CSE 4482, Fall 2009, D Chan Session 2 – Common Security Techniques.
-
Upload
harold-moore -
Category
Documents
-
view
217 -
download
1
Transcript of CSE 4482, Fall 2009, D Chan Session 2 – Common Security Techniques.
CSE 4482, Fall 2009, D Chan
Session 2 – Common Security TechniquesSession 2 – Common Security Techniques
CSE 4482, Fall 2009, D Chan
Two-factor Authentication
Used to compensate for the inherent weaknesses of passwords, i.e., guessing and hacking.
Uses what the user has and what the user knows.
Examples are to use a token with a dynamic password and ATM.
CSE 4482, Fall 2009, D Chan
Biometrics
Can include fingerprint, hand geometry, voice etc.
Held back by privacy concerns.
Not recognised legally in place of signature
CSE 4482, Fall 2009, D Chan
Operating System Security
Use a standard checklist for configuration
Implement vendor updates
Use scanning software to detect vulnerabilities before implementation and periodically
CSE 4482, Fall 2009, D Chan
Firewall
Can be hardware based only, e.g., a router.
Can be a server with sophisticated software, more granular and reliable than a router, provides better logs.
Can use artificial intelligence to check for patterns.
CSE 4482, Fall 2009, D Chan
Firewall
Every organization that hosts a web site should have a firewall to protect its internal network from hackers
The firewall would block traffic that is definitely unacceptable.
CSE 4482, Fall 2009, D Chan
Firewall
A typical firewall uses rules to determine whether traffic is acceptable, e.g., port scanning is not allowed by some organizations.
A data packet typically consists of a source Internet Protocol (IP) address, a port and a destination Internet Protocol address.
CSE 4482, Fall 2009, D Chan
Firewall
A port is a logical connection point in a network device including a computer.
It is used to standardize Internet traffic, e.g., web browsing uses port 80, e-commerce uses port 443.
CSE 4482, Fall 2009, D Chan
Virus Protection
Companies around the world spend about US $20 billion a year to clean up viruses
All critical servers are protectedAll internet email is scannedAutomated identification of workstations
that do not have up-to-date signature filesOrganizations should block common virus
file types to be proactive
CSE 4482, Fall 2009, D Chan
Virtual Private Network
To secure remote access to company systems by staff or contractors.
Should require two-factor authentication.
Encrypted traffic, bypasses firewall, secure tunnel should end at another firewall with traffic decrypted.
CSE 4482, Fall 2009, D Chan
Intrusion Detection System
Installed at critical points of a network to inspect incoming and outgoing traffic for anomalies and malicious messages.
Alerts systems administrators to take pre-emptive or corrective actions.
CSE 4482, Fall 2009, D Chan
Intrusion Prevention System
Combines firewall and intrusion detection technologies.
Rejects highly questionable or unacceptable traffic.
More effective than firewalls but may have false positive.
CSE 4482, Fall 2009, D Chan
Encryption
Uses mathematics to scramble data.
Uses a key and an algorithm . Commercial algorithms are public knowledge.
Symmetric key.
Asymmetric keys (private/public key pair).
CSE 4482, Fall 2009, D Chan
Symmetric Key Encryption
The same key is used to decrypt and encrypt
Simple to encrypt and decryptLarge number of keys required for
one-on-one secret communicationNumber of keys for N people is N(N-
1)/2Need to secure the key
CSE 4482, Fall 2009, D Chan
Asymmetric Encryption
A pair of key is generated by a user, a private key and a corresponding public key.
The public key can be disclosed. The private key is secured.
People can use the public key to encrypt material.
CSE 4482, Fall 2009, D Chan
Asymmetric Encryption
The corresponding private key is needed to decrypt.
The 2 keys cannot be reengineered, i.e., you cannot use the public key to derive the private key.
Longer keys than symmetric and therefore a longer process to encrypt and decrypt.
CSE 4482, Fall 2009, D Chan
Asymmetric Encryption
Needed for email encryption.
Used for e-commerce, digital certificates and digital signatures.
Number of keys for N users is 2N.
CSE 4482, Fall 2009, D Chan
Digital Signature
A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and to ensure that the original content of the message or document that has been sent is unchanged.
CSE 4482, Fall 2009, D Chan
Digital Signature
The sender uses an algorithm to compute a hash (garbled digest) of the document
Sender uses its private key to encrypt the hash.
Recipient uses same algorithm to hash the plain text document when received.
Recipient uses the public key to decrypt the digital signature and compare to the hash the recipient created, to confirm integrity.
CSE 4482, Fall 2009, D Chan
Digital Certificate
• An electronic business card that establishes your credentials when doing business or other transactions on the Web.
• It is issued and digitally signed by a certification authority. It contains your name, a serial number, expiration dates, the certificate authority’s name and public key, and your public key.
• People can use the certificate authority’s public key to verify the signature.
CSE 4482, Fall 2009, D Chan
Certificate Authority
An organization that issues digital certificates to companies and individuals
An organization can issue digital certificates to its own customers or employees to authenticate local transactions
The certificate authority will do due diligence to confirm the existence and authenticity of the party before issuing a certificate.
CSE 4482, Fall 2009, D Chan
E-commerce Encryption
Uses both symmetric keys and asymmetric keys
Enforced by the merchant
Merchant sends its certificate and public key to the browser
CSE 4482, Fall 2009, D Chan
E-commerce Encryption
Browser generates a symmetric key
Browser encrypts the symmetric key with the merchant’s public key
Browser authenticates the digital certificate
Encrypted symmetric key is sent to merchant
CSE 4482, Fall 2009, D Chan
E-commerce Encryption
Merchant decrypts the symmetric key with its private key
The symmetric key is used for all subsequent transfer of information between the 2 parties until the user logs off.
CSE 4482, Fall 2009, D Chan
Email Encryption
Sender uses the recipient’s public key to encrypt the message
Sender signs the message with own private key
Recipient uses own private key to decrypt message
Recipient uses sender’s public key to authenticate the digital signature