Segurança Informática nas redes 1
Segurança Informática - MIM 2011/12
MIM 2011/2012
Pedro Brandão
Segurança Informática
References
Some slides are based on “Computer Networking: A Top Down Approach”, 5th edition, Jim Kurose and Keith Ross, Addison-Wesley, April 2009.
Others are by Dr Lawrie Brown (UNSW@ADFA) for “Computer Security: Principles and Practice”, 1st edition, by William Stallings and Lawrie Brown.
Still others are from Mark Stamp, “Information Security: Principles and Practice”, 2nd edition (Wiley, 2011).
Seg. Informática - pbrandao
2
Contents
Overview
Some background (network stuff)
Crypto reminders
Steganography
Authentication
Access control/authorization
Side channels
CAPTCHAs
DoS Attacks
Firewalls
Intrusion Detection Systems (IDS)
Internet Security Protocols
Authentication protocol
SSL, IPsec, VPNs, S/MIME
Other subjects
Overview
Key Security Concepts
Computer Security Challenges
1. not simple
2. must consider potential attacks
3. procedures used counter-intuitive
4. must decide where to deploy mechanisms
5. involve algorithms and secret info
6. battle of wits between attacker / admin
7. benefit not perceived until it fails
8. requires regular monitoring
9. too often an after-thought
10. regarded as impediment to using system
Network Security Attacks
classify as passive or active
passive attacks are eavesdropping:
  release of message contents
  traffic analysis
  hard to detect, so aim to prevent
active attacks modify/fake data:
  masquerade
  replay
  modification
  denial of service
  hard to prevent, so aim to detect
Security Taxonomy
Background: network stuff
IP Address: intro
IP Address: 32 bits identifier of network interface
Routers have multiple interfaces
Terminals usually have only one
One IP address per each interface
[Figure: example network whose interfaces have addresses 223.1.1.1, 223.1.1.2, 223.1.1.3, 223.1.1.4, 223.1.2.1, 223.1.2.2, 223.1.2.9, 223.1.3.1, 223.1.3.2 and 223.1.3.27]
Decimal to binary: 223.1.1.1 = 11011111 00000001 00000001 00000001
128 bits for IPv6
Sub-networks
IP Address has two parts:
  sub-net part (most significant bits)
  node part (least significant bits)
What is a sub-net?
  Group of interfaces with the same sub-net IP address part
  Nodes can “reach” each other without router intervention
[Figure: the same network, with its 3 sub-networks marked: 223.1.1.x, 223.1.2.x and 223.1.3.x]
IP Address: CIDR
CIDR: Classless Inter Domain Routing: the subnet part has arbitrary size
format: a.b.c.d/x, where x is the number of bits of the subnet part
Example: 200.23.16.0/23 = 11001000 00010111 00010000 00000000; the first 23 bits are the subnet part, the remaining 9 bits the node part
Routing – Tables
[Figure: networks Net 1 to Net 5 connected by routers R1, R2 and R3; the table below is R2's]

Destination   Next Hop
Net 1         R1
Net 2         Direct delivery
Net 3         Direct delivery
Net 4         R3
Net 5         R1

[Figure: the same topology with real addresses: networks 14.0.0.0, 145.12.0.0, 192.170.1.0, 192.170.20.0 and 81.0.0.0; router interfaces 14.0.0.1, 81.0.0.1, 145.12.0.1, 145.12.0.7, 192.170.1.1, 192.170.1.7 and 192.170.20.1; the table below belongs to the router directly attached to 145.12.0.0 and 192.170.1.0]

Destination    Mask             Next Hop
14.0.0.0       255.0.0.0        145.12.0.1
145.12.0.0     255.255.0.0      Direct delivery
192.170.1.0    255.255.255.0    Direct delivery
192.170.20.0   255.255.255.0    192.170.1.7
81.0.0.0       255.0.0.0        145.12.0.1
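The CIDR notation and the forwarding table above, worked through as an added example (not from the slides): converting dotted addresses to bits, testing membership of an a.b.c.d/x block, and a longest-prefix-match lookup over the slide's own table.

```python
# Routing table from the slide: (destination network, mask, next hop).
ROUTING_TABLE = [
    ("14.0.0.0",     "255.0.0.0",     "145.12.0.1"),
    ("145.12.0.0",   "255.255.0.0",   "Direct delivery"),
    ("192.170.1.0",  "255.255.255.0", "Direct delivery"),
    ("192.170.20.0", "255.255.255.0", "192.170.1.7"),
    ("81.0.0.0",     "255.0.0.0",     "145.12.0.1"),
]


def ip_to_int(dotted):
    """Dotted quad -> 32-bit integer, validating each octet."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | octet
    return value


def ip_to_binary(dotted):
    """223.1.1.1 -> '11011111 00000001 00000001 00000001', as written on the slide."""
    return " ".join(f"{int(p):08b}" for p in dotted.split("."))


def prefix_to_mask(prefix_len):
    """/x -> 32-bit mask with the x most significant bits set."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def mask_to_prefix(mask_dotted):
    """255.255.0.0 -> 16; rejects masks whose set bits are not contiguous."""
    mask = ip_to_int(mask_dotted)
    prefix_len = bin(mask).count("1")
    if prefix_to_mask(prefix_len) != mask:
        raise ValueError(f"non-contiguous netmask {mask_dotted!r}")
    return prefix_len


def in_subnet(addr, cidr):
    """True if addr lies in the a.b.c.d/x block: the subnet bits must agree."""
    net, bits = cidr.split("/")
    mask = prefix_to_mask(int(bits))
    return (ip_to_int(addr) & mask) == (ip_to_int(net) & mask)


def next_hop(addr, table=ROUTING_TABLE):
    """Longest-prefix match: the most specific matching row wins.
    Returns None when nothing matches (this table has no default route)."""
    best, best_len = None, -1
    a = ip_to_int(addr)
    for dest, mask_dotted, hop in table:
        prefix_len = mask_to_prefix(mask_dotted)
        mask = prefix_to_mask(prefix_len)
        if (a & mask) == (ip_to_int(dest) & mask) and prefix_len > best_len:
            best, best_len = hop, prefix_len
    return best
```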
IP addresses: how to get one?
Who says which machine has which IP address?
  hard-coded by the system admin in a file
  DHCP: Dynamic Host Configuration Protocol: dynamically get the address from a server (“plug-and-play”)
DHCP: Dynamic Host Configuration Protocol
Goal: allow a host to dynamically obtain its IP address from a network server when it joins the network
  Can renew its lease on the address in use
  Allows reuse of addresses (an address is only held while the host is connected and “on”)
  Support for mobile users who want to join the network
DHCP overview:
  host broadcasts “DHCP discover” msg [optional]
  DHCP server responds with “DHCP offer” msg [optional]
  host requests IP address: “DHCP request” msg
  DHCP server sends address: “DHCP ack” msg
DHCP client-server scenario
[Figure: the three-sub-net network from before, with hosts A, B and E and a DHCP server; an arriving DHCP client needs an address in this network]
DHCP: more than IP address
DHCP can return more than just the allocated IP address on the subnet:
  address of the first-hop router for the client
  name and IP address of the DNS server
  network mask (indicating the network versus host portion of the address)
Reminder: Internet Stack
application: network applications (FTP, SMTP, HTTP)
transport: data transfer between processes (TCP, UDP)
network: routing of datagrams between source and destination (IP, routing protocols)
link (“logic” layer in the slides): data transfer between adjacent network elements (PPP, Ethernet)
physical: bits on the “wire”
Link Layer: Introduction - terminology
hosts and routers are nodes
communication channels that connect adjacent nodes along communication path are links
wired links
wireless links
LANs
layer-2 packet is a frame, encapsulates datagram
data-link layer has responsibility of transferring datagram from one node to adjacent node over a link
Link Layer Services
framing, link access: encapsulate datagram into frame, adding header, trailer
  channel access if shared medium
  “MAC” addresses used in frame headers to identify source, destination (different from IP address!)
reliable delivery between adjacent nodes: similar techniques to transport layer
  seldom used on low bit-error links (fiber, some twisted pair)
  used on wireless links: high error rates
MAC Addresses and ARP
32-bit IP address: network-layer address, used to get datagram to destination IP subnet
MAC (or LAN or physical or Ethernet) address: function: get frame from one interface to another physically-connected interface (same network)
  48-bit MAC address (for most LANs)
  burned in NIC ROM, also sometimes software settable
LAN Addresses and ARP
Each adapter on LAN has unique LAN address
Broadcast address = FF-FF-FF-FF-FF-FF
[Figure: LAN (wired or wireless) with four adapters, addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98 and 71-65-F7-2B-08-53]
ARP: Address Resolution Protocol
Each IP node on LAN has ARP table
ARP table: IP/MAC address mappings for some LAN nodes
Question: how to determine MAC address of B knowing B’s IP address?
[Figure: LAN with four nodes, IP addresses 137.196.7.23, 137.196.7.78, 137.196.7.14 and 137.196.7.88, MAC addresses 1A-2F-BB-76-09-AD, 58-23-D7-FA-20-B0, 0C-C4-11-6F-E3-98 and 71-65-F7-2B-08-53]
Ethernet – Star topology
bus topology popular through mid 90s: all nodes in same collision domain (can collide with each other); bus: coaxial cable
today: star topology prevails: active switch in center
  each “spoke” runs a (separate) Ethernet protocol (nodes do not collide with each other)
Switches vs. Routers
both store-and-forward devices
routers: network layer devices (examine network layer headers); maintain routing tables, implement routing algorithms
switches: link layer devices; maintain switch tables, implement filtering, learning algorithms
Elements of a wireless network
wireless hosts
  laptop, PDA, IP phone
  run applications
  may be stationary (non-mobile) or mobile
  wireless does not always mean mobility
Elements of a wireless network
base station
  typically connected to wired network
  relay: responsible for sending packets between wired network and wireless host(s) in its “area”
  e.g., cell towers, 802.11 access points
Elements of a wireless network
wireless link
  typically used to connect mobile(s) to base station
  also used as backbone link
  multiple access protocol coordinates link access
  various data rates, transmission distance
Elements of a wireless network
infrastructure mode
  base station connects mobiles into wired network
  handoff: mobile changes base station providing connection into wired network
Elements of a wireless network
ad hoc mode
  no base stations
  nodes can only transmit to other nodes within link coverage
  nodes organize themselves into a network: route among themselves
Characteristics of selected wireless link standards
[Figure: chart of data rate (Mbps: 0.056, 0.384, 1, 4, 5-11, 54, 200) against range (indoor 10-30 m; outdoor 50-200 m; mid-range outdoor 200 m - 4 km; long-range outdoor 5-20 km) for IS-95/CDMA/GSM (2G), UMTS/WCDMA/CDMA2000 (3G), UMTS/WCDMA-HSPDA and CDMA2000-1xEVDO (3G cellular enhanced), 802.15, 802.11b, 802.11a/g, 802.11n, 802.11a/g point-to-point and 802.16 (WiMAX)]
Mesh Networks
[Figure: mesh network attached to the Internet through ISP A and ISP B; legend: wired link, wireless link to infrastructure, wireless link to mesh]
Crypto reminders
Symmetric Encryption
Public Key Encryption
Public Key Authentication
Message Authentication Codes
Secure Hash Functions
Message Authentication
X.509 Certificates
CA root certificates
Free CAs for email.
Server Certificate
Mail certificate
Steganography
Steganography
According to Herodotus (Greece 440 BC)
Shaved slave’s head
Wrote message on head
Let hair grow back
Send slave to deliver message
Shave slave’s head to expose message (warning of Persian invasion)
Historically, steganography used more than cryptography!
Images and Steganography
Images use 24 bits for color: RGB
8 bits for red, 8 for green, 8 for blue
For example
0x7E 0x52 0x90 is this color
0xFE 0x52 0x90 is this color
While
0xAB 0x33 0xF0 is this color
0xAB 0x33 0xF1 is this color
Low-order bits don’t matter…
Images and Stego
Given an uncompressed image file…
For example, BMP format
…we can insert information into low-order RGB bits
Since low-order RGB bits don’t matter, result will be “invisible” to human eye
But, computer program can “see” the bits
Stego Example 1
Left side: plain Alice image
Right side: Alice with entire Alice in Wonderland (pdf) “hidden” in the image
Non-Stego Example
Walrus.html in web browser
“View source” reveals:
<font color=#000000>"The time has come," the Walrus said,</font><br>
<font color=#000000>"To talk of many things: </font><br>
<font color=#000000>Of shoes and ships and sealing wax </font><br>
<font color=#000000>Of cabbages and kings </font><br>
<font color=#000000>And why the sea is boiling hot </font><br>
<font color=#000000>And whether pigs have wings." </font><br>
Stego Example 2
stegoWalrus.html in web browser
“View source” reveals:
<font color=#000100>"The time has come," the Walrus said,</font><br>
<font color=#010000>"To talk of many things: </font><br>
<font color=#010100>Of shoes and ships and sealing wax </font><br>
<font color=#010000>Of cabbages and kings </font><br>
<font color=#010000>And why the sea is boiling hot </font><br>
<font color=#010000>And whether pigs have wings." </font><br>
“Hidden” message (low-order bit of each of R, G, B per line): 010 100 110 100 100 100, i.e. 01010011 = S, 01001001 = I, 00…
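The decoding step above, as an added example that is not part of the slides: a small program that reads the low-order bit of each colour channel from the stegoWalrus.html listing and a check that flags "black" text whose colour is not exactly #000000 (the plain Walrus.html, reconstructed below from the previous slide, passes that check).

```python
import re

# Constructed from the slide's stegoWalrus.html "View source" listing.
STEGO_HTML = """<font color=#000100>"The time has come," the Walrus said,</font><br>
<font color=#010000>"To talk of many things: </font><br>
<font color=#010100>Of shoes and ships and sealing wax </font><br>
<font color=#010000>Of cabbages and kings </font><br>
<font color=#010000>And why the sea is boiling hot </font><br>
<font color=#010000>And whether pigs have wings." </font><br>
"""

# The plain Walrus.html uses #000000 on every line.
PLAIN_HTML = (STEGO_HTML.replace("#000100", "#000000")
                        .replace("#010100", "#000000")
                        .replace("#010000", "#000000"))

COLOR_RE = re.compile(r'<font\s+color=#([0-9a-fA-F]{6})\s*>')


def rgb_channels(hexcolor):
    """'010100' -> (1, 1, 0): the R, G and B bytes of a 24-bit colour."""
    return tuple(int(hexcolor[i:i + 2], 16) for i in (0, 2, 4))


def low_order_bits(html):
    """What a program 'sees': the least-significant bit of R, G and B of every
    font colour, concatenated in document order."""
    out = []
    for hexcolor in COLOR_RE.findall(html):
        out.append("".join(str(c & 1) for c in rgb_channels(hexcolor)))
    return "".join(out)


def bits_to_text(bits):
    """Group the bit string into 8-bit ASCII codes; return (text, leftover bits)."""
    whole = len(bits) - len(bits) % 8
    text = "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, whole, 8))
    return text, bits[whole:]


def near_black_colors(html):
    """Steganalysis check: colours that look black to the eye but carry set low bits."""
    return [c for c in COLOR_RE.findall(html)
            if c.lower() != "000000" and all(ch <= 1 for ch in rgb_channels(c))]
```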
Authentication
User Authentication
fundamental security building block: basis of access control & user accountability
is the process of verifying an identity claimed by or for a system entity
has two steps:
  identification: specify identifier
  verification: bind entity (person) and identifier
distinct from message authentication
Means of User Authentication
four means of authenticating a user's identity, based on something the individual:
  knows, e.g. password, PIN
  possesses, e.g. key, token, smartcard
  is (static biometrics), e.g. fingerprint, retina
  does (dynamic biometrics), e.g. voice, signature
can use alone or combined
all can provide user authentication
all have issues
Why Passwords?
Why is “something you know” more popular than “something you have” and “something you are”?
Cost: passwords are free
Convenience: easier for admin to reset pwd than to issue a new thumb
Keys vs Passwords
Crypto keys
  Suppose the key is 64 bits
  Then there are 2^64 keys
  Choose the key at random…
  …then the attacker must try about 2^63 keys
Passwords
  Suppose passwords are 8 characters, from 256 different characters
  Then there are 256^8 = 2^64 passwords
  Users do not select passwords at random
  Attacker has far fewer than 2^63 passwords to try (dictionary attack)
Bank password: m1S3cr3t
Good and Bad Passwords
Bad passwords: frank, Fido, password, 4444, Pikachu, 102560, AustinStamp
Good passwords?: jfIej,43j-EmmL+y, 09864376537263, P0kem0N, FSa7Yago, 0nceuP0nAt1m8, PokeGCTall150
Token Authentication
object the user possesses to authenticate, e.g. embossed card, magnetic stripe card, memory card, smartcard
Smart card
Cartão de Cidadão
From [SecHISSantos]
Cartão de Cidadão
From [SecHISSantos]
CC Properties
Property (X marks in the columns Visible / Machine Readable Zone / Integrated Circuit)
Last names                                         X X X
First names                                        X X X
Parents' names                                     X X
Nationality                                        X X X
Birth date                                         X X X
Sex                                                X X X
Height                                             X X
Facial image                                       X X
Signature                                          X
Civil ID number                                    X X
Tax ID number                                      X X
Health ID number                                   X X
Social Security ID number                          X X
Document number                                    X X X
Issuing country (Portuguese Republic)              X
Type of document                                   X
Expiry date                                        X X
Issue date                                         X
Address                                            X (1)
Fingerprints (2)                                   X (2)
Eventual indications, according to the law         X
Authentication certificate                         X (2)
Electronic signature certificate                   X
Software applications needed                       X
Free writing zone for citizen use                  X
Additional health data (health sub-system, etc.)   X
(1) Data not accessible. (2) PIN (password) protected access/use.
From [SecHISSantos]
Biometric Authentication
authenticate user based on one of their physical characteristics
Operation of a Biometric System
Remote User Authentication
authentication over a network is more complex: problems of eavesdropping, replay
generally use challenge-response:
  user sends identity
  host responds with a random number r
  user computes f(r, h(P)) and sends it back
  host compares the value from the user with its own computed value; if they match, the user is authenticated
protects against a number of attacks
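The challenge-response exchange above, as an added example that is not from the slides. The choices of h (SHA-256) and f (an HMAC keyed with h(P) over r) are assumptions; the slide leaves both abstract. The host stores only h(P), each challenge is single-use, so a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets


def h(password):
    """h(P): what the host stores instead of the password (SHA-256 chosen here)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def f(r, hp):
    """f(r, h(P)): an HMAC over the challenge, keyed with h(P) (our choice of f)."""
    return hmac.new(hp, r, hashlib.sha256).digest()


class Host:
    def __init__(self):
        self.users = {}      # identity -> h(P)
        self.pending = {}    # identity -> outstanding challenge r

    def register(self, identity, password):
        self.users[identity] = h(password)

    def challenge(self, identity):
        """Step 2: the host answers the identity claim with a fresh random number."""
        if identity not in self.users:
            raise KeyError(f"unknown user {identity!r}")
        r = secrets.token_bytes(16)
        self.pending[identity] = r
        return r

    def verify(self, identity, response):
        """Step 4: recompute f(r, h(P)) and compare. The challenge is consumed
        whether or not the response is right, which is what defeats replay."""
        r = self.pending.pop(identity, None)
        if r is None:
            return False      # no live challenge: replayed or out-of-order message
        return hmac.compare_digest(f(r, self.users[identity]), response)


class User:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password

    def respond(self, r):
        """Step 3: the user computes f(r, h(P)) from the password and the challenge."""
        return f(r, h(self.password))


def authenticate(host, user):
    """Run one complete exchange; True if the host accepts."""
    r = host.challenge(user.identity)          # step 1 (identity) + step 2 (challenge)
    return host.verify(user.identity, user.respond(r))


def replayed_response(host, user):
    """What an eavesdropper gains: the captured response verifies once, then never again."""
    r = host.challenge(user.identity)
    captured = user.respond(r)
    return host.verify(user.identity, captured), host.verify(user.identity, captured)
```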
Authentication Security Issues
client attacks
host attacks
eavesdropping
replay
trojan horse
denial-of-service
Access Control
Access Control
“The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner“
central element of computer security
assume users and groups authenticate to system
assigned access rights to certain resources on system
Access Control Principles
Access Control Elements
subject: entity that can access objects; a process representing a user/application; often have 3 classes: owner, group, world
object: access-controlled resource, e.g. files, directories, records, programs etc; number/type depend on environment
access right: way in which a subject accesses an object, e.g. read, write, execute, delete, create, search
UNIX File Access Control
rwxrw----
  Owner can read, write and execute the file
  Any user in the owner’s group can read and write the file
  All other users cannot read, write or execute the file
Role-Based Access Control
Side channels
Multilevel Security (MLS)
MLS needed when subjects/objects at different levels use/are on the same system
Security levels for subjects and objects; for DoD levels, we have: TOP SECRET > SECRET > CONFIDENTIAL > UNCLASSIFIED
Subjects have clearances and objects have classifications
Covert Channel
MLS designed to restrict legitimate channels of communication
May be other ways for information to flow
For example, resources shared at different levels could be used to “signal” information
Covert channel: a communication path not intended as such by system’s designers
Covert Channel Example
Alice has TOP SECRET clearance, Bob has CONFIDENTIAL clearance
Suppose the file space shared by all users
Alice creates file FileXYzW to signal “1” to Bob, and removes file to signal “0”
Once per minute Bob lists the files
If file FileXYzW does not exist, Alice sent 0
If file FileXYzW exists, Alice sent 1
Alice can leak TOP SECRET info to Bob!
Inference Control Example
Suppose we query a database
Question: What is average salary of female CS professors at SJSU?
Answer: $95,000
Question: How many female CS professors at SJSU?
Answer: 1
Specific information has leaked from responses to general questions!
Inference Control and Research
For example, medical records are private but valuable for research
How to make info available for research and protect privacy?
How to allow access to such data without leaking specific information?
Naïve Inference Control
Remove names from medical records?
Still may be easy to get specific info from such “anonymous” data
Removing names is not enough
As seen in previous example
What more can be done?
Less-naïve Inference Control
Query set size control: don’t return an answer if the query set size is too small
N-respondent, k% dominance rule: do not release a statistic if k% or more of it is contributed by N or fewer respondents
  Example: average salary in Bill Gates’ neighborhood
  This approach is used by the US Census Bureau
Randomization: add a small amount of random noise to the data
Many other methods, none satisfactory
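The three controls above applied to the salary query from the earlier slide, as an added example (not from the slides). The records, thresholds (minimum set size 3, N = 1, k = 50%) and noise range are constructed for illustration; the uncontrolled functions are kept alongside to show the leak they permit.

```python
import random

# Constructed sample records (not real data). There is exactly one female CS
# professor, so any statistic over that set is really about one person.
RECORDS = [
    {"name": "A", "dept": "CS",   "sex": "F", "salary": 95000},
    {"name": "B", "dept": "CS",   "sex": "M", "salary": 80000},
    {"name": "C", "dept": "CS",   "sex": "M", "salary": 85000},
    {"name": "D", "dept": "CS",   "sex": "M", "salary": 90000},
    {"name": "E", "dept": "CS",   "sex": "M", "salary": 95000},
    {"name": "F", "dept": "Math", "sex": "M", "salary": 70000},
    {"name": "G", "dept": "Math", "sex": "F", "salary": 9000000},  # the "Bill Gates" neighbour
    {"name": "H", "dept": "Math", "sex": "F", "salary": 72000},
    {"name": "I", "dept": "Math", "sex": "M", "salary": 74000},
]


def query_set(records, criteria):
    """All records matching every (field, value) pair in criteria."""
    return [r for r in records if all(r[k] == v for k, v in criteria.items())]


def naive_average(records, criteria):
    """No inference control: with a one-member set this is that person's salary."""
    qs = query_set(records, criteria)
    return sum(r["salary"] for r in qs) / len(qs) if qs else None


def naive_count(records, criteria):
    return len(query_set(records, criteria))


def controlled_average(records, criteria, min_size=3, n=1, k=50.0, noise=0, rng=None):
    """Release the average only if it passes:
      1. query set size control: at least min_size respondents;
      2. the N-respondent, k% dominance rule: the top n contributors give < k% of the total;
      3. optionally, randomization: uniform noise in [-noise, +noise] is added."""
    qs = query_set(records, criteria)
    if len(qs) < min_size:
        return None                                   # set too small
    salaries = sorted((r["salary"] for r in qs), reverse=True)
    total = sum(salaries)
    if total > 0 and 100.0 * sum(salaries[:n]) / total >= k:
        return None                                   # dominated by a few respondents
    avg = total / len(qs)
    if noise and rng is not None:
        avg += rng.uniform(-noise, noise)
    return avg


def controlled_count(records, criteria, min_size=3):
    """Counts leak too (the 'how many?' query): apply the size rule to them as well."""
    c = len(query_set(records, criteria))
    return c if c >= min_size else None
```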
Side Channel Attacks on Crypto
Sometimes possible to recover the key without directly attacking the crypto algorithm
A side channel consists of “incidental information”
Side channels can arise due to:
  the way that a computation is performed
  media used, power consumed, unintended emanations, etc.
Induced faults can also reveal information
Side channel may reveal a crypto key
Side Channels
Emanations security (EMSEC): electromagnetic field (EMF) from a computer screen can allow the screen image to be reconstructed at a distance; smartcards have been attacked via EMF emanations
Differential power analysis (DPA): smartcard power usage depends on the computation
Differential fault analysis (DFA): key stored on a smartcard in the GSM system could be read using a flashbulb to induce faults
Timing analysis: different computations take different time; RSA keys recovered over a network (OpenSSL)!
CAPTCHA
Turing Test
Proposed by Alan Turing in 1950
Human asks questions to one human and one computer, without seeing either
If questioner cannot distinguish human from computer, computer passes the test
The gold standard in artificial intelligence
No computer can pass this today
But some claim to be close to passing
CAPTCHA
Completely Automated Public Turing test to tell Computers and Humans Apart
  Automated: the test is generated and scored by a computer program
  Public: program and data are public
  Turing test to tell…: humans can pass the test, but machines cannot
Also known as HIP == Human Interactive Proof
Like an inverse Turing test (well, sort of…)
CAPTCHA Paradox?
“…CAPTCHA is a program that can generate and grade tests that it itself cannot pass…”
“…much like some professors…”
Paradox: computer creates and scores a test that it cannot pass!
CAPTCHA used so that only humans can get access (i.e., no bots/computers)
CAPTCHA is for access control
CAPTCHA Uses?
Original motivation: automated bots stuffed the ballot box in a vote for best CS grad school (SJSU vs Stanford?)
Free email services: spammers like to use bots to sign up for 1000’s of email accounts; CAPTCHA employed so only humans get accounts
Sites that do not want to be automatically indexed by search engines: CAPTCHA would force human intervention
CAPTCHA: Rules of the Game
Easy for most humans to pass
Difficult or impossible for machines to pass
Even with access to CAPTCHA software
From attacker’s perspective, the only unknown is a random number
Desirable to have different CAPTCHAs in case some person cannot pass one type
Blind person could not pass visual test, etc.
Do CAPTCHAs Exist?
Test: find 2 words in the following [image]
Easy for most humans
A (difficult?) OCR problem for a computer (OCR == Optical Character Recognition)
Denial of Service (DoS) Attacks
Classic Denial of Service Attacks
Source Address Spoofing
use forged source addresses: given sufficient privilege to “raw sockets”, easy to create
generate large volumes of packets directed at the target, with different, random, source addresses
cause the same congestion on the attacked link; responses are scattered across the Internet; the real source is much harder to identify
SYN Spoofing
other common attack
attacks the ability of a server to respond to future connection requests, by overflowing the tables used to manage them
hence an attack on a system resource
TCP Connection Handshake
SYN Spoofing Attack
DDoS Control Hierarchy
Firewalls
Firewalls
Firewall must determine what to let in to the internal network and/or what to let out
Access control for the network
[Figure: Internet, firewall, internal network]
Firewall as Secretary
A firewall is like a secretary
To meet with an executive:
  First contact the secretary
  Secretary decides if the meeting is important
  So, the secretary filters out many requests
You want to meet the chair of the CS department? Secretary does some filtering
You want to meet the PotUS? Secretary does lots of filtering
Firewall Terminology
No standard firewall terminology
Types of firewalls:
  Packet filter: works at the network layer
  Stateful packet filter: transport layer
  Application proxy: application layer
Other names often used, e.g. “deep packet inspection”
Types of Firewalls
Packet Filter
Operates at the network layer
Can filter based on…
  Source IP address
  Destination IP address
  Source port
  Destination port
  Flag bits (SYN, ACK, etc.)
  Egress or ingress
Packet Filter
Advantages? Speed
Disadvantages? No concept of state
  Cannot see TCP connections
  Blind to application data
Packet Filter
Configured via Access Control Lists (ACLs)

Action   Source IP   Dest IP   Source Port   Dest Port   Protocol   Flag Bits
Allow    Inside      Outside   Any           80          HTTP       Any
Allow    Outside     Inside    80            > 1023      HTTP       ACK
Deny     All         All       All           All         All        All

Q: Intention?
A: Restrict traffic to Web browsing
TCP ACK Scan
Attacker scans for open ports thru the firewall; port scanning is the first step in many attacks
Attacker sends a packet with the ACK bit set, without a prior 3-way handshake; violates the TCP/IP protocol
ACK packet passes thru the packet filter firewall: appears to be part of an ongoing connection
RST sent by the recipient of such a packet
TCP ACK Scan
Attacker knows port 1209 is open thru the firewall
A stateful packet filter can prevent this, since scans are not part of established connections
[Figure: Trudy sends ACK packets with dest port 1207, 1208 and 1209 through the packet filter into the internal network; an RST comes back for port 1209]
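The ACL from the earlier slide evaluated both ways, as an added example that is not from the slides: a stateless packet filter lets Trudy's ACK probe to port 1209 through (it matches the "Outside to Inside, source port 80, dest port > 1023, ACK" line), while a stateful filter that remembers connections opened from the inside rejects it and still lets a real web server's reply through. Zones, ports and flag sets are constructed; "HTTP" in the ACL is treated as "TCP traffic on port 80", since a packet filter cannot see application data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str       # "Inside" or "Outside"
    dst_zone: str
    src_port: int
    dst_port: int
    flags: frozenset    # TCP flag names, e.g. frozenset({"ACK"})


# The ACL from the slide: (action, source, dest, source port, dest port, protocol, flag bits).
ACL = [
    ("Allow", "Inside",  "Outside", "Any", 80,      "HTTP", "Any"),
    ("Allow", "Outside", "Inside",  80,    ">1023", "HTTP", "ACK"),
    ("Deny",  "All",     "All",     "All", "All",   "All",  "All"),
]


def _port_ok(spec, port):
    if spec in ("Any", "All"):
        return True
    if isinstance(spec, str) and spec.startswith(">"):
        return port > int(spec[1:])
    return port == spec


def _flags_ok(spec, flags):
    return spec in ("Any", "All") or spec in flags


def stateless_filter(pkt):
    """Packet filter: the first matching ACL line decides; no memory of connections."""
    for action, src, dst, sport, dport, _proto, flag in ACL:
        if (src in ("All", pkt.src_zone) and dst in ("All", pkt.dst_zone)
                and _port_ok(sport, pkt.src_port) and _port_ok(dport, pkt.dst_port)
                and _flags_ok(flag, pkt.flags)):
            return action
    return "Deny"


class StatefulFilter:
    """Same ACL, plus a table of connections that were opened from the inside."""

    def __init__(self):
        self.connections = set()    # (inside port, outside port)

    def filter(self, pkt):
        decision = stateless_filter(pkt)
        if decision != "Allow":
            return decision
        if pkt.src_zone == "Inside" and "SYN" in pkt.flags:
            self.connections.add((pkt.src_port, pkt.dst_port))   # handshake started inside
            return "Allow"
        if pkt.src_zone == "Outside":
            # An inbound ACK is only legitimate if it belongs to a connection we saw opened.
            return "Allow" if (pkt.dst_port, pkt.src_port) in self.connections else "Deny"
        return "Allow"


def ack_scan_probe(dst_port):
    """Constructed: what Trudy sends, an ACK with no prior handshake, source port 80."""
    return Packet("Outside", "Inside", 80, dst_port, frozenset({"ACK"}))


def demo():
    probe = ack_scan_probe(1209)
    stateless = stateless_filter(probe)          # "Allow": looks like an ongoing connection
    sf = StatefulFilter()
    blocked = sf.filter(probe)                   # "Deny": no such connection was opened
    # Legitimate browsing: an inside host opens a connection to an outside web server ...
    sf.filter(Packet("Inside", "Outside", 40000, 80, frozenset({"SYN"})))
    # ... and the server's SYN-ACK back to it is allowed because the state matches.
    reply = sf.filter(Packet("Outside", "Inside", 80, 40000, frozenset({"SYN", "ACK"})))
    return stateless, blocked, reply
```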
Stateful Packet Filter
Adds state to packet filter
Operates at transport layer
Remembers TCP connections, flag bits, etc.
Can even remember UDP packets (e.g., DNS requests)
Stateful Packet Filter
Advantages? Can do everything a packet filter can do, plus...
  Keep track of ongoing connections (so prevents TCP ACK scan)
Disadvantages?
  Cannot see application data
  Slower than packet filtering
Application Proxy
A proxy is something that acts on your behalf
Application proxy looks at incoming application data
Verifies that data is safe before letting it in
Application Proxy
Advantages?
  Complete view of connections and application data
  Filter bad data at the application layer (viruses, Word macros)
Disadvantages? Speed
Deep Packet Inspection
Many buzzwords used for firewalls
One example: deep packet inspection
What could this mean?
  Look into packets, but don’t really “process” the packets
  Effect like an application proxy, but faster
Firewalls and Defense in Depth
Typical network security architecture
[Figure: Internet, packet filter, DMZ (FTP server, DNS server, Web server), application proxy, intranet with additional defense]
Intrusion Detection Systems
Intruders
significant issue: hostile/unwanted trespass, from benign to serious
user trespass: unauthorized logon, privilege abuse
software trespass: virus, worm, or trojan horse
classes of intruders: masquerader, misfeasor, clandestine user
Examples of Intrusion
remote root compromise
web server defacement
guessing / cracking passwords
copying / viewing sensitive data / databases
running a packet sniffer
distributing pirated software
using an unsecured modem to access net
impersonating a user to reset password
using an unattended workstation
Security Intrusion & Detection
Security Intrusion: a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
Intrusion Detection: a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.
Intrusion Detection Systems
Intrusion detection approaches: signature-based IDS; anomaly-based IDS
Intrusion detection architectures: host-based IDS; network-based IDS
logical components:
  sensors: collect data
  analyzers: determine if an intrusion has occurred
  user interface: manage / direct / view the IDS
Host-Based IDS
Monitor activities on hosts for: known attacks; suspicious behavior
Designed to detect attacks such as: buffer overflow; escalation of privilege, …
Little or no view of network activities
Distributed Host-Based IDS
Network-Based IDS
Monitor activity on the network for…
  Known attacks
  Suspicious network activity
Designed to detect attacks such as
  Denial of service
  Network probes
  Malformed packets, etc.
Some overlap with firewall
Little or no view of host-based attacks
Can have both host and network IDS
NIDS Sensor Deployment
IDS Principles
assume intruder behavior differs from legitimate users; expect overlap, as shown (figure)
observe deviations from past history
problems of:
  false positives
  false negatives
must compromise
Internet security protocols
Protocol
Human protocols: the rules followed in human interactions. Example: asking a question in class
Networking protocols: rules followed in networked communication systems. Examples: HTTP, FTP, etc.
Security protocol: the (communication) rules followed in a security application. Examples: SSL, IPSec, Kerberos, etc.
Secure Entry to NSA
1. Insert badge into reader
2. Enter PIN
3. Correct PIN? Yes? Enter
No? Get shot by security guard
ATM Machine Protocol
1. Insert ATM card
2. Enter PIN
3. Correct PIN? Yes? Conduct your transaction(s)
No? Machine (eventually) eats card
Identify Friend or Foe (IFF)
(figure) Namibia (K) and Angola; SAAF Impala (K); Russian MiG
1. N (challenge)
2. E(N,K) (response)
MiG in the Middle
(figure) Namibia (K) and Angola; SAAF Impala (K); Russian MiG. The challenge is relayed across the border (1. N, 2. N, 3. N) and the response travels back the same way (4. E(N,K), 5. E(N,K), 6. E(N,K)), so the MiG answers with a response computed by a party that holds K
Authentication protocol
Authentication
Alice must prove her identity to Bob
  Alice and Bob can be humans or computers
May also require Bob to prove he’s Bob (mutual authentication)
Probably need to establish a session key
May have other requirements, such as
  Use public keys
  Use symmetric keys
  Use hash functions
  Anonymity, plausible deniability, etc., etc.
Authentication
Authentication on a stand-alone computer is relatively simple
  Hash password with salt, etc.
  “Secure path,” attacks on authentication software, keystroke logging, etc., are issues
Authentication over a network is challenging
  Attacker can passively observe messages
  Attacker can replay messages
  Active attacks possible (insert, delete, change)
Simple Authentication
Simple and may be OK for standalone system
But insecure for networked system
  Subject to a replay attack (next 2 slides)
  Also, Bob must know Alice’s password
Alice -> Bob: “I’m Alice”
Bob -> Alice: Prove it
Alice -> Bob: My password is “frank”
Authentication Attack
(figure) Trudy listens in on the exchange between Alice and Bob:
Alice -> Bob: “I’m Alice”
Bob -> Alice: Prove it
Alice -> Bob: My password is “frank”
Authentication Attack
This is an example of a replay attack
How can we prevent a replay?
Trudy -> Bob: “I’m Alice”
Bob -> Trudy: Prove it
Trudy -> Bob: My password is “frank”
Better Authentication
Better since it hides Alice’s password
  From both Bob and Trudy
But still subject to replay
Alice -> Bob: “I’m Alice”
Bob -> Alice: Prove it
Alice -> Bob: h(Alice’s password)
Challenge-Response
To prevent replay, use challenge-response
  Goal is to ensure “freshness”
Suppose Bob wants to authenticate Alice
  Challenge sent from Bob to Alice
Challenge is chosen so that
  Replay is not possible
  Only Alice can provide the correct response
  Bob can verify the response
Nonce
To ensure freshness, can employ a nonce
  Nonce == number used once
What to use for nonces?
  That is, what is the challenge?
What should Alice do with the nonce?
  That is, how to compute the response?
How can Bob verify the response?
Should we rely on passwords or keys?
Challenge-Response
Alice -> Bob: “I’m Alice”
Bob -> Alice: Nonce
Alice -> Bob: h(Alice’s password, Nonce)
Nonce is the challenge
The hash is the response
Nonce prevents replay, ensures freshness
Password is something Alice knows
Bob must know Alice’s pwd to verify
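The nonce exchange above, as an added example (not code from the slides): Bob issues a fresh nonce per claimant and consumes it on the first answer, so a recorded response fails both against a new nonce and when replayed without a challenge. h(password, Nonce) is modelled with HMAC-SHA256 keyed by the password; that choice, and the class names, are assumptions.

```python
import hashlib
import hmac
import secrets


def h(password: str, nonce: bytes) -> bytes:
    """The slides' h(Alice's password, Nonce), modelled with HMAC-SHA256 keyed
    by the password (an assumption; any keyed one-way function would do)."""
    return hmac.new(password.encode(), nonce, hashlib.sha256).digest()


class Bob:
    """Verifier. Knows Alice's password (the slides' caveat) and remembers
    which nonce it issued to which claimant, so each nonce is answered once."""

    def __init__(self, passwords: dict[str, str]) -> None:
        self.passwords = passwords
        self.outstanding: dict[str, bytes] = {}  # claimed name -> nonce issued

    def challenge(self, claimed: str) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh and unpredictable
        self.outstanding[claimed] = nonce
        return nonce

    def verify(self, claimed: str, response: bytes) -> bool:
        nonce = self.outstanding.pop(claimed, None)  # consumed on first use
        if nonce is None or claimed not in self.passwords:
            return False
        expected = h(self.passwords[claimed], nonce)
        return hmac.compare_digest(expected, response)  # constant-time compare


class Alice:
    def __init__(self, password: str) -> None:
        self.password = password

    def respond(self, nonce: bytes) -> bytes:
        return h(self.password, nonce)


def demo() -> dict[str, bool]:
    """One honest run, then two replays of the recorded response."""
    bob = Bob({"Alice": "frank"})  # "frank" is the password on the slides
    alice = Alice("frank")
    # Honest exchange: "I'm Alice" -> Nonce -> h(pwd, Nonce)
    response = alice.respond(bob.challenge("Alice"))
    honest = bob.verify("Alice", response)
    # Trudy recorded the response. Replaying it against a new challenge fails
    # because the hash was bound to the old nonce...
    bob.challenge("Alice")
    replay_new_nonce = bob.verify("Alice", response)
    # ...and replaying it with no challenge at all fails because Bob has no
    # outstanding nonce for "Alice" (the earlier one was consumed).
    replay_no_challenge = bob.verify("Alice", response)
    return {"honest": honest, "replay_new_nonce": replay_new_nonce,
            "replay_no_challenge": replay_no_challenge}
```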
Generic Challenge-Response
In practice, how to achieve this?
  Hashed pwd works…
  Encryption is better here (Why?)
Alice -> Bob: “I’m Alice”
Bob -> Alice: Nonce
Alice -> Bob: Something that could only be from Alice (and Bob can verify)
Symmetric Key Notation
Encrypt plaintext P with key K
C = E(P,K)
Decrypt ciphertext C with key K
P = D(C,K)
Here, we are concerned with attacks on protocols, not attacks on crypto
So, we assume the crypto algorithms are secure
Authentication: Symmetric Key
Alice and Bob share symmetric key K
  Key K known only to Alice and Bob
Authenticate by proving knowledge of shared symmetric key
How to accomplish this?
  Must not reveal key, must not allow replay (or other) attack, must be verifiable, …
Authentication with Symmetric Key
Alice, K -> Bob, K: “I’m Alice”
Bob -> Alice: R
Alice -> Bob: E(R,K)
Secure method for Bob to authenticate Alice
Alice does not authenticate Bob
So, can we achieve mutual authentication?
Mutual Authentication?
What’s wrong with this picture?
  “Alice” could be Trudy (or anybody else)!
Alice, K -> Bob, K: “I’m Alice”, R
Bob -> Alice: E(R,K)
Alice -> Bob: E(R,K)
Mutual Authentication
Since we have a secure one-way authentication protocol…
The obvious thing to do is to use the protocol twice
  Once for Bob to authenticate Alice
  Once for Alice to authenticate Bob
This has got to work…
Mutual Authentication
This provides mutual authentication…
…or does it? See the next slide
Alice, K -> Bob, K: “I’m Alice”, RA
Bob -> Alice: RB, E(RA, K)
Alice -> Bob: E(RB, K)
Mutual Authentication Attack
(figure) Trudy runs two sessions with Bob, K:
1. Trudy -> Bob: “I’m Alice”, RA
2. Bob -> Trudy: RB, E(RA, K)
3. Trudy -> Bob: “I’m Alice”, RB
4. Bob -> Trudy: RC, E(RB, K)
Mutual Authentication
Our one-way authentication protocol is not secure for mutual authentication
  Protocols are subtle!
  The “obvious” thing may not be secure
Also, if assumptions or environment change, protocol may not be secure
  This is a common source of security failure
  For example, Internet protocols
Symmetric Key Mutual Authentication
Do these “insignificant” changes help?
  Yes!
Alice, K -> Bob, K: “I’m Alice”, RA
Bob -> Alice: RB, E(“Bob”,RA,K)
Alice -> Bob: E(“Alice”,RB,K)
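The two-session attack on the doubled one-way protocol and the corrected protocol above, as one added example (not code from the slides): the same responder model is run once without and once with the identities inside E(…), and the honest run and the reflected session are checked against each. E(…,K) is modelled with HMAC-SHA256 over length-prefixed fields; that choice and the function names are assumptions.

```python
import hashlib
import hmac
import secrets

def E(K: bytes, *fields: bytes) -> bytes:
    """Stands in for the slides' E(..., K): HMAC-SHA256 over length-prefixed
    fields (an assumption; what matters is that only a holder of K can make it)."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(K, data, hashlib.sha256).digest()

class Bob:
    """Responder. with_names=False is the doubled one-way protocol,
    with_names=True the corrected one with "Bob"/"Alice" inside E."""
    def __init__(self, K: bytes, with_names: bool) -> None:
        self.K, self.with_names = K, with_names
        self.sessions: dict[int, bytes] = {}  # session id -> RB issued

    def msg2(self, ra: bytes) -> tuple[int, bytes, bytes]:
        """On '"I'm Alice", RA' reply with RB and Bob's proof over RA."""
        sid, rb = len(self.sessions) + 1, secrets.token_bytes(16)
        self.sessions[sid] = rb
        proof = E(self.K, b"Bob", ra) if self.with_names else E(self.K, ra)
        return sid, rb, proof

    def accept(self, sid: int, answer: bytes) -> bool:
        """Check the third message against the RB issued in that session."""
        rb = self.sessions.pop(sid)
        want = E(self.K, b"Alice", rb) if self.with_names else E(self.K, rb)
        return hmac.compare_digest(want, answer)

def honest_run(bob: Bob, K: bytes) -> bool:
    """Alice, who holds K, completes the exchange and checks Bob's proof too."""
    ra = secrets.token_bytes(16)
    sid, rb, proof = bob.msg2(ra)
    want = E(K, b"Bob", ra) if bob.with_names else E(K, ra)
    if not hmac.compare_digest(want, proof):
        return False  # Bob failed to authenticate to Alice
    answer = E(K, b"Alice", rb) if bob.with_names else E(K, rb)
    return bob.accept(sid, answer)

def reflection(bob: Bob) -> bool:
    """Trudy, without K, replays the slides' two-session attack: Bob's own
    proof over RB is reflected back. True means Bob wrongly accepted."""
    s1, rb, _ = bob.msg2(secrets.token_bytes(16))  # msgs 1-2: Bob issues RB
    _, _, proof = bob.msg2(rb)                      # msgs 3-4: RB offered as "RA"
    return bob.accept(s1, proof)                    # msg 5: Bob's proof reused

def demo() -> dict[str, bool]:
    K = secrets.token_bytes(32)  # shared key; Trudy never sees it
    return {"naive_honest": honest_run(Bob(K, False), K),
            "naive_reflection": reflection(Bob(K, False)),  # accepted: broken
            "fixed_honest": honest_run(Bob(K, True), K),
            "fixed_reflection": reflection(Bob(K, True))}   # rejected: fixed
```

With the names included, Bob's proof in session 2 is E("Bob", RB, K), which is not the E("Alice", RB, K) that session 1 requires, so the reflected value is rejected.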
Protocols – SSL
Secure Sockets Layer (SSL)
transport layer security service originally developed by Netscape
version 3 designed with public input
subsequently became Internet standard RFC2246: Transport Layer Security (TLS)
use TCP to provide a reliable end-to-end service
may be provided in underlying protocol suite
or embedded in specific packages
What is SSL?
SSL is the protocol used for the majority of secure transactions on the Internet
For example, if you want to buy a book at amazon.com…
  You want to be sure you are dealing with Amazon (authentication)
  Your credit card information must be protected in transit (confidentiality and/or integrity)
  As long as you have money, Amazon doesn’t really care who you are
  So, no need for mutual authentication
SSL Protocol Stack
(figure) layers Physical, Logic, Network, Transport, Application, with the Socket “Layer” between Transport and Application; labelled User / OS / NIC
SSL Record Protocol Services
message integrity using a MAC with shared secret key
  similar to HMAC but with different padding
confidentiality using symmetric encryption with a shared secret key defined by Handshake Protocol
  AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
message is compressed before encryption
Simple SSL-like Protocol
Is Alice sure she’s talking to Bob?
Is Bob sure he’s talking to Alice?
Alice -> Bob: I’d like to talk to you securely
Bob -> Alice: Here’s my certificate
Alice -> Bob: {K}Bob
Alice <-> Bob: protected HTTP
SSL Authentication
Alice authenticates Bob, not vice-versa
  How does client authenticate server?
  Why would server not authenticate client?
Mutual authentication is possible: Bob sends certificate request in message 2
  Then client must have a valid certificate
If server wants to authenticate client, server could instead require password
Protocols – IPsec
IP Security
various application security mechanisms, e.g. S/MIME, PGP, Kerberos, SSL/HTTPS
security concerns cross protocol layers
hence would like security implemented by the network for all applications
authentication & encryption security features included in next-generation IPv6
also usable in existing IPv4
SSL vs IPSec
IPSec
  Lives at the network layer (part of the OS)
  Encryption, integrity, authentication, etc.
  Is overly complex (some security issues)
SSL (and IEEE standard known as TLS)
  Lives at socket layer (part of user space)
  Encryption, integrity, authentication, etc.
  Relatively simple and elegant specification
SSL vs IPSec
IPSec: OS must be aware, but not apps
SSL: Apps must be aware, but not OS
SSL built into Web early-on (Netscape)
IPSec often used in VPNs (secure tunnel)
Reluctance to retrofit applications for SSL
IPSec not widely deployed (complexity, etc.)
The bottom line…
Internet less secure than it should be!
IPsec and SSL
IPsec lives at the network layer
IPsec is transparent to applications
(figure) layers Physical, Logic, Network, Transport, Application; SSL sits with the application, IPsec with the network layer; labelled User / OS / NIC
IPSec
general IP Security mechanisms
provides
  authentication
  confidentiality
  key management
applicable to use over LANs, across public & private WANs, & for the Internet
IPSec Uses
Two protocols
Authentication Header (AH) protocol
  provides source authentication & data integrity but not confidentiality
Encapsulation Security Protocol (ESP)
  provides source authentication, data integrity, and confidentiality
  more widely used than AH
Comparison of IPsec Modes
Transport Mode: IP header | data becomes IP header | ESP/AH | data
  o Host-to-host
Tunnel Mode: IP header | data becomes new IP hdr | ESP/AH | IP header | data
  o Firewall-to-firewall
Transport Mode not necessary…
  …but it’s more efficient
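The two layouts above, as an added example (not code from the slides): a Python model that builds a minimal IPv4 header and an ESP header/trailer around a segment in both modes, then shows what an on-path router can read from the outer header and the extra bytes tunnel mode costs. Encryption and the integrity check value are omitted, so only the structure is modelled; the addresses and payload are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

ESP, TCP, IPV4 = 50, 6, 4  # IP protocol numbers: ESP, TCP, IP-in-IP


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options; checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def esp_wrap(inner: bytes, next_header: int, spi: int, seq: int) -> bytes:
    """ESP header (SPI, sequence) + payload + trailer (padding, pad length,
    next header). Encryption and the ICV are omitted: this is the layout the
    slides draw, not the cryptography."""
    pad = (-(len(inner) + 2)) % 4  # trailer must end on a 4-byte boundary
    return (struct.pack("!II", spi, seq) + inner
            + bytes(range(1, pad + 1)) + bytes([pad, next_header]))


def transport_mode(src: str, dst: str, segment: bytes) -> bytes:
    """Host-to-host: IP header | ESP | data. The original header is kept."""
    esp = esp_wrap(segment, TCP, spi=0x1001, seq=1)
    return ipv4_header(src, dst, ESP, len(esp)) + esp


def tunnel_mode(gw_src: str, gw_dst: str, src: str, dst: str, segment: bytes) -> bytes:
    """Firewall-to-firewall: new IP hdr | ESP | IP header | data. The whole
    original datagram, inner addresses included, becomes the ESP payload."""
    inner = ipv4_header(src, dst, TCP, len(segment)) + segment
    esp = esp_wrap(inner, IPV4, spi=0x2002, seq=1)
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp


def on_path_view(packet: bytes) -> dict:
    """What a router between the endpoints can read: the outer header only."""
    return {"src": str(IPv4Address(packet[12:16])),
            "dst": str(IPv4Address(packet[16:20])),
            "proto": packet[9],
            "spi": struct.unpack("!I", packet[20:24])[0]}


def next_header(packet: bytes) -> int:
    """Last byte of the ESP trailer: TCP in transport mode, IP-in-IP in tunnel
    mode. In a real SA this byte is encrypted and only the peer sees it."""
    return packet[-1]


# Constructed sample: hosts 10.0.0.5 and 10.0.1.7 behind gateways 203.0.113.1
# and 198.51.100.1 (documentation address ranges), carrying a 12-byte segment.
SEGMENT = b"tcp-payload!"
TRANSPORT = transport_mode("10.0.0.5", "10.0.1.7", SEGMENT)
TUNNEL = tunnel_mode("203.0.113.1", "198.51.100.1", "10.0.0.5", "10.0.1.7", SEGMENT)
```

In tunnel mode the router sees only the two gateways as endpoints, and the packet is exactly one inner IP header (20 bytes) longer than the transport-mode packet, which is the efficiency difference the slide refers to.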
IPsec Transport mode
IPsec datagram emitted and received by end-system.
Protects upper level protocols
(figure) the whole path between the end-systems is IPsec secured
IPsec Tunnel mode
End routers are IPsec aware. Hosts need not be
(figure) plain IP between each host and its router; IPsec secured between the routers
Benefits of IPsec
in a firewall/router provides strong security to all traffic crossing the perimeter
in a firewall/router is resistant to bypass
is below transport layer, hence transparent to applications
can be transparent to end users
can provide security for individual users
secures routing architecture
Protocols – VPNs
What are VPNs?
Provide a private network service using a shared (non-private) infrastructure
(figure) private network site 1 and private network site 2 interconnected across a shared infrastructure (e.g. Internet)
Types of VPNs
(figure) headquarters, branch, home user, mobile user and partner connected over a shared infrastructure (e.g. Internet)
VPN Types
Site-to-site: connectivity between sites
  Intranet VPNs: sites of a single organization
  Extranet VPNs: sites of different organizations (business partners)
Remote access: mobile or home based users access the organization
Provisioned by:
  Provider: a network provider offers the interconnection service
  User: the organization deploys/administers the VPN infrastructure
Technologies for site to site
IPsec: encryption/authentication
GRE – Generic Routing Encapsulation: limited/no encryption/authentication
IP-in-IP: no encryption/authentication
(figure) headquarters to branch
Technologies for Remote access
IPsec
SSL/TLS: clientless VPNs
PPTP – Point-to-Point Tunnelling Protocol: encryption/authentication
L2TP – Layer two Tunnelling Protocol: limited/no encryption/authentication
(figure) headquarters to mobile user
Protocols – S/MIME
S/MIME (Secure/Multipurpose Internet Mail Extensions)
security enhancement to MIME email
  original Internet RFC822 email was text only
  MIME provided support for varying content types and multi-part messages, with encoding of binary data to textual form
  S/MIME added security enhancements
have S/MIME support in many mail agents, e.g. MS Outlook, Mozilla, Mac Mail etc.
S/MIME Functions
enveloped data: encrypted content and associated keys
signed data: encoded message + signed digest
clear-signed data: cleartext message + encoded signed digest
signed & enveloped data: nesting of signed & encrypted entities
S/MIME Process
Other subjects
Phishing/Scams
Fake email tries to lure victim to website
Website tries to steal details of credit cards, authentication to website
Usually website mimics a real website
Test your might (phishing quizzes):
  From VeriSign
  From SonicWall
  From PayPal
Examples of fraud from CGD
Malware
Virus
  Encrypted, polymorphic, metamorphic malware
Trojan
Worms
Botnets
Botnets
Picture from Microsoft press
Injections
SQL Injections
XSS – Cross-site scripting
CSRF – Cross-Site Request Forgery
Identity management
Shibboleth
Windows CardSpace
OpenID
Medical Device attacks
Image from mymethodist.net
See http://www.secure-medicine.org/
The end
Acronyms
ARP – Address Resolution Protocol
AH – Authentication Header (IPsec)
CAPTCHA – Completely Automated Public Turing test to tell Computers and Humans Apart
CIDR – Classless Inter Domain Routing
DHCP – Dynamic Host Configuration Protocol
DMZ – De Militarized Zone
DoS – Denial of Service
DDoS – Distributed DoS
ESP – Encapsulation Security Protocol (IPsec)
GRE – Generic Routing Encapsulation
IDS – Intrusion Detection Systems
Acronyms
IPsec – Internet Protocol security
L2TP – Layer two tunnelling protocol
MLS – MultiLevel Security
Nonce – Number used Once
OCR – Optical Character Recognition
PPTP – Point-to-Point Tunneling Protocol
PotUS – President of the US
SSO – Single Sign On
S/MIME – Secure/Multipurpose Internet Mail Extensions
VPN – Virtual Private Network
Recommended