Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCI-351 Data communication and Networks

Published byJesko Hertz Modified over 5 years ago

Similar presentations

Presentation on theme: "CSCI-351 Data communication and Networks"— Presentation transcript:

1 CSCI-351 Data communication and Networks
Lecture 15: Security Basics Something that you do not want to memorize The slide is built with the help of Prof. Alan Mislove, Christo Wilson, and David Choffnes's class

2 Outline Principles Basics Vulnerabilities
Ask for definitions of security

3 3 principles of information security
CIA Triangles: Confidentiality Integrity Availability

4 Confidentiality "Hey, we're attacking at dawn!"
Data must only be released to authorized principals Cryptography has historically focused on providing confidentiality But, there are other mechanisms Can have a temporal aspect

5 Integrity "Retreat at dawn."
Data must not be modified (in an undetectable manner) What constitutes a modification? Corruption Dropped, replayed, or reordered messages Cryptography has also historically provided this e.g, (cryptographic) hash functions, HMAC

6 Availability “Xfk3^#M3mf a __ q3rf” – jamming results in garbled message Data and resources must be accessible when required Related to integrity, but more concerned with denial of service (DoS) attacks Resource exhaustion (e.g., CPU, memory, network bandwidth) Usually easy to perform, can be difficult to defend

7 Authenticity Enemy commander: "Attack at dawn."
Establishment of identity Or, verification of "genuineness" Again, cryptography has long considered this e.g., HMAC, signatures

8 Non-repudiation "I never said to attack at dawn!"
Data must be bound to identity Prevents denial of message transmission or receipt Cryptographic techniques e.g., HMAC, certificates

9 Access Control Policy specifying how entities can interact with resources i.e., Who can access what? Requires authentication and authorization

10 Authentication Verification of identity claim made by a subject on behalf of a principal Involves examination of factors, or credentials Something you have – e.g., a badge Something you know – e.g., a password Something you are – e.g., your fingerprint Desirable properties include being unforgeable, unguessable, and revocable

11 Outline Principals Basics Vulnerabilities
Ask for definitions of security

12 Security Principles We've seen some basic properties, policies, mechanisms, models, and approaches to security But, designing secure systems (and breaking them) remains an art Security principles help bridge the gap between art and science Let's look at a few

13 Separation of Privilege
Privilege, or authority, should only be distributed to subjects that require it Some components of a system should be less privileged than others Not every subject needs the ability to do everything Not every subject is deserving of full trust Contrast with "ambient authority"

14 Least Privilege Subjects should possess only that authority that is required to operate successfully Closely related to separation of privilege Not only should privilege be separated, but subjects should have the least amount necessary to perform a task

15 Security vs. Usability Security often comes with a trade-off between the level of protection provided and ease-of-use Systems that try to provide very strong security guarantees tend to be unusable in practice Completely insecure systems are usually easy to use

16 Outline Principals Basics Vulnerabilities
Ask for definitions of security

17 Cryptographic Algorithms
Security foundation: cryptographic algorithms Secret key cryptography, e.g. Data Encryption Standard (DES) Public key cryptography, e.g. RSA algorithm Message digest, e.g. MD5

18 Symmetric Key Both the sender and the receiver use the same secret keys Plaintext Plaintext Internet Encrypt with secret key Decrypt with secret key Ciphertext

19 Public-Key Cryptography: RSA
Sender uses a public key Advertised to everyone Receiver uses a private key See RSA if you’re interested in Plaintext Plaintext Internet Encrypt with public key Decrypt with private key Ciphertext

20 Hash Time complexity Obtaining a hash value is O(1)
Conjecturing keys from the hash is…. In case of sha256, it takes 10**57 minutes (theoretically)

21 Message Digest (MD) MD5/SHA1
Can provide data integrity Used to verify the authenticity of a message Idea: compute a hash value on the message and send it along with the message Receiver can apply the same hash function on the message and see whether the result coincides with the received hash Very hard to forge a message that produces the same hash value i.e. Message -> hash is easy Hash -> Message is hard Compare to other error detection methods (CRC, parity, etc)

