TCP/IP and Encryption. CIT304 University of Sunderland Harry R. Erwin, PhD

Transcription

1 TCP/IP and Encryption CIT304 University of Sunderland Harry R. Erwin, PhD

2 Resources Garfinkel and Spafford, 1996, Practical UNIX and Internet Security, O Reilly, ISBN: B. Schneier, 2000, Secrets and Lies, Wiley, ISBN:

3 TCP/IP The most general packet and message-level protocol in use. Operates on LANs, WANs and other network protocol. We will discuss IPv4 Be aware the internet is moving towards IPv6.

4 Internet Addresses Dotted quartile 4 8-bit integers separated by periods ( ) Unique in some sense (except that a local LAN may have only one address visible to the outside) Multiple address classes mean that not all addresses are usable. Classless InterDomain Routing (CIDR) has been introduced to address this.

5 Routing Routing is transparent Local hosts send packets to their gateway. The gateway is a router and handles matters from that point. The architecture routes around outages and failures.

6 Hostnames The name of the computer (not its address). Hostname<-->IP Addresses may be many to many! Hostnames begin with an alphanumeric character and may contain letters, numbers, and a few symbols. Case is ignored. Two parts: machine name and domain. The first period is the separator.

7 Packets and Protocols ICMP for control TCP for connection-oriented service UDP for connectionless service IGMP for multicasting control

8 ICMP In-band control of internet operations. Examples: Echo request and echo reply Destination unreachable Source quench Redirect Etc

9 TCP Reliable, ordered, connection-oriented service. Connects (16 bit) ports at (32 bit) IP addresses. SYN and ACK bits in the packet header are used to negotiate new connections. SYN set to request the connection SYN and ACK set to ack the request ACK set to confirm the connection Three-way handshake This protocol allows unfriendly outsiders to detect which ports are being listened to.

10 UDP Unreliable connection-less service 10 times more throughput than TCP 53 dns 69 tftp 111 sunrpc 137 windows blithering 161 snmp

11 Clients and Services Clients initiate connections to servers. Sometimes this is logically backwards as in X-Windows, where the client is the sender of the information, and the server is the machine requesting the information. Daemons are servers that wait for user requests.

12 Name Service The conversion from a name to an address is handed by a domain name server (DNS). UDP is used, so a workstation may need to make multiple requests. In UNIX systems, DNS is usually handled by bind. Alternatives: NIS NetInfo DCE

13 21 ftp 23 telnet 25 smtp 42 nameserver 43 whois 79 finger 80 http 109, 110 pop 113 auth 119 nntp TCP Services

14 Encryption Secures electronic communications by converting data to a form that a third party cannot read. Basic to modern computer security Protects against disclosure Authenticates identity of a user Discloses unauthorized tampering

15 Limitations of Encryption Does not protect against deletion Trapdoors may exist in the encryption program Data can be accessed when not encrypted. Encryption can be broken. Keys can be weak.

16 Definition Encryption is a process by which plaintext is transformed into ciphertext using a mathematical function and a key. Decryption is the reverse. The key is so important in this process that it should be backed up in a secure place. The longer the key, the stronger the encryption.

17 Private and Public Key Cryptography In private key (symmetric) cryptography, the same key is used for encryption and decryption. The key must be protected. In public key (asymmetric) cryptography, different keys are used and one cannot be deduced from the other. Only one of the keys is protected; the other is made public. In hybrid systems, a private session key is exchanged using public key cryptography. This is the usual approach.

18 Private Key Systems ROT13 (very insecure) Crypt (insecure) DES (and Triple DES) RC2 RC4 RC5 IDEA Skipjack (Clipper chip)

19 Public Key Systems Diffie-Hellman RSA ElGamal DSA

20 Cryptographic Checksums and Digital Signatures Used for: Integrity checking Authentication Enforcing non-repudiation Message digests allow the authentication of digital documents. Digital signatures have the same legal status as a written signature

21 Digest Algorithms MD2, MD4, and MD5 SHA HAVAL SNEFRU

22 UNIX Security Programs crypt des pgp

23 Advice on Encryption Cryptography is fiendishly difficult to do right. Even the systems designed by experts fail regularly. It doesn t matter how clever you are, or how much experience you have in other fields. (Ferguson and Schneier, 2003, Practical Cryptography, Wiley) So don t design your own cryptographic system leave it to the experts. In particular, don t design a cryptographic system for a final-year or masters project!

24 TCP/IP Security Risks include: Sniffers IP spoofing Connection hijacking Data spoofing

25 Causes of Weak Internet Security Underestimation of the hostility of the internet environment Overriding importance of message/packet transfer Evolution

26 Alternatives Encrypt the link Protect the link Encrypt the packets Encrypt the message Encrypt the session