Basic Internet Security Concepts. J.W. Ryder, [email protected], 04-01-98
Posted on 22-Dec-2015
04-01-98 J.W. Ryder
Introduction
• The internet is a vast wilderness, an infinite world of opportunity
• Exploring, e-mail, free software, chat, video, e-business, information, games
• Explored by humans
Internet Security Concepts
• Introduction of several basic security concepts
• General mechanisms for protection
Sniffing and Spoofing
• [1]
• Sniffing – The ability to inspect IP datagrams which are not destined for the current host (for example by putting a network adapter into promiscuous mode on a shared segment).
• Spoofing – Forging the source of a datagram (such as its IP source address) so that it appears to come from a host the receiver trusts. What was learned by sniffing (addresses, sequence numbers, credentials) is what makes the forged traffic believable, and from there a guy can create malicious havoc on the internet.
[Figure: network diagram. Node types: Unprotected Internet node, Private Network node, Secure Gateway node. Actors: A Guy (the attacker), Gabrielle Poirot (C), Steve Burns (C), Ramon Sanchez (A), Sears, Bank (I), A Guy's Swiss Bank, Wall Street (N). The letters match the scenarios on the following slides: C = Confidentiality, I = Integrity, A = Authentication, N = Non-repudiation.]
A Guy has no integrity
• Swiss Bank Scam
• Integrity - The guarantee that, upon receipt of a datagram from the network, the receiver will be able to determine if the data was changed in transit
Ramon springs for sound
• Sears solid state stereos
• Authentication - The guarantee that, upon receipt of a datagram from the network, the receiver will be able to determine if the stated sender of the datagram is, in fact, the sender
A guy sniffs success
• Gabrielle and Steve almost strike it rich
• Confidentiality - Ensure that each party that is supposed to see the data sees it, and that those who should not see the data never see it.
Wall Street Woes
• A guy spots a hot stock tip
• Non-repudiation - Once a host has sent a datagram, ensure that the same host cannot later deny having sent it
A guy becomes desperate
• Bring Wall St. to its knees
• Denial of Service Attack - Flood a given IP address (host) with packets so that it spends most of its processing time and bandwidth absorbing the flood and has little left to serve legitimate requests
[Figure: the communications stack and the security functions drawn alongside it: Physical Adapter; IP; In Comm. Stack; One-Way Hash Functions (MD5, SHA1); Crypto Functions (DES, CDMF, 3DES); Key Mgmt. Functions; Application]
Protocol Flow
• [2, 3]
• Data moves down through the layers of the sending host and up through those of the receiver; each layer has its own collection of responsibilities
• ISO OSI Reference Model - (Open Systems Interconnection)
• IP Datagram
[Figure: Integrity. The Data part of an IP datagram (IP Hdr. | Data) is passed through the MAC function, and the resulting Digest is appended: IP Hdr. | Data | Digest]
Keys
• Bit values fed into cryptographic algorithms and one way hashing functions, which help provide confidentiality, integrity, and authentication
• The longer the better - 40, 48, 56, 128 bits
• Brute force (trying every possible key) wins against small keys: each extra bit doubles the attacker's work, and the algorithm itself must be assumed known
Symmetric Keys
• Have qualities such as lifetimes, refresh rates, etc.
• Symmetric - Keys that are shared secrets among N cooperating, trusted hosts; the same key both encrypts and decrypts, so every holder can do both
Asymmetric
• Public / Private key pairs
• Public key lists kept on well known public key servers
• The public key is no secret. If it had to be, the strategy would not work.
• Public and private keys are inverses of each other: what one key encrypts, only the other key decrypts
• The private key is known only to you and must remain secret
Concept
• Sender encrypts data with its private key
• Receiver decrypts the data with the sender's public key; anyone can do this, so this step proves who sent the data (authentication) rather than hiding it
• Receiver replies after encrypting with the sender's public key
• Sender receives the response and decrypts it with its private key; only the private key holder can, so this direction gives confidentiality
• Encrypting with a private key is the basis of the digital signature; encrypting with a public key is the basis of public key confidentiality
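As an added example (not from the original slides) of the four-step exchange above and of the "inverse functional values" property, here is textbook RSA in plain Python: the private exponent undoes the public one and vice versa. The Miller-Rabin prime generation, the public exponent 65537, the use of a SHA-256 digest as the thing that gets signed, and Python's built-in pow(e, -1, phi) (Python 3.8+) are this example's own choices; the modulus is kept small so it runs instantly, and the scheme is unpadded, so it is for illustration only and not for use.

```python
import hashlib
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 25) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if is_probable_prime(cand):
            return cand


def keypair_from_primes(p: int, q: int, e: int = 65537):
    """Returns ((n, e), (n, d)) with e*d == 1 (mod phi): the two exponents undo each other."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # raises ValueError if gcd(e, phi) != 1
    return (n, e), (n, d)


def generate_keypair(bits: int = 160):
    """Toy key size (assumption of this example): two 160-bit primes."""
    while True:
        p, q = random_prime(bits), random_prime(bits)
        if p != q:
            try:
                return keypair_from_primes(p, q)
            except ValueError:
                continue


def apply(key, m: int) -> int:
    """The one RSA operation: m ** exponent mod n. Which key is used decides
    whether the result is a ciphertext (public key) or a signature (private key)."""
    n, exp = key
    return pow(m, exp, n)


def encrypt(pub, msg: bytes) -> int:
    """Confidentiality: anyone holding the public key can encrypt."""
    m = int.from_bytes(b"\x01" + msg, "big")  # 0x01 prefix keeps leading zero bytes
    if m >= pub[0]:
        raise ValueError("message too long for this toy modulus")
    return apply(pub, m)


def decrypt(priv, c: int) -> bytes:
    """Only the private-key holder can undo the public-key operation."""
    m = apply(priv, c)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]


def sign(priv, msg: bytes) -> int:
    """Digital signature: the digest 'encrypted' with the private key."""
    return apply(priv, int.from_bytes(hashlib.sha256(msg).digest(), "big"))


def verify(pub, msg: bytes, sig: int) -> bool:
    """Anyone with the public key can check the signature against the digest."""
    return apply(pub, sig) == int.from_bytes(hashlib.sha256(msg).digest(), "big")


def exchange():
    """The slide's four steps with one key pair belonging to the sender (A Guy)."""
    pub, priv = generate_keypair()
    request = b"send me the stock tip"
    sig = sign(priv, request)                        # 1. sender 'encrypts' with private key
    ok = verify(pub, request, sig)                   # 2. receiver checks with public key
    reply = encrypt(pub, b"buy ACME at open")        # 3. receiver replies under public key
    plain = decrypt(priv, reply)                     # 4. sender decrypts with private key
    forged = verify(pub, b"send me the money", sig)  # altered text fails verification
    return ok, plain, forged


if __name__ == "__main__":
    print(exchange())
```

The classic small instance p = 61, q = 53, e = 17 gives d = 2753 with keypair_from_primes, which is handy for checking the arithmetic by hand; step 2 works for anybody who fetches the public key, which is exactly why it authenticates the sender but conceals nothing.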
[Figure: Confidentiality. The Data part of the IP datagram and a Key are fed to the Crypto Function (encryption function); the output replaces the Data: IP Hdr. | Encrypted Data]
MACs
• Message Authentication Codes, one way hashing functions (these slides use "MAC" for the hash function itself; the keyed form is the Keyed Digest introduced later)
• A function h that is easy to compute but for which it is computationally infeasible to find two messages M1 and M2 such that h(M1) = h(M2)
• MD5 (Ron Rivest, RSA Data Security); SHA1 (NIST)
• MD5 yields a 128 bit digest, SHA1 a 160 bit digest [3]
DES
• Data Encryption Standard
• U.S. Govt. Standard (FIPS 46)
• 56 bit key - the original IBM design (Lucifer) used a 128 bit key
• At 128 bits, exhaustive search of the key space would have been out of the question
• U.S. National Security Agency request - Reduce to 56 bits
• Export version: CDMF (40 bit effective key)
• The keys are the secrets, not the algorithms themselves; assume the attacker knows the algorithm [4, 5]
• Caveat: 56 bits is within reach of exhaustive search with dedicated hardware (the EFF's purpose-built DES cracker demonstrated this in July 1998, a few months after this talk); 3DES, listed next to DES in the stack figure, exists to stretch the key material for exactly this reason
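To make the point of the Keys and DES slides concrete (brute force wins against small keys, and the key rather than the algorithm is the secret), here is an added example that is not part of the original slides. It recovers the key of a keyed digest by exhaustive search for tiny key sizes, then extrapolates the measured rate to 40-bit (CDMF) and 56-bit (DES) keys. HMAC-SHA256 from Python's standard library stands in for DES, since the attack does not depend on which algorithm is used; the sample message, the key sizes and the timing loop are this example's own choices.

```python
import hashlib
import hmac
import time

# Constructed sample: the datagram whose keyed digest A Guy has sniffed.
MESSAGE = b"transfer 1000 CHF to account 42"


def keyed_digest(key: bytes, msg: bytes) -> bytes:
    """Keyed digest (HMAC-SHA256). The attacker knows this function;
    only the key is secret."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def key_from_int(k: int, key_bits: int) -> bytes:
    """Fixed-width big-endian encoding so that every key of `key_bits` bits
    is tried exactly once."""
    return k.to_bytes((key_bits + 7) // 8, "big")


def brute_force(msg: bytes, tag: bytes, key_bits: int):
    """Exhaustive search over all 2**key_bits keys.
    Returns (recovered_key, trials) or (None, 2**key_bits)."""
    trials = 0
    for k in range(1 << key_bits):
        trials += 1
        cand = key_from_int(k, key_bits)
        if hmac.compare_digest(keyed_digest(cand, msg), tag):
            return cand, trials
    return None, trials


def measure_rate(msg: bytes, seconds: float = 0.2) -> float:
    """Keyed digests per second on this machine, i.e. the attacker's speed."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        keyed_digest(key_from_int(n & 0xFFFF, 16), msg)
        n += 1
    return n / (time.perf_counter() - start)


def worst_case_seconds(key_bits: int, rate: float) -> float:
    """Time to try every key: 2**key_bits / rate. Each extra bit doubles it."""
    return (1 << key_bits) / rate


if __name__ == "__main__":
    for bits in (8, 12, 16):
        secret = key_from_int((1 << bits) - 3, bits)  # chosen near the end of the key space
        tag = keyed_digest(secret, MESSAGE)
        found, trials = brute_force(MESSAGE, tag, bits)
        print(f"{bits:2d}-bit key recovered: {found == secret}, after {trials} trials")
    rate = measure_rate(MESSAGE)
    for bits in (16, 40, 56):
        print(f"{bits}-bit exhaustive search at {rate:,.0f} keys/s: "
              f"{worst_case_seconds(bits, rate):,.0f} s worst case")
```

The 16-bit key falls in a fraction of a second on one core; the extrapolation to 40 and 56 bits shows how many of those cores (or purpose-built chips) an attacker needs, which is the whole argument for longer keys.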
[Figure: combining the tools, three datagram layouts
IP Hdr. | Encrypted Data: Confidentiality
IP Hdr. | Encrypted Data | Digest: Confidentiality & Integrity
IP Hdr. | Encrypted Data | Digital Signature (Enc. Digest): Confidentiality, Integrity, & Authentication]
[Figure: building blocks, the legend for the combinations that follow
Data + Key -> Crypto Function (CF) -> EM (Encrypted Message)
Data -> MAC function -> Digest
Data + Key -> MAC function -> Keyed Digest
Digest encrypted with the sender's private key -> DS (Digital Signature)
MAC_Time < CF_Time: hashing the data is cheaper than running the cipher over it]
Why would a guy prefer a Digital Signature over a Keyed Digest? Why not?
What types of security are provided with EM, DS, Digest, Keyed Digest?
Security provided by each combination (Msg = plain message, EM = Encrypted Message, MD = Message Digest, KD = Keyed Digest, DS = Digital Signature):

Sent                 Security provided
Msg                  No Security
Msg + MD             Integrity
EM                   Confidentiality
EM + MD              Conf. & Integrity
Msg + DS             Integrity & Auth.
EM + DS              Conf., Int., & Auth.
Msg + KD             Integrity & Auth.
EM + KD              Conf., Int., & Auth.

Note that only the DS rows also give Non-repudiation: a Keyed Digest can be produced by any holder of the shared key, including the receiver, so it proves the datagram came from one of the key holders but not which one.
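An added example (not from the original slides) that exercises the Msg + MD and Msg + KD rows of the table above, together with the Integrity figure and the MACs slide, using only Python's standard library. The datagram format (data followed by a 32-byte digest), the shared key and the sample data are constructed for the example; MD is SHA-256 and KD is HMAC-SHA256 under the shared key.

```python
import hashlib
import hmac

DIGEST_LEN = 32  # both SHA-256 and HMAC-SHA256 produce 32 bytes

# Constructed sample: the secret that Gabrielle and Steve share; A Guy does not have it.
SHARED_KEY = b"gabrielle-and-steve-shared-secret"


def message_digest(data: bytes) -> bytes:
    """MD: one-way hash of the data alone, no key involved."""
    return hashlib.sha256(data).digest()


def keyed_digest(key: bytes, data: bytes) -> bytes:
    """KD: one-way hash of data and key together (HMAC)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def send_with_md(data: bytes) -> bytes:
    """Row 'Msg + MD': datagram = data || digest."""
    return data + message_digest(data)


def send_with_kd(key: bytes, data: bytes) -> bytes:
    """Row 'Msg + KD': datagram = data || keyed digest."""
    return data + keyed_digest(key, data)


def split(datagram: bytes):
    return datagram[:-DIGEST_LEN], datagram[-DIGEST_LEN:]


def receive_with_md(datagram: bytes) -> bool:
    """Integrity check only: does the digest match the data that arrived?"""
    data, tag = split(datagram)
    return hmac.compare_digest(message_digest(data), tag)


def receive_with_kd(key: bytes, datagram: bytes) -> bool:
    """Integrity and authentication: only a key holder could have produced the tag."""
    data, tag = split(datagram)
    return hmac.compare_digest(keyed_digest(key, data), tag)


def man_in_the_middle(new_data: bytes) -> bytes:
    """A Guy replaces the data and recomputes the unkeyed digest; he needs no secret."""
    return new_data + message_digest(new_data)


def corrupt_in_transit(datagram: bytes) -> bytes:
    """Accidental damage: flip one bit of the data, tag untouched."""
    data, tag = split(datagram)
    return bytes([data[0] ^ 0x01]) + data[1:] + tag


def demo():
    original = b"pay 10 CHF to Steve"
    altered = b"pay 10000 CHF to A Guy"
    md_dgram = send_with_md(original)
    kd_dgram = send_with_kd(SHARED_KEY, original)
    old_kd_tag = split(kd_dgram)[1]
    return {
        # MD catches accidental corruption ...
        "md_detects_corruption": not receive_with_md(corrupt_in_transit(md_dgram)),
        # ... but not a deliberate rewrite, because anyone can recompute the digest
        "md_fooled_by_rewrite": receive_with_md(man_in_the_middle(altered)),
        # KD catches the rewrite: the attacker cannot produce a tag for the new data
        "kd_detects_rewrite": not receive_with_kd(SHARED_KEY, altered + old_kd_tag),
        # the KD limitation behind the 'Digital Signature over Keyed Digest' question:
        # the receiver holds the same key, so he can forge a datagram 'from' the sender
        "receiver_can_forge_kd": receive_with_kd(SHARED_KEY, send_with_kd(SHARED_KEY, altered)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

All four checks come out True: an unkeyed digest is worth exactly as much as the attacker's inability to modify the datagram, which on the open internet is nothing, while the keyed digest holds up against A Guy but still cannot tell Steve's datagrams from Gabrielle's.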
Purpose
• Some ideas on Internet Security
• Classes of mischief on Internet, definitions
• Tools to fight mischief
• Combinations of these tools
Purpose continued
• Very high level
• Good starting point for further study about
• General networking & strategies
• Cryptography
• Key Management
• Algorithm Analysis
Post Presentation Results
• Should be familiar with concepts & terms such as:
– Integrity, Authentication, Non-repudiation, Confidentiality
– Keys, MACs, Cryptography, Digest, Digital Certificates, Datagram
– High level understanding of some methods to combat some of the above types of Internet mischief