network security and public key infrastructure pki n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Network Security and Public Key Infrastructure (PKI) PowerPoint Presentation
Download Presentation
Network Security and Public Key Infrastructure (PKI)

Loading in 2 Seconds...

play fullscreen
1 / 27

Network Security and Public Key Infrastructure (PKI) - PowerPoint PPT Presentation


  • 149 Views
  • Uploaded on

Network Security and Public Key Infrastructure (PKI). Bill Chu. Introduction to Security. Internet environment Information security addresses: Confidentiality E.g. illegal access to secret information Integrity E.g. illegal addition/deletion/modification of data

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Network Security and Public Key Infrastructure (PKI)' - anakin


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide2

Introduction to Security

  • Internet environment
  • Information security addresses:
    • Confidentiality
      • E.g. illegal access to secret information
    • Integrity
      • E.g. illegal addition/deletion/modification of data
      • E.g. perform illegal operations
      • E.g. nonrepudiation
    • Availability
      • E.g. Severely load the system so that the system cannot perform normal functions
    • Usability
      • Appropriate use of information
slide3

Requirements for Electronic Business Transactions

  • Authentication of transacting partners
    • Am I dealing with the one who claim to be
    • Once authenticated, business evaluations become possible
      • credit history (report), bank verifications
  • Data integrity
    • any change to data are detected by receiver
  • Non-repudiation
    • can not deny if one issued a transaction
  • Confidentiality
    • keep transactions to only transacting partners
slide4

How can We Meet these Requirements?

  • Solutions: cryptography-based technologies
    • Cryptography for
      • authentication
        • private key of cryptography is the evident you are who you claim to be
          • you are the only one who has that key
      • data confidentiality
        • data encrypted prevents eavesdrops by others
      • non-repudiation
        • the data is encrypted with your key, you can not deny you did not send it
          • you are the only one who has that encryption key
        • it is typically called encryptedly signed (digital signature)
    • Message digest for
      • data integrity
        • run a “checksum” over the data & encrypt it
        • changing data will be detected by the encrypted “checksum”
          • others can not decrypt the checksum
slide5

“hello”

~!#@$%

“hello”

Encryption

Decryption

cleartext

ciphertext

cleartext

Cryptography

  • Concept: Secret writing
    • communicating in secret writing
      • prevent others from reading your message
  • Process
      • encrypt messages before send
      • decrypt message after receive
      • secret writing can not be read by others
  • Keys
      • encryption and decryption is private knowledge
      • it is computationally difficult to break encryption/decryption
slide6

“hello”

~!#@$%

“hello”

Encryption

Decryption

cleartext

ciphertext

cleartext

key

key

Key-based Cryptography

  • Encryption/Decryption with keys
    • computationally difficult without keys
  • Two types
    • private key or symmetric key cryptography
      • one key used for encryption and decryption
      • key has to be kept secret between partners
      • how to distribute the shared private key is a problem
    • public key or asymmetric key cryptography
      • a pair of keys for encryption and decryption
      • each partner has a pair of keys
        • it keeps one key private to itself & publishes another for others to use
slide7

“hello”

~!#@$%

“hello”

Encryption

Decryption

cleartext

ciphertext

cleartext

Private key

Private key

Using Cryptography

Bob

Alice

Alice

“I love you”

~!#@$%

“I love you”

Bob

Encryption

Decryption

cleartext

ciphertext

cleartext

Allice’s public key

Alice’s private key

Digital Signature, non-repudiation

“Meet me at 3”

~!#@$%

“Meet me at 3”

Alice

Bob

Encryption

Decryption

cleartext

ciphertext

cleartext

Bob’s private key

Bob’s Public key

Confidential message

cryptographic hash function
Cryptographic hash function
  • A hash function is a one-way function (analogous to meat grinder).
  • A cryptographic hash function typically hashes objects of any size to a fixed length hash (e.g. 128 bits)
  • A cryptographic has function has to satisfy the following properties:
    • It is computationally infeasible to find the original object based on the hash result
    • It is computationally infeasible to find two documents that produce the same hash result
digital signature and its verification
Digital Signature and its verification

I love you + 67(*% +

MD5 + RSA

“I love you”

~!#@$%

67Y(*%

Send

Hash

Encription

Allice’s private key

MD5

Digital signature

67Y(*%

“I love you”

=?

Hash

Decription

Yes=verification success

MD5

Allice’s public key

Verification of digital signature

the trust establishment problem
The trust establishment problem
  • In order to verify a signature of Alice we must trust that we know that we have Alice’s public key.
  • Closed trust model: we verify the public keys ourselves, or we know everyone we are dealing with
  • Open trust model: we must deal with people we do not know
  • The Internet is definitely an open world, therefore a closed trust model will not work
public key infrastructure
Public key infrastructure
  • Have a third trusted party to verify the identity of public keys using signed statements (digital certificates) from the trusted party (certification authority)
  • Have an directory of valid digital certificates so that users can check (analogous to credit card validation)
slide12

Digital Certificate

  • A Public-key certificate binds an entity’s (e.g. amazon.com) public key and one or more attributes relating to its identity.
    • Trusted authority
    • Binding process, verification by the trusted authoraty
    • Digital document (digital certificate) as proof
  • Helps key distribution as digital certificates can be transmitted without encryption
  • Fields in a digital certificate:
  • subject name: unique for a CA, however, multiple certificates may be issued to the same entity by a CA
  • subject public key
  • Optional fields
  • Signature of the above.
  • version (1,2,or 3)
  • serial number: unique within a CA
  • signature algorithm id
  • issuer: CA
  • validity period
slide13

