Cryptography PPT for Unit III and IV

1. CRYPTOGRAPHY AND
NETWORK SECURITY
Prepared by
R. Arthy,
Assistant Professor,
Kamaraj College of Engineering and Technology

2. UNIT III
Message Authentication and Hash
Functions

3. • Message authentication is concerned with:
 Protecting the integrity of a message
 Validating identity of originator
 Non-repudiation of origin (dispute resolution)
• Will consider the security requirements
• Then three alternative functions used:
 Message encryption
 Message authentication code (MAC)
 Hash function
Message Authentication

4. Security Requirements
1. Disclosure
2. Traffic analysis
3. Masquerade
4. Content modification
5. Sequence modification
6. Timing modification
7. Source repudiation
8. Destination repudiation

5. Message Encryption
• Message encryption by itself also provides a measure of
authentication.
• If symmetric encryption is used then:
 Receiver know sender must have created it since only
sender and receiver know the key used
 Content of the message cannot be altered if the message
has a suitable structure, redundancy or a checksum to
detect any changes

6. Message Encryption
• If public-key encryption is used:
 Encryption provides no confidence of sender, since anyone
potentially knows public-key.
 However, if sender signs message using their private-key,
then encrypts with recipients public key, provides both
secrecy and authentication.
 Again need to recognize corrupted messages.
 But at cost of two public-key uses on message.

7. Basic Use of Message Encryption

8. Basic Use of Message Encryption
Confidentiality and Authentication Implications of Message Encryption

9. Basic Use of Message Encryption
Confidentiality and Authentication Implications of Message Encryption

10. MESSAGE AUTHENTICATION CODE

11. Message Authentication Code (MAC)
• Generated by an algorithm that creates a small fixed-sized
block
 Depending on both message and some key.
 Like encryption though need not be reversible.
• Appended to message as a signature.
• Receiver performs same computation on message and checks
it matches the MAC.
• Provides assurance that message is unaltered and comes from
sender.

12. Message Authentication Code (MAC)
• A message authentication code (MAC), also known as a
cryptographic checksum, is an authentication technique
involves the use of a secret key to generate a small fixed-size
block of data.

13. Message Authentication Code (MAC)

14. Message Authentication Code (MAC)

15. Message Authentication Codes (MACs)
• As shown the MAC provides confidentiality.
• Can also use encryption for secrecy:
 Generally use separate keys for each.
 Can compute MAC either before or after encryption.
 Is generally regarded as better done before.
• Why use a MAC?
 Sometimes only authentication is needed.
 Sometimes need authentication to persist longer than the
encryption (e.g., archival use).
• Note that a MAC is not a digital signature.

16. MAC Properties
• A MAC is a cryptographic checksum.
MAC = CK(M)
• Condenses a variable-length message M
• using a secret key K
• to a fixed-sized authenticator.
• It is a many-to-one function
 Potentially many messages have same MAC.
 Finding these needs to be very difficult.

17. Requirements for MACs
• Taking into account the types of attacks.
• Need the MAC to satisfy the following:
1. Knowing a message and MAC, is infeasible to find
another message with same MAC.
2. MACs should be uniformly distributed.
3. MAC should depend equally on all bits of the message.

18. Message Authentication Code Based on DES
• Can use any block cipher chaining mode and use final block as
a MAC.
• Data Authentication Algorithm (DAA) is a widely used MAC
based on DES-CBC.
 Using IV=0 and zero-pad of final block.
 Encrypt message using DES in CBC mode.
 Send just the final block as the MAC or the leftmost M bits
(16≤M≤64) of final block.
• But final MAC is now too small for security.

19. Message Authentication Code Based on DES

20. HASH FUNCTION

21. Hash Functions
• A hash function h is generated by a function H of the form:
h = H(M)
• Condenses arbitrary message to fixed size; usually assume that
the hash function is public and not keyed as compared to MAC
which is keyed.
• Hash used to detect changes to message.
• Can use in various ways with message.
• Most often to create a digital signature.

23. Hash Functions and Digital Signatures
Basic Use of Hash Function.

24. Hash Functions and Digital Signatures
Basic Use of Hash Function.

25. Hash Functions and Digital Signatures
Basic Use of Hash Function H.

26. Hash Function Properties
• A Hash Function produces a fingerprint of some
file/message/data
h = H(M)
 Condenses a variable-length message M to a fixed-sized
fingerprint.
• Assumed to be public.

