Computer Security: Principles and Practice 5th Edition PDF
Document Details
Uploaded by Deleted User
2023
William Stallings, Lawrie Brown
Tags
Summary
This is a textbook on Computer Security, fifth edition by William Stallings and Lawrie Brown. It covers the fundamental principles and practices of computer security in information systems. Updated content on key security topics such as multi-factor authentication and ransomware attacks are introduced.
Full Transcript
Page 1 of 1641 Computer Security Principles and Practice Fifth Edition William Stallings Lawrie Brown UNSW Canberra at the Australian Defence Force Academy Page 2 of 1641 Content Management: Tracy Johnson Content Production: Dr Rajul Jain Product Management: Tracy Johnson P...
Page 1 of 1641 Computer Security Principles and Practice Fifth Edition William Stallings Lawrie Brown UNSW Canberra at the Australian Defence Force Academy Page 2 of 1641 Content Management: Tracy Johnson Content Production: Dr Rajul Jain Product Management: Tracy Johnson Product Marketing: Krista Clark and Wayne Stevens Rights and Permissions: Chandan Kumar Please contact https://support.pearson.com/getsupport/s/ with any queries on this content. Cover Image by ra2studio/123RF. Microsoft and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published as part of the services for any purpose. All such documents and related graphics are provided “as is” without warranty of any kind. Microsoft and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all warranties and conditions of merchantability, whether express, implied or statutory, fitness for a particular purpose, title and non-infringement. In no event shall Microsoft and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from the services. The documents and related graphics contained herein could include technical inaccuracies or typographical errors. Page 3 of 1641 Changes are periodically added to the information herein. Microsoft and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time. Partial screen shots may be viewed in full within the software version specified. Microsoft® and Windows® are registered trademarks of the Microsoft Corporation in the U.S.A. and other countries. This book is not sponsored or endorsed by or affiliated with the Microsoft Corporation. Copyright © 2024, 2018, 2015 by Pearson Education, Inc. or its affiliates, 221 River Street, Hoboken, NJ 07030. All Rights Reserved. Manufactured in the United States of America. This publication is protected by copyright, and permission should be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise. For information regarding permissions, request forms, and the appropriate contacts within the Pearson Education Global Rights and Permissions department, please visit www.pearsoned.com/permissions/. Acknowledgments of third-party content appear on the appropriate page within the text. PEARSON is an exclusive trademark owned by Pearson Education, Inc. or its affiliates in the U.S. and/or other countries. Page 4 of 1641 Unless otherwise indicated herein, any third-party trademarks, logos, or icons that may appear in this work are the property of their respective owners, and any references to third-party trademarks, logos, icons, or other trade dress are for demonstrative or descriptive purposes only. Such references are not intended to imply any sponsorship, endorsement, authorization, or promotion of Pearson’s products by the owners of such marks, or any relationship between the owner and Pearson Education, Inc., or its affiliates, authors, licensees, or distributors. Library of Congress Cataloging-in-Publication Data Names: Stallings, William, author. | Brown, Lawrie, author. Title: Computer security : principles and practice / William Stallings, Lawrie Brown, UNSW Canberra at the Australian Defence Force Academy. Description: Fifth edition. | Hoboken, NJ : Pearson Education, Inc., | Includes bibliographical references and index. Identifiers: LCCN 2023000040 | ISBN 9780138091675 (hardcover) | ISBN 0138091676 (hardcover) Subjects: LCSH: Computer security. | Computer networks— Security measures. Classification: LCC QA76.9.A25 S685 2024 | DDC 005.8— dc23/eng/20230109 Page 5 of 1641 LC record available at https://lccn.loc.gov/2023000040 ISBN-10: 0-13-809167-6 ISBN-13: 978-0-13-809167-5 Scout Automated Print Code Page 6 of 1641 For my loving wife, Tricia —WS To my extended family and friends, who helped make this all possible —LB Page 7 of 1641 Pearson’s Commitment to Diversity, Equity, and Inclusion Pearson is dedicated to creating bias-free content that reflects the diversity, depth, and breadth of all learners’ lived experiences. We embrace the many dimensions of diversity, including but not limited to race, ethnicity, gender, sex, sexual orientation, socioeconomic status, ability, age, and religious or political beliefs. Education is a powerful force for equity and change in our world. It has the potential to deliver opportunities that improve lives and enable economic mobility. As we work with authors to create content for every product and service, we acknowledge our responsibility to demonstrate inclusivity and incorporate diverse scholarship so that everyone can achieve their potential through learning. As the world’s leading learning company, we have a duty to help drive change and live up to our purpose to help more people create a better life for themselves and to create a better world. Our ambition is to purposefully contribute to a world where: Everyone has an equitable and lifelong opportunity to succeed through learning. Our educational content accurately reflects the histories and lived experiences of the learners we serve. Our educational products and services are inclusive and represent the rich diversity of learners. Our educational content prompts deeper discussions with students and motivates them to expand their own learning (and worldview). Accessibility We are also committed to providing products that are fully accessible to all learners. As per Pearson’s guidelines for accessible educational Web media, we test and retest the capabilities of our products against the highest standards for every release, following the WCAG guidelines in developing new products for copyright year 2022 and beyond. You can learn more about Pearson’s commitment to accessibility at https://www.pearson.com/us/accessibility.html Contact Us While we work hard to present unbiased, fully accessible content, we want to hear from you about any concerns or needs with this Pearson product so that we can investigate and address them. Please contact us with concerns about any potential bias at https://www.pearson.com/report-bias.html Page 8 of 1641 For accessibility-related issues, such as using assistive technology with Pearson products, alternative text requests, or accessibility documentation, email the Pearson Disability Support team at [email protected] Page 9 of 1641 Preface What’s New in the Fifth Edition Since the fourth edition of this book was published, the field has seen continued innovations and improvements. In this new edition, we try to capture these changes while maintaining a broad and comprehensive coverage of the entire field. There have been a number of refinements to improve pedagogy and user-friendliness, updated references, and mention of recent security incidents, along with a number of more substantive changes throughout the book. The most noteworthy of these changes include: Multi-factor authentication and mobile authentication: Chapter 3 includes a new discussion on multi-factor authentication (MFA) in which the user presents two or more pieces of evidence (or factors) to verify their identity. This is increasingly used to address the known problems with just using a password for authentication. This is commonly done using either a hardware authentication token, or using SMS text messages or an authentication app on mobile devices, as we discuss. Mandatory access control (MAC): Chapter 4 includes some revised discussion on mandatory access controls that was previously included in the online Chapter 27. These controls are now included as part of the underlying security enhancements in recent releases of some Linux, macOS, and Windows systems. Social engineering and ransomware attacks: The discussion in Chapters 6 and 8 on social engineering, and its use in enabling ransomware attacks have been updated, reflecting the growing incidence of such attacks, and the need to defend against them. These defenses include improved security awareness training, as we discuss in Chapter 17. Supply-chain and business email compromise attacks: Chapter 8 includes new discussion on the growth of supply-chain and business email compromise (BEC) attacks, including the recent SolarWinds attack, which have been used to compromise many commercial and government organizations in recent years. Updated list of the most dangerous software errors: Chapter 11 includes an updated list of the Top 25 Most Dangerous Software Errors. It also discusses the recent widely exploited code injection attack on the Apache Log4j package. Updated list of essential controls: Chapter 12 includes updated lists of essential controls, including the Australian Signals Directorate’s “Essential Eight” that should be used by all organizations to improve the security of their operating systems. Trusted computer systems: Chapter 12 includes some revised discussion on trusted computer systems that was previously included in the online Chapter 27, which is relevant to the use of secure systems in some government organizations. Updated list of security controls: Chapter 15 includes a significantly updated list of the NIST security controls that should be considered when addressing identified security risks in organizations. Security awareness and training: Chapter 17 includes a significantly revised section on security awareness and training for personnel, which is of increasing importance given the rise in security incidents that result from deliberate or accidental personnel actions. European Union (EU) General Data Protection Regulation (GDPR): Chapter 19 includes a new section on the EU’s 2016 GDPR that is effectively the global standard for the protection of personal data, its collection, access, and use. Page 10 of 1641 The ChaCha20 stream cipher: Chapter 20 includes a new section with details of the ChaCha20 stream cipher, replacing details of the now depreciated RC4 cipher. Galois Counter Mode: Appendix E now includes details of the new Galois Counter authenticated encryption mode of use for block ciphers. Background Interest in education in computer security and related topics has been growing at a dramatic rate in recent years. This interest has been spurred by a number of factors, two of which stand out: 1. As information systems, databases, and Internet-based distributed systems and communication have become pervasive in the commercial world, coupled with the increased intensity and sophistication of security-related attacks, organizations now recognize the need for a comprehensive security strategy. This strategy encompasses the use of specialized hardware and software and trained personnel to meet that need. 2. Computer security education, often termed information security education or information assurance education, has emerged as a national goal in the United States and other countries, with national defense and homeland security implications. The NSA/DHS