(go back)

1 Introduction to Security

Pillars of Security:

• Confidentiality
• Integrity
• Availability

3 Program Security

• virus
• trojan horse
• worm
• logic bomb

Non-Malicous Program Errors

• buffer overflows
• incomplete mediation
• time-of-check to time-of-use errors
• combination of flaws

Fault Tolerance Terminology

• Error: may lead to a fault
• Fault: deviation from intended function
• permanent: stays for the lifetime of the application
• transient: temporary, harder to diagnose
• Failure: system malfunction caused by a fault

4 Operating System Security

Key questions we ask are: Who are the subjects, and what are the objects?

Objects:

• Memory
• IO
• Programs
• Data

Who are the subjects?

5 Basic Cryptography

Basic Terms

1. Cyrptography
2. Cryptanalysis
3. Cryptology = Cryptography + Cryptanalysis

Basic Cryptography

• plaintext -> [encryption] -> ciphertext -> [decryption] -> original plaintext
• keyless
P is plaintext
C is ciphertext
C = E(P)
P = D(C)
• keyed
encryption / decryption keys
two types: symmetric, assymetric (public key)
P = D( K_d, E( K_e, P ) )

Cryptanalysis

• analysis of systems to understand their cryptographic attributes
• formally it is proven that a system can be designed on paper that is unbreakable; in practice, they can all be broken given enough time
• systems can be broken by brute force, but not commonly used

6 Basic Cipher Types

Substitution

• Caesar Cipher - shifts letters up by 3. Aka monoalphabetic substitution, because only 1 character substitution used throughout
• Easy to break because the key is too short! Better to use polyalphabetic substitution
• Polyalphabetic substitution: has multiple keys, alternates through them for each replacement; eg, a two-key system alternates keys every other character during encryption
• Attack Methods:
• exhaustive search
• statistical analysis

Transposition

• arranging the plaintext into columns, extracting a new order of characters from those columns (2 col's is called Rail-Fence)
• Attack Methods:
• anagramming

• confusion
• diffusion

Stream Ciphers

• problem: if a character is missing in the key, the decryption can be wrong

Block Cipher (better than stream)

• must wait to receive several more characters before decryptionting each subsequent cipher char
• block ciphers where receiver needs entire cipher before starting to decode, are Strong Block ciphers

7 Symmetric & Asymmetric Cryptosystems

Symmetric

• share 1 key between two parties
• problem: sharing the key securely

Asymmetric

• different keys for encryption and decryption, so no channel for sharing them
• public key encryption (PKE); public key is used
• private key(s) are used for decryption; public keys can encrypt

Nov 2: 7.2 Threats in Networks

Network Vulnerabilities

1. attacker anonymity