Network Security Primer

A Security Primer Venkatesh Iyer Created: 30/11/2005

Security Topics Algorithms Encryption Digital Signatures Certificates Algorithms Encryption Key Mgmt PGP S/MIME SSL TLS IPSec Cryptography Symmetric Key Public Key

Need for message security ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Cryptography ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Symmetric Key Cryptography Encrypt Network Decrypt Shared secret key ,[object Object],[object Object],[object Object],Alice Bob 1 2

Symmetric Key (contd.) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Public Key Cryptography Encrypt Network Decrypt Bob’s public key Alice Bob Bob’s private key To the public 1 2 ,[object Object],[object Object],[object Object]

Public Key (contd.) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Digital Signatures ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Digital Signatures (contd.) Alice Hash Function Digest Encrypt Alice’s private key + Signed Digest Message plus Signed Digest To Bob 1 2 3 Sender site

Digital Signatures (contd.) Receiver site Bob From Alice Decrypt Hash Function Digest Alice’s public key Digest X Compare 4 5 6

Key Management ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Key Management (contd.) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Certificates ,[object Object],[object Object],[object Object],The subject public key and the algorithms that use it Public Key The entity whose public key is being certified Subject Name Start and end period that certificate is valid Validity Period The name of the CA defined by X.509 Issuer The certificate signature Signature The unique identifier used by the CA Serial Number Version number of X.509 Version Explanation Field

Chain of Trust ,[object Object],[object Object],[object Object],Root CA Level-1 CA 1 Level-2 CA 3 Level-2 CA 4 Level-2 CA 5 Level-2 CA 6 Level-2 CA 2 Level-2 CA 1 Level-1 CA 2

IPSec – IP Security ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],IP Header IPSec Header Rest of the Packet New IP Header IP Header IPSec Header Rest of the Packet Transport Mode Tunnel Mode OR

Secure Sockets Layer (SSL) ,[object Object],[object Object],[object Object],[object Object],[object Object]

Transport Layer Security (TLS) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Hello Certificate Secret key End Handshaking Encrypted Ack Client Server

Transport Layer Security (TLS) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Hello Certificate Secret key End Handshaking Encrypted Ack Client Server Browser sends a hello message that includes TLS version and other preferences

Transport Layer Security (TLS) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Hello Certificate Secret key End Handshaking Encrypted Ack Client Server Server sends a certificate that has its public key

Transport Layer Security (TLS) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Hello Certificate Secret key End Handshaking Encrypted Ack Client Server Browser verifies the certificate. It generates a session key , encrypts with server’s public key and sends it to the server

Transport Layer Security (TLS) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Hello Certificate Secret key End Handshaking Encrypted Ack Client Server Browser sends handshake terminating message, encrypted by the secret key

Transport Layer Security (TLS) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Hello Certificate Secret key End Handshaking Encrypted Ack Client Server Server decrypts secret key with its private key. Uses secret key to decode message ad sends encrypted ack

Pretty Good Privacy (PGP) Alice Hash Function Digest Encrypt Alice’s private key + Signed Digest Message plus Signed Digest Encrypted (secret key & message + digest) to Bob 1 2 3 Encrypt Bob’s public key Encrypt One-time secret key + 4 5 6 Sender site

Pretty Good Privacy (PGP) Alice Hash Function Digest Encrypt Alice’s private key + Signed Digest Message plus Signed Digest Encrypted (secret key & message + digest) to Bob 1 2 3 Encrypt Bob’s public key Encrypt One-time secret key + 4 5 6 Sender site Email message is hashed to create digest

Pretty Good Privacy (PGP) Alice Hash Function Digest Encrypt Alice’s private key + Signed Digest Message plus Signed Digest Encrypted (secret key & message + digest) to Bob 1 2 3 Encrypt Bob’s public key Encrypt One-time secret key + 4 5 6 Sender site Digest is encrypted using Alice’s private key

Pretty Good Privacy (PGP) Alice Hash Function Digest Encrypt Alice’s private key + Signed Digest Message plus Signed Digest Encrypted (secret key & message + digest) to Bob 1 2 3 Encrypt Bob’s public key Encrypt One-time secret key + 4 5 6 Sender site Signed digest added to the message

Pretty Good Privacy (PGP) Alice Hash Function Digest Encrypt Alice’s private key + Signed Digest Message plus Signed Digest Encrypted (secret key & message + digest) to Bob 1 2 3 Encrypt Bob’s public key Encrypt One-time secret key + 4 5 6 Sender site The message and digest are encrypted using one time secret key created by Alice

