Post on 22-Dec-2015
Laboratory for Reliable Laboratory for Reliable ComputingComputingDepartment of Electrical Department of Electrical EngineeringEngineeringNational Tsing Hua UniversityNational Tsing Hua UniversityHsinchu, TaiwanHsinchu, Taiwan
Security Processor: A ReviewSecurity Processor: A Review
Chih-Pin Su and Cheng-Wen Wu
Chih-Pin Su 2
OutlineOutline Introduction to Security System
Security service, mechanism and algorithm
Security System Architecture
Conclusion
Chih-Pin Su 3
ReferenceReference “Cryptography and Network Security”, William Stalli
ngs “Network Processors: Architectures, Protocols and, Pl
atforms”, Panos C. Lekkas “SSL: Foundation for Web Security” , William Stalling
s, IPJ, Vol.1, No.1 “Security: Adding Protection to the Network via the Ne
twork Processor”, Intel Technology journal, Vol.6, Issue 3, P40-49
Chih-Pin Su 4
Security RequirementSecurity Requirement Access Control – unauthorized users are kept
out
Authentication – Assurance of identity of person or originator of data
Confidentiality – Protection from disclosure to unauthorized person
Integrity – Maintain data consistency, protection against unauthorized data alternation
Non-repudiation – Originator of communications can not deny it later
Availability – Legitimate users have access when they need it
Chih-Pin Su 5
Security ThreatSecurity Threat Information disclosure
Integrity violation
Masquerading
Denial of service
Illegitimate use
Generic threat: backdoors, Trojan horses, insider attacks
Chih-Pin Su 6
Security ServiceSecurity Service From Open System Interconnection (OSI)
definition Access Control Authentication Confidentiality Integrity Non-repudiation
ITU-TT, X.800: Security Service of OSI
Chih-Pin Su 7
Security MechanismsSecurity Mechanisms Three basic building blocks are used
Encryption is used to provide confidentiality, can provide authentication and integrity protection
Digital signatures are used to provide authentication, integrity protection, and non-repudiation
Checksums/hash algorithms are used to provide integrity, can provide authentication
Multiple security mechanisms are combined to provide a security service
Chih-Pin Su 8
Service, Mechanism, AlgorithmService, Mechanism, Algorithm Services are built from Mechanisms
Mechanisms are implemented using algorithms
SSL
Signatures Encryption Hashing
RSA DSA AES SHA1MD5DES
Service (in security
Protocol)
Mechanism
Algorithm
Chih-Pin Su 9
Conventional EncryptionConventional Encryption Using a shared key
Problem of transferring a large message in secret reduced to transferring a small key in secret
Also called Private- or Symmetric-Key Encryption Block cipher and stream cipher Cryptographic mode – ECB, CBC, CFB, OFB mode
Chih-Pin Su 10
Public-Key EncryptionPublic-Key Encryption Uses matched public/private key pairs
Asymmetric-key encryption
Anyone can encrypt with the public key, only one person can decrypt with the private key
Chih-Pin Su 11
Key AgreementKey Agreement Allow two parties to agree on a shared key
Provides part of the required secured channel for exchanging a conventional encryption key
Chih-Pin Su 12
Hash FunctionHash Function Create a unique “fingerprint” for a message
Anyone can alter the message and create a new hash value
Chih-Pin Su 13
MACMAC Message Authentication Code, adds a
password/key to a hash Only password/key holder can generate the MAC HMAC-SHA, HMAC-MD5
Chih-Pin Su 14
Digital SignaturesDigital Signatures Combines a hash with a digital signature
algorithm
Chih-Pin Su 15
Message/Data EncryptionMessage/Data Encryption Combines symmetric- and asymmetric-key
encryption
Chih-Pin Su 17
SSLSSL Secure Socket Layer – TCP/IP socket encryption
Usually authenticates server using digital signature
Can authenticate client but never used
Confidentiality protection via encryption
Integrity protection via MAC’s
Provides end-to-end protection of communication sessions
Chih-Pin Su 18
SSL HandshakeSSL Handshake Negotiate the cipher suite
Established a shared session key
Authenticate the server (opt.)
Authenticate the client (opt.)
Authenticate previously exchange data
Chih-Pin Su 20
Popular Security AlgorithmPopular Security Algorithm Hash algorithm: HMAC-MD5, HMAC-SHA1,
RIPEMD-128/160
Encryption algorithm: DES/3DES, AES, ARC4
Public Key algorithm: RSA, DSA sign and verify, ECC
Chih-Pin Su 21
Key ManagementKey Management Key management is the hardest part of
cryptography
Two classes of keys Short-term session keys
Generated automatically and invisibly Used for one message or session and discarded
Long-term keys Generated explicitly by the user
Long-term keys are used for two purposes Authentication (including access control, integrity, and non-
repudiation) Confidentiality (encryption)
Establish session keys Protect stored data
Chih-Pin Su 22
Key Management ProblemKey Management Problem Key certification
Key distribution Obtaining someone else’s public key Distributing your own public key
Establishing a shared key with another party Confidentiality: Is it really known only to the other party? Authentication: is it really shared with the intended party?
Key storage Secure storage of keys
Revocation Revoking published key Determining whether the published key is still valid
Chih-Pin Su 23
Key DistributionKey Distribution A Certification Authority (CA) solve the problem
Intercept!
Chih-Pin Su 24
Functional Block of Network ProcessingFunctional Block of Network Processing
Host
Processing
Switch Fabric chip
PHY layer chip
Queuing
CompressionEncryption
Modification
Lookup/classification
Parsing/Framing
Slow
Path
Processing
Transmission medium
Chih-Pin Su 25
Security System Architecture (1)Security System Architecture (1) Look-aside architecture
Switch Fabric
Network
Processor
PHY/MAC
Security
Coprocessor
Host CPU
subsystem
SDRAMSession
Statememory
Incoming trafficOutgoing traffic
Chih-Pin Su 26
Security System Architecture (2)Security System Architecture (2) Flow-through architecture
Switch Fabric
Network
Processor
PHY/MAC
Security
Coprocessor
Host CPU
subsystem
SDRAMSession
Statememory
Incoming trafficOutgoing traffic