Network Security Applications

Hatem Mahmoud
hatem@expressionlab.com
Agenda
▪ Introduction
▪ An Authentication Application
▪ A Web Security Standard
▪ Summary
▪ References


               Network Security Applications        2
Introduction
Network security applications:
▪ Authentication Applications (Kerberos)
▪ Web Security Standards (SSL/TLS)
▪ Email Security
▪ IP Security
Kerberos
An Authentication Application
Kerberos
Overview
▪ Kerberos is a trusted third-party
  authentication protocol for TCP/IP
  networks, developed at MIT
▪ A Kerberos service on the network (the
  Key Distribution Center, KDC) acts as a
  trusted arbitrator: it holds every
  principal's secret key
▪ Kerberos lets a client prove its identity
  to other entities (servers, or other
  clients) on the network and obtain a
  session key shared with each of them
Kerberos
              The Kerberos Model
▪ Kerberos keeps a database of clients and
  their secret keys
▪ Services requiring authentication, as
  well as their clients, register their secret
  keys with Kerberos
Kerberos
The Kerberos Model
▪ Kerberos creates a shared session key
  and gives it to client and server (or two
  clients) to encrypt messages
▪ Kerberos originally used DES for
  encryption; Version 5 negotiates the
  encryption type, and current deployments
  use AES (single DES is deprecated and
  should be disabled on the KDC)
▪ Kerberos Version 4 used a weak
  nonstandard DES mode (PCBC) for
  authentication
▪ Kerberos Version 5 uses standard CBC
  mode
Kerberos
How Kerberos Works
1. A client requests a ticket for the TGS (Ticket-
Granting Service) from Kerberos (the Authentication
Service, AS)
2. Kerberos sends the ticket-granting ticket (TGT)
and a client/TGS session key to the client; the
reply is encrypted in the client's secret key
(derived from the user's password), and the TGT
inside it is encrypted in the TGS's own key
3. To use a particular service, the client sends the
TGT plus an authenticator to the TGS and requests a
ticket for that service
4. The TGS issues and sends a service ticket to the
client, encrypted with the server's secret key,
together with a new client/server session key
Kerberos
How Kerberos Works
- The server uses the ticket to ensure that it is
talking to the same client to whom the ticket was
issued: only the server can decrypt the ticket, and
it carries the client's name and the session key
- The client can use the ticket multiple times to
access the server until the ticket expires
5. The client presents the ticket to the server with
an authenticator (the authenticator contains the
client's name and a timestamp, encrypted with the
shared session key)
Kerberos
How Kerberos Works
- Unlike a ticket, an authenticator can only be
used once; the server should keep a replay cache
of the authenticators it has recently accepted
- The client can generate authenticators as
needed using the shared session key
6. If the client's credentials (ticket + authenticator)
are correct, the server provides access to the
service (for mutual authentication it returns the
client's timestamp, in Version 4 timestamp + 1,
encrypted with the session key)
Kerberos
How Kerberos Works
[figure: message flow; 1 Client -> Kerberos (AS), 2 Kerberos -> Client, 3 Client -> TGS, 4 TGS -> Client, 5 Client -> Server]
Kerberos
Security of Kerberos
▪ It may be possible to cache and replay old
  authenticators. Timestamps are supposed to
  prevent this, but a replay inside the accepted
  clock-skew window (the whole ticket lifetime
  in Version 4) succeeds unless the server keeps
  a replay cache of the authenticators it has seen
▪ Authenticators assume all clocks in the
  network are synchronized. If a host is fooled
  about the correct time, an old authenticator
  can be replayed
Kerberos
Security of Kerberos
▪ Password-guessing attacks: an intruder can
  collect AS replies (or pre-authentication data),
  which are encrypted under a key derived from
  the user's password, and try candidate
  passwords against them offline. The average
  user doesn't usually choose good passwords
▪ Malicious software: Kerberos relies on its
  software being trustworthy. It is possible to
  replace the client Kerberos software with a
  version that records passwords
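The six-step exchange above and the replay, clock-skew and password-guessing caveats, run end to end as an added example (written for this page, not part of the original deck). The KDC plays both the AS and the TGS, `verify_ap` is the check a server (or the TGS) performs on a ticket plus authenticator with a replay cache and a skew limit, and `guess_password` is the offline attack on a captured AS reply. The cipher is a SHAKE-128 keystream with an HMAC tag standing in for the real Kerberos encryption types, and the realm, principal names, password and word list are invented; all of those are assumptions, not anything the slides specify.

```python
"""Toy Kerberos exchange (AS, TGS, application server) with the replay,
clock-skew and password-guessing checks from the slides. Illustrative only: the
cipher is a SHAKE-128 keystream plus HMAC tag standing in for real Kerberos
encryption types (assumption); realm, names, password and word list are invented."""
import hashlib, hmac, json, os, time

SKEW = 300          # largest accepted clock skew for an authenticator, seconds
TICKET_LIFE = 3600  # ticket lifetime, seconds

def kdf(password, salt):
    """Password to principal key (stand-in for string-to-key); salt = realm + name."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)

def encrypt(key, obj):
    """Encrypt-then-MAC a JSON object under a fresh per-message nonce."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_128(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key, blob):
    """Check the tag first; a wrong key or a tampered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad MAC")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_128(key + nonce).digest(len(ct)))))

def make_authenticator(session_key_hex, client, now):
    """Client side: name + timestamp under the session key; valid for one use only."""
    return encrypt(bytes.fromhex(session_key_hex), {"client": client, "ts": now}).hex()

def verify_ap(key, ticket_hex, auth_hex, now, seen):
    """Steps 5-6 on the server (and the TGS's check in step 3); `seen` is the replay cache."""
    t = decrypt(key, bytes.fromhex(ticket_hex))             # only the ticket's owner holds `key`
    if now > t["expires"]:
        raise PermissionError("ticket expired")
    a = decrypt(bytes.fromhex(t["key"]), bytes.fromhex(auth_hex))   # session key comes from the ticket
    if a["client"] != t["client"]:
        raise PermissionError("authenticator does not match ticket")
    if abs(now - a["ts"]) > SKEW:
        raise PermissionError("clock skew too large")
    if (a["client"], a["ts"]) in seen:                       # cache entries must outlive SKEW
        raise PermissionError("replayed authenticator")
    seen.add((a["client"], a["ts"]))
    return t

class KDC:
    """Principal database plus the AS (steps 1-2) and TGS (steps 3-4) roles."""
    def __init__(self, realm="EXAMPLE.REALM"):
        self.realm = realm
        self.keys = {"krbtgt": os.urandom(32), "fileserver": os.urandom(32)}
        self.tgs_seen = set()
    def add_user(self, name, password):
        self.keys[name] = kdf(password, self.realm + name)
    def as_exchange(self, client, now):
        """Reply = {session key, TGT}: TGT under the TGS key, whole reply under the client's key."""
        sk = os.urandom(32)
        tgt = encrypt(self.keys["krbtgt"], {"client": client, "key": sk.hex(), "expires": now + TICKET_LIFE})
        return encrypt(self.keys[client], {"session_key": sk.hex(), "tgt": tgt.hex()})
    def tgs_exchange(self, tgt_hex, auth_hex, service, now):
        """Check TGT + authenticator, then issue a service ticket under the service's key."""
        t = verify_ap(self.keys["krbtgt"], tgt_hex, auth_hex, now, self.tgs_seen)
        sk = os.urandom(32)
        ticket = encrypt(self.keys[service], {"client": t["client"], "key": sk.hex(), "expires": now + TICKET_LIFE})
        return encrypt(bytes.fromhex(t["key"]), {"session_key": sk.hex(), "ticket": ticket.hex()})

def guess_password(as_rep, user, realm, candidates):
    """Offline attack: a captured AS reply decrypts only under the right password-derived key."""
    for pw in candidates:
        try:
            decrypt(kdf(pw, realm + user), as_rep)
            return pw
        except ValueError:
            continue
    return None

def run_demo():
    kdc = KDC(); kdc.add_user("alice", "correct horse")
    now, server_seen = time.time(), set()
    as_rep = kdc.as_exchange("alice", now)                                   # steps 1-2
    rep = decrypt(kdf("correct horse", kdc.realm + "alice"), as_rep)
    tgs_rep = kdc.tgs_exchange(rep["tgt"], make_authenticator(rep["session_key"], "alice", now),
                               "fileserver", now)                             # steps 3-4
    svc = decrypt(bytes.fromhex(rep["session_key"]), tgs_rep)
    auth = make_authenticator(svc["session_key"], "alice", now + 1)           # steps 5-6
    login = verify_ap(kdc.keys["fileserver"], svc["ticket"], auth, now + 1, server_seen)
    def rejected(auth_hex, at):
        try:
            verify_ap(kdc.keys["fileserver"], svc["ticket"], auth_hex, at, server_seen)
            return False
        except PermissionError:
            return True
    return {
        "login": login["client"] == "alice",
        "ticket_reuse_ok": not rejected(make_authenticator(svc["session_key"], "alice", now + 2), now + 2),
        "replay_rejected": rejected(auth, now + 10),            # captured authenticator resent inside SKEW
        "stale_rejected": rejected(make_authenticator(svc["session_key"], "alice", now - 2 * SKEW), now),
        "guessed": guess_password(as_rep, "alice", kdc.realm, ["password", "123456", "correct horse"]),
    }
```

`run_demo()` returns a dict: the login succeeds, the same ticket works again with a fresh authenticator, the captured authenticator is refused on replay, an authenticator with a stale timestamp is refused by the skew check, and the weak password is recovered from the AS reply without ever contacting the KDC. Remove the replay cache (`seen`) and the replay inside the skew window goes through, which is exactly the weakness the slides describe; V5 pre-authentication only changes which captured blob the guessing attack runs against.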
Kerberos
Security of Kerberos
▪ Later enhancements to Kerberos include
  public-key cryptography for the initial
  authentication (PKINIT, RFC 4556) and a
  smart-card interface for key management
SSL/TLS
A Web Security Standard
SSL/TLS
Overview
Web security threats:
▪ Location
   ●   Server or client (System Security)
   ●   Network traffic (Web Security)
▪ Type
   ●   Passive attacks
   ●   Active attacks
SSL/TLS
Overview
▪ Passive attacks include eavesdropping on
  network traffic between browser and
  server and reading restricted information
  on a website
▪ Active attacks include impersonating
  another user, altering messages in transit,
  and altering information on a website
SSL/TLS
Overview
▪ Netscape originated the SSL (Secure
  Sockets Layer) protocol to provide a
  reliable secure service on top of TCP
▪ TLS (Transport Layer Security) is the
  Internet standard (IETF) version of SSL
▪ TLS 1.0 is very similar to SSLv3; later
  versions diverge, and SSLv3 itself is
  deprecated (RFC 7568) and must not be
  negotiated
SSL/TLS
Connections and Sessions
▪ A connection is a transport (in the OSI
  sense) that provides a suitable type of
  service; connections are transient
▪ A session is an association between a
  client and a server, created by the
  Handshake Protocol
▪ A session defines a set of security
  parameters which can be shared among
  multiple connections, avoiding a full
  handshake for each one
SSL/TLS
     Connections and Sessions
▪ A number of states are associated with
  each session
▪ During the handshake, pending read
  and write states are created
▪ Upon successful conclusion of the
  handshake, the pending states become
  the current states
SSL/TLS
SSL Architecture
▪ Layer 1 (provides basic security services
  to higher-layer protocols such as HTTP):
   ●   Record Protocol
▪ Layer 2 (manages SSL exchanges; these
  three protocols are themselves carried as
  Record Protocol payloads):
   ●   Handshake Protocol
   ●   Change Cipher Spec Protocol
   ●   Alert Protocol
[figure: SSL Architecture, protocol stack]
SSL/TLS
                1. Record Protocol
Provides:
▪ Confidentiality: a shared secret key is
  used for encryption
▪ Message Integrity: a shared secret key is
  used to form a MAC (message
  authentication code)
SSL/TLS
1. Record Protocol
1) Fragments data into blocks (at most 2^14 bytes)
2) Compresses the data (optional; disabled in
   practice, because compressing secrets next to
   attacker-controlled data leaks them, and
   removed in TLS 1.3)
3) Applies a MAC, computed over a sequence
   number and the record header as well as the
   data, so replayed or reordered records fail
4) Encrypts using a symmetric cipher such as
   AES (RC4 was once common but is now
   prohibited, RFC 7465); this MAC-then-encrypt
   order enabled several padding-oracle attacks,
   and TLS 1.3 uses AEAD ciphers instead
5) Adds a header (content type, SSL version,
   length)
6) Transmits in a TCP segment
SSL/TLS
1. Record Protocol
Received data are:
1) Decrypted
2) Verified (MAC checked; a failure is a fatal
   bad_record_mac alert)
3) Decompressed
4) Reassembled
5) Delivered to higher levels
[figure: Record Protocol operation]
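The send and receive pipelines above as an added example (written for this page, not part of the original deck): a toy record layer that fragments, MACs, encrypts and frames application data, and on the receive side decrypts, verifies and reassembles it. The MAC input is the real SSLv3/TLS 1.0-1.2 layout (sequence number, content type, version, length, then the fragment), which is what makes a replayed, reordered or tampered record fail with `bad_record_mac`. The cipher is a SHAKE-128 keystream standing in for a real cipher, and the keys are invented; both are assumptions.

```python
"""Toy SSL/TLS record layer, send and receive side, in the order the slides give:
fragment, (compress: skipped), MAC, encrypt, add header. Added example, not from
the slides. The MAC input is the one SSLv3/TLS 1.0-1.2 use, seq_num || type ||
version || length || fragment, which is why a replayed, reordered or tampered
record fails with bad_record_mac. The cipher is a SHAKE-128 keystream standing
in for a real block/stream cipher (assumption); the keys are invented."""
import hashlib, hmac, struct

MAX_FRAGMENT = 2 ** 14           # record payload limit (16 KiB)
APPLICATION_DATA, TLS12 = 23, 0x0303

class RecordLayer:
    """One direction of a connection: its write (or read) state after ChangeCipherSpec."""
    def __init__(self, mac_key, enc_key):
        self.mac_key, self.enc_key, self.seq = mac_key, enc_key, 0

    def _mac(self, ctype, fragment):
        hdr = struct.pack("!QBHH", self.seq, ctype, TLS12, len(fragment))   # seq + header in the MAC
        return hmac.new(self.mac_key, hdr + fragment, "sha256").digest()

    def _xor(self, data):
        ks = hashlib.shake_128(self.enc_key + struct.pack("!Q", self.seq)).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, ks))

    def send(self, data, ctype=APPLICATION_DATA):
        """Fragment, MAC, encrypt, prepend the 5-byte header; returns the wire records."""
        records = []
        for i in range(0, len(data), MAX_FRAGMENT):
            frag = data[i:i + MAX_FRAGMENT]
            body = self._xor(frag + self._mac(ctype, frag))       # MAC-then-encrypt
            records.append(struct.pack("!BHH", ctype, TLS12, len(body)) + body)
            self.seq += 1
        return records

    def receive(self, record):
        """Decrypt, verify, return (type, fragment); raises ValueError with the alert name."""
        ctype, ver, length = struct.unpack("!BHH", record[:5])
        body = record[5:5 + length]
        if ver != TLS12 or len(body) != length:
            raise ValueError("decode_error")
        plain = self._xor(body)
        frag, tag = plain[:-32], plain[-32:]
        if not hmac.compare_digest(tag, self._mac(ctype, frag)):
            raise ValueError("bad_record_mac")
        self.seq += 1
        return ctype, frag

def reassemble(reader, records):
    """Receive side step 4: concatenate the verified fragments."""
    return b"".join(reader.receive(r)[1] for r in records)

def outcome(reader, record):
    """What a receiver does with one record: the fragment, or the alert it would send."""
    try:
        return reader.receive(record)[1]
    except ValueError as e:
        return str(e)

def run_demo():
    keys = (b"mac-key-example", b"enc-key-example")   # invented; real keys come from the handshake
    writer, reader = RecordLayer(*keys), RecordLayer(*keys)
    msg = b"GET / HTTP/1.1\r\n" + b"x" * 40000          # larger than two fragments
    records = writer.send(msg)
    results = {"records": len(records), "roundtrip": reassemble(reader, records) == msg}
    results["replay"] = outcome(reader, records[0])                # old record on a live connection
    results["reorder"] = outcome(RecordLayer(*keys), records[1])   # second record delivered first
    tampered = bytearray(records[0]); tampered[10] ^= 1            # one ciphertext bit flipped
    results["tamper"] = outcome(RecordLayer(*keys), bytes(tampered))
    return results
```

`run_demo()` splits a 40 KB message into three records that round-trip intact, then shows that replaying a record, delivering records out of order and flipping a ciphertext bit all end in `bad_record_mac`: the implicit sequence number in the MAC is what gives the record layer its replay and ordering protection, since the number itself is never sent on the wire.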
SSL/TLS
2. Handshake Protocol
▪ Used before any application data is
  transmitted
▪ Allows the server and client to
  authenticate each other and to negotiate
  the cipher suite and keys through a
  series of messages. Each message has:
   ●   Type: one of 10 message types
       (hello_request, client_hello,
       server_hello, certificate, ...,
       finished)
   ●   Length: length of the message body
       in bytes (a 3-byte field)
   ●   Content: session id, version, random
       nonce, cipher suites, hashes, etc.
[figure: Handshake Protocol message exchange, two slides]
SSL/TLS
3. Change Cipher Spec
▪ Consists of a single message which
  consists of a single byte with the value 1
▪ Copies the pending state into the current
  state, which updates the cipher suite to
  be used on this connection; everything
  sent after it (starting with the Finished
  message) is protected under the new keys
▪ TLS 1.3 drops this protocol; a peer may
  still send it as a compatibility dummy,
  which receivers ignore
SSL/TLS
4. Alert Protocol
▪ Conveys SSL-related alert messages
▪ Each message consists of two bytes:
   ●   Level (severity)
       – Warning (1): close_notify,
         certificate_expired, etc.
       – Fatal (2), terminates the connection:
         handshake_failure, bad_record_mac, etc.
   ●   Description (the alert code), e.g.
       bad_record_mac = 20,
       handshake_failure = 40
▪ Alerts travel through the Record
  Protocol, so once the connection is in its
  secure state they are encrypted and
  MAC-protected like any other record
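The layering on the SSL Architecture slide and the three wire formats just described (the handshake message header, the one-byte ChangeCipherSpec, the two-byte alert) as an added example (written for this page, not part of the original deck): a passive decoder of the kind a network sensor or forensic tool runs over a captured TCP stream. It splits the stream into records, descends into each sub-protocol, parses a ClientHello far enough to list the offered cipher suites, and flags RC4 offers. Field layouts and code points are those of RFC 5246; the sample bytes are constructed by hand, and the list of "weak" suites is a deliberately small assumption for the demonstration.

```python
"""Decoder for raw SSL/TLS records and the three protocols the slides put on
top of the record layer (Handshake, ChangeCipherSpec, Alert). Added example,
not from the slides: the kind of passive decoder a network sensor runs over a
captured stream. Field layouts and code points follow RFC 5246; the sample
bytes are constructed by hand."""
import struct

CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSION = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}
HANDSHAKE = {0: "hello_request", 1: "client_hello", 2: "server_hello", 11: "certificate",
             12: "server_key_exchange", 13: "certificate_request", 14: "server_hello_done",
             15: "certificate_verify", 16: "client_key_exchange", 20: "finished"}
ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
              40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
              48: "unknown_ca", 70: "protocol_version"}
SUITES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
          0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0x1301: "TLS_AES_128_GCM_SHA256"}
WEAK = {0x0005}   # RC4 suites are prohibited (RFC 7465); a real sensor would list many more

def parse_records(stream):
    """Split a byte stream into (content_type, version, payload); 5-byte record header."""
    out, pos = [], 0
    while pos + 5 <= len(stream):
        ctype, ver, length = struct.unpack("!BHH", stream[pos:pos + 5])
        payload = stream[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record")
        out.append((ctype, ver, payload))
        pos += 5 + length
    return out

def parse_client_hello(body):
    """ClientHello: version(2) random(32) session_id<1> cipher_suites<2> compression<1> ..."""
    ver = struct.unpack("!H", body[:2])[0]
    pos = 34                                   # skip the 32-byte client random
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp = list(body[pos + 1:pos + 1 + body[pos]])
    return {"version": VERSION.get(ver, hex(ver)), "cipher_suites": suites,
            "compression": comp, "weak_suites": [s for s in suites if s in WEAK]}

def decode(stream):
    """Decode every record into a dict, descending into the layer-2 protocol it carries."""
    events = []
    for ctype, ver, payload in parse_records(stream):
        ev = {"record": CONTENT.get(ctype, ctype), "version": VERSION.get(ver, hex(ver))}
        if ctype == 22:                        # handshake: msg_type(1) + length(3) + body
            pos, msgs = 0, []
            while pos + 4 <= len(payload):
                mtype = payload[pos]
                mlen = int.from_bytes(payload[pos + 1:pos + 4], "big")
                body = payload[pos + 4:pos + 4 + mlen]
                m = {"type": HANDSHAKE.get(mtype, mtype)}
                if mtype == 1:
                    m.update(parse_client_hello(body))
                msgs.append(m); pos += 4 + mlen
            ev["messages"] = msgs
        elif ctype == 20:                      # change_cipher_spec: exactly one byte, value 1
            ev["valid"] = payload == b"\x01"
        elif ctype == 21:                      # alert: level(1) + description(1)
            ev["level"] = ALERT_LEVEL.get(payload[0], payload[0])
            ev["description"] = ALERT_DESC.get(payload[1], payload[1])
        events.append(ev)
    return events

def client_hello(suites, version=0x0303):
    """Build a minimal ClientHello record (constructed sample, no extensions)."""
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00"          # version, random, empty sid
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                                  # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, version, len(hs)) + hs

# Constructed sample stream: ClientHello offering an AES-GCM suite and RC4,
# then a ChangeCipherSpec, then a fatal handshake_failure alert.
SAMPLE = (client_hello([0xC02F, 0x0005])
          + struct.pack("!BHH", 20, 0x0303, 1) + b"\x01"
          + struct.pack("!BHH", 21, 0x0303, 2) + bytes([2, 40]))

if __name__ == "__main__":
    for ev in decode(SAMPLE):
        print(ev)
```

Running it prints three events: a TLS 1.2 handshake record whose ClientHello lists `[0xC02F, 0x0005]` with `0x0005` flagged as weak, a valid ChangeCipherSpec, and a `fatal` / `handshake_failure` alert. The same decoder, fed the first record of a real capture, tells you which protocol version and suites a client still offers, which is the check to run before disabling SSLv3 or RC4 on a server.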
[figure: SSL Protocols, overview of the four protocols]
SSL/TLS
TLS vs SSLv3
Differences include:
▪ Version number: TLS 1.0 carries 3.1 in the
  record header, SSLv3 carries 3.0
▪ MAC algorithm: TLS uses the standard
  HMAC; SSLv3 used an earlier, nonstandard
  keyed-hash construction
▪ Pseudorandom function (the TLS PRF) for
  key generation and for the Finished
  message verification
▪ Alert codes: TLS adds several (e.g.
  decode_error, protocol_version,
  unknown_ca)
Summary
▪ Kerberos is a trusted third-party
  authentication protocol that enables
  clients and servers to establish
  authenticated communication
▪ SSL provides security services between
  TCP and applications that use TCP
▪ TLS is the Internet standard version
Summary
▪ SSL/TLS provides confidentiality using
  symmetric encryption and message
  integrity using a MAC
▪ SSL/TLS enables two TCP users to
  determine the security mechanisms and
  services they will use
References
▪ Cryptography and Network Security
  Principles and Practices, 4th Edition,
  William Stallings
▪ Applied Cryptography, 2nd Edition,
  Bruce Schneier
Thank You!

Hatem Mahmoud
hatem@expressionlab.com