
unit 1

The document outlines the fundamentals of computer security, focusing on key concepts such as confidentiality, integrity, and availability, along with additional principles like authenticity and accountability. It discusses various security attacks, mechanisms, and services, including authentication, access control, and data confidentiality, as well as the OSI security architecture. The document emphasizes the importance of implementing robust security measures and protocols to safeguard information systems against potential threats.

Uploaded by

keerthanacse

U19CSE07 / Cryptography and Network Security
By
Keerthana.S AP/CSE
VCEW
Unit-1 COMPUTER SECURITY BASICS
1. Computer Security Concepts
2. OSI Security Architecture
3. Security Attacks
4. Security Services
5. Security Mechanisms
6. Model for Network Security
7. Classical Encryption techniques
8. Substitution and Transposition methods
9. Block Cipher Principles
Confidentiality (covers both data confidentiality and privacy):
Preserving authorized restrictions on information access and disclosure, including
means for protecting personal privacy and proprietary information.
A loss of confidentiality is the unauthorized disclosure of information.

Integrity (covers both data and system integrity):
Guarding against improper information modification or destruction, including
ensuring information nonrepudiation and authenticity.
A loss of integrity is the unauthorized modification or destruction of information.

Availability:
Ensuring timely and reliable access to and use of information.
A loss of availability is the disruption of access to or use of information or an
information system.
Although the use of the CIA triad to define security objectives is well established, some
in the security field feel that additional concepts are needed to present a complete
picture.
Two of the most commonly mentioned are as follows:

Authenticity:
The property of being genuine and being able to be verified and trusted;
confidence in the validity of a transmission, a message, or message originator.
This means verifying that users are who they say they are and that each input
arriving at the system came from a trusted source.

Accountability:
The security goal that generates the requirement for actions of an entity to be
traced uniquely to that entity.
The challenges of computer security
1. The major requirements for security services can be given self-explanatory, one-word
labels: confidentiality, authentication, nonrepudiation, or integrity.
2. In developing a particular security mechanism or algorithm, one must always
consider potential attacks on those security features.
3. Only when the various aspects of the threat are considered do elaborate security
mechanisms make sense.
4. It is necessary to decide where to use the security mechanisms, both in terms of
physical placement (at what points in a network) and in a logical sense (at what
layer or layers of an architecture such as TCP/IP).
5. Security mechanisms typically involve more than a particular algorithm or
protocol.
THE OSI SECURITY ARCHITECTURE
The OSI security architecture focuses on:
• security attack
• security mechanism
• security service
Masquerade
• A masquerade takes place when one entity
pretends to be a different entity
• A masquerade attack usually includes one of the
other forms of active attack.
• For example, authentication sequences can be
captured and replayed after a valid authentication
sequence has taken place, thus enabling an
authorized entity with few privileges to obtain extra
privileges by impersonating an entity that has those
privileges.
Replay
Replay involves the passive capture of a data
unit and its subsequent retransmission to
produce an unauthorized effect.
Modification of messages
Modification of messages simply means that
some portion of a legitimate message is altered,
or that messages are delayed or reordered, to
produce an unauthorized effect.
Denial of service
• The denial of service prevents or inhibits the normal
use or management of communications facilities.
• This attack may have a specific target; for example,
an entity may suppress all messages directed to a
particular destination (e.g., the security audit
service).
• Another form of service denial is the disruption of
an entire network, either by disabling the network
or by overloading it with messages so as to degrade
performance.
Security Services (X.800)
⚫ Authentication - service is concerned with assuring that a
communication is authentic.
◦ Peer entity authentication
◦ Data origin authentication
⚫ Access Control - prevention of the unauthorized use of a resource
⚫ Data Confidentiality - protection of data from unauthorized disclosure
⚫ Data Integrity - assurance that data received is as sent by an
authorized entity
⚫ Non-Repudiation - protection against denial by one of the parties in a
communication
⚫ Availability Service - Availability is the property of a system, or a
system resource being accessible and usable upon demand by an
authorized system entity, according to performance specifications for
the system
Authentication service
• Authentication - The assurance that the
communicating entity is the one that it claims
to be.
– Peer entity authentication: Used in association
with a logical connection to provide confidence in
the identity of the entities connected.
– Data origin authentication: In a connectionless
transfer, provides assurance that the source of
received data is as claimed.
Access control
• The prevention of unauthorized use of a
resource (i.e., this service controls who can
have access to a resource, under what
conditions access can occur, and what those
accessing the resource are allowed to do).
Data Confidentiality
• The protection of data from unauthorized disclosure.
• Connection Confidentiality: The protection of all user data
on a connection.
• Connectionless Confidentiality: The protection of all user
data in a single data block.
• Selective-Field Confidentiality: The confidentiality of
selected fields within the user data on a connection or in a
single data block.
• Traffic-Flow Confidentiality: The protection of the
information that might be derived from observation of
traffic flows.
Data integrity
• The assurance that data received are exactly as sent by an authorized entity (i.e.,
contain no modification, insertion, deletion, or replay).
• Connection Integrity with Recovery: Provides for the integrity of all user data on
a connection and detects any modification, insertion, deletion, or replay of any data
within an entire data sequence, with recovery attempted.
• Connection Integrity without Recovery: As above, but provides only detection
without recovery.
• Selective-Field Connection Integrity: Provides for the integrity of selected fields
within the user data of a data block transferred over a connection and takes the
form of determination of whether the selected fields have been modified, inserted,
deleted, or replayed.
• Connectionless Integrity: Provides for the integrity of a single connectionless data
block and may take the form of detection of data modification. Additionally, a
limited form of replay detection may be provided.
• Selective-Field Connectionless Integrity: Provides for the integrity of selected
fields within a single connectionless data block; takes the form of determination of
whether the selected fields have been modified.
Non-Repudiation
• Provides protection against denial by one of
the entities involved in a communication of
having participated in all or part of the
communication.
• Nonrepudiation, Origin: Proof that the
message was sent by the specified party.
• Nonrepudiation, Destination: Proof that the
message was received by the specified party.
Security mechanisms
The mechanisms are divided into those that are
implemented in a specific protocol layer, such as
TCP or an application-layer protocol, and those
that are not specific to any particular protocol
layer or security service.
1. Cryptographic algorithms:
◦ reversible cryptographic mechanisms - an encryption algorithm that
allows data to be encrypted and subsequently decrypted
◦ irreversible cryptographic mechanisms - include hash algorithms
and message authentication codes, which are used in digital signature
and message authentication applications
2. Data integrity - covers a variety of mechanisms used to assure the
integrity of a data unit
3. Digital signature - a data unit that allows a recipient of the data unit
to prove the source and integrity of the data unit and protect
against forgery.
4. Authentication exchange: A mechanism intended to ensure the
identity of an entity by means of information exchange
5. Traffic padding: The insertion of bits into gaps in a
data stream to frustrate traffic analysis attempts.
6. Routing control: Enables selection of particular
physically or logically secure routes for certain data
and allows routing changes, especially when a breach
of security is suspected.
7. Notarization: The use of a trusted third party to
assure certain properties of a data exchange.
8. Access control: A variety of mechanisms that
enforce access rights to resources.
Encipherment
• The use of mathematical algorithms to
transform data into a form that is not readily
intelligible. The transformation and
subsequent recovery of the data depend on
an algorithm and zero or more encryption
keys.
Digital Signature
• Data appended to, or a cryptographic
transformation of, a data unit that allows a
recipient of the data unit to prove the source
and integrity of the data unit and protect
against forgery (e.g., by the recipient).
Access Control
• A variety of mechanisms that enforce access
rights to resources.
Data Integrity
• A variety of mechanisms used to assure the
integrity of a data unit or stream of data units.
Authentication Exchange
• A mechanism intended to ensure the identity
of an entity by means of information
exchange.
Traffic Padding
• The insertion of bits into gaps in a data stream
to frustrate traffic analysis attempts.
Routing Control
• Enables selection of particular physically
secure routes for certain data and allows
routing changes, especially when a breach of
security is suspected.
Notarization
• The use of a trusted third party to assure
certain properties of a data exchange.
PERVASIVE SECURITY MECHANISMS
• Mechanisms that are not specific to any
particular OSI security service or protocol
layer.
Trusted Functionality
• That which is perceived to be correct with
respect to some criteria (e.g., as established
by a security policy).
Security Label
• The marking bound to a resource (which may
be a data unit) that names or designates the
security attributes of that resource.
Event Detection
• Detection of security-relevant events.
Security Audit Trail
• Data collected and potentially used to
facilitate a security audit, which is an
independent review and examination of
system records and activities.
Security Recovery
• Deals with requests from mechanisms, such as
event handling and management functions,
and takes recovery actions.
Model for Network Security
⚫ using this model requires us to:
1. design a suitable algorithm for the security
transformation
2. generate the secret information (keys) used by
the algorithm
3. develop methods to distribute and share the
secret information
4. specify a protocol enabling the principals to use
the transformation and secret information for a
security service
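The four tasks above, carried through for the connection integrity service and the replay and modification attacks described earlier. This is an added example, not part of the original slides; the choice of HMAC-SHA256 with a sequence number, and the names Sender, Receiver, verdict and demo, are assumptions made for illustration, and key distribution (task 3) is assumed to have happened out of band.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes

class Sender:
    def __init__(self, key):
        self.key, self.seq = key, 0

    def protect(self, payload):
        # Task 1: the security transformation is seq || payload || HMAC(key, seq || payload)
        header = struct.pack(">Q", self.seq)
        self.seq += 1
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag

class Receiver:
    def __init__(self, key):
        self.key, self.expected = key, 0

    def accept(self, unit):
        # Task 4: receiving side of the protocol; returns the payload or raises ValueError
        if len(unit) < 8 + TAG_LEN:
            raise ValueError("truncated data unit")
        body, tag = unit[:-TAG_LEN], unit[-TAG_LEN:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):  # constant-time comparison
            raise ValueError("modification detected")
        (seq,) = struct.unpack(">Q", body[:8])
        if seq < self.expected:
            raise ValueError("replay detected")
        if seq > self.expected:
            raise ValueError("deletion or reordering detected")
        self.expected += 1
        return body[8:]

def verdict(receiver, unit):
    try:
        receiver.accept(unit)
        return "accepted"
    except ValueError as err:
        return str(err)

def demo():
    key = secrets.token_bytes(32)  # Task 2: generate the secret; task 3 assumed done
    s, r = Sender(key), Receiver(key)
    u0, u1, u2 = (s.protect(m) for m in (b"pay 10", b"pay 20", b"pay 30"))  # constructed messages
    tampered = u1[:8] + b"pay 99" + u1[14:]  # payload altered in transit, old tag kept
    return [verdict(r, u) for u in (u0, u0, tampered, u2, u1)]
```

This gives detection only, that is, connection integrity without recovery; an inserted data unit without a valid tag is rejected the same way as a modified one.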
Model for Network Access Security
⚫ using this model requires us to:
1. select appropriate gatekeeper functions to
identify users
2. implement security controls to ensure only
authorised users access designated information
or resources
⚫ trusted computer systems may be useful to
help implement this model
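The two requirements of the network access security model, sketched as an added example that is not part of the original slides: a gatekeeper function that identifies users, followed by an internal control that decides what an identified user may do with a resource. The names Gatekeeper, ACL, request and demo_access, the user names, passwords and resource name are all constructed for illustration; PBKDF2 is one possible choice for storing password verifiers.

```python
import hashlib
import hmac
import os

def derive(password, salt):
    # Store a slow salted hash, never the password itself
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Gatekeeper:
    """Requirement 1: identify users before they reach any resource."""
    def __init__(self):
        self._users = {}  # name -> (salt, derived verifier)

    def enroll(self, name, password):
        salt = os.urandom(16)
        self._users[name] = (salt, derive(password, salt))

    def identify(self, name, password):
        # Unknown names still pay for one derivation, so timing does not reveal them
        salt, stored = self._users.get(name, (b"\x00" * 16, b""))
        ok = hmac.compare_digest(derive(password, salt), stored)
        return name if ok else None

# Requirement 2: internal control listing who may do what to which resource.
# Anything not listed is denied by default.
ACL = {
    ("alice", "payroll.db"): {"read", "write"},
    ("bob", "payroll.db"): {"read"},
}

def request(gate, name, password, resource, action):
    user = gate.identify(name, password)
    if user is None:
        return "denied: not identified"
    if action not in ACL.get((user, resource), set()):
        return "denied: not authorised"
    return "granted"

def demo_access():
    gate = Gatekeeper()
    gate.enroll("alice", "constructed-pw-1")
    gate.enroll("bob", "constructed-pw-2")
    return [
        request(gate, "alice", "constructed-pw-1", "payroll.db", "write"),
        request(gate, "bob", "constructed-pw-2", "payroll.db", "write"),
        request(gate, "bob", "constructed-pw-2", "payroll.db", "read"),
        request(gate, "alice", "wrong-guess", "payroll.db", "read"),
        request(gate, "mallory", "anything", "payroll.db", "read"),
    ]
```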
