Presentation is loading. Please wait.

Presentation is loading. Please wait.

You Can’t Get There From Here! Prof. Neil Barrett BCS Oxford – 29 th Nov. 2005.

Published byCordelia Rose Modified over 9 years ago

Similar presentations

Presentation on theme: "You Can’t Get There From Here! Prof. Neil Barrett BCS Oxford – 29 th Nov. 2005."— Presentation transcript:

1 You Can’t Get There From Here! Prof. Neil Barrett BCS Oxford – 29 th Nov. 2005

2 Introduction Information Security Identification, Authentication, Authorisation and Non-repudiation Crimes committed on or with computers Evidential issues The limitations of information security –Practical –Theoretical Conclusions

3 Information Security A collection of measures to establish –Confidentiality –Integrity –Availability Only authorised users should be able to access information –To create, delete, read, change… But crucially, how do we establish who is and is not ‘authorised’?

4 Identification, Authentication, Authorisation and Non-Repudiation Identification – Who is this user and do we recognise them? Authentication – Can we prove that this is indeed the person? Authorisation – If it is the right person, what information should they be able to access and in what fashion? Non-Repudiation – Can we ensure that the person cannot deny responsibility for any access that they carry out?

5 Identification User name Some way of allowing the computer system to recognise the person

6 Authentication Type 1 – Something they know – a password Type 2 – Something they have – a token Type 3 – Something they are – a fingerprint One or Two factor Determines trust level of the computer

7 Authorisation Access to data by means of some controlling data structure –An Access Control List or similar structure Based on reliable identification and successful authentication Ensures that users can only access what they are meant to access

8 Non-Repudiation Arises from clean, reliable and unalterable records of “who did what to what piece of data”? Records can be digitally signed, reliably stored etc

9 Crimes on Computers Raising permission levels Accessing information Altering or preventing access to information Manipulating records All involve, to some extent, exceeding ‘authorised access’ –Presuming always, of course, that the authorised access has been suitably well-defined.

10 Evidential Issues Computers record the actions of authenticated users –In terms of the access granted to processes based on the authorisation data structure But a process cannot be prosecuted –Only a person can stand in the dock So, the data collected for non-repudiation purposes must be capable of presenting in court

11 Evidential Issues (2) This means that the auditing data must be –Comprehensive –Complete –Clear –Capable of preservation Reliable copies of original data is fine –But the process of that copying must itself be capable of analysis Data can be put in front of the court –It forms ‘documentary’ evidence

12 Limitations Of course, this depends on the reliability and integrity of the information security –Can we reliably restrict access to information based upon some rules –The rules relate to the authentication and authorisation controls We need to be able to analyse the operation of the program elements to achieve this

13 Limitations (2) Unfortunately, this analysis is not rigorously possible Turing proved elements of the ‘Halting Problem’ –That determining in advance whether a given program would or would not halt is in fact undecidable That is, it is mathematically impossible to determine a program’s actions in advance –The only way to determine the actions is to run it

14 Implications Anti-virus is impossible! –Requires you to know in advance what a given program will do Program monitoring is impossible –Requires you to wrap a program inside another program But then, what happens to that program? –It too needs to be wrapped »Etc…

15 Implications (2) Because information security cannot be algorithmically determined –Authorisation cannot be –So, the task of determining whether or not a given user is responsible for a given action is impossible We are left only with heuristics

16 Implications (3) Heuristics provide technical solutions –In which the task of exceeding authorised access is made as difficult as possible Information security should Protect, Detect and Deter –Detection and Deterrence therefore must be seen as important elements Can we determine what a user has done? Can we persuade them therefore not to do it because we will be able to detect it?

17 Conclusions Information security is useful, important… but mathematically impossible The best we can do is a form of ‘best endeavours’ But this will give us problems in the courts as evidence is presented!

18 Thank You! Prof. Neil Barrett FBCS

Download ppt "You Can’t Get There From Here! Prof. Neil Barrett BCS Oxford – 29 th Nov. 2005."

Similar presentations

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Evidence Collection & Admissibility Computer Forensics BACS 371.

Evidence Collection & Admissibility Computer Forensics BACS 371.
MD5 Summary and Computer Examination Process Introduction to Computer Forensics.

MD5 Summary and Computer Examination Process Introduction to Computer Forensics.
Fundamentals of Computer Forensics Fundamentals of Computer Forensics by Jim Bates,published Feb 1997, International Journal of Forensic Computing “…This.

Fundamentals of Computer Forensics Fundamentals of Computer Forensics by Jim Bates,published Feb 1997, International Journal of Forensic Computing “…This.
Opening Presentation of Notary Reqs 8/5/2004 Tobias Gondrom.

Opening Presentation of Notary Reqs 8/5/2004 Tobias Gondrom.
Chapter 1 – Introduction

Chapter 1 – Introduction
Copyright Infringement

Copyright Infringement
1 Introduction to Computability Theory Lecture13: Mapping Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture13: Mapping Reductions Prof. Amos Israeli.
SOA Security Chapter 12 SOA for Dummies. Outline User Authentication/ authorization Authenticating Software and Data Auditing and the Enterprise Service.

SOA Security Chapter 12 SOA for Dummies. Outline User Authentication/ authorization Authenticating Software and Data Auditing and the Enterprise Service.
Applied Cryptography for Network Security

Applied Cryptography for Network Security
CMSC 414 Computer (and Network) Security Lecture 24 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 24 Jonathan Katz.
Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,

Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 1 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 1 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Security+ All-In-One Edition Chapter 20 – Forensics Brian E. Brzezicki.

Security+ All-In-One Edition Chapter 20 – Forensics Brian E. Brzezicki.
Review security basic concepts IT 352 : Lecture 2- part1 Najwa AlGhamdi, MSc – 2012 /1433.

Review security basic concepts IT 352 : Lecture 2- part1 Najwa AlGhamdi, MSc – 2012 /1433.
E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.

E-business Security Dana Vasiloaica Institute of Technology Sligo 22 April 2006.

Similar presentations

Ads by Google