Skip section 32.1 (IPSec and Virtual Private Network-VPN) – They require information on IP that I’ve not yet covered. Possible paper topic Will cover after TCP/IP, if time, but probably won’t have it. X.509 certificate (end of chapter 31) identifies a server site and verifies it is who it says it is. It’s like an ID card stored electronically. Used for Internet transactions as part of a security protocol Issued by a trusted Certification Authority (CA) Examples: thawte, verisign, entrust, godaddy. EV (Extended validation) certificates http://en.wikipedia.org/wiki/Extended_Validation_C ertificate I will not distinguish X.509 and EV but could be a paper topic that gets into more detail than I will CA’s responsibilities Verify the entity is who they say they are. This is an investigative procedure into the entity requesting the certificate. Create a certificate (and issue to the entity) to contain the following information: Certificate Contains: Owner's public key (and algorithm) Owner's name Expiration date of the public key Name of the issuer (the CA that issued the Digital Certificate) Serial number of the Digital Certificate Certificate thumbprint calculated with the CA’s private key. This establishes the authenticity of the certificate and guarantees the certificate cannot be tampered with Version # more SSL/TLS – 32.2 TCP establishes a connection between two sites. SSL-Secure Sockets Layer End-to-end security protocols Authenticate server and client to each other Message integrity Originally designed by Netscape Used by virtually every Internet commerce site TLS-Transport Layer Security TLS is the IETF version of SSL Openssl. For those of you with Linux accounts – man openssl or man x509. Won’t distinguish here but plenty of room for a paper topic. Figure 32.14 Location of SSL and TLS in the Internet model 32.8 Possible sequence of steps for SSL is. Client sends info to server SSL or TLS version # list of compression/encryption techniques key exchange algorithms supported session ID random data. Server sends info to client what it supports and wants to use random data certificate Both sides now know what the other can do. Authenticate the server Client verifies certificate it received from the server Check certificate expiration date Check certificate authority (is it in a list of trusted CAs maintained by the client) use CA’s public key and apply it to the digital signature (fingerprint, thumbprint) to get the digest value and authenticate – is this a valid certificate? compare domain name in certificate w/ domain name of server (to prevent man-in-the-middle attack) Client creates pre-master secret key and encrypts using server’s public key (obtained from the certificate); sends to server. Server gets it and decrypts using its private key. Server may authenticate client. Client and server feed random data from both sides and premaster secret into a hash algorithm to generate a session key. Exchange information securely Figure 32.15 Creation of cryptographic secrets in SSL 32.13 Some other references [http://support.microsoft.com/kb/257591] [http://msdn2.microsoft.com/en-us/library/aa380513.aspx] [http://www.cisco.com/en/US/tech/tk583/tk618/tsd_technolog y_support_protocol_home.html] You can see certificates connect to an https site (e.g. www.bankmutual.com and select customer login) Note the lock icon at the top next to the URL). click on the icon and select view certificates and select various tabs and options. DO NOT ASSUME sites are secure Look for the lock icon or https as opposed to http in the URL. To see trusted CAs: Tools Internet Options and select Content tab Select Certificates button followed by one of the tabs. Select a CA and click the View button. Explore various tabs. Book has a little more on SSL and TLS and could be used as part of a paper topic. What if the certificate does not check out? PGP (Pretty good Privacy) In the early 1990s, encryption algorithms were in the same category as weapons and were declared as a munitions – making them subject to strict export laws. PGP was developed by Phillip Zimmerman Putting it on the Internet was akin to exporting it, according to the State dept. Subject of a 3-year criminal investigation Since then, export laws governing encryption have been relaxed. Another reference at www.pgpi.org (trial versions used to be available but are hard to find now-at least Figure 32.19 Position of PGP in the TCP/IP protocol suite 32.19 Table 32.4 PGP Algorithms 32.20 Example use of PGP (run on an older environment) When the message is open the receiver sees: ---BEGIN PGP SIGNED MESSAGE--Hash: SHA1 this is a test message ---BEGIN PGP SIGNATURE--Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> iQA/AwUBPVHAkz012x9/xPKqEQL7UQCg65yJ8I4c5o7s37iMvLcqqRtokhAAn 3E2 EzQd3vhFE41QGj3O8zvDSawR =knKs ---END PGP SIGNATURE--- With the message open the user can select decrypt/verify from the PGP dropdown menu *** PGP Signature Status: good *** Signer: William Shay ,[email protected]. *** Signed: 8/7/02 7:51:31 PM *** Verified: 8/7/02 8:50:46 PM *** BEGIN PGP VERIFIED MESSAGE *** this is a test message *** END PGP VERIFIED MESSAGE *** Textbook covers a bit more and gets into key rings and such. I will skip that but this a possible paper topic. Firewalls. - 32.4 Allows or disallows data to pass through. How does it decide? Packet filtering IP packet format May accept or reject a packet based on its IP address and/or port number For example, the client/server project works, in theory, if one machine is on campus and the other is off. It is, however, subject to firewall rules. Examples Disallow incoming packets with port # 23 (disables telnet). Disallow outgoing packets with specified destination addresses. Could be used to restrict employees from access certain external sites (competitors or game playing sites) during work hours. Example: Some businesses disallow employees to access youtube, facebook, or similar sites. Disallow outgoing with specified source