Chap 28 security

CChhaapptteerr 2288
SSeeccuurriittyy
Objectives
Upon completion you will be able to:
• Differentiate between two categories of cryptography schemes
• Understand four aspects of security
• Understand the concept of digital signature
• Understand the role of key management in entity authentication
• Know how and where IPSec, TLS, and PPG provide security
TCP/IP Protocol Suite 1

28.1 CRYPTOGRAPHY
The word cryptography in Greek means “secret writing.” TThhee tteerrmm ttooddaayy
rreeffeerrss ttoo tthhee sscciieennccee aanndd aarrtt ooff ttrraannssffoorrmmiinngg mmeessssaaggeess ttoo mmaakkee tthheemm
sseeccuurree aanndd iimmmmuunnee ttoo aattttaacckkss..
TThhee ttooppiiccss ddiissccuusssseedd iinn tthhiiss sseeccttiioonn iinncclluuddee::
SSyymmmmeettrriicc--KKeeyy CCrryyppttooggrraapphhyy
AAssyymmmmeettrriicc--KKeeyy CCrryyppttooggrraapphhyy
CCoommppaarriissoonn

Figure 28.1 Cryptography components

NNoottee::
In cryptography, the
encryption/decryption algorithms are
public; the keys are secret.

NNoottee::
In symmetric-key cryptography, the
same key is used by the sender (for
encryption) and the receiver (for
decryption). The key is shared.

Figure 28.2 Symmetric-key cryptography

NNoottee::
In symmetric-key cryptography, the
same key is used in both directions.

Figure 28.3 Caesar cipher

Figure 28.4 Transpositional cipher

Figure 28.5 DES

Figure 28.6 Iteration block

Figure 28.7 Triple DES

NNoottee::
The DES cipher uses the same concept
as the Caesar cipher, but the
encryption/ decryption algorithm is
much more complex.

Figure 28.8 Public-key cryptography

Figure 28.9 RSA

NNoottee::
Symmetric-key cryptography is often
used for long messages.

NNoottee::
Asymmetric-key algorithms are more
efficient for short messages.

28.2 PRIVACY
Privacy means that the sender and the receiver expect ccoonnffiiddeennttiiaalliittyy..
TThhee ttrraannssmmiitttteedd mmeessssaaggee mmuusstt mmaakkee sseennssee ttoo oonnllyy tthhee iinntteennddeedd rreecceeiivveerr..
TToo aallll ootthheerrss,, tthhee mmeessssaaggee mmuusstt bbee uunniinntteelllliiggiibbllee..
PPrriivvaaccyy wwiitthh SSyymmmmeettrriicc--KKeeyy CCrryyppttooggrraapphhyy
PPrriivvaaccyy wwiitthh AAssyymmmmeettrriicc--KKeeyy CCrryyppttooggrraapphhyy

Figure 28.10 Privacy using symmetric-key encryption

Figure 28.11 Privacy using asymmetric-key encryption

NNoottee::
Digital signature can provide
authentication, integrity, and
nonrepudiation for a message.

28.3 DIGITAL SIGNATURE
Digital signature can provide authentication, iinntteeggrriittyy,, aanndd
nnoonnrreeppuuddiiaattiioonn ffoorr aa mmeessssaaggee..
SSiiggnniinngg tthhee WWhhoollee DDooccuummeenntt
SSiiggnniinngg tthhee DDiiggeesstt

Figure 28.12 Signing the whole document

NNoottee::
Digital signature does not provide
privacy. If there is a need for privacy,
another layer of encryption/decryption
must be applied.

Figure 28.13 Hash function

Figure 28.14 Sender site

Figure 28.15 Receiver site

28.4 ENTITY AUTHENTICATION
Entity authentication is a procedure that verifies the iiddeennttiittyy ooff oonnee
eennttiittyy ffoorr aannootthheerr.. AAnn eennttiittyy ccaann bbee aa ppeerrssoonn,, aa pprroocceessss,, aa cclliieenntt,, oorr aa
sseerrvveerr.. IInn eennttiittyy aauutthheennttiiccaattiioonn,, tthhee iiddeennttiittyy iiss vveerriiffiieedd oonnccee ffoorr tthhee eennttiirree
dduurraattiioonn ooff ssyysstteemm aacccceessss..
EEnnttiittyy AAuutthheennttiiccaattiioonn wwiitthh SSyymmmmeettrriicc--KKeeyy CCrryyppttooggrraapphhyy
EEnnttiittyy AAuutthheennttiiccaattiioonn wwiitthh AAssyymmmmeettrriicc--KKeeyy CCrryyppttooggrraapphhyy

Figure 28.16 Using a symmetric key only

Figure 28.17 Using a nonce

Figure 28.18 Bidirectional authentication

28.5 KEY MANAGEMENT
In this section we explain how symmetric keys aarree ddiissttrriibbuutteedd aanndd hhooww
ppuubblliicc kkeeyyss aarree cceerrttiiffiieedd..
SSyymmmmeettrriicc--KKeeyy DDiissttrriibbuuttiioonn
PPuubblliicc--KKeeyy CCeerrttiiffiiccaattiioonn
KKeerrbbeerrooss

NNoottee::
A symmetric key between two parties is
useful if it is used only once; it must be
created for one session and destroyed
when the session is over.

