Académique Documents
Professionnel Documents
Culture Documents
9 March,
mark.baker@compute
Concerns.
Objectives.
Basic Definitions
Security Components:
Symmetric/asymmetric systems,
Public Key Encryption.
Summary.
9 March,
mark.baker@compute
Security Concerns
9 March,
mark.baker@compute
Contributing Factors
Increased Internet use:
Home broadband,
Greater coverage (wired and wireless):
More ubiquitous on-line use:
Education,
Business,
Games,
Shopping
9 March,
mark.baker@compute
The Actors
9 March,
mark.baker@compute
Intruder Knowledge
Stealth/Advanced
Scanning Techniques
High
BOTS
Denial of Service
Zombies
Sniffers
Hijacking Sessions
Exploiting Known Vulnerabilities
Intruders
Password Cracking
Self-Replicating Code
Password Guessing
Low
1980
1985
1990
Attack Sophistication
1995
2000
Sources: Carnegie Mellon University, 2002 and Idaho National Laboratory, 2005
9 March,
mark.baker@compute
2005
2010
Trust who you are and what you are authorized to do,
Non-repudiation you cant deny doing something you did,
Auditability I can check what you did to the data,
Reliability the system does what I want, when I want it to,
Privacy within certain limits no one should know who I am or
what I do.
9 March,
mark.baker@compute
9 March,
mark.baker@compute
Security Terms
Authentication:
The process by which a person or other entity proves
that it is who (or what) it says it is.
Want to authenticate the person or entity that you
are dealing before transferring something valuable,
such as information or money, to or from, it.
Authentication is achieved by presenting some unique
identifying entity to the endpoint that is undertaking
the process:
An example of this process is the way you authenticate
yourself with an ATM: here you insert your bank card
(something you have) and enter your personal identification
number (PIN, something you know).
9 March,
mark.baker@compute
Identification
Being able to identify yourself to a computer
is absolutely essential:
ATM, e-banking,
Access to e-mail, computer accounts,
Access to personal information (e.g., staff or
student portal).
Non-computer identification
Computer Identification
How we identify a human to a computer?
Username/Passwords (common),
Token, e.g. ATM card,
Cryptographic protocols,
Combinations, e.g. token and password,
Biometrics, e.g. face recognition, finger prints, and
retina/iris scans.
9 March,
mark.baker@compute
Passwords
Most common identification technique:
9 March,
mark.baker@compute
Vulnerabilities
Biometric identification
Passwords are pretty useless at identifying people.
Can we identify them by their properties?
Face, handwriting, retina, DNA, voice, signature, fingerprint
9 March,
mark.baker@compute
Other issues
Cost:
User comfort:
Theoretical accuracy:
Excluded population:
Variability:
9 March,
mark.baker@compute
Security Terms
Authorisation:
Is the act of providing the rights to perform some
action:
Typically based on based on what are known as Access Control
Lists (ACLs), which for some set of resources, a list of user
names and their rights are provided.
9 March,
mark.baker@compute
9 March,
mark.baker@compute
Program-specific permissions:
Allows application-specific restrictions:
(NHS, blood-test.db, SPSS) AIDS/region
9 March,
mark.baker@compute
Security Terms
Trust:
9 March,
mark.baker@compute
Security Terms
Integrity:
This is the assurance that the data has not changed
since it was written:
e.g., prevent a potential intruder-in-the-middle from changing
messages.
9 March,
mark.baker@compute
Security Terms
Confidentiality:
This is the act of ensuring no one but authorised
parties (who know some secret) can understand the
data.
There are two mechanisms used to ensure data
confidentiality, the more common encryption, and
steganography:
With encryption an algorithm or function (encrypt) that
transforms plain text to cypher text where the meaning is
hidden, but which can be restored to the original plain text by
another algorithm (decrypt).
Steganography, on the other hand is where a message is
hidden in another message or image:
It is used when it is necessary to conceal the fact that a secret
message is being transmitted.
9 March,
mark.baker@compute
Security Components
Encryption and Decryption:
Encryption is the conversion of data into a form, called a
ciphertext, which cannot be easily understood by
unauthorised entities.
Decryption is the process of converting encrypted data back
into its original form, so it can be understood.
9 March,
mark.baker@compute
Security Components
Encryption and Decryption:
We assume that the more difficult it is to decrypt
the ciphertext, the better.
Trade-off - if the algorithm is too complex and it
takes too long to use, or requires keys that are too
large to store easily, it becomes impractical to use:
Need a balance between the strength of the encryption; that
is, how difficult it is for someone to discover the algorithm
and the key, and ease of use.
9 March,
mark.baker@compute
Symmetric Key
Symmetric key cryptography, also called private or
secret key cryptography, is the classic cryptographic
use of keys:
Here the same key is used to encrypt and decrypt the data.
Plaintext
Plaintext
Encrypt with
secret key
Ciphertext
9 March,
Decrypt with
secret key
Internet
mark.baker@compute
Symmetric Key
Key management is an issue.
Each pair of communicating entities needs a shared
key:
K1
Session keys.
Public keys.
K5
K7
K2
K6
K4
K3
K8
K9
K10
9 March,
mark.baker@compute
Asymmetric Keys
In asymmetric key cryptography, different keys are
used for encrypting and decrypting a message.
In that case, one key can be made public while the other
is kept private.
There are advantages to this public-keyprivate-key
arrangement, often referred to as public key
cryptography:
The necessity of distributing secret keys to large numbers of
users is eliminated,
The algorithm can be used for authentication as well as for
creating cipertext.
9 March,
mark.baker@compute
Public key
Message
Encrypt
Private key
Message
Decrypt
9 March,
mark.baker@compute
Public
Key
Send Jill's
public Key
Jill
Mark
Private
Key
Decrypt with
Jill's public Key
9 March,
mark.baker@compute
Public key
Typically slower
Examples:
Examples:
9 March,
mark.baker@compute
If the end point trusts the CA, then it will trust that entity
and who it claim to be.
9 March,
mark.baker@compute
Certification Authority
CAs issue digital certificates after verifying
that a public key belongs to a certain owner:
Driving licenses, identification cards and
fingerprints are examples of documentation
required.
9 March,
mark.baker@compute
The e-Science CA
9 March,
mark.baker@compute
9 March,
mark.baker@compute
9 March,
mark.baker@compute
E-Science Certificate
9 March,
mark.baker@compute
E-Science Certificate
9 March,
mark.baker@compute
9 March,
mark.baker@compute
E-Science Certificate
9 March,
mark.baker@compute
Sender
Signed Document
Decrypt
Message
Sender
Public Key
CA
9 March,
CA Public
Key
mark.baker@compute
Recipient
Digital Signatures
Integrity is guaranteed in public-key systems
by using digital signatures:
This is a method of authenticating digital
information, in the same manner that an individual
would sign a paper document to authenticate it.
9 March,
mark.baker@compute
Digital Signatures
Often, a cryptographically strong hash
function is applied to the message.
A hash function is an algorithm which creates a
digital representation in the form of a "hash value"
of a standard length, which is typically much
smaller than the message but nevertheless unique
to it.
mark.baker@compute
mark.baker@compute
9 March,
mark.baker@compute
Digital signatures
Private key
Message
Sign
(fixed-length signature)
Public key
Valid/Invalid
Message
Verify
9 March,
mark.baker@compute
9 March,
mark.baker@compute
9 March,
mark.baker@compute
Security Summary
Security Concerns:
Secret key,
Public key,
Certificates,
Digital Signatures.
9 March,
mark.baker@compute
Questions?
9 March,
mark.baker@compute