Information Security
Information Security: Lecture no 7
Jeffy Mwakalinga
Outline
• Introduction
• Security Services
• How do you provide Confidentiality?
• How do you Provide Integrity?
• How do you Provide Non-repudiation?
• How do you provide Access Control?
• How do you Provide Authentication
• Summary
Introduction
Information security is defined as methods and technologies for deterrence (scaring away hackers), protection, detection, response, recovery and extended functionalities.
Why do we need Information Security
Importance of Information Security
• Protect data from theft
• Prevent loss of productivity
• Curb theft of intellectual property
• Ensure compliance with law and avoid legal consequences
• Privacy
• Protect against personal identity theft
• Counter cyberterrorism
Why do we need Computer Security?
Creating Good Passwords
• Select a personally interesting topic, such as a favorite movie.
• Develop a password from a phrase rather than a single phrase: Gone with the Wind -> GWTW
• Encode the password GWTW. (1) Replace W with 2u: GWTW -> G2uTW. (2) Replace W with 2U. (3) Replace 2 with Spanish "dos" -> G2uTdosU
Viruses, Trojans and Worms
A virus is a program that infects another program by putting a copy of itself into that program. When the infected program runs, the virus also runs. It attaches itself to files like message.zip, message.exe.
A worm is an independent program that copies itself from one computer to another. The worm moves across networks on its own.
A trojan program takes its name from the Greek legend of the Trojan Horse. It is a program that hides itself inside another useful program and performs operations that the user is unaware of.
Privacy
Privacy is the right of people to choose freely under what circumstances and to what extent they will reveal themselves, their attitude and their behavior to others.
Many transactions can link purchases to customers: paying by check, credit card, debit card; purchasing through mail order; buying products that are registered.
Threats to privacy: (1) Government: spying on its citizens. (2) Business: surveillance of employees, and use of business-related information. (3) Private: data mining to sell customers' information to other parties.
Information SecurityInformation Security 9
Cookies:Cookies: FoundFound inin DirectoryDirectory -- C:\DocumentsC:\Documents andand Settings\Settings\UserName\CookiesUserName\Cookies (Explorer)(Explorer)
AA cookiecookie isis aa recordrecord containingcontaining sevenseven fieldsfields ofof informationinformation thatthat uniquelyuniquely identifiesidentifies aa customer’scustomer’s sessionsession onon youryour computercomputer
PREFPREF ID=40dbd37914242a34:TM=1013725751:LM=1013725751:S=P4MUPnk7WbsID=40dbd37914242a34:TM=1013725751:LM=1013725751:S=P4MUPnk7Wbs
google.com/google.com/ Distributed Distributed byby www.google.comwww.google.com 15361536 26188783362618878336 3211163432111634 4823956848239568 2947216729472167 ThisThis particularparticular cookiecookie isis builtbuilt andand distributeddistributed byby Google.com.Google.com.
TheThe firstfirst lineline isis thethe namename ofof thethe cookie,cookie, andand thethe secondsecond lineline containscontains thethe cookie'scookie's valuevalue (which,(which, inin thisthis case,case, isis actuallyactually aa setset ofof name-valuename-value pairspairs separatedseparated byby colons;colons; thisthis isis Google.com-specific).Google.com-specific). TheThe restrest ofof thethe lineslines areare attributesattributes setset byby Google.com.Google.com.
Fields in the HTTPCookie
Name - The name of the cookie
ID Value - The individual value
Expires - The exact time of expiration. After this time, client browsers will stop sending this cookie when requested.
Path - The path under which this cookie is relevant.
Domain - The domain associated with this cookie. The default is the creation domain.
Secure (True/False) - Whether or not the cookie should be transmitted using SSL (that is, across the HTTPS port)
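
The cookie record shown on the earlier slide can be mapped onto these fields programmatically, which is what a forensic examiner does when reviewing a cookie directory. The following is an added example, not part of the original lecture. It assumes the five numeric lines follow the Internet Explorer cookie-file layout (flags, then expiry and creation times as low/high halves of a Windows FILETIME), which the slide itself does not state; the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Record as printed on the slide, one field per line (line breaks reconstructed).
SAMPLE_RECORD = """\
PREF
ID=40dbd37914242a34:TM=1013725751:LM=1013725751:S=P4MUPnk7Wbs
google.com/
1536
2618878336
32111634
48239568
29472167
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(low, high):
    """Join the two 32-bit halves of a FILETIME (100 ns ticks since 1601-01-01)."""
    for half in (low, high):
        if not 0 <= half < 2**32:
            raise ValueError("FILETIME half out of 32-bit range")
    ticks = (high << 32) | low
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_cookie_record(text):
    """Parse one cookie record into the fields listed on the slide."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 8:
        raise ValueError(f"expected 8 lines, got {len(lines)}")
    name, value, host_path = lines[:3]
    try:
        # Assumed layout: flags, expiry low/high, creation low/high.
        flags, exp_lo, exp_hi, made_lo, made_hi = map(int, lines[3:8])
    except ValueError as exc:
        raise ValueError("attribute lines must be decimal integers") from exc
    domain, _, path = host_path.partition("/")
    # The value is site-specific; this one is colon-separated name=value pairs.
    pairs = dict(p.split("=", 1) for p in value.split(":") if "=" in p)
    return {
        "name": name,
        "value": value,
        "value_pairs": pairs,
        "domain": domain,
        "path": "/" + path,
        "flags": flags,
        "expires": filetime_to_utc(exp_lo, exp_hi),
        "created": filetime_to_utc(made_lo, made_hi),
    }


def is_expired(cookie, now=None):
    """True once the Expires time has passed; browsers then stop sending it."""
    now = now or datetime.now(timezone.utc)
    return now >= cookie["expires"]


if __name__ == "__main__":
    for field, val in parse_cookie_record(SAMPLE_RECORD).items():
        print(f"{field:12} {val}")
```

Under that assumption the sample decodes to a cookie created in February 2002 that does not expire until January 2038, which shows how long a single identifier can persist on a machine.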
Security Services: Confidentiality
To keep a message secret from those who are not authorized to read it
[Figure on each Security Services slide: Confidentiality, Authentication, Access Control, Integrity, Availability, Non-repudiation]
Security Services: Authentication
To verify the identity of the user / computer
Security Services: Access Control
To be able to tell who can do what with which resource
Security Services: Integrity
To make sure that a message has not been changed while in transfer, storage, etc.
Security Services: Non-repudiation
To make sure that a user/server can't deny later having participated in a transaction
Security Services: Availability
To make sure that the services are always available to users.
How do you Provide Confidentiality?
[Figure: Party A turns plaintext "Hello" into ciphertext "11011101" using an encryption method and encryption key; the ciphertext crosses the network, where an interceptor can see it; Party B turns ciphertext "11011101" back into plaintext "Hello" using a decryption method and decryption key.]
Note: Interceptor cannot read ciphertext without the decryption key
(10110101)
Key Length and Number of Possible Keys
Key Length in Bits    Number of Possible Keys
1                     2
2                     4
4                     16
8                     256
16                    65,536
40                    1,099,511,627,776
56                    72,057,594,037,927,900
112                   5,192,296,858,534,830,000,000,000,000,000,000
Possible keys from a key of 8 bits
1 (first key)   0 0 0 0 0 0 0 0
2               0 0 0 0 0 0 0 1
3               0 0 0 0 0 0 1 0
4               0 0 0 0 0 1 0 0
5               0 0 0 0 1 0 0 0
6               0 0 0 1 0 0 0 0
7               0 0 1 0 0 0 0 0
8               0 1 0 0 0 0 0 0
…               .. .. .. .. .. .. .. ..
2^8             1 1 1 1 1 1 1 1
Symmetric Key Encryption – One Key System
[Figure: Party A turns plaintext "Hello" into ciphertext "11011101" using an encryption method and the symmetric key; the ciphertext crosses the network past an interceptor; Party B turns ciphertext "11011101" back into plaintext "Hello" using a decryption method and the same symmetric key.]
Note: A single key is used to encrypt and decrypt in both directions.
Data Encryption Standard (DES)
[Figure: Cleartext -> DES -> Ciphertext -> DES -> Cleartext, with a Key]
Advanced Encryption Algorithm (AES)
[Figure: Cleartext (bits 1, 2, 3, ... 128) and Key (bits 1, 2, 3, ... 128, 192, 256) pass through rounds using K-1, K-2, ... K-Rounds to give Ciphertext (bits 1, 2, 3, ... 64)]
If key = 128, Rounds = 9
If key = 192, Rounds = 11
If key = 256, Rounds = 13
Public Key System (Asymmetric system – two keys)
[Figure: Party A and Party B exchange encrypted messages. A message for Party B is encrypted with Party B's public key and decrypted with Party B's private key. A message for Party A is encrypted with Party A's public key and decrypted with Party A's private key.]
How do You Provide Integrity? Hashing (Message Digest)
Hashing is a one-way function. It cannot be reversed
• From the hash, you cannot compute the original message
Hashing is repeatable
• If two parties apply the same hashing method to the same bit string, they will get the same hash
Integrity Security Service
[Figure: the message "Some confidential text (message) in clear (readable) form" goes through Hashing to give the Message Authentication Code (MAC) 1101 0011 1010 1001; the MAC is appended to the message bits: 101110001100110101010101001 1101 0011 1010 1001]
Integrity cont'd
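
The two hashing properties and the appended MAC from the figure can be exercised directly. The following is an added example, not part of the original lecture; it assumes SHA-256 and HMAC from the Python standard library (the slides name no specific algorithm), and the key, messages and function names are constructed for illustration. It also shows why the code appended to the message needs a shared key: a bare digest can be recomputed by whoever alters the message.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA-256 output size in bytes


def message_digest(message: bytes) -> str:
    """Unkeyed hash: repeatable and one-way, but anyone can recompute it."""
    return hashlib.sha256(message).hexdigest()


def digest_only_check(message: bytes, digest: str) -> bool:
    """Integrity check that relies on the bare digest alone."""
    return hmac.compare_digest(message_digest(message), digest)


def make_mac(key: bytes, message: bytes) -> bytes:
    """Keyed hash: only holders of the shared key can produce a valid code."""
    return hmac.new(key, message, hashlib.sha256).digest()


def send(key: bytes, message: bytes) -> bytes:
    """Party A: append the MAC to the message, as in the slide's figure."""
    return message + make_mac(key, message)


def receive(key: bytes, packet: bytes) -> bytes:
    """Party B: split off the MAC, recompute it, reject on any mismatch."""
    if len(packet) < TAG_LEN:
        raise ValueError("packet too short to carry a MAC")
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(make_mac(key, message), tag):
        raise ValueError("integrity check failed: message or MAC was altered")
    return message


def accepts(key: bytes, packet: bytes) -> bool:
    """Convenience wrapper: True if the packet passes verification."""
    try:
        receive(key, packet)
        return True
    except ValueError:
        return False


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate a single-bit change during transfer or storage."""
    changed = bytearray(data)
    changed[index] ^= 0x01
    return bytes(changed)


if __name__ == "__main__":
    key = b"constructed-shared-key"           # sample value
    original = b"Pay Lee 100"                  # sample message
    altered = b"Pay Lee 900"

    # Bare digest: the altered message ships with a freshly computed digest.
    print("digest-only accepts altered:",
          digest_only_check(altered, message_digest(altered)))

    packet = send(key, original)
    print("MAC accepts original:", accepts(key, packet))
    print("MAC accepts bit-flipped:", accepts(key, flip_bit(packet, 4)))
```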
How do you Provide Non-repudiation? Digital Signature (DS)
To Create the Digital Signature:
1. Hash the plaintext to create a brief message digest; this is NOT the Digital Signature.
2. Sign (encrypt) the message digest (MD) with the sender's private key to create the digital signature.
3. Transmit the plaintext + digital signature, encrypted with symmetric key encryption.
[Figure: Plaintext -> Hash -> MD -> Sign (Encrypt) with Sender's Private Key -> DS; DS + Plaintext are transmitted]
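
Steps 1 and 2, plus the receiver's check with the sender's public key, are carried through below. This is an added example, not part of the original lecture: it uses textbook RSA without padding and two small Mersenne primes chosen only so the arithmetic is visible, so the key material, function names and sample message are all constructed assumptions. Step 3 (symmetric encryption of the transmission) is left out.

```python
import hashlib

# Toy key material constructed for this example: two Mersenne primes.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537  # public exponent


def make_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent; raises ValueError if not invertible
    return (n, e), (n, d)


def message_digest(plaintext: bytes, n: int) -> int:
    """Step 1: hash the plaintext (reduced mod n only because the toy n is small)."""
    return int.from_bytes(hashlib.sha256(plaintext).digest(), "big") % n


def sign(plaintext: bytes, private_key) -> int:
    """Step 2: 'encrypt' the message digest with the sender's private key."""
    n, d = private_key
    return pow(message_digest(plaintext, n), d, n)


def verify(plaintext: bytes, signature: int, public_key) -> bool:
    """Receiver: recover the digest with the sender's public key and compare
    it with a digest computed over the plaintext that actually arrived."""
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == message_digest(plaintext, n)


if __name__ == "__main__":
    public_key, private_key = make_keypair()
    plaintext = b"Lee agrees to pay Brown 100"      # sample message
    ds = sign(plaintext, private_key)

    print("digest   :", hex(message_digest(plaintext, public_key[0])))
    print("signature:", hex(ds))
    print("valid for the signed text :", verify(plaintext, ds, public_key))
    print("valid for an altered text :",
          verify(b"Lee agrees to pay Brown 900", ds, public_key))
```

Because only the holder of the private key can produce a value that verifies under the matching public key, a valid signature is evidence the sender cannot later disown, which is the non-repudiation property this slide is about.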
How do you Provide Access Control?
First Steps
• Enumeration of Resources
• Sensitivity of Each Resource
Next, who Should Have Access?
• Can be made individual by individual
• More efficient to define by roles (logged-in users, system administrators, project team members, etc.)
Formal approach to access control
Access control: Subject can do ... Action ... with which object under which conditions?
[Figure: actions Read, Copy, Execute applied to objects File A and File B]
Access control matrix
[Figure: matrix of subjects S1, S2, S3, S4, S5, S6 against objects O1, O2, O3, O4, O5, O6; sample cell entries: "r, w", "x, d", "l, c"]
How do you Provide Authentication?
Identification: ... to identify the user (who he/she is)
Authentication: ... to verify the identity, if the user really is who he/she claims to be
- something you are
- something you have
- something you know
- where you are (terminal)
Types of Authentication
Simple authentication – using passwords, challenge-response, PINs
Strong authentication – using public key system, digital certificates
What are digital certificates? A digital certificate is an object that binds the identity of a person or machine to its public key; this object is used for electronic authentication before transactions in open networks.
Authentication - Biometrics
Biometrics
• Biometrics used for door locks can also be used for access control to personal computers
• Fingerprint scanners
[Figure: Fingerprint scanner]
What are Digital Certificates? (X.509 Standard)
Field - Description
Version Number - Version number of the X.509. Most certificates follow Version 3. Different versions have different fields. This figure reflects the Version 3 standard.
Issuer - Name of the Certificate Authority (CA).
Serial Number - Unique serial number for the certificate, set by the CA.
Authentication: X.509 Digital Certificate Fields
Field - Description
Subject - The name of the person, organization, computer, or program to which the certificate has been issued. This is the true party.
Public Key - The public key of the subject—the public key of the true party.
Public Key Algorithm - The algorithm the subject uses to sign messages with digital signatures.
Valid Period - The period before which and after which the certificate should not be used. Note: Certificate may be revoked before the end of this period.
Digital Signature - The digital signature of the certificate, signed by the CA with the CA's own private key. Provides authentication and certificate integrity. User must know the CA's public key independently.
Digital Signature and Digital Certificate in Authentication
[Figure: the Digital Certificate supplies the Public Key of the True Party; the Digital Signature is the signature to be tested with the Public Key of the True Party; the two together give Authentication]
Public Key Infrastructure (PKI) with a Certificate Authority (CA)
[Figure: Certificate Authority PKI Server, Applicant (Lee), Verifier (Brown), Verifier (Cheng)]
Create & Distribute (1) Private Key and (2) Digital Certificate
3. Request Certificate for Lee
4. Certificate for Lee
5. Certificate for Lee
6. Request Certificate Revocation List (CRL)
7. Copy of CRL
Certificate Authority (CA)
CAs are not regulated in any country today
• Anyone can be a CA
• Even an organized crime syndicate
• Some, such as VeriSign, are widely trusted
Companies can be their own CAs
• Assign keys and certificates to their internal computers
• This gets around the need to trust public CAs
Public Key Distribution for Symmetric Session Keys
[Figure: exchange between Party A and Party B]
2. Encrypt Session Key with Party B's Public Key
3. Send the Symmetric Session Key Encrypted for Confidentiality
4. Decrypt Session Key with Party B's Private Key
5. Subsequent Encryption with Symmetric Session Key
Summary
• Introduction
• Security Services
• How do you provide Confidentiality?
• How do you Provide Integrity?
• How do you Provide Non-repudiation?
• How do you provide Access Control?
• How do you Provide Authentication
• Summary