network security and surveillancesiva/talks/crypto-ips.pdf · offence: rfids and surveillance...
TRANSCRIPT
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and Surveillance
Network Security and Surveillance
G. Sivakumar
Computer Science and EngineeringIIT Bombay
October 29, 2004
1 Internet Security OverviewSome Puzzles
2 Defence: Cryptography
3 Offence: RFIDs and Surveillance
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and SurveillanceSome Puzzles
Internet’s Growth and Charter
Information AnyTime, AnyWhere, AnyForm, AnyDevice, ...WebTone like DialTone
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and SurveillanceSome Puzzles
Internet’s Dream
Why should a fridge be on Internet?
Will security considerations make this a nightmare?
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and SurveillanceSome Puzzles
What are Cyber crimes?
Against People
Cyber Stalking and Harrassment(Child) Pornography
Against Property
CrackingVirus and SpamSoftware/Entertainment Piracy
Cyber Terrorism!
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and SurveillanceSome Puzzles
Security Concerns
Match the following!Problems Attackers
Highly contagious viruses Unintended blundersDefacing web pages Disgruntled employees or customers
Credit card number theft Organized crimeOn-line scams Foreign espionage agents
Intellectual property theft Hackers driven by technical challengeWiping out data Petty criminalsDenial of service Organized terror groupsSpam E-mails Information warfare
Reading private files ...Surveillance ...
Crackers vs. Hackers
Note how much resources available to attackers.
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and SurveillanceSome Puzzles
Cyber Terrorism?
Some examples from http://cybercrimes.net/
1989: Legion of Doom group took over the BellSouth telephonesystem, tapped phone lines, re-routed calls, ...
1996: A white supremacist movement took out a Massachusettsinternet service provider
1997: A cracker disabled the computer system of an airport controltower at the Worcester, Mass. Airport.
1997: a hacker in Sweden jammed the 911 emergency telephonesystem all throughout west-central Florida.
1998: NASA, Navy, and Defence Department computers wereattacked.
2000: in Maroochy Shire, Australia, a disgruntled consultant hackedinto a waste management control system and released millions ofgallons of raw sewage on the town.
2001: Two post-graduate students cracked a bank system used bybanks and credit card companies to secure the personalidentification numbers of their customers accounts. [38]
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and SurveillanceSome Puzzles
Vulnerabilities
Application Security
Buggy codeBuffer Overflows
Host Security
Server side (multi-user/application)Client side (virus)
Transmission Security
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and SurveillanceSome Puzzles
Denial of Service
Small shop-owner versus Supermarket
What can the attacker do?
What has he gained orcompromised?
What defence mechanisms arepossible?
Screening visitors usingguards (who looksrespectable?)VVIP security, but do youwant to be isolated?
what is the Internet equivalent?
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and SurveillanceSome Puzzles
Security Requirements
Informal statements (formal is much harder)
Confidentiality Protection from disclosure to unauthorized persons
Integrity Assurance that information has not been modifiedunauthorizedly.
Authentication Assurance of identity of originator of information.
Non-Repudiation Originator cannot deny sending the message.
Availability Not able to use system or communicate when desired.
Anonymity/Pseudonomity For applications like voting, instructorevaluation.
Traffic Analysis Should not even know who is communicating withwhom. Why?
Emerging Applications Online Voting, Auctions (more later)
And all this with postcards (IP datagrams)!G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and SurveillanceSome Puzzles
Exchanging Secrets
Goal
A and B to agree on a secret number. But, C can listen to all theirconversation.
Solution?
A tells B: I’ll send you 3 numbers. Let’s use their LCM as the key.
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and SurveillanceSome Puzzles
Exchanging Secrets
Goal
A and B to agree on a secret number. But, C can listen to all theirconversation.
Solution?
A tells B: I’ll send you 3 numbers. Let’s use their LCM as the key.
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and SurveillanceSome Puzzles
Mutual Authentication
Goal
A and B to verify that both know the same secret number. Nothird party (intruder or umpire!)
