Network Security I
CSCI 4971 / 6968
www.cs.rpi.edu/~yener/TEACHING/Netsec/Spring11/
Bülent Yener
yener@cs.rpi.edu
Lecture 1
1/26/11
This presentation is in part based on the slides of W. Stallings
Outline
• Class information
– Network security I and II
• Background and introduction
• Basic concepts: attacks, services, mechanisms
Aim of the Courses
• Our focus is on both Network & Internet Security and Cryptography
• NetSec I focuses on cryptography and basics
• NetSec II builds upon NetSec I and covers advanced topics.
CSCI-4971 and 6968 Network Security
• Basic Cryptography
• Basic Number Theory
• Security Goals
– Authentication, Privacy, Integrity, Key exchange
• Security Solutions
– SSL, PGP, SSH, IPSEC
• Security Practice
– E-mail, IP security, Web security, …
• And more: Internet and Network security issues
Definitions
• Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over a collection of interconnected networks
Standards Organizations
• National Institute of Standards & Technology (NIST)
• Internet Society (ISOC)
• International Telecommunication Union Telecommunication Standardization Sector (ITU-T)
• International Organization for Standardization (ISO)
Example
• XXX bank wants to provide web banking service to its customers. They have already programmed web pages and applications. Every customer has an id and password to access their account information.
– What are the threats?
– What are the security mechanisms to prevent them?
– What are the security services?
Case Study
[Figure labels: Attacker, Bank Customer, Internet, Dial-up Access Server, Web Server, Bank Network, Banking Server]
Security Attacks
• Passive attacks - eavesdropping on, or monitoring of, transmissions to:
– obtain message contents, or
– intercept, or monitor traffic flows
• Active attacks – modification of data stream to:
– masquerade of one entity as some other
– fabricate a message
– replay previous messages
– modify messages in transit
– denial of service
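The passive/active split above is easiest to see against a concrete "security transformation" of the kind the Model for Network Security slide later asks for. The following is an added example, not code from the lecture or from Stallings: it assumes a shared secret has already been generated and distributed out of band, derives separate encryption and MAC keys from it, and protects each record with an HMAC-SHA256-in-counter-mode keystream, an HMAC tag and a sequence number. The keystream construction, the record layout and the message text are demo assumptions, not any standard protocol, and the point is which of the slide's attacks each mechanism stops.

```python
import hashlib
import hmac

# Added example, not from the lecture. Standard-library primitives only:
# HMAC-SHA256 in counter mode as the keystream (a demo construction, not a
# standardised cipher), an HMAC tag, and a per-direction sequence number.
# Record layout (assumption): 8-byte sequence number | ciphertext | 32-byte tag
SEQ_LEN = 8
TAG_LEN = 32


def derive_keys(shared_secret):
    """Split the distributed secret into independent encryption and MAC keys."""
    k_enc = hmac.new(shared_secret, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(shared_secret, b"mac", hashlib.sha256).digest()
    return k_enc, k_mac


def _keystream(k_enc, seq_bytes, length):
    """PRF(k_enc, seq || counter) blocks, concatenated and truncated to length."""
    blocks, counter = [], 0
    while len(blocks) * 32 < length:
        blocks.append(hmac.new(k_enc, seq_bytes + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(k_enc, k_mac, seq, plaintext):
    """Sender side: encrypt, then MAC the sequence number together with the ciphertext."""
    seq_bytes = seq.to_bytes(SEQ_LEN, "big")
    ciphertext = _xor(plaintext, _keystream(k_enc, seq_bytes, len(plaintext)))
    tag = hmac.new(k_mac, seq_bytes + ciphertext, hashlib.sha256).digest()
    return seq_bytes + ciphertext + tag


def decrypt_only(k_enc, record):
    """What a receiver that provides confidentiality but never checks integrity would get."""
    seq_bytes, ciphertext = record[:SEQ_LEN], record[SEQ_LEN:-TAG_LEN]
    return _xor(ciphertext, _keystream(k_enc, seq_bytes, len(ciphertext)))


class Receiver:
    """Receiving state for one direction: keys plus the next expected sequence number."""

    def __init__(self, k_enc, k_mac):
        self.k_enc, self.k_mac = k_enc, k_mac
        self.expected_seq = 0

    def unprotect(self, record):
        seq_bytes, ciphertext, tag = record[:SEQ_LEN], record[SEQ_LEN:-TAG_LEN], record[-TAG_LEN:]
        expected = hmac.new(self.k_mac, seq_bytes + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # modified or fabricated record
            raise ValueError("integrity check failed")
        if int.from_bytes(seq_bytes, "big") != self.expected_seq:   # replayed or reordered
            raise ValueError("unexpected sequence number")
        self.expected_seq += 1
        return decrypt_only(self.k_enc, record)


def _rejected(receiver, record):
    try:
        receiver.unprotect(record)
        return False
    except ValueError:
        return True


def demo():
    """Run one passive and the slide's active attacks (modify, replay, fabricate) against the scheme."""
    k_enc, k_mac = derive_keys(b"constructed shared secret for the demo")   # assumed distributed out of band
    bank = Receiver(k_enc, k_mac)
    message = b"transfer 100 to account 42"
    record = protect(k_enc, k_mac, 0, message)
    results = {}
    # Passive attacker on the carrier sees the record, not the message.
    results["eavesdropper_sees_plaintext"] = message in record
    # Active attacker flips bits in the ciphertext so that '1' becomes '9' in the amount.
    tampered = bytearray(record)
    tampered[SEQ_LEN + len(b"transfer ")] ^= ord("1") ^ ord("9")
    tampered = bytes(tampered)
    results["bitflip_works_without_mac"] = decrypt_only(k_enc, tampered) == b"transfer 900 to account 42"
    results["bitflip_rejected"] = _rejected(bank, tampered)
    results["genuine_accepted"] = bank.unprotect(record) == message
    results["replay_rejected"] = _rejected(bank, record)           # same genuine record sent again
    forged = protect(b"attacker key", b"attacker key", 1, b"transfer 999 to account 13")
    results["fabrication_rejected"] = _rejected(bank, forged)      # attacker lacks k_mac
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(check, outcome)
```

The bit-flip case is the one worth noticing: a stream cipher on its own gives confidentiality against the passive attacker but lets the active attacker change the amount without knowing the key, which is why the tag and the sequence number are separate parts of the transformation.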
Threats
[Figure labels: Bank Customer, Customer ISP, Internet Backbone, carrier, Bank ISP, Bank Network, Web Server, Banking Server; two Attacker positions]
[...]
Targets
• [...]
– [...] programs
– IP spoofing
– Unsafe services
– Malicious codes: virus and worms
– DoS: SYN attack, ping flooding
• Bank Network and Servers
– Use backdoor to access
– Eavesdropping
– Man-in-the-middle: Web Server to Banking Server
– Session hijacking
– DoS
– DNS attack
– Use unsafe services in other servers
– Install malicious codes in other servers
Targets (cont.)
• DNS servers
– DNS cache poisoning
– DNS [...]
[...]
Customer-Web Server Comm
• Confidentiality & Integrity
– Key exchange
• Authenticated, must be part of the authentication process
• One time for life time [...] session
– Strong crypto algorithms
• Access control at customer and bank side
Customer-Web Server Comm
[Figure: message exchange between Client and Server]
Client Hello
Server Certificate
Client Certificate
Proof: Server Certificate
Proof: Client Certificate
Secret key exchange
Communication with Confidentiality & Integrity with the secret
Looks like SSL!
SSL
• What is SSL?
– Secure Sockets Layer
– Provides [...] communication between you and the server
– How do you know that it is active:
• The lock shown by your browser
– When the lock is closed or unbroken
• Web address starting with HTTPS
Model for Network Security
[Figure]
Model for Network Security
• Using this model requires us to:
– design a suitable algorithm for the security transformation
– generate the secret information (keys) used by the algorithm
– [...] methods to distribute and share the secret information
– specify protocols enabling the principals to use the transformation and secret information for a security service
Model for Network Access Security
[Figure]
Model for Network Access Security
• Using this model requires us to:
– select appropriate gatekeeper functions to identify users
– implement security controls to ensure only authorised users [...]
[...]
SSL – Authentication
• [...] a picture ID (Driver's License, Passport)
• Your browser asks a certificate
– They both trust the issuer of ID
• Bank teller trusts Department of Motor Vehicle
– DMV checks birth certificate to issue the license
• Your browser trusts certificate authorities
– VeriSign, Entrust, RSA, AOL
SSL – Authentication (cont…)
– They both validate the ID
• [...] whether it is a real ID:
– Is it like a real license of the NY DMV?
– Does picture and name match?
– Expiration date?
• Your browser checks whether it is a real certificate:
– Is it like a real certificate of the certificate authority under consideration?
– Does ID, Name and/or other information match?
– Expiration date?
Digital Certificates (cont…)
• Just like a driver's license:
– (issued to): Stores information about the owner
– (issued by): Stores information about the Authority issuing the ID
– Stores validity information
• Also stores Fingerprints
Digital Certificates
[Figure: a certificate and its Signature field]
Digital Certificates (cont…)
• Fingerprint
– Generated by the issuer (Verisign)
• Issuer has two keys
– An encryption key (private)
– A decryption key (public)
• Public key is known to every [...] as root certificates
Digital Certificates (cont…)
• Your browser trusts issuer (Verisign)
• Your browser knows the public key of the issuer
• Your browser knows that a public key can only decrypt a fingerprint encrypted by matching private key
• Your browser verifies that the certificate is given by the trusted authority
• Your browser authenticates the owner of the certificate
[...] Authentication
– UserID/Password: "you know"
– Client Certificate: "given to you"
– Prevent stolen client certificates
• Short life time, not feasible!
• Associate certificate to User ID
• Accept a certificate if:
– It is valid
» Check authority
» Check expiration date
» Check black list (certificate revoke list)
» Has user correctly proven his knowledge of the private key associated with the certificate
– User entered matching user ID (stored in certificate) and correct password
– Server certificate
– Generate one time session key (we do not want to use our password or private key to provide confidentiality!)
SSL [...]
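The certificate checks spread over the Digital Certificates slides and the "Accept a certificate if" list (trusted authority, fingerprint verified under the issuer's public key, expiration date, revocation list, name match, proof of knowledge of the private key) as one runnable piece. This is an added example, not the lecture's code: it uses textbook RSA with a seeded demo key generator so that the slides' wording, the issuer "encrypts" the fingerprint with its private key and the browser "decrypts" it with the public key, can be executed literally. Certificates are plain dicts rather than X.509, signatures are unpadded, validity times are integer Unix timestamps, and the root store, revocation list, "Demo CA", "Rogue CA" and "www.xxxbank.example" are all constructed for the demo.

```python
import hashlib
import json
import random

# Added example, not the lecture's code. Textbook RSA, dict "certificates" and a
# seeded key generator; every name, serial and timestamp below is constructed.


def _is_probable_prime(n, rng, rounds=32):   # Miller-Rabin; demo-grade, not hardened
    if any(n % p == 0 for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
        return False   # only ever called with 256-bit candidates, never a small prime
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top and low bits set
        if _is_probable_prime(candidate, rng):
            return candidate


def generate_keypair(seed, bits=512):
    """Returns (public (n, e), private (n, d)); seeded only so the demo is reproducible."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        if p != q and ((p - 1) * (q - 1)) % e:
            break
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))


def fingerprint(fields):
    """SHA-256 of a canonical encoding: 256 bits, so it always lies below the 512-bit n."""
    digest = hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).digest()
    return int.from_bytes(digest, "big")


def sign(private_key, fields):
    n, d = private_key
    return pow(fingerprint(fields), d, n)                 # "encrypt" the fingerprint with the private key


def signature_valid(public_key, fields, signature):
    n, e = public_key
    return pow(signature, e, n) == fingerprint(fields)    # "decrypt" with the public key and compare


def issue_certificate(issuer, issuer_priv, serial, subject, subject_pub, not_before, not_after):
    """Issuer records 'issued to', 'issued by', validity and the subject's public key, then signs."""
    fields = {"serial": serial, "issued_to": subject, "issued_by": issuer,
              "public_key": list(subject_pub), "not_before": not_before, "not_after": not_after}
    return {"fields": fields, "signature": sign(issuer_priv, fields)}


def verify_certificate(cert, trusted_roots, revoked_serials, expected_name, now):
    """The browser-side checks from the slides; returns (accepted, reason)."""
    f = cert["fields"]
    issuer_pub = trusted_roots.get(f["issued_by"])                  # check authority
    if issuer_pub is None:
        return False, "issuer is not a trusted root"
    if not signature_valid(issuer_pub, f, cert["signature"]):      # fingerprint under issuer's key
        return False, "fingerprint does not verify under the issuer's public key"
    if not f["not_before"] <= now <= f["not_after"]:                # check expiration date
        return False, "outside validity period"
    if f["serial"] in revoked_serials:                              # check the revocation list
        return False, "certificate revoked"
    if f["issued_to"] != expected_name:                             # does the name match?
        return False, "name mismatch"
    return True, "accepted"


def challenge_proven(cert, challenge, proof):
    """Knowledge of the private key: the proof must verify under the certificate's public key."""
    return signature_valid(tuple(cert["fields"]["public_key"]), {"challenge": challenge.hex()}, proof)


def demo(now=1_296_000_000):   # constructed "now": 2011-01-26 00:00 UTC
    ca_pub, ca_priv = generate_keypair(seed=1)
    bank_pub, bank_priv = generate_keypair(seed=2)
    _, rogue_priv = generate_keypair(seed=3)
    roots, revoked, day = {"Demo CA": ca_pub}, {7}, 86400        # constructed root store and CRL
    name, chal = "www.xxxbank.example", {"challenge": b"constructed server nonce".hex()}
    def cert(issuer, priv, serial, subject, start, end):
        return issue_certificate(issuer, priv, serial, subject, bank_pub, now + start * day, now + end * day)
    good = cert("Demo CA", ca_priv, 1, name, -1, 365)
    tampered = {"fields": dict(good["fields"], issued_to="www.evil.example"), "signature": good["signature"]}
    return {
        "genuine": verify_certificate(good, roots, revoked, name, now),
        "expired": verify_certificate(cert("Demo CA", ca_priv, 2, name, -400, -30), roots, revoked, name, now),
        "revoked": verify_certificate(cert("Demo CA", ca_priv, 7, name, -1, 365), roots, revoked, name, now),
        "tampered": verify_certificate(tampered, roots, revoked, "www.evil.example", now),
        "wrong_name": verify_certificate(good, roots, revoked, "www.other.example", now),
        "untrusted": verify_certificate(cert("Rogue CA", rogue_priv, 1, name, -1, 365), roots, revoked, name, now),
        "proof_ok": challenge_proven(good, b"constructed server nonce", sign(bank_priv, chal)),
        "proof_wrong_key": challenge_proven(good, b"constructed server nonce", sign(rogue_priv, chal)),
    }
```

Note the order of the checks: the signature is verified before the validity, revocation and name fields are consulted, because until the fingerprint verifies under a trusted issuer's key none of those fields can be believed, which is exactly what the "tampered" case shows. The challenge in the last two entries is the server-chosen value the client signs to prove it holds the private key; a stolen certificate alone does not pass it.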