S.38153 Security of Communication Protocols
• General:
  • Lectures Tu 10-12 S2, lecturer J. Jormakka
  • Exercises We 14-16 and We 16-18, laboratory, M. Nardone
  • in groups, each group every second week 2 hours.
  • Credits 2 = (>1 cr) exam + (<1 cr) exercise reports
  • Content: Security attack and defense mechanisms.
• Lecture material:
  • Find any thick book on Internet security that deals with the matters covered in the course.
  • Lecture notes 2004 are copies of transparencies. They are not good as stand-alone study material; they are a checklist of issues treated in the course so that you know what to study from books. The exam is largely based on the lecture notes.
  • The slides from year 2003 may be nicer to read than mine.
General content
• GOAL: The course is about security attacks on the Internet and ways to protect the network.
• LECTURES: The lectures explain different attack and defense mechanisms on a beginner level.
  • The first lectures explain basic mechanisms which can be used in the exercises. Later lectures deal with some special issues that cannot be tried in the laboratory, at least this year.
• EXERCISES: The exercises are mandatory (you do not always need to attend, but returning a report by the end of the course is required; the report is made by the group).
  • It is known that there were problems with the laboratory equipment and arrangements last year.
  • In order to partially improve this, each group will make a laboratory work description of one work.
What is the course not?
• This is not a basic course in applied cryptography. For instance, B. Schneier: Applied Cryptography is a source of this kind of information for engineers. This kind of knowledge is not assumed in this course.
• This is not a course giving up-to-date information on current security products and tools; take instead some course from TIK with visiting lecturers from industry.
• This course does not teach good hacking tricks. All information in the 2004 lectures is available in books on these matters. In the exercises you may be trying attacks that might still work somewhere. Attacking any real network is illegal, do not do so.
• The course ignores security policies, security in organization...
• What is this course then? It is a basic course in security for our students, as TIK’s courses have too many students already.
Content should cover something like
• Security tools & mechanisms:
  • Firewalls, Scanners
  • Antivirus tools, viruses, worms, trojans
  • Intruder Detection & logs
  • IPsec, IKE
  • Java security, Web security (CGI etc.)
  • eCommerce security issues, PKI
  • secure email, like PGP
  • authentication (AAA, Kerberos/Active Directory... etc.)
  • SSH, SSL, whatever security protocols, WLAN security etc.
• Information warfare
  • attacks, statistics, importance
• That is, technical aspects of practical security
PLAN
• 20.1 Introduction, Hacking
• 27.1 Scanning, Viruses
• 3.2 Denial of Service attack, Firewalls
• 10.2 Security logs, Intruder Detection Systems
• 17.2 Basics of cryptography and cryptanalysis
• 24.2 IPsec, IKE
• 2.3 Java security, CGI security
• 9.3 WLAN security, Bluetooth security
• 16.3 Overview of ISO17799 standard and SAML
• 23.3 PGP, Kerberos
• 30.3 Security of operating systems (Win 2000/NT)
• 6.4 L23 GSM, GPRS, UMTS security features
• 13.4 no lecture
• 20.4 PKI, WPKI, SET, smart cards
• 27.4 Information warfare, hints to the exam
Exercises
• Exercise assistant: Nardone Massimo
• 7 exercise times, every second week
• In groups of 3, each time 4 groups have place in the laboratory
• Exercise report returned by the group by 31.5.2004 on paper to a place announced later.
• Exercise report is free form, must contain names and the name of the course.
• Report is evaluated accepted/not accepted=returned
• Should explain what you did. Minimum 7 exercises done, not necessarily successfully, but a good try is needed.
• You are encouraged to try something new, pick up some new tools, try some new attacks; do not do useless things here!
• You can also make one individual larger exercise.
What should be protected?
• Security attacks usually violate:
  • Privacy (confidentiality) - data is not disclosed to unauthorized people.
  • Integrity - data is not changed by unauthorized people.
  • Availability - data is available to authorized users (people or something else).
• Let us define that people do security breaches. There must be one or more intentional human attackers to make a security attack.
• This means that destruction of data by a natural catastrophe, or forgetting to lock a door, are not attacks. They may enable attacks, but that requires a person doing the attack intentionally.
Security=(Privacy, Integrity, Availability)?
• Almost, but not quite - there are some other aspects in security not covered by this triplet.
  • One is Nonrepudiability (cannot deny having done something).
• Privacy, integrity and availability are not independent aspects:
  • Integrity and availability can be related: If an unauthorized user manages to encrypt some protected data, does it become unavailable data or is the integrity violated?
  • Privacy and integrity can be related: If an unauthorized user plants a trapdoor which can later be used for violation of privacy (like reading files) or violation of integrity (like removing files), which area does planting the trapdoor violate?
  • Privacy and availability can be related: the trapdoor could be used to violate availability.
What should be protected?
• A type of security attack which does not attack privacy, integrity or availability is, for instance, faking somebody’s digital signature and faking an agreement in somebody’s name for a business deal outside data communications.
• The classification (privacy, integrity and availability) applies best to attacks on stored data.
• There are other areas, like
  • attacks on processes (like forcing a process to misbehave)
  • attacks on transmitted data
  • security as a service (like giving digital signatures)
• These areas may require a wider classification scheme.
