Attacks on Computers ~.

nd
Computer Security

S).433
1.1 Introduction
This is a book on networlc and Internet security. Before we understand _the various co~cepts and ~hnical issues
related to security (i.e. trying to understand h9w to protect), it is essential .to know whg,t we are trying to
protect. The various dangers when we use comp~ters, corp.p_ut~r networ,ks and the bigg~st networ~ of
them all, the Internet and the likely pitfalls. The consequ~nces of not seting, up the right security policies,
framework and technology implementations. This chapter-attempts to clarify these basic concepts.
We start with a discussion of the basic question: Why is security required in the first place? People
sometimes say that security is like statistics: the extent -of data it reveals is trivial, the extent of data-it
[ conceals is vital! In other words, the right security infrastructure opens up just enough doors that are
1 mandatory. It protects everything else. We discuss a few real-life incidents that should prove beyond
doubt that security cannot simply be compromised. Especially these days when serious business and
?ther types of ~ansaction~ are ~ing ~onducted over t~e Internet to s~ch_a large e~tent, inadeq~ate or
I improper secunty mecharusms can bnng the whole busmess down or play havoc with people's lives!
I We then discuss the key principles of security. These principles help us identify the various areas,
l which are crucial while determining the security threats and possible solutions to tackle them. Since
1 electronic documents and messages are now becoming equivalent to paper documents in terms of their
1
legal validity and binding, we examine the various implications in this regard.
I This is followed by a discussion of the types of attacks. There are certain theoretical concepts
I associated with attacks and there is a practical side to it as well. We shall discuss all these aspects.
FinaIIy, we discuss some modem security problems. This will pave the way for further discussions of
network and Internet security concepts.

1.2 The Need for Security

1.2.1 Basic Concepts
Most initial computer applications had no or at best, very little security. This continued for a number of
Years until the importance of data was truly realized. Until then, computer data was considered to be
 Cryptography and Network Security

useful, but not something to be protected. When computer applications were developed to handle
financial and personal data, the real need for security was feh like never before. People realized that data
on compute_rs was an extremely important aspect of modem life. Therefore, various areas in security
began to gam prominence. Two typical examples of such security mechanisms were as follows:
• Provide a user id and password to every user and use that information to authenticate a user
• Encode information stored in the databases in some fashion so that it is not visible to users who do
not have the right permissions
Organizations empl~yed their own mechanisms in order to provide for these kinds of basic security
mechanisms. As technology improved, the communication infrastructure became extremely mature and,
newer and newer applications began to be developed for various user deman~s and needs. Soon, people
realized that the basic security measures were not quite enough. •
Furthermore, the Internet took the world by storm and there were many examples of what could
happen if th~ e was insufficient security built in applications developed for the Internet. Figure 1.1
shows such an example of wpllJ.~lf! }yle»en when you use your credit card for making purchases over the
Internet. From the user's conipufe1e tAe(iser details such as user id, order details such as order id and item
id, and payment details such as credit card information travel across the Internet to the server (i.e. to the
merchant's computer). The merchant's server stores these details in-its database.
There are various security holes here. First of all, an intruder can capture the credit carq details as they
travel from the client to the server. If we somehow protect this transit from an intruder's attack, it still
does not so)ve our problem. Once the merchant receives the credit card details and validates them so as
to process the order and later obtain payments, the merchant stores the credit card details into its
database. Now, an attacker can simply succeed in accessing this database and gain access to all the credit

Customer Id: 78910

B I I
Order Id: 90
Item Id: 156 s~nier
Credit Card Number:
1234567890
Issued By: Visa
Valid Till: Jan 2006

Server
Database

I- Fig. 1.1 Example of information traveling from a client to a server over the Internet
_ _ _ _ _ _ __ _ ____:A~tta~c~ks~o~n~C~omputers and Computer Security 3

card numbers stored therein' One Rus · tt k ,,:· ,

merchant Internet site and ~btained 3~1;~~0 ac e~ (called as Maxim) ac~ually managed to intrude into a
extortion by demandin t . ' credit card numbers from its database. He then attempted
g pro ectlon money ($100 000) f th h
oblige Following this th tt k bl. ' rom e mere ant. The merchant refused to
Some banks reissued ~l t~ a a~_er p~ ished about 25,000 of the credit card numbers on the Internet!
about unusual entn·es i·n the. ere it car s at a cost of $20 per card and others forewarned their customers
eir statements.
• tak
Such$attacks could
· obviously lead t0 great 1osses - both m · terms of finance and goodwill Generally
itf ehs 20 to rekp_1ace a credit card. Therefore, if a bank has to replace 3 00 000 such cards th.e total cost'
o . sue an d 1s about $6 fill·trion! How mce
d hattac · it· would have been, if the
' 'merchant in the' example just
d1scusse a emp1oyed proper security measures! .
Of course, this was just o~e e_xample. Sev_eral such cases have been reported in the last few months
~d ~e need for prop_er secunty 1s be1~g felt ~ncreasingly with every such attack. In another example of
this, m 1999,
· all d a Swedish hacker broke mto Microsoft's Hotmail Web site and created a m,rr 11...__or s1·te. Thi s
site owe anyone to enter any Hotmail user's email id and read her emails!
In 2005 as independent survey was conducted to invite people's opinions about the losses that occur
due to s_uccessful attacks on security. The survey pegged the losses at an average of $455,848,000. Next
year, this figure reduced to $201,757,340!

1.2.2 Modem Nature of Attacks

If we attempt to demystify technology, we would realize that computer-based systems are not all that
different from what happens in the real world. Differences in computer-based systems are mainly due to
the speed at which things happen and the accuracy that we get, as compared to the traditional world.
We can highlight a few salient features of the modem nature of attacks, as follows:
• Automating attacks The speed of computers make several attacks worthwhile. For example. in the
real world, suppose that someone manages to create a machine that can produce counterfeit coins Would
that not bother authorities? It certainly would. Howe".er, producing so many coins on a mass scale may
not be that much economical compared to the return on that investment! How many such coins would
the attacker be able to get into the market so rapidly? '.fhis is quite different with computers. They are
quite efficient and happy in doing routine, mundane and repetitive tasks. For example, they would excel
in ,somehow stealing a very low amount (say half a dollar or Rupees 20) from a million bank accounts irt
a matter of a few minutes. This would give the attacker a half million dollars possibly without any major
complaints! This is shown in Fig. 1.2.
The morale of the story is:
Humans dislike mundane and repetitive tasks. Automating_ them can cause destruction or
nuisance quite rapidly.
• Privacy concerns Collecting information about people and later (mis)using it is turning out to be a
huge problem, these days. Toe so called data mining applic_ali_ons gather, process and tabulate all sorts of
details about individuals. People can then illegally sell this mformauon. For example, companies like
Experian (formerly TRW), TransUnion and Equifax maintain credit history of individuals in the USA.
Similar trends are seen in the rest of the world. These companies have volumes of infonnation about a
majority of citizens of that country. These companies can collect, collate, P?lish and format all sorts ~f
information to whosoever is ready to pay for that data! Examples of informauon that can come out of this
 ::___ Cn;ptography
4 ____________ __':-:__;zJ_".:'.:'.,~ C ~and Network Securiti; - - -- - -- - - - - ---
'.:..:....:.:.::.:.=:::...:.::__:._:._:..:.:.;.~-

Traditional attack: Produce coins LiSing some machinery and bring them into circulation.

•••••••••
Modern attack: Steal half a dollar from million accounts in a few minutes time digitally.

I- Fig. 1.2 The changing nature of attacks due to automation

are: which store the person buys more from, which restaurant she eats in, where she goes for vacations
frequently and so on! Every company (e.g. shopkeepers, banks, airlines, insurers) are collecting and
processing a mind-boggling amount of information about us, without we realizing when and how it is
going to be used.
• Distance does not matter Thieves would earlier attack banks, because banks had money. Banks do
not have money today! Money is in digital form inside computers and moves around by using computer
networks. Therefore, a modem thief would perhaps not like to wear a mask and attempt a robbery!
Instead, it is far easier and cheaper to attempt an attack on the computer systems of the bank, ·sitting at
home! It may be far prudent for the attacker to break into the bank's servers or steal credit card/ATM
information from the comforts of her home or place of work. This is illustrated in Fig. 1.3.
In 1995, a Russian hacker broke into Citibank's computers remotely, stealing$ 12 million. Although
the attacker was traced, it was very difficult to get him extradited for the court case.

1.3 Security Approaches

1.3.1 Trusted Systems

A trusted system is a computer system that can be trusted to a specified extent to enforce a
specified security policy.

