A Multidisciplinary Introduction to Information Security

Computer Science/Computer Engineering/Computing
Series Editor KENNETH H. ROSEN

With most services and products now being offered through digital
communications, new challenges have emerged for information security
specialists. A Multidisciplinary Introduction to Information Security
presents a range of topics on the security, privacy, and safety of information
and communication technology. It brings together methods in pure
mathematics, computer and telecommunication sciences, and social
sciences.
The book begins with the cryptographic algorithms of the Advanced
Encryption Standard (AES) and Rivest, Shamir, and Adleman (RSA). It
explains the mathematical reasoning behind public key cryptography
and the properties of a cryptographic hash function before presenting the
principles and examples of quantum cryptography. The text also describes
the use of cryptographic primitives in the communication process, explains
how a public key infrastructure can mitigate the problem of crypto-key
distribution, and discusses the security problems of wireless network
access. After examining past and present protection mechanisms in the
global mobile telecommunication system, the book proposes a software
engineering practice that prevents attacks and misuse of software. It
then presents an evaluation method for ensuring security requirements
of products and systems, covers methods and tools of digital forensics
and computational forensics, and describes risk assessment as part of the
larger activity of risk management. The final chapter focuses on information
security from an organizational and people point of view.

As our ways of communicating and doing business continue to shift, information
security professionals must find answers to evolving issues. Offering a starting
point for more advanced work in the field, this volume addresses various
security and privacy problems and solutions related to the latest information
and communication technology.

A MULTIDISCIPLINARY INTRODUCTION
TO INFORMATION SECURITY

DISCRETE MATHEMATICS AND ITS APPLICATIONS

Stig F. Mjølsnes


DISCRETE MATHEMATICS AND ITS APPLICATIONS
Series Editor
Kenneth H. Rosen, Ph.D.

R. B. J. T. Allenby and Alan Slomson, How to Count: An Introduction to Combinatorics,
Third Edition
Juergen Bierbrauer, Introduction to Coding Theory
Katalin Bimbó, Combinatory Logic: Pure, Applied and Typed
Donald Bindner and Martin Erickson, A Student’s Guide to the Study, Practice, and Tools of
Modern Mathematics
Francine Blanchet-Sadri, Algorithmic Combinatorics on Partial Words
Richard A. Brualdi and Dragoš Cvetković, A Combinatorial Approach to Matrix Theory and Its
Applications
Kun-Mao Chao and Bang Ye Wu, Spanning Trees and Optimization Problems
Charalambos A. Charalambides, Enumerative Combinatorics
Gary Chartrand and Ping Zhang, Chromatic Graph Theory
Henri Cohen, Gerhard Frey, et al., Handbook of Elliptic and Hyperelliptic Curve Cryptography
Charles J. Colbourn and Jeffrey H. Dinitz, Handbook of Combinatorial Designs, Second Edition
Martin Erickson, Pearls of Discrete Mathematics
Martin Erickson and Anthony Vazzana, Introduction to Number Theory
Steven Furino, Ying Miao, and Jianxing Yin, Frames and Resolvable Designs: Uses,
Constructions, and Existence
Mark S. Gockenbach, Finite-Dimensional Linear Algebra
Randy Goldberg and Lance Riek, A Practical Handbook of Speech Coders
Jacob E. Goodman and Joseph O’Rourke, Handbook of Discrete and Computational Geometry,
Second Edition
Jonathan L. Gross, Combinatorial Methods with Computer Applications
Jonathan L. Gross and Jay Yellen, Graph Theory and Its Applications, Second Edition

Jonathan L. Gross and Jay Yellen, Handbook of Graph Theory
David S. Gunderson, Handbook of Mathematical Induction: Theory and Applications
Richard Hammack, Wilfried Imrich, and Sandi Klavžar, Handbook of Product Graphs,
Second Edition
Darrel R. Hankerson, Greg A. Harris, and Peter D. Johnson, Introduction to Information Theory
and Data Compression, Second Edition
Darel W. Hardy, Fred Richman, and Carol L. Walker, Applied Algebra: Codes, Ciphers, and
Discrete Algorithms, Second Edition

Daryl D. Harms, Miroslav Kraetzl, Charles J. Colbourn, and John S. Devitt, Network Reliability:
Experiments with a Symbolic Algebra Environment
Silvia Heubach and Toufik Mansour, Combinatorics of Compositions and Words
Leslie Hogben, Handbook of Linear Algebra
Derek F. Holt with Bettina Eick and Eamonn A. O’Brien, Handbook of Computational Group Theory
David M. Jackson and Terry I. Visentin, An Atlas of Smaller Maps in Orientable and
Nonorientable Surfaces
Richard E. Klima, Neil P. Sigmon, and Ernest L. Stitzinger, Applications of Abstract Algebra
with Maple™ and MATLAB®, Second Edition
Patrick Knupp and Kambiz Salari, Verification of Computer Codes in Computational Science
and Engineering
William Kocay and Donald L. Kreher, Graphs, Algorithms, and Optimization
Donald L. Kreher and Douglas R. Stinson, Combinatorial Algorithms: Generation Enumeration
and Search
Hang T. Lau, A Java Library of Graph Algorithms and Optimization
C. C. Lindner and C. A. Rodger, Design Theory, Second Edition
Nicholas A. Loehr, Bijective Combinatorics
Alasdair McAndrew, Introduction to Cryptography with Open-Source Software
Elliott Mendelson, Introduction to Mathematical Logic, Fifth Edition
Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, Handbook of Applied
Cryptography
Stig F. Mjølsnes, A Multidisciplinary Introduction to Information Security
Richard A. Mollin, Advanced Number Theory with Applications
Richard A. Mollin, Algebraic Number Theory, Second Edition
Richard A. Mollin, Codes: The Guide to Secrecy from Ancient to Modern Times
Richard A. Mollin, Fundamental Number Theory with Applications, Second Edition
Richard A. Mollin, An Introduction to Cryptography, Second Edition
Richard A. Mollin, Quadratics

Richard A. Mollin, RSA and Public-Key Cryptography
Carlos J. Moreno and Samuel S. Wagstaff, Jr., Sums of Squares of Integers
Dingyi Pei, Authentication Codes and Combinatorial Designs
Kenneth H. Rosen, Handbook of Discrete and Combinatorial Mathematics
Douglas R. Shier and K.T. Wallenius, Applied Mathematical Modeling: A Multidisciplinary
Approach
Alexander Stanoyevitch, Introduction to Cryptography with Mathematical Foundations and
Computer Implementations
Jörn Steuding, Diophantine Analysis
Douglas R. Stinson, Cryptography: Theory and Practice, Third Edition
Roberto Togneri and Christopher J. deSilva, Fundamentals of Information Theory and Coding
Design
W. D. Wallis, Introduction to Combinatorial Designs, Second Edition
W. D. Wallis and J. C. George, Introduction to Combinatorics
Lawrence C. Washington, Elliptic Curves: Number Theory and Cryptography, Second Edition

DISCRETE MATHEMATICS AND ITS APPLICATIONS
Series Editor KENNETH H. ROSEN


A MULTIDISCIPLINARY
INTRODUCTION TO

INFORMATION
SECURITY

Stig F. Mjølsnes
Norwegian University of Science & Technology
Trondheim


The cover illustration and all the chapter opener illustrations are original drawings by Hannah Mjølsnes. Copyright 2011.

CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2012 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Version Date: 20111012
International Standard Book Number-13: 978-1-4665-0651-0 (eBook - PDF)
This book contains information obtained from authentic and highly regarded sources. Reasonable
efforts have been made to publish reliable data and information, but the author and publisher cannot
assume responsibility for the validity of all materials or the consequences of their use. The authors and
publishers have attempted to trace the copyright holders of all material reproduced in this publication
and apologize to copyright holders if permission to publish in this form has not been obtained. If any
copyright material has not been acknowledged please write and let us know so we may rectify in any
future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced,
transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or
hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com or contact the Copyright Clearance Center, Inc. (CCC), 222
Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are
used only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at

and the CRC Press Web site at



Preface

Information security is a truly multidisciplinary field of study, ranging from
the methods of pure mathematics through computer and telecommunication
sciences to social sciences. The intention of this multi-authored book is to offer
an introduction to a wide set of topics in ICT information security, privacy,
and safety. Certainly, the aim has not been to present a complete treatment of
this vast and expanding area of practical and theoretical knowledge. Rather,
my hope is that the selected range of topics presented here may attract a wider
audience of students and professionals than would each specialized topic by
itself.
Some of the information security topics contained in this book may be
familiar turf for the reader already. However, the reader will likely find some
new relevant topics presented here that can enhance his or her professional
knowledge and competence, or serve as an attractive starting point for further
reading and in-depth studies. For instance, the book may provide an entrance
and a guide to seek out more specialized courses available at universities or
inspire further work in projects and assignments.
The start of this collection of information security topics goes back to a
master-level continuing education course that I organized in 2005, where more
than 10 professors and researchers contributed from six different departments
at the Norwegian University of Science and Technology. The topics included
cryptography, hardware security, software security, communication and network security, intrusion detection systems, access policy and control, risk and
vulnerability analysis, and security technology management. The compendium
of the lecturers’ presentations then grew into a book initiative taken on by
the Norwegian University of Science and Technology’s Strategic Research Programme Committee for Information Security, which I was heading. And more
authors were asked to contribute with hot topics as this project grew.
The topics and chapters in this book could have been ordered by many
reasonable and acceptable principles. I chose to start with the basic components of hardware and algorithms, move toward integration and systems, and
end with a chapter on human factors in these systems.
Many interdependencies and some overlap exist between the chapters, of
course, for instance, the electronic hardware realizations in Chapter 1 and the
public-key algorithms in Chapter 2, so a total linear sequence of the chapters
in this respect has not been possible to set. The index at the back of the book
is meant to be a helpful guide to find all chapters and locations that deal with
a specific keyword or problem issue.
The book’s cover drawing and all chapter front drawings are made especially for this book by Hannah Mjølsnes. This process went something like
this. First, I tried to explain in simple words what the chapter was about, and
then she made some pencil sketches of illustration ideas that we discussed.
At a later stage, she worked out the complete illustrations on drawing paper,
digitized these by scanning, and finally did the necessary postprocessing of
the digital images for use in this book.
Acknowledgments
I wish to thank all the contributing authors for their effort and positive attitude toward this book project. Some of this sure took a while! Thank you
to all the technical reviewers for your time and valuable recommendations to
improve the text. None mentioned, none forgotten. Thanks to PhD students
Anton Stolbunov and Mauritz Panggebean who assisted me in typesetting the
manuscripts and bibliographies from authors not versed in LaTeX. A big hug
to fine art student Hannah Mjølsnes for all the amusing and diverting artwork
you made for this book.
I am most grateful to the CRC representative Robert B. Stern who accepted this book project back then, for his patient and considerate guidance
and excellent recommendations throughout the years. I would also like to
thank the rest of the people I communicated with in the publication process
at Taylor and Francis Group: Amber Donley, Scott Hayes, Jim McGovern,
Katy Smith; all your requests and advice were clear, professional and understandable.
Stig Frode Mjølsnes


Contributors

Einar Johan Aas
Department of Electronics and Telecommunications
Norwegian University of Science and Technology, Trondheim

Eirik Albrechtsen
Department of Industrial Economy and Technology Management
Norwegian University of Science and Technology, Trondheim


Jan Arild Audestad
Department of Telematics
Norwegian University of Science and Technology, Trondheim
Gjøvik University College, Gjøvik

Martin Eian
Department of Telematics
Norwegian University of Science and Technology, Trondheim

Danilo Gligoroski
Department of Telematics
Norwegian University of Science and Technology, Trondheim

Stein Haugen
Department of Production and Quality Engineering
Norwegian University of Science and Technology, Trondheim

Dag Roar Hjelme
Department of Electronics and Telecommunications
Norwegian University of Science and Technology, Trondheim


Jan Hovden
Department of Industrial Economy and Technology Management
Norwegian University of Science and Technology, Trondheim

Martin Gilje Jaatun
Department of Software Engineering, Safety and Security
SINTEF ICT, Trondheim

Jostein Jensen
Department of Software Engineering, Safety and Security
SINTEF ICT, Trondheim

Per Gunnar Kjeldsberg
Department of Electronics and Telecommunications
Norwegian University of Science and Technology, Trondheim

Svein Johan Knapskog
Department of Telematics
Norwegian University of Science and Technology, Trondheim

Lars Lydersen
Department of Electronics and Telecommunications
Norwegian University of Science and Technology, Trondheim

Vadim Makarov
University Graduate Center, Kjeller

Per Håkon Meland
Department of Software Engineering, Safety and Security
SINTEF ICT, Trondheim


Stig Frode Mjølsnes
Department of Telematics
Norwegian University of Science and Technology, Trondheim



Sverre Olaf Smalø
Department of Mathematical Sciences
Norwegian University of Science and Technology, Trondheim

Inger Anne Tøndel
Department of Software Engineering, Safety and Security
SINTEF ICT, Trondheim

Svein Yngvar Willassen
Department of Telematics
Norwegian University of Science and Technology, Trondheim




List of Figures

1.1 Categories of unwanted events that can happen to a system.

2.1 The RL binary method.
2.2 Excerpts of a Log file generated by the synthesizer Xilinx ISE.
2.3 Throughput [messages/second] as a function of message and key length.
2.4 AES encryption and decryption
2.5 Cycle-count for AES implemented in software
2.6 Delay in ns through hardware datapath

4.1 A graphical presentation of the strengthened Merkle-Damgård iterated hash design.
4.2 A graphical presentation of the herding attack.
4.3 A graphical presentation of the Double-pipe iterated hash design.
4.4 A graphical presentation of the HAIFA iterated hash design.
4.5 A graphical presentation of the sponge iterated hash design.
4.6 A graphical presentation of the signing process.
4.7 A graphical presentation of the verification process of the signed document.

5.1 Classical versus quantum bit
5.2 Qubit as a polarized photon
5.3 Using quantum key distribution in a symmetric encryption scheme
5.4 BB84 protocol using polarized light
5.5 Classical post-processing in quantum key distribution
5.6 Commercial quantum cryptography vintage 2010

6.1 Strong security primitives (e.g., bike lock and rack-in-ground) are necessary but not sufficient for securing a (bike-) system
6.2 The Diffie-Hellman key exchange protocol.
6.3 The Fiat-Shamir identification protocol
6.4 End-to-end key distribution protocol using a trusted third party in the network and two provably secure cryptographic primitives.
6.5 An active attack on the key distribution protocol.
6.6 The Needham-Schroeder public key based authentication protocol.
6.7 Lowe’s fix of the Needham-Schroeder protocol.

7.1 A signature chain of three public key certificates, including the root certificate with a self-signature.
7.2 An example of an X.509v3 certificate of an RSA public key of length 1024 bits.

8.1 The IEEE 802.11 infrastructure mode.
8.2 An IEEE 802.11 frame.
8.3 A high-level view of the 802.11 connection process.
8.4 An encrypted and integrity protected CCMP frame.

9.1 3G architecture.
9.2 Security in 3G.
9.3 Security functions in the authentication center.
9.4 Security functions in the USIM.
9.5 Organization of the radio channel in GSM.
9.6 Stream cipher in GSM.
9.7 The A5/1 generator.
9.8 Encryption.
9.9 Keystream generation.
9.10 Derivation of message integrity code (MAC).
9.11 Integrity algorithm in 3G.
9.12 Location updating, connection setup, and anonymity.
9.13 Anonymous roaming.
9.14 Session authentication using GSM/3G.
9.15 Authentication of browser using one time password over SMS.
9.16 EAP-SIM authentication.

10.1 The main phases of the SODA approach to secure software engineering.
10.2 Result of the brainstorming session.
10.3 Misuse case diagram for a publicly available web application.
10.4 Attack tree detailing an attack on a web server.
10.5 Core requirements phase.
10.6 Software security testing cycle.

11.1 General model for evaluation.
11.2 Generic hierarchy for the assurance components.
11.3 EAL 1–7 described by assurance components.
11.4 The ToC of a certification report for a Firewall PP.
11.5 The ToC of a security target (ST) for a TOE.
11.6 The structure of the assurance class ASE–security target evaluations.
11.7 Relationship between CC and CEM structures.

13.1 Overview of risk management process.
13.2 Illustration of key terms.
13.3 The overall process of risk analysis and evaluation.

14.1 Risk governance framework based on Orwin Renn’s book
14.2 The socio-technical system involved in risk management in a dynamic society
14.3 Formal and informal information security management.
14.4 Individual information security performance explained by organizational aspects
14.5 Information security measures directed at users



List of Tables

2.1 Execution of the RL binary method
2.2 Results from synthesis with Xilinx ISE 9.2
2.3 Comparison of Sbox implementations
2.4 Comparison of software and software/hardware solution

4.1 Theoretical facts or knowledge versus practical requirements for cryptographic hash functions
4.2 A generic description of the strengthened Merkle-Damgård iterated hash design
4.3 The 12 PGV schemes that can construct a collision-resistant compression function from a block cipher
4.4 The multicollision attack of Joux on the Merkle-Damgård iterated hash design
4.5 Two essential parts of the digital signatures: Signing and Verification process
4.6 A list of applications where hash functions are used

10.1 Asset prioritization table
10.2 Asset prioritization table
10.3 Calculated asset ranking
10.4 Examples of design principles
10.5 Security pattern examples
10.6 Checklist for security review
10.7 Approaches to security testing


Contents

1 Introduction
S. F. Mjølsnes
1.1 Motivation
1.2 What Is Information Security?
1.3 Some Basic Concepts
1.3.1 The Communication Perspective
1.3.2 The Shared Computer Perspective
1.4 A Synopsis of the Topics
1.4.1 The Book Structure
1.4.2 Security Electronics
1.4.3 Public Key Cryptography
1.4.4 Hash Functions
1.4.5 Quantum Cryptography
1.4.6 Cryptographic Protocols
1.4.7 Public Key Infrastructure
1.4.8 Wireless Network Access
1.4.9 Mobile Security
1.4.10 Software Security
1.4.11 ICT Security Evaluation
1.4.12 ICT and Forensic Science
1.4.13 Risk Assessment
1.4.14 The Human Factor
1.5 Further Reading and Web Sites
Bibliography

2 Security Electronics
E. J. Aas and P. G. Kjeldsberg
2.1 Introduction
2.2 Examples of Security Electronics
2.2.1 RSA as Hardwired Electronics
2.2.2 AES as Hardwired Electronics
2.2.3 Examples of Commercial Applications
2.3 Side Channel Attacks
2.4 Summary
2.5 Further Reading and Web Sites
Bibliography

3 Public Key Cryptography
S. O. Smalø
3.1 Introduction
3.2 Hash Functions and One Time Pads
3.3 Public Key Cryptography
3.4 RSA-Public Key Cryptography
3.5 RSA-Public-Key-Cryptography with Signature
3.6 Problem with Signatures
3.7 Receipt
3.8 Secret Sharing Based on Discrete Logarithm Problems
3.9 Further Reading
Bibliography

4 Cryptographic Hash Functions
D. Gligoroski
4.1 Introduction
4.2 Definition of Cryptographic Hash Function
4.3 Iterated Hash Functions
4.3.1 Strengthened Merkle-Damgård Iterated Design
4.3.2 Hash Functions Based on Block Ciphers
4.3.3 Generic Weaknesses of the Merkle-Damgård Design
4.3.4 Wide Pipe (Double Pipe) Constructions
4.3.5 HAIFA Construction
4.3.6 Sponge Functions Constructions
4.4 Most Popular Cryptographic Hash Functions
4.4.1 MD5
4.4.2 SHA-1
4.4.3 SHA-2
4.4.4 NIST SHA-3 Hash Competition
4.5 Application of Cryptographic Hash Functions
4.5.1 Digital Signatures
4.5.2 Other Applications
4.6 Further Reading and Web Sites
Bibliography

