
CSI315 Web Technology and Applications


Presentation Transcript


  1. CSI315 Web Technology and Applications: Internet Security

  2. What Security means to people
     • Limit data disclosure to intended set
     • Monitor communications to catch terrorists
     • Keep data from being corrupted
     • Destroy computers with pirated content
     • Track down bad guys
     • Communicate anonymously

  3. Definitions
     • Computer crime
       • Action that violates state or Federal laws
     • Cybercrime
       • Crime carried out by means of the Internet
     • Cyberlaw
       • New field of law developing to respond to rise of cybercrime
     • Computer security risk
       • Any event, action, or situation – intentional or not – that could lead to the loss or destruction of computer systems or the data they contain
       • Not backing up data regularly is considered a computer security risk

  4. Cybercrime: Tools and Techniques
     • Security loophole programs
     • Packet sniffers
     • Programs like SATAN and ANGEL
     • Port scanners
     • Examples at http://www.tinhat.com/internet_security/security_hole_examples.html
     • Computer viruses
     • Time bombs
     • Worms
     • Trojan horses

  5. The Attackers
     • Hackers
     • Crackers (Black Hats)
     • Cyber gangs
     • Computer virus authors
     • Disgruntled employees
     • Spies
     • Cyberstalkers
     • Sexual predators
     • Terrorists
     • Information warfare

  6. What’s at Stake?
     • Computer downtime
     • Fraud and theft of computer resources
     • Adverse publicity
     • Vandalism
       • Especially of webpages
     • Character assassination
     • Loss of privacy
     • Risk to public safety
     • Denial of service (DoS)
     • Eavesdropping (compromise routers, links, routing algorithms, or DNS)
     • Arbitrary messages can be sent
     • Messages in transit can be modified

  7. Sometimes goals conflict
     • privacy vs company (or govt) wants to be able to see what you’re doing
     • losing data vs disclosure (copies of keys)
     • denial of service vs preventing intrusion

  8. Security Measures/Protocols

  9. Examples of Security Measures
     • Sharing files between users
       • File store must authenticate users
       • File store must know who is authorized to read and/or update the files
       • Information must be protected from disclosure and modification on the wire
       • Users must know it’s the genuine file store (so as not to give away secrets or read bad data)

  10. Examples cont’d
     • Electronic Mail
       • Send private messages
       • Know who sent a message (and that it hasn’t been modified)
       • Non-repudiation: ability to forward in a way that the new recipient can know the original sender
       • Anonymity

  11. Examples cont’d
     • Electronic Commerce
       • Pay for things without giving away my credit card number
         • to an eavesdropper
         • or phony merchant
       • Buy anonymously
       • Merchant wants to be able to prove I placed the order

  12. Security Measures
     • Firewalls
     • Anti-virus software
     • File sharing
     • Scripting
     • Patches
     • Security Protocols

  13. Firewall
     • A firewall is a computer system dedicated to protecting a LAN from the Internet at large
     • All traffic from/to the LAN to/from any host on the Internet at large goes through a firewall.
     • A firewall is not always a single computer. For example, a firewall may consist of a pair of filtering routers and one or more proxy servers running on one or more bastion hosts
     • Assumptions

  14. Firewall Applications
     • Security Policy: Every organization that uses LANs should have rules governing acceptable use of computing resources, security practices, and operational procedures
     • Access Control List (ACL)
       • Many routers now have the ability to selectively perform their duties, based on a number of facts about a packet that comes to it. This includes things like origination address, destination address, destination service port, and so on. These can be employed to limit the sorts of packets that are allowed to come in and go out of a given network.

  15. Routers
     • A Screening Router is a router configured to permit or deny traffic based on a set of permission rules.

  16. Packet Filter
     • Filters packets based on certain rules, e.g.:
       • Block all incoming connections from systems outside the internal network, except for incoming SMTP connections (so that you can receive email).
       • Block all connections to or from certain systems you distrust.
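The two example rules above, written as an ordered rule set of the kind a screening router evaluates. This is an added example, not part of the original slides; the address ranges, the interface labels, and the anti-spoofing and default-deny rules are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("192.168.10.0/24")   # assumed internal LAN
DISTRUSTED = ipaddress.ip_network("203.0.113.0/24")  # constructed "distrusted" range
SMTP = 25

@dataclass(frozen=True)
class Packet:
    iface: str       # "outside" or "inside": interface the packet arrived on
    src: str
    dst: str
    dst_port: int
    syn: bool        # True when the segment opens a new TCP connection

def within(addr, net):
    return ipaddress.ip_address(addr) in net

def screen(pkt):
    """First matching rule wins; anything unmatched is denied (default deny)."""
    # Distrusted systems are blocked in both directions.
    if within(pkt.src, DISTRUSTED) or within(pkt.dst, DISTRUSTED):
        return "deny"
    if pkt.iface == "outside":
        # A packet from outside that claims an internal source address is spoofed.
        if within(pkt.src, INTERNAL):
            return "deny"
        # Incoming connections are blocked, except SMTP so that mail can arrive.
        if pkt.syn:
            return "permit" if pkt.dst_port == SMTP else "deny"
        # Non-SYN segments are treated as replies to outbound connections.
        # A stateless filter cannot confirm that such a connection exists.
        return "permit" if within(pkt.dst, INTERNAL) else "deny"
    # Outbound traffic is allowed only from genuine internal addresses.
    if pkt.iface == "inside" and within(pkt.src, INTERNAL):
        return "permit"
    return "deny"

# Constructed sample traffic, one packet per rule.
SAMPLES = [
    Packet("outside", "198.51.100.7", "192.168.10.5", 25, True),     # inbound SMTP
    Packet("outside", "198.51.100.7", "192.168.10.5", 22, True),     # inbound SSH
    Packet("outside", "203.0.113.9", "192.168.10.5", 25, True),      # distrusted source
    Packet("outside", "192.168.10.99", "192.168.10.5", 25, True),    # spoofed source
    Packet("outside", "198.51.100.7", "192.168.10.5", 51000, False), # reply segment
    Packet("inside", "192.168.10.5", "198.51.100.7", 443, True),     # outbound
    Packet("inside", "192.168.10.5", "203.0.113.9", 80, True),       # to distrusted
]
VERDICTS = [screen(p) for p in SAMPLES]
```

Rule order matters: the distrusted-system check comes before the SMTP exception, so a distrusted host cannot use port 25 to get in.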

  17. Demilitarized Zone (DMZ). The DMZ is a critical part of a firewall: it is a network that is neither part of the untrusted network, nor part of the trusted network.

  18. Proxy Server/Application Gateway
     • This is the process of having one host act on behalf of another. A host that has the ability to fetch documents from the Internet might be configured as a proxy server, and hosts on the intranet might be configured to be proxy clients. ability to direct talk to the Internet.

  19. Bastion Host
     • A system that has been hardened to resist attack, and which is installed on a network in such a way that it is expected to potentially come under attack. Bastion hosts are often components of firewalls.

  20. Security Functional Elements
     • Confidentiality: Content is visible only to the intended receiver
     • Authentication: User identity is legitimate
     • Authorization: Only those allowed can access
     • Integrity protection: Content not altered during transmission
     • Non-repudiation: Sender cannot deny sending the message

  21. Basic Confidentiality Techniques
     • Cryptography
       • secret key
       • public key
     • Hashing Algorithms
       • Most popular hash today SHA-1 (secure hash algorithm)
       • Older ones (MD2, MD4, MD5) still around

  22. Secret Key Crypto
     • Two operations (“encrypt”, “decrypt”) which are inverses of each other, like multiplication/division
     • One parameter (“the key”)
     • Even the person who designed the algorithm can’t break it without the key
     • Ideally, a different key for each pair of users

  23. Secret key crypto, Mike and Sam share secret S
     • encrypt = f(S, plaintext) = ciphertext
     • decrypt = f(S, ciphertext) = plaintext
     • authentication: send f(S, challenge)
     • integrity check: f(S, msg) = X
     • verify integrity check: f(S, X, msg)
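The authentication and integrity-check operations above, as an added example that is not part of the original slides. It instantiates the keyed function f with HMAC-SHA-256 (an assumption; the slide does not name an algorithm), and the `Verifier` class and the sample message are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def f(secret: bytes, data: bytes) -> bytes:
    """The slide's keyed function f(S, ...), instantiated here with HMAC-SHA-256."""
    return hmac.new(secret, data, hashlib.sha256).digest()

class Verifier:
    """Sam's side: issues one-time challenges and checks the responses."""
    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)   # unpredictable, never reused
        self._outstanding.add(challenge)
        return challenge

    def check_response(self, challenge: bytes, response: bytes) -> bool:
        # Each challenge is accepted once, so a recorded response cannot be replayed.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        return hmac.compare_digest(f(self._secret, challenge), response)

def integrity_check(secret: bytes, msg: bytes) -> bytes:
    """X = f(S, msg), sent alongside the message."""
    return f(secret, msg)

def verify_integrity(secret: bytes, x: bytes, msg: bytes) -> bool:
    """f(S, X, msg): recompute f(S, msg) and compare with X in constant time."""
    return hmac.compare_digest(f(secret, msg), x)

def demo():
    S = secrets.token_bytes(32)               # secret shared by Mike and Sam
    sam = Verifier(S)
    c = sam.new_challenge()
    response = f(S, c)                        # Mike proves he knows S without sending it
    first = sam.check_response(c, response)
    replay = sam.check_response(c, response)  # same pair presented a second time
    c2 = sam.new_challenge()
    imposter = sam.check_response(c2, f(secrets.token_bytes(32), c2))  # wrong key
    msg = b"transfer 10 to account 42"        # constructed sample message
    X = integrity_check(S, msg)
    intact = verify_integrity(S, X, msg)
    tampered = verify_integrity(S, X, b"transfer 99 to account 42")
    return first, replay, imposter, intact, tampered
```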

  24. Operational model of encryption
     [Figure: plaintext $x$ → E (encryption key $k$) → ciphertext $E_k(x)$ → D (decryption key $k'$) → $D_{k'}(E_k(x)) = x$; attacker]
     • assumption:
       • attacker knows E and D
       • attacker doesn’t know the (decryption) key
     • attacker’s goal:
       • to systematically recover plaintext from ciphertext
       • to deduce the (decryption) key
     • attack models:
       • ciphertext-only
       • known-plaintext
       • (adaptive) chosen-plaintext
       • (adaptive) chosen-ciphertext

  25. Popular Secret Key Algorithms
     • DES (Data Encryption Standard): old standard, 56-bit key, slow
     • 3DES: fix key size but 3 times as slow
     • RC4: variable length key, “stream cipher”
     • AES: replacement for DES, will probably take over

  26. Public Key Crypto
     • Two keys per user, keys are inverses of each other
     • sender, receiver do not share secret key
     • public encryption key known to all
     • private decryption key known only to receiver
     • RSA
     • ECC (elliptic curve crypto): smaller keys, so faster than RSA (but not for public key ops).

  27. Public key cryptography
     [Figure: plaintext message $m$ → encryption algorithm (Bob’s public key $K_B^+$) → ciphertext $K_B^+(m)$ → decryption algorithm (Bob’s private key $K_B^-$) → plaintext message $m = K_B^-(K_B^+(m))$]

  28. Digital Signatures
     • One of the best features of public key
     • An integrity check
       • calculated as f(priv key, data)
       • verified as f(public key, data, signature)
     • Verifiers don’t need to know secret
       • vs. secret key, where integrity check is generated and verified with same key, so verifiers can forge data
     • Provides authentication, data integrity, and non-repudiation
     • Prevents Public Key forgery
     • Private Key used to encrypt information
     • Issued by Certificate Authority (Verisign, Cybertrust etc.)
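The contrast drawn above between a signature and a shared-key integrity check, as an added example that is not part of the original slides. It uses textbook RSA over a SHA-256 digest with a constructed toy key (two Mersenne primes, no padding), which shows the algebra only and is not a usable signature scheme; the messages and names are constructed.

```python
import hashlib
import hmac

# Constructed toy key. Special-form primes and no padding: illustration only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key, known to every verifier
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, known only to the signer

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv: int, data: bytes) -> int:
    """signature = f(priv key, data)"""
    return pow(digest(data), priv, N)

def verify(pub: int, data: bytes, signature: int) -> bool:
    """f(public key, data, signature): uses no secret at all."""
    return pow(signature, pub, N) == digest(data)

def mac(secret: bytes, data: bytes) -> bytes:
    return hmac.new(secret, data, hashlib.sha256).digest()

def mac_verify(secret: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(secret, data), tag)

def demo():
    order = b"order #1: 3 widgets"       # what the buyer actually sent
    altered = b"order #1: 300 widgets"   # what a dishonest verifier might claim

    # Public key: the merchant holds only (N, E) and cannot produce a
    # signature for the altered order, so the buyer's signature is evidence.
    sig = sign(D, order)
    sig_ok = verify(E, order, sig)
    sig_on_altered = verify(E, altered, sig)

    # Secret key: the merchant must hold S to verify, so the merchant can also
    # compute a valid tag for any message. A third party checking with S
    # cannot tell who produced it, hence no non-repudiation.
    S = b"constructed shared secret"
    merchant_made_tag = mac(S, altered)
    third_party_accepts = mac_verify(S, altered, merchant_made_tag)
    return sig_ok, sig_on_altered, third_party_accepts
```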

  29. Basic Authentication Techniques
     • IP layer Authentication Mechanisms
       • Authentication Header (AH)
       • Encryption Security Payload (ESP)
     • Packet Filtering
     • UserID and Password Methods: Password Authentication Protocol (PAP)

  30. Basic Authorization Techniques
     • Access Control
     • Physical
     • UserID and Password
     • Access Control Lists
     • Demilitarized Zone (DMZ): a neutral zone between the private LAN and the public Internet. FTP servers, Web servers and the like are located in the DMZ

  31. Basic Message Integrity Techniques
     • Data link layer Virtual Private Networks
     • Tunneling Protocols: PPP, PPTP
     • Authentication Protocols: AH and ESP

  32. Basic Non-Repudiation
     • Digital Signatures
     • Message Authentication Codes (MAC)
     • Network Address Translator (NAT)
     • Port Address Translator (PAT)

  33. Internet Security Protocols
     • HTTPS (Hypertext Transport Protocol Secure)
     • SSL (Secure Socket Layer)
     • TLS (Transport Layer Security)
