security mindset
play

Security Mindset The adversary will do anything it can to break your - PowerPoint PPT Presentation

Nov 12, 2022 •292 likes •1.07k views

Security Mindset The adversary will do anything it can to break your system It will study your system and purposefully do the worst thing it can Might even disregard its own well being Will attack your implementation and your

  1. Security Mindset • The adversary will do anything it can to break your system • It will study your system and purposefully do the worst thing it can • Might even disregard its own well being • Will attack your implementation and your assumptions

  2. How would you overwhelm my mailbox with letters? How should I or the postal service protect against the attacks you considered?

  3. What would you do after that?

  4. What if you wanted to read my letters — but didn’t want me to know? How should I or the postal service protect against the attacks you considered?

  5. What other “attacks” might you leverage against the postal system?

  6. Adversaries Unlimited resources • Possible adversaries include: • Competitors trying harm you Knows your source • Governments trying to control you code • Criminals who want to use your system for crime • Disgruntled employees (the insider threat ) • Hackers who find it fun to break stuff Destructive with no • Others we didn’t even think of … “real” goals • Assumptions about the adversary are dangerous • Security is very hard

  7. “DARPA Internet Design Goals” Interconnection 1. Failure resilience 2. Multiple types of service 3. Variety of networks 4. Management of resources 5. Cost-effective 6. Low entry-cost 7. Accountability for resources 8. Where is security?

  8. Why did they leave it out? • Designed for connectivity • Network designed with implicit trust • Origin as a small and cooperative network • No “bad” guys (adversaries) • Can’t security be provided at the edge? • Encryption, Authentication etc • End-to-end arguments in system design

  9. Many of you have already noticed some security problems that snuck in to the Internet’s design…

  10. Internet Design Decisions and Security • Connection-less datagram service • (=> can’t verify source, hard to protect bandwidth)

  11. 
 Internet Usage and Security • Anyone can connect (=> ANYONE can connect) • Millions of hosts run nearly identical software (=> single exploit can create epidemic) • Most Internet users know about as much as Senator Stevens aka “the tubes guy” (=> help us all…)

  12. The problem of anyone • The Internet — unlike other systems — allows anyone to use it. • Is this agent (IP address, connection, user) allowed to access this server? • Are they who they say they are? • Is this data from who I think it is from? Has it been read or modified?

  13. Our “Narrow” Focus in Networking • Yes: • Creating a “secure channel” for communication (Part I) • End-to-end • Protecting network resources and limiting connectivity (Part II, III) • Accountability for resources (largely not end-to-end) • No: • Preventing software vulnerabilities & malware, or “social engineering”.

  14. Secure Communication with an Untrusted Infrastructure Bob ISP D ISP B ISP C ISP A Alice

  15. Secure Communication with an Untrusted Infrastructure Mallory Bob ISP D ISP B ISP C ISP A Alice

  16. Secure Communication with an Untrusted Infrastructure ISP D ISP B ISP C ISP A Alice Hello, I’m “Bob”

  17. What do we need for a secure comm channel? • Authentication (Who am I talking to?) • Confidentiality (Is my data hidden?) • Integrity (Has my data been modified?) • Availability (Can I reach the destination?)

  18. When you go to the bank, how do they implement authentication?

  19. When you go to the bank, how do they implement confidentiality?

  20. When you go to the bank, how do they implement integrity?

  21. What is cryptography? "cryptography is about communication in the presence of adversaries." - Ron Rivest “cryptography is using math and other crazy tricks to approximate magic” - Unknown 441 TA

  22. What is cryptography? Mathematical tools to help us build secure communication channels that provide: 1) Authentication 2) Integrity 3) Confidentiality 15-411: security

  23. Cryptography As a Tool • Using cryptography securely is not simple • Designing cryptographic schemes correctly is so hard it’s near impossible. Today we want to give you an idea of what can be done with cryptography. Go talk to Professor Goyal (https://www.cs.cmu.edu/~goyal/) or take a security course if you want to know more about crypto!

