Course Outline: Fundamental Topics
System View of Network Security
Network Security Model
Security Threat Model & Security Services Model
Overview of Network Security
Security Basis: Cryptography
Secret key cryptography
Hashes and message digests
Public key cryptography
Key distribution and management
Spring 2012 EE5723/EE4723
Network Security Applications:
Authentication and security handshake pitfalls
Well-known network security protocols such as Kerberos, IPSec, SSL/SET, PGP & PKI, WEP
An Overview of Network Security (II)
EE5723/EE4723 Spring 2012
Outline
Security Architecture of OSI Reference Model
Security Placement within Multiple Protocol Layers
ISO 7498-2: Security Architecture of OSI Reference Model
Internet Protocol Architecture
The OSI reference model & its services (ISO 7498-1)
Details of ISO 7498-2
Internetworking
[Figure: Host A on Network A is connected through a Router to Host B on Network B.]
Internet Protocol Layering
[Figure: Host A and Host B each have an Application Layer, Transport Layer, Internet Layer and Network Layer; the Router in between has only an Internet Layer and a Network Layer, attached to the Physical Network. An HTTP Message is carried in a TCP Packet, which is carried in an IP Datagram, which is carried in an Ethernet Frame over the Physical Network.]
The OSI Reference Model: ISO 7498-1
OSI Reference Model: internationally standardized network architecture.
An abstract representation of an ideal network protocol stack.
OSI = Open Systems Interconnection
Specified in ISO 7498-1
Model has 7 layers
Internet Protocols vs. OSI
[Table: OSI layers vs. Internet layers]
OSI layer          Internet layer
7 Application      Application
6 Presentation     Application
5 Session          Application
4 Transport        TCP
3 Network          IP
2 Data Link        Network Interface
1 Physical         Hardware
Lower/Upper Layers
Layers 1-4 are often referred to as the "lower layers".
Layers 5-7 are the "upper layers".
Lower layers relate more closely to the communications technology.
Upper layers relate to applications.
Layer 7: Application Layer
Home to a wide variety of protocols for specific user needs, e.g.:
virtual terminal service,
file transfer,
electronic mail,
directory services.
Layer 6: Presentation Layer
Concerned with representation of transmitted data.
Deals with different data representations, e.g. of numbers, characters.
Also deals with data compression and encryption.
Layer for source coding.
Layer 5: Session Layer
Allows establishment of sessions between machines, e.g. to
allow remote logins,
provide file transfer service.
Responsible for dialogue control.
Also performs token management and synchronization.
Layer 4: Transport Layer
Basic function is to take data from the Session Layer, split it up into smaller units, and ensure that the units arrive correctly.
Concerned with efficient provision of service.
The Transport Layer also determines the 'type of service' to provide to the Session Layer.
Also responsible for congestion control.
Layer 3: Network Layer
Controls the subnet.
Key issue is routing in the subnet; can be based on:
static tables,
tables determined at start of session,
highly dynamic routing (varying for each packet).
Layer 2: Data Link Layer
Provides reliable, error-free service on top of the raw Layer 1 service.
Functions include encoding, CRC, etc.
Breaks data into frames. Requires creation of frame boundaries.
Frames are used to manage errors via acknowledgements and selective frame retransmission.
Layer 1: Physical Layer
Concerned with bit transmission over the physical channel.
Issues include:
definition of 0/1,
whether the channel is simplex/duplex,
connector design.
Mechanical, electrical, procedural matters.
Layering Principles
[Figure: an (N+1) entity (service user) hands an (N+1) PDU, as an SDU, to an (N) entity (service provider) through a Layer N Service Access Point (SAP). Peer (N+1) entities communicate via the Layer N+1 protocol; peer (N) entities communicate via the Layer N protocol by exchanging N PDUs.]
PDU - Protocol Data Unit; SDU - Service Data Unit
Services & Protocols
Service = set of primitives provided by one layer to the layer above.
Service defines what each layer can do (but not how it does it).
Protocol = set of rules governing data communication between peer entities, i.e. format and meaning of frames/packets.
ISO 7498-2: Security Architecture
Provides standard definitions of security terminology
Provides standard descriptions for security services and mechanisms
Defines where in the OSI reference model security services may be provided
Introduces security management concepts
Policies, threats, services, & mechanisms
In a secure system, the rules governing security behavior should be made explicit in the form of a security policy.
Security policy: 'the set of criteria for the provision of security services'.
A security threat is a possible means by which a security policy may be breached (e.g. loss of integrity or confidentiality).
A security service is a measure which can be put in place to address a threat (e.g. provision of confidentiality).
A security mechanism is a means to provide a service (e.g. encryption, digital signature).
Security life-cycle in ISO 7498-2
Define security model
Define security policy
Analyze security threats (according to policy)
Define security services to meet threats
Define security mechanisms to provide services
Provide on-going management of security
Step 1: Generic security policy
ISO 7498-2 generic authorization policy:
'Information may not be given to, accessed by, nor permitted to be inferred by, nor may any resource be used by, those not appropriately authorized.'
Possible basis for more detailed policy.
Does not cover availability (e.g. DoS attack) issues (for legitimate users).
Policy Types
ISO 7498-2 distinguishes between 2 types of security policies:
Identity-based: where access to and use of resources are determined on the basis of the identities of users and resources.
Rule-based: where resource access is controlled by global rules imposed on all users, e.g. using security labels.
Step 2: Fundamental threats
A threat is:
a person, thing, event or idea which poses some danger to an asset (in terms of confidentiality, integrity, availability or legitimate use).
An attack is a realization of a threat.
Safeguards = countermeasures (e.g. controls, procedures) to protect against threats.
Vulnerabilities = weaknesses in safeguards.
Four fundamental threats:
Information leakage
Integrity violation
DoS
Illegitimate use
Step 3: Security Services
Security services in ISO 7498-2 are a special class of safeguards applying to a communication environment.
ISO 7498-2 defines 5 main categories of security service:
Authentication (including entity authentication and origin authentication)
Access control
Data confidentiality
Data integrity
Non-repudiation
Step 4: Security Mechanisms
To provide and support security services.
Can be divided into two classes:
Specific security mechanisms, used to provide specific security services, and
Pervasive security mechanisms (e.g., trusted functionality, intrusion/event detection, security recovery), not specific to particular services.
Often expensive
Specific security mechanisms
Eight types:
encipherment
digital signature
access control mechanisms
data integrity mechanisms
authentication exchanges
traffic padding
routing control
notarization
Specific Mechanisms (Cont'd)
Encipherment mechanisms = encryption or cipher algorithms.
Can provide data and traffic flow confidentiality.
Digital signature mechanisms
signing procedure (private)
verification procedure (public).
Can provide non-repudiation, origin authentication and data integrity services.
Both can be the basis of some authentication exchange mechanisms.
Specific Mechanisms (Cont'd)
Access control mechanisms
A server using client information to decide whether to grant access to resources.
E.g. access control lists, capabilities, security labels.
Data integrity mechanisms
Protection against modification of data.
Provide data integrity and origin authentication services. Also the basis of some authentication exchange mechanisms.
Authentication exchange mechanisms
Provide entity authentication service.
Specific Mechanisms (Cont'd)
Traffic padding mechanisms
The addition of 'pretend' data to conceal real volumes of data traffic.
Provides traffic flow confidentiality.
Routing control mechanisms
Used to prevent sensitive data using insecure channels.
E.g. route might be chosen to use only physically secure network components.
Notarization mechanisms
Integrity, origin and/or destination of data can be guaranteed by using a 3rd-party trusted notary.
Notary typically applies a cryptographic transformation to the data.
Service/mechanism table
ISO 7498-2 indicates which mechanisms can be used to provide which services.
Illustrative, NOT definitive.
Mechanism columns: Enc = encipherment, Sig = digital signature, AC = access control, Int = data integrity, AX = authentication exchange, Pad = traffic padding, RC = routing control, Not = notarisation.

Service                                    Enc  Sig  AC   Int  AX   Pad  RC   Not
Entity authentication                       Y    Y              Y
Origin authentication                       Y    Y
Access control                                        Y
Connection confidentiality                  Y                             Y
Connectionless confidentiality              Y                             Y
Selective field confidentiality             Y
Traffic flow confidentiality                Y                        Y    Y
Connection integrity with recovery          Y              Y
Connection integrity without recovery       Y              Y
Selective field connection integrity        Y              Y
Connectionless integrity                    Y    Y         Y
Selective field connectionless integrity    Y    Y         Y
Non-repudiation of origin                        Y         Y                   Y
Non-repudiation of delivery                      Y         Y                   Y
Pervasive security mechanisms
Five types identified:
trusted functionality,
security labels,
event detection,
security audit trail,
security recovery.
Pervasive Mechanisms
Trusted functionality
Any functionality providing or accessing security mechanisms should be trustworthy.
May involve a combination of software and hardware.
Security labels
Any resource (e.g. stored data, processing power, communications bandwidth) may have a security label associated with it to indicate security sensitivity.
Similarly, labels may be associated with users. Labels may need to be securely bound to transferred data.
Pervasive Mechanisms (Cont'd)
Event detection
Includes detection of
attempted security violations,
legitimate security-related activity.
Can be used to trigger event reporting (alarms), event logging, automated recovery.
Security audit trail
Log of past security-related events.
Permits detection and investigation of past security breaches.
Security recovery
Includes mechanisms to handle requests to recover from security failures (security tolerant).
May include immediate abort of operations, temporary invalidation of an entity, addition of an entity to a blacklist.
Link vs. End-to-End Encryption
Link and E2E Encryption:
(1) Link encryption:
- A lot of encryption devices
- Decrypt each packet at every switch
- Intermediate switch must be trusted
- Invisible to the users
(2) End-to-end encryption:
- Addresses potential flaws in lower layers
- The source encrypts and the receiver decrypts
- Payload encrypted
- Header in the clear
- Only end nodes must be trusted
(3) High security: both link and E2E encryption are needed
Ref: Network Security Essentials, by Stallings
Link-to-link Encryption
Security Services & Layering in General
[Figure: columns Sender, Intermediate Host, Receiver; rows protocol layers 5. application, 4. transport, 3. network, 2. data link, 1. physical. With link encryption the message is in plaintext (exposed) at layers 2 through 5 of every host on the path, including the intermediate host, and is encrypted only on the physical links between them.]
Ref: Security in Computing, by Charles P. Pfleeger & Shari Lawrence Pfleeger
Typical Message: Link Encryption
[Figure: a frame consisting of Data Link Header | Network Header (N) | Transport Header (T) | Message (M) | Data Link Trailer. With link encryption, M, T and N are encrypted on the link; the data link header and trailer are in the clear.]
If all hosts on a network are reasonably trustworthy, but the communications medium is shared with other users or is not secure, link encryption is an easy control to use.
Security Services & Layering in General: End-to-End Encryption
[Figure: columns Sender, Intermediate Host, Receiver; rows protocol layers 5. application, 4. transport, 3. network, 2. data link, 1. physical. With end-to-end encryption the message is in plaintext (exposed) only at the top of the sender's and receiver's stacks; it is encrypted at every lower layer and at every layer of the intermediate host.]
Typical Message: End-to-End Encryption
[Figure: a frame consisting of Data Link Header | Network Header (N) | Transport Header (T) | Message (M) | Data Link Trailer. With end-to-end encryption only the message M is encrypted; the transport header, network header, data link header and data link trailer are in the clear.]
Comparison of Encryption Architectures
Link-to-link encryption
Message is plaintext inside the hosts (trustworthy?): node authentication needed
Faster (mostly hardware); easier/invisible for the user
One key per node/interface pair
End-to-end encryption
Flexible (hardware or software)
Application & user aware
No trust in intermediate nodes required: need end-user authentication
One key per host pair
Unavoidable multilayer security provisioning
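The link vs. end-to-end contrast above (what each node on the path can read, and who holds which key) as an added Python model; it is not code from the slides or from the cited books. The hosts A, R, B, the keys, the "|" framing and the toy XOR keystream are all constructed assumptions; the keystream only marks bytes as "encrypted" or "in the clear" and is not a real cipher.

```python
import hashlib

def toy_xor(key: bytes, data: bytes) -> bytes:
    """Toy keystream XOR (SHA-256 in counter mode), assumed here only to model
    'encrypted' vs. 'in the clear'. NOT a real cipher: the point is which node
    holds which key, not cryptographic strength. Applying it twice restores data."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed path: sender A, one intermediate switch R, receiver B (hypothetical names).
PATH = ["A", "R", "B"]
LINK_KEYS = {("A", "R"): b"link-key-AR", ("R", "B"): b"link-key-RB"}  # one key per interface pair
E2E_KEYS = {("A", "B"): b"e2e-key-AB"}                                # one key per host pair

def link_encryption_view(path, header: bytes, payload: bytes) -> dict:
    """Link encryption: the whole frame (header + payload) is encrypted hop by hop and
    every node on the path decrypts it with its link key, so each node sees plaintext.
    Returns {node: (header, payload) as that node sees it}. '|' is a constructed framing byte."""
    view = {path[0]: (header, payload)}                    # sender holds the plaintext
    for prev, node in zip(path, path[1:]):
        key = LINK_KEYS[(prev, node)]
        on_wire = toy_xor(key, header + b"|" + payload)    # ciphertext on this link only
        clear = toy_xor(key, on_wire)                      # node decrypts with the link key
        h, p = clear.split(b"|", 1)
        view[node] = (h, p)                                # plaintext exposed inside the node
    return view

def e2e_encryption_view(path, header: bytes, payload: bytes) -> dict:
    """End-to-end encryption: the sender encrypts only the payload with the host-pair key;
    the header stays in the clear for routing and intermediates never see the plaintext."""
    key = E2E_KEYS[(path[0], path[-1])]
    enc_payload = toy_xor(key, payload)
    view = {path[0]: (header, payload)}
    for node in path[1:-1]:
        view[node] = (header, enc_payload)                 # header readable, payload opaque
    view[path[-1]] = (header, toy_xor(key, enc_payload))   # only the receiver can decrypt
    return view

def payload_exposed_at(view: dict, node: str, payload: bytes) -> bool:
    """True when the given node holds the payload in plaintext (must therefore be trusted)."""
    return view[node][1] == payload

if __name__ == "__main__":
    hdr, msg = b"src=A;dst=B", b"constructed secret payload"
    for name, fn in (("link", link_encryption_view), ("end-to-end", e2e_encryption_view)):
        print(name, "payload exposed at R:", payload_exposed_at(fn(PATH, hdr, msg), "R", msg))
```

Running it shows the intermediate switch R holding the plaintext under link encryption (hence "intermediate switch must be trusted") and only the routable header under end-to-end encryption (hence "only end nodes must be trusted").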