VTU Network Security(10ec832) Unit-1 Notes - baixardoc
-
Upload
khangminh22 -
Category
Documents
-
view
0 -
download
0
Transcript of VTU Network Security(10ec832) Unit-1 Notes - baixardoc
NETWORK SECURITY (10EC832)NETWORK SECURITY (10EC832)
8th8th SEMSEM E&CE&C
JAYANTHDWIJESH H PJAYANTHDWIJESH H P M.tech (DECS)M.tech (DECS)
Assistant ProfessorAssistant Professor – – Dept of E&CE Dept of E&CE
B.G.S INSTITUTE OF TECHNOLOGY (B.G.S.I.T)B.G.S INSTITUTE OF TECHNOLOGY (B.G.S.I.T)
B.G Nagara, Nagamangala Tq, Mandya District- 571448B.G Nagara, Nagamangala Tq, Mandya District- 571448
NETWORK NETWORK SECURITY SECURITY 10EC83210EC832
Dept. Dept. of of ECE, ECE, BGSIT, BGSIT, BG BG Nagara, Nagara, Mandya Mandya Page Page 11
NETWORK SECURITYNETWORK SECURITY
PART-APART-A
UNIT-1UNIT-1
UNIT - 1UNIT - 1
Services, mechanisms and attacks, The OSI security architecture, A model forServices, mechanisms and attacks, The OSI security architecture, A model for
network security.network security.
TEXT BOOK:TEXT BOOK:
1. Cryptography and Network Security, William Stal1. Cryptography and Network Security, William Stalling, Pearson Education, 2003.ling, Pearson Education, 2003.
REFERENCE BOOKS:REFERENCE BOOKS:
1. Cryptography and Network Security, Behrouz A. Forouzan, TMH, 2007.1. Cryptography and Network Security, Behrouz A. Forouzan, TMH, 2007.
2. Cryptography and Network Security, Atul Kahate, TMH, 2. Cryptography and Network Security, Atul Kahate, TMH, 2003.2003.
NETWORK NETWORK SECURITY SECURITY 10EC83210EC832
Dept. Dept. of of ECE, ECE, BGSIT, BGSIT, BG BG Nagara, Nagara, Mandya Mandya Page Page 22
UNITUNIT – – 1: 1: Services, Mechanisms and Attacks, The OSI security architecture, A Model forServices, Mechanisms and Attacks, The OSI security architecture, A Model for
Network Security. Network Security.
OVERVIEWOVERVIEW
1. SECURITY SERVICES1. SECURITY SERVICES [DEC-2012(10M)][DEC-2012(10M)]
X.800 defines a security service as a service that is provided by a protocol layer ofX.800 defines a security service as a service that is provided by a protocol layer of
communicating open systems and that ensures adequate security of the systems or of datacommunicating open systems and that ensures adequate security of the systems or of data
transfers.transfers.
Also the RFC 2828(Internet Security Glossary version 2) defines security services as aAlso the RFC 2828(Internet Security Glossary version 2) defines security services as a
processing or processing or communication communication service service that that is is provided by provided by a a system system to to give a give a specific specific kind ofkind of
protection to system resources. protection to system resources.
X.800 divides these services into five categories and fourteen specific services. Shown in theX.800 divides these services into five categories and fourteen specific services. Shown in the
fig1 and table 1.fig1 and table 1.
Figure 1: Security servicesFigure 1: Security services
1.1. Authentication1.1. Authentication
The authentication service is concerned with assuring that a communication isThe authentication service is concerned with assuring that a communication is
authentic.authentic.
In the case of a single message, such as a warning or alarm signal, the function of theIn the case of a single message, such as a warning or alarm signal, the function of the
authentication service is to assure the recipient that the message is from the sourceauthentication service is to assure the recipient that the message is from the source
that it claims to be from.that it claims to be from.
In the case of an ongoing interaction, such as the connection of a terminal to a host,In the case of an ongoing interaction, such as the connection of a terminal to a host,
two aspects are involved.two aspects are involved.
First, at the time of connection initiation, the service assures that the twoFirst, at the time of connection initiation, the service assures that the two
entities are authentic, that is, that each is the entity that it claims to be.entities are authentic, that is, that each is the entity that it claims to be.
