Ryerson Computer Science CPS633: Computer Security

(go back)

1 Introduction to Security

Pillars of Security:

  • Confidentiality
  • Integrity
  • Availability

3 Program Security

Malicious Code (common)

  • virus
  • trojan horse
  • worm
  • logic bomb

Non-Malicous Program Errors

  • buffer overflows
  • incomplete mediation
  • time-of-check to time-of-use errors
  • combination of flaws

Fault Tolerance Terminology

  • Error: may lead to a fault
  • Fault: deviation from intended function
    • permanent: stays for the lifetime of the application
    • transient: temporary, harder to diagnose
  • Failure: system malfunction caused by a fault

4 Operating System Security

Key questions we ask are: Who are the subjects, and what are the objects?

Objects:

  • Memory
  • IO
  • Programs
  • Data

Who are the subjects?

5 Basic Cryptography

Basic Terms

  1. Cyrptography
  2. Cryptanalysis
  3. Cryptology = Cryptography + Cryptanalysis

Basic Cryptography

  • plaintext -> [encryption] -> ciphertext -> [decryption] -> original plaintext
  • keyless
    P is plaintext
    C is ciphertext
    C = E(P)
    P = D(C)
  • keyed
    encryption / decryption keys
    two types: symmetric, assymetric (public key)
    P = D( K_d, E( K_e, P ) )

Cryptanalysis

  • analysis of systems to understand their cryptographic attributes
  • formally it is proven that a system can be designed on paper that is unbreakable; in practice, they can all be broken given enough time
  • systems can be broken by brute force, but not commonly used

6 Basic Cipher Types

Substitution

  • Caesar Cipher - shifts letters up by 3. Aka monoalphabetic substitution, because only 1 character substitution used throughout
  • Easy to break because the key is too short! Better to use polyalphabetic substitution
  • Polyalphabetic substitution: has multiple keys, alternates through them for each replacement; eg, a two-key system alternates keys every other character during encryption
  • Attack Methods:
    • exhaustive search
    • statistical analysis

Transposition

  • arranging the plaintext into columns, extracting a new order of characters from those columns (2 col's is called Rail-Fence)
  • Attack Methods:
    • anagramming

Product

Criteria for 'Good' Ciphers

  • confusion
  • diffusion

Stream Ciphers

  • problem: if a character is missing in the key, the decryption can be wrong

Block Cipher (better than stream)

  • must wait to receive several more characters before decryptionting each subsequent cipher char
  • block ciphers where receiver needs entire cipher before starting to decode, are Strong Block ciphers

7 Symmetric & Asymmetric Cryptosystems

Symmetric

  • share 1 key between two parties
  • problem: sharing the key securely

Asymmetric

  • different keys for encryption and decryption, so no channel for sharing them
  • public key encryption (PKE); public key is used
  • private key(s) are used for decryption; public keys can encrypt

8 RSA Encryption

Nov 2: 7.2 Threats in Networks

Network Vulnerabilities

  1. attacker anonymity

Message Confidentiality & Integrity