Chapter 13 network security

Chapter 13 Network Security Data Communications and - PowerPoint PPT Presentation



PowerPoint Slideshow about 'Chapter 13 Network Security Data Communications and' - LionelDale


Presentation Transcript
Data Communications and Computer Networks: A Business User’s Approach

Chapter 13

Network Security


What we will cover

  • Security measures

  • Firewalls

  • Business on the internet - Encryption



Introduction

  • While computer systems today have some of the best security systems ever, they are more vulnerable than ever before.

  • This vulnerability stems from the world-wide access to computer systems via the Internet.

  • Computer and network security comes in many forms

    • encryption algorithms

    • access to facilities

    • digital signatures

    • fingerprints and face scans as passwords.

  • Where do most security breaches come from?


What is network security?

  • Network security is preventing attackers from achieving objectives through unauthorized access or unauthorized use of computers and networks.

    www.cert.org



Basic Security Measures

The basic security measures for computer systems fall into eight categories:

  • External security

  • Operational security

  • Surveillance

  • Passwords/authentication

  • Auditing

  • Access rights

  • Standard system attacks

  • Viruses/worms



External Security

Protection from environmental damage such as floods, earthquakes, and heat.

Physical security such as locking rooms, locking down computers, keyboards, and other devices.

Electrical protection from power surges.

Noise protection from placing computers away from devices that generate electromagnetic interference.


Personnel security

  • Most security violations have one common characteristic:

    • They are caused by people!

      • Training, Auditing, Least Privilege, ...



Operational Security

Deciding who has access to what.

Limiting time of day access.

Limiting day of week access.

Limiting access from a location, such as not allowing a user to use a remote login during certain periods or any time.


[Figure: Sample dialog box from a network operating system for setting the time-of-day restrictions]



Surveillance

Proper placement of security cameras can deter theft and vandalism.

Cameras can also provide a record of activities.

Intrusion detection is a field of study in which specialists try to prevent intrusion and try to determine if a computer system has been violated.



Passwords and ID Systems

  • Passwords are the most common form of security and the most abused.

  • Simple rules help support safe passwords, including:

  • Change your password often.

  • Pick a good, random password (minimum 8 characters, mixed symbols).

  • Don’t share passwords or write them down.

  • Don’t select names and familiar objects as passwords.

  • Most common password?


List of common passwords

[email protected]#$%   [email protected]#$%^   [email protected]#$%^&   [email protected]#$%^&*   000000   00000000   0007   007   007007   0246   0249   1022   10sne1   111111   121212   1225   123   123123   1234   12345   123456   1234567   12345678   1234qwer   123abc   123go   1313   131313   13579   14430   1701d   1928   1951   1a2b3c   1p2o3i   1q2w3e   1qw23e   1sanjose   2112   21122112   2222   2welcome   3   369   4   4444   4runner   5   5252   54321  5555   5683   654321   666666   6969   696969   777   7777   80486   8675309   888888   90210   911   92072   99999999   @#$%^&   a   a12345   a1b2c3   a1b2c3d4   aaa   aaaaaa   aaron   abby   abc   abc123   abcd   abcd1234   abcde   abcdef   abcdefg   abigail   about   absolut   academia   access   action   active   acura   adam   adams   adg   adidas   admin   adrian   advil   aeh   aerobics   after   again   aggies   aikman   airhead   airplane   alan   alaska   albany   albatross   albert   alex   alex1   alexande   alexander   alexandr   alexis   alfred   algebra   aliases   alice   alicia   aliens   alison   all   allen   allison   allo   alpha   alpha1   alphabet   alpine   always   alyssa   ama   amanda   amanda1   amber   amelie   america   america7   amiga   amorphous   amour   amy   an   analog   anchor   and   anderson   andre   andrea   andrew   andromache   andy   angel   angela   angela1   angels   angie   angus   animal   animals   ann   anna   anne   annie   answer   anthony   anthropogenic   antonio   anvils   any   anything   apache   apollo   apollo13   apple   apple1   apples   april   archie   arctic   are   aria   ariadne   ariane   ariel   arizona   around   arrow   arthur   artist   as   asdf  asdfg   asdfgh   asdfghjk   asdfjkl   asdfjkl;   ashley   ask   aspen   ass   asshole   asterix   at   ate   ath   athena   atmosphere   attila   august   austin  


Authentication

  • Authentication is the process of reliably verifying the identity of someone (or something) by means of:

    • A secret (password [one-time], ...)

    • An object (smart card, ...)

    • Physical characteristics (fingerprint, retina, ...)

    • Trust

  • Do not mistake authentication for authorization!



Passwords and ID Systems - Authentication?

  • Many new forms of “passwords” are emerging:

  • Fingerprints

  • Face prints

  • Retina scans and iris scans

  • Voice prints

  • Ear prints



Auditing

Creating a computer or paper audit can help detect wrongdoing.

Auditing can also be used as a deterrent.

Many network operating systems allow the administrator to audit most types of transactions.

Many types of criminals have been caught because of computer-based audits.




Access Rights

Two basic questions about access rights: who and how?

Who do you give access rights to? No one, a group of users, the entire set of users?

How does a user or group of users have access? Read, write, delete, print, copy, execute?

Most network operating systems have a powerful system for assigning access rights.




Viruses

Many different types of viruses, such as parasitic, boot sector, stealth, polymorphic, and macro.

A Trojan Horse virus is a destructive piece of code that hides inside a harmless looking piece of code.

Sending an e-mail with a destructive attachment is a form of a Trojan Horse virus.



Virus Detection and Scanning

Signature-based scanners look for particular virus patterns or signatures and alert the user.

Terminate-and-stay-resident programs run in the background constantly watching for viruses and their actions.

Multi-level generic scanning is a combination of antivirus techniques including intelligent checksum analysis and expert system analysis.

http://www.symantec.com/avcenter/



What is the difference between a computer virus and a computer worm?

  • Viruses are computer programs that are designed to spread themselves from one file to another on a single computer. A virus might rapidly infect every application file on an individual computer, or slowly infect the documents on that computer, but it does not intentionally try to spread itself from that computer to other computers. In most cases, that's where humans come in. We send e-mail document attachments, trade programs on diskettes, or copy files to file servers. When the next unsuspecting user receives the infected file or disk, they spread the virus to their computer, and so on.

  • Worms, on the other hand, are insidious because they rely less (or not at all) upon human behavior in order to spread themselves from one computer to others.

  • The computer worm is a program that is designed to copy itself from one computer to another over a network (e.g. by using e-mail). The worm spreads itself to many computers over a network, and doesn't wait for a human being to help. This means that computer worms spread much more rapidly than computer viruses.


HOAXES


Standard System Attacks

Denial of service attacks, or distributed denial of service attacks, bombard a computer site with so many messages that the site is incapable of answering valid requests.

In e-mail bombing, a user sends an excessive amount of unwanted e-mail to someone.

Smurfing is a nasty technique in which a program attacks a network by exploiting IP broadcast addressing operations.

Ping storm is a condition in which the Internet Ping program is used to send a flood of packets to a server.


Standard System Attacks

Spoofing is when a user creates a packet that appears to be something else or from someone else.

Trojan Horse is a malicious piece of code hidden inside a seemingly harmless piece of code.

Stealing, guessing, and intercepting passwords is also a tried and true form of attack.


Web Spoofing

  • Web Spoofing is a security attack that allows an adversary to observe and modify all web pages sent to the victim's machine, and observe all information entered into forms by the victim. Web Spoofing works on both of the major browsers and is not prevented by "secure" connections. The attacker can observe and modify all web pages and form submissions, even when the browser's "secure connection" indicator is lit. The user sees no indication that anything is wrong.

  • The attack is initiated when the victim visits a malicious Web page, or receives a malicious email message (if the victim uses an HTML-enabled email reader).



Smurfing

  • Smurfing is the attacking of a network by exploiting Internet Protocol (IP) broadcast addressing and certain other aspects of Internet operation. Smurfing uses a program called Smurf and similar programs to cause the attacked part of a network to become inoperable. The exploit of smurfing, as it has come to be known, takes advantage of certain known characteristics of the Internet Protocol (IP) and the Internet Control Message Protocol (ICMP). The ICMP is used by network nodes and their administrators to exchange information about the state of the network. ICMP can be used to ping other nodes to see if they are operational. An operational node returns an echo message in response to a ping message. A smurf program builds a network packet that appears to originate from another address (this is known as spoofing an IP address). The packet contains an ICMP ping message that is addressed to an IP broadcast address, meaning all IP addresses in a given network. The echo responses to the ping message are sent back to the "victim" address. Enough pings and resultant echoes can flood the network making it unusable for real traffic.

  • One way to defeat smurfing is to disable IP broadcast addressing at each network router since it is seldom used. This is one of several suggestions provided by the CERT Coordination Center.


What is SSH?

  • SSH (Secure Shell) is a full replacement for rsh, rlogin, rcp, telnet, rexec, and ftp

  • Automatic authentication (?) of users, no passwords are sent in clear text

  • Secure remote login, file copying, and tunneling X11 and TCP connections (POP, IMAP, SMTP, HTTP)


www.cert.org


What is a firewall?

  • Used to control the flow of traffic (both inflows and outflows, but primarily inflows) between networks

  • The connected networks can be internal or a combination of internal and external networks


Firewalls

A system or combination of systems that supports an access control policy between two networks.

A firewall can limit the types of transactions that enter a system, as well as the types of transactions that leave a system.

Firewalls can be programmed to stop certain types or ranges of IP addresses, as well as certain types of TCP port numbers (applications such as ftp, telnet, etc.)


Transmission Control Protocol/Internet Protocol - TCP/IP

  • A conglomeration of underlying protocols designed to enable communications between computers across networks


4 Basic Layers of TCP/IP

  • Physical/Network Layer - Accepts and transmits network packets over the physical network. Physical networking protocols, such as Ethernet, and logical protocols, such as Address Resolution Protocol (ARP), are run at this layer.

  • IP Layer - Responsible for routing packets across the network. Routing protocols, such as Routing Information Protocol (RIP) and Interior Gateway Routing Protocol (IGRP), are run at this layer.


4 Basic Layers of TCP/IP (cont.)

  • Transport Layer - Manages the virtual session between two computers for TCP for providing end-to-end communication.

  • Application Layer - Manages the networking applications and formats data for transmission.


Open Systems Interconnect (OSI)

  • Developed by the International Organization for Standardization

  • A seven layer model that further divides the layers from the TCP/IP model


[Figure: TCP/IP layers]

  • APPLICATION LAYER - HTTP - the desired program

  • TRANSPORT LAYER - TCP or UDP - provides the connection

  • NETWORK LAYER - IP - locates the destination IP address & routes message

  • LINK LAYER - Ethernet - physical devices

Other labels in the figure: Application-based filtering firewall; Packet-filtering routers; TCP/IP


[Figure: TCP/IP MODEL layers beside the corresponding OSI MODEL layers]

  • APPLICATION (TCP/IP) - APPLICATION, PRESENTATION, SESSION (OSI)

  • TRANSPORT (TCP/IP) - TRANSPORT (OSI)

  • INTERNET (IP) (TCP/IP) - NETWORK (OSI)

  • NETWORK INTERFACE (TCP/IP) - DATA LINK, PHYSICAL (OSI)


Characteristics of Good Firewalls

  • All traffic from inside the corporate network to outside the network, and vice-versa, must pass through it;

  • Only authorized traffic, as defined by the security policy, is allowed to pass through it; and the system itself is immune to penetration.



Firewalls – 2 types

A packet filter firewall is essentially a router that has been programmed to filter out or allow to pass certain IP addresses or TCP port numbers.

A proxy server is a more advanced firewall that acts as a doorman into a corporate network. Any external transaction that requests something from the corporate network must enter through the proxy server.

Proxy servers are more advanced but make external accesses slower.


Firewall Filtering

  • Firewall features that are standard on routers.

    • Separate input and output filters on:

      • Source and destination address

      • Protocol (TCP/IP, IPX, UDP, ICMP, RIP, OSPF, BGP)

      • Protocol service (Web, e-mail, FTP)

      • Established sessions

    • Packet logging

    • Extended Frame Relay filtering (variable-length packet switching data transmission)

www.lucent.com


Static Firewalls

  • Pre-configured rulebases are used for traffic passing decisions

  • Default permit - the firewall allows all traffic except that which is explicitly blocked by the firewall rulebase

  • Default deny - the firewall denies all traffic except that which is explicitly allowed by the firewall rulebase


Dynamic Firewalls

  • Also use rulebases, but the denial and permission of any service can be established for a given time period

  • Stateful inspection is also a dynamic configuration

    • A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Because of this, filtering decisions are based not only on administrator-defined rules (as in static packet filtering) but also on context that has been established by prior packets that have passed through the firewall.
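
The static and dynamic behaviours described on the two slides above, as an added example that is not part of the original presentation. It runs one rulebase (inbound Telnet and FTP only, outbound HTTP) under default deny, default permit and stateful inspection; the class names, the 10.0.0.0/8 inside network, the documentation-range outside addresses and the port numbers are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving from outside, "out" = leaving the inside
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str
    dst_net: str          # destination network, CIDR notation
    dport: Optional[int]  # None matches any destination port
    src_net: str = "0.0.0.0/0"

    def matches(self, pkt: Packet) -> bool:
        return (pkt.direction == self.direction
                and ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and self.dport in (None, pkt.dport))


class Firewall:
    def __init__(self, rules, default, stateful=False):
        if default not in ("allow", "deny"):
            raise ValueError("default must be 'allow' or 'deny'")
        self.rules = list(rules)
        self.default = default
        self.stateful = stateful
        self.state_table = set()  # flows opened by packets the rulebase allowed

    def decide(self, pkt: Packet) -> str:
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply_to = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Stateful inspection: a packet that answers a known flow is passed
        # on context alone, without a matching administrator rule.
        if self.stateful and reply_to in self.state_table:
            return "allow"
        # Static filtering: first matching rule wins, otherwise the default.
        verdict = next((r.action for r in self.rules if r.matches(pkt)),
                       self.default)
        if self.stateful and verdict == "allow":
            self.state_table.add(flow)
        return verdict


INSIDE = "10.0.0.0/8"   # assumed corporate network
ANY = "0.0.0.0/0"
RULES = [
    Rule("allow", "in", INSIDE, 21),               # inbound FTP control
    Rule("allow", "in", INSIDE, 23),               # inbound Telnet
    Rule("allow", "out", ANY, 80, src_net=INSIDE), # outbound HTTP
]

# Constructed sample traffic (addresses from documentation ranges).
PACKETS = [
    Packet("in", "198.51.100.7", 51000, "10.0.0.5", 21),   # inbound FTP
    Packet("in", "198.51.100.7", 51001, "10.0.0.5", 25),   # inbound SMTP
    Packet("out", "10.0.0.5", 40000, "203.0.113.10", 80),  # outbound HTTP request
    Packet("in", "203.0.113.10", 80, "10.0.0.5", 40000),   # reply to that request
    Packet("in", "203.0.113.10", 80, "10.0.0.6", 40000),   # unsolicited look-alike
]


def verdicts(default, stateful=False):
    """Run the sample traffic through a fresh firewall, in order."""
    fw = Firewall(RULES, default, stateful)
    return [fw.decide(p) for p in PACKETS]


if __name__ == "__main__":
    for label, kwargs in [("static, default deny", {"default": "deny"}),
                          ("static, default permit", {"default": "allow"}),
                          ("stateful, default deny",
                           {"default": "deny", "stateful": True})]:
        print(f"{label:24}", verdicts(**kwargs))
```

The static default-deny filter drops the HTTP reply because no rule names its destination port, while the stateful filter passes it and still drops the look-alike packet aimed at a host that never opened a connection.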


Components of Firewalls

  • Chokes - limit the flow of packets between networks. Read packets and determine, based on the rules, if the traffic should pass

  • Gates - act as a control point for external connections. They control the external connections.


[Figure: Firewall components. PACKETS (TELNET, FTP, SMTP, HTTP) reach the CHOKE (DEFAULT DENY) and the GATE (Application Level Filtering Rule - Deny everything except Telnet & FTP). Rejected Packets: SMTP, HTTP, SMTP. Packets reaching the Corporate Internal Network: FTP, FTP, TELNET.]


Firewall Functions

  • Packet Filtering

  • Network Address Translation

  • Application-level Proxies

  • Stateful Inspection

  • Virtual Private Networks

  • Real-time Monitoring


[Figure: Proxy Server sitting outside the protection of the corporate network]


Last time

  • Security issues

  • Firewalls

This time

  • Business over the internet

  • Cryptography


So you want to do business over the internet

  • What do you have to worry about?


[Figure: A message originating from Point A is split into packets that may travel along different paths; the message is reassembled at the destination. The intended destination is Point B.]

  • Did Point B receive the message?

  • Was the message really sent by Point A?

  • Did anyone else see the message?

  • If Point B did in fact receive the message -

    • Is it exactly the same message or could it have been altered in any way?

    • Was it delivered promptly or could it have been stalled?


Important Techniques used to prevent/detect data interception

  • Message Origin Authentication

  • Proof of Delivery (non-repudiation)

  • Message Integrity

    • Same message

    • Not seen by others

  • Timely Delivery of Messages


Encryption…

  • Is the best device for ensuring message (and data) confidentiality

  • involves transforming plaintext into ciphertext using a KEY

  • the level of secrecy is a function of

    • strength of the algorithm

    • key length

    • key management policies


What is cryptography?

  • “hidden writing”

    • versus steganography (hiding the message)

  • Until recently: military tool

  • Like any military technology: methods change over time

  • Two sides: designing codes, breaking codes (cryptanalysis)

  • Computers have changed both


Basic Encryption and Decryption Terms

Cryptography is the study of creating and using encryption and decryption techniques.

Encryption vs decryption

Plaintext (sometimes called cleartext) is the data that exists before any encryption has been performed.

Ciphertext is the data after encryption has been performed.

The key(s) is(are) the unique piece of information that is used to create ciphertext and decrypt the ciphertext back into plaintext. Key is also called the cryptovariable.

The cipher is the algorithm for encrypting and decrypting; also called the protocol or scheme.


Uses of Cryptography

  • Besides confidentiality, cryptography provides

    • Authentication: knowing that the claimed sender actually sent the message.

    • Integrity: message has not been tampered with and/or the message is legit

    • Nonrepudiation: a user should not be able to deny that he sent the message



Simple encryption methods

  • Pig Latin

  • Decoder rings


Monoalphabetic Substitution-based Ciphers

Monoalphabetic substitution-based ciphers replace a character or characters with a different character or characters, based upon some key.

Replacing: abcdefghijklmnopqrstuvwxyz

With the key: POIUYTREWQLKJHGFDSAMNBVCXZ

The message: how about lunch at noon

encodes into EGVPO GNMKN HIEPM HGGH


Simple example: Caesar Shift

  • Protocol: shift each letter by the same amount

  • Key: amount to shift

  • IBM → HAL (key: -1)

  • Veni, vidi, vici → Foxs, fsns, fsms (key: 10)

  • Decryption: shift back the same amount


Caesar Cipher

ABCDEFGHIJKLMNOPQRSTUVWXYZ

NOPQRSTUVWXYZABCDEFGHIJKLM

(rotate 13 positions)

Plaintext: THE GOTHS COMETH

Key: 13

Ciphertext: FUR TAFUE PAYRFU


Example: Caesar Shift

  • What is:

    • ozqsx shld
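
The substitution and shift ciphers from the preceding slides, as an added example that is not part of the original presentation. It uses the deck's substitution key and Caesar shift values as given; the function names are assumptions, and the exhaustive search over all 26 shifts shows how small the Caesar key space is.

```python
import math
import string

ALPHABET = string.ascii_lowercase
# Key copied from the slide: a -> P, b -> O, c -> I, ...
SLIDE_KEY = "POIUYTREWQLKJHGFDSAMNBVCXZ"


def key_is_valid(key):
    """A substitution key must be a permutation of the 26 letters."""
    return sorted(key.lower()) == list(ALPHABET)


def substitute(plaintext, key=SLIDE_KEY):
    """Monoalphabetic substitution: map each letter through the key,
    drop everything else, and group the output in blocks of five."""
    if not key_is_valid(key):
        raise ValueError("key must use each letter exactly once")
    table = dict(zip(ALPHABET, key.upper()))
    joined = "".join(table[c] for c in plaintext.lower() if c in table)
    return " ".join(joined[i:i + 5] for i in range(0, len(joined), 5))


def unsubstitute(ciphertext, key=SLIDE_KEY):
    """Invert the mapping. Word spacing was discarded during encryption."""
    table = dict(zip(key.upper(), ALPHABET))
    return "".join(table[c] for c in ciphertext.upper() if c in table)


def caesar(text, shift):
    """Shift each letter by `shift` positions, keeping case and punctuation.
    Decryption is the same call with the shift negated."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_candidates(ciphertext):
    """Exhaustive search: only 26 shifts exist, so list every decryption."""
    return {shift: caesar(ciphertext, shift) for shift in range(26)}


if __name__ == "__main__":
    print(substitute("how about lunch at noon"))
    print(caesar("IBM", -1), "|", caesar("Veni, vidi, vici", 10))
    # The exercise ciphertext from the slide, tried against every key.
    for shift, text in caesar_candidates("ozqsx shld").items():
        print(f"{shift:2d}  {text}")
    # Key-space comparison: 26 shifts versus 26! substitution alphabets.
    print("substitution keys:", math.factorial(26))
```

A general substitution key cannot be searched this way, but it leaves letter frequencies intact, which is what frequency analysis exploits.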


Types of Keys

  • Symmetric (one key)

  • Asymmetric (two keys)


SYMMETRIC ENCRYPTION METHOD

[Figure: The sender encrypts the plaintext message into an encoded message, which is transmitted; the receiver decrypts it back into the plaintext message. Sender and receiver hold identical keys.]

Same key for encryption and decryption.

How is key shared?


Enigma Machine

  • Key changed daily

  • 3 scramblers in one of 6 orders

    • In 1938: 3 of 5, so 60 arrangements

  • 26^3 = 17,576 settings for scramblers

  • Billions of plugboard settings

  • Alan Turing: bypassed plugboard

  • Used known plaintext, exhausted over space

  • British were able to read traffic!


Paradigm Shift!

  • Alice wants to mail Bob a letter securely

  • If they share a “key”, Alice locks, Bob unlocks

  • If not: Alice puts on padlock, sends box to Bob

  • Bob adds his padlock, sends box back to Alice

  • Alice removes her padlock, sends box to Bob

  • Bob unlocks box, reads letter

  • Problem: how to translate this to a protocol?


Public Key Cryptography

  • Very powerful encryption technique in which two keys are used:

    • first key (the public key) encrypts the message

    • second key (the private key) decrypts the message

  • Not possible to deduce one key from the other.

  • Not possible to break the code given the public key.

  • If you want someone to send you secure data, give them your public key, you keep the private key.

  • Secure sockets layer (SSL) on the Internet is a common example of public key cryptography

    • Connection between application layer and transport layer (TCP)

    • S-HTTP another method


[Figure: Sender – Johnny B.; Receiver - Professor. Johnny B. encrypts his plaintext message (explaining his personal medical condition) with the Professor’s public key; the encoded message is transmitted; the Professor decrypts it with the Professor’s private key and recovers the plaintext message.]

By encrypting his message with his Professor’s publicly available key, Johnny B. can be assured that no one besides that professor can read his message.

Confidentiality


[Figure: Sender - Professor; Receiver – Johnny B. The Professor encrypts his plaintext message (requesting a conference with Johnny B.) with the Professor’s private key; the encoded message is transmitted; Johnny B. decrypts it with the Professor’s public key and recovers the plaintext message.]

Because the professor encrypted the message with his private key, Johnny B. can be assured that the message really is from that professor by decrypting it with the professor’s public key.

Authenticate sender


[Figure: Sender - Professor; Receiver – Johnny B. The message from the Professor (requesting a conference with Johnny B. and disclosing his grade) is encrypted twice; keys shown on the sender side: Professor’s private key, Johnny’s public key. The double encoded message is transmitted and then decrypted twice; keys shown on the receiver side: Johnny’s private key, Professor’s public key.]

By decrypting the message with the professor’s private key and Johnny’s publicly available key, Johnny can be assured that the message really is from that professor and that no one else can read the message containing his grade.

Authenticate and confidentiality of sender


Data Encryption Standard (DES) – making good keys

GOT TO HAVE GOOD KEYS!

Created in 1977 and in operation into the 1990s, the data encryption standard took a 64-bit block of data and subjected it to 16 levels of encryption.

The choice of encryption performed at each of the 16 levels depends on the 56-bit key applied.

Even though 56 bits provides over 72 quadrillion combinations, a system using this standard has been cracked.

Larger keys are the answer to better security.


[Figure: Basic operations of the data encryption standard]


Triple-DES

A more powerful data encryption standard.

Data is encrypted using DES three times: the first time by the first key, the second time by a second key, and the third time by the first key again.

While virtually unbreakable, triple-DES is CPU intensive.

With more smart cards, cell phones, and PDAs, a faster (and smaller) piece of code is highly desirable.


Advanced Encryption Standard (AES)

Selected by the U.S. government to replace DES.

National Institute of Standards and Technology selected the algorithm Rijndael (pronounced rain-doll) in October 2000 as the basis for AES.

AES has more elegant mathematical formulas, requires only one pass, and was designed to be fast, unbreakable, and able to support even the smallest computing device.

Key size of AES: 128, 192, or 256 bits

Estimated time to crack (assuming one machine could try 2^55 keys per second (NIST)): 149 trillion years

Very fast execution with very good use of resources

AES should be widely implemented by 2004


Pretty Good Privacy

  • PGP is a digital data encryption program created by Phil Zimmermann.

  • Provides confidentiality, authentication, and compression for email and data storage.

  • Its building blocks are made of the best available cryptographic algorithms: RSA, DSS, Diffie-Hellman.

  • It is independent of operating system and processor.

  • It has a small set of easy-to-use commands


PGP

  • Because PGP is freely available via the Internet, and has a fully compatible low-cost commercial version it is now widely used.

  • It has a wide range of applicability from corporations to individuals who wish to communicate worldwide securely over the Internet and other networks.

  • It is not controlled by any government which makes it attractive to many.


Digital Signatures

  • A digital signature is much like a hand signature in that it provides proof that you are the originator of the message (Authentication); assigns a code to a document.

  • Used to bind the message originator to the exact contents of the message through the use of key pairs. This allows for the feature of non-repudiation to be achieved - this is crucial for electronic commerce.

  • Non-repudiation is a property achieved through cryptographic methods which prevents an individual or entity from denying having performed a particular action related to data.

  • The private key of the sender is used to compute a message digest.


Digital Signatures

  • Reason for digital signatures? integrity of transactions

  • How they work:

  • Document to be signed is sent through a complex mathematical computation that generates a hash, called the message digest.

    • (reduces the size of the message)

  • Hash is encoded with the owner’s private key.

  • To prove future ownership, the hash is decoded using the owner’s public key and the hash is compared with a current hash of the document.

  • If the two hashes agree, the document belongs to the owner.

  • The U.S.A. approved legislation to accept digitally signed documents as legal proof.
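
The public-key slides (encrypt with the recipient's public key, decrypt with the private key) and the hash-then-sign steps above, as an added example that is not part of the original presentation. It is textbook RSA without padding, built on small well-known Mersenne primes so it runs with the standard library only; it is a teaching model, not a usable cryptosystem, and the function names and messages are assumptions. The combined case sends a signature alongside the ciphertext rather than nesting two encryptions as the double-encoding figure does.

```python
import hashlib

E = 65537  # public exponent


def make_keypair(p, q, e=E):
    """Textbook RSA key generation from two primes: (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def encrypt(message, public_key):
    """Confidentiality: anyone can encrypt with the recipient's public key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(ciphertext, private_key):
    """Only the holder of the private key can recover the plaintext."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(message, n):
    """Message digest: SHA-256, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """The hash is encoded with the owner's private key."""
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(message, signature, public_key):
    """Decode the signature with the public key and compare it with a
    freshly computed hash of the message that was received."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


def send_signed_and_sealed(message, sender_private, recipient_public):
    """Authentication plus confidentiality: ciphertext and signature."""
    return encrypt(message, recipient_public), sign(message, sender_private)


def receive(ciphertext, signature, recipient_private, sender_public):
    message = decrypt(ciphertext, recipient_private)
    return message, verify(message, signature, sender_public)


# Toy keys (assumption): Mersenne primes are far too small and too
# structured for real use; real keys come from large random primes.
PROFESSOR_PUB, PROFESSOR_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
JOHNNY_PUB, JOHNNY_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

if __name__ == "__main__":
    note = b"conference at 3pm"  # constructed sample message
    ct, sig = send_signed_and_sealed(note, PROFESSOR_PRIV, JOHNNY_PUB)
    print("received:", receive(ct, sig, JOHNNY_PRIV, PROFESSOR_PUB))
    print("tampered message verifies:",
          verify(b"conference at 4pm", sig, PROFESSOR_PUB))
```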


[Figure: Digital signature flow. Sender: computes a digest of the plaintext message with the hashing algorithm and encrypts the digest with the sender’s private key, producing the digital signature (encrypted digest). The message and digital signature are transmitted; the message is not confidential. Receiver: decrypts the digest with the sender’s public key, computes the expected digest from the plaintext message with the hashing algorithm, and compares the two to confirm or deny integrity of the message.]


Public Key Infrastructure

Putting it all together!!

The combination of encryption techniques, software, and services that involves all the necessary pieces to support digital certificates, certificate authorities, and public key generation, storage, and management.

A certificate, or digital certificate, is an electronic document, similar to a passport, that establishes your credentials when you are performing transactions.


Public Key Infrastructure (PKI)

  • Applications that benefit from PKI:

  • World Wide Web transactions

  • Virtual private networks

  • Electronic mail

  • Client-server applications

  • Banking transactions


Security Policy Design Issues

What is the company’s desired level of security?

How much money is the company willing to invest in security?

If the company is serious about restricting access through an Internet link, what about restricting access through all other entry ways?

The company must have a well-designed security policy.


Network Security In Action: Banking and PKI

If you want to perform online banking transactions, how does the system know you are a legitimate user?

ScotiaBank uses a PKI system designed by Entrust.

Each customer is assigned a digital certificate.

Whenever a customer wants to perform an online transaction, they “present” their certificate.


What did we cover?

  • Security for internet communications

    • Message Origin Authentication

    • Proof of Delivery (non-repudiation)

    • Message Integrity

      • Same message

      • Not seen by others

  • Cryptography

    • Keys

    • PKI


SECURITY ISSUE | SECURITY OBJECTIVE | SECURITY TECHNIQUES

Confidentiality | Privacy of Message | Encryption

Message Integrity | Detecting Message Tampering | Hashing (Digest)

Authentication | Origin Verification | Digital Signatures; Biometric Devices

Non-repudiation | Proof of Origin, Receipt, and Contents | Digital Signatures; Transaction Certificates; Time Stamps; Confirmation Services; Bi-Directional Hashing

Access Controls | Limiting entry to authorized users | Firewalls; Passwords; Biometric devices

