Security Matters
V.T. Raja, Ph.D.,
Oregon State University
Security Matters
• Outline
– Summary
– Example to illustrate RSA Algorithm
– A framework to help managers understand their role in security
Summary from first lecture on Security
• Characteristics of Secure Communication
• Perfect security – a myth or a reality?
• Ciphers and Cryptography
• Authentication (ap 1.0 - ap 5.0)
Characteristics of Secure Communication
Cryptography
• Ciphers
– Caesar, Monoalphabetic, Polyalphabetic
• Symmetric Key Cryptography (SKC)
– Basic idea of SKC
– Notation for symmetric key
– Some popular SKC algorithms
– Sharing of symmetric key
Public Key Cryptography (PKC)
• Basic idea of PKC
• Notation for private/public key pair and plain text message
• RSA Algorithm
• Sharing public key
– Sender/Receiver Authentication
– Man (Woman) in the middle attack
RSA Algorithm
• How does RSA work?
• Class Participation Exercise on RSA application
• Why does RSA work?
(See additional handouts for answers)
Example to illustrate RSA Algorithm: Participation Exercise
• Background:
– Bob has selected the prime numbers p and q as 5 and 7 respectively.
– Bob has selected e to be the number 5.
– Alice and Bob interpret each letter in the English alphabet as a number between 1 and 26. That is, a = 1, b = 2, …, n = 14, …, z = 26.
– Alice wishes to send the plaintext “love” to Bob, after encrypting using RSA.
• Questions:
– Compute Bob’s public key using RSA.
– Determine Alice’s cipher text using RSA algorithm.
RSA Algorithm
• Even for small p and q, as seen in the participation exercise, we had to deal with extremely large numbers.
• If we follow the suggestion of RSA labs and select p and q to be several hundred bits long, then the following practical issues come to mind:
– How to choose large prime numbers p and q?
– How to choose e and d?
– How to perform exponentiation with large numbers?
(For those who are interested in this area, refer to Kaufman 1995 for answers to the above mentioned questions).
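The participation exercise worked through in Python, as an added example that is not part of the lecture or its handouts. It uses the slide's values (p = 5, q = 7, e = 5, a = 1 … z = 26); the function names are hypothetical, and `modexp` shows square-and-multiply, one standard answer to the question of exponentiation with large numbers.

```python
# Added worked example (not from the lecture or its handouts).
from math import gcd


def modexp(base, exp, mod):
    """Square-and-multiply: base**exp % mod without ever forming base**exp."""
    result = 1
    base %= mod
    while exp > 0:
        if exp & 1:                     # low bit of the exponent is set
            result = (result * base) % mod
        base = (base * base) % mod      # square for the next bit
        exp >>= 1
    return result


def make_keys(p, q, e):
    """Return (public, private) = ((n, e), (n, d)) for primes p and q."""
    n = p * q
    z = (p - 1) * (q - 1)               # Euler's totient of n
    if gcd(e, z) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    d = pow(e, -1, z)                   # modular inverse: e*d = 1 (mod z)
    return (n, e), (n, d)


def letters_to_numbers(text):
    """a = 1, b = 2, ..., z = 26, as agreed by Alice and Bob."""
    return [ord(ch) - ord("a") + 1 for ch in text.lower()]


def numbers_to_letters(nums):
    return "".join(chr(m + ord("a") - 1) for m in nums)


def encrypt(text, public):
    n, e = public
    return [modexp(m, e, n) for m in letters_to_numbers(text)]


def decrypt(cipher, private):
    n, d = private
    return numbers_to_letters(modexp(c, d, n) for c in cipher)


if __name__ == "__main__":
    public, private = make_keys(p=5, q=7, e=5)
    cipher = encrypt("love", public)
    print("Bob's public key (n, e):", public)
    print("Bob's private key (n, d):", private)
    print("Ciphertext for 'love':", cipher)
    print("Decrypted:", decrypt(cipher, private))
    # The naive route forms the full power first, e.g. 22**5 = 5153632,
    # which is why hand calculation grows so quickly.
    print("22**5 =", 22 ** 5, "-> mod 35 =", 22 ** 5 % 35)
```

With these toy parameters d comes out equal to e, and two of the four letters encrypt to themselves, which is one reason such small moduli are for illustration only.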
RSA and DES/AES
• DES is at least 100 times faster than RSA.
• In practice, RSA is often used in combination with DES or AES. How?
(Alice encrypts DES key with Bob’s public key. Bob decrypts and obtains DES key with his private key. The data is encrypted using DES key, which now both Alice and Bob have access to in order to encrypt/decrypt data).
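The combination described above, as an added example that is not from the lecture: Alice wraps a fresh 16-byte session key with Bob's public key and encrypts the bulk data symmetrically. Assumptions: the RSA key is a constructed toy key built from two Mersenne primes with no padding, and a SHA-256 keystream stands in for DES/AES so the example runs with the standard library only; all function names are hypothetical.

```python
# Added example: hybrid encryption flow with toy parameters (not production crypto).
import hashlib
import secrets

# Constructed toy RSA key for Bob, built from two known Mersenne primes.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for DES/AES: XOR data with SHA-256(key || nonce || counter)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hashlib.sha256(key + nonce + counter).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def alice_send(message: bytes, bob_public):
    """Alice: fresh session key, RSA on the key only, fast cipher on the data."""
    n, e = bob_public
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)   # slow step, 16 bytes
    nonce = secrets.token_bytes(12)
    return wrapped, nonce, keystream_xor(session_key, nonce, message)


def bob_receive(wrapped, nonce, ciphertext, n, d):
    """Bob: recover the session key with his private key, then decrypt the data."""
    session_key = pow(wrapped, d, n).to_bytes(16, "big")
    return keystream_xor(session_key, nonce, ciphertext)


if __name__ == "__main__":
    message = b"constructed sample order record " * 8
    wrapped, nonce, ciphertext = alice_send(message, (N, E))
    print("RSA handled", 16, "bytes; symmetric cipher handled", len(message))
    print("round trip ok:", bob_receive(wrapped, nonce, ciphertext, N, D) == message)
```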
Security of RSA
• The security of RSA relies on the fact that there are no known algorithms for quickly factoring a number (n), into the primes p and q. If one knew p and q, then given e, one could then easily compute the secret key d. It is not known whether or not there exist fast algorithms for factoring a number, and in this sense the security of RSA is not guaranteed.
Authentication
• ap 1.0
• ap 2.0
• ap 3.0
• ap 3.1
• ap 4.0
• ap 5.0
Authentication
• ap 1.0
– Alice announces to Bob, “I am Alice.”
• Trudy could have sent this message.
• ap 2.0
– Alice announces to Bob, “I am Alice”, and asks Bob to authenticate her by matching source IP (in IP header) with Alice’s IP.
• Trudy could have sent this message if she had done IP spoofing.
Authentication
• ap 3.0
– Alice announces to Bob, “I am Alice”, and asks Bob to authenticate her by verifying her plaintext password.
• Trudy may have already eavesdropped earlier, and stolen Alice’s plaintext password during an earlier conversation between Alice and Bob. Now, Trudy could send the message, “I am Alice” by using Alice’s plaintext password.
• ap 3.1
– Alice announces to Bob, “I am Alice”, and asks Bob to authenticate her by verifying her encrypted password, which is kept the same for different communication sessions between Bob and Alice.
• Same disadvantage mentioned in ap 3.0 still exists. Note that Trudy need not decrypt the password. She could still eavesdrop, steal encrypted password, and then perform a “playback attack” on Bob.
Authentication
• ap 4.0
– Alice announces to Bob, “I am Alice.”
– Bob sends a plaintext nonce (= r) to Alice.
• Note that nonce is a one time value that is specific to that communication session. It is not repeated again in another session. So “playback attack” is not possible.
– Alice resends same nonce back to Bob but this time nonce is encrypted with symmetric key used by Alice and Bob.
– Bob decrypts nonce using symmetric key. If decrypted nonce equals the nonce he sent Alice earlier (i.e. decrypted nonce = r), then Alice is authenticated.
– However, this implies that Alice and Bob must have decided upon and exchanged their symmetric key.
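Why the nonce in ap 4.0 defeats the playback that works against ap 3.1, as an added example that is not from the lecture. Assumption: HMAC-SHA256 under the shared key stands in for the slide's "encrypt with the symmetric key" step, so Bob recomputes and compares instead of decrypting; class and function names are hypothetical.

```python
# Added example contrasting ap 3.1 with ap 4.0 (all names are hypothetical).
import hashlib
import hmac
import secrets

SHARED_KEY = secrets.token_bytes(32)    # symmetric key Alice and Bob agreed on


def protect(key: bytes, data: bytes) -> bytes:
    """Keyed transform standing in for 'encrypt with the symmetric key'."""
    return hmac.new(key, data, hashlib.sha256).digest()


class BobAp31:
    """ap 3.1: accepts the same protected password in every session."""

    def __init__(self, key, password):
        self.expected = protect(key, password)

    def authenticate(self, token: bytes) -> bool:
        return hmac.compare_digest(token, self.expected)


class BobAp40:
    """ap 4.0: issues a fresh nonce r per session and checks the response to r."""

    def __init__(self, key):
        self.key = key
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def authenticate(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        r, self.pending = self.pending, None    # a nonce is good for one attempt
        return hmac.compare_digest(response, protect(self.key, r))


def run_sessions():
    results = {}
    # ap 3.1: the token Alice sends is identical in every session.
    bob31 = BobAp31(SHARED_KEY, b"alice-password")      # constructed sample password
    captured = protect(SHARED_KEY, b"alice-password")   # seen on the wire by Trudy
    results["ap3.1 alice"] = bob31.authenticate(captured)
    results["ap3.1 replay"] = bob31.authenticate(captured)

    # ap 4.0: the response recorded in session 1 is tied to nonce r1 only.
    bob40 = BobAp40(SHARED_KEY)
    r1 = bob40.challenge()
    recorded = protect(SHARED_KEY, r1)                  # Alice's genuine response
    results["ap4.0 alice"] = bob40.authenticate(recorded)
    bob40.challenge()                                   # new session, new nonce
    results["ap4.0 replay"] = bob40.authenticate(recorded)
    return results


if __name__ == "__main__":
    for label, accepted in run_sessions().items():
        print(f"{label}: {'accepted' if accepted else 'rejected'}")
```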
Authentication
• ap 5.0
– Alice announces to Bob, “I am Alice.”
– Bob sends a plaintext nonce (= r) to Alice.
• Since nonce is a one-time value, “playback attack” is not possible.
– Alice resends same nonce back to Bob but this time nonce is encrypted with Alice’s private key.
– Bob decrypts nonce using Alice’s public key. If decrypted nonce equals the nonce he sent Alice earlier (i.e. decrypted nonce = r), then Alice is authenticated.
Exchanging Public Keys
• Why should public key be publicly available?
• Wouldn’t it be better for Alice and Bob to exchange their respective public keys via e-mail, after authenticating each other?
– Due to possibility of “man (woman) in the middle attack.”
Man (Woman) in the Middle Attack
• Alice transmits, “I am Alice.”
• Trudy (alias Eve) eavesdrops.
• Bob sends a nonce = r.
• Trudy intercepts nonce, and sends Bob encrypted nonce (encrypted using her private key).
• Bob sends a message to Alice asking her for a public key.
• Trudy intercepts message, and sends Bob Trudy’s public key.
• Bob decrypts nonce with Trudy’s public key (thinking that he is using Alice’s public key), and inadvertently authenticates Trudy.
• While Bob is encrypting new data using Trudy’s public key, Trudy is busy posing as Bob to Alice. In particular,
– Trudy transmits Bob’s nonce to Alice
– Alice transmits encrypted nonce (encrypted using Alice’s private key).
– Trudy intercepts encrypted nonce, and asks Alice for her public key.
– Alice sends her public key
Man (Woman) in the Middle Attack
• Bob sends encrypted data (encrypted using Trudy’s public key)
• Trudy decrypts using her private key, and finds out Bob’s plain text.
• Trudy encrypts Bob’s plain text using Alice’s public key.
• Trudy transmits encrypted text to Alice.
• Alice decrypts using her private key, and finds out Bob’s plain text.
• Alice and Bob are happy that they have had a secure communication. They are ignorant of the fact that Trudy has intercepted and decrypted Bob’s message to Alice.
Public Key Certification
• PK cryptography – possible for two entities to exchange secret messages without having to exchange secret keys.
• Communicating entities have to exchange public keys (without being subject to “man in the middle attack”).
• Binding a public key to a particular entity is typically done by a Certification Authority (CA).
Certification Authority
• A CA verifies that an entity is who it claims to be.
• After verification, CA creates a certificate that binds the public key to appropriate entity.
• Certificate
– includes a public key
– includes globally unique identifying information about owner of the public key
– is digitally signed by CA
Digital Signatures and Message Digests
• Assume Bob wants to digitally sign a “document,” m.
• Bob’s digital signature could be $K_B^-(m)$
• Due to complexity of RSA, digital signatures are applied to “fingerprints” instead of being applied to message m.
• Fingerprint – H(m) – where H denotes a “hash algorithm”
• Bob’s digital signature is $K_B^-(H(m))$
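How a CA-signed certificate closes the gap in ap 5.0 that the man (woman) in the middle slides exploit, as an added example that is not from the lecture; signatures are applied to the fingerprint H(m) as described above. Assumptions: the three RSA keys are constructed toy keys built from Mersenne primes, the certificate is a plain dictionary, and every function name is hypothetical.

```python
# Added example: ap 5.0 with and without a CA-certified public key.
# All keys are constructed toy values; names and structures are hypothetical.
import hashlib
import secrets

E = 65537


def keypair(p, q):
    """Toy RSA key from two known Mersenne primes (illustration only)."""
    n = p * q
    return {"n": n, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}


def H(data: bytes, n: int) -> int:
    """Fingerprint H(m), reduced so it fits under the modulus n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, key) -> int:
    return pow(H(data, key["n"]), key["d"], key["n"])       # K^-(H(m))


def verify(data: bytes, sig: int, n: int, e: int) -> bool:
    return pow(sig, e, n) == H(data, n)                     # K^+(sig) == H(m)?


ALICE = keypair(2**61 - 1, 2**127 - 1)
TRUDY = keypair(2**89 - 1, 2**107 - 1)
CA = keypair(2**521 - 1, 2**607 - 1)


def cert_body(name, n, e) -> bytes:
    return f"{name}|{n}|{e}".encode()


def issue_cert(name, key, issuer=CA):
    """The issuer binds a name to a public key and signs the binding."""
    sig = sign(cert_body(name, key["n"], key["e"]), issuer)
    return {"name": name, "n": key["n"], "e": key["e"], "sig": sig}


def bob_naive(claimed_name, responder):
    """ap 5.0 as on the slide: Bob uses whatever public key he is handed.
    claimed_name is never checked against anything, which is the flaw."""
    r = secrets.token_bytes(16)                   # Bob's nonce
    response = sign(r, responder)                 # made with responder's private key
    return verify(r, response, responder["n"], responder["e"])


def bob_with_cert(claimed_name, responder, cert):
    """Bob takes the public key only from a CA-signed certificate for that name."""
    body = cert_body(cert["name"], cert["n"], cert["e"])
    if not verify(body, cert["sig"], CA["n"], CA["e"]):
        return False                              # not signed by the CA
    if cert["name"] != claimed_name:
        return False                              # certificate names someone else
    r = secrets.token_bytes(16)
    response = sign(r, responder)
    return verify(r, response, cert["n"], cert["e"])


def scenarios():
    return {
        "naive, Trudy claims to be Alice": bob_naive("alice", TRUDY),
        "cert, genuine Alice": bob_with_cert("alice", ALICE, issue_cert("alice", ALICE)),
        "cert, Trudy shows her own cert": bob_with_cert("alice", TRUDY, issue_cert("trudy", TRUDY)),
        "cert, Trudy shows Alice's cert": bob_with_cert("alice", TRUDY, issue_cert("alice", ALICE)),
        "cert, Trudy self-signs as Alice": bob_with_cert(
            "alice", TRUDY, issue_cert("alice", TRUDY, issuer=TRUDY)),
    }


if __name__ == "__main__":
    for label, accepted in scenarios().items():
        print(f"{label}: {'accepted' if accepted else 'rejected'}")
```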
Message Digests
• Message Digest (Hash) algorithms:
– MD5; SHA-1; SHA-224; SHA-256; SHA-384; SHA-512
• Secure Hash Algorithm is a U.S. federal standard
• Required for use whenever a secure message digest algorithm is required for federal applications
• Produces a 160-bit message digest.
• Longer the output length, the more secure SHA-1
• SHA-224, SHA-256, SHA-384, and SHA-512, despite the similarity of names, are actually fairly different algorithms from SHA-1 and have much wider safety margins.
Management’s Role in Security
A framework to help managers understand that security rests on three cornerstones
Three Cornerstones
• Technology
• Organization
• Critical Infrastructure
– Management should provide strong leadership in all three areas.
Cornerstone: Technology
• Have an understanding/appreciation of technology
– Firewalls
– IDS/IPS systems
– Antivirus/Security Patches
– Physical security
– Client/Server/Perimeter Security; Secure VPNs
– Evaluation of potential technology acquisitions based on their impact on security
– Symmetric and Public Key Cryptography
Example: DDoS attack on iPremier Company
• iPremier
– Sells luxury and rare high priced items on Internet
– Survived dot com implosion
– Customers have good credit history with high spending limits
– Experienced a DDoS on Web Server
– Ha Ha Ha! e-mails received by Help Desk
• Problems at Colocation facility: Qdata
• iPremier employees could not get access to Qdata’s Network Operations Center (NOC)
Questions
• About Qdata:
– Although an early entrant in the industry, Qdata lost any prospect of market leadership
– Had not been quick to invest in advanced technology
– Had experienced difficulty in retaining qualified staff
• Questions:
– If you were the CIO, how would you react to this situation?
– What implications does this situation have for the iPremier company?
iPremier Example (Continued)
• Unable to determine extent of damage (firewall penetrated? How deep is the penetration?)
• Unable to determine if customer data was stolen (CIO’s main immediate concern)
• Unable to track (in a reasonable time frame) where ‘Ha, ha, ha’ e-mails received by “support” folks are originating
– Even if e-mail is tracked eventually – leads to another “Zombie
iPremier’s Response to Attack: Very Poor
• Try to shut down traffic from “Zombies” – didn’t work – for every zombie that was shut down – two new zombies joined the “party” automatically
• Shut down Web Server?
• Cost of downtime?
Imperative Need for Secure Communication: Cost of downtime
iPremier’s Response to Attack: Very Poor
• Unable to determine if they should “disconnect the communication lines”
– Initially CIO and CTO had discussion – may lose logging data that could help them figure out what happened (preserving evidence to find root cause of problem; and what to disclose publicly)
– Later concluded that detailed logs had not been enabled
• Unable to determine if they should call “Seattle Police” or “FBI”
iPremier’s Response to Attack: Very Poor
• How to handle PR (before info about security breach leaks out)?
• Unable to decide if all systems need to be rebuilt
• Worst is over? Damage has been done?
• Attack stopped after about 75 minutes – without any intervention from iPremier or from Qdata!
• FBI Calls iPremier?
• Would system rebuild imply wiping out any remaining proof of iPremier’s innocence?
Some Business Implications for iPremier
• Web server unavailable to legitimate customers
• Cost of downtime?
• Bad reputation for the business
• Lost customers
• Loss of customer goodwill
• Legal issues if customer data was compromised
Some Business Implications for iPremier
• Impact on stock price
• Unknown damages to the network/business?
• What if there was another attack?
Cornerstone: Organization
• Organizational characteristics – typically under the control of organization
– Structure
– Business environment
– Culture
– Policies and Responses
– Standard Operating Procedures
– Education, Training, and Awareness
Management’s Role in Security
• Realize that total/perfect security is a myth
• Act appropriately, recognizing that security rests on three cornerstones
• Critical Asset Identification
• Initial Risk Assessment
• Risk Assessment as a continuous process
Management’s Role in Security
• Creating a security team
• Initiate and actively participate in planning/design/documentation/testing of security policy
• Actively involved in establishing standard operating procedures
Management’s Role in Security
• Developing and maintaining an appropriate organizational culture
• Ensure employees are educated and trained regarding importance of following security policy
• Have an understanding of what each security tool proposed by IT team can do or cannot do
Management’s Role in Security
• Have a good control environment
– Physical controls
– Data/Content control
– Implementation control (outsourcing)
– Operations/Administrative Control
– Application Controls specific to individual system components/applications (e.g., Limiting e-mail attachments)
Cornerstone: Critical Infrastructure
• Infrastructures that are so vital that their damage or destruction would have a debilitating impact on the physical or economic security of the country
– Telecommunications
– Banking
– Energy
Why should government/academic institutions/industry collaborate?
• In each other’s interest
– CI in large part is owned by the private sector, used by both private and public sectors, and protected in large part by public sector.
• Need to discuss problems and exchange ideas and solutions to cyber attacks/misuse
• Resource/cost/information sharing
• Opportunity to play a role in the evolution of “best practices”
• Help shape legal and government policies in areas of mutual concerns; Appropriate guidance for rapid additional protection measures
CERT
Source: http://www.us-cert.gov/
What does CERT do?
Imperative Need for Secure Communication: Reported Security Incidents up to 1995
Source: CERT.ORG
Reported Security Incidents 1995 – 2003
Source: http://www.cert.org/present/cert-overview-trends/module-1.pdf
Why have cyber attacks been on the rise? Some reasons
Management’s Role in Security
• Recognize that security requires an end-to-end view of business processes
• Achieve a balanced approach to security – one that does not solely focus on technological solutions
• Recognize that security is a socio-technical issue, and requires strong leadership from management
Management’s Role in Security
• Management ties everything together
• Responsibility
• Ownership
[Diagram labels: Technology, Infrastructure, Organization, Management]
Security is a Mindset, not a service. It must be a part of all decisions and implementations.
• Apply the Dutta/McCrohan framework and help iPremier’s management react appropriately to the security incident.