This preview shows page 1. Sign up to view the full content.
Unformatted text preview: Chapter 28 Security
Upon completion you will be able to: • Differentiate between two categories of cryptography schemes • Understand four aspects of security • Understand the concept of digital signature • Understand the role of key management in entity authentication • Know how and where IPSec, TLS, and PPG provide security
TCP/IP Protocol Suite 1 28.1 CRYPTOGRAPHY
The word cryptography in Greek means “secret writing.” The term today The refers to the science and art of transforming messages to make them secure and immune to attacks. secure The topics discussed in this section include: Symmetric-Key Cryptography Symmetric-Key Asymmetric-Key Cryptography Comparison TCP/IP Protocol Suite 2 Figure 28.1 Cryptography components TCP/IP Protocol Suite 3 Note: In cryptography, the encryption/decryption algorithms are public; the keys are secret. TCP/IP Protocol Suite 4 Note: In symmetric-key cryptography, the same key is used by the sender (for encryption) and the receiver (for decryption). The key is shared. TCP/IP Protocol Suite 5 Figure 28.2 Symmetric-key cryptography TCP/IP Protocol Suite 6 Note: In symmetric-key cryptography, the same key is used in both directions. TCP/IP Protocol Suite 7 Figure 28.3 Caesar cipher TCP/IP Protocol Suite 8 Figure 28.4 Transpositional cipher TCP/IP Protocol Suite 9 Figure 28.5 DES TCP/IP Protocol Suite 10 Figure 28.6 Iteration block TCP/IP Protocol Suite 11 Figure 28.7 Triple DES TCP/IP Protocol Suite 12 Note: The DES cipher uses the same concept as the Caesar cipher, but the encryption/ decryption algorithm is much more complex. TCP/IP Protocol Suite 13 Figure 28.8 Public-key cryptography TCP/IP Protocol Suite 14 Figure 28.9 RSA TCP/IP Protocol Suite 15 Note: Symmetric-key cryptography is often used for long messages. TCP/IP Protocol Suite 16 Note: Asymmetric-key algorithms are more efficient for short messages. TCP/IP Protocol Suite 17 28.2 PRIVACY
Privacy means that the sender and the receiver expect confidentiality. Privacy The transmitted message must make sense to only the intended receiver. To all others, the message must be unintelligible. To The topics discussed in this section include: Privacy with Symmetric-Key Cryptography Privacy Privacy with Asymmetric-Key Cryptography TCP/IP Protocol Suite 18 Figure 28.10 Privacy using symmetric-key encryption TCP/IP Protocol Suite 19 Figure 28.11 Privacy using asymmetric-key encryption TCP/IP Protocol Suite 20 Note: Digital signature can provide authentication, integrity, and nonrepudiation for a message. TCP/IP Protocol Suite 21 28.3 DIGITAL SIGNATURE
Digital signature can provide Digital nonrepudiation for a message. authentication, integrity, and The topics discussed in this section include: The Signing the Whole Document Signing Signing the Digest TCP/IP Protocol Suite 22 Figure 28.12 Signing the whole document TCP/IP Protocol Suite 23 Note: Digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption must be applied. TCP/IP Protocol Suite 24 Figure 28.13 Hash function TCP/IP Protocol Suite 25 Figure 28.14 Sender site TCP/IP Protocol Suite 26 Figure 28.15 Receiver site TCP/IP Protocol Suite 27 28.4 ENTITY AUTHENTICATION
Entity authentication is a procedure that verifies the identity of one Entity entity for another. An entity can be a person, a process, a client, or a server. In entity authentication, the identity is verified once for the entire duration of system access. duration The topics discussed in this section include: Entity Authentication with Symmetric-Key Cryptography Entity Entity Authentication with Asymmetric-Key Cryptography TCP/IP Protocol Suite 28 Figure 28.16 Using a symmetric key only TCP/IP Protocol Suite 29 Figure 28.17 Using a nonce TCP/IP Protocol Suite 30 Figure 28.18 Bidirectional authentication TCP/IP Protocol Suite 31 28.5 KEY MANAGEMENT