National Center of Academic Excellence in Information Assurance/Cyber Defense is spearheading a government role in the development of standards for computer security education. Accordingly, the number of courses in universities, community colleges, and other institutions in computer security and related areas is growing. Objectives The objective of this book is to provide an up-to-date survey of developments in computer security. Central problems that confront security designers and security administrators include defining the threats to computer and network systems, evaluating the relative risks of these threats, and developing cost-effective and user friendly countermeasures. The following basic themes unify the discussion: Principles: Although the scope of this book is broad, there are a number of basic principles that appear repeatedly as themes and that unify this field. Examples are issues relating to authentication and access control. The book highlights these principles and examines their application in specific areas of computer security. Design approaches: The book examines alternative approaches to meeting specific computer security requirements. Standards: Standards have come to assume an increasingly important, indeed dominant, role in this field. An understanding of the current status and future direction of technology requires a comprehensive discussion of the related standards. Real-world examples: A number of chapters include a section that shows the practical application of that chapter’s principles in a real-world environment. Support of ACM/IEEE Cybersecurity Curricula 2017 Page 11 of 1641 The book is intended for both an academic and a professional audience. As a textbook, it is intended as a one- or two-semester undergraduate course for computer science, computer engineering, and electrical engineering majors. This edition is designed to support the recommendations of the ACM/IEEE Cybersecurity Curricula 2017 (CSEC2017). The CSEC2017 curriculum recommendation includes eight knowledge areas. Table P.1 shows the support for the these knowledge areas provided in this textbook. It also identifies six crosscutting concepts that are designed to help students explore connections among the knowledge areas, and are fundamental to their ability to understand the knowledge area regardless of the underlying computing discipline. These concepts, which are topics we introduce in Chapter 1, are as follows: Confidentiality: Rules that limit access to system data and information to authorized persons. Integrity: Assurance that the data and information are accurate and trustworthy. Availability: The data, information, and system are accessible. Risk: Potential for gain or loss. Adversarial thinking: A thinking process that considers the potential actions of the opposing force working against the desired result. Systems thinking: A thinking process that considers the interplay between social and technical constraints to enable assured operations. Table P.1 Coverage of CSEC2017 Cybersecurity Curricula Knowledge Units Essentials Textbook Coverage Data Security Basic cryptography concepts Part 1—Network Security Digital forensics Technology and Principles End-to-end secure Part 3—Management Issues communications Part 4—Cryptographic Data integrity and Algorithms authentication Part 5—Network Security Information storage security Software Security Fundamental design principles 1—Overview including least privilege, open Part 2—Software Security design, and abstraction 19—Legal and Ethical Aspects Security requirements and role in design Implementation issues Static and dynamic testing Configuring and patching Ethics, especially in development, testing and vulnerability disclosure Component Security Vulnerabilities of system 1—Overview components 8—Intrusion Detection Component lifecycle 10—Buffer Overflow 11—Software Security Page 12 of 1641 Secure component design principles Supply chain management security Security testing Reverse engineering Connection Security Systems, architecture, models, Part 5—Network Security and standards 8—Intrusion Detection Physical component interfaces 9—Firewalls and Intrusion Software component interfaces Prevention Systems Connection attacks 13—Cloud and IoT Security Transmission attacks System Security Holistic approach 1—Overview Security policy 3—User Authentication Authentication 4—Access Control Access control 14—IT Security Management Monitoring and Risk Assessment Recovery 15—IT Security Controls, Plans, Testing and Procedures Documentation Human Security Identity management 3—User Authentication Social engineering 4—Access Control Awareness and understanding 6—Malicious Software Social behavioral privacy and 17—Human Resources Security security 19—Legal and Ethical Aspects Personal data privacy and security Organizational Risk management 14—IT Security Management Security Governance and policy and Risk Assessment Laws, ethics, and compliance 15—IT Security Controls, Plans, Strategy and planning and Procedures 17—Human Resources Security 19—Legal and Ethical Aspects Societal Security Cybercrime 8—Intrusion Detection Cyber law 19—Legal and Ethical Aspects Cyber ethics Cyber policy Privacy This text discusses all of these knowledge areas and crosscutting concepts. Coverage of CISSP Subject Areas Page 13 of 1641 This book provides coverage of all the subject areas specified for CISSP (Certified Information Systems Security Professional) certification. The CISSP designation from the International Information Systems Security Certification Consortium is often referred to as the “gold standard” when it comes to information security certification. It is the only universally recognized certification in the security industry. Many organizations, including the U.S. Department of Defense and many financial institutions, now require that cyber security personnel have the CISSP certification. In 2004, CISSP became the first IT program to earn accreditation under the international standard ISO/IEC 17024 (General Requirements for Bodies Operating Certification of Persons). The CISSP examination is based on the Common Body of Knowledge (CBK), a compendium of information security best practices developed and maintained by , a nonprofit organization. The CBK is made up of 8 domains that comprise the body of knowledge that is required for CISSP certification. The eight domains are as follows, with an indication of where the topics are covered in this textbook: Security and risk management: Confidentiality, integrity, and availability concepts; security governance principles; risk management; compliance; legal and regulatory issues; professional ethics; and security policies, standards, procedures, and guidelines. (Chapter 14) Asset security: Information and asset classification; ownership (e.g. data owners, system owners); privacy protection; appropriate retention; data security controls; and handling requirements (e.g., markings, labels, storage). (Chapters 5, 15, 16, 19) Security architecture and engineering: Engineering processes using secure design principles; security models; security evaluation models; security capabilities of information systems; security architectures, designs, and solution elements vulnerabilities; web-based systems vulnerabilities; mobile systems vulnerabilities; embedded devices and cyber-physical systems vulnerabilities; cryptography; and site and facility design secure principles; physical security. (Chapters 1, 2, 13, 15, 16) Communication and network security: Secure network architecture design (e.g., IP and non-IP protocols, segmentation); secure network components; secure communication channels; and network attacks. (Part Five) Identity and access management: Physical and logical assets control; identification and authentication of people and devices; identity as a service (e.g. cloud identity); third-party identity services (e.g., on-premise); access control attacks; and identity and access provisioning lifecycle (e.g., provisioning review). (Chapters 3, 4, 8, 9) Security assessment and testing: Assessment and test strategies; security process data (e.g., management and operational controls); security control testing; test outputs (e.g., automated, manual); and security architectures vulnerabilities. (Chapters 14, 15, 18) Security operations: Investigations support and requirements; logging and monitoring activities; provisioning of resources; foundational security operations concepts; resource protection techniques; incident management; preventative measures; patch and vulnerability management; change management processes; recovery strategies; disaster recovery processes and plans; business continuity planning and exercises; physical security; and personnel safety concerns. (Chapters 11, 12, 15, 16, 17) Page 14 of 1641 Software development security: Security in the software development lifecycle; development environment security controls; software security effectiveness; and acquired software security impact. (Part Two) Support for NCAE-C Certification The National Centers of Academic Excellence in Cybersecurity (NCAE-C) program is managed by the National Security Agency, with partners including the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). The NCAE-C program office collaborates closely with the National Institute of Standards and Technology (NIST), the National Science Foundation (NSF), the Department of Defense Office of the Chief Information Officer (DoD-CIO), and US Cyber Command (CYBERCOM). The goal of this program is to promote higher education and research in cyber defense and produce professionals with cyber defense expertise in order expand to the cybersecurity workforce and to reduce vulnerabilities in our national infrastructure. Academic institutions may choose from three designations: Cyber Defense, Cyber Research, and Cyber Operations. To achieve that purpose, NSA/DHS have defined a set of Knowledge Units that must be supported in the curriculum to gain NCAE-C designation. Each Knowledge Unit is composed of a minimum list of required topics to be covered and one or more outcomes or learning objectives. Designation is based on meeting a certain threshold number of core and optional Knowledge Units. In the area of Cyber Defense, the 2022 Foundational Knowledge Units are as follows: Cybersecurity foundations: Provides students with a basic understanding of the fundamental concepts behind cybersecurity including attacks, defenses, and incidence response. Cybersecurity principles: Provides students with basic security design fundamentals that help create systems that are worthy of being trusted. IT systems components: Provides students with a basic understanding of the hardware and software components in an information technology system and their roles in system operation. This book provides extensive coverage in these foundational areas, as well as coverage of many of the other technical, nontechnical, and optional Knowledge Units. Plan of the Text The book is divided into five parts (see Chapter 0): Computer Security Technology and Principles Software and System Security Management Issues Cryptographic Algorithms Network Security The text includes an extensive glossary, a list of frequently used acronyms, and a bibliography. Each chapter includes homework problems, review questions, a list of key words, and suggestions for further reading. Page 15 of 1641 Student Resources For this new edition, a tremendous