PKI Basic Components

  • PKI public key certificate or simply certificate
    • an electronic record that binds a public key to an identity of the owner of a public-private key pair, signed by a trusted entity (CA)
  • Certificate Revocation List (CRL)
      • a list of certificates that have been revoked
  • Certification Authority (CA)
      • a trusted entity that issues and revokes public key certificates
  • Registration Authority (RA)
      • an entity trusted by CA to register user identity & associated public key to CA
  • Certificate Repository
      • electronic site that holds certificates & CRLs
  • Relying Party (Certificate user)
      • an entity that uses certificates to know, with certainty, the public key of another entity
pki policy and practice
PKI policy and practice
  • Certificate policy statements
    • The CA specifies what a give certificate can be used for (e.g. email, secure server)
    • Driver’s License analogy: this license authorizes the holder to operate 4-wheeled vehicles of up to certain size and weight.
  • Certification practice statements
    • Describes the detailed processes/mechanisms used by registration authorities.
    • Driver’s License analogy: types of id accepted, questions for the written test, criterion and mechanism for eye sight test, criterion for road test
  • Cross certification
    • Accepting certificates issued by different CA’s
    • Driver’s License analogy: most state will accept driver’s licenses issued by other states, but additional tests may be necessary, details vary in different states.
secure socket layer ssl
Secure Socket Layer (SSL)
  • The client (e.g.SSL inside a browser) chooses a protocol
    • Key exchange algorithm
    • Private key cryptography algorithm
    • Message integrity algorithm
  • Server (e.g. SSL inside a web server) informs the client that it supports the propose protocol
  • Server asserts its identity by sending a digital certificate
  • The client verifies the digital certificate by using public keys of CA’s the client trusts
  • The client then generates a session key and encrypt it with the server’s public key and sends the ciphertext to the server
  • Server decrypts the session key and complete the handshake by sending a message back to the client using the session key for encryption.
  • The client decrypts the messages and is then certain that a secure channel has been established.
  • All data transacted in this session (both directions) are encrypted using the session key
virtual private network
Virtual Private Network
  • SSL/HTTPs provides encrypted communication for web traffic
  • VPN provides an encrypted communication pipe for all network traffic
slide17

Intrusion Techniques:

  • Discovery Scanning
    • Target acquisition: map host names, ip addresses
    • Host discovery
  • Port scanning
  • Banner retrieval: types of machines, version information.
  • Vulnerability Scanning: discover known bugs and attacks
  • Exploits
    • NT: obtain user/admin access, NT resource Kit, cover tracks
    • UNIX: obtain root access, root kit, cover tracks
    • Install sniffers, keyboard loggers, acquire access to other parts of the network
    • Spoofing
    • Change data, delete files, steal secrets
  • Dialin and backdoor
  • Social engineering
slide18

Summary of Intrusion Techniques

  • Brute force
  • Patience
  • Mis-configurations
  • Out-of-date software versions
slide19

Firewalls

  • Characteristics
    • All traffic goes through firewalls
    • Only authorized traffic can go through
    • The firewall itself is immune to penetration
  • Service control, e.g. no ftp
  • direction control
  • user control
  • behavior control (e.g. filter emails, and web addresses)
  • Types of firewalls
    • packet filtering router
    • application level gateway
    • circuit level gateway (prevents end to end TCP connection), e.g. SOCKS
packet filtering router firewall
Packet filtering router firewall

www.any.com web server

Send to port 80 At www.any.com

OK

Server

Client

Send to port 670

Send to port 890

Internet

Private network

circuit gateway firewall
Circuit gateway firewall

Server

Client

Socks

lib

Socks

lib

Relay

Internet

Private network

  • Relay will examine all packets and filter out illegal packets
  • For example, a company’s policy may want to filter out all java applets through the firewall.
application gateway firewall
Application gateway firewall

Server

Client

App.

gateway

Internet

Private network

  • Application gateway is a proxy server
  • For every application made available through the firewall, there must be a proxy on the application gateway
  • The application gateway forwards requests to the server, it can also do customized filtering of messages
slide23

Deterring pranks

  • Install appropriate defensive tools (some of)
    • use files
    • virus scans, detect port scans
    • Intrusion Detection Systems (IDS)
  • Install decoys and deception tools (all.net)
slide24

More serious threats

  • Customized virus will evade popular virus scan programs
    • Virus immunology techniques may help, but there is no guarantee!
  • Customized trojans
  • IDS and popular tools are generally ineffective
  • Attack techniques:
    • Be noisy
    • Be quiet
    • Be clever
slide25

Denial of service

  • Noisy sync flooding
  • Typical denial of service starts with a hacked account (e.g. AOL surveys!)
  • Synchronized attacks uses multiple staging points, very difficult to detect and deal with.
slide26

Best defenses

  • Educate users about password and common sense security precautions
  • Don’t execute active MIME contents
    • Christmas cards etc.
  • Security is a system engineering problem
    • the system is only as secure as its weakest link
  • Clear risk assessment
  • Turn off unwanted services, simplify, simplify and simplify
  • Don’t blindly use defaults!
  • Upgrade software
  • Don’t make information easily available
  • Use biometrics when appropriate
  • User education and more user education
slide27

Resources

  • Www.securityfocus.com
  • www.hackernews.com