Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Chapter 3 Copyright Pearson Prentice Hall 2013.

Published byWilliam Ambrose Neal Modified over 8 years ago

Similar presentations

Presentation on theme: "Cryptography Chapter 3 Copyright Pearson Prentice Hall 2013."— Presentation transcript:

1 Cryptography Chapter 3 Copyright Pearson Prentice Hall 2013

2 Explain the concept of cryptography. Describe symmetric key encryption and the importance of key length. Explain negotiation stage. Explain initial authentication, including MS-CHAP. Describe keying, including public key encryption. Explain how electronic signatures, including digital signatures, digital certificates, and key-hashed message authentication codes (HMACs) work. Describe public key encryption for authentication. Describe quantum security. Explain cryptographic systems including VPNs, SSL, and IPsec. 2 Copyright Pearson Prentice Hall 2013

3 3

4 WHAT’S NEXT? 4 3.1 What Is Cryptography 3.2 Symmetric Key Encryption Ciphers 3.3 Cryptographic System Standards 3.4 The Negotiation Stage 3.5 Initial Authentication Stage 3.6 The Keying Stage 3.7 Message-by-Message Authentication 3.8 Quantum Security 3.9 Cryptographic Systems 3.10 SSL/TLS and IPsec Copyright Pearson Prentice Hall 2013

5 3.1: CRYPTOGRAPHY Cryptography is the use of mathematical operations to protect messages traveling between parties or stored on a computer Confidentiality means that someone intercepting your communications cannot read understand them 5 ??? Copyright Pearson Prentice Hall 2013

6 CRYPTOGRAPHY Confidentiality is only one cryptographic protection Authentication means proving one’s identity to another so they can trust you more Integrity means that the message cannot be changed or, if it is changed, that this change will be detected Copyright Pearson Prentice- Hall 2010 6

7 Definitions and ExampleExample Plaintext The message being sent Encryption Cryptographic process that changes plaintext into random (seemingly) bits Ciphertext Decryption Cryptographic process that changes ciphertext back into plaintext Cipher Mathematical process used to encrypt and decrypt Key Use in the cipher Random string of 40-4,000 bits e.g. 6415 as a key would be 1100100001111 Copyright Pearson Prentice- Hall 2010 7

8 3.1: CRYPTOGRAPHY Encryption for confidentiality needs a cipher (mathematical method) to encrypt and decrypt The cipher cannot be kept secret RSA is an example of a cipher The two parties using the cipher also need to know either a secret key (symmetric) or keys (public/private) A key is merely a long stream of bits (1s and 0s) The key or keys must be kept secret Cryptanalysts attempt to crack (find) the key 8 Copyright Pearson Prentice Hall 2013

9 Substitution Ciphers Substitute one letter (or bit) for another in each place The cipher we saw in Figure 3-2 is a substitution cipher Transposition Ciphers Transposition ciphers do not change individual letters or bits, but they change their order Most real ciphers use both substitution and transposition 9 Copyright Pearson Prentice Hall 2013

10 SUBSTITUTION SYMMETRIC KEY CIPHER Copyright Pearson Prentice- Hall 2010 10 PlaintextKeyCiphertext n4r o8w w15l i16… s23… t16… h3… e9… t12… i20… m6… e25… n o p q r +4 This is a very weak cipher Real ciphers use complex math This is a very weak cipher Real ciphers use complex math Symmetric because both sender and receive must know the key

11 11 Key (Part 1) Key (Part 2)132 2now 3ist 1het Key = 132 231 Copyright Pearson Prentice Hall 2013

12 Ciphers can encrypt any message expressed in binary (1s and 0s) This flexibility and the speed of computing makes this ciphers dominant for encryption today Codes are more specialized They substitute one thing for another Usually a word for another word or a number for a word Codes are good for humans and may be included in messages sent via encipherment 12 Copyright Pearson Prentice Hall 2013

13 13 MessageCode From17434 Akagi63717 To83971 Truk11131 STOP34058 ETA53764 6 PM73104 STOP26733 Require29798 B72135 N54678 STOP61552 Transmitted: 174346371783971… Transmitted: 174346371783971… Copyright Pearson Prentice Hall 2013

