Information Security 1 Information Security: Lecture no 7 Jeffy Mwakalinga

Information SecurityInformation Security 1

InformationInformation Security:Security:LectureLecture nono 77

JeffyJeffy MwakalingaMwakalinga


OutlineOutline

IntroductionIntroduction SecuritySecurity ServicesServices HowHow dodo youyou provideprovide Confidentiality?Confidentiality? HowHow dodo youyou ProvideProvide Integrity?Integrity? HowHow dodo youyou ProvideProvide Non-repudiation?Non-repudiation? HowHow dodo youyou provideprovide AccessAccess Control?Control? HowHow dodo youyou ProvideProvide AuthenticationAuthentication SummarySummary


Information security Information security is definedis defined as methods and technologiesas methods and technologies

for deterrence (scaring away hackers), for deterrence (scaring away hackers), protection, detection, response, protection, detection, response,

recovery and extended functionalitiesrecovery and extended functionalities

IntroductionIntroduction


Why do we need Information SecurityWhy do we need Information Security

Importance of Information SecurityImportance of Information Security• Protect data from theftProtect data from theft• Prevent loss of productivityPrevent loss of productivity• Curb theft of intellectual propertyCurb theft of intellectual property• Ensure compliance with law and avoid legal consequencesEnsure compliance with law and avoid legal consequences• PrivacyPrivacy• Protect personal identity theftProtect personal identity theft• Counter cyberterrorismCounter cyberterrorism


Why do we need Computer Security?Why do we need Computer Security?


Creating Good PasswordsCreating Good Passwords

Select a personally interesting topic such as Select a personally interesting topic such as favorite movie. favorite movie.

Develop a password frowm a phrase rather than Develop a password frowm a phrase rather than a single phrase: Gone with the Wind -> GWTWa single phrase: Gone with the Wind -> GWTW

Encode the passwordEncode the password GWTW. (1)Replace W with 2u: GWTW ->G2uTW. GWTW. (1)Replace W with 2u: GWTW ->G2uTW.

(2) Replace W with 2U. (3) Replace 2 wiyj (2) Replace W with 2U. (3) Replace 2 wiyj Spanish ”dos” -> G2uTdosUSpanish ”dos” -> G2uTdosU


Viruses, Trojans and WormsViruses, Trojans and Worms

A virus is a program that infects another A virus is a program that infects another program by putting a copy of itself to the program by putting a copy of itself to the program. When the infected program runs the program. When the infected program runs the virus also runs. It attaches itself to files like virus also runs. It attaches itself to files like message.zip, message.exemessage.zip, message.exe

A worm is an independent program that makes A worm is an independent program that makes copies of itselft from one computer to another. copies of itselft from one computer to another. The worm moves across networks on its own.The worm moves across networks on its own.

A trojan program takes its name from the Greek A trojan program takes its name from the Greek legend Trojan Horse. It is a program that hides legend Trojan Horse. It is a program that hides itself inside another useful program and it itself inside another useful program and it performs operations that the user in unawareperforms operations that the user in unaware


PrivacyPrivacy

Privacy is the right of people to choose freely Privacy is the right of people to choose freely under what circumstances and to what extent under what circumstances and to what extent they will reveal themselves, their attitude and they will reveal themselves, their attitude and their behavior to others.their behavior to others.

Many transactions can link purchase to Many transactions can link purchase to customers: paying by check, credit card, debit customers: paying by check, credit card, debit card; purchasing through mail order; buying card; purchasing through mail order; buying products that be registered;products that be registered;

Threats to privacy: (1)Government – spying on Threats to privacy: (1)Government – spying on her citizens (2) busisness –surveillance of her citizens (2) busisness –surveillance of employees;and use of business related employees;and use of business related information (3) private – data mining to sell information (3) private – data mining to sell customers information to the other parties customers information to the other parties


Cookies:Cookies: FoundFound inin DirectoryDirectory -- C:\DocumentsC:\Documents andand Settings\Settings\UserName\CookiesUserName\Cookies (Explorer)(Explorer)

