������������������ ���������������������� � � �������������������������������� ����������������������������������������� �������������������������������������������� CSE543 Computer and Network Security Module: Network Security Professor Trent Jaeger CSE543 - Introduction to Computer and Network Security Page 1 Thursday, October 31, 13
Exam • Three kinds of questions ‣ 12 short answer • What (3pts each) ‣ 5 long answer • Why (6-7pts each) ‣ 3 constructions • How (10 pts each) CMPSC443 - Introduction to Computer and Network Security Page 2 Thursday, October 31, 13
Short Answer • Three kinds of questions ‣ 12 short answer • What (3pts each) 4. ( 4pts ) What is the purpose of a public key infrastructure ? Why is there a risk for “who is using my key?” answer : Bind a public key to an identity securely on internet scale. System cannot protect private key from compromise. CMPSC443 - Introduction to Computer and Network Security Page 3 Thursday, October 31, 13
Exam • Three kinds of questions ‣ 5 long answer • Why (6-7pts each) • Longer what questions that want to know why and how 17. ( 7pts ) Why is it necessary to prevent forgery of capabilities in capability systems to meet reference monitor guarantees? Specify the conditions under which it is necessary to weaken (reduce) the permissions available to a capability. answer : If a capability can be forged, then a process can create its own permissions to any object that it can name. This would circumvent the tamperproofing of system policies, and nothing would be verifiable. We must weaken a capability when a high secrecy subject fetches a capability from a low secrecy memory. Because this capability may have been created by a low secrecy subject, it may have write permission to low secrecy objects. Since this would violate the *-property, such capabilities must be weakened to remove the write permission. CMPSC443 - Introduction to Computer and Network Security Page 4 Thursday, October 31, 13
Exam • Three kinds of questions ‣ 3 constructions • How (10 pts each) 19. ( 10pts ) Consider the Needham-Schroeder protocol for shared key distribution. Assume XOR for encryption/decryption. In the NH protocol, the initiating party, we will call A , forwards the conversation key CK in a message encrypted by the authentication server AS for the verifying party B . Suppose A ’s identity is represented by the 4-bit quantity 0001 and the key shared between B and the AS is 0101. (a) (2pts) If the message forwarded from A to B is 11010100, then what is the conversation key? (Hint: Use the format of the conversation key message in the NH protocol. Note that the key is 4 bits long). CMPSC443 - Introduction to Computer and Network Security Page 5 Thursday, October 31, 13
Topics • Cryptography ‣ Encryption, Hashing, Signatures, HMACs ‣ Cryptographic Notation for Protocols • Symmetric key ‣ Basic symmetric key operations (substitution, permutation) • Hash Functions ‣ Properties ‣ Some things you can do • Public key ‣ RSA ‣ Diffie-Hellman CMPSC443 - Introduction to Computer and Network Security Page 6 Thursday, October 31, 13
Topics • Authentication ‣ Basics ‣ Passwords ‣ Protocols • Authentication Protocols ‣ Web ‣ Needham-Schroeder ‣ Kerberos ‣ PKI • Differences between N-S and Kerberos • PKI (certificates, validation, issues) CMPSC443 - Introduction to Computer and Network Security Page 7 Thursday, October 31, 13
Topics • System Security ‣ Vulnerabilities ‣ Access Control ‣ OS Security • Vulnerabilities ‣ Overflows, etc ‣ Name Resolution • Access Control ‣ Concepts ‣ Models (matrix, RBAC, MLS, Clark-Wilson) • OS ‣ Multics, Capabilities, Sandboxes, UNIX/Windows CMPSC443 - Introduction to Computer and Network Security Page 8 Thursday, October 31, 13
Topics • Network Security ‣ Vulnerabilities ‣ Secure communication: IPsec, SSL, SSH • Vulnerabilities ‣ TCP and other protocols • Secure communication ‣ Concepts ‣ IPsec ‣ SSL ‣ SSH ‣ Use of modes, use of crypto, authentication CMPSC443 - Introduction to Computer and Network Security Page 9 Thursday, October 31, 13
Transport Security • A host wants to establish a secure channel to remote hosts over an untrusted network ‣ Not Login – end-users may not even be aware that protections in place (transparent) ‣ Remote hosts may be internal or external • The protection service must … ‣ Authenticate the end-points (each other) ‣ Negotiate what security is necessary (and how achieved) ‣ Establish a secure channel (e.g., key distribution/agreement) ‣ Process the traffic between the end points • Also known as communications security . CSE543 - Introduction to Computer and Network Security Page 10 Thursday, October 31, 13
IPsec (not IPSec!) • Host level protection service ‣ IP-layer security (below TCP/UDP) ‣ De-facto standard for host level security ‣ Developed by the IETF (over many years) ‣ Available in most operating systems/devices • E.g., XP , Vista, OS X, Linux, BSD*, … ‣ Implements a wide range of protocols and cryptographic algorithms • Selectively provides …. ‣ Confidentiality, integrity, authenticity, replay protection, DOS protection CSE543 - Introduction to Computer and Network Security Page 11 Thursday, October 31, 13
IPsec and the IP protocol stack • IPsec puts the two main HTTP FTP SMTP protocols in between IP and the TCP UDP other protocols ‣ AH - authentication header AH ESP ‣ ESP - encapsulating security payload IP • Other functions provided by external protocols and architectures CSE543 - Introduction to Computer and Network Security Page 12 Thursday, October 31, 13
Modes of operation • Transport : the payload is encrypted and the non- mutable fields are integrity verified (via MAC) MACed encrypted Header Payload Header Payload • Tunnel : each packet is completely encapsulated (encrypted) in an outer IP packet ‣ Hides not only data, but some routing information MACed encrypted Header Payload Header Header Payload CSE543 - Introduction to Computer and Network Security Page 13 Thursday, October 31, 13
Tunneling • “IP over IP” ‣ Network-level packets are encapsulated ‣ Allows traffic to avoid firewalls … IP layer CSE543 - Introduction to Computer and Network Security Page 14 Thursday, October 31, 13
Tunneling • “IP over IP” ‣ Network-level packets are encapsulated ‣ Allows traffic to avoid firewalls … IP layer CSE543 - Introduction to Computer and Network Security Page 14 Thursday, October 31, 13
Tunneling • “IP over IP” ‣ Network-level packets are encapsulated ‣ Allows traffic to avoid firewalls … IP layer CSE543 - Introduction to Computer and Network Security Page 14 Thursday, October 31, 13
Tunneling • “IP over IP” ‣ Network-level packets are encapsulated ‣ Allows traffic to avoid firewalls … IP layer … IP layer CSE543 - Introduction to Computer and Network Security Page 14 Thursday, October 31, 13
Tunneling • “IP over IP” ‣ Network-level packets are encapsulated ‣ Allows traffic to avoid firewalls … IP layer … IP layer CSE543 - Introduction to Computer and Network Security Page 14 Thursday, October 31, 13
Tunneling • “IP over IP” ‣ Network-level packets are encapsulated ‣ Allows traffic to avoid firewalls … IP layer … IP layer CSE543 - Introduction to Computer and Network Security Page 14 Thursday, October 31, 13
Tunneling • “IP over IP” ‣ Network-level packets are encapsulated ‣ Allows traffic to avoid firewalls … IP layer … IP layer CSE543 - Introduction to Computer and Network Security Page 14 Thursday, October 31, 13
Tunneling • “IP over IP” ‣ Network-level packets are encapsulated ‣ Allows traffic to avoid firewalls … IP layer … IP layer CSE543 - Introduction to Computer and Network Security Page 14 Thursday, October 31, 13
Tunneling • “IP over IP” ‣ Network-level packets are encapsulated ‣ Allows traffic to avoid firewalls … IP layer … IP layer CSE543 - Introduction to Computer and Network Security Page 14 Thursday, October 31, 13
Tunneling • “IP over IP” ‣ Network-level packets are encapsulated ‣ Allows traffic to avoid firewalls … IP layer … IP layer CSE543 - Introduction to Computer and Network Security Page 14 Thursday, October 31, 13
Tunneling • “IP over IP” ‣ Network-level packets are encapsulated ‣ Allows traffic to avoid firewalls … IP layer … IP layer CSE543 - Introduction to Computer and Network Security Page 14 Thursday, October 31, 13
Recommend
More recommend