November 8, 2005ISO/OSI ModelProtocolsElectronic MailSecurity at the Application Layer: Privacy-enhanced Electronic Mail (PEM)Design Considerations/goals for PEMPEM Basic DesignSlide 8ISO/OSI Model SSL: Security at Transport LayerSecurity at the Transport Layer Secure Socket Layer (SSL)Secure Socket Layer (SSL)SSL ArchitectureSSL Record Protocol OperationHandshake ProtocolOther protocolsISO/OSI Model IPSec: Security at Network LayerIPSecCases where IPSec can be usedCases where IPSec can be used (2)IPSec ProtocolsSecurity Association (SA)Security Association (2)Security Association DatabasesIPSec ModesAuthentication Header (AH)Preventing replayTransport Mode AHTunnel Mode AHESP – Encapsulating Security PayloadDetails of ESPTransport mode ESPTunnel mode ESPPerimeter DefenseSlide 34FirewallsWhat Firewalls can’t doVirtual Private Networks What is it?What is a VPN? (2)Tunneling in VPN“Typical” corporate networkSlide 41What is Authentication?Authentication System: Formal DefinitionAuthentication System: PasswordsPasswordsAuthentication SystemAttacks on PasswordsPassword SelectionSlide 49Slide 50Authentication Systems: Challenge-ResponseSlide 52Authentication Systems: BiometricsAttacks on BiometricsAuthentication Systems: Location1IS 2150/TEL 2810: Introduction of Computer SecurityNovember 8, 2005November 8, 2005Network Security Network Security Authentication & IdentityAuthentication & IdentityLecture 9Lecture 92IS 2150/TEL 2810: Introduction of Computer SecurityISO/OSI ModelISO/OSI ModelApplication LayerApplication LayerPresentation LayerPresentation LayerSession LayerSession LayerTransport LayerTransport LayerNetwork LayerNetwork LayerData Link LayerData Link LayerPhysical LayerPhysical LayerApplication LayerApplication LayerPresentation LayerPresentation LayerSession LayerSession LayerTransport LayerTransport LayerNetwork LayerNetwork LayerData Link LayerData Link LayerPhysical LayerPhysical LayerNetwork LayerNetwork LayerData Link LayerData Link LayerPhysical LayerPhysical LayerPeer-to-peerFlow of bits3IS 2150/TEL 2810: Introduction of Computer SecurityProtocolsProtocolsEnd-to-end protocolEnd-to-end protocolCommunication protocol that involves end systems with one or more intermediate systemsIntermediate host play no part other than forwarding messagesExample: telnet Link protocolLink protocolProtocol between every directly connected systemsExample: IP – guides messages from a host to one of its immediate hostLink encryptionLink encryptionEncipher messages between intermediate hostEach host share a cryptographic key with its neighborAttackers at the intermediate host will be able to read the messageEnd-to-end encryption End-to-end encryption Example: telnet with messages encrypted/decrypted at the client and serverAttackers on the intermediate hosts cannot read the message4IS 2150/TEL 2810: Introduction of Computer SecurityElectronic Mail Electronic Mail UA interacts with UA interacts with the senderthe senderUA hands it to a UA hands it to a MTAMTAMTAUAMTAUAMTAUAMessage TransferAgentsUser AgentAttacker can read email Attacker can read email on any of the computer on any of the computer with MTAwith MTAForgery possibleForgery possible5IS 2150/TEL 2810: Introduction of Computer SecuritySecurity at the Application Layer:Security at the Application Layer:Privacy-enhanced Electronic Mail (PEM)Privacy-enhanced Electronic Mail (PEM)Study by Internet Research Task Force on Study by Internet Research Task Force on Privacy or Privacy Research Group to develop Privacy or Privacy Research Group to develop protocols with following servicesprotocols with following servicesConfidentiality, by making the message unreadable except to the sender and recipientsOrigin authentication, by identifying the sender preciselyData integrity, by ensuring that any changes In the message are easy to detectNon-repudiation of the origin (if possible)6IS 2150/TEL 2810: Introduction of Computer SecurityDesign Considerations/goalsDesign Considerations/goalsfor PEMfor PEMNot to redesign existing mail system Not to redesign existing mail system protocolsprotocolsTo be compatible with a range of MTAs, To be compatible with a range of MTAs, UAs and other computersUAs and other computersTo make privacy enhancements available To make privacy enhancements available separately so they are not requiredseparately so they are not requiredTo enable parties to use the protocol to To enable parties to use the protocol to communicate without prearrangementcommunicate without prearrangement7IS 2150/TEL 2810: Introduction of Computer SecurityPEMPEMBasic DesignBasic DesignDefines two keysDefines two keysData Encipherment Key (DEK) to encipher the message sentGenerated randomlyUsed only onceSent to the recipientInterchange key: to encipher DEKMust be obtained some other way than the through the message8IS 2150/TEL 2810: Introduction of Computer SecurityProtocolsProtocolsConfidential message (DEK: Confidential message (DEK: ks))Authenticated, integrity-checked messageAuthenticated, integrity-checked messageEnciphered, authenticated, integrity Enciphered, authenticated, integrity checked messagechecked messageAlice Bob{m}ks || {ks}kBobAlice Bobm || {h(m)}kAliceAlice Bob{m}ks || {h(m)}kAlice || {ks}kBob9IS 2150/TEL 2810: Introduction of Computer SecurityISO/OSI ModelISO/OSI ModelSSL: Security at Transport LayerSSL: Security at Transport LayerApplication LayerApplication LayerPresentation LayerPresentation LayerSession LayerSession LayerTransport LayerTransport LayerNetwork LayerNetwork LayerData Link LayerData Link LayerPhysical LayerPhysical LayerApplication LayerApplication LayerPresentation LayerPresentation LayerSession LayerSession LayerTransport LayerTransport LayerNetwork LayerNetwork LayerData Link LayerData Link LayerPhysical LayerPhysical LayerNetwork LayerNetwork LayerData Link LayerData Link LayerPhysical LayerPhysical LayerPeer-to-peerFlow of bits10IS 2150/TEL 2810: Introduction of Computer SecuritySecurity at the Transport LayerSecurity at the Transport LayerSecure Socket Layer (SSL)Secure Socket Layer (SSL)Developed by Netscape to provide security in Developed by Netscape to provide security in WWW browsers and serversWWW browsers and serversSSL is the basis for the Internet standard SSL is the basis for the Internet standard protocol – Transport Layer Security (TLS) protocol – Transport
View Full Document