hello world

1
Security
2
SECURITY

• Fundamental Requirements
• Privacy
• Integrity
• Authentication
• Non-repudiation
• Availability

3
SECURITY

• Privacy issue
• How do you ensure that that the information you
  transmit over the Internet has not been captured
  or passed on to a third party without your
  knowledge.
• Integrity Issue
• How do you ensure the information you send or
  receive has not been compromised or altered

4
SECURITY

• Authentication issue
• How do sender and receiver of a message prove
  their identities to each other
• Non-Repudiation Issue
• How do you legally prove that a message was sent
  or received
• Availability Issue
• How do we ensure that the network and the
  computer system it connects will stay in
  operation continuously

5
Cryptography

• Cryptography transforms data using a key (a
  string of digits that acts as a password) to make
  the data incomprehensible to all but the sender
  and the intended receiver
• Plaintext unencrypted data
• Ciphertext encrypted data
• Cipher/Cryptosystem technique/algorithm for
  encrypting messages
• Simple examples of cryptosystem
• Substitution
• Transposition

6
Secret key (Symmetric) Cryptography

• uses same (symmetric) keys to encrypt/decrypt a
  message
• fundamental problem before two people can
  communicate, they must first find a way to
  exchange the symmetric key securely
• Point-to-point key exchange
• Centralized Key distribution center generates a
  session key
• DES algorithms developed by NSA and IBM in the
  1950s

7
Public Key (Asymmetric) Cryptography

• developed by Diffie Hellman (Stanford Univ)
  1976
• Two inversely related keys are used
• Public key freely distributed
• Private key kept secret by its owner
• Either the public key or the private key can be
  used to encrypt or decrypt a message
• If the public key is used to encrypt a message,
  only the corresponding private key can decrypt it
• Vice versa if the private key is used to encrypt
  a message, only the corresponding public key can
  decrypt it (this can be used to authenticate the
  sender of the message)

8
Public Key (Asymmetric) Cryptography

• The defining property of a secure public key is
  that it is computationally infeasible to deduce
  the private key from the public key
• Public key algorithms require large amounts of
  computer power
• Symmetric systems are faster
• RSA most commonly used public key algorithm
  (developed by Rivest, Shamir, Adleman, MIT
  Professors, in 1977)

9
Key Agreement Protocols

• Public key algorithms can be used to allow two
  parties to agree upon a key to be used as secret
  key to be used for symmetric key encryption over
  insecure medium
• Digital Envelope
• message is encrypted using a symmetric key
• Symmetric key is encrypted using public key
• Attach encrypted symmetric key to encrypted
  message and send the entire package
• To decrypt receiver first decrypts the symmetric
  key using the receivers private key. Then the
  symmetric key is used to decrypt actual message

10
SECURITY-Hash Function

• Also known as message digest
• Mathematical function that gives message a hash
  value
• The chance that two different messages will have
  the same message digest is statistically
  insignificant
• Collision occurs when multiple messages have the
  same hash value
• It is computationally infeasible to compute a
  message from its hash value or to find two
  messages with the same hash value
• Example MD5

11
SECURITY- Digital signatures

• Solve problems of integrity and authentication
• Like a written signature, authenticates senders
  identity
• To create a digital signature
• Run original plaintext message through hash
  (message digest)
• Encrypt message digest using senders private key
  (creates a digital signature and authenticates
  the sender)
• Encrypt original message with receivers public
  key
• Send (encrypted messagedigital signaturehash
  function) to the receiver

12
SECURITY Digital Signatures

• Receiver
• Receives the package
• Uses senders public key to decipher the digital
  signature and reveal the message digest
• Uses receivers own private key to decipher the
  original message
• Applies the hash function to the original message
• Compare the deciphered message digest to the
  result of hash function

13
SECURITY Digital Signatures

• Digital signatures do not provide the proof that
  a message has been sent
• A time-stamping agency (third party) can help to
  solve the non-repudiation problem by digitally
  signing the time-stamp
• US government recently passed digital-signature
  legislation that makes digital signatures as
  legally binding as hand-written signatures

14
Public Key Infrastructure (PKI)

• How does a customer know that the web site it is
  accessing belongs to a trustworthy merchant and
  not to a third party site that is acting as
  merchant to steal credit-card information
• PKI integrates public-key cryptography with
  digital certificates and certification
  authorities (CA) to authenticate parties in a
  transaction
• Digital Certificate is a digital document issued
  by a CA and includes
• name of the subject (being certified)
• Subjects public key
• Expiration date
• plus other relevant information
• CA is a financial institution or other trusted
  third party such as VeriSign or Thawte

