ImageVerifierCode 换一换
格式:PPT , 页数:71 ,大小:1.99MB ,
文档编号:3602778      下载积分:28 文币
快捷下载
登录下载
邮箱/手机:
温馨提示:
系统将以此处填写的邮箱或者手机号生成账号和密码,方便再次下载。 如填写123,账号和密码都是123。
支付方式: 支付宝    微信支付   
验证码:   换一换

优惠套餐
 

温馨提示:若手机下载失败,请复制以下地址【https://www.163wenku.com/d-3602778.html】到电脑浏览器->登陆(账号密码均为手机号或邮箱;不要扫码登陆)->重新下载(不再收费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  
下载须知

1: 试题类文档的标题没说有答案,则无答案;主观题也可能无答案。PPT的音视频可能无法播放。 请谨慎下单,一旦售出,概不退换。
2: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
3: 本文为用户(三亚风情)主动上传,所有收益归该用户。163文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知163文库(点击联系客服),我们立即给予删除!。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

1,本文(第十一讲-协议安全课件(2).ppt)为本站会员(三亚风情)主动上传,163文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。
2,用户下载本文档,所消耗的文币(积分)将全额增加到上传者的账号。
3, 若此文所含内容侵犯了您的版权或隐私,请立即通知163文库(发送邮件至3464097650@qq.com或直接QQ联系客服),我们立即给予删除!

第十一讲-协议安全课件(2).ppt

1、School of computer,SCUEC1Lecture 11 Protocols and securityProtocols and Security()school of School of computer,SCUEC2Lecture 11 Protocols and securityIPSecSchool of computer,SCUEC3Lecture 11 Protocols and securitySecurity Issues in IP|source spoofing|replay packets|no data integrity or confidentiali

2、ty DOS attacks Replay attacks Spying and moreFundamental Issue:Networks are not(and will never be)fully secureSchool of computer,SCUEC4Lecture 11 Protocols and securityIPSec and SSL|IPSec lives at the network layer|IPSec is transparent to applicationsapplicationtransportnetworklinkphysicalSSLOSUserN

3、ICIPSecSchool of computer,SCUEC5Lecture 11 Protocols and securityAn IPSec scenarioSchool of computer,SCUEC6Lecture 11 Protocols and securityIPSec and Complexity|IPSec is a complex protocol|Over-engineeredLots of generally useless extra features|FlawedSome serious security flaws|Interoperability is s

4、erious challengeDefeats the purpose of having a standard!|Complex|Did I mention,its complex?School of computer,SCUEC7Lecture 11 Protocols and securityIPSec ArchitectureESPAHIKEIPSec Security PolicyEncapsulating SecurityPayloadAuthentication HeaderThe Internet Key ExchangeSchool of computer,SCUEC8Lec

5、ture 11 Protocols and securityIKE and ESP/AH|Two parts to IPSec|IKE:Internet Key ExchangeMutual authenticationEstablish shared symmetric keyTwo“phases”like SSL session/connection|ESP/AHESP:Encapsulating Security Payload for encryption and/or integrity of IP packetsAH:Authentication Header integrity

6、onlySchool of computer,SCUEC9Lecture 11 Protocols and securityIPsec servicesSchool of computer,SCUEC10Lecture 11 Protocols and securityIKESchool of computer,SCUEC11Lecture 11 Protocols and securitySecurity Associations|a one-way relationship between sender&receiver that affords security for traffic

7、flowIf a peer relationship is needed,for two-way secure exchange,then two security associations are required.|uniquely identified by 3 parameters:Security Parameters Index(SPI)IP Destination AddressSecurity Protocol Identifier|has a number of other parametersseq no,AH&EH info,lifetime etc|have a dat

8、abase of Security Associations|Security services are afforded to an SA for the use of AH or ESP,but not both.School of computer,SCUEC12Lecture 11 Protocols and securityAuthentication Header(AH)|provides support for data integrity&authentication of IP packetsend system/router can authenticate user/ap

9、pprevents address spoofing attacks by tracking sequence numbers|based on use of a MACHMAC-MD5-96 or HMAC-SHA-1-96|parties must share a secret keySchool of computer,SCUEC13Lecture 11 Protocols and securityEncapsulating Security Payload(ESP)|provides message content confidentiality&limited traffic flo

10、w confidentiality|can optionally provide the same authentication services as AH|supports range of ciphers,modes,paddingincl.DES,Triple-DES,RC5,IDEA,CAST etcCBC&other modespadding needed to fill block size,fields,for traffic flowSchool of computer,SCUEC14Lecture 11 Protocols and securityIKE|IKE has 2