  24. The Great Divide Asymmetric Crypto Symmetric Crypto (Public key) (Private key) (E.g., AES) (E.g., RSA) Shared secret between Yes No parties? Speed of crypto Fast Slow operations

  25. Cryptography Overview Symmetric Asymmetric Confidentiality Integrity Authentication

  26. Symmetric Key: Confidentiality K AB K AB E D Plaintext Ciphertext Plaintext

  27. Symmetric Key: Confidentiality One-Time Pad Motivating Example: You and a friend share a key K of L random bits, and want to secretly share message M also L bits long. Scheme: You send her the xor(M,K) and then she “decrypts” using xor(M,K) again. 1) Do you get the right message to your friend? 2) Can an adversary recover the message M? 3) Can adversary recover the key K?

  28. Symmetric Key: Confidentiality One-Time Pad Alice Bob = = Random L-bit key Random L-bit key L-bit Plaintext Random L-bit key = L-bit Ciphertext L-bit Ciphertext Random L-bit key = L-bit Plaintext

  29. Symmetric Key: Confidentiality One-Time Pad SECURE? • Yes! One-time Pad (OTP) is proven “information-theoretically secure” (Claude Shannon, 1949) • Leaks no information about the message other than its length BUT • Assumptions: • Perfectly random one-time pads (keys) • One-time pad at least the length of the message • Can never reuse a one-time pad • Adversary can never know the one-time pad

  30. Symmetric Key: Confidentiality One-Time Pad

  31. Symmetric Key: Confidentiality • All ciphers suffer from assumptions, but one-time pad’s are impractical to maintain • Key is as long at the message • Keys cannot be reused • In practice, ciphers are used that require constant length keys: • We will learn about “Block Ciphers” 
 Ex: DES, AES, Blowfish

  32. Big Idea: Small amount of shared random info and use a deterministic function to generate the rest

  33. Symmetric Key: Confidentiality Block Ciphers Alice Bob Fixed sized block (e.g., 128 bits) Plaintext Block E Ciphertext Block Ciphertext Block Inverse of E D 1-1 function mapping plaintext block to ciphertext block Plaintext Block

  34. Symmetric Key: Confidentiality Block Ciphers

  35. Symmetric Key: Confidentiality Block Ciphers • What if your data is bigger than a block? • Break it into blocks, add padding if necessary Plaintext P 1 P 2 P 3 P 4 P 5 P 6 padding • Now what? • There are several modes of operation

  36. Symmetric Key: Confidentiality Block Ciphers Electronic Code Book ( ECB Mode ) P 1 P 2 P 3 E E E C 1 C 2 C 3 15-411: security

  37. Symmetric Key: Confidentiality Block Ciphers Cipher Block Chaining ( CBC Mode ) P 1 P 2 P 3 Initialization Vector E E E C 1 C 2 C 3 15-411: security

  38. Cryptography Overview Symmetric Asymmetric One-Time Pad Block Ciphers Confidentiality Integrity Authentication 15-411: security

  39. Cryptographic Hash Functions Fixed Size Message of arbitrary length Hash Hash • One-Way ⬥ Given y = H(x) , can’t find x’ s.t. H(x’) = y • Weak Collision Resistance ⬥ Given x , can’t find x’ ≠ x s.t. H(x) = H(x’) • Strong Collision Resistance ⬥ Can’t find x ≠ x’ s.t. H(x) = H(x’)

  40. Symmetric Key: Integrity Hash Message Authentication Code Alice Bob Message Hash MAC Message MAC Message MAC Message Hash MAC’ ? = MAC MAC’

  41. Symmetric Key: Authentication • You already know how to do this! • (Hint: Think how we verified integrity.) I’m Bob Hash MAC • Alice checks the MAC, knows sender is Bob 15-411: security

  42. DONT LOOK AT THE NEXT SLIDE THAT IS CHEATING What is wrong with this algorithm?

  43. Symmetric Key: Authentication SECURE? • What if Mallory overhears the MAC from Bob and replays it later? ISP D ISP B ISP C ISP A Hello, I’m Bob. Here’s the hash to “prove” it A43FF234 15-411: security

