Security Services in Information Systems - PowerPoint PPT Presentation

About This Presentation
Title:

Security Services in Information Systems

Description:

Security Services in Information Systems Antecedents and Motivation What is this part of the course about? In this part of the course we will discuss the following ... – PowerPoint PPT presentation

Number of Views:186
Avg rating:3.0/5.0
Slides: 40
Provided by: anarodrig2
Category:

less

Transcript and Presenter's Notes

Title: Security Services in Information Systems


1
Security Services in Information Systems
2
Antecedents and Motivation
3
What is this part of the course about?
  • In this part of the course we will discuss the
    following topics
  • security needs
  • security services
  • security mechanisms and protocols
  • for data stored in computers and transmitted
    across computer networks

4
What we will/wont cover?
  • We will cover
  • security threats
  • security protocols in use with emphasis on
    Authentication
  • Certificates and PKI
  • Introduction to Wireless Security
  • We will not cover
  • cryptography (just an overview will be given)
  • computer networks
  • operating systems
  • computers in general
  • how to hack

5
What security is about in general?
  • Security is about protection of assets
  • D. Gollmann, Computer Security, Wiley
  • Prevention
  • take measures that prevent your assets from being
    damaged
  • Detection
  • take measures so that you can detect when, how,
    and by whom an asset has been damaged
  • Reaction
  • take measures so that you can recover your assets

6
Real world example
  • Prevention
  • locks at doors, window bars, secure the walls
    around the property, hire a guard
  • Detection
  • missing items, burglar alarms, closed circuit TV
  • Reaction
  • attack on burglar, call the police, replace
    stolen items, make an insurance claim

7
Services, Mechanisms, Attacks
  • 3 aspects of information security
  • security attacks (and threats)
  • actions that compromise security
  • security services
  • services counter to attacks
  • security mechanisms
  • used by services
  • E.g. secrecy is a service, encipherment is a
    mechanism

8
NETWORK SECURITY FUNDAMENTALS
  • Security Attacks and Security Services
  • A Model of Network Security
  • Access Policies

9
SECURITY ATTACKS SECURITY SERVICES
Security Threads
  • Unauthorised Access
  • Unauthorised Disclosure of Information
  • Unauthorised Modification of Information
  • Unauthorised Denial of Service

10
Attacker resources and methods vary greatly
Resource Teenager Academic Org. Crime Govt
Time Limited Moderate Large Large
Budget () lt1000 10K-100K 100K Unknown
Creativity Varies High Varies Varies
Detectability High High Low Low
Target Challenge Publicity Money Varies
Number Many Moderate Few Unknown
Organized No No Yes Yes
Spread info? Yes Yes Varies No
Source Cryptography Research, Inc. 1999, Crypto
Due Diligence
11
Minimal key lengths for symmetric ciphers
Source Blaze/Diffie/Rivest/Schneier/Shimoura/Thom
pson/Wiener www.bsa.org/policy/encryption
Type of attacker
Length needed for protection in late 1995
Budget
Tool
Time and cost per key recovered
40 bits
56 bits
Pedestrian Hacker SmallBusiness CorporateDepar
tment Big Company IntelligenceAgency
scavengedcomputer time FPGA FPGA FPGA ASIC FPGA
ASIC ASIC
infeasible 38 years(5,000)556
days(5,000)19 days(5,000)3 hours(38) 13
hours(5,000)6 min(38)12 sec(38)
tiny 400 10.000 300K 10M 300M
45 5055607075
1 week5 hours(0.08)12 min(0.08)24
sec(0.08)18 sec(0.001) 7 sec(0.08)0.005
sec(0.001)0.0002 sec(0.001)
12
SECURITY ATTACKS SECURITY SERVICES
Passive Attacks
13
SECURITY ATTACKS SECURITY SERVICES
Active Attacks
14
SECURITY ATTACKS SECURITY SERVICES
Attacks
Accidental
Intentional
Passive
Active
  • Release of Message content
  • Traffic Analysis
  • Data Mod.
  • Data Delay
  • Data Blocking
  • Data Copy
  • Data Replay
  • Data Destruction

15
Security Mechanisms
  • Basically cryptographic techniques/technologies
  • that serve to security services
  • to prevent/detect/recover attacks
  • Encipherment
  • use of mathematical algorithms to transform data
    into a form that is not readily intelligible
  • keys are involved

16
Security Mechanisms
  • Message Digest
  • similar to encipherment, but one-way (recovery
    not possible)
  • generally no keys are used
  • Digital Signatures
  • Data appended to, or a cryptographic
    transformation of, a data unit to prove the
    source and the integrity of the data
  • Authentication Exchange
  • ensure the identity of an entity by exchanging
    some information

17
Security Mechanisms
  • Notarization
  • use of a trusted third party to assure certain
    properties of a data exchange
  • Timestamping
  • inclusion of correct date and time within
    messages
  • Non-cryptographic mechanisms
  • traffic padding (for traffic analysis)
  • intrusion detection
  • firewalls

