Upload
jennifer-sutton
View
220
Download
0
Tags:
Embed Size (px)
Citation preview
04/18/23 Madhumita. Chatterjee 2
Security concerns on the Internet
Highly contagious viruses Defacing web pages Credit card no theft On-line scams Intellectual property theft Wiping out data Denial of service Spam emails Etc etc etc………….
04/18/23 M. Chatterjee 3
Who are the attackers?
Unintended blunders Hackers driven by technical
challenges Disgrunted employees or customers Petty criminals Organized crimes Organized terror groups Information warfare
04/18/23 M. Chatterjee 4
Vulnerabilities
Application security Buggy code Buffer overflows
Host security Server side Client side
Transmission security Network Security
04/18/23 M. Chatterjee 5
Security Requirements Confidentiality Protection from
disclosure to unauthorized persons Authenticity is the identification and
assurance of the origin of information. Integrity refers to the trustworthiness
of data or resources in terms of preventing improper and unauthorized changes.
Non-Repudiation: Originator cannot deny sending the message
04/18/23 M. Chatterjee 6
Security Requirements……
Availability refers to the ability to use the information or resource desired.
Access control Anonymity
04/18/23 M. Chatterjee 7
Security Mechanisms
System security: “Nothing bad happens to
my computers and equipment”Virus, trojan horse, logic/time bombs.
Network Security: Authentication Mechanisms: “you say who you say
you are”Access control: Firewalls, proxies…..who can do what? Data Security: “For your eyes only”
Encryption, digests, signatures…..
Security Mechanisms…. Encipherment
Hiding or covering data Data Integrity
Appends a checkvalue to data Digital Signature
Electronic signature Authentication exchange
Two parties exchange messages to prove their identities
04/18/23 Madhumita. Chatterjee 8
Security Mechanisms…. Traffic padding
Inserting bogus data into traffic Routing control
Changing different available routes between sender and receiver
Notarization Selecting a trusted third party to control
communication Access control04/18/23 Madhumita. Chatterjee 9
04/18/23 M. Chatterjee 10
Security Threats and Attacks
A threat is a potential violation of security. Flaws in design, implementation, and
operation. An attack is any action that
violates security. Active adversary.
Threat to confidentiality Snooping Traffic Analysis
Threat to Integrity Modification Masquerading Replaying Repudiation
04/18/23 Madhumita. Chatterjee 11
04/18/23 M. Chatterjee 13
Eavesdropping - Message Interception (Attack on Confidentiality) Unauthorized access to information Packet sniffers and wiretappers Illicit copying of files and programs
S R
Eavesdropper
04/18/23 M. Chatterjee 14
Integrity Attack - Tampering With Messages
Stop the flow of the message Delay and optionally modify the
message Release the message again
S R
Perpetrator
04/18/23 M. Chatterjee 15
Authenticity Attack - Fabrication Unauthorized assumption of other’s
identity Generate and distribute objects under
this identity
S R
Masquerader: from S
04/18/23 M. Chatterjee 16
Attack on Availability Destroy hardware (cutting fiber) or software Modify software in a subtle way (alias
commands) Corrupt packets in transit
Blatant denial of service (DoS): Crashing the server Overwhelm the server (use up its resource)
S R
04/18/23 M. Chatterjee 17
Impact of Attacks
Theft of confidential information Unauthorized use of
Network bandwidth Computing resource
Spread of false information Disruption of legitimate servicesAll attacks can be related and are
dangerous!
Passive vs Active AttacksAttacks Passive/Active Threatening
Snooping,Traffic Analysis
Passive Confidentiality
Modification,Masquerading,Replaying,Repudiation
Active Integrity
Denial of Service Active Availibility
04/18/23 Madhumita. Chatterjee 18
04/18/23 M. Chatterjee 19
Close-knit Attack Family
who toimpersonate
sniff forcontent
traffic analysis- who is talking
re-targetjam/cut it
capture &modify
pretend
re-target
I need tobe Bill
Passive attacks Active Attacks
04/18/23 M. Chatterjee 20
Security Policy and Mechanism Policy: a statement of what is, and is not
allowed. Mechanism: a procedure, tool, or method of
enforcing a policy. Security mechanisms implement functions
that help prevent, detect, and respond to recovery from security attacks.
Security functions are typically made available to users as a set of security services through APIs or integrated interfaces.
Cryptography underlies many security mechanisms.
04/18/23 M. Chatterjee 21
Security Services
Confidentiality: protection of any information from being exposed to unintended entities. Information content. Parties involved. Where they are, how they
communicate, how often, etc.
04/18/23 M. Chatterjee 22
Security Services - Cont’d
Authentication: assurance that an entity of concern or the origin of a communication is authentic - it’s what it claims to be or from
Integrity: assurance that the information has not been tampered with
Non-repudiation: offer of evidence that a party indeed is the sender or a receiver of certain information
04/18/23 M. Chatterjee 23
Security Services - Cont’d
Access control: facilities to determine and enforce who is allowed access to what resources, hosts, software, network connections
Monitor & response: facilities for monitoring security attacks, generating indications, surviving (tolerating) and recovering from attacks
04/18/23 M. Chatterjee 24
Security Services - Cont’d
Security management: facilities for coordinating users’ service requirements and mechanism implementations throughout the enterprise network and across the Internet Trust model Trust communication protocol Trust management infrastructure
Relation between security services and mechanisms
Security Service
Security Mechanisms
Data Confidentiality
Encipherment and routing control
Data Integrity Encipherment, digital signature, data integrity
Authentication Encipherment, digital signature, authentication exchanges
Non-repudiation
Digital signature, data integrity and notarization
Access control Access control mechanisms
04/18/23 Madhumita. Chatterjee 25
Security Techniques
Cryptography Symmetric key encipherment Asymmetric key encipherment
Hashing Steganography
Covered writing
04/18/23 Madhumita. Chatterjee 27