amount of original supporting material for students is available online at pearsonhighered.com/stallings. The Companion Website, at Pearsonhighered.com/cs-resources (search for Stallings). The Companion Website contains the following support materials: Homework problems and solutions: In addition to the homework problems in the book, more homework problems and solutions are made available to students to test their understanding and deepen learning. Support Files: Provides collections of useful papers and a Recommended Reading list. Instructor Support Materials Page 16 of 1641 The major goal of this text is to make it as effective a teaching tool for this exciting and fast- moving subject as possible. This goal is reflected both in the structure of the book and in the supporting material. The text is accompanied by the following supplementary material to aid the instructor: Projects manual: Project resources including documents and portable software, plus suggested project assignments for all of the project categories listed in the following section Solutions manual: Solutions to end-of-chapter Review Questions and Problems PowerPoint slides: A set of slides covering all chapters, suitable for use in lecturing PDF files: Reproductions of all figures and tables from the book Test bank: A chapter-by-chapter set of questions All of these support materials are available on the Instructor Resource Center (IRC) for this textbook, which can be reached through the publisher’s Website www.pearsonhighered.com. To gain access to the IRC, please contact your local Pearson sales representative via https://www.pearson.com/us/contact-us/find-your-rep.html or call Pearson Faculty Services at 1-800-922-0579. Projects and Other Student Exercises For many instructors, an important component of a computer security course is a project or set of projects by which the student gets hands-on experience to reinforce concepts from the text. The instructor’s support materials created for this text not only include guidance on how to assign and structure the projects but also include a set of user manuals for various project types and assignments, all written especially for this book. Instructors can assign work in the following areas: Hacking exercises: Two projects that enable students to gain an understanding of the issues in intrusion detection and prevention. Laboratory exercises: A series of projects that involve programming and experimenting with concepts from the book. Security education (SEED) projects: The SEED projects are a set of hands-on exercises, or labs, covering a wide range of security topics. Research projects: A series of research assignments that instruct the students to research a particular topic on the Internet and write a report. Programming projects: A series of programming projects that cover a broad range of topics and that can be implemented in any suitable language on any platform. Practical security assessments: A set of exercises to examine current infrastructure and practices of an existing organization. Firewall projects: A portable network firewall visualization simulator is provided, together with exercises for teaching the fundamentals of firewalls. Case studies: A set of real-world case studies, including learning objectives, case description, and a series of case discussion questions. Reading/report assignments: A list of papers that can be assigned for reading and writing a report, plus suggested assignment wording Writing assignments: A list of writing assignments to facilitate learning the material. Page 17 of 1641 This diverse set of projects and other student exercises enables the instructor to use the book as one component in a rich and varied learning experience and to tailor a course plan to meet the specific needs of the instructor and students. See Appendix A in this book for details. Acknowledgments This new edition has benefited from review by a number of people, who gave generously of their time and expertise. The following professors and instructors reviewed all or a large part of the manuscript: Bernardo Palazzi (Brown University), Jean Mayo (Michigan Technological University), Scott Kerlin (University of North Dakota), Philip Campbell (Ohio University), Scott Burgess (Humboldt State University), Stanley Wine (Hunter College/CUNY), and E. Mauricio Angee (Florida International University). Thanks also to the many people who provided detailed technical reviews of one or more chapters: Umair Manzoor (UmZ), Adewumi Olatunji (FAGOSI Systems, Nigeria), Rob Meijer, Robin Goodchil, Greg Barnes (Inviolate Security LLC), Arturo Busleiman (Buanzo Consulting), Ryan M. Speers (Dartmouth College), Wynand van Staden (School of Computing, University of South Africa), Oh Sieng Chye, Michael Gromek, Samuel Weisberger, Brian Smithson (Ricoh Americas Corp, CISSP), Josef B. Weiss (CISSP), Robbert-Frank Ludwig (Veenendaal, ActStamp Information Security), William Perry, Daniela Zamfiroiu (CISSP), Rodrigo Ristow Branco, George Chetcuti (Technical Editor, TechGenix), Thomas Johnson (Director of Information Security at a banking holding company in Chicago, CISSP), Robert Yanus (CISSP), Rajiv Dasmohapatra (Wipro Ltd), Dirk Kotze, Ya’akov Yehudi, and Stanley Wine (Adjunct Lecturer, Computer Information Systems Department, Zicklin School of Business, Baruch College). Dr. Lawrie Brown would first like to thank Bill Stallings for the pleasure of working with him to produce this text. I would also like to thank my colleagues in the School of Engineering and Information Technology, UNSW Canberra at the Australian Defence Force Academy for their encouragement and support. In particular, thanks to Gideon Creech, Edward Lewis, and Ben Whitham for discussion and review of some of the chapter content. Finally, we would like to thank the many people responsible for the publication of the book, all of whom did their usual excellent job. This includes the staff at Pearson, particularly our editor Tracy Johnson, with support from Carole Snyder, Erin Sullivan, and Rajul Jain. Also Mahalakshmi Usha and the team at Integra for their support with the production of the book. Thanks also to the marketing and sales staffs at Pearson, without whose efforts this book would not be in front of you. Page 18 of 1641 Notation Symbol Expression Meaning D, K Symmetric decryption of ciphertext Y using secret key K Asymmetric decryption of ciphertext Y using A’s private key Asymmetric decryption of ciphertext Y using A’s public key E, K Symmetric encryption of plaintext X using secret key K Asymmetric encryption of plaintext X using A’s private key K Secret key Private key of user A Public key of user A H Hash function of message X Logical OR: x OR y Logical AND: x AND y Logical NOT: NOT x C A characteristic formula, consisting of a logical formula over the values of attributes in a database Page 19 of 1641 X Query set of C, the set of records satisfying C Magnitude of : the number of records in Set intersection: the number of records in both and x concatenated with y Page 20 of 1641 About the Authors Dr. William Stallings has authored 18 textbooks, and, counting revised editions, a total of 70 books on various aspects of these subjects. His writings have appeared in numerous ACM and IEEE publications, including the Proceedings of the IEEE and ACM Computing Reviews. He has 13 times received the award for the best Computer Science textbook of the year from the Text and Academic Authors Association. In over 30 years in the field, he has been a technical contributor, technical manager, and an executive with several high-technology firms. He has designed and implemented both TCP/IP-based and OSI-based protocol suites on a variety of computers and operating systems, ranging from microcomputers to mainframes. Currently he is an independent consultant whose clients have included computer and networking manufacturers and customers, software development firms, and leading-edge government research institutions. He created and maintains the Computer Science Student Resource Site at Computer ScienceStudent.com. This site provides documents and links on a variety of subjects of general interest to computer science students (and professionals). He is a member of the editorial board of Cryptologia, a scholarly journal devoted to all aspects of cryptology. Page 21 of 1641 Dr. Lawrie Brown is a visiting senior lecturer in the School of Engineering and Information Technology, UNSW Canberra at the Australian Defence Force Academy. His professional interests include communications and computer systems security and cryptography, including research on pseudo-anonymous communication, authentication, security and trust issues in Web environments, the design of secure remote code execution environments using the functional language Erlang, and on the design and implementation of the LOKI family of block ciphers. During his career, he has presented courses on cryptography, cybersecurity, data communications, data structures, and programming in Java to both undergraduate and postgraduate students. Page 22 of 1641 Pearson’s Commitment to Diversity, Equity, and Inclusion...................................................... 8 Preface...................................................................................................................................... 10 What’s New in the Fifth Edition.......................................................................................... 10 Background.......................................................................................................................... 11 Objectives............................................................................................................................. 11 Support of ACM/IEEE Cybersecurity Curricula 2017........................................................ 11 Table P.1....................................................................................................................... 12 Coverage of CSEC2017 Cybersecurity Curricula........................................................ 12 Coverage of CISSP Subject Areas....................................................................................... 13 Support for NCAE-C Certification...................................................................................... 15 Plan of the Text.................................................................................................................... 15 Student Resources................................................................................................................ 16 Instructor Support Materials................................................................................................. 16 Projects and Other Student Exercises................................................................................... 17 Acknowledgments................................................................................................................ 18 Learning Objectives............................................................................................................. 37 1.1 Computer Security Concepts............................................................................................. 39 A Definition of Computer Security...................................................................................... 39 Figure 1.1 Essential Network and Computer Security Requirements.......................... 