Ds
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View Ds as PDF for free.
More details
- Words: 3,718
- Pages: 14
DATASECURITY
Nowadays, “SECURITY” become a more sensible issue either it may be in the “REAL WORLD” or in the “CYBER WORLD”.
As citizens are using network for
banking, shopping, filing their tax returns and other purposes, network security is looming on the horizon as a potentially massive problem. Data security involves not only protection, but also detecting offends of secured communication and attacks on the infrastructure, and then responding to these attacks. The main problems that occurred in network security are secrecy, authentication, nonrepudiation and integrity control. This paper discusses with a perspective view of how a continuous cycle of protection, detection and response can be consistently maintained. Also concerns about different types of security attacks such as spoofing, virus, worm and security mechanisms such as firewalls, cryptography and describes about how security provided in mobile networks. Cryptography is defined as information hiding. Cryptography allows two parties to exchange sensitive information in a secure manner. Cryptography has naturally been extended into the realm of computers such as secure access to private networks, electronic commerce, and health care, and provides a solution to the electronic security and privacy issue. This paper mainly concerns about two types of cryptographic standards such as symmetric and asymmetric algorithms and also the specification and implementation of above methods. And also explained Encryption and Decryption Methods, Digital Signatures, Authentication and Keys. The implementation of public key cryptography requires several supporting components to handle key creation, distribution and revocation –Public Key Infrastructure (PKI).While the implementation of private key cryptography requires encryption and decryption methods which are also specified. Today’s new cryptography system and advanced elliptic curve technology in smartcard technology are also specified.
INTRODUCTION 1. DEFINITION: Security is defined as “a guarantee that an obligation will be met”. In simplest form it is concerned with people trying to access remote services that they are not authorized to use or it is concerned with making sure that nosy people cannot read, or worse yet, modify messages intended for other recipients. Security is a broad topic and covers a multitude of sins. Most security problems intentionally caused by malicious people trying to gain some benefit or harm someone. A few of the most common perpetrators are student, hacker, sales representative, business man, ex-employee, accountant, stock broker, conman, spy, etc. The intruders would first have a panoramic view of the victim’s network and then start digging the holes. Today the illicit activities of the hackers are growing by leaps and bounds. Data security problems can be divided roughly into four intertwined areas: Secrecy, Authentication, NonRepudiation and Integrity control. The solutions for various type of security attacks are provided by cryptography, firewalls etc. a) Secrecy – has to do with keeping information out of the hands of unauthorized users. b) Authentication- deals with determining whom you are talking to before revealing sensitive information or entering into a business deal. c) Non repudiation- deals with signatures d) Data integrity- Ensures that the information exchanged in an electronic transaction is not alterable without detection, typically provided by digital signatures. 2. TYPES OF SECURITY ATTACKS: I.
D enial-of-Service (DoS) attacks (attacks and counter-attacks): User’s system is simply saturated by an excessive workload as the attacker sends spurious traffic into resource. This is DoS attack. Typically, a DoS attack works by creating so much work for the infrastructure under attack that legitimate work cannot be performed. There are two types of DoS attacks: Operating System Attacks and Networking Attacks.
II. PACKET SNIFFING: A Packet sniffer is a program running in a network-attached device that passively receives all data-link layer frames passing by the device’s network adapter. In a broadcast environment such as an Ethernet LAN, this means that the packet sniffer receives all frames being transmitted from or to all hosts on the LAN. III.SPOOFING: Any Network-connected device necessarily sends IP datagrams into the network. These data grams carry the sender’s IP address, as well as upper-layer data. A user with complete control over that device’s software can easily modify the device’s protocols to place an arbitrary IP address into a datagram’s Source Address Field. This is known as IP Spoofing.
IP spoofing is used in DoS attacks to hide the originator(s) of
attack. IV.VIRUS: It’s a piece of code that copies itself into a program and executes when the program runs. Similarly to how viruses attack humans, computer viruses can grow, replicate, travel, and consume resources. There are some other attacks like DDOS, TROJAN HORSE, and WORM etc. 3. Network security in TCP/IP STACK: a. Physical layer: Wild tapping can be foiled by enclosing transmission lines in sealed tubes containing organ gas at high pressure. Any attempt to drill into a tube will release some gas, reducing the pressure and triggering an alarm. Some military systems use this technique. b.
Data link Layer: In packet transmission from one machine to another machine packet have to traverse multiple routers because packets have to be decrypted at each router leaving them vulnerable to attacks from with in the router. Link Encryption method can be easily used.
c.
Network layer: IP Protcol is an Internet Security Protocol for transporting secure traffic across untrusted link. Services provided are Access Control, Connection Less Integrity, Origin Authentication, confidentiality.
