cs 54001-1: large-scale networked systems
DESCRIPTION
CS 54001-1: Large-Scale Networked Systems. Professor: Ian Foster TAs: Xuehai Zhang, Yong Zhao Lecture 4 www.classes.cs.uchicago.edu/classes/archive/2003/winter/54001-1. Week 1: Internet Design Principles & Protocols. An introduction to the mail system An introduction to the Internet - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/1.jpg)
CS 54001-1: Large-Scale Networked Systems
Professor: Ian Foster
TAs: Xuehai Zhang, Yong Zhao
Lecture 4
www.classes.cs.uchicago.edu/classes/archive/2003/winter/54001-1
![Page 2: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/2.jpg)
CS 54001-1 Winter Quarter 2
Week 1:Internet Design Principles & Protocols
An introduction to the mail system An introduction to the Internet Internet design principles and layering Brief history of the Internet Packet switching and circuit switching Protocols Addressing and routing Performance metrics A detailed FTP example
![Page 3: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/3.jpg)
CS 54001-1 Winter Quarter 3
Week 2:Routing and Transport
Routing techniques– Flooding
– Distributed Bellman Ford Algorithm
– Dijkstra’s Shortest Path First Algorithm Routing in the Internet
– Hierarchy and Autonomous Systems
– Interior Routing Protocols: RIP, OSPF
– Exterior Routing Protocol: BGP Transport: achieving reliability Transport: achieving fair sharing of links
![Page 4: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/4.jpg)
CS 54001-1 Winter Quarter 4
Week 3:Measurement & Characterization
What does the Internet look like? What does Internet traffic look like? How do I measure such things? How do such characteristics evolve? What Internet characteristics are shared
with other networks? Are all those Faloutsos’ related?
![Page 5: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/5.jpg)
CS 54001-1 Winter Quarter 5
Week 4: Security
Context: Attacks, services, & mechanisms Message encryption Public key cryptography Authentication protocols Message integrity Public key infrastructure Firewalls
![Page 6: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/6.jpg)
CS 54001-1 Winter Quarter 6
Attacks, Services and Mechanisms
Security Attack: Any action that compromises the security of information.
Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.
Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.
![Page 7: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/7.jpg)
CS 54001-1 Winter Quarter 7
Security Attacks
![Page 8: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/8.jpg)
CS 54001-1 Winter Quarter 8
Security Attacks
Interruption: This is an attack on availability
Interception: This is an attack on confidentiality
Modification: This is an attack on integrity Fabrication: This is an attack on
authenticity
![Page 9: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/9.jpg)
CS 54001-1 Winter Quarter 9
Active and Passive Threats
![Page 10: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/10.jpg)
CS 54001-1 Winter Quarter 10
Methods of Defense
Encryption Software Controls (access limitations in a
data base, in operating system protect each user from other users)
Hardware Controls (smartcard) Policies (frequent changes of passwords) Physical Controls
![Page 11: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/11.jpg)
April 22, 2023 Chapter 8, Figure 3CS 54001-1 Winter Quarter 11
Security
Cryptographyalgorithms
Publickey
(e.g., RSA)
Secretkey
(e.g., DES)
Messagedigest
(e.g., MD5)
Securityservices
AuthenticationPrivacy Messageintegrity
Security Algorithms & Services
![Page 12: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/12.jpg)
CS 54001-1 Winter Quarter 12
Security Services
Confidentiality (privacy) Authentication (who created or sent the data) Integrity (has not been altered) Non-repudiation (the order is final) Access control (prevent misuse of resources) Availability (permanence, non-erasure)
– Denial of Service Attacks
– Virus that deletes files
![Page 13: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/13.jpg)
CS 54001-1 Winter Quarter 13
![Page 14: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/14.jpg)
