課程:資訊安全

出自 陳富國維基館
前往: 導覽搜尋

目錄

課程大綱

課程簡介

資訊安全主要瞭解在電腦系統和網路環境上,包含技術上、操作上和管理上的安全議題,藉由本課程的學習,你將會知道資訊安全整體性的概念,必要的密碼學基礎,及相關應用協定及安全性架構,對日後從事資訊工作你可以知道如何應用資訊安全技術及密碼學在電腦、資訊與網路的管理上。

教學目標

  1. 瞭解電腦操作上和通訊上的基本風險和威脅 。
  2. 瞭解基本的密碼技術。
  3. 瞭解不同型式的安全性解決方案,其中的優點與缺點 。
  4. 瞭解應用不同型式的安全技術在OSI不同的層級,以獲致整體安全性。

指定書目

資訊安全概論與實務,潘天佑,碁峰

參考書目/資料

  1. 網路攻防站, 呂守箴,http://anti-hacker.blogspot.tw/
  2. 鐘慶豐,近代網路安全與編碼機制,儒林
  3. 微軟資訊安全文章(中文),http://www.microsoft.com/taiwan/technet/hotdoc/security.htm
  4. Ford, Warwick, Computer Communications Security , Fifth Edition, Prentice-Hall, Englewood Cliffs, New Jersey 1994
  5. Stallings, William, Cryptography and Network Security: Principles and Practice , Second Edition, Prentice Hall, Upper Saddle River, New Jersey. 1999
  6. Kaufman, Charlie, Radia Perlman, and Mike Speciner, Network Security: Private Communication in a Public World , Prentice Hall, Upper Saddle River, New Jersey. 1995
  7. Walker, Kathryn M. and Linda Croswhite Cavanaugh, Computer Security Policies and Sun Screen Firewalls , Sun Microsystems Press - PTR 1998
  8. Red Hat, "Red Hat Linux Security Guide", http://www.redhat.com
  9. Microsoft TechNet, "Security", http://www.microsoft.com/technet/security/default.asp

教學進度

第 1 週 (02/18-02/23) 資訊安全簡介與概論

第 2 週 (02/24-03/02) 資訊法律與事件處理

第 3 週 (03/03-03/09) 資訊安全威脅/駭客手法研究

第 4 週 (03/10-03/16) 認證、授權與存取控制/資訊安全架構設計

第 5 週 (03/17-03/23) 基礎密碼學-1

第 6 週 (03/24-03/30) 基礎密碼學-2

第 7 週 (03/31-04/06) 基礎密碼學-3

第 8 週 (04/07-04/13) 資訊系統與網路模型

第 9 週 (04/14-04/20) 期中考試

第10週 (04/22-04/27) 防火牆 /虛擬私有網路

第11週 (04/28-05/04) 入侵偵測與防禦系統/惡意程式與防毒/多層次防禦

第12週 (05/05-05/11) 實體安全與營運安全/資訊安全管理系統

第13週 (05/13-05/19) 緊急應變計劃

第14週 (05/20-05/26) 資訊技術服務管理

第15週 (05/27-06/02) 資訊安全實驗-1

第16週 (06/03-06/09) 資訊安全實驗-2

第17週 (06/10-06/16) 資訊安全實驗-3

第18週 (06/17-06/23) 期末考試

評分方法

  • 平常成績 30% (到課率、作業、小考等)
  • 期中考 30%
  • 期末考 40%

課程內容

資訊安全概論

  • 資訊安全三個P:People、Product、Process

資安的一個設計負面例,不當的密碼忘記處理方式: 某個學校忘記密碼處理方式.png

資訊安全三元素

  • 實體安全
  • 營運安全
  • 管理與政策

資訊安全目標

  • 預防
  • 偵測
  • 反應

身份認證

  • 身分認證 (authentication) 是資訊安全的重要環節,它讓使用者或要求存取的系統證明自己的身分。認證有以下三種要素:
  • 所知之事 (something you know)
    • 通關密碼 (password) 或是 PIN。
  • 所持之物 (something you have)
    • 智慧卡或其它身分證明裝置。
  • 所具之形 (something you are)
    • 指紋或視網膜比對。
  • 通關密碼使用 something you know。Password Authentication Protocol (PAP) 是將使用者名稱與通關密碼以明碼形式送到伺服器上比對,這是最簡單的認證方法但並不安全。
  • 生物特徵 (biometrics) 使用 something you are,包括手的比對 (如指紋、掌紋),臉部特徵,視網膜 (retina) 與虹膜 (iris) 掃描等。
  • 安全代符 (security tokens) 使用 something you have,這種隨身攜帶的元件上儲存著比人腦能記憶的通關密碼複雜許多的認證資訊,使身分認證程序更加安全。常見的安全代符包括:
    • 一次性密碼代符 (one-time password tokens)
    • 智慧卡 (smart cards)
    • 記憶卡 (memory cards)
    • 無線射頻身分證明 (RFID)