14 14 Key Length in Bits Number of Possible Keys 12 24 416 8256 1665,536 401,099,511,627,776 5672,057,594,037,927,900 1125,192,296,858,534,830,000,000,000,000,000,000 1125.1923E+33 1683.74144E+50 2561.15792E+77 5121.3408E+154 Each extra bit doubles the number of keys Each extra bit doubles the number of keys Shaded keys are Strong symmetric keys (>=100 bits) Shaded keys are Strong symmetric keys (>=100 bits) Copyright Pearson Prentice Hall 2013 five decillion,one hundred ninety two nonillion,two hundred ninety six octillion,eight hundred fifty eight septillion,five hundred thirty four sextillion,eight hundred thirty quintillion

15 Note: Public key/private key pairs (discussed later in the chapter) must be much longer than symmetric keys to be considered to be strong because of the disastrous consequences that could occur if a private key is cracked and because private keys cannot be changed frequently. Public keys and private keys must be at least 512 to 1,024 to 2,048 bits long 15 Copyright Pearson Prentice Hall 2013

16 ITS ALL ABOUT KEY SIZE Digits # of Operations Time* 501.4 x 10^103.9 hours 759.0 x 10^12104 days 1002.3 x 10^1574 years 2001.2 x 10^233.8 x 10^9 years 3001.5 x 10^294.9 x 10^15 years 5001.3 x 10^394.2 x 10^25 years * 1 operation = 1 microsecond (1 millionth of a second)

17 WHAT’S NEXT? 17 3.1 What Is Cryptography 3.2 Symmetric Key Encryption Ciphers 3.3 Cryptographic System Standards 3.4 The Negotiation Stage 3.5 Initial Authentication Stage 3.6 The Keying Stage 3.7 Message-by-Message Authentication 3.8 Quantum Security 3.9 Cryptographic Systems 3.10 SSL/TLS and IPsec Copyright Pearson Prentice Hall 2013

18 18 Copyright Pearson Prentice Hall 2013

19 19 RC4DES3DESAES Key Length (bits) 40 bits or more 56112 or 168128, 192, or 256 Key StrengthVery weak at 40 bits WeakStrong Processing Requirements LowModerateHighLow RAM Requirements LowModerate Low RemarksCan use keys of variable lengths Created in the 1970s Applies DES three times with two or three different DES keys Today’s gold standard for symmetric key encryption

20 WHAT’S NEXT? 20 3.1 What Is Cryptography 3.2 Symmetric Key Encryption Ciphers 3.3 Cryptographic System Standards 3.4 The Negotiation Stage 3.5 Initial Authentication Stage 3.6 The Keying Stage 3.7 Message-by-Message Authentication 3.8 Quantum Security 3.9 Cryptographic Systems 3.10 SSL/TLS and IPsec Copyright Pearson Prentice Hall 2013

21 Cryptographic Systems Encryption for confidentiality is only one cryptographic protection Authentication Integrity Individual users and corporations cannot be expected to master these many aspects of cryptography Consequently, crypto protections are organized into complete cryptographic systems that provide a broad set of cryptographic protection 21 Copyright Pearson Prentice Hall 2013

22 Cryptographic Systems Two parties first agree upon a particular cryptographic system to use Each cryptographic system dialogue begins with three brief handshaking stages 1.Negotiation 2.Authentication 3.Keying The two parties then engage in cryptographically protected communication This ongoing communication stage usually constitutes nearly all of the dialogue 22 Copyright Pearson Prentice Hall 2013

