slide1 n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
CS 5950/6030 Network Security Class 4 ( F , 9/ 9 /05) PowerPoint Presentation
Download Presentation
CS 5950/6030 Network Security Class 4 ( F , 9/ 9 /05)

Loading in 2 Seconds...

play fullscreen
1 / 28

CS 5950/6030 Network Security Class 4 ( F , 9/ 9 /05) - PowerPoint PPT Presentation


  • 145 Views
  • Uploaded on

CS 5950/6030 Network Security Class 4 ( F , 9/ 9 /05). Leszek Lilien Department of Computer Science Western Michigan University [Using some slides prepared by: Prof. Aaron Striegel, U. of Notre Dame Prof. Barbara Endicott-Popovsky , U. Washington, and Prof. Deborah Frincke , U. Idaho].

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'CS 5950/6030 Network Security Class 4 ( F , 9/ 9 /05)' - hazina


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1

CS 5950/6030 Network SecurityClass 4 (F, 9/9/05)

Leszek Lilien

Department of Computer Science

Western Michigan University

[Using some slides prepared by:

Prof. Aaron Striegel, U. of Notre Dame

Prof. Barbara Endicott-Popovsky, U. Washington, and Prof. Deborah Frincke, U. Idaho]

slide2

1.2. Survey of Students’Backgroundand Experience (1)

Background Survey

CS 5950/6030 Network Security - Fall 2005

Please print all your answers.

First name: __________________________ Last name: _____________________________

Email _____________________________________________________________________

Undergrad./Year________OR:Grad./Year or Status (e.g., Ph.D. student) ________________

Major _____________________________________________________________________

PART 1. Background and Experience

1-1) Please rate your knowledge in the following areas (0 = None, 5 = Excellent).

UNIX/Linux/Solaris/etc. Experience (use, administration, etc.)

0 1 2 34 5

Network Protocols (TCP, UDP, IP, etc.)

0 1 2 34 5

Cryptography (basic ciphers, DES, RSA, PGP, etc.)

0 1 2 34 5

Computer Security (access control, security fundamentals, etc.)

0 1 2 34 5

Any new students

who did not fill out the survey?

section 1 class 4
Section 1– Class 4

Class 1:

1.1. Course Overview

  • Syllabus - Course Introduction

1.2. Survey of Students’ Background and Experience

1.3. Introduction to Security

Class 2:…

1.3.4. Vulnerabilities, Threats, and Controls– PART 1

Levels of Vulnerabilities / Threats

A) Hardware level / B) Software level

Class 3:

C) Data level / D) Other levels

1.3.5. Attackers

1.3.6. How to React to an Exploit?

1.3.7. Methods of Defense– PART 1

Class 4:

1.3.7. Methods of Defense– PART 2

1.3.8. Principles of Computer Security

1 3 7 methods of defense
1.3.7. Methods of Defense
  • Five basic approaches to defense of computing systems
    • Prevent attack
      • Block attack / Close vulnerability
    • Deter attack
      • Make attack harder (can’t make it impossible )
    • Deflect attack
      • Make another target more attractive than this target
    • Detect attack
      • During or after
    • Recover from attack
a controls
Castle in Middle Ages

Location with natural obstacles

Surrounding moat

Drawbridge

Heavy walls

Arrow slits

Crenellations

Strong gate

Tower

Guards / passwords

A) Controls
  • Computers Today
    • Encryption
    • Software controls
    • Hardware controls
    • Policies and procedures
    • Physical controls
slide6
Multiple controls in computing systems

Fig. 1-6 – p.23

system perimeter – defines „inside/outside”

preemption – attacker scared away

deterrence – attacker could not overcome defenses

faux environment(e.g. honeypot, sandbox) – attack deflected towards a worthless target (but the attacker doesn’t know about it!)

Note layered defense/

multilevel defense / defense in depth (ideal!)