27. Other Hash Function Uses
 to create a one-way password file
 store hash of password not actual password
 for intrusion detection and virus detection
 keep & check hash of files on system
 pseudorandom function (PRF) or pseudorandom number
generator (PRNG)

28. Requirements for Hash Functions
1. Can be applied to any sized message M.
2. Produces fixed-length output h.
3. It is easy to compute h=H(M) for any message M.
4. Given h is infeasible to find x (H(x)=h)
• One-way property
5. Given x is infeasible to find y (H(y)=H(x))
• Weak collision resistance
6. It is infeasible to find any x, y (H(y)=H(x))
• Strong collision resistance

29.  consider two simple insecure hash functions
 bit-by-bit exclusive-OR (XOR) of every block
 Ci = bi1 xor bi2 xor . . . xor bim
 a longitudinal redundancy check
 reasonably effective as data integrity check
 one-bit circular shift on hash value
 for each successive n-bit block
 rotate current hash value to left by1bit and XOR block
 good for data integrity but useless for security
Simple Hash Functions

30. Simple Hash Function Using Bitwise XOR
Bit 1 Bit 2 … Bit n
Block 1 b11 b21 … bn1
Block 2 b12 b22 … Bn2
… … … … …
Block m b1m b2m … bnm
Hash Code C1 C2 … Cn

32. Simple Hash Functions
Two Simple Hash Functions

33. Requirements for Hash Functions

34.  have brute-force attacks and cryptanalysis
 a preimage or second preimage attack
 find y s.t. H(y) equals a given hash value
 collision resistance
 find two messages x & y with same hash so H(x)
= H(y)
 hence value 2m/2 determines strength of hash code
against brute-force attacks
 128-bits inadequate, 160-bits suspect
Attack on Hash Function

35. Birthday Attacks
• Might think a 64-bit hash is secure, but by Birthday Paradox is
not
• Birthday attack works thus:
 given user prepared to sign a valid message x
 opponent generates 2
m/2 variations x’ of x, all with
essentially the same meaning, and saves them
 opponent generates 2
m/2 variations y’ of a desired
fraudulent message y
 two sets of messages are compared to find pair with same
hash (probability > 0.5 by birthday paradox)
 have user sign the valid message, then substitute the
forgery which will have a valid signature
 conclusion is that need to use larger MAC/hash

36. General Structure of Secure Hash code
L
 cryptanalytic attacks exploit some property of alg so faster
than exhaustive search
 hash functions use iterative structure
 process message in blocks (incl length)
 attacks focus on collisions in function f

37. Block Ciphers as Hash Functions
• Can use block ciphers as hash functions
 Using H0=0 and zero-pad of final block
 compute: Hi = EMi
[Hi-1]
 Use final block as the hash value
 Similar to CBC but without a key
• Resulting hash is too small (64-bit)
 Due to direct birthday attack
 Due to “meet-in-the-middle” attack
• Other variants also susceptible to attack

38. Hash Functions and MAC Security
• Brute-force attacks exploiting:
 Strong collision resistance hash have cost 2
m/2.
 Have proposal for hardware MD5 cracker.
 128-bit hash looks vulnerable, 160-bits better.
 MACs with known message-MAC pairs
 Can either attack keyspace (key search) or MAC.
 At least 128-bit MAC is needed for security.

39. • Cryptanalytic attacks exploit structure
 Like block ciphers want brute-force attacks to be the best
alternative.
• Have a number of analytic attacks on iterated hash functions.
CVi = f[CVi-1, Mi]; H(M)=CVN
 Typically focus on collisions in function f.
 Like block ciphers is often composed of rounds.
 Attacks exploit properties of round functions.
Hash Functions and MAC Security

40. MD5 ALGORITHM

41. 41
MD5
 designed by Ronald Rivest (the “R” in RSA)
 latest in a series of MD2, MD4
 produces a 128-bit hash value
 until recently was the most widely used hash algorithm
 in recent times have both brute-force & cryptanalytic
concerns
 specified as Internet standard RFC1321

