Lectures Tu
lecturer J. Jormakka

Exercises We
and We
laboratory M. Nardone

in groups, each group every second week

Content: Security attack and defense mechanisms.

Lecture material:

Find any thick book of security of the Internet dealing with the
matters on the course.

Lecture notes are copies of transparencies; they are not good as
stand-alone study material. They are a checklist of the issues
treated on the course, so that you know what to study from books.
The exam is largely based on the lecture notes.

The slides from year may be nicer to read than mine.

General content

GOAL: The course is about security attacks to the Internet and
ways to protect the network.

LECTURES: The lectures explain different attack and defense
mechanisms on a beginner level.

The first lectures explain basic mechanisms which can be used
in the exercises, later lectures deal with some special issues
and cannot be tried in the laboratory at least this year.

EXERCISES: The exercises are mandatory (you do not need to attend
every time, but returning a report by the end of the course is
required; the report is made by the group).

It is known that there were problems with the laboratory
equipment and arrangements last year.

To partially improve this, each group will write a laboratory
work description of one work.

What the course is not?

This is not a basic course of applied cryptography. For
instance, B. Schneier: Applied Cryptography is a source for
this kind of information for engineers. This kind of
knowledge is not assumed in this course.

This is not a course giving up-to-date information on current
security products and tools; take instead some course from
TIK with visiting lecturers from industry.

This course does not teach good hacking tricks. All
information in the lectures is available in books on these
matters. In the exercises you may be trying attacks that might
still work somewhere. Attacking any real network is illegal; do
not do so.

The course ignores security policies, security in organizations, etc.

What is this course then? It is a basic course of security for our
students, as TIK's courses have too many students already.

Content should cover something like:


Security tools & mechanisms:

Firewalls, Scanners

Antivirus tools, viruses, worms, trojans

Intrusion Detection & logs

IPsec, IKE

Java security, Web security (CGI etc.)

eCommerce security issues, PKI

secure email, like PGP

authentication (AAA, Kerberos/Active directory... etc.)

SSH, SSL, whatever security protocols, WLAN security etc.

Information warfare

attacks, statistics, importance

That is, technical aspects of practical security


Introduction, Hacking


Scanning, Viruses


Denial of Service attack, Firewalls


Security logs, Intrusion Detection Systems


Basics of cryptography and cryptoanalysis


IPsec, IKE


Java security, CGI security


WLAN security, Bluetooth security


Overview of ISO standard and SAML


PGP, Kerberos


Security of operating systems (Win



GSM, GPRS, UMTS security features


no lecture


PKI, WPKI, SET, smart cards


Information warfare, hints to the exam



Exercise assistant: Nardone Massimo

Exercise time, every second week

In groups of , each time groups have a place in the laboratory.

Exercise report returned by the group by on paper to
a place announced later.

Exercise report is free form, must contain names and the name
of the course.

Report is evaluated as accepted / not accepted (not accepted = returned for revision).

It should explain what you did. Minimum exercises done, not
necessarily successfully, but a good try is needed.

You are encouraged to try something new: pick up some new
tools, try some new attacks, but do not do useless things here!

You can also make one individual larger exercise.

What should be protected?

Security attacks usually violate one of the following:

Privacy: data is not disclosed to unauthorized people.

Integrity: data is not changed by unauthorized people.

Availability: data is available to authorized users
(people or something else).

Let us define that security breaches are made by people: there must
be one or more intentional human attackers for a security attack.

This means that destruction of data by a natural catastrophe, or
forgetting to lock a door, are not attacks. They may enable attacks,
but an attack requires a person doing it intentionally.

Security = (Privacy, Integrity, Availability)?

Almost, but not quite: there are some other aspects of security
not covered by this triplet.

One is

(cannot deny having done

Privacy, integrity and availability are not independent aspects:

Integrity and availability can be related: if an unauthorized
user manages to encrypt some protected data, has the data become
unavailable, or has its integrity been violated?

Privacy and integrity can be related: if an unauthorized
user plants a trapdoor which can later be used for a violation
of privacy (like reading files) or a violation of integrity (like
removing files), which area does planting the trapdoor violate?

Privacy and availability can be related: the same trapdoor
could be used to violate availability.

What should be protected?

A type of security attack which does not attack privacy, integrity
or availability is, for instance, faking somebody's digital signature
and thereby faking an agreement in somebody's name for a business deal
outside data communications.

The classification (privacy, integrity and availability) applies best
to attacks on stored data.

There are other areas, like

attacks on processes
(like forcing a process to misbehave)

attacks on transmitted data

security as a service
(like giving digital signatures)

These areas may require a wider classification scheme.

What about the law?

The Finnish legislation treats communication security in several


“Privacy of a telephone call or some other confidential
message must not be violated.”

