Class on Security Raghu. Current state of Security Cracks appear all the time Band Aid solutions Applications are not designed properly OS designs are.

Slides:



Advertisements
Similar presentations
Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Advertisements

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
Digital Signatures and Hash Functions. Digital Signatures.
Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.
Security Through Encryption. Different ways to achieve security of communication data Keep things under lock and key – Physical Encryption Through password.
23 Oct PKI for the Mystified Introduction to Public Key Infrastructure and Cryptography Ivaylo Kostadinov.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Cryptography: Keeping Your Information Safe. Information Assurance/Information Systems –What do we do? Keep information Safe Keep computers Safe –What.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Computer and Network Security. Introduction Internet security –Consumers entering highly confidential information –Number of security attacks increasing.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.
03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.
Security Management.
Computer Science Public Key Management Lecture 5.
Strong Password Protocols
Cryptography 101 Frank Hecker
Csci5233 Computer Security1 Bishop: Chapter 10 Key Management: Digital Signature.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
1 Chapter 8 Securing Information Systems. Outline Security Threats (External: malware, spoofing/phishing, sniffing, & data theft: Internal: unauthorized.
Unit 19 INTERNET SECURITY
May 2002Patroklos Argyroudis1 A crash course in cryptography and network security Patroklos Argyroudis CITY Liberal Studies.
8-1Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity, authentication.
Security Keys, Signatures, Encryption. Slides by Jyrki Nummenmaa ‘
GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Thomas Jenkins.
Authentication and Authorization Authentication is the process of verifying a principal’s identity (but how to define “identity”?) –Who the person is –Or,
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
Types of Electronic Infection
Introduction1-1 Data Communications and Computer Networks Chapter 6 CS 3830 Lecture 31 Omar Meqdadi Department of Computer Science and Software Engineering.
23-1 Last time □ P2P □ Security ♦ Intro ♦ Principles of cryptography.
Internet Security. 2 PGP is a security technology which allows us to send that is authenticated and/or encrypted. Authentication confirms the identity.
1 Cryptography NOTES. 2 Secret Key Cryptography Single key used to encrypt and decrypt. Key must be known by both parties. Assuming we live in a hostile.
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
Network Security – Special Topic on Skype Security.
Upper OSI Layers Natawut Nupairoj, Ph.D. Department of Computer Engineering Chulalongkorn University.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 part 2: Message integrity.
Digital Signatures, Message Digest and Authentication Week-9.
1 Needham-Schroeder A --> S: A,B, N A S --> A: {N A,B,K AB,{K AB,A} KBS } KAS A --> B:{K AB,A} KBS B --> A:{N B } KAB A --> B:{N B -1} KAB.
1 Normal executable Infected executable Sequence of program instructions Entry Original program Entry Jump Replication and payload Viruses.
Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
SSL. Why Is Security Important ●Security is important on E-Commerce because it makes sure that your information gets from your computer to their server.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Network Security Continued. Digital Signature You want to sign a document. Three conditions. – 1. The receiver can verify the identity of the sender.
Public Key Encryption, Secure WWW Transactions & Digital Signatures.
© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.
9.2 SECURE CHANNELS JEJI RAMCHAND VEDULLAPALLI. Content Introduction Authentication Message Integrity and Confidentiality Secure Group Communications.
Information Systems Design and Development Security Precautions Computing Science.
Secure HTTP (HTTPS) Pat Morin COMP 2405.
Computer Communication & Networks
Secure Sockets Layer (SSL)
The Secure Sockets Layer (SSL) Protocol
Protocol ap1.0: Alice says “I am Alice”
Chapter 8 roadmap 8.1 What is network security?
Presentation transcript:

Class on Security Raghu

Current state of Security Cracks appear all the time Band Aid solutions Applications are not designed properly OS designs are not good Internet is a can of worms Hardware is secure Applications Operating System Hardware

Problems Badly designed Libraries Trojans exploit Buffer Overflow attack – read exploits on MDAC Most attacks originate on the Internet How? – Social Engineering Messenger Mail

Problems Continued Credit Card thefts are quite common Passwords are stolen Social Security is stolen Why? – Shared secret – Is shared secret really a secret? No

Solutions None! – Not really, none in the current set up So what can be done? – Some sort of overhaul is required – So what can we do to avoid shared secret?

The first step Public – Private Key encryption You encrypt/decrypt using one key, and the corresponding decryption/encryption happens through the other key. If encryption is done using public key, decryption is done using private key, and vice versa.