Trusted systems were initially of primary interest to the military. However, these days, the concept has
spanned across various areas, most prominently in the banking and financial community, but the concept
never caught on. Trusted systems often use the term reference monitor. This is an entity that is at the
 Attacks on Computers and Computer Security 5

Attacker

t Analog signal

,J

modem

Digital signal
Analog signal
+
nJL +

niodem

t
Bank

I- Fig. 1.3 Attacks can now be launched from a distance

logical heart of the computer system. It is m.i.inly responsible for all the decisions related to access
controls. Naturally, following are the expectations from the reference monitor:
(a) It should be tamperproof
(b) It should always be invoked
(c) It should be small enough so that it can be independently tested
 -
In their 1983 Orange Book (also called as the Tmsted Computer System Evaluation Criteria
(TCSEC)) , the National Security Agency (NSA) of the US Government defined a set of evaluation
classes. These described the features and assurances that the user could expect from a truS ted syS tem.
The highest levels of assurance were provided by significant efforts directed towards reduc~ion _of the
size of the trusted computing base or TCB. In this context, TCB was defined as _a com?i_natmn of
hardware, software and firmware responsible for enforcing the system's security pohcy. ~~rumum the
TCB, higher is assurance. However, this raises an inherent problem (quite similar to the dec1S1ons related
to the designing of operating systems). If we make the TCB as small as possible, the surrounding
hardware, software and firmware is likely to be quite big!
The mathematical foundation for trusted systems was provided by two relatively independent yet
interrelated works. In the year 1974, David Bell and Leonard LaPadula of MITRE devised a technique
called as the Bell-LaPadula model. In this model, a highly trustworthy computer system is designed_as
a collection of objects and subjects. Objects are passive repositories or destinations for data, such as
files, disks, printers, etc. Subjects are active entities, such as users, processes or threads operating on
behalf of those users. Subjects cause infonnation to flow among objects.
Around the same time, Dorothy Denning at Purdue University was preparing for her doctorate. It
dealt with lattice-based information flows in computer-systems. A mathematical lattice is a partially
ordered set, in which the relationship between any two vertices is either dominates, is dominated by or
neither. She devised a generalized notion of labels - similar to the full security markings on classified
military documents. Examples of this are TOP SECRET.
Later, Bell and LaPadula integrated Denning's theory into their MITRE technical report, which was
titled Secure Computer System: Unified Exposition and Multics Interpretation. Here, labels attached to
objects represented the sensitivity of data contained within the object. Interestingly, the Bell-LaPadula
model talks only about confidentiality or secrecy of infonnation. It does not talk about the problem of
integrity of infonnation.

1.3.2 Security Models

An organization can take several approaches to implement its security model. Let us summarize these
approaches.
• No security In this simplest case, the approach could be a decision to implement no security at all.
• Security through obscurity In this model, a system is secure simply because nobody knows about
its existence and contents. This approach cannot work for too long, as there are many ways an attacker
can come to know about it.
• Host security In this scheme, the security for each host is enforced individually. This is a very safe
approach, but the trouble is that it cannot scale well. The complexity and diy_ersity of modem sites/
organizations makes the task even harder.
• Network security Host security is tough to achieve as organizations grow and become more
diverse. In this technique, the focus is to control network access to various hosts and their services, rather
than individual host security. This is a very efficient and scalable model.

1.3.3 Security Management Practices

Good security management practices always talk of a security policy being in place. Putting a security
policy in place is actually quite tough. A good security policy and its proper implementation go a long
 Attacks on Computers and Computer Security 7

way in ensuring adequate security management practices. A good security policy generally takes care of
four key aspects, as follows:
• Affordability Cost and effort in security implementation.
• Functionality Mechanism of providing security.
• Cultural issues Whether the policy gels well with people's expectations, working style and beliefs.
• Legality . Whether the policy meets the legal requirements.
Once a security policy is in place, the following points should be ensured.
(a) Explanation of the policy to all concerned.
(b) Outline everybody's responsibilities.
(c) Use simple language in all communications.
(d) Establishment of accountability. -
(e) Provision for exceptions and periodic reviews.

1.4 Principles of Security

Having discussed some of the attacks that J;iav~ occurred in real life, let us now classify the principles
related to security. This will help us understand the attacks better and also help us in thinking ~bout the
possible solutions to tackle them. We shall take an example to understand these concepts. · -
Let us assume that a person A wants to send a check worth $100 to another person B. Normally, what
are the factors that A and B will think of, in such a case? A will write the check for $100, put it inside an
envelope and send it to B.
A will like to ensure that no one except B,gets the envelope and even if someone else gets it, she
does not come to know about the details of the check. _This is the principle of confidentiality.
A and B will further like to make sure that no one can tamper with the contents of the check (such
as its amount, date, signature, name of the payee, etc.). This is the principle of integrity.
B would like to be assured ·that the check has indeed come from A and not from someone else
posing as A (as it could be a fake eheck in that case). This is the principle of authentication.
What will happen tomorrow if B ,deposits the check in her account, the money is transferred from
A's account to·B's account and then A refuses having written/sent th'e check? The court 'of law w.ill
use A's signature to disallow A to refute this claim and settle the dispute. This is the principle of
non-repudiation.
These are the four chief principles of security. There are two more, access control and availability,
which are not related to a particular message, but are linked to the overall system as a whole.
We shall discuss all these security principles in the next few sections.

1.4.1 Confidentiality
The principle of confidentiality specifies that only the sender and the intended recipient(s) should be able
lo access the contents of a message. Confidentiality gets compromised if an unauthorized person is able
loaccess a message. Example of compromising the confidentiality of a message is shown in Fig. 1.4.
Here, the user of computer A sends a message to user of computer B. (Actually, from here onwards, we
8 Cryptography and Network Secur_ity
-"---_ _ _____ _ _ _ __

[I] Secret 0

I- Fig. 1.4 Loss of confidentiality

shall use the term A to mean the user A, B to mean user B, etc. although we shall just show the
computers of user A, B, etc.). Another user C gets access to this message, which is not desired and
therefore, defeats the purpose of confidentiality. Example of this could be a confidential email message
sent by A to B, which is accessed by C without the permission or knowledge of A and B. This type of
attack is called as interception.

Interception causes loss of message confidentiality.

1.4.2 Authentication
Authentication mechanisms help establish proof of identities. The authentication process ensures that
the origin of a electronic message or document is correctly identified. For instance, suppose that user C
sends an electronic document over the Internet to user B. However, the trouble is·that user Chad posed
as user A when she sent this document to user B. How would user B know that the message has come
from user C, who is posing as user A? A real life example of this could be the case of a user C, posing as
user A, sending a funds transfer request (from A's account to C's account) to bank B. The bank might
happily transfer the funds from A's account to C's account - after all, it would think that user A has
,-quested for the funds transfer! This concept is shown in Fig. 1.5. This type of attack is called as
fabrication.

Fabrication is possible in absence of proper authentication mechanisms.

1.4.3 Integrity
When the contents of a message are changed after the sender sends it, but before it reaches the intended
recipient, we say that the integrity of the message is lost. For example, suppose you write ~9heck for
$100 to pay for the goods bought from the US. However, when you see your next account statement, you
are startled to see that the check resulted in a payment of $1000! This is the case for loss of message
integrity. Conceptually, this is shown in Fig. 1.6. ~ere, user C tampers with a message originally sent by
user A, which is actually destined for user B. User C somehow manages to access it, change its contents

J
 Attacks on Computers and Computer Security 9

lam
user A

I- Fig. 1.5 Absence of authentication

and send the changed message to user B. User B has no way of knowing that the contents of the message
J-
were changed after user A had sent User A also does not know about this change. This type of attack
is called as modification.

Ideal route of the message

~' Transfer
$100
to D
I
I
Actual route of the message
Transfer
$ 1000
toe

I- Fig. 1.6 Loss of integrity

Modification causes loss of message integrity.

1.4.4 Non-repudiation
There are situations where a user sends a message and later on refuses that she had sent that message. For
instance, user A could send a funds transfer request to bank B over the Internet. After the bank performs
the funds transfer as per A's instructions, A could claim that she never sent the funds transfer instruction
to the bank! Thus, A repudiates or denies, her funds transfer instruction. The principle of non-
repudiation defeats such possibilities of denying something, having done it. This is shown in Fig. 1.7.

Non-repudiation does not allow the sender of a message to refute the claim of not sending
that message.
10 Cn;ptography and Network Security

I never sent that message,

Q
which you claim to have
received

I- Fig. 1.7 Establishing non-repudiation

1.4.5 Access Control

The principle of access control determines who should be able to access what. For instance, we should
be able to specify that user A can view the records in a database, but ~annot update them. However, user
B might be allowed to make updates as well. An access control mechanism can be set up to ensure this.
Access control is broadly related to two areas: role management and rule management. Role •,
management concentrates on the user side (which user can do what), whereas rule management focuses
on the resources side (which resource is accessible and under what circumstances). Based on the
decisions taken here, an access control matrix is prepared, which lists the users against a list of items
they can access (e.g. it can say that user A can write to file X, but can only update files Y and Z). An ,
Access Control List (ACL) is a subset of an access control matrix.

