Department of Informatics Lecture MINF4221: IT Security FS 2021 / Course No. 3089 Prof. Dr. Rolf Oppliger Version: 8.3.2021 Department of Informatics Lecturer − University of Zurich (adjunct professor) − eSECURITY Technologies Rolf Oppliger (founder and owner) − Swiss National Cyber Security Centre NCSC (scientific employee) − Artech House (author and series editor for information security and privacy) → rolf-oppliger.ch or rolf-oppliger.com FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 2 Department of Informatics Terms of Use This work is published with a Creative Commons Attribution No Derivatives (CC BY-ND) 4.0 license → http://creativecommons.org/licenses/by-nd/4.0/ No Derivative Work Attribution Creative Commons (version 4.0) FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 3 Department of Informatics Schedule – February 22, 2021 (~ slides 1 – 61) – March 8, 2021 (~ slides 62 – 107) – March 22, 2021 (~ slides 108 – 156) – March 29, 2021 (~ slides 157 – 208) The lectures are recorded in MS Teams and the – April 26, 2021 (~ slides 209 – 246) recordings are made available for later use. – May 10, 2021 (~ slides 247 – 299) If you want to ask questions without being recorded, – May 17, 2021 (~ slides 300 – 341) then you can either use the chat function or ask the – May 31, 2021 (reserve) question off-the-record (e.g., using phone or e-mail). – June 21, 2021 (exam) FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 4 Department of Informatics Recommended Reading – Matt Bishop, Computer Security: Art and Science, 2nd Edition, ISBN 9780321712332, Addison-Wesley Professional, 2019 – Matt Bishop, Introduction to Computer Security, ISBN 9780321247445, Addison- Wesley Professional, 2004 – Charles P. Pfleeger and Shari L. Pfleeger, Security in Computing, 5th Edition, ISBN 9780134085043, Prentice Hall, 2015 – Charles P. Pfleeger and Shari L. Pfleeger, Analyzing Computer Security: A Threat / Vulnerability / Countermeasure Approach, ISBN 9780132789462, Prentice Hall, 2012 – William Stallings and Lawrie Brown, Computer Security: Principles and Practice, 4th Edition, ISBN 9780134794105, Pearson, 2017 Specific topics → Artech House’s book series on information security and privacy FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 5 Department of Informatics Table of Contents Challenge me ! 1. Introduction [~ 10%] 2. Computer Security [~ 25%] 3. Communication Security [~ 25%] 4. Operational Environments and Applications [~ 25%] 5. Privacy and Data Protection [~ 10%] 6. Conclusions and Outlook [~ 5%] – The lecture mandates a self-study of the cryprographic fundamentals based on two chapters of a draft version of an upcoming book entitled «Cryptography 101: From Theory to Practice» – Questions can be asked during the lecture – Presentation of partiular cryptosystems (e.g., AES, RSA, DH, … ) is optional and available on request – Collective and individual execises are marked with a blue blackground FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 6 Department of Informatics Cryptography is everywhere FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 7 Department of Informatics Operation schedule of cryptography – Make precise statements about a practical (security) problem, e.g., protect the confidentiality of a message → definitions and assumptions – Propose solutions (i.e., algorithms or protocols) that solve the problem under the given assumptions – Prove the security of these solutions → proofs Cryptosystem Keyless Secret Key (symmetric) Public Key (asymmetric) • Random generators • Pseudorandom generators (e.g., key derivation) • Key exchange • Random functions • Pseudorandom functions • Asymmetric encryption • One-way functions • Symmetric encryption • Digital signatures • Cryptographic hash functions • Message authentication • Cryptographic protocols • Authentic encryption FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 8 Department of Informatics Limitations of cryptography – An implementation of a theoretically secure cryptosystem need not be secure in practice – Mind experiment / puzzle (due to Artur Ekert) → page 14, mind experiment 2 – Two rooms – One with 3 light switches and the other with 3 light bulbs – The wiring of the light switches and bulbs is unknown – The adversary has to find out the wiring, but he or she can enter each room only once A B C 1 2 3 – Theorist (e.g., mathematician): (Provably) impossible to solve (even for n>2 room entries and n+1 switches/bulbs) – Prcatitioner (e.g., physician): Permanently light on one bulb, light on another bulb for some time → the second one can be identified due to its heat – Beware of side channels and new ways of solving problems and breaking systems FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 9 