Ch01-Introduction Information Security
Muhammad Ahmed
Introduction
• Fundamental concept
– CIA
– AAA
– Threats and attacks
– Security principles
• Access control models
– Access Control Matrices
– Access Control Lists
– Capabilities
– Role based access control
• Cryptographic concepts
– Encryption
– Digital signatures
– Simple attacks on cryptosystems
– Cryptographic hash functions
– Digital Certificates
Defining Security
• The security of a system, application, or protocol is
always relative to
– A set of desired properties
– An adversary with specific capabilities
• For example, standard file access permissions in Linux
and Windows are not effective against an adversary
who can boot from a CD
A sound security model
• Define security properties
• Anticipate the types of attacks
• The design should be usable and simple
– If security measures are difficult to understand, it
will lead to failure of adoption
• Implementation (H/w or S/w) should be tested
for programming errors
• When deployed, it should be monitored
• Patches must be applied when available
Security Goals
• C.I.A.
– Confidentiality
– Integrity
– Availability
Confidentiality
• Confidentiality is the avoidance of the
unauthorized disclosure of information.
– confidentiality involves the protection of data,
– providing access for those who are allowed to see
it while disallowing others from learning anything
about its content.
Tools for Confidentiality
• Encryption: the transformation of information using a secret,
called an encryption key, so that the transformed information
can only be read using another secret, called the decryption
key (which may, in some cases, be the same as the encryption
key).
Tools for Confidentiality
• Access control: rules and policies that limit
access to confidential information to those
people and/or systems with a “need to know.”
– This may be determined by identity, such as a
person’s name or a computer’s serial number, or
by a role that a person has, such as being a
manager or a computer security specialist.
Cont.
Access control
prevention of the unauthorized use of a
resource; that is, this service controls
- who can have access to a resource
- under what conditions access can occur
- and what those accessing are allowed to
do
Tools for Confidentiality
• Authentication: the determination of the identity or role that
someone has. This determination can be done in a number of
different ways, but it is usually based on a combination of
– something the person has (like a smart card or a radio key storing
secret keys),
– something the person knows (like a password),
– something the person is (like a human with a fingerprint).
[Figure: something you know (password=ucIb()w1V, mother=Jones, pet=Caesar); something you are (human with fingers and eyes)]
Integrity
• Integrity: the property that information has not been altered in
an unauthorized way.
• Tools
– Backups: the periodic archiving of data.
– Checksums:
• the computation of a function that maps the contents of a file to a
numerical value.
• A checksum function depends on the entire contents of a file and is
designed in a way that even a small change to the input file is highly likely
to result in a different output value.
– Data correcting codes:
• methods for storing data in such a way that small changes can be easily
detected and automatically corrected.
• Applied to small data such as a byte or word
• Metadata of the data also needs to be protected
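The difference between the checksum and the data correcting code described above, as an added example that is not part of the original slides: a Hamming(7,4) code repairs a flipped bit in a stored byte, while a CRC-32 checksum only reports that something changed. The choice of Hamming(7,4) and CRC-32, the function names and the sample byte are assumptions made for the illustration.

```python
import zlib

def hamming74_encode(nibble):
    """Encode 4 data bits into a 7-bit codeword (bit i = position i+1)."""
    d = [(nibble >> i) & 1 for i in range(4)]
    p1 = d[0] ^ d[1] ^ d[3]   # parity over positions 1,3,5,7
    p2 = d[0] ^ d[2] ^ d[3]   # parity over positions 2,3,6,7
    p4 = d[1] ^ d[2] ^ d[3]   # parity over positions 4,5,6,7
    bits = [p1, p2, d[0], p4, d[1], d[2], d[3]]
    return sum(b << i for i, b in enumerate(bits))

def hamming74_decode(code):
    """Return (nibble, syndrome); syndrome is the repaired position or 0."""
    bits = [(code >> i) & 1 for i in range(7)]
    syndrome = 0
    for pos in range(1, 8):
        if bits[pos - 1]:
            syndrome ^= pos          # XOR of set positions is 0 for a valid word
    if syndrome:
        bits[syndrome - 1] ^= 1      # flip the damaged bit back
    nibble = bits[2] | (bits[4] << 1) | (bits[5] << 2) | (bits[6] << 3)
    return nibble, syndrome

def store_byte(value):
    """Protect one byte as two codewords (low nibble, high nibble)."""
    return hamming74_encode(value & 0xF), hamming74_encode(value >> 4)

def load_byte(lo, hi):
    """Decode both codewords, repairing up to one flipped bit in each."""
    lo_n, lo_s = hamming74_decode(lo)
    hi_n, hi_s = hamming74_decode(hi)
    return (hi_n << 4) | lo_n, (lo_s, hi_s)

def checksum_detects(original, damaged):
    """A CRC-32 checksum reports that the data changed, nothing more."""
    return zlib.crc32(original) != zlib.crc32(damaged)

if __name__ == "__main__":
    lo, hi = store_byte(0xA7)                   # constructed sample byte
    damaged_lo = lo ^ (1 << 4)                  # flip position 5 in storage
    print(load_byte(damaged_lo, hi))            # value is restored
    print(checksum_detects(b"\xa7", b"\xa6"))   # change is only detected
```

Both tools guard against accidental changes: Hamming(7,4) repairs one flipped bit per codeword and miscorrects two, and anyone able to rewrite the data can also recompute a plain checksum or code word.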
Availability
• Availability: the property that information is
accessible and modifiable in a timely fashion by
those authorized to do so.
• Tools:
– Physical protections: infrastructure meant to keep
information available even in the event of physical
challenges.
– Computational redundancies: computers and storage
devices that serve as fallbacks in the case of failures.
Other Security Concepts
• A.A.A.
– Authenticity
– Anonymity
– Assurance
Assurance
• Assurance refers to how trust is provided and managed in
computer systems.
• Trust management depends on:
– Policies, which specify behavioral expectations that people or
systems have for themselves and others.
• E.g., the designers of an online music system may specify policies that
describe how users can access and copy songs.
– Permissions, which describe the behaviors that are allowed by
the agents that interact with a person or system.
• For instance, an online music store may provide permissions for limited
access and copying to people who have purchased certain songs.
– Protections, which describe mechanisms put in place to enforce
permissions and policies.
• We could imagine that an online music store would build in protections
to prevent people from unauthorized access and copying of its songs.
Example: Internet Browser
• The “lock” indicates that communication is secure
• Performs a number of services on behalf of the user
– Encrypting the session
– Authenticate the website
Authenticity
• Authenticity is the ability to determine that
statements, policies, and permissions issued by
persons or systems are genuine.
• Primary tool:
– Nonrepudiation, which is the property that authentic
statements issued by some person or system cannot be
denied
– Digital signatures
• These are cryptographic mechanisms used to authenticate a document
• If the document is modified, the signature becomes invalid
• Requirement: there must be an electronic
way to identify people
Anonymity
• Anonymity: the property that certain records or
transactions are not attributable to any individual.
• Tools:
– Aggregation:
• the combining of data from many individuals so that disclosed
sums or averages cannot be tied to any individual.
– Mixing:
• the intertwining of transactions, information, or communications
in a way that cannot be traced to any individual.
– Proxies:
• trusted agents that are willing to engage in actions for an
individual in a way that cannot be traced back to that person.
Aspects of Security
• Security attack
Any action that compromises the security of information
owned by an organization.
• Security mechanism
A process that is designed to detect, prevent or recover from
a security attack.
• Security service
Services that enhance the security of the data processing
systems and the information transfers of an organization.
These services are intended to counter security attacks, and
they make use of one or more security mechanisms to
provide the service.
Threat and attack
• A threat is a potential danger that might
exploit a vulnerability.
– An exploit is a sequence of commands that takes
advantage of a vulnerability in order to cause damage
– A vulnerability is a weakness in a system
that allows an attacker to violate the integrity of
that system
• An attack is an unlawful attempt on a system's
security that derives from an intelligent threat.
Security Attacks
• Any action that compromises the security of
information owned by an organization
• Information security is about how to prevent attacks,
or failing that, to detect attacks on information-based
systems
• There is a wide range of attacks
• Classification according to X.800
– Passive attack
– Active attack
Passive attack
• Obtaining message content
• Traffic analysis
Active attack
• Masquerade
• Replay previous messages
• Modify messages in transit
• Denial of service
Threats and Attacks
• Eavesdropping: the interception (capture) of
information intended for someone else during
its transmission over a communication channel.
[Figure: Eve eavesdropping on the channel between Alice and Bob]
Threats and Attacks
• Alteration: unauthorized modification of
information.
– Example: the man-in-the-middle attack, where a
network stream is intercepted, modified, and
retransmitted.
[Figure: the sender encrypts plaintext M with the shared secret key into ciphertext C; an intercepting attacker on the communication channel changes it to ciphertext C′; the recipient decrypts C′ with the shared secret key into plaintext M′]
Threats and Attacks
• Denial-of-service: the interruption or
degradation of a data service or information
access.
– Example: email spam, to the degree that it is meant
to simply fill up a mail queue and slow down an
email server.
Threats and Attacks
• Masquerading: the fabrication of information
that is purported (supposed) to be from someone
who is not actually the author.
“From: Alice”
(really is from Eve)
Threats and Attacks
• Repudiation: the denial of a commitment or
data receipt.
– This involves an attempt to back out of a contract or
a protocol that requires the different parties to
provide receipts acknowledging that data has been
received.
Threats and Attacks
• Correlation and traceback: the integration of
multiple data sources and information flows to
determine the source of a particular data
stream or piece of information.
Security Mechanisms
• Specific security mechanisms:
– Encipherment:
use of mathematical algorithms to transform data into a
form that is not understandable
– Digital signatures:
use of a cryptographic transformation on a data unit
that allows a recipient of the data unit to prove the
source and integrity of the data unit
– Access controls:
mechanisms that enforce access rights to resources
– Data integrity:
Cont.
– Authentication exchange
mechanism used to ensure the integrity of an
entity by means of information exchange
– Traffic padding
insertion of bits into a data stream to frustrate
traffic analysis attempts
– Routing control
enables selection of physically secure routes for
data transmission
– Notarization
use of a trusted third party to ensure certain
properties of a data exchange
Examples of Security Violations
• A transmits a file (containing sensitive information) to
B. C, who is not authorized to read the file, is able to
monitor the transmission
• Administrator D sends a message to computer E for
updating an authorization file. F intercepts the
message, alters its contents to add or delete entries,
and then forwards the message to E. E accepts the
message and updates the authorization file
• Rather than intercepting, F constructs its own message
and sends it to E
Cont.
• An employee X is fired. X is able to intercept
the message that is sent to invalidate the
employee account. X is able to delay the
message long enough to access the sensitive
information from the server. X then forwards
the message and the action is taken. This delay
may go unnoticed
• A message is sent from a customer to a
stockbroker. Afterwards, the investment loses
value and the customer denies sending the
message.
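A check that receiver E could run on the update messages in the violations above, shown as an added example that is not part of the original slides: each message carries a keyed tag, a send time and a one-time nonce, so altered, fabricated, replayed and delayed messages are rejected. HMAC-SHA256, the 30-second window, the names seal, Receiver and demo, and all sample values are assumptions; the slides do not name a specific mechanism.

```python
import hashlib, hmac, json

MAX_AGE = 30  # seconds a message stays valid (assumed policy value)

def seal(key, body, sent_at, nonce):
    """Sender D: bind body, send time and a unique nonce under one tag."""
    payload = json.dumps({"body": body, "sent_at": sent_at, "nonce": nonce},
                         sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}

class Receiver:
    """Receiver E: verify every update before acting on it."""
    def __init__(self, key):
        self.key = key
        self.seen = set()            # nonces already acted on

    def accept(self, msg, now):
        expected = hmac.new(self.key, msg["payload"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad tag"       # altered or fabricated
        fields = json.loads(msg["payload"])
        if abs(now - fields["sent_at"]) > MAX_AGE:
            return "rejected: stale"         # delayed in transit
        if fields["nonce"] in self.seen:
            return "rejected: replay"        # same message seen before
        self.seen.add(fields["nonce"])
        return "accepted"

def demo():
    key = b"constructed-demo-key"            # known to D and E only
    e = Receiver(key)
    update = seal(key, "disable account X", sent_at=1000, nonce="n-1")
    altered = dict(update,
                   payload=update["payload"].replace("disable", "enable"))
    forged = seal(b"key-guessed-by-F", "add account F", 1000, "n-2")
    delayed = seal(key, "disable account X", sent_at=1000, nonce="n-3")
    return [e.accept(update, now=1005), e.accept(update, now=1010),
            e.accept(altered, now=1005), e.accept(forged, now=1005),
            e.accept(delayed, now=4600)]

if __name__ == "__main__":
    print(demo())
```

The freshness check exposes X's delay but does not stop access while the message is held back, so E's side needs an alert on stale or missing updates. A shared-key tag also does not cover C reading the file or the stockbroker dispute, which call for encryption and digital signatures respectively.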