cryptography symmetric key crypto: Bob and Alice share know same (symmetric) key: K r e.g., key is knowing substitution.
Chapter 20: Network Security Business Data Communications, 4e.

Chapter 20: Network Security Business Data Communications, 4e.
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.

8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.
Network Security Sorina Persa Group 3250 Group 3250.

Network Security Sorina Persa Group 3250 Group 3250.
24-1 Last time □ Message Integrity □ Authentication □ Key distribution and certification.

24-1 Last time □ Message Integrity □ Authentication □ Key distribution and certification.

Similar presentations

Ads by Google