1 / 31

Security Basics

Security Basics. Agenda. Properties of a secure communication Symmetric encryption Asymmetric encryption Public key encryption Digital Signatures Encryption in the network History. Authentication (identity) Who are you? Authorization What can you do ? Accounting (active audit)

Download Presentation

Security Basics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Security Basics

  2. Agenda • Properties of a secure communication • Symmetric encryption • Asymmetric encryption • Public key encryption • Digital Signatures • Encryption in the network • History

  3. Authentication (identity) Who are you? Authorization What can you do ? Accounting (active audit) What did you do ? Confidentiality What can you see ? Properties of a secure communication • Integrity • Nothing has been modified • Non Repudiation • The sender cannot deny he has sent it • Anti Replay

  4. Encryption: Basic Model Encrypt Key Decrypt Key OriginalCleartext Cleartext Ciphertext Encryption Decryption Networkers &^$!@#l:{Q Networkers • Encryption turns cleartext into ciphertext • Encryption key as parameter to algorithm • Decryption restores cleartext from ciphertext • Decryption key as parameter to algorithm

  5. Symmetric Encryption Key Key Encryption Decryption Networkers &^$!@#l:{Q Networkers • Encryption and decryption use same mathematical function • Encryption and decryption use same key • Example: Data Encryption StandardDES, 3DES, RC2, RC4, AES

  6. Challenges with Symmetric Encryption • Keys must be changed frequentlyto avoid analysis, limit risks • Shared keys must be generatedand distributed securely • Multiple techniques to achieve this

  7. Diffie-Hellman Key Exchange a , p Alice Bob XA XB YA= (aXA) mod p YB= (aXB) mod p Z= (YB) XAmod p Z= (YA)XB mod p • By exchanging numbers in the clear, two entities can determine a new uniquenumber known only to them • Result is a shared key which can be usedas DES key—repeated as often as required • Scalable and secure key generation

  8. Symmetric Encryption • Provides confidentiality, data integrity • Relies on a shared secret (key) • Creates a flat community of trust • A relatively fast and efficient mechanism for bulk data encryption

  9. Asymmetric Encryption Key Key Encryption Decryption Networkers &^$!@#l:{Q Networkers • Encryptor and decryptor use pair of different keys • Encryptor and decryptor use different functions • Example: Public key algorithms (RSA, Diffie-Hellman)

  10. Asymmetric Encryption • Provides authentication, confidentiality, data integrity (basis for non-repudiation) • Relies on individual key pairs • Allows for assurance among strangers • Relatively slow and cpu-intensive

  11. Public Key Encryption • Public/private keys • Digital signatures • Certificates • Certifying Authority (CA)

  12. Encryption Decryption Authenticate Recipient Alice Bob Clear Encrypted Clear Bob’s Public Key Bob’s Private Key • Alice needs to send Bob an encrypted message • Alice picks up Bob’s public key • Alice encrypts the message with Bob’s public key • Alice sends the encrypted message • Bob decrypts using his private key

  13. Encryption Decryption Authenticate Sender Alice Bob Clear Encrypted Clear Alice’s Private Key Alice’s Public Key • Bob needs to know that Alice sent a message • Alice picks up her own private key • Alice encrypts the message with her private key • Alice sends the encrypted message • Bob decrypts using Alice’s public key

  14. Invoice Payment Signature Digital Signature • A digital signature is a message thatis appended to a document • It can be used to prove the identity of thesender and the integrity of the document

  15. Message Hash Function Alice Digital Signature • How does Alice sign her message? Hash of Message Encrypt Hash Using Alice’s Private Key Digital Signature = Encrypted Hash of Message

  16. Message Alice Digital Signature Verification • How does Bob verify Alice’s signature ? Re-Hash the Received Message Signature Decrypt theReceived Signature Message withAppended Signature Signature Decrypt Using Alice’s Public Key Hash Function Hash of Message Hash of Message If Hashes Are Equal, Signature Is Authentic.

  17. Digital Signature • Two common public-key digitalsignature techniques: • RSA (Rivest, Shamir, Adelman) • DSS (Digital Signature Standard) • A sender uses his secret key to sign a document • The receiver of the document uses the sender’s public key to verify the signature • If the verification is successful, we areassured of two things: • The document has not been altered • The identity of the author

  18. Key Attack Secure

  19. Where Did the Public Key Come From? • How can Bob be assured that Alice’s public key belongs to the real Alice? Alice Bob “I’m Margaret Thatcher.” “I’m Mickey Mouse.”

