VTU Network Security(10ec832) Unit-1 Notes - baixardoc

NETWORK SECURITY (10EC832)NETWORK SECURITY (10EC832)

8th8th SEMSEM E&CE&C

JAYANTHDWIJESH H PJAYANTHDWIJESH H P M.tech (DECS)M.tech (DECS)

Assistant ProfessorAssistant Professor – – Dept of E&CE Dept of E&CE

B.G.S INSTITUTE OF TECHNOLOGY (B.G.S.I.T)B.G.S INSTITUTE OF TECHNOLOGY (B.G.S.I.T)

B.G Nagara, Nagamangala Tq, Mandya District- 571448B.G Nagara, Nagamangala Tq, Mandya District- 571448

NETWORK NETWORK SECURITY SECURITY 10EC83210EC832

Dept. Dept. of of ECE, ECE, BGSIT, BGSIT, BG BG Nagara, Nagara, Mandya Mandya Page Page 11

NETWORK SECURITYNETWORK SECURITY

PART-APART-A

UNIT-1UNIT-1

UNIT - 1UNIT - 1

Services, mechanisms and attacks, The OSI security architecture, A model forServices, mechanisms and attacks, The OSI security architecture, A model for

network security.network security.

TEXT BOOK:TEXT BOOK:

1. Cryptography and Network Security, William Stal1. Cryptography and Network Security, William Stalling, Pearson Education, 2003.ling, Pearson Education, 2003.

REFERENCE BOOKS:REFERENCE BOOKS:

1. Cryptography and Network Security, Behrouz A. Forouzan, TMH, 2007.1. Cryptography and Network Security, Behrouz A. Forouzan, TMH, 2007.

2. Cryptography and Network Security, Atul Kahate, TMH, 2. Cryptography and Network Security, Atul Kahate, TMH, 2003.2003.



UNITUNIT – – 1: 1: Services, Mechanisms and Attacks, The OSI security architecture, A Model forServices, Mechanisms and Attacks, The OSI security architecture, A Model for

Network Security. Network Security.

OVERVIEWOVERVIEW

1. SECURITY SERVICES1. SECURITY SERVICES [DEC-2012(10M)][DEC-2012(10M)]

X.800 defines a security service as a service that is provided by a protocol layer ofX.800 defines a security service as a service that is provided by a protocol layer of

communicating open systems and that ensures adequate security of the systems or of datacommunicating open systems and that ensures adequate security of the systems or of data

transfers.transfers.

Also the RFC 2828(Internet Security Glossary version 2) defines security services as aAlso the RFC 2828(Internet Security Glossary version 2) defines security services as a

processing or processing or communication communication service service that that is is provided by provided by a a system system to to give a give a specific specific kind ofkind of

protection to system resources. protection to system resources.

X.800 divides these services into five categories and fourteen specific services. Shown in theX.800 divides these services into five categories and fourteen specific services. Shown in the

fig1 and table 1.fig1 and table 1.

Figure 1: Security servicesFigure 1: Security services

1.1. Authentication1.1. Authentication

The authentication service is concerned with assuring that a communication isThe authentication service is concerned with assuring that a communication is

authentic.authentic.

In the case of a single message, such as a warning or alarm signal, the function of theIn the case of a single message, such as a warning or alarm signal, the function of the

authentication service is to assure the recipient that the message is from the sourceauthentication service is to assure the recipient that the message is from the source

that it claims to be from.that it claims to be from.

In the case of an ongoing interaction, such as the connection of a terminal to a host,In the case of an ongoing interaction, such as the connection of a terminal to a host,

two aspects are involved.two aspects are involved.

First, at the time of connection initiation, the service assures that the twoFirst, at the time of connection initiation, the service assures that the two

entities are authentic, that is, that each is the entity that it claims to be.entities are authentic, that is, that each is the entity that it claims to be.