15
CA

• CA takes the responsibility for authentication,
  it checks the validity of information before
  issuing a digital certificate
• Digital certificates are publicly available in
  CA certificate repositories
• CA signes the certificate by encrypting either
  the public key or a hash value of the public key
  using the CAs own private key
• CA has to verify every individuals public key.
  Thus users must trust the public key of a CA.
• A certificate authority is a chain of
  certificates starting with the root certification
  authority IPRA (Internet Policy Registration
  Authority)
• Root only signs certificates for policy creation
  authorities (organizations that set policies for
  obtaining digital certificates)
• Policy creation authorities sign digital
  certificates for Cas
• CA s sign digital certificates for individuals,
  organizations

16
SECURE SOCKETS LAYER (SSL)

• SSL protocol developed by Netscape
• Built into web browsers and numerous other
  products
• When you use the Internet, the connection between
  you and any other point can be routed through
  dozens of independent systems (unauthorized
  people can steal confidential information, credit
  card numbers etc by eavesdropping)
• SSL protocol was developed to transfer
  information privately and securely across the
  Internet
• SSL is the de facto standard for encrypted and
  authenticated communications between clients and
  servers on the Internet
• Virtually all online purchases and monetary
  tansactions on the Internet are secured by SSL
• URL starts with https

17
SSL

• SSL usage is not just limited to securing
  e-commerce transactions other SSL usage
  examples
• financial institutions, insurance companies, B2B,
  private organizations
• SSL ensures that connection is private and
  secure by providing authentication and encryption
• Authentication confirms the server and
  optionally the client are who they say they are
• Encryption creates a secure tunnel between the
  client and the server which prevents any
  unauthorized system from reading the data
• SSL-enabled clients Netscape, MS Internet
  Explorer
• SSL-enabled servers Apache or MS IIS
• Clients and Servers confirm each others
  identities using digital certificates which are
  issued by CA.

18
SSL

• SSL is comprised of two protocols
• Handshake Protocol (key exchange)
• Record Protocol (bulk data transfer)

19
SSL- Handshake Protocol

• Authenticates the server to the client
  (optionally the client to the server) using
  public-key encryption (asymmetric) techniques
• Allows client and server to negotiate the cipher
  suite to be used
• Allows the client and the server to generate
  symmetric session keys
• Establishes the encrypted session
• Once key exchange is complete, client and server
  use symmetric session keys to encrypt all
  communication between them (SSL Record Protocol)
• Symmetric encryption algorithm such as DES or RC4
  is used.

20
SSL Negotiation Steps

1. Initially request for SSL session comes from the
   browser to the web server
2. Web server sends the browser its digital
   certificate (contains info about the server and
   servers public key)
3. Browser verifies that certificate is valid and
   that a CA listed in the clients list of trusted
   CAs issued it. Browser also checks expiration
   date and web server domain name
4. Once browser has determined that the server
   certificate is valid, browser generates a 48-byte
   master secret. This master secret is encrypted
   using servers public key and is then sent to the
   Web server
5. Web server receives the encrypted master secret
   from the browser and decrypts it using the
   servers private key
6. Both web server and the browser have the same
   secret key
7. Communicate securely by encrypting data using
   symmetric technique

21
SSL Negotiation Steps
SSL Negotiation Steps
22

• SSL sits on top of TCP at the transport layer
• SSL operates independently and transparently of
  other protocols so it will work with any
  application layer and transport layer protocol
• This allows clients servers to establish secure
  SSL connections w/o requiring knowledge of other
  partys code

23
Secure Electronic Transaction (SET)

• developed by Visa and Mastercard
• Uses digital certificates to authenticate each
  party in an e-commerce transaction, including the
  customer, the merchant, and the merchants bank
• Public-key cryptography is used to secure
  information as it is passed over the web
• Merchants must have digital certificate and
  special SET software to process transactions
• Customers must have digital certificate and
  digital wallet software
• Digital wallet is similar to a real wallet it
  stores credit card information as well as digital
  certificate verifying cardholders identity
• Clients credit card number is not stored on the
  merchants server

24
SET

• When a customer is ready to place an order
• Merchants SET software sends the order
  information and the merchants digital
  certificate to the customers digital wallet
• Customer selects credit card to be used for the
  transaction
• Credit card and order information is encrypted by
  using the merchants bank public key and sent to
  the merchant along with the customers digital
  certificate
• Merchant then forwards the information to the
  merchants bank to process the payment
• Only merchants bank can decrypt the message
  since the message was encrypted using banks
  public key

25
SET
6. The merchants bank then sends the amount of
purchase and its own digital certificate to the
customers bank to get approval to process the
transaction 7. If the customers charge is
approved, customers bank sends an authorization
back to the merchants bank. 8. Merchants bank
then sends a credit card authorization back to
the merchant 9. Finally merchant sends a
confirmation of order to the customer
26
Microsoft Authenticode

• How do you know software you ordered online is
  safe and has not been altered ?
• Do you trust the source of the software ?
• Microsoft authenticode combined with VeriSign
  digital certificates authenticates the publisher
  of the software
• Authenticode is a security feature built into
  Microsoft Internet Explorer

