Security technologies

TransformingLives. InventingtheFuture. www.iit.edu
I ELLINOIS T UINS TI T
OF TECHNOLOGY
ITM 578 1
Security Technologies
Ray Trygstad
ITM 478/578
Spring 2004
Master of Information Technology & Management Program
CenterforProfessional Development
Slides based on Whitman, M. and Mattord, H., Principles of InformationSecurity; Thomson Course Technology 2003

ITM 578 2
ILLINOIS INSTITUTE OF TECHNOLOGY
Learning Objectives:
Upon completion of this lesson the student
should be able to:
– Define and identify the various types of firewalls.
– Discuss the approaches to firewall
implementation.
– Discuss the approaches to dial-up access and
protection.
– Identify and describe the two categories of
intrusion detection systems.
– Discuss the two strategies behind intrusion
detection systems.

ITM 578 3
Learning Objectives:
Upon completion of this lesson the student
should be able to:
– Discuss scanning, analysis tools, and content
filters.
– Understand trap and trace technologies.
– Discuss the process of encryption and define key
terms.
– Identify and discuss common approaches to
cryptography.
– Compare and contrast symmetric and asymmetric
encryption.
– Discuss various approaches to biometric access
control.

ITM 578 4
Introduction
 Information security: a discipline relying on
the synthesis of people, policy, education,
training, awareness, procedures, and
technology to improve protection of an
organization’s information assets
 Technical solutions can maintain
– Confidentiality, Integrity & Availability of
information
– In each of its three states
• Storage
• Transmission
• processing

ITM 578 5
Physical Design of the SecSDLC
The physical design phase of the
SecSDLC is made up of two parts:
– security technologies
– physical security
Physical design takes the logical
design, expressed by the information
security blueprint and the contingency
planning elements and extends the
design to the next level

ITM 578 6
Analyze
Physical Design:
Security Technologies
Chapter 8
Physical Design:
Physical Security
Chapter 9
Logical Design
Implement
Maintain
FIG URE 8-1 Physical Design within the SecSDLCPhysical Design within the SecSDLC

ITM 578 7
 The physical design phase encompasses the
selection of technologies and processes to
manage risk
 At the end of the physical design phase you
have:
– Selected technologies needed to support the information
security blueprint
– Defined what the successful solution for a secured
environment will encompass
– Designed physical security measures that support the
technical solutions
– Prepared to create project plans in the implementation
phase to follow

ITM 578 8
Firewalls
 A firewall is any device that prevents a
specific type of information from moving
between the untrusted network outside and
the trusted network inside
 There are five recognized generations of
firewalls
 The firewall may be:
– a separate computer system
– a service running on an existing router or server
– a separate network containing a number of
supporting devices

ITM 578 9
First Generation
 Called packet filtering firewalls
 Examines every incoming packet header and
selectively filters packets based on
– address, packet type, port request, and others
factors
 The restrictions most commonly
implemented are based on:
– IP source and destination address
– Direction (inbound or outbound)
– TCP or UDP source and destination port-requests

ITM 578 10
Packet Filtering Firewall
Packet filtering router
used as a first generation
firewall Trusted network
Untrusted
Network
FilteredFiltered
Data PacketsData Packets
UnrestrictedUnrestricted
BlockedBlocked
FIGURE 8-2 Packet Filtering Firewall

ITM 578 11
Second Generation
 Called application-level firewall or proxy server
 Often a dedicated computer separate from the
filtering router
 With this configuration the proxy server, rather
than the Web server, is exposed to the outside world
in the DMZ
 Additional filtering routers can be implemented
behind the proxy server
 The primary disadvantage of application-level
firewalls is that they are designed for a specific
protocol and cannot easily be reconfigured to protect
against attacks on protocols for which they are not
designed

ITM 578 12
Third Generation
 Called stateful inspection firewalls
 Keeps track of each network connection
established between internal and external
systems using a state table which tracks the
state and context of each packet in the
conversation by recording which station sent
what packet and when
 If the stateful firewall receives an incoming
packet that it cannot match in its state
table, then it defaults to its ACL to
determine whether to allow the packet to
pass

ITM 578 13
Third Generation
 The primary disadvantage is the additional
processing requirements of managing and
verifying packets against the state table
which can possibly expose the system to a
DoS attack
 These firewalls can track connectionless
packet traffic such as UDP and remote
procedure calls (RPC) traffic

