Chapter 1: Network Security Concepts PDF

Summary

This document provides an introduction to cryptographic algorithms and protocols, categorizing them into symmetric, asymmetric, data integrity, and authentication schemes. It also details the field of network and Internet security consisting of measures to deter, prevent, detect, and correct security violations. Furthermore, it introduces computer security, security objectives, and additional concepts such as authenticity and accountability.

Full Transcript

Cryptographic algorithms and protocols
can be grouped into four main areas:

Symmetric encryption

Used to conceal the contents of blocks or streams of data of any size,
including messages, files, encryption keys, and passwords

Asymmetric encryption

Used to conceal small blocks of data, such as encryption keys and hash
function values, which are used in digital signatures

Data integrity algorithms

Used to protect blocks of data, such as messages, from alteration

Authentication protocols

Schemes based on the use of cryptographic algorithms designed to
authenticate the identity of entities
 The field of network and
Internet security consists of:

measures to deter,
prevent, detect, and
correct security
violations that involve
the transmission of
information
 Computer Security

The NIST Computer Security Handbook defines the
term computer security as:

“the protection afforded to an automated
information system in order to attain the
applicable objectives of preserving the
integrity, availability and confidentiality of
information system resources” (includes
hardware, software, firmware, information/
data, and telecommunications)
Computer Security Objectives
Confidentiality
Data confidentiality
Assures that private or confidential information is not made available or disclosed
to unauthorized individuals
Privacy
Assures that individuals control or influence what information related to them may
be collected and stored and by whom and to whom that information may be
disclosed

Integrity
Data integrity
Assures that information and programs are changed only in a specified and
authorized manner
System integrity
Assures that a system performs its intended function in an unimpaired manner,
free from deliberate or inadvertent unauthorized manipulation of the system

Availability
Assures that systems work promptly and service is not denied to authorized
users
CIA Triad
Possible additional concepts:

Authenticity Accountability
Verifying that users The security goal that
are who they say they generates the
are and that each requirement for
input arriving at the actions of an entity to
system came from a be traced uniquely to
trusted source that entity
Breach of Security
Levels of Impact
The loss could be expected to have a severe or
High catastrophic adverse effect on organizational
operations, organizational assets, or individuals

The loss could be expected to have a

Moderate serious adverse effect on
organizational operations,
organizational assets, or individuals

The loss could be expected
to have a limited adverse

Low effect on organizational
operations, organizational
assets, or individuals
Computer Security Challenges
Security is not simple Security mechanisms typically
involve more than a
Potential attacks on the particular algorithm or
security features need to be protocol
considered
Security is essentially a battle
Procedures used to provide of wits between a
particular services are often perpetrator and the designer
counter-intuitive
Little benefit from security
It is necessary to decide investment is perceived until
where to use the various a security failure occurs
security mechanisms
Strong security is often
Requires constant monitoring viewed as an impediment to
efficient and user-friendly
Is too often an afterthought operation
 OSI Security Architecture
Security attack
Any action that compromises the security of information
owned by an organization

Security mechanism
A process (or a device incorporating such a process) that is
designed to detect, prevent, or recover from a security
attack

Security service
A processing or communication service that enhances the
security of the data processing systems and the information
transfers of an organization
Intended to counter security attacks, and they make use of
one or more security mechanisms to provide the service
 Table 1.1
Threats and Attacks (RFC 4949)
 Security Attacks
A means of classifying security
attacks, used both in X.800 and
RFC 4949, is in terms of passive
attacks and active attacks

A passive attack attempts to
learn or make use of
information from the system
but does not affect system
resources

An active attack attempts to
alter system resources or affect
their operation
 Passive Attacks

Are in the nature of
eavesdropping on, or
monitoring of, transmissions

Goal of the opponent is to Two types of passive
obtain information that is
being transmitted
attacks are:
The release of message
contents
Traffic analysis
 Active Attacks
Involve some modification of the
data stream or the creation of a Takes place when one entity
pretends to be a different entity
false stream Masquerade Usually includes one of the other
forms of active attack
Difficult to prevent because of
the wide variety of potential
Involves the passive capture of a
physical, software, and network data unit and its subsequent
Replay retransmission to produce an
vulnerabilities
unauthorized effect

Goal is to detect attacks and to
recover from any disruption or Some portion of a legitimate
delays caused by them Modification message is altered, or messages are
of messages delayed or reordered to produce an
unauthorized effect

Denial of Prevents or inhibits the normal use
or management of communications
service facilities
 Security Services

Defined by X.800 as:
A service provided by a protocol layer of
communicating open systems and that ensures
adequate security of the systems or of data transfers

Defined by RFC 4949 as:
A processing or communication service provided by a
system to give a specific kind of protection to system
resources
X.800 Service Categories

Authentication

Access control

Data confidentiality

Data integrity

Nonrepudiation
 Authentication
Concerned with assuring that a communication is
authentic
In the case of a single message, assures the recipient
that the message is from the source that it claims to
be from
In the case of ongoing interaction, assures the two
entities are authentic and that the connection is not
interfered with in such a way that a third party can
masquerade as one of the two legitimate parties

Two specific authentication services are defined in X.800:

Peer entity authentication
Data origin authentication
 Access Control

The ability to limit and control the access to
host systems and applications via
communications links

To achieve this, each entity trying to gain
access must first be indentified, or
authenticated, so that access rights can be
tailored to the individual
 Data Confidentiality
The protection of transmitted data from passive
attacks
Broadest service protects all user data transmitted
between two users over a period of time
Narrower forms of service includes the protection of a
single message or even specific fields within a message

The protection of traffic flow from analysis
This requires that an attacker not be able to observe the
source and destination, frequency, length, or other
characteristics of the traffic on a communications facility
Data Integrity

Can apply to a stream of messages, a single
message, or selected fields within a message

Connection-oriented integrity service, one that
deals with a stream of messages, assures that
messages are received as sent with no duplication,
insertion, modification, reordering, or replays

A connectionless integrity service, one that deals
with individual messages without regard to any
larger context, generally provides protection
against message modification only
 Nonrepudiation
Prevents either sender or receiver from
denying a transmitted message

When a message is sent, the receiver can
prove that the alleged sender in fact sent the
message

When a message is received, the sender can
prove that the alleged receiver in fact received
the message
 Table 1.2

Security
Services
(X.800)

(This table is found on
page 38 in textbook)
Security Mechanisms (X.800)

Specific Security Mechanisms
Encipherment
Digital signatures
Access controls
Data integrity
Pervasive Security Mechanisms
Authentication exchange
Traffic padding Trusted functionality
Routing control Security labels
Notarization Event detection
Security audit trails
Security recovery
 Table 1.3

Security
Mechanisms
(X.800)

(This table is found on
pages 40-41 in textbook)
Model for Network Security
Network Access Security
Model
 Unwanted Access
Placement in a computer system of logic that
exploits vulnerabilities in the system and that
can affect application programs as well as
utility programs such as editors and compilers
Programs can present two kinds of threats:
Information access threats
Intercept or modify data on behalf of users who
should not have access to that data
Service threats
Exploit service flaws in computers to
inhibit use by legitimate users