itis 6010 8010 security and privacy overview
Download
Skip this Video
Download Presentation
ITIS 6010/8010 Security and Privacy Overview

Loading in 2 Seconds...

play fullscreen
1 / 61

ITIS 6010 - PowerPoint PPT Presentation


  • 154 Views
  • Uploaded on

ITIS 6010/8010 Security and Privacy Overview. Lecture 3 Dr. Mohamed Shehab [email protected] Woodward Hall 333F. Lecture Outline. Security Overview Security Design Principles Privacy Overview Cryptography Overview . Information Protection - Why?.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'ITIS 6010' - bowen


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
itis 6010 8010 security and privacy overview

ITIS 6010/8010Security and Privacy Overview

Lecture 3

Dr. Mohamed Shehab

[email protected]

Woodward Hall 333F

lecture outline
Lecture Outline
  • Security Overview
  • Security Design Principles
  • Privacy Overview
  • Cryptography Overview
information protection why
Information Protection - Why?
  • Information is an important strategic and operational asset for any organization.
  • Damages and misuses of information affect not only a single user or an application; they may have disastrous consequences on the entire organization.
  • Additionally, the advent of the Internet as well as networking capabilities has made the access to information much easier.
information security examples
Information Security: Examples
  • Consider a payroll database in a corporation, it must be ensured that:
    • Salaries of individual employees are not disclosed to arbitrary users of the database.
    • Salaries are modified by only those individuals that are properly authorized.
    • Paychecks are verified by individuals different than the ones who issued them.
    • Paychecks are printed on time at the end of each pay period.
what is information security
What is Information Security?
  • Confidentiality
    • Is this all?
    • Why not?
  • Availability
    • To whom?
  • Authentication
    • Still not there
  • Integrity
confidentiality
Confidentiality
  • Refers to information protection from unauthorized read operations.
  • First formal work in computer security was motivated by the military’s attempt to implement controls to enforce a “need to know” principle.
  • Confidentiality also applies to the existence of data, which is sometimes more revealing than the data itself.
integrity
Integrity
  • Refers to information protection from modifications; it involves several goals:
    • Data integrity, ensuring the integrity of information with respect to the original information.
    • Origin integrity, ensuring source of the data, often referred to as authentication.
    • Semantic Integrity, protecting information from incorrect modifications.
integrity example
Integrity Example
  • A newspaper may print information obtained from a leak at the White house, but attributes it to the wrong source.
    • This obeys data integrity.
    • Violates origin integrity.
availability
Availability
  • It ensures that access to information is not denied to authorized subjects.
  • Attempts to block availability, are called denial of service attacks.
  • Example, SMURF attack.
additional information security requirements
Additional Information Security Requirements
  • Information Quality – it is not considered traditionally as part of information security but it is very relevant.
  • Completeness – it refers to ensure that subjects receive all information they are entitled to access, according to the stated security policies.
classes of threats
Classes of Threats
  • Disclosure
    • Snooping,Trojan Horses
  • Deception
    • Modification, spoofing, repudiation of origin, denial of receipt
  • Disruption
    • Modification
  • Usurpation (Unauthorized Control)
    • Modification, spoofing, delay, denial of service
goals of security
Goals of Security
  • Prevention
    • Prevent attackers from violating security policy
  • Detection
    • Detect attackers’ violation of security policy
  • Recovery
    • Stop attack, assess and repair damage
    • Continue to function correctly even if attack succeeds
policy and mechanism
Policy and Mechanism
  • A Security Policy:
    • Is a statement of what is and what is not allowed.
  • A Security Mechanism:
    • Is a method, tool, or procedure for enforcing a security policy.
  • Example:
    • Policy - “Students should not copy from each other”.
    • Mechanism – Use an online paper correlator.
policy and mechanism cont
Policy and Mechanism (Cont.)
  • Policies define security, and mechanisms enforce security
    • Confidentiality
    • Integrity
    • Availability
  • Composition of policies
    • If policies conflict, discrepancies may create security vulnerabilities
policy and mechanism cont1
Policy and Mechanism (Cont.)
  • Policies
    • Unambiguously partition system states
    • Correctly capture security requirements
  • Mechanisms
    • Assumed to enforce policy
    • Support mechanisms work correctly
types of mechanism
Types of Mechanism

