chapter 01
TRANSCRIPT
![Page 1: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/1.jpg)
1Vijay Katta
Chapter 1
Introduction
Vijay Katta
![Page 2: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/2.jpg)
2Vijay Katta
To define three security goals
To define security attacks that threaten security goals
To define security services and how they are related to the three security goals
To define security mechanisms to provide security services
To introduce two techniques, cryptography and steganography, to implement security mechanisms.
Objectives
Chapter 1
![Page 3: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/3.jpg)
3Vijay Katta
DefinitionsDefinitions
Computer SecurityComputer Security - - generic name generic name for the collection of tools designed to for the collection of tools designed to protect data and to thwart hackersprotect data and to thwart hackers
Network SecurityNetwork Security - - measures to measures to protect data during their transmissionprotect data during their transmission
Internet SecurityInternet Security - - measures to measures to protect data during their transmission protect data during their transmission over a collection of interconnected over a collection of interconnected networksnetworks
![Page 4: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/4.jpg)
4Vijay Katta
1-1 SECURITY GOALS1-1 SECURITY GOALS
This section defines three security goals. This section defines three security goals.
1.1.1 Confidentiality1.1.2 Integrity1.1.3 Security
Topics discussed in this section:Topics discussed in this section:
![Page 5: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/5.jpg)
5Vijay Katta
Figure 1.1 Taxonomy of security goals
1.1 Continued
![Page 6: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/6.jpg)
6Vijay Katta
1.1.1 Confidentiality
Confidentiality is probably the most common aspect of information security. We need to protect our confidential information. An organization needs to guard against thosemalicious actions that endanger the confidentiality of its information.
![Page 7: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/7.jpg)
7Vijay Katta
1.1.2 Integrity
Information needs to be changed constantly. Integrity means that changes need to be done only by authorized entities and through authorized mechanisms.
![Page 8: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/8.jpg)
8Vijay Katta
1.1.3 Availability
The information created and stored by an organization needs to be available to authorized entities. Information needs to be constantly changed, which means it must be accessible to authorized entities.
![Page 9: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/9.jpg)
9Vijay Katta
Network Security ModelNetwork Security Model
Trusted Third Party
principal principal
Security transformation
Security transformation
attacker
![Page 10: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/10.jpg)
10Vijay Katta
1-2 ATTACKS1-2 ATTACKS
The three goals of securityThe three goals of securityconfidentiality, integrity, confidentiality, integrity, and availabilityand availabilitycan be threatened by security attacks. can be threatened by security attacks.
1.2.1 Attacks Threatening Confidentiality1.2.2 Attacks Threatening Integrity1.2.3 Attacks Threatening Availability1.2.4 Passive versus Active Attacks
Topics discussed in this section:Topics discussed in this section:
![Page 11: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/11.jpg)
11Vijay Katta
Figure 1.2 Taxonomy of attacks with relation to security goals
1.2 Continued
![Page 12: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/12.jpg)
12Vijay Katta
1.2.1 Attacks Threatening Confidentiality
Snooping refers to unauthorized access to or interception of data.
Traffic analysis refers to obtaining some other type of information by monitoring online traffic.
![Page 13: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/13.jpg)
13Vijay Katta
Information TransferringInformation Transferring
![Page 14: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/14.jpg)
14Vijay Katta
Attack: InterruptionAttack: Interruption
Cut wire lines,Jam wireless
signals,Drop packets,
![Page 15: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/15.jpg)
15Vijay Katta
Attack: InterceptionAttack: Interception
Wiring, eavesdrop
![Page 16: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/16.jpg)
16Vijay Katta
1.2.2 Attacks Threatening Integrity
Modification means that the attacker intercepts the message and changes it.
Masquerading or spoofing happens when the attacker impersonates somebody else.
Replaying means the attacker obtains a copy of a message sent by a user and later tries to replay it.
Repudiation means that sender of the message might later deny that she has sent the message; the receiver of the message might later deny that he has received the message.
![Page 17: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/17.jpg)
17Vijay Katta
Attack: ModificationAttack: Modification
interceptReplaced
info
![Page 18: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/18.jpg)
18Vijay Katta
Attack: FabricationAttack: Fabrication
Also called impersonation
![Page 19: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/19.jpg)
19Vijay Katta
1.2.3 Attacks Threatening Availability
Denial of service (DoS) is a very common attack. It may slow down or totally interrupt the service of a system.
![Page 20: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/20.jpg)
20Vijay Katta
1.2.4 Passive Versus Active Attacks
Table 1.1 Categorization of passive and active attacks
![Page 21: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/21.jpg)
21Vijay Katta
1-3 SERVICES AND MECHANISMS1-3 SERVICES AND MECHANISMS
ITU-T provides some security services and some ITU-T provides some security services and some mechanisms to implement those services. Security mechanisms to implement those services. Security services and mechanisms are closely related because aservices and mechanisms are closely related because amechanism or combination of mechanisms are used to mechanism or combination of mechanisms are used to provide a service..provide a service..
