SSH Technology White Paper
|
|
- Kerry Lenard Cain
- 7 years ago
- Views:
Transcription
1 SSH Technology White Paper Keywords: SSH, SFTP, RSA, DSA, DES, AES, AAA Abstract: Secure Shell (SSH) offers an approach to logging into a remote device securely and performing secure file transfer. By encryption and authentication mechanisms, it protects devices against attacks such as plain text password interception and server spoofing. This document provides the background, security mechanisms, operation procedures, and applications of SSH as well as the technical characteristics of the Comware implementation. Acronyms: Acronym Full spelling AAA AES DES DSA FTP MAC RSA SFTP SSH Stelnet Authentication, Authorization, Accounting Advanced Encryption Standard Data Encryption Standard Digital Signature Algorithm File Transfer Protocol Message Authentication Code Rivest Shamir and Adleman Secure File Transfer Protocol Secure Shell Secure Telnet Hangzhou H3C Technologies Co., Ltd. 1/16
2 Table of Contents Overview 3 Background 3 Benefits 3 Protocol Architecture 4 SSH Transport Layer Protocol 4 SSH Authentication Layer Protocol 4 SSH Connection Layer Protocol 4 Security Mechanisms 5 Ensuring the Confidentiality of Transmitted Data 5 Using Encrypted Channel to Protect Data Against Eavesdropping 5 Using Key Exchange Algorithm to Ensure Security of Keys 5 Perfect User Authentication Mechanism 6 Password Authentication 6 Public Key Authentication 8 Password-Publickey Authentication 8 Defense Against Server Spoofing 9 Operation of SSH 10 Connection Setup 10 SSH Version Negotiation 10 Algorithm Negotiation 10 Key Exchange 11 User Authentication 11 Service Request 13 Data Transmission and Connection Teardown 13 Technical Characteristics 13 Supporting Two Applications 13 SSH 14 SFTP 14 First-Time Authentication 14 Password-Publickey Authentication 14 Application Scenario 14 References 15 Hangzhou H3C Technologies Co., Ltd. 2/16
3 Overview Background Before SSH emerged, the most popular protocol used in network device management was Telnet. The Telnet protocol allows network administrators to log into remote network devices to perform configurations, implementing easy management of remote network devices. However, Telnet has three fatal weaknesses: Telnet transmits data in plain text, providing no protection for data transmitted. Telnet uses the traditional password authentication mechanism and transmits user authentication information over the network in plain text, making it easy to be eavesdropped. A Telnet client has no way to identify the identity of the Telnet server, namely the remote device. Attackers can easily initiate server spoofing attacks. SSH was introduced to solve all the previously mentioned problems. Another popular protocol, File Transfer Protocol (FTP), also faces the similar problems, and the protocol introduced to solve these problems is Secure File Transfer Protocol (SFTP), which is based on SSH. Benefits Secure Shell (SSH) offers an approach to logging into a remote device securely and performing secure file transfer. By using encryption and authentication mechanisms, it protects devices against attacks such as plain text password interception and server spoofing. SSH features the following advantages: SSH transmits data in cipher text, ensuring the confidentiality of the information exchanged. SSH transmits user authentication information in cipher text, efficiently avoiding user identity information eavesdropping. In addition to the traditional password authentication, an SSH server provides multiple user authentication methods (for example, public key authentication, which features higher security) to improve the strength of user authentication. The encryption and decryption keys for communication between SSH servers and SSH clients are dynamically generated in dynamic key exchange processes. Such keys are very hard to get cracked and have much higher security than manually configured keys. SSH clients can authenticate the identities of their servers, avoiding being spoofed by pseudo servers. Hangzhou H3C Technologies Co., Ltd. 3/16
4 Protocol Architecture Figure 1 Protocol architecture SSH client SSH server Application layer Application layer Connection layer protocol SSH protocol layer Transport layer Authentication layer protocol Transport layer protocol TCP connection or connection of another type SSH protocol layer Transport layer As shown in Figure 1, the SSH protocol uses the client/server model and consists of three layers: transport layer, authentication layer, and connection layer. SSH Transport Layer Protocol The SSH transport layer protocol is used to establish a secure, encrypted channel between the server and client, and to provide confidentiality for phases that require higher transmission security, such as the user authentication phase and data exchange phase. The SSH transport layer protocol supports these functions: Checking data reality Checking data integrity Allowing the client to authenticate the server. The SSH transport layer protocol typically runs on top of TCP/IP (the well-known port number of the server side is 22). It can also runs over any other type of reliable connection. SSH Authentication Layer Protocol The SSH authentication layer protocol runs over the SSH transport layer protocol to allow the server to authenticate clients logging in. SSH Connection Layer Protocol The SSH connection layer protocol divides an encrypted channel into multiple logical channels to run different applications. It operates on top of the authentication layer protocol to provide services such as interactive sessions and remote execution of commands. Hangzhou H3C Technologies Co., Ltd. 4/16
5 Security Mechanisms Ensuring the Confidentiality of Transmitted Data To solve the flaw of plain data transmission in Telnet and ensure the confidentiality of data transmission, SSH takes these measures: Establishing an encrypted channel between two peers to ensure that data is not eavesdropped during transmission. Using key exchange algorithms to guarantee the security of keys. Using Encrypted Channel to Protect Data Against Eavesdropping With an encrypted channel, the sender encrypts data through the encryption key before transmitting the data to the receiver, and the receiver decrypts the received data through the decryption key. There are two types of encryption/decryption algorithms: Symmetric algorithm: The encryption process and decryption process use the same key and algorithm. Asymmetric algorithm: The encryption process and decryption process use different keys, the public key and the private key respectively, where the private key is kept secret by the client. As asymmetric algorithms usually take more time, they are usually used for digital signature and identity authentication. Encryption and decryption on an SSH channel are mainly implemented by symmetric algorithms. Currently supported algorithms include Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES). These algorithms can effectively prevent eavesdropping and, using initialization vector (IV) for protection, prevent attacks from password analyzing tools, such as reused key attack. Using Key Exchange Algorithm to Ensure Security of Keys A symmetric algorithm requires that the decryption key be the