  • Medieval castles –photos nad drawings
    • location (steep hill, island, etc.)
    • moat / drawbridge / walls / gate / guards /passwords
    • another wall / gate / guards /passwords
    • yet another wall / gate / guards /passwords
    • tower / ladders up
a 1 controls encryption
A.1) Controls: Encryption
  • Primary controls!
  • Cleartext scambled into ciphertext (enciphered text)
  • Protects CIA:
    • confidentiality – by „masking” data
    • integrity – by preventing data updates
      • e.g., checksums included
    • availability – by using encryption-based protocols
      • e.g., protocols ensure availablity of resources for different users
  • Much more later

[cf. Barbara Edicott-Popovsky and Deborah Frincke, CSSE592/492, U. Washington]

a 2 controls software controls
A.2) Controls: Software Controls
  • Secondary controls – second only to encryption
  • Software/program controls include:
    • OS and network controls
      • E.g. OS: sandbox / virtual machine
      • Logs/firewalls, OS/net virus scans, recorders
    • independent control programs (whole programs)
      • E.g. password checker, virus scanner, IDS(intrusion detection system)
    • internal program controls (part of a program)
      • E.g. read/write controls in DBMSs
    • development controls
      • E.g. quality standards followed by developers
        • incl. testing
slide9
Considerations for Software Controls:
    • Impact on user’s interface and workflow
      • E.g. Asking for a password too often?
a 3 controls hardware controls
A.3) Controls: Hardware Controls
  • Hardware devices to provide higher degree of security
    • Locks and cables (for notebooks)
    • Smart cards, dongles, hadware keys, ...
    • ...
a 4 controls policies and procedures
A.4) Controls: Policies and Procedures
  • Policy vs. Procedure
    • Policy: What is/what is not allowed
    • Procedure:How you enforce policy
  • Advantages of policy/procedure controls:
    • Can replace hardware/software controls
    • Can be least expensive
      • Be careful to consider all costs
        • E.g. help desk costs often ignored for for passwords (=> look cheap but migh be expensive)
slide12
Policy - must consider:
    • Alignment with users’ legal and ethical standards
    • Probability of use(e.g. due to inconvenience)

Inconvenient: 200 character password,

change password every week

(Can be) good: biometrics replacing passwords

    • Periodic reviews
      • As people and systems, as well as their goals, change
a 5 controls physical controls
A.5) Controls: Physical Controls
  • Walls, locks
  • Guards, security cameras
  • Backup copies and archives
  • Cables an locks(e.g., for notebooks)
  • Natural and man-made disaster protection
    • Fire, flood, and earthquake protection
    • Accident and terrorism protection
  • ...
b effectiveness of controls
B) Effectiveness of Controls
  • Awareness of problem
    • People convined of the need for these controls
  • Likelihood of use
    • Too complex/intrusive security tools are often disabled
  • Overlapping controls
    • >1 control for a given vulnerability
      • To provide layered defense – the next layer compensates for a failure of the previous layer
  • Periodic reviews
    • A given control usually becomess less effective with time
    • Need to replace ineffective/inefficient controls with better ones
1 3 8 principles of computer security
1.3.8. Principles of Computer Security
  • Principle of Easiest Penetration(p.5)

An intruder must be expected to use anyavailable means of penetration.

The penetration may not necessarily be by the most obvious means, nor is it necessarily the one against which the most solid defense has been installed.

  • Principle of Adequate Protection(p.16)

Computer items must be protected to a degree consistent with their value and only until theylose their value. [modified by LL]

slide16
Principle of Effectiveness(p.26)

Controls must be used—and used properly—to be effective.

They must be efficient, easy to use, and appropriate.

  • Principle of Weakest Link(p.27)

Security can be no stronger than its weakest link.

