Network security-primer-9544

  1. Full-service Software Product Development Life Cycle Services: A Security Primer
  2. Security Topics (diagram labels): PGP, S/MIME, SSL, TLS, IPSec, Cryptography, Symmetric Key, Public Key, Algorithms, Encryption, Digital Signatures, Certificates, Algorithms, Encryption, Key Mgmt
  3. Need for message security
     • Privacy
       – Am I sure nobody else knows this?
     • Authentication
       – Am I sure that the sender is genuine and not an imposter?
     • Integrity
       – Am I sure that the message has not been tampered with on its way?
     • Non-repudiation
       – What will I do if the sender denies sending the message?
  4. Cryptography
  5. Cryptography
     • Jargon
       – Cryptography means “Secret Writing”
       – Original message: plaintext
       – Encrypted message: ciphertext
       – Encryption and decryption algorithms: ciphers
       – The number value that the cipher operates on: key
     • Types
       – Symmetric key cryptography
       – Public key cryptography
  6. Symmetric Key Cryptography
     • Diagram labels: Alice, Encrypt, Network, Decrypt, Bob, Shared secret key
     • Features
       – Same key used by sender and receiver
       – Algorithm for decryption is the inverse of the algorithm used for encryption
  7. Symmetric Key (contd.)
     • Algorithms
       – DES (Data Encryption Standard)
       – Triple DES
     • Advantages
       – Efficient algorithms (takes less time to encrypt and decrypt)
       – Simple
     • Disadvantages
       – Each pair must have unique keys, i.e. N people will require N(N-1)/2 keys
       – Distribution of keys between two parties can be difficult
  8. Public Key Cryptography
     • Diagram labels: Alice, Encrypt, Bob’s public key, To the public, Network, Decrypt, Bob’s private key, Bob
     • Features
       – There are two keys: a private key and a public key
       – The private key is kept by the receiver and the public key is announced to the public
  9. Public Key (contd.)
     • Algorithms
       – RSA (Rivest, Shamir and Adleman)
     • Advantages
       – Need to distribute only the public key. Private key can be safely kept
       – Fewer keys, i.e. 1 million users may need only 2 million keys (as compared to 500 billion, if they use symmetric key cryptography)
     • Disadvantages
       – Complex algorithms
       – Association between the public key and the entity must be verified (need for certificates)
  10. Digital Signatures
      • Features
        – Enables integrity, authentication and non-repudiation
        – Private keys are used to sign a message (or hash)
        – Public keys are used to verify the signatures
      • Hash Functions
        – Signing the whole message is inefficient
        – Hash functions are used to create a unique digest of the message
        – Popular hashing algorithms are SHA-1 (secure hash algorithm) and MD5 (message digest)
  11. Digital Signatures (contd.)
      • Sender site diagram (steps 1 to 3), labels: Alice, Hash Function, Digest, Encrypt, Alice’s private key, Signed Digest, Message plus Signed Digest, To Bob
  12. Digital Signatures (contd.)
      • Receiver site diagram (steps 4 to 6), labels: Bob, From Alice, Decrypt, Alice’s public key, Digest, Hash Function, Digest, Compare
  13. Key Management
      • In symmetric key systems:
        – We need a mechanism to share the key between sender and receiver, and also reduce the number of keys
        – In some cases, public key systems also use a symmetric key to encrypt a message and encrypt the key using the public key
        – Solution: session keys. Symmetric keys are created for a session and destroyed when the session is over
        – Techniques for key management:
          » Diffie-Hellman method
          » Key distribution center (Needham-Schroeder protocol and Otway-Rees protocol)
  14. Key Management (contd.)
      • In public key systems:
        – Alice needs to know whether Bob’s public key is genuine
        – Solution: Certificates
        – Bob goes to a Certification Authority (CA), e.g. VeriSign, which binds Bob’s public key to an entity called a certificate.
        – The certificate is signed by the CA, which has a well-known public key, and hence cannot be forged.
        – Alice can verify the CA’s signature and hence be sure about Bob’s public key
  15. Certificates
      • Certificate is described by the X.509 protocol
      • X.509 uses ASN.1 (Abstract Syntax Notation 1) to define the fields
      • X.509 fields:
        Field            Explanation
        Version          Version number of X.509
        Serial Number    The unique identifier used by the CA
        Signature        The certificate signature
        Issuer           The name of the CA defined by X.509
        Validity Period  Start and end period that certificate is valid
        Subject Name     The entity whose public key is being certified
        Public Key       The subject public key and the algorithms that use it
  16. Chain of Trust
      • Query propagation similar to DNS queries
      • At any level, the CA can certify performance of CAs in the next level, i.e. level-1 CA can certify level-2 CAs.
      • Thumb-rule: Everyone trusts Root CA
      • Diagram: Root CA at the top; Level-1 CA 1 and Level-1 CA 2 below it; Level-2 CA 1 to Level-2 CA 6 at the lowest level
  17. Security at IP Level
  18. IPSec – IP Security
      • Secures the IP packet by adding additional header
      • Selection of encryption, authentication and hashing methods left to the user
      • It requires a logical connection between two hosts, achieved using Security Association (SA)
      • An SA is defined by:
        – A 32-bit security parameter index (SPI)
        – Protocol type: Authentication Header (AH) or Encapsulating Security Payload (ESP)
        – The source IP address
      • Diagram: Transport Mode packet (IP Header, IPSec Header, Rest of the Packet) OR Tunnel Mode packet (New IP Header, IP Header, IPSec Header, Rest of the Packet)
  19. Security at Transport Layer
  20. Secure Sockets Layer (SSL)
      • Developed by Netscape
      • Used to establish secure connection between two parties
      • Protocol similar to TLS (p.t.o)
      • OpenSSL (www.openssl.org) provides libraries which implement SSL and TLS
      • Several application layer security protocols run on top of SSL, e.g. Secure HTTP (https)
  21. Transport Layer Security (TLS)
      • Designed by IETF; derived from SSL
      • Lies on top of Transport layer
      • Uses two protocols:
        – Handshake Protocol
        – Data exchange protocol
        – Uses secret key to encrypt data.
        – Secret key already shared during handshake
      • Diagram (messages between Client and Server): Hello, Certificate, Secret key, End Handshaking, Encrypted Ack
  22. Transport Layer Security (TLS)
      • Browser sends a hello message that includes TLS version and other preferences
  23. Transport Layer Security (TLS)
      • Server sends a certificate that has its public key
  24. Transport Layer Security (TLS)
      • Browser verifies the certificate. It generates a session key, encrypts with server’s public key and sends it to the server
  25. Transport Layer Security (TLS)
      • Browser sends handshake terminating message, encrypted by the secret key
  26. Transport Layer Security (TLS)
      • Server decrypts secret key with its private key. Uses secret key to decode message and sends encrypted ack
  27. Security at Application Layer
  28. Pretty Good Privacy (PGP)
      • Sender site diagram (steps 1 to 6), labels: Alice, Hash Function, Digest, Encrypt, Alice’s private key, Signed Digest, Message plus Signed Digest, Encrypt, One-time secret key, Encrypt, Bob’s public key, Encrypted (secret key & message + digest) to Bob
  29. Pretty Good Privacy (PGP)
      • Email message is hashed to create digest
  30. Pretty Good Privacy (PGP)
      • Digest is encrypted using Alice’s private key
  31. Pretty Good Privacy (PGP)
      • Signed digest added to the message
  32. Pretty Good Privacy (PGP)
      • The message and digest are encrypted using one time secret key created by Alice
  33. Pretty Good Privacy (PGP)
      • The secret key is encrypted using Bob’s public key
  34. Pretty Good Privacy (PGP)
      • The encrypted message, digest and secret key are sent to Bob
  35. PGP (contd.)
      • Receiver site diagram (steps 7 to 11), labels: Bob, Encrypted (secret key & message + digest), Bob’s private key, Decrypt, One-time secret key, Decrypt, Encrypted (message + digest), Decrypt, Alice’s public key, Digest, Hash Function, Digest, Compare
  36. PGP (contd.)
      • Bob decrypts the secret key with his private key
  37. PGP (contd.)
      • Bob decrypts the encrypted message and digest using the decrypted secret key
  38. PGP (contd.)
      • Bob decrypts the encrypted digest with Alice’s public key
  39. PGP (contd.)
      • Bob hashes the received message to create a digest (for message integrity)
  40. PGP (contd.)
      • The two digests are compared, thus providing authentication and integrity
  41. Sample PGP Signature
          From: alice@wonderland.com
          Date: Mon, 16 Nov 1998 19:03:30 -0600
          Subject: Message signed with PGP
          MIME-Version: 1.0
          Content-Type: text/plain; charset=US-ASCII
          Content-Transfer-Encoding: 7bit
          Content-Description: "cc:Mail Note Part"

          -----BEGIN PGP SIGNED MESSAGE-----

          Bob,

          This is a message signed with PGP, so you can see how much overhead PGP
          signatues introduce. Compare this with a similar message signed with S/MIME.

          Alice

          -----BEGIN PGP SIGNATURE-----
          Version: PGP for Personal Privacy 5.0
          Charset: noconv

          iQCVAwUBM+oTwFcsAarXHFeRAQEsJgP/X3noON57U/6XVygOFjSY5lTpvAduPZ8MaIFalUkCNuLLGxmtsbwRiDWLtCeWG3k+7zXDfx4YxuUcofGJn0QaTlk8b3nxADL0O/EIvC/k8zJ6aGaPLB7rTIizamGOt5n6/08rPwwVkRB03tmT8UNMAUCgoM02d6HXrKvnc2aBPFI==mUaH
          -----END PGP SIGNATURE-----
  42. S/MIME
      • Working principle similar to PGP
      • S/MIME uses multipart MIME type to include the cryptographic information with the message
      • S/MIME uses Cryptographic Message Syntax (CMS) to specify the cryptographic information
      • Creating S/MIME message (diagram labels): MIME Entity, Certificates, Algo identifiers, CMS Processing, CMS Object, MIME Wrapping, S/MIME
  43. Sample SMIME Signature
          From: alice@wonderland.com
          Date: Mon, 16 Nov 1998 19:03:08 -0600
          Subject: Message signed with S/MIME
          MIME-Version: 1.0
          Content-Type: multipart/mixed; boundary="simple boundary"

          --simple boundary
          Content-Type: text/plain; charset=US-ASCII
          Content-Transfer-Encoding: 7bit
          Content-Description: "cc:Mail Note Part"

          Bob,

          This is a message signed with S/MIME, so you can see how much overhead S/MIME
          signatures introduce. Compare this with a similar message signed with PGP.

          Alice

          --simple boundary
          Content-Type: application/octet-stream; name="smime.p7s"
          Content-Transfer-Encoding: base64
          Content-Disposition: attachment; filename="smime.p7s"

          [base64-encoded smime.p7s data]
  44. Sample SMIME
          --simple boundary--
  45. References
  46. References
      • Overview of cryptography:
        – www.rsalabs.com/faq/
        – http://www.faqs.org/faqs/cryptography-faq/part06/
      • Implementation of SSL and TLS:
        – www.openssl.org
      • S/MIME Internet task force:
        – www.imc.org/ietf-smime/index.html
      • Relationship between S/MIME and PGP/MIME:
        – www.imc.org/smime-pgpmime.html
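
The certificate and chain-of-trust check described in the Key Management (contd.), Certificates and Chain of Trust slides, as an added example that is not part of the original deck. Assumptions: Node.js built-in crypto, a simplified JSON certificate carrying the slide's fields instead of real ASN.1/X.509, validity given as years, and hypothetical names (`issueCert`, `verifyChain`, the sample hierarchy).

```javascript
const crypto = require('node:crypto');
const newKey = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Simplified certificate with the slide's fields as JSON (assumption: not real X.509).
function issueCert(subject, subjectKey, issuer, issuerKey, notBefore, notAfter) {
  const body = JSON.stringify({
    version: 3, serial: crypto.randomBytes(8).toString('hex'), issuer,
    notBefore, notAfter, subject,
    publicKey: subjectKey.publicKey.export({ type: 'spki', format: 'pem' }),
  });
  // Signature field: the CA signs the hash of the fields above with its private key.
  return { body, signature: crypto.sign('sha256', Buffer.from(body), issuerKey.privateKey) };
}

// Walk leaf -> intermediate -> root. Each certificate must be inside its validity
// period, name the next certificate as its issuer, and verify under that issuer's
// public key; the last certificate must verify under the trusted root key.
function verifyChain(chain, trustedRootPublicKey, now) {
  for (let i = 0; i < chain.length; i++) {
    const cert = JSON.parse(chain[i].body);
    if (now < cert.notBefore || now > cert.notAfter) return `outside validity: ${cert.subject}`;
    let issuerKey = trustedRootPublicKey;
    if (i + 1 < chain.length) {
      const parent = JSON.parse(chain[i + 1].body);
      if (parent.subject !== cert.issuer) return `issuer mismatch: ${cert.subject}`;
      issuerKey = crypto.createPublicKey(parent.publicKey);
    }
    if (!crypto.verify('sha256', Buffer.from(chain[i].body), issuerKey, chain[i].signature))
      return `bad signature: ${cert.subject}`;
  }
  return 'ok';
}

// Constructed sample hierarchy: Root CA -> Level-1 CA 1 -> Bob.
const root = newKey(), level1 = newKey(), bob = newKey(), untrusted = newKey();
const rootCert = issueCert('Root CA', root, 'Root CA', root, 2024, 2034);
const level1Cert = issueCert('Level-1 CA 1', level1, 'Root CA', root, 2024, 2030);
const bobCert = issueCert('Bob', bob, 'Level-1 CA 1', level1, 2024, 2026);
const chain = [bobCert, level1Cert, rootCert];

// A certificate claiming to be Bob's, signed with a key that no CA vouches for.
const forgedBob = issueCert('Bob', untrusted, 'Level-1 CA 1', untrusted, 2024, 2026);
```

Real X.509 validation also checks things this sketch omits, such as revocation and whether the issuer is allowed to act as a CA.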
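
The sender-site and receiver-site steps from the PGP slides, which also contain the sign and verify flow of the Digital Signatures slides, as an added example that is not part of the original deck and does not produce OpenPGP message format. Assumptions: Node.js built-in crypto, SHA-256 in place of the SHA-1/MD5 the slides name, AES-256-GCM as the one-time-key cipher, RSA-OAEP to encrypt the one-time key, and hypothetical function names.

```javascript
const crypto = require('node:crypto');

// Constructed 2048-bit RSA key pairs for Alice (sender) and Bob (receiver).
const alice = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const bob = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Sender site: hash and sign, append, encrypt with a one-time key, wrap the key.
function pgpStyleSend(message, senderPrivateKey, receiverPublicKey) {
  // Hash the message and sign the digest with the sender's private key.
  const signature = crypto.sign('sha256', message, senderPrivateKey);
  // Message plus signed digest; a 2-byte length prefix lets the receiver split them.
  const prefix = Buffer.alloc(2);
  prefix.writeUInt16BE(signature.length);
  const signed = Buffer.concat([prefix, signature, message]);
  // Encrypt message and digest with a one-time secret key (AES-256-GCM here).
  const oneTimeKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', oneTimeKey, iv);
  const body = Buffer.concat([cipher.update(signed), cipher.final()]);
  // Encrypt the one-time key with the receiver's public key (RSA-OAEP by default).
  const wrappedKey = crypto.publicEncrypt(receiverPublicKey, oneTimeKey);
  return { wrappedKey, iv, tag: cipher.getAuthTag(), body };
}

// Receiver site: unwrap the one-time key, decrypt, then check the signature.
function pgpStyleReceive(packet, receiverPrivateKey, senderPublicKey) {
  const oneTimeKey = crypto.privateDecrypt(receiverPrivateKey, packet.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', oneTimeKey, packet.iv);
  decipher.setAuthTag(packet.tag);
  const signed = Buffer.concat([decipher.update(packet.body), decipher.final()]);
  const sigLen = signed.readUInt16BE(0);
  const signature = signed.subarray(2, 2 + sigLen);
  const message = signed.subarray(2 + sigLen);
  // Re-hash the received message and compare against the digest in the signature.
  const valid = crypto.verify('sha256', message, senderPublicKey, signature);
  return { message: message.toString(), valid };
}

// Constructed sample message from Alice to Bob.
const SAMPLE = 'Bob, this is a signed and encrypted message. Alice';
const packet = pgpStyleSend(Buffer.from(SAMPLE), alice.privateKey, bob.publicKey);
```

Checking the signature against any key other than Alice's public key returns `valid: false`, and a modified ciphertext or the wrong private key makes `pgpStyleReceive` throw before any plaintext is returned.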
