Chapter 20: Network Security Business Data Communications, 4e

Post on 22-Dec-2015


Chapter 20: Network Security

Business Data Communications, 4e


Security Threats

- Passive attacks
  - Eavesdropping on, or monitoring, transmissions
  - Electronic mail, file transfers, and client/server exchanges are examples of transmissions that can be monitored
- Active attacks
  - Modification of transmitted data
  - Attempts to gain unauthorized access to computer systems


Encryption Methods

- The essential technology underlying virtually all automated network and computer security applications is cryptography
- Two fundamental approaches are in use:
  - conventional encryption, also known as symmetric encryption
  - public-key encryption, also known as asymmetric encryption


Conventional Encryption

- The only form of encryption prior to the late 1970s
- Five components to the algorithm
  - Plaintext: The original message or data
  - Encryption algorithm: Performs various substitutions and transformations on the plaintext.
  - Secret key: Input to the encryption algorithm. Substitutions and transformations performed depend on this key
  - Ciphertext: Scrambled message produced as output. Depends on the plaintext and the secret key
  - Decryption algorithm: Encryption algorithm run in reverse. Uses ciphertext and the secret key to produce the original plaintext.


Conventional Encryption Operation


Conventional Encryption Requirements & Weaknesses

- Requirements
  - A strong encryption algorithm
  - Secure process for sender & receiver to obtain secret keys
- Methods of Attack
  - Cryptanalysis
  - Brute force


Data Encryption Standard (DES)

- Adopted in 1977, reaffirmed for 5 years in 1994, by NBS/NIST
- Plaintext is 64 bits (or blocks of 64 bits), key is 56 bits
- Plaintext goes through 16 iterations, each producing an intermediate value that is used in the next iteration.
- DES is now too easy to crack to be a useful encryption method


Triple DEA

- Alternative to DES, uses multiple encryption with DES and multiple keys
- With three distinct keys, TDEA has an effective key length of 168 bits, so is essentially immune to brute force attacks
- Principal drawback of TDEA is that the algorithm is relatively sluggish in software


Public-Key Encryption

- Based on mathematical functions rather than on simple operations on bit patterns
- Asymmetric, involving the use of two separate keys
- Misconceptions about public key encryption
  - it is more secure from cryptanalysis
  - it is a general-purpose technique that has made conventional encryption obsolete


Public-Key Encryption Components

- Plaintext
- Encryption algorithm
- Public key
- Private key
- Ciphertext
- Decryption algorithm


Public-Key Encryption Operation


Public-Key Signature Operation


Characteristics of Public-Key

- Infeasible to determine the decryption key given knowledge of the cryptographic algorithm and the encryption key.
- Either of the two related keys can be used for encryption, with the other used for decryption.
- Slow, but provides tremendous flexibility to perform a number of security-related functions
- Most widely used algorithm is RSA


Location of Encryption Devices

- Link encryption
  - Each vulnerable communications link is equipped on both ends with an encryption device.
  - All traffic over all communications links is secured.
  - Vulnerable at each switch
- End-to-end encryption
  - The encryption process is carried out at the two end systems.
  - Encrypted data are transmitted unaltered across the network to the destination, which shares a key with the source to decrypt the data
  - Packet headers cannot be secured


Conventional Encryption Key Distribution

- Both parties must have the secret key
- Key is changed frequently
- Requires either manual delivery of keys, or a third-party encrypted channel
- Most effective method is a Key Distribution Center (e.g. Kerberos)


Public-Key Encryption Key Distribution

- Parties create a pair of keys; public key is broadly distributed, private key is not
- To reduce computational overhead, the following process is then used:

1. Prepare a message.

2. Encrypt that message using conventional encryption with a one-time conventional session key.

3. Encrypt the session key using public-key encryption with recipient’s public key.

4. Attach the encrypted session key to the message and send it.
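
The four steps above as an added Python sketch (not from the original slides): the message is encrypted under a one-time session key, and only that short key goes through the public-key operation. Assumptions: a constructed textbook-RSA key pair without padding, and a SHA-256 counter keystream standing in for the conventional cipher; all function and variable names are hypothetical.

```python
import hashlib
import secrets

# Constructed demo key pair (assumption): textbook RSA, no padding, built from
# two known Mersenne primes. Real systems use randomly generated keys and OAEP.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
PUB = (N, E)
PRIV = (N, pow(E, -1, (P - 1) * (Q - 1)))
KEY_LEN = 16  # session key size in bytes


def conventional_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in conventional cipher: XOR with a SHA-256 counter keystream.
    The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def send(message: bytes, recipient_pub):
    n, e = recipient_pub
    session_key = secrets.token_bytes(KEY_LEN)               # one-time key
    body = conventional_xor(session_key, message)            # step 2
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)  # step 3
    return wrapped, body                                     # step 4


def receive(envelope, recipient_priv) -> bytes:
    n, d = recipient_priv
    wrapped, body = envelope
    # Only the private-key holder can recover the session key.
    session_key = pow(wrapped, d, n).to_bytes(KEY_LEN, "big")
    return conventional_xor(session_key, body)


MESSAGE = b"Quarterly figures attached."  # constructed sample (step 1)
ENVELOPE = send(MESSAGE, PUB)

if __name__ == "__main__":
    print(receive(ENVELOPE, PRIV))
```

The slow public-key operation runs once per message on 16 bytes, whatever the message length, which is the overhead reduction the slide refers to.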


Digital Signature Process


Public Key Certificates

1. A public key is generated by the user and submitted to Agency X for certification.

2. X determines by some procedure, such as a face-to-face meeting, that this is authentically the user’s public key.

3. X appends a timestamp to the public key, generates the hash code of the result, and encrypts that result with X’s private key forming the signature.

4. The signature is attached to the public key.
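
Steps 3 and 4, together with the check a relying party performs on the result, as an added Python sketch that is not part of the original slides. Assumptions: Agency X's key is a constructed textbook-RSA key without padding, SHA-256 is the hash, and the `|` separator, field names and sample values are hypothetical.

```python
import hashlib

# Constructed demo key for Agency X (assumption): textbook RSA, no padding,
# built from two known Mersenne primes. Illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
X_PUB = (P * Q, E)
X_PRIV = (P * Q, pow(E, -1, (P - 1) * (Q - 1)))


def digest(public_key: bytes, timestamp: str) -> int:
    """Step 3: append the timestamp to the public key and hash the result."""
    data = public_key + b"|" + timestamp.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def certify(public_key: bytes, timestamp: str, x_priv=X_PRIV) -> dict:
    """Steps 3-4: encrypt the hash with X's private key and attach it."""
    n, d = x_priv
    signature = pow(digest(public_key, timestamp), d, n)
    return {"public_key": public_key, "timestamp": timestamp,
            "signature": signature}


def verify(cert: dict, x_pub=X_PUB) -> bool:
    """Relying party: recover the hash with X's public key and compare it
    with a fresh hash of the key and timestamp actually presented."""
    n, e = x_pub
    recovered = pow(cert["signature"], e, n)
    return recovered == digest(cert["public_key"], cert["timestamp"])


# Constructed sample values.
CERT = certify(b"user-public-key-bytes", "2015-12-22T00:00:00Z")
SWAPPED = dict(CERT, public_key=b"substituted-key-bytes")
BACKDATED = dict(CERT, timestamp="2014-01-01T00:00:00Z")

if __name__ == "__main__":
    print(verify(CERT), verify(SWAPPED), verify(BACKDATED))
```

Verification fails for the substituted key and for the altered timestamp because either change alters the hash that X signed.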


Web Vulnerabilities

- Unauthorized alteration of data at the Web site
- Unauthorized access to the underlying operating system at the Web server
- Eavesdropping on messages passed between a Web server and a Web browser
- Impersonation


Methods for Improving Web Security

- Securing the Web site itself
  - install all operating system security patches
  - install the Web server software with minimal system privileges
  - use a more secure platform
- Securing the Web application


Web Application Security

- Secure HyperText Transfer Protocol (SHTTP)
- Secure Sockets Layer (SSL)
- Web server packages should incorporate both of these protocols


Virtual Private Networks (VPNs)

- The use of encryption and authentication in the lower protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet.
- Generally cheaper than real private networks using private lines but rely on having the same encryption and authentication system at both ends.
- The encryption may be performed by firewall software or possibly by routers.


IPSec

- Can secure communications across a LAN, WANs, and/or the Internet
- Examples of use:
  - Secure branch office connectivity over the Internet
  - Secure remote access over the Internet
  - Establishing extranet and intranet connectivity with partners
  - Enhancing electronic commerce security


Benefits of IPSec

- When implemented in a firewall or router, provides strong security for all traffic crossing the perimeter
- IPSec in a firewall is resistant to bypass
- Runs below the transport layer (TCP, UDP) and so is transparent to applications
- Can be transparent to end users
- Can provide security for individual users if needed


IPSec Functions

- IPSec provides three main facilities
  - authentication-only function referred to as Authentication Header (AH)
  - combined authentication/encryption function called Encapsulating Security Payload (ESP)
  - a key exchange function
- For VPNs, both authentication and encryption are generally desired


ESP Encryption & Authentication


IPSec Key Management

- Manual
  - System administrator manually configures each system with its own keys and with the keys of other communicating systems
  - Practical for small, relatively static environments
- Automated
  - Enables the on-demand creation of keys for SAs and facilitates the use of keys in a large distributed system
  - Most flexible but requires more effort to configure and requires more software