Security WILEY. Wireless Mobile Internet. Second Edition. Man Young Rhee. Endowed Chair Professor, Kyung Hee University

Transcription

1 Wireless Mobile Internet Security Second Edition Man Young Rhee Endowed Chair Professor, Kyung Hee University Professor Emeritus, Hanyang University, Republic of Korea WILEY A John Wiley & Sons. Ltd., Publication

2 Contents Preface About the Author Acknowledgments xiii xxi xxiii 1 Internetworking and Layered Models Networking Technology Local Area Networks (LANs) Wide Area Networks (WANs) Connecting Devices Switches Repeaters Bridges Routers Gateways The OSI Model TCP/IP Model Network Access Layer Internet Layer Transport Layer Application Layer 14 2 TCP/IP Suite and Internet Stack Protocols Network Layer Protocols Internet Protocol (IP) Address Resolution Protocol (ARP) Reverse Address Resolution Protocol (RARP) Classless Interdomain Routing (CIDR) IP Version 6 (IPv6 or IPng) Internet Control Message Protocol (ICMP) Internet Group Management Protocol (IGMP) Transport Layer Protocols Transmission Control Protocol (TCP) User Datagram Protocol (UDP) 44

3 vi CONTENTS 2.3 World Wide Web Hypertext Transfer Protocol (HTTP) Hypertext Markup Language (HTML) Common Gateway Interface (CGI) Java File Transfer File Transfer Protocol (FTP) Trivial File Transfer Protocol (TFTP) Network File System (NFS) Simple Mail Transfer Protocol (SMTP) Post Office Protocol Version 3 (POP3) Internet Message Access Protocol (IMAP) Multipurpose Internet Mail Extension (MIME) Network Management Service Simple Network Management Protocol (SNMP) Converting IP Addresses Domain Name System (DNS) Routing Protocols Routing Information Protocol (RIP) Open Shortest Path First (OSPF) Border Gateway Protocol (BGP) Remote System Programs TELNET Remote Login (Rlogin) Social Networking Services Facebook Twitter Linkedin Groupon Smart IT Devices Smartphones Smart TV Video Game Console Network Security Threats Worm Virus DDoS Internet Security Threats Phishing SNS Security Threats Computer Security Threats Exploit Password Cracking Rootkit 60

4 CONTENTS vii Trojan Horse Keylogging Spoofing Attack Packet Sniffer Session Hijacking 62 3 Global Trend of Mobile Wireless Technology G Cellular Technology AMPS (Advanced Mobile Phone System) NMT (Nordic Mobile Telephone) TACS (Total Access Communications System) G Mobile Radio Technology CDPD (Cellular Digital Packet Data), North American Protocol GSM (Global System for Mobile Communications) TDMA-136 or IS iden (Integrated Digital Enhanced Network) cdmaone IS-95A PDC (Personal Digital Cellular) i-mode WAP (Wireless Application Protocol) G Mobile Radio Technology ECSD (Enhanced Circuit-Switched Data) HSCSD (High-Speed Circuit-Switched Data) GPRS (General Packet Radio Service) EDGE (Enhanced Data rate for GSM Evolution) cdmaone IS-95B G Mobile Radio Technology (Situation and Status of 3G) UMTS (Universal Mobile Telecommunication System) HSDPA (High-Speed Downlink Packet Access) CDMA2000 lx CDMA2000 lxev (lx Evolution) CDMA2000 lxev-do (lx Evolution Data Only) CDMA2000 lxev-dv (lx Evolution Data Voice) G UMTS Security-Related Encryption Algorithm KASUMI Encryption Function 75 4 Symmetric Block Ciphers Data Encryption Standard (DES) Description of the Algorithm Key Schedule DES Encryption DES Decryption Triple DES DES-CBC Cipher Algorithm with IV

5 viii CONTENTS 4.2 International Data Encryption Algorithm (IDEA) Subkey Generation and Assignment IDEA Encryption IDEA Decryption RC5 Algorithm Description of RC Key Expansion Encryption Decryption RC6 Algorithm Description of RC Key Schedule Encryption Decryption AES (Rijndael) Algorithm Notational Conventions Mathematical Operations AES Algorithm Specification Hash Function, Message Digest, and Message Authentication Code DMDC Algorithm Key Schedule Computation of Message Digests Advanced DMDC Algorithm Key Schedule Computation of Message Digests MD5 Message-Digest Algorithm Append Padding Bits Append Length Initialize MD Buffer Define Four Auxiliary Functions (F, G, H, I) FF, GG, HH, and II Transformations for Rounds 1, 2, 3, and Computation of Four Rounds (64 Steps) Secure Hash Algorithm (SHA-1) Message Padding Initialize 160-bit Buffer Functions Used Constants Used Computing the Message Digest Hashed Message Authentication Codes (HMAC) Asymmetric Public-Key Cryptosystems Diffie-Hellman Exponential Key Exchange RSA Public-Key Cryptosystem 207

