chap 28 security
DESCRIPTION
TCP-IP BY FOROUZANTRANSCRIPT
![Page 1: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/1.jpg)
TCP/IP Protocol Suite 1
Chapter 28Chapter 28
Upon completion you will be able to:
SecuritySecurity
• Differentiate between two categories of cryptography schemes • Understand four aspects of security• Understand the concept of digital signature• Understand the role of key management in entity authentication• Know how and where IPSec, TLS, and PPG provide security
Objectives
![Page 2: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/2.jpg)
TCP/IP Protocol Suite 2
28.1 CRYPTOGRAPHY
The word cryptography in Greek means “secret writing.” The term today The word cryptography in Greek means “secret writing.” The term today refers to the science and art of transforming messages to make them refers to the science and art of transforming messages to make them secure and immune to attacks.secure and immune to attacks.
The topics discussed in this section include:The topics discussed in this section include:
Symmetric-Key Cryptography Symmetric-Key Cryptography Asymmetric-Key Cryptography Asymmetric-Key Cryptography Comparison Comparison
![Page 3: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/3.jpg)
TCP/IP Protocol Suite 3
Figure 28.1 Cryptography components
![Page 4: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/4.jpg)
TCP/IP Protocol Suite 4
In cryptography, the encryption/decryption algorithms are
public; the keys are secret.
Note:Note:
![Page 5: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/5.jpg)
TCP/IP Protocol Suite 5
In symmetric-key cryptography, the same key is used by the sender (for encryption) and the receiver (for decryption). The key is shared.
Note:Note:
![Page 6: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/6.jpg)
TCP/IP Protocol Suite 6
Figure 28.2 Symmetric-key cryptography
![Page 7: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/7.jpg)
TCP/IP Protocol Suite 7
In symmetric-key cryptography, the same key is used in both directions.
Note:Note:
![Page 8: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/8.jpg)
TCP/IP Protocol Suite 8
Figure 28.3 Caesar cipher
![Page 9: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/9.jpg)
TCP/IP Protocol Suite 9
Figure 28.4 Transpositional cipher
![Page 10: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/10.jpg)
TCP/IP Protocol Suite 10
Figure 28.5 DES
![Page 11: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/11.jpg)
TCP/IP Protocol Suite 11
Figure 28.6 Iteration block
![Page 12: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/12.jpg)
TCP/IP Protocol Suite 12
Figure 28.7 Triple DES
![Page 13: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/13.jpg)
TCP/IP Protocol Suite 13
The DES cipher uses the same concept as the Caesar cipher, but the
encryption/ decryption algorithm is much more complex.
Note:Note:
![Page 14: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/14.jpg)
TCP/IP Protocol Suite 14
Figure 28.8 Public-key cryptography
![Page 15: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/15.jpg)
TCP/IP Protocol Suite 15
Figure 28.9 RSA
![Page 16: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/16.jpg)
TCP/IP Protocol Suite 16
Symmetric-key cryptography is often used for long messages.
Note:Note:
![Page 17: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/17.jpg)
TCP/IP Protocol Suite 17
Asymmetric-key algorithms are more efficient for short messages.
Note:Note:
![Page 18: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/18.jpg)
TCP/IP Protocol Suite 18
28.2 PRIVACY
Privacy means that the sender and the receiver expect confidentiality. Privacy means that the sender and the receiver expect confidentiality. The transmitted message must make sense to only the intended receiver. The transmitted message must make sense to only the intended receiver. To all others, the message must be unintelligible.To all others, the message must be unintelligible.
The topics discussed in this section include:The topics discussed in this section include:
Privacy with Symmetric-Key Cryptography Privacy with Symmetric-Key Cryptography Privacy with Asymmetric-Key Cryptography Privacy with Asymmetric-Key Cryptography
![Page 19: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/19.jpg)
TCP/IP Protocol Suite 19
Figure 28.10 Privacy using symmetric-key encryption
![Page 20: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/20.jpg)
TCP/IP Protocol Suite 20
Figure 28.11 Privacy using asymmetric-key encryption
![Page 21: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/21.jpg)
TCP/IP Protocol Suite 21
Digital signature can provide authentication, integrity, and
nonrepudiation for a message.
