Information Security Alan Song Institute of Technology Management

Presentation on theme: "Information Security Alan Song Institute of Technology Management"— Presentation transcript:

1 Information Security Alan Song Institute of Technology Management
National Chung Hsing University

2 Security Threads 網路安全威脅的主要三個來源 1.外部的駭客 (Hackers)
Password attacks 駭客透過網路登入到未經授權的主機 去竊取資料或破壞 Trap doors 2.惡意的訊息 (Spam mails, virus attached mails) EX. 病毒或垃圾訊息，癱瘓電腦或破壞資料 3.內部惡意的使用者 (Unauthenticated Users) P.355

3 Password Attacks 1.字典攻擊法(Dictionary Attack) 2.猜測攻擊法(Guessing Attack)
使用字典中的單字嘗試 (Exhaustive trials) 2.猜測攻擊法(Guessing Attack) EX. 生日，紀念日 Birthday/Anniversary 3.窮舉攻擊法(Exhaustive Search Attack) 暴力攻擊法 Brute-Force Attack (Try all combinations) 4.重送攻擊法(Replaying Attack) 攔截使用者密碼 (eg. Change the sender IP address) 5.行騙法(Spoofing) 類似金光黨的行騙手法

4 Denial-of-Service Attacks
目前TCP/IP協定上最常見的攻擊方式 Most common way to attack a server. 試圖使系統的工作超過其所能負荷而導致系統癱瘓 Attempt to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. EX. 分散式阻斷服務 Distributed Attack (DDos) 只多個遠端主機在同一時間內傳送許多封包訊息給目標主機，導致主機在短 時間內因收到大量的訊息，超過系統所能負荷而癱瘓 P.348

5 Viruses Attacks Boot sector attack 啟動磁區病毒 Executable file virus 可執行檔病毒
巨集型(Macro)病毒 電腦寄生蟲(Worm) 特洛伊木馬(Trojan Horses) 邏輯炸彈(Logic Bomb) 薩拉米香腸 P.80 P.81

6 Information Security 資訊安全通常注重三類資料 (Three types of data which are of particularly concerned.) 1. 機密資料 (Confidential Data) EG. Military/National Information 2. 敏感資料 (Sensitive Data) EG. Government/Organization/Business 具有敏感性之資料 3. 正確資料 (Integrity Data, All other data) 保護該資料之正確性及有效性，禁止資料被偽造及篡改

7 Functions of an Information Security System
1. Confidentiality 確保資訊的私密性 Data cannot be accessed by unauthorized user. 2. Integrity 資料是否被不當的篡改Make sure that the data is not being modified inappropriately. 3. Non-repudiation 不可否認性，提供資訊傳送來源、接收目的或 交易的證明 a state of affairs where the purported maker of a statement will not be able to successfully challenge the validity of the statement or contract. 4. Audit – Who (Which department) is the owner of a data, who have changed the data, and when and why. Normally, the owner of the data will be responsible for all legal actions if something wrong coming out from the data. P.7-9

8 Technologies for an Information Security System
Access control – Right to access the data, or a system, or an account. The control of access right is based on account name. Authentication – Identify the person who has login the account is really the account owner, but not any hacker who has stolen the password. Digital signature Biometric: Fingerprint, iris, face, palm P.7-9

9 Encryption plaintext -----(Key)------ ciphertext------(Key)  plaintext

10 Encryption 依照金鑰使用數量，分為”對稱式”與”非對稱式” Symmetric Encryption versus Asymmetric Encryption. 對稱式加密Symmetric Encryption : Using the a single key to encrypt and decipher ( so called secret-key ) 非對稱性加密Asymmetric Encryption : Using two different keys(nowadays, public key - private key) to encrypt and decipher.

11 秘密金鑰密碼系統(對稱式) “Secret” Key Cryptosystems (Symmetric)
“If you can keep the secret!” 明文(plain text)資料以秘密金鑰(Secret Key) )加密 轉換成一段亂碼(密文cipher text) Plain text > cipher text Secret key 解密(decryption)使用同一把金鑰把密文轉回明文 (When decrypting, use the same secret key to change cipher text into plain text.)

12 秘密金鑰密碼系統(對稱式) “Secret” Key Cryptosystems (Symmetric)

13 Algorithms for Symmetric Encryptions
DES (Data Encryption Standard) , Triple DES(3DES), AES, RSA, RC2, RC4, RC5, RC6 , Rijndael ….etc.   DES : DES採用56位元的金鑰來對64位元的資料區段進行加密，需經16回合的 運算。 • 主要缺點：56位元的金鑰長度太短，以目前電腦的計算能力，通常只需要花費一 些時 間找出DES金鑰。 3DES :可以反覆使用DES來增加強度，因此Triple DES應運而生。(運算48回合) AES : 多數安全專家認為DES和三重DES不再能滿足安全需要。1997年1月， NIST開始確定接替DES演算法的程式，決定所選的對稱金鑰演算法被稱做高級 加密標準（Advanced Encryption Standard）。 AES為區段式加密技術， 使用的區塊大小為128位元，而金鑰大小為128、192、256位元三種選擇。

14 Comparisons among DES, 3DES, AES
Message Size Key Length Iterations

15 對稱式與非對稱式比較 (Symmetric Versus Asymmetric Encryptions)

16 對稱式與非對稱式比較 (Symmetric Versus Asymmetric Encryptions)

