Data & Network Security


1 Data & Network Security
Mrs. Iqra Shahid, Lecturer, Department of Computer Science

2 Instructor
MS Computer Science from UOL (Sargodha Campus). BS Computer Science from UET Lahore.
Have 3 research papers published: Pre-coding Techniques (OFDMA); Distributed Denial of Service (Network Security); Multi-Level Queue and Real time Scheduling (Operating System).

3 Students Introduction

4 Introduction to Course

5 Teaching Procedure
Lectures, Discussion, Assignments, Surprise Quizzes, Midterm, Presentation, Final Exam

6 Marks Distribution
Class Participation: 05%
Assignments: 05%
Surprise Quizzes: 10%
Midterm: 30%
Presentation: 10%
Final Exam: 40%

7 Prerequisites
Data Communication & Networks
Computer Networks

8 Textbook
Cryptography and Network Security, William Stallings, 5th Edition, Pearson Education, 2011
Cryptography & Network Security, Behrouz A. Forouzan
Security in Computing, Charles P. Pfleeger, Fourth Edition, Pearson Education, 2011
Online readings

9 Objectives of the lecture
To define security
To define three security goals
To define security attacks that threaten security goals
To define security services and how they are related to the three security goals
To define security mechanisms to provide security services
To introduce two techniques, cryptography and steganography, to implement security mechanisms

10 Introduction The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable. —The Art of War, Sun Tzu

11 Background Information Security requirements have changed in recent times. Traditionally provided by physical and administrative mechanisms. Computer use requires automated tools to protect files and other stored information. Use of networks and communications links requires measures to protect data during transmission.

12 Computer Security The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications). [NIST 1995]

13 Definitions Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers. Network Security - measures to protect data during their transmission. Internet Security - measures to protect data during their transmission over a collection of interconnected networks.

14 Aim of Course
Our focus is on Data & Network Security, which consists of measures to prevent, detect, deter and correct security violations that involve the transmission & storage of information.

15 Security Trends

16 Security Goals
This section defines three security goals: Confidentiality, Integrity, Availability.

17 Confidentiality Confidentiality is probably the most common aspect of information security. We need to protect our confidential information. An organization needs to guard against those malicious actions that endanger the confidentiality of its information.

18 Integrity Information needs to be changed constantly.
Integrity means that changes need to be done only by authorized entities and through authorized mechanisms.

19 Availability The information created and stored by an organization needs to be available to authorized entities. Information needs to be constantly changed, which means it must be accessible to authorized entities.

20 Examples of Security Requirements
Confidentiality – student grades
Integrity – patient information
Availability – authentication service

21 Levels Of Impact
3 levels of impact from a security breach: Low, Moderate, High

22 OSI Security Architecture
ITU-T X.800 “Security Architecture for OSI” defines a systematic way of defining and providing security requirements. For us it provides a useful, if abstract, overview of concepts we will study.

23 Aspects of Security
Consider 3 aspects of information security: Security Attack, Security Mechanism, Security Service.

24 Security Attack
Any action that compromises the security of information owned by an organization. Information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems. Often threat and attack are used to mean the same thing.

25 Security Attack
The three goals of security (confidentiality, integrity, and availability) can be threatened by security attacks.
Attacks Threatening Confidentiality
Attacks Threatening Integrity
Attacks Threatening Availability
Passive versus Active Attacks

26 Taxonomy of Attacks

27 Attacks Threatening Confidentiality
Snooping refers to unauthorized access to or interception of data. Traffic analysis refers to obtaining some other type of information by monitoring online traffic.

28 Attacks Threatening Integrity
Modification means that the attacker intercepts the message and changes it.
Masquerading or spoofing happens when the attacker impersonates somebody else.
Replaying means the attacker obtains a copy of a message sent by a user and later tries to replay it.
Repudiation means that the sender of the message might later deny that she has sent the message; the receiver of the message might later deny that he has received the message.

29 Attacks Threatening Availability
Denial of service (DoS) is a very common attack. It may slow down or totally interrupt the service of a system.

30 Passive Attacks (i) Release of Message Contents

31 Passive Attacks (ii) Traffic Analysis

32 Passive Attacks (Cont…)
Passive attacks do not affect system resources (eavesdropping, monitoring).
Two types of passive attacks: release of message contents and traffic analysis.
Passive attacks are very difficult to detect: message transmission is apparently normal and there is no alteration of the data.
Emphasis is on prevention rather than detection, by means of encryption.

