keamanan jaringan apjii.pdf

7/27/2019 Keamanan Jaringan APJII.pdf

1/119

Network SecurityWorkshop

Yogyakarta, Indonesia

25 27 June, 2013

Proudly Supported by:


2/119

PresentersChampika Wijayatunga

Training Unit Manager, APNIC

Champika is responsible for managing its training activities in the

Asia Pacific region and brings several years of experience, having

worked in a number of countries in the IT industry, academia,research, and training environments.

Areas of interests:

Internet Resource Management, IPv6, DNS/DNSSEC, Network

Security

Contact: [email protected]


3/119

PresentersWita Laksono

Internet Resource Analyst, APNIC

Wita is responsible for analyzing IP address and AS number

requests from APNIC members. He also supports APNIC

helpdesk and skilled in Network Engineering aspects.

Areas of interests:

Internet Resource Management, IPv6

Contact: [email protected]


4/119

Overview

Network Security Fundamentals Cryptography and PKI Registration of Internet Resources Security on Different Layers and Attack Mitigation DNS Security and DNSSEC Device and Infrastructure Security Virtual Private Networks and IPSec Route Filtering


5/119

Network SecurityFundamentals

Network Security Workshop


6/119

Overview

Why We Need Security Definitions and ConceptsAccess Control Risk vs. Vulnerability Threats and Attack Types


7/119

Why Security?

The Internet was initially designed for connectivity Trust assumed We do more with the Internet nowadays Security protocols are added on top of the TCP/IP

Fundamental aspects of information must be protected Confidential data Employee information Business models Protect identity and resources

We cant keep ourselves isolated from the Internet Most business communications are done online We provide online services We get services from third-party organizations online


8/119

Internet Evolution

Different ways to handle security as the Internet evolves

LAN connectivity Application-specificMore online content

Cloud computingApplication/data hosted

in the cloud environment


9/119

Why Security?

Key findings: Hacktivism and vandalism are the common DDoS attack motivation High-bandwidth DDoS attacks are the new normal First-ever IPv6 DDoS attacks are reported Trust issues across geographic boundaries

Source: Arbor Networks Worldwide Infrastructure

Security Report Volume VII


10/119

Breach Sources

Infiltration

Aggregation

Exfiltration

Source: Trustwave 2012 Global Security Report


11/119

Types of Security

Computer Security generic name for the collection of tools designed to protect data and

to thwart hackers

Network Security measures to protect data during their transmission

Internet Security measures to protect data during their transmission over a collection

of interconnected networks


12/119

Goals of Information Security

Confidentiality Integrity Availability

SE

CUR

ITY

preventsunauthorizeduse or

disclosure ofinformation

safeguards theaccuracy andcompleteness

of information

authorizedusers havereliable and

timely accessto information


13/119

Access Control

The ability to permit or deny the use of an object by asubject.

It provides 3 essential services:Authentication (who can login)Authorization (what authorized users can do)Accountability (identifies what a user did)


14/119

Authentication

A means to verify or prove a users identity The term user may refer to:

Person Application or process Machine or device

Identification comes before authentication Provide username to establish users identity

To prove identity, a user must present either of the following: What you know (passwords, passphrase, PIN) What you have (token, smart cards, passcodes, RFID) Who you are (biometrics such as fingerprints and iris scan, signature or

voice)


15/119

Examples of Tokens

eTokenRFID cards

Smart Cards

Fingerprint scanner


16/119

Trusted Network

Standard defensive-oriented technologies Firewall Intrusion Detection

Build TRUST on top of the TCP/IP infrastructure Strong authentication Public Key Infrastructure (PKI)


17/119

Strong Authentication

An absolute requirement Two-factor authentication

Passwords (something you know) Tokens (something you have)

Examples: Passwords Tokens Tickets Restricted access PINs Biometrics Certificates


18/119

Two-factor Authentication

Requires a user to provide at least two authenticationfactors to prove his identity

something you knowUsername/userID and password

something you haveToken using a one-time password (OTP)

The OTP is generated using a small electronic device inphysical possession of the user

Different OTP generated each time and expires after some timeAn alternative way is through applications installed on your mobile

device

Multi-factor authentication is also common


19/119

Authorization

Defines the users rights and permissions on a system Typically done after user has been authenticated Grants a user access to a particular resource and what

actions he is permitted to perform on that resourceAccess criteria based on the level of trust:

Roles Groups Location Time Transaction type


20/119

Authentication vs. Authorization

Client

Service

AuthenticationMechanism

AuthorizationMechanism

Authentication simply identifies a party, authorization defines whether they canperform certain action RFC 3552


21/119

Authorization Concepts

Authorization creep When users may possess unnecessarily high access privileges within

an organization

Default to Zero Start with zero access and build on top of that

Need to Know Principle Least privilege; give access only to information that the user

absolutely need

Access Control Lists List of users allowed to perform particular access to an object (read,

write, execute, modify)


22/119

Single Sign On

Property of access control where a user logs in only onceand gains access to all authorized resources within asystem.

