Security technologies

Editor's Notes

1. Learning Objectives: Upon completion of this chapter you should be able to: Define and identify the various types of firewalls. Discuss the approaches to firewall implementation. Discuss the approaches to dial-up access and protection. Identify and describe the two categories of intrusion detection systems. Discuss the two strategies behind intrusion detection systems. Discuss the process of encryption and define key terms. Identify and discuss common approaches to cryptography. Compare and contrast symmetric and asymmetric encryption. Discuss various approaches to biometric access control.
2. Learning Objectives: Upon completion of this chapter you should be able to: Define and identify the various types of firewalls. Discuss the approaches to firewall implementation. Discuss the approaches to dial-up access and protection. Identify and describe the two categories of intrusion detection systems. Discuss the two strategies behind intrusion detection systems. Discuss the process of encryption and define key terms. Identify and discuss common approaches to cryptography. Compare and contrast symmetric and asymmetric encryption. Discuss various approaches to biometric access control.
3. Introduction Information security- A discipline that relies people, policy, education, training, awareness, procedures, and technology to improve the protection of an organization’s information assets Technical solutions can maintain Confidentiality of information Integrity of information Availability of information in each of its three states (storage, transmission, and processing).
4. Physical Design Of The SecSDLC The physical design phase of the SecSDLC is made up of two parts: security technologies and physical security. Physical design takes the logical design, expressed by the information security blueprint and the contingency planning elements and extends the design to the next level.
5. Physical Design Of The SecSDLC The physical design phase encompasses the selection of technologies and processes to implement controls to manage risk from threats to the information assets of the organization. At the end of the physical design phase you have: Selected technologies needed to support the information security blueprint Defined what the successful solution for a secured environment will encompass Designed physical security measures that support the technical solutions Prepared to create project plans in the implementation phase to follow
6. Firewalls A firewall as part of an information security program is any device that prevents a specific type of information from moving between the outside world, known as the untrusted network, and the inside world, known as the trusted network, and vice versa. Firewalls have made significant advances since the earliest implementations At the present time, there are five generally recognized generations of firewalls, and these generations can be implemented in a wide variety of architectures. The firewall may be a separate computer system, a service running on an existing router or server, or a separate network containing a number of supporting devices.
7. First Generation The first generation of firewalls are called packet filtering firewalls, because they are simple networking devices that filter packets based on their headers as they travel to and from the organization’s networks. In this case the firewall examines every incoming packet header and it can selectively filter packets (accepting or rejecting as needed) based on: address, packet type, port request and others factors. These devices scan network data packets looking for compliance with or violation of rules configured into the firewall’s database. If a first generation firewall finds a packet that matches a restriction, it simply refuses to forward it. The restrictions most commonly implemented are based on: IP source and destination address Direction (inbound or outbound) Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port-requests Early firewall models examine one aspect of the packet header: the destination and source address. They enforce address restrictions, rules designed to prohibit packets with certain addresses or partial addresses, from passing through the device. They accomplish this through access control lists (ACLs), created and modified by the firewall administrators. The ability to restrict a specific service is now considered standard in most modern routers, and is invisible to the user. Unfortunately these systems are unable to detect if packet headers have been modified, as occurs from IP spoofing attacks.
8. Second Generation The next generation of firewalls is called the application-level firewall. The application firewall is frequently a dedicated computer separate from the filtering router and quite commonly used in conjunction with a filtering router. The application firewall is also known as a proxy server, since it runs special software designed to serve as a proxy for a service request. With this configuration the proxy server, rather than the Web server is exposed to the outside world, in the DMZ. A demilitarized zone (DMZ) is an intermediate area between a trusted network and an un-trusted network. Additional filtering routers can be implemented behind the proxy server restricting the access of internal systems to the proxy server alone, thus further protecting internal systems. The primary disadvantage of application-level firewalls is that they are designed for a specific protocol and cannot easily be reconfigured to protect against attacks on protocols for which they are not designed.
