invitation to computer science 5th edition › pic › courseitem › 3968_chapter08u.pdf ·...
Post on 06-Jun-2020
5 Views
Preview:
TRANSCRIPT
Invitation to Computer Science 5th Edition
Chapter 8
Information Security
CIA Triad of Information Security
Ensuring that data is
protected from
unauthorized access
Ensuring
that data
can be
modified
only by
appropriate
mechanisms
The degree to which authorized
users can access information for
legitimate purposes
Invitation to Computer Science, 6e 2
Information Security
• Rick Analysis
– Determining the nature and likelihood of the risks to key data
– Planning for information analysis requires risk analysis
– Goal is to minimize vulnerability to threats that put a system at the most risk
Invitation to Computer Science, 6e 3
Cryptography
• Cryptography
– The field of study related to encoded information (comes from Greek word for "secret writing")
• Encryption
– The process of converting plaintext into ciphertext
• Decryption
– The process of converting ciphertext into plaintext
Invitation to Computer Science, 6e 4
Cryptography
plaintext
message ciphertext
message
Encryption
Decryption
Encrypted(Information) cannot be read
Decrypted(Encrypted(Information)) can be
Invitation to Computer Science, 6e 5
Cryptography
• Cipher
– An algorithm used to encrypt and decrypt text
• Key
– The set of parameters that guide a cipher
– Neither is any good without the other
Invitation to Computer Science, 6e 6
Symmetric-Key Cryptography
• The general idea behind symmetric-key cryptography. Alice can send a message to Bob over an insecure channel with the assumption that an adversary, Eve, cannot understand the contents of the message by simply eavesdropping on the channel.
• The original message from Alice to Bob is referred to as plaintext; the message that is sent through the channel is referred to as the ciphertext. Alice uses an encryption algorithm and a shared secret key. Bob uses a decryption algorithm and the same secret key.
Invitation to Computer Science, 6e 7
Invitation to Computer Science, 6e 8
Cryptography
• Substitution cipher: A cipher that substitutes one character with another
– Caesar cipher
• A substitution cipher that shifts characters a certain number of positions in the alphabet
• Transposition ciphers
– A cipher that rearranges the order of existing characters in a message in a certain way (e.g., a route cipher)
Invitation to Computer Science, 6e 9
Caesar cipher
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Substitute the letters in the second row for the letters in the top row to encrypt a message
Ex:
Encrypt(COMPUTER) gives FRPSXWHU
Decrypt(Encrypt(COMPUTER)) gives COMPUTER
Why is this called the Caesar cipher? What is the key?
Invitation to Computer Science, 6e 10
Transposition Cipher
T O D A Y
+ I S + M
O N D A Y
Write the letters in a row of five, using '+' as a blank. Encrypt by starting spiraling inward from the top left moving counter clockwise
Ex:
Encrypt(TODAY IS MONDAY) gives T+ONDAYMYADOIS+
Decrypt by recreating the grid and reading the letters across the row
The key are the dimension of the grid and the route used to encrypt the data
What is the key?
Invitation to Computer Science, 6e 11
Cryptanalysis
Cryptanalysis
– The process of decrypting a message without knowing the cipher or the key used to encrypt it
– Substitution and transposition ciphers are easy for modern computers to break
– To protect information more sophisticated schemes are needed
Invitation to Computer Science, 6e 12
Modern symmetric-key ciphers
• Modern ciphers normally use a combination of substitution, transposition and some other complex transformations to create a ciphertext from a plaintext.
• Modern ciphers are bit-oriented (instead of character-oriented). The plaintext, ciphertext and the key are strings of bits.
• Example
– DES (Data Encryption Standard)
– AES
Invitation to Computer Science, 6e 13
DES
• DES is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST) in 1977.
• DES has been the most widely used symmetric-key block cipher since its publication.
Invitation to Computer Science, 6e 14
DES (continued)
• Symmetric encryption algorithm
• Designed for digital data: plaintext is binary string
• Uses 64-bit binary key (56 bits actually used)
• Sixteen rounds of same series of manipulations
• Decryption uses same algorithm, keys in reverse
• Fast and effective, but requires shared key, 56 bits is too small for modern technology
Invitation to Computer Science, 6e 15
DES (continued)
DES manipulations
• Split string
• Duplicating some bits
• Omit some bits
• Permute bit order
• Combine bit strings with XOR (exclusive or)
Invitation to Computer Science, 6e 16
Invitation to Computer Science, 6e 17
AES
• The Advanced Encryption Standard (AES) is a symmetric-key block cipher published by the US National Institute of Standards and Technology (NIST) in 2001 in response to the shortcoming of DES.
