Security

Balaji Shanmugam

2
Balaji.S

Security services related to the message or entity

Network security can provide five services. Four of these services are related to the message exchanged using the network. The fifth service provides entity authentication or identification.

MESSAGE CONFIDENTIALITY

The concept of how to achieve message confidentiality or privacy has not changed for thousands of years. The message must be encrypted at the sender site and decrypted at the receiver site. This can be done using either symmetric-key cryptography or asymmetric-key cryptography.

Topics discussed in this section:

Confidentiality with Symmetric-Key Cryptography Confidentiality with Asymmetric-Key Cryptography

Message confidentiality using symmetric keys in two directions

MESSAGE INTEGRITY

Encryption and decryption provide secrecy, or confidentiality, but not integrity. However, on occasion we may not even need secrecy, but instead must have integrity.

Topics discussed in this section:

Document and Fingerprint Message and Message Digest Creating and Checking the Digest Hash Function Criteria

31.6

Message and message digest

Checking integrity

PGP

PGP
One of the protocols to provide security at the application layer is Pretty Good Privacy (PGP). PGP is designed to create authenticated and confidential e-mails.

Topics discussed in this section:

Security Parameters Services PGP Algorithms Key Rings PGP Certificates
32.10

Position of PGP in the TCP/IP protocol suite

Note In PGP, the sender of the message needs to include the identifiers of the algorithms used in the message as well as the values of the keys.

32.12

SSH Operation
(Secure Shell )
The Swiss Army Knife of encryption tools

SSH Features
Command line terminal connection tool Replacement for rsh, rcp, telnet, and others All traffic encrypted Both ends authenticate themselves to the other end Ability to carry and encrypt non-terminal traffic

SSH Features
Command line terminal connection tool Replacement for rsh, rcp, telnet, and others All traffic encrypted Both ends authenticate themselves to the other end Ability to carry and encrypt non-terminal traffic

Port Forwarding real server on remote machine

I want to listen on port 5110 on this machine; all packets arriving here get sent to mailserver, port 110:
ssh L 5110:mailserver:110 mailserver

Port Forwarding real server on this machine

All web traffic to my firewall should be redirected to the web server running on port 8000 on my machine instead:
ssh R 80:MyMachine:8000 firewall

SSH key background

Old way: password stored on server, user supplied password compared to stored version New way: private key kept on client, public key stored on server.

SSH key installation

3 versions of ssh: interoperability is good, but poorly documented ssh-keyinstall utility automates the creation and installation
ssh-keyinstall s SshServerName creates keys, if needed, and installs them on the remote server Need password during key install only

END