Скачать презентацию ECE-6612 http www csc gatech edu copeland jac 6612 Prof John Скачать презентацию ECE-6612 http www csc gatech edu copeland jac 6612 Prof John

5e26d060e3a8b36aa2607d0da60f47ec.ppt

  • Количество слайдов: 22

ECE-6612 http: //www. csc. gatech. edu/copeland/jac/6612/ Prof. John A. Copeland john. copeland@ece. gatech. edu ECE-6612 http: //www. csc. gatech. edu/copeland/jac/6612/ Prof. John A. Copeland john. [email protected] gatech. edu 404 894 -5177 fax 404 894 -0035 Office: Centergy 5188 email or call for office visit, or call Kathy Cheek, 404 894 -5696 Quiz-2 Review

Quiz-2 Topic Areas X. 509 Certificates - Digital Proof of Identity Email Security - Quiz-2 Topic Areas X. 509 Certificates - Digital Proof of Identity Email Security - PGP, S/MIME IP Security - IPsec IP Security Web Security --IPsec Socket Layers (SSL) Secure Web Security --Secure Socket Layers (SSL) Secure Electronic Transactions (SET) - Secure Electronic Transactions (SET) Network Management Security - SNMP v 3 Intruders (and other Malicious Users) Viruses - Worms, Trojan Horses, . . . X 2

X. 509 Authentication Service • An International Telecommunications Union (ITU) recommendation (versus “standard”) for X. 509 Authentication Service • An International Telecommunications Union (ITU) recommendation (versus “standard”) for allowing computer host or users to securely identify themselves over a network. • An X. 509 certificate purchased from a “Certificate Authority” (trusted third party) allows a merchant to give you his public key in a way that your Browser can generate a session key for a transaction, and securely send that to the merchant for use during the transaction (padlock icon on screen closes to indicate transmissions are encrypted). • Once a session key is established, no one can “high jack” the session (for example, after your enter your credit card information, an intruder can not change the order and delivery address). • User only needs a Browser that can encrypt/decrypt with the appropriate algorithm, and generate session keys from truly random numbers. • Merchant’s Certificate is available to the public, only the secret key must be protected. Certificates can be cancelled if secret key is compromised. 3

Raw “Certificate” has user name, public key, expiration date, . . . Raw Cert. Raw “Certificate” has user name, public key, expiration date, . . . Raw Cert. Generate hash code of Raw Certificate MIC Hash Signed Certificate Recipient can verify signature using CA’s public key. Encrypt hash code with CA’s private key to form CA’s signature Certificate Authority generates the “signature” that is added to raw “Certificate” 4

Email Pretty Good Privacy, PGP Establishing Keys • Public Key Certification • Exchange Public Email Pretty Good Privacy, PGP Establishing Keys • Public Key Certification • Exchange Public Keys Multiple Recipients • Encrypt message m with session key, S • Encrypt S with each recipient's key • Send: {S; Kbob}, {S; Kann}, . . . , {m; S} Authentication of Source • Hash (MD 4, MD 5, SHA 1) of message, encrypt with private key (provides ciphertext/plaintext pair) • Secret Key K: MIC is hash of K+m, or CBC residue with K (assuming message not encrypted with K). 5

Things of which to be aware Neither PEM or PGP encode mail headers • Things of which to be aware Neither PEM or PGP encode mail headers • Subject can give away useful info • To and From give an intruder traffic analysis info PGP gives recipient the original file name and modification date PEM may be used in a local system with unknown trustworthiness of certificates Certificates often verify that sender is "John Smith" but he may not be the "John Smith" you think (PGP allows pictures in certificates) 7

Simple Mail Transfer Protocol (SMTP, RFC 822) SMTP Limitations - Can not transmit, or Simple Mail Transfer Protocol (SMTP, RFC 822) SMTP Limitations - Can not transmit, or has a problem with: • executable files, or other binary files (jpeg image). • “national language” characters (non-ASCII) • messages over a certain size • ASCII to EBCDIC translation problems • lines longer than a certain length (72 to 254 characters) MIME Defined Five New Headers • MIME-Version. Must be “ 1. 0” -> RFC 2045, RFC 2046 • Content-Type. More types being added by developers (application/word) • Content-Transfer-Encoding. How message has been encoded (radix-64) • Content-ID. Unique identifying character string. • Content Description. Needed when content is not readable text (e. g. , mpeg) Canonical Form: Standard format for use between systems ( not a “native” format - GIF).

Secure/MIME Can “sign” and/or encrypt messages Functions: • Enveloped Data: Encrypted content and encrypted Secure/MIME Can “sign” and/or encrypt messages Functions: • Enveloped Data: Encrypted content and encrypted session keys for recipients. • Signed Data: Message Digest encrypted with private key of “signer. ” • Clear-Signed Data: Signed but not encrypted. • Signed and Enveloped Data: Various orderings for encrypting and signing. Algorithms Used • Message Digesting: SHA-1 and MDS • Digital Signatures: DSS • Secret-Key Encryption: Triple-DES, RC 2/40 (exportable) • Public-Private Key Encryption: RSA with key sizes of 512 and 1024 bits, and Diffie-Hellman (for session keys). 9