same as the encryption key to decrypt ciphered data successfully. Therefore, to establish an encrypted channel, two peers must have the same key. Manual configuration and third-party assignment are two of the methods for deploying keys. The former has the disadvantage of low extensibility, and therefore applies to only small local networks. The latter requires an extra third-party server and keys may be eavesdropped during transmission. SSH supports using a key exchange algorithm to deploy keys. By a key exchange algorithm, two peers can dynamically generate their key, which only the two peers can obtain and no one else can eavesdrop. This ensures the security of keys and solves the deployment problem. Here is how a key exchange algorithm works: 1) The client generates a random number Xc (1<Xc<p-1) as the private key, calculates Yc=g^Xc mod p, and sends Yc to the server. Here, p is a large safe prime, and g is a generator for a subgroup of GF(p). P and G are a pair of parameters that the two peers share. The SSH protocol allows the two peers to negotiate the values of p and g. Hangzhou H3C Technologies Co., Ltd. 5/16
6 2) The server also generates a random number Xs (1<Xs<p-1), calculates Ys=g^Xs mod p, and sends Ys to the client. 3) When the server receives Yc from the client, it uses the following formula to calculate the key: K=(Yc)^Xs mod p 4) When the client receives Ys from the server, it uses the following formula to calculate the key: K=(Ys)^Xc mod p Now, the client and server have the same key. As the previous procedure shows, security of a key exchange algorithm depends on the difficulty of the discrete logarithm. In expression Y=g^x mod p, it is easy to calculate Y with x, but it is very difficult to calculate x with Y. In a key exchange algorithm, only p, g, Yc, and Ys are public, Xc and Xs are private. Even if a third-party obtains p, g, Yc, and Ys, it is very difficult to calculate Xc and Xs. In this way, security of keys is ensured. Key exchange algorithms feature the following advantages: Better extensibility and no manual configuration. Keys are saved in memory and hard to be read or tampered. Each connection generates a new key dynamically. Thus, key security is further improved. Safe Prime and generator are terms in discrete mathematics. For detailed inforamtion, refer to relevant materials. Perfect User Authentication Mechanism To prevent illegal users from logging into network devices to perform destructive configurations, SSH provides multiple user authentication methods to improve the strength of user authentication. In addition to commonly used user authentication methods including password authentication and public key authentication, the Comware V5 platform offers a new authentication method, that is, password-publickey authentication. Password Authentication SSH can employ the authentication function provided by the Authentication, Authorization, and Accounting (AAA) architecture to implement password authentication of users. Depending on the authentication policy used by AAA, password authentication can be local or remote. Hangzhou H3C Technologies Co., Ltd. 6/16
7 Local authentication Figure 2 Network diagram for local authentication With local authentication, user information is saved on the SSH server and authentication of clients is performed locally. As shown in Figure 2, an administrator wants to log in to the gateway of the community remotely to perform configuration. The gateway acts as the SSH server and authenticates the client by using the user information saved in the local user information database of AAA. Remote authentication Figure 3 Network diagram for remote authentication Community network Gateway Internet Internet SSH server RADIUS server Network management station SSH client With remote authentication, user information is saved on a remote authentication server such as a RADIUS server, and the network device cooperates with the authentication server to authenticate users. As shown in Figure 3, an administrator wants to log into the gateway of the community remotely to perform configuration. The gateway acts as the SSH server and forwards the authentication information of the client to the RADIUS server for authentication. Then, it determines whether to permit the user by the authentication result from the RADIUS server. Remote authentication features centralized configuration and management of users, which not only facilitates user management, but also improves user information security. However, this Hangzhou H3C Technologies Co., Ltd. 7/16
8 authentication mode requires that the connection between the SSH server and the authentication server is absolutely secure. Public Key Authentication As the strength of password authentication is relatively low, the SSH protocol supports public key authentication. Currently, the device supports using RSA and DSA asymmetric key algorithms to implement public key authentication. The public key authentication process goes through two steps: 1) Public key authentication: The client sends the public key of its key pair as a string to the server. The server compares the received public key of the client against that locally maintained, thereby checking the validity of the public key. 2) Digital signature authentication: If the public key authentication succeeds, the client uses the private key of its key pair to perform digest calculation of a specific packet and then sends the result, namely the digital signature, to the server to prove its identity. The server uses the locally maintained public key of the client to authenticate the signature of the client. If either of the public key authentication and digital signature authentication fails, the authentication of the user fails. Public key authentication features these advantages: High authentication strength, protecting the system against attacks such as password crack. Easier to use. Once configured, the authentication can go on automatically, without requiring users to provide passwords. However, public key authentication also has disadvantages: Compared with password authentication, public key authentication is more complex to be configured. Public authentication can only distinguish users by their private keys. To implement more granular security control, every user must have a private key and the server must be configured with the public key of every user. This is obviously neither proper nor necessary for scenarios where multiple users use the same terminal to log in. Password-Publickey Authentication The Comware V5 platform defines a new authentication method: password-publickey authentication. This method requires that users must pass both public key authentication and password authentication. The password-publickey authentication method combines the advantages of password authentication and public key authentication: It requires that users must pass both password authentication and public key authentication, and therefore can provide higher security. By binding the password with the public key, this method can prevent the security risks of a SSH client from affecting the security of the SSH server. This method allows you to configure a single key pair for a group of users, and specify different passwords and authorize different rights for the users, facilitating user management. Hangzhou H3C Technologies Co., Ltd. 8/16
