An Overview Muhammad Najmul Islam Farooqui Assistant Professor Department of Computer Engineering 1
Jan 08, 2016
An Overview
Muhammad Najmul Islam FarooquiAssistant Professor
Department of Computer Engineering
1
M. Najmul Islam Farooqui (DE) Kashif Habib (AB) Ibrahim M. Hussain (C)
2
3
Theory Practical3/4 1/4
Mid Term Exam
Labs
Labs
Theoretical aspects of the course
Practical approachto the course
4
Marks DistributionTotal 100 points
Lectures Labs
Course Work Exams Weekly Labs Attendance
Assign. Quizzes Mid Term Final Lab1, Lab 2 ……Lab n
80 20
10 7014 6
4 6 10 60
Course Coverage
5
6
Week Starting Topics Contents of Topic
Week 1 8-Jul-07 Introduction to Computer Security Historical Review of Computer Security
Threats and attacks to Data Security
A Generic Model of Network Security
Week 2 15-Jul-07 Introduction to Cryptology What is Cryptography & Cryptanalysis?
Concepts of Cryptographic Algorithm
Cryptographic and Cryptanalysis Techniques
Week 3 22-Jul-07 Data Encryption Standard Introduction to DES,SDES
Overview and Mechanism of Encryption in DES
Triple Data Encryption Standard (3-DES)
Week 4 29-Jul-07 Advanced Encryption Standards International Data Encryption Algorithm (IDEA)
Raijndael Algorithm (The Finalist of AES), simplified AES
Mechanism of Encryption in AES
Week 5 05-Aug-07 Key Exchange and Public Key Cryptography Key Exchange Problem
Key Exchange Approaches using Symmetric Key algorithm and Need for Public Key Cryptography
Diffie-Hellman Key Exchange Algorithm
Week 6 12-Aug-07 Rivest-Shamir-Adleman (RSA) Algorithm Introduction to Number Theory,
Cryptographic Techniques in RSA
Examples of RSA
Week 7 19-Aug-07 Elliptic Curve Cryptography Elliptic Curve, Elliptic Curve Groups, Elliptic curve model
ECC Encryption Mechanism
ECC encryption example
Week 8 26-Aug-07 Review of pre-mid-term Topics and Contegential Coverage of Missing Topics
Week X 2-Sep-07 Expected Week for Mid-Term Exam
Course Coverage
7
8
Week 9 09-Sep-07 Digital Signatures Authentication Requirements, Message Authentication Code, Hash Functions
Introduction to Digital Signatures, RSA Approach
Digital Signature Standard (DSS)
Week 10 16-Sep-07 Email Security Email Security Standards
PGP Certificate and Algorithms
Introduction to Trust Models
Week 11 23-Sep-07 IP Security Introduction to IPSec
IPSec Security Model
IPSec Technologies
Week 12 30-Sep-07 Virtual Private Networks Introduction to VPNs
VPN Features
Protocols used in VPNs
Week 13 07-Oct-07 Web and WAP Security Introduction & History of SSL
SSL in Client-Server Architecture
Transport Layer Security
Week 14 14-Oct-07 IDS, Firewall and Viruses Introduction to Firewalls, Components of Firewalls
Types of Firewalls, Architecture and Policies in Intrusion Detection Systems
Introduction to Viruses, Worms and Trojans
Week 15 121-Oct-07 Operating Systems Security Micro-Kernel Security and Authentication (Kerberos)
Resource Management Security
File System Security and Access Control Mechanism
Week 16 28-Oct-07 Review of post-mid-term Topics
Final Quiz, Paper Pattern Discussion
Week 17 04-Nov-07 Final Exams Preparation Break
Week 18 11-Nov-07 Start of Final Exam
Text Book Reference Books
◦ Specific to the course◦ General to the topic
Internet Sources
9
Cryptography and Network Security: Principles & Practice (Fourth Edition)◦ By William Stallings – Prentice Hall Publication
10
Specific to the Course◦ Handbook of Cryptography
By Alfred J. Menezese, Paul C. van Orchi◦ Web Security: A step-by-step Reference Guide
By Lincoln D. Stein – Addison Wesley Publication◦ Internet Security Protocols: Protecting IP Traffic
(Low Price Edition) By Uyless Black – Pearson Education Asia Publication
General to the Topic◦ Active Defense: A Comprehensive Guide to
Network Security By Chris Brenton & Cameron Hunt
11
http://www.ssuet.edu.pk/courses/ce408/CompSec/
http://sites.google.com/site/ibrahimmhr http://www.dcs.ed.ac.uk/home/compsec/ http://www.infosecuritymag.com/ http://www.w3.org/Security/Faq/ http://www.iwar.org.uk/comsec/resources/
security-lecture/
12
Online Access http://www.ssuet.edu.pk/courses/ce408/CompSec/
Soft Copy http://www.ssuet.edu.pk/courses/ce408/CompSec/
Hard Copy Will not be provided
13
Strictly practice your attendance in the class and labs.