Benefits: Ease of use Reduces logon cycle (time spent re-entering passwords for the same

identity)

Common SSO technologies: Kerberos, RADIUS Smart card based OTP Token

Disadvantage: Single point of attack


23/119

Types of Access Control

Centralized Access Control Radius TACACS+ Diameter

Decentralized Access Control Control of access by people who are closer to the resources No method for consistent control


24/119

Accountability

The security goal that generates the requirement for actionsof an entity to be traced uniquely to that entity

Senders cannot deny sending information Receivers cannot deny receiving it Users cannot deny performing a certain action

Supports nonrepudiation, deterrence, fault isolation,intrusion detection and prevention and after-action recovery

and legal action

Source: NIST Risk Management Guide for

Information Technology Systems


25/119

Integrity

Security goal that generates the requirement for protectionagainst either intentional or accidental attempts to violate

data integrity

Data integrity The property that data has when it has not been altered in an

unauthorized manner

System integrity The quality that a system has when it performs its intended function

in an unimpaired manner, free from unauthorized manipulation

Source: NIST Risk Management Guide for

Information Technology Systems


26/119

Risk, Threat and Vulnerability

Vulnerability - weakness in a system Risk - likelihood that a particular threat using a particular

attack will exploit a particular vulnerability

Exploit - taking advantage of a vulnerability Non-repudiationassurance that both parties are involved

in the transaction


27/119

Vulnerability

A weakness in security procedures, network design, orimplementation that can be exploited to violate a corporate

security policy

Software bugs Configuration mistakes Network design flaw Lack of encryption

Exploit Taking advantage of a vulnerability


28/119

Threat

Any circumstance or event with the potential to cause harmto a networked system.

These are some example of threats: Denial of service

Attacks make computer resources (e.g., bandwidth, disk space, or CPU time)unavailable to its intended users

Unauthorised access Access without permission issues by a rightful owner of devices or networks

Impersonation Worms Viruses


29/119

Risk

The possibility that a particular vulnerability will be exploited IT-related risks arise from:

Unauthorized (malicious or accidental) disclosure, modification, ordestruction of information

Unintentional errors or omissions IT disruptions due to natural or man-made disasters Failure to exercise due care and diligence in implementation and

operation of the IT system

Risk = Threat * Vulnerability

(* Impact)


30/119

Risk Analysis

Identification, assessment and reduction of risks to anacceptable level

the process of identifying security risks and probability ofoccurrence, determining their impact, and identifying areas

that require protection

Three parts: Risk assessment determine the possible risks Risk management evaluating alternatives for mitigating the risk Risk communication presenting this material in an understanble

way to decision makers and/or the public


31/119

Risk Management vs. Cost of Security

Risk mitigation The process of selecting appropriate controls to reduce risk to an

acceptable level

The level of acceptable risk Determined by comparing the risk of security hole exposure to the

cost of implementing and enforcing the security policy

Trade-offs between safety, cost, and availability


32/119

Attack Sources

Active vs. passive Active involves writing data to the network. It is common to disguise

ones address and conceal the identity of the traffic sender Passive involves only reading data on the network. Its purpose is breach

of confidentiality. This is possible if: Attacker has gained control of a host in the communication path between two victim

machines Attacker has compromised the routing infrastructure to arrange the traffic pass through a

compromised machine

Active Attacks Passive Attacks

Denial of Service attacksSpoofing

Man in the MiddleARP poisoning

Smurf attacksBuffer overflow

SQL Injection

ReconnaissanceEavesdropping

Port scanning

Source: RFC 4778


33/119

Attack Sources

On-path vs. Off-path On-path routers (transmitting datagrams) can read, modify, or remove

any datagram transmitted along the path

Off-path hosts can transmit datagrams that appear to come from anyhosts but cannot necessarily receive datagrams intended for other

hosts If attackers want to receive data, they have to put themselves on-path

How easy is it to subvert network topology? It is not easy thing to do but, it is not impossible

Insider vs. outsider What is definition of perimeter/border?