addresses (to prevent address spoofing – a form of attack discussed later) Initial firewall setup. Can allow all by default then specify which to reject Runs the risk of missing something that should be rejected Can reject all by default and then specify which to allow Runs the risk of people getting PO’d if you miss an application that should pass Possible policies: firewall setting (from Kurose & Ross) No outside web access: Drop all outgoing packets to an IP address, port 80 (HTTP). No incoming TCP connections, except those for organization's public Web server (130.207.244.203): Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80. Prevent web-radios from eating up the available bandwidth: Drop all incoming UDP packets – except DNS packets. Prevent network from being used for a smurf DoS attack: drop all ICMP ping packets going to a broadcast address. Prevent your network from being tracerouted: drop all outgoing ICMP TTL expired traffic. Application level gateway (proxy server) Packet filtering uses layer 3/4 information Book example: Only those Internet users who have previously established business relations with the company can have access to certain web pages. Packet filtering won’t work Cannot distinguish the above cases Runs a program for each type of application Intercepts all requests at a high layer and forwards (or rejects) them as needed. More overhead than packet filtering (firewall must run duplicate apps) Increased flexibility based on intent of applications Stateful inspection (not in text) Packets examined based on contents AND context (i.e. what has happened previously). Admin defines a rule base that determines course of action. Example: a ping packet sends an echo-request packet Example: type ping url in a dos window – or in Linux Could reject an echo-response packet if there was no previous echo-request packet in the other direction. Deny an incoming acknowledgment to a request that never happened. Client established a ftp connection and server attempts to initiate a file transfer before the client has requested it. Denied. Maybe client tries to sneak a packet with a different port # through the existing connection. Denied. Refs: [http://en.wikipedia.org/wiki/Stateful_firewall] [http://www.webopedia.com/TERM/S/stateful_inspection.ht ml] Can purchase different levels of firewall protection. Can install on your machine. Can specify which apps can access the Internet or which sources from the Internet can access your computer. Administrator defines a rule base defining actions. Firewalls can also restrict # packets per second (prevent student from setting up game servers on campus) Attacks (not in text) – I will provide an overview only – a possible paper topic Smurf (DoS) attack: send a ping packet but falsify the source and use a broadcast address for the destination. All nodes in the broadcast group reply to the “source” inundating it with traffic. Presumably the attacker creates an infinite loop sending such packets. [http://www.cert.org/advisories/CA-1998-01.html] [http://en.wikipedia.org/wiki/Denial-of-service_attack] SYN flood send connection requests (with a false source) to a site. Site waits for a confirmation and times out if it does not arrive. If requests are sent faster than timeouts occur, problems occur. [http://www.cert.org/advisories/CA-1996-21.html] Slowloris attack Utilizes legitimate HTTP traffic Sends partial http requests Sends additional information periodically to keep socket connections open Ties up connections making them unavailable to legitimate use Like SYN flood but over http http://www.funtoo.org/en/security/slowloris/ and http://en.wikipedia.org/wiki/Slowloris There are bad things are out there Malware – a generic term covering a wide variety of bad things. Virus – program attached to another that does unintended things May be destructive May not be (technically) All are disruptive and cause loss or work or trust Worm: a program that can invade a computer but is NOT attached to another program. Trojan Horse: hidden part of other useful program Might be running something that’s prone to accepting a worm from the internet and run it. Might access your outlook contacts and send a copy of itself to everyone there. Blaster worm: allow others to control your computer. Typically doesn’t replicate like worms and viruses Summary Packet sniffer: Spyware: records copies of packets that it sees A good reason to secure wireless connections watch what you do and perhaps report it to someone else. You may be completely unaware Botnet: collection of computers working together for a purpose Clipper Chip (of historical interest): [http://en.wikipedia.org/wiki/Clipper_chip] [http://www.epic.org/crypto/clipper/] For wiretapping (provided by a court order), each clipper chip has encryption algorithm in a chip inserted into a phone. Press button & security devices exchange encryption keys. Designed by engineers at NSA w/ no input from private industry in response to private sectors developing their own to combat business and industrial espionage. K = 80-bit session key to encrypt – needed for wiretap F = 80-bit family key (all chips in a group have the same one) N = 30-bit serial # (unique to a chip) S = 80-bit secret key – unique to each chip, used by law enforcement V = voice message – Ek(V) is the transmitted voice message Clipper chip also generates EF(ES(K)+N) (+ is concatenate here) Suppose a wiretap is approved; Apply DF to above to get ES(K)+N. Easy since F is not secret S IS secret so cannot apply DS easily. Need to use N to get S but first need to know how S is formed and stored. Two parties – each generates one 80-bit string. Call them S1 and S2. Calculate S= S1 S2 Each of S1 and S2 are maintained by separate key escrow agencies along with chip serial number. Who the agencies are and who they report to is an issue. Officials get N and, with a court order, get S1 and S2 from each agency. Apply DS to get K and then apply DK to get V
© Copyright 2026 Paperzz