Study Guide for Midterm
This guide lists topics that may be covered on the midterm exam. Note that questions
pertaining to any of these topics may appear on the exam.
- Introduction
- Three basic components
- Confidentiality: concealment of information or resources
- Integrity: trustworthiness of data or resources. Data integrity and origin integrity.
- Availability: the ability to use the information desired.
- Threats and how to counter them.
- Unauthorized change of information
- snooping
- spoofing
- denial of service
- denial of receipt
- repudiation of origin
- Policy and mechanism
- Policy: what is, and is not, allowed; this defines security
- Mechanisms: enforce policies; can be a method, tool, or procedure
- Composition of policies: no conflict
- Goals of security: prevention, detection, recovery
- Assumptions and trust
- Assurance
- Specification: requirements analysis, statement of desired functionality
- Design: How system will meet specification
- Implementation: Systems that carry out design. Formal proof and testing
- Access Control Matrix
- Protection state
- What is a protection state?
- Access control matrix model
- Object: A protected entity
- Subject: An active entity that carries out operations
- Right: An operation that ....
- What is an access control matrix?
- Implementation: capability, time condition
- Protection state transitions
- Notation
- Primitive commands
- System commands
- conditional commands
- Foundational Results
- How to determine if a computer system is secure?
- Basic results
- Security Policies
- Definitions of security policies
- A security policy is a statement that ...
- A secure system starts in a secure state and cannot enter a nonsecure state
- When does a breach of security occur?
- Three basic properties
- Types of security policies
- Identity-based access control
- Rule-based access control
- Originator controlled access control
- The role of trust
- Three types of access control
- Confidentiality policies
- Goals
- Information flow policy
- Prevent unauthorized disclosure of information
- Transfer of rights, information without transfer right
- Temporal context
- The Bell-LaPadula Model
- It models military requirements
- Description
- Subjects have clearances
- Mandatory access control
- Simple security condition
- Star property
- Define a secure system
- Categories
- Access rules
- Integrity Policies
- Goals
- Separation of duty
- Separation of function
- Auditing
- The Biba Integrity Model
- The Clark-Wilson Integrity Model
- Transactions, data, consistency
- Description
- Integrity constraints
- Procedure
- Certification rules and enforcement rules
- Comparison with other models
- Basic Cryptography
- Definition of cryptosystems
- Plaintexts, keys, ciphertexts, enciphering functions, deciphering functions
- Classic cryptosystems
- Transposition ciphers
- substitution ciphers
- One-time pad
- Data Encryption Standard (DES)
- Several modes of DES
- Public key cryptography
- Private and public keys
- Three conditions a public key cryptosystem must meet.
- Key Management
- Session and interchange keys
- Key exchange
- Classical cryptographic key exchange and authentication
- A trusted third party
- Authentication
- Kerberos: ticket granting server, authentication server
- Public key cryptographic key exchange and authentication
- Cryptographic key infrastructure
- Certificate signature chains: bind an identity to a key
- X.509: certificate format, certification validation
- Storing and revoking keys
- Key storage: ROM, smart cards, etc.
- Key revocation: when a key is compromised, or the binding between a subject and a key has changed