Department of Informatics Quotes … (still related to cryptography) Necessity is the mother of invention, and computer networks are the mother of modern cryptography - Ronald L. Rivest (1997*) * In: CRYPTOGRAPHY AS DUCT TAPE → http://people.csail.mit.edu/rivest/Ducttape.txt Any sufficiently advanced technology is indistinguishable from magic - Arthur C. Clarke (1917 - 2008) James L. Massey, 2001 Dieter Gollmann, 2011 Cryptography – Science Cryptography – Magic, Science, or or Magic? Science Fiction? FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 10 Department of Informatics 1. Introduction 1.1 Terminology 1.2 Problem Statement 1.3 Security Metrics 1.4 Security Process 1.5 Security Principles 1.6 Standards and Best Practices FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 11 Department of Informatics Collective Exercise – Who has experienced a cyber attack? – Who remembers a cyber attack (from the media)? Alcoholics Anonymous FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 12 Department of Informatics Introduction 1.1 Terminology – The term security is hard to define → unanymously agreed definition – It is a state in which one experiences no (relevant) threat or security breach – It is neither possible to enumarate all possible (relevant) threats nor to verify their nonexistence → security can not be attested objectively or measured in a meaningful way – Instead, the notion of security is highly subjective Perceived security – What is «secure» or «insecure» depends on the per- son and his or her willingness to take risks – This may be perceived differently by different people – Characteristic function for the (subjective) perception of security (in approximated form) – Also, the notion of security is situational and always Time depends on many factors and circumstances 1st event 2nd event FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 13 Department of Informatics Introduction Terminology – In the English language, there are two related (complementary) terms – Safety refers to protection against unintended incidents → availlability, reliability, and stability – Security refers to protection against intended incidents and attacks → lack of security breaches – In the German language, the terms «Verlässlichkeit» or «Resilienz» («Widerstandsfähigkeit») are sometimes used to refer to safety and security – Information is a fourth production factor (in addition to ground, Information capital, and work) – As we are moving from an industrialized information society, infor- Work mation technology (IT) is getting more and more important – This also applies to IT security and the need to protect IT resources Ground against incidents and attacks Capital FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 14 Department of Informatics Introduction Terminology – IT security mainly focuses on the secure storage, processing, and transmission of data that encodes information in one way or another – Security goals – Availability – Confidentiality / secrecy – Integrity – Authenticity – Nonrepudiation / transparency – Accountability / traceability (CIA) – Anonymity – Pseudonymity – ... FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 15 Department of Informatics Introduction Threats Terminology – The following terms are important to meaningfully argue about (IT) security – Threat Vulnerability or – Vulnerability / weakness weakness – Countermeasure – Security breach Layers of defense (~ countermeasures) – The Swiss cheese model (attributed to James Reason) can be used to explain the terms and Security breach put them into perspective FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 16 Department of Informatics Individual Exercise – Take a real-world situation of your choice (e.g., a house, a stay in a foreign city, … ) and use the Swiss cheese model to discuss the relevant – Threats – Vulnerabilities – Countermeasures – Possible security breaches FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 17 Department of Informatics Introduction 1.2 Problem Statement – Key question in IT security How can one protect a computer system and its resources (mainly data) against attacks from the inside or outside? – Due to the asymmetric workload, it is possible and very likely that many attacks are mounted and that some of them are successful – There are many possibilities to attack a computer system (e.g., DDoS) – Direct attacks can sometimes be mitigated using technical means and countermeasures – Indirect attacks are simple to mount but difficult to mitigate → tend to be very powerful (e.g., social engineering attacks) FS 2021 IT Security (MINF4221), Prof. Dr. Rolf Oppliger Slide 18 Department of Informatics
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages341 Page
-
File Size-