Second, the service must assure that the connection is not interfered with inSecond, the service must assure that the connection is not interfered with in

such a way that a third party can masquerade as one of the two legitimatesuch a way that a third party can masquerade as one of the two legitimate

parties for the purposes of unauthorized transmission or reception. parties for the purposes of unauthorized transmission or reception.



OROR

AuthenticationAuthentication

This service provides the authentication of the PartThis service provides the authentication of the Party at the other end of the line.y at the other end of the line.

In connectionIn connection – – oriented communication, it provides authentication of the sender ororiented communication, it provides authentication of the sender or

receiver during the connection establishment (peer entity authentication).receiver during the connection establishment (peer entity authentication).

In connectionless communication, it authenticates of the data (data originIn connectionless communication, it authenticates of the data (data origin

authentication).authentication).

Two specific authentication services are Two specific authentication services are defined in X.800:defined in X.800:

a. Peer entity authentication:a. Peer entity authentication:

Provides for the corroboration of the identity of a peer entitProvides for the corroboration of the identity of a peer entity in an association.y in an association.

Peer entity authentication is provided for use at the establishment of, or at timesPeer entity authentication is provided for use at the establishment of, or at times

during the data transfer phase of, a connection.during the data transfer phase of, a connection.

It attempts to provide confidence that an entity is not performing either a masqueradeIt attempts to provide confidence that an entity is not performing either a masquerade

or an unauthorized replay of a previous connection.or an unauthorized replay of a previous connection.

b. Data origin b. Data origin authenticatauthentication:ion:

Provides for the corroboration of the source of a data unit.Provides for the corroboration of the source of a data unit.

It does not provide protection against the duplication or modification of data units.It does not provide protection against the duplication or modification of data units.

This type of service supports applications like electronic mail, where there are noThis type of service supports applications like electronic mail, where there are no

prior interactions between the communicating entities. prior interactions between the communicating entities.

1.2. Access Control1.2. Access Control

Access control is the ability to limit and control the access to host systems andAccess control is the ability to limit and control the access to host systems and

applications via communications links.applications via communications links.

To achieve this, each entity trying to gain access must first be identified, orTo achieve this, each entity trying to gain access must first be identified, or

authenticated, so that access rights can be tailored to the individual.authenticated, so that access rights can be tailored to the individual.

OROR

Access ControlAccess Control

Access control provides protection against unauthorized access to data.Access control provides protection against unauthorized access to data.

The term access in this definition is very broad and can involve reading, writing,The term access in this definition is very broad and can involve reading, writing,

modifying, executing programs and so on.modifying, executing programs and so on.



Table 1: Security Services (X.800)Table 1: Security Services (X.800)



1.3. Data Confidentiality1.3. Data Confidentiality

Confidentiality is the protection of transmitted data from passive attacks. With respectConfidentiality is the protection of transmitted data from passive attacks. With respect

to the content of a data transmission, several levels of protection can be identified.to the content of a data transmission, several levels of protection can be identified.

The broadest service protects all user data transmitted between two users over aThe broadest service protects all user data transmitted between two users over a

period of time. period of time.

Narrower Narrower forms forms of of this this service service can can also also be be defined, defined, including including the the protection protection of of aa

single message or even specific fields within a message.single message or even specific fields within a message.

The other aspect of confidentiality is the protection of traffic flow from analysis. ThisThe other aspect of confidentiality is the protection of traffic flow from analysis. This

requires that an attacker not be able to observe the source and destination, frequency,requires that an attacker not be able to observe the source and destination, frequency,

length, or other characteristics of the traffic on a communications facility.length, or other characteristics of the traffic on a communications facility.

OROR

Data ConfidentialityData Confidentiality

Data confidentiality is designed to protect data from disclosure attack.Data confidentiality is designed to protect data from disclosure attack.

The service as defined by X.800 is very broad and encompasses confidentiality of theThe service as defined by X.800 is very broad and encompasses confidentiality of the

whole message or part of a message and also protection against traffic analysis.whole message or part of a message and also protection against traffic analysis.

