management and info security


ITC358 ICT Management and Information Security

Chapter 10

Protection Mechanisms

People are the missing link to improving Information Security. Technology alone can’t solve the challenges of Information Security. – The Human Firewall Council

1

Objectives

Upon completion of this chapter, you should be able to:

Describe the various access control approaches, including authentication, authorisation, and biometric access controls

Identify the various types of firewalls and the common approaches to firewall implementation

Enumerate and discuss the current issues in dial-up access and protection

Identify and describe the types of intrusion detection systems and the two strategies on which they are based

Explain cryptography and the encryption process, and compare and contrast symmetric and asymmetric encryption

2

Introduction

Technical controls

Usually an essential part of information security programs

Insufficient if used alone

Must be combined with sound policy and education, training, and awareness efforts

Examples of technical security mechanisms

Access controls, firewalls, dial-up protection, intrusion detection systems, scanning and analysis tools, and encryption systems

3

Introduction (cont’d.)

Figure 10-1 Sphere of security

Source: Course Technology/Cengage Learning

4

Access Controls

The four processes of access control

Identification

Obtaining the identity of the person requesting access to a logical or physical area

Authentication

Confirming the identity of the person seeking access to a logical or physical area

Authorisation

Determining which actions a person can perform in that physical or logical area

Accountability

Documenting the activities of the authorised individual and systems

A successful access control approach always incorporates all four of these elements

5

Identification

A mechanism that provides information about a supplicant that requests access

Identifier (ID)

The label applied to the supplicant

Must be a unique value that can be mapped to one and only one entity within the security domain

Examples: name, first initial and surname

6

Authentication

Authentication mechanism types

Something you know

Something you have

Something you are

Something you produce

Strong authentication

Uses at least two different authentication mechanism types

7

Authentication (cont’d.)

Something you know

A password, passphrase, or other unique code

A password is a private word or combination of characters that only the user should know

A passphrase is a plain-language phrase, typically longer than a password, from which a virtual password is derived

Passwords should be at least eight characters long and contain at least one number and one special character

8

Table 10-1 Password power

Source: Course Technology/Cengage Learning

9

Authentication (cont’d.)

Something you have

Something that the user or system possesses

Examples:

A card, key, or token

A dumb card (such as an ATM card) with magnetic stripes

A smart card containing a processor

A cryptographic token (a processor in a card that has a display)

Tokens may be either synchronous or asynchronous

10

Authentication (cont’d.)

Figure 10-3 Access control tokens

Source: Course Technology/Cengage Learning

11

Authentication (cont’d.)

Something you are

Something inherent in the user that is evaluated using biometrics

Most technologies that scan human characteristics convert the images to obtain minutiae (unique points of reference that are digitised and stored in an encrypted format)

Something you produce

Something the user performs or produces

Includes technology related to signature recognition and voice recognition

12

Authentication (cont’d.)

Figure 10-4 Recognition characteristics

Source: Course Technology/Cengage Learning

13

Authorisation

Types of authorisation

Each authenticated user

The system performs an authentication process to verify the specific entity and then grants access to resources for only that entity

Members of a group

The system matches authenticated entities to a list of group memberships, and then grants access to resources based on the group’s access rights

Across multiple systems

A central system verifies identity and grants a set of credentials to the verified entity

14

Evaluating Biometrics

Biometric evaluation criteria

False reject rate (Type I error)

Percentage of authorised users who are denied access

False accept rate (Type II error)

Percentage of unauthorised users who are allowed access

Crossover error rate (CER)

Point at which the number of false rejections equals the number of false acceptances

15
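The three evaluation criteria above can be worked through on data. This is an added example, not part of the original slides: the match scores are constructed, and the rule "accept when score >= threshold" is an assumption about a hypothetical matcher.

```python
# Constructed match scores (0-100) from a hypothetical biometric matcher.
GENUINE_SCORES = [91, 85, 78, 66, 95, 72, 58, 88, 81, 69]    # authorised users
IMPOSTOR_SCORES = [12, 35, 48, 61, 27, 55, 71, 40, 19, 33]   # unauthorised users


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FRR %, FAR %) when a score >= threshold is accepted."""
    # Type I error: an authorised user scores below the threshold and is denied.
    false_rejects = sum(1 for s in genuine if s < threshold)
    # Type II error: an unauthorised user scores at or above it and is allowed.
    false_accepts = sum(1 for s in impostor if s >= threshold)
    frr = 100.0 * false_rejects / len(genuine)
    far = 100.0 * false_accepts / len(impostor)
    return frr, far


def crossover(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep every threshold and return (threshold, CER %) where FRR and FAR meet."""
    def gap(t):
        frr, far = error_rates(t, genuine, impostor)
        return abs(frr - far)

    best = min(range(0, 101), key=gap)   # first threshold with the smallest gap
    frr, far = error_rates(best, genuine, impostor)
    return best, (frr + far) / 2


if __name__ == "__main__":
    # A lenient threshold admits impostors, a strict one locks out real users.
    for t in (40, 62, 80):
        frr, far = error_rates(t)
        print(f"threshold={t:3d}  FRR={frr:5.1f}%  FAR={far:5.1f}%")
    print("crossover (threshold, CER %):", crossover())
```
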

Acceptability of Biometrics

Note: Iris scanning has experienced rapid growth in popularity due to its acceptability, low cost, and effective security

Figure 10-4 Recognition characteristics

Source: Harold F. Tipton and Micki Krause. Handbook of Information Security Management. Boca Raton, FL: CRC Press, 1998: 39–41.

16

Managing Access Controls

A formal access control policy

Determines how access rights are granted to entities and groups

Includes provisions for periodically reviewing all access rights, granting access rights to new employees, changing access rights when job roles change, and revoking access rights as appropriate

17

Firewalls

Any device that prevents a specific type of information from moving between two networks

Between the outside (untrusted network: e.g., the Internet), and the inside (trusted network)

May be a separate computer system

Or a service running on an existing router or server

Or a separate network with a number of supporting devices

18

The Development of Firewalls

Packet filtering firewalls

First generation firewalls

Simple networking devices that filter packets by examining every incoming and outgoing packet header

Selectively filter packets based on values in the packet header

Can be configured to filter based on IP address, type of packet, port request, and/or other elements present in the packet

19

The Development of Firewalls (cont’d.)

Table 10-4 Packet filtering example rules

Source: Course Technology/Cengage Learning

20

The Development of Firewalls (cont’d.)

Application-level firewalls

Second generation firewalls

Consists of dedicated computers kept separate from the first filtering router (edge router)

Commonly used in conjunction with a second or internal filtering router - or proxy server

The proxy server, rather than the Web server, is exposed to the outside world from within a network segment called the demilitarised zone (DMZ), an intermediate area between a trusted network and an untrusted network

21

The Development of Firewalls (cont’d.)

Application-level firewalls (cont’d.)

Implemented for specific protocols

Stateful inspection firewalls

Third generation firewalls

Keeps track of each network connection established between internal and external systems using a state table

State tables track the state and context of each packet exchanged by recording which station sent which packet and when

22

The Development of Firewalls (cont’d.)

Stateful inspection firewalls (cont’d.)

Can restrict incoming packets by allowing access only to packets that constitute responses to requests from internal hosts

If the stateful inspection firewall receives an incoming packet that it cannot match to its state table

It uses ACL rights to determine whether to allow the packet to pass

23
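The stateful inspection behaviour described on the two slides above, as an added example that is not part of the original slides: outbound packets create state-table entries, inbound packets are allowed when they answer a recorded request, and anything else falls through to an ACL. The addresses, the 60-second idle timeout and the ACL contents are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

TRUSTED_NET = ip_network("10.0.0.0/8")  # assumed internal (trusted) network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "tcp", "udp" or "icmp"
    time: float = 0.0   # arrival time in seconds


@dataclass(frozen=True)
class AclRule:
    action: str             # "allow" or "deny"
    proto: str              # protocol name or "any"
    dst: str                # destination network in CIDR form
    dport: Optional[int]    # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.dport in (None, pkt.dport))


# Constructed ACL for inbound packets with no state entry; the first match wins.
INBOUND_ACL = [
    AclRule("deny", "icmp", "0.0.0.0/0", None),     # deny all ICMP
    AclRule("deny", "tcp", "0.0.0.0/0", 23),        # block Telnet from outside
    AclRule("allow", "tcp", "10.0.0.25/32", 25),    # SMTP only to the mail gateway
    AclRule("deny", "any", "0.0.0.0/0", None),      # default deny
]


class StatefulFirewall:
    def __init__(self, acl, idle_timeout=60.0):
        self.acl = acl
        self.idle_timeout = idle_timeout
        # (proto, inside host, inside port, outside host, outside port) -> last seen
        self.state = {}

    def handle(self, pkt: Packet):
        """Return (action, reason) for one packet and update the state table."""
        if ip_address(pkt.src) in TRUSTED_NET:
            # Traffic from the trusted network is allowed out and recorded.
            self.state[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.time
            return ("allow", "outbound")
        # Inbound: a response reverses the addresses and ports of the request.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        last_seen = self.state.get(key)
        if last_seen is not None and pkt.time - last_seen <= self.idle_timeout:
            self.state[key] = pkt.time
            return ("allow", "state")
        self.state.pop(key, None)   # drop an expired entry, if any
        for rule in self.acl:
            if rule.matches(pkt):
                return (rule.action, "acl")
        return ("deny", "no-rule")


if __name__ == "__main__":
    fw = StatefulFirewall(INBOUND_ACL)
    traffic = [
        Packet("10.0.0.5", 40000, "203.0.113.10", 443, "tcp", 0.0),    # request
        Packet("203.0.113.10", 443, "10.0.0.5", 40000, "tcp", 1.0),    # its reply
        Packet("203.0.113.10", 443, "10.0.0.5", 40001, "tcp", 1.0),    # unsolicited
        Packet("198.51.100.7", 5555, "10.0.0.25", 25, "tcp", 2.0),     # inbound SMTP
        Packet("203.0.113.10", 443, "10.0.0.5", 40000, "tcp", 100.0),  # stale reply
    ]
    for p in traffic:
        print(p.src, "->", p.dst, p.dport, fw.handle(p))
```
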

The Development of Firewalls (cont’d.)

Dynamic packet filtering firewall

Fourth generation firewall

Allows only a particular packet with a specific source, destination, and port address to pass through the firewall

Understands how the protocol functions, and opens and closes firewall pathways

An intermediate form between traditional static packet filters and application proxies

24

Firewall Architectures

Each firewall generation can be implemented in several architectural configurations

Common architectural implementations

Packet filtering routers

Screened-host firewalls

Dual-homed host firewalls

Screened-subnet firewalls

25

Firewall Architectures (cont’d.)

Packet filtering routers

Most organisations with an Internet connection use some form of router between their internal networks and the external service provider

Many can be configured to block packets that the organisation does not allow into the network

Such an architecture lacks auditing and strong authentication

The complexity of the access control lists used to filter the packets can grow to a point that degrades network performance

26

Firewall Architectures (cont’d.)

Figure 10-5 Packet filtering firewall

Source: Course Technology/Cengage Learning

27

Firewall Architectures (cont’d.)

Screened-host firewall systems

Combine the packet filtering router with a separate, dedicated firewall such as an application proxy server

Allows the router to screen packets

Minimises network traffic and load on the internal proxy

The application proxy examines an application layer protocol, such as HTTP, and performs the proxy services

Bastion host

A single, rich target for external attacks

Should be very thoroughly secured

28

Firewall Architectures (cont’d.)

Figure 10-6 Screened-host firewall

Source: Course Technology/Cengage Learning

29

Firewall Architectures (cont’d.)

Dual-homed host firewalls

The bastion host contains two network interfaces

One is connected to the external network

One is connected to the internal network

Requires all traffic to travel through the firewall to move between the internal and external networks

Network-address translation (NAT) is often implemented with this architecture, which converts external IP addresses to special ranges of internal IP addresses

These special, nonroutable addresses consist of three different ranges:

10.x.x.x: greater than 16.5 million usable addresses

192.168.x.x: greater than 65,500 addresses

172.16.0.x - 172.16.15.x: greater than 4000 usable addresses

30

Firewall Architectures (cont.)

Figure 10-7 Dual-homed host firewall

Source: Course Technology/Cengage Learning

31

Screened-Subnet Firewalls

Consists of one or more internal bastion hosts located behind a packet filtering router, with each host protecting the trusted network

The first general model uses two filtering routers, with one or more dual-homed bastion hosts between them

The second general model shows connections routed as follows:

Connections from the untrusted network are routed through an external filtering router

Connections from the untrusted network are routed into—and then out of—a routing firewall to the separate network segment known as the DMZ

Second general model (cont’d.)

Connections into the trusted internal network are allowed only from the DMZ bastion host servers

Firewall Architectures (cont.)

32

Figure 10-8 Screened subnet (DMZ)

Source: Course Technology/Cengage Learning

Firewall Architectures (cont.)

33

Selecting the Right Firewall

Questions to ask when evaluating a firewall:

Firewall technology:

What type offers the right balance between protection and cost for the organisation’s needs?

Cost:

What features are included in the base price? At extra cost? Are all cost factors known?

Maintenance:

How easy is it to set up and configure the firewall?

Maintenance: (cont’d.)

How accessible are the staff technicians who can competently configure the firewall?

Future growth:

Can the candidate firewall adapt to the growing network in the target organisation?

34

Managing Firewalls

Any firewall device must have its own configuration

Regulates its actions

Regardless of firewall implementation

Policy regarding firewall use

Should be articulated before the firewall is made operable

Configuring firewall rule sets can be difficult

Each firewall rule must be carefully crafted, placed into the list in the proper sequence, debugged, and tested

35

Managing Firewalls (cont’d.)

Configuring firewall rule sets (cont’d.)

Proper sequence: perform most resource-intensive actions after the most restrictive ones

Reduces the number of packets that undergo intense scrutiny

Firewalls deal strictly with defined patterns of measured observation

Are prone to programming errors, flaws in rule sets, and other inherent vulnerabilities

Firewalls are designed to function within limits of hardware capacity

Can only respond to patterns of events that happen in an expected and reasonably simultaneous sequence

36

Managing Firewalls (cont’d.)

Firewall best practices

All traffic from the trusted network allowed out

The firewall is never accessible directly from the public network

Simple Mail Transport Protocol (SMTP) data is allowed to pass through the firewall

Should be routed to a SMTP gateway

All Internet Control Message Protocol (ICMP) data should be denied

37

Managing Firewalls (cont’d.)

Firewall best practices (cont’d.)

Telnet (terminal emulation) access to all internal servers from the public networks should be blocked

When Web services are offered outside the firewall

HTTP traffic should be handled by some form of proxy access or DMZ architecture

38

Intrusion Detection and Prevention Systems

The term intrusion detection/prevention system (IDPS) can be used to describe current anti-intrusion technologies

Can detect an intrusion

Can also prevent that intrusion from successfully attacking the organisation by means of an active response

39

Intrusion Detection and Prevention Systems (cont’d.)

IDPSs work like burglar alarms

Administrators can choose the alarm level

Can be configured to notify administrators via e-mail and numerical or text paging

Like firewall systems, IDPSs require complex configurations to provide the level of detection and response desired

40

The newer IDPS technologies

Different from older IDS technologies

IDPS technologies can respond to a detected threat by attempting to prevent it from succeeding

Types of response techniques:

The IDPS stops the attack itself

The IDPS changes the security environment

The IDPS changes the attack’s content

Intrusion Detection and Prevention Systems (cont’d.)

41

IDPSs are either network based to protect network information assets

Or host based to protect server or host information assets

IDPS detection methods

Signature based

Statistical anomaly based

Intrusion Detection and Prevention Systems (cont’d.)

42

Intrusion Detection and Prevention Systems (cont’d.)

Figure 10-9 Intrusion detection and prevention systems

Source: Course Technology/Cengage Learning

43

Host-Based IDPS

Configures and classifies various categories of systems and data files

IDPSs provide only a few general levels of alert notification

Unless the IDPS is very precisely configured, benign actions can generate a large volume of false alarms

Host-based IDPSs can monitor multiple computers simultaneously

44

Network-Based IDPS

Monitor network traffic

When a predefined condition occurs, notifies the appropriate administrator

Looks for patterns of network traffic

Match known and unknown attack strategies against their knowledge base to determine whether an attack has occurred

Yield many more false-positive readings than host-based IDPSs

45

Signature-Based IDPS

Examines data traffic for something that matches the preconfigured, predetermined attack pattern signatures

Also called knowledge-based IDPS

The signatures must be continually updated as new attack strategies emerge

A weakness of this method:

If attacks are slow and methodical, they may slip undetected through the IDPS, as their actions may not match a signature that includes factors based on duration of the events

46

Statistical Anomaly-Based IDPS

Also called behavior-based IDPS

First collects data from normal traffic and establishes a baseline

Then periodically samples network activity, based on statistical methods, and compares the samples to the baseline

When activity falls outside the baseline parameters (clipping level)

The IDPS notifies the administrator

Advantage: Able to detect new types of attacks, because it looks for abnormal activity of any type

47
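The baseline-and-clipping-level approach on the slide above, as an added example that is not part of the original slides. The metric names, the sample values and the choice of mean plus or minus three standard deviations as the clipping level are assumptions made for illustration.

```python
from statistics import mean, pstdev

# Constructed per-minute observations collected during normal operation.
BASELINE_SAMPLES = {
    "connections_per_min": [100, 104, 98, 102, 96, 101, 99, 100],
    "failed_logins_per_min": [2, 1, 3, 2, 2, 1, 3, 2],
}


def build_baseline(samples, k=3.0):
    """Return {metric: (low, high)} clipping levels at mean +/- k standard deviations."""
    baseline = {}
    for metric, values in samples.items():
        mu, sigma = mean(values), pstdev(values)
        baseline[metric] = (mu - k * sigma, mu + k * sigma)
    return baseline


def check_sample(baseline, sample):
    """Compare one periodic sample to the baseline; return a list of alerts."""
    alerts = []
    for metric, value in sample.items():
        low, high = baseline[metric]
        if not low <= value <= high:
            # Activity outside the clipping level in either direction is abnormal.
            direction = "above" if value > high else "below"
            alerts.append((metric, value, direction))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SAMPLES)
    # Constructed periodic samples: normal, traffic burst, login storm, traffic drop.
    samples = [
        {"connections_per_min": 103, "failed_logins_per_min": 3},
        {"connections_per_min": 140, "failed_logins_per_min": 2},
        {"connections_per_min": 99, "failed_logins_per_min": 25},
        {"connections_per_min": 60, "failed_logins_per_min": 2},
    ]
    for s in samples:
        print(s, "->", check_sample(baseline, s) or "within baseline")
```

No signature is involved: the login storm and the traffic drop are flagged only because they differ from what was measured as normal, which is also why a poorly chosen baseline produces false alarms.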

Managing Intrusion Detection and Prevention Systems

If there is no response to an alert, then an alarm does no good

IDPSs must be configured to differentiate between routine circumstances and low, moderate, or severe threats

A properly configured IDPS can translate a security alert into different types of notifications

A poorly configured IDPS may yield only noise

48

Managing Intrusion Detection and Prevention Systems (cont’d.)

Most IDPSs monitor systems using agents

Software that resides on a system and reports back to a management server

Consolidated enterprise manager

Software that allows the security professional to collect data from multiple host- and network-based IDPSs and look for patterns across systems and subnetworks

Collecting responses from all IDPSs

Used to identify cross-system probes and intrusions

49

Remote Access Protection

War-dialer

A device used by an attacker to locate an organisation’s dial-up connection points

Network connectivity using dial-up connections

Usually much simpler and less sophisticated than Internet connections

Simple user name and password schemes are usually the only means of authentication

50

RADIUS and TACACS

Systems that authenticate the credentials of dial-up access users

Typical dial-up systems place the authentication of users on the system connected to the modems

A Remote Authentication Dial-In User Service (RADIUS) system

Centralises the management of user authentication

Placing the responsibility for authenticating each user in the central RADIUS server

51

RADIUS and TACACS (cont’d.)

A remote access server receives a request for a network connection from a dial-up client

It passes the request along with the user’s credentials to the RADIUS server, which validates the credentials

The Terminal Access Controller Access Control System (TACACS) works similarly

Based on a client/server configuration

52

RADIUS and TACACS (cont’d.)

Figure 10-10 RADIUS configuration

Source: Course Technology/Cengage Learning

53

Managing Dial-Up Connections

Organisations that continue to offer dial-up (VPN to be concerned) remote access must:

Determine how many dial-up connections the organisation has

Control access to authorised modem numbers

Use call-back whenever possible

Use token-based authentication if at all possible

54

Wireless Networking Protection

Most organisations that make use of wireless networks use an implementation based on the IEEE 802.11 protocol

The size of a wireless network’s footprint

Depends on the amount of power the transmitter/receiver wireless access points (WAP) emit

Sufficient power must exist to ensure quality connections within the intended area

But not allow those outside the footprint to connect

55

Wireless Networking Protection (cont’d.)

War driving

Moving through a geographic area or building, actively scanning for open or unsecured WAPs

Common encryption protocols used to secure wireless networks

Wired Equivalent Privacy (WEP)

Wi-Fi Protected Access (WPA)

56

Wired Equivalent Privacy (WEP)

Provides a basic level of security to prevent unauthorised access or eavesdropping

Does not protect users from observing each other’s data

Has several fundamental cryptological flaws

Resulting in vulnerabilities that can be exploited, which led to replacement by WPA

57

Wi-Fi Protected Access (WPA)

WPA is an industry standard

Created by the Wi-Fi Alliance

Some compatibility issues with older WAPs

IEEE 802.11i

Has been implemented in products such as WPA2

WPA2 has newer, more robust security protocols based on the Advanced Encryption Standard

WPA/WPA2 provide increased capabilities for authentication, encryption, and throughput

58

Wi-Max

Wi-Max (WirelessMAN)

An improvement on the technology developed for cellular telephones and modems

Developed as part of the IEEE 802.16 standard

A certification mark that stands for Worldwide Interoperability for Microwave Access

59

Bluetooth

A de-facto industry standard for short range (approx 30 ft) wireless communications between devices

The Bluetooth wireless communications link can be exploited by anyone within range

Unless suitable security controls are implemented

In discoverable mode devices can easily be accessed

Even in nondiscoverable mode, the device is susceptible to access by other devices that have connected with it in the past

60

Bluetooth (cont’d.)

Does not authenticate connections

It does implement some degree of security when devices access certain services like dial-up accounts and local-area file transfers

To secure Bluetooth enabled devices:

Turn off Bluetooth when you do not intend to use it

Do not accept an incoming communications pairing request unless you know who the requestor is

61

Managing Wireless Connections

One of the first management requirements is to regulate the size of the wireless network footprint

By adjusting the placement and strength of the WAPs

Select WPA or WPA2 over WEP

Protect preshared keys

62

Scanning and Analysis Tools

Used to find vulnerabilities in systems

Holes in security components, and other unsecured aspects of the network

Conscientious administrators frequently browse for new vulnerabilities, recent conquests, and favorite assault techniques

Security administrators may use attacker’s tools to examine their own defenses and search out areas of vulnerability

63

Scanning and Analysis Tools (cont’d.)

Scanning tools

Collect the information that an attacker needs to succeed

Footprinting

The organised research of the Internet addresses owned by a target organisation

Fingerprinting (nmap -sV des_host)

The systematic examination of all of the organisation’s network addresses

Yields useful information about attack targets

64

Port Scanners

A port is a network channel or connection point in a data communications system

Port scanning utilities (port scanners)

Identify computers that are active on a network, as well as their active ports and services, the functions and roles fulfilled by the machines, and other useful information

65

Port Scanners (cont’d.)

Well-known ports

Those from 0 through 1023

Registered ports are those from 1024 through 49151

Dynamic and private ports are those from 49152 through 65535

Open ports must be secured

Can be used to send commands to a computer, gain access to a server, and exert control over a networking device

66

Table 10-5 Commonly used port numbers

Source: Course Technology/Cengage Learning

Port Scanners (cont’d.)

67

Vulnerability Scanners

Capable of scanning networks for very detailed information

Variants of port scanners

Identify exposed user names and groups, show open network shares, and expose configuration problems and other server vulnerabilities

68

Packet Sniffers

A network tool that collects and analyses packets on a network

It can be used to eavesdrop on network traffic

Connects directly to a local network from an internal location

To use a packet sniffer legally, you must:

Be on a network that the organisation owns

Be directly authorised by the network’s owners

Have the knowledge and consent of the users

Have a justifiable business reason for doing so

69

Content Filters

Protect the organisation’s systems from misuse

And unintentional denial-of-service conditions

A software program or a hardware/software appliance that allows administrators to restrict content that comes into a network

Common application of a content filter

Restriction of access to Web sites with non-business-related material, such as pornography, or restriction of spam e-mail

Content filters ensure that employees are using network resources appropriately

70

Trap and Trace

Growing in popularity

Trap function

Describes software designed to entice individuals who are illegally perusing the internal areas of a network

Trace

A process by which the organisation attempts to determine the identity of someone discovered in unauthorised areas of the network or systems

If the identified individual is outside the security perimeter

Policy will guide the process of escalation to law enforcement or civil authorities

71

Managing Scanning and Analysis Tools

The security manager must be able to see the organisation’s systems and networks from the viewpoint of potential attackers

The security manager should develop a program to periodically scan his or her own systems and networks for vulnerabilities with the same tools that a typical hacker might use

Using in-house resources, contractors, or an outsourced service provider

72

Managing Scanning and Analysis Tools (cont’d.)

Drawbacks:

Tools do not have human-level capabilities

Most tools function by pattern recognition, so they only handle known issues

Most tools are computer-based, so they are prone to errors, flaws, and vulnerabilities of their own

Tools are designed, configured, and operated by humans and are subject to human errors

Some governments, agencies, institutions, and universities have established policies or laws that protect the individual user’s right to access content

Tool usage and configuration must comply with an explicitly articulated policy, and the policy must provide for valid exceptions

73

Cryptography

Encryption

The process of converting an original message into a form that cannot be understood by unauthorised individuals

Cryptology

The science of encryption

Composed of two disciplines: cryptography and cryptanalysis

74

Cryptography (cont’d.)

Cryptology (cont’d.)

Cryptography

Describes the processes involved in encoding and decoding messages so that others cannot understand them

Cryptanalysis

The process of deciphering the original message (or plaintext) from an encrypted message (or ciphertext), without knowing the algorithms and keys used to perform the encryption

75

Cryptography (cont’d.)

Algorithm

A mathematical formula or method used to convert an unencrypted message into an encrypted message

Cipher

The transformation of the individual components of an unencrypted message into encrypted components

Ciphertext or cryptogram

The unintelligible encrypted or encoded message resulting from an encryption

76

Cryptography (cont’d.)

Cryptosystem

The set of transformations that convert an unencrypted message into an encrypted message

Decipher

To decrypt or convert ciphertext to plaintext

Encipher

To encrypt or convert plaintext to ciphertext

77

Cryptography (cont’d.)

Key

The information used in conjunction with the algorithm to create the ciphertext from the plaintext

Can be a series of bits used in a mathematical algorithm, or the knowledge of how to manipulate the plaintext

78

Keyspace

The entire range of values that can possibly be used to construct an individual key

Plaintext (differ to Cleartext??)

The original unencrypted message that is encrypted and results from successful decryption

Steganography

The process of hiding messages, usually within graphic images

Work factor

The amount of effort (usually expressed in hours) required to perform cryptanalysis on an encoded message

Cryptography (cont’d.)

79

Encryption Operations

Common ciphers

Most commonly used algorithms include three functions: substitution, transposition, and XOR

In a substitution cipher, you substitute one value for another

A monoalphabetic substitution uses only one alphabet

A polyalphabetic substitution uses two or more alphabets

80

Encryption Operations (cont’d.)

Transposition cipher (or permutation cipher)

Simply rearranges the values within a block to create the ciphertext

Can be done at the bit level or at the byte (character) level

XOR cipher conversion

The bit stream is subjected to a Boolean XOR function against some other data stream, typically a key stream

81

Encryption Operations (cont’d.)

XOR works as follows:

‘0’ XOR’ed with ‘0’ results in a ‘0’. (0 ⊕ 0 = 0)

‘0’ XOR’ed with ‘1’ results in a ‘1’. (0 ⊕ 1 = 1)

‘1’ XOR’ed with ‘0’ results in a ‘1’. (1 ⊕ 0 = 1)

‘1’ XOR’ed with ‘1’ results in a ‘0’. (1 ⊕ 1 = 0)

If the two values are the same, you get “0”; if not, you get “1”

Process is reversible; if you XOR the ciphertext with the key stream, you get the plaintext

82

Encryption Operations (cont’d.)

Vernam cipher

Also known as the one-time pad

Was developed at AT&T

Uses a set of characters that are used for encryption operations only one time and then discarded

Values from this one-time pad are added to the block of text, and the resulting sum is converted to text

83
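The XOR conversion and the Vernam cipher from the slides above, as an added example that is not part of the original slides. The letter numbering A=0 to Z=25 with wrap-around at 26, the sample messages and the function names are assumptions.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase


def xor_stream(data: bytes, key_stream: bytes) -> bytes:
    """XOR each byte of data with the matching byte of the key stream."""
    if len(key_stream) < len(data):
        raise ValueError("key stream must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, key_stream))


def _shift(text: str, pad: str, sign: int) -> str:
    # Vernam on letters: add (or subtract) the pad value and wrap around at 26.
    if len(pad) < len(text):
        raise ValueError("pad must be at least as long as the text")
    return "".join(
        ALPHABET[(ALPHABET.index(t) + sign * ALPHABET.index(p)) % 26]
        for t, p in zip(text, pad)
    )


def vernam_encrypt(plaintext: str, pad: str) -> str:
    return _shift(plaintext, pad, +1)


def vernam_decrypt(ciphertext: str, pad: str) -> str:
    return _shift(ciphertext, pad, -1)


def new_pad(length: int) -> str:
    """Generate a random pad of upper-case letters, to be used once and discarded."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def reuse_leaks_relationship(p1: bytes, p2: bytes) -> bool:
    """Show why the pad is discarded: with a reused key stream the key cancels out,
    so XORing the two ciphertexts equals XORing the two plaintexts."""
    key_stream = secrets.token_bytes(max(len(p1), len(p2)))
    c1, c2 = xor_stream(p1, key_stream), xor_stream(p2, key_stream)
    n = min(len(c1), len(c2))
    return xor_stream(c1[:n], c2[:n]) == xor_stream(p1[:n], p2[:n])


if __name__ == "__main__":
    message = b"MEET AT NOON"                       # constructed sample message
    ks = secrets.token_bytes(len(message))
    ct = xor_stream(message, ks)
    print(ct.hex(), "->", xor_stream(ct, ks))       # XOR again to reverse
    print(vernam_encrypt("HELLO", "XMCKL"))         # fixed pad for a repeatable run
    pad = new_pad(5)
    print(vernam_decrypt(vernam_encrypt("HELLO", pad), pad))
    print("key stream reuse leaks p1 XOR p2:",
          reuse_leaks_relationship(b"PAYROLL RUN", b"BACKUP DONE"))
```
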

Encryption Operations (cont’d.)

Book or running key cipher

Used in the occasional spy movie

Uses text in a book as the algorithm to decrypt a message

The key relies on two components:

Knowing which book to use

A list of codes representing the page number, line number, and word number of the plaintext word

84

Encryption Operations (cont’d.)

Symmetric encryption

Known as private key encryption, or symmetric encryption

The same key (a secret key) is used to encrypt and decrypt the message

Methods are usually extremely efficient

Requiring easily accomplished processing to encrypt or decrypt the message

Challenge in symmetric key encryption is getting a copy of the key to the receiver

85

Encryption Operations (cont’d.)

Figure 10-11 Symmetric encryption

Source: Course Technology/Cengage Learning

86

Encryption Operations (cont’d.)

Data Encryption Standard (DES)

Developed in 1977 by IBM

Based on the Data Encryption Algorithm which uses a 64-bit block size and a 56-bit key

A Federally approved standard for non-classified data

Was cracked in 1997 when the developers of a new algorithm, Rivest-Shamir-Adleman, offered a $10,000 reward for the first person or team to crack the algorithm

87

Encryption Operations (cont’d.)

Data Encryption Standard (cont’d.)

Fourteen thousand users collaborated over the Internet to finally break the encryption

Triple DES (3DES) was developed as an improvement to DES and uses as many as three keys in succession

88

Encryption Operations (cont’d.)

Advanced Encryption Standard (AES)

The successor to 3DES

Based on the Rijndael Block Cipher

Features a variable block length and a key length of either 128, 192, or 256 bits

In 1998, it took a computer designed by the Electronic Freedom Frontier more than 56 hours to crack DES

The same computer would take approximately 4,698,864 quintillion years to crack AES

89

Encryption Operations (cont’d.)

Asymmetric encryption

Also known as public key encryption

Uses two different, but related keys

Either key can be used to encrypt or decrypt the message

However, if Key A is used to encrypt the message, then only Key B can decrypt it; conversely, if Key B is used to encrypt a message, then only Key A can decrypt it

This technique is most valuable when one of the keys is private and the other is public

Problem: it requires four keys to hold a single conversation between two parties, and the number of keys grows geometrically as parties are added

90

Figure 10-12 Public key encryption

Source: Course Technology/Cengage Learning

Encryption Operations (cont’d.)

91

Digital signatures

Encrypted messages that are independently verified by a central facility (registry) as authentic

When the asymmetric process is reversed, the private key encrypts a message, and the public key decrypts it

The fact that the message was sent by the organisation that owns the private key cannot be refuted

This nonrepudiation is the foundation of digital signatures

Encryption Operations (cont’d.)

92

Digital certificate

An electronic document, similar to a digital signature, attached to a file certifying that the file is from the organisation it claims to be from and has not been modified from the original format

A certificate authority (CA)

An agency that manages the issuance of certificates and serves as the electronic notary public to verify their origin and integrity

Encryption Operations (cont’d.)

93

Encryption Operations (cont’d.)

Public key infrastructure (PKI)

The entire set of hardware, software, and cryptosystems necessary to implement public key encryption

PKI systems are based on public key cryptosystems and include digital certificates and certificate authorities

94

Encryption Operations (cont’d.)

PKI provides the following services

Authentication

Digital certificates in a PKI system permit individuals, organisations, and Web servers to authenticate the identity of each of the parties in an Internet transaction

Integrity

A digital certificate demonstrates that the content signed by the certificate has not been altered while in transit

Confidentiality

PKI keeps information confidential by ensuring that it is not intercepted during transmission over the Internet

95

Encryption Operations (cont’d.)

PKI provides the following services (cont’d.)

Authorisation

Digital certificates issued in a PKI environment can replace user IDs and passwords, enhance security, and reduce overhead required for authorisation processes and controlling access privileges for specific transactions

Nonrepudiation (contrast to steganography)

Digital certificates can validate actions, making it less likely that customers or partners can later repudiate a digitally signed transaction, such as an online purchase

96

Encryption Operations (cont’d.)

Figure 10-13 Digital signature

Source: Course Technology/Cengage Learning

97

Hybrid systems

Pure asymmetric key encryption is not widely used except in the area of certificates

It is typically employed in conjunction with symmetric key encryption, creating a hybrid system

The hybrid process in current use is based on the Diffie-Hellman key exchange method, which provides a way to exchange private keys using public key encryption without exposure to any third parties

Encryption Operations (cont’d.)

98

Hybrid systems (cont’d.)

In this method, asymmetric encryption is used to exchange symmetric keys so that two organisations can conduct quick, efficient, secure communications based on symmetric encryption

Diffie-Hellman provided the foundation for subsequent developments in public key encryption
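Worked example (added here, not from the slides or the textbook): a hybrid exchange in which one Diffie-Hellman step produces shared symmetric keys and all message traffic is then protected symmetrically. The group parameters are a constructed toy group, the function names are hypothetical, and a SHA-256 counter-mode keystream with HMAC stands in for a cipher such as AES, which the Python standard library does not provide.

```python
import hashlib
import hmac
import secrets

# Constructed toy group (Mersenne prime modulus) to keep the example short.
# Real deployments use standardised groups or elliptic curves.
P, G = 2**521 - 1, 3


def dh_keypair() -> tuple:
    """Return (private, public); only the public value crosses the network."""
    private = secrets.randbelow(P - 3) + 2
    return private, pow(G, private, P)


def session_keys(my_private: int, peer_public: int) -> tuple:
    """Derive separate encryption and MAC keys from the shared DH secret."""
    if not 1 < peer_public < P - 1:        # reject degenerate public values
        raise ValueError("invalid peer public value")
    shared = pow(peer_public, my_private, P).to_bytes(66, "big")
    return (hashlib.sha256(b"enc" + shared).digest(),
            hashlib.sha256(b"mac" + shared).digest())


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """SHA-256 in counter mode, a stand-in for AES (absent from the stdlib)."""
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(keys: tuple, plaintext: bytes) -> bytes:
    """Fast symmetric encryption, then a MAC over nonce and ciphertext."""
    enc_key, mac_key = keys
    nonce = secrets.token_bytes(12)
    body = _xor_stream(enc_key, nonce, plaintext)
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()


def open_sealed(keys: tuple, blob: bytes) -> bytes:
    """Check the MAC first and decrypt only if it verifies."""
    enc_key, mac_key = keys
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _xor_stream(enc_key, nonce, body)
```

The exchange shown here is unauthenticated: each side must still confirm whose public value it received, which is why the IPSec slide later in this chapter has the Diffie-Hellman exchanges signed with public key cryptography.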

Encryption Operations (cont’d.)

99

Figure 10-14 Hybrid encryption

Source: Course Technology/Cengage Learning

Encryption Operations (cont’d.)

100

Using Cryptographic Controls

Modern cryptosystems can generate unbreakable ciphertext

Possible only when the proper key management infrastructure has been constructed and when the cryptosystems are operated and managed correctly

Cryptographic controls can be used to support several aspects of the business:

Confidentiality and integrity of e-mail and its attachments

101

Using Cryptographic Controls (cont’d.)

Cryptographic controls can be used to support several aspects of the business: (cont’d.)

Authentication, confidentiality, integrity, and nonrepudiation of e-commerce transactions

Authentication and confidentiality of remote access through VPN connections

A higher standard of authentication when used to supplement access control systems

102

Using Cryptographic Controls (cont’d.)

Secure Multipurpose Internet Mail Extensions (S/MIME)

Builds on Multipurpose Internet Mail Extensions (MIME) encoding format

Adds encryption and authentication via digital signatures based on public key cryptosystems

Privacy Enhanced Mail (PEM, for instance *.CRT format)

Proposed by the Internet Engineering Task Force (IETF) as a standard that will function with public key cryptosystems

Uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures

103

Pretty Good Privacy (PGP)

Developed by Phil Zimmermann

Uses the IDEA Cipher

A 128-bit symmetric key block encryption algorithm with 64-bit blocks for message encoding

Like PEM, it uses RSA for symmetric key exchange and to support digital signatures

Using Cryptographic Controls (cont’d.)

104

Using Cryptographic Controls (cont’d.)

IP Security (IPSec)

The primary and dominant cryptographic authentication and encryption product of the IETF’s IP Protocol Security Working Group

Combines several different cryptosystems:

Diffie-Hellman key exchange for deriving key material between peers on a public network

Public key cryptography for signing the Diffie-Hellman exchanges to guarantee the identity of the two parties

Bulk encryption algorithms, such as DES, for encrypting the data

Digital certificates signed by a certificate authority to act as digital ID cards

105

Using Cryptographic Controls (cont’d.)

IPSec has two components:

The IP Security protocol

Specifies the information to be added to an IP packet and indicates how to encrypt packet data

The Internet Key Exchange, which uses asymmetric key exchange and negotiates the security associations

106

Using Cryptographic Controls (cont’d.)

IPSec works in two modes of operation:

Transport (http over SSL = remote VPN)

Only the IP data is encrypted, not the IP headers themselves

Allows intermediate nodes to read the source and destination addresses

Tunnel (site-to-site VPN)

The entire IP packet is encrypted and inserted as the payload in another IP packet

Often used to support a virtual private network

107

Using Cryptographic Controls (cont’d.)

Secure Electronic Transactions (SET)

Developed by MasterCard and VISA to provide protection from electronic payment fraud

Encrypts credit card transfers with DES for encryption and RSA for key exchange

Secure Sockets Layer (SSL)

Developed by Netscape in 1994 to provide security for e-commerce transactions

Uses RSA for key transfer

Uses IDEA, DES, or 3DES for encrypted symmetric key-based data transfer

108

Secure Hypertext Transfer Protocol

Provides secure e-commerce transactions and encrypted Web pages for secure data transfer over the Web, using different algorithms

Secure Shell (SSH)

Provides security for remote access connections over public networks by using tunneling and authentication services between a client and a server

Used to secure replacement tools for terminal emulation, remote management, and file transfer applications

Using Cryptographic Controls (cont’d.)

109

Cryptosystems provide enhanced and secure authentication

One approach is provided by Kerberos (V5 currently), which uses symmetric key encryption to validate an individual user’s access to various network resources

Keeps a database containing the private keys of clients and servers that are in the authentication domain that it supervises

Kerberos system knows these private keys and can authenticate one network node (client or server) to another

Kerberos also generates temporary session keys—that is, private keys given to the two parties in a conversation

Using Cryptographic Controls (cont’d.)

110

Managing Cryptographic Controls

Don’t lose your keys

Know who you are communicating with

It may be illegal to use a specific encryption technique when communicating with some nations

Every cryptosystem has weaknesses

Give access only to those with a business need

When placing trust into a certificate authority, ask “Who watches the watchers?”

There is no security in obscurity

Security protocols and the cryptosystems they use are installed and configured by humans

They are only as good as their installers

Make sure that your organisation’s use of cryptography is based on well-constructed policy and supported with sound management procedures

111

Summary

Introduction

Access controls

Firewalls

Intrusion detection and prevention systems

Dial-up protection

Wireless network protection

Scanning and analysis tools

Cryptography

112