23 23 Copyright Pearson Prentice Hall 2013

24 Copyright Pearson Prentice-Hall 201024

25 25 Copyright Pearson Prentice Hall 2013

26 26 Cipher SuiteKey Negotiation Digital Signature Method Symmetric Key Encryption Method Hashing Method for HMAC Strength NULL_WITH_NULL_NULLNone RSA_EXPORT_WITH_ RC4_40_MD5 RSA export strength (40 bits) RC4 (40-bit key) MD5Weak RSA_WITH_DES_CBC_ SHA RSA DES_CBCSHA-1Stronger but not very strong DH_DSS_WITH_3DES_ EDE_CBC_SHA Diffie– Hellman Digital Signature Standard 3DES_ EDE_CBC SHA-1Strong RSA_WITH_AES_256_CB C_SHA256 RSA AES 256 bits SHA-256Very strong Copyright Pearson Prentice Hall 2013

27 Copyright Pearson Prentice-Hall 201027

28 Copyright Pearson Prentice-Hall 201028

29 29 Copyright Pearson Prentice Hall 2013

30 3-10: AUTHENTICATION: SUPPLICANT, VERIFIER, AND CREDENTIALS Copyright Pearson Prentice- Hall 2010 30 Supplicant: Wishes to prove its identity Verifier: Tests the credentials, accepts or rejects the supplicant Credentials Proofs of identity (password, etc.)

31 Copyright Pearson Prentice-Hall 201031

32 Authentications Methods Hashing – Similar to a Batch Total (accounting/auditing control) – Supplicant has data x (credential) Data x ---> “magical hash” ---> Hash – Verifier also has data x (credential) Data x ---> “magical hash” ---> Hash Certificates Copyright Pearson Prentice-Hall 200932 or

33 AUTHENTICATION USING HASHING Hashing A hashing algorithm is applied to a bit string of any length The result of the calculation is called the hash For a given hashing algorithm, all hashes are the same short length 33 Bit string of any length Hash: bit string of small fixed length Hashing Algorithm Hashing Algorithm Copyright Pearson Prentice Hall 2013

34 HASHING Hashing Algorithms MD5 (128-bit hashes) MD5 SHA-1 (160-bit hashes) SHA-1 SHA-224, SHA-256, SHA-384, and SHA-512 (name gives hash length in bits) Note: MD5 and SHA-1 should not be used because have been shown to be unsecure On Feb. 11, 2014 Microsoft announced in a security bulletin it would no longer accept MD5 Copyright Pearson Prentice- Hall 2010 34

35 HASHING VS. ENCRYPTION 35 CharacteristicEncryptionHashing Result lengthAbout the same length as the plaintext Short fixed length regardless of message length Reversible?Yes. DecryptionNo. There is no way to get from the short hash back to the long original message Copyright Pearson Prentice Hall 2013 Well Kind-of……

36 Copyright Pearson Prentice Hall 2013 36

37 3.5: MS-CHAP CHALLENGE-RESPONSE AUTHENTICATION PROTOCOL (CONTINUED) (FIGURE 3-12) 37 Copyright Pearson Prentice Hall 2013

38 3.5: MS-CHAP CHALLENGE-RESPONSE AUTHENTICATION PROTOCOL (CONTINUED) (FIGURE 3-12) 38 Copyright Pearson Prentice Hall 2013

39 39 Copyright Pearson Prentice Hall 2013

40 In symmetric key encryption for confidentiality, the two sides use the same key For each dialogue (session), a new symmetric key is generated: the symmetric session key In public key encryption, each party has a public key and a private key A persons public key is available to anyone A person keeps his or her private key secret Two common ciphers RSA (most common) elliptic curve cryptography (Potential problem with NSA backdoor) 40 Copyright Pearson Prentice Hall 2013 ENCRYPTION FOR CONFIDENTIALITY

41 HOW DO YOU EXCHANGE KEYS? Public Key Encryption Diffie-Hellman Copyright Pearson Prentice-Hall 201041

42 42 Copyright Pearson Prentice Hall 2013

43 Copyright Pearson Prentice- Hall 2010 43 RSA PUBLIC KEY ENCRYPTION

44 R IVEST S HAMIR A DLEMAN Problem Exchanging Key for encryption securely Signing a message (proving the true-party sent it) Solution (confidentiality) M^e mod n = C n = (p * q) where p and q are 2 very large prime numbers e is derived from p and q C^d mod n = M d is derived from p and q Anyone can know (e,n) d must be secret Solution (signing) S = D B (M) (D = decrypt with private key = encrypt plaintext with private key) E(S) = E A (S) (E A = Encrypt with public) S = D A (E(S) M = E B (S) Copyright Pearson Prentice-Hall 201044