Access control specifies and controls who can access what.

1.4.6 Availability
The principle of availability states that resources (i.e. information) should be available to authorized
patties at all times. For example, due to the intentional actions of an unauthorized user C, an authorized
user A may not be able to contact a server computer B, as shown in Fig. 1.8. This would defeat the
principle of availability. Such an attack is called as interruption.

101
• .bl

I- Fig. 1.8 Attack on availability

Interruption puts the availability of resources in danger.

I
- Attacks on Computers and Computer Security 11

We may be aware of the traditional OSI standard for Network Model (titled OSI. Network
Model 7498-1), which describes the seven layers of the networking technology (application,
presentation, session, transport, network, data link and physical). A very less known standard on similar
lines is the OSI standard for Security Model (titled OSI Security Model 7498-2). This also defines
seven layers of security in the form of:
• Authentication
• Access control
• Non repudiation
• Data integrity
• Confidentiality
• Assurance or Availability
• Notarization or Signature
We shall be discussing upon most of these topics in this book.
Having explained the various principles of security, let us now discuss the various types of attacks
that are possible, from a technical perspective.

1.4.7 Ethical and Legal Issues

Many ethical and legal issues in computer security systems seem to be in the area of the individual's
right to privacy versus the greater good of a larger entity (e.g. a company, society, etc.) For example,
tracking how employees use computers, crowd surveillance, managing customer profiles, tra~king a
person's travel with a passport, location tracking so as to spam cell phone with text message
.advertisements and so on. A key concept in resolving this issue is to find out is a person's expectation of
privacy.
Classically, the ethical issues in security systems are classified into the following four categories:
• Privacy - This deals with the right of an individual to control personal information.
• Accuracy - This talks about the responsibility for the authenticity, fidelity and accuracy of
information.
• Property - Here we find out the owner of the information. We also talk about who controls access.
• Accessibility - This deals with the issue of the type of information an organization has the right to
collect. And in that situation, it als~ expects to know the measures which will safeguard against
any unforeseen eventualities.
Privacy is the protection of personal or sensitive information. Individual privacy is the desire to"be left
alone as an extension of our personal space and may or may not be supported by local regulations or
laws. Privacy is subjective. Different people have different ideas of what privacy is and how much
privacy they will trade for safety or convenience. ·
When dealing with legal issues, we need to remember that there is a hierarchy of regulatory bodies
that govern the legality of information security. We can roughly classify- them as follows.
• International: e-.~'.· µiternational Cybercrime Treaty
• Federal: e;g. FERPA, GLB, HIPAA, DMCA, Teach Act, Patriot Act, Sarbanes-Oxley Act, etc.
• State: e.g. UCITA, SB 1386, etc.
• Organization: e.g. Computer use policy
 -
cj' 1.5 Types of Attacks · th 0 0 ·s view and a 1echnologist" s view '
\\·e shal l classify anacks \\;th respect IO two views: e common pers .

1.5.1 Attacks: A General

• . View - · i;. •· ·
10
to three categories, as shown in
From a common person s porn! of view. we can classh / anacl\.s .._. -

Fig. 1.9.

Type of attacks as understood

by a common person

Legal attacks
Publicity attacks
Criminal attacks
I
I- Fig. 1.9 Classification of attacks as understood in general tenns

Let us now discuss these attacks.

Criminal Attacks Criminal attacks are the simplest to understand. Here, the sole aim of the attackers
is to maximize financial gain by attacking computer systems. Table 1.1 lists some forms of criminal

attacks.
Publicity Attacks Publicity attacks occur because the attackers want to see their names appear on
tele vision news channels and newspapers. History suggests that these types of attackers are usually not
hardcore criminals. They are people such as students in universities or employees in large organizations,
who seek publicity by adopting a novel approach of attacking computer systems.
One form of publicity anacks is to damage (or deface) the Web pages of a site by attacking it. One of
the most famous such attacks occurred on the US Department of Justice's Web site in 1996. The New
York Times home page was also famously defaced two years later.
Legal Attacks Thi s form of attack is quite novel and unique. Here, the attacker tries to make the judge
or the jury doubtful about the security of a computer system. This works as follows. The attacker attacks
the computer system and the attacked party (say a bank or an organization) manages to take the attacker .
to the court. While the case is being fought, the attacker tries to convince the judge and the jury that there
is inherent weakness in the computer system and that she has done nothing wrongful, The aim of the
attacker is to exploit the weakness of the judge and the jury in technology matters.
For example, an attacker may sue a bank for a performing an online transaction, which she never
wanted to perform. In court, she could innocently say something like The bank's Web site asked me to
enter a pass1rord and that is all that I provided; I do not know what happened thereafter. A judge is
likely to sympathize with the attacker!
 Attacks on Computers and Computer Security 13

Table 1.1 Types of Criminal Atta~ks

Attack Description
Fraud Modem fraud attacks concentrate on manipulating some aspects of
electronic currency, credit cards, electronic stock certificates, checks,
letters of credit, purchase orders, ATMs, etc. ,l'J ,
Scams Scams come in various forms , some of the most common ones being sale
of services, auctions, multi.level mar~eting scheples, general merchandise
and business opportunities, etc. People are enticed to send money in return
. I ., ' 1 .
of great pro fiits, b ut end up losing their money. A very common examp e 1s
r, J .

the Nigeria scam, where an email from Nigeria (Jnd other Afric~n
countries) entices people to deposit money info a bank account with a
promise of hefty gains. Whosoever gets caught in this scam loses ITIOney
heavily. .
Destruction
- · Some sort of ~rudge is the motive behind such attacks. For example,

,
unhappy employees attack their own organization, whereas terrorists' strike
at mu_ch bigger levels. For example, fo the year 2000, there was an attack
against popular Internet sites such as . Yahoo!, CNN, eBay, Buy.com,
Amazon.com and e*Trade where .authorized\ - .users,of
. these sites•failed to
log in or.access these sites.
Identity theft This is best understood with a quote from Bruce ~ch·neier: Why steal from
I . .
someone when you can just become · that person? In other words, an
·, . attacker does not steal anything.from a legitimate user - he be_comes that
legitimate user! For example, it is much easier to manage to get the
password of someone else's bank account or to actually be able to get a
credit card on someone else's name. Then that privilege can be misused
until it gets detected.
Intellectual property theft Intellectual pr:operty theft ranges from_stealing companies' trade secrets,
databases, digital music and videos, electronic documents and books,
software and so on . .
Brand theft It is quite easy to set up fake Web sites that look like real Web sites. How
would a common user know if she is visiting the HDFC Bank site or an
attacker's site? Innocent users end up providing their secrets and personal
details on these fake sites to the attackers. The attackers use these details to
thyn access the real site, causing an i<l.entity theft:

1.5.2 Attacks: A Technical View

From the technical point of view, we can classify the types of attacks on computers and network systems
into two categories for better understanding: (a) Theoretical concepts behind these attacks and (b)
Practical approaches used by the attackers. Let us discuss these one-by-one.

Theoretical Concepts As we discussed earlier, the principles of security face threat from various
attacks. These attacks are generally classified into four categories, as mentioned earlier. They are:
• Interception - Discussed in the context of confidentiality, earlier. It means that an unauthorized
party has gained access to a resource. The party can be a person, program or computer-based
system. Examples of interception are copying of data or programs and listening to network traffic.
1_4_ _ _ _ _ _ _ _ _ _~C::.'..ryp~to~gr~a'l'.p~hy1_:_a~n-"-d.'...:N~etw~or'.':k.'.:'.S'.:::ec::_u::_:rity7.___ _ _ _ _ _ _ _ _ ______

• Fabrication - Discussed in the context of authentication, earlier. This involves creation of illegaJ
-:ibjects on a computer system. For example, the attacker may add fake records to a database.
• Modification - Discussed in the context of integrity, earlier. For example the attacker may modify 1--
the values in a database.
• Interruption - Discussed in the context of availability, ear!ier. Here, the resource beco~es
unavailable, lost or unusable. Examples of interruption are causing problems to a hardware device,
erasing program, data or operating system components.
These attacks are further grouped into two - - - - - - - - - - - - - - - -
types: passive attacks and active attacks, as Attacks
shown in Fig. 1.10.
Let us discuss these two types of attacks now.
Passive attacks Passive attacks are those,
wherein the attacker indulges in eavesdropping or Active attacks
Passive attacks
monitoring of data transmission. In other words,
the attacker aims to obtain information that is in
transit. The term passive indicates that _the a~tacker I- Fi . l.lO Types of attacks
does not attempt to perform any mod1ficat1ons to g (
the data. In fact, this is also why passive attacks are harder to detect. Thus, the general approach to deal
with passive attacks is to think about prevention, rather than detection or corrective actions.