Whether it is the power supply that powers the firewall or the operating system under the security application or the human, who plans, implements, and administers controls, a failure of any control can lead to a security failure.

section 1 summary
Section 1 Summary
  • 1.1. Course Overview
    • Syllabus - Course Introduction
  • 1.2. Survey of Students’ Background and Experience
  • 1.3. Introduction to Security
    • Examples – Security in Practice
    • What is „Security?”
section 2 outline
Section 2 Outline
  • 2. Cryptology

2.1. Threats to Messages

2.2. Basic Terminology and Notation

2.3. Requirements for Crypto Protocols

    • ...
2 1 threats to messages
2.1. Threats to Messages
  • Interception
  • Interruption
    • Blocking msgs
  • Modification
  • Fabrication

“A threat is blocked by control of a vulnerability”

[Pfleeger & Pfleeger]

[cf. B. Endicott-Popovsky, U. Washington]

2 2 basic terminology notation
2.2. Basic Terminology & Notation
  • Cryptology:
    • cryptography + cryptanalysis
  • Cryptography:
    • art/science of keeping message secure
  • Cryptanalys:
    • art/science of breaking ciphertext
      • Enigma in WW2
        • Read the real story – not fabrications!
basic cryptographic scheme

original plaintext

ENCRYPTION

ENCODING

ENCIPHERING

E

DECRYPTION

DECODING

DECIPHERING

D

plaintext

ciphertext

P

C

P

Basic Cryptographic Scheme
  • P = <p1, p2, ..., pn>pi = i-th char of P
    • P = „DO NOT TELL ANYBODY” p1 = „D”, p2 = „O”, etc.
    • By convention, cleartext in uppercase
  • C = <c1, c2, ..., cn>ci = i-th char of C
    • C = „ep opu ufmm bozcpez” c1 = „e”, c2 = „p”, etc.
    • By convention, ciphertext in lowercase
benefits of cryptography
Benefits of Cryptography
  • Improvement not a Solution!
    • Minimizes problems
    • Doesn’t solve them
        • Remember: There is no solution!
    • Adds an envelope (encoding)to an open postcard(cleartext)

[cf. D. Frincke,U. of Idaho]

formal notation

original plaintext

ENCRYPTION

ENCODING

ENCIPHERING

E

DECRYPTION

DECODING

DECIPHERING

D

plaintext

ciphertext

P

C

P

Formal Notation
  • C = E(P) E – encryption rule/algorithm
  • P = D(C) D – decryption rule/algorithm
  • We need a cryptosystem, where:
    • P = D(C)= D(E(P))
      • i.e., able to get the original message back
cryptography in practice

ENCRYPTION

ENCODING

ENCIPHERING

E

plaintext

ciphertext

hostile environment

P

C

original plaintext

DECRYPTION

DECODING

DECIPHERING

D

ciphertext

C

P

Cryptography in Practice
  • Sending a secure message
  • Receiving a secure message

hostile environment

crypto system with keys

Encryption

Key

DecryptionKey

KE

KD

E

D

P

C

P

Crypto System with Keys
  • C = E(KE, P)
    • E = set of encryption algorithms / KE selects Ei  E
  • P = D(KD, C)
    • D = set of decryption algorithms / KD selects Dj  D
  • Crypto algorithms and keys like door locks and keys (p.37)
  • W need: P = D(KD, E(KE, P))
cryptosystems w r t keys
Cryptosystems w.r.t. Keys
  • Keyless cryptosystems exist (e.g., Caesar’s cipher - below)
    • Less secure
  • Symmetric cryptosystems: KE = KD (p.38)
    • Classic
    • Encipher and decipher using the same key
      • Or one key is easily derived from other
  • Asymmetric cryptosystems: KE ≠ KD (revious slide)
    • Public key system
    • Encipher and decipher using different keys
      • Computationally infeasible to derive one from other

[cf. B. Endicott-Popovsky, U. Washington]

2 3 requirements for crypto protocols
2.3. Requirements for Crypto Protocols
  • Messages should get to destination
  • Only the recipient should get it
  • Only the recipient should see it
  • Proof of the sender’s identity
  • Message shouldn’t be corrupted in transit
  • Message should be sent/received once
  • Proofs that message was sent/received (non-repudiation)

[cf. D. Frincke,U. of Idaho]