Conclusion


Description: Conclusion and course summary: crypto basics, symmetric key, public key, hash functions and other topics, cryptanalysis; access control (authentication, authorization, firewalls, IDS); protocols (simple authentication; real-world: SSL, IPSec, Kerberos, WEP, GSM); software. PowerPoint presentation.

Transcript of Conclusion

Page 1: Conclusion


Conclusion

Page 2: Conclusion

Course Summary
Crypto
o Basics, symmetric key, public key, hash functions and other topics, cryptanalysis
Access Control
o Authentication, authorization, firewalls, IDS
Protocols
o Simplified authentication protocols
o Real-world protocols
Software
o Flaws, malware, SRE, development, trusted OS

Page 3: Conclusion

Crypto Basics
Terminology
Classic ciphers
o Simple substitution
o Double transposition
o Codebook
o One-time pad
Basic cryptanalysis

Page 4: Conclusion

Symmetric Key
Stream ciphers
o A5/1
o RC4
Block ciphers
o DES
o AES, TEA, etc.
o Modes of operation
Data integrity (MAC)

Page 5: Conclusion

Public Key
Knapsack (insecure)
RSA
Diffie-Hellman
Elliptic curve crypto (ECC)
Digital signatures and non-repudiation
PKI

Page 6: Conclusion

Hashing and Other
Birthday problem
Tiger Hash
HMAC
Clever uses (online bids, spam reduction, …)
Other topics
o Secret sharing
o Random numbers
o Information hiding (stego, watermarking)
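The "clever uses" item (online bids) relies on a hash commitment: a bidder publishes the hash of the bid before the deadline and reveals the bid afterwards, so the bid cannot be changed once the other bids are known. The following sealed-bid auction is an added example in Python, not code from the slides; the bidder names, bid values, the 16-byte nonce and the 8-byte bid encoding are choices made for this demo.

```python
"""Sealed-bid auction built on a hash commitment (added example, not from the slides).

Bidders publish C = SHA-256(nonce || bid) before the deadline, then reveal
(bid, nonce). A bid counts only if it re-hashes to the published C, so nobody
can adjust a bid after seeing the others. The 16-byte random nonce stops the
auctioneer from brute-forcing the small bid space from C alone.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


def commit(bid: int, nonce: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (commitment, nonce); a fresh random nonce is drawn if none is given."""
    if nonce is None:
        nonce = secrets.token_bytes(16)
    # Fixed-width bid encoding keeps the nonce/bid boundary unambiguous.
    return hashlib.sha256(nonce + bid.to_bytes(8, "big")).digest(), nonce


def open_commitment(commitment: bytes, bid: int, nonce: bytes) -> bool:
    """Check a revealed (bid, nonce) pair against the earlier commitment."""
    recomputed, _ = commit(bid, nonce)
    return hmac.compare_digest(recomputed, commitment)


def run_auction(commitments: Dict[str, bytes],
                reveals: Dict[str, Tuple[int, bytes]]) -> Tuple[Optional[str], Optional[int], List[str]]:
    """Reveal phase: accept only reveals that match a phase-1 commitment.
    Returns (winner, winning bid, names whose reveal was rejected)."""
    valid: Dict[str, int] = {}
    rejected: List[str] = []
    for name, (bid, nonce) in reveals.items():
        if name in commitments and open_commitment(commitments[name], bid, nonce):
            valid[name] = bid
        else:
            rejected.append(name)
    if not valid:
        return None, None, rejected
    winner = max(valid, key=valid.__getitem__)
    return winner, valid[winner], rejected


def demo() -> Tuple[Optional[str], Optional[int], List[str]]:
    """Constructed scenario: Alice and Bob reveal honestly; Carol committed to 90,
    hears Bob's 120 during the reveal phase, and tries to reveal 130 instead."""
    c_alice, n_alice = commit(100)
    c_bob, n_bob = commit(120)
    c_carol, n_carol = commit(90)
    commitments = {"alice": c_alice, "bob": c_bob, "carol": c_carol}
    reveals = {"alice": (100, n_alice), "bob": (120, n_bob), "carol": (130, n_carol)}
    return run_auction(commitments, reveals)


if __name__ == "__main__":
    print(demo())  # ('bob', 120, ['carol'])
```

The scheme is only as good as the hash's collision resistance: a bidder who could find two (nonce, bid) pairs with the same digest could reveal whichever suits them. That is where the "Birthday problem" item comes in: finding any collision in an n-bit hash takes roughly 2^(n/2) work, so the 256-bit SHA-256 output keeps that search at about 2^128.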

Page 7: Conclusion

Advanced Cryptanalysis
Enigma
RC4 (as used in WEP)
Linear and differential cryptanalysis
Knapsack attack (lattice reduction)
RSA timing attacks

Page 8: Conclusion

Authentication
Passwords
o Verification and storage (salt, etc.)
o Cracking (math)
Biometrics
o Fingerprint, hand geometry, iris scan, etc.
o Error rates
Two-factor, single sign-on, Web cookies
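The password items (storage with salt, and the math of cracking) can be shown together. The block below is an added example in Python, not code from the slides: it stores passwords with PBKDF2-HMAC-SHA256 and a per-user salt, verifies them in constant time, and then runs a dictionary attack against a stolen table to count how many hash evaluations the attacker needs with a shared site-wide salt versus per-user salts. The user names, passwords, word list, the record format and the iteration counts are constructed for the demo.

```python
"""Salted, iterated password storage and an offline guessing attack against it
(added example, not from the slides)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

DEFAULT_ITERATIONS = 600_000   # PBKDF2 work factor; assumed value, tune to your hardware
SHARED_SALT = b"sitewide"      # one salt for everyone: for this attack it is as good as none


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Store as 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    A fresh random salt is drawn per user unless one is supplied."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected, iterations = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(iters)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def dictionary_attack(records: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Offline guessing against stolen records. Returns (cracked users, PBKDF2 evaluations).
    The cache models precomputation: a (word, salt, iterations) result is reusable across
    users only when they share a salt, which is exactly what per-user salting prevents."""
    cracked: Dict[str, str] = {}
    cache: Dict[Tuple[str, str, str], bytes] = {}
    work = 0
    for user, stored in records.items():
        _, iters, salt_hex, digest_hex = stored.split("$")
        target = bytes.fromhex(digest_hex)
        for word in wordlist:
            key = (word, salt_hex, iters)
            if key not in cache:
                cache[key] = hashlib.pbkdf2_hmac("sha256", word.encode("utf-8"),
                                                 bytes.fromhex(salt_hex), int(iters))
                work += 1
            if hmac.compare_digest(cache[key], target):
                cracked[user] = word
                break
    return cracked, work


def compare_salting(iterations: int = 1_000) -> dict:
    """Constructed users and word list; the low iteration count only keeps the demo fast.
    Returns the attacker's work with a shared salt and with per-user salts."""
    users = {"alice": "letmein", "bob": "letmein", "carol": "correct horse battery"}
    wordlist = ["password", "letmein", "qwerty", "dragon"]
    shared = {u: hash_password(p, salt=SHARED_SALT, iterations=iterations) for u, p in users.items()}
    salted = {u: hash_password(p, iterations=iterations) for u, p in users.items()}
    _, work_shared = dictionary_attack(shared, wordlist)
    cracked, work_salted = dictionary_attack(salted, wordlist)
    return {"shared_salt_work": work_shared, "per_user_salt_work": work_salted,
            "cracked": sorted(cracked)}


if __name__ == "__main__":
    print(compare_salting())  # {'shared_salt_work': 4, 'per_user_salt_work': 8, 'cracked': ['alice', 'bob']}
```

The count is the "math" of cracking: with a shared salt the attacker evaluates each of the W words once and compares against all U users (work W); with per-user salts every user costs a separate pass (work up to W times U), and a precomputed table is useless. The iteration count multiplies both figures, which is why it should be as high as the login latency budget allows.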

Page 9: Conclusion

Authorization
History/system certification
ACLs and capabilities
Multilevel security (MLS)
o BLP, Biba, compartments, covert channel, inference control
CAPTCHA
Firewalls
IDS

Page 10: Conclusion

Simple Protocols
Authentication
o Using symmetric key
o Using public key
o Session key
o Perfect forward secrecy (PFS)
o Timestamps
Zero knowledge proof (Fiat-Shamir)
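The symmetric-key items above (authentication with a shared key, session key, PFS, timestamps) fit together in one small protocol. The following is an added example in Python, not code from the slides: a three-message mutual authentication in which nonces give freshness, the timestamp bounds how long Bob has to remember old nonces, a session key is derived from the shared key and both nonces, and a final check shows why this construction has no perfect forward secrecy. The message labels, the 30-second window, the key material and the fixed clock are constructed for the demo.

```python
"""Mutual authentication with a shared symmetric key, nonces and a timestamp, then
session-key derivation (added example, not from the slides). K is the long-term key.

  1. Alice -> Bob:   "Alice", R_A, T_A
  2. Bob   -> Alice: R_B, HMAC_K("msg2", "Alice", "Bob", R_A, R_B, T_A)
  3. Alice -> Bob:   HMAC_K("msg3", "Alice", "Bob", R_A, R_B)
  Both sides derive K_s = HMAC_K("session", R_A, R_B).
"""
import hashlib
import hmac
import secrets
import struct
import time

WINDOW_SECONDS = 30.0   # clock skew accepted for T_A (assumed value)


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def session_key(key: bytes, r_a: bytes, r_b: bytes) -> bytes:
    return mac(key, b"session", r_a, r_b)


class Initiator:
    """Alice: sends message 1, authenticates Bob via message 2, sends message 3."""

    def __init__(self, key: bytes, now=time.time, name: bytes = b"Alice"):
        self.key, self.now, self.name = key, now, name

    def msg1(self):
        self.r_a, self.t_a = secrets.token_bytes(16), self.now()
        return self.name, self.r_a, self.t_a

    def msg3(self, peer: bytes, r_b: bytes, tag2: bytes):
        expected = mac(self.key, b"msg2", self.name, peer, self.r_a, r_b, struct.pack(">d", self.t_a))
        if not hmac.compare_digest(tag2, expected):
            raise ValueError("message 2 failed authentication")
        return mac(self.key, b"msg3", self.name, peer, self.r_a, r_b), session_key(self.key, self.r_a, r_b)


class Responder:
    """Bob: checks freshness of message 1, answers, authenticates Alice via message 3."""

    def __init__(self, key: bytes, now=time.time, name: bytes = b"Bob"):
        self.key, self.now, self.name = key, now, name
        self.seen = set()      # (client, R_A, T_A) already accepted: replay cache
        self.pending = {}      # R_A -> (client, R_B) awaiting message 3

    def msg2(self, client: bytes, r_a: bytes, t_a: float):
        if abs(self.now() - t_a) > WINDOW_SECONDS:
            raise ValueError("timestamp outside acceptance window")
        if (client, r_a, t_a) in self.seen:
            raise ValueError("replay of message 1")
        self.seen.add((client, r_a, t_a))
        r_b = secrets.token_bytes(16)
        self.pending[r_a] = (client, r_b)
        return r_b, mac(self.key, b"msg2", client, self.name, r_a, r_b, struct.pack(">d", t_a))

    def finish(self, r_a: bytes, tag3: bytes) -> bytes:
        client, r_b = self.pending.pop(r_a)
        if not hmac.compare_digest(tag3, mac(self.key, b"msg3", client, self.name, r_a, r_b)):
            raise ValueError("message 3 failed authentication")
        return session_key(self.key, r_a, r_b)


def run_protocol(key: bytes, clock):
    """Honest run. Returns (Alice's K_s, Bob's K_s, Bob's state, recorded transcript)."""
    alice, bob = Initiator(key, clock), Responder(key, clock)
    name, r_a, t_a = alice.msg1()
    r_b, tag2 = bob.msg2(name, r_a, t_a)
    tag3, ks_alice = alice.msg3(bob.name, r_b, tag2)
    ks_bob = bob.finish(r_a, tag3)
    return ks_alice, ks_bob, bob, {"msg1": (name, r_a, t_a), "msg2": (r_b, tag2), "msg3": tag3}


def demo() -> dict:
    """Constructed scenario with a fixed clock: honest run, replay, stale replay,
    and the lack of forward secrecy."""
    key, t0 = bytes(range(32)), 1_700_000_000.0      # constructed long-term key and clock
    ks_alice, ks_bob, bob, transcript = run_protocol(key, lambda: t0)
    results = {"keys_match": ks_alice == ks_bob}

    def rejected(responder) -> bool:                  # does this Bob refuse a replayed message 1?
        try:
            responder.msg2(*transcript["msg1"])
            return False
        except ValueError:
            return True

    results["replay_rejected"] = rejected(bob)                                               # replay cache
    results["stale_rejected"] = rejected(Responder(key, lambda: t0 + WINDOW_SECONDS + 1))   # timestamp
    # No perfect forward secrecy: K_s is a function of K and the public nonces, so anyone who
    # later learns K and kept the transcript recovers K_s. PFS needs an ephemeral exchange
    # such as Diffie-Hellman, which this protocol does not include.
    _, r_a, _ = transcript["msg1"]
    results["session_key_recoverable_from_k"] = session_key(key, r_a, transcript["msg2"][0]) == ks_alice
    return results
```

The timestamp and the replay cache work as a pair: the cache only has to hold nonces from inside the acceptance window, since anything older fails the timestamp check outright. Binding both names into every MAC is what stops a reflection attack in which Trudy sends Bob's own challenge back to him.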

Page 11: Conclusion

Real-World Protocols
SSH
SSL
IPSec
o IKE
o ESP/AH, tunnel/transport modes, …
Kerberos
Wireless: WEP & GSM

Page 12: Conclusion

Software Flaws and Malware
Flaws
o Buffer overflow
o Incomplete mediation, race condition, etc.
Malware
o Brain, Morris Worm, Code Red, Slammer
o Malware detection
o Future of malware, botnets, etc.
Other software-based attacks
o Salami, linearization, etc.

Page 13: Conclusion

Insecurity in Software
Software reverse engineering (SRE)
o Software protection
Digital rights management (DRM)
Software development
o Open vs closed source
o Finding flaws (do the math)

Page 14: Conclusion

Operating Systems
OS security functions
o Separation
o Memory protection, access control
Trusted OS
o MAC, DAC, trusted path, TCB, etc.
NGSCB
o Technical issues
o Criticisms

Page 15: Conclusion

Crystal Ball
Cryptography
o Well-established field
o Don’t expect major changes
o But some systems will be broken
o ECC is a major “growth” area
o Quantum crypto may prove worthwhile…
o …but for now it’s mostly (all?) hype

Page 16: Conclusion

Crystal Ball
Authentication
o Passwords will continue to be a problem
o Biometrics should become more widely used
o Smartcards/tokens will be used more
Authorization
o ACLs, etc., are well-established areas
o CAPTCHAs are an interesting new topic
o IDS is a very hot topic

Page 17: Conclusion

Crystal Ball
Protocols are challenging
Difficult to get protocols right
Protocol development is often haphazard
o “Kerckhoffs’ Principle” for protocols?
o Would it help?
Protocols will continue to be a source of subtle problems

Page 18: Conclusion

Crystal Ball
Software is a huge security problem today
o Buffer overflows are on the decline…
o …but race condition attacks might increase
Virus writers are getting smarter
o Botnets
o Polymorphic, metamorphic, sophisticated attacks, …
o Future of malware detection?
Malware will continue to be a BIG problem

Page 19: Conclusion

Crystal Ball
Other software issues
o Reverse engineering will not go away
o Secure development will remain hard
o Open source is not a panacea
OS issues
o NGSCB (or similar) might change things…
o …but, for better or for worse?

Page 20: Conclusion

The Bottom Line
Security knowledge is needed today…
…and it will be needed in the future
Necessary to understand technical issues
o The focus of this class
But technical knowledge is not enough
o Human nature, legal issues, business issues, ...
o As with anything, experience is helpful

Page 21: Conclusion

A True Story
The names have been changed…
“Bob” took my information security class
Bob then got an intern position
o At a major company that does lots of security
One meeting, an important customer asked
o “Why do we need signed certificates?”
o “After all, they cost money!”
The silence was deafening

Page 22: Conclusion

A True Story
Bob’s boss remembered that Bob had taken a security class
o So he asked Bob, the lowly intern, to answer
o Bob mentioned the man-in-the-middle attack on SSL
Customer wanted to hear more
o So, Bob explained the MiM attack in some detail
The next day, “Bob the lowly intern” became “Bob the full-time employee”