SECURITY

Abenoja, Michael Joseph B

Campos, Jennylyn T
Dugenia, Marrieda C

Based on lecture notes by Scott Shenker and Mike Freed

 What is Security?
Classes of attacks
Basic security requirements
Simple cryptographic methods
Cryptographic toolkit
DNSSec
Certificate Authorities
SSL / HTTPS

TOPICS

WHAT IS SECURITY
Dictionary.com says:
1. Freedom from risk or danger; safety.
2. Freedom from doubt, anxiety, or fear; confidence.
3. Something that gives or assures safety, as:
1. A group or department of private guards: Call building
security if a visitor acts suspicious.
2. Measures adopted by a government to prevent
espionage, sabotage, or attack.
3. Measures adopted, as by a business or homeowner, to
prevent a crime such as burglary or assault: Security was lax
at the firm's smaller plant.
etc.

CLASSES OF ATTACKS
Passive Attack - monitors unencrypted traffic and looks for clear-text
passwords and sensitive information that can be used in other types of
attacks.
Active Attack - the attacker tries to bypass or break into secured
systems. This can be done through stealth, viruses, worms, or Trojan
horses.
Distributed Attack - focus on the malicious modification of hardware or
software at the factory or during distribution.
Insider Attack involves someone from the inside, such as a disgruntled
employee, attacking the network.
Close-in Attack involves someone attempting to get physically close to
network components, data, and systems in order to learn more about a
network.
Phishing Attack - the hacker creates a fake web site that looks exactly
like a popular site such as the SBI bank or paypal.

CLASSES OF ATTACKS
Hijack Attack - a hacker takes over a session between you and
another individual and disconnects the other individual from the
communication.
Spoof Attack - the hacker modifies the source address of the
packets he or she is sending so that they appear to be coming
from someone else.
Buffer Overflow Attack - is when the attacker sends more data
to an application than is expected.
Exploit Attack - the attacker knows of a security problem within
an operating system or a piece of software and leverages that
knowledge by exploiting the vulnerability.
Password Attack - an attacker tries to crack the passwords
stored in a network account database or a password-protected
file.

BASIC REQUIREMENTS FOR

SECURE COMMUNICATION
Availability
Authentication
Integrity
Confidentiality
Provenance
Authorization

Accountability/Attributio
n
Audit/Forensics
Appropriate use
Freedom from traffic
analysis
Anonymity

INTERNETS DESIGN:
INSECURE
Designed for simplicity in a nave era
On by default design
Readily available zombie machines
Attacks look like normal traffic
Internets federated operation obstructs
cooperation for diagnosis/mitigation

EAVESDROPPING - MESSAGE
INTERCEPTION (ATTACK ON
CONFIDENTIALITY)
Unauthorized access to information
Packet sniffers and wiretappers
Illicit copying of files and programs

Integrity Attack Tampering

Stop the flow of the
message

Delay and optionally modify the message

Release the message again

AUTHENTICITY ATTACK - FABRICATION

Unauthorized assumption of others identity
Generate and distribute objects under this
identity

Attack on Availability
Destroy hardware (cutting fiber) or software
Modify software in a subtle way
Corrupt packets in transit
Blatant denial of service (DoS):
- Crashing the server
- Overwhelm the server (use up its resource)

BASIC FORMS OF
CRYPTOGRAPHY
Cryptography: describes a process of encrypting
information so that its meaning is hidden from
those who do not know how to decrypt the
information.
Cryptographic Algorithm (cipher) - is a step by
step sequence of mathematical calculations used
to encrypt and decrypt information.
3 different types of cryptographic
algorithms:
- hashing algorithms
- symmetric-key algorithms
- asymmetric key algorithms.

HASHING ALGORITHM
is a mathematical algorithm designed to perform one-way
encryption. When we say one-way we mean that once the
information has been encrypted there is no way to retrieve
the original information from the hashed form.
The two most common hash methods are as follows:
Message Digest Service Algorithm - The message
digest family of encryption algorithms provides encryption
of 128-bits in strength and is designed to be fast and
simple. Current standards are MD2, MD4 and MD5.
Secure Hash Algorithm - SHA is used extensively by the
US government and was developed by the National
Security Agency (NSA). Two version of SHA have so far
been developed - SHA and SHA1. SHA1 provides 160-bit
hashing. SHA-1 is more secure than MD5 but involves a
slower encryption process.

SYMMETRIC KEY
ENCRYPTION
Same key for encryption and decryption
Both sender and receiver know key
But adversary does not know key
Symmetric key encryption is one of the most basic forms
of cryptography and is based on the premise that both
the sending and receiving parties are in possession of
the key used to encrypt the data

ASYMMETRIC ENCRYPTION (PUBLIC KEY)

- based on the concept of using a pair of keys, one
private and one public.
The private key is held by the host or application which
is to receive the encrypted data. The corresponding
public key is made available to anyone who wishes to
encrypt data such that it can be decrypted by the holder
of the private key. The cornerstone of public key
encryption is the level of difficulty involved in inferring
the private key from the public key

CRYPTOGRAPHIC
TOOLKIT
Cryptographic Toolkit is a collection of standards,
recommendations and guidance about cryptographic
security components and functionality for protecting
their data, communications, and operations.

DNSSEC
Domain Name System Security Extensions
(DNSSEC)
- is a suite of Internet Engineering Task Force (IETF)
specifications for securing certain kinds of information
provided by the Domain Name System (DNS) as used
on Internet Protocol (IP) networks.
- it is a set of extensions to DNS which provide to DNS
clients (resolvers) origin authentication of DNS data,
authenticated denial of existence, and data integrity,
but not availability or confidentiality.

CERTIFICATE
AUTHORITIES
Certificate Authority or Certification Authority
(CA)
- is an entity that issues digital certificates.
Digital Certificate - certifies the ownership of a
public key by the named subject of the certificate. This
allows others (relying parties) to rely upon signatures
or on assertions made by the private key that
corresponds to the certified public key.

SSL/HTTPS
SSL

SSL (Secure Socket Layer)

- is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures
that all data passed between the web server and browsers remain private and integral.

To be able to create an SSL connection a web server requires an SSL Certificate. When you choose to activate SSL on
your web server you will be prompted to complete a number of questions about the identity of your website and
your company. Your web server then creates two cryptographic keys - a Private Key and a Public Key.

HTTPS
https = Use HTTP over SSL/TLS
SSL = Secure Socket Layer
TLS = Transport Layer Security
- is a communications protocol for secure communication over a
computer network, with especially wide deployment on the
Internet.
- it is not a protocol in and of itself; rather, it is the result of
simply layering the Hypertext Transfer Protocol (HTTP) on top of
the SSL or TLS protocol, thus adding the security capabilities of
SSL/TLS to standard HTTP communications. The main motivation
for HTTPS is to provide authentication of the visited website and
prevent wiretapping and man-in-the-middle attacks.

END OF
PRESENTATION

PENDONG

Based on lecture notes by Scott Shenker and Mike Freed