45 PROBLEM How do you exchange the key(s) necessary for encryption? Solution: Diffie-Hellman math – don’t ask me to explain Requirements: p and q Two random very large numbers 100’s of digits long or longer n = p * q if p and q are sufficiently large it is almost impossible to factor n and come up with p and q; thus almost impossible to determine d! d = private key; derived from p and q (see wikipedia)see wikipedia e = public key; derived from p and q (see wikipedia)see wikipedia

46 THE MATH Plaintext Message = M Convert PlainText to number (binary) = M M^e (mod n) = CipherText(C) e and n are publicly known, either sent to party for communication or stored publicly (CA’s) C^d (mod n) = M d = Private Key

47 An Example 47

48 WEAKEST LINK FAILURE What is the weakest link in RSA?

49 FEBRUARY 2012 What did security researchers allege? Were they right? What is a Pseudo-Random Number Generator? What size keys should be in use today?

50 The two parties exchange parameters p and g Each uses a number that is never shared explicitly to compute a second number Each sends the other their second number Each does another computation on the second computed number Both get the third number, which is the key All of this communication is sent in the clear 50 Copyright Pearson Prentice Hall 2013

51 3-15: KEYING USING DIFFIE-HELLMAN KEY AGREEMENT 51 The gory details The gory details

52 Copyright Pearson Prentice-Hall 201052

53 53 Copyright Pearson Prentice Hall 2013

54 Consumes nearly all of the dialogues Message-by-Message Encryption Nearly always uses symmetric key encryption Already covered Public key encryption is too inefficient Message-by-Message Authentication Digital signatures (public/private keys) or Message authentication codes (MACs) Also provide message-by-message integrity 54 Copyright Pearson Prentice Hall 2013

55 PUBLIC KEY ENCRYPTION FOR CONFIDENTIALITY Copyright Pearson Prentice- Hall 2010 55 Digital Certificates Message by Message Encryption using Public/Private Keys

56 Copyright Pearson Prentice-Hall 201056

57 57 Copyright Pearson Prentice Hall 2013

58 3.7: DIGITAL SIGNATURE FOR MESSAGE-BY-MESSAGE AUTHENTICATION (CONTINUED) (FIGURE 3-16) 58 Encryption is done to protect the plaintext It is not needed for message-by-message authentication Encryption is done to protect the plaintext It is not needed for message-by-message authentication Copyright Pearson Prentice Hall 2013

59 3.7: DIGITAL SIGNATURE FOR MESSAGE-BY-MESSAGE AUTHENTICATION (CONTINUED) (FIGURE 3-16) 59 Copyright Pearson Prentice Hall 2013

60 60 Encryption GoalSender Encrypts with Receiver Decrypts with Public Key Encryption for Confidentiality The receiver’s public key The receiver’s private key Public Key Encryption for Authentication The sender’s private key The True Party’s public key (not the sender’s public key) Point of frequent confusion Copyright Pearson Prentice Hall 2013

61 Cannot use the senders public key It would always “validate” the senders digital signature Normally requires a digital certificate File provided by a certificate authority (CA) The certificate authority must be trustworthy Digital certificate provides the subjects (True Party's) name and public key Don't confuse digital signatures and the digital certificates used to test digital signatures! 61 Copyright Pearson Prentice Hall 2013

62 62 FieldDescription Version Number Version number of the X.509 standard. Most certificates follow Version 3. Different versions have different fields. This figure reflects the Version 3 standard. IssuerName of the Certificate Authority (CA). Serial Number Unique serial number for the certificate, set by the CA. Subject (True Party) The name of the person, organization, computer, or program to which the certificate has been issued. This is the true party. Public KeyThe public key of the subject (the true party). Public Key Algorithm The algorithm the subject uses to sign messages with digital signatures. Certificate provides the True Party’s public key Serial number allows the receiver to check if the digital certificate has been revoked by the CA Copyright Pearson Prentice Hall 2013

