ECE Lecture 1. Security Services. Need for information security. widespread use of data processing equipment: computer security

Transcription

1 ECE Lecture 1 Security Services Need for information security widespread use of data processing equipment: computer security widespread use of computer networks and distributed computing systems: network security Security Threats in Banking Systems Bank A interception Bank B modification ATM fabrication unauthorized access Timing attacks Radiation analysis 1

2 Electronic Commerce ELECTRONIC FUND TRANSFER - EFT intra-bank fund transfers inter-bank fund transfers home banking electronic cash ELECTRONIC DATA INTERCHANGE - EDI financial transactions among companies HOME-SHOPPING non-digital goods (e.g., books, CDs) services (e.g., travel reservations) digital goods (e.g., software, music, video) micropayments (e.g., database access) Electronic Data Interchange transactions between computers human participation in routine transactions limited or non-existent paper records eliminated less time to detect and correct errors Other types of data needing security financial records medical records commercial secrets business and private correspondence technical specifications 2

3 Potential attackers hackers industrial competitors spies press government agencies Security on the Internet Alice, Love you, Bob Alice Smurftown, SL Smurfland SECURE NSA National Security Agency (also known as No Such Agency or Never Say Anything ) Created in 1952 by president Truman Goals: designing strong ciphers (to protect U.S. communications) breaking ciphers (to listen to non-u.s. communications) Budget and number of employees kept secret Largest employer of mathematicians in the world Larger purchaser of computer hardware 3

4 Worldwide Survey of Cryptographic Products NAI Labs, June 2001 Companies Products domestic foreign domestic foreign Foreign products developed in 43 countries distributed in at least 76 countries Foreign Cryptographic Products Other (222) Germany (118) UK (93) Isreal (19) Japan (26) South Korea (26) Australia (29) Russia (31) Sweden (35) Switzerland (74) Canada (85) Increase in the number of foreign cryptographic products and companies products companies Trusted Information Systems GWU NAI

5 RSA Security Inc. (currently the security division of EMC) original patents for RSA (expired in 2000), RC5, RC6 and other cryptographic algorithms over 1 billion users of the basic cryptographic library BSAFE RSA Laboratories RSA Conference spin-off companies VeriSign - Public Key Infrastructure American and international regarding public key cryptography Informal industrial RSA Labs PKCS PKCS Industrial IEEE P1363 Banking ANSI ANSI X9 International ISO ISO Federal NIST FIPS American and international regarding public key cryptography IEEE - Institute of Electrical and Electronics Engineers ANSI - American National Standards Institute NIST - National Institute of Standards and Technology ISO International Organization for Standardization PKCS Public Key Cryptography Standards FIPS - Federal Information Processing Standards 5

6 Security services Protecting data in transit confidentiality integrity authentication non-repudiation at rest access control - identification - authorization - auditing availability On the basis of Identification (User Authentication) what you know (passwords, PINs) what you have (magnetic card, smart card) what you are (fingerprints, handprints, voiceprints, keystroke timing, signatures, retinal scanners) 6

7 Basic Security Services (1) 1. Confidentiality Bob 2. Message integrity Bob Charlie Alice Alice 3. Message authentication Bob Charlie Alice Charlie Basic Security Services (2) 4. Non-repudiation - of sender - of receiver - mutual Technique: DIGITAL digital signature Signature A6E3891F2939E38C745B CA345BEF CBA653448E349EA47 HANDWRITTEN Main Goals: unique identification proof of agreement to the contents of the document 7

8 Handwritten and digital signatures Common Features Handwritten signature Digital signature 1. Unique 2. Impossible to be forged 3. Impossible to be denied by the author 4. Easy to verify by an independent judge 5. Easy to generate Handwritten and digital signatures Differences Handwritten signature 6. Associated physically with the document 7. Almost identical for all documents 8. Usually at the last page Digital signature 6. Can be stored and transmitted independently of the document 7. Function of the document 8. Covers the entire document Relations among security services NON-REPUDIATION AUTHENTICATION CONFIDENTIALITY INTEGRITY 8

9 Network Security Threats (1) Interruption Interception Modification Fabrication Network Security Threats (2) Passive Active Release of message contents Interception Traffic analysis Interruption (availability) Modification (integrity) Fabrication (authenticity) 9