Introduction
Prof. Heba Elnemr
Background
• Goal of attacker: access another user’s Twitter account to post inappropriate tweets.
• Tools used: web browser, telephone, personal information about the user that was available to anyone on the Internet.
• Historically: security was enforced by physical and administrative means.
• Two major changes:
  1. Introduction of data processing: need to protect data, especially in shared environments like time-sharing systems (computer security)
  2. Introduction of distributed systems and networking: need to protect data during its transmission from one machine to another (network security)

Definitions
• Computer Security
  • Generic name for the collection of tools designed to protect data and to thwart hackers.
  • The protection of the items you value, called the assets of a computer or computer system.
• Assets: hardware, software, data
  • Off the shelf: easily replaceable
  • Unique: irreplaceable

Definitions
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over a collection of interconnected networks
• Examples of security violations:
  • Interception of messages by an unauthorized person
  • Alteration of messages by an unauthorized person
  • Invention of a new message by an unauthorized person, sent as if from an authorized one
  • Delaying a message for some time, during which an unauthorized action is taken
  • Sender denies sending a message (which may have caused some losses to a customer)

Services, Mechanisms, Attacks
• Need a systematic way to define requirements, and approaches to satisfy these requirements.
• One way to do this is by considering the three aspects of information security:
  • security attack: any action that compromises the security of information owned by the organization
  • security mechanism: a mechanism to detect, prevent, or recover from a security attack
  • security service: makes use of one or more of the security mechanisms to counter security attacks

Example: electronic document vs. paper document
• It is possible to discriminate between an original paper document and a xerographic copy. How can this be done for an electronic document?
• An alteration to a paper document would leave some physical evidence of the alteration. How can this be done for an electronic document?
• A paper document's physical characteristics (like shape, handwritten signatures, seals, …) can be used within a proof process. How can this be done for an electronic document?

Examples of security attacks
• Gain unauthorized access to information (violate secrecy or privacy)
• Impersonate another user either to shift responsibility or else to use the other's license for the purpose of:
  • originating fraudulent information
  • modifying legitimate information
  • using fraudulent identity to gain unauthorized access
  • fraudulently authorizing transactions or endorsing them
• Insert self into a communication link between other users as an active (undetected) relay point: man in the middle
• Pervert (distort) the function of a piece of software, typically by adding a covert (secret) function

OSI Security Model
• OSI: Open Systems Interconnection
• A model for network security
• Defines a systematic approach to defining security requirements and the approaches to satisfy them. It focuses on security services, mechanisms, and attacks.
• Security Architecture for OSI (ITU-T Recommendation X.800)
  • ITU: International Telecommunication Union
  • T: Telecommunication Standardization Sector
• The components of the OSI security architecture model
  • Computer Security
  • Network Security
  • Internet Security

OSI Security Model
• Security services:
  • To enhance the security of information being processed or transferred
  • X.800 defines a security service as a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or data transfers.
  • X.800 divides these services into five categories and fourteen specific services.

OSI Security Model
• Security services:
  1. Authentication - assurance that the communicating entity is the one claimed
  2. Access Control or Authorization - prevention of the unauthorized use of a resource
  3. Data Confidentiality - protection of data from unauthorized disclosure
  4. Data Integrity - assurance that data received is as sent by an authorized entity
  5. Non-Repudiation - protection against denial by one of the parties in a communication

OSI Security Model
• Security Mechanisms (X.800)
  • A mechanism that is designed to detect, prevent or recover from a security attack.
• Specific security mechanisms:
  • encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization
• Pervasive security mechanisms:
  • those which are not specific to any particular OSI security service or protocol layer and are in general directly related to the level of security required.
  • Trusted functionality, Event detection, Security labels, Security audit trail

OSI Security Model
• Specific security mechanisms:
  1. Encipherment
     • The use of mathematical algorithms to transform data into a form that is not readily intelligible.
  2. Digital signatures
     • Provide an electronic analog of handwritten signatures for electronic documents.
  3. Access controls
     • Used to stop unattended access to data which you are sending.
  4. Data integrity
     • Used to assure the integrity of a data unit or stream of data units.

OSI Security Model
• Specific security mechanisms:
  5. Authentication exchange
     • Deals with identity to be known in communication.
  6. Traffic padding
     • The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
  7. Routing control
     • Enables selection of particular physically secure routes for certain data and allows routing changes.
  8. Notarization
     • The use of a trusted third party to assure certain properties of a data exchange.

OSI Security Model
• Pervasive security mechanisms:
  1. Trusted Functionality
     • Perceived to be correct with respect to some criteria (e.g., as established by a security policy).
  2. Event Detection
     • Detection of security-relevant events.
  3. Security Audit Trail
     • Data collected and potentially used to facilitate a security audit, which is an independent review and examination of system records and activities.
  4. Security Recovery
     • Deals with requests from mechanisms, such as event handling and management functions, and takes recovery actions.

OSI Security Model
• Security Attacks
  1. passive attacks - eavesdropping on, or monitoring, transmissions. The goal is to:
     • obtain message contents, or
     • monitor traffic flows

An attacker observes the messages and copies them.
An attacker attempts to learn or make use of information from the system but does not affect system resources.
• Passive attacks are very difficult to detect and the goal is to prevent rather than detect.

OSI Security Architecture
• Security Attacks
  2. active attacks - modification of data stream to:
     • Masquerade: an entity pretends to be a different entity
     • Replay: involves the passive capture of data to produce an unauthorized effect
     • Modify messages in transit
     • Denial of service: prevents or inhibits the normal use or management of the communication facilities

An attacker tries to modify the content of the messages.
• The goal is to detect active attacks and to recover from any disruption or delays caused by them.

Model for Network Security
• The model shows how a security service is designed over the network to prevent the opponent from threatening the confidentiality or authenticity of the information that is being transmitted through the network.

Model for Network Security
• There are 4 basic tasks in designing a particular security service:
  1. Design an appropriate algorithm that transforms a readable message at the sender side into an unreadable format; it should be difficult for an opponent to crack that security algorithm.
  2. Generate the secret information (keys) to be used by the algorithm.
  3. Develop methods to distribute and share the secret information at both ends.
  4. Specify a protocol enabling the principals to use the transformation and secret information for a security service.
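
Added example (not from the original slides): a small Python sketch of how a receiver detects the active attacks listed above (modification, masquerade, replay) using the data integrity mechanism, organised around design tasks 2 to 4. It uses an HMAC tag plus a sequence number rather than encipherment, so it does not provide confidentiality. The frame layout, function names and sample messages are assumptions made for illustration, and the key is assumed to have been shared out of band.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes


def generate_key() -> bytes:
    """Generate the secret information (design task 2)."""
    return secrets.token_bytes(32)


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame = seq (8 bytes) || payload || HMAC tag (integrity, not encipherment)."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiver side of the protocol (design task 4)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def accept(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return "rejected: malformed", None
        header, payload, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            # Modified in transit, or sent without the shared key (masquerade)
            return "rejected: bad tag", None
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            return "rejected: replay", None  # old frame retransmitted
        self.last_seq = seq
        return "accepted", payload


def demo():
    key = generate_key()  # assumed already shared with the receiver (task 3)
    rx = Receiver(key)
    frame = protect(key, 1, b"pay 10 to bob")  # constructed sample message
    tampered = frame[:8] + b"pay 99 to bob" + frame[-TAG_LEN:]
    forged = protect(generate_key(), 2, b"pay 10 to eve")  # sender lacks the key
    return [rx.accept(f)[0] for f in (frame, frame, tampered, forged)]
```

A passive eavesdropper still reads every payload here, which is why the slides treat passive attacks as something to prevent (with encipherment) rather than detect.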