Second, the service must assure that the connection is not interfered with inSecond, the service must assure that the connection is not interfered with in
such a way that a third party can masquerade as one of the two legitimatesuch a way that a third party can masquerade as one of the two legitimate
parties for the purposes of unauthorized transmission or reception. parties for the purposes of unauthorized transmission or reception.
NETWORK NETWORK SECURITY SECURITY 10EC83210EC832
Dept. Dept. of of ECE, ECE, BGSIT, BGSIT, BG BG Nagara, Nagara, Mandya Mandya Page Page 33
OROR
AuthenticationAuthentication
This service provides the authentication of the PartThis service provides the authentication of the Party at the other end of the line.y at the other end of the line.
In connectionIn connection – – oriented communication, it provides authentication of the sender ororiented communication, it provides authentication of the sender or
receiver during the connection establishment (peer entity authentication).receiver during the connection establishment (peer entity authentication).
In connectionless communication, it authenticates of the data (data originIn connectionless communication, it authenticates of the data (data origin
authentication).authentication).
Two specific authentication services are Two specific authentication services are defined in X.800:defined in X.800:
a. Peer entity authentication:a. Peer entity authentication:
Provides for the corroboration of the identity of a peer entitProvides for the corroboration of the identity of a peer entity in an association.y in an association.
Peer entity authentication is provided for use at the establishment of, or at timesPeer entity authentication is provided for use at the establishment of, or at times
during the data transfer phase of, a connection.during the data transfer phase of, a connection.
It attempts to provide confidence that an entity is not performing either a masqueradeIt attempts to provide confidence that an entity is not performing either a masquerade
or an unauthorized replay of a previous connection.or an unauthorized replay of a previous connection.
b. Data origin b. Data origin authenticatauthentication:ion:
Provides for the corroboration of the source of a data unit.Provides for the corroboration of the source of a data unit.
It does not provide protection against the duplication or modification of data units.It does not provide protection against the duplication or modification of data units.
This type of service supports applications like electronic mail, where there are noThis type of service supports applications like electronic mail, where there are no
prior interactions between the communicating entities. prior interactions between the communicating entities.
1.2. Access Control1.2. Access Control
Access control is the ability to limit and control the access to host systems andAccess control is the ability to limit and control the access to host systems and
applications via communications links.applications via communications links.
To achieve this, each entity trying to gain access must first be identified, orTo achieve this, each entity trying to gain access must first be identified, or
authenticated, so that access rights can be tailored to the individual.authenticated, so that access rights can be tailored to the individual.
OROR
Access ControlAccess Control
Access control provides protection against unauthorized access to data.Access control provides protection against unauthorized access to data.
The term access in this definition is very broad and can involve reading, writing,The term access in this definition is very broad and can involve reading, writing,
modifying, executing programs and so on.modifying, executing programs and so on.
NETWORK NETWORK SECURITY SECURITY 10EC83210EC832
Dept. Dept. of of ECE, ECE, BGSIT, BGSIT, BG BG Nagara, Nagara, Mandya Mandya Page Page 44
Table 1: Security Services (X.800)Table 1: Security Services (X.800)
NETWORK NETWORK SECURITY SECURITY 10EC83210EC832
Dept. Dept. of of ECE, ECE, BGSIT, BGSIT, BG BG Nagara, Nagara, Mandya Mandya Page Page 55
1.3. Data Confidentiality1.3. Data Confidentiality
Confidentiality is the protection of transmitted data from passive attacks. With respectConfidentiality is the protection of transmitted data from passive attacks. With respect
to the content of a data transmission, several levels of protection can be identified.to the content of a data transmission, several levels of protection can be identified.
The broadest service protects all user data transmitted between two users over aThe broadest service protects all user data transmitted between two users over a
period of time. period of time.
Narrower Narrower forms forms of of this this service service can can also also be be defined, defined, including including the the protection protection of of aa
single message or even specific fields within a message.single message or even specific fields within a message.
The other aspect of confidentiality is the protection of traffic flow from analysis. ThisThe other aspect of confidentiality is the protection of traffic flow from analysis. This
requires that an attacker not be able to observe the source and destination, frequency,requires that an attacker not be able to observe the source and destination, frequency,
length, or other characteristics of the traffic on a communications facility.length, or other characteristics of the traffic on a communications facility.
OROR
Data ConfidentialityData Confidentiality
Data confidentiality is designed to protect data from disclosure attack.Data confidentiality is designed to protect data from disclosure attack.