27
SECURITY ATTACKS

• Denial-of-service attack occurs when a networks
  resources are taken up by unauthorized
  individual, leaving the network unavailable for
  legitimate users
• Another type of attack modifies routing tables
  of a network, thus disabling network ability or
  funneling all data to one address in the network
• Distributed denial service attacks ( attack does
  not come from one single source, but rather from
  multiple sources

28
Denial of Service Attack

• A "denial-of-service" attack is characterized by
  an explicit attempt by attackers to prevent
  legitimate users of a service from using that
  service. Examples include
• - attempts to "flood" a network, thereby
  preventing legitimate network traffic
• - attempts to disrupt connections between two
  machines, thereby preventing access to a service
• - attempts to prevent a particular individual
  from accessing a service
• - attempts to disrupt service to a specific
  system or person
• Illegitimate use of resources may also result in
  denial of service. For example, an intruder may
  use your anonymous ftp area as a place to store
  illegal copies of commercial software, consuming
  disk space and generating network traffic

29
Modes of Attack

• Consumption of scarce, limited, or non-renewable
  resources
• - Network connectivity,
• - Using Your Own Resources Against You
• - Bandwidth Consumption
• - Consumption of Other Resources
• Destruction or alteration of configuration
  information
• Physical destruction or alteration of network
  components

30
Network Connectivity

• half open connection (client does not send ACK)

Client
Server SYN--------------------gt
lt--------------------SYN-ACK
ACK--------------------gt -- Client and server
can now send service-specific data --
31
Using Your Own Resources Against You

• The intruder uses forged UDP packets to connect
  the echo service on one machine to another
  machine
• The result is that the two services consume all
  available network bandwidth between them
• Thus, the network connectivity for all machines
  on the same networks as either of the targeted
  machines may be affected.

32
Bandwidth Consumption

• An intruder may also be able to consume all the
  available bandwidth on your network by generating
  a large number of packets directed to your
  network.
• Typically, these packets are ICMP ECHO packets,
  but in principle they may be anything.
• Further, the intruder need not be operating from
  a single machine he may be able to coordinate or
  co-opt several machines on different networks to
  achieve the same effect.

33
Network Security

• Firewalls protect local area network from
  intruders outside the network (packet filters)
• Kerberos (internal authentication) employs
  symmetric secret-key cryptography to authenticate
  users in a network and to maintain integrity and
  privacy of network communications

34
Further Reading
http//www.cert.org/tech_tips/denial_of_service.ht
ml
35
Databases
36
NEO4J (Graphbase)

• A graph is a collection nodes (things) and edges
  (relationships) that connect
• pairs of nodes.
• Attach properties (key-value pairs) on nodes and
  relationships
• Relationships connect two nodes and both nodes
  and relationships can hold an
• arbitrary amount of key-value pairs.
• A graph database can be thought of as a
  key-value store, with full support for
• relationships.
• http//neo4j.org/

37
NEO4J
38
NEO4J
39
NEO4J
40
NEO4J
41
NEO4J
42
NEO4J
Properties
43
NEO4J Features

• Dual license open source and commercial
• Well suited for many web use cases such as
  tagging, metadata annotations,
• social networks, wikis and other network-shaped
  or hierarchical data sets
• Intuitive graph-oriented model for data
  representation. Instead of static and
• rigid tables, rows and columns, you work with a
  flexible graph network
• consisting of nodes, relationships and
  properties.
• Neo4j offers performance improvements on the
  order of 1000x
• or more compared to relational DBs.
• A disk-based, native storage manager completely
  optimized for storing
• graph structures for maximum performance and
  scalability
• Massive scalability. Neo4j can handle graphs of
  several billion
• nodes/relationships/properties on a single
  machine and can be sharded to
• scale out across multiple machines
• Fully transactional like a real database
• Neo4j traverses depths of 1000 levels and beyond
  at millisecond speed.
• (many orders of magnitude faster than
  relational systems)

44
Transactions
1. Debit 100 TL to Groceries Expense Account 2.
Credit 100 to Checking Account
UPDATE account1 SET balancebalance-500 UPDATE
account1 SET balancebalance500

• A transaction is simply a number of individual
  queries that are grouped
• together.
• Transactions provide an "all-or-nothing"
  proposition, stating that each
• work-unit performed in a database must either
  complete in its entirety
• or have no effect whatsoever.

45
Transactions

• four conditions (ACID) to which transactions need
  to adhere
• Atomicity The queries that make up the
  transaction must either all be carried out, or
  none at all should be carried out
• Consistency Refers to the rules of the data.
  During the transaction, rules may be broken, but
  this state of affairs should never be visible
  from outside of the transaction.
• Isolation Simply put, data being used for one
  transaction cannot be used by another transaction
  until the first transaction is complete.
• Connection 1 SELECT balance FROM
  account1
• Connection 2 SELECT balance FROM account1
• Connection 1 UPDATE account1 SET balance
  900100
• Connection 2 UPDATE account1 SET balance
  900-100
• 4. Durability Once a transaction has completed,
  its effects should remain, and not be reversible.