Chap 28 security
TCP-IP BY FOROUZAN
Chapter 28
Security
TCP/IP Protocol Suite

Objectives
Upon completion you will be able to:
• Differentiate between two categories of cryptography schemes
• Understand four aspects of security
• Understand the concept of digital signature
• Understand the role of key management in entity authentication
• Know how and where IPSec, TLS, and PGP provide security

28.1 CRYPTOGRAPHY
The word cryptography in Greek means “secret writing.” The term today refers to the science and art of transforming messages to make them secure and immune to attacks.
The topics discussed in this section include:
Symmetric-Key Cryptography
Asymmetric-Key Cryptography
Comparison

Figure 28.1 Cryptography components

Note: In cryptography, the encryption/decryption algorithms are public; the keys are secret.

Note: In symmetric-key cryptography, the same key is used by the sender (for encryption) and the receiver (for decryption). The key is shared.

Figure 28.2 Symmetric-key cryptography

Note: In symmetric-key cryptography, the same key is used in both directions.

Figure 28.3 Caesar cipher
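The Caesar cipher of Figure 28.3 is the simplest place to see the symmetric-key idea of Figures 28.2 and 28.3 in code: one shared key serves both directions, and decryption is just encryption with the key negated. The block below is an added example written for this page, not code from the Forouzan slides; the function names and the sample text are its own. It also enumerates every usable key, which is what makes the slides' later point concrete: a 25-key cipher gives no real confidentiality, and DES-class ciphers (Figure 28.5) exist because the key space has to be far larger.

```python
# Added example (not from the slides): Caesar cipher as a symmetric-key
# cipher, with a key-space walk to show why the key must be large.
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Shift each letter forward by `key` positions; other characters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Same shared key, other direction: decryption is encryption by -key."""
    return caesar_encrypt(ciphertext, -key)


def usable_key_count() -> int:
    """Shift 0 leaves the text unchanged, so only 25 keys actually hide anything."""
    return 25


def all_candidate_plaintexts(ciphertext: str) -> dict:
    """Decrypt under every usable key. A reader can pick the meaningful one by
    eye, which is the whole weakness: the key space is the security, and
    here it is 25 entries long."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


if __name__ == "__main__":
    c = caesar_encrypt("HELLO", 3)          # constructed sample plaintext
    print(c, caesar_decrypt(c, 3))          # KHOOR HELLO
    for k, candidate in all_candidate_plaintexts(c).items():
        print(k, candidate)
```

The note on the slide that "the same key is used in both directions" is the line `caesar_decrypt` implements; nothing about the key changes between sender and receiver, only the sign of the shift.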
Figure 28.4 Transpositional cipher

Figure 28.5 DES

Figure 28.6 Iteration block

Figure 28.7 Triple DES

Note: The DES cipher uses the same concept as the Caesar cipher, but the encryption/decryption algorithm is much more complex.

Figure 28.8 Public-key cryptography

Figure 28.9 RSA

Note: Symmetric-key cryptography is often used for long messages.

Note: Asymmetric-key algorithms are more efficient for short messages.

28.2 PRIVACY
Privacy means that the sender and the receiver expect confidentiality. The transmitted message must make sense to only the intended receiver. To all others, the message must be unintelligible.
The topics discussed in this section include:
Privacy with Symmetric-Key Cryptography
Privacy with Asymmetric-Key Cryptography

Figure 28.10 Privacy using symmetric-key encryption

Figure 28.11 Privacy using asymmetric-key encryption

Note: Digital signature can provide authentication, integrity, and nonrepudiation for a message.

28.3 DIGITAL SIGNATURE
Digital signature can provide authentication, integrity, and nonrepudiation for a message.
The topics discussed in this section include:
Signing the Whole Document
Signing the Digest

Figure 28.12 Signing the whole document

Note: Digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption must be applied.

Figure 28.13 Hash function

Figure 28.14 Sender site

Figure 28.15 Receiver site
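Figures 28.13 to 28.15 describe "signing the digest": the sender hashes the message and signs only the fixed-length digest with its private key; the receiver recomputes the digest and compares it with what the sender's public key recovers from the signature. The block below is an added example written for this page, not code from the slides. It uses a deliberately tiny textbook RSA pair (p = 61, q = 53, so n = 3233) purely so the numbers are readable; that modulus is a toy, and the digest is reduced mod n only because SHA-256 output is far larger than n. Function names are this example's own.

```python
# Added example (not from the slides): sign-the-digest with a toy RSA pair.
import hashlib


def toy_rsa_keypair():
    """Textbook RSA with tiny primes, for illustration only."""
    p, q = 61, 53
    n = p * q                       # 3233
    phi = (p - 1) * (q - 1)         # 3120
    e = 17
    d = pow(e, -1, phi)             # 2753, modular inverse (Python 3.8+)
    return (e, n), (d, n)           # (public key, private key)


def digest_as_int(message: bytes, n: int) -> int:
    """Figure 28.13: a fixed-length digest of the message, here reduced mod n
    because the toy modulus is much smaller than a SHA-256 value."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Figure 28.14 (sender site): sign the digest, not the whole document."""
    d, n = private_key
    return pow(digest_as_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Figure 28.15 (receiver site): recompute the digest and compare it with
    the digest recovered from the signature using the public key."""
    e, n = public_key
    return pow(signature, e, n) == digest_as_int(message, n)


def demo():
    public_key, private_key = toy_rsa_keypair()
    message = b"Transfer 100 to Bob"              # constructed sample message
    sig = sign(message, private_key)

    genuine = verify(message, sig, public_key)
    # A signature that was altered in transit can never verify: RSA is a
    # bijection on Z_n, so exactly one value is the signature of this digest.
    forged = verify(message, (sig + 1) % public_key[1], public_key)
    # Integrity: a changed message gives a different digest. With a 12-bit toy
    # modulus the two digests could collide mod n about once in 3233 tries;
    # with a real modulus that chance is negligible.
    tampered = verify(b"Transfer 900 to Bob", sig, public_key)
    return genuine, forged, tampered


if __name__ == "__main__":
    print(demo())   # (True, False, False) expected
```

Note, as the slide says, that none of this hides the message: `message` travels in the clear, and privacy needs a separate encryption layer on top of the signature.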
28.4 ENTITY AUTHENTICATION
Entity authentication is a procedure that verifies the identity of one entity for another. An entity can be a person, a process, a client, or a server. In entity authentication, the identity is verified once for the entire duration of system access.
The topics discussed in this section include:
Entity Authentication with Symmetric-Key Cryptography
Entity Authentication with Asymmetric-Key Cryptography

Figure 28.16 Using a symmetric key only

Figure 28.17 Using a nonce

Figure 28.18 Bidirectional authentication
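Figure 28.17 adds a nonce to the symmetric-key authentication of Figure 28.16 so that a captured response cannot be replayed, and Figure 28.18 runs the exchange in both directions. The block below is an added example written for this page, not code from the slides: the verifier issues a fresh random nonce, the claimant returns a keyed MAC of it, and the verifier recomputes and compares. HMAC-SHA256 stands in for the slides' generic "encrypt the nonce with the shared key"; the shared key, identities and function names are constructed for this example. The claimant's identity is mixed into the MAC so that a response produced in one direction cannot be reused in the other, which the bidirectional scheme needs.

```python
# Added example (not from the slides): nonce-based challenge-response
# entity authentication with a shared symmetric key.
import hmac
import hashlib
import secrets

SHARED_KEY = b"constructed-shared-key-for-alice-and-bob"   # constructed


def new_challenge() -> bytes:
    """Verifier side: a fresh, unpredictable nonce for every attempt."""
    return secrets.token_bytes(16)


def respond(key: bytes, nonce: bytes, claimant_id: str) -> bytes:
    """Claimant side: prove knowledge of the key without revealing it.
    The identity is bound into the MAC so the response is direction-specific."""
    return hmac.new(key, claimant_id.encode() + nonce, hashlib.sha256).digest()


def check_response(key: bytes, nonce: bytes, claimant_id: str, response: bytes) -> bool:
    """Verifier side: recompute the expected response and compare in constant time."""
    expected = respond(key, nonce, claimant_id)
    return hmac.compare_digest(expected, response)


def run_protocol() -> dict:
    # Honest run: Bob challenges, Alice answers, Bob accepts.
    n1 = new_challenge()
    r1 = respond(SHARED_KEY, n1, "Alice")
    honest = check_response(SHARED_KEY, n1, "Alice", r1)

    # Replay: the earlier response presented against a new challenge fails.
    # This is the difference between Figure 28.16 and Figure 28.17.
    n2 = new_challenge()
    replay_accepted = check_response(SHARED_KEY, n2, "Alice", r1)

    # Wrong key: without the shared key no valid response can be produced.
    wrong_key_accepted = check_response(
        SHARED_KEY, n2, "Alice", respond(b"some-other-key", n2, "Alice"))

    # Reflection: Bob's own answer to the same nonce is not Alice's answer,
    # because the identity is part of the MAC input (Figure 28.18).
    reflected_accepted = check_response(
        SHARED_KEY, n2, "Alice", respond(SHARED_KEY, n2, "Bob"))

    return {"honest": honest, "replay_accepted": replay_accepted,
            "wrong_key_accepted": wrong_key_accepted,
            "reflected_accepted": reflected_accepted}


if __name__ == "__main__":
    print(run_protocol())
```

The slide's reason for the nonce is visible in `replay_accepted`: a response is only meaningful for the challenge it answers, so recording traffic gains nothing against a later session.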
28.5 KEY MANAGEMENT
In this section we explain how symmetric keys are distributed and how public keys are certified.
The topics discussed in this section include:
Symmetric-Key Distribution
Public-Key Certification
Kerberos

Note: A symmetric key between two parties is useful if it is used only once; it must be created for one session and destroyed when the session is over.

Figure 28.19 Diffie-Hellman method

Note: The symmetric (shared) key in the Diffie-Hellman protocol is K = G^xy mod N.

Example 1
Let us give an example to make the procedure clear. Our example uses small numbers, but note that in a real situation, the numbers are very large. Assume G = 7 and N = 23. The steps are as follows:
1. Alice chooses x = 3 and calculates R1 = 7^3 mod 23 = 21.
2. Alice sends the number 21 to Bob.
3. Bob chooses y = 6 and calculates R2 = 7^6 mod 23 = 4.
4. Bob sends the number 4 to Alice.
5. Alice calculates the symmetric key K = 4^3 mod 23 = 18.
6. Bob calculates the symmetric key K = 21^6 mod 23 = 18.
The value of K is the same for both Alice and Bob; G^xy mod N = 7^18 mod 23 = 18.
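Example 1 carried through in code, as an added example for this page rather than code from the slides. It reproduces the six steps with the slides' values (G = 7, N = 23, x = 3, y = 6) and works for any (G, N, x, y) via Python's modular `pow()`. It also includes a brute-force search for a private exponent from the public value, which is only feasible because N is tiny; that is the slide's remark that "in a real situation, the numbers are very large" made concrete. Function names are this example's own.

```python
# Added example (not from the slides): Diffie-Hellman Example 1 in code.

def public_value(G: int, secret: int, N: int) -> int:
    """R = G^secret mod N: the value each side sends over the open channel."""
    return pow(G, secret, N)


def shared_key(received: int, secret: int, N: int) -> int:
    """K = received^secret mod N, computed independently by each side."""
    return pow(received, secret, N)


def diffie_hellman(G: int, N: int, x: int, y: int) -> dict:
    R1 = public_value(G, x, N)          # step 1: Alice computes R1 = G^x mod N
    R2 = public_value(G, y, N)          # step 3: Bob computes R2 = G^y mod N
    K_alice = shared_key(R2, x, N)      # step 5: Alice computes R2^x mod N
    K_bob = shared_key(R1, y, N)        # step 6: Bob computes R1^y mod N
    # The note on the slide: both equal G^xy mod N.
    assert K_alice == K_bob == pow(G, x * y, N)
    return {"R1": R1, "R2": R2, "K": K_alice}


def recover_secret_by_search(G: int, R: int, N: int) -> int:
    """Find the smallest exponent s with G^s mod N == R by trying every value.
    With N = 23 this takes at most 22 steps; with the modulus sizes used in
    practice the same search is infeasible, which is the only thing keeping
    x and y secret when R1 and R2 are sent in the clear."""
    for s in range(1, N):
        if pow(G, s, N) == R:
            return s
    raise ValueError("no exponent found")


if __name__ == "__main__":
    run = diffie_hellman(7, 23, 3, 6)
    print(run)                                         # {'R1': 21, 'R2': 4, 'K': 18}
    print(recover_secret_by_search(7, run["R1"], 23))  # 3, only because N is tiny
```

Nothing in the exchange tells Alice who sent R2, which is the gap Figure 28.20 (man-in-the-middle) and the later KDC and certificate-based methods address: the key agreement has to be combined with authentication of the two ends.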
Figure 28.20 Man-in-the-middle attack

Figure 28.21 First approach using KDC

Figure 28.22 Needham-Schroeder protocol

Figure 28.23 Otway-Rees protocol

Note: In public-key cryptography, everyone has access to everyone’s public key.

Table 28.1 X.509 fields

Figure 28.24 PKI hierarchy

Figure 28.25 Kerberos servers

Figure 28.26 Kerberos example

28.6 SECURITY IN THE INTERNET
In this section we discuss a security method for each of the top 3 layers of the Internet model. At the IP level we discuss a protocol called IPSec; at the transport layer we discuss a protocol that “glues” a new layer to the transport layer; at the application layer we discuss a security method called PGP.
The topics discussed in this section include:
IP Level Security: IPSec
Transport Layer Security
Application Layer Security: PGP

Figure 28.27 Transport mode

Figure 28.28 Tunnel mode

Figure 28.29 AH

Note: The AH protocol provides message authentication and integrity, but not privacy.

Figure 28.30 ESP

Note: ESP provides message authentication, integrity, and privacy.

Figure 28.31 Position of TLS

Figure 28.32 TLS layers

Figure 28.33 Handshake protocol

Figure 28.34 Record Protocol

Figure 28.35 PGP at the sender site

Figure 28.36 PGP at the receiver site

28.7 FIREWALLS
A firewall is a device (usually a router or a computer) installed between the internal network of an organization and the rest of the Internet. It is designed to forward some packets and filter (not forward) others.
The topics discussed in this section include:
Packet-Filter Firewall
Proxy Firewall

Figure 28.37 Firewall

Figure 28.38 Packet-filter firewall

Note: A packet-filter firewall filters at the network or transport layer.
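A packet-filter firewall (Figure 28.38) decides from network- and transport-layer header fields only: source and destination address, protocol, and port. The block below is an added example written for this page, not code from the slides: a first-match rule table with a default-deny fallthrough, evaluated against a few constructed packets. The addresses, rules and class names are made up for the example. Because the rules never look past the transport header, the same code also shows the limit the slide's proxy-firewall note refers to: a packet to an allowed port is forwarded whatever its application content, which is the part only a proxy at the application layer can judge.

```python
# Added example (not from the slides): a first-match packet filter table.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    """Only the fields a packet filter can see (network/transport layer)."""
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass
class Rule:
    action: str         # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


# Constructed rule table for a firewall facing the Internet; 10.0.0.0/8 is
# the internal network, 203.0.113.0/24 the organization's public servers.
RULES = [
    Rule("deny", src="10.0.0.0/8"),                                 # internal source seen from outside: spoofed
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443),   # public web server
    Rule("allow", dst="203.0.113.20/32", proto="udp", dport=53),    # public DNS
    Rule("deny", proto="tcp", dport=23),                            # telnet never enters
]


def decide(p: Packet, rules=RULES) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def filter_batch(packets, rules=RULES) -> list:
    return [(p, decide(p, rules)) for p in packets]


if __name__ == "__main__":
    sample = [  # constructed packets arriving from the Internet side
        Packet("198.51.100.5", "203.0.113.10", "tcp", 443),
        Packet("198.51.100.5", "203.0.113.20", "udp", 53),
        Packet("10.1.2.3", "203.0.113.10", "tcp", 443),
        Packet("198.51.100.5", "203.0.113.10", "tcp", 23),
        Packet("198.51.100.5", "203.0.113.30", "tcp", 80),
    ]
    for p, verdict in filter_batch(sample):
        print(f"{p.src} -> {p.dst} {p.proto}/{p.dport}: {verdict}")
```

The order of the table matters: the spoofed-source deny sits first so that no later allow can be reached by a packet claiming an internal address, and the final default deny is what turns the list from "block known bad" into "forward only what is listed".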
Figure 28.39 Proxy firewall

Note: A proxy firewall filters at the application layer.
Uploaded by mrsaisai, Oct. 1, 2015