Solution?
A tells B: I’ll tell you first 2 digits, you tell me the last two...
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and SurveillanceSome Puzzles
Mutual Authentication
Goal
A and B to verify that both know the same secret number. Nothird party (intruder or umpire!)
Solution?
A tells B: I’ll tell you first 2 digits, you tell me the last two...
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and Surveillance
Cryptography and Data Security
sine qua non [without this nothing :-]
Historically who used first? (L & M)
Code Language in joint families!
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and Surveillance
Symmetric/Private-Key Algorithms
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and Surveillance
Asymmetric/Public-Key Algorithms
Keys are duals (lock with one, unlock with other)Cannot infer one from other easilyHow to encrypt? How to sign?
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and Surveillance
One way Functions
Mathematical Equivalents
Factoring large numbers (product of 2 large primes)
Discrete LogarithmsG. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and Surveillance
Security Mechanisms
System Security: “Nothing bad happens to my computersand equipment”virus, trojan-horse, logic/time-bombs, ...
Network Security:Authentication Mechanisms “you are who you say you are”Access Control Firewalls, Proxies “who can do what”
Data Security: “for your eyes only”
Encryption, Digests, Signatures, ...
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and Surveillance
Security Mechanisms
System Security: “Nothing bad happens to my computersand equipment”virus, trojan-horse, logic/time-bombs, ...
Network Security:Authentication Mechanisms “you are who you say you are”Access Control Firewalls, Proxies “who can do what”
Data Security: “for your eyes only”
Encryption, Digests, Signatures, ...
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and Surveillance
Security Mechanisms
System Security: “Nothing bad happens to my computersand equipment”virus, trojan-horse, logic/time-bombs, ...
Network Security:Authentication Mechanisms “you are who you say you are”Access Control Firewalls, Proxies “who can do what”
Data Security: “for your eyes only”
Encryption, Digests, Signatures, ...
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and Surveillance
Network Security Mechanism Layers
Cryptograhphic Protocols underly all security mechanisms. RealChallenge to design good ones for key establishment, mutualauthentication etc.
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and Surveillance
What is RFID?
Not just super barcode.
Already in use by Andhra Pradesh police?
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and Surveillance
How RFID works
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and Surveillance
RFID Tags
Passive
Cheapest: no battery in tagAll power comes from reader
Semi Passive
With batteriesImproved performance and reliabilityIncreased size and cost
Active
High performance and costActive
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and Surveillance
Privacy Concerns
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and Surveillance
RFID Applications
Payment
Toll collectionFuel payment (Speedpass)ParkingPre-payment card (Dexit)
Supply Chain Mgmt
LogisticsInventory Mgmt
Asset Tracking
High value assetsRe-useable containersShipping containersInventory
Access Control
Card KeysAutomotive anti-theft
Anti-theft
ShrinkageAutomotive anti-theft
Track & Trace
FoodPharmaceuticalsBooksParts/lots trackingApparel
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance
Internet Security OverviewDefence: Cryptography
Offence: RFIDs and Surveillance
References
Books
TCP/IP Illustrated by Richard Stevens, Vols 1-3,Addison-Wesley.Applied Cryptography - Protocols, Algorithms, and SourceCode in C by Bruce Schneier, Jon Wiley & Sons, Inc. 1996Cryptography and Network Security: Principles and Practiceby William Stallings (2nd Edition), Prentice Hall Press; 1998.Practical Unix and Internet Security, Simson Garfinkel andGene Spafford, O’Reilly and Associates, ISBN 1-56592-148-8.
Web sites
www.cerias.purdue.edu (Centre for Education and Research inInformation Assurance and Security)www.sans.org (System Administration, Audit, NetworkSecurity)cve.mitre.org (Common Vulnerabilities and Exposures)csrc.nist.gov (Computer Security Resources Clearinghouse)www.vtcif.telstra.com.au/info/security.html
G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]
Network Security and Surveillance