What about the law?
• The Finnish legislation treats communication security in several places:
• Constitution 10§
  • “Privacy of a telephone call or some other confidential message must not be violated.”
  • A law can make an exception to this general rule in the constitution.
• Law of privacy in work life
  • 9§ states that there is separate legislation giving an employer some right to monitor and control communications and email. This legislation does not exist yet but there is a new proposal.
  • Then personal email, even if coming to a work place mail server, is protected by privacy, including header information.
  • The employer has the right to search and filter out letters which are by content addressed to the firm, even if they come to the mailbox of an employee and are addressed to the employee.
What about the law?
• Law of privacy in telecommunication
  • Concerns personnel of telecommunication firms
  • Reading transmitted data is a security breach.
• Criminal law
  • If access is obtained by breaking security mechanisms it is a criminal action.
  • Writing/spreading viruses is a crime.
• Law of personnel registers
  • 5§ states that registers must be kept in such a way that privacy of people whose information is registered is not compromised.
• There are many other relevant references in the law.
What about the law?
• The present legislation is not considered to cover all cases:
  • If, for instance, a system administrator reads emails sent to a former employee when the mail is in a mailbox, it was still unclear 3 years ago whether he violates privacy of mail.
  • Now email security is rather clear (he does, but some mechanisms for the employer are coming for filtering letters which by content are to the employer).
  • Copying data protected by security mechanisms is a theft; if the data is not well protected it may be a theft.
  • Damaging somebody’s system is most probably criminal, as is any unauthorized damaging act.
  • Writing/spreading a virus is a crime, but what is a virus?
Who are the attackers?
• The attackers include different types of people, like teenage hackers wanting to impress peers, university students/personnel trying some nice new trick, tiger teams, dissatisfied former employees, computer criminals, industrial and military spies, vandals and terrorists.
• Rather than making a list of all types, we can classify the attackers by their goals:
  • wish to show ability (hackers)
  • economic gain (criminals)
  • wish to destroy (vandals)
  • political and military gain (terrorists, military, spies)
Why security problems in data networks?
• When discussing security of the Internet, it is customary to mention that there are security problems in all communication networks. This is not quite so: there are more problems in the Internet than in, say, PSTN.
• If you compare the Internet to a telecommunication network like PSTN or GSM, you see that a telecommunication network is basically a service network.
• What we can do with a service network is: cheat in bills if signaling is too simple, block the network if it is not protected enough, listen to transmissions unless they are encrypted well enough, cause problems like crashing some services by exploiting bugs, and abuse services.
• There were early PSTN phreakers, but they could never be the threat that Internet crackers are. Phreakers could only call on somebody else’s account.
Why security problems in data networks?
• To a large extent we can design the network and services so well that these problems can be avoided. I think it is possible to offer a sufficiently large set of sufficiently secure services.
• A data communication network like the Internet is basically a platform for doing any kind of computing in networked computers. Its origin is networked computing in a LAN in a secure environment.
• Such an environment wants to offer things like remote access, which make stealing files, destroying data etc. possible.
• I think a general purpose convenient distributed computing environment will not be secure.
Why security problems in data networks?
• What is the future?
• To a large extent the Internet is no longer a distributed computing platform. Firewalls block remote access to hosts outside your own network.
• People mostly use a small set of services: email, file transfer, web, maybe in the future voice and video services. There is little need for a possibility to remotely log into a system at all. Maybe we could drop all dangerous features.
• But there are other development scenarios: mobile code is still one of the favorite ideas in the Internet community. Executable attachments in email, like macros, applets and scripts, cause security problems.
• It seems that the Internet may not become a secure service network.
Why security problems in data networks?
• Some think that Internet security will be solved in a short time and maybe is almost solved with IPsec and IKE.
• There are indeed methods to solve some security problems:
  • privacy of transmitted data through IPsec
  • privacy of transmitted and stored data, like PGP
  • authentication through public key cryptography or by one-time passwords
  • protection against some forms of address spoofing and use of vulnerabilities through firewalls
  • protection against some known types of malicious code through virus protection
  • protection against misbehaving malicious code through a sandbox model, like in Java security
  • use of scanners for locating vulnerabilities
Why security problems in data networks?
• There are security problems which are not yet solved and may not be solvable.
• My favorites are the following problems:
  • Denial of Service (DoS) attacks. At the moment these attacks use features of some protocols, but in general, overload protection is very difficult for a network whose structure is not carefully planned.
  • Bugs in software and design. These vulnerabilities can usually be fixed if they are found, but if new applications are introduced at a fast pace without careful quality control there is no hope of getting all bugs removed. In general, avoiding bugs is impossible.
  • There are no complete protection methods for harmful mobile code of different types (Java scripts, mobile agents etc.)
• Additionally, social engineering works fine.
Why security problems in data networks?
• Often it is stated that the problem is not technical – it is organizational: The organization is not security-aware.
  • Then personnel use poor passwords and social engineering attacks work.
• Thus: security can be fixed by organizational means.
  • There are organizations which need a high security policy (like the army), including a security classification of all documents.
• However, this way also leads to more control.
  • Higher security may become counterproductive.