Copyrighted material John Tullis 12/3/2015 page 1 04/08/00 Security John Tullis DePaul Instructor [email protected]

Copyrighted materialJohn Tullis

04/18/23page 1

04/08/00 Security

John TullisDePaul [email protected]


04/18/23page 2

Security

Security

• The Internet was designed to provide dynamic, flexible and open communications among a large diversity of entities. However, the Internet was not designed to protect confidential or sensitive information. Unless carefully studied security procedures are used, both information being communicated and resources used for communication are unprotected from mischief or malice.


04/18/23page 3

Security

Security - major concerns• The major concerns about Internet transactions include authenticity, authorization, privacy, integrity of information and non-repudiation.


04/18/23page 4

Security

Security - authenticity

• "Is this person who they say they are?”• Authentication is the process in which a user (human user or server process) proves to the system that they are who they purport to be. This means that when a user wishes to use a system, they must first prove their identity by some means. Some example mechanisms for authenticating to a system include userid/password pairs, smart cards, and finger print verification. Choosing which authentication mechanism is appropriate for a given system highly depends upon the usage of that system. The degree of certainty that must be assured will dictate the authentication mechanism.


04/18/23page 5

Security

Security - authorization

• ”May this person/program have access?”• Once a user has been authenticated to a system, a determination must be made as to the rights that user has to the system. An example of this would be giving a user the ability to read certain data on a system without giving them the rights to change that data. There are many mechanisms that a system can use to determine a user’s authorization rights. Some examples of authorization mechanisms include access control lists, permission bits, and user written code that check a user’s identity and determines their rights.


04/18/23page 6

Security

Security - privacy

• "Is any personal information I give out being compromised?”• Data privacy refers to the sending of data across a network with the confidence that no undesired party can interpret it. This is accomplished using data encryption. Encryption is a technique that ensures data, which is sent between two or more authorized parties, can only be interpreted by those desired parties. It ensures that the data is not meaningful to a non-authorized party that is attempting to eaves drop on the conversation. Using data privacy is very important when sensitive information needs to be sent across an unsecured network where only the intended receiver has the ability to interpret it.


04/18/23page 7

Security

Security - information integrity• "Am I confident that the data I receive and send is not being tampered with?”• When data is sent across a physical network, conditions may alter the data before it gets to its intended receiver. An electrical spike in the line may change the bits of a data packet, or an unauthorized entity may have intercepted and changed the data as it was traveling across the network. The assurance that data sent across a network will be received exactly as it was sent is labeled information integrity. We can not change the fact that data may be corrupted when it travels across a network, but we can detect it. The detection of corrupted network data is often done by cryptographic checksums. Cryptographic checksums give the receiver of data the ability to determine if it has been changed since it was sent.


04/18/23page 8

Security

Security - non repudiation

• "How can I ensure the data was received, signed for, and time stamped? Will it stand up in court?”• Non reputation refers to the ability to associate a particular instance of data to a specific user. This means that when a user originates data, there is a mechanism that provides a receiver of that data to verify the user’s identity. Non repudiation provides the assurance to the receiver that certain data was sent from a specific user, and that the sender can not deny it at a later time. This is usually accomplished using digital signatures.


04/18/23page 9

Security

Security - MQSeries

• MQSeries administrative commands that define queues, channels, etc.• Messages contained within queues• Messages traveling between queue managers • Connections between queue managers• Application Security


04/18/23page 10

Security

Security - MQSeries administrative commands

• The ability for a user to issue MQSeries commands must be given only to the appropriate individuals who are charged with the task of maintaining an MQSeries system. The use of these commands, by an unauthorized individual, can result in serious security exposures.• Typically, the granting of authority to the MQSeries administrative commands is controlled by the operating system on which the MQSeries product is running.


04/18/23page 11

Security

Security - messages within queues

• The data that resides in message queues may be of a sensitive nature and must be secured accordingly. If it is determined that security is necessary, access to queues can be controlled by authorizing only certain individuals to those queues. This will protect the queue from being accessible by unauthorized users, however all users which are granted authority to that queue can see all messages. If it is desired to protect each message, even from others authorized to the same queue, some form of data encryption must be used on the messages.


04/18/23page 12

Security


• Authorization to queues is typically managed by the operating system in which MQSeries is running. Neither the operating system nor MQSeries natively provide data encryption. For encryption of messages on a queue, some other mechanism must be used.