The service as defined by X.800 is very broad and encompasses confidentiality of theThe service as defined by X.800 is very broad and encompasses confidentiality of the
whole message or part of a message and also protection against traffic analysis.whole message or part of a message and also protection against traffic analysis.
That is, it is designed to prevent snooping and traffic analThat is, it is designed to prevent snooping and traffic analysis attack.ysis attack.
1.4. Data Integrity1.4. Data Integrity
Data integrity is designed to protect data from modification, insertion, depletion andData integrity is designed to protect data from modification, insertion, depletion and
replying by an adversary. It may protect the whole message or part of replying by an adversary. It may protect the whole message or part of the message.the message.
As with confidentiality, integrity can apply to a stream of messages, a single message,As with confidentiality, integrity can apply to a stream of messages, a single message,
or selected fields within a message.or selected fields within a message.
A connection-oriented integrity service, one that deals with a stream of messages,A connection-oriented integrity service, one that deals with a stream of messages,
assures that messages are received as sent with no duplication, insertion, modification,assures that messages are received as sent with no duplication, insertion, modification,
reordering, or replays.reordering, or replays.
The connection-oriented integrity service addresses both message stream modificationThe connection-oriented integrity service addresses both message stream modification
and denial of service.and denial of service.
a connectionless integrity service, one that deals with individual messages withouta connectionless integrity service, one that deals with individual messages without
regard to any larger context, generally provides protection against messageregard to any larger context, generally provides protection against message
modification only.modification only.
We can make a distinction between service with and without recovery. Because theWe can make a distinction between service with and without recovery. Because the
integrity service relates to active attacks, we are concerned with detection rather thanintegrity service relates to active attacks, we are concerned with detection rather than
prevention. prevention.
NETWORK NETWORK SECURITY SECURITY 10EC83210EC832
Dept. Dept. of of ECE, ECE, BGSIT, BGSIT, BG BG Nagara, Nagara, Mandya Mandya Page Page 66
If a violation of integrity is detected, then the service may simply report this violation,If a violation of integrity is detected, then the service may simply report this violation,
and some other portion of software or human intervention is required to recover fromand some other portion of software or human intervention is required to recover from
the violation.the violation.
Alternatively there are mechanisms available to recover from the loss of integrity ofAlternatively there are mechanisms available to recover from the loss of integrity of
data as we will review subsequently.data as we will review subsequently.
The incorporation of automated recovery mechanisms is, in general, the moreThe incorporation of automated recovery mechanisms is, in general, the more
attractive alternative.attractive alternative.
1.5 Nonrepudiation1.5 Nonrepudiation
Nonrepudiation Nonrepudiation prevents prevents either either sender sender or or receiver receiver from from denying denying a a transmittedtransmitted
message.message.
Thus, when a message is sent, the receiver can prove that the alleged sender in factThus, when a message is sent, the receiver can prove that the alleged sender in fact
sent the message. Similarly, when a message is received, the sender can prove that thesent the message. Similarly, when a message is received, the sender can prove that the
alleged receiver in fact received the message.alleged receiver in fact received the message.
OROR
NonrepudiationNonrepudiation
Nonrepudiation Nonrepudiation service service protects protects against against repudiation repudiation by by either either the the sender sender or or thethe
receiver of the data.receiver of the data.
In Nonrepudiation with proof of the origin, the receiver of the data can later prove theIn Nonrepudiation with proof of the origin, the receiver of the data can later prove the
identity of the sender if denied.identity of the sender if denied.
In Nonrepudiation with proof of delivery, the sender of data can later prove that dataIn Nonrepudiation with proof of delivery, the sender of data can later prove that data
were delivered to the intended recipient.were delivered to the intended recipient.
NETWORK NETWORK SECURITY SECURITY 10EC83210EC832
Dept. Dept. of of ECE, ECE, BGSIT, BGSIT, BG BG Nagara, Nagara, Mandya Mandya Page Page 77
2 SECURITY MECHANISMS2 SECURITY MECHANISMS [DEC-2011(8M)][DEC-2011(8M)]
Table 2 lists the security mechanisms. The mechanisms are divided into those that areTable 2 lists the security mechanisms. The mechanisms are divided into those that are
implemented in a specific protocol layer, such as TCP or an application-layer protocol, andimplemented in a specific protocol layer, such as TCP or an application-layer protocol, and
those that are not specific to any particular protocol layer or security service.those that are not specific to any particular protocol layer or security service.
