With the introduction of the computer, it is necessary to have the automated tools for protecting files and other information stored on the computer. This is especially the case for a shared system, such as a time-sharing system, and the need is even more acute for systems that can be accessed over a public telephone or data network. The generic name for the collection of tools designed to protect data and to prevent hackers is computer security. Another major change that affected security is the introduction of distributed systems and the use of networks and communications facilities for carrying data between computers. Network security measures are needed to protect data during their transmission. One of the most publicized types of attack on information systems is the computer virus. A virus may be introduced into a system physically when it arrives on a diskette and is subsequently loaded onto a computer. Viruses may also arrive over an internet. In either case, once the virus is resident on a computer system, internal computer security tools are needed to detect and recover from the virus. Some of the security violations are: 1. User A transmits a file to user B. The file contains sensitive information (e.g. payroll records) that is to be protected. User C, who is not authorized to read the file, is able to monitor the transmission and capture a copy of the file during its transmission. 2. A network management application, D, transmits a message to a computer, E under its management. The message instructs computer E to update an authorization file to include the identities of a number of new users who are to be given access to that computer. User F intercepts the message, alters its contents to add or delete entries, and then forwards the message to E, which accepts the message as coming from manager D and updates its authorization file accordingly. 3. Rather than intercept a message, user F constructs its own message with the desired entries and transmits that message to E as if it had come from manager D. Computer E accepts the message as coming from manager D and updates its authorization file accordingly. Internetwork security is both attractive and complex. Some of the reasons follow: 1. Security involving communications and networks is not simple. The required security services are confidentiality, authentication, non-repudiation, integrity. But the mechanisms used to meet those requirements can be quite complex, and understanding them may involve rather subtle reasoning. 2. In developing a particular security mechanism or algorithm, one must always consider potential countermeasures. In many cases, countermeasures are designed by looking at the problem in a completely different way, therefore making use of an unexpected weakness in the mechanism. 3. Having designed various security mechanisms, it is necessary to decide where to use them. This is true both in terms of physical placement (e.g., at what points in a network are certain security mechanisms needed) and in a logical sense (e.g., at what layer or layers of an architecture such as TCP/IP should mechanisms be placed). 4. Security mechanisms usually involve more than a particular algorithm or protocol. They usually also require that participants be in possession of some secret information (e.g., an encryption key), which raises questions about the creation, distribution, and protection of that secret information. There is also a reliance on communications protocols whose behavior Page 1.1
or recover from a security attack. or the disabling of the file management system. and they make use of one or more security mechanisms to provide the service. Security Attacks Attacks on the security of a computer system or network are best characterized by viewing the function of the computer system as providing information. The services are intended to counter security attacks. to a destination. such as another file or a user. In general. such as a file or a region of main memory. This is an attack on availability. This is an attack on confidentiality. or a computer. such as a hard disk. the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. Security service: A service that enhances the security of the data processing systems and the information transfers of an organization. Examples include destruction of a piece of hardware. the cutting of a communication line. and Mechanisms To judge the security needs of an organization effectively and to evaluate and choose various security products and policies. prevent. Security mechanism: A mechanism that is designed to detect. Attacks. The four general categories of attacks are:
Interruption: An asset of the system is destroyed or becomes unavailable or unusable. there is a flow of information from a source. Examples include wiretapping to capture data in a network. and the unauthorized copying of files or programs.1a. if the proper functioning of the security mechanism requires setting time limits on the transit time of a message from sender to receiver. This normal flow is depicted in Figure 1. unpredictable delays may render such time limits meaningless. The unauthorized party could be a person. then any protocol or network that introduces variable. Services.2
. One approach is to consider three aspects of information security: Security attack: Any action that compromises the security of information owned by an organization. Page 1. Interception: An unauthorized party gains access to an asset. a program. For example.may complicate the task of developing the security mechanism.
Passive attacks are very difficult to detect because they do not involve any alteration of the data. For example. altering a program so that it performs differently. even if they captured the message. Authentication sequences can be captured and replayed after a valid authentication sequence has taken place. to produce an unauthorized effect. Examples include the insertion of spurious messages in a network or" the addition of records to a file. This is an attack on integrity. Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect. 2 Traffic analysis. The opponent could determine the location and identity of communicating hosts and could observe the frequency and length of messages being exchanged. The common technique for masking contents is encryption. If we had encryption protection in place. the emphasis in dealing with passive attacks is on prevention rather than detection.3
. or that messages are delayed or reordered. The traffic analysis is more subtle. and a transferred file may contain sensitive or confidential information. This information might be useful in guessing the nature of the communication that was taking place." Page 1. For example. The release of message contents is easily understood. could not extract the information from the message. and modifying the content of messages being transmitted in a network. However it is possible to prevent these attacks. Passive Attacks Passive attacks are in the nature of eavesdropping on. A message meaning "Allow A to read confidential file accounts. Examples include changing values in a data file. Modification of messages simply means that some portion of a legitimate message is altered. Thus. Fabrication: An unauthorized party inserts counterfeit objects into the system. This is an attack on authenticity. Two types of passive attacks are: 1 Release of message contents. A telephone conversation. Suppose that we had a way of masking the contents of message so that opponents. or monitoring of. thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges. We would like to prevent the opponent from learning the contents of these transmissions. The goal of the opponent is to obtain information that is being transmitted. an opponent might still be able to observe the pattern. an electronic mail message.
