01) Cryptography Class 1 Introduction Cryptography 2019

Uploaded by

md lutful Kabir
Introduction

Dr. Md. Mahbubur Rahman


Textbook
• Cryptography: Theory and Practice, by Douglas R. Stinson, CRC Press
• Cryptography and Network Security: Principles and Practice, by William Stallings, Prentice Hall
• Network Security: Private Communication in a Public World, by Charlie Kaufman, Radia Perlman, Mike Speciner, Michael Speciner, Prentice Hall
• Handbook of Applied Cryptography, by Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone, CRC Press
Learning Objectives

• Describe the key security requirements of confidentiality, integrity, and availability

• Discuss the types of security threats and attacks that must be dealt with and give examples of threats and attacks that apply to different categories of computer and network assets

• Summarize the functional requirements for computer security

• Describe the X.800 security architecture for OSI

• Cryptography applications
Cryptography

• “Hidden writing”
• Increasingly used to protect information
• Can ensure confidentiality
 – Integrity and Authenticity too
History – The Manual Era

• Dates back to at least 2000 B.C.
• Pen and Paper Cryptography
• Examples
 – Scytale
 – Atbash
 – Caesar
 – Vigenère
History – The Mechanical Era

• Invention of cipher machines
• Examples
 – Confederate Army’s Cipher Disk
 – Japanese Red and Purple Machines
 – German Enigma
History – The Modern Era

• Computers!
• Examples
 – Lucifer
 – Rijndael
 – RSA
 – ElGamal
Computer Security Concepts
• Before the widespread use of data processing equipment, the
security of information valuable to an organization was
provided primarily by physical and administrative means

• With the introduction of the computer, the need for automated tools for protecting files and other information stored on the computer became evident

• Another major change that affected security is the introduction of distributed systems and the use of networks and communications facilities for carrying data between terminal user and computer and between computers
• Computer security
• The generic name for the collection of tools
designed to protect data and to thwart hackers

• internet security
• Consists of measures to deter, prevent, detect,
and correct security violations that involve the
transmission of information
Security Trends
Computer Security

• The NIST Computer Security Handbook defines the term computer security as:

“The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)”

NIST: National Institute of Standards and Technology

This definition introduces three key objectives that are at the heart of computer security.
Computer Security Objectives
Confidentiality
• Data confidentiality
• Assures that private or confidential information is
not made available or disclosed to unauthorized
individuals
• Privacy
• Assures that individuals control or influence what
information related to them may be collected and
stored and by whom and to whom that
information may be disclosed

Availability
• Assures that systems work promptly and service is
not denied to authorized users
Integrity

• Data integrity
• Assures that information and programs are
changed only in a specified and authorized
manner
• System integrity
• Assures that a system performs its intended
function in an unimpaired manner, free from
deliberate or inadvertent unauthorized
manipulation of the system
CIA Triad

The Security Requirements Triad


Confidentiality is probably the most common aspect of information security. We need to protect our confidential information. An organization needs to guard against those malicious actions that endanger the confidentiality of its information.

Integrity: Information needs to be changed constantly. Integrity means that changes need to be done only by authorized entities and through authorized mechanisms.

Availability: The information created and stored by an organization needs to be available to authorized entities. Information needs to be constantly changed, which means it must be accessible to authorized entities.
Possible additional concepts:

Authenticity
• Verifying that users are who they say they are and that each input arriving at the system came from a trusted source

Accountability
• The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity
Breach of Security
3 Levels of Impact

High
• The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals

Moderate
• The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals

Low
• The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
Examples of Security Requirements

Confidentiality
• Student grade information is an asset whose confidentiality is considered to be highly important by students
• Regulated by the Family Educational Rights and Privacy Act (FERPA)

Integrity (consistency)
• Patient information stored in a database – inaccurate information could result in serious harm or death to a patient and expose the hospital to massive liability
• A Web site that offers a forum to registered users to discuss some specific topic would be assigned a moderate level of integrity
• An example of a low-integrity requirement is an anonymous online poll

Availability
• The more critical a component or service, the higher the level of availability required
• A moderate availability requirement is a public Web site for a university
• An online telephone directory lookup application would be classified as a low-availability requirement
Computer Security Challenges

• Security is not simple
• Potential attacks on the security features need to be considered
• Procedures used to provide particular services are often counter-intuitive
• It is necessary to decide where to use the various security mechanisms
• Requires constant monitoring
• Is too often an afterthought
• Security mechanisms typically involve more than a particular algorithm or protocol
• Security is essentially a battle of wits between a perpetrator and the designer
• Little benefit from security investment is perceived until a security failure occurs
• Strong security is often viewed as an impediment to efficient and user-friendly operation
ITU-T

The ITU Telecommunication Standardization Sector (ITU-T) is one of the three sectors (divisions or units) of the International Telecommunication Union (ITU); it coordinates standards for telecommunications.

The ITU-T mission is to ensure the efficient and timely production of standards covering all fields of telecommunications on a worldwide basis, as well as defining tariff and accounting principles for international telecommunication services.
OSI

ISO, the International Organization for Standardization (French: Organisation internationale de normalisation), produced OSI (Open Systems Interconnection Reference Model, the OSI Reference Model, or even just the OSI Model).
History of OSI
In the late 1970s, two projects began independently, with the same
goal: to define a unifying standard for the architecture of
networking systems.

One was administered by the International Organization for Standardization (ISO), while the other was undertaken by the International Telegraph and Telephone Consultative Committee, or CCITT (the abbreviation is from the French version of the name).

These two international standards bodies each developed a document that defined similar networking models. ISO 7498, ITU-T (formerly CCITT) standard X.200 (1984)
X.800

X.800 Recommendation:

1. provides a general description of security services and related mechanisms, which may be provided by the Reference Model; and

2. defines the positions within the Reference Model where the services and mechanisms may be provided.

This Recommendation extends the field of application of recommendation X.200, to cover secure communications between open systems.
OSI Security Architecture
ITU-T Recommendation X.800, Security Architecture for OSI
describes a systematic way of defining the requirements for security
and characterizing the approaches to satisfying those requirements.
Focus
• Security attack
– Any action that compromises the security of information
owned by an organization
• Security mechanism
– A process (or a device incorporating such a process) that
is designed to detect, prevent, or recover from a security
attack
• Security service
– A processing or communication service that enhances
the security of the data processing systems and the
information transfers of an organization
– Intended to counter security attacks, and they make use
of one or more security mechanisms to provide the service
IETF and RFC

The Internet Engineering Task Force (IETF) (1986) develops and promotes voluntary Internet standards, in particular the standards that comprise the Internet protocol suite (TCP/IP).

A Request for Comments (RFC) is a publication of the Internet Engineering Task Force (IETF) and the Internet Society, the principal technical development and standards-setting bodies for the Internet.

The Internet Society (ISoc) is an international, non-profit organization founded in 1992 to provide leadership in Internet related standards, education, and policy.
ATTACKS

The three goals of security, confidentiality, integrity, and availability, can be threatened by security attacks.
Threats and Attacks (RFC 4949)

Internet Security Glossary, Version 2

This Glossary provides definitions, abbreviations, and explanations of terminology for information system security.
Security Attacks

• A means of classifying security attacks, used both in X.800 and RFC 4949, is in terms of passive attacks and active attacks
• A passive attack attempts to learn or make use of information from the system but does not affect system resources
• An active attack attempts to alter system resources or affect their operation
Passive Attacks
(Two types)

• Are in the nature of eavesdropping on, or monitoring of, transmissions
• Goal of the opponent is to obtain information that is being transmitted
• Two types of passive attacks are:
 – The release of message contents
 – Traffic analysis

Snooping refers to unauthorized access to or interception of data.
Traffic analysis refers to obtaining some other type of information by monitoring online traffic.
Active Attacks (4 types)

• Involve some modification of the data stream or the creation of a false stream
• Difficult to prevent because of the wide variety of potential physical, software, and network vulnerabilities
• Goal is to detect attacks and to recover from any disruption or delays caused by them

Modification means that the attacker intercepts the message and changes it.

Masquerading or spoofing happens when the attacker impersonates somebody else.

Replaying means the attacker obtains a copy of a message sent by a user and later tries to replay it.

Repudiation means that the sender of the message might later deny that she has sent the message; the receiver of the message might later deny that he has received the message.

Denial of service (DoS) is a very common attack. It may slow down or totally interrupt the service of a system.
Active Attacks (4 types)

Masquerade
• Takes place when one entity pretends to be a different entity
• Usually includes one of the other forms of active attack

Modification of messages
• Some portion of a legitimate message is altered, or messages are delayed or reordered to produce an unauthorized effect

Replay
• Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect

Denial of service
• Prevents or inhibits the normal use or management of communications facilities
Services and Mechanisms

ITU-T provides some security services and some mechanisms to implement those services. Security services and mechanisms are closely related because a mechanism or combination of mechanisms is used to provide a service.
Security Services
• Security service defined by X.800 as:
• A service provided by a protocol layer of communicating open
systems and that ensures adequate security of the systems or of
data transfers

• Defined by RFC 4949 as:
• A processing or communication service provided by a system to give a specific kind of protection to system resources
X.800 Service Categories
X.800 divides these services into five categories and fourteen
specific services

• Authentication
• Access control
• Data confidentiality
• Data integrity
• Nonrepudiation
Security Services (X.800)
Authentication
• Concerned with assuring that a communication is
authentic
– In the case of a single message, assures the recipient
that the message is from the source that it claims to be
from.
– In the case of ongoing interaction, assures that the two entities are authentic and that the connection is not interfered with in such a way that a third party can masquerade as one of the two legitimate parties

Two specific authentication services are defined in X.800:

• Peer entity authentication


• Data origin authentication

Two entities are considered peers if they implement the same protocol in
different systems (e.g., two TCP modules in two communicating systems).
Access Control
• The ability to limit and control the access to host systems
and applications via communications links
• To achieve this, each entity trying to gain access must first be
identified, or authenticated, so that access rights can be
tailored to the individual
Data Confidentiality
• The protection of transmitted data from passive
attacks
– Broadest service protects all user data transmitted between
two users over a period of time
– Narrower forms of service include the protection of a single
message or even specific fields within a message
• The protection of traffic flow from analysis
– This requires that an attacker not be able to observe the
source and destination, frequency, length, or other
characteristics of the traffic on a communications facility
Data Integrity
Can apply to a stream of messages, a single
message, or selected fields within a message

Connection-oriented integrity service deals with a stream of messages and assures that messages are received as sent with no duplication, insertion, modification, reordering, or replays

A connectionless integrity service deals with individual messages without regard to any larger context and generally provides protection against message modification only
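
The difference between the two integrity services above, shown as an added example that is not part of the original slides. HMAC-SHA256, the shared key, the 8-byte sequence-number header and the names Sender and Receiver are assumptions chosen for illustration; the sample messages are constructed.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key shared by both ends
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()

# Connectionless integrity: every message is protected on its own.
def seal_connectionless(msg: bytes) -> bytes:
    return msg + mac(msg)

def open_connectionless(packet: bytes):
    msg, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return msg if hmac.compare_digest(tag, mac(msg)) else None

# Connection-oriented integrity: a sequence number is covered by the MAC,
# so the receiver can also reject duplicates, replays and reordering.
class Sender:
    def __init__(self):
        self.seq = 0

    def seal(self, msg: bytes) -> bytes:
        body = struct.pack(">Q", self.seq) + msg
        self.seq += 1
        return body + mac(body)

class Receiver:
    def __init__(self):
        self.expected = 0

    def open(self, packet: bytes):
        if len(packet) < 8 + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(tag, mac(body)):
            return None                      # modified in transit
        (seq,) = struct.unpack(">Q", body[:8])
        if seq != self.expected:
            return None                      # duplicate, replay or out of order
        self.expected += 1
        return body[8:]

def demo() -> dict:
    out = {}
    pkt = seal_connectionless(b"PAY 100 TO BOB")
    out["cl_modified"] = open_connectionless(pkt[:4] + b"9" + pkt[5:])
    out["cl_replayed"] = [open_connectionless(pkt), open_connectionless(pkt)]
    s, r = Sender(), Receiver()
    first, second = s.seal(b"PAY 100 TO BOB"), s.seal(b"CLOSE ACCOUNT")
    out["co_reordered"] = r.open(second)     # arrives before `first`
    out["co_in_order"] = [r.open(first), r.open(second)]
    out["co_replayed"] = r.open(first)       # captured copy sent again
    out["co_modified"] = Receiver().open(first[:12] + b"9" + first[13:])
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The connectionless receiver rejects the altered message but accepts the same valid packet twice; the connection-oriented receiver rejects the altered, reordered and replayed packets alike.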
Nonrepudiation

• Prevents either sender or receiver from denying a transmitted message
• When a message is sent, the receiver can prove that the alleged sender in fact sent the message
• When a message is received, the sender can prove that the alleged receiver in fact received the message
Availability service

• Availability
– The property of a system or a system resource being
accessible and usable upon demand by an authorized
system entity, according to performance specifications for
the system
• Availability service
– One that protects a system to ensure its availability
– Addresses the security concerns raised by denial-of-
service attacks
– Depends on proper management and control of system
resources
Security Mechanisms (X.800)

• Specific security mechanisms: incorporated into the appropriate protocol layer in order to provide some of the OSI security services
 – Encipherment
 – Digital signatures
 – Access controls
 – Data integrity
 – Authentication exchange
 – Traffic padding
 – Routing control
 – Notarization
Security Mechanisms (X.800)
Relationship Between Security Services and Mechanisms
Techniques

Mechanisms discussed already are only theoretical recipes to implement security. The actual implementation of security goals needs some techniques. Two techniques are prevalent today: cryptography and steganography.
Cryptography

Cryptography, a word with Greek origins, means “secret writing.” However, we use the term to refer to the science and art of transforming messages to make them secure and immune to attacks.
Steganography
The word steganography, with origin in Greek, means “covered writing,” in
contrast with cryptography, which means “secret writing.”

Example: covering data with text


Example: using dictionary

Example: covering data under color image


Cryptographic Services
Cryptography supports the following services:

1. Confidentiality

2. Integrity

3. Authentication

4. Identity

5. Timeliness

6. Proof of ownership

Each has various different requirements in different circumstances, and each is supported by a wide variety of schemes.
Applications

1. Communications (encryption or authentication)
2. File and database security
3. Electronic funds transfer
4. Electronic Commerce
5. Digital cash
6. Contract signing
7. Electronic mail
8. Authentication: Passwords, PINs
9. Secure identification, Access control
10. Secure protocols
11. Proof of knowledge
Applications (cont.)
12. Construction by collaborating parties (secret sharing)
13. Copyright protection
14. etc.
Model for Network Security
A Model for Network Security

• Using this model requires us to:
1. Design a suitable algorithm for the security transformation
2. Generate the secret information (keys) used by the algorithm
3. Develop methods to distribute and share the secret information
4. Specify a protocol enabling the principals to use the transformation and secret information for a security service
Network Access Security Model
A Model for Network Access Security
• Using this model requires us to:
1. Select appropriate gatekeeper functions to identify users
2. Implement security controls to ensure only authorized
users access designated information or resources
Unwanted Access

• Placement in a computer system of logic that exploits vulnerabilities in the system and that can affect application programs as well as utility programs

Programs can present two kinds of threats:

Information access threats
• Intercept or modify data on behalf of users who should not have access to that data

Service threats
• Exploit service flaws in computers to inhibit use by legitimate users
Standards

NIST
• National Institute of Standards and Technology
• U.S. federal agency that deals with measurement science, standards, and technology related to U.S. government use and to the promotion of U.S. private-sector innovation
• NIST Federal Information Processing Standards (FIPS) and Special Publications (SP) have a worldwide impact

ISOC
• Internet Society
• Professional membership society with worldwide organizational and individual membership
• Provides leadership in addressing issues that confront the future of the Internet
• Is the organization home for the groups responsible for Internet infrastructure standards, including the Internet Engineering Task Force (IETF) and the Internet Architecture Board (IAB)
• Internet standards and related specifications are published as Requests for Comments (RFCs)
Summary
• Computer security concepts
 – Definition
 – Examples
 – Challenges
• The OSI security architecture
• Security attacks
 – Passive attacks
 – Active attacks
• Security services
 – Authentication
 – Access control
 – Data confidentiality
 – Data integrity
 – Nonrepudiation
 – Availability service
• Security mechanisms
• Model for network security
• Standards
