1 / 23

Internet Security Protocols

Internet Security Protocols. Internet Layers, Basics Intenet Security layers Sec Protocols: Kerberos, AAA, IPsec, IKE, IKEv2, Wlan, PKI, TLS Outlook: MobileIP, HIP, Pana. Contents. Protocols define Format and order of msgs sent and received among network entities, and

djessie
Download Presentation

Internet Security Protocols

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Internet Security Protocols

  2. Internet Layers, Basics Intenet Security layers Sec Protocols: Kerberos, AAA, IPsec, IKE, IKEv2, Wlan, PKI, TLS Outlook: MobileIP, HIP, Pana Contents

  3. Protocols define Format and order of msgs sent and received among network entities, and actions taken on msg transmission, receipt Examples: TCP, IP, HTTP, FTP,PPP Internet: “network of networks” Standards RFC: Request for Comments IETF: Internet Engineering Task Force administration domains access router local ISP server core router host company network mobile Internet

  4. Application Layer Transport Layer Network Layer Data Link Layer Physical Layer At which layer security? http http Kerberos, CMS, custom token protocols tcp tcp TLS, WTLS ip ip IPsec Ethernet Ethernet Wep Host Access Point or Gateway

  5. Internet Security • Three levels(Network, application, system) • Network - data packet integrity in-transit (Authentication/confidentiality/access controls) • IP layer/ headers + data = IP datagram • Not inherently secure (IP Spoofing - attacks w/false source addresses) • Authentication headers - integrity check values to indicate source & transit integrity of datagram • Security Association / Security Parameter Index

  6. Internet Security (Network) • Packet Encryption - Encapsulating Security Payload (ESP) provides confidentiality + integrity • Algorithm (transforms) • Tunnel-mode encryption (entire datagram encrypted) • Transport-mode encryption (data only encrypted) • Key Management - no single standard • Host-oriented - all users share same association & key • Potential for decrypt another’s messages • User-oriented - user has 1 or more association & keys • Lower risk / Superior method • Firewalls - screening routers/proxy servers, perimeter networks

  7. Internet Security (Network) • Virtual Private Networks (VPN) • Secure groups of network sites using Inet backbone • IP tunneling / firewalls • Messaging - special security needs above network measures • E-mail / mail enabled applications • Writer to reader protection via user agent • Message Transfer Agents (MTAs) = message transfer backbone (originating & delivering)

  8. Internet Security (Messaging) • Basic Message Protection Services • Message origin authentication / content integrity / content confidentiality / non- repudiation of origin • Enhanced Message Protection Services • Confirmation services (proof of delivery & submission, non-repudiation of delivery & submission) • Other - I.e. security labeling service

  9. Internet Security (Messaging) • Secure Messaging Protocols • PEM - Privacy Enhanced Mail (basic services) • Wraps itself around standard mail message • MIME Security Multi-parts • Multi-purpose Internet Extensions - supports structuring of message body • Different body parts - text, image, audio, etc • 1995 specifications: • Security Multi-parts for MIME • MIME Object Security Services (MOSS) • Transforms messages into standard representation for transport

  10. Internet Security (Messaging) • S/MIME - RSA alternative to MOSS spec • built upon Public-Key Cryptography Stds (PKCS) • Protects MIME body parts, w/new data structure that becomes MIME content • Signed, enveloped or both • Mailer must be S/M compliant to read • PGP (Pretty Good Privacy) free app using digital signatures & encryption • Defines own public key pair mgmt system • Casual e-mail, not wide-scale e-commerce

  11. Internet Security (Messaging) • X.400 Security • 1984/1988 international stds for mail gateways • Security features specific to X.400 protocols • X.400 secured mail cannot be conveyed over Inet • Message Security Protocol (MSP) • US/DOS protocol similar to S/MIME, PKCS • Encapsulates message for basic & some enhanced services

