ITIS 6010/8010 Security and Privacy Overview - PowerPoint PPT Presentation

Itis 6010 8010 security and privacy overview
1 / 61

  • Uploaded on
  • Presentation posted in: General

ITIS 6010/8010 Security and Privacy Overview. Lecture 3 Dr. Mohamed Shehab Woodward Hall 333F. Lecture Outline. Security Overview Security Design Principles Privacy Overview Cryptography Overview . Information Protection - Why?.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Download Presentation

ITIS 6010/8010 Security and Privacy Overview

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Itis 6010 8010 security and privacy overview

ITIS 6010/8010Security and Privacy Overview

Lecture 3

Dr. Mohamed Shehab

Woodward Hall 333F

Lecture outline

Lecture Outline

  • Security Overview

  • Security Design Principles

  • Privacy Overview

  • Cryptography Overview

Information protection why

Information Protection - Why?

  • Information is an important strategic and operational asset for any organization.

  • Damages and misuses of information affect not only a single user or an application; they may have disastrous consequences on the entire organization.

  • Additionally, the advent of the Internet as well as networking capabilities has made the access to information much easier.

Information security examples

Information Security: Examples

  • Consider a payroll database in a corporation, it must be ensured that:

    • Salaries of individual employees are not disclosed to arbitrary users of the database.

    • Salaries are modified by only those individuals that are properly authorized.

    • Paychecks are verified by individuals different than the ones who issued them.

    • Paychecks are printed on time at the end of each pay period.

What is information security

What is Information Security?

  • Confidentiality

    • Is this all?

    • Why not?

  • Availability

    • To whom?

  • Authentication

    • Still not there

  • Integrity



  • Refers to information protection from unauthorized read operations.

  • First formal work in computer security was motivated by the military’s attempt to implement controls to enforce a “need to know” principle.

  • Confidentiality also applies to the existence of data, which is sometimes more revealing than the data itself.



  • Refers to information protection from modifications; it involves several goals:

    • Data integrity, ensuring the integrity of information with respect to the original information.

    • Origin integrity, ensuring source of the data, often referred to as authentication.

    • Semantic Integrity, protecting information from incorrect modifications.

Integrity example

Integrity Example

  • A newspaper may print information obtained from a leak at the White house, but attributes it to the wrong source.

    • This obeys data integrity.

    • Violates origin integrity.



  • It ensures that access to information is not denied to authorized subjects.

  • Attempts to block availability, are called denial of service attacks.

  • Example, SMURF attack.

Additional information security requirements

Additional Information Security Requirements

  • Information Quality – it is not considered traditionally as part of information security but it is very relevant.

  • Completeness – it refers to ensure that subjects receive all information they are entitled to access, according to the stated security policies.

Classes of threats

Classes of Threats

  • Disclosure

    • Snooping,Trojan Horses

  • Deception

    • Modification, spoofing, repudiation of origin, denial of receipt

  • Disruption

    • Modification

  • Usurpation (Unauthorized Control)

    • Modification, spoofing, delay, denial of service

Goals of security

Goals of Security

  • Prevention

    • Prevent attackers from violating security policy

  • Detection

    • Detect attackers’ violation of security policy

  • Recovery

    • Stop attack, assess and repair damage

    • Continue to function correctly even if attack succeeds

Policy and mechanism

Policy and Mechanism

  • A Security Policy:

    • Is a statement of what is and what is not allowed.

  • A Security Mechanism:

    • Is a method, tool, or procedure for enforcing a security policy.

  • Example:

    • Policy - “Students should not copy from each other”.

    • Mechanism – Use an online paper correlator.

Policy and mechanism cont

Policy and Mechanism (Cont.)

  • Policies define security, and mechanisms enforce security

    • Confidentiality

    • Integrity

    • Availability

  • Composition of policies

    • If policies conflict, discrepancies may create security vulnerabilities

Policy and mechanism cont1

Policy and Mechanism (Cont.)

  • Policies

    • Unambiguously partition system states

    • Correctly capture security requirements

  • Mechanisms

    • Assumed to enforce policy

    • Support mechanisms work correctly

Types of mechanism

Types of Mechanism




Set of reachable states

Set of secure states

Information security mechanisms

Information Security – Mechanisms

  • Confidentiality is enforced by the access control mechanism.

