Review and Announcement
![Page 1: Review and Announcement](https://reader036.vdocuments.net/reader036/viewer/2022062500/56815163550346895dbf8ca1/html5/thumbnails/1.jpg)
Review: Ethernet and wireless LANs
- Ethernet: CSMA/CD algorithm
- Hubs, bridges, and switches
  - Hub: physical layer; can't interconnect 10BaseT & 100BaseT
  - Bridges and switches: data link layer
- Wireless links and LANs
  - 802.11 a, b, g: all use CSMA/CA for multiple access

Announcements
- Homework 4 is due tonight so that we can discuss it in the final review tomorrow.
- Final review in Thursday's class. Final exam: 3/16 (Th), 12:30-2:00pm.
Network Security Overview
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and countermeasures
(Part of the final)
What is network security?
- Confidentiality: only the sender and the intended receiver should "understand" message contents; the sender encrypts the message, the receiver decrypts it.
- Authentication: sender and receiver want to confirm each other's identity.
- Message integrity: sender and receiver want to ensure the message is not altered (in transit, or afterwards) without detection.
- Access and availability: services must be accessible and available to users.
Friends and enemies: Alice, Bob, Trudy
- well-known in the network security world
- Bob and Alice (lovers!) want to communicate "securely"
- Trudy (intruder) may intercept, delete, add messages
[Figure: Alice (secure sender) and Bob (secure receiver) exchange data and control messages over a channel; Trudy sits on the channel between them.]
Who might Bob, Alice be?
... well, real-life Bobs and Alices!
- Web browser/server for electronic transactions (e.g., on-line purchases)
- on-line banking client/server
- DNS servers
- routers exchanging routing table updates
- other examples?
There are bad guys (and girls) out there!
Q: What can a "bad guy" do?
A: a lot!
- eavesdrop: intercept messages
- actively insert messages into a connection
- impersonation: can fake (spoof) the source address in a packet (or any field in the packet)
- hijacking: "take over" an ongoing connection by removing the sender or receiver and inserting himself in their place
- denial of service: prevent a service from being used by others (e.g., by overloading resources)
more on this later ...
Overview (roadmap: what is network security?, principles of cryptography, authentication, access control: firewalls, attacks and countermeasures). Next: Principles of cryptography.
The language of cryptography
- symmetric key crypto: sender, receiver keys identical
- public-key crypto: encryption key public, decryption key secret (private)
[Figure: plaintext -> encryption algorithm (Alice's encryption key K_A) -> ciphertext -> decryption algorithm (Bob's decryption key K_B) -> plaintext.]
Symmetric key cryptography
substitution cipher: substituting one thing for another
- monoalphabetic cipher: substitute one letter for another
E.g.:
plaintext:  abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq
Plaintext:  bob. i love you. alice
Ciphertext: nkn. s gktc wky. mgsbc
Q: How hard to break this simple cipher?
- brute force (how hard? the key is any permutation of 26 letters: 26! ≈ 4 × 10^26 keys)
- other? (the letter-frequency statistics of the plaintext language survive the substitution unchanged)
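An added example (not from the slides) implementing the slide's monoalphabetic cipher with its exact key, and showing why "other?" beats brute force: the most frequent ciphertext letter is almost always the image of 'e'. The SAMPLE text is constructed here; the key string is the one on the slide.

```python
import math
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
# The slide's key: plaintext letter ALPHABET[i] is replaced by KEY[i].
KEY = "mnbvcxzasdfghjklpoiuytrewq"

ENC = dict(zip(ALPHABET, KEY))
DEC = dict(zip(KEY, ALPHABET))


def encrypt(plaintext):
    """Monoalphabetic substitution. Characters outside a-z (spaces, '.') pass
    through unchanged, which is itself a leak: word lengths and punctuation survive."""
    return "".join(ENC.get(ch, ch) for ch in plaintext.lower())


def decrypt(ciphertext):
    return "".join(DEC.get(ch, ch) for ch in ciphertext.lower())


def keyspace_size():
    """Brute force 'how hard?': the key is any permutation of the 26 letters."""
    return math.factorial(26)


def ranked_letters(text):
    """Letters of `text` in descending order of frequency."""
    counts = Counter(ch for ch in text.lower() if ch in ALPHABET)
    return [letter for letter, _ in counts.most_common()]


def top_guess(ciphertext):
    """First move of frequency analysis: the most common ciphertext letter most
    likely stands for 'e', the most common letter of English text.
    Returns (ciphertext_letter, guessed_plaintext_letter)."""
    return ranked_letters(ciphertext)[0], "e"


# Constructed sample plaintext (not from the slides), ordinary English with no tricks.
SAMPLE = ("the enemy knows the system. never reuse keys. every message alice sends "
          "to bob can be seen by trudy, so the secret must be the key and never the scheme.")


def frequency_attack_hits(plaintext=SAMPLE):
    """True when the top-frequency guess recovers the real key entry for 'e'."""
    cipher_letter, guessed = top_guess(encrypt(plaintext))
    return DEC[cipher_letter] == guessed
```

Run on the slide's own sentence it reproduces "nkn. s gktc wky. mgsbc"; run on a paragraph of English it pairs ciphertext 'c' with plaintext 'e' without trying a single key, which is why a 4 × 10^26 keyspace buys nothing here.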
Symmetric key cryptography
symmetric key crypto: Bob and Alice share (both know) the same (symmetric) key: K_A-B
- e.g., the key is knowing the substitution pattern in a monoalphabetic substitution cipher
- Q: how do Bob and Alice agree on the key value?
[Figure: plaintext message m -> encryption algorithm (key K_A-B) -> ciphertext K_A-B(m) -> decryption algorithm (key K_A-B) -> plaintext m = K_A-B(K_A-B(m)).]
Public Key Cryptography
symmetric key crypto
- requires sender, receiver know the shared secret key
- Q: how to agree on the key in the first place (particularly if they never "met")?
public key cryptography
- radically different approach [Diffie-Hellman76, RSA78]
- sender, receiver do not share a secret key
- public encryption key known to all
- private decryption key known only to the receiver
Public key cryptography
[Figure: plaintext message m -> encryption algorithm (Bob's public key K_B+) -> ciphertext K_B+(m) -> decryption algorithm (Bob's private key K_B-) -> plaintext m = K_B-(K_B+(m)).]
Public key encryption algorithms
Requirements:
1. need K_B+( ) and K_B-( ) such that K_B-(K_B+(m)) = m
2. given the public key K_B+, it should be impossible to compute the private key K_B-
RSA: Rivest, Shamir, Adleman algorithm
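An added example (not from the slides) of textbook RSA at toy size, to make the two requirements concrete: requirement 1 holds because K_B-(K_B+(m)) = m, and requirement 2 visibly fails when n is small enough to factor, which is the whole reason real keys are 2048 bits or more. The primes 61 and 53 and the message 65 are constructed here.

```python
import math


def rsa_keygen(p, q, e=17):
    """Textbook RSA from two primes. Returns (public_key, private_key) as (n, e), (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse, e*d = 1 (mod phi); Python 3.8+
    return (n, e), (n, d)


def encrypt(public_key, m):
    """K_B+(m): c = m^e mod n. The message is an integer in [0, n)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, e, n)


def decrypt(private_key, c):
    """K_B-(c): m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)


def recover_private_key(public_key):
    """What requirement 2 forbids: deriving K_B- from K_B+ alone. Works here only
    because the toy modulus yields to trial division; once n is known to be p*q,
    phi and therefore d follow immediately."""
    n, e = public_key
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return (n, pow(e, -1, (p - 1) * (q - 1)))
    raise ValueError("n has no small factor")


def demo():
    """Constructed toy key: p=61, q=53, so n=3233; message m=65."""
    pub, priv = rsa_keygen(61, 53)
    c = encrypt(pub, 65)
    return {
        "public": pub, "private": priv, "ciphertext": c,
        "roundtrip": decrypt(priv, c),
        "recovered_private": recover_private_key(pub),
    }
```

Two caveats a practitioner should attach to this: RSA also satisfies K_B+(K_B-(m)) = m, which is what later makes signatures possible; and raw (unpadded) RSA as shown here is deterministic, so the same message always gives the same ciphertext. Deployed systems add randomized padding (OAEP) and never encrypt a bare integer like this.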
Overview (roadmap: what is network security?, principles of cryptography, authentication, access control: firewalls, attacks and countermeasures). Next: Authentication.
Authentication
Goal: Bob wants Alice to "prove" her identity to him
Protocol ap1.0: Alice says "I am Alice"
Failure scenario: in a network, Bob cannot "see" Alice, so Trudy simply declares herself to be Alice ("I am Alice").
Authentication: another try
Protocol ap2.0: Alice says "I am Alice" in an IP packet containing her source IP address
Failure scenario: Trudy can create a packet "spoofing" Alice's address ("I am Alice", Alice's IP address).
Authentication: another try
Protocol ap3.0: Alice says "I am Alice" and sends her secret password to "prove" it.
[Exchange: Alice -> Bob: "I'm Alice", Alice's IP addr, Alice's password. Bob -> Alice: OK, Alice's IP addr.]
Failure scenario: playback attack. Trudy records Alice's packet and later plays it back to Bob ("I'm Alice", Alice's IP addr, Alice's password), and Bob answers OK.
Authentication: yet another try
Protocol ap3.1: Alice says "I am Alice" and sends her encrypted secret password to "prove" it.
[Exchange: Alice -> Bob: "I'm Alice", Alice's IP addr, encrypted password. Bob -> Alice: OK, Alice's IP addr.]
Failure scenario: record and playback still works! Trudy never needs to decrypt the password: she replays the same encrypted bytes ("I'm Alice", Alice's IP addr, encrypted password) and Bob accepts them exactly as before.
Authentication: yet another try
Goal: avoid the playback attack
Nonce: a number (R) used only once in a lifetime
ap4.0: to prove Alice is "live", Bob sends Alice a nonce, R. Alice must return R, encrypted with the shared secret key.
[Exchange: Alice -> Bob: "I am Alice". Bob -> Alice: R. Alice -> Bob: K_A-B(R).]
Alice is live, and only Alice knows the key to encrypt the nonce, so it must be Alice!
Failures, drawbacks?
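An added example (not from the slides) that runs both sides of ap4.0 and then lets Trudy try the ap3.x trick against it. One substitution is made and labelled: where the slide encrypts R with K_A-B, this code computes an HMAC-SHA256 over R with K_A-B, a keyed function with the property Bob actually relies on (only a holder of the key can produce the correct value for a fresh R). The key bytes are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed shared key K_A-B for this example; real keys are random and never literals.
KEY_AB = b"constructed-shared-secret-K_A-B"


def keyed_response(key, nonce):
    """Alice's reply K_A-B(R). Stand-in for 'R encrypted with the shared key':
    HMAC-SHA256(K_A-B, R), which nobody without K_A-B can forge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Bob:
    """Verifier side of ap4.0."""

    def __init__(self, key):
        self.key = key
        self.pending = None      # nonce issued for the attempt in progress
        self.seen = set()        # every nonce ever issued: 'once in a lifetime'

    def challenge(self):
        r = secrets.token_bytes(16)
        while r in self.seen:    # never reissue a nonce
            r = secrets.token_bytes(16)
        self.seen.add(r)
        self.pending = r
        return r

    def verify(self, response):
        r, self.pending = self.pending, None   # a nonce is checked at most once
        if r is None:
            return False
        return hmac.compare_digest(response, keyed_response(self.key, r))


def ap3_password_login(stored_password, presented_password):
    """ap3.0/ap3.1 for contrast: a fixed credential. Whatever Trudy recorded
    is exactly as good as the original, encrypted or not."""
    return hmac.compare_digest(stored_password, presented_password)


def run_ap4_sessions():
    """Session 1: Alice answers Bob's fresh nonce while Trudy records the reply.
    Session 2: Trudy claims to be Alice and replays that recorded reply.
    Returns (alice_accepted, trudy_accepted)."""
    bob = Bob(KEY_AB)
    r1 = bob.challenge()
    alice_reply = keyed_response(KEY_AB, r1)
    trudy_capture = alice_reply
    alice_accepted = bob.verify(alice_reply)

    bob.challenge()              # r2 != r1 by construction, so the capture is stale
    trudy_accepted = bob.verify(trudy_capture)
    return alice_accepted, trudy_accepted
```

On the slide's "Failures, drawbacks?": the code still needs K_A-B to exist on both sides before the first message, which is the key-distribution problem public key cryptography was introduced to solve, and it authenticates only the moment of the handshake, saying nothing about who sends the packets that follow.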
Overview (roadmap: what is network security?, principles of cryptography, authentication, access control: firewalls, attacks and countermeasures). Next: Access control: firewalls.
Firewalls
firewall: isolates an organization's internal net from the larger Internet, allowing some packets to pass and blocking others.
[Figure: administered network | firewall | public Internet.]
Firewalls: Why
- prevent denial of service attacks: SYN flooding: attacker establishes many bogus TCP connections, no resources left for "real" connections.
- prevent illegal modification/access of internal data, e.g., attacker replaces CIA's homepage with something else
- allow only authorized access to the inside network (set of authenticated users/hosts)
two types of firewalls:
- application-level
- packet-filtering
Packet Filtering
- internal network connected to the Internet via a router firewall
- router filters packet-by-packet; the decision to forward/drop a packet is based on:
  - source IP address, destination IP address
  - TCP/UDP source and destination port numbers
  - ICMP message type
  - TCP SYN and ACK bits
Should an arriving packet be allowed in? A departing packet let out?
Packet Filtering
Example 1: block incoming and outgoing datagrams with IP protocol field = 17 (UDP), and block those with TCP source or dest port = 23. All incoming and outgoing UDP flows and telnet connections are blocked. (These are two separate rules: a single rule requiring protocol = 17 and port = 23 would block only UDP traffic on port 23.)
Example 2: Block inbound TCP segments with ACK = 0. Prevents external clients from making TCP connections with internal hosts, but allows internal clients to connect to the outside. (Only the opening SYN of a connection has ACK = 0; any inbound segment with ACK = 1 is let through, whether or not it belongs to a real connection.)
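An added example (not from the slides) of a stateless packet filter that implements both examples over constructed traffic. Addresses come from the RFC 5737 documentation ranges and 10.0.0.0/8 plays the administered network; the rule names are this example's own. It also shows the cost of each rule: Example 1 drops DNS replies along with everything else UDP, and Example 2 cannot tell a forged ACK-only segment from one belonging to a real connection.

```python
from dataclasses import dataclass

TCP, UDP, ICMP = 6, 17, 1


@dataclass(frozen=True)
class Packet:
    direction: str        # "in": arriving from the Internet; "out": leaving the administered net
    proto: int            # IP protocol field
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False     # TCP SYN bit
    ack: bool = False     # TCP ACK bit


# Example 1 as two rules (one rule 'protocol = 17 AND port = 23' would only hit UDP/23).
def block_all_udp(p):
    return p.proto == UDP


def block_telnet(p):
    return p.proto == TCP and 23 in (p.sport, p.dport)


# Example 2: an inbound TCP segment with ACK = 0 can only be the opening SYN of a
# connection that an outside host is trying to initiate.
def block_inbound_connection_setup(p):
    return p.direction == "in" and p.proto == TCP and not p.ack


RULES = [
    ("block all UDP", block_all_udp),
    ("block telnet", block_telnet),
    ("block inbound ACK=0", block_inbound_connection_setup),
]


def filter_packet(p, rules=RULES):
    """Stateless filter: the first matching rule drops the packet, otherwise forward."""
    for name, matches in rules:
        if matches(p):
            return ("drop", name)
    return ("forward", None)


# Constructed traffic. 10.0.0.5 is an internal client, 10.0.0.80 an internal web server.
SAMPLE_PACKETS = {
    "inbound DNS reply":     Packet("in",  UDP, "203.0.113.53", "10.0.0.5", 53, 5353),
    "outbound telnet":       Packet("out", TCP, "10.0.0.5", "203.0.113.7", 40000, 23, syn=True),
    "outbound web SYN":      Packet("out", TCP, "10.0.0.5", "203.0.113.80", 40001, 80, syn=True),
    "inbound web SYN-ACK":   Packet("in",  TCP, "203.0.113.80", "10.0.0.5", 80, 40001, syn=True, ack=True),
    "inbound SYN to server": Packet("in",  TCP, "203.0.113.9", "10.0.0.80", 50000, 80, syn=True),
    "inbound forged ACK":    Packet("in",  TCP, "203.0.113.9", "10.0.0.80", 50000, 22, ack=True),
}


def verdicts(packets=SAMPLE_PACKETS):
    """{packet label: 'drop' | 'forward'} for the sample traffic."""
    return {label: filter_packet(p)[0] for label, p in packets.items()}
```

The last sample packet is the practitioner's caveat: a segment with ACK = 1 that was never part of any handshake is forwarded to an internal host's port 22, which is why stateless ACK filtering is the basis of ACK scans and why stateful filters track the handshake instead.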
Overview (roadmap: what is network security?, principles of cryptography, authentication, access control: firewalls, attacks and countermeasures). Next: Attacks and countermeasures.
Internet security threats
Packet sniffing:
- broadcast media
- a promiscuous NIC reads all packets passing by
- can read all unencrypted data (e.g. passwords)
- e.g.: C sniffs B's packets
[Figure: hosts A, B, C on a shared medium; the packet src:B dest:A payload is seen by C.]
Countermeasures?
Internet security threats
Packet sniffing: countermeasures
- all hosts in the organization run software that checks periodically whether the host interface is in promiscuous mode.
[Figure: hosts A, B, C on a shared medium; packet src:B dest:A payload.]
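An added example (not from the slides) of the periodic check the slide describes, for Linux hosts: the kernel exposes each interface's flags as a hex string in /sys/class/net/<iface>/flags, and the IFF_PROMISC bit (0x100, from <linux/if.h>) is set while a sniffer such as tcpdump has the interface open. The snapshot values used for the check are constructed.

```python
import os

IFF_PROMISC = 0x100   # <linux/if.h>: interface receives every frame, not only its own


def is_promiscuous(flags_text):
    """`flags_text` is the contents of /sys/class/net/<iface>/flags, e.g. '0x1003'
    for an ordinary UP interface and '0x1103' for the same interface under tcpdump."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def read_sysfs_flags(sysfs_net="/sys/class/net"):
    """Snapshot {iface: flags_text} from sysfs. Empty on non-Linux hosts."""
    snapshot = {}
    if not os.path.isdir(sysfs_net):
        return snapshot
    for name in sorted(os.listdir(sysfs_net)):
        try:
            with open(os.path.join(sysfs_net, name, "flags")) as fh:
                snapshot[name] = fh.read()
        except OSError:        # interface vanished, or no flags file (e.g. a bonding master)
            continue
    return snapshot


def promiscuous_interfaces(snapshot):
    """Interfaces in the snapshot that should be reported by the periodic check."""
    return sorted(name for name, flags in snapshot.items() if is_promiscuous(flags))


# Constructed snapshot standing in for a real host: loopback, a normal NIC,
# and a NIC that a sniffer has put into promiscuous mode.
CONSTRUCTED_SNAPSHOT = {"lo": "0x9\n", "eth0": "0x1003\n", "eth1": "0x1103\n"}


def check_this_host():
    return promiscuous_interfaces(read_sysfs_flags())
```

The limit of this countermeasure is worth stating: it only catches hosts that report honestly. A host the attacker controls can hide the flag, a tap on the cable sets no flag anywhere, and on a switched network the NIC sees little to begin with. Encrypting the data (the confidentiality goal from the start of the lecture) is the countermeasure that holds regardless of who is listening.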
Internet security threats
IP Spoofing:
- can generate "raw" IP packets directly from an application, putting any value into the IP source address field
- the receiver can't tell if the source is spoofed
- e.g.: C pretends to be B
[Figure: hosts A, B, C; C sends the packet src:B dest:A payload.]
Countermeasures?
Internet security threats
IP Spoofing: ingress filtering
- routers should not forward outgoing packets with invalid source addresses (e.g., a datagram whose source address is not in the router's network); this is the practice standardized as BCP 38 (RFC 2827)
- great, but ingress filtering cannot be mandated for all networks
[Figure: hosts A, B, C; the packet src:B dest:A payload sent by C.]
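An added example (not from the slides) of the ingress check at the customer-facing edge router, on constructed packets from host C. The prefix and addresses are RFC 5737 documentation ranges chosen for this example. The third packet is the caveat: the check confines spoofing to the router's own prefix, it does not eliminate it, and a transit router further in cannot apply it at all because it has no idea which source addresses are legitimate on its links, which is the "cannot be mandated" problem.

```python
import ipaddress

# Constructed topology: this edge router serves one customer prefix.
CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]


def source_is_valid(src_ip, prefixes=CUSTOMER_PREFIXES):
    """BCP 38 / RFC 2827 ingress check: an outgoing packet may only carry a source
    address from a network this router serves."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in prefixes)


def filter_outgoing(packets, prefixes=CUSTOMER_PREFIXES):
    """Returns [(src, dst, verdict)] for a list of (src, dst) outgoing packets."""
    return [(src, dst, "forward" if source_is_valid(src, prefixes) else "drop")
            for src, dst in packets]


# Constructed packets from host C (198.51.100.7). A is 192.0.2.10; B is 203.0.113.9.
C_PACKETS = [
    ("198.51.100.7", "192.0.2.10"),    # C's own address: forwarded
    ("203.0.113.9", "192.0.2.10"),     # C pretending to be B, outside the prefix: dropped
    ("198.51.100.200", "192.0.2.10"),  # C pretending to be a neighbour inside the prefix: forwarded
]


def demo():
    return filter_outgoing(C_PACKETS)
```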
Malicious Software

Virus Growth (source: McAfee)
- 1988: fewer than 10 known viruses
- 1990: a new virus found every day
- 1993: 10-30 new viruses per week
- 1999: 45,000 viruses and variants
[Chart: bar chart of known virus counts for 1988, 1990, 1993, 1999; y-axis 0 to 60,000.]
The Spread of the Sapphire/Slammer SQL Worm