  44. Symmetric Key: Authentication • Solution: Use a nonce • Alice sends a random bit string (used only once) to Bob as a “challenge.” Bob Replies with “fresh” MAC. Nonce Bob Alice Nonce Hash B4FE64 K A-B B4FE64 Performs same hash with K A-B and compares results

  45. Symmetric Key: Authentication • Solution: Use a nonce • Alice sends a random bit string (used only once) to Bob as a “challenge.” Bob Replies with “fresh” MAC. Bob Alice Nonce Nonce Nonce Hash MAC MAC MAC Nonce Hash MAC’ ? = MAC MAC’

  46. Symmetric Key: Authentication SECURE? ?!?! Nonce Alice Mallory If Alice sends Mallory a nonce, she cannot compute the corresponding MAC without K A-B

  47. Cryptography Overview Symmetric Asymmetric One-Time Pad Block Ciphers Confidentiality Message Authentication Code Integrity (e.g., HMAC, CBC-MAC) MAC + Nonce Authentication

  48. Asymmetric Key Cryptography K B Bob’s public key K B-1 Bob’s private key The keys are inverses, so: K B-1 ( K B (m) ) = m ■ • Instead of shared keys, each person has a “key pair” K B K B-1 E D Plaintext Ciphertext Plaintext

Recommend

Learning Environment: Mindset Mindset Growth Mindset Fixed Mindset Abili%es mostly innate

Learning Environment: Mindset Mindset Growth Mindset Fixed Mindset Abili%es mostly innate

Crea%ng a Posi%ve Learning Environment: Mindset Mindset Growth Mindset Fixed Mindset Abili%es mostly innate Abili%es can be developed Failure is lack of basic abili%es Requires effort, persistence I must look smart and never Everyone

251 views • 9 slides
Lecture 01 The Security Mindset Stephen Checkoway CS 343 Fall 2020 Adapted from Michael

Lecture 01 The Security Mindset Stephen Checkoway CS 343 Fall 2020 Adapted from Michael

Lecture 01 The Security Mindset Stephen Checkoway CS 343 Fall 2020 Adapted from Michael Baileys ECE 422 About Me Research area: Computer Security Some prior research Voting machine security (change votes) Automotive

505 views • 29 slides
growth mindset culture in school We all need to move away from having a fixed mindset What is

growth mindset culture in school We all need to move away from having a fixed mindset What is

Developing a growth mindset culture in school We all need to move away from having a fixed mindset What is growth mindset? Carol Dweck a Professor of Psychology Growth mindset about cognition about enjoying learning and

621 views • 33 slides
EVALUATING START-UP IDEAS MINDSET MINDSET DEFINE PURPOSE MINDSET AVOID TUNNEL VISION MINDSET

EVALUATING START-UP IDEAS MINDSET MINDSET DEFINE PURPOSE MINDSET AVOID TUNNEL VISION MINDSET

EVALUATING START-UP IDEAS MINDSET MINDSET DEFINE PURPOSE MINDSET AVOID TUNNEL VISION MINDSET STAY HIGH LEVEL MARKET MARKET MARKET SIZE & OPPORTUNITY SIZE MARKET UNIQUE SELLING PROPOSITION MARKET DEFENSIBLE POSITION MARKET

593 views • 38 slides
Lecture 01 The Security Mindset Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 01 The Security Mindset Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 01 The Security Mindset Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Adapted from Michael Baileys ECE 422 About Me 2012 Ph.D. from UC San Diego in CS 20122015 Assistant Research Professor

417 views • 29 slides
Mindset-shifts? How does change emerge? Ole Fogh Kirkeby 2012 Mindset-shifts Is a mindset a

Mindset-shifts? How does change emerge? Ole Fogh Kirkeby 2012 Mindset-shifts Is a mindset a

Mindset-shifts? How does change emerge? Ole Fogh Kirkeby 2012 Mindset-shifts Is a mindset a closed set of existential questions and answers at the common sense level? Questions: What is a human being? What is childhood? What is gender? What

254 views • 12 slides
Psychology - Mindset Gavin Carvalho What is a mindset? What does Self-belief and Action