AA cookiecookie isis aa recordrecord containingcontaining sevenseven fieldsfields ofof informationinformation thatthat uniquelyuniquely identifiesidentifies aa customer’scustomer’s sessionsession onon youryour computercomputer

PREFPREF ID=40dbd37914242a34:TM=1013725751:LM=1013725751:S=P4MUPnk7WbsID=40dbd37914242a34:TM=1013725751:LM=1013725751:S=P4MUPnk7Wbs

google.com/google.com/ Distributed Distributed byby www.google.comwww.google.com 15361536 26188783362618878336 3211163432111634 4823956848239568 2947216729472167 ThisThis particularparticular cookiecookie isis builtbuilt andand distributeddistributed byby Google.com.Google.com.

TheThe firstfirst lineline isis thethe namename ofof thethe cookie,cookie, andand thethe secondsecond lineline containscontains thethe cookie'scookie's valuevalue (which,(which, inin thisthis case,case, isis actuallyactually aa setset ofof name-valuename-value pairspairs separatedseparated byby colons;colons; thisthis isis Google.com-specific).Google.com-specific). TheThe restrest ofof thethe lineslines areare attributesattributes setset byby Google.com.Google.com.


Fields in the HTTPCookieFields in the HTTPCookie

Name - The name of the cookieName - The name of the cookie ID Value -The individual value ID Value -The individual value Expires -The exact time of expiration. After this Expires -The exact time of expiration. After this

time, client browsers will stop sending this time, client browsers will stop sending this cookie when requested.cookie when requested.

Path -The path under which this cookie is Path -The path under which this cookie is relevant.relevant.

Domain - The domain associated with this Domain - The domain associated with this cookie. The default is the creation domain.cookie. The default is the creation domain.

Secure (True/False ) Whether or not should be Secure (True/False ) Whether or not should be transmitted using SSL (that is, across the HTTPS transmitted using SSL (that is, across the HTTPS port)port)


OutlineOutline



Security Services : ConfidentialitySecurity Services : Confidentiality

To keep a message To keep a message secret to secret to those that are not those that are not authorized authorized to read itto read it

ConfidentialityConfidentiality

AuthenticatioAuthenticationn Access ControlAccess Control Integrity Integrity

AvailabilityAvailability

Non-repudiationNon-repudiation


Security Services: AuthenticationSecurity Services: Authentication


AuthenticationAuthentication

Access ControlAccess Control Integrity Integrity



To verify the identity of To verify the identity of the user / computer the user / computer


Security Services: Access ControlSecurity Services: Access Control






To be able to tell who can do what with which resource


Security Services: IntegritySecurity Services: Integrity






To make sure that a To make sure that a message has not been message has not been changed while on changed while on Transfer, storage, etc Transfer, storage, etc


Security Services: Non-repudiationSecurity Services: Non-repudiation






To make sure that a To make sure that a user/server can’t deny user/server can’t deny later having participated later having participated in a transactionin a transaction


Security Services: AvailabilitySecurity Services: Availability





Non-repudiationNon-repudiationTo make sure that the To make sure that the services are always services are always available to users.available to users.


OutlineOutline



HowHow dodo youyou ProvideProvide Confidentiality?Confidentiality?

Network

Plaintext“Hello”

EncryptionMethod &

Key

Ciphertext “11011101”

EncryptionKey

Ciphertext “11011101” Plaintext“Hello”

DecryptionMethod &

Key

DecryptionKey

Interceptor

Party A

Party B

Note:Interceptor Cannot ReadCiphertext Without the

Decryption Key

(10110101)


Key Length and Number of Possible Key Length and Number of Possible KeysKeys

1

Key Lengthin Bits

2

4

8

16

256

65,536

16

4

2

Number of Possible Keys

40 1,099,511,627,776

56 72,057,594,037,927,900

112 5,192,296,858,534,830,000,000,000,000,000,000


Possible keys form a key of 8 bitsPossible keys form a key of 8 bits

1 (first key) 0 0 0 0 0 0 0 0

2 0 0 0 0 0 0 0 1

3 0 0 0 0 0 0 1 0

4 0 0 0 0 0 1 0 0

5 0 0 0 0 1 0 0 0

6 0 0 0 1 0 0 0 0

7 0 0 1 0 0 0 0 0

8 0 1 0 0 0 0 0 0

… .. .. .. .. .. .. .. ..

