Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography and Network Security Chapter 1

Published byCarmel Hall Modified over 9 years ago

Similar presentations

Presentation on theme: "Cryptography and Network Security Chapter 1"— Presentation transcript:

1 Cryptography and Network Security Chapter 1
Fifth Edition by William Stallings “Cryptography and Network Security”, 4/e, by William Stallings, Chapter 1 “Introduction”.

2 Security: is ensuring the (Secrecy) confidentiality, data integrity and availability of components of computing system. .

3 Cryptographic algorithms and protocols can be grouped into four main areas:
Used to conceal the contents of blocks or streams of data of any size, including messages, files, encryption keys, and passwords Symmetric encryption Used to conceal small blocks of data, such as encryption keys and hash function values, which are used in digital signatures Asymmetric encryption Used to protect blocks of data, such as messages, from alteration Data integrity algorithms Schemes based on the use of cryptographic algorithms designed to authenticate the identity of entities Authentication protocols

4 Definitions Network Security - measures to protect data during their transmission Internet Security - measures to protect data during their transmission over a collection of interconnected networks Here are some key definitions, note boundaries between them are blurred.

5 The field of network and Internet security consists of:
measures to deter, prevent, detect, and correct security violations that involve the transmission of information The field of network and Internet security consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information. That is a broad statement that covers a host of possibilities.

6 Computer Security the protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)

7 Key Security Concepts These three concepts form what is often referred to as the CIA triad The three concepts embody the fundamental security objectives for both data and for information and computing services. FIPS PUB 199 provides a useful characterization of these three objectives in terms of requirements and the definition of a loss of security in each category: • Confidentiality (covers both data confidentiality and privacy): preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information. • Integrity (covers both data and system integrity): Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information. • Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system. Although the use of the CIA triad to define security objectives is well established, some in the security field feel that additional concepts are needed to present a complete picture. Two of the most commonly mentioned are: • Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. • Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.

8 Levels of Impact can define 3 levels of impact from a security breach
Low Moderate High We can define three levels of impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). These levels are defined in FIPS PUB 199: • Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals. • Moderate: The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means that, for example, the loss might (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious, life-threatening injuries. • High: The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect means that, for example, the loss might (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.

9 Goals of computer security
• To protect computer assets from: – Human errors, natural disasters, physical and electronic maliciousness. • Confidentiality, Integrity, Availability .

10 Confidentiality ( Secrecy, Privacy).
Data confidentiality Assures that private or confidential information is not made available or disclosed to unauthorized individuals Privacy Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed (Ensuring that the system is only accessible by authorized parties.) This definition introduces three key objectives (goals) that are at the heart of computer security: • Confidentiality: This term covers two related concepts: Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals. Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed. •Integrity: This term covers two related concepts: Data integrity: Assures that information and programs are changed only in a specified and authorized manner. System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system. • Availability: Assures that systems work promptly and service is not denied to authorized users

11 Integrity Data integrity
Assures that information and programs are changed only in a specified and authorized manner System integrity Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system

12 Availability • Assures that systems work promptly and service is not denied to authorized users Ensuring that authorized parties are not denied access to information and resources • Ensuring that the computer works when it is supposed to work and that it works the way it should. (access to computing resources without difficulties.) . .

13 Other goals Non-repudiation
– Ensuring that communication parties can't later deny that the exchange took place (or when the exchange took place). Legitimate use – Ensuring that resources are not used by unauthorized parties or in unauthorized ways. – Examples: Printer and disk quotas. Spam-filters in servers.. .

14 Kinds of Security breaches
Exposure: . A form of possible loss or a harm in computing system . Examples : Unauthorized disclosure of data ,modification of data or Denial legitimate access to computing Vulnerability: is a weakness in the security system that might be exploited to cause loss or harm • Attack: an assault on system security, a deliberate attempt to evade security services (Attempt to exploit a vulnerability.) .

15 Threat Threat:- a potential for violation of security
Physical threats - weather, natural disaster, bombs, power etc. Human threats - stealing, trickery, spying, sabotage, accidents. Software threats - viruses, Trojan horses, logic bombs. .

