1. 8/30/2010CS 686 Definition of Security/Privacy EJ Jung ejung@cs.usfca.edu CS 686 Special Topics in CS Privacy and Security

2. 8/30/2010CS 686 Announcements  Course Questionnaire and Consent Form No submission, no grades  Service Lab community partners are coming  Reading assignment in schedule read “ahead”

3. 8/30/2010CS 686 Course questionnaire results  20 students  Previous courses 13 networks, 10 OS, 3 crypto, 1 security  Familiar technology 13 hash, 10 proxy, 9 SSL/TLS, 9 PKC, 3 TOR, 2 PGP, 1 IPsec,

4. 8/30/2010CS 686 Current challenging problems  Conflicting goals: privacy vs. utility, anonymity vs. authenticity safety vs. convenience, usability right to opt-out happy medium  Hackers  User education and admin education  Data sharing among many parties  Data leak from social networks

5. 8/30/2010CS 686 Want to solve  Hacking prevention, Server protection, Data protection  Vulnerability (loophole) analysis and mitigation  Intrusion detection packet sniffing and monitoring  User education, usability  Malware, e.g. virus, key-loggers, prevention&detection  Identity theft, Phishing prevention/detection  Right to opt-out, Pay for privacy  Anonymity, Finding happy medium between anonymity and authenticity TOR  Security software development  Secure data sharing among multiple parties, Data tracing

6. 8/30/2010CS 686 After this course  Become knowledgeable  Find vulnerabilities  Protect systems and websites without hurting performance and usability too much  Work as security specialist

7. 8/30/2010CS 686 Henric Johnson 7 Attacks, Services and Mechanisms  Security Attack: Any action that compromises the security of information.  Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.  Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.

8. 8/30/2010CS 686 Passive attack (1) - Eavesdrop  Code talkers Code talkers

9. 8/30/2010CS 686 Passive attack (2) - Analysis uAlexaAlexa

10. 8/30/2010CS 686 Active attack (1) - impersonation  Impostors on Facebook Impostors on Facebook

11. 8/30/2010CS 686 Active (2) - replay

12. 8/30/2010CS 686 Active (3) – intercept&modify

13. 8/30/2010CS 686 Active (4) - DoS  Distributed DoS Distributed DoS

14. 8/30/2010CS 686 Summary of attacks Henric Johnson 14

15. 8/30/2010CS 686 Henric Johnson 15 Security Services  Confidentiality (privacy)  Authentication (who created or sent the data)  Integrity (has not been altered)  Non-repudiation (the order is final)  Access control (prevent misuse of resources)  Availability (permanence, non-erasure) Denial of Service Attacks Virus that deletes files

16. 8/30/2010CS 686 network Attack on Authenticity  Authenticity is identification and assurance of origin of information Unauthorized assumption of another’s identity

17. 8/30/2010CS 686 network Attack on Confidentiality  Confidentiality is concealment of information Eavesdropping, packet sniffing, illegal copying

18. 8/30/2010CS 686 network Attack on Integrity  Integrity is prevention of unauthorized changes Intercept messages, tamper, release again

19. 8/30/2010CS 686 network Attack on Availability  Availability is ability to use information or resources desired Overwhelm or crash servers, disrupt infrastructure

20. 8/30/2010CS 686 Famous words  Encrypt and decrypt  Plaintext and ciphertext encrypt plaintext -> ciphertext decrypt ciphertext -> plaintext easy example: XOR  Digital signature as you sign on paper for non-repudiation and accountability  Session one conversation/communication unit

21. 8/30/2010CS 686 Model for Network Security

22. 8/30/2010CS 686 Access Control Model