Chapter 1 notes

Uploaded by

Santhosh Reddy

Chapter 1

A Definition of Computer Security

The NIST Computer Security Handbook [NIST95] defines the term computer security as follows:

The protection afforded to an automated information system in order to attain the applicable
objectives of preserving the integrity, availability, and confidentiality of information system resources
(includes hardware, software, firmware, information/data, and telecommunications).

This definition introduces three key objectives that are at the heart of computer security:

• Confidentiality: This term covers two related concepts:

Data confidentiality: Assures that private or confidential information is not made available or disclosed
to unauthorized individuals.

Privacy: Assures that individuals control or influence what information related to them may be collected
and stored and by whom and to whom that information may be disclosed.

• Integrity: This term covers two related concepts:

Data integrity: Assures that information and programs are changed only in a specified and authorized
manner.

System integrity: Assures that a system performs its intended function in an unimpaired manner, free
from deliberate or inadvertent unauthorized manipulation of the system.

• Availability: Assures that systems work promptly and service is not denied to authorized users.

These three concepts form what is often referred to as the CIA triad (Figure 1.1). The three concepts
embody the fundamental security objectives for data as well as for information and computing services.

FIPS 199 provides a useful characterization of these three objectives in terms of requirements and the
definition of a loss of security in each category:

• Confidentiality: Preserving authorized restrictions on information access and disclosure, including
means for protecting personal privacy and proprietary information. A loss of confidentiality is the
unauthorized disclosure of information.

• Integrity: Guarding against improper information modification or destruction, including ensuring
information nonrepudiation and authenticity. A loss of integrity is the unauthorized modification or
destruction of information.

• Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the
disruption of access to or use of information or an information system.

Although the use of the CIA triad to define security objectives is well established, some in the security
field feel that additional concepts are needed to present a complete picture. Two of the most commonly
mentioned are as follows:
• Authenticity: The property of being genuine and being able to be verified and trusted; confidence in
the validity of a transmission, a message, or message originator. This means verifying that users are who
they say they are and that each input arriving at the system came from a trusted source.

• Accountability: The security goal that generates the requirement for actions of an entity to be traced
uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection
and prevention, and after-action recovery and legal action. Because truly secure systems are not yet an
achievable goal, we must be able to trace a security breach to a responsible party. Systems must keep
records of their activities to permit later forensic analysis to trace security breaches or to aid in
transaction disputes.

OSI SECURITY ARCHITECTURE

The OSI security architecture focuses on security attacks, mechanisms, and services. These can be
defined briefly as follows:

• Security attack: Any action that compromises the security of information owned by an organization.

• Security mechanism: A process (or a device incorporating such a process) that is designed to detect,
prevent, or recover from a security attack.

• Security service: A processing or communication service that enhances the security of the data
processing systems and the information transfers of an organization. The services are intended to
counter security attacks, and they make use of one or more security mechanisms to provide the service.

SECURITY ATTACKS

A useful means of classifying security attacks, used both in X.800 and RFC 2828, is in terms of passive
attacks and active attacks. A passive attack attempts to learn or make use of information from the
system but does not affect system resources. An active attack attempts to alter system resources or
affect their operation.

Passive Attacks

Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the
opponent is to obtain information that is being transmitted. Two types of passive attacks are the release
of message contents and traffic analysis.

The release of message contents is easily understood. A telephone conversation, an electronic mail
message, and a transferred file may contain sensitive or confidential information. We would like to
prevent an opponent from learning the contents of these transmissions.

A second type of passive attack, traffic analysis, is subtler. Suppose that we had a way of masking the
contents of messages or other information traffic so that opponents, even if they captured the message,
could not extract the information from the message. The common technique for masking contents is
encryption. If we had encryption protection in place, an opponent might still be able to observe the
pattern of these messages. The opponent could determine the location and identity of communicating
hosts and could observe the frequency and length of messages being exchanged. This information might
be useful in guessing the nature of the communication that was taking place.

Passive attacks are very difficult to detect, because they do not involve any alteration of the
data. Typically, the message traffic is sent and received in an apparently normal fashion, and neither the
sender nor receiver is aware that a third party has read the messages or observed the traffic
pattern. However, it is feasible to prevent the success of these attacks, usually by means of
encryption. Thus, the emphasis in dealing with passive attacks is on prevention rather than detection.
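Added example, not code from these notes or from the sources they summarize: a small Python script showing why encryption alone does not defeat traffic analysis. It uses a toy XOR keystream derived with HMAC-SHA256 as a stand-in for a real cipher (an assumption for illustration only) and constructed sample messages. The eavesdropper never sees plaintext, yet ciphertext sizes alone separate the short control replies from the longer report until the sender pads every message to a fixed block size.

```python
import hashlib
import hmac
from typing import List

KEY = b"constructed-demo-key"   # constructed sample key for the demo, not a real secret
BLOCK = 64                      # fixed size every padded message is rounded up to


def _keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated to `length`.
    Stands in for a real stream cipher so the demo runs on the standard library alone."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block_input = nonce.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out.extend(hmac.new(key, block_input, hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: int, data: bytes) -> bytes:
    """XOR with the keystream; the same call decrypts. Ciphertext length equals input
    length, which is exactly what a traffic analyst exploits."""
    return bytes(p ^ k for p, k in zip(data, _keystream(key, nonce, len(data))))


def pad_to_block(plaintext: bytes, block: int = BLOCK) -> bytes:
    """Append a 0x80 marker, then zero bytes up to a multiple of `block`.
    After encryption, all messages shorter than `block` look identical in size."""
    padded = plaintext + b"\x80"
    return padded + b"\x00" * ((-len(padded)) % block)


def unpad(padded: bytes) -> bytes:
    """Strip the padding; the marker is always the last 0x80 byte."""
    return padded[:padded.rindex(b"\x80")]


def observed_lengths(messages: List[bytes], padded: bool) -> List[int]:
    """Everything a passive eavesdropper gets: the size of each ciphertext, nothing else.
    The message index doubles as the nonce so no keystream is reused."""
    sizes = []
    for nonce, m in enumerate(messages):
        body = pad_to_block(m) if padded else m
        sizes.append(len(encrypt(KEY, nonce, body)))
    return sizes


# Constructed sample traffic: two short control replies next to one longer report.
SAMPLE = [
    b"OK",
    b"DENY",
    b"Quarterly revenue report attached; see section 3.",
]


def demo():
    """Returns (sizes without padding, sizes with padding)."""
    return observed_lengths(SAMPLE, padded=False), observed_lengths(SAMPLE, padded=True)


if __name__ == "__main__":
    unpadded, padded = demo()
    print("without padding:", unpadded)   # three distinct sizes: message type is guessable
    print("with padding:   ", padded)     # all equal: sizes no longer separate the messages
```

Padding to a fixed size removes the length signal the notes describe, but not the frequency or timing of messages or the identity of the communicating hosts; those need further measures such as dummy traffic or an anonymizing relay, which is why traffic confidentiality is listed later as a service in its own right.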

Active Attacks

Active attacks involve some modification of the data stream or the creation of a false stream and can be
subdivided into four categories: masquerade, replay, modification of messages, and denial of service.

A masquerade takes place when one entity pretends to be a different entity. A masquerade attack
usually includes one of the other forms of active attack. For example, authentication sequences can be
captured and replayed after a valid authentication sequence has taken place, thus enabling an
authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those
privileges.

Replay involves the passive capture of a data unit and its subsequent retransmission to produce an
unauthorized effect.

Modification of messages simply means that some portion of a legitimate message is altered, or that
messages are delayed or reordered, to produce an unauthorized effect. For example, a message
meaning “Allow John Smith to read confidential file accounts” is modified to mean “Allow Fred Brown to
read confidential file accounts.”

The denial of service prevents or inhibits the normal use or management of communications facilities.
This attack may have a specific target; for example, an entity may suppress all messages directed to a
particular destination. Another form of service denial is the disruption of an entire network, either by
disabling the network or by overloading it with messages so as to degrade performance.

Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are
difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult
to prevent active attacks absolutely because of the wide variety of potential physical, software, and
network vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption
or delays caused by them. If the detection has a deterrent effect, it may also contribute to prevention.

SECURITY SERVICE

X.800 defines a security service as a service that is provided by a protocol layer of communicating open
systems and that ensures adequate security of the systems or of data transfers. X.800 divides these
services into five categories:

Confidentiality

The most basic security requirement is privacy of communications. This service protects the data from
disclosure to unauthorized entities. The confidentiality service also covers a broader aspect, traffic
confidentiality, which refers to the confidentiality of the identities of the communicating entities and of
the volume of data exchanged.

Data Integrity

The data integrity service is designed to protect data from modification, insertion, deletion, or
reordering. It provides the means for integrity verification. Note that data confidentiality does not
ensure integrity: encrypted data can still be altered without the change being detected.

Authentication

The authentication service has two aspects: peer-entity authentication and data-origin
authentication.

Peer-entity authentication refers to proving the identity of a communicating entity (e.g. Alice) to the other
entity (e.g. Bob). The data-origin authentication service provides the means to verify the source of data.

Note the subtle difference between peer-entity authentication and data-origin authentication. Peer-entity
authentication may be done once at the beginning of a communication session. Each message
exchanged thereafter during the session must be verified for its origin.
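Added example, not code from the notes: a Python sketch of how a receiver detects the replay and message-modification attacks described under active attacks, using the data-integrity and data-origin-authentication services just defined. Each frame carries a sequence number and an HMAC-SHA256 tag under a shared key (the key and the frame layout are assumptions for the demo); the receiver rejects frames whose tag does not verify (modified) and frames whose sequence number is not higher than the last accepted one (replayed or delivered out of order).

```python
import hashlib
import hmac
import struct
from typing import List, Tuple

KEY = b"constructed-shared-key"   # constructed sample; real systems use a negotiated session key
SEQ_LEN, TAG_LEN = 8, 32          # assumed frame layout: seq (8 bytes) || payload || HMAC-SHA256 tag


def make_frame(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: bind the sequence number and payload together under one tag."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Checks data origin/integrity (the tag) and freshness (strictly increasing seq)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1   # highest sequence number accepted so far

    def accept(self, frame: bytes) -> Tuple[bool, str]:
        if len(frame) < SEQ_LEN + TAG_LEN:
            return False, "malformed"
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time compare; a failure means the header or payload was altered,
        # or the frame was not produced by a holder of the key.
        if not hmac.compare_digest(tag, expected):
            return False, "modified"
        seq = struct.unpack(">Q", header)[0]
        # Freshness: a captured frame retransmitted later, or an old frame delivered
        # after a newer one, carries a sequence number the receiver has already passed.
        if seq <= self.last_seq:
            return False, "replayed"
        self.last_seq = seq
        return True, payload.decode()


def scenario() -> List[str]:
    """Constructed exchange: genuine, replayed, modified, genuine, out-of-order."""
    rx = Receiver(KEY)
    f1 = make_frame(KEY, 1, b"Allow John Smith to read confidential file accounts")
    f2 = make_frame(KEY, 2, b"Rotate audit log")
    f3 = make_frame(KEY, 3, b"Close session")
    # The name inside the captured frame is edited (same length), so the tag no longer matches.
    tampered = (f1[:SEQ_LEN]
                + f1[SEQ_LEN:-TAG_LEN].replace(b"John Smith", b"Fred Brown")
                + f1[-TAG_LEN:])
    outcomes = []
    for frame in (f1, f1, tampered, f3, f2):
        outcomes.append(rx.accept(frame)[1])
    return outcomes


if __name__ == "__main__":
    for outcome in scenario():
        print(outcome)
```

The strictly increasing sequence number is the simplest freshness rule; it treats a legitimately reordered frame the same as a replay, which is acceptable for a session that must not reorder messages anyway. Protocols that tolerate reordering use a sliding window of recently seen sequence numbers instead. The tag does nothing against the loss of availability described under denial of service; it only tells the receiver which of the frames that did arrive are genuine and fresh.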

Access Control

The access control service protects against unauthorized access to a resource. Access is
further qualified in terms of read, write and execute rights. The access control service works in tandem with
the authentication service, since granting an entitled access right to an entity requires prior authentication of
the entity.

Non-repudiation

It is possible that the receiver may alter a delivered message to his advantage, or the sender may later
deny having sent the message. Thus there can be a dispute between the sender and the receiver. The
non-repudiation service protects the interests of both the sender and the receiver. It ensures that the
sender cannot deny transmission of a message or repudiate the contents of the transmitted message, and that
the receiver cannot deny receipt of a message.

SECURITY MECHANISMS

Table 1.3 lists the security mechanisms defined in X.800. The mechanisms are divided into those that are
implemented in a specific protocol layer, such as TCP or an application-layer protocol, and those that are
not specific to any particular protocol layer or security service.
