Penultimate Review IT Security Ido Rosen University of Chicago 3 - - PowerPoint PPT Presentation

penultimate review
SMART_READER_LITE
LIVE PREVIEW

Penultimate Review IT Security Ido Rosen University of Chicago 3 - - PowerPoint PPT Presentation

Sep 19, 2023 203 likes •546 views

Policy Cryptography Network Security Penultimate Review IT Security Ido Rosen University of Chicago 3 March 2007 Ido Rosen Penultimate Review Policy Cryptography Network Security 1 Policy Information Security Framework Defining

slide-1
SLIDE 1

Policy Cryptography Network Security

Penultimate Review

IT Security Ido Rosen

University of Chicago

3 March 2007

Ido Rosen Penultimate Review

slide-2
SLIDE 2

Policy Cryptography Network Security

1

Policy Information Security Framework Defining Security Risk Assessment

2

Cryptography Terminology Hashing Algorithms

Example: MD5 Example: SHA1

Symmetric Algorithms

Example: DES Example: TDEA (3DES) Example: AES

Public Key Algorithms

Example: RSA

3

Network Security Networks Review Firewalls & NAT Tunneling VPN Protocols

SSL/TLS IPSec Kerberos

Ido Rosen Penultimate Review

slide-3
SLIDE 3

Policy Cryptography Network Security Information Security Framework

Information Security Framework

Strategies & Policies Manage Deployment Monitor Events Technology Solutions & Architecture

Ido Rosen Penultimate Review

slide-4
SLIDE 4

Policy Cryptography Network Security Defining Security

Confidentiality Integrity Availability Consistency Control Audit

Ido Rosen Penultimate Review

slide-5
SLIDE 5

Policy Cryptography Network Security Risk Assessment

Identify assets and their value. Identify threats. Calculate risks.

Ido Rosen Penultimate Review

slide-6
SLIDE 6

Policy Cryptography Network Security Risk Assessment

If only it were this simple... cost of prevention − cost of loss · probability of loss

Ido Rosen Penultimate Review

slide-7
SLIDE 7

Policy Cryptography Network Security Terminology

Terminology

Public Key Private/Secret Key Shared-secret/passphrase/password Hash (and collision) Salt (and salted hash) Cryptanalysis

Ciphertext-only attack Known plaintext attack Chosen plaintext attack

Digital signature Encryption, decryption Signature, verification

Ido Rosen Penultimate Review

slide-8
SLIDE 8

Policy Cryptography Network Security Hashing Algorithms

Concepts

One-way encryption. Some information is lost. Hash usually much smaller than data. Hash usually fixed size. Can ensure integrity if used w/signature or encryption. Collisions are bad!

Ido Rosen Penultimate Review

slide-9
SLIDE 9

Policy Cryptography Network Security Hashing Algorithms

MD5

Takes arbitrary length input. Outputs 128-bit fixed-length hash/digest. Collisions already detected.

Ido Rosen Penultimate Review

slide-10
SLIDE 10

Policy Cryptography Network Security Hashing Algorithms

SHA1

Takes arbitrary length input. Outputs 160-bit hash/digest.

Ido Rosen Penultimate Review

slide-11
SLIDE 11

Policy Cryptography Network Security Symmetric Algorithms

Concepts

Same key to encrypt and decrypt. Faster than public key algorithms. Easier to implement in hardware. Hash(shared-secret + message) can ensure integrity.

Ido Rosen Penultimate Review

slide-12
SLIDE 12

Policy Cryptography Network Security Symmetric Algorithms

DES

Block cipher. 56-bit keys. (3DES: 168-bit keys) 64-bit blocks. 16 rounds. (3DES: 48 rounds)

Ido Rosen Penultimate Review

slide-13
SLIDE 13

Policy Cryptography Network Security Symmetric Algorithms

TDEA (3DES)

Ido Rosen Penultimate Review

slide-14
SLIDE 14

Policy Cryptography Network Security Symmetric Algorithms

AES

State 4 × 4 array of bytes. Key 128, 192, or 256-bit shared secret. Key schedule Given a key, return subkeys for each round. Lookup table Rijndael S-box.

1

ADDROUNDKEY: Combine each byte of state with round key;

each round key is derived from cipher key using key schedule.

2

SUBBYTES: Non-linear substitution step, each byte is replaced

with another according to a lookup table.

3

SHIFTROWS: Transposition step, each row of the state is

shifted cyclically a certain number of steps.

4

MIXCOLUMNS: Mixing operation, operates on the columns of

the state, combines four bytes in each column using linear transformation.

In the last round, replace MIXCOLUMNS with ADDROUNDKEY.

Ido Rosen Penultimate Review

slide-15
SLIDE 15

Policy Cryptography Network Security Symmetric Algorithms

AES: ADDROUNDKEY

Ido Rosen Penultimate Review

slide-16
SLIDE 16

Policy Cryptography Network Security Symmetric Algorithms

AES: SUBBYTES

Ido Rosen Penultimate Review

slide-17
SLIDE 17

Policy Cryptography Network Security Symmetric Algorithms

AES: SHIFTROWS

Ido Rosen Penultimate Review

slide-18
SLIDE 18

Policy Cryptography Network Security Symmetric Algorithms

AES: MIXCOLUMNS

Ido Rosen Penultimate Review

slide-19
SLIDE 19

Policy Cryptography Network Security Public Key Algorithms

Concepts

Public key to encrypt, private key to decrypt. Private key can be passphrase-protected. Rely on difficulty of reverse operation for security. Some allow for signing with private key, and verification with public key.

