Cryptography and Network Security Chapter 1 Roadmap Cryptographic algorithms and protocols Symmetric ciphers Asymmetric encryption Data integrity: hash functions Authentication Mutual Trust Computer Security Network Security Computer Security Need for Security NIST definition of Computer Security The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications) This definition introduces 3 key objectives: Confidentiality: Data confidentiality, Privacy. Integrity: Data Integrity, System Integrity. Availability Key Security Concepts Additional Concepts: Authenticity, Accountability Examples of Security Violations Capturing a file(by C) during transmission from A to B Message Interception Faking source identity Delaying the message Deny having sent the message Levels of Impact can define 3 levels of impact from a security breach Low Moderate High Examples of Security Requirements – student grades integrity – patient information availability – authentication service confidentiality Computer Security Challenges not simple 2. must consider potential attacks 3. procedures used counter-intuitive 4. involve algorithms and secret info 5. must decide where to deploy mechanisms 6. battle of wits between attacker / admin 7. not perceived on benefit until fails 8. requires regular monitoring 9. too often an after-thought 10. regarded as impediment to using system 1. OSI Security Architecture X.800 “Security Architecture for OSI” defines a systematic way of defining and providing security requirements. ITU-T For us it provides a useful, if abstract, overview of concepts we will study Aspects of Security consider security attack security mechanism security service note 3 aspects of information security: terms threat – a potential for violation of security attack – an assault on system security, a deliberate attempt to evade security services Passive Attacks Release of Message Contents Active Attacks Active Attacks (b)Replay Security Service enhance security of data processing systems and information transfers of an organization intended to counter security attacks using one or more security mechanisms often replicates functions normally associated with physical documents • which, for example, have signatures, dates; need protection from disclosure, tampering, or destruction; be notarized or witnessed; be recorded or licensed Security Services X.800: “a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers” RFC 2828: “a processing or communication service provided by a system to give a specific kind of protection to system resources” Security Services (X.800) Authentication - assurance that communicating entity is the one claimed peer-entity data origin authentication Access Control - prevention of the unauthorized use of a resource Data Confidentiality –protection of data from unauthorized disclosure • • • • Connection Confidentiality Connectionless Confidentiality Selective-Field Confidentiality Traffic-Flow Confidentiality Data • • • • • Integrity: Connection Integrity with Recovery Connection Integrity without Recovery Selective-Field Connection Integrity Connectionless Integrity Selective-Field Connectionless Integrity Non-Repudiation - protection against denial by one of the parties in a communication • • Nnrepudiation, Origin Nonrepudiation, Destination Security Mechanism Method or technique used to provide security. Feature designed to detect, prevent, or recover from a security attack No single mechanism will support all security services required Security Mechanisms (X.800) specific security mechanisms: Encipherment (reversible, irreversible), digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization pervasive security mechanisms: trusted functionality, security labels, event detection, security audit trails, security recovery Service Peer Entity Authentication Data Origin Authentication Access Control Confidentiality Traffic Flow Confidentiality Data Integrity Nonrepudiation Availability Mechanism Digital Access Data Encipherment Signature Control Integrity Authentication Traffic Routing Exchange Notariza Padding Control tion Service Mechanism Digital Access Encipherment Signature Control Integrity Peer Entity Authentication Y Y Data Origin Authentication Y Y Access Control Y Traffic Flow Confidentiality Y Data Integrity Y Availability Authentication Traffic Routing Exchange Notariza Padding Control tion Y Y Confidentiality Nonrepudiation Data Y Y Y Y Y Y Y Y Y Y Attack Service Release of Traffic Message Contents Analysis Masquerade Peer Entity Authentication Y Data Origin Authentication Y Y Access Control Confidentiality Traffic Flow Confidentiality Y Y Data Integrity Nonrepudiation Y Replay Modification of Denial of Messages Service Attack Mechanism Encipherment Digital Signature Access Control Data Integrity Authentication Exchange Traffic Padding Routing Control Notarization Release of Traffic Message Contents Analysis Masquerade Replay Modification of Denial of Messages Service Exercises 1. An organization wants protection against passive attacks. As a security manager of the organization which security services would you recommend for your organization? Justify your answer. 2. Consider a database management system used by a departmental store. Give examples of confidentiality, integrity, availability, and authenticity requirements associated with the system. In each case indicate the degree of importance of the requirement. 3. An organization has a server in which some manual are kept. It also provides some applications. The organization wants the manuals to be viewed by all the employees whenever required by them. However project managers can modify the contents of the manuals. For this they must first request the admin. If the admin is confirmed that it is only the concerned project manager making a request he grants permission to make changes to the concerned manual. What type of security services must be present to enable these activities in the organization? 4. Consider an implanted medical device that monitors and records data about a patient’s health and stores the information locally. To access the data, authorized personnel must transmit a PIN to the implanted device, and once authorized, electronically request specific portions of the data. Give examples of confidentiality, integrity and availability requirements associated with the system, and in each indicate the degree of importance of the requirement. Model for Network Security Model for Network Security using this model requires us to: 1. 2. 3. 4. design a suitable algorithm for the security transformation generate the secret information (keys) used by the algorithm develop methods to distribute and share the secret information specify a protocol enabling the principals to use the transformation and secret information for a security service Model for Network Access Security Model for Network Access Security using this model requires us to: 1. 2. select appropriate gatekeeper functions to identify users implement security controls to ensure only authorised users access designated information or resources Summary topic roadmap & standards organizations security concepts: confidentiality, integrity, availability X.800 security architecture security attacks, services, mechanisms models for network (access) security The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable. —The Art of War, Sun Tzu Text Book: 1. William Stallings - Cryptography and Network Security: Principles and Practice, Prentice Hall, 5th edition, 2010. Reference Book: 1. Behrouz A. Forouzan and Debdeep Mukhopadhyay - Cryptography and Network Security, McGraw Hill, 2nd Edition, 2008.