9. Third Generation The next generation of firewalls, stateful inspection firewalls, keeps track of each network connection established between internal and external systems using a state table. These state tables track the state and context of each packet in the conversation, by recording which station sent what packet and when. Like first generation firewalls, stateful inspection firewalls perform packet filtering, but they take it a step further. Whereas simple packet filtering firewalls only allow or deny certain packets based on their address, a stateful firewall can restrict incoming packets by denying access to packets that are responses to internal requests. If the stateful firewall receives an incoming packet that it cannot match in its state table, then it defaults to its ACL to determine whether to allow the packet to pass. The primary disadvantage of this type of firewall is the additional processing requirements of managing and verifying packets against the state table. This can possibly expose the system to a DoS attack. In such an attack, the firewall can be subjected to a large number of external packets, slowing it down as it attempts to compare all of the incoming packets first to the state table and then to the ACL. On the positive side, these firewalls can track connectionless packet traffic such as UDP and remote procedure calls (RPC) traffic.
10. Fourth Generation While static filtering firewalls, such as first and third generation, allow entire sets of one type of packet to enter in response to authorized requests, a dynamic packet filtering firewall allows only a particular packet with a particular source, destination and port address to enter through the firewall. It does this by understanding how the protocol functions, and opening and closing “doors” in the firewall, based on the information contained in the packet header. In this manner, dynamic packet filters are an intermediate form, between traditional static packet filters and application proxies.
11. Fifth Generation The final form of firewall is the kernel proxy, a specialized form that works under the Windows NT Executive, which is the kernel of Windows NT. It evaluates packets at multiple layers of the protocol stack, by checking security in the kernel as data is passed up and down the stack.
12. Packet-filtering Routers Most organizations with an Internet connection have some form of a router as the interface at the perimeter between the organization’s internal networks and the external service provider. Many of these routers can be configured to filter packets that the organization does not allow into the network. This is a simple but effective means to lower the organization’s risk to external attack. The drawback to this type of system includes a lack of auditing and strong authentication. The complexity of the access control lists used to filter the packets can grow and degrade network performance.
13. Screened-Host Firewall Systems The next type of architecture combines the packet-filtering router with a separate, dedicated firewall such as an application proxy server. This approach allows the router to pre-screen packets to minimize the network traffic and load on the internal proxy. The application proxy examines an application layer protocol, such as HTTP, and performs the proxy services. This separate host is often referred to as a bastion-host, as it represents a single, rich target for external attacks, and should be very thoroughly secured.
14. Dual-homed Host Firewalls The next step up in firewall architectural complexity is the dual-homed host. With this configuration, the bastion-host contains two NICs (network interface cards), rather than the one contained by in bastion-host configuration. One NIC is connected to the external network, and one is connected to the internal network, providing an additional layer of protection. With two NICs all traffic must physically go through the firewall to move between the internal and external networks. A technology known as network-address translation is commonly implemented with this architecture. Network-address translation (NAT) is a method of mapping real, valid, external IP addresses to special ranges of internal IP addresses, creating yet another barrier to internal intrusion. These internal addresses can consist of three different ranges.
15. Screened-Subnet Firewalls (with DMZ) The final architecture presented here is the screened-subnet firewall. The subnet firewall consists of two or more internal bastion-hosts, behind a packet-filtering router, with each host protecting the trusted network. There are a many variants of the screened subnet architecture. The first general model consists of two filtering routers, with one or more dual-homed bastion-host between them. The second general model involves the connection from the outside or un-trusted network going through this path: Through an external filtering router Into and then out of a routing firewall to the separate network segment known as the DMZ Connections into the trusted internal network are allowed only from the DMZ bastion-host servers
16. Provides an intermediate area between the trusted network and the untrusted network, known as a demilitarized zone (DMZ) The DMZ can be a dedicated port on the firewall device linking a single bastion-host or it can be connected to a screened subnet or DMZ Until recently, servers providing services through the un-trusted network were commonly placed in the DMZ Examples include Web, file transfer protocol (FTP), and certain database servers More recent strategies utilizing proxy servers have provided much more secure solutions
17. SOCKS Servers The SOCKS system is a proprietary circuit-level proxy server that places special SOCKS client-side agents on each workstation. The general approach is to place the filtering requirements on the individual workstation, rather than on a single point of defense (and thus point of failure). This frees the entry router of filtering responsibilities, but then requires each workstation to be managed as a firewall detection and protection device. A SOCKS system can require additional support and management resources to configure and manage possibly hundreds of individual clients, versus a single device or set of devices.
