Information and Network Security
Introduction
Objectives
• To define three security goals
• To define security attacks that threaten security goals
• To define security services and how they are related to the three security goals
• To define security mechanisms to provide security services
• To introduce two techniques, cryptography and steganography, to implement security mechanisms
Background
• Information security requirements have changed in recent times
• Traditionally provided by physical and administrative mechanisms
• Computer use requires automated tools to protect files and other stored information
• The use of networks and communications links requires measures to protect data during transmission
Definitions
Computer Security - generic name for the
collection of tools designed to protect data
and to thwart hackers
Network Security - measures to protect
data during their transmission over a
computer network
Internet Security - measures to protect
data during their transmission over a
collection of interconnected networks
• A security vulnerability is a flaw or
weakness in a system’s design,
implementation, or operation that could be
exploited to violate the system’s security
(RFC 2828). A security vulnerability is not a
risk, a threat, or an attack
• Security threat: a potential violation of
security, which can be active (when the
state of a system can be changed) or passive
(unauthorized disclosure of information
without changing the state of the system).
• A security risk originates when a security
vulnerability is combined with a security
threat.
• For example, an overflow bug in an
operating system application (i.e., a
vulnerability) combined with a hacker’s
knowledge, appropriate tools, and access
(i.e., a threat) can give rise to the risk of a
web server attack. Consequences of
security risks are data loss, data
corruption, privacy loss, fraud, downtime,
and loss of public confidence.
• Security attack: Any action that
compromises the security of information
[Figure: the three security goals: confidentiality, integrity, availability]
1-1 SECURITY GOALS
Confidentiality– Can you keep a secret? Specifies that only
the sender and the intended recipients should be able to access
the content of a message. Confidentiality gets compromised if
an unauthorized person can access a message. This type of
attack is called an interception.
Integrity – Did you get the message I sent? When the
message's contents are changed after the sender sends it but
before it reaches the intended recipient, we say the Integrity of
the message is lost. This type of attack is called modification.
Availability – Are you there when needed?
The principle of availability states that resources
(i.e., information) should be available to authorized
parties at all times.
For example, due to the intentional actions of
another unauthorized user, C , an authorized user
A may not be able to contact server computer B.
This would defeat the principle of availability; such
an attack is called an interruption.
1.2 Security Attacks
1. Passive Attacks: this is like eavesdropping on or
monitoring transmissions. The goal of the opponent
is to obtain information that is being transmitted.
2. Active attacks: involve some modification of the
data stream or the creation of a false stream.
• Active attacks present the opposite characteristics of
passive attacks. Whereas passive attacks are difficult to
detect, measures are available to prevent their success.
• On the other hand, it is difficult to prevent active attacks
because of the wide variety of potential physical,
software, and network vulnerabilities.
• Instead, the goal is to detect active attacks and to
recover from any disruption or delays caused by them.
The three goals of security (confidentiality, integrity, and
availability) can be threatened by security attacks.
[Figure: Snooping]
[Fig. 2: Replay]
1.2.3 Attacks Threatening Availability
Denial of service (DoS) is a very common attack. It may
slow down or totally interrupt the service of a system.
The International Telecommunication Union
(ITU) is a specialized agency of the United
Nations (UN) that is responsible for issues that
concern information and communication
technologies (ICTs).
Security services refer to a broad range of measures, protocols, and
mechanisms designed to ensure the confidentiality, integrity, availability,
and resilience of information systems and data.
These services protect information assets from threats, such as
unauthorized access, theft, damage, and disruption.
Security services can be classified into various categories, each addressing
specific security needs and objectives, such as:
Authentication, authorization, confidentiality, integrity, availability, non-
repudiation, and privacy.
• Enhance security of data processing systems and information transfers of an organization
• Intended to counter security attacks
• Using one or more security mechanisms
• Often replicates functions normally associated with physical documents
X.800:
“a service provided by a protocol layer of
communicating open systems, which ensures
adequate security of the systems or of data
transfers”
RFC 2828:
“a processing or communication service
provided by a system to give a specific kind of
protection to system resources”
1.3.2 Security Services X.800
Authentication - assurance that the communicating entity is
the one claimed
Access Control - prevention of the unauthorized use of a
resource
Data Confidentiality - protection of data from unauthorized
disclosure
Data Integrity - assurance that data received is as sent by an
authorized entity
Non-Repudiation - protection against denial by one of the
parties in a communication
• Access control: rules and policies that limit access to confidential
information to those people and/or systems with a “need to
know.”
– This need to know may be determined by identity, such as a
person’s name or a computer’s serial number, or by a role that
a person has, such as being a manager or a computer security
specialist.
• Authentication: the determination of the identity or role that someone
has. This determination can be done in a number of different ways, but
it is usually based on a combination of
– something the person has (like a smart card or a radio key fob storing secret
keys),
– something the person knows (like a password),
– something the person is (like a human with a fingerprint).
[Figure: authentication factors. Something you are: human with fingers and eyes. Something you know: password=ucIb()w1V, mother=Jones, pet=Caesar. Something you have: radio token with secret keys.]
• Authorization: determining whether a person or system is
allowed access to resources based on an access control policy.
– Such authorizations should prevent an attacker from tricking the
system into letting him have access to protected resources.
• Physical security: establishing physical barriers to limit
access to protected computational resources.
– Such barriers include locks on cabinets and doors, the placement of
computers in windowless rooms, the use of sound-dampening
materials, and even the construction of buildings or rooms with
walls incorporating copper meshes (called Faraday cages) so that
electromagnetic signals cannot enter or exit the enclosure.
1.3.3 Security Mechanism
• Encipherment: hiding or covering data can provide confidentiality
using two techniques: cryptography and steganography.
• Data integrity: appends to the data a short check value created by
a specific process from the data itself.
• Digital signature: the sender can electronically sign the data, and
the receiver can verify the signature.
• Authentication exchange: two entities exchange some message to
prove their identity to each other.
• Traffic Padding: inserting some bogus data into the traffic to thwart
the adversary’s attempt to use traffic analysis.
• Routing control: selecting and continuously changing different
routes between the sender and the receiver.
• Notarization: selecting a trusted third party to control the
communication between two entities (to prevent repudiation).
• Access control: uses a method to prove that the user has the right
to access the data or resources owned by the system (PINs or
passwords).
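The data integrity mechanism above, worked through as an added example (not part of the original slides). It goes one step beyond the slide by comparing an unkeyed check value (SHA-256) with a keyed one (HMAC-SHA-256) against the modification attack from Section 1-1; the function names and sample messages are constructed for illustration.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # SHA-256 output size in bytes


def append_digest(data: bytes) -> bytes:
    """Unkeyed check value: data || SHA-256(data)."""
    return data + hashlib.sha256(data).digest()


def verify_digest(packet: bytes) -> bool:
    data, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return hmac.compare_digest(hashlib.sha256(data).digest(), tag)


def append_mac(key: bytes, data: bytes) -> bytes:
    """Keyed check value: data || HMAC-SHA-256(key, data)."""
    return data + hmac.new(key, data, hashlib.sha256).digest()


def verify_mac(key: bytes, packet: bytes) -> bool:
    if len(packet) < TAG_LEN:
        return False
    data, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), tag)


def demo() -> dict:
    key = secrets.token_bytes(32)    # known to sender and receiver only
    original = b"PAY 100 TO ALICE"   # constructed sample message
    altered = b"PAY 900 TO ALICE"    # the same message after modification in transit

    # Data changed, old check value left in place: the mismatch is detected.
    stale = altered + append_digest(original)[-TAG_LEN:]
    # Anyone who can alter the data can also recompute an unkeyed digest,
    # so the receiver's check passes on the altered message.
    recomputed = append_digest(altered)
    # A keyed check value cannot be recomputed without the key; reusing the
    # old tag on the altered data fails verification.
    forged = altered + append_mac(key, original)[-TAG_LEN:]

    return {
        "digest_genuine": verify_digest(append_digest(original)),
        "digest_stale_tag": verify_digest(stale),
        "digest_recomputed": verify_digest(recomputed),
        "mac_genuine": verify_mac(key, append_mac(key, original)),
        "mac_forged": verify_mac(key, forged),
    }
```

An unkeyed check value only catches changes made by someone who does not also update the check value; integrity against a deliberate modification needs a secret in the check (a MAC) or a digital signature.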
1.3.3 Relation between Services and Mechanisms
The term "encipherment" refers to the process of converting
plaintext into ciphertext using an algorithm and a key. This
process is a fundamental aspect of cryptography, aimed at
ensuring the confidentiality of information.
1.4 TECHNIQUES
Mechanisms discussed in the previous sections are only
theoretical recipes to implement security. The actual
implementation of security goals needs some
techniques. Two techniques are prevalent today:
cryptography and steganography.
1.4.1 Cryptography
Cryptography, a word with Greek origins, means “secret
writing.” However, we use the term to refer to the science
and art of transforming messages to make them secure and
immune to attacks.
• Encryption: the transformation of information using a secret, called an
encryption key, so that the transformed information can only be read using
another secret, called the decryption key (which may, in some cases, be the
same as the encryption key).
• Usually used to provide confidentiality.
[Figure: the sender encrypts plaintext with a shared secret key; the ciphertext crosses the communication channel, where an attacker may eavesdrop; the recipient decrypts it back to plaintext with the same shared secret key.]
1.4.2 Steganography
• The word steganography, with origin in Greek, means “covered writing,” in contrast
with cryptography, which means “secret writing.”
• It involves embedding data within other, non-secret, files or media
in such a way that no one apart from the intended recipient knows
of the existence of the hidden information.
Example: covering data with text
• Least Significant Bit (LSB) Insertion: In the context of digital images, this
technique involves modifying the least significant bits of the pixel values to
embed secret information without significantly altering the image's
appearance to the human eye.
• Masking and Filtering: These methods are typically used in more robust
forms of steganography, like hiding information within images by using
specific areas that can be more significantly altered without drawing
attention.
• Other options: audio, video and protocol
[Figure: hiding data and extracting data]
1.5.1 Data Transfer
Model for Network Security
Using this model requires us to:
1. design a suitable algorithm for the security
transformation
2. generate the secret information (keys) used
by the algorithm
3. develop methods to distribute and share the
secret information
4. specify a protocol enabling the principals to
use the transformation and secret
information for a security service
1.5.2 Model for Network Access Security
Using this model requires us to:
1. select appropriate gatekeeper functions to
identify users
2. implement security controls to ensure only
authorised users access designated information
or resources