1 / 29

Computer Security: Principles and Practice

Computer Security: Principles and Practice. Chapter 21 – Internet Security Protocols and Standards. First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown. Objectives. The student should be able to Define VPN .

gale
Download Presentation

Computer Security: Principles and Practice

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Computer Security: Principles and Practice Chapter 21 – Internet Security Protocols and Standards First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown

  2. Objectives The student should be able to Define VPN. Describe the advantages of link versus end-to-end encryption. Define the protection provided by SSL/TLS, IPsec. Show where the following protocols exist in the protocol stack, and describe which applications they can be used with: SSL/TLS, IPSec, S-MIME. Show a diagram of what happens to a packet during Tunnel versus Transport mode in IPSEC.

  3. Internet Security Protocols and Standards • Secure Sockets Layer (SSL) / Transport Layer Security (TLS) • IPv4 and IPv6 Security • S/MIME (Secure/Multipurpose Internet Mail Extension)

  4. VPNs Virtual Private Network (VPN): A means of carrying private traffic over a public network Uses link encryption to give users sense that they are operating on a private network when they are actually transmitting over a public network Communications pass through an encrypted tunnel Intranet VPN: Connects two or more private networks within the same company Extranet VPN: Connects two or more private networks between different companies E.g., B2B or business-to-business communication. Remote Access VPN: A roaming user has access to a private network via wireless, hotel room, etc.

  5. End-to-End Encryption Link Encryption Encryption Types Source Destination Router

  6. Importance of Encryption Location: MAC A P L I C A P L I C TCP TCP IP IP IP LLC MAC LLC MAC LLC MAC LLC MAC Physical Physical Physical Physical Wireless Wired

  7. Importance of Encryption Location: IP A P L I C A P L I C VPN Router/Firewall may unencrypt TCP TCP IPSEC/ IP IPSEC/ IP IP LLC MAC LLC MAC LLC MAC LLC MAC Physical Physical Physical Physical

  8. Importance of Encryption Location: App. HTTPS HTTPS HTTP HTTP A P L I C A P L I C TCP TCP IP IP IP LLC MAC LLC MAC LLC MAC LLC MAC Physical Physical Physical Physical

  9. Link versus End-to-EndEncryption

  10. Encryption Protocols VPN HTTPS

  11. Secure Sockets Layer (SSL) • transport layer security service • originally developed by Netscape • version 3 designed with public input • subsequently became Internet standard RFC2246: Transport Layer Security (TLS) • use TCP to provide a reliable end-to-end service • may be provided in underlying protocol suite • or embedded in specific packages • SSL + HTTP used together = HTTPS

  12. SSL Record Protocol Services • message integrity • using a MAC with shared secret key • similar to HMAC but with different padding • confidentiality • using symmetric encryption with a shared secret key defined by Handshake Protocol • AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128 • message is compressed before encryption

  13. SSL Record Protocol Operation

  14. SSL Handshake ProtocolFirst 3 phases: Handshake ProtocolPhase 4: Change Cipher Spec

  15. Public Key Infrastructure (PKI) 7. Tom confirms Sue’s DS 5. Tom requests Sue’s DC  6. CA sends Sue’s DC  Tom Digital Certificate User: Sue Public Key: 2456 4. Sue sends Tom message signed with Digital Signature Certificate Authority (CA) 3. Send approved Digital Certificates 1. Sue registers with CA through RA 2. Registration Authority (RA) verifies owners Sue Register(Owner, Public Key)

  16. IPSec • general IP Security mechanisms • provides • authentication • confidentiality • key management • applicable to use over LANs, across public & private WANs, & for the Internet

  17. IPSec Uses

  18. Encrypted: Transport Mode: End-to-End Encryption Host D Host A Internet Gtwy C Gtwy B IP=D | ESP | Data IP=D | ESP | Data IP=D | ESP | Data Host D Host A Internet Gtwy C Gtwy B IP=D | Data IP=D | Data IP=C | ESP | IP=D | Data Tunnel Mode: Encryption between two gateways: Virtual Private Network (A form of link encryption) Tunnel vs. Transport Mode

  19. Benefits of IPSec • in a firewall/router provides strong security to all traffic crossing the perimeter • in a firewall/router is resistant to bypass • is below transport layer, hence transparent to applications • can be transparent to end users • can provide security for individual users • secures routing architecture

  20. IP Security Architecture • mandatory in IPv6, optional in IPv4 • have two security header extensions: • Authentication Header (AH) • Encapsulating Security Payload (ESP) • Key Exchange function • VPNs want both authentication/encryption • hence usually use ESP • specification is quite complex • numerous RFC’s 2401/2402/2406/2408

  21. Two Modes (From Network Security Essentials 2nd Ed., W. Stallings, Prentice Hall)

  22. Authentication Header (AH) • provides support for data integrity & authentication of IP packets • end system/router can authenticate user/app • prevents address spoofing attacks by tracking sequence numbers • based on use of a MAC • HMAC-MD5-96 or HMAC-SHA-1-96 • parties must share a secret key

  23. Authentication Header SPI = Security Association # Authentication Data = Message Authentication Code

  24. Encapsulating Security Payload (ESP)

  25. S/MIME (Secure/Multipurpose Internet Mail Extensions) • security enhancement to MIME email • original Internet RFC822 email was text only • MIME provided support for varying content types and multi-part messages • with encoding of binary data to textual form • S/MIME added security enhancements • have S/MIME support in many mail agents • eg MS Outlook, Mozilla, Mac Mail etc

  26. S/MIME Process

  27. S/MIME Cryptographic Algorithms • digital signatures: DSS & RSA • hash functions: SHA-1 & MD5 • session key encryption: ElGamal & RSA • message encryption: AES, 3DES, etc • MAC: HMAC with SHA-1 • must map binary values to printable ASCII • use radix-64 or base64 mapping

  28. S/MIME Public Key Certificates • S/MIME has effective encryption and signature services • but also need to manage public-keys • S/MIME uses X.509 v3 certificates • each client has a list of trusted CA’s certs • and own public/private key pairs & certs • certificates must be signed by trusted CA’s

  29. Summary • Secure Sockets Layer (SSL) / Transport Layer Security (TLS) • IPsec: IPv4 and IPv6 Security • S/MIME (Secure/Multipurpose Internet Mail Extension)

More Related