network security and cryptography - 123seminarsonly.com · dept. of ece network security &...
TRANSCRIPT
Network Security and
Cryptography
Lecture 1
Uday Prakash Pethakamsetty
Lecturer, JNTUHCEH
The art of war teaches us to rely not on the
likelihood of the enemy's not coming, but on our
own readiness to receive him; not on the chance of
his not attacking, but rather on the fact that we
have made our position unassailable.
—The Art ofWar, SunTzu
Prevention is better than Cure.
12/13/2012 2Dept. of ECE Network Security & Cryptography
Timeline: Art of WAR
12/13/2012Dept. of ECE Network Security &
Cryptography3
Information Security
• Computer Security - generic name
for the collection of tools designed toprotect data and to thwart hackers.
• Network Security - measures to
protect data during their transmission.
• Internet Security - measures to
protect data during their transmission over acollection of interconnected networks.
12/13/2012Dept. of ECE Network Security &
Cryptography4
Computer Security
• Protection to an automated information system.
• Objective: security with preserving Information system
Resource with
Integrity
Availability
Confidentiality
12/13/2012 5Dept. of ECE Network Security & Cryptography
Levels of Impact
There are 3 levels of impact from a
security breach
1. Low
2. Moderate
3. High
12/13/2012 6Dept. of ECE Network Security & Cryptography
Low Impact
• Security Breach may have a limited adverse effect on
organizational operations, organizational assets, or individuals.
• Ex: loss of confidentiality, integrity, or availability might
1. cause a degradation in mission capability to an extent and duration
that the organization is able to perform its primary functions, but the
effectiveness of the functions is noticeably reduced;
2. result in minor damage to organizational assets;
3. result in minor financial loss; or
4. result in minor harm to individuals.
12/13/2012 7Dept. of ECE Network Security & Cryptography
Moderate Impact
• May have a serious adverse effect on organizational operations,
organizational assets, or individuals.
• Ex:The loss might
1. cause a significant degradation in mission capability to an extent
and duration that the organization is able to perform its primary
functions, but the effectiveness of the functions is significantly
reduced;
2. result in significant damage to organizational assets;
3. result in significant financial loss; or
4. result in significant harm to individuals that does not involve loss of
life or serious, life-threatening injuries.
12/13/2012 8Dept. of ECE Network Security & Cryptography
High Impact
• May have a severe or catastrophic adverse effect on
organizational operations, organizational assets, or individuals.
• Ex: The loss might
1. cause a severe degradation in or loss of mission capability to an
extent and duration that the organization is not able to perform one
or more of its primary functions;
2. result in major damage to organizational assets;
3. result in major financial loss; or
4. result in severe or catastrophic harm to individuals involving loss of
life or serious life threatening injuries.
12/13/2012 9Dept. of ECE Network Security & Cryptography
Examples of Security Requirements
• Confidentiality – student grades
• Integrity – patient information
• Availability – authentication service
• Authenticity (Origin Integrity)-admission
Ticket
• Non-Repudiation-stock sell order
12/13/2012 10Dept. of ECE Network Security & Cryptography
HACKING Ex: exploiting Browser Vulnerability
12/13/2012Dept. of ECE Network Security &
Cryptography11
Computer Security Challenges
1. Not simple – easy to get it wrong
2. Must consider potential attacks
3. Procedures used counter-intuitive
4. Involve algorithms and secret info
5. Must decide where to deploy mechanisms
6. “Unusable security is not secure”
12/13/2012 12Dept. of ECE Network Security & Cryptography
Standards Organizations
• National Institute of Standards & Technology (NIST)
• Internet Society (ISOC)
• International Telecommunication Union Telecommunication
Standardization Sector (ITU-T)
• International Organization for Standardization (ISO)
• RSA Labs (de facto)
12/13/2012 13Dept. of ECE Network Security & Cryptography
Security Aspects
• There are THREE aspects of information security:
I. SECURITY ATTACK
II. SECURITY MECHANISM (CONTROL)
III. SECURITY SERVICE
• Difference Between Threat, Vulnerability and an Attack?– Threat – a potential for violation of security
– Vulnerability – a way by which loss can happen
