Intro to Cyber Security Review


Scale:

  • past exams with suggested answers, review exercises with suggested outlines, class PPT
  • study partner after class, or self-learning; many open courses and resources on RSA and other related points are available online, e.g. edX, Coursera, Crypto++, Stack Overflow, etc.

Cyber Security Overview

Needs of Cyber Security

  • Information Security: protection of information
  • Network Security: protection of networks and their services

Objective

  • Objective of Cyber Security
    • Confidentiality: information is accessible only to authorized entities
    • Integrity:
      • data integrity: no unauthorized or accidental modifications to information
      • system integrity: Information systems are accurate and consistent
    • Availability: resources are available to authorized entities when needed
  • Objectives of information security management
    • business continuity
    • Minimize business damage
    • Maximize return on investments and business opportunities

Cyber Security Challenges

  1. Security attack – Any action that compromises the security of information owned by an organization
  2. Vulnerability – A weakness in a security system
  3. Threat – A set of circumstances that has the potential for violation of security – Caused by human (e.g., human error, hackers) – Non-human caused (e.g., software flaws, natural disaster)
  4. A threat agent exploiting a vulnerability results in a security attack
  5. Factors Affecting Cyber Security Programs
  6. Type of Security attack
    • Passive: Eavesdropping on or monitoring of transmission to
      • obtain message content
      • perform traffic analysis
    • Active: Modification of data stream or creation of false data stream to
      • masquerade
      • replay
      • modify messages
      • perform denial of service

Cyber Security Frameworks

A cyber security framework provides a set of common language, standards and best practices to facilitate cyber security management.

ITU-T X.800 Security Architecture for OSI defines a systematic approach. It defines a security service as a service provided by a protocol layer of communicating open systems which ensures adequate security of the systems or of data transfers.

RFC 2828: a security service is a communication service that is provided by a system to give a specific kind of protection to system resources.

  • Specific security mechanisms for specific protocol layers
  • Pervasive security mechanisms that are not specific to any particular protocol layer or security services

The Risk Management Cycle


Risk Assessment

  1. Approach
    • Quantitative: Quantify risk elements such as Asset value, Threat frequency and Uncertainty.
    • Qualitative: Use a "ranking" approach.

Cryptology

  • Cryptography: The mathematical science that deals with the design of algorithms and protocols for information protection (cryptographic systems)
  • Cryptanalysis: The mathematical science that deals with breaking cryptographic systems
  • Steganography: The science of information hiding

Encryption and Decryption

  • Encryption and decryption keys do not have to be the same
  • Encryption and decryption algorithms do not have to be the same
  • Unpublished algorithms are proprietary and may not be fully analyzed by experts

Symmetric Cryptographic Algorithms

The encryption key is the same as the decryption key (known as the secret key)

  • Advantages
    • Fast compared to asymmetric cryptographic algorithms
  • Disadvantages
    • Key distribution issue
    • Complex key management ($\binom{n}{2} \sim n^2$ keys are required for n entities)
  • Mainly used for mass encryption to achieve confidentiality
  • Some published symmetric encryption algorithms

Triple DES

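For DES, the effective key size is 56 bits and the input key size is 64 bits.

Let $E_K()$ and $D_K()$ denote the DES encryption and decryption functions, P the plaintext and C the ciphertext. The encryption and decryption formulas are then:

  • Encryption: $C = E_{K3}(D_{K2}(E_{K1}(P)))$, i.e. the plaintext goes through encrypt --> decrypt --> encrypt, which yields the ciphertext;
  • Decryption: $P = D_{K1}(E_{K2}(D_{K3}(C)))$, i.e. the ciphertext goes through decrypt --> encrypt --> decrypt, which yields the plaintext.
  • When all three keys are the same, the first two steps cancel each other out, which is equivalent to a single encryption, so compatibility with the ordinary DES algorithm is preserved.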
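The encrypt-decrypt-encrypt composition above, as an added example that is not part of the original notes. `E` and `D` are a toy 32-bit Feistel cipher standing in for DES (an assumption, since Python's standard library has no DES), so only the keying structure is illustrated.

```python
import hashlib

ROUNDS = 4

def _f(half, key, rnd):
    # Toy round function: 16 bits derived from SHA-256(key || round || half).
    d = hashlib.sha256(key + bytes([rnd]) + half.to_bytes(2, "big")).digest()
    return int.from_bytes(d[:2], "big")

def E(key, block):
    """Toy Feistel encryption of one 32-bit block (stand-in for DES E_K)."""
    l, r = block >> 16, block & 0xFFFF
    for rnd in range(ROUNDS):
        l, r = r, l ^ _f(r, key, rnd)
    return (l << 16) | r

def D(key, block):
    """Inverse of E: the same rounds undone in reverse order (stand-in for D_K)."""
    l, r = block >> 16, block & 0xFFFF
    for rnd in reversed(range(ROUNDS)):
        l, r = r ^ _f(l, key, rnd), l
    return (l << 16) | r

def ede_encrypt(k1, k2, k3, p):
    return E(k3, D(k2, E(k1, p)))      # C = E_K3(D_K2(E_K1(P)))

def ede_decrypt(k1, k2, k3, c):
    return D(k1, E(k2, D(k3, c)))      # P = D_K1(E_K2(D_K3(C)))

if __name__ == "__main__":
    k1, k2, k3 = b"key-one", b"key-two", b"key-three"   # constructed sample keys
    p = 0xDEADBEEF
    c = ede_encrypt(k1, k2, k3, p)
    print(hex(c), hex(ede_decrypt(k1, k2, k3, c)))
    # With K1 = K2 = K3 the inner D undoes the first E, leaving single encryption.
    print(ede_encrypt(k1, k1, k1, p) == E(k1, p))
```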

Asymmetric Cryptographic Algorithms

Two different keys are used

  • It is computationally infeasible to derive one from the other

  • Use the concepts of private key and public key

  • There are two scenarios

    • Encrypt with a user's private key & Decrypt with the corresponding public key
    • Encrypt with a user's public key & Decrypt with the corresponding private key
  • Advantages

    • Can be used to achieve non-repudiation (in addition to confidentiality, integrity, and authenticity)
  • Disadvantages

    • Slow compared to symmetric cryptographic algorithms
    • Complex key generation process
  • Asymmetric cryptosystems are mainly used for

    • Secret key exchange
    • Digital signature
  • Some published asymmetric cryptographic algorithms

Hash Functions

  • outputs of fixed sizes

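  • One way: a hash algorithm is a many-to-one mapping. Given a target text S, H maps it uniquely to R, and R has the same length for every S. Because the mapping is many-to-one, H has no inverse mapping that converts R back into a unique S.

  • Collision free: for a given hash function, it is very difficult to find two different inputs (messages) that produce the same hash value (output) after being processed by the hash function.

  • If the protected data is only used for comparison and verification and never needs to be restored to plaintext, use a hash; if the protected data needs to be restored to plaintext later, use encryption.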

Digital Signature

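  • The core purpose of a signature is to prevent information from being tampered with (one way). The private key (encryption) signs, the public key (decryption) verifies.

  • A hashes the original data -> hash value; A encrypts the digest with its private key -> ciphertext; A sends the original data + ciphertext to B.

  • B receives the data: B compares the decrypted content (the hash value A sent) with the hash it computes over the received data; if they are the same, the data has not been tampered with.

  • Order of encryption and signing: sign first, then encrypt. The signature computed by the signature algorithm exists to verify the integrity of the message. If encryption comes first and signing second, any modification of the message content (for example, modifying the encrypted data) means the signature can no longer be verified after decryption, so the integrity of the message cannot be ensured.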

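Mathematical notation for digital signatures

  • P: the original message.
  • H(P): the hash value of the message, used to ensure message integrity.
  • $E_{K_{priA}}$: encryption with A's private key.
  • $E_{K_{S}}$: encryption with the symmetric key K.
  • $E_{K_{pubB}}$: encryption with B's public key.
  • $K_S$: the symmetric key.
  • ||: denotes concatenation.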

Digital signature only: $P||E_{K_{priA}} H(P)$: sender A first hashes the message P, then encrypts this hash value with its own private key, and finally concatenates the original message P with the encrypted hash value to form the digital signature.

Digital signature with Confidentiality: $E_{K_{S}}(P||E_{K_{priA}} H(P))|| E_{K_{pubB}}(K_{S})$
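Both constructions above, written out as an added example that is not part of the original notes. Assumptions: textbook RSA without padding over small Mersenne-prime moduli, a SHA-256 XOR keystream as the symmetric cipher $E_{K_S}$, and a tuple in place of byte concatenation for the outer ||; every name here is made up for the illustration.

```python
import hashlib

PUB_EXP = 65537

def keypair(p, q):
    n = p * q
    return (n, PUB_EXP), (n, pow(PUB_EXP, -1, (p - 1) * (q - 1)))

# Constructed toy keys: Mersenne primes keep the constants short, not secure.
PUB_A, PRI_A = keypair(2**61 - 1, 2**89 - 1)
PUB_B, PRI_B = keypair(2**107 - 1, 2**127 - 1)
SIG_LEN = (PUB_A[0].bit_length() + 7) // 8

def rsa(key, m):                       # textbook RSA: m^exp mod n
    n, exp = key
    return pow(m, exp, n)

def H(msg, n):                         # H(P), reduced into the toy modulus
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sym(ks, data):                     # toy XOR stream cipher, E_KS == D_KS
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(ks + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def sign(p):                           # P || E_KpriA(H(P))
    return p + rsa(PRI_A, H(p, PRI_A[0])).to_bytes(SIG_LEN, "big")

def verify(signed):                    # returns (P, signature_ok)
    p, sig = signed[:-SIG_LEN], signed[-SIG_LEN:]
    return p, rsa(PUB_A, int.from_bytes(sig, "big")) == H(p, PUB_A[0])

def seal(p, ks):                       # E_KS(P || E_KpriA(H(P))) || E_KpubB(K_S)
    return sym(ks, sign(p)), rsa(PUB_B, int.from_bytes(ks, "big"))

def open_(ct, wrapped):                # B unwraps K_S, decrypts, then verifies
    ks = rsa(PRI_B, wrapped).to_bytes(16, "big")
    return verify(sym(ks, ct))

if __name__ == "__main__":
    ks = bytes(range(16))              # constructed 128-bit session key
    ct, wrapped = seal(b"pay 100 to Bob", ks)
    print(open_(ct, wrapped))
    print(open_(bytes([ct[0] ^ 1]) + ct[1:], wrapped))   # one flipped bit
```

The flipped ciphertext bit changes P after decryption, so the recomputed hash no longer matches the value recovered with A's public key and verification fails.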


PKI - Public Key Infrastructure

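PKI is a security framework and architecture used to establish, manage and distribute public keys and to provide secure and trustworthy communication and data transfer. It is a widely used encryption technology framework based on asymmetric cryptographic algorithms, and it achieves authentication and trust through digital certificates and Certificate Authorities (CA).

Put simply, PKI does not refer to one particular technology; it exists as "infrastructure", which includes the hardware, software, people, policies and procedures needed to create, manage, store, distribute and revoke digital certificates. It provides the following services: authentication, encrypted communication, digital signatures.

  • Types of PKI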
    • X.509 based PKI
    • PGP based PKI
  • Components
    • Certificate Authority
    • Registration Authority
    • Certificate Repository
    • Certificate Revocation List
  • Verifying Digital Signatures and Achieving Confidentiality
    1. Check that the certificate is within the validity period
    2. Check the CRL to ensure that the certificate has not been revoked
    3. Check the CA's digital signature
    4. Extract the public key from the certificate and verify the corresponding digital signature or use it to encrypt a session key
  • the most reliable choice of product certification -> Independent Certification
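The four verification steps listed above, applied in order to a constructed certificate record (an added example, not part of the original notes). The dictionary layout, the field names and the toy textbook-RSA CA key are assumptions made for illustration; a real X.509 certificate is DER-encoded and checked with a proper library.

```python
import hashlib
from datetime import datetime, timezone

CA_N = (2**61 - 1) * (2**89 - 1)                   # toy CA modulus (constructed)
CA_E = 65537
CA_D = pow(CA_E, -1, (2**61 - 2) * (2**89 - 2))    # CA private exponent

SIGNED_FIELDS = ("serial", "subject", "not_before", "not_after", "public_key")

def tbs_digest(cert):
    # Hash of the fields the CA signs, reduced into the toy modulus.
    tbs = "|".join(str(cert[k]) for k in SIGNED_FIELDS)
    return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big") % CA_N

def issue(serial, subject, not_before, not_after, public_key):
    cert = dict(serial=serial, subject=subject, not_before=not_before,
                not_after=not_after, public_key=public_key)
    cert["ca_signature"] = pow(tbs_digest(cert), CA_D, CA_N)
    return cert

def validate(cert, crl, now):
    """Return (public_key, None) if all checks pass, else (None, reason)."""
    if not (cert["not_before"] <= now <= cert["not_after"]):      # step 1
        return None, "outside validity period"
    if cert["serial"] in crl:                                     # step 2
        return None, "revoked"
    if pow(cert["ca_signature"], CA_E, CA_N) != tbs_digest(cert): # step 3
        return None, "bad CA signature"
    return cert["public_key"], None                               # step 4

# Constructed sample data.
UTC = timezone.utc
NOW = datetime(2024, 10, 30, tzinfo=UTC)
CERT = issue(1001, "CN=alice.example", datetime(2024, 1, 1, tzinfo=UTC),
             datetime(2025, 1, 1, tzinfo=UTC), "alice-public-key-placeholder")
CRL = {2002, 2003}

if __name__ == "__main__":
    print(validate(CERT, CRL, NOW))
    print(validate(CERT, CRL | {1001}, NOW))
    print(validate(dict(CERT, public_key="swapped-key"), CRL, NOW))
```

The public key is returned only after every earlier check has passed, so a certificate that is expired, revoked or altered never yields a key to verify with or encrypt to.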

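Mathematical Principles

Modular Arithmetic

If the difference $a-b$ of two integers $a$ and $b$ is divisible by $n$, we say that $a$ and $b$ are congruent modulo $n$ ($n \neq 0$).

We say a is congruent to b modulo n, written:

$$a \equiv b \mod n$$

The integer $b$ is called a residue of $a$ modulo $n$, and vice versa.

If for every integer $a$ there exists a unique integer $r_{i} \in R$ such that $a \equiv r_{i} \mod n$, then $R = \{r_{1}, r_{2}, ..., r_{n}\}$ is called a complete set of residues modulo n. The usual complete set of residues is $\{0,1,2,...,n-1\}$.

For an integer k, taking the smallest non-negative integer that is congruent to k modulo n is called reducing k modulo n.

Properties (similar to the associative and distributive laws):

  • $(a+b) \mod n = (a \mod n + b \mod n) \mod n$
  • $ab \mod n = ((a \mod n)(b \mod n)) \mod n$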
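The definitions above as working code (an added example, not part of the original notes; the function names are made up here). It goes one step beyond the text: `modexp` uses the product property to reduce after every multiplication, which is what keeps the modular exponentiation used by RSA cheap.

```python
def reduce_mod(k, n):
    """Reduce k modulo n: the smallest non-negative integer congruent to k."""
    if n == 0:
        raise ValueError("modulus must be non-zero")
    return k % abs(n)

def is_complete_residue_set(R, n):
    """True if every integer is congruent to exactly one element of R modulo n."""
    residues = [reduce_mod(r, n) for r in R]
    return sorted(residues) == list(range(abs(n)))

def modexp(a, e, n):
    """a**e mod n (e >= 0, n > 0) by square-and-multiply.

    Each product is reduced at once, which the product property allows,
    so no intermediate value ever exceeds (n - 1)**2.
    """
    result, base = 1 % n, a % n
    while e > 0:
        if e & 1:                      # this bit of the exponent is set
            result = (result * base) % n
        base = (base * base) % n       # square for the next bit
        e >>= 1
    return result

if __name__ == "__main__":
    print(reduce_mod(-7, 5))
    print(is_complete_residue_set([-2, -1, 0, 1, 2], 5))
    print(is_complete_residue_set([0, 1, 2, 3, 5], 5))
    print(modexp(4, 13, 497))
```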