NETWORKING SECURITY AND STANDARDS978-1-4615-6153-8/1.pdf · 2.5 Digital Signature 18 2.6 Key...
13
NETWORKING SECURITY AND STANDARDS NETWORKING SECURITY AND STANDARDS
Transcript of NETWORKING SECURITY AND STANDARDS978-1-4615-6153-8/1.pdf · 2.5 Digital Signature 18 2.6 Key...
NETWORKING SECURITY AND STANDARDS
NETWORKING SECURITY AND STANDARDS
THE KLUWER INTERNATIONAL SERIES IN ENGINEERING AND COMPUTER SCIENCE
THE KLUWER INTERNATIONAL SERIES IN ENGINEERING AND COMPUTER SCIENCE
NETWORKING SECURITY ANDSTANDARDS
by
WeidongKou
SPRINGER-SCIENCE+BUSINESS MEDIA, LLC
Library of Congress Cataloging-in-Publication Data
A C.I.P. Catalogue record for this book is available from the Library of Congress.
ISBN 978-1-4613-7820-4 ISBN 978-1-4615-6153-8 (eBook) DOI 10.1007/978-1-4615-6153-8
Copyright © 1997 by Springer Science+Business Media New York Originally published by Kluwer Academic Publishers in 1997 Softcover reprint of the hardcover 1 st edition 1997
AII rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, mechanical, photocopying, recording, or otherwise, without the prior written permis sion of the publisher, Springer-Science+ Business Media, LLC.
Printed on acid-free paper.
To Dr. Zhiming Kou and Ms Min Liang
Yuxia and Daniel
To Dr. Zhiming Kou and Ms Min Liang
Yuxia and Daniel
Contents
Preface xi Acknowledgments xv
1. Business Fundamentals of Security 1 1.1 Principles of Security 1 1.2 Identification and Authentication 2 1.3 Access Control 3 1.4 Confidentiality 4 1.5 Data Integrity 6 1.6 Non-Repudiation 7 1.7 Security Management 7 1.8 Security Regulation 9 1.9 Security Standards 10
2. Technical Fundamentals of Security 13 2.1 Secret and Public Key Cryptography l3 2.2 Secret Key Encryption 15 2.3 Public Key Encryption 16 2.4 Message Digest and Authentication 17 2.5 Digital Signature 18 2.6 Key Management 20 2.7 Identity Authentication 21 2.8 Key Escrow Encryption 22 2.9 Cryptoana1ysis 23
3. Security Architecture Standard 25 3.1 ISO 7498 Basic Reference Model for OSI 25 3.2 ISO 7498-2 Security Architecture 28 3.3 Security Services 28 3.4 Security Mechanisms 32 3.5 Relationship of Security Services, Mechanisms and 36
Layers 3.6 Placement of Security Services and Mechanisms 39
vii
Contents
Preface xi Acknowledgments xv
1. Business Fundamentals of Security 1 1.1 Principles of Security 1 1.2 Identification and Authentication 2 1.3 Access Control 3 1.4 Confidentiality 4 1.5 Data Integrity 6 1.6 Non-Repudiation 7 1.7 Security Management 7 1.8 Security Regulation 9 1.9 Security Standards 10
2. Technical Fundamentals of Security 13 2.1 Secret and Public Key Cryptography l3 2.2 Secret Key Encryption 15 2.3 Public Key Encryption 16 2.4 Message Digest and Authentication 17 2.5 Digital Signature 18 2.6 Key Management 20 2.7 Identity Authentication 21 2.8 Key Escrow Encryption 22 2.9 Cryptoana1ysis 23
3. Security Architecture Standard 25 3.1 ISO 7498 Basic Reference Model for OSI 25 3.2 ISO 7498-2 Security Architecture 28 3.3 Security Services 28 3.4 Security Mechanisms 32 3.5 Relationship of Security Services, Mechanisms and 36
Layers 3.6 Placement of Security Services and Mechanisms 39
vii
viii Networking Security and Standards
3.7 Security Management 44
4. Data Encryption Standards 49 4.1 ANSI X3.92 Data Encryption Standard (DES) 49 4.2 ANSI X3 .106 DEA - Modes of Operation 57 4.3 ANSI X9.23 Standard 62
5. Key Management Standards 69 5.1 ANSI X9.17 Standard 69 5.2 ANSI X9.24 Standard 83
6. Data Integrity Standards 91 6.1 ANSI X9. 9 Standard 91 6.2 ANSI X9.19 Standard 98 6.3 NIST FIPS 180 Secure Hash Standard 104
