This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
This assignment involves the critical evaluation and analysis of the cryptographic protocols that can be implemented to secure a system. The assignment concerns a case study which discusses about UOB manufacturing company. Our job is to provide some of the cryptographic algorithms for securing the system as mentioned in the network diagram section 19 of the case study.
"UoB Manufacturing" is a Manufacturing Company that produces a range of general engineering products and brackets for Monitors/Displays. They also have a small subsidiary selling direct to the public, mainly credit card transactions via the phone.
Here the assignment deals with providing of security to UoB manufacturing Company by using some of the existing cryptographic protocols such as IPsec, Kerberos, SSH, TSL, SSL, Diffie-Hellman key exchange, WPA etc. which use cryptographic algorithms such as TripleDES, AES, RSA, PGP, SHA1 etc. These cryptographic algorithms are efficient in providing authenticity, powerful encryption, and integrity protection using symmetric and asymmetric key techniques.
The network diagram consists of different communication medium for Client-server communications and to provide internet service; a telephone system which will be useful for the employees to communicate with the employees in the first floor. It is connected to a Private Branch Exchange (PBX) which acts as a switch. To provide internet service there is CABLE/DSL ROUTER for wired connections and Wireless access point (WAP) in the first floor for wired communication devices to connect to a wireless network. A Primary Domain Controller (PDC) is provided which allows a user to be granted access to a number of computer resources with the use of a single username and password combination. CNC programming work stations are also provided for the automation of machine tools. A CAD/CAM server is also
provided. A CAD/CAM server is provided which allows user to design and assists all operations of manufacturing. The PBX, WAP, PDC server, CNC programming work stations through different hubs are connected to a Main room Switch.
A Cryptographic protocol or an encryption protocol performs a security-related function and applies cryptographic methods to the message and data. Some of the Cryptographic protocols providing that provide security are as IPsec, Kerberos, SSH, TSL, SSL, Diffie-Hellman key exchange, WPA etc.
Internet Protocol Security (IPsec) is a network layer protocol which provides security by authenticating and encrypting each packet of a data stream transferred between a pair of hosts, or gateways or between a security gateway and a host. It provides security services such as
ï‚· Security association (SA): generates the encryption and authentication keys to be used by IPsec.
ï‚· Authentication Header (AH): provide integrity and authentication for IP packets and protection against replay attacks.
ï‚· Encapsulating Security Payload (ESP): provide integrity, confidentiality and limited traffic flow of data packets.
IPSec has two modes of operation transport mode and tunnel mode. In transport mode only data is encrypted and in tunnel mode whole IP packet i.e. data and IP header are encrypted. It uses AES, TripleDES and SHA1 cryptographic algorithms.
Kerberos is a network Authentication protocol which provides mutual authentication of a client-server model- where both the user and the server verify each other's identity. It is useful in providing s------------------ Kerberos uses symmetric key cryptography which requires a third party termed as a key distribution center (KDC), which consists of two parts: an Authentication Server (AS) and a Ticket Granting Server (TGS). The KDC maintains a database of secret keys; where a client or a server shares a secret key known only to itself and to the KDC. Knowledge of this key serves to prove their identity. For communication between a client and a server, the KDC generates a session key which they can use to secure their interactions. The security of the protocol relies heavily on participants called Kerberos tickets. Kerberos works on the basis of "tickets" which serve to prove the identity of users. Kerberos also uses asymmetric key cryptography during certain phases of authentication.
SSH (Secure Shelled Protocol):
SSH is a network protocol. It uses public key cryptography for to transfer, authenticate or exchange of data. For authentication it uses x.509 digital certificates and the key generations are done using DSA and RSA.
SSL (Secure Shell Layer):
SSL is an Application Layer Protocol. Its successor is known as TLS (transport layer security). TLS and SSL encrypt the segments of data at the Application Layer and ensure secure end-to-end transit at the Transport Layer. The encryption techniques used for Authentication is RSA, DSA and for key exchange it uses RSA, Diffie-Hellman Key Exchange, ECHH,SRP and PSK.
The Network diagram can be divided into four primary parts where the security aspects are considered for each part; providing security to the Telephone system with a PBX, Securing Wireless Access Point (WAP),Securing the PDC Server and Securing the CAD/CAM server.
PART 1: Providing security to Telephone System using different Cryptographic protocols
The Telephone system in the above diagram uses Voice over Internet Protocol (VoIP) for communication. It is connected to a PBX. The Private Branch Exchange (PBX) is a sophisticated computer-based switch which is an essential element that supports the critical infrastructure of the company. It is very important to secure the VoIP from Network Sniffing, Message Replay attacks and Resource Exhaustion.
Securing VoIP include authorization, authentication, integrity and privacy. Authorization is achieved through proper configuration established during set-up of the subscriber by authorizing the device in the network system. After authorization Customer
Premise Equipment (CPE) provides a secure identification number to the network server. An authentication key is then exchanged between CPE and the network server. The CPE gateway is authenticated, and then the server provides an encryption key. The encryption key is used for secure communication between CPE and the network server.
VoIP signal Security can is provided to the VoIP using Transport Layer Security (TLS) at Application layer, an advanced version of SSL. TLS provides encryption using Data Encryption Standard (DES). The TLS allows the server and CPE to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged. This protocol is efficient in reducing the computational and processing burdens than other protocols.