18. Selecting the Right Firewall 1.What type of firewall technology offers the right balance of protection features and cost for the needs of the organization? 2.What features are included in the base price? What features are available at extra cost? Are all cost factors known? 3.How easy is it to set up and configure the firewall? How accessible are staff technicians with the mastery to do it well? 4.Can the candidate firewall adapt to the growing network in the target organization? Each firewall device will have its own set of configuration rules that regulate its actions In practice the configuration of firewall policies can be something of a nightmare Simple mistakes can turn the device into a choke point In general, when security rules conflict with the performance of business, security loses since organizations are much more willing to live with a potential risk than a certain failure
19. Each firewall device will have its own set of configuration rules that regulate its actions In practice the configuration of firewall policies can be something of a nightmare Simple mistakes can turn the device into a choke point In general, when security rules conflict with the performance of business, security loses since organizations are much more willing to live with a potential risk than a certain failure
20. Firewall Recommended Practices All traffic from the trusted network is allowed out The firewall device is always inaccessible directly from the public network Allow Simple Mail Transport Protocol (SMTP) data to pass through your firewall, but insure it is all routed to a well-configured SMTP gateway to filter and route messaging traffic securely All Internet Control Message Protocol (ICMP) data should be denied Block telnet (terminal emulation) access to all internal servers from the public networks When Web services are offered outside the firewall, deny HTTP traffic from reaching your internal networks by using some form of proxy access or DMZ architecture
21. Dial-Up Protection While internal network connection via private networks are now less popular due to the high cost of installation, maintenance, and protection, dial-up connections are still quite common. It is a widely held view that unsecured, dial-up access represents a substantial exposure to attack. An attacker who suspects that an organization has dial-up lines can use a device called a war-dialer to locate the connection points. Network connectivity offered by organization by using dial-up connections are usually much simpler and less sophisticated than those deployed with Internet connections. For the most part, simple username and password schemes are the only means of authentication.
22. The RADIUS system centralizes the management of user authentication by placing the responsibility for authenticating each user in the central RADIUS server When a remote access server (RAS) receives a request for network connection from a dial-up client, it passes the request along with the user’s credentials to the RADIUS server. RADIUS then validates the credentials and passes the resulting decision (accept or deny) back to the accepting remote access server (RAS).
23. Terminal Access Controller Access Control System The Terminal Access Controller Access Control System (TACACS) is another remote access authorization system that is based on a client/server configuration. It contains a centralized database, such as RADIUS, and validates the user’s credentials at the TACACS server. There are three versions of TACACS: TACACS, Extended TACACS, and TACACS+.
