"If network security matters to you, buy this book." Paul Kocher, Cryptography Research, Inc., co-designer of SSL v3

"Having the right crypto is necessary but not sufficient for having secure communications. It covers the protocols down to the level of packet traces. And it contrasts SSL with other approaches. All this while being technically sound and readable!"
Published (last): 4 October 2019
1.2 The Internet Threat Model

A threat model describes the resources we expect the attacker to have available and the attacks the attacker can be expected to mount. Nearly every security system is vulnerable to some threat or another. To see this, imagine that you keep your papers in a completely unbreakable safe.
Failure to take this important step (settling on an explicit threat model) typically leads to complete deadlock as designers try to figure out how to counter every possible threat.
Designers of Internet security protocols typically share a more or less common threat model. Protecting against attacks where one of the end systems is under the control of the attacker is extraordinarily difficult, if not impossible, so the model assumes that the end systems themselves are secure. This assumption comes with two caveats. First, there should be no single point of failure: if an attacker breaks system A, all communications between B and C should still be safe.
If we must have a single point of failure, it must be possible to harden it against attack. Second, attackers may control systems that attempt to pose as legitimate end systems. Other than that, we assume that the attacker has more or less complete control of the communications channel between any two machines. He can inject packets into the network with arbitrary address information, for both the sender and the receiver, can read any packet that is on the network, and can remove any packet he chooses.
Any packet you send might be modified in transit. An attack that depends on the attacker writing data to the network is known as an active attack. An attack that merely involves reading the data off the network is known as a passive attack. An obvious corollary of the assumption that the attacker can modify traffic is that the attacker can shut down all communications between any pair of machines simply by removing all relevant packets.
This is one form of denial-of-service attack. Another form would be to force you to use up enormous CPU resources responding to connections. No security system is resistant to every attack, so part of the designer's job is to judge which attacks are worth preventing. Failure to make this judgement correctly can easily lead to a situation where no risk is judged acceptable, and thus no acceptable system can be designed. Part of the risk calculation is the effort required by the attacker to mount a given attack, and the cost of the system generally increases with each attack it is designed to prevent.
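The attacker capabilities just listed (read, inject with arbitrary addresses, remove, modify) can be exercised against a toy channel to see which of them a cryptographic integrity check actually defeats. The following is an added example, not code from the book or from any SSL/TLS implementation. It assumes that A and B already share a secret key (the key exchange that establishes it is not modelled) and uses HMAC-SHA256 over the addresses and payload as the integrity mechanism; the hosts, key names, `Wire` class and the sample message are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace
from typing import Callable, List, Tuple

# Constructed keys for the example. A and B share SHARED_KEY; how they agreed on
# it is outside this toy. The attacker has only a key of his own.
SHARED_KEY = secrets.token_bytes(32)
ATTACKER_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes
    tag: bytes  # HMAC-SHA256 over src, dst and payload


def _mac_input(src: str, dst: str, payload: bytes) -> bytes:
    # Length-prefix each field so the attacker cannot shift field boundaries.
    out = b""
    for field in (src.encode(), dst.encode(), payload):
        out += len(field).to_bytes(2, "big") + field
    return out


def seal(src: str, dst: str, payload: bytes, key: bytes) -> Packet:
    tag = hmac.new(key, _mac_input(src, dst, payload), hashlib.sha256).digest()
    return Packet(src, dst, payload, tag)


def verify(pkt: Packet, key: bytes) -> bool:
    expected = hmac.new(key, _mac_input(pkt.src, pkt.dst, pkt.payload),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt.tag)


class Wire:
    """The path between A and B, entirely under the attacker's control."""

    def __init__(self) -> None:
        self.packets: List[Packet] = []

    def send(self, pkt: Packet) -> None:  # honest sender puts a packet on the wire
        self.packets.append(pkt)

    # Attacker capabilities from the threat model:
    def read(self) -> List[Packet]:  # passive: observe every packet
        return list(self.packets)

    def inject(self, pkt: Packet) -> None:  # active: insert a packet with any src/dst
        self.packets.append(pkt)

    def drop(self, pred: Callable[[Packet], bool]) -> None:  # active: remove packets
        self.packets = [p for p in self.packets if not pred(p)]

    def modify(self, fn: Callable[[Packet], Packet]) -> None:  # active: alter packets
        self.packets = [fn(p) for p in self.packets]


def receive(wire: Wire, me: str, key: bytes) -> Tuple[List[bytes], int]:
    """Return (accepted payloads, number of packets for me rejected by the MAC)."""
    accepted, rejected = [], 0
    for p in wire.packets:
        if p.dst != me:
            continue
        if verify(p, key):
            accepted.append(p.payload)
        else:
            rejected += 1
    return accepted, rejected


MSG = b"transfer 100 to C"  # constructed sample message from A to B


def scenario_honest() -> Tuple[List[bytes], int]:
    wire = Wire()
    wire.send(seal("A", "B", MSG, SHARED_KEY))
    return receive(wire, "B", SHARED_KEY)


def scenario_passive() -> bytes:
    """Reading the wire costs the attacker nothing; a MAC hides nothing."""
    wire = Wire()
    wire.send(seal("A", "B", MSG, SHARED_KEY))
    return wire.read()[0].payload


def scenario_modify() -> Tuple[List[bytes], int]:
    """Payload altered in transit: the tag no longer matches and B rejects it."""
    wire = Wire()
    wire.send(seal("A", "B", MSG, SHARED_KEY))
    wire.modify(lambda p: replace(p, payload=b"transfer 100 to M"))
    return receive(wire, "B", SHARED_KEY)


def scenario_inject() -> Tuple[List[bytes], int]:
    """Forged packet claiming src A, tagged with the wrong key: B rejects it."""
    wire = Wire()
    wire.inject(seal("A", "B", b"transfer 100 to M", ATTACKER_KEY))
    return receive(wire, "B", SHARED_KEY)


def scenario_drop() -> Tuple[List[bytes], int]:
    """Every packet for B removed: nothing arrives and nothing is rejected.
    B hears only silence; this is the denial of service the text describes."""
    wire = Wire()
    wire.send(seal("A", "B", MSG, SHARED_KEY))
    wire.drop(lambda p: p.dst == "B")
    return receive(wire, "B", SHARED_KEY)
```

The two active attacks that touch content (modify, inject) are caught because the attacker lacks the shared key, but the passive attack succeeds outright (integrity without confidentiality leaks the payload) and the drop attack is not even visible to the receiver, which is exactly why the threat model treats denial of service as a separate risk to be judged rather than something the protocol's cryptography prevents.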
The function of a security model is to allow designers to determine which attacks are worthwhile to prevent. If an attack that was originally considered impractical is discovered to be simple, then there is a window of vulnerability while people adjust their security models and implementations to compensate.
Source: SSL and TLS: Designing and Building Secure Systems, 1st edition (ISBN-13 9780201615982), section 1.2, The Internet Threat Model.