Invitation to Computer Science, 6e 18
Asymmetric-key Cryptographs
• Two distinctive keys in asymmetric-key cryptography: a private key and a public key.
• The key for encryption and the key for decryption are different
– Person A makes an encryption key public (public key)
– Anyone can encrypt a message using the public key and send it to A
– Only A has the decryption key (private key) and can decrypt the message
• Example
– RSA
Invitation to Computer Science, 6e 19
Figure 16.7 The general idea behind asymmetric-key cryptography Invitation to Computer Science, 6e 20
RSA
RSA key creation
– Pick 2 large prime numbers: p and q
– Compute n = p×q, and m = (p-1)×(q-1)
– Choose large number e at random, so that e and m are relatively prime (no common factors except 1)
– Find unique value d, between 0 and m, such that (e×d) modulo m = 1
– Public key = (n, e), Private key = d
Invitation to Computer Science, 6e 21
RSA (continued)
Example:
• Choose p = 7, q = 11
• n = 7×11 = 77, and m = 6×10 = 60
• Choose e = 13 (60 = 2*2*3 * 5, 13=1*13)
• The corresponding d = 37 (13×37 modulo 60 = 1)
• Therefore, public key = (77, 13), Private key = 37
Invitation to Computer Science, 6e 22
RSA (continued)
RSA encryption:
Given public key (n, e)
– Convert message to integer P
– Calculate C = Pe modulo n
RSA decryption:
Given private key d
– Calculate Cd modulo n
Invitation to Computer Science, 6e 23
RSA (continued)
RSA encryption, example:
Given public key (77, 13)
– Convert message to integer P = 5
– Calculate C = 513 modulo 77 = 26
RSA decryption:
Given private key 37
– Calculate 2637 modulo 77 = 5
Invitation to Computer Science, 6e 24
Public/Private Keys
• Digital signature
– Data that is appended to a message, made from the message itself and the sender's private key, to ensure the authenticity of the message
• Digital certificate
– A representation of a sender's authenticated public key used to minimize malicious forgeries
Invitation to Computer Science, 6e 25
Computer Security
Authentication credentials
Information users provide to identify themselves for computer access
– User knowledge such as name, password, PIN
– Smart card with embedded memory chip used for identification
– Biometrics human characteristics such as fingerprints, retina or voice patterns
Invitation to Computer Science, 6e 26
Computer Security
Malicious Code
A computer program that attempts to bypass appropriate authorization and/or perform unauthorized functions
– Worm: stands alone, targets network resources
– Trojan horse: disguised as benevolent resource
– Virus: self-replicating
– Logic bomb: set up to execute at system event
Invitation to Computer Science, 6e 27
Computer Security
Security Attacks
An attack on the computer system itself
– Password guessing: obvious
– Phishing: trick users into revealing security information
– Spoofing: malicious user masquerades as authorized user
– Back door: unauthorized access to anyone who knows it exists
Invitation to Computer Science, 6e 28
Computer Security
– Buffer overflow: defect that could cause a system to crash and leave the user with heightened privileges
– Denial-of-service: attach that prevents authorized user from accessing the system
– Man-in-the-middle: network communication is intercepted in an attempt to obtain key data
Have you ever experienced one of these?
Invitation to Computer Science, 6e 29
Invitation to Computer Science, 6e 30
Mal-Ware
• Virus: attaches itself to a program or file and causes damage of hardware, software or files
• Worm: has the capability to spread itself out to everyone listed in your email address book
• Trojans horse: will appear to be useful software at first glance but will actually do damage once installed or run on your computer
Invitation to Computer Science, 6e 31
Mal-Ware (con’t)
• Some Famous Computer Virus, Worm, or Trojan Horse
Invitation to Computer Science, 6e 32
Web Transmission Security
• E-commerce requires secure transmission of names, passwords, credit card numbers
• Web protocols: SSL (Secure Sockets Layer) and TLS (Transport Layer Security)
– Client-server applications
– Server provides certificate of authentication and server’s public key
– Client sends its DES key, encrypted using RSA
– Data is sent encrypted by the (now shared) DES key
Invitation to Computer Science, 6e 40
Invitation to Computer Science, 6e 41
Secure Socket Layer (SSL)
Invitation to Computer Science, 6e 42
Secure Socket Layer (SSL)
Invitation to Computer Science, 6e 43
Secure Socket Layer (SSL)
• SSL includes two sub-protocols: the SSL Record Protocol and the SSL Handshake Protocol.