28 1 1 1 1 1 1 1 1


Symmetric Key Encryption – One Key Symmetric Key Encryption – One Key SystemSystem

Network

Plaintext“Hello”

EncryptionMethod &

Key

Ciphertext “11011101”

SymmetricKey

Ciphertext “11011101” Plaintext“Hello”

DecryptionMethod &

Key

SameSymmetric

Key

Interceptor

Party A

Party B

Note:A single key is used to

encrypt and decryptin both directions.


CleartextCleartext

CiphertextCiphertext

CleartextCleartext

KeyKey

DESDES

DESDES

Data Encryption Standard (DES)Data Encryption Standard (DES)


CleartextCleartextKeyKey1, 2, 1, 2, 3, ... ... ... ... ... ...1283, ... ... ... ... ... ...128

1, 2, 3, ... ... .128, 192,2561, 2, 3, ... ... .128, 192,256

CiphertextCiphertext1, 2, 3, ... ... ... ... ... ...... 641, 2, 3, ... ... ... ... ... ...... 64

K-1K-1

K-2K-2

K-K-RoundsRounds

Advanced EncryptionAdvanced Encryption

Algorithm (AES)Algorithm (AES)

If key = 128 Rounds = 9If key = 192Rounds = 11If key = 256Rounds = 13


Public Key System (Asymmetric Public Key System (Asymmetric system – two keys)system – two keys)

Party A Party B

Decrypt withParty A’s Private Key

Encrypt withParty A’s Public Key

Encrypt withParty B’s Public Key

Decrypt withParty B’s Private Key

EncryptedMessage

EncryptedMessage


OutlineOutline



How do You Provide Integrity? How do You Provide Integrity? Hashing (Message Digest) Hashing (Message Digest)

Hashing is a one-way function. It cannot Hashing is a one-way function. It cannot be reversedbe reversed• From the hash, you cannot compute the From the hash, you cannot compute the

original messageoriginal messageHashing is repeatableHashing is repeatable

• If two parties apply the same hashing If two parties apply the same hashing method to the same bit string, they will get method to the same bit string, they will get the same hashthe same hash


Some confidential text (message) in clear (readable) form

1101 0011 1010 10011101 0011 1010 1001Message Message

Authentication CodeAuthentication Code ((MACMAC))

Integrity Security Service Integrity Security Service

1011100011001101010101010011101 0011 1010 1011100011001101010101010011101 0011 1010 10011001

Hashing


Integrity cont’dIntegrity cont’d


OutlineOutline



How do you Provide Non-repudiation? How do you Provide Non-repudiation? Digital Signature (DS)Digital Signature (DS)

To Create the Digital Signature:

1. Hash the plaintext to create abrief message digest; this is

NOT the Digital Signature.

2. Sign (encrypt) the messageDigest (MD) with the sender’s private

key to create the digital signature.

3. Transmit the plaintext + digitalsignature, encrypted withsymmetric key encryption.

Plaintext

MD

DS

DS Plaintext

Hash

Sign (Encrypt)with Sender’sPrivate Key


OutlineOutline



How do you Provide Access Control?How do you Provide Access Control?First StepsFirst Steps

• Enumeration of ResourcesEnumeration of Resources

•Sensitivity of Each ResourceSensitivity of Each ResourceNext, who Should Have Access?Next, who Should Have Access?

•Can be made individual by individualCan be made individual by individual

•More efficient to define by roles (logged-in More efficient to define by roles (logged-in users, system administrators, project users, system administrators, project team members, etc.)team members, etc.)


Access control Access control Access control Access control Subject can do ... Action ... with which object under which conditions ?

