
Security technology

Security technology. Hua Wang, University of Southern Queensland, 09/2004. Objectives: Global review of security skills, Authentication algorithm, Role based access control. Types of threats: Interception (an unauthorized party has gained access to data), Interruption (data become unusable),


Presentation Transcript


  1. Security technology. Hua Wang, University of Southern Queensland, 09/2004. CSC8408: Security

  2. Objectives:
     • Global review of security skills,
     • Authentication algorithm,
     • Role based access control.

  3. Types of threats
     • Interception: an unauthorized party has gained access to data,
     • Interruption: data become unusable,
     • Modification: unauthorized changing,
     • Fabrication: additional data are generated.

  4. Figure 1: Foundation for system security

  5. Authentication
     User-to-computer authentication can be based on one or more of the following:
     1. Something the user knows, such as a password,
     2. Something the user possesses, such as a credit-card-sized cryptographic token or smart card, or
     3. Something the user is, exhibited in a biometric signature such as a fingerprint or voiceprint.

  6. Access Control
     Access controls usually apply after authentication has been established. Access control can take several forms:
     1. Discretionary access control,
     2. Lattice-based access controls,
     3. Role-based access control.

  7. Audit
     Audit has two components: the collection and organization of audit data and an analysis of the data to discover or diagnose security violations.

  8. The problem is what to look for in audit data and how to determine automatically whether a violation has occurred or is being perpetrated. The following approaches have been tried:
     • anomaly detection, which is based on the assumption that the exploitation of the vulnerabilities of the system involves abnormal use of the system, and
     • misuse detection, which is based on rules specifying events, sequences of events, or observable properties of the system, symptomatic of violations.
     Finally, we note that audit analysis is an empirical discipline in which we currently have little historical data.
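The two audit-analysis approaches from slide 8, run side by side over one audit trail. This is an added example, not part of the original slides; the record format, user names, counts and thresholds are all constructed for illustration.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed audit trail of (user, event) records. Not real log data.
AUDIT = ([("peter", "login_fail")] * 4 + [("peter", "login_ok")]
         + [("peter", "file_read")] * 5
         + [("hua", "login_ok")] + [("hua", "file_read")] * 400)

# Constructed history of daily file_read counts per user (the "normal" profile).
HISTORY = {"peter": [5, 6, 4, 5, 5], "hua": [20, 22, 19, 21, 18]}

def misuse_alerts(records, max_fails=3):
    """Misuse detection: a rule describing a known-bad sequence of events,
    here max_fails or more failed logins followed by a successful one."""
    fails, alerts = Counter(), []
    for user, event in records:
        if event == "login_fail":
            fails[user] += 1
        elif event == "login_ok":
            if fails[user] >= max_fails:
                alerts.append(user)
            fails[user] = 0
    return alerts

def anomaly_alerts(records, history, k=3.0):
    """Anomaly detection: flag users whose file_read volume today is more
    than k standard deviations away from their own historical mean."""
    today = Counter(user for user, event in records if event == "file_read")
    alerts = []
    for user, past in history.items():
        spread = max(pstdev(past), 1.0)   # floor so a flat history is not hypersensitive
        if abs(today[user] - mean(past)) > k * spread:
            alerts.append(user)
    return alerts

def analyse():
    # Returns (misuse alerts, anomaly alerts) for the constructed trail.
    return misuse_alerts(AUDIT), anomaly_alerts(AUDIT, HISTORY)
```

Each approach flags a different user: the rule catches the login sequence it was written for but has nothing to say about the bulk read, while the profile catches the bulk read only because a history exists to compare against.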

  9. Authentication methods
     The Diffie-Hellman key agreement protocol (also called exponential key agreement) was developed by Diffie and Hellman in 1976 and published in the ground-breaking paper "New Directions in Cryptography". The protocol allows two users to exchange a secret key over an insecure medium without any prior secrets.

  10. RSA is a public key cipher which can be used both for encrypting messages and making digital signatures. The letters stand for the names of the inventors: Rivest, Shamir and Adleman. The company RSA Data Security Inc. takes its name from this algorithm, and has acquired the rights to the patents which cover it.


  14. PGP signature
     What is PGP?
     • Pretty Good Privacy
     • 1976 – Diffie/Hellman
     • 1977 – Rivest/Shamir/Adleman http://www.rsasecurity.com/node.asp?id=1159
     • 1991 – Zimmermann writes PGP
     • Send E-mail securely to a known recipient
     • Digitally sign E-mail so that the recipient(s) can be sure it is from you
     • Can also be used with file transfers

  15. Why Bother?
     • Sending plain text E-mail is little more secure than sending a postcard – PGP enables encryption
     • PGP is useful for digitally signing material that is important (case of tutorials being cancelled)
     • Enables secure transactions over E-mail.
     • Pretty much unbreakable

  16. Key Pairs – public vs. private
     • Types of Key – RSA vs DH/DSS
     • Public is widely disseminated - private kept secret, with passphrase
     • Fingerprints
     • Varying levels of security. 512-bit lowest. 2048-bit very secure

  17. PGP Servers
     • Servers that hold huge public-key key rings
     • Update to each other, accept and send updates from/to everyone
     • Better than everyone keeping a huge key ring
     • Server addresses included with PGP software

  18. Encrypting messages
     • Recipient’s public key is used to encrypt the message
     • Can use several different recipients’ public keys; then any one of the matching private keys is required to decrypt the message

  19. Signing Messages
     • Sender’s private key is used to encrypt some or all of the message
     • Public key of sender is widely available so verification of signature is easy for anyone

  20. Signing Keys. Why?
     • How do you know that a person’s key is really theirs?
     • Get the owner to repeat the fingerprint to you in person, or on the phone if you know their voice, before signing the key
     • Unsigned keys are a security risk
     • Key signing sessions involve just this
     • http://www.ox.compsoc.net/compsoc/events/pgp-keysigning.html

  21. The Software
     • Versions for PC, Mac, UNIX etc…
     • Command-line & GUI
     • ftp://ftp.ox.ac.uk/pub/pgp/pgpi/
     • Version 6.0.2i
     • Linewrap
     • Sable/Ermine

  22. Access control
     The access matrix model is the policy for user authentication, and has several implementations such as access control lists (ACLs) and capabilities. It is used to describe which users have access to what objects.

  23. The access matrix model consists of four major parts:
     a. A list of objects
     b. A list of subjects
     c. A function T which returns an object's type
     d. The matrix itself, with the objects making the columns and the subjects making the rows
     In the cells where a subject and object meet lie the rights the subject has on that object. Some example access rights are read, write, execute, list and delete.

  24. Example Access Matrix (objects as columns, subjects as rows):

     Subjects   index.html   Java VM
     Peter      rwld         x
     Hua        rl           -

     An access matrix has several standard operations associated with it:
     • Entry of a right into a specified cell
     • Removal of a right from a specified cell
     • Creation of a subject
     • Creation of an object
     • Removal of a subject
     • Removal of an object
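The access matrix of slides 22 to 24 as a small data structure, with the six standard operations and the two implementation views (ACL per object, capability list per subject). This is an added example, not code from the original slides; the class and method names and the object types passed to `create_object` are assumptions, and the letters r, w, x, l, d stand for the rights named on slide 23.

```python
class AccessMatrix:
    """Rows are subjects, columns are objects, each cell holds a set of rights."""
    RIGHTS = set("rwxld")   # read, write, execute, list, delete

    def __init__(self):
        self.subjects = set()
        self.types = {}     # object -> type, backing the function T
        self.cells = {}     # (subject, object) -> set of right letters

    def create_subject(self, s):
        self.subjects.add(s)
    def create_object(self, o, obj_type):
        self.types[o] = obj_type
    def T(self, o):
        return self.types[o]

    def enter(self, s, o, rights):
        if s not in self.subjects or o not in self.types:
            raise KeyError("unknown subject or object")
        if not set(rights) <= self.RIGHTS:
            raise ValueError("unknown right")
        self.cells.setdefault((s, o), set()).update(rights)
    def remove(self, s, o, rights):
        self.cells.get((s, o), set()).difference_update(rights)

    def remove_subject(self, s):    # purge the row so a reused name inherits nothing
        self.subjects.discard(s)
        self.cells = {k: v for k, v in self.cells.items() if k[0] != s}
    def remove_object(self, o):     # purge the column for the same reason
        self.types.pop(o, None)
        self.cells = {k: v for k, v in self.cells.items() if k[1] != o}

    def check(self, s, o, right):   # a missing or empty cell means deny
        return right in self.cells.get((s, o), set())
    def acl(self, o):               # column view: who holds what on one object
        return {s: r for (s, obj), r in self.cells.items() if obj == o and r}
    def capabilities(self, s):      # row view: what one subject holds
        return {o: r for (sub, o), r in self.cells.items() if sub == s and r}

def slide_matrix():
    m = AccessMatrix()
    m.create_subject("Peter")
    m.create_subject("Hua")
    m.create_object("index.html", "file")    # object types are assumed here
    m.create_object("Java VM", "program")
    m.enter("Peter", "index.html", "rwld")
    m.enter("Peter", "Java VM", "x")
    m.enter("Hua", "index.html", "rl")       # Hua's Java VM cell stays empty ("-")
    return m
```

Removing a subject or object clears its whole row or column, so a name that is later created again starts with no rights instead of picking up stale ones.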

  25. Role based access control

  26. • A user in this model is a human being.
     • A role is a job function or job title.
     • Permission is an approval of a particular operation.
     • RBAC model supports the specification of:
       a. User/role associations;
       b. Role hierarchies;
       c. Duty separation constraints:
          c1. Static separated duty (SSD);
          c2. Dynamic separated duty (DSD).

  27. • RBAC has been widely used in database system management and operating system products.
     • In 1993, the National Institute of Standards and Technology (NIST) developed prototype implementations, sponsored external research, and published formal RBAC models.
     • RBAC is being considered as part of the emerging SQL3 standard for database management systems, based on their implementation in Oracle 7.

  28. PERMISSIONS
     • Primitive permissions
       • read, write, append, execute
     • Abstract permissions
       • credit, debit, inquiry

  29. PERMISSIONS
     • System permissions
       • Auditor
     • Object permissions
       • read, write, append, execute, credit, debit, inquiry

  30. PERMISSIONS
     • Permissions are positive
     • No negative permissions or denials
       • negative permissions and denials can be handled by constraints
     • No duties or obligations
       • outside scope of access control

  31. ROLES AS POLICY
     • A role brings together
       • a collection of users and
       • a collection of permissions
     • These collections will vary over time
     • A role has significance and meaning beyond the particular users and permissions brought together at any moment

  32. ROLES VERSUS GROUPS
     • Groups are often defined as
       • a collection of users
     • A role is
       • a collection of users and
       • a collection of permissions
     • Some authors define role as
       • a collection of permissions

  33. USERS
     • Users are
       • human beings or
       • other active agents
     • Each individual should be known as exactly one user

  34. USER-ROLE ASSIGNMENT
     • A user can be a member of many roles
     • Each role can have many users as members

  35. PERMISSION-ROLE ASSIGNMENT
     • A permission can be assigned to many roles
     • Each role can have many permissions
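The RBAC elements of slides 26 to 35 in one runnable model: many-to-many user-role and permission-role assignment, a role hierarchy, and the two separation-of-duty constraints, with SSD checked when a role is assigned and DSD checked when roles are activated in a session. This is an added example, not code from the original slides or from the NIST models; the class, the bank roles and the session function are hypothetical, and only the permission names (credit, debit, inquiry, read) come from slide 28.

```python
class RBAC:
    """RBAC with a role hierarchy and SSD/DSD constraints (illustrative only)."""
    def __init__(self, ssd=(), dsd=()):
        self.user_roles = {}   # user -> assigned roles (many-to-many)
        self.role_perms = {}   # role -> permissions (many-to-many, positive only)
        self.juniors = {}      # senior role -> junior roles it inherits from
        self.ssd, self.dsd = list(ssd), list(dsd)   # mutually exclusive role pairs

    def grant(self, role, *perms):
        self.role_perms.setdefault(role, set()).update(perms)
    def inherit(self, senior, junior):
        self.juniors.setdefault(senior, set()).add(junior)
    def closure(self, roles):   # the roles plus all their juniors, transitively
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.juniors.get(role, ()))
        return seen

    def _check(self, pairs, roles, kind):
        for a, b in pairs:
            if a in roles and b in roles:
                raise PermissionError(f"{kind}: {a} and {b} are mutually exclusive")

    def assign(self, user, role):             # SSD is enforced at assignment time
        held = self.user_roles.setdefault(user, set())
        self._check(self.ssd, self.closure(held | {role}), "SSD")
        held.add(role)

    def open_session(self, user, *roles):     # DSD is enforced at activation time
        if not set(roles) <= self.closure(self.user_roles.get(user, ())):
            raise PermissionError("user is not authorized for a requested role")
        active = self.closure(roles)
        self._check(self.dsd, active, "DSD")
        return active

    def permitted(self, active, perm):        # no matching grant means deny
        return any(perm in self.role_perms.get(r, ()) for r in active)

def build_bank():   # constructed policy; role names and the user are hypothetical
    rbac = RBAC(ssd=[("teller", "auditor")], dsd=[("teller", "customer")])
    for role, perms in {"clerk": ["inquiry"], "teller": ["credit", "debit"],
                        "customer": ["inquiry"], "auditor": ["read"]}.items():
        rbac.grant(role, *perms)
    rbac.inherit("teller", "clerk")
    rbac.assign("hua", "teller")
    rbac.assign("hua", "customer")
    return rbac
```

In this policy the user may hold both teller and customer but can never activate them together, and can never be given auditor at all; the denials come from the constraints, since every permission in the model is positive.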

  36. Questions?
