Security (II) ISO : Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012

Transcription

1 Course Outline: Fundamental Topics System View of Network Security Network Security Model Security Threat Model & Security Services Model Overview of Network Security Security Basis: Cryptography Secret key cryptography Hashes and message digests Public key cryptography Key distribution and management Network Security Applications: Authentication and security handshakes pitfalls Well known network security protocols such as Kerberos, IPSec, SSL/SET, PGP& PKI, WEP An Overview of Network Security (II) Outline Security Architecture of OSI Reference Model Security Placement w/in Multiple Protocol Layers ISO : Security Architecture of OSI Reference Model Internet Protocol Architecture The OSI reference model & its services (ISO ) Details of ISO

2 Internetworking Internet Protocol Layering Host A Host B Application Layer Application Layer HTTP Message Router Network B Host B Transport Layer TCP Packet Transport Layer Network A Internet Layer IP Datagram Router Internet Layer IP Datagram Internet Layer Host A Network Layer Ethernet Frame Physical Network Network Layer Ethernet Frame Physical Network Network Layer The OSI Reference Model: ISO OSI Reference Model - internationally standardized network architecture. An abstract representation of an ideal network protocol stack OSI = Open Systems Interconnection Specified in ISO Model has 7 layers Internet Protocols vs. OSI Internet OSI Application Application TCP IP Presentation Session Transport Network Network Interface Data Link 2 1 Hardware Physical 1 2

3 Lower/Upper Layers Layers 1-4 often referred to as lower layers. Layers 5-7 are the upper layers. Lower layers relate more closely to the communications technology. Upper layers relate to applications. Layer 7: Application Layer Home to wide variety of protocols for specific user needs, e.g.: virtual terminal service, file transfer, electronic mail, directory services. Layer 6: Presentation Layer Concerned with representation of transmitted data. Deals with different data representations, e.g. of numbers, characters. Also deals with data compression and encryption. Layer for source coding. Layer 5: Session Layer Allows establishment of sessions between machines, e.g. to allow remote logins provide file transfer service. Responsible for dialogue control. Also performs token management and synchronization. 3

4 Layer 4: Transport Layer Basic function is to take data from Session Layer, split it up into smaller units, and ensure that the units arrive correctly. Concerned with efficient provision of service. The Transport Layer also determines the type of service to provide to the Session Layer. Also responsible for congestion control. Layer 3: Network Layer Controls the subnet. Key issue is routing in the subnet; can be based on: static tables, determined at start of session, highly dynamic (varying for each packet). Layer 2: Data Link Layer Provides reliable, error-free service on top of raw Level 1 service. include encoding, CRC, etc. Breaks data into frames. Requires creation of frame boundaries. Frames used to manage errors via acknowledgements and selective frame retransmission. Layer 1: Physical Layer Concerned with bit transmission over physical channel. Issues include: definition of 0/1, whether channel simplex/duplex, connector design. Mechanical, electrical, procedural matters. 4

5 Layering Principles SDU (N+1) Entity Service User (N) Entity Service Provider N+1 PDU Layer N+1 protocol Layer N Service Access Point (SAP) Layer N protocol N PDU N PDU (N+1) Entity Service User (N) Entity Service Provider PDU - Protocol Data Unit SDU - Service Data Unit Services & Protocols Service = set of primitives provided by one layer to layer above. Service defines what each layer can do (but not how it does it). Protocol = set of rules governing g data communication between peer entities, i.e. format and meaning of frames/packets. ISO : Security Architecture Provides standard definitions of security terminology Provides standard descriptions for security services and mechanisms Defines where in OSI reference model security services may be provided Introduces security management concepts Policies, threats, services, & mechanisms In a secure system, the rules governing security behavior should be made explicit in the form of a security policy. Security policy: the set of criteria for the provision of security services. A security threat is a possible means by which a security policy may be breached (e.g. loss of integrity or confidentiality). A security service is a measure which can be put in place to address a threat (e.g. provision of confidentiality). A security mechanism is a means to provide a service (e.g. encryption, digital signature). 5

6 Security life-cycle in ISO Define security Model Define security policy Analyze security threats (according to policy) Define security services to meet threats Define security mechanisms to provide services Provide on-going management of security Step1: Generic security policy ISO generic authorization policy: Information may not be given to, accessed by, nor permitted to be inferred by, nor may any resource be used by, those not appropriately authorized. Possible basis for more detailed policy. Does not cover availability (e.g. DoS attack) issues (for legitimate user). Policy Types ISO distinguishes between 2 types of security policies: Identity-based: where access to and use of resources are determined on the basis of the identities of users and resources Rule-based: where resource access is controlled by global rules imposed on all users, e.g. using security labels. Step 2: Fundamental threats A threat is: a person, thing, event or idea which poses some danger to an asset (in terms of confidentiality, integrity, availability or legitimate t use). ) An attack is a realization of a threat Safeguards = countermeasures (e.g. controls, procedures) to protect against threats. Vulnerabilities = weaknesses in safeguards Four fundamental threats: Information leakage Integrity violation DoS illegitimate use 6