IPSec
software can be directly placed into IP Source Code, or under IP Protocol Stack or use a separate piece of equipment and attach it to a host. d. Transport layer:
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are provided security in this layer. e. Application layer: The PGP is used in this layer. 4 .FIRE WALLS:: . DEFINITION: A Firewall is best described as a s/w or h/w or both s/w & h/w packet filter that allows only selected packets to pass through from the internet to a private internal network by listening to all ports on a system attempting to open a connection. When it detects such an attempt, it reacts according to a predefined set of rules. There are two types of firewalls: Packet-filtering firewalls (which operate in network layer) and Application-level gateways (which operate at the application layer). •
WHY GO FOR A FIREWALL? None can connect to the internet solitarily. If somehow a crazy guy
succeeds in finding an IP address he can exploit any vulnerability existing in that systemdamage the data or even use that system to hack other computers. •
HOW A FIREWALL WORKS? This is where the firewalls are inextricable with a secured network. They,
just like their name suggests, protect from unsolicited connection probes, scans and attacks. They listen to all ports for any connection requests received and sent. As such an instance is recorded, it pops up a warning asking whether to allow the connection to initiate or not. This warning message also contains the IP that is trying to initiate connection and also the port number to which it is trying to connect i.e., the port to which the packet was sent. It also protects a system from port scans, DoS attacks, vulnerability attacks etc. •
AN EXAMPLE FIREWALL- “A PROXY SERVER”: Each of the techniques employed by the attackers to obtain the target
system’s IP address can be counter-attacked. A proxy server basically acts as a shield by protecting your IP address form getting into malicious hands. It acts as a very own personal secretary and a buffer between thy and thy host. A proxy server removes the need of a system to receive or send messages directly to the remote host. When any message is intended to be transmitted, then it is actually sent to the proxy server, which in turn passes it on to the remote host. All communication between the two parties is conducted indirectly, via the proxy server. Such a scenario can be depicted in the following manner:
OUR SYS. •
PROXY SERVER
REMOTE SYSTEM
BREAKING THROUGH FIREWALLS: Firewalls can create as many problems as they solve if they are not
implemented properly. Firewalls themselves are vulnerable to security violations. Remember firewalls are not clairvoyant. There are several holes existing in popular firewalls waiting to be exploited. Here, we quote a hole in Zone Alarm Version 2.1.10 to 2.0.26, which allows the attacker to port scan the target system (although normally, it should stop such scans). If one uses port-67 as the source port of a TCP or UDP scan; Zone Alarm will let the packet through and will not notify the user. This means, that one can TCP or UDP port scan a Zone Alarm protected computer as If there was no firewall if one uses port-67 as the source port on the packets. 5. SECURITY IN WIRELESS NETWORKS: The WEP (Wired Equivalent Privacy) Protocol is meant to provide security in 802.11 Networks. It provides both authentication and data encryption between a host and a wireless access point (Base station) using a symmetric shared approach. Steps involved -I. A wireless host first requests authentication by an access point. II. The access point responds to the authentication request with 128-byte nonce value. III. The wireless host encrypts the nonce using the symmetric key that it shares with the access point. CRYPTOGRAPHY Encryption and decryption typically occur using complex mathematical algorithms with the use of a key. The two key-based encryption algorithms are A. symmetric (private key) B. asymmetric (public key)
1. USAGE OF KEYS: Since the key forms the basis of the encryption, its strength against attack is an important feature. An indication of a key’s strength can be obtained from its length – for a given encryption algorithm the longer the key, the stronger the key. Current symmetric encryption technologies typically use 128-bit length keys – this means that there are 2128 different key combinations. Current asymmetric encryption technologies typically use 1024-bit length keys. Finally, note that the key strength becomes weaker as computing power increases. 2. Symmetric (Private key) encryption: Symmetric encryption is the simpler of the two classes of key-based encryption algorithms. In this class, the same key is used to encrypt and decrypt the message as shown in fig.
In the symmetric encryption schemes (the classical form of cryptography) the same key (called the secret key) is used to both encrypt and decrypt the text. The problem with these systems is to transport the secret key from the sender to the receiver, without security exposures. Some systems use only symmetric secret-keys to communicate
securely over public networks, but they are difficult to implement in large organizations and need some extra security procedures like a central "trusted and secure” server. The DES (Data Encryption Standard) algorithm is one good example. In a group of N people wishing to communicate securely, N*(N-1)/2 private keys need to exist. As the number of people N increases, the management of the private keys becomes a costly and cumbersome exercise.