That is, it is designed to prevent snooping and traffic analThat is, it is designed to prevent snooping and traffic analysis attack.ysis attack.

1.4. Data Integrity1.4. Data Integrity

Data integrity is designed to protect data from modification, insertion, depletion andData integrity is designed to protect data from modification, insertion, depletion and

replying by an adversary. It may protect the whole message or part of replying by an adversary. It may protect the whole message or part of the message.the message.

As with confidentiality, integrity can apply to a stream of messages, a single message,As with confidentiality, integrity can apply to a stream of messages, a single message,

or selected fields within a message.or selected fields within a message.

A connection-oriented integrity service, one that deals with a stream of messages,A connection-oriented integrity service, one that deals with a stream of messages,

assures that messages are received as sent with no duplication, insertion, modification,assures that messages are received as sent with no duplication, insertion, modification,

reordering, or replays.reordering, or replays.

The connection-oriented integrity service addresses both message stream modificationThe connection-oriented integrity service addresses both message stream modification

and denial of service.and denial of service.

a connectionless integrity service, one that deals with individual messages withouta connectionless integrity service, one that deals with individual messages without

regard to any larger context, generally provides protection against messageregard to any larger context, generally provides protection against message

modification only.modification only.

We can make a distinction between service with and without recovery. Because theWe can make a distinction between service with and without recovery. Because the

integrity service relates to active attacks, we are concerned with detection rather thanintegrity service relates to active attacks, we are concerned with detection rather than

prevention. prevention.



If a violation of integrity is detected, then the service may simply report this violation,If a violation of integrity is detected, then the service may simply report this violation,

and some other portion of software or human intervention is required to recover fromand some other portion of software or human intervention is required to recover from

the violation.the violation.

Alternatively there are mechanisms available to recover from the loss of integrity ofAlternatively there are mechanisms available to recover from the loss of integrity of

data as we will review subsequently.data as we will review subsequently.

The incorporation of automated recovery mechanisms is, in general, the moreThe incorporation of automated recovery mechanisms is, in general, the more

attractive alternative.attractive alternative.

1.5 Nonrepudiation1.5 Nonrepudiation

Nonrepudiation Nonrepudiation prevents prevents either either sender sender or or receiver receiver from from denying denying a a transmittedtransmitted

message.message.

Thus, when a message is sent, the receiver can prove that the alleged sender in factThus, when a message is sent, the receiver can prove that the alleged sender in fact

sent the message. Similarly, when a message is received, the sender can prove that thesent the message. Similarly, when a message is received, the sender can prove that the

alleged receiver in fact received the message.alleged receiver in fact received the message.

OROR

NonrepudiationNonrepudiation

Nonrepudiation Nonrepudiation service service protects protects against against repudiation repudiation by by either either the the sender sender or or thethe

receiver of the data.receiver of the data.

In Nonrepudiation with proof of the origin, the receiver of the data can later prove theIn Nonrepudiation with proof of the origin, the receiver of the data can later prove the

identity of the sender if denied.identity of the sender if denied.

In Nonrepudiation with proof of delivery, the sender of data can later prove that dataIn Nonrepudiation with proof of delivery, the sender of data can later prove that data

were delivered to the intended recipient.were delivered to the intended recipient.



2 SECURITY MECHANISMS2 SECURITY MECHANISMS [DEC-2011(8M)][DEC-2011(8M)]

Table 2 lists the security mechanisms. The mechanisms are divided into those that areTable 2 lists the security mechanisms. The mechanisms are divided into those that are

implemented in a specific protocol layer, such as TCP or an application-layer protocol, andimplemented in a specific protocol layer, such as TCP or an application-layer protocol, and

those that are not specific to any particular protocol layer or security service.those that are not specific to any particular protocol layer or security service.