22 MD 5 (cont’d) Basic property: digest operation very hard to invert
Send the digest via a different channel corrupted msg Plaintext Plaintext NO = digest’ Internet Digest (MD5) Digest (MD5) digest

23 Outline Principals Basics An example of Vulnerabilities
Ask for definitions of security

24 Heartbleed Serious vulnerability discovered in OpenSSL in April 2014
Involves a bug in the TLS heartbeat extension Allows adversaries to read memory of vulnerable services i.e., buffer over-read vulnerability Discloses addresses, sensitive data, potentially TLS secret keys Major impact OpenSSL is the de facto standard implementation of TLS, so used everywhere Many exposed services, often on difficult-to-patch devices Trivial to exploit We'll see why memory disclosure (even without disclosing TLS keys) is such a problem when we talk about memory corruption vulnerabilities

25 Heartbleed

26 Heartbleed Fundamental problem is that server trusts and does not verify the length value Stupid mistake

27

28 Firewall Security device whose goal is to prevent computers from outside to gain control to inside machines Hardware or software Attacker Firewall Internet

29 Firewall (cont’d) Restrict traffic between Internet and devices (machines) behind it based on Source address and port number Payload Stateful analysis of data Examples of rules Block any external packets not for port 80 Block any with an attachment Block any external packets with an internal IP address Ingress filtering

30 Firewalls: Properties
Easier to deploy firewall than secure all internal hosts Doesn’t prevent user exploitation Tradeoff between availability of services (firewall passes more ports on more machines) and security If firewall is too restrictive, users will find way around it, thus compromising security E.g., have all services use port 80 Can’t prevent problem from spreading from within

Download ppt "CSCI-351 Data communication and Networks"

Similar presentations

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
L0. Introduction Rocky K. C. Chang, January 2013.

L0. Introduction Rocky K. C. Chang, January 2013.
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.

1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
8.1 Learning Objectives To become familiar with the range of security threats faced by networked and distributed systems (DSs); To examine various cryptographic.

8.1 Learning Objectives To become familiar with the range of security threats faced by networked and distributed systems (DSs); To examine various cryptographic.
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.

Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
Chapter 37 Network Security. Aspects of Security data integrity – data received should be same as data sent data availability – data should be accessible.

Chapter 37 Network Security. Aspects of Security data integrity – data received should be same as data sent data availability – data should be accessible.
Cryptography, Authentication and Digital Signatures

Cryptography, Authentication and Digital Signatures
© Oxford University Press 2011 DISTRIBUTED COMPUTING Sunita Mahajan Sunita Mahajan, Principal, Institute of Computer Science, MET League of Colleges, Mumbai.

© Oxford University Press 2011 DISTRIBUTED COMPUTING Sunita Mahajan Sunita Mahajan, Principal, Institute of Computer Science, MET League of Colleges, Mumbai.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.

Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
Welcome to Introduction to Computer Security. Why Computer Security The past decade has seen an explosion in the concern for the security of information.

Welcome to Introduction to Computer Security. Why Computer Security The past decade has seen an explosion in the concern for the security of information.
Privacy versus Authentication Confidentiality (Privacy) –Interceptors cannot read messages Authentication: proving the sender’s identity –The Problem of.

Privacy versus Authentication Confidentiality (Privacy) –Interceptors cannot read messages Authentication: proving the sender’s identity –The Problem of.
Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.

Lecture 16: Security CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9.
Security Many secure IT systems are like a house with a locked front door but with a side window open -somebody.

Security Many secure IT systems are like a house with a locked front door but with a side window open -somebody.
Cryptography 1 Crypto Cryptography 2 Crypto  Cryptology  The art and science of making and breaking “secret codes”  Cryptography  making “secret.

Cryptography 1 Crypto Cryptography 2 Crypto  Cryptology  The art and science of making and breaking “secret codes”  Cryptography  making “secret.
IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.

IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.

Similar presentations

Ads by Google