CSCE 813 Internet Security Final Exam Preview

Transcription

1 CSCE 813 Internet Security Final Exam Preview Professor Lisa Luo Fall 2017

2 Coverage All contents! Week1 ~ Week 15 The nature of the exam: 12 questions: 3 multiple choices questions 1 true or false question 8 short answer questions Time: 12/12 1:15pm ~ 3:00pm 2

3 Week 1 ~ Week 9 CIA+AA of Internet Security Cryptographic Tools: Symmetric encryption Asymmetric encryption Hash function Message authentication code Digital signature Two ways of establishing the secret key Use asymmetric crypto Public key distribution (?) Use Diffie-Hellman key agreement PKI and X.509 Certs Protocols HTTPS and TLS Kerberos HTTPS TLS Handshake HTTPS and Lock Icon Problems with HTTPS Invalid certs Mixed content Kerberos User authentication Message authentication How to change passwords? 3

4 Passive attacks Active attacks Model of Internet Security Establishing secret key o Use asymmetric crypto o DH key agreement Internet M M M M Public key distribution o X.509 Certs Goal: CIA+AA Tools: Cryptographic tools Schemes: Three communication channel schemes 4

5 Protocol: HTTPS Passive attacks Active attacks TLS Handshake 1. Establishing secret key o Use asymmetric crypto o DH key agreement 2. Server authentication o X.509 Certs (public key distribution) Internet M M M M HTTPS Goal: CIA+AA Tools: Cryptographic tools Schemes: Three communication channel schemes 5

6 Protocol: Kerberos Passive attacks Active attacks Intranet Kerberos 1. Authentication server 2. Ticket-granting server 3. Password-changing server 6

7 Week 1 ~ Week 9 Please refer to the midterm exam preview slides 7

8 Week 10 Mobile Phone Security Android Background Android system architecture UID DVM; DEX bytecode Three Android Security Problems: Android App Repackaging Android System Access Control Information Leakage via Logs TaintDroid 8

9 Week 10 Android App Repackaging Android APK generation process Why it is easy to repackage an App Countermeasures 9

10 Week 10 Android System Access Control How does Android system control resource access? Three mechanisms: Android permission: controlling system resources Android app UID: controlling app resources Android app package name: controlling app resource 10

11 Week 10 TaintDroid What is taint analysis? How it works? Taint sources: taint seed What you are tracking? Taint policy: taint tracker How do you track? Taint sinks: taint assert When and where will you check? 11

12 Week 12 11/07 Network Access Control Authorization vs. Authentication Access control policy: subject + object + operation Access matrix Network access enforcement methods IEEE 802.1X used in Ethernet, Wifi Firewall 12

13 Week 12 11/07 Firewall Packet filtering firewalls Know how to interpret the firewall rules limitations Stateful inspection firewalls Application-level gateways Circuit-level gateways 13

14 Week 12 11/09 Cloud Security Why do we need cloud computing? Three models of cloud service Software as a service (SaaS) Platform as a service (PaaS) Infrastructure as a service (IaaS) Cloud security risks Abuse of cloud computing Insecure interfaces and APIs Account or service hijacking Data loss or leakage Data protection in the cloud Basic requirement: encrypt data + access control 14

15 Week 13 ~ Week 14 security Internet Mail Architecture Protocols SMTP IMPA or POP MIME When SMTP is used and When IMPA/POP is used? Secure Protocols SMTP over TLS S/MIME 15

16 Week 13 ~ Week 14 Security PGP services Authentication Confidentiality Compression Segmentation PGP key management Session key Public key Private key Passphrase-based key PGP vs. PKI PGP: Web of Trust or decentralized trust PKI: Centralized Trust 16

17 Put Together

18 Web Applications Protocols: TLS; HTTPS;Kerberos; SMTP over TLS; PGP; Establishing secrete key: Asymmetric crypto Diffie-Hallman key agreement Distributing public key: PKI PGP Cryptographic tools: Symmetric encryption; Asymmetric encryption; Hash function;mac; Digital signature Security objectives: CIA + AA 18

19 19