Table 2: Security mechanismsTable 2: Security mechanisms
NETWORK NETWORK SECURITY SECURITY 10EC83210EC832
Dept. Dept. of of ECE, ECE, BGSIT, BGSIT, BG BG Nagara, Nagara, Mandya Mandya Page Page 88
MechanismMechanism
Service Enciph-Service Enciph-
ermenterment
DigitalDigital
signaturesignature
AccessAccess
controlcontrol
DataData
integrityintegrity
AuthenticationAuthentication
exchangeexchange
TrafficTraffic
paddingpadding
RoutingRouting
controlcontrol
NotarizationNotarization
Peer entity authenticationPeer entity authentication Y Y Y Y YYData origin authenticationData origin authentication Y Y YYAccess controlAccess control YYConfidentialityConfidentiality Y Y YYTraffic flowTraffic flow
confidentiallyconfidentiallyY Y Y Y YY
Data integrityData integrity Y Y Y Y YY Nonrepudiation Nonrepudiation Y Y Y Y YYAvailabilityAvailability Y Y YY
Table 3: Relationships between Security Services and MechanismsTable 3: Relationships between Security Services and Mechanisms
3 SECURITY ATTACKS3 SECURITY ATTACKS [JUNE-2010(6M), DEC-2011(8M), JULY-2011(8M), JUNE-[JUNE-2010(6M), DEC-2011(8M), JULY-2011(8M), JUNE-
2012(10M), DEC-2012(4M), JULY-2013(4M), JULY-2015(6M), JULY-2017(10M)]2012(10M), DEC-2012(4M), JULY-2013(4M), JULY-2015(6M), JULY-2017(10M)]
A useful means of classifying security attacks is in terms of passive attacks and activeA useful means of classifying security attacks is in terms of passive attacks and active
attacks.attacks.
A passive attack attempts to learn or make use of information from the system butA passive attack attempts to learn or make use of information from the system but
does not affect system resources.does not affect system resources.
An active attack attempts to alter system resources or affect their operation.An active attack attempts to alter system resources or affect their operation.
3.1 Passive Attacks3.1 Passive Attacks
Passive attacks are in the Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions.nature of eavesdropping on, or monitoring of, transmissions.
The goal of the opponent is to obtain information that is being transmitted.The goal of the opponent is to obtain information that is being transmitted.
Two types of passive attacks are the release of message contents and traffic analysis.Two types of passive attacks are the release of message contents and traffic analysis.
TheThe release of message contentsrelease of message contents is easily understood (Figure 2(a)).A telephoneis easily understood (Figure 2(a)).A telephone
conversation, an electronic mail message, and a transferred file may containconversation, an electronic mail message, and a transferred file may contain
sensitive or confidential information. We would like to prevent an opponent fromsensitive or confidential information. We would like to prevent an opponent from
learning the contents of these transmissions.learning the contents of these transmissions.
A second type of passive attack,A second type of passive attack, traffic analysistraffic analysis, is subtler (Figure 2(b)). Suppose, is subtler (Figure 2(b)). Suppose
that we had a way of masking the contents of messages or other informationthat we had a way of masking the contents of messages or other information
traffic so that opponents, even if they captured the message, could not extract thetraffic so that opponents, even if they captured the message, could not extract the
information from the message. The common technique for masking contents isinformation from the message. The common technique for masking contents is
encryption. If we had encryption protection in place, an opponent might still beencryption. If we had encryption protection in place, an opponent might still be
able to observe the pattern of these messages. The opponent could determine theable to observe the pattern of these messages. The opponent could determine the
NETWORK NETWORK SECURITY SECURITY 10EC83210EC832
Dept. Dept. of of ECE, ECE, BGSIT, BGSIT, BG BG Nagara, Nagara, Mandya Mandya Page Page 99
location and identity of communicating hosts and could location and identity of communicating hosts and could observe the frequency andobserve the frequency and
length of messages being exchanged. This information might be useful in guessinglength of messages being exchanged. This information might be useful in guessing
the nature of the communication that was taking place.the nature of the communication that was taking place.
(a) (a) : : Release of Release of message contentsmessage contents
(b): Traffic analysis(b): Traffic analysis
Figure 2: Passive AttacksFigure 2: Passive Attacks