Internet Security - ComSec Services & Mechanisms

Lecture II: Communication Security Services
Internet Security: Principles & Practices
John K. Zao, PhD (Harvard) SMIEEE
Computer Science Department, National Chiao Tung University
Spring 2012
Internet Security - X.800 Security Services
What is Communication Security?
To provide safe communication over unsafe media.
[Figure: Alice sends a message to Bob while Eve has access to the channel]
- Safe Communication
  - Alice can send a message to Bob that only Bob can understand: Confidentiality
  - Nobody can tamper with message content during communication: Integrity
  - Bob can know for sure it was Alice who sent the message: Authentication
- Unsafe Media
  - Medium over which passive and active attacks are possible
[Figure: Network (Communication) Security Model, showing passive attacks and active attacks on the channel]
X.800: Security Architecture
- Security Services: different kinds of security protection
  - Service Types
  - Service Layer Mapping
- Security Mechanisms: different ways to implement security protection
  - Mechanism Definition
  - Service - Mechanism Mapping
Communication Security Services
- Confidentiality
  - Data Confidentiality
  - Traffic Confidentiality
- Data Integrity
- Authentication
  - Data Origin Authentication
  - Peer Authentication
(Confidentiality, Data Integrity and Authentication are marked on the slide as the Primary Services)
- Access Control
- Non-Repudiation
  - Non-Repudiation of Origin
  - Non-Repudiation of Reception
- Audit
- Availability – an after-thought but increasingly important
Note: all services are defined here in the context of Communication Security.
Confidentiality
Protection of information from disclosure to unauthorized entities
(organizations, people, machines, processes).
Information includes data contents, size, existence, communication
characteristics, etc.
Service Types
- Data Confidentiality / Disclosure Protection
  - Connection Oriented
  - Connectionless
  - Selective Field
- Traffic Flow Confidentiality
  - Origin Destination Association
  - Message Size
  - Transmission Patterns
- Accompanied with Data Integrity
Protection Mechanisms
- Data Encryption
  - Symmetric (Secret-Key)
  - Asymmetric (Public-Key)
Integrity
Protection of data against creation, alteration, deletion, duplication and
reordering by unauthorized entities (organizations, people, machines, processes).
Integrity violation is always caused by active attacks.
Service Types
- Message Integrity: associated with connectionless communication
- Message Stream Integrity: associated with connection oriented communication
Protection Mechanisms
- Message Digests (Hashing)
- Sequence Numbers
- Nonce ID (Random Number)
- Time Stamps
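As an added example (not from the lecture), the following Python code combines two of the mechanisms listed above, a keyed message digest (HMAC-SHA256) and a sequence number, to provide message stream integrity on a connection-oriented exchange: the receiver reports alteration or forgery, replay or reordering, and deletion (a gap in the sequence) as separate verdicts. The key and the frame layout are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo key; in a real system it comes from key management.
KEY = b"constructed-demo-key-not-for-real-use"
TAG_LEN = 32  # HMAC-SHA256 output size


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: frame = 4-byte sequence number || payload || HMAC tag.
    The tag covers the sequence number, so a replayed or reordered frame
    cannot simply be relabelled with a fresh number."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class StreamReceiver:
    """Receiver side: the tag check gives message integrity; the sequence
    check on top of it gives message stream integrity."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected = 0  # next sequence number we are willing to accept

    def accept(self, frame: bytes):
        """Return (payload, 'ok') or (None, reason)."""
        if len(frame) < 4 + TAG_LEN:
            return None, "malformed"
        header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        good = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(good, tag):
            return None, "altered or forged"  # creation / alteration
        seq = struct.unpack(">I", header)[0]
        if seq < self.expected:
            return None, "replayed or reordered"  # duplication / reordering
        if seq > self.expected:
            # Deletion detected; a service "with recovery" would ask for
            # retransmission here instead of only rejecting the frame.
            return None, f"gap: missing {self.expected}..{seq - 1}"
        self.expected = seq + 1
        return payload, "ok"


if __name__ == "__main__":
    rx = StreamReceiver(KEY)
    frames = [protect(KEY, i, b"msg%d" % i) for i in range(3)]
    print(rx.accept(frames[0]), rx.accept(frames[0]), rx.accept(frames[2]))
```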
Authentication
Communicating entities are provided with assurance & information about the
relevant identities of their communicating partners (people, machines, processes).
Personnel Authentication requires special attention.
Service Types
- Data Origin Authentication: associated with connectionless communication
- Peer Entity Authentication: associated with connection oriented communication
- Fundamental for access control, hence for confidentiality & integrity
Protection Mechanisms
- Password
  - Manual
  - One-Time Password
- Key Sharing
  - Manual
  - Symmetric Key (Tickets)
  - Asymmetric Key (Certificates)
- Challenge – Response
  - Nonce Based
  - Zero Knowledge Proof
Access Control
Protection of information resources or services against unauthorized
access or use by entities (organizations, people, machines, processes).
- Policies – Subject-Action-Target rules prescribing access restrictions
- Principals – entities that own access control privileges
- Subjects – entities that exercise access control privileges
- Privileges – rights to access or use resources or services
- Objects / Targets – resources or services accessed/used by subjects
- Authorization – assertion of access control privileges
- Delegation – transfer of access control privileges
Service Types
- Subject Based Typing
  - Identity Based
  - Role Based
- Enforcement Based Typing
  - Mandatory Access Control (management directed)
  - Discretionary Access Control (resource owner directed)
Protection Mechanisms
- Access Control Lists (ACLs)
  - Object Based Specification
  - Ex.: UNIX File System
- Capabilities
  - Subject Based Specification
  - Issue Tickets/Certificates
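Added example, not from the lecture: the same Subject-Action-Target policy expressed both as ACLs (indexed by object, as in the UNIX file system) and as capabilities (indexed by subject), with a delegation step that only transfers a privilege the grantor already holds. The subjects, targets and rules are constructed for the demonstration.

```python
from collections import defaultdict

# Constructed policy: one (subject, action, target) rule per line.
RULES = [
    ("alice", "read", "payroll.csv"),
    ("alice", "write", "payroll.csv"),
    ("bob", "read", "payroll.csv"),
    ("bob", "read", "notes.txt"),
]


def build_acl(rules):
    """Object-based specification: for each target, who may do what."""
    acl = defaultdict(set)
    for subject, action, target in rules:
        acl[target].add((subject, action))
    return acl


def build_capabilities(rules):
    """Subject-based specification: for each subject, the (action, target)
    tickets it holds."""
    caps = defaultdict(set)
    for subject, action, target in rules:
        caps[subject].add((action, target))
    return caps


def acl_allows(acl, subject, action, target):
    """Reference-monitor check against the target's ACL."""
    return (subject, action) in acl.get(target, set())


def cap_allows(caps, subject, action, target):
    """Reference-monitor check against the subject's capability set."""
    return (action, target) in caps.get(subject, set())


def delegate(caps, grantor, grantee, action, target):
    """Delegation: a subject may pass on only a capability it holds, so the
    set of privileges in circulation never grows beyond the policy."""
    if (action, target) not in caps.get(grantor, set()):
        return False
    caps[grantee].add((action, target))
    return True


def views_agree(rules, subject, action, target):
    """Both representations of one policy must reach the same decision."""
    return acl_allows(build_acl(rules), subject, action, target) == \
        cap_allows(build_capabilities(rules), subject, action, target)
```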
Non-Repudiation
Protection against denial of participation by communicating entities in
all or part of a communication.
Service Types
- Non-Repudiation of Origin
- Non-Repudiation of Reception
Protection Mechanisms
- Notarization
- Time Stamp
- Digital Signature
Audit
Recording & analysis of participation, roles and actions in information
communication by relevant entities.
Service Types
- Off-line Analysis (Computer Forensics)
- On-line Analysis (Real-time Intrusion Detection)
Protection Mechanisms
- "Syslog"
- Intrusion Monitors / Sensors
- Common Intrusion Detection Framework (CIDF)
- Common Information Model (CIM)
Service vs. Layer Mapping
[Figure: security protocols placed on the OSI stack. Application: MSP, PEM, Key Management; Transport: TLSP; Network: NLSP, IPSP; Data Link: SILS; Physical: Secure Signaling]

Relationship between Security Services and Protocol Layers
(Y = the service may be provided at that layer; · = not provided at that layer)

Service                                    | 1 | 2 | 3 | 4 | 5 | 6 | 7*
-------------------------------------------+---+---+---+---+---+---+---
Peer Entity Authentication                 | · | · | Y | Y | · | · | Y
Data Origin Authentication                 | · | · | Y | Y | · | · | Y
Access Control                             | · | · | Y | Y | · | · | Y
Connection Confidentiality                 | Y | Y | Y | Y | · | Y | Y
Connectionless Confidentiality             | · | Y | Y | Y | · | Y | Y
Selective Field Confidentiality            | · | · | · | · | · | Y | Y
Traffic Flow Confidentiality               | Y | · | Y | · | · | · | Y
Connection Integrity with Recovery         | · | · | · | Y | · | · | Y
Connection Integrity without Recovery      | · | · | Y | Y | · | · | Y
Selective Field Connection Integrity       | · | · | · | · | · | · | Y
Connectionless Integrity                   | · | · | Y | Y | · | · | Y
Selective Field Connectionless Integrity   | · | · | · | · | · | · | Y
Non-repudiation, Origin                    | · | · | · | · | · | · | Y
Non-repudiation, Delivery                  | · | · | · | · | · | · | Y
Further Reading
- Textbook
  - Network Security Essentials, Ch. 1, Introduction, pp. 15 – 35
  - Web page: http://williamstallings.com/NetworkSecurity/
- Websites
  - X.800 Security Services: http://en.wikipedia.org/wiki/Security_service_(telecommunication)
  - Availability: http://en.wikipedia.org/wiki/Availability