04/18/23page 13

Security


• MQSeries provides programming exits that allow for security modifications to messages at appropriate points in message flows. The programmer can use these exits to pass control to their own routines during message puts, gets, and just before the message is sent to, or received from the physical network. An example of this is a sender process which encrypts an MQ message just before it’s put on a queue; and a receiver process that decrypts the message just before it is presented to the application it is destined for.


04/18/23page 14

Security

Security - messages between Q Managers

• Messages traveling between queue managers may potentially need to be protected against being changed or seen by an unauthorized individual. To ensure that no messages are intercepted or compromised while traveling between queue managers, some combination of data encryption and data integrity techniques must be used. Neither the operating system nor MQSeries natively provide data encryption and data integrity between queue managers.


04/18/23page 15

Security

Security - connections between Q Managers

• In a non-trusted environment it is necessary for communicating queue managers to authenticate their identities to each other. This will prevent an unauthorized queue manager from connecting to an authorized queue manager. Not authenticating queue managers to each other creates serious security exposures. This also pertains to an MQSeries client which connects to an MQSeries server.


04/18/23page 16

Security

Security - applications

• Application security refers to the ability of an application to both determine the identity of a user making a request, and then to determine what access rights that user has within the application.• An example of this can be seen when a Windows NT user places a message on a queue destined for MVS. The Windows system will place the NT userid in the message. When the message arrives at the MVS system, where MVS uses Top Secret identities, MVS will not be able to use the identity. This issue might be resolved by ensuring the MVS and the NT userid are identical. Another mechanism might be to write logic in the MVS server to map the NT userid to its valid Top Secret userid.


04/18/23page 17

Security

Security - areas & MQSeries

• Authentication - none - done by operating system• Authorization - none - depends on external software• Information privacy - none - depends on external software• Information integrity - none - depends on external software• Non-repudiation - none - depends on external software

• Note - there is a vendor package called MQSecure by Candle Corporation that satisfies the above requirements. It is a “bolt-on” to MQSeries. For details see: http://www.candle.com/productservices/perfavailmgmt/msgmiddleware/mqseries/secure.html


04/18/23page 18

Security

Security - MQSeries Channel Exits


04/18/23page 19

Security


• Security exit - the security exit is intended, primarily, for (mutual) authentication of partner MCAs when they connect to one another. This exit is invoked after the MCAs have connected but before any user data is exchanged.• The naming of this exit is misleading as the implication is that it is only for security and that all security functions need to be performed within it. Both of these are incorrect. Because the data exchange is arbitrary, any exchange is possible and so functions unconnected with security may be implemented.


04/18/23page 20

Security


• Message exit - The message exit is called once for each message (in each MCA) and has access to both the MQSeries message headers and the message data. This exit is useful for functions which require access to all of the message data, rather than a portion of it. Some enterprises choose to use the message exit for signing messages, adding data integrity tokens or for encrypting data.


04/18/23page 21

Security


• Send/Receive exit - Because MQSeries allows message sizes greater than the capacity of the underlying transport, it is sometimes necessary for the MCA to segment messages before sending to the partner MCA – which will reconstitute them at the receiving side. For each segment, the send exit is called at the sending MCA and the receive exit called at the receiving MCA. Usually, the send/receive exits are used where the structure of the message data is not significant. In fact, MQSeries does not expose the data content of each segment so it is important to treat each segment as an opaque ‘blob’. But, it is quite possible to implement security functions such as signing messages, adding integrity tokens and encryption within the send/receive exits if required.


04/18/23page 22

Security

Security - at the message level

• As has been identified, it is possible to ensure security for message transmission & reception via the message channel exits. But there is no security provided while the messages are in the queues. What is the main problem here?• The primary issue associated with message level security has been the fragmentation of the distributed security environment. Put simply, with the large number of different platforms available and different levels of security functions available, there has never been any assurance that a message encrypted on one platform could be decrypted on the receiving platform. Thus the need for either much customer coding, or the use of a product such as MQSecure.


04/18/23page 23

Security

Security - encryption• Cryptography -- the "art" of hiding and securing information for storage and transmission.

• Encryption -- the process of converting readable information called plain text into unreadable information called cipher text• Decryption -- the process of reverting encrypted information (cipher text) back to plain text• Algorithm -- the computational procedures used to encrypt and decrypt information• Key -- a value that causes a crptographic algorithm to run in a specific way and to produce a specific cipher text (e. g., a 128 bit key)


04/18/23page 24

Security

Security - cryptography• Cryptography - The derivation of the word cryptography is from Greek and means literally secret writing. Modern cryptography is still involved in keeping data secret, but the ability to authenticate a user (and hence apply some kind of access control) is even more important.• Although there are many cryptographic techniques and protocols, they mostly fall into one of three categories:


04/18/23page 25

Security

Security - bulk encryption• Technique 1: Bulk Encryption- This is the modern equivalent of secret writing. A bulk encryption algorithm uses a key to scramble (or encrypt) data for transmission or storage. It can then only be unscrambled (or decrypted) using the same key. Bulk encryption is so called because it is effective for securing large chunks of data. Some common algorithms are Data Encryption Standard (DES), Data Encryption Algorithm (DEA) and RC4. This is also called the symmetric encryption.


