1

Cryptography and NetworkSecurity

2

About This CourseSuggested books

Cryptography: Theory and Practiceby Douglas R. Stinson CRC press

Cryptography and Network Securit Principles and Practice; By Willia Stallings Prentice Hall

Handbook of Applied Cryptography byAlfred J. Menezes, Paul C. van Oorschotand Scott A. Vanstone, CRC Press I have electronic version!

y:m

3

Course OrganizationIn t roduct ionConvent ional

Encrypt ionBlock CiphersPubl ic Key Sys temKey ManagementHash Funct ion and

Digi ta l S ignatureIdent i f ica t ionSecre t Shar ingEmai l Secur i tyOthers

4

Introduction

5

Information Security

6

C.I.A Confidentiality, Integrity and Availability

Information Systems are decomposed inthree main portions, hardware, softwareand communications with the purpose to identify and apply information

security industry standards, as mechanisms of protection and prevention, at three levels or layers: Physical, personal and organizational

7

Various Securities Data security

Data security is the means of ensuring that data is kept safe from corruption and that access to it is suitably controlled.

Computer Security The objective of computer security includes protection of

information and property from theft, corruption, or natural disaster, while allowing the information and property to remain accessible and productive to its intended users.

Malware: malicious software includes computer viruses, worms, trojan horses, most

rootkits, spyware, dishonest adware,

Network Security protect the network and the network-accessible resources from

unauthorized access, consistent and continuous monitoring andmeasurement of its effectiveness

8

Network Security network security and information security are often

used interchangeably

network security is generally taken as providing protection at the boundaries of an organization

Network security starts from authenticating any user, most likely ausername and a password

An intrusion prevention system (IPS) helps detect and prevent such malware. IPS also monitors for suspicious network trafficfor contents, volume and irregularities to protect the networkfrom attacks such as denial of service

9

Network Security Model

Trusted Third Party

Principal

(receiver)

Principal

(sender)

Security transformation

Security transformation

attacker

10

Attacks, Services andMechanisms Security Attacks

Action compromises the information security Could be passive or active attacks

Security Services Actions that can prevent, detect such attacks. Such as authentication, identification, encryption, signature, secret

sharing and so on.

Security mechanism The ways to provide such services Detect, prevent and recover from a security attack

11

Attacks Passive attacks

Interception Release of message contents Traffic analysis

Active attacks Interruption, modification, fabrication

Masquerade Replay Modification Denial of service

12

Information Transferring

13

Attack: Interruption

Cut wire lines, Jam wireless

signals,Drop packets,

14

Attack: Interception

Wiring, eavesdrop

15

Attack: Modification

intercept Replaced info

16

Attack: Fabrication

Also called impersonation

Ali: this is…

Ali: this is…

17

Attacks, Services andMechanisms Security Attacks

Action compromises the information security Could be passive or active attacks

Security Services Actions that can prevent, detect such attacks. Such as authentication, identification, encryption,

signature, secret sharing and so on.

Security mechanism The ways to provide such services Detect, prevent and recover from a security attack

18

Important Services of Security Confidentiality, also known as secrecy:

only an authorized recipient should be able to extract the contents of the message from its encrypted form. Otherwise, it should not be possible to obtain any significant information about the message contents.

Integrity: the recipient should be able to determine if the message has been

altered during transmission. Authentication:

the recipient should be able to identify the sender, and verifythat the purported sender actually did send the message.

Non-repudiation: the sender should not be able to deny sending the message.

19

Secure Communication protecting data locally only solves a minor part of

the problem.

The major challenge that is introduced by the Web Service security requirements is to secure datatransport between the different components.

Combining mechanisms at different levels of the Web Services protocol stack can help secure datatransport (see figure next page).

20

Secure Communication

XML DOCUMENTMessage protocol layer

21

Secure Communication The combined protocol HTTP/TLS or SSL is often

referred to as HTTPS. SSL was originally developed byNetscape for secure communication on the Internet, andwas built into their browsers. SSL version 3 was thenadopted and standardized as the Transport Layer Security(TLS) protocol.

Use of Public Key Infrastructure (PKI) for session keyexchange during the handshake phase of TLS has beenquite successful in enabling Web commerce in recentyears.

TLS also has some known vulnerabilities: it is susceptible to man-in-the-middle attacks and denial-of-service attacks.

22

SOAP security SOAP (Simple Object Access Protocol) is designed to pass through

firewalls as HTTP. This is disquieting from a security point of view. Today, the only way we can recognize a SOAP message is by parsingXML at the firewall. The SOAP protocol makes no distinctionbetween reads and writes on a method level, making it impossible tofilter away potentially dangerous writes. This means that a method either needs to be fully trusted or not trusted at all.

The SOAP specification does not address security issues directly,but allows for them to be implemented as extensions. As an example, the extension SOAP-DSIG defines the syntax and

processing rules for digitally signing SOAP messages and validating signatures. Digital signatures in SOAP messages provide integrity and non-repudiation mechanisms.

23

PKI PKI key management provides a sophisticated framework for

securely exchanging and managing keys. The two main technological features, which a PKI can provide to Web Services, are: Encryption of messages: by using the public key of the recipient Digital signatures: non-repudiation mechanisms provided by PKI and

defined in SOAP standards may provide Web Services applications with legal protection mechanisms

Note that the features provided by PKI address the same basic needs as those that are recognized by the standardization organizations as being important in a Web Services context.

In Web Services, PKI mainly intervenes at two levels: At the SOAP level (non-repudiation, integrity) At the HTTPS level (TLS session negotiation, eventually assuring

authentication, integrity and privacy)