
Network and System Security


mirandap

Presentation Transcript


  1. Network and System Security Introduction CSE 5349/7349

  2. Information Security • Computer security • Protect system resources • Protect data (dynamic/stored) • Network security • Protect network resources • Protect exchanged data Security = confidentiality + integrity + availability + authenticity

  3. Attacks • Passive attacks • Affects data confidentiality • More difficult to detect, less harmful • Active attacks • Affects data confidentiality, integrity, and/or availability • Easier detection, more harmful

  4. Attacks (cont’d) • Interruption • Interception • Modification • Fabrication

  5. Interruption • An asset of the system is destroyed or becomes unavailable or unusable • Attack on availability • Destruction of hardware • Cutting of a communication line • Disabling the file management system

  6. Interception • An unauthorized party gains access to an asset • Attack on confidentiality • Wiretapping to capture data in a network • Illicit copying of files or programs

  7. Modification • An unauthorized party not only gains access but tampers with an asset • Attack on integrity • Change values in a data file • Alter a program to make it perform differently • Modify content of messages transmitted on a network

  8. Fabrication • Unauthorized party inserts counterfeit objects into the system • Attack on authenticity • Insertion of spurious messages in a network • Addition of records to a file

  9. Network Security Services • Authentication • validate authenticity claims (identity/data) • Authorization • Enforce selective access (information/resources) • Confidentiality • Prevent disclosure of data (entire message/selected fields/traffic characteristics) • Integrity • Prevent tampering of data (entire message/selected fields) • Non-repudiation • Proof of origin, proof of delivery CIA

  10. Security Mechanisms • Specific mechanisms • Access control list - resource protection • Encryption – data confidentiality • Digital signature – origin verification, non-repudiation • Notarization – trusted third party assurance • Traffic padding – traffic characteristic confidentiality • Routing control – flow protection

  11. Mechanisms (cont’d) • Pervasive mechanisms • Event detection • Security audit trail • Security recovery

  12. Password Security

  13. System Security • Two issues • Attack by unauthorized users • Attack by authorized users • Solution • Unauthorized – authenticate • Authorized – access control

  14. Authentication • Usual User ID + passwd • ID public, passwd private • When to authenticate • Beginning of session • Periodically within session • After a pause • Beginning of sensitive operation

  15. Selection of Passwd • Psychological issues • Disclosing passwd – social engineering • Difficulty in entering • Difficulty in remembering • System issues • Targeted and general attacks • Multi-lateral security • User training

  16. Attacks on Passwd • Attack on passwd entry • Interface design • Eavesdropping • Trusted path (ex. Ctrl-Alt-Del) • Passwd retry counters • Timing attack • Attack on smart cards • Attack on passwd storage • Audit trail • Need for one-way encryption

  17. Passwd Cracking • Brute force attack • Use all combinations of characters • Knowledge of victim • Names, license plate numbers… • Dictionary attack

  18. Defense • Use different passwds for users/systems • No default passwds • Against brute force • Longer passwds • More than letters and numbers • Case sensitive • Against dictionary • No words • No “obvious” passwds

  19. System Defenses • Run passwd filters to weed out weak ones • Generate random passwds for users • Enforce passwd life-time • Limit failed logins • Notifying history to users

  20. Salting the Passwd • What happens if two users choose the same passwd? • Will result in same hash • Add some random information (salt) to the passwd before hashing • Makes it harder to crack
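
The effect of the salt from slide 20, shown as an added example that is not part of the original slides. The choice of PBKDF2-HMAC-SHA256, the iteration count, the 16-byte salt and the sample accounts are assumptions made for this illustration; the constant-time comparison addresses the timing attack listed on slide 16.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def unsalted_hash(password):
    """The situation slide 20 describes: same passwd, same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random 16-byte salt is drawn per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def build_table(users):
    """Constructed passwd table: user -> (salt, digest)."""
    return {name: hash_password(pw) for name, pw in users.items()}


# Constructed sample accounts: two users picked the same passwd.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse"}

if __name__ == "__main__":
    table = build_table(SAMPLE_USERS)
    print("unsalted equal:",
          unsalted_hash("correct horse") == unsalted_hash("correct horse"))
    print("salted equal:  ", table["alice"][1] == table["bob"][1])
    print("bob verifies:  ", verify_password("correct horse", *table["bob"]))
```

The salt is stored next to the digest in the table; it is not secret, it only has to differ per user.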

  21. Access Control

  22. Authentication vs. Access Control • Authentication about who you are • Access control – who may do what to what? • Major portion of security breaches organized by authorized users

  23. Control Structures • Formalism • Subjects, Objects, Access permissions • Access control matrix • Example

  24. Capabilities and Access Control Lists (ACL) • For large systems • Large number of subjects and objects • Control matrix very large and sparse • Store the matrix rows and columns as linked lists • Rows – capabilities • Columns - ACLs

  25. Capabilities • What subject A is allowed to do • Whenever a new object is created, other subjects may be given the capabilities to access it

  26. Intermediate Solutions • Group permissions • Negative permissions • Protection rings • Permission trees

  27. Group Permissions • Place number of users in a named group • ACLs for groups

  28. Negative Permission • To exclude specific permission from the group grant
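
Slides 23 to 28 combined in one added example that is not part of the original slides: a sparse access control matrix kept as rows (capabilities) and columns (ACLs), with group grants and a negative permission that overrides them. The class name, method names, users and the object `payroll.db` are hypothetical, and dictionaries stand in for the linked lists mentioned on slide 24.

```python
from collections import defaultdict


class AccessMatrix:
    def __init__(self):
        self.caps = defaultdict(dict)    # row view: subject -> {object: rights}
        self.acls = defaultdict(dict)    # column view: object -> {subject: rights}
        self.groups = defaultdict(set)   # group name -> member users
        self.denied = defaultdict(set)   # (user, object) -> rights excluded

    def add_to_group(self, user, group):
        self.groups[group].add(user)

    def grant(self, subject, obj, rights):
        entry = self.caps[subject].setdefault(obj, set())
        entry |= set(rights)
        self.acls[obj][subject] = entry  # same set object keeps both views in sync

    def deny(self, user, obj, rights):
        self.denied[(user, obj)] |= set(rights)

    def capabilities(self, subject):
        """One matrix row: what this subject may do."""
        return dict(self.caps.get(subject, {}))

    def acl(self, obj):
        """One matrix column: who may do what to this object."""
        return dict(self.acls.get(obj, {}))

    def allowed(self, user, obj, right):
        if right in self.denied.get((user, obj), set()):
            return False                 # negative permission beats any grant
        principals = [user] + [g for g, m in self.groups.items() if user in m]
        column = self.acls.get(obj, {})
        return any(right in column.get(p, set()) for p in principals)


def build_sample():
    """Constructed policy: staff may read/write payroll.db, except bob may not write."""
    m = AccessMatrix()
    m.add_to_group("alice", "staff")
    m.add_to_group("bob", "staff")
    m.grant("staff", "payroll.db", {"read", "write"})
    m.grant("carol", "payroll.db", {"read"})
    m.deny("bob", "payroll.db", {"write"})
    return m
```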

  29. Protection Rings • Assigning priority levels to objects and subjects • 0 kernel • 1 OS • 2 system utilities • 3 other programs • Access decisions based on comparing the levels of Ss and Os.

  30. Hardware Protection • Protection problem • Preventing one processor from interfering with another • Confinement problem • Preventing programs from communicating outside the authorized channels • Memory management • Reference monitor

  31. Security Processors • Pentium 3 processor serial number • ARM (Acorn Risc Machine) • Smart cards • Protection of protection hardware • Tamper resistance

  32. Attack (cont’d) • Smashing the stack • Finger bug in UNIX • Does not check the length of the input string • Trailing edge could be used to overwrite the system stack • Want to be a root user?

  33. Cryptography

  34. Terminology • Cryptography • Cryptanalysis • Cryptology • Plain text • Cipher text

  35. Historical Background • Mono-alphabetic substitution • Caesar cipher • Stream ciphers C= P + K mod 26 • One-time pad • Perfect secrecy (Shannon’s theorem) • No integrity • Block codes • Playfair • One-way functions

  36. Formal Classifications • Type of operation • Substitution • Transposition • Number of keys used • Symmetric (one key, private) • Asymmetric (two keys, public) • Mode of plain text processing • Block vs. stream

  37. Cryptanalysis • Attacks • Known plain text attack • Chosen plain text • Chosen cipher text • Security • Unconditionally secure • Computationally secure

  38. Block Ciphers • Block of plain text converted into block of cipher of equal length • Based on Feistel block structure • Unique transformation • Reversible • Example • Small blocks vulnerable to attacks • Large blocks impractical to implement

  39. Feistel Cipher (FC) • Based on product ciphers • Alternate substitutions and permutations • Shannon’s proposal • Diffusion • Dissipate plain text statistics into long-range cipher statistics • Example: Averaging operation on characters • A permutation on binary bits followed by some operations • Confusion • To make the deduction of the key difficult

  40. FC Structure • Multiple rounds • Round function (based on the round key) • Substitution (XOR) • Permutation (Exchange of halves) • Parameters • Block size (64 bits) • Key size (128 bits) • Number of rounds (16) • Sub-key generation algorithm • Round function

  41. DES [Figure: plaintext is encrypted with the secret key into ciphertext; ciphertext is decrypted with the secret key back into plaintext]

  42. DES • Currently the most widely used block cipher in the world • IBM’s LUCIFER was the precursor • One of the largest users of the DES is the banking industry, particularly with EFT • Although the standard is public, the design criteria used are classified

  43. DES Security • Recent analysis has shown that DES is well designed (diffusion & confusion) • Rapid advances in computing speed though have rendered the 56 bit key susceptible to exhaustive key search • 1997 on a large network of computers in a few months • 1998 on dedicated h/w in a few days • 1999 above combined in 22hrs! • DES also theoretically broken using Differential or Linear Cryptanalysis • In practice, unlikely to be a problem yet

  44. Overview of DES Encryption • Basic process consists of: • An initial permutation (IP) • 16 rounds of a complex key dependent calculation F • A final permutation, being the inverse of IP

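  45. [Figure: DES structure, from the initial permutation through Round 1, Round 2, … Round 16 to the final permutation; each round takes L(i–1), R(i–1) and a round key K(i) taken from the 56-bit key, passes through F and +, and outputs L(i), R(i)] • Each Round • 64-bit key (56-bits + 8-bit parity) • 16 rounds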

  46. Initial Permutation • No improvement in security, cipher gets more complex 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4, 62, 54, 46, 38, 30, 22, 14, 6, 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3, 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7

  47. DES Key Generation • Sub-keys used in each round are formed by • An initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves • 16 stages consisting of: • selecting 24-bits from each half • permuting them by PC2 for use in function f, • rotating each half separately either 1 or 2 places depending on the key rotation schedule KS • Can be described functionally as: SKi = PC2(KS(PC1(Key),i))

  48. Expansion Function E • Expands RH side data input from 32 to 48 bits by duplicating some bits • Specifically split input into 8 groups of 4 bits • Duplicate bits from either side to form groups of 6 bits

  49. Substitution (S) Boxes • 8 S-boxes, each of which maps 6 bits to 4 bits • Each S-box is actually 4 little 4 bit boxes • Outer bits 1 & 6 (row bits) select one of the 4 rows • Inner bits 2-5 (col bits) are substituted for 4 others
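
The rules on slides 48 and 49 worked through in code, as an added example that is not part of the original slides. The expansion table is derived from the slide's description rather than copied, the S1 contents come from the published DES standard (the slides do not list them), and the function names are hypothetical.

```python
def build_e_table():
    """Derive the 48-entry expansion table from the rule on slide 48.

    Bits are numbered 1..32 from the left. Each 4-bit group becomes 6 bits
    by borrowing the last bit of the previous group and the first bit of
    the next group, wrapping around at both ends.
    """
    table = []
    for g in range(8):
        first = 4 * g + 1
        table.append(32 if g == 0 else first - 1)  # neighbour on the left
        table.extend(range(first, first + 4))      # the group itself
        table.append(1 if g == 7 else first + 4)   # neighbour on the right
    return table


E_TABLE = build_e_table()


def expand(right_half):
    """Apply E to a 32-bit integer and return the 48-bit result."""
    out = 0
    for pos in E_TABLE:
        out = (out << 1) | ((right_half >> (32 - pos)) & 1)
    return out


# S-box S1 as four rows of sixteen 4-bit values (slide 49's "4 little boxes").
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox_lookup(box, six_bits):
    """Outer bits 1 and 6 pick the row, inner bits 2-5 pick the column."""
    row = ((six_bits >> 5) & 1) << 1 | (six_bits & 1)
    col = (six_bits >> 1) & 0xF
    return box[row][col]
```

Each row of an S-box is a permutation of 0 to 15, so for a fixed pair of outer bits the mapping of the inner four bits is reversible, while the 6-to-4-bit mapping as a whole is not.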

  50. DES Decryption • To decrypt a block of data must unwind all steps of data computation • With Feistel design, same as just doing encryption steps again • Except that must use subkeys in reverse order (SK16 first, then SK15 etc.)
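
The property stated on slides 40 and 50, shown with a toy Feistel network as an added example that is not part of the original slides. The round function and key schedule below are SHA-256-based stand-ins and are not the DES F function or the PC1/KS/PC2 schedule; only the structure (64-bit block, 16 rounds, XOR, exchange of halves) follows the slides, and all names are hypothetical.

```python
import hashlib

ROUNDS = 16                       # slide 40: number of rounds
HALF_BITS = 32                    # slide 40: 64-bit block, two 32-bit halves
MASK = (1 << HALF_BITS) - 1


def subkeys(key):
    """Stand-in key schedule: one 48-bit subkey per round, SK1..SK16."""
    return [hashlib.sha256(key + bytes([i])).digest()[:6]
            for i in range(1, ROUNDS + 1)]


def round_function(right, subkey):
    """Toy F. It does not have to be invertible for the cipher to be."""
    digest = hashlib.sha256(subkey + right.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def feistel(block, keys):
    """Run the rounds with the subkeys in the order given."""
    left, right = block >> HALF_BITS, block & MASK
    for k in keys:
        # substitution (XOR with F) followed by exchange of halves
        left, right = right, left ^ round_function(right, k)
    # undo the final exchange so the same routine also decrypts
    return (right << HALF_BITS) | left


def encrypt(block, key):
    return feistel(block, subkeys(key))


def decrypt(block, key):
    # identical steps, subkeys reversed: SK16 first, then SK15, ...
    return feistel(block, subkeys(key)[::-1])


if __name__ == "__main__":
    key = b"constructed demo key"          # constructed sample key
    plaintext = 0x0123456789ABCDEF         # constructed sample block
    ciphertext = encrypt(plaintext, key)
    print(hex(ciphertext), hex(decrypt(ciphertext, key)))
```

Running the encryption routine a second time with the subkeys in forward order does not recover the plaintext; only the reversed order unwinds the rounds.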