Secure

Precise

Broad

Set of reachable states

Set of secure states

information security mechanisms
Information Security – Mechanisms
  • Confidentiality is enforced by the access control mechanism.
  • Integrity is enforced by the access control mechanism and by the semantic integrity constraints
  • Availability is enforced by the recovery mechanism and by detection techniques for DoS attacks – an example of which is query flood
information security additional mechanisms
Information Security- Additional Mechanisms:
  • User authentication - to verify the identity of subjects wishing to access the information.
  • Information authentication - to ensure information authenticity - it is supported by signature mechanisms.
  • Encryption - to protect information when being transmitted across systems and when being stored on secondary storage.
  • Intrusion detection – to protect against impersonation of legitimate users and also against insider threats.
information security how
Information Security – How?
  • Information must be protected at various levels:
    • The operating system
    • The network
    • The data management system
    • Physical protection is also important
data vs information
Data vs Information
  • Computer security is about controlling access to information and resources
  • Controlling access to information can sometimes be quite elusive and it is often replaced by the more straightforward goal of controlling access to data
  • The distinction between data and information is subtle but it is also the root of some of the more difficult problems in computer security
  • Data represents information. Information is the (subjective) interpretation of data
data vs information cont
Data vs Information (Cont.)

Data Physical phenomena chosen by convention to represent certain aspects of our conceptual and real world. The meaning we assign to data are called information. Data is used to transmit and store information and to derive new information by manipulating the data according to formal rules.

from:

P.Brinch Hansen. Operating Systems Principles.

Prentice-Hall, 1973.

data vs information cont1
Data vs Information (Cont.)
  • Protecting information means to protect not only the data directly representing the information
  • Information must be protected also against transmissions through:
    • Covert channels
    • Inference
      • It is typical of database systems
      • It refers to the derivation of sensitive information from non-sensitive data
inference example cont
Inference – Example (Cont.)
  • Assume that there is a policy stating that the average grade of a single student cannot be disclosed; however statistical summaries can be disclosed
  • Suppose that an attacker knows that Carol is a female CS student
  • By combining the results of the following legitimate queries:
    • Q1: SELECT Count (*) FROM Students WHERE Sex =‘F’ AND Programme = ‘CS’
    • Q2: SELECT Avg (Grade Ave) FROM Students WHERE Sex =‘F’ AND Programme = ‘CS’
  • The attacker learns from Q1 that there is only one female student so the value 70 returned by Q2 is precisely her average grade
information security a complete solution
Information Security:A Complete Solution.
  • It consists of:
    • First defining a security policy.
    • Then choosing some mechanism to enforce the policy.
    • Finally providing assurance that both the mechanism and the policy are sound.
overview
Overview
  • Saltzer and Schroeder [1975] defined the 8 principles that are based on the ideas of simplicity and restriction
  • Simplicity
    • Less to go wrong
    • Fewer possible inconsistencies
    • Easy to understand
  • Restriction
    • Minimize access – an entity can access only information it needs (also known as “need to know” principle)
    • Inhibit communication – an entity can communicate with other entities only when necessary, and in few (and narrow) ways as possible
principle of least privilege
Principle of Least Privilege
  • The principle of least privilege states that an entity should be given only those privileges that it needs in order to complete its task
    • The function of an entity, and not its identity, should control the assignment of rights
    • Rights should be added as needed, discarded after use
principle of fail safe defaults
Principle of Fail-Safe Defaults
  • The principle of fail-safe defaults state that, unless an entity is given explicit access to an object, it should be denied access to that object
    • This principle requires that the default access permission to an object be none
principle of economy of mechanism
Principle of Economy of Mechanism
  • The principle of economy of mechanism states that security mechanisms should be as simple as possible
  • Simpler means less can go wrong
    • And when errors occur, they are easier to understand and fix
  • Interfaces and interactions
    • Interfaces to other modules are crucial, because modules often make implicit assumptions about input or output parameters or the current system state
principle of complete mediation
Principle of Complete Mediation
  • The principle of complete mediation requires that all accesses to objects be checked to ensure that they are allowed
  • Usually done once, on first action
    • UNIX: access checked on open, not checked thereafter
    • If permissions change after, may get unauthorized access
    • This approach violates the principle of complete mediation
principle of open design
Principle of Open Design
  • The principle of open design states that the security of a mechanism should not depend on secrecy of its design or implementation
    • If the strength of a program’s security depends on the ignorance of user, a knowledgeable user can defeat the security mechanism
      • “Security through obscurity” is not a good principle
    • This principles does not apply to information such as passwords or cryptographic keys (these are data and not algorithms)
principle of open design cont
Principle of Open Design (Cont.)
  • Issues of proprietary software and trade secrets complicate the application of this principle
  • In some cases companies do not want their designs made public to protect them from competitors
  • The principle then requires that the design and implementation be available to people barred from disclosing it outside the company
principle of separation of privilege
Principle of Separation of Privilege
  • The principle of separation of privileges states that a system should not grant permission based on a single condition.
  • In other words: more than one condition must be verified in order to gain access
    • Separation of duty
      • Example: company check for more than $75,000 must be signed by two officers of the company
      • Example: On Berkeley-based versions of Unix, a user is not allowed to change from his accounts to the root account unless two conditions are verified: (i) the user knows the root password; (ii) the user is in the wheel group (with GID 0)
principle of least common mechanism
Principle of Least Common Mechanism
  • The principle of least common mechanism states that mechanisms used to access resources should not be shared
    • Information can flow along shared channels
    • Covert channels
  • Isolation
    • Virtual machines
    • Sandboxes
slide36

