Published by Chad Williamson. Modified over 9 years ago.
1
Overview of Security
Dr. Sriram Chellappan
chellaps@mst.edu
These slides are available at BlackBoard
2
Overview
- Security Definitions
- Security threats and attacks
- Security Services
- Operational Issues
3
The Definition
- Security is a state of well-being of information and infrastructures in which the possibility of successful yet undetected theft, tampering, and disruption of information and services is kept low or tolerable
- Security rests on confidentiality, authenticity, integrity, availability, non-repudiation
4
In OS terms
- Operating System Computer security
  - Addresses the issue of preventing unauthorized access to resources and information maintained by computers
  - Encompasses the following issues:
    - Guaranteeing the privacy and integrity of sensitive data
    - Restricting the use of computer resources
    - Providing resilience against malicious attempts to incapacitate the system
  - Employs mechanisms that shield resources such as hardware and operating system services from attack
5
The Basic Components
- Confidentiality is the concealment of information or resources.
- Authenticity is the identification and assurance of the origin of information.
  - Related to privacy
- Integrity refers to the trustworthiness of data or resources in terms of preventing improper and unauthorized changes.
- Availability refers to the ability to use the information or resource desired.
- Non-repudiation means that it can be verified that the sender and the recipient were, in fact, the parties who claimed to send/receive a particular message, and the message sent/received were the same
6
Security Threats and Attacks
- A threat is a potential violation of security.
  - Flaws in design, implementation, and operation.
- An attack is any action that violates security.
  - Active adversary.
- A threat is typically a precursor to an attack
7
Eavesdropping - Message Interception (Attack on Confidentiality)
- Unauthorized access to information
- Packet sniffers and wiretappers
- Illicit copying of files and programs
[Figure: sender S, receiver R, and an Eavesdropper]
8
Techniques to Enforce Confidentiality
- Symmetric key distribution
- What are the challenges?
  - How to securely transmit the symmetric keys
  - Key revocation after a certain point in time
  - Protect the key from being lost
- Latest technique to solve this problem
  - Asymmetric keys
9
Integrity Attack - Tampering With Messages
- Stop the flow of the message
- Delay and optionally modify the message
- Release the message again
[Figure: sender S, receiver R, and a Perpetrator]
10
Techniques to Enforce Integrity
- Message Authentication Codes
  - Accomplished using hash functions
  - That are collision resistant and have one-way property
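The difference between a bare hash and a keyed MAC against the tampering slide's perpetrator, as an added Python example that is not part of the original deck. It goes slightly beyond the slide by putting a sequence number under the tag so that a delayed, re-released message is also rejected; the key, the messages and the `Receiver` class are constructed for illustration.

```python
import hashlib
import hmac

def plain_digest(msg: bytes) -> str:
    # Unkeyed hash: anyone on the path can recompute it after editing msg.
    return hashlib.sha256(msg).hexdigest()

def mac(key: bytes, seq: int, msg: bytes) -> str:
    # Keyed tag (HMAC-SHA256) over sequence number + message.
    return hmac.new(key, seq.to_bytes(8, "big") + msg, hashlib.sha256).hexdigest()

class Receiver:
    def __init__(self, key: bytes):
        self.key, self.last_seq = key, -1

    def accept(self, seq: int, msg: bytes, tag: str) -> str:
        # Constant-time comparison of the recomputed tag with the received one.
        if not hmac.compare_digest(mac(self.key, seq, msg), tag):
            return "rejected: tag mismatch"
        if seq <= self.last_seq:
            return "rejected: stale sequence number"
        self.last_seq = seq
        return "accepted"

def run_scenario() -> dict:
    key = b"constructed-key-shared-by-S-and-R"   # sample value, not from the slides
    original = b"transfer 10 to account 7"       # constructed messages
    altered = b"transfer 99 to account 7"
    # Bare hash: the perpetrator edits the message and recomputes the digest.
    forged_msg, forged_digest = altered, plain_digest(altered)
    hash_detects = plain_digest(forged_msg) != forged_digest
    # MAC: the perpetrator can edit or re-release messages but cannot make tags.
    r = Receiver(key)
    tag1, tag2 = mac(key, 1, original), mac(key, 2, original)
    return {
        "hash_detects_edit": hash_detects,
        "genuine": r.accept(1, original, tag1),
        "edited": r.accept(2, altered, tag2),
        "re_released": r.accept(1, original, tag1),
    }

if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```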
11
Authenticity Attack - Fabrication
- Unauthorized assumption of another’s identity
- Generate and distribute objects under this identity
[Figure: sender S, receiver R, and “Masquerader: from S”]
12
Techniques to Enforce Authentication
- Standard Techniques are passwords
  - Easy to be captured by adversary
  - Easy to be guessed by adversary
- Evolving techniques
  - Biometrics
  - One time password generator
  - Expand sample space of secret – password mapping
- Access control mechanisms
- Kerberos – A well known authentication technique
13
What is Kerberos?
- Developed by MIT
- Shared secret-based strong 3rd party authentication
- Provides single sign-on capability
- Passwords never sent across network
And now – the players…
14
[Diagram: the players: Susan; Susan’s Desktop Computer; the Key Distribution Center, containing the Authentication Service and the Ticket Granting Service; and XYZ Service]
Think “Kerberos Server” and don’t let yourself get mired in terminology.
15
[Diagram: the Kerberos players]
Represents something requiring Kerberos authentication (web server, ftp server, ssh server, etc…)
16
[Diagram: the Kerberos players]
“I’d like to be allowed to get tickets from the Ticket Granting Server, please.”
17
[Diagram: the Kerberos players]
“Okay. I locked this box with your secret password. If you can unlock it, you can use its contents to access my Ticket Granting Service.”
18
[Diagram: the Kerberos players, with labels “myPassword” and “TGT”]
19
Because Susan was able to open the box (decrypt a message) from the Authentication Service, she is now the owner of a shiny “Ticket-Granting Ticket”. The Ticket-Granting Ticket (TGT) must be presented to the Ticket Granting Service in order to acquire “service tickets” for use with services requiring Kerberos authentication. The TGT contains no password information.
20
[Diagram: the Kerberos players, with labels “use XYZ” and “TGT”]
“Let me prove I am Susan to XYZ Service. Here’s a copy of my TGT!”
21
[Diagram: the Kerberos players, with the TGT and a ticket reading “Hey XYZ: Susan is Susan. CONFIRMED: TGS”]
“You’re Susan. Here, take this.”
22
[Diagram: the Kerberos players, with the TGT and two copies of the ticket reading “Hey XYZ: Susan is Susan. CONFIRMED: TGS”]
“I’m Susan. I’ll prove it. Here’s a copy of my legit service ticket for XYZ.”
23
[Diagram: the Kerberos players, with the TGT and two copies of the ticket reading “Hey XYZ: Susan is Susan. CONFIRMED: TGS”]
“That’s Susan alright. Let me determine if she is authorized to use me.”
24
Authorization checks are performed by the XYZ service… Just because Susan has authenticated herself does not inherently mean she is authorized to make use of the XYZ service.
25
One remaining note: Tickets (your TGT as well as service-specific tickets) have expiration dates configured by your local system administrator(s). An expired ticket is unusable. Until a ticket’s expiration, it may be used repeatedly.
26
[Diagram: the Kerberos players, with label “use XYZ”, the TGT and two copies of the ticket reading “Hey XYZ: Susan is Susan. CONFIRMED: TGS”]
“ME AGAIN! I’ll prove it. Here’s another copy of my legit service ticket for XYZ.”
27
[Diagram: the Kerberos players, with the TGT and two copies of the ticket reading “Hey XYZ: Susan is Susan. CONFIRMED: TGS”]
“That’s Susan… again. Let me determine if she is authorized to use me.”
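The exchange walked through on the preceding slides, as an added toy model in Python (not part of the original deck, and not real Kerberos). The `seal`/`unseal` box, the `KDC` class, the `EXAMPLE.REALM` salt and the 600-second lifetime are assumptions for illustration; both sides derive the user's key from the password, so the password itself is never sent. The session keys and authenticators that real Kerberos adds are left out, as they are on the slides.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    # Toy "locked box" (SHA-256 keystream + HMAC tag), standing in for a real cipher.
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, box):
    nonce, ct, tag = box[:16], box[16:-32], box[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise PermissionError("cannot open box: wrong key or altered contents")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def password_key(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"EXAMPLE.REALM", 10_000)

class KDC:
    def __init__(self, lifetime=600):
        self.users = {"susan": password_key("myPassword")}  # constructed account
        self.tgs_key, self.services = os.urandom(32), {"XYZ": os.urandom(32)}
        self.lifetime = lifetime                             # set by the administrator

    def authentication_service(self, user, now):
        # The TGT is locked with the TGS key, then boxed with the user's key.
        tgt = seal(self.tgs_key, {"user": user, "exp": now + self.lifetime})
        return seal(self.users[user], {"tgt": tgt.hex()})

    def ticket_granting_service(self, tgt, service, now):
        claims = unseal(self.tgs_key, tgt)
        if now >= claims["exp"]:
            raise PermissionError("TGT expired")
        exp = min(claims["exp"], now + self.lifetime)
        return seal(self.services[service], {"user": claims["user"], "exp": exp})

def login(kdc, user, typed_password, now):
    box = kdc.authentication_service(user, now)
    return bytes.fromhex(unseal(password_key(typed_password), box)["tgt"])

def xyz_service(service_key, ticket, now, allowed=("susan",)):
    claims = unseal(service_key, ticket)      # authentication: ticket sealed by the TGS
    if now >= claims["exp"]:
        raise PermissionError("service ticket expired")
    return claims["user"] in allowed          # authorization: the service's own check
```

The service ticket can be presented repeatedly until `exp`, and a valid ticket for a user missing from `allowed` authenticates but is not authorized.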
28
Attack on Availability
- Destroy hardware (cutting fiber) or software
- Corrupt packets in transit
- Blatant denial of service (DoS):
  - Crashing the server
  - Overwhelm the server (use up its resource)
[Figure: sender S and receiver R]
29
Techniques to Enforce Availability
- Think of an example
  - Standard technique is almost always redundancy
    - Also called over-provisioning
  - Can be counter-productive sometimes
- Think how
30
Impact of Attacks
- Economic impacts
- Societal impacts
- Military impacts
All attacks can be related and are dangerous!
31
Some trade-offs w.r.t. security
- Availability vs. Privacy
- Confidentiality vs. Power management
- Privacy vs. Delay
- Bandwidth vs. Privacy
32
Security Policy and Mechanism
- Policy: a statement of what is, and is not, allowed.
- Mechanism: a procedure, tool, or method of enforcing a policy.
- Security mechanisms implement functions that help prevent, detect, respond to, and recover from security attacks.
- Security functions are typically made available to users as a set of security services through APIs or integrated interfaces.
- Cryptography underlies many security mechanisms.
33
Operational Issues
- Cost-Benefit Analysis
- Risk Analysis
- Laws and Customs
Human Issues
- Organizational Problems
- People Problems
34
Proprietary and Open-Source Security
- Advantages of open-source security applications
  - Interoperability
    - Open-source applications tend to implement standards and protocols that many developers include in their products.
  - An application’s source code is available for extensive testing and debugging by the community at large
- Weaknesses of proprietary security
  - Nondisclosure
  - The number of collaborative users that can search for security flaws and contribute to the overall security of the application is limited
- Proprietary systems, however, can be equally as secure as open-source systems