9 This method not only makes use of the security of public key authentication, but also reduces the cost in saving and configuring keys. With public key authentication, you need to configure one key pair for every user to implement more granular user authentication. With passwordpublickey authentication, however, you can configure multiple users to share the same key pair. This method can corporate with the existing Comware V5 feature of AAA to use the various functions of remote servers. Defense Against Server Spoofing The user authentication mechanisms allow the server to authenticate its clients but provide no way for clients to authenticate the server, leaving attackers the chance to disguise themselves as the server. Figure 4 Server spoofing As shown in Figure 4, when a client tries to establish a connection with the server, an attacker may disguise itself as the server to interact with client to obtain the identity information of the client. Then, the attacker may use the identity information of the client to log into the real server, so as to access the resources on the server or attack the server. To prevent such attacks, SSH enables the clients to authenticate the server. In the key exchange phase, the server uses its private key to add a digital signature to some data in a fixed format and sends the signature to the client. The client uses the locally saved public key of the server to authenticate the signature, so as to authenticate the server. This mechanism for a client to authenticate the server assumes that the server side public key that the client keeps is really the server s public key. Therefore, it is critical to guarantee that the client obtains the right server side public key. Currently, Comware V5 provides two methods for obtaining the public key of a server. Manual configuration: You can manually configure the public key of a server on a client and associate the public key with the server s name. First-time authentication: During SSH protocol interactions, the sever sends its public key through a protocol packet to the client. Based on this, Comware V5 allows you to enable firsttime authentication on SSH clients. With first-time authentication, when an SSH client not configured with the server s public key accesses the server for the first time, it can get the Hangzhou H3C Technologies Co., Ltd. 9/16
10 server s public key from the protocol packet and save the key locally for future use. For details, refer to First-Time Authentication. Operation of SSH SSH packet exchange goes through these phases: Connection Setup SSH Version Negotiation Algorithm Negotiation Key Exchange User Authentication Service Request Data Transmission and Connection Teardown Connection Setup The SSH server listens to connection requests from clients on port 22. After detecting a connection request, it performs three handshake operations to establish a TCP connection. All subsequent packet exchanges will go on over this TCP connection. SSH Version Negotiation After the TCP connection is established, the server and client notify each other of the supported SSH version and compare the peer s version with its own version. The highest version that both the server and client support will be used. SSH1.99 is a specical version in that it can commumucate with both SSH2.0 and SSH1.5. If the version negotiation is successful, the server and the client proceed with algorithm negotiation; otherwise, the server breaks the TCP connection. Algorithm Negotiation Exchange of SSH protocol packets require multiple algorithms: Key exchange algorithm for generating the session key, which can be Diffie-Hellman-groupexchange-SHA1, Diffie-Hellman-group1-SHA1, or Diffie-Hellman-group14-SHA1. Encryption algorithm for data encryption, which can be 3DES-CBC, AES128-CBC, or DES- CBC. Host public key algorithm for digital signature and authentication, which can be RSA or DSA. Message Authentication Code (MAC) algorithm for protecting data integrity, which can be HMAC-MD5, MHAC-MD5-96, HMAC-SHA1 or HMAC-SHA1-96. Hangzhou H3C Technologies Co., Ltd. 10/16
11 As different clients and servers may support different algorithms, a client and its server need to negotiate the algorithms to be used. The algorithm negotiation goes through three steps: 1) The client and server send a list of the supported algorithms to each other. 2) The two peers negotiate each type of algorithm in this procedure: Get the first algorithm of the type from the client s algorithm list and match it against the server s algorithm list. If a match is found, negotiation of the algorithm type succeeds and the matching process ends. Otherwise, get the next algorithm of the type from the client s algorithm list and match it against the server s algorithm list. This process continues until a match is found or the peers find that they have no algorithm of the type in common, in which case negotiation of the algorithm type fails. 3) If the negotiation of an algorithm type succeeds, the peers continue to negotiate other types of algorithms. If the negotiation of any algorithm type fails, the algorithm negotiation between the peers are considered a failure and the server will break the connection with the client. The following table takes the encryption algorithm as an example to show the algorithm negotiation process: Encryption algorithms that the client supports 3DES, 3DES-CBC, AES128- CBC Encryption algorithms that the server supports AES128-CBC, 3DES-CBC, DES-CBC Negotiated encryption algorithm 3DES-CBC Key Exchange After the algorithm negotiation process ends successfully, the SSH server and client generate and exchange the encryption key dynamically and securely to ensure the security of the key. This can prevent the key from being intercepted by any third-party. For details about key exchange algorithm, refer to Using Key Exchange Algorithm to Ensure Security of Keys. User Authentication After the key exchange process is complete, the user authentication process begins. Hangzhou H3C Technologies Co., Ltd. 11/16
12 Figure 5 User authentication process As shown in Figure 5, the user authentication procedure is as follows: 1) The client sends to the server an authentication request packet, which specifies the authentication method of none. 2) When receiving the authentication request, the server responds with an authentication challenge packet, which carries a list of the authentication methods that it supports and the client must pass. 3) The client selects an authentication method from the list and initiates an authentication request, which carries its username, authentication method, and information relevant to the authentication method: For password authentication, the information is the client s password. For public key authentication, the information is the public key of the client s local key pair (during public key authentication) or the digital signature (during digital signature authentication). 4) When the server receives the authentication request, it authenticates the client: For password authentication, the server compares the username and password of the client with those locally maintained or sends them to the remote authentication server to authenticate the client. For public key authentication, the server checks the validity of the public key of the client. If the public key is invalid, the authentication fails; otherwise, the server checks the validity of the digital signature to authenticate the client. 5) Based on the locally maintained configurations of the client and whether the client has passed the previous authentication, the server determines whether to authenticate the client further: If the client passed the last authentication and no other type of authentication is required for the client, the server sends to the client a success notification. If the client passed the last authentication but must pass other types of authentication, the server sends to the client an authentication challenge that carries the authentication types that the client must also pass. If the client failed the last authentication but the number of authentication attempts has not reached the limit, the server resends the authentication challenge to the client. Hangzhou H3C Technologies Co., Ltd. 12/16