  20. Digital Certificate • A signed message that attests to the authenticity of the users public key • A digital certificate contains: • Serial number of the certificate • Issuer algorithm information (digest/hash, PK type, PK) • Valid to/from date • User public key information (PK type, PK) • Signature of issuing authority 0000123 SHA,DH, 3837829.... 1/1/93 to 12/31/98 Alice Smith, Acme Corporation DH, 3813710... Acme Corporation, Security Dept. SHA,DH, 2393702347 ...

  21. B’s Public Number CA’s Signature Ca’s Public Number Certification AuthorityIssuing Certificates Certification Authority Public Number Public Number Certificate Certificate User A User B A’s Public Number CA’s Signature Ca’s Public Number Cisco Systems Confidential Cisco Systems Confidential 96NWK_ekaufman.ppt 21

  22. Example of X.509 Hierarchical Authority Structure CA Int Cert Int-UK Cert Int-US Cert US-Int Cert UK-Int CA CA UK US Cert UK-A Cert US-C Cert US-D Cert UK-B B C A D Example: Certificates Used by A to Obtain Public Key of C: Cert UK-Int Cert UK-US Cert US-IC

  23. Policy Objectives Access Security Connectivity Performance Ease of use Authenticity Confidentiality Integrity Auditability

  24. Encryption Alternatives Application-Layer Encryption Application Layers (5-7) Network-Layer Encryption Transport/Network Layers (3-4) Link/Physical Layers (1-2) Link-LayerEncryption Link-LayerEncryption

  25. Application Encryption • Encrypts traffic to/from interoperable applications • Specific to application, but network independent • Application dependent • All users must have interoperable applications • Examples: S/MIME, https, ssh, ssl

  26. Network Encryption A to HR Server—Encrypted All Other Traffic—Clear HR Server A E-mail Server B D • Encrypts traffic between specific networks, subnets,or address/port pairs • Specific to protocol, but media/interface independent • Does not need to supported by intermediate network devices • Independent of intermediate topology

  27. Link Encryption • Encrypts all traffic on a link, including network-layer headers • Specific to media/interface type, but protocol independent • Topology dependent • Traffic is encrypted/decrypted on link-by link basis • All alternative paths must be encrypted/decrypted

  28. Evolution of Public Key Cryptography • 1976 Public key principles established by Diffie and Hellman • 1978 Public key implementation defined by Rivest, Shamir, Aldeman for digital signatures • 1985 First product incorporating public key introduced by Cylink • 1985 El Gamal develops public key digital signature and encryption scheme based on exponentiation

  29. Evolution of Public Key Cryptography (Cont.) • 1987-89 Public key emerging as standard in Europe • Endorsed by SWIFT, EFTPOS (1987) ISO/OSI standards in review phase (1988) • 1987-95 Public key evolving as U.S. standard • Used in STU-III Secure Telephone (1987) Adopted by Treasury and Justice (1988) Adopted by Internet (1989) NIST standards in review phase (1989) ANSI X9.17 proposal in review (1989) Digital signature standard (DSS) (1994) FIPS-186 DSS (1994) ANSI X0.42 (draft) for Diffie-Hellman (1995)

  30. Public Key Standards • OSI/IEC 9594-8 Recommendation X.509 (also ITU X.509):the Directory: Authentication Framework • AS28095.5.3 (Australian Government)—Electronic DataTransfer-Requirements for Interfaces: Part 5.3 Data Encipherment Algorithms (RSA) • ISO9796: Information Technology, Security Techniques: Digital Signature Scheme Giving Message Recovery • ANSI X9.31 (Draft): Public Key Cryptography using Reversible Algorithms for the Financial Services Industry: Part 1: the RSA Signature Algorithm

  31. Public Key Standards (Cont.) • ANSI X9.30 (Draft): Public Key Cryptography forthe Financial Service Industry: Part 1: The DigitalSignature Algorithm • X9.42 (Draft): Diffie-Hellman Public Key Exchange • Federal Information Processing Standard FIPS-186:Digital Signature Standard • Federal Information Processing Standard FIPS-186:Digital Signature Standard • Others: • ETEBAC5, (France)ISO draft standard CD 11166IEEE draft 802.11 Secure Interoperability Standard for LANs

More Related