4-Jun-164/598N: Computer Networks Differentiated Services Problem with IntServ: scalability Idea: segregate packets into a small number of classes –e.g.,

Slides:



Advertisements
Similar presentations
Internet Protocol Security (IP Sec)
Advertisements

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.
Introduction to Cryptography
Guide to Network Defense and Countermeasures Second Edition
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
Chapter 29 Internet Security
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
1 CS 194: Distributed Systems Security Scott Shenker and Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.
Chapter 31 Network Security
INE1020: Introduction to Internet Engineering 6: Privacy and Security Issues1 Lecture 9: E-commerce & Business r E-Commerce r Security Issues m Secure.
CSE Computer Networks Prof. Aaron Striegel Department of Computer Science & Engineering University of Notre Dame Lecture 23 – April 6, 2010.
5-Sep-154/598N: Computer Networks Recap UDP: IP with port abstraction TCP: Reliable, in order, at most once semantics –Sliding Windows –Flow control: ensure.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
CSS432 Network Security Textbook Ch8
Network Security. Information secrecy-only specified parties know the information exchanged. Provided by criptography. Information integrity-the information.
Network Security. Cryptography Cryptography functions Secret key (e.g., DES) Public key (e.g., RSA) Message digest (e.g., MD5) Security services Privacy:
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
Chapter 37 Network Security. Aspects of Security data integrity – data received should be same as data sent data availability – data should be accessible.
Krerk Piromsopa. Network Security Krerk Piromsopa. Department of Computer Engineering. Chulalongkorn University.
©The McGraw-Hill Companies, Inc., 2000© Adapted for use at JMU by Mohamed Aboutabl, 2003Mohamed Aboutabl1 1 Chapter 29 Internet Security.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 Module 3 City College of San.
1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.
Karlstad University IP security Ge Zhang
Network Security David Lazăr.
IPsec IPsec (IP security) Security for transmission over IP networks –The Internet –Internal corporate IP networks –IP packets sent over public switched.
Network Security Understand principles of network security:
Chapter 8 – Network Security Two main topics Cryptographic algorithms and mechanisms Firewalls Chapter may be hard to understand if you don’t have some.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 Chapter 14 Network Security: Firewalls and VPNs.
Security Many secure IT systems are like a house with a locked front door but with a side window open -somebody.
IP Security: Security Across the Protocol Stack. IP Security There are some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS.
Chapter 32 Internet Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
TCP/IP Protocol Suite 1 Chapter 30 Security Credit: most slides from Forouzan, TCP/IP protocol suit.
Virtual Private Network. ATHENA Main Function of VPN  Privacy  Authenticating  Data Integrity  Antireplay.
IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.
IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.
CS 6401 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Group 9 Chapter 8.3 – 8.6. Public Key Algorithms  Symmetric Key Algorithms face an inherent problem  Keys must be distributed to all parties but kept.
1 Some Backgrounds on Network Security Rocky K. C. Chang 12 February 2003.
ClientServer ClientID, E(x, CHK) E(x+1, SHK), E(y, SHK) E(y+1, CHK) E(SK, SHK) Three-way handshake Authentication Protocols CHK, SHK are keys known by.
EE 122: Lecture 24 (Security) Ion Stoica December 4, 2001.
Lect 8 Tahani al jehain. Types of attack Remote code execution: occurs when an attacker exploits a software and runs a program that the user does not.
Securing Access to Data Using IPsec Josh Jones Cosc352.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
IPSec Detailed Description and VPN
Security Outline Encryption Algorithms Authentication Protocols
Security Outline Encryption Algorithms Authentication Protocols
Advanced Computer Networks
Chapter 18 IP Security  IP Security (IPSec)
UNIT.4 IP Security.
Message Digest Cryptographic checksum One-way function Relevance
Security Outline Homework 1, selected solutions Encryption Algorithms
Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls
Taxonomy of real time applications
Public-Key, Digital Signatures, Management, Security
Advanced Computer Networks
Presentation transcript:

4-Jun-164/598N: Computer Networks Differentiated Services Problem with IntServ: scalability Idea: segregate packets into a small number of classes –e.g., premium vs best-effort Packets marked according to class at edge of network Core routers implement some per-hop-behavior (PHB) Example: Expedited Forwarding (EF) –rate-limit EF packets at the edges –PHB implemented with class-based priority queues or Weighted Fair Queue (WFQ)

4-Jun-164/598N: Computer Networks DiffServ (cont) Assured Forwarding (AF) –customers sign service agreements with ISPs –edge routers mark packets as being “in” or “out” of profile –core routers run RIO: RED with in/out

4-Jun-164/598N: Computer Networks livestream.htmlhttp:// livestream.html

4-Jun-164/598N: Computer Networks Chapter 8: Security Outline –Encryption Algorithms –Authentication Protocols –Message Integrity Protocols –Key Distribution –Firewalls

4-Jun-164/598N: Computer Networks Overview Cryptography functions –Secret key (e.g., DES) –Public key (e.g., RSA) –Message digest (e.g., MD5) Security services –Privacy: preventing unauthorized release of information –Authentication: verifying identity of the remote participant –Integrity: making sure message has not been altered

