3. General content of the course
Network security
Compliance and Operational Security
Threats and Vulnerabilities
Application, Data and Host security
Access control and Identity Management
Cryptography
10. Availability
Security services.
◦ Availability: keep information ready for use and ensure that systems and networks can be reached whenever they are needed
◦ Security mechanisms (tools):
◦ Physical protections: physical protection of the data store and the facility that houses it
◦ Computational redundancies: duplicate resources so that no single failure takes the service down
◦ Disk redundancies (RAID)
◦ Server redundancies (clusters)
◦ Site redundancies
◦ Backups
◦ Alternate power
◦ Cooling systems
D.SA302 НУУЦЛАЛЫН ПРОТОКОЛУУД (Security Protocols)
11. Balancing CIA
You can never have perfect security
Increasing one item lowers others
Increasing confidentiality generally lowers availability
◦ Example: long, complex passwords that users forget, locking themselves out of the system
13. Non-Repudiation
Prevents entities from denying that they took an action
Examples: signing a home loan, making a credit card purchase
Techniques
◦ Digital signatures
◦ Audit logs
14. Risk – the basics of risk
Risk
◦ The likelihood of a threat exploiting a vulnerability, resulting in a loss
Threat
◦ Any circumstance or event with the potential to harm an information resource by defeating one of its security functions (confidentiality, integrity or availability)
Vulnerability
◦ A weakness in an information asset, or in the controls protecting it, that a threat could exploit to cause that harm
15. Threats and Attacks
Eavesdropping: intercepting information while it is in transit over a communication link, without altering it (a passive attack on confidentiality)
[Figure: Alice sends to Bob while Eve listens on the link]
16. Threats and Attacks
◦ Masquerading: an attacker poses as an authorized user (here, sending as "Alice") to gain access to information; an active attack on authentication
[Figure: a message marked “From: Alice” that really comes from Eve]
17. Threats and Attacks
Repudiation: a party later denies having sent or received data; an attack on accountability rather than on confidentiality.
◦ Countering it requires evidence that a third party can check, such as a digital signature or an audit log (slide 13)
[Figure: public domain image from http://commons.wikimedia.org/wiki/File:Plastic_eraser.jpeg]
21. Authentication Services
Kerberos
◦ Used in Windows Active Directory Domains
◦ Used in UNIX realms
◦ Developed at MIT
◦ Mutual authentication and time-stamped authenticators carried inside encrypted tickets counter man-in-the-middle and replay attacks; this depends on client and server clocks being synchronised (the usual tolerance is five minutes)
22. LDAP (Lightweight Directory Access Protocol)
Formats and methods to query directories
Used by Active Directory
A lightweight derivative of the X.500 Directory Access Protocol (DAP)
LDAP v2 deployments encrypted with LDAP over SSL (LDAPS) on a separate port
LDAP v3 adds the StartTLS extended operation, which upgrades a plain session to TLS on the same port
LDAP uses TCP port 389 (plain or StartTLS) or TCP port 636 (LDAPS); UDP 389 carries only connectionless LDAP (CLDAP), which Active Directory clients use to locate domain controllers
◦ A simple bind over plain port 389 sends the password in cleartext; require TLS (or SASL) for binds
23. IEEE 802.1X
Port-based network access control
◦ The client (supplicant) connects to a physical switch port or to a wireless access point (a logical port); the switch or AP (authenticator) forwards only EAP traffic until authentication succeeds
Secures authentication prior to the client gaining access to a network
Most common on wireless networks
◦ WPA Enterprise or WPA2 Enterprise
Requires a RADIUS (Remote Authentication Dial-in User Service) or other centralized authentication server
24. Remote Access authentication
Clients connect through VPN (Virtual Private Network) or dial-up
A VPN allows a client to access a private network over a public network, usually the Internet
25. Remote Access Authentication Methods
PAP (Password Authentication Protocol)
◦ Passwords sent in cleartext, rarely used
CHAP (Challenge-Handshake Authentication Protocol)
◦ Server sends a random challenge
◦ Client replies with a hash (MD5 in RFC 1994) of the challenge and the shared secret, so the secret itself never crosses the link; a fresh challenge per attempt defeats replay
MS-CHAP
◦ Microsoft's implementation of CHAP
◦ Deprecated: MS-CHAP v1 is obsolete, and MS-CHAPv2 is considered weak and should only be used inside a TLS tunnel such as PEAP, if at all
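The PAP/CHAP contrast above as an added worked example in Python (not code from the slides). Both sides of the CHAP exchange are modelled: the authenticator issues a one-time random challenge, the client answers with MD5(Identifier || secret || Challenge) as in RFC 1994, and the last function shows what an eavesdropper can still do with a captured pair. The shared secret, peer names and word list are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example secret shared between client and server (not from the slides).
SHARED_SECRET = b"correct horse battery staple"


def pap_authenticate_request(peer_id: str, password: bytes) -> dict:
    """PAP (RFC 1334): the Authenticate-Request carries the password itself,
    so anyone who can read the link learns it."""
    return {"peer_id": peer_id, "password": password}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side. Issues a fresh random challenge per attempt; only the
    challenge and the hash cross the link, but the server must hold the
    cleartext secret in order to recompute the hash."""

    def __init__(self, secrets: dict):
        self.secrets = secrets      # peer name -> shared secret
        self.pending = {}           # identifier -> outstanding challenge
        self.identifier = 0

    def challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) % 256
        chal = os.urandom(16)
        self.pending[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, peer_id: str, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)   # each challenge is usable once
        secret = self.secrets.get(peer_id)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time compare


def chap_login(server: ChapAuthenticator, peer_id: str, secret: bytes) -> bool:
    """One full exchange: Challenge -> Response -> Success/Failure."""
    identifier, chal = server.challenge()
    response = chap_response(identifier, secret, chal)
    return server.verify(identifier, peer_id, response)


def chap_replay(server: ChapAuthenticator, peer_id: str, secret: bytes) -> bool:
    """Eve captures one valid (Identifier, Response) pair and resends it.
    The challenge was consumed by the genuine login, so the replay fails."""
    identifier, chal = server.challenge()
    response = chap_response(identifier, secret, chal)
    first = server.verify(identifier, peer_id, response)
    second = server.verify(identifier, peer_id, response)
    return first and second


def chap_offline_guess(identifier: int, challenge: bytes, response: bytes,
                       wordlist) -> Optional[bytes]:
    """What Eve can still do: with a captured challenge/response pair she can test
    candidate secrets offline, so CHAP only protects strong secrets."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    server = ChapAuthenticator({"alice": SHARED_SECRET})
    print("genuine login:", chap_login(server, "alice", SHARED_SECRET))
    print("replayed response:", chap_replay(server, "alice", SHARED_SECRET))
```

The design point is the difference between replay resistance and secrecy: the one-time challenge stops a recorded response from being reused, but nothing stops an offline dictionary attack on a weak secret, which is why CHAP-family protocols are tunnelled inside TLS today.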
27. Remote Access Authentication Methods
RADIUS (Remote Authentication Dial-in User Service)
◦ Central authentication for multiple remote access servers (network access servers, switches, access points)
◦ Hides only the User-Password attribute, by XOR-ing it with an MD5 key stream derived from the shared secret; the rest of the packet, including User-Name, travels in cleartext
◦ Uses UDP (ports 1812 for authentication and 1813 for accounting; legacy deployments use 1645/1646)
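The "encrypts passwords, but not the entire authentication process" point, as an added worked example in Python (not code from the slides). It builds a minimal Access-Request with the RFC 2865 User-Password hiding (section 5.2) and the Response Authenticator (section 3), and shows what an on-path observer sees without the shared secret. The secret, user name and password are constructed for the example.

```python
import hashlib
import os

# Constructed values for the example (not from the slides or any real deployment).
SHARED_SECRET = b"example-nas-secret"
USER_NAME, USER_PASSWORD = 1, 2          # RFC 2865 attribute type numbers
ACCESS_REQUEST = 1                       # RFC 2865 packet code


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16 bytes, then
    c1 = p1 XOR MD5(S || RA) and c_i = p_i XOR MD5(S || c_{i-1})."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the same key stream and strip the NUL padding
    (which is why a password ending in NUL bytes cannot be represented)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return bytes([atype, 2 + len(value)]) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(identifier: int, username: str, password: bytes,
                         secret: bytes) -> tuple:
    """Header: Code(1) Identifier(1) Length(2) Request Authenticator(16), then
    attributes. Returns (packet, request_authenticator)."""
    request_auth = os.urandom(16)
    attrs = attribute(USER_NAME, username.encode()) + attribute(
        USER_PASSWORD, hide_user_password(password, secret, request_auth))
    length = 20 + len(attrs)
    header = bytes([ACCESS_REQUEST, identifier]) + length.to_bytes(2, "big")
    return header + request_auth + attrs, request_auth


def eavesdropper_view(packet: bytes) -> dict:
    """What Eve sees on the wire without the secret: User-Name is plain text;
    only the User-Password value is obscured."""
    attrs = parse_attributes(packet[20:])
    return {"user_name": attrs[USER_NAME].decode(),
            "user_password_hidden": attrs[USER_PASSWORD]}


def server_decode(packet: bytes, secret: bytes) -> bytes:
    """The RADIUS server, holding the shared secret, recovers the password."""
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:])
    return reveal_user_password(attrs[USER_PASSWORD], secret, request_auth)


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret).
    The client uses it to check that an Access-Accept came from a holder of the secret."""
    length = 20 + len(attrs)
    header = bytes([code, identifier]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()


if __name__ == "__main__":
    pkt, _ = build_access_request(7, "alice", b"hunter2", SHARED_SECRET)
    print(eavesdropper_view(pkt))
    print(server_decode(pkt, SHARED_SECRET))
```

Note that the hiding is keyed by a static shared secret and MD5, so a captured Access-Request lets an attacker test candidate secrets offline; the usual mitigations are a long random secret per client and carrying RADIUS inside IPsec or TLS (RadSec).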
28. Remote Access Authentication Methods
TACACS (Terminal Access Controller Access-Control System)
◦ Was used in UNIX systems, rare today
TACACS+
◦ Cisco-developed alternative to RADIUS, later documented in RFC 8907
◦ Interacts with Kerberos
◦ Encrypts the entire packet body, not just the password
◦ Uses TCP (port 49)
◦ Uses multiple challenges and responses during a session, and separates authentication, authorization and accounting
29. AAA Protocols:
Authentication, Authorization, and
Accounting
Authentication
◦ Verifies a user's identification
Authorization
◦ Determines if a user should have access
Accounting
◦ Tracks user access with logs
31. Cryptosystem
1. The set of possible plaintexts
2. The set of possible ciphertexts
3. The set of encryption keys
4. The set of decryption keys
5. The correspondence between encryption keys and decryption keys
6. The encryption algorithm to use
7. The decryption algorithm to use
32. Caesar Cipher
Replace each letter with the one “three over” in the alphabet.
[Figure: Caesar cipher; public domain image from http://commons.wikimedia.org/wiki/File:Caesar3.svg]
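The seven components of a cryptosystem (slide 31) instantiated for the Caesar cipher (slide 32), as an added worked example in Python (not code from the slides). Each component is labelled in the code, and a brute-force attack shows why a 26-key system is no protection once the algorithm is public. The word list used to recognise English is constructed for the example.

```python
import string

# 1 and 2: plaintext set = ciphertext set = strings over this alphabet
# (characters outside it pass through unchanged).
ALPHABET = string.ascii_uppercase
# 3: the set of encryption keys: shifts 0..25 (only 26 of them).
ENCRYPTION_KEYS = range(len(ALPHABET))


def decryption_key(enc_key: int) -> int:
    """4 and 5: the decryption key set is the same shifts; the correspondence
    between the two is the inverse shift."""
    return (-enc_key) % len(ALPHABET)


def shift(text: str, key: int) -> str:
    """Shared engine: move every letter key positions along the alphabet, wrapping."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % len(ALPHABET)])
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    """6: the encryption algorithm. key=3 is Caesar's 'three over'."""
    if key not in ENCRYPTION_KEYS:
        raise ValueError("key must be 0..25")
    return shift(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    """7: the decryption algorithm, run with the corresponding decryption key."""
    return shift(ciphertext, decryption_key(key))


# Constructed mini-dictionary used to recognise English in a brute-force attack.
COMMON_WORDS = {"THE", "AT", "AND", "ATTACK", "DAWN", "MEET", "ME", "IS", "TO", "IN", "OF"}


def brute_force(ciphertext: str) -> tuple:
    """Kerckhoffs' principle: the algorithm is public, so security rests on the
    key alone. With 26 keys an attacker tries them all and keeps the most
    English-looking result. Returns (recovered_key, plaintext)."""
    best = None
    for key in ENCRYPTION_KEYS:
        candidate = decrypt(ciphertext, key)
        score = sum(1 for w in candidate.split() if w.strip(".,!") in COMMON_WORDS)
        if best is None or score > best[0]:
            best = (score, key, candidate)
    return best[1], best[2]


if __name__ == "__main__":
    c = encrypt("ATTACK AT DAWN", 3)
    print(c)                   # DWWDFN DW GDZQ
    print(brute_force(c))      # (3, 'ATTACK AT DAWN')
```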
34. Digital Signatures
To sign a message, M, Alice just encrypts it with her private key, SA, creating C = ESA(M).
Anyone can decrypt this message using Alice’s public key, as M’ = DPA(C), and compare that to
the message M.
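The signing and verification steps above, and the non-repudiation property from slide 13, as an added worked example in Python using textbook RSA (not code from the slides). The toy key with p=61, q=53 is constructed so that the numbers stay readable; it is far too small for real use. The example also shows the forgery that the raw scheme permits and the hash-then-sign fix.

```python
import hashlib
import secrets

# Constructed toy key (not from the slides): n = 3233, phi = 3120, e = 17, d = 2753.
P, Q = 61, 53
N = P * Q
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent: modular inverse of E
PUBLIC_KEY = (N, E)      # PA
PRIVATE_KEY = (N, D)     # SA


def sign_raw(m: int, private_key=PRIVATE_KEY) -> int:
    """The slide's textbook scheme: C = E_SA(M) = M^d mod n."""
    n, d = private_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, d, n)


def verify_raw(m: int, sig: int, public_key=PUBLIC_KEY) -> bool:
    """Anyone recovers M' = D_PA(C) = C^e mod n and compares it with M."""
    n, e = public_key
    return pow(sig, e, n) == m


def forge_raw(public_key=PUBLIC_KEY) -> tuple:
    """Why the raw scheme is unsafe: Eve picks any signature S and computes the
    'message' S^e mod n. The pair verifies although Alice never signed it
    (existential forgery). RSA is also multiplicative, so
    sig(m1) * sig(m2) = sig(m1 * m2) mod n. Returns (message, signature)."""
    n, e = public_key
    sig = secrets.randbelow(n - 2) + 2
    return pow(sig, e, n), sig


def message_digest(message: bytes, n: int = N) -> int:
    """Real signatures sign a hash of M (with padding such as PSS). The SHA-256
    digest is reduced mod n here only because the toy key is tiny."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign_message(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Hash-then-sign: a forger now needs a preimage of a random digest."""
    return sign_raw(message_digest(message, private_key[0]), private_key)


def verify_message(message: bytes, sig: int, public_key=PUBLIC_KEY) -> bool:
    """Non-repudiation: only the holder of d could have produced sig, and any
    change to the message changes the digest, so the check fails."""
    return verify_raw(message_digest(message, public_key[0]), sig, public_key)


if __name__ == "__main__":
    msg = b"Pay Bob 100"
    s = sign_message(msg)
    print("valid:", verify_message(msg, s))
    print("forged raw pair verifies:", verify_raw(*forge_raw()))
```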
37. Topic: Access Control
Users and groups
Authentication
Passwords
File protection
Access control lists
• Which users can read/write which files?
• Are my files really safe?
• What does it mean to be root?
• What do we really want to control?
11/13/2020
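The questions above ("which users can read/write which files?", "what does it mean to be root?") worked through as an added example in Python (not code from the slides). It evaluates classic UNIX owner/group/other mode bits plus per-user ACL entries, with root bypassing discretionary checks. The users, groups and files are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed users, groups and files for the example (nothing from the slides).
GROUPS = {"staff": {"alice", "bob"}, "wheel": {"alice"}}
READ, WRITE, EXEC = 4, 2, 1


@dataclass
class File:
    path: str
    owner: str
    group: str
    mode: int                                  # e.g. 0o640 = rw-r-----
    acl: dict = field(default_factory=dict)    # extra per-user rwx bits, as in POSIX ACLs


def mode_bits_for(user: str, f: File) -> int:
    """Classic UNIX rule: the first matching class (owner, group, other) applies;
    an owner who is also in the group still gets only the owner bits."""
    if user == f.owner:
        return (f.mode >> 6) & 0o7
    if user in GROUPS.get(f.group, set()):
        return (f.mode >> 3) & 0o7
    return f.mode & 0o7


def can(user: str, f: File, perm: int) -> bool:
    """root bypasses discretionary checks entirely (that is what 'being root'
    means here). Otherwise grant if the mode bits or an ACL entry allow it."""
    if user == "root":
        return True
    if mode_bits_for(user, f) & perm:
        return True
    return bool(f.acl.get(user, 0) & perm)


def who_can(files, users, perm: int) -> dict:
    """Answer 'which users can read/write which files?' as {path: sorted users}."""
    return {f.path: sorted(u for u in users if can(u, f, perm)) for f in files}


FILES = [
    File("/home/alice/notes.txt", "alice", "staff", 0o600),
    File("/etc/passwd", "root", "wheel", 0o644),
    File("/etc/shadow", "root", "wheel", 0o640),
    File("/srv/report.csv", "bob", "staff", 0o640, acl={"carol": READ}),
]
USERS = ["root", "alice", "bob", "carol"]


if __name__ == "__main__":
    for path, users in who_can(FILES, USERS, WRITE).items():
        print(f"{path}: writable by {users}")
```

The last question on the slide, "what do we really want to control?", is visible in the output: the mode bits answer it per file, but root's unconditional bypass means the real control boundary is who can become root, which is why practical systems add mandatory controls and capabilities on top of this model.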
INTRODUCTION