17 數位簽章Digital Signature
P.184 1.發送者(Signer)將所要傳遞的資訊透過 hash function 加密以產生 message digest 2.發送者使用自己的 private key 將 message digest 加密，結果即為 digital signature 3.此時發送者將原始資訊與 digital signature 一起傳送給接收者 4.接收者使用相同的 hash function，計算出原始資訊的 message digest 5..接收者使用發送者的 public key 將 digital signature 解密，取出 message digest 6.比對兩個 message digest，若是相同，則表示資訊來源的確為原始發送者，並沒有被修改過 由上述的說明可知，透過 Digital Signature 的機制，除了可以達到資訊安全中的不可否認性(non-repudiation)外，還可以達到資訊完整性(integrity)的目的。

18 SSL(Secure Sockets Layer)
first the session layer has a handshake using an asymmetric cipher in order to establish cipher settings and a shared key for that session; then the presentation layer encrypts the rest of the communication using a symmetric cipher and that session key. In both models, TLS and SSL work on behalf of the underlying transport layer, whose segments carry encrypted data.

19 SSL(Secure Sockets Layer)
1.SSL Client端發出ClientHello給SSL伺服器端。告知伺服器端本身可實現的算法列表和其他一些需要的資訊。 2.SSL的服務器端在接收ClientHello後會回應一個ServerHello，裡面確定了這次通訊所需要的演算法，並送出伺服器本身的憑證（資訊內包含身分及公鑰）。 3.SSL Client會新增一個秘密金鑰，並利用伺服器傳來的公鑰來加密，而且會回傳加密後的秘密金鑰密文給伺服器。 4.伺服器使用自己的私鑰解開秘密金鑰密文，取得秘密金鑰後，即利用此秘密金鑰來相互通訊。

20 SSL(Secure Sockets Layer)
Secure Sockets Layer (SSL), are cryptographic protocols which are designed to provide communication security over the Internet. Apply both symmetric and asymmetric encryption technologies first the session layer has a handshake using an asymmetric cipher in order to establish cipher settings and a shared key for that session; then the presentation layer encrypts the rest of the communication using a symmetric cipher and that session key. In both models, TLS and SSL work on behalf of the underlying transport layer, whose segments carry encrypted data.

21 SSL(Secure Socket Layer)安全傳輸協定
驗證 (Authentication) ：使用RSA、DSS和X.509憑證等公開金 鑰加密技術 傳輸的機密性 (Confidentiality)：使用IDEA、3DES、RC4 對稱 性加密技術 完整性(Integrity)：使用MD5、SHA等雜湊為基礎的訊息確認碼 (MAC) P.334

22 阻斷服務攻擊Denial-of-Service Attack
目前TCP/IP協定上最常見的攻擊方式 Most common way to attack a server. 試圖使系統的工作超過其所能負荷而導致系統癱瘓 Attempt to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. EX. 分散式阻斷服務 Distributed Attack (DDos) 只多個遠端主機在同一時間內傳送許多封包訊息給目標主機，導致主機在短 時間內因收到大量的訊息，超過系統所能負荷而癱瘓 P.348

23 Types of computer viruses
Boot sector attacks 啟動磁區病毒 Executable file virus 可執行檔病毒 巨集型(Macro)病毒 電腦寄生蟲(Worm) 特洛伊木馬(Trojan Horses) 邏輯炸彈(Logic Bomb) 薩拉米香腸 P.80 P.81

24 網路的安全威脅Network Security
網路安全威脅的主要三個來源 1.外部的駭客 (Hackers) Password attacks 駭客透過網路登入到未經授權的主機 去竊取資料或破壞 Trap doors 2.惡意的訊息 EX. 病毒或垃圾訊息，癱瘓電腦或破壞資料 3.內部惡意的使用者 P.355

25 電腦網路攻擊事件之流程 Access Result Goal Attacker 駭客 間諜 惡意破壞 職業犯罪 Tool 使用者指令
JAVA 套裝軟體 Access 管理疏失 設計疏失 非法使用 非法存取 Result 資料竄改 資料竊取 資料破壞 系統癱瘓 Goal 報復 獲取情報 獲得報酬 成就感 P.356

26 防火牆Firewall 所有從外部進到受保護的內部網路封包稱為”進入封包”(Inbound packet)，反 之，封包由內部網路送到外部網路者稱為”外出封包”(Outbound packet)。 A software or hardware-based network security system that controls the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, 防火牆可以將意圖不軌之封包阻絕在外。 4 ways to control packets.控制封包方式分為四種 1.服務控制(Service control) 2.流向控制(Direction control) 3.使用者控制(User control) 4.行為控制(Behavior control) P.360 In simple terms, a firewall serves two primary purposes. First, it protects computer systems and networks from malicious activity coming across Internet connections. Second, it also provides computer network administrators with control over the types of communication that can be conducted over Internet connections within a specific computer network.

27 Types Software firewalls Hardware firewalls
More common and are often included in operating system software. Filtering rules and other settings are usually controlled through a simple, user- friendly software interface. Hardware firewalls Physical computer components that are connected to computers via Ethernet cables. Hardware firewalls are generally considered to be the most secure types of firewalls available.

28 Avoid Data Lost or Crash: Backup
Entire Backup (Initial Backup) Backup the entire system including database, operating systems and other related application software. Selective Backup Only the changes are backup. Routine (Entire) Backup Backup in a regular basis, eg monthly or yearly. The entire old backup is replaced by the entire new backup.

29 Cloud 雲端 Cloud computing is a phrase used to describe a variety of computing concepts that involve a large number of computers connected through a real-time communication network such as the Internet Cloud computing characteristics Client–server model Mainframe computer Peer-to-peer Cloud gaming SECURE ?