Security Goals Services



Similar documents
Security & Privacy on the WWW. Topic Outline. Information Security. Briefing for CS4173

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

E-commerce. business. technology. society. Kenneth C. Laudon Carol Guercio Traver. Second Edition. Copyright 2007 Pearson Education, Inc.

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

Content Teaching Academy at James Madison University

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

CS5008: Internet Computing

Chapter 10. Cloud Security Mechanisms

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Last update: February 23, 2004

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

Information Security Basic Concepts

Overview. SSL Cryptography Overview CHAPTER 1

COSC 472 Network Security

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Skoot Secure File Transfer

Chap. 1: Introduction

SSL/TLS: The Ugly Truth

Chapter 15: Security

DEVELOPING CERTIFICATE-BASED PROJECTS FOR WEB SECURITY CLASSES *

Fundamentals of Network Security - Theory and Practice-

Introduction to Computer Security

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

IY2760/CS3760: Part 6. IY2760: Part 6

Security vulnerabilities in the Internet and possible solutions

Security + Certification (ITSY 1076) Syllabus

Notes on Network Security - Introduction

Chapter 10. Network Security

Homeland Security Red Teaming

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Security. Definitions

Cryptography and Network Security

Network Security Fundamentals

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

Chapter 18: System Security

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Three attacks in SSL protocol and their solutions

Internet Programming. Security

Cornerstones of Security

TELE 301 Network Management. Lecture 18: Network Security

Chapter 17. Transport-Level Security

Passing PCI Compliance How to Address the Application Security Mandates

Client Server Registration Protocol

Network Security Protocols

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Thick Client Application Security

CSCI 454/554 Computer and Network Security. Instructor: Dr. Kun Sun


Chapter 7 Transport-Level Security

Compter Networks Chapter 9: Network Security

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui

Web Security: Encryption & Authentication

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Chapter 11 Manage Computing Securely, Safely and Ethically. Discovering Computers Your Interactive Guide to the Digital World

Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon

Security Policy Revision Date: 23 April 2009

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

E-COMMERCE and SECURITY - 1DL018

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz , ICSG 2014

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Introduction to Network Security. 1. Introduction. And People Eager to Take Advantage of the Vulnerabilities

1. Computer Security: An Introduction. Definitions Security threats and analysis Types of security controls Security services

Implementing Cisco IOS Network Security

Network Security and Firewall 1

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

CS 348: Computer Networks. - Security; 30 th - 31 st Oct Instructor: Sridhar Iyer IIT Bombay

Tim Bovles WILEY. Wiley Publishing, Inc.

SSL Protect your users, start with yourself

Alexander Nikov. 9. Information Assurance and Security, Protecting Information Resources. Learning Objectives. You re on Facebook? Watch Out!

Introduction to Security

Savitribai Phule Pune University

Contents Introduction xxvi Chapter 1: Understanding the Threats: Viruses, Trojans, Mail Bombers, Worms, and Illicit Servers

Web Application Report

IINS Implementing Cisco Network Security 3.0 (IINS)

Securing Cisco Network Devices (SND)

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD CCNA SECURITY. VERSION 1.0

Security aspects of e-tailing. Chapter 7

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

ITM661 Database Systems. Database Security and Administration

Security Digital Certificate Manager

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Understanding Digital Certificates and Secure Sockets Layer (SSL)

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

What is Web Security? Motivation

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

8 Steps for Network Security Protection

Transcription:

1 2 Lecture #8 2008 Freedom from danger, risk, etc.; safety. Something that secures or makes safe; protection; defense. Precautions taken to guard against crime, attack, sabotage, espionage, etc. An assurance; guarantee. Archaic. overconfidence; cockiness. (definitions from dictionary.com) Physical security - protecting the infrastructure, e.g. - fire alarms - locked doors Data security - protecting the content, e.g. - privacy - integrity Network security - protecting the access, e.g. - firewalls - encryption Goals in layers Prevention (may hinder system availability) Detection (does not prevent system compromization) Recovery - stop attack - assess damage - repair damage (complex) - retaliate (?) System security is the sum of component securities Designing security in many levels increases the effort required to attack the system Attackers choose targets based on a risk-reward-effort analysis

Who, What, and Why Perpetrators - single and groups of hackers - organized crime - military organizations Targets - individual end-users - organizations and companies - infrastructure Goals - fame - financial assets - botnet access Snooping (disclosure) - Confidentiality Modification, alteration (deception, usurpation) - Integrity Masquerading, spoofing (deception, usurpation) - Integrity Repudiation (deception) - Integrity, non-repudiation Denial of receipt (deception) - Integrity, availability Delay (usurpation, deception) - Availability Denial of service - Availability Threat Analysis Threat Analysis Level of protection - Physical security - Psychological security (awareness, knowledge etc) - Virtual security Trust models System life cycles (do we need to protect old systems?) Detection Reaction Protect against the greatest risks Value of protected items? Loss expectancy (immediate and annual) Attack trees Failure Modes and Effect Analysis (FMEA) - Bottom up - How does component failure affect the system? Combine as a matrix Attack types (Active) Attack Methodology Passive: hard to detect & hard to prevent - surveillance - publication of message contents - traffic analysis Active: easier to detect, hard to prevent (alt. detect and recover) - masquerade - replay - alteration of message content - denial of service 1 Identify target 2 Gather information 3 Analyze information / locate vulnerabilities 4 Gain access 5 Execute attack 6 Erase attack traces Usually enough to stop one of the above

