Information Security policies Flashcards
What is cryptography?
Enabling technology that turns an insecure communication facility into a secure one by guarantees one or more of the following information security policies, confidentiality, integrity, availability, nonrepudiation, authentication, anonymity and unobservability
also the science of secret writing
What is steganography?
the science of hiding messages inside other messages
What is cryptanalysis?
science of recovering the plaintext from the ciphertext
What are the CIA properties?
Confidentiality (Secrecy): No improper disclosure of information.
Integrity: No improper modification of information.
Availability: No improper impairment of functionality/service.
Confidentiality: No unauthorized access to information.
Integrity: No unauthorized modification of information.
Availability: No unauthorized impairment of functionality
What is confidentiality?
information is not learnt by unauthorised principals
Attack against confidentiality - passive attack( listen or read )
Confidentiality is guaranteed when Charlie, who is not authorised to read the message Alice is sending to Bob, is not able to read the message
Confidentiality presumes a notion of authorized party, or more generally, a security policy saying who or what can access our data. The security policy is used for access control
Example of confidentiality
Confidentiality can be achieved if you send a letter from A to B rather than an email (email is over the internet so everyone along the way can read it). To prevent this, encryption, access control and network security.
Email is not a letter but a postcard!
What is privacy?
- You choose what information you want other people to know
- Confidentiality of information that you don’t want to share
(confidentiality for individuals)
What is anonymity?
- a condition where your true identity is not known.
- Confidentiality of your identity
- Hiding your activity amongst other similar activities.
- Charlie does not know the identity of the sender or the receiver.
Privacy and anonymity on public networks
- internet is designed on a public network
- machines on your LAN can see your traffic - Routing info is public
- a passive observer can see who is talking to who
- IP packet header - shows source and destination
- packet route can be tracked (traffic analysis) - Encryption
- does not hide identities of sender and receiver
- hides payload but not routing info
What is an anonymity set?
a group in which your actions (sending, receiving, communication and relationships) cannot be distinguished from the actions of anyone else in the group - bigger the group, better
YOU CANNOT BE ANONYMOUS BY YOURSELF
What are the attacks on anonymity?
- Passive traffic analysis:
- observing packet route to identify the sender and receiver - Active traffic analysis:
- injecting packets or putting a timing signature on packet flow - Compromise of routers:
- it is not obvious about what nodes have been compromised
- assuming that some fraction of the nodes are good but not sure which ones (do not trust just one individual node only)
What is unlinkability?
- This is the unlinkability of action (sending the email) and identity (identity of the sender)
- sender and his email are no more related after
observing communication than they were before - once the sender sends the email, they are no longer related to each other.
What is unobservability?
HARD TO ACHIEVE
an observer cannot tell if a certain action took place or not.
What is integrity?
data has not been (maliciously) altered
Attack against integrity - active attack where Charlie modifies the message between Alice and Bob
Alice -> Charlie( modifies it) -> Bob
Integrity is guaranteed whenever Charlie, who is not authorised to alter the message, is not able to modify the message.
What is availability?
data or services cannot be accessed by unauthorised principals
attack against availability - Charlie disrupts the communication between Alice and Bob (disrupts the service)