Computer Security CS 426 Lecture 29 - PowerPoint PPT Presentation
Description: Computer Security, CS 426, Fall 2006, Lecture 29: review of the second half of the course. Consult HWs, quizzes, mid-term, slides.
Provided by: NINGH7
1
Computer Security CS 426 Lecture 29
  • Review of Second Half of the Course
  • Exam covers whole course
  • Consult HWs, quizzes, mid-term, slides

2
Cryptography (1)
  • Goal of secure communication
    • privacy (secrecy, confidentiality)
    • authenticity, integrity
  • Terminology
    • steganography, cryptography, plaintexts, ciphertexts
  • Adversarial models
    • ciphertext-only, known-plaintext, chosen-plaintext, chosen-ciphertext
  • Classical ciphers
    • shift, substitution (frequency analysis), Vigenère
  • One-time pad, perfect secrecy

3
Cryptography (2)
  • Stream ciphers, PRNG, weaknesses (avoid the two-time pad)
  • Block ciphers (DES, AES, parameters, brute-force attacks)
  • Encryption modes: ECB, CBC
  • Public-key cryptography
    • public-key encryption (RSA, how it works, …)
  • Cryptographic hash functions
    • three security properties, birthday attack
    • well-known algorithms (parameters, current attacks)

4
Cryptography (3)
  • Message Authentication Code
  • Digital Signature
  • Public-key certificates, CA, root CA, trust
  • Entity authentication
    • password, one-time password, challenge-response
  • Key agreement
    • Diffie-Hellman
  • (Incorrect) usage: web authentication, WEP
  • SSL/TLS (What crypto tools are used?)

5
Intrusion Detection Systems
  • Classification
    • host-based vs. network-based
    • signature-based vs. anomaly-based (pros and cons)
  • False positives / false negatives
  • Host-based IDS: data source, limitations
  • Network-based IDS: data source, limitations

6
Basic Network Security Problems
  • Network packets pass by untrusted hosts
    • Eavesdropping, packet sniffing (e.g., ngrep)
  • IP addresses are public
    • Smurf
  • TCP connection requires state
    • SYN flooding attack
  • TCP state can be easy to guess
    • TCP spoofing attack

7
Inherent DNS Vulnerabilities
  • Users/hosts typically trust the host-address mapping provided by DNS
  • Attacks
    • Cache poisoning
    • Attacking reverse DNS

8
Firewalls
  • Stateless
  • Stateful
  • Proxy
  • Personal

9
Browser Security Issues
  • Bugs in the browser
  • Protecting the browser environment from active content (mobile code), e.g., Java applets, ActiveX controls, browser helpers, JavaScript
    • Sandbox
    • Signed scripts
    • Isolation, same-origin policy
  • Privacy issues
    • Cookies
  • Phishing

10
Common vulnerabilities
  • Inadequate validation of user input
    • Cross-site scripting
    • SQL injection
    • HTTP response splitting
  • Broken session management
    • Can lead to session hijacking and data theft
  • Insecure storage
    • Sensitive data stored in the clear

11
Database Access Control
  • grant/revoke
  • views
  • stored procedures (invoker's rights / definer's rights)

12
Coming Attractions
  • December 15
  • Final Exam