Network Security and Surveillance
G. Sivakumar
Computer Science and Engineering IIT Bombay
siva@iitb.ac.in
October 14, 2005
1 Internet Security Overview Some Puzzles
2 Defence: Cryptography
3 Offence: RFIDs and Surveillance
Internet’s Growth and Charter
Information AnyTime, AnyWhere, AnyForm, AnyDevice, ...
WebTone like DialTone
Internet’s Dream
Why should a fridge be on Internet?
Will security considerations make this a nightmare?
What are Cyber crimes?
Against People
Cyber Stalking and Harassment
(Child) Pornography
Against Property
Cracking
Virus and Spam
Software/Entertainment Piracy
Cyber Terrorism!
Security Concerns
Match the following!
Problems                      Attackers
Highly contagious viruses     Unintended blunders
Defacing web pages            Disgruntled employees or customers
Credit card number theft      Organized crime
On-line scams                 Foreign espionage agents
Intellectual property theft   Hackers driven by technical challenge
Wiping out data               Petty criminals
Denial of service             Organized terror groups
Spam E-mails                  Information warfare
Reading private files         ...
Surveillance                  ...
Crackers vs. Hackers
Note how many resources are available to attackers.
Cyber Terrorism?
Some examples from http://cybercrimes.net/
1989: Legion of Doom group took over the BellSouth telephone system, tapped phone lines, re-routed calls, ...
1996: A white supremacist movement took out a Massachusetts internet service provider
1997: A cracker disabled the computer system of an airport control tower at the Worcester, Mass. Airport.
1997: A hacker in Sweden jammed the 911 emergency telephone system all throughout west-central Florida.
1998: NASA, Navy, and Defence Department computers were attacked.
2000: In Maroochy Shire, Australia, a disgruntled consultant hacked into a waste management control system and released millions of gallons of raw sewage on the town.
2001: Two post-graduate students cracked a bank system used by banks and credit card companies to secure the personal identification numbers of their customers' accounts. [38]
Emergency Response: http://www.cert-in.org.in/
Internet Attacks Timeline
From training material at http://www.cert-in.org.in/
Internet Attack Trends
From training material at http://www.cert-in.org.in/
Indian IT Act 2000
Basic Legal Framework
Electronic documents, signatures as evidence
Cyber Crimes & Punishments
Secn 43: Damage to Computers/Network
Secn 65: Tampering source code
Secn 66: “Hacking” (cracking)
Secn 67: Obscenity (bazee.com!)
Secn 69: Interception
Several Initiatives (PKI, CERT-IN, Cyber cells, ...)
Vulnerabilities
Application Security
Buggy code
Buffer Overflows
Host Security
Server side (multi-user/application)
Client side (virus)
Transmission Security
Denial of Service
Small shop-owner versus Supermarket
What can the attacker do?
What has he gained or compromised?
What defence mechanisms are possible?
Screening visitors using guards (who looks respectable?)
VVIP security, but do you want to be isolated?
What is the Internet equivalent?
Security Requirements
Informal statements (formal is much harder)
Confidentiality: Protection from disclosure to unauthorized persons.
Integrity: Assurance that information has not been modified without authorization.
Authentication: Assurance of identity of originator of information.
Non-Repudiation: Originator cannot deny sending the message.
Availability: Protection from not being able to use system or communicate when desired.
Anonymity/Pseudonymity: For applications like voting, instructor evaluation.
Traffic Analysis: Outsiders should not even know who is communicating with whom. Why?
Emerging Applications: Online Voting, Auctions (more later)
And all this with postcards (IP datagrams)!
Exchanging Secrets
Goal
A and B to agree on a secret number. But, C can listen to all their conversation.
Solution?
A tells B: I’ll send you 3 numbers. Let’s use their LCM as the key.
Mutual Authentication
Goal
A and B to verify that both know the same secret number. No third party (intruder or umpire!)
Solution?
A tells B: I’ll tell you first 2 digits, you tell me the last two...
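Added example, not from the slides: the "first 2 digits / last 2 digits" proposal next to a nonce-based challenge-response exchange built on HMAC-SHA256. The function names, message layout and role labels are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def naive_wire(secret: str):
    """The slide's proposal: A says the first two digits, B the last two.
    The return value is everything a listener C hears."""
    return [secret[:2], secret[2:]]

def proof(secret: bytes, role: bytes, nonces: bytes) -> bytes:
    # The role label ("A" or "B") stops one side's proof from being
    # reflected back at it as if it came from the other side.
    return hmac.new(secret, role + nonces, hashlib.sha256).digest()

def mutual_auth(secret_a: bytes, secret_b: bytes):
    """Run the exchange between A (holding secret_a) and B (holding secret_b).
    Returns (a_accepts, b_accepts, wire); wire is all that C can observe."""
    wire = []
    nonce_a = secrets.token_bytes(16)             # A -> B: fresh challenge
    wire.append(nonce_a)
    nonce_b = secrets.token_bytes(16)             # B -> A: challenge + proof
    nonces = nonce_a + nonce_b
    proof_b = proof(secret_b, b"B", nonces)
    wire += [nonce_b, proof_b]
    a_accepts = hmac.compare_digest(proof_b, proof(secret_a, b"B", nonces))
    if not a_accepts:
        return False, False, wire                 # A stops, reveals nothing more
    proof_a = proof(secret_a, b"A", nonces)       # A -> B: proof over same nonces
    wire.append(proof_a)
    b_accepts = hmac.compare_digest(proof_a, proof(secret_b, b"A", nonces))
    return a_accepts, b_accepts, wire

if __name__ == "__main__":
    # Constructed sample values.
    print("naive scheme, heard by C:", naive_wire("4712"))
    key = secrets.token_bytes(32)
    print("same secret:     ", mutual_auth(key, key)[:2])
    print("different secret:", mutual_auth(key, secrets.token_bytes(32))[:2])
```

The exchange never puts the secret or any part of it on the wire, and fresh nonces make a recorded proof useless in a later run. It assumes a high-entropy secret: with a four-digit number a listener could test all 10,000 candidates offline against a recorded proof.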
Cryptography and Data Security
sine qua non [without this nothing :-]
Historically who used first? (L & M)
Code Language in joint families!
Symmetric/Private-Key Algorithms
Asymmetric/Public-Key Algorithms
Keys are duals (lock with one, unlock with other)
Cannot infer one from other easily
How to encrypt? How to sign?
One way Functions
Mathematical Equivalents
Factoring large numbers (product of 2 large primes)
Discrete Logarithms
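Added example, not from the slides: the LCM proposal from the "Exchanging Secrets" puzzle next to Diffie-Hellman key agreement, which rests on the discrete-logarithm one-way function listed above. The prime P, generator G and all function names are assumptions chosen for illustration; P is far too small for real use.

```python
import math
import secrets

# Constructed toy parameters (assumption): small enough to read and test.
# Real deployments use standardized groups of 2048 bits or more.
P = 2_147_483_647    # 2**31 - 1, a prime
G = 7                # a primitive root modulo P

def lcm_key(numbers):
    """The slide's proposal: whoever hears the numbers can compute the key."""
    return math.lcm(*numbers)

def dh_keypair():
    """Choose a private exponent x and publish G^x mod P."""
    private = secrets.randbelow(P - 3) + 2       # 2 <= x <= P - 2
    return private, pow(G, private, P)

def dh_shared(private, peer_public):
    """Both sides reach G^(xy) mod P without ever sending x or y."""
    return pow(peer_public, private, P)

def eavesdropper_bruteforce(public, limit):
    """C's generic option: try exponents 1..limit until G^x matches.
    Cost grows with the exponent space; the forward direction does not."""
    value = 1
    for x in range(1, limit + 1):
        value = value * G % P
        if value == public:
            return x
    return None

def demo():
    heard = [12, 18, 30]                 # constructed numbers sent in the clear
    key_ab, key_c = lcm_key(heard), lcm_key(heard)   # C gets the same key
    a_priv, a_pub = dh_keypair()         # only a_pub and b_pub cross the wire
    b_priv, b_pub = dh_keypair()
    return key_ab, key_c, dh_shared(a_priv, b_pub), dh_shared(b_priv, a_pub)

if __name__ == "__main__":
    print(demo())
```

Plain Diffie-Hellman stops a listener only; an active intruder who can alter messages has to be handled by authenticating the exchange.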
Security Mechanisms
System Security: “Nothing bad happens to my computers and equipment”
virus, trojan-horse, logic/time-bombs, ...
Network Security:
Authentication Mechanisms “you are who you say you are”
Access Control Firewalls, Proxies “who can do what”
Data Security: “for your eyes only”
Encryption, Digests, Signatures, ...
Network Security Mechanism Layers
Cryptographic protocols underlie all security mechanisms. The real challenge is to design good ones for key establishment, mutual authentication, etc.
What is RFID?
Not just super barcode.
Already in use by Andhra Pradesh police?
How RFID works
RFID Tags
Passive
Cheapest: no battery in tag
All power comes from reader
Semi Passive
With batteries
Improved performance and reliability
Increased size and cost
Active
High performance and cost Active
Privacy Concerns
RFID Applications
Payment
Toll collection
Fuel payment (Speedpass)
Parking
Pre-payment card (Dexit)
Supply Chain Mgmt
Logistics
Inventory Mgmt
Asset Tracking
High value assets
Re-useable containers
Shipping containers
Inventory
Access Control
Card Keys
Automotive anti-theft
Anti-theft
Shrinkage
Automotive anti-theft
Track & Trace
Food
Pharmaceuticals
Books
Parts/lots tracking
Apparel