internet security: an overview

1
internet securityan overview (3)
hooman nili
2
"Security is a chain it's only as secure as
the weakest link." "Security is a process, not a
product." Bruce Schneier
3
Lets put it all together

• How can we use cryptography to assure
• confidentiality?
• Sounds simple enough now
• The little secret key
• If we encrypt a message with our secret key and
  only
• trusted parties have the secret key, anyone
  without the secret
• key would get gibberish (garbage characters).
• Even if the blackhat gets a copy of the encrypted
  message, hes
• Going to have a hard time decrypting it.
• Question
• Can public key be used for confidentiality
  assurance?

4
Notation
AlicePub Alices public key AlicePriv Alices
private key BobPub Bobs public key BobPriv
Bobs private key ? Plaintext/decrypted
message ? Ciphertext/encrypted message
5
Notation

• BobPub (?) ?
• Alice encrypts message with Bobs pub key
• BobPriv BobPub(?) ?
• Bobs decrypts Alices message with his private
  key
• AlicePub (?) ?
• Bob encrypts message with Alices pub key
• AlicePriv AlicePub(?) ?
• Alice decrypts Bobs message with her private key

6
What we need to remember

• As mentioned earlier, the public and private keys
  are related by
• mathematical functions. It can be shown that
• BobPriv BobPub(?) BobPub BobPriv(?) ?
• AlicePriv AlicePub(?) AlicePub AlicePriv(?) ?
  
• This is the basis of RSA
• Were sayingIt can be shown that applying the
  public and private key to a message in any order
  will reveal the plaintext message. Believe that,
  or you will face the consequences (watching the
  mathematical proof!!)

7
Now, think again! Can the public key model be
used for confidentiality assurance?
8
What daCant read the damn thing. I dont have
Bobs private key

(?)
( ?)
BobPub
(?)
(?)
BobPriv
BobPub
9
So far weve sorted out confidentiality. Both
secret and public key models can be used to
assure confidentiality. Which method is better
and why?
10
Lets put it all together..

• How can we use cryptography for
• authentication?
• Using the secret key model (Sharing the same
  secret key)
• Alice picks a pick a random number, A, from a
  huge set, encrypts it with her secret key and
  gets a.
• She then sends A to Bob and asks him to encrypt
  it and send back the result.
• If Bob sends back a, Alice know that shes
  talking to Bob and therefore Bob is
  authenticated.
• Bob will use the same method to authenticate
  Alice. This method is usually known as challenge
  and response.
• Question
• Why must A be a random number?

11
Lets put it all together

• How can we use cryptography for
• authentication?
• Using the public key model
• Alice encrypt the message with her private key
  and sends it to Bob (Encrypting with private key
  is usually referred to as digital signing
  AlicePriv (?) ?
• Bob decrypts the message with Alices public key.
• AlicePub AlicePriv(?) ?
• If Bob decrypts the message correctly, he knows
  that the message had been signed by Alice, so
  Alice is authenticated.

12
Lets put it all together

• How can we use cryptography for
• authentication?
• Using the public key model
• Any comments?

13
Lets put it all together.

• How can we use cryptography to assure message
  integrity?
• Using the secret key model
• Alice encrypts a message with the secret key that
  she shares with bob.
• Bob can decrypt the message correctly only if it
  has remained absolutely intact during
  transmission.
• Using the public key model
• Alice encrypts a message with her private key
  (signs it).
• If Bob decrypts the message correctly with
  Alices public key, he can be assured that the
  message has not been altered during transmission.

14
Lets put it all together.

• How can we use cryptography to assure
  nonrepudiation?
• How can we assure that the sender of a message
  cant deny or repudiate sending it?
• Using the secret key model Lets demo this.
• Using the public key model
• Alice encrypts a message with her private key
  (signs it).
• If Bob decrypts the message correctly with
  Alices public key, Alice cannot deny later
  sending the message. Nobody other than Alice has
  access to Alices private key.

15
Lets put it all together.

• Summary of key models

16
Secure Socket Layer (SSL) A 10-minute intro

• Developed in 1994 by Netscape SSL is a data
  communication protocol that implements three
  cryptographic assurances
• Authentication
• Confidentiality
• Message integrity
• SSL per se (on its own) doesnt offer
  nonrepudiation.
• SSL uses public-key cryptography to establish a
  secure communication between the client and the
  server.
• The open version of SSL is referred to as the
  Transport Layer Security (TLS) protocol.