42. 42
MD5 OVERVIEW
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 4-word (128-bit) MD buffer
(A,B,C,D)
4. process message in 16-word (512-bit) blocks:
 using 4 rounds of 16 bit operations on message
block & buffer
 add output to buffer input to form new buffer value
5. output hash value is the final buffer value

43. 43
MD5 OVERVIEW

44. IMPLEMENTATION STEPS
 Step 1: Append padding bits
 The message is Padded so that its bit length ≡ 448 mod 512
(i.e., the length of padded message is 64 bits less than an
integer multiple of 512 bits)
 Padding is always added, even if the message is already of
the desired length (1 to 512 bits)
 Padding bits: 1000….0 (a single 1-bit followed by the
necessary number of 0-bits)

45. IMPLEMENTATION STEPS
 Step 2: Append length A 64-bit length
 contains the length of the original message modulo 264
 The expanded message is Y0, Y1, …, YL-1; the total length is
L × 512 bits
 The expanded message can be thought of as a multiple of 16
32-bit words
 Let M[0 … N-1] denote the word of the resulting message,
where N = L × 16

46. IMPLEMENTATION STEPS
 Step 3: Initialize MD buffer
 128-bit buffer (four 32-bit registers A,B,C,D) is used to hold
intermediate and final results of the hash function
 A,B,C,D are initialized to the following values
 A = 67452301
 B = EFCDAB89
 C = 98BADCFE
 D = 10325476
 Stored in little-endian format (least significant byte of a word
in the low-address byte position)
 word A : 01 23 45 67 (low address … high address)
 word B : 89 AB CD EF
 word C : FE DC BA 98
 word D : 76 54 32 10

47. IMPLEMENTATION STEPS
 Step 4: Process message in 512-bit (16-word) blocks
 Heart of the algorithm called a compression function Consists
of 4 rounds
 The 4 rounds have a similar structure, but each uses a
different primitive logical functions, referred to as F, G, H,
and I
 Each round takes as input the current 512-bit block (Yq), 128-
bit buffer value ABCD and updates the contents of the buffer
 Each round also uses the table T[1 … 64], constructed from
the sine function; T[i] = 232 × abs(sin(i))
 The output of 4th round is added to the CVq to produce
CVq+1

49. IMPLEMENTATION STEPS
 Step 5: Output
 After all L 512-bit blocks have been processed, the output
from the Lth stage is the 128- bit message digest
 CV0 = IV
 CVq+1 = SUM32(CVq, RFI[Yq, RFH[Yq, RFG[Yq, RFF[Yq, CVq]]])
 MD = CVL
Where
 IV = initial value of the ABCD buffer, defined in step 3
 Yq = the qth 512-bit block of the message
 L = the number of blocks in the message (including padding and
length fields)
 CVq = chaining variable processed with the qth block of the message
 RFx = round function using primitive logical function x
 MD = final message digest value
 SUM32 = addition modulo 232 performed separately on each word

50. MD5 COMPRESSION FUNCTION
 Each round consists of a sequence of 16 steps operating on the
buffer ABCD
 Each step is of the form
 a ← b + (( a + g(b, c, d) + X[k] + T[i] <<< s )
 where a,b,c,d = the 4 words of the buffer, in a specified order that varies
across steps g = one of the primitive functions F, G, H, I
 <<s = circular left shift (rotation) of the 32-bit arguments by s bits
 X[k] = M[q × 16 + k] = the kth 32-bit word in the qth 512-bit block of the
message
 T[i] = the ith 32-bit word in table T
 + = addition modulo 232 `

51. 51
MD5 COMPRESSION FUNCTION

52. MD5 OPERATION
 One of the 4 primitive logical functions is used in each 4
rounds of the algorithm
 Each primitive function takes three 32-bit words as input
and produces a 32-bit word output
 Each function performs a set of bitwise logical
operations

53. MD4
 precursor to MD5
 also produces a 128-bit hash of message
 has 3 rounds of 16 steps versus 4 in MD5
 design goals:
 collision resistant (hard to find collisions)
 direct security (no dependence on "hard" problems)
 fast, simple, compact
 favors little-endian systems (eg PCs)

