©The McGraw-Hill Companies, Inc., 2000 © Adapted for use at JMU by Mohamed Aboutabl, 2003

Chapter 29: Internet Security




CONTENTS
• INTRODUCTION
• PRIVACY
• DIGITAL SIGNATURE
• SECURITY IN THE INTERNET
• APPLICATION LAYER SECURITY
• TRANSPORT LAYER SECURITY: TLS
• SECURITY AT THE IP LAYER: IPSEC
• FIREWALLS


29.1 Aspects of security

Privacy = Confidentiality of the transmitted message (encryption)
Authentication = The sender (not an imposter) sent the message
Integrity = Message arrives without corruption
Nonrepudiation = Sender cannot deny the message


29.2 Privacy: Secret-key Encryption

The same key is used by the sender (for encryption) and the receiver (for decryption). The key is shared.

Often called symmetric encryption because the same key can be used in both directions.

The algorithms are efficient and take less time to compute. Often used for long messages.

Each pair must have a secret key. N people need ½N(N-1) keys.

It is difficult to distribute the secret key.

KDC can solve the problem of secret-key distribution.


Privacy: Public-key Encryption

Each entity has two distinct keys: a private key and a public key.
Sender uses the receiver’s public key to encrypt the plaintext.
Receiver uses its own private key to decrypt the ciphertext.

No other private key can decrypt the ciphertext.
N people need 2N keys.
Easy key distribution.
Requires more time to encrypt/decrypt than the secret-key method.
• More suitable for short messages

How to authenticate the binding between an entity and its public key?


Certification Authorities (CAs)

A trusted agency used to verify that a public key belongs to a specific entity.

Issues a certificate: the public key + the entity’s information (e.g. name, router IP), encrypted using the CA’s private key.

Each receiver uses the CA’s public key to decrypt the sender’s certificate and thus obtains the sender’s public key.


Secret Key + Public Key Combination


29.3 Digital Signature

Encryption achieves privacy only.
Digital Signature’s goal is to achieve authentication and nonrepudiation of sender + integrity of the message.
Sender signs the message with a unique signature.
Receiver verifies the sender’s signature.

Two options:
Signing the whole document
Signing a digest of the document


Signing the Whole Document

Sender uses its private key to encrypt (i.e. sign) the message.
Receiver uses the sender’s public key to decrypt (i.e. verify the signature of) the message.

Integrity: If message is intercepted and/or corrupted, the decrypted message is unreadable.

Authentication: If an imposter sent the message, using the intended sender’s public key to decrypt results in garbage.

Nonrepudiation: If sender denies the message, its private key is used by the authorities to decrypt the ciphertext. If results match, then the message really belongs to the sender.


Digital signature does not provide privacy.

If there is a need for privacy, another layer of encryption/decryption must be applied.


Signing the digest

Two common hash functions:
MD5 → 120-bit digest
SHA-1 → 160-bit digest

Properties of hash function:

1. One-Way: Message to digest but not vice versa

2. One-to-One: No two distinct messages generate the same digest


Sender site


Receiver site


Integrity, authenticity and nonrepudiation of the digest guarantee the same for the message. Why so?
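An added example (not part of the original slides) of the sender-site and receiver-site steps for signing a digest, showing that a changed message, a changed signature, or a signature made with another party's key is rejected. The keys, sample message and function names are assumptions made for illustration; the RSA is the unpadded textbook form with constructed teaching keys.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys


def make_key(p: int, q: int):
    """Build a toy RSA key from two primes; returns (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


# Constructed teaching keys from known Mersenne primes (unpadded textbook RSA).
# Both moduli are wider than 160 bits, so a SHA-1 digest fits without reduction.
SENDER_N, SENDER_D = make_key(2**127 - 1, 2**89 - 1)
IMPOSTER_N, IMPOSTER_D = make_key(2**107 - 1, 2**61 - 1)


def digest(message: bytes) -> int:
    """Hash the message to a fixed-size digest (SHA-1, 160 bits)."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def sign(message: bytes, d: int, n: int) -> int:
    """Sender site: transform the digest with the signer's private key."""
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, n: int) -> bool:
    """Receiver site: recover the digest with the claimed sender's public key
    and compare it with a digest recomputed from the received message."""
    return pow(signature, E, n) == digest(message)


def demo() -> dict:
    msg = b"Pay Bob 100"                      # constructed sample message
    sig = sign(msg, SENDER_D, SENDER_N)
    forged = sign(msg, IMPOSTER_D, IMPOSTER_N)
    return {
        "genuine": verify(msg, sig, SENDER_N),
        "message_altered": verify(b"Pay Bob 900", sig, SENDER_N),
        "signature_altered": verify(msg, sig ^ 1, SENDER_N),
        "imposter_key": verify(msg, forged, SENDER_N),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: accepted={accepted}")
```

Only the 160-bit digest passes through the slow public-key operation, yet any change to the message changes the recomputed digest, so the check on the digest covers the whole message.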


29.4 Security in the Internet

At the Application layer: the PGP scheme

At the Transport layer: the TLS protocol

At the IP layer: IPSec

Firewalls


29.5 Application-Layer Security: PGP at the sender site


PGP at the receiver site


29.6 Transport Layer Security (TLS)


TLS: 1) The Handshake Protocol

[Figure: handshake message exchange. Labels: "Encrypted by server’s public key"; "Encrypted by client’s secret key"; "Includes server’s public key"; "Encrypted by client’s secret key".]

Data transfer is encrypted using the client-generated secret key.


29.7 Security at the IP-Layer: 1) Authentication Header Protocol


2) Encapsulating Security Payload (ESP)


Figure 29-16: ESP format


29.8 Firewalls


Figure 29-17: Firewall


Packet-filter firewall

A packet-filter firewall filters at the network or transport layer.


Proxy firewall

A proxy firewall filters at the application layer.