Security Engineering and PKI Applications in Modern Enterprises

Mohamed HAMDI, National Digital Certification Agency

6/4/2015 (date posted: 19-Dec-2015)


PLAN

– Building a secure infrastructure
– Managing trust
– General guidelines
– Building Incident Response Teams (IRTs)


Building a Secure Infrastructure


Basic security requirements

 

 

 

Security Requirement: Definition

– Authentication: Guarantees that a person or system is exactly who or what they claim to be.
– Availability: Protects against loss of system operation as a result of malicious code, request flooding and penetration attempts.
– Data Integrity: Protects against unauthorized changes in data, whether they are intentional or accidental.
– Confidentiality: Protects against the disclosure of information to unauthorized users. Encryption is typically used to assure confidentiality when information is transmitted over networks.
– Non-Repudiation: Protects against a person denying later that a communication or transaction took place as recorded.
– Access Control: Provides access to authorized users while denying access to unauthorized users.
– Auditing: Monitors intentional or unintentional misuse of security features.


Organizational Issues (1)

Computer security should be integrated in the management process

1. Security responsibilities and roles should be clearly defined (security division, security officer, etc.)

2. Security programs should be built

3. Security should be periodically reassessed


Organizational Issues (2)

Computer security should be cost-effective

1. Security decisions should involve hybrid personnel (technical, administrative)

2. Security programs should aim at protecting the most sensitive assets against the most frequent attacks by making the least expensive decisions

3. Concessions should be made as zero-risk situations are not reachable


Human Resources

System users should
– be aware of the importance of security
– apply security practices
– react appropriately to security incidents

An awareness promotion program has to be developed


Awareness Promotion Program (APP)

The APP should
– apply to all users
– be suitable to users’ roles and scientific background
– be continuous (follow technology progress)

Key issues include
– password protection
– social engineering recognition
– incident notification and reaction


Hardware and Software Equipment

Most common security solutions are:
– Routers
– Firewalls
– Intrusion Detection Systems
– Virtual Private Network (VPN) Gateways


Routers

Designed to transmit packets between networks according to IP addresses

May include Access Control Lists (ACLs)


Firewalls

A gateway between two networks having different security levels
– All traffic must pass through the firewall
– The firewall must allow only authorized traffic to pass
– The firewall is supposed to be immune against penetration and compromise


Firewalls: types

Packet filters
– Operate at the network level of the OSI model
– Static packet filtering / stateful inspection

Proxies
– Act at the application level
– Provide services for specific protocols


IDSs

Intrusion detection: detecting unauthorized, inappropriate or anomalous activity

Classification I
– Host-based IDSs
– Network-based IDSs

Classification II
– Signature-based IDSs
– Anomaly-based IDSs


IDS reactivity

An IDS can have different reactions
– Generating alarms
– Blocking ports
– Blocking connections
– Responding to malicious actions


VPN Gateways

Allow the establishment of encrypted tunnels between networks and sub-networks

Can be implemented inside firewalls and routers


Security Documents (1)

1. Security strategy
– Technology-independent
– Applicable to all assets
– Long lifetime
– Severe update policy

2. Security policy
– Implementation of security rules according to a given technology
– Three constraints: standards conformance, feasibility, implementation cost


Security Documents (2)

3. Security practices
– Simple rules that have to be followed by users during their interaction with the system
– Apply to humans
– Frequently updated


Managing Trust


Managing Trust (1)

Basic implementations of security mechanisms do not fulfill security policy requirements

Authentication is often based on
– IP addresses
– E-mail addresses
– Passwords and personal data


Managing trust (2)

Masquerade opportunity

Less confidence in the system

[Figure labels: Malicious User, Normal User]


Asymmetric cryptosystem

Based on key pairs (public key, private key)
– What is encrypted by the public key is decrypted by the private key
– What is encrypted by the private key is decrypted by the public key
– Multiple copies of a public key can exist
– Only one copy of the private key exists (held by its user)

Guarantees authentication, non-repudiation, confidentiality and integrity


Authentication, non-repudiation, integrity (1)

[Figure labels: Message, Hash Process, Message Digest, Sender’s Private Key, Digital Signature, Digitally Signed Message]


Authentication, non-repudiation, integrity (2)

[Figure labels: Digitally Signed Message, Message, Message Digest, Digital Signature, Sender’s Public Key, Message Digest]

Message Digest = Message Digest: authentication, non-repudiation, integrity


Authentication, non-repudiation, integrity (2)

[Figure labels: Digitally Signed Message, Message, Message Digest, Digital Signature, Sender’s Public Key, Message Digest]

At least one requirement has been violated


Confidentiality

[Figure labels: Sender, Receiver, Digitally Signed Message, Recipient’s Public Key, Encrypted Message, Recipient’s Private Key]


Asymmetric cryptosystems: Are they sufficient?

Digital signatures can be used to verify that a message has been delivered unaltered and to verify the identity of the sender by public key

A proof of possession of key materials is needed


Public Key Infrastructure (PKI)

[Figure: parties A, B and C]

B does not trust A

A trusts C, B trusts C


Public Key Infrastructure (PKI)

[Figure: parties A, B and C]

C is a trusted third party

B can trust A if C guarantees his identity


Certification Authority (CA)

A trusted third party that delivers digital certificates

[Figure: parties A, B and C]


Digital Certificates

User information:

– (e-mail, URL, IP address)
– City, Country, etc.

CA information

User public key

CA signature


Accessing Public Keys

[Figure labels: Directory Server, A, B, A’s certificate, A’s public key, Encrypted Message, A’s private key]


Verifying certificates

[Figure labels: Directory Server, A, B, Certificate Revocation List, B’s private key, Signed Message, B’s public key]
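
The hash, sign and compare flow from the "Authentication, non-repudiation, integrity" slides, together with the receiver's certificate checks from the PKI slides (CA signature, Certificate Revocation List), as one added example that is not part of the original presentation. It uses textbook RSA without padding on small constructed primes, for illustration only; the function names, certificate fields, serial number and sample values are assumptions.

```python
import hashlib

E = 65537  # public exponent for every toy key (assumption)

def keypair(p, q):
    """Textbook RSA key pair from two primes: (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data, n):
    """Hash process: SHA-256 message digest as an integer below n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):  # digest transformed with the private key
    n, d = private
    return pow(digest(data, n), d, n)

def verify(data, signature, public):  # recovered digest == fresh digest?
    n, e = public
    return pow(signature, e, n) == digest(data, n)

def tbs(cert):
    """Bytes the CA signs: serial, user information, user public key."""
    n, e = cert["public"]
    return f'{cert["serial"]}|{cert["subject"]}|{n}|{e}'.encode()

def issue(serial, subject, public, ca_private):
    """CA binds an identity to a public key by signing the certificate."""
    cert = {"serial": serial, "subject": subject, "public": public}
    return {**cert, "ca_signature": sign(tbs(cert), ca_private)}

def accept(message, signature, cert, ca_public, crl):
    """B's checks, in order; returns 'ok' or the reason for rejection."""
    if not verify(tbs(cert), cert["ca_signature"], ca_public):
        return "certificate not signed by trusted CA"
    if cert["serial"] in crl:
        return "certificate revoked"
    if not verify(message, signature, cert["public"]):
        return "signature mismatch"
    return "ok"

# Constructed sample values; Mersenne primes keep the toy keys short.
CA_PUB, CA_PRIV = keypair(2**127 - 1, 2**107 - 1)  # C, trusted third party
A_PUB, A_PRIV = keypair(2**89 - 1, 2**61 - 1)      # A, the sender
CERT_A = issue(1001, "a@example.test", A_PUB, CA_PRIV)
MSG = b"pay 100 to B"
SIG = sign(MSG, A_PRIV)

for m, crl in ((MSG, set()), (b"pay 900 to B", set()), (MSG, {1001})):
    print(accept(m, SIG, CERT_A, CA_PUB, crl))
```

A deployed system would rely on a vetted library with padded signatures and X.509 certificate handling rather than this toy arithmetic.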