40 Examples.............................................................................................................................. 41 Confidentiality.................................................................................................................. 41 Integrity............................................................................................................................ 41 An example of a low-integrity requirement is an anonymous online poll. Many websites, such as news organizations, offer these polls to their users with very few safeguards. However, the inaccuracy and unscientific nature of such polls is well understoodAvailability..................................................................................................... 42 The Challenges of Computer Security................................................................................. 43 Table 1.1....................................................................................................................... 44 Computer Security Terminology.................................................................................. 44 1.2 Threats, Attacks, and Assets.............................................................................................. 47 Threats and Attacks.............................................................................................................. 47 Confidentiality.................................................................................................................. 50 Integrity............................................................................................................................ 50 Availability....................................................................................................................... 51 Threats and Attacks.............................................................................................................. 52 Table 1.2 Threat Consequences and the Types of Threat Actions that Cause Each Consequence................................................................................................................. 52 Threats and Assets................................................................................................................ 55 Figure 1.3 Scope of Computer Security........................................................................ 55 Page 23 of 1641 Table 1.3 Computer and Network Assets, with Examples of Threats.......................... 55 Hardware.......................................................................................................................... 56 Software............................................................................................................................ 56 Data................................................................................................................................... 56 Communication Lines and Networks............................................................................... 57 1.3 Security Functional Requirements..................................................................................... 59 1.4 Fundamental Security Design Principles........................................................................... 62 1.5 Attack Surfaces and Attack Trees...................................................................................... 66 Attack Surfaces.................................................................................................................... 67 Figure 1.4 Defense in Depth and Attack Surface......................................................... 67 Attack Trees......................................................................................................................... 68 1.6 Computer Security Strategy............................................................................................... 71 Security Policy..................................................................................................................... 72 Assurance and Evaluation.................................................................................................... 73 1.7 Standards............................................................................................................................ 74 1.8 Key Terms, Review Questions, and Problems................................................................... 75 Key Terms............................................................................................................................ 75 Review Questions................................................................................................................. 77 Problems............................................................................................................................... 78 2.1 Confidentiality with Symmetric Encryption...................................................................... 82 Symmetric Encryption.......................................................................................................... 83 Figure 2.1...................................................................................................................... 83 Simplified Model of Symmetric Encryption................................................................. 83 Symmetric Block Encryption Algorithms............................................................................ 84 Data Encryption Standard................................................................................................. 85 Triple DES........................................................................................................................ 86 Advanced Encryption Standard........................................................................................ 87 Practical Security Issues................................................................................................... 87 Stream Ciphers..................................................................................................................... 88 2.2 Message Authentication and Hash Functions.................................................................... 90 Authentication Using Symmetric Encryption...................................................................... 90 Message Authentication without Message Encryption........................................................ 91 Message Authentication Code.......................................................................................... 92 One-Way Hash Function.................................................................................................. 94 Secure Hash Functions......................................................................................................... 97 Hash Function Requirements............................................................................................ 98 Security of Hash Functions............................................................................................... 99 Secure Hash Function Algorithms.................................................................................... 99 Page 24 of 1641 Other Applications of Hash Functions............................................................................... 100 2.3 Public-Key Encryption..................................................................................................... 101 Public-Key Encryption Structure....................................................................................... 102 Applications for Public-Key Cryptosystems...................................................................... 105 Requirements for Public-Key Cryptography...................................................................... 106 Asymmetric Encryption Algorithms.................................................................................. 107 RSA................................................................................................................................ 108 Diffie–Hellman Key Agreement.................................................................................... 108 Digital Signature Standard.............................................................................................. 108 Elliptic Curve Cryptography.......................................................................................... 108 2.4 Digital Signatures and Key Management........................................................................ 110 Digital Signature................................................................................................................ 110 Public-Key Certificates...................................................................................................... 112 Symmetric Key Exchange Using Public-Key Encryption................................................. 114 Digital Envelopes............................................................................................................... 115 2.5 Random and Pseudorandom Numbers............................................................................. 118 The Use of Random Numbers............................................................................................ 118 Randomness.................................................................................................................... 119 Unpredictability.............................................................................................................. 120 Random versus Pseudorandom.......................................................................................... 120 2.6 Practical Application: Encryption of Stored Data........................................................... 121 2.7 Key Terms, Review Questions, and Problems................................................................. 123 Key Terms.......................................................................................................................... 123 Review Questions............................................................................................................... 125 Problems............................................................................................................................. 126 A Model for Digital User Authentication.......................................................................... 132 Means of Authentication.................................................................................................... 134 Multifactor Authentication................................................................................................. 134 Assurance Levels for User Authentication......................................................................... 136 3.2 Password-Based Authentication...................................................................................... 137 The Vulnerability of Passwords......................................................................................... 138 The Use of Hashed Passwords........................................................................................... 140 UNIX Implementations.................................................................................................. 143 Password Cracking of User-Chosen Passwords................................................................. 143 Traditional Approaches.................................................................................................. 