Network Security and Public Key Infrastructure (PKI) - PowerPoint PPT Presentation

About This Presentation

Title:

Network Security and Public Key Infrastructure (PKI)

Description:

Network Security and Public Key Infrastructure (PKI) Bill Chu Cryptographic hash function A hash function is a one-way function (analogous to meat grinder). – PowerPoint PPT presentation

Number of Views:109

Avg rating:3.0/5.0

Slides: 28

Provided by: BillC175

Learn more at: https://webpages.charlotte.edu

Category:

more less

Transcript and Presenter's Notes

Title: Network Security and Public Key Infrastructure (PKI)

1
Network Security and Public Key Infrastructure
(PKI)

Bill Chu

2
Introduction to Security

Internet environment
Information security addresses
Confidentiality
E.g. illegal access to secret information
Integrity
E.g. illegal addition/deletion/modification of
data
E.g. perform illegal operations
E.g. nonrepudiation
Availability
E.g. Severely load the system so that the system
cannot perform normal functions
Usability
Appropriate use of information

3
Requirements for Electronic Business Transactions

Authentication of transacting partners
Am I dealing with the one who claim to be
Once authenticated, business evaluations become
possible
credit history (report), bank verifications
Data integrity
any change to data are detected by receiver
Non-repudiation
can not deny if one issued a transaction
Confidentiality
keep transactions to only transacting partners

4
How can We Meet these Requirements?

Solutions cryptography-based technologies
Cryptography for
authentication
private key of cryptography is the evident you
are who you claim to be
you are the only one who has that key
data confidentiality
data encrypted prevents eavesdrops by others
non-repudiation
the data is encrypted with your key, you can not
deny you did not send it
you are the only one who has that encryption key
it is typically called encryptedly signed
(digital signature)
Message digest for
data integrity
run a checksum over the data encrypt it
changing data will be detected by the encrypted
checksum
others can not decrypt the checksum

5
Cryptography

Concept Secret writing
communicating in secret writing
prevent others from reading your message
Process
encrypt messages before send
decrypt message after receive
secret writing can not be read by others
Keys
encryption and decryption is private knowledge
it is computationally difficult to break
encryption/decryption

6
Key-based Cryptography

Encryption/Decryption with keys
computationally difficult without keys
Two types
private key or symmetric key cryptography
one key used for encryption and decryption
key has to be kept secret between partners
how to distribute the shared private key is a
problem
public key or asymmetric key cryptography
a pair of keys for encryption and decryption
each partner has a pair of keys
it keeps one key private to itself publishes
another for others to use

7
Using Cryptography
Bob
Alice
Alice
I love you
!_at_
I love you
Bob
Encryption
Decryption
cleartext
ciphertext
cleartext
Allices public key
Alices private key
Digital Signature, non-repudiation
Meet me at 3
!_at_
Meet me at 3
Alice
Bob
Encryption
Decryption
cleartext
ciphertext
cleartext
Bobs private key
Bobs Public key
Confidential message
8
Cryptographic hash function

A hash function is a one-way function (analogous
to meat grinder).
A cryptographic hash function typically hashes
objects of any size to a fixed length hash (e.g.
128 bits)
A cryptographic has function has to satisfy the
following properties
It is computationally infeasible to find the
original object based on the hash result
It is computationally infeasible to find two
documents that produce the same hash result

9
Digital Signature and its verification
I love you 67( MD5 RSA
I love you
!_at_
67Y(
Send
Hash
Encription
Allices private key
MD5
Digital signature
67Y(
I love you
?
Hash
Decription
Yesverification success
Allices public key
MD5
Verification of digital signature
10
The trust establishment problem

In order to verify a signature of Alice we must
trust that we know that we have Alices public
key.
Closed trust model we verify the public keys
ourselves, or we know everyone we are dealing
with
Open trust model we must deal with people we do
not know
The Internet is definitely an open world,
therefore a closed trust model will not work

11
Public key infrastructure

Have a third trusted party to verify the identity
of public keys using signed statements (digital
certificates) from the trusted party
(certification authority)
Have an directory of valid digital certificates
so that users can check (analogous to credit card
validation)

12
Digital Certificate

A Public-key certificate binds an entitys (e.g.
amazon.com) public key and one or more attributes
relating to its identity.
Trusted authority
Binding process, verification by the trusted
authoraty
Digital document (digital certificate) as proof
Helps key distribution as digital certificates
can be transmitted without encryption
Fields in a digital certificate

subject name unique for a CA, however, multiple
certificates may be issued to the same entity by
a CA
subject public key
Optional fields
Signature of the above.

