Information Security Principles course “Cryptology” Based of: “Cryptography and network Security” by William Stalling, 5th edition. Eng. Mohamed Adam Isak PH.D Researcher in CS Lecturer in Mogadishu University and University of Somalia Tell:
Chapter one: Overview 1.Computer Security Concepts 2.The OSI Security architecture 3.Security Attacks 4.Security Services 5.Security Mechanisms 2
Computer Security concept The protection afforded to an automated information system in order to attain the applicable objectives of preserving(protecting) the integrity, availability and confidentiality of information system resources (includes hardware, software, information/data, and telecommunications) [NIST 1995] 3
CIA Security Triangle (1/2) The three Key Objectives 4
CIA Security Triangle (2/2) Confidentiality (covers both data confidentiality and privacy): preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information. Integrity (covers both data and system integrity): Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information. Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system. 5
Two additional key objectives Authenticity: The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. 6
Levels of Impact 3 levels of impact from a security breach Low Moderate High 7
The Challenges of Computer Security Security is not as simple as it might first appear to the novice Security developers must consider potential attacks Involve algorithms and secret info Must decide where to deploy mechanisms Battle of wits (brains) between attacker / admin Not perceived on benefit until fails Requires regular monitoring Too often an afterthought (becoming larger) The system will not be friendly usage. 8
OSI Security Architecture (1/2) ITU-T X.800 “Security Architecture for OSI” The International Telecommunication Union (ITU) Telecommunication Standardization Sector (ITU-T) is a United Nations-sponsored agency that develops standards, called Recommendations, relating to telecommunications and to OPEN SYSTEMS INTERCONNECTION (OSI). The OSI security architecture was developed in the context of the OSI protocol architecture. OSI Security architecture defines a systematic way of defining and providing security requirements. The OSI security architecture is useful to managers as a way of organizing the task of providing security. 9
OSI Security Architecture (2/2) Aspects of Security The OSI security architecture focuses on 3 aspects: security attacks, mechanisms, and services. 1.Security attack: Any action that compromises the security of information owned by an organization. 2.Security service: A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization. 3.Security mechanism: A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack. 10
Security attack classifications 1.A passive attack attempts to learn or make use of information from the system but does not affect system resources. Passive attacks are in the nature of eavesdropping on (means listening to the conversation), or monitoring of transmissions. The goal of the opponent is to obtain information that is being transmitted. 2.An active attack attempts to alter system resources or affect their operation. 11
Passive Attacks (1) Release of Message Contents Two types of passive attacks are: Release of message contents and Traffic analysis. Release of message contents relates to eavesdropping on (means listening to the conversation). as this figure shows. These attacks are difficult to detect because they do not involve any alteration of the data. E.g. A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information. 12
Passive Attacks (2) Traffic Analysis Traffic analysis - monitor traffic flow to determine location and identity of communicating hosts and could observe the frequency and length of messages being exchanged 13
Categories of Active attacks Active attacks try to alter system resources or affect their operation Modification of data, or creation of false data Four categories Masquerade Replay Modification of messages Denial of service: preventing normal use Difficult to prevent The goal is to detect and recover 14
Active Attacks (1) Masquerade 15 Masquerade is pretending of an entity as authorized entity
Active Attacks (2) Replay 16 Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
Active Attacks (3) Modification of Messages 17 Modify/alter (part of) messages in transit to produce an unauthorized effect
Active Attacks (4) Denial of Service 18 Denial of service - prevents or inhibits the normal use or management of communications facilities.
Security Services (1/2) X.800: “a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers” RFCs (Requests for Comments - RFC 2828): “a processing or communication service provided by a system to give a specific kind of protection to system resources” 19
Security Services (X.800) (2/2) 1.Authentication - assurance that communicating entity is the one claimed Have both peer-entity & data origin authentication 2.Access Control - prevention of the unauthorized use of a resource 3.Data Confidentiality –protection of data from unauthorized disclosure 4.Data Integrity - assurance that data received is as sent by an authorized entity 5.Non-Repudiation - protection against denial by one of the parties in a communication 6.Availability – resource accessible/usable 20
Security Mechanisms (1/2) Security Mechanisms are the specific means of implementing one or more security services. It is a feature designed to detect, prevent, or recover from a security attack No single mechanism that will support all services required However one particular element underlies many of the security mechanisms in use: Cryptographic techniques Hence our focus on this topic 21
Security Mechanisms (2/2) (X.800) It is divided into Specific security mechanisms and Pervasive security mechanisms. Note that the “specific security mechanisms” are protocol layer specific, whilst the “pervasive security mechanisms” are not. Specific security mechanisms are: Encipherment *, digital signatures, access controls, data integrity, authentication exchange, traffic padding and routing control. Pervasive security mechanisms are: Trusted functionality, security labels, event detection, security audit trails (security review paths) and security recovery * Encipherment is: The use of mathematical algorithms to transform data into a form that is not readily intelligible. 22
Model for Network Security (1/3) This model, the information being transferred from one party to another over an insecure communications channel 23
Model for Network Security (2/3) This general model shows that there are four basic tasks in designing a particular security service, as the previous figure shows. 1.Design a suitable algorithm for the security transformation 2.Generate the secret information (keys) used by the algorithm 3.Develop methods to distribute and share the secret information 4.Specify a protocol enabling the principals to use the transformation and secret information for a security service 24
Model for Network Access Security (3/3) Using the model shown in the this figure requires, we understand that the security mechanisms needed to cope with unwanted access fall into two broad categories. 1.Select appropriate gatekeeper functions to identify users 2.Implement security controls to ensure only authorised users access designated information or resources 25
Standards NIST: National Institute of Standards and Technology FIPS: Federal Information Processing Standards SP: Special Publications ISOC: Internet Society Home for IETF (Internet Engineering Task Force) and IAB (Internet Architecture Board) RFCs: Requests for Comments 26
Summary and coming assignment points 27
CHAPTER ONE – KEY TERMS AND REVIEW QUESTIONS 1.1 What is the OSI security architecture? 1.2 What is the difference between passive and active security threats? 1.3 List and briefly define categories of passive and active security attacks. 1.4 List and briefly define categories of security services. 1.5 List and briefly define categories of security mechanisms 28