Submitted to: Miss. Priya Jain, Sr. Lecturer, CS/IT
Submitted by: Saurav Jha, 0914IT071077
1 12/08/21 ms
What do we need to protect
• Data
• Resources
• Reputation
Types of Attacks
• Passive
• Active
– Denial of Services
Security Objectives
• Identification
• Authentication
• Authorization
• Access Control
• Data Integrity
• Confidentiality
• Non-repudiation
Identification
• Something which uniquely identifies a user; it is called the UserID.
• Sometimes users can select their own ID, as long as it has not already been given to another user.
• A UserID can be one, or a combination, of the following:
– User Name
– User Student Number
– User SSN
Authentication
• The process of verifying the identity of a user
• Typically based on
– Something the user knows
• Password
– Something the user has
• Key, smart card, disk, or other device
– Something the user is
• Fingerprint, voice, or retinal scans
Authentication Cont.
• Authentication procedure
– Two-Party Authentication
• One-Way Authentication
• Two-Way Authentication
– Third-Party Authentication
• Kerberos
• X.509
– Single Sign On
• The user can access several network resources by logging on once to a security system.
[Diagram: Two-Party Authentications between Client and Server. One-way Authentication: the client sends its Password and is Authenticated by the server. Two-way Authentication: ServerID & Password are also sent in the other direction, so that each side is Authenticated.]
[Diagram: Third-Party Authentications with a Security Server. The Client presents ClientID, Password and the Server presents ServerID, Password to the Security Server, and each is Authenticated. Client and Server then Exchange Keys and Exchange Data.]
Authorization
Access Control
• The process of enforcing access rights
• It is based on the following three entities:
– Subject
• an entity that can access an object
– Object
• an entity to which access can be controlled
– Access Right
• defines the ways in which a subject can access an object.
Access Control Cont.
• Access Control is divided into two types:
– Discretionary Access Control (DAC)
• The owner of the object is responsible for
setting the access right.
– Mandatory Access Control (MAC)
• The system defines access right based on
how the subject and object are classified.
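The two policies above, worked through in code. This is an added example, not part of the original slides: the subject, object and access-right entities follow the previous slide, the DAC branch lets only the object's owner edit an access list, and the MAC branch is an assumed Bell-LaPadula reading of "classified" (read at or below your clearance, write at or above it). Names and classification levels are constructed.

```python
"""Access control with the three entities on the slides: a Subject asks for
an Access Right on an Object. Added example, not from the slides; the names,
levels and the Bell-LaPadula reading of MAC are constructed assumptions."""
from dataclasses import dataclass, field

# Assumption: MAC labels form a strict order, lowest to highest.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str            # used only by MAC


@dataclass
class Object:
    name: str
    owner: str                # used only by DAC: the owner sets the rights
    classification: str       # used only by MAC: the system classified it
    acl: dict = field(default_factory=dict)   # subject name -> set of rights


def dac_grant(obj, granter, subject_name, right):
    """DAC: only the object's owner may change who can access it.
    Returns True when the grant was recorded, False when refused."""
    if granter != obj.owner:
        return False
    obj.acl.setdefault(subject_name, set()).add(right)
    return True


def dac_allows(subject, obj, right):
    # Assumption: the owner keeps full rights over its own object.
    return subject.name == obj.owner or right in obj.acl.get(subject.name, set())


def mac_allows(subject, obj, right):
    """MAC (assumed Bell-LaPadula): read only at or below the clearance
    (no read up), write only at or above it (no write down)."""
    s, o = LEVELS[subject.clearance], LEVELS[obj.classification]
    if right == "read":
        return s >= o
    if right == "write":
        return s <= o
    return False


def access_allowed(subject, obj, right, policy):
    """Enforce one policy; under MAC the system's rule cannot be overridden
    by an owner's ACL entry."""
    if policy == "DAC":
        return dac_allows(subject, obj, right)
    if policy == "MAC":
        return mac_allows(subject, obj, right)
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    report = Object("quarterly_report", owner="bob", classification="secret")
    alice = Subject("alice", clearance="confidential")
    dac_grant(report, "bob", "alice", "read")
    print("DAC:", access_allowed(alice, report, "read", "DAC"))  # True: owner granted it
    print("MAC:", access_allowed(alice, report, "read", "MAC"))  # False: reading up
```

The contrast in the last two lines is the point of the slide: under DAC the owner's decision is final, while under MAC the same request is refused because the system's classification, not the owner, decides.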
Data Integrity
Confidentiality
Non-repudiation
Security Mechanisms
• Web Security
• Cryptographic techniques
• Internet Firewalls
Web Security
• Basic Authentication
• Secure Socket Layer (SSL)
Basic Authentication
Secure Socket Layer (SSL)
Secure Socket Layer Cont.
The client sends a "hello" message to the Web server, and the server responds with a copy of its digital certificate.
The client decrypts the server's public key using the well-known public key of a Certificate Authority such as VeriSign.
The client generates two random numbers that will be used for symmetric key encryption, one number for the receiving channel and one for the sending channel. These keys are encrypted using the server's public key and then transmitted to the server.
The client issues a challenge (some text encrypted with the send key) to the server using the send symmetric key and waits for a response from the server that is using the receive symmetric key.
Optionally, the server authenticates the client.
Data is exchanged across the secure channel.
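The message sequence above, played out between a client function and a server class, as an added example that is not part of the original slides. Everything in it is a constructed stand-in: textbook RSA on tiny fixed primes plays the server and CA key pairs (the "decrypt with the CA's public key" step is modelled as recovering the digest the CA signed over the server's key), a SHA-256 keystream XOR plays the symmetric cipher, and the certificate subject, CA and key sizes are placeholders. The optional client-authentication step is not modelled.

```python
"""Toy walk-through of the SSL handshake as the slides describe it.

Added example, not from the original slides. Everything is constructed for
illustration: textbook RSA on tiny fixed primes stands in for the server and
CA key pairs, and a SHA-256 keystream XOR stands in for the symmetric cipher.
These primitives only show the message flow; they protect nothing real."""
import hashlib
import secrets


# --- toy public-key primitive (assumption: textbook RSA applied per byte) ---
def toy_rsa_keypair(p, q, e=17):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent (Python 3.8+)
    return (n, e), (n, d)               # (public key, private key)


def rsa_bytes(key, data):
    """Apply RSA with the given key to every byte/integer separately."""
    n, exp = key
    return [pow(int(b), exp, n) for b in data]


# --- toy symmetric primitive (assumption: SHA-256 keystream XOR) ---
def stream_xor(key, nonce, data):
    out = bytearray()
    for i, b in enumerate(data):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)


def seal(key, plaintext):
    """Encrypt one message; a fresh nonce per message avoids keystream reuse."""
    nonce = secrets.token_bytes(8)
    return nonce, stream_xor(key, nonce, plaintext)


def open_msg(key, message):
    nonce, ciphertext = message
    return stream_xor(key, nonce, ciphertext)


# --- certificate authority (constructed stand-in for "VeriSign") ---
CA_PUBLIC, CA_PRIVATE = toy_rsa_keypair(89, 97)


def issue_certificate(subject, server_public, ca_private=CA_PRIVATE):
    n, e = server_public
    digest = hashlib.sha256(f"{subject}|{n}|{e}".encode()).digest()
    return {"subject": subject, "public_key": server_public,
            "signature": rsa_bytes(ca_private, digest)}


def verify_certificate(cert, ca_public=CA_PUBLIC):
    """The slide's 'decrypt with the CA's public key' step: recover the
    digest the CA signed and compare it with one computed from the cert."""
    n, e = cert["public_key"]
    digest = hashlib.sha256(f"{cert['subject']}|{n}|{e}".encode()).digest()
    return rsa_bytes(ca_public, cert["signature"]) == list(digest)


# --- server side: one method per message in the slides' order ---
class Server:
    def __init__(self, name):
        self.public, self.private = toy_rsa_keypair(61, 53)
        self.cert = issue_certificate(name, self.public)
        self.recv_key = self.send_key = None

    def on_hello(self, hello):
        """Answer the client's hello with a copy of the certificate."""
        assert hello == "hello"
        return self.cert

    def on_keys(self, enc_send_key, enc_recv_key):
        """Decrypt the two symmetric keys with the server's private key.
        The client's send key is the server's receive key and vice versa."""
        self.recv_key = bytes(rsa_bytes(self.private, enc_send_key))
        self.send_key = bytes(rsa_bytes(self.private, enc_recv_key))

    def on_challenge(self, challenge):
        """Decrypt the challenge with the receive key, answer under the send key."""
        text = open_msg(self.recv_key, challenge)
        return seal(self.send_key, b"ack:" + text)

    def on_data(self, message):
        return open_msg(self.recv_key, message)


# --- client side: drives the handshake and returns the channel keys ---
def client_handshake(server, ca_public=CA_PUBLIC):
    cert = server.on_hello("hello")                      # hello / certificate
    if not verify_certificate(cert, ca_public):          # was it signed by the CA?
        raise ValueError("certificate not signed by the trusted CA")
    server_public = cert["public_key"]
    send_key, recv_key = secrets.token_bytes(16), secrets.token_bytes(16)
    server.on_keys(rsa_bytes(server_public, send_key),  # keys under server pubkey
                   rsa_bytes(server_public, recv_key))
    challenge_text = secrets.token_bytes(8)              # challenge / response
    reply = server.on_challenge(seal(send_key, challenge_text))
    if open_msg(recv_key, reply) != b"ack:" + challenge_text:
        raise ValueError("server could not use the session keys")
    return send_key, recv_key                            # secure channel ready


def handshake_succeeds(server, ca_public=CA_PUBLIC):
    try:
        client_handshake(server, ca_public)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    srv = Server("www.example.test")
    c_send, c_recv = client_handshake(srv)
    print(srv.on_data(seal(c_send, b"GET / HTTP/1.0")))
```

Two failure cases worth running: a certificate whose subject has been altered, and one issued by a key pair the client does not trust. Both are rejected at the certificate check, before any session key leaves the client, which is the property the CA step exists to provide.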
Cryptographic Techniques
Secret Key Algorithm
[Diagram: Secret Key Algorithm. Bob turns Clear Text into Cipher Text by Encryption with the Secret Key; Alice turns the Cipher Text back into Clear Text by Decryption with the same Secret Key.]
Public Key Algorithm
[Diagram: Public Key Algorithm. Bob turns Clear Text into Cipher Text by Encryption; Alice turns the Cipher Text back into Clear Text by Decryption.]
Digital Signature
[Diagram: Digital Signature. Alice turns Clear Text into Cipher Text by Encryption; Bob turns it back into Clear Text by Decryption & Authentication.]
Certificate Authority
[Diagram: Certificate Authority. Bob publishes his Public Key to the Public Key Authority; Alice requests Bob's Certificate from the Public Key Authority, receives Bob's Public Key, and sends Cipher Text to Bob.]
Internet Firewall
• A firewall controls traffic flow between networks.
• A firewall uses the following techniques:
– Packet Filters
– Application Proxy
Packet Filtering
• Most commonly used firewall technique
• Operates at the IP level
• Checks each IP packet against the filter rules before passing (or not passing) it on to its destination.
• Much faster than other firewall techniques
• Hard to configure
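A stateless packet filter of the kind described above, as an added example that is not part of the original slides. Each packet is checked against an ordered rule list and the first match decides; nothing matches falls through to a default-deny. The rule set and packets are constructed, with the secure network assumed to be 10.0.0.0/8 and a web server at 10.0.0.5. The last function illustrates the "hard to configure" point: it finds rules that an earlier, broader rule shadows so that they can never match.

```python
"""Stateless packet filter: each packet is checked against ordered rules
before being passed on or dropped. Added example, not from the slides; the
rule set, addresses and packets below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: str = "0.0.0.0/0"    # CIDR; the default matches any address
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None   # None matches any port

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def filter_packet(rules, pkt, default="deny"):
    """First matching rule wins; no match falls through to the default.
    Returns (action, index of the matching rule or None)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return default, None


def covers(outer, inner):
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.dport in (None, inner.dport))


def shadowed_rules(rules):
    """Indexes of rules that can never match because an earlier rule covers them;
    a common misconfiguration in first-match rule lists."""
    return [j for j in range(len(rules))
            if any(covers(rules[i], rules[j]) for i in range(j))]


# Constructed inbound rule set for a filter between the non-secure network
# (the Internet) and an assumed secure network 10.0.0.0/8.
RULES = [
    Rule("deny", src="10.0.0.0/8"),                          # internal source arriving from outside
    Rule("allow", dst="10.0.0.5/32", proto="tcp", dport=80),  # web server
    Rule("allow", dst="10.0.0.5/32", proto="tcp", dport=443),
    Rule("allow", dst="10.0.0.0/8", proto="icmp"),
    Rule("deny", proto="udp"),
]

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.9", "10.0.0.5", "tcp", 443),
                Packet("203.0.113.9", "10.0.0.5", "tcp", 22),
                Packet("10.0.0.7", "10.0.0.5", "tcp", 80)):
        print(pkt, "->", filter_packet(RULES, pkt))
    print("shadowed:", shadowed_rules(RULES))
```

Because the filter sees one packet at a time and keeps no connection state, a rule allowing port 443 in cannot tell a reply from a new connection; that is the price of the speed noted on the slide, and the reason the rule order and the default action have to be checked as carefully as the individual rules.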
Packet Filter Cont.
[Diagram: a Packet Filtering Server placed between the Non-Secure Network and the Secure Network.]
Application Proxy
• Application Level Gateway
• The communication steps are as follows:
– The user connects to the proxy server
– From the proxy server, the user connects to the destination server
• The proxy server can provide
– Content Screening
– Logging
– Authentication