An Overview of Network Security (II)
EE5723/EE4723 Spring 2012

Course Outline: Fundamental Topics

System View of Network Security
- Network Security Model
- Security Threat Model & Security Services Model
- Overview of Network Security

Security Basis: Cryptography
- Secret key cryptography
- Hashes and message digests
- Public key cryptography
- Key distribution and management

Network Security Applications
- Authentication and security handshake pitfalls
- Well-known network security protocols such as Kerberos, IPSec, SSL/SET, PGP & PKI, WEP

Outline

ISO 7498-2: Security Architecture of the OSI Reference Model
- Internet Protocol Architecture
- The OSI reference model & its services (ISO 7498-1)
- Details of ISO 7498-2, Security Architecture of the OSI Reference Model
- Security placement within multiple protocol layers

Internetworking: Internet Protocol Layering

[Figure: Host A and Host B each have Application, Transport, Internet and Network layers over a physical network; a Router between Network A and Network B has only Internet and Network layers. An HTTP Message from Host A is carried in a TCP Packet, which is carried in an IP Datagram, which is carried in an Ethernet Frame on each physical network; the router forwards the IP Datagram and re-frames it for Network B.]

The OSI Reference Model: ISO 7498-1

OSI Reference Model: an internationally standardized network architecture, an abstract representation of an ideal network protocol stack. OSI = Open Systems Interconnection. Specified in ISO 7498-1. The model has 7 layers.

Internet Protocols vs. OSI

  Internet                      OSI
  5  Application                7  Application
                                6  Presentation
                                5  Session
  4  TCP                        4  Transport
  3  IP                         3  Network
  2  Network Interface          2  Data Link
  1  Hardware                   1  Physical

Lower/Upper Layers

Layers 1-4 are often referred to as the lower layers; layers 5-7 are the upper layers. The lower layers relate more closely to the communications technology; the upper layers relate to applications.

Layer 7: Application Layer

Home to a wide variety of protocols for specific user needs, e.g. virtual terminal service, file transfer, electronic mail, directory services.

Layer 6: Presentation Layer

Concerned with the representation of transmitted data. Deals with different data representations, e.g. of numbers and characters. Also deals with data compression and encryption. Layer for source coding.

Layer 5: Session Layer

Allows establishment of sessions between machines, e.g. to allow remote logins or to provide a file transfer service. Responsible for dialogue control. Also performs token management and synchronization.

Layer 4: Transport Layer

Basic function is to take data from the Session Layer, split it up into smaller units, and ensure that the units arrive correctly. Concerned with efficient provision of service. The Transport Layer also determines the type of service to provide to the Session Layer. Also responsible for congestion control.

Layer 3: Network Layer

Controls the subnet. The key issue is routing in the subnet, which can be based on static tables, tables determined at the start of a session, or highly dynamic routing (varying for each packet).

Layer 2: Data Link Layer

Provides reliable, error-free service on top of the raw Layer 1 service. Breaks data into frames; requires creation of frame boundaries. Frames are used to manage errors via acknowledgements and selective frame retransmission. Issues include encoding, CRC, etc.

Layer 1: Physical Layer

Concerned with bit transmission over the physical channel. Issues include the definition of 0/1, whether the channel is simplex/duplex, and connector design: mechanical, electrical and procedural matters.

Layering Principles

[Figure: an (N+1) Entity (Service User) in layer N+1 exchanges N+1 PDUs with its peer (N+1) Entity using the Layer N+1 protocol. It passes SDUs down through a Layer N Service Access Point (SAP) to an (N) Entity (Service Provider), which exchanges N PDUs with its peer (N) Entity using the Layer N protocol.]

PDU - Protocol Data Unit; SDU - Service Data Unit

Services & Protocols

Service = set of primitives provided by one layer to the layer above. A service defines what each layer can do (but not how it does it).

Protocol = set of rules governing data communication between peer entities, i.e. the format and meaning of frames/packets.

ISO 7498-2: Security Architecture

- Provides standard definitions of security terminology
- Provides standard descriptions for security services and mechanisms
- Defines where in the OSI reference model security services may be provided
- Introduces security management concepts

Policies, threats, services & mechanisms

In a secure system, the rules governing security behavior should be made explicit in the form of a security policy.

Security policy: the set of criteria for the provision of security services.

A security threat is a possible means by which a security policy may be breached (e.g. loss of integrity or confidentiality). A security service is a measure which can be put in place to address a threat (e.g. provision of confidentiality). A security mechanism is a means to provide a service (e.g. encryption, digital signature).

Security life-cycle in ISO 7498-2

Define the security model:
- Define the security policy
- Analyze the security threats (according to the policy)
- Define the security services to meet the threats
- Define the security mechanisms to provide the services
- Provide on-going management of security

Step 1: Generic security policy

ISO 7498-2 generic authorization policy: Information may not be given to, accessed by, nor permitted to be inferred by, nor may any resource be used by, those not appropriately authorized.

Possible basis for a more detailed policy. Does not cover availability issues (e.g. a DoS attack against a legitimate user).

Policy Types

ISO 7498-2 distinguishes between 2 types of security policies:
- Identity-based: where access to and use of resources are determined on the basis of the identities of users and resources.
- Rule-based: where resource access is controlled by global rules imposed on all users, e.g. using security labels.

Step 2: Fundamental threats

A threat is a person, thing, event or idea which poses some danger to an asset (in terms of confidentiality, integrity, availability or legitimate use).

An attack is a realization of a threat.

Safeguards = countermeasures (e.g. controls, procedures) to protect against threats.

Vulnerabilities = weaknesses in safeguards.

Four fundamental threats: information leakage, integrity violation, denial of service (DoS), illegitimate use.

Step 3: Security Services

Security services in ISO 7498-2 are a special class of safeguards applying to a communication environment. ISO 7498-2 defines 5 main categories of security service:
- Authentication (including entity authentication and origin authentication)
- Access control
- Data confidentiality
- Data integrity
- Non-repudiation

Step 4: Security Mechanisms

Security mechanisms exist to provide and support security services. They can be divided into two classes:
- Specific security mechanisms, used to provide specific security services, and
- Pervasive security mechanisms (e.g. trusted functionality, intrusion/event detection, security recovery), not specific to particular services.

Often expensive.

Specific security mechanisms

Eight types: encipherment, digital signature, access control mechanisms, data integrity mechanisms, authentication exchanges, traffic padding, routing control, notarization.

Specific Mechanisms (Contd)

Encipherment mechanisms = encryption or cipher algorithms. Can provide data and traffic flow confidentiality.

Digital signature mechanisms: a signing procedure (private) and a verification procedure (public). Can provide non-repudiation, origin authentication and data integrity services.

Both can be the basis of some authentication exchange mechanisms.

Specific Mechanisms (Contd)

Access control mechanisms: a server uses client information to decide whether to grant access to resources. E.g. access control lists, capabilities, security labels.

Data integrity mechanisms: protection against modification of data. Provide data integrity and origin authentication services. Also the basis of some authentication exchange mechanisms.

Authentication exchange mechanisms: provide the entity authentication service.

Specific Mechanisms (Contd)

Traffic padding mechanisms: the addition of pretend data to conceal the real volume of data traffic. Provides traffic flow confidentiality.

Routing control mechanisms: used to prevent sensitive data from using insecure channels. E.g. a route might be chosen to use only physically secure network components.

Notarization mechanisms: integrity, origin and/or destination of data can be guaranteed by using a trusted 3rd-party notary. The notary typically applies a cryptographic transformation to the data.

Service/mechanism table

ISO 7498-2 indicates which mechanisms can be used to provide which services. Illustrative, NOT definitive.

Mechanisms: EN = Encipherment, DS = Digital signature, AC = Access control, DI = Data integrity, AE = Authentication exchange, TP = Traffic padding, RC = Routing control, NO = Notarization

  Service                                    EN  DS  AC  DI  AE  TP  RC  NO
  Entity authentication                      Y   Y   -   -   Y   -   -   -
  Origin authentication                      Y   Y   -   -   -   -   -   -
  Access control                             -   -   Y   -   -   -   -   -
  Connection confidentiality                 Y   -   -   -   -   -   Y   -
  Connectionless confidentiality             Y   -   -   -   -   -   Y   -
  Selective field confidentiality            Y   -   -   -   -   -   -   -
  Traffic flow confidentiality               Y   -   -   -   -   Y   Y   -
  Connection integrity with recovery         Y   -   -   Y   -   -   -   -
  Connection integrity without recovery      Y   -   -   Y   -   -   -   -
  Selective field connection integrity       Y   -   -   Y   -   -   -   -
  Connectionless integrity                   Y   Y   -   Y   -   -   -   -
  Selective field connectionless integrity   Y   Y   -   Y   -   -   -   -
  Non-repudiation of origin                  -   Y   -   Y   -   -   -   Y
  Non-repudiation of delivery                -   Y   -   Y   -   -   -   Y

Pervasive security mechanisms

Five types identified: trusted functionality, security labels, event detection, security audit trail, security recovery.

Pervasive Mechanisms

Trusted functionality: any functionality providing or accessing security mechanisms should be trustworthy. May involve a combination of software and hardware.

Security labels: any resource (e.g. stored data, processing power, communications bandwidth) may have a security label associated with it to indicate its security sensitivity. Similarly, labels may be associated with users. Labels may need to be securely bound to transferred data.

Pervasive Mechanisms (Contd)

Event detection: includes detection of attempted security violations and of legitimate security-related activity. Can be used to trigger event reporting (alarms), event logging, automated recovery.

Security audit trail: log of past security-related events. Permits detection and investigation of past security breaches.

Security recovery: includes mechanisms to handle requests to recover from security failures (security tolerant). May include immediate abort of operations, temporary invalidation of an entity, addition of an entity to a blacklist.

Link vs. End-to-End Encryption

(1) Link encryption:
- Requires many encryption devices
- Each packet is decrypted at every switch: intermediate switches must be trusted
- Invisible to the users

(2) End-to-end encryption:
- Addresses potential flaws in lower layers
- The source encrypts and the receiver decrypts
- Payload encrypted, header in the clear
- Only the end nodes must be trusted

(3) High security: both link and E2E encryption are needed

Ref: Network Security Essentials, by Stallings

Security Services & Layering in General: Link-to-link Encryption

Typical Message: Link Encryption

[Figure: protocol layers 5 application, 4 transport, 3 network, 2 data link, 1 physical at the Sender, the Intermediate Host and the Receiver. The frame carries the Message with its Transport Header, Network Header, Data Link Header and Data Link Trailer. Under link encryption the message is encrypted only while on each link; it is decrypted and re-encrypted in the intermediate host, so the plaintext message is exposed inside the sender, the intermediate host and the receiver.]

If all hosts on a network are reasonably trustworthy, but the communications medium is shared with other users or is not secure, link encryption is an easy control to use.

Ref: Security in Computing, by Charles P. Pfleeger & Shari Lawrence Pfleeger

Security Services & Layering in General: End-to-End Encryption

Typical Message: End-to-End Encryption

[Figure: the same layers and frame fields at the Sender, the Intermediate Host and the Receiver. Under end-to-end encryption the message is encrypted by the sender, stays encrypted through the intermediate host and on every link, and is decrypted only by the receiver. The Transport Header, Network Header, Data Link Header and Data Link Trailer are in plaintext throughout; the plaintext message is exposed only at the two ends.]

Comparison of Encryption Architecture

Link-to-link encryption:
- Message is plaintext inside the hosts (are they trustworthy?): node authentication needed
- Faster (mostly hardware)
- Easier/invisible for the user
- One key per node/interface pair

End-to-end encryption:
- Flexible (hardware or software)
- Application & user aware
- No trust in intermediate nodes required: end-user authentication needed
- One key per host pair

Unavoidable multilayer security provisioning.
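As an added example (not from the slides), the following Python script simulates the two architectures compared above over a sender, one intermediate switch and a receiver, using the frame fields from the link/end-to-end figures (network header, transport header, message). The addresses, keys and the SHA-256-based XOR keystream are constructed stand-ins so the script runs on the standard library alone; a real system would use an authenticated cipher such as AES-GCM.

```python
import hashlib

def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric stream cipher (constructed for this example only):
    XOR data with SHA-256(key || block counter). Encrypts and decrypts alike."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed sample headers and keys (not real addresses or key material).
N_HDR = b"N[src=10.0.0.1 dst=10.0.0.9]"          # network header, layer 3
T_HDR = b"T[dport=443]"                         # transport header, layer 4
LINK_KEYS = {"sender-switch": b"link-key-1",    # one key per link (node pair)
             "switch-receiver": b"link-key-2"}
HOST_PAIR_KEY = b"end-to-end-key"               # one key per host pair

def link_encryption(message: bytes) -> dict:
    """Link encryption: each link key covers N + T + M. The switch must decrypt
    to read N and route, then re-encrypt for the next link, so the plaintext
    message is exposed inside the switch (the switch must be trusted)."""
    body = N_HDR + T_HDR + message
    on_link1 = xor_keystream(LINK_KEYS["sender-switch"], body)
    inside_switch = xor_keystream(LINK_KEYS["sender-switch"], on_link1)
    on_link2 = xor_keystream(LINK_KEYS["switch-receiver"], inside_switch)
    at_receiver = xor_keystream(LINK_KEYS["switch-receiver"], on_link2)
    return {"on_link1": on_link1, "inside_switch": inside_switch,
            "on_link2": on_link2, "at_receiver": at_receiver}

def e2e_encryption(message: bytes) -> dict:
    """End-to-end: only M is encrypted, with the host-pair key. N and T stay in
    the clear, so the switch routes without any key and never sees M."""
    hdrs = N_HDR + T_HDR
    packet = hdrs + xor_keystream(HOST_PAIR_KEY, message)
    at_receiver = hdrs + xor_keystream(HOST_PAIR_KEY, packet[len(hdrs):])
    return {"on_link1": packet, "inside_switch": packet,
            "on_link2": packet, "at_receiver": at_receiver}

def message_exposed_in_switch(trace: dict, message: bytes) -> bool:
    """Is the plaintext message readable inside the intermediate host?"""
    return message in trace["inside_switch"]

def headers_in_clear_on_wire(trace: dict) -> bool:
    """Can a passive observer on the first link read the network header?"""
    return trace["on_link1"].startswith(N_HDR)
```

Run both functions on the same message and compare the inside_switch entries: under link encryption it contains the plaintext message, under end-to-end encryption it does not, while the headers are readable on the wire only in the end-to-end case.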