1 Week 1: Introduction & Symmetric Cryptographic

Post on 21-Dec-2015


Page 1: 1 Week 1: Introduction & Symmetric Cryptographic

1

Week 1: Introduction & Symmetric Cryptographic

Page 2: 1 Week 1: Introduction & Symmetric Cryptographic

2

Technology and applications play a big role in community services and in security.

Page 3: 1 Week 1: Introduction & Symmetric Cryptographic

3

First, let us look at the evolution of communications.

Extracted from : Next Generation Home Networks: Driving a New Society?

Consumer Market

Page 4: 1 Week 1: Introduction & Symmetric Cryptographic

4

• The start of the Internet for the masses using dial-up:
  – Phone line is shared between the PC and the phone
  – Emergence of the ISP concept with AOL, …
• New concept:
  – Content available to everybody
• First Internet boom:
  – “New economy” concept

Modem / Phone line: 28 – 56 kbps

Extracted from : Next Generation Home Networks: Driving a New Society?

80-90s: A New World Called Internet

Consumer Market

Page 5: 1 Week 1: Introduction & Symmetric Cryptographic

5

2000 – 2003: The Beginning of the Always-On Concept

• Emergence of the ADSL technology:
  – Higher bandwidth than dial-up: typically 64k to 384 kbps
  – “Always on” concept; i.e., no busy signal
• Device per service
  – One phone
  – One PC

ADSL: 64 – 384 kbps

Extracted from : Next Generation Home Networks: Driving a New Society?

Consumer Market

Page 6: 1 Week 1: Introduction & Symmetric Cryptographic

6

xDSL: 20+ Mbps

• Emergence of the new DSL and xPON technologies:
  – Higher bandwidth than ADSL: typically 20 Mbps per home
• First signs of home networks with the digitalization of the home:
  – Digital camera, camcorder, PlayStation, DVD, iPod…

Extracted from : Next Generation Home Networks: Driving a New Society?

2003 – 2005: Emergence of Basic Home Networks and Triple Play Services

Consumer Market

Page 7: 1 Week 1: Introduction & Symmetric Cryptographic

7

2005 – 2015: The Digital Connected Home

• Many multi-service devices in the home:
  – All using IP as a foundation
• Virtualization of content:
  – Access content anywhere/anytime, whether it is home-based (personal) or network-based (public)
• Communications and entertainment

Extracted from : Next Generation Home Networks: Driving a New Society?

Consumer Market

Page 8: 1 Week 1: Introduction & Symmetric Cryptographic

8

Example of Network Infrastructure

Residential Gateway (RG)

Broadband Termination Unit (BTU)

BTU

Page 9: 1 Week 1: Introduction & Symmetric Cryptographic

9

Example of Network Infrastructure

Page 10: 1 Week 1: Introduction & Symmetric Cryptographic

10

Applications over Network

Page 11: 1 Week 1: Introduction & Symmetric Cryptographic

11

Services: DATA (D), VOICE (V), IMAGE (I)

Combined services: DI, IV, DV, DIV

Page 12: 1 Week 1: Introduction & Symmetric Cryptographic

12

Services

Page 13: 1 Week 1: Introduction & Symmetric Cryptographic

13

What are we facing?

Page 14: 1 Week 1: Introduction & Symmetric Cryptographic

14

Unwanted visitors

• Safeguarding assets is the responsibility of users
• A threat agent may also place value on the asset
• Such a vulnerability may be exploited by a threat agent
• Countermeasures are imposed to reduce the vulnerability

(Diagram: User – Assets – Vulnerabilities – Threat Agents – Countermeasures)

Page 15: 1 Week 1: Introduction & Symmetric Cryptographic

15

Multiple Attack

(Diagram: User – Assets – Vulnerabilities – Threat Agents – Countermeasures)

Page 16: 1 Week 1: Introduction & Symmetric Cryptographic

16

Objectives

Security Policy Level: Outdoor, Office, Home

Page 17: 1 Week 1: Introduction & Symmetric Cryptographic

17

Security mechanisms are embedded in technology. Security is used on a daily basis.

Page 18: 1 Week 1: Introduction & Symmetric Cryptographic

18

Security use in daily basis 1 - biometric

Page 19: 1 Week 1: Introduction & Symmetric Cryptographic

19

Security use in daily basis 2 - Business

Page 20: 1 Week 1: Introduction & Symmetric Cryptographic

20

Security use in daily basis 3 – Voice Communication

Page 21: 1 Week 1: Introduction & Symmetric Cryptographic

21

Security use in daily basis 4 – Integration Operation

Page 22: 1 Week 1: Introduction & Symmetric Cryptographic

22

Security use in daily basis 5 – Operating System

Page 23: 1 Week 1: Introduction & Symmetric Cryptographic

23

Security use in daily basis 6 – WEB

Page 24: 1 Week 1: Introduction & Symmetric Cryptographic

24

Let me share with you the OSI layers and the Internet layers.

Page 25: 1 Week 1: Introduction & Symmetric Cryptographic

25

Seven-layer OSI Model

Layer           Data Unit   Function
Host layers
  Application   Data        Network process to application
  Presentation  Data        Data representation and encryption
  Session       Data        Interhost communication
  Transport     Segments    End-to-end communications and reliability (TCP)
Media layers
  Network       Packets     Path determination and logical addressing (IP)
  Data Link     Frames      Physical addressing (MAC & LLC)
  Physical      Bits        Media, signal and binary transmission

Page 26: 1 Week 1: Introduction & Symmetric Cryptographic

26

Five-Layer TCP/IP Model

Application: DHCP • DNS • FTP • Gopher • HTTP • IMAP4 • IRC • NNTP • XMPP • MIME • POP3 • SIP • SMTP • SNMP • SSH • TELNET • RPC • RTP • RTCP • TLS/SSL • SDP • SOAP • VPN • PPTP • L2TP • GTP

Transport: TCP • UDP • DCCP • SCTP

Internet: IP (IPv4 • IPv6) • IGMP • ICMP • RSVP • BGP • RIP • OSPF • ISIS • IPsec • ARP • RARP

Data Link: 802.11 • ATM • DTM • Ethernet • FDDI • Frame Relay • GPRS • EVDO • HSPA • HDLC • PPP

Physical: Ethernet physical layer • ISDN • Modems • PLC • SONET/SDH • G.709 • Wireless

Page 27: 1 Week 1: Introduction & Symmetric Cryptographic

27

Hexadecimal Dump of the Packet

 0: 00e0 f726 3fe9 0800 2086 354b 0800 4500  ..÷&?... .5K..E.
16: 0028 08b9 4000 ff06 999a 8b85 d96e 8b85  .(..@........n..
32: e902 9005 0017 7214 f115 9431 1028 5010  ......r....1.(P.
48: 2238 1c80 0000                           "8....

Page 28: 1 Week 1: Introduction & Symmetric Cryptographic

28

Packet Decode

ETHER: ----- Ether Header -----
ETHER:
ETHER: Packet 5 arrived at 17:37:23.94
ETHER: Packet size = 54 bytes
ETHER: Destination = 0:e0:f7:26:3f:e9, CISCO Router
ETHER: Source = 8:0:20:86:35:4b, Sun
ETHER: Ethertype = 0800 (IP)
ETHER:

Page 29: 1 Week 1: Introduction & Symmetric Cryptographic

29

Packet Decode

IP: ----- IP Header -----
IP:
IP: Version = 4
IP: Header length = 20 bytes
IP: Type of service = 0x00 (normal)
IP: Total length = 40 bytes
IP: Identification = 2233
IP: Flags = 0x4
IP: .1.. .... = do not fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 255 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = 999a
IP: Source address = 139.133.217.110, client
IP: Destination address = 139.133.233.2, server.abdn.ac.uk
IP: No options
IP:

Page 30: 1 Week 1: Introduction & Symmetric Cryptographic

30

Packet Decode

TCP: ----- TCP Header -----
TCP:
TCP: Source port = 36869
TCP: Destination port = 23 (TELNET)
TCP: Sequence number = 1913975061
TCP: Acknowledgement number = 2486243368
TCP: Data offset = 20 bytes
TCP: Flags = 0x10
TCP: ..0. .... = No urgent pointer
TCP: ...1 .... = Acknowledgement
TCP: .... 0... = No push
TCP: .... .0.. = No reset
TCP: .... ..0. = No Syn
TCP: .... ...0 = No Fin
TCP: Window = 8760
TCP: Checksum = 0x1c80
TCP: Urgent pointer = 0
TCP: No options
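The packet in the hex dump, decoded by a short Python script. This is an added example, not code from the slides or from the packet analyser whose output they show. It copies the 54 hex bytes of the dump, peels the encapsulation layers that the later encapsulation slides describe (frame, datagram, segment), and verifies the IPv4 header checksum. It then shows why that checksum is an error-detection aid and not an integrity service: an edited header fails the check only until whoever edited it recomputes the checksum. The field names in the returned dictionary and the helper names are my own. Note what the decode reveals: destination port 23 is TELNET, whose whole session, login included, travels in cleartext; that exposure is what the cryptographic mechanisms later in this course exist to remove.

```python
import struct

# Hex columns copied from the dump on the slide (54 bytes: Ethernet + IPv4 + TCP).
PACKET_HEX = (
    "00e0 f726 3fe9 0800 2086 354b 0800 4500 "
    "0028 08b9 4000 ff06 999a 8b85 d96e 8b85 "
    "e902 9005 0017 7214 f115 9431 1028 5010 "
    "2238 1c80 0000"
)
PACKET = bytes.fromhex(PACKET_HEX)

TCP_FLAG_NAMES = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
                  ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791). Run over a header that
    still contains its checksum field, the result is 0 when the header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    # Same style as the slide, no zero padding: 0:e0:f7:26:3f:e9
    return ":".join("%x" % b for b in raw)


def decode(packet: bytes) -> dict:
    """Peel the encapsulation: frame -> IPv4 datagram -> TCP segment -> payload."""
    dst, src, ethertype = struct.unpack("!6s6sH", packet[:14])
    out = {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "ethertype": ethertype}
    if ethertype != 0x0800:                 # only IPv4 is handled here
        return out
    ip = packet[14:]
    (vihl, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src4, dst4) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4                 # header length in bytes
    out.update({
        "ip_version": vihl >> 4, "ip_header_len": ihl, "ip_tos": tos,
        "ip_total_len": total_len, "ip_id": ident,
        "ip_df": bool(flags_frag & 0x4000), "ip_mf": bool(flags_frag & 0x2000),
        "ip_frag_offset": (flags_frag & 0x1FFF) * 8, "ip_ttl": ttl,
        "ip_proto": proto, "ip_checksum": csum,
        "ip_checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
        "ip_src": ".".join(map(str, src4)), "ip_dst": ".".join(map(str, dst4)),
    })
    if proto != 6:                          # only TCP is handled here
        return out
    tcp = ip[ihl:total_len]
    (sport, dport, seq, ack, off_flags,
     window, tcsum, urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    out.update({
        "tcp_sport": sport, "tcp_dport": dport, "tcp_seq": seq, "tcp_ack": ack,
        "tcp_data_offset": data_off, "tcp_flags": off_flags & 0x3F,
        "tcp_flag_names": [n for n, bit in TCP_FLAG_NAMES if off_flags & bit],
        "tcp_window": window, "tcp_checksum": tcsum, "tcp_urgent": urg,
        "tcp_payload": tcp[data_off:],
    })
    return out


def checksum_after_edit(packet: bytes, ttl: int, recompute: bool) -> bool:
    """Change the TTL byte of the IPv4 header and report whether the header
    still verifies. The checksum catches the edit, but an editor who also
    recomputes it passes, so it is no defence against deliberate modification."""
    ip = bytearray(packet[14:34])
    ip[8] = ttl                             # TTL is byte 8 of the IPv4 header
    if recompute:
        ip[10:12] = b"\x00\x00"             # checksum is computed with its own field zeroed
        ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    return ipv4_checksum(bytes(ip)) == 0


if __name__ == "__main__":
    for field, value in decode(PACKET).items():
        print("%-18s %r" % (field, value))
    print("edited TTL, checksum left alone :", checksum_after_edit(PACKET, 64, False))
    print("edited TTL, checksum recomputed :", checksum_after_edit(PACKET, 64, True))
```

Every value the script returns matches the decode on the three slides (identification 2233, TTL 255, checksum 0x999a verifying to zero, ports 36869 and 23, window 8760), which is a useful habit when reading any analyser output: the bytes are the ground truth and the decode is an interpretation of them.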

Page 31: 1 Week 1: Introduction & Symmetric Cryptographic

31

Five Layers TCP/IP Model

TCP/IP Fundamentals

Connection-oriented and connectionless services

The TCP/IP layers

Differences between OSI and TCP/IP models

Page 32: 1 Week 1: Introduction & Symmetric Cryptographic

32

Connection-Oriented Services

• Connection-oriented service is modeled after the telephone system
  – To talk to someone, pick up a phone, dial the number, talk and disconnect
• Similarly, in a network, the service user will
  – Establish a connection
  – Use the connection
  – Release the connection
  – The sender, receiver and the network may conduct a negotiation about data transfer speed, maximum message size, etc.

Page 33: 1 Week 1: Introduction & Symmetric Cryptographic

33

Connection-Oriented Services

• Connection-oriented service is used when reliability is important
  – E.g., for file transfer, we want all bits to arrive correctly and in the order they were sent

Page 34: 1 Week 1: Introduction & Symmetric Cryptographic

34

Connectionless Services

• Connectionless service is modeled after the postal system
  – Each message (letter) carries the full destination address
  – Each message is routed through the system independently of all others
  – If two messages are sent to the same destination, normally the first one sent should arrive first, but it is possible that the second message arrives first

Page 35: 1 Week 1: Introduction & Symmetric Cryptographic

35

TCP/IP Protocol Suite

• TCP / IP – Transmission Control Protocol / Internet Protocol
• Developed prior to the OSI model
• Layers of TCP/IP do not match exactly with those in the OSI model
• Used in the Internet
• The ability to connect multiple networks in a seamless way was one of the major design goals which led to the development of TCP / IP

Page 36: 1 Week 1: Introduction & Symmetric Cryptographic

36

TCP/IP Protocol Suite

• TCP / IP refers to a collection of data communication protocols
• The name TCP/IP is misleading because TCP and IP are only two of the many protocols that compose the suite
• TCP / IP has its origins in the work done by the US Department of Defense

Page 37: 1 Week 1: Introduction & Symmetric Cryptographic

37

TCP / IP Suite

• The TCP / IP suite does not define any specific protocols at the data link and physical layers

Page 38: 1 Week 1: Introduction & Symmetric Cryptographic

38

Application Layer

• The Application layer is equivalent to the combined OSI Session, Presentation, and Application layers
• All the functions handled by these 3 layers in the OSI model are handled by the Application layer in the TCP / IP model

Page 39: 1 Week 1: Introduction & Symmetric Cryptographic

39

Application Layer

This layer contains all the higher-level protocols:
• FTP – File Transfer Protocol – basic file transfer between hosts (computers)
• SMTP – Simple Mail Transfer Protocol (for email)
• HTTP – Hyper Text Transfer Protocol (for web browsing)

The data unit created at this layer is called a message

Page 40: 1 Week 1: Introduction & Symmetric Cryptographic

40

Encapsulation of Data

• TCP/IP protocol suite encapsulates data units at various layers of the model

• At the Application layer, the data unit created is called a message.

• The Transport layer adds a header to form either a segment with TCP.

• The Network (or Internet) layer adds another header to form a datagram

Page 41: 1 Week 1: Introduction & Symmetric Cryptographic

41

Encapsulation of Data

• Datagram – A self-contained message unit which contains sufficient information to allow it to be routed from the source to the destination

• The protocol used at the data link layer encapsulates the datagram into a frame and this is transmitted across the transmission medium.

Page 42: 1 Week 1: Introduction & Symmetric Cryptographic

42

Transport Layer - UDP

• This layer is represented by two protocols – TCP and UDP
  – TCP – Transmission Control Protocol
  – UDP – User Datagram Protocol
• UDP is simpler but is used when reliability and security are less important than size and speed – such as speech and video
• Since security and reliability are essential for most applications, TCP is used more often

Page 43: 1 Week 1: Introduction & Symmetric Cryptographic

43

Transport Layer - TCP

• TCP is a reliable connection-oriented protocol
• Allows error-free transmission
• The incoming byte stream is fragmented into a number of shorter messages and these are passed on to the next layer
• At the receiving end TCP reassembles the messages into an output stream
• TCP also handles flow control – to control the data transfer rate

Page 44: 1 Week 1: Introduction & Symmetric Cryptographic

44

Transport Layer - TCP

• A connection must be established between the sender and the receiver before transmission begins

• TCP creates a circuit between sender and receiver for the duration of the transmission

• TCP begins each transmission by alerting the receiver that segments are on their way (connection establishment).

• Each transmission is ended with connection termination

Page 45: 1 Week 1: Introduction & Symmetric Cryptographic

45

Transport Layer - TCP

• Each segment created by TCP includes
  – A sequencing number for re-ordering after receipt
  – An acknowledgement ID number
  – Source address
  – Destination address
  – Checksum – for error detection
  – Data
  – And other fields

Page 46: 1 Week 1: Introduction & Symmetric Cryptographic

46

Internetwork or Network Layer

• Also referred to as the Network Layer or Internetwork Layer
• The Internetwork Protocol (IP) is an unreliable and connectionless protocol
• It offers a best-effort delivery service
  – No error checking
  – IP does its best to get a transmission through to its destination, but with no guarantees
  – Noise can cause bit errors during transmission
  – Datagrams may be discarded due to timeout errors
• Example of a best-effort delivery service: the post office

Page 47: 1 Week 1: Introduction & Symmetric Cryptographic

47

Internetwork or Network Layer

• IP transports data in packets called datagrams
• Each datagram is transported separately
• Datagrams can be of variable lengths (up to 64 KB)
• Datagrams may travel along different routes and may arrive out of sequence
• IP does not keep track of the routes
• IP does not have the facility to reorder datagrams once they arrive
• A datagram contains a header and data
• The header contains a number of fields including source and destination address

Page 48: 1 Week 1: Introduction & Symmetric Cryptographic

48

Comparison of OSI and TCP/IP Models

• The OSI model makes a clear distinction between services, interfaces and protocols
  – Each layer performs some service for the layer above it
  – A layer’s interface tells the processes above it how to access it. It specifies what the parameters are and what results to expect (somewhat like a function declaration)
  – The protocols used in a layer are used to get the job done

Page 49: 1 Week 1: Introduction & Symmetric Cryptographic

49

Comparison of OSI and TCP/IP Models

• The OSI model has 7 layers while the TCP/IP model has 5 layers
• Both have network, transport, and application layers, but the other layers are different
• The OSI model supports both connectionless and connection-oriented communication
• TCP/IP supports only connectionless communication

Page 50: 1 Week 1: Introduction & Symmetric Cryptographic

50

Before I explain the security layers, let us review the slides presenting “security use in daily basis”.

Page 51: 1 Week 1: Introduction & Symmetric Cryptographic

51

What is behind these applications?

What is the mechanism that makes them secure?

Page 52: 1 Week 1: Introduction & Symmetric Cryptographic

52

Security Flows

Cryptography – Algorithm: symmetric, asymmetric (e.g., cipher, DES, AES)

Protocol – SSL, TLS

Applications – Web, email, any application that uses a security mechanism

* This approach is entirely from my own knowledge and experience; it is not a standard, just a way to understand the layer concept.

Page 53: 1 Week 1: Introduction & Symmetric Cryptographic

53

Security versus OSI & TCP/IP Model

OSI: Application, Presentation, Session, Transport, Network, Data Link, Physical

TCP/IP: Application, Transport, Internet, Data Link, Physical

Security: Applications, Protocol, Cryptography

Page 54: 1 Week 1: Introduction & Symmetric Cryptographic

54

Concept

Why do we want security?

Let us review the slides presenting “security use in daily basis”.

Page 55: 1 Week 1: Introduction & Symmetric Cryptographic

55

Intruder

Page 56: 1 Week 1: Introduction & Symmetric Cryptographic

56

Hacking - 1

Page 57: 1 Week 1: Introduction & Symmetric Cryptographic

57

Hacking - 2

DATA CENTER

Page 58: 1 Week 1: Introduction & Symmetric Cryptographic

58

Objectives

Security Policy Level: Outdoor, Office, Home

Page 59: 1 Week 1: Introduction & Symmetric Cryptographic

59

Type of Attacks

Passive

Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are release of message contents and traffic analysis.

Active

Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service.

Page 60: 1 Week 1: Introduction & Symmetric Cryptographic

60

Passive Attack

Release of Message Contents: read the contents of a message from Bob to Alice

Traffic Analysis: observe the pattern of messages from Bob to Alice

Page 61: 1 Week 1: Introduction & Symmetric Cryptographic

61

Active Attack - 1

Masquerade: a message from the hacker that appears to be from Bob

Replay*: capture a message from Bob to Alice; later replay the message to Alice

* An attack in which a service already authorized and completed is forged by another "duplicate request" in an attempt to repeat authorized commands.

Page 62: 1 Week 1: Introduction & Symmetric Cryptographic

62

Active Attack - 2

Modification of messages: modifies a message from Bob to Alice

Denial of Service: disrupts the service provided by the server

Page 63: 1 Week 1: Introduction & Symmetric Cryptographic

63

Could you explain to me why we need security?

Page 64: 1 Week 1: Introduction & Symmetric Cryptographic

64

Why We Need Security

Privacy – The protection of data from unauthorized disclosure.

Integrity – The assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion, or deletion).

Authentication – The assurance that the communicating entity is the one that it claims to be.

Nonrepudiation – Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication.

Page 65: 1 Week 1: Introduction & Symmetric Cryptographic

65

International Standards

• Common Criteria for Information Technology Security Evaluation. Part 1-3.
• Information technology - Security techniques - Guide for the production of protection profiles and security targets.
• Information technology - Guidelines for the management of IT Security - Part 1-5
• Information technology - Code of practice for information security management (ISO/IEC 27002)
• Federal Information Processing Standards Publication FIPS 140-2. Security Requirements for Cryptographic Modules. (Move to: FIPS 140-3. Security Requirements for Cryptographic Modules.)
• NIST Special Publication 800-57, Recommendation for Key Management.
• Information technology – Security techniques. Security assessment of operational systems.

(Diagram groups the standards under Development and Management)

Page 66: 1 Week 1: Introduction & Symmetric Cryptographic

66

International Standards

We focus on the X.800 security services.

Page 67: 1 Week 1: Introduction & Symmetric Cryptographic

67

X.800 Services

• X.800 defines a security service as a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers.
• A clearer definition is found in RFC 2828, which provides the following definition:
  – a processing or communication service that is provided by a system to give a specific kind of protection to system resources;
  – security services implement security policies and are implemented by security mechanisms.

Page 68: 1 Week 1: Introduction & Symmetric Cryptographic

68

X.800 Services

Five Categories, Fourteen Specific Services

• Authentication – The assurance that the communicating entity is the one that it claims to be.
  – Peer Entity Authentication: Used in association with a logical connection to provide confidence in the identity of the entities connected.
  – Data Origin Authentication: In a connectionless transfer, provides assurance that the source of received data is as claimed.

• Access Control – The prevention of unauthorized use of a resource (i.e., this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do).

Page 69: 1 Week 1: Introduction & Symmetric Cryptographic

69

X.800 Services

Five Categories, Fourteen Specific Services

• Data Confidentiality – The protection of data from unauthorized disclosure.
  – Connection Confidentiality: The protection of all user data on a connection.
  – Connectionless Confidentiality: The protection of all user data in a single data block.
  – Selective-Field Confidentiality: The confidentiality of selected fields within the user data on a connection or in a single data block.
  – Traffic Flow Confidentiality: The protection of the information that might be derived from observation of traffic flows.

Page 70: 1 Week 1: Introduction & Symmetric Cryptographic

70

X.800 Services

Five Categories, Fourteen Specific Services

• Data Integrity – The assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion, deletion, or replay).
  – Connection Integrity with Recovery: Provides for the integrity of all user data on a connection and detects any modification, insertion, deletion, or replay of any data within an entire data sequence, with recovery attempted.
  – Connection Integrity without Recovery: As above, but provides only detection without recovery.
  – Selective-Field Connectionless Integrity: Provides for the integrity of selected fields within a single connectionless data block; takes the form of determination of whether the selected fields have been modified.

Page 71: 1 Week 1: Introduction & Symmetric Cryptographic

71

X.800 Services

Five Categories, Fourteen Specific Services

• Data Integrity
  – Selective-Field Connection Integrity: Provides for the integrity of selected fields within the user data of a data block transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted, or replayed.
  – Connectionless Integrity: Provides for the integrity of a single connectionless data block and may take the form of detection of data modification. Additionally, a limited form of replay detection may be provided.
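The modification and replay attacks on the Active Attack slides, and the integrity services with replay detection defined above, as an added Python example (not code from the slides). Each message carries a sequence number and an HMAC-SHA256 tag computed under a shared symmetric key; the key, the window size and the messages are constructed for the example. The receiver rejects a message whose tag does not verify (modification in transit, or a masquerade by someone without the key) and a message whose sequence number has already been accepted or has dropped out of a sliding window (replay); tolerating reordering inside the window is the "limited form of replay detection" the connectionless integrity service allows. Two caveats the service table implies: the tag gives no confidentiality, since the payload is still readable and release of message contents is not prevented, and because both ends hold the same key it gives no nonrepudiation, since either party could have produced the tag.

```python
import hashlib
import hmac
import struct

# Constructed shared key for this example only; a real deployment obtains it
# through key management (NIST SP 800-57 on the standards slide), not source code.
KEY = b"constructed-example-key-32-bytes!"
TAG_LEN = hashlib.sha256().digest_size   # 32-byte HMAC-SHA256 tag
SEQ_LEN = 8                               # 64-bit sequence number


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: seq || payload || HMAC-SHA256(key, seq || payload).
    The sequence number is covered by the MAC, so it cannot be edited either."""
    header = struct.pack("!Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Accepts each protected message at most once and tolerates reordering
    within a sliding window, the way an anti-replay window does."""

    def __init__(self, key: bytes, window: int = 64):
        self.key = key
        self.window = window
        self.highest = -1          # highest sequence number accepted so far
        self.seen = set()          # accepted sequence numbers still inside the window

    def accept(self, msg: bytes):
        """Return (payload, 'ok') when the message is genuine and fresh,
        otherwise (None, reason)."""
        if len(msg) < SEQ_LEN + TAG_LEN:
            return None, "truncated"
        header, payload, tag = msg[:SEQ_LEN], msg[SEQ_LEN:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison: a plain '==' on tags leaks timing information.
        if not hmac.compare_digest(tag, expected):
            return None, "bad-mac"         # modified in transit, or forged without the key
        (seq,) = struct.unpack("!Q", header)
        if seq in self.seen or seq <= self.highest - self.window:
            return None, "replay"          # already accepted, or older than the window
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        return payload, "ok"


if __name__ == "__main__":
    rx = Receiver(KEY)
    genuine = protect(KEY, 1, b"pay 10 to Alice")
    tampered = bytearray(genuine)
    tampered[SEQ_LEN] ^= 0x01                  # flip one bit of the payload
    trials = [("genuine", genuine), ("replayed", genuine),
              ("tampered", bytes(tampered)),
              ("forged", protect(b"wrong-key", 2, b"pay 10 to Alice"))]
    for label, m in trials:
        print("%-9s -> %s" % (label, rx.accept(m)[1]))
```

The receiver checks the tag before it looks at the sequence number, so an attacker without the key cannot even influence the replay state; checking in the other order would let unauthenticated data update the window.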

Page 72: 1 Week 1: Introduction & Symmetric Cryptographic

72

X.800 Services

Five Categories, Fourteen Specific Services

• Nonrepudiation – Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication.
  – Nonrepudiation, Origin: Proof that the message was sent by the specified party.
  – Nonrepudiation, Destination: Proof that the message was received by the specified party.

Page 73: 1 Week 1: Introduction & Symmetric Cryptographic

73

Authentication

X.800

X.800 – What It Means – Example (WEB)

These are the identification and authorization mechanisms used to be certain that the person or computer using the web application is the correct person to be using it.

Every time you log in to a web page that has your personal data, you are authenticating. Authentication often means just giving a login and password. Sometimes it means giving an identification number or even just coming from an acceptable IP address (white-listing).

Example: Goal & Setting

Page 74: 1 Week 1: Introduction & Symmetric Cryptographic

74

Non-repudiation

X.800

X.800 – What It Means – Example (WEB)

A record that proves that the data sent to or from the web application was really sent, and where.

Although you may not see it, most web applications keep track of purchases you make from a particular IP address using a particular browser on a particular operating system, as a record that it was most likely someone on your computer who made that purchase. Without specific “authentication” they can't guarantee 100% that it was you, though.

Example: Goal & Setting

Page 75: 1 Week 1: Introduction & Symmetric Cryptographic

75

Confidentiality

X.800 – What It Means – Example (WEB)

A way to assure that communication with the application cannot be listened in on by another person.

The HTTPS part of the interaction with a web application provides pretty good confidentiality. It does a decent job of keeping your web traffic with the web app from being publicly readable.

Example: Goal & Setting