24. Intrusion Detection Systems (IDSs) Information security intrusion detection systems (IDSs) work like a burglar alarms. When the alarm detects a violation of its configuration, it activates the alarm. As with firewall systems, IDSs require complex configurations to provide the level of detection and response desired. An IDS operates as either network-based, when the technology is focused on protecting network information assets, or host-based, when the technology is focused on protecting server or host information assets. IDSs use one of two detection methods, signature based or statistical anomaly-based. Host-based IDSs A host-based IDS resides on a particular computer or server, known as the host, and monitors activity on that system. Most host-based IDSs work on the principle of configuration or change management, in which the systems record the file sizes, locations, and other attributes, and then report when one or more of these attributes changes, when new files are created, and when existing files are deleted. A Host-based IDS can also monitor systems logs for pre-defined events. The IDS maintains its own log files; so when hackers successfully modify a systems log in an attempt to cover their tracks, the IDS provides independent verification that the attack occurred. Once properly configured, host-IDSs are very reliable. A host-based IDS that is managed can monitor multiple computers simultaneously. It does this by storing a client file on each monitored host and has that host report back to the master console, which is usually located on the systems administrator’s computer. Network-based IDSs A network-based IDS works differently than its host-based counterpart. While a host-based IDS resides on a host (or hosts) and monitors only activities on the host, a network-based IDS monitors network traffic. When a pre-defined condition occurs, a network-based IDS responds and notifies the appropriate administrator. The network IDS must match known and unknown attack strategies against its knowledge base to determine whether or not an attack has occurred. Network IDSs result in many more false positive readings than do host-based IDSs, as the system is attempting to read into the pattern of activity on the network to determine what is normal and what is not. Signature-based IDSs A signature-based IDS or knowledge-based IDS examines data traffic looking for something that matches the signatures, which are pre-configured, predetermined attack patterns. The problem with this approach is that the signatures must be continually updated, as new attack strategies are identified. If attackers are slow and methodical, they may slip undetected through the IDS, as their actions may not match the signature that includes factors based on duration of the events. Statistical Anomaly-based IDSs Another common method used in IDS is the statistical anomaly-based IDS (stat IDS) or behavior-based IDS. The stat IDS collects data from normal traffic and establishes a baseline. Once the baseline is established, the IDS periodically samples network activity, based on statistical methods, and compares the samples to the baseline. When the activity is outside the baseline parameters (known as a clipping level), the IDS then notifies the administrator. The advantage of this approach is that the system is able to detect new types of attacks, as it looks for abnormal activity of any type. Unfortunately these systems require much more overhead and processing capacity than signature-based versions, as they must constantly attempt to pattern matched activity to the baseline. These systems also may not detect minor changes to systems variables and may generate many false positives.
25. A network-based IDS works differently than its host-based counterpart. While a host-based IDS resides on a host (or hosts) and monitors only activities on the host, a network-based IDS monitors network traffic. When a pre-defined condition occurs, a network-based IDS responds and notifies the appropriate administrator. The network IDS must match known and unknown attack strategies against its knowledge base to determine whether or not an attack has occurred. Network IDSs result in many more false positive readings than do host-based IDSs, as the system is attempting to read into the pattern of activity on the network to determine what is normal and what is not.
26. Scanning tools are used to collect information needed by an attacker to succeed. One of the preparatory parts of an attack is the collection of information about a potential target, a process known as footprinting. Footprinting is the organized research of the Internet addresses owned or controlled by a target organization. The attacker uses public Internet data sources to perform keyword searches to identify the network addresses of the organization. This research is augmented with the browsing of the organization’s Web pages.
27. The next phase of the pre-attack data gathering process is called fingerprinting. This is the systematic examination of all of the Internet addresses of the organization (collected during the footprinting phase noted above). Accomplished with tools discussed in the next section, fingerprinting reveals useful information for the anticipated attack
28. Although some may not perceive them as defensive tools, scanners, sniffers, and other analysis tools are invaluable to security administrators in enabling them to see what the attacker sees. Scanner and analysis tools can find vulnerabilities in systems, holes in security components, and unsecured aspects of the network. Unfortunately, they cannot detect the unpredictable behavior of people. One word of caution though, many of these tools have distinct signatures, and some Internet service providers (ISPs) scan for these signatures. If the ISP discovers someone using hacker tools, it can pull access privileges. It’s best to establish a working relationship with the ISP and notify it of the purpose and extent of the signatures.
29. Port Scanners Port scanning utilities (or port scanners) are tools used to identify (or fingerprint) computers that are active on a network, as well as the ports and services active on those computers, the functions and roles the machines are fulfilling, and other useful information. The more specific the scanner is, the better it can give you detailed information that will be useful later. A port is a network channel or connection point in a data communications system. Within the TCP/IP networking protocol, TCP and User Datagram Protocol (UDP) port numbers differentiate between multiple communication channels used to connect to network services being offered on the same network device. Why secure open ports? An open port can be used to send commands to a computer, gain access to a server, and exert control over a networking device. The general rule of thumb is to remove from service or secure any port not absolutely necessary for the conduct of business. If a business doesn’t host Web services, there may be no need for port 80 to be available on its servers.