63 63 FieldDescription Digital Signature The digital signature of the certificate, signed by the CA with the CA’s own private key. For testing certificate authentication and integrity. User must know the CA’s public key independently. Signature Algorithm Identifier The digital signature algorithm the CA uses to sign its certificates. Other Fields… The CA signs the cert with its own private key so that the cert’s validity can be checked for alterations. Copyright Pearson Prentice Hall 2013

64 DIGITAL CERTIFICATES CAN BE USED TO: sign e-mails ensure documents haven't been tampered with verify that software and software updates available online originated with a particular person or group Copyright Pearson Prentice- Hall 2010 64

65 3.7: VERIFYING THE DIGITAL CERTIFICATE Testing the Digital Signature The digital certificate has a digital signature of its own Signed with the Certificate Authority’s (CA’s) private key Must be tested with the CA’s well-known public key If the test works, the certificate is authentic and unmodified 65 Copyright Pearson Prentice Hall 2013

66 3.7: VERIFYING THE DIGITAL CERTIFICATE Checking the Valid Period Certificate is valid only during the valid period in the digital certificate (not shown in the figure) If the current time is not within the valid period, reject the digital certificate 66 Copyright Pearson Prentice Hall 2013

67 3.7: VERIFYING THE DIGITAL CERTIFICATE Checking for Revocation Certificates may be revoked for improper behavior or other reasons Revocation must be tested Cannot be done by looking at fields within the certificate Receiver must check with the CA 67 Copyright Pearson Prentice Hall 2013

68 3.7: VERIFYING THE DIGITAL CERTIFICATE Checking for Revocation Verifier may download the entire certificate revocation list from the CA See if the serial number is on the certificate revocation list If so, do not accept the certificate Or, the verifier may send a query to the CA Requires the CA to support the Online Certificate Status Protocol 68 Copyright Pearson Prentice Hall 2013

69 69 Copyright Pearson Prentice Hall 2013

70 AN EXAMPLE OF DIGITAL CERTIFICATES Twitter.com Copyright Pearson Prentice- Hall 2010 70

71 REMEMBER FLAME? Used counterfeit Microsoft digital certificate Allowed attackers to “sign” Flame software as if it was Microsoft Software Thus able to evade Malware detection How? Cryptographic Collision Attack Hashing plaintext should result in a unique hash But sometimes independent plaintext results in the same hash If you know this you can reverse engineer hash key and counterfeit a certificate based on hash Copyright Pearson Prentice- Hall 2010 71

72 72 Copyright Pearson Prentice Hall 2013

73 3.7: KEY-HASHED MESSAGE AUTHENTICATION CODE (HMAC) (CONTINUED) (FIGURE 3-22) 73 As in the case of digital signatures, confidentiality is done to protect the plaintext. It is not needed for authentication and has nothing to do with authentication. As in the case of digital signatures, confidentiality is done to protect the plaintext. It is not needed for authentication and has nothing to do with authentication. Copyright Pearson Prentice Hall 2013

74 3.7: KEY-HASHED MESSAGE AUTHENTICATION CODE (HMAC) (CONTINUED) (FIGURE 3-22) 74 Copyright Pearson Prentice Hall 2013

75 Also Brings Message Integrity If the message has been altered, the authentication method will fail automatically Digital Signature Authentication Uses public key encryption for authentication Very strong but expensive Key-Hashed Message Authentication Codes An alternate authentication method using hashing Much less expensive than digital signature authentication Much more widely used 75 Copyright Pearson Prentice Hall 2013

76 3.7: NONREPUDIATION Nonrepudiation means that the sender cannot deny that he or she sent a message With digital signatures, the sender must use his or her private key It is difficult to repudiate that you sent something if you use your private key With HMACs, both parties know the key used to create the HMAC The sender can repudiate the message, claiming that the receiver created it 76 Copyright Pearson Prentice Hall 2013

