1st topic-osi model

Cryptography and Network Security

Upload: aarthi-sam

Post on 07-Apr-2018


Page 1: 1st Topic-OSI Model

8/6/2019 1st Topic-OSI Model

http://slidepdf.com/reader/full/1st-topic-osi-model 1/37

Cryptography and Network Security


Chapter 1 – Introduction

The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable. —The Art of War, Sun Tzu


Cryptography

• Cryptography (from Greek kryptós, "hidden", and gráphein, "to write") is, traditionally, the study of means of converting information from its normal, comprehensible form into an incomprehensible format, rendering it unreadable without secret knowledge — the art of encryption.


Background

• Information Security requirements have changed in recent times

• traditionally provided by physical and administrative mechanisms

• computer use requires automated tools to protect files and other stored information

• use of networks and communications links requires measures to protect data during transmission


Definitions

• Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers

• Network Security - measures to protect data during their transmission

• Internet Security - measures to protect data during their transmission over a collection of interconnected networks


Aim of Course

• our focus is on Internet Security

• consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information


Services, Mechanisms, Attacks

• need systematic way to define requirements for security

• consider three aspects of information security:

 – security attack

 – security mechanism

 – security service

• consider in reverse order


Security Service

 – is something that enhances the security of the data processing systems and the information transfers of an organization

 – intended to counter security attacks

 – make use of one or more security mechanisms to provide the service

 – replicate functions normally associated with physical documents

• e.g. have signatures, dates; need protection from disclosure, tampering, or destruction; be notarized or witnessed; be recorded or licensed


Security Mechanism

• a mechanism that is designed to detect, prevent, or recover from a security attack

• no single mechanism that will support all functions required

• however one particular element underlies many of the security mechanisms in use: cryptographic techniques


Security Attack

• any action that compromises the security of information owned by an organization

• information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems

• have a wide range of attacks

• can focus on generic types of attacks


OSI Security Architecture

• ITU-T X.800 Security Architecture for OSI

• defines a systematic way of defining and providing security requirements

• for us it provides a useful, if abstract, overview of concepts we will study


Security Services

• X.800 defines it as: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers

• RFC 2828 defines it as: a processing or communication service provided by a system to give a specific kind of protection to system resources

• X.800 defines it in 5 major categories


Security Services (X.800)

• Authentication - assurance that the communicating entity is the one claimed

• Access Control - prevention of the unauthorized use of a resource

• Data Confidentiality - protection of data from unauthorized disclosure

• Data Integrity - assurance that data received is as sent by an authorized entity

• Non-Repudiation - protection against denial by one of the parties in a communication


AUTHENTICATION

• Peer entity authentication - Used in logical connection to provide confidence in the identity of the entities connected.

• Data origin authentication - Used in connectionless transfer to provide assurance that source of received data is as claimed.


ACCESS CONTROL

• Prevention of unauthorized use of a resource


DATA CONFIDENTIALITY

• Connection confidentiality - Protection of all user data on a connection.

• Connectionless confidentiality - Protection of data in a single data block.

• Selective field confidentiality - confidentiality of selected fields within user data on connection or in single data block.

• Traffic flow confidentiality - Protection of information that is derived from observation of traffic flows.


DATA INTEGRITY

• Connection integrity with recovery - Provides for integrity of all user data on connection and detects any modification, insertion, deletion, replay of any data within entire data sequence with recovery.

• Connection Integrity without Recovery

• Selective field connection integrity - it determines whether any selected fields have been modified, inserted, deleted or replayed.

• Connectionless integrity

• Selective field connectionless integrity.
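
As an added illustration (not part of the original slides), the sketch below shows one common way to realise connection integrity: each frame carries a sequence number and an HMAC-SHA256 tag, so the receiver can tell modification or insertion, replay, and deletion apart. The key, frame layout and verdict names are assumptions chosen for this example; in the with-recovery variant a non-ok verdict would trigger retransmission.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed sample key, assumed pre-shared
TAG_LEN = 32                    # HMAC-SHA256 output size in bytes

def protect(seq, payload, key=KEY):
    """Sender side: frame = 8-byte sequence number || payload || tag."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class Receiver:
    """Checks every frame against the shared key and the expected sequence."""
    def __init__(self, key=KEY):
        self.key = key
        self.expected = 0       # next sequence number we will accept

    def accept(self, frame):
        if len(frame) < 8 + TAG_LEN:
            return ("bad-tag", None)
        header, payload, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        good = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            return ("bad-tag", None)    # modified, or inserted without the key
        seq = struct.unpack(">Q", header)[0]
        if seq < self.expected:
            return ("replay", None)     # authentic frame seen before
        if seq > self.expected:
            return ("gap", None)        # earlier frame deleted or reordered
        self.expected += 1
        return ("ok", payload)

def demo():
    """Run constructed frames through the receiver and collect verdicts."""
    msgs = [b"pay 10", b"pay 20", b"pay 30"]        # constructed payloads
    frames = [protect(i, m) for i, m in enumerate(msgs)]
    rx = Receiver()
    tampered = frames[1][:8] + b"pay 99" + frames[1][-TAG_LEN:]
    return [
        rx.accept(frames[0])[0],    # in order
        rx.accept(tampered)[0],     # payload altered in transit
        rx.accept(frames[0])[0],    # old frame sent again
        rx.accept(frames[2])[0],    # frame 1 missing so far
        rx.accept(frames[1])[0],    # frame 1 retransmitted
        rx.accept(frames[2])[0],    # sequence complete
    ]

if __name__ == "__main__":
    print(demo())
```
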


NONREPUDIATION

• Non repudiation, Origin - Proof that the message was sent by specified party.

• Non repudiation, Destination - Proof that message was received by the specified party.


Security Mechanisms (X.800)

• specific security mechanisms:

 – encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization

• pervasive security mechanisms:

 – trusted functionality, security labels, event detection, security audit trails, security recovery


ENCIPHERMENT

• Use of mathematical algorithms to transform data into a form that is not readily intelligible.

• Transformation and subsequent recovery of data depend on algorithm and encryption keys.


DIGITAL SIGNATURES

• Data appended to or a cryptographic transformation of a data unit that allows recipient to prove the source and integrity of data unit and protect against forgery.


ACCESS CONTROL & DATA INTEGRITY

• Variety of mechanisms that enforce access rights to resources

• Variety of mechanisms used to assure the integrity of data unit or stream of data units.


AUTHENTICATION EXCHANGE & TRAFFIC PADDING

• A mechanism intended to ensure identity of an entity by means of information exchange.

• Insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.


ROUTING CONTROL & NOTARIZATION

• Enables selection of particular physically secure routes for certain data and allows routing changes when breach of security is suspected.

• Notarization - Use of trusted third party to assure certain properties of data exchange.


PERVASIVE SECURITY MECHANISMS

• Trusted functionality

• Security label

• Event detection

• Security audit trail

• Security recovery


Attack: Interruption

Cut wire lines, jam wireless signals, drop packets


Attack: Interception

Wiring,

eavesdrop


Attack: Modification

Intercept, replaced info


PASSIVE ATTACKS

• Release of message contents - Telephone conversation, electronic mail message and transferred file may contain sensitive information; we should prevent opponent from learning contents of these transmissions.

• Traffic analysis - we mask contents of messages so that opponents, even if they capture message, could not extract information. But opponent could determine location and identity of messages being exchanged.


ACTIVE ATTACKS

• Modification of messages - messages are altered, delayed, reordered.

• Denial of service - Prevents the normal use or management of communications facilities. Disruption of entire network by disabling network or by overloading it with messages to degrade performance


Model for Network Security


• using this model requires us to:

 – design a suitable algorithm for the security transformation

 – generate the secret information (keys) used by the algorithm

 – develop methods to distribute and share the secret information

 – specify a protocol enabling the principals to use the transformation and secret information for a security service


Model for Network Access Security

• using this model requires us to:

 – select appropriate gatekeeper functions to identify users

 – implement security controls to ensure only authorised users access designated information or resources

• trusted computer systems can be used to implement this model