CS 54001-1 Winter Quarter 14
![Page 15: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/15.jpg)
CS 54001-1 Winter Quarter 15
Week 4: Security
Context: Attacks, services, & mechanisms Message encryption Public key cryptography Authentication protocols Message integrity Public key infrastructure Firewalls
![Page 16: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/16.jpg)
CS 54001-1 Winter Quarter 16
Conventional Encryption Principles
An encryption scheme has five ingredients:– Plaintext
– Encryption algorithm
– Secret Key
– Ciphertext
– Decryption algorithm Security depends on the secrecy of the
key, not the secrecy of the algorithm
![Page 17: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/17.jpg)
CS 54001-1 Winter Quarter 17
Conventional Encryption Principles
![Page 18: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/18.jpg)
CS 54001-1 Winter Quarter 18
Cryptography
Classified along three independent dimensions:– The type of operations used for
transforming plaintext to ciphertext
– The number of keys used> symmetric (single key)
> asymmetric (two-keys, or public-key encryption)
– The way in which the plaintext is processed
![Page 19: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/19.jpg)
CS 54001-1 Winter Quarter 19
Average time required for exhaustive key search
Key Size (bits)
Number of Alternative Keys
Time required at 106 Decryption/µs
32 232 = 4.3 x 109 2.15 milliseconds
56 256 = 7.2 x 1016 10 hours
128 2128 = 3.4 x 1038 5.4 x 1018 years
168 2168 = 3.7 x 1050 5.9 x 1030 years
![Page 20: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/20.jpg)
CS 54001-1 Winter Quarter 20
Conventional Encryption Algorithms
Data Encryption Standard (DES)– The most widely used encryption scheme
– The algorithm is reffered to the Data Encryption Algorithm (DEA)
– DES is a block cipher
– The plaintext is processed in 64-bit blocks
– The key is 56-bits in length
![Page 21: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/21.jpg)
CS 54001-1 Winter Quarter 21
![Page 22: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/22.jpg)
CS 54001-1 Winter Quarter 22
![Page 23: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/23.jpg)
April 22, 2023 Chapter 8, Figure 6CS 54001-1 Winter Quarter 23
4-bit chunk
Expanded to 6 bits by stealinga bit from left and right chunks
…
… …
…
Expansion Phase of DES
![Page 24: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/24.jpg)
April 22, 2023 Chapter 8, Figure 7CS 54001-1 Winter Quarter 24
Block1
IV
DES
Cipher1
Block2
DES
Block3
DES
Block4
DES
+
Cipher2 Cipher3 Cipher4
+++
Cipher Block Chaining
![Page 25: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/25.jpg)
CS 54001-1 Winter Quarter 25
Time to break a code (10Time to break a code (1066 decryptions/µs)decryptions/µs)
![Page 26: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/26.jpg)
CS 54001-1 Winter Quarter 26
Week 4: Security
Context: Attacks, services, & mechanisms Message encryption Public key cryptography Authentication protocols Message integrity Public key infrastructure Firewalls
![Page 27: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/27.jpg)
CS 54001-1 Winter Quarter 27
Public-Key Cryptography
![Page 28: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/28.jpg)
CS 54001-1 Winter Quarter 28
Applications for Public-Key Cryptosystems
Three categories:– Encryption/decryption: The sender
encrypts a message with the recipient’s public key
– Digital signature: The sender ”signs” a message with its private key
– Key exchange: Two sides cooperate to exhange a session key
![Page 29: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/29.jpg)
CS 54001-1 Winter Quarter 29
Requirements for Public-Key Cryptography
Computationally easy for a party B to generate a pair (public key KUb, private key KRb)
Easy for sender to generate ciphertext
Easy for the receiver to decrypt ciphertect using private key
)(MEC KUb
)]([)( MEDCDM KUbKRbKRb
![Page 30: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/30.jpg)
CS 54001-1 Winter Quarter 30
Requirements for Public-Key Cryptography
Computationally infeasible to determine private key (KRb) knowing public key (KUb)
Computationally infeasible to recover message M, knowing KUb and ciphertext C
Either of the two keys can be used for encryption, with the other used for decryption
)]([)]([ MEDMEDM KRbKUbKUbKRb
![Page 31: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/31.jpg)
CS 54001-1 Winter Quarter 31
Public-Key Cryptographic Algorithms
RSA and Diffie-Hellman RSA - Ron Rives, Adi Shamir and Len
Adleman at MIT, in 1977.– RSA is a block cipher
– The most widely implemented Diffie-Hellman
– Exchange a secret key securely
– Compute discrete logarithms
![Page 32: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/32.jpg)
CS 54001-1 Winter Quarter 32
The RSA Algorithm – Key Generation
1. Select p,q p and q both prime
2. Calculate n = p x q
3. Calculate
4. Select integer e
5. Calculate d
6. Public Key KU = {e,n}
7. Private key KR = {d,n}
)1)(1()( qpn)(1;1)),(gcd( neen
)(mod1 ned
![Page 33: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/33.jpg)
CS 54001-1 Winter Quarter 33
Example of RSA Algorithm
![Page 34: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/34.jpg)
CS 54001-1 Winter Quarter 34
The RSA Algorithm - Encryption
Plaintext: M<n
Ciphertext: C = Me (mod n)
![Page 35: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/35.jpg)
CS 54001-1 Winter Quarter 35
The RSA Algorithm - Decryption
Ciphertext: C
Plaintext: M = Cd (mod n)
![Page 36: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/36.jpg)
CS 54001-1 Winter Quarter 36
Key ManagementPublic-Key Certificate Use
![Page 37: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/37.jpg)
CS 54001-1 Winter Quarter 37
Week 4: Security
Context: Attacks, services, & mechanisms Message encryption Public key cryptography Authentication protocols Message integrity Public key infrastructure Firewalls
![Page 38: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/38.jpg)
CS 54001-1 Winter Quarter 38
Authentication Protocols
Simple three-way handshake– Assume two parties share a secret key
Trusted third party– E.g., Kerberos
Public key authentication
![Page 39: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/39.jpg)
April 22, 2023 Chapter 8, Figure 9CS 54001-1 Winter Quarter 39
Client Server
ClientId, E(x, CHK)
E(y + 1, CHK)
E(SK, SHK)
E(x + 1, SHK), E(y, SHK)
Simple Three-Way Handshake
E(m,k) denotes encryption of message m with key k
![Page 40: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/40.jpg)
April 22, 2023 Chapter 8, Figure 10CS 54001-1 Winter Quarter 40
AS B
E((T, L, K, B), KA),
E((A, T), K),
E((T, L, K, A), KB)
A, B
E(T + 1, K)
E((T, L, K, A), KB)
Trusted Third Party
Ka and Kb are secret keys shared with server S
T=timestamp, L=lifetime, K=session key
![Page 41: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/41.jpg)
April 22, 2023 Chapter 8, Figure 11CS 54001-1 Winter Quarter 41
A B
E(x, PublicB)
x
Public Key Cryptography
![Page 42: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/42.jpg)
CS 54001-1 Winter Quarter 42
Message Integrity
Requirements - must be able to verify that:– Message came from apparent source or
author,
– Contents have not been altered,
– Sometimes, it was sent at a certain time or sequence.
Protection against active attack (falsification of data and transactions)
![Page 43: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/43.jpg)
CS 54001-1 Winter Quarter 43
Approaches to Message Integrity
Conventional encryption– Only the sender and receiver should share a key
Message integrity without message encryption– An authentication tag is generated and
appended to each message Message Authentication Code
– Calculate the MAC as a function of the message and the key. MAC = F(K, M)
![Page 44: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/44.jpg)
CS 54001-1 Winter Quarter 44
![Page 45: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/45.jpg)
CS 54001-1 Winter Quarter 45
One-way HASH One-way HASH functionfunction
![Page 46: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/46.jpg)
CS 54001-1 Winter Quarter 46
One-way HASH function
Secret value is added before the hash and removed before transmission.
