Security Engineering Chapter 3 Kahoot!
13 Questions
6 Views

Choose a study mode

Play Quiz
Study Flashcards
Spaced Repetition
Chat to lesson

Podcast

Play an AI-generated podcast conversation about this lesson

Questions and Answers

What does the acronym 'SHA' stand for?

Secure Hash Algorithm

Which of the following are components of the PGP method for secure email transmission? (Select all that apply)

  • Integrity
  • Authentication (correct)
  • Confidentiality (correct)
  • Encryption (correct)
  • SSL and TLS are used for authentication and decryption in the HTTPS method.

    True

    HTTPS employs encryption and authentication on top of __________.

    <p>HTTP</p> Signup and view all the answers

    What are the basic controls that form the CIA triad of information security?

    <p>Confidentiality, Integrity, Availability</p> Signup and view all the answers

    What is the primary purpose of the CIA triad in information security?

    <p>Confidentiality, Integrity, and Availability</p> Signup and view all the answers

    Match the following security control with its purpose:

    <p>Authentication = Confirming the identity of a user or communication partner Non-Repudiation = Asserting the assignment of an action to a subject and providing proof of authenticity Access Control = Selective restriction of access to resources Data Authenticity = Ensuring data has not been modified while in transit and verifying the source of the message</p> Signup and view all the answers

    What is the goal of Security Engineering?

    <p>Development of a comprising security model</p> Signup and view all the answers

    Which concept implies that the design of a system should not be secret, and all protection mechanisms must be open?

    <p>Open design</p> Signup and view all the answers

    Least privilege principle states that every program and user should operate with the maximum set of privileges.

    <p>False</p> Signup and view all the answers

    Every access to every object must be checked for ____. (Hint: authority)

    <p>authority</p> Signup and view all the answers

    Match the encryption method with the correct type:

    <p>Symmetric algorithms = One key is used/shared for Encryption and Decryption Asymmetric algorithms = Two keys, one for encryption and one for decryption</p> Signup and view all the answers

    What is the purpose of a digital signature?

    <p>Demonstrating the authenticity of digital messages or documents</p> Signup and view all the answers

    Study Notes

    Security Engineering – Basic Principles

    Motivation

    • Security matters: history of security issues dating back to 1975, including the first models and system of Intrusion Detection
    • Notable security breaches: SolarWinds cyberattack (2020), NotPetya malware attack (2017), Ukraine power grid attack (2015), Cyberattacks on Estonia (2007)
    • Gartner Study: Spending on information security and risk management products and services is forecast to grow 11.3% to reach more than $188.3 billion in 2023

    Reasons for Importance of Security

    • Increase of data value
    • Increased number of attacks
    • Lacking law regulations
    • Low ethical barrier
    • Lacking control mechanisms
    • Increase of number of potential attackers
    • Increasing number of users
    • Accessible Know-How of security holes
    • Problem Open Source Software
    • Decentralization

    Security Controls (Security Countermeasures)

    • CIA triad: Confidentiality, Integrity, Availability
    • Derived controls: Accountability, Data authenticity, Non-repudiation, Access control

    Confidentiality

    • Ensuring secrecy of information
    • Cryptography
    • Examples: SSL/TLS protocol for TCP/IP, Caesar-Code

    Data Integrity

    • Maintaining accuracy and consistency of data
    • Identification of intentional or unintentional changes of data
    • Techniques: hash functions
    • Examples: Secure Hash Algorithms (e.g., SHA-256), Message Digest (MD5, 128 Bit)

    Availability

    • Guaranteeing information and services to authorized users
    • Redundancy/Backup-policy
    • Firewalls
    • Priorities
    • Administrative methods

    Authentication

    • Process of confirming the identity of a user or communication partner
    • Approaches: Knowing of a Secret, Ownership of an Item, Biometric characteristics
    • Often combination of these approaches

    Derived Controls

    • Data authenticity: verifying data source
    • Non-repudiation: asserting the assignment of an action to a subject
    • Access control: selective restriction of access to a resource