7. Digital Signature Standards 107 7.1 NIST FIPS 186 Digital Signature Standard 107 7.2 RSA Digital Signature 112
(CCITT X509, ANSI X9.31, and ISO 9796)
8. Sign-On Authentication Standard 117 8.1 ANSI X9.26 Sign-On Authentication 117 8.2 ANSI X9.26 Interoperability 121
9. Directory and Certificate Standards 127 9.1 CCITT X500 Standard 127 9.2 CCITT X509 Standard 133
10. Electronic Mail Standards 139 10.1 CCITT X400 Message Handling Systems 139 10.2 Security in CCITT X400 142 10.3 Security in CCITT X411 146 10.4 Security in CCITT X420 150
11. Electronic Data Interchange Standards 153 11.1 ANSI X12 ED! and ISO ED IFACT Standards 153 11.2 Secure ED! (ANSI Xl2.58) 158 11.3 Secure ED IFACT (ISO 9735) 160
12. Security Application Technologies 169 12.1 RSA Public Key Cryptography Standards 169 12.2 DoD Security Classifications 171
viii Networking Security and Standards
3.7 Security Management 44
4. Data Encryption Standards 49 4.1 ANSI X3.92 Data Encryption Standard (DES) 49 4.2 ANSI X3 .106 DEA - Modes of Operation 57 4.3 ANSI X9.23 Standard 62
5. Key Management Standards 69 5.1 ANSI X9.17 Standard 69 5.2 ANSI X9.24 Standard 83
6. Data Integrity Standards 91 6.1 ANSI X9. 9 Standard 91 6.2 ANSI X9.19 Standard 98 6.3 NIST FIPS 180 Secure Hash Standard 104
7. Digital Signature Standards 107 7.1 NIST FIPS 186 Digital Signature Standard 107 7.2 RSA Digital Signature 112
(CCITT X509, ANSI X9.31, and ISO 9796)
8. Sign-On Authentication Standard 117 8.1 ANSI X9.26 Sign-On Authentication 117 8.2 ANSI X9.26 Interoperability 121
9. Directory and Certificate Standards 127 9.1 CCITT X500 Standard 127 9.2 CCITT X509 Standard 133
10. Electronic Mail Standards 139 10.1 CCITT X400 Message Handling Systems 139 10.2 Security in CCITT X400 142 10.3 Security in CCITT X411 146 10.4 Security in CCITT X420 150
11. Electronic Data Interchange Standards 153 11.1 ANSI X12 ED! and ISO ED IFACT Standards 153 11.2 Secure ED! (ANSI Xl2.58) 158 11.3 Secure ED IFACT (ISO 9735) 160
12. Security Application Technologies 169 12.1 RSA Public Key Cryptography Standards 169 12.2 DoD Security Classifications 171
Contents
12.3 12.4 12.5 12.6 12.7 12.8 12.9 12.10 12.11 12.12 12.13 12.14
Kerberos and KryptoKnight Firewall Internet Secure Protocols: SSL and SHTTP Private Communication Technology Protocols Java Security Internet Keyed Payment Protocols Security Transaction Technology Secure Electronic Transaction Digital Cash and Digital Check Smart Cards Security for Lotus Notes Database Security
Bibliography Index
173 176 178 180 181 183 186 188 191 192 193 195
199 203
ix Contents
12.3 12.4 12.5 12.6 12.7 12.8 12.9 12.10 12.11 12.12 12.13 12.14
Kerberos and KryptoKnight Firewall Internet Secure Protocols: SSL and SHTTP Private Communication Technology Protocols Java Security Internet Keyed Payment Protocols Security Transaction Technology Secure Electronic Transaction Digital Cash and Digital Check Smart Cards Security for Lotus Notes Database Security
Bibliography Index
173 176 178 180 181 183 186 188 191 192 193 195
199 203
ix
Preface
Security is the science and technology of secure communications and resource protection from security violation such as unauthorized access and modification. Putting proper security in place gives us many advantages. It lets us exchange confidential information and keep it confidential. We can be sure that a piece of information received has not been changed. Nobody can deny sending or receiving a piece of information. We can control which piece of information can be accessed, and by whom. We can know when a piece of information was accessed, and by whom. Networks and databases are guarded against unauthorized access.
