Presentation is loading. Please wait.

Presentation is loading. Please wait.

8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.

Similar presentations


Presentation on theme: "8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine."— Presentation transcript:

1 8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine what hosts have addresses on network m Port-scanning: try to establish TCP connection (e.g. socket programming) to each port in sequence (see what happens) m nmap (http://www.insecure.org/nmap/) mapper: “network exploration and security auditing” Mapping: countermeasures m record traffic entering network m look for suspicious activity (IP addresses, ports being scanned sequentially)

2 8-2 Internet security threats Packet sniffing: m broadcast media m promiscuous network interface card reads all packets passing by m can read all unencrypted data (e.g. passwords) m e.g.: C sniffs B’s packets A B C src:B dest:A payload Packet sniffing: countermeasures m all hosts in organization run software that checks periodically if host interface in promiscuous mode. m encrypt all data.

3 8-3 Internet security threats IP Spoofing: m can generate “raw” IP packets directly from application, putting any value into IP source address field m receiver can’t tell if source is spoofed m e.g.: C pretends to be B A B C src:B dest:A payload IP Spoofing: ingress filtering m routers should not forward outgoing packets with invalid source addresses (= ingress filtering), e.g. datagram source address not in router’s network. m great, but ingress filtering can not be mandated for all networks

4 8-4 Denial of service (DOS): m flood of maliciously generated packets “swamp” receiver (e.g. TCP SYN-attack, incomplete IP datagram) m Distributed DOS (DDOS): multiple coordinated sources swamp receiver: e.g., C and remote host TCP SYN- attack A A B C SYN Denial of service (DOS): countermeasures m Difficult to filter bad from good packets because of IP spoofing m filter out flooded packets (e.g., TCP SYN) before reaching host: throw out good with bad m traceback to source of floods (most likely an innocent, compromised machine), current research

5 8-5 Why security and many layers? Security in many layers (upper layer services may take advantage of lower level security) 1. Secure email (application layer) 2. Secure sockets (transport layer) 3. IPsec (network layer) 4. Security in 802.11 (link layer) r Lower layers cannot offer user-level security, m A commerce site need to authenticate customers r Easier to deploy services, including security, at the higher layers r Security is not broadly deployed at the network layer m E.g. IP spoofing m IPsec (with source authentication, hence no IP spoofing) is many years away m Performance?

6 8-6 Secure e-mail Alice:  generates random symmetric private session key, K S.  encrypts message with K S (for efficiency)  also encrypts K S with Bob’s public key.  sends both K S (m) and K B (K S ) to Bob.  Alice wants to send confidential e-mail, m, to Bob. K S ( ). K B ( ). + + - K S (m ) K B (K S ) + m KSKS KSKS KBKB + Internet K S ( ). K B ( ). - KBKB - KSKS m K S (m ) K B (K S ) + Bob:  uses his private key to decrypt and recover K S  uses K S to decrypt K S (m) to recover m

7 8-7 Secure e-mail (continued) Alice wants to provide sender authentication and message integrity. Alice digitally signs message. sends both message (in the clear) and digital signature. H( ). K A ( ). - + - H(m ) K A (H(m)) - m KAKA - Internet m K A ( ). + KAKA + K A (H(m)) - m H( ). H(m ) compare

8 8-8 Secure e-mail (continued) Alice wants to provide secrecy, sender authentication, message integrity. Alice uses three keys: her private key, Bob’s public key, newly created symmetric session key H( ). K A ( ). - + K A (H(m)) - m KAKA - m K S ( ). K B ( ). + + K B (K S ) + KSKS KBKB + Internet KSKS

9 8-9 Pretty good privacy (PGP) r Internet e-mail encryption scheme, de-facto standard. r uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described on previous slides r provides secrecy, sender authentication, integrity. r inventor, Phil Zimmerman, was target of 3-year federal investigation. ---BEGIN PGP SIGNED MESSAGE--- Hash: SHA1 Bob:My husband is out of town tonight. Passionately yours, Alice ---BEGIN PGP SIGNATURE--- Version: PGP 5.0 Charset: noconv yhHJRHhGJGhgg/12EpJ+lo8gE4vB3mqJ hFEvZP9t6n7G6m5Gw2 ---END PGP SIGNATURE--- A PGP signed message:

10 8-10 Network Security (summary) Basic techniques…... m cryptography (symmetric and public) m authentication m message integrity m key distribution …. used in many different security scenarios m secure email m secure transport (SSL) m IP sec m 802.11


Download ppt "8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine."

Similar presentations


Ads by Google