16 Network Security .

17 Network Security Normal Flow: .

18 Network Security Four types of possible attacks are:
Interruption: services or data become unavailable, unusable, destroyed, and so on, such as lost of file, denial of service, etc. . Cut wire lines, Jam wireless signals, Drop packets,

19 2. Interception: an unauthorized subject has gained access to an object, such as stealing data, overhearing others communication, etc. . Wiring, eavesdrop

20 3. Modification: unauthorized changing of data or tempering with services, such as alteration of data, modification of messages, etc. . Replaced info intercept

21 4. Fabrication: additional data or activities are generated that would normally no exist, such as adding a password to a system, replaying previously send messages, etc. . Also called impersonation

22 Security Trends Discuss observed security trends (Stallings section 1.1 & Figure 1.2 above), noting growth in sophistication of attacks contrasting with decrease in skill & knowledge needed to mount an attack.

23 OSI Security Architecture. OSI : Open System Interconnection
OSI Security Architecture . OSI : Open System Interconnection . ITU : International Telecommunication Union ITU-T X.800 “Security Architecture for OSI” defines a systematic way of defining and providing security requirements for us it provides a useful, if abstract, overview of concepts we will study To assess effectively the security needs of an organization and to evaluate and choose various security products and policies, the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. This is difficult enough in a centralized data processing environment; with the use of local and wide area networks,the problems are compounded. ITU-T Recommendation X.800, Security Architecture for OSI, defines such a systematic approach. The OSI security architecture is useful to managers as a way of organizing the task of providing security.

24 Aspects of Security consider 3 aspects of information security:
security attack security mechanism security service The OSI security architecture focuses on security attacks,mechanisms,and services. These can be defined briefly as follows: • Security attack: Any action that compromises the security of information owned by an organization. • Security mechanism: A process (or a device incorporating such a process) that is designed to detect, prevent,or recover from a security attack. • Security service: A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization.The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.

25 Security Attack any action that compromises the security of information owned by an organization information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems can focus of generic types of attacks passive active Expand on definition and use of “security attack”, as detailed above. See Stallings Table 1.1 for definitions of threat and attack.

26 Passive Attacks A passive attack attempts to learn or make use of information from the system but does not affect system resources A useful means of classifying security attacks, used both in X.800 and RFC 2828, is in terms of passive attacks and active attacks. A passive attack attempts to learn or make use of information from the system but does not affect system resources. Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are: + release of message contents - as shown above in Stallings Figure 1.2a here + traffic analysis - monitor traffic flow to determine location and identity of communicating hosts and could observe the frequency and length of messages being exchanged These attacks are difficult to detect because they do not involve any alteration of the data. Are difficult to detect because they do not involve any alteration of the data.

27 Two types of passive attacks are:
The release of message contents Traffic analysis Are in the nature of eavesdropping on, or monitoring of, transmissions Goal of the opponent is to obtain information that is being transmitted Passive attacks (Figure 1.1) are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are the release of message contents and traffic analysis. The release of message contents is easily understood. A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information. We would like to prevent an opponent from learning the contents of these transmissions. A second type of passive attack, traffic analysis , is subtler. Suppose that we had a way of masking the contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from the message. The common technique for masking contents is encryption. If we had encryption protection in place, an opponent might still be able to observe the pattern of these messages. The opponent could determine the location and identity of communicating hosts and could observe the frequency and length of messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place. Passive attacks are very difficult to detect, because they do not involve any alteration of the data. Typically, the message traffic is sent and received in an apparently normal fashion, and neither the sender nor receiver is aware that a third party has read the messages or observed the traffic pattern. However, it is feasible to prevent the success of these attacks, usually by means of encryption. Thus, the emphasis in dealing with passive attacks is on prevention rather than detection.