Psychology - Mindset Gavin Carvalho What is a mindset? What does Self-belief and Action

Psychology - Mindset Gavin Carvalho What is a mindset? What does Self-belief and Action it influence? Optimism and Perspective Growth Mindset vs Fixed Can Mindsets Change? Mindset How to Change Mindsets? What

338 views • 17 slides
Developing a growth mindset culture We all need to move away from having a fixed mindset What

Developing a growth mindset culture We all need to move away from having a fixed mindset What

Developing a growth mindset culture We all need to move away from having a fixed mindset What is growth mindset? The power of yet Your brain is like a muscle When you train your muscles, the muscles will change based on the amount of

462 views • 29 slides
Growth Mindset rowth Mindset and B and Brene Brown rene Brown Today, I want to talk about

Growth Mindset rowth Mindset and B and Brene Brown rene Brown Today, I want to talk about

Growth Mindset rowth Mindset and B and Brene Brown rene Brown Today, I want to talk about Growth Mindset which is groundbreaking research in education. Carol Dweck has done major research in Growth Mindset. Let me start by sharing her

141 views • 12 slides
GRAD SEC A WHIRLWIND TOUR CMSC 818O AUG 31 2017 TODAYS PAPERS THE SECURITY MINDSET To

GRAD SEC A WHIRLWIND TOUR CMSC 818O AUG 31 2017 TODAYS PAPERS THE SECURITY MINDSET To

GRAD SEC A WHIRLWIND TOUR CMSC 818O AUG 31 2017 TODAYS PAPERS THE SECURITY MINDSET To anticipate attackers we must be able to think like attackers + = Proof of ownership Uniquely identifiable liquid What would an attacker do?

633 views • 37 slides
A Torahs Take on Mindset RABBI PHILIP MOSKOWITZ The Fixed Mindset For twenty years, my

A Torahs Take on Mindset RABBI PHILIP MOSKOWITZ The Fixed Mindset For twenty years, my

A Torahs Take on Mindset RABBI PHILIP MOSKOWITZ The Fixed Mindset For twenty years, my research has shown that the view you adopt for yourself profoundly affects the way you lead your life. It can determine whether you become the person

767 views • 24 slides
THE NEUROSCIENCE OF HIGH PERFORMANCE MINDSET AGENDA Mindset and its impact on energy

THE NEUROSCIENCE OF HIGH PERFORMANCE MINDSET AGENDA Mindset and its impact on energy

Financial Executive Women April 2018 THE NEUROSCIENCE OF HIGH PERFORMANCE MINDSET AGENDA Mindset and its impact on energy and performance Neuroscience of stress Personal accountability Understand your limiting beliefs and

739 views • 14 slides
INTRODUCTION COMPUTER & NETWORK SECURITY CMSC 414 JAN 25 2018 TODAY What is

INTRODUCTION COMPUTER & NETWORK SECURITY CMSC 414 JAN 25 2018 TODAY What is

INTRODUCTION COMPUTER & NETWORK SECURITY CMSC 414 JAN 25 2018 TODAY What is security? Why is it so hard to achieve? Administrative The security mindset Analyzing a systems security 1. Summarize the system 2.

801 views • 43 slides
Parenting From a Growth Mindset 1 W O R K S H O P W I T H A H A P A R E N T S J O E B

Parenting From a Growth Mindset 1 W O R K S H O P W I T H A H A P A R E N T S J O E B

Parenting From a Growth Mindset 1 W O R K S H O P W I T H A H A P A R E N T S J O E B O N I T O O C T O B E R 2 0 , 2 0 1 4 Objectives (& Hopes ) 2 Provide an initial awareness of Growth Mindset Focus on how to

259 views • 24 slides
NOT BY THEIR INNATE ABILITY, BUT BY THEIR MINDSET. NEURON DEVELOPMENT Think about the last time

NOT BY THEIR INNATE ABILITY, BUT BY THEIR MINDSET. NEURON DEVELOPMENT Think about the last time

