Cryptography and Network Security

UNIT-1
Basic Principles

Dr. Dwiti Krishna Bebarta

 Objectives
• To define three security goals
• To define security attacks that threaten security
goals
• To define security services and how they are
related to the three security goals
• To define security mechanisms to provide security
services
• To introduce mathematical concepts used in
cryptography for implementing security
mechanisms.
 Computer Security/The OSI security architecture

The Open System Interconnect(OSI) security architecture

was designated by the ITU-T (International
Telecommunication Union - Telecommunication). The ITU-T
decided a standardized architecture which defines the
security requirements and it specifies in "X.800“.
The OSI architecture focuses on
Security attacks
Security services
Security mechanisms
Security attack
An attack is when the security of a system is compromised
by some action of a perpetrator. Attacks could either be
active attacks or passive attacks.
Security mechanism
A mechanism that is designed to detect, prevent, or recover
from a security attack.
Security service
A service that enhances the security of the data processing
systems and the information transfers of an organization.
The services make use of one or more security mechanisms
to provide the service.
The terms threat and attack are commonly used to mean
more or less the same thing. The definitions taken from RFC
2828, Internet Security Glossary is

Threat
A potential for violation of security, which exists when
there is a circumstance, capability, action, or event that
could breach security and cause harm. That is, a threat
is a possible danger that might exploit a vulnerability.

Attack
An assault on system security that derives from an
intelligent threat; that is, an intelligent act that is a
deliberate attempt (especially in the sense of a method
or technique) to evade security services and violate the
security policy of a system.
SECURITY GOALS

This section defines three security goals.

1 Confidentiality
2 integrity
3 Availability
 Confidentiality
Confidentiality is probably the most common aspect of
information security. We need to protect our confidential
information. An organization needs to guard against those
malicious actions that endanger the confidentiality of its
information.

• Data, objects and resources are protected from

unauthorized viewing and other access
 Integrity
Information needs to be changed constantly. Integrity
means that changes need to be done only by authorized
entities and through authorized mechanisms.

• Data is protected from unauthorized changes to

ensure that it is reliable and correct.
 Availability
The information created and stored by an organization
needs to be available to authorized entities. Information
needs to be constantly changed, which means it must be
accessible to authorized entities.

• Authorized users have access to the systems and

the resources they need.
ATTACKS

The three goals of securityconfidentiality, integrity,

and availabilitycan be threatened by security
attacks.

Passive versus Active Attacks

Attacks Threatening Confidentiality
Attacks Threatening Integrity
Attacks Threatening Availability
 Active Attacks Vs Passive Attacks
Basis for Active Attack Passive Attack
Comparison
Definition Active attack tries Passive attack tries to
to change the read or make use of
system resources information from the
or affect their system but does not
operation. influence system
resources.
Threat Integrity and Confidentiality
availability
Attack awareness Victim gets Victim is unaware of
informed about the the attack.
attack or known by
the attack.
Emphasis Detection Prevention
Security Attacks
A useful means of classifying security attacks, used both in
X.800 and RFC 2828, is in terms of passive attacks and active
attacks. A passive attack attempts to learn or make use of
information from the system but does not affect system
resources. An active attack attempts to alter system resources
or affect their operation.
Passive Attacks
Passive attacks are in the nature of eavesdropping on, or
monitoring of, transmissions. The goal of the opponent is to
obtain information that is being transmitted. Two types of
passive attacks are release of message contents and traffic
analysis.
Active Attacks
Active attacks involve some modification of the data stream or
the creation of a false stream and can be subdivided into four
categories: masquerade, replay, modification of messages, and
denial of service.
The active attacks are in the form of interruption,
modification and fabrication.
The passive attacks are in the form of release of
message content and traffic analysis.
Taxonomy of attacks with relation to security goals
 Interception/Monitoring

or Snooping
Def: the action of
secretly trying to find
out something,
especially
information about
someone's private
affairs.
 Attacks Threatening Confidentiality
–Interception: attacks confidentiality.
– Eavesdropping, “man-in-the-middle” attacks.
–Traffic Analysis: attacks confidentiality, or secrecy.

Snooping refers to unauthorized access to or interception

of data.

Traffic analysis refers to obtaining some other type of

information by monitoring online traffic.
Active Attacks

masquerade
replay
modification of messages
Repudiation Integrity

Denial of Services Availability

Message from attacker but appears like from
source i.e. Darth pretends as Bob
Active Attacks

Replaying: Capture
message and later replay
to destination
modification of messages
A repudiation attack happens when an
application or system does not adopt controls to
properly track and log users' actions, thus
permitting malicious manipulation or forging the
identification of new actions.
Attacks Threatening Integrity
Modification means that the attacker intercepts the
message and changes it.

Masquerading or spoofing happens when the attacker

impersonates somebody else.

Replaying means the attacker obtains a copy

of a message sent by a user and later tries to replay it.

Repudiation means that sender of the message might later

deny that she has sent the message; the receiver of the
message might later deny that he has received the message.
Attacks Threatening Availability

Denial of service (DoS) is a very common attack. It may

slow down or totally interrupt the service of a system.
Passive Versus Active Attacks
SERVICES AND MECHANISMS

ITU-T provides some security services and some

mechanisms to implement those services. Security
services and mechanisms are closely related because a
mechanism or combination of mechanisms are used to
provide a service..

Topics discussed in this section:

Security Services
Security Mechanisms
Relation between Services and Mechanisms
Security Services

Security Mechanism
(X.800)
Encipherment:
• Hiding or covering data
• Provide confidentiality
• Cryptography and Steganography
Data Integrity
• Appends to the data a short checkvalue that has
been created by a specific process
• The receiver receives the data and the checkvalue
Receiver creates a new checkvalue from the
received data
• This computed new checkvalue than compared
with the received one
• If both the checkvalues are same then the the data
is preserved
Digital signature
• Sender electronically signs the data and send using
his private key
• Receiver can electronically verify the signature using
sender’s public key
• Concept of public key and private key is used to sign
the data electronically
Authentication exchange
• Two entities exchange messages to prove their
identity to each other
Traffic padding
Inserting bogus data into the data traffic to thwart the
adversary’s attempt for traffic analysis
Routing control
Selecting and continuously changing different available
routes between the source and destination to prevent the
opponent from eavesdropping on a particular route
Notarization
Selecting a third party to control the communication
between the two entities
To prevent repudiation
Generally three part process: vetting/selection,
certifying, and record keeping

Access control
Uses methods to prove that a user has access rights
Passwords or pins or OTP
Relation between Services and Mechanisms
TECHNIQUES

Mechanisms discussed in the previous sections are

only theoretical recipes to implement security. The
actual implementation of security goals needs some
techniques. Two techniques are prevalent today:
cryptography and steganography.

Topics discussed in this section:

Cryptography
Steganography
 Cryptography

Cryptography, a word with Greek origins, means “secret

writing.” However, we use the term to refer to the science
and art of transforming messages to make them secure and
immune to attacks.
 Steganography

The word steganography, with origin in Greek, means

“covered writing,” in contrast with cryptography, which
means “secret writing.”