Information Security: Principles and Practice, 2nd Edition Mark Stamp Taking a practical approach to information security by focusing on real-world. Information Security: Principles and Practice. Author(s). Mark Stamp. First published:9 September Print ISBN |Online. Information Security Principles and Practice Mark Stamp - Download as PDF File .pdf), Text File .txt) or read online.
|Language:||English, Spanish, Portuguese|
|Genre:||Science & Research|
|ePub File Size:||15.64 MB|
|PDF File Size:||9.21 MB|
|Distribution:||Free* [*Regsitration Required]|
caite.info Library of Congress Cataloging-in-Publication Data: Stamp, Mark. Information security: principles and practice / Mark Stamp. p. cm. Includes. For more information about Wiley products, visit our web site at caite.info Library of Congress Cataloging-in-Publication Data: Stamp, Mark. Information. Information Security: Principles and Practice, Second Edition. Author(s). Mark Stamp. First published April Print ISBN |Online.
Suppose the key consists of the following seven bytes: At the time, the computer revolution was underway, and the amount—and sensitivity—of digital data was rapidly increasing. If both types of information are stored on a single system, how can we enforce such restrictions? Discuss one security problem this creates if CTR mode is used. Today, it is often claimed that most malware is written for profit.
Taking a practical approach to information security by focusing on real-world examples, this book is organized around four major themes: In addition to his experience gained in private industry and academia, Dr. Stamp has seven years' experience working as a cryptanalyst at the U. National Security Agency. He has written dozens of academic papers and two books on the topic of information security.
Permissions Request permission to reuse content from this site. Table of contents Preface. About The Author. I Crypto. II Access Control. III Protocols. IV Software. Network Security Basics.
In addition to his experience gained in private industry and academia, Dr. Stamp has seven years' experience working as a cryptanalyst at the U. National Security Agency. Free Access.
Summary PDF Request permissions. Tools Get online access For authors. Email or Customer ID. Forgot password?
Old Password. New Password. Your password has been changed. Since firewalls act as a form of access control for the network, we stretch the usual definition of access control to include firewalls. Regardless of the type of access control employed, attacks are bound to occur.
An intrusion detection system IDS is designed to detect attacks in progress. So we include a brief discussion of IDS techniques after our discussion of firewalls. First, we consider the general problem of authentication over a network. Many examples will be provided, each of which illustrates a particular security pitfall.
For example, replay is a critical problem, and so we must consider effective ways to prevent such attacks. Cryptography will prove essential in authentication protocols. We'll give example of protocols that use symmetric cryptography, as well as examples that rely on public key cryptography. Hash functions also have an important role to play in security protocols. Our study of simple authentication protocols will illustrate some of the subtleties that can arise in the field of security protocols.
A seemingly in- significant change to a protocol can completely change its security. We'll also highlight several specific techniques that are commonly used in real-world security protocols. Then we'll move on to study several real-world security protocols.
SSL is an elegant and efficient protocol. We'll also discuss IPSec, which is another Internet security protocol. Apparently due to its complexity, some fairly significant security issues are present in IPSec—despite a lengthy and open development process. Another real-world protocol that we'll consider is Kerberos, which is an authentication system based on symmetric cryptography. Both of these protocols have many security flaws, including problems with the un- derlying cryptography and issues with the protocols themselves, which make them interesting case studies.
This is a huge topic, and in three chapters we barely do more than scratch the surface. For starters, we'll discuss security flaws and malware, which were mentioned above. We'll also consider software reverse engineering, which illustrates how a dedicated attacker can deconstruct software, even without access to the source code. We then apply our newfound hacker's knowledge to the problem of digital rights management, which provides a good example of the limits of security in software, particularly when that software executes in a hostile environment.
Our final software-related topic is operating systems OSs. The OS is the arbiter of many security operations, so it's important to understand how the OS enforces security. We also consider the requirements of a so-called trusted OS, where "trusted" means that we can have confidence that the OS is performing properly, even when under attack. With this background in hand, we consider a recent attempt by Microsoft to develop a trusted OS for the PC platform.
