Introduction

Dr. Md. Mahbubur Rahman

Textbook
Cryptography: Theory and
Practice
by Douglas R. Stinson CRC
press
Cryptography and Network
Security: Principles and
Practice;By William Stallings
Prentice Hall
Network Security: Private
Communication in a Public
World
Charlie Kaufman, Radia

Learning Objectives
Describe the key security requirements of
confidentiality, integrity, and availability
Discuss the types of security threats and
attacks that must be dealt with and give
examples of threats and attacks that apply to
different categories of computer and network
assets
Summarize the functional requirements for
computer security
Describe the X.800 security architecture for
OSI
Cryptography applications

Cryptography

Hidden writing
Increasingly used to protect
information
Can ensure confidentiality
Integrity and Authenticity too

History The Manual Era

Dates back to at least 2000 B.C.

Pen and Paper Cryptography
Examples

Scytale
Atbash
Caesar
Vigenre

History The Mechanical Era

Invention of cipher machines

Examples
Confederate Armys Cipher Disk
Japanese Red and Purple Machines
German Enigma

History The Modern Era

Computers!
Examples

Lucifer
Rijndael
RSA
ElGamal

Computer Security Concepts

Before the widespread use of data processing
equipment, the security of information valuable to
an organization was provided primarily by physical
and administrative means
With the introduction of the computer, the need for
automated tools for protecting files and other
information stored on the computer became
evident
Another major change that affected security is the
introduction of distributed systems and the use of
networks and communications facilities for carrying
data between terminal user and computer and
between computers

 Computer security
The generic name for the collection of
tools designed to protect data and to
thwart hackers

internet security
Consists of measures to deter, prevent,
detect, and correct security violations that
involve the transmission of information

Security Trends

Computer Security

The NIST Computer

Security Handbook defines
the term computer security
as:
NIST: National Institute of Standards
and Technology

This definition introduces three

key objectives that are at the
heart of computer security.

The protection
afforded to an automated
information system in
order to attain the
applicable objectives of
preserving the integrity,
availability, and
confidentiality of
information system
resources (includes
hardware, software,
firmware,
information/data, and
telecommunications)

NIST

Computer Security Objectives

Confidentialit
y
Data confidentiality
Assures that private or confidential
information is not made available or
disclosed to unauthorized individuals
Privacy
Assures that individuals control or
influence what information related to them
may be collected and stored and by whom
and to whom that information may be
disclosed
Availability
Assures that systems work promptly and
service is not denied to authorized users

Integrity
Data integrity
Assures that information and programs
are changed only in a specified and
authorized manner
System integrity
Assures that a system performs its
intended function in an unimpaired
manner, free from deliberate or
inadvertent unauthorized manipulation of
the system

CIA Triad

The Security Requirements Triad

Confidentiality is probably the most common aspect of

information security. We need to protect our confidential
information. An organization needs to guard against those
malicious actions that endanger the confidentiality of its
information.
Integrity : Information needs to be changed constantly.
Integrity means that changes need to be done only by authorized
entities and through authorized mechanisms.
Availability : The information created and stored by an
organization needs to be available to authorized entities.
Information needs to be constantly changed, which means it must
be accessible to authorized entities.

Possible additional concepts:

Authenticity

Accountability

Verifying that users

are who they say
they are and that
each input arriving
at the system came
from a trusted
source

The security goal

that generates the
requirement for
actions of an entity
to be traced
uniquely to that
entity

Breach of Security
3 Levels of Impact

Hi
gh

The loss could be expected to have a

severe or catastrophic adverse
effect on organizational operations,
organizational assets, or individuals

Moderat
e
Low

The loss could be expected to have

a serious adverse effect on
organizational operations,
organizational assets, or individuals
The loss could be expected
to have a limited
adverse effect on
organizational
operations,
organizational assets, or
individuals

Examples of Security Requirements

Confidential
ity
Student grade
information is an
asset whose
confidentiality is
considered to be
highly important by
students

Regulated by the
Family Educational
Rights and Privacy Act
(FERPA)

Integrity
(consistency
)
Patient information
stored in a database
inaccurate
information could
result in serious harm
or death to a patient
and expose the
hospital to massive
liability
A Web
site that
offers a forum to
registered users to
discuss some specific
topic would be
assigned a moderate
of integrity
Anlevel
example
of a lowintegrity requirement
is an anonymous
online poll

Availability
The more critical a
component or
service, the higher
the level of availability
required
A moderate
availability
requirement is a
public Web site for
a university
An online telephone
directory lookup
application would be
classified as a lowavailability
requirement

Computer Security Challenges

Security is not simple

Potential attacks on the
security features need to
be considered
Procedures used to provide
particular services are often
counter-intuitive
It is necessary to decide
where to use the various
security mechanisms
Requires constant
monitoring
Is too often an
afterthought

Security mechanisms
typically involve more than
a particular algorithm or
protocol
Security is essentially a
battle of wits between a
perpetrator and the designer
Little benefit from security
investment is perceived
until a security failure occurs
Strong security is often
viewed as an impediment
to efficient and user-friendly
operation

ITU-T
The ITU Telecommunication Standardization Sector
(ITU-T) is one of the three sectors (divisions or units) of
the International Telecommunication Union (ITU); it
coordinates standards for telecommunications.

