Internet Security CS457 Seminar Zhao Cheng

Security attacks
• Interruption, interception, modification, fabrication.
• Passive attacks (interception: eavesdropping, traffic analysis) versus active attacks (interruption, modification, fabrication).
Security services
• Confidentiality
• Authentication
• Integrity
• Nonrepudiation
IPSec services
SA (Security Association): a one-way relationship between a sender and a receiver, uniquely identified by
• SPI (Security Parameter Index).
• IP destination address.
• Security protocol identifier: AH (Authentication Header) or ESP (Encapsulating Security Payload).
Two modes
• Transport mode: protection for the upper-layer protocol (the payload of the IP packet).
• Tunnel mode: protection for the entire IP packet, which is carried inside a new outer IP header.
Authentication header
• Header definition.
• Anti-replay service: the sequence number is checked against a sliding window at the receiver.
• Integrity check value (ICV): a MAC over the packet, excluding the IP header fields that change in transit.
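As an added example (not from the slides), the AH receive path in Python: the SA is selected by the (SPI, destination address, protocol) triple from the IPSec services slide above, the sequence number is checked against a sliding window, and the ICV is verified over the immutable IP header fields, the AH header with its ICV zeroed, and the payload. The integrity algorithm (HMAC-SHA256-128), the 64-packet window, the IPv4 header, the key and the function names are assumptions made for this example; transport mode only, no IPv4 options or IPv6.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass

# Fixed for this illustration: AH protocol number, 64-packet window, HMAC-SHA256-128 (16-byte ICV).
PROTO_AH = 51
WINDOW = 64
WINDOW_MASK = (1 << WINDOW) - 1
ICV_LEN = 16
AH_FIXED_LEN = 12  # Next Header(1) Payload Len(1) Reserved(2) SPI(4) Sequence Number(4)
# Constructed IPv4 header: total length 56, TTL 64, protocol 51 (AH), 10.0.0.1 -> 10.0.0.2
IP_HDR = bytes.fromhex("450000381234000040330000" "0a000001" "0a000002")

@dataclass
class SecurityAssociation:
    spi: int
    dst: str
    proto: int
    auth_key: bytes
    last_seq: int = 0      # highest sequence number accepted so far
    window_bits: int = 0   # bit k set <=> packet last_seq - k has been received

class ReplayError(Exception): pass
class IntegrityError(Exception): pass

def replay_check(sa, seq):
    """Sliding-window anti-replay check; leaves the SA untouched."""
    if seq == 0:
        raise ReplayError("sequence number 0 is never valid")
    if seq > sa.last_seq:
        return                        # right of the window: a new packet
    offset = sa.last_seq - seq
    if offset >= WINDOW:
        raise ReplayError(f"seq {seq} is older than the window (last={sa.last_seq})")
    if sa.window_bits & (1 << offset):
        raise ReplayError(f"seq {seq} already received")

def replay_update(sa, seq):
    """Record seq in the window; called only after the ICV has verified."""
    if seq > sa.last_seq:
        sa.window_bits = ((sa.window_bits << (seq - sa.last_seq)) | 1) & WINDOW_MASK
        sa.last_seq = seq
    else:
        sa.window_bits |= 1 << (sa.last_seq - seq)

def zero_mutable_ipv4(hdr):
    """Zero the fields routers change in transit so both ends MAC the same bytes."""
    h = bytearray(hdr)
    h[1] = 0                  # DSCP / ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)

def compute_icv(sa, ip_hdr, ah_fixed, payload):
    """ICV = truncated HMAC over immutable IP fields, AH with the ICV field zeroed, and the payload."""
    covered = zero_mutable_ipv4(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(sa.auth_key, covered, hashlib.sha256).digest()[:ICV_LEN]

def build_ah(sa, seq, ip_hdr, payload, next_header):
    """Transport-mode AH: returns the AH header followed by the original upper-layer payload."""
    payload_len_field = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # AH length in 32-bit words, minus 2
    ah_fixed = struct.pack("!BBHII", next_header, payload_len_field, 0, sa.spi, seq)
    return ah_fixed + compute_icv(sa, ip_hdr, ah_fixed, payload) + payload

def receive_ah(sa_table, ip_hdr, data):
    """Parse AH, select the SA, pre-check replay, verify the ICV, then commit to the window."""
    ah_fixed = data[:AH_FIXED_LEN]
    next_header, payload_len_field, _reserved, spi, seq = struct.unpack("!BBHII", ah_fixed)
    ah_total = (payload_len_field + 2) * 4
    icv, payload = data[AH_FIXED_LEN:ah_total], data[ah_total:]
    # an inbound SA is selected by the triple (SPI, destination address, security protocol)
    sa = sa_table[(spi, socket.inet_ntoa(ip_hdr[16:20]), PROTO_AH)]
    replay_check(sa, seq)             # cheap check first, before spending a MAC on a replay
    if not hmac.compare_digest(icv, compute_icv(sa, ip_hdr, ah_fixed, payload)):
        raise IntegrityError(f"ICV mismatch for spi={spi:#x} seq={seq}")
    replay_update(sa, seq)
    return next_header, payload

def demo():
    """Constructed exchange: reordered packets, an exact replay, a tampered packet, a stale one."""
    key = hashlib.sha256(b"constructed demo key, not a real SA key").digest()
    sender = SecurityAssociation(0x1000, "10.0.0.2", PROTO_AH, key)
    receiver = SecurityAssociation(0x1000, "10.0.0.2", PROTO_AH, key)
    sa_table = {(receiver.spi, receiver.dst, receiver.proto): receiver}
    hop = IP_HDR[:8] + bytes([63]) + IP_HDR[9:]   # one router decremented TTL in transit
    def send(seq):
        return build_ah(sender, seq, IP_HDR, f"ping {seq:03d}".encode(), next_header=17)
    packets = {seq: send(seq) for seq in (1, 2, 3)}
    tampered = send(4)[:-1] + b"!"                  # last payload byte modified in transit
    out = {"accepted": [], "rejected": []}
    for pkt in (packets[1], packets[3], packets[2], packets[2], tampered, send(200), send(100)):
        try:
            out["accepted"].append(receive_ah(sa_table, hop, pkt)[1])
        except (ReplayError, IntegrityError) as e:
            out["rejected"].append(f"{type(e).__name__}: {e}")
    return out
```

Two details worth noticing: the receiver runs the replay check before the MAC, so a flood of replays costs no HMAC computations, but it only updates the window after the ICV has verified, so a forged packet with a large sequence number cannot slide the window and lock out legitimate traffic. The TTL change between sender and receiver does not break the ICV because TTL is one of the mutable fields zeroed before the MAC.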
Encapsulating Security Payload
• Format.
• Encryption of the payload, with authentication as an option.
Key management
• Manual: a system administrator configures each system with its own keys and with the keys of the other systems.
• Automated: keys for SAs are created on demand; ISAKMP (Internet Security Association and Key Management Protocol) is the default automated protocol.
Benefits of IPSec
• Strong security for the whole group behind a firewall or router, applied in one place.
• Transparent to applications.
• Transparent to end users.
• Security can also be provided for individual users.
TLS (Transport Layer Security)
• Objective: reliable end-to-end security over TCP.
• Construction: two layers of protocols, the Record Protocol underneath and the Handshake, Change Cipher Spec and Alert protocols above it.
SSL Record Protocol
• Record Protocol operation (fragment, compress, add MAC, encrypt) and record format.
SSL Handshake Protocol
Phases:
1. Establish Security Capabilities.
2. Server Authentication and Key Exchange.
3. Client Authentication and Key Exchange.
4. Finish.
Example on handshake protocol
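Added example, not from the slides: the record framing from the Record Protocol slide and phase 1 of the handshake, a ClientHello carrying the client's capabilities and the server's ServerHello (or a fatal handshake_failure alert) in reply, in Python. The cipher-suite codes are the real IANA values; the server's preference list, the sample client offers and the function names are constructed for this example. Later phases (certificates, key exchange, Finished) and the record-layer MAC and encryption are not shown.

```python
import os
import struct

# Record-layer content types, handshake types and a few IANA cipher-suite codes (real values);
# the server preference list is a constructed policy for this example.
CT_ALERT, CT_HANDSHAKE = 21, 22
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2
TLS12 = 0x0303
MAX_FRAGMENT = 1 << 14   # a TLSPlaintext fragment is at most 2^14 bytes
SUITES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
}
SERVER_PREFERENCE = [0xC030, 0xC02F]   # AEAD suites only, strongest first

def record(content_type, version, fragment):
    """Record header: content type(1) version(2) length(2), then the fragment."""
    if len(fragment) > MAX_FRAGMENT:
        raise ValueError("fragment exceeds 2^14 bytes; the record layer must fragment it first")
    return struct.pack("!BHH", content_type, version, len(fragment)) + fragment

def handshake(msg_type, body):
    """Handshake message header: type(1) length(3)."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def client_hello(version, random32, session_id, suites, compression=(0,)):
    """ClientHello: the security capabilities the client offers (phase 1)."""
    body = struct.pack("!H", version) + random32
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += bytes([len(compression)]) + bytes(compression)
    return record(CT_HANDSHAKE, version, handshake(HS_CLIENT_HELLO, body))

def parse_records(stream):
    """Split a byte stream into (content_type, version, fragment) tuples, rejecting bad lengths."""
    records, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack("!BHH", stream[pos:pos + 5])
        if length > MAX_FRAGMENT:
            raise ValueError(f"record length {length} exceeds 2^14")
        fragment = stream[pos + 5:pos + 5 + length]
        if len(fragment) != length:
            raise ValueError("truncated record body")
        records.append((ctype, version, fragment))
        pos += 5 + length
    return records

def parse_client_hello(fragment):
    """Decode a ClientHello handshake message into the capabilities it offers."""
    msg_type, length = fragment[0], int.from_bytes(fragment[1:4], "big")
    if msg_type != HS_CLIENT_HELLO or len(fragment) != 4 + length:
        raise ValueError("not a well-formed ClientHello")
    body = fragment[4:]
    version = struct.unpack("!H", body[:2])[0]
    random32, pos = body[2:34], 34
    sid_len = body[pos]
    session_id, pos = body[pos + 1:pos + 1 + sid_len], pos + 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    compression = list(body[pos + 1:pos + 1 + body[pos]])
    return {"version": version, "random": random32, "session_id": session_id,
            "cipher_suites": suites, "compression": compression}

def server_hello(offer):
    """Server side of phase 1: choose by server preference, or send a fatal handshake_failure alert."""
    chosen = next((s for s in SERVER_PREFERENCE if s in offer["cipher_suites"]), None)
    if chosen is None:
        return None, record(CT_ALERT, TLS12, bytes([2, 40]))   # level fatal(2), handshake_failure(40)
    version = min(offer["version"], TLS12)
    body = (struct.pack("!H", version) + os.urandom(32) + bytes([0])   # server random, empty session id
            + struct.pack("!H", chosen) + bytes([0]))                   # chosen suite, null compression
    return chosen, record(CT_HANDSHAKE, version, handshake(HS_SERVER_HELLO, body))

def negotiate(offered_suites):
    """Run phase 1 for a constructed client; return the agreed suite name or the failure."""
    wire = client_hello(TLS12, os.urandom(32), b"", offered_suites)
    [(ctype, _version, fragment)] = parse_records(wire)
    if ctype != CT_HANDSHAKE:
        raise ValueError("expected a handshake record")
    chosen, reply = server_hello(parse_client_hello(fragment))
    [(reply_type, _version, _fragment)] = parse_records(reply)
    return "handshake_failure" if reply_type == CT_ALERT else SUITES[chosen]
```

The choice is made in the server's order, not the client's, so a client that lists a weak suite first still gets the strongest suite both sides support, and a client that offers only RC4 or 3DES is refused with a fatal alert rather than downgraded. The length checks in the record parser are the point of the record layer's format: every record announces its own length, and anything that does not add up is rejected before the handshake parser sees it.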
Services of TLS
1. Integrity: by cryptographic checksums (a MAC on each record).
2. Confidentiality: by encryption of the SSL record payloads.
3. Authentication: by the handshake protocol.
Summary
• Attacks on network security and the corresponding security services.
• IPSec: security services provided at the IP layer.
• TLS: security services provided at the transport layer.