ITM 578 14
Fourth Generation
 A dynamic packet filtering firewall allows only a
particular packet with a particular source,
destination, and port address to enter through the
firewall
 Does this by understanding how the protocol
functions, and opening and closing “doors” in the
firewall, based on the information contained in the
packet header
 In this manner, dynamic packet filters are an
intermediate form, between traditional static packet
filters and application proxies

ITM 578 15
Fifth Generation
The final form of firewall is the kernel
proxy, a specialized form that works
under the Windows NT Executive,
which is the kernel of Windows NT
It evaluates packets at multiple layers
of the protocol stack, by checking
security in the kernel as data is
passed up and down the stack

ITM 578 16
Packet-filtering Routers
Most organizations with an Internet
connection have some form of a router
as the interface at the perimeter
between the organization’s internal
networks and the external service
provider
Many of these routers can be
configured to filter packets that the
organization does not allow into the
network

ITM 578 17
Packet-filtering Routers
This is a simple but effective means
to lower the organization’s risk to
external attack
The drawback to this type of system
includes a lack of auditing and strong
authentication
The complexity of the access control
lists used to filter the packets can
grow and degrade network
performance

ITM 578 18
Screened-Host Firewall Systems
 Combine the packet-filtering router with a separate,
dedicated firewall such as an application proxy
server
 Allows the router to pre-screen packets to minimize
the network traffic and load on the internal proxy
 Application proxy examines an application layer
protocol, such as HTTP, and performs the proxy
services
 This separate host often referred to as a bastion-
host, as it represents a single, rich target for
external attacks, and should be very thoroughly
secured

ITM 578 19
Filtered
Data
Packets
Screened-Host Firewall
Trusted network
Untrusted
Network
Unrestricted
Data Packets
Blocked
Data Packets
FIGURE 8-3 Screened Host Firewall
Bastion-host
Application Level
Firewall
Proxy access

ITM 578 20
Dual-homed Host Firewalls
 The bastion-host contains two NICs (network
interface cards)
 One NIC connected to the external network,
and one connected to the internal network
 With two NICs all traffic must physically go
through the firewall to move between the
internal and external networks
 A technology known as network-address
translation (NAT) is commonly implemented
with this architecture to map from real,
valid, external IP addresses to ranges of
internal IP addresses that are non-routable

ITM 578 21
Dual-homed Host Firewall
Trusted network
Untrusted
Network
Unrestricted
Data Packets
Blocked External
Data Packets
FIGURE 8-4 Dual-homed Host Firewall
Dual-homed Host
used as a firewall providing
Network Address Translation
(NAT)
External
filtering router
Internal
filtering router
Public IP Addresses NAT assigned local addresses
Blocked Internal
Data Packets
Proxy Access

ITM 578 22
Screened-Subnet Firewalls (with DMZ)
Consists of two or more internal
bastion-hosts, behind a packet-filtering
router, with each host protecting the
trusted network
The first general model consists of two
filtering routers, with one or more
dual-homed bastion-host between
them

ITM 578 23
Screened-Subnet Firewalls (with DMZ)
 The second general model involves the
connection from the outside or untrusted
network going through this path:
– Through an external filtering router
– Into and then out of a routing firewall to the
separate network segment known as the DMZ
 Connections into the trusted internal
network are allowed only from the DMZ
bastion-host servers

ITM 578 24
Screened-Subnet Firewall
Trusted network
Untrusted
Network
Blocked
Data Packets
Proxy access
FIGURE 8-5 Screened Subnet (DMZ)
External
filtering router Internal
filtering router
Controlled access
Demilitarized zone
(DMZ)
ServersServers

ITM 578 25
SOCKS Servers
 The SOCKS system is a proprietary circuit-level
proxy server that places special SOCKS client-side
agents on each workstation
 Places the filtering requirements on the individual
workstation, rather than on a single point of defense
(and thus point of failure)
 This frees the entry router of filtering
responsibilities, but then requires each workstation
to be managed as a firewall detection and protection
device
 A SOCKS system can require additional support and
management resources to configure and manage
possibly hundreds of individual clients, versus a
single device or set of devices

ITM 578 26
Selecting the Right Firewall
 What type of firewall technology offers the
right balance of protection features and cost
for the needs of the organization?
 What features are included in the base price?
What features are available at extra cost?
Are all cost factors known?
 How easy is it to set up and configure the
firewall? How accessible are staff technicians
with the mastery to do it well?
 Can the candidate firewall adapt to the
growing network in the target organization?