Passive attacks do not involve any modifications to the contents of an original message.

Figure 1.11 shows further classification of passive attacks into two sub-categories. These categories
are namely, release of message contents and traffic analysis.

Passive attacks (Interception)

Release of message contents Traffic analysis

I- Fig. 1.11 Passive attacks

Release of message contents is quite simple to understand. When we send a confidential email
message to our friend, we desire that only she be able to access it. Otherwise, the contents of the message
are released against our wishes to someone else. Using certain security mechanisms, we can prevent
release of message contents. For example, we can encode messages using a code language, so that only
the desired parties understand the contents of a message, because only they know the code language.
However, if many such messages are passing through, a passive attacker could try to figure out
similarities between them to come up with some sort of pattern that provides her some clues regarding
the communication that is taking place. Such attempts of analyzing (encoded) messages to come up with
likely patterns are the work of the traffic analysis attack.
 Attacks on Computers and Computer Security 15

Active attacks Unlike passive attacks, the active attacks are based on modification of the original
L message in some manner or the creation of a false message. These attacks cannot be prevented easily.
However, they can be detected with some effort and attempts can,ft>e made to recover from them. These
attacks can be in the form of interruption, modification and fabrication.

In active attacks, the contents of the original message are modified in some way.

• Trying to pose as another entity involves masquerade attacks.

• Modification attacks can be classified further into replay attacks and alteration of messages.
• Fabrication causes Denial Of Service (DOS) attacks.
This classification is shown in Fig. 1.12.

7 'Active attacks

Interruption Fabrication
Modification
(Masquerade) (Denial Of Service-DOS)

Replay attacks Alterations

t- Fig. 1.12 Active attacks

Masquerade is caused when an unauthorized entity pretends to be another entity. As we have seen,
user C might pose as user A and send a message to user B. User B might be led to believe that the
message indeed came from user A. In masquerade attacks, an entity poses as another entity. In
masquerade attacks, usually some other forms of active attacks are also embedded. As an instance, the
attack may involve capturing the user's authentication sequence (e.g. user ID and password). Later,
those details can be replayed to gain illegal access to the computer system.
In a replay attack, a user captures a sequence of events or some data units and re-sends tb,em. For
instance, suppose user A wants to transfer some amount to user C's bank account. Both users A and C
have accounts with bank B. User A might send an electronic message to bank B, requesting for the funds
transfer. User C could capture this message and send a second copy of the same to bank B. Bank B would
have no idea that this is an unauthorized message and would treat this as a second and different, funds
transfer request from user A. Therefore, user C would get the benefit of the funds transfer twice: once
authorized, once through a replay attack.
Alteration of messages involves some change to the original message. For instance, suppose user A
sends an electronic message Transfer $1000 to D's account to bank B. User C might capture this and
change it to Transfer $10000 to C's account.
 l
16
Cryptography and Network Security

Note that both the beneficiary and the amount have been changed - instead, only one of these could
have also caused alteration of the message.
Denial Of Service (DOS) attacks make an attempt to prevent legitimate users from accessing some
services, which they are eligible for. For instance, an unauthorized user might send too many login
l
requests to a server using random user ids one after the other in quick succession, so as to flood the
network and deny other legitimate users from using the network facilities.

1.5.3 The Practical Side of Attacks

The attacks discussed earlier can come in a number of forms ifl real life. They can be classified into two
broad categories: application-level attacks and network-level attacks, as shown in Fig. 1.13.

Security attacks in practice

Appi°icalion level attacks Network level attacks

I- Fig. 1.13 Practical side of attacks

Let us discuss these as follows.
• Application level attacks - These attacks happen at an application level in the sense· that the
attacker attempts to access, modify or prevent access to information of a particular application or
to the application itself. Examples of this are trying to obtain someone's credit card information on
the Internet or changing the contents of a message to change the amount in~a transaction, etc.
• Network level attacks -These attacks generally aim at reducing the capabilities of a network by
a number of possible means. These attacks generally make an attempt to either slow down o_r
completely bring to halt, a computer network. Note that this automatically can lead to application
level attacks, because once someone is able to gain access to a network, usually she is able to
access/modify at least some sensitive information, causing havoc.
These two types of attacks can be attempted by using various mechanisms, as discussed next. We will
not classify these attacks into the above two categories, since they can span across application as well as
network levels. ·

Security attacks can happen at the application level or the network level.

1.5.4 Programs that Attack

Let us now discuss a few programs that attack computer systems to cause some damage or to create
confusion.

Virus One can launch an application-level attack or a network level attack using a virus. In simple
terms, a virus is a piece of program code that attaches itself to legitimate program code_and runs when
 Attacks on Computers and Computer Security 17

. the legitimate program runs. It can then infect other programs in that computer or programs that are in
~other computers but on the same network. This is shown in Fig. 1.14. In this example, after deleting all
the files from the current user's computer, the virus self-propagates by sending its code to all users
whose email addresses are stored in the current user's address book.

Delete all files

Add x toy (,I Add x.to y,
Send a copy of
Perform Print-Job Perform Print~Jqb
myself to all
Perform Close-Job Perform Virus-Job'
using this user's
End PerformTClose.Job
·address book
End
· Return

(a) Original clean code (b) Virus infected code (c) Virus code

Fig. 1.14 Virus

Viruses can also be triggered by specific events (e.g. a virus could automatically execute at 12 PM
every day). Usually viruses cause damage to computer and network systems to the extent that it can be
repaired, assuming that the organization deploys good backup and recovery procedures.
A virus is a computer program that attaches itself to another legitimate program and causes damage
to the computer system or to the network.
During its lifetime, a virus goes through four phases:
(a) Dormant phase: Here, the virus is idle. It gets activated based on certain action or event (e.g. the
user typing a certain key or certain date or time is reached, etc). This-is an optional phase.
(b) Propagation phase: In this phase, a virus copies itself and each copy starts creating more copies of
self, thus propagating the virus.
(c) Triggering phase: A donnant virus moves into this phase when the action/event for which it was
waiting is initiated.
(d) Execution phase: This is the actual work of the virus, which could be hannless (display some
message on the screen) or destructive (delete a file on the disk).
Viruses can be classified into the following categories:
(a) Parasitic virus: This is the most common fonn of viruses. Such a virus attaches itself to
executable files and keeps replicating. Whenever the infected file is executed, the virus looks for
other executable files to attach itself and spread.
(b) Memory-resident virus: This type of virus first attaches itself to an area of the main memory and
then infects every executable program that is executed.
(c) Boot sector virus: This type of virus infects the master boot record of the disk and spreads on the
disk when the operating system starts booting the computer.
(d) Stealth virus: This virus has intelligence built in, which prevents anti-virus software programs
from detecting it.
(e) Polymorphic virus: A virus that keeps changing its signature (i.e. identity) on every execution,
making it very difficult to detect.
(f) Metamorphic virus: In addition to changing its signature like a polymorphic virus, this type of
virus keeps rewriting itself every time, making its detection even harder.
18 Cryptography and Network Security

There is another popular category of viruses, called as the macro virus. This virus affects specific
application software, such as Microsoft Word or Microsoft Excel. These viruses affect the documents \ "
created by users and spread quite easily since such documents are very commonly exchanged over
em_ail. There is a feature called as macro these application software programs, which allows the users to
wnte small useful utility programs within the documents. Viruses attack these macros and hence the
name macro virus. .l
Worm Similar in concept to a virus, a worm is actually different in implementation. A virus modifies
a program (i.e. it attaches itself to the program under attack). A worm, however, does not modify a
program. Instead, it replicates itself again and again. This is shown in Fig. 1.15. The replication grows so
much that ultimately the computer or the network on which the worm resides, becomes very slow, finally
coming to a halt. Thus, the basic purpose of a worm attack is different from that of a virus. A worm
attack attempts to make the computer or the network under attack unusable by eating all its resources.

Perform
Replicate resource-eating
itself tasks, but no
destruction

()
17

Perform Perform

Q
Replicate resource-eating resource-eating
itself tasks, but no tasks, but no

Perform () destruction destruction

17

Q
resource-eating
tasks, but no Perform
resource-eating Perform
destruction resource-eating
17 tasks, but no
destruction tasks, but no
l7 destruction
Worm code 17

Perform
resource-eating ...
tasks, but no
destruction
17

I- Fig. 1.15 Worm

A worm does not perform any destructive actions and instead, only consumes system
,,:sources to bring it down.

Trojan Horse A Trojan horse is a hidden piece of code, like a virus. However, the purpose of a
Trojan horse is different. Whereas the main purpose of a virus is to make some sort of modifications to
the target computer or network, a Trojan horse attempts to reveal confidential information to an attacker.
The name (Trojan horse) is due to the Greek soldiers, who hid inside a large hollow horse, which was
pulled by Troy citizens, unaware of its contents. Once the Greek soldiers entered the city of Troy, they
opened the gates for the rest of Greek soldiers. .
 Attacks on Computers and Computer Securiti; 19

In a similar fashion, a Trojan horse could silently sit in the code for a Login screen by attaching itself
' ' to it. When the user enters the user id and password, the Trojan horse could capture these oetails and send
this infomiation to the attacker without the knowledge of the user who had entered the id and password.
The attacker can then merrily use the user id and password to gain access to the system. This is shown in
Fig. 1.16.

Login program

User Id: XXX

Password: yyy Login code

Trojan horse
Login code

User Id: XXX

Password: yyy

I ~ttack~r· I

I- Fig. 1.16 Trojan horse

A Trojan horse allows an attacker to obtain some confidential information about a computer
or a network.

Applets and ActiveX Controls Applets and ActiveX controls were born due to the technological
development of the World Wide Web rylWW) application (usually referred to simply as the Web) of the
Internet. In its simplest form, tlie Web consists of communication between client and server computers
using a communications protocol called as Hyper Text Transfer Protocol (HTTP). The client uses a
piece of software called as W~b browser. The server runs a program called as Web server. In its
simplest form, a browser sends a HTTP request for a Web page to a Web server. The Web server locates
this Web page (actually a computer file) and sends it back to the Web browser, again using HTTP. The
Web browser interprets the contents of that file and shows the results on the screen to the user. This is
shown in Fig. 1.17. Here, the client sends a request for a Web page called as www.yahoo.com/info,
which the server sends back to the client.
Many Web pages contain .small programs that get downloaded onto the client along with the Web
page itself. These programs then ez<:~cute inside the browser. Sun Microsystems provides Java applets
for this purpose and Microsoft's1technology makes use of ActiveX controls for the same purpose. Both
are essentially small programs that get downloaded along with a Web page and then execute on the
client. This is shown in Fig. 1.18. Here;, the server sends an applet along with the Web page to the client.
20 - - - - - - - - - - -~ C!Jry(.f.p~to'.e.g~ra~ph~y'._a
- '.'~n:_
d.'N
. . '.:'.et:w
:~or~k~S=
ec:.:u:.:ri~ty'....-_ _ _ _ _ __ __ __

I I
Please send me the Web
r-:=:l page www.yahoo.com/info
SeNer
1-----------~
HTTP Request
= =

EJ HTTP Response
[~l
= =
Web page
www.yahoo.com/info

I- Fig. 1.17 Example of HTTP interaction between client and server

Please send me the Web

r==7 page www.yahoo.com/info
1-------------'
HTTP Request
= = ·

8=
.I

B
Web page
www.yahoo,com/info

I- Fig. 1.18 Applet sent back along with a Web page

Usually, these programs (applets or ActiveX controls) are used to either perform some processing on
the client side or to automatically and periodically request for information from the Web server using a
technology called as client pull. For instance, a program can get downloaded on to the client along with
the :Web page showing the latest stock prices on a stock exchange and then periodically issue HTfP
requests for pulling the updated prices to the Web server. After obtaining this information, the program
could display it on the user's screen.
 Attacks on Computers and Computer Security ·21

These apparently innocuous programs can sometimes cause havocs. What if such a program perfonns
1

' a virus-l~ke activi~y by deleting files on the user's hard disk or stealing some personal infonnation or
sending Junk emails to all the USP.rs whose addresses are contained in the user's address book?
To prevent th~se attacks, Java applets have strong security checks as to what they can do·and what
they cannot. ActiveX controls h~v~ no such restrictions. Moreover, a new version of apple~~ called as
signed applets allows accesses smular to Acti veX. Of course, a number of checks have been lin place to
ensure that n~i~~r applets nor ActiveX controls can do a lot of damage and even if they somehow
manage to do it, it can be detected. However, at least in theory, they pose some sort of security risks.

Java applets (from Sun Microsystems) and ActiveX controls ( from Microsoft Corporation)
are small client-side programs that might cause security problems, if use,d by ,attackers with
a malicious intention.

Cookies Cookies were born as a result of a specific characteristic of the Internet. The Internet uses
HTfP protocol, which is stateless. Let us understand what it means and what are its implications.
Suppose that the client sends an HITP request for a Web page to the server. The Web server locates
that page on its disk, sends it back to the client and completeiy forgets about this interaction! If the client
wants to continue this interaction, it must identify itself to the server in the next HTTP request.
Otherwise, the server would not know that this same client had sent a HTTP request earlier. Since a
typical application is likely to involve a number of interactions between the.client and the. sefVer, there
must be some mechanism for the client to identify itself to the server each time "It sends an HTTP request
tq the server. For this, cookies are used. Cookies are perhaps the most popular mechanism of maintaining
the state information (i.e. ,identifying a client to a server). A cookie is just one or more pieces of
infonnation stored as text strings in a text file on the disk of the client computer (i.e. the Web browser).
Actually, a Web server sends the Web browser a cookie and the browser stores it on the hard disk of the
client computer. The browser then sends a copy of the cookie to the server during the next HITP request.
'Phis is used for identification purposes as shown in Figs 1.19 (a) and 1.19 (b).
This 'works as follows:
(a~ ~en you interact with a Web site for the first time, the site might want you to register yourself.
itf~ually, this means that the Web server sends a page to you wherein .yoti have a fonn to enter your
Qfinne, address and 0ther details such as date of birth, interests etc. ·
·(a); When you complete this fonn and _send it to the server with the help of your browser, the server
stpres this infonnation into its database.·Additionally, it also creates a unique id for you. It stores
tliis id along with your infonnation in the database (as shown in Fig. l.19(b)) and also sends the id
back to you in the fonn of a cookie.
(a) The ne?(t time you interact with the server, you do not have to enter any infonnation such as your
name and address. Your browser would automati~ally send your id (i.e.Jhe .c;ookie) along with the
J-JITP request for a particular page to the server (as .shown in Fig. l.~9Gb)). .
(a) 'the server now takes this id, tries to find a match in its database an~ having fm,md it, knows that
you are a registered user. Accordingly, it sends you the next page. As illustrated in the figure, it
could be a simple welcome message. In practical situations, this could be used for many other
purposes.
People perceive that cookies are dangerous . .Actually, this is generally not true. Cookies can do little,
if any, harm to you. Firstly, the \\;eb server that originally created a cookie can only access the cookie.
Secondly, cookies can contain onlY text-based inf9nnation. Thirgfy, the user can refuse acc~pting cookies.
22 Cryptography and Network Security

Wsb
browser
Name: John
Address: ...
City: ...
- Web
server
I

... 1
i I
I
,. "'-.
I

= Id: 123456 : /,'

I Cookie
(
'
Name: John
when you {from your client computer) visit an
on line shopping site for the first time and fill in
Address: .. .
City: .. . I Id: 123456
I
a fo rm, the Web server creates a unique id for ...
yo u.
This unique id is stored along with the
informaticm you have entered in the form, in
th e database on the server. The server sends
on ly the id to your client computer as a file. I'--...._ __,/
Yo ur browser stores this file on the hard disk
of your computer. This file is called as a 123456 John ...
cookie. Note that other information is on the ·123457 Pete ...
se rver itself. The cookie simply establishes a ... .. . ...
link between the user and the server using the
co mmon id, which is store9 on the client's .. . .. . ...
co mputer as well as in the database on the
server.

I- Fig. 1.19 · (a) Creation of cookies

Step 1

'[§]'
Id: 123456
Web · ·web
browser se~er ·

= Welcome
John!
. 1

Step4

Name: John What does

Mdress: ... Id: 123456
When you visit the same Website again, City: ... map to?
the Web browser sends the cookie back
to the Web server. The Web server uses
the cookie to retrieve your information. Step 2
fr_om the dal/Jbase and uses it. A very
simple case could be just greeting you
with a welcome message.

123456 John
123457 Pete

I- Fig. l.l9 (b) Usage of cookies

 Attacks on Computers and Computer Security 23

some modern tricks allow attackers to misuse cookies in terms of collecting personal data and
'· invading people's privacy. This attack works is as follows:
1. An advertising agency (say My Ads) contacts major Web sites and places banner ads for its
corporate clients' products on their pages. It pays some fees to the site owners for this.
2. Instead of providing an actual image that can be embedded by the respective Web sites in their
pages directly, it provides a link (URL) to add to each page. This is shown in Fig. 1.20.

