Information Security

Chapter 1
KEU, Computer Science Faculty
IT Department
2 Course Policy

 Lectures
 Tuesday 10:00 AM  Methodology
 Project 10 %  Lecture ( Presentation)
 Home-Works 10 %  Home work
 Class Activity 10 %  Presentation
 Exams
 Project / Seminar
 Midterm 20 %
 Final 50 %
3 References
1. Thomas, Justin Peltier, John Blackley
Information Security Fundamentals, Copyright 2005 by CRC Press,
LLC. All Rights Reserved.
2. William Stallings, Cryptography and Network Security, fourth Edition
principles and practices.
3. Fundamentals of Computer Security, Springer
4. Matt Bishop, Introduction to Computer Security,
5. Cisco Certified Security Professional, Security + Syo-2014
6. William Stallings, Network Security Essentials, Applications and
Standards, Fourth Edition, 2011
4 Course Topics
 Chapter 1:  Chapter 2:
 Computer Security  Encryption
 The Three key objectives of  Symmetric Encryption
Security
 Asymmetric encryption
 Level of Impact
 Basic terminology
 Examples of security requirement
 Cryptography
 Computer Security challenges
 Cryptanalysis
 OSI security architecture
 Brute Force Search
 Aspects of security
 Caesar Cipher
 Types of Attacks
 Manoalphabbatic cipher
 Language Redundancy and
Cryptanalysis
 5 Course Topics
 Chapter 3:
 Symmetric Block Cipher Algorithms
 DES, Double DESS, 3DES, AES Cipher, Rijndaal
6 Course Topics

 Chapter 4:
 Public Key Cryptography  Chapter 5:
and RSA
 IP Security
 Private-Key Cryptography
 Benefits of IPSec
 Public-Key Cryptography
 IP Security Architecture
 Symmetric vs Public-Key
 Transport and Tunnel Modes
 Public-Key Requirements
 RSA
 7 Course Topics
Chapter 7:
 Chapter 6:
 Transport-Level Security  Firewall
 Web Security
 Firewall Limitations
 SSL (Secure Socket Layer)
 Firewalls – Packet Filters
 SSL Architecture
 SSL Handshake Protocol  Attacks on Packet Filters
 TLS (Transport Layer Security)
 Firewalls – Stateful Packet Filters
 HTTPS
 Secure Shell (SSH)  Firewalls – StateLess

 SSH Protocol Stack  Personal Firewall

 Computer Security
The protection afforded to an automated
information system in order to provide the
applicable objectives of the integrity,
availability and confidentiality of information
system resources (includes hardware,
software, firmware, information/data, and
telecommunications)
9

three key objectives that are at

the heart of computer security:
 Confidentiality
 Integrity
 Availability
10 Confidentiality
This term covers two related concepts:
 Data confidentiality: Assures that private or confidential
information is not made available or disclosed to unauthorized
individuals.

 Privacy: Assures that individuals control or influence what

information related to them may be collected and stored and by
whom and to whom that information may be disclosed.
11 Integrity
This term covers two related concepts:

 Data integrity: Assures that information and programs are

changed only in a specified and authorized manner.

 System integrity: Assures that a system performs its intended

function in an unimpaired manner, free from deliberate or
inadvertent unauthorized manipulation of the system.
12 Availability:

 Assures that systems work promptly and service is not

denied to authorized users.
 Key Security Concepts
These three concepts form what is often referred to as the CIA triad.

Figure 1.1 The Security Requirements Triad

 Levels of Impact

 can define 3 levels of impact from a security breach

 Low

 Moderate

 High
Examples of Security
Requirements

 confidentiality – student grades

 integrity – patient information

 availability – authentication service

 Computer Security Challenges

1. Not simple
2. must consider potential attacks
3. procedures used counter-intuitive ‫غیرقابل درک‬
4. involve algorithms and secret info
5. must decide where to deploy mechanisms
6. Battle of wits ‫ رزم عقلی‬between attacker / admin
7. not supposed on benefit until fails
8. requires regular monitoring
9. too often an after-thought
10. regarded as impediment to using system
 OSI Security Architecture

ITU-T X.800 “Security Architecture for OSI”

defines a systematic way of defining and providing security requirements

for us it provides a useful, if abstract, overview of concepts we will study

 Aspects of Security

 consider 3 aspects of information security:

 security attack
 security mechanism
 security service
 note terms
 threat – a potential for violation‫ نقض‬of security
 attack – an assault ‫ حمله‬on system security, a
deliberate ‫ تالش‬attempt to evade ‫ فرار‬security
services
19 Security attack

 Any action that compromises the security of

information owned by an organization.
20 Security mechanism

 A process (or a device incorporating

such a process) that is designed to
detect, prevent, or recover from a
security attack.
21 Security service