ITM 578 27
Configuring and Managing Firewalls
 Each firewall device will have its own set of
configuration rules that regulate its actions
 Simple mistakes can turn the device into a
choke point
 When security rules conflict with the
performance of business, security loses since
organizations are much more willing to live
with a potential risk than a certain failure

ITM 578 28
Firewall Recommended Practices
 All traffic from the trusted network is allowed out
 The firewall device is always inaccessible directly
from the public network
 Allow Simple Mail Transport Protocol (SMTP) data
to pass through your firewall, but insure it is all
routed to a well-configured SMTP gateway to filter
and route messaging traffic securely
 All Internet Control Message Protocol (ICMP) data
should be denied
 Block telnet (terminal emulation) access to all
internal servers from the public networks
 When Web services are offered outside the firewall,
deny HTTP traffic from reaching your internal
networks by using some form of proxy access or
DMZ architecture

ITM 578 29
Dial-Up Protection
 While internal network connection via
private networks are now less popular due to
the high cost of installation, maintenance,
and protection, dial-up connections are still
quite common
 Unsecured, dial-up access represents a
substantial exposure to attack
– An attacker who suspects that an organization
has dial-up lines can use a device called a war-
dialer to locate the connection points
 For the most part, simple username and
password schemes are the only means of
authentication

ITM 578 30
Remote Authentication Dial-in User Service
 RADIUS system centralizes management of user
authentication by placing the responsibility for
authenticating each user in the central RADIUS
server
Radius serverRemote access server(RAS)
1. Remote worker dials RAS and submits username and password
2. RAS passes username and password to RADIUS server
3. RADIUS server approves or rejects request and provides access authorization
4. RAS provides access to authorized remote worker
(1) (2)
(3)(4)
Tele-worker
FIGURE 8-6 RADIUS Configuration

ITM 578 31
Terminal Access Controller Access Control System
TACACS contains a centralized
database, such as RADIUS, and
validates the user’s credentials at the
TACACS server
There are three versions of TACACS
– TACACS
– Extended TACACS
– TACACS+

ITM 578 32
Intrusion Detection Systems (IDSs)
 IDSs work like burglar alarms
 IDSs require complex configurations to
provide the level of detection and response
desired
 An IDS operates as either network-based,
when the technology is focused on protecting
network information assets, or host-based,
when the technology is focused on protecting
server or host information assets
 IDSs use one of two detection methods,
signature-based or statistical anomaly-based

ITM 578 33
Intrusion Detection System
External
Router
Host IDS: Examines the data in files
stored on host and alerts systems
administrators to any any changes
Network IDS: Examines packets
on network and alerts admin to
unusual patterns.
Header
0100101011Untrusted
Network
FIGURE 8-7 Intrusion Detection Systems

ITM 578 34
Host-based IDSs
 Resides on a particular computer or server
(known as the host) and monitors activity on
that system.
 Most work on principle of configuration or
change management, in which the systems
record the file sizes, locations, and other
attributes, and reports when one or more of
these attributes changes, when new files are
created, and when existing files are deleted.
 Can also monitor systems logs for pre-
defined events.

ITM 578 35
Host-based IDSs
 Maintains own log files so when hackers
successfully modify a systems log the IDS
provides independent verification of the
attack Once properly configured, host-IDSs
are very reliable.
 Managed host-based IDS can monitor
multiple computers simultaneously.
– Stores a client file on each monitored host
– Has that host report back to the master console
(usually located on the sysadmin’s computer)

ITM 578 36
Host-based IDS
Host-based
IDS
FIGURE 8-8

ITM 578 37
Network-based IDSs
 Works differently than its host-based
counterpart; monitors network traffic
 When a pre-defined condition occurs, it
responds and notifies the appropriate
administrator
 Must match known and unknown attack
strategies against knowledge base to
determine if an attack has occurred
 Result in more false positive readings than
do host-based IDSs
– System is attempting to read into the pattern of
activity on the network to determine what is
normal and what is not

ITM 578 38
Network-based IDS
Network-
based
IDS
FIGURE 8-8

ITM 578 39
Signature-based IDSs
 AKA knowledge-based IDS; examines data
traffic looking for something that matches
signatures, which are pre-configured,
predetermined attack patterns
 Problem: signatures must be continually
updated as new attack strategies are
identified
 Attackers who are slow and methodical may
slip undetected through the IDS, as actions
may not match the signature that includes
factors based on duration of the events

ITM 578 40
Statistical Anomaly-based IDSs
AKA behavior-based IDS
Collects data from normal traffic and
establishes a baseline
Once the baseline is established,
periodically samples network activity,
based on statistical methods, and
compares samples to baseline
If activity is outside baseline
parameters (known as a clipping level),
IDS notifies administrator

ITM 578 41
Statistical Anomaly-based IDSs
 Advantage: system able to detect new types of
attacks as it looks for abnormal activity of any
type
 Unfortunately require much more overhead
and processing capacity than signature-based
versions, as they must constantly attempt to
pattern matched activity to the baseline
 Also may not detect minor changes to systems
variables can generate many false positives

ITM 578 42
Scanning And Analysis Tools
 Used to collect information needed by an
attacker to succeed
 One of the preparatory parts of an attack is
collection of information about a potential
target, a process called footprinting
– Organized research of the Internet addresses
owned or controlled by a target organization
 Attacker uses public Internet data sources to
perform keyword searches to identify the
network addresses of the organization
 This research augmented with browsing
organization’s Web pages

ITM 578 43
Next phase of the pre-attack data
gathering process: fingerprinting
Systematic examination of all Internet
addresses of the organization (collected
during the footprinting)
Accomplished with tools discussed in
the next section, fingerprinting reveals
useful information for the anticipated
attack

ITM 578 44
Scanners, sniffers, and other analysis
tools are invaluable to security
administrators; enables them to see
what the attacker sees
Can find vulnerabilities in systems,
holes in security components, and
unsecured aspects of the network
– Unfortunately, they cannot detect the
unpredictable behavior of people.

ITM 578 45
Many of these tools have distinct
signatures & some Internet service
providers (ISPs) scan for these
signatures.
– If an ISP discovers someone using
“hacker tools” it can pull access privileges
– Best to establish working relationship
with the ISP & notify them of the purpose
and extent of the signatures.

ITM 578 46
Port Scanners
 Port scanners fingerprint networks to find
ports and services and other useful
information
 Why secure open ports?
– An open port can be used to send commands to a
computer, gain access to a server, and exert
control over a networking device
– The general rule of thumb is to remove from
service or secure any port not absolutely
necessary for the conduct of business

ITM 578 47
Well-known Port Numbers
Port numbers Description
20 and 21 File Transfer Protocol (FTP)
25 Simple Mail Transfer Protocol (SMTP)
53 Domain Name Services (DNS)
67 and 68 Dynamic Host Configuration Protocol (DHCP)
80 Hypertext Transfer Protocol (HTTP)
110 Post Office Protocol (POP3)
161 Simple Network Management Protocol (SNMP)
194 IRC Chat port (used for device sharing)
443 HTTP over SSL
8080 Used for proxy services
Table 8-2 Well-known Port Numbers

ITM 578 48
Source:http://support.gfi.com/manuals/en/lanscan2/analyzingthescanresults.htm
FIGURE 8-11
LANGuard
Network Scanner
LANguard Network Scanner

ITM 578 49
Vulnerability Scanners
Vulnerability scanners are capable of
scanning networks for very detailed
information
As a class, they identify exposed
usernames and groups, show open
network shares, expose configuration
problems, and other vulnerabilities
in servers

ITM 578 50
Source:http://www.insecure.org/nmap/images/nmapfe.gif
Nmap Vulnerability Scanner
FIGURE 8-12
Nmap Vulnerability Scanner

ITM 578 51
Packet Sniffers
 A network tool that collects copies of
packets from the network and analyzes
them
 Can be used to eavesdrop on the network
traffic
 To use a packet sniffer legally, you must be:
– on a network that the organization owns
– under direct authorization of the owners of the
network
– have knowledge and consent of the content
creators (users)

ITM 578 52
Source http://www.ethereal.com/docs/user-guide/x885.html
Ethereal Sample Screen
FIGURE 8-13
Ethereal
Sample Screen

ITM 578 53
Content Filters
Although technically not a firewall, a
content filter is a software filter that
allows administrators to restrict
accessible content from within a
network
The content filtering restricts Web
sites with inappropriate content