3. Asymmetric (Public key) encryption: Asymmetric cryptosystems (also called public key cryptosystems) use one key the public key to encrypt a message and a different key the private key to decrypt it. Given an encryption key it is virtually impossible to determine the decryption key (and vice versa). The main disadvantage is its slower computing speed when compared to the symmetric encryption (due to its computing complexity). Two different asymmetric algorithms are RSA (Rivest Shamir Adleman) which is permutable (one key may either encrypt or decrypt) and ECDSA (Elliptic Curve Digital Signature Algorithm, a variant of the well-known DSA), that may implement existing algorithms using elliptic curves. The keys are smaller and consequently faster processing times. This is shown in below fig.
Three different formats of messages can be used in public-key cryptosystems:
Encrypted message: A symmetric key encrypts the message and the public key encrypts the symmetric key. Signed message: The message is hashed into a digital fingerprint, which is Encrypted into a digital signature using a private key. Signed and encrypted message: A combination of the above concepts, in which the message is signed using the private key of the sender and after encrypted using the public key. 4. Digital Signatures: An authentication mechanism that enables the creator to attach a code that acts as a signature. The signature guarantees the source and integrity of the file and provides authenticity and integrity. Digital signature solves (I). Information integrity (II). Authentication
(III). Non repudiation
5. AN EXAMPLE CRYPTOGRAPHY SYSTEM:
6. The Implementation of Public Key Cryptography Infrastructure (PKI) Turning the theory of public key cryptography into a useful, real-world system requires more than just the implementation of the core algorithm. A number of supporting operational elements need to be in place before public key cryptography can be used
effectively. The supporting infrastructure is collectively known as Public Key Infrastructure or PKI for short. A PKI consists of a set of policies, procedures and services to support applications of public key cryptography. A PKI can therefore be split into the following components a. A Security Policy c. A Registration Authority (RA)
b. A Certificate Authority (CA) d. A Directory Service
a. Security Policy: The security policy contains definitions of the actual operation of the PKI. The operation of the other PKI components should be detailed here, as well as procedures for key generation, issuance, storage, and revocation. The security policy in effect acts as the framework on which the PKI is built. b. Certificate Authority (CA): However, a key by itself does not contain supporting information such as who it belongs to, who issued the key, and the period over which it is valid. Without this information, then there is nothing linking a public key with its correct owner. The solution takes the form of digital certificates. A certificate contains information linking a specific public key to a specific individual. The current industry standard for digital certificates is the CCITT X.509 international standard. c. Registration Authority (RA): When a user applies for a digital certificate from a CA, the CA has to verify that the applicant is truly who he claims to be. The role of the Registration Authority is to provide this verification. A real-world analogy would be a Notary Public, for example. Certain legal contracts require the signing process to be witnessed by a Notary Public, who acts to verify the signer’s identity. In a similar way, the RA verifies the identity of the applicant and passes the application on to the CA. The degree of rigor applied by the RA during the verification will affect the degree of trust in the digital certificate. d. Directory Service:
In our example with A sending an encrypted message to B, we have not yet discussed where and how A gets hold of B’s certificate. The solution forms another component of a PKI – the directory service. In the same way that you might look in a standard phonebook to look up a telephone number, the directory service allows you to look up the digital certificate for someone to whom you wish to send an encrypted message.
Elliptic Curve Cryptography (A New Trend Cryptography) Since the invention of public-key cryptography,
numerous public-key
cryptographic systems have been proposed. Each of these systems relies on a difficult mathematical problem for its security. None has been proven to be intractable rather, They are believed to be intractable. Implementation of public-key cryptosystems in smart cards has usually been associated with high-end cards, typically with both large memory configurations and a Cryptographic coprocessor. Today, the elliptic curve discrete logarithmic system is provided according to the mathematical problem on which it is based, and considered as both secure and efficient. In 1985, Neal Koblitz and Victor Miller independently proposed public-key systems using a group of points on an elliptic curve, and elliptic curve cryptography (ECC) was born. Today it offers those looking for a smaller, faster public-key system a practical and secure technology for even the most constrained environments. ECC delivers the highest strength per bit of any known public-key system because of the difficulty of the hard problem upon which it is based. This greater difficulty of the hard problem – the elliptic curve discrete logarithm problem (ECDLP) – means that smaller key sizes yield equivalent levels of security. 1. ECC Implementation: An elliptic curve is a set of points specified by two variables that are elements over a field Fq. A field is a set of elements with two custom-defined arithmetic operations, usually addition and multiplication.