7 Step3: Security Services Security services in ISO are a special class of safeguards applying to a communication environment. ISO defines 5 main categories of security service: Authentication (including entity authentication and origin authentication) Access control Data confidentiality Data integrity Non-repudiation Step 4: Security Mechanisms To provide and support security services Can be divided into two classes: Specific security mechanisms, used to provide specific security services, and Pervasive security mechanisms (e.g., trust functionality, intrusion/event detection, security recovery), not specific to particular services. Often expensive Specific security mechanisms Eight types: encipherment digital signature access control mechanisms data integrity mechanisms authentication exchanges traffic padding routing control notarization Specific Mechanisms (Cont d) Encipherment mechanisms = encryption or cipher algorithms. Can provide data and traffic flow confidentiality. Digital signature mechanisms signing procedure (private) verification procedure (public). Can provide non-repudiation, origin authentication and data integrity services. Both can be basis of some authentication exchange mechanisms. 7

8 Specific Mechanisms (Cont d) Access Control mechanisms A server using client information to decide whether to grant access to resources E.g. access control lists, capabilities, security labels. Data integrity mechanisms Protection against modification of data. Provide data integrity and origin authentication services. Also basis of some authentication ti ti exchange mechanisms. Authentication exchange mechanisms Provide entity authentication service. Specific Mechanisms (Cont d) Traffic padding mechanisms The addition of pretend data to conceal real volumes of data traffic. Provides traffic flow confidentiality. Routing control mechanisms Used to prevent sensitive data using insecure channels. E.g. route might be chosen to use only physically secure network components. Notarization ti mechanisms Integrity, origin and/or destination of data can be guaranteed by using a 3rd party trusted notary. Notary typically applies a cryptographic transformation to the data. Service/mechanism table ISO indicates which mechanisms can be used to provide which services Illustrative NOT definitive. Mechanism Enciph - Digital Access Data Service erment sign. Control integrity it Entity authentication Origin authentication Access control Connection confidentiality Connectionless confidentiality Selective field confidentiality Traffic flow confidentiality Connection integrity with recovery Connection integrity without recovery Selective field connection integrity Connectionless integrity Selective field connectionless integrity Non -repudiation of origin Non -repudiation of delivery Service/mechanism table (cont d) Service Entity authentication Origin authentication Access control Connection confidentiality Connectionlessconfidentiality Mechanism Auth. exchange Traffic padding Selective field confidentiality Traffic flow confidentiality Connection integrity with recovery Connection integrity without recovery Selective e field connection integrity Connectionless integrity Selective field connectionless integrity Non-repudiation of origin Non-repudiation of delivery Routing Control Notaris - ation 8

9 Pervasive security mechanisms Five types identified: trusted functionality, security labels, event detection, security audit trail, security recovery. Pervasive Mechanisms Trusted functionality Any functionality providing or accessing security mechanisms should be trustworthy. May involve combination of software and hardware. Security labels Any resource (e.g. stored data, processing power, communications bandwidth) may have security label associated with it to indicate security sensitivity. Similarly labels may be associated with users. Labels may need to be securely bound to transferred data. Pervasive Mechanisms (Cont d) Event detection Includes detection of attempted security violations, legitimate security-related activity. Can be used to trigger event reporting (alarms), event logging, automated recovery. Security audit trail Log of past security-related events. Permits detection and investigation of past security breaches Security recovery Includes mechanisms to handle requests to recover from security failures (security tolerant). May include immediate abort of operations, temporary invalidation of an entity, addition of entity to a blacklist. Link vs. End-to-End Encryption Ref: Network Security Essential, by Stallings Link and E2E Encryption: (1) Link encryption: A lot of encryption devices Decrypt each packet at every switch -Intermediate switch must be trusted -Invisible to the users (2) End-to-end encryption Addresses potential flaws in lower layers The source encrypt and the receiver decrypts Payload encrypted Header in the clear Only end nodes must be trusted (3) High Security: Both link and E2E encrypion are needed 9

10 Link-to-link Encryption Protocol layer 5. application 4. transport 3. network 2. data link 1. physical Security Services & Layering in General Sender Message Intermediate Host message (plaintext) exposed Receiver Typical Message: Link Encryption B N T M E Message Transport Header Network Header Data Link Header Data Link Trailer Message encrypted Message in plaintext Ref: Security in Computing, by Charles P. Pfleeger & Shari Lawrence Pfleeger If all hosts on a network are reasonably trustworthy, but the communications medium is shared w/ other users or is not secure, link encryption is an easy control to use Security Services & Layering in General End-to-End Encryption Typical Message: End-to-End Encryption Protocol layer 5. application 4. transport 3. network 2dt 2. data lik link Sender Intermediate t Host Receiver Message message (plaintext) exposed B N T M Message Transport Header Network Header E 1. physical Data Link Header Message encrypted Message in plaintext Data Link Trailer 10

11 Comparison of Encryption Architecture Link-to-link encryption Message is plaintext inside of hosts (trustworthy?): node authentication needed Faster (mostly hardware); Easier/invisible i ibl for user one key per node/interface pair End-to-end encryption Flexible (hardware or software) Application & user aware No trust in intermediate nodes required: need end user authentication One key per host pair Unavoidable multilayer security provisioning 11