Computer and Network Security

Chapters
• Introduction On Security
• Cryptography
• Traditional Symmetric Cryptosystem
• Modern Symmetric Cryptosystem
• Asymmetric Cryptography
• Message Authentication
• Network and Internet Security
Reference
• Behrouz A. Fourouzan‖, Cryptography and Network Security‖, Tata
McGraw- Hill, 2008
• William Stallings, "Cryptography and Network Security: Principles and
Practice", 5th Edition, Prentice Hall, 2011
 4

Computer Network Security

INTRODUCTION
What security is about in general? 5

 Security is about protection of assets

 Prevention
 take measures that prevent your assets from being
damaged (or stolen)
 Detection
 take measures so that you can detect when, how, and
by whom an asset has been damaged
 Reaction
 take measures so that you can recover your assets
Real world example 6

 Prevention
 locksat doors, window bars, secure the
walls around the property, hire a guard
 Detection
 missing items, burglar alarms, closed circuit
TV
 Reaction
 attackon burglar (not recommended ), call
the police, replace stolen items, make an in-
surance claim
Information security in past & 7
present

 Traditional Information Security

 keep the cabinets locked
 put them in a secure room
 human guards
 electronic surveillance systems
 in general: physical and administrative mecha-
nisms
 Modern World
 Data are in computers
 Computers are interconnected
 8

Terminology
 Computer Security
2 main focuses: Information and Computer itself
 tools and mechanisms to protect data in a computer
(actually an automated information system), even if
the computers/system are connected to a network
 tools and mechanisms to protect the information
system itself (hardware, software, firmware,…)
 Against?
 against hackers (intrusion)
 against viruses
 against denial of service attacks
 etc. (all types of malicious behavior)
 9

Terminology

 Network and Internet Security

 measures to prevent, detect, and correct security viola-
tions that involve the transmission of information in a
network or interconnected networks
Computer
Security
Terminol-
ogy
RFC 4949, Internet

Security Glossary,

May 2000
The global average cost of cyber 11

crime/attacks
2017 Cost
of Cyber
Crime
Study by
Accen-
ture*
Steeper
increasing
trend in
the recent
years
* https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf
Security Objectives: CIA Triad and Beyond
Computer Security Objectives
Additional concepts:
Services, Mechanisms, Attacks 15

 3 aspects of information security:

 security attacks (and threats)
actions that (may) compromise secu-
rity
 security services
services counter attacks
 security mechanisms
used by services
e.g. secrecy is a service, encryption
(a.k.a. encipherment) is a mechanism
 16

Attacks
 Attacks on computer systems
 break-in to destroy information
 break-in to steal information
 blocking to operate properly
 malicious software
 wide spectrum of problems
 Source of attacks
 Insiders

 Outsiders
 Attacks 17

 Network Security
 Active attacks
 Passive attacks
 Passive attacks
 interception of the messages
 What can the attacker do?
 use information internally
 hard to understand
 release the content
 can be understood
 traffic analysis
 hard to avoid
 Hard to detect, try to prevent
 Attacks 18

 Active attacks
 Attacker actively manipulates
the communication
 Masquerade
 pretend as someone else
 possibly to get more privileges
 Replay
 passively
capture data
and send later
 Denial-of-service
 prevent the normal use of
servers, end users, or network
itself
 Attacks 19

 Active attacks (cont’d)

 deny
 repudiate sending/receiving a message later
 modification
 change the content of a message
Security Services 20

 to prevent or detect attacks

 to enhance the security
 replicate functions of physical documents
 e.g.
 have signatures, dates
 need protection from disclosure, tampering, or
destruction
 notarize
 record
 21

Basic Security Services

 Authentication • Access Control


• prevention of the unauthorized use
assurance that the communicating en-
of a resource
tity is the one it claims to be
• to achieve this, each entity trying to
 peer entity authentication gain access must first be identified
 mutual confidence in the identities and authenticated, so that access
of the parties involved in a connec- rights can be tailored to the individ-
tion ual
 Data-origin authentication
 assurance about the source of the
received data
 22

Basic Security Services

 Data Confidentiality
 protection of data from unauthorized disclosure
(against eavesdropping)
 traffic flow confidentiality is one step ahead
 this
requires that an attacker not be able to observe the source
and destination, frequency, length, or other characteristics of
the traffic on a communications facility
 Data Integrity
 assurance that data received are exactly as sent by an
authorized sender
 i.e. no modification, insertion, deletion, or replay
Basic Security Services 23

 Non-Repudiation
 protection against denial by one of the parties in a
communication
 Origin non-repudiation
 proof that the message was sent by the specified
party
 Destination non-repudiation
 proof that the message was received by the speci-
fied party
Relationships 24

 among integrity, data-origin authentication

and non-repudiation

Non-repudiation

Authentication

Integrity
 25

Security Mechanisms

 Cryptographic Techniques
 will see next
 Software and hardware for access limitations
 Firewalls
 Intrusion Detection and Prevention Systems
 Traffic Padding
 against traffic analysis
 Hardware for authentication
 Smartcards, security tokens
 Security Policies / Access Control
 define who has access to which resources.
 Physical security
 Keep it in a safe place with limited and authorized physical access
 26

