Document: Network Security I, CSCI 4971 / 6968


Document information

Network Security I
CSCI 4971 / 6968
www.cs.rpi.edu/~yener/TEACHING/Netsec/Spring11/
Bülent Yener
yener@cs.rpi.edu
Lecture 1, 1/26/11
This presentation is in part based on the slides of W. Stallings

Outline (slide 2)
• Class information
– Network security I and II
• Background and introduction
• Basic concepts: attacks, services, mechanisms

Aim of the Courses (slide 3)
• Our focus is on both Network & Internet Security and Cryptography
• NetSec I focuses on cryptography and basics
• NetSec II builds upon NetSec I and covers advanced topics

CSCI-4971 and 6968 Network Security (slide 4)
• Basic Cryptography
• Basic Number Theory
• Security Goals
– Authentication, Privacy, Integrity, Key exchange
• Security Solutions
– SSL, PGP, SSH, IPSEC
• Security Practice
– E-mail, IP security, Web security, …
• And more: Internet and Network security issues

Definitions (slide 5)
• Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over a collection of interconnected networks

Standards Organizations
• National Institute of Standards & Technology (NIST)
• Internet Society (ISOC)
• International Telecommunication Union Telecommunication Standardization Sector (ITU-T)
• International Organization for Standardization (ISO)

Example
XXX bank wants to provide
web banking service to its customers. They have already programmed web pages and applications. Every customer has an id and password to access their account information.
– What are the threats?
– What are the security mechanisms to prevent them?
– What are the security services?

Case Study (slide 8)
[Figure: network diagram with the labels Attacker, Banking Server, Bank Customer, Internet, Bank Network, Web Server, Dial-up Access Server]

Security Attacks (slide 9)
• Passive attacks - eavesdropping on, or monitoring of, transmissions to:
– obtain message contents, or
– intercept, or monitor traffic flows
• Active attacks - modification of data stream to:
– masquerade of one entity as some other
– fabricate a message
– replay previous messages
– modify messages in transit
– denial of service

Threats (slide 10)
[Figure: network diagram with the labels Banking Server, Attacker (shown twice), Bank Customer, Bank Network, Web Server, Customer ISP, Bank ISP, Internet Backbone, carrier]

[...]

whether it is a real ID:
– Is it like a real license of the NY DMV?
– Does picture and name match?
– Expiration date?
• Your browser checks whether it is a real certificate:
– Is it like a real certificate of the certificate authority under consideration?
– Does ID, Name and/or other information match?
– Expiration date?
(slide 25)

Digital Certificates (cont…)
• Just like a driver's license:
– (issued [...]

[...] Authentication
– UserID/Password: "you know"
– Client Certificate: "given to you"
– Prevent stolen client certificates
• Short life time, not feasible!
• Associate certificate to User ID
• Accept a certificate if:
– It is valid
» Check authority
» Check expiration date
» Check black list (certificate revoke list)
» Has user correctly proven his knowledge of the private key associated
(issued to): Stores information about the owner
– (issued by): Stores information about the Authority issuing the ID
– Stores validity information
• Also stores Fingerprints
(slide 26)

Digital Certificates (slide 27)
[Figure: certificate with its Signature]

Digital Certificates (cont…)
• Fingerprint
– Generated by the issuer (Verisign)
• Issuer has two keys
– An encryption key (private)
– A decryption key (public)
• Public key is known to every [...]

[...] methods to distribute and share the secret information
– specify protocols enabling the principals to use the transformation and secret information for a security service
(slide 20)

Model for Network Access Security (slide 21)
[Figure: Model for Network Access Security]

Model for Network Access Security
• Using this model requires us to:
– select appropriate gatekeeper functions to identify users
– implement security controls to ensure only authorised users [...]

[...] with the certificate
– User entered matching user ID (stored in certificate) and correct password
– Server certificate
– Generate one time session key (we do not want to use our password or private key to provide confidentiality!)
(slide 15)

Customer-Web Server Comm (slide 16)
• Confidentiality & Integrity
– Key exchange
• Authenticated, must be part of the authentication process
• One time for life time [...]

[...] a picture ID (Driver's License, Passport)
• Your browser asks for a certificate
– They both trust the issuer of ID
• Bank teller trusts Department of Motor Vehicles
– DMV checks birth certificate to issue the license
• Your browser trusts certificate authorities
– VeriSign, Entrust, RSA, AOL
(slide 24)

SSL – Authentication (cont…)
– They both validate the ID [...]

[...] session
– Strong crypto algorithms
• Access control at customer and bank side
(slide 16)

Customer-Web Server Comm (slide 17)
Client Hello
Server Certificate
Client Certificate
Proof: Server Certificate
Proof: Client Certificate
Secret key exchange
Communication with Confidentiality & Integrity with the secret
Looks like SSL!

SSL
• What is SSL?
– Secure Sockets Layer
– Provides [...] communication between you and the server
– How do you know that it is active:
• The lock shown by your browser
– When the lock is closed or unbroken
• Web address starting with HTTPS
(slide 18)

Model for Network Security (slide 19)
[Figure: Model for Network Security]

Model for Network Security
• Using this model requires us to:
– design a suitable algorithm for the security transformation
– generate the secret information (keys) used by the algorithm [...]

[...] as root certificates
(slide 28)

Digital Certificates (Cont…) (slide 29)
• Your browser trusts issuer (Verisign)
• Your browser knows the public key of the issuer
• Your browser knows that a public key can only decrypt a fingerprint encrypted by the matching private key
• Your browser verifies that the certificate is given by the trusted authority
• Your browser authenticates the owner of the certificate

SSL [...]

[...] programs
– IP spoofing
– Unsafe Services
– Malicious codes: Virus and worms
– DoS: SYN attack, ping flooding
• Bank Network and Servers
– Use backdoor to access
– Eavesdropping
– Man-in-the-middle: Web Server to Banking Server
– Session hijacking
– DoS
– DNS attack
– Use unsafe services in other servers
– Install malicious codes in other servers
(slide 12)

Targets (cont.)
• DNS servers
– DNS cache poisoning
– DNS [...]
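The certificate slides (26 to 29: issued-to, issued-by and validity fields, a fingerprint that the issuer signs with its private key and anyone checks with the public key) and the slide 15 acceptance rule (check authority, expiration date, the black list, proof of the private key, and the user ID bound to the certificate) are easy to get wrong in order or in detail, so here is the whole rule as one runnable check. This is an added example, not code from the lecture or from any CA software. It uses a textbook-RSA toy keyed on Mersenne primes so it runs on the Python standard library alone and stays deterministic; the CA name "Example CA", the subject "Alice"/"alice42", the serial, the validity timestamps, the nonce and the attacker are all constructed for the scenario, and SHA-256 over canonical JSON stands in for the certificate encoding. Real certificates use padded signatures and far larger keys, but the order and the meaning of the checks are the point.

```python
import hashlib
import json

# Toy RSA on Mersenne primes: deterministic and standard-library only. Real CAs
# use 2048-bit+ keys and padded signatures (PKCS#1 v1.5 or PSS); the slides'
# "encrypt the fingerprint with the private key" picture is kept here only to
# make the checks concrete.
E = 65537
M127, M107, M89, M61, M31, M19 = (2**127 - 1, 2**107 - 1, 2**89 - 1,
                                  2**61 - 1, 2**31 - 1, 2**19 - 1)


def make_key(p, q):
    """Textbook RSA key pair: 'n' is public, 'd' stays with the owner."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}


def fingerprint(fields):
    """Slide 27/28: the fingerprint is a hash over the certificate's fields."""
    canonical = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big")


def sign(key, fields):
    """Issuer 'encrypts' the fingerprint with its private key (slide 28)."""
    return pow(fingerprint(fields) % key["n"], key["d"], key["n"])


def verify_sig(n, sig, fields):
    """Holder of the public key 'decrypts' and compares (slide 29)."""
    return pow(sig, E, n) == fingerprint(fields) % n


def issue_cert(issuer, issuer_key, serial, subject, user_id, subject_n,
               not_before, not_after):
    """Slide 26: issued-to, issued-by and validity fields, then the signature."""
    tbs = {"issuer": issuer, "serial": serial, "subject": subject,
           "user_id": user_id, "subject_n": subject_n,
           "not_before": not_before, "not_after": not_after}
    return {"tbs": tbs, "sig": sign(issuer_key, tbs)}


def prove_possession(subject_key, nonce):
    """Client signs the server's fresh nonce: a copied certificate without the
    private key cannot produce this, and an old proof does not match a new nonce."""
    return sign(subject_key, {"purpose": "client-auth", "nonce": nonce})


def accept_client_cert(cert, trusted_cas, crl, now, claimed_user_id,
                       nonce, proof):
    """Slide 15's rule: authority, expiration date, black list (CRL), proof of
    the private key, then the user ID entered must be the one in the
    certificate. Returns 'ok' or the first failing check."""
    tbs = cert["tbs"]
    ca_n = trusted_cas.get(tbs["issuer"])
    if ca_n is None:
        return "untrusted issuer"
    if not verify_sig(ca_n, cert["sig"], tbs):
        return "bad signature"
    if not tbs["not_before"] <= now <= tbs["not_after"]:
        return "expired or not yet valid"
    if (tbs["issuer"], tbs["serial"]) in crl:
        return "revoked"
    if not verify_sig(tbs["subject_n"], proof,
                      {"purpose": "client-auth", "nonce": nonce}):
        return "no proof of private key"
    if tbs["user_id"] != claimed_user_id:
        return "user id mismatch"
    return "ok"


# Constructed scenario (not from the slides): one CA the bank trusts, one
# customer certificate, and an attacker who has copied the certificate file.
CA_KEY = make_key(M127, M89)
CUSTOMER_KEY = make_key(M107, M61)
ATTACKER_KEY = make_key(M31, M19)
TRUSTED = {"Example CA": CA_KEY["n"]}
CERT = issue_cert("Example CA", CA_KEY, 1001, "Alice", "alice42",
                  CUSTOMER_KEY["n"], not_before=1_300_000_000,
                  not_after=1_330_000_000)


def demo(now=1_310_000_000, nonce="c3f9a1"):
    """Runs the acceptance rule against the genuine login and each attack."""
    good = prove_possession(CUSTOMER_KEY, nonce)
    edited = {"tbs": dict(CERT["tbs"], user_id="mallory"), "sig": CERT["sig"]}
    return {
        "genuine": accept_client_cert(CERT, TRUSTED, set(), now, "alice42", nonce, good),
        "stolen_cert_no_key": accept_client_cert(
            CERT, TRUSTED, set(), now, "alice42", nonce,
            prove_possession(ATTACKER_KEY, nonce)),
        "replayed_proof": accept_client_cert(
            CERT, TRUSTED, set(), now, "alice42", "other-nonce", good),
        "edited_user_id": accept_client_cert(
            edited, TRUSTED, set(), now, "mallory", nonce, good),
        "wrong_login": accept_client_cert(CERT, TRUSTED, set(), now, "bob", nonce, good),
        "revoked": accept_client_cert(
            CERT, TRUSTED, {("Example CA", 1001)}, now, "alice42", nonce, good),
        "expired": accept_client_cert(
            CERT, TRUSTED, set(), 1_340_000_000, "alice42", nonce, good),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20s} -> {verdict}")
```

Two design points matter for the bank's own threat list. The signature is verified before the validity window and the CRL are consulted, because those fields come out of the certificate and mean nothing until the signature says the CA wrote them. And the nonce is chosen fresh by the server for each login, which is what turns "has the user proven knowledge of the private key" into a check that a copied certificate plus a recorded earlier proof cannot pass.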
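Slide 9 lists replay, modification in transit and fabrication as the active attacks, and slides 15 to 17 answer them with a one-time session key and "communication with confidentiality & integrity with the secret". The following added example (mine, not the lecture's, and not how any particular SSL/TLS library does it) shows what that record layer needs in order to actually catch those three attacks: a per-session key derived from the exchanged secret and both sides' randoms, separate encryption and MAC keys, a sequence number inside the authenticated data, and a receiver that checks the tag before it trusts anything in the record. The shared secret, the client and server randoms and the order text are constructed values; the stream cipher is HMAC-SHA256 in counter mode so the block runs on the standard library alone.

```python
import hashlib
import hmac


def derive_session_key(shared_secret, client_random, server_random):
    """Slide 15/17: a one-time session key from the exchanged secret and both
    sides' fresh randoms, so the password and the private key are never used
    for bulk confidentiality and no two sessions share a key."""
    return hmac.new(shared_secret, b"session|" + client_random + server_random,
                    hashlib.sha256).digest()


def subkeys(session_key):
    """Separate keys for encryption and for the MAC."""
    enc = hmac.new(session_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(session_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key, seq, length):
    """PRF stream: HMAC-SHA256 in counter mode, keyed by (seq, block). Since a
    sequence number is never reused under one session key, keystream is not."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, seq.to_bytes(8, "big") + block.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(session_key, seq, plaintext):
    """Record = seq || ciphertext || tag. The tag covers seq and ciphertext
    (encrypt-then-MAC), so editing or re-sequencing the record is detectable."""
    enc_key, mac_key = subkeys(session_key)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, seq, len(plaintext))))
    header = seq.to_bytes(8, "big")
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


class Receiver:
    """Tracks the next expected sequence number for one direction of a session."""

    def __init__(self, session_key):
        self.enc_key, self.mac_key = subkeys(session_key)
        self.expected_seq = 0

    def open(self, record):
        """Returns (plaintext, 'ok') or (None, reason). The tag is checked
        before the sequence number, so forged records cannot probe the counter."""
        if len(record) < 8 + 32:
            return None, "malformed"
        header, ct, tag = record[:8], record[8:-32], record[-32:]
        expected_tag = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected_tag):
            return None, "modified or forged"
        seq = int.from_bytes(header, "big")
        if seq != self.expected_seq:
            return None, "replayed or out of order"
        self.expected_seq += 1
        pt = bytes(c ^ k for c, k in zip(ct, keystream(self.enc_key, seq, len(ct))))
        return pt, "ok"


def demo():
    """Constructed traffic: the customer sends one order; an attacker on the
    path replays it, edits it, and tries to fabricate a new one."""
    # Constructed values; a real handshake derives these from the key exchange.
    key = derive_session_key(b"constructed shared secret", b"\x01" * 32, b"\x02" * 32)
    bank = Receiver(key)
    order = seal(key, 0, b"transfer 100 to acct 42")
    results = {"genuine": bank.open(order)[1],
               "replay": bank.open(order)[1]}
    edited = bytearray(order)
    edited[8] ^= 0x01                      # flip one bit of the ciphertext
    results["modified"] = bank.open(bytes(edited))[1]
    forged = (1).to_bytes(8, "big") + b"\x00" * 23 + b"\x00" * 32  # no MAC key
    results["forged"] = bank.open(forged)[1]
    results["next_genuine"] = bank.open(seal(key, 1, b"balance?"))[1]
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:14s} -> {verdict}")
```

Note what each attack from slide 9 runs into: replay fails on the sequence number even though its tag is valid, modification and fabrication fail on the tag, and eavesdropping yields only ciphertext because the session key, not the password, drives the keystream. Integrity is what makes the sequence number trustworthy; a receiver that checked the counter first would leak which sequence numbers it still accepts to anyone who can send unauthenticated records.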

Posted: 14/02/2014, 08:20
