Conclusion 1
Conclusion

Course Summary
- Crypto
  o Basics, symmetric key, public key, hash functions and other topics, cryptanalysis
- Access Control
  o Authentication, authorization, firewalls, IDS
- Protocols
  o Simplified authentication protocols
  o Real-world protocols
- Software
  o Flaws, malware, SRE, development, trusted OS

Crypto Basics
- Terminology
- Classic ciphers
  o Simple substitution
  o Double transposition
  o Codebook
  o One-time pad
- Basic cryptanalysis

Symmetric Key
- Stream ciphers
  o A5/1
  o RC4
- Block ciphers
  o DES
  o AES, TEA, etc.
  o Modes of operation
- Data integrity (MAC)

Public Key
- Knapsack (insecure)
- RSA
- Diffie-Hellman
- Elliptic curve crypto (ECC)
- Digital signatures and non-repudiation
- PKI

Hashing and Other
- Birthday problem
- Tiger Hash
- HMAC
- Clever uses (online bids, spam reduction, …)
- Other topics
  o Secret sharing
  o Random numbers
  o Information hiding (stego, watermarking)

Advanced Cryptanalysis
- Enigma
- RC4 (as used in WEP)
- Linear and differential cryptanalysis
- Knapsack attack (lattice reduction)
- RSA timing attacks

Authentication
- Passwords
  o Verification and storage (salt, etc.)
  o Cracking (math)
- Biometrics
  o Fingerprint, hand geometry, iris scan, etc.
  o Error rates
- Two-factor, single sign-on, Web cookies

Authorization
- History/system certification
- ACLs and capabilities
- Multilevel security (MLS)
  o BLP, Biba, compartments, covert channel, inference control
- CAPTCHA
- Firewalls
- IDS

Simple Protocols
- Authentication
  o Using symmetric key
  o Using public key
  o Session key
  o Perfect forward secrecy (PFS)
  o Timestamps
- Zero knowledge proof (Fiat-Shamir)

Real-World Protocols
- SSH
- SSL
- IPSec
  o IKE
  o ESP/AH, tunnel/transport modes, …
- Kerberos
- Wireless: WEP & GSM

Software Flaws and Malware
- Flaws
  o Buffer overflow
  o Incomplete mediation, race condition, etc.
- Malware
  o Brain, Morris Worm, Code Red, Slammer
  o Malware detection
  o Future of malware, botnets, etc.
- Other software-based attacks
  o Salami, linearization, etc.

Insecurity in Software
- Software reverse engineering (SRE)
  o Software protection
- Digital rights management (DRM)
- Software development
  o Open vs. closed source
  o Finding flaws (do the math)

Operating Systems
- OS security functions
  o Separation
  o Memory protection, access control
- Trusted OS
  o MAC, DAC, trusted path, TCB, etc.
- NGSCB
  o Technical issues
  o Criticisms

Crystal Ball
- Cryptography
  o Well-established field
  o Don’t expect major changes
  o But some systems will be broken
  o ECC is a major “growth” area
  o Quantum crypto may prove worthwhile…
  o …but for now it’s mostly (all?) hype

Crystal Ball
- Authentication
  o Passwords will continue to be a problem
  o Biometrics should become more widely used
  o Smartcards/tokens will be used more
- Authorization
  o ACLs, etc., are well-established areas
  o CAPTCHAs are an interesting new topic
  o IDS is a very hot topic

Crystal Ball
- Protocols are challenging
- Difficult to get protocols right
- Protocol development is often haphazard
  o “Kerckhoffs’ Principle” for protocols?
  o Would it help?
- Protocols will continue to be a source of subtle problems

Crystal Ball
- Software is a huge security problem today
  o Buffer overflows are on the decline…
  o …but race condition attacks might increase
- Virus writers are getting smarter
  o Botnets
  o Polymorphic, metamorphic, sophisticated attacks, …
  o Future of malware detection?
- Malware will continue to be a BIG problem

Crystal Ball
- Other software issues
  o Reverse engineering will not go away
  o Secure development will remain hard
  o Open source is not a panacea
- OS issues
  o NGSCB (or similar) might change things…
  o …but, for better or for worse?

The Bottom Line
- Security knowledge is needed today…
- …and it will be needed in the future
- Necessary to understand technical issues
  o The focus of this class
- But technical knowledge is not enough
  o Human nature, legal issues, business issues, …
  o As with anything, experience is helpful

A True Story
- The names have been changed…
- “Bob” took my information security class
- Bob then got an intern position
  o At a major company that does lots of security
- In one meeting, an important customer asked
  o “Why do we need signed certificates?”
  o “After all, they cost money!”
- The silence was deafening

A True Story
- Bob’s boss remembered that Bob had taken a security class
  o So he asked Bob, the lowly intern, to answer
  o Bob mentioned the man-in-the-middle attack on SSL
- The customer wanted to hear more
  o So, Bob explained the MiM attack in some detail
- The next day, “Bob the lowly intern” became “Bob the full-time employee”