Pfleeger 9780134093093 Ch02 - ppawar.github.io€¦ · í î l î ò l î ì í õ ñ $ffhvv...
Transcript of Pfleeger 9780134093093 Ch02 - ppawar.github.io€¦ · í î l î ò l î ì í õ ñ $ffhvv...
12/26/2019
1
SECURITY IN COMPUTING,FIFTH EDITIONChapter 2: Toolbox: Authentication, Access Control, and Cryptography
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
1
Objectives for Chapter 2
• Survey authentication mechanisms
• List available access control implementation options
• Explain the problems encryption is designed to solve
• Understand the various categories of encryption tools as well as the strengths, weaknesses, and applications of each
• Learn about certificates and certificate authorities
2
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Authentication
• The act of proving that a user is who she says she is
• Methods:• Something the user knows
• Something the user is
• Something user has
3
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
1
2
3
12/26/2019
2
Something You Know
• Passwords
• Security questions
• Attacks on “something you know”:• Dictionary attacks
• Inferring likely passwords/answers
• Guessing
• Defeating concealment
• Exhaustive or brute-force attack
• Rainbow tables
4
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Distribution of Password Types
5
One character0%
Two characters2%
Three characters14%
Four characters,all letters
14%
Five letters,all same case
22%
Six letters,lowercase
19%
Words indictionaries orlists of names
15%
Other goodpasswords
14%
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Password Storage
Plaintext Concealed
6
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
4
5
6
12/26/2019
3
Biometrics: Something You Are
7
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Problems with Biometrics
• Intrusive
• Expensive
• Single point of failure
• Sampling error
• False readings
• Speed
• Forgery
8
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Tokens: Something You Have
9
Time-Based Token Authentication
PASSCODE PIN TOKENCODE=
Login: mcollings
2468159759Passcode:
+
Clocksynchronized toUCT
Unique seed
Token code:Changes every
60 seconds
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
7
8
9
12/26/2019
4
Federated Identity Management
10
UserIdentity Manager
(performsauthentication)
AuthenticatedIdentity
Application(no authentication)
Application(no authentication)
Application(no authentication)
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Single Sign-On
11
User Single Sign-OnShell
Identification andAuthentication
Credentials
Application
Authentication
Token
AuthenticationAuthentication
ApplicationApplication
Password
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Access Control
12
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
10
11
12
12/26/2019
5
Access Policies
• Goals:• Check every access
• Enforce least privilege
• Verify acceptable usage
• Track users’ access
• Enforce at appropriate granularity
• Use audit logging to track accesses
13
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Implementing Access Control
• Reference monitor
• Access control directory
• Access control matrix
• Access control list
• Privilege list
• Capability
• Procedure-oriented access control
• Role-based access control
14
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Reference Monitor
15
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
13
14
15
12/26/2019
6
Access Control Directory
16
PROG1.C
PROG1.EXE
BIBLIOG
HELP.TXT
TEMP
ORW
ORW
ORW
OX
R
BIBLIOG
TEST.TMP
PRIVATE
HELP.TXT
R
ORW
OX
R
File NameFile NameAccessRights
AccessRights
FilePointer
FilePointer
User A Directory User B DirectoryFiles
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Access Control Matrix
17
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Access Control List
18
F
TEMP
BIBLIOG
HELP.TXT
FileAccess List
Pointer UserAccessRights
USER_S
USER_B
USER_A ORW
RW
R
BIBLIOG
TEMP
F
HELP.TXT
USER_A ORW
USER_S
USER_A ORW
R
USER_S
USER_B
USER_A R
R
R
USER_T R
SYSMGR
USER_SVCS
RW
O
Directory Access Lists Files
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
16
17
18
12/26/2019
7
Problems Addressed by Encryption
• Suppose a sender wants to send a message to a recipient. An attacker may attempt to• Block the message
• Intercept the message
• Modify the message
• Fabricate an authentic-looking alternate message
19
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Encryption Terminology
• Sender
• Recipient
• Transmission medium
• Interceptor/intruder
• Encrypt, encode, or encipher
• Decrypt, decode, or decipher
• Cryptosystem
• Plaintext
• Ciphertext
20
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Encryption/Decryption Process
21
Key(Optional)
OriginalPlaintext
Plaintext Ciphertext
Key(Optional)
Encryption Decryption
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
19
20
21
12/26/2019
8
Symmetric vs. Asymmetric
22
Encryption Decryption OriginalPlaintextPlaintext Ciphertext
(a) Symmetric Cryptosystem
DecryptionKey
Encryption Decryption OriginalPlaintextPlaintext Ciphertext
EncryptionKey
(b) Asymmetric Cryptosystem
Key
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Stream Ciphers
23
Encryption
Key(Optional)
Plaintext Ciphertext
…ISSOPMI wdhuw…
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Block Ciphers
24
IH
Key(Optional)
Plaintext Ciphertext
.. XN OI TP ES
pobaqckdem..