Principle of Least Common Mechanism(Example)

  • For example, serving an application on the Internet allows both attackers and users to gain access to the application. Sensitive information can potentially be shared between the subjects via the mechanism.
  • A different mechanism for each subject or class of subjects can provide flexibility of access control among various users and prevent potential security violations that would otherwise occur if only one mechanism was implemented.
principle of psychological acceptability
Principle of Psychological Acceptability
  • The principle of psychological acceptability states that security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present
    • Hide complexity introduced by security mechanisms
    • Ease of installation, configuration, use
    • Human factors critical here
    • On the other hand, security requires that the messages impart no unnecessary information
      • For example, if a user supplies the wrong password, the system should reject the attempt with a message saying that the login failed. If it were to say that the password was incorrect, the user would know that the account name was legitimate
privacy1
Privacy ??
  • Information Privacy is the ability of an individual to control the use and dissemination of information that relates to himself or herself.
  • The word “Privacy” means different things in different contexts:
    • Freedom from intrusion.
    • Control of personal information.
    • Control of one’s image or name.
  • The historic driver of the privacy problem is the “bad people” problem.
approaches to privacy enforcement
Approaches to Privacy Enforcement
  • Governmental Standards
    • Enforcement by regulatory agencies, states, etc.
  • Industry Standards
    • “Codes of conduct”
    • Limited enforcement through licensing
    • Limited enforcement from government
  • Unregulated Market
    • Reputation
  • Technology can help in all of these cases.
fair credit reporting act 1970
Fair Credit Reporting Act, 1970
  • Right to:
    • See your credit report.
    • Challenge incorrect information.
    • Information automatically expire after 7 years.
    • Know who accesses your report.
    • Free credit report if you are denied credit.
the code of fair information practice 1973
The Code of Fair Information Practice (1973)
  • Included:
    • No Secret record-keeping systems.
    • Right to see your record.
    • Information obtained for one purpose may not be used for another purpose.
    • Right to correct or amend incorrect records.
    • Organizations must assure the reliability of data and take precautions to prevent misuse.
other privacy acts
Other Privacy Acts
  • HIPAA: Health Insurance Portability and Accountability Act
  • COPPA: Children’s Online Privacy Protection Act
    • Applies to online collection of info on children under 13.
  • Gramm-Leach-Bliley Act
  • Sarbanes-Oxley: Public Company Accounting Reform and Investor Protection Act
other privacy acts1
Other Privacy Acts
  • Gramm-Leach-Bliley Act
    • Consumers must be informed of privacy policies
      • Initial notice
      • Annual notice
      • Notices were mostly ignored!
    • Consumers must have a chance to “opt-out”
      • Many different ways to “opt-out”
      • Have you ever opted out?
other privacy acts2
Other Privacy Acts
  • Sarbanes-Oxley: Public Company Accounting Reform and Investor Protection Act
    • Insider Trading
    • Conflict of Interest
    • Public disclosures
    • Assessment of internal controls
    • Mandatory disclosures
example patient records
Example: Patient Records

