7: Network Security 1

Chapter 7: Network security –Author?Foundations: what is security? cryptography authentication message integrity key distribution and certification

Security in practice: application layer: secure e-mail transport layer: Internet commerce, SSL, SET network layer: IP security

7: Network Security 2

Importance of Network Security? Think about…

The most private, embarrassing or valuable piece of information you’ve ever stored on a computer

How much you rely on computer systems to be available when you need them

The degree to which you question whether a piece of email really came from the person listed in the From field

How convenient it is to be able to access private information online (e.g. buy without entering all data, look up your transcript without requesting a copy,…)

7: Network Security 3

Importance of Network Security Society is becoming increasingly reliant

on the correct and secure functioning of computer systems Medical records, financial transactions, etc.

It is our jobs as professional computer scientists: To evaluate the systems we use to

understand their weaknesses To educate ourselves and others to be wise

network consumers To design networked systems that are

secure

7: Network Security 4

Overview of Attacks and responses

Probably from: James Kurose & Keith Ross; Computer Networking: A Top-Down Approach Featuring the Internet, 3rd Edition, Addison Wesley, 2005, ISBN: 0-321- 22735-2. Copyright 1996-2005 J.F Kurose and K.W. Ross, All Rights Reserved Acknowledgments

7: Network Security 5

Taxonomy of Attacks (1)

Process based model to classify methods of attack

Passive: Interception: attacks confidentiality.

a.k.a., eavesdropping, “man-in-the-middle” attacks. Traffic Analysis: attacks confidentiality, or

anonymity.Can include traceback on a network, CRT radiation.

Active: Interruption: attacks availability.

(a.k.a., denial-of-service attacks Modification: attacks integrity. Fabrication: attacks authenticity.

7: Network Security 6

Taxonomy of Attacks (2)

‘Result of the attack’ taxonomy Increased Access the quest for root Disclosure of Information credit card numbers Corruption of Information changing grades, etc Denial of Service self explanatory Theft of Resources stealing accounts,

bandwidth

7: Network Security 7

Fundamentals of Defense

Cryptography Restricted Access

Restrict physical access, close network ports, isolate from the Internet, firewalls, NAT gateways, switched networks

Monitoring Know what normal is and watch for

deviations Heterogeneity/Randomness

Variety of Implementations, Random sequence numbers, Random port numbers

7: Network Security 8

Fundamentals of Defense

Cryptography: the study of mathematical techniques related to information security that have the following objectives:IntegrityNon-repudiationConfidentialityAuthentication

7: Network Security 9

Objectives of Cryptography

Integrity : ensuring information has not been altered by unauthorized or unknown means Integrity makes it difficult for a third party to

substitute one message for another. It allows the recipient of a message to verify it

has not been modified in transit. Nonrepudiation : preventing the denial of

previous commitments or actions makes it difficult for the originator of a

message to falsely deny later that they were the party that sent the message.

E.g., your signature on a document.

7: Network Security 10

Objectives of Cryptography

Secrecy/Confidentiality : ensuring information is accessible only by authorized persons Traditionally, the primary objective of cryptography. E.g. encrypting a message

Authentication : corroboration of the identity of an entity allows receivers of a message to identify its origin makes it difficult for third parties to masquerade as

someone else e.g., your driver’s license and photo authenticates

your image to a name, address, and birth date.

7: Network Security 11

Security Services

Authorization Access Control Availability Anonymity Privacy Certification Revocation

7: Network Security 12

Security Services

Authorization: conveyance of official sanction to do or be something to another entity. Allows only entities that have been authenticated

and who appear on an access list to utilize a service. E.g., your date of birth on your driver’s license

authorizes you to drink as someone who is over 21.

Access Control: restricting access to resources to privileged entities. ensures that specific entities may perform specific

operations on a secure object. E.g. Unix access control for files (read, write, execute

for owner, group, world)

7: Network Security 13

Security Services

Availability: ensuring a system is available to authorized entities when needed ensures that a service or information is

available to an (authorized) user upon demand and without delay.

Denial-of-service attacks seek to interrupt a service or make some information unavailable to legitimate users.

7: Network Security 14

Security Services

Anonymity : concealing the identity of an entity involved in some process Concealing the originator of a message

within a set of possible entities.• The degree of anonymity of an entity is the sum

chance that everyone else in the set is the originator of the message.

• Anonymity is a technical means to privacy.

Privacy: concealing personal information, a form of confidentiality.

7: Network Security 15

Security Services

Certification: endorsement of information by a trusted entity.

Revocation: retraction of certification or authorization

Certification and Revocation Just as important as certifying an entity, we

need to be able to take those rights away, in case the system is compromised, we change policy, or the safety that comes from a “refresh”.

7: Network Security 16

Friends and enemies: Alice, Bob, Trudy

well-known in network security world Bob, Alice want to communicate “securely” Trudy, the “intruder” may intercept, delete, add

messages

Figure 7.1 goes here

7: Network Security 17

What is network security?

Secrecy: only sender, intended receiver should “understand” msg contents sender encrypts msg receiver decrypts msg

Authentication: sender, receiver want to confirm identity of each other

Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection

7: Network Security 18

Internet security threatsPacket sniffing:

broadcast media promiscuous NIC reads all packets passing by can read all unencrypted data (e.g. passwords) e.g.: C sniffs B’s packets

A

B

C

src:B dest:A payload

7: Network Security 19

Internet security threatsIP Spoofing:

can generate “raw” IP packets directly from application, putting any value into IP source address field

receiver can’t tell if source is spoofed e.g.: C pretends to be B

A

B

C

src:B dest:A payload

7: Network Security 20

Internet security threatsDenial of service (DOS):

flood of maliciously generated packets “swamp” receiver Distributed DOS (DDOS): multiple coordinated sources swamp

receiver e.g., C and remote host SYN-attack A

A

B

C

SYN

SYNSYNSYN

SYN

SYN

SYN

7: Network Security 21

The language of cryptography

symmetric key crypto: sender, receiver keys identical

public-key crypto: encrypt key public, decrypt key secret

Figure 7.3 goes here

plaintext plaintext

ciphertext

KA

KB