Deliberate attack vs. unintentional event Configuration errors and software bugs are as harmful as a

deliberate malicious network attackSource: RFC 4778


34/119

General Threats

Masquerade An entity claims to be another entity

Eavesdropping An entity reads information it is not intended to read

Authorization violation An entity uses a service or resource it is not intended to use

Loss or modification of information Data is being altered or destroyed

Denial of communication acts (repudiation) An entity falsely denies its participation in a communication act

Forgery of information An entity creates new information in the name of another entity Sabotage

Any action that aims to reduce the availability and/or correct functioning of services orsystems


35/119

Reconnaissance Attack

Unauthorised users to gather information about the networkor system before launching other more serious types of

attacks

Also called eavesdropping Information gained from this attack is used in subsequent

attacks (DoS or DDoS type)

Examples of relevant information: Names, email address Common practice to use a persons first initial and last name for accounts Practically anything


36/119

Man-in-the-Middle Attack

Active eavesdroppingAttacker makes independent connections with victims and

relays messages between them, making them believe that

they are talking directly to each other overa private

connection, when in fact the entire conversation is

controlled by the attacker

Usually a result of lack of end-to-end authentication Masquerading - an entity claims to be another entity


37/119

Session Hijacking

Exploitation of a valid computer session, to gainunauthorized access to information or services in a

computer system.

Theft of a magic cookie used to authenticate a user to aremote server (for web developers)

Four methods: Session fixation attacker sets a users session id to one known to

him, for example by sending the user an email with a link that

contains a particular session id. Session sidejacking attacker uses packet sniffing to read network

traffic between two parties to steal the session cookie.


38/119

Denial of Service (DoS) Attack

Attempt to make a machine or network resource unavailable toits intended users.

Purpose is to temporarily or indefinitely interrupt or suspendservices of a host connected to the Internet

Methods to carry out this attack may vary Saturating the target with external communications requests (such that it

cant respond to legitimate traffic) SERVER OVERLOAD

May include malware to max out target resources (such as CPU), triggererrors, or crash the operating system

DDoS attacks are more dynamic and comes from a broaderrange of attackers

Examples: SYN flooding, Smurf attacks, Starvation Can be used as a redirection and reconnaissance technique


39/119

Questions?


40/119

Cryptography



41/119

Overview

What is Cryptography? Symmetric Key CryptographyAsymmetric Key Cryptography Block and Stream Cipher Digital Signature and Message Digest Diffie-Hellman Algorithm


42/119

Cryptography

Has evolved into a complex science in the field ofinformation security

German Lorenz cipher machine


43/119

Cryptography

Cryptography deals with creating documents that can beshared secretly over public communication channels

Other terms closely associated Cryptanalysis (breaking an encoded data without the knowledge of

the key)

Cryptology (combination of cryptography and cryptanalysis) Cryptography is a function of plaintext and a cryptographic

key

C= F(P,k)Notation:

Plaintext (P)

Ciphertext (C)

Cryptographic Key (k)


44/119

Crypto Algorithms

specifies the mathematical transformation that is performedon data to encrypt/decrypt

Crypto algorithm is NOT proprietaryAnalyzed by public community to show that there are noserious weaknesses Explicitly designed for encryption

44


45/119

Typical Scenario

Alice wants to send a secret message to Bob What are the possible problems?

Data can be interceptedWhat are the ways to intercept this message?

How to conceal the message? Old algorithms such as the substitution cipher


46/119

Types of Cipher

Substitution cipher involves replacing an alphabet with another character of the same

alphabet set

Can be mono-alphabetic (single set for substitution) or poly-alphabetic system (multiple alphabetic sets)

Example: Caesar cipher, a mono-alphabetic system in which each character is

replaced by the third character in succession

Vigenere cipher, a poly-alphabetic cipher that uses a 26x26 table ofcharacters


47/119

Transposition Cipher

No letters are replaced, they are just rearranged. Rail Fence Cipher another kind of transposition cipher in

which the words are spelled out as if they were a rail fence.