 A processing or communication service

that enhances the security of the data
processing systems and the information
transfers of an organization.
 The services are intended to counter
security attacks, and they make use of
one or more security mechanisms to
provide the service.
22 Threat
 A potential for violation of security, which exists
when there is a circumstance, capability,
action, or event that could breach security
and cause harm .
‫ برای افشای نقض امنیتی است‬
‫ بازهم بتواند امنیت‬،‫ عمل و یا رویدادهای امنیتی وجود دارد‬،‫ وقتی که شرایط امنیتی‬
.‫را نقض و سبب آسیب شود‬

 That is, a threat is a possible danger that

might exploit a vulnerability.
23 Attack

 An assault ‫ هجوم و تجاوز‬on system security that

derives from an intelligent threat .
 That is, an intelligent act that is a deliberate
attempt (especially in the sense of a method or
technique) to evade security services and
violate the security policy of a system.
24 Types of Attacks
 A useful means of classifying security attacks,
used both in X.800 and RFC 2828, is in terms of
passive attacks and active attacks.
 Generally two types of attacks
 Active Attack

 Passive Attack
25
Passive Attacks
27 Passive Attacks(2)
 A passive attack attempts to learn or make use of information from
the system but does not affect system resources.
 Passive attacks are in the nature of eavesdropping on, or monitoring
of transmissions. The goal of the opponent is to obtain information
that is being transmitted. Two types of passive attacks are:
 release of message contents
 traffic analysis - monitor traffic flow to determine location and identity of
communicating hosts and could observe the frequency and length of
messages being exchanged
 These attacks are difficult to detect because they do not involve any
alteration of the data.
 Active Attacks
Some modification of the data
stream or and can be
subdivided into four categories:
masquerade, replay,
modification of messages, and
denial of service
29 Active Attacks(2)

 Active attacks involve some modification of the data stream or the creation
of a false stream and can be subdivided into four categories: masquerade,
replay, modification of messages, and denial of service:
 masquerade of one entity as some other
 replay previous messages (as shown above in Stallings Figure)
 modify/alter (part of) messages in transit to produce an unauthorized effect
 denial of service - prevents or inhibits the normal use or management of
communications facilities
 Active attacks present the opposite characteristics of passive attacks.
Whereas passive attacks are difficult to detect, measures are available to
prevent their success. On the other hand, it is quite difficult to prevent active
attacks absolutely, because of the wide variety of potential physical,
software, and network vulnerabilities. Instead, the goal is to detect active
attacks and to recover from any disruption or delays caused by them.
‫تشخیص حمله فعال آسان و جلوگیری آن سخت است‬ 
 Security Service
 Enhance security of data processing systems and
information transfers of an organization
 intended to counter security attacks
 using one or more security mechanisms
 often replicates functions normally associated with physical
documents
which, for example, have signatures, dates; need
protection from disclosure, tampering, or destruction;
be notarized or witnessed; be recorded or licensed
 Security Services
 X.800:
“a service provided by a protocol layer of communicating open systems,
which ensures adequate security of the systems or of data transfers”

 RFC 2828:
“a processing or communication service provided by a system to give a
specific kind of protection to system resources”
Security Services (X.800)

 Authentication - assurance that communicating

entity is the one claimed
 have both peer-entity & data origin authentication
 Access Control - prevention of the unauthorized
use of a resource
 Data Confidentiality –protection of data from
unauthorized disclosure
 Data Integrity - assurance that data received is
as sent by an authorized entity
 Non-Repudiation - protection against denial by
one of the parties in a communication
 Availability – resource accessible/usable
 Security Mechanism

 feature designed to detect, prevent, or recover from a security

attack
 no single mechanism that will support all services required
 however one particular element underlies many of the
security mechanisms in use:
 cryptographic techniques
 hence our focus on this topic
 Security Mechanisms (X.800)

specific security mechanisms:

 Encipherment , digital signatures, access controls, data
integrity, authentication exchange, traffic padding, routing
control, notarization ‫گواهی حضوری‬

pervasive security mechanisms:

 trusted functionality, security labels, event detection,
security audit trails, security recovery
Model for Network Security

Security Mechanism ?
 Model for Network Security

 using this model requires us to:

1. design a suitable algorithm for the security
transformation
2. generate the secret information (keys) used by the
algorithm
3. develop methods to distribute and share the secret
information
4. specify a protocol enabling the principals to use the
transformation and secret information for a security
service
Model for Network Access
Security
 Model for Network Access
Security
 using this model requires us to:
1. select appropriate gatekeeper functions to
identify users
2. implement security controls to ensure only
authorised users access designated information or
resources
END