Introduction to Security Challenges:
Terminology

Assets and Risks:

Example: your databases

Authentication:

Example of authentication mechanisms:

Prompt for user id/password, then compare to encrypted password database

• How to authenticate without sending user name/password over Internet
• Someone could monitor network traffic and collect user names/passwords sent as clear text
• How to authenticate a client host
• Someone could program their computer with your computer's IP address ("spoofing")
• If your computer remotely mounts a Unix disk (via NFS), so could the "spoofing" computer
• How do I know when I connect to a Web site who operates the site?
• Someone could spoof the IP address of a Web server, and then deliver bogus Web pages or invalid Java applets to your Web browser
• Anyone can buy an Internet domain name. How do we know whether the name corresponds to the enterprise we expect it to?
• Is www.walmart.com really Wal-Mart?
• I could buy "www.navy.com" and put up information that looks a U.S. Navy site, but isn't. (After all, www.army.com is an official U.S. Army web site.)

Confidentiality:

• Protect private communication between two Internet hosts?
• Ensure that Internet message you sent me wasn't modified by someone else?
• Be sure that document I see in my Web browser is same as copy on server?

Authorization: