CS2020:   Web Science, Sytems and Design
   Symmetric Encryption



The Idea:
  • A cryptographic system that uses ONLY ONE key
  • When John wants to send a secure message to Jane, he uses hekey to encrypt the message. Jane then uses the same key to decrypt it.

Important:

 

    • both sender and recipient must have the same key.

Problem:

 

    • How do you send the key to someone without it being intercepted.
    • Not as good as Asymmetric (Public-key) Encryption.

Possible Solutions

  • Software-based
  • Hardware-based
  • Freeware versus Commercial Products
  • Use of Security Protocols

  • Use of security-oriented system administration tools
     
Web-Based System Security Strategies
Firewalls

"A mechanism used to prevent unauthorized entry into a company's internal network"  --from e-Commerce Applications Using Oracle 8i and ...
 

"A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria." -- from www.webopedia.com

  • may be SW or SW/HW combination
  • may have firewall installed on its own server (separate physical device).
  • one of the best ways to restrict network to network access.
  • typically, will not protect hacking, security violations from the local network, meaning from within the confines of the firewall.  Where you place your firewall in your system architecture can be important!!
    • SEE FIGURE 11.1 of e-Commerce book!!!!
  • Restricts capabilities in terms of techniques can use to access the protected network facilities (servers, etc.)
    • Many configurations of Firewalls will not allow direct socket connections through the firewall.  
    • May also restrict use of RMI (dependent on sockets), through Firewall.  
  • Usually can configure so that access inbound and outbound is assymetric.
    • Meaning you may restrict access incomming to only go to port 80 (typically the web-server...HTTP access)
    • But, you may allow any kind out outbound traffic. So, you users on the network can do whatever they like.
  • Design Warning: 
    • Need to be careful, that there are not systems internal to your network that do not go through a firewall when using firewalls for a main security option.  This is a potential opening into your network to other devices supposedly protected by a firewlall.
  • Common  techniques:
    • IP filtering 
      • = controls access by solely looking at information contained in the IP header of data packets being sent to the server.
    • Circuit-level gateway

      = Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

    • Application Proxy
        =does not look at data packets, instead this kind of firewall sits on a separate server and will actually look at the information being sent to it.  Acts as a kind of filter. 
        • Can be specific to the application at hand and only allow certain kinds of information/requests to be sent through it on to the back-end.   Example:  IBM and other companies producs a firewall that provides a SQL*Net proxy that when a port is opened for SQL*Net traffic (SQL - Oracle database activities), only SQL*Net traffic is allowed to use this port.
Terminology:   Types of Firewalls
Screening Router
  • Routes traffic pased on header information
  • Implements IP filtering
Proxy Gateway
    • Can define types of commands that can legally pass through this kind of firewall on to the back-end
    • Simplist form of Application Proxy Server
Gaurd
    • This is an integration of both the Screening Router capabilities and Proxy Gateway capabilities
SATAN
Security Analysis Tool for Auditing Networks.
    • Commonly used SW tool Admins use to monitor security capabilities of their system.
    • Use to identify weaknesses in security on the server.
    • In usage-concept, like how you use Norton Anti-Virus SW on your own personal machine.
Protocols
 
SOCKS
  • Network protocol that allows hosts from one side of SOCKS server access to devices on other side without direct IP accessibility between them.
  • A protocol for handling TCP traffic through a proxy server. It can be used with virtually any TCP application, including Web browsers and FTP clients.
  • It provides a simple firewall because it checks incoming and outgoing packets and hides the IP addresses of client applications.
  • Unlike many firewalls, allows outgoing RMI calls (but, not incomming nor callbacks)
  • Free: See www.socks.nec.com
  • Commercial packages also available, e.g. www.sun.com

  •  
SSL
Secure Socket Layers. Protocol to setup a secure connection between a Server and Client over which can send any amount of secure data.
    • Data Encryption supported (see below)
    • SSL works by using a private key to encrypt data that's transferred over the SSL connection.
    • Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers.
    • By convention, Web pages that require an SSL connection start with https: instead of http:
    • Data Integrity Checking supported.

