SSL Firewalls

(1)

& 2009 - 2010 & ( ) SSL Firewalls : . : . . byte 0x01 : 1, “ ”.

(2)

, : , , : ( ) ) . : : (Confidentiality) (Integrity) (Availability) : . , , . : . : . . . , , . : , , .

(3)

(Identification)

. , ₎ , , .

(Authentication)

. .

(Authorization)

. .

(Accountability)

. (Non-repudiation) . .

;

. Hackers- : . ( )

;

; : . : ( , ) . . : . .

(4)

(Vulnerability) , , , . (Threat) . : : : . : , . : .

(risk)

.

(attack)

.

(Countermeasures)

. : . : . : . : , . : .

:

.

:

.

:

.

:

.

(5)

( , ): ( ). : ( , ). : . .

)

(6)

. : : ( , , ) , ). : ( ). : (MAC): . (unilateral authentication): . (mutual authentication): . Password ( ) PIN (challenge-response). Security token (password generator) Smart card, magnetic stripe card

“ ”

-Passwords

string x . passwords: . . dictionary attacks. ( ) password checkers password . . www.passwordmeter.com/

Passwords

password:

dictionary attacks. passwords , , . passwords. default passwords.

(7)

.

: ( )

.

: .

Crossover Error Rate:

. . ( ) : : . : . , , . : . : . : . . : . . : .

(8)

:

(MAC): . , . , , . ( ) .

(one-way hash function) . (

) (hash

value) (message digest).

: m, f(m). f(m), m. m m f(m) = f(m ) . . , . .

(9)

. ( , ) . : (access) . (subject) , , . (object) . , , , , . : . : : (observe): (alter): . : . : : : , . (execute): (delete - windows):

(change ownership - windows):

(

)

:

. :

(discretionaryaccess control DAC):

( ),

.

(

manager ).

.

DAC ACLs (Access Control Lists

(10)

(

)

(mandatoryaccess control MAC):

. . .

.

(security clearance) secret, top secret, confidential,

(classified) secret, top secret, confidential. . security clearance . .

(

)

(role based access control

RBAC) (Nondiscretionary access

control): . . : , . RBAC . .

(

)

:

( ) (access control matrix): . (DAC). . : ( capabilities) ( access control lists)

(

)

(capabilities): , .

. .

: alpha.exe: execute; beta.com: execute, read

: delta.doc: read, write; alpha.exe: execute; beta.com: execute DAC. . : ( administrator) . . . .

(11)

(

)

(Access control list ACL): .

ACL

. .

ACL alpha.exe: A: execute, : execute.

(groups) . ACLs . . . . (Bell-LaPadula), (Biba, Clark-Wilson).

:

. . : . : . .

(Bell-LaPadula)

. , . Bell-LaPadula . . (subject’s security clearance)

(data classification):

(12)

(Bell-LaPadula)

Bell-LaPadula:

(Simple security rule):

.

(no read up)”.

*- (*-property rule):

(no write down)”. : . , . . .

(Biba)

Bell-LaPadula . . :

” (no write up):

.

” (no read down)

.

(Clark-Wilson)

.

. (separation of duties): . .

(13)

, , . : , : : : . : . : . : . : . Plaintext: . Ciphertext: .

1/3

( -GSM) (cryptophones) ( ) ( )

2/3

( , )

(14)

3/3

(VPN)

Word Wide Web

( ) (Hipperlan, bluetooth, 802.11x) (VOIP)

(1900

. – 1900

.)

4000 . . . 400 . , « » . 2000 ( ) Caesar cipher.

(1900

. – 1900

.)

, , 1908

(1900

. – 1950

.)

Enigma.

(15)

(1950

. -

)

Claude Shannon 1949, «

» (Communication Theory of Secrecy Systems).

17 1975

DES (Data Encryption Standard)

17 1975. DES AES 2001 NIST FIPS 197. -) ) -) This is plain-text This is plain-text &cW*4l %$?e}

:

k

“

k ,

.

,

k = k .

.

(16)

:

. . . = k ) k Y k -X = k(Y) X This is plain-text This is plain-text &cW*4l %$?e} X . . m . . . , , . . :

(17)

, , . . :

:

)

.