Exploits Exploit Examples System vulnerabilities are exploited in attacks Aims to escalate privileges or take control Very common in large systems are mechanized and shared in communities Malicious ActiveX controls Scripts targeting web browser bugs Malicious code in codecs Malicious code in images (GDI+) Known security vulnerabilities are published and addressed Automatic programs probing network services Buffer Overflow SQL Injection Data are stored beyond buffer boundaries The extra data overwrites adjacent memory locations Overflows can cause - changed program behavior - crashes - memory exceptions - usurpation of process... Addresses vulnerabilities in database access layers Targets unescaped data literals or weak type access Injects an SQL snippet within regular SQL commands Countered by data filtering Countered by bounds checking (automatic in Java) Man In The Middle Spoofing A form of active eavesdropping An attacker places himself between a two parties, assuming the identity of each and relays messages Technically advanced and hard to detect Countered by (correct) use of authentication and key exchange protocols and infrastructures A system masquerades as a target system A distributed form of a Trojan horse versions used for phishing user data Countered by raising user awareness

Denial of Service the availability of a system Systems are overloaded to stop access to them Often performed from distributed botnets (DDOS) Countered by sound system design, firewalls, and redundancy in system infrastructure Based on cryptography SSL / TLS current encryption standards = HTTP through a SSL tunnel (no changes in JSP required) One-Way Encryption Mathematical tools for enabling trust Based on fundamental assumptions - algorithms are safe (there are no shortcuts) - parameter space searches for keys takes a long time - techniques used as intended Message: data Algorithm: the encryption method Key: encryption key, parameter to encryption algorithm Cipher text: the encrypted message Messages are encrypted using secret keys Messages can not be decrypted Cipher texts are (to a high probability) uniquely mapped to message content Cipher texts are used instead of messages in situations where messages must be kept secret (e.g., passwords) Closely related to hashcodes and Message Authentication Codes (MACs) Symmetric Encryption Asymmetric Encryption Commonly referred to as private key encryption Messages are encrypted and decrypted using the same key Anyone with access to the key can decrypt the message Fast Suffers from the key distribution problem Commonly referred to as public key encryption Messages are encrypted using key pairs (public & private) One key used for encryption, the other for decryption Public key distributed as much as possible Private key kept secret Versatile and more secure than symmetric algorithms Slow

Asymmetric Encryption Certificates Encrypt message using public key - encryption Encrypt message using private key - signatures Messages can be both encrypted and signed As long as the keys can be trusted - messages can be kept secret (only receiver can decrypt) - senders and receivers can be authenticated - message content can be trusted Certificate = signed tuple of public key & identity Certificates can be self-signed or signed by others Self-signed certificates can be used for encryption (but suffer from the key distribution problem) Certificates signed by trusted parties can be used for encryption, authentication and message integrity checks (PKI) Secure Socket Layer (SSL) Virtual infrastructures consisting of clients, servers and Certificate Authorities (CA) CAs are trusted third parties which provide signed certificates (i.e., signs public keys) CA certificates are distributed in browsers and similar tools (trusted and considered known by all) Since CA public keys are known, (signed) certificates can be validated offline (without connecting to the CA) Secure connections are established between parties using certificates and encryption algorithms A protocol for establishing secure connections using certificates and cryptography algorithms Transport Level (TLS) = SSL v3.0 (almost) Clients use server certificate to authenticate server Servers use client certificate to authenticate client (optional) Once identities have been established, encryption keys are exchanged and symmetric encryption algorithms are used SSL clients uses keystores to manage certificates and keys Network traffic tunneled through encrypted channels Secure Socket Layer (SSL) Keystores Bruce Schneir, Secrets and Lies (page 239): As it is used, with the average user not bothering to verify the certificates and no revocation mechanism, SSL is simply a (very slow) Diffie-Hellman key-exchange method. Digital certificates provide no actual security for electronic commerce: it s a complete sham. An encrypted database used to store keys and certificates Usually stored in a single file called.keystore Applications must provide database decryption key (username & password) to access keystore content Keystores only containing public keys and certificates are commonly referred to as truststores Keystores can be shared between SSL applications (usually only done for truststores)

Summary Not an actual protocol = HTTP through a SSL/TLS tunnel The server needs to be provided with a certificate If the server is to authenticate clients, the clients need (CA signed) certificates as well servers usually references keystores via configuration (providing filename, username, password) is a process, not a product is the tool for web security No changes in JSP required to use (web server reconfiguration may be required) server needs a certificate Default port 443 (HTTP default port is 80) JSP can require clients to use JSP can check if a page was requested via using request.issecure() / SSL is considered safe (today) XML & XML Schema

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information