Secure HTTP (S-HTTP)

Protocol for transmitting data securely over the World Wide Web.

  • Whereas SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely, S-HTTP is designed to transmit individual messages securely.
  • Not as prevalent as SSL.
RADIUS
Remote Authentication Dial-In User Service
    • Authentication and accounting system used by many Internet Service Providers (ISPs). When you dial in to the ISP you must enter your username and password. This information is passed to a RADIUS server, which checks that the information is correct, and then authorizes access to the ISP system. Though not an official standard, the RADIUS specification is maintained by a working group of the IETF.
    • Password authentication support
    • Token device support
      • Uses a physical device to help establish the connection.  Typically the physical device will send some token that verifies the user has access permission

        Smartcards can be considered a kind of Token device.
         
         

    • Network Authentication services support.  ( uses external authenticator)
Proxy Servers 

"A server that sits between a client application, such as a Web browser, and a real server. It intercepts all requests to the real server to see if it can fulfill the requests itself. If not, it forwards the request to the real server. "

 

  • Used to either provide filtering (security) or to improve performance (fulfill requests itself rather than forwarding....it can do this because for some short period of time will save the results of a request to the real server and if this request is made again will not bother the real server but, simply return the result it has cached).
  • Recall, one type of Firewall is the Application Proxy Server (used for security).
HTTP proxy server
In particular, this kind of proxy server controls HTTP access.  May do so via port control (called HTTP-to-port tunneling) or via CGI control (called HTTP-to-CGI tunneling).  This kind of Firewall can allow for RMI access through a firewall.
Data Encryption
The concept is to Encode the data before transmission and Decode it for prcessing at the recieving end.  Encoding is the process of translating one set of symbols to another set.  This results in the data often not being understandable and hence secure.  Decoding is the inversion process.
  • Many techniques. 
  • 2 main techniques:
  • 1) Assymetric: Public-Key Encryption

    2) Symmetric: Public/Private key Encryption.

  • This doesn't protect network facilities, but, rather data during transmission.
  • Government Restrictions:
    • U.S. government considers encryption techniques developed in the U.S (many of which have a basis from government funded research), as prprietary and an important national security measure.  As such, there are restrictuions on U.S. companies exporting this technology.  They have categorized a different in what can be used and sold domestically compared to what can be exported.  Basically, the latest, state of the art, is restricted for domestic use only.  
        Example:  In the year 2000, Oracle Corporation provided data encription solution suport for its databases.  For U.S and Canada they use a 128-bit (length of key) RSA algorithm.  For non-US/Canadian use, they provide a 40-bit RSA algorithm.
Digital Certificates
  • Concept here is that a third-party, that is trusted, acts as a certifying agency...saying this person is who they claim to be.
  • Uses encryption technology to send an encrypted key that can be used via access to the Certifiers server to verify the user (sender/requester of data) is who they claim to be.
  • You purchase a certificate.  There are different kinds of certificate...identify data, organization, individual.
  • Certificate contains information about the certificate owner, the certifier (certifying authority), public key of certificate owner, validity date, serial number of certificate.
  • Verisign Corporation is a leader in providing this service,  they are a "certifier".
Authentication Servers
  • Commonly based on password access or some other form of identify/verify approach.
  • More Advanced - Can implment even physical or bio-physical input (e.g. finger-print analysis, voice-recognition, etc).
Application Specific Security Products
 
  • Example:  Oracle's Advanced Security Option (ASO) protects data and communication to and from the Oracle Database via support of data encryption, authentication, SSL support, RADIUS support, etc.  See www.oracle.com for more details
Server System Restrictions
 
Depending on Operating System of Server, there are other O.S. specific options to restrict access to the server.  These are different than the above in that they were designed not with the Internet in mind but, rather with regards to restricting access to a particular machine (not a network or set of devices).   They tend to be simplistic, but often there are free solutions.  Here is an example:
  • HTAccess (originally designed for UNIX machines)
  • Account Access (password required)
No External (Internet, etc) Network Access
  • For the most sensitvie data, you may not even allow ANY kind of direct access to it (even through a firewall) from external networks.
     
© Lynne Grewe