Introduces aspects on security threats and their countermeasures in both fixed and wireless networks, advising on how countermeasures can provide secure communication infrastructures. Enables the reader to understand the risks of inappropriate network security, what mechanisms and protocols can be deployed to counter these risks, and how these mechanisms and protocols work.
Table of Contents:
About the authors xiii
Preface to the second edition xv
Preface to the first edition xvii
I Foundations of Data Security Technology 1
1 Introduction 3
1.1 Content and Structure of this Book 4
1.2 Threats and Security Goals 6
1.3 Network Security Analysis 9
1.4 Information Security Measures 13
1.5 Important Terms Relating to Communication Security 14
2 Fundamentals of Cryptology 17
2.1 Cryptology, Cryptography and Cryptanalysis 17
2.2 Classification of Cryptographic Algorithms 18
2.3 Cryptanalysis 19
2.4 Estimating the Effort Needed for Cryptographic Analysis 21
2.5 Characteristics and Classification of Encryption Algorithms 23
2.6 Key Management 25
2.7 Summary 27
2.8 Supplemental Reading 28
2.9 Questions 29
3 Symmetric Cryptography 31
3.1 Encryption Modes of Block Ciphers 31
3.2 Data Encryption Standard 37
3.3 Advanced Encryption Standard 43
3.4 RC4 Algorithm 48
3.5 The KASUMI algorithm 51
3.6 Summary 53
3.7 Supplemental Reading 54
3.8 Questions 55
4 Asymmetric Cryptography 57
4.1 Basic Idea of Asymmetric Cryptography 57
4.2 Mathematical Principles 60
4.3 The RSA Algorithm 69
4.4 The Problem of the Discrete Logarithm 71
4.5 The Diffie–Hellman Key Exchange Algorithm 75
4.6 The ElGamal Algorithm 77
4.7 Security of Conventional Asymmetric Cryptographic Schemes 80
4.8 Principles of Cryptography Based on Elliptic Curves 81
4.9 Summary 93
4.10 Supplemental Reading 94
4.11 Questions 95
5 Cryptographic Check Values 97
5.1 Requirements and Classification 97
5.2 Modification Detection Codes 99
5.3 Message Authentication Codes 112
5.4 Message Authentication Codes Based on MDCs 116
5.5 Authenticated Encryption 117
5.6 Summary 121
5.7 Supplemental Reading 122
5.8 Questions 123
6 Random Number Generation 125
6.1 Random Numbers and Pseudo-Random Numbers 125
6.2 Cryptographically Secure Random Numbers 126
6.3 Statistical Tests for Random Numbers 128
6.4 Generation of Random Numbers 129
6.5 Generating Secure Pseudo-Random Numbers 130
6.6 Implementation Security 133
6.7 Summary 134
6.8 Supplemental Reading 135
6.9 Questions 136
7 Cryptographic Protocols 137
7.1 Properties and Notation of Cryptographic Protocols 137
7.2 Data Origin and Entity Authentication 139
7.3 Needham–Schroeder Protocol 143
7.4 Kerberos 147
7.5 International Standard X.509 155
7.6 Security of Negotiated Session Keys 160
7.7 Advanced Password Authentication Methods 161
7.8 Formal Validation of Cryptographic Protocols 166
7.9 Summary 176
7.10 Supplemental Reading 177
7.11 Questions 178
8 Secure Group Communication* 179
8.1 Specific Requirements for Secure Group Communication 179
8.2 Negotiation of Group Keys 181
8.3 Source Authentication 189
8.4 Summary 193
8.5 Supplemental Reading 194
8.6 Questions 194
9 Access Control 197
9.1 Definition of Terms and Concepts 197
9.2 Security Labels 199
9.3 Specification of Access Control Policies 201
9.4 Categories of Access Control Mechanisms 202
9.5 Summary 204
9.6 Supplemental Reading 204
9.7 Questions 205
II Network Security 207
10 Integration of Security Services in Communication Architectures 209
10.1 Motivation 209
10.2 A Pragmatic Model 211
10.3 General Considerations for the Placement of Security Services 213
10.4 Integration in Lower Protocol Layers vs Applications 216
10.5 Integration into End Systems or Intermediate Systems 217
10.6 Summary 219
10.7 Supplemental Reading 219
10.8 Questions 219
11 Link Layer Security Protocols 221
11.1 Virtual Separation of Data Traffic with IEEE 802.1Q 222
11.2 Securing a Local Network Infrastructure Using IEEE 802.1X 224
11.3 Encryption of Data Traffic with IEEE 802.1AE 226
11.4 Point-to-Point Protocol 228
11.5 Point-to-Point Tunneling Protocol 236
11.6 Virtual Private Networks 242
11.7 Summary 243
11.8 Supplemental Reading 245
11.9 Questions 246
12 IPsec Security Architecture 249
12.1 Short Introduction to the Internet Protocol Suite 249
12.2 Overview of the IPsec Architecture 253
12.3 Use of Transport and Tunnel Modes 261
12.4 IPsec Protocol Processing 263
12.5 The ESP Protocol 267
12.6 The AH Protocol 273
12.7 The ISAKMP Protocol 279
