cse543 introduction to computer and network security

CSE543 - Introduction to Computer and Network Security Module: - PowerPoint PPT Presentation

Oct 30, 2022 •123 likes •598 views

  1. �������฀฀���฀฀�������� ��������������฀�������� � � �������฀���฀��������฀��������฀������ ����������฀��฀��������฀�������฀���฀����������� ������������฀�����฀�����������฀����������฀����฀฀�� CSE543 - Introduction to Computer and Network Security Module: Authentication Professor Trent Jaeger CSE543 - Introduction to Computer and Network Security Page 1 1

  2. Reading papers … • What is the purpose of reading research papers? • How do you read research papers? CSE543 - Introduction to Computer and Network Security Page 2 2

  3. Understanding what you read • Things you should be getting out of a paper ‣ What is the central idea proposed/explored in the paper? • Abstract These are the best areas to find • Introduction an overview of the contribution • Conclusions ‣ Motivation: What is the problem being addressed? ‣ How does this work fit into others in the area? • Related work - often a separate section, sometimes not, every paper should detail the relevant literature. Papers that do not do this or do a superficial job are almost sure to be bad ones. • An informed reader should be able to read the related work and understand the basic approaches in the area, and why they do not solve the problem effectively CSE543 - Introduction to Computer and Network Security Page 3 3

  4. Understanding what you read (cont.) • What scientific devices are the authors using to communicate their point? ‣ Methodology - this is how they evaluate their solution. • Theoretical papers typically validate a model using mathematical arguments (e.g., proofs) • Experimental papers evaluate results based on a design of a test apparatus (e.g., measurements, data mining, synthetic workload simulation, trace-based simulation). ‣ Empirical research evaluates by measurement. • Some papers have no evaluation at all, but argue the merits of the solution in prose (e.g., paper design papers) CSE543 - Introduction to Computer and Network Security Page 4 4

  5. Understanding what you read (cont.) • What do the authors claim? ‣ Results - statement of new scientific discovery. • Typically some abbreviated form of the results will be present in the abstract, introduction, and/or conclusions. • Note: just because a result was accepted into a conference or journal does necessarily not mean that it is true. Always be circumspect. • What should you remember about this paper? ‣ Take away - what general lesson or fact should you take away from the paper. ‣ Note that really good papers will have take-aways that are more general than the paper topic. CSE543 - Introduction to Computer and Network Security Page 5 5

  6. Summarize Thompson Article • Contribution • Motivation • Related work • Methodology • Results • Take away CSE543 - Introduction to Computer and Network Security Page 6 6

  7. A Sample Summary • Contribution: Ken Thompson shows how hard it is to trust the security of software in this paper. He describes an approach whereby he can embed a Trojan horse in a compiler that can insert malicious code on a trigger (e.g., recognizing a login program). • Motivation: People need to recognize the security limitations of programming. • Related Work: This approach is an example of a Trojan horse program. A Trojan horse is a program that serves a legitimate purpose on the surface, but includes malicious code that will be executed with it. Examples include the Sony/BMG rootkit: the program provided music legitimately, but also installed spyware. • Methodology: The approach works by generating a malicious binary that is used to compile compilers. Since the compiler code looks OK and the malice is in the binary compiler compiler, it is difficult to detect. • Results: The system identifies construction of login programs and miscompiles the command to accept a particular password known to the attacker. • Take away: What is the transcendent truth????? (see next slide) CSE543 - Introduction to Computer and Network Security Page 7 7

  8. Turtles all the way down ... • Take away: Thompson states the “obvious” moral that “you cannot trust code that you did not totally create yourself.” We all depend on code, but constructing a basis for trusting it is very hard, even today. • ... or “ trust in security is an infinite regression ...” “A well-known scientist (some say it was Bertrand Russell) once gave a public lecture on astronomy. He described how the earth orbits around the sun and how the sun, in turn, orbits around the center of a vast collection of stars called our galaxy. At the end of the lecture, a little old lady at the back of the room got up and said: "What you have told us is rubbish. The world is really a flat plate supported on the back of a giant tortoise." The scientist gave a superior smile before replying, "What is the tortoise standing on?" "You're very clever, young man, very clever", said the old lady. "But it's turtles all the way down!" - Hawking, Stephen (1988). A Brief History of Time. CSE543 - Introduction to Computer and Network Security Page 8 8

