You are on page 1of 163

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Network Security and Cryptography


Topic 1: Cryptography Fundamentals

V1.0

NCC Education Limited

Network Security and Cryptography


Topic 1 Lecture 1: Module Overview & Overview of Security

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.3

Scope and Coverage


This topic will cover:
Introduction to module Overview of security Overview of cryptography Block ciphers Public-key ciphers Hash algorithms

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 1

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.4

Learning Outcomes
By the end of this topic students will be able to:
Explain the most common types of cryptographic algorithm (i.e. block ciphers, public-key ciphers and hash algorithms) Select and justify an appropriate algorithm for a particular purpose

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.5

Module Aims
This module will provide you with the underlying theory and practical skills required to secure networks and to send data safely and securely over network communications (including securing the most t common Internet I t t services). i )

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.6

Module Syllabus - 1
Cryptography Fundamentals Public-Key Infrastructure Web Security Email Security Data Protection Vulnerability Assessment Authentication

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 2

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.7

Module Syllabus - 2
Access Control Firewalls VPN Remote Access Wireless Security

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.8

Module Delivery
The teacher-led time for this module is comprised of lectures and laboratory sessions. Lectures are designed to start each topic.
- You will be encouraged to be active during lectures by raising questions and taking part in discussions.

Laboratory sessions are designed to follow the respective topic lecture.


- During these sessions, you will be required to work through practical tutorials and various exercises.

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.9

Private Study
You are also expected to undertake private study to consolidate and extend your understanding. Exercises are provided in your Student Guide for you to complete during this time.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 3

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.10

Assessment
This module will be assessed by:
- an examination worth 75% of the total mark - an assignment worth 25% of the total mark

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.11

Computer Security Definition


The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (i l d h (includes hardware, d software, ft fi firmware, information/data, and telecommunications).
National Institute of Standards and Technology, Special Publication 800-12, (October 1995).

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.12

Cryptography Definition
The discipline that embodies the principles, means, and methods for the transformation of data in order to hide their semantic content, prevent their unauthorized use, or prevent their undetected modification. difi ti
National Institute of Standards and Technology, Special Publication 800-59, (August 2003).

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 4

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.13

Security Objectives
NIST gives three objectives (FIPS199):
- Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information information. - Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. - Availability: Ensuring timely and reliable access to and use of information.
V1.0 NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.14

Loss of Security
The following defines a loss of security in each objective:
- Loss of Confidentiality: Unauthorized disclosure of information information. - Loss of Integrity: Unauthorized modification or destruction of information. - Loss of Availability: Disruption of access to or use of information or information systems.

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.15

The CIA Triad


These requirements (Confidentiality, Integrity, Availability) are commonly known as the CIA triad. There are many critiques that suggest that this does not provide a complete picture of security requirements. The two most commonly cited extra requirements are: - Authenticity - Accountability

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 5

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.16

Authenticity
Being genuine, verified and trusted. Confidence in the validity of:
- A transmission - A message - A message originator

Verifying that users are who they say they are and that each message came from a trusted source.

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.17

Accountability
Actions of an entity can be traced uniquely to that entity. Supports:
Non-repudiation p Deterrence Fault isolation Intrusion detection and prevention Recovery Legal action

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.18

OSI Security Architecture


ITU-T Recommendation X.800, Security Architecture for OSI, provides a systematic way for:
- Defining the requirements for security - Characterising the approaches to satisfying those requirements

ITU-T stands for International Telecommunication Union Telecommunication Standardization Sector OSI stands for Open Systems Interconnection

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 6

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.19

OSI Security Architecture


The following concepts are used:
- Security attack: Any actions that compromise the security of information owned by an organisation (or a person). - Security mechanism: a mechanism that is designed to detect, prevent, or recover from f a security attack. - Security service: a service that enhances the security of the data processing systems and the information transfers of an organisation. The services make use of one or more security mechanisms to provide the service.

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.20

Security Attacks
It is useful to categorise attacks as:
- Passive attacks - Active attacks

P Passive i attacks tt k make k use of f information i f ti from f a system but do not affect the system resources. Active attacks alter system resources or affect their operation.

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.21

Passive Attacks
Release of message contents: The information in a message is read. Traffic analysis: y message g information cannot be read but traffic patterns are analysed to glean information.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 7

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.22

Active Attacks
Masquerade: one entity pretends to be another entity. Replay: passive capture of data and its retransmission et a s ss o to p produce oduce a an u unauthorized aut o ed e effect. ect Message modification: a message is altered to produce an unauthorized effect. Denial of service: preventing or hindering the use of network resources.

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.23

Security Services
A security service is a service which ensures adequate security of the systems or of data transfer. X.800 Recommendation divides security services into 5 categories:
Authentication Access control Data confidentiality Data integrity Non-repudiation

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.24

Security Mechanisms
Security mechanisms are used to implement security services. They include:
Encipherment Digital signature Access Control mechanisms Data Integrity mechanisms Authentication Exchange Traffic Padding Routing Control Notarisation

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 8

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.25

Number Theory
Many public-key cryptosystems use non-trivial number theory. The RSA public-key cryptosystem is based on the difficulty of factoring large numbers. numbers We will outline the basic ideas of:
- divisors - prime numbers - modular arithmetic

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.26

Divisors and Prime Numbers


Divisors
- Let a and b be integers where b is not equal to 0 - Then we say b is a divisor of a if there is an integer m such that a = mb;

Prime numbers
- An integer p is a prime number if its only divisors are 1, -1, p, -p

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.27

GCD & Relatively Prime Numbers


Greatest Common Divisor (gcd)
- gcd(a,b) is a greatest common divisor of a and b (the largest number that divides into both numbers) - Examples:
gcd(12, 15) = 3 gcd(49,14) = 7

Relatively Prime Numbers


- a and b are relatively prime if gcd(a,b) = 1 - Example: gcd (9,14) = 1

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 9

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.28

Modular Arithmetic
If a is an integer and n is a positive integer, we define a mod n to be the remainder when a is divided by n:
- Example, 10 mod3 = 1

If (a mod n) = (b mod n), then a and b are congruent modulo n (a mod n) = (b mod n) if n is a divisor of a-b

V1.0

NCC Education Limited

Network Security and Cryptography


Topic 1 Lecture 2: Overview of Cryptography

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.30

Cryptography
A collection of mathematical techniques for protecting information Most important technique is encryption/decryption
Symmetric y encryption yp (symmetric ( y key y encryption): yp )
- encrypt/decrypt a message using the same key

- Key: a piece of information or sequence of bits Asymmetric encryption (asymmetric key encryption):
- one key used for encryption (public key), another key used for decryption (private key)

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 10

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.31

Symmetric Encryption

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.32

Elements of Symmetric Encryption


Plaintext Encryption algorithm Secret key Ciphertext (encrypted text) Decryption algorithm

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.33

Principle of Symmetric Encryption


Security of symmetric encryption depends on the secrecy of the key. It does not depend on the secrecy of the algorithm. Why? It is difficult to invent new algorithms and keep them secret. It is relatively simple to produce keys.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 11

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.34

Requirements for Symmetric Encryption


Strong encryption algorithm:
- The attacker should be unable to decrypt encrypted text, even if he/she knows several matching pairs of plaintext and encrypted plaintext. plaintext

The private key must be kept secret:


- Sender and receiver must have obtained copies of the secret key (private key) in a secure way and must keep the key secure.

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.35

Classifying Cryptosystems
As well as classifying as symmetric or asymmetric there are two other main classifications:
- Type of operations used: Substitutions Transpositions - The way in which plaintext is processed: Block cipher where a block of elements is transformed to the output block in one go. Stream cipher where the input elements are processed continuously one element at a time.

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.36

Substitutions
Each element of the plaintext (bit, letter, group of bits) is mapped to another element. AB BC ZA HELLO MISTER becomes IFMMP NJTUFS

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 12

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.37

Transpositions
Elements of the plaintext are re-arranged. HEL LO MIS TER becomes HLMTEOIEL SR

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.38

Real World Encryption


Modern algorithms have multiple stages in converting the plaintext to ciphertext. They usually involve multiple substitutions and transpositions transpositions. The encryption uses a key (unlike the simple examples on the previous slides).

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.39

Cryptanalysis
The main objective of an attacker is to recover the key rather than the plaintext. Relies on knowledge of the nature of the algorithm plus knowledge of the plaintext or access to some plaintext/ciphertext p p p pairs. An encryption scheme is computationally secure if:
- The cost of breaking the scheme exceeds the value of the encrypted information. - The time required to break to the scheme is more than lifetime of the information.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 13

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.40

Brute Force Attacks


Try every possible key until correct translation of the encrypted text into plaintext is obtained. The problem is the time required to do this. On average, an attacker must try half of all possible keys before successfully translating a ciphertext ciphertext. For a key size of 32 bits:
- there are 232 (4.3 x 109) alternative keys - At 1 decryption per microsecond = 35.8 minutes - At 1 million decryptions per microsecond = 2.15 ms!!

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.41

Brute Force Attacks Increasing Key Size


For a key size of 56 bits:
- There are 256 (7.2 x 1016) alternative keys - At 1 decryption per microsecond = 1142 yrs - At 1 million decryptions per microsecond = 10.01 10 01 hours

For a key size of 128 bits:


- There are 2128 (3.4 x 1038) alternative keys - At 1 decryption per microsecond = 5.4 x 1024 yrs - At 1 million decryptions per microsecond = 5.9 x 1030 yrs

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.42

Block Ciphers v Stream Ciphers


Block ciphers use algorithms to encrypt and decrypt a fixed-size block of plaintext and ciphertext, respectively, usually a multiple of 64 bits. Stream ciphers continuously encrypt any amount of data as it is presented, usually by mathematically combining the data with a keystream, an infinitely long key sequence that is generated based on a finite key starting value.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 14

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.43

The Feistel Cipher


A scheme used by almost all modern block ciphers.
- The input is broken into two equal size blocks, generally called left (L) and right (R), which are then repeatedly cycled through the algorithm. y , a function (f) ( ) is applied pp to the right g block - At each cycle, and the key, and the result is XORed into the left block. - The blocks are then swapped. - The XORed result becomes the new right block and the unaltered right block becomes the left block. - The process is then repeated a number of times.

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.44

The Feistel Cipher

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.45

Data Encryption Standard (DES)


A standardized encryption algorithm approved by the U.S. government in 1977. It uses a 56-bit key, which is sometimes stored with additional parity bits, extending its length to 64 bits. DES is a block cipher and encrypts and decrypts 64-bit data blocks. It is now considered insecure. In 1998, a cracker could crack the key in 3 days.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 15

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.46

Advanced Encryption Standard (AES)


AES replaced DES. A fast block cipher, with variable key length and block sizes (each can be independently set to 128, 192 or 256 bits). An official U.S. g government standard since 2002. Now widely used for commercial and private encryption purposes. The algorithm is public, and its use is unrestricted, with no royalties or license fees owed to the inventors or the government.
V1.0 NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.47

AES
Design uses theory of finite fields, a branch of algebra. Every block of 128 bits is presented as 4 by 4 array of bytes. Every E round d except start and d end dh has 4 steps:
Substitution Shift Rows Mix Columns Add Round Key

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.48

AES The Algorithm - 1


KeyExpansion - round keys are derived from the cipher key Initial Round
- AddRoundKey - each byte of the state is combined with the round key using bitwise XOR.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 16

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.49

AES The Algorithm - 2


Rounds
- SubBytes - a non-linear substitution step where each byte is replaced with another according to a lookup table. - ShiftRows - a transposition step where each row of the state is shifted cyclically a certain number of steps. - MixColumns - a mixing operation which operates on the columns of the state, combining the four bytes in each column. - AddRoundKey

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.50

AES The Algorithm - 3


Final Round (no MixColumns)
- SubBytes - ShiftRows - AddRoundKey

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.51

AES SubBytes
Each byte is replaced with another based on a lookup table

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 17

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.52

AES ShiftRows
A transposition step where each row of the state is shifted cyclically a certain number of steps

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.53

AES MixColumns
A mixing operation which operates on the columns of the state, combining the four bytes in each column

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.54

AES AddRoundKey
Each byte of the state is combined with the round key using bitwise XOR

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 18

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Network Security and Cryptography


Topic 1 Lecture 3: Asymmetric Algorithms

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.56

Public Key Cryptography - 1


Uses asymmetric key algorithms The key used to encrypt a message is not the same as the key used to decrypt it. Each user has a p pair of cryptographic yp g p keys: y
- a public encryption key, publicly available and widely distributed. - a private decryption key, known only to the recipient.

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.57

Public Key Cryptography - 2


Messages are encrypted with the recipient's public key and can only be decrypted with the corresponding private key. The keys are related mathematically mathematically. Parameters are chosen so that determining the private key from the public key is prohibitively expensive.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 19

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.58

Public Key Cryptography The Steps


1. Each user generates a pair of keys to be used for encryption/decryption. 2. Each user places one of the keys (the public key) in a public register each user maintains a collection of public keys obtained from others. 3. If Bob sends a message to Alice, he encrypts it using Alices public key. 4. Alice decrypts it using her private key that no-one else has access to.
V1.0 NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.59

Public Key Cryptography - Analogy


An analogy to public-key encryption is that of a locked mailbox for an office.
- The mail slot is exposed and accessible to the public. - Its location (the street address) is like the public key. - Anyone knowing the street address can go to the door and drop a written message through the slot. - Only the person who possesses the key can open the mailbox and read the message.

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.60

Public Key Cryptography

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 20

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.61

Public Key Cryptography Applications


Encryption/decryption: the sender encrypts a message with the recipients public key. Digital signature (authentication): the sender signs the message with its private key; a receiver can verify the identity of the sender using senders public key. Key exchange: both sender and receiver cooperate to exchange a (session) key.

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.62

The RSA Algorithm


Stands for Rivest, Shamir and Adleman who first publicly described it. The RSA algorithm g involves three steps: p
- key generation - encryption - decryption

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.63

RSA Key Generation - 1


1. Choose two distinct prime numbers p and q.
- p and q should be chosen at random, and should be of similar bit-length

2. Compute n = pq.
- n is used as the modulus for both the public and private keys

3. Compute (n) = (p1)(q1) 4. Choose an integer e such that 1 < e < (n) and gcd(e,(n)) = 1, i.e. e and (n) are coprime.
- e is released as the public key exponent

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 21

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.64

RSA Key Generation - 2


5. Determine d = e1 mod (n); i.e. d is the multiplicative inverse of e mod (n).
- This is more clearly stated as solve for d given (d*e)mod (n) = 1, d is kept as the private key exponent.

The public key consists of the modulus n and the public (or encryption) exponent e. The private key consists of the private (or decryption) exponent d which must be kept secret.

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.65

RSA Encryption
Alice transmits her public key (n,e) to Bob and keeps the private key secret. Bob then wishes to send message M to Alice. He first turns M into an integer m, such that 0 < m < n by using an agreed-upon reversible protocol k known as a padding ddi scheme. h He then computes the ciphertext c corresponding to c = me (mod n). Bob then transmits c to Alice. Note that at least nine values of m will yield a ciphertext c equal to m, but this is very unlikely to occur in practice.
V1.0 NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.66

RSA Decryption
Alice can recover m from c by using her private key exponent d via computing m = cd (mod n). Given m, she can recover the original message M by reversing the padding scheme. A simplified example of the whole process is given in the laboratory exercises.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 22

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.67

RSA Security
Relies upon the complexity of the factoring problem. Nobody knows how to factor big numbers in a reasonable time. However, nobody has shown that the fast factoring is impossible!

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.68

Hash Functions
A hash function is a mathematical function that converts a large, possibly variably-sized amount of data into a small datum. Hashing is a method of binding the file contents together to ensure integrity.
- Like using sealing wax on an envelope. - Only by breaking the seal can the contents be accessed, and any tampering is readily apparent.

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.69

Hash Function Requirements


To be suitable for message authentication, a hash function H should have the following properties:
H can be applied to a block of data of any size H produces a fixed-length output H(x) is easy to compute for any given x For any value h it is very difficult (infeasible) to compute x such that H(x)=h - For any given x, it is very difficult (infeasible) to find y (not equal to x) such that H(x) = H(y) - It is very difficult (infeasible) to find any pair (x,y) such that H(x) = H(y)

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 23

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.70

One-Way Hash Functions


A method for message authentication is to use oneway hash functions. One-way in the name refers t the to th property t of f such h functions:
- they are easy to compute - but their reverse functions are very difficult to compute

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.71

The SHA-1 Secure Hash Algorithm


Takes as input a message with a maximum length less than 2 to power 64 bits and produces as output a 160-bit message digest. The input is processed in 512 512-bit bit blocks. blocks Each bit of the output is computed using all bits of the input.

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.72

SHA-1 Examples
SHA1("The quick brown fox jumps over the lazy dog") = 2fd4e1c6 7a2d28fc ed849ee1 bb76e739 1b93eb12 A small change in the message will, with overwhelming probability, result in a completely different hash. SHA1("The quick brown fox jumps over the lazy cog") = de9f2c7f d25e1b3a fad3e85a 0bd17d9b 100db4b3

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 24

Topic 1 Cryptography Fundamentals

Network Security and Cryptography

Cryptography Fundamentals Topic 1 - 1.73

References
NIST (Feb. 2004). Standards for Security Categorization of Federal Information and Information Systems. FIPS 199. [Available Online] http://csrc.nist.gov/publications/fips/fips199/FIPSPUB 199 fi l df PUB-199-final.pdf Stallings, W. (2010). Cryptography and Network Security: Principles and Practice. Pearson Education.

V1.0

NCC Education Limited

Cryptography Fundamentals Topic 1 - 1.74

Topic 1 Cryptography Fundamentals


Any Questions?

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 25

Topic 12 Wireless Security

Network Security and Cryptography

Network Security and Cryptography


Topic 12: Wireless Security

V1.0

NCC Education Limited

Network Security and Cryptography


Topic 11 Lecture 1: Introduction to Wireless Security & WEP

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.3

Scope and Coverage


This topic will cover:
Security issues specific to wireless networks Wireless security (WEP, WPA, WPA2) Secure network architectures for wireless deployments

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 1

Topic 12 Wireless Security

Network Security and Cryptography

Wireless Security Topic 12 - 12.4

Learning Outcomes
By the end of this topic students will be able to:
Explain the vulnerabilities inherent in wireless networks Deploy a secure network architecture for wireless access Configure Access Control Lists Encrypt and protect the wireless link

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.5

Wireless Networks
A wireless network typically has a number of wireless-enabled devices connecting to an access point Each access point connects to a wider network
- I In a home h wireless i l network t k thi this wider id network t k may be the Internet - In a business network this wider network is typically a LAN

Wireless networks are less secure than wired

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.6

WLAN

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 2

Topic 12 Wireless Security

Network Security and Cryptography

Wireless Security Topic 12 - 12.7

Wireless Network Security


Essentially a broadcast network between access point and devices Boundary of network is limited by signal strength Signal can usually be received outside of the building in which the network is based Access to network must be restricted Transmissions must be encrypted

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.8

General Security Options


In closed networks (home or an organisation) restrictions are put in place on access to the access point In open, open public networks there are no access restrictions so the network is isolated from all networks that need a level of security End to end encryption may be used for secure traffic in wireless networks that are mixed

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.9

WLAN Access Control


In 1997, the IEEE approved the IEEE 802.11 WLAN standard Access may be controlled via access to the access point (AP) Only authorised devices can connect to the AP One way: Media Access Control (MAC) address filtering

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 3

Topic 12 Wireless Security

Network Security and Cryptography

Wireless Security Topic 12 - 12.10

MAC Address Filtering


Usually implemented to permit rather than prevent

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.11

Wired Equivalent Privacy (WEP)


Original security component of 802.11 Aim: only authorized parties can view transmitted wireless information Uses encryption yp to p protect traffic Designed as an efficient and reasonably strong security Has numerous security flaws and has been superseded by Wi-Fi Protected Access (WPA)

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.12

WEP Encryption
Uses the RC4 stream cipher for confidentiality Uses the CRC-32 checksum for integrity Secret keys can be 64 or 128 bits long
- Some vendors do supply 256-bit key version

Can hold up to four shared secret keys


- One key is designated as the default key

Key size is one of the security limitations in WEP

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 4

Topic 12 Wireless Security

Network Security and Cryptography

Wireless Security Topic 12 - 12.13

WEP Encryption Keys


A 64-bit WEP key has a 40-bit key (10 hexadecimal characters) plus a 24-bit initialisation vector (IV) A 128-bit WEP key has a 104-bit key (26 hexadecimal characters) plus a 24-bit IV An IV is a continuously changing value used in combination with a secret key to encrypt data
- Prevents sequences of identical text from producing the same exact ciphertext when encrypted

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.14

Open System Authentication


Client device, e.g. laptop, does not provide any authentication to the Access Point
- Any wireless-enabled device within range can authenticate with the Access Point

The effect is that no real authentication occurs WEP encryption keys are used for encrypting data frames on the wireless network The client must have the correct keys at this point

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.15

Shared Key Authentication


A five step handshake process: 1.Authentication request from client to Access Point 2.Access Point replies with a clear-text challenge 3 Client encrypts challenge-text 3.Client challenge text using the WEP key 4.Client sends encrypted text back in another authentication request 5.AP decrypts the response if it matches the challenge-text, AP sends a positive reply

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 5

Topic 12 Wireless Security

Network Security and Cryptography

Wireless Security Topic 12 - 12.16

Shared Key Authentication


After authentication the WEP key is used for encryption using RC4 Shared Key authentication is less secure than Open System authentication The key used for the handshake can be derived by capturing the challenge frames Both authentication mechanisms are weak

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.17

WEP Weaknesses
The 24-bit IV is too short and repeats after some time
- there is a 50% probability the same IV will repeat after 5000 packets

Packets can be replayed so that the access point broadcasts Ivs With the right equipment, WEP can be cracked in a few minutes at most

V1.0

NCC Education Limited

Network Security and Cryptography


Topic 12 Lecture 2: WPA, WPA2 and Wireless Architecture

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 6

Topic 12 Wireless Security

Network Security and Cryptography

Wireless Security Topic 12 - 12.19

Wi-Fi Protected Access (WPA)


Aim: to protect present and future wireless devices
- Authentication - Encryption

Developed in response to the weaknesses in WEP WPA implements most of the IEEE 802.11i standard WPA2 is fully compliant with the IEEE 802.11i standard
- This has been incorporated into IEEE 802.11-2007

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.20

IEEE 802.11i
Implemented as WPA2 Uses Counter Mode with Cipher Block Chaining Message Authentication Code Protocol, also known as CCM mode Protocol (CCMP)
- AES based block cipher - Replacing the RC4 stream cipher of WEP

Has been mandatory for Wi-Fi certified devices since 2006

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.21

CCMP
More secure than the protocols in WEP & WPA Uses a 128-bit key Uses a 128-bit block size Provides:
- Data Confidentiality - only authorized parties have access - Authentication proves user identity - Access control - in conjunction with layer management
V1.0 NCC Education Limited

V1.0

Visuals Handout Page 7

Topic 12 Wireless Security

Network Security and Cryptography

Wireless Security Topic 12 - 12.22

Pre-shared Key (PSK) Mode


Also known as Personal mode Used for home and small office networks
- No advanced server capabilities

Does not require an authentication server Wireless Wi l network t k client li t d devices i authenticate th ti t di directly tl with the access point They all use the same 256-bit key Keys are automatically changed and authenticated after a set period of time

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.23

PSK Mode Weaknesses


Keys sent via e-mail or other insecure methods Changing the PSK key is awkward:
- Must type new key on every wireless device - Must type new key on all access points

I In order d to t allow ll a guest t user to t have h access to t a network the key must be given to that guest PSK is a 64-bit hexadecimal number generated from a passphrase
- Passphrase could be open to dictionary attack

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.24

Enterprise Mode
Designed for enterprise networks Provides authentication using IEEE 802.1X and Extensible Authentication Protocol (EAP) Requires a Remote Authentication Dial In User Service (RADIUS) authentication server or similar More complex but provides additional security
- For example against dictionary attacks

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 8

Topic 12 Wireless Security

Network Security and Cryptography

Wireless Security Topic 12 - 12.25

IEEE 802.1X
IEEE Standard for Port-based Network Access Control (PNAC) Requires three parties:
- a supplicant the client device wishing to connect - an authenticator the access point - an authentication server a host running software that supports RADIUS and EAP

Client device only has access through the authenticator when validated and authorized

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.26

EAP
The authentication framework utilised by wireless networks Supplies functions and negotiation of authentication methods
- Called EAP methods

Provides a secure authentication mechanism Negotiates a secure private key between authenticator and client

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.27

IEEE 802.1X Authentication


Initialisation - when new supplicant detected, the port on the authenticator is enabled and set to the unauthorised state Initiation
- Authenticator transmits EAP-Request Identity frames - Supplicant listens and responds with an EAP-Response Identity frame containing an identifier, e.g. user ID - Authenticator then encapsulates this in a RADIUS Access-Request packet and sends to authentication server

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 9

Topic 12 Wireless Security

Network Security and Cryptography

Wireless Security Topic 12 - 12.28

IEEE 802.1X Authentication


Negotiation
- Authentication server replies to the authenticator with EAP Request specifying the EAP Method - Authenticator encapsulates the EAP Request and transmits to supplicant

Authentication
- If EAP Method is agreed, EAP Requests and Responses are sent between supplicant and authentication server until the server responds with EAP-Success message - Authenticator sets port to the authorised state and traffic is allowed

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.29

RADIUS
Protocol providing a centralised Authentication, Authorization, and Accounting (AAA) service Management for the authorisation of computers wishing to connect to a network Client/server protocol Runs in the application layer of the OSI model Uses UDP for transport
- assigned UDP ports 1812 for RADIUS Authentication and 1813 for RADIUS Accounting

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.30

RADIUS Functions
A RADIUS Server has three main functions:
- Authenticating users and/or devices and providing permission for them to access the network - Authorising users and/or devices for specific services on the network - Accounting for usage of network services

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 10

Topic 12 Wireless Security

Network Security and Cryptography

Wireless Security Topic 12 - 12.31

WPA2 Sessions Key


WPA2 creates a new session key with every association The encryption key for each client is unique and specific to that client Every packet is encrypted with a unique key Never reusing keys is good security practice

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.32

Wireless Network Architecture


When planning a wireless network you need to determine which WLAN architecture to adopt Architecture comes in two main categories:
- Standalone access points - Centrally coordinated access points

Both have benefits Suited to different environments.

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.33

Standalone Access Points


Functionality of each access point enables wireless services, authentication and security
All access points operate independently Encryption/decryption at the access point Each access point has its own configuration file Large networks rely on a management application Network configuration is static and does not respond to changing network conditions

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 11

Topic 12 Wireless Security

Network Security and Cryptography

Wireless Security Topic 12 - 12.34

Standalone Access Points


Well suited in environments where:
- There is a small isolated wireless coverage area requiring only a few access points - There is a need for wireless bridging from a main building to another building

The operational overhead to manage and maintain a wireless network increases with the size of the network

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.35

Co-ordinated Access Points


Has thin access points Centralized controller handles:
Roaming Authentication Encryption/decryption Load balancing RF monitoring Performance monitoring Location services

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.36

Co-ordinated Access Points


Configuration is done at the controller Adding additional APs is simple, just plug in to network Redundancy can be provided through extra redundant controllers
- Become active if problems with a neighbouring AP

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 12

Topic 12 Wireless Security

Network Security and Cryptography

Wireless Security Topic 12 - 12.37

Co-ordinated Access Points


Ideal where:
- There are large wireless coverage areas
requiring multiple radio ports perhaps alongside smaller isolated coverage areas

- Network self-healing is required - Redundancy is required

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.38

Benefits of Co-ordinated APs


Lower operational costs. Ease of deployment and management Greater availability Easier to respond to changes in the network performance Better return on investment Fast client roaming Better Quality-of-Service

V1.0

NCC Education Limited

Wireless Security Topic 12 - 12.39

References
Tanenbaum, A.S. (2003). Computer Networks. 4th Edition. Prentice Hall. g , W. (2010). ( ) Cryptography yp g p y and Network Stallings, Security: Principles and Practice. 5th Edition. Pearson Education.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 13

Topic 12 Wireless Security

Network Security and Cryptography

Wireless Security Topic 12 - 12.40

Topic 12 Wireless Security


Any Questions?

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 14

Topic 2 PKI

Network Security and Cryptography

Network Security and Cryptography


Topic 2: PKI

V1.0

NCC Education Limited

Network Security and Cryptography


Topic 2 Lecture 1: The Public Key Infrastructure

V1.0

NCC Education Limited

PKI Topic 2 - 2.3

Scope and Coverage


This topic will cover:
The Public Key Infrastructure Digital Signatures Certification Authorities Digital Certificates

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 1

Topic 2 PKI

Network Security and Cryptography

PKI Topic 2 - 2.4

Learning Outcomes
By the end of this topic students will be able to:
Describe the Public Key Infrastructure Explain digital signatures Explain the role of Certification Authorities

V1.0

NCC Education Limited

PKI Topic 2 - 2.5

Overview
This topic provides an overview to the key terms and concepts used in a PKI including:
Encryption Public keys Private keys Digital signatures Digital certificates

V1.0

NCC Education Limited

PKI Topic 2 - 2.6

What is PKI?
Public Key Infrastructure (PKI) is a security architecture that has been introduced to provide an increased level of confidence for exchanging information over the Internet. It is defined in 2 ways:
- The method, technology and technique used to create a secure data infrastructure. - The use of the public and private key pair to authenticate and for proof of content.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 2

Topic 2 PKI

Network Security and Cryptography

PKI Topic 2 - 2.7

Benefits of PKI
PKI aims to offer its users the following benefits:
- Certainty regarding the quality of information transmitted electronically - Certainty of the source and destination of such information - Assurance of the time and timing of such information - Certainty of the privacy of such information - Assurance that such information may be used as evidence in a court of law

V1.0

NCC Education Limited

PKI Topic 2 - 2.8

Use of PKI
To support secure information exchange over insecure networks.
- e.g. the Internet where such features cannot be provided easily

For information exchange e change over o er private pri ate networks. net orks
- e.g. an organisations internal network

To securely deliver cryptographic keys. To facilitate other cryptographically delivered security services.

V1.0

NCC Education Limited

PKI Topic 2 - 2.9

How Does PKI Work?


PKI uses a mathematical technique called public key cryptography. A pair of related cryptographic keys are used. Verifies the identity of the sender (through signing) Ensures privacy (through encryption of data)

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 3

Topic 2 PKI

Network Security and Cryptography

PKI Topic 2 - 2.10

Public Key Cryptography


Uses a pair of mathematically related cryptographic keys. One key is used to encrypt information. Only the related key can decrypt that information. Knowledge of one key does not allow you to calculate the other.
- Or it is extremely difficult

V1.0

NCC Education Limited

PKI Topic 2 - 2.11

Public Keys and Private Keys


The public key is made public - it is freely distributed and can be seen by all users. A corresponding (and unique) private key is kept secret and is not shared amongst users users. Your private key enables you to prove that you are who you claim to be.

V1.0

NCC Education Limited

PKI Topic 2 - 2.12

Asymmetric v Symmetric
Asymmetric Two keys, one each for encrypting and decrypting Can identify y sender or recipient based on encryption/decryption using private key which is known to one entity in the communication Symmetric Same key for encrypting and decrypting Cannot be used to identify y sender or recipient as all parties involved know the same key

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 4

Topic 2 PKI

Network Security and Cryptography

PKI Topic 2 - 2.13

Public Key Encryption


When a person wants to send confidential data to a private key holder:
- They encrypt the data.
The data is encrypted using a secret key algorithm (symmetric ( y cryptography) yp g p y) which is much faster than the asymmetric cryptography.

- A random session key is generated using a symmetric algorithm to encrypt the data. - The public key is then used to encrypt that key and both are sent securely to the recipient.

V1.0

NCC Education Limited

PKI Topic 2 - 2.14

Private Key Decryption


When a private key holder receives confidential data: - If the private key can decrypt the data, the user is certain that the data is meant for him/her but cannot identify the originator. - The private key decrypts the session key. - The decrypted session key is used to decrypt the actual data. This is more secure as the session key has to be decrypted first in order to proceed to the next process of decrypting the data.

V1.0

NCC Education Limited

PKI Topic 2 - 2.15

Digital Signature
A digital signature is a unique, encrypted numerical value. It differs each time it is generated and is used to prove the ownership or copyright of data. A hashing algorithm is performed on the document to be signed producing a unique numerical value.
- This is why it differs each time it is generated

This is then encrypted using a private cryptographic key and links the result to the document.
V1.0 NCC Education Limited

V1.0

Visuals Handout Page 5

Topic 2 PKI

Network Security and Cryptography

PKI Topic 2 - 2.16

Using a Private Key for Signature


To prove you are the source of data, use a private key to digitally sign it. The encrypted value is sent either at the end of the data or as a separate file with the message. The corresponding public key may also be sent either on its own or as a certificate. This does not prove anonymity as anyone receiving the protected or digitally signed data can easily check the signature, read and process the data.
V1.0 NCC Education Limited

PKI Topic 2 - 2.17

Using a Public Key for Signature - 1


The message receiver can use the correct public key to verify the digital signature as follows: 1.The correct public key is used by the receiver to decrypt the hash value which was calculated by the sender for the data. 2.Then, using the hashing algorithm, the hash value of the data received is calculated.

V1.0

NCC Education Limited

PKI Topic 2 - 2.18

Using a Public Key for Signature - 2


3. The newly calculated hash value is compared to the hash value calculated by the sender. If the two values are the same, the receiver knows that the data was sent originally by the owner of the private key and the data has not been edited since it was signed. 4. If a public key certificate was sent together with the data, it is then validated with the Certificate Authority (CA) that issued the certificate.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 6

Topic 2 PKI

Network Security and Cryptography

PKI Topic 2 - 2.19

Receiving a Document
You receive a document via email. This was digitally signed by the sender by calculating a hash value for the document and encrypting it with their private key. You calculate a hash value for the same document and decrypt the encrypted hash value.
- If the both values are the same, this verifies the sender and that the document has not been edited. - If the two values don't match, then the document has been edited or the sender is not who they claim to be.

V1.0

NCC Education Limited

PKI Topic 2 - 2.20

Summary
Public Key Cryptography is the encryption & decryption and signing/verification of data.
- Ensures privacy between sender and receiver of the y directly y preventing p g unintended disclosure of data by the data. - Identifies the sender of the data by authentication. - Ensures that the data has not been modified or tampered with.

V1.0

NCC Education Limited

Network Security and Cryptography


Topic 2 Lecture 2: The Public Key Infrastructure

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 7

Topic 2 PKI

Network Security and Cryptography

PKI Topic 2 - 2.22

What is a Digital Certificate?


A digital document that binds your public key to an identity that the issuing Certification Authority (CA) is willing to vouch for. Users of the popular encryption software Pretty Good Privacy*(PGP) have the ability to generate their own digital certificates. Otherwise you will have to approach a Certification Authority (CA) in order to validate your identity.
* More on this in Topic 4

V1.0

NCC Education Limited

PKI Topic 2 - 2.23

Digital Certificate Usage


A digital certificate issued by one of the public CAs will contain information in the key usage field of the certificate. This means that the private key may be used for specific p p purposes p such as:
digital signatures certificate signing encipher or decipher only key encipherment data encipherment

V1.0

NCC Education Limited

PKI Topic 2 - 2.24

Checking Usage
Key usage may be set in the certificate but this does not ensure that the software which uses the public key has done any checks on the content of the certificate. Someone receiving a digitally signed document needs to check if the key was authorized for what it has been used for.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 8

Topic 2 PKI

Network Security and Cryptography

PKI Topic 2 - 2.25

Certificate Standards
The data in a certificate usually conforms to the ITU (IETF) standard X.509. Includes information about:
the identity of the owner of the corresponding private key the length of the key the algorithm used by the key the associated hashing algorithm dates of validity of the certificate the actions that the key can be used for

V1.0

NCC Education Limited

PKI Topic 2 - 2.26

The Components of a PKI


Certification Authority (CA) Revocation Registration Authority (RA) Certificate Publishing Methods Certificate Management System PKI-aware Applications

V1.0

NCC Education Limited

PKI Topic 2 - 2.27

Certification Authority (CA)


Issues and verifies certificates. Takes responsibility for identifying (to a stated extent) the correctness of the identity of the person asking for a certificate to be issued. issued Ensures that the information contained within the certificate is correct and digitally signs it.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 9

Topic 2 PKI

Network Security and Cryptography

PKI Topic 2 - 2.28

CA Generating Key Pairs


The CA may generate a public key and a private key for their client. Alternatively the person applying for a certificate may generate their own key pair and send a signed request containing their public key to the CA.
- The person applying for a certificate may prefer to do this to ensure that the private key never leaves their own control.

V1.0

NCC Education Limited

PKI Topic 2 - 2.29

CA Issuing Digital Certificates


The CA will make a variety of checks to prove your identity. The CA may state the quality of the checks that were carried out before the certificate was issued. issued Different classes of certificate can be purchased that correspond to the different levels of these checks.

V1.0

NCC Education Limited

PKI Topic 2 - 2.30

CA Digital Certificate Classes


Class 1 certificates can be easily acquired by supplying an email address. Class 2 certificates require additional personal information to be supplied. Class 3 certificates can only be purchased after detailed checks have been made. A 4th class may be used by governments and organisations needing very high levels of checking.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 10

Topic 2 PKI

Network Security and Cryptography

PKI Topic 2 - 2.31

CA Digital Certificates
A person may have many certificates issued by many CAs. Some applications may insist that you use certificates issued by certain CAs. The CA may be:
- part of your own organisation - a company (e.g. a bank or a post office) - or an independent entity (e.g. VeriSign)

V1.0

NCC Education Limited

PKI Topic 2 - 2.32

CA Verifying Digital Certificates


The public key certificate is signed by the CA to prevent its modification or falsification. This is used when checking the public key is valid. The signature is validated against a list of 'Root CAs' contained within various 'PKI aware' applications such as your browser. Certificate validation occurs automatically using the public certificate contained within the root CA list.
V1.0 NCC Education Limited

PKI Topic 2 - 2.33

Revocation
There is a system for making it known that certificates are no longer valid (revoked). A system of revocation lists has been developed that exists outside the directory/database that stores certificates.
- It is a list of certificates that are no longer valid.

Revocation lists may be publicly available as certificates may have been widely distributed.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 11

Topic 2 PKI

Network Security and Cryptography

PKI Topic 2 - 2.34

Registration Authority (RA)


A registration authority is a third-party used by the CA to perform checks on the person or company applying for the certificate to ensure that they are who they claim to be. RAs may appear to the requestor of the certificate as CAs but they don't digitally sign the certificate.

V1.0

NCC Education Limited

PKI Topic 2 - 2.35

Certificate Publishing Methods


PKI systems require the publishing of certificates so that users can find them. There are two means of doing this:
- Publishing it in the equivalent of an electronic telephone directory - Sending it to parties who might need it

V1.0

NCC Education Limited

PKI Topic 2 - 2.36

Publishing in Directories
Directories are databases that are X.500/LDAP compliant.
- The databases contain certificates in the X.509 format. - They provide specific search facilities which are specified in the LDAP standards p published by y the IETF.

Directories can be public or remain private:


- Private directories usually contain confidential data that the owner does not wish to be publicly accessible. - Public directories contain information which can be read by anyone with access to them.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 12

Topic 2 PKI

Network Security and Cryptography

PKI Topic 2 - 2.37

Publishing in Databases
Databases can be configured to accept X.509 format certificates. This can be done for private systems where search methods do not follow the LDAP structure. structure This method is not used for public directories because it is essentially a proprietary system.

V1.0

NCC Education Limited

PKI Topic 2 - 2.38

Sending to Potential Users


Certificates can be sent through email so that the recipient can add them to their server or desktop. Certificates can also be carried in portable storage media such as:
- DVDs - CDs - USB storage devices

V1.0

NCC Education Limited

PKI Topic 2 - 2.39

Certificate Management System


Systems that manage certificates:
publish suspend renew Revoke

Do not usually delete certificates because they may be required for future legal reasons. Typically a CA will run these systems to keep track of their certificates.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 13

Topic 2 PKI

Network Security and Cryptography

PKI Topic 2 - 2.40

PKI Aware Applications


Applications are those that have had a particular CA software supplier's toolkit added to them.
- enables them to use the supplier's CA and certificates to implement PKI functions.

These applications have no knowledge base built in to them about what the security requirements really are, or which PKI services are relevant in their delivery.

V1.0

NCC Education Limited

PKI Topic 2 - 2.41

References
Stallings, W. (2010). Cryptography and Network Security: Principles and Practice. Pearson Education. Network Working Group (1999). Internet X.509 Public Key Infrastructure [Available Online] http://www.ietf.org/rfc/rfc2459.txt

V1.0

NCC Education Limited

PKI Topic 2 - 2.42

Topic 2 PKI
Any Questions?

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 14

Topic 3 Web Security

Network Security and Cryptography

Network Security and Cryptography


Topic 3: Web Security

V1.0

NCC Education Limited

Network Security and Cryptography


Topic 3 Lecture 1: Web Security and IPSEC

V1.0

NCC Education Limited

Web Security Topic 3 - 3.3

Scope and Coverage


This topic will cover:
Overview of web security IPSEC SSL/TLS HTTPS

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 1

Topic 3 Web Security

Network Security and Cryptography

Web Security Topic 3 - 3.4

Learning Outcomes
By the end of this topic students will be able to:
Explain the concept of web security with SSL/TLS Demonstrate applying for and deploying a Digital Certificate

V1.0

NCC Education Limited

Web Security Topic 3 - 3.5

Web Security
The Web presents us with some security issues that may not be present in other networks:
Two-way systems Multiple types of communication Importance to business Complex software Multiple connections to a server Untrained users

V1.0

NCC Education Limited

Web Security Topic 3 - 3.6

Two-way Systems
The Web works on a client-server model that allows communication in both directions:
- Server sends files to clients - Clients send files to servers

Servers must be protected from malicious content uploaded by clients:


- Deliberate upload - Accidental upload, e.g. unwittingly uploading an infected file

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 2

Topic 3 Web Security

Network Security and Cryptography

Web Security Topic 3 - 3.7

Multiple Types of Communication


The web does not deal with a limited small number of file types:
Text Image Video Sound

The web delivers real-time content. Multiple file types = multiple security threats
V1.0 NCC Education Limited

Web Security Topic 3 - 3.8

Importance to Business
Used to supply corporate information Used to supply product/service information Used for business transactions including financial transactions
- banking, online shops, ordering systems, etc.

If web servers are compromised, there may be very serious consequences to a business.
- Loss of money & trade - Loss of reputation

V1.0

NCC Education Limited

Web Security Topic 3 - 3.9

Complex Software
Servers are relatively easy to set up and configure. It is simple to create web content.
- Even complex looking web applications are often simple to create

This simplicity is made possible by complex underlying software. Complex software often has undetected security holes.
- You can be sure that someone will detect them!

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 3

Topic 3 Web Security

Network Security and Cryptography

Web Security Topic 3 - 3.10

Multiple Connections
The Web works because there are multiple connections to a server. Different servers are connected to each other. What happens pp if a server is subverted and a malicious attacker gains control?
- How many clients will be affected? - How many other servers will be affected?

An attack could have widespread consequences.

V1.0

NCC Education Limited

Web Security Topic 3 - 3.11

Untrained Users
The Web is used by many, many clients with no training or understanding of security issues.
- How many people surf the Internet without antivirus software? - Add in the people who have out of date virus definitions

Many people do not have the tools or knowledge to deal with threats on the Web. These same people will be interacting with servers around the world.
V1.0 NCC Education Limited

Web Security Topic 3 - 3.12

Traffic Security
Maintaining the security of a server as a piece of hardware is not fundamentally different to general computer security. We will concentrate on the security of Web traffic
- At the Network level (IPSec) - At the Transport level (SSL/TLS)

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 4

Topic 3 Web Security

Network Security and Cryptography

Web Security Topic 3 - 3.13

TCP/IP and the OSI Model

V1.0

NCC Education Limited

Web Security Topic 3 - 3.14

Network Level Security


IPSec
HTTP FTP SMTP

TCP

IP/IPSec

V1.0

NCC Education Limited

Web Security Topic 3 - 3.15

Transport Level Security


SSL/TLS
HTTP FTP SMTP

SSL or TLS TCP

IP

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 5

Topic 3 Web Security

Network Security and Cryptography

Web Security Topic 3 - 3.16

IP Security (IPSec)
Provides security services at the IP layer for other TCP/IP protocols and applications to use Provides the tools that devices on a TCP/IP network need in order to communicate securely
- When two devices wish to securely communicate, they create a secure path between themselves that may traverse across many insecure intermediate systems.

V1.0

NCC Education Limited

Web Security Topic 3 - 3.17

Steps for an IPSec Connection


1. Agree on a set of security protocols to use so that data is in a format both parties can understand. 2. Decide on an encryption algorithm to use in encoding data. 3. Exchange the keys that are used to decrypt the cryptographically encoded data. 4. Use the protocols, methods and keys agreed upon to encode data and send it across the network.

V1.0

NCC Education Limited

Web Security Topic 3 - 3.18

IPSec Core Protocols


IPSec Authentication Header (AH)
Provides authentication services Verifies the originator of a message Verifies that the data has not been changed on route P id protection Provides t ti against i t replay l attacks tt k

Encapsulating Security Payload (ESP)


- AH ensures integrity but not privacy - Datagram can be further protected using ESP - Encrypts the payload of the IP datagram

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 6

Topic 3 Web Security

Network Security and Cryptography

Web Security Topic 3 - 3.19

Support Protocols & Mechanisms


The core protocols are quite generic and rely on other protocols and mechanisms to be agreed. Common algorithms used are MD5 and SHA-1 IPSec provides flexibility in letting devices decide how they want to implement security.
- Security policies and security associations are created.

Devices need a way to exchange security information.


- The Internet Key Exchange (IKE) provides this.

V1.0

NCC Education Limited

Web Security Topic 3 - 3.20

IPSec Applications
Securing a companys Virtual Private network (VPN) over the Internet Securing remote access over the Internet Establishing connections with partners via an extranet Enhancing eCommerce security by adding to the security mechanism in the application layer

V1.0

NCC Education Limited

Web Security Topic 3 - 3.21

IPSec Advantages
Can be applied to a firewall or router and apply to all traffic across that boundary It is transparent to applications. It is transparent to end users. It can provide security for individual users if required.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 7

Topic 3 Web Security

Network Security and Cryptography

Network Security and Cryptography


Topic 3 Lecture 2: SSL/TLS and HTTPS

V1.0

NCC Education Limited

Web Security Topic 3 - 3.23

Secure Socket Layer (SSL)


Originally developed by Netscape in 1995 to provide secure and authenticated connections between browsers and servers Provides transport layer security Transport Layer Security (TLS) Version 1 is essentially SSLv3.1

V1.0

NCC Education Limited

Web Security Topic 3 - 3.24

SSL Architecture
SSL uses TCP to provide a reliable and secure endto-end service. It is not a single protocol but two layers of protocols (see next slide) slide). The Hypertext Transfer Protocol (HTTP) used for server/client interaction on the Internet can operate on top of the SSL Record Protocol.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 8

Topic 3 Web Security

Network Security and Cryptography

Web Security Topic 3 - 3.25

SSL Architecture
SSL Handshake Protocol SSL Change Cipher Spec Protocol SSL Alert Protocol HTTP

SSL Record Protocol TCP IP

V1.0

NCC Education Limited

Web Security Topic 3 - 3.26

SSL Connections
A connection is a transport* that provides a suitable service. SSL connections are peer-to-peer relationships. These SSL connections are transient.
- They only last for a certain length of time.

Each connection is associated with a session.


*as defined by the OSI model

V1.0

NCC Education Limited

Web Security Topic 3 - 3.27

SSL Sessions
A session in SSL is an association between a client and a server. Such sessions are created by the SSL Handshake Protocol. A session i d defines fi the h security i parameters. A session may be shared by multiple connections.
- Allows the same settings to be used by many connections without the need for repeatedly sending the security parameters

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 9

Topic 3 Web Security

Network Security and Cryptography

Web Security Topic 3 - 3.28

SSL Record Protocol - 1


Provides two services for SSL connections
- Confidentiality - Integrity

Transmitted T itt d data: d t


Fragmented into manageable blocks Compressed (optional) Encrypted Header added and transmitted in a TCP segment

V1.0

NCC Education Limited

Web Security Topic 3 - 3.29

SSL Record Protocol - 2


Received data:
Decrypted Verified Decompressed Reassembled Delivered to higher level users

V1.0

NCC Education Limited

Web Security Topic 3 - 3.30

SSL Change Cipher Spec Protocol


Very simple One single byte containing the value 1 Has one single purpose:
- Causes the pending state to be copied into the current state - This updates the cipher suite to be used on a connection.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 10

Topic 3 Web Security

Network Security and Cryptography

Web Security Topic 3 - 3.31

SSL Alert Protocol


Used to convey SSL alerts to the peer entity Alert messages are compressed and encrypted as specified by the session. Each message consists of two bytes:
- The first values indicates a warning or fatal alert - The second indicates the type of alert

A fatal alert will cause SSL to immediately terminate the connection, but not other connections on the same session.