48/119

Encryption

process of transforming plaintext to ciphertext using acryptographic key Used all around us

In Application Layer used in secure email, database sessions, andmessaging

In session layer using Secure Socket Layer (SSL) or Transport LayerSecurity (TLS) In the Network Layer using protocols such as IPSec

Benefits of good encryption algorithm: Resistant to cryptographic attack They support variable and long key lengths and scalability They create an avalanche effect No export or import restrictions

Two general types: Symmetric and Asymmetric


49/119

Encryption and Decryption

Plaintext

ENCRYPTIONALGORITHM

DECRYPTIONALGORITHM

Ciphertext Plaintext

Encryption Key Decryption Key


50/119

Symmetric Key Algorithm

Uses a single key to both encrypt and decrypt informationAlso known as a secret-key algorithm

The key must be kept a secret to maintain security This key is also known as a private key

Follows the more traditional form of cryptography with keylengths ranging from 40 to 256 bits.

Examples of symmetric key algorithms:

DES, 3DES, AES, IDEA, RC5, RC6, Blowfish


51/119

Symmetric Encryption

Plaintext

ENCRYPTIONALGORITHM

DECRYPTIONALGORITHM



Same shared secret key

Shared Key Shared KeySymmetric KeyCryptography


52/119


DES block cipher using shared key encryption, 56-bit 3DES (Triple DES) a block cipher that applies DES three

times to each data block

AES replacement for DES; it is the current standard

IDEA RC4 variable-length key, stream cipher (generate

stream from key, XOR with data)

RC6 Blowfish


53/119


Symmetric Algorithm Key Size

DES 56-bit keys

Triple DES (3DES) 112-bit and 168-bit keys

AES 128, 192, and 256-bit keys

IDEA 128-bit keysRC2 40 and 64-bit keys

RC4 1 to 256-bit keys

RC5 0 to 2040-bit keys

RC6 128, 192, and 256-bit keys

Blowfish 32 to 448-bit keys

Note:Longer keys are more difficult to crack, but more computationally expensive.


54/119

Block and Stream Cipher

Block cipher takes a block of bits and encrypts them as a single unit operate on a pre-determined block of bits (one byte, one word, 512

bytes, so forth), mixing key data in with the message data in a variety

of different ways.

Stream cipher encrypts bits of the message at a time typically bit-wise. They either have a very long key (that eventually repeats) or a

reusable key that generates a repeatable but seemingly random

string of bits.

They perform some operation (typically an exclusive OR) with one ofthese key bits and one of the message bits.


55/119

Block Cipher

Transforms a fixed-length block of plain text into a block ofciphertext

Works with data per blockCommon block ciphers:

DES and 3DES (in ECB and CBC mode) Skipjack Blowfish RSAAES IDEA Secure and Fast Encryption Routing (SAFER)


56/119

Stream Cipher

Use smaller units of plaintext than what are used with blockciphers.

Typically work with bitsCommon stream ciphers:

RC4 DES and 3DES (running OFB or CFB mode) Software encryption algorithm (SEAL)


57/119

Data Encryption Standard (DES)

Developed by IBM for the US government in 1973-1974,and approved in Nov 1976.

Based on Horst Feistels Lucifer cipherblock cipher using shared key encryption, 56-bit key length

Block size: 64 bits


58/119

DES: Illustration

Plaintext

ENCRYPTIONALGORITHM

DECRYPTIONALGORITHM



56-bit keys +8 bits parity

64-bit blocks of input text


59/119

Triple DES

3DES (Triple DES) a block cipher that applies DES threetimes to each data block

Uses a key bundle comprising of three DES keys (K1, K2,K3), each with 56 bits excluding parity.

DES encrypts with K1, decrypts with K2, then encrypts withK3

Disadvantage: very slowC

i= E

K3(D

K2(E

K1(P

i)))


60/119

3DES: Illustration

Note: If Key1 = Key2 = Key3, this is similar to DES Usually, Key1 = Key3

Plaintext

ENCRYPT

Ciphertext

Key 1

DECRYPT ENCRYPT

Key 2 Key 3


61/119

Advanced Encryption Standard (AES)

Published in November 2001 Symmetric block cipher Has a fixed block size of 128 bits Has a key size of 128, 192, or 256 bits Based on Rijndael cipher which was developed by Joan

Daemen and Vincent Rijmen

Better suited for high-througput, low latency environments


62/119

Rivest Cipher

RC Algorithm Description

RC2 Variable key-sized cipher used as a drop in replacementfor DES

RC4 Variable key sized stream cipher; Often used in fileencryption and secure communications (SSL)

RC5 Variable block size and variable key length; uses 64-bitblock size; Fast, replacement for DES