In this section we explain how symmetric keys are distributed and how In public keys are certified. The topics discussed in this section include: The Symmetric-Key Distribution Symmetric-Key Public-Key Certification Kerberos TCP/IP Protocol Suite 32 Note: A symmetric key between two parties is useful if it is used only once; it must be created for one session and destroyed when the session is over. TCP/IP Protocol Suite 33 Figure 28.19 Diffie-Hellman method TCP/IP Protocol Suite 34 Note: The symmetric (shared) key in the Diffie-Hellman protocol is K = G xy mod N. TCP/IP Protocol Suite 35 Example 1
Let us give an example to make the procedure clear. Our example uses small numbers, but note that in a real situation, the numbers are very large. Assume G = 7 and N = 23. The steps are as follows: 1. Alice chooses x = 3 and calculates R1 = 73 mod 23 = 21. 2. Alice sends the number 21 to Bob. 3. Bob chooses y = 6 and calculates R2 = 76 mod 23 = 4. 4. Bob sends the number 4 to Alice. 5. Alice calculates the symmetric key K = 43 mod 23 = 18. 6. Bob calculates the symmetric key K = 216 mod 23 = 18. The value of K is the same for both Alice and Bob; G = 18.
TCP/IP Protocol Suite
xy mod N = 718 mod 23 36 Figure 28.20 Man-in-the-middle attack TCP/IP Protocol Suite 37 Figure 28.21 First approach using KDC TCP/IP Protocol Suite 38 Figure 28.22 Needham-Schroeder protocol TCP/IP Protocol Suite 39 Figure 28.23 Otway-Rees protocol TCP/IP Protocol Suite 40 Note: In public-key cryptography, everyone has access to everyone’s public key. TCP/IP Protocol Suite 41 Table 28.1 X.509 fields TCP/IP Protocol Suite 42 Figure 28.24 PKI hierarchy TCP/IP Protocol Suite 43 Figure 28.25 Kerberos servers TCP/IP Protocol Suite 44 Figure 28.26 Kerberos example TCP/IP Protocol Suite 45 28.6 SECURITY IN THE INTERNET
In this section we discuss a security method for each of the top 3 layers In of the Internet model. At the IP level we discuss a protocol called IPSec; at the transport layer we discuss a protocol that “glues” a new layer to the transport layer; at the application layer we discuss a security method called PGP. called The topics discussed in this section include: IP Level Security: IPSec IP Transport Layer Security Application Layer Security: PGP TCP/IP Protocol Suite 46 Figure 28.27 Transport mode TCP/IP Protocol Suite 47 Figure 28.28 Tunnel mode TCP/IP Protocol Suite 48 Figure 28.29 AH TCP/IP Protocol Suite 49 Note: The AH protocol provides message authentication and integrity, but not privacy. TCP/IP Protocol Suite 50 Figure 28.30 ESP TCP/IP Protocol Suite 51 Note: ESP provides message authentication, integrity, and privacy. TCP/IP Protocol Suite 52 Figure 28.31 Position of TLS TCP/IP Protocol Suite 53 Figure 28.32 TLS layers TCP/IP Protocol Suite 54 Figure 28.33 Handshake protocol TCP/IP Protocol Suite 55 Figure 28.34 Record Protocol TCP/IP Protocol Suite 56 Figure 28.35 PGP at the sender site TCP/IP Protocol Suite 57 Figure 28.36 PGP at the receiver site TCP/IP Protocol Suite 58 28.7 FIREWALLS
A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others. designed The topics discussed in this section include: Packet-Filter Firewall Packet-Filter Proxy Firewall TCP/IP Protocol Suite 59 Figure 28.37 Firewall TCP/IP Protocol Suite 60 Figure 28.38 Packet-filter firewall TCP/IP Protocol Suite 61 Note: A packet-filter firewall filters at the network or transport layer. TCP/IP Protocol Suite 62 Figure 28.39 Proxy firewall TCP/IP Protocol Suite 63 Note: A proxy firewall filters at the application layer. TCP/IP Protocol Suite 64 ...
View Full Document
- Winter '10