1 / 15

Class 1 Background, Tools, and Trust CIS 755: Advanced Computer Security Spring 2014

Class 1 Background, Tools, and Trust CIS 755: Advanced Computer Security Spring 2014. Eugene Vasserman http://www.cis.ksu.edu/~eyv/CIS755_S14/. This class. http://www.cis.ksu.edu/~eyv/CIS755_S14/ Will discuss historical and modern work in security focusing on advanced concepts

carlos-ruiz
Download Presentation

Class 1 Background, Tools, and Trust CIS 755: Advanced Computer Security Spring 2014

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Class 1Background, Tools, and TrustCIS 755: Advanced Computer SecuritySpring 2014 Eugene Vasserman http://www.cis.ksu.edu/~eyv/CIS755_S14/

  2. This class http://www.cis.ksu.edu/~eyv/CIS755_S14/ • Will discuss historical and modern work in security focusing on advanced concepts Coursework consists of: • Reading from “Cryptography Engineering,”“Security Engineering,” and papers • Class discussions • Quizzes, mid-terms, and a final project

  3. Administrative stuff • Me: eyv@ksu • Office: 316A Nichols • Office hours as on syllabus or by appointment • Readings, quizzes, etc. on schedule page • Periodically check main page for news and schedule page for changes and slides http://www.cis.ksu.edu/~eyv/CIS755_S14/

  4. Things to remember • I can be wrong; papers can be wrong; anyone can be wrong! • This class is experimental – if the workload is too heavy, if you’re not learning, if you are bored, let me know! • Please contact me for any reason – email, stop by my office, or make an appointment • If you don’t understand something, ask!

  5. Reading papers • Read critically • Pretend you know it’s broken and let the writer convince you otherwise (or not!) • Think like an adversary • Are there implicit assumptions? • Are the explicit assumptions reasonable? • Some resources are online • (website external resources )

  6. Security basics • “Secure against what?” • Threat/attacker model, players and resources • Kerckhoff’s principle • Roughly, the only thing secret about a security system should be the “secret key” • Shannon’s maxim • “The enemy knows the system”

  7. Safety vs. security • Think like an adversary! • Random → malicious faults • Engineering for security: “What’s the worst that can happen?” Assume it will… • Always, always, ALWAYS state your assumptions!

  8. Always state your assumptions!

  9. Security: fundamental differences • Real world: physical, intuitive • Risk assessment • People are not even good at this in the real world! • Trusted vs. trustworthy • Forensics, physical evidence • Forgery • Fail “evident,” e.g. theft • Scale of failures

  10. Building secure systems • Players • Incentives and resources • Adversary model • Logical or illogical: cost vs. payoff • Levels of assurance • Proactive vs. reactive enforcement • Fail-closed/secure or fail-open/insecure? • Method of returning to secure states

  11. What does “secure” mean? • Secrecy/Confidentiality • Authenticity • Integrity • Privacy/Anonymity • Pseudonymity • Unlinkability • Deniability • Accountability

  12. Security mechanisms (incomplete list) • Access control • Authentication • Separation of roles • Logging • Trusted components in the hands of trustworthy parties

  13. Some things to remember • Secure hardware: FAIL! • Mobile software agents: FAIL! • Loss of security is a one-way trip* * Some exceptions apply • e.g. confidentiality, integrity (sometimes) • Attacks only get better • Security should be considered in design • There issuch a thing as too much security

  14. Final projects • Proposal (with projected timeline) • We will discuss details later • Progress report • Final presentation (in class) • Final report • 50% of your grade

  15. Lastly, a brief anonymous questionnaire Questions?

More Related