Presentation is loading. Please wait.

Presentation is loading. Please wait.

Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Security Services in Information Systems.

Published byEvelyn Crawford Modified over 9 years ago

Similar presentations

Presentation on theme: "Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Security Services in Information Systems."— Presentation transcript:

1 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Security Services in Information Systems

2 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Antecedents and Motivation

3 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez What is this part of the course about? In this part of the course we will discuss the following topics –security needs –security services –security mechanisms and protocols for data stored in computers and transmitted across computer networks

4 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez What we will/won’t cover? We will cover –security threats –security protocols in use with emphasis on Authentication –Certificates and PKI –Introduction to Wireless Security We will not cover –cryptography (just an overview will be given) –computer networks –operating systems –computers in general –how to hack

5 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez What security is about in general? Security is about protection of assets –D. Gollmann, Computer Security, Wiley Prevention –take measures that prevent your assets from being damaged Detection –take measures so that you can detect when, how, and by whom an asset has been damaged Reaction –take measures so that you can recover your assets

6 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Real world example Prevention –locks at doors, window bars, secure the walls around the property, hire a guard Detection –missing items, burglar alarms, closed circuit TV Reaction –attack on burglar, call the police, replace stolen items, make an insurance claim

7 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Services, Mechanisms, Attacks 3 aspects of information security: –security attacks (and threats) actions that compromise security –security services services counter to attacks –security mechanisms used by services E.g. secrecy is a service, encipherment is a mechanism

8 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez NETWORK SECURITY FUNDAMENTALS Security Attacks and Security Services A Model of Network Security Access Policies

9 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez SECURITY ATTACKS & SECURITY SERVICES Unauthorised Access Unauthorised Disclosure of Information Unauthorised Modification of Information Unauthorised Denial of Service Security Threads

10 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Attacker resources and methods vary greatly ResourceTeenagerAcademicOrg. CrimeGov’t TimeLimitedModerateLarge Budget ($)<$1000$10K-$100K$100K+Unknown CreativityVariesHighVaries DetectabilityHigh Low TargetChallengePublicityMoneyVaries NumberManyModerateFewUnknown OrganizedNo Yes Spread info?Yes VariesNo Source: Cryptography Research, Inc. 1999, “Crypto Due Diligence”

11 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Source: Blaze/Diffie/Rivest/Schneier/Shimoura/Thompson/Wiener: www.bsa.org/policy/encryption Minimal key lengths for symmetric ciphers Type of attacker Budget Tool Time and cost per key recovered Length needed for protection in late 1995 40 bits 56 bits Pedestrian Hacker Small Business Corporate Department Big Company Intelligence Agency tiny $400 $10.000 $300K $10M $300M scavenged computer time FPGA ASIC FPGA ASIC 1 week 5 hours ($0.08) 12 min ($0.08) 24 sec ($0.08) 18 sec ($0.001) 7 sec ($0.08) 0.005 sec ($0.001) 0.0002 sec ($0.001) infeasible 38 years ($5,000) 556 days ($5,000) 19 days ($5,000) 3 hours ($38) 13 hours ($5,000) 6 min ($38) 12 sec ($38) 45 50 55 60 70 75

12 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez SECURITY ATTACKS & SECURITY SERVICES Passive Attacks

13 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez SECURITY ATTACKS & SECURITY SERVICES Active Attacks

14 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez SECURITY ATTACKS & SECURITY SERVICES Attacks Accidental Intentional Software Errors Hardware Errors Poor Management of Resources PassiveActive Release of Message content Traffic Analysis Data Mod. Data Delay Data Blocking Data Copy Data Replay Data Destruction

15 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Security Mechanisms Basically cryptographic techniques/technologies –that serve to security services –to prevent/detect/recover attacks Encipherment –use of mathematical algorithms to transform data into a form that is not readily intelligible keys are involved

16 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Message Digest –similar to encipherment, but one-way (recovery not possible) –generally no keys are used Digital Signatures –Data appended to, or a cryptographic transformation of, a data unit to prove the source and the integrity of the data Authentication Exchange –ensure the identity of an entity by exchanging some information Security Mechanisms

17 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Notarization –use of a trusted third party to assure certain properties of a data exchange Timestamping –inclusion of correct date and time within messages Non-cryptographic mechanisms –traffic padding (for traffic analysis) –intrusion detection –firewalls Security Mechanisms

18 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Security Services Confidentiality- protect info value Authentication- protect info origin (sender) Identification- ensure identity of users Integrity- protect info accuracy Non-repudiation - protect from deniability Access control - access to info/resources Availability - ensure info delivery

19 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Relationships Integrity Authentication Non-repudiation

20 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Two references ITU-T X.800 Security Architecture for OSI –gives a systematic way of defining and providing security requirements RFC 2828 –over 200 pages glossary on Internet Security

21 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Security Systems by layers Computer Arithmetic : Addition, Squaring, multiplication, inversion and exponentiation Public Key Crypto Algorithms: RSA, ECC Symmetric Crypto Algorithms: AES, DES, RC4, etc. Public Key Crypto Algorithms: RSA, ECC Symmetric Crypto Algorithms: AES, DES, RC4, etc. Crypto User Functions: Encrypt/Decrypt, Sign/verify Crypto User Functions: Encrypt/Decrypt, Sign/verify Security Services: Confidentiality, Data Integrity, Data Authentication, Non-Repudiation Communication Protocols : SSL, TLS, WTLS, WAP, etc. Applications: Secure e-mail, Digital Money, Smart Cards, Firewalls, etc.

