Cryptography and Network Security 4/e


Cryptography and Network Security
Chapter 1
Fifth Edition
by William Stallings
Security: ensuring the confidentiality (secrecy), data integrity and
availability of the components of a computing system.
Cryptographic algorithms and protocols can
be grouped into four main areas:
Symmetric encryption
• Used to conceal the contents of blocks or streams of data of any size,
including messages, files, encryption keys, and passwords
Asymmetric encryption
• Used to conceal small blocks of data, such as encryption keys and hash
function values, which are used in digital signatures
Data integrity algorithms
• Used to protect blocks of data, such as messages, from alteration
Authentication protocols
• Schemes based on the use of cryptographic algorithms designed to
authenticate the identity of entities
Definitions
• Network Security - measures to protect data during
their transmission
• Internet Security - measures to protect data during
their transmission over a collection of
interconnected networks
The field of network and Internet security consists of
measures to deter, prevent, detect, and correct security
violations that involve the transmission of information
Computer Security
• the protection afforded to an automated
information system in order to attain the
applicable objectives of preserving the
integrity, availability and confidentiality of
information system resources (includes
hardware, software, firmware,
information/data, and telecommunications)
Key Security Concepts
Levels of Impact
• can define 3 levels of impact from a security breach
– Low
– Moderate
– High
Goals of computer security
• To protect computer assets from:
– Human errors, natural disasters, physical and
electronic maliciousness.
• Confidentiality, Integrity, Availability
Confidentiality
(Secrecy, Privacy)
• Data confidentiality
– Assures that private or confidential information is not
made available or disclosed to unauthorized individuals
• Privacy
– Assures that individuals control or influence what
information related to them may be collected and stored
and by whom and to whom that information may be
disclosed
(Ensuring that the system is only accessible by authorized
parties.)
Integrity
• Data integrity
– Assures that information and programs are
changed only in a specified and authorized
manner
• System integrity
– Assures that a system performs its intended
function in an unimpaired manner, free from
deliberate or inadvertent unauthorized
manipulation of the system
Availability
• Assures that systems work promptly and
service is not denied to authorized users
• Ensuring that authorized parties are not
denied access to information and resources
• Ensuring that the computer works when it
is supposed to work and that it works the
way it should.
(access to computing resources without difficulties.)
Other goals
• Non-repudiation
– Ensuring that communication parties can't
later deny that the exchange took place (or
when the exchange took place).
• Legitimate use
– Ensuring that resources are not used by
unauthorized parties or in unauthorized ways.
– Examples:
• Printer and disk quotas.
• Spam-filters in E-mail servers.
Kinds of Security breaches
• Exposure: a form of possible loss or harm in a
computing system. Examples:
unauthorized disclosure of data, modification of data,
or denial of legitimate access to computing
• Vulnerability: is a weakness in the security system
that might be exploited to cause loss or harm
• Attack: an assault on system security, a
deliberate attempt to evade security services
(Attempt to exploit a vulnerability.)
Threat
– Threat: a potential for violation of security
• Physical threats - weather, natural disaster, bombs,
power etc.
• Human threats - stealing, trickery, spying, sabotage,
accidents.
• Software threats - viruses, Trojan horses, logic
bombs.
Network Security
Normal Flow:
• Four types of possible attacks are:
1. Interruption: services or data become unavailable, unusable,
destroyed, and so on, such as loss of a file, denial of service,
etc.
Examples: cut wire lines, jam wireless signals, drop packets
2. Interception: an unauthorized subject
has gained access to an object, such as
stealing data, overhearing others'
communication, etc.
Examples: wiring, eavesdrop
3. Modification: unauthorized changing of
data or tampering with services, such as
alteration of data, modification of
messages, etc.
Examples: intercept, replaced info
4. Fabrication: additional data or activities
are generated that would normally not
exist, such as adding a password to a
system, replaying previously sent
messages, etc.
Also called impersonation
Security Trends
OSI Security Architecture
• OSI: Open Systems Interconnection
• ITU: International Telecommunication Union
• ITU-T X.800 “Security Architecture for OSI”
• defines a systematic way of defining and
providing security requirements
• for us it provides a useful, if abstract, overview
of concepts we will study
Aspects of Security
• consider 3 aspects of information security:
– security attack
– security mechanism
– security service
Security Attack
• any action that compromises the security of
information owned by an organization
• information security is about how to prevent attacks,
or failing that, to detect attacks on information-based systems
• can focus on generic types of attacks
– passive
– active
Passive Attacks
A passive attack attempts to learn or make use of information
from the system but does not affect system resources
• Are in the nature of eavesdropping on, or monitoring of, transmissions
• Goal of the opponent is to obtain information that is being transmitted
• Two types of passive attacks are:
– The release of message contents
– Traffic analysis
Active Attacks
An active attack attempts to alter system resources or affect their
operation
• Involve some modification of the data stream or the creation of a false stream
• Difficult to prevent because of the wide variety of potential physical, software, and network vulnerabilities
• Goal is to detect attacks and to recover from any disruption or delays caused by them
Masquerade
• Takes place when one entity pretends
to be a different entity
• Usually includes one of the other
forms of active attack
Replay
• Involves the passive capture of a data
unit and its subsequent
retransmission to produce an
unauthorized effect
Modification of messages
• Some portion of a legitimate message
is altered, or messages are delayed or
reordered to produce an
unauthorized effect
Denial of service
• Prevents or inhibits the normal use or
management of communications
facilities
Security Service
– enhance security of data processing systems and
information transfers of an organization
– intended to counter security attacks
– using one or more security mechanisms
– often replicates functions normally associated
with physical documents
• which, for example, have signatures, dates; need
protection from disclosure, tampering, or destruction;
be notarized or witnessed; be recorded or licensed
Security Services
• X.800:
“a service provided by a protocol layer of
communicating open systems, which ensures
adequate security of the systems or of data
transfers”
• RFC 4949:
“a processing or communication service provided by
a system to give a specific kind of protection to
system resources”
Security Services (X.800)
• Authentication - assurance that the
communicating entity is the one claimed
There are two specific authentication services defined in X.800:
1. Peer entity authentication: provides for the corroboration
of the identity of a peer entity in an association.
2. Data origin authentication: provides for the corroboration
of the source of a data unit.
• Access Control - prevention of the
unauthorized use of a resource
• Data Confidentiality - protection of data from
unauthorized disclosure
• Data Integrity - assurance that data received is
as sent by an authorized entity
• Non-Repudiation - protection against denial
by one of the parties in a communication
Security Mechanism
• feature designed to detect, prevent, or
recover from a security attack
• no single mechanism that will support all
services required
• however one particular element underlies
many of the security mechanisms in use:
– cryptographic techniques
• hence our focus on this topic
Security Mechanisms (X.800)
• specific security mechanisms:
– encipherment, digital signatures, access controls,
data integrity, authentication exchange, traffic
padding, routing control, notarization
• pervasive security mechanisms:
– trusted functionality, security labels, event
detection, security audit trails, security recovery
Model for Network Security
• using this model requires us to:
1. design a suitable algorithm for the security
transformation
2. generate the secret information (keys) used by
the algorithm
3. develop methods to distribute and share the
secret information
4. specify a protocol enabling the principals to use
the transformation and secret information for a
security service
Model for Network Access Security
• using this model requires us to:
1. select appropriate gatekeeper functions to
identify users
2. implement security controls to ensure only
authorised users access designated information
or resources
• trusted computer systems may be useful to
help implement this model
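The two layers of this model, as an added example that is not part of the original slides: a gatekeeper function that identifies the user, followed by an internal control that decides what an identified user may do. The user names, passwords, resource name and PBKDF2 iteration count are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2 work factor; an assumed value, tune per host


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll(users: dict, name: str, password: str) -> None:
    """Store a per-user random salt and derived verifier, never the password."""
    salt = secrets.token_bytes(16)
    users[name] = (salt, _derive(password, salt))


def gatekeeper(users: dict, name: str, password: str) -> bool:
    """Step 1: identify the user. Unknown names still cost one derivation."""
    salt, stored = users.get(name, (b"\x00" * 16, b""))
    candidate = _derive(password, salt)
    return hmac.compare_digest(candidate, stored)


def authorised(acl: dict, name: str, resource: str, action: str) -> bool:
    """Step 2: internal control with default deny."""
    return action in acl.get(resource, {}).get(name, frozenset())


def request(users, acl, name, password, resource, action) -> str:
    if not gatekeeper(users, name, password):
        return "denied: authentication failed"
    if not authorised(acl, name, resource, action):
        return "denied: not authorised"
    return "granted"


def demo() -> list:
    # Constructed sample data: two enrolled users, one ACL entry.
    users, acl = {}, {"payroll.db": {"alice": {"read"}}}
    enroll(users, "alice", "correct horse")
    enroll(users, "bob", "battery staple")
    return [
        request(users, acl, "alice", "correct horse", "payroll.db", "read"),
        request(users, acl, "alice", "correct horse", "payroll.db", "write"),
        request(users, acl, "bob", "battery staple", "payroll.db", "read"),
        request(users, acl, "alice", "wrong guess", "payroll.db", "read"),
        request(users, acl, "mallory", "anything", "payroll.db", "read"),
    ]
```

The second and third results show why the gatekeeper alone is not enough: both users authenticate correctly, and only the internal control stops the request.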
Summary
• have considered:
– definitions for:
• computer, network, internet security
• X.800 standard
• security attacks, services, mechanisms
• models for network (access) security