Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.


1 Lecture III : Communication Security, Services & Mechanisms
Internet Security: Principles & Practices
John K. Zao, PhD SMIEEE
National Chiao-Tung University
Fall 2005

2 What is Communication Security?
Internet Security - ComSec Services & Mechanisms
To provide safe communication over an unsafe medium (Alice, Bob, Eve)
 Safe Communication
   Alice can send a message to Bob that only Bob can understand  Confidentiality
   Nobody can tamper with message content during communication  Integrity
   Bob can know for sure it was Alice who sent the message  Authentication
 Unsafe Medium
   Medium over which passive and active attacks are possible

3 Outline
 What types of services do we need to protect communication?
 What kinds of mechanisms do we use to protect communication?

4 ISO 7498-2 : Security Framework Architecture
 Security Services
   Service Types
   Service Layer Mapping
 Security Mechanisms
   Mechanism Definition
   Service - Mechanism Mapping

5 Communication Security Services
 Confidentiality
   Data Confidentiality
   Traffic Confidentiality
 Data Integrity
 Authentication
   Data Origin Authentication
   Peer Authentication
 Access Control
 Non-Repudiation
   Non-Repudiation of Origin
   Non-Repudiation of Reception
 Audit
 Availability – an after-thought but increasingly important
Note: all services are defined here in the context of Communication Security
Primary Services

6 Confidentiality
Protection of information from disclosure to unauthorized entities (organizations, people, machines, processes). Information includes data contents, size, existence, communication characteristics, etc.
Service Types
 Data Confidentiality / Disclosure Protection
   Connection Oriented
   Connectionless
   Selective Field
 Traffic Flow Confidentiality
   Origin Destination Association
   Message Size
   Transmission Patterns
 Accompanied with Data Integrity
Protection Mechanisms
 Data Encryption
   Symmetric (Secret-Key)
   Asymmetric (Public-Key)

7 Integrity
Protection of data against creation, alteration, deletion, duplication, re-ordering by unauthorized entities (organizations, people, machines, processes). Integrity violation is always caused by active attacks.
Service Types
 Message Integrity
   Associated with connectionless communication
 Message Stream Integrity
   Associated with connection oriented communication
Protection Mechanisms
 Message Digests (Hashing)
 Sequence Numbers
 Nonce ID (Random Number)
 Time Stamps
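As an added example (not part of the lecture), the following Go code builds message stream integrity from two of the mechanisms listed above, a keyed message digest (HMAC-SHA256) and a sequence number, so that the receiver rejects altered, forged, duplicated, deleted or re-ordered messages. The shared key, the Record layout and the function names are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Record is one message of a stream (added example, not lecture code). The tag
// covers seq and body together, so neither can be altered or re-paired undetected.
type Record struct {
	Seq  uint64
	Body []byte
	Tag  []byte
}

// tag is the keyed message digest (HMAC-SHA256) over seq || body.
func tag(key []byte, seq uint64, body []byte) []byte {
	mac := hmac.New(sha256.New, key)
	binary.Write(mac, binary.BigEndian, seq)
	mac.Write(body)
	return mac.Sum(nil)
}

// Send is the originator's side: attach the sequence number and its digest.
func Send(key []byte, seq uint64, body []byte) Record {
	return Record{Seq: seq, Body: body, Tag: tag(key, seq, body)}
}

// Receiver keeps the next expected sequence number for the connection.
type Receiver struct {
	Key     []byte
	NextSeq uint64
}

// Accept returns nil for an authentic, in-order record and otherwise an
// error naming the violation. hmac.Equal compares in constant time.
func (rx *Receiver) Accept(r Record) error {
	if !hmac.Equal(r.Tag, tag(rx.Key, r.Seq, r.Body)) {
		return fmt.Errorf("seq %d: digest mismatch (altered or forged)", r.Seq)
	}
	if r.Seq < rx.NextSeq {
		return fmt.Errorf("seq %d: duplicate or replay, expected %d", r.Seq, rx.NextSeq)
	}
	if r.Seq > rx.NextSeq {
		return fmt.Errorf("seq %d: gap (deleted or re-ordered), expected %d", r.Seq, rx.NextSeq)
	}
	rx.NextSeq++
	return nil
}
```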

8 Authentication
Communicating entities are provided with assurance & information of relevant identities of communicating partners (people, machines, processes). Personnel Authentication requires special attention.
Service Types
 Data Origin Authentication
   Associated with Connectionless Communication
 Peer Entity Authentication
   Associated with Connection Oriented Communication
 Fundamental for access control, hence for confidentiality & integrity
Protection Mechanisms
 Password
   Manual
   One-Time Password
 Key Sharing
   Manual
   Symmetric Key (Tickets)
   Asymmetric Key (Certificates)
 Challenge – Response
   Nonce Based
   Zero Knowledge Proof

9 Access Control
Protection of information resources or services from access or use by unauthorized entities (organizations, people, machines, processes).
 Privileges – rights to access or use resources or services
 Principals – entities that own access control privileges
 Subjects – entities that exercise access control privileges
 Objects / Targets – resources or services accessed/used by subjects
 Delegation – transfer of access control privileges among principals
 Authorization – transfer of access control privileges from principals to subjects
Service Types
 Subject Based Typing
   Identity Based
   Role Based
 Enforcement Based Typing
   Mandatory Access Control ― Management Directed
   Discretionary Access Control ― Resource Owner Directed
Protection Mechanisms
 Access Control Lists (ACLs)
   Object Based Specification, e.g. UNIX File System
 Capabilities
   Subject Based Specification
   Issued as Tickets/Certificates

10 Non-Repudiation
Protection against denial of participation by communicating entities in all or part of a communication.
Service Types
 Non-Repudiation of Origin
 Non-Repudiation of Reception
Protection Mechanisms
 Notarization
 Time Stamp
 Digital Signature

11 Audit
Recording & analysis of participation, roles and actions in information communication by relevant entities.
Service Types
 Off-line Analysis (Computer Forensics)
 On-line Analysis (Real-time Intrusion Detection)
Protection Mechanisms
 “Syslog”
 Intrusion Monitors / Sensors
 Common Intrusion Detection Framework (CIDF)
 Common Information Model (CIM)

12 Layers of Protocol Protection
Security protection is provided in multiple protocol layers.

13 Service vs. Layer Mapping

14 ISO 7498-2 : Security Architecture
 Security Services
   Service Types
   Service Layer Mapping
 Security Mechanisms
   Mechanism Definition
   Service - Mechanism Mapping

15 Security Mechanisms
 Encipherment – with Secret / Public Key Cryptography
 Data Integrity – with One-Way Hash Function
 Authentication – with Public-Key Challenge/Response
 Access Control
 Digital Signature – with Public-Key Cryptography
 Traffic Padding
 Notarization

16 Symmetric / Secret Key Encipherment
Algorithms use the same key for encryption & decryption:
 Symmetric / Secret Key must be dispatched in secret
 Used for bulk encryption / decryption
Also used in the following security services:
 Authentication
[Figure: Random Number Generator → Symmetric Key; Clear Text → Encryption Engine (Symmetric Key) → Cipher Text → Decryption Engine (Symmetric Key) → Clear Text]

17 Asymmetric / Public Key Encipherment
Algorithms use different keys for encryption & decryption
 Public Key is disclosed but Private Key is kept secret
 Computationally intensive – based on large prime numbers
Also used in the following security services:
 Digital Signatures
 Authentication
 Key Exchange
[Figure: Clear Text → Encryption Engine (Public Key) → Cipher Text → Decryption Engine (Private Key) → Clear Text]

18 Data Encryption & Key Distribution
[Figure: Random Number Generator → Symmetric Key; Clear Text → Encryption Engine (Symmetric Key) → Cipher Text → Decryption Engine (Symmetric Key) → Clear Text; the Symmetric Key itself is distributed via Encryption Engine (Public Key) → Decryption Engine (Private Key)]
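The key-distribution diagram above, carried out with Go's standard library as an added example (not from the lecture): the symmetric key for bulk encryption comes from the random number generator and travels wrapped under the recipient's public key. AES-256-GCM and RSA-OAEP are this example's choices of symmetric and public-key ciphers, and the Envelope type and function names are its own; the lecture names none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)

// Envelope is what crosses the unsafe medium (added example, not lecture code).
type Envelope struct {
	WrappedKey []byte // symmetric key encrypted with Bob's public key
	Nonce      []byte // fresh per message, from the random number generator
	CipherText []byte // bulk data encrypted and integrity-tagged under the symmetric key
}

// Seal is Alice's side: draw a fresh symmetric key from the RNG, encrypt the
// bulk data with it (AES-256-GCM), then wrap the key with Bob's public key (RSA-OAEP).
func Seal(pub *rsa.PublicKey, clear []byte) (Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return Envelope{}, err
	}
	block, _ := aes.NewCipher(key) // key length is fixed above, so no error
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{wrapped, nonce, gcm.Seal(nil, nonce, clear, nil)}, nil
}

// Open is Bob's side: recover the symmetric key with his private key, then
// decrypt. GCM's tag makes any tampering with CipherText fail here.
func Open(priv *rsa.PrivateKey, e Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, e.Nonce, e.CipherText, nil)
}
```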

19 Message Digest or Hash
Message Originator
 Computes a fixed-length message digest from the message using a one-way hash transformation
Message Recipient
 Validates message integrity by computing the message hash and comparing it with the message digest
[Figure: Message → MD5 → Digest]

20 Challenge-Response Authentication
 Challenger sends a random-number challenge to the Responder
 Responder creates a response by digitally signing the challenge with its private key and returns the response to the Challenger
 Challenger processes the response with the public key of the legitimate Responder and compares the result with the original challenge
[Figure: Random Number Generator → Challenge → Decryption Engine (Private Key) → Response → Encryption Engine (Public Key) → Challenge (Recovered) = Same?]

21 Digital Signature
Signature is the public-key encrypted hash of a document and its relevant parameters
[Figure: Message → MD5 Hash → Decryption Engine (Private Key) → Digital Signature; Signed Document = Message + Digital Signature]

22 Digital Signature Validation
Message recipients can validate the signature by “encrypting it” with the public key and comparing the result with the document’s hash value
[Figure: Signed Document → Message → MD5 Hash; Digital Signature → Encryption Engine (Public Key); = Valid?]
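Added example (not the lecture's code) covering the challenge-response, digital signature and signature validation slides: the document (or the challenge) is hashed, the hash is signed with the private key, and the public key of the legitimate party validates it. SHA-256 and RSA PKCS#1 v1.5 stand in here for the slides' MD5 and generic public-key "encryption" of the hash; the function names are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)

// Sign hashes the document and signs the hash with the signer's private key
// (added example: RSA PKCS#1 v1.5 with SHA-256 in place of the lecture's MD5).
func Sign(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// Validate recomputes the document's hash and checks it against the signature
// with the public key; any change to doc or sig makes this return false.
func Validate(pub *rsa.PublicKey, doc, sig []byte) bool {
	h := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// NewChallenge is the challenger's random number; drawn fresh each time so an
// old response cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, c)
	return c, err
}

// Respond is the responder's side: sign the challenge with its private key.
func Respond(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	return Sign(priv, challenge)
}

// CheckResponse is the challenger's side: validate the response against the
// challenge it issued, using the public key of the legitimate responder.
func CheckResponse(legitimate *rsa.PublicKey, challenge, response []byte) bool {
	return Validate(legitimate, challenge, response)
}
```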

23 Service – Mechanism Mapping
Service: Data Confidentiality
 Mechanism [1]: Encipherment
   Symmetric (Secret-Key) Cipher
   Asymmetric (Public-Key) Cipher
 Mechanism [2]: Integrity
   Message Digest / Digital Hash
 Mechanism [3]: Key Management
   Key Distribution Centers (Secret-Key)
   Public Key Infrastructure (Public-Key)
   Manual Keying
Service: Peer Authentication
 Mechanism [1]: Challenge + Response
   Nonce (Random Number) Based
   Zero-Knowledge Proof
 Mechanism [2]: Integrity
   Message Digest / Digital Hash
A single security service may need to be implemented by multiple, different security mechanisms.

