Slide 1: Security Services
ECE 646 - Lecture 1

Slide 2: Need for information security
• widespread use of data processing equipment: computer security
• widespread use of computer networks and distributed computing systems: network security

Slide 3: Computer Security
• Virus attacks cause greatest financial losses
  – Unauthorized access
  – Loss of laptops
  – Loss of proprietary information
• Little outsourcing
• Cyber insurance low
• Reporting computer intrusion low but increased
• Data protection is most critical (e.g. through identification, encryption, etc.)

Slide 4: Who provided the data
(Figure only; no text recoverable.)

Slides 5 to 8
(Figures only; no text recoverable.)

Slide 9: Cryptography is Important
• Algorithms and Usage
• User Education

Slide 10: Security Threats in Banking Systems
(Diagram: Bank A, Bank B and an ATM connected over a network, annotated with the threats interception, modification, fabrication, unauthorized access, radiation analysis and timing attacks.)

Slide 11: Electronic Commerce
HOME-SHOPPING
• non-digital goods (e.g., books, CDs)
• services (e.g., travel reservations)
• digital goods (e.g., software, music, video)
• micropayments (e.g., database access)
ELECTRONIC FUND TRANSFER - EFT
• intra-bank fund transfers
• inter-bank fund transfers
• home banking
• electronic cash
ELECTRONIC DATA INTERCHANGE - EDI
• financial transactions among companies

Slide 12: Electronic Data Interchange
• transactions between computers
• human participation in routine transactions limited or non-existent
• paper records eliminated
• less time to detect and correct errors

Slide 13: Other types of data needing security
• financial records
• medical records
• commercial secrets
• business and private correspondence
• technical specifications
• your computer

Slide 14: Potential attackers
• hackers
• industrial competitors
• spies
• press
• government agencies

Slide 15: Security on the Internet
(Diagram: ordinary E-MAIL shown as a postcard reading "Alice, Love you, Bob", addressed to Alice, Smurftown, SL 22030, Smurfland, contrasted with SECURE E-MAIL.)

Slide 16: NSA
National Security Agency (also known as "No Such Agency" or "Never Say Anything")
Created in 1952 by President Truman
Goals:
• designing strong ciphers (to protect U.S. communications)
• breaking ciphers (to listen to non-U.S. communications)
Budget and number of employees kept secret
Largest employer of mathematicians in the world
Largest purchaser of computer hardware

Slide 17: Worldwide Survey of Cryptographic Products
NAI Labs, June 2001
Foreign products developed in 43 countries, distributed in at least 76 countries
(Bar chart comparing the numbers of domestic and foreign companies and products.)

Slide 18: Foreign Cryptographic Products
• Germany (118)
• UK (93)
• Canada (85)
• Switzerland (74)
• Sweden (35)
• Russia (31)
• Australia (29)
• South Korea (26)
• Japan (26)
• Israel (19)
• Other (222)

Slide 19: Increase in the number of foreign cryptographic products and companies
(Chart of products and companies per year, 1993 to 2001; sources: Trusted Information Systems, GWU, NAI.)

Slide 20: RSA Security Inc.
• patents for RSA, RC5, RC6 and other
• over 1 billion users of crypto library BSAFE
• RSA Laboratory
• RSA Conference
• spin-off companies
  – VeriSign (1995) – Public Key Infrastructure
• recently acquired by EMC2
  – EMC2 Data storage solutions

Slide 21: Companies introducing security into their products/services
hardware: IBM, Motorola, Intel, Sun Microsystems, Hewlett-Packard
software: Microsoft, Netscape, Novell, Oracle, Intuit
telecom: AT&T / SBC, Verizon, Nortel
finances: Visa, Mastercard, Verifone

Slide 22: American and international standards regarding public key cryptography
IEEE – industrial standards – P1363
ANSI – banking standards – ANSI X9
NIST – federal standards – FIPS
ISO – international standards – ISO
RSA Labs – informal industrial standards – PKCS

Slide 23: Security services
Protecting data in transit and at rest
• confidentiality
• integrity
• authentication
• non-repudiation
• access control
  – identification
  – authorization
  – auditing
• availability

Slide 24: Identification (User Authentication)
On the basis of
• what you know (passwords, PINs)
• what you have (magnetic card, smart card)
• what you are (fingerprints, handprints, voiceprints, keystroke timing, signatures, retinal scanners)

Slides 25 and 26
(Figures only; no text recoverable.)

Slide 27: Basic Security Services (1)
1. Confidentiality
2. Message integrity
3. Message authentication
(Three diagrams, each showing Bob, Alice and Charlie.)

Slide 28: Basic Security Services (2)
4. Non-repudiation
  – of sender
  – of receiver
  – mutual
Technique: digital signature
(Illustration: a HANDWRITTEN signature next to a DIGITAL signature shown as the hex string A6E3891F2939E38C745B25289896CA345BEF5349245CBA653448E349EA47.)
Main Goals:
• unique identification
• proof of agreement to the contents of the document

Slide 29: Handwritten and digital signatures – Common Features
Handwritten signature and digital signature:
1. Unique
2. Impossible to be forged
3. Impossible to be denied by the author
4. Easy to verify by an independent judge
5. Easy to generate

Slide 30: Handwritten and digital signatures – Differences
Handwritten signature:
6. Associated physically with the document
7. Almost identical for all documents
8. Usually at the last page
Digital signature:
6. Can be stored and transmitted independently of the document
7. Function of the document
8. Covers the entire document

Slide 31: Relations among security services
(Diagram relating INTEGRITY, AUTHENTICATION, NON-REPUDIATION and CONFIDENTIALITY.)

Slide 32: Network Security Threats (1)
• Interruption
• Interception
• Modification
• Fabrication

Slide 33: Network Security Threats (2)
Passive:
• Interception
  – release of message contents
  – traffic analysis
Active:
• Interruption (availability)
• Modification (integrity)
• Fabrication (authenticity)
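As an added worked example (not part of the lecture slides), the Python sketch below shows the digital-signature properties from slides 28 to 30: the signature is a function of the entire document, is stored apart from it, is produced with the signer's private key and can be checked by any independent party holding the public key, and it fails on a modified document (the modification threat of slides 10 and 32). It uses textbook RSA with constructed toy parameters and no padding, which illustrates the properties but is not a usable signature scheme.

```python
import hashlib

# Constructed toy key: two Mersenne primes, far too small for real use.
# Textbook RSA without padding is shown for illustration only.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)


def digest(document: bytes) -> int:
    """Hash every byte of the document, so the signature covers all of it."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(document: bytes, d: int = D) -> int:
    """Signer (Bob) uses the private exponent; the result is a separate value."""
    return pow(digest(document), d, N)


def verify(document: bytes, signature: int, e: int = E) -> bool:
    """Anyone with the public exponent (an independent judge) can check it."""
    return pow(signature, e, N) == digest(document)


def demo() -> dict:
    # Constructed sample document and a tampered copy of it.
    contract = b"Bob agrees to pay Alice 100 coins by 2025-01-01."
    sig = sign(contract)
    tampered = contract.replace(b"100", b"900")
    return {
        "valid": verify(contract, sig),                        # genuine document verifies
        "tampered_detected": not verify(tampered, sig),        # any change breaks it
        "differs_per_document": sign(b"another document") != sig,  # function of the document
        "signature_hex": format(sig, "x"),                     # storable independently
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```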