Conclusion

Conclusion 1
Course Summary
• Crypto
  o Basics, symmetric key, public key, hash functions and other topics, cryptanalysis
• Access Control
  o Authentication, authorization, firewalls, IDS
• Protocols
  o Simplified authentication protocols
  o Real-world protocols
• Software
  o Flaws, malware, SRE, development

Conclusion 2
Crypto Basics
• Terminology
• Classic ciphers
  o Simple substitution
  o Double transposition
  o Codebook
  o One-time pad
• Basic cryptanalysis

Conclusion 3
Symmetric Key
• Stream ciphers
  o A5/1
  o RC4
• Block ciphers
  o DES
  o AES, TEA, etc.
  o Modes of operation
• Data integrity (MAC)

Conclusion 4
Public Key
• Knapsack (insecure)
• RSA
• Diffie-Hellman
• Elliptic curve crypto (ECC)
• Digital signatures and non-repudiation
• PKI

Conclusion 5
Hashing and Other
• Birthday problem
• SHA-3
• HMAC
• Clever uses (online bids, blockchain and cryptocurrency)
• Other topics
  o Secret sharing, random numbers, information hiding (stego, watermarking)

Conclusion 6
Authentication
• Passwords
  o Verification and storage (salt, etc.)
  o Cracking (math)
• Biometrics
  o Fingerprint, hand geometry, iris scan, etc.
  o Error rates
• Two-factor, single sign-on, web cookies

Conclusion 7
Authorization
• History/system certification
• ACLs and capabilities
• Multilevel security (MLS)
  o BLP, Biba, compartments, covert channel, inference control
• CAPTCHA
• Firewalls
• IDS

Conclusion 8
Simple Protocols
• Authentication
  o Using symmetric key
  o Using public key
  o Session key
  o Perfect forward secrecy (PFS)
  o Timestamps
• Zero knowledge proof (Fiat-Shamir)

Conclusion 9
Real-World Protocols
• SSH
• SSL
• IPSec
  o IKE
  o ESP/AH, tunnel/transport modes, …
• Kerberos
• Wireless: WEP & GSM

Conclusion 10
Software Flaws and Malware
• Flaws
  o Buffer overflow
  o Incomplete mediation, race condition, etc.
• Malware
  o Brain, Morris Worm, Code Red, Slammer
  o Malware detection
  o Future of malware, botnets, etc.
• Other software-based attacks
  o Salami, linearization, etc.

Conclusion 11
Insecurity in Software
• Software reverse engineering (SRE)
  o Software protection
• Software development
  o Open vs closed source
  o Finding flaws (do the math)

Conclusion 12
Crystal Ball
• Cryptography
  o Well-established field
  o Don’t expect major changes
  o But some systems will be broken
  o ECC is a major “growth” area
  o Quantum crypto may prove worthwhile…
  o …but for now it’s mostly (all?) hype

Conclusion 13
Crystal Ball
• Authentication
  o Passwords will continue to be a problem
  o Biometrics should become more widely used
  o Smartcards/tokens will be used more
• Authorization
  o ACLs, etc., are well-established areas
  o CAPTCHAs are an interesting new topic
  o IDS (based on machine learning/AI) is a hot topic

Conclusion 14
Crystal Ball
• Protocols are challenging
• Difficult to get protocols right
• Protocol development is often haphazard
  o “Kerckhoffs’ Principle” for protocols?
  o Would it help?
• Protocols will continue to be a source of subtle problems

Conclusion 15
Crystal Ball
• Software is a huge security problem today
  o Buffer overflows are on the decline…
  o …but race condition attacks might increase
• Virus writers are getting smarter
  o Botnets
  o Polymorphic, metamorphic, sophisticated attacks, …
  o Future of malware detection?
• Malware will continue to be a BIG problem

Conclusion 16
Crystal Ball
• Other software issues
  o Reverse engineering will not go away
  o Secure development will remain hard
  o Open source is not a panacea

Conclusion 17
The Bottom Line
• Security knowledge is needed today…
• …and it will be needed in the future
• Necessary to understand technical issues
  o The focus of this class
• But technical knowledge is not enough
  o Human nature, legal issues, business issues, ...
  o As with anything, experience is helpful

Conclusion 18
A True Story
• The names have been changed…
• “Bob” took my information security class
• Bob then got an intern position
  o At a major company that does lots of security
• One meeting, an important customer asked
  o “Why do we need signed certificates?”
  o “After all, they cost money!”
• The silence was deafening

Conclusion 19
A True Story
• Bob’s boss remembered that Bob had taken a security class
  o So he asked Bob, the lowly intern, to answer
  o Bob mentioned a man-in-the-middle attack on SSL
• Customer wanted to hear more
  o So, Bob explained the MiM attack in some detail
• The next day, “Bob the lowly intern” became “Bob the full-time employee”

Conclusion 20