Introduction of Network Security & Blockchain

Team Teaching 교수 소개 홍충선 교수 허의남 교수 컴퓨터공학과 교수 컴퓨터공학과 교수 서울시 자문위원 경희대 정보처장 과기정통부 모바일클라우드센터장 (최우수 연구센터 선정) 과기정통부 자문위원 한국정보과학회 학술대회 최우수논문상 대통령후보 특보 클라우드 및 보안연구실 운영 홍충선 교수 컴퓨터공학과 교수 서울시 자문위원 경희대 연구처장&산학협력단장 LINC+사업단장/BK21+사업단장 한국정보과학회 회장 한국정보과학회 가헌학술상 경희 Fellow 지능네트워킹연구실 운영

주차 강의계획 정보보호 개요 및 블록체인 네트워크 보안 기술 기초 (대칭암호와 메시지 기밀성) 공개키 암호와 메시지 인증 인증 응용 (AAA, Kerberos, PKI) 전자메일 보안 (S/MIME, Relay, 스팸메일) IP 보안 & 웹 보안 중간고사 네트워크관리 보안(Network Management Security) 침입(Intrusion) 및 악성 소프트웨어(Worm and Virus) Firewall(침입차단시스템) 및 VPN 네트워크 해킹 및 공격의 유형 블록체인 개요 및 구조 블록체인 메커니즘 및 플랫폼 블록체인 암호 및 인증 Term Project발표 기말고사

Be ambitious! John Sculley Year 2019 is yours !! Steve Jobs said, do you want to sell sugar water for the rest of your life or do you want to come with me and change the world and I just gulped because I knew I would wonder for the rest of my life what I would have missed. Year 2019 is yours !!

Outline Information & Network Security Background Attacks, services and mechanisms Methods of Defense Blockchain & Information Security Concept of blockchain Issues in blockchain Stanrdard in Security

Background What is Information Security? The protection of information and information systems from unauthorised access, use, or disruption

Background Attacked or Compromised System or Data Data theft: Hackers accessing student or employee personal or confidential details; Data loss: Unauthorised entities manipulating or deleting important data; Law suits ; Loss of Reputation Financial loss including recovery expenses.

Introduction Goal Information Security Computer Security Network Services Computer Security Network Security Automated tools for protecting info on the computer Measures to protect data during their transmission on the network

Attacks, Services and Mechanisms Security Attack: Any action that compromises the security of information. Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack. Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.

Security Threats & Attacks A possible danger that might exploit a vulnerability given a Circumstance, Capability, action, or event to breach security and cause harm Attacks An assault on system security that derives from an intelligent threat

Security Threats

Security Threats

Security Threats Interruption: This is a threat on availability Interception: This is a threat on confidentiality Modification: This is a threat on integrity Fabrication: This is a threat on authenticity

Security Attacks • Passive Attack : Attempts to learn or make use of info. from the system, but no affect on system resources - Release of message contents - Traffic analysis • Active Attack : Attempts to data system resources or affect their operations - Masquerade - Replay - Modification of message - Denial of service

Release of Message Contents Sensitive or confidential info needs to be prevented from an opponent who will learn the contents of the there transmissions Darth Read contents of message from Bob to Alice Internet or other comms facility Bob Alice

Internet or other comms facility Traffic Analysis If the contents of msgs are masked or protected by encryption, and opponent might still be able to observe the pattern of msgs, • such as source and dest of communicating hosts, • frequency and length of msgs being exchanged. Darth Observe pattern of messages from Bob to Alice Internet or other comms facility Bob Alice

Internet or other comms facility Masquerade • Taking place when one entity pretends to be a different entity • Enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges. Darth Read contents of message from Bob to Alice Internet or other comms facility Bob Alice

Internet or other comms facility Replay The passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect. Darth Capture message from Bob to Alice; later replay message to Alice Internet or other comms facility Bob Alice

Modification of Message Some portion of legitimate msg altered, delayed, or reordered to produce an unauthorized effect. Darth Darth modifies message from Bob to Alice Internet or other comms facility Bob Alice

Denial of Service The normal use of communications facilities prevented or inhibited, such as • Suppressing all msgs directed to a particular dest. • The disruption of an entire network by disabling the network • The degradation of performance by overloading it with msgs

Security Goals Confidentiality Integrity Availability

Security Service A service that is provided by a protocol layer of communicating open system and that ensures adequate security of the systems or of data transfer Security services implement security policies and are implemented by security mechanisms Classification of the services Authentication - Data Integrity Access control - Nonrepudiation Data confidentiality - Availability

Authentication This service is concerned with assuring that a communication is authentic Data origin authentication (in the case of a single message) The function of the authentication service is to assure the recipient that the message is from the original source. No service on duplication or modification. Peer entity authentication (in a connection-oriented transmission i.e TCP) At the time of connection initiation, the service assures that the two entities are authentic On the way of transmissions, the service assures that the connection is not interfered by a third party to masquerade as one of the entities.

Access Control The prevention of unauthorised use of a resource In the context of network security, this service is the ability to limit and control the access to host systems and applications via communications links. Each entity must be identified or authenticated then, access rights can be tailored to the individual.

Data Confidentiality The protection of transmitted data from passive attacks. Types of data confidentiality Connection confidentiality (all user data on a connection) Connectionless confidentiality (all user data in a single msg.) Selective field confidentiality (specific fields within a use data) Traffic-flow confidentiality (information for traffic flow) ※ The broadest service is better than narrowed service.

Data Integrity To provide the assurance that the received data are exactly the same as the data transmitted by an authorised entity. ※ no modification, insertion, deletion, or replay A connection-oriented / connectionless integrity service Connection-oriented : deals with a stream of messages & assures no duplication, alteration, or replays on the messages. Connectionless : deals with individual messages & provide protection against no modification mly. Integrity service with / without recovery The automated recovery mechanism is more attractive.

