Overview 曹天杰 Tianjie Cao ticao@cumt.edu.cn College of Computer Science and echnology china University of Mining and Technology Xuzhou, China 中国矿业大学计算机科学与技术学院 2003.5.12
1 曹天杰 Tianjie Cao tjcao@cumt.edu.cn College of Computer Science and Technology, China University of Mining and Technology, Xuzhou, China 中国矿业大学计算机科学与技术学院 2003.5.12 Overview
Resources A.J. Menezes p C van oorschot and s.a. vanstone Handbook of Applied Cryptography, CRC Press, 1997 Bruce Schneier. Applied cryptography, Second Edition Protocols, algorthms, and Source Code in C(cloth) John Wiley sons, Inc )1996 Douglas R. Stinson, Cryptography (theory and practice), CRC Press 1995
2 A. J. Menezes, P. C. van Oorschot and S. A. Vanstone. Handbook of Applied Cryptography, CRC Press, 1997. Bruce Schneier. Applied Cryptography, Second Edition: Protocols, Algorthms, and Source Code in C (cloth) John Wiley & Sons, Inc.) 1996 Douglas R. Stinson, Cryptography (Theory and Practice), CRC Press 1995 Resources
Course outline oVerview: Secure communication Attacks to cryptosystems. One time pad randomness and pseudo randomness o Secret-Key cryptography: Block ciphers. DES, AES (Rijndael). Modes of operation. Linear and Differential cryptanalysis Public-Key cryptography: Mathematical Foundations One-way functions Trapdoor one-way functions. Public-key cryptosystems. RSA, Diffie-Hellman, ElGamal, and elliptic curve cryptosystems. Design and Analysis of Cryptographic Protocols: Authentication protocols. Digital cash. Sharing and partial disclosure of secrets, Zero-knowledge proof systems Identification protocols. Key management architectures
3 •Overview : Secure communication. Attacks to cryptosystems. One time pad, randomness and pseudorandomness •Secret-Key Cryptography: Block ciphers .DES, AES (Rijndael). Modes of operation. Linear and Differential cryptanalysis. •Public-Key Cryptography: Mathematical Foundations. One-way functions. Trapdoor one-way functions. Public-key cryptosystems. RSA, Diffie-Hellman, ElGamal, and elliptic curve cryptosystems. •Design and Analysis of Cryptographic Protocols: Authentication protocols. Digital cash. Sharing and partial disclosure of secrets. Zero-knowledge proof systems. Identification protocols. Key management architectures Course Outline
Some security Properties Integrity: no improper modification Authenticity: integrity of source Non-repudiation: integrity of commitments Accountability: integrity of responsibility Secrecy: no improper disclosure Privacy: secrecy of personal data Anonymity: unlinkable secrecy of identity Pseudonymity: linkable secrecy of identity Availability: no improper denial of service
4 Some Security Properties • Integrity: no improper modification – Authenticity: integrity of source – Non-repudiation: integrity of commitments – Accountability: integrity of responsibility • Secrecy: no improper disclosure – Privacy: secrecy of personal data – Anonymity: unlinkable secrecy of identity – Pseudonymity: linkable secrecy of identity • Availability: no improper denial of service
Correctness vs Security Correctness: satisfy specifications For reasonable inputs get reasonable output Security: resist attacks For unreasonable inputs output not completely disastrous Main difference Active interference from the environment
5 Correctness vs. Security • Correctness: satisfy specifications – For reasonable inputs, get reasonable output • Security: resist attacks – For unreasonable inputs, output not completely disastrous • Main difference – Active interference from the environment
Attack Goals in the physical world in the electronic world Publicr Terrorism Highly contagious viruses Landing in red square defacing web pages frau Bank robbery Credit card number theft Scams On-line scams Plagiarism Intellectual property theft Disruption Vandalism wiping out data Obstruction of justice> Denial of service Invasion Collection of personal Reading private files of privacy data urveillance Espionage
6 Attack Goals • Publicity • Fraud • Disruption • Invasion of privacy – . ➢ Terrorism ➢ Landing in Red Square ➢ Bank robbery ➢ Scams ➢ Plagiarism ➢ Vandalism ➢ Obstruction of justice ➢ Collection of personal data ➢ Espionage in the physical world ➢ Highly contagious viruses ➢ Defacing web pages ➢ Credit card number theft ➢ On-line scams ➢ Intellectual property theft ➢ Wiping out data ➢ Denial of service ➢ Reading private files ➢ Surveillance in the electronic world
Vulnerable systems: a Trend Vulnerability: a weakness that can be exploited to cause damage Attack: a method to exploit a The internet vulnerability World-Wide connection Distributed: no central design and control O pen infrastructureS: modems, wireless, dhCP Untrusted software: applets, downloads Unsophisticated users homogeneity Security costs Hardware: x86 Market now, fix bugs later OS: Window Customers want it but wont Applications pay for
7 Vulnerable Systems: a Trend • The Internet – World-Wide connection – Distributed: no central design and control – Open infrastructures: modems, wireless, DHCP – Untrusted software: applets, downloads – Unsophisticated users • Security costs – Market now, fix bugs later – Customers want it, but won’t pay for it • Homogeneity – Hardware: x86 – OS: Windows – Applications: Vulnerability: a weakness that can be exploited to cause damage Attack : a method to exploit a vulnerability
Attacks. Services, and mechanisms Security attack: Any action that compromises the securi of information Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack Security service: a service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms 8
8 Attacks, Services, and Mechanisms * Security Attack: Any action that compromises the security of information. * Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack. * Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms
Some attacks · Unintended blunders Hackers driven by technical challenge Disgruntled employees or customers Petty criminals Organized crime Organized terror groups Foreign espionage agents ● Information warfare
9 Some Attacks • Unintended blunders • Hackers driven by technical challenge • Disgruntled employees or customers • Petty criminals • Organized crime • Organized terror groups • Foreign espionage agents • Information warfare
Security services confidentiality: only authorized parties have read access to information integrity: only authorized parties have write access to information availability: authorized access to information when neede authenticity: identity claims(user, message source) can be verified non-repudiation: message exchange can be proved by sender and receiver authorization: information system /resource access contro
10 - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to information - availability: authorized access to information when needed - authenticity: identity claims (user, message source) can be verified - non-repudiation: message exchange can be proved by sender and receiver - authorization: information / system / resource access control Security services