[Figure: protocol stacks of two peer-to-peer hosts (Application, Presentation, Session, Transport, Network, Data Link and Physical layers), joined by the flow of bits at the physical layer]
Courtesy of Professors Chris Clifton & Matt Bishop
INFSCI 2935: Introduction to Computer Security
- Connection information
  - Random data for the server & client
  - Server and client keys (used for encryption)
  - Server and client MAC key
  - Initialization vector for the cipher, if needed
  - Server and client sequence numbers
- Provides a set of supported cryptographic mechanisms that are set up during negotiation (handshake protocol)
SSL Architecture
Handshake Protocol
- The most complex part of SSL
- Allows the server and client to authenticate each other
  - Based on interchange cryptosystem (e.g., RSA)
Other protocols
- SSL Change Cipher Spec Protocol
  - A single byte is exchanged
  - After new cipher parameters have been negotiated (renegotiated)
IPSec
- Set of protocols/mechanisms
  - Encrypts and authenticates all traffic at the IP level
- Protects all messages sent along a path
- Intermediate host with IPSec mechanism (firewall, gateway) is called a security gateway
- Use on LANs, WANs, public, and private networks
[Figure: peer-to-peer communication through security gateways (SG) across the Internet/intranet]
IPSec Protocols
- Authentication header (AH) protocol
  - Message integrity
  - Origin authentication
  - Anti-replay services
IPSec Modes
- Two modes
  - Transport mode
    - Encapsulates IP packet data area
    - IP header is not protected
    - Protection is provided for the upper layers
    - Usually used in host-to-host communications
  - Tunnel mode
    - Encapsulates entire IP packet in an IPSec envelope
    - Helps against traffic analysis
    - The original IP packet is untouched in the Internet
[Figure: authentication header fields: Next Header, Payload length, Security Parameters Index, Sequence Number, Authentication Data]
- Next header
  - Identifies what protocol header follows
- Payload length
  - Indicates the number of 32-bit words in the authentication header
- Sequence number
  - Counter that increases with each IP packet sent from the same host to the same destination and SA
- Authentication Data
Preventing replay
- Using 32-bit sequence numbers helps detect replay of IP packets
- The sender initializes a sequence number for every SA
  - Each succeeding IP packet within an SA increments the sequence number
- Receiver implements a window size of W to keep track of authenticated packets
- Receiver checks the MAC to see if the packet is authentic
Transport Mode AH
[Figure: transport mode AH across the Internet/intranet. Without IPSec: payload data. With AH: payload data, SPI, MAC]
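
The receiver-side check listed under "Preventing replay", as an added example that is not part of the original slides: a sliding window of size W over the 32-bit sequence number, with the MAC verified before the window state changes. The HMAC-SHA256 construction, the value of W and the class names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

W = 32  # window size W from the slide; the value 32 is a constructed choice


def mac(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    # Stand-in for the Authentication Data field: HMAC over SPI, sequence number, payload.
    return hmac.new(key, struct.pack("!II", spi, seq) + payload, hashlib.sha256).digest()


class Sender:
    def __init__(self, key: bytes, spi: int):
        self.key, self.spi, self.seq = key, spi, 0  # counter initialized per SA

    def send(self, payload: bytes):
        self.seq += 1  # each succeeding packet within the SA increments the counter
        if self.seq > 0xFFFFFFFF:
            raise OverflowError("32-bit sequence space exhausted; a new SA is needed")
        return (self.spi, self.seq, payload, mac(self.key, self.spi, self.seq, payload))


class Receiver:
    def __init__(self, key: bytes, spi: int):
        self.key, self.spi = key, spi
        self.top = 0   # highest authenticated sequence number (right edge of window)
        self.seen = 0  # bitmap: bit i set means (top - i) was already accepted

    def receive(self, packet) -> str:
        spi, seq, payload, tag = packet
        if spi != self.spi or not 1 <= seq <= 0xFFFFFFFF:
            return "drop: bad SPI or sequence number"
        if seq <= self.top:
            offset = self.top - seq
            if offset >= W:
                return "drop: left of window"
            if (self.seen >> offset) & 1:
                return "drop: replay"
        # State changes only after the MAC verifies, so a forged packet with a
        # large sequence number cannot push the window forward.
        if not hmac.compare_digest(tag, mac(self.key, spi, seq, payload)):
            return "drop: bad MAC"
        if seq > self.top:
            self.seen = ((self.seen << (seq - self.top)) | 1) & ((1 << W) - 1)
            self.top = seq
        else:
            self.seen |= 1 << (self.top - seq)
        return "accept"
```

A packet that arrives late but still inside the window is accepted once; the same packet a second time, or one that has fallen off the left edge, is dropped.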
Tunnel Mode AH
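[Figure: tunnel mode AH between the Internet, a security gateway (SG) and the intranet. Without IPSec: TCP header, payload data. With AH: payload data, SPI, MAC]
Details of ESP
[Figure: ESP packet format: Security Parameters Index (SPI, 32 bits), Sequence Number (32 bits), Payload Data, Padding / Next Header, Authentication Data]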
- Security Parameters Index (SPI)
  - Specifies to the receiver the algorithms, type of keys, and lifetime of the keys used
- Sequence number
  - Counter that increases with each IP packet sent from the same host to the same destination and SA
- Payload
  - Application data carried in the TCP segment
- Padding
  - 0 to 255 bytes of data to enable encryption algorithms to operate properly
  - To mislead sniffers from estimating the amount of data transmitted
- Authentication Data
  - MAC created over the packet
[Figure: ESP packet. Without IPSec: payload data. With ESP: TCP header, payload data, ESP trailer, ESP auth, with the encrypted and authenticated regions marked]
Perimeter Defense
- Organization system consists of a network of many host machines
  - The system is as secure as the weakest link
- If host machines are scattered and need to use public network, use encryption
  - Virtual Private Networks (VPNs)
Perimeter Defense
- Is it adequate?
  - Locating and securing all perimeter points is quite difficult
    - Less effective for large border
  - Inspecting/ensuring that remote connections are adequately protected is difficult
  - Insider attack is often the most damaging
Firewalls
- Total isolation of networked systems is undesirable
  - Use firewalls to achieve selective border control
- Firewall
  - Is a configuration of machines and software
  - Limits network access
  - Comes for free inside many devices: routers, modems, wireless base stations, etc.
  - Alternate: a firewall is a host that mediates access to a network, allowing and disallowing certain types of access based on a configured security policy
- Cannot prevent insider attack
- Firewalls act at a particular layer (or layers)
Secure IP VPNs
- Use the public Internet as part of the virtual private network
- Provide security!
  - Confidentiality and integrity of data
  - User authentication
  - Network access control
- IPSec
Tunneling in VPN
[Figure: tunneling in a VPN; surviving label: Mail server]
Issues
- IP: Intranet hidden from outside world
  - Internal addresses can be real
    - Proxy maps between real address and firewall
- Mail Forwarding
  - Hide internal addresses
  - Map incoming mail to real server
  - Additional incoming/outgoing checks
- Network Boundaries
  - Firewall
    - Filtering firewall: Based on packet headers
    - Audit mechanism
  - Proxy
    - Proxy firewall: Gives external view that hides intranet
    - Contents of packets and messages besides attributes of packet headers
Firewalls: Configuration
- External Firewall
  - What traffic allowed
    - External source: IP restrictions
    - What type of traffic: Ports (e.g., SMTP, HTTP)
- Internal Firewall
  - Traffic restrictions: Ports, From/to IP
  - Proxy between intranet and outside
DMZ Administration
- Direct console access required?
  - Real hassle
- Special access
  - SSH connections allowed from internal to DMZ administration connections
  - Only from specified internal IPs
  - Only through internal firewall
Assurance
Overview
- Trust
- Problems from lack of assurance
- Types of assurance
- Life cycle and assurance
- Waterfall life cycle model
- Other life cycle models
Trust
- Trustworthy entity has sufficient credible evidence leading one to believe that the system will meet a set of requirements
- Trust is a measure of trustworthiness relying on the evidence
- Assurance is confidence that an entity meets its security requirements based on evidence provided by the application of assurance techniques
  - Formal methods, design analysis, testing, etc.
Relationships
- Policy: Statement of requirements that explicitly defines the security expectations of the mechanism(s)
- Assurance: Provides justification that the mechanism meets policy through assurance evidence and approvals based on evidence
- Mechanisms: Executable entities that are designed and implemented to meet the requirements of the policy
- Evaluation standards
  - Trusted Computer System Evaluation Criteria
  - Information Technology Security Evaluation Criteria
  - Common Criteria
Examples
- Challenger explosion (1986)
  - Sensors removed from booster rockets to meet accelerated launch schedule
Role of Requirements
- Requirements are statements of goals that must be met
  - Vary from high-level, generic issues to low-level, concrete issues
- Security objectives are high-level security issues and business goals
- Security requirements are specific, concrete issues
Types of Assurance
- Policy assurance is evidence establishing security requirements in policy is complete, consistent, technically sound
  - To counter threats and meet objectives
- Design assurance is evidence establishing design sufficient to meet requirements of security policy
- Implementation assurance is evidence establishing implementation consistent with security requirements of security policy
  - Need to use good engineering practices
Types of Assurance
- Operational assurance is evidence establishing system sustains the security policy requirements during installation, configuration, and day-to-day operation
  - Also called administrative assurance
  - Example: do a thorough review of product or system documentation and procedures, to ensure that the system cannot accidentally be placed in a non-secure state.
Assurance steps
[Figure: assurance steps; surviving labels: Design, Implementation]
Life Cycle
- Conception
- Manufacture
- Deployment
- Fielded Product Life
Conception
- Idea
  - Decisions to pursue it
- Proof of concept
  - See if idea has merit
  - Rapid prototyping, analysis, etc.
- High-level requirements analysis
  - What does secure mean for this concept?
- Identify threats
  - Is it possible for this concept to meet this meaning of security?
  - Is the organization willing to support the additional resources required to make this concept meet this meaning of security?
Manufacture
- Develop detailed plans for each group involved
  - May depend on use; internal product requires no sales
  - Plans: marketing, sales training, development, testing
  - Software development and engineering process
Deployment
- Delivery
  - Assure that correct (assured) masters are delivered to production and protected
  - Distribute to customers, sales organizations
- System and software design
- Implementation and unit testing
- Integration and system testing
- Operation and maintenance
Relationship of Stages
Models
- Formal transformation
  - Create formal specification
  - Translate it into program using correctness-preserving transformations
  - Very conducive to assurance methods
Models
- Extreme programming
  - Rapid prototyping and best practices
  - Project driven by business decisions
  - Requirements open until project complete
  - Programmers work in teams
  - Components tested, integrated several times a day
  - Objective is to get system into production as quickly as possible, then enhance it
  - Evidence adduced after development needed for assurance
Key Points
- Assurance critical for determining trustworthiness of systems
- Different levels of assurance, from informal evidence to rigorous mathematical evidence
- Assurance needed at all stages of system life cycle