Network Security and Surveillancesiva/talks/ips05.pdf · Network Security and Surveillance G. Sivakumar Computer Science and Engineering IIT Bombay [email protected] October 14, 2005

Internet Security Overview Defence: Cryptography Offence: RFIDs and Surveillance

Network Security and Surveillance

G. Sivakumar

Computer Science and EngineeringIIT Bombay

[email protected]

October 14, 2005

1 Internet Security OverviewSome Puzzles

2 Defence: Cryptography

3 Offence: RFIDs and Surveillance

G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]


Internet Security Overview Defence: Cryptography Offence: RFIDs and SurveillanceSome Puzzles

Internet’s Growth and Charter

Information AnyTime, AnyWhere, AnyForm, AnyDevice, ...WebTone like DialTone




Internet’s Dream

Why should a fridge be on Internet?

Will security considerations make this a nightmare?




What are Cyber crimes?

Against People

Cyber Stalking and Harrassment(Child) Pornography

Against Property

CrackingVirus and SpamSoftware/Entertainment Piracy

Cyber Terrorism!




Security Concerns

Match the following!Problems Attackers

Highly contagious viruses Unintended blundersDefacing web pages Disgruntled employees or customers

Credit card number theft Organized crimeOn-line scams Foreign espionage agents

Intellectual property theft Hackers driven by technical challengeWiping out data Petty criminalsDenial of service Organized terror groupsSpam E-mails Information warfare

Reading private files ...Surveillance ...

Crackers vs. Hackers

Note how much resources available to attackers.




Cyber Terrorism?

Some examples from http://cybercrimes.net/

1989: Legion of Doom group took over the BellSouth telephonesystem, tapped phone lines, re-routed calls, ...

1996: A white supremacist movement took out a Massachusettsinternet service provider

1997: A cracker disabled the computer system of an airport controltower at the Worcester, Mass. Airport.

1997: a hacker in Sweden jammed the 911 emergency telephonesystem all throughout west-central Florida.

1998: NASA, Navy, and Defence Department computers wereattacked.

2000: in Maroochy Shire, Australia, a disgruntled consultant hackedinto a waste management control system and released millions ofgallons of raw sewage on the town.

2001: Two post-graduate students cracked a bank system used bybanks and credit card companies to secure the personalidentification numbers of their customers accounts. [38]




Emergency Response: http://www.cert-in.org.in/




Internet Attacks Timeline

From training material at http://www.cert-in.org.in/G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]



Internet Attack Trends

From training material at http://www.cert-in.org.in/




Indian IT Act 2000

Basic Legal Framework

Electronic documents, signatures as evidence

Cyber Crimes & Punishments

Secn 43: Damage to Computers/NetworkSecn 65: Tampering source codeSecn 66: “Hacking” (cracking)Secn 67: Obscenity (bazee.com!)Secn 69: Interception

Several Initiatives (PKI, CERT-IN, Cyber cells, ...)




Vulnerabilities

Application Security

Buggy codeBuffer Overflows

Host Security

Server side (multi-user/application)Client side (virus)

Transmission Security




Denial of Service

Small shop-owner versus Supermarket

What can the attacker do?

What has he gained orcompromised?

What defence mechanisms arepossible?

Screening visitors usingguards (who looksrespectable?)VVIP security, but do youwant to be isolated?

what is the Internet equivalent?




Security Requirements

Informal statements (formal is much harder)

Confidentiality Protection from disclosure to unauthorized persons

Integrity Assurance that information has not been modifiedunauthorizedly.

Authentication Assurance of identity of originator of information.

Non-Repudiation Originator cannot deny sending the message.

Availability Not able to use system or communicate when desired.

Anonymity/Pseudonomity For applications like voting, instructorevaluation.

Traffic Analysis Should not even know who is communicating withwhom. Why?

Emerging Applications Online Voting, Auctions (more later)

And all this with postcards (IP datagrams)!G. Sivakumar Computer Science and Engineering IIT Bombay [email protected]



Exchanging Secrets

Goal

A and B to agree on a secret number. But, C can listen to all theirconversation.

Solution?

A tells B: I’ll send you 3 numbers. Let’s use their LCM as the key.




Exchanging Secrets

Goal

A and B to agree on a secret number. But, C can listen to all theirconversation.

Solution?

A tells B: I’ll send you 3 numbers. Let’s use their LCM as the key.




Mutual Authentication

Goal

A and B to verify that both know the same secret number. Nothird party (intruder or umpire!)

Solution?

A tells B: I’ll tell you first 2 digits, you tell me the last two...




Mutual Authentication

Goal

A and B to verify that both know the same secret number. Nothird party (intruder or umpire!)

Solution?

A tells B: I’ll tell you first 2 digits, you tell me the last two...




Cryptography and Data Security

sine qua non [without this nothing :-]

Historically who used first? (L & M)

Code Language in joint families!




Symmetric/Private-Key Algorithms




Asymmetric/Public-Key Algorithms

Keys are duals (lock with one, unlock with other)

Cannot infer one from other easily

How to encrypt? How to sign?




One way Functions

Mathematical Equivalents

Factoring large numbers (product of 2 large primes)

Discrete Logarithms




Security Mechanisms

System Security: “Nothing bad happens to my computersand equipment”virus, trojan-horse, logic/time-bombs, ...

Network Security:Authentication Mechanisms “you are who you say you are”Access Control Firewalls, Proxies “who can do what”

Data Security: “for your eyes only”

Encryption, Digests, Signatures, ...




Security Mechanisms








Security Mechanisms








Network Security Mechanism Layers

Cryptograhphic Protocols underly all security mechanisms. RealChallenge to design good ones for key establishment, mutualauthentication etc.




What is RFID?

Not just super barcode.

Already in use by Andhra Pradesh police?




How RFID works




RFID Tags

Passive

Cheapest: no battery in tagAll power comes from reader

Semi Passive

With batteriesImproved performance and reliabilityIncreased size and cost

Active

High performance and costActive




Privacy Concerns




RFID Applications

Payment

Toll collectionFuel payment (Speedpass)ParkingPre-payment card (Dexit)

Supply Chain Mgmt

LogisticsInventory Mgmt

Asset Tracking

High value assetsRe-useable containersShipping containersInventory

Access Control

Card KeysAutomotive anti-theft

Anti-theft

ShrinkageAutomotive anti-theft

Track & Trace

FoodPharmaceuticalsBooksParts/lots trackingApparel




References

Books

TCP/IP Illustrated by Richard Stevens, Vols 1-3,Addison-Wesley.Applied Cryptography - Protocols, Algorithms, and SourceCode in C by Bruce Schneier, Jon Wiley & Sons, Inc. 1996Cryptography and Network Security: Principles and Practiceby William Stallings (2nd Edition), Prentice Hall Press; 1998.Practical Unix and Internet Security, Simson Garfinkel andGene Spafford, O’Reilly and Associates, ISBN 1-56592-148-8.

Web sites

www.cerias.purdue.edu (Centre for Education and Research inInformation Assurance and Security)www.sans.org (System Administration, Audit, NetworkSecurity)cve.mitre.org (Common Vulnerabilities and Exposures)csrc.nist.gov (Computer Security Resources Clearinghouse)www.vtcif.telstra.com.au/info/security.html



Documents

Network Security and Surveillancesiva/talks/ips05.pdf · Network Security and Surveillance G. Sivakumar Computer Science and Engineering IIT Bombay [email protected] October 14, 2005