Ido Rosen Penultimate Review

slide-20
SLIDE 20

Policy Cryptography Network Security Public Key Algorithms

RSA

p, q ∈ {prime numbers} n = p · q e = small odd integer, relatively prime to p and q d = e−1 mod φn (e, n) = public key (d, n) = secret key φn = (p − 1) · (q − 1) ci = me

i

mod n mi = cd

i

mod n

Ido Rosen Penultimate Review

slide-21
SLIDE 21

Policy Cryptography Network Security Networks Review

OSI Model

Physical Link Network Transport Session Presentation Application

Ido Rosen Penultimate Review

slide-22
SLIDE 22

Policy Cryptography Network Security Networks Review

Selected Topics

Hardware (bridges, hubs, switches, routers) Addresses (MAC, IP , etc.) Packet Encapsulation Network Address Translation TCP vs. UDP Switching & Routing Protocols

Address Resolution Protocol Spanning Tree Protocol Border Gateway Protocol

Application Protocols

HTTP , FTP , SMTP , IMAP , POP , SMB, NFS, ... SSH, FTP/SSL, HTTP/SSL, IMAP/SSL, ...

Ido Rosen Penultimate Review

slide-23
SLIDE 23

Policy Cryptography Network Security Firewalls & NAT

Types of Firewalls

Network layer firewalls A packet filter, such as iptables, which decides which packets will pass through to the internal network or protected resource based on packet headers. Can be stateful or stateless. Application layer firewalls A TCP wrapper, for example. Synonymous with proxy sometimes. Knows about the application-level protocol. Proxies Actually responds to/intervenes in the application-level protocol.

Ido Rosen Penultimate Review

slide-24
SLIDE 24

Policy Cryptography Network Security Firewalls & NAT

Network Address Translation

Usually done at router or gateway, between LAN and WAN. For example, masking a home network (multiple computers behind a router) as a single IP address to the rest of the world. Can be its own form of firewall. Works by changing the source/destination IP parts of the IP header in the packet and rerouting to the appropriate interface.

Ido Rosen Penultimate Review

slide-25
SLIDE 25

Policy Cryptography Network Security Firewalls & NAT

Packet Filters

Most firewalls today can be more than packet filters. Act on IP , TCP , UDP , or other encapsulated protocol packet header. “Policy” describes default action. (i.e.: DROP/ACCEPT) “Rules” describe specific actions based on packet headers.

Ido Rosen Penultimate Review

slide-26
SLIDE 26

Policy Cryptography Network Security Tunneling

Tunneling protocols encapsulate one protocol inside another. L2TP , PPTP are commonly used datagram-based tunneling protocols in VPNs. TLS/SSL is most commonly used tunneling protocol. (i.e.: HTTPS) SSH is another tunneling protocol, though not its primary purpose. IPSec is a tunneling protocol to provide security at the IP (network) level.

Ido Rosen Penultimate Review

slide-27
SLIDE 27

Policy Cryptography Network Security VPN

Virtual Private Network

Private network overlaid on a public network. Password or certificate based authentication mechanism. IPSec, PPTP , L2TP are all VPN protocols.

Ido Rosen Penultimate Review

slide-28
SLIDE 28

Policy Cryptography Network Security Protocols

SSL/TLS

Operates on transport/session layer. Peer negotiation for algorithm support PKI-based key exchange and certificate authentication. Symmetrically encrypted traffic.

Ido Rosen Penultimate Review

slide-29
SLIDE 29

Policy Cryptography Network Security Protocols

IPSec

Operates on network layer. Encapsulates IP packets. Encrypts packets “end-to-end,” sometimes. Transport or tunnel mode. Transport mode: Only payload of IP packet is encrypted. (i.e.: host-to-host) Tunnel mode: Entire IP packet is encrypted. (i.e.: net-to-net)

Ido Rosen Penultimate Review

slide-30
SLIDE 30

Policy Cryptography Network Security Protocols

Kerberos

KAS is a pre-established secret key known only to A and S. KBS similarly, for B and S. KAB is a temporary session key between A and B. TS and TA are timestamps generated by S and A. L is a “lifespan” defining validity of a timestamp. A − → S : A, B S − → A : {TS, L, KAB, B, {TS, L, KAB, A}KBS}KAS A − → B : {TS, L, KAB, A}KBS, {A, TA}KAB B − → A : {TA + 1}KAB

Ido Rosen Penultimate Review

slide-31
SLIDE 31

Policy Cryptography Network Security Protocols

Kerberized Protocols

AFS, NFS, SSH, SMB, AppleTalk, LDAP , IMAP , POP , FTP , Telnet, Apache, and many more can use Kerberos for authentication.

Ido Rosen Penultimate Review

slide-32
SLIDE 32

Policy Cryptography Network Security Ido Rosen Penultimate Review