UNIT - I Cryptography & Network Security Student Handout UNIT – I Cryptography & Network Security © Dept.s of CSE & IT, PEC For the internal circulation in Pragati Engineering College only Page 1 Soma Sekhar T.
UNIT - I Cryptography & Network Security Student Handout Computer Security Concepts Computer Security: The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information / data, and telecommunications). This definition introduces three key objectives that are at the heart of computer security: • Confidentiality: This term covers two related concepts: Data Confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals. Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed. • Integrity: This term covers two related concepts: Data integrity: Assures that information and programs are changed only in a specified and authorized manner. System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system. • Availability: Assures that systems work promptly and service is not denied to authorized users. Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source. Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. Threat: A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability. Attack: An attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset. ITU-T Recommendation X.800, Security Architecture for OSI, defines such a systematic approach. The OSI security architecture is useful to managers as a way of organizing the task of providing security. Furthermore, because this architecture was developed as an international standard, computer and communications vendors have developed security features for their products and services that relate to this structured definition of services and mechanisms. The OSI security architecture focuses on security attacks, mechanisms, and services. These can be defined briefly as • Security attack: Any action that compromises the security of information owned by an organization. • Security mechanism: A process that is designed to detect, prevent, or recover from a security attack. © Dept.s of CSE & IT, PEC For the internal circulation in Pragati Engineering College only Page 2 Soma Sekhar T.
UNIT - I Cryptography & Network Security Student Handout • Security service: A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization. The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service. Security Attacks: Passive Attacks: A passive attack attempts to learn or make use of information from the system but does not affect system resources. Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are the release of message contents and traffic analysis. The release of message (below fig.(a)) contents is easily understood. A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information. We would like to prevent an opponent from learning the contents of these transmissions. Passive Attacks © Dept.s of CSE & IT, PEC For the internal circulation in Pragati Engineering College only Page 3 Soma Sekhar T.
UNIT - I Cryptography & Network Security Student Handout A second type of passive attack, traffic analysis (above fig.(b)), is subtler. Suppose that we had a way of masking the contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from the message. The common technique for masking contents is encryption. If we had encryption protection in place, an opponent might still be able to observe the pattern of these messages. The opponent could determine the location and identity of communicating hosts and could observe the frequency and length of messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place. Passive attacks are very difficult to detect, because they do not involve any alteration of the data. Typically, the message traffic is sent and received in an apparently normal fashion, and neither the sender nor receiver is aware that a third party has read the messages or observed the traffic pattern. However, it is feasible to prevent the success of these attacks, usually by means of encryption. Thus, the emphasis in dealing with passive attacks is on prevention rather than detection. Active Attacks: Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service. A masquerade (below fig.(a)) takes place when one entity pretends to be a different entity. A masquerade attack usually includes one of the other forms of active attack. For example, authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges. Replay (below fig.(b)) involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect. Modification of messages (below fig.(c)) simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect. For example, a message meaning ―Allow John Smith to read confidential file accounts‖ is modified to mean ―Allow Fred Brown to read confidential file accounts.‖ The denial of service (below fig.(d)) prevents or inhibits the normal use or management of communications facilities. This attack may have a specific target; for example, an entity may suppress all messages directed to a particular destination. Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance. Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely because of the wide variety of potential physical, software, and network vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them. If the detection has a deterrent effect, it may also contribute to prevention. © Dept.s of CSE & IT, PEC For the internal circulation in Pragati Engineering College only Page 4 Soma Sekhar T.