We have seen the rapid development of the Internet and also increasing security requirements in information networks, databases, systems, and other information resources. This comprehensive book responds to increasing security needs in the marketplace, and covers networking security and standards.
There are three types of readers who are interested in security: non-technical readers, general technical readers who do not implement security, and technical readers who actually implement security. This book serves all three by providing a comprehensive explanation of fundamental issues of networking security, concept and principle of security standards, and a description of some emerging security technologies. The approach is to answer the following questions:
1. What are common security problems and how can we address them? 2. What are the algorithms, standards, and technologies that can solve
common security problems? 3. How do they work?
Non-technical readers, such as corporate strategists, managers, product planners, and marketing professionals, will benefit from the answers of the first two questions. After reading this book, they will know the importance of security, the availability of security standards and technologies, and the security products that the marketplace needs. With such knowledge, they can make the right decisions on
xi
Preface
Security is the science and technology of secure communications and resource protection from security violation such as unauthorized access and modification. Putting proper security in place gives us many advantages. It lets us exchange confidential information and keep it confidential. We can be sure that a piece of information received has not been changed. Nobody can deny sending or receiving a piece of information. We can control which piece of information can be accessed, and by whom. We can know when a piece of information was accessed, and by whom. Networks and databases are guarded against unauthorized access.
We have seen the rapid development of the Internet and also increasing security requirements in information networks, databases, systems, and other information resources. This comprehensive book responds to increasing security needs in the marketplace, and covers networking security and standards.
There are three types of readers who are interested in security: non-technical readers, general technical readers who do not implement security, and technical readers who actually implement security. This book serves all three by providing a comprehensive explanation of fundamental issues of networking security, concept and principle of security standards, and a description of some emerging security technologies. The approach is to answer the following questions:
1. What are common security problems and how can we address them? 2. What are the algorithms, standards, and technologies that can solve
common security problems? 3. How do they work?
Non-technical readers, such as corporate strategists, managers, product planners, and marketing professionals, will benefit from the answers of the first two questions. After reading this book, they will know the importance of security, the availability of security standards and technologies, and the security products that the marketplace needs. With such knowledge, they can make the right decisions on
xi
xii Networking Security and Standards
developing security products, purchasing security products, or implementing security strategies in their organizations.
Technical readers, such as architects, designers, analysts, engineers, university students, professors, and researchers, in addition to the previous benefits, can learn the technical principles of security algorithms, standards, and technologies covered in this book.
For those who actually implement a specific security algorithm, standard, or technology covered in this book, this book provides an overview as the first step for their implementation. In addition to this book, they need to refer to the specification of the particular algorithm, standard, or technology.
The purpose of this book is to introduce readers to security at a conceptual level, with a strong emphasis on standards. The author believes that majority of readers are interested in the concepts and principles of security standards rather the detailed implementation specifications. Thus the readers who implement security should be well-prepared to go to the original standards from ISO, ccrn, ANSI, NIST, and other standard organizations; those documents are the best technical references. Our approach should thus satisfy the needs of the majority.
The book is organized in three logical parts as follows:
Security Fundamentals: The business fundamentals of security are presented in Chapter 1. The purpose of this chapter is to help the readers to understand the security principle, services, management, and regulations. In Chapter 2, the fundamental security techniques are introduced, including secret and public key cryptography, encryption, message digest and authentication, digital signature, key management, identity authentication, key escrow encryption, and cryptoanalysis.
Security Standards: From Chapter 3 to Chapter 11, major security standards are discussed. These security standards include:
• Security architecture standard (ISO 7498-2) (Chapter 3), • Data encryption standards (ANSI X3 . 92 and X3.1 06) together with the
standard of encryption of wholesale financial messages (ANSI X9.23) (Chapter 4),
• Key management standards (ANSI X9 .17 and X9 .24 )(Chapter 5), • Hashing and message authentication standards (ANSI X9.9, X9.19,
and NIST FIPS 180) (Chapter 6), . • Digital signature standards (NIST FIPS 186, ISO 9796, ANSI X9.31,
and CCITT X.509) (Chapter 7), • Sign-on authentication standard (ANSI X9.26) (Chapter 8),
xii Networking Security and Standards
developing security products, purchasing security products, or implementing security strategies in their organizations.