No relaxation, compensation or adjustment in your attendance.
Be in Uniform (at least in the class) Preserve the sanity of the class, teachers,
department and the University. Help us in serving you for a better future.
14
The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications) is called Computer Security.
15
16
Computer security is a heady Computer security is a heady concoction of science, technology, concoction of science, technology, and engineering. A secure system and engineering. A secure system is only as strong as the weakest is only as strong as the weakest
link, so each part of the mix needs link, so each part of the mix needs to be good.to be good.
Security◦ The protection of assets.
Computer Security ◦ Focuses on protecting assets within computer
systems. Just as real-world physical security systems vary in their security provision (e.g., a building may be secure against certain kinds of attack, but not all), so computer security systems provide different kinds and amounts of security.
17
For some Computer Security is controlling access to hardware, software and data of a computerized system.
A large measure of computer security is simply keeping the computer system's information secure.
In broader terms, computer security can be thought of as the protection of the computer and its resources against accidental or intentional disclosure of confidential data, unlawful modification of data or programs, the destruction of data, software or hardware.
Computer security also includes the denial of use of one’s computer facilities for criminal activities including computer related fraud and blackmail.
Finally, computer security involves the elimination of weaknesses or vulnerabilities that might be exploited to cause loss or harm.
18
Why the need for Computer Security?◦ The value of computer assets and services
What is the new IT environment?◦ Networks and distributed applications/services◦ Electronic Commerce (E-commerce, E-business)
19
Most companies use electronic information extensively to support their daily business processes.
Data is stored on customers, products, contracts, financial results, accounting etc.
If this electronic information were to become available to competitors or to become corrupted, false or disappear, what would happen? What would the consequences be? Could the business still function?
20
“The network is the computer” Proliferation of networks has increased
security risks much more. Sharing of resources increases complexity of
system. Unknown perimeter (linked networks),
unknown path. Many points of attack. Computer security has to find answers to
network security problems. Hence today the field is called Computer and
Network Security.
21
22
Computer fraud in the U.S. alone exceeds $3 billion each year.
Less than 1% of all computer fraud cases are detectedover 90% of all computer crime goes unreported.
“Although no one is sure how much is lost to EFT crime annually, the consensus is that the losses run in the billions of dollars. Yet few in the financial community are paying any heed.”
Average computer bank theft amounts to $1.5 million.
23
24
25
Millions of dollars of damage resulted from the 1989 San Francisco earthquake.
The fire at Subang International Airport knocked out the computers controlling the flight display system. A post office near the Computer Room was also affected by the soot which decommissioned the post office counter terminals. According to the caretaker, the computers were not burnt but crashed because soot entered the hard disks.
Fire, Earthquakes, Floods, Electrical hazards, etc.
How to prevent?
26
Secrecy Integrity Availability Authenticity Non-repudiation Access control
27
Secrecy requires that the information in a computer system only be accessible for reading by authorized parties.
This type of access includes:◦ Printing◦ Displaying◦ Other forms of disclosure, including simply
revealing the existing of an object
28
Integrity requires that the computer system asset can be modified only by authorized parties.
Modification includes:◦ Writing◦ Changing◦ Changing status◦ Deleting and ◦ Creating
29
Availability requires that computer system assets are available to authorized parties.
Availability is a requirement intended to assure that systems work promptly and service is not denied to authorized users.
30
Integrity: In lay usage, information has integrity when it is timely, accurate, complete, and consistent. However, computers are unable to provide or protect all of these qualities. Therefore, in the computer security field, integrity is often discussed more narrowly as having two data integrity and system integrity.
“Data integrity is a requirement that information and programs are changed only in a specified and authorized manner.”
System integrity is a requirement that a system “performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.”
