470 likes | 484 Views
Understand the importance of information security and learn about security services such as confidentiality, integrity, and more. Explore the need for computer security and creating strong passwords for protection. Discover the threats to privacy and the role of cookies in online sessions.
E N D
1 InformationSecurity: Lectureno7 JeffyMwakalinga
2 Outline • Introduction • SecurityServices • HowdoyouprovideConfidentiality? • HowdoyouProvideIntegrity? • HowdoyouProvideNon-repudiation? • HowdoyouprovideAccessControl? • HowdoyouProvideAuthentication • Summary
3 Introduction Information security is defined as methods and technologies for deterrence (scaring away hackers), protection, detection, response, recovery and extended functionalities
Importance of Information Security Protect data from theft Prevent loss of productivity Curb theft of intellectual property Ensure compliance with law and avoid legal consequences Privacy Protect personal identity theft Counter cyberterrorism 4 Why do we need Information Security
5 Why do we need Computer Security?
Select a personally interesting topic such as favorite movie. Develop a password frowm a phrase rather than a single phrase: Gone with the Wind -> GWTW Encode the password GWTW. (1)Replace W with 2u: GWTW ->G2uTW. (2) Replace W with 2U. (3) Replace 2 wiyj Spanish ”dos” -> G2uTdosU 6 Creating Good Passwords
A virus is a program that infects another program by putting a copy of itself to the program. When the infected program runs the virus also runs. It attaches itself to files like message.zip, message.exe A worm is an independent program that makes copies of itselft from one computer to another. The worm moves across networks on its own. A trojan program takes its name from the Greek legend Trojan Horse. It is a program that hides itself inside another useful program and it performs operations that the user in unaware 7 Viruses, Trojans and Worms
Privacy is the right of people to choose freely under what circumstances and to what extent they will reveal themselves, their attitude and their behavior to others. Many transactions can link purchase to customers: paying by check, credit card, debit card; purchasing through mail order; buying products that be registered; Threats to privacy: (1)Government – spying on her citizens (2) busisness –surveillance of employees;and use of business related information (3) private – data mining to sell customers information to the other parties 8 Privacy
Acookieisarecordcontainingsevenfieldsofinformationthatuniquelyidentifiesacustomer’ssessiononyourcomputerAcookieisarecordcontainingsevenfieldsofinformationthatuniquelyidentifiesacustomer’ssessiononyourcomputer PREF ID=40dbd37914242a34:TM=1013725751:LM=1013725751:S=P4MUPnk7Wbs google.com/ Distributedbywww.google.com 1536 2618878336 32111634 48239568 29472167 ThisparticularcookieisbuiltanddistributedbyGoogle.com.Thefirstlineisthenameofthecookie,andthesecondlinecontainsthecookie'svalue(which,inthiscase,isactuallyasetofname-valuepairsseparatedbycolons;thisisGoogle.com-specific).TherestofthelinesareattributessetbyGoogle.com. 9 Cookies:FoundinDirectory-C:\DocumentsandSettings\UserName\Cookies(Explorer)
Name - The name of the cookie ID Value -The individual value Expires -The exact time of expiration. After this time, client browsers will stop sending this cookie when requested. Path -The path under which this cookie is relevant. Domain - The domain associated with this cookie. The default is the creation domain. Secure (True/False ) Whether or not should be transmitted using SSL (that is, across the HTTPS port) 10 Fields in the HTTPCookie
11 Outline • Introduction • SecurityServices • HowdoyouprovideConfidentiality? • HowdoyouProvideIntegrity? • HowdoyouProvideNon-repudiation? • HowdoyouprovideAccessControl? • HowdoyouProvideAuthentication • Summary
12 Security Services : Confidentiality Confidentiality To keep a message secret to those that are not authorized to read it Authentication Access Control Integrity Non-repudiation Availability
13 Security Services: Authentication Confidentiality Authentication To verify the identity of the user / computer Access Control Integrity Non-repudiation Availability