– Record Protocol - defines the format used to transmit data.
– Handshake Protocol - using the Record protocol to exchange messages b/t an SSL-enable server and an SSL-enable client.
Invitation to Computer Science, 6e 44
Secure Socket Layer (SSL)
• 客戶端認證 (Client Authentication)
• 伺服端認證 (Server Authentication)
• 加密連線 (Encrypted Connection)
Invitation to Computer Science, 6e 45
SSL Record Protocol Operation
abcdef ghijk lmn
abcdefghijklmnApplication Data
Fragment
Compress
Add MAC
Encrypt
Add SSL
Record Header
generate MD5 by using HASH
Invitation to Computer Science, 6e 46
SSL 訊息封裝 (一)
• SSL 封包格式
Type=22
Length Content
HTTP, ..., Message(or Compress)
Type=23
MajorVersion
MinorVersion
Length MAC
加密編碼
Type= 21
AlterLevel
AlertDesc.
IP Header
Type= 20
Change
TCPHeader SSL Message
(a) 變更密文 規格協定
(b) 警告協定
(c) 握手協定
(d) 紀錄協定
1 Byte1
1 1 Byte
3 >= 0 Bytes
1 1 2 >= 0 Bytes 0,16, 20
Hand.Type
1
Invitation to Computer Science, 6e 47
SSL 訊息封裝 (二) • 握手協定之命令型態
訊息(命令)型態
參數(內容)
hello_request
無
client_hello
版本、亂數、會議 ID、加密套件、壓縮方法
server_hello
版本、亂數、會議 ID、加密套件、壓縮方法
certificate
一連串的 X.509v3 憑證內容
server_key_exchange
鑰匙材料、數位簽章
certificate_request
憑證型態、認證中心
server_done
無
certificate_verify
數位簽章
client_key_exchange
鑰匙材料、數位簽章
finished
雜湊值
Invitation to Computer Science, 6e 48
SSL 訊息封裝 (三)
• 紀錄層訊息封裝 Application data
Fragment Fragment Fragment
compress
compress MAC
Encrypt
EncryptH
上層資料 (如 HTTP)
分段處理
壓縮處理
加入認證標頭
加密處理
加入 SSL 紀錄標頭
TCP MessageTCP
HeaderTCP 協定包裝如 https: tcp/443 埠口
compression_method
client/server_write_MAC_secret
client/server_write_keyclient/server_write_IV
SSL 協定包裝
Invitation to Computer Science, 6e 49
11-5 SSL 會議連結識別
• 會議連結』(Session Connection):Session ID
• 使用於 SSL Record Layer 的參數
– Session Identifier
– Peer Certificate
– Compression Method
– Cipher Spec
– Master Secret
– Is Re-useable
Invitation to Computer Science, 6e 50
SSL 握手協定 (一) • 協商步驟
1. 交換 Hello 訊息,協議演算法,並檢視是否有 Session ID 可重
複使用。
2. 交換鑰匙材料,及製作『前置主秘鑰』(Pre-master Secret)
3. 交換『身份憑證』。
4. 利用 Pre-master Secret 製作 Master Secret。
5. 將安全參數登錄於 Session Connection。
6. 保證協議當中未受到駭客攻擊。
Invitation to Computer Science, 6e 51
SSL 握手協定 (二)
• 協商階段
客戶端
(1) client_hello
伺服端
(2) server_hello
(3) certificate *
(4) server_key_exchange *
(5) certificate_request *
(6) server_done
(7) certificate *
(8) client_key_exchange
(9) certificate_verify *
(10) [change_cipher_spec]
(11) finished
(12) [change_cipher_spec]
(13) finished
雙方利用 Hello 訊息互相傳送相關安全參數
第一階段
伺服端傳送憑證、交換鑰匙與要求對方憑證
客戶端傳送憑證、交換鑰匙與要求確認憑證
客戶端要求變更密文規格及完成協議
伺服端要求變更密文規格及確認完成協議
SSL/TLS 安全連線 依照安全機制傳輸應用層資料
第二階段
第三階段
第四階段
Record Protocol
備註:有星號 (*) 表示選項訊息Invitation to Computer Science, 6e 52
網路環境-防火牆
Invitation to Computer Science, 6e 53
top related