CRYPTOGRAPHY

AND
NETWORK SECURITY

1
 Network Security
• This is the age of universal electronic connectivity, where
activities like hacking, viruses, electronic fraud are very
common.
• Unless security measures are taken, a network conversation or a
distributed application can be compromised easily.
• Some simple examples are:
– Online purchases using a credit/debit card.
– A customer unknowingly being directed to a false website.
– A hacker sending a message to a person pretending to be
someone else
2
 Definitions
• Computer Security - generic name for the collection of
tools designed to protect data over a device and to thwart
(prevent) hackers.

• Network Security - measures to protect data during

their transmission.

• Internet Security - measures to protect data during their

transmission over a collection of interconnected
networks.
3
4
Confidentiality

Confidentiality is probably the most common aspect of

information security. We need to protect our confidential
information. An organization needs to guard against those
malicious actions that endanger the confidentiality of its
information.
5
 Integrity

Information needs to be changed constantly. Integrity means

that changes need to be done only by authorized entities and
through authorized mechanisms.

6
Availability

The information created and stored by an organization

needs to be available to authorized entities. Information
needs to be constantly changed, which means it must be
accessible to authorized entities.

7
 The OSI Security Architecture
• ITU-T (The International Telecommunication Union (ITU)
Telecommunication) Recommended X.800, Security
Architecture for OSI, defines a systematic approach for
defining the requirements for security and characterizing the
approaches to satisfy those requirements.

• The OSI security architecture focuses on

1. Security Attacks

2. Security Mechanisms

3. Security Services 8
 Security Attacks
• Security Attack: Any action that compromises the
security of information.

• A useful means of classifying security attacks, used

both in X.800 and RFC 2828, is in terms of passive
attacks and active attacks
➢ A passive attack attempts to learn or make use
of information from the system but does not
affect system resources.
➢ An active attack attempts to alter system
resources or affect their operation.
9
 Passive Attacks
Passive attacks are in the nature of eavesdropping on, or monitoring of,
transmissions.
• Passive attacks are very difficult to detect because they do not
involve any alteration of the data.
• Typically, the message traffic is sent and received in an
apparently(seeming) normal fashion and neither the sender nor
receiver is aware that a third party has read the messages or observed
the traffic pattern
• Two types of passive attacks are
1. Release of message contents
2. Traffic analysis
10
 Passive Attacks
• The release of message contents is easily understood

– A telephone conversation, an electronic mail

message, and a transferred file may contain
sensitive or confidential information, which may be
known to a third party.

• We would like to prevent an opponent from learning

the contents of these transmissions.

11
 Passive Attacks
• Traffic analysis: Masking the contents of messages or other information
traffic so that opponents, even if they captured the message, could not extract the
information from the message. The common technique for masking contents is
encryption.

• If we had encryption protection in place, an opponent might still be

able to observe the pattern of these messages. The opponent
could determine the location and identity of communicating
hosts and could observe the frequency and length of messages
being exchanged.

• This information might be useful in guessing the nature of the

communication that was taking place. 12
 Active attacks
• Active attacks involve some modification of the data
stream or the creation of a false stream and can be
subdivided into four categories:

1. Masquerade

2. Replay

3. Modification of messages

4. Denial of service.

13
 Active attacks
Masquerade:
• A masquerade takes place when one entity pretends to
be a different entity.
• For example, authentication sequences can be captured
and replayed after a valid authentication sequence has
taken place, thus enabling an authorized entity with few
privileges to obtain extra privileges by impersonating an
entity that has those privileges.

14
Active attacks

15
 Active attacks
Replay involves the passive capture of a data unit and its
subsequent retransmission to produce an unauthorized
effect.

16
 Active attacks

Modification of messages simply means that

some portion of a legitimate message is altered,
or that messages are delayed or reordered, to
produce an unauthorized effect.

17
Active attacks

18
 Active attacks
• The denial of service prevents or inhibits (slows down) the
normal use or management of communications facilities.

• This attack may have a specific target; for example, an entity

may suppress all messages directed to a particular destination
(e.g., the security audit service).

• Another form of service denial is the disruption of an entire

network, either by disabling the network or by overloading
it with messages so as to degrade performance.
19
Active attacks

20
 Security Mechanisms
A mechanism is a method that is designed to detect, prevent, or
recover from a security attack.

21
 Security Mechanisms

◼ Encipherment: It refers to the process of applying

mathematical algorithms for converting data into a
form that is not intelligible. This depends on algorithm
used and encryption keys.

◼ Data Integrity: A variety of mechanisms used to

assure the integrity of a data unit or stream of data
units.

