Cryptography and Network Security: Fifth Edition by William Stallings
Security Overview
The art of war teaches us to rely not on the
likelihood of the enemy's not coming, but on our
own readiness to receive him; not on the chance
of his not attacking, but rather on the fact that we
have made our position unassailable.
Levels of impact (figure): Low, Moderate, High
Low Impact
The loss could be expected to have a limited
adverse effect on organizational operations,
organizational assets, or individuals.
Eg: the loss of confidentiality, integrity, or availability might:
(i) cause a degradation in mission capability to an extent
and duration that the organization is able to perform its
primary functions, but the effectiveness of the functions
is noticeably reduced;
(ii) result in minor damage to organizational assets;
(iii) result in minor financial loss; or
(iv) result in minor harm to individuals.
Moderate Impact
The loss could be expected to have a serious
adverse effect on organizational operations,
organizational assets, or individuals.
The loss might:
(i) cause a significant degradation in mission capability
to an extent and duration that the organization is able to
perform its primary functions, but the effectiveness of
the functions is significantly reduced;
(ii) result in significant damage to organizational assets;
(iii) result in significant financial loss; or
(iv) result in significant harm to individuals that does not
involve loss of life or serious, life-threatening injuries.
High Impact
The loss could be expected to have a severe or
catastrophic adverse effect on organizational
operations, organizational assets, or individuals.
The loss might:
(i) cause a severe degradation in or loss of mission
capability to an extent and duration that the organization
is not able to perform one or more of its primary
functions;
(ii) result in major damage to organizational assets;
(iii) result in major financial loss; or
(iv) result in severe or catastrophic harm to individuals
involving loss of life or serious, life-threatening injuries.
Examples of Security
Requirements
confidentiality – student grades
Active Attack: Modify message (figure only)
Active Attack: DoS
Denial of service prevents or inhibits the normal use or
management of communications facilities.
Denial of service attacks exploit fundamental weaknesses of
the TCP/IP protocols, as well as incorrect implementations of
TCP/IP protocol stacks.
This attack may have a specific target.
Eg: an entity may suppress all messages directed to a
particular destination.
Handling Attacks
Passive attacks – focus on Prevention
• Easy to stop
• Hard to detect
Active attacks – focus on Detection and Recovery
• Hard to stop due to vulnerabilities
• Easy to detect
Security Service
A security service enhances the security of an organization's
data processing systems and information transfers. It is
intended to counter security attacks, uses one or more
security mechanisms, and often replicates functions normally
associated with physical documents.
• Eg: physical documents have signatures and dates; need
protection from disclosure, tampering, or destruction; may be
notarized or witnessed; may be recorded or licensed
Security Services
X.800:
“a service provided by a protocol layer of
communicating open systems, which ensures
adequate security of the systems or of data
transfers”
RFC 2828:
“a processing or communication service provided
by a system to give a specific kind of protection
to system resources”
X.800 divides the security services into 5
categories and 14 specific services.
1. Authentication
2. Access control
3. Data confidentiality
4. Data integrity
5. Nonrepudiation
6. Availability service
Authentication
Concerned with assuring that a communication is authentic:
The recipient of a message should be sure that the message
came from the source it claims to come from -
Peer Entity Authentication
All communicating parties should be sure that the connection
is not interfered with by an unauthorized party -
Data-Origin Authentication
Eg: consider a person using an online banking service.
Both the user and the bank should be assured of each
other's identities.
Access control
This service controls: