
Principles of Security

-Dr Nimish Kumar


PRINCIPLES OF SECURITY
Following are the principles of security:

Confidentiality    Protecting data from any unauthorized disclosure, or, we can say, keeping the data private or secret
Authentication     Verifying the identity of the sender/receiver
Integrity          Protecting data from any type of modification, addition or deletion during transmission
Non-repudiation    Assuring that one cannot deny having sent the transmitted data
Access Control     Who should be given rights to access the system
Availability       Resources must be available to the authorized parties


Confidentiality
The principle of confidentiality specifies that only the sender and the intended receiver should be able
to access the contents of a message; even if someone else gets hold of it, he/she does not come to know
the details of the message. If the message is accessed by a third person without the knowledge of the
sender and receiver, this is called interception. Interception causes loss of message confidentiality.

[Figure: User A (Sender) sends a secret to User B (Receiver); A and B are the authorized users. Unauthorized User C (Intruder) obtains a copy of the secret.]

Example: When user A wants to share a secret message with user B (suppose a confidential
mail) and another user C gets access to this message, which is not desired, this is a breach of
confidentiality. This type of attack is called interception.

Note: Interception causes loss of message confidentiality.


Authentication
Authentication establishes the proof of identities. The authentication process ensures that a message or
document is coming from the intended source.

[Figure: User C (Intruder) pretends to be User A (Sender) when communicating with User B (Receiver).]

For instance, if user C transfers money from user A’s account to user B’s account while acting or posing
as user A, this type of attack is called fabrication.

Note: Fabrication is possible in the absence of proper authentication mechanisms.


Integrity
Integrity ensures that no one other than User A and User B can tamper with the contents of the
transmitted message. This means that changes may be performed only by an authorized user. If the
contents of the data get changed during transmission, this type of attack is called modification.
[Figure: User A (Sender) sends User B (Receiver) a request to pay Rs 100 to User C. User C (Intruder) captures the message in transit and modifies it to pay Rs 1000 to User C.]
For instance, suppose user A sends a message to user B to pay Rs 100 to user C, but user C captures
the message after transmission from user A, modifies the amount to Rs 1000 and transmits the
modified data to user B. User B has no way of knowing that the contents of the message were
changed after user A sent it. User A also does not know about this change.

Note: Modification causes loss of message integrity.
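As an added example (not part of the original handout), the Rs 100 to Rs 1000 scenario above in Python. User A attaches a message authentication code (HMAC-SHA256) computed over the exact bytes sent; User B recomputes it before acting on the instruction, so the modification by User C is detected. The shared key, the message format and the names are constructed for the demonstration; the mechanism (HMAC from the standard library) is real.

```python
import hmac
import hashlib

# Constructed demo key shared by User A and User B (assumption: they
# exchanged it securely beforehand). Real keys come from a KDF or an HSM.
SHARED_KEY = b"constructed-demo-key-for-A-and-B"


def build_payment_request(payee: str, amount_rs: int) -> bytes:
    """Serialise the instruction "pay <amount> to <payee>" as bytes.
    Fields are delimited explicitly so the receiver parses exactly what
    was authenticated."""
    return f"PAY|payee={payee}|amount_rs={amount_rs}".encode()


def tag_message(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """User A computes the MAC over the bytes actually transmitted."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(message: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    """User B recomputes the MAC and compares in constant time, so the
    comparison itself leaks nothing about how many bytes matched."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def intercept_and_modify(message: bytes) -> bytes:
    """Models User C changing Rs 100 to Rs 1000 in transit. C does not
    hold the key, so the tag that travels with the message is unchanged."""
    return message.replace(b"amount_rs=100", b"amount_rs=1000")


def demo() -> dict:
    """Run the scenario and report what User B would accept."""
    original = build_payment_request("User C", 100)
    tag = tag_message(original)
    tampered = intercept_and_modify(original)
    return {
        "original_accepted": verify_message(original, tag),
        "tampered_accepted": verify_message(tampered, tag),
        "tampered_text": tampered.decode(),
    }


if __name__ == "__main__":
    print(demo())
```

The same tag also tells User B that the message came from a holder of the shared key, which is the authentication principle of the previous section. It does not give non-repudiation: both A and B hold the key, so either could have produced the tag, and a third party cannot tell which one did. That property needs a digital signature, where only the sender holds the signing key. A MAC also does not stop User C from replaying an unmodified, correctly tagged message; a sequence number or timestamp inside the authenticated bytes is the usual remedy.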


Non-repudiation
Repudiation means denial of the truth or validity of something, i.e. the act of claiming that something
is wrong.
Non-repudiation is the ability to prevent such a denial in an electronic message or transaction.

[Figure: User A (Sender) sends data to User B (Receiver) and later denies having sent it.]

For instance, suppose user A requests the bank to transfer funds to user B over the Internet. After the bank
performs the funds transfer, user A could claim that he never sent the funds transfer instruction to the
bank. Thus, user A repudiates, or denies, his funds transfer instruction. The principle of non-
repudiation eliminates the possibility of refuting something after it has been done.

Note: Non-repudiation does not allow the sender of a message to deny having sent it.
Access Control
The principle of access control determines who should be given rights to access the system. Access
control is broadly related to two areas:
• Role management - It focuses on the user side: which user can do what.
• Rule management - It focuses on the resource side: which resource is accessible under what
conditions.

[Figure: User A is permitted only to view the data in the database; User B is permitted to update the data.]

For instance, user A may be given permission only to view the database, whereas user B is permitted
to update the database. In Linux-based systems permissions are given in the form rwx-rwx-rwx (one
triad each for the user, the group and others).

Note: Access control specifies and controls who can access what.
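As an added example (not part of the original handout), the rwx-rwx-rwx scheme in Python: a parser for the permission string shown by ls -l, the conversion to the numeric mode chmod accepts, and the rule Linux uses to pick which triad applies to a given user. The user ids, group ids and the database file are constructed for the demonstration, arranged so that User B (the owner) may update the file while User A (a member of the owning group) may only view it, as in the text.

```python
import stat
from typing import Dict, NamedTuple

CLASSES = ("user", "group", "others")


class Permission(NamedTuple):
    read: bool
    write: bool
    execute: bool


def parse_mode_string(mode: str) -> Dict[str, Permission]:
    """Parse the rwx triads shown by ls -l into per-class permissions.

    Accepts the 9-character form 'rw-r-----' or the 10-character ls -l
    form '-rw-r-----' (the leading file-type character is dropped).
    A '-' in a position means that permission is not granted."""
    if len(mode) == 10:
        mode = mode[1:]
    if len(mode) != 9:
        raise ValueError(f"expected 9 permission characters, got {mode!r}")
    perms = {}
    for cls, start in zip(CLASSES, (0, 3, 6)):
        triad = mode[start:start + 3]
        for ch, expected in zip(triad, "rwx"):
            if ch not in (expected, "-"):
                raise ValueError(f"bad character {ch!r} in {mode!r}")
        perms[cls] = Permission(triad[0] == "r", triad[1] == "w", triad[2] == "x")
    return perms


def to_octal(mode: str) -> int:
    """Convert 'rw-r-----' to the numeric mode chmod accepts (0o640)."""
    perms = parse_mode_string(mode)
    value = 0
    for cls, shift in zip(CLASSES, (6, 3, 0)):
        p = perms[cls]
        value |= (4 * p.read + 2 * p.write + 1 * p.execute) << shift
    return value


def round_trip(numeric_mode: int) -> int:
    """Cross-check against the standard library: stat.filemode renders the
    ls -l string for a regular file, and we parse it back to the same bits."""
    return to_octal(stat.filemode(stat.S_IFREG | numeric_mode))


def effective_class(uid: int, gids: set, owner_uid: int, owner_gid: int) -> str:
    """Linux applies exactly one triad: the owner's if you own the file,
    else the group's if you belong to the owning group, else 'others'.
    The check stops at the first match, so an owner of a '---rw----' file
    is denied even though members of the group would be allowed."""
    if uid == owner_uid:
        return "user"
    if owner_gid in gids:
        return "group"
    return "others"


def may(uid: int, gids: set, file_meta: dict, action: str) -> bool:
    """Decide whether the user may 'read', 'write' or 'execute' the file."""
    cls = effective_class(uid, gids, file_meta["owner_uid"], file_meta["owner_gid"])
    return getattr(parse_mode_string(file_meta["mode"])[cls], action)


def demo_access() -> Dict[str, bool]:
    """Constructed scenario mirroring the text: User B owns the database file
    and may update it; User A is in the owning group and may only view it;
    User C is unrelated and gets nothing."""
    database = {"owner_uid": 1001, "owner_gid": 2000, "mode": "rw-r-----"}
    user_a = (1000, {1000, 2000})
    user_b = (1001, {1001, 2000})
    user_c = (1002, {1002})
    return {
        "A_read": may(*user_a, database, "read"),
        "A_write": may(*user_a, database, "write"),
        "B_read": may(*user_b, database, "read"),
        "B_write": may(*user_b, database, "write"),
        "C_read": may(*user_c, database, "read"),
    }


if __name__ == "__main__":
    print(demo_access(), oct(to_octal("rw-r-----")))
```

In the handout's terms, the triads are the rule side (what each class may do to this resource) and the uid/gid membership is the role side (which class a user falls into). The first-match rule in effective_class is the detail most often missed when reviewing permissions: a mode such as ---rw---- locks the owner out while letting the group write.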
Availability
According to the principle of availability, resources or information must be available to authorized
parties at all times.

[Figure: Data sent from User A (Sender) to User B (Receiver) is interrupted by User C (Intruder).]

For example, due to the intentional actions of unauthorized user C, an authorized user A may not be
able to contact user B. This type of attack is called interruption.

Note: Interruption puts the availability of resources in danger.


SECURITY GOALS

CIA Triad in cryptography:


• Confidentiality
• Integrity
• Availability
[Figure: the CIA triad drawn as a triangle with Confidentiality, Integrity and Availability at the corners and Network Security at the centre.]