Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Security Services...

Seguridad en Sistemas de Información

verano 2004Francisco Rodríguez Henríquez

Security Services in Information Systems

Antecedents and Motivation

What is this part of the course about?

In this part of the course we will discuss the following topics

– security needs– security services– security mechanisms and protocols

for data stored in computers and transmitted across computer networks

What we will/won’t cover?

• We will cover– security threats– security protocols in use with emphasis on Authentication– Certificates and PKI– Introduction to Wireless Security

• We will not cover– cryptography (just an overview will be given)– computer networks– operating systems– computers in general– how to hack

What security is about in general?

• Security is about protection of assets– D. Gollmann, Computer Security, Wiley

• Prevention– take measures that prevent your assets from being damaged

• Detection– take measures so that you can detect when, how, and by

whom an asset has been damaged

• Reaction– take measures so that you can recover your assets

Real world example

• Prevention– locks at doors, window bars, secure the walls

around the property, hire a guard

• Detection– missing items, burglar alarms, closed circuit TV

• Reaction– attack on burglar, call the police, replace stolen

items, make an insurance claim

Services, Mechanisms, Attacks

• 3 aspects of information security:– security attacks (and threats)

• actions that compromise security

– security services• services counter to attacks

– security mechanisms• used by services• E.g. secrecy is a service, encipherment is a mechanism

NETWORK SECURITY FUNDAMENTALS

•Security Attacks and Security Services

•A Model of Network Security

•Access Policies

SECURITY ATTACKSSECURITY ATTACKS

&&SECURITY SERVICESSECURITY SERVICES

•Unauthorised Access

•Unauthorised Disclosure of Information

•Unauthorised Modification of Information

•Unauthorised Denial of Service

Security Threads

Attacker resources and methods vary greatly

Resource Teenager Academic Org. Crime Gov’t

Time Limited Moderate Large Large

Budget ($) <$1000 $10K-$100K $100K+ Unknown

Creativity Varies High Varies Varies

Detectability High High Low Low

Target Challenge Publicity Money Varies

Number Many Moderate Few Unknown

Organized No No Yes Yes

Spread info? Yes Yes Varies No

Source: Cryptography Research, Inc. 1999, “Crypto Due Diligence”

Source: Blaze/Diffie/Rivest/Schneier/Shimoura/Thompson/Wiener: www.bsa.org/policy/encryption

Minimal key lengths for symmetric ciphers

Typeof attacker

Budget Tool Time and costper key recovered

Length needed forprotection in late 1995

40 bits 56 bits

Pedestrian Hacker

SmallBusiness

CorporateDepartment

Big Company

IntelligenceAgency

$10.000

scavengedcomputer time

1 week

5 hours($0.08)12 min($0.08)24 sec($0.08)18 sec

($0.001) 7 sec

($0.08)0.005 sec($0.001)

0.0002 sec($0.001)

infeasible

38 years($5,000)556 days($5,000)19 days($5,000)3 hours($38)

13 hours($5,000)

6 min($38)

12 sec($38)

Passive Attacks

Active Attacks

Attacks

Accidental Intentional•Software Errors

•Hardware Errors

•Poor Management of Resources

Passive Active•Release of Message content•Traffic Analysis

•Data Mod.•Data Delay•Data Blocking•Data Copy•Data Replay•Data Destruction

Security Mechanisms

• Basically cryptographic techniques/technologies – that serve to security services – to prevent/detect/recover attacks

• Encipherment– use of mathematical algorithms to transform data

into a form that is not readily intelligible• keys are involved

• Message Digest– similar to encipherment, but one-way (recovery not

possible)– generally no keys are used

• Digital Signatures– Data appended to, or a cryptographic transformation of, a

data unit to prove the source and the integrity of the data

• Authentication Exchange– ensure the identity of an entity by exchanging some

information

Security Mechanisms

• Notarization– use of a trusted third party to assure certain properties of a

data exchange

• Timestamping– inclusion of correct date and time within messages

• Non-cryptographic mechanisms– traffic padding (for traffic analysis)

– intrusion detection

– firewalls

Security Mechanisms

Security Services

• Confidentiality - protect info value • Authentication - protect info origin (sender)

• Identification - ensure identity of users

• Integrity - protect info accuracy • Non-repudiation - protect from deniability • Access control - access to info/resources • Availability - ensure info delivery

Relationships

Integrity

Authentication

Non-repudiation

Two references

• ITU-T X.800 Security Architecture for OSI– gives a systematic way of defining and providing

security requirements

• RFC 2828– over 200 pages glossary on Internet Security

Security Systems by layers

Computer Arithmetic : Addition, Squaring, multiplication, inversion and exponentiationComputer Arithmetic : Addition, Squaring, multiplication, inversion and exponentiation

Public Key Crypto Algorithms: RSA, ECCSymmetric Crypto Algorithms: AES, DES, RC4, etc.

Crypto User Functions: Encrypt/Decrypt, Sign/verify

Security Services: Confidentiality, Data Integrity, Data Authentication, Non-Repudiation

Communication Protocols : SSL, TLS, WTLS, WAP, etc.