11、 phasesPhase 1 IKE security association(SA)Phase 2 AH/ESP security association|Phase 1 is comparable to SSL session|Phase 2 is comparable to SSL connection|Not an obvious need for two phases in IKE|If multiple Phase 2s do not occur,then it is more expensive to have two phases!School of computer,SCUE

12、C15Lecture 11 Protocols and securityIKE Phase 1|Four different“key”optionsPublic key encryption(original version)Public key encryption(improved version)Public key signatureSymmetric key|For each of these,two different“modes”Main modeAggressive mode|There are 8 versions of IKE Phase 1!|Evidence that

13、IPSec is over-engineered?School of computer,SCUEC16Lecture 11 Protocols and securityIKE Phase 1|Well discuss 6 of 8 phase 1 variantsPublic key signatures(main and aggressive modes)Symmetric key(main and aggressive modes)Public key encryption(main and aggressive)|Why public key encryption and public

14、key signatures?Always know your own private keyMay not(initially)know other sides public keySchool of computer,SCUEC17Lecture 11 Protocols and securityIKE Phase 1|Uses ephemeral Diffie-Hellman to establish session keyAchieves perfect forward secrecy(PFS)|Let a be Alices Diffie-Hellman exponent|Let b

15、 be Bobs Diffie-Hellman exponent|Let g be generator and p prime|Recall p and g are publicSchool of computer,SCUEC18Lecture 11 Protocols and securityIKE Phase 1:Digital Signature(Main Mode)|CP=crypto proposed,CS=crypto selected|IC=initiator“cookie”,RC=responder“cookie”|K=h(IC,RC,gab mod p,RA,RB)|SKEY

16、ID=h(RA,RB,gab mod p)|proofA=h(SKEYID,ga,gb,IC,RC,CP,“Alice”)AliceAliceBobIC,CPIC,RC,CSIC,RC,ga mod p,RAIC,RC,E(“Alice”,proofA,K)IC,RC,gb mod p,RBIC,RC,E(“Bob”,proofB,K)School of computer,SCUEC19Lecture 11 Protocols and securityIKE Phase 1:Public Key Signature(Aggressive Mode)|Main difference from m

17、ain modeNot trying to protect identitiesCannot negotiate g or pAliceBobIC,“Alice”,ga mod p,RA,CPIC,RC,“Bob”,RB,gb mod p,CS,proofBIC,RC,proofASchool of computer,SCUEC20Lecture 11 Protocols and securityMain vs Aggressive Modes|Main mode MUST be implemented|Aggressive mode SHOULD be implementedIn other

18、 words,if aggressive mode is not implemented,“you should feel guilty about it”|Might create interoperability issues|For public key signature authenticationPassive attacker knows identities of Alice and Bob in aggressive modeActive attacker can determine Alices and Bobs identity in main modeSchool of

19、 computer,SCUEC21Lecture 11 Protocols and securityIKE Phase 1:Symmetric Key(Main Mode)|Same as signature mode except KAB=symmetric key shared in advance K=h(IC,RC,gab mod p,RA,RB,KAB)SKEYID=h(K,gab mod p)proofA=h(SKEYID,ga,gb,IC,RC,CP,“Alice”)AliceBobIC,CPIC,RC,CSIC,RC,ga mod p,RAIC,RC,E(“Alice”,pro

20、ofA,K)IC,RC,gb mod p,RBIC,RC,E(“Bob”,proofB,K)School of computer,SCUEC22Lecture 11 Protocols and securityProblems with Symmetric Key(Main Mode)|Catch-22Alice sends her ID in message 5Alices ID encrypted with KTo find K Bob must know KABTo get KAB Bob must know hes talking to Alice!|Result:Alices ID

21、must be IP address!|Useless mode for the“road warrior”|Why go to all of the trouble of trying to hide identities in 6 message protocol?School of computer,SCUEC23Lecture 11 Protocols and securityIKE Phase 1:SymmetricKey(Aggressive Mode)|Same format as digital signature aggressive mode|Not trying to h

22、ide identities|As a result,does not have problems of main mode|But does not(pretend to)hide identitiesAliceBobIC,“Alice”,ga mod p,RA,CPIC,RC,“Bob”,RB,gb mod p,CS,proofBIC,RC,proofASchool of computer,SCUEC24Lecture 11 Protocols and securityIKE Phase 1:Public Key Encryption(Main mode)|CP=crypto propos

23、ed,CS=crypto selected|IC=initiator“cookie”,RC=responder“cookie”|K=h(IC,RC,gab mod p,RA,RB)|SKEYID=h(RA,RB,gab mod p)|proofA=h(SKEYID,ga,gb,IC,RC,CP,“Alice”)AliceBobIC,CPIC,RC,CSIC,RC,ga mod p,RABob,“Alice”BobIC,RC,E(proofA,K)IC,RC,gb mod p,RBAlice,“Bob”AliceIC,RC,E(proofB,K)School of computer,SCUEC2

