<style>
.red {
color: red;
font-weight: bold;
}
.blue {
color: blue;
font-weight: bold;
}
</style>
# Information and Network Security Concepts
## What is cybersecurity?
The **protection of information** that is stored, transmitted, and processed in a networked system of computers, other digital devices, and network devices and transmission lines, including the Internet.
Protection encompasses:
- Confidentiality
- Integrity
- Availability
- Authenticity
- Accountability
---
Cybersecurity encompasses Information Security and Network Security:
- **Information Security**
    - Preservation of confidentiality, integrity, and availability of information. Authenticity, accountability, nonrepudiation, and reliability can also be involved.
- **Network Security**
    - Protection of networks and their service from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side effects.
### Security Objectives
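- **Confidentiality**
    - Data confidentiality
    - Privacy
    - Ciphertext cannot be read by unauthorized parties.
- **Integrity**
    - Data integrity
    - System integrity
    - It is possible to check whether a message has been modified.
- **Availability**
- **Authenticity**
    - The receiver can confirm that the message was not forged by someone else.
- **Accountability** (non-repudiation)
    - The sender cannot deny having sent the message.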
:::info
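Suppose that in a **symmetric-key cryptosystem** Alice and Bob share the same key. Because only these two know the key, Bob can be sure that a ciphertext he receives was sent by Alice, so authenticity holds.
But if a third party might know the key, and Alice denies that she sent the message, then accountability does not hold. In that case a digital signature made with the **private key** of a **public-key cryptosystem** is needed to ensure that the message was sent by Alice.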
:::
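
The Alice and Bob argument above, as an added example that is not part of the original notes: a shared-key MAC convinces Bob, but Bob could have produced the same tag himself, whereas a signature can only come from Alice's private key and is checked with her public key alone. The key values, the message text and the toy textbook-RSA parameters are assumptions made for illustration; the RSA key is far too small and unpadded for real use.

```python
import hashlib
import hmac

# Constructed shared secret held by both Alice and Bob (symmetric setting).
SHARED_KEY = b"constructed-shared-key-alice-bob"

def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag; anyone who holds `key` can compute it."""
    return hmac.new(key, message, hashlib.sha256).digest()

# Toy textbook RSA key for Alice (assumption: illustration only, no padding,
# modulus built from two Mersenne primes, NOT secure).
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q                               # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))       # Alice's private exponent

def digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(private_d: int, message: bytes) -> int:
    """Needs the private key, which only Alice holds."""
    return pow(digest_int(message), private_d, N)

def verify(message: bytes, signature: int) -> bool:
    """Needs only the public key (N, E); a judge can run this."""
    return pow(signature, E, N) == digest_int(message)

def demo() -> dict:
    msg = b"Pay Bob 100"
    forged = b"Pay Bob 1000000"
    tag_from_alice = mac_tag(SHARED_KEY, msg)
    # Bob holds the same key, so he can tag any message he likes; the tag
    # cannot show a third party which of the two key holders produced it.
    tag_made_by_bob = mac_tag(SHARED_KEY, forged)
    sig = sign(D, msg)
    return {
        "bob_accepts_mac": hmac.compare_digest(tag_from_alice, mac_tag(SHARED_KEY, msg)),
        "bob_can_forge_mac": hmac.compare_digest(tag_made_by_bob, mac_tag(SHARED_KEY, forged)),
        "signature_valid": verify(msg, sig),
        "signature_covers_forgery": verify(forged, sig),
    }

if __name__ == "__main__":
    print(demo())
```
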
## OSI Security Architecture
ITU-T X.800 defines a systematic way of defining and providing security requirements:
- Security Attack
    - An action that compromises the security of information
    - **Attacker ≈ Adversary ≈ Intruder ≈ Eve ≈ Hacker ≈ Cracker**
- Security Mechanism
    - A mechanism that can **detect**, **prevent**, or **recover** from a security attack
- Security Service
- Threat
## Security Attack
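- Passive Attacks
    - Can be prevented, but are harder to detect.
    - Types:
        - Eavesdropping
        - Traffic analysis
            - Traffic padding: when there is no message to send, keep sending random ciphertext so that the traffic is hard to analyze; the cost is higher.
- Active Attacks
    - Can be detected and recovered from, but are hard to prevent.
    - Types:
        - Masquerade (impersonation)
        - Data modification
        - Denial of service (DoS)
        - Replay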
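
How a receiver can detect two of the active attacks listed above, data modification and replay, shown as an added example that is not part of the original notes. The frame layout (sequence number, payload, HMAC tag), the key and the `Receiver` class are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-session-key"   # constructed sample key shared by both ends

def protect(seq: int, payload: bytes) -> bytes:
    """Sender side: frame = 8-byte sequence number || payload || 32-byte tag."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(KEY, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class Receiver:
    """Accepts each sequence number at most once, in increasing order."""

    def __init__(self) -> None:
        self.highest_seq = -1

    def accept(self, frame: bytes) -> str:
        if len(frame) < 40:                      # header + tag at minimum
            return "rejected: malformed"
        header, payload, tag = frame[:8], frame[8:-32], frame[-32:]
        expected = hmac.new(KEY, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: modified"          # data modification detected
        (seq,) = struct.unpack(">Q", header)
        if seq <= self.highest_seq:
            return "rejected: replay"            # a valid old frame sent again
        self.highest_seq = seq
        return "accepted: " + payload.decode(errors="replace")

def demo() -> list:
    rx = Receiver()
    f0 = protect(0, b"transfer 10 to carol")
    f1 = protect(1, b"transfer 20 to dave")
    # Payload altered in transit while the original tag is kept.
    tampered = f1[:8] + b"transfer 90 to dave" + f1[-32:]
    # Constructed channel trace: two genuine frames, a replay of the first,
    # then the altered frame.
    return [rx.accept(f) for f in (f0, f1, f0, tampered)]

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The receiver only detects these events; nothing in the frame format stops an attacker on the path from sending them, which matches the point that active attacks are hard to prevent.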




## Security Services
:::info
The following services do not all have to be provided at the same time.
:::
### Authentication
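- Ensures that the identity of the communicating party is authentic.
- Two Specific Authentication Services
    - Peer entity authentication
    - Data origin authentication
        - Corroborates the authenticity of the identity using the source of the data.
        - Cannot prevent duplicated or tampered messages.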
### Access Control
- Limits and controls access to systems and applications.
    - E.g., role-based access control
- To achieve this, verification must be performed each time an entity attempts to gain access.
### Data Confidentiality
Protects data from unauthorized disclosure.
- Connection Confidentiality
- Connectionless Confidentiality
- Selective-Field Confidentiality
- Traffic-Flow Confidentiality
<!-- TODO -->
### Data Integrity
- Connection Integrity with Recovery
- Connection Integrity without Recovery
    - Occurs rarely, so recovery is not needed.
- Selective-Field Connection Integrity
- Connectionless Integrity
- Selective-Field Connectionless Integrity
### Nonrepudiation
Nonrepudiation prevents either sender or receiver from **denying** a transmitted message. Thus, when a message is sent, the receiver can prove that the alleged sender **in fact sent** the message. Similarly, when a message is received, the sender can prove that the alleged receiver in **fact received** the message.
### Availability Service

## Security Mechanisms
### Cryptographic Algorithms
- **Reversible** cryptographic mechanisms
- Irreversible cryptographic mechanisms
    - Used for digital signatures, message authentication, etc.
    - hash algorithms
    - message authentication codes
### Data Integrity
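- Covers the various mechanisms that assure data integrity.
### Digital Signature
- Higher cost; unless it is necessary, a data integrity mechanism is usually used instead.
- Proves integrity and protects against forgery.
### Authentication Exchange
- Allows two parties to exchange information in order to authenticate.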
### Traffic Padding
- The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts
- Data is sent continuously in the gaps of the data stream so that the traffic is hard to analyze.
### Routing Control
- Enables **selection** of particular **physically or logically secure routes** for certain data and allows routing changes, especially when a breach of security is suspected
### Notarization
- The use of a trusted **third party** to **assure certain properties** of a data exchange
### Access Control
- A variety of mechanisms that enforce access rights to resources.
## Cryptography
Cryptographic Algorithms:
- Keyless
    - **Do not use any keys** during cryptographic transformations.
    - Hash (Cryptographic hash function)
    - Pseudo-random number generator
- Single-Key
    - Both parties hold the same key.
    - Block cipher symmetric encryption
    - Message authentication code
- Two-Key
    - Requires a public key and a private key.
    - Asymmetric encryption
    - Digital signature
    - Key exchange
    - User authentication
### Keyless Cryptographic Algorithms
Deterministic function **without using keys**.
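- Cryptographic Hash Function
    - A cryptographic hash function turns a **variable-length input** into a **small & fixed-length** output.
    - <font class="blue">Converts an input of arbitrary length into an output of the same fixed length</font>
    - Can serve as a component of other cryptographic algorithms.
- Pseudorandom Number Generator
    - Uses an algorithm to produce numbers that appear random.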
### Single-Key Cryptographic Algorithms
The transformation depends on a <font class="red">secret key</font>.
- **Single-Key Encryption** Algorithms
    - ≈ **Secret-Key Encryption** Algorithms ≈ **Symmetric** **Encryption** Algorithms
    - Block Cipher
        - Splits the data into blocks of 128 bits.
    - Stream Cipher
        - **Transforms the data using XOR**
        - Disadvantage: less secure
- Message Authentication Code (MAC)
    - A piece of information used for authenticating a message.
### Two-Key Cryptographic Algorithms
The transformation depends on <font class="red">Private Key</font> and <font class="red">Public Key</font>.
≈ **Asymmetric (Cryptographic)** Algorithms ≈ **Public-Key (Cryptographic)** Algorithms
- Private Key
    - Known only to its owner
    - Used for **decrypting** or **signing**
- Public Key
    - Public to everyone
    - Used for **encrypting** or **verifying signatures**
    - Knowing the Public Key, it is still **computationally infeasible** to compute the Private Key
- Types
    - Encryption Algorithms
    - Digital Signature Algorithms
    - Key Exchange Algorithms
    - User Authentication Algorithms

## Network Security
### Communications Security
- Uses security protocols
### Device Security
- Firewall
- Intrusion Detection
- Intrusion Prevention
## Standards
- National Institute of Standards and Technology (NIST)
    - NIST Federal Information Processing Standards (**FIPS**) and Special Publications (**SP**) have a worldwide impact
- Internet Society (ISOC)
    - Internet Engineering Task Force (IETF)
    - Internet Architecture Board (IAB)
    - **Requests for Comments** (RFC)
- ITU Telecommunication Standardization Sector (ITU-T)
    - ITU (The International Telecommunication Union)
- International Organization for Standardization (ISO)