X. 509 Chain of Authentication Actually, there is are sets of top-level CA’s, those X. 509 Chain of Authentication Actually, there is are sets of top-level CA’s, those included with browser programs (W, Y, . . . ). 10

Router Network - Table Set Up In an Router Network, circuits are defined by Router Network - Table Set Up In an Router Network, circuits are defined by entries in the Routing Tables along the way. These may be Static (manually set up) or Dynamic (set up according to Algorithm in the Router). B A to D A 1 E 4 2 6 5 A 1 Station ( on a LAN) Router 3 C 7 D Local Connection Trunk or Long-Haul 11

Browser Web Server Application Layer (HTTP) Port 80 Transport Layer (TCP, UDP) Segment No. Browser Web Server Application Layer (HTTP) Port 80 Transport Layer (TCP, UDP) Segment No. Network Layer (IP) IP Address 130. 207. 22. 5 E'net Data Link Layer Ethernet Phys. Layer Router Buffers Packets that need to be forwarded (based on IP address). Network Layer Token Ring E'net Data Link Layer E'net Phys. Layer Token Ring Phys. Layer Application Layer (HTTP) Port 31337 Transport Layer (TCP, UDP) Segment No. Network Layer (IP) IP Address 24. 88. 15. 22 Token Ring Data-Link Layer Token Ring Phys. Layer 12

Internet (IP) Layer Security The Internet Engineering Task Force (IETF) • Internet Protocol Security Internet (IP) Layer Security The Internet Engineering Task Force (IETF) • Internet Protocol Security protocol (IPSEC) working group to standardize an IP Security Protocol (IPSP) and an Internet Key Management Protocol (IKMP). • objective of IPSP is to make available cryptographic security mechanisms to users who desire security. • mechanisms should work for both the current version of IP (IPv 4) and the new IP (IPng or IPv 6). • should be algorithm-independent, in that the cryptographic algorithms can be altered. • should be useful in enforcing different security policies, but avoid adverse impacts on users who do not employ them. Rolf Oppliger, "Internet Security: Firewalls and Beyond, " p 92, Comm. ACM 40, May 1997 13

(SNMP version 3) 14 (SNMP version 3) 14

SET (Secure Electronic Transactions) • Provides a secure communications channel among all the parties SET (Secure Electronic Transactions) • Provides a secure communications channel among all the parties involved in a transaction: Customer, Seller, Customer’s credit provider, Seller’s bank. • Provides trust by the use of X. 509 v 3 certificates. • Ensures privacy because information is only made available to the parties that need it. * Cardholder account authentication to the Merchant (Cardholder must have a Certificate issued by the credit company). Merchant may issue a temporary Certificate to insure the session is not high-jacked). * Verifies that Merchant has a business relationship with a financial institution. * Integrity of data customer sends to Merchant (order info tied to funds transfer). 15

16 16

17 17

Network Intruders Masquerader: A person who is not authorized to use a computer, but Network Intruders Masquerader: A person who is not authorized to use a computer, but gains access appearing to be someone with authorization (steals services, violates the right to privacy, destroys data, . . . ) Misfeasor: A person who has limited authorization to use a computer, but misuses that authorization (steals services, violates the right to privacy, destroys data, . . . ) Clandestine User: A person who seizes supervisory control of a computer and proceeds to evade auditing and access controls. 19

The Stages of a Network Intrusion [RAERU] 1. Scan the network to: [RECONNAISANCE] • The Stages of a Network Intrusion [RAERU] 1. Scan the network to: [RECONNAISANCE] • locate which IP addresses are in use, Flow-based* "CI", signature-based? • what operating system is in use, • what TCP or UDP ports are “open” (being listened to by Servers). Vulnerability Scan Signature? , Flow-Based 2. Run “Exploit” scripts against open ports. [ACCESS] Port Profile* 3. Elevate privileges to “root” privileges. [ELEVATE] Host-based 4. Download from Hacker Web site special versions of systems files that will let Cracker have free access in the future without his cpu time or disk storage space being noticed by auditing programs. [ROOT KIT] Signature? , "Port-Profile*", Forbidden Zones*, Host-based 5. Use IRC (Internet Relay Chat) to invite friends to the feast, or use the computer and its info another way. [UTILIZE] Signature? , "Port-Profile*", Forbidden Zones*, Host-based * Stealth. Watch 20

Protection from a Network Intrusion 1. Use a “Firewall” between the local area network Protection from a Network Intrusion 1. Use a “Firewall” between the local area network and the worldwide Internet to limit access (Chapter 10). 2. Use an IDS (Intrusion Detection System) to detect Cracker during the scanning stage (lock out the IP address, or monitor and prosecute). 3. Use a program like Trip. Wire on each host to detect when systems files are altered, and email an alert to Sys Admin. 4. On Microsoft PC’s, a program like Zone Alarm or Black Ice is easier to install than learning how to reset default parameters to make the system safe (and fun besides). 21

Anomaly-Based Intrusion Detection High statistical variation in most measurable network behavior parameters results in Anomaly-Based Intrusion Detection High statistical variation in most measurable network behavior parameters results in high false-alarm rate #FP = #Normal Events x FP-rate False Alarms, False Positives Undetected Intrusions, False Negatives #FN = #Bad Events x FN-rate Detection Threshold 22