Basic Security Issues. Saad Haj Bakry, PhD, CEng, FIEE


1 Basic Security Issues: Saad Haj Bakry, PhD, CEng, FIEE

2 Cost Issues
Issue | Fact
Virus Damage | The damage of the “I Love You” virus (May 2000) was estimated to be “$ 10-15 billion”, with the majority of the damage done in the first few hours. (The virus destroyed files and sent itself to others through the MS Outlook Address Book.)
Spending on Data Security | Estimated by “IDC” (International Data Corporation): “$ 6.2 billion” (1999) / “$ 14.8 billion” (2003)
Building a “Digital Certificate Infrastructure” | Estimated by “Identrus” (Consortium of Global Financial Companies) for financial organizations to provide trusted B-to-B e-Commerce: “$ 5 – 10 million”

3 Secure Transactions Requirements
Issue | Fact
Privacy | No Disclosure
Integrity | No Alteration
Authentication | Proof of Identity: Sender to Receiver / Receiver to Sender
Non-Repudiation | Legal Proof of Transaction: Message is Sent or Received
Availability | System in Operation
“S-Business” | Outcome: “Secure Business”

4 Basic Data Security Terms
Term | Definition
Plaintext | Source text / Unencrypted data
Cryptography | Transforming “plaintext” to “cipher text” (encrypted text) using a “cipher” and a “key”
Cipher text | Encrypted text / Incomprehensible data
Cipher / Cryptosystem | A technique / A procedure / An algorithm (a computer science term) for encrypting data / messages
A Key | A string of digits used to encrypt data (like a password) / Longer keys lead to stronger encryption
Cryptanalysis | Breaking / cracking encryption

5 Old Cryptographic Ciphers
Cipher | Algorithm | Example
Substitution | Replacing “a” by “b”, “b” by “c”, “c” by “d”, … | “information security” becomes “jogpsnbujpo tfdvsjuz”
Transposition | Changing the sequence of letters to become: “odd” followed by “even” | “information security” becomes “ifrain-nomto scrt-euiy”
Both | Substitution and transposition together (see above) | “information security” becomes “jgsbjo-opnup tdsu-fvjz”
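The three rows of the slide's cipher table, reproduced as an added Python example (not part of the original presentation). The function names are illustrative, and the input is assumed to be lowercase words without hyphens; `recover_shift` goes one step beyond the slide to show that a 26-key substitution falls to a trial of every key once one plaintext word is known.

```python
import string

ALPHABET = string.ascii_lowercase

def substitute(text, shift=1):
    """Shift each lowercase letter by `shift` places (a->b for shift=1)."""
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + shift) % 26] if ch in ALPHABET else ch
        for ch in text
    )

def transpose_word(word):
    """Letters in odd positions (1st, 3rd, ...) followed by the even ones."""
    return word[0::2] + "-" + word[1::2]

def untranspose_word(block):
    """Re-interleave the odd and even halves produced by transpose_word."""
    odd, even = block.split("-")
    out = []
    for i, ch in enumerate(odd):
        out.append(ch)
        if i < len(even):
            out.append(even[i])
    return "".join(out)

def transpose(text):
    return " ".join(transpose_word(w) for w in text.split(" "))

def untranspose(text):
    return " ".join(untranspose_word(b) for b in text.split(" "))

def encrypt_both(text):
    # Substitution first, then transposition, as in the slide's third row.
    return transpose(substitute(text))

def decrypt_both(text):
    return substitute(untranspose(text), -1)

def recover_shift(cipher_text, known_word):
    """Try all 26 shifts; keep those whose output contains a known plaintext word."""
    hits = []
    for k in range(26):
        candidate = substitute(cipher_text, -k)
        if known_word in candidate:
            hits.append((k, candidate))
    return hits

if __name__ == "__main__":
    print(substitute("information security"))
    print(transpose("information security"))
    print(encrypt_both("information security"))
    print(recover_shift("jogpsnbujpo tfdvsjuz", "security"))
```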

6 Secret-Key Cryptography
Symmetric: Sender / Receiver
Less Sophisticated: Relative to Public-Key
More Efficient: Sending Large Amounts of Data
Problem (1): S-R “Key Exchange”
Problem (2): Many Keys “One for Each Receiver”

7 Secret-Key Cryptography
[Diagram labels: Sender; Receiver; Communication Network; Symmetric Key; Plain Text; Cipher Text; Encrypt / Decrypt]

8 KDC: Key Distribution Centre
To Solve “Key-Exchange” Problem
KDC Shares a “Secret Key”: With “Every User”
S-R Session Key: Generated by KDC per Transaction
Session Key Sent to S-R: Using their Shared Keys with KDC
All Transactions: Exchanged Through KDC
Problem: Centralized Security “Challenges to KDC!”

9 KDC Operation
[Diagram labels: Sender; Receiver; Communication Network; KDC; Symmetric Key (S); Symmetric Key (R); Session Key; Plain Text; Cipher Text. Numbered steps (1 to 3): Initiation; Generation; Assignment; Transaction]

10 DES: Data Encryption Standard
A Symmetric Encryption Algorithm: 1950s
By US NSA (National Security Agency) & IBM
Key Length is “56 bits”: Short / Easy to Crack
Triple Use (3 Keys in a Row): For More Security: DES (K-1), DES (K-2), DES (K-3)
Being Replaced By: AES

11 AES: Advanced Encryption Standard
A Symmetric Encryption Algorithm
By US NIST (National Institute of Standards & Technology): to Replace DES
Five Finalists Under Consideration: 2001
Criteria of Choice: Strength / Efficiency / Speed / Other Factors

12 Public-Key Cryptography (1/2)
Asymmetric: Sender / Receiver
Public Key: Distributed Freely
Private Key: Kept by the Owner
Started at the MIT in 1976 by: Whitfield Diffie / Martin Hellman
RSA P-K Algorithm: Rivest / Shamir / Adleman, MIT 1977, RSA Inc. 1982
Used by “Fortune 1000” / “e-Commerce Transactions”

13 Public-Key Cryptography (2/2)
The Two Keys are “Mathematically Related”, BUT it is Computationally “Infeasible to Deduce” the Private Key from the Public Key
Per Organization: One “Public Key” / One “Private Key”, Not One “Secret Key” per receiver
“Secret Key” Exchange: Not Needed
Problem: Requires high computer power / Not efficient for data volumes / Performance: Slower

14 Public-Key: Case (1)
[Diagram labels: Customer; Network; Organization; Organization Public Key; Organization Private Key]
Problem: Validation of customer’s identity

15 Public-Key: Case (2)
[Diagram labels: Customer; Network; Organization; Customer Private Key; Customer Public Key]
Problem: Proving the identity of the receiving organization

16 Public-Key: Case (3) “Combination”
[Diagram labels: Customer; Network; Organization; Customer Private Key; Customer Public Key; Organization Public Key; Organization Private Key]
Identities of both partners are authenticated

17 KAP: Key Agreement Protocol
Protocol: Rules of Agreement Process
Subject of Agreement: Symmetric Secret Key
Secret Key: Suitable for Volumes of Data
Public Key: Suitable for Limited Volumes
Agreement Security: Use of Public Key
Digital Envelope

18 KAP Example: The Digital Envelope
Sender: Encrypt (Message) Using “Secret Key”: Message: “Plain Text” -> Message: “Cipher Text” (S-K)
Sender: Encrypt (Secret Key) Using Receiver’s “Public Key”
Sent: Message “Cipher Text” (S-K) Plus “Cipher SK” (P-K); “Digital Signature”: Possible
Receiver: Decrypt Using Receiver’s “Private Key” -> “Secret Key”
Receiver: Decrypt (Message) Using “Secret Key”: Message: “Cipher Text” (S-K) -> Message: “Plain Text”

19 Key Management
Theft (mishandling) v. Attack (cryptanalysis)
Key Generation: Secure “Long Keys”
Key Generation Problem: Sometimes choice is from a small set
Recommendation: Key generation should be truly “random”

20 The “Hash Function”
Objective: Checking Message Integrity
[Diagram: Message -> Hash Function -> Message Digest (“Hash Value”)]
Hash Function: Mathematical Function Applied to the Message “Contents”
Simple Function: “adding up the 1’s of the message”
Collision: Messages with the same “hash value”
Chance of Collision: Statistically insignificant
Messages can be checked but not reconstructed from their hash value

21 Digital Signature (1/2)
Objective: (P-K) Authentication / Integrity
Sender: Message: Plain Text -> Hash Function -> Message Digest -> Encrypt (Sender Private Key) -> Electronic Signature
Sender: Message: Plain Text -> Encrypt (Receiver Public Key) -> Message: Cipher Text
Sent: Message: Cipher Text + Electronic Signature
Receiver: Electronic Signature -> Decrypt (Sender Public Key) -> Message Digest: “Sender Authenticated”
Receiver: Message: Cipher Text -> Decrypt (Receiver Private Key) -> Message: Plain Text -> Hash Function -> Message Digest: “Message Integrity”

22 Digital Signature (2/2)
Handwritten Signature: Document Independent (same for all documents) / Authentication Only
Digital Signature: Document Dependent (based on message contents) / Authentication & Integrity
Problem (Digital Signature): Non-repudiation (proof that the message has been sent)
Use: US DSA: “Digital Signature Algorithm”
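The hash-then-sign flow of the "Hash Function" and "Digital Signature" slides, as an added Python example that is not part of the original presentation. It compares the slide's simple "adding up the 1's" function with SHA-256 as the digest under a signature. Assumptions: the RSA key is a toy built from two Mersenne primes so the code needs only the standard library, the RSA operation is unpadded textbook RSA, the messages are constructed samples, and the encryption of the message with the receiver's public key is omitted.

```python
import hashlib

# Toy RSA key pair built from two Mersenne primes (constructed for this example).
# A modulus like this is trivially factorable; real keys come from a vetted library.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                  # sender public key (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))    # sender private key

def ones_hash(message: bytes) -> int:
    """The slide's simple function: add up the 1 bits of the message."""
    return sum(bin(byte).count("1") for byte in message)

def sha256_hash(message: bytes) -> int:
    """A cryptographic hash, used here for comparison."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, hash_fn) -> int:
    """Sender: digest the message, then transform the digest with the private key."""
    return pow(hash_fn(message), D, N)

def verify(message: bytes, signature: int, hash_fn) -> bool:
    """Receiver: recover the digest with the sender public key and compare."""
    return pow(signature, E, N) == hash_fn(message)

ORIGINAL = b"PAY 19 USD TO BOB"   # constructed sample message
TAMPERED = b"PAY 91 USD TO BOB"   # same characters, so the same number of 1 bits

def demo():
    weak_sig = sign(ORIGINAL, ones_hash)
    strong_sig = sign(ORIGINAL, sha256_hash)
    return {
        "weak_accepts_original": verify(ORIGINAL, weak_sig, ones_hash),
        "weak_accepts_tampered": verify(TAMPERED, weak_sig, ones_hash),
        "strong_accepts_original": verify(ORIGINAL, strong_sig, sha256_hash),
        "strong_accepts_tampered": verify(TAMPERED, strong_sig, sha256_hash),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the bit-counting function, the altered message verifies under the original signature because both messages collide; with SHA-256 the alteration is detected.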

23 Time-stamping / Non-Repudiation (1/2)
Objective: Binding “time and date” to digital documents
Important for electronic contracts
Third Party: Time-stamping Agency / Legal Witness
[Diagram labels: Sender / Receiver; Time-Stamping Agency; Sender / Receiver]

24 Time-stamping / Non-Repudiation (2/2)
Time-stamping Agency: Input: Ciphered & Signed Message / Output: Time & Date Stamp, Agency Stamp (Signature) (Using the Agency’s Private Key)
[Diagram labels, numbered 1 to 4: Sender; Message: Cipher Text; Sender Electronic Signature; Time & Date Stamp; Agency Stamp (Signature)]
Proof of receipt may be required “same route back” from the “receiver”

25 PKI: Public Key Infrastructure (1/2)
Objective: Authentication of Parties in a Transaction
Hierarchy:
IPRA: Internet Policy Registration Authority (The Root Certification Authority)
IPA / Policy Creation Authorities
CA: Certification Authorities

26 PKI: Public Key Infrastructure (2/2)
CA: Certification Authorities
DC: Digital Certificates / Using Public Key Cryptography / DS: Digital Signatures
CA take the responsibility of authentication
DC are publicly available and are issued / held by CA in “CR: Certificate Repository”

27 Digital Certificate: Structure
Field | Explanation
Name (Subject) | Individual / company being certified
Serial Number | For management / organization
Public Key | Public key of the individual / company
Expiration Date | Certification needs to be renewed
Signature of Trusted CA | For confirmation
Other Information | Relevant / needed data

28 Digital Certificate: Signature of Trust
[Diagram labels: Public Key (Name / Subject); Private Key (CA); Hash Function; Signature of Trusted CA; OR]

29 Digital Certificate: Expiration
Need for Change of Key (Pairs)
Expiration Date: Long use of key leads to vulnerability
Key Compromised: Cancellation / Renewal
CA has “CRL: Certificate Revocation List”

30 Cryptanalysis
Objectives: Attack “to break key” / Test “key strength”
How: Analysis of encryption algorithm to find relations between “bits of encryption key” and “bits of cipher-text” in order to “determine key”
Key / Cipher-text Relationship: “Statistical” nature / “Plain-text” knowledge

31 SSL: Secure Sockets Layer (1/2)
by: Netscape Communications; also used by: MS Internet Explorer (to protect Internet transactions)
[Diagram labels: Sender; Receiver; “Browsers”; Application Software; Messages; SSL; “Message Interpretation”; TCP; IP; TCP/IP; Datagram; Virtual Circuit]

32 SSL: Secure Sockets Layer (2/2)
Functions: Protects “private information from source to destination” / Authenticates “receiver / server in a transaction”
Tools: Public Key / Digital Certificate / Session (Secret) Keys
PCI: “Peripheral Component Interconnect” cards: Installed on “Web Servers” to secure data over an entire SSL transaction “from sender / client to receiver / server”

33 SET: Secure Electronic Transaction
by: Visa & Master-Card
Objective: protecting e-commerce payment transactions
Authenticating the Parties Involved: “Customer” / “Merchant” / “Bank”
Using “Public-Key Cryptography”

34 Microsoft Authenticode
Objective: Safety of software ordered online
Authenticode is built into MS Internet Explorer
Authenticode interacts with Digital Certificates
Digital Certificates should be obtained by software publishers
Digital Certificates can be obtained from CA “VeriSign”

35 Viruses / Worms
Viruses: Computer programs sent as attachments or hidden in audio and video clips / executable files attached to e-mail.
Worms: Independent (not attached)
They can cause “denial of service / loss of availability”, “corruption / wipe out of files” / …

36 Types of Viruses
Virus | Description
Transient | Attached to a program. It is activated only when the program is run.
Resident | Stored in the computer, and only activated when the computer is used.
Logic Bomb | Triggered when a given condition is met: “Time Bomb” (activated by time)
Trojan Horse | A malicious program hidden in a friendly program / or simulates its identity.

37 Examples of Viruses
Example | Description
Melissa (March 1999) | Spread in MS document sent via e-mail. Activated on opening to infect Outlook and send itself to first 50 addresses. Also infects other files.
I Love You (May 2000) | Sent as an e-mail attachment, claiming to be a love letter. Activated on opening to infect Outlook and send itself to all addresses. Also corrupted files, including system files.
Trojan Horse (June 2000) | Sent as an e-mail attachment (Video Clip) to give attackers access to launch denial of service.
Timofonica (June 2000) | A worm, propagated through e-mail to the cellular network of Spain to generate calls & messages.

38 Denial of Service Attacks: (1/2)
Flooding: Flooding servers with data packets “very high traffic” causing “congestion” / “denial of service”
Targeting Routing Tables: Changing “routing tables” directing packets to certain addresses “disabling certain network components”

39 Denial of Service Attacks: (2/2)
Distributed Denial of Service: “Packet flooding” comes from different sources
Example (February 2000): “Distributed” denial of service attacks shut down “high traffic web sites”: “Yahoo / CNN Interaction / Amazon / eBay / ..”

40 Web Defacing
Definition: Entering a web site illegally, and changing its contents.
Example (Swedish Hackers, 1996): Entered USA CIA web site (www.odci.gov/cia).
Changes included: “Central Stupidity Agency” / Hyper Links to “adult content” sites.

41 Anti-Virus Utilities
Conventional Utilities: They are reactive, going after discovered viruses rather than discovering new viruses.
New Utilities (www.finjan.com): Searches for executable files attached to e-mail. Runs the files in a secure area to test their effect.
Well-Known Producers: McAfee: www.mcafee.com / Norton: www.symantec.com

42 Security Policies
Key to the security of the Organization / Network / Information
Vulnerability / Possible Attackers / Possible Threats / Possible Damage / Data Theft / Response / Security Needs / Security v. Performance
Web Sites: www.cerias.com / www.baselinesoft.com / www.sans.org

43 Cyber-Crimes
National Security Policy: USA National Infrastructure Protection Act
Denial of Service Attack / Distribution of Viruses (Federal Crimes: Fines & Jail Time).
Web Sites: www.usdoj.gov/criminal/cybercrime/compcrime.html / www.cybertime.gov

44 CERT: Computer Emergency Response Team
Carnegie Mellon University: Software Engineering Institute
For Security Support: www.cert.org
Incident reports of viruses / denial of service
CERT Security Improvement Modules (Tutorials)
More Help: www.irchelp.org/itchelp/nuke

45 Firewalls
Objective: Protecting private networks from intruders outside the network (not inside) (Safety Barrier: Incoming / Outgoing flow).
Prohibiting data flow not expressly allowed OR Allowing data flow not expressly prohibited

46 Kerberos (Free MIT System)
Objective: to authenticate users in a private network; and to maintain the integrity and the privacy of network communication (using symmetric secret key cryptography)
Need: facing internal challenges (70-90% of attacks are internal)
[Diagram labels: Client; Kerberos: Authentication of Client Identity; TGS (Ticket Granting Service): Authentication of Client Right to Access Specific Service; Network Service; Symmetric Secret Key Communications]

47 Biometrics (Identities)
Definition: Using unique personal information to identify a user (reducing dependence on passwords).
Finger Prints / Eyeball Iris scan / Face scan
BAPI: Biometric Application Programming Interface “MS Promise (Windows)”
Web Sites: www.iriscan.com / www.keytronic.com

48 Steganography (Hiding Information)
Objective: To hide information within other information
Examples: Message: David Owen / Hidden Message: DO
Watermarks: bank notes / papers
Digital Watermark: Adobe PhotoShop (www.adobe.com)
Proof of Ownership: Music recorded with frequencies not audible to humans
Solutions: www.digimark.com / www.conginity.com

49 Important “Security” Webs (1/3)
Subject | Web
RSA Algorithm | www.rsasecurity.com
PGP (Pretty Good Privacy): MIT P-K “Web of Trust” | Web.mit.edu/network/pgp.html
Time-stamping | www.authentidate.com
US Legislation in Information Security | www.itaa.org/infosec
Certification Authorities | www.verisign.com / www.thawte.com

50 Important “Security” Webs (2/3)
Subject | Web
Netscape SSL: Secure Socket Layer | www.netscape.com/security/index.html / developer.netscape.com/tech/security/ss1/protocol.html
PCI: Peripheral Component Interconnect cards | www.phobos.com/products/infamily.htm
SET: Secure Electronic Transaction | www.setco.org / www.visa.com / www.visa.com/nt/ecomm/security/mail.html / www.mastercard.com

51 Important “Security” Webs (3/3)
Subject | Web
MS Authenticode | msdn.microsoft.com/workshop/security/authcode/signfaq.asp / msdn.microsoft.com/workshop/security/authcode/authwp.asp
Firewalls | www.interhack.net/pubs/fwfaq
Kerberos | www.pdc.kth.se/kth-krb
Magazines | www.networkcomputing.com/consensus / www.scmagazine.com / www.insightview.com

52 Reference
H.M. Deitel, P.J. Deitel, K. Steinbuhler, e-Business and e-Commerce for Managers, Prentice-Hall, Upper Saddle River, New Jersey, 2001

