Computer Security

Lecture 1

Overview & Chapter 1

 Course Objectives

▪ Give the students a basic understanding of

network security issues.

▪ Illustrate basic concepts about cryptography,

network security protocols, and mechanisms
to secure computers.
 Course Contents

• Overview of computer security.

• Classical Ciphers.
• Introduction to symmetric key ciphers.
• AES encryption.
• Block ciphers and stream ciphers.
• Public key cryptography and RSA.
 Course Contents

• Cryptography hash functions.

• Message authentication codes.
• Digital signatures.
• Key management and distribution.
• User authentication protocols.
• Network and internet security.
• Intrusion, malicious software, and firewalls.
 Evaluation

20 % midterm

20 % project + quizzes + assignment

60 % Final Exam
 Textbooks

William Stallings, Cryptography and

Network Security: Principles and
Practice, 7th Edition, 2017
 The field of network and internet
security consists of:
 Measures to deter ‫ ردع‬, prevent ‫يمنع‬, detect, and correct security violations ‫ انتهاكات‬that involve
‫ تتضمن‬the transmission of information
 Computer Security:
 The protection afforded to an automated information system in order to attain the applicable objectives of
preserving ‫الحفاظ على‬the integrity, availability, and confidentiality of information system resources (includes
hardware, software, firmware, information/data, and telecommunications).
Cryptographic algorithms and protocols can
be grouped into four main areas:
Symmetric encryption

•Used to conceal the contents of blocks or streams of data of any

size, including messages, files, encryption keys, and passwords

Asymmetric encryption

•Used to conceal small blocks of data, such as encryption keys and

hash function values, which are used in digital signatures

Data integrity algorithms

•Used to protect blocks of data, such as messages, from alteration

Authentication protocols

•Schemes based on the use of cryptographic algorithms designed to

authenticate the identity of entities
Computer Security Objectives
Confidentiality
• Data confidentiality
• Assures that private or confidential information is not made available or
disclosed to unauthorized individuals
• Privacy
• Assures that individual's control or influence what information related to
them may be collected and stored and by whom and to whom that
information may be disclosed

Integrity
• Data integrity
• Assures that information and programs are changed only in a specified
and authorized manner
• System integrity
• Assures that a system performs its intended function in an unimpaired
manner, free from deliberate or inadvertent unauthorized manipulation
of the system

Availability
• Assures that systems work promptly, and service is not denied to
authorized users
© 2017 Pearson Education, Ltd., All rights reserved.
• Authenticity: The property of being genuine and being able to be
verified and trusted; confidence in the validity of a transmission, a message,
or message originator. This means verifying that users are who they say they
are and that each input arriving at the system came from a trusted source.

• Accountability: The security goal that generates the requirement for

actions of an entity to be traced uniquely to that entity. This supports
nonrepudiation, deterrence, fault isolation, intrusion detection and prevention,
and after action recovery and legal action. Because truly secure systems are
not yet an achievable goal, we must be able to trace a security breach to a
responsible party. Systems must keep records of their activities to permit later
forensic analysis to trace security breaches or to aid in transaction disputes.
Breach of Security Levels of Impact

•The loss could be expected to have a severe or

catastrophic adverse effect on organizational

High operations, organizational assets, or individuals

•The loss could be expected to have

Moderate a serious adverse effect on

organizational operations,
organizational assets, or individuals

•The loss could be

expected to have a
limited adverse effect on
Low organizational operations,
organizational assets, or
individuals
 Computer Security
Challenges
➢ Security is not simple
➢ Potential attacks on the security features
need to be considered
➢ Procedures used to provide particular
services are often counter-intuitive ‫مضاد بديهى‬
➢ It is necessary to decide where to use the
various security mechanisms
➢ Requires constant monitoring
➢ Is too often an afterthought
➢ Security mechanisms typically involve more
than a particular algorithm or protocol
➢ Security is essentially a battle ‫ معركة‬of wits‫ذكاء‬
between a perpetrator and the designer
➢ Little benefit from security investment is
perceived until a security failure occurs
➢ Strong security is often viewed as an
impediment ‫ عائق‬to efficient and user-friendly
operation
OSI (Open System Interconnection) Security Architecture
▪ Security attack
➢ Any action that compromises the security of information
owned by an organization
▪ Security mechanism
➢ A process (or a device incorporating such a process) that is
designed to detect, prevent, or recover from a security attack
▪ Security service
➢ A processing or communication service that enhances the
security of the data processing systems and the information
transfers of an organization
➢ Intended to counter security attacks, and they make use of
one or more security mechanisms to provide the service
Threats and Attacks
 Security Attacks

•A means of classifying security

attacks, used both in X.800 and RFC
4949, is in terms of passive attacks
and active attacks
•A passive attack attempts to learn
or make use of information from the
system but does not affect system
resources
•An active attack attempts to alter
system resources or affect their
operation
 Passive Attacks

• Are in the nature of eavesdropping

on, or monitoring of, transmissions
• Goal of the opponent is to obtain
information that is being transmitted

❑ Two types of passive attacks are:

➢ The release of message contents
➢ Traffic analysis
 Active Attacks •Takes place when one entity
pretends to be a different entity
Masquerade •Usually includes one of the other
▪ Involve some modification of the data stream or forms of active attack
the creation of a false stream
▪ Difficult to prevent because of the wide variety
of potential physical, software, and network •Involves the passive capture of
vulnerabilities a data unit and its subsequent
Replay retransmission to produce an
▪ Goal is to detect attacks and to recover from unauthorized effect
any disruption or delays caused by them

•Some portion of a legitimate

Modification message is altered, or messages
of messages are delayed or reordered to
produce an unauthorized effect

•Prevents or inhibits the normal

Denial of use or management of
service communications facilities
Security Services
▪ Defined by X.800 as:
• A service provided by a protocol layer of communicating open systems and that ensures
adequate security of the systems or of data transfers

▪ Defined by RFC 4949 as:

• A processing or communication service provided by a system to give a specific kind of
protection to system resources
Services Categories

1. Authentication.
2. Access Control.
3. Data Confidentiality.
4. Data Integrity.
5. Nonrepudiation.
Authentication

o Concerned with assuring that a communication is authentic

➢ In the case of a single message, assures the recipient that the
message is from the source that it claims to be from
➢ In the case of ongoing interaction, assures the two entities are
authentic and that the connection is not interfered with in such
a way that a third party can masquerade as one of the two
legitimate parties

Two specific authentication services are defined in

X.800:
•Peer entity authentication
•Data origin authentication
Access Control

➢ The ability to limit and control the access to host systems

and applications via communications links
➢ To achieve this, each entity trying to gain access must
first be indentified, or authenticated, so that access rights
can be tailored to the individual
Data Confidentiality
o The protection of transmitted data from passive attacks
➢ Broadest service protects all user data transmitted between two
users over a period of time
➢ Narrower forms of service includes the protection of a single
message or even specific fields within a message
o The protection of traffic flow from analysis
➢ This requires that an attacker not be able to observe the source
and destination, frequency, length, or other characteristics of the
traffic on a communications facility
Data Integrity

Can apply to a stream of messages, a single

message, or selected fields within a message

Connection-oriented integrity service, one that

deals with a stream of messages, assures that
messages are received as sent with no
duplication, insertion, modification, reordering, or
replays

A connectionless integrity service, one that deals

with individual messages without regard to any
larger context, generally provides protection
against message modification only
Nonrepudiation

➢ Prevents either sender or receiver from denying a transmitted

message
➢ When a message is sent, the receiver can prove that the alleged
sender in fact sent the message
➢ When a message is received, the sender can prove that the alleged
receiver in fact received the message
Summary
▪ Computer security ▪ Security services
concepts  Authentication
 Definition  Access control
 Examples  Data confidentiality
 Challenges  Data integrity
▪ The OSI security  Nonrepudiation
architecture
 Availability service
▪ Security attacks
▪ Security mechanisms
 Passive attacks
 Active attacks