ECC requires the use of two types of mathematics: • •
elliptic curve point arithmetic The underlying finite field arithmetic. Most of the computation for ECC takes place at the finite field level. The two most common choices for the underlying finite field are:
• •
F2m, also known as characteristic two or even (containing 2m elements, where m is an integer greater than one) Fp, also known as integers modulo p, odd, or odd prime (containing p elements, where p is an odd prime number). Both of these finite fields are included in draft standards for ECC. Point compression allows the points on an elliptic curve to be represented with
fewer bits of data. In smart card implementations, point compression is essential .It can be accomplished with negligible computation usingF2 SIZE="1">m, but can affect Fp implementations
considerablyF2
SIZE="1">m
hardware
implementations
offer
significant performance and die size advantages over Fp hardware implementations. Existing crypto coprocessors, which are optimized for modular arithmetic over Fp, do not substantially increase the performance of F2 SIZE="1">m modular arithmetic. If the field F2 SIZE="1">m is used as the underlying finite field, then the elements of F2 SIZE="1">m can be represented in two efficient ways .These two ways are. • •
an optimal normal basis representation a polynomial basis representation.
2. Smart Cards and ECC: Smart cards are small, portable, tamper-resistant devices providing users with convenient storage and processing capability. Smart cards are proposed for use in a wide variety of applications such as electronic commerce, identification, and health care. For many of these proposed applications, cryptographic services offered by digital signatures would
be
required.
Smart
cards
also
need
to
be
inexpensive.
Meeting the Implementation Constraints with ECC: (i).Less EEPROM and Shorter Transmission Times: The strength of the ECDLP algorithm means that strong security is achievable with proportionately smaller key and certificate sizes. The smaller key size in turn means that less EEPROM is required to store keys and certificates and that less data needs to be passed between the card and the application so that transmission times are shorter. (ii). Scalability:
As smart card applications require stronger and stronger security (with longer keys), ECC can continue to provide the security with proportionately fewer additional system resources. This means that with ECC, smart cards are capable of providing higher levels of security without increasing their cost. (iii). No Coprocessor: The nature of the actual computations – more specifically, ECC's reduced processing times – also contribute significantly to why ECC meets the smart card platform requirements so well. Other public-key systems involve so much computation that a dedicated hardware device known as a crypto coprocessor is required. With ECC, the algorithm can be implemented in available ROM, so no additional hardware is required to perform strong, fast authentication. Advantages: Since the crypto sensitive operations (signing and decrypting) can be many times faster using ECC than using RSA, ECC is more appropriate for use in secure devices such as smart cards and wireless devices with constrained computational power. The non cryptosensitive (public key) operations can usually be performed in terminal or PC environments that typically have more computational power. Because the RSA cryptosensitive operations require more computational power, they are less suitable for use in constrained environments, and as security (key size) requirements increase in the future, the problem could become worse. Related Cryptography technologies: I. C MS - Cryptographic Message Syntax: The Cryptographic Message Syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary messages. Its main goal is to define the data structures and processes for digitally signing and encrypting other data structures and it can Support a variety of architectures for certificate-based key management, such as the one defined by the PKIX working group. II.
S
SL: The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP. It allows a server to authenticate itself to a client, allows the Client to authenticate itself to the server, and allows both machines to establish an encrypted connection. III. ecure e-mail / S/MIME:
S Security services can be added to each communication link
along a path, or it can be wrapped around the data being sent, so that it is independent of the communication mechanism. Short for Secure Multipurpose Internet Mail Extension -
A new version of the MIME protocol that supports encryption of messages S/MIME is based on RSA's public-key encryption technology.
IV. VPN:
A virtual private network (VPN) is a private data network that makes use of
the Public telecommunication infrastructure - instead of owned or leased lines -maintaining privacy through the use of a tunneling protocol and security procedures. The idea of VPN is to give a company the same capabilities at much lower cost by using the shared public infrastructure rather than a private one. VPNs are an important part of an e-business tool. V.PGP: Pretty Good Privacy is a product family that enables people to securely exchange messages, and to secure files, disk volumes and network connections with both privacy and strong authentication. PGP is a freely available encryption program that protects the privacy of files and electronic mail, using powerful public key.
Conclusion:
The capability of security enabled components still lags behind the claims.
Basic
security challenges in the corporate realm are not yet completely addressed. A case in point is that, E-ATTACKS are becoming notoriously peerless as compared with the traditional nuke-wars. Consequently, in the quench of thirst for more and more secured systems BIOMETRIC SYSTEMS, QUANTUM-CRYPTOGRAPHY and many more are innovatively being implemented at a cumulative pace. If we are not exaggerating, let’s be optimistic of a 100% foolproof, secured global village in the near future Cryptography provides a solution to the problem of information security and privacy. For electronic communications, the techniques of private and public key cryptography are becoming increasingly popular.
BIBLIOGRAPHY: 1. Computer Networks (III edition) Andrew S. Tanenbaum. 2. Smith, Internet Cryptography, Addison-Wesley, 1997. 4. Cheswick and Bellovin, Firewalls and Internet Security, Addison-Wesley, 1994. 5. Simson Garfinkel, PGP: Pretty Good Privacy, O’Reilly, 1995.
