Presentation is loading. Please wait.

Presentation is loading. Please wait.

Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Security Services in Information Systems.

Similar presentations


Presentation on theme: "Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Security Services in Information Systems."— Presentation transcript:

1 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Security Services in Information Systems

2 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Antecedents and Motivation

3 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez What is this part of the course about? In this part of the course we will discuss the following topics –security needs –security services –security mechanisms and protocols for data stored in computers and transmitted across computer networks

4 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez What we will/won’t cover? We will cover –security threats –security protocols in use with emphasis on Authentication –Certificates and PKI –Introduction to Wireless Security We will not cover –cryptography (just an overview will be given) –computer networks –operating systems –computers in general –how to hack

5 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez What security is about in general? Security is about protection of assets –D. Gollmann, Computer Security, Wiley Prevention –take measures that prevent your assets from being damaged Detection –take measures so that you can detect when, how, and by whom an asset has been damaged Reaction –take measures so that you can recover your assets

6 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Real world example Prevention –locks at doors, window bars, secure the walls around the property, hire a guard Detection –missing items, burglar alarms, closed circuit TV Reaction –attack on burglar, call the police, replace stolen items, make an insurance claim

7 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Services, Mechanisms, Attacks 3 aspects of information security: –security attacks (and threats) actions that compromise security –security services services counter to attacks –security mechanisms used by services E.g. secrecy is a service, encipherment is a mechanism

8 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez NETWORK SECURITY FUNDAMENTALS Security Attacks and Security Services A Model of Network Security Access Policies

9 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez SECURITY ATTACKS & SECURITY SERVICES Unauthorised Access Unauthorised Disclosure of Information Unauthorised Modification of Information Unauthorised Denial of Service Security Threads

10 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Attacker resources and methods vary greatly ResourceTeenagerAcademicOrg. CrimeGov’t TimeLimitedModerateLarge Budget ($)<$1000$10K-$100K$100K+Unknown CreativityVariesHighVaries DetectabilityHigh Low TargetChallengePublicityMoneyVaries NumberManyModerateFewUnknown OrganizedNo Yes Spread info?Yes VariesNo Source: Cryptography Research, Inc. 1999, “Crypto Due Diligence”

11 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Source: Blaze/Diffie/Rivest/Schneier/Shimoura/Thompson/Wiener: Minimal key lengths for symmetric ciphers Type of attacker Budget Tool Time and cost per key recovered Length needed for protection in late bits 56 bits Pedestrian Hacker Small Business Corporate Department Big Company Intelligence Agency tiny $400 $ $300K $10M $300M scavenged computer time FPGA ASIC FPGA ASIC 1 week 5 hours ($0.08) 12 min ($0.08) 24 sec ($0.08) 18 sec ($0.001) 7 sec ($0.08) sec ($0.001) sec ($0.001) infeasible 38 years ($5,000) 556 days ($5,000) 19 days ($5,000) 3 hours ($38) 13 hours ($5,000) 6 min ($38) 12 sec ($38)

12 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez SECURITY ATTACKS & SECURITY SERVICES Passive Attacks

13 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez SECURITY ATTACKS & SECURITY SERVICES Active Attacks

14 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez SECURITY ATTACKS & SECURITY SERVICES Attacks Accidental Intentional Software Errors Hardware Errors Poor Management of Resources PassiveActive Release of Message content Traffic Analysis Data Mod. Data Delay Data Blocking Data Copy Data Replay Data Destruction

15 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Security Mechanisms Basically cryptographic techniques/technologies –that serve to security services –to prevent/detect/recover attacks Encipherment –use of mathematical algorithms to transform data into a form that is not readily intelligible keys are involved

16 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Message Digest –similar to encipherment, but one-way (recovery not possible) –generally no keys are used Digital Signatures –Data appended to, or a cryptographic transformation of, a data unit to prove the source and the integrity of the data Authentication Exchange –ensure the identity of an entity by exchanging some information Security Mechanisms

17 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Notarization –use of a trusted third party to assure certain properties of a data exchange Timestamping –inclusion of correct date and time within messages Non-cryptographic mechanisms –traffic padding (for traffic analysis) –intrusion detection –firewalls Security Mechanisms

18 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Security Services Confidentiality- protect info value Authentication- protect info origin (sender) Identification- ensure identity of users Integrity- protect info accuracy Non-repudiation - protect from deniability Access control - access to info/resources Availability - ensure info delivery