5 Quantum Cryptography
D. R. Hjelme, L. Lydersen, and V. Makarov
5.1 Introduction
5.2 Quantum Bit
5.3 Quantum Copying
5.4 Quantum Key Distribution
5.4.1 The BB84 Protocol
5.4.2 The BB84 Protocol Using Polarized Light
5.5 Practical Quantum Cryptography
5.5.1 Loss of Photons
5.5.2 Error Correction and Privacy Amplification
5.5.3 Security Proofs
5.5.4 Authentication
5.6 Technology
xxi
5.6.1 Single Photon Sources
5.6.2 Single Photon Detectors
5.6.3 Quantum Channel
5.6.4 Random Number Generator
5.7 Applications
5.7.1 Commercial Application of Quantum Cryptography
5.7.2 Commercial Systems with Dual Key Agreement
5.7.3 Quantum Key Distribution Networks
5.8 Summary
5.9 Further Reading and Web Sites
Bibliography

6 Cryptographic Protocols
S. F. Mjølsnes
6.1 The Origins
6.2 Information Policies
6.3 Some Concepts
6.3.1 Primitives and Protocols
6.3.2 Definitions
6.3.3 The Protocol as a Language
6.3.4 Provability
6.3.5 Modeling the Adversary
6.3.6 The Problem of Protocol Composition
6.4 Protocol Failures
6.4.1 Reasons for Failure
6.4.2 An Example of Protocol Failure
6.5 Heuristics
6.5.1 Simmons’ Principles
6.5.2 Separation of Concerns
6.5.3 More Prudent Engineering Advice
6.6 Tools for Automated Security Analysis
6.7 Further Reading and Web Sites
Bibliography

7 Public Key Distribution
S. F. Mjølsnes
7.1 The Public Key Distribution Problem
7.2 Authenticity and Validity of Public Keys
7.3 The Notion of Public Key Certificates
7.3.1 Certificates
7.3.2 Public Key Certificates
7.3.3 Certificate Data Structures
7.3.4 Chain of Certificates
7.4 Revocation
7.4.1 The Problem of Revocation
7.4.2 The CRL Data Structure
7.5 Public Key Infrastructure
7.6 Identity-Based Public Key
7.7 Further Reading and Web Sites
Bibliography

8 Wireless Network Access
S. F. Mjølsnes and M. Eian
8.1 Introduction
8.2 Wireless Local Area Networks
8.2.1 The Standard
8.2.2 The Structure
8.2.3 Message Types
8.3 The 802.11 Security Mechanisms
8.4 Wired Equivalent Privacy
8.4.1 RSN with TKIP
8.5 RSN with CCMP
8.5.1 Security Services
8.5.2 Authentication
8.5.3 Data Confidentiality
8.5.4 Key Management
8.5.5 Data Origin Authenticity
8.5.6 Replay Detection
8.5.7 Summary of Security Services
8.6 Assumptions and Vulnerabilities
8.7 Summary
8.8 Further Reading and Web Sites
Bibliography

9 Mobile Security
J. A. Audestad
9.1 GSM Security
9.2 3G Architecture
9.3 Extent of Protection
9.4 Security Functions in the Authentication Center
9.4.1 3G
9.4.2 GSM
9.5 Security Functions in the SGSN/RNC
9.6 Security Functions in the Mobile Terminal (USIM)
9.7 Encryption and Integrity
9.7.1 Encryption in GSM (A5/1)
9.7.2 Encryption in 3G
9.7.2.1 Method
9.7.2.2 Keystream Generation Algorithm
9.7.2.3 Initialization of the Keystream Generator
9.7.2.4 Production of the Keystream
9.7.3 Integrity in 3G
9.8 Anonymity
9.9 Example: Anonymous Roaming in a Mobile Network
9.9.1 Procedure
9.9.2 Information Stored
9.9.3 Prevention of Intrusion
9.9.3.1 The Mobile Terminal Is an Impostor
9.9.3.2 Both the Mobile Terminal and the Home Network Are Impostors
9.9.3.3 The Foreign Network Is an Impostor
9.10 Using GSM/3G Terminals as Authentication Devices
9.10.1 Architecture
9.10.2 One Time Password
9.10.3 The Extensible Authentication Protocol (EAP)
9.11 Further Reading
Bibliography

