Information Security: Principles and Practice Second Edition. Mark Stamp

Size: px

Start display at page:

Download "Information Security: Principles and Practice Second Edition. Mark Stamp"

Eileen Smith
5 years ago
Views:

1 Information Security: Principles and Practice Second Edition Mark Stamp August 10, 2009

2 Contents Preface Second Edition Preface About The Author Acknowledgments xvii xix xxiii xxv 1 Introduction The Cast of Characters Alice s Online Bank Confidentiality, Integrity, and Availability Beyond CIA About This Book Cryptography Access Control Protocols Software The People Problem Principles and Practice Problems I Crypto 17 2 Crypto Basics Introduction How to Speak Crypto Classic Crypto Simple Substitution Cipher Cryptanalysis of a Simple Substitution Definition of Secure Double Transposition Cipher vii

3 viii CONTENTS One-Time Pad Project VENONA Codebook Cipher Ciphers of the Election of Modern Crypto History A Taxonomy of Cryptography A Taxonomy of Cryptanalysis Summary Problems Symmetric Key Crypto Introduction Stream Ciphers A5/ RC Block Ciphers Feistel Cipher DES Triple DES AES Three More Block Ciphers TEA Block Cipher Modes Integrity Summary Problems Public Key Crypto Introduction Knapsack RSA Textbook RSA Example Realistic RSA Example Repeated Squaring Speeding Up RSA Diffie-Hellman Realistic Diffie-Hellman Example Elliptic Curve Cryptography Elliptic Curve Math Realistic Elliptic Curve Example ECC Diffie-Hellman Public Key Notation Uses for Public Key Crypto

4 CONTENTS ix Confidentiality in the Real World Signatures and Non-repudiation Confidentiality and Non-repudiation Public Key Infrastructure Summary Problems Hash Functions and Other Topics Introduction What is a Cryptographic Hash Function? The Birthday Problem Non-Cryptographic Hashes Tiger Hash HMAC Uses of Hash Functions Online Bids Spam Reduction Other Crypto-Related Topics Secret Sharing Key Escrow Visual Cryptography Random Numbers Texas Hold em Poker Generating Random Bits Information Hiding Summary Problems Advanced Cryptanalysis Introduction Linear and Differential Cryptanalysis Quick Review of DES Overview of Differential Cryptanalysis Overview of Linear Cryptanalysis Tiny DES Differential Cryptanalysis of TDES Linear Cryptanalysis of TDES Block Cipher Design Timing Attack on RSA Lattice Reduction and the Knapsack Hellman s Time-Memory Trade-Off Popcnt Cryptanalytic TMTO

5 x CONTENTS Misbehaving Chains Success Probability Summary Problems II Access Control Authentication Introduction Authentication Methods Passwords Keys Versus Passwords Choosing Passwords Attacking Systems via Passwords Password Verification Math of Password Cracking Other Password Issues Biometrics Types of Errors Biometric Examples Fingerprints Hand Geometry Iris Scan Biometric Error Rates Biometric Conclusions Something You Have Two-Factor Authentication Single Sign-On and Web Cookies Summary Problems Authorization Introduction A Brief History of Authorization The Orange Book The Common Criteria Access Control Matrix ACLs and Capabilities Confused Deputy Multilevel Security Models Bell-LaPadula Biba s Model

6 CONTENTS xi 8.5 Multilateral Security Covert Channel Inference Control CAPTCHA Firewalls Packet Filter Stateful Packet Filter Application Proxy Personal Firewall Defense in Depth Intrusion Detection Signature-Based IDS Anomaly-Based IDS Summary Problems III Protocols Simple Authentication Protocols Introduction Simple Security Protocols Authentication Protocols Authentication Using Symmetric Keys Authentication Using Public Keys Session Keys Perfect Forward Secrecy Mutual Authentication, Session Key, and PFS Timestamps Authentication and TCP Zero Knowledge Proofs The Best Authentication Protocol? Summary Problems Real-World Security Protocols Introduction SSH SSL SSL and the Man-in-the-Middle SSL Connections SSL Versus IPSec IPSec

7 xii CONTENTS IKE Phase 1: Digital Signature IKE Phase 1: Symmetric Key IKE Phase 1: Public Key Encryption IPSec Cookies IKE Phase 1 Summary IKE Phase IPSec and IP Datagrams Transport and Tunnel Modes ESP and AH Kerberos Kerberized Login Kerberos Ticket Kerberos Security WEP WEP Authentication WEP Encryption WEP Integrity Check Other WEP Issues WEP: The Bottom Line Real Security for the Wireless LAN GSM GSM Architecture GSM Security Architecture Anonymity Authentication Confidentiality GSM Authentication Protocol GSM Security Flaws Crypto Flaws Invalid Assumptions SIM Attacks Fake Base Station GSM Conclusions GPP Summary Problems IV Software Software Flaws and Malware Introduction Software Flaws

8 CONTENTS xiii Buffer Overflow Smashing the Stack Stack Smashing Example Stack Smashing Prevention Buffer Overflow: The Last Word Incomplete Mediation Race Conditions Malware Brain Morris Worm Code Red SQL Slammer Trojan Example Malware Detection Signature Detection Change Detection Anomaly Detection The Future of Malware Cyber Diseases Versus Biological Diseases Miscellaneous Software-Based Attacks Salami Attacks Linearization Attacks Time Bombs Trusting Software Summary Problems Insecurity in Software Introduction Software Reverse Engineering Anti-Disassembly Techniques Anti-Debugging Techniques Software Tamper Resistance Guards Obfuscation Metamorphism Revisited Digital Rights Management What is DRM? A Real-World DRM System DRM for Streaming Media DRM for a P2P Application DRM in the Enterprise DRM Failures

9 xiv CONTENTS DRM Conclusions Software Development Open Versus Closed Source Software Finding Flaws Other Software Development Issues Summary Problems Operating Systems and Security Introduction Operating System Security Functions Separation Memory Protection Access Control Trusted Operating System MAC, DAC, and More Trusted Path Trusted Computing Base Next Generation Secure Computing Base NGSCB Feature Groups Process Isolation Sealed Storage Secure Path Attestation NGSCB Compelling Applications Criticisms of NGSCB Summary Problems Appendix 455 A-1 Network Security Basics A-1.1 Introduction A-1.2 The Protocol Stack A-1.3 Application Layer A-1.4 Transport Layer A-1.5 Network Layer A-1.6 Link Layer A-1.7 Conclusions A-2 Math Essentials A-2.1 Modular Arithmetic A-2.2 Permutations A-2.3 Probability A-2.4 Linear Algebra

10 CONTENTS xv A-3 DES S-Boxes Annotated Bibliography 475

Babu Madhav Institute of Information Technology, UTU 2016

Babu Madhav Institute of Information Technology, UTU 2016 060010504 Information Security Unit 1 Introduction of Information Security SHORT QUESTIONS: 1. Suppose Akbar starts Online banking which name is AOB (Akbar s Online Bank).What kind of aspects are needed