:

)

.

: . , . : . Block ciphers (blocks) t blocks . Stream ciphers block ciphers block 1 bit. bits .

(18)

Stream ciphers

stream cipher bit byte

bit byte . stream ciphers .

Stream ciphers

stream cipher

:

. . 1 0.

bit

,

.

Stream ciphers

Vernam

:

t m1m2…mt k1k2…kt c1c2…ct : ci= mi ki, 1 i t

.

: 100111010100

: 010001101001

: 110110111101

Stream ciphers

Vernam cipher

one-time-pad.

O one-time-pad

.

(19)

Symmetric-key block ciphers

block cipher n-bit n-bit. k-bit . : C = EK(P) : P = DK(C) : ECB, CBC, CFB, OFB.

(Electronic CodeBook Mode; ECB mode)

: : k-bit K; n-bit x1,x2,…,xt. : c1,c2,…,ct : 1 j t, cj EK( xj). : 1 j t, xj DK( cj).

E

D

/ n / n / n / n c_j c_j x_j x_j x_j x_j k k

(Electronic CodeBook Mode; ECB).

ECB:

). . : bits .

:

.

(Cipher

Block Chaining mode; CBC)

:

: k-bit K; n-bit IV; n-bit

x1,x2,…,xt.

: c1,c2,…,ct

: 1 j t, cj EK(cj-1 xj).

(20)

(Cipher

CBC:

. , IV, . cj xj . .

(Cipher

CBC: : bit cj cj cj+1 xj cj cj-1) : CBC self-synchronizing cj cj+1, cj+2 xj+2. IV , .

E(x) = E

_K2

(E

_K1

(x))

K1 2

E(x) = Y

_K3

(Y

_K2

(Y

_K1

(x))).

Y

.

E(x) =

_K3

(D

_K2

(E

_K1

(x))).

K1= 3. K1= 2= 3;

Symmetric-key Block Ciphers

:

(substitution) ( ) ( ). Caesar cipher 3 : plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: defghijklmnopqrstuvwxyzabc Caesar cipher k . k .

(21)

Caesar Chipher

: : : : C = (M + 3) mod 24 ( ) : M = (C–3) mod 24 (C–3) , 24, . , mod 24, mod 26.

:

(substitution) , , ”, . . plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: rIvnsojltzkgaqsmwvbyex (26!=4x1026₎ . . .

: (substitution) Vigenere) t k1k2…kt. m=m1m2m3… c=c1c2c3… c1= m1+ ktmod s s . t. : : : : , « » 6, , « » 3, « », 9, (6 + 3) mod 24 = 9. , « » 17, , « » 5, « », (17 + 5) mod 24 = 22. , .

(22)

Vigenere

Vigenere, – «cryptography». :C R Y P T O G R AP H Y C R Y P T O G R A P H Y C R Y :N E W D I R E C T I O N S I N C R Y P T O G R A P H Y : : «P» «V».

:

(transposition) . t, t , e 1 t. . . t = 6 e = (641352). “ ” ”. d = (364251).

(23)

: 3 ( )

:

: « » « »

(Product cipher):

.

block cipher (iterated block

cipher):

block cipher

(round function).

Feistel:

“

” 2t-bit

(L

₀

, R

₀

),

t-bit

L

₀

R

₀

,

(R

_r

, L

_r

)

r

r 1.

1 i r

L

_i

= R

_i-1

, R

_i

= L

_i-1

f(R

_i-1

, K

_i

)

K

_i

f

.

r 3

.

DES

O Data Encryption Standard (DES)

block cipher

.

FIPS

46-2.

n = 64bits

64bits.

64bits

8

(8,16,...,64)

bits

(parity).

,

Feistel.

(24)

DES

: 16 . K 16 48-bit , , . 64-bit. 2 32-bit L0 R0. 16 32-bit

Li-1 Ri-1 32-bit Li Ri

: Li= Ri-1; Ri= Li-1 f(Ri-1, Ki) f ( S-boxes) . 8 S-boxes DES. . DES 16 ( 16 1).