4-Jun-164/598N: Computer Networks Secret Key (DES)

4-Jun-164/598N: Computer Networks Each Round + F L i─ 1 R i─ 1 R i K i L i 64-bit key (56-bits + 8-bit parity) 16 rounds

4-Jun-164/598N: Computer Networks Repeat for larger messages

4-Jun-164/598N: Computer Networks Public Key (RSA) Encryption & Decryption c = m e mod n m = c d mod n

4-Jun-164/598N: Computer Networks RSA (cont) Choose two large prime numbers p and q (each 256 bits) Multiply p and q together to get n Choose the encryption key e, such that e and (p - 1) x (q - 1) are relatively prime. Two numbers are relatively prime if they have no common factor greater than one Compute decryption key d such that –d = e-1mod ((p - 1) x (q - 1)) Construct public key as (e, n) Construct public key as (d, n) Discard (do not disclose) original primes p and q

4-Jun-164/598N: Computer Networks Message Digest Cryptographic checksum –just as a regular checksum protects the receiver from accidental changes to the message, a cryptographic checksum protects the receiver from malicious changes to the message. One-way function –given a cryptographic checksum for a message, it is virtually impossible to figure out what message produced that checksum; it is not computationally feasible to find two messages that hash to the same cryptographic checksum. Relevance –if you are given a checksum for a message and you are able to compute exactly the same checksum for that message, then it is highly likely this message produced the checksum you were given.

4-Jun-164/598N: Computer Networks IP Security Payload is in the clear text - anyone in the middle can see it No way of knowing who the sender is - just trust the header No way of knowing if the data was modified - checks protect against network errors, not malicious attacks Solution: Virtual Private Network (VPN) –Make node appear in the same network as say a company, while actually outside the network –IPSEC is a secure VPN technology

4-Jun-164/598N: Computer Networks IPSEC Authentication - Know the sender Encryption - Cannot eves drop Operates in host-to-host or host-to-network or network-to-network modes With Two Major modes –Tunnel –Transport AH (Authentication Header) ESP (Encapsulating Security Protocol) AH + ESP

4-Jun-164/598N: Computer Networks Exchanging Keys Exchange keys between client and server –Manual Keying –Internet Security Association and Key Management Protocol (ISAKMP) –Certificates IPSEC: –Works for all IP datagrams (UDP, TCP, RTSP, etc.) –Complicated to setup and not interoperable (yet) Application level: –SSL, SSH tunnels

4-Jun-164/598N: Computer Networks ClientServer ClientId, E (, CHK) E( y +, CHK) E(SK, SHK) Y Authentication Protocols Three-way handshake

4-Jun-164/598N: Computer Networks Trusted third party (Kerberos)

4-Jun-164/598N: Computer Networks AB E ( x, Public B ) x Public key authentication

4-Jun-164/598N: Computer Networks Message Integrity Protocols Digital signature using RSA –special case of a message integrity where the code can only have been generated by one participant –compute signature with private key and verify with public key Keyed MD5 –sender: m + MD5(m + k) + E(k, private) –receiver recovers random key using the sender’s public key applies MD5 to the concatenation of this random key message MD5 with RSA signature –sender: m + E(MD5(m), private) –receiver decrypts signature with sender’s public key compares result with MD5 checksum sent with message

4-Jun-164/598N: Computer Networks Message Integrity Protocols Digital signature using RSA –special case of a message integrity where the code can only have been generated by one participant –compute signature with private key and verify with public key Keyed MD5 –sender: m + MD5(m + k) + E(E(k, rcv-pub), private) –receiver recovers random key using the sender’s public key applies MD5 to the concatenation of this random key message MD5 with RSA signature –sender: m + E(MD5(m), private) –receiver decrypts signature with sender’s public key compares result with MD5 checksum sent with message

4-Jun-164/598N: Computer Networks Key Distribution Certificate –special type of digitally signed document: “I certify that the public key in this document belongs to the entity named in this document, signed X.” –the name of the entity being certified –the public key of the entity –the name of the certified authority –a digital signature Certified Authority (CA) –administrative entity that issues certificates –useful only to someone that already holds the CA’s public key.

4-Jun-164/598N: Computer Networks Key Distribution (cont) Chain of Trust –if X certifies that a certain public key belongs to Y, and Y certifies that another public key belongs to Z, then there exists a chain of certificates from X to Z –someone that wants to verify Z’s public key has to know X’s public key and follow the chain Certificate Revocation List

4-Jun-164/598N: Computer Networks Firewalls Filter-Based Solution –example ( , 1234, , 80 ) (*,*, , 80 ) –default: forward or not forward? –how dynamic? –stateful

4-Jun-164/598N: Computer Networks Proxy-Based Firewalls Problem: complex policy Example: web server Solution: proxy Design: transparent vs. classical Limitations: attacks from within

4-Jun-164/598N: Computer Networks Denial of Service Attacks on end hosts –SYN attack Attacks on routers –Christmas tree packets –pollute route cache Authentication attacks Distributed DoS attacks

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.