Table 2: Security mechanismsTable 2: Security mechanisms



MechanismMechanism

Service Enciph-Service Enciph-

ermenterment

DigitalDigital

signaturesignature

AccessAccess

controlcontrol

DataData

integrityintegrity

AuthenticationAuthentication

exchangeexchange

TrafficTraffic

paddingpadding

RoutingRouting

controlcontrol

NotarizationNotarization

Peer entity authenticationPeer entity authentication Y Y Y Y YYData origin authenticationData origin authentication Y Y YYAccess controlAccess control YYConfidentialityConfidentiality Y Y YYTraffic flowTraffic flow

confidentiallyconfidentiallyY Y Y Y YY

Data integrityData integrity Y Y Y Y YY Nonrepudiation Nonrepudiation Y Y Y Y YYAvailabilityAvailability Y Y YY

Table 3: Relationships between Security Services and MechanismsTable 3: Relationships between Security Services and Mechanisms

3 SECURITY ATTACKS3 SECURITY ATTACKS [JUNE-2010(6M), DEC-2011(8M), JULY-2011(8M), JUNE-[JUNE-2010(6M), DEC-2011(8M), JULY-2011(8M), JUNE-

2012(10M), DEC-2012(4M), JULY-2013(4M), JULY-2015(6M), JULY-2017(10M)]2012(10M), DEC-2012(4M), JULY-2013(4M), JULY-2015(6M), JULY-2017(10M)]

A useful means of classifying security attacks is in terms of passive attacks and activeA useful means of classifying security attacks is in terms of passive attacks and active

attacks.attacks.

A passive attack attempts to learn or make use of information from the system butA passive attack attempts to learn or make use of information from the system but

does not affect system resources.does not affect system resources.

An active attack attempts to alter system resources or affect their operation.An active attack attempts to alter system resources or affect their operation.

3.1 Passive Attacks3.1 Passive Attacks

Passive attacks are in the Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions.nature of eavesdropping on, or monitoring of, transmissions.

The goal of the opponent is to obtain information that is being transmitted.The goal of the opponent is to obtain information that is being transmitted.

Two types of passive attacks are the release of message contents and traffic analysis.Two types of passive attacks are the release of message contents and traffic analysis.

TheThe release of message contentsrelease of message contents is easily understood (Figure 2(a)).A telephoneis easily understood (Figure 2(a)).A telephone

conversation, an electronic mail message, and a transferred file may containconversation, an electronic mail message, and a transferred file may contain

sensitive or confidential information. We would like to prevent an opponent fromsensitive or confidential information. We would like to prevent an opponent from

learning the contents of these transmissions.learning the contents of these transmissions.

A second type of passive attack,A second type of passive attack, traffic analysistraffic analysis, is subtler (Figure 2(b)). Suppose, is subtler (Figure 2(b)). Suppose

that we had a way of masking the contents of messages or other informationthat we had a way of masking the contents of messages or other information

traffic so that opponents, even if they captured the message, could not extract thetraffic so that opponents, even if they captured the message, could not extract the

information from the message. The common technique for masking contents isinformation from the message. The common technique for masking contents is

encryption. If we had encryption protection in place, an opponent might still beencryption. If we had encryption protection in place, an opponent might still be

able to observe the pattern of these messages. The opponent could determine theable to observe the pattern of these messages. The opponent could determine the



location and identity of communicating hosts and could location and identity of communicating hosts and could observe the frequency andobserve the frequency and

length of messages being exchanged. This information might be useful in guessinglength of messages being exchanged. This information might be useful in guessing

the nature of the communication that was taking place.the nature of the communication that was taking place.

(a) (a) : : Release of Release of message contentsmessage contents

(b): Traffic analysis(b): Traffic analysis

Figure 2: Passive AttacksFigure 2: Passive Attacks

VTU Network Security(10ec832) Unit-1 Notes - baixardoc

Documents

Transcript of VTU Network Security(10ec832) Unit-1 Notes - baixardoc