Network and Internet Security - Essay Example

? Network and Internet Security Lecturer: Part Session Keys (10 pts) Session keys are a critical component to theoperation of different security solutions. Examine the establishment of session keys such that the session key is incomputable and non-spoofable. You may wish to study systems that rely on: a) A shared secret; b) Authenticated public keys (including Diffie-Hellman); c) A single public key; and d) One time passwords (including Lamport's Hash). To better understand how these methods are used, study their implementation in various protocols/products such as: Kerberos V4 Kerberos V5 Secure Socket Layer Show attacks and defences to these session key establishment protocols at all levels, including one or both of the communicating machines being compromised. Answer Session keys are used to ensure that communication between two parties can be initiated when needed and terminated when there is no use of it. As a result, session keys can be termed as temporary keys (symmetric keys) since their use is no longer needed once the communication session between the hosts had been terminated. The reason behind the generation of new keys is that, network communication attackers can pick up a key that had been used previously and use them to initiate the same communication. To avoid such occurrences, session keys for all systems are designed to be used only once. Session keys have a number of benefits. These include the fact that: They limit the number of attacks on a system by making it difficult to attack a system since the amount of data being processed by the respective key is minimal. Secondly, public-key cryptography also known as asymmetric cryptography is very slow as it uses a two key encryption method (public and private). Due to the fact that communication channels are very vulnerable to attacks. The establishment of session keys should be placed as a priority in a bid to prevent and withstand attacks. With that, the establishment of a session key depends on the encryption technique. There are a number of encryption techniques that can be used. These techniques have been categorized into either: symmetric, asymmetric and/ or hybrid encryption. Symmetric encryption (Single key encryption) - requires the use of only a single key for the process of encrypting messages as well as decrypting them. This technique ensures that there is only one key which will be used – that is a secret key. Asymmetric encryption (Public key encryption) - requires the use of a two keys where one is a private key and the other is a public key which is known to a number of people. With that, these two keys (public and private keys) are used interchangeable to encrypt and decrypt messages. Hybrid encryption (single key and public key) – this technique used both the symmetric and asymmetric encryption techniques. It is important to note that, modern systems have been designed to be dynamic in terms of the encryption technique (s) that they are using. As a result; they can use both the symmetric and asymmetric encryption techniques interchangeably. Encryption by a shared secret: As the name suggests, two hosts can be in a position to exchange information through the use of a shared secret and/ or a secret key. This mechanism is characterised by the fact that the shared secret key is used to encrypt both the senders and the recipient’s messages. Based on that, this channel faces very high security risks since if the message is tapped or eavesdropped, the attacker can be in a position to use the shared secret key to either encrypt or decrypt the entire conversation. Based on that, data security is highly compromised. The other challenge faced with the shared secret key encryption is the fact that the higher the messages that are being sent on the communication channel by the hosts, their corresponding keys will also be increased. As a result, there will be too many keys being shared. Thirdly, due to the fact that it is a shared key, if the sender’s key is not known, decrypting the ciphered text will be a challenge to the recipient. Based on the above challenges, the solution that has so far countered the challenges associated with the shared secret key is the use of session keys which are created and terminated easily. Encryption using session keys: Sessions keys are implemented using the following process description: If Host A, B and C want to communicate to each other; they have to set up an encrypted link among themselves. With that, if Host A wants to send an encrypted message to B and C, then A will have to provide its key that will be used by B and C in a bid to decrypt the ciphered message. This key exchange process requires the availability of a Key Distribution Centre (KDC) that is used to store the shared session keys. It is worthy to note that, this scheme totally depends on the KDC and if the KDC encounters any problems, then that will compromise on data security. With that stated, below are some of the challenges that may be faced by the KDC. First, if the KDC fails to store the session keys, then the hosts will not be in a position to encrypt and decrypt the messages. Secondly, if the number of keys grows then there is need for a scalable KDC else it will fail to provide the keys. Thirdly, the KDC is not used for connection less protocols. Fourth, transporting the keys physically can be tedious. The above encryption techniques can be used in the following protocols and/ or products: Kerberos V4, Kerberos V5 and Secure Socket Layer (SSL). Kerberos is a network authentication protocol that is used in a bid to provide security for both the client and the server through the use of the secret-key cryptography. Kerberos also depends entirely on the KDC so as to ensure secure communication between the hosts. Kerberos V4 and Kerberos V5 provide the same functionality only that the V5 is an improvement of the V4 based on its minor challenges. One of the major challenges (attacks) which can be encountered through using the Kerberos V4 is the fact that its re-uses keys based on the previous communication link on a new session of the same communication. As a result, an attacker can be in a position to retrieve the key and use it to gain access to the previous communication as well as the new communication session that was being shared by the hosts. The defences to this challenge have been implemented by the Kerberos V5. In the V5 the client can be in a position to “negotiate” the creation of a new session key at each instance. Based on that, the chances of attacks to the system are minimized. Secure socket layer (SSL) is a protocol that provides stable and reliable end to end connection between the server and the client. There are two layer protocols that are associated with SSL. These include: SSL record protocol and the upper layer protocol which encapsulates the handshake, alert and cipher spec protocol. The challenges encountered with SSL include: lack of authenticity in browser certificates. This is due to the reason that if the browser trusts the certificate it goes ahead to create, encrypt and then send back the private key by using the public key that belongs to the server. A defence to this challenge would be to optimally use Certificate Signing Request (CSR) which ensures that the private key and CSR data file generated are directly sent to the SSL Certificate issuer. Part 2: Group Discussion Question (10pts) Discuss the relative advantages and disadvantages of implementing cryptographic protocols at the application layer (layer 7), network layer (layer 3), and transport layer (layer 4) of the OSI basic reference model. Justify your answer by referring to the different security related technologies/solutions seen in the course (or others you read about) and the strengths and weaknesses they show because of their position in the protocol stack. We suggest that you answer this question as a group, with each student arguing for a different layer and the other students commenting on his/her answers, using blackboard. Answer The advantages of implementing cryptographic protocols at the application layer includes: the protection of data that is transmitted in channels such as emails; data stored in databases. In addition to that, cryptographic protocols at the application ensure that there is efficient and effective transfer between the hosts. Some of the protocols in this layer include: FTP, HTTP, TELNET and DNS. The disadvantage of implementing cryptographic protocols at the application layer is that they can fall redundant due to change in security application technologies. With regard to the discussed security technologies, it should be noted that protocols such as SSL can fall short while handling the session communication. The web browser (client) may accept a certificate from an organisation that is not legitimate and this may in turn lead to the lack of data security. References Angel Fire. Session Keys. Web. Retrieved from: http://www.angelfire.com/nj2/raisahmad/sessionKeys.htm MIT. Kerberos: The Network Authentication Protocol. 2013. Web. Retrieved from: http://web.mit.edu/kerberos/ Microsoft. The OSI Model's Seven Layers Defined and Functions Explained. 2013. Web. Retrieved from: http://support.microsoft.com/kb/103884 Networking. Seven layer Model. 2013. Web. Retrieved from: http://networking.ringofsaturn.com/Protocols/sevenlayer.php Read More