22
 Security Mechanisms
◼ Digital Signature: The appended data or a
cryptographic transformation applied to any data unit
allowing to prove the source and integrity of the data
unit and protect against forgery.

◼ Authentication Exchange: A mechanism intended to

ensure the identity of an entity by means of information
exchange.

◼ Traffic Padding: The insertion of bits into gaps in a

data stream to frustrate traffic analysis attempts. 23
 Security Mechanisms

◼ Routing Control: Enables selection of particular

physically secure routes for certain data and allows
routing changes once a breach of security is suspected.

◼ Notarization: The use of a trusted third party to assure

certain properties of a data exchange

◼ Access Control: A variety of techniques used for

enforcing access permissions to the system resources.
24
 Security Services
• A service is one that enhances the security of data processing
systems and information transfers of an organization.

• The services are intended to counter security attacks, and they

make use of one or more security mechanisms.

• X.800 divides these services into five categories

1. Authentication (who has created or has sent the data)
2. Access control (prevent misuse of resources)
3. Data Confidentiality (privacy)
4. Data Integrity (has not been altered)
5. Non-repudiation (the order is final) 25
 Security Services
• Authentication: Assurance that the communicating
entity is the one claimed
• Access Control: Prevention of the unauthorized use of a
resource
• Data Confidentiality: Protection of data from
unauthorized disclosure
• Data Integrity: Assurance that data received is as sent
by an authorized entity
• Non-Repudiation: Protection against denial by one of
the parties in a communication

26
Relation between Services and Mechanisms

27
 Model for Network Security
• Data is transmitted over network between two
communicating parties, who must cooperate for the
exchange to take place.
• A logical information channel is established by
defining a route through the internet from source to
destination by use of communication protocols by the
two parties.
• Whenever an opponent presents a threat to
confidentiality, authenticity of information, security
aspects come into play.
28
Model for Network Security

29
 Model for Network Security
• Two components are present in almost all the security
providing techniques.
1. A security-related transformation on the information to
be sent making it unreadable by the opponent, and the
addition of a code based on the contents of the message,
used to verify the identity of sender.
2. Some secret information shared by the two principals
and, it is hoped, unknown to the opponent. An example is an
encryption key used in conjunction with the transformation
to scramble the message before transmission and
unscramble it on reception. 30
 Model for Network Security
• A trusted third party may be needed to achieve secure
transmission.

• It is responsible for distributing the secret information

to the two parties, while keeping it away from any
opponent.

• It also may be needed to settle disputes (difference of

opinions) between the two parties regarding
authenticity of a message transmission.
31
 Model for Network Security
• The general model shows that there are four basic tasks
in designing a particular security service:
1. Design an algorithm for performing the security-related
transformation. The algorithm should be such that an
opponent cannot defeat its purpose
2. Generate the secret information to be used with the
algorithm (The Key)
3. Develop methods for the distribution and sharing of the
secret information
4. Specify a protocol to be used by the two principals that
makes use of the security algorithm and the secret
information to achieve a particular security service 32
 Model for Network Security
• Various other threats to information system like
unwanted access still exist. The existence of hackers
attempting to penetrate systems accessible over a network
remains a concern.
• Another threat is placement of some logic in computer
system affecting various applications and utility programs.
This inserted code presents two kinds of threats.
– Information access threats that intercept or modify data
on behalf of users who should not have access to that
data
– Service threats exploit service flaws in computers to
inhibit use by legitimate users
33
 Model for Network Security
• Viruses and worms are two examples of software attacks
inserted into the system by means of a disk or also across the
network.
• The security mechanisms needed to cope with unwanted
access fall into two broad categories:
– Placing a gatekeeper function, which includes a password-based
login methods that provide access to only authorized users and
screening logic to detect and reject worms, viruses etc
– An internal control, monitoring the internal system activities,
analyzes the stored information and detects the presence of
unauthorized users or intruders. 34
Model for Network Security

35
 Methods of Defense
• Encryption
• Software Controls (access limitations in a data base.
In operating systems, protect each user from other
users)
• Hardware Controls (smartcard)
• Policies (frequent changes of passwords)
• Physical Controls

36
 Internet standards and RFCs
(Request For Comments)

• The Internet society

– Internet Architecture Board (IAB)
– Internet Engineering Task Force (IETF)
– Internet Engineering Steering Group (IESG)

37
Internet RFC Publication Process

38
 SECURITY GOALS - Recall

• There are three security goals in internet security

environment.
1. Confidentiality
2. Integrity
3. Availability
 Taxonomy of Attacks in relation with
Security Goals

1.40