Applications: Secure e-mail, Digital Money, Smart Cards, Firewalls, etc.

Fundamental Dilemma of Security

• Security unaware users have specific security requirements but no security expertise.– from D. Gollmann– Solution: level of security is given in predefined

classes specified in some common criteria

Fundamental Tradeoff

• Absolutely secure systems do no exist

• To half your vulnerability you have to double your expenditure

• Cryptography is typically bypassed not penetrated.

The Three Laws of Security

• Security unaware users have specific security requirements but no security expertise.– from D. Gollmann– Solution: level of security is given in predefined

classes specified in some common criteria

Kerckhkoffs’s Principle

While assessing the strength of a cryptosystem, one should always assume that the enemy knows the cryptographicalgorithm used.

The security of the system, therefore, should be based on

* the quality (strength) of the algorithm but not its obscurity* the key space (or key length)

A Cryptosystem Classification

• Public key cryptography (RSA, ECC, NTRU)

• Secret key Cryptography (DES, AES, RC4)

• Block ciphers (DES, IDEA, RSA) 64-128 bits

• Stream ciphers (A5, RC4, SEAL) encryption in a bit to

bit basis.

A Simplified Model of Conventional Encryption

Message Digest

• A message digest, also known as a one-way hash function, is a fixed length computionally unique identifier corresponding to a set of data. That is, each unit of data (a file, a buffer, etc.) will map to a particular short block, called a message digest. It is not random: digesting the same unit of data with the same digest algorithm will always produce the same short block.

• A good message digest algorithm possesses the following qualities– The algorithm accepts any input data length.

– The algorithm produces a fixed length output for any input data.

– The digest does not reveal anything about the input that was used to

generate it. – It is computationally infeasible to produce data that has a specific digest.

– It is computationally infeasible to produce two different unit of data that produce the same digest.

Hash Algorithms

• Reduce variable-length input to fixed-

length (128 or 160bit) output

• Requirements

– Can't deduce input from output

– Can't generate a given output

– Can't find two inputs which produce the

same output

Hash Algorithms

• Used to

– Produce fixed-length fingerprint of arbitrary-length data

– Produce data checksums to enable detection of modifications

– Distill passwords down to fixed-length encryption keys

• Also called message digests or fingerprints

Message Authentication Code MAC

• Hash algorithm + key to make hash value dependant on the key

• Most common form is HMAC (hash MAC)

– hash( key, hash( key, data ))

• Key affects both start and end of hashing process

• Naming: hash + key = HMAC-hash

– MD5 HMAC-MD5

– SHA-1 HMAC-SHA (recommended)

An Example

Digital Signature/Verification Schemes

Seven-Layer OSI Model

OSI Security Services•Authentication

•Access Control

•Data Confidentiality

•Traffic Flow Confidentiality

•Data Integrity

•Non-Repudiation of both Origin and Delivery of Data

OSI Security Mechanisms•Encipherment•Digital Signatures•Access Control Mechanisms•Data Integrity Mechanisms•Authentication Exchange Mechanisms•Traffic Padding Mechanisms•Notarisation Mechanisms•Routing Control Mechanisms

Inter-network Protocol (IP)

Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Security Services...

Documents

Transcript of Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Security Services...

verano tropical

Qualatex verano Graduacion

Verano 2016 Mundicursos

VERANO SMART CODE

Verano 2004

Glosas, de Francisco Henríquez

Act. Verano Matemat.

Catálogo Verano 2013

Variable aleatoria: definiciones básicasdelta.cs.cinvestav.mx/~francisco/prope/v_aleatoria_short.pdf · Introducción a la Probabilidad Francisco Rodríguez Henríquez Variable Aleatoria

Códigos y Criptografía Francisco Rodríguez Henríquez Security Attacks: Active and Passive Active Masquerade (impersonation) Replay Modification of message.

Códigos y Criptografía Francisco Rodríguez Henríquez A Short Introduction to Stream Ciphers.

Ariel Henríquez Renzo Stanley Ing. Software Avanzada.

RECOSS Region XI - Pastoral Juvenil CURSO DE VERANO 2016 · CURSO DE VERANO 2016 - FAQs What is Curso de Verano? Curso de Verano is an immersion and formation experience in Pastoral

The Advanced Encryption Standard (Rijndael)delta.cs.cinvestav.mx/~francisco/ssi/SSI_inalambrico.pdf · Seguridad en Sistemas de Información Francisco Rodríguez Henríquez Redes

Pedro Henríquez Ureña y El Español en Santo Domingo

Códigos y Criptografía Francisco Rodríguez Henríquez The Advanced Encryption Standard (Rijndael)

Introducción a la Probabilidad - CINVESTAVdelta.cs.cinvestav.mx/~francisco/prope/intro_prob.pdf · 2016. 7. 4. · Introducción a la Probabilidad Francisco Rodríguez Henríquez

DUOMO VERANO

Data Encryption Standard (DES) - Departamento de …delta.cs.cinvestav.mx/~francisco/cripto/des.pdfCódigos y Criptografía Francisco Rodríguez Henríquez Data Encryption Standard

VERANO y PLAYA