DOC PREVIEW
CORNELL CS 514 - Lecture 19 Security (part 1)

This preview shows page 1-2-3-18-19-37-38-39 out of 39 pages.

Save
View full document
View full document
Premium Document
Do you want full access? Go Premium and unlock all 39 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 39 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 39 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 39 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 39 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 39 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 39 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 39 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 39 pages.
Access to all documents
Download any document
Ad free experience

Unformatted text preview:

1CS514: Intermediate Course in Computer SystemsLecture 19: October 29, 31, 2003Security (part 1)CS514Security is an endlessly huge topic| Take CS513 next semester and find out!z (Seriously, highly recommended)| Here, we want to focus on security issues associated with web sites and web servicesz This is still a broad range of problems that goes beyond web…2CS514What kinds of things concern us?| Someone breaks into a web site and steals data (user credit card numbers) or alters contents| Someone impersonates a web site (and perhaps steals user information)| Someone impersonates a user| Someone monitors communications between a user and a web site, and gathers sensitive information| Someone overwhelms a web site with requests or traffic and makes it unusable by others (denial of service)CS514What kinds of things concern us?| Someone breaks into a web site and steals data (user credit card numbers) or alters contents| Someone impersonates a web site (and perhaps steals user information)| Someone impersonates a user| Someone monitors communications between a user and a web site, and gathers sensitive information| Someone overwhelms a web site with requests or traffic and makes it unusable by others (denial of service)Firewall (to protect against port scanning and other intrusions, and make life harder for the attacker)Access Control and Authentication (to prevent attacker from getting admin privilegesIntrusion detection (to discover suspicious activity)3CS514What kinds of things concern us?| Someone breaks into a web site and steals data (user credit card numbers) or alters contents| Someone impersonates a web site (and perhaps steals user information)| Someone impersonates a user| Someone monitors communications between a user and a web site, and gathers sensitive information| Someone overwhelms a web site with requests or traffic and makes it unusable by others (denial of service)Protect DNS so that attacker can’t steer user to the wrong placeCertificates from trusted Certificate Authorities“Realistic” looking URLsCS514What kinds of things concern us?| Someone breaks into a web site and steals data (user credit card numbers) or alters contents| Someone impersonates a web site (and perhaps steals user information)| Someone impersonates a user| Someone monitors communications between a user and a web site, and gathers sensitive information| Someone overwhelms a web site with requests or traffic and makes it unusable by others (denial of service)User AuthenticationEncryption of user sessions to protect passwords4CS514What kinds of things concern us?| Someone breaks into a web site and steals data (user credit card numbers) or alters contents| Someone impersonates a web site (and perhaps steals user information)| Someone impersonates a user| Someone monitors communications between a user and a web site, and gathers sensitive information| Someone overwhelms a web site with requests or traffic and makes it unusable by others (denial of service)Encryption of user sessionsCS514What kinds of things concern us?| Someone breaks into a web site and steals data (user credit card numbers) or alters contents| Someone impersonates a web site (and perhaps steals user information)| Someone impersonates a user| Someone monitors communications between a user and a web site, and gathers sensitive information| Someone overwhelms a web site with requests or traffic and makes it unusable by others (denial of service)TCP SYN attack preventionOver provision (same as for dealing with flash crowds)Load balancers to throttle trafficOther tricks…5CS514Classic list of basic security services| Access control| Authentication| Confidentiality| Integrity| Non-repudiationFollowing slides borrow heavily from Peter Gutmann’s highly recommended tutorial at http://www.cs.auckland.ac.nz/~pgut001/tutorial/CS514In a way, everything is built out of two mechanisms| Encryption/decryptionz Which is ultimately about securely keeping and sharing secretsz Key distribution| Hashing (one way)| But these basic mechanisms are used in many different ways6CS514Hashing (a.k.a. message digest)| Produces an integer when applied to some dataz Hash(data, len) = Iz The integer I tends to be uniformly randomly distributed| But only works in one directionz Can’t produce the (data,len) from I| If I is big enough (say, 128 bits), then serves as a unique identifier for the data| Virtually no other (data,len) will produce the same Iz And small changes to (data,len) will produce a different ICS514What can you do with hashing?| If the hash value can be securely conveyed, then can detect tamperingz I.e. integrity| Used in other ways too (as we’ll see)z Digital signature7CS514Conventional encryption (confidentiality)Problem of communicating a large message in secret becomes that of communicating a small secret in secretCS514Difficulties of shared secret encryption| Also known as symmetric key encryption| How do you distribute the keys?| Need to have a distinct key for every pair of communicatorsz And each needs to be changed periodically (“refreshed”) in case it was discovered| N2keys!8CS514Trusted third party key distributionCS514Trusted third party key distribution9CS514Trusted third party key distribution| This is the basis for Kerberosz We’ll cover this a bit later| Note that Bob’s and Alice’s keys (Kb and Ka) have to be refreshed periodically| The shared key Kab is typically used only oncez So that an eavesdropper can’t, over time, guess the keyCS514Guessing keys| A key is easier to guess when:z They are shortz There is lots of data available that was encrypted by the key| 48 bits is a short key| 128 bits is a long key10CS514Note the single point of failure| As a rule, security tends to lead to weakened system reliability| Simply by virtue of having another box “in the loop”z Secure systems typically err on the side of preventing things from happening| We all have experienced this first handz I.e., can’t log into a system, etc…CS514Public key encryption| Now, what if a given node (say Bob) could use the same key with every communicating peer?z Instead of a different key for each peer| Now we have N keys instead of N2keys| But now, couldn’t every other node decrypt a document?11CS514Public key encryption| Actually, each “key” comes as a pair of keys…z …a public key and a private keyz The private key is kept secretz Everybody knows the public key| These things are magic! Why?| Something encrypted with


View Full Document

CORNELL CS 514 - Lecture 19 Security (part 1)

Documents in this Course
LECTURE

LECTURE

29 pages

LECTURE

LECTURE

28 pages

Load more
Download Lecture 19 Security (part 1)
Our administrator received your request to download this document. We will send you the file to your email shortly.
Loading Unlocking...
Login

Join to view Lecture 19 Security (part 1) and access 3M+ class-specific study document.

or
We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view Lecture 19 Security (part 1) 2 2 and access 3M+ class-specific study document.

or

By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?