Nonrepudiation To prevent either sender or receiver from denying a transmitted message. The sender can prove that the message has been sent to the receiver. The receiver can prove that the message has been transmitted from the sender.

Availability Provides the normal use of a system or system resource Addresses the security concerns raised by denial-of-service attack.

Security Mechanisms Specific Security Mechanisms Implemented in a specific protocol layer. Pervasive Security Mechanisms Not specific to any particular protocol layer or security service.

A Model for Network Security Trusted third party (e.g., arbiter, distributer of secret information) Information channel Security-related transformation Security-related transformation Message Secure Message Secure Message Message Secret information Secret information Opponent

Methods of Defense Encryption Software Controls (access limitations in a data base, in operating system protect each user from other users) Hardware Controls (smartcard) Policies (frequent changes of passwords) Physical Controls

A Recent Security Issue SNI(Server Name Indication)차단 문제에 대하여 - 감청 vs 단지 차단 - 속도위반 단속 카메라 vs 교통정보카메라 편지내용과 편지 봉투 주소 그럼, 차단과 관련된 규정은 만들어 졌는가?

How to block a site (1)

How to block a site (2) 서버 IP 차단 방식 : (1)~(2)번 과정에서 차단. 123.123.123.123과 같은 IP 주소 자체를 차단하는 방식 2. DNS 차단 방식 : (1)~(2)번 과정에서 차단. ISP업체에서 제공하는 DNS서버에 KBS.CO.KR의 IP주소를 묻는 요청이 들어오면 IP주소 123.123.123.123을 가르쳐주는 대신, 차단 사이트(warning.or.kr)의 IP주소를 알려주는 방식​ 3. HTTP 통신 헤더의 호스트 정보를 이용한 차단 방식 : (4)번 과정에서 차단. HTTP 통신을 할때 기본적으로 헤더 영역에 KBS.CO.KR과 같은 호스트 이름이 표시됨 문제점) HTTPS 암호화 통신을 이용하면, 이 정보가 암호화 되므로 이 차단 방식을 무력화시킬수 있음 4. SNI(Server Name Indication) 차단 방식 : ​HTTPS 통신을 하더라도 (암호화가 개시되기 이전의) 핸드셰이킹 과정에서는 <Extension: server_name 필드>에 호스트 이름 KBS.CO.KR이 표시될 수 있음

How to block a site (3) 상세 우회방법 등 상세사항은 “web보안” 6주차 강의시 상세설명예정임

Example of Security System: Blockchain

Blockchain의 본질:정의 데이터 분산 저장 기술의 일종 block 단위의 데이터를 chain처럼 연결하여 저장 저장된 데이터를 모든 사용자에게 분산하여 저장 이러한 분산저장 특성 때문에 분산원장기술 (분산장부기술, Distributed Ledger Technology) 이라고 불리기도 함

Concept of Blockchain What is the blockchain? Cryptography + P2P Sharing + Distributed System

Concept of Blockchain Why is it addressed to “blockchain”? Each block is linked together with chain

Concept of Blockchain Why blockchain is tamper resistant”? More distribution, more attack target? Corrupted file (block) is verified by other blocks Removing the Middle Man with Machine Consensus

Concept of Blockchain Why Game theory? How to validate who will store block and receive incentives? Crypto-coins such as bitcoin, ethereum ,,, are appeared for incentives and proof Under which conditions a transaction – sending money from A to B – is valid. Transaction costs related to sending money from A to B. Game theoretic incentive mechanism for validating transactions with a cryptographic token. Rules of how to change current consensus rules.

사용 예 (Use case) <블록체인 활용 분야> 1. 가상화폐 요금 결제 : 가상화폐(비트코인)를 통한 상품대금 결제 기능 2. P2P 마켓 : P2P 거래의 신뢰성을 블록체인이 부여함 - 기존의 P2P 거래의 경우 거래의 신뢰성을 부여하기 위해 공증기관을 이용하였다. 이로 인해 불필요한 비용과 시간이 소모되었는데 스마트 컨트랙트를 통해 이를 해결할 수 있다. 3. 데이터 보안 : 분산 네트워크를 활용하여 인증 데이터 관리 - 개인정보의 활용을 최소로 하지만 인증의 안전성을 높일 수 있다. 블록체인은 이를 통해 민감한 정보의 활용으로 일어나는 문제를 유연하게 대처할 수 있다. 4. 공급망(물류) : 물품의 추적 및 검수를 실시간으로 가능하게 함 - 실제 물류업계에는 은행, 선주, 관세청 등 많은 계약 당사자가 존재하는데, 이들이 계약을 맺을 때 아직까지도 종이가 사용되고, 변호사가 계약 내용을 보증한 뒤 계약이 활성화되는 경우가 많다. 5. 저작권 관리 : 블록체인을 통해 온라인 저작권을 관리하고자 하는 시도가 많음 - 기존의 디지털 창작물의 경우 원출처를 확인, 보증하거나 확산 상태를 저작자가 관찰하기 어려웠다. 그러나 블록체인을 이용하면 디지털 창작물의 흐름을 파악할 수 있다.

Issues in Blockchain Peer Node Security (Authentication) Optimal Availability Fast PoW Store big data to block in Peers ?

Internet standards and RFCs The Internet society Internet Architecture Board (IAB) Internet Engineering Task Force (IETF) Internet Engineering Steering Group (IESG)

Internet RFC Publication Process

Recommended Reading Pfleeger, C. Security in Computing. Prentice Hall, 1997. Mel, H.X. Baker, D. Cryptography Decrypted. Addison Wesley, 2001.