17
Secure Socket Layer (SSL) A 10-minute intro
SSL sits between TCP (Transport Layer) and the
application layer. This makes it easy to adapt
application protocols to SSL. For example HTTP
or FTP can be easily modified to use SSL (https,
sftp)
18
Secure Socket Layer (SSL) A 10-minute intro

• We will concentrate on using SSL with a web
  server (e.g. Apache). SSL is not a part of HTTP.
  Its a separate layer in its own right.
• Secure HTTP (https) is usually distinguished from
  the unencrypted HTTP by being served on port 443
  instead of 80. e.g.
• http//www.brunel.ac.uk (port 80)
• https//www.brunel.ac.uk (port 443)
• Authentication over SSL is handled through a
  trusted third party known as Certificate
  Authority (CA). The CA is a trusted body, often
  independent, which verifies the identity of the
  web server. The we server identity verification
  is done using digital certificates which is send
  by the server to the client before transmitting
  data. (X.509 is the most common standard for
  digital certificate implementation)

19
Server
Client
Hello Alice, my browser can talk over SSL. Can
we establish a connection?
OK, let me check, Yes and here is my digital
Certificate including my public key.
I checked your certificate with my browsers list
of certificates, generated a random number, R,
and encrypted it with your public key. Im
sending you the result

I applied my private key to and recovered the
random number you generated. This is now our
session key.
Bob Authenticates Alice
We now both have the same secret key that we can
apply to all our data to ensure confidentiality
and integrity. Next time we can do the same thing
and generate a different secret key.
R
R
20
When youre connected to the Internet, the
internet is connected to you."
21
Firewalls for access control Nilis 10-minute
intro

• FirewallsGenerally speaking, we can define a
  firewall as a system that acts as a checkpoint
  between two segments of a network in order to
  control the traffic by examining the packets
  exchanged between the segments. Think!
• You could think of a firewall as a gateway
  between a private network and one or more public
  networks. It selectively decides what passes
  through and in what direction.
• A firewall must be the sole gateway between the
  network it protects and the outside. If traffic
  can bypass (go around) a firewall, the security
  it provides is rendered worthless. (This
  situation is not rare!) The basic rule is that
  all external traffic must pass through the
  firewall.

22
Firewalls for access control Nilis 10-minute
intro

• How Firewalls work
• Packets passing through a firewall are examined
  and filtered based
• Source address The IP from which the packet
  originated
• Destination Address The IP to which the packet
  is addressed
• Port number The application-layer protocol the
  packet will use. and ports, a packet is either
  forwarded, dropped, or blocked.
• A decision is then made by the firewall to
• Drop the packet Packet is killed
• Block Packet is rejected
• Forward Packet is forwarded to the destination
  IP.
• The above process is usually referred to as
  packet filtering.

23
Security is matter of policy, not technology!"

24
A common firewall configuration

• The risk we cant avoid
• In network security we usually talk about how
  much control we choose to exert rather than how
  much control we can exert.
• Practically, when were dealing with the
  Internet, we usually need to open our networks
  (or part of it) to the public to some degree.
• Firewalls can be used to implement this
  intentional (and often unavoidable) security
  compromise by creating a middle ground that
  accommodates our public servers and separates
  them from our Intranet. This part of the network
  that contains our public serves is usually called
  the demilitarised zone or DMZ for short. See the
  next slide for a simple example.

25
A common firewall configuration

Two-way traffic is confined to the demilitarised
zone, DMZ.
Green arrows indicate that traffic is allowed in
a given direction
Red arrows indicate that traffic is disallowed in
a given direction
26
Activity NAT PAT

• NAT (Network Address Translation)
• PAT (Port Address Translation)

27
Thats all you need to know about firewalls,
for now!
28
Some examples

• Firewalls
• SSL and CAs

29
Discussion time

• How can cryptography help if physical security is
  compromised?
• Is public-key cryptography (e.g. RSA) 100
  secure?
• Why not use SSL for all connections? (Designing
  web pages for SSL)
• Browser compatibility and SSL certificates a
  conspiracy theory
• How secure and reliable is SSL?
• Future of cryptography

30
I hop will have time for (can you do the job?)

• VPL (Virtual Private LAN)
• PGP (Pretty Good Privacy)
• Digital Certificates and possible attacks
• Checksums
• Wireless security

31
Useful web resources

• Search engines
• Search for cryptography
• http//www.rsasecurity.com - again