ITM 578 54
Trap and Trace
 Software designed to entice individuals
illegally perusing the internal areas of a
network
 Better known as honey pots, they distract
the attacker while notifying the
administrator
 Trace: attempt to determine the identity of
someone using unauthorized access
– Main purpose: capture system abusers internal to
the network

ITM 578 55
Cryptography and Encryption
Sophisticated approach to security
Many security-related tools use
embedded encryption technologies
Encryption is the process of converting
an original message into a form that is
unreadable by unauthorized
individuals
The science of encryption, known as
cryptology, encompasses cryptography
and cryptanalysis

ITM 578 56
Encryption Definitions
 Algorithm: the mathematical formula used to
convert an unencrypted message into an encrypted
message.
 Cipher: the transformation of the individual
components (characters, bytes, or bits) of an
unencrypted message into encrypted components.
 Ciphertext or cryptogram: the unintelligible
encrypted or encoded message resulting from an
encryption.
 Code: the transformation of the larger components
(words or phrases) of an unencrypted message into
encrypted components.

ITM 578 57
 Cryptosystem: the set of transformations necessary
to convert an unencrypted message into an
encrypted message.
 Decipher: to decrypt or convert ciphertext to
plaintext.
 Encipher: to encrypt or convert plaintext to
ciphertext.
 Key or cryptovariable: the information used in
conjunction with the algorithm to create ciphertext
from plaintext.
 Keyspace: the entire range of values that can
possibly be used to construct an individual key.

ITM 578 58
 Link encryption: a series of encryptions and
decryptions between a number of systems, whereby
each node decrypts the message sent to it and then
re-encrypts it using different keys and sends it to
the next neighbor, until it reaches the final
destination.
 Plaintext: the original unencrypted message that is
encrypted and results from successful decryption.
 Steganography: the process of hiding messages in a
picture or graphic.
 Work factor: the amount of effort (usually in hours)
required to perform cryptanalysis on an encoded
message.

ITM 578 59
Cryptography & Encryption-Based Solutions
 Simple forms of encryption are based on two
concepts: the block cipher and the exclusive
OR operation
 With the block cipher method
– the message is divided into blocks, i.e., 8 or 16 bit
– and then each block is transformed using the
algorithm and key
 The “exclusive or operation” (XOR) is a
function of Boolean algebra

ITM 578 60
Exclusive OR Operations
Bit 1 Bit 2 Exclusive OR result
0 0 0
0 1 1
1 0 1
1 1 0
Exclusive OR OperationsTABLE 8-3

ITM 578 61
Encryption Algorithms
 In encryption the most commonly used
algorithms include two functions:
substitution and transposition
 In a substitution cipher, you substitute one
value for another
 This type of substitution is based on a
monoalphabetic substitution, since it only
uses one alphabet
 More advanced substitution ciphers use two
or more alphabets, and are referred to as
polyalphabetic substitutions

ITM 578 62
Encryption Operations
 Just like the substitution operation, the
transposition cipher is simple to understand
but can be complex to decipher if properly
used
 Unlike the substitution cipher, the
transposition cipher (or permutation cipher)
simply rearranges the values within a block
to create the ciphertext
 This can be done at the bit level or at the
byte (character) level - transposition ciphers
move these bits or bytes to another location
in the block, so that bit 1 becomes bit 4, bit 2
becomes bit 7 etc

ITM 578 63
Vernam Cipher
 Also known as the one-time pad, the Vernam
cipher was developed at AT&T and uses a
one-use set of characters, the value of which
is added to the block of text
 The resulting sum is then converted to text
 When the two are added, if the values
exceed 26, 26 is subtracted from the total
(Modulo 26) - the corresponding results are
then converted back to text

ITM 578 64
Book or Running Key Cipher
 Another method, made popular by spy
movies, is the use of text in a book as the
algorithm to decrypt a message
 The key consists of
– knowing which book to use
– a list of codes representing the page number, line
number, and word number of the plaintext word
 Dictionaries and thesauruses make the most
popular sources as they guarantee every
word needed, although almost any book will
suffice

ITM 578 65
Symmetric Encryption
 The same key, also known as a secret key
used to conduct both encryption and
decryption of the message
 Can be extremely efficient, requiring minimal
processing to either encrypt or decrypt the
message
 Problem: both sender & receiver must own
the encryption key
– If either copy of the key is compromised, an
intermediate can decrypt and read the messages
 Challenges: get copy of the key to the
receiver, a process that must be conducted
out-of-band to avoid interception