A law can make an exception to this general rule in the

Law of privacy in work life


states that there is separate legislation giving an employer
some right to monitor and control communications and email.
This legislation does not exist yet, but there is a new proposal.

Thus personal email, even if it arrives at a workplace mail
server, is protected by privacy, including the header information.

The employer has the right to search for and filter out letters which
are by content addressed to the firm, even if they arrive in the
mailbox of an employee and are addressed to the employee.

What about the law?

Law of privacy in telecommunication

Concerns the personnel of telecommunication firms.

Reading transmitted data is a security breach.

Criminal law

If access is obtained by breaking security mechanisms, it is
a criminal act.

Writing/ spreading viruses is a crime.

Law of personnel registers


states that registers must be kept in such a way that
privacy of people whose information is registered is not

There are many other relevant references in the law.

What about the law?

The present legislation is not considered to cover all cases:

If, for instance, a system administrator reads emails sent to a
former employee while the mail is in a mailbox, it was still
years ago unclear whether he violates the privacy of mail.

Now email security is rather clear (he does, but some
mechanisms are coming for the employer to filter letters
which by content are addressed to the employer).

Copying data protected by security mechanisms is a theft; if the
data is not well protected, it is less clear whether it is a theft.

Damaging somebody's system is most probably criminal, as is any
unauthorized damaging act.

Writing/spreading a virus is a crime, but what is a virus?

Who are the attackers?

The attackers include different types of people: teenage
hackers wanting to impress peers, university
students/personnel trying some nice new trick, tiger teams,
dissatisfied former employees, computer criminals, industrial
and military spies, vandals and terrorists.

Rather than listing all types, we can classify the
attackers by their goals:

wish to show ability (hackers)

economic gain (criminals)

wish to destroy (vandals)

political and military gain (terrorists, military, spies)

Why security problems in data networks?

When discussing security of the Internet it is customary to mention
that there are security problems in all communication networks, but
it is not quite so: there are more problems in the Internet than in,
say, the PSTN.

If you compare the Internet to a telecommunication network
like the PSTN or GSM, you see that a telecommunication network is
basically a service network.

What one can do with a service network is: cheat on bills if the
signaling is too simple, block the network if it is not well enough
protected, listen to transmissions unless they are encrypted well
enough, cause problems like crashing some services by exploiting
bugs, and abuse services.

There were early PSTN phreakers, but they could never be the
threat that Internet crackers are. Phreakers could only call on
somebody else's account.

Why security problems in data networks?

To a large extent we can design the network and services
so well that these problems can be avoided. I think it is
possible to offer a sufficiently large set of sufficiently
secure services.

A data communication network like the Internet is
basically a platform for doing any computing on
networked computers. Its origin is networked computing in
a LAN in a secure environment.

Such an environment wants to offer things like remote
access, which make possible stealing files, destroying data

I think a general purpose convenient distributed computing
environment will not be secure.

Why security problems in data networks?

What is the future?

To a large extent the Internet is no longer a distributed
computing platform. Firewalls block remote access to hosts
outside your own network.

People mostly use a small set of services: email, file transfer,
web, maybe in the future voice and video services. There is
little need for the possibility to remotely log into a system at all.
Maybe we could drop all dangerous features.

But there are other development scenarios: mobile code is still
one of the favorite ideas in the Internet community.
Executable attachments in email, like macros, applets and
scripts, cause security problems.

Seems that the Internet may not become a secure service

Why security problems in data networks?

Some think that Internet security will be solved in a short
time, and maybe is almost solved with IPsec and IKE.

There are indeed methods to solve some security problems:

privacy of transmitted data through IPsec

privacy of transmitted and stored data through, for example, PGP

authentication through public key cryptography or by one-time
passwords

protection against some forms of address spoofing and exploitation of
vulnerabilities through firewalls

protection against some known types of malicious code
through virus protection

protection against misbehaving malicious code through a
sandbox model like in Java security

use of scanners for locating vulnerabilities

Why security problems in data networks?

There are security problems which are not yet solved and may
not be solvable.

My favorites are the following problems:

Denial of Service (DoS) attacks. At the moment these attacks use
features of some protocols, but in general, overload protection is
very difficult for a network whose structure is not carefully

Bugs in software and design. These vulnerabilities can usually be
fixed if they are found, but if new applications are introduced at a
fast pace without careful quality control, there is no hope of
getting all bugs removed. In general, avoiding bugs is

There are no complete protection methods for harmful mobile
code of different types (Java scripts, mobile agents etc.)

Additionally, social engineering works fine.

Why security problems in data networks?

Often it is stated that the problem is not technical but
organizational: the organization is not security

Then the personnel use poor passwords and social
engineering attacks work.

Thus: security can be fixed by organizational means.

There are organizations which need a high security
policy (like the army), including a security
classification of all documents.

However, this way also leads to more control.

Higher security may become counterproductive.