144 Modern Approaches....................................................................................................... 145 Password File Access Control............................................................................................ 146 Password Selection Strategies............................................................................................ 147 Page 25 of 1641 Rule Enforcement........................................................................................................... 149 Password Checker........................................................................................................... 149 Bloom Filter.................................................................................................................... 150 3.3 Token-Based Authentication........................................................................................... 150 Memory Cards.................................................................................................................... 151 Smart Cards........................................................................................................................ 152 Electronic Identity Cards.................................................................................................... 154 Eid Functions.................................................................................................................. 155 Password Authenticated Connection Establishment (PACE)........................................ 157 Hardware Authentication Tokens....................................................................................... 158 Authentication Using a Mobile Phone............................................................................... 161 3.4 Biometric Authentication................................................................................................. 163 Physical Characteristics Used in Biometric Applications.................................................. 164 Operation of a Biometric Authentication System.............................................................. 166 Figure 3.8 A Generic Biometric System..................................................................... 167 Biometric Accuracy............................................................................................................ 167 3.5 Remote User Authentication............................................................................................ 171 Password Protocol.............................................................................................................. 172 Figure 3.12 Basic Challenge-Response Protocols for Remote User Authentication.. 172 Token Protocol................................................................................................................... 173 Static Biometric Protocol................................................................................................... 174 Dynamic Biometric Protocol.............................................................................................. 175 3.6 Security Issues for User Authentication.......................................................................... 176 3.7 Practical Application: An Iris Biometric System............................................................. 179 3.8 Case Study: Security Problems for ATM Systems.......................................................... 182 3.9 Key Terms, Review Questions, and Problems................................................................. 184 Key Terms.......................................................................................................................... 184 Review Questions............................................................................................................... 185 Problems............................................................................................................................. 186 Learning Objectives........................................................................................................... 189 4.1 Access Control Principles................................................................................................ 191 Access Control Context...................................................................................................... 192 Figure 4.1 Relationship among Access Control and Other Security Functions......... 192 Access Control Policies...................................................................................................... 194 4.2 Subjects, Objects, and Access Rights.............................................................................. 195 4.3 Discretionary Access Control.......................................................................................... 196 Figure 4.2 Example of Access Control Structures...................................................... 196 Table 4.2 Authorization Table for Files in Figure 4.2................................................ 198 Page 26 of 1641 An Access Control Model.................................................................................................. 199 Figure 4.3 Extended Access Control Matrix............................................................... 199 Figure 4.4 An Organization of the Access Control Function..................................... 200 Table 4.3 Access Control System Commands............................................................ 201 The ability of one subject to create another subject and to have ‘owner’ access right to that subject can be used to define a hierarchy of subjects. For example, in Figure 4.3, owns and so and are subordinate to By the rules of Table 4.3, can grant and delete to access rights that already has. Thus, a subject can create another subject with a subset of its own access rights. This might be useful, for example, if a subject is invoking an application that is not fully trusted and does not want that application to be able to transfer access rights to other subjects........................................................................ 202 Protection Domains............................................................................................................ 203 4.4 Example: UNIX File Access Control.............................................................................. 204 Traditional UNIX File Access Control.............................................................................. 205 Figure 4.5 UNIX File Access Control........................................................................ 205 Access Control Lists in UNIX........................................................................................... 207 4.5 Mandatory Access Control.............................................................................................. 208 Bell-LaPadula (BLP) Model.............................................................................................. 209 4.6 Role-Based Access Control............................................................................................. 210 Figure 4.7 Access Control Matrix Representation of RBAC..................................... 212 4.6 Role Base Access Control............................................................................................ 212 RBAC Reference Models................................................................................................... 212 Figure 4.8 A Family of Role-Based Access Control Models..................................... 213 Base Model—................................................................................................................. 213 Role Hierarchies—......................................................................................................... 214 Figure 4.9 Example of Role Hierarchy....................................................................... 214 Constraints—.................................................................................................................. 215 4.7 Attribute-Based Access Control...................................................................................... 217 Attributes............................................................................................................................ 218 ABAC Logical Architecture............................................................................................... 219 Figure 4.10 ABAC Scenario....................................................................................... 219 ABAC Policies................................................................................................................... 222 4.8 Identity, Credential, and Access Management................................................................ 225 Figure 4.12 Identity, Credential, and Access Management (ICAM).......................... 225 Identity Management.......................................................................................................... 226 Credential Management..................................................................................................... 227 Access Management........................................................................................................... 228 Identity Federation............................................................................................................. 229 4.9 Trust Frameworks............................................................................................................ 230 Traditional Identity Exchange Approach........................................................................... 231 Page 27 of 1641 Figure 4.13 Identity Information Exchange Approaches............................................ 231 Open Identity Trust Framework......................................................................................... 234 4.10 Case Study: RBAC System for a Bank.......................................................................... 237 Table 4.5 Functions and Roles for Banking Example................................................ 237 Figure 4.14 Example of Access Control Administration............................................ 239 4.11 Key Terms, Review Questions, and Problems............................................................... 240 Key Terms.......................................................................................................................... 240 Review Questions............................................................................................................... 242 Problems............................................................................................................................. 243 Figure 4.15 VAX/VMS Access Modes...................................................................... 244 Learning Objectives........................................................................................................... 246 5.1 The Need for Database Security...................................................................................... 248 5.2 Database Management Systems....................................................................................... 249 5.3 Relational Databases........................................................................................................ 251 Elements of a Relational Database System........................................................................ 