ITM 578 66
Symmetric Encryption

ITM 578 67
Data Encryption Standard (DES)
Developed in 1977 by IBM
Based on the Data Encryption
Algorithm (DEA)
Uses a 64-bit block size and a 56-bit
key
With a 56-bit key, the algorithm has
256 possible keys to choose from (over
72 quadrillion)

ITM 578 68
Data Encryption Standard (DES)
 DES is a federally approved standard for
non classified data
 RSA put a bounty on the algorithm offering
$10,000 to the team to crack the algorithm
 Fourteen thousand users collaborated over
the Internet to finally break the encryption
 On 19 October 1997 at 1325 UTC, the 56 bit
DES algorithm was cracked by a distributed
processing system coordinated by a
computer in my lab at IIT’s Main Campus

ITM 578 69
Triple DES (3DES)
 Developed as an improvement to DES
 Uses up to three keys in succession and also
performs three different encryption
operations:
– 3DES encrypts the message three times with
three different keys, the most secure level of
encryption possible with 3DES
 In 1998, it took a dedicated computer
designed by the Electronic Freedom Frontier
(www.eff.org) over 56 hours to crack DES

ITM 578 70
Advanced Encryption Standard
(AES)
The successor to 3DES is Advanced
Encryption Standard (AES), based on
the Rijndael Block Cipher, a block
cipher with a variable block length
and a key length of either128, 192, or
256 bits
It would take the same computer
approximately 4,698,864 quintillion
years to crack AES

ITM 578 71
Asymmetric Encryption
 Best known as public key encryption
 Uses two different keys
 Either key can be used to encrypt or decrypt
the message, however, if Key A is used to
encrypt the message, only Key B can decrypt,
and if Key B is used to encrypt a message,
only Key A can decrypt it.
 Public key is stored in a public location,
where anyone can use it
 Private key is a secret known only to the
owner of the key pair

ITM 578 72
Using Public Keys

ITM 578 73
Digital Signatures
 An interesting thing happens when the
asymmetric process is reversed, that is the
private key is used to encrypt a short
message
 The public key can be used to decrypt it, and
the fact that the message was sent by the
organization that owns the private key
cannot be refuted
 This is known as nonrepudiation, which is
the foundation of digital signatures
 Digital Signatures are encrypted messages
that are independently verified by a central
facility (registry) as authentic

ITM 578 74
RSA
 One of the most popular public key
cryptosystems
 Stands for Rivest-Shamir-Aldeman, its
developers
 First public key encryption algorithm
developed and published for commercial use
 Part of Web browsers from both Microsoft
and Netscape
 56 bit version is not secure; 128 bit version is
acceptable

ITM 578 75
PKI or Public Key Infrastructure
 Public Key Infrastructure is the entire set of
hardware, software, and cryptosystems
necessary to implement public key
encryption
 PKI systems are based on public-key
cryptosystems and include digital
certificates and certificate authorities (CAs)
and can:
– Issue digital certificates
– Issue crypto keys
– Provide tools to use crypto to secure information
– Provide verification and return of certificates

ITM 578 76
PKI Benefits
PKI protects information assets in
several ways:
– Authentication
– Integrity
– Privacy
– Authorization
– Nonrepudiation

ITM 578 77
Digital Certificates & Certificate Authorities
 A digital certificate is an electronic
document, similar to a digital signature,
attached to a file certifying that this file is
from the organization it claims to be from
and has not been modified from the original
format
 A Certificate Authority is an agency that
manages the issuance of certificates and
serves as the electronic notary public to
verify their worth and integrity

ITM 578 78
Hybrid Systems
 In practice, pure asymmetric key encryption not
widely used except in the area of certificates
 More often used in conjunction with symmetric
key encryption creating a hybrid system
 Use the Diffie-Hellman Key Exchange method
that uses asymmetric techniques to exchange
symmetric keys to enable efficient, secure
communications based on symmetric keys
 Diffie-Hellman provided the foundation for
subsequent developments in public key
encryption

