SlideShare a Scribd company logo

Information on Information Security for CS3002

F
FumikageTokoyami4

This document discusses various methods of implementing information security. It describes message/data security, channel security, security internal and external to applications, and Secure Sockets Layer (SSL). SSL provides secure transport channels using authentication, encryption, and message integrity. The document also discusses IPsec, which implements security at the network layer and can protect all network traffic and applications transparently. It describes how IPsec uses Authentication Headers (AH) and Encapsulating Security Payloads (ESP) to provide integrity, authentication, confidentiality, and anti-replay protection to IP packets.

Technology
1 of 36
Download to read offline
Information Security CS 3002 Dr. Haroon Mahmood Assistant Professor NUCES Lahore
2 Information Security Message/data security  authentication (single), integrity and privacy self contained in the message  possibility of non repudiation  requires modification of applications
3 Information Security Channel Security  authentication (single or mutual), integrity and privacy only during the transit inside the communication channel  no possibility of non repudiation  requires no (or small) modification of applications
4 Information Security Security internal to applications  each application implements security internally  the common part is limited to the communication channels (socket)  possible implementation errors (inventing security protocols is not simple!)  does not guarantee interoperability
5 Information Security Security External to Applications  the session level would be the ideal one to be used to implement many security functions  … but it does not exist in TCP/IP!  a “secure session” level was proposed:  it simplifies the work of application developers  it avoids implementation errors  it is up to the application to select it (or not)
6 Information Security SSL what is it?  Security at layer 4 (Transport layer)  Secure Sockets Layer (SSL)  secure transport channel (session level):  peer authentication (server, server+client)  message confidentiality  message authentication and integrity  protection against replay attacks  Easily applicable to all protocols based on TCP:  HTTP, SMTP, FTP, TELNET, ...  e.g. the famous secure HTTP (https://....) = 443/TCP
7 Information Security SSL/TLS  Philosophy of SSL: Easier to deploy something if no changes in OS required  Application’s API (Socket) is interface to SSL: Hence secure socket layer  API to SSL is the superset of API to TCP  SSL/TLS operate above TCP. OS doesn’t change applications do!
8 Information Security SSL handshake  agree on a set of algorithms for confidentiality, integrity and authentication  exchange random numbers between the client and the server to be used for the subsequent generation of the keys  establish a symmetric key by means of public key operations, e.g. RSA  negotiate the session-id  exchange the necessary certificates
9 Information Security SSL handshake simplified  Secrets are: Pre-master key S, Master Key K  Server authentication  Client authentication by password (optional)
10 Information Security SSL handshake in detail
11 Information Security Key Terms  HELLO Extensions: request extended functionality by sending data in the extensions field.  E.g: max_fragment_length, status request  The server may not oblige  Client may abort the handshake  Pre-shared Secret (key): generated by client OR directly obtained from the key exchange. E.g: (DH: gab mod p)  Master keys: generated from the pre-shared secret + random.client + random.server by applying a PRF  Master key = PRF (pre-shared secret, random.client, random.server)  PRF = Pseudo Random Function
12 Information Security SSL V3 Architecture  Handshake: enables the SSL or TLS client and server to establish the secret keys with which they communicate  Change cipher spec: indicates the usage of secret key for data communication  Alert: signal problems with SSL connection, give current status  Record protocol: permits the encapsulation of higher level protocols
13 Information Security SSL3/TLS record protocol
14 Information Security SSL MAC computation  MAC = message_digest ( key, seq_number | type | version | length | fragment )  message_digest  depends on the chosen algorithm  key  sender-write-key or receiver-read-key  seq_number  32-bit integer  Type  Type of record  change cipher spec (20)  alert (21)  Handshake (22)  Application data (23)  length  length of the fragment/plaintext
15 Information Security Data protection in SSL
16 Information Security SSL-3 new features with respect to SSL-2  data compression:  optional  Done before encryption  data encryption is optional: in order to have only authentication and integrity  possibility to re-negotiate the SSL connection:  periodical change of keys  change of the algorithms
17 Information Security IPsec  Philosophy of IPsec: implementing security within the operating systems automatically causes applications to be protected without changing applications  IPsec is within the OS. OS changes, applications and API to TCP don’t.
18 Information Security End-to-end security with basic VPN
19 Information Security Transport mode IPsec  used for end-to-end security, that is used by hosts, not gateways (exception: traffic for the gateway itself e.g: SNMP, ICMP)  pro: computationally light  con: no protection of header variable fields
20 Information Security Tunnel Mode IPsec  used to create a VPN, usually by gateways  Gateway-to-gateway mode  pro: protection of header variable fields  con: computationally heavy
21 Information Security IPsec  Security at layer 3  IPsec ensures:  Confidentiality, integrity, and authenticity  Allows secure communication in the Internet  Independent from the application or higher protocols  Network-layer security instead of application-layer security  Compatible with schemes providing security at the application layer  Can be applied simultaneously
22 Information Security IPSec  Further advantages:  Can be applied to all network traffic  Routers/firewalls vendors can implement it (Can't implement SSL)  Transparent to the applications  Transparent to the users  Limitations:  Limited to IP Addresses  Has no concept of application users
23 Information Security Applications of IPsec  Secure connection among different branches of the same company  Virtual Private Network (VPN)  Secure remote access to an Intranet through the (insecure) Internet  Allows secure remote workers  Secure communication between peers  Adding security for electronic commerce applications
24 Information Security IPsec overview  IETF architecture for L3 security in IPv4 / IPv6:  definition of two specific packet types:  AH (Authentication Header)  for integrity, authentication, no replay  ESP (Encapsulating Security Payload)  for confidentiality, integrity, authentication, no replay  protocol for key exchange:  IKE (Internet Key Exchange)
25 Information Security Security Association  Establishment of shared security attributes between sender and receiver to support secure communication  Usually considered unidirectional  contain all the information required for execution of various network security services  Three SA identification parameters  Security parameter index  IP destination address  Security protocol identifier  two SA are needed to get complete protection of a bidirectional packet flow in IPsec
26 Information Security IPsec local databases  SAD (SA Database)  list of active SA and their characteristics (algorithms, keys, parameters)  maintained by user-processes  SPD (Security Policy Database)  list of security policies to apply to the different packet flows  a-priori configured (e.g. manually) or connected to an automatic system (e.g. ISPS, Internet Security Policy System)
27 Information Security How IPsec works (sending)
28 Information Security AH  Authentication Header  mechanism (first version, RFC-1826):  data integrity and sender authentication  compulsory support of keyed-MD5 (RFC-1828)  optional support of keyed-SHA-1 (RFC-1852)  mechanism (second version, RFC-2402):  data integrity, sender authentication and protection from replay attack  HMAC-MD5  HMAC-SHA-1
29 Information Security AH Packet  Next header: identifies the nature of the payload (TCP/UDP)  Length: Indicates the length of the AH header  SPI: Identifies the correct security association for the communication  Sequence Number: Provides anti-replay protection for the SA  Auth. Data: contains the Integrity Check Value (ICV) that is used to verify the integrity of the message. The receiver calculates the hash value and checks it against this value (calculated by the sender) to verify integrity.
30 Information Security AH verification
31 Information Security ESP  Encapsulating Security Payload (ESP)  first version (RFC-1827) gave only confidentiality  base mechanism: DES-CBC (RFC-1829)  Second version (RFC-2406):  provides confidentiality & authentication (but not the IP header, so the coverage is not equivalent to that of AH)
32 Information Security ESP in transport mode  pro: the payload is hidden (including info needed for QoS or intrusion detection)  con: the header remains in clear
33 Information Security ESP Packet  SPI: Identifies the correct security association for the communication  Sequence number: Provides anti-replay protection for the SA  Next header: Identifies the nature of the payload (TCP/UDP)  Auth. Data: Contains the Integrity Check Value (ICV), and a message authentication code that is used to verify the sender's identity and message integrity. The ICV is calculated over the ESP header, the payload data and the ESP trailer  Initialization Vector (IV): optional. Is after the Sequence number
34 Information Security ESP Packet: Encryption & Authentication Next header
35 Information Security ESP tunnel mode  pro: hides both the payload and (original) header  con: larger packet size
36 Information Security IPSec: AH & ESP packet format

Recommended

IP Security
IP SecurityIP Security
IP SecurityKeshab Nath
 
Ip security
Ip security Ip security
Ip security Naveen Dubey
 
Web Security
Web SecurityWeb Security
Web SecurityRam Dutt Shukla
 
Websecurity
Websecurity Websecurity
Websecurity Merve Bilgen
 
Unit 6
Unit 6Unit 6
Unit 6KRAMANJANEYULU1
 
Ip security
Ip security Ip security
Ip security Dr.K.Sreenivas Rao
 
CNS UNIT-VI.pptx
CNS UNIT-VI.pptxCNS UNIT-VI.pptx
CNS UNIT-VI.pptxnandan543979
 
Ipsec vpn v0.1
Ipsec vpn v0.1Ipsec vpn v0.1
Ipsec vpn v0.1Sankaranarayanan Subramanian
 

Recommended

IP Security
IP SecurityIP Security
IP SecurityKeshab Nath
 
Ip security
Ip security Ip security
Ip security Naveen Dubey
 
Web Security
Web SecurityWeb Security
Web SecurityRam Dutt Shukla
 
Websecurity
Websecurity Websecurity
Websecurity Merve Bilgen
 
Unit 6
Unit 6Unit 6
Unit 6KRAMANJANEYULU1
 
Ip security
Ip security Ip security
Ip security Dr.K.Sreenivas Rao
 
CNS UNIT-VI.pptx
CNS UNIT-VI.pptxCNS UNIT-VI.pptx
CNS UNIT-VI.pptxnandan543979
 
Ipsec vpn v0.1
Ipsec vpn v0.1Ipsec vpn v0.1
Ipsec vpn v0.1Sankaranarayanan Subramanian
 
Ipsecurity
IpsecurityIpsecurity
IpsecurityJyoshna Cec Cse Staf bejjam
 
Ipsecurity
IpsecurityIpsecurity
IpsecurityChinmay Patel
 
Network security
Network securityNetwork security
Network securityanoop negi
 
WLAN and IP security
WLAN and IP securityWLAN and IP security
WLAN and IP securityChaitanya Tata, PMP
 
Ch16
Ch16Ch16
Ch16Joe Christensen
 
Ip Sec
Ip SecIp Sec
Ip SecRam Dutt Shukla
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPNAbdullaziz Tagawy
 
1643129870-internet-security.pptx
1643129870-internet-security.pptx1643129870-internet-security.pptx
1643129870-internet-security.pptxMARIA401634
 
Network IP Security.pdf
Network IP Security.pdfNetwork IP Security.pdf
Network IP Security.pdfgeorgejustymirobi1
 
Ip Sec
Ip SecIp Sec
Ip SecRam Dutt Shukla
 
Ip Sec Rev1
Ip Sec Rev1Ip Sec Rev1
Ip Sec Rev1Ram Dutt Shukla
 
Unit 6
Unit 6Unit 6
Unit 6Vinod Kumar Gorrepati
 
IP Security
IP SecurityIP Security
IP SecurityAmbo University
 
IS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email SecurityIS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email SecuritySarthak Patel
 
Network Security Practices-IP Security
Network Security Practices-IP SecurityNetwork Security Practices-IP Security
Network Security Practices-IP SecurityGayathridevi120
 
Web security
Web securityWeb security
Web securityLayla Tk
 
college assignment on Applications of ipsec
college assignment on Applications of ipsec college assignment on Applications of ipsec
college assignment on Applications of ipsec bigchill29
 
Lec 9.pptx
Lec 9.pptxLec 9.pptx
Lec 9.pptxssuserbab2f4
 
IP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdfIP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdfsolimankellymattwe60
 
Lecture14..pdf
Lecture14..pdfLecture14..pdf
Lecture14..pdfAlaaElhaddad3
 
Chap014.pdf
Chap014.pdfChap014.pdf
Chap014.pdfFumikageTokoyami4
 
Lecture 2 - Profession and Professional Bodies in IT.pptx
Lecture 2 - Profession and Professional Bodies in IT.pptxLecture 2 - Profession and Professional Bodies in IT.pptx
Lecture 2 - Profession and Professional Bodies in IT.pptxFumikageTokoyami4
 

More Related Content

Similar to Information on Information Security for CS3002

Network security
Network securityNetwork security
Network securityanoop negi
 
1643129870-internet-security.pptx
1643129870-internet-security.pptx1643129870-internet-security.pptx
1643129870-internet-security.pptxMARIA401634
 
IS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email SecurityIS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email SecuritySarthak Patel
 
Network Security Practices-IP Security
Network Security Practices-IP SecurityNetwork Security Practices-IP Security
Network Security Practices-IP SecurityGayathridevi120
 
Web security
Web securityWeb security
Web securityLayla Tk
 
college assignment on Applications of ipsec
college assignment on Applications of ipsec college assignment on Applications of ipsec
college assignment on Applications of ipsec bigchill29
 
IP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdfIP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdfsolimankellymattwe60
 

Similar to Information on Information Security for CS3002 (20)

Ipsecurity
IpsecurityIpsecurity
Ipsecurity
 
Ipsecurity
IpsecurityIpsecurity
Ipsecurity
 
Network security
Network securityNetwork security
Network security
 
WLAN and IP security
WLAN and IP securityWLAN and IP security
WLAN and IP security
 
Ch16
Ch16Ch16
Ch16
 
Ip Sec
Ip SecIp Sec
Ip Sec
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPN
 
1643129870-internet-security.pptx
1643129870-internet-security.pptx1643129870-internet-security.pptx
1643129870-internet-security.pptx
 
Network IP Security.pdf
Network IP Security.pdfNetwork IP Security.pdf
Network IP Security.pdf
 
Ip Sec
Ip SecIp Sec
Ip Sec
 
Ip Sec Rev1
Ip Sec Rev1Ip Sec Rev1
Ip Sec Rev1
 
Unit 6
Unit 6Unit 6
Unit 6
 
IP Security
IP SecurityIP Security
IP Security
 
IS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email SecurityIS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email Security
 
Network Security Practices-IP Security
Network Security Practices-IP SecurityNetwork Security Practices-IP Security
Network Security Practices-IP Security
 
Web security
Web securityWeb security
Web security
 
college assignment on Applications of ipsec
college assignment on Applications of ipsec college assignment on Applications of ipsec
college assignment on Applications of ipsec
 
Lec 9.pptx
Lec 9.pptxLec 9.pptx
Lec 9.pptx
 
IP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdfIP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdf
 
Lecture14..pdf
Lecture14..pdfLecture14..pdf
Lecture14..pdf
 

More from FumikageTokoyami4

Lecture 2 - Profession and Professional Bodies in IT.pptx
Lecture 2 - Profession and Professional Bodies in IT.pptxLecture 2 - Profession and Professional Bodies in IT.pptx
Lecture 2 - Profession and Professional Bodies in IT.pptxFumikageTokoyami4
 
Lecture 1 - Introduction-LAW.pptx
Lecture 1 - Introduction-LAW.pptxLecture 1 - Introduction-LAW.pptx
Lecture 1 - Introduction-LAW.pptxFumikageTokoyami4
 
a STORY OF A GREAT LEADER.pptx
a STORY OF A GREAT LEADER.pptxa STORY OF A GREAT LEADER.pptx
a STORY OF A GREAT LEADER.pptxFumikageTokoyami4
 

More from FumikageTokoyami4 (9)

Chap014.pdf
Chap014.pdfChap014.pdf
Chap014.pdf
 
Lecture 2 - Profession and Professional Bodies in IT.pptx
Lecture 2 - Profession and Professional Bodies in IT.pptxLecture 2 - Profession and Professional Bodies in IT.pptx
Lecture 2 - Profession and Professional Bodies in IT.pptx
 
Lecture 1 - Introduction-LAW.pptx
Lecture 1 - Introduction-LAW.pptxLecture 1 - Introduction-LAW.pptx
Lecture 1 - Introduction-LAW.pptx
 
Lecture 15-16.pdf
Lecture 15-16.pdfLecture 15-16.pdf
Lecture 15-16.pdf
 
a STORY OF A GREAT LEADER.pptx
a STORY OF A GREAT LEADER.pptxa STORY OF A GREAT LEADER.pptx
a STORY OF A GREAT LEADER.pptx
 
lec-01-WP.pdf
lec-01-WP.pdflec-01-WP.pdf
lec-01-WP.pdf
 
IS - Firewall
IS - FirewallIS - Firewall
IS - Firewall
 
IS - User Authentication
IS - User AuthenticationIS - User Authentication
IS - User Authentication
 
Lecture 1-2.pdf
Lecture 1-2.pdfLecture 1-2.pdf
Lecture 1-2.pdf
 

Recently uploaded

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 

Recently uploaded (20)

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 

Information on Information Security for CS3002

  • 1. Information Security CS 3002 Dr. Haroon Mahmood Assistant Professor NUCES Lahore
  • 2. 2 Information Security Message/data security  authentication (single), integrity and privacy self contained in the message  possibility of non repudiation  requires modification of applications
  • 3. 3 Information Security Channel Security  authentication (single or mutual), integrity and privacy only during the transit inside the communication channel  no possibility of non repudiation  requires no (or small) modification of applications
  • 4. 4 Information Security Security internal to applications  each application implements security internally  the common part is limited to the communication channels (socket)  possible implementation errors (inventing security protocols is not simple!)  does not guarantee interoperability
  • 5. 5 Information Security Security External to Applications  the session level would be the ideal one to be used to implement many security functions  … but it does not exist in TCP/IP!  a “secure session” level was proposed:  it simplifies the work of application developers  it avoids implementation errors  it is up to the application to select it (or not)
  • 6. 6 Information Security SSL what is it?  Security at layer 4 (Transport layer)  Secure Sockets Layer (SSL)  secure transport channel (session level):  peer authentication (server, server+client)  message confidentiality  message authentication and integrity  protection against replay attacks  Easily applicable to all protocols based on TCP:  HTTP, SMTP, FTP, TELNET, ...  e.g. the famous secure HTTP (https://....) = 443/TCP
  • 7. 7 Information Security SSL/TLS  Philosophy of SSL: Easier to deploy something if no changes in OS required  Application’s API (Socket) is interface to SSL: Hence secure socket layer  API to SSL is the superset of API to TCP  SSL/TLS operate above TCP. OS doesn’t change applications do!
  • 8. 8 Information Security SSL handshake  agree on a set of algorithms for confidentiality, integrity and authentication  exchange random numbers between the client and the server to be used for the subsequent generation of the keys  establish a symmetric key by means of public key operations, e.g. RSA  negotiate the session-id  exchange the necessary certificates
  • 9. 9 Information Security SSL handshake simplified  Secrets are: Pre-master key S, Master Key K  Server authentication  Client authentication by password (optional)
  • 11. 11 Information Security Key Terms  HELLO Extensions: request extended functionality by sending data in the extensions field.  E.g: max_fragment_length, status request  The server may not oblige  Client may abort the handshake  Pre-shared Secret (key): generated by client OR directly obtained from the key exchange. E.g: (DH: gab mod p)  Master keys: generated from the pre-shared secret + random.client + random.server by applying a PRF  Master key = PRF (pre-shared secret, random.client, random.server)  PRF = Pseudo Random Function
  • 12. 12 Information Security SSL V3 Architecture  Handshake: enables the SSL or TLS client and server to establish the secret keys with which they communicate  Change cipher spec: indicates the usage of secret key for data communication  Alert: signal problems with SSL connection, give current status  Record protocol: permits the encapsulation of higher level protocols
  • 14. 14 Information Security SSL MAC computation  MAC = message_digest ( key, seq_number | type | version | length | fragment )  message_digest  depends on the chosen algorithm  key  sender-write-key or receiver-read-key  seq_number  32-bit integer  Type  Type of record  change cipher spec (20)  alert (21)  Handshake (22)  Application data (23)  length  length of the fragment/plaintext
  • 16. 16 Information Security SSL-3 new features with respect to SSL-2  data compression:  optional  Done before encryption  data encryption is optional: in order to have only authentication and integrity  possibility to re-negotiate the SSL connection:  periodical change of keys  change of the algorithms
  • 17. 17 Information Security IPsec  Philosophy of IPsec: implementing security within the operating systems automatically causes applications to be protected without changing applications  IPsec is within the OS. OS changes, applications and API to TCP don’t.
  • 19. 19 Information Security Transport mode IPsec  used for end-to-end security, that is used by hosts, not gateways (exception: traffic for the gateway itself e.g: SNMP, ICMP)  pro: computationally light  con: no protection of header variable fields
  • 20. 20 Information Security Tunnel Mode IPsec  used to create a VPN, usually by gateways  Gateway-to-gateway mode  pro: protection of header variable fields  con: computationally heavy
  • 21. 21 Information Security IPsec  Security at layer 3  IPsec ensures:  Confidentiality, integrity, and authenticity  Allows secure communication in the Internet  Independent from the application or higher protocols  Network-layer security instead of application-layer security  Compatible with schemes providing security at the application layer  Can be applied simultaneously
  • 22. 22 Information Security IPSec  Further advantages:  Can be applied to all network traffic  Routers/firewalls vendors can implement it (Can't implement SSL)  Transparent to the applications  Transparent to the users  Limitations:  Limited to IP Addresses  Has no concept of application users
  • 23. 23 Information Security Applications of IPsec  Secure connection among different branches of the same company  Virtual Private Network (VPN)  Secure remote access to an Intranet through the (insecure) Internet  Allows secure remote workers  Secure communication between peers  Adding security for electronic commerce applications
  • 24. 24 Information Security IPsec overview  IETF architecture for L3 security in IPv4 / IPv6:  definition of two specific packet types:  AH (Authentication Header)  for integrity, authentication, no replay  ESP (Encapsulating Security Payload)  for confidentiality, integrity, authentication, no replay  protocol for key exchange:  IKE (Internet Key Exchange)
  • 25. 25 Information Security Security Association  Establishment of shared security attributes between sender and receiver to support secure communication  Usually considered unidirectional  contain all the information required for execution of various network security services  Three SA identification parameters  Security parameter index  IP destination address  Security protocol identifier  two SA are needed to get complete protection of a bidirectional packet flow in IPsec
  • 26. 26 Information Security IPsec local databases  SAD (SA Database)  list of active SA and their characteristics (algorithms, keys, parameters)  maintained by user-processes  SPD (Security Policy Database)  list of security policies to apply to the different packet flows  a-priori configured (e.g. manually) or connected to an automatic system (e.g. ISPS, Internet Security Policy System)
  • 28. 28 Information Security AH  Authentication Header  mechanism (first version, RFC-1826):  data integrity and sender authentication  compulsory support of keyed-MD5 (RFC-1828)  optional support of keyed-SHA-1 (RFC-1852)  mechanism (second version, RFC-2402):  data integrity, sender authentication and protection from replay attack  HMAC-MD5  HMAC-SHA-1
  • 29. 29 Information Security AH Packet  Next header: identifies the nature of the payload (TCP/UDP)  Length: Indicates the length of the AH header  SPI: Identifies the correct security association for the communication  Sequence Number: Provides anti-replay protection for the SA  Auth. Data: contains the Integrity Check Value (ICV) that is used to verify the integrity of the message. The receiver calculates the hash value and checks it against this value (calculated by the sender) to verify integrity.
  • 31. 31 Information Security ESP  Encapsulating Security Payload (ESP)  first version (RFC-1827) gave only confidentiality  base mechanism: DES-CBC (RFC-1829)  Second version (RFC-2406):  provides confidentiality & authentication (but not the IP header, so the coverage is not equivalent to that of AH)
  • 32. 32 Information Security ESP in transport mode  pro: the payload is hidden (including info needed for QoS or intrusion detection)  con: the header remains in clear
  • 33. 33 Information Security ESP Packet  SPI: Identifies the correct security association for the communication  Sequence number: Provides anti-replay protection for the SA  Next header: Identifies the nature of the payload (TCP/UDP)  Auth. Data: Contains the Integrity Check Value (ICV), and a message authentication code that is used to verify the sender's identity and message integrity. The ICV is calculated over the ESP header, the payload data and the ESP trailer  Initialization Vector (IV): optional. Is after the Sequence number
  • 34. 34 Information Security ESP Packet: Encryption & Authentication Next header
  • 35. 35 Information Security ESP tunnel mode  pro: hides both the payload and (original) header  con: larger packet size
  • 36. 36 Information Security IPSec: AH & ESP packet format