View
216
Download
1
Tags:
Embed Size (px)
Citation preview
Computer and Computer and Network SecurityNetwork Security
Risanuri Hidayat, Ir., M.Sc.Risanuri Hidayat, Ir., M.Sc.
Chapter 7Chapter 7Outline7.1 Introduction7.2 Ancient Ciphers to Modern Cryptosystems7.3 Secret-key Cryptography7.4 Public Key Cryptography7.5 Key Agreement Protocols7.6 Key Management7.7 Digital Signatures7.8 Public Key Infrastructure, Certificates and Certification Authoritities7.9 Cryptoanalysis7.10 Security Protocols
7.10.1 Secure Sockets Layer (SSL)7.10.2 Secure Electronic Transaction™ (SET™)
7.11 Security Attacks7.12 Network Security
7.12.1 Firewalls7.12.2 Kerberos7.12.3 Biometrics
7.13 Steganography
7.1 Introduction7.1 Introduction
Internet securityInternet security Consumers entering highly confidential informationConsumers entering highly confidential information Number of security attacks increasingNumber of security attacks increasing Four requirements of a secure transactionFour requirements of a secure transaction
Privacy Privacy – information not read by third party– information not read by third party
Integrity Integrity – information not compromised or altered– information not compromised or altered
Authentication Authentication – sender and receiver prove identities– sender and receiver prove identities
Non-repudiation Non-repudiation – legally prove message was sent and – legally prove message was sent and receivedreceived
AvailabilityAvailabilityComputer systems continually accessibleComputer systems continually accessible
7.2 Ancient Ciphers to Modern 7.2 Ancient Ciphers to Modern CryptosystemsCryptosystems
CryptographyCryptography Used to secure information, by encrypting itUsed to secure information, by encrypting it Transforms data by using a keyTransforms data by using a key
Key is a string of digits that acts as a password and makes the data Key is a string of digits that acts as a password and makes the data incomprehensible to those without itincomprehensible to those without it
Plaintext Plaintext – unencrypted data– unencrypted data Cipher-text – encrypted dataCipher-text – encrypted data Cipher of cryptosystem Cipher of cryptosystem – technique for encrypting messages– technique for encrypting messages
CiphersCiphers Substitution cipherSubstitution cipher
Every occurrence of a given letter is replaced by a different letterEvery occurrence of a given letter is replaced by a different letter
7.2 Ancient Ciphers to Modern 7.2 Ancient Ciphers to Modern CryptosystemsCryptosystems
Transposition cipherTransposition cipherShifts the ordering of lettersShifts the ordering of letters
Modern cryptosystemsModern cryptosystemsDigital, based on bits not the alphabetDigital, based on bits not the alphabet
Key length Key length – length of string used to encrypt and – length of string used to encrypt and decryptdecrypt
7.3 Secret-key Cryptography7.3 Secret-key Cryptography
Secret-key cryptographySecret-key cryptography Same key to encrypt and decrypt messageSame key to encrypt and decrypt message Sender sends message and key to receiverSender sends message and key to receiver
Problems with secret-key cryptographyProblems with secret-key cryptography Key must be transmitted to receiverKey must be transmitted to receiver Different key for every receiverDifferent key for every receiver Key distribution centers used to reduce these problemsKey distribution centers used to reduce these problems
Generates session key and sends it to sender and receiver Generates session key and sends it to sender and receiver encrypted with the unique keyencrypted with the unique key
Encryption algorithmsEncryption algorithms Dunn Encryption Standard (DES), Triple DES, Advanced Dunn Encryption Standard (DES), Triple DES, Advanced
Encryption Standard (AES)Encryption Standard (AES)
7.3 Secret-key Cryptography7.3 Secret-key Cryptography
Encrypting and decrypting a message Encrypting and decrypting a message using a symmetric keyusing a symmetric key
7.3 Secret-key Cryptography7.3 Secret-key Cryptography
Distributing a session key with a key Distributing a session key with a key distribution centerdistribution center
7.4 Public Key Cryptography7.4 Public Key Cryptography
Public key cryptographyPublic key cryptography Asymmetric Asymmetric – two inversely related keys– two inversely related keys
Private keyPrivate key
Public keyPublic key If public key encrypts only private can decrypt and vice If public key encrypts only private can decrypt and vice
versaversa Each party has both a public and a private keyEach party has both a public and a private key Either the public key or the private key can be used to Either the public key or the private key can be used to
encrypt a messageencrypt a message Encrypted with public key and private keyEncrypted with public key and private key
Proves identity while maintaining securityProves identity while maintaining security
RSA public key algorithm RSA public key algorithm www.rsasecurity.comwww.rsasecurity.com
7.4 Public Key Cryptography7.4 Public Key Cryptography
Encrypting and decrypting a message Encrypting and decrypting a message using public-key cryptographyusing public-key cryptography