1.3.1 Security Services1.3.2 Security Mechanism1.3.3 Relation between Services and Mechanisms
Topics discussed in this section:Topics discussed in this section:
![Page 22: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/22.jpg)
22Vijay Katta
1.3.1 Security ServicesFigure 1.3 Security services
![Page 23: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/23.jpg)
23Vijay Katta
Security Services (X.800)Security Services (X.800)
1) Authentication-1) Authentication- --- Peer Entity authentication.--- Peer Entity authentication. --- Data Origin authentication.--- Data Origin authentication.2)Data Confidentiality-2)Data Confidentiality- ---Connection Confidentiality.---Connection Confidentiality. ---Connectionless confidentiality.---Connectionless confidentiality. ---Selected Field confidentiality.---Selected Field confidentiality. ---Traffic Flow Confidentiality. ---Traffic Flow Confidentiality.
![Page 24: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/24.jpg)
24Vijay Katta
Security Services (X.800)Security Services (X.800)
3)Data Integrity.3)Data Integrity.
-Connection integrity with recovery.-Connection integrity with recovery.
- Connection integrity without - Connection integrity without recovery.recovery.
- Connectionless integrity.- Connectionless integrity.
-Selected field connection Integrity.-Selected field connection Integrity.
- Selected field connectionless - Selected field connectionless Integrity. Integrity.
![Page 25: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/25.jpg)
25Vijay Katta
Security Services (X.800)Security Services (X.800)
4)Nonrepuditation4)Nonrepuditation
-nonrepuditation Origin.-nonrepuditation Origin.
- nonrepuditation destination.- nonrepuditation destination.
5) Access Control5) Access Control
![Page 26: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/26.jpg)
26Vijay Katta
1.3.2 Security MechanismFigure 1.4 Security mechanisms
![Page 27: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/27.jpg)
27Vijay Katta
1.3.3 Relation between Services and Mechanisms
Table 1.2 Relation between security services and mechanisms
![Page 28: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/28.jpg)
28Vijay Katta
Model for Network Model for Network SecuritySecurity
![Page 29: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/29.jpg)
29Vijay Katta
Model for Network Model for Network SecuritySecurity
using this model requires us to: using this model requires us to: design a suitable algorithm for the design a suitable algorithm for the
security transformation security transformation generate the secret information (keys) generate the secret information (keys)
used by the algorithm used by the algorithm develop methods to distribute and share develop methods to distribute and share
the secret information the secret information specify a protocol enabling the specify a protocol enabling the
principals to use the transformation and principals to use the transformation and secret information for a security service secret information for a security service
![Page 30: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/30.jpg)
30Vijay Katta
Model for Network Access Model for Network Access SecuritySecurity
![Page 31: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/31.jpg)
31Vijay Katta
Model for Network Access Model for Network Access SecuritySecurity
using this model requires us to: using this model requires us to: select appropriate gatekeeper functions select appropriate gatekeeper functions
to identify users to identify users implement security controls to ensure implement security controls to ensure
only authorised users access designated only authorised users access designated information or resources information or resources
trusted computer systems can be trusted computer systems can be used to implement this model used to implement this model
![Page 32: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/32.jpg)
32Vijay Katta
Secure CommunicationSecure Communication
protecting data locally only solves a protecting data locally only solves a minor part of the problem. The major minor part of the problem. The major challenge that is introduced by the Web challenge that is introduced by the Web Service security requirements is to Service security requirements is to secure data transport between the secure data transport between the different components. Combining different components. Combining mechanisms at different levels of the mechanisms at different levels of the Web Services protocol stack can help Web Services protocol stack can help secure data transport (see figure next secure data transport (see figure next page).page).
![Page 33: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/33.jpg)
33Vijay Katta
Secure CommunicationSecure Communication
![Page 34: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/34.jpg)
34Vijay Katta
Secure CommunicationSecure Communication The combined protocol HTTP/TLS or SSL is The combined protocol HTTP/TLS or SSL is
often referred to as HTTPS (see figure). SSL often referred to as HTTPS (see figure). SSL was originally developed by Netscape for was originally developed by Netscape for secure communication on the Internet, and secure communication on the Internet, and was built into their browsers. SSL version 3 was built into their browsers. SSL version 3 was then adopted by IETF and standardized as was then adopted by IETF and standardized as the Transport Layer Security (TLS) protocol.the Transport Layer Security (TLS) protocol.
Use of Public Key Infrastructure (PKI) for Use of Public Key Infrastructure (PKI) for session key exchange during the handshake session key exchange during the handshake phase of TLS has been quite successful in phase of TLS has been quite successful in enabling Web commerce in recent years. enabling Web commerce in recent years.
TLS also has some known vulnerabilities: it is TLS also has some known vulnerabilities: it is susceptible to man-in-the-middle attacks and susceptible to man-in-the-middle attacks and denial-of-service attacks. denial-of-service attacks.
![Page 35: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/35.jpg)
35Vijay Katta
SOAP securitySOAP security SOAP (Simple Object Access Protocol) is designed to SOAP (Simple Object Access Protocol) is designed to
pass through firewalls as HTTP. This is disquieting from pass through firewalls as HTTP. This is disquieting from a security point of view. Today, the only way we can a security point of view. Today, the only way we can recognize a SOAP message is by parsing XML at the recognize a SOAP message is by parsing XML at the firewall. The SOAP protocol makes no distinction firewall. The SOAP protocol makes no distinction between reads and writes on a method level, making it between reads and writes on a method level, making it impossible to filter away potentially dangerous writes. impossible to filter away potentially dangerous writes. This means that a method either needs to be fully This means that a method either needs to be fully trusted or not trusted at all. trusted or not trusted at all.
The SOAP specification does not address security issues The SOAP specification does not address security issues directly, but allows for them to be implemented as directly, but allows for them to be implemented as extensions. extensions. As an example, the extension SOAP-DSIG defines the syntax and As an example, the extension SOAP-DSIG defines the syntax and
processing rules for digitally signing SOAP messages and processing rules for digitally signing SOAP messages and validating signatures. Digital signatures in SOAP messages validating signatures. Digital signatures in SOAP messages provide integrity and non-repudiation mechanisms. provide integrity and non-repudiation mechanisms.
![Page 36: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/36.jpg)
36Vijay Katta
PKIPKI PKI key management provides a sophisticated framework PKI key management provides a sophisticated framework
for securely exchanging and managing keys. The two main for securely exchanging and managing keys. The two main technological features, which a PKI can provide to Web technological features, which a PKI can provide to Web Services, are:Services, are: Encryption of messagesEncryption of messages: by using the public key of the recipient : by using the public key of the recipient Digital signaturesDigital signatures: non-repudiation mechanisms provided by PKI : non-repudiation mechanisms provided by PKI
and defined in SOAP standards may provide Web Services and defined in SOAP standards may provide Web Services applications with legal protection mechanisms applications with legal protection mechanisms
Note that the features provided by PKI address the same Note that the features provided by PKI address the same basic needs as those that are recognized by the basic needs as those that are recognized by the standardization organizations as being important in a Web standardization organizations as being important in a Web Services context. Services context.
In Web Services, PKI mainly intervenes at two levels: In Web Services, PKI mainly intervenes at two levels: At the SOAP level (non-repudiation, integrity) At the SOAP level (non-repudiation, integrity) At the HTTPS level (TLS session negotiation, eventually assuring At the HTTPS level (TLS session negotiation, eventually assuring
authentication, integrity and privacy)authentication, integrity and privacy)
![Page 37: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/37.jpg)
37Vijay Katta
1-4 TECHNIQUES1-4 TECHNIQUES
Mechanisms discussed in the previous sections are Mechanisms discussed in the previous sections are only theoretical recipes to implement security. The only theoretical recipes to implement security. The actual implementation of security goals needs some actual implementation of security goals needs some techniques. Two techniques are prevalent today: techniques. Two techniques are prevalent today: cryptography and steganography. cryptography and steganography.
1.4.1 Cryptography1.4.2 Steganography
Topics discussed in this section:Topics discussed in this section:
![Page 38: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/38.jpg)
38Vijay Katta
1.4.1 Cryptography
Cryptography, a word with Greek origins, means “secret writing.” However, we use the term to refer to the science and art of transforming messages to make them secure and immune to attacks.
![Page 39: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/39.jpg)
39Vijay Katta
1.4.2 Steganography
The word steganography, with origin in Greek, means “covered writing,” in contrast with cryptography, which means “secret writing.”
Example: covering data with text
![Page 40: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/40.jpg)
40Vijay Katta
1.4.2 Continued
Example: using dictionary
Example: covering data under color image
![Page 41: Chapter 01](https://reader035.vdocument.in/reader035/viewer/2022081422/557cc9e9d8b42a7e5b8b4b76/html5/thumbnails/41.jpg)
41Vijay Katta
1-5 THE REST OF THE BOOK1-5 THE REST OF THE BOOK
The rest of this book is divided into four parts.The rest of this book is divided into four parts.
Part One: Symmetric-Key EnciphermenPart One: Symmetric-Key Enciphermen
Part Two: Asymmetric-Key EnciphermentPart Two: Asymmetric-Key Encipherment
Part Three: Integrity, Authentication, and Key ManagementPart Three: Integrity, Authentication, and Key Management
Part Four: Network SecurityPart Four: Network Security