Information Security
Dr. Vedat Coşkun
Malardalen, September 15th, 2009, 08:00 10:00
vedatcoskun@isikun.edu.tr
www.isikun.edu.tr/~vedatcoskun

What needs to be secured?
With the rapid advances in networked computer technology, the amount of sensitive information stored in digital form has increased:
- private information
  - e-mails
  - phone numbers
- organisation records
  - budget
  - customer information
  - personnel list
- national (government) issues
  - military strategic information

What are the considerations?
Nations, organisations, and people do not agree to share their sensitive information with the public.
The reasons are different:
- People: privacy
- Companies: competition
- Nations: survival

What do we want?
- We want to keep our information secret
- We want the stored information not to be modified or destroyed
- We want to access our stored information as we like

What do we want?
- We want something (?) to prevent attacks against the previous considerations from succeeding
- We prefer that the system provides 100% security (?), meaning at all times and with all terms
- It is possible that we are forced to agree on a model in which we face a harm below a limit that we can survive

What is Security?
A secure system is one which:
- does exactly what we want it to do
- does nothing that we don't want it to do
Security is not only protecting data from unauthorised access but also enabling authorised people to access the data.

Potential Criminals
1. Programs (virus, worm)
2. Intruders / hackers
   a. People
      i. Amateurs
      ii. Professionals
   b. Organisations
   c. Terrorists (Information Warfare)
3. Insiders
   a. Personnel
   b. Contractors or partners
   c. Visitors

Model-1: Data Security
Model-2: Data Transfer Security
Tools for Security?
1. Physical Security
   - Physically block illegal access to the network
2. Computer and Network Security
   - Use technical tools to thwart attacks on data
   - Hardware devices
   - Software tools

Security Management tools
1. Security policy
2. Risk management plan

Software for Security?
- Firewall: to prevent unwanted packets from entering our computer or intranet
- Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): to control and prevent unwanted access to our computer and intranet
- Mail protocols: to send / receive mails securely
- Programs to keep credit card information secret
- Encrypting data or password files: to prevent them being read by unauthorised people
- Virus protection programs: to find and remove malicious programs such as viruses

Tools for Security tools?
Cryptography

Basic Cryptography Model
Plaintext -> Encryption -> Ciphertext -> Decryption -> Plaintext
(Encryption uses the Encryption Key; Decryption uses the Decryption Key)

Cryptography
Used to satisfy security services such as:
- confidentiality
- integrity
- authentication
- non-repudiation
- digital signature

Primary Security Goals
Security Goals:
- Confidentiality
- Integrity
- Availability

Primary Security Goals
- Protect the Confidentiality of data
  So that no unauthorised people can read it
- Preserve the Integrity of data
  So that no unauthorised people can delete / modify it
- Promote the Availability of data for authorised users
  So that authorised people can access data anytime as required

Confidentiality
Diagram: Sender -> Plaintext -> E -> Cryptotext (insecure media) -> D -> Plaintext -> Receiver
Ensures that no unauthorised people can access the plaintext

(User) Authentication
1. When a user accesses a web site, (s)he claims to be a specific user (such as a customer of a bank)
2. Authentication is assuring that the user is really the person who (s)he claims to be (understanding whether the user is really that customer of the bank or not, for example)

(User) Authentication Tools
Human authentication factors are classified into three cases:
1. Something the user has (ID card, security token, OTP, software token, phone)
2. Something the user knows (password)
3. Something the user is or does (fingerprint, retinal pattern, signature or voice recognition)

Integrity
Ensuring that the received (accessed) information is exactly the same as the information sent (stored).
This means it is not modified or destroyed during any operation, such as transfer, storage, and retrieval, either accidentally or maliciously.

Integrity
Diagram: Sender -> Plaintext -> E -> Cryptotext (insecure media) -> D -> Plaintext -> Receiver
Ensures that both plaintexts are identical
Means the cryptotext has not been changed during transmission

Secondary Security Goal
Non-repudiation: It can be verified that the sender and the recipient were, in fact, the parties who claimed to send or receive the message, respectively.
In other words:
- non-repudiation of sender proves that data has been sent by the intended sender
- non-repudiation of receiver proves it has been received by the intended receiver

Non-repudiation of sender
Diagram: Sender -> Plaintext -> E -> Cryptotext -> D -> Plaintext -> Receiver, with a Referee
- Ensures that the Sender cannot deny sending the ciphertext
- A trusted 3rd party decides if the sender actually sent the ciphertext
- Stronger version of Sender Authentication

Non-repudiation of receiver
Diagram: Sender -> Plaintext -> E -> Cryptotext -> D -> Plaintext -> Receiver, with a Referee
- Ensures that the Receiver cannot deny receiving the ciphertext (if she uses plaintext content)
- A trusted 3rd party decides if the sender actually has sent the ciphertext

Message Authentication
Diagram: Sender -> Plaintext -> E -> Cryptotext -> D -> Plaintext -> Receiver, with a Referee
- Being positive about the originality of the cryptotext
- Digital signatures, like written signatures, are used to provide authentication (hence, non-repudiation of origin) of the associated document
- Related to Non-repudiation of Sender

Authorization
Authorization is allowing access to resources only to users who are permitted to use them.
- Resources include files, computer programs, computer devices etc.
- Users include computer users, computer programs etc.

Authentication & Authorization
- Authentication is verifying the identity of a user
- Authorization is deciding whether or not to grant access to an authenticated user

Anonymous users
- Anonymous users or guests are consumers that have not been required to authenticate
- They often have very few permissions
- It is often desirable to grant access without requiring a unique identity in large systems

Digital Certificates
- A Digital Certificate binds identity to the private key owned (that matches the corresponding public key), usually with other info such as period of validity, rights of use etc.
- The contents of the certificate are signed by a trusted Certificate Authority (CA) such as VeriSign or Thawte
- It can be verified by anyone who knows the public key of the CA, typically by the web client (browser)

Public-Key Certificates
Digital Signature (Source: www.wikipedia.org)
Digital Certificate
Digital Signature
Cryptographic Functions
1. Public key: 2 different keys are used for encryption and decryption
   - Asymmetric cryptography
   - Modern cryptography
2. Secret (private) key: 1 key is used for both encryption and decryption
   - Symmetric cryptography
   - Conventional cryptography
3. Hash functions: No keys are used for either encryption or decryption
   - Message digest

Usage of cryptography
1. Secret key cryptography
   - Secrecy (/Confidentiality)
   - Authentication
2. Public key
   - Secrecy (/Confidentiality)
   - Authentication & Digital signatures
   - Integrity
   - Non-repudiation (of sender & receiver)
3. Hash functions
   - Message authentication (integrity)

Using Encryption Functions
- Symmetric encryption: integrity, confidentiality, user authentication
- Symmetric encryption: integrity, user authentication
- Public-key encryption: integrity, user authentication, digital signature
- Public-key encryption: integrity, user authentication, confidentiality, digital signature

Using Encryption Functions
- Common secret information S is used: user authentication, integrity
- Common secret information S is used: integrity, confidentiality, user authentication
- Message authentication: integrity

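The slides above list a common secret S as giving user authentication and integrity, without naming the function applied to it. As an added example (not from the original slides), the sketch below uses HMAC-SHA256 as that keyed hash, which is an assumption, and shows the receiver accepting an intact message and rejecting a modified or re-hashed one; the message and secret are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size  # 32-byte tag appended to each message


def protect(message: bytes, s: bytes) -> bytes:
    """Sender: append a keyed hash of the message, computed with shared secret S."""
    tag = hmac.new(s, message, hashlib.sha256).digest()
    return message + tag


def verify(packet: bytes, s: bytes) -> Optional[bytes]:
    """Receiver: recompute the tag with S; return the message only if it matches."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(s, message, hashlib.sha256).digest()
    # compare_digest runs in constant time, so it does not reveal
    # how many leading bytes of a guessed tag were correct.
    return message if hmac.compare_digest(tag, expected) else None


def demo() -> dict:
    s = secrets.token_bytes(32)                   # constructed shared secret S
    packet = protect(b"pay 100 to alice", s)      # constructed sample message
    tampered = packet.replace(b"pay 100", b"pay 900")  # modified in transit
    # Without S, a plain (unkeyed) hash can be recomputed by anyone,
    # but it does not match the keyed tag the receiver expects.
    other = b"pay 900 to alice"
    rehashed = other + hashlib.sha256(other).digest()
    return {
        "intact": verify(packet, s),
        "tampered": verify(tampered, s),
        "rehashed_without_s": verify(rehashed, s),
        "wrong_secret": verify(packet, secrets.token_bytes(32)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} -> {result!r}")
```

Because both parties hold S, either of them could have produced the tag, so this gives integrity and authentication but not non-repudiation, which the slides assign to public-key techniques.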