
 

Reference:

Protection (Chapter 14) limits the access of users to resources (e.g., files). It provides a mechanism that controls the access of programs, processes, or users. Protection is an internal issue. Protection is important even on a machine used by only one person in a locked and isolated room.

Security (Chapter 15) prevents unauthorized access to the system. Security is an external issue.

Consider COSC 4360 Computer Security

 

15.4 Cryptography

Threats: What are we afraid of?

  1. Foe reading secret files
  2. Foe reading email intended for you
  3. Foe altering email intended for you
  4. Is it really you I am sending to?
  5. Is it really you who is sending to me?

Rough idea: Encryption (symmetric, 15.4.1.1)

Sender:
M - message
K - key
E - function E(M, K) --> C - cipher text

Transmit C

Receiver:
C - cipher text
K - key (same one?)
D - function D(C, K) --> M

Problem: How does the receiver get key K?

Rough idea: Encryption (asymmetric, 15.4.1.2)

Receiver:
q & r - private key, two large (~200 digit) prime numbers
pR = q * r - public key - Broadcast it. If you know pR, you'll never find q & r

Sender:
M - message
pR - public key of R
E - function E(M, pR) --> C - cipher text

Transmit C

Receiver:
C - cipher text
q, r - private key
D - function D(C, q, r) --> M
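
The asymmetric scheme above, worked with toy numbers as an added example (not part of the original notes). The public exponent 17 and the primes 61 and 53 are assumptions chosen for illustration; the notes name only q, r and pR, and real RSA also adds padding.

```python
# Textbook RSA with toy primes: no padding, not secure, illustration only.
from math import gcd

E_PUB = 17   # assumed public exponent, published together with pR

def public_key(q, r):
    """Receiver: q and r stay private, pR = q * r is broadcast."""
    if gcd(E_PUB, (q - 1) * (r - 1)) != 1:
        raise ValueError("E_PUB must be coprime to (q-1)(r-1)")
    return q * r

def E(M, pR):
    """Sender: encrypt integer M using only public values."""
    if not 0 <= M < pR:
        raise ValueError("M must satisfy 0 <= M < pR")
    return pow(M, E_PUB, pR)

def D(C, q, r):
    """Receiver: the decryption exponent d is derived from q and r."""
    d = pow(E_PUB, -1, (q - 1) * (r - 1))   # modular inverse (Python 3.8+)
    return pow(C, d, q * r)

def factor(pR):
    """Trial division; the work grows with the square root of pR."""
    f = 3
    while f * f <= pR:
        if pR % f == 0:
            return f, pR // f
        f += 2
    raise ValueError("no odd factor found")

if __name__ == "__main__":
    q, r = 61, 53                 # constructed toy primes
    pR = public_key(q, r)         # 3233
    C = E(65, pR)
    print("ciphertext:", C, "decrypted:", D(C, q, r))
    # A modulus this small gives up q and r immediately, so the promise
    # "you'll never find q & r" rests entirely on the size of the primes.
    print("recovered from pR alone:", factor(pR))
```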

Pretty Good Privacy (PGP)

Originally developed by Philip Zimmermann in the early 1990's.

See www.symantec.com/theme.jsp?themeid=pgp. They offer a very nice GUI interface for email and disk protection, but it is not free.

Also, see Alice and Bob - Wikipedia

GNU Privacy Guard (GPG)

Get it? GPG?

See www.gnupg.org

GnuPG is a complete and free replacement for PGP. Because it does not use the patented IDEA algorithm, it can be used without any restrictions. GnuPG is a RFC2440 (OpenPGP) compliant application.

  Step 1 Download GPG from www.gnupg.org/download

Unless you know otherwise, you probably want

Binaries for various operating systems

For Mac OS-X at www.gpgtools.org/

GnuPG 2.0 compiled for Microsoft Windows. [FTP]

Signature and SHA-1 checksum for previous file. [FTP]

GnuPG distributions are signed. It is wise and more secure to check their integrity.

  Step 2 Install according to the instructions

  Step 3 Read The Fine Manual (RTFM)

At www.gnupg.org/documentation/index.en.html are many fine sources.

For convenience, I refer to a local copy of A Practical Introduction to GNU Privacy Guard for Windows (protected), which is installed in a directory gnupg\Intro_GNUpg_Win by the Step 2 installation.

A.1 A Few GPG Commands

gpg --version
Find out what version of GPG you have installed (2)
 
gpg --gen-key
Create a new key pair (3)
 
gpg --armor --output "KEY.txt" --export "YOUR-NAME"
Export your public key to a text file KEY.txt (3)
 
gpg --import "KEY.txt"
Import the keys found in KEY.txt (4)
 
gpg --edit-key "NAME"
Edit the key for NAME. In edit mode, use the "trust" command to set the trust level (4)
 
gpg --recipient "RECIPIENT" --output "FILENAME.gpg" --encrypt "FILENAME"
Encrypt FILENAME using RECIPIENT's public key (4)
 
gpg --armor --recipient "RECIPIENT" --output "FILENAME.gpg" --encrypt "FILENAME"
Encrypt a file and output text suitable for email (4)
 
gpg --decrypt-files "FILENAME.asc" or gpg --decrypt-files "FILENAME.gpg"
Decrypt FILENAME.asc or FILENAME.gpg, verify a digital signature if present, and output to FILENAME (4)
 
gpg --local-user "YOUR-NAME" --clearsign "FILENAME"
Create digital signature and output plaintext plus signature to FILENAME.asc (5)
 
gpg --local-user "YOUR-NAME" --output "FILENAME.sig" --detach-sign "FILENAME"
Create separate digital signature file for FILENAME (5)
 
gpg --verify "FILENAME.asc"
Verify the digital signature found inline in FILENAME.asc (5)
 
gpg --verify "FILENAME.sig"
Verify the digital signature for FILENAME contained in FILENAME.sig (5)
 
gpg --armor --local-user "YOUR-NAME" --recipient "RECIPIENT" --sign --output "FILENAME.asc" --encrypt "FILENAME"
Encrypt and sign FILENAME, with text output to FILENAME.asc (5)
 
gpg --homedir . SOME-COMMAND
Use the current folder as the home folder, useful for calling GPG from an application. (6)

  Step 4 What version (~ "Hello, World!")

GPG is a DOS command line application

Open a DOS box

gpg --version
Find out what version of GPG you have installed (2)

  Step 5 Generate YOUR key pair

gpg --gen-key
Create a new key pair (3)

gpg --armor --output "KEY.txt" --export "YOUR-NAME"
Export your public key to a text file KEY.txt (3)

Send your public key KEY.txt to your friends: georgec-opsys@mscs.mu.edu

My public key is


Threats?

  Step 6 Import your friends' public keys

gpg --import "KEY.txt"
Import the keys found in KEY.txt (4)

  Step 7 Send an encrypted message

Create a text file "FILENAME" containing the message you want to send

gpg --armor --recipient "RECIPIENT" --output "FILENAME.gpg" --encrypt "FILENAME"
Encrypt a file and output text suitable for email (4)

Send "FILENAME.gpg". Copy and paste it into the message body, or attach it (and give the message some body text).

  Step 8 Receive an encrypted message

Save the message (or the attachment) as "FILENAME.gpg"

gpg --decrypt-files "FILENAME.gpg"
Decrypt FILENAME.gpg, verify a digital signature if present, and output to FILENAME (4)

Read the message in "FILENAME"

  Step 9 Digital signature

gpg --local-user "YOUR-NAME" --clearsign "FILENAME"
Create digital signature and output plaintext plus signature to FILENAME.asc (5)

  Step 10 Verify a digital signature

gpg --verify "FILENAME.asc"
Verify the digital signature found inline in FILENAME.asc (5)

Step n+1 MANY variants

Trust a public key?

One student observed: All of your examples assume we have a public key that is really from the sender.

VERY GOOD!!!

Actually, from the person it claims to be. Yes, you could create a private key - public key pair, claiming to be from the President. If someone encrypted a message for the President using that public key and you intercepted the message, you could read the Top Secret message.

How can you be sure?

  1. Know the author and get his/her public key directly. Since I showed you the web page with my public key, you can be reasonably certain that it IS my public key. Of course, it is possible that someone hacked my web site and substituted a fake. I admit I did not personally check each character today.
  2. My public key might be officially registered with Verisign or some other official registry. If you trust that authority, you might trust my public key you get from them.
  3. You might have a friend you trust, and that friend might tell you (either directly or through PGP formalities) that he/she believes that to be my public key, so you can trust it to a slightly less degree than you trust your friend.

There is an entire concept "Web of Trust" which allows me to sign someone else's public key and say (in effect), "I believe this is valid." If you don't trust me, my signature carries no weight with you. If you do trust me, you can trust the public key I have signed. How do you know it is I who signed it? Digital signature plus whatever trust you have in "my" public key. Hence, a public key signed by many people in whom you have trust is probably a trustworthy key.

How you come by the public key also should be a factor. Consider: If I call Lands End, place an order, and give them my phone number over the phone, I am reasonably certain it is really Lands End to whom I am speaking. Someone COULD be eavesdropping, but at least I have high confidence I am not talking to an impostor. On the other hand, if someone calls ME and says, "This is Lands End. Please give me your credit card number," I am MUCH more skeptical.

If I type the URL of a web site I am accustomed to using and I retrieve a public key, I am reasonably certain it is a valid public key, although the entire web site COULD be an impostor. On the other hand, if I receive unsolicited email containing a public key, I am more skeptical. I might call the claimed author and ask, "Did you send your public key to me at about 2:37 PM this afternoon?"

 

15.4.3 SSL

Communicate securely between browser and web server, e.g.,

  • credit card numbers
  • Virtual Private Networks (VPN)

Precondition: Server s obtained a certificate cert from a certification authority CA, including

  • Attributes including DNS name
  • Public encryption algorithm E()
  • Public key ke
  • Validity interval for the certificate
  • Digital signature of the certification authority

Precondition: Client has obtained the public verification algorithm for the certification authority

Basic idea:

  1. Establish each identity
  2. Use public keys to exchange a one-time symmetric key
  3. Communicate using symmetric key

What are the threats?

The dance (See pp. 586-7 for more detail)

  1. Client initiates
  2. Client sends 28-byte random value
  3. Server responds with 28-byte random value + its certificate
  4. Client checks validity of certificate
  5. Client generates secret 46-byte pms, encrypts using server's public key, and transmits
  6. Server decrypts to recover pms
  7. Both client and server use two 28-byte values & pms to compute a master secret key ms. Use ms to generate four keys:
    1. Symmetric encryption key for client --> server
    2. Symmetric encryption key for server --> client
    3. Key to authenticate client --> server
    4. Key to authenticate server --> client
  8. Client can send encrypted, signed messages to server
  9. Server can send encrypted, signed messages to client
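
Step 7 of the dance, sketched as an added example that is not from the original notes or the textbook. It uses the 28-byte and 46-byte sizes given above; the HMAC-SHA256 expansion is modelled on the TLS 1.2 PRF, and the key lengths and function names are assumptions.

```python
import hashlib
import hmac
import os

def p_sha256(secret, seed, length):
    """Stretch a secret into `length` bytes by chained HMAC-SHA256."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def derive_keys(pms, client_random, server_random):
    """Step 7: pms plus the two random values give ms, then four keys."""
    ms = p_sha256(pms, b"master secret" + client_random + server_random, 48)
    block = p_sha256(ms, b"key expansion" + server_random + client_random, 96)
    return {
        "auth_client_to_server": block[0:32],
        "auth_server_to_client": block[32:64],
        "enc_client_to_server": block[64:80],
        "enc_server_to_client": block[80:96],
    }

def protect(keys, direction, message):
    """Steps 8-9: authenticate a message with the key for its direction."""
    return hmac.new(keys["auth_" + direction], message, hashlib.sha256).digest()

def handshake():
    client_random = os.urandom(28)   # step 2
    server_random = os.urandom(28)   # step 3 (certificate check omitted)
    pms = os.urandom(46)             # step 5 (public-key transport omitted)
    # Each side runs the same derivation on the same three inputs.
    client_keys = derive_keys(pms, client_random, server_random)
    server_keys = derive_keys(pms, client_random, server_random)
    return client_keys, server_keys

if __name__ == "__main__":
    client_keys, server_keys = handshake()
    print("both sides agree:", client_keys == server_keys)
    tag = protect(client_keys, "client_to_server", b"order #1")
    print("server accepts tag:",
          hmac.compare_digest(tag, protect(server_keys, "client_to_server", b"order #1")))
```

Because both random values feed the derivation, a recorded session cannot be replayed into a new one: a fresh server random alone changes all four keys.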

15.1 Security Problem

What do we fear?

"Total security cannot be achieved." - p. 560

Threat is the potential for a security violation

Attack is an attempt to break security

  • Breach of confidentiality - Unauthorized reading of data
  • Breach of integrity - Unauthorized modification of data
  • Breach of availability - Unauthorized destruction of data
  • Theft of service - Unauthorized use of resources
  • Denial of service - Prevent legitimate use

Take security measures at four levels:

  • Physical
  • Human
  • Operating system
  • Network

15.2 Program Threats

Write a program that creates a breach of security

15.2.1 Trojan horse programs

Code segment that misuses its environment

Search PATH - All directories must be secure

"." in the search path
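
One way to check a search path for the weaknesses named above, as an added example (not from the original notes); the function name audit_path and the finding messages are assumptions.

```python
import os
import stat

def audit_path(path, sep=os.pathsep):
    """Return (position, entry, problem) for each risky search-path entry."""
    findings = []
    for pos, entry in enumerate(path.split(sep)):
        if entry in ("", "."):
            # An empty entry is treated as the current directory by the shell.
            findings.append((pos, entry, "current directory in search path"))
        elif not os.path.isabs(entry):
            findings.append((pos, entry, "relative directory"))
        else:
            try:
                mode = os.stat(entry).st_mode
            except OSError:
                findings.append((pos, entry, "directory missing"))
                continue
            if mode & stat.S_IWOTH:
                findings.append((pos, entry, "writable by any user"))
    return findings

if __name__ == "__main__":
    for pos, entry, problem in audit_path(os.environ.get("PATH", "")):
        print(f"PATH[{pos}] {entry!r}: {problem}")
```

The position matters because the first directory that contains a matching name wins, so a finding early in the list affects more commands than one at the end.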

15.2.2 Trap door

Might check for a specific user and circumvent normal security

Undocumented command-line options

Built into the compiler?

15.2.4 Stack and buffer overflow

Review activation record

Web form: Enter name:  

Copy contents into a string:

     char userName[40];
     strcpy(userName, ...);

Possible buffer overflow could alter the return address

Instead of returning, could jump to arbitrary code, e.g., command shell

P. 566: "Unfortunately, good bounds checking is the exception rather than the norm."

15.2.5 Viruses

15.3 System and Network Threats

Examples include

  • Masquerading
  • Replay
  • Worms
  • Port scanning
  • Denial-of-service

15.5 User Authentication

How do we determine whether a user's identity is authentic?

  1. Something you have, e.g., key, card, dongle
  2. Something you know, e.g., password
  3. Something you are, e.g., fingerprint

15.5.1 Passwords

15.5.2 Password vulnerabilities

15.5.3 Encrypted passwords

15.5.4 One-time passwords

15.5.5 Biometrics

15.6 Implementing Security Defenses

Defenses range from improved user education through writing fault-free software

15.6.1 Security policy, e.g., Marquette's Acceptable Use of E-Resources Policy

15.6.2 Vulnerability assessment, see List of security tools

15.6.3 Intrusion detection: Signature-based vs. Anomaly detection

15.6.4 Virus protection

15.7 Firewalling

Monitors and logs all connections

Limits connections based on source or destination address, source or destination port, direction of the connection, etc.

See also HowStuffWorks, How Firewalls Work
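
A first-match packet filter with default deny that implements the two behaviours listed above, as an added example (not from the original notes). The Rule and Firewall names are hypothetical and the addresses are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    direction: str                   # "in", "out" or "any"
    src: str = "0.0.0.0/0"           # source network
    dst: str = "0.0.0.0/0"           # destination network
    dst_ports: range = range(0, 65536)

    def matches(self, direction, src, dst, dst_port):
        return (self.direction in ("any", direction)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and dst_port in self.dst_ports)

class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.log = []                # every connection attempt is recorded

    def check(self, direction, src, dst, dst_port):
        verdict = "deny"             # nothing matched: default deny
        for rule in self.rules:
            if rule.matches(direction, src, dst, dst_port):
                verdict = rule.action
                break                # first matching rule decides
        self.log.append((direction, src, dst, dst_port, verdict))
        return verdict

# Constructed policy: one public web server, unrestricted outbound from the LAN.
POLICY = [
    Rule("allow", "in", dst="192.0.2.10/32", dst_ports=range(443, 444)),
    Rule("allow", "out", src="10.0.0.0/8"),
]

if __name__ == "__main__":
    fw = Firewall(POLICY)
    print(fw.check("in", "203.0.113.5", "192.0.2.10", 443))    # web traffic
    print(fw.check("in", "203.0.113.5", "192.0.2.10", 22))     # not listed
    print(fw.check("out", "10.1.2.3", "198.51.100.7", 80))     # LAN going out
    print(fw.log)
```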

 

 

 