19 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Relationships Integrity Authentication Non-repudiation

20 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Two references ITU-T X.800 Security Architecture for OSI –gives a systematic way of defining and providing security requirements RFC 2828 –over 200 pages glossary on Internet Security

21 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Security Systems by layers Computer Arithmetic : Addition, Squaring, multiplication, inversion and exponentiation Public Key Crypto Algorithms: RSA, ECC Symmetric Crypto Algorithms: AES, DES, RC4, etc. Public Key Crypto Algorithms: RSA, ECC Symmetric Crypto Algorithms: AES, DES, RC4, etc. Crypto User Functions: Encrypt/Decrypt, Sign/verify Crypto User Functions: Encrypt/Decrypt, Sign/verify Security Services: Confidentiality, Data Integrity, Data Authentication, Non-Repudiation Communication Protocols : SSL, TLS, WTLS, WAP, etc. Applications: Secure , Digital Money, Smart Cards, Firewalls, etc.

22 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Fundamental Dilemma of Security Security unaware users have specific security requirements but no security expertise. –from D. Gollmann –Solution: level of security is given in predefined classes specified in some common criteria

23 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Fundamental Tradeoff Absolutely secure systems do no exist To half your vulnerability you have to double your expenditure Cryptography is typically bypassed not penetrated.

24 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez The Three Laws of Security Security unaware users have specific security requirements but no security expertise. –from D. Gollmann –Solution: level of security is given in predefined classes specified in some common criteria

25 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Kerckhkoffs’s Principle While assessing the strength of a cryptosystem, one should always assume that the enemy knows the cryptographic algorithm used. The security of the system, therefore, should be based on * the quality (strength) of the algorithm but not its obscurity * the key space (or key length)

26 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez A Cryptosystem Classification Public key cryptography (RSA, ECC, NTRU) Secret key Cryptography (DES, AES, RC4) Block ciphers (DES, IDEA, RSA) bits Stream ciphers (A5, RC4, SEAL) encryption in a bit to bit basis.

27 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez A Simplified Model of Conventional Encryption

28 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Message Digest A message digest, also known as a one-way hash function, is a fixed length computionally unique identifier corresponding to a set of data. That is, each unit of data (a file, a buffer, etc.) will map to a particular short block, called a message digest. It is not random: digesting the same unit of data with the same digest algorithm will always produce the same short block. A good message digest algorithm possesses the following qualities –The algorithm accepts any input data length. –The algorithm produces a fixed length output for any input data. –The digest does not reveal anything about the input that was used to generate it. –It is computationally infeasible to produce data that has a specific digest. –It is computationally infeasible to produce two different unit of data that produce the same digest.

29 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Hash Algorithms Reduce variable-length input to fixed- length (128 or 160bit) output Requirements –Can't deduce input from output –Can't generate a given output –Can't find two inputs which produce the same output

30 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Hash Algorithms Used to –Produce fixed-length fingerprint of arbitrary- length data –Produce data checksums to enable detection of modifications –Distill passwords down to fixed-length encryption keys Also called message digests or fingerprints

31 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Message Authentication Code MAC Hash algorithm + key to make hash value dependant on the key Most common form is HMAC (hash MAC) –hash( key, hash( key, data )) Key affects both start and end of hashing process Naming: hash + key = HMAC-hash –MD5 1 HMAC-MD5 –SHA-1 1 HMAC-SHA (recommended)

32 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez An Example

33 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Digital Signature/Verification Schemes

34 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Digital Signature/Verification Schemes

35 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Digital Signature/Verification Schemes

36 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Seven-Layer OSI Model

37 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez SECURITY ATTACKS & SECURITY SERVICES OSI Security Services Authentication Access Control Data Confidentiality Traffic Flow Confidentiality Data Integrity Non-Repudiation of both Origin and Delivery of Data

38 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez SECURITY ATTACKS & SECURITY SERVICES OSI Security Mechanisms Encipherment Digital Signatures Access Control Mechanisms Data Integrity Mechanisms Authentication Exchange Mechanisms Traffic Padding Mechanisms Notarisation Mechanisms Routing Control Mechanisms

39 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Inter-network Protocol (IP)


Download ppt "Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Security Services in Information Systems."

Similar presentations


Ads by Google