Network security
Public Concerné
Not applicable as this Specific Unit (US) is an integral part of a coherent degree.
Objectifs pédagogiques
This course covers the main aspects of network security. It presents general security problems (confidentiality, integrity, availability, authentication and access control, non-repudiation), known standard solutions for these problems and their implementation in the Internet architecture.
Capacité et compétences acquises
- Understand security issues.
- Manage risks related to information technology.
- Deploy appropriate solutions according to the confidentiality, integrity and availability constraints of business applications.
Contenu de la formation
0) Introduction to IT security and risk management (ISO 27000 standards)
1) Cryptographic primitives:
1) Cryptographic primitives:
- Cryptographically strong random number generators
- Historical approaches: codes, steganography, encryption
- Kerckhoffs principle
- Taxonomy of cryptanalysis techniques. Example clock attack on smart cards.
- Friedman's coincidence index
- Historical algorithms: Caesar, Vigenère, Playfair, ADFGVX, Enigma
- Unconditional security of the one-time pad (Vernam cipher)
- Shannon's information theory and consequences on algorithmic security
- Turing's complexity theory, and computational security. NP-complete problems.
- Semantic security, cryptogram indistinguishability and non-malleability.
- Symmetrical ciphers: stream (A5/1, RC4, ChaCha20), block (DES, AES) and their operating modes (ECB, CBC, CTR)
- Arithmetic notions: modulo n congruences, Euclidean division, GCD, LCM, Euclid's algorithm, Bézout relations, Chinese remainder theorem, Euler indicator
- Public-key cryptography: backpack, RSA, OAEP padding, Diffie-Hellman, elliptical curves. Non-repudiation and digital signatures.
- Cryptographic hash functions: birthday attacks, Merkle-Damgård constructs (MD5, SHA1 and 2), RFC2104 HMACs, sponge functions (SHA3).
- Public Key Infrastructures: X509v3 certificates, certification authorities, double key pair deployments and encryption private key escrow, revocation (CRL, OCSP RFC6960). Hands-on labs deploying a certification authority, enabling encryption on a web server (HTTPS) and on electronic mail (S/MIME).
- Applications of quantum theory and consequences on cryptosystem security: Shor and Grover algorithms.
- Authentication: via password (storage techniques : hashing and salt), biometrics (fingerprints, iris recognition...) and token (smart card...) Strong / multifactor authentication.
- Authorization: access control lists and capacities
- Hierarchical security models (Bell-LaPadula, Biba...) and compartments. Examples with SELinux and Windows 10. Discretionary vs. Mandatory Access Control.
- CIA classification (FIPS 199, ISO 27000): impact scale and controls.
- Access management: role-based access control. Segregation of duties and least privilege.
- Identity management: generic and privileged accounts
- Covert channels: example with Covert_TCP
- Inference control in statistical databases
- Failures, MTBF and MTTR
- ANSI/TIA-942 standard and Datacenter availability levels
- Server availability
- Local storage reliability and virtualization: RAID levels, logical volume management
- Storage centralization and optimization: Storage Area Networks (SAN), SCSI protocol, Fiber Channel, storage tiering, thin provisioning, over-subscription and thin persistence. Block-level deduplication. World-Wide Names, FC Zoning and LUN masking. SAN fabrics, multi-pathing and ALUA. FCoE and iSCSI.
- Network redundancy at the link layer: LACP IEEE 802.3ad, multi-switch extensions (Virtual Ports channels), or active/passive mode. VLAN loop management with Multiple Spanning Tree (802.1q)
- Recovery Time Objective (RTO)
- High Availability: physical HA clusters, server virtualization ("compute"): license impact
- Disaster Recovery and Business Continuity Planning: maximum admissible data loss (RPO)
- SAN-to-SAN data replication, synchronous (metropolitan networks) or asynchronous
- Stretched VLAN between Data Centers, Network Virtualization (VXLAN) and Overlay Transport Virtualization
- Basic authentication primitives: challenge/response, nonces, mutual authentication schemes, perfect forward secrecy, timestamps
- TCP-based authentication, and sequence number prediction. Example with SMTP (email).
- Zero-Knowledge Proofs: transcription, simulators. Examples based on graph isomorphisms, Hamiltonian circuits, and the Feige-Fiat-Shamir protocol. Iteration parallelization.
- Transport Layer Security: SSL/TLS
- Network layer security: IPSec, IKE, AH/ESP
- Applicative layer security: Kerberos (Active Directory), KDC, TGT and resource tickets
- Link-layer security: GSM security architecture. Roaming, authentication and confidentiality. 3G/4G changes.
Description des modalités de validation
Final exam.
Prévisions d'ouverture
| Groupe | Semestre | Modalité | État d'ouverture | Date du premier cours | Lieux | ||
|---|---|---|---|---|---|---|---|
| USEEK7 | Network security | 6 | Cours de Jour | - | - | - | - |
Voir les dates et horaires, les lieux d'enseignement et les modes d'inscription sur les sites internet des centres régionaux qui proposent cette formation