30. Vulnerability Scanners Vulnerability scanners are capable of scanning networks for very detailed information. As a class, they identify exposed usernames and groups, show open network shares, expose configuration problems, and other vulnerabilities in servers.
31. Packet Sniffers A packet sniffer is a network tool that collects copies of packets from the network and analyzes them. It can provide a network administrator with valuable information to diagnose and resolve networking issues. In the wrong hands, a sniffer can be used to eavesdrop on the network traffic. Typically, to use these types of programs most effectively, you must be internal to a network. Simply tapping into an Internet connection floods you with more data than you can process, and technically constitutes a violation of the wiretapping act. To use a packet sniffer legally, you must be: 1) on a network that the organization owns; 2) under direct authorization of the owners of the network, and 3) have knowledge and consent of the content creators (users).
32. Content Filters Although technically not a firewall, a content filter is a software filter that allows administrators to restrict accessible content from within a network. The most common application of a content filter is the restriction of Web sites with non-business related material, such as pornography. Another application is the restriction of spam e-mail from outside sources.
33. Trap And Trace The trap function describes software designed to entice individuals who are illegally perusing the internal areas of a network. These individuals either discover directly or find indicators of rich content areas on the network, that turn out to be areas set up exclusively to distract potential miscreants. Better known as honey pots, these directories or servers distract the attacker while notifying the administrator. The newest accompaniment to the trap is the trace. Similar in concept to Caller ID, the trace is a process by which the organization attempts to determine the identity of someone discovered in unauthorized areas of the network or systems. If this individual turns out to be someone internal to the organization, the administrators are completely within their purview to track them down and turn them over to internal or external authorities If it turns out that the individual is outside the security perimeter, then numerous legal issues arise, as described in earlier chapters.
34. Cryptography And Encryption-Based Solutions Although not a specific application or security tool, encryption represents a sophisticated approach to security that is implemented in many security systems. In fact, many security-related tools use embedded encryption technologies to protect sensitive information handled by the application. Encryption is the process of converting an original message into a form that is unreadable by unauthorized individuals, that is anyone without the tools to convert the encrypted message back to its original format. The science of encryption, known as cryptology encompasses cryptography, from the Greek words kryptos, meaning hidden, and graphein, meaning to write, and cryptanalysis, the process of obtaining the original message (or plaintext) from an encrypted message (or ciphertext), without the knowledge of the algorithms and keys used to perform the encryption.
35. Encryption Definitions Algorithm: the mathematical formula used to convert an unencrypted message into an encrypted message. Cipher: the transformation of the individual components (characters, bytes or bits) of an unencrypted message into encrypted components. Ciphertext or cryptogram: the unintelligible encrypted or encoded message resulting from an encryption. Code: the transformation of the larger components (words or phrases) of an unencrypted message into encrypted components. Cryptosystem: the set of transformations necessary to convert an unencrypted message into an encrypted message. Decipher: to decrypt or convert ciphertext to plaintext. Encipher: to encrypt or convert plaintext to ciphertext.
36. Cryptography And Encryption-Based Solutions The notation used to describe the encryption process differs depending on the source. The first uses the letters M to represent the original message, C to represent the ending ciphertext, and E to represent the encryption process: E(M) = C. This formula represents the application of encryption to a message to create ciphertext. D represents the decryption or deciphering process, thus D[E(M)]=M. K is used to represent the key, thus E(M, K) = C, or encrypting the message with the key results in the ciphertext. Now look at a simple form of encryption based on two concepts: the block cipher and the exclusive OR operation. With the block cipher method, the message is divided into blocks, i.e., 8 or 16 bit blocks, and then each block is transformed using the algorithm and key. The exclusive or operation (XOR) is a function of Boolean algebra whereby two bits are compared, and if the two bits are identical, the result is a binary 0. If the two bits are NOT the same, the result is a binary 1.