The definition of integrity has been, and continues to be, the subject of much debate among computer security experts.
31
32
Data
Confidentiality
Data
Integrity
Data
Availability
Secure Data
Data
Authenticity means that parties in a information services can ascertain the identity of parties trying to access information services.
Also means that the origin of the message is certain.
Therefore two types:◦ Principal Authentication◦ Message Authentication
33
Originator of communications can’t deny it later.
Without non-repudiation you could place an order for 1 million dollars of equipment online and then simply deny it later.
Or you could send an email inviting a friend to the dinner and then disclaim it later.
Non-repudiation associates the identity of the originator with the transaction in a non-deniable way.
34
Unauthorized users are kept out of the system. Unauthorized users are kept out of places on
the system/disk. Typically makes use of Directories or Access
Control Lists (ACLs) or Access Control Matrix Objects: Resources that need to be protected Subjects: Entities that need access to
resources Rights: Permissions Each entry is a triple <subject, object, rights>
35
36
OBJECT 1 OBJECT 2 OBJECT 3 OBJECT 4
SUBJECT 1 RW RW R X
SUBJECT 2 R RW R R
SUBJECT 3 X X RW RW
SUBJECT 4 R R R RW
SUBJECT N X R R X
37
For example: User
authentication used for access authorization control purposes in confidentiality.
Non-repudiation is combined with authentication.
Confidentiality
AvailabilityIntegrity
38
A threat is a danger which could affect the security (confidentiality, integrity, availability) of assets, leading to a potential loss or damage.
Interruption Interception Modification Fabrication
39
40
An asset of the system is destroyed or becomes unavailable or unusable. This is an attack on the availability.
Examples include destruction of a piece of hardware, such as a hard disk, the cutting of a communication link, or the disabling of the file management system.
DOS - Denial of Service Attacks have become very well known.
41
42
Information disclosure/information leakage An unauthorized party gains access to an
asset. This is an attack on confidentiality. The unauthorized party could be a person, a
program, or a computer. Examples include:
◦ wiretapping to capture data in a network◦ the illicit copying of files or programs
43
44
Modification is integrity violation. An unauthorized party not only gains access
to but tampers with an asset. This is an attack on the integrity. Examples include changing values in a data
file, altering a program so that it performs differently, and modifying the content of a message being transmitted in a network.
45
46
An unauthorized party inserts counterfeit objects into the system. This is an attack on the authenticity.
Examples include the insertion of spurious messages in a network or the addition of records to a file.
47
48
Computer Security attacks can be classified into two broad categories:◦ Passive Attacks can only observe
communications or data.◦ Active Attacks can actively modify
communications or data. Often difficult to perform, but very powerful. Examples include Mail forgery/modification TCP/IP spoofing/session hijacking
49
50
51
Eavesdropping on or monitoring of transmission.
The goal of the opponent is to obtain information that is being transmitted.
Two types:◦ Release-of-message contents◦ Traffic Analysis
52
Opponent finds out the contents or the actual messages being transmitted.
How to protect?◦ Encryption◦ Steganography
53
More subtle than release-of-message contents.
Messages may be kept secret by masking or encryption but …
The opponent figures out information being carried by the messages based on the frequency and timings of the message.
How to protect?◦ Data/Message Padding◦ Filler Sequences
54
Difficult to detect because there is no modification of data.
Protection approach should be based on prevention rather than detection.
55
Active attacks involve some sort of modification of the data stream or the creation of a false stream.
Four sub-categories:◦ Masquerade◦ Replay◦ Modification of Messages◦ Denial of service
56
An entity pretends to be another. For the purpose of doing some other form of
attack. Example a system claims its IP address to
be what it is not, IP spoofing. How to protect?
◦ Principal/Entity Authentication
57
First passive capture of data and then its retransmission to produce an unauthorized effect.
Could be disastrous in case of critical messages such as authentication sequences, even if the password were encrypted.
How to protect?◦ Time stamps◦ Sequence Numbers
58
Some portion of a legitimate message is altered or messages are delayed or reordered to produce an unauthorized effect.
How to protect?◦ Message Authentication Codes◦ Chaining
59
Prevents the normal use or management of communication facilities.
Such attacks have become very common on the Internet especially against web servers.
On the Internet remotely located hackers can crash the TCP/IP software by exploiting known vulnerabilities in various implementations.