version (1,2,or 3)
serial number unique within a CA
signature algorithm id
issuer CA
validity period

13
PKI Basic Components

PKI public key certificate or simply certificate
an electronic record that binds a public key to
an identity of the owner of a public-private key
pair, signed by a trusted entity (CA)
Certificate Revocation List (CRL)
a list of certificates that have been revoked
Certification Authority (CA)
a trusted entity that issues and revokes public
key certificates
Registration Authority (RA)
an entity trusted by CA to register user identity
associated public key to CA
Certificate Repository
electronic site that holds certificates CRLs
Relying Party (Certificate user)
an entity that uses certificates to know, with
certainty, the public key of another entity

14
PKI policy and practice

Certificate policy statements
The CA specifies what a give certificate can be
used for (e.g. email, secure server)
Drivers License analogy this license authorizes
the holder to operate 4-wheeled vehicles of up to
certain size and weight.
Certification practice statements
Describes the detailed processes/mechanisms used
by registration authorities.
Drivers License analogy types of id accepted,
questions for the written test, criterion and
mechanism for eye sight test, criterion for road
test
Cross certification
Accepting certificates issued by different CAs
Drivers License analogy most state will accept
drivers licenses issued by other states, but
additional tests may be necessary, details vary
in different states.

15
Secure Socket Layer (SSL)

The client (e.g.SSL inside a browser) chooses a
protocol
Key exchange algorithm
Private key cryptography algorithm
Message integrity algorithm
Server (e.g. SSL inside a web server) informs the
client that it supports the propose protocol
Server asserts its identity by sending a digital
certificate
The client verifies the digital certificate by
using public keys of CAs the client trusts
The client then generates a session key and
encrypt it with the servers public key and sends
the ciphertext to the server
Server decrypts the session key and complete the
handshake by sending a message back to the client
using the session key for encryption.
The client decrypts the messages and is then
certain that a secure channel has been
established.
All data transacted in this session (both
directions) are encrypted using the session key

16
Virtual Private Network

SSL/HTTPs provides encrypted communication for
web traffic
VPN provides an encrypted communication pipe for
all network traffic

17
Intrusion Techniques

Discovery Scanning
Target acquisition map host names, ip addresses
Host discovery
Port scanning
Banner retrieval types of machines, version
information.
Vulnerability Scanning discover known bugs and
attacks
Exploits
NT obtain user/admin access, NT resource Kit,
cover tracks
UNIX obtain root access, root kit, cover tracks
Install sniffers, keyboard loggers, acquire
access to other parts of the network
Spoofing
Change data, delete files, steal secrets
Dialin and backdoor
Social engineering

18
Summary of Intrusion Techniques

Brute force
Patience
Mis-configurations
Out-of-date software versions

19
Firewalls

Characteristics
All traffic goes through firewalls
Only authorized traffic can go through
The firewall itself is immune to penetration
Service control, e.g. no ftp
direction control
user control
behavior control (e.g. filter emails, and web
addresses)
Types of firewalls
packet filtering router
application level gateway
circuit level gateway (prevents end to end TCP
connection), e.g. SOCKS

20
Packet filtering router firewall
www.any.com web server
Send to port 80 At www.any.com
Server
OK
Client
Send to port 670
Send to port 890
Internet
Private network
21
Circuit gateway firewall
Server
Client
Socks lib
Socks lib
Relay
Internet
Private network

Relay will examine all packets and filter out
illegal packets
For example, a companys policy may want to
filter out all java applets through the firewall.

22
Application gateway firewall
Server
Client
App. gateway
Internet
Private network

Application gateway is a proxy server
For every application made available through the
firewall, there must be a proxy on the
application gateway
The application gateway forwards requests to the
server, it can also do customized filtering of
messages

23
Deterring pranks

Install appropriate defensive tools (some of)
use files
virus scans, detect port scans
Intrusion Detection Systems (IDS)
Install decoys and deception tools (all.net)

24
More serious threats

Customized virus will evade popular virus scan
programs
Virus immunology techniques may help, but there
is no guarantee!
Customized trojans
IDS and popular tools are generally ineffective
Attack techniques
Be noisy
Be quiet
Be clever

25
Denial of service

Noisy sync flooding
Typical denial of service starts with a hacked
account (e.g. AOL surveys!)
Synchronized attacks uses multiple staging
points, very difficult to detect and deal with.

26
Best defenses