24、5Lecture 11 Protocols and securityIKE Phase 1:Public Key Encryption(Aggressive Mode)|K,proofA,proofB computed as in main mode|Note that identities are hiddenThe only aggressive mode to hide identitiesThen why have main mode?AliceBobIC,CP,ga mod p,“Alice”Bob,RABobIC,RC,CS,gb mod p,“Bob”Alice,RBAlice,

25、proofBIC,RC,proofASchool of computer,SCUEC26Lecture 11 Protocols and securityPublic Key Encryption Issue?|Public key encryption,aggressive mode|Suppose Trudy generatesExponents a and bNonces RA and RB|Trudy can compute“valid”keys and proofs:gab mod p,K,SKEYID,proofA and proofB|Also true of main mode

26、School of computer,SCUEC27Lecture 11 Protocols and securityPublic Key Encryption Issue?Trudyas AliceTrudyas Bob|Trudy can create exchange that appears to be between Alice and Bob|Appears valid to any observer,including Alice and Bob!IC,RC,CS,gb mod p,“Bob”Alice,RBAlice,proofBIC,RC,proofAIC,CP,ga mod

27、 p,“Alice”Bob,RABobSchool of computer,SCUEC28Lecture 11 Protocols and securityPlausible Deniability|Trudy can create“conversation”that appears to be between Alice and Bob|Appears valid,even to Alice and Bob!|A security failure?|In this mode of IPSec,it is a featurePlausible deniability:Alice and Bob

28、 can deny that any conversation took place!|In some cases it might be a security failureIf Alice makes a purchase from Bob,she could later repudiate it(unless she had signed)School of computer,SCUEC29Lecture 11 Protocols and securityIKE Phase 1 Cookies|Cookies(or“anti-clogging tokens”)supposed to ma

29、ke denial of service more difficult|No relation to Web cookies|To reduce DoS,Bob wants to remain stateless as long as possible|But Bob must remember CP from message 1(required for proof of identity in message 6)|Bob must keep state from 1st message on!|These cookies offer little DoS protection!Schoo

30、l of computer,SCUEC30Lecture 11 Protocols and securityIKE Phase 1 Summary|Result of IKE phase 1 is Mutual authenticationShared symmetric keyIKE Security Association(SA)|But phase 1 is expensive(in public key and/or main mode cases)|Developers of IKE thought it would be used for lots of things not ju

31、st IPSec|Partly explains over-engineeringSchool of computer,SCUEC31Lecture 11 Protocols and securityIKE Phase 2|Phase 1 establishes IKE SA|Phase 2 establishes IPSec SA|Comparison to SSL SSL session is comparable to IKE Phase 1SSL connections are like IKE Phase 2|IKE could be used for lots of things|

32、But in practice,its not!School of computer,SCUEC32Lecture 11 Protocols and securityIKE Phase 2|Key K,IC,RC and SA known from Phase 1|Proposal CP includes ESP and/or AH|Hashes 1,2,3 depend on SKEYID,SA,RA and RB|Keys derived from KEYMAT=h(SKEYID,RA,RB,junk)|Recall SKEYID depends on phase 1 key method

33、|Optional PFS(ephemeral Diffie-Hellman exchange)AliceBobIC,RC,CP,E(hash1,SA,RA,K)IC,RC,CS,E(hash2,SA,RB,K)IC,RC,E(hash3,K)School of computer,SCUEC33Lecture 11 Protocols and securityIPSec|After IKE Phase 1,we have an IKE SA|After IKE Phase 2,we have an IPSec SA|Both sides have a shared symmetric key|

34、Now what?We want to protect IP datagrams|But what is an IP datagram?From the perspective of IPSecSchool of computer,SCUEC34Lecture 11 Protocols and securityIP Review|Where IP header is IP headerdata|IP datagram is of the form School of computer,SCUEC35Lecture 11 Protocols and securityIP and TCP|Cons

35、ider HTTP traffic(over TCP)|IP encapsulates TCP|TCP encapsulates HTTPIP headerTCP hdrHTTP hdrapp dataIP headerdata|IP data includes TCP header,etc.School of computer,SCUEC36Lecture 11 Protocols and securityIPSec Transport Mode|IPSec Transport ModeIP headerdataIP headerESP/AHdata|Transport mode desig

36、ned for host-to-host|Transport mode is efficientAdds minimal amount of extra header|The original header remainsPassive attacker can see who is talkingSchool of computer,SCUEC37Lecture 11 Protocols and securityIPSec Tunnel Mode|IPSec Tunnel ModeIP headerdatanew IP hdrESP/AHIP header data|Tunnel mode

