Computer English
Chapter 10 Computer and Network Security

Key points: useful terms and definitions of computer security
Difficult points: comparison of four kinds of computer security breaches

Requirements:
1. Principle of easiest penetration
2. The kinds of computer security breaches
3. What a firewall is
4. Understand how the titles of scientific and technical papers are written

New Words & Expressions:
breach: damage; gap
involve: include; concern (may also be left untranslated)
depositor: one who entrusts (deposits) something
vulnerability: weakness; attack
perimeter: surroundings; periphery
penetrate (vt.): break through; attack
exposure: exposure; disclosure
threat (n.): threat; intimidation
asset: asset
interruption: interruption; break
interception: interception
modification: modification
fabricate (v.): forge
tamper (v.): tamper with; meddle; interfere
spurious (adj.): false

10.1 Characteristics of Computer Intrusion and Kinds of Security Breaches

10.1.1 Characteristics of Computer Intrusion

Principle of Easiest Penetration. An intruder must be expected to use any available means of penetration. This will not necessarily be the most obvious means, nor will it necessarily be the one against which the most solid defense has been installed.

This principle says that computer security specialists must consider all possible means of penetration, because strengthening one may just make another means more appealing to intruders. We now consider (think over) what these means of penetration are.
10.1.2 KINDS OF SECURITY BREACHES

In security, an exposure is a form of possible loss or harm in a computing system; examples of exposures are unauthorized disclosure of data, modification of data, or denial (refusal) of legitimate access to computing. A vulnerability is a weakness in the security system that might be exploited (made use of; developed) to cause loss or harm.

A human who exploits a vulnerability perpetrates (vt.: commit a crime; do wrong) an attack on the system. Threats to computing systems are circumstances that have the potential to cause loss or harm; human attacks are examples of threats, as are natural disasters, inadvertent (inattentive; negligent; careless; unintentional) human errors, and internal hardware or software flaws. Finally, a control is a protective measure (an action, a device, a procedure, or a technique) that reduces a vulnerability.

advertent (adj.): attentive; heedful

The major assets of computing systems are hardware, software, and data. There are four kinds of threats to the security of a computing system: interruption, interception, modification, and fabrication. The four threats all exploit vulnerabilities of the assets in computing systems. These four threats are shown in Fig. 10-1.

Fig. 10-1 Four classes of System Security Failures
(1) In an interruption, an asset of the system becomes lost or unavailable or unusable. An example is malicious (ill-intentioned) destruction of a hardware device, erasure of a program or data file, or failure of an operating system file manager so that it cannot find a particular disk file.

(2) An interception means that some unauthorized party has gained access to an asset. The outside party can be a person, a program, or a computing system. Examples of this type of failure are illicit copying of program or data files, or wiretapping (tapping a line to eavesdrop) to obtain data in a network. While a loss may be discovered fairly quickly, a silent interceptor may leave no traces by which the interception can be readily detected.

(3) If an unauthorized party not only accesses but tampers with an asset, the failure becomes a modification. For example, someone might modify the values in a database, alter a program so that it performs an additional computation, or modify data being transmitted electronically. It is even possible for hardware to be modified. Some cases of modification can be detected with simple measures, while other more subtle changes may be almost impossible to detect.

(4) Finally, an unauthorized party might fabricate (forge) counterfeit objects for a computing system. The intruder may wish to add spurious transactions to a network communication system, or add records to an existing data base. Sometimes these additions can be detected as forgeries, but if skillfully done, they are virtually indistinguishable from the real thing.

counterfeit: (v.) forge, imitate; (adj.) forged, fake; (n.) a fake
forgery (n.): forgery; a forged item

These four classes of interference with computer activity (interruption, interception, modification, and fabrication) can describe the kinds of exposures possible [2].

New Words & Expressions:
cryptography (n.): cryptography; the technique of ciphers
encryption: encryption
cipher (n., v.): cipher (key); write in cipher
decrypt (v.): decrypt
transit: passage; transport
plaintext (n.): plaintext
cyphertext (n.): ciphertext
scheme (n.): plan; scheme
secret-key: secret key
public-key: public key
symmetric (adj.): symmetric
data integrity: data integrity
session key: session key
crack (v.): break open; crack
hacker: hacker; computer thief
encode (v.): encode
triple-encryption: triple encryption
built-in: inherent
state-of-the-art: latest
proliferate (v.): multiply; spread

10.2 Modern Cryptography - Data Encryption

Abbreviations:
DES (Data Encryption System)
DCE (Distributed Computing Environment)

If the receiver of the encrypted data wants to read the original data, the receiver must convert it back to the original through a process called decryption. Decryption is the inverse of the encryption process. In order to perform the decryption, the receiver must be in possession of a special piece of data called the key.

The two main competing cryptography schemes are known as the secret-key (symmetric) system and the public-key (asymmetric) system. The secret-key system uses a single, wholly secret sequence both to encrypt and to decrypt messages. The public-key system uses a pair of mathematically related sequences, one each for encryption and decryption [1].

Secret-key encryption

One of the most popular secret-key encryption schemes is IBM's Data Encryption System (DES), which became the U.S. federal standard in 1977. The standard form uses a 56-bit key to encrypt 64-bit data blocks.

The following is a notation for relating plaintext, ciphertext, and keys. We will use C = E_k(P) to mean that the encryption of the plaintext P using key k gives the ciphertext C. Similarly, P = D_k(C) represents the decryption of C to get the plaintext again. It then follows that D_k(E_k(P)) = P.

DES has been studied by many of the world's leading cryptographers, but no weaknesses have been uncovered. To crack a DES-encrypted message a hacker or commercial spy would need to try 2^55 possible keys. This type of search would need days of computer time on the world's fastest supercomputers. Even then, the message may not be cracked if the plaintext is not easily understood [2].

Developers using DES can improve security by changing the keys frequently, using temporary session keys, or using triple-encryption DES. With triple DES, each 64-bit block is encrypted under three different DES keys. Recent research has confirmed that triple-DES is indeed more secure than single-DES. The User Data Masking Encryption Facility is an export-grade algorithm substituted for DES in several IBM products, such as the Distributed Computing Environment (DCE) [3].

Public-key encryption

The key distribution problem has always been the weak link in the secret-key systems. Since the encryption key and decryption key are the same (or easily derived from one another) and the key has to be distributed to all users of the system, it seemed as if there was an inherent built-in problem: keys had to be protected from theft, but they also had to be distributed, so they could not just be locked up in a bank vault.

Encryption can be used to protect data in transit as well as data in storage. Some vendors (sellers; manufacturers) provide hardware encryption devices that can be used to encrypt and decrypt data. There are also software encryption packages which are available either commercially or as free software.

Encryption can be defined as the process of taking information that exists in some readable form (plaintext) and converting it into a form (ciphertext) so that it cannot be understood by others.

In a public key cryptosystem, the encryption and decryption keys are different, and plaintext encrypted with the public key can only be deciphered with the private key from the same pair. Conversely, plaintext encrypted with the private key can be decrypted only with the public key [4] (it is used in electronic signatures). The notations for these are as follows.

C = E_k(P), P = D_k1(C) = D_k1(E_k(P))
or
C = D_k1(P), P = E_k(C) = E_k(D_k1(P))

Here k is a public key and k1 is a private key (or secret key). Users can make their public keys freely available or place them at a key distribution center for others to access. However, the private key must be kept safe. In public-key systems there is no need to find a safe channel for communicating a shared secret key.
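The two notations above, worked through as an added example (not code from the textbook): a toy four-round Feistel network stands in for E_k and D_k of the secret-key case (DES itself is a 16-round Feistel design), and textbook RSA with tiny constructed primes stands in for the key pair k and k1. The function names, round function and key values are assumptions chosen for illustration and give no real security.

```python
import hashlib

# Secret-key case: one key k serves both directions, so D_k(E_k(P)) = P.
def _round(half, subkey):
    # Toy round function (assumption): 32 bits of SHA-256(subkey || half).
    digest = hashlib.sha256(subkey + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def _feistel(block, keys):
    left, right = block >> 32, block & 0xFFFFFFFF
    for sk in keys:
        left, right = right, left ^ _round(right, sk)
    return (right << 32) | left      # final swap makes the network its own inverse

def subkeys(k, rounds=4):
    return [k + bytes([i]) for i in range(rounds)]

def E(k, p):                         # C = E_k(P) on one 64-bit block
    return _feistel(p, subkeys(k))

def D(k, c):                         # P = D_k(C): same rounds, subkeys reversed
    return _feistel(c, subkeys(k)[::-1])

# Public-key case: k = (e, n) is public, k1 = (d, n) is private.
def rsa_keypair(p=61, q=53, e=17):   # constructed toy primes
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # modular inverse, Python 3.8+
    return (e, n), (d, n)

def apply_key(key, m):               # E_k and D_k1 are the same modular power
    exp, n = key
    return pow(m, exp, n)

def demo():
    k, P = b"56bitky", 0x0123456789ABCDEF   # constructed 56-bit key, 64-bit block
    C = E(k, P)
    pub, priv = rsa_keypair()
    m = 65                                   # constructed message, must be < n
    return {
        "secret_roundtrip": D(k, C) == P,                    # D_k(E_k(P)) = P
        "wrong_key": D(b"56bitkz", C) == P,                  # a different k fails
        "confidential": apply_key(priv, apply_key(pub, m)),  # D_k1(E_k(P)) = P
        "signature": apply_key(pub, apply_key(priv, m)),     # E_k(D_k1(P)) = P
    }

if __name__ == "__main__":
    print(demo())
```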
10.3 How Firewalls Work

New Words & Expressions:
firewall (n.): firewall
offensive (adj.): rude; aggressive
hacker (n.): hacker
filter (v.): filter; percolate; seep in
private: private; secretly
packet (n.): small package; information packet
employee (n.): staff member; hired worker
telnet (n.): remote login
traffic (n.): traffic volume
proxy (n.): proxy
retrieve (v.): retrieve
match (n.): comparison; match; conformity
customizable: customizable
block (n.): hindrance; obstruction
port (n.): port
bug (n.): fault; (program) error
unsolicited (adj.): offered on one's own initiative
junk (n.): garbage; useless data
spam (n.): junk e-mail
counter (v.): strike back; reject
session (n.): session
inundate (v.): flood; submerge
macro: (computing) macro instruction; macro function
virus (n.): virus

Abbreviations:
HTTP (Hypertext Transfer Protocol)
FTP (File Transfer Protocol)
SMTP (Simple Mail Transfer Protocol)
ICMP (Internet Control Message Protocol)

A small home network has many of the same security issues that a large corporate network does. You can use a firewall to protect your home network and family from offensive Web sites and potential hackers.

Basically, a firewall is a barrier to keep destructive forces away from your property. In fact, that's why it's called a firewall. Its job is similar to a physical firewall that keeps a fire from spreading from one area to the next.

What it does

A firewall is simply a program or hardware device that filters the information coming through the Internet connection into your private network or computer system. If an incoming packet of information is flagged by the filters, it is not allowed through.

Firewalls use one or more of three methods to control traffic flowing in and out of the network:

(1) Packet filtering: Packets (small chunks of data) are analyzed against a set of filters. Packets that make it through the filters are sent to the requesting system and all others are discarded.

(2) Proxy service: Information from the Internet is retrieved by the firewall and then sent to the requesting system and vice versa.

(3) Stateful inspection: A newer method that doesn't examine the contents of each packet but instead compares certain key parts of the packet to a database of trusted information. Information traveling from inside the firewall to the outside is monitored for specific defining characteristics, then incoming information is compared to these characteristics. If the comparison yields (produces; submits to) a reasonable match, the information is allowed through. Otherwise it is discarded.

The level of security you establish will determine how many of these threats can be stopped by your firewall. The highest level of security would be to simply block everything. Obviously that defeats the purpose of having an Internet connection.

But a common rule of thumb (共同法
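Packet filtering and stateful inspection, methods (1) and (3) above, side by side in an added example that is not part of the original slides: a static rule checks header fields only, while a state table records flows opened from inside and admits only inbound packets that match one. The address range, blocked port, class and function names are assumptions, and connection timeouts and TCP flags are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

INSIDE_PREFIX = "192.168.1."     # constructed home-network range (assumption)
BLOCKED_OUT_PORTS = {23}         # static filter rule: no outbound telnet

class Firewall:
    def __init__(self):
        self.state = set()       # flows that were opened from the inside

    def _inside(self, ip):
        return ip.startswith(INSIDE_PREFIX)

    def check(self, pkt):
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            # Method (1), packet filtering: a fixed rule on header fields.
            if pkt.dport in BLOCKED_OUT_PORTS:
                return "drop: filter rule"
            # Method (3), stateful inspection: record the flow's defining fields.
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow: outbound"
        if self._inside(pkt.dst) and not self._inside(pkt.src):
            # Inbound traffic is compared with recorded flows, endpoints reversed.
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "allow: matches state" if key in self.state else "drop: unsolicited"
        return "ignore: not crossing the firewall"

def run_sample():
    fw = Firewall()
    packets = [  # constructed sample traffic (203.0.113.0/24 is a documentation range)
        Packet("192.168.1.10", 50000, "203.0.113.5", 80),   # outbound HTTP request
        Packet("203.0.113.5", 80, "192.168.1.10", 50000),   # its reply
        Packet("203.0.113.9", 80, "192.168.1.10", 50000),   # same ports, other host
        Packet("192.168.1.10", 50001, "203.0.113.5", 23),   # outbound telnet
        Packet("203.0.113.5", 23, "192.168.1.10", 50001),   # reply to a blocked flow
    ]
    return [fw.check(p) for p in packets]

if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```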






