Escolar Documentos
Profissional Documentos
Cultura Documentos
1. Confidentiality
2. Integrity
3. Availability
þ Eavesdropping on transmissions
þ To obtain information
þ Release of message contents
Outsider learns content of transmission
þ Traffic analysis
By monitoring frequency and length of messages,
even encrypted, nature of communication may be
guessed
þ Difficult to detect
þ Can be prevented
þ £asquerade
Pretending to be a different entity
þ Replay
þ £odification of messages
þ Denial of service
þ Easy to detect
Detection may lead to deterrent
þ Hard to prevent
=
þ Plain text
þ Encryption algorithm
þ Secret key
þ Cipher text
þ Decryption algorithm
þ Strong encryption algorithm
Even if known, should not be able to decrypt or work
out key
Even if a number of cipher texts are available
together with plain texts of them
þ Once key is known, all communication using this
key is readable
þ Sender and receiver must obtain secret key
securely
þ Crypt analysis
Relay on nature of algorithm plus some knowledge of
general characteristics of plain text
Attempt to deduce plain text or key
þ Brute force
Try every possible key until plain text is achieved
þ Block cipher
Process plain text in fixed block sizes producing block
of cipher text of equal size
Data encryption standard (DES)
Triple DES (TDES)
|
þ - bit plain text blocks
þ 5- bit key
þ US standard
|
|
=
|
þ Declared insecure in 1998
þ Electronic Frontier Foundation
þ DES Cracker machine
þ DES now worthless
þ Alternatives include TDEA
|
þ ANSI X9.17 (1985)
þ Incorporated in DEA standard 1999
þ Uses 3 keys and 3 executions of DEA algorithm
þ Effective key length 1-8 bit
ü
|
ü
þ Each communication link equipped at both ends
þ All traffic secure
þ High level of security
þ Requires lots of encryption devices
þ £essage must be decrypted at each switch to
read address (virtual circuit number)
þ Security vulnerable at switches
Particularly on public switched network
þ Encryption done at ends of system
þ Data in encrypted form crosses network
unaltered
þ Destination shares key with source to decrypt
þ Host can only encrypt user data
Otherwise switching nodes could not read header or
route packet
þ Traffic pattern not secure
G
$ % &
þ Accepts variable size message and produces
fixed size tag (message digest)
þ Advantages of authentication without encryption
Encryption is slow
Encryption hardware expensive
Encryption hardware optimized to large data
Algorithms covered by patents
Algorithms subject to export controls (from USA)
#
G
$
%
% &
þ Hash function must have following properties:
Can be applied to any size data block
Produce fixed length output
Easy to compute
Not feasible to reverse
Not feasible to find two message that give the same
hash
%'
þ Secure Hash Algorithm 1
þ Input message less than 2- bits
Processed in 512 bit blocks
þ Output 1- bit digest
þ Based on mathematical algorithms
þ Asymmetric
Use two separate keys
þ Ingredients
Plain text
Encryption algorithm
Public and private key
Cipher text
Decryption algorithm
G
þ One key made public
Used for encryption
þ Other kept private
Used for decryption
þ Infeasible to determine decryption key given
encryption key and algorithm
þ Either key can be used for encryption, the other
for decryption
þ User generates pair of keys
þ User places one key in public domain
þ To send a message to user, encrypt using public
key
þ User decrypts using private key
|
=) =*
þ IPSec
þ Secure branch office connectivity over Internet
þ Secure remote access over Internet
þ Extranet and intranet connectivity
þ Enhanced electronic commerce security
=
þ Authentication header
þ Encapsulated security payload
þ ey exchange
þ RFC 2 1,2 2,2 -,2 8
þ One way relationship between sender and
receiver
þ For two way, two associations are required
þ Three SA identification parameters
Security parameter index
IP destination address
Security protocol identifier
þ Sequence number counter
þ Sequence counter overflow
þ Anti-reply windows
þ AH information
þ ESP information
þ Lifetime of this association
þ IPSec protocol mode
Tunnel, transport or wildcard
þ Path £TU
£
þ Transport mode
Protection for upper layer protocols
Extends to payload of IP packet
End to end between hosts
þ Tunnel mode
Protection for IP packet
Entire packet treated as payload for outer IP Ơpacketơ
No routers examine inner packet
£ay have different source and destination address
£ay be implemented at firewall
%
þ ESP
þ Confidentiality services
£
þ £anual
þ Automatic
X ISA£P/Oakley
Oakley key determination protocol
Internet security association and key management
protocol