13 If the client failed the last authentication and the number of authentication attempts has reached the limit, the server sends to the client an authentication failure notification and tears down the connection with the client. An authentication challenge carries a list of the authentication types that the client has not passed and must pass. Upon receiving an authentication challenge, the client selects one authenticaiton type and initiates the authentication. Service Request SSH supports multiple services. After the SSH client passes all types of authentication that the server requires, it sends a service request to the server to apply for a service. The following details the service request procedure: 1) The client sends an SSH_MSG_CHANNEL_OPEN message to initiate a session with the server. 2) Upon receiving the SSH_MSG_CHANNEL_OPEN message, the server responds with an SSH_MSG_CHANNEL_OPEN_CONFIRMATION message to establish a session with the client if it supports the requested session type. 3) After the session is established, the client applies for the shell (SSH) or subsystem (SFTP) service. Data Transmission and Connection Teardown After the service request is granted and the session is established, the server and client can exchange data securely through the session as follows: 1) The client encrypts and sends the command to be executed to the server. 2) Upon receiving the packet, the server decrypts the packet, executes the command, and sends the result to the client. 3) The client displays the result on the screen. 4) After the communication is over or the client is timed out for it has been idle for too long, the session is closed and connection is torn down. Technical Characteristics Supporting Two Applications Currently, Comware V5 supports two types of SSH applications: SSH and SFTP. Hangzhou H3C Technologies Co., Ltd. 13/16
14 SSH In Comware V5, Stelnet is often referred to as SSH. Using the secure channel provided by the SSH protocol, Stelnet implements secure remote access to network devices. Stelnet is one of the basic applications of SSH. Currently, Comware V5 provides both the SSH client and SSH server features, where the SSH client is based on SSH2.0, while the SSH server supports both SSH1.5 and SSH2.0. As SSH1.5 and SSH2.0 are not compatible, a device running the Comware SSH client can communicate with only a server running SSH2.0, but a device running the Comware SSH server can communicate with clients running SSH1.5 or SSH2.0. SFTP SFTP uses the SSH connection to provide secure data transfer. It is an important, extended SSH application. Currently, Comware V5 provides both the SFTP client and SFTP server features First-Time Authentication To allow an SSH client to authenticate a server, the Comware provides two ways for the client to obtain the server s public key: manually configuring the server s public key on the client or configuring the client to obtain the server s public key when accessing the server for the first time. The latter is called the first-time authentication feature. Without first-time authentication, a client not configured with the server s public key cannot access the server because it cannot authenticate the server. To access the server, the client must be configured with the server s public key manually in advance. With first-time authentication, when an SSH client not configured with the server public key accesses the server for the first time, it can obtain the server s public key from the protocol packet and save the key locally. When accessing the server again, the client will use the locally saved server public key to authenticate the server. Password-Publickey Authentication Comware defines a new authentication method called password-publickey authentication. For details, refer to Password-Publickey Authentication. Application Scenario SSH is used on insecure networks to support applications such as secure remote access and file operations by implementing a series of encryption and authentication mechanisms. As shown in Figure 6 and Figure 7, the SSH client can access the SSH server securely through a local connection or WAN connection established with the SSH server. Hangzhou H3C Technologies Co., Ltd. 14/16
15 Figure 6 SSH channel through a local connection Figure 7 SSH channel through a WAN connection Laptop Host A Local LAN Router Server SSH client WAN Laptop Host B Remote LAN SSH server Host C Server References RFC 4251: The Secure Shell (SSH) Protocol Architecture RFC 4252: The Secure Shell (SSH) Authentication Protocol RFC 4253: The Secure Shell (SSH) Transport Layer Protocol RFC 4254: The Secure Shell (SSH) Connection Protocol Hangzhou H3C Technologies Co., Ltd. 15/16
16 Copyright 2009 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice. Hangzhou H3C Technologies Co., Ltd. 16/16
Portal Authentication Technology White Paper
Portal Authentication Technology White Paper Keywords: Portal, CAMS, security, authentication Abstract: Portal authentication is also called Web authentication. It authenticates users by username and password
More informationSSL VPN Technology White Paper
SSL VPN Technology White Paper Keywords: SSL VPN, HTTPS, Web access, TCP access, IP access Abstract: SSL VPN is an emerging VPN technology based on HTTPS. This document describes its implementation and
More informationChapter 17. Transport-Level Security
Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics
More informationClient Server Registration Protocol
Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are
More informationH3C SSL VPN RADIUS Authentication Configuration Example
H3C SSL VPN RADIUS Authentication Configuration Example Copyright 2012 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by
More informationSSL A discussion of the Secure Socket Layer
www.harmonysecurity.com info@harmonysecurity.com SSL A discussion of the Secure Socket Layer By Stephen Fewer Contents 1 Introduction 2 2 Encryption Techniques 3 3 Protocol Overview 3 3.1 The SSL Record
More informationSecurity. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1
Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions
More informationAccellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.
Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0 Accellion, Inc. December 24, 2009 Copyright Accellion, Inc. 2009. May be reproduced only in its original entirety
More informationSecure Shell SSH provides support for secure remote login, secure file transfer, and secure TCP/IP and X11 forwarding. It can automatically encrypt,
Secure Shell SSH provides support for secure remote login, secure file transfer, and secure TCP/IP and X11 forwarding. It can automatically encrypt, authenticate, and compress transmitted data. The main
More informationNetwork Security Essentials Chapter 5
Network Security Essentials Chapter 5 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 5 Transport-Level Security Use your mentality Wake up to reality From the song, "I've Got
More informationDDoS Protection Technology White Paper
DDoS Protection Technology White Paper Keywords: DDoS attack, DDoS protection, traffic learning, threshold adjustment, detection and protection Abstract: This white paper describes the classification of
More informationSSH Secure Shell. What is SSH?
Security, like correctness, is not an add-on feature. -- Andrew S. Tanenbaum SSH Secure Shell - - Binary Packet Protocol - key exchange - server authentication - - SSH Connection Protocol What is SSH?
More informationIPsec Details 1 / 43. IPsec Details
Header (AH) AH Layout Other AH Fields Mutable Parts of the IP Header What is an SPI? What s an SA? Encapsulating Security Payload (ESP) ESP Layout Padding Using ESP IPsec and Firewalls IPsec and the DNS
More informationCS 348: Computer Networks. - Security; 30 th - 31 st Oct 2012. Instructor: Sridhar Iyer IIT Bombay
CS 348: Computer Networks - Security; 30 th - 31 st Oct 2012 Instructor: Sridhar Iyer IIT Bombay Network security Security Plan (RFC 2196) Identify assets Determine threats Perform risk analysis Implement
More informationNetwork Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide
Network Security [2] Public Key Encryption Also used in message authentication & key distribution Based on mathematical algorithms, not only on operations over bit patterns (as conventional) => much overhead
More informationChapter 7 Transport-Level Security
Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Security Socket Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell
More informationCRYPTOGRAPHY IN NETWORK SECURITY
ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIEN-CHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can
More informationTransport Layer Security Protocols
SSL/TLS 1 Transport Layer Security Protocols Secure Socket Layer (SSL) Originally designed to by Netscape to secure HTTP Version 2 is being replaced by version 3 Subsequently became Internet Standard known
More informationSecure Sockets Layer
SSL/TLS provides endpoint authentication and communications privacy over the Internet using cryptography. For web browsing, email, faxing, other data transmission. In typical use, only the server is authenticated
More information7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?
7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk
More informationSecuring Ship-to-Shore Data Flow
Securing Ship-to-Shore Data Flow Background on Common File Transfer Methods Today corporations, government entities, and other organizations rely on Electronic File Transfers as an important part of their
More informationBandwidth Management Technology White Paper
Bandwidth Management Technology White Paper Keyword: Bandwidth management, segment-based bandwidth management, user-based bandwidth management, service-based bandwidth management, connection-based bandwidth
More informationSecure Data Transfer
Secure Data Transfer INSTRUCTIONS 3 Options to SECURELY TRANSMIT DATA 1. FTP 2. WinZip 3. Password Protection Version 2.0 Page 1 Table of Contents Acronyms & Abbreviations...1 Option 1: File Transfer Protocol
More informationCIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives
CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash
More informationOverview SSL/TLS HTTPS SSH. TLS Protocol Architecture TLS Handshake Protocol TLS Record Protocol. SSH Protocol Architecture SSH Transport Protocol
SSL/TLS TLS Protocol Architecture TLS Handshake Protocol TLS Record Protocol HTTPS SSH SSH Protocol Architecture SSH Transport Protocol Overview SSH User Authentication Protocol SSH Connection Protocol
More informationVPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu
VPN Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu What is VPN? A VPN (virtual private network) is a private data network that uses public telecommunicating infrastructure (Internet), maintaining
More informationDRAFT Standard Statement Encryption
DRAFT Standard Statement Encryption Title: Encryption Standard Document Number: SS-70-006 Effective Date: x/x/2010 Published by: Department of Information Systems 1. Purpose Sensitive information held
More informationIPS Attack Protection Configuration Example
IPS Attack Protection Configuration Example Keywords: IPS Abstract: This document presents a configuration example for the attack protection feature of the IPS devices. Acronyms: Acronym Full spelling
More informationConfiguring CSS Remote Access Methods
CHAPTER 11 Configuring CSS Remote Access Methods This chapter describes how to configure the Secure Shell Daemon (SSH), Remote Authentication Dial-In User Service (RADIUS), and the Terminal Access Controller
More informationCornerstones of Security
Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to
More informationLab 2.5.2a Configure SSH
Lab 2.5.2a Configure SSH Objective Scenario Topology In this lab, the students will complete the following tasks: Configuring a router as a Secure Shell (SSH) server Version 1. Install and configure a
More informationNetwork Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23
Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest
More informationFL EDI SECURE FTP CONNECTIVITY TROUBLESHOOTING GUIDE. SFTP (Secure File Transfer Protocol)
FL EDI SECURE FTP CONNECTIVITY TROUBLESHOOTING GUIDE This troubleshooting guide covers secure file transfers using the SFTP file transfer protocols for Claims, POC, and Medical EDI transmissions. SFTP
More informationSecure Network Communications FIPS 140 2 Non Proprietary Security Policy
Secure Network Communications FIPS 140 2 Non Proprietary Security Policy 21 June 2010 Table of Contents Introduction Module Specification Ports and Interfaces Approved Algorithms Test Environment Roles
More informationTransport Level Security
Transport Level Security Overview Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/
More informationSecure Shell (SSH) Protocol
Vanguard Applications Ware IP and LAN Feature Protocols Secure Shell (SSH) Protocol Notice 2008 Vanguard Networks 25 Forbes Blvd. Foxboro, MA 02035 (508) 964-6200 All rights reserved Printed in U.S.A.
