Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 21 – Internet Security.

Published byPaulina Bond Modified over 8 years ago

Similar presentations

Presentation on theme: "Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 21 – Internet Security."— Presentation transcript:

1 Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 21 – Internet Security Protocols and Standards

2 Internet Security Protocols and Standards  Secure Sockets Layer (SSL) / Transport Layer Security (TLS)  IPv4 and IPv6 Security  S/MIME (Secure/Multipurpose Internet Mail Extension)

3 Secure Sockets Layer (SSL)  transport layer security service originally developed by Netscape originally developed by Netscape version 3 designed with public input version 3 designed with public input  subsequently became Internet standard RFC2246: Transport Layer Security (TLS)  use TCP to provide a reliable end-to-end service  may be provided in underlying protocol suite  or embedded in specific packages

4 SSL Protocol Stack

5 SSL Record Protocol Services  message integrity using a MAC with shared secret key using a MAC with shared secret key similar to HMAC but with different padding similar to HMAC but with different padding  confidentiality using symmetric encryption with a shared secret key defined by Handshake Protocol using symmetric encryption with a shared secret key defined by Handshake Protocol AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128 AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128 message is compressed before encryption message is compressed before encryption

6 SSL Record Protocol Operation

7 SSL Change Cipher Spec Protocol  one of 3 SSL specific protocols which use the SSL Record protocol  a single message  causes pending state to become current  hence updating the cipher suite in use

8 SSL Alert Protocol  conveys SSL-related alerts to peer entity  severity warning or fatalwarning or fatal  specific alert fatal: unexpected message, bad record mac, decompression failure, handshake failure, illegal parameterfatal: unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknownwarning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown  compressed & encrypted like all SSL data

9 SSL Handshake Protocol  allows server & client to: authenticate each other authenticate each other to negotiate encryption & MAC algorithms to negotiate encryption & MAC algorithms to negotiate cryptographic keys to be used to negotiate cryptographic keys to be used  comprises a series of messages in phases 1. Establish Security Capabilities 2. Server Authentication and Key Exchange 3. Client Authentication and Key Exchange 4. Finish

10 SSL Handshake Protocol

11 IP Security  various application security mechanisms eg. S/MIME, PGP, Kerberos, SSL/HTTPS eg. S/MIME, PGP, Kerberos, SSL/HTTPS  security concerns cross protocol layers  hence would like security implemented by the network for all applications  authentication & encryption security features included in next-generation IPv6  also usable in existing IPv4

12 IPSec  general IP Security mechanisms  provides authentication authentication confidentiality confidentiality key management key management  applicable to use over LANs, across public & private WANs, & for the Internet

13 IPSec Uses

14 Benefits of IPSec  in a firewall/router provides strong security to all traffic crossing the perimeter  in a firewall/router is resistant to bypass  is below transport layer, hence transparent to applications  can be transparent to end users  can provide security for individual users  secures routing architecture

15 IP Security Architecture  mandatory in IPv6, optional in IPv4  have two security header extensions: Authentication Header (AH) Authentication Header (AH) Encapsulating Security Payload (ESP) Encapsulating Security Payload (ESP) Key Exchange function Key Exchange function  VPNs want both authentication/encryption hence usually use ESP hence usually use ESP  specification is quite complex numerous RFC’s 2401/2402/2406/2408 numerous RFC’s 2401/2402/2406/2408

16 Security Associations  a one-way relationship between sender & receiver that affords security for traffic flow  defined by 3 parameters: Security Parameters Index (SPI) Security Parameters Index (SPI) IP Destination Address IP Destination Address Security Protocol Identifier Security Protocol Identifier  has a number of other parameters seq no, AH & EH info, lifetime etc seq no, AH & EH info, lifetime etc  have a database of Security Associations

17 Authentication Header (AH)  provides support for data integrity & authentication of IP packets end system/router can authenticate user/app end system/router can authenticate user/app prevents address spoofing attacks by tracking sequence numbers prevents address spoofing attacks by tracking sequence numbers  based on use of a MAC HMAC-MD5-96 or HMAC-SHA-1-96 HMAC-MD5-96 or HMAC-SHA-1-96  parties must share a secret key

18 Authentication Header

19 Encapsulating Security Payload (ESP)

20 Key Management  handles key generation & distribution  typically need 2 pairs of keys 2 per direction for AH & ESP 2 per direction for AH & ESP  manual key management sysadmin manually configures every system sysadmin manually configures every system  automated key management automated system for on demand creation of keys for SA’s in large systems automated system for on demand creation of keys for SA’s in large systems has Oakley & ISAKMP elements has Oakley & ISAKMP elements

21 S/MIME (Secure/Multipurpose Internet Mail Extensions)  security enhancement to MIME email original Internet RFC822 email was text only original Internet RFC822 email was text only MIME provided support for varying content types and multi-part messages MIME provided support for varying content types and multi-part messages with encoding of binary data to textual form with encoding of binary data to textual form S/MIME added security enhancements S/MIME added security enhancements  have S/MIME support in many mail agents eg MS Outlook, Mozilla, Mac Mail etc eg MS Outlook, Mozilla, Mac Mail etc

22 S/MIME Functions  enveloped data encrypted content and associated keys encrypted content and associated keys  signed data encoded message + signed digest encoded message + signed digest  clear-signed data cleartext message + encoded signed digest cleartext message + encoded signed digest  signed & enveloped data nesting of signed & encrypted entities nesting of signed & encrypted entities

23 S/MIME Process

24 S/MIME Cryptographic Algorithms  digital signatures: DSS & RSA  hash functions: SHA-1 & MD5  session key encryption: ElGamal & RSA  message encryption: AES, 3DES, etc  MAC: HMAC with SHA-1  must map binary values to printable ASCII use radix-64 or base64 mapping use radix-64 or base64 mapping

25 S/MIME Public Key Certificates  S/MIME has effective encryption and signature services  but also need to manage public-keys  S/MIME uses X.509 v3 certificates  each client has a list of trusted CA’s certs  and own public/private key pairs & certs  certificates must be signed by trusted CA’s

26 Summary  Secure Sockets Layer (SSL) / Transport Layer Security (TLS)  IPv4 and IPv6 Security  S/MIME (Secure/Multipurpose Internet Mail Extension)

Download ppt "Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 21 – Internet Security."

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
Cryptography and Network Security Chapter 16

Cryptography and Network Security Chapter 16
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Lecture 6: Web security: SSL

Lecture 6: Web security: SSL
Cryptography and Network Security

Cryptography and Network Security
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 22: Internet Security Protocols and.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 22: Internet Security Protocols and.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
Network Security Essentials Chapter 8 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Network Security Essentials Chapter 8 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Lecture 22 Internet Security Protocols and Standards

Lecture 22 Internet Security Protocols and Standards
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.

CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.
Cryptography and Network Security

Cryptography and Network Security
1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.
Lecture 22 Internet Security Protocols and Standards modified from slides of Lawrie Brown.

Lecture 22 Internet Security Protocols and Standards modified from slides of Lawrie Brown.
Cryptography and Network Security Chapter 15 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 15 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Similar presentations

Ads by Google