
CAP361:

SECURITY AND PRIVACY OF INFORMATION

Bhagat Avinash


Asst. Prof.
Domain: D3

School of Computing Applications Lovely Professional University

Email: avinash.bhagat@lpu.co.in avinash.bhagat@gmail.com


3/1/2013 Introduction 1

The name cryptography comes from the Greek words 'kryptos', which means hidden, and 'graphia', which means writing. Cryptography is the art of creating and using cryptosystems. Or, simply put, it is the art of secret writing.

Definition
The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

Course Overview
Course Objectives:
1. Understand the importance of security and privacy of information.
2. Understand the importance of protecting the privacy and confidentiality of data.


Course Overview
Text Books: Network Security Essentials: Applications and Standards by William Stallings, Pearson Education Publications, 4th Edition (2012)
References: Network Security Essentials (Applications and Standards) by William Stallings, Pearson Education, 1st Edition

Course Overview
In this age of universal electronic connectivity, of viruses and hackers, and of electronic fraud, there is indeed no time at which security does not matter.


Course Overview
Two trends have come together to shape this course:
1. The explosive growth in computer systems and their interconnections via networks has increased the dependence of both organizations and individuals on the information stored and communicated using these systems. This in turn has led to a heightened awareness of the need to protect data and resources from disclosure.

Course Overview
2. The disciplines of cryptography and network security have matured, leading to the development of practical, readily available applications to enforce network security.


Career Overview
If you have good cryptography knowledge together with information security concepts and implementation, you will get a good job within one month, and it is sure. There are lots of software companies in Bangalore looking for good crypto professionals.


Career Overview
Cryptologists before the 80s were primarily depicted as spy agents involved in deciphering and configuring coded messages to gain momentum against enemy activities. However, with the upsurge of information technology and the increasing dependence on electronic data processing, the range of activities a cryptologist is involved in has expanded.


Career Overview
The vast digital data that is stored and processed in large computer bases and transmitted through complex communication networks is susceptible to unauthorized interception and interpretation and hence, needs to be protected through encrypted remote access or passwords.


Career Overview
Cryptologists are in demand in the military forces, government agencies, technology companies, banking and financial organizations, law enforcement agencies, universities and research institutes.


Network Security Essentials


Fourth Edition by William Stallings


The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.
The Art of War, Sun Tzu


The combination of space, time, and strength that must be considered as the basic elements of this theory of defense makes this a fairly complicated matter. Consequently, it is not easy to find a fixed point of departure.
On War, Carl von Clausewitz


Computer Security

NIST: National Institute of Standards and Technology.
ISOC: Internet Society.
ITU-T: International Telecommunication Union (Telecommunication Standardization Sector).
ISO: International Organization for Standardization.

Computer Security

The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

CIA triad


Computer Security

Integrity means guarding against improper information modification.

1. Data Integrity assures that information and programs are changed only in a specified and authorized manner.
2. System Integrity assures that a system performs its intended function in an unimpaired manner, free from deliberate unauthorized manipulation.

Computer Security

Confidentiality means protecting privacy.

1. Data Confidentiality ensures that private or confidential information is not made available or disclosed to unauthorized individuals.
2. Privacy assures that individuals control what information related to them may be collected and stored, and by whom and to whom that information may be disclosed.

Computer Security

Availability means ensuring timely and reliable access to and use of information. It assures that systems work promptly and that service is not denied to authorized users.


Computer Security

Authenticity means the property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or a message originator.

Computer Security

Accountability means the security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.


Levels of Impact
We can define 3 levels of impact from a security breach:
Low
Moderate
High


Aspects of Security

3 aspects of information security:

security attack
security mechanism
security service


Aspects of Security
Security attack: Any action that compromises the security of information owned by an organization.
Security mechanism: A mechanism that is designed to detect, prevent or recover from a security attack.
Security service: A service that enhances the security of the data processing systems and the information transfer of an organization.

Security Services
Information security services replicate the types of functions normally associated with physical documents. Most of the activities of mankind depend on the use of documents. Documents typically have signatures and dates; they may need to be protected from disclosure or tampering; they may be notarized or witnessed; they may be recorded or licensed.

Security Services
Challenges to electronic documents
1. It is usually possible to discriminate between an original paper document and a xerographic copy. However, an electronic document is merely a sequence of bits and bytes.
2. An alteration to a paper document may leave some sort of physical evidence.
3. Any proof process associated with a physical document typically depends upon physical characteristics of the document.

Security Services
List of common Information Integrity functions:
1. Identification
2. Authentication
3. License and certificates
4. Signature
5. Witnesses
6. Liability
7. Receipts
8. Validation
9. Access
10. Vote
11. Time of occurrence
12. Ownership
13. Registration
14. Approval
15. Privacy


Security Service
Enhances the security of data processing systems and information transfers of an organization.
Intended to counter security attacks using one or more security mechanisms.
Often replicates functions normally associated with physical documents, which, for example, have signatures and dates; need protection from disclosure, tampering, or destruction; may be notarized or witnessed; may be recorded or licensed.


Security Services
X.800:
a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers

RFC 2828:
a processing or communication service provided by a system to give a specific kind of protection to system resources

Security Services (X.800)


Authentication: assurance that the communicating entity is the one claimed; covers both peer-entity and data-origin authentication.
Access Control: prevention of the unauthorized use of a resource.
Data Confidentiality: protection of data from unauthorized disclosure.
Data Integrity: assurance that data received is as sent by an authorized entity.
Non-Repudiation: protection against denial by one of the parties in a communication.
Availability: resource accessible/usable.

Security Mechanism
A feature designed to detect, prevent, or recover from a security attack. No single mechanism will support all services required; however, one particular element underlies many of the security mechanisms in use: cryptographic techniques. Hence our focus on this topic.


Security Attacks
Normal Flow
Interruption
Interception
Modification
Fabrication


Security Attacks
Normal Flow (figure): information flows from Source to Destination.


Security Attacks
Interruption: This is an attack on availability; an asset of the system is destroyed or becomes unavailable.


Security Attacks
Interception: This is an attack on confidentiality; an unauthorized party gains access to an asset.


Security Attacks
Modification: This is an attack on integrity. An unauthorized party not only gains access to but tampers with an asset.


Security Attacks
Fabrication : This is an attack on authenticity. An unauthorized party inserts counterfeit objects into the system.


Security Attacks
Classification of Security Attacks:
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions.
Release of message contents
Traffic analysis

Active attacks:
Masquerade
Replay
Modification of message contents
Denial of service

Release of message contents


Traffic analysis


Security Attacks
Classification of Security Attacks: Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories:
Masquerade
Replay
Modification of message contents
Denial of service


Security Attacks
Masquerade takes place when one entity pretends to be a different entity.


Masquerade


Security Attacks
Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.


Replay


Security Attacks
Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect.


Modification of message


Security Attacks
Denial of service prevents or inhibits the normal use or management of communication facilities.


Denial of service


Model for Network Security


Model for Network Security


All the techniques for providing security have two basic components:
1. A security-related transformation on the information to be sent.
2. Some secret information shared by the two principals.


Model for Network Security


Four basic tasks in designing a particular security service:
1. Design a suitable algorithm for the security transformation.
2. Generate the secret information (keys) used by the algorithm.
3. Develop methods to distribute and share the secret information.
4. Specify a protocol enabling the principals to use the transformation and secret information for a security service.
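The model above (a security transformation plus a secret shared by the two principals) and the active-attack classes listed earlier (modification, replay, masquerade), shown as an added worked example in Python that is not part of the original slides: the transformation is an HMAC-SHA256 tag over a sequence number and the message, the receiving principal's checks live in a hypothetical `Receiver` class, and the key, messages and attack cases are all constructed here.

```python
import hmac
import hashlib
import secrets

# The shared secret of the model; assumed to have been distributed
# to both principals already (task 3 of the four design tasks).
def generate_key() -> bytes:
    return secrets.token_bytes(32)

def protect(key: bytes, seq: int, message: bytes) -> dict:
    """Security transformation: tag (seq, message) with HMAC-SHA256.
    The sequence number is covered by the tag so it cannot be altered."""
    header = seq.to_bytes(8, "big")
    tag = hmac.new(key, header + message, hashlib.sha256).digest()
    return {"seq": seq, "msg": message, "tag": tag}

class Receiver:
    """Hypothetical receiving principal: checks data integrity and origin
    via the tag, and detects replay via a strictly increasing sequence."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, unit: dict) -> str:
        header = unit["seq"].to_bytes(8, "big")
        expected = hmac.new(self.key, header + unit["msg"], hashlib.sha256).digest()
        # Constant-time comparison so tag checking leaks no timing information.
        if not hmac.compare_digest(expected, unit["tag"]):
            return "rejected: integrity/authentication failure"
        if unit["seq"] <= self.last_seq:
            return "rejected: replay"
        self.last_seq = unit["seq"]
        return "accepted"

def demo() -> list:
    """Runs one genuine unit and three constructed attacks through a receiver."""
    key = generate_key()
    rx = Receiver(key)
    genuine = protect(key, 1, b"transfer 100 to account A")   # constructed
    results = [rx.accept(genuine)]
    # Modification: contents altered, original tag kept.
    tampered = dict(genuine, msg=b"transfer 900 to account A")
    results.append(rx.accept(tampered))
    # Replay: the captured genuine unit is retransmitted unchanged.
    results.append(rx.accept(genuine))
    # Masquerade: a party without the shared key fabricates its own unit.
    forged = protect(secrets.token_bytes(32), 2, b"transfer 100 to account B")
    results.append(rx.accept(forged))
    return results
```

Only the first unit is accepted; the tag check catches both the modified and the fabricated unit, and the sequence check catches the replay.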

Model for Network Access Security


Model for Network Access Security


Using this model requires us to:
1. Select appropriate gatekeeper functions to identify users.
2. Implement security controls to ensure only authorised users access designated information or resources.


Questions
1. Define computer security. (2 marks)
2. What are the three objectives of computer security? Or: what is the CIA triad? (2 marks)
3. How are security services classified?
4. Explain the basic model for network security.
5. What are the four basic tasks in designing a particular security service?


Summary
topic roadmap and standards organizations
security concepts: confidentiality, integrity, availability
X.800 security architecture
security attacks, services, mechanisms
models for network (access) security

