UCA 2021 L01 Intro Basics (8 Files Merged)

The document provides an overview of an information security course, including: - The course organization, prerequisites, and lecture plan which covers topics like network security, incident response, and ethical hacking. - The lecturer's background and qualifications to teach the course. - An introduction to basic concepts in information security like why it's important to study, common certification programs, and the goals of information security management.


Course info

Basic concepts in information security

Course information
• Course organization
• Prerequisites
• Lecture plan
• Security education
• Security basics

UCA / GIPI 2021 Lec. 01 - Information Security


Lecturer

• Tkachev Vlad
– Baker Tilly, IT Audit Director, 2017
– Center of Information Security, Lead Auditor, 2015
– KyrgyzTelecom, CIO, 2002—2017

Education
– Ethical Hacking Academy, CISA
– Unix Edu Center, RedHat Certified Engineer
– US Dept. of Homeland Security, Critical Infrastructure Protection
– Texas A&M University, Risk Management
– Moscow University of E&L, MBA

Prerequisites

• Prerequisites
– Basic computer and network technology
– Basic (discrete) mathematics
• Theoretic focus on a basic level
– Discrete mathematics, number theory, modular arithmetic
– Information theory
– Probability calculus
– Computer and network architectures

Preliminary Course Schedule

Date        Lecture  Topic
12.04.2021  1        Course Information. Basic Concepts in IS
13.04.2021  2        Network Security
14.04.2021  3        IS Management, and Human Factors for IS
15.04.2021  4        Incident Response and Digital Forensics
16.04.2021  5        Risk Management and Business Continuity Planning
19.04.2021  6        Computer Security
20.04.2021  7        User Authentication
21.04.2021  8        Identity and Access Management
22.04.2021  9        Ethical Hacking / Penetration Testing
23.04.2021  10       Secure System Development and Application Security

Why study information security?

• You can not be an IT expert without also knowing IT security
– Analogy: Building architects must have knowledge about fire safety
• Developing IT systems without considering security will lead to vulnerable IT systems
• “Security by design” is a requirement in system design and is a prerequisite for privacy by design, which is a legal requirement for processing personal data
• Information security is a political issue
– The Government states the importance of producing IT-security skills in higher education

Security Certifications for Professionals

• Many different types of certifications available
– vendor neutral or vendor specific, profit or non-profit, e.g.
• (ISC)² https://www.isc2.org/
• ISACA https://www.isaca.org/
• SANS https://www.sans.org/
• Certification gives assurance of knowledge and skills,
– needed in job functions
– gives credibility for consultants, applying for jobs, for promotion
• Sometimes required
– US, some EU or Russian Government IT Security jobs
– Most commercial financial and critical institutions
• Certification types reflect current topics in IT Security
– Generally kept up-to-date

CISSP Certification from (ISC)²: Certified Information System Security Professional

• Many different books to prepare for the CISSP exam
– CISSP All-in-One Exam Guide, 8th Edition, 2018. Authors: Shon Harris and Fernando Maymí
• €560 fee to sit CISSP exam
• You also need several years of professional experience to be certified
• Exam through http://www.pearsonvue.com/isc2/
• Most of the material presented in this course is taken from the syllabus of the CISSP CBK (Common Body of Knowledge).

CISSP CBK: Common Body of Knowledge, 8 domains

1. Security and Risk Management (Security, Risk, Compliance, Law, Regulations, and Business Continuity)
2. Asset Security (Protecting Security of Assets)
3. Security Engineering (Engineering and Management of Security)
4. Communication and Network Security (Designing and Protecting Network Security)
5. Identity and Access Management (Controlling Access and Managing Identity)
6. Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
7. Security Operations (Foundational Concepts, Investigations, Incident Management, and Disaster Recovery)
8. Software Development Security (Understanding, Applying, and Enforcing Software Security)

Information Security: Basic Concepts

What is security?

• Security is the protection of assets (property, infrastructure, stability, life, environment, information) from any types of harm
– Physical security (prevent burglary and theft of property)
– Societal security (security of critical infrastructures)
– National security (political stability and national integrity)
– Safety (security of life and health)
– Environmental security (stop pollution and invasive species)
– Information security and data protection

What is Information Security?

• Information Security is the protection of information assets from damage or harm
• In the non-governmental sector Information Security is for reducing total cost of ownership of information assets
• What are the assets to be protected?
– Example: data files, software, IT equipment and infrastructure
• Covers both intentional and accidental events
– Threat agents can be humans or acts of nature
– People can cause harm by accident or by intent
• Information Security defined:
– The preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved. (ISO 27000 Information Security Management Systems – Overview and Vocabulary)

Information Security Management

• IS management consists of activities to control and reduce risk of damage to information assets
• IS management focuses on:
– Evaluate threats, vulnerabilities and risks
– Control security risks by reducing vulnerability to threats
– Detection and response to attacks
– Recovery from damage caused by attacks
– Investigate and collect evidence about incidents (forensics)

Threat, Vulnerability, Risk and Control

• Threat
– Threat Actor: An active entity which can execute a threat scenario.
– Threat Scenario: The set of steps executed in a (potential) cyber attack.
– When simply using the term “threat”, it usually means a threat scenario.

Figure: Threat actor -- executes --> Threat scenario / Attack: Step 1, Step 2, Step 3 (exploiting Vulnerabilities) -- causes --> Incident

• Vulnerabilities
– Weaknesses or opportunities allowing a threat scenario to be executed
• Security Risk
– Likelihood (ease of executing a threat scenario), combined with the potential damage in case of an incident (successful attack)
• Security Control
– A method for removing vulnerabilities and reducing security risk

The Need for Information Security

• Can we remove all vulnerabilities once and for all?
• No we can’t! Reasons why that’s impossible:
– Rapid innovation and new technology creates new vulnerabilities
– Information security is (still) often ignored when developing IT
– New threats that exploit vulnerabilities are invented every day
– More effective attack techniques and tools are being developed
– Increased value of online digital assets makes attacks more attractive
• Conclusion: Information security doesn’t have a final goal, it’s a continuing process

Security control categories

Physical controls:
 Facility protection
 Security guards
 Locks
 Monitoring
 Environmental controls
 Intrusion detection

Technical controls:
 Logical access control
 Cryptographic controls
 Security devices
 User authentication
 Intrusion detection
 Forensics

Administrative controls:
 Policies & standards
 Procedures & practice
 Personnel screening
 Awareness training
 Secure System Development
 Incident Response

Security Controls by Functional Types

• Preventive controls:
– prevent attempts to exploit vulnerabilities
• Example: encryption of files
• Detective controls:
– warn of attempts to exploit vulnerabilities
• Example: Intrusion detection systems (IDS)
• Corrective controls:
– correct errors or irregularities that have been detected.
• Example: Restoring all applications from the last known good image to bring a corrupted system back online
• Use a combination of controls to help ensure that the organisational processes, people, and technology operate within prescribed bounds.

Controls by Information States

• Information security involves protecting information assets from harm or damage.
• Information is considered in one of three possible states:
– During storage
• Information storage containers
• Electronic, physical, human
– During transmission
• Physical or electronic
– During processing (use)
• Physical or electronic
• Security controls for all information states are needed

Security Services and Goals

• A security service supports a general security goal
• The traditional definition of information security is to ensure the three CIA security services/goals for data and systems:
– Confidentiality
– Integrity
– Availability
• CIA are the three main security services and goals
• Data privacy is an additional goal which relies on CIA
– Privacy

Security Services and Controls

• Security services (aka. security goals or properties) are
– implementation independent
– supported by specific controls
• Security controls (aka. mechanisms) are
– Practical mechanisms, actions, tools or procedures that are used to provide security services

Figure: Security Controls (Encryption, Firewalls, Awareness, etc.) -- support --> Security Services (Confidentiality, Integrity, Availability)

Confidentiality Security Service or Goal

• The property that information is not made available or disclosed to unauthorized individuals, entities, or processes. (ISO 27000)
• Can be divided into:
– Secrecy: Protecting business data
– Privacy: Protecting personal data
– Anonymity: Hide who is engaging in what actions
• Main threat: Information theft, unintentional disclosure
• Controls: Encryption, Access Control, Perimeter defence
As general controls, also include:
– Secure Systems Development, Incident Response

Integrity Security Service or Goal

• Data Integrity: The property that data has not been altered or destroyed in an unauthorized manner. (X.800: Security Architecture for OSI)
• System Integrity: The property of accuracy and completeness (ISO 27000). Can include the accountability of actions.
• Threats: Data and system corruption, loss of accountability
• Controls:
– Hashing, cryptographic integrity check and encryption
– Authentication, access control and logging
– Software digital signing
– Configuration management and change control (system integrity)
As general controls, also include:
– Secure System Development, Incident Response

Availability Security Service/Goal

• The property of being accessible and usable upon demand by an authorized entity. (ISO 27000)
• Main threat: Denial of Service (DoS)
– The prevention of authorized access to resources or the delaying of time critical operations
• Controls:
– Redundancy of resources,
– Load balancing,
– Software and data backups
As general controls, also include:
– Secure System Development and Incident Response

Data Privacy

To protect specific aspects of information that may be related to natural persons (personal information).
• Prevent unauthorized collection and storage of personal information
• Prevent unauthorized use of collected personal information
• Make sure your personal information is correct
• Ensure transparency and access for data subjects
• Adequate information security (CIA) of personal information
• Define clear responsibilities around personal information

Authenticity Security Service or Goal

The CIA services/goals are quite general. Other security services are often mentioned. Authentication is very important, with various types:
• User authentication:
– The process of verifying a claimed identity of a (legal) user when accessing a system or an application.
• Organisation authentication:
– The process of verifying a claimed identity of a (legal) organisation in an online interaction/session
• System authentication (peer entity authentication):
– The corroboration (verification) that a peer entity (system) in an association (connection, session) is the one claimed (X.800).
• Data origin authentication (message authentication):
– The corroboration (verification) that the source of data received is as claimed (X.800).

Taxonomy of Authentication

Authentication
– Data Authentication: MAC, DigSig, PKI
– Entity Authentication
• User Authentication: Passwords, tokens, OTP, biometrics, PKI
• Company Authentication: Crypto protocols: TLS, PKI
• System Authentication: Crypto protocols: IPSec, PKI

User Identification and Authentication

• Identification
– Who you claim to be
– Method: (user)name, biometrics
• User authentication
– Prove that you are the one you claim to be
– Main threat: Spoofed identity and false login
– Controls:
• Passwords,
• Personal cryptographic tokens,
• OTP generators, etc.
• Biometrics
• Id cards
• Cryptographic security/authentication protocols

System/Company Authentication

• Goal
– Establish the correct identity of organisations/remote hosts
• Main threats:
– Network intrusion
– Masquerading attacks
– Replay attacks
– (D)DOS attacks
• Controls:
– Cryptographic authentication protocols based on hashing and encryption algorithms
– Examples: TLS, VPN, IPSEC

Data Origin Authentication (Message authentication)

• Goal: Recipient of a message (i.e. data) can verify the correctness of the claimed sender identity
– But a 3rd party may not be able to verify it
• Main threats:
– False transactions
– False messages and data
• Controls:
– Encryption with shared secret key
– MAC (Message Authentication Code)
– Security protocols
– Digital signature with private key
– Electronic signature,
• i.e. any digital evidence

Non-Repudiation: Strong form of Data Authentication

• Goal: Making sending and receiving messages undeniable through unforgeable evidence.
– Non-repudiation of origin: proof that data was sent.
– Non-repudiation of delivery: proof that data was received.
– NB: imprecise interpretation: Has a message been received and read just because it has been delivered to your mailbox?
• Main threats:
– Sender falsely denying having sent message
– Recipient falsely denying having received message
• Control: digital signature
– Cryptographic evidence that can be confirmed by a third party
• Data origin authentication and non-repudiation are similar
– Data origin authentication only provides proof to the recipient party
– Non-repudiation also provides proof to third parties

Accountability (Can be considered as a part of System integrity)

• Goal: Trace action to a specific user and hold them responsible
– Audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party (TCSEC/Orange Book)
• Main threats:
– Inability to identify source of incident
– Inability to make attacker responsible
• Controls:
– Identify and authenticate users
– Log all system events (audit)
– Electronic signature
– Non-repudiation based on digital signature
– Forensics

Access Authorization

• Access Authorization is to specify access and usage permissions for entities, roles or processes
– Authorization policy is normally defined by humans
– Issued by an authority within the domain/organisation
• Authorities authorize, systems don’t
• Authority can be delegated
– Management → Sys.Admin
– Implemented in IT systems as configuration/policy

Identity and Access Management (IAM) Phases

Configuration phase:
– Registration of identity
– Provisioning of credentials
– Authorization of access

Operation phase:
– Present user identity: Claim identity by providing user-Id
– User authentication: Prove claimed identity with credential(s)
– Access control: Enforcement of authorization policy

Termination phase:
– De-registration
– Deactivate credentials
– Revoke authorization

Confusion about Authorization

• The term “authorization” is often wrongly used in the sense of “access control”
– e.g. misleading figure in Ch.5 IAM on p.733 in Harris 8th ed.
– Common error in text books and specifications (RFC 2196 …)
– E.g. Cisco AAA (Authentication, Authorization and Accounting)
• Wrong use of “authorization” gives meaningless security:
1. You steal somebody’s password, and use it to access their account.
2. Login screen gives warning: “Only authorized users may access this system”.
3. You get caught and taken to the police
4. You argue: “This text book on information security states that a system authorizes the user when typing the right password, hence I was authorized because I typed the right password”.
5. Case dismissed, you go free.

Identity and Access Management Scenario

Figure: System Owner Domain. The User first registers with the Identity Provider (1 Registration) and receives credentials (2 Provisioning); the Policy Administration Point issues the authorization policy (3 Authorization). At logon the user presents ID + Key to the Authentication function (4). The user then sends a Request: Resource & Access Type to the Access Control Function (5); the Policy Enforcement Point sends a decision request to the Policy Decision Point (6), which returns the decision (7); on a positive decision the PEP grants access to the System resource (8).

• PAP: Policy Administration Point
• PDP: Policy Decision Point
• PEP: Policy Enforcement Point
• IdP: Identity Provider

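The scenario above as runnable code (an added example, not the lecture's own material): the IdP handles registration, provisioning and the authentication function, the PAP holds the policy, and the PEP asks the PDP before granting access. The class names and the (user, resource, access type) rule format are assumptions of this example; it also shows the point of the previous slide, that a correct password yields a session but never an authorization.

```python
import hashlib
import hmac
import secrets

# Added example: the IAM scenario in the lecture figure as code. Class names and
# the (user_id, resource, access_type) rule format are assumptions of this example.

PBKDF2_ROUNDS = 50_000   # constructed value for the example


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class IdentityProvider:
    """Configuration phase steps 1-2 (registration, provisioning) and the
    authentication function used at logon (step 4)."""

    def __init__(self):
        self.users = {}          # user_id -> (salt, derived credential)

    def register(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user_id] = (salt, _derive(password, salt))

    def deregister(self, user_id: str) -> None:   # termination phase
        self.users.pop(user_id, None)

    def authenticate(self, user_id: str, password: str) -> bool:
        entry = self.users.get(user_id)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, _derive(password, salt))


class PolicyAdministrationPoint:
    """Step 3: the human authority writes the authorization policy here.
    Authorities authorize; the systems below only enforce."""

    def __init__(self):
        self.rules = set()       # (user_id, resource, access_type)

    def authorize(self, user_id: str, resource: str, access_type: str) -> None:
        self.rules.add((user_id, resource, access_type))

    def revoke(self, user_id: str) -> None:   # termination phase
        self.rules = {r for r in self.rules if r[0] != user_id}


class PolicyDecisionPoint:
    """Steps 6-7: answers the PEP's decision request against the PAP policy."""

    def __init__(self, pap: PolicyAdministrationPoint):
        self.pap = pap

    def decide(self, user_id: str, resource: str, access_type: str) -> bool:
        return (user_id, resource, access_type) in self.pap.rules


class PolicyEnforcementPoint:
    """Access control function: logon (step 4), request (5), decision (6-7),
    access (8). A valid password yields a session, never an authorization."""

    def __init__(self, idp: IdentityProvider, pdp: PolicyDecisionPoint):
        self.idp, self.pdp = idp, pdp
        self.sessions = {}       # session token -> authenticated user_id

    def logon(self, user_id: str, password: str):
        if not self.idp.authenticate(user_id, password):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user_id
        return token

    def request(self, token: str, resource: str, access_type: str) -> str:
        user_id = self.sessions.get(token)
        if user_id is None:
            return "denied: not authenticated"
        if not self.pdp.decide(user_id, resource, access_type):
            return "denied: not authorized"    # authenticated, but no rule from the PAP
        return f"granted: {access_type} on {resource}"
```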
Lecture #2: Network Security

Outline
• Network security concepts
• Transport Layer Security (TLS)
• VPN – Virtual Private Network
• Firewalls
• Intrusion Detection Systems

Network Security Concepts

Assumes that each organisation owns a network
– Wants to protect own local network
– Wants to protect communication with other networks
Network Security: two main areas
• Communication Security: Protection of data transmitted across networks between organisations and end users
– Topic for this lecture
• Perimeter Security: Protection of an organization’s network from unauthorized access
– Topic for next lecture

Communication Security Analogy

Figure: Physical transport security (a protected pipe) compared with digital communication security across the Internet

Security Protocols

• Many different security protocols have been specified and implemented for different purposes
– Authentication, integrity, confidentiality
– Key establishment/exchange
– E-Voting
– Secret sharing
– etc.
• Protocols are surprisingly difficult to get right!
– Many vulnerabilities are discovered years later (e.g. for TLS: DROWN, POODLE, ROBOT, Logjam, FREAK, BEAST, …)
– … some are never discovered (or maybe only by the attackers)

TLS/SSL: Transport Layer Security

SSL/TLS: History
• 1994: Netscape Communications developed the network authentication protocol Secure Sockets Layer, SSLv2.
– Badly broken, officially deprecated 2011
• 1995: Netscape released their own improvements, SSLv3.
– Broken, officially deprecated 2015
• In January 1999, RFC 2246 was issued by the IETF, Transport Layer Security Protocol: TLS 1.0
– Similar to, but incompatible with SSLv3
– Followed by TLS 1.1 (2006) and TLS 1.2 (2008)
– Current version: TLS 1.3 (2018), removes all old/insecure features/algorithms

TLS: Overview

• TLS is a cryptographic services protocol based on the Browser PKI and is commonly used on the Internet.
– Each server has a server certificate and private key installed
– Allows browsers to establish secure sessions with web servers.
• Port 443 is reserved for HTTP over TLS/SSL and the protocol https is used with this port.
– http://www.xxx.com implies using standard HTTP using port 80.
– https://www.xxx.com implies HTTP over TLS/SSL with port 443.
• Other applications:
– IMAP over TLS: port 993
– POP3 over TLS: port 995

TLS: Protocol Stack

Figure (top to bottom):
TLS Handshake Protocol | TLS Change Cipher Suite Protocol | TLS Alert Protocol | Application Protocol (e.g. HTTP)
TLS Record Protocol
TCP
IP

TLS: Architecture Overview

• Designed to provide secure reliable end-to-end services over TCP.
– Confidentiality
– Integrity
– Authenticity
• Consists of 3 higher level protocols:
– TLS Handshake Protocol
– TLS Alert Protocol
– TLS Change Cipher Spec Protocol
• The TLS Record Protocol provides the practical encryption and integrity services to various application protocols.

TLS: Handshake Protocol

• The handshake protocol
– Negotiates the encryption to be used
– Establishes a shared session key
– Authenticates the server
– Authenticates the client (optional)
• After the handshake, application data is transmitted securely (encrypted + integrity protected)

TLS: Simplified Handshake

Client -> Server: Client Hello (supported crypto algorithms and protocol versions)
Server -> Client: Server Hello (common protocol, common algorithm), Server certificate, ServerKeyExchange
Client -> Server: Client Key Exchange (perform key exchange & server authentication)
Client and Server generate session key from secret material
Client -> Server: Change CipherSuite (go to crypto with common algorithm and session key)
Server -> Client: Change CipherSuite (go to crypto with common algorithm and session key)
Continues with TLS Record protocol encrypted with session key

TLS: Elements of Handshake

• Client hello
– Advertises available algorithms (e.g. RSA, AES, SHA256)
– Different types of algorithms bundled into “Cipher Suites”
– Format: TLS_key-exchange-algorithm_WITH_data-protection-algorithm
– Example (TLS 1.2): TLS_RSA_WITH_AES_256_CBC_SHA256
• RSA for key exchange
• AES (128 bit key) with CBC mode for encryption
• SHA256 as hash function for authentication and integrity protection
– Example (TLS 1.3): TLS_AES_256_GCM_SHA384
• DH for key exchange (implicit)
• AES with GCM for encryption + integrity protection
• SHA384 as hash function for authentication

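An added example (not part of the lecture): a parser that splits a cipher-suite name of either shape shown above into its key-exchange, cipher and hash components, and lists the properties an administrator would normally exclude on a server (no forward secrecy, non-AEAD cipher, SHA-1 MAC). The classification rules are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example: parse TLS cipher-suite names of the two shapes on the slide
# (TLS 1.2 style with _WITH_, TLS 1.3 style without a key-exchange part).
# The classification rules below are this example's own assumptions.


@dataclass
class CipherSuite:
    name: str
    version: str                  # "1.2-style" (has _WITH_) or "1.3"
    key_exchange: str             # e.g. "RSA", "ECDHE_RSA"; negotiated separately in 1.3
    cipher: str                   # e.g. "AES_256_CBC", "AES_128_GCM", "CHACHA20_POLY1305"
    key_bits: Optional[int]       # symmetric key size encoded in the name, if any
    aead: bool                    # encryption and integrity in one primitive (GCM, CCM, ...)
    hash_: str                    # "SHA", "SHA256", "SHA384"
    forward_secrecy: Optional[bool]


def parse_cipher_suite(name: str) -> CipherSuite:
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name}")
    body = name[len("TLS_"):]
    if "_WITH_" in body:
        version = "1.2-style"                 # key exchange before _WITH_, data protection after
        kex, rest = body.split("_WITH_", 1)
    else:
        version = "1.3"                       # TLS 1.3 names carry only AEAD cipher + hash
        kex, rest = "(EC)DHE, negotiated in key_share", body
    tokens = rest.split("_")
    hash_, cipher = tokens[-1], "_".join(tokens[:-1])
    if not hash_.startswith("SHA") or not cipher:
        raise ValueError(f"unexpected data-protection part: {rest}")

    m = re.match(r"AES_(\d+)_", cipher)
    if m:
        key_bits = int(m.group(1))
    elif cipher.startswith("CHACHA20"):
        key_bits = 256                        # ChaCha20 always uses a 256-bit key
    else:
        key_bits = None

    aead = cipher.endswith(("_GCM", "_CCM", "_CCM_8")) or cipher == "CHACHA20_POLY1305"

    if version == "1.3":
        forward_secrecy = True                # the slide's "DH for key exchange (implicit)"
    else:
        first = kex.split("_")[0]
        if first in ("DHE", "ECDHE"):         # ephemeral Diffie-Hellman
            forward_secrecy = True
        elif first in ("RSA", "DH", "ECDH"):  # static key transport / static DH
            forward_secrecy = False
        else:
            forward_secrecy = None            # PSK, SRP, ... not classified here
    return CipherSuite(name, version, kex, cipher, key_bits, aead, hash_, forward_secrecy)


def weak_points(suite: CipherSuite) -> List[str]:
    """Properties an administrator would normally exclude on a server."""
    issues = []
    if suite.forward_secrecy is False:
        issues.append(f"no forward secrecy: static key exchange {suite.key_exchange}")
    if not suite.aead:
        issues.append(f"non-AEAD cipher {suite.cipher}: encryption and MAC are separate steps")
    if suite.hash_ == "SHA":
        issues.append("SHA-1 based MAC")
    return issues
```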
TLS: Elements of Handshake (continued)

• Server hello
– Returns the selected cipher suite
– Server adapts to client capabilities
• Server Certificate
– X.509 digital certificate sent to client
– Client verifies the certificate, including that the certificate signer is in its acceptable Certificate Authority (CA) list. Now the client has the server’s certified public key.
• Client Certificate
– Optionally, the client can send its X.509 certificate to the server, in order to provide mutual authentication
• Server/Client Key Exchange
– The client and server can establish a session key using asymmetric encryption or DH key exchange

TLS: Record Protocol Overview

• Provides two services for TLS connections.
– Message Confidentiality:
• Encrypt the payload using symmetric encryption (e.g. AES)
– Message Integrity/Authenticity:
• Calculate a MAC to ensure the message was not modified in transmission
• For both operations the session key exchanged during the handshake is used

Weakness of DH Key Exchange

Diffie–Hellman key exchange is a method of securely exchanging cryptographic keys over a public channel

Figure: A sends g^a towards B and B sends g^b towards A, but E sits in between and forwards g^e to both sides. A ends up with “Secure Communication” to E using K1 = g^(ae) mod p, and B with “Secure Communication” to E using K2 = g^(be) mod p.

TLS: Key Exchange

• DH exchange:
– Client and server perform Diffie-Hellman-Exchange (DH)
– Server signs its DH value with the server private key (RSA)
– Client validates the signature with the server public key (RSA)
• RSA exchange:
– Asymmetric encryption of symmetric key
– Was in the past the preferred method (simpler)
– Some security issues (no “forward secrecy”)
→ not recommended any more

Countermeasure

Figure: A and B exchange g^a and g^b as before, but g^b is signed with B's private key. A verifies the signature using B's public key, so a value substituted by E does not verify. Result: Secure Communication between A and B with K = g^(ab) mod p.

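The two figures above as an added example (not the lecture's code): plain DH with an active E in the middle, then the signed variant, with a toy textbook-RSA signature standing in for the server's real RSA signature. All parameters are constructed for illustration and far too small for real use.

```python
import hashlib
import secrets

# Added example: unauthenticated DH with an active E in the middle, then DH
# where B signs its value. Parameters are constructed toys, far too small for
# real use; the signature is textbook RSA over SHA-256, only for illustration.

P = 2**127 - 1          # DH modulus (a Mersenne prime); toy size
G = 2                   # generator


def new_private() -> int:
    return secrets.randbelow(P - 3) + 2


def dh_public(private: int) -> int:
    return pow(G, private, P)


def dh_shared(peer_public: int, private: int) -> int:
    return pow(peer_public, private, P)


# Toy RSA: fixed small primes so the example is self-contained.
RSA_P, RSA_Q, RSA_E = 104729, 1299709, 65537


def rsa_keypair():
    n = RSA_P * RSA_Q
    d = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))
    return (n, RSA_E), (n, d)            # (public, private)


def _digest(value: int, n: int) -> int:
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % n


def rsa_sign(value: int, private_key) -> int:
    n, d = private_key
    return pow(_digest(value, n), d, n)


def rsa_verify(value: int, signature: int, public_key) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest(value, n)


def unauthenticated_exchange_with_mitm():
    """A and B run plain DH; E replaces both public values with g^e.
    Returns (A's key, B's key, E's key with A, E's key with B)."""
    a, b, e = new_private(), new_private(), new_private()
    ga, gb, ge = dh_public(a), dh_public(b), dh_public(e)
    k_a = dh_shared(ge, a)     # A computes g^(ae): it is talking to E, not B
    k_b = dh_shared(ge, b)     # B computes g^(be): also talking to E
    k1_e = dh_shared(ga, e)    # E recovers g^(ae) ...
    k2_e = dh_shared(gb, e)    # ... and g^(be), so both "secure" channels end at E
    return k_a, k_b, k1_e, k2_e


def authenticated_exchange(attacker_substitutes: bool):
    """B signs g^b with its private key; A verifies with B's public key
    (the TLS pattern: server signs its DH value, client checks the signature).
    Returns (A's key, B's key), or None when A aborts."""
    b_public_key, b_private_key = rsa_keypair()
    a, b, e = new_private(), new_private(), new_private()
    ga, gb = dh_public(a), dh_public(b)
    signature = rsa_sign(gb, b_private_key)
    received = dh_public(e) if attacker_substitutes else gb   # E may swap the value ...
    if not rsa_verify(received, signature, b_public_key):      # ... but cannot forge B's signature
        return None
    return dh_shared(received, a), dh_shared(ga, b)
```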
TLS in a nutshell

Security goals: Confidentiality | Integrity | Authenticity (Message + Sender)

Handshake:
– DH Key Exchange: produces the session key used by the payload protection (key usage)
– Server Authentication (Certificate + DSig): supports the Authenticity goal for the sender

Payload:
– Symmetric Encryption: supports Confidentiality
– Message Authentication Code: supports Integrity and Message Authenticity

Challenges • Many vulnerabilities exist for TLS
→ keep client and server software up-to-date
• Also vulnerabilities in cryptographic algorithms
→ configure server to exclude weak algorithms
• TLS provides security just for a single TCP connection
– Browser can establish HTTP and HTTPS connections; even to the
same server (e.g. HTML via HTTPS, images via HTTP)
• Relies on browser PKI which has many security issues
• No trust indicator
– Owner of “mafia.com” can get a legitimate certificate
– Phishing and TLS can be easily combined
– “Secure Connection” indicator can be misleading
Virtual Private Networks (VPN)

• TLS secures only a single TCP connection
• Sometimes:
– all communication from a computer shall be secured
– also non-TCP communication shall be secured
• Typical application:
– VPN tunnel into a company network
– Tunnel can only be established after authentication
– All communication is routed (and secured) through the tunnel
– Client is virtually part of the local company network
– Client gets access to internal services

Typical usage of VPN

Figure: Remote Side -- VPN tunnel --> Internal infrastructure and Local Network

• Another application: VPN Browsing Proxy
• Usage Examples:
– Access to services subscribed by own organization
– Hide user’s true location (circumvent geo-blocking or censorship)

Figure: User -- VPN --> VPN Browsing Proxy (VPNaaS) -- Internet (exposed IP addr.) --> Internet services

Tor – The Onion Router

• An anonymizing routing protocol
• Originally sponsored by the US Naval Research Laboratory
• From 2004 to 2006 was supported by EFF
• Since 2006 independent nonprofit organisation
• Creates a multi-hop proxy circuit through the Internet from client to destination.
• Each hop “wraps” another encryption layer thereby hiding the next destination.
• No cleartext-gap, except at the exit-node.
• No node knows end-to-end client-server association

„Onion“ Message

Figure: the innermost message (Destination: Jane, Some Payload) is encrypted for C and wrapped with Destination: Router C; that is encrypted for B and wrapped with Destination: Router B; that is encrypted for A and wrapped with Destination: Router A. Each of A, B and C removes one layer and learns only the next destination; C (the exit node) delivers the payload to Jane.

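An added example (not from the lecture) of the onion wrapping shown above: a toy HMAC-based stream cipher stands in for Tor's real ciphers, and each router's key is pre-shared for simplicity (Tor derives them when the circuit is built). Names A, B, C and Jane follow the figure; the run records what each router can observe.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Added example: onion wrapping as in the figure. The stream cipher below is a
# toy (HMAC-SHA256 keystream, no integrity tag) standing in for Tor's real
# ciphers, and each router's key is pre-shared; Tor derives them per circuit.

NONCE_LEN = 16


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(x ^ y for x, y in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return _keystream_xor(key, ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:])


def build_onion(circuit, destination: str, payload: str):
    """circuit: [(router_name, key), ...] in forwarding order (A, B, C).
    Returns (first hop, cell). The innermost layer is for the exit node."""
    names = [name for name, _ in circuit]
    cell = encrypt(circuit[-1][1], json.dumps({"to": destination, "payload": payload}).encode())
    for i in range(len(circuit) - 2, -1, -1):
        layer = {"next": names[i + 1], "inner": base64.b64encode(cell).decode()}
        cell = encrypt(circuit[i][1], json.dumps(layer).encode())
    return names[0], cell


def relay(key: bytes, cell: bytes):
    """One router peels its layer. Returns (next hop, remaining cell, payload);
    only the exit node sees a payload (the cleartext gap at the exit)."""
    message = json.loads(decrypt(key, cell))
    if "next" in message:
        return message["next"], base64.b64decode(message["inner"]), None
    return message["to"], None, message["payload"]


def run_circuit(circuit, destination: str, payload: str):
    """Forward a cell hop by hop and record what each router could observe:
    (previous hop, next hop, payload or None)."""
    keys = dict(circuit)
    previous = "client"
    hop, cell = build_onion(circuit, destination, payload)
    observations, plain = {}, None
    while cell is not None:
        next_hop, cell, plain = relay(keys[hop], cell)
        observations[hop] = (previous, next_hop, plain)
        previous, hop = hop, next_hop
    return hop, plain, observations
```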
Firewalls

Perimeter security analogy: Medieval Castle Defense

Figure: Observation posts, Outer wall, Inner wall, Guard, Inner court, Outer court, Normal access via Bridge and Gatehouse, Moat

Defending local networks: Network Perimeter Security

Firewalls
• A firewall is a check point that protects the internal networks against attack from outside networks
• The check point decides which traffic can pass in & out based on rules

Firewalls: Overview 1

• If the risk of having a connection to the Internet is unacceptable, the most effective way of treating the risk is to avoid the risk altogether and disconnect completely.
• If disconnection from the Internet is not practical, then firewalls may provide an effective level of protection that can reduce the risk to an acceptable level.
• Firewalls are often the first line of defence against external attacks but should not be the only defence.
• A firewall’s purpose is to prevent unauthorized access to or from a private network.

Firewalls: Overview 2

• All traffic entering or leaving must pass through the firewall
• The network owner must define criteria for what is (un)authorized
• The effectiveness of firewalls depends on specifying authorized traffic in terms of rules
– The rules define what to let pass through;
– The rules define what to block.
• Firewalls must be effectively administered, updated with the latest patches and monitored.
• Firewalls can be implemented in both hardware and software, or a combination of both.

Types of Firewall Technology (vehicle analogy)

• Packet Filters: inspects packet headers only (vehicle analogy: reads the number plate, ABC123)
• Stateful Packet Filters: analyses bi-directional traffic
• Application Level Gateway / Next Generation Firewall: end-to-end connection, inspects payload, and analyses traffic

Types of firewalls

Figure: Simple Packet Filter, Stateful Packet Filter, Application Level Gateway

(Stateless) Packet Filter

• A packet filter is a network router that can accept/reject packets based on headers
• Packet filters examine each packet’s headers and make decisions based on attributes such as:
– Source or Destination IP Addresses
– Source or Destination Port Numbers
– Protocol (UDP, TCP or ICMP)
– ICMP message type
– And which interface the packet arrived on
• Unaware of session states at internal or external hosts
• High speed, but primitive filter

(Stateless) Packet Filters

• Widespread packet filter software (Linux):
– iptables / netfilter
– nft / nftables
• Examples (iptables)
iptables -A FORWARD -s 131.234.142.33 -j ACCEPT
– All packets from source IP Address 131.234.142.33 are accepted
iptables -A FORWARD -p tcp -d 10.0.0.56 --dport 22 -j ACCEPT
– All packets using transport protocol TCP with destination address 10.0.0.56 and destination port 22 are accepted

Problems with Stateless Filtering

• Assume a typical “security policy”:
– Access from internal to external allowed
– Access from external to internal prohibited
– Example application: home network
• Naive packet filter configuration:
– outgoing packet → allow and forward
– incoming packet → reject
• Problem?
• Most internet applications would not work!

Stateful Filtering

Figure: packets between the Internal Network and the Internet
Outgoing: TCP, SYN, DST: X
Incoming (reply to the request above): TCP, SYN ACK, SRC: X
Outgoing: UDP, DNS Request, DST: Y
Incoming (reply to the request above): UDP, DNS Response, SRC: Y
Incoming (no matching outgoing request): TCP, SYN, SRC: Z
Incoming (no matching outgoing request): UDP, DNS Response, SRC: X

Stateful Packet Filters

• Stateful packet filters track current state of a connection
– More ‘intelligent’ than simple packet filters.
• Stateful packet filters keep track of sessions
– Recognise if a particular packet is part of an established connection by ‘remembering’ recent traffic history.
– Will add a temporary rule to allow the reply traffic back through the firewall.
– When “session” is finished, the temporary rule is dele
ted.
• This makes the definition of filtering rules easier to accomplish and therefore potentially more secure.
• High speed, can use relatively advanced filter rules
• Requires memory
– So can be subject to DOS (Denial of Service) attacks

Stateful Packet Filters
• Examples (iptables)
iptables -A FORWARD -m state --state NEW -i eth0 -j ACCEPT
• Accept new connections (i.e. TCP SYN) arriving on network interface eth0 (“from inside”)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
• Accept all packets which belong to an established TCP connection or are related to an existing UDP communication
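Added example (not from the lecture): a small Python simulation that replays the packet sequence of the Stateful Filtering slide through the naive stateless rule set and through a minimal stateful filter, showing why reply packets only get back in with connection tracking. Host addresses, ports and the session-expiry rules are my assumptions, and the stateful logic is a simplified model of the NEW / ESTABLISHED,RELATED handling, not the iptables implementation.

```python
from dataclasses import dataclass

# Constructed addresses for the hosts named on the slide (not from the lecture).
INSIDE = "192.0.2.10"                                      # the internal host
X, Y, Z = "198.51.100.5", "198.51.100.53", "203.0.113.9"   # external hosts


@dataclass(frozen=True)
class Packet:
    direction: str   # "out": internal -> Internet, "in": Internet -> internal
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags, e.g. "SYN", "SYN-ACK", "FIN"


def stateless_decide(pkt):
    """Naive stateless policy from the slide: forward outgoing, reject incoming.
    It cannot see that the incoming SYN-ACK is the reply to our own SYN."""
    return "ACCEPT" if pkt.direction == "out" else "REJECT"


class StatefulFilter:
    """Minimal connection tracker (simplified model of a state match): remembers
    sessions opened from inside and lets only their replies back in, i.e. the
    temporary 'reply rule' described on the slide."""

    def __init__(self):
        # key = (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.sessions = set()

    @staticmethod
    def key(pkt):
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def decide(self, pkt):
        k = self.key(pkt)
        if pkt.direction == "out":
            if pkt.proto == "tcp" and pkt.flags in ("FIN", "RST"):
                self.sessions.discard(k)   # session finished: drop temporary rule
            else:
                self.sessions.add(k)       # NEW: TCP SYN or first UDP datagram from inside
            return "ACCEPT"
        if k not in self.sessions:
            return "REJECT"                # unsolicited inbound packet
        # ESTABLISHED/RELATED: reply to a session opened from inside.
        # Simplification: one reply completes a UDP exchange (e.g. DNS) and FIN/RST
        # ends TCP; a real connection tracker additionally expires entries on timeouts.
        if pkt.proto == "udp" or pkt.flags in ("FIN", "RST"):
            self.sessions.discard(k)
        return "ACCEPT"


# The packet sequence drawn on the 'Stateful Filtering' slide, in order.
SLIDE_SEQUENCE = [
    Packet("out", "tcp", INSIDE, 40001, X, 443, "SYN"),      # TCP, SYN, DST: X
    Packet("in", "tcp", X, 443, INSIDE, 40001, "SYN-ACK"),   # TCP, SYN ACK, SRC: X
    Packet("out", "udp", INSIDE, 50002, Y, 53),              # UDP, DNS Request, DST: Y
    Packet("in", "udp", Y, 53, INSIDE, 50002),               # UDP, DNS Response, SRC: Y
    Packet("in", "tcp", Z, 51515, INSIDE, 22, "SYN"),        # TCP, SYN, SRC: Z
    Packet("in", "udp", X, 53, INSIDE, 50002),               # UDP, DNS Response, SRC: X
]


def run(decider, packets):
    """Apply a decision function to each packet in order; returns the verdicts."""
    return [decider(p) for p in packets]


def compare(packets=SLIDE_SEQUENCE):
    """Verdicts of the stateless rule set and of a fresh stateful filter."""
    return run(stateless_decide, packets), run(StatefulFilter().decide, packets)


if __name__ == "__main__":
    stateless, stateful = compare()
    for pkt, a, b in zip(SLIDE_SEQUENCE, stateless, stateful):
        print(f"{pkt.direction:>3} {pkt.proto} {pkt.flags:<7} stateless={a:<6} stateful={b}")
```

The stateless policy rejects both legitimate replies (SYN-ACK from X, DNS response from Y), which is the "most internet applications would not work" problem; the stateful filter accepts them and still rejects the unsolicited SYN from Z and the DNS response from X.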
(Stateful) Packet Filter: Evaluation
• Strengths:
– Low overhead and high throughput
– Supports almost any application
• Weaknesses:
– Unable to interpret application layer data/commands
• may allow insecure operations to occur
– Allows direct connection between hosts inside &
outside firewall
Application Level Gateway
• Inspects payload in end-to-end or proxy application
connection
• Support specific application protocols
– e.g. http, telnet, ftp, smtp etc.
– each protocol supported by a specific proxy HW/SW module
• Can be configured to filter specific user applications
– E.g. Facebook, Youtube, LinkedIn, Telegram, WhatsApp, etc
– Can filter detailed elements in each specific user application
• Can provide intrusion detection and intrusion prevention
• Very high processing load in firewall
– High volume needs high performance hardware, or else will be slow
Next Generation Firewalls
• High range model: PA-7050
– Up to 120 Gbps throughput
– Prices starting from: US$ 150,000
• High range models: 44000 / 64000
– Up to 200 / 400 Gbps throughput
– Prices starting from: US$ 200,000
Application Level Gateway: Pros & Cons
• Strengths:
– Easy logging and audit of all incoming traffic
– Provides potential for best security through control of application
layer data/commands
• Weaknesses:
– May require some time for adapting to new applications
– Much slower than packet filters
– Much more expensive than packet filters
Simple Firewall Architecture
Figure: Internet, Router / Firewall (Gateway), Internal Networks with DNS Server, Web Server, Email Server, Workstations, Production Systems and DB Server
DMZ Firewall Architecture
Figure: Internet, External Router / Firewall, DMZ (Demilitarized Zone) with DNS Server, Web Server and Email Server, Internal Router / Firewall, Internal Networks with Workstations, Production Systems and DB Server
Intrusion Detection Systems
Intrusion Detection and Prevention
• Intrusion
– Actions aimed at compromising the security of a target network (confidentiality, integrity, availability of resources)
• Intrusion detection
– The identification of possible intrusion through intrusion signatures and network activity analysis
– IDS: Intrusion Detection Systems
• Intrusion prevention
– The process of both detecting intrusion activities and managing automatic responsive actions throughout the network
– IPS: Intrusion Prevention Systems
– IDPS: Intrusion Detection and Prevention Systems
Intrusion Detection Systems:
• IDS are automated systems that detect suspicious activity
• IDS can be either host-based or network-based.
• A host-based IDS is designed to detect intrusions only on
the host it is installed on
– monitor events, changes to host’s OS files and traffic sent to the host
• Network based IDS (NIDS) detect intrusions on one or more
network segments, to protect multiple hosts
– monitor networks looking for suspicious traffic
• What can be detected:
– Attempted and successful misuse, both external and internal agents
– Known Malware: Trojan programs, viruses and worms
– DoS (Denial of Service) attacks
Network IDS Deployment
Figure: Internet, External Router / Firewall, DMZ Network (DNS Server, Web Server, Email Server) with a NIDS, Internal Router / Firewall, Internal Networks (DB Server, Production Server, Workstation) with a NIDS
Intrusion Detection Techniques
• Misuse detection
– Use attack “signatures” (need a model of the attack)
• Sequences of system calls, patterns of network traffic, etc.
– Must know in advance what attacker can do, based on known
attack patterns
– Can only detect known attacks
– Relatively few false positives
• Anomaly detection
– Using a model of normal system behavior, try to detect
deviations and abnormalities
• e.g., raise an alarm when a statistically rare event(s) occurs
– Can potentially detect unknown attacks
– Many false positives
Example: Vulnerability + Snort Rule
alert tcp $HOME_NET 445 -> any any ( msg:"OS-WINDOWS Microsoft Windows SMB
possible leak of kernel heap memory"; flow:to_client,established;
content:"Frag",fast_pattern; content:"Free"; content:"|FA FF FF|";
content:"|F8 FF FF|",within 3,distance 5; content:"|F8 FF FF|",within
3,distance 5; metadata:policy balanced-ips alert,policy security-ips
drop,ruleset community; service:netbios-ssn; reference:cve,2017-0147;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010;
classtype:attempted-recon; sid:42339; rev:2; )
Intrusion Detection Errors
• False negatives: attack is not detected
– Big problem in signature-based misuse detection
• False positives: harmless behavior is classified as attack
– Big problem in statistical anomaly detection
• Both types of IDS suffer from both error types
• Both false positives and false negatives are problematic
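Added example (not from the lecture) that runs both detection techniques from the previous slides over a constructed set of web requests and counts the two error types: misuse detection with two signatures, and anomaly detection with a per-source request-rate baseline. The events, the baseline, the signatures and the three-sigma threshold are my assumptions.

```python
import re
import statistics
from collections import Counter

# Constructed web-request events: (source_ip, request_path, is_attack).
# The is_attack label is ground truth we know only because we built the sample;
# a real IDS has no such label and must infer it.
EVENTS = (
    [("10.0.0.5", p, False) for p in ("/", "/news", "/contact")]
    + [("10.0.0.6", p, False) for p in ("/", "/about")]
    + [("10.0.0.7", "/login?user=admin' OR '1'='1", True)]              # known SQL-injection pattern
    + [("10.0.0.9", "/download?file=../../config.txt", True)]            # known path-traversal pattern
    + [("10.0.0.11", f"/api/items?id={i}&mode=x", True) for i in range(12)]  # new attack, no signature yet
    + [("203.0.113.40", f"/page/{i}", False) for i in range(10)]         # legitimate but busy crawler
)

# Constructed baseline: requests per source seen in a "normal" window, the model
# of normal behaviour that anomaly detection compares against.
BASELINE_REQUESTS_PER_SOURCE = [2, 3, 2, 1, 4, 2, 3, 3]

# Misuse detection needs a model of the attack in advance: the signatures.
SIGNATURES = {
    "sql-injection": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def misuse_detect(events):
    """Signature-based: sources that sent a request matching a known attack pattern."""
    return {src for src, path, _ in events
            if any(sig.search(path) for sig in SIGNATURES.values())}


def anomaly_detect(events, baseline, k=3.0):
    """Statistical: sources whose request count is a rare event, i.e. more than
    k standard deviations above the baseline mean."""
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    counts = Counter(src for src, _, _ in events)
    return {src for src, n in counts.items() if n > threshold}


def error_rates(alerted, events):
    """(false positives, false negatives) of an alert set against the ground truth."""
    attackers = {src for src, _, is_attack in events if is_attack}
    false_positives = sorted(alerted - attackers)   # harmless source classified as attack
    false_negatives = sorted(attackers - alerted)   # attack not detected
    return false_positives, false_negatives


if __name__ == "__main__":
    for name, alerts in (("misuse", misuse_detect(EVENTS)),
                         ("anomaly", anomaly_detect(EVENTS, BASELINE_REQUESTS_PER_SOURCE))):
        fp, fn = error_rates(alerts, EVENTS)
        print(f"{name:8} alerts={sorted(alerts)} false_positives={fp} false_negatives={fn}")
```

The signature detector has no false positive but misses the attack it has no signature for; the anomaly detector catches that attack but flags the crawler, which is the trade-off the slides describe.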
Remarks on Intrusion Detection
• Most alarms are false positives
– Requires automated or manual screening and filtering of alarms
• Most true positives are trivial incidents
– can be ignored,
– the attacks will never be able to penetrate any system
• Serious incidents need human attention
– Can be dealt with locally
– May require external expertise
• Potential for improvement through more intelligent IDS
– Fewer false positives
– Better detection of advanced attacks (APT)
Honeypots
• A honeypot:
– is a computer configured to detect network
attacks or malicious behavior,
– appears to be part of a network, and seems to
contain information or a resource of value to attackers.
• But honeypots are isolated, are never advertised and are
continuously monitored
• All connections to honeypots are by definition malicious
• Can be used to extract attack signatures
• Honeynet is an international security club, see next slide
End of
lecture
Lecture 03:
- Information Security Management
- Human Factors for Information Security
Security Management Levels
Figure (pyramid, top to bottom):
• Information Security Governance: set enterprise objectives; balance stakeholder value propositions.
• Information Security Management: achieve enterprise objectives.
• IT Security Operations
Information Security Governance
IS governance provides strategic direction, ensures objectives are achieved, manages risk appropriately, uses organizational resources responsibly, and monitors the success or failure of the enterprise security programme.
- IT Governance Institute
Benefits of IT Security
Governance
Protecting assets = creating value
• Trust from customers, partners, investors, own staff
• Reputation, brand, image
• Competitive advantage
• Prevention and reduction of losses
• Business continuity & resilience
– In case of disasters and major incidents
• Increase shareholder value
Goals of information security governance as defined by COBIT and ISACA
1. Strategic alignment of the security program
2. Risk management
3. Value delivery
4. Resource management
5. Performance measurement
Characteristics of good IS Governance
Managed as a business-wide issue
• Alignment of frameworks, policies and activities
Viewed as business requirement
• Seen as essential for sustainable business operations
Leaders are informed
• Leaders understand security risks and get regular reviews
Leaders take responsibility
• Visible leaders who set clear goals and priorities
Risk-based priorities
• Tolerances to risk understood and established
Roles & responsibilities defined
• Clear segregation of duties
Information security management
Includes:
• Development and maintenance of security policies
– Goals, rules and practice for IS
• Planning and organisation of the security activities
– Information Security Management System (ISMS)
• Inventory and classification of resources and Information
• Threat and risk assessment
• Reporting and coordination with top level management
• Deployment and maintenance of security controls
• Security education and training
• Incident response and business continuity planning
IS Management Standards
• ISO/IEC 27K security standards:
– ISO: International Standards Organization
– ISO 27001: Information Security Management System (ISMS)
– ISO 27002: Code of practice for information security controls
– + many more
– ISO/IEC standards cost money
• USA
– NIST (National Institute of Standards and Technology) Special Publications 800 series
– Cover similar topics to ISO 27K
– NIST standards are free
ISO/IEC 27000 family of standards and related standards as of Oct. 2013
Figure (family map), reconstructed as a list:
• Vocabulary: 27000 Overview and vocabulary
• Requirements: 27001 ISMS requirements; 27006 Requirements for bodies providing audit and certification
• Guidelines: 27002 Code of practice; 27003 Implementation guidance; 27004 Measurements; 27005 Risk management; 27007 Guidelines for ISMS auditing; 27008 Guidance for auditors on controls (TR); 27013 27001 + 20000-1 (integrated implementation); 27014 Governance; 27016 Organizational economics
• Sector-specific guidelines: 27010 Inter-sector and inter-organizational communications; 27011 Telecommunications; 27015 Financial services; 27017 Cloud computing services; 27018 Data protection controls for public cloud computing services; 27019 Process control systems (TR); 27799 Health
• Application areas: 27031 Business continuity; 27032 Cyber security; 27033 Network security; 27034 Application security; 27035 Incident management; 27037 Digital evidence
• Related standards: 31000 Risk management principles and guidelines; 31010 Risk assessment techniques; 17000 Conformity assessment vocabulary and general principles; 17021 Requirements for bodies providing audit and certification of management systems; 19011 Guidelines for auditing management systems
• 1995: BS 7799: Code of Practice for Information Security Management
• 1999: BS 7799-2: Information Security Management System (ISMS)
• 2001: BS 7799 → ISO/IEC 17799; BS 7799-2 → ISO/IEC 17799-2
• 2005: ISO/IEC 17799 and ISO/IEC 17799-2 → ISO/IEC 27001 and ISO/IEC 27002
• 2013: ISO Management Standards Alignment
- ISO/IEC 27001: ISMS
- ISO/IEC 27002: Code of Practice for Information Security Controls
• 2019: Major changes to ISO/IEC 27001: ISMS planned
ISO/IEC 27001:2013
• ISO 27001 specifies requirements for establishing,
implementing, maintaining and continually improving an
information security management system (ISMS) within
the context of the organization.
• ISMS is a holistic approach to IS management
– … not an IT system
• While the ISO 27002 (code of practice) defines a set of
security goals and controls, ISO 27001 (ISMS) defines
how to manage the implementation of security controls.
• Organizations can be certified against ISO 27001
– … but not against ISO 27002
• ISO 27001 is to be used in conjunction with ISO 27002
ISMS Cycle
Figure: the cycle consists of Planning, Risk Assessment, Security Controls, Evaluation and Reporting
• The ISMS cycle is an interpretation of ISMS (ISO 27001).
• The steps in the cycle are done in parallel.
• Good IS management requires that all steps are implemented
IS program phases (CISSP 7th Ed., p. 41)
1. Plan and organise
• Establish mgmt commitment and high level IS policy
• Define roles and committees
• Assess threats, vulnerabilities and risk
• Identify and plan security solutions and controls
2. Implement
• Assign roles and responsibilities
• Develop specific IS policies and procedures
• Implement security solutions and controls
3. Operate and maintain
• Execute security operations tasks
• Carry out internal and external audit
• Develop monitoring and metrics for security controls
4. Monitor and evaluate
• Review audits, monitoring and metrics
• Assess goal accomplishment
• Identify areas for improvement, and integrate in phase 1.
ISO/IEC 27002
Code of practice for information security controls
• ISO 27002 provides a checklist of general security controls to be
considered implemented/used in organizations
– Contains 14 categories (control objectives) of security controls
– Each category contains a set of security controls
– In total, the standard describes 113 generic security controls
• Not all controls are relevant to every organisation
• Objective of ISO 27002:
• “… gives guidelines for […] information security management
practices including the selection, implementation and management
of controls taking into consideration the organization’s information
security risk environment(s).”
The 14 Control Objectives of ISO/IEC 27002:2013
• Information security policy
• Security organization
• Human resources security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• Supplier relationships
• System acquisition, development and maintenance
• Incident management
• Business continuity
• Compliance
20 CSC: Critical Security Controls
• Alternative to ISO/IEC 27002
• https://www.cisecurity.org/controls/
• Description of each control:
– Why control is critical
– How to implement controls
• Specific tasks
– Procedures and tools
• Advice on implementation
– Effectiveness metrics
– Automation metrics
• How to automate effectiveness metrics
– Effectiveness tests
– System entity relationship diagram
• Relevant architecture integration
20 CSC: Critical Security Controls
Figure (overview of the 20 controls):
• Inventory of Hardware
• Inventory of Software
• Continuous Vulnerability Management
• Control of Admin. Privileges
• Secure Configuration
• Analysis of Audit Logs
• Email and Browser Protections
• Malware Defenses
• Control of Ports, Protocols and Services
• Data Recovery Capabilities
• Configuration of Firewalls, Routers and Switches
• Boundary Defense
• Data Protection
• Need-to-know Access Control
• Wireless Access Control
• Account Control
• Security Awareness
• Application Security
• Incident Response
• Pentesting
Evaluation of the ISMS
through Security
Measurements
• What is the effectiveness of a security control?
– You have to measure it to know it.
• Security measurements provide
– info about how well security controls work
– basis for comparing effect of controls on risks
– benchmark for assessing security investments
Why do we care? Example
• The CEO asks, “Is our network perimeter secure?”
• Without metrics:
“Well, we installed a firewall, so it must be.”
• With metrics:
“Yes, our evidence tells us that we are. Look at our
intrusion statistics before and after we completed that
firewall project. It’s down 80%. We are definitely more
secure today than we were before.”
IS Measurement Model (ISO 27004)
1) Information needs about:
– Security controls
– Security processes
– Policy and awareness
– Compliance
2) Select data sources and collect relevant data*:
– Logs from systems
– Questions to people
– Observations
– Data mining
3) Analyze data:
– Manage raw data
– Sanitize data
– Categorize data
– Apply analytical model: Basic → Derived → Indicator
4) Measurement results:
– Discover new knowledge
– Identify new info needs
– Make decisions
– Present results
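Added example (not from the lecture or ISO 27004 itself) that walks the CEO question through the measurement model: a constructed IDS alert log is sanitized (duplicates dropped), counted into a base measure, normalised into a derived measure (intrusions per 30 days before and after the firewall project), and judged as an indicator against a decision criterion. The alert records, dates and the 50 % target are my assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Alert:
    alert_id: str
    day: date
    confirmed: bool   # True when analysts confirmed a real intrusion (categorised data)


# Constructed IDS alert log (the data source). The project completion date and the
# duplicate record from a re-sent batch are part of the construction.
CUTOVER = date(2021, 3, 1)   # day the firewall project was completed
PERIOD_START, PERIOD_END = date(2021, 1, 1), date(2021, 4, 30)
RAW_ALERTS = (
    [Alert(f"B-{i:02d}", date(2021, 1, 1 + 2 * i), True) for i in range(10)]    # 10 confirmed before
    + [Alert(f"B-{i:02d}", date(2021, 2, 1 + i), False) for i in range(10, 13)]  # 3 false alarms before
    + [Alert("B-03", date(2021, 1, 7), True)]                                     # duplicate of B-03
    + [Alert(f"A-{i:02d}", date(2021, 3, 2 + 5 * i), True) for i in range(2)]    # 2 confirmed after
    + [Alert(f"A-{i:02d}", date(2021, 4, 1 + i), False) for i in range(2, 6)]    # 4 false alarms after
)


def sanitize(alerts):
    """Step 3, manage and sanitize raw data: drop records with a duplicate alert id."""
    seen, clean = set(), []
    for a in alerts:
        if a.alert_id not in seen:
            seen.add(a.alert_id)
            clean.append(a)
    return clean


def base_measure(alerts, start, end):
    """Base measure: number of confirmed intrusions with start <= day < end."""
    return sum(1 for a in alerts if a.confirmed and start <= a.day < end)


def derived_measure(alerts, cutover, start=PERIOD_START, end=PERIOD_END):
    """Derived measure: confirmed intrusions per 30 days before and after the cutover,
    so that periods of different length are comparable."""
    before = base_measure(alerts, start, cutover) * 30 / (cutover - start).days
    after = base_measure(alerts, cutover, end) * 30 / (end - cutover).days
    return before, after


def indicator(alerts, cutover=CUTOVER, target_reduction=0.5):
    """Indicator: percent reduction of the intrusion rate, judged against the decision
    criterion 'at least target_reduction'. Returns (percent, status)."""
    before, after = derived_measure(alerts, cutover)
    reduction = 1 - after / before if before else 0.0
    status = "on target" if reduction >= target_reduction else "below target"
    return round(reduction * 100), status


if __name__ == "__main__":
    print("raw data:      ", indicator(RAW_ALERTS))
    print("sanitized data:", indicator(sanitize(RAW_ALERTS)))
```

Skipping the sanitize step inflates the "before" count and therefore the reported reduction, which is why the model puts data management ahead of the analytical model.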
Measurement: ISMS integration
Figure: the four measurement steps mapped onto the ISMS cycle (Planning, Risk Assessment, Security Controls, Evaluation, Reporting): 1 Information needs (Security Controls), 2 Data collection, 3 Analyze data (Evaluation), 4 Measurement results (Reporting)
CMMI
Capability Maturity Model Integration for Information Security Management
Figure (maturity ladder):
0: No security processes
1: Initial / Ad Hoc processes
2: Repeatable but intuitive processes
3: Defined processes
4: Managed and measurable
5: Optimized / Cultural
CMM levels 1 - 3
1. Initial / Ad Hoc
+ Processes are ad-hoc and disorganised.
+ Risks are considered on an ad hoc basis, but no formal processes
exist.
2. Repeatable but intuitive
+ Processes follow a regular pattern.
+ Emerging understanding of risk and the need for security
3. Defined process
+ Processes are documented and communicated.
+ Company-wide risk management.
+ Awareness of security and security policy
CMM levels 4 - 5
4. Managed and measurable
+ Processes are monitored and measured.
+ Risks assessment standard procedures
+ Roles and responsibilities are assigned
+ Policies and standards are in place
5. Optimized
+ Security culture permeates organisation
+ Organisation-wide security processes are implemented, monitored
and followed
The human factor in information security
• Personnel integrity
• Making sure personnel do not become insider attackers
• Personnel as defence
• Making sure personnel do not fall victim to social engineering
attacks
• Cybersecurity Culture in Organisations
• Stimulate behaviour which strengthens security
• Security usability
• Making sure users operate security correctly
Personnel Integrity: Preventing employees from becoming attackers
• Consider:
– Employees
– Executives
– Customers
– Visitors
– Contractors & Consultants
• All these groups obtain some form of access
privileges
• How to make sure privileges are not abused?
Personnel crime statistics
• Organisations report that a large proportion of computer
crimes originate from inside:
• US Statistics (PWC) 2016—2020
– 28% had insider attacks, 32% very concerned about insider
threats
• Australian Statistics (CERT Australia) 2019
– 14% had insider attacks, 60% very concerned about insider
threats
• KRISINO 2020
– 28% of enterprises had experienced insider attacks.
Strengthening employee integrity
• Difficult to determine long term integrity of staff at hiring
– Integrity can change, influenced by events
• All personnel should follow security awareness training
• Reminders about security policy and warnings about
consequences of intentional breach of policy
– Will strengthen power of judgment
• Personnel in highly trusted positions must be supported,
trained and monitored
• Support and monitor employees in difficult situations:
• conflict, loss of job, personal problems
• Always try to stay on good terms with staff.
Personnel Departure
• Different reasons for departure
– Voluntary
– Redundancy
– Termination
• Different types of actions
– Former employee may keep some privileges
– Revoke all privileges
– Escort to the exit.
• Staff who lose their job due to redundancy are at greater risk of becoming insider attackers. To mitigate this risk:
– The redundancy process must be seen as fair
– Try to keep a good dialogue
– … even with staff who feel they are being treated badly
• During the exit interview, review the original employment agreement (i.e. non-compete, wrongful disclosure, etc.)
Social engineering attacks
Where people are the defence
Social Engineering Attacks
• According to Kevin Mitnick:
– “The biggest threat to the security of a company is not
a computer virus, an unpatched hole in a program, or a
badly installed firewall. In fact the biggest threat could
be you.”
– “What I found personally to be true was that it’s easier
to manipulate people rather than technology. Most of
the time, organisations overlook that human element”.
From “How to hack people”, BBC News Online, 14 Oct 2002
Types of Social Engineering Attacks
• Technical Social-Engineering Attacks
– Electronic contact with victims
– Email, telephone, messaging, social networks,
websites
– Multi-channel attacks
• In-Person Social-Engineering Attacks
– Manipulate people face-to-face in person
– Convince victims to perform actions which compromise security
– Open doors, give physical access, provide IT resources
UiO Autumn 2019 L05 - IN2120 32
Phishing Attacks
• A kind of social-engineering attack in which criminals use spoofed emails to trick people into sharing sensitive information or installing malware on their computer
• Phases
1. Sending phishing email, getting through spam-filters, and landing in victim’s inbox
• Increasingly difficult to get through email filtering (SPF, DKIM, DMARC)
• Content must be sufficiently credible to trick the user
2. The victim taking the suggested action in the message
• Go to a fake website
• Replying with sensitive information
• Installing malware
3. The criminals exploiting and monetizing the stolen information
Types of Phishing
• Mass Phishing – Mass, large-volume attack intended to reach
as many people as possible
• Spear Phishing – Targeted attack directed at specific
individuals or companies using gathered information to
personalize the message and make the scam more difficult to
detect
• Whaling – Type of spear phishing attack that targets “big fish,”
including high-profile individuals or those with a great deal of
authority or access
• Clone Phishing – Spoofed copy of a legitimate and previously
delivered email, with original attachments or hyperlinks
replaced with malicious versions, which is sent from a forged
email address so it appears to come from the original sender or
another legitimate source
Detect a Phishing Scam
• Spelling errors (e.g., “passward”), lack of punctuation or
poor grammar
• Hyperlinked URL differs from the one displayed, or it is
hidden
• Threatening language that calls for immediate action
• Requests for personal information
• Announcement indicating you won a prize or lottery
• Requests for donations
• Be skeptical, use common sense
Protect Yourself: Refuse the Bait
• STOP. THINK. CONNECT.
– Before you click, look for common baiting tactics, ask colleagues
• Be extremely careful about clicking on links in an email
– Use your computer mouse to hover over each link to verify its actual destination, even if the message appears to be from a trusted source
– Pay attention to the URL and look for a variation in spelling or different domain (e.g., ndsu.edu vs. ndsu.com)
– Consider navigating to familiar sites on your own instead of using links within messages
• Examine websites closely
– Malicious websites may look identical to legitimate sites
– Look for “https://” or a lock icon in the address bar before entering
any sensitive information on a website
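Added example (not from the lecture): a Python link checker that automates three of the indicators from the two previous slides for an HTML mail body: a target that is not https, a hyperlinked URL that differs from the one displayed, and a look-alike of the organisation's own domain (the slide's ndsu.edu vs. ndsu.com). The allow-list, the sample mail and the crude two-label site name are my assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list of the organisation's own domains (the slide's ndsu.edu example).
TRUSTED_DOMAINS = {"ndsu.edu"}


def registrable(host):
    """Crude site name: the last two labels of a hostname (www.ndsu.edu -> ndsu.edu).
    Good enough for this example; a real check would use the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def displayed_host(text):
    """Host named in the visible link text, if that text looks like a URL or hostname."""
    host = urlsplit(text if "://" in text else "//" + text).hostname or ""
    return host if "." in host else None


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, [reasons])] for links showing the indicators from the slides:
    no https, hyperlinked URL differing from the displayed one, look-alike domain."""
    parser = LinkExtractor()
    parser.feed(html)
    trusted_names = {d.split(".")[0] for d in trusted}   # e.g. {"ndsu"}
    findings = []
    for href, text in parser.links:
        target = urlsplit(href)
        host = (target.hostname or "").lower()
        site = registrable(host)
        reasons = []
        if target.scheme == "http":
            reasons.append("no https")
        shown = displayed_host(text)
        if shown and registrable(shown) != site:
            reasons.append(f"displays {shown} but links to {host}")
        if site not in trusted and trusted_names & set(host.split(".")):
            reasons.append(f"look-alike of {', '.join(sorted(trusted))} at {site}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed HTML mail body: one forged link, one genuine link, one look-alike host.
SAMPLE_EMAIL = """
<p>Your mailbox will be suspended. Verify now:
<a href="http://ndsu.com/verify">https://www.ndsu.edu/account</a></p>
<p>Campus news: <a href="https://www.ndsu.edu/news">www.ndsu.edu/news</a></p>
<p><a href="https://www.ndsu.edu.example.net/login">Login</a></p>
"""

if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```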
In case you took the bait:
Protect Yourself: Take Action Now
If you suspect that … / You should …
• You interacted with, or replied to a phishing scam:
– Immediately contact your help desk, or other relevant entity.
• You might have revealed or shared personal or financial information:
– Immediately change the password(s) for your account(s). If you use the same password for multiple accounts and sites, change it for each account. Do not reuse that password in the future.
– Watch for signs of identity theft by reviewing your bank and credit card statements for unauthorized charges and activity. If you notice anything unusual, immediately contact your credit card or bank.
– Consider reporting the attack to the police.
Social Engineering Tactics
• Neuro-Linguistic Programming (NLP)
• Develop Trust
• Induce strong affect
• Information overload
• Reciprocation
• Diffusion of responsibility and moral duty
• Authority
• Commitment creep
SE Tactics: Neuro-Linguistic Programming (NLP)
• Mirror their target’s body language
– Match the voice, tone and body language of their victim.
– Match the breathing rate, voice and vocabulary
– Use common industry or company jargon
• Produces an affective connection with the target on a
subconscious level
• Frequently used by salespeople to get clients to like them
SE Tactics: Develop Trust
– People are naturally helpful and trusting
– Ask during seemingly innocent conversations
– Slowly ask for increasingly important information
– Learn company lingo, names of key personnel, names
of servers and applications
– Cause a problem and subsequently offer your help to
fix it (aka. reverse social engineering)
– Talk negatively about common enemy
– Talk positively about common hero
SE Tactics: Induce strong affect
– Heightened emotional state makes victim
• Less alert
• Less likely to analyse deceptive arguments
– Triggered by attacker by creating
• Excitement (“you have won a prize”)
• Fear (“you will lose your job”)
• Confusion (contradictory statements)
SE Tactics: Information overload
• Reduces the target’s ability to scrutinize arguments proposed by the attacker
• Triggered by
– Providing large amounts of information to produce sensory overload
– Providing arguments from an unexpected angle, which forces the victim to analyse the situation from a new perspective, which requires additional mental processing
SE Tactics: Reciprocation
• Exploits our tendency to return a favour
– Even if the first favour was not requested
– Even if the return favour is more valuable
• Double disagreement
– If the attacker creates a double disagreement, and
gives in on one, the victim will have a tendency to give
in on the other
• Expectation
– If the victim is requested to give the first favour, he will
believe that the attacker becomes a future ally
SE Tactics: Diffusion of responsibility and moral duty
• Make the target feel that he or she will not be held responsible for actions
• Make the target feel that satisfying the attacker’s request is a moral duty
SE Tactics:
Authority
• People are conditioned to obey authority
– Milgram and other experiments
– Considered rude to even challenge the veracity of an authority claim
• Triggered by
– Faking credentials
– Faking to be a director or superior
– Skilful acting (con artist)
SE Tactics:
Commitment creep
• People have a tendency to follow commitments, even
when recognising that it might be unwise.
• It’s often a matter of showing personal consistency and
integrity
• Triggered e.g. by creating a situation where one
commitment naturally or logically follows another.
– First request is harmless
– Second request causes the damage
Multi-Level Defence against Social Engineering Attacks
Source: David Gragg: http://www.sans.org/rr/whitepapers/engineering/
6: Offensive Level: Incident Response
5: Gotcha Level: Social Engineering Detectors
4: Persistence Level: Ongoing Reminders
3: Fortress Level: Resistance Training for Key Personnel
2: Awareness Level: Security Awareness Training for all Staff
1: Foundation Level: Security Policy to Address SE Attacks
SE Defence: Foundation
• The security policy must address SE attacks
– Policy is always the foundation of information security
• Address e.g.: Shredding, Escorting, Authority obedience
• Ban practice that is similar to social attack patterns
– Asking for passwords over the phone is a typical SE attack method
→ Therefore never provide passwords over the phone
– Calling a user and pretending to represent the IT department is a typical SE attack
→ Therefore never call the user, or make it possible/mandatory for the user to authenticate the IT department
– Calling the IT dep. and pretending to be a user is a typical SE attack
→ Therefore make it possible/mandatory for the IT department to authenticate the user
SE Defence: Awareness
• Security awareness training for all staff
– Understanding SE tactics
– Learn to recognise SE attacks
– Know when to say “no”
– Know what is sensitive
– Understand their responsibility
– Understand the danger of casual conversation
– Friends are not always friends
– Passwords are personal
– Uniforms are cheap
• Awareness of policy shall make personnel feel
that the only choice is to resist SE attempts
SE Defence: Fortress
• Resistance training for key personnel
– Consider: Reception, Help desk, Sys.Admin., Customer service
• Fortress training techniques
– Inoculation
• Expose to SE arguments, and learn counterarguments
– Forewarning
• of content and intent
– Reality check:
• Realising own vulnerability
SE Defence:
Persistence
• Ongoing reminders
– SE resistance will quickly diminish after a training
session
– Repeated training
– Reminding staff of SE dangers
• Posters
• Messages
• Tests
SE Defence: Gotcha
• Social Engineering Detectors
– Filters and traps designed to expose SE attackers
• Consider:
– The justified Know-it-all
• Person who knows everybody
– Centralised log of suspicious events
• Can help discover SE patterns
– Call backs mandatory by policy
– Key questions, e.g. personal details
– “Please hold” mandatory by policy
• Time to think and log event
– Deception
• Bogus question
• Login + password of “alarm account” on yellow sticker
SE Defence:
Offensive
• Incident response
– Well defined process for reporting and reacting to
• Possible SE attack events,
• Cases of successful SE attacks
• Reaction should be vigilant and aggressive
– Go after SE attacker
– Proactively warn other potential victims
Cybersecurity Culture in
Organisations
Cybersecurity Culture
• Definition: (ISACA)
The knowledge, beliefs, perceptions, attitudes,
assumptions, norms and values of people regarding
cybersecurity and how they manifest themselves in
people’s behavior with information technologies.
• The objective of developing a cybersecurity culture is to stimulate employees’ behaviour to support cybersecurity in the organisation.
Behaviour for Cybersecurity
• Types of human behavior which affect security
– Your understanding of cyber threats
– Your perception of the value and sensitivity of information
– Your perception of risk
– Your awareness of security policies
– Your ability and willingness to follow security policies
– Your attitude to policy breaches by colleagues
– How you report / deal with security incidents
– How you manage passwords
– How you handle devices (exclusive use or sharing with family/friends)
– Your motivations and fears
– Your integrity
Behaviour Model
Fogg’s Behaviour Model says that Behavior (B) happens when Motivation (M), Ability (A) and Triggers (T) come together at the same moment.
Stimulation of Security Culture (stimulation factor: general action → example action)
• Capability
– Redesign policies & tools → Review & change policies & tools
– Education → Build employee security skills
– Skill-building → Practical training
• Motivation
– Restrict → Remove admin rights
– Awareness campaigns → Security culture programme
– Incentives → ‘Good security’ awards, security performance as Key Performance Indicator
– Nudge/Prompt → Alerts & reminders
– Organisational response → Visible organisational reaction to all policy breaches & errors
• Opportunity
– Engage employees in security review/design → Identify policies & tools that cause friction
– Security champion → Identify & support employees who want to build security skills
• Audit
– ISO/IEC 27001 / 27002 audit results → Audits are the most common metrics, but do not cover the full spectrum of social and psychological items that influence human behavior.
End of Lecture
Lecture 7
• Risk Management
• Business Continuity Management
What is risk?
• ISO 31000 Risk Management:
– “Risk is the effect of uncertainty on objectives”
– No distinction between positive and negative effects of uncertainty
– This definition is very general, and too abstract for IS risk assessment
– But ISO 31000 also says: Risk is often expressed as the combination of the likelihood of occurrence of an event and the associated consequences of the event.
• ISO 27005 (Information Security Risk)
– “Risk is the potential that a given threat will exploit vulnerabilities of assets and thereby cause harm to the organization.”
• Harris, CISSP 8th ed.:
– “Risk is the likelihood of a threat agent taking advantage of a vulnerability and the resulting business impact.” (Glossary p.1292)
Risk Categories
Strategic Risk
• Risk related to long-term strategies and plans
• Disruptive technological development
• New competitors in the market
• Changing laws, regulation and politics
• Unstable global economy
Financial Risk
• Risk related to the financial situation of the organization
• Return on investments
• Sales and price levels in the market
• Cost of operations
• Liquidity
Operational Risk
• Risk related to events with negative impact on operations
• Accidents and failures
• Natural events (flood, fire)
• Intentional adversarial actions
• Information security and cyber incidents
General IS Risk Model (NSM)
Figure: Assets, Threats and Vulnerabilities together determine the General Risk
• General model for information-security risk
– The more assets you have, the more threats you are exposed to, and the more vulnerable you are, then the greater the risk.
Assets, Threats and Vulnerabilities
• Asset: Something which is of value to the organization.
– The CIA properties of concrete assets, e.g. servers and equipment
– The CIA and privacy properties of data
• Threat: A scenario of steps or procedures, controlled or triggered by a threat actor, which can negatively affect the victim’s information assets.
• Vulnerability: The absence of security controls to stop a threat scenario.
Examples (table):
– Risk: business disruption, finance losses, loss of privacy, damage to reputation, loss of confidence, legal penalties, impaired growth, loss of life
– Threats: angry employers, dishonest staff, criminals, governments, terrorists, press, hackers, nature
– Vulnerabilities: software bugs, broken processes, ineffective controls, hardware flaws, business change, legacy system, inadequate BCP, human error
Detailed risk model
• Each specific risk results from a threat scenario that can affect specific assets.
• Motivation, capacity, vulnerability and impact determine the risk level for that specific risk:
  – Threat actor (TA) motivation and TA capacity together give the TA strength
  – TA strength and the vulnerability of the asset give the likelihood of the threat scenario becoming an incident
  – Likelihood and the impact to the asset give the risk level
• The relevant combination of a threat scenario, vulnerabilities, and the resulting incident and impact represents a single specific risk
• All relevant specific risks should be identified
• All relevant specific risks should be identified

Threats / incidents     | Vulnerabilities      | Asset impacts
Password compromise     | Weak passwords       | Deleted files
SQL injection           | Poor awareness       | Stolen files
Logical bomb in SW      | No input validation  | Corrupted files
Trojan infects clients  | Outdated antivirus   | Intercepted traffic
Cryptanalysis of cipher | Weak ciphers         | False transaction
Brute force attack      | Short crypto keys    | Process disruption
Social engineering      | Poor usability       | Damaged reputation
…                       | …                    | …
Many Risks
• Multiple different threats (scenarios) can be identified
• Each threat can potentially cause a (different) incident
• Each potential incident has a risk level
• Multiple threats → many risks
The level of a specific risk
• Practical risk analysis typically considers two factors to determine the level of each risk:
  1. Likelihood / frequency of each type of incident
  2. Impact on assets (loss) resulting from each type of incident
• Risk level = (likelihood/frequency of the threat scenario causing an incident) × (impact of the incident on the asset)
Risk Management standards

• ISO 31000 Risk Management


• ISO 27005 Information Security Risk Management
• NIST SP800-39 Managing Information Security Risk
• NIST SP800-30 Guide for Conducting Risk Assessment
– formerly called “Risk Management Guide for
Information Technology Systems”
What is risk management?
• “Risk management consists of coordinated
activities to direct and control an organization
with regard to risk.”
– ISO 31000

• “IS risk management analyses what can happen


and what the possible consequences can be,
before deciding what should be done and when,
to reduce risk to an acceptable level.”
– ISO 27005
Risk Management Process: ISO 31000

• ISO 31000 is a general standard for risk


management applicable to different
sectors
• The same approach is applicable to IS
risk management
Basis for assessing risk

• Know the assets: identify and understand the value of


information assets and systems.
• Know the threats: identify and understand relevant threat
scenarios which can harm information assets and systems.
• Know the vulnerabilities which can be exploited by threats.
• Know the potential impacts of incidents.
• Know which stakeholders in the organisation are
responsible for managing the identified risks.
Risk management process ISO 27005
1. Information Security Strategy
2. Planning: organization, approach, scope, risk criteria
3. Risk Assessment: risk identification, risk analysis, risk evaluation, communication
4. Risk Decision Point 1: assessment satisfactory? If not, return to planning and assessment
5. Risk Treatment Plan: risk reduction, risk transfer, risk retention, risk avoidance, communication
6. Risk Decision Point 2: treatment satisfactory? If not, return to the treatment plan
7. Accepted Residual Risk (risk communication)
8. Implement Risk Treatment Plan (security controls)
Risk assessment process ISO 27005
1. Planning
2. Risk identification
   • Identification of assets
   • Identification of threats
   • Identification of existing controls
   • Identification of vulnerabilities
   • Identification of consequences
3. Risk analysis
   • Assess asset values and impacts
   • Assess incident likelihood/frequency
   • Determine/compute risk levels
4. Risk evaluation
   • Rank risks
   • Compare risks with criteria
5. Decide whether the risk assessment is satisfactory
Roles involved in risk management
• Management, users, and information technology must all work together
  – Asset owners must participate in developing the asset inventory
  – Users and experts must assist in identifying threats and vulnerabilities, and in determining likelihoods of incidents
  – Risk management experts must guide stakeholders through the risk assessment process
  – Security experts must assist in selecting security controls
  – Management must review the risk management process and approve the risk management strategy (security controls)
Risk Management – ISMS integration
• Risk management is an essential element of the ISMS
  – Used to identify risks and their magnitude
  – Basis for selecting security controls
  – Tool for top management to understand the organization's risk exposure
• ISMS cycle: Planning → Risk Assessment → Security Controls → Evaluation → Reporting → back to Planning
Asset and Impact Valuation
• Identify relevant assets, and define relevant security aspects
• For example, which information assets are the most critical to the organization's success with regard to the following aspects:
  1. generates the most revenue/profitability?
  2. is the most important for legal compliance (e.g. GDPR)?
  3. would be the most embarrassing if compromised?
• Valuation
  – Estimate impact on assets from the combined set of aspects
  – Example impact level computation using the coproduct ("OR" rule):
    • Let p_i denote the relative impact on asset aspect i, with value in [0,1]
    • Coproduct of two aspects: p1 ∐ p2 = p1 + p2 − p1·p2
    • Coproduct of three aspects: p1 ∐ p2 ∐ p3 = (p1 ∐ p2) ∐ p3 = p1 + p2 + p3 − p1·p2 − p1·p3 − p2·p3 + p1·p2·p3
    • In general p1 ∐ … ∐ pn = 1 − (1−p1)(1−p2)…(1−pn): the total impact is the chance that at least one aspect is hit, treating the aspects as independent, so it never exceeds 1 and the order of the aspects does not matter
  – The relative impact levels can be mapped to qualitative levels
Example Asset and Impact Valuation
Information asset (corresponding incident)        | Aspect 1: impact on revenue/profit | Aspect 2: impact on legal compliance | Aspect 3: impact on public image | Total impact of incident (coproduct)
System and network availability (unavailability)   | 0.9 | 0.0 | 0.2 | 0.92
Product data (loss of) integrity                   | 0.4 | 0.0 | 0.0 | 0.40
Customer profiles (loss of) integrity              | 0.5 | 0.0 | 0.0 | 0.50
Customer profiles (loss of) confidentiality        | 0.0 | 0.8 | 0.5 | 0.90
Customer credentials (loss of) confidentiality     | 0.9 | 0.0 | 0.4 | 0.94
Web page integrity (defacement)                    | 0.1 | 0.0 | 0.1 | 0.19
User support (un)availability                      | 0.2 | 0.0 | 0.1 | 0.28
• All values are relative in the interval [0, 1]
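The coproduct rule carried through in code, as an added example that is not part of the lecture slides: it generalises the two- and three-aspect formulas to any number of aspects (via 1 − ∏(1−p_i)) and reproduces the table above. The cut-off points used to map relative impact to the qualitative scale are an assumption of this example, not something the slides define.

```python
"""Asset and impact valuation with the coproduct ("OR") rule.

Added example (not from the lecture slides): generalises the two- and
three-aspect coproduct formulas to any number of aspects and reproduces
the "Example Asset and Impact Valuation" table.
"""
from functools import reduce


def coproduct(*impacts):
    """Combine relative impacts p_i in [0, 1] with the OR rule.

    p1 ∐ p2 = p1 + p2 - p1*p2, applied left to right.  This equals
    1 - prod(1 - p_i), so the operand order does not matter and the
    result never exceeds 1.
    """
    for p in impacts:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"relative impact out of range: {p}")
    return reduce(lambda a, b: a + b - a * b, impacts, 0.0)


def qualitative_level(p):
    """Map a relative impact in [0, 1] to the lecture's qualitative impact scale.
    The cut-off points are an assumption made for this example."""
    if p >= 0.8:
        return "Major"
    if p >= 0.4:
        return "Moderate"
    if p >= 0.1:
        return "Minor"
    return "Insignificant"


# Rows of the slide's table: (asset / incident, revenue, legal compliance, public image)
ASSETS = [
    ("System and network availability (unavailability)", 0.9, 0.0, 0.2),
    ("Product data (loss of) integrity",                  0.4, 0.0, 0.0),
    ("Customer profiles (loss of) integrity",             0.5, 0.0, 0.0),
    ("Customer profiles (loss of) confidentiality",       0.0, 0.8, 0.5),
    ("Customer credentials (loss of) confidentiality",    0.9, 0.0, 0.4),
    ("Web page integrity (defacement)",                   0.1, 0.0, 0.1),
    ("User support (un)availability",                     0.2, 0.0, 0.1),
]


def valuation_table(assets=ASSETS):
    """Return [(name, total_impact, qualitative_level)] sorted by impact, highest first."""
    rows = []
    for name, *aspects in assets:
        total = coproduct(*aspects)
        rows.append((name, round(total, 2), qualitative_level(total)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, total, level in valuation_table():
        print(f"{total:.2f}  {level:<13} {name}")
```

Because the coproduct is associative and commutative, the same function serves an asset profile with any number of aspects; adding a fourth aspect (say, safety) needs no new formula.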
Threat Modelling
• Threat modelling is the process of identifying, analysing and
describing relevant threat scenarios.
• Unimportant/irrelevant threat scenarios can be ignored.
• Examine how each relevant threat scenario can be executed
against the organization’s assets.
• The threat modelling process works best when people with diverse
backgrounds within the organization work together in a series of
brainstorming sessions.
• Threat modelling is important during system development
– Used to identify, remove and avoid vulnerabilities when developing
software and systems.
• Multiple approaches/methods for threat modelling
Threat Modelling Methods
• Attacker-centric
– Starts from attackers, evaluates their goals, and how they might
achieve them through attack tree. Usually starts from entry points or
attacker action.
• System-centric (aka. SW-, design-, architecture-centric)
– Starts from model of system, and attempts to follow model
dynamics and logic, looking for types of attacks against each
element of the model. This approach is e.g. used for threat
modeling in Microsoft's Security Development Lifecycle.
• Asset-centric
– Starts from assets entrusted to a system, such as a collection of
sensitive personal information, and attempts to identify how security
breaches of CIA properties can happen.
Vulnerability Identification
• Vulnerabilities are specific opportunities that threat actors can exploit
to attack systems and information assets.
• Generic vulnerability identification
– To identify a vulnerability is the same as to determine how to block
a specific threat scenario.
– Removing a vulnerability is the same as blocking a threat.
– A vulnerability is the absence of barriers against a threat.
– Blocking a threat (i.e. removing a vulnerability) is done with a
security control.
• Tool-based and checklist-based vulnerability identification
  – Vulnerability scanners are automated tools to detect known vulnerabilities in networks and systems, e.g. OpenVAS or Nessus (a packet analyser such as Wireshark captures traffic but is not a vulnerability scanner)
  – Check lists of vulnerabilities are used by teams when doing risk assessment and removing vulnerabilities, e.g. OWASP Top 10.
Estimating risk levels
Types of analysis
• Qualitative
– Uses descriptive scales. Example:
• Impact level: Minor, moderate, major, catastrophic
• Likelihood: Rare, unlikely, possible, likely, almost certain
• Relative
– Relative numerical values assigned to qualitative scales
– Gives relatively good distribution of risk levels
• Quantitative
– Use numerical values for both consequence (e.g. $) and
likelihood (e.g. probability value)
Qualitative likelihood scale (likelihood increases from bottom to top)
Likelihood | Description
High       | Is expected to occur in most conditions (1 or more times per year).
Medium     | The event will probably happen in most conditions (every 2 years).
Low        | The event should happen at some time (every 5 years).
Unlikely   | The event could happen at some time (every 10 years).

Qualitative impact level scale (impact increases from bottom to top)
Impact level  | Description
Major         | Major problems would occur and threaten the provision of important processes resulting in significant financial loss.
Moderate      | Services would continue, but would need to be reviewed or changed.
Minor         | Effectiveness of services would be threatened but dealt with.
Insignificant | Dealt with as a part of routine operations.
Qualitative risk estimation - example
• Define a risk matrix with a suitable set of qualitative levels
  – qualitative levels for likelihood, impact and risk
• Use the risk matrix as a look-up table to determine the level of each risk

Risk levels (qualitative likelihood × qualitative impact):
Likelihood \ Impact | Insignificant | Minor | Moderate | Major
High                | M             | H     | VH       | E
Medium              | L             | M     | H        | VH
Low                 | VL            | L     | M        | H
Unlikely            | N             | VL    | L        | M

Legend:
E: extreme risk; risk must be handled with priority
(V)H: (very) high risk; risk must be handled
M: moderate risk; risk to be handled according to budget
(V)L: (very) low risk; risk with low priority, handle if there is opportunity
N: negligible risk; to be ignored

Relative risk levels (relative likelihood × relative impact):
Likelihood \ Impact | Nil (0.0) | Insign. (0.1) | Minor (0.2) | Moderate (0.4) | Major (1.0)
High (1.0)          | 0         | 0.10          | 0.20        | 0.40           | 1.00
Medium (0.4)        | 0         | 0.04          | 0.08        | 0.16           | 0.40
Low (0.2)           | 0         | 0.02          | 0.04        | 0.08           | 0.20
Unlikely (0.1)      | 0         | 0.01          | 0.02        | 0.04           | 0.10
Never (0.0)         | 0         | 0             | 0           | 0              | 0

Relative risk estimation can give a better distribution of risk levels than purely qualitative models.
Quantitative risk estimation example
• Quantitative parameters
  – Asset Value (AV): estimated total value of the asset
  – Exposure Factor (EF): percentage of asset loss caused by a threat occurrence
  – Single Loss Expectancy (SLE): SLE = AV × EF
  – Annualized Rate of Occurrence (ARO): estimated frequency with which the threat will occur within a year
  – Annualised Loss Expectancy (ALE): ALE = SLE × ARO
• Example quantitative risk analysis
  – Risk description
    • Asset: public image (and trust)
    • Threat: defacing web site through intrusion
    • Impact: loss of image
  – Parameter estimates
    • AV(public image) = $1,000,000
    • EF(public image affected by defacing) = 0.05
    • SLE = AV × EF = $50,000
    • ARO(defacing) = 2
    • ALE = SLE × ARO = $100,000
  – Justifies spending up to $100,000 p.a. on controls that eliminate this risk


Risk listing and ranking
Threat scenario                 | Existing controls & vulnerabilities                        | Asset impact                                            | Impact level | Likelihood description                     | Likelihood | Risk level
Compromise of user password     | No control or enforcement of password strength             | Deleted files, breach of confidentiality and integrity  | MODERATE     | Will happen to 1 of 50 users every year    | MEDIUM     | HIGH
Virus infection on clients      | Virus filter disabled on many clients                      | Compromise of clients                                   | MODERATE     | Will happen to 1 in 100 clients every year | HIGH       | EXTREME
Web server hacking and defacing | IDS, firewall, daily patching, but zero-day exploits exist | Reputation                                              | MINOR        | Could happen once every year               | MEDIUM     | MODERATE
Logical bomb planted by insider | No review of source code that goes into production         | Breach of integrity or loss of data                     | MAJOR        | Could happen once every 10 years           | UNLIKELY   | MODERATE
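The qualitative matrix and the relative likelihood/impact values from the earlier slides, applied to the four scenarios in the table above, as an added example (not part of the lecture slides). The register entries are constructed from the table; the qualitative levels come from the matrix on the "Qualitative risk estimation" slide, so they may be named differently from the table's own risk-level column.

```python
"""Relative risk estimation and ranking of a risk register.

Added example (not from the lecture slides).  Applies the qualitative
risk matrix and the relative likelihood/impact values defined on the
"Qualitative risk estimation" and "Relative risk levels" slides to the
four threat scenarios of the "Risk listing and ranking" table.
"""

LIKELIHOOD = {"High": 1.0, "Medium": 0.4, "Low": 0.2, "Unlikely": 0.1, "Never": 0.0}
IMPACT = {"Major": 1.0, "Moderate": 0.4, "Minor": 0.2, "Insignificant": 0.1, "Nil": 0.0}

# Qualitative look-up table: rows are likelihood levels, columns are impact levels.
RISK_MATRIX = {
    "High":     {"Insignificant": "M",  "Minor": "H",  "Moderate": "VH", "Major": "E"},
    "Medium":   {"Insignificant": "L",  "Minor": "M",  "Moderate": "H",  "Major": "VH"},
    "Low":      {"Insignificant": "VL", "Minor": "L",  "Moderate": "M",  "Major": "H"},
    "Unlikely": {"Insignificant": "N",  "Minor": "VL", "Moderate": "L",  "Major": "M"},
}


def qualitative_risk(likelihood, impact):
    """Look up the qualitative risk level (N, VL, L, M, H, VH, E) in the matrix."""
    return RISK_MATRIX[likelihood][impact]


def relative_risk(likelihood, impact):
    """Relative risk level = relative likelihood × relative impact."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 4)


def rank_risks(register):
    """Return the register sorted by relative risk, highest first.
    Each entry gains 'relative' and 'qualitative' fields."""
    scored = [{**r,
               "relative": relative_risk(r["likelihood"], r["impact"]),
               "qualitative": qualitative_risk(r["likelihood"], r["impact"])}
              for r in register]
    return sorted(scored, key=lambda r: r["relative"], reverse=True)


# Constructed register with the slide's four scenarios; the likelihood
# descriptions are kept as free text for the risk owner.
REGISTER = [
    {"threat": "Compromise of user password",
     "vulnerability": "No control or enforcement of password strength",
     "likelihood": "Medium", "impact": "Moderate",
     "note": "will happen to 1 of 50 users every year"},
    {"threat": "Virus infection on clients",
     "vulnerability": "Virus filter disabled on many clients",
     "likelihood": "High", "impact": "Moderate",
     "note": "will happen to 1 in 100 clients every year"},
    {"threat": "Web server hacking and defacing",
     "vulnerability": "IDS, firewall, daily patching, but zero-day exploits exist",
     "likelihood": "Medium", "impact": "Minor",
     "note": "could happen once every year"},
    {"threat": "Logical bomb planted by insider",
     "vulnerability": "No review of source code that goes into production",
     "likelihood": "Unlikely", "impact": "Major",
     "note": "could happen once every 10 years"},
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r['relative']:.2f}  {r['qualitative']:<3} {r['threat']}")
```

The relative values separate the two scenarios the table rates equally as MODERATE: the insider logic bomb (0.10) ranks above web defacement (0.08), which is the "better distribution of risk levels" the relative method is meant to give.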
Problems of measuring risk
Businesses normally wish to measure risk in money, but
almost impossible to do this
– Valuation of assets
• Value of data, hard to assess
• Value of goodwill and customer confidence, very vague
– Likelihood of incidents
• Past events not always relevant for future probabilities
– The nature of future attacks is unpredictable
– The actions of future attackers are unpredictable
– Measurement of benefit from security control
• Problems with the difference of two approximate quantities
– Estimation of past and present risk
Risk Control Strategies

• After completing the risk assessment, the security team


must choose one of four strategies to control each risk:
1. Reduce risk by implementing security controls
2. Share/transfer risk (outsource activity that causes
risk, or buy insurance)
3. Retain risk (understand and tolerate potential
consequences)
4. Avoid risk (stop activity that causes risk)
ROI of Security Controls
• ROI — Return on Investment
• SLE — Single Loss Expectancy
• ARO — Annual Rate of Occurrence

  Security Control ROI = (Risk Reduction − Cost of Control) / Cost of Control
  Risk Reduction = (Reduction of ARO) × SLE

• Plotting risk reduction ($) against the cost of the security control ($) gives three regions:
  – High ROI: good reason to implement the security control
  – Moderate ROI: use judgement to decide whether to implement the security control
  – Low ROI: uneconomic, don't implement the security control

Business Continuity Management

Outline
– Business Continuity Planning
– Business Impact Analysis
Business Continuity Management
• Procedures for the recovery of an organization's
facilities in case of major incidents and disasters,
so that the organization will be able to either
maintain or quickly resume mission-critical functions
• BCM standards
– ISO 27031 Guidelines for ICT readiness for business
continuity
– NIST SP800-34 Contingency Planning Guide for Federal Information Systems
Business continuity management: effect of BCM
• The range of incidents and disasters to be considered includes:
  – Acts of nature, for example:
    • Excessive weather conditions
    • Earthquake
    • Flood
    • Fire
  – Human acts (inadvertent or deliberate), for example:
    • Hacker activity
    • Mistakes by operating staff
    • Theft
    • Fraud
    • Vandalism
    • Terrorism
Business Continuity Plan (BCP)
• The business continuity plan is used from the moment the crisis is brought under control until the business is back to normal, and describes:
  – a sequence of actions
  – and the parties responsible for carrying them out
  – in response to disasters
  – in order to restore normal business operations as quickly as possible
BCP Terminology
• Business Continuity Plan
– Plan for restoring normal business functions after disruption
• Business Contingency Plan
– Same as Business Continuity Plan
– Contingency means ”something unpredictable that can happen”
• Disaster Recovery
– Reestablishment of business functions after a disaster, possibly in
temporary facilities
– Requires a BCP
• Business Continuity Management
– Denotes the management of Business Continuity
– Includes the establishment of a BCP
– ICT Readiness for Business Continuity (IRBC) (term used in ISO27031)
BCP Management (same as IRBC)
1. BCP Policy: management approval, scope, responsibility, teams
2. Business Impact Analysis (BIA): critical functions, MTD, risks
3. Identify Preventive Controls: implement controls, mitigate risks
4. Recovery: strategies, processes, facilities, data
5. Develop BCP: document, responsibility, teams, strategies
6. Test BCP: exercises, improvements, training
7. Maintain BCP: integrate, update, distribute
Source: NIST Special Publication 800-34 rev.1, Contingency Planning Guide for Federal Information Systems (p.13)
BCP Development and Output (NIST SP800-34 rev.1, p.34)
• BCP development: incorporate BIA findings; document the recovery strategy
• Plan contents:
  – Supporting Information: background, scope, roles & responsibilities
  – Activation and Notification Phase: activation criteria, notification procedures, outage assessment
  – Recovery Phase: sequence recovery activities, recovery procedures, escalation and notifications
  – Reconstitution Phase: concurrent processing, testing, notifications, cleanup, offsite data storage, backup, documentation
  – Appendices: BIA, POC (point of contact) lists, procedures
BIA: Business Impact Analysis
• A Business Impact Analysis (BIA) is performed as
part of the BCP development to identify the
functions that in the event of a disaster or
disruption, would cause the greatest financial or
operational loss.
• Consider e.g.:
– IT network support – Customer support
– Data processing – Order entry
– Accounting – Production scheduling
– Software development – Purchasing
– Payroll – Communications
BIA (continued)
• The MTD (Maximum Tolerable Downtime) is defined for
each function in the event of disaster.
• Example:
– Non-essential = 30 days
– Normal = 7 days
– Important = 72 hours
– Urgent = 24 hours
– Critical = minutes to hours
Alternative Sites (from most to least expensive)
• Redundant site
  – Mirror of the primary processing environment
  – Operable within minutes
• Hot site
  – Fully configured hardware and software, but no data
  – Operable within hours
• Cloud
• Warm site
  – Partially configured with some equipment, but not the actual computers
  – Operable within days
• Cold site
  – Basic electricity and plumbing
  – Operable within weeks
BCP Testing • Checklist test
– Copies of the BCP distributed to departments for review
• Structured walk-through test
– Representatives from each department come together to go
through the plan
• Simulation test
– All staff in operational and support functions come together to
practice executing the BCP
• Parallel test
– Business functions tested at alternative site
• Full interruption test
– Business functions at primary site halted, and migrated to
alternative site in accordance with the BCP
End of Lecture
Lecture 5: User Authentication
Outline
• Context of user authentication
– Component of IAM (Identity and Access Management)
• User Authentication
– Knowledge-based authentication
– Ownership-based authentication
– Inherence-based authentication
– Authentication based on secondary channel
Taxonomy of Authentication
• Authentication
  – Data Authentication
  – Entity Authentication
    • User Authentication (this lecture)
    • Company Authentication
    • System Authentication

Identity and Access Management (IAM) Phases
Configuration phase         | Operation phase
Registration of identity    | Present user identity: claim identity by providing user-Id
Provisioning of credentials | User authentication: prove claimed identity with credential(s) (this lecture)
Authorization of access     | Access control: enforcement of authorization policy
User authentication credentials

• A credential is the ‘thing’ used for authentication.


• Credential categories (“factors”) and typical examples:
1. Knowledge-based (“something you know”): Passwords
2. Ownership-based (“something you have”): Tokens
3. Inherence-based (“something you are/do”): Biometrics
• physiological biometric characteristics
• behavioural biometric characteristics
4. Secondary channel (a channel you control): SMS, email, etc.
• Combinations, called multi-factor authentication
Knowledge-Based Authentication
"Something you know"
Example: Passwords (such as the notoriously common "123456")
Authentication: Static passwords


• Passwords are a simple and the most common
authentication credential.
– Something the user knows
• Problems:
– Easy to share (intentionally or not)
– Easy to forget
– Often easy to guess (weak passwords)
– Can be written down (both good and bad)
• If written down, then “what you know” is “where to find it”
– Often remains in computer memory and cache
https://haveibeenpwned.com
750,000,000 passwords (2021)
Secure password strategies
• Password length ≥ 13 characters
• Use ≥ 3 categories of characters
  – L-case, U-case, numbers, special characters
• Do not use ordinary words (names, dictionary words)
• Change typically once per year
• OK to reuse between low-sensitivity accounts
• Do not reuse between high-sensitivity accounts
• Store passwords securely
  – In brain memory
  – On paper, adequately protected
  – In cleartext on an offline digital device, adequately protected
  – Encrypted on an online digital device (e.g. a password manager)
Strategies for strong passwords
• User education and policies
  – Not necessarily with strict enforcement
• Proactive password checking
  – User selects a potential password which is tested
  – Weak passwords are not accepted
• Reactive password checking
  – SysAdmin periodically runs a password cracking tool (also used by attackers) to detect weak passwords that must be replaced.
• Computer-generated passwords
  – Random passwords are strong but difficult to remember
  – FIPS PUB 181 specified an automated pronounceable password generator (the standard has since been withdrawn by NIST)
Password storage in OS
• /etc/shadow is the file where modern Linux/Unix systems store their password hashes
  – Earlier versions stored them in the world-readable /etc/passwd
  – Need root access to read or modify it
• \windows\system32\config\sam is the registry hive where a Windows system normally stores the password hashes of its local accounts
  – Binary registry-hive format
  – Need to be Administrator (in practice SYSTEM) to access it
• Network environments store passwords centrally
  – AD (Active Directory) on Windows servers
  – LDAP (Lightweight Directory Access Protocol) directories on Linux
Protection of password file
• Systems need to verify user passwords against stored
values in the password file
– Hence, the password file must be available to the OS
– But this file needs protection from users and applications
• Protection measures for password file
– Access control (only accessible by Root/Admin)
– Hashing or encryption (passwords not stored in cleartext)
• In case a password file gets stolen, then
hashing/encryption provides a level of protection
– It happens quite frequently that password files get stolen
and also leaked to the Internet
Hash functions
• A hash function h maps an input M of any size to a fixed-size hash value h(M)
  – One-way: easy to compute h(M), difficult to invert (find M from h(M))
  – Collision free: difficult to find different inputs M ≠ M' with h(M) = h(M')
• Passwords are typically stored as hash values.
• The authentication function first computes the hash of the received password, then compares it against the stored hash value.
Cracking hashed passwords
• The attacker hashes a possible password and checks if the hash value is found in the password file.
  – The password has been cracked if the hash value is found
• Brute-force search
  – Hash and check all possible passwords (a powerful GPU computer can test passwords up to 8 characters in 1 day)
• Intelligent search
  – User names
  – Names of friends/relatives
  – Phone numbers
  – Birth dates
  – Dictionary attack
    • Try all words from a dictionary
Password salting: prevents cracking with precomputed hash tables
• Prepend or append random data (salt) to a user's password before hashing
  – In classic Unix crypt(3): a randomly chosen 12-bit integer from 0 to 4095; modern schemes use a salt of 16 bytes or more
  – Different salt for each user
  – Produces different hashes for equal passwords
  – Prevents that users with identical passwords get the same password hash value
  – Increases the amount of work for hash precomputation
  – Makes it necessary to compute a new table for each user (each salt)
  – Makes hash tables and rainbow tables impractical for password cracking
• The salt is not secret: it is stored in clear next to the hash; it only needs to be unique
Storing and checking passwords
1. Clear-text: the password database stores "Passw0rd" as typed; the check is a direct comparison. Bad security.
2. Hashed: the database stores hash("Passw0rd") = 2FE76D…; the check hashes the typed password and compares the result with the stored value. Moderate security.
3. Salted hash: the database stores the salt together with hash("Passw0rd" + salt) = Ae7FaG…; the check hashes the typed password with the stored salt and compares. Good security.
Brute Force Attacks
Effort of brute force attacks depends on length + complexity of passwords. Time to brute-force a password by length and character set (figures from the slide; they also depend on the hash function used, see below):

Length | Digits only | Small OR capital letters | Small AND capital letters | Digits, small and capital letters | Digits, small and capital letters, and symbols
3      | Instantly   | Instantly                | Instantly                 | Instantly                         | Instantly
4      | Instantly   | Instantly                | Instantly                 | Instantly                         | Instantly
5      | Instantly   | Instantly                | Instantly                 | 3 seconds                         | 10 seconds
6      | Instantly   | Instantly                | 8 seconds                 | 3 minutes                         | 13 minutes
7      | Instantly   | Instantly                | 5 minutes                 | 3 hours                           | 17 hours
8      | Instantly   | 13 minutes               | 3 hours                   | 10 days                           | 57 days
9      | 4 seconds   | 6 hours                  | 4 days                    | 1 year                            | 12 years
10     | 40 seconds  | 6 days                   | 169 days                  | 106 years                         | 928 years
11     | 6 minutes   | 169 days                 | 16 years                  | 6 thousand years                  | 71 thousand years
12     | 1 hour      | 12 years                 | 600 years                 | 108 thousand years                | 5 million years
13     | 11 hours    | 314 years                | 21 thousand years         | 25 million years                  | 423 million years
14     | 4 days      | 8 thousand years         | 778 thousand years        | 1 billion years                   | 5 billion years
15     | 46 days     | 212 thousand years       | 28 million years          | 97 billion years                  | 2 trillion years
16     | 1 year      | 143 million years        | 1 billion years           | 6 trillion years                  | 193 trillion years
17     | 12 years    | 512 million years        | 36 billion years          | 374 trillion years                | 14 quadrillion years
18     | 126 years   | 3 billion years          | 1 trillion years          | 23 quadrillion years              | 1 quintillion years
Brute Force Attacks
• Effort of brute force attacks depends on:
  – length + complexity of passwords
  – complexity of the hash algorithm
• General-purpose hash algorithms are optimized for runtime and memory consumption, which helps the attacker as much as the defender
• Simple key stretching schemes (iterated hashing):
  (a) key = hash(password); repeat 65536 times: key = hash(key)
  (b) key = ""; repeat 65536 times: key = hash(key + password)
  (c) key = ""; repeat 65536 times: key = hash(key + password + salt)
Brute Force Attacks
• Special password hashing / key derivation algorithms:
  – PBKDF2
    • large runtime (configurable iteration count)
    • Applications (examples): WPA, WPA2, TrueCrypt
    • Problem: needs very little memory, so it parallelises cheaply on GPUs and special crypto hardware (FPGAs/ASICs); it cannot be "reversed", only guessed faster
  – bcrypt
    • additionally: high memory consumption (4 KB of cipher state per guess, awkward for GPUs)
  – scrypt
    • additionally: very high, tunable memory consumption
  – Argon2
    • winner of the Password Hashing Competition (2015); currently the recommended password hashing function
• Comparison of hashing/key derivation functions: (figure omitted)
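The three storage schemes of the "Storing and checking passwords" slide, the salting argument and the key-stretching loop, carried through in code as an added example that is not part of the lecture slides. It uses hashlib.pbkdf2_hmac from the Python standard library in place of the slide's hand-written stretching loop; the iteration count, the 16-byte salt, the record format and the sample users and wordlist are choices made for this example.

```python
"""Storing and checking passwords: salted, key-stretched hashes.

Added example (not from the lecture slides).  Contrasts the storage
schemes of the "Storing and checking passwords" slide (plain hash versus
salted hash) and shows why a per-user salt plus a slow KDF defeats a
precomputed hash table.  hashlib.pbkdf2_hmac stands in for the slide's
key-stretching loop; the iteration count is kept low so the example runs
quickly.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 50_000   # example value; production systems use far more (or Argon2/scrypt)
SALT_BYTES = 16


def plain_hash(password: str) -> str:
    """Scheme 2 of the slide: unsalted SHA-256.  Equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Scheme 3 of the slide, with key stretching.

    Returns 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.  The salt is stored
    in clear beside the hash: it only has to be unique, not secret.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, hash_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def table_attack(stored_hashes: dict, wordlist: list) -> dict:
    """Attacker with a precomputed table of plain SHA-256 hashes of a wordlist.

    Returns {user: cracked_password} for every stored value found in the
    table.  Works against scheme 2; against scheme 3 the table is useless
    because every user's hash depends on a different salt.
    """
    table = {plain_hash(w): w for w in wordlist}   # computed once, reused forever
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


# Constructed sample data: two users who chose the same password, plus a wordlist
USERS = {"alice": "Passw0rd", "bob": "Passw0rd", "carol": "correct horse battery staple"}
WORDLIST = ["123456", "password", "Passw0rd", "qwerty", "letmein"]


def demo():
    """Return (cracked_plain, cracked_salted, same_hash_plain, same_hash_salted)."""
    plain_db = {u: plain_hash(p) for u, p in USERS.items()}
    salted_db = {u: hash_password(p) for u, p in USERS.items()}
    return (table_attack(plain_db, WORDLIST),
            table_attack(salted_db, WORDLIST),
            plain_db["alice"] == plain_db["bob"],
            salted_db["alice"] == salted_db["bob"])


if __name__ == "__main__":
    cracked_plain, cracked_salted, same_plain, same_salted = demo()
    print("unsalted: alice/bob hashes identical:", same_plain, " cracked:", cracked_plain)
    print("salted:   alice/bob hashes identical:", same_salted, " cracked:", cracked_salted)
```

Storing the iteration count inside the record lets the verifier keep accepting old records while new ones are written with a higher count; hmac.compare_digest avoids leaking, through response timing, how many leading bytes of a guess were correct.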
Never send unprotected passwords in clear

• A password sent “in clear” can be captured during


transmission, so an attacker may reuse it.
• An attacker setting up a fake server can get the
password from the user
– E.g. phishing attack.
• Solutions to these problems include:
– Encrypted communication channel
– One-time passwords (token-based authentication)
– Challenge-response protocols
HTTP Digest Authentication
A simple challenge-response protocol (rarely used today)
• Specified in RFC 2069; later revised in RFC 2617 and RFC 7616
• Server sends (in a 401 response):
  – WWW-Authenticate: Digest
  – realm="service domain"
  – nonce="some random number"
• User types Id and password in the browser window
• Browser produces a password digest from nonce, Id and password using a one-way hash function
• Browser sends Id and digest to the server, which validates the digest
Message flow:
  1. User → Server: request access for page
  2. Server: generates a nonce
  3. Server → User: [WWW-Authenticate, domain (realm), nonce]
  4. User → Server: [domain, Id, digest = h(nonce, Id, password)]; the server recomputes the digest from the password it holds for Id and compares
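Both sides of the exchange drawn above, as an added example that is not part of the lecture slides. It uses the actual response formula of RFC 2069 (identical to RFC 2617 without the "qop" extension): HA1 = MD5(username:realm:password), HA2 = MD5(method:uri), response = MD5(HA1:nonce:HA2). The single-use nonce policy that makes replay fail is this example's choice, not an RFC requirement, and the user names and passwords are constructed.

```python
"""HTTP Digest authentication as a challenge-response exchange.

Added example (not from the lecture slides): client and server sides of
the dialogue on the slide, using the response formula of RFC 2069 /
RFC 2617 without "qop":
    HA1      = MD5(username ":" realm ":" password)
    HA2      = MD5(method ":" digest-uri)
    response = MD5(HA1 ":" nonce ":" HA2)
The server retires each nonce after one use (this example's policy), so a
captured Authorization header cannot be replayed.  MD5 appears only because
the protocol specifies it.
"""
import hashlib
import hmac
import os


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


class DigestServer:
    def __init__(self, realm: str, users: dict):
        self.realm = realm
        # RFC 2617 lets the server store HA1 instead of the password.  HA1 is
        # still a password equivalent for this realm and must be guarded as such.
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.issued_nonces = set()

    def challenge(self) -> dict:
        """Step 3 on the slide: 401 with WWW-Authenticate: Digest realm=..., nonce=..."""
        nonce = os.urandom(16).hex()
        self.issued_nonces.add(nonce)
        return {"scheme": "Digest", "realm": self.realm, "nonce": nonce}

    def verify(self, method: str, uri: str, auth: dict) -> bool:
        """Step 4: validate the fields of the client's Authorization header."""
        nonce, user = auth["nonce"], auth["username"]
        if nonce not in self.issued_nonces or user not in self.ha1:
            return False
        self.issued_nonces.discard(nonce)        # single use: a replay fails here
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{self.ha1[user]}:{nonce}:{ha2}")
        return hmac.compare_digest(expected, auth["response"])


def client_response(username: str, password: str, method: str, uri: str,
                    challenge: dict) -> dict:
    """What the browser computes from the user's Id, password and the server's nonce."""
    ha1 = md5_hex(f"{username}:{challenge['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return {"username": username, "realm": challenge["realm"],
            "nonce": challenge["nonce"], "uri": uri,
            "response": md5_hex(f"{ha1}:{challenge['nonce']}:{ha2}")}


def run_exchange(server: DigestServer, username: str, password: str,
                 method: str = "GET", uri: str = "/secret"):
    """Full dialogue.  Returns (first_attempt_ok, replay_of_captured_header_ok)."""
    chal = server.challenge()
    auth = client_response(username, password, method, uri, chal)
    first = server.verify(method, uri, auth)
    replay = server.verify(method, uri, auth)    # attacker resends the captured header
    return first, replay


if __name__ == "__main__":
    srv = DigestServer("service domain", {"alice": "s3cret"})   # constructed credentials
    print(run_exchange(srv, "alice", "s3cret"))   # (True, False)
    print(run_exchange(srv, "alice", "wrong"))    # (False, False)
```

The password never crosses the wire, which is the point of the scheme, but an attacker who can modify the server's challenge (no TLS) can still mount offline guessing against a captured response, which is why the slide calls Digest "rarely used" and the previous slide recommends an encrypted channel.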
Ownership-Based Authentication
"Something you have"
Example: Authentication Tokens (OTP)

Taxonomy of Authentication Tokens
• Authentication tokens (typically a hardware token, but also available as a mobile app)
  – Synchronised tokens
    • Clock-based tokens
    • Counter-based tokens
  – Challenge-response tokens
Clock-based OTP Tokens: Operation
• Token displays a time-dependent code on its display
  – User copies the code from the token to the terminal to log in
• Possession of the token is necessary to know the correct value for the current time
• Each code is computed for a specific time window
• Codes from adjacent time windows are accepted
• Clocks must be synchronised
• Example: BankID and SecurID; the open standard for this scheme is TOTP (RFC 6238)

Clock-based OTP Token Operation with (optional) input PIN
• User's token: clock + secret key (+ optional PIN entered by the user) → OTP algorithm → OTP
• Host: user id → look up the user's secret key; clock + secret key (+ PIN) → OTP algorithm → expected OTP
• Host compares the OTP received with the user id against the expected OTP

Clock-based OTP tokens pictured on the slide: SafeID OTP token with PIN, ActiveID OTP token with PIN, BankID OTP token with PIN, RSA SecurID, Feitian OTP token without PIN, BankID OTP token without PIN
Compromised OTP Tokens
• RSA was hacked in 2011.
• Secret keys (seeds) for SecurID OTP tokens were stolen
• Hackers could generate OTPs and spoof users
• Companies using RSA SecurID were vulnerable
• Lockheed Martin used RSA SecurID and was attacked with the stolen seeds the same year
• Chinese attackers spoofed Lockheed Martin staff
  – Stole plans for the F-35 fighter jet
Counter-based OTP Tokens: Overview
• Counter-based tokens generate a 'password' result value as a function of an internal counter and other internal data, without external inputs.
• HOTP is the HMAC-Based One-Time Password Algorithm described in RFC 4226 (Dec 2005)
  – http://www.rfc-archive.org/getrfc.php?rfc=4226
  – Designed for tokens that do not support any numeric input
  – The value displayed on the token is designed to be easily read and entered by the user.
• (Picture on the slide: a counter-based token displaying the code 530)

Counter-based OTP Token Operation
• User's token: counter + secret key → OTP algorithm → OTP; the counter advances with every code generated
• Host: user id → look up the user's secret key and counter; counter + secret key → OTP algorithm → expected OTP
• Host compares the OTP received with the user id against the expected OTP, and must tolerate the token's counter having run ahead of its own
Challenge-Response Based Tokens for User Authentication
• A challenge is sent in response to an access request
  – A legitimate user can respond to the challenge by performing a task which requires use of information only available to the user (and possibly the host)
• User sends the response to the host
  – Access is approved if the response is as expected by the host.
• Advantage: since the challenge will be different each time, the response will be too; the dialogue cannot be captured and used at a later time
• Could use symmetric or asymmetric crypto

Token-based User Authentication: Challenge-Response Systems
• Host: a random number generator produces the challenge; Id / key + challenge → algorithm → expected response
• Token: Id / key + challenge → algorithm → response (shown on an optional display for the user to type in)
• Host compares the received response with the expected response
Inherence-Based Authentication
"Something you are" / "Something you do"
Biometrics
Biometrics: Overview
• What is it?
  – Automated methods of verifying or recognizing a person based upon physiological or behavioural characteristics.
• Biometric modalities, examples:
  – fingerprint
  – facial recognition
  – eye retina/iris scanning
  – hand geometry
  – written signature (behavioural)
  – voice print
  – keystroke dynamics (behavioural)
Biometrics: Requirements
• Universality: each person should have the characteristic;
• Distinctiveness: any two persons should be sufficiently different in terms of the characteristic;
• Permanence: the characteristic should be sufficiently invariant (with respect to the matching criterion) over a period of time;
• Collectability: the characteristic should be measurable quantitatively.

Biometrics: Practical considerations
• Accuracy: the correctness of a biometric system, expressed as the EER (Equal Error Rate), where a low EER is desirable.
• Performance: the achievable speed of analysis, and the resources required to achieve the desired speed
• Acceptability: the extent to which people are willing to accept the use of a biometric identifier (characteristic)
• Circumvention resistance: the difficulty of fooling the biometric system
• Safety: whether the biometric system is safe to use
Biometrics Safety
• Biometric authentication can be safety risk
– Attackers might want to “steal” body parts
– Subjects can be put under duress to produce biometric
authenticator
• Necessary to consider the physical environment
where biometric authentication takes place.
Car thieves chopped off part of the driver’s left index finger
to start S-Class Mercedes Benz equipped with fingerprint
key.
Biometrics: Modes of operation
• Enrolment:
  – analog capture of the user's biometric attribute.
  – processing of this captured data to develop a template of the user's attribute which is stored for later use.
• Verification of claimed identity (1:1, one-to-one):
  – capture of a new biometric sample.
  – comparison of the new sample with the user's stored template.
• Identification (1:N, one-to-many):
  – capture of a new biometric sample.
  – search of the database of stored templates for a match based solely on the biometric.
Extracting biometric features
[Figure: example fingerprints showing minutiae extraction; labelled features: ridge ending, bifurcation.]
Biometrics: System components
[Figure: system components (Sensor, Feature Extractor, Comparator, System Database) shown in three phases: Enrolment phase, Biometric Verification / Authentication (Comparator against the claimed identity’s stored template), Biometric Identification (Comparator against the stored templates in the system database).]
Evaluating Biometrics
• Features from the captured sample are compared
against those of the stored template sample
• Score s is derived from the comparison.
– Better match leads to higher score.
• The system decision is tuned by threshold T:
– System gives a match (same person) when the
sample comparison generates a score s where s ≥ T
– System gives non-match (different person) when the
sample comparison generates a score s where s < T
Comparison characteristics
• True positive
– User’s sample matches → User is accepted
• True negative
– Stranger’s sample does not match → Stranger is rejected
• False positives
– Stranger’s sample matches → Stranger is falsely accepted
• False negatives
– User’s sample does not match → User is falsely rejected
• False Match Rate vs. False Non-Match Rate
FMR = (# matching strangers) / (# strangers in total)
FNMR = (# non-matching users) / (# users in total)
• T determines tradeoff between FMR and FNMR
Evaluating Biometrics: System Errors
• Comparing biometric samples produces score s
• Acceptance threshold T determines FMR and FNMR
– If T is set low to make the system more tolerant to input
variations and noise, then FMR increases.
– On the other hand, if T is set high to make the system more secure, then
FNMR increases accordingly.
• EER (Equal Error Rate) is the rate when FMR = FNMR.
• Low EER is good, it means good separation of curves.
[Figure: number of users / strangers (how many got a particular score?) plotted against score s; the stranger score distribution lies to the left and the user score distribution to the right, with the threshold T between them. The part of the user distribution below T is FNMR, the part of the stranger distribution above T is FMR. Source: IN2120 - UiO 2019]
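The threshold trade-off described above, worked through in code. This is an added example, not part of the lecture slides: the two score distributions are constructed (ten genuine-user comparisons, ten stranger comparisons on a 0..100 scale), and the decision rule, FMR, FNMR and EER follow the definitions on the slides.

```python
"""FMR / FNMR / EER of a biometric comparator as a function of threshold T.

Added illustration, not from the lecture. Scores are constructed: genuine
users tend to score high, strangers (impostors) tend to score low, with the
distributions overlapping in the 60..75 range so that no T is error-free.
"""

USER_SCORES = [62, 70, 74, 78, 81, 83, 85, 88, 90, 94]       # genuine users (constructed)
STRANGER_SCORES = [10, 18, 25, 33, 40, 48, 55, 61, 66, 72]   # strangers (constructed)


def decide(score, threshold):
    """System decision from the slide: match iff s >= T."""
    return score >= threshold


def error_rates(user_scores, stranger_scores, threshold):
    """Return (FMR, FNMR) at threshold T.

    FMR  = (# matching strangers)   / (# strangers in total)
    FNMR = (# non-matching users)   / (# users in total)
    """
    false_matches = sum(1 for s in stranger_scores if decide(s, threshold))
    false_non_matches = sum(1 for s in user_scores if not decide(s, threshold))
    return false_matches / len(stranger_scores), false_non_matches / len(user_scores)


def equal_error_rate(user_scores, stranger_scores):
    """Sweep T over every observed score and return (T, EER) at the point
    where |FMR - FNMR| is smallest; EER is reported as the mean of the two."""
    candidates = sorted(set(user_scores) | set(stranger_scores))
    best_t, best_gap, best_rate = None, None, None
    for t in candidates:
        fmr, fnmr = error_rates(user_scores, stranger_scores, t)
        gap = abs(fmr - fnmr)
        if best_gap is None or gap < best_gap:
            best_t, best_gap, best_rate = t, gap, (fmr + fnmr) / 2
    return best_t, best_rate


def tradeoff_table(user_scores, stranger_scores, thresholds):
    """Rows of (T, FMR, FNMR): shows FMR rising as T is lowered and FNMR rising as T is raised."""
    return [(t,) + error_rates(user_scores, stranger_scores, t) for t in thresholds]


if __name__ == "__main__":
    for t, fmr, fnmr in tradeoff_table(USER_SCORES, STRANGER_SCORES, (50, 70, 85)):
        print(f"T={t:3d}  FMR={fmr:.2f}  FNMR={fnmr:.2f}")
    print("EER at T=%d is %.2f" % equal_error_rate(USER_SCORES, STRANGER_SCORES))
```

With these constructed scores a low threshold (T = 50) accepts 40 % of strangers and rejects no users, a high one (T = 85) accepts no strangers but rejects 60 % of users, and the curves cross at T = 70 with EER = 0.10; the more the two distributions overlap, the higher that crossing point gets.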
Spoofed Biometrics: Presentation Attacks
• It is relatively simple to trick a biometric system
• Terminology: Presentation Attacks
[Figure: examples of a false finger and a false face.]
• Biometric authentication on smartphones is insecure
• PAD (Presentation Attack Detection) is the subject of
intensive research, to make biometrics more secure
• An alternative solution is to capture biometrics in
controlled environments
Secondary Channel
• Independent from the primary channel!
• Controlled by the user, not necessarily very secure
• Increased authentication assurance through
increased complexity for attackers
• Typically used as second authentication factor
[Figure: the bank’s server sends an SMS with an authorization code to the user over the mobile network (secondary channel); the user enters the authorization code in the client, which sends it to the server over the Internet (primary channel).]
Authentication:
Multi-factor
• Multi-factor authentication aims to combine two or
more authentication techniques in order to provide
stronger authentication assurance.
• Two-factor authentication is typically based on
something a user knows (factor one) plus
something the user has (factor two).
– Usually this involves combining the use of a password
and a token
– Example: BankID OTP token with PIN + static password
Authentication Assurance
• Authentication assurance = robustness of
authentication
• Resources have different sensitivity levels
– High sensitivity gives high risk in case of
authentication failure
• Authentication has a cost
– Unnecessary authentication assurance is a
waste of money
• Authentication assurance should balance
authentication risk
[Figure: required user Authentication Assurance Level (AAL) plotted against authentication risk; the required AAL rises with the risk.]
End of lecture
Lecture 6:
Identity and Access Management
Outline:
• Identity and access management concepts
• Identity management models
• Access control models (security models)
Identity and Access Management
[Figure: IAM split into a configuration phase and an operation phase. Identity Management: registration of user identity (configuration) and presentation of user identity (operation); provisioning of credential(s) (configuration) and authentication by credential(s) (operation). Access Management: authorization (configuration) and access control (operation).]
Identity and Access Management Scenario
• PAP: Policy Administration Point
• PDP: Policy Decision Point
• PEP: Policy Enforcement Point
• IdP: Identity Provider
[Figure: system owner domain containing an IdP, a PAP, an authentication function, a PDP, a PEP and the resource. Numbered steps: 1 user registration; 2 provisioning by the IdP; 3 authorization, stored as policy in the PAP; 4 logon with ID + key at the authentication function; 5 request for resource and access type at the PEP; 6 decision request from the PEP to the PDP; 7 policy request from the PDP to the PAP; 8 access to the resource. The PEP and PDP together form the Access Control Function.]
Definition of IAM
• Identity and access management (IAM) is the security
discipline that enables the right individuals to access the
right resources at the right times for the right reasons.
• IAM addresses the mission-critical need to ensure
appropriate access to resources across increasingly
heterogeneous technology environments, and to meet
increasingly rigorous compliance requirements.
Gartner, IT Glossary
http://blogs.gartner.com/it-glossary/identity-and-access-management-iam/
The concept of identity
[Figure: entities (systems, persons, organisations) have identities (A, B, C, …, Y, Z), and identities consist of attributes (names, identifiers and characteristics).]
Concepts related to identity
• Entity
– A person, organisation, agent, system, session, process, etc.
• Identity
– A set of names / attributes of an entity in a specific domain
– An entity may have identities in multiple domains
– An entity may have multiple identities in one domain
• Digital identity
– Digital representation of names / attributes in a way that is
suitable for processing by computers
• Names and attributes of an entity
– Can be unique or ambiguous within a domain
– Transient or permanent, self-defined or defined by an
authority, interpreted by humans and/or by
computers, etc.
Identity
• Etymology (original meaning of words)
– “identity” = “same one as last time”.
• “First-time” authentication is not meaningful
– because there is no “previous time”
– because the identity first must be created/registered
• Authentication requires a first-time registration of identity
in the form of a name within a domain
• Registration can take two forms:
– pre-authentication, from a previous identity, e.g. passport
– creation of a new identity, e.g. new-born baby
Identity Domains
• An identity domain has a name-space of unique names
– The same user can have separate identities in different domains
[Figure: one user with two identities, Id-1 and Id-2, one in a silo Id domain and one in a federated Id domain, across Services A, B, C and D.]
• Identity domain structures:
– Silo domain with single authority, e.g. user Ids in a company network
– Distributed hierarchic domain: e.g. DNS (Domain Name System)
• Federated identity domains
– Identity domain can be used by many different Service Providers
– Requires alignment of identity management between SPs
Taxonomy of Identity Management Architectures
[Figure: tree. Identity Management splits into Silo Id Mgmt. and Federated Id Mgmt.; Federated Id Mgmt. splits into Centralised Federation, Hybrid Centralised / Distributed Federation, and Distributed Federation.]
Silo identity management model
[Figure: three silo Id domains, SP/IdP A, SP/IdP B and SP/IdP C. The user holds a separate user identifier (1, 2, 3) and a separate authentication token for each silo domain, used for service logon and service provision. Legend: SP; IdP/CrP; identity domain; user identifier for silo domain; authentication token for silo domain; service logon; service provision.]
• SP (Service Provider) = IdP (Identity Provider):
SP controls name space and provides access credentials
• Unique identifier assigned to each entity
• Advantages
– Simple to deploy, low initial cost for SPs
– Potentially good privacy
• Disadvantages
– Identity overload for users, poor usability, no business integration
– Low acceptance of new services with separate Id & credentials
– Users must provide same information to different service providers
– For service providers: Barrier to service bundling and data collection
Identity Federation
A set of agreements, standards and technologies that enable a group of
SPs to recognise and trust user identities and credentials from different
IdPs, CrPs and SPs.
• Four main types:
1. Centralized Federation: Centralised name space and
management of credentials by single IdP/CrP.
2. Distributed Identity with Centralised Authentication:
Distributed name spaces managed by multiple IdPs. Centralised
credentials authentication by single CrP.
3. Centralised Identity with Distributed Authentication: Centralized
name space managed by single IdP. Distributed mgmt. of credentials
and authentication by multiple CrPs.
4. Distributed Federation: Distributed name spaces and
management of credentials by multiple IdPs and CrPs.
Identity Federation Types
                             | Centralized Identity            | Distributed Identity
Centralized Authentication   | Centralized:                    | Distributed ID, Centralized Credentials:
                             | • Aadhaar (Government of India) | • Facebook
                             | • Google+                       | • Twitter
Distributed Authentication   | Centralized ID, Distributed     | Distributed:
                             | Credentials:                    | • OpenID
                             | • Government of Estonia         |
                             | • Government of Norway          |
                             | • (Government of Kyrgyzstan)    |
Federation model types
• Aadhaar (India) and Google+ are centralised because
– they control and manage the domain’s name space of identities,
– they always verify the authentication credentials in their federations.
• Facebook and Twitter have distributed identities and
centralized credentials because
– they do not manage identities which are ordinary email addresses,
– they always verify the authentication credentials in their federations.
• Some countries (Norway, Estonia) have centralized Id
and distributed authentication because
– Identities are national id-numbers, managed by the government
– multiple private credentials providers verify credentials for authentication
• OpenID distributed because
– multiple Id-providers control and manage name spaces for identities
– the same Id-providers also verify the credentials for authentication
Identity Federation Players
• User
– Needs identities and credentials to access
multiple SPs.
• Service Provider (SP)
– Needs to know identity of users, and needs
assurance of user authenticity.
• Identity Provider (IdP)
– Controls name space of identities.
Issues/registers identities for users.
• Credentials Provider (CrP)
– Issues/registers credentials for users.
Performs authentication of users.
• Broker
– Intermediary between players (not always used)
Federation protocols
• Authentication by one IdP/CrP/SP is communicated as a
security assertion (cryptographic token) to other SPs
that trust and accept the assertion of authenticity.
• Usually based on the SAML protocol
– Security Assertion Markup Language
• Involves multiple players
– User, IdP, CrP, SP, and sometimes a broker
– In Kyrgyzstan and Estonia the broker is X-Road (SE “Tunduk”)
Pros and Cons of Federation
• Advantages
– Improved usability
– Allows SPs to bundle services and collect user info
– Strengthens privacy through pseudonymous identities
• Disadvantages
– High technical and legal complexity
– High trust requirements between parties
• Each federation partner can potentially compromise security
– Privacy issues
• Massive data collection is a threat to data privacy
– Limited scalability
• Limited by political and economic constraints
• An identity federation can become a new form of silo
SAML protocol profile: Browser Post
Security token via front-channel
[Figure: federation circle of trust between an Identity Provider and a Service Provider. The user’s browser contacts the Service Provider, is sent to the Identity Provider, receives the security token and posts it to the Service Provider via the front-channel, i.e. through the browser (steps 1–4).]
SAML protocol profile: Browser Artefact
Security token via back-channel
[Figure: as above, but the Identity Provider returns an artefact to the browser, which forwards it to the Service Provider; the artefact is a reference to get the token, and the Service Provider fetches the token from the Identity Provider over the back-channel (steps 1–6).]
OpenID Connect Protocol
[Figure: a federation agreement between the Service Provider and the OpenID Provider (IdP). Numbered flow (1–11) between the user’s client, the Service Provider and the OpenID Provider, with these labelled steps: request resource; provide login page with list of IdPs; select IdP; redirect client to get token from IdP; authentication request; provide credentials / post credentials; token; redirect token to SP via client; forward token back to SP; provide resource.]
OpenID Connect Characteristics
• Based on the OpenID and OAuth 2.0 specifications
• SPs establish federation agreements with IdPs
• Beware of abuse of the term “authorization”
– The OpenID Connect standard uses “authorization” in the
meaning of authentication and access control
• OpenID Connect is used in the Tunduk UIS (ЕСИ)
– UIS is for the Government sector as an SSO (Single Sign-On)
– Any public body should accept OpenIDs from UIS, as it already
has registered citizens
– A mapping between OpenIDs and person numbers exists but is
protected
Google, Facebook and Twitter federations
[Figure: user, browser and Service Provider, with g+ / f / t acting as identity provider.]
1. User requests service
2. Redirect to g+, f or t for authentication
3. Present login form from g+, f or t
4. User provides Id and credentials
5. Credentials forwarded to g+, f or t
6. Assert authenticated user
7. Provide service
Broker Scenario
[Figure: user, Service Provider, X-Road (broker) and the Home Institution of the user (IdP).]
1. User requests access to service
2. Service Provider sends authentication
request to Broker, and displays Broker
login form to user.
3. User enters name and password in
Broker login form, which are sent for
validation to Home Institution of user.
4. Home Institution confirms authentic
user and provides user attributes to
Broker which forwards these to SP
5. Service Provider analyses user
attributes and provides service
according to policy
Introduction to Logical Access Control
[Figure: Physical Access Control (not the theme today) contrasted with Logical Access Control (this lecture).]
Basic concepts
• Access control security models:
– How to define which subjects can access which objects with which
access modes?
• Three classical approaches
– Discretionary Access Control (DAC)
– Mandatory access control (MAC)
– Role-Based Access Control (RBAC)
• Advanced approach for distributed environments:
– Attribute-Based Access Control (ABAC)
• Generalisation of DAC, MAC and RBAC
Access modes
• Modes of access:
– Authorizations specify the access permissions of subjects
(users) when accessing objects (resources)
• If you are authorized to access a resource, what are you
allowed to do to the resource?
– Example: possible access permissions include
• read — observe
• write — observe and alter
• execute — neither observe nor alter
• append — alter
DAC / MAC
TCSEC (1985) specifies two AC security models
• Discretionary Access Control (DAC)
– aka. Name-Based Access Control
– AC policy based on user/group names
– e.g. John has (r,w)-access to HR-files
                 Objects
  Subjects       HR      Sales
  John           r,w
  Mary                   r,w
• Mandatory AC (MAC)
– aka. Label-Based Access Control
– AC policy based on security labels
– e.g. secret-clearance needed to access secret-classified document
DAC – Discretionary Access Control
(Name-Based Access Control)
• Access authorization is specified and enforced
based on the name/identity of subjects/objects.
• Typically implemented as ACL (Access Control Lists)
• DAC is discretionary in the sense that the owner of
the resource can decide at his/her discretion who is
authorized for access
• Operating systems using DAC:
– Windows and Linux
DAC principles
• AC Matrix
– General list of authorizations
– Impractical, too many empty cells
• Access Control Lists (ACL)
– Associated with an object
– Represent columns from the AC Matrix
– Tell who can access the object
AC Matrix (subject names × object names):
        O1    O2    O3    O4
  S1    r,w   -     x     r
  S2    r     -     r     r,w
  S3    -     x     -     -
  S4    r,w   x     x     x
AC lists (one per object):
  O1: S1 r,w; S2 r; S3 -; S4 r,w
  O2: S1 -; S2 -; S3 x; S4 x
  O3: S1 x; S2 r; S3 -; S4 x
  O4: S1 r; S2 r,w; S3 -; S4 x
ACL in Unix
Each file and directory has an associated ACL
• Three access operations on a file: read from a file, write to a file, execute a file
• Access applied to a directory: read = list contents of dir, write = create or rename files in dir, execute = search directory
• Permission bits are grouped in three triples that define read,
write, and execute access for owner, group, and others.
• A ‘-’ indicates that the specific access right is not granted.
• rw-r--r-- means: read and write access for the owner,
read access for group, and for others (world).
• rwx------ means: read, write, and execute access for the
owner, no rights for group and no rights for others
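The two DAC representations above, the AC matrix with its per-object ACLs and the Unix permission triples, as an added example that is not from the lecture. The matrix is the slide’s (S1..S4 × O1..O4) and the mode strings are the slide’s; the uid/gid values in the access checks are constructed. The Unix part also shows the one rule the slide leaves implicit: the kernel selects exactly one class (owner, else group, else others) and never falls through to a wider class.

```python
"""Access control matrix -> ACLs, and Unix owner/group/others triples.

Added example, not from the lecture slides. AC_MATRIX reproduces the
slide's matrix; uid/gid numbers used in the checks are constructed.
"""

# The slide's AC matrix: one row per subject, one column per object.
AC_MATRIX = {
    "S1": {"O1": {"r", "w"}, "O2": set(), "O3": {"x"}, "O4": {"r"}},
    "S2": {"O1": {"r"}, "O2": set(), "O3": {"r"}, "O4": {"r", "w"}},
    "S3": {"O1": set(), "O2": {"x"}, "O3": set(), "O4": set()},
    "S4": {"O1": {"r", "w"}, "O2": {"x"}, "O3": {"x"}, "O4": {"x"}},
}


def matrix_to_acls(matrix):
    """ACLs are the columns of the matrix: one list per object, kept with the object.
    Empty cells are simply absent, which is why ACLs scale where the matrix does not."""
    acls = {}
    for subject, row in matrix.items():
        for obj, modes in row.items():
            if modes:
                acls.setdefault(obj, {})[subject] = set(modes)
    return acls


ACLS = matrix_to_acls(AC_MATRIX)


def dac_allows(acls, subject, obj, mode):
    """Name-based (DAC) decision: look the subject up in the object's ACL."""
    return mode in acls.get(obj, {}).get(subject, set())


def parse_mode(mode_string):
    """Parse 'rwxr-xr--' into (owner, group, others) sets, e.g. ({'r','w','x'}, {'r','x'}, {'r'})."""
    if len(mode_string) != 9:
        raise ValueError("expected nine permission characters")
    triples = []
    for start in range(0, 9, 3):
        modes = set()
        for ch, flag in zip(mode_string[start:start + 3], "rwx"):
            if ch == flag:
                modes.add(flag)
            elif ch != "-":
                raise ValueError(f"unexpected character {ch!r} in {mode_string!r}")
        triples.append(modes)
    return tuple(triples)


def unix_allows(mode_string, file_uid, file_gid, uid, gids, mode):
    """Unix picks ONE class for the caller: owner if uid matches, else group if
    file_gid is among the caller's groups, else others. The classes are not
    unioned, so an owner with mode 'r--rwx---' cannot write even though the
    group triple would allow it."""
    owner, group, others = parse_mode(mode_string)
    if uid == file_uid:
        return mode in owner
    if file_gid in gids:
        return mode in group
    return mode in others


if __name__ == "__main__":
    for obj, acl in sorted(ACLS.items()):
        print(obj, acl)
    print("owner may write rw-r--r--:", unix_allows("rw-r--r--", 1000, 100, 1000, [100], "w"))
    print("group may write rw-r--r--:", unix_allows("rw-r--r--", 1000, 100, 1001, [100], "w"))
```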
MAC – Mandatory Access Control
• Access authorization is specified and enforced with
security labels
– Security clearance for subjects
– Classification levels for objects
• MAC compares subject and object labels
• MAC is mandatory in the sense that users do not control
access to the resources they create.
• A system-wide set of AC policy rules for subjects and
objects determines modes of access
• OS with MAC:
– SELinux supports MAC
MAC principles: Labels
• Security labels can be assigned to subjects and objects
– Can be strictly ordered security levels, e.g. “Confidential” or “Secret”
– Can also be partially ordered categories, e.g. {Sales-dep, HR-dep}
• Dominance relationship between labels
– (LA ≥ LB) means that label LA dominates label LB
• Object labels are assigned according to sensitivity
• Subject labels are determined by security clearance
• Access control decisions are made by comparing the subject
label with the object label according to a specific model
• MAC is typically based on the Bell-LaPadula model (see later)
[Figure: subject label compared with object label.]
Bell-LaPadula: The classical MAC model
SS-property (Simple Security): No Read Up
• A subject should not be able to read files with a higher label than
its own label, because otherwise it could cause unauthorized
disclosure of sensitive information.
• So you should only be able to read documents with an
equal or lower label than your security clearance level.
*-Property (Star Property): No Write Down
• Subjects working on information/tasks at a given level should not
be allowed to write to a lower level, because otherwise it could
create unauthorized information flow.
• So you should only be able to write to files with an equal or higher
label than your security clearance level.
Bell-LaPadula (MAC model) SS-Property: No Read Up
[Figure: a subject with current label Secret may read objects labelled Secret and Confidential, but not Top Secret.]
Bell-LaPadula (MAC model) *-Property: No Write Down
[Figure: a subject with current label Secret may write to objects labelled Secret and Top Secret, but not Confidential.]
Labels in Bell-LaPadula
• Users have a clearance level LSM (Subject Max level)
• Users log on with a current clearance level LSC (Subject
Current level) where LSC ≤ LSM
• Objects have a sensitivity level LO (Object)
• SS-property allows read-access when LSC ≥ LO
– Label LSC dominates label LO
• *-property allows write-access when LSC ≤ LO
– Label LO dominates label LSC
• Simultaneous read- and write-access requires LSC = LO
Bell-LaPadula label relationships
[Figure: object labels LO ordered by dominance from A (highest) down to I (lowest). The subject’s max label (clearance) LSM sits near the top and the possible current labels LSC range from LSM downwards. With LSC = LO = E, write access is possible to objects whose labels dominate E (upwards) and read access to objects whose labels are dominated by E (downwards).]
Partial Ordering of MAC Labels
• Example: Define a label L = (h, c) where h and c are label
parameters which take values from sets H and C
h ∈ hierarchical set H = {Secret, Unclassified} = {S, U}
c ∈ category set C = {Development, Marketing, ∅} = {D, M, ∅}
[Figure: partial ordering lattice, where ≥ means dominates. (S,{D,M}) is at the top; below it (S,M), (S,D) and (U,{D,M}); below those (S,∅), (U,M) and (U,D); (U,∅) is at the bottom. A label dominates another when it is at least as high in level and its category set contains the other’s.]
Definition of Label Dominance
• Labels defined as: L = (h, c), h ∈ H and c ∈ C
• H: set of hierarchical levels, C: set of categories
– Subject current label: LSC = (hSC, cSC)
– Object label: LO = (hO, cO)
• Dominance: LSC ≥ LO iff (hO ≤ hSC) ∧ (cO ⊆ cSC)
– In case LSC = LO then also LSC ≥ LO and LO ≥ LSC
• Non-dominance cases: LSC ≱ LO
– (hO > hSC) ∧ (cO ⊆ cSC); insufficient hierarchic level
– (hO ≤ hSC) ∧ (cO ⊄ cSC); insufficient category set
– (hO > hSC) ∧ (cO ⊄ cSC); insufficient level and category
Combined MAC & DAC
• Combining MAC and DAC access control:
– It can be useful to combine MAC and DAC access control
• MAC policy is applied first,
• DAC policy applied subsequently in case of positive MAC
• Access granted only if both MAC and DAC decisions are positive
– Advantage:
• MAC ensures that users with insufficient clearance label in terms
of level and category can not access resources with a dominant
classification label
• DAC makes it possible to enforce ‘need to know’ to limit access
that would otherwise be granted under the MAC policy
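The label dominance definition and the MAC-then-DAC combination from the two slides above, as one added example that is not from the lecture. Labels are the slide’s L = (h, c) with H = {U, S} and categories D and M; the dominance test, the three non-dominance cases, the SS- and *-property checks and the “MAC first, DAC only on a positive MAC decision” rule follow the slides. The DAC ACL (subjects alice and bob) is constructed.

```python
"""Bell-LaPadula labels L = (h, c): dominance, SS-/*-property, MAC + DAC.

Added example, not from the lecture slides. H and C are the slide's sets;
HR_FILE_ACL is a constructed need-to-know list for one HR object.
"""

from dataclasses import dataclass

# Strict order of the hierarchical set H: a higher number is a higher level.
LEVELS = {"U": 0, "S": 1}


@dataclass(frozen=True)
class Label:
    h: str            # hierarchical level from H
    c: frozenset      # category set, a subset of {D, M}

    def dominates(self, other):
        """self >= other  iff  (h_other <= h_self) and (c_other subset-of c_self)."""
        return LEVELS[other.h] <= LEVELS[self.h] and other.c <= self.c


def label(h, *categories):
    """Convenience constructor: label('S', 'D', 'M') is (S, {D, M}); label('U') is (U, empty set)."""
    return Label(h, frozenset(categories))


def why_not_dominated(subject, obj):
    """Classify a failed dominance test into the slide's three cases; None if LSC >= LO."""
    if subject.dominates(obj):
        return None
    level_short = LEVELS[obj.h] > LEVELS[subject.h]      # h_O > h_SC
    category_short = not obj.c <= subject.c              # c_O not subset-of c_SC
    if level_short and category_short:
        return "insufficient level and category"
    if level_short:
        return "insufficient hierarchic level"
    return "insufficient category set"


def mac_allows(l_sc, l_o, mode):
    """SS-property: read needs L_SC >= L_O (no read up).
    *-property: write needs L_O >= L_SC (no write down).
    Read and write at once therefore needs L_SC == L_O."""
    if mode == "read":
        return l_sc.dominates(l_o)
    if mode == "write":
        return l_o.dominates(l_sc)
    raise ValueError(f"unknown mode {mode!r}")


# Constructed DAC list for one HR object: who has need-to-know, and for what.
HR_FILE_ACL = {"alice": {"read"}, "bob": {"read", "write"}}


def combined_allows(l_sc, l_o, acl, subject_name, mode):
    """MAC policy first; DAC (need-to-know via the ACL) only if MAC was positive.
    Access is granted only when both decisions are positive."""
    if not mac_allows(l_sc, l_o, mode):
        return False
    return mode in acl.get(subject_name, set())


if __name__ == "__main__":
    hr_file = label("S", "D")
    for name, l_sc in (("alice", label("S", "D")), ("bob", label("U"))):
        for mode in ("read", "write"):
            print(name, mode, combined_allows(l_sc, hr_file, HR_FILE_ACL, name, mode))
```

Note that bob, who is in the ACL with read and write, still gets no read access to the Secret file because his Unclassified current label is checked by MAC before the ACL is ever consulted; the ACL can only narrow what MAC allows, never widen it.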
RBAC: Role Based Access Control
• A user has access to an object based on the
assigned role.
• Roles are defined based on job functions.
• Permissions are defined based on job authority and
responsibilities within a job function.
• Operations on an object are invoked based on the
permissions.
• The object is concerned with the user’s role and not the
user.
RBAC Flexibility
[Figure: users are assigned to roles (Role 1, Role 2, Role 3), and roles are granted access to resources (File 1, File 2, File 3). Users change frequently, roles don’t.]
• RBAC can be configured to do MAC and/or DAC
RBAC Privilege Principles
• Roles are engineered based on the principle of
least privilege.
• A role contains the minimum amount of
permissions to instantiate an object.
• A user is assigned to a role that allows her to
perform only what’s required for that role.
• All users with the same role have the same
permissions.
ABAC and XACML
ABAC = Attribute Based Access Control
• ABAC specifies access authorizations and approves access
through policies combined with attributes. The policy rules can
apply to any type of attributes (user attributes, resource attributes,
context attributes etc.).
• XACML is used to express ABAC attributes and policies.
XACML = eXtensible Access Control Markup Language
• The XACML standard defines a language for expressing access
control attributes and policies implemented in XML, and a processing
model describing how to evaluate access requests according to the
rules defined in policies.
• XACML attributes are typically structured in ontologies
Attribute Based Access Control
• ABAC makes AC decisions based on Boolean conditions on attribute
values.
• Subject, Object, Context, and Action consist of attributes
– Subject attributes could be: Name, Sex, DOB, Role, etc.
– Each attribute has a value, e.g.:
(Name(subject) = Alice), (Sex(subject) = F), (Role(subject) = HR-staff),
(AccessType(action) = {read, write}),
(Owner(object) = HR), (Type(object) = salary)
• The AC logic analyses all (attribute = value) tuples that are
required by the relevant policy.
– E.g. permit if:
[ (Role(subject) = HR-staff) and (AccessType(action) = read) and
(Owner(object) = HR) and (Time(query) = office-hours) ]
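The decision logic of the slide’s example policy, as an added example that is not from the lecture and is not XACML. The policy is the slide’s rule (Role(subject) = HR-staff, AccessType(action) = read, Owner(object) = HR, Time = office-hours); the slide’s Time(query) is modelled here as a context attribute, the split into a Policy Decision Point and a Policy Enforcement Point follows the IAM scenario earlier in the lecture, and the request about Alice and the salary table is constructed from the slide’s attribute values. The last function shows the slide’s claim that RBAC is a special case of ABAC: a role-based rule is just a rule that only tests Role(subject).

```python
"""ABAC decision over (attribute = value) tuples, with a PDP / PEP split.

Added example, not the lecture's code and not XACML. Attribute names and
values are the slide's; the requests are constructed.
"""

# A policy is a list of rules. A rule maps (category, attribute) -> required value;
# a rule matches when every one of its conditions holds. Any matching rule permits;
# no matching rule means Deny (deny by default).
HR_READ_POLICY = [
    {
        ("subject", "Role"): "HR-staff",
        ("action", "AccessType"): "read",
        ("object", "Owner"): "HR",
        ("context", "Time"): "office-hours",
    },
]


def rule_matches(rule, req):
    """All (category, attribute) = value conditions of the rule must be satisfied by the request."""
    return all(req.get(category, {}).get(attribute) == value
               for (category, attribute), value in rule.items())


def pdp_decide(policy, req):
    """Policy Decision Point: evaluates the policy, returns 'Permit' or 'Deny'."""
    return "Permit" if any(rule_matches(rule, req) for rule in policy) else "Deny"


def pep_enforce(policy, req, resource_access):
    """Policy Enforcement Point: performs the access only on Permit, else returns None."""
    if pdp_decide(policy, req) == "Permit":
        return resource_access()
    return None


def role_rule(role, access_type):
    """RBAC expressed in ABAC: a rule that looks only at Role(subject) and the action."""
    return {("subject", "Role"): role, ("action", "AccessType"): access_type}


def make_request(subject, action, obj, context):
    """Group the four attribute categories of an access request."""
    return {"subject": subject, "action": action, "object": obj, "context": context}


def with_attrs(req, category, **attrs):
    """Copy of a request with some attributes of one category changed (for what-if checks)."""
    changed = {cat: dict(values) for cat, values in req.items()}
    changed[category].update(attrs)
    return changed


# Constructed request built from the slide's attribute values.
ALICE_READS_SALARY = make_request(
    {"Name": "Alice", "Role": "HR-staff"},
    {"AccessType": "read"},
    {"Owner": "HR", "Type": "salary"},
    {"Time": "office-hours"},
)


if __name__ == "__main__":
    print("in office hours:", pdp_decide(HR_READ_POLICY, ALICE_READS_SALARY))
    print("after hours:    ", pdp_decide(HR_READ_POLICY,
                                          with_attrs(ALICE_READS_SALARY, "context", Time="after-hours")))
    print("write instead:  ", pdp_decide(HR_READ_POLICY,
                                          with_attrs(ALICE_READS_SALARY, "action", AccessType="write")))
```

Every attribute the policy names has to be present and consistently spelled in the request, which is the global-consistency requirement the next slides discuss: a request carrying Role = "hr-staff" would be denied by this rule, and no amount of policy logic can repair an attribute vocabulary that systems do not share.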
ABAC Model
[Figure: a Subject sends an Access Request (1) for an Action on an Object to the ABAC Functions (AC decision logic and AC enforcement). The ABAC functions consult (2a) the AC policies, a Meta Policy over Policy 1, Policy 2 and Policy 3; (2b) the subject attributes (Name, Affiliation, Clearance, etc.); (2c) the object attributes (Type, Owner, Classification, etc.); and (2d) the context conditions; then (3) access to the Object is granted or denied.]
Global Consistency
• ABAC systems require an XML terminology to
express all possible attributes and their values,
• which must be consistent across the entire domain,
– e.g. the attribute Role and all its possible values, e.g.
(Role(subject) = HR-staff), must be known and interpreted by all
systems in the AC security domain.
• Requires standardization:
– e.g. for access to medical journals, medical terms must be
interpreted in a consistent way by all systems
– current international work on XML of medical terms
• Consistent interpretation of attributes and values is a
major challenge for implementing ABAC.
ABAC: + and −
On the positive side:
• ABAC is much more flexible than DAC, MAC or RBAC
– DAC, MAC and RBAC can be implemented with ABAC
• Can use any type of access authorization policies combined
with an unlimited number of attributes
• Suitable for access control in distributed environments
– e.g. national e-health networks
On the negative side:
• Requires defining AC concepts in terms of XML and ontologies,
which is much more complex than what is required in traditional
DAC, MAC or RBAC systems.
• Political alignment and legal agreements are required for ABAC in
distributed environments.
End of lecture
Lecture 7:
Application Security and
Secure System Development
Outline
• Application Security
– Malicious Software
– Attacks on web applications
– Secure System Development
How do computers get compromised?
• Accessing malicious or infected websites which contain
malicious scripts through browser vulnerabilities
• Downloading and installing malware from websites
• Executing attachments to emails which contain exploits and
malware
• Plugging in external devices which are infected with
malware
• Installing malware / infected software from any media
• Direct attacks from the Internet, which e.g. exploit
vulnerabilities in OS or applications such as web servers or
SQL databases
• Supply-chain attacks through the delivery chain, during
assembly, or during shipment
Malware types
• Backdoor or trapdoor
• Logic bomb
• Trojan horse
• Worm
• Virus
– Stealth virus: uses techniques to hide itself, e.g. encryption
– Polymorphic virus: different for every system
– Metamorphic virus: different after every activation on the same system
• Exploit
– A method to infect systems by using a malicious program or input data (e.g. a
document) that triggers and exploits a software bug in the system
Exploits
• A piece of software, data, or a sequence of
commands that exploits a software/hardware vulnerability
• Can be carried in common data formats such as pdf
documents, office documents or media files.
• Often contains carefully designed corrupt datatypes
• Causes unintended or unanticipated behavior to occur on
computer software or hardware
• The functionality of exploits is typically to:
– Download a malware/backdoor which allows the attacker to
control the platform
– Directly take control of a computer system, allowing privilege
escalation, or a denial-of-service or other sabotage.
Backdoor or Trapdoor
Installed by exploit:
• Provides remote control capabilities by attackers
• Can reside on system for long periods before being used
• Can be removed after use
Installed by user:
• User can be tricked to install malicious program (see Trojan horse)
Installed during design:
• is a hidden/secret entry point into a program,
• allows those who know about it to bypass the usual security procedures
• is commonly used by developers for testing
• is a threat when left in production software, allowing exploitation by attackers
• is very hard to block in the O/S
• can be prevented with a secure development lifecycle
The Cyber Kill Chain & Timescale
  Phase                    Typical timescale
  Reconnaissance / OSINT   Days, months, years
  Weaponisation            Days, months
  Delivery                 Minutes, hours
  Exploitation             Milliseconds
  Installation             Seconds
  C&C                      Hours, days
  Action/Exfiltration      Hours, days, years
Logic Bomb
• one of oldest types of malicious software
• code embedded in legitimate program
• activated when specified conditions met
– eg presence/absence of some file
– particular date/time
– particular user
• causes damage when triggered
– modify/delete files/disks, halt machine, etc
Trojan Horse
• program with hidden side-effects
– e.g. a back door
• program is usually superficially attractive
– e.g. game, s/w upgrade, rare driver etc
• performs additional tasks when executed
– allows attacker to indirectly gain access they do not have
directly
• often used to propagate a virus/worm or to install a
backdoor
• … or simply to destroy data
Malicious Mobile Code
• Program/script/macro that runs unchanged
 on homogeneous platforms (e.g. Windows)
—will only affect specific platforms
 on heterogeneous platforms
—will affect any platform that supports script/macro language
—e.g. Office macros
• Transmitted from remote system to local system & then executed
on local system
 To inject Trojan horse, spyware, virus, worm etc. which can
—directly perform specific attacks, such as unauthorized data
access, root compromise, sabotage
—indirectly infect other systems and thereby spread
Viruses
• a piece of software that infects programs
• specific to operating system and hardware
– taking advantage of their details and weaknesses
• a typical virus goes through phases of:
– dormant
– propagation
– triggering
– execution
Worms
• Replicating programs that propagate over the net
– Access remote systems via network protocols to open ports
– Attack vulnerable processes in remote systems
– Can also use email, remote exec, remote login
• Can have characteristics like a virus:
– Dormant, triggering, execution, propagation & replication
– Propagation phase: searches for other systems to infect
– May disguise itself as a system process when executing
• Morris Worm, the first and the best known worm, 1988
– released by Robert Morris Jr., paralyzed the Internet (of 1988)
– exploited vulnerabilities in UNIX systems
• WannaCry Worm, epidemic infection in May 2017
– exploits known, but unpatched, vulnerability in Windows XP, Win7 and Win8
Worm Propagation Speed
[Figure: worm propagation speed.]
What is a botnet?
• A botnet is a collection of computers infected with malicious
software agents (robots) that can be controlled remotely by an
attacker.
• Owners of bot computers are typically unaware of infection.
• Botnet controller is called a "bot herder" or "bot master"
• Botnets execute malicious functions in a coordinated way:
– Send spam email
– Collect identity information
– Denial of service attacks
– Create more bots
– Bitcoin mining
• A botnet is typically named after the malware used to infect
• Multiple botnets can use the same malware, but can still be
operated by different criminal groups
Botnet Architectures
[Figure: centralized, decentralized and hybrid botnet topologies.]
DDoS Flood Types
• Direct attack
– Bots send traffic with own or
spoofed sender address to victim
• Reflected attack
– Bots send traffic to innocent hosts
with victim address as sender
address. Innocent hosts become
part of attack by replying to victim.
The web application security challenge
Network security (firewall, SSL, IDS, hardening) does not stop application attacks
What is SQL?
• Structured Query Language: interface to relational database
systems.
• Allows for insert, update, delete, and retrieval of data in a database.
• ANSI/ISO Standard, used extensively in web applications.
• Example:
select ProductName from products where ProductID = 40;
SQL at back-end of websites
1. Take input from a web-form via HTTP methods such as
POST or GET, and pass it to a server-side application.
2. Application process opens connection to SQL database.
3. Query database with SQL and retrieve reply.
4. Process SQL reply and send results back to user.
[Figure: SQL interface. Computer → Web Server → Application Server → Database Server, with steps 1–4 along the path.]
What is SQL Injection?
• Database system misinterpretation of input data
– Attacker disguises SQL commands as data-input
– Disguised SQL commands = ‘injected’ SQL commands
• With SQL injection, an attacker can get complete control of the
database
– no matter how well the system is patched,
– no matter how well the firewall is configured,
• The vulnerability exists when the web application fails to sanitize
data input before sending it to the database
• The flaw is in the web application, not in the SQL database.
What is SQL Injection?
• For example, if an input field asks for a product number, but the malicious user
inputs “40 or 1 = 1”, or leaves a ‘ symbol (single quote/apostrophe)
• The resulting SQL command becomes:
select ProductName from products where ProductID = 40 or 1 = 1
• 1=1 is always TRUE so the “where” clause will always be satisfied, even if
ProductID ≠ 40.
• All product records will be returned.
• Data leak.
SQL injection with a single quote
Stored XSS
• Data provided by users to a web application is stored
persistently on server (in database, file system, …)
and later displayed to users in a web page.
• Typical example: online message boards.
• Attacker uploads data containing malicious script to
server.
• Every time the vulnerable web page is visited, the
malicious script gets executed in client browser.
• Attacker needs to inject script just once and every
user accessed infected page will be infected too.
Preventing SQL Injection and XSS
• Validate all user-entered parameters
– CHECK data types and lengths
– DISALLOW unwanted data (HTML tags, JavaScript, SQL commands)
– ESCAPE questionable characters (ticks, --, semicolons, brackets, single quotes etc.)
• Hide error-handling information
– Error messages divulge information that can be used by an attacker
– Error messages must not reveal potentially sensitive information
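An added example (not from the lecture) of the defences just listed, applied to the message-board scenario from the Stored XSS slide: escaping at render time, a whitelist check of a product number, and a generic user-facing error message. The board contents and the sample error are constructed.

```python
import html
import re

# Constructed in-memory message board: posts are stored exactly as submitted.
BOARD = []


def post_message(author, text):
    BOARD.append({"author": author, "text": text})


def render_unsafe():
    # Vulnerable: stored user text is pasted into the HTML, so a stored
    # <script> runs in the browser of every visitor who loads the page.
    return "".join(f"<p><b>{p['author']}</b>: {p['text']}</p>" for p in BOARD)


def render_safe():
    # Hardened: ESCAPE at output time; <, >, &, and quotes become entities and
    # the browser displays the script text instead of executing it.
    return "".join(
        f"<p><b>{html.escape(p['author'])}</b>: {html.escape(p['text'])}</p>"
        for p in BOARD)


PRODUCT_ID = re.compile(r"[0-9]{1,9}")


def validate_product_id(value):
    # CHECK type and length, DISALLOW everything else: only 1-9 digits pass,
    # so "40 or 1 = 1" and a lone single quote never reach the SQL layer.
    return PRODUCT_ID.fullmatch(value) is not None


def user_facing_error(exc):
    # Hide error-handling details: the user gets a generic message, while the
    # full exception text is kept for the server-side log only.
    server_log_line = f"internal error: {exc!r}"
    return "Request could not be processed.", server_log_line


if __name__ == "__main__":
    post_message("mallory", "<script>alert('xss')</script>")
    print(render_unsafe())
    print(render_safe())
    print(validate_product_id("40"), validate_product_id("40 or 1 = 1"))
```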
Broken Authentication and Session Mgmt
Broken Authentication and Session Mgmt: Problem and Fix
• User authentication does not necessarily provide continuous
authentication assurance
– User authentication is only at one point in time
• Insecure implementation of session control with a static session Id
which is passed in the URL
– Unfortunately this can be misused
• Recommendations for session Id must be followed
– E.g. from OWASP
• Examples of controls for session Id:
– Link session Id to e.g. IP address, TLS session Id
OWASP: The Open Web Application Security Project
• Non-profit organisation
– Local chapters in most countries, also in Norway
• OWASP promotes security awareness and security solutions
for Web application development.
• The OWASP Top-10 security risks identify the most critical
security risks of providing online services
– The Top 10 list also recommends relevant security solutions.
• OWASP ASVS (Application Security Verification Standard)
specifies requirements for application-level security.
• Provides and maintains many free tools for scanning for, and fixing,
security vulnerabilities
Top-10 Web Application Risks
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards
Waterfall and Secure Waterfall
Waterfall SDLC (Software Development Life Cycle), with the matching Microsoft SDL (Secure Development Lifecycle) phases alongside:
Requirements → Design → Implementation → Verification → Maintenance
Agile Software Development (e.g. Scrum)
• Requirements are specified as stories
• Each story implemented as sprint
• Repeated sprint cycles until all stories are implemented
Figure (sprint cycle): Project planning → Select user stories for the next release → Break down user story into functions → Plan new release → Develop, integrate & test new functionality → Release new software → Deploy system → Evaluate current system → back to selecting user stories
User Stories and Use Cases
User Story – Seen from the user perspective:
As an [actor] I want [action] so that [achievement]. For
example: As an Instagram member, I want to set different
privacy levels on my photos, so I can control who sees
which of my photos.
Use case – Seen from the design perspective:
Description of a set of interactions between a system and
one or more actors (where an ‘actor’ can be a user
or another system).
Secure Agile Software Development
• Secure agile has some additional steps
– During project startup: collect stakeholder security concerns
– During each sprint cycle: identify threat scenarios to control
– During final test and validation: evaluate system & review security
• Secure agile necessarily makes it a little less agile
Figure (secure sprint cycle): Project planning → Collect stakeholder security concerns → Select user stories for next release → Break down user story into functions → Plan new release → Identify threat scenarios to control → Develop, integrate & test new function → Release new software → Evaluate system & review security → Deploy system
Threat Modelling in Secure Agile
Figure (data flow): User PC or phone → Internet → Front-End → Back-End → DB
• Threat modelling is the process of identifying, analysing and describing
relevant threats (scenarios).
• Do threat modelling and (lightweight) risk assessment in each sprint.
• Think: How could this new function be misused or attacked?
Which assets could be harmed? What consequences?
• Stop or mitigate the threat (remove vulnerabilities) during the sprint.
STRIDE Threat Modelling
Spoofing – Can an attacker gain access using a false identity?
Tampering – Can an attacker modify data as it flows through the application?
Repudiation – If an attacker denies doing something, can we prove he did it?
Information disclosure – Can an attacker gain access to private or potentially injurious data?
Denial of service – Can an attacker crash or reduce the availability of the system?
Elevation of privilege – Can an attacker assume the identity of a privileged user?
Attacker Story and Misuse Case
(Attacker Goal and Threat Scenario)
• Attacker Story – The goal of the attacker:
– As an [attacker] I want [action] so that [achievement].
– So, for example: As an attacker, I want to hack into Instagram accounts
to steal photos and personal info.
• Misuse Case (Threat Scenario) – Seen from the threat scenario perspective:
– Description of a set of steps and interactions to be executed by the
attacker to achieve the goal.
End of lecture
Lecture 8
Cryptography
Outline
• What is cryptography?
• Brief crypto history
• Symmetric cryptography
– Stream ciphers
– Block ciphers
– Hash functions
• Asymmetric cryptography
– Encryption
– Diffie-Hellman key exchange
– Digital signatures
– Post-Quantum Crypto
Terminology
• Cryptography is the science of secret writing with
the goal of hiding the meaning of a message.
• Cryptanalysis is the science of breaking
cryptography.
• Cryptology covers both cryptography and
cryptanalysis.
Figure: Cryptology = Cryptography + Cryptanalysis (IN2120 - UiO 2019)
What can cryptography do?
Crypto can provide the following security services:
– Confidentiality:
• Makes data unreadable to entities who do not have the
appropriate cryptographic keys, even if they have the data.
– Data Integrity:
• Entities with the appropriate cryptographic keys can verify that data
is correct and has not been altered, either deliberately or
accidentally.
– Authentication:
• Entities who communicate can be assured that the other user/entity
or the sender of a message is what it claims to be.
– Digital Signature and PKI (Public-Key Infrastructure):
• Strong proof of data origin which can be verified by 3rd parties.
• Scalable (to the whole Internet) distribution of cryptographic keys.
Taxonomy of cryptographic functions
Cryptographic functions (cryptographic algorithms):
– Hash functions
– Ciphers
• Symmetric: one secret key used for both encryption and decryption
– Block ciphers
– Stream ciphers
• Asymmetric (called “public-key cryptography”): public key used for encryption and private key used for decryption
Block Cipher vs. Stream Cipher
Block cipher: plaintext blocks of N bits and the key are the inputs to the block cipher, which outputs ciphertext blocks of N bits.
Stream cipher: the key drives a key stream generator; the key stream is combined with the plaintext stream to produce the ciphertext stream.
Note that the key stream repeats itself and is not totally
random, hence a stream cipher is not a One-Time-Pad.
Evolution of Ciphers
– Classical ciphers (BC – AD): Transposition (Scytale); Substitution (Caesar cipher)
– Medieval ciphers (to 1799): Poly-alphabetic substitution + transposition (Vigenère, 1566)
– Pre-WW2 ciphers (1800—1939): One-time pad (Vernam, 1916)
– WW2 ciphers (1940—1975): Complex mechanics (Enigma); SP-networks and information theory (Shannon)
– Pre-2000 ciphers (1976—2000): DES (Feistel); Asymmetric crypto (Diffie-Hellman)
– Post-2000 ciphers (2001—): AES (Rijmen & Daemen); Post-quantum asymmetric crypto
Terminology
• Encryption: plaintext (cleartext) M is converted into a
ciphertext C under the control of a key k.
– We write C = E(M, k).
• Decryption with key k recovers the plaintext M
from the ciphertext C.
– We write M = D(C, k).
• Symmetric ciphers: the secret key is used for both
encryption and decryption.
• Asymmetric ciphers: Pair of private and public keys
where it is computationally infeasible to derive the
private decryption key from the corresponding public
encryption key.
Symmetric cryptography (secret key)
Figure: Plaintext → Encryption algorithm (Secret Key) → Ciphertext (transfer) → Decryption algorithm (Secret Key) → Plaintext
“Secret key” means that the key is shared “in secret” between entities who are authorized
to encrypt and decrypt.
Strength of Ciphers
Factors for cryptographic strength:
• Key size.
– Exhaustive key-search time depends on the key size.
– Typical key size for a symmetric cipher is 256 bit.
– Attacker must try 2^256/2 keys on average to find the key, which would
take millions of years, which is not practical.
– With N different keys, the key size is log2(N).
• Algorithm strength.
– Key discovery by cryptanalysis can exploit statistical
regularities in the ciphertext.
– To prevent cryptanalysis, the bit-patterns / characters in the
ciphertext should have a uniform distribution, i.e. all bit-patterns /
characters should be equally probable.
Letter Frequencies → Statistical cryptanalysis
Historic ciphers, like the Caesar Cipher, are weak because they fail to hide
statistical regularities in the ciphertext.
Figure: letter frequencies in English; Caesar Cipher
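An added example, not from the lecture, showing why the Caesar cipher leaks: a Caesar encryptor and a breaker that undoes each of the 26 shifts and compares the resulting letter counts against a published English letter-frequency table with a chi-squared statistic. The sample plaintext in the demo is constructed.

```python
import string
from collections import Counter

# Relative letter frequencies of English text in percent, A..Z (the profile
# behind the lecture's frequency chart).
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0,
                2.4, 6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15,
                2.0, 0.074]


def caesar(text, shift):
    # Classical mono-alphabetic substitution: every letter moves `shift`
    # places along the alphabet; other characters pass through unchanged.
    out = []
    for ch in text.upper():
        if ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def chi_squared(counts, total):
    # How far the observed letter counts are from the expected English profile.
    score = 0.0
    for i in range(26):
        expected = total * ENGLISH_FREQ[i] / 100
        score += (counts[i] - expected) ** 2 / expected
    return score


def break_caesar(ciphertext):
    # Statistical cryptanalysis: Caesar only relabels letters, so the
    # plaintext's frequency pattern survives in the ciphertext. Undo each of
    # the 26 shifts and keep the one whose profile is closest to English.
    letters = [c for c in ciphertext.upper() if c in string.ascii_uppercase]
    best_shift, best_score = 0, float("inf")
    for shift in range(26):
        cnt = Counter(chr((ord(c) - 65 - shift) % 26 + 65) for c in letters)
        counts = [cnt[chr(65 + i)] for i in range(26)]
        score = chi_squared(counts, len(letters))
        if score < best_score:
            best_shift, best_score = shift, score
    return best_shift, caesar(ciphertext, -best_shift)


if __name__ == "__main__":
    # Constructed sample plaintext.
    pt = ("INFORMATION SECURITY MEANS PROTECTING THE CONFIDENTIALITY INTEGRITY "
          "AND AVAILABILITY OF DATA AGAINST ATTACKERS WHO EXPLOIT STATISTICAL "
          "REGULARITIES IN THE CIPHERTEXT")
    ct = caesar(pt, 7)
    print(ct)
    print(break_caesar(ct))
```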
Claude Shannon (1916 – 2001)
The Father of Information Theory – MIT / Bell Labs
• Information Theory
– Defined the “binary digit” (bit) as information unit
– Defined information “entropy” to measure amount of information
• Cryptography
– Model of secrecy systems
– Defined perfect secrecy
– Principle of S-P encryption (substitution & permutation) to hide statistical regularities
Shannon’s S-P Network
Removes statistical regularities in ciphertext.
• “S-P Networks” (1949)
– Substitutions & Permutations
– Substitute bits, e.g. 0001 with 0110
– Permute parts, e.g. part-1 to part-2
– Substitution provides “confusion”, i.e. complex
relationship between input and output
– Permutation provides “diffusion”, i.e. a single
input bit influences many output bits
– Iterate the S-P functions a specific number of times
– Functions must be invertible
Figure: plaintext → S S .... S → P → S S .... S → P → ... → S S .... S → P → ciphertext (E = encryption, D = decryption)
AES - Advanced Encryption Standard
• DES (Data Encryption Standard) from 1977 had a
56-bit key and a 64-bit block. In the mid-1990s DES
could be cracked with exhaustive key search.
• In 1997, NIST announced an open competition for
a new block cipher to replace DES.
• The best proposal, called “Rijndael”, was nominated
as AES (Advanced Encryption Standard) in 2001.
• AES has key sizes of 128, 192 or 256 bit and block
size of 128 bit
AES is designed by Vincent Rijmen and Joan Daemen from Belgium
Block Ciphers: Modes of Operation
• Block ciphers can be used in different modes in
order to provide specific security protection.
• Common modes include:
– Electronic Code Book (ECB) – insecure
– Cipher Block Chaining (CBC) – secure
– Output FeedBack (OFB) – secure
– Cipher FeedBack (CFB) – secure
– CounTeR Mode (CTR) – secure
Electronic Code Book (ECB-mode)
• ECB Mode encryption
– Simplest mode of operation
– Plaintext data is divided into blocks M1, M2, …, Mn
– Each block is then processed separately
• Plaintext block and key used as inputs to the encryption algorithm
Vulnerability of ECB-mode
CTR: Counter Mode
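An added example (not the lecture's code) of a Feistel block cipher used in ECB and in CTR mode. The round function is a SHA-256 stand-in rather than DES or AES, and the point is the mode behaviour: ECB repeats ciphertext blocks wherever plaintext blocks repeat, CTR does not. Key, nonce and sample plaintext are constructed.

```python
import hashlib

BLOCK = 8  # 64-bit block, as in DES


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def subkeys(key, rounds=16):
    # Simple key schedule: one 16-byte subkey per round, derived from the key.
    return [hashlib.sha256(key + bytes([i])).digest()[:16] for i in range(rounds)]


def round_function(half, subkey):
    # Feistel round function F (SHA-256 stand-in for a real cipher's S-P round).
    # F need not be invertible: the Feistel structure makes the cipher invertible.
    return hashlib.sha256(subkey + half).digest()[:4]


def feistel_encrypt_block(block, key):
    L, R = block[:4], block[4:]
    for k in subkeys(key):
        L, R = R, xor(L, round_function(R, k))
    return R + L  # final swap, so decryption is the same network run backwards


def feistel_decrypt_block(block, key):
    L, R = block[:4], block[4:]
    for k in reversed(subkeys(key)):
        L, R = R, xor(L, round_function(R, k))
    return R + L


def ecb_encrypt(plaintext, key):
    # ECB: every block is encrypted independently with the same key, so equal
    # plaintext blocks give equal ciphertext blocks. That pattern leak is why
    # the lecture marks ECB as the one insecure mode.
    if len(plaintext) % BLOCK:
        raise ValueError("ECB example expects whole blocks")
    return b"".join(feistel_encrypt_block(plaintext[i:i + BLOCK], key)
                    for i in range(0, len(plaintext), BLOCK))


def ctr_crypt(data, key, nonce):
    # CTR: encrypt nonce||counter to get a key stream and XOR it with the data.
    # Equal plaintext blocks now differ in the ciphertext, partial final blocks
    # need no padding, and decryption is the same call. A nonce must never be
    # reused with the same key.
    if len(nonce) != 4:
        raise ValueError("nonce must be 4 bytes (counter fills the other 4)")
    out = b""
    for i in range(0, len(data), BLOCK):
        counter_block = nonce + (i // BLOCK).to_bytes(4, "big")
        keystream = feistel_encrypt_block(counter_block, key)
        out += xor(data[i:i + BLOCK], keystream)
    return out


def repeated_blocks(ciphertext):
    # Number of ciphertext blocks that duplicate an earlier block.
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))
```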
One-Time-Pad
Figure: Shared secret OTP key K = k1, k2, k3 … ki held by both sides. Plaintext M → Encryption ci = mi ⊕ ki → Ciphertext c1, c2, c3 … ci (transfer) → Decryption mi = ci ⊕ ki → Plaintext M (⊕ = bitwise XOR addition)
• Property of bitwise XOR addition:
ki ⊕ ki = 0 and mi = ci ⊕ ki = mi ⊕ ki ⊕ ki
• OTP offers perfect security assuming the OTP key is perfectly
random, of same length as the message, and only used once
(Gilbert Vernam, 1917)
The perfect cipher: One-Time-Pad
• Old version used a paper tape of
random data
• Modern versions can use DVDs
with Gbytes of random data
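An added example, not from the lecture, of the XOR property above and of what goes wrong when the "only used once" condition is violated: the pad cancels out of c1 ⊕ c2, and knowing one message then yields the other. Messages and key are constructed.

```python
import os


def otp_encrypt(message, key):
    # ci = mi XOR ki, byte by byte. The pad must be at least as long as M.
    if len(key) < len(message):
        raise ValueError("one-time-pad key must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(message, key))


def otp_decrypt(ciphertext, key):
    # mi = ci XOR ki = mi XOR ki XOR ki, because ki XOR ki = 0.
    return otp_encrypt(ciphertext, key)


def new_pad(length):
    # Fresh random pad: the modern equivalent of Vernam's random paper tape.
    return os.urandom(length)


def pad_reuse_leak(c1, c2):
    # Failure mode when one pad encrypts two messages: the pad cancels out,
    # c1 XOR c2 = (m1 XOR k) XOR (m2 XOR k) = m1 XOR m2, so the relationship
    # between the plaintexts is exposed to anyone who sees both ciphertexts.
    return bytes(a ^ b for a, b in zip(c1, c2))


def recover_other_plaintext(leak, known_plaintext):
    # If one message is known or guessed, the other follows from the leak:
    # m2 = (m1 XOR m2) XOR m1. Perfect secrecy is gone.
    return bytes(a ^ b for a, b in zip(leak, known_plaintext))
```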
Integrity Check Functions
- Hash functions
- MAC functions
Hash functions (message digest functions)
Requirements for a one-way hash function h:
1. Ease of computation: given x, it is easy to
compute h(x).
2. Compression: h maps inputs x of arbitrary bitlength
to outputs h(x) of a fixed bitlength n.
3. One-way: given a value y, it is computationally
infeasible to find an input x so that h(x)=y.
4. Collision resistance: it is computationally infeasible to
find x and x’, where x ≠ x’, with h(x)=h(x’) (note: two
variants of this property).
Properties of hash functions
Figure: ease of computation (x → h(x)); pre-image resistance (from h(x), finding x is hard); collisions exist but are hard to find; weak collision resistance (2nd pre-image resistance: given x, finding x’ ≠ x with h(x’) = h(x) is hard); strong collision resistance (finding any pair x, x’ with h(x) = h(x’) is hard)
Applications of hash functions
• Comparing files
• Protection of password
• Authentication of SW distributions
• Bitcoin
• Generation of Message Authentication Codes (MAC)
• Digital signatures
• Pseudo-random number generation / mask generation functions
• Key derivation
Well-known hash functions
• MD5 (1991): 128 bit digest. Relatively easy to break by finding
collisions, due to short digest and poor design. Not to be used
in new applications, but may be used in legacy applications.
• SHA-1 (Secure Hash Algorithm): 160 bit digest. Designed by
NSA in 1995 to operate with DSA (Digital Signature Algorithm).
Attacks exist. Not recommended, but sometimes still in use.
• SHA-2 designed by NSA in 2001 provides 224, 256, 384, and
512 bit digest. Considered secure. Replacement for SHA-1.
• SHA-3: designed by Joan Daemen + others in 2010.
Standardized in 2015. Digest of: 224, 256, 384, and 512 bit.
SHA-3 has little use, because SHA-2 is considered strong.
Message Authentication Codes
• A message M with a simple message hash h(M) can be
changed by attacker.
• In communications, we need to verify the origin of data,
i.e. we need message authentication.
• MAC (message authentication code) can use hash
function as h(M, k) i.e. with message M and a secret key
k as input.
• To validate and authenticate a message, the receiver has
to share the same secret key used to compute the MAC
with the sender.
• A third party who does not know the key cannot validate
the MAC.
Practical message integrity with MAC
MAC and MAC functions
• Terminology
– MAC is the computed message authentication code h(M, k)
– MAC function is the algorithm used to compute a MAC
• Different types of MAC functions are e.g.
– HMAC (Hash-based MAC algorithm)
– CBC-MAC (CBC based MAC algorithm)
– CMAC (Cipher-based MAC algorithm)
• MAC functions, a.k.a. keyed hash functions, support
data origin authentication services.
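An added example (not from the lecture) contrasting a plain hash h(M) with an HMAC h(M, k), one of the MAC functions listed above, on a constructed message: an in-transit change goes unnoticed with the plain hash, because the attacker simply recomputes it, but fails MAC verification without the shared key.

```python
import hashlib
import hmac


def hash_tag(message):
    # Plain message digest h(M). Anyone can recompute it for a changed message,
    # so it detects accidental corruption, not a deliberate change.
    return hashlib.sha256(message).hexdigest()


def mac_tag(message, key):
    # h(M, k): HMAC-SHA256 over M with the shared secret key k.
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hash(message, tag):
    return hash_tag(message) == tag


def verify_mac(message, tag, key):
    # Constant-time comparison, so tag checking does not leak timing information.
    return hmac.compare_digest(mac_tag(message, key), tag)


def attacker_modifies(message, tag):
    # Active attacker without the key changes the message in transit and
    # recomputes the only tag it can: the plain hash.
    changed = message.replace(b"100", b"900")
    return changed, hash_tag(changed)


if __name__ == "__main__":
    key = b"constructed shared secret"
    msg = b"transfer 100 to account 42"
    forged_msg, forged_tag = attacker_modifies(msg, hash_tag(msg))
    print("hash-only check passes on forged message:",
          verify_hash(forged_msg, forged_tag))
    print("MAC check passes on forged message:",
          verify_mac(forged_msg, forged_tag, key))
    print("MAC check passes on genuine message:",
          verify_mac(msg, mac_tag(msg, key), key))
```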
Public-Key
Cryptography
Problem of symmetric key distribution
• Shared key between each pair
• In a network of n users, each participant needs n-1 keys.
• Number of exchanged secret keys:
= n(n-1)/2
= number of glasses touching at a cocktail party
• Grows exponentially, which is a major problem.
Figure: Network of 5 nodes
• Is there a better way?
– Public-key cryptography
James H. Ellis (1924 – 1997)
Inventor of pub-key crypto, but received little recognition
• British engineer and mathematician
• Worked at GCHQ (Government Communications
Headquarters)
• Idea of non-secret encryption to solve the key distribution
problem
• Encrypt with non-secret information in a way which makes it
impossible to decrypt without related secret information
• Never found a practical method
Clifford Cocks (1950)
Inventor of RSA algorithm in 1973, recognized in 1998
• British mathematician and cryptographer
• Silver medal at the International Mathematical Olympiad, 1968
• Worked at GCHQ (equivalent to NSA)
• Heard from James Ellis the idea of non-secret encryption in 1973
• Spent 30 minutes in 1973 to invent a practical method
• Equivalent to the RSA algorithm
• Was classified TOP SECRET
• Result revealed in 1998
• Fellow of the British Royal Society in 2015.
Malcolm J. Williamson
(1950 – 2015)
Inventor of key exchange but received little recognition
• British mathematician and cryptographer
• Gold medal at the International Mathematical Olympiad, 1968
• Worked at GCHQ until 1982
• Heard from James Ellis the idea of non-secret encryption, and
from Clifford Cocks the practical method.
• Intrigued, spent 1 day in 1974 to invent a method for secret key
exchange without a secret channel
• Equivalent to the Diffie-Hellman key exchange algorithm
Ralph Merkle, Martin Hellman and Whitfield Diffie
• Merkle invented (1979) the Merkle Hash Tree and
the Merkle Digital Signature Scheme, used e.g. in
Bitcoin. Resistant to quantum computers.
• Diffie & Hellman (1976) invented a practical key
exchange algorithm with discrete exponentiation.
• D&H defined public-key encryption (equiv. to non-
secret encryption) (1976)
• Defined digital signature
• “New directions in cryptography” (1976)
Diffie-Hellman key agreement (key exchange)
(provides no authentication)
Alice picks a private random integer a and sends g^a mod p to Bob;
Bob picks a private random integer b and sends g^b mod p to Alice.
Alice computes the shared secret (g^b)^a = g^ab mod p;
Bob computes the same shared secret (g^a)^b = g^ab mod p.
Attackers cannot recover the integers a or b because the discrete logarithm of
large integers is computationally difficult. Hence, attackers are unable to
compute the secret key = g^ab mod p.
Applications of Diffie-Hellman Key Exchange
• IPSec (IP Security)
– IKE (Internet Key Exchange) is part of the IPSec
protocol suite
– IKE is based on Diffie-Hellman Key Agreement
• SSL/TLS
– Several variations of SSL/TLS protocol including
• Fixed Diffie-Hellman
• Ephemeral Diffie-Hellman
• Anonymous Diffie-Hellman
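The key agreement described above, as an added example (not from the lecture): both sides compute g^ab mod p, each received public value is range-checked before use, and a brute-force discrete logarithm is shown to succeed on the deliberately tiny constructed parameters p = 23, g = 5, which is why real parameters are 2048 bits or more.

```python
import secrets


def dh_keypair(p, g):
    # Private exponent a in [2, p-2] and public value A = g^a mod p. The loop
    # only matters for toy parameters: with a large safe prime a trivial public
    # value is astronomically unlikely.
    while True:
        a = 2 + secrets.randbelow(p - 3)
        A = pow(g, a, p)
        if 1 < A < p - 1:
            return a, A


def check_public_value(value, p):
    # Reject trivial values (0, 1, p-1) that would force a predictable secret;
    # every implementation should make this check before exponentiating.
    if not 1 < value < p - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return value


def dh_shared_secret(peer_public, own_private, p):
    return pow(check_public_value(peer_public, p), own_private, p)


def dh_exchange(p, g):
    # Both sides of the exchange. Only A and B cross the network; a and b stay
    # private, and both ends arrive at g^(ab) mod p. Nothing here proves who
    # the peer is, which is the "provides no authentication" caveat.
    a, A = dh_keypair(p, g)                 # Alice
    b, B = dh_keypair(p, g)                 # Bob
    k_alice = dh_shared_secret(B, a, p)     # (g^b)^a mod p
    k_bob = dh_shared_secret(A, b, p)       # (g^a)^b mod p
    return A, B, k_alice, k_bob


def brute_force_dlog(public, p, g):
    # Recover an exponent x with g^x = public (mod p) by trying every candidate.
    # Feasible only because p is tiny; with a 2048-bit p this is the discrete
    # logarithm problem on which the security of the exchange rests.
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    return None


if __name__ == "__main__":
    P, G = 23, 5  # constructed toy parameters: 5 generates the group mod 23
    A, B, k_alice, k_bob = dh_exchange(P, G)
    print("A =", A, "B =", B, "shared:", k_alice, k_bob)
    x = brute_force_dlog(A, P, G)
    print("recovered Alice's exponent:", x, "-> secret", pow(B, x, P))
```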
Ron Rivest, Adi Shamir and Len Adleman
• Read about public-key cryptography in the 1976 article by Diffie
& Hellman: “New directions in cryptography”
• Intrigued, they worked on finding a practical algorithm
• Spent several months in 1976 to re-invent the method for
non-secret/public-key encryption discovered by Clifford
Cocks 3 years earlier
• Named RSA algorithm
• Uses a pair of keys: public key and private key
Asymmetric Ciphers: Examples of Cryptosystems
• RSA: best known asymmetric algorithm.
– RSA = Rivest, Shamir, and Adleman (published 1977)
– Historical Note: U.K. cryptographer Clifford Cocks invented the
same algorithm in 1973, but didn’t publish.
• ElGamal Cryptosystem
– Based on the difficulty of solving the discrete log problem.
• Elliptic Curve Cryptography
– Based on the difficulty of solving the EC discrete log problem.
– Provides same level of security with smaller key sizes.
Asymmetric Encryption: Basic encryption operation
Figure: Plaintext M → Asymmetric encryption with Bob’s public key (f5aff7be85…) → Ciphertext C (transfer) → Asymmetric decryption with Bob’s private key (f529c0840…) → Plaintext M
C = E(M, Kpub(B))
M = D(C, Kpriv(B))
In practical applications, large messages are not encrypted directly with asymmetric
algorithms. Hybrid systems are used.
Hybrid Cryptosystems
• Symmetric ciphers are faster than asymmetric
ciphers (because they are less computationally
expensive), but ...
• Asymmetric ciphers simplify key distribution,
therefore ...
• a combination of both symmetric and asymmetric
ciphers can be used – a hybrid system:
– The asymmetric cipher is used to distribute a randomly
chosen symmetric key.
– The symmetric cipher is used for encrypting bulk data.
Confidentiality Services: Hybrid Cryptosystems
Figure (key transport): Generate secret symmetric key K → Asymmetric encryption with Bob’s public key (f5aff7be85…), C = E(K, Kpub(B)) → Cipher Key (C) transfer → Asymmetric decryption with Bob’s private key (f529c0840…), K = D(C, Kpriv(B)) → Shared secret symmetric key K
Figure (bulk data): Plaintext M → Symmetric encryption, C = E(M, K) → Cipher Text (C) transfer → Symmetric decryption, M = D(C, K) → Plaintext M
Digital Signatures
Digital Signature Mechanisms
• A MAC cannot be used as evidence to be verified
by a 3rd party.
• Digital signatures can be verified by a 3rd party.
– Used for non-repudiation,
– data origin authentication and
– data integrity
• Digital signature mechanisms have three
components:
– key generation
– signing procedure (private)
– verification procedure (public)
Digital signature: Basic operation
Figure: Alice: Plaintext M → Encryption operation (Signing) with Alice’s private key Kpriv → C (Signed M) → Bob: Decryption operation (Validation) with Alice’s public key Kpub → Plaintext M
C = E(M, Kpriv(A))
M = D(C, Kpub(A))
In practical applications, message M is not signed directly,
only a hash value h(M) is signed.
Practical digital signature based on hash value
Non-repudiation only possible with DigSig
Figure: With a Shared Key: Plaintext M → MAC → symmetrically authenticated Plaintext M. With a Private Key / Public Key pair: Plaintext M → DigSig → non-repudiatable authenticated Plaintext M
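An added example, not from the lecture, tying together the three preceding operations in textbook RSA: asymmetric encryption C = E(M, Kpub(B)), a hybrid system that wraps a random symmetric key, and a signature over h(M) verified with the public key. The primes are constructed 20-bit values and the symmetric cipher is a SHA-256 stand-in; real use needs large moduli and OAEP/PSS padding, which bare textbook RSA lacks.

```python
import hashlib
import secrets


def rsa_keypair(p=1000003, q=1000033, e=65537):
    # Constructed small primes, for illustration only (real moduli are 2048+ bits).
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e*d = 1 (mod phi)
    return (e, n), (d, n)        # public key, private key


def rsa_encrypt(m, pub):
    e, n = pub
    return pow(m, e, n)          # C = E(M, Kpub)


def rsa_decrypt(c, priv):
    d, n = priv
    return pow(c, d, n)          # M = D(C, Kpriv)


def toy_stream_xor(data, key_int):
    # Stand-in symmetric cipher: SHA-256(K || counter) key stream XORed with
    # the data. Present only to show the hybrid structure; not a real cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key_int.to_bytes(16, "big") + i.to_bytes(4, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


def hybrid_encrypt(message, pub):
    # Hybrid system: a random symmetric key K is wrapped with Bob's public key
    # and the bulk message is encrypted with K. Returns (wrapped K, ciphertext).
    _, n = pub
    K = 2 + secrets.randbelow(n - 2)
    return rsa_encrypt(K, pub), toy_stream_xor(message, K)


def hybrid_decrypt(wrapped_key, ciphertext, priv):
    K = rsa_decrypt(wrapped_key, priv)
    return toy_stream_xor(ciphertext, K)


def message_digest(message, n):
    # h(M) as an integer below n: in practice the hash is padded (PSS), here
    # it is reduced so textbook RSA can operate on it.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, priv):
    # Practical signature: the private-key operation is applied to h(M), not M.
    _, n = priv
    return rsa_decrypt(message_digest(message, n), priv)


def verify(message, signature, pub):
    # Anyone holding the public key can check that the signature opens to h(M).
    _, n = pub
    return rsa_encrypt(signature, pub) == message_digest(message, n)
```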
Principle for Quantum Computing
• Quantum Computing (QC) uses quantum superpositions instead of
binary bits to perform computations.
• Quantum algorithms, i.e. algorithms for quantum computers, can solve
certain problems much faster than classical computer algorithms.
QC Threat to Traditional Cryptography
• Shor’s Quantum Algorithm (1994) can factor integers and compute discrete
logarithms efficiently. With a powerful quantum computer (at least 1 million
qubits), Shor’s algorithm would be devastating to traditional public key
crypto algorithms.
• Grover’s Quantum Search Algorithm (1996) can be used to brute-force
search for a k-bit secret key with an effort of only
√(2^k) = 2^(k/2)
which halves the effective key length and so effectively doubles the required key sizes for ciphers.
• QC was dismissed by most cryptographers until recent years.
General purpose quantum computers do not currently exist, but are
predicted to be built in the foreseeable future.
Cryptographic Functions and Services
• Symmetric encryption → Confidentiality
• Hash Functions → Authenticity / Integrity
• Asymmetric encryption & digital signature (Traditional), e.g. RSA, ECC, Diffie-Hellman → Digital Signature; PKI / key distribution; Confidentiality
Cryptographic Functions and Services
• Symmetric encryption → Confidentiality
• Hash Functions → Authenticity / Integrity
• Asymmetric encryption & digital signature (Post-Quantum), e.g. Lattice-based, Multivariate, Hash-based, Code-based, Elliptic curve isogeny → Digital Signature; PKI / key distribution; Confidentiality
Thanks to PQ Crypto we can still use DigSig and PKI even with quantum computers of 1 million qubit
Collapse of traditional asymmetric crypto?
Towards Standardized PQC
• The term “Post-Quantum Crypto” means crypto which is resistant to powerful quantum computers.
• Many organizations plan to start using PQC just to be on the safe side, and not risk bad publicity.
PQC already works
• Many initiatives for prototyping PQC in real applications
• Version of Chrome Browser with PQC TLS
• Disadvantage of PQC is high complexity and computation load
End of lecture
