Date posted: 19-Dec-2015
Security Engineering and PKI Applications in Modern Enterprises
Mohamed [email protected]
National Digital Certification Agency
04/18/23
PLAN
– Building a secure infrastructure
– Managing trust
– General guidelines
– Building Incident Response Teams (IRTs)
Basic security requirements
Security requirement: definition
– Authentication: guarantees that a person or system is exactly who or what it claims to be.
– Availability: protects against loss of system operation caused by malicious code, request flooding (denial of service) and penetration attempts.
– Data integrity: protects against unauthorized changes to data, whether intentional or accidental.
– Confidentiality: protects against the disclosure of information to unauthorized users. Encryption is typically used to assure confidentiality when information is transmitted over networks.
– Non-repudiation: protects against a person later denying that a communication or transaction took place as recorded.
– Access control: provides access to authorized users while denying it to unauthorized users.
– Auditing: records and monitors intentional or unintentional misuse of security features.
Organizational Issues (1)
Computer security should be integrated into the management process:
1. Security responsibilities and roles should be clearly defined (security division, security officer, etc.)
2. Security programs should be built
3. Security should be periodically reassessed
Organizational Issues (2)
Computer security should be cost-effective:
1. Security decisions should involve mixed personnel (technical and administrative)
2. Security programs should aim at protecting the most sensitive assets against the most frequent attacks with the least expensive measures
3. Concessions have to be made, since zero-risk situations are not reachable
Human Resources
System users should
– be aware of the importance of security
– apply security practices
– react appropriately to security incidents
An awareness promotion program has to be developed
Awareness Promotion Program (APP)
The APP should
– apply to all users
– be suited to users' roles and technical background
– be continuous (follow technology progress)
Key issues include
– password protection
– social engineering recognition
– incident notification and reaction
Hardware and Software Equipment
The most common security solutions are:
– Routers
– Firewalls
– Intrusion Detection Systems (IDSs)
– Virtual Private Network (VPN) gateways
Routers
Designed to forward packets between networks according to their IP addresses
May include Access Control Lists (ACLs) that permit or deny packets by source/destination address, protocol and port
Firewalls
A gateway between two networks having different security levels
– All traffic between the two networks must pass through the firewall
– The firewall must allow only authorized traffic to pass
– The firewall itself is supposed to be immune to penetration and compromise
Firewalls: types
Packet filters
– Operate at the network and transport layers of the OSI model, deciding on addresses, protocols and ports
– Static (stateless) packet filtering, which judges each packet on its own, or stateful inspection, which also tracks the state of each connection
Proxies
– Act at the application layer
– Provide services for specific protocols (e.g. HTTP, FTP, SMTP)
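The difference between static packet filtering and stateful inspection is easiest to see on traffic. The following is an added example, not part of the original slides: a toy stateless ACL and a toy stateful filter run over three constructed packets (documentation IP ranges, hypothetical internal prefix 10.0.0.x), the third being a forged "reply" from port 80 that no internal host ever requested.

```python
"""Added example: static packet filtering versus stateful inspection on constructed traffic."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN"}) or frozenset({"ACK"})


INTERNAL_PREFIX = "10.0.0."          # hypothetical internal network
ALLOWED_OUTBOUND_PORTS = {80, 443}   # policy: internal hosts may only browse the web


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def static_filter(pkt: Packet) -> bool:
    """Stateless ACL: decide from the header of this packet alone.

    Outbound web traffic is allowed. Inbound traffic is allowed only if it looks
    like a reply (ACK set, source port 80/443). The filter has no memory, so an
    attacker can forge such a 'reply' without any prior connection existing."""
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return pkt.dport in ALLOWED_OUTBOUND_PORTS
    if not is_internal(pkt.src) and is_internal(pkt.dst):
        return "ACK" in pkt.flags and pkt.sport in ALLOWED_OUTBOUND_PORTS
    return False


class StatefulFirewall:
    """Stateful inspection: inbound packets are accepted only if they belong to a
    connection that an internal host opened first (kept in a connection table)."""

    def __init__(self):
        # entries: (internal ip, internal port, external ip, external port)
        self.table = set()

    def filter(self, pkt: Packet) -> bool:
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            if pkt.dport not in ALLOWED_OUTBOUND_PORTS:
                return False
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "SYN" in pkt.flags:          # new outbound connection: remember it
                self.table.add(key)
            return key in self.table
        if not is_internal(pkt.src) and is_internal(pkt.dst):
            # accept only replies to a connection we have already seen
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table
        return False


def run_demo():
    # Constructed traffic: a legitimate HTTPS request, its reply, and a forged
    # 'reply' (ACK from port 80) aimed at an internal SMB port.
    out_syn = Packet("10.0.0.5", 40001, "203.0.113.10", 443, frozenset({"SYN"}))
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 40001, frozenset({"SYN", "ACK"}))
    forged = Packet("198.51.100.7", 80, "10.0.0.5", 445, frozenset({"ACK"}))
    fw = StatefulFirewall()
    return {
        "static": [static_filter(p) for p in (out_syn, reply, forged)],
        "stateful": [fw.filter(p) for p in (out_syn, reply, forged)],
    }


if __name__ == "__main__":
    print(run_demo())  # static lets the forged packet through; stateful drops it
```

The stateless filter has to accept every packet that merely looks like a reply, which is exactly what an ACK scan or a forged inbound packet exploits; the stateful filter accepts the reply only because it matches an entry created by the internal host's SYN.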
IDSs
Intrusion detection: detecting unauthorized, inappropriate or anomalous activity
Classification I (by data source)
– Host-based IDSs
– Network-based IDSs
Classification II (by detection method)
– Signature-based IDSs
– Anomaly-based IDSs
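To make the second classification concrete, here is an added example (not from the original slides) that runs a signature-based detector and an anomaly-based detector over constructed web-server log lines. The attack patterns, the per-client baseline and the log entries are all assumptions made for the demonstration.

```python
"""Added example: signature-based versus anomaly-based detection on constructed log lines."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Common Log Format lines: normal browsing, one SQL-injection attempt,
# one path-traversal attempt, then a burst of 40 requests from a single client.
LOG_LINES = [
    '10.0.0.5 - - [18/Apr/2023:10:00:01 +0100] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [18/Apr/2023:10:00:02 +0100] "GET /about.html HTTP/1.1" 200 420',
    '10.0.0.9 - - [18/Apr/2023:10:00:03 +0100] "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 99',
    '10.0.0.9 - - [18/Apr/2023:10:00:04 +0100] "GET /..%2F..%2Fetc/passwd HTTP/1.1" 404 0',
] + [
    f'10.0.0.77 - - [18/Apr/2023:10:00:{5 + i:02d} +0100] "GET /search?q={i} HTTP/1.1" 200 30'
    for i in range(40)
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Assumed signatures, matched against the URL-decoded path.
SIGNATURES = {
    "sql-injection": re.compile(r"'\s*(or|and)\s+'?\d", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_detect(lines):
    """Signature-based: flag every request whose path matches a known attack pattern.
    Precise for known attacks, blind to anything not in the signature set."""
    hits = []
    for rec in map(parse, lines):
        if not rec:
            continue
        path = unquote(rec["path"])      # decode %xx so encoded variants do not slip past
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((rec["src"], name))
    return hits


def anomaly_detect(lines, baseline_per_client=5.0, factor=4.0):
    """Anomaly-based: flag clients whose request volume exceeds `factor` times an
    assumed baseline. Needs no attack knowledge, but a legitimate heavy user would be
    flagged too, which is the usual false-positive trade-off of this approach."""
    counts = Counter(rec["src"] for rec in map(parse, lines) if rec)
    return sorted(src for src, n in counts.items() if n > baseline_per_client * factor)


def run_demo():
    return {"signature": signature_detect(LOG_LINES), "anomaly": anomaly_detect(LOG_LINES)}


if __name__ == "__main__":
    print(run_demo())
```

Note that neither detector sees what the other does: the signatures say nothing about the burst from 10.0.0.77, and the volume threshold says nothing about the two malicious requests from 10.0.0.9, which is why real deployments combine both methods.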
IDS reactivity
An IDS can react in different ways
– Generating alarms
– Blocking ports
– Blocking connections
– Responding to malicious actions
VPN Gateways
Allow the establishment of encrypted tunnels between networks and sub-networks
Can be implemented inside firewalls and routers
Security Documents (1)
1. Security strategy
– Technology-independent
– Applicable to all assets
– Long lifetime
– Strict update policy
2. Security policy
– Implementation of the security rules according to a given technology
– Three constraints: standards conformance, feasibility, implementation cost
Security Documents (2)
3. Security practices
– Simple rules that users have to follow during their interaction with the system
– Apply to humans
– Frequently updated
Managing Trust (1)
Basic implementations of security mechanisms do not fulfil the security policy requirements
Authentication is often based on
– IP addresses
– E-mail addresses
– Passwords and personal data
None of these is hard to spoof or steal
Managing trust (2)
[Figure: a malicious user masquerading as a normal user]
– Masquerade opportunity
– Less confidence in the system
Asymmetric cryptosystem
Based on key pairs (public key, private key)
– What is encrypted with the public key can only be decrypted with the private key
– What is encrypted with the private key can be decrypted with the public key (the basis of digital signatures)
– Multiple copies of a public key can exist
– Only one copy of the private key exists (held by its owner)
Used to provide authentication, non-repudiation, confidentiality and integrity
Authentication, non-repudiation, integrity (1)
[Figure: signing. The message goes through a hash process that produces a message digest; the digest is encrypted with the sender's private key to produce the digital signature, which is attached to the message to form the digitally signed message.]
Authentication, non-repudiation, integrity (2)
[Figure: verification. The receiver recomputes the message digest from the received message and decrypts the digital signature with the sender's public key; if the two digests are equal (=), authentication, non-repudiation and integrity are established.]
Authentication, non-repudiation, integrity (3)
[Figure: verification failure. The receiver recomputes the message digest and decrypts the digital signature with the sender's public key; if the two digests differ, at least one requirement has been violated: the message was altered, or it was not signed with the claimed sender's private key.]
Confidentiality
[Figure: the sender encrypts the digitally signed message with the recipient's public key; the receiver decrypts the encrypted message with the recipient's private key and recovers the digitally signed message.]
Asymmetric cryptosystems: are they sufficient?
A digital signature can be used to verify that a message has been delivered unaltered and to verify the identity of the sender through his public key
But a proof of who possesses the key material is still needed: nothing so far binds a public key to an identity
Public Key Infrastructure (PKI)
[Figure: three parties A, B and C]
B does not trust A
A trusts C, B trusts C
Public Key Infrastructure (PKI)
[Figure: A, B and C, with C between them]
C is a trusted third party
B can trust A if C guarantees A's identity
Certification Authority (CA)
A trusted third party that delivers digital certificates
[Figure: A, B and the CA C]
Digital Certificates
A certificate contains:
– User information: identifiers (e-mail, URL, IP address), city, country, etc.
– CA information
– User public key
– CA signature over all of the above
Accessing Public Keys
[Figure: directory server. A's certificate is published on a directory server; B retrieves A's certificate, extracts A's public key and uses it to produce an encrypted message, which only A, holding A's private key, can decrypt.]
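The signing, verification, confidentiality and certificate slides above describe one flow; the following added example (not code from the original presentation or the agency) runs it end to end with textbook RSA built from the Python standard library only. The key sizes, the 64-bit truncated digest, the certificate layout, the party names A, C and the malicious user, and the message are all assumptions made for the demonstration; textbook RSA without padding is never acceptable in production.

```python
"""Added example: signature, certificate and encryption flows with textbook RSA
(standard library only; illustration, not production cryptography)."""
import hashlib

E = 65537  # public exponent shared by every key pair below


def make_keypair(p, q):
    """Textbook RSA from two primes: no padding, no randomness, demo sizes only."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # private exponent (Python 3.8+)
    return (n, E), (n, d)                # (public key, private key)


def digest(data):
    """Hash process: SHA-256 truncated to 64 bits so it fits under the toy moduli."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def sign(priv, data):
    """Sender: digest the message, then 'encrypt' the digest with the private key."""
    n, d = priv
    return pow(digest(data), d, n)


def verify(pub, data, sig):
    """Receiver: decrypt the signature with the public key, compare with a fresh digest."""
    n, e = pub
    return pow(sig, e, n) == digest(data)   # the '=' box; False means a violation


def encrypt(pub, m):
    """Confidentiality: encrypt a small integer with the recipient's public key."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message too large for this modulus")
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


# A certificate binds user information and the user's public key under the CA's signature.
def cert_body(subject, pub):
    return f"{subject}|{pub[0]}|{pub[1]}".encode()


def issue_cert(ca_priv, subject, pub):
    return {"subject": subject, "pub": pub, "ca_sig": sign(ca_priv, cert_body(subject, pub))}


def verify_cert(ca_pub, cert):
    return verify(ca_pub, cert_body(cert["subject"], cert["pub"]), cert["ca_sig"])


def verify_signed_message(ca_pub, cert, expected_subject, msg, sig):
    """B's full check: the certificate names the expected sender, was signed by the
    CA that B trusts, and the message signature verifies under the certified key."""
    return (cert["subject"] == expected_subject
            and verify_cert(ca_pub, cert)
            and verify(cert["pub"], msg, sig))


# Constructed parameters: known Mersenne primes, far too small for real use.
CA_PUB, CA_PRIV = make_keypair(2**89 - 1, 2**107 - 1)    # C, the trusted third party
A_PUB, A_PRIV = make_keypair(2**31 - 1, 2**61 - 1)       # A, the sender
M_PUB, M_PRIV = make_keypair(2**127 - 1, 2**521 - 1)     # a malicious user posing as A


def run_demo():
    msg = b"Transfer 100 dinars to account 42"            # constructed message
    a_cert = issue_cert(CA_PRIV, "A", A_PUB)              # C certifies A's key
    sig = sign(A_PRIV, msg)
    genuine = verify_signed_message(CA_PUB, a_cert, "A", msg, sig)
    # Integrity: the same signature over an altered message no longer verifies.
    tampered = verify_signed_message(CA_PUB, a_cert, "A", b"Transfer 900 dinars to account 42", sig)
    # Masquerade: a self-made 'certificate' naming "A" over the attacker's own key
    # fails the CA check, so the attacker's otherwise valid signature is never trusted.
    fake_cert = {"subject": "A", "pub": M_PUB, "ca_sig": sign(M_PRIV, cert_body("A", M_PUB))}
    masquerade = verify_signed_message(CA_PUB, fake_cert, "A", msg, sign(M_PRIV, msg))
    # Confidentiality: only A's private key recovers what was encrypted with A's public key.
    secret = digest(b"session key")
    round_trip = decrypt(A_PRIV, encrypt(A_PUB, secret)) == secret
    return {"genuine": genuine, "tampered": tampered, "masquerade": masquerade, "round_trip": round_trip}


if __name__ == "__main__":
    print(run_demo())
```

The masquerade case is the point of the PKI slides: without C's signature over A's public key, B has no way to tell A's key from the malicious user's, since both produce signatures that verify under their own public keys.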