Presentation is loading. Please wait.

Presentation is loading. Please wait.

4-Jun-164/598N: Computer Networks Differentiated Services Problem with IntServ: scalability Idea: segregate packets into a small number of classes –e.g.,

Published byLesley Cameron Modified over 8 years ago

Similar presentations

Presentation on theme: "4-Jun-164/598N: Computer Networks Differentiated Services Problem with IntServ: scalability Idea: segregate packets into a small number of classes –e.g.,"— Presentation transcript:

1 4-Jun-164/598N: Computer Networks Differentiated Services Problem with IntServ: scalability Idea: segregate packets into a small number of classes –e.g., premium vs best-effort Packets marked according to class at edge of network Core routers implement some per-hop-behavior (PHB) Example: Expedited Forwarding (EF) –rate-limit EF packets at the edges –PHB implemented with class-based priority queues or Weighted Fair Queue (WFQ)

2 4-Jun-164/598N: Computer Networks DiffServ (cont) Assured Forwarding (AF) –customers sign service agreements with ISPs –edge routers mark packets as being “in” or “out” of profile –core routers run RIO: RED with in/out

3 4-Jun-164/598N: Computer Networks http://www.debone.com/videoLinks.html http://www.earthcam.com/usa/newyork/timessquare/ livestream.htmlhttp://www.earthcam.com/usa/newyork/timessquare/ livestream.html

4 4-Jun-164/598N: Computer Networks Chapter 8: Security Outline –Encryption Algorithms –Authentication Protocols –Message Integrity Protocols –Key Distribution –Firewalls

5 4-Jun-164/598N: Computer Networks Overview Cryptography functions –Secret key (e.g., DES) –Public key (e.g., RSA) –Message digest (e.g., MD5) Security services –Privacy: preventing unauthorized release of information –Authentication: verifying identity of the remote participant –Integrity: making sure message has not been altered

6 4-Jun-164/598N: Computer Networks Secret Key (DES)

7 4-Jun-164/598N: Computer Networks Each Round + F L i─ 1 R i─ 1 R i K i L i 64-bit key (56-bits + 8-bit parity) 16 rounds

8 4-Jun-164/598N: Computer Networks Repeat for larger messages

9 4-Jun-164/598N: Computer Networks Public Key (RSA) Encryption & Decryption c = m e mod n m = c d mod n

10 4-Jun-164/598N: Computer Networks RSA (cont) Choose two large prime numbers p and q (each 256 bits) Multiply p and q together to get n Choose the encryption key e, such that e and (p - 1) x (q - 1) are relatively prime. Two numbers are relatively prime if they have no common factor greater than one Compute decryption key d such that –d = e-1mod ((p - 1) x (q - 1)) Construct public key as (e, n) Construct public key as (d, n) Discard (do not disclose) original primes p and q

11 4-Jun-164/598N: Computer Networks Message Digest Cryptographic checksum –just as a regular checksum protects the receiver from accidental changes to the message, a cryptographic checksum protects the receiver from malicious changes to the message. One-way function –given a cryptographic checksum for a message, it is virtually impossible to figure out what message produced that checksum; it is not computationally feasible to find two messages that hash to the same cryptographic checksum. Relevance –if you are given a checksum for a message and you are able to compute exactly the same checksum for that message, then it is highly likely this message produced the checksum you were given.

