Security Engineering and PKI Applications in Modern Enterprises (Mohamed HAMDI, National Digital Certification Agency, 6/4/2015)


1 Security Engineering and PKI Applications in Modern Enterprises
Mohamed HAMDI (mmh@certification.tn)
National Digital Certification Agency, 6/4/2015

2 PLAN
• Building a secure infrastructure
• Managing trust
• General guidelines
• Building Incident Response Teams (IRTs)

3 Building a Secure Infrastructure

4 Basic security requirements

| Security Requirement | Definition |
| --- | --- |
| Authentication | Guarantees that a person or system is exactly who or what they claim to be. |
| Availability | Protects against loss of system operation as a result of malicious code, request flooding and penetration attempts. |
| Data Integrity | Protects against unauthorized changes in data, whether they are intentional or accidental. |
| Confidentiality | Protects against the disclosure of information to unauthorized users. Encryption is typically used to assure confidentiality when information is transmitted over networks. |
| Non-Repudiation | Protects against a person denying later that a communication or transaction took place as recorded. |
| Access Control | Provides access to authorized users while denying access to unauthorized users. |
| Auditing | Monitors intentional or unintentional misuse of security features. |

5 Organizational Issues (1)
• Computer security should be integrated in the management process
  1. Security responsibilities and roles should be clearly defined (security division, security officer, etc.)
  2. Security programs should be built
  3. Security should be periodically reassessed

6 Organizational Issues (2)
• Computer security should be cost-effective
  1. Security decisions should involve a mix of personnel (technical, administrative)
  2. Security programs should aim at protecting the most sensitive assets against the most frequent attacks by making the least expensive decisions
  3. Concessions should be made, as zero-risk situations are not reachable

7 Human Resources
• System users should
  – be aware of the importance of security
  – apply security practices
  – react appropriately to security incidents
• An awareness promotion program has to be developed

8 Awareness Promotion Program (APP)
• The APP should
  – apply to all users
  – be suitable to users' roles and scientific background
  – be continuous (follow technology progress)
• Key issues include
  – password protection
  – social engineering recognition
  – incident notification and reaction

9 Hardware and Software Equipment
• The most common security solutions are:
  – Routers
  – Firewalls
  – Intrusion Detection Systems
  – Virtual Private Network (VPN) gateways

10 Routers
• Designed to transmit packets between networks according to IP addresses
• May include Access Control Lists (ACLs)

11 Firewalls
• A gateway between two networks having different security levels
  – All traffic must pass through the firewall
  – The firewall must allow only authorized traffic to pass
  – The firewall is supposed to be immune to penetration and compromise

12 Firewalls: types
• Packet filters
  – Operate at the network level of the OSI model
  – Static packet filtering / stateful inspection
• Proxies
  – Act at the application level
  – Provide services for specific protocols

13 IDSs
• Intrusion detection: detecting unauthorized, inappropriate or anomalous activity
• Classification I
  – Host-based IDSs
  – Network-based IDSs
• Classification II
  – Signature-based IDSs
  – Anomaly-based IDSs

14 IDS reactivity
• An IDS can have different reactions
  – Generating alarms
  – Blocking ports
  – Blocking connections
  – Responding to malicious actions

15 VPN Gateways
• Allow the establishment of encrypted tunnels between networks and sub-networks
• Can be implemented inside firewalls and routers

16 Security Documents (1)
1. Security strategy
  • Technology-independent
  • Applicable to all assets
  • Long lifetime
  • Strict update policy
2. Security policy
  • Implementation of security rules according to a given technology
  • Three constraints: standards conformance, feasibility, implementation cost

17 Security Documents (2)
3. Security practices
  • Simple rules that have to be followed by users during their interaction with the system
  • Apply to humans
  • Frequently updated

18 Managing Trust

19 Managing Trust (1)
• Basic implementations of security mechanisms do not fulfill security policy requirements
• Authentication is often based on
  – IP addresses
  – E-mail addresses
  – Passwords and personal data

20 Managing trust (2)
[Diagram labels: Malicious User; Normal User; Masquerade opportunity; Less confidence in the system]

21 Asymmetric cryptosystem
• Based on key pairs (public key, private key)
  – What is encrypted by the private key is decrypted by the public key
  – Multiple copies of a public key can exist
  – Only one copy of the private key exists (held by its user)
• Guarantees authentication, non-repudiation, confidentiality and integrity

22 Authentication, non-repudiation, integrity (1)
[Diagram labels: Message; Hash Process; Digest; Sender's Private Key; Digital Signature; Digitally Signed Message]

23 Authentication, non-repudiation, integrity (2)
[Diagram labels: Digitally Signed Message; Message; Digest; Digital Signature; Sender's Public Key; Digest]
Digests are equal (=) ⇒ Authentication, non-repudiation, integrity

24 Authentication, non-repudiation, integrity (2)
[Diagram labels: Digitally Signed Message; Message; Digest; Digital Signature; Sender's Public Key; Digest]
Digests do not match ⇒ At least one requirement has been violated

25 Confidentiality
[Diagram labels: Sender; Receiver; Digitally Signed Message; Recipient's Public Key; Encrypted Message; Recipient's Private Key; Digitally Signed Message]

26 Asymmetric cryptosystems: Are they sufficient?
• A digital signature can be used to verify that a message was delivered unaltered and to verify the identity of the sender through the public key
• A proof of possession of key materials is needed

27 Public Key Infrastructure (PKI)
[Diagram: parties A, B and C]
• B does not trust A
• A trusts C, B trusts C

28 Public Key Infrastructure (PKI)
[Diagram: parties A, B and C]
• C is a trusted third party ⇒ B can trust A if C guarantees his identity

29 Certification Authority (CA)
• A trusted third party that delivers digital certificates
[Diagram: parties A, B and C]

30 Digital Certificates
• User information (e-mail, URL, IP address), City, Country, etc.
• CA information
• User public key
• CA signature

31 Accessing Public Keys
[Diagram labels: Directory Server; A; B; A's certificate; A's public key; Encrypted Message; A's private key]

32 Verifying certificates
[Diagram labels: Directory Server; A; B; Certificate Revocation List; B's private key; Signed Message; B's public key]
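
The sign-and-compare-digests flow of slides 22 to 24 and the certificate and revocation checks of slides 29 to 32, put together as an added example that is not part of the original presentation. It assumes textbook RSA without padding as a stand-in for a real signature scheme, a JSON certificate layout, and constructed keys, names and messages.

```python
import hashlib
import json

E = 65537  # public exponent used for every key in this example

def make_key(p, q):
    """Textbook RSA key pair from two primes: ((n, e), (n, d))."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):
    n, d = private
    return pow(digest(data), d, n)  # slide 22: hash, then private-key operation

def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == digest(data)  # slides 23-24: compare digests

def tbs(cert):
    """Bytes the CA signs: every certificate field except the signature."""
    body = {k: v for k, v in cert.items() if k != "ca_signature"}
    return json.dumps(body, sort_keys=True).encode()

def issue(ca_private, serial, subject, subject_public):
    cert = {"serial": serial, "subject": subject, "issuer": "Example CA",
            "public_key": list(subject_public)}
    cert["ca_signature"] = sign(ca_private, tbs(cert))
    return cert

def check_message(cert, ca_public, crl, message, signature):
    """Relying-party checks from slide 32: CA signature, CRL, then message."""
    if not verify(ca_public, tbs(cert), cert["ca_signature"]):
        return "bad certificate signature"
    if cert["serial"] in crl:
        return "certificate revoked"
    if not verify(tuple(cert["public_key"]), message, signature):
        return "bad message signature"
    return "ok"

# Constructed keys from Mersenne primes (illustration only, not real key material).
CA_PUB, CA_PRIV = make_key(2**521 - 1, 2**607 - 1)
B_PUB, B_PRIV = make_key(2**127 - 1, 2**1279 - 1)
CERT_B = issue(CA_PRIV, 1001, "b@example.test", B_PUB)
MESSAGE = b"constructed sample message from B"
SIGNATURE = sign(B_PRIV, MESSAGE)
print(check_message(CERT_B, CA_PUB, set(), MESSAGE, SIGNATURE))
```

The order of the checks matters: the public key inside the certificate is only used after the CA signature and the revocation list have both been checked.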

