Information and Network Security


1 Information and Network Security
Introduction Dr. Hadi AL Saadi

2 Objectives
To define three security goals
To define security attacks that threaten security goals
To define security services and how they are related to the three security goals
To define security mechanisms to provide security services
To introduce two techniques, cryptography and steganography, to implement security mechanisms

3 1-1 SECURITY GOALS
Confidentiality – Can you keep a secret? Specifies that only the sender and the intended recipients should be able to access the content of a message. Confidentiality is compromised if an unauthorized person is able to access a message. This type of attack is called interception.
Integrity – Did you get the message I sent? When the contents of the message are changed after the sender sends it, but before it reaches the intended recipient, we say the integrity of the message is lost. This type of attack is called modification.

4 Availability – Are you there when needed?
The principle of availability states that resources (i.e., information) should be available to authorized parties at all times. For example, due to the intentional actions of an unauthorized user C, an authorized user A may not be able to contact server computer B. This would defeat the principle of availability. Such an attack is called interruption.

5 1-2 Security Attacks
Passive attacks: are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted.
Active attacks: involve some modification of the data stream or the creation of a false stream. Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely, because of the wide variety of potential physical, software, and network vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them.

6 The three goals of security (confidentiality, integrity, and availability) can be threatened by security attacks.

7 Snooping

8

9 Fig.2 Replay

10 1.2.3 Attacks Threatening Availability
Denial of service (DoS) is a very common attack. It may slow down or totally interrupt the service of a system.

11

12 enhance security of data processing systems and information transfers of an organization
intended to counter security attacks
using one or more security mechanisms
often replicate functions normally associated with physical documents, which, for example, have signatures and dates; need protection from disclosure, tampering, or destruction; may be notarized or witnessed; may be recorded or licensed
Consider the role of a security service, and what may be required. Note both similarities and differences with traditional paper documents.

13

14 X.800: “a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers”
RFC 2828: “a processing or communication service provided by a system to give a specific kind of protection to system resources”

15 Security Mechanism
Encipherment: hiding or covering data; can provide confidentiality. Two techniques: cryptography and steganography.
Data integrity: appends to the data a short check value that has been created by a specific process from the data itself.
Digital signature: the sender can electronically sign the data and the receiver can verify the signature.
Authentication exchange: two entities exchange some messages to prove their identity to each other.
Traffic padding: inserting some bogus data into the traffic to thwart the adversary’s attempt to use traffic analysis.
Routing control: selecting and continuously changing different available routes between the sender and the receiver.
Notarization: selecting a trusted third party to control the communication between two entities (to prevent repudiation).
Access control: uses a method to prove that the user has access rights to the data or resources owned by the system (PINs or passwords).
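Added example (not part of the original slides): the data integrity mechanism above, used by a receiver to detect the modification and replay attacks named earlier. It assumes the check value is a keyed one (HMAC-SHA256 under a shared secret), since an unkeyed hash could simply be recomputed by whoever alters the message; the sequence-number header and all names are hypothetical.

```python
import hashlib
import hmac

TAG_LEN = 32  # size of an HMAC-SHA256 check value in bytes
SEQ_LEN = 8   # size of the sequence-number header in bytes


def protect(key: bytes, seq: int, data: bytes) -> bytes:
    """Sender side: prepend a sequence number, append the check value."""
    header = seq.to_bytes(SEQ_LEN, "big")
    tag = hmac.new(key, header + data, hashlib.sha256).digest()
    return header + data + tag


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, packet: bytes):
        """Return (status, data); data is None unless status is 'ok'."""
        if len(packet) < SEQ_LEN + TAG_LEN:
            return "malformed", None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison; a mismatch means the data was changed.
        if not hmac.compare_digest(tag, expected):
            return "modified", None
        seq = int.from_bytes(body[:SEQ_LEN], "big")
        # A valid tag on an old sequence number is a captured packet resent.
        if seq <= self.last_seq:
            return "replayed", None
        self.last_seq = seq
        return "ok", body[SEQ_LEN:]


def demo():
    key = bytes(range(32))  # constructed shared secret, for illustration only
    rx = Receiver(key)
    original = protect(key, 0, b"pay 100 to A")
    tampered = original.replace(b"100", b"900")  # modification in transit
    return [
        rx.accept(original)[0],                         # first delivery
        rx.accept(tampered)[0],                         # altered copy
        rx.accept(original)[0],                         # same packet again
        rx.accept(protect(key, 1, b"pay 5 to B"))[0],   # next message
    ]


if __name__ == "__main__":
    print(demo())
```

The check value only detects the attacks; preventing an eavesdropper from reading the message is the job of encipherment, a separate mechanism in the list above.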

16 1.3.3 Relation between Services and Mechanisms

17 Model for Network Security
In considering the place of encryption, it is useful to use the following two models from Stallings section 1.6. The first, illustrated in Figure 1.4, models information being transferred from one party to another over an insecure communications channel, in the presence of possible opponents. The two parties, who are the principals in this transaction, must cooperate for the exchange to take place. They can use an appropriate security transform (encryption algorithm), with suitable keys, possibly negotiated using the presence of a trusted third party. Parts One through Four of this book concentrate on the types of security mechanisms and services that fit into the model shown here.

18 Model for Network Security
Using this model requires us to:
design a suitable algorithm for the security transformation
generate the secret information (keys) used by the algorithm
develop methods to distribute and share the secret information
specify a protocol enabling the principals to use the transformation and secret information for a security service

19 Model for Network Access Security
Using this model requires us to:
select appropriate gatekeeper functions to identify users
implement security controls to ensure only authorised users access designated information or resources
The second model, illustrated in Figure 1.5, is concerned with controlled access to information or resources on a computer system, in the presence of possible opponents. Here appropriate controls are needed on the access to and within the system, to provide suitable security. The security mechanisms needed to cope with unwanted access fall into two broad categories (as shown in this figure). The first category might be termed a gatekeeper function. It includes password-based login procedures that are designed to deny access to all but authorized users and screening logic that is designed to detect and reject worms, viruses, and other similar attacks. Once either an unwanted user or unwanted software gains access, the second line of defense consists of a variety of internal controls that monitor activity and analyze stored information in an attempt to detect the presence of unwanted intruders. These issues are explored in Part Four.

20 1-4 TECHNIQUES
Mechanisms discussed in the previous sections are only theoretical recipes to implement security. The actual implementation of security goals needs some techniques. Two techniques are prevalent today: cryptography and steganography.

21 Cryptography
Cryptography, a word with Greek origins, means “secret writing.” However, we use the term to refer to the science and art of transforming messages to make them secure and immune to attacks.

22 Steganography
The word steganography, with origin in Greek, means “covered writing,” in contrast with cryptography, which means “secret writing.”
Example: covering data with text

23 Example: using dictionary
Example: covering data under color image