ITM 578 79
Hybrid Encryption Example

ITM 578 80
Securing E-mail
 Encryption cryptosystems have been
adapted to inject some degree of security
into e-mail:
– S/MIME builds on the Multipurpose Internet
Mail Extensions (MIME) encoding format by
adding encryption and authentication
– Privacy Enhanced Mail (PEM) was proposed by
the Internet Engineering Task Force (IETF) as a
standard to function with the public key
cryptosystems
– PEM uses 3DES symmetric key encryption and
RSA for key exchanges and digital signatures
– Pretty Good Privacy (PGP), developed by Phil
Zimmerman, uses the IDEA Cipher along with
RSA for key exchange

ITM 578 81
Securing the Web
Secure Electronic Transactions (SET)
Secure Socket Layer (SSL)
Secure Hypertext Transfer Protocol
(SHTTP)
Secure Shell (SSH)
IPSec

ITM 578 82
IPSec
 IP Security (IPSec) is the cryptographic
authentication and encryption product of the
IETF’s IP Protocol Security Working Group
 Defined in RFC 1825, 1826, and 1827
 Used to create Virtual Private Networks
(VPNs) and is an open framework for
security development within the TCP/IP
family of protocol standards
 Combines several different cryptosystem
elements and includes:
– the IP Security Protocol itself
– the Internet Key Exchange

ITM 578 83
IPSec Operations
 IPSec works in two modes of operation:
– In transport mode only the IP data is encrypted,
not the IP headers themselves
– In tunnel mode, the entire IP packet is encrypted
and is then placed as the payload in another IP
packet
 The implementation of these technologies is
very popular through a process known as
Virtual Private Networks (VPNs)
 In the most common implementation, a VPN
allows a user to turn the Internet into a
private network between points on the
public network

ITM 578 84
Kerberos Scenario: Initial Login

ITM 578 85
Kerberos Scenario: Request for Services

ITM 578 86
Sesame
 To solve some of the problems associated
with Kerberos, a new project, the Secure
European System for Applications in a
Multivendor Environment (SESAME), was
developed as a European research and
development project, partly funded by the
European Commission
 SESAME is similar in part to Kerberos in
that the user is first authenticated to an
authentication server to receive a token

ITM 578 87
Access Control Devices
 To insure secure operation, access control needs
strong authentication (two-factor authentication)
 Consist of the user’s personal password or
passphrase but requires at least one other factor to
represent strong authentication
 Frequently a physical device is used for the second
factor
 When considering access control you address:
– What you know
– What you have
– Who you are
– What you produce

ITM 578 88
What You Are - Biometrics
 Most of the technologies that scan human
characteristics convert these images to some
form of minutiae
 Minutiae are unique points of reference that
are digitized and stored in an encrypted
format
 Each subsequent scan is also digitized and
then compared with the encoded value to
determine if users are who they claim to be
 The problem is that some human
characteristics can change over time, due to
normal development, injury, or illness

ITM 578 89
Voice recognition
Signature recognition
Hand
geometry
Hand and palm
print
Fingerprint Iris
recognition
Retinal
Recognition
Facial
geometry
Recognition Characteristics
FIGURE 8-20
Recognition Characteristics

ITM 578 90
Effectiveness of Biometrics
Biometric technologies are evaluated
on three basic criteria:
–False Reject Rate
–False Accept Rate
–Crossover Error Rate

ITM 578 91
False Reject Rate (FRR)
The percentage or value associated
with the rate at which authentic users
are denied or prevented access to
authorized areas, as a result of a
failure in the biometric device
Type I error
Probably of the least concern to
security

ITM 578 92
False Accept Rate (FAR)
The percentage or value associated
with the rate at which fraudulent or
non-users are allowed access to
systems or areas, as a result of a
failure in the biometric device
Type II error
This type of error is unacceptable to
security, as it represents a clear
breach

ITM 578 93
Crossover Error Rate (CER)
The crossover error rate is the point
at which the number of false
rejections equals the false
acceptances, also known as the equal
error rate
It is possibly the most common and
important overall measure of the
accuracy of a biometric system
The optimal setting is somewhere
near the equal error rate or CER

ITM 578 94
Acceptability of Biometrics
While the use of one authentication
area is necessary to access the
system, the more devices used the
better
To obtain strong authentication, the
systems must use two or more
authentication areas

ITM 578 95
The End…
Questions?

Security technologies

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie Security technologies

Ähnlich wie Security technologies (20)

Mehr von Dhani Ahmad

Mehr von Dhani Ahmad (12)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Security technologies

Hinweis der Redaktion