Conclusion
Course Summary
Crypto
o Basics, symmetric key, public key, hash functions and other topics, cryptanalysis
Access Control
o Authentication, authorization, firewalls, IDS
Protocols
o Simplified authentication protocols
o Real-World protocols
Software
o Flaws, malware, SRE, development
Crypto Basics
Terminology
Classic ciphers
o Simple substitution
o Double transposition
o Codebook
o One-time pad
Basic cryptanalysis
Symmetric Key
Stream ciphers
o A5/1
o RC4
Block ciphers
o DES
o AES, TEA, etc.
o Modes of operation
Data integrity (MAC)
Public Key
Knapsack (insecure)
RSA
Diffie-Hellman
Hashing and Other
Birthday problem
SHA-3
HMAC
Clever uses (online bids, blockchain and cryptocurrency)
Other topics
o Secret sharing, random numbers, information hiding (stego, watermarking)
Authentication
Passwords
o Verification and storage (salt, etc.)
o Cracking (math)
Biometrics
o Fingerprint, hand geometry, iris scan, etc.
o Error rates
Two-factor, single sign-on, Web cookies
Authorization
History/system certification
ACLs and capabilities
Multilevel security (MLS)
o BLP, Biba, compartments, covert channel, inference control
CAPTCHA
Firewalls
IDS
Simple Protocols
Authentication
o Using symmetric key
o Using public key
o Session key
o Perfect forward secrecy (PFS)
o Timestamps
Zero knowledge proof (Fiat-Shamir)
Real-World Protocols
SSH
SSL
IPSec
o IKE
o ESP/AH, tunnel/transport modes, …
Kerberos
Wireless: WEP & GSM
Software Flaws and Malware
Flaws
o Buffer overflow
o Incomplete mediation, race condition, etc.
Malware
o Brain, Morris Worm, Code Red, Slammer
o Malware detection
o Future of malware, botnets, etc.
Other software-based attacks
o Salami, linearization, etc.
Insecurity in Software
Software reverse engineering (SRE)
o Software protection
Software development
o Open vs closed source
o Finding flaws (do the math)
Crystal Ball
Cryptography
o Well-established field
o Don’t expect major changes
o But some systems will be broken
o ECC is a major “growth” area
o Quantum crypto may prove worthwhile…
o …but for now it’s mostly (all?) hype
Crystal Ball
Authentication
o Passwords will continue to be a problem
o Biometrics should become more widely used
o Smartcard/tokens will be used more
Authorization
o ACLs, etc., well-established areas
o CAPTCHAs are an interesting new topic
o IDS (based on machine learning/AI) is hot topic
Crystal Ball
Protocols are challenging
Difficult to get protocols right
Protocol development often haphazard
o “Kerckhoffs’ Principle” for protocols?
o Would it help?
Protocols will continue to be a source of subtle problems
Crystal Ball
Software is a huge security problem today
o Buffer overflows are on the decline…
o …but race condition attacks might increase
Virus writers are getting smarter
o Botnets
o Polymorphic, metamorphic, sophisticated attacks, …
o Future of malware detection?
Malware will continue to be a BIG problem
Crystal Ball
Other software issues
o Reverse engineering will not go away
o Secure development will remain hard
o Open source is not a panacea
The Bottom Line
Security knowledge is needed today…
…and it will be needed in the future
Necessary to understand technical issues
o The focus of this class
But technical knowledge is not enough
o Human nature, legal issues, business issues, ...
o As with anything, experience is helpful
A True Story
The names have been changed…
“Bob” took my information security class
Bob then got an intern position
o At a major company that does lots of security
One meeting, an important customer asked
o “Why do we need signed certificates?”
o “After all, they cost money!”
The silence was deafening
A True Story
Bob’s boss remembered that Bob had taken a security class
o So he asked Bob, the lowly intern, to answer
o Bob mentioned man-in-the-middle attack on SSL
Customer wanted to hear more
o So, Bob explained MiM attack in some detail
The next day, “Bob the lowly intern” became “Bob the fulltime employee”
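The point Bob made to the customer, in miniature, as an added example that is not part of the original slides: a client that skips the issuer-signature check accepts any public key presented under the server's name, which is exactly what a man-in-the-middle needs, while a client that verifies the certificate against a trusted CA key rejects the forged one. Textbook RSA with small primes, the toy certificate layout, the toy CA and the hostname bank.example are all assumptions made for illustration; nothing here is secure or resembles real X.509 processing.

```python
"""Toy model of why a TLS/SSL client must verify the CA signature on the
server certificate. Added illustration, not from the original slides.
Textbook RSA with small primes, the certificate format, the CA and the
hostnames are assumptions for readability; this is not secure."""
import hashlib


def keygen(p, q, e=65537):
    """Textbook RSA keypair. p and q must be primes below 65537 so that e
    is coprime to (p-1)(q-1); pow(e, -1, phi) raises ValueError otherwise."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def digest(data: bytes, n: int) -> int:
    """SHA-256 of data reduced mod n (toy-sized n cannot hold 256 bits)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data, n)


def tbs(name: str, pub) -> bytes:
    """The 'to-be-signed' part of a toy certificate: subject name + key."""
    return f"{name}|{pub[0]}|{pub[1]}".encode()


def make_cert(name, subject_pub, issuer_priv):
    """Certificate = subject name, subject public key, issuer signature.
    Passing the subject's own private key as issuer_priv gives a
    self-signed certificate, i.e. one nobody paid a CA to sign."""
    return {"name": name, "pub": subject_pub,
            "sig": sign(issuer_priv, tbs(name, subject_pub))}


def client_accepts(cert, expected_name, trusted_ca_pub, check_signature):
    """What the client does with the certificate the 'server' hands it."""
    if cert["name"] != expected_name:
        return False
    if not check_signature:          # the customer's proposal: skip the CA
        return True
    return verify(trusted_ca_pub, tbs(cert["name"], cert["pub"]), cert["sig"])


def scenario():
    """Honest server vs. a man-in-the-middle who presents his own key under
    the server's name. Returns which certificate each client policy accepts."""
    ca_pub, ca_priv = keygen(65521, 65519)       # toy CA (assumed)
    srv_pub, srv_priv = keygen(10007, 10009)     # honest server
    mitm_pub, mitm_priv = keygen(7919, 7907)     # attacker in the middle
    host = "bank.example"                        # constructed hostname
    legit = make_cert(host, srv_pub, ca_priv)        # CA-signed
    forged = make_cert(host, mitm_pub, mitm_priv)    # self-signed, right name
    other = make_cert("mitm.example", mitm_pub, ca_priv)  # CA-signed, wrong name
    return {
        "nocheck_legit": client_accepts(legit, host, ca_pub, False),
        "nocheck_forged": client_accepts(forged, host, ca_pub, False),
        "check_legit": client_accepts(legit, host, ca_pub, True),
        "check_forged": client_accepts(forged, host, ca_pub, True),
        "check_othername": client_accepts(other, host, ca_pub, True),
    }


if __name__ == "__main__":
    for label, ok in scenario().items():
        print(f"{label}: {'accept' if ok else 'reject'}")
```

With the signature check off, the forged self-signed certificate is accepted just like the real one, so the attacker can terminate the SSL session, read everything, and relay it onward. With the check on, the attacker's options are a certificate the CA never signed (rejected) or a CA-signed certificate for a name he actually controls (rejected by the name check); both checks are needed, and the signed certificate is what makes the second one meaningful.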