  9. Authentication and Authorization • Fundamental mechanisms to enforce security on a system • Authentication: Identify the principal responsible for a “message” ‣ Distinguish friend from foe • Authorization: Control access to system resources based on the identity of a principal ‣ Determine whether a principal has the permissions to perform a restricted operation • Today, we discuss principles behind authentication CSE543 - Introduction to Computer and Network Security Page 9 9

  10. What is Authentication? • Short answer: establishes identity ‣ Answers the question: To whom am I speaking? • Long answer: evaluates the authenticity of identity by proving credentials ‣ Credential – is proof of identity ‣ Evaluation – process that assesses the correctness of the association between credential and claimed identity • for some purpose • under some policy (what constitutes a good cred.?) CSE543 - Introduction to Computer and Network Security Page 10 10

  11. Why authentication? • Well, we live in a world of rights, permissions, and duties ‣ Authentication establishes our identity so that we can obtain the set of rights ‣ E.g., we establish our identity with Tiffany’s by providing a valid credit card which gives us rights to purchase goods ~ physical authentication system • Q: How does this relate to security? CSE543 - Introduction to Computer and Network Security Page 11 11

  12. Why authentication (cont.)? • Same in online world, just different constraints ‣ Vendor/customer are not physically co-located, so we must find other ways of providing identity • e.g., by providing credit card number ~ electronic authentication system ‣ Risks (for customer and vendor) are different • Q: How so? • Computer security is crucially dependent on the proper design, management, and application of authentication systems. CSE543 - Introduction to Computer and Network Security Page 12 12

  13. What is Identity? • That which gives you access … which is largely determined by context ‣ We all have lots of identities ‣ Pseudo-identities • Really, determined by who is evaluating credential ‣ Driver’s License, Passport, SSN prove … ‣ Credit cards prove … ‣ Signature proves … ‣ Password proves … ‣ Voice proves … • Exercise: Give an example of bad mapping between identity and the purpose for which it was used. CSE543 - Introduction to Computer and Network Security Page 13 13

  14. Credentials • … are evidence used to prove identity • Credentials can be ‣ Something I am ‣ Something I have ‣ Something I know CSE543 - Introduction to Computer and Network Security Page 14 14

  15. Something you know … • Passport number, mothers maiden name, last 4 digits of your social security, credit card number • Passwords and pass-phrases ‣ Note: passwords have historically been pretty weak • University of Michigan: 5% of passwords were goblue • Passwords used in more than one place ‣ Not just because bad ones selected: If you can remember it, then a computer can guess it • Computers can often guess very quickly • Easy to mount offline attacks • Easy countermeasures for online attacks CSE543 - Introduction to Computer and Network Security Page 15 15

  16. “Hoist with his own petard” • The rule of seven plus or minus two. ‣ George Miller observed in 1956 that most humans can remember about 5-9 things more or less at once. ‣ Thus is a kind of maximal entropy that one can hold in your head. ‣ This limits the complexity of the passwords you can securely use, i.e., not write on a sheet of paper. ‣ A perfectly random 8-char password has less entropy than a 56-bit key. • Implication? CSE543 - Introduction to Computer and Network Security Page 16 16

Recommend

CSE543 Computer and Network Security Module: Network Security Professor Patrick McDaniel Fall

CSE543 Computer and Network Security Module: Network Security Professor Patrick McDaniel Fall

CSE543 Computer and Network Security Module: Network Security Professor Patrick McDaniel Fall 204 1 CSE543 - Introduction to Computer and Network Security Page Networking Fundamentally about transmitting information between two (or more)

636 views • 47 slides
CSE 543 - Computer Security (Fall 2006) Lecture 16 - Network Security October 31, 2006 URL:

CSE 543 - Computer Security (Fall 2006) Lecture 16 - Network Security October 31, 2006 URL:

CSE 543 - Computer Security (Fall 2006) Lecture 16 - Network Security October 31, 2006 URL: http://www.cse.psu.edu/~tjaeger/cse543-f06 CSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger 1 Midterm Grades 85-100 -- A