10 A Lightweight Approach to Secure Software Engineering
M. G. Jaatun, J. Jensen, P. H. Meland and I. A. Tøndel
10.1 Introduction
10.2 Assets
10.2.1 Asset Identification
10.2.2 Asset Identification in Practice
10.2.2.1 Key Contributors
10.2.2.2 Step 1: Brainstorming
10.2.2.3 Step 2: Assets from Existing Documentation
10.2.2.4 Step 3: Categorization and Prioritization
10.2.3 Example
10.3 Security Requirements
10.3.1 Description
10.3.2 Security Objectives
10.3.3 Asset Identification
10.3.4 Threat Analysis and Modeling
10.3.5 Documentation of Security Requirements
10.3.6 Variants Based on Specific Software Methodologies
10.3.7 LyeFish Example Continued
10.4 Secure Software Design
10.4.1 Security Architecture
10.4.2 Security Design Guidelines
10.4.2.1 Security Design Principles
10.4.2.2 Security Patterns
10.4.3 Threat Modeling and Security Design Review
10.4.4 Putting It into Practice – More LyeFish
10.4.4.1 Applying Security Design Principles
10.4.4.2 Making Use of Security Design Patterns
10.4.4.3 Make Use of Tools for Threat Modeling
10.4.4.4 Performing Security Review
10.5 Testing for Software Security
10.5.1 Background
10.5.2 The Software Security Testing Cycle
10.5.3 Risk-Based Security Testing
10.5.4 Managing Vulnerabilities in SODA
10.5.5 Example – Testing LyeFish
10.6 Summary
10.7 Further Reading and Web Sites
Bibliography

11 ICT Security Evaluation
S. J. Knapskog
11.1 Introduction
11.2 ISO/IEC 15408, Part 1/3 Evaluation Criteria for IT Security (CC)
11.2.1 The Development of the Standard
11.2.2 Evaluation Model
11.2.3 Security Requirements
11.3 Definition of Assurance
11.4 Building Confidence in the Evaluation Process
11.5 Organizing the Requirements in the CC
11.6 Assurance Elements
11.7 Functional Classes
11.8 Protection Profiles (PPs)
11.9 Protection Profile Registries
11.10 Definition of a Security Target (ST)
11.11 Evaluation of a Security Target (ST)
11.12 Evaluation Schemes
11.13 Evaluation Methodology
11.14 Summary
11.15 Further Reading and Web Sites
Bibliography

12 ICT and Forensic Science
S. F. Mjølsnes and S. Y. Willassen
12.1 The Crime Scene
12.2 Forensic Science and ICT
12.3 Evidence
12.3.1 Judicial Evidence
12.3.2 Digital Evidence
12.3.3 Evidential Reasoning
12.3.4 Lack of Evidence
12.4 The Digital Investigation Process
12.5 Digital Evidence Extraction
12.5.1 Sources of Digital Evidence
12.5.2 Extraction
12.6 Digital Evidence Analysis Techniques
12.7 Anti-Forensics
12.8 Further Reading and Web Sites
Bibliography


13 Risk Assessment
S. Haugen
13.1 Risk Assessment in the Risk Management Process
13.2 Terminology
13.2.1 Risk
13.2.2 Vulnerability
13.2.3 Hazards, Threats, Sources, and Events
13.2.4 Risk Analysis, Risk Evaluation, and Risk Assessment
13.3 Main Elements of the Risk Assessment Process
