Network Security I
CSCI 4971 / 6968
www.cs.rpi.edu/~yener/TEACHING/Netsec/Spring11/
Bülent Yener
Lecture 1
1/26/11
This presentation is in part based on the slides of W. Stallings
Outline
• Class information
– Network security I and II
• Background and introduction
• Basic concepts: attacks, services, mechanisms
Aim of the Courses
• Our focus is on both Network & Internet Security and Cryptography
• NetSec I focuses on cryptography and basics
• NetSec II builds upon NetSec I and covers advanced topics.
CSCI-4971 and 6968 Network Security
• Basic Cryptography
• Basic Number Theory
• Security Goals
– Authentication, Privacy, Integrity, Key exchange
• Security Solutions
– SSL, PGP, SSH, IPSEC
• Security Practice
– E-mail, IP security, Web security, …
• And more: Internet and Network security issues
Definitions
• Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over a collection of interconnected networks
Standards Organizations
National Institute of Standards & Technology (NIST)
Internet Society (ISOC)
International Telecommunication Union Telecommunication Standardization Sector (ITU-T)
International Organization for Standardization (ISO)
Example
XXX bank wants to provide web banking service to its customers. They have already programmed web pages and applications. Every customer has an id and password to access their account information.
– What are the threats?
– What are the security mechanisms to prevent them?
– What are the security services?
Case Study
[Diagram: Bank Customer, Attacker, Internet, Dial-up Access Server, Bank Network, Web Server, Banking Server]
Security Attacks
• Passive attacks - eavesdropping on, or monitoring of, transmissions to:
– obtain message contents, or
– intercept, or monitor traffic flows
• Active attacks – modification of data stream to:
– masquerade of one entity as some other
– fabricate a message
– replay previous messages
– modify messages in transit
– denial of service
Threats
[Diagram: Bank Customer, Customer ISP, Internet Backbone (carriers), Bank ISP, Bank Network, Web Server, Banking Server; two Attacker nodes]
Targets
• Customer computer
– DoS
– Malicious codes: Virus, Worms
– Attacker may take control of computer
• Customer – Web Server communication
– Eavesdropping
– Man-in-the-middle
» modify, inject and delete messages
– Session hijacking
– DoS: SYN attack
• Internet Infrastructure
– Eavesdropping
– BGP attacks
– Router OS attacks
– DoS
Targets (cont.)
• Web Server
– Stack smashing
– Portable programs
– IP spoofing
– Unsafe Services
– Malicious codes: Virus and worms
– DoS: SYN attack, ping flooding
• Bank Network and Servers
– Use backdoor to access
– Eavesdropping
– Man-in-the-middle: Web Server to Banking Server
– Session hijacking
– DoS
– DNS attack
– Use unsafe services in other servers
– Install malicious codes in other servers
Targets (cont.)
• DNS servers
– DNS cache poisoning
– DNS DoS
Customer Computer
• Physical security
• Strong passwords
• OS security patches
• Application security patches
• Unsafe services
– telnet, ftp, nfs
– rpc, remote commands (rlogin, rsh, …)
– dns, web
• Browser configuration
– Not to accept mobile codes automatically
– Selection of strongest crypto algorithms as default
• Personal Firewall
– Not a Swiss cheese! must be carefully configured
• Virus guard and scanners
Customer-Web Server Comm.
• Authentication
– UserID/Password: “you know”
– Client Certificate: “given to you”
– Prevent stolen client certificates
• Short life time, not feasible!
• Associate certificate to User ID. Accept a certificate if:
– It is valid
» Check authority
» Check expiration date
» Check black list (certificate revocation list)
» Has user correctly proven his knowledge of the private key associated with the certificate
– User entered matching user ID (stored in certificate) and correct password
– Server certificate
– Generate one time session key (we do not want to use our password or private key to provide confidentiality!)
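The acceptance checklist above, as an added example that is not part of the lecture's own material: a small Python function that applies each check in order (authority, expiration, revocation list, proof of the private key, user ID match, password). The certificate, user database and RSA numbers are constructed for illustration; the key is textbook-sized and the proof of private-key knowledge is a signature on a server-chosen nonce.

```python
import hashlib

# Constructed toy data for illustration; a real deployment parses X.509 and trusts a real CA.
TRUSTED_AUTHORITIES = {"ExampleCA"}      # authorities whose certificates the bank accepts
REVOKED_SERIALS = {1002}                 # the "black list" (certificate revocation list)
USER_DB = {"alice": hashlib.sha256(b"correct horse").hexdigest()}  # user ID -> password hash

# Toy textbook RSA key (p=61, q=53): n=3233, e=17, d=2753.  Far too small for real use.
TOY_N, TOY_E, TOY_D = 3233, 17, 2753

CLIENT_CERT = {
    "serial": 1001,
    "issuer": "ExampleCA",
    "subject_user_id": "alice",          # the user ID stored in the certificate
    "not_after": "2011-12-31",           # ISO dates compare correctly as strings
    "public_key": (TOY_N, TOY_E),
}

def sign_nonce(nonce, d=TOY_D, n=TOY_N):
    # Client side: prove knowledge of the private key by signing the server's nonce.
    return pow(nonce, d, n)

def accept_certificate(cert, nonce, proof, entered_user_id, entered_password, today):
    # Apply the slide's checklist in order; return (accepted, reason).
    if cert["issuer"] not in TRUSTED_AUTHORITIES:
        return False, "unknown authority"
    if today > cert["not_after"]:
        return False, "certificate expired"
    if cert["serial"] in REVOKED_SERIALS:
        return False, "certificate revoked"
    n, e = cert["public_key"]
    if pow(proof, e, n) != nonce % n:      # does the proof verify under the certified key?
        return False, "private key not proven"
    if entered_user_id != cert["subject_user_id"]:
        return False, "user ID does not match certificate"
    if USER_DB.get(entered_user_id) != hashlib.sha256(entered_password.encode()).hexdigest():
        return False, "wrong password"
    return True, "accepted"

if __name__ == "__main__":
    nonce = 1234                        # the server's fresh challenge (constructed)
    print(accept_certificate(CLIENT_CERT, nonce, sign_nonce(nonce),
                             "alice", "correct horse", "2011-06-01"))
```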
Customer-Web Server Comm.
• Confidentiality & Integrity
– Key exchange
• Authenticated; must be part of the authentication process
• One time for life time of a session
– Strong crypto algorithms
• Access control at customer and bank side
Customer-Web Server Comm.
[Diagram: message sequence between Client and Server]
Hello
Server Certificate
Client Certificate
Proof: Server Certificate
Proof: Client Certificate
Secret key exchange
Communication with Confidentiality & Integrity with the secret
Looks like SSL!
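The message sequence above, as an added example that is not from the lecture: a toy Python run of the exchange in which each side proves its certificate by signing the other's nonce, the client sends a premaster secret under the server's public key, and both sides derive the same one-time session key, which then protects messages with a keystream and an HMAC tag. The RSA numbers, nonces and messages are constructed; a hash-based keystream stands in for a real cipher, and certificate validation is assumed to have passed already.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA keys as (n, exponent); far too small for real use.
SERVER_PUB, SERVER_PRIV = (3233, 17), (3233, 2753)   # p=61, q=53
CLIENT_PUB, CLIENT_PRIV = (4757, 17), (4757, 3533)   # p=67, q=71

def rsa(msg, key):
    # Textbook RSA: private key signs/decrypts, public key verifies/encrypts.
    n, exp = key
    return pow(msg, exp, n)

def derive_session_key(premaster, client_nonce, server_nonce):
    # One-time key bound to this handshake's nonces, never the password or private key.
    return hashlib.sha256(f"{premaster}|{client_nonce}|{server_nonce}".encode()).digest()

def protect(key, counter, plaintext):
    # Confidentiality: XOR with a SHAKE keystream per message counter; integrity: HMAC tag.
    header = counter.to_bytes(4, "big")
    stream = hashlib.shake_256(key + header).digest(len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    return body, hmac.new(key, header + body, "sha256").digest()

def unprotect(key, counter, body, tag):
    # Verify the tag before decrypting; a body altered in transit or bound to another counter fails.
    header = counter.to_bytes(4, "big")
    if not hmac.compare_digest(hmac.new(key, header + body, "sha256").digest(), tag):
        raise ValueError("integrity check failed")
    stream = hashlib.shake_256(key + header).digest(len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

def handshake(rng=secrets.randbelow):
    # Runs the slide's exchange; returns the session keys derived by client and server.
    client_nonce = rng(SERVER_PUB[0])   # Hello: fresh challenge for the server
    server_nonce = rng(CLIENT_PUB[0])   # server's challenge for the client
    # Server Certificate + Proof: server signs the client's nonce with its private key.
    server_proof = rsa(client_nonce, SERVER_PRIV)
    if rsa(server_proof, SERVER_PUB) != client_nonce:
        raise ValueError("server did not prove its certificate")
    # Client Certificate + Proof: client signs the server's nonce with its private key.
    client_proof = rsa(server_nonce, CLIENT_PRIV)
    if rsa(client_proof, CLIENT_PUB) != server_nonce:
        raise ValueError("client did not prove its certificate")
    # Secret key exchange: client sends a premaster secret under the server's public key.
    premaster = rng(SERVER_PUB[0])
    server_premaster = rsa(rsa(premaster, SERVER_PUB), SERVER_PRIV)
    return (derive_session_key(premaster, client_nonce, server_nonce),
            derive_session_key(server_premaster, client_nonce, server_nonce))
```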
SSL
• What is SSL?
– Secure Sockets Layer
– Provides secure communication between you and the server
– How do you know that it is active:
• The lock shown by your browser
– When the lock is closed or unbroken
• Web address starting with HTTPS
Model for Network Security
[Figure: model for network security]
Model for Network Security
• Using this model requires us to:
– design a suitable algorithm for the security transformation
– generate the secret information (keys) used by the algorithm
– develop methods to distribute and share the secret information
– specify protocols enabling the principals to use the transformation and secret information for a security service
Model for Network Access Security
[Figure: model for network access security]
Model for Network Access Security
• Using this model requires us to:
– select appropriate gatekeeper functions to identify users
– implement security controls to ensure only authorised users access designated information or resources
• Trusted computer systems can be used to implement this model
How SSL Works?
• How SSL works?
– Authentication:
• Uses Digital certificates
– Privacy
• Encrypts the data
– Integrity
• Generates a digest from the data
SSL - Authentication
• Your browser authenticates the web server just like a bank teller authenticates you!
– They both ask for an ID
• Bank teller asks you to show a picture ID (Driver’s License, Passport)
• Your browser asks for a certificate
– They both trust the issuer of ID
• Bank teller trusts Department of Motor Vehicle
– DMV checks birth certificate to issue the license
• Your browser trusts certificate authorities
– VeriSign, Entrust, RSA, AOL
SSL – Authentication (cont…)
– They both validate the ID
• Bank teller checks whether it is a real ID:
– Is it like a real license of the NY DMV?
– Does picture and name match?
– Expiration date?
• Your browser checks whether it is a real certificate:
– Is it like a real certificate of the certificate authority under consideration?
– Does ID, Name and/or other information match?
– Expiration date?