V1.0

NCC Education Limited

Web Security Topic 3 - 3.32

SSL Alert Types


There are a number of alerts including the following. The top four are fatal:
unexpected_message decompression_failure h d h k f il handshake_failure illegal_parameter close_notify no_certificate certificate_revoked

V1.0

NCC Education Limited

Web Security Topic 3 - 3.33

SSL Handshake Protocol - 1


The most complex part of SSL Allows server and client to authenticate each other Allows server and client to negotiate the encryption algorithms g and keys y that be used to p protect data in an SSL record This protocol is used before any application data is sent.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 11

Topic 3 Web Security

Network Security and Cryptography

Web Security Topic 3 - 3.34

SSL Handshake Protocol - 2


Consists of a series of messages, all with the same format Each message has 3 fields
- Type (1 byte) indicates 1 of 10 message types - Length (3 bytes) the length of the message in bytes - Content (0 or more bytes) parameters associated with the message

V1.0

NCC Education Limited

Web Security Topic 3 - 3.35

Messages
The series of messages are initiated by the client. The first phase establishes the security credentials. The second phase involves authenticating the server and exchanging g g keys. y The third phase involves authentication the client and exchanging keys. The fourth phase is completing the exchange.

V1.0

NCC Education Limited

Web Security Topic 3 - 3.36

HTTPS
HTTP over SSL/TLS Used to create secure communications between a Web browser and Web server Built into modern browsers Requires server to support HTTPS communication
- For example, at the time of writing, the Google search engine does not support connections via HTTPS

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 12

Topic 3 Web Security

Network Security and Cryptography

Web Security Topic 3 - 3.37

HTTPS Compared to HTTP


URL begins with https:// rather than http:// HTTPS connections use port 443 whereas HTTP uses port 80.
- Port 443 invokes SSL

If all is well, the browser will typically show a padlock or some other symbol to indicate the use of SSL/TLS.

V1.0

NCC Education Limited

Web Security Topic 3 - 3.38

HTTPS and Encryption


The following elements of an HTTPS communication are encrypted:
- URL of the requested document - Contents of the document - Contents of browser forms
The fields filled in by the user in the browser

- Cookies
From server to browser From browser to server

- Contents of the HTTP header

V1.0

NCC Education Limited

Web Security Topic 3 - 3.39

SSL Advantages
It is independent of the applications once a connection has been created.
- After the initiating handshake, it acts as a secure tunnel through which you can send almost anything.

Has several implementation packages, both commercial and freely available


- All major platforms (Windows, Linux, etc.) support SSL - No requirement for extra software packages

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 13

Topic 3 Web Security

Network Security and Cryptography

Web Security Topic 3 - 3.40

SSL Disadvantages
The extra security comes with extra processing overhead. This overhead is largely at the server end. Means communications using g SSL/TLS are a slower than those without it
- Some sources suggest that HTTPS communication can be up to three time slower than HTTP. - With modern browsers, servers and connection speeds, this should not cause significant problems.

V1.0

NCC Education Limited

Web Security Topic 3 - 3.41

SSL/TLS Broken
September 2011 - appears SSL/TLS cryptography has been broken by researchers This has major implications for the secure communications via the Internet
Reference for news emerging (September 2011): http://www.computerweekly.com/Articles/2011/09/22/247969/Researchers-claim-to-havebroken-SSLTLS-encryption.htm

V1.0

NCC Education Limited

Web Security Topic 3 - 3.42

References
Stallings, W. (2010). Cryptography and Network Security: Principles and Practice. Pearson Education. Thomas, S.A. (2000). SSL & TLS Essentials: Securing the Web. Wiley.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 14

Topic 3 Web Security

Network Security and Cryptography

Web Security Topic 3 - 3.43

Topic 3 Web Security


Any Questions?

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 15

Topic 4 Email Security

Network Security and Cryptography

Network Security and Cryptography


Topic 4: Email Security

V1.0

NCC Education Limited

Network Security and Cryptography


Topic 4 Lecture 1: Email Security Threats

V1.0

NCC Education Limited

Email Security Topic 4 - 4.3

Scope and Coverage


This topic will cover:
Email security threats Email security solutions PGP S/MIME

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 1

Topic 4 Email Security

Network Security and Cryptography

Email Security Topic 4 - 4.4

Learning Outcomes
By the end of this topic students will be able to:
Describe email security mechanisms Digitally sign an email

V1.0

NCC Education Limited

Email Security Topic 4 - 4.5

Importance of Email
Business has come to rely on email as a means of communication:
- fast - cost cost-effective effective - easy collaboration and information-sharing

Email has become the primary method for corresponding with colleagues, customers, and business partners

V1.0

NCC Education Limited

Email Security Topic 4 - 4.6

Email Security Threats


Viruses can corrupt mission-critical documents and applications Hackers will try to obtain confidential information Spam can greatly deteriorate the performance of other components within the communications infrastructure Threats can stop business systems and missioncritical activities

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 2

Topic 4 Email Security

Network Security and Cryptography

Email Security Topic 4 - 4.7

Viruses
Viruses are very sophisticated and often appear to be harmless correspondence:
- personal communication - jokes - marketing promotions

Most viruses require recipients to download attachments in order to spread Some are designed to launch automatically, with no user action required

V1.0

NCC Education Limited

Email Security Topic 4 - 4.8

Protection from Viruses


Email security solutions offer highly advanced virus protection:
- automatically scan all ingoing and outgoing g messages - automatically scan all attachments - automatic update capabilities

New threats emerge all the time and updates offer protection from all the latest threats

V1.0

NCC Education Limited

Email Security Topic 4 - 4.9

Spam
A large proportion of all corporate email is spam Spam costs US business billions of dollars in lost productivity and system slow-downs annually Most spam is annoying and slows down the network Hackers may sometimes disguise viruses, spyware, and malware as innocent-looking spam

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 3

Topic 4 Email Security

Network Security and Cryptography

Email Security Topic 4 - 4.10

Protection from Spam


Email security packages usually contain spam filters that:
Identify non-relevant communications Use key words and phrases May also use format, size, or ratio of graphics to text Spam is moved to a separate folder or deleted from email server - May also block email addresses that are known to have sent spam, preventing further disruptive emails

V1.0

NCC Education Limited

Email Security Topic 4 - 4.11

Phishing
Used for identity theft and fraud Posing as authorised emails from trustworthy institutions Attempt to get recipients to surrender personal information such as bank account details Most are aimed at individuals Some have targeted smaller businesses

V1.0

NCC Education Limited

Email Security Topic 4 - 4.12

Protection from Phishing


Email security packages provide anti-phishing protection Combination of methods:
Authentication Detection Prevention Reporting

Enables threat analysis, attack prioritisation and response to minimise risk and impact of phishing

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 4

Topic 4 Email Security

Network Security and Cryptography

Email Security Topic 4 - 4.13

Spyware
Enables hackers to record activities and data from the infected computer Done via a program that dynamically gathers information and transmits it via an Internet connection Often bundled in with shareware and freeware programs Usually installs and runs without user knowledge

V1.0

NCC Education Limited

Email Security Topic 4 - 4.14

Protection from Spyware


Firewalls alone are insufficient Email security packages will scan devices regularly for spyware programs Blocks known spyware programs before they can be downloaded and installed

V1.0

NCC Education Limited

Email Security Topic 4 - 4.15

Email Authentication
Aims to provide enough information to the recipient so that they know the nature of the email A valid identity on an email is a vital step in stopping spam, forgery, fraud, and other serious crimes SMTP was not designed with security in mind and thus had no formal verification of the sender Signing emails identifies the origin of a message, but not if it should be trusted

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 5

Topic 4 Email Security

Network Security and Cryptography

Email Security Topic 4 - 4.16

Authenticating Source IP Address


TCP allows an email recipient to automatically verify the message senders IP address This does not verify the identity of the sender Forged headers can be used to create a spam message that appears to be real The sending IP address may belong to a zombie machine under the control of a hacker

V1.0

NCC Education Limited

Email Security Topic 4 - 4.17

Blacklisting IP Addresses
The IP addresses originating spam and phishing emails can be blacklisted so that future email from them is not received but either quarantined or deleted Many IP addresses are dynamic
Change frequently An organisation has a block of IP addresses IP addresses are allocated when needed May get a new address every time a connection is made

Therefore, spammer will not have a permanent IP address


V1.0 NCC Education Limited

Email Security Topic 4 - 4.18

Controlling Traffic
Some ISPs use techniques to prevent spamming by their customers:
- Port 25 can be blocked so that port 587 is used and that requires authentication - Limiting the number of received headers in relayed mail - Infected computers can be cleaned and patched - Outgoing email can be monitored for any sudden increase in flow or in content (a typical spam signature)

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 6

Topic 4 Email Security

Network Security and Cryptography

Email Security Topic 4 - 4.19

Other Email Threats


So far we have not even mentioned the following issues:
- Sensitive information transmitted unencrypted between mail server and client may be intercepted - All popular email communication standards default to sending usernames, passwords, and email messages unencrypted - Information within email messages may be altered at some point between the sender and recipient

V1.0

NCC Education Limited

Email Security Topic 4 - 4.20

Securing Email Content


The next lecture deals with securing the content of email It will include the techniques for:
- Digitally signing an email - Encrypting the content of an email - Encrypting the header of an email

V1.0

NCC Education Limited

Network Security and Cryptography


Topic 4 Lecture 2: PGP and S/MIME

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 7

Topic 4 Email Security

Network Security and Cryptography

Email Security Topic 4 - 4.22

Cryptography in Email Systems


Cryptography can be used in email to:
- Sign an email message to ensure its integrity and confirm the identity of its sender - Encrypt the body of an email message to ensure its confidentiality - Encrypt the communications between mail servers to protect the confidentiality of both the message body and message header

V1.0

NCC Education Limited

Email Security Topic 4 - 4.23

Digitally Sign & Encrypt


Signing a message and encrypting the body are often used together to provide authentication and privacy When a message needs to be encrypted to protect its confidentiality, confidentiality it is usually digitally signed
- so that the recipient can ensure the integrity of the message and also verify the identity of the signer

Digitally signed messages are usually not encrypted if the confidentiality does not need to be protected

V1.0

NCC Education Limited

Email Security Topic 4 - 4.24

Encrypting Transmission
Encrypting the transmissions between mail servers is used only when two organisations want to protect emails regularly sent between themselves The organisations could establish a virtual private network (VPN) to encrypt the communications between their mail servers over the Internet A VPN can be used encrypt entire messages including header information
- E.g. senders, recipients, subject lines

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 8

Topic 4 Email Security

Network Security and Cryptography

Email Security Topic 4 - 4.25

Individual Emails
Most email messages are protected individually rather than along a secure VPN Each message is protected by digitally signing and optionally encrypting it Widely used standards for signing and encrypting message bodies are:
- Open Pretty Good Privacy (OpenPGP) - Secure/Multipurpose Internet Mail Extensions (S/MIME)

V1.0

NCC Education Limited

Email Security Topic 4 - 4.26

OpenPGP
A protocol for encrypting and signing messages and creating certificates using public key cryptography Based on an earlier protocol, PGP First released in June 1991 The original PGP protocol used some encryption algorithms with intellectual property restrictions OpenPGP was developed as a standard protocol based on PGP Version 5

V1.0

NCC Education Limited

Email Security Topic 4 - 4.27

OpenPGP Algorithms
A number of OpenPGP based products fully support cryptographic algorithms recommended by NIST including:
- 3DES and AES for data encryption - Digital Signature Algorithm (DSA) and RSA for digital signatures - SHA for hashing

Other implementations of OpenPGP support other encryption schemes

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 9

Topic 4 Email Security

Network Security and Cryptography

Email Security Topic 4 - 4.28

OpenPGP Cryptography
OpenPGP use both public key cryptography and symmetric key cryptography Public key y cryptography yp g p y is used to create digitally g y signed message digests Encryption of the message body is performed using a symmetric key algorithm

V1.0

NCC Education Limited

Email Security Topic 4 - 4.29

OpenPGP Signing & Encrypting - 1


The plaintext is compressed A random session key is created g signature g is g generated for the message g A digital using the senders private key and then added to the message The message and signature are encrypted using the session key and a symmetric algorithm

V1.0

NCC Education Limited

Email Security Topic 4 - 4.30

OpenPGP Signing & Encrypting - 2


The session key is encrypted using the recipients public key and added to the encrypted message The encrypted message is sent to the recipient The recipient reverses these steps

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 10

Topic 4 Email Security

Network Security and Cryptography

Email Security Topic 4 - 4.31

Using OpenPGP
Many popular mail clients require the installation of a plug-in in order to operate OpenPGP, e.g.:
- Mozilla Thunderbird, - Apple Mail - Microsoft Outlook

There are a number of OpenPGP distribution websites that contain instructions on how to use OpenPGP with various mail client applications

V1.0

NCC Education Limited

Email Security Topic 4 - 4.32

MIME
Multipurpose Internet Mail Extensions - an Internet standard that extends the format of email to support:
Text that uses character sets other than ASCII Attachments that are not text based Message bodies with multiple parts Header information in non-ASCII character sets

V1.0

NCC Education Limited

Email Security Topic 4 - 4.33

S/MIME
Secure/MIME is a version of the MIME protocol It supports encryption of email messages and their contents via public-key encryption technology Created in 1995 by a group of software vendors to prevent interception and forgery of email Builds on the existing MIME protocol standard Is easily integrated into existing email products

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 11

Topic 4 Email Security

Network Security and Cryptography

Email Security Topic 4 - 4.34

S/MIME Functions
Provides cryptographic security services for electronic messaging applications, including:
Authentication (via digital signatures) Message integrity (via digital signatures) Non-repudiation of origin (via digital signatures) Privacy (using encryption) Data security (using encryption)

V1.0

NCC Education Limited

Email Security Topic 4 - 4.35

S/MIME Interoperability
Based on widely supported standards
- likely to continue to be widely implemented across a variety of operating systems and email clients

Is supported by many email clients and can be used to securely communicate between them
- Not always simple

For example, a Windows operating system user with the Outlook email client can send a secure, digitally signed email to a Unix operating system user without installing any additional software

V1.0

NCC Education Limited

Email Security Topic 4 - 4.36

S/MIME Certificates
An individual key/certificate must be obtained from a Certificate Authority (CA) Accepted best practice is to use separate private keys for signature and encryption
- permits escrow of the encryption key without compromise to the non-repudiation property of the signature key

Encryption requires having the destination party's certificate stored

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 12

Topic 4 Email Security

Network Security and Cryptography

Email Security Topic 4 - 4.37

S/MIME Process
S/MIME-enabled mail clients send messages in a similar way to OpenPGP S/MIME version 3.1 supports two recommended symmetric key encryption algorithms:
- AES - 3DES

AES is considered a stronger algorithm than 3DES

V1.0

NCC Education Limited

Email Security Topic 4 - 4.38

Key Management
OpenPGP and S/MIME use digital certificates to manage keys A digital certificate identifies:
- the entity that the certificate was issued to - the public key of the entitys public key pair - other information, such as the date of expiration, signed by some trusted party

There are differences in how the two protocols manage trust

V1.0

NCC Education Limited

Email Security Topic 4 - 4.39

Key Management in OpenPGP


Uses the web of trust which has no central key issuing or approving authority:
- The web of trust relies on the personal decisions of users for management and control - Suitable for individual users and very small organisations - Unworkable in most medium to large organisations - Some organisations deploy keyservers that users can access to get others keys and store their own keys

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 13

Topic 4 Email Security

Network Security and Cryptography

Email Security Topic 4 - 4.40

Key Management in S/MIME


Has a hierarchical structure:
- Typically, there is a master registration and approving authority, the root Certificate Authority (CA), that issues a public key certificate for itself and any subordinate CAs - Subordinate CAs normally issue certificates to users and also to any other subordinate CAs C - They in turn sanction to users and their subordinate CAs, forming a hierarchy - This public key infrastructure can be used to establish a chain of trust between two users holding valid certificates

V1.0

NCC Education Limited

Email Security Topic 4 - 4.41

Third Party Services


Third-party services are available that allow organisations to exchange encrypted email Removes the need to establish trust relationships No worries about mail application pp compatibility p y But the use of such services means placing sensitive messages on third-party servers
- This is also a security concern

V1.0

NCC Education Limited

Email Security Topic 4 - 4.42

References
Stallings, W. (2010). Cryptography and Network Security: Principles and Practice. Pearson Education. NIST (2007). Guidelines on Electronic Mail Security. NIST.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 14

Topic 4 Email Security

Network Security and Cryptography

Email Security Topic 4 - 4.43

Topic 4 Email Security


Any Questions?