More informationRelease: 1. ICANWK502A Implement secure encryption technologies
Release: 1 ICANWK502A Implement secure encryption technologies ICANWK502A Implement secure encryption technologies Modification History Release Release 1 Comments This Unit first released with ICA11 Information
More informationIntroduction to Security and PIX Firewall
Introduction to Security and PIX Firewall Agenda Dag 28 Föreläsning LAB PIX Firewall VPN A Virtual Private Network (VPN) is a service offering secure, reliable connectivity over a shared, public network
More informationOverview. SSL Cryptography Overview CHAPTER 1
CHAPTER 1 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features in this chapter apply to IPv4 and IPv6 unless otherwise noted. Secure
More informationE-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)
E-Commerce Security An e-commerce security system has four fronts: LECTURE 7 (SECURITY) Web Client Security Data Transport Security Web Server Security Operating System Security A safe e-commerce system
More informationTable of Contents. 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2
Table of Contents 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2 2 Features and Benefits 2-1 Key Features 2-1 Support for the Browser/Server Resource Access Model 2-1 Support for Client/Server
More informationIP Security. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49
IP Security Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security
More informationUsing etoken for SSL Web Authentication. SSL V3.0 Overview
Using etoken for SSL Web Authentication Lesson 12 April 2004 etoken Certification Course SSL V3.0 Overview Secure Sockets Layer protocol, version 3.0 Provides communication privacy over the internet. Prevents
More informationSecure Socket Layer (SSL) and Transport Layer Security (TLS)
Secure Socket Layer (SSL) and Transport Layer Security (TLS) Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available
More informationSecuring an IP SAN. Application Brief
Securing an IP SAN Application Brief All trademark names are the property of their respective companies. This publication contains opinions of StoneFly, Inc., which are subject to change from time to time.
More informationOverview of CSS SSL. SSL Cryptography Overview CHAPTER
CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet, ensuring secure transactions such as the transmission of credit card numbers
More informationTELE 301 Network Management. Lecture 16: Remote Terminal Services
TELE 301 Network Management Lecture 16: Remote Terminal Services Haibo Zhang Computer Science, University of Otago TELE301 Lecture 16: Remote Terminal Services 1 Today s Focus Remote Terminal Services
More informationModule 8. Network Security. Version 2 CSE IIT, Kharagpur
Module 8 Network Security Lesson 2 Secured Communication Specific Instructional Objectives On completion of this lesson, the student will be able to: State various services needed for secured communication
More informationStrong Encryption for Public Key Management through SSL
Strong Encryption for Public Key Management through SSL CH.SUSHMA, D.NAVANEETHA 1,2 Assistant Professor, Information Technology, Bhoj Reddy Engineering College For Women, Hyderabad, India Abstract: Public-key
More informationFile transfer clients manual File Delivery Services
File transfer clients manual File Delivery Services Publisher Post CH Ltd Information Technology Webergutstrasse 12 CH-3030 Berne (Zollikofen) Contact Post CH Ltd Information Technology Webergutstrasse
More informationCSCE 465 Computer & Network Security
CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA Diffie-Hellman Key Exchange Public key and
More informationLukasz Pater CMMS Administrator and Developer
Lukasz Pater CMMS Administrator and Developer EDMS 1373428 Agenda Introduction Why do we need asymmetric ciphers? One-way functions RSA Cipher Message Integrity Examples Secure Socket Layer Single Sign
More informationLab 8.3.1.2 Configure Basic AP Security through IOS CLI
Lab 8.3.1.2 Configure Basic AP Security through IOS CLI Estimated Time: 30 minutes Number of Team Members: Students will work in teams of two. Objective In this lab, the student will learn the following
More informationRemote Logging. Tanveer Brohi(14cs28)
Remote Logging Tanveer Brohi(14cs28) 1 Contents Introduction TELNET SSH Advantages and Disadvantages Conclusion References 2 Introduction What is remote logging? Remote logging is the capability to access
More informationIntroduction to Network Security. 1. Introduction. And People Eager to Take Advantage of the Vulnerabilities
TÜBİTAK Ulusal Elektronik ve Kriptoloji Araştırma Enstitüsü Introduction to Network Security (Revisit an Historical 12 year old Presentation) Prof. Dr. Halûk Gümüşkaya Why Security? Three primary reasons
More informationWritten by Edmond Ng on behalf of D-Link for a Thai magazine (before translation) Page 1 of 4
Increasing Network Security Introduction Network and data security has been a growing concern in many organizations. With the emergence of wireless networking, security preemptives have been primarily
More informationChapter 10. Network Security
Chapter 10 Network Security 10.1. Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS 10.2 Chapter 10: Objective We introduce
More informationIPS Anti-Virus Configuration Example
IPS Anti-Virus Configuration Example Keywords: IPS, AV Abstract: This document presents a configuration example for the AV feature of the IPS devices. Acronyms: Acronym Full spelling IPS AV Intrusion Prevention
More informationSecurity Policy. Trapeze Networks
MX-200R-GS/MX-216R-GS Mobility Exchange WLAN Controllers Security Policy Trapeze Networks August 14, 2009 Copyright Trapeze Networks 2007. May be reproduced only in its original entirety [without revision].
