
Data Security: Goals and Mechanisms

The document discusses various aspects of data security including the goals of data security such as confidentiality, integrity, and availability. It also covers security threats like interruption, interception, modification, and fabrication. Finally, the document outlines different defense mechanisms for data security including security policies, access control, authentication, cryptography, and network security measures.

Uploaded by

Jason Guiton
Copyright
© Attribution Non-Commercial (BY-NC)

Data security is ...

• Security is about the protection of assets (for example, your private home):
– prevention
– detection
– reaction
• Data Security is about the protection of the asset called data (for example, data regarding your credit card transactions).

Why Data Security?
• ‘Sewage’ Hacker jailed – 8th May 2002
• Analysts: Insiders may pose security threat – 15th Oct, 2001
• White House DoS attack - May 2001

Computer Emergency Reporting Team

DDOS Attack
[Diagram: attacker’s controlling host (console), handlers, agents and victim, linked by control traffic and flood traffic]

Hackers have hijacked the account details of 400,000 Optus Internet dial-up customers.

‘Waterfall’ Model for Secure System Development

Analyse Threat & Risk

Write Security Policy

Design protection mechanism


Data Security Goals
• Confidentiality
– access to data & processes is restricted to authorised people
• Integrity
– the “system” (hardware + software + facilities + network + people) hasn’t been compromised
• Availability
– continuous/uninterrupted service

Data Security Goals
• Non-Repudiation
– You cannot deny that you have performed some action on the data
• Authentication
– You can prove your identity or the origin of the data

Security Threats
• Interruption
– When your assets become unavailable
• Interception
– Some unauthorised party has gained access to your assets
• Modification
– Some unauthorised party tampers with your assets
• Fabrication
– Counterfeits of your assets are made

Normal Flow
[Diagram: Information Source and Information Destination]

Interruption
Attack on availability
[Diagram: Information Source and Information Destination]

Interception
Attack on confidentiality
[Diagram: Information Source and Information Destination]

Modification
Attack on integrity
[Diagram: Information Source and Information Destination]

Fabrication
Attack on authenticity
[Diagram: Information Source and Information Destination]

Defence Mechanisms
• Involve 3 components in system
[Diagram: Computer, People and Media around DATA]

Defence Mechanisms
• Low Technology
– Security Policy: A documented plan of action and principles for an organisation
– Training against deception, blackmail, & “social engineering”
– Secure disposal of paper & storage media
– Employee vetting & reference checking
– Change control + audit trails + follow-up
– Contingency planning + training + rehearsal

Defence Mechanisms
• High Technology
– Ciphers and digital signatures
– Access control systems
– Firewalls
– Tamper-resistant systems
– Trusted systems

“Waterfall” Model

Analyse Threat & Risk

Write Security Policy

Design protection mechanism

Threat & Risk Analysis
• A security policy must incorporate a realistic assessment of threats
– What is to be protected?
– What can go wrong?
– If it goes wrong, how will it affect me?

Security Policy
[Diagram: asset valuation, business needs analysis, risk analysis and impact analysis around the Security Policy]

• security policy is a statement of rules


• security is defined by a security policy
• goal of security is to enforce the policy
• “standards” in OSI 7498-2, RFC 2196 & BS 7799 & AS 4444

Security Policy
The Proportionality Principle:
• identifying and invoking a set of protective mechanisms and procedures (e.g. data encryption)
• which match the perceived risk to and
• the value of an organization’s (information) assets

Cryptography

[Diagram: Computer, People and Media around DATA]

Ciphers
[Diagram: the original message (plaintext) and the encryption key enter the encryption algorithm, giving the encrypted message (ciphertext); the ciphertext and the decryption key enter the decryption algorithm, giving back the original message]

A simple example...
plaintext: this message is highly secret

Exclusive-OR of the ASCII representation of “t” with the key:

0 1 1 1 0 1 0 0   plaintext (t)
1 0 1 1 0 1 0 1   key (⊕)
1 1 0 0 0 0 0 1   ciphertext
1 0 1 1 0 1 0 1   key (⊕)
0 1 1 1 0 1 0 0   plaintext (t)

Categories of ciphers...
• unbreakable ciphers (e.g. Vernam cipher)
• computationally secure ciphers
– symmetric-key ciphers (e.g. DES)
– asymmetric-key ciphers (e.g. RSA)
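The slide's exclusive-OR step applied to the whole message, with a Vernam (one-time pad) key beside it for contrast. This is an added example, not part of the original slides; the function names are illustrative.

```python
import secrets

SLIDE_KEY = bytes([0b10110101])               # the 8-bit key from the slide
MESSAGE = b"this message is highly secret"    # the slide's plaintext


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key when it is shorter than data."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def slide_cipher(data: bytes) -> bytes:
    """Encrypt or decrypt with the slide's single key byte (XOR is its own inverse)."""
    return xor_bytes(data, SLIDE_KEY)


def pattern_preserved(plain: bytes, cipher: bytes) -> bool:
    """True when equal plaintext bytes always map to equal ciphertext bytes,
    i.e. the ciphertext still shows the letter pattern of the message."""
    seen = {}
    return all(seen.setdefault(p, c) == c for p, c in zip(plain, cipher))


def vernam_encrypt(data: bytes) -> tuple[bytes, bytes]:
    """Vernam / one-time pad: random key as long as the message, used once."""
    pad = secrets.token_bytes(len(data))
    return xor_bytes(data, pad), pad


def reuse_cancels_key(m1: bytes, m2: bytes, key: bytes) -> bool:
    """If one key encrypts two messages, XORing the ciphertexts removes the
    key and leaves m1 XOR m2, which is why a pad must never be reused."""
    c1, c2 = xor_bytes(m1, key), xor_bytes(m2, key)
    return bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(m1, m2))


if __name__ == "__main__":
    ct = slide_cipher(MESSAGE)
    print(f"t = {MESSAGE[0]:08b} -> {ct[0]:08b}")   # first byte, as on the slide
    print("round trip ok:", slide_cipher(ct) == MESSAGE)
    print("single-byte key keeps letter pattern:", pattern_preserved(MESSAGE, ct))
    otp_ct, pad = vernam_encrypt(MESSAGE)
    print("one-time pad round trip ok:", xor_bytes(otp_ct, pad) == MESSAGE)
    print("key reuse cancels the key:", reuse_cancels_key(b"invoice 1", b"invoice 2", pad))
```

The single repeated key byte reproduces the slide's arithmetic but is not a Vernam cipher: the "unbreakable" category requires a random key as long as the message that is never used again.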

Symmetric-key cipher
[Diagram: Plaintext message → Encryption (algorithm + key) → Ciphertext transmitted over network → Decryption (algorithm + key) → Plaintext message; the same key is used at both ends, and the key must be distributed first]

Examples...
Data Encryption Standard (DES)
Advanced Encryption Standard (AES)

Asymmetric-key cipher
[Diagram: Plaintext message → Encryption (algorithm + Receiver’s Public Key) → Ciphertext transmitted over network → Decryption (algorithm + Receiver’s Private Key) → Plaintext message; different keys are used at the two ends]

Examples: RSA (Rivest, Shamir and Adleman), elliptic-curve cipher

Requirements
• E-commerce needs ciphers which are:
– practical to implement and manage,
– computationally efficient,
– computationally secure (highly-effective),
• key management
– scalability across networks,
– cost of key distribution (security)
– cost of key revocation (find and replace every key),

Access Control & Authentication

Access control and User Authentication
[Diagram: Computer, People and Media around DATA]

Basic Principles of Authentication
• something you...
– know (e.g. password, PIN)
– have (e.g. magnetic-stripe card, smart card)
– can do (e.g. signature, encrypt a message)
– are, i.e. distinguishing personal traits (e.g. biometrics)
• more effective if used in combinations

Authentication Examples
• biometrics - recognizing a person using distinguishing traits
– speech, fingerprints, hand geometry, wrist veins, face, retina, iris, handwritten signature
• One time passwords or challenge-response protocols to prevent “record and replay” attacks
• “digitally” signing a message using a “digital” signature
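A minimal challenge-response exchange showing why a recorded response is useless once the challenge changes. This is an added illustration, not taken from the slides; the HMAC-SHA-256 construction, the shared key and the class and function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets


def respond(shared_key: bytes, challenge: bytes) -> bytes:
    """Claimant side: prove knowledge of the key without sending it."""
    return hmac.new(shared_key, challenge, hashlib.sha256).digest()


class Verifier:
    """Server side: issues fresh random challenges and accepts each one once."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._outstanding = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)   # unpredictable, never repeated
        self._outstanding.add(challenge)
        return challenge

    def check(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False                      # unknown or already-used challenge
        self._outstanding.discard(challenge)  # single use, pass or fail
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    key = secrets.token_bytes(32)             # constructed shared secret
    server = Verifier(key)
    c1 = server.new_challenge()
    recorded = respond(key, c1)               # what a recording of the line holds
    results = {"legitimate": server.check(c1, recorded)}
    results["replay_same_challenge"] = server.check(c1, recorded)
    c2 = server.new_challenge()
    results["replay_new_challenge"] = server.check(c2, recorded)
    c3 = server.new_challenge()
    results["fresh_response"] = server.check(c3, respond(key, c3))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

A static password, by contrast, is the same bytes on every login, so a recording of one session is accepted in the next.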

Network Security

Network Security
[Diagram: Computer, People and Media around DATA]

A view of TCP/IP
[Diagram: a client PC (Browser over TCP, IP and Ethernet LAN software) and a server (Web server over TCP, IP and Ethernet LAN software) connected through a router (IP software over LAN and WAN software)]

The Secure Sockets Layer
[Diagram: on both the client PC and the server, the Secure Sockets Layer (SSL) sits between the Browser / Web server and the TCP software, which runs over the IP software]

Firewalls
[Diagram: Internal Network (trusted), internal router, bastion host, external router, External Network (untrusted); the Firewall lies between the two networks]
• filter packets based on IP address
• direct each application to a proxy on the firewall

Views on Data Security
• Data security is often inconvenient
• Data security is often not very secure
• Data security is a balance
• People issue more than a technology issue
• Reactive not proactive - sometimes the need for data security is not obvious until it is too late