7.4 Public Key Cryptography7.4 Public Key Cryptography
Authentication with a public-key algorithmAuthentication with a public-key algorithm
7.5 Key Agreement Protocols7.5 Key Agreement Protocols
Key agreement protocolKey agreement protocol Process by which parties can exchange keysProcess by which parties can exchange keys Use public-key cryptography to transmit Use public-key cryptography to transmit
symmetric keyssymmetric keys
Digital envelopeDigital envelope Encrypted message using symmetric keyEncrypted message using symmetric key Symmetric key encrypted with the public keySymmetric key encrypted with the public key Digital signatureDigital signature
7.5 Key Agreement Protocols7.5 Key Agreement Protocols
Creating a digital envelopeCreating a digital envelope
7.6 Key Management7.6 Key Management
Key managementKey management Handling and security of private keysHandling and security of private keys Key-generation is the process by which keys Key-generation is the process by which keys
are createdare createdMust be truly randomMust be truly random
7.7 Digital Signatures7.7 Digital Signatures
Digital signatureDigital signature Authenticates sender’s identityAuthenticates sender’s identity Run plaintext through hash functionRun plaintext through hash function
Gives message a mathematical value called hash valueGives message a mathematical value called hash value
Hash value also known as message digestHash value also known as message digest Collision occurs when multiple messages have same hash valueCollision occurs when multiple messages have same hash value Encrypt message digest with private-keyEncrypt message digest with private-key Send signature, encrypted message (with public-key) and hash Send signature, encrypted message (with public-key) and hash
functionfunction
TimestampingTimestamping Binds a time and date to message, solves non-repudiationBinds a time and date to message, solves non-repudiation Third party, timestamping agency, timestamps messagsThird party, timestamping agency, timestamps messags
7.8 Public Key Infrastructure, 7.8 Public Key Infrastructure, Certificates and Certification Certificates and Certification
AuthoritiesAuthoritiesPublic Key Infrastructure (PKI)Public Key Infrastructure (PKI) Integrates public key cryptography with digital Integrates public key cryptography with digital
certificates and certification authoritiescertificates and certification authorities Digital certificateDigital certificate
Digital document issued by certification authorityDigital document issued by certification authority
Includes name of subject, subject’s public key, serial Includes name of subject, subject’s public key, serial number, expiration date and signature of trusted third number, expiration date and signature of trusted third partyparty
Verisign (Verisign (www.verisign.comwww.verisign.com))Leading certificate authorityLeading certificate authority
Periodically changing key pairs helps securityPeriodically changing key pairs helps security
7.9 Cryptoanalysis7.9 Cryptoanalysis
CrpytoanalysisCrpytoanalysis Trying to decrypt ciphertext without Trying to decrypt ciphertext without
knowledge of the decryption keyknowledge of the decryption key Try to determine the key from ciphertextTry to determine the key from ciphertext
7.10 Security Protocols7.10 Security Protocols
Transaction security protocolsTransaction security protocols Secure Sockets Layer (SSL)Secure Sockets Layer (SSL) Secure Electronic TransactionSecure Electronic Transaction™™ (SET (SET™)™)
7.10.1 Secure Sockets layer 7.10.1 Secure Sockets layer (SSL)(SSL)
SSLSSL Uses public-key technology and digital Uses public-key technology and digital
certificates to authenticate the server in a certificates to authenticate the server in a transactiontransaction
Protects information as it travels over InternetProtects information as it travels over InternetDoes not protect once stored on receivers serverDoes not protect once stored on receivers server
Peripheral component interconnect (PCI) Peripheral component interconnect (PCI) cardscards
Installed on servers to secure data for an SSL Installed on servers to secure data for an SSL transactiontransaction
7.10.2 Secure Electronic7.10.2 Secure ElectronicTransaction™ (SET™)Transaction™ (SET™)
SET protocolSET protocol Designed to protect e-commerce paymentsDesigned to protect e-commerce payments Certifies customer, merchant and merchant’s bankCertifies customer, merchant and merchant’s bank RequirementsRequirements
Merchants must have a digital certificate and SET softwareMerchants must have a digital certificate and SET softwareCustomers must have a digital certificate and digital walletCustomers must have a digital certificate and digital wallet
Digital walletDigital walletStores credit card information and identificationStores credit card information and identification
Merchant never sees the customer’s personal informationMerchant never sees the customer’s personal informationSent straight to banksSent straight to banks
