1Chapter 1

The need for security

• Computerized trend (all kind of information are in the database)

• Information passing through Internet

2Chapter 1

Data Transmission on the Internet

• Data travels in clear text [ASCII or BIG-5]

• Personal or confidential information is not secure

• Example: Credit card details

3Chapter 1

Client

Customer Id: 78910Order Id: 90Item Id: 156

Credit Card Number: 1234-5678-9000-2345

Issued By: VisaValid Till: Jan 2006

…

Server

Server Database

Transmission of Credit Card Details

Fig 1.1

4Chapter 1

Security Approaches

• Security models– No security– Security through obscurity– Host security– Network security

5Chapter 1

Security Management Practices

• A good security policy takes care of four key aspects,– Affordability– Functionality– Cultural issues– legality

6Chapter 1

Process to carry a security police

• Explanation to all concerned

• Outline everybody’s responsibilities

• Use simple language in all communications

• Accountability should be established

• Provide for exception and periodic reviews

7Chapter 1

Principles (functionality) of security

• Four chief objectives:– Confidentiality– Authentication– Integrity– Non-repudiation

• Others:– Access control– Availability

8Chapter 1

Confidentiality

• Also called as privacy

• Refers to the secrecy of information

• Only the sender and the intended receiver(s) should have an access to the information

9Chapter 1

A B

C

Secret

Loss of Confidentiality (interception)

Fig 1.2

Sender Receiver

Attacker

10Chapter 1

Authentication

• Identifies the sender/receiver of a message, proof of identities.

• Required so that the communicating parties trust each other

• Answers: Who am I trusting or talking?

11Chapter 1

Absence of Authentication (fabrication)

Fig 1.3

A B

C

I am user A

Sender Receiver

Attacker

12Chapter 1

Integrity

• Ensures that any changes to a message are detected

• The message from the sender to the receiver must travel without any alterations

• Changes need to be prevented, or at least, detected

13Chapter 1

Loss of Message Integrity (modification)

Fig 1.4

A B

C

Transfer $100 to C Transfer

$1000 to C

Ideal route of the message

Actual route of the message

Sender ReceiverAttacker

14Chapter 1

Non-repudiation

• Defeats the possibilities of denying something been done.

• The others ’(the third) trusted proof between sender and receiver.

15Chapter 1

An example- the I.D. card

16Chapter 1

Access control

• Specifies and controls who can access what data.

• For example, user A view the records, but can not update. Neither see other records not authorized.

17Chapter 1

Availability

• Resources/applications must be available to authentic users all the time

• Attackers can deny the availability

• Denial Of Service (DOS) is an example of an attack on availability

18Chapter 1

Attack on Availability

Fig 1.5

A B

C

Sender Receiver

Attacker

19Chapter 1

Types of Attacks

Fig 1.6

Attacks

Passive attacks Active attacks

20Chapter 1

Classification of Passive Attacks

Fig 1.7

Passive attacks (Interception)

Release of message contents

Traffic analysis

21Chapter 1

Classification of Active Attacks

Fig 1.8

Active attacks

Interruption (Masquerade)

Fabrication (Denial Of

Service - DOS)

Modification

Replay attacks Alterations

22Chapter 1

Practical Side of Attacks

Fig 1.9

Security attacks in practice

Application level attacks

Network level attacks

23Chapter 1

Virus

• Program that causes damage to other programs/applications/data

• Contains malicious code

• Propagates as it damages

24Chapter 1

Example of Virus

Fig 1.10

Add x to yPerform Print-JobPerform Close-JobEnd

Add x to yPerform Print-JobPerform Virus-JobPerform Close-JobEnd

Delete all filesSend a copy of myself to all using this users address book Return

(a) Original clean code

(b) Virus infected code

(c) Virus code

25Chapter 1

Worm

• Propagates as it damages

• Does not damage a program/data

• Consumes resources, and brings system to a halt

26Chapter 1

Example of Worm

Fig 1.11

Perform resource-eating tasks, but no destruction

Worm code

Perform resource-eating tasks, but no destruction

Perform resource-eating tasks, but no destruction

Perform resource-eating tasks, but no destruction

Perform resource-eating tasks, but no destruction

Perform resource-eating tasks, but no destruction

Perform resource-eating tasks, but no destruction

…

Replicate itself

Replicate itself

27Chapter 1

Trojan Horse

• Silently observes user actions and captures confidential information

• Uses captured information for its use

• Example: Capturing user id and password

28Chapter 1

Example of Trojan Horse

Fig 1.12

User User Id: xxxPassword: yyy

Login code…

Trojan horseLogin code

…

Attacker

User Id: xxxPassword: yyy

Login program

29Chapter 1

HTTP Protocol

• Hyper Text Transfer Protocol

• Used for communication between a browser and server on the Internet

• Based on a Request-Response model

30Chapter 1

HTTP Protocol

Fig 1.13

Client Server

Client Server

HTTP Request

Please send me the Web page www.yahoo.com/info

HTTP Response

Web page www.yahoo.com/info

….

31Chapter 1

Java Applet/ActiveX Control

• Small programs that get downloaded along with an HTML page to the client

• Executes on the client browser

• Makes Web pages active

32Chapter 1

Web Page containing Applet

Fig 1.14

Client Server

Client Server

HTTP Request

Please send me the Web page www.abc.com/init

HTTP Response

Applet

Web page www.abc.com/init

….

33Chapter 1

Cookie

• HTTP protocol is stateless

• For client to remember its state, some mechanism is needed

• Cookie allows client to remember its state

34Chapter 1

Cookie Creation

Fig 1.15 (a)

Web browser

Web server

Name: JohnAddress: ……

Id: 123456

Name: JohnAddress: ……

Id: 123456

123456 John …123457 Pete …………

Cookie

35Chapter 1

Cookie Usage

Fig 1.15 (b)

Web browser

Web server

Id: 123456

Name: JohnAddress: ……

What doesId: 123456

map to?

Welcome John!

Step 1

Step 2Step 3

Step 4

123456 John …123457 Pete …………………

36Chapter 1

HTML

• Hyper Text Markup Language

• Tag-based language used to create Web pages

• Browser can interpret HTML

37Chapter 1

Example of HTML Tags

Fig 1.16, 1.17

<B> This is an example of text being displayed in boldface. </B>

Start of boldface

The text that needs to be displayed in boldface

End of boldface

<B> This is an example of text being displayed in boldface. </B>

Browser interprets this

This is an example of text being

displayed in boldface.

38Chapter 1

Java Security

Java source program

Java compilerJava compiler

istore 1getfield#5astore0…

Java byte code

InternetJava byte code

verifier

Class loader

Java interpreter

Java compiler

Runtime environment

Hardware

Fig 1.18

39Chapter 1

Java security

• Sandbox model • Java application security

– Bytecode verifier– Class loader– Access controller– Security package

• Built-in Java application security– Array bound– Access methods are strictly adhereed to

40Chapter 1

C program vs Java

• Void main()

• {

• Char *p;

• print (“enter a string”);

• gets(p)

• }

41Chapter 1

Specific attacks

• Internet deliver packets

• Attackers target these packets in two main forms: (a) packet sniffing (snooping)

(b) packet spoofing