DES

DES:

x ( (x)) = x

DES:

1

,

2

,

1

(

2

(x)) = x.

DES

4

-.

3-DES (E-D-E)

.

AES

DES. Rijndael. NIST

(National Institute of Standards and Technology). 128bits

128, 192, 256 bits.

DES. :

DES ~1012_{keys / sec}

DES . ES ~1016_{keys / sec} ES ~150,000,000,000 . . DES. .

(25)

AES

bytes ( States)

4x4,

(10

AES-128, 12 AES-192, 14 AES-256).

. : bytes S-box XOR . e d. , d e . e e, Dd. m e e c = e(m). d Dd m = Dd(c). 2 , 2 m . . . .

(26)

. . ( ).

.

RSA

( n n). A (n, e), n modulus e , d. : . m ( [0, n-1]) c = me_{mod n.} _c _.

RSA

modulusn . 512, 768, 1024, 2048, 4096. RSA p q n = pq. : p q, . n = pq = (p -1)(q -1). e, 1<e< , gcd(e, ) = 1. d (1< d ed = 1 (mod ). (n, e d. e e=3 e=216₊₁

,

(session

keys).

(

).

(27)

.

, K,

,

’

E (K)

,

D (E (K)) = K

.

. , , . . m S : s = S (m). (m, s). s m. s m, : VA . u = VA(m, s). , u = true u = false. K . , L .

:

, , m s VA(m, s) = true.

:

, . : .

(28)

. . . . : TTP . .

(one-way hash function) – MD5

hash, H(M), , M, , h. h = H(M), h m : M, h. M, , M’, H(M) = H(M’). h, M, h = H(M). , (collision resistance). , M M’, H(M) = H(M’). . (key distribution centers)

(key translation centers) : . . : . TTP n . TTP . TTP . : ’ , . TTP . TTP: TTP . TTP . : TTP .

(29)

Trusted

Third Parties (TTPs)

. TTP . : In-line: . On-line: ( ) . . Off-line: .

TTPs

: . Registration Authority ( ): . Key Generator ( ): , . Certificate Directory ( ): . Key server ( ): . . Timestamp Agent: . Notary Agent: .

Key Escrow Agent: . . . , , . . ( ) ): TTP . .

(30)

(public-key certificates): , , . (identity certificates): . (attribute certificates): ( , ). .

:

( ) . ( . ) ( . ) , ) , , , . , , , , , . , , , , . . : (repository)

(31)

. . . : . , , , , , . . . : . () ( ) .

(certificate revocation list). CRL

. . (Registration Authority): , , . . . : . (certificate directory): . ( , ). . ( ), .

(32)

: . . ( ). . ( ) . . ( ). . . ( ) . . . , . : , . .

(33)

, , : : (self-replicating) . . , . (Trojan Horses): . . . . (Transient virus): . (Resident Virus): . (Terminate-stay-resident) . (logic bomb): ( . ). (Worm): . e-mail, TCP/IP. . . .

(

)

: : . IBM : ROM. ROM

(master boot sector)

( ).

(sector) 0, (track) 1, (side) 0 .

(partition table)

( bootable). .

(34)

(

)

DOS (DOS boot sector):

(file allocation table

FAT). O FAT . (linked list) (clusters) . : IO.SYS, BIOS SYSINIT. To SYSINIT MSDOS.SYS. DOS (COMMAND.COM) AUTOEXEC.BAT . COMMAND.COM .

(

)

. DOS , BIOS . . : New Zealand : DOS . IO.SYS COMMAND.COM.

(

)

. (parasitic virus) , .COM .EXE , . , . . , , . . , .

(

)

(companion virus) . . DOS, DOS .COM .EXE , .BAT . .EXE , .COM ( ) .COM .

(35)

(Macro

)

macros Word Basic, Visual

Basic, VBScript Microsoft Office. macro . . macro Microsoft Office.

)

(stealth virus):

.

,

antivirus

.

antivirus.

(

)

,

)

antivirus

).

.

. : : . : . : . . : (scanners): ( ). , . (cryptographic checksum): . , .