Scribd Logo
Upload

Welcome to Scribd!

  • Chapter 1: Introduction

    Uploaded by

    Ayman Ibaida
    70 views25 pages
    The document introduces the characters Alice, Bob, and Trudy who represent users of an online bank. It discusses security concerns like confidentiality, integrity and availability for Alice as the bank owner and Bob as a customer. Trudy represents an intruder trying to compromise security. The textbook will cover cryptography, access control, security protocols, software security and how people can unintentionally break security. It emphasizes thinking like an attacker to strengthen defenses.

    Original Description:

    Original Title

    Intro

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PPTX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document introduces the characters Alice, Bob, and Trudy who represent users of an online bank. It discusses security concerns like confidentiality, integrity and availability for Alice as the bank owner and Bob as a customer. Trudy represents an intruder trying to compromise security. The textbook will cover cryptography, access control, security protocols, software security and how people can unintentionally break security. It emphasizes thinking like an attacker to strengthen defenses.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pptx, pdf, or txt
    70 views25 pages

    Chapter 1: Introduction

    Uploaded by

    Ayman Ibaida
    The document introduces the characters Alice, Bob, and Trudy who represent users of an online bank. It discusses security concerns like confidentiality, integrity and availability for Alice as the bank owner and Bob as a customer. Trudy represents an intruder trying to compromise security. The textbook will cover cryptography, access control, security protocols, software security and how people can unintentionally break security. It emphasizes thinking like an attacker to strengthen defenses.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPTX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pptx, pdf, or txt
    of 25

    Chapter 1: Introduction

    Begin at the beginning, the King said, very gravely, and go on till you come to the end: then stop. Lewis Carroll, Alice in Wonderland

    Chapter 1 Introduction

    The Cast of Characters


    Alice

    and Bob are the good guys

    Trudy

    is the bad guy

    Trudy

    is our generic intruder


    2

    Chapter 1 Introduction

    Alices Online Bank


    Alice
    What If

    opens Alices Online Bank (AOB)


    are Alices security concerns?

    Bob is a customer of AOB, what are his security concerns? are Alices and Bobs concerns similar? How are they different? does Trudy view the situation?
    3

    How How

    Chapter 1 Introduction

    CIA
    CIA

    == Confidentiality, Integrity, and Availability


    must prevent Trudy from learning Bobs account balance prevent unauthorized reading of information
    o Cryptography used for confidentiality

    AOB

    Confidentiality:

    Chapter 1 Introduction

    CIA
    Trudy
    Bob

    must not be able to change Bobs account balance


    must not be able to improperly change his own account balance detect unauthorized writing of information
    o Cryptography used for integrity

    Integrity:

    Chapter 1 Introduction

    CIA

    AOBs information must be available whenever its needed


    Alice must be able to make transaction
    o If not, shell take her business elsewhere

    Availability: Data is available in a timely manner when needed Availability is a new security concern
    o Denial of service (DoS) attacks

    Chapter 1 Introduction

    Beyond CIA: Crypto


    How

    does Bobs computer know that Bob is really Bob and not Trudy?
    password must be verified are security concerns of pwds?
    o This requires some clever cryptography

    Bobs What

    Are

    there alternatives to passwords?


    7

    Chapter 1 Introduction

    Beyond CIA: Protocols


    When Bob logs into AOB, how does AOB know that Bob is really Bob?
    As before, Bobs password is verified Unlike the previous case, network security issues arise What are network security concerns?
    o Protocols are critically important o Crypto also important in protocols

    Chapter 1 Introduction

    Beyond CIA: Access Control

    Once Bob is authenticated by AOB, then AOB must restrict actions of Bob
    o Bob cant view Charlies account info

    o Bob cant install new software, etc., etc.


    Enforcing these restrictions: authorization Access control includes both authentication and authorization
    9

    Chapter 1 Introduction

    Beyond CIA: Software


    Cryptography, protocols, and access control are implemented in software


    What are security issues of software?
    o Most software is complex and buggy o Software flaws lead to security flaws o How does Trudy attack software? o How to reduce flaws in software development?

