Scribd
Upload
116 views

Chapter 1: Introduction

The document introduces the characters Alice, Bob, and Trudy who represent users of an online bank. It discusses security concerns like confidentiality, integrity and availability for Alice as the bank owner and Bob as a customer. Trudy represents an intruder trying to compromise security. The textbook will cover cryptography, access control, security protocols, software security and how people can unintentionally break security. It emphasizes thinking like an attacker to strengthen defenses.

Uploaded by

Ayman Ibaida
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
116 views

Chapter 1: Introduction

The document introduces the characters Alice, Bob, and Trudy who represent users of an online bank. It discusses security concerns like confidentiality, integrity and availability for Alice as the bank owner and Bob as a customer. Trudy represents an intruder trying to compromise security. The textbook will cover cryptography, access control, security protocols, software security and how people can unintentionally break security. It emphasizes thinking like an attacker to strengthen defenses.

Uploaded by

Ayman Ibaida
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 25

Chapter 1: Introduction

Begin at the beginning, the King said, very gravely, and go on till you come to the end: then stop. Lewis Carroll, Alice in Wonderland

Chapter 1 Introduction

The Cast of Characters


Alice

and Bob are the good guys

Trudy

is the bad guy

Trudy

is our generic intruder


2

Chapter 1 Introduction

Alices Online Bank


Alice
What If

opens Alices Online Bank (AOB)


are Alices security concerns?

Bob is a customer of AOB, what are his security concerns? are Alices and Bobs concerns similar? How are they different? does Trudy view the situation?
3

How How

Chapter 1 Introduction

CIA
CIA

== Confidentiality, Integrity, and Availability


must prevent Trudy from learning Bobs account balance prevent unauthorized reading of information
o Cryptography used for confidentiality

AOB

Confidentiality:

Chapter 1 Introduction

CIA
Trudy
Bob

must not be able to change Bobs account balance


must not be able to improperly change his own account balance detect unauthorized writing of information
o Cryptography used for integrity

Integrity:

Chapter 1 Introduction

CIA

AOBs information must be available whenever its needed


Alice must be able to make transaction
o If not, shell take her business elsewhere

Availability: Data is available in a timely manner when needed Availability is a new security concern
o Denial of service (DoS) attacks

Chapter 1 Introduction

Beyond CIA: Crypto


How

does Bobs computer know that Bob is really Bob and not Trudy?
password must be verified are security concerns of pwds?
o This requires some clever cryptography

Bobs What

Are

there alternatives to passwords?


7

Chapter 1 Introduction

Beyond CIA: Protocols


When Bob logs into AOB, how does AOB know that Bob is really Bob?
As before, Bobs password is verified Unlike the previous case, network security issues arise What are network security concerns?
o Protocols are critically important o Crypto also important in protocols

Chapter 1 Introduction

Beyond CIA: Access Control

Once Bob is authenticated by AOB, then AOB must restrict actions of Bob
o Bob cant view Charlies account info

o Bob cant install new software, etc., etc.


Enforcing these restrictions: authorization Access control includes both authentication and authorization
9

Chapter 1 Introduction

Beyond CIA: Software


Cryptography, protocols, and access control are implemented in software


What are security issues of software?
o Most software is complex and buggy o Software flaws lead to security flaws o How does Trudy attack software? o How to reduce flaws in software development?

And what about malware?


10

Chapter 1 Introduction

Your Textbook
The

text consists of four major parts

o Cryptography o Access control o Protocols o Software


Note:

Our focus is on technical issues


11

Chapter 1 Introduction

The People Problem


People

often break security

o Both intentionally and unintentionally o Here, we consider the unintentional


For

example, suppose you want to buy something online


o To make it concrete, suppose you want to

buy from amazon.com

Chapter 1 Introduction

12

The People Problem


To

buy from amazon.com

o Your Web browser uses SSL protocol o SSL relies on cryptography

o Access control issues arise


o All security mechanisms are in software
Suppose

all of these security stuff works perfectly


o What could possibly go wrong?
13

Chapter 1 Introduction

The People Problem


What

could go wrong? Trudy can try man-in-the-middle attack


o SSL is secure, so attack doesnt work

o Web browser issues a warning


o What do you, the user, do?
If

user ignores warning, attack works!

o None of the security mechanisms failed o But user unintentionally broke security
Chapter 1 Introduction 14

Cryptography
Secret
The

codes

book covers

o Classic cryptography

o Symmetric ciphers
o Public key cryptography o Hash functions++ o Advanced cryptanalysis
Chapter 1 Introduction 15

Access Control

Authentication
o Passwords o Biometrics (and other)

Authorization
o Access Control Lists/Capabilities o Multilevel security (MLS), security modeling,

covert channel, inference control

o Firewalls and Intrusion Detection Systems

Chapter 1 Introduction

16

Protocols
Simple

authentication protocols

o Focus on basics of security protocols o Cryptography used a lot in protocols


Real-world

security protocols

o SSH, SSL, IPSec, Kerberos o Wireless: WEP, GSM

Chapter 1 Introduction

17

Software
Security-critical

flaws in software

o Buffer overflow o Race conditions, etc.


Malware

o Examples of viruses and worms o Prevention and detection o Future of malware?


Chapter 1 Introduction 18

Software
Software
Digital

reverse engineering (SRE)

o How hackers dissect software

rights management (DRM)

o Shows difficulty of security in software


o Also raises OS security issues
Software

and testing

o Open source, closed source, other topics


Chapter 1 Introduction 19

Software

Operating systems
o Basic OS security issues o Trusted OS requirements o NGSCB: Microsofts trusted OS for the PC

Software is a BIG security topic


o Lots of material to cover

o Lots of security problems to consider


o But not nearly enough time available
Chapter 1 Introduction 20

Think Like Trudy


In

the past, no respectable sources talked about hacking in detail


o After all, such info might help Trudy

Recently,

this has changed

o Books on network hacking, how to write evil software, how to hack software, etc. o Classes teach writing viruses, SRE, etc.
Chapter 1 Introduction 21

Think Like Trudy


Good
A

guys must think like bad guys!

police detective

o must study and understand criminals


In

information security

o We want to understand Trudys methods o Might be good to know Trudys motives o Well often pretend to be Trudy
Chapter 1 Introduction 22

Think Like Trudy


Is

all of this security information a good idea?


Schneier (referring to Security Engineering, by Ross Anderson):
o Its about time somebody wrote a book to teach the good guys what the bad guys already know.

Bruce

Chapter 1 Introduction

23

Think Like Trudy


We

must try to think like Trudy We must study Trudys methods We can admire Trudys cleverness Often, we cant help but laugh at Alices and/or Bobs stupidity But, we cannot act like Trudy
o Except in this class
Chapter 1 Introduction 24

In This Course
Think

like the bad guy Always look for weaknesses


o We want to find weak link before Trudy
Its

OK to break the rules

o What rules?
Think

like Trudy But dont do anything illegal!


Chapter 1 Introduction 25

You might also like