
Computer Network Security


Presentation Transcript


  1. Computer Network Security Hyun-Sung Kim Dept. of Computer Engineering Kyungil University kim@kiu.ac.kr

  2. Index • Necessity of network security • Services for network security • Security techniques for Internet service • Secure Internet banking example

  3. Necessity • Web service, Mail service, Telnet service… (diagram: Client A and Client B reach a mail server, a web server and a Telnet server through routers and a mobile node across the Internet)

  4. Basic concerns

  5. Necessity • Basic Scenario : Request services to a remote server • Attack : Make the server go down by issuing many service requests • Defense : Heavy traffic control • Security hole : Other kinds of attacks that could break down the server (diagram: the same network as slide 3)

  6. Defense (Firewall) • Blocking incoming access by potential attackers • IP check, Port check (diagram: a firewall placed in front of each server and client site)

  7. Defense (IDS) • Detecting unauthorized access to a computer network • Packet analysis, Event analysis (diagram: an IDS placed behind each firewall)

  8. Defense (N-IDS) • Processing pipeline: 1. Network Packet → 2. Detection Engine → 3. Log → 4. Alert → 5. Database → 6. Report (diagram: the IDS sits behind the firewall and sees the traffic of Client A and the mobile node)

  9. Defense (N-IDS) • The detection engine inspects the packet headers (data link header, Internet header, transport header with src port, dst port and the SYN / FIN flags, application header, data) • Example alert : “SYN FIN SCAN Attack was detected from 155.230.90.99 to 203.230.91.25 at 23:00 34 June 2004” • The log and database store the “SYN FIN SCAN Attack” data for forensics
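Added example, not part of the slides: a minimal version of the detection-engine stage described on slides 8 and 9. It parses the fixed 20-byte TCP header (source port, destination port, flags), flags any segment with SYN and FIN set together, and emits an alert line in the format quoted on slide 9. The packet records, the `build_tcp_header` helper and the timestamps are constructed here for the demonstration; only the two IP addresses are taken from the slide.

```python
import struct

# TCP control bits in the flags byte of the fixed 20-byte header (RFC 793 layout)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_tcp_header(hdr: bytes) -> dict:
    """Decode the fixed part of a TCP header into ports, data offset and flags."""
    if len(hdr) < 20:
        raise ValueError("truncated TCP header")
    (src_port, dst_port, seq, ack, off_rsv, flags,
     window, checksum, urgent) = struct.unpack("!HHIIBBHHH", hdr[:20])
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "data_offset": (off_rsv >> 4) * 4,   # header length in bytes
        "flags": flags,
    }


def is_syn_fin_scan(flags: int) -> bool:
    """SYN and FIN set in the same segment never occur in a valid handshake,
    so the detection engine treats the combination as a scan signature."""
    return flags & (SYN | FIN) == (SYN | FIN)


def detection_engine(packets):
    """Stage 2 of the slide's pipeline: returns the alert strings (stage 4)
    for each packet record (src_ip, dst_ip, timestamp, tcp_header_bytes)."""
    alerts = []
    for src_ip, dst_ip, timestamp, hdr in packets:
        tcp = parse_tcp_header(hdr)
        if is_syn_fin_scan(tcp["flags"]):
            alerts.append(
                f"SYN FIN SCAN Attack was detected from {src_ip} to {dst_ip} "
                f"at {timestamp} (dst port {tcp['dst_port']})"
            )
    return alerts


def build_tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Constructed test header: seq/ack 0, data offset 5 (20 bytes),
    window 1024, checksum and urgent pointer 0."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, 1024, 0, 0)


# Constructed sample traffic; the addresses are the ones quoted on the slide,
# the timestamps and ports are made up for the example.
SAMPLE_PACKETS = [
    ("203.230.91.10", "203.230.91.25", "22:59 4 June 2004", build_tcp_header(40000, 80, SYN)),
    ("155.230.90.99", "203.230.91.25", "23:00 4 June 2004", build_tcp_header(51234, 23, SYN | FIN)),
    ("203.230.91.25", "203.230.91.10", "22:59 4 June 2004", build_tcp_header(80, 40000, SYN | ACK)),
]

if __name__ == "__main__":
    for line in detection_engine(SAMPLE_PACKETS):
        print(line)
```

Only the second record, the SYN+FIN segment, produces an alert; the ordinary SYN and SYN/ACK of a normal handshake pass silently. A real N-IDS would additionally persist the offending packet (the slide's log and database stages) so the alert can be investigated afterwards.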

  10. Defense (Virus) • Detecting the instruction sequences of many types of virus • Checks all the files on disk and the instructions in memory (diagram: the network with a firewall and IDS at each site)

  11. Is that all about the security? (diagram: the network with a firewall and IDS at each site)

  12. Other concerns

  13. Necessity • Scenario 1 : Access to a remote server by Telnet • Attack : An illegal user tries to log in to a Telnet server • Defense : Three-times login failure check • Security hole : Non-continuous (spaced-out) login attempts

  14. Necessity • Scenario 2 : Access to files for which the user has no permission • Attack : An unauthorized user tries to access files illegally • Defense : Role control • Security hole : Is there any method to break the defense mechanism?

  15. Necessity • Scenario 3 : Sending very important information over the Internet (diagram: the data “3510 2211…” travelling across the network) • Attack : An illegal user tries to listen to the information • Defense : Encoding & decoding • Security hole : Is there any method to break the defense mechanism?

  16. Necessity • Scenario 4 : Sending very important information over the Internet (diagram: the data “3510 2211…” travelling across the network) • Attack : An illegal user tries to modify the information • Defense : Encryption • Security hole : Is there any method to break the defense mechanism?

  17. Necessity • Scenario 5 : Repudiating what one did • Attack : A user denies what he did • Defense : Signature • Security hole : Is there any method to break the defense mechanism?

  18. Relation of service and mechanism
  • Services : Authentication, Non-repudiation, Access Control, Confidentiality, Integrity
  • Mechanisms : Encryption, Digital Signature, Access Control, Authentication, Key-Exchange
  • Algorithms : DES, AES, SEED, ElGamal, RSA, ECC, Hash Function, PRG
  • Applications : E-money, E-contract, Intrusion Detection, E-commerce, Biometric, Mobile Security, E-auction, Secure Multimedia, VPN, E-vote, Firewall

  19. Security services • Authentication -> Scenario 1 • Access control -> Scenario 2 • Confidentiality -> Scenario 3 • Integrity -> Scenario 4 • Non-repudiation -> Scenario 5

  20. Security services • Authentication • An assurance that the identity is not false • Ensures that the origin is correctly identified • Non-repudiation • Requires that neither the sender nor the receiver of a message be able to deny the transmission

  21. Security services • Confidentiality • Ensures that the information is accessible only to authorized parties • Integrity • Ensures that only authorized parties are able to modify the information

  22. Mechanisms • Encryption • Digital signature • Authentication • Key-exchange

  23. Mechanisms • Encryption • DES, AES, SEED, ElGamal, RSA, ECC • Digital signature • Public-key cryptosystem • Authentication • Public-key cryptosystem • Key-exchange • Diffie-Hellman key-exchange protocol

  24. Cryptography Confidentiality Integrity

  25. Cryptography • Un-secure channel => Secure channel (Symmetric-key and Public-key system) (diagram: the network with a firewall and IDS at each site)

  26. Cryptography • Symmetric-key cryptosystem • The same key K is held by the Sender and the Receiver • Sender : ciphertext C = E(P, K) (Encryption Algorithm) • Receiver : plaintext P = D(C, K) (Decryption Algorithm)

  27. Cryptography • Symmetric-key cryptosystem • Caesar Cipher (Basic scheme) • Key => 3 • Plain text : meet me after the party • Cipher text : phhw ph diwhu wkh sduwb • Encryption algorithm : Addition • Decryption algorithm : Subtraction

  28. Cryptography • Symmetric-key cryptosystem • Problems in the Caesar Cipher • The key size is so small : -25 ~ 25 (about 50 keys) • Weak against the brute-force attack • Solutions • Enlarge the key size • Apply more complex operations
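Added example, not from the slides: the Caesar cipher of slide 27 (addition to encrypt, subtraction to decrypt) together with the exhaustive key search that slide 28 warns about. The `brute_force` function and the crib word "the" are assumptions for the demonstration; the plaintext, key and ciphertext are the ones on slide 27.

```python
import string

ALPHABET = string.ascii_lowercase


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Addition: shift each lowercase letter forward by `key` places (mod 26).
    Characters outside a-z (spaces here) are passed through unchanged."""
    out = []
    for ch in plaintext:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Subtraction: shifting back is the same as adding the negated key."""
    return caesar_encrypt(ciphertext, -key)


def brute_force(ciphertext: str, crib: str):
    """Try every shift and keep the candidates whose decryption contains a
    word the analyst expects (the crib). Only 26 distinct shifts exist, so
    the whole key space is searched in a fraction of a millisecond."""
    hits = []
    for key in range(26):
        candidate = caesar_decrypt(ciphertext, key)
        if crib in candidate:
            hits.append((key, candidate))
    return hits


if __name__ == "__main__":
    ct = caesar_encrypt("meet me after the party", 3)
    print(ct)                      # phhw ph diwhu wkh sduwb
    print(brute_force(ct, "the"))  # [(3, 'meet me after the party')]
```

Running it reproduces the slide's ciphertext and recovers the key with a single loop, which is the concrete meaning of "weak against the brute-force attack": enlarging the key space (slide 28's first solution) is what makes exhaustive search impractical for DES-class ciphers.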

  29. Cryptography • Symmetric-key cryptosystem • DES(Data Encryption Standard) • Key size : 56 bits • Basic operations • Transposition • Substitution • XOR • Shift • USA standard • DES : from 1977 to 1998 • AES : 2001 draft

  30. DES (Data Encryption Standard) • Data path : 64-bit plaintext → Initial permutation → Round 1 (K1) → Round 2 (K2) → … → Round 16 (last round key) → 32-bit swap → Inverse IP → 64-bit ciphertext • Key schedule : 56-bit key → Permuted choice 1 → for each round : Left circular shift → Permuted choice 2 → Ki

  31. DES (Data Encryption Standard) • One round : inputs Li-1, Ri-1 (32 bits each) and Ci-1, Di-1 (28 bits each) • Data half : Ri-1 → expansion/permutation (48 bits) → XOR with Ki (48 bits) → substitution/choice (S-box) (32 bits) → permutation (32 bits) → XOR with Li-1 → Ri, while Li = Ri-1 • Key half : Ci-1, Di-1 → left shift → permuted choice 2 (permutation/contraction) → Ki (48 bits); the shifted halves become Ci, Di

  32. Cryptography • Symmetric-key cryptosystem • The strength of DES (exhaustive key search)
  Key size | Number of alternative keys | Time at 1 encryption per microsecond | Time at 10^6 encryptions per microsecond
  32 bits  | 2^32 = 4.3 × 10^9   | 35.8 minutes | 2.15 ms
  56 bits  | 2^56 = 7.2 × 10^16  | 1142 years   | 10.01 hours
  128 bits | 2^128 = 3.4 × 10^38 | 5.4 × 10^24 years | 5.4 × 10^18 years

  33. Cryptography • Is DES secure enough? • No! • There are potential weaknesses • Key size is not secure enough • Is there any alternative? • Yes! • Enlarge key size from 56 to 128 => Triple DES • AES

  34. Cryptography • Symmetric-key cryptosystem • The same key K is held by the Sender and the Receiver • Sender : ciphertext C = E(P, K) (Encryption Algorithm) • Receiver : plaintext P = D(C, K) (Decryption Algorithm)

  35. Cryptography • Public-key cryptosystem • Each user has a Public-key (PU) and a Private-key (PR) : PUS, PRS for the Sender and PUR, PRR for the Receiver • Sender : ciphertext C = E(P, PUR) (Encryption Algorithm) • Receiver : plaintext P = D(C, PRR) (Decryption Algorithm)

  36. Cryptography • Public-key cryptosystem • RSA (Rivest, Shamir, Adleman) • Input size : less than or equal to n • Encryption : C = M^e mod n • Decryption : M = C^d mod n = (M^e)^d mod n • Public-key = {e, n}, Private-key = {d, n}

  37. Cryptography • Public-key cryptosystem • RSA (Rivest, Shamir, Adleman) * Key Generation • Select p, q, both prime • Calculate n = p*q • Calculate φ(n) = (p-1)(q-1) • Select integer e such that gcd(φ(n), e) = 1; 1 < e < φ(n) • Calculate d = e^-1 mod φ(n) • Public key = {e, n}, Private key = {d, n}

  38. Cryptography • Key Generation • Select p, q, both prime • Calculate n = p*q • Calculate φ(n) = (p-1)(q-1) • Select integer e such that gcd(φ(n), e) = 1; 1 < e < φ(n) • Calculate d = e^-1 mod φ(n) • Public key = {e, n}, Private key = {d, n} • Example : p = 7, q = 17 • n = pq = 7*17 = 119 • φ(n) = 6*16 = 96 • e = 5 • Determine d : de ≡ 1 mod 96 → d = 77, since 77*5 = 385 ≡ 1 mod 96 • Public key = {5, 119}, Private key = {77, 119}

  39. RSA (Rivest, Shamir, Adleman) • Sender, public key {5, 119} : M = 19 → Encryption : 19^5 mod 119 = 66 (19^5 = 2476099; 2476099 / 119 = 20807 with a remainder of 66) • Receiver, private key {77, 119} : Decryption : 66^77 mod 119 = 19 → M = 19

  40. Cryptography • Public-key cryptosystem • The security of RSA • Brute force • Mathematical attacks • The factoring problem : recovering the two large primes p and q from n • Timing attacks

  41. Cryptography • Is RSA secure enough? • Yes! • But it requires a large key size, 1024 bits • Is there any alternative? • Yes! • ECC with a much smaller key size, 160 bits

  42. Cryptography • Symmetric-key system : One key is used • Advantage : High speed (substitution and transposition) • Disadvantage : Difficult to share the key • Public-key system : Two keys are used • Advantage : Easy to share the public key • Disadvantage : Low speed (exponentiation)

  43. Cryptography Digital signature Authentication

  44. Cryptography • Public-key cryptosystem • Digital signature and authentication • Sender uses his own Private-key (PRS) : signed text C = E(P, PRS) (Encryption Algorithm) • Receiver uses the sender's Public-key (PUS) : plaintext P = D(C, PUS) (Decryption Algorithm)

  45. Encryption vs. Digital signature • Encryption : Sender runs the Encryption Algorithm with PUR, Receiver runs the Decryption Algorithm with PRR • Digital signature : Sender runs the Encryption Algorithm with PRS, Receiver runs the Decryption Algorithm with PUS

  46. Cryptography Confidentiality with Digital signature

  47. Confidentiality with Digital signature • First step for Digital signature : Sender runs the Encryption Algorithm with PRS • Second step for Encryption : Sender runs the Encryption Algorithm with PUR • Receiver runs the Decryption Algorithm with PRR and then with PUS
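Added example, not from the slides, covering three passages at once: the RSA key generation and encryption of slides 37 to 39, the "encrypt with the private key" signature model of slides 44 and 45, and the sign-then-encrypt combination of slide 47. The sender's key pair is the slide's p = 7, q = 17, e = 5; the receiver's pair p = 11, q = 13, e = 7 is an assumption chosen so that the receiver's modulus (143) is larger than the sender's (119), which the nested step requires. The function names are likewise assumptions.

```python
from math import gcd


def rsa_keygen(p: int, q: int, e: int):
    """Key generation as on slide 37; returns (public, private) with
    public = (e, n) and private = (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(phi, e) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(phi(n), e) = 1")
    d = pow(e, -1, phi)          # modular inverse e^-1 mod phi(n), Python 3.8+
    return (e, n), (d, n)


def rsa_apply(m: int, key) -> int:
    """Core RSA operation m^k mod n; the input block must be smaller than n."""
    k, n = key
    if not 0 <= m < n:
        raise ValueError("message block must satisfy 0 <= m < n")
    return pow(m, k, n)


# Slide 36: encryption uses the receiver's public key, decryption the private key.
def rsa_encrypt(m: int, public_receiver) -> int:
    return rsa_apply(m, public_receiver)


def rsa_decrypt(c: int, private_receiver) -> int:
    return rsa_apply(c, private_receiver)


# Slide 44: a signature is the same operation with the sender's private key,
# and anyone holding the sender's public key can check it.
def rsa_sign(m: int, private_sender) -> int:
    return rsa_apply(m, private_sender)


def rsa_verify(m: int, s: int, public_sender) -> bool:
    return rsa_apply(s, public_sender) == m


# Slide 47: sign first with PR_S, then encrypt the signature with PU_R.
# Requires n_S < n_R so the signature is a valid input block for the receiver key.
def sign_then_encrypt(m: int, private_sender, public_receiver) -> int:
    return rsa_encrypt(rsa_sign(m, private_sender), public_receiver)


def decrypt_then_recover(c: int, private_receiver, public_sender) -> int:
    """Receiver undoes both steps: decrypt with PR_R, then open the signature
    with PU_S. In this textbook model the message is recovered from the
    signature itself (no separate hash is sent)."""
    s = rsa_decrypt(c, private_receiver)
    return rsa_apply(s, public_sender)


if __name__ == "__main__":
    pub_s, priv_s = rsa_keygen(7, 17, 5)      # slide 38: {5, 119}, {77, 119}
    pub_r, priv_r = rsa_keygen(11, 13, 7)     # assumed receiver pair: {7, 143}, {103, 143}
    c = rsa_encrypt(19, pub_s)                # slide 39: 19^5 mod 119 = 66
    print(pub_s, priv_s, c, rsa_decrypt(c, priv_s))
    sig = rsa_sign(19, priv_s)
    print(sig, rsa_verify(19, sig, pub_s))
    boxed = sign_then_encrypt(19, priv_s, pub_r)
    print(boxed, decrypt_then_recover(boxed, priv_r, pub_s))
```

The toy moduli reproduce the slide's numbers exactly (d = 77, ciphertext 66) and make the symmetry of the two operations visible: the only difference between encryption and signing is which key of which party is used. Production RSA signs a hash of the message under a padding scheme (PKCS#1 v1.5 or PSS) rather than the raw block, and uses moduli of at least the 1024 bits mentioned on slide 41; the block-size check in `rsa_apply` is also why real systems never feed arbitrary data directly into the exponentiation.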

  48. Cryptography Non-repudiation

  49. Cryptography • Public-key distribution with a trusted third party (Certificate Authority, CA) • User A and User B each hold the CA's public key PUCA • The CA issues certificates : CA = EPRCA[Time1, IDA, PUA], CB = EPRCA[Time2, IDB, PUB] • User A and User B exchange CA and CB and open them with PUCA to obtain PUB and PUA

  50. Cryptography Key exchange