The security attacks can also be categorized in terms of passive attacks and active attacks." is modified to mean" Allow B to read confidential file accounts.
Modification: An unauthorized party not only gains access to but tampers with an asset. Four types of active attacks are: 1 Masquerade 2 Replay 3 Modification of messages 4 Denial of service A masquerade takes place when one entity pretends to be a different (other) entity. transmissions. Active Attacks Active attacks involve some modification of the data stream or the creation of a false stream.
the function of the authentication service is to assure the recipient that the message is from the source that it claims to be from. with no duplication. First. The destruction of data is also covered under this service.The denial of service prevents or inhibits the normal use or management of communications facilities. The other aspect of confidentiality is the protection of traffic flow from analysis. Integrity As with confidentiality. or replays. An entity may suppress all messages directed to a particular destination (e.. This requires that an attacker not be able to observe the source and destination. The broadest service protects all user data transmitted between two users over a period of time. length. Again. broad protection would prevent the release of any user data transmitted over the virtual circuit. These refinements are less useful than the broad approach and may even be more complex and expensive to implement. This attack may have a specific target. at the time of connection initiation. In the case of an ongoing interaction.g. such as the connection of a terminal to a host. including the protection of a single message or even specific fields within a message. With respect to the release of message contents. Active attacks quite difficult to prevent absolutely. modification. two aspects are involved. several levels of protection can be identified. a single message. integrity can apply to a stream of messages. If a violation of integrity is detected. for example. The goal is to detect them and to recover from any disruption or delays caused by them. Second. Authentication The authentication service is concerned with assuring that a communication is authentic. because to do so would require complete protection of all communications facilities and paths at all times. Because the integrity service relates to active attacks. either by disabling the network or by overloading it with messages so as to degrade performance. or other characteristics of the traffic on a communications facility. the most useful and straightforward approach is total stream protection. the service assures that the two entities are authentic (that is. such as a warning or alarm signal. and some other portion of software or human intervention is required to recover from the violation. or selected fields within a message. Page 1.4
. The disruption of an entire network. frequency. reordering. Integrity service assures that messages are received as sent. then the service may simply report this violation. we are concerned with detection rather than prevention. the security audit service). Security Services Confidentiality Authentication Integrity Nonrepudiation Access control Availability Confidentiality
Confidentiality is the protection of transmitted data from passive attacks. that each is the entity that it claims to be). insertion. the service must assure that the connection is not interfered with in such a way that a third party can masquerade as one of the two legitimate parties for the purposes of unauthorized transmission or reception. For example. In the case of a single message. Narrower forms of this service can also be defined.
it is hoped. who are the principals in this transaction. unknown to the opponent. TCP/IP) by the two principals. when a message is received. For example. Examples include the encryption of the message. An example is an encryption key used in conjunction with the transformation to scramble the message before transmission and unscramble it on reception. which scrambles the message so that it is unreadable by the opponent. when a message is sent. and the addition of a code based on the contents of the message. All the techniques for providing security have two components: A security-related transformation on the information to be sent. Thus. Nonrepudiation Nonrepudiation prevents either sender or receiver from denying a transmitted message. which can be used to verify the identity of the sender. A logical information channel is established by defining a route through the internet from source to destination and by the cooperative use of communication protocols (e.Alternatively. A Model for Network Security A message is to be transferred from one party to another across some sort of internet. Some secret information shared by the two principals and. such as authentication and encryption. the receiver can prove that the message was in fact sent by the alleged sender. whereas others require some sort of physical action to prevent or recover from loss of availability of elements of a distributed system. a third party Page 1.g. or authenticated. each entity trying to gain access must first be identified.5
. Similarly. there are mechanisms available to recover from the loss of integrity of data. Access Control Access control is the ability to limit and control the access to host systems and applications via communications links. must cooperate for the exchange to take place. Availability A variety of attacks can result in the loss of or reduction in availability.
To achieve secure transmission a trusted third party may be needed. The two parties. Some of these attacks are open to automated countermeasures. the sender can prove that the message was in fact received by the alleged receiver. so that access rights can be tailored to the individual. To achieve this control..
and other similar attacks.may be responsible for distributing the secret information to the two principals while keeping it from any opponent.. such as editors and compilers. 4 Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service.]