  • Integrity is enforced by the access control mechanism and by the semantic integrity constraints

  • Availability is enforced by the recovery mechanism and by detection techniques for DoS attacks – an example of which is query flood

Information security additional mechanisms

Information Security- Additional Mechanisms:

  • User authentication - to verify the identity of subjects wishing to access the information.

  • Information authentication - to ensure information authenticity - it is supported by signature mechanisms.

  • Encryption - to protect information when being transmitted across systems and when being stored on secondary storage.

  • Intrusion detection – to protect against impersonation of legitimate users and also against insider threats.

Information security how

Information Security – How?

  • Information must be protected at various levels:

    • The operating system

    • The network

    • The data management system

    • Physical protection is also important

Data vs information

Data vs Information

  • Computer security is about controlling access to information and resources

  • Controlling access to information can sometimes be quite elusive and it is often replaced by the more straightforward goal of controlling access to data

  • The distinction between data and information is subtle but it is also the root of some of the more difficult problems in computer security

  • Data represents information. Information is the (subjective) interpretation of data

Data vs information cont

Data vs Information (Cont.)

Data Physical phenomena chosen by convention to represent certain aspects of our conceptual and real world. The meaning we assign to data are called information. Data is used to transmit and store information and to derive new information by manipulating the data according to formal rules.


P.Brinch Hansen. Operating Systems Principles.

Prentice-Hall, 1973.

Data vs information cont1

Data vs Information (Cont.)

  • Protecting information means to protect not only the data directly representing the information

  • Information must be protected also against transmissions through:

    • Covert channels

    • Inference

      • It is typical of database systems

      • It refers to the derivation of sensitive information from non-sensitive data

Inference example

Inference - Example

Inference example cont

Inference – Example (Cont.)

  • Assume that there is a policy stating that the average grade of a single student cannot be disclosed; however statistical summaries can be disclosed

  • Suppose that an attacker knows that Carol is a female CS student

  • By combining the results of the following legitimate queries:

    • Q1: SELECT Count (*) FROM Students WHERE Sex =‘F’ AND Programme = ‘CS’

    • Q2: SELECT Avg (Grade Ave) FROM Students WHERE Sex =‘F’ AND Programme = ‘CS’

  • The attacker learns from Q1 that there is only one female student so the value 70 returned by Q2 is precisely her average grade

Information security a complete solution

Information Security:A Complete Solution.

  • It consists of:

    • First defining a security policy.

    • Then choosing some mechanism to enforce the policy.

    • Finally providing assurance that both the mechanism and the policy are sound.

Security design principles

Security Design Principles



  • Saltzer and Schroeder [1975] defined the 8 principles that are based on the ideas of simplicity and restriction

  • Simplicity

    • Less to go wrong

    • Fewer possible inconsistencies

    • Easy to understand

  • Restriction

    • Minimize access – an entity can access only information it needs (also known as “need to know” principle)

    • Inhibit communication – an entity can communicate with other entities only when necessary, and in few (and narrow) ways as possible

Principle of least privilege

Principle of Least Privilege

  • The principle of least privilege states that an entity should be given only those privileges that it needs in order to complete its task

    • The function of an entity, and not its identity, should control the assignment of rights

    • Rights should be added as needed, discarded after use

Principle of fail safe defaults

Principle of Fail-Safe Defaults

  • The principle of fail-safe defaults state that, unless an entity is given explicit access to an object, it should be denied access to that object

    • This principle requires that the default access permission to an object be none

Principle of economy of mechanism

Principle of Economy of Mechanism

  • The principle of economy of mechanism states that security mechanisms should be as simple as possible

  • Simpler means less can go wrong

    • And when errors occur, they are easier to understand and fix

  • Interfaces and interactions

    • Interfaces to other modules are crucial, because modules often make implicit assumptions about input or output parameters or the current system state

Principle of complete mediation

Principle of Complete Mediation

  • The principle of complete mediation requires that all accesses to objects be checked to ensure that they are allowed

  • Usually done once, on first action

    • UNIX: access checked on open, not checked thereafter

    • If permissions change after, may get unauthorized access

    • This approach violates the principle of complete mediation

Principle of open design

Principle of Open Design

  • The principle of open design states that the security of a mechanism should not depend on secrecy of its design or implementation

    • If the strength of a program’s security depends on the ignorance of user, a knowledgeable user can defeat the security mechanism

      • “Security through obscurity” is not a good principle

    • This principles does not apply to information such as passwords or cryptographic keys (these are data and not algorithms)

Principle of open design cont

Principle of Open Design (Cont.)

  • Issues of proprietary software and trade secrets complicate the application of this principle

  • In some cases companies do not want their designs made public to protect them from competitors

  • The principle then requires that the design and implementation be available to people barred from disclosing it outside the company

Principle of separation of privilege

Principle of Separation of Privilege

  • The principle of separation of privileges states that a system should not grant permission based on a single condition.

  • In other words: more than one condition must be verified in order to gain access

    • Separation of duty

      • Example: company check for more than $75,000 must be signed by two officers of the company

      • Example: On Berkeley-based versions of Unix, a user is not allowed to change from his accounts to the root account unless two conditions are verified: (i) the user knows the root password; (ii) the user is in the wheel group (with GID 0)

Principle of least common mechanism

Principle of Least Common Mechanism

  • The principle of least common mechanism states that mechanisms used to access resources should not be shared

    • Information can flow along shared channels

    • Covert channels

  • Isolation

    • Virtual machines

    • Sandboxes

Itis 6010

Principle of Least Common Mechanism(Example)

  • For example, serving an application on the Internet allows both attackers and users to gain access to the application. Sensitive information can potentially be shared between the subjects via the mechanism.

  • A different mechanism for each subject or class of subjects can provide flexibility of access control among various users and prevent potential security violations that would otherwise occur if only one mechanism was implemented.

Principle of psychological acceptability

Principle of Psychological Acceptability

  • The principle of psychological acceptability states that security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present

    • Hide complexity introduced by security mechanisms

    • Ease of installation, configuration, use

    • Human factors critical here

    • On the other hand, security requires that the messages impart no unnecessary information

      • For example, if a user supplies the wrong password, the system should reject the attempt with a message saying that the login failed. If it were to say that the password was incorrect, the user would know that the account name was legitimate




Privacy ??

  • Information Privacy is the ability of an individual to control the use and dissemination of information that relates to himself or herself.

  • The word “Privacy” means different things in different contexts:

    • Freedom from intrusion.

    • Control of personal information.

    • Control of one’s image or name.

  • The historic driver of the privacy problem is the “bad people” problem.

Approaches to privacy enforcement

Approaches to Privacy Enforcement

  • Governmental Standards

    • Enforcement by regulatory agencies, states, etc.

  • Industry Standards

    • “Codes of conduct”

    • Limited enforcement through licensing

    • Limited enforcement from government

  • Unregulated Market

    • Reputation

  • Technology can help in all of these cases.

Fair credit reporting act 1970

Fair Credit Reporting Act, 1970

  • Right to:

    • See your credit report.

    • Challenge incorrect information.

    • Information automatically expire after 7 years.

    • Know who accesses your report.

    • Free credit report if you are denied credit.

The code of fair information practice 1973

The Code of Fair Information Practice (1973)

  • Included:

    • No Secret record-keeping systems.

    • Right to see your record.

    • Information obtained for one purpose may not be used for another purpose.

    • Right to correct or amend incorrect records.

    • Organizations must assure the reliability of data and take precautions to prevent misuse.

Other privacy acts

Other Privacy Acts

  • HIPAA: Health Insurance Portability and Accountability Act

  • COPPA: Children’s Online Privacy Protection Act

    • Applies to online collection of info on children under 13.

  • Gramm-Leach-Bliley Act

  • Sarbanes-Oxley: Public Company Accounting Reform and Investor Protection Act

Other privacy acts1

Other Privacy Acts

  • Gramm-Leach-Bliley Act

    • Consumers must be informed of privacy policies

      • Initial notice

      • Annual notice

      • Notices were mostly ignored!

    • Consumers must have a chance to “opt-out”

      • Many different ways to “opt-out”

      • Have you ever opted out?

Other privacy acts2

Other Privacy Acts

  • Sarbanes-Oxley: Public Company Accounting Reform and Investor Protection Act

    • Insider Trading

    • Conflict of Interest

    • Public disclosures

    • Assessment of internal controls

    • Mandatory disclosures

Example patient records

Example: Patient Records

Voter Registration Data

Released Medical Data

Cryptography overview

Cryptography Overview



  • Basic assumptions

    • Message to be encrypted

    • Algorithms (publicly known) to encrypt/decrypt message

    • Key (known only to sender/recipient)

    • Given only algorithms and encrypted message, nobody knows a method to decrypt that is significantly faster than trying all keys

  • Types of attacks

    • Ciphertext only

    • Known plaintext

    • Chosen plaintext

  • Real attacks generally don’t break cryptography!

