COMMUNICATION SYSTEM

SECURITY
-Lidong Chen, Guang Gong
Objective
• Gives a thorough understanding of information security technology
• Policy (what should be protected)
• Mechanisms (cryptography, electrical engineering, …)
• Attacks (malicious code, protocol failure …)
• Assurance – that there was the right information from the right source
• How to make this into a proper engineering discipline?
Security systems have critical assurance requirements. Their failure may:

• endanger human life and the environment (as with nuclear safety and control systems),

• do serious damage to major economic infrastructure (cash machines and other bank systems),

• endanger personal privacy (medical record systems),

• undermine the viability of whole business sectors (pay-TV), and facilitate crime (burglar and
car alarms).
• While software engineering is about ensuring that certain things happen, security is about
ensuring that the unwanted doesn't happen.

• Security requirements differ greatly from one system to another. A system requires a combination of
user authentication, integrity and accountability, fault tolerance, message secrecy, and
covertness.

But systems still fail because the wrong things are protected, or the right things are protected
in the wrong way.
Communication system security includes

• information security

• physical resource security

The objective of providing security is achieved by applying security mechanisms based on trust
assumptions and threat assessments.


Information Security

Main Requirements

Confidentiality, integrity and availability, also known as the CIA triad, is a model designed to
guide policies for information security within an organization. The model is also sometimes
referred to as the ‘AIC triad’.
Objectives can be achieved through several protection mechanisms, such as cryptographic
functions or algorithms.
1. Confidentiality:

• assures that information can only be received by eligible communication parties

• achieved by applying encryption mechanisms, i.e., an encryption operation and a decryption
operation

• What are an encryption operation and a decryption operation?

• symmetric-key based encryption, asymmetric-key based encryption


• Confidentiality

• Preserving the confidentiality of information means preventing unauthorized
parties from accessing the information or perhaps even being aware of the
existence of the information, i.e., secrecy.

• Integrity

• Maintaining the integrity of information means that only authorized parties can
manipulate the information and do so only in authorized ways.

• Availability

• Resources are available if they are accessible by authorized parties on all
appropriate occasions.
A communication system can be described as a set of nodes connected with links.
• Node
• Link
• Path
Symmetric-key based encryption mechanisms
Asymmetric-key based / public key mechanism

Public key cryptography made it possible to protect communications between
two nodes without requiring secure key distribution, even though a public key
must be bound to a specific node in a trusted way.
Encryption:
J’s public key pkJ, private key skJ
Next Objective:
Integrity and Authenticity - inseparable information security objectives.

Integrity is to assure that the information is not tampered with by a non-eligible
party or through a transmission or storage error, i.e., it prevents altering the
content of the message.

Authenticity is to assure that the originator of the information appearing to the
receiver is its actual originator, i.e., it prevents altering the origin of the
message.
In symmetric-key based cryptographic mechanisms, integrity and
authenticity are achieved by generating a message authentication code (MAC).
A MAC, sometimes known as a tag, is a short piece of information used
to authenticate a message, in other words, to confirm that the message came from the
stated sender (its authenticity) and has not been changed.
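The MAC check described above, as an added example that is not part of the original slides. It assumes HMAC-SHA256 as the MAC; the node names and the message are constructed sample values. The tag covers the sender identity as well as the content, so altering either one is detected.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def protect(key: bytes, sender: bytes, message: bytes) -> bytes:
    """Sender side: append a MAC tag computed over the sender identity and message."""
    # Length-prefix the sender so (sender, message) pairs cannot be confused.
    data = len(sender).to_bytes(2, "big") + sender + message
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return message + tag


def verify(key: bytes, sender: bytes, frame: bytes):
    """Receiver side: return the message if the tag checks out, else None."""
    if len(frame) < TAG_LEN:
        return None
    message, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    data = len(sender).to_bytes(2, "big") + sender + message
    expected = hmac.new(key, data, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return message if hmac.compare_digest(tag, expected) else None


def demo() -> dict:
    key = secrets.token_bytes(32)        # shared by node A and node B only
    other_key = secrets.token_bytes(32)  # a party that does not hold the key
    msg = b"open valve 7"                # constructed sample message
    frame = protect(key, b"node-A", msg)

    altered = bytearray(frame)
    altered[0] ^= 0x01  # one bit changed in transit (error or tampering)

    return {
        "intact": verify(key, b"node-A", frame),
        "content_altered": verify(key, b"node-A", bytes(altered)),
        "origin_altered": verify(key, b"node-C", frame),
        "wrong_key": verify(key, b"node-A", protect(other_key, b"node-A", msg)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} -> {result!r}")
```

Only the intact frame verifies; a changed bit, a changed claimed origin, and a tag made without the shared key are all rejected.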
In public-key based cryptographic mechanisms, integrity and authenticity can
be achieved by a digital signature: a digital code (generated and authenticated by
public key encryption) which is attached to an electronically transmitted document to
verify its contents and the sender's identity. It guarantees that the contents of a message have
not been altered in transit and protects the two parties from a third party.
Trust is often regarded as an important precondition for the adoption of new
technologies, and thus as a research problem needing urgent attention.
Several research programs have listed trust as an important item in their calls
for proposals. The goal is to provide technology that can be trusted by its
users. When trust is defined, for example, as the user’s willingness to risk
time, money, and personal data on a website, we are primarily concerned
with user psychology. In this context, trust is a natural term to use.
Furthermore, this type of trust is an important goal indeed when designing
and deploying IT systems. But, this interpretation does not necessarily match
the various usages of trust in computer security.
Different forms of trust exist to address different types of problems and
mitigate risks in certain conditions. Which form of trust to apply in a
given circumstance is generally dictated by corporate policy.

In network security, there are two important forms of trust:

- third-party trust

- direct (personal) trust


Third-party trust, a fundamental requirement for any large-scale implementation of network
security, refers to a situation in which two individuals implicitly trust each other even though they
have not previously established a personal relationship. In this situation, two individuals implicitly
trust each other because they each share a relationship with a common third party, and that third
party vouches for the trustworthiness of the two people.
Direct trust refers to a situation in which two individuals have established a trusting relationship
between themselves.
- is required when individuals from separate CA domains exchange keying information to
secure their communications
- whereas third party trust allows individuals to implicitly trust each other without a personal
relationship, direct trust is predicated on the existence of a personal relationship prior to
exchanging of secure information.
Trustworthy

-able to be relied on as honest or truthful.


Trust Model:
Critical in establishing a secure communication system.
Is a starting point for establishing communication system security.
Can be achieved through:
Encryption
Distributing keys through trusted parties, e.g., a certification authority
The security and robustness of a protection mechanism must be proved
based on a set of well-defined assumptions but, in security practice, a
trust model is often determined by business and management relations.
For example,
a case of cellular service provider…
Threat Model:
To secure a communication system, it should be known, for each protection mechanism used,
which kinds of attacks the mechanism is up against.

Threat Model is based on –


• Computation Power of Attackers
• Physical Vulnerability
• Jamming and Intrusion
• The Man-in-the-Middle Attacks
Communication System Security:

The security of a communication system, which consists of nodes and links, is pursued in
two aspects:
• to make each node a trusted platform
• to protect communications on each link.
Trusted Platform:
- is a platform that operates as it is supposed to.
E.g., a trusted platform should not allow a process to access a file unless the
process is entitled to.
An application in a trusted platform, such as a music player or an electronic
book reader, should observe the digital right management rules.

For a personal computer, relative to the system software such as an operating
system (OS), the processors and memories will form a platform,
while, for the applications, the hardware and system software together are integrated into
a platform.
Trusted Platform in the form of :
• Robust hardware
• Validated system software
• Authorized applications
Protected Communications:
Communications done with confidentiality, integrity, and authenticity.
Achieved through cryptographic mechanisms: encryption and message
authentication.
Key distribution: symmetric or public key distribution;
can be through broadcast, multicast.
Protected communications can be established through:
Mutual authentication
Key establishment
Cipher suite negotiation
Failure detection