YOUR NEWS CHANNEL

Today's Headlines

1. Sachin Tendulkar creates a new world record

2. India to become superpower in 2020

i
t
http://www.myads.com/5726740919.jpeg

The Web page contains a very small (almost invisible) image, corres-
ponding to the URL of My Ads. The image is not visible to the user, but
it must be brought in by the news channel server nevertheless.
_. ,.
1-: Fig. 1.20 · Embedding almost invisible Images corresponding to ad_vertisements
1

3. Each URL contains a unique number in the file part. For example, http://www.myads.com/
5726740919.jpeg. ; ' · ·
4. When a user visits a page for the first time, the browser fetches the advertisement image from My
Ads along with 1the main HTML page for tl1e site it is visiting. This is shown in the earlier diagram.
5. When the user ,visits the main site (e.g. _the, news site), My Ads sends a cookie to the browser
containing a unique user ID and records the relationship
I
between this user ID an'cl the file name.
•
6. Later, wh.enJhe sam~ user visits another page, the browser sees another reference to My Ads.
7. Uie bJowser s.endS'the vrevious cookie to My Ads and also fetches the current page from My Ads,
as bef9{e.
8. My Ad.f knows that .the same us~r ha~ visited apother Web page now.
9. It addsthis reference to its database.
As ~e can guess, over time, My Ads has a lot of information about the Web pages the user visits, the
actions it performs, etc. The advertisement from My Ads can be a single pixel in the same background
color, making it even more difficult for the user to know that advertisements are appearing!

JavaSctjpt, VffS~~pt and ]Script . A Web page is constructed usiqg a special language called as
Hyper Text Mark~p Language (HTML). it is a tag-based language. A tag begins with the symbol <>
and it ends with <I>. Between these boundaries of ¢e tags, the actual information to be displayed on the ·
user's computer is mentioned. As an example, let us consider how the tag pair <B> and <IB> can be used
10 change the text font to boldface. This is shown in Fig. 1.21.
 t'
<b> This is an example of text being displayed in boldface. </b>

The text that needs to be displayed End of boldface

Start of boldface
in boldface
/
I- Fig. 1.21 Example of the <b> and </b> HTML tags to display the specified text in boldface
Wh en a browser comes across th!.s porti·on of a HTML document, it realizes that the. portion
. of the
. text
embedded within the <b> and <lb> tags needs to be displayed in boldface. Therefore, it displays this text
in boldface, as shown in Fig. 1.22.

<b> This is an This is an

example of text Browser example of text
being displayed interprets this being displayed
in boldface. </b> in boldface.

I- Fig. 1.22 Output resulting from the use of the <b> and </b> HTML tags to display the
specified text in boldface
In addition to HTML tags, a Web page can contain client-side scripts. These are small programs
written in scripting languages like JavaScript, VBScript or Jscript, which are executed inside the Web
browser on the client computer. For instance, let us assume that a user visits the Web site of an online
bookshop. Suppose that the Web site mandates that the user must place an order for at least three books.
Then, the Web page can contain a small JavaScript program, which can ensme that this condition is met
before the user can place the order. Otherwise, the JavaScript program would not allow the user to
proceed. Note that HTML cannot be used for this purpose, as its sole purpose is to display text on the
client computer in a pre-specified fonnat. To perfonn dynamic actions, such as the one discussed here,
we ueed scripts.
These scripts can be dangerous at times. Since these scripts are small programs, they can perfonn a lot
of actions on the client's computer. Of course, there are restrictions as to what a scripting program can
and cannot do. However, incidents of security breaches have been reported, blaming the scripting
languages.

1.5.5 Dealing with Viruses

Preventing viruses is the best option. However, it is almost impossible. to prevent tnem altogether with
the world connected to the Internet all the time. We have to accept that viruses will attack and would
need to find ways to deal with them. Hence, we can attempt to detect, identify and remove viruses. This
is shown in Fig. 1.23.
Detection of viruses involves locating the virus, having known that a virus has attacked. Then we
need to identify the specific virus that has attacked. Finally, we need to remove it. For this, we need to
remove all traces of the virus and restore the affected programs/files to their original states. This is dom,
by anti-virus software.
 Attacks on Computers and Computer Security 25

wher
r·-·- ·- ·- ·-·- ·-·- ·-·- ·-·-·- ·- ·- ·-· .
'Detection -'
.... __ ~Loom, v;ru, ;, _:

I ll')dentification ... . Identify the virus. i

•--·-·-·-·-·-·-·-·r·-·-·- ·-·-·-·- ·-·
/ L. -.-.-·-.-.-.-..-
r · -· - ·- ·-. - . - . ___
Removal ... i Remove all traces, restore order. i
l-- •- •-•-•-•-·-·- •-•- •- · -•-·-·- •-·-•

I- Fig. 1.23 Virus elimination steps

Anti-virus software is classified into four generation~, as depicted in Fig. 1.24.

- ·- ·- ·-·-·-·- ·- ·-·-·-·- ·-·-·- ·- ·1

st ; Simple scanners i

:_:::,:J_::_ . _:
1 Generation

nd
2 Gen~rafi~ri

;: ::"'""'"T""'rn : :: '.
3rcl Generation

.l :::AciMrps
Full-featured protection
::::j ·
. ·-· -·-·-·-·-·-·-·- ·-· -·-·- ·-·- ·J

I- Fig. 1.24 Generations of anti-virus ~oftware

Let us summarize the key characteristics of the four generations of anti-virus software.
• 1st generati~n These anti-virus software programs were called as simple scanners. They needed a
virus signature ~o identify a virus. A variation of such programs kept a watch O°i the length of programs
and looked for changes so as to possibly identify a virus attack.
• 2n4 generation These anti-virus software programs did not rely on simple virus signatures. Rather,
thet used heuristic rules to look for possible virus attacks. The idea was to look for code blocks that were
COQlmonly associated with viruses. For example, such a program could look for encryption key used by
a virus, find it, decrypt and remove the virus and clean the code. Another variation of these anti-virus
programs used to store some identificatic;m about the file (e.g. a message digest, which we shall study
later) to detect changes in the contents of the file. ·
• 3rd generation These anti-virus software programs were memory resident.. They watched for
viruses based on actions, rather than their structure. Thus, it is not necessary to maintain a large database
of virus signatures. Instead, the focus is to keep watch on a small number of suspect actions.
 1.3 / Security Attacks  15

1.3 Security Attacks

A useful means of classifying security attacks, used both in X.800 and RFC 4949, is in
terms of passive attacks and active attacks (Figure 1.1). A passive attack attempts to
learn or make use of information from the system but does not affect system resources.
An active attack attempts to alter system resources or affect their operation.

Passive Attacks
Passive attacks (Figure 1.1) are in the nature of eavesdropping on, or monitoring
of, transmissions. The goal of the opponent is to obtain information that is being
transmitted. Two types of passive attacks are the release of message contents and
traffic analysis.

Darth

Internet or
other communications facility

Bob Alice
(a) Passive attacks

Darth

1 2
3
Internet or
other communications facility

Bob Alice

(b) Active attacks

Figure 1.1 Security Attacks

SHANNON.IR
16  Chapter 1 / Overview
The release of message contents is easily understood. A telephone conver-
sation, an electronic mail message, and a transferred file may contain sensitive or
confidential information. We would like to prevent an opponent from learning the
contents of these transmissions.
A second type of passive attack, traffic analysis, is subtler. Suppose that we
had a way of masking the contents of messages or other information traffic so that
opponents, even if they captured the message, could not extract the information
from the message. The common technique for masking contents is encryption. If we
had encryption protection in place, an opponent might still be able to observe the
pattern of these messages. The opponent could determine the location and identity
of communicating hosts and could observe the frequency and length of messages
being exchanged. This information might be useful in guessing the nature of the
communication that was taking place.
Passive attacks are very difficult to detect, because they do not involve any
alteration of the data. Typically, the message traffic is sent and received in an appar-
ently normal fashion, and neither the sender nor receiver is aware that a third party
has read the messages or observed the traffic pattern. However, it is feasible to pre-
vent the success of these attacks, usually by means of encryption. Thus, the emphasis
in dealing with passive attacks is on prevention rather than detection.

