Security Management

1
Security Management????

• ??? (Yen-Cheng Chen)
• yencheng_at_mcu.edu.tw
• http//www.im.tj.mcu.edu.tw/ycchen/

2
Security Management

• The process of protecting access to sensitive
  information found on systems attached to a data
  network.

3
???????

• The creation, deletion, and control of security
  services and mechanisms.
• The distribution of security-relevant
  information.
• The reporting of security-relevant events.

4
???????

• ??? (Confidentiality)
• ??? (Authentication)
• ??? (Integrity)
• ????? (Non-repudiation)
• ???? (Access control)
• ??? (Availability)

5
????????
1. Identifying the sensitive information to be
protected 2. Finding the access points 3.
Securing the access points 4. Maintaining the
access points
6
Access Point

• A piece of network hardware or software that
  allows access to the data network.
• Software services
• Hardware components
• Network media

7
Finding the Access Points

• Physical Wiring/Media
• Network Services
• Remote Login
• File Transfer
• E-mail
• Remote Execution
• Directory Service
• NMS

8
Securing the Access Points

• (1). Packet Filtering
• (2). Host Authentication
• (3). User Authentication
• (4). Key Authentication
• (5). Encryption

9
(1). Packet Filtering

• Packet filtering usually can be performed in
  bridges, switches, and routers.
• Packet filtering stops packets to or from
  unsecured hosts before they reach an access
  point.
• Issues
• Each network device to perform packet filtering
  must be configured.
• Packet filtering doesn't work if the unsecured
  host changes its address.

10
Packet-Filtering Routers
Protected Network
Users
Router with ACLs
ISP and Internet
Users
E-mail Server
Public Access
Web Server
11
(2). Host Authentication

• Allow access to a service based on a source host
  identifier, e.g. network address.
• Issues
• A host can change its network address.
• Different users in the same host have the same
  authority.

12
(3). User Authentication

• Enable service to identify each user before
  allowing that user access.
• Password Mechanism
• Generally, passwords are transferred on the
  network without any encryption.
• Use encrypted passwords.
• Users tend to make passwords easy to remember.
• If the passwords are not common words, users will
  write them down.
• Host Authentication User Authentication

13
(4). Key Authentication

• Key
• A unique piece of information that authenticates
  the data in a transaction.
• Key Authentication
• The destination host requires the source host of
  a transaction to present a key for the
  transaction.
• Key Server
• A server that validates requests for transactions
  between hosts by giving out keys.

14
Source (S) Key Server (K) Destination
(D)
1. S requests remote login to D 2. S requests a
key to K. 3. K validates the request. 4.
K send a key to S. 5. S requests login with
valid key to D.
S
K
?
?
S
D
15
(5). Encryption
Network
atek49ffdlffffe ffdsfsfsff
atek49ffdlffffe ffdsfsfsff
decryption
encryption
ciphertext
ciphertext
Dear John I am happy to know ...
Dear John I am happy to know ...
plaintext
plaintext
16
Cryptography / Encryption

• Encryption
• Encode, Scramble, or Encipher the plaintext
  information to be sent.
• Encryption Algorithm
• The method performed in encryption.
• Encryption Key
• A stream of bits that control the encryption
  algorithm.
• Plaintext
• The text which is to be encrypted.
• Ciphertext
• the text after encryption is performed.

17
Encryption
Encryption Algorithm
Encryption Key
?
Ciphertext
atek49ffdlffffe ffdsfsfsff
Plaintext
Dear John I am happy to know ...
18
Decryption
Decryption Algorithm
Decryption Key
?
Plaintext
Dear John I am happy to know ...
Ciphertext
atek49ffdlffffe ffdsfsfsff
19
Encryption / Decryption
20
Encryption Techniques

• Private Key Encryption
• Encryption Key Decryption Key
• Also called Symmetric-Key Encryption, Secret-Key
  Encryption, or Conventional Cryptography.
• Public Key Encryption
• Encryption Key ? Decryption Key
• Also called Asymmetric Encryption

21
Private Key Encryption - DES (Data Encryption
Standard)

• Adopted by U.S. Federal Government.
• Both the sender and receiver must know the same
  secret key code to encrypt and decrypt messages
  with DES
• Operates on 64-bit blocks with a 56-bit key
• DES is a fast encryption scheme and works well
  for bulk encryption.
• Issues
• How to deliver the key to the sender safely?

22
Symmetric Key in DES
23
Other Symmetric Key Encryption Techniques

• 3DES
• Triple DES
• RC2, RC4
• IDEA
• International Data Encryption Algorithm

24
Key Size Matters!
Centuries Decades Years Hours
168-bits
Triple-DES (recommended for commercial
corporate information)
Information Lifetime
56-bits
40-bits
100s 10K 1M 10M
100M Budget ()
25
Public Key Encryption - RSA

• The public key is disseminated as widely as
  possible. The secrete key is only known by the
  receiver.
• Named after its inventors Ron Rivest, Adi Shamir,
  and Leonard Adleman
• RSA is well established as a de facto standard
• RSA is fine for encrypting small messages

26
Asymmetric Key in RSA
27
Key Length
Average Time for Exhaustive Key Search
9
32
32 Bits 2 4.3 X 10
56
16
Number of Possible Key
56 Bits 2 7.2 X 10
Symmetric Cipher (Conventional)
Asymmetric (RSA/D-H)
128
38
128 Bits 2 3.4 X 10
40 Bits 274 Bits
56 Bits 384 Bits 64
Bits 512 Bits 80
Bits 1024 Bits 96 Bits
1536 Bits 112 Bits
2048 Bits 120 Bits
2560 Bits 128 Bits
3072 Bits 192 Bits
10240 Bits
31
32 Bits gt 2 usec 36 min
Time required at 1 Encryption/uSEC
127
24
128 Bits gt 2 usec 5X10 Years
32 Bits gt 2 millsec
Time required at 10 Encryption/uSEC
56 Bits gt 10 Hours
Performance
6
18
128 Bits gt 5X10 Years
30200 1
28
Hybrid Encryption Technology PGP (Pretty Good
Privacy)

• Hybrid Encryption Technique
• First compresses the plaintext.
• Then creates a session key, which is a
  one-time-only secret key.
• Using the session key, apply a fast conventional
  encryption algorithm to encrypt the plaintext.
• The session key is then encrypted to the
  recipients public key.
• This public key-encrypted session key is
  transmitted along with the ciphertext to the
  recipient.

29
PGP Encryption
30
PGP Decryption

• The recipient uses its private key to recover the
  temporary session key
• Use the session key to decrypt the
  conventionally-encrypted ciphertext.

31
PGP Decryption
32
Digital Signatures

• Digital signatures enable the recipient of
  information to verify the authenticity of the
  informations origin, and also verify that the
  information is intact.
• Public key digital signatures provide
• authentication
• data integrity
• non-repudiation
• Technique public key cryptography

33
Simple Digital Signatures
34
Secure Digital Signatures
35
Maintaining the Secure Access Points

• Locate potential and actual security breaches.
• Audit Trail
• Security Test Programs

36
Attaching to a Public Network

• No Access
• Full Access
• All individual computers should have security
  management.
• Limited Access
• Use a firewall to enforce security between
  private and public networks.

37
??? (Firewall)

• Firewall????????,????????????????
• Firewall????
• Packet Filtering Firewall
• Dual-Homed Host Firewall
• Screened Host Firewall
• Screened Subnet Firewall

http//www.movies.acmecity.com/silent/6/doc/fwppt.
zip
38
VPN (Virtual Private Network)

• VPN ??????
• ???????,????????????????????????
• VPN??????????
• X.25
• Frame Relay
• ATM
• Internet

39
VPN (Virtual Private Network)
40
VPN??

• ???? (Tunneling)
• IPSec (IP Security)
• PPTP (Point-to-Point Tunneling Protocol)
• L2TP (Layer 2 Tunneling Protocol)
• ????? (Encryption/Decryption)
• Private/Public/Hybrid Key Encryption
• ???? (Key Management)
• SKIP (Simple Key Management for IP)
• IKE (ISAKMP/Oakley)
• ???????????? (Authentication)
• Username/Password Token Number
• X.509 Certificate by Certificate Authority (CA)