Public – private key contd Your public Key is known to everyone. Only you have the private key. All authentication based on challenge response Your private key is never exposed* * Standard terms and conditions apply

Example of a Secure System SSL – Secure Sockets Layer – Based on Public Private Key – Server’s Public key is stored at the client side – Data exchanged is encrypted with session key

SSL connection establishment Client hello Server hello Client sends session key, password Communication is encrypted using session key

SSL Can someone impersonate server? – As long as the client knows the public key of the server - NO

SSL continued SSL was designed even before the internet was up. SSL is well thought through. It is a nice example of public – private key scheme that works. Public – Private key systems should replace Shared Secret systems

Digital Certificates Alice goes and asks Bob for a certificate. Bob generates* a public – private key pair and gives it to Alice. Bob generates a document and places on it the following – Alice’s Name/Info – Alice’s public Key – Bob’s Info which can be the Certificate – Signature ALICE Pub Key of Alice Bob’s Info – [certificate] Signature * Is this Completely Correct?

Signature?? Bob takes Alice’s Public key and finds its Hash Then he encrypts the above value with his private key This is the signature Public Key K pub [A] Hashing Algorithm H(K pub [A]) RSA Encryptor Bob’s Private Key K priv [B] Priv [B]{H(Kpub[A])}

So what is a signature Your Identity The certificate proves that you are indeed who you claim you are. So can I get a certificate in the name Ronaldo Luiz Nazário de Lima – Yes – Then what is the point?

You are who you claim? I claim to be a person, say Ronaldo for instance. I produce a certificate saying the holder of this certificate is Ronaldo Now If I do have the private key corresponding to the public key on the certificate, then I am indeed the person who owns the certificate.

So where does that leave us Suppose Alice wants to talk to the server Bob How does Bob know if Alice is indeed Alice? Digital Certificates helps Bob identify Alice Suppose Bob trusts Trent Alice has a certificate signed by Trent, which says – this certificate belongs to Alice Bob Sees the certificate and agrees that Alice is indeed Alice. Can Mallory steal the certificate and pose as Alice to Bob?

Stolen Certificates? We show our digital certificate everywhere for authentication. So can someone who has seen the certificate not replicate it. – Sure, Yes. – So what good is a certificate

Challenge Response This problem is solved by challenge response. Mallory has Alice’s certificate – Does she become Alice Bob does a challenge response. – He sends a random number encrypted in the public key on the certificate. – If Mallory produces the random number from the encrypted value, great, impersonation achieved Otherwise she is not the holder of the certificate.

So where can certificates be used Authentication If I have a certificate from ASU, I can get authenticated using my certificate. – No ASU id required – No password required If I have a certificate from my bank, I can log on to the Bank’s website without a password. Moreover, If I have a certificate from the government, do I need to show my Social Security Number at every step?

Recap Shared Secrets are pretty much shared non secrets – Why? A password is entered on every computer that you have to log on. – My Social Security # is in a number of offices. Wherever I worked on campus Division of Graduate Studies Human Resources Financial Aid Services – Great, so how many people know my secret? I have lost count

Recap We saw two protocols that work Why do they work – They are NOT based on shared secrets – If we all shift to using the public private key system, my private key will never be revealed* *Blah, Blah Apply Will tell the reason in a few slides

Fixing Bad designs We saw how to fix the problem of authentication using Public Private Key systems We saw how to get rid of shared secrets What about credit cards? – That is another mess that can be cleaned

Fixing Credit Cards Bob – card Provider Alice – card holder Bob provides a credit card based on Public – private key Alice signs the hash of a bill using the private key Bob decrypts the sign using Alice’s public key

Small Terms and Conditions Private Key of a digital certificate is stored on a computer How secure is a computer – Not very secure What can a Virus do? – Delete files, format system…., No this is old hat – Steal your Private Key. Your certificate is as good as nothing – It can install a spurious certificate

Viruses How many trojans*/ viruses in the open – Probably thousands * NOT USC Trojans

How is a computer made secure Anti – Virus Firewall Anti Spyware …. So these software protect the Computer Now who protects these software?

Attacks on Anti viruses Anti virus is a process It can be easily identified It can be killed It can be patched on Examples – SpamThru Trojan – Beast – Win32.Glieder.AF

So what am I doing Trying to create an anti virus process that is undetectable A funky name coined for this project is – “The Undetectable Virus Detector” Steganography principles

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.