Technical readers, such as architects, designers, analysts, engineers, university students, professors, and researchers, in addition to the previous benefits, can learn the technical principles of security algorithms, standards, and technologies covered in this book.
For those who actually implement a specific security algorithm, standard, or technology covered in this book, this book provides an overview as the first step for their implementation. In addition to this book, they need to refer to the specification of the particular algorithm, standard, or technology.
The purpose of this book is to introduce readers to security at a conceptual level, with a strong emphasis on standards. The author believes that majority of readers are interested in the concepts and principles of security standards rather the detailed implementation specifications. Thus the readers who implement security should be well-prepared to go to the original standards from ISO, ccrn, ANSI, NIST, and other standard organizations; those documents are the best technical references. Our approach should thus satisfy the needs of the majority.
The book is organized in three logical parts as follows:
Security Fundamentals: The business fundamentals of security are presented in Chapter 1. The purpose of this chapter is to help the readers to understand the security principle, services, management, and regulations. In Chapter 2, the fundamental security techniques are introduced, including secret and public key cryptography, encryption, message digest and authentication, digital signature, key management, identity authentication, key escrow encryption, and cryptoanalysis.
Security Standards: From Chapter 3 to Chapter 11, major security standards are discussed. These security standards include:
• Security architecture standard (ISO 7498-2) (Chapter 3), • Data encryption standards (ANSI X3 . 92 and X3.1 06) together with the
standard of encryption of wholesale financial messages (ANSI X9.23) (Chapter 4),
• Key management standards (ANSI X9 .17 and X9 .24 )(Chapter 5), • Hashing and message authentication standards (ANSI X9.9, X9.19,
and NIST FIPS 180) (Chapter 6), . • Digital signature standards (NIST FIPS 186, ISO 9796, ANSI X9.31,
and CCITT X.509) (Chapter 7), • Sign-on authentication standard (ANSI X9.26) (Chapter 8),
Preface xiii
• CCITT directory system and authentication framework standards (CCITT X500 and X509) (Chapter 9)~
• Electronic mail standards and security (CCITT X400, X411 and X420) (Chapter 10),
• Electronic data interchange standards and security (ANSI X12.58 and ISO 9735) (Chapter 11).
Emerging Security Technologies are presented in Chapter 12, including:
• RSA public key cryptography standards • DoD security classification • Third party authentication schemes: Kerberos and KryptoKnight • Firewall technology • Internet security: secure sockets layer (SSL), secure hyertext transfer
protocol (SHITP), private communication technology protocols(pCT), and Java security
• Internet secure payment technology: Internet keyed payment (iKP) protocols, secure transaction technology (STT), secure electronic transaction (SET), digital cash, digital check, and smart cards
• Lotus Notes security • Database security.
Preface xiii
• CCITT directory system and authentication framework standards (CCITT X500 and X509) (Chapter 9)~
• Electronic mail standards and security (CCITT X400, X411 and X420) (Chapter 10),
• Electronic data interchange standards and security (ANSI X12.58 and ISO 9735) (Chapter 11).
Emerging Security Technologies are presented in Chapter 12, including:
• RSA public key cryptography standards • DoD security classification • Third party authentication schemes: Kerberos and KryptoKnight • Firewall technology • Internet security: secure sockets layer (SSL), secure hyertext transfer
protocol (SHITP), private communication technology protocols(pCT), and Java security
• Internet secure payment technology: Internet keyed payment (iKP) protocols, secure transaction technology (STT), secure electronic transaction (SET), digital cash, digital check, and smart cards
• Lotus Notes security • Database security.
Acknowledg ments
I would like to thank the IBM Toronto Lab for providing me with an opportunity to serve as Security Architect for IBM WPP (Worldwide Procurement Professional Services), a core technology of IBM's CommercePoint, particularly for the SEPS (Singapore Electronic Procurement Services) project. My thanks go to the IBM Internet Division for providing me with an opportunity to serve as the principal technical author of the bidding proposal for Public Key Certification Infrastructure for a national government. I thank my management team at IBM for their support.