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 15

Topic 6 Vulnerability Assessment

Network Security and Cryptography

Network Security and Cryptography


Topic 6: Vulnerability Assessment

V1.0

NCC Education Limited

Network Security and Cryptography


Topic 6 Lecture 1: An Overview of Vulnerability

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.3

Scope and Coverage


This topic will cover:
Overview of network vulnerability Port scanners Password crackers

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 1

Topic 6 Vulnerability Assessment

Network Security and Cryptography

Vulnerability Assessment Topic 6 - 6.4

Learning Outcomes
By the end of this topic students will be able to:
Use port scanners to highlight open ports Perform password cracking using dictionary and brute-force brute force methods

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.5

Security Vulnerability - 1
A security vulnerability is a flaw or a weakness in a system or network that allows an attack to harm the system or network in some way, such as:
- Allowing an unauthorised user to access the system or network - Causing a deterioration in the performance of the system or network - Damaging or altering the data held by a system or network

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.6

Security Vulnerability - 2
The vulnerability may be inherent in the system
- E.g. new software includes a vulnerability when it is deployed, even if installed and operated correctly

The vulnerability may be as a result of the implementation of a system


- E.g. the configuration of new software

The vulnerability may be as a result of the operation and management of a system


- E.g. poor security procedures

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 2

Topic 6 Vulnerability Assessment

Network Security and Cryptography

Vulnerability Assessment Topic 6 - 6.7

Causes
Software - flaws in new software, not tested sufficiently before deployment Hardware dust Organisation procedures poor password policy, lack of audits Personnel not training staff properly Physical environment no physical access controls, risks from flooding Combinations of the above

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.8

Complex Systems
Computer networks in large businesses are usually large and also complex A larger system is more likely to have security holes A complex system is more likely to have security holes Complete testing of large, complex networks is very difficult and extremely time consuming

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.9

Common Components
Modern networks will use common components:
- Software used by many others (sometimes opensource) - Hardware used by many others - Operating p g systems y used by y many y others

Attackers will have access to these components and be familiar with any security flaws they have The Internet rapidly spreads the knowledge of these flaws and increases the likelihood of them being quickly exploited
V1.0 NCC Education Limited

V1.0

Visuals Handout Page 3

Topic 6 Vulnerability Assessment

Network Security and Cryptography

Vulnerability Assessment Topic 6 - 6.10

Many Services
A typical modern network will provide numerous services to an organisation More services means:
- M More protocols t l - More ports - More connections

The network is therefore more open to attack

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.11

Password Vulnerability
Vital to enforce the use of strong passwords Vital to regularly change passwords
- And ensure this is a real change not abc1 changed to abc2

Most users will use a really weak password if they can as it is easier to remember
- A 2006 UK survey gave the top 3 passwords as:
123 Password Liverpool

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.12

Operating Systems (OS)


Default settings can leave system open to attack
- E.g. granting full access rights to any user this gives every program, including any malware on the privileges g network, full administration p

Even where an OS has no inherent flaws the network administrator must set suitable permissions in order to protect the network.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 4

Topic 6 Vulnerability Assessment

Network Security and Cryptography

Vulnerability Assessment Topic 6 - 6.13

Surfing the Internet


The Internet is awash with viruses, spyware and other malware
- And, of course, a lot of very useful and high quality content!

The web browsing policy of an organisation, plus its firewall etc. is vital in protecting the whole network Acceptable use policies and staff training form a vital part of the protection

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.14

Software Bugs
New software may contain security flaws that can be exploited by a hacker This is not a malicious act but the complexity and amount of code in modern software applications make this inevitable Updates and regular patches are issued by software providers to fix these vulnerabilities as they are discovered
- One of the many reasons for using genuine software

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.15

User Input
Programs that allow user input must check that input to prevent malicious code inclusion Common attacks on systems are:
- SQL Injection attacks - Buffer Overflow attacks - (See Private Study Exercises for more on these)

Human error is the biggest threat to security:


- May be malicious or not - Includes designers, programmers and users

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 5

Topic 6 Vulnerability Assessment

Network Security and Cryptography

Vulnerability Assessment Topic 6 - 6.16

Repeating Mistakes
It is important to learn from past mistakes Modern programming code reuses old programming libraries Must ensure that any vulnerabilities that have been discovered are removed The Open Web Application Security Project (OWASP) publishes known vulnerabilities to help system designers and programmers from repeating past mistakes

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.17

Prevention
Vulnerabilities have been found in every operating system
- Hence the updates and patches that appear and should be installed

The best p prevention is sound security yp practices:


V1.0

System maintenance Firewalls and anti-virus Staff training Access controls Audits
NCC Education Limited

Vulnerability Assessment Topic 6 - 6.18

Testing Your Own Security


Software is available to test your own network for security vulnerabilities In some instance it will remove the vulnerability
- The vulnerability scanner will be covered in more detail in the next lecture

No matter how good the software is it is still important to have trained staff who follow sound security practices and report any potential threats

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 6

Topic 6 Vulnerability Assessment

Network Security and Cryptography

Network Security and Cryptography


Topic 6 Lecture 2: Managing Vulnerability, Port Scanners & Password Cracking

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.20

Vulnerability Management
All networks will contain vulnerabilities Therefore managing these vulnerabilities and the risks associated with them is a key task of network management Managing vulnerability includes:
Prioritising vulnerabilities Fixing vulnerabilities Reducing the effects of potential breeches Monitoring for new/unknown vulnerabilities

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.21

Known and Unknown


Known vulnerabilities in software, operating systems and networks are well documented Tools (vulnerability scanners) are available to test for know vulnerabilities (penetration testing) Networks will also have unknown vulnerabilities that have not yet been discovered The implementation of sound security policies and the use of best practise is the best defence

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 7

Topic 6 Vulnerability Assessment

Network Security and Cryptography

Vulnerability Assessment Topic 6 - 6.22

Penetration Testing
A penetration test mimics the actions of a malicious attack on a network The aim is to discover the vulnerabilities that exist and that could be discovered by an attacker Provides information on:
Threats to the system Strength of defensive measures in place Possible effects of successful attacks Areas of security requiring upgrade and investment

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.23

Vulnerability Scanner
A vulnerability scanner can be used in a penetration test It is software that tests a system or network for weaknesses Different types are available Each type focuses on a particular area of potential weakness Can only discover known vulnerabilities

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.24

Vulnerability Scanners
Types are available for scanning:
Ports Networks Databases Web applications Individual computers

We will take a closer look at Port Scanners

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 8

Topic 6 Vulnerability Assessment

Network Security and Cryptography

Vulnerability Assessment Topic 6 - 6.25

Port Scanners
Software that probes for open ports Used by network administrators to test the network Used by attackers to look for vulnerabilities The TCP/IP protocol suite has services being supplied by a host through a port There are 65536 different port numbers available Most services use only a very limited number of ports
V1.0 NCC Education Limited

Vulnerability Assessment Topic 6 - 6.26

Port Status
A port scan will generally give one of three results:
- Open there is a service using the port and the host has replied with a message that it is listening for port communications on this p - Filtered no reply is received meaning that there is some filtering occurring on this port, typically via a firewall - Closed a reply is received stating that communication is denied on this port

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.27

Port Scan Types


There are several types of scan, including:
TCP connect scan TCP SYN scan TCP FIN scan TCP Xmas Tree scan TCP Null scan TCP ACK scan TCP Windows scan TCP RPC scan UDP scan

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 9

Topic 6 Vulnerability Assessment

Network Security and Cryptography

Vulnerability Assessment Topic 6 - 6.28

TCP Connect Scan


Connects to the target port and performs the TCP three-way handshake
- Sends a synchronise (SYN) packet to host - Host returns a synchronise acknowledgement (SYN/ACK) - Sends an acknowledgement (ACK) to host - SYN and ACK are indicated by a bit in the TCP header

This scan is easily detected by the target system

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.29

TCP Three-Way Handshake


Scanner
SYN

System port

SYN/ACK

ACK

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.30

TCP SYN Scan


A full TCP connection is not made Also known as a half-open scanning
- SYN packet sent to host port - Either SYN/ACK or RST/ACK (reset/acknowledgement) received - This tells the scanner whether it is open or closed - RST/ACK sent to port so full connection is never made

May not be detected by host

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 10

Topic 6 Vulnerability Assessment

Network Security and Cryptography

Vulnerability Assessment Topic 6 - 6.31

TCP FIN scan


A FIN packet is sent to the port This means no more data from sender The targeted host should send back a reset RST packet for all closed hosts Usually only works on Unix based hosts

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.32

TCP Xmas Tree and Null scans


Xmas Tree sends FIN, URG and PSH packets to the target port
- Finished, urgent and push buffered data to receiving application

The target system should send RST S f for all closed ports Null turns off all flags in the packet to the target system This should return RST for all closed ports

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.33

TCP ACK Scan


Used to map the rulesets associated with firewalls By sending an ACK packet the aim is to determine the type of firewall. A simple packet filter firewall will only allow established connections (with the ACK bit set) More complex stateful firewalls use more complex rules with advanced packet filtering (We look at firewalls in more detail later in the course)

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 11

Topic 6 Vulnerability Assessment

Network Security and Cryptography

Vulnerability Assessment Topic 6 - 6.34

TCP Windows & RPC Scans


TCP Windows scan may be able to detect open ports on some operating systems This is due to an anomaly in the way TCP window size is reported p TCP RPC scans detect remote procedure call (RPC) ports on Unix systems They can also detect associated programs and version numbers

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.35

UDP Scans
Sends a UDP packet to the target port If it receives a ICMP port unreachable message the port is closed If the message is not received it may be assumed that the port is open UDP scans are slow Results are unreliable as no message may be received for other reasons

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.36

Password Cracking
Cracking a password can enable an attacker to gain access to:
- A network - A computer - Individual files

Does not necessarily require intelligent techniques


- May involve reading the note the user has kept, sometimes stuck on the monitor!

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 12

Topic 6 Vulnerability Assessment

Network Security and Cryptography

Vulnerability Assessment Topic 6 - 6.37

Dictionary Attack
A simple and fast way to crack a password A text file contains a set of dictionary words (the dictionary file) This Thi i is l loaded d di into t th the software ft package k It runs against user accounts in the application the hacker is attacking Most passwords are simple and easy to crack

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.38

Brute Force Attack


May take a long time to work
- Depends upon password complexity

All possible combinations of characters are used until the correct combination is found Software packages do the work for you but it can still take weeks to crack a password this way Best defence is to use cryptographic methods allied to strong passwords

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.39

Password Cracking Software


Many packages available, popular ones are:
Cain and Abel John the Ripper Hydra ElcomSoft Lastbit

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 13

Topic 6 Vulnerability Assessment

Network Security and Cryptography

Vulnerability Assessment Topic 6 - 6.40

References
Scambrey, J., McClure, S. and Kurtz, J. (2001). Hacking Exposed: Network Security Secrets & Solutions. 2nd Edition. McGraw Hill. The Open Web Application Security Project (OWASP) website: https://www.owasp.org/index.php/Main_Page

V1.0

NCC Education Limited

Vulnerability Assessment Topic 6 - 6.41

Topic 6 Vulnerability Assessment


Any Questions?

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 14

Topic 7 Authentication

Network Security and Cryptography

Network Security and Cryptography


Topic 7: Authentication

V1.0

NCC Education Limited

Network Security and Cryptography


Topic 7 Lecture 1: An Overview of Authentication and Passwords

V1.0

NCC Education Limited

Authentication Topic 7 - 7.3

Scope and Coverage


This topic will cover:
Overview of Authentication Passwords Multi-factor Authentication Biometrics

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 1

Topic 7 Authentication

Network Security and Cryptography

Authentication Topic 7 - 7.4

Learning Outcomes
By the end of this unit students will be able to:
Explain the different authentication mechanisms; Describe multifactor authentication; Describe biometrics and their issues. issues

V1.0

NCC Education Limited

Authentication Topic 7 - 7.5

Authentication Overview
We are taking a network-based view of user authentication User authentication is the first line of defence of a network It aims to prevent unauthorised access to a network It is the basis of setting access controls It is used to provide user accountability

V1.0

NCC Education Limited

Authentication Topic 7 - 7.6

Verifying User Identity


User authentication has two steps:
- Identification presenting the user to the security system - Verification providing information that binds the entity to the identity

Identification is the means by which a user claims to be a specific identity Verification is the method used to prove that claim

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 2

Topic 7 Authentication

Network Security and Cryptography

Authentication Topic 7 - 7.7

Means of Authentication
Something the individual knows
- E.g. password, PIN

Something the individual possesses (tokens)


- E.g. cryptographic key, smartcard

Something the individual is


- E.g. fingerprint, retina

Something the individual does


- E.g. handwriting pattern, speech pattern

V1.0

NCC Education Limited

Authentication Topic 7 - 7.8

Authentication Problems
Guess or steal passwords, PIN, etc Forget passwords, PIN Steal or forge smartcards Lose smartcard False positives in biometrics False negatives in biometrics The most common method of network authentication uses passwords and cryptographic keys

V1.0

NCC Education Limited

Authentication Topic 7 - 7.9

Smartcards
Tamper-resistant devices Have a small amount of memory Have a small processor
- Simple p computations, p , e.g. g encryption/decryption, yp yp , digital signatures

Difficult to duplicate Easily transferable Can be used with PIN/password

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 3

Topic 7 Authentication

Network Security and Cryptography

Authentication Topic 7 - 7.10

Smartcard Examples
Bank/ATM cards Credit cards Travel cards Pass cards for a workplace

V1.0

NCC Education Limited

Authentication Topic 7 - 7.11

Passwords
Most common means of authentication Require no special hardware Typical authentication by password
1. User supplies a username and password 2. System looks up the username in the relevant database table 3. Checks that username, password pair exists 4. Provides system access to the user

V1.0

NCC Education Limited

Authentication Topic 7 - 7.12

Password Strength
Users tend to pick weak passwords if allowed Easy to crack via dictionary attack Users can be forced to create more complex passwords System can supply users with a strong password Many users will write down a stronger password and this can be a greater security risk than a weak password

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 4

Topic 7 Authentication

Network Security and Cryptography

Authentication Topic 7 - 7.13

Attacks on Password Security


Eavesdropping may allow an attacker to listen in and gain password information
- Encrypting messages will prevent this

A direct attack on the database storing passwords can be used to discover or change passwords Sessions can be hijacked the attacker disconnects the user but remains connected themselves Never use the same password for different applications
V1.0 NCC Education Limited

Authentication Topic 7 - 7.14

Losing Passwords
Not uncommon for a user to lose or forget a password Can be dealt with by regularly changing passwords Password generators can be used to change passwords
- Automatically generate new passwords based upon a master secret

V1.0

NCC Education Limited

Authentication Topic 7 - 7.15

Challenge - Response
Systems are used that request specific characters in a password rather than the whole password. Commonly used in online banking Example
- The password is MyPassword - The system asks for the 2nd, 3rd and 8th characters - The user enters y, P and o

The idea is that it would take an eavesdropper many sessions to determine the whole password

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 5

Topic 7 Authentication

Network Security and Cryptography

Authentication Topic 7 - 7.16

Hash Functions
A database of plaintext passwords makes stealing all passwords more likely
- Sony!!

A level of protection is supplied by using a one-way hashing g function on the p passwords


- Public function - Easy to compute - Hard to invert

All passwords stored in the database are encrypted


V1.0 NCC Education Limited

Authentication Topic 7 - 7.17

Hashing Passwords
MD5 and SHA-1 are commonly used hashing algorithms User sends a username, password pair to the system The system hashes the password The database stores a username, h(password) pair
- h(password) is the result of applying the hashing function to the password

V1.0

NCC Education Limited

Authentication Topic 7 - 7.18

Cracking Hashed Passwords


Hashing works on the principal that it would take a very long time to crack the hashed password via trial and error If users use short and simple passwords this is not the case Strong passwords are still required for the hashing function to provide a good level of security

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 6

Topic 7 Authentication

Network Security and Cryptography

Network Security and Cryptography


Topic 7 Lecture 2: Multifactor Authentication and Biometrics

V1.0

NCC Education Limited

Authentication Topic 7 - 7.20

Multi-Factor Authentication
An identity is verified and authenticated using more than one verification method User/password authentication is single factor authentication
- Only O l one verification ifi ti method, th d th the password d

A stronger form of identity verification Used for applications where security is more important
- E.g. bank ATM card and PIN

V1.0

NCC Education Limited

Authentication Topic 7 - 7.21

Multi-Factor Systems
This does not mean using two or three different passwords but two or three different methods ATM Two-factor authentication
- Something you possess bank card - Something you know PIN

Three-factor systems exist for financial transactions via mobile phone


- Something you possess mobile phone - Something you know PIN - Something you do voice recognition

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 7

Topic 7 Authentication

Network Security and Cryptography

Authentication Topic 7 - 7.22

Disadvantages
Cost
- Cost of supplying smartcards, USB tokens, etc. - Cost of hardware/software to read the tokens

Inconvenience
- Users may not like the inconvenience of having to carry around a token

A balance has to be made between the cost and inconvenience of security and the sensitivity of the data and transactions being protected

V1.0

NCC Education Limited

Authentication Topic 7 - 7.23

Increased Security - Probability


Combining two or more verification methods greatly decreases the probability of randomly producing the correct verification information Voiceprint
- There Th is i around d a 1 in i 10000 chance h of f matching t hi

PIN
- There is a 1 in 10000 chance of guessing a PIN

Combined
- There is a 1 in 100,000,000 chance of matching both

V1.0

NCC Education Limited

Authentication Topic 7 - 7.24

Biometrics
Automated methods used to recognise the unique characteristics of humans Uses one or more traits:
- Physical traits (static biometrics) - Behavioural B h i lt traits it (d (dynamic i bi biometrics) ti )

Biometric authentication aims to provide a nontransferable authentication method


- Someone else could use your ATM card - Can someone else use your finger?

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 8

Topic 7 Authentication

Network Security and Cryptography

Authentication Topic 7 - 7.25

Biometric Types
Physical characteristics:
Fingerprints Retinas Irises Facial patterns Hand measurements

Behavioural characteristics
- Signature - Typing patterns - Voice recognition

V1.0

NCC Education Limited

Authentication Topic 7 - 7.26

Registering Biometric Data


User registers with the biometric system Measurements of biometric data are taken Can take several measurements of biometric data if required Algorithm is applied to the measurement to obtain a template Template is stored in a database

V1.0

NCC Education Limited

Authentication Topic 7 - 7.27

Authenticating Biometric Data


User identifies themself to the system (e.g. username) Biometric data measurement of the user is taken Again processed into a digital template This template is compared to template in database See if there is a match Matching process is approximate If biometric data matches the stored template the user is authenticated

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 9

Topic 7 Authentication

Network Security and Cryptography

Authentication Topic 7 - 7.28

Matching Biometric Data


Not an exact science
- No two measurements of biometric data will match exactly

Multiple p measurements are taken when a user first enrols in the system Matching with template is a success Tolerances are built into the algorithm that matches the templates

V1.0

NCC Education Limited

Authentication Topic 7 - 7.29

Fingerprints
Fingertips have ridges and valleys that are unique to that fingertip
- Used by police for a long time

Most common biometric method Available for laptops and PCs Access to systems provided via touch technology

V1.0

NCC Education Limited

Authentication Topic 7 - 7.30

Face Recognition
Capture facial image in the visible spectrum
Use a standard camera Use central portion of face Extract features that remain constant over time Avoid changing features, e.g. hair

An alternative version captures an infra-red image of the heat emitted by a face Most users accept use of such systems Problems caused by lighting, masks, etc.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 10

Topic 7 Authentication

Network Security and Cryptography

Authentication Topic 7 - 7.31

Speech Recognition
Some features of speech differ between individuals These patterns produced reflect the anatomy of the speaker These patterns reflect the patterns of speech learned as a result of:
- Location - Peers - Language

V1.0

NCC Education Limited

Authentication Topic 7 - 7.32

Iris Recognition
Iris is the coloured area around the pupil Iris patterns are thought to be unique Video systems are used to capture an image of the iris Becoming economically viable as equipment prices have lowered Works with glasses and contact lenses

V1.0

NCC Education Limited

Authentication Topic 7 - 7.33

Hand Geometry
Can utilise measures of fingers or whole hands
Length Width Thickness Surface area

Used for access control in commercial and residential premises

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 11

Topic 7 Authentication

Network Security and Cryptography

Authentication Topic 7 - 7.34

Written Signatures
Uses measurement of the way the signature is written not just the final signature Can measure a range of parameters:
- Speed - Pressure - Angle of writing

Used in business applications where a signature is commonly used to identify a user

V1.0

NCC Education Limited

Authentication Topic 7 - 7.35

Typing Patterns
Similar to the recognition of written signatures Uses a standard keyboard Recognises the password that is typed Recognises the way the password is typed:
- Intervals between characters - Speed of typing

V1.0

NCC Education Limited

Authentication Topic 7 - 7.36

Errors in Biometric Systems


Has a false accept rate (FAR): measures the rate at which an invalid user is accepted by the system Has a false rejection rate (FRR): measures the rate at which a valid user is rejected by the system In many systems it is possible to adjust both rates by changing some variables In modern systems both rates are low

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 12

Topic 7 Authentication

Network Security and Cryptography

Authentication Topic 7 - 7.37

Concerns with Biometric Systems


Privacy
- All transactions in different systems are linked to a real identity - For passwords etc. different identities can be presented to different systems

Injury
- Hygiene concerns about equipment - Criminals chopping off fingers to use!!

Exclusion
- An amputee may have no fingers

V1.0

NCC Education Limited

Authentication Topic 7 - 7.38

The Market Leader


Fingerprint authentication is widely used Laptops and computer peripherals come with builtin fingerprint readers They are relatively inexpensive Allow user to authenticate by putting finger on the reader May be used with a password or PIN for two-factor authentication.

V1.0

NCC Education Limited

Authentication Topic 7 - 7.39

References
Stallings, W. (2010). Cryptography and Network Security: Principles and Practice. Pearson Education. Scambrey, J., McClure, S. and Kurtz, J. (2001). Hacking Exposed: Network Security Secrets & Solutions, 2nd Edition. McGraw Hill.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 13

Topic 7 Authentication

Network Security and Cryptography

Authentication Topic 7 - 7.40

Topic 7 Authentication
Any Questions?

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 14

Topic 8 Access Control

Network Security and Cryptography

Network Security and Cryptography


Topic 8: Access Control

V1.0

NCC Education Limited

Network Security and Cryptography


Topic 8 Lecture 1: Packet Filters & Access Control Lists

V1.0

NCC Education Limited

Access Control Topic 8 - 8.3

Scope and Coverage


This topic will cover:
Packet filtering Access control lists NAT IDS

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 1

Topic 8 Access Control

Network Security and Cryptography

Access Control Topic 8 - 8.4

Learning Outcomes
By the end of this topic students will be able to:
Configure access control mechanisms Apply and manage port forwarding rules

V1.0

NCC Education Limited

Access Control Topic 8 - 8.5

Access Control
Network traffic is in the form of IP/TCP/UDP packets The headers of these packets contain information as to source and destination of the packets Routing devices uses the source and destination addresses to route traffic through the network These addresses can be used to create access control rules We will examine methods for determining if traffic is allowed on a network or section of a network
V1.0 NCC Education Limited

Access Control Topic 8 - 8.6

Packet Filtering
Routing devices examine a packet's destination address and decide where to send it Packet filtering adds an extra layer to this process First the destination address is examined If the router determines that it should process the packet it then applies a set of rules to determine what happens to it Can apply these rules to both incoming and outgoing packets
V1.0 NCC Education Limited

V1.0

Visuals Handout Page 2

Topic 8 Access Control

Network Security and Cryptography

Access Control Topic 8 - 8.7

Filtering Rules
Implement security policies as services that are allowed or disallowed Examples:
- Packets for particular machines can be blocked - Specific types of packets can be blocked - Packets going out of your network can be blocked

Packet filtering rules can be very general or can be applied to specific machines or ports

V1.0

NCC Education Limited

Access Control Topic 8 - 8.8

Use of Packet Filtering


Commonly used to protect a network from attack from machines outside of the network Most routing devices have packet filtering capabilities An inexpensive option as no extra equipment required Very powerful tool Does not provide full protection

V1.0

NCC Education Limited

Access Control Topic 8 - 8.9

Packet Filtering Possibilities


Can be applied to:
a. Machines b. Ports c. Combinations of machines and p ports

Examples:
a. Block all traffic to machine A b. Block all traffic to port 80 (http) c. Block all traffic to port 80 except on machine A

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 3

Topic 8 Access Control

Network Security and Cryptography

Access Control Topic 8 - 8.10

Stateless Filtering - 1
Simple rules Easy to implement Not flexible For example:
- If all traffic to port 80 is blocked a static filter will block all http traffic - It cannot be set to block all traffic to port 80 except that from http://campus.nccedu.com in a single rule

V1.0

NCC Education Limited

Access Control Topic 8 - 8.11

Stateless Filtering - 2
Filtering process is dumb
- Applies a set of static rules to every packet - Does not store any results from previous packets - No intelligence or learning built into the filtering system

The set of rules is an Access Control List (ACL)


- Rules are checked in a specific order - The first matching rule found is applied to the packet - If there are no rules matching the packet is blocked

V1.0

NCC Education Limited

Access Control Topic 8 - 8.12

Stateful Filtering
Also known as Dynamic Packet Filtering Uses a state table that stores detail of legitimate traffic requests:
IP addresses Ports P t Handshake status Route/Time

Compare packets with previous valid traffic Allows traffic based upon connections
V1.0 NCC Education Limited

V1.0

Visuals Handout Page 4

Topic 8 Access Control

Network Security and Cryptography

Access Control Topic 8 - 8.13

Configuring Static Packet Filters


There are three main steps to correctly configuring static packet filters 1.Decide what traffic to permit and what traffic to block
- Determined by nature of business and assessment of security y risks

2.Define this as a set of rules that includes IP addresses and port numbers 3.Translate these rules into a language that the router or other device understands
- May be vendor specific so we do not cover this

V1.0

NCC Education Limited

Access Control Topic 8 - 8.14

What is Permitted?
This is done at a conceptual level
- Is internet access allowed - Can individual machines accept email from the Internet or will it all come through a central mail server - Are all messages from a specific location blocked

A good general rule is to block all packets except those that have been specifically allowed
- Default is to block all packets not processed by the rule list

V1.0

NCC Education Limited

Access Control Topic 8 - 8.15

Access Control Lists - 1


A simple tabular template should be used that has one rule for each line of the table The following columns should be included:
Source IP address Source p port Destination IP address Destination port Action (block/allow) Comments (allow a brief text explanation)

Protocol can be included in this


V1.0 NCC Education Limited

V1.0

Visuals Handout Page 5

Topic 8 Access Control

Network Security and Cryptography

Access Control Topic 8 - 8.16

Access Control Lists - 2


The order of the rules is important The first rule that matches with the packet being inspected will be implemented All remaining rules will be ignored

V1.0

NCC Education Limited

Access Control Topic 8 - 8.17

Access Control Lists - 3


What happens when 81.109.47.141 sends an email message to 192.37.22.01? What happens if 81.109.47.142 sends an email message to 192.37.22.01? What happens if f 81.109.47.142 81 109 1 2 sends a telnet message to 192.37.22.01? What if the rule order is swapped?

V1.0

NCC Education Limited

Network Security and Cryptography


Topic 8 Lecture 2: NAT and IDS

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 6

Topic 8 Access Control

Network Security and Cryptography

Access Control Topic 8 - 8.19

Network Address Translation


NAT provides a means to connect multiple computers to an IP network using only one IP address Three reasons this is useful:
- Shortage of IP addresses (under IPv4) - Security - Flexible network administration

V1.0

NCC Education Limited

Access Control Topic 8 - 8.20

The Number of IP Addresses


A typical IP address is written as dotted quad
- E.g. 81.109.47.141

In IPv4 there was theoretical limit on the number of available IP addresses


- 4b bytes t = 232 = 4,294,967,296 4 294 967 296 possible ibl addresses dd

Method was required to create extra IP addresses or the Internet would reach capacity The main reason for the use of NAT originally was to create extra IP addresses

V1.0

NCC Education Limited

Access Control Topic 8 - 8.21

The IP Address
An IP address has two parts:
- a network number - a host number

Computers on one physical network have the same network t k number b


- Think street name in a postal address

The rest of the IP address defines an individual computer


- Think house number in a postal address

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 7

Topic 8 Access Control

Network Security and Cryptography

Access Control Topic 8 - 8.22

IP Address Classes - 1
The network size determines the class of IP address There is a network and host part in each IP address IP addresses come in 4 classes (A, B, C and D) Each class suits a different network size

V1.0

NCC Education Limited

Access Control Topic 8 - 8.23

IP Address Classes - 2
Network addresses with first byte between 1 and 126 are class A with approx.17 million hosts each Network addresses with first byte between 128 and 191 are class B with approx. 65000 hosts each Network addresses with first byte between 192 and 223 are class C with 256 hosts All other networks are class D, used for special functions, or class E which is reserved

V1.0

NCC Education Limited

Access Control Topic 8 - 8.24

Dynamically Assigning Addresses


Internet Service Providers (ISPs) usually allocate a single address to a single customer This is assigned dynamically
- every time a client connects to the ISP a different address is provided

Large companies can buy several addresses It is more economic for small businesses to use a single address

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 8

Topic 8 Access Control

Network Security and Cryptography

Access Control Topic 8 - 8.25

Connecting Multiple Computers


In theory one IP address means only one computer can connect to the Internet By using a NAT gateway running on a single computer, multiple local computers can connect using the single IP address To the Internet this appears as a single computer End-to-end connections are not created and this can prevent some protocols from working

V1.0

NCC Education Limited

Access Control Topic 8 - 8.26

Dynamic NAT
A small number of public IP addresses are dynamically assigned to a large number of private IP addresses Port Address Translation ( (PAT) ) is a variant of NAT:
- Allows one or more private networks to share a single public IP address - Commonly used in small businesses - Remaps both source and destination addresses and source and destination ports of packets

V1.0

NCC Education Limited

Access Control Topic 8 - 8.27

NAT and Security


NAT only allows connections that come from inside the network Internal servers can allow connections from outside via inbound mapping
- Specific ports are mapped to specific internal addresses - Makes services such as FTP or the Internet available but in a highly controlled way

NATs use their own protocol stack not that of the host machine
- Protects against some attacks

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 9

Topic 8 Access Control

Network Security and Cryptography

Access Control Topic 8 - 8.28

NAT and Network Administration


Can aid network administration in several ways:
- May contain a dynamic host configuration protocol (DHCP) server - Provide methods for restricting Internet access - Have traffic logging capabilities - Can divide a network into sub-networks

V1.0

NCC Education Limited

Access Control Topic 8 - 8.29

NAT Operation
Changes the source address on every outgoing packet to the single public address Renumbers source ports to be unique
- Used to keep track of each client connection

H Has a port t mapping i t table bl t to record d ports t f for each h client computer
- Relates real local IP address and source port to translated port number, destination address and port - Allows the process to be reversed for incoming packets so they are routed to the correct client

V1.0

NCC Education Limited

Access Control Topic 8 - 8.30

PAT Operation
An example of how IP and port are changed

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 10

Topic 8 Access Control

Network Security and Cryptography

Access Control Topic 8 - 8.31

Intrusion Detection Systems (IDS)


Monitors network traffic for suspicious activity Alerts the network administrator if suspicious activity discovered May also respond to suspicious traffic by:
- blocking the user from accessing the network - blocking the IP address from accessing the network

Different types that use different methods to detect suspicious activity

V1.0

NCC Education Limited

Access Control Topic 8 - 8.32

IDS Types
Network based intrusion detection systems (NIDS) Host based intrusion detection systems (HIDS) IDS that look for signatures of known threats IDS that compare traffic patterns against a network baseline and look for anomalies in the patterns

V1.0

NCC Education Limited

Access Control Topic 8 - 8.33

NIDS
Positioned in strategic locations in the network Monitor all traffic to and from network devices In a perfect world all traffic would be monitored This would create a bottleneck in the network with a huge processing overhead
- It would deteriorate network speed

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 11

Topic 8 Access Control

Network Security and Cryptography

Access Control Topic 8 - 8.34

HIDS
Operate on individual hosts or network devices Monitors all inbound and outbound packets but only to and from the device it operates p on If suspicious activity is detected it usually alerts the user and/or network administrator of that activity

V1.0

NCC Education Limited

Access Control Topic 8 - 8.35

Signature-based IDS
Monitors packets on the network Compare packets against a stored database of known malicious threats
- Similar to the operation of antivirus software

When a new threat appears there is a period of time before this is added to the database Any new threat is undetected until such time as the database is updated to include this threat
- Similar to the operation of antivirus software

V1.0

NCC Education Limited

Access Control Topic 8 - 8.36

Anomaly-based IDS
Monitors network traffic Compare network traffic with a baseline Baseline is normal traffic for that network:
Bandwidth Protocols Ports Devices

User and/or network administrator is alerted if there is a significant change from the baseline
V1.0 NCC Education Limited

V1.0

Visuals Handout Page 12

Topic 8 Access Control

Network Security and Cryptography

Access Control Topic 8 - 8.37

IDS Overview
Ideal for monitoring and protecting a network Can be prone to false alarms Must be correctly set up to recognize what is normal traffic on the network Network administrators and users must:
- Understand the alerts - Know the most effective course of action upon receiving an alert

V1.0

NCC Education Limited

Access Control Topic 8 - 8.38

References
Scambrey, J., McClure, S. and Kurtz, J. (2001). Hacking Exposed: Network Security Secrets & Solutions. 2nd Edition. McGraw Hill.

V1.0

NCC Education Limited

Access Control Topic 8 - 8.39

Topic 8 Access Control


Any Questions?

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 13

Topic 9 Firewalls

Network Security and Cryptography

Network Security and Cryptography


Topic 9: Firewalls

V1.0

NCC Education Limited

Network Security and Cryptography


Topic 9 Lecture 1: Firewall Operation

V1.0

NCC Education Limited

Firewalls Topic 9 - 9.3

Scope and Coverage


This topic will cover:
Firewall architectures and their limitations The DMZ firewall and its limitations

V1.0

NCC Education Limited

V1.0

Visuals Handout - Page 1

Topic 9 Firewalls

Network Security and Cryptography

Firewalls Topic 9 - 9.4

Learning Outcomes
By the end of this topic students will be able to:
Describe the components of a firewall Configure a DMZ firewall Evaluate the limitations of firewalls

V1.0

NCC Education Limited

Firewalls Topic 9 - 9.5

Network Firewall
A firewall is the first line of defence for your network The purpose of a firewall is to keep intruders from gaining access to your network U Usually ll placed l d at t th the perimeter i t of f network t kt to act t as a gatekeeper for incoming and outgoing traffic It protects your computer from Internet threats by erecting a virtual barrier between your network or computer and the Internet

V1.0

NCC Education Limited

Firewalls Topic 9 - 9.6

How Does a Firewall Work?


Examines the traffic sent between two networks
- e.g. examines the traffic being sent between your network and the Internet

Data is examined to see if it appears legitimate:


- if so the data is allowed to pass through - If not, the data is blocked

A firewall allows you to establish certain rules to determine what traffic should be allowed in or out of your private network

V1.0

NCC Education Limited

V1.0

Visuals Handout - Page 2

Topic 9 Firewalls

Network Security and Cryptography

Firewalls Topic 9 - 9.7

Creating Rules
Traffic blocking rules can be based upon:
Words or phrases Domain names IP addresses Ports Protocols (e.g. FTP)

While firewalls are essential, they can block legitimate transmission of data and programs

V1.0

NCC Education Limited

Firewalls Topic 9 - 9.8

Common Firewall Types


In general there are software firewalls and hardware firewalls
- Even in home networks

Hardware firewalls are typically found in routers, which distribute incoming traffic from an Internet connection to computers Software firewalls reside in individual computers Ideally a network has both

V1.0

NCC Education Limited

Firewalls Topic 9 - 9.9

Software Firewall
Protect only the computer on which they are installed Provide excellent protection against threats ( i (viruses, worms, etc.) ) Have a user-friendly interface Have flexible configuration

V1.0

NCC Education Limited

V1.0

Visuals Handout - Page 3

Topic 9 Firewalls

Network Security and Cryptography

Firewalls Topic 9 - 9.10

Router Firewall
Protect your entire network or part of a network Located on your router Protect network hardware which cannot have a software firewall installed on it Allows the creation of network-wide rules that govern all computers on the network

V1.0

NCC Education Limited

Firewalls Topic 9 - 9.11

Firewall Operation
Can be divided into three main methods:
- Packet filters (see last topic) - Application gateways - Packet inspection p

Individual vendors of firewalls may provide additional features


- You should look at their products for details

V1.0

NCC Education Limited

Firewalls Topic 9 - 9.12

Application Gateways
Application-layer firewalls can understand the traffic flowing through them and allow or deny traffic based on the content Host-based firewalls designed to block objectionable bj ti bl W Web b content t tb based d on k keywords d are a form of application-layer firewall Application-layer firewalls can inspect packets bound for an internal Web server to ensure the request isnt really an attack in disguise

V1.0

NCC Education Limited

V1.0

Visuals Handout - Page 4

Topic 9 Firewalls

Network Security and Cryptography

Firewalls Topic 9 - 9.13

Advantages of Application Gateways


Provide a buffer from port scans and application attacks
- if an attacker finds a vulnerability in an application, the attacker would have to compromise p the application/proxy pp p y firewall before attacking devices behind the firewall

Can be patched quickly in the event of a vulnerability being discovered


- This may not be true for patching all the internal devices

V1.0

NCC Education Limited

Firewalls Topic 9 - 9.14

Disadvantages
Needs to know how to handle traffic to and from your specific application
- If you have an application that's unique, your application layer firewall may not be able to support it without making some significant modifications

Application firewalls are generally much slower than packet-filtering or packet-inspection firewalls
- They run applications, maintain state for both the client and server, and also perform inspection of traffic

V1.0

NCC Education Limited

Firewalls Topic 9 - 9.15

Packet Inspection Firewalls


Examine the session information between devices:
Protocol New or existing connection Source IP address Destination IP address Port numbers IP checksum Sequence numbers Application-specific information

V1.0

NCC Education Limited

V1.0

Visuals Handout - Page 5

Topic 9 Firewalls

Network Security and Cryptography

Firewalls Topic 9 - 9.16

Outbound Internet Traffic


Client initiates connection to IP address of the web server destined for port 80 (HTTP) Firewall determines whether that packet is allowed through the firewall based on the current rule-set Firewall looks into the data portion of the IP packet and determine whether it is legitimate HTTP traffic If all the requirements are met, a flow entry is created in the firewall based on the session information, and that packet is allowed to pass

V1.0

NCC Education Limited

Firewalls Topic 9 - 9.17

Inbound Internet Traffic


Web server receives the packet and responds Return traffic is received by the firewall Firewall determines if return traffic is allowed by comparing the session information with the information contained in the local translation table If return traffic matches the previous requirements, payload is inspected to validate appropriate HTTP Then it is forwarded to the client

V1.0

NCC Education Limited

Firewalls Topic 9 - 9.18

Advantages
Generally much faster than application firewalls
- They are not required to host client applications

Most of the packet-inspection firewalls today also offer deep-packet inspection


- The firewall can dig into the data portion of the packet and also: - Match on protocol compliance - Scan for viruses - Still operate very quickly

V1.0

NCC Education Limited

V1.0

Visuals Handout - Page 6

Topic 9 Firewalls

Network Security and Cryptography

Firewalls Topic 9 - 9.19

Disadvantages
Open to certain denial-of-service attacks These can be used to fill the connection tables with illegitimate connections

V1.0

NCC Education Limited

Network Security and Cryptography


Topic 9 Lecture 2: Firewall Architecture

V1.0

NCC Education Limited

Firewalls Topic 9 - 9.21

Firewall Architecture
Firewalls are used to protect the perimeter of a network and the perimeter of sections of networks A key question for a network administrator is where firewalls should be located The positioning of firewalls in relation to other network elements is the firewall architecture We will only look at the position of firewalls and the consequences of this
- Other security devices should also be used

V1.0

NCC Education Limited

V1.0

Visuals Handout - Page 7

Topic 9 Firewalls

Network Security and Cryptography

Firewalls Topic 9 - 9.22

Firewall Architecture
The following are common firewall architectures:
Screening router Screened host Dual homed host Screened subnet Screened subnet with multiple DMZs Dual firewall

V1.0

NCC Education Limited

Firewalls Topic 9 - 9.23

Screening Router
Simplest of firewall architectures Traffic is screened by a router
- Packet filtering - Using ACLs

Traffic is screened according to:


- Source or destination IP address - Transport layer protocol - Services requested

V1.0

NCC Education Limited

Firewalls Topic 9 - 9.24

Screening Router
Usually deployed at the perimeter of the network May be used to control access to a Demilitarized Zone (DMZ) see later More often used in conjunction j with other firewall technologies

V1.0

NCC Education Limited

V1.0

Visuals Handout - Page 8

Topic 9 Firewalls

Network Security and Cryptography

Firewalls Topic 9 - 9.25

Advantages & Disadvantages


Advantages
- Simple - Cheap

Disadvantages
- No logging - No user authentication - Difficult to hide internal network structure

V1.0

NCC Education Limited

Firewalls Topic 9 - 9.26

Demilitarised Zones (DMZ)


A DMZ is part of the internal network but separated from the rest of the internal network Traffic moving between the DMZ and other interfaces on the protected side of the firewall still goes through the firewall This traffic has firewall protection policies applied Common to put public-facing servers on the DMZ:
- Web servers - Email servers

V1.0

NCC Education Limited

Firewalls Topic 9 - 9.27

Demilitarised Zones (DMZ)

V1.0

NCC Education Limited

V1.0

Visuals Handout - Page 9

Topic 9 Firewalls

Network Security and Cryptography

Firewalls Topic 9 - 9.28

Screened Host Firewall


Adds an extra layer of protection in comparison to a screening router Has a Bastion Host/Firewall between networks Bastion B ti H Host/Firewall t/Fi ll h has t two NIC NICs Bastion Host/Firewall connects the trusted network to the untrusted network
- Stateful and proxy technologies are used to filter traffic up to the application layer

V1.0

NCC Education Limited

Firewalls Topic 9 - 9.29

Bastion Host
A special purpose computer specifically designed and configured to withstand attacks

The router is the first line of defence


- packet filtering/access control is carried out at the router

The bastion host is the server that connects to the unsecure network through the router
V1.0 NCC Education Limited

Firewalls Topic 9 - 9.30

Advantages & Disadvantages


Advantages
- Security is distributed between two points - Greater security than screening router - Transparent p outbound access/restricted inbound access

Disadvantages
- Difficult to hide internal structure - There is a single point of failure in the network

V1.0

NCC Education Limited

V1.0

Visuals Handout - Page 10

Topic 9 Firewalls

Network Security and Cryptography

Firewalls Topic 9 - 9.31

Dual-Homed Host
A Bastion Host/Firewall is surrounded with packet filtering routers
- Dual-homed - outside world and protected network - Multi-homed - outside world and multiple protected networks

Routers filter traffic to the Bastion Host Bastion Host adds additional filtering capabilities Bastion Host has no routing capabilities

V1.0

NCC Education Limited

Firewalls Topic 9 - 9.32

Advantages & Disadvantages


Advantages
- Hides internal network structure

Disadvantages
- Requires users to log onto bastion host or the use of proxy servers

V1.0

NCC Education Limited

Firewalls Topic 9 - 9.33

Screened Subnet DMZ


Bastion Host is surrounded with packet filtering routers These control traffic into and out of the trusted and untrusted network sections Has an extra layer of functionality with a DMZ Traffic from DMZ to trusted network must go through Bastion Host and packet filtering router

V1.0

NCC Education Limited

V1.0

Visuals Handout - Page 11

Topic 9 Firewalls

Network Security and Cryptography

Firewalls Topic 9 - 9.34

Advantages & Disadvantages


Advantages
- Provides services to outside without compromising inside - Internal network hidden

Disadvantages
- Single point of failure

V1.0

NCC Education Limited

Firewalls Topic 9 - 9.35

Screened Subnet Multiple DMZs


Allows configuration of varying levels of security between:
- DMZs and the untrusted network - Different DMZs - DMZs and the trusted network

V1.0

NCC Education Limited

Firewalls Topic 9 - 9.36

Dual Firewall Architecture


Using two or more firewalls enhances security Can be used to create DMZs Using technology from multiple vendors can enhance security y

V1.0

NCC Education Limited

V1.0

Visuals Handout - Page 12

Topic 9 Firewalls

Network Security and Cryptography

Firewalls Topic 9 - 9.37

References
Scambrey, J., McClure, S. and Kurtz, J. (2001). Hacking Exposed: Network Security Secrets & Solutions, 2nd Edition. McGraw Hill. Zwicky, E.D. (2000). Building Internet Firewalls, 2nd Edition. OReilly Media.

V1.0

NCC Education Limited

Firewalls Topic 9 - 9.38

Topic 9 Firewalls
Any Questions?

V1.0

NCC Education Limited

V1.0

Visuals Handout - Page 13

Topic 10 - Virtual Private Networks

Network Security and Cryptography

Network Security and Cryptography


Topic 10: Virtual Private Networks

V1.0

NCC Education Limited

Network Security and Cryptography


Topic 10 Lecture 1: Introduction to VPN

V1.0

NCC Education Limited

Virtual Private Networks Topic 10 - 10.3

Scope and Coverage


This topic will cover:
Virtual Private Network technologies Issues with Virtual Private Networks

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 1

Topic 10 - Virtual Private Networks

Network Security and Cryptography

Virtual Private Networks Topic 10 - 10.4

Learning Outcomes
By the end of this topic students will be able to:
Configure access control mechanisms Explain Virtual Private Networks

V1.0

NCC Education Limited

Virtual Private Networks Topic 10 - 10.5

What is VPN?
A private network that uses public telecommunication, such as the Internet, instead of leased lines to communicate Remote network communication via the Internet Used by companies/organisations / who want to communicate confidentially Two parts:
- Protected or inside network - Outside network or segment (less trustworthy)

V1.0

NCC Education Limited

Virtual Private Networks Topic 10 - 10.6

The Users Perspective


From the users perspective, it appears as a network consisting of dedicated network links These links appear as if they are reserved for the VPN clients only
- Hence it appears to be a private connection

Because of encryption, the data appears to be private

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 2

Topic 10 - Virtual Private Networks

Network Security and Cryptography

Virtual Private Networks Topic 10 - 10.7

How VPN Works


Two connections - one is made to the Internet and the second is made to the VPN
Datagrams - contain data, destination and source

information
Firewalls - VPNs allow authorised users and data to

pass through the firewalls


Protocols - protocols create the VPN tunnels that

allow a private connection over a public network

V1.0

NCC Education Limited

Virtual Private Networks Topic 10 - 10.8

How VPN Works

V1.0

NCC Education Limited

Virtual Private Networks Topic 10 - 10.9

Key Functions
Authentication - validates that the data was sent from the sender
Access Control - preventing unauthorised users from

accessing the network


Confidentiality - preventing the data from being read

or copied as the data is being transported


Data Integrity - ensuring that the data has not been

altered

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 3

Topic 10 - Virtual Private Networks

Network Security and Cryptography

Virtual Private Networks Topic 10 - 10.10

Encryption & Tunnelling


Encryption public key encryption techniques are used Authentication digital signatures A virtual connection is made through the Internet Datagrams are sent along the virtual connection The outer part of the datagram contains a header and may or may not be encrypted The inner part is encrypted

V1.0

NCC Education Limited

Virtual Private Networks Topic 10 - 10.11

A Network
Multiple VPN connections can be made to create a genuine network

V1.0

NCC Education Limited

Virtual Private Networks Topic 10 - 10.12

Protocols
There are three main protocols used:
- IP Security (IPsec) - Point-to-Point Tunneling Protocol (PPTP) - Layer 2 Tunneling Protocol (L2TP)

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 4

Topic 10 - Virtual Private Networks

Network Security and Cryptography

Virtual Private Networks Topic 10 - 10.13

IPsec
An open standard protocol suite Provides privacy and authentication services Has two modes of operation Transport Mode encrypts data but not the header Tunnel Mode encrypts both data and header Each connection is a security association (SA)
- Has one security identifier for each direction - Each security identifier is carried in packets and used to look up keys, etc.