253 Table 5.1 Basic Terminology for Relational Databases............................................. 253 Structured Query Language............................................................................................... 255 5.4 SQL Injection Attacks...................................................................................................... 256 A Typical SQLi Attack...................................................................................................... 257 The Injection Technique..................................................................................................... 259 SQLi Attack Avenues and Types....................................................................................... 260 SQLi Countermeasures...................................................................................................... 262 5.5 Database Access Control................................................................................................. 263 SQL-Based Access Definition........................................................................................... 264 Cascading Authorizations.................................................................................................. 266 Figure 5.6 Teri Revokes Privilege from David........................................................... 266 Role-Based Access Control................................................................................................ 268 Table 5.2 Fixed Roles in Microsoft SQL Server........................................................ 268 5.6 Inference.......................................................................................................................... 271 Figure 5.7 Indirect Information Access via Inference Channel.................................. 271 5.7 Database Encryption........................................................................................................ 275 Figure 5.10 Encryption Scheme for Database of Figure 5.3....................................... 277 5.8 Data Center Security........................................................................................................ 280 Data Center Elements......................................................................................................... 281 Figure 5.11 Key Data Center Elements...................................................................... 281 Data Center Security Considerations................................................................................. 282 Figure 5.12 Data Center Security Model.................................................................... 283 TIA-492.............................................................................................................................. 283 Page 28 of 1641 Table 5.4 Data Center Tiers Defined in TIA-942....................................................... 284 5.9 Key Terms, Review Questions, and Problems................................................................. 286 Key Terms.......................................................................................................................... 286 Review Questions............................................................................................................... 287 Problems............................................................................................................................. 288 Learning Objectives........................................................................................................... 294 Learning Objectives........................................................................................................... 297 A Broad Classification of Malware.................................................................................... 301 Attack Kits.......................................................................................................................... 302 Attack Sources.................................................................................................................... 303 Macro and Scripting Viruses.............................................................................................. 310 A Brief History of Worm Attacks...................................................................................... 321 State of Worm Technology................................................................................................ 324 Mobile Code....................................................................................................................... 325 Clickjacking....................................................................................................................... 328 6.5 Propagation—Social Engineering—Spam E-Mail, Trojans............................................ 329 Trojan Horses..................................................................................................................... 332 Mobile Phone Trojans........................................................................................................ 334 Figure 8.9 Snort Architecture..................................................................................... 468 Circuit-Level Gateway....................................................................................................... 497 Figure 13.11 IoT Gateway Security Functions........................................................... 771 Figure 14.5 Judgment about Risk Treatment.............................................................. 819 Review Questions............................................................................................................... 864 Problems............................................................................................................................. 865 Table 16.1 Characteristics of Natural Disasters.......................................................... 871 Table 16.3 Saffir/Simpson Hurricane Scale................................................................ 873 Table 16.4 Temperature Thresholds for Damage to Computing Resources............... 875 Figure 16.1 Standard Fire Temperature–Time Relations Used for Testing of Building Elements...................................................................................................................... 877 Table 16.6 Degrees of Security and Control for Protected Areas [ARMY10]........... 896 Table 17.1 Comparative Framework.......................................................................... 908 Table 17.3 Examples of Possible Information Flow to and from the Incident-Handling Service......................................................................................................................... 935 Table 18.1 Security Audit Terminology (RFC 4949)................................................. 943 Figure 18.1 Security Audit and Alarms Model (X.816)............................................. 946 Figure 18.2 Distributed Audit Trail Model (X.816)................................................... 947 Figure 18.3 Common Criteria Security Audit Class Decomposition......................... 949 Table 18.2 Auditable Items Suggested in X.816........................................................ 954 Page 29 of 1641 Monitoring Areas Suggested in ISO 27002................................................................ 955 Figure 18.4 Examples of Audit Trails......................................................................... 956 Table 18.4 Windows Event Schema Elements........................................................... 961 Figure 18.5 Windows System Log Entry Example.................................................... 963 Figure 18.6.................................................................................................................. 967 Examples of Syslog Messages.................................................................................... 967 Table 18.5 UNIX Syslog Facilities and Severity Levels............................................ 968 Figure 18.9 Run-Time Environment for Application Auditing.................................. 976 Table 19.1................................................................................................................... 996 Cybercrimes Cited in the Convention on Cybercrime................................................ 996 Table 19.2 CERT 2007 E-Crime Watch Survey Results............................................ 999 Figure 19.2 DRM Components................................................................................. 1011 Figure 19.4 Common Criteria Privacy Class Decomposition................................... 1019 Figure 19.6 ACM Code of Ethics and Professional Conduct................................... 1030 Figure 19.8 AITP Standard of Conduct.................................................................... 1032 Table 20.1 Types of Attacks on Encrypted Messages.............................................. 1048 Triple DES........................................................................................................................ 1056 Figure 20.2 Triple DES............................................................................................. 1056 The SHA Secure Hash Function...................................................................................... 1103 Table 21.1................................................................................................................. 1104 Comparison of SHA Parameters............................................................................... 1104 HMAC Algorithm............................................................................................................ 1112 Figure 21.4 HMAC Structure................................................................................... 1112 Figure 21.5 OCB Encryption and Authentication..................................................... 1118 Figure 21.6................................................................................................................ 1122 OCB Algorithms....................................................................................................... 1122 Description of the Algorithm........................................................................................... 1124 Figure 21.8 Example of RSA Algorithm.................................................................. 1126 Timing Attacks............................................................................................................. 1129 21.5 Diffie-hellman and Other Asymmetric Algorithms..................................................... 1132 Diffie-Hellman Key Exchange......................................................................................... 1132 21.5 Diffie-hellman and Other Asymmetric Algorithms..................................................... 1132 Diffie-Hellman Key Exchange......................................................................................... 1132 The Algorithm.............................................................................................................. 1133 Figure 21.9 The Diffie-Hellman Key Exchange Algorithm..................................... 1134 Key Exchange Protocols............................................................................................... 1135 Figure 21.10.............................................................................................................. 