The Internet Society By universal agreement. The algorithm should be such that an opponent cannot defeat its purpose. obtaining credit card numbers or performing illegal money transfers). with no malign intent. simply gets satisfaction from breaking and entering a computer system. an organization known as the Internet Society (IS) is responsible for the Page 1. or a criminal who seeks to exploit computer assets for financial gain (e.. by either an unwanted user or unwanted software. Or a third party may be needed to arbitrate disputes between the two principals concerning the authenticity of a message transmission. This general model shows that there are four basic tasks in designing a particular security service: 1 Design an algorithm for performing the security-related transformation. A general model of one of the other security related situation is illustrated by Figure 1. 3 Develop methods for the distribution and sharing of the secret information. 2 Generate the secret information to be used with the algorithm. Once access is gained.6
The security mechanisms needed to cope with unwanted access fall into two broad categories 1 Gatekeeper 2 Internal Security Controls The gatekeeper function includes password-based login procedures that are designed to deny access to all but authorized users and screening logic that is designed to detect and reject worms. the second line of defense consists of a variety of Internal Security Controls that monitor activity and analyze stored information in an attempt to detect the presence of unwanted intruders. Intruder: Intruder can be a disgruntled (unhappy) employee who wishes to do damage. He can be someone who. [Note 1: Unwanted accesses are: Hacker: Hacker who attempt to penetrate systems that can be accessed over a network. viruses.4. which reflects a concern for protecting an information system from unwanted access.g. Software (Viruses and Worms): Logic that exploits vulnerabilities (weak points) in the system and that can affect application programs as well as utility programs.
it is withdrawn from the directory. The Internet Society is a professional membership organization that supervises a number of boards and task forces involved in Internet development and standardization. The working group may subsequently published a revised version of the draft. a working group will make a draft version of the document available as an Internet Draft. The white boxes in the Figure 1. At each step. They are Internet Architecture Board (IAB). on the recommendation of the IETF. The Standardization Process The decision of which RFCs become Internet standards is made by the IESG. providing guidance and broad direction to the IETF. Internet Engineering Steering Group (IESG): Responsible for technical management of IETF activities and the Internet standards process RFC Publication The actual development of new standards and protocols for the Internet is carried out by working groups chartered by the IETF.5 represent temporary states. engineering. Internet Engineering Task Force (IETF). To become a standard. During that time. Three organizations under the Internet Society are responsible for the actual work of standards development and publication: Internet Architecture Board (IAB): Responsible for defining the overall architecture of the internet. If the draft has not progressed to the status of an RFC during the six-month period. and interested parties may review and comment on the draft. A document in this series may be on essentially any topic related to computer communications and may be anything from a meeting report to the specification of a standard. and management. the IESG may approve publication of the draft as an RFC (Request for Comment). with approval of the IESG.7
. The Page 1. The document may remain as an Internet Draft for up to six months. Internet Engineering Task Force (IETF): The protocol engineering and development arm of the Internet. which is placed in the IETF’s ‘‘Internet Drafts’’ online directory. The Internet Society is the coordinating committee for Internet design. a specification must meet the following criteria: Be stable and well understood Be technically competent Have multiple. Internet Engineering Steering Group (IESG). the IETF must make a recommendation for advancement of the protocol.development and publication of standards for use over the Internet. It is the IETF that is responsible for publishing the RFCs. However. During the development of a specification. which should be occupied for the minimum practical time. called the standards track that a specification goes through to become a standard. a document must remain a Proposed Standard for at least six months and a Draft Standard for at least four months to allow time for review and comment. The steps involve increasing amounts of scrutiny (analysis) and testing. independent. and the IESG must ratify it. and interoperable implementations with substantial operational experience Enjoy significant public support Be recognizably useful in some or all parts of the Internet The series of steps. The process begins when the IESG approves the publication of an Internet Draft document as an RFC with the status of Proposed Standard.
For a specification to be advanced to Draft Standard status. SID number as well as an RFC number is assigned to the Specification. a specification may be put to Internet Standard. the specification may be resubmitted. there must be at least two independent and interoperable implementations from which adequate operational experience has been obtained. Finally. At this point. After significant implementation and operational experience has been obtained.
A protocol or other specification that is not considered ready for standardization may be published as an Experimental RFC. it is assigned to the Historic state.gray boxes represent long-term states that may be occupied for years.
Page 1. then the RFC will be designated a Proposed Standard.8
. is believed to be well understood. After further work. has resolved known design choices. and appears to enjoy enough community interest to be considered valuable. has received significant community review. when a protocol becomes obsolete. If the specification is generally stable.