37. Encryption Operations In encryption the most commonly used algorithms include two functions: substitution and transposition. In a substitution cipher, you substitute one value for another. This is a simple enough method by itself but very powerful if combined with other operations. This type of substitution is based on a monoalphabetic substitution, since it only uses one alphabet. More advanced substitution ciphers use two or more alphabets, and are referred to as polyalphabetic substitutions. Caesar reportedly used a three-value shift to the right giving that particular substitution cipher his name – the “Caesar Cipher. Just like the substitution operation, the transposition cipher is simple to understand but can be complex to decipher if properly used. Unlike the substitution cipher, the transposition cipher (or permutation cipher) simply rearranges the values within a block to create the ciphertext. This can be done at the bit level or at the byte (character) level. Transposition ciphers move these bits or bytes to another location in the block, so that bit 1 becomes bit 4, bit 2 becomes bit 7 etc.
38. Vernam Cipher Also known as the one-time pad, the Vernam cipher was developed at AT&T and uses a one-use set of characters, the value of which is added to the block of text. The resulting sum is then converted to text. When the two are added, if the values exceed 26, 26 is subtracted from the total (Modulo 26). The corresponding results are then converted back to text:
39. Book or Running Key Cipher Another method, made popular by spy movies, is the use of text in a book as the algorithm to decrypt a message. The key consists of 1) knowing which book to use, and 2) a list of codes representing the page number, line number, and word number of the plaintext word. Dictionaries and thesauruses make the most popular sources as they guarantee every word needed, although almost any book will suffice.
40. Symmetric encryption uses the same key, also known as a secret key to conduct both the encryption and decryption of the message Symmetric encryption methods can be extremely efficient, requiring minimal processing to either encrypt or decrypt the message The problem is that both the sender and the receiver must possess the encryption key If either copy of the key is compromised, an intermediate can decrypt and read the messages One of the challenges of symmetric key encryption is getting a copy of the key to the receiver, a process that must be conducted out of band to avoid interception
41. Symmetric Encryption There are a number of popular symmetric encryption cryptosystems. One of the most familiar is Data Encryption Standard (DES), developed in 1977 by IBM and based on the Data Encryption Algorithm (DEA). DEA uses a 64-bit block size and a 56-bit key. The algorithm begins by adding parity bits to the key (resulting in 64 bits) and then apples the key in 16 rounds of XOR, substitution, and transposition operations. With a 56 bit key, the algorithm has 256 possible keys to choose from (over 72 quadrillion). DES is a federally approved standard for nonclassified data. DES was cracked in 1997 when Rivest-Shamir-Aldeman (RSA) put a bounty on the algorithm. RSA offered a $10,000 reward for the first person or team to crack the algorithm. Fourteen thousand users collaborated over the Internet to finally break the encryption.
42. Triple DES or 3DES Triple DES or 3DES was developed as an improvement to DES and uses up to three keys in succession. It is substantially more secure than DES, not only because it uses up to three keys to DES’s one, but because it also performs three different encryption operations as described below: 1)3DES encrypts the message with key 1, then decrypts it with key 2, and then it encrypts it with key 1 again. 2)3DES encrypts the message with key 1, then it encrypts it again with key 2, and then it encrypts it a third time with key 1 again. 3)3DES encrypts the message three times with three different keys, the most secure level of encryption possible with 3DES. Symmetric Encryption The successor to 3DES is Advanced Encryption Standard (AES), based on the Rinjndael Block Cipher, which is a block cipher with a variable block length and a key length of either128, 192, or 256 bits. In 1998, it took a special computer designed by the Electronic Freedom Frontier (www.eff.org) over 56 hours to crack DES. It would take the same computer approximately 4,698,864 quintillion years to crack AES.
43. Another category of encryption techniques also known as public key encryption Symmetric encryption uses a single key to encrypt and decrypt but asymmetric encryption uses two different, but related keys, one public and one private If Key A is used to encrypt the message, only Key B can decrypt Public key is stored in a public location, where anyone can use it and the private key, is known only to the owner of the key pair
44. The problem with asymmetric encryption is that it requires four keys to hold a single conversation between two parties. Asymmetric encryption is not as efficient as symmetric encryptions in terms of CPU computations. As a result, the hybrid system described in the section on Public Key Infrastructure is more commonly used, instead of a pure asymmetric system.