33 Active Attacks (i) Masquerade

34 Active Attacks (ii) Replay

35 Active Attacks (iii) Modification of Messages

36 Active Attacks (iv) Denial of Service

37 Active Attacks (Cont…)
Active attacks try to alter system resources or affect their operation: modification of data, or creation of false data.
Four categories: masquerade; replay; modification of messages; denial of service (preventing normal use of a specific target or an entire network).
Difficult to prevent; the goal is to detect and recover.

38 Passive versus Active Attacks

39 Security Service & Mechanisms
ITU-T provides some security services and some mechanisms to implement those services. Security services and mechanisms are closely related because a mechanism or combination of mechanisms is used to provide a service.
Security Services
Security Mechanism
Relation between Services and Mechanisms

40 Security Service Enhance security of data processing systems and information transfers of an organization. Intended to counter security attacks. Using one or more security mechanisms. Systematically evaluate and define security requirements.

41 Security Services
X.800: A service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers.
RFC 2828: A processing or communication service provided by a system to give a specific kind of protection to system resources.

42 Security Services (X.800)

43 Security Services (X.800)
Authentication - Assurance that the communicating entity is the one claimed.
Access Control - Prevention of the unauthorized use of a resource.
Data Confidentiality - Protection of data from unauthorized disclosure.
Data Integrity - Assurance that data received is as sent by an authorized entity.
Non-Repudiation - Protection against denial by one of the parties in a communication. Sender cannot deny sending of a message that they originated.

44 Security Mechanism
Feature designed to detect, prevent, or recover from a security attack. No single mechanism will support all services required. However, one particular element underlies many of the security mechanisms in use: cryptographic techniques.

45 Security Mechanisms (X.800)
Specific security mechanisms: mechanisms for OSI security services that are implemented in a specific protocol layer. Encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization.
Pervasive security mechanisms: mechanisms that are not specific to any particular protocol layer. Trusted functionality, security labels, event detection, security audit trails, security recovery.
Some examples of mechanisms from X.800. Note that the “specific security mechanisms” are protocol layer specific, whilst the “pervasive security mechanisms” are not. We will meet some of these mechanisms in much greater detail later. See Stallings Table 1.3 for details of these mechanisms in X.800, and Table 1.4 for the relationship between services and mechanisms.

46 Security Mechanisms (X.800)

47 Specific Security Mechanisms
Encipherment is the use of mathematical algorithms to transform data into a form that cannot be understood.
Digital Signature is a cryptographic transformation of a data unit that is used to validate the authenticity and integrity of a message. A hashing algorithm is used.
Access Control is a mechanism that ensures access to a resource by a user who has rights.
Data Integrity is a mechanism used to ensure the integrity of a data unit or stream of data units.

48 Cont….
Authentication Exchange is a mechanism which aims to ensure the identity of an entity for purposes of the exchange of information.
Traffic Padding is bits added to the data stream to confuse traffic analysis attempts.
Routing Control enables the selection of a safe route for certain data and allows routing changes, especially when a security breach is known.
Notarization is the use of a reliable third party during the process of data exchange.

49 Relationship between Services & Mechanisms

50 Security Techniques
Mechanisms discussed in the previous sections are only theoretical recipes to implement security. The actual implementation of security goals needs some techniques. Two techniques are prevalent today: Cryptography and Steganography.

51 Cryptography Cryptography, a word with Greek origins, means “secret writing.” However, we use the term to refer to the science and art of transforming messages to make them secure and immune to attacks.

52 Steganography The word steganography, with origin in Greek, means “covered writing,” in contrast with cryptography, which means “secret writing.” Example: Covering data with text

53 Model for Network Security

54 Model for Network Security
Using this model requires us to:
Design a suitable algorithm for the security transformation.
Generate the secret information (keys) used by the algorithm.
Develop methods to distribute and share the secret information.
Specify a protocol enabling the principals to use the transformation and secret information for a security service.

55 Model for Network Access Security

56 Model for Network Access Security
Using this model requires us to:
Select appropriate gatekeeper functions to identify users.
Implement security controls to ensure only authorised users access designated information or resources.
Trusted computer systems may be useful to help implement this model.

57 Summary
We have considered:
Definitions for Computer, Network, Internet Security
Confidentiality, Integrity, Availability
X.800 standard
Security Attacks, Services, Mechanisms
Cryptography vs. Steganography
Models for network (access) security

