
, 2007

:
.
1 ........................................................................ 4
1.1 ........................................................................................ 4
1.2 , ............................................................. 8
1.3 ............................................................................. 14
1.4 .......................... 17
1.5 ............................................................................... 22
1.6 ....................................................... 24
2 & ........................................30
2.1 ...................................................................................... 30
2.2 ................................................... 33
2.2.1 ....................................................................................... 34
2.2.2 .............................................. 43
2.3 ..................................................... 47
2.3.1 ............................................................................... 47
2.3.2 .......................................................... 52
2.3.2.1 (Fingerprint)............................................. 52
2.3.2.2 (Iris Recognition)........................................... 53
2.3.2.3 (Retina)...................................... 54
2.3.2.4 (Facial Recognition) ............................... 55
2.3.2.5 (Voice Recognition) ..................................... 56
2.3.2.6 .......................................................................... 59
2.3.3 ................................................. 59
2.3.3.1 ................................................................ 59
2.3.3.2 ........................... 61
2.3.4 .............................. 61
3 ....................................................................65
3.1 ...................................................................................... 65
3.2 « » DAC............................................................. 68
3.2.1 Windows (NTFS) ............... 72
3.2.2 Unix......................... 74
3.2.3 DAC.................. 76
3.3 « ’ » MAC............................................................ 77
3.3.1 Bell-LaPadula .............................................................. 78
3.3.2 Biba ............................................................................. 79
3.4 (RBAC) ....................................... 80
4 .........................................................84
4.1 (Malware) ........................................................... 84
4.1.1 & .... 85
4.1.2 « » ............................................................................... 88
4.1.3 (Worms) ......................................................................... 93
4.1.4 (Trojan Horses). ....................................................... 96
4.1.5 Spyware – Adware Hoax............................................................ 97
4.1.6 ..................................................... 99
4.2 ............................................................................103
4.2.1 Antivirus ..................................................................104
4.2.2 Firewall .....................................................108
4.2.3 (Vulnerability Scanners)..............................112
4.2.4 (Intrusion Detection Systems)....113
4.2.5 (Backup).........................................115
5 ........................................................................118
5.1 (Mobile Code) ............................................................118
5.2 Cookies.......................................................................................123
5.3 (e-Mail Security)....................126
5.4 TCP/IP.............................................................................130
5.4.1 DNS (Domain Name System)....................132
5.4.2 (Packet Sniffing) .............................................136
5.4.3 (IP Spoofing).....................................138
5.4.4 ..................................................140
5.5 .................................................................................146
5.5.1 To SSL .......................................................................146
5.5.2 IPSEC..........................................................................147
5.5.3 Firewalls .........................................................................150
6 ....................................................................157
6.1 .....................................................................................157
6.2 ..............................................................................161
6.3 Hash (One-way ash functions) ....................163
6.4 ......165
6.4.1 (MAC) .................................168
6.5 ...............................................................................170
- ..............................................................................172

1
1.1

« » ,
.
,
».
( ):
,
.
, .
.
.
.
.
.
,
,
. ,

. ,
, ,
.

(Information and Communication Technology Security – ICT Security)
:
1. ,
,
, ,
, ,
.
2. ,
,
,
, ,
.
3. ,
, .

.

, :

, ,

1. ( ) ,

2. (
) .

,
(e-crime, computer crime). [Forester
and Morrison, 1994] :

«
»

( )
,
, ,
. :


.
« » (hackers,
crackers )

-Internet & .
, ,
( ,
Internet, , ).

.
( )
(Information theory),
(linear algebra), (number theory) .,
.

& .
( . & ).

(non-technical)
. ,
,

(Cyber Ethics).

( )
’ ’ ( ,
)

1980 (
– 4).

,
Web,
. ( ) :

, . (Viruses), (Worms),
(Trojan Horses), Spyware, Adware,
.

(Hacking).
(Social Engineering)

(Denial Of Service).
.

(Spoofing / Masquerading). « »
,
.

- .
(confidentiality) (integrity) -

(spam).
,
.

. , ,

,
.

1.2 ,

.
.

(Asset).
.
, :

- (Physical Assets): , , ,
,
- (Data Assets): ( , )
- (Software Assets): ,
, .
(Impact or Value).
. :

,
, .

,
.
:

- :
,
.
,

- :

. ,

,
.

- :
.
,
(Denial-of-Service attack)
,

sms, ).

- :
.
,
,

.
(Threat).
(impact) .
. :

: , , , , ,
, ,

: , ,
, , ,
, , , , ,

: ,
, ,
.

(
– .
) (
– . ).

1. . ,

(outsiders): Hackers / Crackers / Vandals / Hacktivists,


:

o Footprinting – . IP
, e-mail , ,
,
o Scanning & enumerating - ,
,
o Hacking -
).

: (Viruses), (Worms), (Trojan
Horses), spyware/adware .
(Social Engineers):

2. . , « »

-
.
-
.

(Vulnerability).
. ,
, .
,
.
« »( . –« »
.),
( . « » -
permissions ).

(attacks)

( )

, ,
.

.
:

- - . , , , ..
- – . hackers, crackers, vandals,..

( ),
), , ,
. ,
,
,
. , :

(Interception)

- .

( . -
), ( . sniffing,
, (password files),
, PIN, password
), ( .
, )
( . -traffic
analysis).
(Confidentiality) .

(Interruption)

- , , .
, , ,
(DOS attacks)

( , ,
, ),
( .),
( . , –
file system) ( .
).
(Availability) .

(Modification)

-
.

( .
.
,
), ( .
),
, ,
/ .
(Integrity) .

(Fabrication)

- ( ) .
(Spoofing),
(Phishing), (Man in the Middle),
(replay attacks)
.

(Interception)

(Interruption)
, ,

(Modification)

(Fabrication)
)

( .
), ( .
, ),
( . , IP/DNS
spoofing, , Phishing,
). (Integrity)
.

:
,
.

:

• (Passive): « »
.
« » ( )
, .

• (Active):
, , .
.

;
:

• (Privacy). .

- (Anonymity):
, , )
.

- / (Confidentiality, Secrecy).

( ).

• (Authenticity, Authentication). ,
:

- (Identification) (Entity
Authentication): «

- (Data Origin Authentication):


:« ;»

- (Authorization) :
«

- (Non-Repudiation): ( )
: «
;» « »
.

:
, ;

• (Integrity).
. ,
.
: , , .
, , ,
.

• (Availability).
[ / / / / ]
.

1.3

( ).
(Security Policy) ,
.
, « »
.
.
,
.


…;

A. ; (Attacker model)
1. Derek is a 19-year old. He's looking for a low-risk opportunity to steal something like a video recorder which he can sell.
2. Charlie is a 40-year old inadequate with seven convictions for burglary. He's spent seventeen of the last twenty-five years in prison. Although not very intelligent he is cunning and experienced; he has picked up a lot of 'lore' during his spells inside. He steals from small shops and prosperous looking suburban houses, and takes whatever he thinks he can sell to local fences.
Ross Anderson, Security Engineering, 2001

[Anderson 2001] .
Derek, Charlie, Bruno Abdurrahman
.

:
Charlie,
Bruno Abdurrachman.


…;

A. ; (Attacker model)
3. Bruno is a 'gentleman criminal'. His business is mostly stealing art. As a cover, he runs a small art gallery. He has a (forged) university degree in art history on the wall, and one conviction for robbery eighteen years ago. After two years in jail, he changed his name and moved to a different part of the country. He has done occasional 'black bag' jobs for intelligence agencies who know his past. He'd like to get into computer crime, but the most he's done so far is stripping $100,000 worth of memory chips from a university's PCs back in the mid-1990s when there was a memory famine.
Ross Anderson, Security Engineering, 2001

(Amateurs)

hacker, Derek,
[Anderson 2001]. (amateurs)
,
( )
.
(elite) hackers ( . port scanning, sniffing, toolkits
, trojans, -
cracking, ).

( .«
;») .

– insiders) .

(Hackers, Crackers)

Hacker, ,
( )
. , hacker
( ) , ,
Internet,

) ( ) .

( , ,
).
, ,
.
hacker, Charlie [Anderson 2001].


…;

A. ; (Attacker model)
4. Abdurrahman heads a cell of a dozen militants, most with military training. They have infantry weapons and explosives, with PhD-grade technical support provided by a disreputable country. Abdurrahman himself came third out of a class of 280 at the military academy of that country but was not promoted because he's from the wrong ethnic group. He thinks of himself as a good man rather than a bad man. His mission is to steal plutonium.
:
;
Ross Anderson, Security Engineering, 2001

, Crackers
, ,
, ,
hackers. ( )
crackers. hacker cracker
.

(Career Criminals)

(career criminals)
hackers (Social Engineer).

( . , ,
, ).
( . phishing). H « »
, ..
Anderson, ,
Bruno.

: [Anderson 2001],
Abdurrahman .

1.4

. , , ;

: (access control)
.

:
(Organizational Security)
. , ,

( . ) ,
(False Reject) ,
.
(Security Policy)
.

: ,
( .
- phishing).

:
.

…;

B. ,
, ;

. ;

,
, .
, , :

• . « » (tamper-resistant smartcards)

.
,
,
) .

• ( .).
.
(permissions) . ( Unix Windows),
(log files) ., (Domains) .
Windows 2000 .

• .
.
( . PGP),
( . SS ), antivirus,
firewalls, anti-spyware, (Vulnerability
Scanners), (IDS),
(Logging and Audit systems), ( .
DRM)

• .
,
.

…;

C. ;

. (prevention), (detection),
(recovery) ;

• .
, . ,
.
, firewall
( ) ( ) .
., ,
, , antivirus,
(vulnerability scanners)
.

• .
, 100% .

, .
(alarm systems)
. ,
(Intrusion
Detection Systems) (logging &
audit systems). IDS,
( )
, IDS , ,
( . firewalls).

• .

. ,
.
(backup)

.
(survivability) (Continuity)
: ( )
(backup), ,
(redundancy) (fault-tolerant systems)
RAID, hot swapping, UPS,
, load balancing .


…;

D. (prevention),
(detection), (recovery) ;

(Security Cost).
. ,
,
.

,
. .
, password,
, ,
. -

, ’ )
, ) )

.
(trade-off) ( & ),
.

: ,
,
(Risk Analysis)
.


(Infosec goal)
,

<<

>>

.
,
( . Domain Server ),
. ,
(Domains), (login)
(Domain Server),
. server,

. server proxy
(Web),
Web.

: ( ) ,
.

. ( ) ,
.
(Peer to Peer),
.
, .

.
(Logical Access Control)

,
.

.
. ,

. Internet
, ,

, .
, , ,
.
« » ( )

« »
. ,
,
(phishing)
(Social Engineering).

1.5

( , ),
, ,
,
.

( ).
.
,

, ).

:
• ,
• ,

.

. ( , )

,
. ,
,
(risk analysis),

,
,

. :

1.

• , ,
)
( , , )

2.

• ISO, BSI,
NIST, Open
Forum .

• .

3.

• , ,
(
,
)


• :
-
-
-
- .

1.6

(subjects)
. ,
’ .

: , ,
( ) .

: (
) .

:
(subjects) .

( .
,
)
, ,
.
’ .

(Anderson, 2001):
PIN ( )
.
PIN .
PIN ATM,
. :
.

. ,
PIN ,
.
,
.

: -
90 :
remote control 16-bit,
(password).
(grabbers) ( )
, « » . :

. , « »
,
( ). :
, 16 32 bit.
(grabbers).

: & : (1993, 1994).


.
.
, .
:
,
Utrecht. « »
(card reader) PC
ATM, ,
reader PC. :
(standards)
80. ,
.

,
) . ,
, .

,
,
. O A ( . ,
) (
), ={ , }
,
, .
. : ,
, , )
, )
.


(Identification)

A : ,{ }

A= . 16-bit )
=
= )
} = .

: ,
, .
,
(Number used ONCE - nonce). , (replay attacks)
(
).

: ,
( . _2)
( . _1). : « »
grabber (session) . ,
. ,
« » ( )
, ( )
.

: :
« »
;» (counter):
: , +1, +2…. .
: , ,
, ;
, « »
grabber
. N+3.

(Challenge-Response)

« -
» (challenge-response). H (Verifier)
, ,
( . )
, .

:
, (symmetric).
6 ( .
).

: Challenge-
Response ( / )

(replay attacks)

: (One time Passwords).


(challenge) server, . 8 .
( -
password generator), PIN 4 (
).
12 ,
o server. , 8
. server
8 . server ,
, . ,
.

. ,
. ,

IFF (Identification Friend-or-Foe).

. (replay attack)
IFF . ,
:

1) . (SA)

2) (ANG) ,
.

3) ANG
(SAAF) .

4) SAAF (challenge)
ANG.

5) ANG N
(SAMS) .

6) SAMS N SA.

7) SA [ ]

8) SAMS ANG

9) ANG SAAF
[N]

10) T SAAF ANG


.

The "MIG-in-the-Middle" attack (Anderson)

[Figure: an IFF challenge-response relayed across the Namibia / Angola border. A Cuban MIG over Namibia is challenged with N by the South African IFF station. Instead of answering, it retransmits the challenge N towards Angola, where a South African bomber, a genuine holder of the secret key K, is challenged with the same N and answers {N}K. The answer is relayed back to the original challenger, which accepts it: "Response correct!". The figure numbers these steps 1-6.]
http://www.cs.utexas.edu/~shmat/courses/cs378_spring05/03auth.ppt
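The protocol above can be run in code. The following is an added example, not code from the original text: a nonce-based challenge-response with a keyed MAC, a recorded response rejected when replayed against a fresh challenge (contrasted with a static password, which replays fine), and the MIG-in-the-middle relay, in which an intruder without the key forwards the verifier's challenge to a genuine key holder and relays the answer. HMAC-SHA256, the key value and the function names are assumptions made for the illustration.

```python
"""Nonce-based challenge-response: it defeats replay but not a relay."""
import hashlib
import hmac
import os


def respond(key: bytes, challenge: bytes) -> bytes:
    """The prover's answer {N}K: a keyed MAC over the challenge N.
    HMAC-SHA256 is an assumption standing in for the page's symmetric scheme."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Verifier:
    """Issues a fresh nonce per session and accepts each nonce only once."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None
        self.used = set()

    def challenge(self) -> bytes:
        self.pending = os.urandom(16)        # number used once
        return self.pending

    def verify(self, response: bytes) -> bool:
        nonce, self.pending = self.pending, None
        if nonce is None or nonce in self.used:
            return False
        self.used.add(nonce)
        return hmac.compare_digest(response, respond(self.key, nonce))


class StaticPassword:
    """The fixed password the page contrasts with: whatever was recorded
    on the wire is accepted again."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, presented: bytes) -> bool:
        return hmac.compare_digest(presented, self.secret)


KEY = b"shared secret K (constructed)"


def honest_session(verifier: Verifier) -> bool:
    n = verifier.challenge()
    return verifier.verify(respond(KEY, n))


def replay_attack(verifier: Verifier) -> bool:
    """Eavesdropper records one (N, {N}K) exchange, then replays the
    response against a later session. The fresh N' does not match."""
    n = verifier.challenge()
    recorded = respond(KEY, n)
    verifier.verify(recorded)                # the genuine session succeeds
    verifier.challenge()                     # new session, fresh nonce N'
    return verifier.verify(recorded)         # {N}K is not {N'}K


def replay_against_static_password() -> bool:
    system = StaticPassword(b"s3cret")
    recorded = b"s3cret"                     # sniffed once
    return system.verify(recorded)           # works every time


def relay_attack(verifier: Verifier) -> bool:
    """MIG-in-the-middle: the intruder holds no key. It forwards the
    verifier's N to a genuine key holder, which answers any challenge it
    is given, and relays the answer back. Nothing in the protocol binds
    the response to who is actually being challenged."""
    def genuine_transponder(challenge: bytes) -> bytes:
        return respond(KEY, challenge)       # the legitimate party's IFF
    n = verifier.challenge()                 # challenge aimed at the intruder
    relayed = genuine_transponder(n)         # retransmitted to the genuine party
    return verifier.verify(relayed)          # "Response correct!"


if __name__ == "__main__":
    print("honest:", honest_session(Verifier(KEY)))
    print("replay:", replay_attack(Verifier(KEY)))
    print("static password replay:", replay_against_static_password())
    print("relay:", relay_attack(Verifier(KEY)))
```

The nonce and the used-set are what stop the replay; the relay succeeds because the response proves only that someone holding K answered N, not that the answerer is the party in front of the verifier. Binding the answer to identities, location or timing is the countermeasure the following discussion of the "Mafia in the Middle" motivates.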

:
(Man in the Middle attacks).

The "Mafia in the Middle" attack

[Figure: the "Mafia in the Middle" relay att ack, numbered steps 1-6 between the customer, the fraudulent site and the party whose challenge is relayed; the parties are described below.]

(Digital Signatures),
. ,
, S ( o A
site S, ). To site S
.
, site S, A,
T A
. site S
, , .

1) ( , )
, .

2) ( .
),

( . ,
). , ,
[ , customer, porn_site], .

2 &
2.1

( . , , ,
, .), .

« »,
, ,
, ,

) .

: (trade-off)
, ,

1.
B, A,

2. « » A,
.
http://www.cs.uwf.edu/~rdavid/CEN4540/sec3.ppt

X X

X X

(smartcards) X

X X

X X

X X

(ACLs), MAC, RBAC,… X

Antivirus, Anti-Spyware,.. X X X

Firewalls (Packet Filters, Application Gateways) X X

& (IDS/IPS) X X X

– . ,

. , , passwords, PINs,

, .)
– , , .) B, oA :

• .. , , ,
, , ,

• .. ,
,

• .. ( .
- spam, , phishing)
. worm
.

• .. ( . ,
, ) .

,
, . ,
)
) )
.

:
. ; !


• , .

(Access Control)
: Host-to-Host

Network-Based Authentication
Internet IP
(IP-based authentication)
Internet DNS
(name-based authentication).

).
challenge-response

. Kerberos),
. SSL, Ssh, DNSSec),…

.
: 1) SYK, 2) SYH, 3)
SYA.

,
.
("Something You Know"): passwords, PIN, …
("Something You Have"): PDA, USB flash, smart or magnetic cards
("Something You Are"): …

: SYK...

SYK (Something You Know - SYK)


,
:

1. (
): Passwords, PINs,…

( ).
.

2. – (challenge-response)

3. (one-time passwords)

4.

2 4
( . Password generators – ). ,
SYK ( .
PIN) SYH (
).

(Something you Have –


SYH) ,
.
, , ,

.

(Something You Are - SYA)


, .

:
. ,
( . ),
SYK, SYH, SYA,
.
SYK ( - user name - password).

PIN

PIN

web banking log-in Windows

2.2

. :

• ( . log-on Windows, Unix,..):


(username)

• server ( . Domain Server, Unix server):

server.

• mail server , e-mail:

(incoming

mail server) e-mail
(outgoing mail server)

• SIM ,
(ATM): PIN (Personal Identification Number).

« » . (
)
, :
, , ,
, . , .

, . ,
,
.

: ( . phone banking)
.

2.2.1

. :«
)
( , – random),
) ; ,
.

:
SYK, ( , , PIN). H
S.
S « »
.

: ,

, S;
(repudiation)
.

• « »

• « »

• : « » ,
( ,
, )

: , ,

« »
:

• ( – .«
», – . «
PIN », –
phishing - M ).

(Phishing). To approved-
password.zip .
webmaster@ionio.gr , , .

« » ,

1.
2. .

: , o
« – SYK» « –
SYH», SYH ( .
, , , )

« »
,

1. « »

2. ,
.

:
12 . .
,
.
, ,
.

: « »
( . e-banking,
e-mail ),
»
( . forum, , web mail, newsgroups, )

(case study)

Sydney [Anderson, 2001]


«336 e-mail
…»
138
30

H :
phishing . ,
. , . . 1/1000,
mail 1.000.000 ,
1000 . , Internet,

(security awareness).
.

.
( . PIN
, ATM )

(design errors).
.
,
( .
),
. ,

.
, POS ,

. ,
WC (
).
« » -WC- .

.
. -
(default) , )
, ) .
.
, , .
router, dial-up, voice mail, ..

:
PIN . PIN
.
, PIN 4
, PIN,
1 in 10^4 ( ) 1 100. « » « »,
. , PIN
,
. ,
.

: ,
( ) 4X10 : PIN
2256. 4 ( . Blue)

2 , 2 , 5 6 .
« » .

; ,
SYK SYH. , ,
4x10 40-50
(Anderson 2001). ’ , « »
PIN 1 in 3000 (10^4 / 3 ≈ 3000) 1 in ~15 (45 / 3 = 15).

) -

PIN 2256
4 . blue)
. )

1 2 3 4 5 6 7 8 9 0
a b F z P D N m v E
o L i k L U E Y t C
I r t w U E B n g E
L j o s B e A o S H

To
:

1. ( ) .
.
.

2. .
. ,
( . : Microsoft) ,
.
. « microsoft.com,
»).
(insiders)

(outsiders). , ( , )
« »
) (
).

.

3. . .
( ,
, ).
DOS DDOS ( . zombie
BotNet).

. , : )
» )
« »
.
,
( )
.

Online ( )
Offline ( )

Online
O Mallory (log-in)

)
(username), . footprinting
HTTP, Telnet, Pop, FTP, SMB
:
online . , ,
(lockout)
( . 3)

: Brutus, ObiWan, pop.c, TeeNet, SNMPbrute, …

1.

- Spyware .
, spyware

. e-mail « ».

( : Anderson 2001). o
PDP-10 TENEX
.
.
. « »
( ) .

(Interface):
(
) .

2. (eavesdropping, interception)

( . routers, servers ). ,
(LAN), ( ,
),
« » ). ,
) .
, Secure Socket Layer (SSL)
,
Internet. ,
(Telnet, rcp .) -
( . OpenSSH)
host . ,
( . IPSEC, WPA .),
.

- (fabrication).
(Man in the Middle attacks) – 1
Web spoofing,
» ( .
phishing . )
, . .

3. (password storage)

, (password
file), , ,
(server). To ,
(dictionary attack)
( . password crackers) .

. « »
, ,
« » ( )
.
(dictionary
attack), . ( .
L0phtcrack) :

,
.
Offline

O Mallory
(« »)
.
/etc/passwd, SAM file)
H o
Mallory
, .
administrator
Mallory

(cracking software)
: pwdump, L0phtCrack,
John Ripper, Crack …

(dictionary attack):
(hashed)
(password file).
(word lists -dictionaries)
. , , ,
, « »
. , ,
(password cracker)
« » « »
. (
hash)
, .

Precomputed dictionary table: each word of the list beside its hash

word 1   hash-1
word 2   hash-2
word 3   hash-3
word 4   hash-4
...
word n   hash-n

Source: http://www.csse.monash.edu.au/courseware/cse2500/ppt/Authentication.ppt

:
. , hash (hash function)
,
. hash, ( )
(one way). , (
)
.
« » .

(brute force).
brute force,
. ,
« » .

2.2.2, ,
«brute force». ,
, brute force
. brute force
(update)
.

( )
.

With the alphabet [a,b] and length 2 the candidates are:

aa, ab, ba, bb = 4

With length 3:

aaa, aab, aba, abb, baa, bab, bba, bbb = 8

With 26 symbols (e.g. the lowercase letters):

length 2: 26 × 26 = 676
length 3: 26 × 26 × 26 = 17576

With 96 symbols (letters: 52, digits: 10, symbols: 34):

length 8: 96^8 = 7213895789838336
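An added example, not part of the original text, that runs both attacks of this section against a stolen unsalted hash: a dictionary attack through a precomputed word / hash table, and an exhaustive search whose attempt counter reproduces the 26, 676 and 17576 figures above. SHA-256 stands in for the system's hash function and the word list is constructed for the illustration.

```python
"""Dictionary attack versus exhaustive search against a stored password hash."""
import hashlib
import itertools
import string

LOWERCASE = string.ascii_lowercase          # the 26-symbol alphabet of the text
PRINTABLE_SIZE = 96                          # 52 letters + 10 digits + 34 symbols


def hash_password(password: str) -> str:
    """Unsalted hash as kept in a classic password file.
    SHA-256 is an assumption; the text does not name the function."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates of exactly `length` symbols: alphabet_size ** length."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """Candidates of length 1..max_length, the space an exhaustive search
    must cover when the length is unknown."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def dictionary_attack(target_hash: str, wordlist):
    """Build the word / hash-1 .. hash-n table once, then look the stolen
    hash up. Finds only passwords that are in the list."""
    table = {hash_password(word): word for word in wordlist}
    return table.get(target_hash)


def brute_force(target_hash: str, alphabet: str, max_length: int):
    """Exhaustive search, shortest length first, lexicographic within a
    length. Returns (password, attempts) or (None, attempts)."""
    attempts = 0
    for length in range(1, max_length + 1):
        for symbols in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(symbols)
            if hash_password(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker at the given guessing rate."""
    return space / guesses_per_second


# Constructed word list standing in for a cracking dictionary.
WORDLIST = ["password", "summer", "letmein", "qwerty", "123456"]

if __name__ == "__main__":
    print(dictionary_attack(hash_password("summer"), WORDLIST))   # in the list
    print(dictionary_attack(hash_password("zzz"), WORDLIST))      # not in it
    print(brute_force(hash_password("zzz"), LOWERCASE, 3))        # found on the last try
    days = seconds_to_exhaust(keyspace(PRINTABLE_SIZE, 8), 1e9) / 86400
    print("96^8 at 10^9 guesses/s: %.1f days" % days)
```

The dictionary attack costs one hash per word and fails for anything outside the list; the exhaustive search cannot fail but pays for every candidate, which is why the 96^8 figure matters: at a billion guesses per second it is still about 83 days of work for a single hash.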

: (Schneier, 2000). ,
(brute force) ,
. ,
, ,
« » . L0phtcrack ,
Windows NT.
(« ») Pentium II 400 MHz, L0phtcrack
7-character passwords ( ) in 5.5 hours,
7-character passwords ( )
in 480 hours.

2.2.2

• 8
• :
- (A-Z)
- (a-z)
- (0-9)
- (!, @, #, %, : .)

• ( )
• …

100 3 (Anderson, 2001)

password
6 ., & .)

(passphrase)
“It’s 12 noon and I am hungry” I’S12&IAH

): « 8 .
. 1 …»

,
,
. ,
,

:( ) ( )
.


[1]

30%
– cracking software)
2 10%

; …….

"My son Eiten is three years older than my daughter Anna."

M$8ni3y0tmd@

« »

,
:

(8) .

.
, , ,
( . "123456").

, ,
, ( .
"X34JAN"
"X34FEB" ).

:

-
-
-
- ( , )

(180) .
. ,
(5)
.

- (10) .
- (90)

password filter) ,

. :

• (
)

• ( ) passwords

• (
)

• …
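An added example, not from the original text, of a password filter enforcing the rules listed above: minimum length, character classes, a dictionary check, a history of the last five passwords, and rejection of small variations of the previous password (the X34JAN / X34FEB case). The similarity threshold, the minimum number of classes and the short dictionary are assumptions.

```python
"""A password filter enforcing composition, dictionary and history rules."""
import string

MIN_LENGTH = 8             # at least 8 characters
MIN_CLASSES = 3            # assumption: 3 of uppercase, lowercase, digits, symbols
HISTORY_DEPTH = 5          # the last 5 passwords may not be reused
MAX_SIMILARITY_EDITS = 3   # assumption: within 3 edits of the previous one is "a variation"

# Constructed stand-in for a cracking dictionary / list of trivial passwords.
DICTIONARY = {"123456", "password", "qwerty", "letmein", "summer"}


def character_classes(password: str) -> int:
    """How many of the four character classes appear."""
    checks = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (Wagner-Fischer), used to catch X34JAN -> X34FEB
    style variations of the previous password."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_password(candidate: str, history=()) -> list:
    """Return the list of violated rules; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if character_classes(candidate) < MIN_CLASSES:
        problems.append("fewer than %d character classes" % MIN_CLASSES)
    if candidate.lower() in DICTIONARY:
        problems.append("dictionary word or trivial password")
    recent = list(history)[-HISTORY_DEPTH:]
    if candidate in recent:
        problems.append("reused within the last %d passwords" % HISTORY_DEPTH)
    elif recent and edit_distance(candidate.lower(), recent[-1].lower()) <= MAX_SIMILARITY_EDITS:
        problems.append("too similar to the previous password")
    return problems


if __name__ == "__main__":
    print(check_password("123456"))
    print(check_password("M$8ni3y0tmd@"))
    print(check_password("X34FEB", ["X34JAN"]))
```

A filter of this kind runs at password-change time, so it cannot catch passwords chosen before it was deployed; those still need the offline cracking audit the text mentions.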

: (cracking),
.

( .)

(shadow) : UNIX,
(password file) /etc/passwd.

,
(world readable) .
( ).
, ( )
.
(shadow).

(
Online): To IDS/IPS ,
online .
, ( .
),
,
(DOS),
,
. ,

:
, .
(
),
. manos01 ,
manos02 .

http://www.albany.edu/~goel/classes/spring2005/msi416/password.ppt

.– Salting

salting
. :

1) O .T (salt:
[1 – 4096])
salt, hash.
To , salt.

2) : .
, salt ,
. ,
hash,
salt. (hashed) .
,
.

: (password file)
.
( salt ),
hash [ 1, salt], [ 2,
salt]….[ , salt]. , (« »)
, .
« » passwords ,
( ) 4096
( ,
4096 salt).
salting .

: hash ( 6).
(hashed)
salt, .
dictionary attack ( brute force).
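An added example (not the book's own code) of the salting procedure just described: a 12-bit salt (4096 values) stored beside the hash, login re-hashing with the stored salt, and the attacker's precomputed unsalted table missing the salted record even though the password is in the word list. SHA-256, the record layout and the word list are assumptions.

```python
"""Salted password storage and why it defeats a precomputed dictionary table."""
import hashlib
import os

SALT_BITS = 12                    # salt in [1 .. 4096] on the page: 2**12 values
SALT_SPACE = 1 << SALT_BITS


def digest(data: str) -> str:
    """SHA-256 stands in for the system's password hash (an assumption)."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def new_salt() -> int:
    """Random salt; it is stored in the clear next to the hash."""
    return int.from_bytes(os.urandom(2), "big") % SALT_SPACE


def salted_hash(password: str, salt: int) -> str:
    """The salt is mixed into the input before hashing, so the same password
    gives a different stored value under each salt."""
    return digest("%d:%s" % (salt, password))


def enroll(password: str, salt=None) -> dict:
    """Step 1 on the page: choose a salt, hash password+salt, store both."""
    if salt is None:
        salt = new_salt()
    return {"salt": salt, "hash": salted_hash(password, salt)}


def login(password: str, record: dict) -> bool:
    """Step 2: re-hash the typed password with the salt read from the record."""
    return salted_hash(password, record["salt"]) == record["hash"]


def precomputed_table(wordlist) -> dict:
    """The attacker's one-off table of unsalted hashes (hash-1 .. hash-n)."""
    return {digest(word): word for word in wordlist}


def lookup_unsalted(record: dict, table: dict):
    """Look a salted record up in an unsalted table: the salt changed the
    digest, so this misses even though the password is in the word list."""
    return table.get(record["hash"])


def crack_with_salt(record: dict, wordlist):
    """What the attacker must do instead: redo the hashing with this record's
    salt. The work is paid per account instead of once per password file."""
    for word in wordlist:
        if salted_hash(word, record["salt"]) == record["hash"]:
            return word
    return None


def table_size_with_salts(wordlist_size: int) -> int:
    """A table that covers every salt is SALT_SPACE (4096) times larger."""
    return wordlist_size * SALT_SPACE


WORDLIST = ["password", "summer", "letmein", "qwerty", "123456"]   # constructed

if __name__ == "__main__":
    record = enroll("summer")
    print(login("summer", record), login("winter", record))
    print(lookup_unsalted(record, precomputed_table(WORDLIST)))      # None
    print(crack_with_salt(record, WORDLIST))                          # summer
```

Note that the salt does nothing against a weak password: crack_with_salt still finds "summer", only once per account rather than once for the whole file. The 12-bit salt is the historic Unix value; current practice uses a random salt of at least 128 bits together with a deliberately slow function (bcrypt, scrypt or Argon2) so that even per-account cracking is expensive.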

2.3
2.3.1

.
. ,

,
,
(physical security) .

: (Identity Verification):
,
» (matching). :

;

: (Identification):
, « ».
:

.
,
. ,
(identity verification) ,
SYA (Something You Are).

( ) :


,

• ( . - )
,

• ( ).

: ,
.
. ,
. , ,
.
.

:
, .
,
. ,
,
( ) .

, .

: (lossy):
,
.

:

:
( ) ,
(server), (workstation)
.

: « » ,

. ,

.
(background) ,
, . ,
,

: ( . ,
, )
( . , , ).
( . , )
.

FAR –
FRR –

[2]

(tradeoff)

100%
.
( , , , ,
, , )
. , ( ) 100%
, ,
( – False Rejection).
, « »,

. ,
( -
False Acceptance).

FRR FAR .
(security threshold)
FAR FRR,
. ,

: ,
, .

• ,
, FAR

.
, .
.

• ,
, FRR ,

. ,
FRR.

http://www.csse.monash.edu.au/courseware/cse2500/ppt/Authentication.ppt

[Figure: score distributions of non-matching prints and matching prints along the matching score d. The threshold splits them: matching prints below it are false non-matches, non-matching prints above it are false matches.]

. ,
.
, ,
( ) .
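An added example (not from the original text) computing FAR and FRR from constructed genuine and impostor matching scores, sweeping the security threshold to show the trade-off and locating the two operating points the text describes: the equal-error point, and a high-security setting that drives FAR to zero at the price of a higher FRR. The scores are made up for the illustration.

```python
"""FAR and FRR as functions of the security threshold of a biometric matcher."""

# Constructed matching scores in [0, 1] (higher = more alike). Ten genuine
# attempts (user vs own template) and ten impostor attempts (someone else).
GENUINE = [0.92, 0.88, 0.81, 0.77, 0.74, 0.69, 0.65, 0.60, 0.55, 0.48]
IMPOSTOR = [0.58, 0.52, 0.47, 0.41, 0.38, 0.33, 0.29, 0.22, 0.18, 0.10]


def accept(score: float, threshold: float) -> bool:
    """The sample is declared a match when its score reaches the threshold."""
    return score >= threshold


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """FAR: share of impostors wrongly accepted.
    FRR: share of genuine users wrongly rejected."""
    far = sum(accept(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not accept(s, threshold) for s in genuine) / len(genuine)
    return far, frr


def sweep(steps=100, genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FAR, FRR) for thresholds 0, 1/steps, ..., 1."""
    return [(t / steps, *error_rates(t / steps, genuine, impostor))
            for t in range(steps + 1)]


def equal_error_threshold(genuine=GENUINE, impostor=IMPOSTOR) -> float:
    """Threshold where FAR and FRR come closest: the equal-error operating point."""
    return min(sweep(1000, genuine, impostor), key=lambda row: abs(row[1] - row[2]))[0]


def threshold_for_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold that keeps FAR within a ceiling (a high-security
    setting). Returns (threshold, FRR paid for it)."""
    for t, far, frr in sweep(1000, genuine, impostor):
        if far <= max_far:
            return t, frr
    return 1.0, 1.0


if __name__ == "__main__":
    for t in (0.3, 0.5, 0.7):
        print("threshold %.2f  FAR %.1f  FRR %.1f" % (t, *error_rates(t)))
    print("equal error at", equal_error_threshold())
    print("FAR 0 requires threshold %.3f with FRR %.1f" % threshold_for_far(0.0))
```

Raising the threshold can only lower FAR and raise FRR, never both at once, which is the trade-off the text describes; with real systems the two distributions overlap far more than in these ten-sample lists, so FAR = 0 usually means an FRR that users will not tolerate.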

(fingerprint)

: &
:
(optical readers)

(Silicon chip)

(ultrasonic)

2.3.2

2.3.2.1 (Fingerprint)

.
60
.

:
.
.
(readers) :

• ( – optical):
( LED)
.

• (Silicon): To
(pixels) -
pixels ( )
( 500 dpi).

pixels.
(chips) ,

( . , ).

Minutiae

www.cis.rit.edu

• (ultrasonic):
(
). ( )
.

,
( «Minutiae»)
, ( )
. 30 ,
1 .
8-10 ,
.

:H
, &
. ,
( , ).

:
, , , ,
. ,
, .

2.3.2.2 (Iris Recognition)

200 ), .

(accurate) :H

DNA.

H &
2 : 1 : 10^52

(replay attacks):

10-40 . (IR)

<= 512 bytes

http://www.globalsecurity.org/security/systems/eye_scan.htm

: (
) .
, .

:
, (replay
attacks) – . .

:
. ,
, ,
.

:
.
. ,
, ( .
).

(Retina)

laser)
&
(identity verification)

Twin One Twin Two


http://perso.wanadoo.fr/fingerchip/biometrics/types/retinal.htm

2.3.2.3 (Retina)

. . ,
( , laser) /
.
.

,
. ,

.
.

:
( , . ).
( 400 ),
(<100 B),
, .

: ,
.
.
,
,
, laser ).

:
,
.

(Hand Geometry)

Accuracy: Moderate
Acceptability: Moderate
Ease of Use: High
Sensor Cost: $1500-$2000
Template Size: 9 Bytes
User Time: 2-3 Seconds

Source: http://www.montgomerycollege.edu/faculty/~cchiang/public_html/nist.ppt

, , )
,
:
: »
FAR 3% - FRR 10%
(identity verification)

2.3.2.4 (Facial Recognition)

: ,
.

: ,
.

( . , , ,
).
,
.

: ,
, .

:
. ). ( . )
( . , , , , ).
,

:
, ( .
).

( . , , ).

(facial recognition)

»( )
:

, ,
:

&
FAR . )
(life detector)
)

2.3.2.5 (Voice Recognition)

( – speaker recognition)
.
( .

),
.

: H
, .

). , ,
.

:
,
( :
,
17 cm)

(Speaker recognition)
www.eie.polyu.edu.hk/~mwmak/SpeakerVerSys.htm

(speech recognition)
,

»)
)

FRR)

, , ,

: ,
« ».
, ( )
. ( .
). ,
, .

:
( . ) ( ,
, ).

:
, .

(challenge-response):
( . ).
, ( )
.

(Palmprint)

http://biometrics.cse.msu.edu/

(Hand vein)

http://www.cedar.buffalo.edu/~govind/CSE666/presentations/cse666/hand_vein.ppt

DNA

(ear shape) www.htgadvancesystems.com

http://perso.wanadoo.fr/fingerchip/biometrics/types/ear.htm
(nail bed)

(body odor)
http://www.nail-id.com/

2.3.2.6

• –
. .

• - o
( )
.
:

. .

• . ,
,
.
. .

• DNA. .H
DNA ,
.
( ,
10 ).

• .
. .

• . .

2.3.3

2.3.3.1

(
. 3-10 ) .
.
(dynamics)
.
, ,
, .

. ( )
, .

:

, , …
: , , z)
, ,…
: »
&

. ,
(
)
.
,
- .

: – ,
. ,
( )
, .

Biometric Technology Comparison

Fingerprint verification: verify or identify; accuracy High; security level High; uniqueness High; robustness Moderate; acceptability Moderate; intrusiveness: touching; ease of use High; template size 512-1000 B; user time 2-3 seconds; hardware cost per unit Low; potential interference: dryness, dirt, age, race.

Facial recognition: verify or identify; accuracy Moderate; security level Moderate; uniqueness Low; robustness Moderate; acceptability High; intrusiveness: 12+ inches; ease of use Moderate; template size 100-3500 B; user time 3-6 seconds; hardware cost per unit Low; potential interference: lighting, hair, age, glasses.

Hand geometry: verify only; accuracy Moderate; security level Moderate; uniqueness Moderate; robustness Moderate; acceptability Moderate; intrusiveness: touching; ease of use High; template size 9 B; user time 2-3 seconds; hardware cost per unit Moderate; potential interference: hand injury, age.

Iris scanning: verify or identify; accuracy Very High; security level Very High; uniqueness High; robustness High; acceptability Low; intrusiveness: 12+ inches; ease of use Moderate; template size 256 B; user time 3-6 seconds; hardware cost per unit High; potential interference: poor lighting.

Retinal scanning: verify or identify; accuracy Very High; security level Very High; uniqueness Very High; robustness High; acceptability Very Low; intrusiveness: 1-2 inches; ease of use Low; template size 96 B; user time 5-9 seconds; hardware cost per unit High; potential interference: glasses.

Voice verification: verify only; accuracy Low; security level Moderate; uniqueness Low; robustness Moderate; acceptability High; intrusiveness: remote; ease of use High; template size 3-15 KB; user time 4-7 seconds; hardware cost per unit Low; potential interference: noise, colds.

Signature verification: verify only; accuracy Low; security level Moderate; uniqueness Low; robustness Low; acceptability High; intrusiveness: touching; ease of use High; template size 50-300 B; user time 4-6 seconds; hardware cost per unit Low; potential interference: changing signatures.

Source: http://www.montgomerycollege.edu/faculty/~cchiang/public_html/nist.ppt

2.3.3.2

(keystroke dynamics) –
(
)
(log-in) ,
( & ).
, hardware.

) vs ..

[Figure: the biometric methods plotted on two axes, affordability and accuracy, each increasing along its axis.]
Source: http://www.csse.monash.edu.au/courseware/cse2500/ppt/Authentication.ppt

2.3.4

: 1

. ,

: , , , , ,
.

:

;

(Universality)

To ,
»
&
, &
,
FAR FRR

, ( .
» « » )
(security threshold)
. ,
,
. ,
,
.

, ,

: :
,
).

.
, PIN password. ,
, /
, . ,
(replay attack) « »

.
(challenge-response)
,
, ( . –
).

. ,

( . SSL
)

. « »
,

.
( .
), . ,
,
« » (reader)

.
« »
.
(smartcards).
(tamper-resistant)
(template)
, ( )
.

..

passwords
(replay attacks)
(liveness detection)
challenge-response
, ,
: Internet
(tamper-resistant smartcards)
Tamper-resistance: ,
).

:
, .

. ,
.
. ,
.

:
;
PC…

;
;

: (
PIN)
.

3
3.1

.
» (passive) ,
.
»
( . ),
« »
.

. ( )
« » (active)

/ . ,
(write)
.

:H
, -
( . , ),
(
).

. , ,
. (fault-
tolerance) .

( ) ,
, .

(Authorization). 2( )
, ( .),
«
;». ,
, ;
,
;

, (Authorization)
.

: ,
. .
. ,

, . .,
, ,
‘ . ,
,
,
. , ,
,
, , (services)
, , , hardware
.

.T
( ).
,
. :
), ( ), .

: , ,
( . ).
&
(Authorization)

(objects) , , ,
, hardware,.)

(Subjects)
, ,
, hosts..)
, , ..

Web, …

: ,
(user names).

.
.

.
,
, (
; ;)

/ .
.

[Figure: the reference monitor. A subject s requests operation op on object o; the monitor checks s, o and op against the policy, and only then lets op reach o.]

.
MAC, DAC, RBAC.

(Reference Monitor).
. ( – kernel),
, , .
,
-
,
.

« » (DAC – Discretionary Access Control):


.
-
, « »
) .

« ’ » (MAC – Mandatory Access Control):


,
, , ,
.
(labels)
.

(clearance) . ,
MAC ( )
,
( . , , ,
).

« » (RBAC – Role based Access Control):


(role)
.
(DAC)
(MAC),
.

DAC, MAC, RBAC,…


(reference monitor)

, (kernel)

3.2 « » DAC

,
- (owner)
.
( ).
» ,
. , , ).
. T
DAC
, , )
.

»
Discretionary Access Control (DAC)

) )

a) ..
b) ..

,
. , , )

a) ..

b) ..

. (
)
.
, .
DAC –

1: (passwords biometrics)
2:
) ;

Access Control Matrix: entry [i,j] holds the rights of subject i on object j
(r = read, x = execute, w = write, o = own)

            file1    file2    program1    file3
User1       orwx     rwx      r           r
User2       rx       x        -           -
Program1    rx       r        r           w
User3       rx       r        r           r

With 50.000 subjects and 300 objects the matrix has 50.000 × 300 = 15.000.000 entries.
.
« »
: ) (user groups)

(RBAC)
, )
( - ACLs) (
- Capability Lists).

DAC –
(ACLs)


(Scalability)

:
(ACL)

(Capabilities)

: «

« ;»

DAC – (Groups)

(group)

,
(user group)
,

[Figure: subjects S1-S5 are members of groups G1-G3, and the groups, rather than the individual subjects, are granted access to objects O1-O6.]

DAC .
(identity) (user
group) :
( Guest,
Administrators, )
,
. « »
.

(Access Control Lists)

. .
. DAC
. .
( ,
),
. ,
( )
, . .

: DAC
, .

: «

.
(User Group).
.
(Access Control Matrix) .

DAC: capability table of one user (subject)

Plotter: Print
Printer1: Print
Printer2: No Access
Accounting.xls: Full Control
Accounting.doc: Read, Write
Payroll.xls: No Access
Clipart: Full Control

Source: http://www.cs.uwf.edu/~rdavid/CEN4540/sec3.ppt
:

Win2k: (Group policy), (domain policy), …


(Public Key certificates)

,
,
.
(group policies) Windows 2000 Windows 2003. ,
,
, ,
.

3.2.1 Windows (NTFS)

(Windows) – Windows
NTFS,
(partition) , (ACL).
(user groups) (
) ,
. NTFS

(partition), ( )
(format) NTFS.

NTFS:

• (Read): ,

• (Write):

• & (Read and Execute): ,


, (
).

• (Modify): , , ,

• (Full Control) – , ,
(owner)

( )
(folders) . ,
NTFS
,
( « » -
).

DAC –
(ACL) Windows XP Professional (NTFS)

(multi-user)
.

: « » (cumulative).

(user groups) . , Bob


(Read) (
Bob) (Modify)
« », Bob
« ».

. (Deny)
.
, .
(Read) ,
,
.

- : Windows NT/2000/XP
( . )
web (
).
. ,
(RBAC)
.
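An added example, not from the original text, covering the DAC material of 3.2 and 3.2.1 together: the access control matrix of 3.2 sliced into ACLs (one per object) and capability lists (one per subject), and an NTFS-style evaluation in which Allow entries from the user and all of its groups accumulate while a Deny entry overrides them (the Bob case above). The rights sets behind each NTFS permission name and the ACE structure are simplifications made for the illustration.

```python
"""DAC: access control matrix, its ACL and capability views, and NTFS-style
evaluation with groups, cumulative Allow and overriding Deny."""
from collections import namedtuple

# The page's matrix. Rights: o = own, r = read, w = write, x = execute.
MATRIX = {
    "User1":    {"file1": "orwx", "file2": "rwx", "program1": "r", "file3": "r"},
    "User2":    {"file1": "rx",   "file2": "x"},
    "Program1": {"file1": "rx",   "file2": "r",   "program1": "r", "file3": "w"},
    "User3":    {"file1": "rx",   "file2": "r",   "program1": "r", "file3": "r"},
}


def acl(obj: str) -> dict:
    """Column of the matrix, stored with the object: who may do what to it."""
    return {subj: rights[obj] for subj, rights in MATRIX.items() if obj in rights}


def capabilities(subj: str) -> dict:
    """Row of the matrix, stored with the subject: what it may do to which objects."""
    return dict(MATRIX.get(subj, {}))


def allowed(subj: str, right: str, obj: str) -> bool:
    """The reference monitor's question, answered from the object's ACL."""
    return right in acl(obj).get(subj, "")


# NTFS-style ACEs. Standard permissions expand to sets of basic rights
# (a simplification of the real NTFS right bits).
PERMISSIONS = {
    "Read": {"read"},
    "Write": {"write"},
    "Read and Execute": {"read", "execute"},
    "Modify": {"read", "execute", "write", "delete"},
    "Full Control": {"read", "execute", "write", "delete",
                     "change permissions", "take ownership"},
}
ACE = namedtuple("ACE", "principal kind permission")   # kind: "Allow" | "Deny"


def effective_rights(user: str, groups, aces) -> set:
    """Allows from the user and from every group are cumulative; any
    matching Deny removes those rights whichever entry allowed them."""
    principals = {user, *groups}
    allowed_rights, denied_rights = set(), set()
    for ace in aces:
        if ace.principal not in principals:
            continue
        target = allowed_rights if ace.kind == "Allow" else denied_rights
        target.update(PERMISSIONS[ace.permission])
    return allowed_rights - denied_rights


# The page's Bob: Read granted to him directly, Modify through a group.
BOB_ACL = [ACE("Bob", "Allow", "Read"), ACE("Staff", "Allow", "Modify")]

if __name__ == "__main__":
    print(acl("file1"))
    print(capabilities("User2"))
    print(effective_rights("Bob", ["Staff"], BOB_ACL))
    print(effective_rights("Bob", ["Staff"], BOB_ACL + [ACE("Staff", "Deny", "Read")]))
```

The ACL answers "who can access this object" in one lookup, the capability list answers "what can this subject reach"; the matrix answers both but, as the size estimate above shows, is not what gets stored. The Deny-wins rule is what makes a Deny on a group dangerous: it silently cancels a right the same user was granted by name.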

DAC
(Deny) NTFS

http://securitytf.cs.kuleuven.ac.be/teaching/ClassicAccessControlTechniques.ppt

3.2.2 Unix

( Unix).
UNIX . Unix,
(ACLs). ,
(permissions)
( ),
(group), (world).
, 10
. (
«-» , «d» ). ,
3 3
, ,
).
(-) (r), (w)
(x).

• – Read ( ):

• – Write ( ): ( & )

• – eXecute ( ): (
).

(directories).

• – Read ( ):
( . ls)

• – Write ( ):
( . , ).

DAC -
(ACL) Unix

1 : .
2–4 : (owner).
5–7 : (group).
8 – 10 : Ta (world).

- rwx rwx rwx . ,

- rwx r-x r-x .


.

d rwx --- --- . ,

:
, .
, ,
.

• - eXecute ( ):

( ):

• ,

. ,
. ls, (
cd)
.

• ,
( cd)
( .
),
( , ,
). ,

& (r-x) ,
).
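An added example (not from the original text) that parses Unix mode strings such as -rwxr-xr-x, or the spaced form used above, applies the owner / group / other decision, and models the directory rules: r to list the names, x to pass through. The numeric uids and gids are made up.

```python
"""Unix permission strings: parsing, the owner/group/other decision, and the
directory rules (r to list, x to traverse)."""
from collections import namedtuple

Mode = namedtuple("Mode", "is_dir owner group other")


def parse_mode(text: str) -> Mode:
    """Accepts the 'ls -l' form ('-rwxr-xr-x') or the spaced form used on
    the page ('d rwx --- ---')."""
    s = text.replace(" ", "")
    if len(s) != 10 or s[0] not in "-d":
        raise ValueError("expected a 10-character mode string: %r" % text)
    triads = [frozenset(c for c in s[i:i + 3] if c != "-") for i in (1, 4, 7)]
    return Mode(s[0] == "d", *triads)


def applicable_bits(mode: Mode, uid: int, gids, file_uid: int, file_gid: int) -> frozenset:
    """Exactly one triad applies: owner if the caller owns the file, else
    group if the caller is in the file's group, else other. They are not
    combined: an owner with '---' is refused even when 'other' has 'rwx'."""
    if uid == file_uid:
        return mode.owner
    if file_gid in gids:
        return mode.group
    return mode.other


def can(mode: Mode, right: str, uid: int, gids, file_uid: int, file_gid: int) -> bool:
    return right in applicable_bits(mode, uid, gids, file_uid, file_gid)


def can_list_dir(mode: Mode, uid: int, gids, file_uid: int, file_gid: int) -> bool:
    """r on a directory: read the names in it (ls)."""
    return mode.is_dir and can(mode, "r", uid, gids, file_uid, file_gid)


def can_traverse_dir(mode: Mode, uid: int, gids, file_uid: int, file_gid: int) -> bool:
    """x on a directory: pass through it (cd, open a known name inside)."""
    return mode.is_dir and can(mode, "x", uid, gids, file_uid, file_gid)


def can_open_path(path_entries, uid: int, gids, right: str) -> bool:
    """path_entries: [(mode, file_uid, file_gid), ...] for each directory on
    the path, followed by the file itself. Every directory needs x; the file
    needs `right`. A private home directory therefore shields a world-readable
    file inside it."""
    *dirs, (file_mode, fuid, fgid) = path_entries
    for mode, duid, dgid in dirs:
        if not can_traverse_dir(mode, uid, gids, duid, dgid):
            return False
    return can(file_mode, right, uid, gids, fuid, fgid)


if __name__ == "__main__":
    home = parse_mode("d rwx --- ---")
    notes = parse_mode("-rw-r--r--")
    print(can_open_path([(home, 1000, 1000), (notes, 1000, 1000)], 1001, [1001], "r"))
```

Two points worth remembering from the code: the triads are exclusive, not cumulative (unlike the NTFS rule in 3.2.1), and a file's own bits are irrelevant if any directory on the way lacks x for the caller.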

3.2.3 DAC

DAC ,
Web-based
,
.
, DAC
,
( , ).

, .
,
,
, DAC .

DAC ,
.
, »
.
(Trojan Horse)

.
DAC - Trojan horse attack

[Figure: Robert's classified address book carries the ACL "Robert: read, write". Ivan inserts a Trojan horse into a shared program. When Robert (a manager) uses the shared program, the Trojan, running with Robert's rights, reads Robert's classified file and copies it into Ivan's directory, whose ACL is "Ivan, Robert: read, write".]
http://my.fit.edu/~tgillett/swe5900/week1/Access%20Control%20Concepts.ppt

(NCSC, 1987):
(ACLs – ).
» Robert (classified)

. Robert
Robert. , « » Ivan
Robert. Ivan, o
,
Robert, .
, ( , – wrapping-
): Robert
, trojan ( Robert)
Robert Ivan. Robert
, .

3.3 « ’ » MAC

« ’ » (MAC).

,
( ) (Multi Level Security -
MLS). ,
( ) . ,
MAC :

1. .
(classification security labels).
(sensitivity)
– µ µ
.

2. .
(classification security label).

µ .

, (labels)
.
MAC
. µ
,

( . DAC,
).

µ .

top secret > secret > confidential > unclassified

3.3.1 Bell-LaPadula

MAC µ
.H « ’ »
Bell LaPadula. ,
-
.
).
. :

• ,
, ,
,
.

• ,
,
,
, .

Mandatory Access Control (MAC)

Bell-LaPadula (confidentiality):
1. simple security property: no read up
2. *-property: no write down

Biba (integrity):
1. simple integrity property: no read down
2. integrity *-property: no write up
: (o
Bell-LaPadula)
.
( - trojan)
, ,
.
,
,
.

Bell-Lapadula ,
.

3.3.2 Biba

To Biba.
.
. ,

. .
. :

1. ,
,
, ,
.

2. ,
, ,
,
.

: Biba
.
« » (download) Internet
(virus). ,
’ . , o
( )
( : )
. Biba (1 )
. ,
(2 ).

: 2 .
,
.
,
.

»
Mandatory Access Control (MAC)

–trojan»

(Bell-LaPadula)
(Biba)

Internet)
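An added example (not from the original text) encoding the Bell-LaPadula and Biba rules over the four levels of this chapter, and contrasting the DAC Trojan horse of 3.2.3 with what Bell-LaPadula permits: a Trojan that runs at the victim's level cannot write to a lower-level sink. The function names and the "sink" formulation are the example's own.

```python
"""Mandatory access control: Bell-LaPadula (confidentiality) and Biba
(integrity) decisions over the page's four levels, with the Trojan scenario."""

LEVELS = ["unclassified", "confidential", "secret", "top secret"]


def rank(label: str) -> int:
    return LEVELS.index(label)


def dominates(a: str, b: str) -> bool:
    """a >= b in the ordering top secret > secret > confidential > unclassified."""
    return rank(a) >= rank(b)


# Bell-LaPadula: the labels are confidentiality clearances / classifications.
def blp_read(subject: str, obj: str) -> bool:
    """Simple security property: no read up."""
    return dominates(subject, obj)


def blp_write(subject: str, obj: str) -> bool:
    """*-property: no write down."""
    return dominates(obj, subject)


# Biba: the labels are integrity levels (how trustworthy data or subject is).
def biba_read(subject: str, obj: str) -> bool:
    """Simple integrity property: no read down."""
    return dominates(obj, subject)


def biba_write(subject: str, obj: str) -> bool:
    """Integrity *-property: no write up."""
    return dominates(subject, obj)


def trojan_can_leak(model: str, victim_level: str, attacker_sink_level: str) -> bool:
    """A Trojan runs with the victim's label. Under DAC it may write wherever
    the victim may, including the attacker's directory. Under BLP it may only
    write to objects at or above its own level, so a lower sink is unreachable."""
    if model == "DAC":
        return True            # the victim's discretionary rights cover the sink
    if model == "BLP":
        return blp_write(victim_level, attacker_sink_level)
    raise ValueError(model)


def download_scenario(downloaded_level: str, system_level: str) -> dict:
    """Biba view of the Internet download in the text: may a high-integrity
    process read the low-integrity file, and may anything at the file's
    level write into the system's objects?"""
    return {
        "system can read download": biba_read(system_level, downloaded_level),
        "download can write system": biba_write(downloaded_level, system_level),
    }


if __name__ == "__main__":
    print("DAC leak:", trojan_can_leak("DAC", "secret", "unclassified"))
    print("BLP leak:", trojan_can_leak("BLP", "secret", "unclassified"))
    print(download_scenario("unclassified", "top secret"))
```

The two models are mirror images: BLP keeps information from flowing down, Biba keeps it from flowing up, and a system that needs both must label objects twice. Neither stops a Trojan from writing to objects at its own level, which is why the level of the sink matters in trojan_can_leak.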

3.4 (RBAC)

« ». ,
(roles):
.
:

Role-based Access Control (RBAC)

[Figure: DAC versus RBAC. Under DAC, Athos, Porthos, Aramis and D'Artagnan are each granted palace, uniform and weapons individually. Under RBAC, the four are assigned the role Musketeer, and the role holds the permissions palace, uniform and weapons.]
http://my.fit.edu/~tgillett/swe5900/week1/Access%20Control%20Concepts.ppt

• .
, ,

, .
, ,
.

• (
).

.
.

: ,
, (least privilege),
:
. Web,
. WEB, .
, . ActiveX,
« » ( )
WEB.

»
Role-based Access Control (RBAC)

, »
, ,
,
, »
,
»( )
-

DAC,

,
( )
. ’ ,

: . DAC,
O (user group)
. RBAC,

,
.

RBAC
:

• MAC:
,
. DAC,

.O
,
. RBAC
,
(least privilege).

• DAC.
,
.
.
,
( ).
, ,
.

( ,
). ,
DAC,
:
, .

RBAC - MAC, DAC

[Figure: Role 1, Role 2 and Role 3 mapped onto Server 1, Server 2 and Server 3.]
http://cs.uccs.edu/~frsn/docs/RoleBasedAccesscontrol.ppt

. RBAC,
. ,
.
,
.
,
.

: “ ” “ ” /
. . ,

, .
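An added example (not from the original text) of the musketeer case: a minimal RBAC store in which users obtain permissions only through roles, a single revocation on the role removing the permission from all four users at once, and a count of administrative entries compared with per-user DAC. Names beyond those in the figure (the "horses" privilege, Richelieu) are made up.

```python
"""RBAC versus per-user DAC: the musketeer example and the administration cost."""


class Rbac:
    def __init__(self):
        self.role_permissions = {}      # role -> set of permissions
        self.user_roles = {}            # user -> set of roles

    def grant(self, role: str, permission: str):
        self.role_permissions.setdefault(role, set()).add(permission)

    def revoke(self, role: str, permission: str):
        self.role_permissions.get(role, set()).discard(permission)

    def assign(self, user: str, role: str):
        self.user_roles.setdefault(user, set()).add(role)

    def permissions_of(self, user: str) -> set:
        """Least privilege: a user holds exactly the union of its roles'
        permissions; nothing is granted to the user directly."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions.get(role, set())
        return perms

    def check(self, user: str, permission: str) -> bool:
        return permission in self.permissions_of(user)


MUSKETEERS = ["Athos", "Porthos", "Aramis", "D'Artagnan"]
PRIVILEGES = ["palace", "uniform", "weapons"]


def build_musketeers() -> Rbac:
    rbac = Rbac()
    for privilege in PRIVILEGES:
        rbac.grant("Musketeer", privilege)
    for user in MUSKETEERS:
        rbac.assign(user, "Musketeer")
    return rbac


def after_revoking_weapons() -> list:
    """Revoke 'weapons' from the role once: every musketeer loses it."""
    rbac = build_musketeers()
    rbac.revoke("Musketeer", "weapons")
    return [rbac.check(user, "weapons") for user in MUSKETEERS]


def after_granting_horses() -> list:
    """Grant a new privilege to the role once: every musketeer gains it.
    'horses' is made up for the illustration."""
    rbac = build_musketeers()
    rbac.grant("Musketeer", "horses")
    return [rbac.check(user, "horses") for user in MUSKETEERS]


def dac_entries(users, privileges) -> int:
    """Per-user grants: one entry per (user, privilege) pair."""
    return len(users) * len(privileges)


def rbac_entries(users, privileges) -> int:
    """One user-role assignment per user plus one grant per privilege."""
    return len(users) + len(privileges)


def changes_to_add_privilege(users, model: str) -> int:
    """Edits needed when the musketeers all need one more privilege."""
    return len(users) if model == "DAC" else 1


if __name__ == "__main__":
    print(after_revoking_weapons(), after_granting_horses())
    print(dac_entries(MUSKETEERS, PRIVILEGES), rbac_entries(MUSKETEERS, PRIVILEGES))
```

The saving grows with the number of users: a privilege change is one edit under RBAC and one per user under DAC, and a user who leaves the organisation is handled by dropping the role assignment rather than by hunting for every object that names them.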

4
4.1 (Malware)

( )
, .
( ) ,
: ( . ,
)
( , –
updates ).

(payload). ,
:

• : (« »
).

• :
( . )

F. Cohen, "Computer Viruses", ASP Press, 1985: a virus is a "program that can 'infect' other programs by modifying them to include a ... version of itself".

Timeline:
1986: Brain
1987: Christmas Card, Jerusalem
1988: The Internet Worm
1992: Michelangelo
1994: Good Times (hoax)
1995:
1998: Chernobyl
1999: Melissa
2000: ILOVEYOU
2003: Slammer, Blaster, …
… 2006: botnets, Wikipedia attack, MySpace/XSS, Storm worm

Source: http://www.f-secure.com/weblog/archives/maldal.jpg

. ,
, .
, :

1. ,
, .

, . HKLM\Software\Microsoft\Windows\CurrentVersion\Run,

2.
,

3.
. ,

Antivirus . C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts « » IP
Web,
« » .

4.1.1 &

(virus).
.
(
– Worm) ( .
USB flash disk ).
O Fred Cohen, to 1985 (F. Cohen, “Computer Viruses”, ASP Press, 1985)
«….
… ».

: , ,
. ,
( ).

(Worm). , ,
,
( . - WAN) Internet
(IRC chat, e-mail, newsgroups, ).

(Trojan Horses).
, ( ’ )
, .
, Trojan (backdoor) ,

’ . trojans
,
.

Spyware – Adware. -
(

), -
(spyware), (adware).
,
(
Web
).

Rootkits. , rootkit
.,
- stealth
, firewalls antivirus. rootkit
,
(backdoors)
.

ots – zombies.
(botnet) ’ ,
(DDOS attacks),
( )
. «bot»,
( ) «robota»
( . IRC bots).
bot «zombie». –
zombies DOS Web,
spam,
(phishing) .

: …
It is estimated that approximately 150 to 200 viruses, Trojans, and other threats
emerge every day.( : McAfee® AVERT® Labs, 2007)

– .
:

• .
.
,
( . mail Worm).

• (floppy, CD, DVD, USB disks,


zip,..).
.

• Web ( html).
Web ( )
, 5.

• .
(Instant messengers, Internet telephony, video conferencing,
IRC clients) (newsgroups),
(Peer to Peer)

• (LAN, WAN). ( . Worm)


, ,

TCP/IP.
(buffer overflow) Worms
. , ,
, (
). ,
(shared)
(P2P).

. (payload)
:

• , ( : adware)

• , (dialers)
( : trojans, spyware)

• , , ( : , worms)

- ,

- (
) Internet ( P2P)

- .

- (boot sectors),
(FAT), (partition tables).

• « » (back door) ( )
( : trojans, rootikits, zombies)

• ( :
worms, bots- zombies)

- ( , )

- (bandwidth)

- ,
DDOS (Distributed DOS).

4.1.2 « »

– .
.
« » .
,
( memory-resident),
» .
,
( –
antivirus), ( ) .
.
.
, ( .
e-mail
).

http://oncampus.richmond.edu/~dszajda/classes/cs395_computer_security/Fall_2004/slides/MaliciousLogic.ppt

.( : McAfee Inc. AVERT library). Vienna
, .
Vienna .com.
Vienna, .com
( ).
, ,
.

»- (parasitic, file-infecting)
H

http://oncampus.richmond.edu/~dszajda/classes/cs395_computer_security/Fall_2004/slides/MaliciousLogic.ppt

[Figure: where a file-infecting virus (V) places itself relative to the application code (A): prepended, appended, overwriting part of A, or integrated between blocks of A.]

: To Jerusalem (1987)
(logic bomb).
, . 18.00, 13 .
, ( ) DDOS
. Jerusalem ,
, 13.

: .
.

– boot sector.
(boot sector) (partition).
.
« » . boot sector
MBR (Master Boot Record)
.

& :
. .

: ,
.

boot sector
.

( - McAfee Inc. AVERT library) : Michelangelo


6
1992 (« »). , Brain (1986)
stealth: antivirus
, Brain ( « » –
memory resident)
» antivirus.

: Boot Sector
(bootable). ,
BIOS USB,
.

– (Multi-partite, Hybrid).
. ,
boot sector .
« »
.O
: , .
.
, ,
.

: Melissa (1999) multipartite


& worm). « » word e-
mail, ( : ) normal.dot
Word. .doc
.
: worm) e-mail 50
(address book) .
(DOS) (mail servers). O
( )
(templates).

:
. ,
) ,
, ) e-mail
,
multipartite ( trojan worm).
spyware & adware, virus Trojan, virus worm .

– (File System). Link,


Cluster, FAT, «file system»,

, .

.
, FAT . FAT ,
, ( )
. . FAT
, .
« »
, .
, .
,
.
stealth:
,

: DIR-II). « » ,
rootkit.

Flash Bios. BIOS


(chip) flash ROM.
(rewritable). flash BIOS (overwriting) BIOS
. To « » ( .
). O CIH Chernobyl (1999 –
: McAfee Inc. AVERT library)
BIOS. ( )
« »: 26
.
chip
(motherboard) .

O Melissa (1999)

http://www.heise.de/ct/99/08/017/bild.gif

- .
(macros).
, . VBA (Visual Basic for
Applications)
. Word, Excel, PowerPoint, Access)
. ,
Word ,
: ) , )
Arial, ) 14.
.

: .
,
. ,
. ,
,
: PC MAC.

: .
( .
Auto-open). ,
.

:
(templates)
.

: (
: Melissa e-mail,
Word .

:
» ILOVEYOU

: worm

Outlook www.caj.co.jp/tec/tec_n/f_il0005iloveyou.htm

IRC client ( )
: : McAfee

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Win32DLL=WINDOWS\Win32DLL.vbs )
: JPG, JPEG, MP3, MP2, VBS, JS,,…
.. .vbs
: 45 . email (2000)

4.1.3 (Worms)

: MyDoom (worm) - 2004

vil.nai.com/vil/content/v_131868.htm

- Worms. Worm
, .

,
.
( . e-mail, IRC,
LAN P2P), ,
,
.
Worms, Scanning Worms,
( . Code Red, Slammer, Blaster )
: worm
, ,
, .
.

ANNAKOURNIKOVA.JPG.VBS (2001),

http://www.f-secure.co.jp/v-descs/v-descs2/onthefly.htm

: worms ,
, ,
.

: The “code red” worm (2001)

www.ciac.org/ciac/bulletins/l-117.shtml

250.000 -9 : CERT)
: DDOS www.whitehouse.gov

: . (buffer overflow)
: (DOS),

.
.
(input) ,

.
»
, EIP
HE
: (DoS)

1.
+ http://www.usenix.org/events/sec03/tech/full_papers/cowan/cowan_html/pointguard-1.gif

2. EIP

3.
: (privileged)

[Figure: stack layout during a buffer overflow – the buffer for variable A, the local values value1 and value2, and the return address; a write to A that exceeds the buffer overwrites the return address with my_address]

, , ,
, , .
(input) (
& )
. . « »
, (overwriting)
EIP (stack),
.
,
. EIP
, ( DOS).

: o Blaster. , worm
DCOM RPC
Windows XP Windows 2000.
(HOST) 135 (TCP) – ,
.
« » (remote shell) 4444 .
HOST «tftp get»
. tftp (trivial file transfer
service) 69 (TCP) HOST, msblast.exe.
, (registry) msblast.exe
. :
, HOST
.
:
Blaster (worm) – 2003

http://www.upenn.edu/computing/virus/03/w32.blaster.worm.html

: RPC. RPC (Remote Procedure Call)


client-server
. (process)

RPC.

Blaster. H Blaster
Internet
(patch) Microsoft.
,
,
RPC, .
,
: CERT):

• O H/Y
• (Task Manager) Windows,
msblast.exe
• RPC,
• firewall ,
(port) 135/TCP
• ,
Microsoft

: antivirus (update)
( msblast.exe) ,
(patch) windows ,
(
).

» Slammer (2003)

Figure 1: The geographic spread of Sapphire in the 30 minutes after release.


http://www.cs.berkeley.edu/~nweaver/sapphire/

4.1.4 (Trojan Horses).

H
, .

, (
) .
,
.

(Trojan Horses)

: »

http://cse.stanford.edu/class/sophomore-college/projects-01/distributed-computing/assets/images/trojan-horse.gif

: : backdoors
Tini
»
,
(telnet) 7777
Netbus, Netcat
Back Orifice 2000,
Subseven

: .

: ,
.
( . , ). ,
. ’
( )
spyware, adware, dialers, Rootkits, (
– multipartite ).

4.1.5 Spyware – Adware Hoax

(Spyware Adware)
.
,
(spyware) ( ) .
(trojans),
.

: spyware / adware :

• freeware, shareware

• (trojan)

• ( . ActiveX)
Web.

Spyware - Adware

http://en.wikipedia.org/wiki/Image:Benedelman-spyware-blogspot-2a.png

Spyware:
. (
) , (Usernames),
(passwords), TAN (Transaction Authorization Number), ,
, .
keylogger
( ) . e-mail .
spyware adware
Internet,
.

: dialer
spyware. , ,

Adware. adware (advertising-supported software)


, , , ,
Internet.
,
, .
adware . To adware
spyware (
spyware). adware :
browser,
(desktop), browser (

browser hijacking), Web,
( ) (web spoofing), .

Hoax -
http://securityresponse.symantec.com/avcenter/venc/data/watching.hoax.html
Subject: FW: VIRUS
IMPORTANT, URGENT - ALL SEEING EYE VIRUS! PASS THIS ON TO
ANYONE YOU HAVE AN E-MAIL ADDRESS FOR. If you receive an email
titled "We Are Watching You!" DO NOT OPEN IT! It will erase everything on
your hard drive. This information was announced yesterday morning from IBM,
FBI and Microsoft states that this is a very dangerous and malicious virus,
much worse than the "I Love You," virus and that there is NO remedy for it at
this time.
Some very sick individual has succeeded in using the reformat function from
Norton Utilities causing it to completely erase all documents on the hard drive.
It has been designed to work with Netscape Navigator and Microsoft Internet
Explorer. It destroys Macintosh and IBM compatible computers. This is a new,
very malicious virus and not many people on your address book will know about
it. Pass this warning along to EVERYONE in it and please share it with all your
online friends ASAP so that this threat may be stopped.

(Hoax). « »
.
: ) (bandwidth)
, ) e-mail ,
E (DOS)
(mail servers), .
, Hoax
command.com.
.

4.1.6

Internet. Internet ,
90 ,
. 1999 Melissa

. , ,
Worm. T worms
, chat, instant
messaging, P2P ( ) .

: worm Nimda (2001, CERT). worm


Outlook Express
e-mail,
. Outlook Express

wav,
.

(scripting languages). ,
,
.

(scripting language)
server ( . PHP, ASP, ) client.
(mobile code):
Javascript, Java Applets ActiveX.
, ,

.
.

. ,
(components) .
.
. Windows, (dll –dynamic
link libraries) (
UNIX: – shared libraries).
. ( )
.
plug-in Internet
, .
Internet
, : (Code
Isolation – . Java), ( .
ActiveX), . 5.

Schneier,

(Schneier 2001)

.

.
, Stealth,
.

( ) Stealth. stealth
, .
stealth Brain ( .
antivirus , Brain
« » antivirus).
( ) : antivirus
« » ,
« » .

Stealth. antivirus
(integrity checking) .
, antivirus
( .
Internet (patch) ).
stealth (memory resident)

( . patch). ’
« » anti-virus
.

Stealth. « » ,
« » ,
(Kernel) .( : Hacker Defender).
, rootkit :

• process (process hiding). rootkit


(Task Manager). ,
( -threads),
.

• (port). To rootkit (ports)


« »
.

• (registry): rootkit
( . « »
, : firewall-service.exe»)


Stealth

Stealth
(Rootkits)
Rootkits. (Administrator)
.
spyware, backdoors, bots, FTP servers .

Kernel API

process service, (port),


(registry)
Rootkit

:
» . ,
(
),
. system crash).

Stealth – .
antivirus .
(definition files).

-1
http://www.cc.gatech.edu/classes/AY2003/cs6265_fall/Polymorph_final.ppt

.
« » antivirus. ,
, antivirus
, . ,

. ,
« », .
( . « » -
). : ,
(pseudorandom number
generator), « »
.

: (Mutation Engines)
. Internet (
: Trident Polymorphic Engine)

• Antivirus, AntiSpyware
• Firewalls
• Patch, Updates
• Disaster Recovery
• Fault Tolerance
4.2

1, «
»
, , .
(prevention),
(detection), (recovery) .
2
, 3
.
, , , /
( , , ).
, ,

.
.

. , Internet
,
.

4.2.1 Antivirus

Antivirus.
: . antivirus

. , ,
. ,
(LAN, Internet).

.
.
.
antivirus
, (
)
. « » (matching), antivirus
.
) (delete), )
(isolation, quarantine) (repair, clean)
.

Antivirus

[Figure: antivirus architecture – in user mode the Antivirus Application and Antivirus Service; in kernel mode the Antivirus Filter driver sitting above the File System Driver, consulting the signature database]
http://download.microsoft.com/documents/uk/technet/learning/downloads/security/Understanding_Malware_Spyware_Viruses_and_Rootkits.ppt

, , : antivirus
.

, -
Web). , antivirus
stealth/rootkits.
antivirus
heuristic scanning, behavior blocking integrity checking
.
.
( . –
false alarm).

( ) ( ) Antivirus

• Interface & .
, . ,

. ,
antivirus
(
).

• . antivirus
(real-time
protection). antivirus
(background),
,
.

• ,
,
antivirus
(virus definitions).
),
.

• . antivirus
(
).
.

• . antivirus (scheduling)
,
.

• : boot sector,
. ,
antivirus

.
boot sector ( ) ,
(overwrite) .

• (event logging).

Antivirus.

• (heuristic) . ( )
. ,

( )
, .
Office,
, ,
, . H
(proactive), « »
.

• (integrity checks). ,
,
(checksum). To
: bit
.
, hash
( 6-« »).
, antivirus
. ,
) ’ ( .
), )
.

• (behaviour blocking).
« » (sandbox)
Java.
’ ,
. ’
« - »( .
, , )
antivirus
( ) . « »
, (
).
, ) « »
, )
» , ) .
« » (reactive) antivirus
» .

: Avast Antivirus

• . antivirus
. ,
( )
, « »
P2P,
(chat, –
instant messaging), Web, . ,
antivirus
firewall, (IDS),
( ) spyware-adware.
Antivirus –
http://www3.uwm.edu/security/

(logic
bombs) ,
(ports)

spyware – adware

: antivirus .
.
( )
antivirus. ,
,
, antivirus
– . , antivirus
/
,
( . firewalls).
antivirus
firewalls,
(IDS), Spyware-Adware, ,
backup ..

4.2.2 Firewall

250 , Sun Tzu, Wu,


“ ”. :

”.

,
, ,
(firewalls).
. firewall

. ,

.
.
firewall,
.

firewalls TCP/IP,
packet filters ( ) application
gateways ( ).

: Kerio

Packet filter. packet-filtering firewalls :

1.
(packet filter rules)
.

2. ,
. packet-filter firewall IP,
TCP, UDP .

• IP , IP
• (Port) ,
• ( & )

3. .
, .

4. « » ,
.

5. ,
.

6. ,

• :
• :

: , firewall
. firewalls,
, , « »
firewall. firewall « »
.

: Kerio

: , firewalls
( ),
) ( )
(Internet).

: Kerio

Application Gateways. firewalls application gateways
« »
TCP/IP. ,
)
( . HTTP, DNS, SMTP, ).
application gateway .
application gateways «
& ».

: , firewall
:

• ( service)


(
« »
)


(

antivirus).

: Kerio

, firewall
» « »
firewall. ,

web ( . cookies, pop-up,

, – IDS).

: Kerio

- .

(packet header)- ( .
, (protocol numbers)
(port numbers).
,
.
(stateful packet inspection). , .
SYN (Sequence
Number, TCP) .

4.2.3 (Vulnerability Scanners)

,
, (hackers)
. , ,
. scanner « »
( ) (exploits).
, ( .
Windows XP Professional SP2) ( )..
(remotely):
(sites), ( .
symantec.com), ,
.

Vulnerability Scanners ( )
: Baseline Security Analyzer

(antivirus, IDS ), scanners


(false positives – , false negatives – ).

scanner ( )
.
» , ( )
. ,
( )
(Intrusion Detection System).

: « » (preventive) ,
scanner ,
.

: scanner , ( ,
« » , . 80-web, 25-mail )
(remote access).
(back door) root-kit.

4.2.4 (Intrusion Detection Systems)

,
. ,
100% .
( ) (hardware),
(insiders)
.

: Snort

http://www.linuxsoft.cz/screenshot_img/1971-a.jpg

, IDS
(logging and audit) « »
( ). » (host-based) IDS
« » ( .
, ( ), port
scans, , DOS),
(NIDS) IDS, firewall

(port scans,
DOS ). IDS :

1. (Misuse Detection). ,
IDS ( )
,
» .
IDS
« » antivirus.
.

2. (Anomaly Detection). IDS


(heuristic)
antivirus. o
( .
, , )
. To IDS
( ):
(threshold)
, IDS.
:

-
-
-

-
.

: , « » (heuristic)
, .
(false positives) (false negatives)

. = ).

IDS. (passive) IDS,


, « »
» . o IDS
( . e-mail
) .

: , IDS
.
(alarm & monitoring systems)
« » .

(reactive) IDS
. ,
firewall (
) ( ) « »
. IDS
(Intrusion Prevention System / IPS).

4.2.5 (Backup)

( . ,
, ),
.
(backup data). (original)
, .

: Windows backup

, :

- ( .,
) , .
, ,
, (hacking) ,
, (cracking).

: Norton Ghost

- ,
, , ,
( . ).

:
. , ) ( . CD-R, DVD-R, ).

(remote backup).

(backup software). To
.

(backup policy).

,
,
.

5
5.1 (Mobile Code)

.
html,
(client) – . Javascript, ActiveX, Applets, VBscript,
( . ASP, PHP, CGI ),
. Web, ,
,
,
, .

. Web
( )
. ,
( . ).
(scripts) – JavaScript,
VBScript, Java applets, ActiveX, SWF
(flash) Office.

: ,
Internet Explorer MAC
Firefox PC. ,
, .

Java applets

Java . Java
.
(Java Virtual Machine, JVM),
. Java
. applet java, ,
,
. Web Java applets (interpreted)
( . Internet Explorer, Netscape, Opera, Firefox)
(client). applets
web-based , animations, & , ,
, .

. applet « » (sandbox)
( ) . , applet
( ) ,
, .
Java, « »

(Security Manager).
Reference Monitor : Security Manager
» applet

( . ,
, ) ,
applet. , applet « » site
applets.

: applets
, ActiveX,
. applets

(sandbox), . ,
,
(Public
Key Infrastructure) Internet.

- Applets

http://detective.internet2.edu/applet/detective-certificate-warning.jpg

http://www.augustana.ca/~mohrj/courses/common/csc120/slides/Ch04/images/applet-in-browser.png

ActiveX

ActiveX ( OLE-Object Link Exchange, COM-


Component Object Model),
. ,
Windows,

. Web, ActiveX ,
Web ( applets,
ActiveX
– . ), .
, ActiveX
Word Excel ,
.

& . ActiveX
. , applets, ActiveX
, « »
. ,
Authenticode, ActiveX
Web, ,
( 6).
’ ActiveX (
),
,
. ,
( DAC).
ActiveX (
, . signed applets)

.
.
, ,

.

– ActiveX

http://www.researchtechs.com

http://www4.dogus.edu.tr/bim/bil_kay/prog_dil/activex/06axu13a.gif

JavaScript

H JavaScript (scripting language)


HTML Web,
(client) (server).
client, Javascript
HTML ( , JavaScript
<script> </script>)

. , JavaScript
(forms) Web
. ,
), ,

Javascript. , JavaScript
( .
pop-up) . , Javascript
« » ,
,
( . ).
, Cross-Site Scripting (XSS),
.

: worm Nimda ( 4)
html Web server ,
JavaScript: Web,
« » eml ( Outlook Express)
worm.

XSS (Cross-Site Scripting)

!!

.
Web.
,
. Internet Explorer ,
: Internet (
), (zone) (High) ,
(Custom)

ActiveX.

(JavaScript, applets ).
, :

• ,
Web,


.
4, ’
.

- ActiveX

:
.

. « » Internet Explorer).

5.2 Cookies

Cookies. cookie
( . JavaScript CGI)

.
cookie ( ) ( ) .

cookies. ( session) cookies

.
( .
,
),
. (persistent) cookies
« » ( , )
. ,
cookie web server
. ( ) cookies :

1. , (counter)
( cookies)

2. ( ) , web server
» password ,
( . web mail
)

3. , ,
« ».
cookie ( ) « »
. ,
Web. .
(« »)
,
.

4. ( )
.

, ’ ( .
customisation – ) .

»

( -personalization).
(persistent) cookies.

5. ( ,
, )– cookies.
“cookies” –
cookie HTTP
»

server

. cookies
, ,
Web. Web,
,
,
.

Cookies (third party cookies).


HTML
domain ( . - banner-
web server « »
). , ,
HTTP ( ,
) cookie ( )
. ’ ,
domains,

domain. , .
( )
domains banners,
.

cookies .

Cookie Theft. cookie « »


. , ).
.
, Javascript, HTML,

cookies .H cookies
(cookie theft). « »
cookie
, . personalization,
( ).
, . Web
mail cookie,
.

Cookie Poisoning. , « » -
cookie, server
. cookie poisoning.
, cookie
,
.

Cookies

Cookies

5.3 (e-Mail Security)

(e-
mail) . o e-mail
Internet, , -
( ) . ,
e-mail .
:

: e-mail
.

: To
.

:
« ».

:
. ,
Internet ( , e-mail),
.

e-mail.
, ,
(mail servers). O
,

(username – ),
(password) « » .

, « » ,
:

. , ,
. , worm
(address book)
, Internet.

. SMTP POP,
mail server
. , ,
( ) ,
( ) ( ).
(outgoing mail server) Internet
, ( )
(routers)
(incoming mail server) e-mail .
:

• . mail
servers routers ,
. hardware) « » ( .
– sniffing).
( . ,
).
, (
) .

• .
.

.
mail server e-mail,
( . client mail server
POP – Post Office Protocol). ,

• , ,
.

• e-mail
(backup policy).
web mail
, web server
.
. ,

, ,
(hacking) mail server.

.H
, ,
. (spoofing),
(phishing), (spamming),
Worm,
,
, e-mail .

PGP. PGP (Phil Zimmermann, 1991)


,
(end to end). (Open PGP)
(
), hash, ,
, ,
. ,
GNU Privacy Guard ( GPG)
.

, PGP.

1. Alice Bob, ,
( )
.

2. H Alice M ( ) KS
.

3. Alice KS
Bob, eB. Bob Alice.

4. Alice ,
, Bob, Internet.

5. O Bob dB
,
KS.

6. O Bob KS
M. O
.

PGP:

+ (concatenation) - (deconcatenation)
m
KS
KS(.) S
eB Bob dB Bob
eB(.) eB
dB(.) dB

1. Alice Bob, ,
( hash )
.

2. H Alice hash M
hash.

3. Alice hash
dA
.

4. Alice M, hash
Bob, Internet.

5. O Bob Alice, eA
hash.

6. O Bob hash M,
hash . ,
.

H PGP (Pretty Good Privacy)

+ (concatenation) – (deconcatenation)
m
(.) (one way hash)
dA(.) . ) dA
KS(.) S
e (.) e

: ,
.
,
Advanced Encryption Algorithm (AES), 256 bit.

ElGamal (1024 bit), hash SHA (Secure


Hash Algorithm) 512 bit, DSA
(Digital Signature Algorithm) 1024 bit.

5.4 TCP/IP

,
. ,
, :
.
;

. ,

.
« » ,
. « » ,
,
, « » .

TCP/IP (
)

Application: HTTP, SMTP, DNS, FTP, TELNET, POP3, IMAP4
Transport: TCP, UDP
Network: IP/IPv6
Data Link: Ethernet, Token Ring, FDDI, ATM, Frame Relay
Physical: TP, Coaxial, Fiber-Optic, Wireless

(layered approach),
.
,
,
, :

1.

2.
.

« »
. - ,
-
. ,
.
( ) TCP/IP
Internet.
« » Internet,
TCP (Transmission Control Protocol) IP (Internet Protocol).

TCP/IP.
,
(Application Layer), ,
(
, Web, e-mail)
..
(transparent) .

,
TCP/IP.

DNS
http://gaia.cs.umass.edu/security/slides/SK-DNSSEC.ppt

[Figure: resolution of the question "www.cnn.com A ?"]
1. The stub resolver on lab.cs.umass.edu asks the resolver dns.cs.umass.edu: www.cnn.com A ?
2. The resolver asks the root server (.): www.cnn.com A ? – reply: ask the .com server (the ip address of the .com server)
3. The resolver asks the .com server: www.cnn.com A ? – reply: ask the cnn.com server (the ip address of the cnn.com server)
4. The resolver asks the cnn.com server: www.cnn.com A ? – reply: xxx.xxx.xxx.xxx
5. The resolver adds the answer to its cache and returns xxx.xxx.xxx.xxx to the stub resolver

5.4.1 DNS (Domain Name System)

, o
lab.cs.umass.edu www.cnn.com.
, Internet ,
IP. DNS
www.cnn.com IP.

1. lab.cs.umass.edu DNS server dns.cs.umass.edu


(resolver) domain
cs.umass.edu.

2. dns.cs.umass.edu IP www.cnn.com,
root servers
DNS ( DNS). root server
, resolver (authoritative) DNS server
domain .com.

3. DNS server domain .com


(authoritative) DNS server domain CNN.com,
IP.

: DNS server IP
host, (cache)
: ( DNS –

IP) . , (reset)
, .

DNS. To DNS
. (host) “ ” (address
lookup queries) DNS server, domain
IP. host DNS
,
. DNS, host )
DNS server ) DNS server « »
(honest). .

1. ( IP) host,
DNS server,
» (cracker). ,
DNS server cracker,
.H IP
cracker ( . phishing attacks
), (
-DOS).

: , o cracker :

- host « »
cracker ( .
IP primary DNS server TCP/IP).

- (router) : ,
, DHCP
host
DNS server . cracker
DHCP hosts
cracker. H
DHCP spoofing.

- host DNS server.


(Man in the Middle attack):
cracker
» DNS server.

2. O host DNS server,


cache DNS server
( ).
H «DNS cache poisoning».

:
DNS, DNS server domains sub-
domains DNS server
. « » ,
.

DNS

domain
, DNS servers

H DNS server (DNS zone)

. To 2000, RSA security


hacker. ,
RSA, DNS server
DNS.
RSA .
.

. domain
IP, “ ” (address lookup query)
DNS server. hosts DNS
servers, servers
. host
server) IP domain ( ,
). “ ”
(reverse lookup query). , host/servers
: .
, o host ( DNS server)
IP domain (reverse lookup).
, , ,
server . hosts
IP, IP
hosts, DNS servers.
cracker
DNS servers domain.

DNSsec. To 1994 o IETF

DNS. To
DNSSEC, DNS Security.

DNSSEC
DNS servers . DNSSEC
:

1. DNS («
DNS server ;»)

2. («
DNS server;»)

3. (key management)
,
DNS servers.

DNS server ( ).
DNS server
DNS server (resolver) DNS,
.
. , resolver
,
.

DNS server, . S,
resolver R, R ( S) S.
S ; R
S S;

DNSSEC
http://gaia.cs.umass.edu/security/slides/SK-DNSSEC.ppt

[Figure: the same resolution of "www.cnn.com A ?" with DNSSEC]
1. The stub resolver on lab.cs.umass.edu asks the resolver dns.cs.umass.edu: www.cnn.com A ?
2. The resolver asks the root server (.): www.cnn.com A ? – reply: ask the .com server, SIG(the ip address and PK of .com server) by its private key
3. The resolver asks the .com server: www.cnn.com A ? – reply: ask the cnn.com server, SIG(the ip address and PK of cnn.com server) by its private key
4. The resolver asks the cnn.com server: www.cnn.com A ? – reply: SIG(xxx.xxx.xxx.xxx) by its private key
5. The resolver adds the answer to its cache and returns xxx.xxx.xxx.xxx to the stub resolver

. , server
server- , servers
« » server

. . servers
domain .com
(authoritative) server domain. , servers
» root servers. ,
(trust paths),
(Public Key Infrastructure – PKI).

: DNSSEC (secrecy,
confidentiality),
.
& ,
( ) .

TCP/IP

Sniffing
LAN ( . Spoofing
) IP MAC
. )

DDOS, DDOS

(Hijacking)
. TCP Hijacking

. Routing attacks –
http://www-128.ibm.com/developerworks/websphere/library/techarticles/0504_mckegney/images/figure4.gif

5.4.2 (Packet Sniffing)

. (packet sniffing)
( . )
E .
:
(Hub), ,
(broadcast).
, LAN.
(NIC) LAN MAC
,
.
. Internet, MAC
MAC .

TCP/IP
Packet Sniffing ( )

LAN: Kurose, 2003

Ethernet, Token Ring


packet sniffer
, .
: Ethereal, dsniff, tcpdump,….

(switched networks)
) -IPsec, SSL, ssh,…
: one-time passwords, challenge-response,

(packet sniffing)

. , ,

. ( . Ethereal, dsniff)
» (insider) hacker
LAN,
.
. ,
( . e-mail).

(Active sniffing)
Packet Sniffing switch -
ARP Spoofing

Arpspoof
Arpredirect
WinARP
Ettercap
Hunt

. - bridge – switch),
. ,
, ,
(MAC). ARP Spoofing.

: Internet ( )

.
( « »
), , ,
:
.
,
, hacker.

Case:
(Packet Switching)

Routing within a subnet (diagram).

, ).

5.4.3 (IP Spoofing)

IP spoofing. host
host TCP/IP. ,
:

: O host-
: host (o A )

X: host.
– . DOS, .
: host.

IP ( datagram)
, host
.
IP ,
host, . . IP spoofing
( . firewalls)
IP
. « » ,
. , ( )
. (Intranets, Extranets).
IP
host . , « »

http://www.bytefusion.com/products/ens/secex/spoof.gif

: IP spoofing, , (
IP
) : host A
, Z ( ).
IP spoofing ,
(
, ) .
(DOS) smurf SYN
flooding, .

0                   16                       31
1 Version | IHL | Type of Service | Total Length
2 Identification | Flags | Fragment Offset
3 Time to Live | Protocol | Header Checksum
4 Source address
5 Destination address
6 Options | Padding
Data…
format IP datagram

. IP spoofing
firewall,
IPSEC, (
) IP.

.
(ingress & egress filtering),
firewalls. , )
( interface )
, )
( interface )

( 1),
hosts ( 2).
,
IP spoofing,
. ISPs Internet
, (
).

5.4.4

TCP.
(Transport Layer).
TCP (Transmission Control Protocol) UDP (User Datagram
Protocol). TCP (reliable)
end-to-end . ,

. TCP
PAR (Positive Acknowledgment with Retransmission).
, PAR ,
“ ”
. TCP
modules segment. segment
(checksum)

. segment
, (Positive
Acknowledgment) . ,
(discard). (time-out),
segment .

(handshake)
TCP
SYN FLOODING

SYN Flooding

TCP segment ( )

TCP (connection-oriented).
end-to-end hosts.
, TCP modules
.
(handshake). TCP segment
bit Flags ( ) 4
segment.

Host A → Host B: SYN
Host B → Host A: SYN, ACK
Host A → Host B: ACK

. (three-way handshake)
handshake TCP
(three-way handshake), .
. host A
host B (segment) bit SYN (Synchronize sequence

numbers) . B
, (sequence
number) A
.
. host B
ACK (Acknowledgment) SYN bits. To
(ACKnowledgement) ,
. ,
o ,
.

TCP SYN Flooding.


TCP . client,
server, server
.
,
(
) .

. TCP
client server TCP segment SYN bit .
, server SYN/ACK
client, 32-bit “ ”
(Source Address) IP. client , ACK
server, .
(SYN ) TCP
,
) . , TCP
SYN, .

host SYN port TCP


. , IP
(IP spoofing) ,
(unreachable) host. IP ,
host SYN/ACKs
host- ( ,
(reset) , –
).

host- SYN/ACKs
SYN ( host X). , IP
TCP host , TCP
IP (
). , ( )
server ,
. ,
, . ,
time-out ( ),
, server
.

’ , host IP
(spoofed),

,
. ,
( handshake),
,
server . ,

, .

: TCP SYN flooding


time-out.
time-out
, ACK.

( TCP server -HTTP, FTP, SMTP ),


. 8 Kilobytes,
(
100 megabytes 25 server). time-
outs, ,
” (spoofed) . ,
time-out
Internet,
server,
.

TCP/IP ( .

). , IP,
o IP ,
TCP/IP. IPSEC
.

To ICMP. Internet Control Message Protocol


.
(connectionless)
(unicast) IP. ICMP
IP (datagrams).

ICMP_ECHO (Ping).
ICMP_ECHO (ping)
TCP/IP. standard format
,
. , firewalls
ICMP_ECHO.

Ping ICMP_ECHO host.
host “ ”
). ICMP_ECHO,
(payload). T
(timestamp),
ICMP_ECHOREPLY ,

ICMP_ECHO
(DOS) host / server.

H ping H ping

http://www.erg.abdn.ac.uk/users/gorry/course/images/icmp-eg.gif

Smurf attack ( : Cert). IP IP


(unicasting), (multicasting)
IP ( - broadcast).
(broadcast address) IP
bit 1. ,
10.0.0.0,
IP : 10.255.255.255.

Smurf, o « »
ICMP_ECHO IP,
. , ICMP_ECHO
IP « » (IP spoofing)
–« ». (
) , ICMP_ECHO-reply.
« ».

[Figure: Smurf attack – a Ping (ICMP_ECHO) with a spoofed source IP (IP Spoofing) is sent to the broadcast IP of a network, and every host's reply is directed at the victim B]

http://www.networkdictionary.com/images/SmurfAttack.gif

: -firewall,
IP (broadcast),
.

DDOS

http://www.cs3-inc.com/images/attack.gif http://www.f-secure.com/slapper/slapper_ddos_attack.jpg

(DDOS).
DOS,
( zombies). , « »
( )
( bot rootkit).

, worm
LAN - Internet. « » -
zombies DOS .
, . -zombies
(Logical
Bomb). 4
DDOS.

5.5
5.5.1 To SSL

SSL .
( ) .
, SSL
.
(intranets) Internet,
.

To SSL (transparent)
. SSL Web server « »
( ’ port 443) HTTP
(port 80). URL port 443 :
https://www.server.com. client ,
SSL ( « » - SSL handshake).
SSL handshake
. ,

SSL. handshake :

1. client ( ) server
(X.509) .
,
root (
). “ ”

(Certificate Authority).

2. client
MAC.
server

server.
client-server server-client ( ).

3.
hash ( ), .
client ( .
: AES, DES,.. – Hash: SHA, MD5 ),
server .( :
server
, .
).

SSL

To SSL
(Diffie-Hellman 1976)
1. O Bob Alice,

2. Bob
3. Alice e
4. Alice C
5. H Alice C d

6. Alice Bob

7. . Bob

5.5.2 IPSEC

IP SECurity ( 3
TCP/IP).
( ) ,
(transparent) . (standard)
firewalls
(LAN), (WAN),
hosts TCP/IP.
( ) IPv4,
IPv6 (Internet Protocol
version 6)

IPSEC (integrity) – « IP
;», (authentication) – «
IP;» (confidentiality) - «

IP ;», .
IPSEC :

• (transport mode), IPSEC


(payload) IP, (
).

IPSEC ( ESP). To IPSEC


(end to end)
client-server, client-client.

• tunnel (tunnel mode), IPSEC


IP, .
IP, . ,
IPSEC- client,
proxy.
tunnel, IPSEC (
ESP). To IPSEC tunnel (end to
end) -firewalls,
VPN.

IPSec .
IP,
:

AH

:
:
:
http://www.isaserver.org/img/upl/IPSec_NAPT_AH1050086915216.gif

AH Header

• AH (Authentication Header).
,
IP.
o mode (transport tunnel),
IP ( header) . MAC

(transport), MAC IP
(tunnel: ).
.

• ESP - (Encapsulating Security Payload).

IP. transport,
( “payload” ),
tunnel IP, ,
, . , ESP

(payload) , .
Transport Packet layout

ESP IP Header ESP Header Payload (TCP, UDP, etc)


Tunnel Packet layout
IP Header ESP Header IP Header Payload (TCP, UDP, etc)

:
:
:
Transport mode:
client-client client-gateway

Tunnel mode : datagram


VPN

: VPN Tunnel. IPSEC IP


.
)
– end-to-end)
(VPN). tunnel mode, IPSEC, ,
IP host ,
:
IP ,
AH ESP).
IP (header) ,
),
. transport, tunnel
(transparent) .

(Virtual Private Networks – VPNs).


, IPSec hosts
(host-to-host), LAN (lan-to-lan), (user-to-LAN)

. VPN
Internet
. VPN
(leased lines)

. , , client
VPN server (VPN-enabled),
( . telnet, mail, ,
), IPSEC.
( . OpenSSH, SSL),
,
.

(VPN)

http://www.conta.uom.gr/conta/ekpaideysh/seminaria/M_Telecommunications/29main.htm

: o IPSEC ’ (default)
: Hash ,
(MAC) ,
.

5.5.3 Firewalls

firewall (software)
(hardware) .
firewall (router).
,

. , « »
( , ) . ,
( )
.

, ,
, « » .
, firewall
. ,
“ ” (transparent) ,
.
(packet filtering) (Network layer)
(Transport layer) TCP/IP, ,
.

[Figure: a firewall as the single point of entry-exit between "My PC" / the Secure Private Network and the INTERNET, enforcing a Security Policy that answers WHO? WHEN? WHAT? HOW?]

http://www.cmpe.boun.edu.tr/courses/cmpe526/spring2005/Cmpe526-20050505-GokhanAydin-Firewalls.ppt

router-firewall

(port).
router ,
router .
« »
hosts,
router. , .

[Figure: firewall placement – the Internet, a LAN 2 segment, and three LAN 3 segments (Users, Secure Servers, DMZ) separated by firewalls]

http://www.cmpe.boun.edu.tr/courses/cmpe526/spring2005/Cmpe526-20050505-GokhanAydin-Firewalls.ppt

packet filter. TCP


(full duplex ).
,
(acknowledgement packets) (control packets)
. ,
ACK bit (flag) (header) ,
. , ACK bit
. ACK bit
,
“ ” hosts .
host ,
. , 199.232.18.0
:

Filter rule number  Action  Source Host   Port  Destination Host  Port  TCP flags  Comment
1                   allow   199.232.18.0  *     *                 25               our mail
2                   allow   *             *     199.232.18.0      *     ACK        their replies

1 :

- 199.232.18.0
, 25 (mail) host .

2 :

-
25 TCP ACK bit ,
host 199.232.18.0.

[Figure: a screening router with an "Inside port" toward the internal network and an "Outside port" toward the Internet; incoming and outgoing packets pass through both interfaces]

packet filter

:
interface ( ),
. interface .
IP spoofing
)– : 135.12.0.0
Internet packet filtering firewall.
(subnets) 10 11. host
135.12.10.201. T
port.
,
” , 135.12.10.0
port ( ). ,
, ,
.

[Figure: a screening router between the inside network (Network=135.12.10.0, Mask=255.255.255.0) and the Internet; an "Address spoofer" on the outside sends a packet claiming to be from 135.12.10.201]

packet filter

. :
,
routers, (port)

(packet header), -
(source) - (destination),
. ,
“ ” ,
,
( ). ,

SYN (Sequence Number, TCP ) .
(stateful packet filtering)

[Figure: third-generation firewall with an Inspection Module for dynamic (stateful) packet filtering – a State Table at the Application layer and Access Rules at the Transport (ports) and Network layers, placed between the internal network and the Internet]

packet filtering Firewalls.

• O
.

• H
firewall. firewall TCP/IP
) “ ”
« ».

• packet filtering firewall


(logging) .

Application Gateways. application gateways

HTTP, TELNET, FTP . proxy.


( . Telnet),
gateway host ,
( ):

1. telnet application gateway


server,

2. To gateway IP (source)
, ,

3. ,

.
4. proxy TELNET gateway
server,

5. proxy
H/Y server, .

6. application gateway (logging) .

[Figure: Application Level Gateway (ALG) for Telnet – the gateway filters at the IP/TCP/UDP level (source and destination IP) and checks user name and passwords before relaying the telnet session]

”. gateway ( proxy)
.
Internet (
). proxy “ ” ,
.
,
. proxy server client .
server client
. (session), proxy
client server
.

: proxy, (log
in) proxy, client host
.

Application Gateways

• gateways ,
, IP
. :
FTP,
“get” “put”.
HTTP
web .

• gateways ( . applets ActiveX).

• gateways
proxy client,
.
» .

[Figure: Network Address Translation at the firewall – internal clients reach the Internet through the firewall, which rewrites their addresses]

• gateways ,
hosts
.
DNS IP gateway. ,
firewall NAT (Network Address Translation).

• gateways
(authentication) (logging).

• firewalls packet filtering, gateways


firewall.
firewall
application gateway.

6

6.1

, ,
.
:

(cipher).

(Substitution)

(Caesar cipher)

:
: I CAME I SAW I CONQUERED
: L FDPH L VDZ L FRQTXHUHG

. (Encryption)
,
(confidentiality).
.

.
(Decryption) ,
.

. , (key),

,
.
( )
.

Kurose, 2003

:
(encryption algorithm)
(decryption algorithm)

.
,
.

To = = )
: ;
!
(Key Management)

Secure Channel
1

4
2
5 E )
3

.
( )

)
Alice eB Bob
: C = E_eB(M)
Bob dB
: M = D_dB(C)

Authenticated Channel
1
eB
4
dB
2
5 C = E_eB(M)
M M
3

)
Bob dB
C = E_dB(M)
Alice Bob eB

Authenticated Channel
1 eB

2
dB 4 OK
2 M, C = E_dB(M)
M 3
»
????
: Alice e Bob?

:
,
(non repudiation).

.
.

:
,
.
, ,
.
,
( ).

[Figure: an X.509 Certificate issued by CA-1 to Bob – Serial #: 5; Subject: Bob; Public Key: (Bob's key); From: 02-28-01; To: 02-28-03; Signature of CA-1. Caption: "As a Certification Authority, I assert that this Public Key is associated with Joe Smith. Signed, CA-1 (Certification Authority)"]

http://www.e-publishing.af.mil/contentmgmt/PKI%20Tutorial.ppt

:
.
.

( )
( . –
).

(
). ,

. ,
( )
, .

)
)
Alice eB Bob
: C = E_eB(M)

Bob dB
: M = D_dB(C)

1
eB, CertB
4
dB
2
5 C = E_eB(M)
M M
3

)
)
Bob dB
C = E_dB(M)

Alice Bob eB

Authenticated Channel
1 eB, CertB

2
dB 4 OK
2 M, C = E_dB(M)
M 3
»
?
, Alice o Bob CA.

6.2

.
. ( )

. ,
100-10.000 .

. ,
,
.
, .

. ,
SSL PGP.

: , Alice
Bob Bob .

( )
dX
eX
CertX
Hash[M] hash
)

, Bob, CertBob
Bob, E_eB(K)
B → A: E_K( )

: PGP
) Kurose, 2003

+ (concatenation) - (deconcatenation)
m
KS
KS(.) S
eB Bob dB Bob
eB(.) eB
dB(.) dB

6.3 Hash (One-way hash functions)

(One Way). ,
, .
f( ). ,
f(X), .

(trapdoor One-way functions).


, ,
.
f( ). ,
f(X), ,
(trapdoor).

:
. ,
.
, .
Schneier, Bruce. Applied
Cryptography. John Wiley &
Sons, Inc., 2nd edition, 1996.

(One-way) x f (x)

&

(trapdoor one way)


One-way: It would take millions of years to compute x from f(x), even if all the computers in the world were assigned to the problem.
(trapdoor)

;
.
1. & RSA
2.

:
RSA
!! n

Hash. hash, : message digest,


fingerprint, cryptographic checksum, MIC (Message Integrity Check), MDC
(Message Detection Code), , ,
(pre-image)
( hash ).
hash ’ ,
,
hash. , hash
(byte),
XOR
.

Menezes, Oorschot, Vanstone,
Handbook of Applied
Cryptography, CRC, 2001

Hash

Hash
1. Compression

H H
(pre
image)
http://en.wikipedia.org/wiki/Hash_algorithm

D R
hash)
2. :
x
H,
H(x)

http://msdn.microsoft.com/library/en-us/dnvs05/html/datastructures_guide2-fig09.gif

Hash. hash, a)
hash: hash( )
,
hash( ). , )
(collision resistant): , ’
hash( )=hash(M’).
Menezes, Oorschot, Vanstone,
Handbook of Applied
Cryptography, CRC, 2001

Hash

Hash Hash
Hash 1. One way:
hash
(collision resistance)

D R ,

hash.
2. Collision-Resistance:

:
http://msdn.microsoft.com/library/en-us/dnvs05/html/datastructures_guide2-fig09.gif hash
: |D| > |R| , ,
hash

(one-way)
hash. ,
( bit) (output) . ,

(input) . bit
, , , bit hash.
hash,
. , hash ,
’ hash(M) =
hash(M’). hash MD5, o
SHA (Secure Hash Algorithm) : 256 512 bit.

Hash .
( hash ),
hash .
.
)
)

M Authenticated Channel
2 1 eB, CertB

hash 3
dB 5 OK
3 M, E_dB(H(M))
)
4
»
:
,
Bob )
: PGP

: hash ,

: , ’
hash(M)=hash(M’) ’.

6.4

( )
. ,

. H Alice Bob. Bob


( ). Bob
Alice. Alice
Bob:

, Alice, Bob;

Bob :

B → A: Alice, Bob, E_dB(Hash[Alice, Bob])

Alice , Hash ,

Bob Hash. Mallory


Bob,
.

. Bob
Alice ;
.
:

, Bob, -Bob
A → B
B → A: Alice, Bob, E_dB(Hash[Alice, Bob])

, (Mallory)
Bob eM Alice.

. Alice Bob.

.
. ,
( ),
. .

.
Alice Bob ,
. –
.

, Bob, CertB

A → B
B → A: Alice, Bob, E_dB(Hash[Alice, Bob])

Alice Bob,

).
Bob,
CertB.

Mallory Bob, :

, Bob, CertB
A → M
M → A: ???

,
.

( . ),
(certification authority).
:
X.509

CA-1 ) Bob
Bob
CA-2 CA-1
CA-2
Subject: CA1 Subject: Bob
» Alice,
Public Key: Public Key: 500 widgets
Alice
would cost
$500000.00

Signature Signature Signature


CA-2 CA-1 Bob

http://www.smart.gov/information/polk/polk.ppt

:
CA–1 Bob
Alice CA-2

.
. Bob
CA1 Alice (
Alice CA2), Alice
Bob.
(trust path):

CA1
CA2, :

A → B: , Bob, CertB, CertCA1
B → A: Alice, Bob, E_dB(Hash[Alice, Bob])

Alice Bob,

CA2 ( ).
Bob,
CertB.

.509

H »:
H Alice « CA-2
H CA-2 « CA-1
H CA-1 Bob
: Alice B Bob
1. , Bob

2. ,
Bob
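The signature E_dB(H(M)) of section 6.4 and the trust path Alice, CA-2, CA-1, Bob described above, worked through as an added example that is not from the book: toy RSA key pairs built from small primes (insecure, for illustration only), certificates as (subject, public key, issuer) signed by the issuer, and a chain check that starts from the CA Alice already trusts. All names, key sizes and helper functions here are constructed for the example.

```python
import hashlib
from math import gcd

E = 65537  # public exponent shared by all toy key pairs (constructed setup)


def _is_prime(n: int) -> bool:
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def _primes_from(start: int, count: int) -> list:
    # Deterministic small primes so the example runs offline and repeatably
    found, n = [], start
    while len(found) < count:
        if _is_prime(n):
            found.append(n)
        n += 1
    return found


def make_keypair(p: int, q: int):
    # Returns (public key e_X, private key d_X), each as (exponent, modulus)
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(E, phi) == 1
    return (E, n), (pow(E, -1, phi), n)


def H(data: bytes, n: int) -> int:
    # H(M): SHA-256, reduced mod n so the toy modulus can carry it
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    d, n = priv
    return pow(H(data, n), d, n)          # E_d(H(M)): hash, then "encrypt" with d


def verify(pub, data: bytes, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == H(data, n)   # recover with e, compare with own hash


def cert_body(cert: dict) -> bytes:
    e, n = cert["pub"]
    return f"{cert['subject']}|{e}|{n}|{cert['issuer']}".encode()


def issue_cert(issuer: str, issuer_priv, subject: str, subject_pub) -> dict:
    cert = {"subject": subject, "pub": subject_pub, "issuer": issuer, "sig": None}
    cert["sig"] = sign(issuer_priv, cert_body(cert))
    return cert


def verify_chain(trusted: dict, chain: list) -> bool:
    # chain = [CertB, CertCA1, ...], from the end entity up towards the anchor
    # Alice already trusts (CA-2); every issuer must already be known
    known = dict(trusted)
    for cert in reversed(chain):
        issuer_pub = known.get(cert["issuer"])
        if issuer_pub is None or not verify(issuer_pub, cert_body(cert), cert["sig"]):
            return False
        known[cert["subject"]] = cert["pub"]
    return True


def alice_accepts(trusted: dict, chain: list, claimed: str, msg: bytes, sig: int) -> bool:
    # 1. the trust path must end at `claimed`; 2. the signature must verify under that key
    if not chain or chain[0]["subject"] != claimed or not verify_chain(trusted, chain):
        return False
    return verify(chain[0]["pub"], msg, sig)


# Constructed setup: CA-2 is Alice's anchor, CA-2 certifies CA-1, CA-1 certifies Bob;
# Mallory has his own key pair but no certificate from the chain
_p = _primes_from(10**6, 8)
CA2_PUB, CA2_PRIV = make_keypair(_p[0], _p[1])
CA1_PUB, CA1_PRIV = make_keypair(_p[2], _p[3])
BOB_PUB, BOB_PRIV = make_keypair(_p[4], _p[5])
MAL_PUB, MAL_PRIV = make_keypair(_p[6], _p[7])
CERT_CA1 = issue_cert("CA-2", CA2_PRIV, "CA-1", CA1_PUB)
CERT_B = issue_cert("CA-1", CA1_PRIV, "Bob", BOB_PUB)
TRUSTED = {"CA-2": CA2_PUB}
```

Alice rejects a chain whose issuer she cannot trace back to CA-2 (Mallory certifying himself as "Bob"), a real chain used with a signature made under another key, and a message altered after signing; only the complete path CertCA1, CertB together with a signature under d_B passes.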

6.4.1 (MAC)

Message Authentication Code (MAC).


MAC, hash ( )
.
, hash
. , Alice hash
, hash ,
« » Bob.

Menezes, Oorschot, Vanstone, Handbook of Applied Cryptography, CRC, 2001

MAC (Message Authentication Code)

C: MAC HMAC
1.
hash (n-bit) Hash
: 2. H C(M)

: MAC (n–bit)
H(M,K)
Hash
,
HASH MAC

. )

H Alice MAC
Bob. Bob
MAC(M). Bob C. , Bob
Alice : Alice
, Alice MAC( ).
hash,
. ,
hash , . 256 bit,
’ )= ’) .

: C

[Figure: MAC exchange. Labels recoverable from the diagram: Secure Channel; K (shared key, step 1); M, C(M) (step 3); comparison MAC(M) = MAC(M)? → YES (OK) / NO; steps 1 to 5.]
Hash Hash

: Hash
, hash (collision resistant)
, MAC
(one-way): A hash , Eve !!!

:
.
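To make the hash-versus-MAC difference above concrete, the following added example (not from the book) lets Eve rewrite a message that is protected only by a public hash, and then one protected by a MAC C(M) = H(M, K). It uses Python's hashlib and hmac modules; the key K, the messages and the two "Eve" functions are constructed for the illustration.

```python
import hashlib
import hmac
import secrets


def h(msg: bytes) -> bytes:
    # Plain hash: anybody, including Eve, can compute it; no secret is involved
    return hashlib.sha256(msg).digest()


def c(key: bytes, msg: bytes) -> bytes:
    # MAC C(M) = H(M, K): here HMAC-SHA256 under the shared key K
    return hmac.new(key, msg, hashlib.sha256).digest()


def bob_checks_hash(msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(h(msg), tag)


def bob_checks_mac(key: bytes, msg: bytes, tag: bytes) -> bool:
    # Constant-time comparison, so the check itself leaks nothing about the tag
    return hmac.compare_digest(c(key, msg), tag)


def eve_rewrites_hashed(packet: tuple, new_msg: bytes) -> tuple:
    # Eve replaces M with M' and simply recomputes the public hash
    return new_msg, h(new_msg)


def eve_rewrites_macd(packet: tuple, new_msg: bytes) -> tuple:
    # Without K, Eve cannot compute C(M'); reusing the old tag is all she has
    _, old_tag = packet
    return new_msg, old_tag


def demo() -> tuple:
    # Returns (hash_detected_tampering, mac_detected_tampering)
    K = secrets.token_bytes(32)              # step 1: K agreed over a secure channel (constructed)
    M = b"Pay 100 EUR to Carol"             # constructed message
    M2 = b"Pay 100 EUR to Eve"              # Eve's replacement M'

    hashed = (M, h(M))
    tampered = eve_rewrites_hashed(hashed, M2)
    hash_detects = not bob_checks_hash(*tampered)

    macd = (M, c(K, M))
    tampered2 = eve_rewrites_macd(macd, M2)
    mac_detects = not bob_checks_mac(K, *tampered2)
    return hash_detects, mac_detects
```

demo() returns (False, True): the hash-only packet passes Bob's check after Eve's rewrite, while the MAC check fails because the tag over M' needs K.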

6.5

:
(dictionary attack). « » « »
bit, ( )
(pseudo-randomness generator). bit
.

.O “ ”
, (brute-force).
, Mallory
.
,

. 8 bits, 2^8, 256 .
, 256 ,
50% .
.
128 bit, 2^127 ,
. .

: ,
128 bit. ,
1024 bit.
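The "half the key space on average" rule of the paragraph above, simulated as an added example that is not part of the book: a constructed 8-bit toy cipher, a known-plaintext brute-force search over all 2^8 keys, and the average number of trials, which comes out at 128.5, just over half of 256. The toy cipher and the plaintext are constructed for the illustration; expected_trials() applies the same rule to a real key length.

```python
# Constructed toy cipher: every byte is shifted by the 8-bit key k (0..255) mod 256.
def toy_encrypt(key: int, pt: bytes) -> bytes:
    return bytes((b + key) & 0xFF for b in pt)


def brute_force(pt: bytes, ct: bytes, bits: int = 8) -> tuple:
    # Known-plaintext search: try keys in order until one reproduces ct.
    # Returns (key_found, number_of_trials); (None, 2**bits) if nothing matches.
    for trials, k in enumerate(range(2 ** bits), start=1):
        if toy_encrypt(k, pt) == ct:
            return k, trials
    return None, 2 ** bits


def average_trials(bits: int = 8) -> float:
    # Average over every possible true key of the trials the attacker needs
    pt = b"attack at dawn"  # constructed known plaintext
    total = 0
    for true_key in range(2 ** bits):
        found, trials = brute_force(pt, toy_encrypt(true_key, pt), bits)
        assert found == true_key  # the shift cipher has exactly one matching key
        total += trials
    return total / 2 ** bits  # 128.5 for 8 bits: about half the key space


def expected_trials(bits: int) -> int:
    # Same rule for a real key length: 2^(bits-1) trials on average
    return 2 ** (bits - 1)
```

The attacker trying keys in order needs k+1 trials for true key k, so the average over 256 keys is 257/2 = 128.5; for a 128-bit key the same reasoning gives 2^127, the figure quoted in the text.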

: ,
,
. ( Diffie
Hellman), .

: ( )
. ,

( ).

(smart card): PIN


.

. …

&
8-bit
32 ROM
512 bytes RAM
(tamper-resistance)
(PIN + )

- .
,
.
. ,
(key update). ,
(session).
,
,
.
