Professional Documents
Culture Documents
Lec1 Security
Lec1 Security
Security
1
About This Course
Suggested books
Cryptography: Theory and Practice
by Douglas R. Stinson CRC press
y:
Cryptography and Network Securit
m
Principles and Practice; By Willia
Stallings Prentice Hall
4
Information Security
5
C.I.A
Confidentiality, Integrity and Availability
Information Systems are decomposed in
three main portions, hardware, software
and communications
with the purpose to identify and apply information
security industry standards, as mechanisms of
protection and prevention, at three levels or layers:
Physical, personal and organizational
6
Various Securities
Data security
Data security is the means of ensuring that data is kept safe from
corruption and that access to it is suitably controlled.
Computer Security
The objective of computer security includes protection of
information and property from theft, corruption, or natural disaster,
while allowing the information and property to remain accessible
and productive to its intended users.
Malware: malicious software
includes computer viruses, worms, trojan horses, most
rootkits, spyware, dishonest adware,
Network Security
protect the network and the network-accessible resources from
unauthorized access, consistent and continuous monitoring and
measurement of its effectiveness 7
Network Security
network security and information security are often
used interchangeably
Principal Principal
(sender) (receiver)
Security Security
transformation transformation
attacker
9
Attacks, Services and
Mechanisms
Security Attacks
Action compromises the information security
Could be passive or active attacks
Security Services
Actions that can prevent, detect such attacks.
Such as authentication, identification, encryption, signature, secret
sharing and so on.
Security mechanism
The ways to provide such services
Detect, prevent and recover from a security attack
10
Attacks
Passive attacks
Interception
Release of message contents
Traffic analysis
Active attacks
Interruption, modification, fabrication
Masquerade
Replay
Modification
Denial of service
11
Information Transferring
12
Attack: Interruption
13
Attack: Interception
Wiring,
eavesdrop
14
Attack: Modification
Replaced
intercept
info
15
Attack: Fabrication
Ali: this is
…
Ali: this is
…
16
Attacks, Services and
Mechanisms
Security Attacks
Action compromises the information security
Could be passive or active attacks
Security Services
Actions that can prevent, detect such attacks.
Such as authentication, identification, encryption,
signature, secret sharing and so on.
Security mechanism
The ways to provide such services
Detect, prevent and recover from a security attack
17
Important Services of Security
Confidentiality, also known as secrecy:
only an authorized recipient should be able to extract the
contents of the message from its encrypted form. Otherwise, it
should not be possible to obtain any significant information
about the message contents.
Integrity:
the recipient should be able to determine if the message has been
altered during transmission.
Authentication:
the recipient should be able to identify the sender, and verify
that the purported sender actually did send the message.
Non-repudiation:
the sender should not be able to deny sending the message.
18
Secure Communication
protecting data locally only solves a minor part of
the problem.
19
Secure Communication
20
Secure Communication
The combined protocol HTTP/TLS or SSL is often
referred to as HTTPS. SSL was originally developed by
Netscape for secure communication on the Internet, and
was built into their browsers. SSL version 3 was then
adopted and standardized as the Transport Layer Security
(TLS) protocol.
Use of Public Key Infrastructure (PKI) for session key
exchange during the handshake phase of TLS has been
quite successful in enabling Web commerce in recent
years.
TLS also has some known vulnerabilities: it is
susceptible to man-in-the-middle attacks and denial-
of-service attacks.
21
SOAP security
SOAP (Simple Object Access Protocol) is designed to pass through
firewalls as HTTP. This is disquieting from a security point of view.
Today, the only way we can recognize a SOAP message is by parsing
XML at the firewall. The SOAP protocol makes no distinction
between reads and writes on a method level, making it impossible to
filter away potentially dangerous writes. This means that a method
either needs to be fully trusted or not trusted at all.
The SOAP specification does not address security issues directly,
but allows for them to be implemented as extensions.
As an example, the extension SOAP-DSIG defines the syntax and
processing rules for digitally signing SOAP messages and validating
signatures. Digital signatures in SOAP messages provide integrity and
non-repudiation mechanisms.
22
PKI
PKI key management provides a sophisticated framework for
securely exchanging and managing keys. The two main
technological features, which a PKI can provide to Web
Services, are:
Encryption of messages: by using the public key of the recipient
Digital signatures: non-repudiation mechanisms provided by PKI and
defined in SOAP standards may provide Web Services applications with
legal protection mechanisms
Note that the features provided by PKI address the same
basic needs as those that are recognized by the
standardization organizations as being important in a Web
Services context.
In Web Services, PKI mainly intervenes at two levels:
At the SOAP level (non-repudiation, integrity)
At the HTTPS level (TLS session negotiation, eventually assuring
authentication, integrity and privacy)
23