Figure 28.19 Diffie-Hellman method

NNoottee::
The symmetric (shared) key in the
Diffie-Hellman protocol is
K = G xy mod N.

ExamplE 1
Let us give an example to make the procedure clear. Our example uses small
numbers, but note that in a real situation, the numbers are very large. Assume G
= 7 and N = 23. The steps are as follows:
1. Alice chooses x = 3 and calculates R1 = 73 mod 23 = 21.
2. Alice sends the number 21 to Bob.
3. Bob chooses y = 6 and calculates R2 = 76 mod 23 = 4.
4. Bob sends the number 4 to Alice.
5. Alice calculates the symmetric key K = 43 mod 23 = 18.
6. Bob calculates the symmetric key K = 216 mod 23 = 18.
The value of K is the same for both Alice and Bob; G xy mod N = 718 mod 23
= 18.

Figure 28.20 Man-in-the-middle attack

Figure 28.21 First approach using KDC

Figure 28.22 Needham-Schroeder protocol

Figure 28.23 Otway-Rees protocol

NNoottee::
In public-key cryptography, everyone
has access to everyone’s public key.

TTaabbllee 2288..11 XX..550099 ffiieellddss

Figure 28.24 PKI hierarchy

Figure 28.25 Kerberos servers

Figure 28.26 Kerberos example

28.6 SECURITY IN THE INTERNET
In this section we discuss a security method for each ooff tthhee ttoopp 33 llaayyeerrss
ooff tthhee IInntteerrnneett mmooddeell.. AAtt tthhee IIPP lleevveell wwee ddiissccuussss aa pprroottooccooll ccaalllleedd IIPPSSeecc;;
aatt tthhee ttrraannssppoorrtt llaayyeerr wwee ddiissccuussss aa pprroottooccooll tthhaatt ““gglluueess”” aa nneeww llaayyeerr ttoo
tthhee ttrraannssppoorrtt llaayyeerr;; aatt tthhee aapppplliiccaattiioonn llaayyeerr wwee ddiissccuussss aa sseeccuurriittyy mmeetthhoodd
ccaalllleedd PPGGPP..
IIPP LLeevveell SSeeccuurriittyy:: IIPPSSeecc
TTrraannssppoorrtt LLaayyeerr SSeeccuurriittyy
AApppplliiccaattiioonn LLaayyeerr SSeeccuurriittyy:: PPGGPP

Figure 28.27 Transport mode

Figure 28.28 Tunnel mode

Figure 28.29 AH

NNoottee::
The AH protocol provides message
authentication and integrity,
but not privacy.

Figure 28.30 ESP

NNoottee::
ESP provides message authentication,
integrity, and privacy.

Figure 28.31 Position of TLS

Figure 28.32 TLS layers

Figure 28.33 Handshake protocol

Figure 28.34 Record Protocol

Figure 28.35 PGP at the sender site

Figure 28.36 PGP at the receiver site

28.7 FIREWALLS
A firewall is a device (usually a router or a computer) iinnssttaalllleedd bbeettwweeeenn
tthhee iinntteerrnnaall nneettwwoorrkk ooff aann oorrggaanniizzaattiioonn aanndd tthhee rreesstt ooff tthhee IInntteerrnneett.. IItt iiss
ddeessiiggnneedd ttoo ffoorrwwaarrdd ssoommee ppaacckkeettss aanndd ffiilltteerr ((nnoott ffoorrwwaarrdd)) ootthheerrss..
PPaacckkeett--FFiilltteerr FFiirreewwaallll
PPrrooxxyy FFiirreewwaallll

Figure 28.37 Firewall

Figure 28.38 Packet-filter firewall

NNoottee::
A packet-filter firewall filters at the
network or transport layer.

Figure 28.39 Proxy firewall

NNoottee::
A proxy firewall filters at the
application layer.

Chap 28 security

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (11)

Ähnlich wie Chap 28 security

Ähnlich wie Chap 28 security (20)

Mehr von Noctorous Jamal

Mehr von Noctorous Jamal (6)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Chap 28 security