hello world - PowerPoint PPT Presentation

About This Presentation
Title:

hello world

Description:

hello world - Department of Computer Engineering | CMPE ... Security * – PowerPoint PPT presentation

Number of Views:101
Avg rating:3.0/5.0
Slides: 27
Provided by: CanO150
Category:

less

Transcript and Presenter's Notes

Title: hello world


1
Security
2
SECURITY
  • Fundamental Requirements
  • Privacy
  • Integrity
  • Authentication
  • Non-repudiation
  • Availability

3
SECURITY
  • Privacy issue
  • How do you ensure that that the information you
    transmit over the Internet has not been captured
    or passed on to a third party without your
    knowledge.
  • Integrity Issue
  • How do you ensure the information you send or
    receive has not been compromised or altered

4
SECURITY
  • Authentication issue
  • How do sender and receiver of a message prove
    their identities to each other
  • Non-Repudiation Issue
  • How do you legally prove that a message was sent
    or received
  • Availability Issue
  • How do we ensure that the network and the
    computer system it connects will stay in
    operation continuously

5
Cryptography
  • Cryptography transforms data using a key (a
    string of digits that acts as a password) to make
    the data incomprehensible to all but the sender
    and the intended receiver
  • Plaintext unencrypted data
  • Ciphertext encrypted data
  • Cipher/Cryptosystem technique/algorithm for
    encrypting messages
  • Simple examples of cryptosystem
  • Substitution
  • Transposition

6
Secret key (Symmetric) Cryptography
  • uses same (symmetric) keys to encrypt/decrypt a
    message
  • fundamental problem before two people can
    communicate, they must first find a way to
    exchange the symmetric key securely
  • Point-to-point key exchange
  • Centralized Key distribution center generates a
    session key
  • DES algorithms developed by NSA and IBM in the
    1950s

7
Public Key (Asymmetric) Cryptography
  • developed by Diffie Hellman (Stanford Univ)
    1976
  • Two inversely related keys are used
  • Public key freely distributed
  • Private key kept secret by its owner
  • Either the public key or the private key can be
    used to encrypt or decrypt a message
  • If the public key is used to encrypt a message,
    only the corresponding private key can decrypt it
  • Vice versa if the private key is used to encrypt
    a message, only the corresponding public key can
    decrypt it (this can be used to authenticate the
    sender of the message)

8
Public Key (Asymmetric) Cryptography
  • The defining property of a secure public key is
    that it is computationally infeasible to deduce
    the private key from the public key
  • Public key algorithms require large amounts of
    computer power
  • Symmetric systems are faster
  • RSA most commonly used public key algorithm
    (developed by Rivest, Shamir, Adleman, MIT
    Professors, in 1977)

9
Key Agreement Protocols
  • Public key algorithms can be used to allow two
    parties to agree upon a key to be used as secret
    key to be used for symmetric key encryption over
    insecure medium
  • Digital Envelope
  • message is encrypted using a symmetric key
  • Symmetric key is encrypted using public key
  • Attach encrypted symmetric key to encrypted
    message and send the entire package
  • To decrypt receiver first decrypts the symmetric
    key using the receivers private key. Then the
    symmetric key is used to decrypt actual message

10
SECURITY-Hash Function
  • Also known as message digest
  • Mathematical function that gives message a hash
    value
  • The chance that two different messages will have
    the same message digest is statistically
    insignificant
  • Collision occurs when multiple messages have the
    same hash value
  • It is computationally infeasible to compute a
    message from its hash value or to find two
    messages with the same hash value
  • Example MD5

11
SECURITY- Digital signatures
  • Solve problems of integrity and authentication
  • Like a written signature, authenticates senders
    identity
  • To create a digital signature
  • Run original plaintext message through hash
    (message digest)
  • Encrypt message digest using senders private key
    (creates a digital signature and authenticates
    the sender)
  • Encrypt original message with receivers public
    key
  • Send (encrypted messagedigital signaturehash
    function) to the receiver

12
SECURITY Digital Signatures
  • Receiver
  • Receives the package
  • Uses senders public key to decipher the digital
    signature and reveal the message digest
  • Uses receivers own private key to decipher the
    original message
  • Applies the hash function to the original message
  • Compare the deciphered message digest to the
    result of hash function

13
SECURITY Digital Signatures
  • Digital signatures do not provide the proof that
    a message has been sent
  • A time-stamping agency (third party) can help to
    solve the non-repudiation problem by digitally
    signing the time-stamp
  • US government recently passed digital-signature
    legislation that makes digital signatures as
    legally binding as hand-written signatures

14
Public Key Infrastructure (PKI)
  • How does a customer know that the web site it is
    accessing belongs to a trustworthy merchant and
    not to a third party site that is acting as
    merchant to steal credit-card information
  • PKI integrates public-key cryptography with
    digital certificates and certification
    authorities (CA) to authenticate parties in a
    transaction
  • Digital Certificate is a digital document issued
    by a CA and includes
  • name of the subject (being certified)
  • Subjects public key
  • Expiration date
  • plus other relevant information
  • CA is a financial institution or other trusted
    third party such as VeriSign or Thawte

