CS475 – Network and Information Security Lecture 1 Introduction Elias Athanasopoulos [email protected]

Jun 04, 2018


CS475 – Network and Information Security

Lecture 1: Introduction
Elias Athanasopoulos

What is this course all about?

• Understand the fundamental concepts of security in software, systems, and the network
• Broad range of security topics
• No very deep dives
• Hands-on experience

Why is computer security important?


https://haveibeenpwned.com


It’s a mess…


It can only get worse…

Why is it so complicated?

• Systems have different building layers
  – Hardware, Software, Network, Protocols
• Heavy interaction and interconnection
  – Internet of Things
• People

Our topics

• Applied Crypto
• Software Security
• Network Security
• Web Security
• Mobile Security
• Anonymity and Privacy

Concepts of different topics interact with each other!

Resources

• No single textbook to cover everything, the topic is rapidly changing
• I will provide many resources on a per-lecture basis (papers, articles, software, etc.)
• Some suggested (free) material:
  – Handbook of Applied Cryptography, http://cacr.uwaterloo.ca/hac/
  – Security Engineering, http://www.cl.cam.ac.uk/~rja14/book.html
• Some suggested (non-free) material:
  – Introduction to Computer Security, by Michael T. Goodrich and Roberto Tamassia (ISBN-13: 978-0321512949, ISBN-10: 0321512944)

Let’s go!

What is computer security?

“Computer security, also known as cybersecurity or IT security, is the protection of computer systems from the theft or damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.”

Gasser, Morrie (1988). Building a Secure Computer System (PDF). Van Nostrand Reinhold. p. 3. ISBN 0-442-23022-2, https://ece.uwaterloo.ca/~vganesh/TEACHING/S2014/ECE458/building-secure-systems.pdf

What is computer security?

• A property that affects systems
  – Hardware, software, network
• Degrading this property leads to bad things
  – Theft, damage, disruption, misdirection
• Degrading this property is deliberate
  – An attacker degrades the security of a system on purpose

Suggested read: https://www.cs.columbia.edu/~smb/blog/2017-09/2017-09-01.html

Example 1

• An application needs to transmit sensitive data
  – Submitting a password
  – Sending a personal message
• Just reading sensitive data is enough to break security
  – Leak the password, or the personal message

Example 2

• An application needs to transmit sensitive data
  – Submit the details of a financial transaction
  – Submit the casting of a vote
• Modifying the sensitive data can break the security
  – Modify the financial transaction, or the vote

Security Requirements

• From Example 1 and 2, we can see that security can imply several different sub-properties
• Different applications have different security requirements, which can be grouped
  – Confidentiality, Integrity, Availability, Authentication, Non-repudiation, Accounting, Privacy
  – Suggested reference: https://www.ietf.org/rfc/rfc2828.txt

Confidentiality

The property that information is not made available or disclosed to unauthorized individuals, entities, or processes (i.e., to any unauthorized system entity)

Integrity

Data integrity: The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner

System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system

Availability

The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system; i.e., a system is available if it provides services according to the system design whenever users request them

CIA

• Confidentiality
  – The property that information is not made available or disclosed to unauthorized individuals, entities, or processes (i.e., to any unauthorized system entity)
• Integrity
  – Data integrity: The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner
  – System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system
• Availability
  – The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system; i.e., a system is available if it provides services according to the system design whenever users request them

An Example

System/Service Communication

Confidentiality: Bad guys cannot see messages
Integrity: Bad guys cannot change messages
Availability: The system is operational

Example 1 – Confidentiality

• An application needs to transmit sensitive data
  – Submitting a password
  – Sending a personal message
• Just reading sensitive data is enough to break security
  – Leak the password, or the personal message

Example 2 – Integrity

• An application needs to transmit sensitive data
  – Submit the details of a financial transaction
  – Submit the casting of a vote
• Modifying the sensitive data can break the security
  – Modify the financial transaction, or the vote
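An added illustration of Example 2 (not part of the original slides): a message authentication code makes modification of a transmitted transaction detectable by the receiver. HMAC-SHA256 is a mechanism chosen for this example, the slide names none; the key, field names and sample transaction are constructed.

```python
import hashlib
import hmac
import json

# Constructed shared secret; in practice it comes from a key-management system.
KEY = b"constructed-demo-key-not-for-production"


def protect(transaction: dict, key: bytes = KEY) -> dict:
    """Sender side: serialize canonically and attach an HMAC-SHA256 tag."""
    body = json.dumps(transaction, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify(message: dict, key: bytes = KEY):
    """Receiver side: return the transaction if the tag matches, else None."""
    body = message["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking, via timing, how many characters matched.
    if not hmac.compare_digest(expected, message.get("tag", "")):
        return None
    return json.loads(body)


def demo() -> dict:
    sent = protect({"from": "alice", "to": "bob", "amount": 100})
    # Modification in transit: the amount is changed, the tag is not.
    tampered = dict(sent, body=sent["body"].replace("100", "9100"))
    return {
        "intact": verify(sent),
        "tampered": verify(tampered),
        # The body is still readable: integrity is not confidentiality.
        "readable_in_transit": "alice" in sent["body"],
    }


if __name__ == "__main__":
    print(demo())
```

The tag protects integrity only: the transaction body still travels in the clear, which is why Example 1 and Example 2 are separate requirements.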

Additional Requirements

• Non-repudiation
  – One party of a transaction cannot deny having received a transaction nor can the other party deny having sent a transaction

Additional Requirements

• Access Control
  – Identification
    • I claim I am John Smith (i.e., by submitting a username)
  – Authentication
    • System verifies that I am John Smith (e.g., through password)
  – Authorization
    • As John Smith I am authorized to perform a particular action (i.e., post a message)
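The three access-control steps above as an added example (not part of the original slides), showing that authentication and authorization are separate checks that fail differently. The usernames, passwords, permission names, work factor and status strings are all constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed work factor for the example


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str, permissions: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "permissions": permissions}


# Constructed user database: username -> salted hash and allowed actions.
USERS = {
    "jsmith": make_user("correct horse battery", {"post_message"}),
    "guest": make_user("guest-pass", set()),
}


def authenticate(username: str, password: str) -> bool:
    """Identification is the claimed username; authentication verifies it."""
    user = USERS.get(username)
    if user is None:
        # Unknown identity: still do the hashing so timing does not reveal
        # which usernames exist, then fail.
        hash_password(password, b"\x00" * 16)
        return False
    candidate = hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["pw_hash"])


def authorize(username: str, action: str) -> bool:
    """Authorization: is this (already authenticated) identity allowed?"""
    return action in USERS[username]["permissions"]


def request(username: str, password: str, action: str) -> str:
    if not authenticate(username, password):
        return "401 authentication failed"
    if not authorize(username, action):
        return "403 not authorized"
    return "200 " + action + " performed"
```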

Privacy

The right of an entity (normally a person), acting in its own behalf, to determine the degree to which it will interact with its environment, including the degree to which the entity is willing to share information about itself with others

Security Context

• Threat Model
  – List the attacker’s capabilities
  – List the attacker’s goal
  – Often, list the defenses that are in place
  – Often, list the affected risks of the target system using security requirements (CIA)

“Security isn’t a scalar. It doesn’t make sense to ask ‘Is device X secure?’ without a context: ‘secure against whom and in what environment?’”

Example Threat Model

• Passive Man-in-the-Middle
  – An attacker that can passively monitor network packets exchanged between two parties
  – Attacker wants to reveal the conversation
  – Conversation is encrypted using the cryptosystem X
  – Confidentiality can be affected if attacker can break cryptosystem X
  – Integrity, and Availability cannot be affected

Course Logistics

Ethics

• The course has many offensive parts
• Using the offensive part in the wild is strictly forbidden
• Our goal is to understand attacks for building better defenses

Logistics

• 45% Final
• 25% Midterm
• 30% Assignments
  – 20% Programming assignments (4 in total and in C/C++)
  – 10% Quiz
• Success
  – All assignments have been submitted
  – Final written exam is at least 4,5
  – Final score is at least 5