1135 Other Public-Key Cryptography Algorithms................................................................... 1140 Page 30 of 1641 Digital Signature Standard............................................................................................ 1034 Elliptic-Curve Cryptography........................................................................................ 1034 Post-Quantum Cryptography........................................................................................ 1034 21.6 Key Terms, Review Questions, and Problems............................................................. 1141 Key Terms........................................................................................................................ 1141 Problems........................................................................................................................... 1143 MIME............................................................................................................................... 1150 S/MIME............................................................................................................................ 1151 Table 22.1 S/MIME Content Types.......................................................................... 1152 Figure 22.1 Simplified S/MIME Functional Flow.................................................... 1153 Signed and Clear-Signed Data...................................................................................... 1154 Enveloped Data............................................................................................................. 1155 Public-Key Certificates................................................................................................. 1155 22.2 Domainkeys Identified Mail........................................................................................ 1156 Internet Mail Architecture................................................................................................ 1157 Figure 22.2 Function Modules and Standardized Protocols Used Between Them in the Internet Mail Architecture......................................................................................... 1159 DKIM Strategy................................................................................................................. 1161 Figure 22.3 Simple Example of DKIM Deployment................................................ 1162 22.3 Secure Sockets Layer (SSL) and Transport Layer Security (TLS).............................. 1164 TLS Architecture.............................................................................................................. 1165 Figure 22.4 SSL/TLS Protocol Stack........................................................................ 1165 TLS Protocols................................................................................................................... 1167 Record Protocol............................................................................................................ 1167 Figure 22.5 TLS Record Protocol Operation............................................................ 1167 Change Cipher Spec Protocol....................................................................................... 1168 Alert Protocol............................................................................................................... 1168 Handshake Protocol...................................................................................................... 1169 Figure 22.6 Handshake Protocol Action................................................................... 1170 Heartbeat Protocol........................................................................................................ 1172 SSL/TLS Attacks.............................................................................................................. 1174 Attack Categories......................................................................................................... 1174 Heartbleed..................................................................................................................... 1176 Figure 22.7 The Heartbleed Exploit.......................................................................... 1177 22.4 HTTPS......................................................................................................................... 1179 Connection Initiation........................................................................................................ 1180 Connection Closure.......................................................................................................... 1181 22.5 IPv4 and IPv6 Security................................................................................................ 1182 Page 31 of 1641 IP Security Overview....................................................................................................... 1182 Applications of IPsec.................................................................................................... 1183 Benefits of IPsec........................................................................................................... 1184 Routing Applications.................................................................................................... 1184 The Scope of IPsec........................................................................................................... 1186 Security Associations....................................................................................................... 1187 Encapsulating Security Payload....................................................................................... 1189 Figure 22.8 IPsec ESP Format.................................................................................. 1190 Transport and Tunnel Modes........................................................................................... 1191 Transport Mode............................................................................................................ 1191 Tunnel Mode................................................................................................................. 1191 22.6 Key Terms, Review Questions, and Problems............................................................. 1193 Key Terms........................................................................................................................ 1193 Review Questions............................................................................................................. 1194 Figure 22.9 Antireplay Mechanism.......................................................................... 1196 Chapter 23Internet Authentication AChapter 23 Internet Authentication Applicationsications.............................................................................................................................................. 1198 Learning Objectives......................................................................................................... 1198 23.1 Kerberos....................................................................................................................... 1199 The Kerberos Protocol..................................................................................................... 1200 Figure 23.1 Overview of Kerberos........................................................................... 1201 Kerberos Realms and Multiple Kerberi........................................................................... 1207 Figure 23.2 Request for Service in Another Realm.................................................. 1208 Version 4 and Version 5................................................................................................... 1210 Performance Issues........................................................................................................... 1211 23.2 X.509............................................................................................................................ 1212 Figure 23.3 X.509 Formats....................................................................................... 1213 Public Key Infrastructure X.509 (PKIX)......................................................................... 1217 Figure 23.4 PKIX Architectural Model.................................................................... 1218 23.4 Key Terms, Review Questions, and Problems............................................................. 1220 Key Terms........................................................................................................................ 1220 Review Questions............................................................................................................. 1221 Problems.......................................................................................................................... 1222 ChapterChapter 24............................................................................................................... 1225 Wireless Network Securityeless Network Security............................................................. 1225 Learning Objectives......................................................................................................... 1226 24.1 Wireless Security......................................................................................................... 1227 Figure 24.1 Wireless Networking Components........................................................ 1228 Page 32 of 1641 Wireless Network Threats................................................................................................ 1229 Wireless Security Measures............................................................................................. 1231 Securing Wireless Transmissions................................................................................. 1231 Securing Wireless Access Points.................................................................................. 1232 Securing Wireless Networks........................................................................................ 1232 24.2 Mobile Device Security............................................................................................... 1233 Security Threats................................................................................................................ 1235 Lack of Physical Security Controls.............................................................................. 1235 Use of Untrusted Mobile Devices................................................................................ 1235 Use of Untrusted Networks.......................................................................................... 1236 Use of Untrusted Applications..................................................................................... 1236 Interaction with Other Systems.................................................................................... 1236 Use of Untrusted Content............................................................................................. 1236 Use of Location Services.............................................................................................. 1237 Mobile Device Security Strategy..................................................................................... 1238 Figure 24.2 Mobile Device Security Elements......................................................... 