Notice
This lecture note (Cryptography and Network Security) is prepared by
Xiang-Yang Li. This lecture note has benefited from numerous
textbooks and online materials, especially Cryptography and
Network Security, 2nd edition, by William Stallings and
Cryptography: Theory and Practice by Douglas Stinson.
You may not modify, publish, or sell, reproduce, create derivative
works from, distribute, perform, display, or in any way exploit any
of the content, in whole or in part, except as otherwise expressly
permitted by the author.
The author has used his best efforts in preparing this lecture note.
The author makes no warranty of any kind, expressed or implied,
with regard to the programs and protocols contained in this lecture
note. The author shall not be liable in any event for incidental or
consequential damages in connection with, or arising out of, the
furnishing, performance, or use of these.
IPsec
Xiang-Yang Li
IP Security
If a secret piece of news is divulged by a spy
before the time is ripe, he must be put to
death, together with the man to whom the
secret was told.
The Art of War, Sun Tzu
IP Security
have considered some application specific
security mechanisms
IPSec
general IP Security mechanisms
provides
authentication
confidentiality
key management
IPSec Uses
Benefits of IPSec
in a firewall/router provides strong
IP Security Architecture
specification is quite complex
IPSec Services
Access control
Connectionless integrity
Data origin authentication
Rejection of replayed packets
a
Confidentiality (encryption)
Limited traffic flow confidentiality
Security Associations
a one-way relationship between sender &
authentication of IP packets
HMAC-MD5-96 or HMAC-SHA-1-96
Authentication Header
Key Management
handles key generation & distribution
Oakley
a key exchange protocol
ISAKMP
Internet Security Association and Key
Management Protocol
provides framework for key management
defines procedures and packet formats to
establish, negotiate, modify, & delete SAs
independent of key exchange protocol,
encryption algorithm, & authentication method
Summary
have considered:
IPSec
security framework
AH
ESP
key management & Oakley/ISAKMP
Firewalls
The function of a strong position is to make the
forces holding it practically unassailable
On War, Carl Von Clausewitz
Introduction
seen evolution of information systems
What is a Firewall?
a choke point of control and monitoring
trust
imposes restrictions on network services
only
Firewall Limitations
cannot protect from attacks bypassing it
eg
eg disgruntled employee
context
Bastion Host
highly secure host system
Firewall Configurations
Access Control
given system has identified a user
can decompose by
Reference Monitor
Summary
have considered:
firewalls
types of firewalls
configurations
access control
trusted systems
Intruders
They agreed that Graham should set the test
for Charles Mabledene. It was neither more
nor less than that Dragon should get Stern's
code. If he had the 'in' at Utting which he
claimed to have this should be possible, only
loyalty to Moscow Centre would prevent it. If
he got the key to the code he would prove his
loyalty to London Central beyond a doubt.
Talking to Strange Men, Ruth Rendell
Cryptography and Network Security
Intruders
significant issue for networked systems is
misfeasor
clandestine user
Intruders
clearly a growing publicized problem
from
other attacks
Intrusion Techniques
aim to increase privileges on system
Password Guessing
one of the most common attacks
attacker knows a login (from email/web page etc)
then attempts to guess password for it
Password Capture
another attack involves password capture
watching over shoulder as password is entered
using a trojan horse program to collect
monitoring an insecure network login (eg. telnet, FTP,
web, email)
extracting recorded info after successful login (web
history/cache, last number dialed etc)
using valid login/password can impersonate
user
users need to be educated to use suitable
precautions/countermeasures
Intrusion Detection
inevitably will have security failures
a legitimate user
profile based
rule-based detection
anomaly
penetration identification
Audit Records
fundamental tool for intrusion detection
Base-Rate Fallacy
practically an intrusion detection system
record
Honeypots
decoy systems to lure attackers
away
Password Management
front-line defense against intruders
Managing Passwords
need policies and good user education
Managing Passwords
may reactively run password guessing tools
note that good dictionaries exist for almost any
language/interest group
may enforce periodic changing of passwords
password security
allow users to select own password
but have system verify it is acceptable
simple
Summary
have considered:
problem
of intrusion
intrusion detection (statistical & rule-based)
password management