Note:Note:
![Page 22: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/22.jpg)
TCP/IP Protocol Suite 22
28.3 DIGITAL SIGNATURE
Digital signature can provide authentication, integrity, and Digital signature can provide authentication, integrity, and nonrepudiation for a message. nonrepudiation for a message.
The topics discussed in this section include:The topics discussed in this section include:
Signing the Whole Document Signing the Whole Document Signing the Digest Signing the Digest
![Page 23: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/23.jpg)
TCP/IP Protocol Suite 23
Figure 28.12 Signing the whole document
![Page 24: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/24.jpg)
TCP/IP Protocol Suite 24
Digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption
must be applied.
Note:Note:
![Page 25: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/25.jpg)
TCP/IP Protocol Suite 25
Figure 28.13 Hash function
![Page 26: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/26.jpg)
TCP/IP Protocol Suite 26
Figure 28.14 Sender site
![Page 27: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/27.jpg)
TCP/IP Protocol Suite 27
Figure 28.15 Receiver site
![Page 28: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/28.jpg)
TCP/IP Protocol Suite 28
28.4 ENTITY AUTHENTICATION
Entity authentication is a procedure that verifies the identity of one Entity authentication is a procedure that verifies the identity of one entity for another. An entity can be a person, a process, a client, or a entity for another. An entity can be a person, a process, a client, or a server. In entity authentication, the identity is verified once for the entire server. In entity authentication, the identity is verified once for the entire duration of system access.duration of system access.
The topics discussed in this section include:The topics discussed in this section include:
Entity Authentication with Symmetric-Key Cryptography Entity Authentication with Symmetric-Key Cryptography Entity Authentication with Asymmetric-Key Cryptography Entity Authentication with Asymmetric-Key Cryptography
![Page 29: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/29.jpg)
TCP/IP Protocol Suite 29
Figure 28.16 Using a symmetric key only
![Page 30: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/30.jpg)
TCP/IP Protocol Suite 30
Figure 28.17 Using a nonce
![Page 31: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/31.jpg)
TCP/IP Protocol Suite 31
Figure 28.18 Bidirectional authentication
![Page 32: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/32.jpg)
TCP/IP Protocol Suite 32
28.5 KEY MANAGEMENT
In this section we explain how symmetric keys are distributed and how In this section we explain how symmetric keys are distributed and how public keys are certified. public keys are certified.
The topics discussed in this section include:The topics discussed in this section include:
Symmetric-Key Distribution Symmetric-Key Distribution Public-Key Certification Public-Key Certification Kerberos Kerberos
![Page 33: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/33.jpg)
TCP/IP Protocol Suite 33
A symmetric key between two parties is useful if it is used only once; it must be created for one session and destroyed
when the session is over.
Note:Note:
![Page 34: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/34.jpg)
TCP/IP Protocol Suite 34
Figure 28.19 Diffie-Hellman method
![Page 35: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/35.jpg)
TCP/IP Protocol Suite 35
The symmetric (shared) key in the Diffie-Hellman protocol is
K = G xy mod N.
Note:Note:
![Page 36: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/36.jpg)
TCP/IP Protocol Suite 36
Let us give an example to make the procedure clear. Our example uses small numbers, but note that in a real situation, the numbers are very large. Assume G = 7 and N = 23. The steps are as follows:
1. Alice chooses x = 3 and calculates R1 = 73 mod 23 = 21.
2. Alice sends the number 21 to Bob.
3. Bob chooses y = 6 and calculates R2 = 76 mod 23 = 4.
4. Bob sends the number 4 to Alice.
5. Alice calculates the symmetric key K = 43 mod 23 = 18.
6. Bob calculates the symmetric key K = 216 mod 23 = 18.
The value of K is the same for both Alice and Bob; G xy mod N = 718 mod 23 = 18.
Example 1
![Page 37: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/37.jpg)
TCP/IP Protocol Suite 37
Figure 28.20 Man-in-the-middle attack
![Page 38: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/38.jpg)
TCP/IP Protocol Suite 38
Figure 28.21 First approach using KDC
![Page 39: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/39.jpg)
TCP/IP Protocol Suite 39
Figure 28.22 Needham-Schroeder protocol
![Page 40: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/40.jpg)
TCP/IP Protocol Suite 40
Figure 28.23 Otway-Rees protocol
![Page 41: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/41.jpg)
TCP/IP Protocol Suite 41
In public-key cryptography, everyone has access to everyone’s public key.
