Lecture II: Communication Security Services
Internet Security: Principles & Practices
John K. Zao, PhD (Harvard), SMIEEE
Computer Science Department, National Chiao Tung University
Spring 2012

Internet Security - X.800 Security Services, Spring 2012

What is Communication Security?
  To provide safe communication over unsafe media (Alice, Bob and the eavesdropper Eve).
  Safe communication:
    - Alice can send a message to Bob that only Bob can understand: Confidentiality
    - Nobody can tamper with message content during communication: Integrity
    - Bob can know for sure that it was Alice who sent the message: Authentication
  Unsafe media: a medium over which passive and active attacks are possible.

Network (Communication) Security Model
  - Passive attacks
  - Active attacks

X.800: Security Architecture
  Security services: different kinds of security protection
    - Service types
    - Service-layer mapping
  Security mechanisms: different ways to implement security protection
    - Mechanism definition
    - Service-mechanism mapping

Communication Security Services
  Primary services:
    - Confidentiality
        - Data confidentiality
        - Traffic confidentiality
    - Data integrity
    - Authentication
        - Data origin authentication
        - Peer authentication
    - Access control
    - Non-repudiation
        - Non-repudiation of origin
        - Non-repudiation of reception
    - Audit
  Availability: an afterthought, but increasingly important.
  Note: all services are defined here in the context of communication security.

Confidentiality
  Protection of information from disclosure to unauthorized entities (organizations, people, machines, processes). Information includes data contents, size, existence, communication characteristics, etc.
  Service types:
    - Data confidentiality / disclosure protection
        - Connection oriented
        - Connectionless
        - Selective field
    - Traffic flow confidentiality
        - Origin-destination association
        - Message size
        - Transmission patterns
        - Accompanied with data integrity
  Protection mechanisms:
    - Data encryption
        - Symmetric (secret-key)
        - Asymmetric (public-key)

Integrity
  Protection of data against creation, alteration, deletion, duplication or reordering by unauthorized entities (organizations, people, machines, processes). Integrity violation is always caused by active attacks.
  Service types:
    - Message integrity: associated with connectionless communication
    - Message stream integrity: associated with connection-oriented communication
  Protection mechanisms:
    - Message digests (hashing)
    - Sequence numbers
    - Nonce ID (random number)
    - Time stamps

Authentication
  Communicating entities are provided with assurance of, and information about, the relevant identities of their communicating partners (people, machines, processes). Personnel authentication requires special attention.
  Service types:
    - Data origin authentication: associated with connectionless communication
    - Peer entity authentication: associated with connection-oriented communication
  Fundamental for access control, and hence for confidentiality and integrity.
  Protection mechanisms:
    - Password
        - Manual
        - One-time password
    - Key sharing
        - Manual
        - Symmetric key (tickets)
        - Asymmetric key (certificates)
    - Challenge-response
        - Nonce based
        - Zero-knowledge proof

Access Control
  Protection of information resources or services against unauthorized access or use by entities (organizations, people, machines, processes).
  Terminology:
    - Policies: Subject-Action-Target rules prescribing access restrictions
    - Principals: entities that own access control privileges
    - Subjects: entities that exercise access control privileges
    - Privileges: rights to access or use resources or services
    - Objects / Targets: resources or services accessed or used by subjects
    - Authorization: assertion of access control privileges
    - Delegation: transfer of access control privileges
  Service types:
    - Subject-based typing
        - Identity based
        - Role based
    - Enforcement-based typing
        - Mandatory access control: management directed
        - Discretionary access control: resource-owner directed
  Protection mechanisms:
    - Access control lists (ACLs): object-based specification (e.g. the UNIX file system)
    - Capabilities: subject-based specification (issued as tickets/certificates)

Non-Repudiation
  Protection against denial of participation by communicating entities in all or part of a communication.
  Service types:
    - Non-repudiation of origin
    - Non-repudiation of reception
  Protection mechanisms:
    - Notarization
    - Time stamp
    - Digital signature

Audit
  Recording and analysis of participation, roles and actions in information communication by relevant entities.
  Service types:
    - Off-line analysis (computer forensics)
    - On-line analysis (real-time intrusion detection)
  Protection mechanisms:
    - "Syslog"
    - Intrusion monitors / sensors
    - Common Intrusion Detection Framework (CIDF)
    - Common Information Model (CIM)
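The following is an added example, not part of the lecture slides, showing how the integrity and authentication mechanisms listed above (a keyed message digest, sequence numbers and time stamps) combine to give message stream integrity plus data origin authentication on a connection. The shared key, the 30-second freshness window and the messages are constructed values; HMAC-SHA256 stands in for the slide's generic "message digest".

```python
import hmac
import hashlib
import struct

# Constructed shared secret for the example; in practice it would come from one
# of the key-sharing mechanisms on the Authentication slide (tickets, certificates).
SHARED_KEY = b"constructed-demo-key-not-for-real-use"
MAX_AGE_SECONDS = 30  # assumed freshness window for the time stamp check

def make_record(seq, timestamp, payload, key=SHARED_KEY):
    """Sender side: bind sequence number, time stamp and payload under one keyed
    digest so that alteration, reordering and replay are all detectable."""
    header = struct.pack("!QQ", seq, timestamp)          # 8-byte seq, 8-byte ts
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return {"seq": seq, "ts": timestamp, "payload": payload, "tag": tag}

class StreamVerifier:
    """Receiver side: keyed digest gives data origin authentication, a strictly
    increasing sequence number gives stream integrity, time stamp gives freshness."""
    def __init__(self, key=SHARED_KEY, max_age=MAX_AGE_SECONDS):
        self.key = key
        self.max_age = max_age
        self.last_seq = -1

    def verify(self, rec, now):
        header = struct.pack("!QQ", rec["seq"], rec["ts"])
        expected = hmac.new(self.key, header + rec["payload"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, rec["tag"]):      # constant-time compare
            return "reject: digest mismatch (altered or not from key holder)"
        if rec["seq"] <= self.last_seq:
            return "reject: replayed or reordered (seq %d <= %d)" % (rec["seq"], self.last_seq)
        if abs(now - rec["ts"]) > self.max_age:
            return "reject: stale time stamp"
        self.last_seq = rec["seq"]
        return "accept"

def demo():
    """Runs one honest exchange followed by the three active attacks the slide
    names (duplication/replay, alteration, delayed delivery); returns verdicts."""
    v = StreamVerifier()
    t = 1_700_000_000                                    # constructed clock value
    r1 = make_record(1, t, b"transfer 100 to Bob")
    r2 = make_record(2, t + 1, b"transfer 200 to Bob")
    results = [v.verify(r1, t), v.verify(r2, t + 1)]
    results.append(v.verify(r1, t + 2))                  # replay of r1
    tampered = dict(r2, payload=b"transfer 900 to Eve")  # content altered, old tag
    results.append(v.verify(tampered, t + 2))
    results.append(v.verify(make_record(3, t, b"late"), t + 100))  # stale stamp
    return results

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```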
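A second added example, again not from the lecture, contrasts the two access control mechanisms on the slide: an ACL (object-based specification, with both identity-based and role-based entries) and a capability (subject-based specification issued as a ticket), including delegation of a ticket. The role table, the ACL, the targets and the issuer key are all constructed; a keyed digest from the issuer is assumed as the way the ticket is protected from forgery.

```python
import hmac
import hashlib

# Constructed subject-to-role mapping for the example.
ROLES = {"alice": {"admin"}, "bob": {"staff"}, "eve": set()}

# ACL: the object lists which principals may perform which actions on it.
# "user:" entries are identity based, "role:" entries are role based.
ACL = {
    "/payroll.db": {"user:alice": {"read", "write"}, "role:staff": {"read"}},
    "/public.txt": {"role:staff": {"read"}, "role:admin": {"read", "write"}},
}

def acl_allows(subject, action, target):
    """Subject-Action-Target check against the object's ACL."""
    entries = ACL.get(target, {})
    principals = {"user:" + subject} | {"role:" + r for r in ROLES.get(subject, ())}
    return any(action in entries.get(p, set()) for p in principals)

# Capability: a ticket naming the subject, the target and the granted actions,
# bound with a keyed digest so that only the issuer can mint or alter it.
ISSUER_KEY = b"constructed-issuer-key"   # assumed issuer secret

def issue_capability(subject, target, actions):
    # Field names must not contain "|" or "," (the ticket's separators).
    body = "%s|%s|%s" % (subject, target, ",".join(sorted(actions)))
    tag = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "|" + tag

def capability_allows(ticket, subject, action, target):
    """The target checks the ticket itself; no per-object list is consulted."""
    try:
        t_subject, t_target, t_actions, tag = ticket.split("|")
    except ValueError:
        return False                                   # malformed ticket
    body = "|".join([t_subject, t_target, t_actions])
    expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False                                   # forged or altered ticket
    return t_subject == subject and t_target == target and action in t_actions.split(",")

def delegate(ticket, new_subject):
    """Delegation: the issuer transfers the privileges of a valid ticket to
    another subject by minting a fresh ticket in that subject's name."""
    t_subject, t_target, t_actions, _tag = ticket.split("|")
    first_action = t_actions.split(",")[0]
    if not capability_allows(ticket, t_subject, first_action, t_target):
        raise ValueError("refusing to delegate an invalid ticket")
    return issue_capability(new_subject, t_target, t_actions.split(","))
```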
Service vs. Layer Mapping

Security protocols by layer:
  - Application: MSP, PEM, key management
  - Presentation
  - Session
  - Transport: TLSP
  - Network: NLSP, IPSP
  - Data link: SILS
  - Physical: secure signaling

Relationship between Security Services and Protocol Layers
(layers 1 to 7; Y = the service can be provided at that layer, · = it cannot)

  Service                                   1  2  3  4  5  6  7*
  Peer Entity Authentication                ·  ·  Y  Y  ·  ·  Y
  Data Origin Authentication                ·  ·  Y  Y  ·  ·  Y
  Access Control                            ·  ·  Y  Y  ·  ·  Y
  Connection Confidentiality                Y  Y  Y  Y  ·  Y  Y
  Connectionless Confidentiality            ·  Y  Y  Y  ·  Y  Y
  Selective Field Confidentiality           ·  ·  ·  ·  ·  Y  Y
  Traffic Flow Confidentiality              Y  ·  Y  ·  ·  ·  Y
  Connection Integrity with Recovery        ·  ·  ·  Y  ·  ·  Y
  Connection Integrity without Recovery     ·  ·  Y  Y  ·  ·  Y
  Selective Field Connection Integrity      ·  ·  ·  ·  ·  ·  Y
  Connectionless Integrity                  ·  ·  Y  Y  ·  ·  Y
  Selective Field Connectionless Integrity  ·  ·  ·  ·  ·  ·  Y
  Non-repudiation, Origin                   ·  ·  ·  ·  ·  ·  Y
  Non-repudiation, Delivery                 ·  ·  ·  ·  ·  ·  Y

Further Reading
  Textbook: Network Security Essentials, Ch. 1, Introduction, pp. 15-35
    Web page: http://williamstallings.com/NetworkSecurity/
  Websites:
    X.800 Security Services: http://en.wikipedia.org/wiki/Security_service_(telecommunication)
    Availability: http://en.wikipedia.org/wiki/Availability