More informationCleaning Encrypted Traffic
Optenet Documentation Cleaning Encrypted Traffic Troubleshooting Guide iii Version History Doc Version Product Date Summary of Changes V6 OST-6.4.300 01/02/2015 English editing Optenet Documentation
More informationTopics in Network Security
Topics in Network Security Jem Berkes MASc. ECE, University of Waterloo B.Sc. ECE, University of Manitoba www.berkes.ca February, 2009 Ver. 2 In this presentation Wi-Fi security (802.11) Protecting insecure
More informationSBClient SSL. Ehab AbuShmais
SBClient SSL Ehab AbuShmais Agenda SSL Background U2 SSL Support SBClient SSL 2 What Is SSL SSL (Secure Sockets Layer) Provides a secured channel between two communication endpoints Addresses all three
More informationThree attacks in SSL protocol and their solutions
Three attacks in SSL protocol and their solutions Hong lei Zhang Department of Computer Science The University of Auckland zhon003@ec.auckland.ac.nz Abstract Secure Socket Layer (SSL) and Transport Layer
More informationWireless Encryption Protection
Wireless Encryption Protection We re going to jump around a little here and go to something that I really find interesting, how do you secure yourself when you connect to a router. Now first and foremost
More informationVPN Lesson 2: VPN Implementation. Summary
VPN Lesson 2: VPN Implementation Summary 1 Notations VPN client (ok) Firewall Router VPN firewall VPN router VPN server VPN concentrator 2 Basic Questions 1. VPN implementation options for remote users
More informationSecurity vulnerabilities in the Internet and possible solutions
Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in
More informationSecurity & Privacy on the WWW. Topic Outline. Information Security. Briefing for CS4173
Security & Privacy on the WWW Briefing for CS4173 Topic Outline 1. Information Security Relationship to safety Definition of important terms Where breaches can occur Web techniques Components of security
More informationWeb Security Considerations
CEN 448 Security and Internet Protocols Chapter 17 Web Security Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University mdahshan@ccis.ksu.edu.sa
More informationIf you prefer to use your own SSH client, configure NG Admin with the path to the executable:
How to Configure SSH Each Barracuda NG Firewall system is routinely equipped with an SSH daemon listening on TCP port 22 on all administrative IP addresses (the primary box IP address and all other IP
More informationChapter 10. Cloud Security Mechanisms
Chapter 10. Cloud Security Mechanisms 10.1 Encryption 10.2 Hashing 10.3 Digital Signature 10.4 Public Key Infrastructure (PKI) 10.5 Identity and Access Management (IAM) 10.6 Single Sign-On (SSO) 10.7 Cloud-Based
More informationKey Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards
White Paper Key Hopping A Security Enhancement Scheme for IEEE 802.11 WEP Standards By Dr. Wen-Ping Ying, Director of Software Development, February 2002 Introduction Wireless LAN networking allows the
More informationSecure Socket Layer. Introduction Overview of SSL What SSL is Useful For
Secure Socket Layer Secure Socket Layer Introduction Overview of SSL What SSL is Useful For Introduction Secure Socket Layer (SSL) Industry-standard method for protecting web communications. - Data encryption
More informationFL EDI SECURE FTP CONNECTIVITY TROUBLESHOOTING GUIDE. SSL/FTP (File Transfer Protocol over Secure Sockets Layer)
FL EDI SECURE FTP CONNECTIVITY TROUBLESHOOTING GUIDE This troubleshooting guide covers secure file transfers using the SFTP and SSL/FTP file transfer protocols for Claims, POC, and Medical EDI transmissions.
More informationDirectory and File Transfer Services. Chapter 7
Directory and File Transfer Services Chapter 7 Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP over traditional authentication systems Identify major
More informationFile Transfer Protocol (FTP) & SSH
http://xkcd.com/949/ File Transfer Protocol (FTP) & SSH Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Some materials copyright 1996-2012 Addison-Wesley J.F Kurose and K.W.