  12. Message Protocol Comparison • S/MIME - strongest commercial acceptance • PGP - free; not compatible w/public-key infrastructure; scalability questionable • MSP - most comprehensive feature set; not commercially widespread • MOSS - compatibility issues w/public-key; weak commercial vendor acceptance • PEM - not compatible with MIME/outdated • X.400 - most comprehensive features; not compatible with Inet messaging

  13. Web Security • Web Risks - server content / communications • Solutions - SSL / S-HTTP / SET (evolving stds) • SSL (Secure Sockets Layer) - session protection • Developed by Netscape to add communication protection • New layer protocol operating above TCP protocol • Protects any application protocol normally operating over TCP (HTTP, FTP, TELNET) • HTTPs represents SSL communication handling • Services: server authentication / client authentication / integrity (check values) / confidentiality (encryption)

  14. Web Security (SSL cont.) • SSL has two sub-protocols • SSL Record Protocol - defines basic format • Compression/MAC/encryption/data length • Assumes pre-existing keys • SSL Handshake Protocol - coordination • Negotiates protection algorithms between client and server for authentication, transmission of key certificates, establish session keys for use in integrity check and encryption • Domestic (128-bit) and intern’l (40-bit)

  15. Web Security - S-HTTP • Secure HTTP - security extension • Protects individual transaction request or response messages, similar to e-mail • Services: authentication, integrity, confidentiality + digital signatures (adds non-repudiation) • Flexibility in how messages are protected and key management

  16. Web Security Threats • Executable Programs - no foolproof defense • Java Applets - execution occurs on client system • Trusted execution environment (sandbox) • Should not: inspect or alter client files, run system commands or load system s/w libraries • Should: contact only originating server • Potential for hostile applets to send forged e-mail, crash browsers, kill running applets, consume resources • Active-X - reusable software components • Source Authentication Programs -read signed code

  17. Internet Layers, Basics Management, Implementation or Design Errors Designing Correct Protocols: The Avispa contribution IETF Groups and Activities Sec Protocols: Kerberos, AAA, IPsec, IKE, IKEv2, Wlan, PKI, TLS High-level Protocol Spec. Language (hlpsl): Syntax, Semantics, Goals, Examples Outlook: MobileIP, HIP, Pana Contents

  18. Kerberos An authentication system for distributed systems

  19. Introduction • Based on Needham - Schroeder • Three-Party Protocol • Extensions according to Denning - Sacco. • Developed at MIT as part of the project Athena • Versions 1 - 3 internal • Currently the following Kerberos Version are published: • Kerberos v4 • Kerberos v5 • Kerberos v5 Clarifications/Revisions (not finished)

  20. Where is Kerberos used? Architecture: • PacketCable Operating Systems: • Unix • Windows 2000 for all authentication procedures • Windows CE .NET Protocols (examples): • Resource Reservation Protocol (RSVP) • Telnet; NFS; FTP; SNMP; TLS; KINK; DNS APIs / Carriers for Authentication Protocols • GSS-API; SASL; EAP;

  21. What is IPSec? • IPSec is the standard suite of protocols for network-layer confidentiality and authentication of IP packets. • IPSec = AH + ESP + IPComp + IKE • In particular the following features are provided: • Connectionless integrity • Data origin authentication • Replay Protection (window-based mechanism) • Confidentiality • Traffic flow confidentiality (limited) • An IPv6 standard compliant implementation must support IPsec.

  22. Why IPSec? • Users want a secure, private network by • disallowing communication to untrusted sites, • encrypting packets that leave a site, • authenticating packets that enter a site. • By implementing security at the IP level, all distributed applications can be secured (including many security-ignorant, legacyapplications). • Typically, the following threats are prevented: • Impersonation (IP Spoofing); • Session hijacking; • Man-in-the-middle Attacks; • Injecting or re-ordering of IP packets • Eavesdropping; • Message modification

  23. Purpose of Digital Certificates • Scalability • Trusted validation of parties • Transmission and storage of public keys can be insecure • Can provide permissions (Authorizations) • X.509 is part of the ITU-T Directory series of recommendations (= ISO/IEC 9594).

More Related