Security Engineering Chapter 3 Kahoot!

Questions and Answers

What does the acronym 'SHA' stand for?

Secure Hash Algorithm

Which of the following are components of the PGP method for secure email transmission? (Select all that apply)

  • Integrity
  • Authentication (correct)
  • Confidentiality (correct)
  • Encryption (correct)

    SSL and TLS are used for authentication and decryption in the HTTPS method.

    True

    HTTPS employs encryption and authentication on top of __________.

    HTTP

    What are the basic controls that form the CIA triad of information security?

    Confidentiality, Integrity, Availability

    What is the primary purpose of the CIA triad in information security?

    Confidentiality, Integrity, and Availability

    Match the following security control with its purpose:

    • Authentication = Confirming the identity of a user or communication partner
    • Non-Repudiation = Asserting the assignment of an action to a subject and providing proof of authenticity
    • Access Control = Selective restriction of access to resources
    • Data Authenticity = Ensuring data has not been modified while in transit and verifying the source of the message

    What is the goal of Security Engineering?

    Development of a comprehensive security model

    Which concept implies that the design of a system should not be secret, and all protection mechanisms must be open?

    Open design

    Least privilege principle states that every program and user should operate with the maximum set of privileges.

    False

    Every access to every object must be checked for ____. (Hint: authority)

    authority

    Match the encryption method with the correct type:

    • Symmetric algorithms = One key is used/shared for Encryption and Decryption
    • Asymmetric algorithms = Two keys, one for encryption and one for decryption

    What is the purpose of a digital signature?

    Demonstrating the authenticity of digital messages or documents

    Study Notes

    Security Engineering – Basic Principles

    Motivation

    • Security matters: history of security issues dating back to 1975, including the first models and system of Intrusion Detection
    • Notable security breaches: SolarWinds cyberattack (2020), NotPetya malware attack (2017), Ukraine power grid attack (2015), Cyberattacks on Estonia (2007)
    • Gartner Study: Spending on information security and risk management products and services is forecast to grow 11.3% to reach more than $188.3 billion in 2023

    Reasons for Importance of Security

    • Increase of data value
    • Increased number of attacks
    • Lacking law regulations
    • Low ethical barrier
    • Lacking control mechanisms
    • Increase of number of potential attackers
    • Increasing number of users
    • Accessible Know-How of security holes
    • Problem Open Source Software
    • Decentralization

    Security Controls (Security Countermeasures)

    • CIA triad: Confidentiality, Integrity, Availability
    • Derived controls: Accountability, Data authenticity, Non-repudiation, Access control

    Confidentiality

    • Ensuring secrecy of information
    • Cryptography
    • Examples: SSL/TLS protocol for TCP/IP, Caesar-Code

    Data Integrity

    • Maintaining accuracy and consistency of data
    • Identification of intentional or unintentional changes of data
    • Techniques: hash functions
    • Examples: Secure Hash Algorithms (e.g., SHA-256), Message Digest (MD5, 128 Bit)

    Availability

    • Guaranteeing information and services to authorized users
    • Redundancy/Backup-policy
    • Firewalls
    • Priorities
    • Administrative methods

    Authentication

    • Process of confirming the identity of a user or communication partner
    • Approaches: Knowing of a Secret, Ownership of an Item, Biometric characteristics
    • Often combination of these approaches

    Derived Controls

    • Data authenticity: verifying data source
    • Non-repudiation: asserting the assignment of an action to a subject
    • Access control: selective restriction of access to a resource

    Classical Principles for Protected IT Systems

    • Economy of mechanism
    • Fail-safe defaults
    • Complete mediation
    • Open design
    • Separation of privilege
    • Least privilege
    • Least common mechanism
    • Psychological acceptability

    Security Engineering

    • Structured engineering approach ("Security by Design")
    • Goal: Development of a comprehensive security model
    • Examples: IT-Grundschutz, OCTAVE

    Technical Security Concepts

    • Encryption
    • Certificate
    • Digital signatures
    • PGP method
    • HTTPS

    Certificate

    • A digital document that maps a public key to the identity of a person or organization
    • Guaranteed by a Certificate Authority (CA)
    • Contains a key-pair (private and public key) assigned to the owner
    • Essential components:
      • Serial number
      • Personal data (name, company)
      • Public key of person or organization
      • Signature of the CA by the issuer's private key
    • No secret information is contained in a certificate

    Certificate Structure (X.509v3)

    • Type of key
    • X.509 version
    • Terms and conditions
    • Serial number
    • Signature algorithm
    • Validity duration
    • Alternative names of owner and issuer
    • Name of owner
    • Public key
    • Restrictions of certification paths
    • ID of signing body
    • Information of owner
    • Extensions
    • Place of revocation lists
    • Signature algorithm
    • Digital signature
    • Private extensions (specific to issuer)

    Certification Authority (CA)

    • Creates certificates
    • Examples:
      • Governmental and commercial organizations (e.g., MIT, Symantec/Verisign, Teletrust)
      • Free certificate authorities (e.g., Let's Encrypt)
      • Austrian CAs (e.g., A-Trust Company, Arge Daten)
    • Austrian signature law (Österreichische Signaturgesetz) ensures equality between electronic and handwritten signatures

    Digital Signature

    • A mathematical scheme for demonstrating the authenticity of digital messages or documents
    • Ensures:
      • Authentication (sender's identity)
      • Non-repudiation (sender cannot deny sending the message)
      • Integrity (message was not altered in transit)
    • Process:
      • Create a digital fingerprint (digest) from the information
      • Encrypt the digest with the sender's private key
      • Send the encrypted digest and information
      • Receiver decrypts the digest with the sender's public key and checks for tampering

    Checking a Digital Signature

    • Receiver decrypts the digest with the sender's public key
    • Compare the decrypted digest with the calculated digest from the received information

    Hash Algorithms

    • Examples:
      • MD5 algorithm (creates a 128-bit hash value from an arbitrary message)
      • SHA-series (Secure Hash Algorithm)
        • SHA-1 (160-bit hash value)
        • SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512)
        • SHA-3 (SHA3-224, SHA3-256, SHA3-384, SHA3-512 + SHAKE-128 and SHAKE-256)

    PGP Method

    • "Pretty-Good-Privacy" method
    • Combines public-key encryption and digital signature
    • Ensures confidentiality, integrity, and authentication
    • Originally developed by Philip Zimmermann

    HTTPS Method

    • Uses HTTP with encryption and authentication
    • Goals:
      • Web-server authentication to a client
      • End-to-end encryption of the connection
    • Uses SSL/TLS for authentication and decryption
    • Requires Certification Authority (CA) and Public Key Infrastructure (PKI) for certificates

    HTTPS Workflow

    • Client sends a "client hello" message with cryptographic information and a random byte string
    • Server responds with a "server hello" message with chosen CipherSuite, session ID, and another random byte string
    • Client verifies the server's digital certificate
    • Client sends the random byte string encrypted with the server's public key
    • Server verifies the client's certificate (if requested)
    • Both parties compute the secret key for encrypting subsequent message data
    • Client and server send "finished" messages to indicate completion of the handshake

    Description

    This quiz reviews key concepts in Security Engineering from Chapter 3, covering basic principles. Earn bonus points with Kahoot quizzes!