54. STRENGTH OF MD5
 MD5 hash is dependent on all message bits
 Rivest claims security is good as can be
 known attacks are:
 Berson 92 attacked any 1 round using differential
cryptanalysis (but can’t extend)
 Boer & Bosselaers 93 found a pseudo collision (again
unable to extend)
 Dobbertin 96 created collisions on MD compression
function (but initial constants prevent exploit)
 conclusion is that MD5 looks vulnerable soon

55. SHA 512

56. OVERVIEW
 Developed by NIST (National Institute of Standards and
Technology)
 Published as a FIPS 180 in 1993
 A revised version is issued as FIPS 180-1 IN 1995
 Generally referred to as SHA-1
 SHA is based on the hash function MD4 and its design closely
models MD4.
 SHA- 1 produces a hash value of 160 bits.
 Revised version of the standard, FIPS 180-2, that defined three new
versions of SHA, with hash value lengths of 256, 384 and 512 bits,
known as SHA-256, SHA-384 and SHA-512.

57. SHA OVERVIEW
1. pad message so its length is 896 mod 1024
2. append a 128-bit length value to message
3. initialise 8-word (512-bit) buffer (A,B,C,D,E,F,G,H)
4. process message in 128-word (1024-bit) chunks:
5. output hash value is the final buffer value

58. OVERVIEW

59. IMPLEMENTATION STEPS
 Step 1: Append padding bits
 The message is Padd d so that its bit length is congruent to
896 modulo 1024 [length K ≡ 896 mod 1024]
 Padding is always added, even if the message is already of
the desired length.
 Thus, the number of padding bits is in the range of 1 to 1024.
 The padding consists of a single 1-bit followed by the
necessary number of 0-bits.

60. IMPLEMENTATION STEPS
 Step 2: Append length
 A block of 128-bits is appended to the message.
 This block is treated as an unsigned 128-bit integer (most
significant byte first) and contains the length of the original
message (before the padding).
 The outcome of the first two steps yields a message that is an
integer multiple of 1024 bits in length.
 In Figure, the expanded message is represented as the
sequence of 1024-bit blocks M1, M2,.., Mn, so that the total
length of the expanded message is N x 1024 bits.

61. IMPLEMENTATION STEPS
 Step 3: Initialize hash buffer
 A 512-bit buffer is used to hold intermediate and final results of the hash
function.
 The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g and
h).
 These registers are initialized to the following 64-bit integers (hexadecimal
values):
 These values are stored in big-endian format, which is the most significant
byte of a word in the low-address (leftmost) byte position.
 These words were obtained by taking the first sixty-four bits of the
fractional parts of the square roots of the first eight prime numbers.

62. IMPLEMENTATION STEPS
 Step 4: Process message in 1024-bit (128-word) blocks
 The heart of the algorithm is a module that consists of 80 rounds; this
module is labeled F in above figure.
 Each round takes as input the 512-bit buffer value, abcdefgh, and
updates the contents of the buffer.
 At input to the first round, the buffer has the value of the intermediate
hash value, Hi-1.
 Each round t makes use of a 64-bit value Wt, derived from the current
1024-bit block being processed (Mi).
 Each round also makes use of an additive constant Kt, where 0 ≤ t ≤ 79
indicates one of the 80 rounds.
 The output of the eightieth round is added to the input to the first round
(Hi-1) to produce Hi. The addition is done independently for each of the
eight words in the buffer with each of the corresponding words in Hi-1,
using addition modulo 264.

64. IMPLEMENTATION STEPS
 Step 5: Output
 After all N 1024-bit blocks have been processed, the output
from the Nth stage is the 512-bit message digest.
 H0 = IV,Hi = SUM64 (Hi-1, abcdefghi)
 MD = HN
where,
 IV = initial value of the abcdefgh buffer, defined in step 3.
 abcdefghi = the output of the last round of processing of the ith
message block.
 N = the number of blocks in the message (including padding and
length fields).
 SUM64 = Addition modulo 264 performed separately on each word of
the pair of inputs.
 MD = final message digest value.