Active Attacks
Active attacks (Figure 1.1b) involve some modification of the data stream or the
creation of a false stream and can be subdivided into four categories: masquerade,
replay, modification of messages, and denial of service.
A masquerade takes place when one entity pretends to be a different entity
(path 2 of Figure 1.1b is active). A masquerade attack usually includes one of the
other forms of active attack. For example, authentication sequences can be captured
and replayed after a valid authentication sequence has taken place, thus enabling an
authorized entity with few privileges to obtain extra privileges by impersonating an
entity that has those privileges.
Replay involves the passive capture of a data unit and its subsequent retrans-
mission to produce an unauthorized effect (paths 1, 2, and 3 active).
Modification of messages simply means that some portion of a legitimate
message is altered, or that messages are delayed or reordered, to produce an
unauthorized effect (paths 1 and 2 active). For example, a message meaning “Allow
John Smith to read confidential file accounts” is modified to mean “Allow Fred
Brown to read confidential file accounts.”
The denial of service prevents or inhibits the normal use or management of
communications facilities (path 3 active). This attack may have a specific target; for
example, an entity may suppress all messages directed to a particular destination
(e.g., the security audit service). Another form of service denial is the disruption
of an entire network, either by disabling the network or by overloading it with
messages so as to degrade performance.
Active attacks present the opposite characteristics of passive attacks. Whereas
passive attacks are difficult to detect, measures are available to prevent their suc-
cess. On the other hand, it is quite difficult to prevent active attacks absolutely

SHANNON.IR
 1.4 / Security Services  17
because of the wide variety of potential physical, software, and network vulner-
abilities. Instead, the goal is to detect active attacks and to recover from any dis-
ruption or delays caused by them. If the detection has a deterrent effect, it may also
contribute to prevention.

1.4 Security Services

X.800 defines a security service as a service that is provided by a protocol layer of

communicating open systems and that ensures adequate security of the systems
or of data transfers. Perhaps a clearer definition is found in RFC 4949, which
provides the following definition: a processing or communication service that is
provided by a system to give a specific kind of protection to system resources;
security services implement security policies and are implemented by security
mechanisms.
X.800 divides these services into five categories and fourteen specific services
(Table 1.2). We look at each category in turn.5

Authentication
The authentication service is concerned with assuring that a communication is
authentic. In the case of a single message, such as a warning or alarm signal, the
function of the authentication service is to assure the recipient that the message
is from the source that it claims to be from. In the case of an ongoing interaction,
such as the connection of a terminal to a host, two aspects are involved. First,
at the time of connection initiation, the service assures that the two entities are
authentic, that is, that each is the entity that it claims to be. Second, the service
must assure that the connection is not interfered with in such a way that a third
party can masquerade as one of the two legitimate parties for the purposes of
unauthorized transmission or reception.
Two specific authentication services are defined in X.800:
• Peer entity authentication: Provides for the corroboration of the identity
of a peer entity in an association. Two entities are considered peers if they
implement to same protocol in different systems; for example two TCP mod-
ules in two communicating systems. Peer entity authentication is provided for
use at the establishment of, or at times during the data transfer phase of, a
connection. It attempts to provide confidence that an entity is not performing
either a masquerade or an unauthorized replay of a previous connection.
• Data origin authentication: Provides for the corroboration of the source of a
data unit. It does not provide protection against the duplication or modification
of data units. This type of service supports applications like electronic mail,
where there are no prior interactions between the communicating entities.

5
There is no universal agreement about many of the terms used in the security literature. For example, the
term integrity is sometimes used to refer to all aspects of information security. The term authentication is
sometimes used to refer both to verification of identity and to the various functions listed under integrity
in this chapter. Our usage here agrees with both X.800 and RFC 4949.

SHANNON.IR
18  Chapter 1 / Overview
Table 1.2 Security Services (X.800)

AUTHENTICATION DATA INTEGRITY

The assurance that the communicating entity is the The assurance that data received are exactly as
one that it claims to be. sent by an authorized entity (i.e., contain no
modification, insertion, deletion, or replay).
Peer Entity Authentication
Used in association with a logical connection to Connection Integrity with Recovery
provide confidence in the identity of the entities Provides for the integrity of all user data on a
connected. connection and detects any modification, insertion,
deletion, or replay of any data within an entire data
Data-Origin Authentication sequence, with recovery attempted.
In a connectionless transfer, provides assurance that
the source of received data is as claimed. Connection Integrity without Recovery
As above, but provides only detection without recovery.
ACCESS CONTROL
Selective-Field Connection Integrity
The prevention of unauthorized use of a resource
Provides for the integrity of selected fields within the
(i.e., this service controls who can have access to a
user data of a data block transferred over a connec-
resource, under what conditions access can occur,
tion and takes the form of determination of whether
and what those accessing the resource are allowed
the selected fields have been modified, inserted,
to do).
deleted, or replayed.
DATA CONFIDENTIALITY Connectionless Integrity
The protection of data from unauthorized Provides for the integrity of a single connectionless
disclosure. data block and may take the form of detection of
data modification. Additionally, a limited form of
Connection Confidentiality replay detection may be provided.
The protection of all user data on a connection.
Selective-Field Connectionless Integrity
Connectionless Confidentiality Provides for the integrity of selected fields within a
The protection of all user data in a single data block single connectionless data block; takes the form of
determination of whether the selected fields have
Selective-Field Confidentiality been modified.
The confidentiality of selected fields within the user
data on a connection or in a single data block. NONREPUDIATION
Traffic-Flow Confidentiality Provides protection against denial by one of the
The protection of the information that might be entities involved in a communication of having
derived from observation of traffic flows. participated in all or part of the communication.

Nonrepudiation, Origin
Proof that the message was sent by the specified party.

Nonrepudiation, Destination
Proof that the message was received by the specified
party.

Access Control
In the context of network security, access control is the ability to limit and control
the access to host systems and applications via communications links. To achieve
this, each entity trying to gain access must first be identified, or authenticated, so
that access rights can be tailored to the individual.

SHANNON.IR
 1.4 / Security Services  19

Data Confidentiality
Confidentiality is the protection of transmitted data from passive attacks. With
respect to the content of a data transmission, several levels of protection can be
identified. The broadest service protects all user data transmitted between two
users over a period of time. For example, when a TCP connection is set up between
two systems, this broad protection prevents the release of any user data transmit-
ted over the TCP connection. Narrower forms of this service can also be defined,
including the protection of a single message or even specific fields within a message.
These refinements are less useful than the broad approach and may even be more
complex and expensive to implement.
The other aspect of confidentiality is the protection of traffic flow from analysis.
This requires that an attacker not be able to observe the source and destination, fre-
quency, length, or other characteristics of the traffic on a communications facility.

Data Integrity
As with confidentiality, integrity can apply to a stream of messages, a single mes-
sage, or selected fields within a message. Again, the most useful and straightforward
approach is total stream protection.
A connection-oriented integrity service, one that deals with a stream of mes-
sages, assures that messages are received as sent with no duplication, insertion,
modification, reordering, or replays. The destruction of data is also covered under
this service. Thus, the connection-oriented integrity service addresses both message
stream modification and denial of service. On the other hand, a connectionless in-
tegrity service, one that deals with individual messages without regard to any larger
context, generally provides protection against message modification only.
We can make a distinction between service with and without recovery.
Because the integrity service relates to active attacks, we are concerned with detec-
tion rather than prevention. If a violation of integrity is detected, then the service
may simply report this violation, and some other portion of software or human
intervention is required to recover from the violation. Alternatively, there are
mechanisms available to recover from the loss of integrity of data, as we will review
subsequently. The incorporation of automated recovery mechanisms is, in general,
the more attractive alternative.

Nonrepudiation
Nonrepudiation prevents either sender or receiver from denying a transmitted mes-
sage. Thus, when a message is sent, the receiver can prove that the alleged sender in
fact sent the message. Similarly, when a message is received, the sender can prove
that the alleged receiver in fact received the message.

Availability Service
Both X.800 and RFC 4949 define availability to be the property of a system or a
system resource being accessible and usable upon demand by an authorized system
entity, according to performance specifications for the system (i.e., a system is avail-
able if it provides services according to the system design whenever users request

SHANNON.IR
20  Chapter 1 / Overview
them). A variety of attacks can result in the loss of or reduction in availability. Some
of these attacks are amenable to automated countermeasures, such as authentica-
tion and encryption, whereas others require some sort of physical action to prevent
or recover from loss of availability of elements of a distributed system.
X.800 treats availability as a property to be associated with various security
services. However, it makes sense to call out specifically an availability service. An
availability service is one that protects a system to ensure its availability. This ser-
vice addresses the security concerns raised by denial-of-service attacks. It depends
on proper management and control of system resources and thus depends on access
control service and other security services.