![Page 47: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/47.jpg)
CS 54001-1 Winter Quarter 47
Secure HASH Functions Purpose of the HASH function is to produce a
”fingerprint. Properties of a HASH function H :
1. H can be applied to a block of data at any size2. H produces a fixed length output3. H(x) is easy to compute for any given x.4. For any given block x, it is computationally
infeasible to find x such that H(x) = h5. For any given block x, it is computationally
infeasible to find with H(y) = H(x).6. It is computationally infeasible to find any pair (x,
y) such that H(x) = H(y)
xy
![Page 48: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/48.jpg)
CS 54001-1 Winter Quarter 48
Simple Hash Function
One-bit circular shift on the hash value after each block is processed would improve
![Page 49: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/49.jpg)
CS 54001-1 Winter Quarter 49
Message Digest Generation Using SHA-1
![Page 50: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/50.jpg)
CS 54001-1 Winter Quarter 50
SHA-1 Processing of single 512-Bit Block
![Page 51: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/51.jpg)
April 22, 2023 Chapter 8, Figure 13CS 54001-1 Winter Quarter 51
Sender identity and messageintegrity confirmed
if checksums match
Calculate MD5 checksum onreceived message and compare
against received value
Decrypt signed checksumwith sender’ s public key
Calculate MD5 checksumover message contents
Sign checksum using RSAwith sender’ s private key
Transmitted message
![Page 52: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/52.jpg)
April 22, 2023 Chapter 8, Figure 14CS 54001-1 Winter Quarter 52
Decrypt message usingDES with secret key k
Decrypt E(k ) using RSA withmy private key -> k
Convert ASCII message
Encrypt k using RSA withrecipient’ s public key
Encode message + E(k )in ASCII for transmission
Encrypt message usingDES with secret key k
Create a random secret key k Original message
Transmitted message
![Page 53: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/53.jpg)
CS 54001-1 Winter Quarter 53
Week 4: Security
Context: Attacks, services, & mechanisms Message encryption Public key cryptography Authentication protocols Message integrity Public key infrastructure Firewalls
![Page 54: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/54.jpg)
CS 54001-1 Winter Quarter 54
Public-Key Cryptography Principles
The use of two keys has consequences in: key distribution, confidentiality and authentication.
The scheme has six ingredients– Plaintext
– Encryption algorithm
– Public and private key
– Ciphertext
– Decryption algorithm
![Page 55: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/55.jpg)
CS 54001-1 Winter Quarter 55
Encryption using Public-Key system
![Page 56: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/56.jpg)
CS 54001-1 Winter Quarter 56
X.509 Authentication Service
Distributed set of servers that maintains a database about users
Each certificate contains the public key of a user and is signed with the private key of a CA
Is used in S/MIME, IP Security, SSL/TLS and SET
RSA is recommended
![Page 57: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/57.jpg)
CS 54001-1 Winter Quarter 57
X.509 Formats
![Page 58: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/58.jpg)
CS 54001-1 Winter Quarter 58
Typical Digital Signature Approach
![Page 59: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/59.jpg)
CS 54001-1 Winter Quarter 59
Obtaining a User’s Certificate
Characteristics of certificates generated by CA:– Any user with access to the public key of
the CA can recover the user public key that was certified.
– No part other than the CA can modify the certificate without this being detected.
![Page 60: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/60.jpg)
April 22, 2023 Chapter 8, Figure 12CS 54001-1 Winter Quarter 60
User User User
User User User User User
CA CA
CA
CA CA CA
PCA1 PCA2
IPRA
PCA3
CA
CA
IPRA = Internet PolicyRegistration Authority (root)
PCAn = policy certification authorityCA =certification authority
![Page 61: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/61.jpg)
CS 54001-1 Winter Quarter 61
X.509 CA Hierarchy
![Page 62: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/62.jpg)
CS 54001-1 Winter Quarter 62
Revocation of Certificates
Reasons for revocation:– The users secret key is assumed to be
compromised.
– The user is no longer certified by this CA.
– The CA’s certificate is assumed to be compromised.