For example, suppose that Bob wants to purchase an item from amazon.
Access control issues arise in such a transaction Part II , and all of these security mechanisms are enforced in software Part IV. So far, so good. However, we'll see in Chapter 10 that a practical attack on this transaction that will cause Bob's Web browser to issue a warning. If Bob heeds the warning, no attack will occur.
Unfortunately, if Bob is a typical user, he will ignore the warning, which has the effect of negating this sophisticated security scheme. That is, the security can be broken due to user error, despite the fact To take just one more example, consider passwords.
Users want to choose easy to remember passwords, but this also makes it easier for Trudy to guess passwords—as discussed in Chapter 7. A possible solution is to assign strong passwords to users. However, this is generally a bad idea since it is likely to result in passwords being written down and posted in prominent locations, likely making the system less secure than if users were allowed to choose their own weaker passwords.
As mentioned above, the primary focus of this book is on understanding security mechanisms—the nuts and bolts of security.
Yet in several places throughout the book, various "people problems" arise. It would be possible to write an entire volume on this single topic, but the bottom line is that, from a security perspective, the best solution is to remove the humans from the equation as much as possible. In fact, we will see some specific examples of this as well. For more information on the role that humans play in information security, a good source is Ross Anderson's book .
Anderson's book is filled with case studies of security failures, many of which have at least one of their roots somewhere in human nature. While theory certainly has its place, in your opinionated author's opinion, many aspects of information security are not yet ripe for a meaningful theoretical treatment. But even the more theoretical se- curity topics can be understood without getting deeply into the theory. For example, cryptography can be and often is taught from a highly mathemat- ical perspective.
However, with rare exception, a little elementary math is all that is needed to understand important cryptographic principles. Your practical author has consciously tried to keep the focus on practical issues, but at a deep enough level to give the reader some understanding of— and appreciation for—the underlying concepts. The goal is to get into some depth without overwhelming the reader with trivial details.
Admittedly, this is a delicate balancing act and, no doubt, many will disagree that a proper balance has been struck here or there. In any case, the book touches on a large number of security issues related to a wide variety of fundamental principles, 9 To take but one example, consider the infamous buffer overflow attack, which is certainly the most serious software security flaw of all time see Section What is the grand theory behind this particular exploit?
There isn't any—it's simply due to a quirk in the way that memory is laid out in modern processors. For those who yearn for a more theoretical treatment of the subject, Bishop's book  is the obvious choice. The problem is expecting otherwise and thinking that having problems is a problem. Rubin 1. Among the fundamental challenges in information security are confi- dentiality, integrity, and availability, or CIA.
Define each of these terms: Give a concrete example where confidentiality is more important than integrity. Give a concrete example where integrity is more important than confidentiality. Give a concrete example where availability is the overriding con- cern.
From a bank's perspective, which is usually more important, the in- tegrity of its customer's data or the confidentiality of the data? From the perspective of the bank's customers, which is more important? Players, who pay a monthly fee, log into AOC where they are matched with another player of comparable ability.
Where and why is confidentiality important for AOC and its customers? Why is integrity necessary? Why is availability an important concern? Where should cryptography be used in AOC? Where should access control used? Where would security protocols be used? Is software security a concern for AOC? Why or why not? Some authors distinguish between secrecy, privacy, and confidentiality. In this usage, secrecy is equivalent to our use of the term confidentiality, whereas privacy is secrecy applied to personal data, and confidentiality in this misguided sense refers to an obligation not to divulge certain information.
Discuss a real-world situation where privacy is an important secu- rity issue. Discuss a real-world situation where confidentiality in this incor- rect sense is a critical security issue. RFID tags are extremely small devices capable of broadcasting a num- ber over the air that can be read by a nearby sensor. RFID tags are used for tracking inventory, and they have many other potential uses. For example, RFID tags are used in passports and it has been suggested that they should be put into paper money to prevent counterfeiting.