1.41k views • 26 slides
CSE 543 - Computer Security (Fall 2006) Lecture 18 - Network Security November 7, 2006 URL:

CSE 543 - Computer Security (Fall 2006) Lecture 18 - Network Security November 7, 2006 URL:

CSE 543 - Computer Security (Fall 2006) Lecture 18 - Network Security November 7, 2006 URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/ CSE543 Computer (and Network) Security - Fall 2006 - Professor Jaeger 1 Denial of Service Intentional

406 views • 18 slides
CSE 543 - Computer Security Lecture 11 - OS Security October 2, 2007 URL:

CSE 543 - Computer Security Lecture 11 - OS Security October 2, 2007 URL:

CSE 543 - Computer Security Lecture 11 - OS Security October 2, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 OS Security An secure OS should provide the

873 views • 28 slides
DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and

DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and

DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and Security DNS and

860 views • 71 slides
CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL:

CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL:

CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Mobile Phones Networked device

302 views • 11 slides
CSE 543 - Computer Security Lecture 12 - MAC Security October 4, 2007 URL:

CSE 543 - Computer Security Lecture 12 - MAC Security October 4, 2007 URL:

CSE 543 - Computer Security Lecture 12 - MAC Security October 4, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Mandatory Access Control Is about administration

462 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

644 views • 36 slides
CSE 543 - Computer Security (Fall 2007) Lecture 1 - Introduction Professor: Trent Jaeger URL:

CSE 543 - Computer Security (Fall 2007) Lecture 1 - Introduction Professor: Trent Jaeger URL:

CSE 543 - Computer Security (Fall 2007) Lecture 1 - Introduction Professor: Trent Jaeger URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page Some bedtime stories

534 views • 24 slides
CSE 543 - Computer Security Lecture 2 - Introduction August 30, 2007 URL:

CSE 543 - Computer Security Lecture 2 - Introduction August 30, 2007 URL:

CSE 543 - Computer Security Lecture 2 - Introduction August 30, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 A historical moment Mary Queen of Scots is

631 views • 29 slides
CSE 543 - Computer Security Lecture 20 - Firewalls November 8, 2007 URL:

CSE 543 - Computer Security Lecture 20 - Firewalls November 8, 2007 URL:

CSE 543 - Computer Security Lecture 20 - Firewalls November 8, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07 CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Midterm Grades (High is 83) 77-94 -- A (4)

930 views • 29 slides
CSE 543 - Computer Security Lecture 22 - Denial of Service November 15, 2007 URL:

CSE 543 - Computer Security Lecture 22 - Denial of Service November 15, 2007 URL:

CSE 543 - Computer Security Lecture 22 - Denial of Service November 15, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Denial of Service Intentional prevention

663 views • 25 slides
CSE 543 - Computer Security Lecture 4 - Cryptography September 6, 2007 URL:

CSE 543 - Computer Security Lecture 4 - Cryptography September 6, 2007 URL:

CSE 543 - Computer Security Lecture 4 - Cryptography September 6, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Hash Algorithms Hash algorithm

358 views • 22 slides
CSE 543 - Computer Security Lecture 14 - Access Control October 11, 2007 URL:

CSE 543 - Computer Security Lecture 14 - Access Control October 11, 2007 URL:

CSE 543 - Computer Security Lecture 14 - Access Control October 11, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Page Access Control System Protection Domain

663 views • 25 slides
CSE 543 - Computer Security Lecture 27 - Wrapup December 13, 2007 URL:

CSE 543 - Computer Security Lecture 27 - Wrapup December 13, 2007 URL:

CSE 543 - Computer Security Lecture 27 - Wrapup December 13, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger Final Tuesday, December 18, 8:00am-9:50am in 102

167 views • 12 slides
CSE 543 - Computer Security Lecture 3 - Principles September 4, 2007 URL:

CSE 543 - Computer Security Lecture 3 - Principles September 4, 2007 URL:

CSE 543 - Computer Security Lecture 3 - Principles September 4, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Data Encryption Standard (DES) Introduced by the