![Page 63: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/63.jpg)
CS 54001-1 Winter Quarter 63
Week 4: Security
Context: Attacks, services, & mechanisms Message encryption Public key cryptography Authentication protocols Message integrity Public key infrastructure Firewalls
![Page 64: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/64.jpg)
CS 54001-1 Winter Quarter 64
Firewall DesignPrinciples
The firewall is inserted between the premises network and the Internet
Aims:– Establish a controlled link
– Protect the premises network from Internet-based attacks
– Provide a single choke point
![Page 65: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/65.jpg)
CS 54001-1 Winter Quarter 65
Firewall Characteristics
Design goals:– All traffic from inside to outside must pass
through the firewall (physically blocking all access to the local network except via the firewall)
– Only authorized traffic (defined by the local security police) will be allowed to pass
– The firewall itself is immune to penetration (use of trusted system with a secure operating system)
![Page 66: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/66.jpg)
CS 54001-1 Winter Quarter 66
Four General Techniques Service control
– Determines the types of Internet services that can be accessed, inbound or outbound
Direction control– Determines the direction in which particular service
requests are allowed to flow User control
– Controls access to a service according to which user is attempting to access it
Behavior control– Controls how particular services are used (e.g. filter e-
mail)
![Page 67: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/67.jpg)
CS 54001-1 Winter Quarter 67
Types of Firewalls
Three common types of Firewalls:– Packet-filtering routers
– Application-level gateways
– Circuit-level gateways
– (Bastion host)
![Page 68: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/68.jpg)
CS 54001-1 Winter Quarter 68
Types of Firewalls
Packet-filtering Router
![Page 69: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/69.jpg)
CS 54001-1 Winter Quarter 69
Types of Firewalls
Packet-filtering Router– Applies a set of rules to each incoming IP
packet and then forwards or discards the packet
– Filter packets going in both directions
– The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
– Two default policies (discard or forward)
![Page 70: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/70.jpg)
CS 54001-1 Winter Quarter 70
Types of Firewalls
Advantages:– Simplicity
– Transparency to users
– High speed Disadvantages:
– Difficulty of setting up packet filter rules
– Lack of Authentication
![Page 71: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/71.jpg)
CS 54001-1 Winter Quarter 71
Types of Firewalls
Possible attacks and appropriate countermeasures– IP address spoofing
– Source routing attacks
– Tiny fragment attacks
![Page 72: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/72.jpg)
CS 54001-1 Winter Quarter 72
Types of Firewalls
Application-level Gateway
![Page 73: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/73.jpg)
CS 54001-1 Winter Quarter 73
Types of Firewalls
Application-level Gateway– Also called proxy server
– Acts as a relay of application-level traffic Advantages:
– Higher security than packet filters
– Only need to scrutinize a few allowable applications
– Easy to log and audit all incoming traffic Disadvantages:
– Additional processing overhead on each connection (gateway as splice point)
![Page 74: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/74.jpg)
CS 54001-1 Winter Quarter 74
Types of Firewalls
Circuit-level Gateway
![Page 75: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/75.jpg)
CS 54001-1 Winter Quarter 75
Types of Firewalls
Circuit-level Gateway– Stand-alone system or
– Specialized function performed by an Application-level Gateway
– Sets up two TCP connections
– The gateway typically relays TCP segments from one connection to the other without examining the contents
![Page 76: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/76.jpg)
CS 54001-1 Winter Quarter 76
Types of Firewalls
Circuit-level Gateway– The security function consists of
determining which connections will be allowed
– Typically use is a situation in which the system administrator trusts the internal users
– An example is the SOCKS package
![Page 77: CS 54001-1: Large-Scale Networked Systems](https://reader035.vdocuments.mx/reader035/viewer/2022062520/56815702550346895dc4a97f/html5/thumbnails/77.jpg)
CS 54001-1 Winter Quarter 77
Course Outline (Subject to Change)
1. (January 9th) Internet design principles and protocols
2. (January 16th) Internetworking, transport, routing
3. (January 23rd) Mapping the Internet and other networks
4. (January 30th) Security
5. (February 6th) P2P technologies & applications (Matei Ripeanu)(plus midterm)
6. (February 13th) Optical networks (Charlie Catlett)
7. *(February 20th) Web and Grid Services (Steve Tuecke)
8. (February 27th) Network operations (Greg Jackson)
9. *(March 6th) Advanced applications (with guest lecturers: Terry Disz, Mike Wilde)
10. (March 13th) Final exam
* Ian Foster is out of town.