14 Security Services: Access Control Confidentiality Authentication Access Control To be able to tell who can do what with which resource Integrity Non-repudiation Availability
15 Security Services: Integrity Confidentiality Authentication Access Control To make sure that a message has not been changed while on Transfer, storage, etc Integrity Non-repudiation Availability
16 Security Services: Non-repudiation Confidentiality Authentication Access Control To make sure that a user/server can’t deny later having participated in a transaction Integrity Non-repudiation Availability
17 Security Services: Availability Confidentiality Authentication Access Control Integrity To make sure that the services are always available to users. Non-repudiation Availability
18 Outline • Introduction • SecurityServices • HowdoyouprovideConfidentiality? • HowdoyouProvideIntegrity? • HowdoyouProvideNon-repudiation? • HowdoyouprovideAccessControl? • HowdoyouProvideAuthentication • Summary
Encryption Key Plaintext “Hello” Encryption Method & Key Ciphertext “11011101” Network Decryption Key Ciphertext “11011101” Decryption Method & Key Plaintext “Hello” 19 HowdoyouProvideConfidentiality? (10110101) Note: Interceptor Cannot Read Ciphertext Without the Decryption Key Interceptor Party A Party B
20 Key Length and Number of Possible Keys Key Length in Bits Number of Possible Keys 1 2 2 4 4 16 8 256 16 65,536 40 1,099,511,627,776 56 72,057,594,037,927,900 112 5,192,296,858,534,830,000,000,000,000,000,000
21 Possible keys form a key of 8 bits
22 Symmetric Key Encryption – One Key System Symmetric Key Note: A single key is used to encrypt and decrypt in both directions. Plaintext “Hello” Encryption Method & Key Ciphertext “11011101” Interceptor Network Same Symmetric Key Ciphertext “11011101” Decryption Method & Key Plaintext “Hello” Party A Party B
DES Key DES 23 Data Encryption Standard (DES) Cleartext Ciphertext Cleartext
K-1 24 Advanced EncryptionAlgorithm (AES) 1, 2, 3, ... ... .128, 192,256 1, 2, 3, ... ... ... ... ... ...128 Key Cleartext If key = 128 Rounds = 9 If key = 192 Rounds = 11 If key = 256 Rounds = 13 K-2 K-Rounds Ciphertext 1, 2, 3, ... ... ... ... ... ...... 64
25 Public Key System (Asymmetric system – two keys) Encrypted Message Encrypt with Party B’s Public Key Decrypt with Party B’s Private Key Party A Party B Decrypt with Party A’s Private Key Encrypt with Party A’s Public Key Encrypted Message
26 Outline • Introduction • SecurityServices • HowdoyouprovideConfidentiality? • HowdoyouProvideIntegrity? • HowdoyouProvideNon-repudiation? • HowdoyouprovideAccessControl? • HowdoyouProvideAuthentication • Summary
27 How do You Provide Integrity? Hashing (Message Digest) • Hashing is a one-way function. It cannot be reversed • From the hash, you cannot compute the original message • Hashing is repeatable • If two parties apply the same hashing method to the same bit string, they will get the same hash
28 Integrity Security Service Some confidential text (message) in clear (readable) form 1011100011001101010101010011101 0011 1010 1001 Hashing Message Authentication Code (MAC) 1101 0011 1010 1001
29 Integrity cont’d
30 Outline • Introduction • SecurityServices • HowdoyouprovideConfidentiality? • HowdoyouProvideIntegrity? • HowdoyouProvideNon-repudiation? • HowdoyouprovideAccessControl? • HowdoyouProvideAuthentication • Summary
DS Plaintext 31 How do you Provide Non-repudiation? Digital Signature (DS) To Create the Digital Signature: 1. Hash the plaintext to create a brief message digest; this is NOT the Digital Signature. 2. Sign (encrypt) the message Digest (MD) with the sender’s private key to create the digital signature. 3. Transmit the plaintext + digital signature, encrypted with symmetric key encryption. Plaintext Hash MD Sign (Encrypt) with Sender’s Private Key DS
32 Outline • Introduction • SecurityServices • HowdoyouprovideConfidentiality? • HowdoyouProvideIntegrity? • HowdoyouProvideNon-repudiation? • HowdoyouprovideAccessControl? • HowdoyouProvideAuthentication • Summary
33 How do you Provide Access Control? • First Steps • Enumeration of Resources • Sensitivity of Each Resource • Next, who Should Have Access? • Can be made individual by individual • More efficient to define by roles (logged-in users, system administrators, project team members, etc.)