37、for firewall to firewall traffic|Original IP packet encapsulated in IPSec|Original IP header not visible to attackerNew header from firewall to firewallAttacker does not know which hosts are talkingSchool of computer,SCUEC38Lecture 11 Protocols and securityComparison of IPSec Modes|Transport Mode|Tu

38、nnel ModeIP headerdataIP headerESP/AHdataIP headerdatanew IP hdrESP/AHIP header data|Transport ModeHost-to-host|Tunnel ModeFirewall-to-firewall|Transport mode not necessary|Transport mode is more efficientSchool of computer,SCUEC39Lecture 11 Protocols and securityCombining Security Associations|SAs

39、can implement either AH or ESP|to implement both need to combine SAsform a security association bundlemay terminate at different or same endpointscombined by transport adjacency iterated tunneling|issue of authentication&encryption order School of computer,SCUEC40Lecture 11 Protocols and securityIPS

40、ec ModesSchool of computer,SCUEC41Lecture 11 Protocols and securityTransport Mode vs.Tunnel Mode EncryptionSchool of computer,SCUEC42Lecture 11 Protocols and securityTransport Mode vs.Tunnel Mode EncryptionSchool of computer,SCUEC43Lecture 11 Protocols and securityCombining Security AssociationsScho

41、ol of computer,SCUEC44Lecture 11 Protocols and securityCombining Security AssociationsSchool of computer,SCUEC45Lecture 11 Protocols and securityCombining Security AssociationsSchool of computer,SCUEC46Lecture 11 Protocols and securityCombining Security AssociationsSchool of computer,SCUEC47Lecture

42、11 Protocols and securityIPSec Security|What kind of protection?Confidentiality?Integrity?Both?|What to protect?Data?Header?Both?|ESP/AH do some combinations of theseSchool of computer,SCUEC48Lecture 11 Protocols and securitySSL vs IPSec|IPSec discussed in next sectionLives at the network layer(part

43、 of the OS)Has encryption,integrity,authentication,etc.Is overly complex(including serious flaws)|SSL(and IEEE standard known as TLS)Lives at socket layer(part of user space)Has encryption,integrity,authentication,etc.Has a simpler specificationSchool of computer,SCUEC49Lecture 11 Protocols and secu

44、ritySSL vs IPSec|IPSec implementationRequires changes to OS,but no changes to applications|SSL implementationRequires changes to applications,but no changes to OS|SSL built into Web application early on(Netscape)|IPSec used in VPN applications(secure tunnel)|Reluctance to retrofit applications for S

45、SL|Reluctance to use IPSec due to complexity and interoperability issues|Result?Internet less secure than it should be!School of computer,SCUEC50Lecture 11 Protocols and securityKerberosSchool of computer,SCUEC51Lecture 11 Protocols and securityKerberos trusted key server system from MIT provides ce

46、ntralised symmetric encryption third-party authentication in a distributed networkl allows users access to services distributed through networkl without needing to trust all workstationsl rather all trust a central authentication server two versions in use:4&5School of computer,SCUEC52Lecture 11 Pro

47、tocols and securityKerberos Requirements its first report identified requirements as:l securel reliablel transparentl scalable implemented using an authentication protocol based on Needham-SchroederSchool of computer,SCUEC53Lecture 11 Protocols and securityMotivation for Kerberos|Authentication usin

48、g public keysN users N key pairs|Authentication using symmetric keysN users requires about N2 keys|Symmetric key case does not scale!|Kerberos based on symmetric keys but only requires N keys for N usersBut must rely on TTPAdvantage is that no PKI is requiredSchool of computer,SCUEC54Lecture 11 Prot

49、ocols and securityKerberos KDC|Kerberos Key Distribution Center or KDCActs as a TTPTTP must not be compromised!KDC shares symmetric key KA with Alice,key KB with Bob,key KC with Carol,etc.Master key KKDC known only to KDCKDC enables authentication and session keysKeys for confidentiality and integri

50、tyIn practice,the crypto algorithm used is DESSchool of computer,SCUEC55Lecture 11 Protocols and securityKerberos Tickets|KDC issues a ticket containing info needed to access a network resource|KDC also issues ticket-granting tickets or TGTs that are used to obtain tickets|Each TGT containsSession k

侵权处理QQ:3464097650--上传资料QQ:3464097650

【声明】本站为“文档C2C交易模式”,即用户上传的文档直接卖给(下载)用户,本站只是网络空间服务平台,本站所有原创文档下载所得归上传人所有,如您发现上传作品侵犯了您的版权,请立刻联系我们并提供证据,我们将在3个工作日内予以改正。


163文库-Www.163Wenku.Com |网站地图|