
Security

Security requires a protection system but also consideration of the external environment.

A system is secure if its resources are used and accessed as intended under all circumstances. Total security cannot be achieved.

Security Violations:

  • breach of confidentiality: unauthorized reading of data.
  • breach of integrity: unauthorized modification of data.
  • breach of availability: unauthorized destruction of data.
  • theft of service: unauthorized use of resources.
  • denial of service: preventing legitimate use of the system.

Protecting a system:

  • Physical: secure physical site and/or computer(s).
  • Human: authorization of users; risks include phishing and password re-use.
  • Operating system: system must protect itself from security breaches.
  • Network: Interception of data, interruption of communication.

  • Trojan horse: a code segment that misuses its environment (e.g. spyware).
  • Trap door: a hole left in the system, usable by the creator of a program.
  • Logic bomb: code written to detect a certain condition and execute when it occurs.
  • Buffer overflow: pop a shell.
  • Virus: a fragment of code embedded in a legitimate program.
  • Worm: a process that uses the spawn mechanism to duplicate itself.
  • Port scanning: detects what ports are open on systems in a network.
  • Denial of service: disrupting legitimate use of a system.

Protection mechanisms:

  • Cryptography: used to constrain the potential senders and/or receivers of a message.
  • Encryption: used to send messages securely across the network and to protect data, files, disks, etc.

An encryption algorithm consists of the following components:

  • A set K of keys.
  • A set M of messages.
  • A set C of ciphertexts.
  • An encrypting function E : K -> (M -> C)
  • A decrypting function D : K -> (C -> M)

  • Symmetric encryption: the same key is used to encrypt and decrypt.
  • Asymmetric encryption: different encryption and decryption keys.

RSA is the most widely used asymmetric encryption algorithm. (Elliptic-curve cryptography uses shorter keys for the same cryptographic strength.)

ke: public key
kd: private key
N: p * q, the product of two large prime numbers

E_{ke,N}(m) = m^ke mod N (encryption)
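A runnable version of the definitions above, added here as an example (not part of the original notes): E and D take a key and return a function, matching E : K -> (M -> C) and D : K -> (C -> M). The primes 61 and 53, the exponent 17 and the names make_keys and demo are assumptions chosen for illustration; the decryption rule c^kd mod N is the standard RSA counterpart of the encryption rule above.

```python
from math import gcd

# Constructed toy parameters: real RSA primes are 1024+ bits each.
P, Q = 61, 53


def make_keys(p, q, ke=17):
    """Return (ke, kd, N) for primes p and q, using the page's symbols."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(ke, phi) != 1:
        raise ValueError("ke must be coprime to (p-1)(q-1)")
    kd = pow(ke, -1, phi)  # private exponent: ke * kd = 1 (mod phi)
    return ke, kd, n


def E(ke, n):
    """E : K -> (M -> C). Fixing the public key yields an encrypting function."""
    def encrypt(m):
        if not 0 <= m < n:
            raise ValueError("message must be an integer in [0, N)")
        return pow(m, ke, n)  # m^ke mod N
    return encrypt


def D(kd, n):
    """D : K -> (C -> M). Fixing the private key yields a decrypting function."""
    def decrypt(c):
        return pow(c, kd, n)  # c^kd mod N
    return decrypt


def demo():
    ke, kd, n = make_keys(P, Q)
    enc, dec = E(ke, n), D(kd, n)
    c = enc(65)
    # Unpadded RSA is deterministic: equal messages give equal ciphertexts,
    # which is why deployed systems add randomized padding such as OAEP.
    return {"N": n, "kd": kd, "c": c, "m": dec(c), "deterministic": enc(65) == c}


if __name__ == "__main__":
    print(demo())
```
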

Authentication: constraining set of potential senders of a message.

A hash function produces a fixed-size block of data called a message digest or hash value from message m.

Authentication algorithms:

  • message-authentication code (MAC): a cryptographic checksum is generated from the message using a secret key. The key must be shared to authenticate.
  • digital signature: enables anyone to verify the authenticity of a message.

Key distribution

  • out of band: share key via paper or conversation.

  • digital certificate: a public key digitally signed by a trusted party.
  • certificate authority: certificate authorities have their public keys included within web browsers.

Implementation

   ----------------
   | Application  |
   ----------------
   | Presentation |
   ----------------
   | Session      |
   ----------------     -------------
   | Transport    |     | SSL/TLS   |
   ----------------     -------------
   | Network      |     | IPSec/IKE |
   ----------------     -------------
   | Data link    |
   ----------------
   | Physical     |
   ----------------