IT321 Security


SECURITY

Based on lecture notes by Scott Shenker and Mike Freedman

Abenoja, Michael Joseph B

Campos, Jennylyn T

Dugenia, Marrieda C

TOPICS

• What is Security?

• Classes of attacks

• Basic security requirements

• Simple cryptographic methods

• Cryptographic toolkit

• DNSSec

• Certificate Authorities

• SSL / HTTPS

WHAT IS “SECURITY”

• Dictionary.com says:

• 1. Freedom from risk or danger; safety.

• 2. Freedom from doubt, anxiety, or fear; confidence.

• 3. Something that gives or assures safety, as:

• 1. A group or department of private guards: Call building security if a visitor acts suspicious.

• 2. Measures adopted by a government to prevent espionage, sabotage, or attack.

• 3. Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant.

• …etc.

CLASSES OF ATTACKS

• Passive Attack - monitors unencrypted traffic and looks for clear-text passwords and sensitive information that can be used in other types of attacks.

• Active Attack - the attacker tries to bypass or break into secured systems. This can be done through stealth, viruses, worms, or Trojan horses.

• Distributed Attack - focuses on the malicious modification of hardware or software at the factory or during distribution.

• Insider Attack - involves someone from the inside, such as a disgruntled employee, attacking the network.

• Close-in Attack - involves someone attempting to get physically close to network components, data, and systems in order to learn more about a network.

• Phishing Attack - the hacker creates a fake web site that looks exactly like a popular site such as the SBI bank or PayPal.

CLASSES OF ATTACKS

• Hijack Attack - a hacker takes over a session between you and another individual and disconnects the other individual from the communication.

• Spoof Attack - the hacker modifies the source address of the packets he or she is sending so that they appear to be coming from someone else.

• Buffer Overflow Attack - the attacker sends more data to an application than is expected.

• Exploit Attack - the attacker knows of a security problem within an operating system or a piece of software and leverages that knowledge by exploiting the vulnerability.

• Password Attack - an attacker tries to crack the passwords stored in a network account database or a password-protected file.

BASIC REQUIREMENTS FOR SECURE COMMUNICATION

• Availability

• Authentication

• Integrity

• Confidentiality

• Provenance

• Authorization

• Accountability/Attribution

• Audit/Forensics

• Appropriate use

• Freedom from traffic analysis

• Anonymity

INTERNET’S DESIGN: INSECURE

• Designed for simplicity in a naïve era

• “On by default” design

• Readily available zombie machines

• Attacks look like normal traffic

• Internet’s federated operation obstructs cooperation for diagnosis/mitigation

EAVESDROPPING - MESSAGE INTERCEPTION (ATTACK ON CONFIDENTIALITY)

• Unauthorized access to information

• Packet sniffers and wiretappers

• Illicit copying of files and programs

INTEGRITY ATTACK - TAMPERING

• Stop the flow of the message

• Delay and optionally modify the message

• Release the message again

AUTHENTICITY ATTACK - FABRICATION

• Unauthorized assumption of another’s identity

• Generate and distribute objects under this identity

ATTACK ON AVAILABILITY

• Destroy hardware (cutting fiber) or software

• Modify software in a subtle way

• Corrupt packets in transit

• Blatant denial of service (DoS):

- Crashing the server

- Overwhelming the server (using up its resources)

• Cryptography - the process of encrypting information so that its meaning is hidden from those who do not know how to decrypt it.

• Cryptographic Algorithm (cipher) - a step-by-step sequence of mathematical calculations used to encrypt and decrypt information.

• 3 different types of cryptographic algorithms:

- hashing algorithms

- symmetric-key algorithms

- asymmetric-key algorithms

BASIC FORMS OF CRYPTOGRAPHY

HASHING ALGORITHM

• A hashing algorithm is a mathematical algorithm designed to perform one-way encryption. One-way means that once the information has been encrypted, there is no way to retrieve the original information from the hashed form.

The two most common hash methods are as follows:

• Message Digest Service Algorithm - The message digest family of encryption algorithms provides encryption with 128 bits of strength and is designed to be fast and simple. Current standards are MD2, MD4 and MD5.

• Secure Hash Algorithm - SHA is used extensively by the US government and was developed by the National Security Agency (NSA). Two versions of SHA have so far been developed - SHA and SHA-1. SHA-1 provides 160-bit hashing. SHA-1 is more secure than MD5 but involves a slower encryption process.

SYMMETRIC KEY ENCRYPTION

• Same key for encryption and decryption

• Both sender and receiver know the key

• But the adversary does not know the key

Symmetric key encryption is one of the most basic forms of cryptography and is based on the premise that both the sending and receiving parties are in possession of the key used to encrypt the data.
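An added example (not part of the original slides) that ties the hashing and symmetric-key slides back to the tampering attack: an unkeyed hash sent with a message does not detect modification in transit, while a hash keyed with the shared secret does. HMAC, SHA-256, the sample message and all function names are assumptions introduced for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a message and a key known only to sender and receiver.
MESSAGE = b"PAY 100 TO ALICE"
SHARED_KEY = secrets.token_bytes(32)

def digest_bits(algorithm: str, data: bytes) -> int:
    """Digest length in bits (the slide gives 128 for MD5, 160 for SHA-1)."""
    return hashlib.new(algorithm, data, usedforsecurity=False).digest_size * 8

def plain_tag(message: bytes) -> bytes:
    """Unkeyed hash: anyone who sees the message can recompute it."""
    return hashlib.sha256(message).digest()

def keyed_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: producing a valid tag requires the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_plain(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(plain_tag(message), tag)

def verify_keyed(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest is constant-time, so the check leaks nothing via timing
    return hmac.compare_digest(keyed_tag(key, message), tag)

def modified_in_transit(message: bytes, tag: bytes, rehash: bool):
    """Model of the tampering slide: stop, modify, release.
    A party without the key can rebuild only the unkeyed hash."""
    altered = message.replace(b"ALICE", b"MALLORY")
    return altered, (plain_tag(altered) if rehash else tag)

def run_demo() -> dict:
    """Receiver-side verdicts for each scheme after the message was altered."""
    msg1, tag1 = modified_in_transit(MESSAGE, plain_tag(MESSAGE), rehash=True)
    good = keyed_tag(SHARED_KEY, MESSAGE)
    msg2, tag2 = modified_in_transit(MESSAGE, good, rehash=False)
    msg3, tag3 = modified_in_transit(MESSAGE, good, rehash=True)
    return {
        "plain_hash_accepts_altered": verify_plain(msg1, tag1),
        "hmac_accepts_altered_old_tag": verify_keyed(SHARED_KEY, msg2, tag2),
        "hmac_accepts_altered_rehashed": verify_keyed(SHARED_KEY, msg3, tag3),
        "hmac_accepts_original": verify_keyed(SHARED_KEY, MESSAGE, good),
    }

if __name__ == "__main__":
    print(digest_bits("md5", MESSAGE), digest_bits("sha1", MESSAGE))
    print(run_demo())
```

The receiver accepts the altered message only in the unkeyed case, which is why integrity protection needs a secret the party on the wire does not hold.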

ASYMMETRIC ENCRYPTION (PUBLIC KEY)

- based on the concept of using a pair of keys, one private and one public.

The private key is held by the host or application which is to receive the encrypted data. The corresponding public key is made available to anyone who wishes to encrypt data such that it can be decrypted by the holder of the private key. The cornerstone of public key encryption is the level of difficulty involved in inferring the private key from the public key.

CRYPTOGRAPHIC TOOLKIT

Cryptographic Toolkit is a collection of standards, recommendations and guidance about cryptographic security components and functionality for protecting data, communications, and operations.

DNSSEC

Domain Name System Security Extensions (DNSSEC)

- is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks.

- it is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

CERTIFICATE AUTHORITIES

Certificate Authority or Certification Authority (CA)

- is an entity that issues digital certificates.

Digital Certificate - certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made by the private key that corresponds to the certified public key.

SSL / HTTPS

SSL

• SSL (Secure Socket Layer)

- is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral.

• To be able to create an SSL connection, a web server requires an SSL Certificate. When you choose to activate SSL on your web server, you will be prompted to answer a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys - a Private Key and a Public Key.

HTTPS

• https = “Use HTTP over SSL/TLS”

SSL = Secure Socket Layer

TLS = Transport Layer Security

- HTTPS is a communications protocol for secure communication over a computer network, with especially wide deployment on the Internet.

- it is not a protocol in and of itself; rather, it is the result of simply layering the Hypertext Transfer Protocol (HTTP) on top of the SSL or TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications. The main motivation for HTTPS is to provide authentication of the visited website and to prevent wiretapping and man-in-the-middle attacks.
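An added example (not part of the original slides): the authentication property described above holds only if the client validates the server's certificate against a CA and matches it to the hostname. The sketch uses Python's standard `ssl` module to audit a client configuration; the function names and finding strings are assumptions made for illustration.

```python
import ssl

def verifying_client_context() -> ssl.SSLContext:
    """Client context that loads the system CA store, requires a valid
    certificate chain and checks the certificate against the hostname."""
    return ssl.create_default_context()

def unverified_client_context() -> ssl.SSLContext:
    """The weak setting: traffic is still encrypted, but to whoever answers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return the reasons this context cannot authenticate the visited site."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified against a trusted CA")
    if not ctx.check_hostname:
        findings.append("certificate is not matched to the requested hostname")
    return findings

if __name__ == "__main__":
    for name, ctx in (("verifying", verifying_client_context()),
                      ("unverified", unverified_client_context())):
        print(name, audit_client_context(ctx) or "ok")
```

A context that reports either finding gives confidentiality against passive wiretapping only; it does not stop a man-in-the-middle who presents a certificate of their own.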

END OF PRESENTATION


PENDONG