Avishai Wool lecture 13 - 1 Introduction to Systems Programming Lecture 13 Security.

Slides:



Advertisements
Similar presentations
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
Advertisements

Digital Signatures and Hash Functions. Digital Signatures.
1 Counter-measures Threat Monitoring Cryptography as a security tool Encryption Digital Signature Key distribution.
1 Security Chapter The security environment 9.2 Basics of cryptography 9.3 User authentication 9.4 Attacks from inside the system 9.5 Attacks from.
Security Chapters 14,15. The Security Environment Threats Security goals and threats.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Security Chapter The security environment 9.2 Basics of cryptography 9.3 User authentication 9.4 Attacks from inside the system 9.5 Attacks from.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
1 Pertemuan 23 Sistem Keamanan Matakuliah: T0316/sistem Operasi Tahun: 2005 Versi/Revisi: 5.
1 Security and Protection Chapter 9. 2 The Security Environment Threats Security goals and threats.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Public Key Algorithms 4/17/2017 M. Chatterjee.
8: Network Security8-1 Symmetric key cryptography symmetric key crypto: Bob and Alice share know same (symmetric) key: K r e.g., key is knowing substitution.
Lecture 24 Cryptography CPE 401 / 601 Computer Network Systems slides are modified from Jim Kurose and Keith Ross and Dave Hollinger.
Computer Science Lecture 22, page 1 Security in Distributed Systems Introduction Cryptography Authentication Key exchange Readings: Tannenbaum, chapter.
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.
Lecture 4 Cryptographic Tools (cont) modified from slides of Lawrie Brown.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.5 Public Key Algorithms.
Introduction to Public Key Cryptography
Public Key Model 8. Cryptography part 2.
 Introduction  Requirements for RSA  Ingredients for RSA  RSA Algorithm  RSA Example  Problems on RSA.
1 Fluency with Information Technology Lawrence Snyder Chapter 17 Privacy & Digital Security Encryption.
Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.
Chi-Cheng Lin, Winona State University CS 313 Introduction to Computer Networking & Telecommunication Network Security (A Very Brief Introduction)
Security 0 The Secure Environment. Security 1 The Secure Environment Security goals (C.I.A.) and threats.
1 Security Chapter The security environment 9.2 Basics of cryptography 9.3 User authentication 9.4 Attacks from inside the system 9.5 Attacks from.
Cryptography, Authentication and Digital Signatures
David Evans CS150: Computer Science University of Virginia Computer Science Class 31: Cookie Monsters and Semi-Secure.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
Types of Electronic Infection
4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.
Module 3 – Cryptography Cryptography basics Ciphers Symmetric Key Algorithms Public Key Algorithms Message Digests Digital Signatures.
Cryptography Wei Wu. Internet Threat Model Client Network Not trusted!!
Public Key Cryptography. symmetric key crypto requires sender, receiver know shared secret key Q: how to agree on key in first place (particularly if.
1 Public-Key Cryptography and Message Authentication.
Computer and Network Security Rabie A. Ramadan Lecture 6.
Cryptography and Network Security Chapter 9 - Public-Key Cryptography
Network Security David Lazăr.
11-Basic Cryptography Dr. John P. Abraham Professor UTPA.
Public / Private Keys was a big year… DES: Adopted as an encryption standard by the US government. It was an open standard. The NSA calls it “One.
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
Privacy versus Authentication Confidentiality (Privacy) –Interceptors cannot read messages Authentication: proving the sender’s identity –The Problem of.
CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.
Lecture 2: Introduction to Cryptography
Cryptography 1 Crypto Cryptography 2 Crypto  Cryptology  The art and science of making and breaking “secret codes”  Cryptography  making “secret.
Chapter 3 – Public Key Cryptography and RSA (A). Private-Key Cryptography traditional private/secret/single-key cryptography uses one key shared by both.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.
Invitation to Computer Science 5 th Edition Chapter 8 Information Security.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
 Encryption provides confidentiality  Information is unreadable to anyone without knowledge of the key  Hashing provides integrity  Verify the integrity.
Cryptography services Lecturer: Dr. Peter Soreanu Students: Raed Awad Ahmad Abdalhalim
Department of Computer Science Chapter 5 Introduction to Cryptography Semester 1.
Network Security  introduction  cryptography  authentication  key exchange  required reading: text section 7.1.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
Cryptographic Hash Function
ICS 454 Principles of Cryptography
ICS 454 Principles of Cryptography
Presentation transcript:

