Business Data Communications, 4e2 Security Threats ✘ Passive attacks ✘ Eavesdropping on, or monitoring, transmissions ✘ Electronic mail, file transfers, and client/server exchanges are e
Trang 1Chapter 20:
Network Security
Business Data Communications, 4e
Trang 2Business Data Communications, 4e
2
Security Threats
✘ Passive attacks
✘ Eavesdropping on, or monitoring, transmissions
✘ Electronic mail, file transfers, and client/server exchanges are examples of transmissions that can be monitored
✘ Active attacks
✘ Modification of transmitted data
✘ Attempts to gain unauthorized access to computer
systems
Trang 3Encryption Methods
✘ The essential technology underlying virtually all automated network and computer security applications is cryptography
✘ Two fundamental approaches are in use:
✘ conventional encryption, also known as symmetric
encryption
✘ public-key encryption, also known as asymmetric
encryption
Trang 4Business Data Communications, 4e
4
Conventional Encryption
✘ The only form of encryption prior to late 1970s
✘ Five components to the algorithm
✘ Plaintext: The original message or data
✘ Encryption algorithm: Performs various substitutions and transformations on the plaintext.
✘ Secret key: Input to the encryption algorithm Substitutions and transformations performed depend on this key
✘ Ciphertext: Scrambled message produced as output depends on the plaintext and the secret key
✘ Decryption algorithm: Encryption algorithm run in reverse Uses ciphertext and the secret key to produce the original plaintext.
Trang 5Conventional Encryption
Operation
Trang 6Business Data Communications, 4e
6
Conventional Encryption Requirements & Weaknesses
✘ Requirements
✘ A strong encryption algorithm
✘ Secure process for sender & receiver to obtain secret keys
✘ Methods of Attack
✘ Cryptanalysis
✘ Brute force
Trang 7Data Encryption Standard (DES)
✘ Adopted in 1977, reaffirmed for 5 years in 1994, by
NBS/NIST
✘ Plaintext is 64 bits (or blocks of 64 bits), key is 56 bits
✘ Plaintext goes through 16 iterations, each producing an
intermediate value that is used in the next iteration
✘ DES is now too easy to crack to be a useful encryption
method
Trang 8Business Data Communications, 4e
8
Triple DEA
✘ Alternative to DES, uses multiple encryption with DES and multiple keys
✘ With three distinct keys, TDEA has an effective key length of
168 bits, so is essentially immune to brute force attacks
✘ Principal drawback of TDEA is that the algorithm is
relatively sluggish in software
Trang 9Public-Key Encryption
✘ Based on mathematical functions rather than on simple
operations on bit patterns
✘ Asymmetric, involving the use of two separate keys
✘ Misconceptions about public key encryption
✘ it is more secure from cryptanalysis
✘ it is a general-purpose technique that has made
conventional encryption obsolete
Trang 10Business Data Communications, 4e
Trang 11Public-Key Encryption Operation
Trang 12Business Data Communications, 4e
12
Public-Key Signature Operation
Trang 13Characteristics of Public-Key
✘ Infeasible to determine the decryption key given knowledge
of the cryptographic algorithm and the encryption key
✘ Either of the two related keys can be used for encryption,
with the other used for decryption
✘ Slow, but provides tremendous flexibility to perform a
number of security-related functions
✘ Most widely used algorithm is RSA
Trang 14Business Data Communications, 4e
✘ All traffic over all communications links is secured.
✘ Vulnerable at each switch
✘ End-to-end encryption
✘ the encryption process is carried out at the two end systems
✘ Encrypted data are transmitted unaltered across the network to the
destination, which shares a key with the source to decrypt the data
✘ Packet headers cannot be secured
Trang 15Conventional Encryption
Key Distribution
✘ Both parties must have the secret key
✘ Key is changed frequently
✘ Requires either manual delivery of keys, or a third-party
encrypted channel
✘ Most effective method is a Key Distribution Center (e.g
Kerberos)
Trang 16Business Data Communications, 4e
16
Public-Key Encryption
Key Distribution
✘ Parties create a pair of keys; public key is broadly distributed,
private key is not
✘ To reduce computational overhead, the following process is then used:
1 Prepare a message.
2 Encrypt that message using conventional encryption with a one-time
conventional session key.
3 Encrypt the session key using public-key encryption with recipient’s public key.
4 Attach the encrypted session key to the message and send it.
Trang 17Digital Signature Process
Trang 18Business Data Communications, 4e
18
Public Key Certificates
1 A public key is generated by the user and submitted to
Agency X for certification
2 X determines by some procedure, such as a face-to-face
meeting, that this is authentically the user’s public key
3 X appends a timestamp to the public key, generates the hash code of the result, and encrypts that result with X’s private key forming the signature
4 The signature is attached to the public key
Trang 19Web Vulnerabilities
✘ Unauthorized alteration of data at the Web site
✘ Unauthorized access to the underlying operating system at the Web server
✘ Eavesdropping on messages passed between a Web server and a Web browser
✘ Impersonation
Trang 20Business Data Communications, 4e
20
Methods for Improving
Web Security
✘ Securing the Web site itself
✘ install all operating system security patches
✘ install the Web server software with minimal system
privileges
✘ use a more secure platform
✘ Securing the Web application
Trang 21Web Application Security
✘ Secure HyperText Transfer Protocol (SHTTP)
✘ Secure Sockets Layer (SSL)
✘ Web server packages should incorporate both of these
protocols
Trang 22Business Data Communications, 4e
22
Virtual Private Networks (VPNs)
✘ The use of encryption and authentication in the lower
protocol layers to provide a secure connection through an otherwise insecure network, typically the Internet
✘ Generally cheaper than real private networks using private lines but rely on having the same encryption and
authentication system at both ends
✘ The encryption may be performed by firewall software or possibly by routers
Trang 23✘ Can secure communications across a LAN, WANs, and/or the Internet
✘ Examples of use:
✘ Secure branch office connectivity over the Internet
✘ Secure remote access over the Internet
✘ Establishing extranet and intranet connectivity with
partners
Trang 24Business Data Communications, 4e
24
Benefits of IPSec
✘ When implemented in a firewall or router, provides strong security for all traffic crossing the perimeter
✘ IPSec in a firewall is resistant to bypass
✘ Runs below the transport layer (TCP, UDP) and so is
transparent to applications
✘ Can be transparent to end users
✘ Can provide security for individual users if needed
Trang 25IPSec Functions
✘ IPSec provides three main facilities
✘ authentication-only function referred to as Authentication Header (AH)
✘ combined authentication/encryption function called
Encapsulating Security Payload (ESP)
✘ a key exchange function
✘ For VPNs, both authentication and encryption are generally
Trang 26Business Data Communications, 4e
26
ESP Encryption & Authentication
Trang 27IPSec Key Management