Voter Registration Data

Released Medical Data

cryptography
Cryptography
  • Basic assumptions
    • Message to be encrypted
    • Algorithms (publicly known) to encrypt/decrypt message
    • Key (known only to sender/recipient)
    • Given only algorithms and encrypted message, nobody knows a method to decrypt that is significantly faster than trying all keys
  • Types of attacks
    • Ciphertext only
    • Known plaintext
    • Chosen plaintext
  • Real attacks generally don’t break cryptography!
    • Don’t pick the lock, tunnel into the vault
symmetric cryptography
Symmetric Cryptography
  • The secret key that seals also unseals
    • M’ = f(M,key) encryption or sealing
    • M = f’(M’,key) decryption or unsealing
  • Uses:
    • Prevent eavesdropping
      • Must be secure channel for key exchange
    • Secure storage
      • I have to remember my key
    • Authentication
      • Challenge/response
    • Integrity Check
      • Checksum on the message
      • Encrypt the checksum
public key assymetric cryptography
Public Key (Assymetric) Cryptography
  • First published in 1976 (Diffie-Hellman)
    • More common today: RSA
  • Matched pair of keys
    • Public key (e) to encrypt
    • Private key (d) to decrypt
  • For integrity, encrypt checksum with sender’s private key
    • Only sender’s public key will decrypt properly
public key assymetric cryptography1
Public Key (Assymetric) Cryptography
  • Uses:
    • Prevent eavesdropping
    • Authentication
    • Integrity
  • Problem: public key algorithms slow
    • Solution: Use to share secret key
public key cryptography non repudiation
Public Key Cryptography:Non-repudiation
  • Message Integrity Checksum (MAC) can convince Recipient that Sender created message
    • Message correct, from right source
  • But can’t convince anyone else!
    • Sender, recipient share key
    • Either could generate message
  • Public key solves this problem
    • Private key required to encrypt
    • Only known to sender
public key cryptography
Public Key Cryptography
  • Public key d, private key e
    • m = e(d(m)) = d(e(m))
  • Given d, d(m), hard to find m
    • same for e, e(m)
  • Given d, hard to find e
    • same for e, d
  • Most based on modular arithmetic
    • Modular exponentiation
algorithms diffie hellman
Algorithms: Diffie-Hellman
  • Goal: Two parties agree on common number
    • E.g., learn shared key
  • Initial: large prime p, g < p
    • publicly known
  • Each chooses secret
  • T = gs mod p
  • Exchange and repeat
    • Result is the same
algorithms diffie hellman problems
Algorithms: Diffie-Hellman (Problems)
  • Authentication
    • Am I talking to the right person?
  • Man in the middle
    • Sets up session with either end
algorithms rsa rivest shamir adleman
Algorithms: RSA(Rivest, Shamir, Adleman)
  • Key generation
    • Choose primes p,q
    • Choose e relatively prime to (p-1)(q-1)
    • Public key <e,n>
    • Private key <d,n> where d = 1/(e mod (p-1)(q-1))
  • Encrypt: c = me mod n
    • Decrypt: m = cd mod n
  • de = 1 mod (p-1)(q-1), so m = (me)d mod n
  • Breakable if we can factor (why?)
hash algorithms
Hash Algorithms
  • Transform arbitrarily long message m into (short) fixed-length message h(m)
    • Must be easy to compute h(m)
    • Given h(m), hard to find (an) m
    • Hard to find m1 and m2 such that h(m1)=h(m2)
  • Goal: h(m) should appear random
    • Non-trivial to define “appear random”
  • Uses
    • Password storage (easy to verify that it is probably correct)
    • Integrity: Send m, h(m|s)
    • Storage integrity
how big is 2 128
How big is 2128 ?
  • MD5 is 128 bits long
  • 2128 = 340,282,366,920,938,463,463,374,607,431,768,211,456
  • If you could try a billion2 combinations a second, it would take 10,790 billion years
message digest algorithms
Message Digest Algorithms
  • Rivest Functions:
    • MD2 (128 bits)
    • MD4 (128 bits)
    • MD5 (128 bits)
  • NIST Functions:
    • SHA (160 bits) SHA-1 (160 bits)
    • SHA-512, SHA-1024
  • Other Functions:
    • Snerfu, N-Hash, RIPE-MD, HAVAL
strange hash uses
(Strange) Hash Uses
  • Authentication
    • A sends challenge rA
    • B responds with h(k|rA) and rB
    • A responds with h(k|rB)
  • Integrity / Message Authentication Code
    • h(m | k)
  • Generate a one-time pad
    • h(k | r) gives first block, then h(k | bi-1) gives bi
  • Can also generate a hash using symmetric encryption

CS526

ad