6 CONTENTS ix RSA Encryption Algorithm RSA Signature Scheme ElGamal's Public-Key Cryptosystem ElGamal Encryption ElGamal Signatures ElGamal Authentication Scheme Schnorr's Public-Key Cryptosystem Schnorr's Authentication Algorithm Schnorr's Signature Algorithm Digital Signature Algorithm The Elliptic Curve Cryptosystem (ECC) Elliptic Curves Elliptic Curve Cryptosystem Applied to the ElGamal Algorithm Elliptic Curve Digital Signature Algorithm ECDSA Signature Computation Public-Key Infrastructure Internet Publications for Standards Digital Signing Techniques Functional Roles of PKI Entities Policy Approval Authority Policy Certification Authority Certification Authority Organizational Registration Authority Key Elements for PKI Operations Hierarchical Tree Structures Policy-Making Authority Cross-Certification X.500 Distinguished Naming Secure Key Generation and Distribution X.509 Certificate Formats X.509 vl Certificate Format X.509 v2 Certificate Format X.509 v3 Certificate Format Certificate Revocation List CRL Fields CRL Extensions CRL Entry Extensions Certification Path Validation Basic Path Validation Extending Path Validation Network Layer Security 8.1 IPsec Protocol

7 X CONTENTS IPsec Protocol Documents Security Associations (SAs) Hashed Message Authentication Code (HMAC) IP Authentication Header AH Format AH Location IP ESP ESP Packet Format ESP Header Location Encryption and Authentication Algorithms Key Management Protocol for IPsec OAKLEY Key Determination Protocol ISAKMP Transport Layer Security: SSLv3 and TLSvl SSL Protocol Session and Connection States SSL Record Protocol SSL Change Cipher Spec Protocol SSL Alert Protocol SSL Handshake Protocol Cryptographic Computations Computing Converting the Master Secret into Cryptographic the Master Secret 338 Parameters TLS Protocol HMAC Algorithm Pseudo-random Function Error Alerts Certificate Verify Message Finished Message Cryptographic Computations (for TLS) Electronic Mail Security: PGP, S/MIME PGP Confidentiality via Encryption Authentication via Digital Signature Compression Radix-64 Conversion Packet Headers PGP Packet Structure Key Material Packet Algorithms for PGP 5.x S/MIME MIME S/MIME 379

8 CONTENTS xi Enhanced Security Services for S/MIME Internet Firewalls for Trusted Systems Role of Firewalls Firewall-Related Terminology Bastion Host Proxy Server SOCKS Choke Point Demilitarized Zone (DMZ) Logging and Alarms VPN Types of Firewalls Packet Filters Circuit-Level Gateways Application-Level Gateways Firewall Designs Screened Host Firewall (Single-Homed Bastion Host) Screened Host Firewall (Dual-Homed Bastion Host) Screened Subnet Firewall IDS Against Cyber Attacks Internet Worm Detection Computer Special Kind of Viruses 403 Virus Intrusion Detections Systems Network-Based Intrusion Detection System (NIDS) Wireless Intrusion Detection System (WIDS) Network Behavior Analysis System (NBAS) Host-Based Intrusion Detection System (HIDS) Signature-Based Systems Anomaly-Based Systems Evasion Techniques of IDS Systems SET for E-Commerce Transactions Business Requirements for SET SET System Participants Cryptographic Operation Principles Dual Signature and Signature Verification Authentication and Message Integrity Payment Processing Cardholder Registration Merchant Registration Purchase Request Payment Authorization Payment Capture 437

9 xii CONTENTS 13 4G Wireless Internet Communication Technology Mobile WiMAX Mobile WiMAX Network Architecture Reference Points in WiMAX Network Reference Model (NRM) Key Supporting Technologies Comparison between Mobile WiMAX Network and Cellular Wireless Network WiBro (Wireless Broadband) WiBro Network Architecture Key Elements in WiBro System Configuration System Comparison between HSDPA and WiBro Key Features on WiBro Operation UMB (Ultra Mobile Broadband) Design Objectives of UMB Key Technologies Applicable to UMB UMB IP-Based Network Architecture Conclusive Remarks LTE (Long Term Evolution) LTE Features and Capabilities LTE Frame Structure LTE Time-Frequency Structure for Downlink LTE SC-FDMA on Uplink LTE Network Architecture Key Components Supporting LTE Design Concluding Remarks 464 Acronyms 467 Bibliography 473 Index 481