- Количество слайдов: 12
Computer and Network Security Mini Lecture by Milica Barjaktarovic
Why do we need computer security? • Potentially very costly loss of data and/or equipment due to: – Hardware and software failures – Natural disasters – External attacks: • From the Internet – Internal attacks: • From employees
Disaster prevention and recovery • • Disaster scenarios Backup/restore procedures Network fault tolerance Attack protection: – Network-based intrusion detection • Detect dangers coming into our network from the outside and going from our network to the outside – Host-based intrusion detection • Detect tampering with individual hosts
Protecting Data and Networks • Data/file types: – Public, internal, confidential, secret • On UNIX: set file permission with chmod • On PC: file permission window • Network access levels: – Local, remote, public • Solution: LAN behind a firewall
Attacks 101 • Types: – Internal attack – Organizational attacks – Accidental security breaches • Ways of attacking: – – Social engineering Denial of Service (Do. S) Automated computer attacks Probing (precursor to a real attack) • SATAN, ISS tools – – Spoofing Viruses, worms, trojan horses Spamming Steganography • Players: – Hackers – Security analysts – Security watchdogs (e. g. CERT) and resources (e. g. SANS)
Organizational Attacks and Defense • Organizational attacks: – For (financial) crime – For terrorism/espionage • Organizational defense: – By the military: mandatory access controls, levels of security, Orange Book, professional and numerous security analysts – By corporations: system administrators often doubling as security analysts – – – Firewalls Network and host intrusion detection Tight grip on employees Security evaluation and certification Cryptographic services
Cryptography 101 • Cryptography allows production and exchange of “secret messages” • Cryptography is used to provide security services: – Privacy • Only the intended recipient can access data – Authentication • The identity of communicating parties can be verified – Message integrity • Nobody tampered with the message • Cryptography utilizes: – cryptographic hash functions: • provide a way to “scramble” data. No possibility of unscrambling. – cryptographic algorithms: • provide a way to “scramble” data using a specific key. The data can be “unscrambled” only with another specific key.
Cryptographic Hash Functions • A hash function H is a mathematical transformation that takes an input message m and returns a fixed-size string, which is called the hash value h – h = H(m) • A cryptographic hash function is a hash function with additional properties: – – – • • • The input can be of any length. The output has a fixed length. H(x) is relatively easy to compute for any given x. H(x) is one-way. H(x) is collision-free. A hash function H is said to be one-way if it is hard to invert, where ``hard to invert'' means that given a hash value h, it is computationally infeasible to find some input x such that H(x) = h. A hash function H is said to be a weakly collision-free if, given a message x, it is computationally infeasible to find a message y not equal to x such that H(x) = H(y). A hash function H is said to be strongly collision-free if it is computationally infeasible to find any two messages x and y such that H(x) = H(y).
Cryptographic Algorithms • Secret key (e. g. DES) – The same secret key is used to scramble and unscramble data – Pros: only one key – Cons: both parties must share the same key • Public key (e. g. RSA) – The sender scrambles with receiver’s public key, the receiver unscrambles with his private key – Pros: the public keys can be publicly posted – Cons: how do you distribute public keys in a trustworthy manner • PKI (Public Key Infrastructure) and X. 509 standard for public key distribution • Chain of trust of Certification Authorities (CAs)
Protecting a Message: Levels of Protection Strength 1. 2. CRC Message digest (i. e. message hash) – Message digest is the string obtained by applying a cryptographic hash function to message • – 3. Sample algorithms: MD 2, MD 5, SHA. Encrypted message – – • Cryptographic hash function is an irreversible, collision-free hash function that takes as input data of any length and produces a fixed length string Obtained by applying a cryptographic algorithm (public or secret key) to message Sample algorithms: RSA, DES, Blowfish, IDEA, etc. Crypto++ library http: //www. amasci. com/~weidai/cryptlib. html
Cryptographic Applications • Message Integrity Code (MIC): – • A fixed-length quantity generated cryptographically and associated with the message. Usually: compute message digest (i. e. message hash) and encrypt it, usually using secret key cryptography. Digital Signature (Digital Signature Algorithm (DSA)) – • the sender encrypts message using his private key, recipient verifies it using sender’s public key. Usually: compute message digest and then encrypt it. Secure email – – • PGP assumes that each user decides whom to trust PEM assumes a rigid hierarchy of CAs Transmitting over insecure channel (virtual encrypted tunnel) – Tunneling protocols: • • Point-to-point Layer 2 tunneling protocol (L 2 TP) / IPsec Secure storage on insecure media Authentication – – – 3 -way handshake Third trusted party Digital signature: the sender signs using his private key, others verify it using the sender’s public key
Network Security • Firewalls: – Filter based – Proxy based • Application level security (e. g. HTTPS) • Transport layer security – TSL (Secure Transport Layer) • E-commerce, public key, 3 -way handshake • Network Layer Security: – IPsec • SSL (Secure Sockets Layer)