Computer Security (CE-408) : An Overview
Course Tutors
Kashif Habib (A,B)
Ibrahim M. Hussain (C)
Najmul Islam Farooqi (D,E)
Course Outline
Introduction: (chapters 1,2)
Introduction to Computer Security
Introduction to Cryptology
Part One: Symmetric Ciphers: (chapters 2-7)
Classical Encryption Techniques
Feistel Structure and S-DES
DES and mode of operation
Linear and differential cryptanalysis
3-DES and IDEA
Finite field and AES
Confidentiality Using Symmetric Encryption
Key distribution
Random number generators
Part Two : Public Key Encryption and Hash Algorithms: (chapters 8-13)
Number theory
Public Key Cryptography
RSA Algorithm
Public Key Exchange Methods
Key exchange management (Diffie-Hellman)
Introduction to message authentication and Hash Functions
MD-5, SHA
Digital Signatures – An application of Hash Functions
Part Three: Network Security and System Security: (chapters 15-20)
Electronic Mail Security (PGP)
IP Security
Intrusion Detection
Viruses
Firewalls
Web and WAP Security
Text Book
Cryptography and Network Security:
Principles & Practice (Third Edition)
By William Stallings – Prentice Hall Publication
Network Security
CE-408
Introduction (Chapter 1)
What is Computer Security?
Computer Security: The generic name for the collection of
tools designed to protect data and to thwart attackers.
Network Security: Security issues involving all
business, government and academic organizations
interconnected for sharing data. It involves protection of
data during their transmission.
Security Trends
The Value of Computer Assets and Services
Most companies use electronic information extensively to
support their daily business processes. Data is stored on
customers, products, contracts, financial results, accounting
etc.
Computer Crimes
Computer fraud in the U.S. alone exceeds $3 billion each year
Average computer bank theft amounts to $1.5 million
Computer Crimes ...
Computer Security Losses
Security Technologies Used
Complexity of Internetwork Security
Major requirements: Secrecy, Integrity, Availability,
Authenticity, Non-repudiation and Access control
Secrecy
Integrity
Availability
Authenticity
Non-repudiation
Access control
Computer Security Requirements
Secrecy
Secrecy requires that the information in a computer system
only be accessible for reading by authorized parties.
This type of access includes printing, displaying, and other forms of disclosure,
including simply revealing the existence of an object.
Integrity
Integrity requires that the computer system asset can be modified only by
authorized parties.
Modification includes writing, changing, changing status, deleting, and creating.
Data integrity versus System integrity
Availability
Availability requires that computer system assets are available to authorized
parties.
“Requirement intended to assure that systems work promptly and service is not
denied to authorized users.” (Computers at Risk, p. 54.)
Access control - Unauthorized users are kept out.
Authenticity
Authenticity means that parties in an information service can ascertain
the identity of parties trying to access that service.
Non-repudiation
Originator of communications can’t deny it later
Associates the identity of the originator with the transaction in a non-deniable
way
Access Control
Unauthorized users are kept out of the system
Unauthorized users are kept out of places on the system/disk
Security Requirements are often Combined
For example:
User authentication used for access control purposes
Non-repudiation combined with authentication
Types of Attacks/Threats in Computer Systems
A threat is a danger which could affect the
security (confidentiality, integrity, availability)
of assets, leading to a potential loss or
damage.
Interruption
Interception
Modification
Fabrication
Possible Scenarios
Normal Flow of Information
Interruption
Interception
Information disclosure/information leakage
Modification
Modification is integrity violation
Fabrication
An unauthorized party inserts counterfeit
objects into the system.
Classification of Attacks
Computer Security attacks can be classified into two broad
categories:
Mail forgery/modification
TCP/IP spoofing/session hijacking
Passive Attacks
Eavesdropping on or monitoring of transmission.
The goal of the opponent is to obtain information that
is being transmitted.
Two types:
Release-of-message contents:
Opponent finds out the contents or the
actual messages being transmitted
Traffic Analysis
More subtle than release-of-message contents
Messages may be kept secret by masking or encryption.
The opponent infers the information being carried by the messages from
the frequency and timing of the messages
Problems:
Difficult to detect because there is no modification of data
Protection approach should be based on prevention rather than detection
Active Attacks
Active attacks involve some sort of modification of the data
stream or the creation of a false stream. Four sub-categories:
Masquerade
An entity pretends to be another
For the purpose of doing some other form of attack
Example: a system claims an IP address that is not
its own (IP spoofing)
Replay
First passive capture of data and then its retransmission
to produce an unauthorized effect.
Modification of Messages
Some portion of a legitimate message is altered or messages
are delayed or reordered to produce an unauthorized effect.
Denial of service
Prevents the normal use or management of communication facilities.
Problems
Easy to detect but difficult to prevent
Efforts are directed to quickly recover from disruption or delays
The good thing is that detection will have a deterrent effect
Methods of Defense
Encryption
Physical Controls
Model for Network Security
Using this model requires us to:
Design a mechanism or algorithm to perform the security
task without being defeated and challenged.
Security Services
X.800:
“a service provided by a protocol layer of communicating open systems,
which ensures adequate security of the systems or of data transfers”
RFC 2828:
“a processing or communication service provided by a system to give a
specific kind of protection to system resources”
OSI Security Architecture
ITU-T X.800 “Security Architecture for OSI”
defines a systematic way of defining and
providing security requirements
For us it provides a useful, if abstract,
overview of concepts we will study
Security Layers
[Figure: protocol stacks of two endpoints (Application, Session, Transport, Data link, Physical) joined by a physical network through encrypting NICs, with an example security protocol per layer: Application: Email - S/MIME; Session: SSL; Data link: PPP - ECP.]
• The further down you go, the more transparent it is
• The further up you go, the easier it is to deploy
Security Services
From the OSI definition:
Access control: Protects against unauthorized use.
Authentication: Provides assurance of someone's
identity.
Confidentiality: Protects against disclosure to
unauthorized identities.
Integrity: Protects from unauthorized data alteration.
Non-repudiation: Protects against originator of
communications later denying it.
Security Mechanisms (X.800)
Three basic building blocks are used:
Encryption is used to provide confidentiality, can provide authentication and integrity protection
Digital signatures are used to provide authentication, integrity protection, and non-repudiation
Checksums/hash algorithms are used to provide integrity protection, can provide authentication
One or more security mechanisms are combined to provide a security service
Services, Mechanisms, Algorithms
A typical security protocol provides one or
more security services (authentication,
secrecy, integrity, etc.)
Services are built from mechanisms
Mechanisms are implemented using
algorithms
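Added example (not part of the original slides): the service / mechanism / algorithm layering in code, with integrity and authentication as the services, a keyed hash plus sequence number as the mechanism, and HMAC-SHA256 as the algorithm. It shows why a hash only "can provide authentication" when it is keyed, and how the receiver rejects the modification, fabrication and replay cases from the active-attack slides. The key, messages and class names are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample key shared by sender and receiver

def plain_tag(msg: bytes) -> bytes:
    """Unkeyed hash: anyone can recompute it, so it only catches accidental change."""
    return hashlib.sha256(msg).digest()

def plain_verify(msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(plain_tag(msg), tag)

def keyed_tag(key: bytes, seq: int, msg: bytes) -> bytes:
    """HMAC-SHA256 over a sequence number and the message."""
    return hmac.new(key, seq.to_bytes(8, "big") + msg, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def accept(self, seq: int, msg: bytes, tag: bytes) -> str:
        # Constant-time comparison of the received tag with the expected one.
        if not hmac.compare_digest(keyed_tag(self.key, seq, msg), tag):
            return "rejected: bad tag"
        if seq <= self.last_seq:
            return "rejected: replay"
        self.last_seq = seq
        return "accepted"

def demo() -> dict:
    rx = Receiver(KEY)
    msg, altered = b"PAY 100 TO ALICE", b"PAY 900 TO ALICE"  # constructed messages
    tag = keyed_tag(KEY, 1, msg)
    return {
        "genuine": rx.accept(1, msg, tag),
        "replayed": rx.accept(1, msg, tag),      # same bytes delivered again
        "modified": rx.accept(2, altered, tag),  # message altered, old tag kept
        "fabricated": rx.accept(2, altered, keyed_tag(b"wrong-key", 2, altered)),
        # No secret is needed to recompute an unkeyed hash over the altered message.
        "unkeyed_accepts_altered": plain_verify(altered, hashlib.sha256(altered).digest()),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

None of this gives secrecy: the message travels in the clear, so confidentiality still needs encryption as a separate mechanism.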
Summary