Professional Documents
Culture Documents
Introduction
David Gray
School of Computer Applications
DCU
david.gray@computing.dcu.ie
September 20, 2010
1. http://ca413.computing.dcu.ie
• Lecture notes, etc. are available from this WEB site.
2. http://honey.computing.dcu.ie
• Bulletin Board.
Housekeeping
• There is no essential textbook.
• However, there is a collection of useful books in the library.
• In addition, the WWW is a good source of information.
• Study work may be carried out in groups. For example, different members can research different topics.
• However, you are expected to know the material for the continuous assessment and the written exam.
• You will need to register with the WEB site using your student ID.
• You will also need to register with the module bulletin board.
– All general questions should be asked on the bulletin board.
– I will only respond to e-mails that are of a personal nature.
• The WEB site & bulletin board are new, so there may be some teething problems.
Module Structure
Lectures:
• 2 lectures per week for 12 weeks.
• Copies of all the slides are on the WEB site.
• References to other material are also on the WEB site.
Continuous Assessment (CA):
• There will be a number of pieces of practical work that you must undertake.
– All this work is examinable.
• The practical work must be undertaken using either Java or Go.
1
CA413: Introduction 2
Module Material
• This is the first year that CA413 has been presented in Semester One.
Module Outline
We will cover three main areas:
1. Cryptography
• We will treat ciphers & hash functions as black boxes.
• How they work is covered in CA416.
• We are interested in using ciphers & hash in protocols.
2. Security Protocols
• Abstract view of security protocols.
• We are interested in analyzing and fixing weaknesses.
3. Real-world Protocols
• How security protocols are used in practice.
Some Definitions
Threat: the potential for the occurrence of a harmful event such as an attack.
Attack: an action taken against a target with the intention of doing harm.
Vulnerability: a weakness that makes targets susceptible to an attack.
Attacks
• There are two basic types of attack:
– Passive
– Active
Trust
Security Policies
• To build a secure system we need to:
– Assess threats.
. What threats exist?
. What is the cost if there is a successful attack?
– Identify trusted components.
– Determine appropriate security mechanisms to counter threats.
. What mechanisms will work and what will they cost?
. How will these various mechanisms work together?
– Define procedures to ensure the correction operation of the system.
– Define review and audit mechanisms.
...
Security Objectives
• Confidentiality (Privacy)
– Keeping information secret from those not entitled to see it.
• Identification & Authentication
– Identification & Authentication go hand-in-hand
. There is no point authenticating an unknown entity.
. There is no use identifying an entity if you cannot authenticate them.
– Entity Authentication
. Ensuring that the purported identity of an entity is correct.
– Message Authentication (Origin Authentication)
Types of Security
• Physical Security
– Most security is based on ensuring that the physical access to resources is restricted.
– Large amounts of money are normally stored in safes.
– Shared computer and network equipment is normally locked in secure rooms.
• Secrecy
– By keeping the existence or details of a system secret, then it may be more secure.
• Personnel Security
– Personnel who build and operate secure systems need to be trusted.
– Many organizations (in particular, national security organizations) vet their staff to ensure that
they can be trusted.
– The most serious (and costly) attacks on systems are normally insider attacks by trusted personnel.
• IT Security
– Non-cryptographic mechanisms used in computers, networks, etc..
. Passwords, PINs, ...
. Access controls, e.g., file access controls used in operating systems such as UNIX.
. Secure network addresses, e.g., X.25 addresses, telephone numbers,
. ...
• Cryptographic Security
– Mechanisms based on the use of cryptography.
– Stronger than simple IT security mechanisms.
– The classic example is military security were adversaries continually try to develop better
ways of attacking each others systems.
– The security of credit cards is continually being improved as threats increase.
5. Prevention verses Detection.
• The ideal is to prevent attacks becoming successful.
• However, if the technology to prevent a successful attack does not exist or is too costly, then we
should at least try to detect successful attacks.
• Detecting passive attacks tends to be more difficult than detecting active attacks.
• Therefore, except for the most trivial of systems, there is no perfectly secure system.
• Is cryptography sufficient?
– No. Cryptography is necessary, but it is not sufficient.
– We still need to use other forms of security.
. We still need to make sure that networking equipment is physically secure.
. We still need to trust network operators (but to a much lesser extent).
. We still need to trust software.
. In particular, we need to trust cryptographic products.
. We need to protect cryptographic keys.
. ...