The ITU-T mission is to ensure the efficient and timely

production of standards covering all fields of
telecommunications on a worldwide basis, as well as
defining tariff and accounting principles for international
telecommunication services.

OSI

ISOThe
International
Organization
for
Standardization (French: Organisation internationale
de normalisation;) produced OSI (Open Systems
Interconnection Reference Model, the OSI Reference
Model, or even just the OSI Model)

History OF OSI

In the late 1970s, two projects began independently, with

the same goal: to define a unifying standard for the
architecture of networking systems.
One was administered by the International Organization
for Standardization (ISO), while the other was undertaken
by the International Telegraph and Telephone Consultative
Committee, or CCITT (the abbreviation is from the French
version of the name).
These two international standards bodies each developed
a document that defined similar networking models. ISO
7498, ITU-T (formerly CCITT ) standard X.200 (1984)

X.800

X.800 Recommendation:
1. provides a general description of security services
and related mechanisms, which may be provided by the
Reference Model; and
2. defines the positions within the Reference Model
where the services and mechanisms may be provided.
This Recommendation extends the field of application of
recommendation
X.200,
to
cover
secure communications between open systems.

OSI Security Architecture

ITU-T Recommendation X.800, Security Architecture for OSI
describes a systematic way of defining the requirements for security
and characterizing the approaches to satisfying those requirements.
Focus

Security attack
Any action that compromises the security of information
owned by an organization
Security mechanism
A process (or a device incorporating such a process) that
is designed to detect, prevent, or recover from a security
attack
Security service
A processing or communication service that enhances
the security of the data processing systems and the
information transfers of an organization
Intended to counter security attacks, and they make
use of one or more security mechanisms to provide the
service

IETF and RFC

The Internet Engineering Task Force (IETF) (1986)

develops and promotes voluntary Internet standards, in
particular
the
standards
that
comprise
the
Internet protocol suite (TCP/IP).
A Request for Comments (RFC) is a publication of the
Internet Engineering Task Force
(IETF)
and
the
Internet Society, the principal technical development and
standards-setting bodies for the Internet.
The Internet Society (ISoc) is an international, nonprofit organization founded in 1992 to provide leadership
in Internet related standards, education, and policy.

ATTACKS
The three goals of security confidentiality,
integrity, and availability can be threatened
by security attacks.

Threats and Attacks (RFC 4949)

Internet Security
Glossary, Version 2
This Glossary provides definitions, abbreviations, and
explanations of terminology for information system
security.

Security Attacks

A means of classifying security attacks, used both in

X.800 and RFC 4949, is in terms of passive attacks
and active attacks
A passive attack attempts to learn or make use of
information from the system but does not affect
system resources
An active attack attempts to alter system resources or
affect their operation

Passive Attacks
(Two types)

Are in the nature of

eavesdropping on, or
monitoring of,
transmissions
Goal of the opponent is
to obtain information
that is being transmitted

Two types of passive

attacks are:
The release of
message contents
Traffic analysis

Snooping refers to unauthorized access to or interception of

data.

Traffic analysis refers to obtaining some other type of

information by monitoring online traffic.

Active Attacks (4 types)

Involve some modification of the data stream or the

creation of a false stream
Difficult to prevent because of the wide variety of potential
physical, software, and network vulnerabilities
Goal is to detect attacks and to recover from any disruption
or delays caused by them

Modification means that the attacker intercepts the message

and changes it.
Masquerading or spoofing happens when the attacker
impersonates somebody else.
Replaying means the attacker obtains a copy
of a message sent by a user and later tries to replay it.
Repudiation means that sender of the message might later
deny that she has sent the message; the receiver of the
message might later deny that he has received the message.

Denial of service (DoS) is a very common attack. It may

slow down or totally interrupt the service of a system.

Active Attacks (4 types)

SERVICESANDMECHANISMS
ITU-T provides some security services and some
mechanisms to implement those services. Security
services and mechanisms are closely related because a
mechanism or combination of mechanisms are used to
provide a service.

Security Services

Security service defined by X.800 as:

A service provided by a protocol layer of communicating open

systems and that ensures adequate security of the systems or of

data transfers

Defined by RFC 4949 as:

A processing or communication service provided by

a system to give a specific kind of protection to
system resources

X.800 Service Categories

X.800 divides these services into five categories and
fourteen specific services
Authentication
Access control
Data confidentiality
Data integrity
Nonrepudiation

Security
Services
(X.800)

Authentication
Concerned with assuring that a communication is
authentic
In the case of a single message, assures the
recipient that the message is from the source that it
claims to be from
In the case of ongoing interaction, assures the two
entities are authentic and that the connection is
not interfered with in such a way that a third party
can masquerade as one of the two legitimate
parties

Two entities are considered peers if they implement

the same protocol in different systems (e.g., two TCP modules in two
communicating systems).