In the future, a person might be surrounded by a cloud of RFID numbers that would provide a great deal of information about the person. Discuss some privacy concerns related to the widespread use of RFID tags. Discuss security issues, other than privacy, that might arise due to the widespread use of RFID tags. Cryptography is sometimes said to be brittle, in the sense that it can be very strong, but when it breaks, it generally completely shat- ters.
In contrast, some security features can "bend" without breaking completely—security may be lost as a result of the bending, but some useful level of security remains. Other than cryptography, give an example where security is brittle.
Provide an example where security is not brittle, that is, the secu- rity can bend without completely breaking. Read Diffie and Hellman's classic paper . Briefly summarize the paper. Diffie and Hellman give a system for distributing keys over an insecure channel see Section 3 of the paper.
How does this system work? Diffie and Hellman also conjecture that a "one way compiler" might be used to construct a public key cryptosystem.
Do you believe this is a plausible approach? Draw a diagram illustrating the inner workings of the Enigma.
The Enigma was broken by the Allies and intelligence gained from Enigma intercepts was invaluable. The cipher was broken by the Allies and intel- ligence gained from Enigma messages proved invaluable.
At first, the Allies were very careful when using the information gained from broken Enigma messages—sometimes the Allies did not use information that could have given them an advantage.
Later in the war, however, the Allies in particular, the Americans were much less careful, and they tended to use virtually all information obtained from broken Enigma messages. The Allies were cautious about using information gained from bro- ken Enigma messages for fear that the Germans would realize the cipher was broken. Discuss two different approaches that the Ger- mans might have taken if they had realized that the Enigma was broken.
At some point in the war, it should have become obvious to the Germans that the Enigma was broken, yet the Enigma was used until the end of the war. Why did the Nazis continue to use the Enigma? When you want to authenticate yourself to your computer, most likely you type in your username and password. The username is considered public knowledge, so it is the password that authenticates you. Your password is something you know. It is also possible to authenticate based on something you are, that is, a physical characteristic.
Such a characteristic is known as a biometrie. Give an example of biometric-based authentication. It is also possible to authenticate based on something you have, that is, something in your possession. Give an example of authen- tication based on something you have. Two-factor authentication requires that two of the three authenti- cation methods something you know, something you have, some- thing you are be used. Give an example from everyday life where two-factor authentication is used.
Which two of the three are used? Suppose that a particular security protocol is well designed and secure. However, there is a fairly common situation where insufficient informa- tion is available to complete the security protocol.
In such cases, the protocol fails and, ideally, a transaction between the participants, say, Alice and Bob, should not be allowed to occur. However, in the real world, protocol designers must decide how to handle cases where pro- tocols fail. As a practical matter, both security and convenience must be considered. Comment on the relative merits of each of the follow- ing solutions to protocol failure.
Be sure to consider both the relative security and user-friendliness of each. When the protocol fails, a brief warning is given to Alice and Bob, but the transaction continues as if the protocol had succeeded, without any intervention required from either Alice or Bob. When the protocol fails, a warning is given to Alice and she decides by clicking a checkbox whether the transaction should continue or not.
When the protocol fails, a notification is given to Alice and Bob and the transaction terminates. When the protocol fails, the transaction terminates with no expla- nation given to Alice or Bob.
Automatic teller machines ATMs are an interesting case study in secu- rity. Anderson  claims that when ATMs were first developed, most However, most real-world at- tacks on ATMs have been decidedly low tech. Examples of high-tech attacks on ATMs would be breaking the encryption or authentication protocol. If possible, find a real-world case where a high-tech attack on an ATM has actually occurred and provide the details.
Shoulder surfing is an example of a low-tech attack. Give another example of a low-tech attack on an ATM that has actually occurred. Large and complex software systems invariably have a large number of bugs.
