LECTURE 25

Scribed By : 

Ashim Kapur

and

Harpreet Kaur Bajwa

 

Things covered in this lecture:

1) wraped up Digital cash.

2) Overview and conclusions.

 

1) Digital Cash

 

Alice wants to give the merchant 1000$ without telling the bank who is the merchant(reciever). One of the ways to accomplish this is as described:

 

              Alice prepares 100 anonymous money orders, 1000$ each. She gives these to the bank in separate envelops with a different nonce in each. Each envelop contains a carbon paper as well. The bank randomly opens 99 out of the 100 envelops and confirms that each of them is a 1000$ money order. Now the bank is almost sure that the last money order is also a 1000$ one.( probability of Alice cheating and getting away with it is extremely low 1/100). The bank signs the unopened money order and gives it back to Alice after deductng 1000$ from her account. Now Alice gives this money order to the merchant who can go to the bank and get the money. The bank checks for the signature and confirms that the nonce on the money order has not been used before and encashes the amount to the merchant. If the nonce matches with any of the previously used nonces from the data base then the bank rejects the transaction.

Envelop = encryption,

Signature = digital signature,

Nonce = random nonce,

With so many different types of identifications likelihood of catching the faulty is easy.

This kind of transaction will not work for a Micropayment as there are so many messages that have to be sent and it is not worth for a few cents.

 

2) Overview and Conclusion

 

The three main concepts of security are:

1. Confidentiality

2. Integrity

3. Availability

 

General Mechanisms

1. Authentication

2. Authorization

3. Audits

 

Security is about trade offs like :

Nothing is perfectly secure.

 

Complete mediation and system design : Once you have decided  that how vulnerable your system would be ,there are many  design principles available that will help you decide where you should put your effort.

 

Security is a process--You have to keep updating the measures to avoid the vulnerabilities.

 

Follow the principle of least privileges: The principle of Least privilege says that the users should only have access and privileges to complete the task at hand.

--Microsoft  should reveal bugs that it finds at all .Microsoft is not explaining which bugs  are fixed .Because a malicious user can make use of that and can make some virus or worm .Thats why Microsoft release patches but  never tells which bugs it has.

 

Cryptography

----------------------------------------------

Cryptography can be used  for:

--Authentication --Authentication means determining whom you are talking to before revealing information.

--Integrity--Integrity means the message received is exactly the one that was sent. This is done any using hashes in cryptography.

 

Shared Key Cryptography

 

Public Key Cryptography

 

Cryptographic Protocols can be used for :

1. Authentication

            Challenge-Response is the fundamental method of authentication.

2. Privacy

 

3. Confidentiality

 

To avoid "Replay Attacks" use nonces , timestamps or sequence numbers.

 

Viruses and Worms

---------------------------------------------------------

Viruses and worms both replicate themselves

--Viruses -They infect other programs that they need in order to make copies of themselves.

--WORMS--Worms are standalone programs. They execute and run on their own.

Following measures should be taken  to protect against viruses and worms:

1. Patching

2. Firewalls

3. Auditing

4. Using proper configuration

 

Buffer Overflows

---------------------------------------------------------

In order to avoid buffer overflows always use  safe languages like JAVA, C#.

If you must use C and C++, always use Stack Guard , Propolice.

Never use strcpy , strcat.