Cryptography and Network Security Overview PDF

Roadmap Cryptographic algorithms symmetric ciphers asymmetric encryption hash functions Mutual Trust Network Security Computer Security Standards Organizations National Institute of Standards & Technology (NIST) Internet Society (ISOC) International Telecommunication Union Telecommunication Standardization Sector (ITU-T) International Organization for Standardization (ISO) Chapter 1 – Introduction The combination of space, time, and strength that must be considered as the basic elements of this theory of defense makes this a fairly complicated matter. Consequently, it is not easy to find a fixed point of departure.. — On War, Carl Von Clausewitz Computer Security the protection afforded to an automated information system in order to attain the applicable objectives of p re s e r v i n g t h e i n t e g r i t y, a v a i l a b i l i t y a n d confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications) Key Security Concepts Figure 1.1 Key Security Concepts These three concepts form what is often referred to as the CIA triad (Figure 1.1). The three concepts embody the fundamental security objectives for both data and for information and computing services. FIPS PUB 199 provides a useful characterization of these three objectives in terms of requirements and the definition of a loss of security in each category: Confidentiality (covers both data confidentiality and privacy): preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information. Integrity (covers both data and system integrity): Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information. Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system. Although the use of the CIA triad to define security objectives is well established, some in the security field feel that additional concepts are needed to present a complete picture. Two of the most commonly mentioned are: Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. Levels of Impact can define 3 levels of impact from a security breach Low Moderate High Examples of Security Requirements confidentiality – student grades integrity – patient information availability – authentication service Computer Security Challenges 1. not simple 2. must consider potential attacks 3. procedures used counter-intuitive ‫غير املتوقع‬/ ‫غير البديهيه‬ 4. involve algorithms and secret info 5. must decide where to deploy mechanisms 6. battle of wits between attacker / admin 7. not perceived on benefit until fails 8. requires regular monitoring 9. too often an after-thought 10. regarded as impediment to using system Challenges of computer security 1. Computer security is not simple 2. In developing a particular security mechanism or algorithm One must consider potential (unexpected) attacks 3. Procedures used to provide particular services are often counter-intuitive 4. Security mechanisms involve algorithms and secret info (keys) 5. Must decide where to deploy mechanisms(algorithms) Having designed various security mechanisms, it is necessary to decide where to use them 6. A battle of wits between attacker / admin (Computer security is essentially a battle of wits between a attacker who tries to find holes (vulnerability) and the designer or administrator who tries to close them). 7. It is not perceived on benefit until fails 7. Requires regular monitoring 8. Security is still too often an afterthought - incorporated after the design is complete 9. Strong security is regarded as impediment(‫ )ع ـ ـ ـ ـ ـ ــائ ـ ـ ـ ـ ـ ــق‬to using system Many users / security administrators view strong security as an impediment to efficient and user- friendly operation of an information system or use of information OSI Security Architecture (Open Systems Interconnections) ITU-T X.800 “Security Architecture for OSI” defines a systematic way of defining and providing security requirements for us it provides a useful, if abstract, overview of concepts we will study Aspects of Security consider 3 aspects of information security: security attack‫ي‬ security mechanism security service note terms threat – a potential for violation of security attack – an assault on system security, a deliberate ‫اعتداء‬ ‫متعمدة‬ attempt to evade security services ‫للتهرب‬ security attack Security attack classified into: -Passive attacks -Active attacks Passive Attacks Figure 1.2a Active Attacks Figure 1.3b Security Service enhance security of data processing systems and information transfers of an organization‫تعزيز أمن أنظمة معالجة البيانات ونقل‬ ‫املعلومات في املنظمة‬ intended to counter security attacks using one or more security mechanisms ‫تهدف إلى مواجهة الهجمات