One has to constantly look out for software updates and security patches to protect against these attacks.
60
Easy to detect but difficult to prevent. Efforts are directed to quickly recover from
disruption or delays. Good thing is that detection will have a
deterrent effect.
61
62
HARDWARE
SOFTWARE
DATA
Interception (Theft)
Interruption (Denial of Service)
Interception (Eavesdropping)
Interruption (Loss)
Interception (Theft)
Interruption (Deletion)
Modification (Malicious Code)
FabricationModification
63
A protocol is a series of steps, involving two or more parties, designed to accomplish a task.◦ Every one involved in a protocol must know the
protocol and all of the steps to follow in advance.◦ Everyone involved in the protocols must agree to
follow it.◦ The protocol must be unambiguous; each step must
be well defined and there must be no chance of misunderstanding.
◦ The protocol must be complete; there must be a specified action for every possible situation.
◦ It should not be possible to do more or learn more than what is specified in the protocol.
64
Alice First participant in all the protocols Bob Second participant in all the protocols Carol Participant in three- and four-party
protocols Dave Participant in four-party protocols Eve Eavesdropper Mallory Malicious active intruder Trent Trusted arbitrator Victor Verifier Peggy Prover Walter Warden; he’ll be guarding Alice
and Bob in some protocols
65
Arbitrated Protocols
Adjudicated Protocols
Self Enforcing Protocols
Example Protocols◦ Key Exchange
Protocols◦ Authentication
Protocols◦ Time stamping
Service◦ Digital Cash
66
Bob
Trent
Alice
(a) Arbitrated Protocol
Bob TrentAlice
(b) Adjudicated Protocol
Evidence Evidence(After the fact)
BobAlice
(c) Self-enforcing Protocol
67
The further down you go, the more transparent it is
The further up you go, the easier it is to deploy
Application
Presentation
Session
Transport
Netw ork
Datalink
Physical
Application
Presentation
Session
Transport
Netw ork
Datalink
Physical
Email - S/M IM E
SSL
IPSec
PPP - ECP
PHYSICAL NETW ORKEncrypting
NICEncrypting
NIC
Access control: Protects against unauthorized use.
Authentication: Provides assurance of someone's identity.
Confidentiality: Protects against disclosure to unauthorized identities.
Integrity: Protects from unauthorized data alteration.
Non-repudiation: Protects against originator of communications later denying it.
68
Three basic building blocks are used:◦ Encryption is used to provide confidentiality, can
provide authentication and integrity protection.◦ Digital signatures are used to provide
authentication, integrity protection, and non-repudiation.
◦ Checksums/hash algorithms are used to provide integrity protection, can provide authentication.
One or more security mechanisms are combined to provide a security service/protocol.
69
A typical security protocol provides one or more security services (authentication, secrecy, integrity, etc.)
Services are built from mechanisms. Mechanisms are implemented using
algorithms.
70
SSL
Signatures Encryption Hashing
DSA RSA RSA DES SHA1 MD5
Services (Security Protocols)
Mechanisms
Algorithms
71
Security Protocols (Services)
Standards-based Security Protocols Proprietary Security Protocols
SSL IPSec PrivateWire Big Brother
Mechanisms
Encryption Signature Hashing Key Exchange
Algorithms
Symmetric Asymmetric Asymmetric Symmetric
MD-5SHA-1
Diffie-HellmanDESAES
RSAECC
DSARSA
DESMAC
Encryption is a key enabling technology to implement computer security.
But Encryption is to security like bricks are to buildings.
In the next module we will study encryption in detail.
72
73
Firewalls and Security Gateways are based on this model
1. Computer security should support the mission of the organization.
2. Computer security is an integral element of sound management.
3. Computer security should be cost-effective.
4. Computer security responsibilities and accountability should be made explicit.
5. System owners have computer security responsibilities outside their own organizations.
6. Computer security requires a comprehensive and integrated approach.
7. Computer security should be periodically reassessed.
8. Computer security is constrained by societal factors.
74
75
Security
Convenience / Usability
0
Determine where on this
line your organization
needs lie
Physical security Encryption Access control Automatic call back Node authentication Differentiated
access rights Antivirus software Public Key
Infrastructure Firewalls
User authentication Passwords and
passphrases Challenge-response
systems Token or smart cards Exchange of secret
protocol Personal
characteristics - Biometrics
76