Computer Security: Intro
Bart Jacobs
Institute for Computing and Information Sciences – Digital Security
Radboud University Nijmegen
Version: fall 2011

Outline
• Organisation
• Introduction
• A security protocol example

About this course I
Lectures
• Weekly, 2 hours, Monday early morning
• Presence not compulsory . . .
  • but active attitude expected, when present
• Lectures based on own slides
  • Updated version, slightly different from slides used last year
• Lots of background information available on the web (esp. Wikipedia)
  • Do use such additional sources!
  • Certainly if you do not fully understand things
• Up-to-date info (bookmark; accessible via my webpage) at: www.ru.nl/ds/education/courses/security-2011/
  • Slides will appear there

About this course II
Exercises
• Compulsory, make up half of final mark
• Also weekly meetings, on Thursday mornings
  • Answers, for old exercises
  • Questions, for new ones
• Assistants: Flavio Garcia & Pim Vullers
• You may work in (stable) pairs
• Schedule:
  • New exercise on the web on Monday
  • Next Thursday for questions
  • Next Monday: hand-in, by email
• Exercises URL on lectures page.

About this course III
Some special points
• You can fail this course! (I know, it's extremely unfair)
• 6 ec means 6 × 28 = 168 hours in total
  • Let's say 18 hours for exam
  • 150 hours for 15 weeks means: 10 hours per week!
• Large, mixed audience: computer science, information science, "schakelaars", artificial intelligence, mathematics, . . .
  • Requires some flexibility
  • but computer security is inherently multidisciplinary

About this course IV
Examination
• Final mark is average (each 50%) of:
  • Average of markings of exercises
  • Final, written exam (January)
• Mark of written exam must be at least 5.
• Re-exam of written exam in spring
• If you fail again, you must start all over next year (including re-doing new exercises)

About this course V
Topics
• Basic notions: confidentiality, integrity, availability (jointly known as: CIA of information security)
• Basic techniques: encryption, both symmetric (shared secret key) and asymmetric (public key)
• Basic protocols for achieving security goals
• Basic technologies (PGP, SSL, certificates, etc.)
• Underlying mathematics (cryptography) is used as tool box, not topic of study in itself
  • But very basics are included (substitution, transposition, RSA, El Gamal)

About this course VI
Sensitivity of the topic
• Not everything is publicly known (like e.g. in algebra)
• Some things are simply illegal: don't try this at home!
• Moral compass/fibre/backbone required in this field
• Lectures are deliberately not recorded!
  • some inside stories will be told
  • they can be misinterpreted, out of context

Beyond this course
More about computer security
• There is a lot of interesting reading
  • Historical
  • Military/intelligence
  • Societal (e.g. about privacy)
  • and technical, of course
• Reading a bit more is strongly encouraged
• Many connections with legal issues
  • Esp. information science students are encouraged to follow the "computer law" course in the Law Faculty

Computer security @Nijmegen
Research
• Security important research topic at Nijmegen
• Focus on smart cards, in various forms
• Much theoretical research, e.g. on protocol correctness
• Also many societal issues: involvement with
  • e-voting
  • e-passports and identity cards
  • road pricing
  • bankcards (e.g. EMV issues)
  • e-ticketing
  • smart (electricity) metering
  • electronic patient records
  • cyber security
Teaching
• A special Kerckhoffs master programme
  • Jointly between Nijmegen, Twente and Eindhoven
  • Also open to Math. & AI students

What is computer security about?
Computer Security is about regulating access to (digital) assets
Key issues
• assets: the valuables that need protection
• regulating access: involves
  • identification: who are you? / what are your attributes?
  • authentication: how do you prove this?
  • authorisation: what are you allowed to do?
• Implicitly there is an attacker that is trying to get unintended access
  • Attacker model: what can the bad guys do?

Attacker example
KPMG Amsterdam has a good computer security group
Some time ago, KPMG was approached by a large firm that had its own secure facility, with sensitive and strategic data. It had:
• strong physical & electronic security measures
• strict operational security guidelines
• well-trained staff
KPMG was asked/challenged to try and obtain access, either physically or electronically ("red teaming")
They managed to get in as Santa Claus (an attack known as: Trojaanse Schimmel)

Yes, indeed . . .
Computer security is the nicest part of computer science!

Serious, difficult questions
1 How do you protect against a deliberate, well-motivated, malicious, resourceful, technically competent, intelligent, creative, socially skilful, patient attacker?
2 Assume you think you have such protection, how do you test / verify it?
  • How do you formalise the attacker?
  • How to incorporate out-of-the-box thinking and geeky sick minds into your validation methods?
3 Formalization only makes your assumptions explicit
  • There is no reason an attacker will do what is assumed

Security requires a mix
Protection of digital assets requires a mix of:
• Technical measures
  • Cryptography, as mathematical basis
  • Computers, to run cryptographic algorithms (and to break them)
  • Tamper-resistant/proof hardware
• Organisational measures
  • Examples: chipknip, banking, rocket launch (e.g. from submarine)
  • three B's: burglary, blackmail, bribery
• Legal measures
  • Penal law: computer criminality laws
  • Civil law: user agreements (e.g. for bank/travel cards)

Legal relevance
Important distinction
• Computer science for law (rechtsinformatica)
  • E.g. knowledge representation, formal reasoning
  • Strong AI flavour
• Law for computer science (informaticarecht)
  • The laws governing the use of computers
  • European origins
  • Strongly related to cyber crime
  • Part of penal law (wetboek van strafrecht, Sr)
  • Most relevant here

Computer crime laws, in Dutch
• art. 138a, Sr: computervredebreuk
  No computer intrusion
• art. 139a, Sr: afluisteren
  No eavesdropping (for confidentiality)
• art. 161sexies, Sr: stoornis
  No computer disruption (for hardware and software integrity & availability)
• art. 350a, Sr: wijzigen of vernietigen van opgeslagen gegevens
  No data corruption (for data integrity).

Example legal text snippet
No eavesdropping:
He who, with a technical aid, intentionally taps or records data that is transmitted by means of a public telecommunication network, or by means of peripheral equipment connected to it, and that is not intended for him, not also for him, nor for the person on whose instructions he acts, is punished with imprisonment of at most one year or a fine of the fourth category.