For honest users, such as Alice and Bob, buggy software is certainly annoying but why is it a security issue? Why does Trudy love buggy software? In general terms, how might Trudy use bugs in software to break the security of a system? Malware is software that is intentionally malicious, in the sense that it is designed to do damage or break the security of a system. Malware comes in many familiar varieties, including viruses, worms, and Trojans.
Has your computer ever been infected with malware? If so, what did the malware do and how did you get rid of the problem? If not, why have you been so lucky? In the past, most malware was designed to annoy users. Today, it is often claimed that most malware is written for profit. How could malware possibly be profitable? In the movie Office Space , software developers attempt to modify company software so that for each financial transaction, any leftover fraction of a cent goes to the developers, instead of going to the com- pany.
The idea is that for any particular transaction, nobody will notice the missing fraction of a cent, but over time the developers will accu- mulate a large sum of money. This type of attack is sometimes known as a salami attack.
Find a real-world example of a salami attack. In the movie, the salami attack fails. Some commercial software is closed source, meaning that the source code is not available to users. On the other hand, some software is open source, meaning that the source code is available to users.
Give an example of software that you use or have used that is closed source. Give an example of software that you use or have used that is open source.
For open source software, what can Trudy do to search for security flaws in the software? For closed source software, what can Trudy do to search for secu- rity flaws in the software? For open source software, what can Alice do to make the software more secure? For closed source software, what can Alice do to make the software more secure? Which is inherently more secure, open source software or closed source software? It's sometimes said that complexity is the enemy of security.
Give an example of commercial software to which this statement applies, that is, find an example of software that is large and com- plex and has had significant security problems.
Find an example of a security protocol to which this statement applies. Then the author would make more money off of each copy sold than he currently does10 and people who purchase the book would save a lot of money.
What are the security issues related to the sale of an online book? How could you make the selling of an online book more secure, from the copyright holder's perspective? How secure is your approach in part b? What are some possible attacks on your proposed system? The PowerPoint slides at  describe a security class project where students successfully hacked the Boston subway system.
Summarize each of the various attacks. What was the crucial vulnerability that enabled each attack to succeed? The students planned to give a presentation at the self-proclaimed "hacker's convention," Defcon 16 , where they would have pre- sented the PowerPoint slides now available at .
At the re- quest of the Boston transit authority, a judge issued a temporary restraining order since lifted that prevented the students from talking about their work.
Do you think this was justified, based on the material in the slides? What are war dialing and war driving? What is war carting?
Comment on the production quality of the "melodramatic video about the warcart" a link to the video can be found at . Part I Crypto These characters, as any one might readily guess, form a cipher—that is to say, they convey a meaning This discussion will lay the foundation for the remaining crypto chapters which, in turn, underpin much of the material throughout the book.
We'll avoid mathematical rigor as much as possible. Nevertheless, there is enough detail here so that you will not only understand the "what" but you will also have some appreciation for the "why. A cipher or cryptosystem is used to encrypt data.
The original unen- crypted data is known as plaintext, and the result of encryption is ciphertext. We decrypt the ciphertext to recover the original plaintext. A key is used to configure a cryptosystem for encryption and decryption. In a symmetric cipher, the same key is used to encrypt and to decrypt, as illustrated by the black box cryptosystem in Figure 2.
Since different keys are used, it's possible to make the encryption key public—thus the name public key. In symmetric key crypto, the key is known as a symmetric key. We'll avoid the ambiguous term secret key. That is, even if the attacker, Trudy, has complete knowledge of the algorithms used and lots of other information to be made more precise later , she can't recover the plaintext without the key.
That's the goal, although reality sometimes differs. This is known as Kerckhoffs' Principle, which, believe it or not, was named after a guy named Kerckhoffs. In the year , Kerckhoffs, a Dutch linguist and cryptographer, laid out six principles of cipher design and use . The principle that now bears his name states that a cipher "must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience" , that is, the design of the cipher is not secret.