77 3.7: NONREPUDIATION However, packet-level nonrepudiation is unimportant in most cases The application message—an e-mail message, a contract, etc., is the important thing If the application layer message has its own digital signature, you have nonrepudiation for the application message, even if you use HMACs at the Internet layer for packet authentication 77 Copyright Pearson Prentice Hall 2013

78 3.7: REPLAY ATTACKS AND DEFENSES Replay Attacks Capture and then retransmit an encrypted message later May have a desired effect Even if the attacker cannot read the message 78 Copyright Pearson Prentice Hall 2013

79 3.7: REPLAY ATTACKS AND DEFENSES Thwarting Replay Attacks Time stamps to ensure freshness of each message Sequence numbers so that repeated messages can be detected Nonces Unique randomly generated number placed in each request message Reflected in the response message If a request arrives with a previously used nonce, it is rejected 79 Copyright Pearson Prentice Hall 2013

80 Copyright Pearson Prentice- Hall 2010 80 Copyright Pearson Prentice-Hall 2009 ConfidentialityAuthentication Symmetric Key Encryption Applicable. Sender encrypts with key shared with the receiver. Not applicable. Public Key Encryption Applicable. Sender encrypts with receiver’s public key. Receiver decrypts with the receiver’s own private key. Applicable. Sender (supplicant) encrypts with own private key. Receiver (verifier) decrypts with the public key of the true party, usually obtained from the true party’s digital certificate. HashingNot applicable.Applicable. Used in MS-CHAP for initial authentication and in HMACs for message-by- message authentication.

81 COST OF IT SECURITY FAILURES 2013 Ponemon Institute Report: Annual cost of Failed Trust: Threats & Attacks

82 MANAGING CRYPTOGRAPHIC KEYS & DIGITAL CERTIFICATES Premise of the study: Trust today is based on cryptography and digital certificates What kind of trust are we talking about? SSL Internet (Financial Institutions, online shopping, CC payments) Cloud Computing Any Public/Private Key encryption methodology Corporations must have control over keys/certificates Where are they located? How many are there? Oversight of PKI?

83 WHERE ARE MY KEYS? I do NOT know how many keys/certificates my organization has*: UK - 61% France - 59% U.S. - 54% Australia - 47% Germany - 34% That’s OK the N.S.A. does!

84 CRIMINAL ATTACKS Indirect Exploiting Certificate Authority Issue fraudulent certificates DigiNotar; DigiCert Direct Flame; used compromised cryptography to mimic Microsoft updater software

85 COST CATEGORIES Incident Response Lost Productivity Revenue Loss Brand and Reputation Damage

86 SSH KEY THEFT Secure connections between hosts Allows remote connections Creates secure connection over insecure network (Internet) Allows Root Access Cloud Computing

87 COMPROMISED C.A.’S Criminal obtains certificate allowing them to masquerade as legitimate: company server/host software...

88 SERVER KEY THEFT Criminal can: Impersonate as a legitimate web-site Authenticate against an encrypted database to access CC; IP; etc.

89 USING WEAK CRYPTOGRAPHY MD5.. and others

90 TOTAL COST

91

92 WHAT’S NEXT? 92 3.1 What Is Cryptography 3.2 Symmetric Key Encryption Ciphers 3.3 Cryptographic System Standards 3.4 The Negotiation Stage 3.5 Initial Authentication Stage 3.6 The Keying Stage 3.7 Message-by-Message Authentication 3.8 Quantum Security 3.9 Cryptographic Systems 3.10 SSL/TLS and IPsec Copyright Pearson Prentice Hall 2013

93 Quantum Computing Time Magazine, February 2014 Time Magazine Wired, May 2014 Wired Quantum Mechanics Describes the behavior of fundamental particles Complex and even weird results 93 Copyright Pearson Prentice Hall 2013

94 3.8: QUANTUM SECURITY Quantum Key Distribution Transmits a very long key—as long as the message This is a one-time key that will not be used again A one-time key as long as a message cannot be cracked by cryptanalysis If an interceptor reads part of the key in transit, this will be immediately apparent to the sender and receiver 94 Copyright Pearson Prentice Hall 2013