MINDSET The work of Carol Dweck MOST PEOPLE ARE HELD BACK NOT BY THEIR INNATE ABILITY, BUT BY THEIR MINDSET. NEURON DEVELOPMENT Think about the last time you had a major setback, failure or rejection in your life. Did you hear the fixed

199 views • 17 slides
GROWTH MINDSET Its not always the people who start out the smartest who end up the smartest. -

GROWTH MINDSET Its not always the people who start out the smartest who end up the smartest. -

FIXED MINDSET VS. GROWTH MINDSET Its not always the people who start out the smartest who end up the smartest. - Alfred Binet, inventor of the IQ test Presented by: Laurie Brown and Michelle Rhodes Agree or Disagree? Look at the following

534 views • 35 slides
CS 642: Midterm 1 Review Questions and General Study Pointers March 2020 1 Threat Modeling,

CS 642: Midterm 1 Review Questions and General Study Pointers March 2020 1 Threat Modeling,

CS 642: Midterm 1 Review Questions and General Study Pointers March 2020 1 Threat Modeling, Security Mindset Review the security mindset, and practice threat modeling on a few example websites. Also, review the various types of attacker models

401 views • 3 slides
growth mindset in ourselves and our teams Charlie Warshawski Think of as many different uses

growth mindset in ourselves and our teams Charlie Warshawski Think of as many different uses

Developing a growth mindset in ourselves and our teams Charlie Warshawski Think of as many different uses for. A chair A cup www.loveyourcoaching.com Understand Mindset motivation theory Outcomes Understand associated theories

610 views • 31 slides
a Way to Growth Mindset and Self-Confidence Makke Leppnen I am an expert in motivational

a Way to Growth Mindset and Self-Confidence Makke Leppnen I am an expert in motivational

Gamification: a Way to Growth Mindset and Self-Confidence Makke Leppnen I am an expert in motivational psychology and an author. With 20 years of experience, I am one of the leading experts in Finland in the field of future skills, mindset,

346 views • 21 slides
Growth Mindset Intentional changes that can unlock your potential! Essential Questions 1.) What

Growth Mindset Intentional changes that can unlock your potential! Essential Questions 1.) What

Growth Mindset Intentional changes that can unlock your potential! Essential Questions 1.) What is growth mindset? 2.) How does it apply to me and my students? 3.) Why should I care? 4 Quadrants Activity Passions Goals and Dreams What are

1.02k views • 12 slides
Superintendent Kankakee School District 111 Woman in the Mirror Mindset, Purpose and Courage to

Superintendent Kankakee School District 111 Woman in the Mirror Mindset, Purpose and Courage to

Dr. Genevra Walters Superintendent Kankakee School District 111 Woman in the Mirror Mindset, Purpose and Courage to Lead Mindset Abilities can be developed through dedication and hard work. This view develops a love of learning

1.08k views • 80 slides
8/24/2017 Transforming Challenging Behavior Through Leadership of Your Program Mindset, Play and

8/24/2017 Transforming Challenging Behavior Through Leadership of Your Program Mindset, Play and

8/24/2017 Transforming Challenging Behavior Through Leadership of Your Program Mindset, Play and Theater Techniques Barb ONeill, Ed.D. www.transformchallengingbehavior.com 1 8/24/2017 What youll learn in this webinar a mindset

547 views • 25 slides
I Came Here To Play Football and Other Reasons Why/How to Teach Mindset and Grit to

I Came Here To Play Football and Other Reasons Why/How to Teach Mindset and Grit to

I Came Here To Play Football and Other Reasons Why/How to Teach Mindset and Grit to Student-Athletes Barbara Boyette, FYE 2016 Agenda General student- athletes characteristics Overview of Mindset and Grit Teaching in the

705 views • 46 slides
AGENDA A Business Perspective What is a Systems Mindset? Elements of Business

AGENDA A Business Perspective What is a Systems Mindset? Elements of Business

12/5/2018 SYSTEMS MINDSETS as Business Solutions for ECE Program Leaders Lauren M. Small, MBA O UR C OMPANY Systems Mindset AGENDA A Business Perspective What is a Systems Mindset? Elements of Business Management

323 views • 20 slides

More recommend