Pretty Good Privacy (PGP) Alice Hash Function Digest Encrypt Alice’s private key + Signed Digest Message plus Signed Digest Encrypted (secret key & message + digest) to Bob 1 2 3 Encrypt Bob’s public key Encrypt One-time secret key + 4 5 6 Sender site The secret key is encrypted using Bob’s public key

Pretty Good Privacy (PGP) Alice Hash Function Digest Encrypt Alice’s private key + Signed Digest Message plus Signed Digest Encrypted (secret key & message + digest) to Bob 1 2 3 Encrypt Bob’s public key Encrypt One-time secret key + 4 5 6 Sender site The encrypted message, digest and secret key is sent to Bob

PGP (contd.) Receiver site Bob Decrypt Hash Function Digest Alice’s public key Digest X Compare 9 10 11 Encrypted (secret key & message + digest) Bob’s private key Decrypt Decrypt Encrypted (message + digest) One-time secret key 7 8

PGP (contd.) Receiver site Bob Decrypt Hash Function Digest Alice’s public key Digest X Compare 9 10 11 Encrypted (secret key & message + digest) Bob’s private key Decrypt Decrypt Encrypted (message + digest) One-time secret key 7 8 Bob decrypts the secret key with his private key

PGP (contd.) Receiver site Bob Decrypt Hash Function Digest Alice’s public key Digest X Compare 9 10 11 Encrypted (secret key & message + digest) Bob’s private key Decrypt Decrypt Encrypted (message + digest) One-time secret key 7 8 Bob decrypts the encrypted message and digest using the decrypted secret key

PGP (contd.) Receiver site Bob Decrypt Hash Function Digest Alice’s public key Digest X Compare 9 10 11 Encrypted (secret key & message + digest) Bob’s private key Decrypt Decrypt Encrypted (message + digest) One-time secret key 7 8 Bob decrypts the encrypted digest with Alice’s public key

PGP (contd.) Receiver site Bob Decrypt Hash Function Digest Alice’s public key Digest X Compare 9 10 11 Encrypted (secret key & message + digest) Bob’s private key Decrypt Decrypt Encrypted (message + digest) One-time secret key 7 8 Bob hashes the received message to create a digest (for message integrity)

PGP (contd.) Receiver site Bob Decrypt Hash Function Digest Alice’s public key Digest X Compare 9 10 11 Encrypted (secret key & message + digest) Bob’s private key Decrypt Decrypt Encrypted (message + digest) One-time secret key 7 8 The two digests are compared, thus providing authentication and integrity

Sample PGP Signature From: alice@wonderland.com Date: Mon, 16 Nov 1998 19:03:30 -0600 Subject: Message signed with PGP MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: "cc:Mail Note Part" -----BEGIN PGP SIGNED MESSAGE----- Bob, This is a message signed with PGP, so you can see how much overhead PGP signatues introduce. Compare this with a similar message signed with S/MIME. Alice -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQCVAwUBM+oTwFcsAarXHFeRAQEsJgP/X3noON57U/6XVygOFjSY5lTpvAduPZ8M aIFalUkCNuLLGxmtsbwRiDWLtCeWG3k+7zXDfx4YxuUcofGJn0QaTlk8b3nxADL0 O/EIvC/k8zJ6aGaPLB7rTIizamGOt5n6/08rPwwVkRB03tmT8UNMAUCgoM02d6HX rKvnc2aBPFI= =mUaH -----END PGP SIGNATURE-----

S/MIME ,[object Object],[object Object],[object Object],[object Object],MIME Entity CMS Object S/MIME Certificates Algo identifiers CMS Processing MIME Wrapping

Sample SMIME Signature From: alice@wonderland.com Date: Mon, 16 Nov 1998 19:03:08 -0600 Subject: Message signed with S/MIME MIME-Version: 1.0 Content-Type: multipart/mixed ; boundary="simple boundary" --simple boundary Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Description: "cc:Mail Note Part" Bob, This is a message signed with S/MIME, so you can see how much overhead S/MIME signatures introduce. Compare this with a similar message signed with PGP. Alice --simple boundary Content-Type: application/octet-stream; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" MIIQQwYJKoZIhvcNAQcCoIIQNDCCEDACAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCCDnww ggnGMIIJL6ADAgECAhBQQRR9a+DX0FHXfQOVHQhPMA0GCSqGSIb3DQEBBAUAMGIxETAPBgNVBAcT CEludGVybmV0MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xh c3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjAeFw05NzAxMjcwMDAwMDBaFw05ODAxMjcy MzU5NTlaMIIBFzERMA8GA1UEBxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQw MgYDVQQLEytWZXJpU2lnbiBDbGFzcyAxIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyMUYwRAYD

Sample SMIME Signature UzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFByaW1h cnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTYwNjI3MDAwMDAwWhcNOTkwNjI3MjM1OTU5 WjBiMREwDwYDVQQHEwhJbnRlcm5ldDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNDAyBgNVBAsT K1ZlcmlTaWduIENsYXNzIDEgQ0EgLSBJbmRpdmlkdWFsIFN1YnNjcmliZXIwgZ8wDQYJKoZIhvcN AQEBBQADgY0AMIGJAoGBALYUps9N0AUN2Moj0G+qtCmSY44s+G+W1y6ddksRsTaNV8nD/RzGuv4e CLozypXqvuNbzQaot3kdRCrtc/KxUoNoEHBkkdc+a/n3XZ0UQ5tul0WYgUfRLcvdu3LXTD9xquJA 8lQ5vBbuz3zsuts/bCqzFrGGEp2ukzTVuNXQ9z6pAgMBAAGjMzAxMA8GA1UdEwQIMAYBAf8CAQEw CwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIBBjANBgkqhkiG9w0BAQIFAAOBgQDB+vcC51fK EXXGnAz6K3dPh0UXO+PSwdoPWDmOrpWZA6GooTj+eZqTFwuXhjnHymg0ZrvHiEX2yAwF7r6XJe/g 1G7kf512XM59uhSirguf+2dbSKVnJa8ZZIj2ctgpJ6o3EmqxKK8ngxhlbI3tQJ5NxHiohuzpLFC/ pvkN27CmSjCCAjEwggGaAgUCpAAAATANBgkqhkiG9w0BAQIFADBfMQswCQYDVQQGEwJVUzEXMBUG A1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFByaW1hcnkgQ2Vy dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTYwMTI5MDAwMDAwWhcNOTkxMjMxMjM1OTU5WjBfMQsw CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVi bGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwgZ8wDQYJKoZIhvcNAQEBBQADgY0A MIGJAoGBAOUZv22jVmEtmUhx9mfeuY3rt56GgAqRDvo4Ja9GiILlc6igmyRdDR/MZW4MsNBWhBiH mgabEKFz37RYOWtuwfYV1aioP6oSBo0xrH+wNNePNGeICc0UEeJORVZpH3gCgNrcR5EpuzbJY1zF 4Ncth3uhtzKwezC6Ki8xqu6jZ9rbAgMBAAEwDQYJKoZIhvcNAQECBQADgYEAUnO6mlXc3D+CfbCQ mGIqgkx2AG4lPdXCCXBXAQwPdx8YofscYA6gdTtJIUH+p1wtTEJJ0/8o2Izqnf7JB+J3glMj3lXz zkST+vpMvco281tmsp7I8gxeXtShtCEJM8o7WfySwjj8rdmWJOAt+qMp9TNoeE60vJ9pNeKomJRz O8QxggGPMIIBiwIBATB2MGIxETAPBgNVBAcTCEludGVybmV0MRcwFQYDVQQKEw5WZXJpU2lnbiwg SW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xhc3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJl cgIQUEEUfWvg19BR130DlR0ITzAJBgUrDgMCGgUAoIGxMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0B BwEwIwYJKoZIhvcNAQkEMRYEFE5W9YE9GtbjlD5A52LLaEi96zCKMBwGCSqGSIb3DQEJBTEPFw05 NzA4MDcxODQwMTBaMFIGCSqGSIb3DQEJDzFFMEMwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCA MAcGBSsOAwIHMA0GCCqGSIb3DQMCAgFAMA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABEDI 3mvHr3SAJkdoMqxZnSjJ+5gfZABJGQVOfyEfcKncY/RYFvWuHBAEBySImIQZjMgMNrQLL7QXJ/eI xIwDet+c --simple boundary--

References ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Network Security Primer

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (16)

Ähnlich wie Network Security Primer

Ähnlich wie Network Security Primer (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Network Security Primer