Encryption
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
22
23
24
12/26/2019
9
Stream vs. Block
Stream Block
Advantages Speed of transformation
Low error propagation
High diffusion Immunity to
insertion of symbol
Disadvantages Low diffusion Susceptibility to
malicious insertions and modifications
Slowness of encryption
Padding Error
propagation
25
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
DES: The Data Encryption Standard• Symmetric block cipher
• Developed in 1976 by IBM for the US National Institute of Standards and Technology (NIST)
26
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
AES: Advanced Encryption System
• Symmetric block cipher
• Developed in 1999 by independent Dutch cryptographers
• Still in common use
27
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
25
26
27
12/26/2019
10
DES vs. AES
28
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Public Key (Asymmetric) Cryptography
• Instead of two users sharing one secret key, each user has two keys: one public and one private
• Messages encrypted using the user’s public key can only be decrypted using the user’s private key, and vice versa
29
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Secret Key vs. Public Key Encryption
30
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
28
29
30
12/26/2019
11
Public Key to Exchange Secret Keys
31
4. , 5
a bc 6de f
9wx yz
8tuv
7pq rs
Bill, give me your public key
Here is my key, Amy
1
2
3 Here is a symmetric key we can use
6 m no
5 jkl
1 .,
2a b
c
3d e
f
9w x
y z
8tu
v
7 pqr s
4g
hi
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Key Exchange Man in the Middle
32
Bill, give meyour public key
1
Here is my key, Amy 2
3a Here is another symmetric k ey
No, give it to me1a
Here is the middle’s key 2a
Here is the symmetric key3
4
.,
5
ab c
6
d
e
f
9
wxy z
8
t uv
7
pqr s
6m
no5j
kl1
.
,
2ab
c
3d
ef
9wx
yz8tuv7
pqrs 4ghi
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Error Detecting Codes
• Demonstrates that a block of data has been modified
• Simple error detecting codes:• Parity checks
• Cyclic redundancy checks
• Cryptographic error detecting codes:• One-way hash functions
• Cryptographic checksums
• Digital signatures
33
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
31
32
33
12/26/2019
12
Parity Check
34
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
One-Way Hash Function
35
Encrypted forauthenticity
M
Hashfunction
Messagedigest
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Digital Signature
36
Mark onlythe sendercan make
Authentic Unforgeable
Mark fixedto
document
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
34
35
36
12/26/2019
13
Certificates: Trustable Identities and Public Keys
• A certificate is a public key and an identity bound together and signed by a certificate authority.
• A certificate authority is an authority that users trust to accurately verify identities before generating certificates that bind those identities to keys.
37
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Certificate Signing and Hierarchy
38
Name: DianaPosition: Division ManagerPublic key: 17EF83CA .. .
Diana creates and delivers to Edward:
Edward adds:
Edward signs with his private key:
Name: DianaPosition: Division ManagerPublic key: 17EF83CA .. .
hash value128C4
Name: DianaPosition: Division ManagerPublic key: 17EF83CA ...
hash value128C4
Which is Diana’s ce rtificate.
Name: DelwynPosition: Dept ManagerPublic key: 3AB3882C .. .
Delwyn creates and delivers to Diana:
Diana adds:
Diana signs with her private key:
Name: DelwynPosition: Dept ManagerPublic key: 3AB3882C .. .
hash value48CFA
And appends her certificate:
Which is Delwyn’s certificate.
Name: DianaPosition: Division ManagerPublic key: 17EF83CA .. .
hash value128C4
To create Diana’s certificate: To create Delwyn’s certificate:
Name: DelwynPosition: Dept ManagerPublic key: 3AB3882C .. .
hash value48CFA
Name: DelwynPosition: Dept ManagerPublic key: 3AB3882C .. .
hash value48CFA
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Cryptographic Tool Summary
39
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
37
38
39
12/26/2019
14
Summary
• Users can authenticate using something they know, something they are, or something they have
• Systems may use a variety of mechanisms to implement access control
• Encryption helps prevent attackers from revealing, modifying, or fabricating messages
• Symmetric and asymmetric encryption have complementary strengths and weaknesses
• Certificates bind identities to digital signatures
40
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
40