Network Management Security Lecture Compendium


  • 8/9/2019 Network Management Security Lecture Compendium

    Before we start

    • Being ethical is not necessarily following one's feelings; feelings frequently deviate from what is ethical.
    • Often because of the way one is raised, ethics and religion are coupled; but ethics is not confined to religion, nor is it the same as religion.
    • Being ethical is not solely following the law.

    Elements of practical ethics through basic philosophy:

    • Ethical thought
    • Ethical definition
    • Ethical values

    Example: If a person conceives of engineering activity as only making money, then one's definition of practical ethics, one's actions and values will be guided by this basic philosophical position.

    Security in:

    • Client / Workstation / Terminal
    • Intra-networks
    • Inter-networks

    In terms of:

    • Physical Security
    • Non-Physical Security

    Security Threats (sources, causes, people behind):

    • Hackers
    • Crackers
    • Script Kiddies
    • Unethical Employees (logic bombs, backdoor, ...)
    • Cyberterrorists
    • Corporate Spy
    • Worm / Virus / Trojan (incl. keyloggers, ...)
    • Spoofing / Sniffing / Phishing
    • DoS / DDoS attacks
    • Hoax / Spam
    • ...

    Examples:

    Examples (cont.):

    • Remote Access VPN
    • Site to Site (Router to Router) VPN
    • Virtual Private Network (VPN)
    • Generic Routing Encapsulation (GRE)
    • Encapsulation Security Payload (ESP)

    Example of Phishing:

    New Code of Ethics

    • "Above all else, do no harm"
    • Protect Privacy
    • "Waste not, want not."
    • Exceed Limitations
    • The Communicational Imperative
    • Leave No Traces
    • Share!
    • Self Defense
    • Hacking Helps Security
    • Trust, but Test!

    Hackers Code of Ethics:

    • Old code vs new code
    • Are new hackers aware of the original hacker ethics?
    • Are new hackers aware of any hacker ethics?
    • Influence of technology and social issues on changes in hacker ethics
    • Similarity between the old and new ethics and ethical continuity

    Ethical Issues in Security Courses

    • Maturity Level
      • Majority of computer hackers are under the age of 25 and many of them are college students
    • Course material (some include: trying DDOS, writing and spreading a virus, ...)
    • Comfort Level
    • Responsible presentation


    Virus and Worms


    Defining Cryptography

    Objectives

    • Define cryptography
    • Describe hashing
    • List the basic symmetric cryptographic algorithms
    • Describe how asymmetric cryptography works
    • List types of file and file system cryptography

    Steganography

    Caesar Cipher

    • Used by Julius Caesar
    • Caesar shifted each letter of his messages to his generals three places down in the alphabet
    • So BURN THE BRIDGE becomes EXUQ WKH EULGJH

    Plaintext:  A B C D E F G H
    Ciphertext: D E F G H I J K

    Cryptography and Security

    • Cryptography can provide:
      • Confidentiality of information
      • Integrity of the information
      • Availability of the data
        • To users with the key
      • Guarantee Authenticity of the sender
      • Enforce Non-repudiation
        • Sender cannot deny sending the message

    Information Protection by Cryptography

    Cryptographic Algorithms

    • There are three categories of cryptographic algorithms:
      • Hashing algorithms
      • Symmetric encryption algorithms
      • Asymmetric encryption algorithms

    Hashing Algorithms

    • Hashing is a one-way process
      • Converting a hash back to the original data is difficult or impossible
    • A hash is a unique "signature" for a set of data
      • This signature, called a hash or digest, represents the contents
    • Hashing is used only for integrity to ensure that:
      • Information is in its original form
      • No unauthorized person or malicious software has altered the data

    Hashing Algorithms (continued)

    Hashing Algorithm Security

    • A hashing algorithm is considered secure if:
      • The ciphertext hash is a fixed size
      • Two different sets of data cannot produce the same hash, which is known as a collision
      • It should be impossible to produce a data set that has a desired or predefined hash
      • The resulting hash ciphertext cannot be reversed to find the original data

    Preventing a Man-in-the-Middle Attack with Hashing

    Hashing Algorithms (continued)

    • Hash values are often posted on Internet sites
      • In order to verify the file integrity of files that can be downloaded
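An added example (not part of the original slides) of the check described above: hash the downloaded file and compare it with the digest line a site posts. SHA-256 is chosen here as the hash, and the file name and contents are constructed for the demonstration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

HEX = set("0123456789abcdefABCDEF")


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so a large download need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_line(line):
    """Parse one '<hex digest>  <filename>' line as posted next to a download."""
    digest, _, name = line.strip().partition(" ")
    name = name.lstrip(" *")  # '*' marks binary mode in sha256sum-style output
    if len(digest) != 64 or any(c not in HEX for c in digest):
        raise ValueError("not a SHA-256 hex digest: %r" % digest)
    return digest.lower(), name


def verify_download(path, published_line):
    """Return True only if the file's digest equals the published one."""
    expected, name = parse_checksum_line(published_line)
    if name != Path(path).name:
        return False  # the checksum line belongs to a different file
    return hmac.compare_digest(sha256_file(path), expected)


def demo():
    """Constructed sample: a file, its posted digest, then a one-bit change."""
    with tempfile.TemporaryDirectory() as d:
        f = Path(d) / "tool-1.0.tar.gz"  # hypothetical file name
        f.write_bytes(b"constructed sample release contents\n" * 1000)
        posted = "%s  %s" % (sha256_file(f), f.name)  # what the site would post
        ok_before = verify_download(f, posted)
        data = bytearray(f.read_bytes())
        data[500] ^= 0x01  # a single flipped bit changes the digest
        f.write_bytes(bytes(data))
        ok_after = verify_download(f, posted)
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

The comparison only shows that the file matches the posted value, so the posted digest has to come from a source the downloader trusts.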

    Hashing Algorithms Only Ensure Integrity

    Message Digest

    • Also known as "hash function" or "one-way transformation".
    • Transforms a message of any length and computes a fixed length string.
    • We want it to be hard to guess what the message was given only the digest.
      • Guessing is always possible.

    Message Digest (MD)

    • Message Digest (MD) algorithm
      • One common hash algorithm
    • Three versions
      • Message Digest 2 (MD2)
      • Message Digest 4 (MD4)
      • Message Digest 5 (MD5)
    • Suffer from collisions
      • Not secure

    Secure Hash Algorithm (SHA)

    • More secure than MD
    • A family of hashes
    • SHA-1
      • Patterned after MD4, but creates a hash that is 160 bits in length instead of 128 bits
    • SHA-2
      • Comprised of four variations, known as SHA-224, SHA-256, SHA-384, and SHA-512
      • Considered to be a secure hash

    SHA-3 is Being Chosen Now

    Password Hashes

    • Another use for hashes is in storing passwords
      • When a password for an account is created, the password is hashed and stored
    • The Microsoft NT family of Windows operating systems hashes passwords in two different forms
      • LM (LAN Manager) hash
      • NTLM (New Technology LAN Manager) hash
    • Most Linux systems use password-hashing algorithms such as MD5
    • Apple Mac OS X uses SHA-1 hashes

    Symmetric Cryptographic Algorithms

    • Symmetric cryptographic algorithms
      • Use the same single key to encrypt and decrypt a message
      • Also called private key cryptography
    • Stream cipher
      • Takes one character and replaces it with one character
      • WEP (Wired Equivalent Protocol) is a stream cipher
    • Substitution cipher

    XOR (eXclusive OR)

    • With most symmetric ciphers, the final step is to combine the cipher stream with the plaintext to create the ciphertext
      • The process is accomplished through the exclusive OR (XOR) binary logic operation
    • One-time pad (OTP)
      • Combines a truly random key with the plaintext

    Block Cipher

    • Manipulates an entire block of plaintext at one time
    • Plaintext message is divided into separate blocks of 8 to 16 bytes
      • And then each block is encrypted independently
    • Stream cipher advantages and disadvantages
      • Fast when the plaintext is short
      • More prone to attack because the engine that generates the stream does not vary
    • Block ciphers are more secure than stream ciphers

    DES and 3DES

    • Data Encryption Standard (DES)
      • Declared as a standard by the U.S. Government
      • DES is a block cipher and encrypts data in 64-bit blocks
      • Uses 56-bit key, very insecure
      • Has been broken many times
    • Triple Data Encryption Standard (3DES)
      • Uses three rounds of DES encryption
      • Effective key length 112 bits
      • Considered secure

    Advanced Encryption Standard (AES)

    • Approved by the NIST in late 2000 as a replacement for DES
    • Official standard for U.S. Government
    • Considered secure--has not been cracked

    Animation of AES Algorithm

    Other Algorithms

    • Several other symmetric cryptographic algorithms are also used:
      • Rivest Cipher (RC) family from RC1 to RC6
      • International Data Encryption Algorithm (IDEA)
      • Blowfish
      • Twofish

    Asymmetric Cryptographic Algorithms

    • Asymmetric cryptographic algorithms
      • Also known as public key cryptography
      • Uses two keys instead of one
        • The public key is known to everyone and can be freely distributed
        • The private key is known only to the recipient of the message
    • Asymmetric cryptography can also be used to create a digital signature

    Transmitting over an insecure

    Alice can sign her message!

    • Alice can create a digital signature and prove she sent the message (or someone with knowledge of her private key).
    • The signature can be a message digest encrypted with A_private.

    Digital Signature

    • A digital signature can:
      • Verify the sender
      • Prove the integrity of the message
      • Prevent the sender from disowning the message (non-repudiation)
    • A digital signature does not encrypt the message, it only signs it

    Information Protections by Asymmetric Cryptography

    RSA

    • The most common asymmetric cryptography algorithm
    • RSA makes the public and private keys by multiplying two large prime numbers p and q
      • To compute their product (n = pq)
    • It is very difficult to factor the number n to find p and q
      • Finding the private key from the public key would require a factoring operation
    • RSA is complex and slow, but secure
      • 100 times slower than DES

    Diffie-Hellman

    • A key exchange algorithm, not an encryption algorithm
    • Allows two users to share a secret key securely over a public network
    • Once the key has been shared
      • Then both parties can use it to encrypt and decrypt messages using symmetric cryptography

    HTTPS

    • Secure Web Pages typically use RSA, Diffie-Hellman, and a symmetric algorithm like RC4
    • RSA is used to send the private key for the symmetric encryption

    RSA Used by eBay

    RC4 Used by eBay

    Elliptic Curve Cryptography

    • An elliptic curve is a function drawn on an X-Y axis as a gently curved line
    • By adding the values of two points on the curve, you can arrive at a third point on the curve
    • The public aspect of an elliptic curve cryptosystem is that users share an elliptic curve and one point on the curve
    • Not common, but may one day replace RSA

    Using Cryptography on Files and Disks

    Encrypting Files: PGP and GPG

    • Pretty Good Privacy (PGP)
      • One of the most widely used asymmetric cryptography systems for files and e-mail messages on Windows systems
    • GNU Privacy Guard (GPG)
      • A similar open-source program
    • PGP and GPG use both asymmetric and symmetric cryptography

    Encrypting Files: Encrypting File System (EFS)

    • Part of Windows
    • Uses the Windows NTFS file system
    • Because EFS is tightly integrated with the file system, file encryption and decryption are transparent to the user
    • EFS encrypts the data as it is written to disk
    • On Macs, Filevault encrypts a user's home folder

    Whole Disk Encryption

    • Windows BitLocker
      • A hardware-enabled data encryption feature
      • Can encrypt the entire Windows volume
        • Includes Windows system files as well as all user files
      • Encrypts the entire system volume, including the Windows Registry and any temporary files that might hold confidential information
    • TrueCrypt
      • Open-source, free, and can encrypt folders or

    Trusted Platform Module (TPM)

    • A chip on the motherboard of the computer that provides cryptographic services
    • If the computer does not support hardware-based TPM then the encryption keys for securing the data on the hard drive can be stored by BitLocker on a USB flash drive

    Cold Boot Attack

    • Can defeat all currently available whole disk encryption techniques

    Understanding Cryptographic Attacks

    • Sniffing and port scanning are passive attacks – just watching
    • Active attacks attempt to determine the secret key being used to encrypt plaintext
    • Cryptographic algorithms are usually public
      • Follows the open-source culture
      • Except the NSA, CIA, etc.

    Birthday Attack

    If 23 people are in the room, what is the chance that they all have different birthdays?

    $$\frac{365}{365} \times \frac{364}{365} \times \frac{363}{365} \times \frac{362}{365} \times \frac{361}{365} \times \frac{360}{365} \times \cdots \times \frac{343}{365} \approx 49\%$$

    Birthday Attack

    • If there are N possible hash values,
      • You'll find collisions when you have calculated 1.2 × sqrt(N) values
    • SHA-1 uses a 160-bit key
      • Theoretically, it would require 2^80 computations to break
      • SHA-1 has already been broken, because of other weaknesses
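An added example, not from the original slides, that evaluates the 23-person product and measures how many hashes it takes to reach a first collision when SHA-256 is truncated to 16 bits (so N = 2^16), for comparison with the 1.2 × sqrt(N) rule. The truncation, the seeds and the message format are assumptions made for the demonstration.

```python
import hashlib
import math


def p_all_different(people, days=365):
    """Probability that `people` birthdays are all distinct (the slide's product)."""
    p = 1.0
    for i in range(people):
        p *= (days - i) / days
    return p


def truncated_hash(data, bits):
    """First `bits` bits of SHA-256: a stand-in hash with N = 2**bits values."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def first_collision(bits, seed):
    """Hash distinct inputs until two share a truncated digest.

    Returns (number of hashes computed, first input, colliding input).
    """
    seen = {}
    count = 0
    while True:
        msg = b"%d:%d" % (seed, count)  # constructed, never-repeating inputs
        count += 1
        h = truncated_hash(msg, bits)
        if h in seen:
            return count, seen[h], msg
        seen[h] = msg


def mean_trials(bits, runs):
    """Average number of hashes to the first collision over `runs` seeds."""
    return sum(first_collision(bits, s)[0] for s in range(runs)) / runs


if __name__ == "__main__":
    print("23 people, all different: %.3f" % p_all_different(23))
    bits = 16
    n = 2 ** bits
    print("N = 2^%d: 1.2*sqrt(N) = %.0f, measured mean = %.0f"
          % (bits, 1.2 * math.sqrt(n), mean_trials(bits, 200)))
```

Each extra bit of digest length multiplies N by two but the collision work only by sqrt(2), which is why a 160-bit hash gives about 2^80 work against collisions rather than 2^160.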

    Mathematical Attacks