Network security

Code UE : USEEK7

  • Cours
  • 6 crédits

Responsable(s)

Jean-Pierre CHEVALIER

Nicolas PIOCH

Public et conditions d'accès

Not applicable as this Specific Unit (US) is an integral part of a coherent degree.

Objectifs pédagogiques

This course covers the main aspects of network security. It presents general security problems (confidentiality, integrity, availability, authentication and access control, non-repudiation), known standard solutions for these problems and their implementation in the Internet architecture.

Compétences visées

  • Understand security issues.
  • Manage risks related to information technology.
  • Deploy appropriate solutions according to the confidentiality, integrity and availability constraints of business applications.
 

Contenu

0) Introduction to IT security and risk management (ISO 27000 standards)
1) Cryptographic primitives:
  • Cryptographically strong random number generators
  • Historical approaches: codes, steganography, encryption
  • Kerckhoffs principle
  • Taxonomy of cryptanalysis techniques. Example clock attack on smart cards.
  • Friedman’s coincidence index
  • Historical algorithms: Caesar, Vigenère, Playfair, ADFGVX, Enigma
  • Unconditional security of the one-time pad (Vernam cipher)
  • Shannon’s information theory and consequences on algorithmic security
  • Turing’s complexity theory, and computational security. NP-complete problems.
  • Semantic security, cryptogram indistinguishability and non-malleability.
  • Symmetrical ciphers: stream (A5/1, RC4, ChaCha20), block (DES, AES) and their operating modes (ECB, CBC, CTR)
  • Arithmetic notions: modulo n congruences, Euclidean division, GCD, LCM, Euclid’s algorithm, Bézout relations, Chinese remainder theorem, Euler indicator
  • Public-key cryptography: backpack, RSA, OAEP padding, Diffie-Hellman, elliptical curves. Non-repudiation and digital signatures.
  • Cryptographic hash functions: birthday attacks, Merkle-Damgård constructs (MD5, SHA1 and 2), RFC2104 HMACs, sponge functions (SHA3).
  • Public Key Infrastructures: X509v3 certificates, certification authorities, double key pair deployments and encryption private key escrow, revocation (CRL, OCSP RFC6960). Hands-on labs deploying a certification authority, enabling encryption on a web server (HTTPS) and on electronic mail (S/MIME).
  • Applications of quantum theory and consequences on cryptosystem security: Shor and Grover algorithms.
2) Access controls and information security:
  • Authentication: via password (storage techniques : hashing and salt), biometrics (fingerprints, iris recognition…) and token (smart card...) Strong / multifactor authentication.
  • Authorization: access control lists and capacities
  • Hierarchical security models (Bell-LaPadula, Biba…) and compartments. Examples with SELinux and Windows 10. Discretionary vs. Mandatory Access Control.
  • CIA classification (FIPS 199, ISO 27000): impact scale and controls.
  • Access management: role-based access control. Segregation of duties and least privilege.
  • Identity management: generic and privileged accounts
  • Covert channels: example with Covert_TCP
  • Inference control in statistical databases
3) Availability and dependability:
  • Failures, MTBF and MTTR
  • ANSI/TIA-942 standard and Datacenter availability levels
  • Server availability
  • Local storage reliability and virtualization: RAID levels, logical volume management
  • Storage centralization and optimization: Storage Area Networks (SAN), SCSI protocol, Fiber Channel, storage tiering, thin provisioning, over-subscription and thin persistence. Block-level deduplication. World-Wide Names, FC Zoning and LUN masking. SAN fabrics, multi-pathing and ALUA. FCoE and iSCSI.
  • Network redundancy at the link layer: LACP IEEE 802.3ad, multi-switch extensions (Virtual Ports channels), or active/passive mode. VLAN loop management with Multiple Spanning Tree (802.1q)
  • Recovery Time Objective (RTO)
  • High Availability: physical HA clusters, server virtualization (“compute”): license impact
  • Disaster Recovery and Business Continuity Planning: maximum admissible data loss (RPO)
  • SAN-to-SAN data replication, synchronous (metropolitan networks) or asynchronous
  • Stretched VLAN between Data Centers, Network Virtualization (VXLAN) and Overlay Transport Virtualization
4) Security protocols
  • Basic authentication primitives: challenge/response, nonces, mutual authentication schemes, perfect forward secrecy, timestamps
  • TCP-based authentication, and sequence number prediction. Example with SMTP (email).
  • Zero-Knowledge Proofs: transcription, simulators. Examples based on graph isomorphisms, Hamiltonian circuits, and the Feige-Fiat-Shamir protocol. Iteration parallelization.
  • Transport Layer Security: SSL/TLS
  • Network layer security: IPSec, IKE, AH/ESP
  • Applicative layer security: Kerberos (Active Directory), KDC, TGT and resource tickets
  • Link-layer security: GSM security architecture. Roaming, authentication and confidentiality. 3G/4G changes.
 

Modalité d'évaluation

Final exam.

Bibliographie

  • Bruce Schneier : Applied Cryptography
  • Ross Anderson : 'Security Engineering', 2d Edition, Wiley, 2008
  • Alfred J. Menezes, Paul C. van Oorschot et Scott A. Vanstone : 'Handbook of applied cryptography', CRC Press, 2001

Cette UE apparaît dans les diplômes et certificats suivants

Contact

EPN03 - Easy
292 rue Saint-Martin 11-B-2
75141 Paris Cedex 03
Tel :01 40 27 24 81
Françoise Dehaynin

Voir les dates et horaires, les lieux d'enseignement et les modes d'inscription sur les sites internet des centres régionaux qui proposent cette formation

Enseignement non programmé s'il s'agit d'un diplôme, d'un certificat ou d'une UE ou enseignement qui ne fait jamais l'objet d'une programmation s'il s'agit d'une UA ou d'une US (le code formation commence alors par UA ou US).