Link Encryption


1 Link Encryption (from Internet Cryptography, chapter 3)
 What is link security?
 Link security objectives met by link encryption
 In-line encryptor hardware
 Point-to-point deployment
 IP-routed deployment
 Key recovery

2 ISO/OSI Layer Review – 7 layers (International Organization for Standardization / Open Systems Interconnection)
 The 7-layer model is shown on the right (figure omitted in this transcript).
 There are many protocols in each layer.
 For example, High-level Data Link Control (HDLC) is a data link layer protocol.

3 Internet Protocol – 5 layers
 The Internet protocol stack reduces the model to five layers.
 Link security refers to security measures in the data link layer (ISO/OSI layer 2), which the Internet model calls the network interface layer (also layer 2).

4 Internet Cryptographic Protocols (layer number in brackets where the slide gives one)

    Protocol             Purpose
    CyberCash (layer 5)  Electronic funds transactions
    DNSSEC (layer 5)     Domain Name System
    IPSec (layer 3)      Packet-level encryption
    PCT                  TCP/IP level encryption
    PGP (layer 5)        Electronic mail
    S-HTTP (layer 5)     Web browsing
    Secure RPC           Remote procedure calls
    SET (layer 4)        Electronic funds transactions
    SSL (layer 4)        TCP/IP level encryption

5 What is a protocol?
 "The proper way of handling data transfer between two parties."
 Assume two parties, a sender and a receiver, are exchanging a message. The proper procedure, including error handling (in this case, retransmission of lost or corrupted data), is shown in the figure (omitted in this transcript).

6 What is a link security protocol?
 It is designed to hide secrets (that is, it encrypts for you).
 It intends to protect data against forgery (false data).
 It fits into existing Internet applications without changing them.
 It operates in the data link layer (ISO/OSI layer 2), the network interface layer of the Internet model.

7 Security Objectives of link security (1)
 Purpose: maintain confidentiality on an isolated set of computers. Reason: the computers hold sensitive data that they need to exchange with each other.
 Purpose: use a simple but secure protocol. Reason: communication with outsiders is unwanted and is to be blocked, so that data cannot leak through accident, carelessness or an overt attempt.

8 Security Objectives (2)
 Purpose: hide data traffic as much as possible. Action: shield everything possible about the data sent.
 Purpose: safety and familiarity are more important than cost. Action: use a well-established technique that is simple to understand and implement.

9 In-line Encryptor – always deployed as a pair
 It is the building block of link encryption.
 It is a hardware device, not software.
 One port accepts plaintext while the other produces ciphertext, and vice versa for the return direction.

10 Example: a pair of in-line encryptors connected through the Internet; in practice they are usually connected through a leased line (for example from PCCW). (figure omitted in this transcript)

11 In-line Encryptor (real products)
 A code encryptor: a small device with two network data link connections.
 An in-line encryptor. (product photographs omitted in this transcript)

12 Inside an in-line encryptor (figure omitted in this transcript)

13 Features of an in-line encryptor
 Separate plaintext and ciphertext ports (that is why there are two ports).
 Uses a stream cipher or a block cipher.
 In practice, commercial products have used a stream cipher such as RC4 or a block cipher such as DES (the Data Encryption Standard). Note that RC4 is a stream cipher, not a block cipher, and that both algorithms are now considered too weak for new deployments (RC4 has known keystream biases; DES has only a 56-bit key).

14 Link-level Vulnerabilities (weaknesses)
There are several attacks; below are some of them:
 Replay attacks
 Rewrite attacks
 Covert signalling attacks

15 Replay Attacks – resend a captured message a few times
 If the message is encrypted, why should we care about replay?
 Because an outsider who captures the encrypted message and re-sends it can make the receiver act on it again, without ever decrypting it.

16 Example of Replay Attacks (figure omitted in this transcript; the replayed packets are the false copies)

17 Example of Replay Attacks – explanation
 Alice sends one genuine message, "pay Chan Tai Man", to Bob.
 Play-it-again Sam captures the encrypted message and re-sends it to Bob twice.
 Bob and his colleagues then pay Chan Tai Man three times.
 Of course, Sam gains something from doing this.

18 How to solve this? – replay attack
 Each plaintext message must carry extra information such as a message (sequence) number, which is encrypted together with the data.
 If the receiver sees a sequence number it has already accepted, the duplicate is discarded.
 TCP (layer 4) already discards segments whose sequence numbers it has received, so a replay that decrypts to an exact duplicate is dropped by the host; but TCP's numbering is a reliability mechanism, not a security one, so a link encryptor should keep its own sequence counter and anti-replay check.
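As an added example (not part of the lecture slides or of the book), the following Python implements the receiver-side check described above: a sequence number travels inside each encrypted packet, and the receiver keeps a sliding window of the numbers it has already accepted, so exact replays and stale packets are dropped while modestly reordered packets are still accepted. The window size, the (seq, payload) packet layout and the sample packet stream (Alice's one genuine payment, replayed twice by Sam) are constructed for the example; the bitmap scheme is the one IPsec uses for anti-replay.

```python
"""Anti-replay sliding window for a link encryptor receiver (added example).

Each packet carries a sequence number that is encrypted together with the
payload, so an attacker who replays ciphertext also replays the number.
The receiver tracks the highest number accepted and a bitmap of the
WINDOW most recent numbers; duplicates and too-old packets are dropped.
"""

WINDOW = 64  # assumption: track the 64 most recent sequence numbers


class ReplayWindow:
    def __init__(self, size: int = WINDOW) -> None:
        self.size = size
        self.highest = 0   # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0    # bit i set => sequence number (highest - i) was accepted

    def accept(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if replayed or too old."""
        if seq <= 0:
            return False  # 0 is reserved so a fresh receiver never accepts it
        if seq > self.highest:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1  # everything previously tracked falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False  # older than the window: treat as replay
        if self.bitmap & (1 << diff):
            return False  # already accepted: replay
        self.bitmap |= 1 << diff  # late but genuine (reordered) packet
        return True


def deliver(packets):
    """Run a packet stream of (seq, plaintext) through the window; return accepted plaintexts."""
    window = ReplayWindow()
    return [payload for seq, payload in packets if window.accept(seq)]


# Constructed stream: Alice's genuine payment (seq 7), Sam replays it twice,
# with an unrelated genuine packet (seq 8) in between.
SAMPLE_PACKETS = [
    (7, b"pay Chan Tai Man 1000"),
    (7, b"pay Chan Tai Man 1000"),  # replay
    (8, b"ack"),
    (7, b"pay Chan Tai Man 1000"),  # replay
]

if __name__ == "__main__":
    print(deliver(SAMPLE_PACKETS))  # only one payment and the ack survive
```

Bob's side pays once. The counter must never wrap while the same key is in use: when it approaches its maximum the encryptors must rekey, otherwise old packets become "fresh" again.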

19 Rewrite Attacks
 If an attacker knows (or can guess) the contents, he or she can modify the encrypted message so that it decrypts to something else, without knowing the key.
 For example, suppose the encrypted form of "pay 1000" is 89^&oiu. The attacker changes the o to an a, giving 89^&aiu, and the resulting plaintext is "pay 9000" (this assumes that 89^&aiu decrypts to 9000). With a stream cipher, flipping a bit of ciphertext flips exactly the same bit of plaintext, so such targeted changes are easy.

20 Example of Rewrite (figure omitted in this transcript)
 Here, the encrypted message is modified in transit at a switch.

21 How to resolve this? – rewrite
There are many methods. Below are some of them:
1. Avoid products that use stream (Vernam-style) modes, where an attacker can flip chosen plaintext bits; use a block cipher mode instead (crude rewrite attacks are still possible in block mode, since a change garbles a whole block rather than one bit); or
2. Insert a random number into each packet, include it in the packet checksum and encrypt the resulting packet; or
3. Use a message digest (see lecture 4), ideally a keyed one (a MAC), computed over the packet and checked by the receiver before the data is used; or
4. Use a digital signature to authenticate the source of the data (the message is signed).
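As an added example (not from the slides or the book), the following Python shows the rewrite attack of slide 19 and then the defence of item 3 above. The toy stream cipher (HMAC-SHA256 in counter mode, XORed with the data) is a stand-in for any Vernam-style cipher such as RC4: it is not RC4, but every XOR stream cipher is malleable in exactly this way. The keys, the nonce and the message "pay Chan Tai Man 1000" are constructed for the example. The defence is a keyed digest (HMAC) over the ciphertext, verified before decryption; an unkeyed digest would not do, because the attacker could recompute it. A modern encryptor would use an authenticated-encryption mode (for example AES-GCM), which builds the same check in.

```python
"""Rewrite (bit-flipping) attack on a stream cipher, and an HMAC check that
stops it.  Added example with a constructed toy cipher; not real RC4."""
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated to n bytes."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Vernam-style encryption: XOR with the keystream. Decryption is the same operation."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def rewrite(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Attacker's move: knowing that plaintext[offset:] starts with `known`,
    flip the ciphertext bits so that it decrypts to `wanted` instead.
    No key is needed: (m ^ ks) ^ known ^ wanted == wanted ^ ks when m == known."""
    patched = bytearray(ciphertext)
    for i, delta in enumerate(xor_bytes(known, wanted)):
        patched[offset + i] ^= delta
    return bytes(patched)


def protect(enc_key: bytes, mac_key: bytes, nonce: bytes, data: bytes):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = stream_encrypt(enc_key, nonce, data)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def unprotect(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Verify the tag in constant time before decrypting; return None on any change."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return stream_encrypt(enc_key, nonce, ct)


# Constructed demo values (not real product keys).
ENC_KEY = b"link-encryptor-demo-enc-key"
MAC_KEY = b"link-encryptor-demo-mac-key"
NONCE = b"\x00\x00\x00\x01"
MESSAGE = b"pay Chan Tai Man 1000"


def demo():
    """Return (what the receiver gets without a MAC, what it gets with one)."""
    offset = MESSAGE.index(b"1000")

    # Unauthenticated link: Sam turns 1000 into 9000 and Bob never notices.
    ct = stream_encrypt(ENC_KEY, NONCE, MESSAGE)
    forged = rewrite(ct, offset, b"1000", b"9000")
    unauthenticated = stream_encrypt(ENC_KEY, NONCE, forged)

    # Same attack against an encrypt-then-MAC link: the tag no longer matches.
    ct2, tag = protect(ENC_KEY, MAC_KEY, NONCE, MESSAGE)
    forged2 = rewrite(ct2, offset, b"1000", b"9000")
    authenticated = unprotect(ENC_KEY, MAC_KEY, NONCE, forged2, tag)

    return unauthenticated, authenticated


if __name__ == "__main__":
    print(demo())  # (b'pay Chan Tai Man 9000', None)
```

The attacker needs no key and never sees the plaintext; knowing the message format ("pay ... 1000") is enough. Note that the receiver rejects the forged packet outright rather than decrypting it first, which also closes the door on padding- and error-oracle tricks.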

22 Covert Signalling Attacks
 The attack is carried out by inserting a subverted program (spy software) into a host on the plaintext side of an encryptor.
 The program collects sensitive data and transmits it to a receiver outside the security boundary. The encryptor cannot tell this traffic from legitimate traffic, because it only sees plaintext it is asked to protect.

23 Example – subverted program (figure omitted in this transcript)

24 Deployment – point to point between sender and receiver
 This deployment uses a trusted line between a pair of hosts, with an in-line encryptor at each end.
 There is no need to connect to the Internet.
 For example, you can lease a line from Pacific Century CyberWorks (PCCW) between two computers (say, from Central to Kowloon Tong). Today the same arrangement is usually built as a VPN: a pair of encryptors communicating through the Internet.

25 Point to point – connection
 Each host's data link is connected to the plaintext port of its in-line encryptor, so everything on the line between the two encryptors is ciphertext. This arrangement is commonly used in military applications.

26 Point-to-point limitation
 It is restrictive: traffic can only flow between the two in-line encryptors (between two fixed points).
 You have no choice about what is encrypted: everything on the link is.

27 Deployment example: IP-routed
 Link encryption can also be applied to links carrying IP traffic (network layer, layer 3).
 This yields a flexible networking environment: any workstation on either network can use the protected link.
 For example, assume two networks connected by a pair of routers.
 Any workstation, server, etc. can reach the remote network through the leased line, which is protected by the pair of in-line encryptors placed between each router and the line.

28 IP-routed network diagram (any host within either network can reach the other side). This arrangement is more flexible. (figure omitted in this transcript)

29 Site protection – IP-routed
 As in the previous slide, the machines (servers and workstations) are within the physically protected boundary of each site.
 The in-line encryptors extend that protection across the link, which lies outside the sites' physical control (messages on it are encrypted).

30 Site protection – unsafe arrangement
 A workstation outside the physically protected boundary is unsafe, because its connection to the encryptor carries plaintext. (figure omitted in this transcript)

31 Key Recovery – obtaining the key
 The protection given by in-line encryptors lies entirely in the keys they use.
 Key recovery means that a third party can recover the keys used to encrypt the data, without the participants' involvement or notice.

32 Escrowed Encryption
 Escrowed encryption is a system or method in which the secret keys are stored so that they can be used for key recovery.
 That is, the secret keys are held in escrow by a separate organisation until an authorised party (in the US, an agency such as the FBI or CIA) accesses them.
 It has little commercial value, because a link's encryption only has to last for the duration of the transfer; it is used by governments to decrypt intercepted messages (for example, for anti-terrorism). (No need to memorise.)

33 Example – sequence (no need to memorise)
 The FBI first stores the intercepted ciphertext, then uses the family key (built into every encryptor the manufacturer produces) to read the recovery information sent with the ciphertext; this identifies the device and carries the session key encrypted under that device's own key.
 Each manufacturer has its own family key for its products.
 The FBI then approaches the escrow agency to obtain the device's key, identified by the device ID.
 With the device key the FBI recovers the session key and uses it to decrypt the ciphertext.

34 Example – picture (figure omitted in this transcript)

35 Summary
 Link security – between two parties, at layer 2.
 Link security objectives – extend the security coverage across an untrusted link.
 In-line encryptor – a pair of devices that encrypt and decrypt messages; hosts and applications need no configuration and do not encrypt documents themselves, the in-line encryptors do it transparently.
 Point to point – limited to a known location at each end; the IP-routed deployment extends it to whole networks.
 Key recovery – rare in business, and driven by U.S. government policy on escrowed encryption rather than by commercial demand.

36 This week: in-line encryptors (layer 2). Next week: IPSec (security at the IP layer, layer 3).