Download security

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
Document related concepts

Security-focused operating system wikipedia , lookup

Distributed firewall wikipedia , lookup

Information privacy law wikipedia , lookup

Trusted Computing wikipedia , lookup

Proxy server wikipedia , lookup

Password strength wikipedia , lookup

Cross-site scripting wikipedia , lookup

Computer security wikipedia , lookup

Cryptanalysis wikipedia , lookup

Wireless security wikipedia , lookup

Cryptographic hash function wikipedia , lookup

One-time pad wikipedia , lookup

Public-key cryptography wikipedia , lookup

Diffie–Hellman key exchange wikipedia , lookup

Rainbow table wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Security and safety features new to Windows Vista wikipedia , lookup

Digital signature wikipedia , lookup

Unix security wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Mobile security wikipedia , lookup

HTTPS wikipedia , lookup

Cryptography wikipedia , lookup

Web of trust wikipedia , lookup

Certificate authority wikipedia , lookup

Post-quantum cryptography wikipedia , lookup

History of cryptography wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Transcript 
Security – 1h
The Internet – a global network
of networks
• Information travelling on the internet
– takes a circuitous route
– through several intermediate computers and
data links
– to reach any destination computer
• You have no control over the route your
information takes to reach its destination
• Offers possibilities for information to be
intercepted and corrupted
• Raises issues of security
The aims of computer security
• Prevention
– Prevent asset being damaged
• Detection
– Detect when an asset has been damaged
• Response
– Recover assets
– Repair damage to assets
– Inform others
Issues (1/2)
• Confidentiality: Unauthorised
disclosure of information
• Integrity: Prevent unauthorised
modification of information
• Availability: Prevent unauthorised
withholding of information
Issues (2/2)
• Authenticity: Are you what you say you
are ?
• Accountability: Can I be sure that the last
transaction was encrypted?
• Dependability: Will this always be the
case, or do you have a non-secure server
when the secure server is down?
Username and Password
• Password guessing
– Exhaustive search
– Intelligent search
• Password spoofing
– Log-in to a fake site (have you ever re-used a pwd?)
• Compromise of password file
– Illegal under the UK Data Protection Act
• What happens if an overseas call-centre starts selling your
passwords as well as your credit card data?
– Cryptography
Network solutions
• Password:
– Checkers - Search for weak passwords
– Generation - random but pronounceable
– Ageing - prevent last ten being reused
• Limit Log-in attempts
– Inform user of number of unsuccessful log-ins
• Levels of password
– Log-in/Log-out/Server/
– Access Database/Write Database
Cryptography Issues
Three functions of cryptography:
• Secure encryption and decryption of data
to prevent unauthorised access
• Verification that the data was sent by the
stated sender
• Validation that data was received
unaltered
Private-Key Encryption
• The same key is used for both encoding and
decoding
• Sending a message from A to B:
– A encodes a message with his/her private key
– A sends the message to B
– A must also send his/her private key to B (this is the
weakest link)
– B decodes A’s message with A’s private key
Private-Key Encryption
• Problem
– Key security: steal the key and the code can
be broken
– Every time the key is transferred there is risk
of it being intercepted
– The same key may be shared by too many
people
Public-Key Encryption
• Two keys are required: The two keys are different
but linked (Asymmetric key-pair)
– A public key
• Can be copied and given out freely
– A private key
• Retained by you only
• Could reside on your computer as a password-protected file
(message digest)
• Could be stored solely on your floppy disk (further security)
• People send you information encoded with your
public key that can only be decoded by you with
your private key (confidentiality)
Hash functions
• Produce fixed-length hash (~32 bits) from variable-length
message
– It is computationally infeasible to find a message with that
hash; in fact one can't determine any usable information about a
message with that hash, not even a single bit.
– Biometrics usually work the same way!
• A public one-way hash function can be used to speed up a
public-key digital signature system.