45. Digital Signatures An interesting thing happens when the asymmetric process is reversed, that is the private key is used to encrypt a short message. The public key can be used to decrypt it, and the fact that the message was sent by the organization that owns the private key cannot be refuted. This is known as non-repudiation, which is the foundation of digital signatures. Digital Signatures are encrypted messages that are independently verified by a central facility (registry) as authentic.
46. RSA One of the most popular public key cryptosystems is RSA. RSA stands for Rivest-Shamir-Aldeman, its developers. RSA is the first public key encryption algorithm developed and published for commercial use. RSA is very popular and is part of Web browsers from both Microsoft and Netscape.
47. PKI Public Key Infrastructure is the entire set of hardware, software, and cryptosystems necessary to implement public key encryption. PKI systems are based on public-key cryptosystems and include digital certificates and certificate authorities (CAs). A common implementation of PKI includes: systems to issue digital certificates to users and servers; encryption enrollment; key issuing systems; tools for managing the key issuance; verification and return of certificates; and any other services associated with PKI.
48. PKI protects information assets in several ways: Authentication. Digital certificates in a PKI system permit parties to validate the identity of other of the parties in an Internet transaction. Integrity. A digital certificate demonstrates that the content signed by the certificate has not been altered while being moved from server to client. Privacy. Digital certificates keep information from being intercepted during transmission over the Internet. Authorization. Digital certificates issued in a PKI environment can replace user IDs and passwords, enhance security, and reduce some of the overhead required for authorization processes and controlling access privileges. Nonrepudiation. Digital certificates can validate actions, making it less likely that customers or partners can later repudiate a digitally signed transaction.
49. Digital Certificates and Certificate Authorities As alluded to earlier, a digital certificate is an electronic document, similar to a digital signature, attacked to a file certifying that this file is from the organization it claims to be from and has not been modified from the originating format. A Certificate Authority is an agency that manages the issuance of certificates and serves as the electronic notary public to verify their worth and integrity.
50. Hybrid Systems In practice asymmetric key encryption is not widely used except in the area of certificates. Instead, it is more often used in conjunction with symmetric key encryption creating a hybrid system. The current process is based on the Diffie-Hellman Key Exchange method, which is a way to exchange private keys without exposure to any third parties using public key encryption. With this method asymmetric encryption is used as a method to exchange symmetric keys, so that two organizations can conduct quick, efficient, secure communications based on symmetric encryption. Diffie-Hellman provided the foundation for subsequent developments in public key encryption.
51. Securing E-mail A number of encryption cryptosystems have been adapted in an attempt to inject some degree of security into e-mail, a notoriously unsecured medium. S/MIME builds on the Multipurpose Internet Mail Extensions (MIME) encoding format by adding encryption and authentication through digital signatures based on public key cryptosystems. Securing E-mail Privacy Enhanced Mail (PEM) was proposed by the Internet Engineering Task Force (IETF) as a standard to function with the public key cryptosystems. PEM uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures. Pretty Good Privacy (PGP) was developed by Phil Zimmerman and uses the IDEA Cipher, a 128-bit symmetric key block encryption algorithm with 64 bit blocks for message encoding. IDEA performs 8 rounds on 16 bit sub-blocks using algebraic calculations. PGP also uses RSA for symmetric key exchange and for digital signatures.
52. Securing the Web Secure Electronic Transactions (SET) was developed by MasterCard and Visa in 1997 to provide protection from electronic payment fraud. SET works by encrypting the credit card transfers with DES for encryption and RSA for key exchange, much as other algorithms do. SET provides the security for both Internet-based credit card transactions and the encryption of swipe systems of those credit cards in retail stores. Secure Socket Layer was developed by Netscape in 1994 to provide security in online electronic commerce transactions. It uses a number of algorithms, but mainly relies on RSA for key transfer and IDEA, DES or 3DES for encrypted symmetric key-based data transfer. Secure Hypertext Transfer Protocol (SHTTP) is an encrypted solution to the unsecured version of HTTP. It provides an alternative to the aforementioned protocols and can provide secure e-commerce transactions as well as encrypted Web pages for secure data transfer over the Web, using a number of different algorithms. Secure Shell (SSH) provides security over remote access connections using tunneling. It provides authentication services between a client and server. IP Security (IPSec) is the cryptographic authentication and encryption product of the IETF’s IP Protocol Security Working Group, defined in RFC 1825, 1826 and 1827. IP Security (IPSec) is used to create Virtual Private Networks (VPNs) and is an open framework for security development within the TCP/IP family of protocol standards.