駭客攻擊手法探討

阻絕服務(Denial of Service DOS, Distributed DOS)

型態

  1. UDP Flood, A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless/connectionless computer networking protocol. Using UDP for denial-of-service attacks is not as straightforward as with the Transmission Control Protocol (TCP). However, a UDP flood attack can be initiated by sending a large number of UDP packets to random ports on a remote host. As a result, the distant host will: check for the application listening at that port, see that no application listens at that port and reply with an ICMP Destination Unreachable packet.
  2. Ping of Death, A ping of death is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A correctly formed ping message is typically 56 bytes in size, or 84 bytes when the Internet Protocol (IP) header is considered. Historically, many computer systems could not properly handle a ping packet larger than the maximum IPv4 packet size of 65535bytes. Larger packets could crash the target computer. In early implementations of TCP/IP, this bug was easy to exploit. This exploit affected a wide variety of systems, including Unix, Linux, Mac, Windows, printers, and routers.
  3. Reflected / Spoofed attack, A distributed denial of service attack may involve sending forged requests of some type to a very large number of computers that will reply to the requests. Using Internet Protocol address spoofing, the source address is set to that of the targeted victim, which means all the replies will go to (and flood) the target.
  4. Nuke, A Nuke is an old denial-of-service attack against computer networks consisting of fragmented or otherwise invalid ICMP packets sent to the target, achieved by using a modified ping utility to repeatedly send this corrupt data, thus slowing down the affected computer until it comes to a complete stop.
  5. Slowloris, Slowloris is a piece of software written by Robert "RSnake" Hansen which allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports. Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request.
  6. Unintentional DDoS, This describes a situation where a website ends up denied, not due to a deliberate attack by a single individual or group of individuals, but simply due to a sudden enormous spike in popularity. This can happen when an extremely popular website posts a prominent link to a second, less well-prepared site, for example, as part of a news story.
  7. Zero Day DDoS, General term used to describe vulnerabilities and exploits that are still new and haven't been patched yet.
  8. SYN Flood, A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.

實體世界的阻絕服務攻擊

資料來源:http://bbs.nsysu.edu.tw/txtVersion/treasure/STCF/M.1020826379.A/M.1023340705.A/M.1023340740.A.html

電話癱瘓公所柯賜海無罪定讞

高院調查後認為,柯賜海等人是租用數十支固網線路,同時重複密集撥打三重市公所的總機電話,因為短時間內重複撥打,使得三重市公所的總機線路遭「塞爆」,他人在同一時間因此無法撥入電話,此舉並未造成受話電話系統故障或毀壞。柯賜海這種抗議行為固然可議,但法律卻無處罰規定,不能加以論罪處罰。

字典攻擊

木馬

釣魚網站

實體世界的釣魚手法 -- 假的ATM提款機

SQL injection

XSS

Google hacking

鍵盤側錄器

IP Spoofing

暴力攻擊(Brute-force attack)

無線網路安全

資訊加密

傳統加密法

  • 斯巴達人的密碼木杖與凱撒密碼

密碼木杖與凱撒密碼.png

位移加密法

下面的範例示範了在一個表格由右到左的列方式(row major)寫下明文,最後將訊息以行為主(column)輸出文章(密文)。

位移加密法範別.png

替換加密法

替換加密法範例.png

多重字母替換加密法

多重字母替換加密法範例.png

對稱式加密系統

目的與功用

對稱式加密流程圖.png

Simplified DES

Simplified DES (S-DES) has similar properties and structure to DES with much smaller parameters (See following S-DES scheme).

s-DES Scheme(S-DES 圖解)

S-DES Scheme.png

s-DES 金鑰產生過程

Following is the key generation process:


Key Generation for S-DES.png

s-DES加密過程

Encryption:

