1st topic-osi model
8/6/2019 1st Topic-OSI Model
http://slidepdf.com/reader/full/1st-topic-osi-model 1/37
Cryptography and Network
Security
Chapter 1 – Introduction
The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable. —The Art of War, Sun Tzu
Cryptography
• Cryptography (from Greek kryptós, "hidden", and gráphein, "to write") is, traditionally, the study of means of converting information from its normal, comprehensible form into an incomprehensible format, rendering it unreadable without secret knowledge — the art of encryption.
Background
• Information Security requirements have changed in recent times
• traditionally provided by physical and administrative mechanisms
• computer use requires automated tools to protect files and other stored information
• use of networks and communications links requires measures to protect data during transmission
Definitions
• Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over a collection of interconnected networks
Aim of Course
• our focus is on Internet Security
• consists of measures to deter, prevent, detect, and correct security violations that involve the transmission of information
Services, Mechanisms, Attacks
• need systematic way to define requirements for security
• consider three aspects of information security:
– security attack
– security mechanism
– security service
• consider in reverse order
Security Service
– is something that enhances the security of the data processing systems and the information transfers of an organization
– intended to counter security attacks
– make use of one or more security mechanisms to provide the service
– replicate functions normally associated with physical documents
• e.g. have signatures, dates; need protection from disclosure, tampering, or destruction; be notarized or witnessed; be recorded or licensed
Security Mechanism
• a mechanism that is designed to detect, prevent, or recover from a security attack
• no single mechanism that will support all functions required
• however one particular element underlies many of the security mechanisms in use: cryptographic techniques
Security Attack
• any action that compromises the security of information owned by an organization
• information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems
• have a wide range of attacks
• can focus on generic types of attacks
OSI Security Architecture
• ITU-T X.800 Security Architecture for OSI
• defines a systematic way of defining and providing security requirements
• for us it provides a useful, if abstract, overview of concepts we will study
Security Services
• X.800 defines it as: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers
• RFC 2828 defines it as: a processing or communication service provided by a system to give a specific kind of protection to system resources
• X.800 defines it in 5 major categories
Security Services (X.800)
• Authentication - assurance that the communicating entity is the one claimed
• Access Control - prevention of the unauthorized use of a resource
• Data Confidentiality - protection of data from unauthorized disclosure
• Data Integrity - assurance that data received is as sent by an authorized entity
• Non-Repudiation - protection against denial by one of the parties in a communication
AUTHENTICATION
• Peer entity authentication - Used in logical connection to provide confidence in the identity of the entities connected.
• Data origin authentication - Used in connectionless transfer to provide assurance that source of received data is as claimed.
ACCESS CONTROL
• Prevention of unauthorized use of a resource
DATA CONFIDENTIALITY
• Connection confidentiality - Protection of all user data on a connection.
• Connectionless confidentiality - Protection of data in a single data block.
• Selective field confidentiality - confidentiality of selected fields within user data on connection or in single data block.
• Traffic flow confidentiality - Protection of information that is derived from observation of traffic flows.
DATA INTEGRITY
• Connection integrity with recovery - Provides for integrity of all user data on connection and detects any modification, insertion, deletion, replay of any data within entire data sequence with recovery.
• Connection integrity without recovery
• Selective field connection integrity - it determines whether any selected fields have been modified, inserted, deleted or replayed.
• Connectionless integrity
• Selective field connectionless integrity.
NONREPUDIATION
• Non repudiation, Origin - Proof that the message was sent by specified party.
• Non repudiation, Destination - Proof that message was received by the specified party.
Security Mechanisms (X.800)
• specific security mechanisms:
– encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization
• pervasive security mechanisms:
– trusted functionality, security labels, event detection, security audit trails, security recovery
ENCIPHERMENT
• Use of mathematical algorithms to transform data into a form that is not readily intelligible.
• Transformation and subsequent recovery of data depend on algorithm and encryption keys.
DIGITAL SIGNATURES
• Data appended to or a cryptographic transformation of a data unit that allows recipient to prove the source and integrity of data unit and protect against forgery.
ACCESS CONTROL & DATA INTEGRITY
• Variety of mechanisms that enforce access rights to resources
• Variety of mechanisms used to assure the integrity of data unit or stream of data units.
AUTHENTICATION EXCHANGE & TRAFFIC PADDING
• A mechanism intended to ensure identity of an entity by means of information exchange.
• Insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
ROUTING CONTROL & NOTARIZATION
• Routing control - Enables selection of particular physically secure routes for certain data and allows routing changes when breach of security is suspected.
• Notarization - Use of trusted third party to assure certain properties of data exchange.
PERVASIVE SECURITY MECHANISMS
• Trusted functionality
• Security label
• Event detection
• Security audit trail
• Security recovery
Attack: Interruption
(Figure: cut wire lines, jam wireless signals, drop packets)
Attack: Interception
(Figure: wiring, eavesdrop)
Attack: Modification
(Figure: intercept, replaced info)
PASSIVE ATTACKS
• Release of message contents - Telephone conversation, electronic mail message and transferred file may contain sensitive information; we should prevent opponent from learning contents of these transmissions.
• Traffic analysis - we mask contents of messages so that opponents, even if they capture a message, could not extract information. But opponent could still determine location and identity of messages being exchanged.
ACTIVE ATTACKS
• Modification of messages - messages are altered, delayed, reordered.
• Denial of service - Prevents the normal use or management of communications facilities. Disruption of entire network by disabling network or by overloading it with messages to degrade performance
Model for Network Security
Model for Network Security
• using this model requires us to:
– design a suitable algorithm for the security transformation
– generate the secret information (keys) used by the algorithm
– develop methods to distribute and share the secret information
– specify a protocol enabling the principals to use the transformation and secret information for a security service
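As an added example (not part of the slides), the model's four steps made concrete for one X.800 service, connection integrity without recovery: the transformation is an HMAC-SHA256 tag over a sequence number and the payload, the key is generated with `secrets`, key distribution is assumed to happen out of band, and the receiving side of the protocol reports the modification, insertion, deletion and replay cases listed on the Data Integrity slide. The function names, the status strings and the sample messages are constructed for this illustration.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

def generate_key() -> bytes:
    """Model step 2: generate the secret information the principals will share."""
    return secrets.token_bytes(32)

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Model step 1, the transformation: a tag over (seq || payload), so changing
    either the data or its position in the sequence is detected by the receiver."""
    header = struct.pack(">I", seq)
    return header + payload + hmac.new(key, header + payload, hashlib.sha256).digest()

class Receiver:
    """Model step 4, the protocol's receiving side: connection integrity with
    detection only (no recovery). The key is assumed to have been distributed
    out of band, which is model step 3 and is not shown here."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.expected = 0  # next sequence number we are willing to accept

    def receive(self, unit: bytes) -> str:
        if len(unit) < 4 + TAG_LEN:
            return "malformed"
        header, payload, tag = unit[:4], unit[4:-TAG_LEN], unit[-TAG_LEN:]
        good = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(good, tag):
            return "tampered"  # modified in transit, or inserted by a party without the key
        (seq,) = struct.unpack(">I", header)
        if seq < self.expected:
            return "replayed"  # an already-seen unit presented again (or delivered late)
        status = "ok" if seq == self.expected else "gap"  # gap: earlier units were deleted
        self.expected = seq + 1
        return status

def run_demo() -> list:
    """Constructed exchange showing each detection: replay, modification, deletion."""
    key = generate_key()  # shared by sender and receiver for this demo
    units = [protect(key, i, m) for i, m in enumerate([b"hello", b"world", b"bye"])]
    tampered = bytearray(units[1])
    tampered[4] ^= 0x01  # flip one payload bit of the second unit
    rx = Receiver(key)
    return [rx.receive(units[0]), rx.receive(units[0]), rx.receive(bytes(tampered)),
            rx.receive(units[2]), rx.receive(units[1])]
```

Because the tag covers the sequence number, an opponent without the key can neither alter a unit nor renumber an old one to slip it past the replay check; the receiver only ever detects, which is what distinguishes this service from connection integrity with recovery.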
Model for Network Access Security
• using this model requires us to:
– select appropriate gatekeeper functions to identify users
– implement security controls to ensure only authorised users access designated information or resources
• trusted computer systems can be used to implement this model