The Road Network security
Contents:
Chapter 1: Introduction.
Chapter 2: Classical Encryption Techniques.
Chapter 3: Block Ciphers and Data Encryption Standard (DES).
Chapter 4: Finite Fields.
Chapter 5: Advanced Encryption Standard (AES).
Chapter 6: More on Symmetric Ciphers.
Chapter 7: Confidentiality using Symmetric Encryption.
Chapter 8: Number Theory.
Chapter 9: Public-key Cryptography and RSA.
Chapter 10: Key Management.
Chapter 11: Message Authentication and Hash Functions.
Chapter 12: Hash and MAC Algorithms.
Chapter 13: Digital Signatures and Authentication Protocols.
Chapter 14: Authentication Applications.
Chapter 15: E-mail Security.
Chapter 16: IP Security (IPSec).
Chapter 17: Web Security.
Chapter 18: Intruders.
Chapter 19: Malicious Software.
Chapter 20: Firewalls.
Chapter 1 Introduction
The OSI Security Architecture:
- The International Telecommunication Union Telecommunication Standardization
Sector (ITU-T) Recommendation X.800, Security Architecture for OSI, defines a
systematic approach to security attacks, mechanisms, and services.
- These can be defined as follows:
  Security attack: Any action that compromises the security of information
  owned by an organization.
  Security mechanism: A process that is designed to detect, prevent, or
  recover from a security attack.
  Security service: A service that enhances the security of data processing
  systems and the information transfers of an organization.
- The services are intended to counter security attacks, and they make use of
one or more security mechanisms to provide the service.
- The terms “threat” and “attack” are defined by RFC 2828 as follows:
  Threat: A potential for violation of security, and a possible danger that
  might exploit a vulnerability.
  Attack: An assault on system security that derives from an intelligent
  threat to evade security services and violate the security policy of
  a system.
Security Attacks:
- Security attacks can be classified into:
a) Passive attacks.
b) Active attacks.
  Passive attacks: Attempts to learn or make use of information from the
  system that do not affect system resources.
  Active attacks: Attempts to alter system resources or affect their operation.
Passive Attacks:
- Passive attacks are in the nature of eavesdropping on, or monitoring of,
transmissions.
- The goal of the opponent is to obtain information that is being transmitted.
- There are two types of passive attacks:
a) Release of message contents.
b) Traffic analysis.
- The release of message contents is shown in the following figure:
(Figure: Release of Message Contents)
- A telephone conversation, an e-mail, and a transferred file may contain
sensitive or confidential information.
- We would like to prevent an opponent from learning the contents of these
transmissions.
- Traffic analysis is shown in the following figure:
(Figure: Traffic Analysis)
- Suppose that we had a way of masking the contents of messages so that
opponents, even if they captured a message, could not extract the
information from it.
- The common technique for masking contents is encryption.
- Even with encryption protection in place, an opponent might still be able to
observe the pattern of these messages.
- The opponent could determine the location and identity of the communicating
hosts and could observe the frequency and length of the messages being
exchanged.
- This information might be useful in guessing the nature of the communication
that was taking place.
- Passive attacks are very difficult to detect because they do not involve any
alteration of the data.
- Typically, the message traffic is sent and received in an apparently normal
fashion, and neither the sender nor the receiver is aware that a third party
has read the messages or observed the traffic pattern.
- However, it is feasible to prevent the success of these attacks, usually by
means of encryption.
- Thus, the emphasis in dealing with passive attacks is on prevention rather
than detection.
Active Attacks:
- Active attacks involve some modification of the data stream or the creation of
a false stream and can be subdivided into four categories:
a) Masquerade.
b) Replay.
c) Modification of messages.
d) Denial of service.
- A masquerade is shown in the following figure:
(Figure: Masquerade)
- A masquerade takes place when one entity pretends to be a different entity.
- For example, authentication sequences can be captured and replayed after a valid
authentication sequence has taken place, thus enabling an authorized entity with
few privileges to obtain extra privileges by impersonating an entity that has those
privileges.
- A replay is shown in the following figure:
(Figure: Replay)
- Replay involves the passive capture of a data unit and its subsequent
retransmission to produce an unauthorized effect.
- Modification of messages is shown in the following figure:
(Figure: Modification of Messages)
- Modification of messages simply means that some portion of a legitimate
message is altered, or that messages are delayed or reordered, to produce an
unauthorized effect.
- For example, a message meaning “Allow John Smith to read confidential file
accounts” is modified to be “Allow Fred Brown to read confidential file
accounts”.
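As an added example (not part of the lecture notes), the Python below shows how a receiver can detect the two active attacks just described: the modification of a message in transit and the replay of a captured data unit. The sender prefixes each message with a sequence number and appends an HMAC-SHA256 tag computed under a key shared with the receiver; the receiver rejects any frame whose tag does not verify (a modified frame, or one built by a sender who does not hold the key, i.e. a masquerade) and any frame whose sequence number is not newer than the last one accepted (a replay). The shared key, the frame layout and the scenario messages are constructed for this illustration only.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for the illustration; a real system would obtain
# it through a key-distribution mechanism, never from a literal in source.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"

SEQ_LEN = 8    # 64-bit big-endian sequence number
TAG_LEN = 32   # HMAC-SHA256 output length


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: frame = seq || payload || HMAC(key, seq || payload).
    The tag covers the sequence number, so a captured frame cannot simply be
    renumbered to slip past the replay check."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiver side: a tag check (data integrity and source authentication)
    followed by a strictly increasing sequence-number check (replay detection)."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest_seq = -1   # nothing accepted yet
        self.log = []           # audit trail of accept/reject decisions

    def accept(self, frame: bytes):
        """Return the payload if the frame is genuine and fresh, else None."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            self.log.append("rejected: malformed frame")
            return None
        header = frame[:SEQ_LEN]
        payload = frame[SEQ_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # compare_digest does not leak the position of the first mismatch via timing.
        if not hmac.compare_digest(tag, expected):
            self.log.append("rejected: bad tag (modified or not from key holder)")
            return None
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.highest_seq:
            self.log.append(f"rejected: replay of seq {seq}")
            return None
        self.highest_seq = seq
        self.log.append(f"accepted seq {seq}")
        return payload


def run_scenario():
    """Constructed scenario: a genuine frame, the same frame with the subject
    edited in flight, the genuine frame replayed, and a frame produced without
    the shared key."""
    rx = Receiver(SHARED_KEY)
    genuine = protect(SHARED_KEY, 1, b"Allow John Smith to read confidential file accounts")
    tampered = genuine.replace(b"John Smith", b"Fred Brown")
    forged = protect(b"attacker-guessed-key", 2,
                     b"Allow Fred Brown to read confidential file accounts")
    outcomes = [rx.accept(genuine), rx.accept(tampered),
                rx.accept(genuine), rx.accept(forged)]
    return outcomes, rx.log


if __name__ == "__main__":
    for line in run_scenario()[1]:
        print(line)
```

The strictly increasing counter assumes frames arrive in order; protocols that tolerate reordering, such as IPsec ESP, keep a sliding anti-replay window instead. Note that the tag protects against modification and replay but not against the delay of a message, which needs a timestamp or a protocol-level timeout.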
- The denial of service is shown in the following figure:
(Figure: Denial of Service (DoS))
- The denial of service prevents the normal use of communications facilities.
- This attack may have a specific target.
- For example, an entity may suppress all messages directed to a particular
destination.
- Another form of service denial is the disruption of an entire network, either by
disabling the network or by overloading it with messages so as to degrade
performance.
- Active attacks present the opposite characteristics of passive attacks.
- Whereas passive attacks are difficult to detect, measures are available to prevent
their success.
- On the other hand, it is quite difficult to prevent active attacks absolutely,
because of the wide variety of potential physical, software, and network
vulnerabilities.
- Instead, the goal is to detect active attacks and to recover from any disruption or
delay caused by them.
- If the detection has a deterrent effect, it may also contribute to prevention.
Security Services:
- X.800 divides security services into five categories:
a) Data Confidentiality.
b) Authentication.
c) Data Integrity.
d) Access Control.
e) Nonrepudiation.
  Data Confidentiality: The protection of data from passive attacks.
  Authentication: The assurance that the communicating entity is the one that
  it claims to be.
  Data Integrity: The assurance that data received are exactly as sent by an
  authorized entity.
  Access Control: The prevention of unauthorized use of a resource.
  Nonrepudiation: Provides protection against denial by one of the entities
  involved in a communication of having participated in all or part of the
  communication.
- Nonrepudiation prevents either sender or receiver from denying a transmitted
message.
Security Mechanisms:
- X.800 defines the following security mechanisms:
a) Encipherment (Encryption).
b) Digital Signature.
c) Data Integrity.
d) Access Control.
e) Authentication Exchange.
f) Traffic Padding.
g) Routing Control.
h) Notarization.
  Encipherment (Encryption): The use of mathematical algorithms to transform
  data into a form that is not readily intelligible.
  Digital Signature: A cryptographic transformation of a data unit that allows
  a recipient to prove the source and integrity of the data unit and protects
  against forgery.
  Data Integrity: A variety of mechanisms used to assure the integrity of a
  data unit or stream of data units.
  Access Control: A variety of mechanisms that enforce access rights to
  resources.
  Authentication Exchange: A mechanism intended to ensure the identity of an
  entity by means of information exchange.
  Traffic Padding: The insertion of bits into gaps in a data stream to
  frustrate traffic analysis attempts.
  Routing Control: Enables selection of particular physically secure routes
  for certain data and allows routing changes, especially when a breach of
  security is suspected.
  Notarization: The use of a trusted third party to assure certain properties
  of a data exchange.
Note:
- X.800 distinguishes between reversible encipherment mechanisms and
irreversible encipherment mechanisms.
- A reversible encipherment mechanism is simply an encryption algorithm that
allows data to be encrypted and subsequently decrypted.
- Irreversible encipherment mechanisms include hash algorithms and message
authentication codes, which are used in digital signature and message
authentication applications.
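As an added illustration (not part of the lecture notes), the following Python ties the traffic-analysis discussion under Passive Attacks to the Traffic Padding mechanism defined above. Even when message contents are masked by encryption, a length-preserving cipher produces ciphertexts whose sizes reproduce the plaintext sizes, and an eavesdropper can build a size profile of the traffic; padding every message up to a fixed bucket size removes that signal. The sample messages, the bucket size and the one-time-pad stand-in for a length-preserving cipher are constructed assumptions of this example.

```python
import os
from collections import Counter

# Constructed sample traffic between two hosts: short acknowledgements mixed
# with a long command. Not taken from the notes.
SAMPLE_MESSAGES = [
    b"ACK",
    b"ACK",
    b"TRANSFER 500 FROM ACCT 42 TO ACCT 17",
    b"ACK",
    b"LOGOUT",
]


def encrypt_length_preserving(plaintext: bytes) -> bytes:
    """Stand-in for a stream or counter-mode cipher: XOR with a fresh random
    keystream. Contents are hidden, but ciphertext length equals plaintext
    length, which is exactly what traffic analysis exploits."""
    keystream = os.urandom(len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def pad_to_bucket(plaintext: bytes, bucket: int) -> bytes:
    """Traffic padding: a 2-byte length prefix followed by the message, then
    random filler up to the next multiple of `bucket` bytes."""
    if len(plaintext) > 0xFFFF:
        raise ValueError("message too long for a 2-byte length prefix")
    body = len(plaintext).to_bytes(2, "big") + plaintext
    filler = (-len(body)) % bucket
    return body + os.urandom(filler)


def unpad(padded: bytes) -> bytes:
    """Receiver side: read the length prefix and discard the filler."""
    n = int.from_bytes(padded[:2], "big")
    return padded[2:2 + n]


def observed_lengths(messages, bucket=None):
    """What an eavesdropper sees on the wire: only the ciphertext sizes.
    With bucket=None the messages are sent unpadded."""
    sizes = []
    for m in messages:
        wire = m if bucket is None else pad_to_bucket(m, bucket)
        sizes.append(len(encrypt_length_preserving(wire)))
    return sizes


def length_profile(messages, bucket=None) -> dict:
    """Histogram of observed sizes. Several distinct sizes give the opponent a
    fingerprint of the conversation; a single size gives nothing."""
    return dict(Counter(observed_lengths(messages, bucket)))


if __name__ == "__main__":
    print("unpadded :", length_profile(SAMPLE_MESSAGES))
    print("bucket 64:", length_profile(SAMPLE_MESSAGES, bucket=64))
```

Padding addresses only the length of messages; the frequency and timing of messages, which the notes also list as observable, need additional countermeasures such as sending dummy traffic at a constant rate, at a bandwidth cost.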
A Model for Network Security:
- The following figure shows a model for network security:
(Figure: Model for Network Security)
- A trusted third party may be needed to achieve secure transmission.
- For example, a third party may be responsible for distributing the secret
information to the two principals while keeping it from any opponent.
- This general model shows that there are four basic tasks in designing a particular
security service:
1) Design an algorithm for performing the security-related transformation. The
algorithm should be such that an opponent cannot defeat its purpose.
2) Generate the secret information to be used with the algorithm.
3) Develop methods for the distribution and sharing of the secret information.
4) Specify a protocol to be used by the two principals that makes use of the
security algorithm and the secret information to achieve a particular security
service.
- There are other security-related situations of interest that do not neatly
fit this model.
- A general model of these other situations is shown in the following figure:
(Figure: Network Access Security Model)
- This network access security model reflects a concern for protecting an
information system from unwanted access.
- Hackers are those who attempt to penetrate systems that can be accessed over
a network.
- The hacker can be someone who simply gets satisfaction from breaking into a
computer system.
- The intruder can be a disgruntled employee who wishes to do damage or take
revenge.
- The criminal is one who seeks to exploit computer assets for financial gain,
such as obtaining credit card numbers or performing illegal money transfers.
- Viruses and worms are two examples of software attacks.
- Such attacks can be introduced into a system by means of a disk that contains
the unwanted logic concealed in otherwise useful software.
- The security mechanisms needed to cope with unwanted access are shown in the
previous figure.
- The first category might be termed a gatekeeper function.
- It includes password-based login procedures that are designed to deny access to
all but authorized users and screening logic that is designed to detect and reject
worms, viruses, and other similar attacks.
- Once either an unwanted user or unwanted software gains access, the second line
of defense consists of a variety of internal controls that monitor activity and
analyze stored information in an attempt to detect the presence of unwanted
intruders.
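As an added example (not from the notes), the Python below sketches the two lines of defense just described for a password-based login. The gatekeeper function stores only a per-user random salt and a PBKDF2 hash, never the password, and compares hashes in constant time; an unknown username is checked against a dummy record so that the attempt costs the same whether or not the account exists. The second line is an audit trail of login activity with a per-source failure counter that flags, and then blocks, sources that exceed a threshold. The user table, passwords and source addresses are constructed for the illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# PBKDF2-HMAC-SHA256 work factor; kept modest so the example runs quickly.
PBKDF2_ITERATIONS = 100_000


def make_record(password: str) -> dict:
    """Create the stored credential: random salt plus PBKDF2 hash of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


# Used for unknown usernames so a failed attempt takes the same time either way
# (no username enumeration through response timing).
_DUMMY_RECORD = make_record("unused-dummy-password")


class Gatekeeper:
    """First line: password check. Second line: monitored activity with a
    simple per-source failure threshold."""

    def __init__(self, users: dict, failure_threshold: int = 3):
        self.users = users                  # username -> credential record
        self.threshold = failure_threshold
        self.failures = defaultdict(int)    # source -> failed attempts so far
        self.audit = []                     # activity log for later analysis

    def login(self, username: str, password: str, source: str) -> bool:
        if self.failures[source] >= self.threshold:
            self.audit.append(f"BLOCK {source} {username}: source over failure threshold")
            return False
        record = self.users.get(username)
        ok = verify_password(record if record is not None else _DUMMY_RECORD, password)
        ok = ok and record is not None      # dummy record never grants access
        if ok:
            self.audit.append(f"OK    {source} {username}")
            return True
        self.failures[source] += 1
        self.audit.append(f"FAIL  {source} {username}")
        return False

    def suspicious_sources(self) -> set:
        """Sources whose failed attempts reached the threshold."""
        return {src for src, n in self.failures.items() if n >= self.threshold}


def run_scenario():
    """Constructed scenario: one legitimate login, then repeated guesses from a
    second source, which is blocked even when it finally supplies the right password."""
    gate = Gatekeeper({"alice": make_record("correct horse battery staple")})
    results = [
        gate.login("alice", "correct horse battery staple", "10.0.0.5"),
        gate.login("alice", "password1", "10.0.0.9"),
        gate.login("alice", "password2", "10.0.0.9"),
        gate.login("bob", "password3", "10.0.0.9"),     # unknown account
        gate.login("alice", "correct horse battery staple", "10.0.0.9"),
    ]
    return results, gate.suspicious_sources(), gate.audit


if __name__ == "__main__":
    for line in run_scenario()[2]:
        print(line)
```

Blocking by source is the simplest form of the "internal controls that monitor activity" mentioned above; a real deployment would also watch failures per account and review the audit trail for patterns that a single counter misses.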