65. COMPRESSION FUNCTION

67. GENERATION OF INPUT SEQUENCE

68. HMAC

69. HMAC DESIGN PRINCIPLES
 To use, without modifications, in available hash functions. In
particular, to use hash functions that perform well in software
and for which code is freely and widely available.
 To allow for easy replaceability of the embedded hash
function in case faster or more secure hash functions are
found or required.
 To preserve the original performance of the hash function
without incurring a significant degradation.
 To use and handle keys in a simple way.
 To have a well understood cryptographic analysis of the
strength of the authentication mechanism based on reasonable
assumptions about the embedded hash function.

70. ALGORITHM
 HMAC defines the following terms.
 H = embedded hash function (e.g., MD5, SHA-1, RIPEMD-
160) IV = initial value input to hash function
 M = message input to HMAC (including the padding specified
in the embedded hash function)
 Yi = i th block of M, 0 ≤ i ≤ (L - 1)
 L = number of blocks in M
 b = number of bits in a block
 n = length of hash code produced by embedded hash fu ction
 K = secret key; recommended length is ≥ n; if key length s
greater than b, the key is input to the hash function to produce
an n-bit key
 K+ = K padded with zeros on the left so that the result is b bits
in length ipad = 00110110 (36 in hexadecimal) repeated b/8
times opad = 01011100 (5C in hexadecimal) repeated b/8
times

72. ALGORITHM
 The algorithm is as follows:
 1. Append zeros to the left end of K to create a b-bit string K+
(e.g., if K is of length 160 bits and b = 512, then K will be
appended with 44 zeroes).
 2. XOR (bitwise exclusive-OR) K+ with ipad to produce the b-
bit block Si.
 3. Append M to Si.
 4. Apply H to the stream generated in step 3.
 5. XOR K+ with opad to produce the b-bit block So.
 6. Append the hash result from step 4 to So.
 7. Apply H to the stream generated in step 6 and output the
result.

73. CMAC

74. DIGITAL SIGNATURE STANDARD

77. ELGAMAL DIGITAL SIGNATURE

80. SCHNORR DIGITAL SIGNATURE

83. CS6701 – CRYPTOGRAPHY AND
NETWORK SECURITY
Unit IV

84. INTRUSION DETECTION

85. INTRUDERS
 significant issue for networked systems is hostile or
unwanted access
 either via network or local
 can identify classes of intruders:
 masquerader
 misfeasor
 clandestine user
 varying levels of competence

86. INTRUDERS
 clearly a growing publicized problem
 from “Wily Hacker” in 1986/87
 to clearly escalating CERT stats
 may seem benign, but still cost resources
 may use compromised system to launch other
attacks
 awareness of intruders has led to the development
of CERTs

87. INTRUSION TECHNIQUES
 aim to gain access and/or increase privileges on a
system
 basic attack methodology
 target acquisition and information gathering
 initial access
 privilege escalation
 covering tracks
 key goal often is to acquire passwords
 so then exercise access rights of owner

88. PASSWORD CAPTURE
 another attack involves password capture
 watching over shoulder as password is entered
 using a trojan horse program to collect
 monitoring an insecure network login
 eg. telnet, FTP, web, email
 extracting recorded info after successful login
(web history/cache, last number dialed etc)
 using valid login/password can impersonate
user
 users need to be educated to use suitable
precautions/countermeasures

89. INTRUSION DETECTION
 inevitably will have security failures
 so need also to detect intrusions so can
 block if detected quickly
 act as deterrent
 collect info to improve security
 assume intruder will behave differently to a
legitimate user
 but will have imperfect distinction between

90. PASSWORD GUESSING
 one of the most common attacks
 attacker knows a login (from email/web page etc)
 then attempts to guess password for it
 defaults, short passwords, common word searches
 user info (variations on names, birthday, phone,
common words/interests)
 exhaustively searching all possible passwords
 check by login or against stolen password file
 success depends on password chosen by user
 surveys show many users choose poorly

91. APPROACHES TO INTRUSION
DETECTION
 statistical anomaly detection
 threshold
 profile based
 rule-based detection
 anomaly
 penetration identification

92. AUDIT RECORDS
 fundamental tool for intrusion detection
 native audit records
 part of all common multi-user O/S
 already present for use
 may not have info wanted in desired form
 detection-specific audit records
 created specifically to collect wanted info
 at cost of additional overhead on system

93. STATISTICAL ANOMALY DETECTION
 threshold detection
 count occurrences of specific event over time
 if exceed reasonable value assume intrusion
 alone is a crude & ineffective detector
 profile based
 characterize past behavior of users
 detect significant deviations from this
 profile usually multi-parameter

94. AUDIT RECORD ANALYSIS
 foundation of statistical approaches
 analyze records to get metrics over time
 counter, gauge, interval timer, resource use
 use various tests on these to determine if current
behavior is acceptable
 mean & standard deviation, multivariate, markov
process, time series, operational
 key advantage is no prior knowledge used

95. RULE-BASED INTRUSION DETECTION
 observe events on system & apply rules to decide if
activity is suspicious or not
 rule-based anomaly detection
 analyze historical audit records to identify usage
patterns & auto-generate rules for them
 then observe current behavior & match against rules to
see if conforms
 like statistical anomaly detection does not require prior
knowledge of security flaws

96. RULE-BASED INTRUSION DETECTION
 rule-based penetration identification
 uses expert systems technology
 with rules identifying known penetration, weakness patterns,
or suspicious behavior
 compare audit records or states against rules
 rules usually machine & O/S specific
 rules are generated by experts who interview & codify
knowledge of security admins
 quality depends on how well this is done

97. BASE-RATE FALLACY
 practically an intrusion detection system needs to
detect a substantial percentage of intrusions with
few false alarms
 if too few intrusions detected -> false security
 if too many false alarms -> ignore / waste time
 this is very hard to do
 existing systems seem not to have a good record

98. DISTRIBUTED INTRUSION DETECTION
 traditional focus is on single systems
 but typically have networked systems
 more effective defense has these working together
to detect intrusions
 issues
 dealing with varying audit record formats
 integrity & confidentiality of networked data
 centralized or decentralized architecture

99. DISTRIBUTED INTRUSION DETECTION
- ARCHITECTURE

100. DISTRIBUTED INTRUSION DETECTION
– AGENT IMPLEMENTATION

101. HONEYPOTS
 decoy systems to lure attackers
 away from accessing critical systems
 to collect information of their activities
 to encourage attacker to stay on system so administrator can
respond
 are filled with fabricated information
 instrumented to collect detailed information on attackers
activities
 single or multiple networked systems
 cf IETF Intrusion Detection WG standards

102. PASSWORD MANAGEMENT
 front-line defense against intruders
 users supply both:
 login – determines privileges of that user
 password – to identify them
 passwords often stored encrypted
 Unix uses multiple DES (variant with salt)
 more recent systems use crypto hash function
 should protect password file on system

103. PASSWORD STUDIES
 Purdue 1992 - many short passwords
 Klein 1990 - many guessable passwords
 conclusion is that users choose poor passwords too
often
 need some approach to counter this

104. MANAGING PASSWORDS - EDUCATION
 can use policies and good user education
 educate on importance of good passwords
 give guidelines for good passwords
 minimum length (>6)
 require a mix of upper & lower case letters, numbers,
punctuation
 not dictionary words
 but likely to be ignored by many users

105. MANAGING PASSWORDS - COMPUTER
GENERATED
 let computer create passwords
 if random likely not memorisable, so will be written
down (sticky label syndrome)
 even pronounceable not remembered
 have history of poor user acceptance
 FIPS PUB 181 one of best generators
 has both description & sample code
 generates words from concatenating random
pronounceable syllables

106. MANAGING PASSWORDS - REACTIVE
CHECKING
 reactively run password guessing tools
 note that good dictionaries exist for almost any
language/interest group
 cracked passwords are disabled
 but is resource intensive
 bad passwords are vulnerable till found

107. MANAGING PASSWORDS - PROACTIVE
CHECKING
 most promising approach to improving password
security
 allow users to select own password
 but have system verify it is acceptable
 simple rule enforcement (see earlier slide)
 compare against dictionary of bad passwords
 use algorithmic (markov model or bloom filter) to detect
poor choices

108. FIREWALLS

109.  Establish a controlled link
 Protect the premises network from Internet-based
attacks
 Provide a single choke point
FIREWALL DESIGN PRINCIPLES:

110. Design Goals
 All traffic from inside to outside must pass through
the firewall (physically blocking all access to the
local network except via the firewall)
 Only authorized traffic (defined by the local security
police) will be allowed to pass
 The firewall itself is immune to penetration (use of
trusted system with a secure operating system)
FIREWALL CHARACTERISTICS

