Network Security Concepts: Review
Raj Jain
Washington University in Saint Louis, Saint Louis, MO 63130
jain@cse.wustl.edu
These slides are available on-line at http://www.cse.wustl.edu/~jain/cse574-06/
Washington University in St. Louis, CSE574s 11-1, ©2005 Raj Jain

Slide 11-2: Overview
- Types of security attacks and solutions
- Secret Key and Public Key Encryption
- Hash Functions
- Message Authentication Code (MAC)
- Digital Signature and Digital Certificates
- RSA Public Key Encryption

Slide 11-3: Types of Security Attacks
- Denial of Service (DoS)
  - DoS by flooding: lots of packets from one node to the victim
    - DoS on DNS or root name servers, ARP flooding, ping broadcasts, TCP SYN flooding
  - DoS by forging: send an incorrect routing message
- Distributed DoS (DDoS): lots of packets from multiple nodes to the victim
  [Figure: attacker nodes sending traffic to the victim]

Slide 11-4: Security Attacks (Cont.)
- Sniffing: listen to unencrypted traffic
- Replay: record messages and reuse them later
- Traffic redirection: poison ARP tables in routers
- Reaction: send spurious packets and monitor the response
  - Challenge-response authentication
- Jamming: RF interference
- Rogue AP: man-in-the-middle attacks; easily deployed in public areas; fake SSID
- Fraud: criminal deception, e.g., identity theft
- DNS queries and responses are in the clear: can be spoofed by a man in the middle; DNS cache poisoning
- BGP routing messages can be spoofed

Slide 11-5: Security Attacks (Cont.)
- Trojan Horse: programs with hidden functionality; could be triggered at a specific time or condition
- Trap Doors (Backdoor): code segment to circumvent access control
- Virus: a program that reproduces by introducing a copy of itself in other programs (jump to viral code and return to the beginning)
- Worms: creates copies of itself on other machines; unlike a virus, worms do not require user action
  - Morris worm spread by finding IP addresses on the machine
  - Slammer worm sent UDP packets to cause a buffer overflow
- Buffer Overflow: overwrite code segments and execute code in data space; many programming languages do enforce bounds checking

Slide 11-6: Security Attacks (Cont.)
- Covert Communications Channel: hidden channel
  - Capture electromagnetic radiation from keyboards, screens, and processors
  - Pizza deliveries to the White House
- Steganography or Information Hiding: lower bits of pictures or music files
- Reverse Engineering: dismantling and inspecting to infer internal function and structure; code dumping and decompiling
- Scavenging: acquisition of data from residue
  - Searching through rubbish bins
  - Buffer space in memory, deleted files on disks, bad blocks on disks
- Cryptanalysis: find the encryption key, encryption method, or clear text; get plaintext and ciphertext pairs

Slide 11-7: Security Solutions
- Audits: may include testing by a red team; keep good system logs
- Formal methods: used to verify that there are no human errors in the code and protocols
- Attack Graphs: show paths that an attacker can take to get access
- Security Automata: security policies expressed as finite state machines
- Encryption: secret key and public key
- Steganography: digital watermarking; information hidden in images, sound, or video can be used to find the origin of data

Slide 11-8: Security Solutions (Cont.)
- Obfuscation: make a concept confusing and difficult to understand (common in politics); write programs so that they cannot be reverse engineered
- Virus Scanners
- Proof-Carrying Code: mobile code contains a proof that it is safe
- Sandboxing: limiting access
- Firewalls: scan and filter network traffic
- Red/black separation: handle sensitive and non-sensitive data on different machines
- Secure Hardware: tamper-proof; physical security

Slide 11-9: Security Requirements
- Integrity: received = sent
- Availability: legal users should be able to use the system (ping it continuously and no useful work gets done)
- Confidentiality and Privacy: no snooping or wiretapping
- Authentication: you are who you say you are (a student at Dartmouth posing as a professor canceled the exam)
- Authorization (Access Control): only authorized users get to the data
- Non-repudiation: neither sender nor receiver can deny the existence of a message

Slide 11-10: Secret Key Encryption
- Also known as symmetric encryption
- Message → Encrypt (Key) → Encrypted Message → Decrypt (Key) → Message
- Example: encrypt by division using a divisor of 9: $433 \div 9 = 48 \text{ R } 1$

Slide 11-11: Public Key Encryption
- Invented in 1975 by Diffie and Hellman
- Message → Encrypt (Key1) → Encrypted Message → Decrypt (Key2) → Message
- Key1: Text → Ciphertext; Key2: Ciphertext → Text

Slide 11-12: Public Key Encryption: RSA
- Encrypted Message $= m^3 \bmod 187$
- Message $= (\text{Encrypted Message})^{107} \bmod 187$
- Key1 $= (3, 187)$, Key2 $= (107, 187)$
- Message $= 5$, Encrypted Message $= 5^3 = 125$
- Message $= 125^{107} \bmod 187 = 5$
- $107 = 64 + 32 + 8 + 2 + 1$, so
  $125^{107} \bmod 187 = \big((125^{64} \bmod 187)(125^{32} \bmod 187)(125^{8} \bmod 187)(125^{2} \bmod 187)(125 \bmod 187)\big) \bmod 187$

Slide 11-13: Modular Arithmetic
- $(xy) \bmod m = \big((x \bmod m)(y \bmod m)\big) \bmod m$
- $x^4 \bmod m = \big((x^2 \bmod m)(x^2 \bmod m)\big) \bmod m$
- $x^{ij} \bmod m = \big((x^i \bmod m)^j\big) \bmod m$
- $125 \bmod 187 = 125$
- $125^2 \bmod 187 = 15625 \bmod 187 = 104$
- $125^4 \bmod 187 = (125^2 \bmod 187)^2 \bmod 187 = 104^2 \bmod 187 = 10816 \bmod 187 = 157$
- $125^8 \bmod 187 = 157^2 \bmod 187 = 152$
- $125^{16} \bmod 187 = 152^2 \bmod 187 = 103$
- $125^{32} \bmod 187 = 103^2 \bmod 187 = 137$
- $125^{64} \bmod 187 = 137^2 \bmod 187 = 69$
- $125^{64+32+8+2+1} \bmod 187 = (69 \cdot 137 \cdot 152 \cdot 104 \cdot 125) \bmod 187 = 18679128000 \bmod 187 = 5$

Slide 11-14: Public Key (Cont.)
- One key is private and the other is public
- Message → Encrypt (Private Key) → Decrypt (Public Key) → Message
- Message → Encrypt (Public Key) → Decrypt (Private Key) → Message
  [Figure: Msg encrypted with Alice's Public Key, decrypted with Alice's Private Key; Msg encrypted with Bob's Public Key, decrypted with Bob's Private Key]

Slide 11-15: Hash Functions
- [Figure: 12345678901234567 → Hash; 12345678901234767 → Hash]
- Example: CRC can be used as a hash (not recommended for security applications)
- Requirements:
  1. Applicable to any size message
  2. Fixed length output
  3. Easy to compute
  4. Difficult to invert: can't find $x$ given $H(x)$ (one way)
  5. Difficult to find $y$ such that $H(x) = H(y)$: can't change the message
  6. Difficult to find any pair $(x, y)$ such that $H(x) = H(y)$: strong hash

Slide 11-16: Digital Signature
- [Figure: Message → Hash → Message Digest → Encrypt (Private Key) → Signature]
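The RSA round trip of slide 11-12 (5 → 5³ mod 187 = 125 → 125¹⁰⁷ mod 187 = 5), carried out with the repeated-squaring method of slide 11-13, as an added example that is not part of Raj Jain's slides. The key values (3, 187) and (107, 187) are the slide's; the function names and the factorisation 187 = 11 × 17 noted in the comments are ours.

```python
# Added example (not from the slides): RSA with the slide's toy keys,
# decryption done by square-and-multiply instead of the 18679128000 product.
from typing import List

def square_residues(base: int, modulus: int, count: int) -> List[int]:
    """Return base^(2^k) mod modulus for k = 0 .. count-1: the column
    125, 125^2, 125^4, ... of slide 11-13, each entry the square of the
    previous one reduced mod 187 (x^4 mod m = (x^2 mod m)^2 mod m)."""
    residues = [base % modulus]
    for _ in range(count - 1):
        residues.append((residues[-1] * residues[-1]) % modulus)
    return residues

def power_of_two_terms(exponent: int) -> List[int]:
    """Binary split of the exponent, e.g. 107 -> [1, 2, 8, 32, 64]."""
    return [1 << k for k in range(exponent.bit_length()) if (exponent >> k) & 1]

def mod_pow(base: int, exponent: int, modulus: int) -> int:
    """Square-and-multiply: multiply the residues of the power-of-two
    terms together, reducing after every product (the (xy) mod m rule of
    slide 11-13), so no intermediate ever exceeds modulus^2."""
    result = 1
    residue = base % modulus
    while exponent:
        if exponent & 1:                          # this power-of-two term is in the exponent
            result = (result * residue) % modulus
        residue = (residue * residue) % modulus   # next entry of the squares column
        exponent >>= 1
    return result

def rsa_encrypt(m: int, e: int, n: int) -> int:
    return mod_pow(m, e, n)

def rsa_decrypt(c: int, d: int, n: int) -> int:
    return mod_pow(c, d, n)

# Slide values. Not on the slide: 187 = 11 * 17, so (11-1)(17-1) = 160 and
# 3 * 107 = 321 = 2 * 160 + 1, which is why d = 107 undoes e = 3.
E, D, N = 3, 107, 187

if __name__ == "__main__":
    print(square_residues(125, N, 7))   # [125, 104, 157, 152, 103, 137, 69]
    print(power_of_two_terms(D))        # [1, 2, 8, 32, 64]
    print(rsa_encrypt(5, E, N))         # 125
    print(rsa_decrypt(125, D, N))       # 5
```

Because 321 ≡ 1 (mod 80) and 80 = lcm(10, 16), the decryption inverts the encryption for every message 0 ≤ m < 187, not just for m = 5.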