Microsoft AuthenticodeMicrosoft Authenticode Authenticates file downloadsAuthenticates file downloads Informs users of the download’s authorInforms users of the download’s author
7.11 Security Attacks7.11 Security Attacks
Types of security attacksTypes of security attacks Denial of service attacksDenial of service attacks
Use a network of computers to overload servers and cause them Use a network of computers to overload servers and cause them to crash or become unavailable to legitimate usersto crash or become unavailable to legitimate users
Flood servers with data packetsFlood servers with data packets
Alter routing tables which direct data from one computer to anotherAlter routing tables which direct data from one computer to another
Distributed denial of service attack comes from multiple computersDistributed denial of service attack comes from multiple computers VirusesViruses
Computer programs that corrupt or delete filesComputer programs that corrupt or delete files
Sent as attachments or embedded in other filesSent as attachments or embedded in other files WormWorm
Can spread itself over a network, doesn’t need to be sentCan spread itself over a network, doesn’t need to be sent
7.11 Security Attacks7.11 Security Attacks
Types of virusesTypes of viruses Transient virusTransient virus
Attaches itself to specific programAttaches itself to specific program
Is run every time the program is runIs run every time the program is run Resident virusResident virus
Once loaded operates for duration of computer’s useOnce loaded operates for duration of computer’s use Logic bombLogic bomb
Triggers when a given condition is met, such as clock on computer Triggers when a given condition is met, such as clock on computer matching a specified timematching a specified time
Trojan horseTrojan horseMalicious program that hides within a friendly programMalicious program that hides within a friendly program
Web defacingWeb defacing Hackers illegally change the content of a Web siteHackers illegally change the content of a Web site
7.11 Security Attacks7.11 Security Attacks
Anti-virus softwareAnti-virus software Reactive Reactive – – goes after already known virusesgoes after already known viruses www.mcafee.comwww.mcafee.com
VirusScan scans to search computer for virusesVirusScan scans to search computer for viruses
ActiveShield checks all downloadsActiveShield checks all downloads www.symantec.comwww.symantec.com
Another virus software distributorAnother virus software distributor
Computer Emergency Response Team (CERTComputer Emergency Response Team (CERT®®)) Responds to reports of viruses and denial of service attacksResponds to reports of viruses and denial of service attacks Provides CERT Security Improvement ModulesProvides CERT Security Improvement Modules www.cert.orgwww.cert.org
7.12 Network Security7.12 Network Security
Network securityNetwork security Allow authorized users accessAllow authorized users access Prevent unauthorized users from obtaining Prevent unauthorized users from obtaining
accessaccess Trade-off between security and performanceTrade-off between security and performance
7.12.1 Firewalls7.12.1 Firewalls
FirewallFirewall Protects local area network (LAN) from outside intrudersProtects local area network (LAN) from outside intruders Safey barrier for data flowing in and outSafey barrier for data flowing in and out Prohibit all data not allowed or permit all data not Prohibit all data not allowed or permit all data not
prohibitedprohibited
Types of firewallsTypes of firewalls Packet-filtering firewallsPacket-filtering firewalls
Rejects all data with local addresses from outsideRejects all data with local addresses from outside
Examine only source not contentExamine only source not content Application level firewallsApplication level firewalls
Attempt to scan dataAttempt to scan data
7.12.2 Kerberos7.12.2 Kerberos
KerberosKerberos Uses symmetric secret-key cryptography to Uses symmetric secret-key cryptography to
authenticate users in a networkauthenticate users in a network Authenticates who a client computer is and if Authenticates who a client computer is and if
he has the right’s to access specific parts of he has the right’s to access specific parts of the networkthe network
7.12.3 Biometrics7.12.3 Biometrics
BiometricsBiometrics Uses unique personal information to identifyUses unique personal information to identify
Examples are fingerprints, eyeball iris scans or Examples are fingerprints, eyeball iris scans or face scansface scans
7.13 Steganorgraphy7.13 Steganorgraphy
SteganographySteganography Practice of hiding information within other Practice of hiding information within other
informationinformation
Digital watermarksDigital watermarks Hidden within documents and can be shown Hidden within documents and can be shown
to prove ownershipto prove ownership
7.13 Steganorgraphy7.13 Steganorgraphy
Example of a conventional watermarkExample of a conventional watermark
Courtesy of Blue Spike, Inc.
7.13 Steganorgraphy7.13 Steganorgraphy
An example of steganography: Blue An example of steganography: Blue Spike’s Giovanni digital watermarking Spike’s Giovanni digital watermarking processprocess
Courtesy of Blue Spike, Inc.