    And what about malware?


    10

    Chapter 1 Introduction

    Your Textbook
    The

    text consists of four major parts

    o Cryptography o Access control o Protocols o Software


    Note:

    Our focus is on technical issues


    11

    Chapter 1 Introduction

    The People Problem


    People

    often break security

    o Both intentionally and unintentionally o Here, we consider the unintentional


    For

    example, suppose you want to buy something online


    o To make it concrete, suppose you want to

    buy from amazon.com

    Chapter 1 Introduction

    12

    The People Problem


    To

    buy from amazon.com

    o Your Web browser uses SSL protocol o SSL relies on cryptography

    o Access control issues arise


    o All security mechanisms are in software
    Suppose

    all of these security stuff works perfectly


    o What could possibly go wrong?
    13

    Chapter 1 Introduction

    The People Problem


    What

    could go wrong? Trudy can try man-in-the-middle attack


    o SSL is secure, so attack doesnt work

    o Web browser issues a warning


    o What do you, the user, do?
    If

    user ignores warning, attack works!

    o None of the security mechanisms failed o But user unintentionally broke security
    Chapter 1 Introduction 14

    Cryptography
    Secret
    The

    codes

    book covers

    o Classic cryptography

    o Symmetric ciphers
    o Public key cryptography o Hash functions++ o Advanced cryptanalysis
    Chapter 1 Introduction 15

    Access Control

    Authentication
    o Passwords o Biometrics (and other)

    Authorization
    o Access Control Lists/Capabilities o Multilevel security (MLS), security modeling,

    covert channel, inference control

    o Firewalls and Intrusion Detection Systems

    Chapter 1 Introduction

    16

    Protocols
    Simple

    authentication protocols

    o Focus on basics of security protocols o Cryptography used a lot in protocols


    Real-world

    security protocols

    o SSH, SSL, IPSec, Kerberos o Wireless: WEP, GSM

    Chapter 1 Introduction

    17

    Software
    Security-critical

    flaws in software

    o Buffer overflow o Race conditions, etc.


    Malware

    o Examples of viruses and worms o Prevention and detection o Future of malware?


    Chapter 1 Introduction 18

    Software
    Software
    Digital

    reverse engineering (SRE)

    o How hackers dissect software

    rights management (DRM)

    o Shows difficulty of security in software


    o Also raises OS security issues
    Software

    and testing

    o Open source, closed source, other topics


    Chapter 1 Introduction 19

    Software

    Operating systems
    o Basic OS security issues o Trusted OS requirements o NGSCB: Microsofts trusted OS for the PC

    Software is a BIG security topic


    o Lots of material to cover

    o Lots of security problems to consider


    o But not nearly enough time available
    Chapter 1 Introduction 20

    Think Like Trudy


    In

    the past, no respectable sources talked about hacking in detail


    o After all, such info might help Trudy

    Recently,

    this has changed

    o Books on network hacking, how to write evil software, how to hack software, etc. o Classes teach writing viruses, SRE, etc.
    Chapter 1 Introduction 21

    Think Like Trudy


    Good
    A

    guys must think like bad guys!

    police detective

    o must study and understand criminals


    In

    information security

    o We want to understand Trudys methods o Might be good to know Trudys motives o Well often pretend to be Trudy
    Chapter 1 Introduction 22

    Think Like Trudy


    Is

    all of this security information a good idea?


    Schneier (referring to Security Engineering, by Ross Anderson):
    o Its about time somebody wrote a book to teach the good guys what the bad guys already know.

    Bruce

    Chapter 1 Introduction

    23

    Think Like Trudy


    We

    must try to think like Trudy We must study Trudys methods We can admire Trudys cleverness Often, we cant help but laugh at Alices and/or Bobs stupidity But, we cannot act like Trudy
    o Except in this class
    Chapter 1 Introduction 24

    In This Course
    Think

    like the bad guy Always look for weaknesses


    o We want to find weak link before Trudy
    Its

    OK to break the rules

    o What rules?
    Think

    like Trudy But dont do anything illegal!


    Chapter 1 Introduction 25

    You might also like