Cryptograph

y and
Network
Security
Seventh Edition
by William Stallings

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 Chapter 1
Computer and Network Security
Concepts

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 Computer Security
The NIST Computer Security Handbook
defines the term computer security as:

“the protection afforded to an

automated information system in order
to attain the applicable objectives of
preserving the integrity, availability and
confidentiality of information system
resources” (includes hardware,
software, firmware, information/ data,
and telecommunications)
© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
 Computer Security
Objectives
Confidentiality
• Data confidentiality
• Assures that private or confidential information is not made available
or disclosed to unauthorized individuals
• Privacy
• Assures that individuals control or influence what information related
to them may be collected and stored and by whom and to whom that
information may be disclosed

Integrity
• Data integrity
• Assures that information and programs are changed only in a
specified and authorized manner
• System integrity
• Assures that a system performs its intended function in an
unimpaired manner, free from deliberate or inadvertent unauthorized
manipulation of the system
Availability
• Assures that systems work promptly and service is not denied
to authorized users
© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
 Breach of Security
Levels of Impact
• The loss could be expected to have a severe
or catastrophic adverse effect on
organizational operations, organizational
High assets, or individuals

• The loss could be expected to have

Moderat a serious adverse effect on

organizational operations,
organizational assets, or individuals
e
• The loss could be expected
to have a limited adverse
effect on organizational

Low operations, organizational

assets, or individuals

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 Computer Security
Challenges
• Security is not simple • Security mechanisms
typically involve more than
• Potential attacks on the a particular algorithm or
security features need to protocol
be considered
• Security is essentially a
• Procedures used to battle of wits between a
provide particular services perpetrator and the
are often counter-intuitive designer

• It is necessary to decide • Little benefit from security

where to use the various investment is perceived
security mechanisms until a security failure
occurs
• Requires constant
• Strong security is often
monitoring
viewed as an impediment
• Is too often an to efficient and user-friendly
afterthought
© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
operation
 OSI Security
Architecture
• Security attack
• Any action that compromises the security of information
owned by an organization

• Security mechanism
• A process (or a device incorporating such a process) that
is designed to detect, prevent, or recover from a security
attack

• Security service
• A processing or communication service that enhances
the security of the data processing systems and the
information transfers of an organization
• Intended to counter security attacks, and they make use
of one or more security mechanisms to provide the
service
© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
 Table 1.1
Threats and Attacks (RFC
4949)

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 Security
Attacks
•A means of classifying
security attacks, used
both in X.800 and RFC
4949, is in terms of
passive attacks and active
attacks

•A passive attack
attempts to learn or make
use of information from
the system but does not
affect system resources

•An active attack attempts

to alter system resources
or affect their operation
© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
 Passive
Attacks

• Are in the nature of

eavesdropping on, or
monitoring of,
transmissions
• Two types of passive
• Goal of the opponent attacks are:
is to obtain information
that is being • The release of
transmitted message contents
• Traffic analysis

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 Active Attacks
• Involve some modification • Takes place when one entity
of the data stream or the Masquerad pretends to be a different
entity
creation of a false stream e • Usually includes one of the
other forms of active attack
• Difficult to prevent because
of the wide variety of • Involves the passive capture of
potential physical, a data unit and its subsequent
Replay retransmission to produce an
software, and network unauthorized effect
vulnerabilities

• Some portion of a legitimate

• Goal is to detect attacks Modificatio message is altered, or
and to recover from any n of messages are delayed or
disruption or delays caused reordered to produce an
messages unauthorized effect
by them

• Prevents or inhibits the normal

Denial of use or management of
service communications facilities

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 Security Services

• Defined by X.800 as:

• A service provided by a protocol layer of
communicating open systems and that
ensures adequate security of the systems or
of data transfers

• Defined by RFC 4949 as:

• A processing or communication service
provided by a system to give a specific kind
of protection to system resources
© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
 Table 1.2

Security
Services
(X.800)

(This table is found on

page 12 in textbook)
© 2017 Pearson Education, Inc., Hoboken, NJ
All rights reserved.
 Authentication
• Concerned with assuring that a communication is
authentic
• In the case of a single message, assures the
recipient that the message is from the source that
it claims to be from
• In the case of ongoing interaction, assures the two
entities are authentic and that the connection is
not interfered with in such a way that a third party
can masquerade as one of the two legitimate
parties
Two specific authentication services are defined
in X.800:
• Peer entity authentication
• Data origin authentication