Nowadays, “SECURITY” become a more sensible issue either it may be in the “REAL WORLD” or in the “CYBER WORLD”.
As citizens are using network for
banking, shopping, filing their tax returns and other purposes, network security is looming on the horizon as a potentially massive problem. Data security involves not only protection, but also detecting offends of secured communication and attacks on the infrastructure, and then responding to these attacks. The main problems that occurred in network security are secrecy, authentication, nonrepudiation and integrity control. This paper discusses with a perspective view of how a continuous cycle of protection, detection and response can be consistently maintained. Also concerns about different types of security attacks such as spoofing, virus, worm and security mechanisms such as firewalls, cryptography and describes about how security provided in mobile networks. Cryptography is defined as information hiding. Cryptography allows two parties to exchange sensitive information in a secure manner. Cryptography has naturally been extended into the realm of computers such as secure access to private networks, electronic commerce, and health care, and provides a solution to the electronic security and privacy issue. This paper mainly concerns about two types of cryptographic standards such as symmetric and asymmetric algorithms and also the specification and implementation of above methods. And also explained Encryption and Decryption Methods, Digital Signatures, Authentication and Keys. The implementation of public key cryptography requires several supporting components to handle key creation, distribution and revocation –Public Key Infrastructure (PKI).While the implementation of private key cryptography requires encryption and decryption methods which are also specified. Today’s new cryptography system and advanced elliptic curve technology in smartcard technology are also specified.
INTRODUCTION 1. DEFINITION: Security is defined as “a guarantee that an obligation will be met”. In simplest form it is concerned with people trying to access remote services that they are not authorized to use or it is concerned with making sure that nosy people cannot read, or worse yet, modify messages intended for other recipients. Security is a broad topic and covers a multitude of sins. Most security problems intentionally caused by malicious people trying to gain some benefit or harm someone. A few of the most common perpetrators are student, hacker, sales representative, business man, ex-employee, accountant, stock broker, conman, spy, etc. The intruders would first have a panoramic view of the victim’s network and then start digging the holes. Today the illicit activities of the hackers are growing by leaps and bounds. Data security problems can be divided roughly into four intertwined areas: Secrecy, Authentication, NonRepudiation and Integrity control. The solutions for various type of security attacks are provided by cryptography, firewalls etc. a) Secrecy – has to do with keeping information out of the hands of unauthorized users. b) Authentication- deals with determining whom you are talking to before revealing sensitive information or entering into a business deal. c) Non repudiation- deals with signatures d) Data integrity- Ensures that the information exchanged in an electronic transaction is not alterable without detection, typically provided by digital signatures. 2. TYPES OF SECURITY ATTACKS: I.
D enial-of-Service (DoS) attacks (attacks and counter-attacks): User’s system is simply saturated by an excessive workload as the attacker sends spurious traffic into resource. This is DoS attack. Typically, a DoS attack works by creating so much work for the infrastructure under attack that legitimate work cannot be performed. There are two types of DoS attacks: Operating System Attacks and Networking Attacks.
II. PACKET SNIFFING: A Packet sniffer is a program running in a network-attached device that passively receives all data-link layer frames passing by the device’s network adapter. In a broadcast environment such as an Ethernet LAN, this means that the packet sniffer receives all frames being transmitted from or to all hosts on the LAN. III.SPOOFING: Any Network-connected device necessarily sends IP datagrams into the network. These data grams carry the sender’s IP address, as well as upper-layer data. A user with complete control over that device’s software can easily modify the device’s protocols to place an arbitrary IP address into a datagram’s Source Address Field. This is known as IP Spoofing.
IP spoofing is used in DoS attacks to hide the originator(s) of
attack. IV.VIRUS: It’s a piece of code that copies itself into a program and executes when the program runs. Similarly to how viruses attack humans, computer viruses can grow, replicate, travel, and consume resources. There are some other attacks like DDOS, TROJAN HORSE, and WORM etc. 3. Network security in TCP/IP STACK: a. Physical layer: Wild tapping can be foiled by enclosing transmission lines in sealed tubes containing organ gas at high pressure. Any attempt to drill into a tube will release some gas, reducing the pressure and triggering an alarm. Some military systems use this technique. b.
Data link Layer: In packet transmission from one machine to another machine packet have to traverse multiple routers because packets have to be decrypted at each router leaving them vulnerable to attacks from with in the router. Link Encryption method can be easily used.
c.
Network layer: IP Protcol is an Internet Security Protocol for transporting secure traffic across untrusted link. Services provided are Access Control, Connection Less Integrity, Origin Authentication, confidentiality.