1238 Device Security............................................................................................................. 1239 Traffic Security............................................................................................................. 1240 Barrier Security............................................................................................................. 1241 24.3 IEEE 802.11 Wireless LAN Overview........................................................................ 1242 Table 24.1 IEEE 802.11 Terminology...................................................................... 1242 The Wi-Fi Alliance........................................................................................................... 1243 IEEE 802 Protocol Architecture....................................................................................... 1244 Figure 24.3 IEEE 802.11 Protocol Stack.................................................................. 1244 Physical Layer.............................................................................................................. 1245 Medium Access Control............................................................................................... 1245 Figure 24.4 General IEEE 802 MPDU Format......................................................... 1246 Logical Link Control.................................................................................................... 1246 IEEE 802.11 Network Components and Architectural Model......................................... 1247 Figure 24.5 IEEE 802.11 Extended Service Set....................................................... 1248 IEEE 802.11 Services....................................................................................................... 1251 Table 24.2 IEEE 802.11 Services............................................................................. 1251 Distribution of Messages Within a DS......................................................................... 1252 Association-Related Services....................................................................................... 1252 24.4 IEEE 802.11i Wireless LAN Security......................................................................... 1255 Figure 24.6 Elements of IEEE 802.11i..................................................................... 1257 IEEE 802.11i Phases of Operation................................................................................... 1259 Figure 24.7 IEEE 802.11i Phases of Operation........................................................ 1261 Page 33 of 1641 Discovery Phase............................................................................................................... 1263 Figure 24.8 IEEE 802.11i Phases of Operation: Capability Discovery, Authentication, and Association......................................................................................................... 1263 Security Capabilities..................................................................................................... 1264 MPDU Exchange.......................................................................................................... 1265 Authentication Phase........................................................................................................ 1268 IEEE 802.1X Access Control Approach...................................................................... 1268 Figure 24.9 802.1X Access Control.......................................................................... 1269 MPDU Exchange.......................................................................................................... 1269 EAP Exchange.............................................................................................................. 1270 Key Management Phase................................................................................................... 1272 Figure 24.10 IEEE 802.11i Key Hierarchies............................................................ 1272 Table 24.3 IEEE 802.11i Keys for Data Confidentiality and Integrity Protocols.... 1273 Pairwise Keys............................................................................................................... 1275 Group Keys................................................................................................................... 1276 Pairwise Key Distribution............................................................................................ 1276 Figure 24.11 IEEE 802.11i Phases of Operation: 4-Way Handshake and Group Key Handshake................................................................................................................. 1278 Protected Data Transfer Phase......................................................................................... 1280 TKIP............................................................................................................................. 1280 CCMP........................................................................................................................... 1281 The IEEE 802.11i Pseudorandom Function..................................................................... 1282 Figure 24.12 IEEE 802.11i Pseudorandom Function............................................... 1283 24.5 Key Terms, Review Questions, and Problems............................................................. 1284 Key Terms........................................................................................................................ 1284 Review Questions............................................................................................................. 1286 Problems........................................................................................................................... 1287 Figure 24.13 WEP Authentication............................................................................ 1288 Appendix A: Projects and Other Student Exercises for Teaching Computer Security........ 1290 A.1 Hacking Project............................................................................................................. 1292 A.2 Laboratory Exercises..................................................................................................... 1294 A.3 Security Education (Seed) Projects............................................................................... 1295 Table A.1 Mapping of SEED Labs to Textbook Chapters....................................... 1296 A.4 Research Projects.......................................................................................................... 1299 A.5 Programming Projects................................................................................................... 1300 A.6 Practical Security Assessments..................................................................................... 1301 A.7 Firewall Projects........................................................................................................... 1302 A.8 Case Studies.................................................................................................................. 1303 Page 34 of 1641 A.9 Reading/Report Assignments........................................................................................ 1304 A.10 Writing Assignments................................................................................................... 1305 Appendix B: Some Aspects of Number Theory.................................................................. 1306 B.1 Prime and Relatively Prime Numbers........................................................................... 1307 Divisors............................................................................................................................ 1308 Prime Numbers................................................................................................................. 1309 Relatively Prime Numbers............................................................................................... 1310 B.2 Modular Arithmetic....................................................................................................... 1311 Figure B.1 The Relationship.................................................................................... 1311 Modular Arithmetic Operations....................................................................................... 1313 Inverses............................................................................................................................. 1314 (B.1).......................................................................................................................... 1314 (B.2).......................................................................................................................... 1314 B.3 Fermat’s and Euler’s Theorems.................................................................................... 1315 Fermat’s Theorem............................................................................................................ 1316 (B.3).......................................................................................................................... 1316 Euler’s Totient Function................................................................................................... 1318 Appendix C: Standards and Standard-Setting Organizations.............................................. 1323 C.1 The Importance of Standards........................................................................................ 1324 C.2 Internet Standards and the Internet Society................................................................... 1326 The Internet Organizations and RFC Publication............................................................ 1327 Table C.1 IETF Areas............................................................................................... 1328 The Standardization Process............................................................................................ 1330 Figure C.1 Internet RFC Publication Process........................................................... 1331 Internet Standards Categories........................................................................................... 1333 Other RFC Types............................................................................................................. 1334 C.3 The National Institute of Standards and Technology.................................................... 1336 C.4 The International Telecommunication Union............................................................... 1338 ITU Telecommunication Standardization Sector............................................................. 1339 Schedule........................................................................................................................... 1340 C.5 The International Organization for Standardization...................................................... 1341 C.6 Significant Security Standards and Documents............................................................ 1344 International Organization for Standardization (ISO)...................................................... 1345 National Institute of Standards and Technology (NIST)................................................. 1346 International Telecommunication Union Telecommunication Standardization Sector (ITU- T)......