Académique Documents
Professionnel Documents
Culture Documents
• Security Goals
• Security Design Principles
• Worms
• Buffer Overflows
• Client-State Manipulation
• Password Security
• Intro to SQL Injection
• Intro to Cross-Site Attacks
• Intro to Crypto
• Symmetric: block & stream ciphers, MACs
• Asymmetric: RSA, digital signatures, etc.
Security Is Holistic
Physical Security
Technological Security
• Application Security
• Operating System Security
• Network Security
All Required!
Example:
Dumpster diving: gathering sensitive
information by sifting through the company’s
garbage
Example Issues:
Example:
Authentication
Authorization
Confidentiality
Data / Message Integrity
Accountability
Availability
Non-Repudiation
Alice Bob
Identity Verification
Example: Passwords
• Pros:
Simple to implement
Simple for users to understand
• Cons:
Easy to crack (unless users choose strong ones)
Passwords are reused many times
ATM Card
assigned based on
roles (e.g. admin)
Mandatory
• computer system decides exactly who has access to which
resources
Role-Based (Non-Discretionary)
• User’s access & privileges determined by role
Classifications:
• Top Secret
• Secret
• Confidential
• Unclassified
3 Rules/Properties
• Simple property
• *-property
(confinement)
• Tranquility property
Techniques:
• Hashing (MD5, SHA-1, …)
• Checksums (CRC…)
• Message Authentication Codes (MACs)
Requirements:
• Secure Timestamping (OS vs. Network)
• Data integrity in logs & audit trails, must not be able to change
trails, or must be able to detect changes to logs
• Otherwise attacker can cover their tracks
Solutions:
• Add redundancy to remove single point of failure
• Impose “limits” that legitimate users can use
Undeniability of a transaction
B2B
Alice
PCs-R-US DVD- website
orders parts Factory
Is DVD-Factory Secure?
Availability:
• DVD-Factory, Inc. makes sure its web site is running 24 x 7
Authentication:
authenticates itself to Alice
(lock on bottom left of
browser)
Confidentiality:
• Alice’s browser and DVD-Factory Inc. web server set up an
encrypted connection (lock on bottom left of browser)
Foundations Computer Security Certificate Program
Copyright 2007 Daswani Enterprises, Inc. Licensed to SCPD. Stanford Center for Professional Development • 28
Concepts at Work
Authorization:
• DVD-Factory, Inc. web site consults database to check if Alice
is authorized to order widgets on behalf of PCs-R-Us, Inc.
Message / Data Integrity:
• Checksums are sent as part of each TCP/IP packets
exchanged (+ SSL uses MACs)
Accountability:
• DVD-Factory, Inc. logs that Alice placed an order for Sony
DVD-R 1100
Non-Repudiation:
• Typically not provided with web sites since requires TTP.