# Security

Security requires a protection system but also consideration of the external environment.

A system is `secure` if its resources are used and accessed as intended under all circumstances.
Total security cannot be achieved.

Security Violations:

* breach of confidentiality: unauthorized reading of data.
* breach of integrity: unauthorized modification of data.
* breach of availability: unauthorized destruction of data.
* theft of service: unauthorized use of resources.
* denial of service: preventing legitimate use of the system.

Protecting a system:

* Physical: secure physical site and/or computer(s).
* Human: authorization of users. phishing, password re-use.
* Operating system: system must protect itself from security breaches.
* Network: Interception of data, interruption of communication.

Trojan Horse: A code segment that misuses its environment. (e.g. spyware)
Trap door: a hole left in the system usable by the creator of a program.
Logic bomb: code written to detect a certain condition and executes when it occurs.
Buffer Overflow: pop a shell.
Virus: a fragment of code embedded in a legitimate program.
Worm: a process that uses the `spawn` mechanism to duplicate itself.
Port Scanning: detects what ports are open on systems in a network.
Denial of Service: disrupting legitimate use of a system.

Protection mechanisms:

Cryptography: used to constrain the potential senders and/or receivers of a message.
Encryption: used to send messages securely across the network, protect data, files, disks etc.


Encryption algorithm consists of the following components:

* A set of `K` of keys.
* A set of `M` of messages.
* A set of `C` of ciphertexts.
* An encrypting function `E : K -> (M -> C)`
* A decrypting function `D : K -> (C -> M)`

Symmetric Encryption: same key is used to encrypt and decrypt.
Asymmetric Encryption: different encryption and decryption keys.

RSA is the most widely used asymmetric encryption algorithm. (elliptic curves uses shorter keys with same cryptographic strength)

```plaintext
Ke: public_key
Kd: private_key
N: (p * q) # two large prime numbers.

Eke,N(m) = m^ke mod N: encryption
```

Authentication: constraining set of potential senders of a message.

A `hash function` produces a fixed-size block of data called a `message digest` or `hash value` from message `m`.

Authentication algorithms:

* message-authentication code MAC: a crypto checksum is generated from the message using a secret key. The key must be shared to authenticate.
* digital-signature: enable anyone to verify authenticity of a message.


## Key distribution

* out of band: share key via paper or conversation.

digital certificate: is a public key digitially signed by a trusted party.
certificate authority: have their public keys included within web browsers.

## implementation

```plaintext
   ----------------
   | Application  |
   ----------------
   | Presentation |
   ----------------
   | Session      |
   ----------------     -------------
   | Transport    |     | SSL/TLS   |
   ----------------     -------------
   | Network      |     | IPSec/IKE |
   ----------------     -------------
   | Data link    |
   ----------------
   | Physical     |
   ----------------
```