Note:Note:
![Page 42: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/42.jpg)
TCP/IP Protocol Suite 42
Table 28.1 X.509 fieldsTable 28.1 X.509 fields
![Page 43: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/43.jpg)
TCP/IP Protocol Suite 43
Figure 28.24 PKI hierarchy
![Page 44: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/44.jpg)
TCP/IP Protocol Suite 44
Figure 28.25 Kerberos servers
![Page 45: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/45.jpg)
TCP/IP Protocol Suite 45
Figure 28.26 Kerberos example
![Page 46: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/46.jpg)
TCP/IP Protocol Suite 46
28.6 SECURITY IN THE INTERNET
In this section we discuss a security method for each of the top 3 layers In this section we discuss a security method for each of the top 3 layers of the Internet model. At the IP level we discuss a protocol called IPSec; of the Internet model. At the IP level we discuss a protocol called IPSec; at the transport layer we discuss a protocol that “glues” a new layer to at the transport layer we discuss a protocol that “glues” a new layer to the transport layer; at the application layer we discuss a security method the transport layer; at the application layer we discuss a security method called PGP.called PGP.
The topics discussed in this section include:The topics discussed in this section include:
IP Level Security: IPSec IP Level Security: IPSec Transport Layer Security Transport Layer Security Application Layer Security: PGP Application Layer Security: PGP
![Page 47: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/47.jpg)
TCP/IP Protocol Suite 47
Figure 28.27 Transport mode
![Page 48: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/48.jpg)
TCP/IP Protocol Suite 48
Figure 28.28 Tunnel mode
![Page 49: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/49.jpg)
TCP/IP Protocol Suite 49
Figure 28.29 AH
![Page 50: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/50.jpg)
TCP/IP Protocol Suite 50
The AH protocol provides message authentication and integrity,
but not privacy.
Note:Note:
![Page 51: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/51.jpg)
TCP/IP Protocol Suite 51
Figure 28.30 ESP
![Page 52: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/52.jpg)
TCP/IP Protocol Suite 52
ESP provides message authentication, integrity, and privacy.
Note:Note:
![Page 53: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/53.jpg)
TCP/IP Protocol Suite 53
Figure 28.31 Position of TLS
![Page 54: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/54.jpg)
TCP/IP Protocol Suite 54
Figure 28.32 TLS layers
![Page 55: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/55.jpg)
TCP/IP Protocol Suite 55
Figure 28.33 Handshake protocol
![Page 56: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/56.jpg)
TCP/IP Protocol Suite 56
Figure 28.34 Record Protocol
![Page 57: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/57.jpg)
TCP/IP Protocol Suite 57
Figure 28.35 PGP at the sender site
![Page 58: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/58.jpg)
TCP/IP Protocol Suite 58
Figure 28.36 PGP at the receiver site
![Page 59: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/59.jpg)
TCP/IP Protocol Suite 59
28.7 FIREWALLS
A firewall is a device (usually a router or a computer) installed between A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others.designed to forward some packets and filter (not forward) others.
The topics discussed in this section include:The topics discussed in this section include:
Packet-Filter Firewall Packet-Filter Firewall Proxy Firewall Proxy Firewall
![Page 60: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/60.jpg)
TCP/IP Protocol Suite 60
Figure 28.37 Firewall
![Page 61: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/61.jpg)
TCP/IP Protocol Suite 61
Figure 28.38 Packet-filter firewall
![Page 62: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/62.jpg)
TCP/IP Protocol Suite 62
A packet-filter firewall filters at the network or transport layer.
Note:Note:
![Page 63: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/63.jpg)
TCP/IP Protocol Suite 63
Figure 28.39 Proxy firewall
![Page 64: Chap 28 security](https://reader036.vdocuments.net/reader036/viewer/2022062707/55851c53d8b42ada748b48ab/html5/thumbnails/64.jpg)
TCP/IP Protocol Suite 64
A proxy firewall filters at the application layer.
Note:Note: