COEN 350 Network Security Introduction. Computer Networks OSI Reference Model Application Layer...


Page 1:

COEN 350 Network Security

Introduction

Page 2:

Computer Networks OSI Reference Model

Application Layer Presentation Layer Session Layer Transport Layer Network Layer Data Link Layer Physical Layer

Page 3:

OSI Reference Model

Useful to establish terminology. Not implemented as such in practice; each upper layer is implemented in terms of the layer below it.

Page 4:

OSI Reference Model

Application Layer: the locus of applications that use networking (P2P, HTTP, ftp).

Presentation Layer: encodes application data into a canonical form, and decodes it into the system-dependent format at the receiving end.

Page 5:

OSI Reference Model

Session Layer: extra functions over a reliable one-to-one connection (RPC).

Transport Layer: end-to-end communication between a pair of systems. TCP provides a reliable stream; UDP provides unreliable datagrams. (IP and ICMP are network-layer protocols, not transport-layer ones.)

Page 6:

OSI Reference Model

Network Layer: computes paths across an interconnected mesh of links and packet switches, and forwards packets over multiple links from source to destination.

Page 7:

OSI Reference Model

Data Link Layer: organizes the physical layer's bits into frames (the link-layer packets) and controls who on a shared link gets each frame.

Physical Layer: delivers an unstructured stream of bits across a single link of some sort.

Page 8:

TCP/IP Suite
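As an added illustration of "upper layer implemented in terms of lower layer" (this code is not from the COEN 350 slides), the following builds a constructed Ethernet / IPv4 / TCP frame carrying an HTTP request and then peels it apart from the outside in, one header per layer. The MAC addresses, IP addresses and ports are made up; the IPv4 header checksum is computed for real so the network layer can detect a corrupted header.

```python
"""Peeling a frame apart layer by layer (added example, constructed data)."""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented.
    Note this is an error check, not a security check: an on-path attacker who
    changes the header simply recomputes it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes,
                src_ip: bytes = bytes([10, 0, 0, 5]),
                dst_ip: bytes = bytes([203, 0, 113, 9])) -> bytes:
    """Wrap an application payload in TCP, then IPv4, then Ethernet (innermost first).
    Each layer knows only its own header and treats everything above it as opaque bytes."""
    # Transport layer: TCP header. Checksum left 0 because it needs the IP
    # pseudo-header, which is beside the point of this example.
    tcp = struct.pack("!HHIIBBHHH",
                      40000, 80,          # source port, destination port (constructed)
                      1, 0,               # sequence, acknowledgement numbers
                      5 << 4, 0x18,       # data offset = 5 words; flags PSH|ACK
                      65535, 0, 0) + payload
    # Network layer: IPv4 header, checksum computed over the header alone.
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0,                 # version 4, IHL 5; TOS
                         20 + len(tcp),           # total length
                         0x1234, 0x4000,          # identification; flags DF, offset 0
                         64, IPPROTO_TCP, 0,      # TTL; protocol; checksum placeholder
                         src_ip, dst_ip)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    # Link layer: Ethernet II header with made-up MAC addresses.
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4)
    return eth + ip_hdr + tcp


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Unwrap from the outside in. Each step reads only its own header and hands the
    remaining bytes up to the next layer; that hand-off is what the OSI stacking means."""
    layers = {}
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["link"] = {"src": _mac(src_mac), "dst": _mac(dst_mac), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return layers                       # not IPv4: the link layer cannot say more

    ip = frame[14:]
    (vihl, _tos, total_len, _ident, _flags, ttl, proto,
     _csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    layers["network"] = {
        "src": _ip(src_ip), "dst": _ip(dst_ip), "ttl": ttl, "protocol": proto,
        # a valid header, summed with its checksum field included, gives zero
        "checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
    }
    if proto != IPPROTO_TCP:
        return layers

    seg = ip[ihl:total_len]
    (sport, dport, seq, ack, off_res, flags,
     _win, _tcsum, _urg) = struct.unpack("!HHIIBBHHH", seg[:20])
    data_off = (off_res >> 4) * 4
    layers["transport"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}
    layers["application"] = seg[data_off:]  # whatever TCP carried; here the HTTP request
    return layers


def corrupt_ttl(frame: bytes) -> bytes:
    """Flip one bit of the IP TTL without fixing the checksum, as a faulty hop might.
    (A real router decrements TTL and recomputes the checksum, so it verifies.)"""
    buf = bytearray(frame)
    buf[14 + 8] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    request = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"   # constructed payload
    for name, value in parse_frame(build_frame(request)).items():
        print(name, value)
```

Run it and the output walks down the stack exactly as the slides list it: link, network, transport, application. Corrupting a header byte is caught by the IPv4 checksum, but only as an accident; nothing in these headers authenticates anything, which is the gap the later slides on protocol layers and security address.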

Page 9:

Protocol Layers and Security

Security measures are usually tied to a particular protocol layer, and the layer determines what they can and cannot protect. Encrypting the contents of frames on a link is protection at layer 2: it hides the payload from an eavesdropper on that link but still allows traffic analysis (who talks to whom, how much, and when).

IPsec protects (encrypts and/or authenticates) packets at layer 3, the IP layer, not at layer 4.

Classic IPsec does not work through NAT: AH authenticates the IP addresses that a NAT rewrites, and ESP hides the port numbers a NAT needs to see. NAT traversal (UDP encapsulation of ESP) was added later to get around this.
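The NAT conflict and the traffic-analysis residue can both be shown on a toy packet. The code below is an added example, not from the slides and not real IPsec wire format: it stands in for the IPsec integrity check with HMAC-SHA256 over a simplified packet, covering the header's immutable fields plus payload in the AH case (as RFC 4302 does) and only the payload in the ESP case (RFC 4303). The addresses and the key are constructed.

```python
"""Why classic IPsec and NAT do not mix, on a toy packet (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, replace

SA_KEY = b"constructed-sa-integrity-key"   # stands in for the security association's key


@dataclass(frozen=True)
class Packet:
    src: str        # IP addresses as dotted strings for readability
    dst: str
    ttl: int        # mutable in transit: every router decrements it
    payload: bytes  # for the ESP case, think of this as the encrypted ESP payload


def ah_icv(pkt: Packet) -> bytes:
    """AH-style integrity check value. Mutable fields (TTL) are excluded so ordinary
    routing hops still verify; the addresses are covered, because authenticating the
    header is the whole point of AH."""
    covered = f"{pkt.src}>{pkt.dst}|".encode() + pkt.payload
    return hmac.new(SA_KEY, covered, hashlib.sha256).digest()


def esp_icv(pkt: Packet) -> bytes:
    """ESP-style integrity check value: covers the ESP payload only, never the outer IP header."""
    return hmac.new(SA_KEY, pkt.payload, hashlib.sha256).digest()


def verify(icv_fn, pkt: Packet, icv: bytes) -> bool:
    """Receiver side: recompute over the packet as it arrived, compare in constant time."""
    return hmac.compare_digest(icv_fn(pkt), icv)


def router_hop(pkt: Packet) -> Packet:
    """A plain router only touches the TTL."""
    return replace(pkt, ttl=pkt.ttl - 1)


def nat_hop(pkt: Packet, public_ip: str) -> Packet:
    """Outbound NAT rewrites the private source address (and decrements the TTL)."""
    return replace(pkt, src=public_ip, ttl=pkt.ttl - 1)


def observer_view(pkt: Packet) -> dict:
    """What an on-path eavesdropper still learns when only the payload is protected:
    the traffic-analysis residue the slide refers to."""
    return {"src": pkt.src, "dst": pkt.dst, "bytes": len(pkt.payload)}


def run_scenarios() -> dict:
    original = Packet("10.0.0.5", "203.0.113.9", 64, b"<encrypted application data>")
    ah, esp = ah_icv(original), esp_icv(original)
    routed = router_hop(original)
    natted = nat_hop(original, "198.51.100.1")
    return {
        "ah_after_router": verify(ah_icv, routed, ah),   # TTL is not covered: passes
        "ah_after_nat": verify(ah_icv, natted, ah),      # NAT rewrote a covered field: fails
        "esp_after_nat": verify(esp_icv, natted, esp),   # outer header not covered: passes
        "observer_sees": observer_view(natted),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

The ESP check passing here is only half the story: a NAT that multiplexes many hosts on one address needs the TCP/UDP port numbers, which ESP encrypts, and in transport mode the encrypted TCP checksum still covers the original addresses. That is why NAT traversal (RFC 3948, ESP in UDP) wraps ESP in a UDP header the NAT can rewrite and fixes up checksums at the endpoints.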

Page 10:

Goals

Authentication: Who are you?
Authorization: Are you allowed to do that?
Integrity: Is this the real message?
Privacy (confidentiality): Does anyone else know about it?

Page 11:

Zone of Control

The zone that needs to be secured in order to prevent eavesdropping. Physical access to it needs to be prevented.

All computer systems radiate information. It is possible to reconstruct the image on a monitor from 20 ft away. A wireless access point rated for, e.g., a 50 ft receiving radius can be read with a special antenna (built from a Pringles can, etc.) from a mile away.

Defining the perimeter of a commercial wired network must include backdoor channels such as modems.

Tempest (US military program): a set of standards for limiting electric or electromagnetic emanations from electronic equipment. Also shorthand for the field of compromising emanations / emissions security.

Page 12:

Legal Issues: Patent Law

In the US the first inventor traditionally had the right to the invention (the US moved to first-inventor-to-file with the America Invents Act in 2013); other countries award it to the first one to file.

Patents are issued based on what inventors present regarding novelty (no prior art) and non-obviousness or importance (the "Aha" effect).

The patent process has been flawed since under-funding in the Reagan years, but is slowly getting better. Examiners have to reach a decision within roughly a day per application.

Many cryptographic algorithms are or were patented. They are now moving into the public domain, but many standards are still built around patented methods. Kerberos, for example, uses secret-key encryption instead of public-key encryption (RSA was patented until 2000).

Page 13:

Legal Issues: Export Control

Cryptographic algorithms and tools were considered restricted technology and treated like munitions. Taking a laptop with crypto software to Mexico for a weekend could be a violation of export control.

The government gave up after the PGP fiasco. Zimmermann released PGP 1.0 in 1991, and PGP fell under the munitions clause. Zimmermann circumvented the export restriction by publishing the source code in book form (under First Amendment protection). In effect the book needed only one buyer, in Norway, who scanned in the code and published PGP outside the US (for free download).

Page 14:

Legal Issues: Key Escrow

Strong cryptography became effectively unbreakable in the nineties, which prevents wiretaps, computer forensics, etc. National security interests therefore sponsored Clipper (1993): an encryption chip with a secret key built in. The user gets the chip; the secret key is split into two components, stored at two different agencies, and both agencies must cooperate to recover it. Getting the two agencies to cooperate was considered almost impossible when the cooperation was legal, and impossible when it was illegal. The government gave up on Clipper.
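The "split between two agencies, both must cooperate" mechanism is simple enough to show directly. The code below is an added example, not from the slides: it splits a constructed 80-bit key (Skipjack's key length) into two XOR components, K = K1 XOR K2, which is how the Clipper escrow procedure divided each chip's unit key between its two escrow agents. The agency names are placeholders.

```python
"""Two-agency key escrow by XOR splitting (added example, constructed key)."""
import secrets
from typing import Dict, Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must be the same length as the key")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(unit_key: bytes) -> Tuple[bytes, bytes]:
    """Share 1 is uniformly random; share 2 is whatever makes the XOR come out to the key.
    Either share on its own is therefore a uniformly random string."""
    share1 = secrets.token_bytes(len(unit_key))
    share2 = xor_bytes(unit_key, share1)
    return share1, share2


def escrow(unit_key: bytes) -> Dict[str, bytes]:
    """Hand one component to each escrow agent (placeholder names)."""
    share1, share2 = split_key(unit_key)
    return {"agency_A": share1, "agency_B": share2}


def recover_key(shares: Dict[str, bytes]) -> bytes:
    """Lawful recovery: both agencies must release their component."""
    if set(shares) != {"agency_A", "agency_B"}:
        raise PermissionError("recovery requires components from both agencies")
    return xor_bytes(shares["agency_A"], shares["agency_B"])


def share_is_consistent_with(share: bytes, candidate_key: bytes) -> bool:
    """Given only one share, every candidate key is equally plausible: there is always a
    complementary share that would produce it. This is why one agency alone learns nothing,
    and why the protection rests entirely on the two agencies not colluding."""
    other = xor_bytes(candidate_key, share)
    return xor_bytes(share, other) == candidate_key


if __name__ == "__main__":
    unit_key = bytes.fromhex("0123456789abcdef0123")   # constructed 80-bit unit key
    components = escrow(unit_key)
    print("both components recover the key:", recover_key(components) == unit_key)
    print("one component fits any key:",
          share_is_consistent_with(components["agency_A"], bytes(10)))
```

The split itself is sound: one component reveals nothing about the key. What the slides' "almost impossible / impossible" argument hinges on is purely procedural, namely that the two holders never combine their components outside a lawful request, and that is exactly the part no mathematics enforces.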