األمنية باستخدام آلية‬ ‫أمنية واحدة أو أكثر‬ often replicates functions normally associated with physical documents which, for example, have signatures, dates; need protection from disclosure ‫عدم الكشف او االفشاء‬, tampering ‫العبث‬, or destruction; be notarized or witnessed ‫ ;ان تكون موثقه‬be recorded or licensed‫أن تكون مسجلة أو مرخصة‬ Security Services X.800: “a service provided by a protocol layer of communicating open systems, which ensures adequate ‫الكافي‬security of the systems or of data transfers” ‫ والتي تضمن األمن الكافي لألنظمة أو لنقل‬، ‫خدمة مقدمة من خالل طبقة بروتوكول ألنظمة االتصال املفتوحة‬ ‫البيانات‬ RFC 2828: “a processing or communication service provided by a system to give a specific kind of protection to system resources” Security Services (X.800) Authentication ‫ املصادقة‬- assurance that communicating entity is the one claimed‫التأكيد على أن الكيان املتصل هو املطالب به‬ have both peer-entity & data origin authentication‫مصادقة أصل البيانات‬ Access Control - prevention of the unauthorized use of ' a resource Data Confidentiality –protection of data from unauthorized disclosure ‫ه‬ Data Integrity - assurance that data received is as sent by an authorized entity Non-Repudiation ‫ عدم التنصل‬- protection against denial by one of the parties in a communication ‫ل‬ ‫الحماية من الرفض من قبل أحد األطراف في االتصا‬ Availability – resource accessible/usable Security Mechanism feature designed to detect, prevent, or recover from a security attack no single mechanism that will support all services required however one particular element underlies many of the security mechanisms in use: cryptographic techniques hence our focus on this topic Security Mechanisms (X.800) specific security mechanisms: encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization pervasive security mechanisms: trusted functionality, security labels, event detection, security audit trails, security recovery Model for Network Security Model for Network Security using this model requires us to: 1. design a suitable algorithm for the security transformation ‫مناسبة للتحول األمني‬ 2. generate the secret information (keys) used by the algorithm ‫التي تستخدمها الخوارزمية‬ 3. develop methods to distribute and share the secret information 4. specify a protocol enabling the principals to use the transformation and secret information for a security service Model for Network Access Security ‫نموذج ألمان الوصول إلى الشبكة‬ Model for Network Access Security using this model requires us to: 1. select appropriate gatekeeper functions to identify users 2. implement security controls to ensure only authorised users access designated information or resources Security Mechanisms (X.800) specific security mechanisms ( provide some of the security services) : encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization. ✓ Traffic padding mechanisms are used to protect against traffic analysis attacks. ✓ A routing control mechanism which monitors all the outgoing traffic through its connection with the Internet service providers (ISPs), and helps in selecting the best path for efficient delivery of the data. ‫اختيار أفضل مسار‬ ‫لتسليم البيانات بكفاءة‬ ✓ Notarization ‫ التوثيق‬is the process that assures the parties of a transaction that a document is authentic, and can be trusted ‫العملية التي تؤكد ألطراف املعاملة أن‬ ‫املستند أصلي ويمكن الوثوق به‬ Continuous Security Mechanisms (X.800) Pervasive‫ منتشرة‬security mechanisms:‫آليات األمن املنتشرة‬ Pervasive security mechanisms are not specific to any particular security service and are in general directly related to the level of security required ‫ليست خاصة بأي خدمة أمنية معينة وهي بشكل عام مرتبطة بشكل مباشر بمستوى األمن املطلوب‬ There are five pervasive security mechanisms: trusted functionality, security labels, event detection, security audit trails, security recovery ✓ trusted functionality : Every security system it must depends on trust between users of the system. ✓ security labels: System resources may have security labels associated with them (security label with data in transit) ✓ event detection :can be used to detect violations of security. ✓ security audit trails : established policy and operational procedures, to detect breaches in security ✓ security recovery: takes recovery actions as the result of applying a set of rules. Summary topic roadmap & standards organizations security concepts: confidentiality, integrity, availability X.800 security architecture security attacks, services, mechanisms models for network (access) security

Cryptography and Network Security Overview PDF

Document Details

Tags

Related

Summary

Full Transcript