Computer Network Security

Lecture-1

Course Outline
1. Introduction
– Attacks, services and mechanisms
– Security services
– A generic model for network security
– RFC and Internet standards for security
2. Conventional Encryption
– Principles
– Algorithms
– Cipher block modes of operation
– Location of encryption devices
– Key distribution
3. Public Key Cryptography
– Approaches to Authentication
– Hash
– PKI principles and algorithms
– Digital Signatures
– Key Management
• Network Security Applications: Authentication
– Kerberos
– X.509 Directory authentication service
• Network Security Applications: Email security
– Pretty Good Privacy
– S/MIME
• IP Security
– Overview
– Architecture
– Authentication header
– Encapsulating security payload
– Combining security associations
– Key management
– VPN applications
• System Security
– Intruders
– Viruses and related threats
– Firewall design principles
– Trusted systems

Text Book and Reference
• Text
– Cryptography and Network Security: Principles and Practices by William Stallings, 4th Ed.
• Reference
– Network Security, Charles P. Pfleeger, Prentice Hall
• cns2018@yahoogroups.com

Computer Security by Saneeha Ahmed


Introduction
• Network Security Basics
– Define computer and network security
– Historical ciphers and techniques
– Attacks, security services and mechanisms
– Encryption and crypto systems

Trends in Attack Sophistication vs. Intruder Knowledge

What is security?
• Security is about protection of assets.
– D. Gollmann, Computer Security, Wiley
• Absolute security is only possible if the asset is never bought or used!!!
• Computer Security
– A generic name for the collection of tools designed to protect data and thwart hackers.
• Network Security
– Includes the measures that are needed to protect data during transmission.

What is security?
• Real-world security depends on the following 3 things: a) specification/policy, b) implementation/mechanism, c) correctness/assurance.
• The CIA triad
– Confidentiality
– Integrity
– Availability

What is security?
• Information Security
– Information system security is the function that ensures protection of the information resources of a firm. Potential threats are identified and countermeasures are established.
G. Dhillon, Principles of Information Systems Security, Wiley, 2007
– Prevention
– Detection
– Reaction

Internet Shopping example
• Prevention
– Encryption.
– Not sharing password/credit card number etc.
– Use secure services like PayPal
• Detection
– An unauthorized transaction appears on your credit card
• Reaction
– Complain, sue, or forget it!!!

Why Security is Important
Security is not something we want to have to pay for. It would be nice if we did not have to worry about protecting our data from disclosure, modification or destruction from unauthorized individuals, but that is not the environment that we find ourselves in.
– W.A. Conklin et al., Principles of Computer Security, McGraw-Hill, 2004
[Figure: CERT statistics]

Why Security is Important
• Credit Card?
• Online Shopping?
• Just browsing?
• Web-based apps/services?
• Unwanted advertisements?

Basic Security Concepts
• Vulnerability
– A weakness that can be exploited
• Threat
– An action or tool that can exploit a vulnerability
• Attack
– Defines the details of how a threat can be used to exploit a vulnerability
• Security Services
– Remedies, defenses or countermeasures against vulnerabilities, such as authorization.
• Security mechanisms
– Schemes used to implement a security service, such as access lists

Attacks
• Passive Attacks
– Monitoring of transmission
– Eavesdropping, Traffic Analysis
• Active Attacks
– Involves modification of data or creation of a false stream
• Masquerade
• Replay
• Modification of Messages
• Denial of service

Taxonomy of Attacks
• Security attacks
– Confidentiality
• Snooping
• Traffic analysis
– Availability
• DOS
– Integrity
• Modification
• Masquerade
• Replay
• Repudiation

Security Services
• To prevent or detect attacks
• To enhance the security
• Implemented through a set of security mechanisms

Taxonomy of Security Services
• Data Confidentiality
• Data Integrity
– Anti-change
– Anti-replay
• Authentication
– Peer entity
– Data origin
• Non Repudiation
– Proof of origin
– Proof of delivery
• Access Control

Basic Security Service
• Authentication
– Ensuring that an identity is as it is claimed
• Peer Authentication
– Sender and receiver are both authenticated by each other
• Data origin authentication
– Only the sender is authenticated before the information is accepted. Useful for broadcast information
• Access Control
– Prevention of unauthorized access to the information

Basic Security Services
• Data Confidentiality
– Protection of data from unauthorized disclosure.
• Connection: user data on a particular connection
• Connectionless: all user data on a block
• Selective field: selective fields of user data on a block or connection
• Traffic flow: information that might be derived from traffic flow analysis
• Data Integrity
– Assurance that data is exactly the same as sent by the authorized sender, i.e., no modification

Basic Security Services
• Non-repudiation
– Protection against denial by one of the parties
• Origin non-repudiation
• Destination non-repudiation
• Question
– How is non-repudiation related to authentication? And how is authentication related to integrity?

More on Security Services
• Confidentiality vs Privacy
– Both protect against unauthorized disclosure of information
– Confidentiality makes use of encryption to hide all data
– Privacy involves keeping certain important data unavailable to unauthorized parties
• Integrity
– Protection of information from modification or reuse; the classic example is man-in-the-middle
• Access Control and authorization
– Authorization is to provide access rights as tailored to a particular user/application.
– Access control is to check who is allowed to use/access a resource.

More on Security Services
• Authentication
– Deals with assuring the identity of a user. Making sure a person is who he claims to be.
• Availability
– Deals with assuring that the communication system or resource is available to the authorized users. Ensuring that a service is not disrupted or blocked from legitimate users
• Non-repudiation
– It is concerned with ensuring that an entity cannot deny its action after commencement. Prevents senders and receivers from denying information that has already been exchanged.

More on Security Services
• Accountability
– An unbiased record-keeping of activities.
– Question is: what to log and how often.
• X.800 defines a security service as a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers.
– Divides services into 5 groups, with a total of 14 specific services in these groups

Taxonomy of Security Mechanisms
• Encipherment
• Integrity
• Digital Signatures
• Authentication
• Traffic Padding
• Routing Control
• Notarization/auditing
• Access Control

Relationship between services and mechanisms

Security Mechanisms
• Message digest
• Digital Signature or Message Authentication Code
• Authentication Exchange
• Encryption
• Notarization – (third-party based authentication)
• Time stamping
• Non cryptographic mechanisms
– Traffic padding/analysis
– Intrusion detection
– firewall
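Added example (not part of the original slides): how two of the mechanisms listed above, a message authentication code and a sequence number, provide the anti-change and anti-replay parts of the data integrity service together with data origin authentication. The frame layout, the sample key and the names `protect` and `Receiver` are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA-256 output size in bytes


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: frame = 8-byte sequence number || payload || MAC."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiver side: verify the MAC first, then enforce increasing sequence numbers."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return ("rejected", "truncated frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison; a mismatch means the frame was changed
        # in transit or was not produced by a holder of the shared key.
        if not hmac.compare_digest(tag, expected):
            return ("rejected", "integrity check failed")
        (seq,) = struct.unpack(">Q", body[:8])
        # A valid MAC on an already-seen sequence number is a replayed frame.
        if seq <= self.last_seq:
            return ("rejected", "replay")
        self.last_seq = seq
        return ("accepted", body[8:])


def demo():
    key = b"constructed-demo-key-not-a-real-secret"  # constructed sample key
    rx = Receiver(key)
    frame = protect(key, 1, b"pay 100 to alice")  # constructed sample message
    tampered = frame.replace(b"100", b"900")  # modification of message
    forged = protect(b"wrong-key", 2, b"pay 100 to mallory")  # masquerade
    # Order: genuine frame, modified frame, same frame again, forged frame.
    return [rx.accept(f) for f in (frame, tampered, frame, forged)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The MAC is checked before the sequence number so that a modified or forged frame can never advance the receiver's replay counter.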

Typical Security Requirements
• Requirement: Threat
– Enterprise: masquerade, data corruption, eavesdropping
– Banking: forgery, repudiation, masquerade, eavesdropping
– Govt: data loss/corruption, eavesdropping, forgery, masquerade
– Public Network: DOS, eavesdropping, masquerade, unauthorized access

Relation between mechanisms and services

A simple Communication Network Security Model

Network Security Model Requirements
• Requirements
– Designing a suitable algorithm for the security transformation
– Generating the secret keys to be used by the algorithm
– Developing methods to share the secret information
– Specifying protocols enabling the principals to use the transformation and secret information for a security service.

Symmetric Encryption Cryptosystem

Characteristics for Symmetrical Encryption Cryptosystems
• Transformation methods:
– Substitution operation
– Transposition Operation
– Product Operation
• Number of Keys
– Single
– Two or more
• Plain Text
– Block
– Stream

Network access security model

Network access model requirements
• Select gatekeeper functions
• Monitor activity for unwanted intruders

Security Policy
• A security policy is a statement of what is and what is
not allowed
• Security policies
– Set of rules that specify
• How resources are managed to satisfy security requirements
• Which actions are permitted and which are not
– Ultimate aim
• Prevent security violations
– Scope
• Organizational or individual
– Implementation
• Partially automated but mostly manual

Fundamental Dilemma of Security
• Unaware users do have some security requirements, but they do not have the expertise
• The solution is to provide security in predefined classes specified in some common criteria

Fundamental Tradeoff
• Between security and ease of use
• If security is an add-on that people have to do to get it then most of the time they will not get it.
– Martin Hellman

Design criteria for a successful product
• User transparent
– Do not assume users would be experts, but provide enough features for experts.
• Hypothesis
– A security feature is a plus, but a security product is a challenge to sell
• Homework
– Prove or disprove this hypothesis by making a web search

What is good enough security
• Everything should be as secure as necessary but not securer
– Ravi Sandhu, IEEE Internet Computing, January/February 2003, pp. 66-68
