X.509 Authentication Service Part of CCITT X.500 directory service standards distributed servers maintaining some info database Define framework for authentication services dire
Trang 1Certificates
Network Systems Security
Trang 2 An instrument signed by an authority to certify something about a subject
Original function is to bind names to
keys or keys to names
Now it can contain authorization,
delegation, and validity conditions
Trang 4X.509 Authentication
Service
Part of CCITT X.500 directory service standards
distributed servers maintaining some info database
Define framework for authentication services
directory may store public-key certificates
with public key of user
signed by certification authority
Also define authentication protocols
Use public-key cryptography and digital
signatures
algorithms not standardised, but RSA recommended
Trang 5X.509 Certificates
Issued by a Certification Authority (CA), containing:
version (1, 2, or 3)
serial number (unique within CA) identifying certificate
signature algorithm identifier
issuer X.500 name (CA)
period of validity (from - to dates)
subject X.500 name (name of owner)
subject public-key info (algorithm, parameters, key)
issuer unique identifier (v2+)
subject unique identifier (v2+)
Trang 6X.509 Certificates
Trang 7Obtaining a Certificate
Any user with access to CA can get any certificate from it
Only the CA can modify a certificate
Certificates can be placed in a public
directory since they cannot be forged
Trang 8CA Hierarchy
If both users share a common CA then
they are assumed to know its public key
Otherwise CA's must form a hierarchy
Use certificates linking members of
hierarchy to validate other CA's
each CA has certificates for clients (forward) and parent (backward)
each client trusts parents certificates
enable verification of any certificate from one CA by users of all other CAs in
hierarchy
Trang 9CA Hierarchy Use
Trang 10Certificate Revocation
certificates have a period of validity
may need to revoke before expiry, eg:
1. user's private key is compromised
2. user is no longer certified by this CA
3. CA's certificate is compromised
CA’s maintain list of revoked certificates
the Certificate Revocation List (CRL)
users should check certs with CA’s CRL
Trang 12One-Way Authentication
1 message (A->B) used to establish
the identity of A and that message is from A
message was intended for B
integrity & originality of message
message must include timestamp,
nonce, B's identity and is signed by A
Trang 13 that reply is intended for A
integrity & originality of reply
Trang 14Three-Way Authentication
3 messages (A->B, B->A, A->B) which enables above authentication without synchronized clocks
has reply from A back to B containing
signed copy of nonce from B
means that timestamps need not be
checked or relied upon
Trang 15X.509 Version 3
It has been recognized that additional information is needed in a certificate
email/URL, policy details, usage constraints
Define a general extension method
rather than naming new fields
Components of extensions
extension identifier
Trang 16Certificate Extensions
key and policy information
convey info about subject & issuer keys,
plus indicators of certificate policy
certificate subject and issuer attributes
support alternative names, in alternative
formats for certificate subject and/or issuer
certificate path constraints
allow constraints on use of certificates by other CA’s
Trang 17Need of Firewalls
Everyone want to be on the Internet and
to interconnect networks
Persistent security concerns
cannot easily secure every system in organization
Use firewall to provide “harm
Trang 18Functions of Firewalls
only authorized traffic is allowed
can implement alarms for abnormal behavior
Trang 19What Firewalls Can Do
Service control
Direction control
User control
Behavior control
Trang 20What Firewalls Cannot Do
Cannot protect from attacks bypassing it
e.g sneaker net, utility modems, trusted
organisations, trusted services (e.g SSL/SSH)
Cannot protect against internal threats
e.g disgruntled employee
Cannot protect against transfer of all virus infected programs or files
because of huge range of OS and file types
Trang 22Packet-filtering Router
Trang 23Packet-filtering Router
Foundation of any firewall system
Examine each IP packet (no context)
and permit or deny according to rules
Restrict access to services (ports)
Possible default policies
prohibited if not expressly permitted
Trang 24Examples of Rule Sets
Trang 25Attacks on Packet Filters
IP address spoofing
fake source address to be trusted
add filters on router to block
Source routing attacks
attacker sets a route other than default
block source routed packets
Tiny fragment attacks
Trang 26Stateful Packet Filters
Examine each IP packet in context
keep tracks of client-server sessions
check each packet validly belongs to one
Better able to detect bogus packets out
of context
Trang 27Application Level Gateway
Trang 28Application Level Gateway
Use an application specific gateway /
proxy
Has full access to protocol
user requests service from proxy
proxy validates request as legal
then actions request and returns result to user
Need separate proxies for each service
some services naturally support proxying
others are more problematic
custom services generally not supported
Trang 29Circuit Level Gateway
Trang 30Circuit Level Gateway
Relay two TCP connections
Impose security by limiting which such
connections are allowed
Once created, usually relays traffic
without examining contents
Typically used when trust internal users by allowing general outbound connections
SOCKS commonly used for this
Trang 31Bastion Host
Potentially exposed to "hostile" elements,
so need to be secured to withstand this
separation between network connections
Trang 32Firewall Configurations
Trang 33Firewall Configurations
Trang 34Firewall Configurations