– Attack – an assault on system security, a deliberate attempt to evade security
services
12/13/2012 14Dept. of ECE Network Security & Cryptography
Dept. of ECE Network Security & Cryptography 15
Classify Security Attacks
• PASSIVE ATTACKS - eavesdropping on, or monitoring of, transmissions to:
– obtain message contents, or
– monitor traffic flows
• ACTIVE ATTACKS – modification of data stream to:
– masquerade of one entity as some other
– replay previous messages
– modify messages in transit
– denial of service
12/13/2012
Passive Attack - Interception
12/13/2012 16Dept. of ECE Network Security & Cryptography
Passive Attack: Traffic Analysis
Observe traffic pattern
12/13/2012 17Dept. of ECE Network Security & Cryptography
Active Attack: Interruption
Block delivery of message
12/13/2012 18Dept. of ECE Network Security & Cryptography
Active Attack: Fabrication
Fabricate message
12/13/2012 19Dept. of ECE Network Security & Cryptography
Active Attack: Replay
12/13/2012 20Dept. of ECE Network Security & Cryptography
Active Attack: Modification
Modify message
12/13/2012 21Dept. of ECE Network Security & Cryptography
Handling Attacks
Passive attacks – focus on Prevention
– Easy to stop
– Hard to detect
Active attacks – focus on Detection
and Recovery
– Hard to stop
– Easy to detect
12/13/2012 22Dept. of ECE Network Security & Cryptography
Dept. of ECE Network Security & Cryptography 23
Security Services
• X.800: a service provided by a protocol layer of
communicating open systems, which ensures adequate
security of the systems or of data transfers
• RFC 2828 : a processing or communication service
provided by a system to give a specific kind of
protection to system resources
• X.800 defines it in 5 major categories
12/13/2012
Security Service
– enhance security of data processing systems
and information transfers of an organization
– intended to counter security attacks
– using one or more security mechanisms
– often replicates functions normally
associated with physical documents
• which, for example, have signatures, dates; need
protection from disclosure, tampering, or
destruction; be notarized or witnessed; be
recorded or licensed
12/13/2012 24Dept. of ECE Network Security & Cryptography
OSI Security Architecture
• ITU-T X.800 “Security Architecture for
OSI”
• defines a systematic way of defining and
providing security requirements
• for us it provides a useful, if abstract,
overview of concepts we will study
12/13/2012 25Dept. of ECE Network Security & Cryptography
Dept. of ECE Network Security & Cryptography 26
Security Services (X.800)• AUTHENTICATION - assurance that the communicating entity is the one
claimed
• ACCESS CONTROL - prevention of the unauthorized use of a resource
• DATA CONFIDENTIALITY –protection of data from unauthorized
disclosure
• DATA INTEGRITY - assurance that data received is as sent by an
authorized entity
• NON-REPUDIATION - protection against denial by one of the parties in
a communication.
• AVAILABILITY – resource accessible/usable
12/13/2012
Dept. of ECE Network Security & Cryptography 27
Security Mechanisms (X.800)
• specific security mechanisms:
– encipherment, digital signatures, access controls, data integrity,
authentication exchange, traffic padding, routing control,
notarization
• pervasive security mechanisms:
– trusted functionality, security labels, event detection, security
audit trails, security recovery
12/13/2012
Security Mechanisms (X.800)
• a.k.a. control
• feature designed to detect, prevent, orrecover from a security attack
• no single mechanism that will support allservices required
• however one particular elementunderlies many of the securitymechanisms in use:– cryptographic techniques
• hence our focus on this topic
12/13/2012 28Dept. of ECE Network Security & Cryptography
Security Mechanisms (X.800)
• specific security mechanisms:
– encipherment, digital signatures, access
controls, data integrity, authentication exchange,
traffic padding, routing control, notarization
• pervasive security mechanisms:
– trusted functionality, security labels, event
detection, security audit trails, security recovery12/13/2012 29Dept. of ECE Network Security & Cryptography
References• William Stallings, “Cryptography and Network
Security-Principles and Practices”, 4e, Pearson-
Printice Hall publications,ISBN 81-7758-774-9.
• Behrouz A. Forouzan, Debdeep Mukhopadhyay,
“Cryptography and Network Security” 2e,
McGrawHill Publications, ISBN 978-0-07-070208-0.
12/13/2012Dept. of ECE Network Security &
Cryptography30