RC6 Block cipher based on RC5, meets AES requirement


63/119

RC4

Most widely used stream cipher Popularly used in Secure Socket Layer (SSL) and Wired

Equivalent Privacy (WEP) protocols

Although simple and fast, it is vulnerable and can lead toinsecure systems


64/119

Asymmetric Key Algorithm

Also called public-key cryptography Keep private key privateAnyone can see public key

separate keys for encryption and decryption (public andprivate key pairs)

Examples of asymmetric key algorithms: RSA, DSA, Diffie-Hellman, El Gamal, Elliptic Curve and PKCS


65/119

Asymmetric Encryption

Plaintext

ENCRYPTIONALGORITHM

DECRYPTIONALGORITHM



Public Key Private KeyAsymmetric KeyCryptography

Different keys


66/119

Asymmetric Key Algorithm

RSA the first and still most common implementation DSA specified in NISTs Digital Signature Standard

(DSS), provides digital signature capability for

authentication of messages

Diffie-Hellman used for secret key exchange only, and notfor authentication or digital signature

ElGamal similar to Diffie-Hellman and used for keyexchange

PKCS set of interoperable standards and guidelines


67/119

Symmetric vs. Asymmetric Key

Symmetric Asymmetric

generally fastSame key for both encryption and

decryption

Can be 1000 times slowerUses two different keys (public and

private)Decryption key cannot be calculated

from the encryption keyKey lengths: 512 to 4096 bits

Used in low-volume


68/119

Hash Functions

produces a condensed representation of a message (hashing) The fixed-length output is called the hash or message digest A hash function takes an input message of arbitrary length and

outputs fixed-length code. The fixed-length output is called the

hash, or the message digest, of the original input message.

A form of signature that uniquely represents the data Uses:

Verifying file integrity - if the hash changes, it means the data is eithercompromised or altered in transit.

Digitally signing documents Hashing passwords


69/119

Hash Functions

Message Digest (MD) Algorithm Outputs a 128-bit fingerprint of an arbitrary-length input

Secure Hash Algorithm (SHA) SHA-1 produces a 160-bit message digest similar to MD5 Widely-used on security applications (TLS, SSL, PGP, SSH, S/MIME,

IPsec)

SHA-256, SHA-384, SHA-512 are also commonly used, which canproduce hash values that are 256, 384, and 512-bits respectively

RIPEMD


70/119

Digital Signature

A digital signature is a message appended to a packet The sender encrypts message with own private key instead

of encrypting with intended receivers public key

The receiver of the packet uses the sender

s public key toverify the signature.

Used to prove the identity of the sender and the integrity ofthe packet


71/119

Digital Signature

Two common public-key digital signature techniques: RSA (Rivest, Shamir, Adelman) DSS (Digital Signature Standard)

Successful verification assures: The packet has not been altered The identity of the sender

71


72/119

Digital Signature Process

1. Hash the data using one of the supported hashingalgorithms (MD5, SHA-1, SHA-256)

2. Encrypt the hashed data using the senders private key3.

Append the signature (and a copy of the senders publickey) to the end of the data that was signed)

DATAHASH(DATA)

DIGITALSIGNATURE

MD5/SHA-1 PRIVATE KEY


73/119

Signature Verification Process

1. Hash the original data using the same hashing algorithm2. Decrypt the digital signature using the senders public key. All

digital signatures contain a copy of the signers public key

3. Compare the results of the hashing and the decryption. If thevalues match then the signature is verified. If the values do notmatch, then the data or signature was probably modified.

DATAHASH

(DATA)

HASH(DIGITAL SIG)

MD5/SHA-1

MATCH?


74/119

RSA Public Key Cryptography

Based on relative ease of multiplying large primes togetherbut almost impossible to factor the resulting product

RSA keys: 3 special numeric valuesAlgorithm produces public keys that are tied to specificprivate keys

Provides both digital signatures and public-key encryption

74


75/119

What Is Diffie-Hellman?

Arguably the first public key algorithm (1976) Diffie Hellman is a key establishment algorithm

Two parties in a DH exchange can generate a shared secret Combining ones private key and the others public key, both parties

can compute the same shared secret number. There can even be N-party DH exchanges where N peers can all

establish the same secret key

Diffie Hellman can be done over an insecure channel

75


76/119

Diffie-Hellman

http://en.wikipedia.org/wiki/File:DiffieHellman.png


77/119

DH Man-in-the-Middle Attack

Diffie-Hellman is subject to a man-in-the-middle attack Digital signatures of the public values can enable each

party to verify that the other party actually generated the

value

=> DH exchanges need to be authenticated!!