18
Security Services
  • Confidentiality - protect info value
  • Authentication - protect info origin (sender)
  • Identification - ensure identity of users
  • Integrity - protect info accuracy
  • Non-repudiation - protect from deniability
  • Access control - access to info/resources
  • Availability - ensure info delivery

19
Relationships
20
Two references
  • ITU-T X.800 Security Architecture for OSI
  • gives a systematic way of defining and providing
    security requirements
  • RFC 2828
  • over 200 pages glossary on Internet Security

21
Security Systems by layers
Applications Secure e-mail, Digital Money, Smart
Cards, Firewalls, etc.
Communication Protocols SSL, TLS, WTLS, WAP,
etc.
Security Services Confidentiality, Data
Integrity, Data Authentication, Non-Repudiation
Crypto User Functions Encrypt/Decrypt,
Sign/verify
Public Key Crypto Algorithms RSA, ECC Symmetric
Crypto Algorithms AES, DES, RC4, etc.
Computer Arithmetic Addition, Squaring,
multiplication, inversion and exponentiation
22
Fundamental Dilemma of Security
  • Security unaware users have specific security
    requirements but no security expertise.
  • from D. Gollmann
  • Solution level of security is given in
    predefined classes specified in some common
    criteria

23
Fundamental Tradeoff
  • Absolutely secure systems do no exist
  • To half your vulnerability you have to double
    your expenditure
  • Cryptography is typically bypassed not
    penetrated.

24
The Three Laws of Security
  • Security unaware users have specific security
    requirements but no security expertise.
  • from D. Gollmann
  • Solution level of security is given in
    predefined classes specified in some common
    criteria

25
Kerckhkoffss Principle While assessing the
strength of a cryptosystem, one should always
assume that the enemy knows the
cryptographic algorithm used. The security of
the system, therefore, should be based on the
quality (strength) of the algorithm but not its
obscurity the key space (or key length)
26
A Cryptosystem Classification
  • Public key cryptography (RSA, ECC, NTRU)
  • Secret key Cryptography (DES, AES, RC4)
  • Block ciphers (DES, IDEA, RSA) 64-128 bits
  • Stream ciphers (A5, RC4, SEAL) encryption in a
    bit to bit basis.

27
A Simplified Model of Conventional Encryption
28
Message Digest
  • A message digest, also known as a one-way hash
    function, is a fixed length computionally unique
    identifier corresponding to a set of data. That
    is, each unit of data (a file, a buffer, etc.)
    will map to a particular short block, called a
    message digest. It is not random digesting the
    same unit of data with the same digest algorithm
    will always produce the same short block.
  • A good message digest algorithm possesses the
    following qualities
  • The algorithm accepts any input data length.
  • The algorithm produces a fixed length output for
    any input data.
  • The digest does not reveal anything about the
    input that was used to generate it.
  • It is computationally infeasible to produce data
    that has a specific digest.
  • It is computationally infeasible to produce two
    different unit of data that produce the same
    digest.

29
Hash Algorithms
  • Reduce variable-length input to fixed-length (128
    or 160bit) output
  • Requirements
  • Can't deduce input from output
  • Can't generate a given output
  • Can't find two inputs which produce the same
    output

30
Hash Algorithms
  • Used to
  • Produce fixed-length fingerprint of
    arbitrary-length data
  • Produce data checksums to enable detection of
    modifications
  • Distill passwords down to fixed-length encryption
    keys
  • Also called message digests or fingerprints

31
Message Authentication Code MAC
  • Hash algorithm key to make hash value dependant
    on the key
  • Most common form is HMAC (hash MAC)
  • hash( key, hash( key, data ))
  • Key affects both start and end of hashing process
  • Naming hash key HMAC-hash
  • MD5 1 HMAC-MD5
  • SHA-1 1 HMAC-SHA (recommended)

32
An Example
33
Digital Signature/Verification Schemes
34
Digital Signature/Verification Schemes
35
Digital Signature/Verification Schemes
36
Seven-Layer OSI Model
37
SECURITY ATTACKS SECURITY SERVICES
OSI Security Services
  • Authentication
  • Access Control
  • Data Confidentiality
  • Traffic Flow Confidentiality
  • Data Integrity
  • Non-Repudiation of both Origin and Delivery of
    Data

38
SECURITY ATTACKS SECURITY SERVICES
OSI Security Mechanisms
  • Encipherment
  • Digital Signatures
  • Access Control Mechanisms
  • Data Integrity Mechanisms
  • Authentication Exchange Mechanisms
  • Traffic Padding Mechanisms
  • Notarisation Mechanisms
  • Routing Control Mechanisms

39
Inter-network Protocol (IP)
Write a Comment
User Comments (0)
About PowerShow.com