S-DES Encryption Detail.png

S-DES的Java程式

 public class sdes{
  private static short[] plainText={0,0,0,0,0,0,0,0}; //明文空間,將輸入的8位元一一放入此short陣列(為求運算方便)
  private static short[] Key1 ={1,0,1,0,0,1,0,0}; //子金鑰1
  private static short[] Key2 ={0,1,0,0,0,0,1,1};//子金鑰2

  private static short[] bitIndex={128,64,32,16,8,4,2,1};

  private static char[] IP =  {'1','5','2','0','3','7','4','6'};  //"26314857";
  private static char[] IP1 = {'3','0','2','4','6','1','7','5'};  //"41357286";
  private static char[] EP =  {'3','0','1','2','1','2','3','0'};  //"41232341";
  private static char[] P4 =  {'1','3','2','0'};      //"2431";
  private static char[] SW =  {'4','5','6','7','0','1','2','3'};  //"56781234";
  private static char[] P8 =  {'5','2','6','3','7','4','9','8'};  //637485A9";
  private static char[] P10 = {'2','4','1','6','3','9','0','8','7','5'}; //35274A1986";

  private static short[][] S0 = {{1,0,3,2},
                                 {3,2,1,0},
                                 {0,2,1,3},
                                 {3,1,3,2}};

  private static short[][] S1 = {{0,1,2,3},
                                 {2,0,1,3},
                                 {3,0,1,0},
                                 {2,1,0,3}};


  private static short[] tempText = {0,0,0,0,0,0,0,0};

  private static void printText(short[] Text){
    int i;
    for(i=0;i<8;i++) System.out.print(Text[i]);
    System.out.println();
  }

  public static void fx(short[] PT, short[] Key){
    int i,r,c,s;
    short[] leftText = {0,0,0,0};
    short[] rightText = {0,0,0,0};
    short[] fText = {0,0,0,0,0,0,0,0};
    short[] temp4Text = {0,0,0,0};

    for(i=4;i<8;i++) rightText[i-4] = PT[i]; //extract right part of plaintext

//perform EP
    for(i=0; i<8; i++) tempText[i] = rightText[(short)EP[i]-48];
    for(i=0; i<8; i++) fText[i] = tempText[i];
    System.out.print("After E/P : ");printText(fText);       

    for(i=0; i<8; i++) fText[i] ^= Key[i]; //Xor!
    System.out.print("Key is "); printText(Key);
    System.out.print("After XOR with Key : ");printText(fText);

    for(i=0;i<4;i++) leftText[i] = fText[i];    
    for(i=4;i<8;i++) rightText[i-4] = fText[i];

//perform S0 and S1
    r = (leftText[0]<<1) + leftText[3]; System.out.print("S0, Row is "+r+",");
    c = (leftText[1]<<1) + leftText[2]; System.out.print("Col is "+c+" ");
    s = S0[r][c];
    System.out.println("S0 is "+s);
    temp4Text[0] = ((s&2) == 0)? (short)0:(short)1;
    temp4Text[1] = ((s&1) == 0)? (short)0:(short)1; 

    r = (rightText[0]<<1) + rightText[3]; System.out.print("S1, Row is "+r+",");
    c = (rightText[1]<<1) + rightText[2]; System.out.print("Col is "+c+" ");
    s = S1[r][c];
    System.out.println("S1 is "+s);
    temp4Text[2] = ((s&2) == 0)? (short)0:(short)1;
    temp4Text[3] = ((s&1) == 0)? (short)0:(short)1;

//Perform P4
    for(i=0; i<4; i++) tempText[i] = temp4Text[(short)P4[i]-48];
    for(i=0; i<4; i++) temp4Text[i] = tempText[i];
    System.out.print("Apply P4 ");
    for(i=0; i<4; i++) System.out.print(temp4Text[i]);
    System.out.println();

    for(i=0; i<4; i++) leftText[i] = PT[i];

//Xor left and right processed with F-Box
    System.out.print("After XOR with the left part(See the above of diagram):");
    for(i=0; i<4; i++) {
      leftText[i] ^= temp4Text[i];
      System.out.print(leftText[i]);
    }
    System.out.println();
    for(i=0; i<4; i++) PT[i] = leftText[i];


  }

  public static void main(String args[]){
    short plainInt,i;
    if (args.length == 0) System.exit(0);
    plainInt = Short.parseShort(args[0]); //將將輸入的明文字串轉換成short

    for (i=0; i<8; i++) plainText[i] = ((plainInt & bitIndex[i])== 0) ? (short)0 : (short)1; //將明文數字中的每一個位元一一抓取出來測試,設定明文陣列
    System.out.print("The plaintext is "); printText(plainText);

//Perform IP operation
    for(i=0; i<8; i++) tempText[i] = plainText[(short)IP[i]-48];
    for(i=0; i<8; i++) plainText[i] = tempText[i];
    System.out.print("plaintexst after IP is ");
    printText(plainText);