384 views • 17 slides
PRESIDENTIAL CAMPAIGN Josemar Alves Caetano, Jussara Almeida, Humberto Torres Marques-Neto

PRESIDENTIAL CAMPAIGN Josemar Alves Caetano, Jussara Almeida, Humberto Torres Marques-Neto

CHARACTERIZING POLITICALLY ENGAGED USERS' BEHAVIOR DURING THE 2016 US PRESIDENTIAL CAMPAIGN Josemar Alves Caetano, Jussara Almeida, Humberto Torres Marques-Neto ASONAM 2018 2 Social networks and political campaings ASONAM 2018 3 Reach of

858 views • 56 slides
EEXCESS or the challenge of privacy-preserving quality recommendations Benjamin Habegger, Nadia

EEXCESS or the challenge of privacy-preserving quality recommendations Benjamin Habegger, Nadia

EEXCESS or the challenge of privacy-preserving quality recommendations Benjamin Habegger, Nadia Bennani, Eld Egyed-Szigmond, Omar Hassan Lyon University, CNRS, INSA-Lyon, LIRIS, UMR5205 EEXCESS Project Enhancing Europes eXchange in

612 views • 36 slides
Opinion mining in social networks Corrado Monti Universit` a degli Studi di Milano Corrado

Opinion mining in social networks Corrado Monti Universit` a degli Studi di Milano Corrado

Measuring phenomena on Twitter Ongoing work Opinion mining in social networks Corrado Monti Universit` a degli Studi di Milano Corrado Monti Universit` a degli Studi di Milano Opinion mining in social networks 1 Measuring phenomena on

445 views • 13 slides
MOOC Wendy Drexler, Ph.D. Christopher D. Sessums, Ph.D. College of Education | School of

MOOC Wendy Drexler, Ph.D. Christopher D. Sessums, Ph.D. College of Education | School of

University of Florida Faculty Development Colloquium Fall 2010 Massively Open Online Courses and Personal Learning Environments MOOC Wendy Drexler, Ph.D. Christopher D. Sessums, Ph.D. College of Education | School of Teaching and Learning

194 views • 17 slides
The SM works ATLAS https://twiki.cern.ch/twiki/bin/view/AtlasPublic/StandardModelPublicResults

The SM works ATLAS https://twiki.cern.ch/twiki/bin/view/AtlasPublic/StandardModelPublicResults

I N C LOSING Felix Yu JGU Mainz EFTs for Collider Physics, Flavor Phenomena and EWSB November 13, 2014 I N C LOSING O UR S TORY T HUS F AR Felix Yu JGU Mainz EFTs for Collider Physics, Flavor Phenomena and EWSB November 13, 2014 The SM

1.04k views • 75 slides
GI-Dagstuhl Seminar Aware Machine-to-Machine Communication Arumaithurai, Sigg, Wang

GI-Dagstuhl Seminar Aware Machine-to-Machine Communication Arumaithurai, Sigg, Wang

GI-Dagstuhl Seminar Aware Machine-to-Machine Communication Arumaithurai, Sigg, Wang 28.08.2016 02.09.2016 Version 1.0, August 29, 2016 Introduction (from: Dagstuhl Seminars, Shonan Meetings; Prof. Dr. Reinhard Wilhem) Arumaithurai,

334 views • 21 slides
Argument extraction for supporting public policy formulation Eirini Florou Dept of Linguistics,

Argument extraction for supporting public policy formulation Eirini Florou Dept of Linguistics,

The NOMAD Project Argument Recognition Conclusion Argument extraction for supporting public policy formulation Eirini Florou Dept of Linguistics, Faculty of Philosophy University of Athens, Greece eirini.florou@gmail.coml S.

679 views • 13 slides
121 Conference New York June 6-7, 2017 The Next Multi-Jurisdictional West African Gold

121 Conference New York June 6-7, 2017 The Next Multi-Jurisdictional West African Gold

121 Conference New York June 6-7, 2017 The Next Multi-Jurisdictional West African Gold Producer Forward-Looking Statements This presentation contains certain statements that constitute forward-looking information within the meaning of

598 views • 14 slides

More recommend