IPSec
software can be directly placed into IP Source Code, or under IP Protocol Stack or use a separate piece of equipment and attach it to a host. d. Transport layer:
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are provided security in this layer. e. Application layer: The PGP is used in this layer. 4 .FIRE WALLS:: . DEFINITION: A Firewall is best described as a s/w or h/w or both s/w & h/w packet filter that allows only selected packets to pass through from the internet to a private internal network by listening to all ports on a system attempting to open a connection. When it detects such an attempt, it reacts according to a predefined set of rules. There are two types of firewalls: Packet-filtering firewalls (which operate in network layer) and Application-level gateways (which operate at the application layer). •
WHY GO FOR A FIREWALL? None can connect to the internet solitarily. If somehow a crazy guy
succeeds in finding an IP address he can exploit any vulnerability existing in that systemdamage the data or even use that system to hack other computers. •
HOW A FIREWALL WORKS? This is where the firewalls are inextricable with a secured network. They,
just like their name suggests, protect from unsolicited connection probes, scans and attacks. They listen to all ports for any connection requests received and sent. As such an instance is recorded, it pops up a warning asking whether to allow the connection to initiate or not. This warning message also contains the IP that is trying to initiate connection and also the port number to which it is trying to connect i.e., the port to which the packet was sent. It also protects a system from port scans, DoS attacks, vulnerability attacks etc. •
AN EXAMPLE FIREWALL- “A PROXY SERVER”: Each of the techniques employed by the attackers to obtain the target
system’s IP address can be counter-attacked. A proxy server basically acts as a shield by protecting your IP address form getting into malicious hands. It acts as a very own personal secretary and a buffer between thy and thy host. A proxy server removes the need of a system to receive or send messages directly to the remote host. When any message is intended to be transmitted, then it is actually sent to the proxy server, which in turn passes it on to the remote host. All communication between the two parties is conducted indirectly, via the proxy server. Such a scenario can be depicted in the following manner:
OUR SYS. •
PROXY SERVER
REMOTE SYSTEM
BREAKING THROUGH FIREWALLS: Firewalls can create as many problems as they solve if they are not
implemented properly. Firewalls themselves are vulnerable to security violations. Remember firewalls are not clairvoyant. There are several holes existing in popular firewalls waiting to be exploited. Here, we quote a hole in Zone Alarm Version 2.1.10 to 2.0.26, which allows the attacker to port scan the target system (although normally, it should stop such scans). If one uses port-67 as the source port of a TCP or UDP scan; Zone Alarm will let the packet through and will not notify the user. This means, that one can TCP or UDP port scan a Zone Alarm protected computer as If there was no firewall if one uses port-67 as the source port on the packets. 5. SECURITY IN WIRELESS NETWORKS: The WEP (Wired Equivalent Privacy) Protocol is meant to provide security in 802.11 Networks. It provides both authentication and data encryption between a host and a wireless access point (Base station) using a symmetric shared approach. Steps involved -I. A wireless host first requests authentication by an access point. II. The access point responds to the authentication request with 128-byte nonce value. III. The wireless host encrypts the nonce using the symmetric key that it shares with the access point. CRYPTOGRAPHY Encryption and decryption typically occur using complex mathematical algorithms with the use of a key. The two key-based encryption algorithms are A. symmetric (private key) B. asymmetric (public key)
1. USAGE OF KEYS: Since the key forms the basis of the encryption, its strength against attack is an important feature. An indication of a key’s strength can be obtained from its length – for a given encryption algorithm the longer the key, the stronger the key. Current symmetric encryption technologies typically use 128-bit length keys – this means that there are 2128 different key combinations. Current asymmetric encryption technologies typically use 1024-bit length keys. Finally, note that the key strength becomes weaker as computing power increases. 2. Symmetric (Private key) encryption: Symmetric encryption is the simpler of the two classes of key-based encryption algorithms. In this class, the same key is used to encrypt and decrypt the message as shown in fig.
In the symmetric encryption schemes (the classical form of cryptography) the same key (called the secret key) is used to both encrypt and decrypt the text. The problem with these systems is to transport the secret key from the sender to the receiver, without security exposures. Some systems use only symmetric secret-keys to communicate
securely over public networks, but they are difficult to implement in large organizations and need some extra security procedures like a central "trusted and secure” server. The DES (Data Encryption Standard) algorithm is one good example. In a group of N people wishing to communicate securely, N*(N-1)/2 private keys need to exist. As the number of people N increases, the management of the private keys becomes a costly and cumbersome exercise.