111. General Techniques
 Service control
 Direction control
 User control
 Behavior control
CONTD…

112.  Scope of Firewall
 A firewall defines a single choke point that keeps unauthorized
users out of the protected network, prohibits potentially
vulnerable services from entering or leaving the network, and
provides protection from various kinds of IP spoofing and routing
attacks. The use of a single choke point simplifies security
management because security capabilities are consolidated on a
single system or set of systems.
 A firewall provides a location for monitoring security-related
events. Audits and alarms can be implemented on the firewall
system.
 A firewall is a convenient platform for several Internet functions
that are not security related. These include a network address
translator, which maps local addresses to Internet addresses, and
a network management function that audits or logs Internet
usage.
 A firewall can serve as the platform for IPsec. Using the tunnel
mode capability described in Chapter 19, the firewall can be used
to implement virtual private networks
CONTD….

113.  Limitations
 The firewall cannot protect against attacks that bypass the
firewall. Internal systems may have dial-out capability to
connect to an ISP. An internal LAN may support a modem
pool that provides dial-in capability for traveling employees
and telecommuters.
 The firewall may not protect fully against internal threats,
such as a disgruntled employee or an employee who
unwittingly cooperates with an external attacker.
 An improperly secured wireless LAN may be accessed from
outside the organization. An internal firewall that separates
portions of an enterprise network cannot guard against
wireless communications between local systems on different
sides of the internal firewall.
 A laptop, PDA, or portable storage device may be used and
infected outside the corporate network, and then attached and
used internally.
CONTD…

114.  Applies a set of rules to each incoming IP packet and then
forwards or discards the packet
 Filter packets going in both directions
 The packet filter is typically set up as a list of rules based on
matches to fields in the IP or TCP header
 Source IP address: The IP address of the system that originated the IP
packet (e.g., 192.178.1.1)
 Destination IP address: The IP address of the system the IP packet is
trying to reach (e.g., 192.168.1.2)
 Source and destination transport-level address: The transport-level (e.g.,
TCP or UDP) port number, which defines applications such as SNMP or
TELNET
 IP protocol field: Defines the transport protocol
 Interface: For a firewall with three or more ports, which interface of the
firewall the packet came from or which interface of the firewall the packet
is destined for
 Two default policies (discard or forward)
 Default = discard: That which is not expressly permitted is prohibited.
 Default = forward: That which is not expressly prohibited is permitted
PACKET FILTERING ROUTERS:

115. CONTD…

116. CONTD…

117.  Advantages:
 Simplicity
 Transparency to users
 High speed
 Disadvantages:
 Difficulty of setting up packet filter rules
 Lack of Authentication
CONTD…

118.  IP address spoofing
 fake source address to be trusted
 add filters on router to block
 source routing attacks
 attacker sets a route other than default
 block source routed packets
 tiny fragment attacks
 split header info over several tiny packets
 either discard or reassemble before check
CONTD…

119.  An application-level gateway (or proxy server), acts
as a relay of application-level traffic.
 The user contacts the gateway using a TCP/IP
application, such as Telnet or FTP, and the gateway
asks the user for the name of the remote host to be
accessed.
 When the user responds and provides a valid user
ID and authentication information, the gateway
contacts the application on the remote host and
relays TCP segments containing the application
data between the two endpoints
APPLICATION-LEVEL GATEWAY

120. FIREWALLS - APPLICATION LEVEL
GATEWAY (OR PROXY)

121.  Advantages:
 Higher security than packet filters
 Only need to scrutinize a few allowable applications
 Easy to log and audit all incoming traffic
 Disadvantages:
 Additional processing overhead on each connection
(gateway as splice point)
CONTD…

122.  A circuit-level gateway relays two TCP connections,
one between itself and an inside TCP user, and the
other between itself and a TCP user on an outside
host.
 Once the two connections are established, it relays
TCP data from one connection to the other without
examining its contents.
 The security function consists of determining which
connections will be allowed.
 It is typically used when internal users are trusted
to decide what external services to access.
CIRCUIT-LEVEL GATEWAY