Avishai Wool lecture Introduction to Systems Programming Lecture 13 Security

Avishai Wool lecture Security goals and threats GOAL Data confidentiality Data integrity User authentication Privilege separation System availability THREAT Data exposure Data modification Masquerading Privilege elevation Denial of service

Avishai Wool lecture Introduction to Cryptography

Avishai Wool lecture Basics of Cryptography Relationship between the plaintext and the ciphertext

Avishai Wool lecture Encryption key == decryption key Monoalphabetic substitution –each letter replaced by different letter: a->x, b->t, … –very easy to break Modern computer ciphers: –DES (Data Encryption Standard, 1977) – 56bit keys –3-DES / triple DES: use DES 3 times - 112/168bit keys –AES (Advanced Encryption Standard, 2001) – bit Symmetric-Key Cryptography

Avishai Wool lecture Brute force attack Attacker knows –Algorithm –a pair of matching plaintext/ciphertext pair C=E k (P) Try all possible keys k to find the right key. Defense: have many possible keys. If key is n-bits then attacker needs to try 2 n keys How big should n be? –40 bits not enough –56 bits (DES) borderline –128 bits (AES) is good

Avishai Wool lecture Key distribution problem Both sides need the secret key before communication can start. For n parties, n 2 secret keys. Does not scale! OK for small or centralized systems (military). How to communicate securely with someone you have never met? Large-scale e-commerce?

Avishai Wool lecture Public-Key Cryptography All users pick a public key/private key pair –publish the public key in a directory –private key not published Public key is the encryption key –private key is the decryption key Idea invented by Diffie/Hellman

Avishai Wool lecture Public key systems First working public-key crypto-system: Rivest- Shamir-Adelman (RSA). Based on difficulty of factoring large numbers Typical size of numbers: 1024 bits! Free, good public-key crypto software: PGP (pretty-good-privacy) (commercial) (international, free)

Avishai Wool lecture RSA Setup –Pick 2 secret large prime numbers p,q ( bits) –Compute n=p*q (n is the public modulus) –Let  = (p-1)*(q-1) (Euler’s phi) –Pick e such that gcd(e,  ) = 1 (e is public exponent) Usually e=3 or e=5 or e=65537 work OK –Calculate d such that e*d = 1 (modulo  ) (secret exponent)

Avishai Wool lecture RSA Usage Public key: n, e Secret key: d (also p,q, and  remain secret) Encryption: –Message: a number M < n (e.g bits) –Ciphertext: C = M e (mod n) –Anyone can encrypt, both n & e public Decryption: – M’ = C d (mod n) –By number theory magic, M’ == M (always) –Only receiver can decrypt because d is secret

Avishai Wool lecture RSA example p=3, q=11  n=3*11 = 33  = 2*10 = 20 e = 7 d = 3 [verify: 7*3 = 21 = 1 (mod 20)] Assume the message is M = 2 Encrypt: C = 2 7 (mod 33) = 128 (mod 33) = 29 Decrypt: M’ = 29 3 (mod 33) = (mod 33) = 2

Avishai Wool lecture How to send secure Get PGP-compliant software –has plugins for Thunderbird and Outlook Get recipient’s public key – – Encrypt your message with recipient’s key & send Sender cannot decrypt message w/o saving a plaintext copy!

Avishai Wool lecture One-Way Functions Function such that given x –easy to evaluate y = h(x) But given y and the (source code for) h() –computationally infeasible to find x Also known as cryptographic hash functions Popular examples: –MD5 –SHA-1, SHA-256

Avishai Wool lecture Properties of hash functions Not secret: no key involved. Anyone can compute h(x) Given x, very hard to find y != x with h(y) = h(x) Like a CRC (error correction code) To distribute file F securely: –Compute h 1 =h(F), publish h 1 on website –Receiver downloads F, verifies that h(F) == h 1 –If attacker modifies F to F’, the hash will not match

Avishai Wool lecture User Authentication

Avishai Wool lecture Basic Principles Authentication must identify: 1.Something the user knows 2.Something the user has 3.Something the user is This is done before user can use the system