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 Access Control

• The ability to limit and control the

access to host systems and
applications via communications links

• To achieve this, each entity trying to

gain access must first be indentified,
or authenticated, so that access rights
can be tailored to the individual

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 Data Confidentiality
• The protection of transmitted data from passive
attacks
• Broadest service protects all user data transmitted
between two users over a period of time
• Narrower forms of service includes the protection
of a single message or even specific fields within a
message

• The protection of traffic flow from analysis

• This requires that an attacker not be able to
observe the source and destination, frequency,
length, or other characteristics of the traffic on a
communications facility
© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
 Data Integrity
Can apply to a stream of messages, a
single message, or selected fields within a
message

Connection-oriented integrity service, one

that deals with a stream of messages,
assures that messages are received as sent
with no duplication, insertion, modification,
reordering, or replays
A connectionless integrity service, one that
deals with individual messages without
regard to any larger context, generally
provides protection against message
modification only

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 Nonrepudiation
• Prevents either sender or receiver from
denying a transmitted message

• When a message is sent, the receiver

can prove that the alleged sender in
fact sent the message
• When a message is received, the
sender can prove that the alleged
receiver in fact received the message

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 Availability Service

• Protects a system to ensure its

availability

• This service addresses the security

concerns raised by denial-of-service
attacks

• It depends on proper management and

control of system resources and thus
depends on access control service and
other security services
© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
 Security Mechanisms
(X.800)
Specific Security
Mechanisms
• Encipherment
• Digital signatures
• Access controls
• Data integrity Pervasive Security
• Authentication Mechanisms
exchange • Trusted functionality
• Traffic padding
• Security labels
• Routing control
• Event detection
• Notarization
• Security audit trails
• Security recovery

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 Table 1.3

Security
Mechanisms
(X.800)

(This table is found on

pages 14-15 in
textbook)
© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
 Attack Surfaces
• An attack surface consists of the reachable and
exploitable vulnerabilities in a system
• Examples:
• Open ports on outward facing Web and other servers,
and code listening on those ports
• Services available on the inside of a firewall
• Code that processes incoming data, email, XML,
office documents, and industry-specific custom data
exchange formats
• Interfaces, SQL, and Web forms
• An employee with access to sensitive information
vulnerable to a social engineering attack

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

Attack Surface Categories
• Network attack surface
• Refers to vulnerabilities over an enterprise
network, wide-area network, or the Internet

• Software attack surface

• Refers to vulnerabilities in application,
utility, or operating system code

• Human attack surface

• Refers to vulnerabilities created by
personnel or outsiders
© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
 Model for Network
Security

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

 Standards
National Institute of Standards and Technology

• NIST is a U.S. federal agency that deals with measurement science, standards, and
technology related to U.S. government use and to the promotion of U.S. private-sector
innovation
• Despite its national scope, NIST Federal Information Processing Standards (FIPS) and Special
Publications (SP) have a worldwide impact
Internet Society

• ISOC is a professional membership society with world-wide organizational and individual

membership
• Provides leadership in addressing issues that confront the future of the Internet and is the
organization home for the groups responsible for Internet infrastructure standards
ITU-T

• The International Telecommunication Union (ITU) is an international organization within the

United Nations System in which governments and the private sector coordinate global
telecom networks and services
• The ITU Telecommunication Standardization Sector (ITU-T) is one of the three sectors of the
ITU and whose mission is the development of technical standards covering all fields of
telecommunications
ISO

• The International Organization for Standardization is a world-wide federation of national

standards bodies from more than 140 countries
• ISO is a nongovernmental organization that promotes the development of standardization
and related activities with a view to facilitating the international exchange of goods and
services and to developing cooperation in the spheres of intellectual, scientific,
technological, and economic activity
© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
 Summary
Security Architecture
(ITU-T X.800, X.805)

Security
Security Security
Requirem
Attacks Enforcers
ents
 Summary
• Computer security • Security services
concepts • Authentication
• Definition • Access control
• Data confidentiality
• Examples
• Data integrity
• Challenges • Nonrepudiation
• Availability service
• The OSI security
architecture • Security mechanisms

• Security attacks • Fundamental security

design principles
• Passive attacks
• Active attacks • Network security model

• Attack surfaces • Standards

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.