My thanks go to my former employer, AT&T GIS (NCR) at Waterloo, for supporting me as a member of ANSI standard committees (ANSI X3L3, and ANSI X9B9) for four years, and for letting me be involved in various financial item processing projects.
My data security career began with various cryptographic courses and forums in the early 1980s. I would like to thank Prof. Jim Massey for his short cryptographic class, and Profs. Wang Xinmei, Wang Yumin, Xiao Guozhen, and Lian Chuanjia for their cryptographic courses and forums.
During my research years at the University of Waterloo, Canada, and at the University of Linkoping, Sweden, I benefited from various security and information theory seminars held by Profs. Ian Blake, Gord Agnew, and Thomas Ericsson, to whom lowe thanks.
I specially thank my supervisors, Profs. Jon Mark, Tore Fjallbrant, Hu Zheng, Hu Zhenming, Wu Youshou, and Fen Chongxi for their guidance during my academic years at universities.
Many people have helped me in the proofreading of this book. I would like to thank Karen Bennet, Kelly Lyons, John Henshaw, Carla Quinn, Weng Fatt Fong, Terry Lau, Lev Mirlas, and George Klima for their time spent on the proofreading and for their suggestions to make this book more readable to a wide audience.
xv
Acknowledg ments
I would like to thank the IBM Toronto Lab for providing me with an opportunity to serve as Security Architect for IBM WPP (Worldwide Procurement Professional Services), a core technology of IBM's CommercePoint, particularly for the SEPS (Singapore Electronic Procurement Services) project. My thanks go to the IBM Internet Division for providing me with an opportunity to serve as the principal technical author of the bidding proposal for Public Key Certification Infrastructure for a national government. I thank my management team at IBM for their support.
My thanks go to my former employer, AT&T GIS (NCR) at Waterloo, for supporting me as a member of ANSI standard committees (ANSI X3L3, and ANSI X9B9) for four years, and for letting me be involved in various financial item processing projects.
My data security career began with various cryptographic courses and forums in the early 1980s. I would like to thank Prof. Jim Massey for his short cryptographic class, and Profs. Wang Xinmei, Wang Yumin, Xiao Guozhen, and Lian Chuanjia for their cryptographic courses and forums.
During my research years at the University of Waterloo, Canada, and at the University of Linkoping, Sweden, I benefited from various security and information theory seminars held by Profs. Ian Blake, Gord Agnew, and Thomas Ericsson, to whom lowe thanks.
I specially thank my supervisors, Profs. Jon Mark, Tore Fjallbrant, Hu Zheng, Hu Zhenming, Wu Youshou, and Fen Chongxi for their guidance during my academic years at universities.
Many people have helped me in the proofreading of this book. I would like to thank Karen Bennet, Kelly Lyons, John Henshaw, Carla Quinn, Weng Fatt Fong, Terry Lau, Lev Mirlas, and George Klima for their time spent on the proofreading and for their suggestions to make this book more readable to a wide audience.
xv
xvi Networking Security and Standards
I would like to thank Robert Holland, Jr. for his effort to help me publish this book.
I specially thank my wife, Yuxia, and my son, Daniel, for their support. It is not so hard to imagine how much they have sacrificed in family life during the past four years when I wrote my two books: this book and the book entitled Digital Image Compression: Algorithms and Standards, published in 1995 by Kluwer Academic Publishers. I would like to dedicate this book to Yuxia and Daniel.
Finally, I also dedicate this book to my parents, Dr. Zhiming Kou and Ms Min Liang for their love. Although I did not follow my father to become a medical doctor as my parents wished, they are proud of their son's doctorate and achievements in an engineering field.
xvi Networking Security and Standards
I would like to thank Robert Holland, Jr. for his effort to help me publish this book.
I specially thank my wife, Yuxia, and my son, Daniel, for their support. It is not so hard to imagine how much they have sacrificed in family life during the past four years when I wrote my two books: this book and the book entitled Digital Image Compression: Algorithms and Standards, published in 1995 by Kluwer Academic Publishers. I would like to dedicate this book to Yuxia and Daniel.
Finally, I also dedicate this book to my parents, Dr. Zhiming Kou and Ms Min Liang for their love. Although I did not follow my father to become a medical doctor as my parents wished, they are proud of their son's doctorate and achievements in an engineering field.