//Round 1   

  System.out.println("Round 1..... ");
  fx(plainText, Key1);
  System.out.print("After round1, the plaintext is ");printText(plainText);

//Perform SW
    for(i=0; i<8; i++) tempText[i] = plainText[(short)SW[i]-48];
    for(i=0; i<8; i++) plainText[i] =  tempText[i];
    System.out.print("After SW, plaintext is ");
    printText(plainText);

//Round 2
  System.out.println("\nRound 2..... ");
  fx(plainText, Key2);
  System.out.print("After round 2, the plaintext is ");printText(plainText);

//Perform IP-1
    for(i=0; i<8; i++) tempText[i] = plainText[(short)IP1[i]-48];
    for(i=0; i<8; i++) plainText[i] =  tempText[i];
    System.out.print("Finally, ciphertext is ");
    printText(plainText);

  }
}

非對稱式加密系統

目的與功用

案例探討:Enigma密碼機

相關電影:攔載密碼戰、獵殺U-571

資訊完整性-安全雜湊演算法

目的與功用

MD5與SHA

案例探討1 驗證檔案下載的正確完整性

案例探討2 系統使用者密碼的儲存問題

案例探討3 康熙「傳位遺詔」

康熙因為幾次立/廢太子事,想到不能預立太子,決定死的時候才公佈繼位人選…,康熙死後江湖紛傳遺詔原為「傳十四子」,被篡改成「傳于四子」,留下後人無限的猜測。

參考解法:

遺囑使用數位雜湊驗證完整與真實性.png

數位簽章

目的與功用

作業系統中的憑證管理

電子簽章法

中華民國電子簽章法全文

憑證機構

案例探討 - 自然人憑證的應用-戶政戶籍謄本

電子戶籍謄本.png

電子戶籍謄本驗證作業.png

電子戶籍謄本驗證無誤.png

案例探討 - 自然人憑證

防火牆

路由器網路位址轉換(Network Address Translation)

Port forwarding 

虛擬私有網路(Virtual Private Network)

服務可用性

Server負載平衡

資安三大目標之一可用性的確保

QoS議題

入侵偵測

資訊安全課程實驗

資訊安全弱點與風險認知能力

基礎密碼學理解與應用

網路層的安全與防火牆分析應用

防火牆實驗

IPCop使用(內建於虛擬機器) · 對外網路存取測試 實驗步驟 · 在虛擬機器下確認IPCOP的二張網路卡正確設定 · 第一張網卡設定Custom network (VMNet2),此張網路卡是接至內部網路(GREEN) · 第二張網路卡設定Bridged network,此張網路卡連接至外部網路(RED) · 啟動IPCOP,進入IPCOP系統(root/csimcsim),鍵入setup以設定基本網路設定以確認: · GREEN網卡IP設定為:________________ (參考IP: 192.168.10.1) · RED網卡IP設定為 :________________ (與宿主主機網路同一個網段,若是電腦教室請設DHCP,因為宿主主機也是透過DHCP方式取得IP) · 設定與啟動WinXP網路 · 在虛擬機器下設定網路卡設為Custom network (VMNet2) · 啟動WinXP,網路卡的IP設定設為自動取得IP(透過IPCOP的DHCP服務取得IP) · 檢查IP是否為IPCOP中的DHCP之IP設定範圍? · 開啟網頁,檢查是否能正常瀏覽網頁? · 利用 IPCOP的port forwarding讓WinXP可以被外界進行遠端桌面 · 在WinXP的瀏覽器網頁中輸入: · https://192.168.10.1:445,進入IPCOP的WEB設定(帳/密:admin/csimcsim) · 在WinXP下啟動遠端桌面 · 我的電腦->內容->啟動遠端桌面 · 我的電腦->管理->使用者帳號 · 設定csim帳號的群組為Remote Desktop Users · 設定csim帳號的密碼(沒有密碼無法存取遠端桌面) · 從宿主主機使用遠端桌面軟體連線WinXP · 你的IPCOP那張對外網卡的IP位址(問題為何不是用WinXP的網路卡IP?) · 連線!


網路應用層安全分析(電子郵件、檔案傳輸)

案例探討

案例探討1 從柯賜海癱瘓總統府總機手法

案例探討2 釣魚版的ATM

案例探討3 X戰警2中,萬磁王逃離玻璃監獄的故事

案例探討4 網路釣魚網頁

案例探討5 ATM提款程序的安全性

案例探討6 盜數計時

資訊安全相關影片