VoIP packet Security can be done by using Secure Real-Time Transport Protocol at Network Layer (SRTP) with advanced encryption standard (AES). SRTP provides message authentication, integrity checking, confidentiality and replay protection for voice packets. The data is encrypted using AES. A hash of the header and encrypted data is created using Keyed-Hashing for Message Authentication Code Secure Hash Algorithm-1 (HMAC-SHA1). SRTP is presented to reduce an attacker's ability to exploit system vulnerabilities.
PART 1. Providing Security to the Wireless Access Point (WAP)
Wireless Access Point (WAP) is commonly known as WAP, is a device which connects the different communication devices that allows communication between the wireless network and wireless communicating devices with the help of different wireless technologies such as Wi-Fi, Bluetooth, etc. It acts as a transmitter and receiver of WLAN radio signals.
Features of Wireless Access Points are
1. It allows very high speed networking with very long coverage area for both indoor and outdoor networking.
2. It provides security to the communication data through MAC addressing filtering
3. It plays an important role in providing encrypted security where 64 bits to 128 bit of data
Wireless Network's Threats and Vulnerabilities
The four basic components of a Wireless Network are Transmission of data, Wireless Access Points in the organization, Client devices (Ex: PC's, Laptop, PDA) and Users. Each of these components can be vulnerable to different attacks that can result in the compromise of confidentiality and integrity. Some of the attacks of can be seen in the following
1. Accidental association : Unauthorized access to the devices from a number of different methods and intents is referred as Accidental Association
2. Malicious association: Instead of connecting to the Wireless Access Points of a company, the user's wireless devices are actively connected to company's network by crackers with the help of their devices (laptop, PDA etc.).
3. MAC spoofing: This occurs when a cracker identifies the MAC Address of a computer with network privileges.
4. Denial of service: This occurs when an attacker continually sends to a targeted Access point or network with invalid requests, failure of connection establishment messages, invalid commands etc.
5. Caffe Latte attack: This attack is used to break a cryptographic protocol such as WEP. An attacker tries to obtain a WEP key from a remote client by sending a flood of encrypted ARP requests. The assailant uses the ARP responses to obtain the WEP key within a short span of time.
Security Protocols for Wireless Networks
Effective Encryption using cryptographic protocols is the best possible way of providing security and confidentiality of information transmitted over wireless networks. This is especially important for companies where Communication devices are connected all over and security is an important aspect.
The efficient protocol for wireless Networks used now-a-day is Wi-Fi Protected Access (WPA) which overcomes some of the weakness of Wireless Equivalent Privacy (WEP) designed by Wi-Fi Alliance designed to work with existing IEEE802.11 products and offers compatibility with IEEE802.11i.
Key Features of WPA
2. Encryption Key Management using Temporal Key Integrity Protocol (TKIP), Michael message integrity code (MIC) mechanism and AES Support
3. Support for both of WPA and WEP clients and mixture of them.
The strength of WPA is by using 802.1X/EAP authentication and sophisticated key management and encryption techniques.
Authentication mechanism using WPA v2
WPA supports Extensible Authentication Protocol (EAP) for environments with a RADIUS infrastructure and for environments without a RADIUS infrastructure; it supports the use of a Pre-Shared Key (PSK). PSK is especially designed for home user and RADIUS is designed for enterprise usage. In a wireless network the RADIUS server holds user credentials (user names and passwords) and authenticates before they gain access to the network. IEEE 802.1x offers an effective framework for authentication and control of user traffic to a network and varying data encryption keys via EAP from a RADIUS server.
Authentication steps using WPAv2
1. The client device (unauthenticated supplicant) which attempts to connect to a Wireless Access Point (authenticator) sends an EAP start-up message. A series of messages are exchanged for the authentication of the client
2. The Wireless access point replies with an EAP-request identity message.
3. After receiving the reply from the access point, the client sends an EAP-response packet containing its identity to the authentication server.
3(a) the access point responds to this packet by enabling a port for passing only EAP packets from the client to an authentication server (for example, RADIUS). Until the access point verifies the client's identity, it blocks all other packets such as HTTP, RTP and POP3 packets.
4. The authentication server verifies the client's identity by using a specific authentication algorithm, either using digital certificates or some other EAP authentication type.
5. Depending on the authenticity of the user, the authentication server will either sends an accept or reject message to the access point.
6. If the authentication server sends an accept message, the access point sends an EAP-success packet to the client or else a reject packet for a reject message.
7. Once the authentication server accepts the client, the access point allows transition of all other packets previously blocked.
Data Encryption using WPAv2
WPA uses Temporal Key Integrity Protocol (TKIP) for data encryption which includes a key mixing function per packet, a message integrity check (MIC) named Michael, an Initialization Vector (IV) with sequencing rules, and a rekeying mechanism. Including these TKIP provides verification of security configuration, changing of the unicast encryption key for each frame in synchronization.
IEEE 802.11 and WEP provide data integrity by appending a 32-bit Integrity check value (ICV) to 802.11 payload and is encrypted with WEP. With WPA a new algorithm is known that calculates an 8-byte message integrity code (MIC) using wireless devices which is called Michael. The MIC is placed between the data portion of the IEEE 802.11 frame and the 32 bit ICV. The MIC field is encrypted together with the frame data and the ICV. Michael provides protection from replay attacks using a frame counter present in the IEEE 802.11 frame Besides using TKIP, WPA uses advanced encryption standard (AES). AES can be viewed as the optimal choice for companies which are concerned with security aspects.