What is the point of Kerckhoffs' Principle? After all, it must certainly be more difficult for Trudy to attack a cryptosystem if she doesn't know how the cipher works. So, why would we want to make Trudy's life easier? There are at least a couple of problems with relying on a secret design for your security.
For one, the details of "secret" cryptosystems seldom, if ever, remain secret for long. Reverse engineering can be used to recover algorithms from software, and even algorithms embedded in tamper-resistant hardware are sometimes subject to reverse engineering attacks and exposure. And, even more worrisome is the fact that secret crypto-algorithms have a long history of failing to be secure once the algorithms have been exposed to public scrutiny—see  for a relatively recent example where Microsoft violated Kerckhoffs' Principle.
Cryptographers will not deem a crypto-algorithm worthy of use until it has withstood extensive public analysis by many cryptographers over an extended period of time. The bottom line is that any cryptosystem that does not satisfy Kerckhoffs' Principle is suspect.
In other words, ciphers are presumed guilty until "proven" innocent. Kerckhoffs' Principle is often extended to cover various aspects of security well beyond cryptography. In other contexts, this basic principle is usually taken to mean that the security design itself is open to public scrutiny.
The belief is that "more eyeballs" are more likely to expose more security flaws and therefore ultimately result in a system that is more secure. Although Kerckhoffs' Principle in both its narrow crypto form and in a broader con- text seems to be universally accepted in principle, there are many real-world temptations to violate this fundamental tenet, almost invariably with dis- astrous consequences.
Throughout this book we'll see several examples of security failures that were directly caused by a failure to heed the venerable Mr.
In the next section, we look briefly at a few classic cryptosystems. Al- though the history of crypto is a fascinating topic , the purpose of this material is to provide an elementary introduction to some of the crucial con- cepts that arise in modern cryptography. In other words, pay attention since we will see all of these concepts again in the next couple of chapters and in many cases, in later chapters as well.
First on our agenda is the simple substitution, which is one of the oldest cipher systems—dating back at least 2, years—and one that is good for illustrating some basic attacks. We then turn our attention to a type of double transposition cipher, which includes important concepts that are used in modern ciphers.
We also discuss classic codebooks, since many modern ciphers can be viewed as the "electronic" equivalent of codebooks. Finally, we consider the so-called one- time pad, a practical cipher that is provably secure. No other cipher in this book or in common use is provably secure.
In the simplest case, the message is encrypted by substituting the letter of the alphabet n places ahead of the current letter. In this example, the key could be given succinctly as "3" since the amount of the shift is, in effect, the key. Using the key 3, we can encrypt the plaintext message fourscoreandsevenyearsago by looking up each plaintext letter in the table above and then substituting the corresponding letter in the ciphertext row, or by simply replacing each letter by the letter that is three positions ahead of it in the alphabet.
For the particular plaintext in 2. To decrypt this simple substitution, we look up the ciphertext letter in the ciphertext row and replace it with the corresponding letter in the plaintext row, or we can shift each ciphertext letter backward by three.
The simple substitution with a shift of three is known as the Caesar's cipher. Then she can try each of the 26 possible keys, "decrypting" the message with each putative key and checking whether the resulting putative plaintext makes sense. If the message really was encrypted via a shift by n, Trudy can expect to find the true plaintext—and thereby recover the key— after 13 tries, on average.
This brute force attack is something that Trudy can always attempt. Pro- vided that Trudy has enough time and resources, she will eventually stumble across the correct key and break the message. This most elementary of all crypto attacks is known as an exhaustive key search.
Since this attack is always an option, it's necessary although far from sufficient that the num- ber of possible keys be too large for Trudy to simply try them all in any reasonable amount of time.
How large of a keyspace is large enough? Suppose Trudy has a fast com- puter or group of computers that's able to test keys each second. For modern symmetric ciphers, the key is typically bits or more, giving a keyspace of size 2 or more.