Week 1 Information Security

The document provides an overview of information security, focusing on network and computer security principles, including the CIA triad (Confidentiality, Integrity, Availability) and various security services and mechanisms. It discusses types of security attacks (passive and active), cryptographic algorithms, and the importance of designing robust security services. Additionally, it highlights challenges in implementing security measures and the need for constant monitoring to protect against unauthorized access and data breaches.

Uploaded by Usama Butt

Information Security Overview

Network Security

Consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information.

Lecture slides adapted from “Cryptography and Network Security”, 6/e, by William Stallings. Chapter 1, “Overview”.
Computer Security Objectives
Confidentiality

• Data confidentiality
• Assures that private or confidential information is not made available or disclosed to
unauthorized individuals
• Privacy
• Assures that individuals control or influence what information related to them may be collected
and stored and by whom and to whom that information may be disclosed

Integrity

• Data integrity
• Assures that information and programs are changed only in a specified and authorized manner
• System integrity
• Assures that a system performs its intended function in an unimpaired manner, free from
deliberate or inadvertent unauthorized manipulation of the system

Availability

• Assures that systems work promptly, and service is not denied to authorized users

CIA Triad

Possible additional concepts:

• Authenticity
• Verifying that users are who they say they are and that each input arriving at the system came from a trusted source
• Accountability
• The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity
Breach of Security / Levels of Impact (the three impact levels of FIPS PUB 199)

• Low
• The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
• Moderate
• The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
• High
• The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals
Cryptographic algorithms and protocols can be
grouped into four main areas:
Symmetric encryption

• Used to conceal the contents of blocks or streams of data of any size, including messages, files, encryption keys,
and passwords

Asymmetric encryption

• Used to conceal small blocks of data, such as encryption keys and hash function values, which are used in digital
signatures

Data integrity algorithms

• Used to protect blocks of data, such as messages, from alteration

Authentication protocols

• Schemes based on the use of cryptographic algorithms designed to authenticate the identity of entities

Computer Security Challenges

• Security is not simple
• Potential attacks on the security features need to be considered
• Procedures used to provide particular services are often counter-intuitive
• It is necessary to decide where to use the various security mechanisms
• Requires constant monitoring
• Is too often an afterthought
• Security mechanisms typically involve more than a particular algorithm or protocol
• Security is essentially a battle of wits between an offender and the designer
• Little benefit from security investment is perceived until a security failure occurs
• Strong security is often viewed as a barrier to efficient and user-friendly operation
OSI Security Architecture

• Security attack
• Any action that compromises the security of information owned by an organization
• Security mechanism
• A process (or a device incorporating such a process) that is designed to detect, prevent, or recover
from a security attack
• Security service
• A processing or communication service that enhances the security of the data processing systems
and the information transfers of an organization
• Intended to counter security attacks, and they make use of one or more security mechanisms to
provide the service

Table 1.1 Threats and Attacks (RFC 4949)
Security Attacks

• A means of classifying security attacks, used both in X.800 and RFC 4949, is in terms of passive attacks and active attacks
• A passive attack attempts to learn or make use of information from the system but does not affect system resources
• An active attack attempts to alter system resources or affect their operation
Passive Attacks

• Are in the nature of eavesdropping on, or monitoring of, transmissions
• Goal of the opponent is to obtain information that is being transmitted
• Two types of passive attacks are:
• The release of message contents
• Traffic analysis
• Difficult to detect because no data is altered, so the emphasis is on prevention (typically encryption) rather than detection
Active Attacks

• Involve some modification of the data stream or the creation of a false stream
• Difficult to prevent because of the wide variety of potential physical, software, and network vulnerabilities
• Goal is to detect attacks and to recover from any disruption or delays caused by them
• Four categories of active attack:
• Masquerade: takes place when one entity pretends to be a different entity; usually includes one of the other forms of active attack
• Replay: involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
• Modification of messages: some portion of a legitimate message is altered, or messages are delayed or reordered to produce an unauthorized effect
• Denial of service: prevents or inhibits the normal use or management of communications facilities
Security Services

• Defined by X.800 as:
• A service provided by a protocol layer of communicating open systems that ensures adequate security of the systems or of data transfers
• Defined by RFC 4949 as:
• A processing or communication service provided by a system to give a specific kind of protection to system resources
X.800 Service Categories

• Authentication
• Access control
• Data confidentiality
• Data integrity
• Nonrepudiation

Authentication

Two specific authentication services are defined in X.800:

• Peer Entity Authentication
• Used when a communication is established and during data transfer
• Ensures that a communication is authentic
• In the case of ongoing interaction, assures that the two entities are authentic and that the connection is not interfered with in such a way that a third party can masquerade as one of the two legitimate parties
• Data-origin Authentication
• Assures the recipient that the message is from the source that it claims to be from
Access Control

• The ability to limit and control the access to host systems and applications via communications links
• To achieve this, each entity trying to gain access must first be identified, or authenticated, so that access rights can be tailored to the individual
Data Confidentiality

• The protection of transmitted data from passive attacks
• Broadest service protects all user data transmitted between two users over a period of time
• Narrower forms of service include the protection of a single message or even specific fields within a message
• The protection of traffic flow from analysis
• This requires that an attacker not be able to observe the source and destination, frequency, length, or other characteristics of the traffic on a communications facility
Data Integrity

• Can apply to a stream of messages, a single message, or selected fields within a message
• Connection-oriented integrity service, one that deals with a stream of messages, assures that messages are received as sent with no duplication, insertion, modification, reordering, or replays
• A connectionless integrity service, one that deals with individual messages without regard to any larger context, generally provides protection against message modification only
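The connection-oriented integrity service described above, and the replay and modification attacks from the Active Attacks slide, in working code. This is an added example and not part of the Stallings slides: it builds a minimal data-integrity mechanism from HMAC-SHA256 plus a per-connection sequence number, so the receiver rejects modified, forged, replayed, duplicated and reordered frames. The key, the message texts and the frame layout (4-byte sequence number, payload, 32-byte tag) are all constructed for the demonstration.

```python
# Added example (not from the Stallings slides): a minimal connection-oriented
# integrity service built from HMAC-SHA256 plus a per-connection sequence number.
# The receiver rejects modified, forged, replayed, duplicated and reordered
# frames, which is the list the X.800 connection-oriented service covers.
# The key, messages and frame layout below are constructed for this demo.
import hashlib
import hmac
import secrets
import struct


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: frame = 4-byte big-endian sequence number || payload || tag.
    The tag covers the sequence number, so an attacker cannot renumber a frame."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiver side: verifies the tag, then enforces strictly consecutive sequence numbers."""
    TAG_LEN = 32

    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0

    def accept(self, frame: bytes) -> tuple:
        """Returns (accepted, reason, payload)."""
        if len(frame) < 4 + self.TAG_LEN:
            return False, "malformed", b""
        header, payload, tag = frame[:4], frame[4:-self.TAG_LEN], frame[-self.TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # compare_digest avoids a timing side channel on the tag comparison
        if not hmac.compare_digest(tag, expected):
            return False, "modified or forged", b""
        (seq,) = struct.unpack(">I", header)
        if seq < self.next_seq:
            return False, "replay or duplicate", b""
        if seq > self.next_seq:
            return False, "reordered or missing frame", b""
        self.next_seq = seq + 1
        return True, "ok", payload


def demo() -> list:
    """Runs a constructed attack sequence against one connection and returns the verdicts."""
    key = secrets.token_bytes(32)  # shared secret; its distribution is out of scope here
    rx = Receiver(key)
    msgs = [b"transfer 10 to bob", b"transfer 5 to carol", b"balance?", b"logout"]
    frames = [protect(key, i, m) for i, m in enumerate(msgs)]
    results = []
    results.append(rx.accept(frames[0])[1])          # genuine frame 0: ok
    tampered = bytearray(frames[1])
    tampered[4 + 9] ^= 0x01                          # flip a bit in the amount ("5" -> "4")
    results.append(rx.accept(bytes(tampered))[1])    # modified or forged
    results.append(rx.accept(frames[1])[1])          # genuine frame 1: ok
    results.append(rx.accept(frames[0])[1])          # old frame again: replay or duplicate
    results.append(rx.accept(frames[3])[1])          # frame 3 before 2: reordered or missing frame
    results.append(rx.accept(frames[2])[1])          # ok
    results.append(rx.accept(frames[3])[1])          # ok
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The connectionless integrity service from the slide is the same check with the sequence-number test removed: the tag still catches modification and forgery, but nothing distinguishes a replayed frame from a fresh one.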
Nonrepudiation

• Prevents either sender or receiver from denying a transmitted message
• When a message is sent, the receiver can prove that the alleged sender in fact sent the message
• When a message is received, the sender can prove that the alleged receiver in fact received the message
• A shared-key MAC cannot provide this: either holder of the key can compute a valid tag, so nonrepudiation needs a digital signature whose private key only one party holds
Security Mechanisms

• Security mechanisms are used to provide and support security services
• Two types of mechanisms:
• Specific Security Mechanisms – used to provide specific security services
• Pervasive Security Mechanisms – not specific to a particular service
Specific Security Mechanisms

• Encryption - encryption or cipher algorithms that provide data confidentiality
• Digital signature - signing, verification, non-repudiation, origin authentication and data integrity
• Access control mechanisms - controlling access to resources
• Data integrity mechanisms - provide data integrity and origin authentication services
• Authentication exchanges - entity authentication
• Traffic padding - inserting padding into the data stream so that message sizes and gaps do not reveal anything to traffic analysis (traffic-flow confidentiality)
• Routing control - providing secure channels for routing data
• Notarization - using a notary or a cryptographic transformation to guarantee data integrity
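Traffic padding as listed above, and the traffic-analysis attack it counters (Passive Attacks and the traffic-flow part of Data Confidentiality), in working code. This is an added example, not code from the slides: the cipher is a length-preserving stand-in (XOR with a random keystream, which is how a stream cipher or AES-CTR behaves with respect to length), and the command vocabulary and the bucket size are constructed for the demonstration.

```python
# Added example (not from the slides): why message length alone leaks information
# (traffic analysis, a passive attack) and how traffic padding removes the leak.
# The "encryption" is a length-preserving stand-in for a stream cipher; the message
# set and the bucket size are constructed for this demo.
import secrets
from collections import defaultdict

# A fixed vocabulary an eavesdropper can guess, e.g. the commands of a public protocol.
KNOWN_MESSAGES = [b"YES", b"NO", b"ABORT", b"TRANSFER 1000000"]


def encrypt_length_preserving(msg: bytes) -> bytes:
    """Stand-in for a cipher that hides content but not length (XOR with a random keystream)."""
    return bytes(a ^ b for a, b in zip(msg, secrets.token_bytes(len(msg))))


def length_table(known: list) -> dict:
    """The eavesdropper's table: ciphertext length -> candidate plaintexts."""
    table = defaultdict(list)
    for m in known:
        table[len(m)].append(m)
    return table


def guess_from_ciphertext(ct: bytes, known: list) -> list:
    """Passive attacker: returns every known plaintext consistent with the observed length."""
    return length_table(known).get(len(ct), [])


def pad_to_bucket(msg: bytes, bucket: int) -> bytes:
    """Traffic padding: 2-byte length prefix, then random filler up to a multiple of `bucket`.
    Random filler (not zeros) matters because the padding is encrypted together with the
    data and must not hand the attacker a known-plaintext region."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too long for a 2-byte length prefix")
    body = len(msg).to_bytes(2, "big") + msg
    fill = (-len(body)) % bucket
    return body + secrets.token_bytes(fill)


def unpad(padded: bytes) -> bytes:
    """Receiver side: the length prefix tells it where the real message ends."""
    n = int.from_bytes(padded[:2], "big")
    return padded[2:2 + n]


def distinct_lengths(messages: list, bucket: int = 0) -> int:
    """How many distinct ciphertext sizes the eavesdropper can observe for this message set;
    with bucket=0 no padding is applied."""
    sizes = set()
    for m in messages:
        wire = pad_to_bucket(m, bucket) if bucket else m
        sizes.add(len(encrypt_length_preserving(wire)))
    return len(sizes)


if __name__ == "__main__":
    ct = encrypt_length_preserving(b"ABORT")
    print("attacker's guess from length alone:", guess_from_ciphertext(ct, KNOWN_MESSAGES))
    print("observable sizes without padding:", distinct_lengths(KNOWN_MESSAGES))
    print("observable sizes with 32-byte buckets:", distinct_lengths(KNOWN_MESSAGES, 32))
```

Padding only hides length within a bucket; the frequency and timing of messages, which the Data Confidentiality slide also lists, still leak unless dummy traffic is sent as well, and every bucket boundary that a real message set crosses is one bit the attacker gets back.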
Pervasive Security Mechanisms

• Trusted Functionality
• Any functionality (software or hardware) providing or accessing security mechanisms should be trustworthy
• Security Labels
• Using security labels with any kind of resource, e.g. stored data, to indicate that it is security sensitive
• Could also be associated with user data
• Event detection
• Used to detect violations or legal security-related activity
• Could be used to trigger security alarms or event logging
• Security audit trail
• Log of past security-related events
• Security Recovery
• Mechanisms to handle requests to recover from security failures
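The Access Control service and the pervasive mechanisms above (security labels, event detection, audit trail), combined in one small mechanism. This is an added example, not code from the slides: an entity is authenticated before any right is evaluated, resources carry an ordered sensitivity label that the subject's clearance must dominate, the decision is deny-by-default, and every decision goes to an audit trail from which a failure-count alarm is derived. The users, passwords, labels, resource table and the alarm threshold are all constructed for the demonstration; the salted SHA-256 credential store stands in for a proper password hash such as scrypt or Argon2.

```python
# Added example (not from the slides): an access-control mechanism that ties together
# authentication-before-authorization, security labels, deny-by-default, an audit
# trail and event detection. Users, passwords, labels and resources are constructed.
import hashlib
import hmac
import secrets

# Ordered sensitivity labels; a subject may read an object whose label it dominates.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


def _hash(password: str, salt: bytes) -> bytes:
    """Stand-in credential hash; a real system would use scrypt/Argon2 here."""
    return hashlib.sha256(salt + password.encode()).digest()


_SALT = secrets.token_bytes(16)
USERS = {
    "alice": {"pw": _hash("correct horse", _SALT), "clearance": "confidential"},
    "bob":   {"pw": _hash("hunter2", _SALT),       "clearance": "internal"},
}
RESOURCES = {
    "/wiki/faq":    {"label": "public",       "acl": {"alice", "bob"}},
    "/hr/salaries": {"label": "confidential", "acl": {"alice"}},
    "/eng/roadmap": {"label": "internal",     "acl": {"alice", "bob"}},
    "/eng/secrets": {"label": "confidential", "acl": {"alice", "bob"}},  # bob is on the ACL but under-cleared
}

AUDIT_TRAIL = []   # security audit trail: append-only list of decision records


def _log(event: str, **fields) -> dict:
    entry = {"event": event, **fields}
    AUDIT_TRAIL.append(entry)
    return entry


def authenticate(user: str, password: str) -> bool:
    """Entity authentication; compare_digest keeps the comparison constant-time."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["pw"], _hash(password, _SALT)):
        _log("auth_failure", user=user)
        return False
    _log("auth_success", user=user)
    return True


def authorize(user: str, password: str, resource: str) -> bool:
    """Deny by default: the only path to True passes authentication, ACL and label checks."""
    if not authenticate(user, password):
        return False                      # an unidentified entity gets no rights at all
    res = RESOURCES.get(resource)
    if res is None:
        _log("access_denied", user=user, resource=resource, reason="no such resource")
        return False
    if user not in res["acl"]:
        _log("access_denied", user=user, resource=resource, reason="not on acl")
        return False
    if LEVELS[USERS[user]["clearance"]] < LEVELS[res["label"]]:
        _log("access_denied", user=user, resource=resource, reason="label exceeds clearance")
        return False
    _log("access_granted", user=user, resource=resource)
    return True


def alarm_for(user: str, threshold: int = 3) -> bool:
    """Event detection over the audit trail: alarm once a user accumulates `threshold` failures."""
    failures = sum(1 for e in AUDIT_TRAIL
                   if e["user"] == user and e["event"] in ("auth_failure", "access_denied"))
    return failures >= threshold


if __name__ == "__main__":
    print(authorize("alice", "correct horse", "/hr/salaries"))   # True
    print(authorize("bob", "hunter2", "/eng/secrets"))            # False: label exceeds clearance
    for entry in AUDIT_TRAIL:
        print(entry)
```

The label check runs after the ACL check on purpose: an ACL entry says an administrator granted the right, the label says whether the system will honour it, and the audit entry records which of the two refused so that the reason is traceable to the entity and the rule.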
Model for Network Security
Designing a security service

• Includes four basic tasks:
• Design a strong algorithm for performing the security-related transformation (in practice, select a vetted standard algorithm rather than inventing one)
• Generate the secret information to be used with the algorithm
• Develop methods for distribution and sharing of the secret information
• Specify the protocol to be used by both sender and receiver, which makes use of the security algorithm and the secret information and achieves the security service
Network Access Security Model
Unwanted Access

• Placement in a computer system of logic that exploits vulnerabilities in the system and that can affect application programs as well as utility programs such as editors and compilers
• Programs can present two kinds of threats:
• Information access threats
• Intercept or modify data on behalf of users who should not have access to that data
• Service threats
• Exploit service flaws in computers to inhibit use by legitimate users
Summary

• Computer security concepts
• Definition
• Examples
• Challenges
• The OSI security architecture
• Security attacks
• Passive attacks
• Active attacks
• Security services
• Authentication
• Access control
• Data confidentiality
• Data integrity
• Nonrepudiation
• Availability service
• Security mechanisms
Class Activity 1

• Please classify each of the following as a violation of confidentiality, integrity, availability, authenticity, or some combination of these:
• John copies Mary’s homework.
• Paul crashes Linda’s system.
• Gina forges Roger’s signature on a deed.