Network Security 3 - Application Level Security (04 - Key Management and…
Network Security 3 - Application Level Security
01 - What to secure?
Integration into lower level protocols
Security
network itself needs protection
network is harder to attack
Application Independence
Quality of Service
Efficiency
integration into end systems
can be done on application or end system level
integration into intermediate systems
can be done on all four levels
Developer's perspective:
Pros / Cons
everything is under control of the application developer
we have to modify every single application
application designers are not necessarily security experts
general approach
use security software package
use provided functions
link application software with the security library
02 - E-mail Security
email security today
message contents are not secured in transit
need to worry about sniffing, modifying, replaying, masquerading
goals should be:
protection from disclosure
protection from modification
protection of authentication of sender of message
protection from denial by sender
possible features
Confidentiality (Privacy)
Authentication
integrity
non-repudiation
plausible deniability
proof of submission
proof of delivery
more possible features:
message flow confidentiality
anonymity
containment
self-destruct
message sequence integrity
preventing post or back dating
auditing, accounting
PGP - Pretty Good Privacy
services
Authentication
Confidentiality
compression
e-mail compatibility
segmentation
03 - Key Management
PGP does not rely on certificate authorities (CAs)
Web of trust
also revocation
04 - Key Management and Certificates
often the Achilles' heel of systems
distribution of keys
public announcement
weakness is forgery
publicly available directory
tampering or forgery
public key authority
tampering
public key certificates
CA Hierarchy
tree level hierarchy
Certificate Revocation
Certificate has period of validity
CAs maintain a list of revoked certificates
Public Key Infrastructure (PKIX)
functions
registration
initialization
certification
key pair recovery
key pair update
revocation request
cross certification
protocols
CMP, CMC
problems
too many CAs that are trusted by default
scope of certification
VeriSign
trust agility
verification process
05 - Problem of Certificates and PKI
What is a Certificate?
makes an association between a user identity/job/attribute and a private key
contains public information
has a validity period
is signed by some CA
may be vetted by a registration authority
PKI and Revocation
Certificate may be revoked before expiration
lost private key
compromised
owner no longer authorized
revocation is hard
Verifier needs to check revocation state
revocation state must be authenticated
Certificate Revocation List (CRL)
contains list of revoked certificates
in reality browsers do not check them
Compromised CAs
affects all domains
are now a legitimate threat
10 Risks of PKI
Who do we trust and for what?
Who is using my key?
How secure is the verifier?
Which John Robinson is here?
Is the CA an authority?
Is the user part of the design?
Was it one CA or CA+RA?
How was the user authenticated?
How secure are the certificate practices?
Why are we using PKI?