    Classical Principles for Protected IT Systems

    • Economy of mechanism
    • Fail-safe defaults
    • Complete mediation
    • Open design
    • Separation of privilege
    • Least privilege
    • Least common mechanism
    • Psychological acceptability

    Security Engineering

    • Structured engineering approach ("Security by Design")
    • Goal: Development of a comprehensive security model
    • Examples: IT-Grundschutz, OCTAVE

    Technical Security Concepts

    • Encryption
    • Certificate
    • Digital signatures
    • PGP method
    • HTTPS### Certificate
    • A digital document that maps a public key to the identity of a person or organization
    • Guaranteed by a Certificate Authority (CA)
    • Contains a key-pair (private and public key) assigned to the owner
    • Essential components:
      • Serial number
      • Personal data (name, company)
      • Public key of person or organization
      • Signature of the CA by the issuer's private key
    • No secret information is contained in a certificate

    Certificate Structure (X.509v3)

    • Type of key
    • X.509 version
    • Terms and conditions
    • Serial number
    • Signature algorithm
    • Validity duration
    • Alternative names of owner and issuer
    • Name of owner
    • Public key
    • Restrictions of certification paths
    • ID of signing body
    • Information of owner
    • Extensions
    • Place of revocation lists
    • Signature algorithm
    • Digital signature
    • Private extensions (specific to issuer)

    Certification Authority (CA)

    • Creates certificates
    • Examples:
      • Governmental and commercial organizations (e.g., MIT, Symantec/Verisign, Teletrust)
      • Free certificate authorities (e.g., Let's Encrypt)
      • Austrian CAs (e.g., A-Trust Company, Arge Daten)
    • Austrian signature law (Österreichische Signaturgesetz) ensures equality between electronic and handwritten signatures

    Digital Signature

    • A mathematical scheme for demonstrating the authenticity of digital messages or documents
    • Ensures:
      • Authentication (sender's identity)
      • Non-repudiation (sender cannot deny sending the message)
      • Integrity (message was not altered in transit)
    • Process:
      • Create a digital fingerprint (digest) from the information
      • Encrypt the digest with the sender's private key
      • Send the encrypted digest and information
      • Receiver decrypts the digest with the sender's public key and checks for tempering

    Checking a Digital Signature

    • Receiver decrypts the digest with the sender's public key
    • Compare the decrypted digest with the calculated digest from the received information

    Hash Algorithms

    • Examples:
      • MD5 algorithm (creates a 128-bit hash value from an arbitrary message)
      • SHA-series (Secure Hash Algorithm)
        • SHA-1 (160-bit hash value)
        • SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512)
        • SHA-3 (SHA3-224, SHA3-256, SHA3-384, SHA3-512 + SHAKE-128 and SHAKE-256)

    PGP Method

    • "Pretty-Good-Privacy" method
    • Combines public-key encryption and digital signature
    • Ensures confidentiality, integrity, and authentication
    • Originally developed by Phillip Zimmermann

    HTTPS Method

    • Uses HTTP with encryption and authentication
    • Goals:
      • Web-server authentication to a client
      • End-to-end encryption of the connection
    • Uses SSL/TLS for authentication and decryption
    • Requires Certification Authority (CA) and Public Key Infrastructure (PKI) for certificates

    HTTPS Workflow

    • Client sends a "client hello" message with cryptographic information and a random byte string
    • Server responds with a "server hello" message with chosen CipherSuite, session ID, and another random byte string
    • Client verifies the server's digital certificate
    • Client sends the random byte string encrypted with the server's public key
    • Server verifies the client's certificate (if requested)
    • Both parties compute the secret key for encrypting subsequent message data
    • Client and server send "finished" messages to indicate completion of the handshake

    Studying That Suits You

    Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

    Quiz Team

    Description

    This quiz reviews key concepts in Security Engineering from Chapter 3, covering basic principles. Earn bonus points with Kahoot quizzes!

    More Like This

    Social Engineering in Modern Systems
    17 questions
    Introduction to Cybersecurity Concepts
    16 questions
    Security Engineering Overview
    40 questions

    Security Engineering Overview

    DelicateRationality307 avatar
    DelicateRationality307
    Use Quizgecko on...
    Browser
    Browser