
Security Properties

Security Properties. Authentication is the process of reliably determining the genuine identity of the communicating computer or user. Integrity is the correctness of data as it was originally sent. Confidentiality ensures that data is disclosed only to intended recipients.


Presentation Transcript


  1. Security Properties • Authentication is the process of reliably determining the genuine identity of the communicating computer or user. • Integrity is the correctness of data as it was originally sent. • Confidentiality ensures that data is disclosed only to intended recipients. • Anti-replay ensures that datagrams are not retransmitted.

  2. Cryptography • Cryptography is a set of mathematical techniques for encrypting and decrypting data. • Cryptography uses keys in conjunction with algorithms to secure data. • The algorithm provides the infrastructure in which the key is applied. • A number of well-known cryptographic algorithms support security operations. • Microsoft Windows 2000 supports public key cryptography. • A secret key is used in much the same way as a public key.

  3. Public Key Cryptography • Overview of public key cryptography • Data encryptions • Digital message signing

  4. Secret Keys

  5. Certificates • Public key encryption assumes that the identity of the key pair owner is established beyond doubt. • A digital certificate is a set of data that completely identifies an entity. • The recipient of the message can use the sender’s public key to verify that the sender is legitimate.

  6. X.509 • The term X.509 refers to the ITU-T standard for certificate syntax and format. • The Windows 2000 certificate-based processes use the X.509 standard. • At a minimum, certificates should contain certain specific attributes.

  7. Certificate Revocation Lists (CRLs) • Certificates can expire and become invalid. • The Certificate Authority (CA) can revoke a certificate for any reason. • The CA maintains a CRL.

  8. CA Hierarchy • CAs can certify other CAs. • The chaining of CAs provides several benefits.

  9. Microsoft Certificate Services • Enables an organization to manage the issuance, renewal, and revocation of digital certificates • Allows an organization to control the policies associated with issuing, managing, and revoking certificates • Logs all transactions

  10. Features of Certificate Services • Policy independence • Transport independence • Adherence to standards • Key management

  11. Certificate Services Architecture

  12. Processing a Certificate Request

  13. Enrolling Certificates

  14. CA Certificates • The CA validates the identity of the individual requesting the certificate and then signs the certificate with its own private key. • A client application checks the CA signature before accepting a certificate. • The CA certificate is a signature certificate that contains a public key used to verify digital signatures. • A self-signed CA certificate is also called a root certificate. • CA certificates can be distributed and installed.

  15. Installing Certificate Services • You can install Certificate Services by using Add/Remove Programs in Control Panel. • Certificate Services supports four Certificate Authority types. • You must supply information about the initial CA that is created when you install Certificate Services. • The advanced configuration contains options for the type of cryptography algorithms to be used for the CA that you are creating.

  16. Administering Certificate Services

  17. Secure Channel (SChannel) Authentication Package

  18. Smart Cards • Smart cards can be used to store a user’s public key, private key, and certificate. • To use a smart card, a computer must have a smart card reader. • A smart card contains an embedded microprocessor, a cryptography coprocessor, and local storage. • Windows 2000 supports PK-based smart card logon as an alternative to passwords for domain authentication.

  19. Authenticode • Ensures accountability and authenticity for software components on the Internet • Verifies that the software hasn’t been tampered with and identifies the publisher of the software • Allows software publishers to digitally sign any form of active content

  20. Encrypting File System (EFS) • EFS is an extension of NTFS that provides strong data protection and encryption for files and folders. • The encryption technology is based on use of public keys and runs as an integrated system service. • The encrypting user’s public key is used in the encryption process. • Encryption and decryption are done transparently during the I/O process. • EFS supports encryption and decryption of files stored on remote NTFS volumes.

  21. Data Protection • EFS uses a combination of the user’s public and private keys as well as a file encryption key. • Windows 2000 uses the Data Encryption Standard X algorithm to encrypt files.

  22. Data Recovery • The Encrypted Data Recovery Policy is used to specify who can recover data in case a user’s private key is lost. • For security, recovery is limited to the encrypted data; it is not possible to recover users’ keys.

  23. Encrypted Backup and Restoration • Members of the Backup Operators group do not have the keys necessary for decryption. • Encrypted data is read and stored in the backup as an opaque stream of data.

  24. Fault Tolerance • The processes of encryption and decryption are automatic and transparent to users and applications. • You can encrypt a file or folder in Windows Explorer and from the command prompt.

  25. EFS Encryption

  26. EFS Decryption

  27. EFS Recovery

  28. Cipher Command-Line Utility • The cipher command-line utility allows you to encrypt and decrypt files from a command prompt. • The cipher command includes a number of parameters.

  29. IP Security (IPSec) • IPSec protects sensitive data on a TCP/IP network. • The computer initiating communication transparently encrypts the data by using IPSec. • The destination computer transparently decrypts the data before passing it to the destination process. • IPSec ensures that any TCP/IP-based communication is secure from network eavesdropping.

  30. IPSec Policies • Negotiation policies • IP filters • Security policies

  31. IPSec Components • IPSec Policy Agent service • ISAKMP/Oakley (IKE) protocols • IPSec driver

  32. Example of IPSec Communication

  33. Kerberos Protocol in Windows 2000 • Kerberos is the default authentication provider in Windows 2000 and the primary security protocol. • Kerberos verifies the identity of the user and the integrity of the session data. • Kerberos operates as a trusted third party to generate session keys and grant tickets for specific client/server sessions. • When the Kerberos service issues a ticket, it contains a number of components. • The expiration period of a ticket is defined by the domain policy.

  34. Kerberos Terminology • Principal • Realm • Secret key • Session key • Authenticator • Key distribution center (KDC) • Privilege attribute certificate (PAC) • Ticket • Ticket granting ticket (TGT)

  35. Features of the Kerberos Protocol • Mature open standard • Faster connection authentication • Mutual authentication • Delegation of authentication • Transitive trust

  36. Kerberos Authentication Process

  37. Kerberos Delegation

  38. Local Interactive Logon

  39. Domain Interactive Logon

  40. Security Configuration • The Security Configuration and Analysis snap-in can be used to directly configure local system security. • You can import security templates and apply them to the group policy object (GPO) for the local computer.

  41. Security Analysis • The state of the operating system and applications is dynamic. • Regular analysis enables an administrator to track and ensure an adequate level of security. • The Security Configuration and Analysis snap-in enables quick review of security analysis results. • You can use the Secedit command-line utility to analyze a large number of computers.

  42. Security Configuration and Analysis Snap-In

  43. Security Templates Snap-In

  44. Group Policy Snap-In • Through the use of GPOs in Active Directory services, administrators can centrally apply the security levels required to protect enterprise systems. • The Group Policy snap-in allows you to configure security centrally in the Active Directory store. • The security settings allow group policy administrators to set policies.

  45. Windows 2000 Auditing • Auditing is the process of tracking both user activities and Windows 2000 activities on a computer. • An audit entry in the Security log contains several types of information. • You can use an audit policy to define security events.

  46. Planning an Audit Policy • You must determine the computers on which to set up auditing. • Auditing is turned off by default. • You can audit a number of events. • You must determine whether to audit the successes and failures of events. • Follow the recommended guidelines when determining an audit policy.

  47. Configuring Auditing • You can implement an audit policy based on the role of the computer in the Windows 2000 network. • You must follow specific requirements to set up auditing. • Setting up auditing is a two-part process.

  48. Setting an Audit Policy

  49. Auditing Access to Files and Folders • You can set up auditing for files and folders on NTFS partitions. • Once you set up an audit policy, you enable auditing for specific files and folders and specify which types of access, by which types of users or groups, to audit.

  50. Auditing Access to Active Directory Objects • You must configure an audit policy and then set auditing for specific objects. • To enable auditing of access to Active Directory objects, enable the appropriate policy in the Group Policy snap-in. • To enable auditing for specific Active Directory objects, use the Active Directory Users and Computers snap-in.
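
The integrity and anti-replay properties listed on slide 1, as an added example that is not part of the original presentation: a receiver that verifies an HMAC over each datagram and then applies a sliding sequence-number window. The datagram layout, the key, the names `seal` and `Receiver`, and the 64-entry window are assumptions for illustration, not the IPSec wire format, and confidentiality (encryption) is not shown.

```python
import hashlib
import hmac
import struct

WINDOW = 64   # assumed window size, in sequence numbers
TAG_LEN = 32  # HMAC-SHA256 output length

def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: 4-byte big-endian sequence number, payload, then the HMAC tag."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0  # highest sequence number accepted so far
        self.bitmap = 1   # bit i set => (highest - i) seen; seq 0 is never valid

    def accept(self, datagram: bytes) -> str:
        if len(datagram) < 4 + TAG_LEN:
            return "malformed"
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        # Integrity first: the window must never move for a forged datagram.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-integrity"
        seq = struct.unpack(">I", body[:4])[0]
        if seq > self.highest:
            shift = seq - self.highest
            # A jump of a full window or more discards all older history.
            self.bitmap = 1 if shift >= WINDOW else \
                ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return "accepted"
        offset = self.highest - seq
        if offset >= WINDOW:
            return "too-old"   # cannot tell fresh from replayed, so reject
        if (self.bitmap >> offset) & 1:
            return "replay"
        self.bitmap |= 1 << offset  # late but first-time arrival
        return "accepted"

def demo() -> list:
    key = b"constructed-demo-key"  # constructed sample key
    rx = Receiver(key)
    d1, d2, d3 = (seal(key, n, b"pay %d" % n) for n in (1, 2, 3))
    tampered = d2[:4] + b"PAY 2" + d2[9:]  # payload changed, tag left as-is
    stream = (d1, d3, d2, d2, tampered, seal(key, 200, b"x"), d3)
    return [rx.accept(d) for d in stream]
```

Out-of-order delivery (3 before 2) is accepted once, the second copy of datagram 2 is rejected as a replay, and anything older than the window is rejected because the receiver no longer remembers whether it was seen.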
