Lecture 04 Security Attacks

Uploaded by

ranaibrahim453

Information Security

Lecture-04

Agenda

• Security Attacks
• Security Services
• Security Mechanisms

Introduction (3/5)

Security Comes with Costs


• In reality, achieving perfect security is not possible due to
the costs associated with it:
– This cost can be measured not just in money, but also in
complexity, time and efficiency
• To make things secure, it is necessary to spend money,
perform more procedures, and wait for these procedures
to complete
• The recommendation is to choose a scheme that has a
certain amount of “cost” and an understood amount of
security coverage

Introduction (5/5)

Security Architecture for OSI


• ITU-T Recommendation X.800, Security Architecture for
OSI, defines a systematic way of:
– Defining the requirements for security
– Characterizing the approaches to satisfying those requirements
• The security architecture comprises basically 3 elements:
1. Security attack: An action that compromises the security of
information owned by an organization
2. Security mechanism: Detect, prevent or recover from a
security attack
3. Security service: Enhance the security of data processing
systems and transfers – counter security attacks by making use
of one or more security mechanisms
• A security service prevents attacks using mechanisms
Agenda

• Security Attacks
• Security Services
• Security Mechanisms
• Network Security Model

Introduction (1/5)

Threat vs. Attack


• Threat: A potential for violation of security, which exists
when there is a circumstance, capability, action, or
event that could breach security and cause harm. That
is, a threat is a possible danger that might exploit a
vulnerability
• Attack: An assault on system security that derives from
an intelligent threat; that is, an intelligent act that is a
deliberate attempt (especially in the sense of a method
or technique) to evade security services and violate the
security policy of a system

Security Attacks (2/5)

Security attacks can be passive or active


• Passive attack attempts to learn or make use of
information from the system but does not affect system
resources
• Active attack attempts to alter system resources or
affect their operation

Active Attacks Passive Attacks

Security Attacks (3/5)

Passive Attacks

Passive threats
– The release of message contents
– Traffic analysis

• eavesdropping, monitoring transmissions

Security Attacks (4/5)

Active Attacks

Active threats
– Masquerade
– Replay
– Modification of message contents
– Denial of service

• some modification of the data stream

OSI Reference Model (5/5)

Understanding Different Threats

Source: Fundamental Principles of Network Security, White Paper 101, Christopher Leidigh
Agenda

• Introduction
• Security Attacks
• Security Services
• Security Mechanisms

Security Services (1/7)

Service Categories
• The OSI security architecture (X.800) defines the
following security services:
─ Authentication
─ Access Control
─ Data Confidentiality
─ Data Integrity
─ Nonrepudiation

Security Services (2/7)

Authentication

• Concerned with assuring that a communication is
authentic
─ In the case of a single message, assures the
recipient that the message is from the source that it
claims to be from
─ In the case of ongoing interaction, assures the two
entities are authentic and that the connection is not
interfered with in such a way that a third party can
masquerade as one of the two legitimate parties
Security Services (3/7)

Access Control (Authorization)

• The ability to limit and control the access to host systems
and applications via communications links
• To achieve this, each entity trying to gain access must
first be identified, or authenticated, so that access rights
can be tailored to the individual
Security Services (4/7)

Data Confidentiality

• The protection of transmitted data from passive attacks
─ Broadest service protects all user data transmitted between two
users over a period of time
─ Narrower forms of service include the protection of a single
message or even specific fields within a message
• The protection of traffic flow from analysis
─ This requires that an attacker not be able to observe the source
and destination, frequency, length, or other characteristics of the
traffic on a communications facility
Security Services (5/7)

Data Integrity

• Can apply to a stream of messages, a single message,
or selected fields within a message
• Connection-oriented integrity service deals with a stream
of messages and assures that messages are received
as sent with no duplication, insertion, modification,
reordering, or replays
• A connectionless integrity service deals with individual
messages without regard to any larger context and
generally provides protection against message
modification only
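
Added example (not part of the original slides): the difference between the two integrity services above, shown with Python's standard library. The use of HMAC-SHA-256, an 8-byte sequence number, the key and the sample messages are all assumptions made for this illustration; the lecture does not name a mechanism.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key (assumption, not from the slides)
MAC_LEN = 32                   # HMAC-SHA-256 tag length in bytes

def tag(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()

# Connectionless integrity: each message is checked on its own.
def protect_connectionless(msg: bytes) -> bytes:
    return msg + tag(msg)

def verify_connectionless(packet: bytes) -> bool:
    msg, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
    return len(packet) >= MAC_LEN and hmac.compare_digest(mac, tag(msg))

# Connection-oriented integrity: the MAC also covers a sequence number,
# and the receiver keeps state about where it is in the stream.
class Sender:
    def __init__(self) -> None:
        self.seq = 0

    def protect(self, msg: bytes) -> bytes:
        body = struct.pack(">Q", self.seq) + msg
        self.seq += 1
        return body + tag(body)

class Receiver:
    def __init__(self) -> None:
        self.expected = 0

    def verify(self, packet: bytes) -> str:
        body, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
        if len(packet) < 8 + MAC_LEN or not hmac.compare_digest(mac, tag(body)):
            return "modified"            # altered or inserted without the key
        (seq,) = struct.unpack(">Q", body[:8])
        if seq < self.expected:
            return "replay"              # duplicate of an earlier message
        if seq > self.expected:
            return "out-of-order"        # reordering or a missing message
        self.expected += 1
        return "ok"

if __name__ == "__main__":
    pkt = protect_connectionless(b"PAY 100 TO BOB")   # constructed sample message
    print(verify_connectionless(pkt), verify_connectionless(pkt))  # replay passes
    s, r = Sender(), Receiver()
    first = s.protect(b"PAY 100 TO BOB")
    print(r.verify(first), r.verify(first))
```

The connectionless verifier accepts the same valid packet any number of times, because it only checks for modification; the stateful receiver rejects the second copy.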
Security Services (6/7)

Nonrepudiation

• Prevents either sender or receiver from denying a
transmitted message
• When a message is sent, the receiver can prove that the
alleged sender in fact sent the message
• When a message is received, the sender can prove that
the alleged receiver in fact received the message
Security Services (7/7)

Availability (not defined in X.800)

• Keeps the system accessible for the authorized users
• Addresses the security concerns raised by denial-of-
service attacks
• Depends on proper management and control of system
resources
