Cryptography and Network

Security

1
About This Course
 Suggested books
 Cryptography: Theory and Practice
by Douglas R. Stinson CRC press

y:
 Cryptography and Network Securit
m
Principles and Practice; By Willia
Stallings Prentice Hall

 Handbook of Applied Cryptography by

Alfred J. Menezes, Paul C. van Oorschot
and Scott A. Vanstone, CRC Press
 I have electronic version!
2
Course Organization
Introduction
Conventional
Encryption
Block Ciphers
Public Key System
Key Management
Hash Function and
Digital Signature
Identification
Secret Sharing
Email Security
Others
3
Introduction

4
Information Security

5
 C.I.A
 Confidentiality, Integrity and Availability
 Information Systems are decomposed in
three main portions, hardware, software
and communications
 with the purpose to identify and apply information
security industry standards, as mechanisms of
protection and prevention, at three levels or layers:
 Physical, personal and organizational

6
 Various Securities
 Data security
 Data security is the means of ensuring that data is kept safe from
corruption and that access to it is suitably controlled.
 Computer Security
 The objective of computer security includes protection of
information and property from theft, corruption, or natural disaster,
while allowing the information and property to remain accessible
and productive to its intended users.
 Malware: malicious software
 includes computer viruses, worms, trojan horses, most
rootkits, spyware, dishonest adware,
 Network Security
 protect the network and the network-accessible resources from
unauthorized access, consistent and continuous monitoring and
measurement of its effectiveness 7
 Network Security
 network security and information security are often
used interchangeably

 network security is generally taken as providing

protection at the boundaries of an organization

 Network security starts from authenticating any user, most

likely a
username and a password
 An intrusion prevention system (IPS) helps detect and prevent
such malware. IPS also monitors for suspicious network traffic
for contents, volume and irregularities to protect the network
from attacks such as denial of service
8
 Network Security Model
Trusted Third Party

Principal Principal
(sender) (receiver)

Security Security
transformation transformation

attacker
9
Attacks, Services and
Mechanisms
 Security Attacks
 Action compromises the information security
 Could be passive or active attacks

 Security Services
 Actions that can prevent, detect such attacks.
 Such as authentication, identification, encryption, signature, secret
sharing and so on.

 Security mechanism
 The ways to provide such services
 Detect, prevent and recover from a security attack

10
Attacks
 Passive attacks
 Interception
 Release of message contents
 Traffic analysis
 Active attacks
 Interruption, modification, fabrication
 Masquerade
 Replay
 Modification
 Denial of service

11
Information Transferring

12
Attack: Interruption

Cut wire lines,

Jam wireless
signals,
Drop packets,

13
Attack: Interception

Wiring,
eavesdrop

14
Attack: Modification

Replaced
intercept
info

15
Attack: Fabrication
Ali: this is
…

Also called impersonation

Ali: this is
…
16
Attacks, Services and
Mechanisms
 Security Attacks
 Action compromises the information security
 Could be passive or active attacks

 Security Services
 Actions that can prevent, detect such attacks.
 Such as authentication, identification, encryption,
signature, secret sharing and so on.

 Security mechanism
 The ways to provide such services
 Detect, prevent and recover from a security attack
17
Important Services of Security
 Confidentiality, also known as secrecy:
 only an authorized recipient should be able to extract the
contents of the message from its encrypted form. Otherwise, it
should not be possible to obtain any significant information
about the message contents.
 Integrity:
 the recipient should be able to determine if the message has been
altered during transmission.
 Authentication:
 the recipient should be able to identify the sender, and verify
that the purported sender actually did send the message.
 Non-repudiation:
 the sender should not be able to deny sending the message.

18
 Secure Communication
 protecting data locally only solves a minor part of
the problem.

 The major challenge that is introduced by the Web

Service security requirements is to secure data
transport between the different components.

 Combining mechanisms at different levels of the

Web Services protocol stack can help secure data
transport (see figure next page).

19
Secure Communication

Message protocol layer XML DOCUMENT

20
 Secure Communication
 The combined protocol HTTP/TLS or SSL is often
referred to as HTTPS. SSL was originally developed by
Netscape for secure communication on the Internet, and
was built into their browsers. SSL version 3 was then
adopted and standardized as the Transport Layer Security
(TLS) protocol.
 Use of Public Key Infrastructure (PKI) for session key
exchange during the handshake phase of TLS has been
quite successful in enabling Web commerce in recent
years.
 TLS also has some known vulnerabilities: it is
susceptible to man-in-the-middle attacks and denial-
of-service attacks.

21
 SOAP security
 SOAP (Simple Object Access Protocol) is designed to pass through
firewalls as HTTP. This is disquieting from a security point of view.
Today, the only way we can recognize a SOAP message is by parsing
XML at the firewall. The SOAP protocol makes no distinction
between reads and writes on a method level, making it impossible to
filter away potentially dangerous writes. This means that a method
either needs to be fully trusted or not trusted at all.
 The SOAP specification does not address security issues directly,
but allows for them to be implemented as extensions.
 As an example, the extension SOAP-DSIG defines the syntax and
processing rules for digitally signing SOAP messages and validating
signatures. Digital signatures in SOAP messages provide integrity and
non-repudiation mechanisms.

22
PKI
 PKI key management provides a sophisticated framework for
securely exchanging and managing keys. The two main
technological features, which a PKI can provide to Web
Services, are:
 Encryption of messages: by using the public key of the recipient
 Digital signatures: non-repudiation mechanisms provided by PKI and
defined in SOAP standards may provide Web Services applications with
legal protection mechanisms
 Note that the features provided by PKI address the same
basic needs as those that are recognized by the
standardization organizations as being important in a Web
Services context.
 In Web Services, PKI mainly intervenes at two levels:
 At the SOAP level (non-repudiation, integrity)
 At the HTTPS level (TLS session negotiation, eventually assuring
authentication, integrity and privacy)

23