Security
This presentation is the property of its rightful owner.
Sponsored Links
1 / 39

Security PowerPoint PPT Presentation


  • 93 Views
  • Uploaded on
  • Presentation posted in: General

Security. Security Needs. Computers and data are used by the authorized persons Computers and their accessories, data, and information are available to the genuine users. Security policy is to ensure that. Security Services. Authentication Access control Data confidentiality

Download Presentation

Security

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Security

Security


Security

Security Needs

  • Computers and data are used by the authorized persons

  • Computers and their accessories, data, and information are available to the genuine users

Security policy is to ensure that


Security

Security Services

  • Authentication

  • Access control

  • Data confidentiality

  • Data integrity

  • Non-repudiation


Security

Security Services

Authentication

  • A user proves its identity to another party

  • A data sender proves that the data is actually sent by him/her


Security

Security Services

Access control

  • Guard against unauthorized use of resources


Security

Security Services

Data confidentially

  • Data and its meanings are only available to those who are the genuine receivers

  • For other parties, the data would appear to be “rubbish”


Security

Security Services

Data integrity

  • Guards against active attack – modification, insertion, deletion, replay

  • If a piece of data is changed, such a change can be detected


Security

Security Services

Non-repudiation

  • When a party sends a piece of information, it can be proved that the sender is actually that party

  • The sender cannot subsequently deny the act of having sent a piece of information


Security

Security Mechanisms

To provide security services, some specific security mechanisms may be implemented:

  • Encipherment

  • Digital signature

  • Access control


Security

DES

  • The Data Encryption Standard (DES) is a private key encryption system developed by the U.S. government in the 1970s

  • It was based on a previous IBM encryption system called “Lucifer”

  • It was adopted as a U.S. federal standard in 1976, and then as an international standard


Security

Encryption

64 bit message

56 bit key

DES Overview

  • Plaintext size : 64 bits

  • Key size : 64 bits input, only 56 bits are used

  • Ciphertext size : 64 bits

64 bit ciphertext


Security

Strength of DES

  • DES has been cryptanalyzed for many years by many people, no serious flaws have been revealed up to now

  • The 56-bit key size : there are 256=7.2x1016 different possible keys

  • May not be sufficient to resist brute-force key search attack


Security

Strength of DES

  • If it takes 1 sec to test 1 key then 228 million years are needed to test all keys

  • If it takes 1 μsec to test 1 key then 2,280 years to test all keys

  • If there are 1 million machines working in parallel then the key can be found in a day!


Security

k2

k1

k1

DES

Encrypt

DES

Decrypt

DES

Encrypt

ciphertext

plaintext

Triple DES

  • Triple DES employs the Encrypt-Decrypt-Encrypt (EDE) mode of operation with two different keys – equivalent to a key of 112 bits


Security

k2

k1

k1

DES

Decrypt

DES

Encrypt

DES

Decrypt

plaintext

ciphertext

Triple DES

  • The decryption process is:


Security

Triple DES

  • Triple DES can use the existing DES block

  • When K2=K1, the triple DES system “falls back” to the single DES system

  • It is “backward compatible” with single key DES


Security

AES

  • AES stands for “Advanced Encryption System”

  • NIST (National Institute of Standards and Technology) of USA announced AES in 1997, and then called for algorithms from the public on 12 Sept 1997


Security

AES

  • Researchers from 12 different countries submitted 15 algorithms for the AES

  • As at Aug 1999, 5 algorithms have been chosen by NIST for further consideration

  • On 3-Oct-2000, the proposal by Rijdael [pro. Rhine doll] – Joan Daemen and Vincent Rijmen of Belgium was selected


Security

Public Key Encryption


Security

Public Key Encryption

  • Each user will have a pair of keys K1 & K2

  • Use keys K1 to encrypt and K2 to decrypt

  • Keep K1 private and top secret

  • Gives out K2 to anybody who needs it

  • K1 is called the private key

  • K2 is called the public key


Security

Plaintext

Encryption

Decryption

Key K1

Key K2

Two Keys

  • In a public key encryption system, the encryption key and the decryption key are different


