Chapter 6 Security and Protection

The document discusses security and protection principles in computing, emphasizing the importance of access control, user authentication, and the prevention of unauthorized actions. It outlines various types of security violations, the goals of protection systems, and the mechanisms for enforcing security policies, including access matrices and role-based access control. Additionally, it highlights the need for dynamic revocation of access rights and the various levels of protection, from physical to network security.

Uploaded by

fikadu.meu.edu

Security and Protection

Chapter 6
Protection
Control access by limiting the file types accessed by different users.
Only authorized processes can operate on memory segments, the CPU and other resources.
Security
Protect information integrity by ensuring
authentication of system users
Prevent unauthorized access
Prevent malicious destruction of data
Prevent accidental introduction of
inconsistency
Security vs. Protection
Security takes into consideration the protection system, which is strictly internal, as well as the external environment in which the system operates.
Security violations can be malicious or accidental.
Security (Contd.)
Malicious violations
Unauthorized reading of data
Unauthorized writing of data
Unauthorized destruction of data
Preventing legitimate system use (Denial of
service)
Goals of Protection
Obviously to prevent malicious misuse of the
system by users or programs.
To ensure that each shared resource is used
only in accordance with system policies,
which may be set either by system designers or
by system administrators.
To ensure that errant programs cause the
minimal amount of damage possible.
Note that protection systems only provide
the mechanisms for enforcing policies and
ensuring reliable systems. It is up to
administrators and users to implement those
mechanisms effectively.
Principles of Protection
The principle of least privilege dictates that
programs, users, and systems be given just
enough privileges to perform their tasks.
This ensures that failures do the least possible harm, and that the least possible harm can be done deliberately.
Typically each user is given their own account, and
has only enough privilege to modify their own
files.
The root account should not be used for normal day-to-day activities. The system administrator should also have an ordinary account, and reserve use of the root account for only those tasks which need root privileges.
Domain of Protection
A computer can be viewed as a collection
of processes and objects ( both HW & SW ).
The need to know principle states that a
process should only have access to those
objects it needs to accomplish its task, and
furthermore only in the modes for which it
needs access and only during the time frame
when it needs access.
The modes available for a particular object
may depend upon its type.
Domain Structure
• A protection domain specifies the resources that a process may access.
• Each domain defines a set of objects and the types of operations that may be invoked on each object.
• An access right is the ability to execute an operation on an object.
• A domain is defined as a set of < object, { access right set } > pairs, as shown below. Note that some domains may be disjoint while others overlap.
System with three protection
domains
The association between a process and a
domain may be static or dynamic.
If the association is static, then the need-to-
know principle requires a way of changing the
contents of the domain dynamically.
If the association is dynamic, then there needs
to be a mechanism for domain switching.
Domains may be realized in different fashions
- as users, or as processes, or as procedures.
E.g. if each user corresponds to a domain,
then that domain defines the access of that
user, and changing domains involves changing
user ID.
An Example: UNIX
UNIX associates domains with users.
Certain programs operate with the SUID bit set,
which effectively changes the user ID, and therefore the
access domain, while the program is running. ( and
similarly for the SGID bit. ) Unfortunately this has some
potential for abuse.
An alternative used on some systems is to place
privileged programs in special directories, so that
they attain the identity of the directory owner when they
run. This prevents crackers from placing SUID programs
in random directories around the system.
Yet another alternative is to not allow the changing of
ID at all. Instead, special privileged daemons are
launched at boot time, and user processes send
messages to these daemons when they need special
tasks performed.
An example: MULTICS
The MULTICS system uses a complex
system of rings, each corresponding to a
different protection domain, as shown:
Rings are numbered from 0 to 7, with outer rings
having a subset of the privileges of the inner rings.
Each file is a memory segment, and each segment
description includes an entry that indicates the ring
number associated with that segment, as well as
read, write, and execute privileges.
Each process runs in a ring, according to
the current-ring-number, a counter associated with
each process.
A process operating in one ring can only access
segments associated with higher ( farther out )
rings, and then only according to the access bits.
Processes cannot access segments associated with
lower rings.
• Domain switching is achieved by a process in one ring calling upon a process operating in a lower ring, which is controlled by several factors stored with each segment descriptor:
  • An access bracket, defined by integers b1 <= b2.
  • A limit b3 > b2.
  • A list of gates, identifying the entry points at which the segments may be called.
• If a process operating in ring i calls a segment whose bracket is such that b1 <= i <= b2, then the call succeeds and the process remains in ring i.
• Otherwise a trap to the OS occurs, and is handled as follows:
  • If i < b1, then the call is allowed, because we are transferring to a procedure with fewer privileges. However, if any of the parameters being passed are of segments below b1, then they must be copied to an area accessible by the called procedure.
  • If i > b2, then the call is allowed only if i <= b3 and the call is directed to one of the entries on the list of gates.
• Overall this approach is more complex and less efficient than other protection schemes.
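The ring-call rules just listed, worked through as an added example (our own code, not from the slides and not MULTICS's); the segment_desc struct, its field names and the sample bracket values in ring_call_demo() are constructed for illustration:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Possible outcomes of a process in ring i calling into a segment. */
typedef enum {
    CALL_DIRECT,       /* b1 <= i <= b2: no trap, process stays in ring i */
    CALL_OUTWARD,      /* i < b1: allowed; parameters from rings below b1 must be copied */
    CALL_INWARD_GATE,  /* i > b2, i <= b3 and entry is a listed gate: allowed */
    CALL_DENIED        /* i > b3, or an inward call not directed at a gate */
} ring_call_result;

/* Constructed stand-in for the part of a segment descriptor that governs
   domain switching (field names are ours, not MULTICS's). */
typedef struct {
    int b1, b2;        /* access bracket, b1 <= b2 */
    int b3;            /* limit, b3 > b2 */
    const int *gates;  /* entry points callable from outside the bracket */
    size_t ngates;
} segment_desc;

static bool is_gate(const segment_desc *seg, int entry)
{
    for (size_t k = 0; k < seg->ngates; k++)
        if (seg->gates[k] == entry)
            return true;
    return false;
}

/* Apply the slide's rules: direct call inside the bracket, outward call
   below it, inward call only through a gate and only up to the limit b3. */
ring_call_result ring_call(int i, const segment_desc *seg, int entry)
{
    if (seg->b1 <= i && i <= seg->b2)
        return CALL_DIRECT;
    if (i < seg->b1)
        return CALL_OUTWARD;          /* caller is more privileged than the callee */
    if (i <= seg->b3 && is_gate(seg, entry))
        return CALL_INWARD_GATE;      /* trap handled: gated entry from a less privileged ring */
    return CALL_DENIED;
}

/* Sample segment (constructed): bracket [2,4], limit 6, two gate entry points. */
ring_call_result ring_call_demo(int i, int entry)
{
    static const int gates[] = { 0x100, 0x200 };
    const segment_desc seg = { 2, 4, 6, gates, 2 };
    return ring_call(i, &seg, entry);
}

int main(void)
{
    static const char *names[] = { "direct", "outward", "inward via gate", "denied" };
    for (int i = 0; i <= 7; i++)
        printf("ring %d calling entry 0x100 -> %s\n", i, names[ring_call_demo(i, 0x100)]);
    return 0;
}
```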
Access Matrix
The model of protection that we have been discussing can be
viewed as an access matrix, in which columns represent
different system resources and rows represent different
protection domains. Entries within the matrix indicate what
access that domain has to that resource.
• Domain switching can be easily supported under this model, simply by providing "switch" access to other domains.
• The ability to copy rights is denoted by an asterisk, indicating that processes in that domain have the right to copy that access within the same column, i.e. for the same object. There are two important variations:
  • If the asterisk is removed from the original access right, then the right is transferred, rather than being copied. This may be termed a transfer right as opposed to a copy right.
  • If only the right and not the asterisk is copied, then the access right is added to the new domain, but it may not be propagated further. That is, the new domain does not also receive the right to copy the access. This may be termed a limited copy right, as shown below:
Access matrix with copy rights
The owner right adds the privilege of adding new rights or removing existing ones:
Copy and owner rights only allow the modification of
rights within a column. The addition of control rights,
which only apply to domain objects, allow a process
operating in one domain to affect the rights available in
other domains. For example in the table below, a process
operating in domain D2 has the right to control any of the
rights in domain D4.
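The copy, transfer, limited-copy, owner, control and switch rights described above, carried through as an added example (our own code, not from the slides). The rights bitmask, the copy_mode names and the four-domain, three-file table built by sample_matrix() are constructed and do not reproduce the slides' figures:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NDOM  4                   /* domains D1..D4 are row indices 0..3 */
#define NFILE 3                   /* file objects F1..F3 are columns 0..2 */
#define NOBJ  (NFILE + NDOM)      /* domains also appear as objects (columns) */
#define DOMOBJ(d) (NFILE + (d))   /* column of domain d when treated as an object */

enum { R_READ = 1, R_WRITE = 2, R_EXEC = 4, R_OWNER = 8, R_CONTROL = 16, R_SWITCH = 32 };
typedef enum { MODE_COPY, MODE_TRANSFER, MODE_LIMITED } copy_mode;

typedef struct {
    unsigned rights[NDOM][NOBJ];    /* access(i, j): rights domain i holds on object j */
    unsigned copyable[NDOM][NOBJ];  /* subset of those rights that carry the asterisk */
} access_matrix;

bool has_right(const access_matrix *m, int d, int o, unsigned r)
{
    return (m->rights[d][o] & r) == r;
}

/* Copy right r on object o from domain src to domain dst. Only a starred
   right may be copied, and only within the same column (same object). */
bool copy_right(access_matrix *m, int src, int dst, int o, unsigned r, copy_mode mode)
{
    if (!has_right(m, src, o, r) || !(m->copyable[src][o] & r))
        return false;                         /* src lacks the right, or it is not starred */
    m->rights[dst][o] |= r;
    switch (mode) {
    case MODE_COPY:                           /* dst gets the right and the asterisk */
        m->copyable[dst][o] |= r;
        break;
    case MODE_TRANSFER:                       /* right and asterisk move; src loses both */
        m->copyable[dst][o] |= r;
        m->rights[src][o] &= ~r;
        m->copyable[src][o] &= ~r;
        break;
    case MODE_LIMITED:                        /* dst gets the right but cannot pass it on */
        m->copyable[dst][o] &= ~r;
        break;
    }
    return true;
}

/* Owner right: the owner of object o may add or remove rights in o's column. */
bool owner_set_right(access_matrix *m, int owner, int target, int o, unsigned r, bool grant)
{
    if (!has_right(m, owner, o, R_OWNER))
        return false;
    if (grant) {
        m->rights[target][o] |= r;
    } else {
        m->rights[target][o] &= ~r;
        m->copyable[target][o] &= ~r;
    }
    return true;
}

/* Control right (domain objects only): a domain holding control over domain
   target may remove any right from target's row. */
bool control_remove(access_matrix *m, int ctl, int target, int o, unsigned r)
{
    if (!has_right(m, ctl, DOMOBJ(target), R_CONTROL))
        return false;
    m->rights[target][o] &= ~r;
    m->copyable[target][o] &= ~r;
    return true;
}

/* Domain switching: permitted iff the current domain has "switch" access to
   the destination domain object. Returns the new domain, or -1 if denied. */
int switch_domain(const access_matrix *m, int cur, int to)
{
    return has_right(m, cur, DOMOBJ(to), R_SWITCH) ? to : -1;
}

/* Constructed sample table: D1 holds read* and execute on F1 and owns F2,
   D1 may switch to D2, and D2 controls D4. */
void sample_matrix(access_matrix *m)
{
    memset(m, 0, sizeof *m);
    m->rights[0][0] = R_READ | R_EXEC;
    m->copyable[0][0] = R_READ;
    m->rights[0][1] = R_OWNER;
    m->rights[0][DOMOBJ(1)] = R_SWITCH;
    m->rights[1][DOMOBJ(3)] = R_CONTROL;
}

int main(void)
{
    access_matrix m;
    sample_matrix(&m);
    printf("D1 -> D2 switch: %d\n", switch_domain(&m, 0, 1));
    printf("limited copy of read on F1 to D2: %d\n", copy_right(&m, 0, 1, 0, R_READ, MODE_LIMITED));
    printf("D2 passing read on to D3 (should fail): %d\n", copy_right(&m, 1, 2, 0, R_READ, MODE_COPY));
    return 0;
}
```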
Implementation of Access Matrix
Global Table
• The simplest approach is one big global table with < domain, object, rights > entries.
• Unfortunately this table is very large ( even if sparse ) and so cannot be kept in memory ( without invoking virtual memory techniques. )
• There is also no good way to specify groupings - If everyone has access to some resource, then it still needs a separate entry for every domain.
Access Lists for Objects
• Each column of the table can be kept as a list of the access rights for that particular object, discarding blank entries.
• For efficiency a separate list of default access rights can also be kept, and checked first.
Capability Lists for Domains
In a similar fashion, each row of the table can be
kept as a list of the capabilities of that domain.
Capability lists are associated with each domain,
but not directly accessible by the domain or any
user process.
Capability lists are themselves protected
resources, distinguished from other data in one
of two ways:
• A tag, possibly hardware implemented, distinguishing this special type of data. ( Other types may be floats, pointers, booleans, etc. )
• The address space for a program may be split into multiple segments, at least one of which is inaccessible by the program itself, and used by the operating system for maintaining the process's access right capability list.
A Lock-Key Mechanism
Each resource has a list of unique bit patterns,
termed locks.
Each domain has its own list of unique bit
patterns, termed keys.
Access is granted if one of the domain's keys fits
one of the resource's locks.
Again, a process is not allowed to modify its own
keys.
Comparison
Each of the methods here has certain
advantages or disadvantages, depending on the
particular situation and task at hand.
Many systems employ some combination of the
listed methods.
Access Control
• Role-Based Access Control, RBAC, assigns privileges to users, programs, or roles as appropriate, where "privileges" refer to the right to call certain system calls, or to use certain parameters with those calls.
• RBAC supports the principle of least privilege, and reduces the susceptibility to abuse as opposed to SUID or SGID programs.
Revocation of Access Rights
• The need to revoke access rights dynamically raises several questions:
  • Immediate versus delayed - If delayed, can we determine when the revocation will take place?
  • Selective versus general - Does revocation of an access right to an object affect all users who have that right, or only some users?
  • Partial versus total - Can a subset of rights for an object be revoked, or are all rights revoked at once?
  • Temporary versus permanent - If rights are revoked, is there a mechanism for processes to re-acquire some or all of the revoked rights?
• With an access list scheme revocation is easy, immediate, and can be selective, general, partial, total, temporary, or permanent, as desired.
• With capability lists the problem is more complicated, because access rights are distributed throughout the system. A few schemes that have been developed include:
  • Reacquisition - Capabilities are periodically revoked from each domain, which must then re-acquire them.
  • Back-pointers - A list of pointers is maintained from each object to each capability which is held for that object.
  • Indirection - Capabilities point to an entry in a global table rather than to the object. Access rights can be revoked by changing or invalidating the table entry, which may affect multiple processes, which must then re-acquire access rights to continue.
  • Keys - A unique bit pattern is associated with each capability when created, which can be neither inspected nor modified by the process.
The security problem
• Some of the most common types of violations include:
  • Breach of Confidentiality - Theft of private or confidential information, such as credit-card numbers, trade secrets, patents, secret formulas, manufacturing procedures, medical information, financial information, etc.
  • Breach of Integrity - Unauthorized modification of data, which may have serious indirect consequences. For example a popular game or other program's source code could be modified to open up security holes on users' systems before being released to the public.
  • Breach of Availability - Unauthorized destruction of data, often just for the "fun" of causing havoc and for bragging rights. Vandalism of web sites is a common form of this violation.
  • Theft of Service - Unauthorized use of resources, such as theft of CPU cycles, installation of daemons running an unauthorized file server, or tapping into the target's telephone or networking services.
  • Denial of Service, DOS - Preventing legitimate users from using the system, often by overloading and overwhelming the system with an excess of requests for service.
• One common attack is masquerading, in which the attacker pretends to be a trusted third party. A variation of this is the man-in-the-middle, in which the attacker masquerades as both ends of the conversation to two targets.
• A replay attack involves repeating a valid transmission. Sometimes this can be the entire attack ( such as repeating a request for a money transfer ), or other times the content of the original message is replaced with malicious content.
Levels of Protection
1. Physical - The easiest way to steal data is
to pocket the backup tapes. Also, access to
the root console will often give the user
special privileges, such as rebooting the
system as root from removable media. Even
general access to terminals in a computer
room offers some opportunities for an
attacker, although today's modern high-
speed networking environment provides
more and more opportunities for remote
attacks.
2. Human - There is some concern that the humans
who are allowed access to a system be
trustworthy, and that they cannot be coerced into
breaching security. However more and more
attacks today are made via social
engineering, which basically means fooling
trustworthy people into accidentally breaching
security.
Phishing involves sending an innocent-looking e-mail
or web site designed to fool people into revealing
confidential information.
Dumpster Diving involves searching the trash or
other locations for passwords that are written down.
Password Cracking involves divining users' passwords, either by watching them type in their passwords, knowing something about them like their pets' names, or simply trying all words in common dictionaries.
3. Operating System - The OS must protect
itself from security breaches, such as
runaway processes ( denial of service ),
memory-access violations, stack overflow
violations, the launching of programs with
excessive privileges, and many others.
4. Network - As network communications
become ever more important and pervasive
in modern computing environments, it
becomes ever more important to protect this
area of the system. This is a growing area of
concern as wireless communications and
portable devices become more and more
prevalent.
Operating System Security
User authentication
Based on
- User possession (of key or card)
- User knowledge (user identifier +
password)
- User attribute (fingerprint, retina
pattern, signature)
Program Threats
Trojan Horse
• A Trojan Horse is a program that secretly performs some malicious action in addition to its visible actions.
• Some Trojan horses are deliberately written as such, and others are the result of legitimate programs that have become infected with viruses.
• One dangerous opening for Trojan horses is long search paths, and in particular paths which include the current directory ( "." ) as part of the path. If a dangerous program having the same name as a legitimate program ( or a common mis-spelling, such as "sl" instead of "ls" ) is placed anywhere on the path, then an unsuspecting user may be fooled into running the wrong program by mistake.
• Another classic Trojan Horse is a login emulator, which records a user's account name and password, issues a "password incorrect" message, and then logs off the system. The user then tries again ( with a proper login prompt ), logs in successfully, and doesn't realize that their information has been stolen.
• Two solutions to Trojan Horses are to have the system print usage statistics on logouts, and to require the typing of non-trappable key sequences such as Control-Alt-Delete in order to log in. ( This is why modern Windows systems require the Control-Alt-Delete sequence to commence logging in, which cannot be emulated or caught by ordinary programs. I.e. that key sequence always transfers control over to the operating system. )
• Spyware is a version of a Trojan Horse that is often included in "free" software downloaded off the Internet. Spyware programs generate pop-up browser windows, and may also accumulate information about the user and deliver it to some central site. Another common task of spyware is to send out spam e-mail messages, which then purportedly come from the infected user.
Trap Door
• A Trap Door is when a designer or a programmer ( or hacker ) deliberately inserts a security hole that they can use later to access the system.
• Because of the possibility of trap doors, once a system has been in an untrustworthy state, that system can never be trusted again. Even the backup tapes may contain a copy of some cleverly hidden back door.
• A clever trap door could be inserted into a compiler, so that any programs compiled with that compiler would contain a security hole. This is especially dangerous, because inspection of the code being compiled would not reveal any problems.
Logic Bomb
• A Logic Bomb is code that is not designed to cause havoc all the time, but only when a certain set of circumstances occurs, such as when a particular date or time is reached or some other noticeable event.
• A classic example is the Dead-Man Switch, which is designed to check whether a certain person ( e.g. the author ) is logging in every day, and if they don't log in for a long time ( presumably because they've been fired ), then the logic bomb goes off and either opens up security holes or causes other problems.
Stack and Buffer Overflow
This is a classic method of attack, which exploits bugs in system code that allow buffers to overflow. Consider what happens in the following code, for example, if argv[1] exceeds 256 characters:
The strcpy call will overflow the buffer, overwriting adjacent areas of memory.
( The problem could be avoided using strncpy, with a limit of 255 characters copied plus room for the null byte. )
Example of Buffer Overflow Waiting To Happen:

#include <stdio.h>
#include <string.h>              /* declares strcpy */
#define BUFFER_SIZE 256
int main(int argc, char *argv[])
{
    char buffer[BUFFER_SIZE];
    int other_data;              /* lives next to buffer; an overflow clobbers it */

    if (argc < 2)
        return -1;
    else {
        strcpy(buffer, argv[1]); /* no length check: a long argv[1] overruns buffer */
        return 0;
    }
}
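A bounds-checked counterpart to the program above, added as an example (our own code, not the slides'): bounded_copy() refuses any argument that would not fit, and strncpy_copy() is the strncpy variant the text suggests, writing the terminator explicitly because strncpy omits it when the source is too long. The function names are ours.

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 256

/* Copy src into dst, which holds dstsize bytes. Returns 0 on success, or -1
   (leaving dst untouched) if src plus its terminating null would not fit. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n = 0;
    /* Look for the terminator only within the first dstsize bytes of src, so
       an over-long argument is rejected without scanning past what could fit. */
    while (n < dstsize && src[n] != '\0')
        n++;
    if (n == dstsize)
        return -1;                      /* no null within dstsize: too long */
    memcpy(dst, src, n + 1);            /* n + 1 includes the '\0' */
    return 0;
}

/* The strncpy-based fix the slide mentions: at most dstsize-1 bytes copied
   and the last byte forced to '\0'. Returns 1 if src was truncated, else 0. */
int strncpy_copy(char *dst, size_t dstsize, const char *src)
{
    strncpy(dst, src, dstsize - 1);
    dst[dstsize - 1] = '\0';
    return strlen(src) > dstsize - 1;
}

int main(int argc, char *argv[])
{
    char buffer[BUFFER_SIZE];
    int other_data = 42;                /* stays intact no matter how long argv[1] is */

    if (argc < 2)
        return -1;
    if (bounded_copy(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long (limit %d characters)\n", BUFFER_SIZE - 1);
        return 1;
    }
    printf("copied %zu characters; other_data still %d\n", strlen(buffer), other_data);
    return 0;
}
```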
Viruses
• A virus is a fragment of code embedded in an otherwise legitimate program, designed to replicate itself ( by infecting other programs ), and ( eventually ) wreaking havoc.
• Viruses are more likely to infect PCs than UNIX or other multi-user systems, because programs in the latter systems have limited authority to modify other programs or to access critical system structures ( such as the boot block. )
• Viruses are delivered to systems in a virus dropper, usually some form of a Trojan Horse, and usually via e-mail or unsafe downloads.
• Viruses take many forms. The figure below shows the typical operation of a boot sector virus.
A Boot Sector Virus
Forms of Viruses
• File - A file virus attaches itself to an executable file, causing it to run the virus code first and then jump to the start of the original program. These viruses are termed parasitic, because they do not leave any new files on the system, and the original program is still fully functional.
• Boot - A boot virus occupies the boot sector, and runs before the OS is loaded. These are also known as memory viruses, because in operation they reside in memory, and do not appear in the file system.
• Macro - These viruses exist as a macro ( script ) that is run automatically by certain macro-capable programs such as MS Word or Excel. These viruses can exist in word processing documents or spreadsheet files.
• Source code viruses look for source code and infect it in order to spread.
• Polymorphic viruses change every time they spread - Not their underlying functionality, but just their signature, by which virus checkers recognize them.
• Encrypted viruses travel in encrypted form to escape detection. In practice they are self-decrypting, which then allows them to infect other files.
• Stealth viruses try to avoid detection by modifying parts of the system that could be used to detect them. For example the read( ) system call could be modified so that if an infected file is read the infected part gets skipped and the reader would see the original unadulterated file.
• Tunneling viruses attempt to avoid detection by inserting themselves into the interrupt handler chain, or into device drivers.
• Multipartite viruses attack multiple parts of the system, such as files, boot sector, and memory.
• Armored viruses are coded to make them hard for anti-virus researchers to decode and understand. In addition many files associated with viruses are hidden, protected, or given innocuous looking names such as "...".
System and Network Threats
• A worm is a process that uses the fork / spawn process to make copies of itself in order to wreak havoc on a system. Worms consume system resources, often blocking out other, legitimate processes. Worms that propagate over networks can be especially problematic, as they can tie up vast amounts of network resources and bring down large-scale systems.
• One of the most well-known worms was launched by Robert Morris, a graduate student at Cornell, in November 1988. Targeting Sun and VAX computers running BSD UNIX version 4, the worm spread across the Internet in a matter of a few hours, and consumed enough resources to bring down many systems. This worm consisted of two parts:
  1. A small program called a grappling hook, which was deposited on the target system through one of three vulnerabilities, and
  2. The main worm program, which was transferred onto the target system and launched by the grappling hook program.
Vulnerabilities of Morris Internet worm
1. rsh ( remote shell ) is a utility that was in common use at that time for accessing remote systems without having to provide a password. If a user had an account on two different computers ( with the same account name on both systems ), then the system could be configured to allow that user to remotely connect from one system to the other without having to provide a password.
2. finger is a utility that allows one to remotely query a user database, to find the true name and other information for a given account name on a given system.
3. sendmail is a routine for sending and forwarding mail that also included a debugging option for verifying and testing the system. The debug feature was convenient for administrators, and was often left turned on. The Morris worm exploited this debug option to mail and execute a copy of the grappling hook program on the remote system.
Port Scanning
• Port Scanning is technically not an attack, but rather a search for vulnerabilities to attack. The basic idea is to systematically attempt to connect to every known ( or common or possible ) network port on some remote machine, and to attempt to make contact. Once it is determined that a particular computer is listening to a particular port, then the next step is to determine what daemon is listening, and whether or not it is a version containing a known security flaw that can be exploited.
• Because port scanning is easily detected and traced, it is usually launched from zombie systems.
• There are also port scanners available that administrators can use to check their own systems, which report any weaknesses found but which do not exploit the weaknesses or cause any problems. Two such systems are nmap ( http://www.insecure.org/nmap ) and nessus ( http://www.nessus.org ). The former identifies what OS is found, what firewalls are in place, and what services are listening to what ports. The latter also contains a database of known security holes, and identifies any that it finds.
Denial of Service
Denial of Service ( DOS ) attacks do not
attempt to actually access or damage systems,
but merely to clog them up so badly that they
cannot be used for any useful work. Tight loops
that repeatedly request system services are an
obvious form of this attack.
DOS attacks can also involve social engineering,
such as the Internet chain letters that say "send
this immediately to 10 of your friends, and then
go to a certain URL", which clogs up not only
the Internet mail system but also the web
server to which everyone is directed.
Security systems that lock accounts after a
certain number of failed login attempts are
Cryptography as a Security Tool
• Within a given computer the transmittal of messages is safe, reliable and secure, because the OS knows exactly where each one is coming from and where it is going.
• On a network, however, things aren't so straightforward - A rogue computer ( or e-mail sender ) may spoof their identity, and outgoing packets are delivered to a lot of other computers besides their ( intended ) final destination, which brings up two big questions of security:
  • Trust - How can the system be sure that the messages received are really from the source that they say they are, and can that source be trusted?
  • Confidentiality - How can one ensure that the messages one is sending are received only by the intended recipient?
• Cryptography can help with both of these problems, through a system of secrets and keys.
• In the former case, the key is held by the sender, so that the recipient knows that only the authentic author could have sent the message; in the latter, the key is held by the recipient, so that only the intended recipient can receive the message accurately.
• Keys are designed so that they cannot be divined from any public information, and must be guarded carefully.
• ( Asymmetric encryption involves both a public and a private key. )
Encryption
The basic idea of encryption is to encode a
message so that only the desired recipient
can decode and read it.
Encryption has been around since before the
days of Caesar, and is an entire field of study
in itself. Only some of the more significant
computer encryption schemes will be covered
here.
Basic process of Encryption
1. The sender first creates a message, m, in plaintext.
2. The message is then entered into an encryption algorithm, E, along with the encryption key, Ke.
3. The encryption algorithm generates the ciphertext, c = E(Ke)(m). For any key k, E(k) is an algorithm for generating ciphertext from a message, and both E and E(k) should be efficiently computable functions.
4. The ciphertext can then be sent over an insecure network, where it may be received by attackers.
5. The recipient enters the ciphertext into a decryption algorithm, D, along with the decryption key, Kd.
6. The decryption algorithm re-generates the plaintext message, m = D(Kd)(c). For any key k, D(k) is an algorithm for generating a clear text message from a ciphertext, and both D and D(k) should be efficiently computable functions.
7. The algorithms described here must have this important property: Given a ciphertext c, a computer can only compute a message m such that c = E(k)(m) if it possesses D(k). ( In other words, the messages can't be decoded unless you have the decryption algorithm and the decryption key. )
Symmetric Encryption
• With symmetric encryption the same key is used for both encryption and decryption, and must be safely guarded. There are a number of well-known symmetric encryption algorithms that have been used for computer security:
• The Data-Encryption Standard, DES, developed by the National Institute of Standards, NIST, has been the civilian encryption standard for over 20 years. Messages are broken down into 64-bit chunks, each of which is encrypted using a 56-bit key through a series of substitutions and transformations.
• DES is known as a block cipher, because it works on blocks of data at a time. Unfortunately this is a vulnerability if the same key is used for an extended amount of data. Therefore an enhancement is to not only encrypt each block, but also to XOR it with the previous block, in a technique known as cipher-block chaining.
• As modern computers become faster and faster, the security of DES has decreased, to where it is now considered insecure because its keys can be exhaustively searched within a reasonable amount of computer time.
• An enhancement called triple DES encrypts the data three times using three separate keys ( actually two encryptions and one decryption ) for an effective key length of 168 bits. Triple DES is in widespread use today.
• The Advanced Encryption Standard, AES, developed by NIST in 2001 to replace DES, uses key lengths of 128, 192, or 256 bits, and encrypts in blocks of 128 bits using 10 to 14 rounds of transformations on a matrix formed from the block.
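The cipher-block-chaining point above, carried through as an added example (our own code, not the slides', and not DES or AES): a throwaway 64-bit toy block function stands in for the real cipher so the chaining logic can be run, and the two-block sample message in chaining_demo() is constructed to contain a repeated block, which is exactly the case where chaining matters.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLOCK 8      /* 64-bit blocks, as in DES; the block function below is a toy */
#define MSG_LEN 16   /* two blocks in the constructed demo message */

/* Toy block function: XOR with the key, then rotate each byte left by 3.
   It is NOT a secure cipher; it only gives the chaining code something to call. */
static void toy_encrypt_block(const uint8_t key[BLOCK], const uint8_t in[BLOCK], uint8_t out[BLOCK])
{
    for (int i = 0; i < BLOCK; i++) {
        uint8_t x = in[i] ^ key[i];
        out[i] = (uint8_t)((x << 3) | (x >> 5));
    }
}

static void toy_decrypt_block(const uint8_t key[BLOCK], const uint8_t in[BLOCK], uint8_t out[BLOCK])
{
    for (int i = 0; i < BLOCK; i++) {
        uint8_t x = (uint8_t)((in[i] >> 3) | (in[i] << 5));
        out[i] = x ^ key[i];
    }
}

/* ECB: every block is encrypted independently, so equal plaintext blocks
   give equal ciphertext blocks. len must be a multiple of BLOCK. */
void ecb_encrypt(const uint8_t key[BLOCK], const uint8_t *msg, size_t len, uint8_t *out)
{
    for (size_t off = 0; off < len; off += BLOCK)
        toy_encrypt_block(key, msg + off, out + off);
}

/* CBC: each plaintext block is XORed with the previous ciphertext block
   (the IV for the first block) before it is encrypted. */
void cbc_encrypt(const uint8_t key[BLOCK], const uint8_t iv[BLOCK],
                 const uint8_t *msg, size_t len, uint8_t *out)
{
    uint8_t prev[BLOCK], tmp[BLOCK];
    memcpy(prev, iv, BLOCK);
    for (size_t off = 0; off < len; off += BLOCK) {
        for (int i = 0; i < BLOCK; i++)
            tmp[i] = msg[off + i] ^ prev[i];
        toy_encrypt_block(key, tmp, out + off);
        memcpy(prev, out + off, BLOCK);
    }
}

void cbc_decrypt(const uint8_t key[BLOCK], const uint8_t iv[BLOCK],
                 const uint8_t *ct, size_t len, uint8_t *out)
{
    uint8_t prev[BLOCK], tmp[BLOCK];
    memcpy(prev, iv, BLOCK);
    for (size_t off = 0; off < len; off += BLOCK) {
        toy_decrypt_block(key, ct + off, tmp);
        for (int i = 0; i < BLOCK; i++)
            out[off + i] = tmp[i] ^ prev[i];
        memcpy(prev, ct + off, BLOCK);
    }
}

/* Constructed demo: a 16-byte message whose two blocks are identical.
   Returns 0 if ECB repeats the ciphertext block, CBC does not, and CBC
   round-trips; otherwise a nonzero code naming the property that failed. */
int chaining_demo(void)
{
    static const uint8_t key[BLOCK] = { 'k', '3', 'y', '-', 'k', '3', 'y', '!' };
    static const uint8_t iv[BLOCK]  = { 1, 2, 3, 4, 5, 6, 7, 8 };
    static const uint8_t msg[]      = "ABCDEFGHABCDEFGH";   /* MSG_LEN bytes used */
    uint8_t ecb[MSG_LEN], cbc[MSG_LEN], back[MSG_LEN];

    ecb_encrypt(key, msg, MSG_LEN, ecb);
    if (memcmp(ecb, ecb + BLOCK, BLOCK) != 0) return 1;   /* ECB should repeat */
    cbc_encrypt(key, iv, msg, MSG_LEN, cbc);
    if (memcmp(cbc, cbc + BLOCK, BLOCK) == 0) return 2;   /* CBC should differ */
    cbc_decrypt(key, iv, cbc, MSG_LEN, back);
    if (memcmp(back, msg, MSG_LEN) != 0) return 3;        /* round trip */
    return 0;
}

int main(void)
{
    printf("chaining demo: %d (0 = ECB repeats, CBC does not, CBC round-trips)\n", chaining_demo());
    return 0;
}
```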
Asymmetric Encryption
• With asymmetric encryption, the decryption key, Kd, is not the same as the encryption key, Ke, and more importantly cannot be derived from it, which means the encryption key can be made publicly available, and only the decryption key needs to be kept secret.
• One of the most widely used asymmetric encryption algorithms is RSA, named after its developers - Rivest, Shamir, and Adleman.
• RSA is based on two large prime numbers, p and q, ( on the order of 512 bits each ), and their product N.
• Ke and Kd must satisfy the relationship:
  ( Ke * Kd ) % [ ( p - 1 ) * ( q - 1 ) ] == 1
• The encryption algorithm is:
  c = E(Ke)(m) = m^Ke % N
• The decryption algorithm is:
  m = D(Kd)(c) = c^Kd % N
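The three RSA relations above, worked through numerically as an added example (our own code, not the slides'). The primes are tiny constructed values so that everything fits in a 64-bit integer; the text's 512-bit primes would need a big-integer library, and modpow() is only safe while N is below 2^32.

```c
#include <stdint.h>
#include <stdio.h>

/* base^exp % mod by square-and-multiply. Safe while mod < 2^32, so that the
   intermediate products cannot overflow uint64_t. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t result = 1;
    base %= mod;
    while (exp > 0) {
        if (exp & 1)
            result = result * base % mod;
        base = base * base % mod;
        exp >>= 1;
    }
    return result;
}

/* Inverse of a modulo m via the extended Euclidean algorithm; 0 if none. */
uint64_t modinv(uint64_t a, uint64_t m)
{
    int64_t t = 0, newt = 1;
    int64_t r = (int64_t)m, newr = (int64_t)(a % m);
    while (newr != 0) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (r != 1)
        return 0;                        /* a and m not coprime: no inverse exists */
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

typedef struct { uint64_t N, Ke, Kd; } rsa_keypair;

/* Derive Kd from Ke so that (Ke * Kd) % ((p-1)*(q-1)) == 1, as on the slide.
   Returns 1 on success, 0 if Ke has no inverse modulo (p-1)(q-1). */
int rsa_keygen(uint64_t p, uint64_t q, uint64_t Ke, rsa_keypair *kp)
{
    uint64_t phi = (p - 1) * (q - 1);
    uint64_t Kd = modinv(Ke, phi);
    if (Kd == 0)
        return 0;
    kp->N = p * q;
    kp->Ke = Ke;
    kp->Kd = Kd;
    return 1;
}

/* c = E(Ke)(m) = m^Ke % N */
uint64_t rsa_encrypt(const rsa_keypair *kp, uint64_t m) { return modpow(m, kp->Ke, kp->N); }

/* m = D(Kd)(c) = c^Kd % N */
uint64_t rsa_decrypt(const rsa_keypair *kp, uint64_t c) { return modpow(c, kp->Kd, kp->N); }

int main(void)
{
    rsa_keypair kp;
    if (!rsa_keygen(61, 53, 17, &kp))    /* constructed toy primes p=61, q=53 */
        return 1;
    uint64_t c = rsa_encrypt(&kp, 65);
    printf("N=%llu Ke=%llu Kd=%llu  E(65)=%llu  D(c)=%llu\n",
           (unsigned long long)kp.N, (unsigned long long)kp.Ke,
           (unsigned long long)kp.Kd, (unsigned long long)c,
           (unsigned long long)rsa_decrypt(&kp, c));
    return 0;
}
```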
Authentication
 Authentication involves verifying the identity of the entity who
transmitted a message.
 For example, if D(Kd)(c) produces a valid message, then we
know the sender was in possession of E(Ke).
 This form of authentication can also be used to verify that a
message has not been modified
 Authentication revolves around two functions, used
for signatures ( or signing), and verification:
 A signing function, S(Ks) that produces an authenticator, A,
from any given message m.
 A Verification function, V(Kv,m,A) that produces a value of "true"
if A was created from m, and "false" otherwise.
 Obviously S and V must both be computationally efficient.
 More importantly, it must not be possible to generate a valid
authenticator, A, without having possession of S(Ks).
 Furthermore, it must not be possible to divine S(Ks) from the
combination of ( m and A ), since both are sent visibly across
networks.
 Understanding authenticators begins with an
understanding of hash functions, which is the first step:
 Hash functions, H(m) generate a small fixed-size block of
data known as a message digest, or hash value from any
given input data.
 For authentication purposes, the hash function must
be collision resistant on m. That is, it should not be
reasonably possible to find an alternate message m' such
that H(m') = H(m).
 Popular hash functions are MD5, which generates a 128-bit
message digest, and SHA-1, which generates a 160-bit
digest.
 Message digests are useful for detecting (accidentally)
changed messages, but are not useful as authenticators,
because if the hash function is known, then someone
could easily change the message and then generate a
new hash value for the modified message. Therefore
authenticators take things one step further by encrypting
the message digest.
 A message-authentication code, MAC, uses symmetric
encryption and decryption of the message digest, which means
that anyone capable of verifying an incoming message could
also generate a new message.
 An asymmetric approach is the digital-signature
algorithm, which produces authenticators called digital
signatures. In this case Ks and Kv are separate, Kv is the
public key, and it is not practical to determine S(Ks) from public
information.
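An added example (not from the slides) of the difference the two bullets above draw between a bare message digest and a message-authentication code. The sample message and shared key are constructed. SHA-256 stands in for the MD5 and SHA-1 named on the slide, since practical collision attacks exist for both of those today. `modify_in_transit` models a party on the path who alters the message and recomputes the check value with what it has: the public hash function, or a guessed key.

```python
import hashlib
import hmac

# Constructed sample traffic and shared key (not from the slides).
SHARED_KEY = b"constructed-shared-secret-key"
MESSAGE = b"transfer 100 to account 42"


def message_digest(m):
    """H(m): a fixed-size digest of any input. No key is involved."""
    return hashlib.sha256(m).hexdigest()


def verify_digest(m, tag):
    """Catches accidental corruption only: anyone can recompute H(m)."""
    return hmac.compare_digest(message_digest(m), tag)


def mac(key, m):
    """Authenticator A = HMAC-SHA256(key, m): a keyed digest."""
    return hmac.new(key, m, hashlib.sha256).hexdigest()


def verify_mac(key, m, tag):
    """V(Kv, m, A) for a MAC: Kv is the same key used to create A.
    compare_digest runs in constant time so the comparison itself leaks nothing."""
    return hmac.compare_digest(mac(key, m), tag)


def modify_in_transit(m, attacker_key=None):
    """Alter the message and recompute the check value without the real key."""
    m2 = m.replace(b"account 42", b"account 99")
    if attacker_key is None:
        return m2, message_digest(m2)       # hash function is public: trivial
    return m2, mac(attacker_key, m2)        # wrong key: tag will not verify


def demo():
    """Return (digest_forgery_accepted, mac_forgery_accepted, genuine_mac_accepted)."""
    digest_forged_ok = verify_digest(*modify_in_transit(MESSAGE))
    mac_forged_ok = verify_mac(SHARED_KEY, *modify_in_transit(MESSAGE, b"guess"))
    mac_genuine_ok = verify_mac(SHARED_KEY, MESSAGE, mac(SHARED_KEY, MESSAGE))
    return digest_forged_ok, mac_forged_ok, mac_genuine_ok


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The first result is the slide's point about bare digests: the altered message passes because the hash is recomputable by anyone. The second fails because the authenticator depends on a key the modifier lacks. The third also shows the limitation of a MAC the slide names: whoever holds `SHARED_KEY` to verify could equally call `mac()` on any message of their choosing, so a MAC cannot prove to a third party which side produced the message; that is what separates it from a digital signature, where the verification key is public and the signing key is not.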
 There are three good reasons for having separate algorithms
for encryption of messages and authentication of messages:
1. Authentication algorithms typically require fewer calculations,
making verification a faster operation than encryption.
2. Authenticators are almost always smaller than the messages,
improving space efficiency. (?)
3. Sometimes we want authentication only, and not
confidentiality, such as when a vendor issues a new software
patch.
 Another use of authentication is non-repudiation, in which a
person filling out an electronic form cannot deny that they
were the ones who did so.
Implementation of Cryptography
 Network communications are implemented in multiple
layers - Physical, Data Link, Network, Transport, and
Application being the most common breakdown.
 Encryption and security can be implemented at any layer
in the stack, with pros and cons to each choice:
 Because packets at lower levels contain the contents of
higher layers, encryption at lower layers automatically
encrypts higher layer information at the same time.
 However, security and authorization may be important to
higher levels independent of the underlying transport
mechanism or route taken.
 At the network layer the most common standard
is IPSec, a secure form of the IP layer, which is used to
set up Virtual Private Networks, VPNs.
 At the transport layer the most common implementation
is SSL, described below.
Example - SSL
Insertion of cryptography at one layer of the ISO
network model (the transport layer)
SSL – Secure Socket Layer (also called TLS)
Cryptographic protocol that limits two computers to
only exchange messages with each other
 Very complicated, with many variations
Used between web servers and browsers for secure
communication (credit card numbers)
The server is verified with a certificate assuring
client is talking to correct server
Asymmetric cryptography used to establish a secure
session key (symmetric encryption) for bulk of
communication during session
Communication between each computer uses
symmetric key cryptography
Example – Windows 7
Security is based on user accounts
 Each user has unique security ID
 Login to ID creates security access token
Includes security ID for user, for user’s groups, and
special privileges
Every process gets copy of token
System checks token to determine if access allowed or
denied
Uses a subject model to ensure access security. A
subject tracks and manages permissions for each
program that a user runs
Each object in Windows XP has a security attribute
defined by a security descriptor
 For example, a file has a security descriptor that
indicates the access permissions for all users
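A simplified model, added here and not the Windows API, of the check the bullets above describe: a process carries an access token (user SID, group SIDs, privileges), each object carries a security descriptor with an ordered list of access-control entries, and the system grants an operation only if the token's SIDs are allowed every requested right before any matching deny entry is reached. The user SIDs are constructed; "S-1-1-0" (Everyone) and "S-1-5-32-545" (BUILTIN\Users) are well-known Windows SIDs. Privileges that can override a DACL in real Windows (backup, take-ownership) are carried in the token but deliberately not modelled.

```python
from dataclasses import dataclass, field

# Well-known SIDs; the S-1-5-21-... user SIDs below are constructed placeholders.
EVERYONE = "S-1-1-0"
BUILTIN_USERS = "S-1-5-32-545"
READ, WRITE, EXECUTE = "read", "write", "execute"


@dataclass
class AccessToken:
    """Created at login; every process the user starts gets a copy."""
    user_sid: str
    group_sids: frozenset
    privileges: frozenset = frozenset()   # carried but not consulted by this model

    def sids(self):
        return {self.user_sid} | set(self.group_sids)


@dataclass
class ACE:
    kind: str          # "allow" or "deny"
    sid: str
    rights: frozenset


@dataclass
class SecurityDescriptor:
    owner_sid: str
    dacl: list = field(default_factory=list)   # ordered; an empty DACL grants nothing


def access_check(token, sd, requested):
    """Walk the DACL in order. A deny ACE whose SID is in the token and whose rights
    overlap a still-ungranted requested right fails the check immediately; allow ACEs
    accumulate rights until every requested right is granted."""
    requested = set(requested)
    granted = set()
    for ace in sd.dacl:
        if ace.sid not in token.sids():
            continue                      # entry is for someone else
        outstanding = requested - granted
        if ace.kind == "deny" and ace.rights & outstanding:
            return False
        if ace.kind == "allow":
            granted |= ace.rights & requested
            if granted == requested:
                return True               # nothing left to satisfy
    return granted == requested


def sample():
    """Constructed scenario: a report file readable by everyone, writable by Users,
    with execution denied to all (deny entries placed first, as Windows orders them)."""
    alice = AccessToken("S-1-5-21-1-2-3-1001", frozenset({BUILTIN_USERS, EVERYONE}))
    bob = AccessToken("S-1-5-21-1-2-3-1002", frozenset({EVERYONE}))
    report = SecurityDescriptor(owner_sid=alice.user_sid, dacl=[
        ACE("deny", EVERYONE, frozenset({EXECUTE})),
        ACE("allow", BUILTIN_USERS, frozenset({READ, WRITE})),
        ACE("allow", EVERYONE, frozenset({READ})),
    ])
    return {
        "alice_read": access_check(alice, report, {READ}),
        "alice_write": access_check(alice, report, {WRITE}),
        "alice_exec": access_check(alice, report, {EXECUTE}),
        "bob_read": access_check(bob, report, {READ}),
        "bob_write": access_check(bob, report, {WRITE}),
    }


if __name__ == "__main__":
    for name, allowed in sample().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Two properties of the real mechanism are visible in the model: the outcome depends only on the token and the descriptor, never on the program name, and ordering matters, since an allow entry placed ahead of a deny would satisfy the request before the deny is examined. That is why Windows keeps DACLs in canonical order with deny entries first.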
Security Classifications
U.S. Department of Defense outlines four
divisions of computer security: A, B, C, and D.
D – Minimal security.
C – Provides discretionary protection through
auditing. Divided into C1 and C2. C1
identifies cooperating users with the same
level of protection. C2 allows user-level
access control.
B – All the properties of C, however each
object may have unique sensitivity labels.
Divided into B1, B2, and B3.
A – Uses formal design and verification
techniques to ensure security.