@Yuan Xue CS 285 Network Security Fall 2012 Yuan Xue

@Yuan Xue Outline Security Overview Cryptography Symmetric cipher

@Yuan Xue Security Overview – Quick Review Requirements -Security Triad Confidentiality Integrity Availability

@Yuan Xue Where the problem comes from? - Security Vulnerability, Threat and Attack Vulnerability: an aspect of the system that permits attackers to mount a successful attack, sometimes also called a “security hole”. Weakness: a potential vulnerability, whose risk is not clear. Sometimes several weaknesses might combine to yield a full-fledged vulnerability. Threat: a circumstance or scenario with the potential to exploit a vulnerability, and cause harm to a system. Attack: A deliberate attempt to breach system security. Note that not all attacks are successful. An attack usually refers to a specific action. A threat refers to a broader class of ways that things could go wrong. Attacks are usually classified into two types:  Passive attack refers to attack that does not result in a change to the system, and attempts to break the system solely based upon observed data.  Active attack, on the other hand, involves modifying, replaying, inserting, deleting, or blocking data.

@Yuan Xue Network Threats Attacks against confidentiality eavesdropping traffic flow analysis

@Yuan Xue Network Threats Attacks against integrity

@Yuan Xue Network Threats Attacks against availability Denial of service

@Yuan Xue What are the solutions - Security Mechanisms Network Security Cryptographic Approach  Encryption  Data integrity protection & Digital Signature  Authentication Network Approach  Traffic control System Approach  Intrusion detection systems  Firewall System Security Authentication Access Control (Authorization) Multi-level Security Program Security Programming frameworks Strong typing system

@Yuan Xue An Example Two models to protect files on your disk Encryption Access control

@Yuan Xue OSI Security Architecture X.800 “Security Architecture for OSI” Defines a systematic way of defining and providing security requirements Provides a useful abstract overview of the security concepts Security Attacks Security Mechanisms Security Services

@Yuan Xue Security Mechanism and Service Security Mechanism a mechanism that is designed to detect, prevent, or recover from a security attack. More than a particular algorithm or protocol Specific mechanism Encryption Integrity protection Digital signature Notarization Authentication exchange Access control Traffic padding Routing control Pervasive mechanism: trusted functionality, security labels, event detection, security audit trails, security recovery Security Service (X.800) A service that is provided by a protocol layer that ensures adequate security of the systems or data transfers. Authentication Access Control Data Confidentiality Connection/connectionless/s elective field/traffic flow Data Integrity  Connection/connectionless/s elective field/with or without recovery Non-Repudiation Source/destination Implementation/ Placement Physical/logical

@Yuan Xue Relationship Between Security Service and Security Mechanisms

@Yuan Xue Challenges of Computer Security Requirements are straightforward Mechanisms used to meet these requirements can be quite complex Principle of Easiest Penetration An intruder are expected to use any available means of penetration. Computer security specialists must consider all possible means of penetration. Integration of security design with system design Tension between usability/utility and security/privacy

@Yuan Xue Why many solutions fail? Protect wrong things Protect right things in the wrong way

@Yuan Xue Issues that will be addressed in this class

@Yuan Xue Network Security Issues From a Computer to Internet Single computer Networking environment  Secure communication in a public environment  Computer system security with remote access Internet Link IP TCP/UDP Application Link IP TCP/UDP Application Link IP Link IP Network Security

@Yuan Xue Multi/Demultiplex port CW port Congestion window port Congestion window port SSL_CTX SSL SSL_SESSION HTTP Application Transport Network Link Fragment/Reassemble Forward Routing IP Address Routing table Forwarding table WPA/WPA2 with SMTP PGP FTP User ID/ /Key ID UDPTCP SSL HTTPS CW port Stream Frame Packet payloadTCP hdr payload SSL hdr payloadSSL hdr payloadIPSecSSLIP IPSec SADB TCP payloadIPSecSSLIPTCP (Transport mode) MAC

@Yuan Xue Web Security In A Picture Web Server TCP SSL HTTPS Server side script database Web Browser TCP SSL Client side script HTTP certificate SSL Authentication via X.509 certificate HTTP Authentication User+Password In HTML FORM Password file

@Yuan Xue How to study network security? Learning methodology examine all possible vulnerabilities of the system consider available countermeasures.

@Yuan Xue Readings Required Reading [WS] Chapter 1 Additional Reading [MB]