3. Asymmetric (Public key) encryption: Asymmetric cryptosystems (also called public key cryptosystems) use one key the public key to encrypt a message and a different key the private key to decrypt it. Given an encryption key it is virtually impossible to determine the decryption key (and vice versa). The main disadvantage is its slower computing speed when compared to the symmetric encryption (due to its computing complexity). Two different asymmetric algorithms are RSA (Rivest Shamir Adleman) which is permutable (one key may either encrypt or decrypt) and ECDSA (Elliptic Curve Digital Signature Algorithm, a variant of the well-known DSA), that may implement existing algorithms using elliptic curves. The keys are smaller and consequently faster processing times. This is shown in below fig.
Three different formats of messages can be used in public-key cryptosystems:
Encrypted message: A symmetric key encrypts the message and the public key encrypts the symmetric key. Signed message: The message is hashed into a digital fingerprint, which is Encrypted into a digital signature using a private key. Signed and encrypted message: A combination of the above concepts, in which the message is signed using the private key of the sender and after encrypted using the public key. 4. Digital Signatures: An authentication mechanism that enables the creator to attach a code that acts as a signature. The signature guarantees the source and integrity of the file and provides authenticity and integrity. Digital signature solves (I). Information integrity (II). Authentication
(III). Non repudiation
5. AN EXAMPLE CRYPTOGRAPHY SYSTEM:
6. The Implementation of Public Key Cryptography Infrastructure (PKI) Turning the theory of public key cryptography into a useful, real-world system requires more than just the implementation of the core algorithm. A number of supporting operational elements need to be in place before public key cryptography can be used
effectively. The supporting infrastructure is collectively known as Public Key Infrastructure or PKI for short. A PKI consists of a set of policies, procedures and services to support applications of public key cryptography. A PKI can therefore be split into the following components a. A Security Policy c. A Registration Authority (RA)
b. A Certificate Authority (CA) d. A Directory Service
a. Security Policy: The security policy contains definitions of the actual operation of the PKI. The operation of the other PKI components should be detailed here, as well as procedures for key generation, issuance, storage, and revocation. The security policy in effect acts as the framework on which the PKI is built. b. Certificate Authority (CA): However, a key by itself does not contain supporting information such as who it belongs to, who issued the key, and the period over which it is valid. Without this information, then there is nothing linking a public key with its correct owner. The solution takes the form of digital certificates. A certificate contains information linking a specific public key to a specific individual. The current industry standard for digital certificates is the CCITT X.509 international standard. c. Registration Authority (RA): When a user applies for a digital certificate from a CA, the CA has to verify that the applicant is truly who he claims to be. The role of the Registration Authority is to provide this verification. A real-world analogy would be a Notary Public, for example. Certain legal contracts require the signing process to be witnessed by a Notary Public, who acts to verify the signer’s identity. In a similar way, the RA verifies the identity of the applicant and passes the application on to the CA. The degree of rigor applied by the RA during the verification will affect the degree of trust in the digital certificate. d. Directory Service:
In our example with A sending an encrypted message to B, we have not yet discussed where and how A gets hold of B’s certificate. The solution forms another component of a PKI – the directory service. In the same way that you might look in a standard phonebook to look up a telephone number, the directory service allows you to look up the digital certificate for someone to whom you wish to send an encrypted message.
Elliptic Curve Cryptography (A New Trend Cryptography) Since the invention of public-key cryptography,
numerous public-key
cryptographic systems have been proposed. Each of these systems relies on a difficult mathematical problem for its security. None has been proven to be intractable rather, They are believed to be intractable. Implementation of public-key cryptosystems in smart cards has usually been associated with high-end cards, typically with both large memory configurations and a Cryptographic coprocessor. Today, the elliptic curve discrete logarithmic system is provided according to the mathematical problem on which it is based, and considered as both secure and efficient. In 1985, Neal Koblitz and Victor Miller independently proposed public-key systems using a group of points on an elliptic curve, and elliptic curve cryptography (ECC) was born. Today it offers those looking for a smaller, faster public-key system a practical and secure technology for even the most constrained environments. ECC delivers the highest strength per bit of any known public-key system because of the difficulty of the hard problem upon which it is based. This greater difficulty of the hard problem – the elliptic curve discrete logarithm problem (ECDLP) – means that smaller key sizes yield equivalent levels of security. 1. ECC Implementation: An elliptic curve is a set of points specified by two variables that are elements over a field Fq. A field is a set of elements with two custom-defined arithmetic operations, usually addition and multiplication.
