
Cryptography and Network Security

UNIT – I

Part  Unit 1
A     Computer Security Concepts- OSI security Architecture, Security attacks, Services, mechanism, model of network security
B     Classical encryption techniques- Substitution Cipher (Mono-alphabetic, Poly-alphabetic), Transposition cipher, Steganography
C     Block Cipher- Encryption Principles, DES & strength of DES

Faculty Name : Dr. Amrita

Security

● Motivation: Why do we need security?
● Increased reliance on information technology, with or without the use of
networks.
● The use of IT has changed our lives drastically.
● We depend on e-mail, Internet banking, and several other governmental
activities that use IT.
● Increased use of e-commerce and the World Wide Web on the Internet as a
vast repository of various kinds of information (immigration databases, flight
tickets, stock markets, etc.)



Security Concerns
● Systems connected by networks are more prone to attacks and also suffer
more as a result of the attacks than stand-alone systems (Reasons?)
● Concerns such as the following are common
• How do I know the party I am talking to on the network is really the one I want to
talk to?
• How can I be assured that no one else is listening and learning the data that I send
over a network?
• Can I ever stay relaxed that no hacker can enter my network and play havoc?
● Is the web site I am downloading information from a legitimate one, or a
fake?
● How do I ensure that the person I just did a financial transaction with cannot
deny having done it tomorrow or at a later time?
● I want to buy something online, but I don’t want to let them charge my
credit card before they deliver the product to me.
That is why…

● ..we need security


– To safeguard the confidentiality, integrity, authenticity and
availability of data transmitted over insecure networks
– Internet is not the only insecure network in this world
– Many internal networks in organizations are prone to insider
attacks
– In fact, insider attacks are greater both in terms of likelihood of
happening and damage caused



Definition
• Security is a state of well-being of information and infrastructures in which
the possibility of successful yet undetected theft, tampering, and disruption
of information and services is kept low or tolerable
• Security rests on confidentiality, authenticity, integrity, and availability
• Computer Security - generic name for the collection of tools designed to
protect data and to thwart hackers
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over
a collection of interconnected networks



The Basic Components
● Confidentiality is the concealment (cover up) of information or
resources.
▪ E.g., only sender, intended receiver should “understand” message
contents
▪ Need access control, cryptography
● Authenticity is the identification and assurance of the origin of
information.
● Integrity refers to the trustworthiness of data or resources in terms
of preventing improper and unauthorized changes.
● Availability refers to the ability to use the information or resource
desired.
● Confidentiality, Integrity and Availability (CIA)



Security Threats and Attacks
● A threat is a potential violation of security.
– Flaws in design, implementation, and operation.
● An attack is any action that violates security.
– Active adversary
● An attack has an implicit concept of “intent”
– Router mis-configuration or server crash can also cause loss of availability, but they are not
attacks
● THREAT : Action or potential occurrence (whether or not malicious) to breach the security of the
system by exploiting its known or unknown vulnerabilities. It may be caused by (1) gaining
unauthorized access to stored information, (2) denial of service to the authorized users, or (3)
introduction of false information to mislead the users or to cause incorrect system behavior (called
spoofing).
● ATTACK : Malicious action taken by a hacker, intruder, or unauthorized user to cause damage to
the system and/or to the data stored in it, through exploitation of one or more system vulnerabilities.



Friends and enemies: Alice, Bob, Trudy

● well-known in network security world
● Bob, Alice (friends!) want to communicate “securely”
● Trudy (intruder) may intercept, delete, add messages

[Figure: Alice (secure sender) and Bob (secure receiver) exchange data and control messages over a channel; Trudy is on the channel.]



Eavesdropping - Message Interception (Attack on Confidentiality)
● Unauthorized access to information
● Packet sniffers and wiretappers
● Illicit copying of files and programs
[Figure: an eavesdropper on the channel between A and B]

Integrity Attack - Tampering With Messages
● Stop the flow of the message
● Delay and optionally modify the message
● Release the message again
[Figure: a perpetrator on the channel between A and B]



Authenticity Attack - Fabrication
● Unauthorized assumption of other’s identity
● Generate and distribute objects under this identity
[Figure: a masquerader sends B a message marked "from A"]

Attack on Availability
● Destroy hardware (cutting fiber) or software
● Modify software in a subtle way (alias commands)
● Corrupt packets in transit
● Denial of service (DoS):
– Crashing the server
– Overwhelm the server (use up its resource)
[Figure: A and B]



OSI Security Architecture

● ITU-T Recommendation X.800, Security Architecture for OSI
– Defines a systematic way of defining and providing security requirements
● International Telecommunications Union (ITU) is a United Nations
sponsored agency that develops standards relating to telecommunications
and to Open Systems Interconnection (OSI)



Standards Organizations

National Institute of Standards & Technology (NIST), http://csrc.nist.gov/
Internet Society (ISOC):
  Internet Engineering Task Force (IETF), ietf.org
  Internet Architecture Board (IAB)
International Telecommunication Union Telecommunication Standardization Sector (ITU-T), http://www.itu.int
International Organization for Standardization (ISO), http://www.iso.org



Aspects of Security
The OSI security architecture focuses on the following aspects of information security:
[Figure: security attack, security service, security mechanism]
● Security Attack: Any action that compromises the security of information.
● Security Service: A service that enhances the security of data processing
systems and information transfers. A security service makes use of one or
more security mechanisms.
● Security Mechanism: A mechanism that is designed to detect, prevent, or
recover from a security attack.



Security Attack
● any action that compromises the security of information owned by an organization
● information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems
● have a wide range of attacks
● can focus on generic types of attacks
● note: often threat & attack mean the same
● Interruption : attack on availability
● Interception : attack on confidentiality
● Modification : attack on integrity
● Fabrication : attack on authenticity
Classify Security Attacks as
● Passive attacks
● Active attacks



Passive Attack
● Passive attacks
– obtain message contents, or monitor traffic flows
– No modification of content or fabrication
– Eavesdropping to learn contents or other information (transfer patterns, traffic
flows etc.)
– Two types
● Release of Message Contents
● Traffic analysis (server most frequently used)
– Very difficult to detect.



Passive Attacks



Classify Security Attacks as
● Active attacks
– Involves some modification of the data stream or the creation of a false
stream.
– Four categories
● Masquerade : One entity pretends to be a different entity.
Authentication attack (fabrication can be made).
● Replay : Passive capture of a transaction and subsequent replay. Gain
access to server by giving userid and password.
● Modification : Some portion of a message is altered on its way.
● Denial of Service : prevents access to resources.



Active Attacks



Security Services

● X.800 defines a security service as a service provided by a protocol
layer of communicating open systems, which ensures adequate
security of the systems or of data transfers.
● X.800 divides these services into 5 categories and 14 specific services
● 5 Categories
1. Authentication
2. Access Control
3. Data confidentiality
4. Data Integrity
5. Nonrepudiation (and Availability)



1. Security Services: Authentication

● Ensuring the proper identification of entities and origins of data before
communication
● The assurance that the communicating entity is the one that it claims to be
1.1 Peer entity authentication
Used in association with a logical connection to provide confidence in the
identity of the entities connected
1.2 Data-origin authentication
In a connectionless transfer, provides assurance that the source of the
received data is as claimed



2. Security Services: Access Control

▪ The prevention of unauthorized use of a resource (i.e., this service
controls who can have access to resource, under what conditions access
can occur, and what those accessing the resource are allowed to do).



3. Security Services: Confidentiality

● The protection of data from unauthorized disclosure
3.1 Connection confidentiality
▪ The protection of all user data on a connection
3.2 Connectionless confidentiality
▪ The protection of all user data in a single data block
3.3 Selective-field confidentiality
▪ The confidentiality of selected fields within the user data on a connection or in a
single data block
3.4 Traffic-flow confidentiality
▪ The protection of information that might be derived from observation of traffic flows



4. Security Services: Integrity
▪ The assurance that data received are exactly as sent by an authorized entity (i.e.,
contain no modification, insertion, deletion, or replay)
4.1 Connection integrity with recovery
Provides for the integrity of all user data on a connection and detects any
modification, insertion, deletion, or replay of any data within an entire data
sequence, with recovery attempted
4.2 Connection integrity without recovery
As above, but provides only detection without recovery
4.3 Selective-field connection integrity
Provides for the integrity of selected fields within the user data of a data block
transferred over a connection and takes the form of determination of whether the
selected fields have been modified, inserted, deleted, or replayed



Security Services : Integrity

4.4 Connectionless integrity
Provides for the integrity of a single connectionless data block
4.5 Selective-field connectionless integrity
Provides for the integrity of selected fields within a single connectionless
data block
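
An added example, not part of the original slides, of service 4.2 (connection integrity without recovery): each frame carries a sequence number and an HMAC-SHA256 tag, so the receiver can detect modification, insertion, deletion and replay. The frame layout and the names `protect`, `Receiver` and `demo` are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: frame = 8-byte sequence number || payload || HMAC tag."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Detects modification, insertion, deletion and replay (no recovery)."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0

    def accept(self, frame: bytes):
        """Return (verdict, payload); payload is None unless verdict is 'ok'."""
        if len(frame) < 8 + TAG_LEN:
            return "modified-or-inserted", None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            return "modified-or-inserted", None  # wrong tag: altered or forged
        seq = struct.unpack(">Q", body[:8])[0]
        if seq < self.expected_seq:
            return "replayed", None  # authentic frame seen before
        if seq > self.expected_seq:
            return "deleted", None  # gap: earlier frame(s) never arrived
        self.expected_seq += 1
        return "ok", body[8:]


def demo():
    """Run constructed frames through the receiver and collect the verdicts."""
    key = secrets.token_bytes(32)  # constructed demo key
    msgs = [b"pay 10", b"pay 20", b"pay 30", b"pay 40"]  # constructed payloads
    frames = [protect(key, i, m) for i, m in enumerate(msgs)]
    tampered = bytearray(frames[1])
    tampered[12] ^= 0x01  # flip one payload bit in transit
    forged = protect(secrets.token_bytes(32), 2, b"pay 99")  # sender lacks the key
    rx = Receiver(key)
    arrivals = [frames[0], bytes(tampered), frames[1], frames[0], forged, frames[3]]
    return [rx.accept(f)[0] for f in arrivals]


if __name__ == "__main__":
    print(demo())
```

Because detection comes without recovery, a receiver in this position would normally abort the connection on any verdict other than "ok" rather than try to resynchronise.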



5. Security Services: Non-repudiation
Provides protection against denial by one of the entities involved in the
communication of having participated in all or part of the
communication
5.1 Nonrepudiation, origin
Proof that the message was sent by the specified party
5.2 Nonrepudiation, destination
Proof that the message was received by the specified party
Security Services: Availability
● Availability service protects the system to ensure its availability

● Protection against denial-of-service



Security Mechanisms (X.800)
● X.800 defines the following mechanisms (2 Types)
1. Specific security mechanisms
Specific mechanisms existing to provide certain security services
● E.g. encryption used for authentication
May be incorporated into the appropriate protocol layer in order to provide some
of OSI security services
2. Pervasive security mechanisms
Pervasive mechanisms which are general mechanisms incorporated into the
system and not specific to a service
● E.g. security audit trail
Mechanisms, not specific to any particular OSI security service or protocol layer



Security Mechanisms (X.800)

● Specific security mechanisms:
– Encipherment
– Digital signatures
– Access controls
– Data integrity
– Authentication exchange
– Traffic padding
– Routing control
– Notarization
● Pervasive security mechanisms:
– Trusted functionality
– Security labels
– Event detection
– Security audit trails
– Security recovery



1. Specific security mechanisms

1.1 Encipherment
The use of mathematical algorithms to transform data into a form that is not readily
intelligible. The transformation and subsequent recovery of the data depend on an
algorithm and zero or more encryption keys
1.2 Digital signature
Data appended to, or a cryptographic transformation of, a data unit that allows a
recipient of the data unit to prove the source and integrity of the data unit and protect
against forgery
1.3 Access control
A variety of mechanisms that enforce access rights to resources
1.4 Data integrity
A variety of mechanisms used to assure the integrity of a data unit or stream of data
units



1. Specific security mechanisms
1.5 Authentication exchange
A mechanism intended to ensure the identity of an entity by means of
information exchange
1.6 Traffic padding
The insertion of bits into gaps in a data stream to frustrate traffic analysis
attempts
1.7 Routing control
Enables selection of particular physically secure routes for certain data and
allows routing changes, especially when a breach of security is suspected
1.8 Notarization
The use of a trusted third party to assure certain properties of a data
exchange
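
An added example, not part of the original slides, of mechanism 1.6 (traffic padding): every interval carries the same number of fixed-size cells, with dummy cells filling the gaps, so message sizes and idle periods are not visible to traffic analysis. The cell layout, the constants and the function names are assumptions made for this sketch; it also assumes each cell is enciphered before transmission (not shown), since otherwise the kind byte would reveal the dummies.

```python
import struct

CELL = 64   # bytes per cell on the wire (assumed value)
SLOTS = 4   # cells sent in every interval, busy or idle (assumed value)
HDR = 3     # 1-byte kind (1 = data, 0 = dummy) + 2-byte payload length


def pad_interval(queue):
    """Emit exactly SLOTS cells of CELL bytes; return (cells, leftover queue)."""
    now, later = queue[:SLOTS], queue[SLOTS:]
    cells = []
    for msg in now:
        if len(msg) > CELL - HDR:
            raise ValueError("message does not fit in one cell")
        cells.append(struct.pack(">BH", 1, len(msg)) + msg.ljust(CELL - HDR, b"\x00"))
    while len(cells) < SLOTS:
        # Dummy cell inserted into the gap in the data stream.
        cells.append(struct.pack(">BH", 0, 0) + bytes(CELL - HDR))
    return cells, later


def unpad(cells):
    """Receiver: drop dummy cells and strip padding from data cells."""
    out = []
    for cell in cells:
        kind, length = struct.unpack(">BH", cell[:HDR])
        if kind == 1:
            out.append(cell[HDR:HDR + length])
    return out


def observed_shape(cells):
    """All a passive observer learns once cells are enciphered: count and sizes."""
    return len(cells), {len(c) for c in cells}


if __name__ == "__main__":
    busy, _ = pad_interval([b"transfer 500 to bob", b"ack"])  # constructed traffic
    idle, _ = pad_interval([])
    print(observed_shape(busy), observed_shape(idle))
```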
2. Pervasive security mechanisms
2.1 Trusted functionality
That which is perceived to be correct with respect to some criteria (e.g., as established
by security policy)
2.2 Security label
The marking bound to a resource (which may be a data unit) that names or designates
the security attributes of that resource
2.3 Event detection
Detection of security relevant events
2.4 Security audit trail
Data collected and potentially used to facilitate a security audit, which is independent
review and examination of system records and activities
2.5 Security recovery
Deals with requests from mechanisms, such as event handling and management
functions, and takes recovery actions
Relationship between Security Services & Mechanism
● Usage of mechanisms in services:



Model for Network Security

● Basic tasks
– Design an algorithm that an opponent cannot defeat
– Generate the secret information to be used with the algorithm
– Develop methods for distributing secret information
– Specify a protocol to be used
● May need a trusted third party to assist



Model for Network Security



Model for Network Security
● Using this model requires us to:
– Design a suitable algorithm for the security transformation
– Generate the secret information (keys) used by the algorithm
– Develop methods to distribute and share the secret information
– Specify a protocol enabling the principals to use the transformation and secret
information for a security service



Model for Network Access Security

● Using this model requires us to:
– Select appropriate gatekeeper functions to identify users
– Implement security controls to ensure only authorised users access designated information or
resources
● Trusted computer systems can be used to implement this model
How to Make a System Trustworthy

● Specification
– A statement of desired functions
● Design
– A translation of specifications to a set of components
● Implementation
– Realization of a system that satisfies the design
● Assurance
– The process to ensure that the above steps are carried out correctly
– Inspections, proofs, testing, etc.



Internet standards

● The Internet Society
– Internet Architecture Board (IAB)
– Internet Engineering Task Force (IETF)
– Internet Engineering Steering Group (IESG)



Summary

NIST, IETF, ITU-T, ISO develop standards for network security
CIA represents the 3 key components of security
ISO X.800 security architecture specifies security attacks,
services, mechanisms
Active attacks may modify the transmitted information.
Security services include authentication, access control, …



Security URLs (Cont)

Security Focus, http://www.securityfocus.com/
SANS Institute, http://sans.org/
Data Protection resource Directory,
http://www.dataprotectionhq.com/cryptographyanddatasecurity/
Helger Lipmaa's Cryptology Pointers,
http://www.adastral.ucl.ac.uk/%7ehelger/crypto/



Newsgroups and Forums
sci.crypt.research, sci.crypt, sci.crypt.random-numbers
alt.security
comp.security.misc, comp.security.firewalls,
comp.security.announce
comp.risks
comp.virus
Security and Cryptography Forum,
http://forums.devshed.com/security-and-cryptography-17/
Cryptography Forum,
http://www.topix.com/forum/science/cryptography
Security Forum, http://www.windowsecurity.com/
Google groups, http://groups.google.com
LinkedIn Groups, http://www.linkedin.com
