8/30/2010 CS 686 Definition of Security/Privacy EJ Jung ejung@cs.usfca.edu CS 686 Special Topics in CS Privacy and Security

Upload: frederica-anderson

Post on 02-Jan-2016


Page 1: 8/30/2010CS 686 Definition of Security/Privacy EJ Jung ejung@cs.usfca.edu CS 686 Special Topics in CS Privacy and Security

8/30/2010 CS 686

Definition of Security/Privacy

EJ Jung ejung@cs.usfca.edu

CS 686 Special Topics in CS: Privacy and Security

Page 2

Announcements

Course Questionnaire and Consent Form

• No submission, no grades

Service Lab community partners are coming

Reading assignment in schedule

• read “ahead”

Page 3

Course questionnaire results

20 students

Previous courses

• 13 networks, 10 OS, 3 crypto, 1 security

Familiar technology

• 13 hash, 10 proxy, 9 SSL/TLS, 9 PKC, 3 TOR, 2 PGP, 1 IPsec

Page 4

Current challenging problems

Conflicting goals:

• privacy vs. utility, anonymity vs. authenticity

• safety vs. convenience, usability

• right to opt-out

• happy medium

Hackers

User education and admin education

Data sharing among many parties

Data leak from social networks

Page 5

Want to solve

Hacking prevention, Server protection, Data protection

Vulnerability (loophole) analysis and mitigation

Intrusion detection

• packet sniffing and monitoring

User education, usability

Malware, e.g. virus, key-loggers, prevention & detection

Identity theft, Phishing prevention/detection

Right to opt-out, Pay for privacy

Anonymity, Finding happy medium between anonymity and authenticity

• TOR

Security software development

Secure data sharing among multiple parties, Data tracing

Page 6

After this course

Become knowledgeable

Find vulnerabilities

Protect systems and websites

• without hurting performance and usability too much

Work as security specialist

Page 7

Henric Johnson 7

Attacks, Services and Mechanisms

Security Attack: Any action that compromises the security of information.

Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.

Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.

Page 8

Passive attack (1) - Eavesdrop

Code talkers

Page 9

Passive attack (2) - Analysis

Alexa

Page 10

Active attack (1) - impersonation

Impostors on Facebook

Page 11

Active (2) - replay

Page 12

Active (3) - intercept & modify

Page 13

Active (4) - DoS

Distributed DoS

Page 14

Summary of attacks

Henric Johnson 14

Page 15

Henric Johnson 15

Security Services

Confidentiality (privacy)

Authentication (who created or sent the data)

Integrity (has not been altered)

Non-repudiation (the order is final)

Access control (prevent misuse of resources)

Availability (permanence, non-erasure)

• Denial of Service Attacks

• Virus that deletes files

Page 16

[Figure: network diagram]

Attack on Authenticity

Authenticity is identification and assurance of origin of information

Unauthorized assumption of another’s identity

Page 17

[Figure: network diagram]

Attack on Confidentiality

Confidentiality is concealment of information

Eavesdropping, packet sniffing, illegal copying

Page 18

[Figure: network diagram]

Attack on Integrity

Integrity is prevention of unauthorized changes

Intercept messages, tamper, release again

Page 19

[Figure: network diagram]

Attack on Availability

Availability is ability to use information or resources desired

Overwhelm or crash servers, disrupt infrastructure
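The slides name the services (authenticity, integrity) and the attacks against them (impersonation, replay, intercept and modify) but not a mechanism that provides them. The following is an added example, not part of the CS 686 slides: a keyed MAC (HMAC-SHA256) over the message together with a strictly increasing sequence number, so that a modified message fails the tag check and a re-sent message fails the freshness check. The shared key, message bodies and the `tamper` helper are constructed for the demo.

```python
# Added example (not from the CS 686 slides): one mechanism that provides the
# authenticity and integrity services against the "intercept, tamper, release
# again" and replay attacks described on the slides: a keyed MAC (HMAC-SHA256)
# over the message plus a strictly increasing sequence number.
# Key and messages below are constructed for the demo.
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key-not-for-real-use"  # constructed sample key


def make_message(seq: int, body: str, key: bytes = SHARED_KEY) -> dict:
    """Sender: bind the sequence number and the body together under one tag."""
    payload = json.dumps({"seq": seq, "body": body}, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Receiver:
    """Receiver: verify the tag first (authenticity + integrity), then check
    freshness (replay). Rejections come back as reasons so they can be logged."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def accept(self, msg: dict) -> str:
        expected = hmac.new(self.key, msg["payload"].encode(), hashlib.sha256).hexdigest()
        # constant-time comparison: do not leak how many tag bytes matched
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad tag (forged or modified in transit)"
        seq = json.loads(msg["payload"])["seq"]
        if seq <= self.last_seq:
            return "rejected: replay (seq %d already seen)" % seq
        self.last_seq = seq
        return "accepted"


def tamper(msg: dict, new_body: str) -> dict:
    """Constructed helper: model an intercept-and-modify on the wire by changing
    the body while keeping the original tag."""
    data = json.loads(msg["payload"])
    data["body"] = new_body
    return {"payload": json.dumps(data, sort_keys=True), "tag": msg["tag"]}


def demo() -> list:
    """Run the four cases a receiver must handle and return its decisions."""
    rx = Receiver()
    m1 = make_message(1, "transfer 10 to bob")
    m2 = make_message(2, "transfer 5 to carol")
    return [
        rx.accept(m1),                                      # fresh, valid -> accepted
        rx.accept(m1),                                      # same message again -> replay
        rx.accept(tamper(m2, "transfer 500 to mallory")),   # modified in transit -> bad tag
        rx.accept(m2),                                      # the genuine m2 is still fresh
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note the limit of this mechanism against the services list on the Security Services slide: because sender and receiver share the same key, either of them could have produced the tag, so a MAC gives authentication and integrity but not non-repudiation ("the order is final"). That service needs a digital signature made with a private key only the signer holds.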

Page 20

Famous words

Encrypt and decrypt

Plaintext and ciphertext

• encrypt plaintext -> ciphertext

• decrypt ciphertext -> plaintext

• easy example: XOR

Digital signature

• as you sign on paper

• for non-repudiation and accountability

Session

• one conversation/communication unit
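The slide gives XOR as the easy example of encrypt and decrypt. The following is an added example, not part of the CS 686 slides, showing the plaintext/ciphertext round trip and the caveat that makes XOR secure only as a one-time pad: the key must be at least as long as the message and must never be reused, since XOR-ing two ciphertexts made under the same key cancels the key out and leaves the XOR of the two plaintexts. The sample plaintexts and the `new_key` helper are constructed for the demo.

```python
# Added example (not from the CS 686 slides): XOR as the "easy example" of
# encrypt/decrypt, plus the caveat that the key must cover the whole message
# and never be reused. Sample messages and key are constructed for the demo.
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """ciphertext = plaintext XOR key; the key must be at least as long as the
    plaintext, otherwise key bytes would have to be reused within one message."""
    if len(key) < len(plaintext):
        raise ValueError("key shorter than plaintext: would have to be reused")
    return xor_bytes(plaintext, key[: len(plaintext)])


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """XOR is its own inverse: (p XOR k) XOR k == p, so decrypt is encrypt."""
    return encrypt(ciphertext, key)


def new_key(length: int) -> bytes:
    """Constructed helper: a fresh random key for exactly one message
    (used once, this is a one-time pad)."""
    return secrets.token_bytes(length)


def key_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If c1 and c2 were made with the same key, c1 XOR c2 == p1 XOR p2: the key
    cancels out and an eavesdropper learns the relation between the plaintexts
    without ever seeing the key. This is why the pad is 'one-time'."""
    return xor_bytes(c1, c2)


def demo() -> dict:
    """Round trip once, then show what reusing the key gives away."""
    p1 = b"attack at dawn"   # constructed sample plaintext (14 bytes)
    p2 = b"retreat at six"   # constructed, same length
    key = new_key(len(p1))
    c1, c2 = encrypt(p1, key), encrypt(p2, key)   # same key twice: the mistake
    return {
        "roundtrip_ok": decrypt(c1, key) == p1,
        "reuse_reveals_plaintext_xor": key_reuse_leak(c1, c2) == xor_bytes(p1, p2),
    }


if __name__ == "__main__":
    print(demo())
```

The `demo` result is `True` for both entries: the round trip works, and the reused key has leaked `p1 XOR p2` to anyone holding both ciphertexts. Practical ciphers exist precisely because a key as long as the traffic, never reused, is rarely workable.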

Page 21

Model for Network Security

Page 22

Access Control Model
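The slide names the access control model but the transcript carries no content for it beyond the Security Services entry "access control (prevent misuse of resources)". The following is an added example, not part of the CS 686 slides: a minimal access-control matrix (subjects as rows, objects as columns, rights in the cells) with a default-deny decision function, and a request checker whose denials are the events a monitoring system would alert on. The subjects, objects and rights are constructed for the demo.

```python
# Added example (not from the CS 686 slides): a minimal access-control matrix
# with a default-deny check for the "access control (prevent misuse of
# resources)" service. Subjects, objects and rights are constructed for the demo.

# rows = subjects, columns = objects, cells = the rights that subject holds
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "web.log": {"read"}},
    "bob":   {"web.log": {"read", "append"}},
}


def is_allowed(subject: str, obj: str, right: str, matrix: dict = MATRIX) -> bool:
    """Default deny: anything not explicitly granted is refused, which covers
    unknown subjects, unknown objects and rights not in the cell."""
    return right in matrix.get(subject, {}).get(obj, set())


def check_requests(requests: list, matrix: dict = MATRIX) -> list:
    """Evaluate (subject, object, right) requests and return one decision record
    per request. Denied requests are what detection would alert on."""
    decisions = []
    for subject, obj, right in requests:
        verdict = "ALLOW" if is_allowed(subject, obj, right, matrix) else "DENY"
        decisions.append(f"{verdict} {subject} {right} {obj}")
    return decisions


def demo() -> list:
    """Constructed requests covering a grant, a missing right, and an unknown subject."""
    requests = [
        ("alice", "payroll.db", "write"),   # granted in the matrix
        ("bob", "payroll.db", "read"),      # bob has no cell for payroll.db
        ("bob", "web.log", "append"),       # granted in the matrix
        ("carol", "web.log", "read"),       # unknown subject: default deny
    ]
    return check_requests(requests)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point to carry from the example is the direction of the default: the matrix lists what is permitted, and every request that finds no matching cell is refused rather than allowed, so a missing row (a new user) or a missing column (a new resource) fails closed.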