1.5 Security Mechanisms

Table 1.3 lists the security mechanisms defined in X.800. The mechanisms are
divided into those that are implemented in a specific protocol layer, such as TCP
or an application-layer protocol, and those that are not specific to any particu-
lar protocol layer or security service. These mechanisms will be covered in the
appropriate places in the book. So we do not elaborate now, except to comment
on the definition of encipherment. X.800 distinguishes between reversible enci-
pherment mechanisms and irreversible encipherment mechanisms. A reversible

Table 1.3 Security Mechanisms (X.800)

SPECIFIC SECURITY MECHANISMS PERVASIVE SECURITY MECHANISMS

May be incorporated into the appropriate protocol Mechanisms that are not specific to any particular
layer in order to provide some of the OSI security OSI security service or protocol layer.
services.
Trusted Functionality
Encipherment That which is perceived to be correct with respect
The use of mathematical algorithms to transform to some criteria (e.g., as established by a security
data into a form that is not readily intelligible. The policy).
transformation and subsequent recovery of the
data depend on an algorithm and zero or more Security Label
encryption keys. The marking bound to a resource (which may be a
data unit) that names or designates the security attri-
Digital Signature butes of that resource.
Data appended to, or a cryptographic transformation
of, a data unit that allows a recipient of the data unit Event Detection
to prove the source and integrity of the data unit and Detection of security-relevant events.
protect against forgery (e.g., by the recipient).
Security Audit Trail
Access Control Data collected and potentially used to facilitate a
A variety of mechanisms that enforce access rights to security audit, which is an independent review and
resources. examination of system records and activities.

Data Integrity Security Recovery

A variety of mechanisms used to assure the integrity Deals with requests from mechanisms, such as event
of a data unit or stream of data units. handling and management functions, and takes
recovery actions.

SHANNON.IR
 1.5 / Security Mechanisms  21
Table 1.3 Continued
SPECIFIC SECURITY MECHANISMS
Authentication Exchange
A mechanism intended to ensure the identity of an
entity by means of information exchange.

Traffic Padding
The insertion of bits into gaps in a data stream to
frustrate traffic analysis attempts.

Routing Control
Enables selection of particular physically secure
routes for certain data and allows routing changes,
especially when a breach of security is suspected.

Notarization
The use of a trusted third party to assure certain
properties of a data exchange.

encipherment mechanism is simply an encryption algorithm that allows data to

be encrypted and subsequently decrypted. Irreversible encipherment mechanisms
include hash algorithms and message authentication codes, which are used in digi-
tal signature and message authentication applications.
Table 1.4, based on one in X.800, indicates the relationship between security
services and security mechanisms.

Table 1.4 Relationship Between Security Services and Mechanisms

MECHANISM
ge
an
ut ddi ch
Ro pa n ex
D s co ure

at ol
N gc g
A l sig t

A nteg l
en

n
a i ntro

r
he rity

fic tio
at

t
n
n
ig erm

io
o
a
Tr ntic
h

iz
ip

in
ita

es

ar
ch

SERVICE
af
cc

ut

ot
at
En

Peer entity authentication Y Y Y

Data origin authentication Y Y

Access control Y

Confidentiality Y Y

Traffic flow confidentiality Y Y Y

Data integrity Y Y Y

Nonrepudiation Y Y Y

Availability Y Y

SHANNON.IR
22  Chapter 1 / Overview

1.6 A Model for Network Security

A model for much of what we will be discussing is captured, in very general terms, in
Figure 1.2. A message is to be transferred from one party to another across some sort
of Internet service. The two parties, who are the principals in this transaction, must
cooperate for the exchange to take place. A logical information channel is established
by defining a route through the Internet from source to destination and by the coop-
erative use of communication protocols (e.g., TCP/IP) by the two principals.
Security aspects come into play when it is necessary or desirable to protect the in-
formation transmission from an opponent who may present a threat to confidentiality,
authenticity, and so on. All the techniques for providing security have two components:
• A security-related transformation on the information to be sent. Examples
include the encryption of the message, which scrambles the message so that it
is unreadable by the opponent, and the addition of a code based on the con-
tents of the message, which can be used to verify the identity of the sender.
• Some secret information shared by the two principals and, it is hoped, unknown
to the opponent. An example is an encryption key used in conjunction with the
transformation to scramble the message before transmission and unscramble it
on reception.6
A trusted third party may be needed to achieve secure transmission. For
example, a third party may be responsible for distributing the secret information

Trusted third party

(e.g., arbiter, distributer
of secret information)

Sender Recipient
Information
Security-related channel Security-related
transformation transformation
Message

Message
message

message
Secure

Secure

Secret Secret
information information

Opponent
Figure 1.2 Model for Network Security

6
Part Two discusses a form of encryption, known as a symmetric encryption, in which only one of the two
principals needs to have the secret information.

SHANNON.IR
 1.6 / A Model for Network Security 23
to the two principals while keeping it from any opponent. Or a third party may be
needed to arbitrate disputes between the two principals concerning the authentic-
ity of a message transmission.
This general model shows that there are four basic tasks in designing a particu-
lar security service:
1. Design an algorithm for performing the security-related transformation. The
algorithm should be such that an opponent cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security
algorithm and the secret information to achieve a particular security service.
Parts One through Five of this book concentrate on the types of security mech-
anisms and services that fit into the model shown in Figure 1.2. However, there are
other security-related situations of interest that do not neatly fit this model but are
considered in this book. A general model of these other situations is illustrated in
Figure 1.3, which reflects a concern for protecting an information system from un-
wanted access. Most readers are familiar with the concerns caused by the existence
of hackers, who attempt to penetrate systems that can be accessed over a network.
The hacker can be someone who, with no malign intent, simply gets satisfaction
from breaking and entering a computer system. The intruder can be a disgruntled
employee who wishes to do damage or a criminal who seeks to exploit computer
assets for financial gain (e.g., obtaining credit card numbers or performing illegal
money transfers).
Another type of unwanted access is the placement in a computer system
of logic that exploits vulnerabilities in the system and that can affect application
programs as well as utility programs, such as editors and compilers. Programs can
present two kinds of threats:
• Information access threats: Intercept or modify data on behalf of users who
should not have access to that data.
• Service threats: Exploit service flaws in computers to inhibit use by legitimate
users.

Information system

Computing resources
Opponent (processor, memory, I/O)

—human (e.g., hacker) Data

—software
(e.g., virus, worm) Processes
Access channel Software
Gatekeeper
function Internal security controls

Figure 1.3 Network Access Security Model

SHANNON.IR
24  Chapter 1 / Overview
Viruses and worms are two examples of software attacks. Such attacks can be
introduced into a system by means of a disk that contains the unwanted logic con-
cealed in otherwise useful software. They can also be inserted into a system across a
network; this latter mechanism is of more concern in network security.
The security mechanisms needed to cope with unwanted access fall into
two broad categories (see Figure 1.3). The first category might be termed a gate-
keeper function. It includes password-based login procedures that are designed
to deny access to all but authorized users and screening logic that is designed
to detect and reject worms, viruses, and other similar attacks. Once either an
unwanted user or unwanted software gains access, the second line of defense
consists of a variety of internal controls that monitor activity and analyze stored
information in an attempt to detect the presence of unwanted intruders. These
issues are explored in Part Six.

1.7 Recommended Reading

[STAL12] provides a broad introduction to both computer and network security. [SCHN00] is
valuable reading for any practitioner in the field of computer or network security: It discusses
the limitations of technology, and cryptography in particular, in providing security and the need
to consider the hardware, the software implementation, the networks, and the people involved
in providing and attacking security.
It is useful to read some of the classic tutorial papers on computer security; these
provide a historical perspective from which to appreciate current work and thinking.7
The papers to read are [WARE79], [BROW72], [SALT75], [SHAN77], and [SUMM84].
Two more recent, short treatments of computer security are [ANDR04] and [LAMP04].
[NIST95] is an exhaustive (290 pages) treatment of the subject. Another good treatment is
[NRC91]. Also useful is [FRAS97].

ANDR04 Andrews, M., and Whittaker, J. “Computer Security.” IEEE Security and
Privacy, September/October 2004.
BROW72 Browne, P. “Computer Security—A Survey.” ACM SIGMIS Database,
Fall 1972.
FRAS97 Fraser, B. Site Security Handbook. RFC 2196, September 1997.
LAMP04 Lampson, B. “Computer Security in the Real World,” Computer, June 2004.
NIST95 National Institute of Standards and Technology. An Introduction to Computer
Security: The NIST Handbook. Special Publication 800–12, October 1995.
NRC91 National Research Council. Computers at Risk: Safe Computing in the
Information Age. Washington, D.C.: National Academy Press, 1991.
SALT75 Saltzer, J., and Schroeder, M. “The Protection of Information in Computer
Systems.” Proceedings of the IEEE, September 1975.
SCHN00 Schneier, B. Secrets and Lies: Digital Security in a Networked World.
New York: Wiley, 2000.

7
These classic papers are available in the Premium Content Web site for this book.

SHANNON.IR