04/18/23page 26

Security

Security - public key encryption• Technique 2: Public Key Encryption - This is also a technique for securing data but instead of using a single key for encryption and decryption, it uses two related keys, called public key and private key, which together form what is known as a key pair. As the word suggests, public keys are made available to everyone, but each entity that holds a key pair should keep the private key as secret. If data is encrypted using one of the keys, it can only be decrypted using the other, and vice versa.


04/18/23page 27

Security

Security - hashing• Technique 3: Hashing - A secure hash is an algorithm that takes a stream of data and creates a fixed-length digest of it. This digest is a fingerprint for the data. A digest has two main properties:

• If even one single bit of data is changed, then the message digest changes as well. Notice, however, there is a very remote probability that two different arbitrary messages can have the same fingerprint.

• Even if someone was able to intercept transmitted data and its fingerprint, that person would not be practically able to modify the original data so that the resulting data has the same digest as the original one.


04/18/23page 28

Security

Security - symmetric key cryptography• Single shared secret key (Encryption Key = Decryption Key)• Provides some degree of Confidentiality, Integrity and Authenticity• DES, 3DES, IDEA, Skipjack, RC 2/ 4/ 5• Much faster than Asymmetric• Key distribution is a consideration


04/18/23page 29

Security

Security - symmetric key cryptography


04/18/23page 30

Security

Security - asymmetric key cryptography• Public key encryption is a form of asymmetric encryption, because the key that is used to encrypt is different from the key used to decrypt. With this technology, the sender in a secure communication can use the receiver’s public key to encrypt the data, because at that point in time only the receiver can decrypt the data, by using its own private key.


04/18/23page 31

Security

Security - asymmetric key cryptography


04/18/23page 32

Security

Security - asymmetric key cryptography• Be aware that the public and the private keys are bound by a well known mathematical relationship, so that having one of the two keys it would be theoretically possible to obtain the other one. However, especially when the size of the building block of the keys is very long (for instance, 512 bits), the computational effort required makes the probability of breaking a key very small.• Compared to bulk encryption, public key encryption is more secure, because it does not require the transmission of a shared key that both the parties must hold. However, public key encryption is computationally expensive and is therefore not suited to large amounts of data.


04/18/23page 33

Security

Security - asymmetric key cryptography• For this reason the most common solution, implemented for example in the SSL protocol, is for the two parties (sender and receiver) to use public key encryption to agree on and share a common key. After the common key has been shared using asymmetric encryption, so that only the two parties really know it, then bulk encryption is used. Notice that a common key is shared only for the time of a single connection. After a secure connection is closed, a new connection requires that the two parties agree on a new shared key.• The most commonly-used algorithm for public key encryption is the Rivest, Shamir and Adleman (RSA) system.


04/18/23page 34

Security

Security - U.S. rules for export encryption.• The National Security Agency (NSA) is responsible for monitoring communications between the United States and the rest of the world, aiming to intercept such things as the messages of unfriendly governments and organized crime. Clearly, it is not a good thing for people who want to blow up buildings & other people to have access to unbreakable encryption, so the United States government sets limits on the strength of cipher that a United States company can export for commercial purposes.• Obviously non-US companies & non-US branches of multinationals are not bound by this restriction. But, if you buy a Web browser, for example, from Microsoft or Netscape, it has security restrictions for the non-US versions (because those are US companies).


04/18/23page 35

Security

Security - cipher strength.• Cipher strength is controlled by the size of the key used in the encryption algorithm. Current export rules limit the key size for bulk encryption to 40 bits, which can now be cracked in a matter of hours with modest computing facilities. Each extra bit doubles the key space, so a key size of 64 bits is 16 million times tougher than 40 bits. A similar rule applies to public key encryption, where an export-quality 512-bit modulus is inadequate, but a 1024-bit modulus is expected to remain effective for the next ten years, at least for commercial use.


04/18/23page 36

Security

Security - firewalls.• By firewall, we mean any computer system, network hardware or combination of them that links two or more networks, and enforces some access control policy between them. Thus one side of the network is protected from any dangers in the other part of the network, analogous to the solid firewalls in buildings, which prevent a fire from spreading from one part of the building to another.


04/18/23page 37

Security

Security - firewalls.• Firewalls can affect any type of network traffic, depending on their configuration.• Current literature on firewalls is filled with buzzwords used by specialists to describe the different software techniques that can be used to create firewalls. Techniques include packet filtering, application gateways, proxy servers, dynamic filters, bastion hosts, demilitarized zones, and dual-homed gateways.• The basic security functions of any firewall are to examine data packets sent through the firewall, and to accept, reject or modify the packets according to the security policy requirements. Most of today’s firewalls work with TCP/IP data only, so it is worth seeing what is inside a TCP/IP data packet, in order to understand the firewall’s actions.


04/18/23page 38

Security

Security - firewalls.• Simple packet-filtering firewalls use the source and destination IP addresses and ports to determine whether packets may pass through the firewall. Packets going to a Web server on destination port 80, and the replies on source port 80, may be permitted, while packets to other port numbers might be rejected by the firewall. This may be allowed in one direction only and it may be further restricted by only allowing packets to and from a particular group of Web servers, as shown in the following figure:


04/18/23page 39

Security

Security - firewalls.


04/18/23page 40

Security

Security - SSL.• SSL is a standard protocol proposed by Netscape for implementing cryptography and enabling secure transmission on the Web. The primary goal of the SSL protocol is to provide privacy and reliability between two communicating parties. As the name suggests, SSL provides a secure alternative to the standard TCP/IP sockets protocol. In fact, SSL is not a drop-in replacement because the application has to specify additional cryptographic information. Nonetheless, it is not a large step for an application that uses regular sockets to be converted to SSL. Although the most common implementation of SSL is for HTTP, several other application protocols have also been adapted.


04/18/23page 41

Security

Security - SSL.• SSL has two security aims:• 1. To authenticate the server and the client using public key signatures and digital certificates.• 2. To provide an encrypted connection for the client and server to exchange messages securely.


04/18/23page 42

Security

Security - SSL.• The SSL connection is private and reliable. Encryption is used after an initial handshake to define a secret key. Message integrity checks are maintained.• Notice that in SSL, symmetric cryptography is used for data encryption, while asymmetric or public key cryptography is used to authenticate the identities of the communicating parties and encrypt the shared encryption key when an SSL session is established. This way, the shared encryption key can be exchanged in a secure manner, and client and server can be sure that only they know the shared secret key. Also, you have the advantage that client and server can encrypt and decrypt the communication flow with a single encryption key, which is much faster than using asymmetric encryption.


04/18/23page 43

Security

Security - SSL provides...• Privacy - The connection is made private by encrypting the data to be exchanged between the client and the server. In other words, only they can decrypt it and make sense of the data. This allows for secure transfer of private information such as credit card numbers, passwords, secret contracts, etc.• Data integrity - The SSL connection is reliable. The message transport includes a message integrity check based on a secure hash function. So there is practically no possibility of data corruption without detection.


04/18/23page 44

Security

Security - SSL provides...• Authenticity - The client can authenticate the server and an authenticated server can authenticate the client (optionally). This means that the information is guaranteed to be exchanged only between the intended parties. The authentication mechanism is based on the exchange of digital certificates.• Non-repudiation - Digital signatures and certificates together imply non-repudiation. This establishes accountability of information about a particular event or action to its originating entity, and the communications between the parties can be proved later.


04/18/23page 45

Security

Process

DesignDesign

AssessAssess

PlanPlan

ImplementImplement

RunRun A Total A Total Security Security SolutionSolution

HealthcheckHealthcheck

Ethical HackingEthical Hacking

AssessmentsAssessments

SiteSite

ProcessProcess

ApplicationApplication

SystemSystem

NetworkNetwork

InternetInternet

Workshops:Workshops:

SecuritySecurity

PrivacyPrivacy

Information Asset ProfileInformation Asset Profile

Policy DefinitionPolicy Definition

Standards DefinitionStandards Definition

Process DevelopmentProcess Development

Privacy Strategy and Privacy Strategy and ImplementationImplementation

Enterprise ArchitectureEnterprise Architecture

Internet ArchitectureInternet Architecture

Secure Solution DesignSecure Solution Design

Product SelectionProduct Selection

Product ImplementationProduct Implementation

Vault Registry ServicesVault Registry Services

Documents

Copyrighted material John Tullis 12/3/2015 page 1 04/08/00 Security John Tullis DePaul Instructor [email protected]