ECC requires the use of two types of mathematics: • •
elliptic curve point arithmetic The underlying finite field arithmetic. Most of the computation for ECC takes place at the finite field level. The two most common choices for the underlying finite field are:
• •
F2m, also known as characteristic two or even (containing 2m elements, where m is an integer greater than one) Fp, also known as integers modulo p, odd, or odd prime (containing p elements, where p is an odd prime number). Both of these finite fields are included in draft standards for ECC. Point compression allows the points on an elliptic curve to be represented with
fewer bits of data. In smart card implementations, point compression is essential .It can be accomplished with negligible computation usingF2 SIZE="1">m, but can affect Fp implementations
considerablyF2
SIZE="1">m
hardware
implementations
offer
significant performance and die size advantages over Fp hardware implementations. Existing crypto coprocessors, which are optimized for modular arithmetic over Fp, do not substantially increase the performance of F2 SIZE="1">m modular arithmetic. If the field F2 SIZE="1">m is used as the underlying finite field, then the elements of F2 SIZE="1">m can be represented in two efficient ways .These two ways are. • •
an optimal normal basis representation a polynomial basis representation.
2. Smart Cards and ECC: Smart cards are small, portable, tamper-resistant devices providing users with convenient storage and processing capability. Smart cards are proposed for use in a wide variety of applications such as electronic commerce, identification, and health care. For many of these proposed applications, cryptographic services offered by digital signatures would
be
required.
Smart
cards
also
need
to
be
inexpensive.
Meeting the Implementation Constraints with ECC: (i).Less EEPROM and Shorter Transmission Times: The strength of the ECDLP algorithm means that strong security is achievable with proportionately smaller key and certificate sizes. The smaller key size in turn means that less EEPROM is required to store keys and certificates and that less data needs to be passed between the card and the application so that transmission times are shorter. (ii). Scalability:
As smart card applications require stronger and stronger security (with longer keys), ECC can continue to provide the security with proportionately fewer additional system resources. This means that with ECC, smart cards are capable of providing higher levels of security without increasing their cost. (iii). No Coprocessor: The nature of the actual computations – more specifically, ECC's reduced processing times – also contribute significantly to why ECC meets the smart card platform requirements so well. Other public-key systems involve so much computation that a dedicated hardware device known as a crypto coprocessor is required. With ECC, the algorithm can be implemented in available ROM, so no additional hardware is required to perform strong, fast authentication. Advantages: Since the crypto sensitive operations (signing and decrypting) can be many times faster using ECC than using RSA, ECC is more appropriate for use in secure devices such as smart cards and wireless devices with constrained computational power. The non cryptosensitive (public key) operations can usually be performed in terminal or PC environments that typically have more computational power. Because the RSA cryptosensitive operations require more computational power, they are less suitable for use in constrained environments, and as security (key size) requirements increase in the future, the problem could become worse. Related Cryptography technologies: I. C MS - Cryptographic Message Syntax: The Cryptographic Message Syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary messages. Its main goal is to define the data structures and processes for digitally signing and encrypting other data structures and it can Support a variety of architectures for certificate-based key management, such as the one defined by the PKIX working group. II.
S
SL: The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP. It allows a server to authenticate itself to a client, allows the Client to authenticate itself to the server, and allows both machines to establish an encrypted connection. III. ecure e-mail / S/MIME:
S Security services can be added to each communication link
along a path, or it can be wrapped around the data being sent, so that it is independent of the communication mechanism. Short for Secure Multipurpose Internet Mail Extension -
A new version of the MIME protocol that supports encryption of messages S/MIME is based on RSA's public-key encryption technology.
IV. VPN:
A virtual private network (VPN) is a private data network that makes use of
the Public telecommunication infrastructure - instead of owned or leased lines -maintaining privacy through the use of a tunneling protocol and security procedures. The idea of VPN is to give a company the same capabilities at much lower cost by using the shared public infrastructure rather than a private one. VPNs are an important part of an e-business tool. V.PGP: Pretty Good Privacy is a product family that enables people to securely exchange messages, and to secure files, disk volumes and network connections with both privacy and strong authentication. PGP is a freely available encryption program that protects the privacy of files and electronic mail, using powerful public key.
Conclusion:
The capability of security enabled components still lags behind the claims.
Basic
security challenges in the corporate realm are not yet completely addressed. A case in point is that, E-ATTACKS are becoming notoriously peerless as compared with the traditional nuke-wars. Consequently, in the quench of thirst for more and more secured systems BIOMETRIC SYSTEMS, QUANTUM-CRYPTOGRAPHY and many more are innovatively being implemented at a cumulative pace. If we are not exaggerating, let’s be optimistic of a 100% foolproof, secured global village in the near future Cryptography provides a solution to the problem of information security and privacy. For electronic communications, the techniques of private and public key cryptography are becoming increasingly popular.
BIBLIOGRAPHY: 1. Computer Networks (III edition) Andrew S. Tanenbaum. 2. Smith, Internet Cryptography, Addison-Wesley, 1997. 4. Cheswick and Bellovin, Firewalls and Internet Security, Addison-Wesley, 1994. 5. Simson Garfinkel, PGP: Pretty Good Privacy, O’Reilly, 1995.