More informationKey Management (Distribution and Certification) (1)
Key Management (Distribution and Certification) (1) Remaining problem of the public key approach: How to ensure that the public key received is really the one of the sender? Illustration of the problem
More informationPulse Secure, LLC. January 9, 2015
Pulse Secure Network Connect Cryptographic Module Version 2.0 Non-Proprietary Security Policy Document Version 1.1 Pulse Secure, LLC. January 9, 2015 2015 by Pulse Secure, LLC. All rights reserved. May
More informationWireless Networks. Welcome to Wireless
Wireless Networks 11/1/2010 Wireless Networks 1 Welcome to Wireless Radio waves No need to be physically plugged into the network Remote access Coverage Personal Area Network (PAN) Local Area Network (LAN)
More informationLinksys E2000 Wireless-N Router Configuration Guide
Linksys E2000 Wireless-N Router Configuration Guide Revision 1.1 Copyright 2012 Maretron, LLP All Rights Reserved Maretron, LLP 9014 N. 23 rd Ave #10 Phoenix, AZ 85021-7850 http://www.maretron.com Maretron
More informationSecure File Transfer Appliance Security Policy Document Version 1.9. Accellion, Inc.
Secure File Transfer Appliance Security Policy Document Version 1.9 Accellion, Inc. November 11, 2010 Copyright Accellion, Inc. 2010. May be reproduced only in its original entirety [without revision].
More informationTCP/IP and Encryption. CIT304 University of Sunderland Harry R. Erwin, PhD
TCP/IP and Encryption CIT304 University of Sunderland Harry R. Erwin, PhD Resources Garfinkel and Spafford, 1996, Practical UNIX and Internet Security, O Reilly, ISBN: 1-56592-148-8 B. Schneier, 2000,
More informationSecure File Multi Transfer Protocol Design
Journal of Software Engineering and Applications, 2011, 4, 311-315 doi:10.4236/jsea.2011.45034 Published Online May 2011 (http://www.scirp.org/journal/jsea) 311 Murali Krishna, Pradeep Jamwal, K. S. R.
More informationIBM i Version 7.3. Security Digital Certificate Manager IBM
IBM i Version 7.3 Security Digital Certificate Manager IBM IBM i Version 7.3 Security Digital Certificate Manager IBM Note Before using this information and the product it supports, read the information
More informationEnergyAxis System: Security for the Smart Grid
Security for the Smart Grid 2010 by Elster All rights reserved. No part of this document may be reproduced, transmitted, processed or recorded by any means or form, electronic, mechanical, photographic
More informationNetwork Security. Lecture 3
Network Security Lecture 3 Design and Analysis of Communication Networks (DACS) University of Twente The Netherlands Security protocols application transport network datalink physical Contents IPSec overview
More informationSoftware Tool for Implementing RSA Algorithm
Software Tool for Implementing RSA Algorithm Adriana Borodzhieva, Plamen Manoilov Rousse University Angel Kanchev, Rousse, Bulgaria Abstract: RSA is one of the most-common used algorithms for public-key
More informationChapter 8 Security. IC322 Fall 2014. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012
Chapter 8 Security IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross, All
More informationNetwork Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion
Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann
More informationEncryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1
Encryption, Data Integrity, Digital Certificates, and SSL Developed by Jerry Scott 2002 SSL Primer-1-1 Ideas Behind Encryption When information is transmitted across intranets or the Internet, others can
More informationPrivyLink Internet Application Security Environment *
WHITE PAPER PrivyLink Internet Application Security Environment * The End-to-end Security Solution for Internet Applications September 2003 The potential business advantages of the Internet are immense.
More informationLinux Network Security
Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols
More informationVPN. VPN For BIPAC 741/743GE
VPN For BIPAC 741/743GE August, 2003 1 The router supports VPN to establish secure, end-to-end private network connections over a public networking infrastructure. There are two types of VPN connections,
More informationAuthentication Types. Password-based Authentication. Off-Line Password Guessing
Authentication Types Chapter 2: Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network and Transport Layer Chapter 4:
More informationTIBCO BusinessConnect Plug-in for SSH Server Release Notes. Software Release 1.0.0 May 2012
TIBCO BusinessConnect Plug-in for SSH Server Release Notes Software Release 1.0.0 May 2012 SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO SOFTWARE IS
More informationExam Questions SY0-401
Exam Questions SY0-401 CompTIA Security+ Certification http://www.2passeasy.com/dumps/sy0-401/ 1. A company has implemented PPTP as a VPN solution. Which of the following ports would need to be opened
More informationathenahealth Interface Connectivity SSH Implementation Guide
athenahealth Interface Connectivity SSH Implementation Guide 1. OVERVIEW... 2 2. INTERFACE LOGICAL SCHEMATIC... 3 3. INTERFACE PHYSICAL SCHEMATIC... 4 4. SECURE SHELL... 5 5. NETWORK CONFIGURATION... 6
More informationLecture 9: Application of Cryptography
Lecture topics Cryptography basics Using SSL to secure communication links in J2EE programs Programmatic use of cryptography in Java Cryptography basics Encryption Transformation of data into a form that
More informationWIRELESS LAN SECURITY FUNDAMENTALS
WIRELESS LAN SECURITY FUNDAMENTALS Jone Ostebo November 2015 #ATM15ANZ @ArubaANZ Learning Goals Authentication with 802.1X But first: We need to understand some PKI And before that, we need a cryptography
More informationFor the protocol access paths listed in the following table, the Sentry firmware actively listens on server ports to provide security for the CDU.
CDU Security This provides a quick reference for access paths to Server Technology s Cabinet Distribution Unit (CDU) products, shows if the access path is secure, and if so, provides an overview of how
More informationSecurity in Distributed Systems. Network Security
Security in Distributed Systems Introduction Cryptography Authentication Key exchange Computer Science Lecture 18, page 1 Network Security Intruder may eavesdrop remove, modify, and/or insert messages
More information