
Security (Stammvorlesung), Summer Semester 2003. Dieter Hutter, Werner Stephan

Security (Stammvorlesung), Summer Semester 2003, Dieter Hutter, Werner Stephan. Stammvorlesung (core lecture): 9 credit points. Monday, Wednesday: 11 am – 1 pm (c.t.). Room: HS 001 (Geb. 45). Exercises start at the beginning of June. Exams: presumably end of July. Homepage: http://www.dfki.de/~hutter/lehre/sicherheit


Presentation Transcript


  1. Security (Stammvorlesung), Summer Semester 2003. Dieter Hutter, Werner Stephan

  2. Important Information
     - Stammvorlesung (core lecture): 9 credit points
     - Monday, Wednesday: 11 am – 1 pm (c.t.)
     - Room: HS 001 (Geb. 45)
     - Exercises start at the beginning of June
     - Exams: presumably end of July
     - Homepage: http://www.dfki.de/~hutter/lehre/sicherheit
     - Contact: Dieter Hutter, Room -1.11 (Geb. 43.1, DFKI), hutter@dfki.de, Tel. 302-5317
     - Contact: Werner Stephan, Room 1.28 (Geb. 43.8, DFKI), stephan@dfki.de, Tel. 302-5296

  3. Literature
     Cryptography:
     - Johannes Buchmann: Einführung in die Kryptographie (Springer), 2001 (also available in English from Springer)
     IT-Security:
     - Ross Anderson: Security Engineering (Wiley & Sons), 2001
     - Claudia Eckert: IT-Sicherheit (Oldenbourg), 2001
     - Bruce Schneier: Secrets & Lies
     - Edward Amoroso: Fundamentals of Computer Security Technology (Prentice Hall), 1994
     - Josef Pieprzyk et al.: Fundamentals of Computer Security (Springer)

  4. Overview: Introduction
     - Important Information
     - Overview
     - Motivation
     - Basic Notions: Confidentiality, Integrity, Authentication, ..., Multilateral Security

  5. Overview: Cryptography
     - Types of Systems: Symmetric vs. Asymmetric Encryption; One-Way Functions, Hash Functions, Random Generators
     - Analysis of Cryptographic Techniques: Attacks, Properties
     - Concrete Techniques: DES, RSA, ElGamal, Diffie-Hellman, ...

  6. Overview: Security Protocols (Cryptographic Protocols)
     - Constituents of Protocols (Protocol Notation): Keys, Encryption, Nonces, Timestamps
     - Problems with Protocols: Goals, Attacks, Failures
     - Formal Analysis of Protocols: Data Types, Traces, Inductive Proofs

  7. Overview: Security Policies
     - Access Control: Basic Concepts; Systems: Chinese Wall, Bell-LaPadula, Biba, ...
     - Information Flow Control: Basic Notions of Non-Interference; Systems with Structured States; Multilevel Security Policies; Intransitive Policies

  8. Overview: Technology
     - Secure Operating Systems
     - Secure Devices
     - Network Security: Firewalls, IDS, Mixes, ...
     - Media Security: CSA, CSS, ...
     - Systems: Digital Signatures, E-Payment, ...

  9. Overview: Security Engineering (Development of Secure Systems)
     - Risk Analysis: Identification of Threats
     - Requirements Engineering: Security Objectives, Security Functions and Mechanisms
     - Assessment of IT Systems: Quality Criteria (Common Criteria), Evaluation

  10. Security (according to Common Criteria)
     The slide shows the Common Criteria diagram of security concepts and their relationships:
     - Owners value assets and wish to minimize the risk to those assets.
     - Owners impose countermeasures to reduce risk; countermeasures may themselves possess vulnerabilities, of which owners may be aware.
     - Threat agents give rise to threats that exploit vulnerabilities, leading to risk to the assets.
     - Threats increase risk; threat agents wish to abuse and/or may damage the assets.

  11. Critical Infrastructure Applications
     - E-Commerce: payment systems, orders / contracts, auctions
     - E-Administration: public administration, e-voting

  12. Critical Infrastructure Applications
     - Information Systems: military, company
     - Important General Services: Digital Signatures, Public Key Infrastructures, Time Stamps

  13. Security vs. Safety
     - Safety: avoid system states that endanger "users"; fail-safe concepts, fault tolerance; threats from "inside": malfunctioning of the system
     - Security: threats from "outside": attacks by malevolent participants; problem: the "attacker model"

  14. Security Objectives
     - Privacy: Confidentiality (of data), Anonymity (of participants)
     - Integrity: Integrity (of data), Authentication (of participants)
     - Liability: Availability (of resources), Accountability (of participants)

  15. Confidentiality
     - Confidentiality of users' data: no unauthorized user can discover the content of data or communication
     - Encryption of data (cryptography)
     - Hiding of data (steganography)
     - Restricting (read) access to data: who is allowed to read which data under which conditions? (security policies)

  16. Anonymity
     - Anonymity ensures that a user can use resources or services without disclosing his/her identity
     - Pseudonyms
     - Network: proxy servers, mixes
     - Who communicates with whom or reads which data?

  17. GSM Location System (mock screen shown on the slide)
     Syslog XP 3.7
     Participant: Koch
     Contacting ... Häuble
     Location Retrieval: Locked
     Starting ... Mapping: zooming ...
     Participant Koch in City: Hamburg, Area: Inner City, Jungfernstieg / Neuer Wall
     MSISDN: 0179 - 208394242

  18. GSM Location System (mock screen, continued)
     Syslog XP 3.7
     Participant Koch arrested!

  19. Integrity
     - Protecting data from unauthorized manipulation
     - Signatures and digital signatures
     - Hash functions
     - Restricting (write) access to data: who is allowed to change which data under which conditions? (security policies)

  20. Authentication
     - Identification of participants in a system
     - Passwords (shared knowledge)
     - Biometric authentication
     - Public-key infrastructure
     - Who is using a system or sending a message?

  21. Availability
     - No unauthorized impairment of services
     - Examples: blocking CPU resources by Java applets; flooding the network with e-mails

  22. Accountability
     - Sender and receiver of information cannot successfully deny having sent or received information
     - Communication takes place in a provable way
     - Proof of communication required: digital signatures
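As an added example (not part of the lecture slides), the following Go program shows why the slide names digital signatures, rather than a shared-key MAC, as the proof mechanism for accountability: with a MAC, sender and receiver hold the same key, so the receiver can produce a valid tag for an order the sender never sent and a judge checking with that key cannot tell the difference; with a signature, the receiver holds only the sender's public key and cannot forge anything that verifies. The transfer orders and the roles (sender, receiver, judge) are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample orders; the banking scenario is an assumption, not lecture material.
var (
	sentOrder   = []byte("order 4711: transfer 100 EUR to account A")
	forgedOrder = []byte("order 4711: transfer 100000 EUR to account A")
)

// macTag computes an HMAC-SHA256 tag. Anyone holding sharedKey can both verify and create tags.
func macTag(sharedKey, msg []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(msg)
	return m.Sum(nil)
}

// ReceiverCanForgeMAC: the receiver, who shares the key with the sender, tags an order the
// sender never issued. A judge verifying by recomputing the tag with the shared key accepts it,
// so a MAC gives integrity against outsiders but no accountability between the two parties.
func ReceiverCanForgeMAC() bool {
	sharedKey := make([]byte, 32)
	if _, err := rand.Read(sharedKey); err != nil {
		panic(err)
	}
	tagByReceiver := macTag(sharedKey, forgedOrder)
	return hmac.Equal(macTag(sharedKey, forgedOrder), tagByReceiver) // true: forgery verifies
}

// ReceiverCanForgeSignature: the receiver holds only the sender's public key. A signature made
// with any other private key fails verification under the sender's public key, so a genuine
// signature can later be shown to a judge as proof that the sender sent the order.
func ReceiverCanForgeSignature() bool {
	senderPub, senderPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, receiverPriv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := ed25519.Sign(senderPriv, sentOrder)
	if !ed25519.Verify(senderPub, sentOrder, genuine) {
		panic("genuine signature must verify")
	}
	forged := ed25519.Sign(receiverPriv, forgedOrder)
	return ed25519.Verify(senderPub, forgedOrder, forged) // false: receiver cannot forge
}

func main() {
	fmt.Println("receiver can forge MAC tag:", ReceiverCanForgeMAC())
	fmt.Println("receiver can forge signature:", ReceiverCanForgeSignature())
}
```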

  23. Security Objectives
     - Security objectives are not always independent
     - Examples: anonymity weakens accountability; confidentiality weakens accountability; accessibility implies authentication

  24. Multilateral Security
     - Each participant has its own security issues
     - Each participant can formulate its own issues
     - Conflicts have to be resolved and enforced
