Text Book: Stallings, William. (2011) 4th Ed., Network Security Essentials: Applications and Standards, Prentice Hall.
Unit Topics
Weeks 1-2: Introduction of Network Security, Symmetric Encryption and Message Confidentiality
Weeks 3-5: Public and private key cryptography; Methods of authentication; Digital signatures
Weeks 6-8: Transport-Level Security, Electronic Mail Security, IP Security
Assessment Tasks
Assessment Task Release Date Due Date Weighting Task type Presentation Week 2 Week 5 (17/04/12) During lab time Week 6 (24/04/12) During lecture time Week 9 (15/05/12) 3PM Week 12 (05/06/12) 3PM 10% A
Week 6
10%
Group Assignment 1
Week 4
10%
Group Assignment 2
Week 6
10%
Laboratory participation
10%
Exam (3 hours)
End of semester
50 %
Lecture 1 Topics
Standard organisations
Computer Security Concepts
Definition and Examples of Computer Security
The Challenges of Computer Security
Introduction
Information security
primarily by physical and administrative means. Ex: use of filing cabinets with a combination lock for storing sensitive documents
Computer security
automated tools for protecting files and other information stored on the computer
Availability: Assures that systems work promptly and service is not denied to authorized users.
Moderate
serious adverse effect, for example, the loss might
(i) cause a significant degradation in mission; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious, life-threatening injuries.
High
severe or catastrophic adverse effect: the loss might
(i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious, life-threatening injuries.
Examples
Confidentiality: student grade information (high), student enrollment information (moderate), lists of students, faculty, or departmental lists (low)
Integrity: hospital patients' allergy information stored in a database, where the doctor should be able to trust that the information is correct and current (high), a Web site that offers a forum to registered users to discuss some specific topic (moderate), an anonymous online poll (low)
Availability: authentication services (high), a public Web site for a university (moderate), an online telephone directory (low)
OSI Model
Layer (data unit): function
Host layers
7. Application (Data): Network process to application
6. Presentation (Data): Data representation, encryption and decryption, convert machine dependent data to machine independent data
5. Session (Data)
4. Transport (Segments)
1. Physical (Bit)
Despite its national scope, NIST Federal Information Processing Standards (FIPS) and Special Publications (SP) have a worldwide impact.
Internet Society: is a professional membership society with worldwide
provides leadership in addressing issues that confront the future of the Internet and is responsible for Internet infrastructure standards, including the Internet Engineering Task Force (IETF) and the Internet Architecture Board (IAB). These organizations develop Internet standards and related specifications, all of which are published as Requests for Comments (RFCs).
SECURITY ATTACKS
Passive attacks and active attacks
A passive attack: attempts to learn or make use of information from the system but does not affect system resources.
An active attack: attempts to alter system resources or affect their operation.
Passive attacks
Release of message contents: easily understood. A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information.
Traffic analysis: encryption can be used to mask contents, but an opponent still might be able to observe the pattern of these messages.
Passive attacks are very difficult to detect because they do not involve any alteration of the data; therefore the emphasis in dealing with passive attacks is on prevention rather than detection.
Active Attacks
Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories:
Masquerade, replay, modification of messages, and denial of service
It is quite difficult to prevent active attacks because of the wide variety of potential physical, software, and network vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them.
Masquerade
takes place when one entity pretends to be a different entity. For example, authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.
Replay
involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
Modification of messages
means that some portion of a legitimate message is altered, or that messages are delayed or reordered. For example, a message meaning "Allow John Smith to read confidential file accounts" is modified to "Allow Fred Brown to read confidential file accounts."
Denial of service
prevents or inhibits the normal use or management of communications facilities. For example, an entity may suppress all messages directed to a particular destination; another form is the disruption of an entire network.
SECURITY SERVICES
X.800 defines a security service; RFC 2828 provides the following definition:
A processing or communication service that is provided by a system to give a specific kind of protection to system resources; security services implement security policies and are implemented by security mechanisms
14 Security Services
Authentication
Peer Entity Authentication
Data-Origin Authentication
Access control
Access Control
Data confidentiality
Connection Confidentiality
Connectionless Confidentiality
Selective-Field Confidentiality
Traffic-Flow Confidentiality
Data integrity
Connection Integrity with Recovery
Connection Integrity without Recovery
Selective-Field Connection Integrity
Connectionless Integrity
Selective-Field Connectionless Integrity
Nonrepudiation
Nonrepudiation, Origin
Nonrepudiation, Destination
Authentication
The authentication service is concerned with assuring that a communication is authentic. Two types:
Peer entity authentication: two entities are considered peers
Data origin authentication: provides for the validation of the source of a data unit, ex: email
Security Mechanisms
Security mechanisms are divided into
Specific Security Mechanisms and Pervasive Security Mechanisms
Specific security mechanisms are:
Encipherment
The use of mathematical algorithms to transform data into a form that is not readily intelligible. The transformation and subsequent recovery of the data depend on an algorithm and zero or more encryption keys.
Digital Signature
Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery (e.g., by the recipient).
Access Control
A variety of mechanisms that enforce access rights to resources.
Authentication Exchange
A mechanism intended to ensure the identity of an entity by means of information exchange.
Traffic Padding
The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
Routing Control
Enables selection of particular physically secure routes for certain data and allows routing changes, especially when a breach of security is suspected.
Notarization
The use of a trusted third party to assure certain properties of a data exchange.
Security Label
The marking bound to a resource (which may be a data unit) that names or designates the security attributes of that resource.
Event Detection
Detection of security-relevant events.
Security Recovery
Deals with requests from mechanisms, such as event handling and management functions, and takes recovery actions.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service.
2. Internal control
Summary
Standard organisations
Computer Security Concepts
Definition and Examples of Computer Security
The Challenges of Computer Security