Professional Documents
Culture Documents
Information Security
The requirements of information security within organizations have undergone two major changes:
The introduction of shared systems such as time-shared and/or systems that can be accessed over the public telephone or data network. The introduction of distributed systems and the use of networks and communications facilities for carrying data between terminal user and computer and between computer and computer.
3. Disavow responsibility or liability for information the cheater did originate 4. Claim to have received from some other user information that the cheater created (i.e., fraudulent attribution of responsibility or liability).
6
10
Internet Security
Our focus is on Internet Security It consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information We need systematic way to define requirements Consider three aspects of information security:
security attack security mechanism security service
11
Security Attacks
12
Security Attack
Any action that compromises the security of information owned by an organization Information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems Should include a wide range of attacks Can focus of generic types of attacks Note: often threat & attack mean same
13
Interception
Attack on confidentiality
Modification
Attack on integrity
Fabrication
Attack on authenticity
14
Normal Flow
Normal Flow is the flow of information from an information source, such as a file, or a region of main memory, to a destination, such as another file or user.
Information Source
Information Destination
15
Interruption
An asset of the system is destroyed or becomes unavailable or unusable.
This is an attack on availability.
Examples: The destruction of hardware, the cutting of a communication line, or the disabling of the file management system.
Information Source
Information Destination
16
Interception
An unauthorized party gains access to an asset.
This is an attack on confidentiality.
The unauthorized party could be a person, a program, or a computer. Examples: Wiretapping to capture data in a network and the unauthorized copying of files or programs.
Information Source
Information Destination
Unauthorized Party
17
Modification
An unauthorized party not only gains access to but tampers with an asset.
This is an attack on integrity.
Examples: Changing values in a data file, altering a program so that it performs differently, or modifying the content of messages being transmitted in a network.
Information Source
Information Destination
Unauthorized Party
18
Fabrication
An unauthorized party inserts counterfeit objects into the system.
This is an attack on authenticity.
Examples: The insertion of spurious (fake) messages in a network or the addition of records to a file.
Information Source
Information Destination
Unauthorized Party
19
Passive Attacks
Passive attacks eavesdrop or monitor the transmission. Goal: To obtain transmitted information Two types of passive attacks:
1. Release of contents: A telephone conversation, an electronic mail message, or confidential information. 2. Traffic analysis: Using the location and identities of hosts and the frequency and length of messages to determine the type of communication taking place.
Passive attacks are difficult to detect since they do not involve any alteration of data. The emphasis is on prevention rather than detection.
20
Active Attacks
Active attacks may modify of the data stream or create a false stream. Four Types of active attacks:
1. Masquerade: takes place when one entity pretends to be a different entity. This form usually includes one of the other forms of active attack. 2. Replay: involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect. 3. Modification: occurs when an unauthorized party gains access to and tampers with an asset. This is an attack on integrity. 4. Denial of service: prevents or inhibits the normal use or management of communications facilities.
21
Security Mechanisms
22
23
Security Services
24
25
Security Services
Confidentiality is the protection of transmitted data from passive attacks. Authentication is concerned with assuring that a communication is authentic. Integrity assures that messages are received as sent.
A connection-oriented integrity service should assure that there are no duplicates, insertions, deletions, modifications, reordering, or replays. A connectionless integrity service deals only with an individual message.
26
27
SSL
Signatures Encryption
Hashing Mechanisms
SHA1 MD5
DSA
RSA
RSA
DEA
Algorithms
Mechanism-Service Relationship
29
Security Model
30
31
32
33
Additionally, in some cases a trusted third party may be used for distributing the secret information or arbitrating disputes between the two parties over authenticity.
34
35
36
Internet Standards
Internet Society is responsible for the development and publication of standards for use over the Internet. Internet Society is a professional membership organization. Internet Society is involved in Internet development and standardization. Internet Society is the coordinating committee for Internet design, engineering, and management.
37
38
39
40
41