State of the Art in ATM Network Security
By Paul C. Rollins
For Dr. Kris Gaj
ECE 543
George Mason University
December 12, 2000

Agenda
• Introduction
• ATM Security Overview
• ATM/IP Security Differences
• ATM Forum Security Specification V1.0
• Questions and Answers

Introduction
• Technologies => E-Commerce
• E-Commerce => Security
• ATM Forum Security Specification V1.0

ATM Security Overview
• Requirements
  – Availability
  – Authentication
  – Confidentiality
  – Integrity
  – Non-Repudiation
  – Access Control
• Threats
  – Denial of Service
  – Virtual Circuit (VC) Stealing
  – Eavesdropping
  – Traffic Analysis

ATM/IP Security Differences
  ATM                   IP
  Connection-Oriented   Connectionless
  Point to Point        Shared Media
  QoS Guarantees        Best Effort
  Fixed Packet Size     Variable Length Packet

ATM Forum Security Specification V1.0
• Goals (8)
  – Multiple Algorithms/Key Lengths
  – Interoperable
  – Extensible
  – Backward Compatible
  – Minimal Spec Impact
  – Plan for Future Versions
  – Scalability
  – Separate Integrity/Confidentiality
• Services
  – UP Authentication
  – UP Confidentiality
  – UP Integrity
  – UP Access Control
  – CP Authentication/Integrity
  UP = User Plane, CP = Control Plane

Services
• Authentication
  – Encrypted Message Digest (MD) with Nonce
• Signatures
  – DES/CBC
  – DSA
  – ECDSA
  – ESIGN
  – FEAL/CBC
  – RSA
  – User Defined
• Hashes
  – MD5
  – SHA-1
  – RIPEMD-160
  – User Defined

Services
• Confidentiality
  – Secret Key Algorithms Only
• Algorithms
  – DES (56)
  – DES (40)
  – 3-DES (112)
  – FEAL
  – User Defined
• Modes
  – CBC
  – Counter *
  – ECB
  – User Defined

Services
• Integrity
  MACs              Signature      Key Exchange   Hash          Key Update
  HMAC-MD5          RSA            RSA            MD5           SKE with MD5
  HMAC-SHA-1        DSA            DH             SHA-1         SKE with SHA-1
  HMAC-RIPEMD-160   EC/DSA         EC/DH (2)      RIPEMD-160    SKE with RIPEMD-160
  DES56/CBC         ESIGN          DES56/CBC      User Defined  User Defined
  DES40/CBC         DES56/CBC      DES40/CBC
  3DES/CBC          DES40/CBC      3DES/CBC
  FEAL/CBC          3DES/CBC       FEAL/CBC
  User Defined      FEAL/CBC       User Defined
                    User Defined

Services
• Access Control
  – User Network Interface
  – ATM Cell Level
  – Standardized Rule Sets (Traffic Shaping)
  – NON CRYPTOGRAPHIC

Services
• Control Plane Authentication/Integrity
  – Manually Pre-Configured (Not Negotiated on Net)
  – All Else Same as for User Plane

Additional ATM Security Needs
• Trunk Encryption
• Control Plane Confidentiality
• Management Plane Security
• Key Management Infrastructure (KMI)

Conclusion
• Good Start
• Need to learn how to implement!!
• $$ Market must demand security before companies will invest in developing more secure products $$

Questions and Answers
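The Authentication slide lists "Encrypted MD/Nonce" and the Integrity slide lists HMAC-MD5 / HMAC-SHA-1 MACs without showing how the two fit together. The following is an added illustration, not code from the presentation or from the ATM Forum specification: a verifier issues a fresh nonce, the claimant answers with a keyed digest over the nonce and its identity, and the verifier accepts each nonce once. The shared key, the identity string "switch-A" and the message layout are constructed sample values; the spec's actual message formats are not reproduced. SHA-1 is used only because the slides list it; MD5 and SHA-1 are no longer recommended for new designs.

```python
"""Nonce-based authentication with a keyed message digest (added example).

Shows why the nonce matters: the same response replayed, or reused against
a later challenge, is rejected, and so is a response computed with the wrong key.
Key, identity and message layout below are constructed for the demo.
"""
import hashlib
import hmac
import secrets

# Constructed demo key; the slides assume a pre-shared secret key.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def respond(key: bytes, nonce: bytes, identity: bytes, digestmod=hashlib.sha1) -> bytes:
    """Claimant side: prove possession of `key` by MACing the verifier's nonce
    together with the claimed identity. Binding the nonce makes a captured
    response worthless for any other challenge."""
    return hmac.new(key, nonce + b"|" + identity, digestmod).digest()


class Verifier:
    """Verifier side: issues single-use nonces and checks responses."""

    def __init__(self, key: bytes, digestmod=hashlib.sha1):
        self.key = key
        self.digestmod = digestmod
        self.outstanding = set()  # nonces issued but not yet answered

    def issue(self) -> bytes:
        # 128 bits of randomness per challenge; never reused.
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def check(self, nonce: bytes, identity: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False  # unknown or already-consumed nonce: replay or forgery
        self.outstanding.discard(nonce)  # single use, even if the MAC fails
        expected = hmac.new(self.key, nonce + b"|" + identity, self.digestmod).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo() -> dict:
    """Run the exchange once and probe the failure modes the nonce prevents."""
    v = Verifier(SHARED_KEY)
    n1 = v.issue()
    r1 = respond(SHARED_KEY, n1, b"switch-A")
    first = v.check(n1, b"switch-A", r1)          # genuine exchange
    replayed = v.check(n1, b"switch-A", r1)       # same response a second time
    n2 = v.issue()
    stale = v.check(n2, b"switch-A", r1)          # old response, new challenge
    n3 = v.issue()
    wrong_key = v.check(n3, b"switch-A", respond(b"other-key", n3, b"switch-A"))
    n4 = v.issue()
    wrong_id = v.check(n4, b"switch-B", respond(SHARED_KEY, n4, b"switch-A"))
    return {"first": first, "replayed": replayed, "stale": stale,
            "wrong_key": wrong_key, "wrong_id": wrong_id}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:10s} accepted={accepted}")
```

Only the first exchange is accepted; every other attempt fails at the nonce bookkeeping or at the MAC comparison. The digest is a parameter because the slides present the hash as negotiable (MD5, SHA-1, RIPEMD-160, user defined); swapping in a modern hash changes nothing else in the exchange.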