95 3.8: QUANTUM SECURITY Quantum Key Cracking Tests many keys simultaneously If quantum key cracking becomes capable of working on long keys, today’s strong key lengths will offer no protection 95 Copyright Pearson Prentice Hall 2013

96 WHAT’S NEXT? 96 3.1 What Is Cryptography 3.2 Symmetric Key Encryption Ciphers 3.3 Cryptographic System Standards 3.4 The Negotiation Stage 3.5 Initial Authentication Stage 3.6 The Keying Stage 3.7 Message-by-Message Authentication 3.8 Quantum Security 3.9 Cryptographic Systems 3.10 SSL/TLS and IPsec Copyright Pearson Prentice Hall 2013

97 97 Copyright Pearson Prentice Hall 2013

98 98 Copyright Pearson Prentice Hall 2013 SSL or IPsec IPSec Only

99 WHAT’S NEXT? 99 3.1 What Is Cryptography 3.2 Symmetric Key Encryption Ciphers 3.3 Cryptographic System Standards 3.4 The Negotiation Stage 3.5 Initial Authentication Stage 3.6 The Keying Stage 3.7 Message-by-Message Authentication 3.8 Quantum Security 3.9 Cryptographic Systems 3.10 SSL/TLS and IPsec Copyright Pearson Prentice Hall 2013

100 100 Copyright Pearson Prentice Hall 2013

101 101 Copyright Pearson Prentice Hall 2013

102 102 SSL/TLSIPsec Cryptographic security standardYes Cryptographic security protectionsGoodGold Standard Supports central managementNoYes Complexity and expenseLowerHigher Layer of operationTransportInternet Transparently protects all higher-layer traffic NoYes Works with IPv4 and IPv6NAYes Modes of operationNATransport, Tunnel Copyright Pearson Prentice Hall 2013 UCF VPN

103 103 1. End-to-End Security (Good) 1. End-to-End Security (Good) 2. Security in Site Network (Good) 2. Security in Site Network (Good) 3. Setup Cost On Each Host (Costly) 3. Setup Cost On Each Host (Costly) Copyright Pearson Prentice Hall 2013

104 104 2. No Security in Site Network (Bad) 2. No Security in Site Network (Bad) 3. No Setup Cost On Each Host (Good) 3. No Setup Cost On Each Host (Good) Copyright Pearson Prentice Hall 2013

105 105 CharacteristicTransport ModeTunnel Mode Uses an IPsec VPN Gateway? NoYes Cryptographic Protection All the way from the source host to the destination host, including the Internet and the two site networks. Only over the Internet between the IPsec gateways. Not within the two site networks. Setup CostsHigh. Setup requires the creation of a digital certificate for each client and significant configuration work. Low. Only the IPsec gateways must implement IPsec, so only they need digital certificates and need to be configured. Copyright Pearson Prentice Hall 2013

106 106 CharacteristicTransport ModeTunnel Mode Firewall FriendlinessBad. A firewall at the border to a site cannot filter packets because the content is encrypted. Good. Each packet is decrypted by the IPsec gateway. A border firewall after the IPsec gateway can filter the decrypted packet. The “Bottom Line”End-to-end security at high cost. Low cost and protects the packet over the most dangerous part of its journey. Copyright Pearson Prentice Hall 2013

107 107 Copyright Pearson Prentice Hall 2013

108 108

109 Copyright © 2013 Pearson Education, Inc. Copyright © 2013 Pearson Education, Inc. Publishing as Prentice Hall

Download ppt "Cryptography Chapter 3 Copyright Pearson Prentice Hall 2013."

Similar presentations

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 6 Wenbing Zhao Department of Electrical and Computer Engineering.
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Cryptography Basic (cont)

Cryptography Basic (cont)
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Cryptographic Technologies

Cryptographic Technologies
Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.

Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Cryptography April 20, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Cryptography April 20, 2010 MIS 4600 – MBA © Abdou Illia.

Similar presentations

Ads by Google