Post on 19-Dec-2015
Security Overview
Hofstra University
University College for Continuing Education
- Advanced Java Programming
Lecturer: Engin Yalt
May 24, 2006

Disclaimer
The images in this presentation are taken from http://williamstallings.com/NetSec2e.html
Network Security Essentials, William Stallings

Security Attacks
• Interruption: attack on availability
• Interception: attack on confidentiality
• Modification: attack on integrity
• Fabrication: attack on authenticity

Security Services
• Confidentiality (privacy)
• Authentication (who created or sent the data)
• Integrity (has not been altered)
• Non-repudiation (the order is final)
• Access control (prevent misuse of resources)
• Availability (permanence, non-erasure)
  - Denial of Service Attacks
  - Virus that deletes files

Methods of Defense
• Encryption
• Software Controls (access limitations in a database; in an operating system, protect each user from other users)
• Hardware Controls (smartcard)
• Policies (frequent changes of passwords)
• Physical Controls

Cryptography
Classified along three independent dimensions:
• The type of operations used for transforming plaintext to ciphertext
• The number of keys used
  - symmetric (single key) (DES, 3DES)
  - asymmetric (two keys, or public-key) (RSA)
• The way in which the plaintext is processed
  - Block cipher vs. stream cipher processing

Average time required for exhaustive key search

Key size (bits)   Number of alternative keys   Time required at 10^6 decryptions/µs
32                2^32 = 4.3 x 10^9            2.15 milliseconds
56                2^56 = 7.2 x 10^16           10 hours
128               2^128 = 3.4 x 10^38          5.4 x 10^18 years
168               2^168 = 3.7 x 10^50          5.9 x 10^30 years

Key Distribution
• A key could be selected by A and physically delivered to B.
• A third party could select the key and physically deliver it to A and B.
• If A and B have previously used a key, one party could transmit the new key to the other, encrypted using the old key.
• If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.

Key Distribution
• Session key:
  - Data is encrypted with a one-time session key. At the conclusion of the session, the key is destroyed.
• Permanent key:
  - Used between entities for the purpose of distributing session keys

Authentication
• Requirements - must be able to verify that:
  1. Message came from apparent source or author,
  2. Contents have not been altered,
  3. Sometimes, it was sent at a certain time or sequence.
• Protection against active attack (falsification of data and transactions)

Public-Key Cryptography
• Use of two keys (public key, private key)
• The scheme has six ingredients
  - Public key
  - Private key
  - Plaintext
  - Encryption algorithm
  - Ciphertext
  - Decryption algorithm

Public-Key Cryptographic Algorithms
• RSA - Ron Rivest, Adi Shamir and Len Adleman at MIT, in 1977.
  - RSA is a block cipher
  - The most widely implemented
• Diffie-Hellman
  - Exchange a secret key securely
  - Based on the difficulty of computing discrete logarithms

Public-Key Infrastructure (PKI)
Creating Certificate
* CA = Certificate Authority

Public-Key Infrastructure (PKI)
Obtaining a Certificate
http://www.sdl.hitachi.co.jp/english/people/pki/index04.html

X.509 Authentication Service
• Distributed set of servers that maintains a database about users.
• Each certificate contains the public key of a user and is signed with the private key of a CA*.
• Used in S/MIME, IP Security, SSL/TLS and SET.
• Use of RSA is recommended.
* CA = Certificate Authority

Revocation of Certificates
Reasons:
• The user's secret key is assumed to be compromised.
• The user is no longer certified by this CA.
• The CA's certificate is assumed to be compromised.

E-Mail Security
• PGP (Pretty Good Privacy)
  - Philip R. Zimmermann is the creator
  - Provides a confidentiality and authentication service
  - Can be used for email and file storage applications
• S/MIME (Secure/Multipurpose Internet Mail Extension)
  - Enveloped Data: content and session keys encrypted for recipients.
  - Signed Data: Message Digest encrypted with private key of "signer."
  - Clear-Signed Data: Signed but not encrypted.
  - Signed and Enveloped Data
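
The "Signed Data" item above, and requirements 1 and 2 of the Authentication slide, shown with the JCA Signature class. This is an added example, not code from the lecture; the algorithm name SHA256withRSA, the key size, the party names and the sample message are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;

public class SignedDataDemo {
    // Assumption: the slides name no digest or padding scheme.
    static final String ALG = "SHA256withRSA";

    // Signer side: digest the message and sign the digest with the private key.
    static byte[] sign(KeyPair signer, byte[] msg) throws Exception {
        Signature s = Signature.getInstance(ALG);
        s.initSign(signer.getPrivate());
        s.update(msg);
        return s.sign();
    }

    // Recipient side: recompute the digest and check it against the signature
    // using the public key of the party the message claims to come from.
    static boolean verify(PublicKey claimed, byte[] msg, byte[] sig) throws Exception {
        Signature s = Signature.getInstance(ALG);
        s.initVerify(claimed);
        s.update(msg);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair alice = kpg.generateKeyPair();    // the apparent source
        KeyPair mallory = kpg.generateKeyPair();  // a different key holder

        byte[] msg = "Pay Bob 100 USD".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] sig = sign(alice, msg);

        byte[] altered = msg.clone();
        altered[8] = '9';                         // modification in transit
        byte[] forged = sign(mallory, msg);       // fabrication under another key

        System.out.println("original message:  " + verify(alice.getPublic(), msg, sig));
        System.out.println("altered contents:  " + verify(alice.getPublic(), altered, sig));
        System.out.println("wrong signer:      " + verify(alice.getPublic(), msg, forged));
    }
}
```

Only the first check succeeds: the second fails the integrity requirement and the third fails the source requirement.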

Secure Sockets Layer - SSL
• Browser connects to a secure server https://.....
• The server sends its certificate
• The browser
  - verifies the certificate
  - creates a session key (shared secret)
  - encrypts the session key with server's public key
  - sends it to the server.
• The server decrypts the session key using its private key
• The handshake is complete! Now browser and server can talk using a shared secret key.
• The browser sends sensitive info (credit card) over a secure channel.
http://www.ourshop.com/resources/ssl.html
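
The session-key steps of the handshake described above, written with JCA/JCE calls. This is an added example, not code from the lecture: it shows only the key transport and the first protected message (certificate verification is left out), and the choice of RSA-OAEP for wrapping, AES-GCM for the channel, the key sizes and the sample payload are assumptions.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;

public class SessionKeyExchange {
    // Assumptions: the slides name neither transformation.
    static final String WRAP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final String BULK = "AES/GCM/NoPadding";

    public static void main(String[] args) throws Exception {
        // Server: long-term key pair; the public half is what its certificate carries.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair server = kpg.generateKeyPair();

        // Browser: create a one-time session key and encrypt it with the server's public key.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey browserKey = kg.generateKey();
        Cipher wrap = Cipher.getInstance(WRAP);
        wrap.init(Cipher.WRAP_MODE, server.getPublic());
        byte[] wrappedKey = wrap.wrap(browserKey);  // the only form of the key sent on the wire

        // Server: recover the session key with its private key.
        Cipher unwrap = Cipher.getInstance(WRAP);
        unwrap.init(Cipher.UNWRAP_MODE, server.getPrivate());
        Key serverKey = unwrap.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);

        // Browser: send data under the shared session key (fresh 12-byte IV per message).
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher enc = Cipher.getInstance(BULK);
        enc.init(Cipher.ENCRYPT_MODE, browserKey, new GCMParameterSpec(128, iv));
        byte[] ct = enc.doFinal("card=CONSTRUCTED-SAMPLE".getBytes(StandardCharsets.UTF_8));

        // Server: decrypt with the key it unwrapped; GCM throws if ct was altered in transit.
        Cipher dec = Cipher.getInstance(BULK);
        dec.init(Cipher.DECRYPT_MODE, serverKey, new GCMParameterSpec(128, iv));
        System.out.println(new String(dec.doFinal(ct), StandardCharsets.UTF_8));
    }
}
```

The same wrap and unwrap calls apply to the Key Distribution slides, where a permanent key exists only to deliver session keys.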

Security and Java Platform
• Platform Security (Java Language, Sandbox)
• Cryptography (JCA, JCE)
• Authentication and Access Control (JAAS)
• Secure Communications (JSSE, JGSS)
• Public Key Infrastructure (PKI)
http://java.sun.com/security/