International Journal of Network Security & Its Applications
Network Security Applications
Network Security Applications 2
Agenda
▪ Introduction
▪ An Authentication Application
▪ A Web Security Standard
▪ Summary
▪ References
Introduction
Network security applications:
▪ Authentication Applications (Kerberos)
▪ Web Security Standards (SSL/TLS)
▪ Email Security
▪ IP Security
Kerberos: An Authentication Application
Overview
▪ Kerberos is a trusted third-party authentication protocol designed for TCP/IP networks (developed at MIT)
▪ A Kerberos service on the network acts as a trusted arbitrator
▪ Kerberos allows clients to access different entities (clients/servers) on the network
The Kerberos Model
▪ Kerberos keeps a database of clients and their secret keys
▪ Services requiring authentication, as well as their clients, register their secret keys with Kerberos
▪ Kerberos creates a shared session key and gives it to client and server (or two clients) to encrypt messages
▪ Kerberos uses DES for encryption
▪ Kerberos Version 4 provided a weak nonstandard mode for authentication
▪ Kerberos Version 5 uses CBC mode
How Kerberos Works
1. A client requests a ticket for a TGS (Ticket-Granting Service) from Kerberos
2. Kerberos sends the ticket to the client, encrypted in client’s secret key
3. To use a particular service, client requests a ticket from TGS
4. TGS issues and sends a ticket to the client, encrypted with the server's secret key
- The ticket is used by server to ensure that it is the same client to whom the ticket was issued
- Client can use the ticket multiple times to access the server until the ticket expires
5. Client presents ticket to server with an authenticator (the authenticator contains client’s name and a timestamp, encrypted with the shared session key)
- Unlike a ticket, an authenticator can only be used once
- The client can generate authenticators as needed using the shared secret key
6. If client credentials (ticket + authenticator) are correct, server provides access to service
[Figure: Kerberos message flow among Client, Kerberos, TGS and Server, steps 1 to 5]
Security of Kerberos
▪ It may be possible to cache and replay old authenticators. Although timestamps are supposed to prevent this, replays can be done during the lifetime of the ticket
▪ Authenticators assume all clocks in the network are synchronized. If a host is fooled about the correct time, an old authenticator can be replayed
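The following Python is an added example, not code from the slides or from MIT Kerberos. It models steps 4 to 6 of the flow above (service ticket sealed under the server's key, authenticator sealed under the session key, server-side verification) and shows the two defender-side checks the replay caveat calls for: a clock-skew window on the authenticator's timestamp and a replay cache of authenticators already accepted within a ticket's lifetime. The "encryption" is a toy keystream plus HMAC standing in for DES-CBC, and MAX_SKEW, the field names and the JSON layout are constructed for the example.

```python
import hashlib, hmac, json, os

MAX_SKEW = 300  # tolerated clock drift in seconds (constructed value, not from the slides)

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key, obj):
    # Toy authenticated encryption standing in for Kerberos' DES-CBC; not real Kerberos code.
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def tgs_issue_ticket(server_key, client, lifetime, now):
    """Step 4: the TGS seals a service ticket (client, session key, expiry) under the server's key."""
    session_key = os.urandom(32)
    ticket = encrypt(server_key, {"client": client, "skey": session_key.hex(), "expires": now + lifetime})
    return ticket, session_key  # the session key also goes to the client, sealed under its own key

def make_authenticator(session_key, client, now):
    """Step 5: the client seals its name and a fresh timestamp under the shared session key."""
    return encrypt(session_key, {"client": client, "ts": now})

class Server:
    def __init__(self, key):
        self.key, self.seen = key, set()  # replay cache of (client, timestamp) pairs already accepted

    def verify(self, ticket, authenticator, now):
        """Step 6: grant access only for a valid ticket plus a fresh, never-seen authenticator."""
        t = decrypt(self.key, ticket)
        if now > t["expires"]:
            return "ticket expired"
        a = decrypt(bytes.fromhex(t["skey"]), authenticator)
        if a["client"] != t["client"]:
            return "authenticator does not match ticket"
        if abs(now - a["ts"]) > MAX_SKEW:
            return "authenticator outside clock-skew window"
        if (a["client"], a["ts"]) in self.seen:
            return "replayed authenticator"
        self.seen.add((a["client"], a["ts"]))
        return "ok"
```

The same ticket is accepted repeatedly with fresh authenticators until it expires, while a captured authenticator presented a second time is rejected by the cache even though its timestamp is still inside the skew window.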
▪ Password-guessing attacks: an intruder can collect tickets and then try to decrypt them. The average user doesn't usually choose good passwords
▪ Malicious software: Kerberos relies on its software being trustworthy. It is possible to replace all client Kerberos software with a version that records passwords
▪ New enhancements to Kerberos include an implementation of public-key cryptography and a smart-card interface for key management
SSL/TLS: A Web Security Standard
Overview
Web security threats:
▪ Location
● Server or client (System Security)
● Network traffic (Web Security)
▪ Type
● Passive attacks
● Active attacks
▪ Passive attacks include accessing network traffic between browser and server, accessing restricted information on a website, etc.
▪ Active attacks include impersonating another user, altering messages in traffic, altering information on a website, etc.
▪ Netscape originated the SSL (Secure Sockets Layer) protocol to provide a reliable secure service on TCP
▪ TLS (Transport Layer Security) is the Internet standard version of SSL
▪ TLS is very similar to SSLv3
Connections and Sessions
▪ A connection is a transport that provides a suitable type of service
▪ A session is an association between a client and a server
▪ Sessions define a set of security parameters which can be shared among multiple connections
▪ A number of states are associated with each session
▪ During the handshake, pending read and write states are created
▪ Upon successful conclusion of the handshake, the pending states become the current states
SSL Architecture
▪ Layer 1 (provides basic security services to higher-layer protocols such as HTTP):
● Record Protocol
▪ Layer 2 (manages SSL exchanges):
● Handshake Protocol
● Change Cipher Spec Protocol
● Alert Protocol
[Figure: SSL Architecture]
1. Record Protocol
Provides:
▪ Confidentiality: a shared secret key is used for encryption
▪ Message Integrity: a shared secret key is used to form a MAC (message authentication code)
1) Fragments data into blocks
2) Compresses the data (optional)
3) Applies a MAC
4) Encrypts using a symmetric cipher such as AES or RC4
5) Adds a header (length, SSL version, etc.)
6) Transmits in a TCP segment
Received data are:
1) Decrypted
2) Verified
3) Decompressed
4) Reassembled
5) Delivered to higher levels
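The following Python is an added example, not code from the slides or from any SSL/TLS implementation. It carries the sender's six steps and the receiver's five steps through on realistic input: 40 KiB of application data is fragmented at the 16 KiB record limit, compressed, MACed with a per-direction sequence number, encrypted and given a 5-byte header; the receiver reverses the order and rejects a tampered or reordered record before decompressing anything, which is the condition the Alert Protocol reports as bad_record_mac. The cipher is a toy SHA-256 keystream standing in for AES/RC4, and the class and field names are constructed.

```python
import hashlib, hmac, zlib

MAX_FRAGMENT = 2 ** 14  # SSL/TLS record payload limit (16 KiB)
CONTENT_APP_DATA = 23   # record content type for application data

def _keystream(key, seq, n):
    # Toy stream cipher (SHA-256 in counter mode) standing in for AES/RC4; not a real TLS cipher.
    blocks = (hashlib.sha256(key + seq.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

class RecordLayer:
    def __init__(self, mac_key, enc_key, version=(3, 1), compress=True):
        self.mac_key, self.enc_key = mac_key, enc_key
        self.version, self.compress = version, compress
        self.write_seq = self.read_seq = 0  # per-direction sequence numbers fed into the MAC

    def send(self, data):
        """Sender: fragment, compress, MAC, encrypt, then prepend the record header."""
        records = []
        for i in range(0, len(data), MAX_FRAGMENT):
            frag = data[i:i + MAX_FRAGMENT]
            if self.compress:
                frag = zlib.compress(frag)
            seq = self.write_seq.to_bytes(8, "big")
            mac = hmac.new(self.mac_key, seq + frag, hashlib.sha256).digest()
            body = frag + mac
            ct = bytes(a ^ b for a, b in zip(body, _keystream(self.enc_key, self.write_seq, len(body))))
            header = bytes([CONTENT_APP_DATA, *self.version]) + len(ct).to_bytes(2, "big")
            records.append(header + ct)
            self.write_seq += 1
        return records

    def receive(self, records):
        """Receiver: check header, decrypt, verify MAC, decompress, reassemble."""
        out = b""
        for rec in records:
            version, length = (rec[1], rec[2]), int.from_bytes(rec[3:5], "big")
            if rec[0] != CONTENT_APP_DATA or version != self.version or len(rec) != 5 + length:
                raise ValueError("bad record header")
            body = bytes(a ^ b for a, b in zip(rec[5:], _keystream(self.enc_key, self.read_seq, length)))
            frag, mac = body[:-32], body[-32:]
            seq = self.read_seq.to_bytes(8, "big")
            if not hmac.compare_digest(mac, hmac.new(self.mac_key, seq + frag, hashlib.sha256).digest()):
                raise ValueError("bad_record_mac")  # would be sent as a fatal alert (Alert Protocol)
            self.read_seq += 1
            out += zlib.decompress(frag) if self.compress else frag
        return out
```

Because the sequence number is part of the MAC input, a record replayed or delivered out of order fails verification even though its bytes are untouched.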
[Figure: SSL Record Protocol operation]
2. Handshake Protocol
▪ Used before any data is transmitted
▪ Allows the server and client to authenticate each other through a series of messages. Each message has:
● Type: one of 10 types
● Length: length in bytes
● Content: session id, version, hash, etc.
[Figure: SSL Handshake Protocol message exchange]
3. Change Cipher Spec
▪ Consists of a single message, which consists of a single byte with the value 1
▪ Copies the pending state into the current state, which updates the cipher suite to be used on this connection
4. Alert Protocol
▪ Conveys SSL-related alert messages
▪ Each message consists of two bytes:
● Severity
– Warning (1): certificate_expired, etc.
– Fatal (2), terminates the connection: handshake_failure, bad_record_mac, etc.
● Code
[Figure: SSL Protocols]
TLS vs SSLv3
Differences include:
▪ Version number: 3.x vs 3
▪ MAC algorithm
▪ Pseudorandom function for key generation and validation
▪ Alert codes
Summary
▪ Kerberos is a trusted third-party authentication protocol that enables clients and servers to establish authenticated communication
▪ SSL provides security services between TCP and applications that use TCP
▪ TLS is the Internet standard version
▪ SSL/TLS provides confidentiality using symmetric encryption and message integrity using a MAC
▪ SSL/TLS enables two TCP users to determine the security mechanisms and services they will use
References
▪ Cryptography and Network Security: Principles and Practices, 4th Edition, William Stallings
▪ Applied Cryptography, 2nd Edition, Bruce Schneier