Cryptography and Network
Unit -1
Computer Security Concepts:
• Confidentiality – This term covers two related concepts:
• Data confidentiality – Assures that private or confidential information is not made
available or disclosed to unauthorized individuals.
• Privacy – Assures that individuals control what information related to them may
be collected and stored and by whom and to whom that information may be
disclosed.
• Integrity - This term covers two related concepts:
• Data Integrity: Assures that information (both stored and in transmitted packets)
and programs are changed only in a specified and authorized manner.
• System Integrity: Assures that a system performs its intended function in an
unimpaired manner, free from deliberate or inadvertent unauthorized manipulation
of the system.
• Availability – Assures that systems work promptly and service is not denied to
authorized users.
• These three concepts form the CIA triad.
• Confidentiality – Preserving authorized restrictions on information access and
disclosure.
- A loss of confidentiality means unauthorized access to the information.
• Integrity – Guarding against improper information modification.
- A loss of integrity means unauthorized modification or destruction of information.
• Availability – Ensuring timely and reliable access to and use of information.
- A loss of availability means disruption of access to or use of information.
Authenticity – being genuine and being able to be verified.
Accountability – requirement for actions of an entity to be traced uniquely. This
supports non-repudiation, fault isolation, intrusion detection and prevention, and
after action recovery and legal action.
The OSI Security Architecture:
• ITU-T Recommendation X.800 Security architecture for OSI defines a systematic
approach.
• The OSI security architecture is useful to managers as a way of organizing the task of
providing security.
• Since this architecture is an international standard, vendors can adopt a common
structure.
• The OSI architecture focuses on security attacks, mechanisms and services.
• Security attack – Any action that compromises the security of information owned by an
organization.
• Security mechanism – A process (or a device incorporating such a process) that is
designed to detect, prevent or recover from a security attack.
• Security service – A process or communication service that enhances the security of the
data processing systems and the information transfers of an organization.
- The services are intended to counter security attacks, and they make use of one or more
security mechanisms to provide the service.
Security Attacks:
• Security attacks are classified as Active attacks and Passive attacks.
• Passive attacks - These are in the nature of eavesdropping on, or monitoring of, transmissions.
• The goal of the opponent is to obtain information that is being transmitted.
• Passive attacks are of two types:
• Release of message contents: A telephone conversation, an e-mail message and a transferred
file may contain sensitive or confidential information. We would like to prevent the opponent
from learning the contents of these transmissions.
• Traffic analysis: If we had encryption protection in place, an opponent might still be able to
observe the pattern of the message.
• The opponent could determine the location and identity of communication hosts and could
observe the frequency and length of messages being exchanged.
• This information might be useful in guessing the nature of communication that was taking
place.
• Passive attacks are very difficult to detect because they do not involve any alteration of data.
However, it is feasible to prevent the success of these attacks.
• Active attacks - These attacks involve some modification of the data stream or the creation of a
false stream.
• These attacks can be classified into four categories:
• Masquerade – One entity pretends to be a different entity.
• Replay – involves passive capture of a data unit and its subsequent transmission to produce an
unauthorized effect.
• Modification of messages – Some portion of a message is altered, or messages are delayed or
reordered, to produce an unauthorized effect.
• Denial of service – Prevents or inhibits the normal use or management of communication
facilities.
• Another form of service denial is the disruption of an entire network, either by disabling the
network or overloading it with messages so as to degrade performance.
• It is quite difficult to prevent active attacks absolutely, because to do so would require physical
protection of all communication facilities and paths at all times.
• Instead, the goal is to detect them and to recover from any disruption or delays caused by them.
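As an added illustration of the detection goal stated above (this code is not part of the original notes): a receiver that uses an HMAC tag and a sequence number to detect modification, masquerade and replay. The frame layout, the class names and the sample messages are assumptions made for this example.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output size
SEQ_LEN = 8   # 64-bit big-endian sequence number (layout is an assumption)

class Sender:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def protect(self, payload: bytes) -> bytes:
        """Return seq || payload || HMAC(key, seq || payload)."""
        self.seq += 1
        header = struct.pack(">Q", self.seq)
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag

class Receiver:
    def __init__(self, key: bytes):
        self.key, self.last_seq = key, 0

    def accept(self, frame: bytes):
        if len(frame) < SEQ_LEN + TAG_LEN:
            return ("rejected", "truncated frame")
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison; a bad tag means the frame was altered
        # (modification) or built without the shared key (masquerade).
        if not hmac.compare_digest(tag, expected):
            return ("rejected", "bad tag: modification or masquerade")
        seq = struct.unpack(">Q", header)[0]
        # A valid tag on an old or out-of-order number means a captured frame
        # was retransmitted (replay) or messages were delayed/reordered.
        if seq <= self.last_seq:
            return ("rejected", "stale sequence: replay or reordering")
        self.last_seq = seq
        return ("accepted", payload)

def demo():
    key = os.urandom(32)                      # shared secret, constructed for the demo
    alice, bob = Sender(key), Receiver(key)
    frame = alice.protect(b"PAY 100 TO A")    # constructed sample message
    tampered = bytearray(frame); tampered[SEQ_LEN + 4] ^= 0x01
    forged = Sender(os.urandom(32)).protect(b"PAY 900 TO M")  # wrong key
    return [bob.accept(frame), bob.accept(frame),
            bob.accept(bytes(tampered)), bob.accept(forged)]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The check detects these attacks but does not prevent them, and it does nothing against denial of service or passive eavesdropping, since the payload is sent in the clear.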
Security Services:
• Authentication - assurance that the communicating entity is the one claimed.
- Peer Entity authentication – used in association with a logical connection to provide
confidence in the identity of the entities connected.
- Data origin authentication – In a connectionless transfer, provides assurance that the
source of received data is as claimed.
• Access Control - prevention of the unauthorized use of a resource.
• Data Confidentiality – protection of data from unauthorized disclosure.
• Data Integrity - assurance that data received is as sent by an authorized entity.
• Non-Repudiation - protection against denial by one of the parties in a communication.
• Availability service
Security Mechanisms:
• Table below lists the security mechanisms defined in X.800.
• The mechanisms are divided into those that are implemented in a specific protocol layer, such as TCP or
an application-layer protocol, and those that are not specific to any particular protocol layer or security
service.
Relationship between Security Services and Mechanisms:
Computer Security Challenges
1. Not simple – easy to get it wrong
2. Must consider potential attacks
3. Procedures used counter-intuitive
4. Involve algorithms and secret info
5. Must decide where to deploy mechanisms
6. Battle of wits between attacker / admin
7. Not perceived to be of benefit until it fails
8. Requires regular monitoring
Model for Network Security:
Using this model requires us to:
1. Design a suitable algorithm for the security transformation
2. Generate the secret information (keys) used by the algorithm
3. Develop methods to distribute and share the secret information
4. Specify a protocol enabling the principals to use the transformation and secret
information for a security service
Model for Network Access Security:
Using this model requires us to:
1. Select appropriate gatekeeper functions to identify users
2. Implement security controls to ensure only authorized users access
designated information or resources
Note that this model does not include:
1. Monitoring of system for successful penetration
2. Monitoring of authorized users for misuse
3. Audit logging for forensic uses, etc.