File A Read 34 44 Formal approach to access control Access control Subject can do ... Action ... with which object under which conditions ? File B Copy Execute
35 45 Access control matrix O1 O2 O3 O4 O5 O6 S1 r, w S2 x, d S3 S4 S5 l, c S6
36 Outline • Introduction • SecurityServices • HowdoyouprovideConfidentiality? • HowdoyouProvideIntegrity? • HowdoyouProvideNon-repudiation? • HowdoyouprovideAccessControl? • HowdoyouProvideAuthentication • Summary
37 How do you Provide Authentication? ... to identify the user (who he/she is) ... to verify the identity, if the user really is who he/she claims to be Identification Authentication • - something who you are • - something what you have • something what you know • -where you are - terminal
Simple authentication – using passwords, challenge-response, PINS Strong authentication – using public key system, digital certificates What are digital certificates? – it is an object that binds an identity of a person or machine to her public key and this object is used for electronic authentication before transactions in the open networks. 38 Types of Authentication
39 Authentication- Biometrics Fingerprint scanner • Biometrics • Biometrics used for door locks, can also be used for access control to personal computers • Fingerprint scanners
40 What are Digital Certificates? (X.509 Standard) Field Description Version Number Version number of the X.509. Most certificates follow Version 3. Different versions have different fields. This figure reflects the Version 3 standard. Issuer Name of the Certificate Authority (CA). Serial Number Unique serial number for the certificate, set by the CA.
41 Authentication: X.509 Digital Certificate Fields Field Description Subject The name of the person, organization, computer, or program to which the certificate has been issued. This is the true party. Public Key The public key of the subject—the public key of the true party. Public Key Algorithm The algorithm the subject uses to sign messages with digital signatures.
42 Authentication: X.509 Digital Certificate Fields Field Description Valid Period The period before which and after which the certificate should not be used. Note: Certificate may be revoked before the end of this period. Digital Signature The digital signature of the certificate, signed by the CA with the CA’s own private key. Provides authentication and certificate integrity. User must know the CA’s public key independently.
43 Digital Signature and Digital Certificate in Authentication Digital Certificate Digital Signature Public Key of True Party Signature to Be Tested with Public Key of True Party Authentication
44 Public Key Infrastructure (PKI) with a Certificate Authority (CA) Certificate Authority PKI Server Verifier (Cheng) 6. Request Certificate Revocation List (CRL) 3. Request Certificate for Lee 7. Copy of CRL 5. Certificate for Lee 4. Certificate for Lee • Create & • Distribute • Private Key • and • (2) Digital Certificate Applicant (Lee) Verifier (Brown)
45 Certificate Authority (CA) • CAs are not regulated in any country today • Anyone can be a CA • Even an organized crime syndicate • Some, such as VeriSign, are widely trusted • Companies can be their own CAs • Assign keys and certificates to their internal computers • This gets around the need to trust public CAs
46 Public Key Distribution for Symmetric Session Keys Party A Party B 3. Send the Symmetric Session Key Encrypted for Confidentiality 2. Encrypt Session Key with Party B’s Public Key 4. Decrypt Session Key with Party B’s Private Key 5. Subsequent Encryption with Symmetric Session Key
47 Summary • Introduction • SecurityServices • HowdoyouprovideConfidentiality? • HowdoyouProvideIntegrity? • HowdoyouProvideNon-repudiation? • HowdoyouprovideAccessControl? • HowdoyouProvideAuthentication • Summary