    • Don’t pick the lock, tunnel into the vault

Symmetric cryptography

Symmetric Cryptography

  • The secret key that seals also unseals

    • M’ = f(M,key) encryption or sealing

    • M = f’(M’,key) decryption or unsealing

  • Uses:

    • Prevent eavesdropping

      • Must be secure channel for key exchange

    • Secure storage

      • I have to remember my key

    • Authentication

      • Challenge/response

    • Integrity Check

      • Checksum on the message

      • Encrypt the checksum

Public key assymetric cryptography

Public Key (Assymetric) Cryptography

  • First published in 1976 (Diffie-Hellman)

    • More common today: RSA

  • Matched pair of keys

    • Public key (e) to encrypt

    • Private key (d) to decrypt

  • For integrity, encrypt checksum with sender’s private key

    • Only sender’s public key will decrypt properly

Public key assymetric cryptography1

Public Key (Assymetric) Cryptography

  • Uses:

    • Prevent eavesdropping

    • Authentication

    • Integrity

  • Problem: public key algorithms slow

    • Solution: Use to share secret key

Public key cryptography non repudiation

Public Key Cryptography:Non-repudiation

  • Message Integrity Checksum (MAC) can convince Recipient that Sender created message

    • Message correct, from right source

  • But can’t convince anyone else!

    • Sender, recipient share key

    • Either could generate message

  • Public key solves this problem

    • Private key required to encrypt

    • Only known to sender

Public key cryptography

Public Key Cryptography

  • Public key d, private key e

    • m = e(d(m)) = d(e(m))

  • Given d, d(m), hard to find m

    • same for e, e(m)

  • Given d, hard to find e

    • same for e, d

  • Most based on modular arithmetic

    • Modular exponentiation

Algorithms diffie hellman

Algorithms: Diffie-Hellman

  • Goal: Two parties agree on common number

    • E.g., learn shared key

  • Initial: large prime p, g < p

    • publicly known

  • Each chooses secret

  • T = gs mod p

  • Exchange and repeat

    • Result is the same

Algorithms diffie hellman problems

Algorithms: Diffie-Hellman (Problems)

  • Authentication

    • Am I talking to the right person?

  • Man in the middle

    • Sets up session with either end

Algorithms rsa rivest shamir adleman

Algorithms: RSA(Rivest, Shamir, Adleman)

  • Key generation

    • Choose primes p,q

    • Choose e relatively prime to (p-1)(q-1)

    • Public key <e,n>

    • Private key <d,n> where d = 1/(e mod (p-1)(q-1))

  • Encrypt: c = me mod n

    • Decrypt: m = cd mod n

  • de = 1 mod (p-1)(q-1), so m = (me)d mod n

  • Breakable if we can factor (why?)

Hash algorithms

Hash Algorithms

  • Transform arbitrarily long message m into (short) fixed-length message h(m)

    • Must be easy to compute h(m)

    • Given h(m), hard to find (an) m

    • Hard to find m1 and m2 such that h(m1)=h(m2)

  • Goal: h(m) should appear random

    • Non-trivial to define “appear random”

  • Uses

    • Password storage (easy to verify that it is probably correct)

    • Integrity: Send m, h(m|s)

    • Storage integrity

Changing one input bit should change 50 of the output bits

Changing one input bit should change ~50% of the output bits.

How big is 2 128

How big is 2128 ?

  • MD5 is 128 bits long

  • 2128 = 340,282,366,920,938,463,463,374,607,431,768,211,456

  • If you could try a billion2 combinations a second, it would take 10,790 billion years

Message digest algorithms

Message Digest Algorithms

  • Rivest Functions:

    • MD2 (128 bits)

    • MD4 (128 bits)

    • MD5 (128 bits)

  • NIST Functions:

    • SHA (160 bits) SHA-1 (160 bits)

    • SHA-512, SHA-1024

  • Other Functions:

    • Snerfu, N-Hash, RIPE-MD, HAVAL

Strange hash uses

(Strange) Hash Uses

  • Authentication

    • A sends challenge rA

    • B responds with h(k|rA) and rB

    • A responds with h(k|rB)

  • Integrity / Message Authentication Code

    • h(m | k)

  • Generate a one-time pad

    • h(k | r) gives first block, then h(k | bi-1) gives bi

  • Can also generate a hash using symmetric encryption


  • Login