Cryptography and Network

Security
Chapter 1

Fifth Edition
by William Stallings
Security: is ensuring the (Secrecy)
confidentiality, data integrity and
availability of components of
.computing system
Cryptographic algorithms and protocols can
:be grouped into four main areas
 Definitions

• Network Security - measures to protect data during

their transmission
• Internet Security - measures to protect data during
their transmission over a collection of
interconnected networks
 The field of network and
:Internet security consists of
 Computer Security
 the protection afforded to an automated
information system in order to attain the
applicable objectives of preserving the
integrity, availability and confidentiality of
information system resources (includes
hardware, software, firmware,
information/data, and telecommunications)
Key Security Concepts
 Levels of Impact
 can define 3 levels of impact from a
security breach

Low

Moderate

High
 Goals of computer security
• To protect computer assets from:
– Human errors, natural disasters, physical and
electronic maliciousness.
• Confidentiality, Integrity, Availability
 Confidentiality
. ( Secrecy, Privacy)
• Data confidentiality
– Assures that private or confidential information is not
made available or disclosed to unauthorized individuals
• Privacy
– Assures that individuals control or influence what
information related to them may be collected and stored
and by whom and to whom that information may be
disclosed
(Ensuring that the system is only accessible by authorized
parties.)
 Integrity
• Data integrity
– Assures that information and programs are
changed only in a specified and authorized
manner
• System integrity
– Assures that a system performs its intended
function in an unimpaired manner, free from
deliberate or inadvertent unauthorized
manipulation of the system
 Availability
• Assures that systems work promptly and
service is not denied to authorized users
•Ensuring that authorized parties are not
denied access to information and resources
• Ensuring that the computer works when it
is supposed to work and that it works the
way it should.
(access to computing resources without difficulties.)
.
 Other goals
• Non-repudiation
– Ensuring that communication parties can't
later deny that the exchange took place (or
when the exchange took place).
• Legitimate use
– Ensuring that resources are not used by
unauthorized parties or in unauthorized ways.
– Examples:
• Printer and disk quotas.
• Spam-filters in E-mail servers..
 Kinds of Security breaches
• Exposure: . A form of possible loss or a harm in
computing system . Examples :
Unauthorized disclosure of data ,modification of data
or Denial legitimate access to computing
• Vulnerability: is a weakness in the security system
that might be exploited to cause loss or harm
• Attack: an assault on system security, a
deliberate attempt to evade security services
(Attempt to exploit a vulnerability.)
 Threat

– Threat:- a potential for violation of security

• Physical threats - weather, natural disaster, bombs,
power etc.

• Human threats - stealing, trickery, spying, sabotage,

accidents.

• Software threats - viruses, Trojan horses, logic

bombs.
Network Security
 Network Security

Normal Flow:
 Network Security

• Four types of possible attacks are:

1. Interruption: services or data become unavailable, unusable,
destroyed, and so on, such as lost of file, denial of service,
etc.

Cut wire lines,

Jam wireless
signals,
Drop packets,
• 2. Interception: an unauthorized subject
has gained access to an object, such as
stealing data, overhearing others
communication, etc.

Wiring,
eavesdrop
3. Modification: unauthorized changing of
data or tempering with services, such as
alteration of data, modification of
messages, etc.

Replaced
intercept
info
4. Fabrication: additional data or activities
are generated that would normally no
exist, such as adding a password to a
system, replaying previously send
messages, etc.

Also called impersonation

Security Trends
OSI Security Architecture
. OSI : Open System Interconnection
. ITU : International Telecommunication Union

• ITU-T X.800 “Security Architecture for OSI”

• defines a systematic way of defining and
providing security requirements
• for us it provides a useful, if abstract, overview
of concepts we will study
 Aspects of Security
• consider 3 aspects of information security:
– security attack
– security mechanism
– security service
 Security Attack
• any action that compromises the security of
information owned by an organization
• information security is about how to prevent attacks,
or failing that, to detect attacks on information-
based systems
• can focus of generic types of attacks
– passive
– active
 Passive Attacks
A passive attack attempts to learn or make use of information
from the system but does not affect system resources
 Passive Attacks

• Are in the nature of • Two types of

eavesdropping on, or passive attacks are:
monitoring of, – The release of
transmissions message contents
• Goal of the opponent is – Traffic analysis
to obtain information that
is being transmitted
 Active Attacks
An active attack attempts to alter system resources or affect their
operation
 Active Attacks
• Involve some modification of the
data stream or the creation of a
false stream
• Difficult to prevent because of the
wide variety of potential physical,
software, and network
vulnerabilities
• Goal is to detect attacks and to
recover from any disruption or
delays caused by them
 Security Service
– enhance security of data processing systems and
information transfers of an organization
– intended to counter security attacks
– using one or more security mechanisms
– often replicates functions normally associated
with physical documents
• which, for example, have signatures, dates; need
protection from disclosure, tampering, or destruction;
be notarized or witnessed; be recorded or licensed
 Security Services
• X.800:
“a service provided by a protocol layer of
communicating open systems, which ensures
adequate security of the systems or of data
transfers”

• RFC 4949 :
“a processing or communication service provided by
a system to give a specific kind of protection to
system resources”
 Security Services (X.800)
• Authentication - assurance that the
communicating entity is the one claimed
There are two specific authentication services defined in X.800:
1. Peer entity authentication:- Provides for the corroboration
of the entity of a peer entity in association.
2. Data origin authentication:- provides for the corroboration
of the source of a data units.
 Security Services (X.800)
• Access Control - prevention of the
unauthorized use of a resource
• Data Confidentiality –protection of data from
unauthorized disclosure
• Data Integrity - assurance that data received
is as sent by an authorized entity
• Non-Repudiation - protection against denial
by one of the parties in a communication
 Security Mechanism
• feature designed to detect, prevent, or
recover from a security attack
• no single mechanism that will support all
services required
• however one particular element underlies
many of the security mechanisms in use:
– cryptographic techniques
• hence our focus on this topic
 Security Mechanisms (X.800)
• specific security mechanisms:
– encipherment, digital signatures, access controls,
data integrity, authentication exchange, traffic
padding, routing control, notarization
• pervasive security mechanisms:
– trusted functionality, security labels, event
detection, security audit trails, security recovery
Model for Network Security
 Model for Network Security
• using this model requires us to:
1. design a suitable algorithm for the security
transformation
2. generate the secret information (keys) used by
the algorithm
3. develop methods to distribute and share the
secret information
4. specify a protocol enabling the principals to use
the transformation and secret information for a
security service
Model for Network Access Security
 Model for Network Access Security
• using this model requires us to:
1. select appropriate gatekeeper functions to
identify users
2. implement security controls to ensure only
authorised users access designated information
or resources
• trusted computer systems may be useful to
help implement this model
 Summary
• have considered:
– definitions for:
• computer, network, internet security
• X.800 standard
• security attacks, services, mechanisms
• models for network (access) security