1 / 22

Conclusion

Conclusion. Course Summary. Crypto Basics, symmetric key, public key, hash functions and other topics, cryptanalysis Access Control Authentication, authorization, firewalls, IDS Protocols Simple authentication Real-World: SSL, IPSec, Kerberos, WEP, GSM Software

trory
Download Presentation

Conclusion

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Conclusion Conclusion 1

  2. Course Summary • Crypto • Basics, symmetric key, public key, hash functions and other topics, cryptanalysis • Access Control • Authentication, authorization, firewalls, IDS • Protocols • Simple authentication • Real-World: SSL, IPSec, Kerberos, WEP, GSM • Software • Flaws, malware, SRE, development, trusted OS Conclusion 2

  3. Crypto Basics • Terminology • Classic cipher • Simple substitution • Double transposition • Codebook • One-time pad • Basic cryptanalysis Conclusion 3

  4. Symmetric Key • Stream ciphers • A5/1 • RC4 • Block ciphers • DES • AES, TEA, etc. • Modes of operation • Data integrity (MAC) Conclusion 4

  5. Public Key • Knapsack (insecure) • RSA • Diffie-Hellman • Elliptic curve crypto (ECC) • Digital signatures and non-repudiation • PKI Conclusion 5

  6. Hashing and Other • Birthday problem • Tiger Hash • HMAC • Clever uses: online bids, spam reduction • Other topics • Secret sharing • Random numbers • Information hiding (stego, watermarking) Conclusion 6

  7. Advanced Cryptanalysis • Enigma • RC4 (as used in WEP) • Linear and differential cryptanalysis • Knapsack attack (lattice reduction) • RSA timing attacks Conclusion 7

  8. Authentication • Passwords • Verification and storage (salt, etc.) • Cracking (math) • Biometrics • Fingerprint, hand geometry, iris scan, etc. • Error rates • Two-factor, single sign on, Web cookies Conclusion 8

  9. Authorization • Historyand system certification • ACLsand capabilities • Multilevel security (MLS) • BLP, Biba, compartments, covert channel, inference control • CAPTCHA • Firewalls • IDS Conclusion 9

  10. Simple Protocols • Authentication • Using symmetric key • Using public key • Session key • Perfect forward secrecy (PFS) • Timestamps • Authentication and TCP • Zero knowledge proof (Fiat-Shamir) Conclusion 10

  11. Real-World Protocols • SSH • SSL • IPSec • IKE • ESP/AH, tunnel/transport mode, etc. • Kerberos • WEP • GSM Conclusion 11

  12. Software Flaws and Malware • Flaws • Buffer overflow • Incomplete mediation, race condition, etc. • Malware • Brain, Morris Worm, Code Red, Slammer • Malware detection • Future of malware, botnets, etc. • Other software-based attacks • Salami, linearization, etc. Conclusion 12

  13. Insecurity in Software • Software reverse engineering (SRE) • Software protection • Digital rights management (DRM) • Software development • Open vs closed source • Finding flaws (do the math) Conclusion 13

  14. Operating Systems • OS security functions • Separation • Memory protection, access control • Trusted OS • MAC, DAC, trusted path, TCB, etc. • NGSCB • Technical issues • Criticisms Conclusion 14

  15. Crystal Ball • Cryptography • Well-established field • Don’t expect major changes • But some systems will be broken • ECC is a major “growth” area • Quantum crypto may prove worthwhile… • …but for now it’s mostly (all?) hype Conclusion 15

  16. Crystal Ball • Authentication • Passwords will continue to be a problem • Biometrics should become more widely used • Smartcard/tokens will be used more • Authorization • ACLs, etc., well-established areas • CAPTCHA’s interesting new topic • IDS is a hot topic Conclusion 16

  17. Crystal Ball • Protocols are challenging • Difficult to get protocols right • Protocol development often haphazard • “Kerckhoffs’ Principle” for protocols? • How much would it help? • Protocols will continue to be aproblem Conclusion 17

  18. Crystal Ball • Software is a huge security problem today • Buffer overflows should decrease… • …but race condition attacks might increase • Virus writers are getting smarter • Botnets • Polymorphic, metamorphic, what’s next? • Future of malware detection? • Malware will continue to be a plague Conclusion 18

  19. Crystal Ball • Other software issues • Reverse engineering will not go away • Secure development will remain hard • Open source is not a panacea • OS issues • NGSCB (or similar) could change things… • …but, for better or for worse? Conclusion 19

  20. The Bottom Line • Security knowledge is needed today… • …and it will be needed in the future • Necessary to understand technical issues • The focus of this class • But technical knowledge is not enough • Human nature, legal issues, business issues, etc. • Experienceisimportant Conclusion 20

  21. A True Story • The names have been changed… • “Bob” took my information security class • Bob then got an intern position • At a major company that does lots of security • One meeting, an important customer asked • “Why do we need signed certificates?” • “After all, they cost money!” • The silence was deafening Conclusion 21

  22. A True Story • Bob’s boss remembered that Bob had taken a security class • So he asked Bob, the lowly intern, to answer • Bob mentioned man-in-the-middle attack on SSL • Customer wanted to hear more • So, Bob explained MiM attack in some detail • The next day, “Bob the lowly intern” became “Bob the fulltime employee” Conclusion 22

More Related