Documente Academic
Documente Profesional
Documente Cultură
Integrity
Availability
CIA
Secret codes
Cryptography
Passwords (hard to implement a strong password policy)
Biometrics, smartcards
Authentication
Different people have different roles and levels of control
Authorization
Eg. firewalls
Access control
Eg. Secure Socket Layer (SSL)
Protocols
Cryptography, Protocols, Access control
Large, complex, bugs
Security flaws
Viruses and worms
Software
Authentication --- Identifying users
Authorization --- Checking permission
Auditing --- Tracking users actions
Confidentiality --- Privacy Preservation
Integrity --- Avoid accidental or malicious data changes/deletion
Availability --- Keeping the system on line for legitimate users.
Services of Security
Interruption, Fabrication, Modification, Interception
Types of attacks
interrupt availability
Eg. WikiLeaks was disrupted by DoS attacks when U.S. diplomatic cables were about be released
Disruption --- denial of service
Eg. WikiLeaks release of diplomatic cables
Disclosure --- release of potentially confidential data
Deception --- acceptance of false data
Usurpation --- unauthorized assumption of control
e.g. sniffing packets for passwords
Snooping or Eavesdropping --- interception of confidential data
e.g. change a salary by editing the payroll file
Modification or Alteration --- changing data
e.g. identity theft (charging stuff to someone else's credit card)
Masquerading or Spoofing --- forging data about origin
Threats
02 Cryptography
Thursday, March 03, 2011
9:42 AM
2011 Spring Page 1
e.g. identity theft (charging stuff to someone else's credit card)
e.g. bad guy order's stuff and refuses to pay claiming he never ordered it
Repudiation of origin --- false denial of creation
e.g. bad guy orders stuff but refuses payment on first shipment claiming it never arrived
Denial of receipt --- falsely claim of nondelivery
Delay (or replay) --- cause a legitimate message to arrive at a later time
Prevention --- Makes an attack fail if attempted
Detection --- Alerts defender of attack
Offline --- Stop an attack, assess and repair damage
Online --- Maintain system functioning during compromise and repair
Recovery --- Reaction to attack
Security System requirements
scramble a message (plaintext)
Use a key and an encryption algorithm
Scrambled message is called ciphertext
Unscramble by using a decryption algorithm (reverse of encryption)
Only holders of key can unscramble
Very old idea has been around for thousands of years (Greek word means secret writing)
a b c d e f g h i j k l m n o p (input)
d e f g h i j k l m n o p q r s (output- cipher)
Replace each input letter with 3 letters to the right (also known as simple substitution cryptography)
Key is 3, encryption algorithm is shift right
receiver reverses it (same key)
Caesar Cipher (used by Julius Caesar) :
Main idea of cryptography
Ceasar cipher is shift by 3
Eg.
plaintext: a b c d e f g h i j k l m n o p q r s t u v w x y z
ciphertext: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Shift by n
Eg.
plaintext: a b c d e f g h i j k l m n o p q r s t u v w x y z
ciphertext: Z P B Y J R G K F L X Q N W V D H M S U T O I A E C
26! ~= 2
88
possible keys
Exhaustive key search (brute force approach)to break the code not be possible within reasonable amount of
time
Can use statistical data on frequency of occurrence for letters to break the code much faster
Any permutation of the letters
Simple substitution cryptography
Write plain text into an array of given size and then permute the rows and columns according to specified
permutations
Encryption algorithm:
DES (Data Encryption Standard) algorithm
Example
E(D(M) = M
Anyone can decrypt, but only the user can encrypt
Like a signature
Encrypt with user's private key
Can not repudiate
Can be used as a digital signature
Major advantages of public key cryptography
Performance of Public Key Systems
2011 Spring Page 5
Can not repudiate
A trusted third party (TTP) that confirms the identity in the certificate