28 Active Attacks An active attack attempts to alter system resources or affect their operation
Also have “active attacks” which attempt to alter system resources or affect their operation. By modification of data stream to: + masquerade of one entity as some other + replay previous messages (as shown above in Stallings Figure 1.4b) + modify messages in transit + denial of service Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely, because of the wide variety of potential physical,software,and network vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them.

29 Modification of messages
Active Attacks Involve some modification of the data stream or the creation of a false stream Difficult to prevent because of the wide variety of potential physical, software, and network vulnerabilities Goal is to detect attacks and to recover from any disruption or delays caused by them Takes place when one entity pretends to be a different entity Usually includes one of the other forms of active attack Masquerade Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect Replay Some portion of a legitimate message is altered, or messages are delayed or reordered to produce an unauthorized effect Modification of messages Prevents or inhibits the normal use or management of communications facilities Denial of service Active attacks (Figure 1.1b) involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service. A masquerade takes place when one entity pretends to be a different entity (path 2 of Figure 1.1b is active). A masquerade attack usually includes one of the other forms of active attack. For example, authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges. Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect (paths 1, 2, and 3 active). Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect (paths 1 and 2 active). For example, a message meaning “Allow John Smith to read confidential file accounts ” is modified to mean “Allow Fred Brown to read confidential file accounts. ” The denial of service prevents or inhibits the normal use or management of communications facilities (path 3 active). This attack may have a specific target; for example, an entity may suppress all messages directed to a particular destination (e.g., the security audit service). Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance. Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely because of the wide variety of potential physical, software, and network vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them. If the detection has a deterrent effect, it may also contribute to prevention.

30 Security Service enhance security of data processing systems and information transfers of an organization intended to counter security attacks using one or more security mechanisms often replicates functions normally associated with physical documents which, for example, have signatures, dates; need protection from disclosure, tampering, or destruction; be notarized or witnessed; be recorded or licensed Consider the role of a security service, and what may be required. Note both similarities and differences with traditional paper documents, which for example: have signatures & dates; need protection from disclosure, tampering, or destruction; may be notarized or witnessed; may be recorded or licensed

31 Security Services X.800: RFC 4949 :
“a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers” RFC 4949 : “a processing or communication service provided by a system to give a specific kind of protection to system resources” Also have a couple of definition of “security services” from relevant standards. X.800 defines a security service as a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers. Perhaps a clearer definition is found in RFC 2828, which provides the following definition: a processing or communication service that is provided by a system to give a specific kind of protection to system resources; security services implement security policies and are implemented by security mechanisms.

32 Security Services (X.800) Authentication - assurance that the communicating entity is the one claimed There are two specific authentication services defined in X.800: Peer entity authentication:- Provides for the corroboration of the entity of a peer entity in association. Data origin authentication:- provides for the corroboration of the source of a data units. This list includes the various "classic" security services which are traditionally discussed. Note there is a degree of ambiguity as to the meaning of these terms, and overlap in their use. See Stallings Table 1.2 for details of the 5 Security Service categories and the 14 specific services given in X.800.

33 Security Services (X.800) Access Control - prevention of the unauthorized use of a resource Data Confidentiality –protection of data from unauthorized disclosure Data Integrity - assurance that data received is as sent by an authorized entity Non-Repudiation - protection against denial by one of the parties in a communication This list includes the various "classic" security services which are traditionally discussed. Note there is a degree of ambiguity as to the meaning of these terms, and overlap in their use. See Stallings Table 1.2 for details of the 5 Security Service categories and the 14 specific services given in X.800.

34 Security Mechanism feature designed to detect, prevent, or recover from a security attack no single mechanism that will support all services required however one particular element underlies many of the security mechanisms in use: cryptographic techniques hence our focus on this topic Now introduce “Security Mechanism” which are the specific means of implementing one or more security services. Note these mechanisms span a wide range of technical components, but one aspect seen in many is the use of cryptographic techniques.

35 Security Mechanisms (X.800)
specific security mechanisms: encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization pervasive security mechanisms: trusted functionality, security labels, event detection, security audit trails, security recovery Some examples of mechanisms from X.800. Note that the “specific security mechanisms” are protocol layer specific, whilst the “pervasive security mechanisms” are not. We will meet some of these mechanisms in much greater detail later. See Stallings Table 1.3 for details of these mechanisms in X.800, and Table 1.4 for the relationship between services and mechanisms.