Access Control
The ability to limit and control the access to host
systems and applications via communications links
To achieve this, each entity trying to gain access must
first be identified, or authenticated, so that access
rights can be tailored to the individual

Data Confidentiality
The protection of transmitted data from passive attacks
Broadest service protects all user data transmitted
between two users over a period of time
Narrower forms of service include the protection of
a single message or even specific fields within a
message
The protection of traffic flow from analysis
This requires that an attacker not be able to observe
the source and destination, frequency, length, or
other characteristics of the traffic on a communications
facility

Data Integrity

Nonrepudiation
Prevents either sender or receiver from denying a
transmitted message
When a message is sent, the receiver can prove that
the alleged sender in fact sent the message
When a message is received, the sender can prove
that the alleged receiver in fact received the message

Availability service
Availability
The property of a system or a system resource being
accessible and usable upon demand by an
authorized system entity, according to
performance specifications for the system
Availability service
One that protects a system to ensure its availability
Addresses the security concerns raised by denialof-service attacks
Depends on proper management and control of
system resources

Security Mechanisms (X.800)

Specific security mechanisms: incorporated
into the appropriate protocol layer in order to
provide some of the OSI security services

Encipherment
digital signatures
access controls
data integrity
authentication exchange
traffic padding
routing control
notarization

Security
Mechanisms
(X.800)

Relationship Between Security Services and

Mechanisms

Relationship Between Security Services

and Mechanisms

TECHNIQUES

Mechanisms discussed already are only theoretical

recipes to implement
security. The actual
implementation of security goals needs some
techniques. Two techniques are prevalent today:
cryptography and steganography.

1.57

Cryptography
Cryptography, a word with Greek origins, means
secret writing. However, we use the term to refer to
the science and art of transforming messages to make
them secure and immune to attacks.

1.58

Steganography
The word steganography, with origin in Greek, means
covered writing, in contrast with cryptography, which
means secret writing.

Example: covering data with text

1.59

Example: using dictionary

Example: covering data under color image

1.60

What is Cryptology

cryptography: The act or art of writing in secret characters.

cryptanalysis: The analysis and deciphering of secret
writings.
cryptology: (Websters) the scientific study of cryptography
and cryptanalysis.
In our context cryptology is the scientific study of protection
of information.

Cryptographic Services
Cryptography supports the following services:
1. Confidentiality
2. Integrity
3. Authentication
4. Identity
5. Timeliness
6. Proof of ownership
Each has various different requirements in different
circumstances, and each issupported by a wide variety of
schemes.

Applications

1. Communications (encryption or
authentication)
2. File and data base security
3. Electronic funds transfer
4. Electronic Commerce
5. Digital cash
6. Contract signing
7. Electronic mail
8. Authentication: Passwords, PINs
9. Secure identification, Access control
10. Secure protocols
11. Proof of knowledge

Applications (cont.)

12. Construction by collaborating parties (secret sharing)

13. Copyright protection
14. etc.

Model for Network Security

A Model for Network Security

Using this model requires us to:

1.
2.
3.
4.

Design a suitable algorithm for the security

transformation
Generate the secret information (keys) used by the
algorithm
Develop methods to distribute and share the secret
information
Specify a protocol enabling the principals to use the
transformation and secret information for a security
service

Network Access Security Model

A Model for Network Access

Security
Using this model requires us to:
1.
2.

Select appropriate gatekeeper functions to identify users

Implement security controls to ensure only authorized
users access designated information or resources

Unwanted Access
Placement in a computer
system of logic that exploits
vulnerabilities in the system
and that can affect application
programs as well as utility
programs

standards
NIST
National Institute of
Standards and Technology
U.S. federal agency that
deals with measurement
science, standards, and
technology related to U.S.
government use and to the
promotion of U.S. privatesector innovation
NIST Federal Information
Processing Standards (FIPS)
and Special Publications (SP)
have a worldwide impact

ISOC
Internet Society
Professional membership society
with worldwide organizational and
individual membership
Provides leadership in addressing
issues that confront the future of the
Internet
Is the organization home for the
groups responsible for Internet
infrastructure standards, including
the Internet Engineering Task Force
(IETF) and the Internet Architecture
Board (IAB)
Internet standards and related
specifications are published as
Requests for Comments (RFCs)

Summary

Computer security
concepts
Definition
Examples
Challenges
The OSI security
architecture
Security attacks
Passive attacks
Active attacks

Security services
Authentication
Access control
Data confidentiality
Data integrity
Nonrepudiation
Availability service
Security mechanisms
Model for network
security
Standards