15
CA
  • CA takes the responsibility for authentication,
    it checks the validity of information before
    issuing a digital certificate
  • Digital certificates are publicly available in
    CA certificate repositories
  • CA signes the certificate by encrypting either
    the public key or a hash value of the public key
    using the CAs own private key
  • CA has to verify every individuals public key.
    Thus users must trust the public key of a CA.
  • A certificate authority is a chain of
    certificates starting with the root certification
    authority IPRA (Internet Policy Registration
    Authority)
  • Root only signs certificates for policy creation
    authorities (organizations that set policies for
    obtaining digital certificates)
  • Policy creation authorities sign digital
    certificates for Cas
  • CA s sign digital certificates for individuals,
    organizations

16
SECURE SOCKETS LAYER (SSL)
  • SSL protocol developed by Netscape
  • Built into web browsers and numerous other
    products
  • When you use the Internet, the connection between
    you and any other point can be routed through
    dozens of independent systems (unauthorized
    people can steal confidential information, credit
    card numbers etc by eavesdropping)
  • SSL protocol was developed to transfer
    information privately and securely across the
    Internet
  • SSL is the de facto standard for encrypted and
    authenticated communications between clients and
    servers on the Internet
  • Virtually all online purchases and monetary
    tansactions on the Internet are secured by SSL
  • URL starts with https

17
SSL
  • SSL usage is not just limited to securing
    e-commerce transactions other SSL usage
    examples
  • financial institutions, insurance companies, B2B,
    private organizations
  • SSL ensures that connection is private and
    secure by providing authentication and encryption
  • Authentication confirms the server and
    optionally the client are who they say they are
  • Encryption creates a secure tunnel between the
    client and the server which prevents any
    unauthorized system from reading the data
  • SSL-enabled clients Netscape, MS Internet
    Explorer, Firefox, Chrome etc.
  • SSL-enabled servers Apache, MS IIS, etc.
  • Clients and Servers confirm each others
    identities using digital certificates which are
    issued by CA.

18
SSL
  • SSL is comprised of two protocols
  • Handshake Protocol (key exchange)
  • Record Protocol (bulk data transfer)

19
SSL- Handshake Protocol
  • Authenticates the server to the client
    (optionally the client to the server) using
    public-key encryption (asymmetric) techniques
  • Allows client and server to negotiate the cipher
    suite to be used
  • Allows the client and the server to generate
    symmetric session keys
  • Establishes the encrypted session
  • Once key exchange is complete, client and server
    use symmetric session keys to encrypt all
    communication between them (SSL Record Protocol)
  • Symmetric encryption algorithm such as DES or RC4
    is used.

20
SSL Negotiation Steps
  1. Initially request for SSL session comes from the
    browser to the web server
  2. Web server sends the browser its digital
    certificate (contains info about the server and
    servers public key)
  3. Browser verifies that certificate is valid and
    that a CA listed in the clients list of trusted
    CAs issued it. Browser also checks expiration
    date and web server domain name
  4. Once browser has determined that the server
    certificate is valid, browser generates a 48-byte
    master secret. This master secret is encrypted
    using servers public key and is then sent to the
    Web server
  5. Web server receives the encrypted master secret
    from the browser and decrypts it using the
    servers private key
  6. Both web server and the browser have the same
    secret key
  7. Communicate securely by encrypting data using
    symmetric technique

21
SSL Negotiation Steps
SSL Negotiation Steps
22
  • SSL sits on top of TCP at the transport layer
  • SSL operates independently and transparently of
    other protocols so it will work with any
    application layer and transport layer protocol
  • This allows clients servers to establish secure
    SSL connections w/o requiring knowledge of other
    partys code

23
SECURITY ATTACKS
  • Denial-of-service attack occurs when a networks
    resources are taken up by unauthorized
    individual, leaving the network unavailable for
    legitimate users
  • Another type of attack modifies routing tables
    of a network, thus disabling network ability or
    funneling all data to one address in the network
  • Distributed denial service attacks ( attack does
    not come from one single source, but rather from
    multiple sources

24
Denial of Service Attack
  • A "denial-of-service" attack is characterized by
    an explicit attempt by attackers to prevent
    legitimate users of a service from using that
    service. Examples include
  • - attempts to "flood" a network, thereby
    preventing legitimate network traffic
  • - attempts to disrupt connections between two
    machines, thereby preventing access to a service
  • - attempts to prevent a particular individual
    from accessing a service
  • - attempts to disrupt service to a specific
    system or person
  • Illegitimate use of resources may also result in
    denial of service. For example, an intruder may
    use your anonymous ftp area as a place to store
    illegal copies of commercial software, consuming
    disk space and generating network traffic

25
Modes of Attack
  • Consumption of scarce, limited, or non-renewable
    resources
  • - Network connectivity,
  • - Using Your Own Resources Against You
  • - Bandwidth Consumption
  • - Consumption of Other Resources
  • Destruction or alteration of configuration
    information
  • Physical destruction or alteration of network
    components

26
Further Reading
http//www.cert.org/tech_tips/denial_of_service.ht
ml
Write a Comment
User Comments (0)
About PowerShow.com