Avishai Wool lecture Authentication Using Passwords A successful login Login rejected after name entered Login rejected after name and password typed Not good! better

Avishai Wool lecture How are passwords stored on server? Pairs of (username, password) –very bad: –Steal the password file  know all passwords Hashed passwords: pairs of (username, h(pwd)) –much better –but: users choose bad passwords

Avishai Wool lecture Dictionary attack Attacker knows h() Offline: compute h(apple), …, h(zebra) –Maybe with variants (apple/Apple/4pple) Store in database (a few million entries) Steal password file Check if one of the hash values is in database –Reported 25% success rate

Avishai Wool lecture Improvements Make password file harder to steal –Old Unix let all users read /etc/passwd –New Unixes store passwords in /etc/shadow which only root can access Force users to pick better passwords –Annoying, hard to remember passwords

Avishai Wool lecture Selecting good passwords Idea: pronounceable random passwords –Program suggests things like “ArTiZu” “ricOpam” –Google for “apg” (automatic password generator) Idea: use an acronym –Pick a sentence: David Melech Israel Hay Hay VeKayam –Password: dmihhvk / dm1hhvk

Avishai Wool lecture Using “salt” Makes dictionary attack harder: attacker needs separate dictionary for each salt value. Salt Password,,,,

Avishai Wool lecture Challenge-response system Instead of fixed password: Server sends a “challenge” (a number or string) User types challenge into small “calculator”, gets “response” User sends response back to server To activate “calculator”, user needs a “PIN”.

Avishai Wool lecture Authentication using a smartcard Magnetic cards –magnetic stripe cards –chip cards: stored value cards, smart cards

Avishai Wool lecture Authentication Using Biometrics A device for measuring finger length.

Avishai Wool lecture Problems with biometrics What if attacker can fake the protocol between the measuring device and server? Fake (plastic) fingerprints? Impossible to generate a “new password”… False positives and negatives –injury, illness, weather, moisture,...

Avishai Wool lecture Countermeasures Limiting times when someone can log in Automatic callback at number prespecified Limited number of login tries A database of all logins

Avishai Wool lecture Operating System Security

Avishai Wool lecture Trojan Horses Free program made available to unsuspecting user –Actually contains code to do harm Place altered version of utility program on victim's computer –trick user into running that program

Avishai Wool lecture Example: Login Spoofing (a) Correct login screen (b) Phony login screen

Avishai Wool lecture Trap Doors (a) Normal code. (b) Code with a trapdoor inserted

Avishai Wool lecture Buffer Overflows Example: web server, accepts a url program copies what’s after ‘req=’ into buffer (a character array) without checking the input length! Attacker uses url zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz-many-hex-values-here Example: code-red, nimda, …

Avishai Wool lecture How Buffer Overflow Works (a) Situation when main program is running (b) After procedure A called (c) Buffer overflow shown in gray

Avishai Wool lecture Viruses

Avishai Wool lecture Viruses Virus = program can reproduce itself –attach its code to another program –additionally, do harm Goals of virus writer –quickly spreading virus –difficult to detect –hard to get rid of

Avishai Wool lecture Infected program structure An executable program With a virus at the front With the virus at the end With a virus spread over free space within program

Avishai Wool lecture How Viruses Spread Virus placed where likely to be copied When copied –infects programs on hard drive, floppy –may try to spread over LAN Attach to innocent looking –when it runs, use mailing list to replicate

Avishai Wool lecture Antivirus techniques Keep database of pieces of virus code (signatures) look at files and search for all virus signatures.

Avishai Wool lecture Anti-Antivirus Techniques: compress & encrypt (a) A program (b) Infected program (c) Compressed infected program (d) Encrypted virus (e) Compressed virus with encrypted compression code

Avishai Wool lecture Anti-Antivirus Techniques: polymorphism Examples of a polymorphic virus All of these examples do the same thing

Avishai Wool lecture Recent viruses Mellisa, 1999: Microsoft Word document with malicious macro sent itself to 1st 50 addresses in infected user’s Outlook address book People open attachments from people they know.

Avishai Wool lecture General Lessons Mono-culture is risky: –if everyone uses Outlook, and there is a bug in Outlook, everyone will be in trouble. Diversify! No separation: why does a word macro have the ability & permissions to send ? Social engineering is very powerful.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.