12 4-Jun-164/598N: Computer Networks IP Security Payload is in the clear text - anyone in the middle can see it No way of knowing who the sender is - just trust the header No way of knowing if the data was modified - checks protect against network errors, not malicious attacks Solution: Virtual Private Network (VPN) –Make node appear in the same network as say a company, while actually outside the network –IPSEC is a secure VPN technology

13 4-Jun-164/598N: Computer Networks IPSEC Authentication - Know the sender Encryption - Cannot eves drop Operates in host-to-host or host-to-network or network-to-network modes With Two Major modes –Tunnel –Transport AH (Authentication Header) ESP (Encapsulating Security Protocol) AH + ESP

14 4-Jun-164/598N: Computer Networks Exchanging Keys Exchange keys between client and server –Manual Keying –Internet Security Association and Key Management Protocol (ISAKMP) –Certificates IPSEC: –Works for all IP datagrams (UDP, TCP, RTSP, etc.) –Complicated to setup and not interoperable (yet) Application level: –SSL, SSH tunnels

15 4-Jun-164/598N: Computer Networks ClientServer ClientId, E (, CHK) E( y +, CHK) E(SK, SHK) Y Authentication Protocols Three-way handshake

16 4-Jun-164/598N: Computer Networks Trusted third party (Kerberos)

17 4-Jun-164/598N: Computer Networks AB E ( x, Public B ) x Public key authentication

18 4-Jun-164/598N: Computer Networks Message Integrity Protocols Digital signature using RSA –special case of a message integrity where the code can only have been generated by one participant –compute signature with private key and verify with public key Keyed MD5 –sender: m + MD5(m + k) + E(k, private) –receiver recovers random key using the sender’s public key applies MD5 to the concatenation of this random key message MD5 with RSA signature –sender: m + E(MD5(m), private) –receiver decrypts signature with sender’s public key compares result with MD5 checksum sent with message

19 4-Jun-164/598N: Computer Networks Message Integrity Protocols Digital signature using RSA –special case of a message integrity where the code can only have been generated by one participant –compute signature with private key and verify with public key Keyed MD5 –sender: m + MD5(m + k) + E(E(k, rcv-pub), private) –receiver recovers random key using the sender’s public key applies MD5 to the concatenation of this random key message MD5 with RSA signature –sender: m + E(MD5(m), private) –receiver decrypts signature with sender’s public key compares result with MD5 checksum sent with message

20 4-Jun-164/598N: Computer Networks Key Distribution Certificate –special type of digitally signed document: “I certify that the public key in this document belongs to the entity named in this document, signed X.” –the name of the entity being certified –the public key of the entity –the name of the certified authority –a digital signature Certified Authority (CA) –administrative entity that issues certificates –useful only to someone that already holds the CA’s public key.

21 4-Jun-164/598N: Computer Networks Key Distribution (cont) Chain of Trust –if X certifies that a certain public key belongs to Y, and Y certifies that another public key belongs to Z, then there exists a chain of certificates from X to Z –someone that wants to verify Z’s public key has to know X’s public key and follow the chain Certificate Revocation List

22 4-Jun-164/598N: Computer Networks Firewalls Filter-Based Solution –example ( 192.12.13.14, 1234, 128.7.6.5, 80 ) (*,*, 128.7.6.5, 80 ) –default: forward or not forward? –how dynamic? –stateful

23 4-Jun-164/598N: Computer Networks Proxy-Based Firewalls Problem: complex policy Example: web server Solution: proxy Design: transparent vs. classical Limitations: attacks from within

24 4-Jun-164/598N: Computer Networks Denial of Service Attacks on end hosts –SYN attack Attacks on routers –Christmas tree packets –pollute route cache Authentication attacks Distributed DoS attacks

Download ppt "4-Jun-164/598N: Computer Networks Differentiated Services Problem with IntServ: scalability Idea: segregate packets into a small number of classes –e.g.,"

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.

McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.
Introduction to Cryptography

Introduction to Cryptography
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
Chapter 29 Internet Security

Chapter 29 Internet Security
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.
Chapter 31 Network Security

Chapter 31 Network Security
INE1020: Introduction to Internet Engineering 6: Privacy and Security Issues1 Lecture 9: E-commerce & Business r E-Commerce r Security Issues m Secure.

INE1020: Introduction to Internet Engineering 6: Privacy and Security Issues1 Lecture 9: E-commerce & Business r E-Commerce r Security Issues m Secure.

Similar presentations

Ads by Google