Basic Internet Security Concepts
© MMII JW Ryder
CS 428 Computer Networking
1
Purpose
• Some ideas on Internet Security
• Classes of mischief on the Internet, definitions
• Tools to fight mischief
• Combinations of these tools
Purpose continued
• Very high level
• Good starting point for further study about general networking & strategies, cryptography, key management, and algorithm analysis
Introduction
• The Internet is a vast wilderness, an infinite world of opportunity
• Exploring, e-mail, free software, chat, video, e-business, information, games
• Explored by humans
Internet Security Concepts
• Introduction of several basic security concepts
• General mechanisms for protection
Sniffing and Spoofing [1]
• Sniffing - The ability to inspect IP Datagrams which are not destined for the current host.
• Spoofing - After sniffing, using what was learned to create malicious havoc on the Internet.
[Diagram: the scenario used in the following slides. Node types: Private Network node, Secure Gateway node, Unprotected Internet node. Hosts: A Guy, A Guy's Swiss Bank, Bank (I), Sears, Wall Street (N), Gabrielle Poirot (C), Steve Burns (C), Ramon Sanchez (A). The letters match the property each story illustrates: (C) Confidentiality, (I) Integrity, (A) Authentication, (N) Non-repudiation.]
A Guy has no Integrity
Swiss Bank Scam
Integrity - The guarantee that, upon receipt of a datagram from the network, the receiver will be able to determine if the data was changed in transit
Ramon springs for sound
Sears solid state stereos
Authentication - The guarantee that, upon receipt of a datagram from the network, the receiver will be able to determine if the stated sender of the datagram is, in fact, the sender
A guy sniffs success
Gabrielle and Steve almost strike it rich
Confidentiality - Ensure that each party which is supposed to see the data sees it, and that those who should not see the data never see it.
Wall Street Woes
A guy spots a hot stock tip
Non-repudiation - Once a host has sent a datagram, ensure that that same host cannot later claim that it did not send the datagram
A guy becomes desperate
Bring Wall St. to its knees
Denial of Service Attack - Flood a given IP Address (Host) with packets so that it spends the majority of its processing time denying service
In Comm. Stack
[Diagram: where the security functions sit in the communication stack - Application; Key Mgmt. Functions; One Way Hash Functions (MD5, SHA1); Crypto Functions (DES, CDMF, 3DES); IP; Physical Adapter]
Protocol Flow [2, 3]
• Through the layers, each layer has a collection of responsibilities
• ISO OSI Reference Model (Open Systems Interconnection)
• IP Datagram
[Diagram: MAC Function - the Data of an IP Datagram (IP Hdr. + Data) is fed through the MAC Fn to produce a Digest; the datagram sent is IP Hdr. + Data + Digest. Property: Integrity]
Keys
• Bit values fed into cryptographic algorithms and one-way hashing functions, which help provide confidentiality, integrity, and authentication
• The longer the better - 40, 48, 56, 128 bits
• Brute force attacks can win with small keys
Symmetric Keys
• Have qualities such as lifetimes, refresh rates, etc.
• Symmetric - Keys that are shared secrets on N cooperating, trusted hosts
Asymmetric
• Public / Private key pairs
• Public key lists kept on well-known public key servers
• Public key is no secret. If it is, the strategy will not work.
• Public and private keys are inverse functional values: what one key transforms, the other key reverses
• Private key is only known to you and must remain secret
Concept
• Sender encrypts data with private key
• Receiver decrypts data with public key
• Receiver replies after encrypting with public key
• Sender receives response and decrypts with private key
[Diagram: Encryption Function - Data and Key go into the Crypto Fn., which produces Encrypted Data; the datagram sent is IP Hdr. + Encrypted Data. Property: Confidentiality]
[Diagram: Decryption Function - Encrypted Data and Key go into the Crypto Fn., which produces Data. Property: Confidentiality]
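The Encryption Function and Decryption Function diagrams above, worked through in code. This is an added example, not code from the slides: the cipher is a constructed stand-in for DES/3DES (a keystream derived from SHA-256 over key, nonce and counter, XORed with the data) and all function names and sample values are this example's own. The last function shows what encryption alone leaves undetected, which is why the following slides add a Digest.

```python
"""Added example, not from the slides: the Encryption Function and Decryption
Function diagrams with a constructed symmetric cipher. The keystream comes from
SHA-256(key || nonce || counter) and is XORed with the data; it stands in for
DES/3DES here and is not a cipher to deploy. All names are this example's own."""
import hashlib

SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 128-bit key
SAMPLE_NONCE = b"\x00" * 8          # constructed; a real sender uses a fresh nonce per datagram
SAMPLE_DATA = b"Transfer 1000 to Gabrielle"                     # constructed plaintext


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key and nonce into `length` pseudorandom bytes, one hash block at a time."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def crypto_fn(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """The Crypto Fn. box: XOR data with the keystream. Because XOR is its own
    inverse, the same function serves as encryption and decryption."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def encryption_function(key: bytes, data: bytes, nonce: bytes = SAMPLE_NONCE) -> bytes:
    """Sender side: Data + Key -> Encrypted Data (what follows the IP Hdr. on the wire)."""
    return crypto_fn(key, nonce, data)


def decryption_function(key: bytes, encrypted: bytes, nonce: bytes = SAMPLE_NONCE) -> bytes:
    """Receiver side: Encrypted Data + Key -> Data."""
    return crypto_fn(key, nonce, encrypted)


def decrypt_after_change_in_transit(key: bytes, encrypted: bytes, byte_index: int) -> bytes:
    """Confidentiality only: if one ciphertext bit is changed in transit, decryption
    still succeeds and silently yields changed data. Nothing here detects it;
    that is the job of the Digest on the following slides."""
    damaged = bytearray(encrypted)
    damaged[byte_index] ^= 0x01
    return decryption_function(key, bytes(damaged))


if __name__ == "__main__":
    enc = encryption_function(SAMPLE_KEY, SAMPLE_DATA)
    print("encrypted:", enc.hex())
    print("decrypted:", decryption_function(SAMPLE_KEY, enc))
    print("after a 1-bit change in transit:", decrypt_after_change_in_transit(SAMPLE_KEY, enc, 9))
```

Run the file directly to see the round trip; the receiver gets the original data back only because it holds the same key, and a one-bit change at byte 9 of the ciphertext turns "1000" into "0000" without any error from the Decryption Function.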
MACs
• Message Authentication Codes, One Way Hashing Functions
• A function that is easy to compute, but for which it is computationally infeasible to find 2 messages M1 and M2 such that h(M1) = h(M2)
• MD5 - RSA (Rivest, Shamir, Adleman); SHA1 - NIST
• MD5 yields a 128 bit digest [3]
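The MAC Function diagram (IP Hdr. + Data + Digest) and the MACs slide above, in code, also serving the MD5 demo slide at the end. This is an added example and not code from the slides: it uses Python's hashlib for the unkeyed Digest (MD5, as the slide names it) and HMAC-SHA-256 for a Keyed Digest, and the datagram bytes, key and function names are this example's own. The comparison shows the check a receiver runs, and why an unkeyed digest only detects changes when the digest itself cannot be replaced.

```python
"""Added example, not from the slides: the MAC Function / Integrity diagram and
the MACs slide in code. An unkeyed Digest (MD5 here, as on the slide) is compared
with a Keyed Digest (HMAC-SHA-256). Function names and sample values are this
example's own."""
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample datagram parts: a 20-byte IP Hdr. and the Data it carries.
SAMPLE_HDR = bytes.fromhex("45000028000040004006" "0000" "c0a80001" "c0a80002")
SAMPLE_DATA = b"PAY 100 USD TO ACCOUNT 4711"
SHARED_KEY = b"constructed-shared-secret"     # known only to the N trusted hosts
HDR_LEN = 20


def digest_bits(algorithm: str) -> int:
    """Digest size of a one-way hash: MD5 gives 128 bits, SHA1 gives 160."""
    return hashlib.new(algorithm).digest_size * 8


def digest(data: bytes) -> bytes:
    """Unkeyed one-way hash (MD5, as named on the slide; 16-byte output)."""
    return hashlib.md5(data).digest()


def keyed_digest(key: bytes, data: bytes) -> bytes:
    """Keyed Digest: an HMAC that only a holder of the shared key can produce."""
    return hmac.new(key, data, hashlib.sha256).digest()


def tag_for(data: bytes, key: Optional[bytes]) -> bytes:
    return keyed_digest(key, data) if key is not None else digest(data)


def make_datagram(hdr: bytes, data: bytes, key: Optional[bytes] = None) -> bytes:
    """Sender: IP Hdr. + Data + Digest (unkeyed if key is None, keyed otherwise)."""
    return hdr + data + tag_for(data, key)


def split_datagram(dgram: bytes, key: Optional[bytes]) -> Tuple[bytes, bytes, bytes]:
    tag_len = 32 if key is not None else 16
    return dgram[:HDR_LEN], dgram[HDR_LEN:-tag_len], dgram[-tag_len:]


def verify_datagram(dgram: bytes, key: Optional[bytes] = None) -> bool:
    """Receiver: recompute the digest over Data and compare with the one received."""
    _, data, tag = split_datagram(dgram, key)
    return hmac.compare_digest(tag_for(data, key), tag)   # constant-time compare


def change_in_transit(dgram: bytes, old: bytes, new: bytes,
                      key: Optional[bytes] = None) -> bytes:
    """Model a datagram altered between sender and receiver. With an unkeyed
    digest, whoever alters Data can recompute the digest to match. With a keyed
    digest the key is not available, so the original digest stays in place."""
    hdr, data, tag = split_datagram(dgram, key)
    data = data.replace(old, new)
    return hdr + data + (tag if key is not None else digest(data))


if __name__ == "__main__":
    for key in (None, SHARED_KEY):
        kind = "unkeyed" if key is None else "keyed"
        sent = make_datagram(SAMPLE_HDR, SAMPLE_DATA, key)
        altered = change_in_transit(sent, b"4711", b"9999", key)
        print(f"{kind}: intact verifies={verify_datagram(sent, key)}, "
              f"altered verifies={verify_datagram(altered, key)}")
```

The unkeyed digest catches accidental corruption, but a datagram whose Data and Digest were both rewritten still verifies; only the keyed digest, which the receiver checks with the shared secret, rejects the altered copy. Current practice uses SHA-2 rather than MD5 or SHA1 for new designs.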
DES
• Data Encryption Standard - U.S. Govt. Standard
• 56 bit key - originally 128 bits
• Absolute elimination of exhaustive search of key space
• U.S. Security Agency Request - Reduce to 56 bits
• Export version CDMF (40 bits)
• Keys are the secrets of algorithms, not the algorithms themselves [4, 5]
[Diagram: IP Hdr. + Encrypted Data + Digest. Properties: Confidentiality & Integrity]
[Diagram: IP Hdr. + Encrypted Data + Digital Signature (Encrypted Digest). Properties: Confidentiality, Integrity, & Authentication]
[Diagram: Data and Key go into CF (the Crypto Function) to give EM (Encrypted Message); Data through the MAC gives a Digest; the Digest and a Key through CF give DS (Digital Signature); Data and Key through the MAC give a Keyed Digest. Note: MAC_Time < CF_Time]
Why would a guy prefer a Digital Signature over a Keyed Digest? Why not?
What types of Security are provided with EM, DS, Digest, Keyed Digest?
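The Asymmetric and Concept slides (keys as inverse functional values) and the Digital Signature as an encrypted Digest, worked through together. This is an added example, not code from the slides: it is textbook RSA with two small constructed primes and no padding, for teaching only, and the key sizes, message and function names are this example's own. A Keyed Digest is included beside it so the two answers to the question above can be compared: the signature is checked with the public key alone, so anyone can verify it and only the private-key holder could have made it, whereas a keyed digest can be produced by every holder of the shared key.

```python
"""Added example, not from the slides: public/private keys as inverse functional
values (the Asymmetric and Concept slides) and a Digital Signature as an
encrypted Digest, set against a Keyed Digest. Textbook RSA with two small
constructed primes and no padding, for teaching only; the modulus is so small
that the digest is truncated to 32 bits to fit under it. Names are this
example's own."""
import hashlib
import hmac
from typing import Tuple

P, Q, E = 1000003, 1000033, 65537          # constructed toy parameters
Key = Tuple[int, int]                       # (exponent, modulus)


def make_keypair(p: int = P, q: int = Q, e: int = E) -> Tuple[Key, Key]:
    """Return (public, private). The private exponent d is the inverse of e mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                     # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def apply_key(key: Key, value: int) -> int:
    """Raise `value` to the key's exponent mod n. Applying the public key undoes
    the private key and vice versa, which is the Concept slide's round trip."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def digest_int(message: bytes) -> int:
    """Digest of the message as an integer below the toy modulus (truncated to 32 bits)."""
    return int.from_bytes(hashlib.sha256(message).digest()[:4], "big")


def sign(private: Key, message: bytes) -> int:
    """Digital Signature: the Digest encrypted with the sender's private key."""
    return apply_key(private, digest_int(message))


def verify(public: Key, message: bytes, signature: int) -> bool:
    """Anyone holding the public key recovers the Digest and compares it with a fresh one."""
    try:
        return apply_key(public, signature) == digest_int(message)
    except ValueError:
        return False


def keyed_digest(key: bytes, message: bytes) -> bytes:
    """Keyed Digest for comparison: any holder of the shared key can produce it,
    so it shows membership in the key-holding group, not which host sent it."""
    return hmac.new(key, message, hashlib.sha256).digest()


if __name__ == "__main__":
    public, private = make_keypair()
    msg = b"buy 500 shares"                 # constructed message
    sig = sign(private, msg)
    print("signature verifies:", verify(public, msg, sig))
    print("tampered message verifies:", verify(public, b"buy 900 shares", sig))
    m = int.from_bytes(b"hi", "big")
    print("public undoes private:", apply_key(public, apply_key(private, m)) == m)
    print("keyed digest:", keyed_digest(b"constructed-shared-secret", msg).hex())
```

The verify step is what gives non-repudiation in the Wall Street story: a host that signed a datagram with its private key cannot later deny it, since nothing but that key produces a value the public key turns back into the message digest. A keyed digest cannot settle the same dispute, because both ends of the shared secret could have computed it.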
Combinations and the security they provide (Msg = message, EM = Encrypted Message, MD = Message Digest, DS = Digital Signature, KD = Keyed Digest; reconstructed from the slide's table):
Msg        No Security
EM         Confidentiality
Msg + MD   Integrity
EM + MD    Conf. & Integrity
Msg + DS   Integrity & Auth.
EM + DS    Conf., Int., & Auth.
Msg + KD   Integrity & Auth.
EM + KD    Conf., Int., & Auth.
Post Presentation Results
You should be familiar with concepts & terms such as
• Integrity, Authentication, Non-repudiation, Confidentiality
• Keys, MACs, Cryptography, Digest, Digital Certificates, Datagram
• High level understanding of some methods to combat some of the above types of Internet mischief
One-Way Hashing Function Demo
• Show MD5 example
Sniffers
• Threads comment
• Show Sniffer.java
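Sniffer.java is not reproduced here. As an added example that is not the deck's code, the block below shows the step every sniffer performs once it holds a frame, decoding the IP Datagram header from the Protocol Flow slide, and then the ingress check a Secure Gateway node from the scenario diagram can apply against spoofed source addresses. The datagram bytes, the private network range and the function names are constructed for this example; header field names follow RFC 791.

```python
"""Added example, not from the slides and not the deck's Sniffer.java: decoding
an IP Datagram header from raw bytes, then the ingress check a Secure Gateway
node can apply to a datagram arriving from the Unprotected Internet. The datagram
is constructed inline so the block runs offline; names are this example's own."""
import ipaddress
import struct
from typing import Dict

# Constructed IPv4 datagram: 20-byte header (checksum 0x9d37 computed for these
# fields) followed by a 19-byte payload.
SAMPLE_DATAGRAM = bytes.fromhex(
    "4500" "0027"      # version 4, IHL 5 words (20 bytes), total length 39
    "1c46" "4000"      # identification, flags DF, fragment offset 0
    "4006" "9d37"      # TTL 64, protocol 6 (TCP), header checksum
    "c0a80001"         # source 192.168.0.1
    "c0a80002"         # destination 192.168.0.2
) + b"constructed-payload"

PRIVATE_NET = ipaddress.ip_network("192.168.0.0/24")   # constructed Private Network range


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over 16-bit words; 0 means a stored checksum verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(datagram: bytes) -> Dict[str, object]:
    """Split an IP Datagram into header fields and payload, rejecting malformed input."""
    if len(datagram) < 20:
        raise ValueError("datagram shorter than a minimal IPv4 header")
    (vihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(datagram) or total_len > len(datagram):
        raise ValueError("not a well-formed IPv4 datagram")
    return {
        "version": version, "header_len": ihl, "total_length": total_len,
        "identification": ident, "flags": flags_frag >> 13,
        "fragment_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto,
        "checksum_ok": ipv4_checksum(datagram[:ihl]) == 0,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "payload": datagram[ihl:total_len],
    }


def looks_spoofed(fields: Dict[str, object], arrived_from_internet: bool) -> bool:
    """Ingress check for a Secure Gateway node: a datagram arriving from the
    Unprotected Internet must not claim a source inside the Private Network."""
    src = ipaddress.ip_address(str(fields["src"]))
    return arrived_from_internet and src in PRIVATE_NET


if __name__ == "__main__":
    fields = parse_ipv4(SAMPLE_DATAGRAM)
    for name, value in fields.items():
        print(f"{name:16} {value!r}")
    print("spoofed if seen on the Internet side:", looks_spoofed(fields, True))
```

On the slide's "Threads comment": capture and decoding are usually separated, with one thread reading frames off the wire and another running a parser like parse_ipv4 over them, so a slow decode does not drop packets.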