123. FIREWALLS - CIRCUIT LEVEL GATEWAY

124.  A bastion host is a critical strong point in the
network’s security, serving as a platform for an
application-level or circuit-level gateway, or for
external services.
BASTION HOST

125.  executes a secure version of its O/S, making it a trusted
system
 has only essential services installed on the bastion host
 may require additional authentication before a user may
access to proxy services
 configured to use only subset of standard commands, access
only specific hosts
 maintains detailed audit information by logging all traffic
 each proxy module a very small software package designed for
network security
 has each proxy independent of other proxies on the bastion
host
 have a proxy performs no disk access other than read its initial
configuration file
 have each proxy run as a non-privileged user in a private and
secured directory
PROPERTIES

126.  In addition to the use of simple configuration of a
single system (single packet filtering router or
single gateway), more complex configurations are
possible
 Three common configurations
FIREWALL CONFIGURATIONS

127.  Screened host firewall system (single-homed
bastion host)
Henric Johnson 1
FIREWALL CONFIGURATIONS

128.  Screened host firewall, single-homed bastion
configuration
 Firewall consists of two systems:
 A packet-filtering router
 A bastion host
Henric Johnson 1
FIREWALL CONFIGURATIONS

129.  Configuration for the packet-filtering router:
 Only packets from and to the bastion host are allowed to
pass through the router
 The bastion host performs authentication and proxy
functions
FIREWALL CONFIGURATIONS

130.  Greater security than single configurations because
of two reasons:
 This configuration implements both packet-level and
application-level filtering (allowing for flexibility in
defining security policy)
 An intruder must generally penetrate two separate
systems
FIREWALL CONFIGURATIONS

131.  This configuration also affords flexibility in
providing direct Internet access (public information
server, e.g. Web server)
FIREWALL CONFIGURATIONS

132.  Screened host firewall system (dual-homed bastion
host)
FIREWALL CONFIGURATIONS

133.  Screened host firewall, dual-homed bastion
configuration
 The packet-filtering router is not completely
compromised
 Traffic between the Internet and other hosts on the
private network has to flow through the bastion host
FIREWALL CONFIGURATIONS

134.  Screened-subnet firewall system
FIREWALL CONFIGURATIONS

135.  Screened subnet firewall configuration
 Most secure configuration of the three
 Two packet-filtering routers are used
 Creation of an isolated sub-network
FIREWALL CONFIGURATIONS

136.  Advantages:
 Three levels of defense to thwart intruders
 The outside router advertises only the existence of the
screened subnet to the Internet (internal network is
invisible to the Internet)
FIREWALL CONFIGURATIONS

137.  Advantages:
 The inside router advertises only the existence of the
screened subnet to the internal network (the systems on
the inside network cannot construct direct routes to the
Internet)
FIREWALL CONFIGURATIONS

138. ACCESS CONTROL

139.  Determine what resources they can access
 General model is that of access matrix with
 subject - active entity (user, process)
 object - passive entity (file or resource)
 access right – way object can be accessed
 can decompose by
 columns as access control lists
 rows as capability tickets
ACCESS CONTROL

140. ACCESS CONTROL MATRIX

141. TRUSTED SYSTEMS

142.  There are varying degrees of sensitivity of
information
 Eg. military info classifications: confidential, secret
etc
 subjects (people or programs) have varying
rights of access to objects (information)
 Want to consider ways of increasing confidence
in systems to enforce these rights
 known as multilevel security
 subjects have maximum & current security level
 objects have a fixed security level classification
TRUSTED COMPUTER SYSTEMS

143.  one of the most famous security models
 implemented as mandatory policies on
system
 has two key policies:
 no read up (simple security property)
 a subject can only read/write an object if the
current security level of the subject dominates (>=)
the classification of the object
 no write down (*-property)
 a subject can only append/write to an object if the
current security level of the subject is dominated by
(<=) the classification of the object
BELL LAPADULA (BLP) MODEL

144. REFERENCE MONITOR

145.  governments can evaluate IT systems
 against a range of standards:
 TCSEC, IPSEC and now Common Criteria
 define a number of “levels” of evaluation with
increasingly stringent checking
 have published lists of evaluated products
 though aimed at government/defense use
 can be useful in industry also
EVALUATED COMPUTER SYSTEMS