Unit 1. Introduction to IS (Information Security)

The document provides an overview of information security, detailing its definition, key components, and various types of security attacks. It covers essential concepts such as confidentiality, integrity, availability, and the mechanisms used to protect information, including cryptography and access control. Additionally, it discusses the OSI security architecture and the importance of authentication and accountability in securing information systems.


Parul University

Information Security
Topics

• Computer Security Concepts
• The OSI Security Architecture
• Security Attacks
• Security Services
• Security Mechanisms
• A Model for Network Security
Information Security: What you need to know
What is Information Security?
• Information security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, inspection or recording.
• Put simply, it is protecting information from those who should not be able to read, change or destroy it.
Cont.
Three broad categories:
• Cryptography
 This is the study of techniques for ensuring the secrecy and/or authenticity of information. The field as a whole (strictly, cryptology) has two main branches:
  Cryptography, the study of the design of such techniques
  Cryptanalysis, which deals with defeating such techniques, either to recover the protected information or to forge information that will be accepted as authentic
Cont.
• Network Security
 This area covers the use of cryptographic algorithms in network protocols and network applications.
• Computer Security
 The security of computers against intruders and malicious software.
The OSI (Open Systems Interconnection) Security Architecture
 The OSI security architecture (ITU-T Recommendation X.800) focuses on three concepts:
  Security attack:
  Any action that compromises the security of information owned by an organization, i.e. the security of a system is compromised by some action of a perpetrator.
  Security mechanism:
  A process (or a device incorporating such a process) that is designed to detect, prevent or recover from a security attack.
  Security service:
  A processing or communication service that enhances the security of data processing systems and the information transfers of an organization. Services are intended to counter security attacks, and they do so by using one or more security mechanisms.
Security Attacks
Security Attacks
• There are two main types:
• Passive attacks
  A passive attack attempts to learn or make use of information from the system but does not affect system resources.
  Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Because nothing is altered, passive attacks are very hard to detect, so the emphasis is on prevention (typically encryption) rather than detection.
• Active attacks
  An active attack attempts to alter system resources or affect their operation. Active attacks involve some modification of the data stream or the creation of a false stream. They are difficult to prevent absolutely, so the goal is to detect them and to recover from any disruption or delay they cause.
Attacks: examples

Passive Attack: Interception. Darth reads the content of a message from Bob to Alice ("Hi how are you").

Passive Attack: Traffic Analysis. Darth cannot read the messages but observes the traffic pattern between Bob and Alice (who talks to whom, how often, how much).

Active Attack: Masquerade. Darth sends Alice a message that appears to be from Bob.

Active Attack: Replay. Darth captures a message from Bob to Alice and later replays it to Alice. (Replay is an active attack: it creates a false stream, even though the captured message itself is genuine.)

Active Attack: Modification of message. Darth alters a message from Bob to Alice in transit: "Meet me tomorrow" becomes "Meet me immediately".

Active Attack: Denial of service. Darth disrupts the service provided by the server, so legitimate users cannot reach it.
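The attacks pictured above, as an added example that is not part of the original slides: Bob sends messages to Alice over a channel Darth controls. Darth reads one message (interception), forges one (masquerade), alters one (modification) and re-sends one (replay). Alice detects the three active attacks with a per-message HMAC over a sequence number and the text; the HMAC does nothing against interception, which needs encryption. The names follow the slides; the packet layout, the shared key and the sample messages are this example's own assumptions.

```python
"""Simulating passive and active attacks on a Bob-to-Alice channel."""
import hashlib
import hmac
import secrets

# Shared secret between Bob and Alice, assumed distributed out of band.
KEY = secrets.token_bytes(32)


def protect(key: bytes, seq: int, text: str) -> dict:
    """Bob's side: tag (seq, text) so Alice can check origin and integrity."""
    msg = f"{seq}:{text}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"seq": seq, "text": text, "tag": tag}


class Receiver:
    """Alice's side: verifies the tag, then rejects old sequence numbers."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0
        self.accepted = []

    def receive(self, pkt: dict) -> str:
        """Return 'ok', 'bad_tag' or 'replay'; only 'ok' messages are kept."""
        msg = f"{pkt['seq']}:{pkt['text']}".encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        # Constant-time comparison so the check itself leaks nothing.
        if not hmac.compare_digest(expected, pkt["tag"]):
            return "bad_tag"  # masquerade or modification
        if pkt["seq"] <= self.last_seq:
            return "replay"  # a genuine but already-seen message
        self.last_seq = pkt["seq"]
        self.accepted.append(pkt["text"])
        return "ok"


def run_attacks() -> dict:
    """Let Darth try each attack from the slides against one session."""
    alice = Receiver(KEY)
    results = {}

    # Interception: nothing stops Darth reading the text; the tag is not encryption.
    pkt1 = protect(KEY, 1, "Hi how are you")
    results["intercepted_text"] = pkt1["text"]
    results["legit_1"] = alice.receive(pkt1)

    # Masquerade: Darth has no key, so the best he can do is guess a tag.
    forged = {"seq": 2, "text": "Send me the report", "tag": "00" * 32}
    results["masquerade"] = alice.receive(forged)

    # Modification: Darth changes the text of a captured packet in flight.
    pkt2 = protect(KEY, 2, "Meet me tomorrow")
    tampered = dict(pkt2, text="Meet me immediately")
    results["modification"] = alice.receive(tampered)

    # The untouched packet still gets through...
    results["legit_2"] = alice.receive(pkt2)
    # ...but re-sending the earlier genuine packet does not.
    results["replay"] = alice.receive(pkt1)

    results["accepted"] = list(alice.accepted)
    return results


if __name__ == "__main__":
    for name, outcome in run_attacks().items():
        print(f"{name:18} {outcome}")
```

The sequence-number check only works because the tag covers the sequence number too; a MAC over the text alone would let Darth replay freely. Denial of service is not simulated here: no checksum helps when the packets never arrive.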
Key Security Goals
• Confidentiality (covers both data confidentiality and privacy): preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.

• Integrity (covers both data and system integrity): guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
• Availability: ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
• Availability focuses on providing immediate access to mission-critical data when it is needed for decision making.
• An organization's business continuity is at serious risk if the information required for decision making is inaccessible. Failing to provide timely access to vital information resources can result in the loss of continuity of operations.
• Authorization: relates to who has the right or privilege to access the information infrastructure.
• Access rights are determined by an information security plan that should be approved by the organization's legitimate authority.
• Authenticity: the property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or a message originator.
• Authentication is the access control method used to verify the identity of an individual who is attempting to gain access to an information asset.
• There are three main methods (factors) of providing assurance of the identity of an authorized user:
1. something the user knows (e.g. a password)
2. something the user possesses (e.g. a token)
3. something the user is (e.g. biometrics, such as a fingerprint reader)

Source: https://www.computer-security-glossary.org/
• Accountability: the security goal that generates the requirement for actions of an entity to be traced uniquely to that entity, i.e. every individual who works with an information system should have specific responsibilities for information assurance.
• E.g. all employees must avoid installing outside software on company-owned information infrastructure. The person in charge of information security should perform periodic checks to be certain that the policy is being followed.
Security Services (X.800)
Authentication
 The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or a message originator.
 This means verifying that each input arriving at the system came from a trusted source.

Figure: Password + Verification = Access
Security Services (X.800)
Authentication
Two specific authentication services are defined in X.800:
 Peer entity authentication provides for the proof of the identity of a peer entity in an association.
  Provides confidence against masquerade or unauthorized replay.
 Data origin authentication provides for the proof of the source of a data unit. It does not by itself protect against duplication or modification of data units.

Figure: User A sends the bank "Transfer Rs. 1,00,000 from A to C. I am User A"; the bank must verify that the request really originates from User A.
Security Services
 Access Control
  Prevention of unauthorized use of a resource.
  This service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do.
  Access control is the ability to limit and control access to host systems and applications via communications links. To achieve this, each entity trying to gain access must first be identified, or authenticated, so that access rights can be tailored to the individual.

Figure: User A is granted access to the Human Resources system; User B is granted access to the Development system.
Security Services
 Data Confidentiality
  The protection of data from unauthorized disclosure.
  Confidentiality is the protection of transmitted data from passive attacks such as packet sniffing and illegal copying.

Figure: Bob sends to Alice; an eavesdropper sniffs the packets and makes an illegal copy.
Security Services
 Data Integrity
  The assurance that data received are exactly as sent by an authorized entity (i.e. contain no modification, insertion, deletion or replay).
  Data integrity is the protection of transmitted data from active attacks.

Figure: Alice sends a message to Bob over the channel; the message Bob receives is the same as the one Alice sent.
Security Services
 Availability
  Assures that systems work promptly and that service is not denied to authorized users.

Figure: the user's browser is working, but the www.amazon.com server is down, so the service is unavailable.
Security Services
• Non-repudiation
  Non-repudiation prevents either the sender or the receiver from denying a transmitted message. When a message is sent, the receiver can prove that the alleged sender in fact sent it; when a message is received, the sender can prove that the alleged receiver in fact received it.

Figure: User A tells the bank "Transfer Rs. 1,00,000 to Bank"; a few days later User A claims "I have never requested to transfer Rs. 1,00,000". Non-repudiation of origin lets the bank prove that the request came from User A.
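The bank scenario above, as an added example that is not part of the original slides: why a shared-key MAC gives the bank integrity but not non-repudiation, while a digital signature gives both. Because bank and User A share the MAC key, the bank could itself produce a valid tag for "Transfer Rs. 1,00,000", so User A can plausibly deny the request. Only the holder of the private signing key can produce a valid signature, so a verified signature ties the request to User A. The RSA here is the textbook "hash, then exponentiate" scheme with two small Mersenne primes chosen so the modulus is readable; it has no padding, the factors are public, and it is not secure. Real systems use a vetted library (RSA-PSS or Ed25519 with properly sized keys). The key values and the request text are this example's assumptions.

```python
"""MAC versus signature: integrity alone versus integrity plus non-repudiation."""
import hashlib
import hmac
import math

# --- Mechanism 1: shared-key MAC (integrity, no non-repudiation) -----------
SHARED_KEY = b"bank-and-userA-shared-key"  # assumed; known to BOTH parties


def mac(key: bytes, msg: bytes) -> str:
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def bank_can_forge_mac(msg: bytes, tag: str) -> bool:
    """The bank holds the same key, so it can reproduce any tag on its own."""
    return hmac.compare_digest(mac(SHARED_KEY, msg), tag)


# --- Mechanism 2: textbook RSA signature (integrity + non-repudiation) -----
P = 2**31 - 1  # Mersenne prime M31 (toy size; factors deliberately public)
Q = 2**61 - 1  # Mersenne prime M61
N = P * Q
E = 65537  # public exponent, coprime with lcm(P-1, Q-1)
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # Carmichael lambda(N)
D = pow(E, -1, LAM)  # private exponent: E * D == 1 (mod LAM)
PUBLIC_KEY = (N, E)  # known to everyone, including the bank
PRIVATE_KEY = (N, D)  # known only to User A


def digest_mod_n(msg: bytes, n: int) -> int:
    """Hash the message and reduce it so it fits the modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv: tuple, msg: bytes) -> int:
    n, d = priv
    return pow(digest_mod_n(msg, n), d, n)


def verify(pub: tuple, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest_mod_n(msg, n)


def demo() -> dict:
    request = b"Transfer Rs. 1,00,000 from User A to C"  # constructed sample
    tag = mac(SHARED_KEY, request)
    sig = sign(PRIVATE_KEY, request)
    return {
        "mac_valid": hmac.compare_digest(mac(SHARED_KEY, request), tag),
        # The bank can make the same tag, so the tag proves nothing to a judge.
        "bank_could_forge_mac": bank_can_forge_mac(request, tag),
        "sig_valid": verify(PUBLIC_KEY, request, sig),
        # Without D the bank cannot produce a valid signature; a guess fails.
        "forged_sig_valid": verify(PUBLIC_KEY, request, (sig + 1) % N),
        # Any change to the request invalidates the signature (integrity).
        "altered_msg_valid": verify(
            PUBLIC_KEY, b"Transfer Rs. 9,00,000 from User A to C", sig
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

The difference is who holds the secret: with a MAC both parties can produce the tag, so neither can hold the other to it; with a signature the verification key is public and only the signer holds the private key, which is exactly what a third party needs to settle a dispute.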
Security Mechanisms
• A feature designed to detect, prevent, or recover from a security attack.
• No single mechanism supports all of the services required; however, one particular element underlies many of the security mechanisms in use:
  – cryptographic techniques
Cont.
• Specific security mechanisms (each implemented in a particular protocol layer):
  – Encipherment: the use of mathematical algorithms to transform data into a form that is not readily intelligible. In cryptography, a cipher is an algorithm for performing encryption or decryption, a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment.
  – Digital signatures, access controls, data integrity, authentication exchange, traffic padding, notarization (defined below).
  – Routing control: enables the selection of particular physically secure routes for certain data and allows routing changes, especially when a breach of security is suspected. (This is a security mechanism; it is not the performance-oriented "route control" that picks the fastest path to an ISP.)
Figure: Symmetric Key Encryption (one shared secret key is used both to encrypt and to decrypt).
Figure: Asymmetric Key Encryption (a public key encrypts; only the matching private key decrypts).
Access control is the ability to limit and control access to host systems and applications via communications links.
What will happen if access control, authorization and authentication are not properly designed?
• Data/resources at risk
• Inconsistency
• Information breach
• Attack on the system from inside
• Intruders
• Authentication Exchange: a mechanism intended to ensure the identity of an entity by means of information exchange.
• Traffic Padding: the insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
• Notarization: the use of a trusted third party to assure certain properties of a data exchange.
• Digital Signature: data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery (e.g. by the recipient).
  – Notarization in practice: an eNotary is a Notary Public who notarizes documents electronically. One of the methods employed by eNotaries is the use of a digital signature and digital notary seal to notarize digital documents and validate them with a digital certificate. Electronic notarization is a process whereby a notary affixes an electronic signature and notary seal to an electronic document (such as a PDF or Word document) using the notary's private key; relying parties check the signature with the matching public key in the notary's digital certificate. Once affixed to the electronic document, the document is rendered tamper-evident, such that unauthorized attempts to alter the document will be evident to relying parties.
• Pervasive security mechanisms (not specific to any particular service or protocol layer):
  – trusted functionality, security labels, event detection, security audit trails, security recovery
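The traffic padding mechanism listed above, as an added example that is not part of the original slides. An eavesdropper who cannot read an encrypted message can still learn from its length (a one-word "yes" looks different on the wire from a paragraph). Padding every message up to a fixed bucket size before encryption removes that signal. The 64-byte bucket, the 2-byte length prefix and the sample messages are choices made for this example.

```python
"""Traffic padding: hide message length from a traffic analyst."""
import os

BUCKET = 64  # every padded message is a multiple of this many bytes


def pad(msg: bytes, bucket: int = BUCKET) -> bytes:
    """Prefix the real length, then fill with random bytes to a bucket boundary."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too long for a 2-byte length prefix")
    body = len(msg).to_bytes(2, "big") + msg
    fill = (-len(body)) % bucket  # 0 when body already ends on a boundary
    # Random filler so padding bytes cannot be distinguished from data
    # once the whole padded unit is encrypted.
    return body + os.urandom(fill)


def unpad(padded: bytes) -> bytes:
    """Recover the real message; the length prefix makes this unambiguous."""
    if len(padded) < 2:
        raise ValueError("padded unit too short")
    n = int.from_bytes(padded[:2], "big")
    if n > len(padded) - 2:
        raise ValueError("corrupt length prefix")
    return padded[2:2 + n]


def observed_lengths(messages, bucket: int = BUCKET) -> list:
    """What a traffic analyst sees for each message: only padded lengths."""
    return [len(pad(m, bucket)) for m in messages]


# Constructed sample traffic: replies of very different lengths.
SAMPLE = [
    b"yes",
    b"no",
    b"Meet me tomorrow at the usual place, bring the documents.",
]

if __name__ == "__main__":
    print("raw lengths:   ", [len(m) for m in SAMPLE])
    print("on the wire:   ", observed_lengths(SAMPLE))
```

Padding trades bandwidth for secrecy; the bucket size sets the trade. The timing and count of messages still leak, which is why X.800 pairs traffic padding with routing control and, where needed, dummy traffic.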
A Model for Network Security
 The general model shows that there are four basic tasks in designing a particular security service:
 1. Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose.
 2. Generate the secret information (e.g. a key) to be used with the algorithm.
 3. Develop methods for the distribution and sharing of the secret information.
 4. Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service.
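The four design tasks carried out for one confidentiality service, as an added example that is not part of the original slides: (1) the algorithm is a keystream derived from HMAC-SHA256 in counter mode, XORed into the message, with a second HMAC over the ciphertext so tampering is detected (encrypt-then-MAC); (2) the secret keys come from the OS random source; (3) distribution is simulated by handing the keys to both principals in memory, standing in for an out-of-band channel or key-exchange protocol; (4) the protocol is the record format nonce || ciphertext || tag. The keystream construction is used only because Python's standard library has no block cipher; production code uses a vetted AEAD such as AES-GCM or ChaCha20-Poly1305. The record layout, key sizes and sample message are this example's own assumptions.

```python
"""The four tasks of the network security model for a confidentiality service."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 output


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Task 1: pseudorandom keystream, block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def generate_keys() -> tuple:
    """Task 2: independent keys for encryption and for the integrity tag."""
    return secrets.token_bytes(32), secrets.token_bytes(32)


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Task 4, sender side: fresh nonce, encrypt, then tag nonce || ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_record(enc_key: bytes, mac_key: bytes, record: bytes) -> bytes:
    """Task 4, receiver side: verify the tag first, decrypt only if it holds."""
    if len(record) < NONCE_LEN + TAG_LEN:
        raise ValueError("record too short")
    nonce = record[:NONCE_LEN]
    ct = record[NONCE_LEN:-TAG_LEN]
    tag = record[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    ks = keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def demo() -> dict:
    enc_key, mac_key = generate_keys()  # Task 2
    sender = receiver = (enc_key, mac_key)  # Task 3: both principals hold the keys
    msg = b"Meet me tomorrow"  # constructed sample
    record = seal(*sender, msg)
    # An opponent flips one bit of the ciphertext: the tag no longer matches.
    i = NONCE_LEN
    tampered = record[:i] + bytes([record[i] ^ 0x01]) + record[i + 1:]
    try:
        open_record(*receiver, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "roundtrip": open_record(*receiver, record) == msg,
        "plaintext_hidden": msg not in record,  # interception reveals nothing
        "tamper_detected": tamper_detected,
        "nonce_makes_records_differ": seal(*sender, msg) != record,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28} {value}")
```

Two points a practitioner should take from the model: the nonce must never repeat under the same key (a repeated keystream lets an opponent XOR two ciphertexts together), and the tag is checked before any decryption so that a tampered record is rejected without being processed. Task 3, key distribution, is the hardest part in real systems and is what key-exchange protocols and certificate infrastructures exist to solve.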