12.8 Internet Key Exchange Version 1 286
12.9 Internet Key Exchange Version 2 293
12.10 Other Aspects of IPsec 297
12.11 Summary 299
12.12 Supplemental Reading 300
12.13 Questions 301
13 Transport Layer Security Protocols 303
13.1 Secure Socket Layer 303
13.2 Transport Layer Security 315
13.3 Datagram Transport Layer Security 322
13.4 Secure Shell 323
13.5 Summary 332
13.6 Supplemental Reading 333
13.7 Questions 334
III Secure Wireless and Mobile Communications 335
14 Security Aspects of Mobile Communication 337
14.1 Threats in Mobile Communication Networks 337
14.2 Protecting Location Confidentiality 338
14.3 Summary 343
14.4 Supplemental Reading 343
14.5 Questions 343
15 Security in Wireless Local Area Networks 345
15.1 The IEEE 802.11 Standard for WLANs 345
15.2 Entity Authentication 347
15.3 Wired Equivalent Privacy 353
15.4 Robust Secure Networks 358
15.5 Security in Public WLANs 365
15.6 Summary 367
15.7 Supplemental Reading 368
15.8 Questions 369
16 Security in Mobile Wide-Area Networks 371
16.1 Global System for Mobile Communication 371
16.2 Universal Mobile Telecommunications System 378
16.3 Long-Term Evolution385
16.4 Summary 389
16.5 Supplemental Reading 390
16.6 Questions 391
IV Protecting Communications Infrastructures 393
17 Protecting Communications and Infrastructure in Open Networks 395
17.1 Systematic Threat Analysis 396
17.2 Security of End Systems 399
17.3 Summary 411
17.4 Supplemental Reading 411
17.5 Questions 412
18 Availability of Data Transport 413
18.1 Denial-of-Service Attacks 413
18.2 Distributed Denial-of-Service Attacks 420
18.3 Countermeasures 422
18.4 Summary 433
18.5 Supplemental Reading 434
18.6 Questions 435
19 Routing Security 437
19.1 Cryptographic Protection of BGP 441
19.2 Identification of Routing Anomalies* 450
19.3 Summary 455
19.4 Supplemental Reading 456
19.5 Questions 457
20 Secure Name Resolution 459
20.1 The DNS Operating Principle 459
20.2 Security Objectives and Threats 461
20.3 Secure Use of Traditional DNS 467
20.4 Cryptographic Protection of DNS 469
20.5 Summary 481
20.6 Supplemental Reading 482
20.7 Questions 483
21 Internet Firewalls 485
21.1 Tasks and Basic Principles of Firewalls 485
21.2 Firewall-Relevant Internet Services and Protocols 487
21.3 Terminology and Building Blocks 490
21.4 Firewall Architectures 491
21.5 Packet Filtering 495
21.6 Bastion Hosts and Proxy Servers 500
21.7 Other Aspects of Modern Firewall Systems 502
21.8 Summary 503
21.9 Supplemental Reading 504
21.10 Questions 505
22 Automated Attack Detection and Response 507
22.1 Operating Principle and Objectives of Intrusion Detection Systems 508
22.2 Design and operation of network-based IDSs 512
22.3 Response to Attacks and Automatic prevention 521
22.4 Techniques for Evading NIDSs 524
22.5 Summary 526
22.6 Supplemental Reading 527
22.7 Questions 528
23 Management of Complex Communication Infrastructures* 529
23.1 Automatic Certificate Management 529
23.2 Automatic VPN Configuration 536
23.3 Summary 550
23.4 Supplemental Reading 552
23.5 Questions 554
Bibliography 555
Abbreviations 585
Index 595
About the Author :
Guenter Schaefer, Professor, Technische Universität Ilmenau, Germany. After obtaining his Ph.D. degree (1998) he worked at Ecole Nationale Supérieure des Télécommunications, Paris, France (1999 - 2000). Between 2000 and 2005, he was researcher at Technische Universitaet Berlin, Germany where he was leading the network security laboratory. Since 2005 he is at his current post leading the Telematics/Computer Networks research group. His research interests lie in the areas of network security, networking protocols, mobile communications, and innovative communication services/architectures, and he regularly gives courses on network security, networking subjects and basics of computer science.
Michael Rossberg, PostDoc Researcher, Technische Universität Ilmenau, Germany. In 2011 he obtained his Ph.D. in computer science with a thesis on peer-to-peer-based auto-configuration of large scale IPsec VPNs. His research interests lie in network security and performance evaluation/optimization. In 2010, Michael Rossberg and Guenter Schaefer were jointly awarded with the third prize of the German IT Security Award for their work on automatic configuration of large scale VPNs.
Translated by Herbert Eppel at HE Translations, Leicester, UK (https://HETranslations.uk) DISCLAIMER: By including the link to this site, this does not mean the site is endorsed by Wiley