Cryptography
 Encryption (a.k.a. Encipherment)
 use of mathematical algorithms to transform data into a
form that is not readily intelligible
 keys are involved
 Steganography
 an alternative to encryption
 hides existence of message
 using only a subset of letters/words in a longer message
marked in some way
 using invisible ink
 hiding in LSB in graphic image or sound file
 has drawbacks
 high overhead to hide relatively few info bits
 advantage is can obscure encryption use
 27

Cryptographic Security Mechanisms

 Encryption (a.k.a. Encipherment)

 use of mathematical algorithms to trans-
form data into a form that is not readily in-
telligible
 keys are involved
 28

Cryptographic Security Mechanisms

 Message Digest
 similarto encryption, but one-way (recovery
not possible)
 generally no keys are used

 Digital Signatures and Message Authen-

tication Codes
 Data appended to, or a cryptographic trans-
formation of, a data unit to prove the source
and the integrity of the data
Security Mechanisms 29

 Authentication Exchange
 ensure the identity of an entity by exchanging some information
 Notarization
 use of a trusted third party to assure certain properties of a data ex-
change
 Timestamping
 inclusion of correct date and time within messages

 On top of everything, the most fundamental problem in security is

SECURE KEY EXCHANGE
 mostly over an insecure channel
A General Model for Network Security 30
Model for Network Security 31

 using this model requires us to:

 designa suitable algorithm for the security
transformation
 generate the secret information (keys) used by
the algorithm
 develop methods to distribute and share the
secret information
 specifya protocol enabling the principals to use
the transformation and secret information for a
security service
Model for Network Access Security 32
Model for Network Access Security 33

 using this model requires us to:

 select appropriate gatekeeper functions to identify users
and processes and ensure only authorized users and pro-
cesses access designated information or resources
 Internal control to monitor the activity and analyze infor-
mation to detect unwanted intruders
 34

More on Computer System Security

 Based on “Security Policies”  Implementation

 Set of rules that specify  Partially automated, but mostly humans
 How resources are managed to sat- are involved
isfy the security requirements  Assurance and Evaluation
 Which actions are permitted, which
 Assurance: degree of confidence to a
are not
system
 Ultimate aim  Security products and systems must be
 Prevent security violations such as evaluated using certain criteria in order
unauthorized access, data loss, ser- to decide whether they assure security
vice interruptions, etc. or not
 Scope
 Organizational or Individual
Aspects of Computer Security 35

 Mostly related to Operating Systems

 Similar to those discussed for Network
Security
 Confidentiality
 Integrity
 Availability
 Authenticity
 Accountability
 Dependability
 36
Aspects of Computer Security

 Confidentiality
 Prevent unauthorised disclosure of information
 Synonyms: Privacy and Secrecy
 Integrity
 two types: data integrity and system integrity
 In general, “make sure that everything is as it is supposed to
be”
 More specifically, “no unauthorized modification, deletion” on
data (data integrity)
 System performs as intended without any unauthorized ma-
nipulations (system integrity)
 Aspects of Computer Security 37

 Availability  Accountability
 services should be accessible  audit information must be selectively
when needed and without kept and protected so that actions af-
extra delay fecting security can be traced to the
 Dependability responsible party
 How can we do that?
 Can we trust the system as a  Users have to be identified and au-
whole? thenticated to have a basis for access
control decisions and to find out respon-
sible party in case of a violation.
 The security system keeps an audit log
(audit trail) of security relevant events
to detect and investigate intrusions.
Attack Surfaces
 An attack surface consists of the reachable and
exploitable vulnerabilities in a system
 Examples:
 Open ports on outward facing Web and other servers,
and code listening on those ports
 Services available in a firewall
 Code that processes incoming data, email, XML,
office documents, etc.
 Interfaces and Web forms
 An employee with access to sensitive information
vulnerable to a social engineering attack
Attack Surface Categories

 Network attack surface

 Refers to vulnerabilities over an enterprise
network, wide-area network, or the Internet
 E.g.DoS, intruders exploiting network protocol vul-
nerabilities
 Software attack surface
 Refers to vulnerabilities in application, utility,
or operating system code
 Human attack surface
 Refers to vulnerabilities created by personnel
or outsiders
 E.g. social engineering, insider traitors
Fundamental Dilemma of Security 40

“Security unaware users have specific security re-

quirements but no security expertise.”
from D. Gollmann
 Solution: level of security is given in predefined classes speci-
fied in some common criteria

 Fundamental Trade off

 Between security and ease-of-use
 Security may require clumsy and inconvenient restrictions on users
and processes