1 week 1: introduction & symmetric cryptographic
Post on 21-Dec-2015
TRANSCRIPT
1
Week 1: Introduction & Symmetric Cryptographic
2
Technology and applications play a big role in community services and security aspects
3
First, let us look at the evolution of communications
Extracted from : Next Generation Home Networks: Driving a New Society?
Consumer Market
4
80-90s: A New World Called Internet
• The start of the Internet for masses using dial-up:
  – Phone line is shared between the PC and the phone
  – Emergence of the ISP concept with AOL, …
• New concept:
  – Content available to everybody
• First Internet boom:
  – “New economy concept”
Modem, phone line: 28 – 56 kbps
5
2000 – 2003: The Beginning of the Always-On Concept
• Emergence of the ADSL technology:
  – Higher bandwidth than dial-up: typically 64k to 384 kbps
  – “Always on” concept; i.e., no busy signal
• Device per service
  – One phone
  – One PC
ADSL: 64 – 384 kbps
6
2003 – 2005: Emergence of Basic Home Networks and Triple Play Services
• Emergence of the new DSL and xPON technologies:
  – Higher bandwidth than ADSL: typically 20 Mbps per home
• First signs of home networks with the digitalization of the home:
  – Digital camera, camcorder, PlayStation, DVD, iPod…
xDSL: 20+ Mbps
7
2005 – 2015: The Digital Connected Home
• Many multi-service devices in the home:
  – All using IP as a foundation
• Virtualization of content:
  – Access content anywhere/anytime, whether it is home-based (personal) or network-based (public)
• Communications and entertainment
8
Example of Network Infrastructure
[Figure labels: Residential Gateway (RG), Broadband Termination Unit (BTU)]
9
Example of Network Infrastructure
10
Applications over Network
11
Services
[Figure: DATA (D), VOICE (V) and IMAGE (I), with the combinations DI, IV, DV and DIV]
12
Services
13
What are we facing?
14
Unwanted visitors
• Safeguarding assets is the responsibility of users
• Threat agent may also place value on the asset
• Such vulnerability may be exploited by threat agent
• Countermeasures are imposed to reduce vulnerability
[Diagram labels: Countermeasures, User, Threat Agents, Vulnerabilities, Assets]
15
Multiple Attack
[Diagram labels: Countermeasures, User, Threat Agents, Assets, Vulnerabilities]
16
Objectives
Outdoor, Office, Home
Security Policy Level
17
Security mechanisms are embedded in technology.
Security use in daily basis.
18
Security use in daily basis 1 - biometric
19
Security use in daily basis 2 - Business
20
Security use in daily basis 3 – Voice Communication
21
Security use in daily basis 4 – Integration Operation
22
Security use in daily basis 5 – Operating System
23
Security use in daily basis 6 – WEB
24
Let me walk you through the OSI layers and the Internet layers
25
Seven-Layer OSI Model
Layer – Data unit – Function
Host layers:
• Application – Data – Network process to application
• Presentation – Data – Data representation and encryption
• Session – Data – Interhost communication
• Transport – Segments – End-to-end communications and reliability (TCP)
Media layers:
• Network – Packets – Path determination and logical addressing (IP)
• Data Link – Frames – Physical addressing (MAC & LLC)
• Physical – Bits – Media, signal and binary transmission
26
Five-Layer TCP/IP Model
Application: DHCP • DNS • FTP • Gopher • HTTP • IMAP4 • IRC • NNTP • XMPP • MIME • POP3 • SIP • SMTP • SNMP • SSH • TELNET • RPC • RTP • RTCP • TLS/SSL • SDP • SOAP • VPN • PPTP • L2TP • GTP
Transport: TCP • UDP • DCCP • SCTP
Internet: IP (IPv4 • IPv6) • IGMP • ICMP • RSVP • BGP • RIP • OSPF • ISIS • IPsec • ARP • RARP
Data Link: 802.11 • ATM • DTM • Ethernet • FDDI • Frame Relay • GPRS • EVDO • HSPA • HDLC • PPP
Physical: Ethernet physical layer • ISDN • Modems • PLC • SONET/SDH • G.709 • Wireless
27
Hexadecimal Dump of the Packet
 0: 00e0 f726 3fe9 0800 2086 354b 0800 4500 ..÷&?... .5K..E.
16: 0028 08b9 4000 ff06 999a 8b85 d96e 8b85 .(..@........n..
32: e902 9005 0017 7214 f115 9431 1028 5010 ......r....1.(P.
48: 2238 1c80 0000                          "8....
28
Packet Decode
ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 5 arrived at 17:37:23.94
ETHER: Packet size = 54 bytes
ETHER: Destination = 0:e0:f7:26:3f:e9, CISCO Router
ETHER: Source = 8:0:20:86:35:4b, Sun
ETHER: Ethertype = 0800 (IP)
ETHER:
29
Packet Decode
IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00 (normal)
IP: Total length = 40 bytes
IP: Identification = 2233
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = 999a
IP: Source address = 139.133.217.110, client
IP: Destination address = 139.133.233.2, server.abdn.ac.uk
IP: No options
IP:
30
Packet Decode
TCP: ----- TCP Header -----
TCP:
TCP: Source port = 36869
TCP: Destination port = 23 (TELNET)
TCP: Sequence number = 1913975061
TCP: Acknowledgement number = 2486243368
TCP: Data offset = 20 bytes
TCP: Flags = 0x10
TCP: ..0. .... = No urgent pointer
TCP: ...1 .... = Acknowledgement
TCP: .... 0... = No push
TCP: .... .0.. = No reset
TCP: .... ..0. = No Syn
TCP: .... ...0 = No Fin
TCP: Window = 8760
TCP: Checksum = 0x1c80
TCP: Urgent pointer = 0
TCP: No options
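The decode on the three slides above can be reproduced directly from the hex dump. The following Python is an added example, not part of the original slides; the function and key names are illustrative. It parses the Ethernet, IPv4 and TCP headers of the 54-byte frame and verifies the IP header checksum (999a).

```python
import struct

# Hex column of the slide's dump: one 54-byte Ethernet frame.
HEX_DUMP = """
00e0 f726 3fe9 0800 2086 354b 0800 4500
0028 08b9 4000 ff06 999a 8b85 d96e 8b85
e902 9005 0017 7214 f115 9431 1028 5010
2238 1c80 0000
"""
FRAME = bytes.fromhex("".join(HEX_DUMP.split()))
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 upwards


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 for a header whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode(frame: bytes) -> dict:
    """Decode Ethernet II / IPv4 / TCP headers, rejecting truncated input."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"eth": {"dst": mac(dst), "src": mac(src), "type": ethertype}}
    if ethertype != 0x0800:  # only IPv4 is decoded further
        return out
    if len(frame) < 34 or frame[14] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (frame[14] & 0x0F) * 4  # header length in bytes
    if ihl < 20 or len(frame) < 14 + ihl:
        raise ValueError("bad IPv4 header length")
    ip = frame[14:14 + ihl]
    _, _tos, total_len, ident, frag, ttl, proto, csum, s, d = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    out["ip"] = {
        "total_len": total_len, "id": ident, "ttl": ttl, "proto": proto,
        "dont_fragment": bool(frag & 0x4000), "checksum": csum,
        "checksum_ok": inet_checksum(ip) == 0,
        "src": ".".join(map(str, s)), "dst": ".".join(map(str, d)),
    }
    seg = frame[14 + ihl:14 + total_len]  # total length bounds the segment
    if proto != 6 or len(seg) < 20:
        return out
    sport, dport, seq, ack, off_flags, win, tcsum, urg = struct.unpack(
        "!HHIIHHHH", seg[:20])
    out["tcp"] = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
        "checksum": tcsum, "urgent": urg,
        "flags": [n for i, n in enumerate(TCP_FLAGS) if off_flags >> i & 1],
        "payload": seg[(off_flags >> 12) * 4:],  # data offset is in 32-bit words
    }
    return out
```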
31
Five Layers TCP/IP Model
TCP/IP Fundamentals
Connection-oriented and connectionless services
The TCP/IP layers
Differences between OSI and TCP/IP models
32
Connection-Oriented Services
• Connection-oriented service modeled after the telephone system
  – To talk to someone, pick up a phone, dial the number, talk and disconnect
• Similarly, in a network, the service user will
  – Establish a connection
  – Use the connection
  – Release the connection
  – The sender, receiver and the network may conduct a negotiation about data transfer speed, maximum message size, etc.
33
Connection-Oriented Services
• Connection-oriented service is used when reliability is important
  – E.g., for file transfer, we want that all bits arrive correctly and in the order they were sent
34
Connectionless Services
• Connectionless service modeled after the postal system
  – Each message (letter) carries the full destination address
  – Each message is routed through the system independent of all others
  – If two messages are sent to the same destination, normally the first one to be sent should arrive first. But it is possible that the second message arrives first
35
TCP/IP Protocol Suite
• TCP / IP – Transmission Control Protocol / Internet Protocol
• Developed prior to the OSI model
• Layers of TCP/IP do not match exactly with those in the OSI model
• Used in the Internet
• Ability to connect multiple networks in a seamless way was one of the major design goals which led to development of TCP / IP
36
TCP/IP Protocol Suite
• TCP / IP – refers to a collection of data communication protocols
• This name TCP/IP is misleading because TCP and IP are only two of the many protocols that compose the suite
• TCP / IP has its origins in the work done by the US Department of Defense.
37
TCP / IP Suite
• The TCP / IP suite does not define any specific protocols at the data link and physical layers
38
Application Layer
• The Application layer is equivalent to the combined OSI Session, Presentation, and Application layers
• All the functions handled by these 3 layers in the OSI model are handled by the Application layer in TCP / IP model
39
Application Layer
• This layer contains all the higher-level protocols
  – FTP – File Transfer Protocol – basic file transfer between hosts (computers)
  – SMTP – Simple Mail Transfer Protocol (for email)
  – HTTP – Hyper Text Transfer Protocol (for web browsing)
• Data unit created at this layer is called a message
40
Encapsulation of Data
• TCP/IP protocol suite encapsulates data units at various layers of the model
• At the Application layer, the data unit created is called a message.
• The Transport layer adds a header to form either a segment with TCP.
• The Network (or Internet) layer adds another header to form a datagram
41
Encapsulation of Data
• Datagram – A self-contained message unit which contains sufficient information to allow it to be routed from the source to the destination
• The protocol used at the data link layer encapsulates the datagram into a frame and this is transmitted across the transmission medium.
42
Transport Layer - UDP
• This layer is represented by two protocols – TCP and UDP
  – TCP – Transmission Control Protocol
  – UDP – User Datagram Protocol
• UDP is simpler but is used when reliability and security are less important than size and speed – such as speech, video
• Since security and reliability are essential for most applications, TCP is used more often
43
Transport Layer - TCP
• TCP is a reliable connection-oriented protocol
• Allows error-free transmission
• Incoming byte stream is fragmented into a number of shorter messages and these are passed on to the next layer
• At the receiving end the TCP reassembles the messages into an output stream
• TCP also handles flow control – to control data transfer rate
44
Transport Layer - TCP
• A connection must be established between the sender and the receiver before transmission begins
• TCP creates a circuit between sender and receiver for the duration of the transmission
• TCP begins each transmission by alerting the receiver that segments are on their way (connection establishment).
• Each transmission is ended with connection termination
45
Transport Layer - TCP
• Each segment created by TCP includes
  – A sequencing number for re-ordering after receipt
  – An acknowledgement ID number
  – Source address
  – Destination address
  – Checksum – for error detection
  – Data
  – And other fields
46
Internetwork or Network Layer
• Also referred to as Network Layer or Internetwork Layer
• Internetwork Protocol (IP) is an unreliable and connectionless protocol
• It offers a best-effort delivery service
• No error checking
• IP does its best to get a transmission through to its destination but with no guarantees
• Noise can cause bit errors during transmission
• Datagrams may be discarded due to timeout errors
• Example of best-effort delivery service is: post-office
47
Internetwork or Network Layer
• IP transports data in packets called datagrams
• Each datagram is transported separately
• Datagrams can be of variable lengths (up to 64 KB)
• Datagrams may travel along different routes and may arrive out of sequence
• IP does not keep track of the routes
• IP does not have the facility to reorder datagrams once they arrive
• A datagram contains a header and data
• The header contains a number of fields including source and destination address
48
Comparison of OSI and TCP/IP Models
• The OSI model makes a clear distinction between services, interfaces and protocols
  – Each layer performs some service for the layer above it
  – A layer’s interface tells the processes above it how to access it. It specifies what the parameters are and what results to expect (somewhat like a function declaration)
  – The protocols used in a layer are used to get the job done.
49
Comparison of OSI and TCP/IP Models
• The OSI model has 7 layers while the TCP/IP model has 5 layers
• Both have network, transport, and application layers, but the other layers are different
• OSI model supports both connectionless and connection-oriented communication
• TCP/IP supports only connectionless communication
50
Before I explain the security layer, let us review the slides on “security use in daily basis”
51
What is behind these applications?
What is the mechanism that makes them secure?
52
Security Flows
• Cryptography – Algorithm: symmetric, asymmetric (e.g., cipher, DES, AES)
• Protocol – Protocol: SSL, TLS
• Applications – Applications: Web, email, any application that uses a security mechanism
* This approach is based entirely on my own knowledge and experience; it is not a standard, just a way to understand the layer concept.
53
Security versus OSI & TCP/IP Model
[Figure: three layer stacks side by side.
OSI: Application, Presentation, Session, Transport, Network, Data Link, Physical.
TCP/IP: Application, Transport, Internet, Data Link, Physical.
Security: Applications, Protocol, Cryptography.]
54
Concept
Why do we want security?
Let us review the slides on “security use in daily basis”
55
Intruder
56
Hacking - 1
57
Hacking - 2
DATA CENTER
58
Objectives
Outdoor, Office, Home
Security Policy Level
59
Type of Attacks
Passive
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are release of message contents and traffic analysis.
Active
Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service.
60
Passive Attack
• Release of Message Contents: read contents of message from Bob to Alice
• Traffic Analysis: observe pattern of messages from Bob to Alice
61
Active Attack - 1
• Masquerade: message from Hacker that appears to be from Bob
• Replay*: capture message from Bob to Alice; later replay message to Alice
* An attack in which a service already authorized and completed is forged by another "duplicate request" in an attempt to repeat authorized commands.
62
Active Attack - 2
• Modification of messages: modifies message from Bob to Alice
• Denial of Service: disrupts service provided by server
63
Could you explain to me why we need security?
64
Why We Need Security
• Privacy: The protection of data from unauthorized disclosure.
• Integrity: The assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion, deletion).
• Authentication: The assurance that the communicating entity is the one that it claims to be.
• Nonrepudiation: Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication.
65
International Standards
• Common Criteria for Information Technology Security Evaluation. Part 1-3.
• Information technology - Security techniques - Guide for the production of protection profiles and security targets.
• Information technology - Guidelines for the management of IT Security - Part 1-5
• Information technology - Code of practice for information security management (ISO/IEC 27002)
• Federal Information Processing standards publication. FIPS 140-2. Security Requirements for Cryptographic Modules.
• NIST Special Publication 800-57, Recommendation for Key Management.
• Information technology – Security techniques. Security assessment of operational systems.
• Move to: Federal Information Processing standards publication. FIPS 140-3. Security Requirements for Cryptographic Modules.
[Diagram labels: Development, Management]
66
International Standards
We focus on X.800 security services
67
X.800 Services
• X.800 defines a security service as a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers.
• A clearer definition is found in RFC 2828, which provides the following definition:
  – a processing or communication service that is provided by a system to give a specific kind of protection to system resources;
  – security services implement security policies and are implemented by security mechanisms.
68
X.800 Services
Five Categories, Fourteen Specific Services
• Authentication
  The assurance that the communicating entity is the one that it claims to be.
  – Peer Entity Authentication: Used in association with a logical connection to provide confidence in the identity of the entities connected.
  – Data Origin Authentication: In a connectionless transfer, provides assurance that the source of received data is as claimed.
• Access Control
  The prevention of unauthorized use of a resource (i.e., this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do).
69
X.800 Services
Five Categories, Fourteen Specific Services
• Data Confidentiality
  The protection of data from unauthorized disclosure.
  – Connection Confidentiality: The protection of all user data on a connection.
  – Connectionless Confidentiality: The protection of all user data in a single data block.
  – Selective-Field Confidentiality: The confidentiality of selected fields within the user data on a connection or in a single data block.
  – Traffic Flow Confidentiality: The protection of the information that might be derived from observation of traffic flows.
70
X.800 Services
Five Categories, Fourteen Specific Services
• Data Integrity
  The assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion, deletion, or replay).
  – Connection Integrity with Recovery: Provides for the integrity of all user data on a connection and detects any modification, insertion, deletion, or replay of any data within an entire data sequence, with recovery attempted.
  – Connection Integrity without Recovery: As above, but provides only detection without recovery.
  – Selective-Field Connectionless Integrity: Provides for the integrity of selected fields within a single connectionless data block; takes the form of determination of whether the selected fields have been modified.
71
X.800 Services
Five Categories, Fourteen Specific Services
• Data Integrity
  – Selective-Field Connection Integrity: Provides for the integrity of selected fields within the user data of a data block transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted, or replayed.
  – Connectionless Integrity: Provides for the integrity of a single connectionless data block and may take the form of detection of data modification. Additionally, a limited form of replay detection may be provided.
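One way to realise "Connection Integrity without Recovery" as defined above, shown as an added example that is not part of the original slides. It assumes a pre-shared key and HMAC-SHA256 over a sequence number plus the data block; X.800 names the service, not this mechanism, and all names here are illustrative.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key shared by both ends


def seal(key: bytes, seq: int, data: bytes) -> tuple:
    """Sender side: the tag covers the sequence number and the data block."""
    tag = hmac.new(key, struct.pack("!Q", seq) + data, hashlib.sha256).digest()
    return seq, data, tag


class Receiver:
    """Detection only: reports what went wrong and attempts no recovery."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0  # next sequence number expected on this connection

    def accept(self, seq: int, data: bytes, tag: bytes) -> str:
        expected = hmac.new(self.key, struct.pack("!Q", seq) + data,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "modified-or-inserted"  # tag does not match this seq/data
        if seq < self.next_seq:
            return "replayed"              # authentic, but already delivered
        verdict = "ok" if seq == self.next_seq else "deletion-detected"
        self.next_seq = seq + 1
        return verdict


def demo() -> list:
    """Run a constructed four-block stream through the receiver."""
    blocks = [b"pay 10", b"pay 20", b"pay 30", b"pay 40"]
    stream = [seal(KEY, i, b) for i, b in enumerate(blocks)]
    rx = Receiver(KEY)
    results = [rx.accept(*stream[0])]               # genuine block 0
    seq, _, tag = stream[1]
    results.append(rx.accept(seq, b"pay 99", tag))  # block 1 altered in transit
    results.append(rx.accept(*stream[1]))           # genuine block 1
    results.append(rx.accept(*stream[0]))           # block 0 sent again
    results.append(rx.accept(*stream[3]))           # block 2 never arrived
    return results
```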
72
X.800 Services
Five Categories, Fourteen Specific Services
• Nonrepudiation
  Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication.
  – Nonrepudiation, Origin: Proof that the message was sent by the specified party.
  – Nonrepudiation, Destination: Proof that the message was received by the specified party.
73
Example : Goal & Setting
X.800: Authentication
What It Means: These are the identification and authorization mechanisms used to be certain that the person or computer using the web application is the correct person to be using it.
Example (WEB): Every time you log in to a web page that has your personal data, you are authenticating. Authentication often means just giving a login and password. Sometimes it means giving an identification number or even just coming from an acceptable IP address (white-listing).
74
Example : Goal & Setting
X.800: Non-repudiation
What It Means: A record that proves that the data sent to or from the web application was really sent and where.
Example (WEB): Although you may not see it, most web applications keep track of purchases you make from a particular IP address using a particular browser on a particular operating system as a record that it was most likely someone on your computer who made that purchase. Without specific “authentication” they can't guarantee 100% it was you though.
75
Example : Goal & Setting
X.800: Confidentiality
What It Means: A way to assure communication with application cannot be on by another person.
Example (WEB): The HTTPS part of interaction with a web application provides pretty good confidentiality. It does a decent job of keeping your web traffic with the web app from being publicly readable.