XA XB

a , p

YAYB


78/119

Questions?


79/119

Public Key Infrastructure



80/119

Overview

Typical Scenario Public Key Infrastructure Digital Certificates Certificate Authority


81/119


Framework that builds the network of trust Combines public key cryptography, digital signatures, to

ensure confidentiality, integrity, authentication,

nonrepudiation, and access control

Protects applications that require high level of security


82/119

Functions of a PKI

Registration Initialization Certification Key pair recovery Key generation Key update Cross-certification Revocation

f


83/119


Source: http://commons.wikimedia.org

C f PKI


84/119

Components of a PKI

Certificate authority The trusted third party Trusted by both the owner of the certificate and the party relying upon

the certificate.

Validation authority Registration authority Central directory

C tifi t


85/119

Certificates

Public key certificates bind public key values to subjects A trusted certificate authority (CA) verifies the subjects identity

and digitally sign each certificate Validates

Has a limited valid lifetime Can be used using untrusted communications and can be

cached in unsecured storage Because client can independently check the certificates signature

Certificate is NOT equal to signature It is implemented using signature

Certificates are static If there are changes, it has to be re-issued

Di it l C tifi t


86/119

Digital Certificate

Digital certificate basic elementof PKI; secure credential that

identifies the owner

Also called public key certificate

Di it l C tifi t


87/119

Digital Certificate

deals with the problem of Binding a public key to an entityA major legal issue related to eCommerce

A digital certificate contains: Users public key Users ID Other information e.g. validity period

Certificate examples: X509 (standard) PGP (Pretty Good Privacy) Certificate Authority (CA) creates and digitally signs certificates

Di it l C tifi t


88/119

Digital Certificate

To obtain a digital certificate, Alice must: Make a certificate signing request to the CAAlice sends to CA:

Her identifier IdA Her public key KA_PUB Additional information

CA returns Alices digital certificate, cryptographicallybinding her identity to public key:

CertA = {IDA, KA_PUB, info, SigCA(IDA,KA_PUB,info)}

Di it l C tifi t


89/119

Digital Certificate

To obtain a digital certificate, Alice must: Make a certificate signing request to the CAAlice sends to CA:

Her identifier IdA Her public key KA_PUB Additional information

CA returns Alices digital certificate, cryptographicallybinding her identity to public key:

CertA = {IDA, KA_PUB, info, SigCA(IDA,KA_PUB,info)}

X 509


90/119

X.509

An ITU-T standard for a public key infrastructure (PKI) andPrivilege Management Infrastructure (PMI)

Assumes a strict hierarchical system of CertificateAuthorities (CAs)

RFC 1422 basis of X.509-based PKI Current version X.509v3 provides a common baseline for

the Internet

Structure of a Certificate, certificate revocation (CRLs)

X 509 C tifi t U


91/119

X.509 Certificate Usage

Fetch certificate Fetch certificate revocation list

(CRL)

Check the certificate against theCRL

Check signature using thecertificate

Certificate CRL

Signature

Check

Check

E tifi t t i


92/119

Every certificate contains

Body of the certificate Version number, serial number, names of the issuer and subject Public key associated with the subject Expiration date (not before, not after) Extensions for additional tributes

Signature algorithm Used by the CA to sign the certificate

Signature Created by applying the certificate body as input to a one-way hash

function. The output value is encrypted with the CAs private key to

form the signature value

C tifi t A th it


93/119

Certificate Authority

Issuer and signer of the certificate Trusted (Third) Party

Based on trust model Who to trust?

Types: Enterprise CA Individual CA (PGP) Global CA (such as VeriSign)

Functions: Enrolls and Validates Subscribers Issues and Manages Certificates Manages Revocation and Renewal of Certificates Establishes Policies & Procedures

Registration A thorit


94/119

Registration Authority

For big CAs, a separate RA might be necessary to takesome work off the CA

Purpose: Identity verification and registration of the entity applying for a

certificate

Certificate Revocation Lists


95/119

Certificate Revocation Lists

CA periodically publishes a data structure called acertificate revocation list (CRL).

Described in X.509 standard. Each revoked certificate is identified in a CRL by its serial

number.

CRL might be distributed by posting at known Web URL orfrom CAs own X.500 directory entry.