– Rather than sign a long message, which can take a long time,
compute the one-way hash of the message, and sign the hash.
• Passwords may be stored as hashes, so accessing the
password file does not compromise the users
Cryptography Issues
• Secure encryption and decryption of data
– Keys
• Verification that the data was sent by the
stated sender
– Digital Signature
• Validation that data was received
unaltered
– Comparison of message digests
Digital Certificates
• Attached to a public key to reassure
users that the public key they are
about to accept is authentic
• Given by a Certification Authority
(CA) e.g.Verisign
• Web browsers have a list of trusted
CA’s built into them
Digital Certificates
– Scenario
• A secure web page offers the web browser
a public key (as a digital certificate)
• Web browser then checks the key for
certification and the authority that certified it
Secure Sockets Layer SSL
• Secure Sockets Layer SSL (Netscape)
• Protocol used to transmit information
securely via the Internet
• Delivers
– Server authentication (check site digital
certificate)
– Message privacy (encryption of information
moving between browser and server and
unique session keys)
– Message integrity (compare message digests)
Firewalls
• Firewall
– any security system protecting the boundary of an internal
network (intranet, LAN)
• Functions
– Access control based on sender or receiver addresses
– Access control based on the service requested
– Hiding the internal network from the outside world (e.g.
topology, IP addresses)
– Virus checking on incoming files
– Authentication based on the source of traffic
– Logging of internet activities
• Mechanisms used
– Packet filtering
– Proxy servers
Proxy Servers
• A server located between a client (e.g. web
browser) and the server the client is trying to
contact
• Intercepts the client’s request and decides
whether it is permitted according to its security
rules
• The only entity seen by the outside world and
appears transparent to internal users
Hacking - DOS
• Denial of Service attacks
– Target: ISP
– Causes a service (e.g. web server or mail
server) to be unavailable or unusable
• e.g. send a stream of connection requests to the
server and deplete it of memory or reach the
server connection limit
– Consequences
• Refusal of further connection requests
• Poor performance
Hacking - Cracking Passwords
• Cracking Passwords – remote access
• Dictionary attack is trying to determine a
decryption key or pass-phrase by
searching a large number of possibilities
• Remote access to a user’s account allows
files to be copied or corrupted.
• Hacking used to be a game – now it is
done by criminals for theft.
Virus
• Virus
– A piece of self-replicating code attached to some
other piece of code, with a payload. Payload can
range from non-existent/harmless to harmful e.g.
deleting/modifying files
– Infects a program by inserting itself into the program
code
– Attacks
•
•
•
•
Executable program files
File-directory
Boot process (e.g. bootstrap virus use BIOS)
System
Trojan Horses
• Program which produces hidden sideeffects not intended by the user executing
the program e.g Melissa - a macro virus
which via Word attacked MS
Outlook/Express
• Can allow passwords and account details
to be accessed remotely.
Worms
• Self-replicating, but not infecting,
• Designed to attack networks (use active
network connections in order to
propagate)
• Can reduce server efficiency or crash the
server
• Can allow information to be accessed
remotely
Cookies
• Text file created by a site’s web server and
stored on your host machine by your web
browser
• An information packet sent from a server to a
browser and thereafter sent back by the
browser each time it access the server
• Creation of a user profile to improve user
experience of the web or invasion of privacy?
• Can be blocked (Browser settings)
Related documents
Security
Security
ITS_8_Security Vocab Answers
ITS_8_Security Vocab Answers
Online Security - Nassau Financial
Online Security - Nassau Financial
Presentation PPT
Presentation PPT
Support: Ticket, Process, and Expectations
Support: Ticket, Process, and Expectations
Security Risks
Security Risks
Chapter 2 The Internet and Multimedia
Chapter 2 The Internet and Multimedia
When you create a link, you MUST use the precise name
When you create a link, you MUST use the precise name
Data Confidentiality
Data Confidentiality
Network Traversal
Network Traversal
Disclaimer
Disclaimer
Encrypting Connection Strings
Encrypting Connection Strings