File B File B

File A File A

ReadCopy

Execute

Formal approach to access controlFormal approach to access control

44 44


S1S2S3S4S5S6

O1 O2 O3 O4 O5 O6r, w

x, d

l, c

Access control matrixAccess control matrix

45 45


OutlineOutline



How do you Provide Authentication?How do you Provide Authentication?

Identification Identification


... to identify the user (who he/she is)

... to verify the identity, if the user really is who he/she claims to be

- something who you are- something what you have-something what you know-where you are - terminal


Types of AuthenticationTypes of Authentication

Simple authentication – using passwords, Simple authentication – using passwords, challenge-response, PINSchallenge-response, PINS

Strong authentication – using public key Strong authentication – using public key system, digital certificatessystem, digital certificates

What are digital certificates? – it is an What are digital certificates? – it is an object that binds an identity of a person object that binds an identity of a person or machine to her public key and this or machine to her public key and this object is used for electronic object is used for electronic authentication before transactions in the authentication before transactions in the open networks.open networks.


Authentication- BiometricsAuthentication- Biometrics

BiometricsBiometrics• Biometrics used for Biometrics used for

door locks, can also be door locks, can also be used for access control used for access control to personal computersto personal computers

• Fingerprint scanners Fingerprint scanners

Fingerprint scanner


What are Digital Certificates? (X.509 What are Digital Certificates? (X.509 Standard)Standard)

Field Description

VersionNumber

Version number of the X.509. Most certificates follow Version 3. Different versions have different fields. This figure reflects the Version 3 standard.

Issuer Name of the Certificate Authority (CA).

SerialNumber

Unique serial number for the certificate, set by the CA.


Authentication: X.509 Digital Authentication: X.509 Digital Certificate FieldsCertificate Fields

Field Description

Subject The name of the person, organization, computer, or program to which the certificate has been issued. This is the true party.

Public KeyThe public key of the subject—the public key of the true party.

Public KeyAlgorithm

The algorithm the subject uses to sign messages with digital signatures.


Authentication: X.509 Digital Authentication: X.509 Digital Certificate FieldsCertificate Fields

Field Description

ValidPeriod

The period before which and after which the certificate should not be used.Note: Certificate may be revoked before the end of this period.

DigitalSignature

The digital signature of the certificate, signed by the CA with the CA’s own private key.Provides authentication and certificate integrity.User must know the CA’s public key independently.


Digital Signature and Digital Digital Signature and Digital Certificate in AuthenticationCertificate in Authentication

Digital Certificate

Authentication

Public Key ofTrue Party

Signature to BeTested with

Public Key ofTrue Party

Digital Signature


Public Key Infrastructure (PKI) with a Public Key Infrastructure (PKI) with a Certificate Authority (CA)Certificate Authority (CA)

Create &Distribute

(1) Private Keyand

(2) Digital Certificate

4.Certificate

for Lee

3.Request Certificate

for Lee

5.Certificate

for Lee

6. Request CertificateRevocation List (CRL)

7. Copy of CRL

Verifier(Brown)

Applicant (Lee)

Verifier(Cheng)

CertificateAuthority

PKI Server


Certificate Authority (CA)Certificate Authority (CA)

CAs are not regulated in any country CAs are not regulated in any country todaytoday•Anyone can be a CAAnyone can be a CA• Even an organized crime syndicateEven an organized crime syndicate•Some, such as VeriSign, are widely trustedSome, such as VeriSign, are widely trusted

Companies can be their own CAsCompanies can be their own CAs•Assign keys and certificates to their internal Assign keys and certificates to their internal

computerscomputers• This gets around the need to trust public CAsThis gets around the need to trust public CAs


Public Key Distribution for Symmetric Public Key Distribution for Symmetric Session KeysSession Keys

Party A Party B

2. EncryptSession Key with

Party B’s Public Key

4. DecryptSession Key with

Party B’s Private Key

3. Send the SymmetricSession Key Encrypted

for Confidentiality

5. Subsequent Encryption withSymmetric Session Key


SummarySummary