22 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Fundamental Dilemma of Security Security unaware users have specific security requirements but no security expertise. –from D. Gollmann –Solution: level of security is given in predefined classes specified in some common criteria

23 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Fundamental Tradeoff Absolutely secure systems do no exist To half your vulnerability you have to double your expenditure Cryptography is typically bypassed not penetrated.

24 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez The Three Laws of Security Security unaware users have specific security requirements but no security expertise. –from D. Gollmann –Solution: level of security is given in predefined classes specified in some common criteria

25 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Kerckhkoffs’s Principle While assessing the strength of a cryptosystem, one should always assume that the enemy knows the cryptographic algorithm used. The security of the system, therefore, should be based on * the quality (strength) of the algorithm but not its obscurity * the key space (or key length)

26 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez A Cryptosystem Classification Public key cryptography (RSA, ECC, NTRU) Secret key Cryptography (DES, AES, RC4) Block ciphers (DES, IDEA, RSA) 64-128 bits Stream ciphers (A5, RC4, SEAL) encryption in a bit to bit basis.

27 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez A Simplified Model of Conventional Encryption

28 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Message Digest A message digest, also known as a one-way hash function, is a fixed length computionally unique identifier corresponding to a set of data. That is, each unit of data (a file, a buffer, etc.) will map to a particular short block, called a message digest. It is not random: digesting the same unit of data with the same digest algorithm will always produce the same short block. A good message digest algorithm possesses the following qualities –The algorithm accepts any input data length. –The algorithm produces a fixed length output for any input data. –The digest does not reveal anything about the input that was used to generate it. –It is computationally infeasible to produce data that has a specific digest. –It is computationally infeasible to produce two different unit of data that produce the same digest.

29 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Hash Algorithms Reduce variable-length input to fixed- length (128 or 160bit) output Requirements –Can't deduce input from output –Can't generate a given output –Can't find two inputs which produce the same output

30 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Hash Algorithms Used to –Produce fixed-length fingerprint of arbitrary- length data –Produce data checksums to enable detection of modifications –Distill passwords down to fixed-length encryption keys Also called message digests or fingerprints

31 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Message Authentication Code MAC Hash algorithm + key to make hash value dependant on the key Most common form is HMAC (hash MAC) –hash( key, hash( key, data )) Key affects both start and end of hashing process Naming: hash + key = HMAC-hash –MD5 1 HMAC-MD5 –SHA-1 1 HMAC-SHA (recommended)

32 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez An Example

33 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Digital Signature/Verification Schemes

34 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Digital Signature/Verification Schemes

35 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Digital Signature/Verification Schemes

36 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Seven-Layer OSI Model

37 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez SECURITY ATTACKS & SECURITY SERVICES OSI Security Services Authentication Access Control Data Confidentiality Traffic Flow Confidentiality Data Integrity Non-Repudiation of both Origin and Delivery of Data

38 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez SECURITY ATTACKS & SECURITY SERVICES OSI Security Mechanisms Encipherment Digital Signatures Access Control Mechanisms Data Integrity Mechanisms Authentication Exchange Mechanisms Traffic Padding Mechanisms Notarisation Mechanisms Routing Control Mechanisms

39 Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Inter-network Protocol (IP)

Download ppt "Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Security Services in Information Systems."

Similar presentations

Network Security Chapter 1 - Introduction.

Network Security Chapter 1 - Introduction.
Public Key Infrastructure and Applications

Public Key Infrastructure and Applications
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
Computer and Network Security Mini Lecture by Milica Barjaktarovic.

Computer and Network Security Mini Lecture by Milica Barjaktarovic.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.

1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
Cryptography and Network Security Chapter 1

Cryptography and Network Security Chapter 1
Information Security Principles & Applications Topic 4: Message Authentication 虞慧群

Information Security Principles & Applications Topic 4: Message Authentication 虞慧群
Chapter 1 – Introduction

Chapter 1 – Introduction
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not.

Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Applied Cryptography for Network Security

Applied Cryptography for Network Security
Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,

Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,
Introduction (Pendahuluan)  Information Security.

Introduction (Pendahuluan)  Information Security.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Similar presentations

Ads by Google