Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer and Network Security

Published byCora Harrington Modified over 6 years ago

Similar presentations

Presentation on theme: "Computer and Network Security"— Presentation transcript:

1 Computer and Network Security
CSEN 1001 Computer and Network Security Amr El Mougy Alaa Gohar Heba Anwar **Slides are attributed to William Stallings

2 Lecture (10) Internet Security

3 Internet Security Protocols and Standards
Secure Sockets Layer (SSL) / Transport Layer Security (TLS) IPv4 and IPv6 Security

4 Secure Sockets Layer (SSL)
Transport layer security service originally developed by Netscape version 3 designed with public input Subsequently became Internet standard RFC2246: Transport Layer Security (TLS) Use TCP to provide a reliable end-to-end service May be provided in underlying protocol suite Or embedded in specific packages

5 Secure Sockets Layer (SSL)
SSL identifies two main concepts: Session: an association between client and server that defines security parameters. Created by the Handshake Protocol Connection: A transport within a session supporting particular services. Every connection is associated with one session Handshake Protocol Change Cipher Spec Protocol Alert Protocol HTTP SSL Record Protocol TCP A client and a server may have more than one connections within a session They may also have several sessions but this is not common

6 SSL Record Protocol Services
Message integrity using a MAC with shared secret key Confidentiality using symmetric encryption with a shared secret key defined by Handshake Protocol AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128 message is compressed before encryption

7 Record Protocol Operation

8 SSL Handshake Protocol
Allows server & client to: authenticate each other to negotiate encryption & MAC algorithms to negotiate cryptographic keys to be used Comprises a series of messages in phases Establish Security Capabilities Server Authentication and Key Exchange Client Authentication and Key Exchange Finish

9 SSL Handshake Protocol

10 Change Cipher Spec Protocol
One of 3 SSL specific protocols which use the SSL Record protocol A single message Causes pending state to become current Hence updating the cipher suite in use

11 SSL Alert Protocol Conveys SSL-related alerts to peer entity Severity
warning or fatal Specific alert fatal: unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown Compressed & encrypted like all SSL data

12 HTTPS HTTP over SSL or TLS Uses port 443 instead of port 80
When HTTPS is used, the following are encrypted: URL of requested object Contents of object Contents of browser forms (filled in by user) Cookies HTTP header The client initiates the SSL/TLS session and connection Once the handshake is complete, the HTTP request can be sent Multiple TCP connections can be established in one session

13 IPSec Scheduled to be integral component of IPv6, optional in IPv4
Supports strong authentication and encryption at layer 3 Bi-directional tunnel Packet filtering is primary access control method Requires Public Key Infrastructure (PKI)

14 IPSec Uses

15 IPSec Functionality Functionality
AH (Authentication Header): integrity and authenticity ESP (Encrypted Security Payload): confidentiality, optional authentication & integrity Security Association (for each pair of hosts): determined by destination IP address and the SPI (Security Parameters Index) Specification of the crypto methods to be used by SPI Keys to be used by the crypto methods for that SPI The hosts and other entities associated with this traffic Key Management Manual Keying (required) Key Management Protocols (in flux)

16 IPSec Modes Transport Mode: Tunnel mode:
Provides protection to the payload of the packet (everything that comes after the IP header). Thus, headers are not encrypted Typically used for end-to-end communications between hosts Tunnel mode: Provides protection to the whole packet After AH or ESP headers are added, the entire packet plus the new headers are encrypted New outer IP header is then added Routers in the middle do not read the internal headers Used when one or both ends of the security association is a gateway, not a host

17

18 Security Policy (SP) and Security Association (SA)
SA is a one-way relationship between sender & receiver that affords security for traffic flow Defined by 3 parameters: Security Parameters Index (SPI) IP Destination Address Security Protocol Identifier Has a number of other parameters seq no, AH & EH info, lifetime etc. SP determines how traffic in an SA is handled

19 IP Traffic Processing IPSec Architecture Inbound Packets
Outbound Packets Inbound Packets

20 Authentication Header
Provides data integrity and authentication Prevents source address spoofing Based on MAC Scope covers payload and parts of the IP header

21 Encapsulating Security Payload Header
Provides confidentiality and optional integrity Based on symmetric encryption techniques (AES) Scope depends on transport or tunnel modes

22 Combining Security Associations

23 Whatsapp End-to-End Encryption
Link encryption: data is visible to the server End-to-end encryption: data is encrypted in the server

24 Whatsapp End-to-End Encryption
New encryption system supports regular and group chats, images, videos, voice messages, files, and voice calls At the center of this system is the new “Signal Protocol” developed by Open Whisper Systems Even if a user’s key is physically compromised from a device, an attacker cannot decrypt previously encrypted messages

25 The Signal Protocol: Keys
Each user has three types of public keys: Long-term identity key generated at installation Medium-term key generated at installation and rotated periodically. The medium-term key is signed by the identity key One-time key: generated as needed In addition, there are three types of session keys: Root key: 32-byte value used to create chain keys Chain key: 32-byte value used to create message keys Message key: 80-byte value used to encrypt messages. Out of these 80 bytes, 32 are used for AES 256, another 32 are used for HMAC-SHA256, and 16 bytes IV

26 The Signal Protocol: Operation
At registration time, the client sends the public identity key, public medium-term key (signed by the private identity key) , and a set of one-time keys The private keys are never sent To chat with someone you need to establish a session (any open whatsapp chat is a session) A session does not need to be re-established unless the app is re-installed

27 The Signal Protocol: Operation
To establish a session, the initiator requests the public keys of the recipient from the server (identity key, signed medium term key, and one of the stored one-time keys) Once the server returns those keys, the initiator generates a new key and uses its own identity key in addition to the recipient’s public keys to calculate a master secret. The master secret is then used to create a root key and a chain key (using an algorithm similar to Diffie Hellman)

28 The Signal Protocol: Operation
Now, the initiator can start sending messages to the recipient, even if he/she is offline To establish the session at the receiving end, the initiator inserts all values necessary for the receiver to calculate the root and chain keys in the header of all messages The receiver uses this information together with its own private keys to calculate the master secret The master secret is used as input to the key-derivation function to calculate the root and chain keys

29 The Signal Protocol: Operation
Each message is encrypted with a message key that includes AES256 encryption and HMAC-SHA256 for integrity and authentication Each time a new message needs to be sent, a new message key is derived from the chain key The message key cannot be derived from the message The chain key is also rotated every time a message is sent

30 The Signal Protocol: Special Functions
To transmit media, the sender first saves it in an encrypted cloud store The sender then sends an encrypted pointer to the receiver to download the media Group messages in whatsapp are disseminated using server-side fan out (message is copied N times) Pairwise sessions are created between all members of the group Each of these session has a different chain key used to create message keys Thus, the sender encrypts the message N times (one for each member) and the server sends them Calls are established using encrypted RTP

Download ppt "Computer and Network Security"

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
Cryptography and Network Security Chapter 16

Cryptography and Network Security Chapter 16
Web security: SSL and TLS

Web security: SSL and TLS
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Lecture 6: Web security: SSL

Lecture 6: Web security: SSL
Cryptography and Network Security

Cryptography and Network Security
Secure Socket Layer.

Secure Socket Layer.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 22: Internet Security Protocols and.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 22: Internet Security Protocols and.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.

Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17
CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.

CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.
1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Lecture 22 Internet Security Protocols and Standards modified from slides of Lawrie Brown.

Lecture 22 Internet Security Protocols and Standards modified from slides of Lawrie Brown.
Chapter 8 Web Security.

Chapter 8 Web Security.
Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.

Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)

Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

Similar presentations

Ads by Google