97 Computer Security and Cryptography

J. Arlin Cooper, Sandia National Laboratories
Oded Goldreich, Weizmann Institute of Science

© 2000 by CRC Press LLC

97.1 Computer and Communications Security
Physical Security • Cryptology • Software Security • Hardware Security • Network Security • Personnel Security

97.2 Fundamentals of Cryptography
Central Paradigms • Pseudorandomness • Zero-Knowledge • Encryption • Signatures • Cryptographic Protocols

97.1 Computer and Communications Security

J. Arlin Cooper

Computer security is protection of computing assets and computer network communication assets against abuse, unauthorized use, unavailability through intentional or unintentional actions, and protection against undesired information disclosure, alteration, or misinformation. In today's environment, the subject encompasses computers ranging from supercomputers to microprocessor-based controllers and microcomputers, software, peripheral equipment (including terminals, printers), communication media (e.g., cables, antennas, satellites), people who use computers or control computer operations, and networks (some of global extent) that interconnect computers, terminals, and other peripherals.

Widespread publicity about computer crimes (losses estimated at between $300 million and $500 billion per year), hacker (cracker) penetrations, and viruses has given computer security a high profile in the public eye [Hafner and Markoff, 1991]. The same sorts of technologies that have made computers and computer network communications essential tools for information and control in almost all businesses and organizations have provided new opportunities for adversaries and for accidents or natural occurrences to interfere with crucial functions. Some of the important aspects are industrial/national espionage, loss of functional integrity (e.g., in air traffic control, monetary transfer, and national defense systems), and violation of society's desires (e.g., compromise of privacy). The emergence of the World Wide Web access to the Internet has been accompanied by recent focus on financial transaction vulnerabilities, crypto system weaknesses, and privacy issues.

Fortunately, technological developments also make a variety of controls (proactive and follow-up) available for computer security. These include personal transaction devices (e.g., smart cards, and tokens), biometric verifiers, port protection devices, encryption, authentication, and digital signature techniques using symmetrical (single-key) or asymmetrical (public-key) approaches, automated auditing, formal evaluation of security features and security products, and decision support through comprehensive system analysis techniques. Although the available technology is sophisticated and effective, no computer security protective measures are perfect, so the goal of prevention (security assurance) is almost always accompanied by detection (early discovery of security penetration) and penalty (denial of goal, e.g., information destruction; or response, e.g., prosecution and punishment) approaches.

The information in this section is intended to survey the major contemporary computer security threats, vulnerabilities, and controls. A general overview of the security environment is shown in Fig. 97.1. The oval in the figure contains an indication of some of the crucial concentrations of resources that exist in many facilities, including digital representations of money; representations of information about operations, designs, software, and