Security

English

Message

Encryption

Decryption

English

Message

Alice’s

Private

Key K1

Alice’s

Public

Key K2

Bob

Alice

Proof of Identity

  • Alice sends a message to Bob

  • Bob can prove that the message could only have been created by Alice


Security

English

Message

Encryption

Encryption

Encrypted

Message

Alice’s

Private Key

Bob’s

Public Key

Alice

Confidentiality + Identity

  • Alice sends an encrypted message to Bob so that only Bob can decrypt the message and Bob can later prove that the creator was Alice


Security

RSA Algorithm

  • The most widely used public key algorithm

  • Proposed by Rivest, Shamir, and Adleman

  • Security is based on the difficulty in factorizing a large integer that is the product of two large prime numbers

  • E.g. 437 = ? x ?

  • 437 = 19 x 23

  • Reference web page: http://www.rsa.comhttp://www.orst.edu/dept/honors/makmur/


Security

Input = x

(variable

Length)

Hash Function

Output = y

(fixed length)

Hash Function

  • A Hash Functionis a one-way function y=H(x), designed to produced a fixed length “message digest” or a “fingerprint” of a variable-length message


Security

MD5

  • MD5 – Message Digest 5

  • Designed by Prof. R. Rivest of MIT

  • Internet standard – RFC1321

  • Thought to be a strong hash function

  • The message digest is 128 bits

  • Message is processed in 512-bit blocks


Security

Secure Hash Algorithm (SHA)

  • SHA was FIPS PUB 180-1, designed by the U.S. National Security Agency (NSA)

  • To be used in the Digital Signature Algorithm (DSA) – part of the Digital Signature Standard (DSS)

  • Input data length is less than 264 bits

  • Message digest is 160 bits


Security

Digital Signature

  • A digital signature has functions similar to those of conventional signature

  • Support authentic messages:

    • Signer of document can be confirmed

    • Contents of a signed document can be verified


Security

…..

……

…..

…..

…..

……

…..

…..

Alice’s Private key

DS

Hash

Encrypt

Alice

Digital Signature Generation

  • A widely adopted scheme is based on hash function and public key encryption


Security

…..

……

…..

…..

Hash

Alice’s Public key

DS

Compare

Decrypt

Equal => authentic message

Not equal => non-authentic

Bob

Digital Signature Verification


Security

Public Key Infrastructure

  • How to give your public key to your friend?

  • How can you be sure that the public key you obtain is indeed your friend’s public key?

  • For a small number of mutually trusted users, a “web of trust” system is O.K.


Security

Bob

Public key

Alice

Public key

Eve

Public key

David

Public key

Web of Trust


Security

Certification Authority

  • For a large population of users, a central trusted party can act as a Certification Authority (CA)

  • Users may deposit their public keys in a CA who they trust

  • The CA may pass out the public keys to any user who need them in certificates


Security

CA

d

c

a

b

A CA Supporting Many Users


Security

Certificate

  • A certificate for a user (also called a subscriber) contains the user’s particulars and the user’s public key

  • The certificate is an electronic document signed by the CA who issue it


Security

CA

Alice’s certificate

Other certificates

to other users

Cert. I.D.:123716

Name:Alice

Public key:001010…

Valid date:xx to yy

……

……

Sign:________

Signed by CA

Certificate


Security

Revocation

  • A user may revoke the validity of his/her certificate before the actual expiry date

  • Revocation information about a CA’s subscribers are published in a Certificate Revocation List (CRL)


Security

Public Key Infrastructure

  • When there are many CA’s and many subscribers, a hierarchy can be formed linking all the CA’s and the subscribers

  • This form a public key infrastructure

  • The subscribers can communicate securely by using digital signature techniques


Security

Public Key Infrastructure

CA 3

CA 2

CA 4

CA 1

user 6

user 1

user2

user 3

user 4

user 5


  • Login