53. IPSec IPSec combines several different cryptosystems including: Diffie-Hellman key exchange for deriving key material between peers on a public network Public key cryptography for signing the Diffie-Hellman exchanges to guarantee the identity of the two parties Bulk encryption algorithms, such as DES, for encrypting the data Digital certificates signed by a certificate authority to act as digital ID cards. IPSec includes: 1) the IP Security Protocol itself, which defines the information to add to an IP packet, as well as how to encrypt packet data; and 2) the Internet Key Exchange, which uses asymmetric-based key exchange and negotiates the security associations.
54. IPSec Operation IPSec works in two modes of operation: In transport mode only the IP data is encrypted, not the IP headers themselves. In tunnel mode, the entire IP packet is encrypted and is then placed as the payload in another IP packet. The implementation of these technologies is very popular through a process known as Virtual Private Networks (VPNs). A VPN is a network within a network. In the most common implementation, a VPN allows a user to turn the Internet into a private network. However, using the tunneling approach described earlier, an individual or organization can set up tunneling points across the Internet and send encrypted data back and forth, using the IP-packet-within-an-IP-packet method to get the data across safely and securely. VPNs are simple to set up and maintain and usually just require the tunneling points to be dual-homed, connecting a private network to the Internet or to another outside connection point.
55. Kerberos uses symmetric key encryption to validate an individual user to various network resources Kerberos keeps a database containing the private keys of clients and servers Network services running on servers in the network register with Kerberos, as do the clients that wish to use those services The Kerberos system knows these private keys and can authenticate one network node (client or server) to another
56. Sesame To solve some of the problems associated with Kerberos, a new project, the Secure European System for Applications in a Multi-vendor Environment (SESAME), was developed as a European research and development project, partly funded by the European Commission. SESAME is similar in part to Kerberos in that the user is first authenticated to an authentication server to receive a token.
57. Access Control Devices There are a number of components to a successful access control physical design, the most important of which is the need for strong authentication (two-factor authentication). This authentication can consist of the user’s personal password or passphrase but requires at least one other factor to represent strong authentication. Frequently a physical device is used for the second factor. When considering access control you address: What you know: for example, passwords and pass-phrase What you have: tokens and smart cards Who you are: fingerprints, hand topography, hand geometry, retinal, and iris recognition What you produce: voice and signature pattern recognition Authentication is the validation of a user’s identity, in other words, “Are you whom you claim to be?”
58. What You Are Most of the technologies that scan human characteristics convert these images to some form of minutiae. Minutiae are unique points of reference that are digitized and stored in an encrypted format. Each subsequent scan is also digitized and then compared with the encoded value to determine if users are who they claim to be. The problem is that some human characteristics can change over time, due to normal development, injury, or illness.
59. Effectiveness of Biometrics Biometric technologies are evaluated on three basic criteria: False Reject Rate False Accept Rate Crossover Error Rate
60. False Reject Rate The false reject rate is the percentage or value associated with the rate at which authentic users are denied or prevented access to authorized areas, as a result of a failure in the biometric device. This error rate is also known as a Type I error. This error rate, while a nuisance to authorized users, is probably of the least concern to security individuals.
61. Crossover Error Rate (CER) The crossover error rate is the point at which the number of false rejections equals the false acceptances, also known as the equal error rate. It is possibly the most common and important overall measure of the accuracy of a biometric system. The optimal setting is somewhere near the equal error rate or CER.
62. Acceptability of Biometrics While the use of one authentication area is necessary for access to the system, the more devices used the better. To obtain strong authentication, the systems must use two or more authentication areas.