36 Model for Network Security
In considering the place of encryption, its useful to use the following two models from Stallings section 1.6. The first, illustrated in Figure 1.5, models information flowing over an insecure communications channel, in the presence of possible opponents. Hence an appropriate security transform (encryption algorithm) can be used, with suitable keys, possibly negotiated using the presence of a trusted third party.

37 Model for Network Security
using this model requires us to: design a suitable algorithm for the security transformation generate the secret information (keys) used by the algorithm develop methods to distribute and share the secret information specify a protocol enabling the principals to use the transformation and secret information for a security service This general model shows that there are four basic tasks in designing a particular security service, as listed.

38 Model for Network Access Security
The second, illustrated in Figure 1.6, model is concerned with controlled access to information or resources on a computer system, in the presence of possible opponents. Here appropriate controls are needed on the access and within the system, to provide suitable security. Some cryptographic techniques are useful here also.

39 Model for Network Access Security
using this model requires us to: select appropriate gatekeeper functions to identify users implement security controls to ensure only authorised users access designated information or resources trusted computer systems may be useful to help implement this model Detail here the tasks needed to use this model. Note that trusted computer systems (discussed in Ch 20 can be useful here).

40 Summary have considered: X.800 standard
definitions for: computer, network, internet security X.800 standard security attacks, services, mechanisms models for network (access) security Chapter 1 summary.

Download ppt "Cryptography and Network Security Chapter 1"

Similar presentations

Network Security Chapter 1 - Introduction.

Network Security Chapter 1 - Introduction.
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
Cryptography and Network Security Sixth Edition by William Stallings.

Cryptography and Network Security Sixth Edition by William Stallings.
Prof. Giovambattista Ianni - 2013.  10 ECTS (5 Theory + 5 Lab.)  Suggested material:  W. Stallings, Cryptography and Network Security  W. Stallings,

Prof. Giovambattista Ianni  10 ECTS (5 Theory + 5 Lab.)  Suggested material:  W. Stallings, Cryptography and Network Security  W. Stallings,
Chapter 1 This book focuses on two broad areas: cryptographic algorithms and protocols, which have a broad range of applications; and network and Internet.

Chapter 1 This book focuses on two broad areas: cryptographic algorithms and protocols, which have a broad range of applications; and network and Internet.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
IT 221: Introduction to Information Security Principles Lecture 1: Introduction to IT Security For Educational Purposes Only Revised: August 28, 2002.

IT 221: Introduction to Information Security Principles Lecture 1: Introduction to IT Security For Educational Purposes Only Revised: August 28, 2002.
Chapter 1 – Introduction

Chapter 1 – Introduction
4/16/2017 Network Security Mehrdad Nourani.

4/16/2017 Network Security Mehrdad Nourani.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not.

Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not.
Computer and Information Security

Computer and Information Security
Computer and Information Security Jen-Chang Liu, 2004

Computer and Information Security Jen-Chang Liu, 2004
Applied Cryptography for Network Security

Applied Cryptography for Network Security
Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,

Cryptography and Network Security Chapter 1. Chapter 1 – Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming,
Cryptography and Network Security Overview & Chapter 1 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Editied by R. Newman.

Cryptography and Network Security Overview & Chapter 1 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Editied by R. Newman.
“Network Security” Introduction. My Introduction Obaid Ullah Owais Khan Obaid Ullah Owais Khan B.E (I.T) – Hamdard University(2003), Karachi B.E (I.T)

“Network Security” Introduction. My Introduction Obaid Ullah Owais Khan Obaid Ullah Owais Khan B.E (I.T) – Hamdard University(2003), Karachi B.E (I.T)
Introduction (Pendahuluan)  Information Security.

Introduction (Pendahuluan)  Information Security.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 1 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 1 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Similar presentations

Ads by Google