V1.0

NCC Education Limited

Virtual Private Networks Topic 10 - 10.14

IPsec Transport Mode


IPsec header is inserted just after the IP header Protocol field of IP header is modified to indicate that the IPsec header follows IPsec header contains security information:
- SA identifier - Sequence number - Possibly an integrity check on the payload

V1.0

NCC Education Limited

Virtual Private Networks Topic 10 - 10.15

IPsec Tunnel Mode


Whole IP packet including header is encapsulated in a new IP packet with a IPsec header Useful when the tunnel end is not the final destination
- E E.g. tunnel t l ends d at t company firewall fi ll - Firewall deals with encapsulating IP packets into IPsec packets and decapsulating - Machines on internal network do not have to be aware of IPsec as they receive and send IP packets

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 5

Topic 10 - Virtual Private Networks

Network Security and Cryptography

Virtual Private Networks Topic 10 - 10.16

PPTP
A data link protocol Used to establish a direct connection between two networking nodes Creates the virtual connection across the Internet Can provide:
- Connection authentication - Transmission encryption - Compression

V1.0

NCC Education Limited

Virtual Private Networks Topic 10 - 10.17

L2TP
A tunnelling protocol Does not provide encryption or confidentiality but relies on an encryption protocol that it passes within the h tunnel l The entire L2TP packet, including payload and header, is sent within a UDP datagram

V1.0

NCC Education Limited

Virtual Private Networks Topic 10 - 10.18

Protocols Working Together


It is common to carry PPTP sessions within an L2TP tunnel L2TP does not provide confidentiality or strong authentication by itself IPsec is often used to secure L2TP packets by providing confidentiality, authentication and integrity The combination of these two protocols is generally known as L2TP/IPsec

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 6

Topic 10 - Virtual Private Networks

Network Security and Cryptography

Virtual Private Networks Topic 10 - 10.19

Advantages
Cost effective Greater scalability Easy to add/remove users Mobility Security

V1.0

NCC Education Limited

Virtual Private Networks Topic 10 - 10.20

Disadvantages
Understanding of security issues Unpredictable Internet traffic Difficult to accommodate products from different vendors

V1.0

NCC Education Limited

Network Security and Cryptography


Topic 10 Lecture 2: VPN Connections

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 7

Topic 10 - Virtual Private Networks

Network Security and Cryptography

Virtual Private Networks Topic 10 - 10.22

VPN Connections
A VPN is a secure, private communication tunnel between two or more devices across a public network (e.g. the Internet) VPN devices can be:
- a computer running VPN software - a special device like a VPN enabled router

Remote computer can connect to an office network Two computers in different locations can connect over the Internet
V1.0 NCC Education Limited

Virtual Private Networks Topic 10 - 10.23

VPN Categories
There are several types of VPN There are different ways of classifying VPNs We use two broad categories based upon architecture:
- Client-initiated VPNs - Network access server (NAS)-initiated VPNs

V1.0

NCC Education Limited

Virtual Private Networks Topic 10 - 10.24

Client-Initiated VPNs
Users establish a tunnel across the ISP shared network to the customer network Customer manages the client software that initiates the tunnel Advantage is that they secure the connection between the client and ISP Disadvantage is that they are not as scalable and are more complex than NAS-initiated VPNs

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 8

Topic 10 - Virtual Private Networks

Network Security and Cryptography

Virtual Private Networks Topic 10 - 10.25

NAS-Initiated VPNs
Users connect to the ISP NAS which establishes a tunnel to the private network More robust than client-initiated VPNs Do not require the client to maintain the tunnelcreating software Do not encrypt the connection between the client and the ISP
- not a concern for most customers because the Public Switched Telephone Network (PSTN) is much more secure than the Internet

V1.0

NCC Education Limited

Virtual Private Networks Topic 10 - 10.26

VPNs and the Workplace


VPNs can run from a remote client PC or remote office router across the Internet or an IP service provider network to one or more corporate gateway routers (remote access) VPNs between a companys offices are a company intranet VPNs to external business partners are extranets

V1.0

NCC Education Limited

Virtual Private Networks Topic 10 - 10.27

Extranet
An extranet is where the Internet or one or two Service Providers are used to connect to business partners Extends network connectivity to:
- Customers - Business partners - Suppliers

Security policy is very important as potentially the VPN could be used for large orders or contracts

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 9

Topic 10 - Virtual Private Networks

Network Security and Cryptography

Virtual Private Networks Topic 10 - 10.28

Intranet
Intranet VPNs extend a basic remote access VPN to other corporate offices Connectivity is across the Internet or across the Service Provider IP backbone S Service levels are likely to be maintained and enforced within a single Service Provider For VPNs across the Internet (multiple Service Providers) there are no performance guarantees
- no one is in charge of the Internet!

V1.0

NCC Education Limited

Virtual Private Networks Topic 10 - 10.29

Remote Access VPN


Encrypted connections between mobile or remote users and their corporate networks Remote user can make a local call to an ISP, as opposed pp to a long g distance call to the corporate p remote access server Ideal for a telecommuter or mobile sales people VPN allows mobile workers & telecommuters to take advantage of broadband connectivity

V1.0

NCC Education Limited

Virtual Private Networks Topic 10 - 10.30

Remote Access VPN


Utilises access technologies to allow remote users to become part of a corporate VPN Usually involves the use of the Point-to-Point Protocol (PPP) and tunnels that extend the PPP connection from the access server to the corporate network In Microsofts Point-to-Point Tunneling Protocol (PPTP) it also extends the tunnel from the access server out to the end-user PC

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 10

Topic 10 - Virtual Private Networks

Network Security and Cryptography

Virtual Private Networks Topic 10 - 10.31

Virtual Private Dial-Up Networking


Virtual private dial-up networking (VPDN) enables users to configure secure networks that rely upon ISPs to tunnel remote access traffic Remote users can connect using local dial-up Dial-up Dial up service provider forwards the traffic Network configuration and security remains in the control of the client The dial-up service provider provides a virtual pipe between the sites
V1.0 NCC Education Limited

Virtual Private Networks Topic 10 - 10.32

VPN in Industry
Healthcare: transferring confidential patient information within a health care provider Manufacturing: suppliers can view inventories & allow clients to purchase online safely Retail: securely transfer sales data or customer info between stores & headquarters Banking: enables account information to be transferred safely within departments & branches

V1.0

NCC Education Limited

Virtual Private Networks Topic 10 - 10.33

VPN in Small Businesses


Operating systems often have built-in VPN protocols These often rely on usernames and passwords
- Not very secure or private

Standard VPNs require the deployment of software and clients


- Costs money and time

SSL VPNs are easy to install and use ports already available for secure traffic over the Internet
V1.0 NCC Education Limited

V1.0

Visuals Handout Page 11

Topic 10 - Virtual Private Networks

Network Security and Cryptography

Virtual Private Networks Topic 10 - 10.34

SSL VPNs
Connect securely via a standard Web browser No special software required on client computers Traffic between Web browser and the SSL VPN device is encrypted with the SSL protocol Support access control by:
- User - Device - Location

V1.0

NCC Education Limited

Virtual Private Networks Topic 10 - 10.35

SSL & Data Protection


SSL encrypts data Each SSL certificate uses public key encryption techniques The SSL handshake either authenticates the server and client or blocks unauthorized users Keeps data confidential and protected

V1.0

NCC Education Limited

Virtual Private Networks Topic 10 - 10.36

SSL Portal VPN


Allows a single SSL connection to a website User securely accesses multiple network services from the website Can use any modern browser User is authenticated via method supported by the portal User then has access to a web page that acts as the portal to other services

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 12

Topic 10 - Virtual Private Networks

Network Security and Cryptography

Virtual Private Networks Topic 10 - 10.37

SSL Tunnel VPN


Allows a web browser to securely access multiple network services through a tunnel running under SSL
- Includes applications and protocols that are not webbased

Requires a web browser that can run active content Can provide functionality not accessible via SSL portal VPNs

V1.0

NCC Education Limited

Virtual Private Networks Topic 10 - 10.38

SSL Costs
Initial costs are higher
- Requires purchase of SSL Certificate

Can save money in the long run


- Reduced management/administration costs - Plus the savings from having secure communications

V1.0

NCC Education Limited

Virtual Private Networks Topic 10 - 10.39

References
Sybex, (2001). Hacking Exposed: Networking Complete. 2nd Edition. John Wiley & Sons. Tanenbaum, A A.S. S (2003) (2003). Computer Networks. 4th Tanenbaum Edition. Prentice Hall.

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 13

Topic 10 - Virtual Private Networks

Network Security and Cryptography

Virtual Private Networks Topic 10 - 10.40

Topic 10 Virtual Private Networks


Any Questions?

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 14

Topic 11 Remote Access

Network Security and Cryptography

Network Security and Cryptography


Topic 11: Remote Access

V1.0

NCC Education Limited

Network Security and Cryptography


Topic 11 Lecture 1: Introduction to Remote Access & Web Applications

V1.0

NCC Education Limited

Remote Access Topic 11 - 11.3

Scope and Coverage


This topic will cover:
Alternative remote access technologies:
- Web applications - Remote desktops

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 1

Topic 11 Remote Access

Network Security and Cryptography

Remote Access Topic 11 - 11.4

Learning Outcomes
By the end of this topic students will be able to:
Configure access control mechanisms Select an appropriate remote access solution

V1.0

NCC Education Limited

Remote Access Topic 11 - 11.5

What is Remote Access?


Accessing a computer where the user does not have physical access to it
- Remote control of a computer - Using another device - Over a network, e.g. the Internet

A common example is the remote troubleshooting services offered by computer manufacturers

V1.0

NCC Education Limited

Remote Access Topic 11 - 11.6

Why Have Remote Access?


Allows staff to work from any location they are no longer required to be physically in the office
- Home working - Out of hours working - Mobile staff

Has become a critical part of many modern businesses

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 2

Topic 11 Remote Access

Network Security and Cryptography

Remote Access Topic 11 - 11.7

Uses of Remote Access


Comes under two categories:
- Accessing files remotely - Accessing applications remotely

By accessing files a remote user can transfer any individual files they need whilst working remotely By accessing applications the remote user can use software on the network and therefore also process files and data in the same way as if they were in the workplace

V1.0

NCC Education Limited

Remote Access Topic 11 - 11.8

Remote Application Architecture


In order to create remote access facilities an understanding of the application architecture is necessary Three Th general l models: d l
- Client/Database - Client/Server - Web-based

V1.0

NCC Education Limited

Remote Access Topic 11 - 11.9

Client/Database Architecture
Complete applications are installed on the client computer
- Fat clients

Client connects to a database via a network Data for applications is held on the database Usually used where there is only a small number of clients

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 3

Topic 11 Remote Access

Network Security and Cryptography

Remote Access Topic 11 - 11.10

Client/Server Architecture
Typically has a stripped down version of applications installed on the client
- Sufficient to connect to the server application

A full version of the software is installed on the server Business logic rules are applied at the server and a connection created to the database Example is mail client such as MS Outlook

V1.0

NCC Education Limited

Remote Access Topic 11 - 11.11

Web-based Architecture
Web browser is used as the client Requires minimal software on the client computer Interacts with web server Provides web-based user interface Server may communicate with other application servers to provide functionality
- These are usually on other hardware

Results are displayed in the web browser E.g. webmail

V1.0

NCC Education Limited

Remote Access Topic 11 - 11.12

Remote Access Technologies


A number of means of gaining remote access, for example:
Virtual Private Network (VPN) Remote Desktop Connection (RDC) Application Hosting Web-based applications

There are implications to consider:


- Security - Bandwidth requirements

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 4

Topic 11 Remote Access

Network Security and Cryptography

Remote Access Topic 11 - 11.13

Virtual Private Network (VPN)


Secure tunnel between remote user and internal network Once session is created user can pass data in/out of network Limits due to available bandwidth
- User or network end

Works well with web-based applications

V1.0

NCC Education Limited

Remote Access Topic 11 - 11.14

Remote Desktop Connection (RDC)


Applications are hosted on a remote server Appears as though screenshots have been sent to the client Keyboard and mouse inputs are forwarded to the server Results are shown in the screenshots that are returned to the client Uses a constant and relatively small amount of bandwidth
V1.0 NCC Education Limited

Remote Access Topic 11 - 11.15

Application Hosting
Application hosting involves using an external partner to host applications on their servers Removes the need for internal IT departments to manage the architecture, servers and applications Use of software and hosting management is via the external partner who charges for this service The remote access is to this external partners servers, whether from inside the office or from a remote location

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 5

Topic 11 Remote Access

Network Security and Cryptography

Remote Access Topic 11 - 11.16

Web-based Applications
Clients do not require any dedicated software other than a standard web browser Data passes over the Internet Data transfer is encrypted Can be provided as Software-as-a-Service (SaaS)
- Software vendors provide access to the software via the Internet

V1.0

NCC Education Limited

Remote Access Topic 11 - 11.17

General Security Considerations


Security best practice should be followed:
Firewalls Anti-virus software Updates and patches Security policies and procedures Staff training IDS Vulnerability scanning Separating web server, database server, etc.

V1.0

NCC Education Limited

Network Security and Cryptography


Topic 11 Lecture 2: Remote Desktops

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 6

Topic 11 Remote Access

Network Security and Cryptography

Remote Access Topic 11 - 11.19

Remote Desktop
Allows applications to be run on a remote server but displayed locally Can be achieved via software installed on the client or via a feature provided by the OS May be command line applications May be applications with a graphical user interface (GUI) There are many OS that provide this functionality

V1.0

NCC Education Limited

Remote Access Topic 11 - 11.20

Display Data Remotely


The controlling computer displays the image received from the controlled computer This image is updated:
- At regular intervals g on screen is noted by y the - Or when a change software

The controlling computer transmits input from its own keyboard or mouse to the controlled computer The software implements these actions on the controlled computer
V1.0 NCC Education Limited

Remote Access Topic 11 - 11.21

Display Data Remotely


The controlled computer acts as though these input actions were operated directly on itself Any changes to the display as a result of these actions are transmitted back to the controlling computer The controlling computer then displays this new display image on its screen Input devices and screen on the controlled computer may be disabled

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 7

Topic 11 Remote Access

Network Security and Cryptography

Remote Access Topic 11 - 11.22

A Warning!!
Attackers have used remote access software to gain control of many computers A typical scenario involves the user receiving a telephone call from someone pretending to be a legitimate corporation They offer to fix your computer remotely Once the remote access is allowed they use the computer for other purposes

V1.0

NCC Education Limited

Remote Access Topic 11 - 11.23

Remote Desktop Protocols


There are a number of protocols that may be used for remote desktop applications, including:
Virtual Network Computing (VNC) Remote Desktop Protocol (RDP) Apple Remote Desktop (ARD) Independent Computing Architecture (ICA) Appliance Link Protocol (ALP)

We will look at the first two in a little detail

V1.0

NCC Education Limited

Remote Access Topic 11 - 11.24

Virtual Network Computing (VNC)


A graphical desktop sharing application Provides remote access to a GUI Transmits keyboard and mouse actions in one direction Transmits graphical screen updates in the other direction Original source code and many derivative packages are open source

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 8

Topic 11 Remote Access

Network Security and Cryptography

Remote Access Topic 11 - 11.25

Platform Independence
VNC is platform independent A VNC viewer can connect to a VNC server using a different operating system Multiple clients can connect to the same VNC server at the same time VNC clients and servers are available for most GUI based operating systems

V1.0

NCC Education Limited

Remote Access Topic 11 - 11.26

VNC Components
VNC server is the program on the server that allows the client to take control of it VNC client (also known as the viewer) is the program that controls the server The remote framebuffer (RFB) protocol sends simple graphic messages to the client and input actions to the server The machine with the VNC server does not have to have a physical display

V1.0

NCC Education Limited

Remote Access Topic 11 - 11.27

Framebuffer
A memory buffer Drives video output display Stores information on the colour value of every pixel in a display Used in all systems that use windows Information can be transmitted storing the colour and position of each pixel in a rectangle

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 9

Topic 11 Remote Access

Network Security and Cryptography

Remote Access Topic 11 - 11.28

The RFB Protocol


RFB sends information regarding rectangles of screen display The colour information of rectangles for display are transmitted as a framebuffer Incl Includes des compression techniq techniques es and sec security rit features Client uses port 5900 for server access Server may connect in listening mode on port 5500
V1.0 NCC Education Limited

Remote Access Topic 11 - 11.29

VNC Security
VNC does not use plaintext passwords But it is not very secure Open to sniffing attacks Can be tunnelled over SSH or VPN connection for enhanced security There are SSH clients for most platforms

V1.0

NCC Education Limited

Remote Access Topic 11 - 11.30

Remote Desktop Protocol (RDP)


Microsoft protocol Provides a GUI to another computer
- Remote display - Remote input

Supports a number of technologies Supports a number of LAN protocols An extension of the ITU T.120 family of protocols Clients exist for most operating systems

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 10

Topic 11 Remote Access

Network Security and Cryptography

Remote Access Topic 11 - 11.31

RDP Operation
RDP uses its own video driver to convert rendering information into packets Sends them to the client via the network RDP receives rendering data at client and converts into Windows graphics device interface (GDI) calls Mouse/keyboard events are sent from client to server RDP uses its own on-screen events driver to receive these events
V1.0 NCC Education Limited

Remote Access Topic 11 - 11.32

RDP Features
RDP offers many features:
Encryption Bandwidth reduction Roaming disconnect Cli b d mapping Clipboard i Print redirection Sound redirection Support for 24 bit colour Smart Card authentication

V1.0

NCC Education Limited

Remote Access Topic 11 - 11.33

References
Sybex, (2001). Networking Complete. 2nd Edition. John Wiley & Sons. Tanenbaum, A.S. (2003). Computer Networks. 4th Edition. Prentice Hall. Microsoft Developer Network,
http://msdn.microsoft.com/en-us/library/aa383015.aspx

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 11

Topic 11 Remote Access

Network Security and Cryptography

Remote Access Topic 11 - 11.34

Topic 11 Remote Access


Any Questions?

V1.0

NCC Education Limited

V1.0

Visuals Handout Page 12