Internet Security
System Software Lab.
1998-04-09
9/24/2020 System Software Lab.

Internet Security
- Segmenting the Problem
- Network Protocol Security
- Firewalls
- Messaging Security
- Web Security
- Security for Electronic Commerce Applications
- Internet Service Provider Agreements

Segmenting the Problem (1/4)
- Three areas
  - Network security, application security, system security
- Security safeguards
  - Physical security, personnel security, media security
- Internet Site Security Handbook

Network Security (2/4)
- Protects the communication of one end-system with other systems on a network
- Security-aware
  - Authentication and integrity
    - Gives the recipient assurance that a packet was not altered on its way to the destination and that its claimed origin is genuine
  - Confidentiality
    - Protects packet contents from anyone other than the legitimate recipient
  - Access control
    - Restricts which destinations, which remote packet sources and which applications a particular end-system may communicate with

Application Security (3/4)
- Security protection built into a particular application, independent of whatever network security measures are in place
- Many applications require application-specific security
- Protection against message tampering
  - Tampering can occur at mail gateways that perform the e-mail store-and-forward function
- E-mail
  - Requires true end-to-end, writer-to-reader protection

System Security (4/4)
- Related to, but independent of, communications protection
  - Provided in the end-system and its local environment, through network security or application security measures
  - Closes known security weaknesses
  - Protects systems against the spread of a compromise
  - Protects against the possibility of a compromise spreading further
  - Maintains the primary trust in security that has been successfully established

Network Protocol Security (1/4)
- IP (Internet Protocol)
  - IP header
  - IP datagram
  - IP spoofing
    - Spoofing: an intrusion in which an unauthorized party forges packets so that they appear to have been sent by a trusted party, and uses them to attempt a connection
  - IP security mechanisms
    - Authentication Header mechanism; packet encryption, or the Encapsulating Security Payload mechanism
- TCP (Transmission Control Protocol)

Authentication Header (2/4)
- Provides integrity protection and authentication for IP datagrams
- Keyed MD5
- Security association
- Indicator
- Identifier: Security Parameter Index

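The following is an added example, not code from the original slides, showing how the Authentication Header ties together the pieces named above: a Security Parameter Index selects a security association (a shared key), a keyed MD5 value is computed over the parts of the datagram that do not change in transit, and the receiver recomputes and compares it. The SA table, the SPI value, the key and the addresses are constructed assumptions, and the keyed-MD5 construction is simplified (key prepended and appended, without the key padding that RFC 1828 specifies). Spoofing the source address or altering the payload breaks the check, while a router decrementing the TTL does not.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed security-association (SA) table: SPI -> shared authentication key (assumption).
SA_TABLE = {
    0x100: b"constructed-shared-key-for-spi-0x100",
}

IPV4_FMT = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst
AH_FIXED_FMT = "!BBHI"       # next header, length, reserved, SPI
AH_PROTO = 51                # IP protocol number of the Authentication Header
ICV_LEN = 16                 # keyed-MD5 digest length


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pack_ipv4_header(src: str, dst: str, ttl: int, total_length: int, checksum: int = 0) -> bytes:
    return struct.pack(IPV4_FMT, 0x45, 0, total_length, 0, 0, ttl, AH_PROTO, checksum,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def keyed_md5(key: bytes, data: bytes) -> bytes:
    """Simplified keyed MD5: MD5(key || data || key). RFC 1828 also pads the leading key
    to a 64-byte boundary; that detail is left out here."""
    return hashlib.md5(key + data + key).digest()


def build_authenticated_datagram(spi: int, src: str, dst: str, payload: bytes, ttl: int = 64) -> bytes:
    """Sender side: compute the ICV over the invariant fields and insert the AH after the IP header."""
    key = SA_TABLE[spi]
    ah_size = struct.calcsize(AH_FIXED_FMT)
    total_length = 20 + ah_size + ICV_LEN + len(payload)
    ah_fixed = struct.pack(AH_FIXED_FMT, 17, ICV_LEN // 4, 0, spi)  # next header 17 = UDP; length in 32-bit words
    # Mutable fields (TTL, header checksum) and the ICV itself are zero while the digest is computed.
    invariant = pack_ipv4_header(src, dst, 0, total_length) + ah_fixed + bytes(ICV_LEN) + payload
    icv = keyed_md5(key, invariant)
    header = pack_ipv4_header(src, dst, ttl, total_length)
    header = pack_ipv4_header(src, dst, ttl, total_length, ipv4_checksum(header))
    return header + ah_fixed + icv + payload


def forward_hop(datagram: bytes) -> bytes:
    """What an intermediate router does: decrement the TTL and recompute the header checksum."""
    hdr = bytearray(datagram[:20])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + datagram[20:]


def forge_source(datagram: bytes, new_src: str) -> bytes:
    """Constructed test input: a copy of the datagram whose source address has been rewritten."""
    hdr = bytearray(datagram[:20])
    hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(hdr) + datagram[20:]


def verify_authenticated_datagram(datagram: bytes) -> bool:
    """Receiver side: look up the SA by SPI, recompute the ICV over the invariant fields, compare."""
    header, rest = datagram[:20], datagram[20:]
    ah_size = struct.calcsize(AH_FIXED_FMT)
    _next_header, ah_len, _reserved, spi = struct.unpack(AH_FIXED_FMT, rest[:ah_size])
    icv_len = ah_len * 4
    icv, payload = rest[ah_size:ah_size + icv_len], rest[ah_size + icv_len:]
    key = SA_TABLE.get(spi)
    if key is None:
        return False                       # no security association for this SPI: drop
    fields = list(struct.unpack(IPV4_FMT, header))
    fields[5] = 0                          # TTL changes at every hop
    fields[7] = 0                          # header checksum changes with the TTL
    zeroed = struct.pack(IPV4_FMT, *fields)
    expected = keyed_md5(key, zeroed + rest[:ah_size] + bytes(icv_len) + payload)
    return hmac.compare_digest(expected, icv)


if __name__ == "__main__":
    d = build_authenticated_datagram(0x100, "10.0.0.1", "10.0.0.2", b"hello")
    print("original:", verify_authenticated_datagram(d))
    print("after one hop:", verify_authenticated_datagram(forward_hop(d)))
    print("forged source:", verify_authenticated_datagram(forge_source(d, "10.0.0.9")))
```

The check rejects three kinds of datagram: one whose source address was rewritten, one whose payload was altered, and one that names an SPI for which the receiver holds no security association. Only the fields a router legitimately changes are excluded from the digest.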
Firewall (1/3)
- A firewall protects against a dangerous situation
  - One that arises between a network and the Internet backbone
- Its purpose is to enforce the organization's security policy
- Functions
  - Restricts the set of applications and the internal addresses that can be reached
  - Authenticates the source of incoming traffic
  - Acts as a security gateway, encrypts traffic and checks it with other security gateways, forming a virtual private network

Firewall Construction (2/3)
- Off-the-shelf solutions
- Screening routers
  - Selectively pass or block packets while routing them
  - Packet filtering
- Proxy servers
  - Relay traffic between two systems: a client on the internal network and a server on the external Internet
- Perimeter network
  - Inserted between the internal network and the external network

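As an added illustration of the screening-router idea above (this is example code, not part of the original slides), the following packet filter applies an ordered rule list with a default-drop policy. The address plan, the exposed hosts and the sample packets are all constructed assumptions. The first rule implements the anti-spoofing check that follows from the IP spoofing discussion earlier: a packet arriving on the external interface can never legitimately carry an internal source address, so it is dropped and logged before any permit rule is considered.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan (assumption): the protected internal network and the two
# hosts the organization chooses to expose through the screening router.
INTERNAL_NET = "10.0.0.0/8"
MAIL_GATEWAY = "10.0.1.5"
WEB_SERVER = "10.0.1.10"


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "ext" (Internet side) or "int" (internal side)
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "accept" or "drop"
    name: str                       # appears in the log line so a decision can be traced to its rule
    iface: Optional[str] = None     # None means "any" for this and every field below
    src_net: Optional[str] = None
    dst_host: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.src_net is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_host is not None and p.dst != self.dst_host:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


# First matching rule wins; anything unmatched falls through to the default policy.
RULES = [
    # Anti-spoofing: traffic from the Internet can never legitimately claim an internal source.
    Rule("drop", "anti-spoof: internal source on external interface", iface="ext", src_net=INTERNAL_NET),
    Rule("accept", "inbound SMTP to the mail gateway", iface="ext", dst_host=MAIL_GATEWAY, proto="tcp", dport=25),
    Rule("accept", "inbound HTTP to the web server", iface="ext", dst_host=WEB_SERVER, proto="tcp", dport=80),
    Rule("accept", "outbound traffic from the internal network", iface="int", src_net=INTERNAL_NET),
]
DEFAULT_ACTION = "drop"


def screen(p: Packet) -> tuple:
    """Return (action, reason) for one packet, as a screening router would decide it."""
    for rule in RULES:
        if rule.matches(p):
            return rule.action, rule.name
    return DEFAULT_ACTION, "default policy (no rule matched)"


def log_line(p: Packet) -> str:
    """One audit line per decision; the anti-spoof drops are the ones worth alerting on."""
    action, reason = screen(p)
    return f"{action.upper():6} {p.iface} {p.proto}/{p.src}->{p.dst}:{p.dport} ({reason})"


# Constructed sample traffic (assumption), one packet per case the rules are meant to cover.
SAMPLE_PACKETS = [
    Packet("ext", "10.0.3.7", "10.0.1.5", "tcp", 25),        # internal source from outside: spoofed
    Packet("ext", "198.51.100.20", "10.0.1.5", "tcp", 25),   # legitimate inbound mail
    Packet("ext", "198.51.100.20", "10.0.1.10", "tcp", 80),  # legitimate inbound web request
    Packet("ext", "198.51.100.20", "10.0.1.10", "tcp", 23),  # telnet to the web server: not permitted
    Packet("int", "10.0.3.7", "203.0.113.9", "tcp", 443),    # outbound from a workstation
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(log_line(pkt))
```

Rule order matters: because the anti-spoofing drop comes first, a forged packet addressed to the mail gateway on port 25 is refused even though a later rule would otherwise accept it.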
Messaging Security (1/17)
- End-systems
  - Support many users
- Message
  - Received from a person or from a mail-capable user agent
  - One sender and one or more recipients
  - User agent (mailer)
  - MTAs (message transfer agents)
    - Store-and-forward message switches or mail gateways
- Broad-ranging: basic services, enhanced services

Cont'd (3/17)
- Enhanced message protection services
  - Confirmation services
    - Proof of delivery: provides assurance that the message was delivered
    - Proof of submission: provides assurance of submission to the originating MTA
    - Non-repudiation of delivery: provides evidence that the message was delivered
    - Non-repudiation of submission: provides evidence of submission to the originating MTA

Cont'd (6/17)
- An approach to network-wide authentication and key management
  - A symmetric-key alternative and a public-key alternative
- Sound technical design
- Failed in commercial deployment
  - Could not be reconciled with MIME
- MIME
  - The Internet multimedia mail format, developed at almost the same time as PEM

MIME Security Multiparts and Object Security Services (7/17)
- Body part
  - Content such as text, an image, audio, or a complete encapsulated protected message
- Content type
  - Defines the structure or form of a message or of a body part
- Two distinct areas address the MIME security problem
  - Security Multiparts for MIME, and MIME Object Security Services (MOSS)

Cont'd (8/17)
- Solutions to the MIME security problem
  - Security Multiparts for MIME
    - Defines a framework for structuring messages
    - Supports digital signatures and encryption
    - multipart/signed and multipart/encrypted
    - Both are subtypes of the general multipart MIME content type
  - MOSS
    - Defines a set of procedures and formats for signing and encrypting MIME body parts
    - Built on Security Multiparts for MIME

Figure 5.1 MOSS Digital Signature Generation (figure; labels recovered from the slide)
- Input: Body Part to be Signed; Originator's Private Key; Algorithm Identifiers and Parameters
- Steps: Canonicalize, then Sign
- Output: Multipart/signed Content consisting of Body Part 1 (the signed body part) and Body Part 2 (Application/moss-signature Content)

Cont'd (9/17)
- The same digital signature must be verifiable on every system
- Canonical form
  - The form that is hashed or digitally signed
- New body part
  - Has the application/moss-signature content type
  - Carries the digital signature and control information

Figure 5.2 MOSS Encryption Process (figure; labels recovered from the slide)
- Input: Body Part to be Encrypted; Random Encryption Key; Recipient Public Key(s); Algorithm Identifiers and Parameters
- Steps: Canonicalize, then Encrypt the body part under the random key; Encrypt key under recipient public key(s)
- Output: Multipart/encrypted Content consisting of Body Part 1 (Application/moss-keys Content) and Body Part 2 (the encrypted body part)

Cont'd (10/17)
- First body part
  - The control information needed to decrypt the second body part
  - Defined by the application/moss-keys MIME content type
- Second body part
  - Contains the encrypted version of another MIME body part
- application/moss-keys body part
  - Contains encrypted copies of the data-encrypting key and an identifier of the particular encryption algorithm used

S/MIME (11/17)
- Conveys encrypted or digitally signed information within MIME
- Same goals as MOSS, but a different solution
  - Developed by RSA Data Security, Inc.
  - Based on the de facto PKCS standards
- Applies PKCS#7 to the protection of MIME body parts
  - MIME content: the application/x-pkcs7-mime type
  - Provides protection for the contents of an otherwise unprotected MIME body part

Cont'd (12/17)
- PKCS#7
  - ASN.1 (Abstract Syntax Notation One)
  - Signed data
    - A data structure that contains the protected body part
  - Enveloped data
    - The protected body part, symmetrically encrypted and embedded in the data structure
  - Signed-and-enveloped data
    - Combines the enveloped-data type and the signed-data type
  - Base64 encoding: carries binary data, as in MIME

Figure 5.3 S/MIME Digital Signature Generation (figure; labels recovered from the slide)
- Input: Body Part to be Encrypted; Originator Private Key; Originator Certificate; Algorithm Identifiers and Parameters
- Steps: Canonicalize, Sign, ASN.1 Encode, Base64 Encode
- Output: application/x-pkcs7-mime content

Figure 5.4 S/MIME Encryption Process (figure; labels recovered from the slide)
- Input: Body Part to be Encrypted; Random Encryption Key; Recipient Public Key(s); Algorithm Identifiers and Parameters
- Steps: Canonicalize, Encrypt the body part under the random key, Encrypt key under recipient public key(s), ASN.1 Encode, Base64 Encode
- Output: application/x-pkcs7-mime content

Figure 5.5 S/MIME Digital Signature Generation with Multipart/signed (figure; labels recovered from the slide)
- Input: Body Part to be Signed; Originator Certificate; Algorithm Identifiers and Parameters
- Steps: Canonicalize, Sign, ASN.1 Encode, Base64 Encode
- Output: Multipart/signed Content consisting of Body Part 1 (the signed body part) and Body Part 2 (Application/x-pkcs7-signature)

Cont'd (13/17)
- Drawback
  - A mailer without S/MIME support cannot read the message content of a body part that is signed but not encrypted
  - The multipart/signed form with application/x-pkcs7-signature must be chosen instead
- application/x-pkcs10
  - PKCS#10
  - Conveys a certification request message

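The multipart/signed structure shared by the MOSS process of Figure 5.1 and the S/MIME variant of Figure 5.5 is easier to see in code. The block below is an added example, not code from the original slides or from either specification. It canonicalizes a body part, computes a detached signature over the canonical bytes, places the readable body part first and the signature second, and verifies the result. Two things are assumptions: the signing key is a constructed value and the "Sign" step uses an HMAC as a stand-in for the originator's private-key signature, so the example runs without a public-key library; the boundary string is also constructed. The protocol parameter selects the MOSS name or the S/MIME name for the second body part.

```python
import hashlib
import hmac

# Constructed signing key (assumption). A real MOSS or S/MIME signature is produced with
# the originator's private key; an HMAC stands in here so the example runs offline.
SIGNING_KEY = b"constructed-originator-key"
BOUNDARY = "=-signed-boundary"   # constructed multipart boundary


def canonicalize(body_part: str) -> bytes:
    """MIME canonical form: CRLF line endings with trailing whitespace removed, so every
    system signs and verifies exactly the same bytes."""
    lines = body_part.replace("\r\n", "\n").split("\n")
    return "\r\n".join(line.rstrip(" \t") for line in lines).encode("utf-8")


def sign(canonical: bytes) -> str:
    """Stand-in for the 'Sign' step (HMAC-SHA256, not a public-key signature)."""
    return hmac.new(SIGNING_KEY, canonical, hashlib.sha256).hexdigest()


def build_multipart_signed(body_part: str, protocol: str = "application/moss-signature") -> str:
    """Body Part 1 is the canonicalized content, readable by any mailer;
    Body Part 2 carries the detached signature under the given protocol content type."""
    canonical = canonicalize(body_part)
    signature = sign(canonical)
    parts = [
        f'Content-Type: multipart/signed; protocol="{protocol}"; micalg=sha256; boundary="{BOUNDARY}"',
        "",
        f"--{BOUNDARY}",
        canonical.decode("utf-8"),
        f"--{BOUNDARY}",
        f"Content-Type: {protocol}",
        "",
        signature,
        f"--{BOUNDARY}--",
        "",
    ]
    return "\r\n".join(parts)


def split_multipart(message: str):
    """Return (outer headers, [body parts]); the CRLF before each boundary belongs to the boundary."""
    headers, _, payload = message.partition("\r\n\r\n")
    chunks = ("\r\n" + payload).split(f"\r\n--{BOUNDARY}")
    body_parts = []
    for chunk in chunks[1:]:
        if chunk.startswith("--"):
            break                          # closing delimiter reached
        body_parts.append(chunk[2:])       # drop the CRLF that follows the delimiter line
    return headers, body_parts


def verify_multipart_signed(message: str) -> bool:
    """Recompute the signature over the canonicalized first body part and compare it
    with the value carried in the second body part."""
    _headers, body_parts = split_multipart(message)
    if len(body_parts) != 2:
        return False
    signed_part, signature_part = body_parts
    _sig_headers, _, claimed = signature_part.partition("\r\n\r\n")
    expected = sign(canonicalize(signed_part))
    return hmac.compare_digest(expected, claimed.strip())


if __name__ == "__main__":
    # Constructed body part with LF line endings and trailing spaces; canonicalization removes both.
    msg = build_multipart_signed("Content-Type: text/plain\n\nPay 100 EUR to account A  \nthanks")
    print(msg)
    print("verifies:", verify_multipart_signed(msg))
    print("after tampering:", verify_multipart_signed(msg.replace("100 EUR", "900 EUR")))
```

Because the first body part is left in the clear, a mailer that knows nothing about the signature protocol still displays the text; only a tampered body, or one whose line endings were changed before canonicalization was applied, fails verification.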
Web Security
- Security concerns fall into two basic categories
  - The compromise of a Web server site
  - The compromise of user communications
- SSL
  - Server authentication
  - Client authentication
  - Integrity
  - Confidentiality

Cont'd
- SSL consists of two sub-protocols
  - The SSL Record Protocol
  - The SSL Handshake Protocol

Secure HTTP (S-HTTP)
- S-HTTP protects transaction request or response messages
- S-HTTP provides a great deal of flexibility

Downloadable Executable Software
- The Web was a relatively static world
- Java opens up a new set of risks
- The above concerns are not limited to Java but apply to downloadable executable software generally

Security for Electronic Commerce Applications
- EDI Security
- Bank Card Payments: The SET Protocol
- Other Secure Internet Payment Models

EDI Security (figure: EDI interchange envelope structure, labels recovered from the slide)
- Interchange Header (ISA)
  - Functional Group Header (GS)
    - Transaction Set Header (ST)
      - Security segment inserted here
      - Transaction Set Segments
    - Transaction Set Trailer (SE)
  - Functional Group Trailer (GE)
- Interchange Trailer (IEA)

Bank Card Payments: The SET Protocol (figure; labels recovered from the slide)
- Parties: Cardholder, Acquirer, Issuer
- Message flows: Negotiate, Order, Confirm, Authorize, Confirm

Other Secure Internet Payment Models
- CyberCash
- CheckFree
- First Virtual

Internet Service Provider Agreements
- Use and Acceptance
- Service Definitions
- Lawful Use and Service Provider Control over Information Content
- Quality of Information

Cont'd
- Use of Other Networks
- Commercial Use and Resale of Services
- Security
- Abuse and Misuse
- Other Provisions

Use and Acceptance
- Online registration systems provide ISP agreement information to consumers
- ISPs establish standardized service

Service Definitions
- ISP agreements describe the service provided by the ISP
  - Internet access
  - Host services: e-mail, home page

Lawful Use and Service Provider Control over Information Content
- Three of the grounds for liability
  - Defamation
  - Copyright infringement
  - Obscenity

Cont'd
- In 1996, the case of Cubby v. CompuServe, Inc.
- In 1995, the case of Stratton Oakmont, Inc. v. Prodigy Services Co.
- In 1993 and late 1995, the cases involving Playboy Magazine
- ISPs are faced with a dilemma

Cont'd
- CompuServe ceased offering its subscribers access to certain Usenet newsgroups
  - alt.sex.binaries
- Refraining from editorial activity is the best course

Quality of Information
- The subscriber bears the responsibility for
  - Using the information
  - Using the programs
  - Using the data

Use of Other Networks
- ISP agreements mandate that customers must comply with the rules of those networks
- Whether the other network's rules were communicated to the customer is relevant to their enforceability

Commercial Use and Resale of Services
- ISPs provide "connectivity"
- ISPs provide "resale of IP connectivity"

Security
- Who has the responsibility for security?
  - ISPs attempt to shift the responsibility
  - The responsibility of the end-user is important

Cont'd
- Some ISP agreements agree to provide security at "the currently accepted industry level"
  - There is such a standard
  - There is such a level of security

Abuse and Misuse
- Various activities are prohibited by ISP agreements (ISPA)
  - Abuse and misuse
- Abuse and misuse provisions
  - Harassment
  - Sabotage
  - Unlawful activities

Cont'd
- Accessing information without authorization
- Applying for or using a password under false pretenses
- Securing a higher level of access privilege without the proper authority
- Copying system files

Cont'd
- Creating, using, or distributing malicious software
- Decrypting system or user password files
- Deleting, examining, copying, or modifying files and/or data belonging to other users without prior consent
- Evading or changing resource quotas

Cont'd
- Forging messages
- Crashing network systems or programs
- Posting or using copyrighted material without authorization
- Sharing, disclosing, or compromising passwords or other authenticators

Other Provisions
- Availability
- Access to users' private data
- Account termination
- Term
- Amendments

Cont'd
- Limitations of liability
- Indemnification
- Fees
- Disclaimer of warranties