96/119

Questions?


97/119

Internet Resource

Registration WhoisDatabase

What is the APNIC Database?


98/119

What is the APNIC Database?

Public network management database Operated by IRs

Public data only For private data: Please see Privacy of customer

assignment module

Tracks network resources IP addresses, ASNs, Reverse Domains, Routing policies

Records administrative information

Contact information (persons/roles)

Authorisation

Whois Database Query Clients


99/119

Whois Database Query - Clients

Standard whois client Included with many Unix distributions

RIPE extended whois client http://ftp.apnic.net/apnic/dbase/tools/

ripe-dbase-client.tar.gz

Query via the APNIC website http://www.apnic.net/apnic-bin/whois2.pl

Query clients - MS-Windows etc

Object Types


100/119

Object Types

OBJECT PURPOSE

person contact persons

role contact groups/roles

inetnum IPv4 addresses

inet6num IPv6 addresses

aut-num Autonomous System number

domain reverse domains

route prefixes being announced

mntner (maintainer) data protection

http://www.apnic.net/db/

Database Object


101/119

Database Object

An object is a set of attributes and values Each attribute of an object...

Has a value Has a specific syntax Is mandatory or optional Is single- or multi-valued

Some attributes ... Are primary (unique) keys Are lookup keys for queries Are inverse keys for queries

Object templates illustrate this structure

Inter related Objects


102/119

Inter-related Objects

inetnum:202.64.10.0 202.64.10.255admin-c: KX17-APtech-c: ZU3-AP

mnt-by: MAINT-WF-EX

IPv4 addresses

person:

nic-hdl: ZU3-AP

Contactinfo

person:

nic-hdl: KX17-AP

Contact info

mntner:

MAINT-WF-EX

Data protection

Database Query Look up Keys


103/119

Database Query Look-up Keys

OBJECT TYPE ATTRIBUTES LOOK-UP KEYS

* Whois supports queries on any of these objects/keys

name, nic-hdl, e-mail

name, nic-hdl, e-mail

maintainer name

network number, namedomain name

as number

as-macro name

route value

network number, name

person

role

mntner

inetnumdomain

aut-num

as-macro

route

inet6num

Object Templates


104/119

Object Templates

person: [mandatory] [single] [primary/look-up key]

address: [mandatory] [multiple] [ ]

country: [mandatory] [single] [ ]

phone: [mandatory] [multiple] [ ]

fax-no: [optional] [multiple] [ ]

e-mail: [mandatory] [multiple] [look-up key]

nic-hdl: [mandatory] [single] [primary/look-up key]

remarks: [optional] [multiple] [ ]

notify: [optional] [multiple] [inverse key]

mnt-by: [mandatory] [multiple] [inverse key]

changed: [mandatory] [multiple] [ ]

source: [mandatory] [single] [ ]

% whois -h whois.apnic.net -t person

To obtain template structure*, use :whois -t

*Recognised by the RIPE whois client/server

Person Object Example


105/119

Person Object Example

Person objects contain contact information

person:

address:

address:address:

country:

phone:

fax-no:

e-mail:nic-hdl:

mnt-by:

changed:

source:

Attributes Values

Ky Xander

ExampleNet Service Provider

2 Pandora St BoxvilleWallis and Futuna Islands

WF

+680-368-0844

+680-367-1797

[email protected]

MAINT-WF-EX

[email protected] 20100731

APNIC

What is a nic-hdl?


106/119

What is a nic-hdl?

Unique identifier for a person Represents a person object

Referenced in objects for contact details (inetnum, aut-num, domain)

format: Eg: KX17-APperson: Ky Xanderaddress: ExampleNet Service Provider

address: 2 Pandora St Boxville

address: Wallis and Futuna Islands

country: WF

phone: +680-368-0844fax-no: +680-367-1797

e-mail: [email protected]

nic-hdl: KX17-APmnt-by: MAINT-WF-EX

changed: [email protected] 20020731

source: APNIC

Inetnum Object Example


107/119

Inetnum Object Example

Contain IP address allocations / assignmentsinetnum:netname:

descr:descr:

country:

admin-c:

tech-c:

mnt-by:mnt-lower:

changed:

status:

source:

202.51.64.0 - 202.51.95.255

CCNEP-NP-APCommunication & Communicate Nepal Ltd

VSAT Service Provider, Kathmandu

NP

AS75-APAS75-AP

APNIC-HMMAINT-NP-ARUN

[email protected] 20010205

ALLOCATED PORTABLEAPNIC

Attributes Values

ISP Registration Responsibilities


108/119

ISP Registration Responsibilities

1. Create person objects for contacts To provide contact info in other objects

2. Create mntner object To provide protection of objects

3. Create inetnum objects for all customer

address assignments as private data But you may change these to be public data if you wish Allocation object created by APNIC

4. Protect all the Objects

Using the db Step by Step


109/119

inetnum:

Allocation

(Created by APNIC)

3Using the db Step by Step

Customer Assignments

(Created by ISP)

person:

nic-hdl:

KX17-AP

Contact info

1

Data Protection

mntner:2

inetnum:...

KX17-AP

...

mnt-by:...

4inetnum:...

KX17-AP

...

mnt-by:...

5inetnum:...

KX17-AP

...

mnt-by:...

6

Database Protection - Maintainer Object


110/119

Database Protection - Maintainer Object

mntner: MAINT-WF-EXdescr: Maintainer for ExampleNet Service Provider

country: WF

admin-c: ZU3-AP

tech-c: KX17-AP

upd-to: [email protected]: [email protected]

auth: CRYPT-PW apHJ9zF3o

mnt-by: MAINT-WF-EX

referral-by: MAINT-APNIC-AP

changed: [email protected] 20020731source: APNIC

protects other objects in the APNIC database

Database Protection


111/119

Database Protection

Authorisation mnt-by references a mntner object

Can be found in all database objects mnt-by should be used with every object!

Authentication Updates to an object must pass the authentication rule specified by

its maintainer object

Authorisation Mechanism


112/119

Authorisation Mechanism

mntner: MAINT-WF-EXdescr: Maintainer for ExampleNet Service Provider

country: WFadmin-c: ZU3-AP

tech-c: KX17-APupd-to: [email protected]

mnt-nfy: [email protected]: CRYPT-PW apHJ9zF3omnt-by: MAINT-WF-EX

changed: [email protected] 20020731

source: APNIC

inetnum: 202.137.181.0 202.137.185.255

netname: EXAMPLENET-WFdescr: ExampleNet Service Provider.

mnt-by: MAINT-WF-EX

Authentication Methods


113/119

Authentication Methods

auth attribute Crypt-PW

Crypt (Unix) password encryption Use web page to create your maintainer

PGP GNUPG Strong authentication Requires PGP keys

MD5 Available

Mnt-by & Mnt-lower


114/119

y

mnt-by attribute

Can be used to protect any object Changes to protected object must satisfy authentication

rules of mntner object.

mnt-lower attributeAlso references mntner object Hierarchical authorisation for inetnum & domain objects

The creation of child objects must satisfy this mntner Protects against unauthorised updates to an allocatedrange - highly recommended!

Authentication / Authorisation


115/119

Inetnum: 203.146.96.0 - 203.146.127.255

netname: LOXINFO-TH

descr: Loxley Information Company Ltd.

Descr: 304 Suapah Rd, Promprab,Bangkok

country: TH

admin-c: KS32-AP

tech-c: CT2-AP

mnt-by: APNIC-HM

mnt-lower: LOXINFO-IS


Authentication / Authorisation APNIC allocation to member

Created and maintained by APNIC

1. Only APNIC can change this object2. Only LOXINFO-TH can create assignments within this allocation

1

2



116/119

Member assignment to customer Created and maintained by APNIC member

Inetnum: 203.146.113.64 - 203.146.113.127

netname: SCC-TH

descr: Sukhothai Commercial CollegeCountry: TH

admin-c: SI10-AP

tech-c: VP5-AP

mnt-by: LOXINFO-IS



Only LOXINFO-IS can change this object

Customer Privacy


117/119

Customer Privacy

Privacy issues Concerns about publication of customer information Increasing government concern

APNIC legal risk Legal responsibility for accuracy and advice Damages incurred by maintaining inaccurate personal

data

Customer data is hard to maintainAPNIC has no direct control over accuracy of data

Customer assignment registration is stillmandatory

What Needs to be Visible?


118/119

must bevisible

visibilityoptional

ISP

PORTABLE addresses

NON-PORTABLE addresses

IANA range

Non-APNIC range APNIC range

NIR rangeAPNIC allocations & assignments

NIR allocations & assignments

Customer assignments Infrastructure Sub-allocations


119/119

Questions?

keamanan jaringan apjii.pdf

Documents