This chapter presents the following content: Outline of the course is discussed; topic roadmap & standards organizations; security concepts; X.800 security architecture; security attacks, services, mechanisms; models for network (access) security.
Data Security and Encryption (CSE348) Dr. Basit Raza Assistant Professor Comsats Institute of Information Technology, Islamabad Course Outline In this course we will follow the mentioned book Cryptography and Network Security”, 5th Edition by William Stallings The book is organized into seven parts: Course Outline Part One: Symmetric Ciphers: Provides a survey of symmetric encryption, including classical and modern algorithms. The emphasis is on the two most important algorithms, the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES).This part also covers the most important stream encryption algorithm,RC4,and the important topic of pseudorandom number generation Course Outline Part Two: Asymmetric Ciphers: Provides a survey of publickey algorithms, including RSA (RivestShamirAdelman) and elliptic curve Course Outline Part Three: Cryptographic Data Integrity Algorithms: Begins with a survey of cryptographic hash functions. This part then covers two approaches to data integrity that rely on cryptographic hash functions: message authentication codes and digital signatures Course Outline Part Four: Mutual Trust: Covers key management and key distribution topics and then covers user authentication techniques Course Outline Part Five: Network Security and Internet Security: Examines the use of cryptographic algorithms and security protocols to provide security over networks and the Internet. Topics covered include transportlevel security, wireless network security, email security, and IP security Course Outline Part Six: System Security: Deals with security facilities designed to protect a computer system from security threats, including intruders, viruses, and worms. This part also looks at firewall technology Course Outline Part Seven: Legal and Ethical Issues: Deals with the legal and ethical issues related to computer and network security 10 Passive Attacks • A useful means of classifying security attacks, used both in X.800 and RFC 2828, is in terms of passive attacks and active attacks • A passive attack attempts to learn or make use of information from the system but does not affect system resources • Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. 66 Passive Attacks • Two types of passive attacks are: + release of message contents + traffic analysis monitor traffic flow to determine location and identity of communicating hosts and could observe the frequency and length of messages being exchanged 67 Active Attacks 68 Active Attacks • Active attacks involve some modification of the data stream or the creation of a false stream • can be subdivided into four categories: • masquerade of one entity as some other • replay previous messages • modify/alter (part of) messages in transit to produce an unauthorized effect • denial of service prevents or inhibits the normal use or management of communications facilities 69 Active Attacks • Active attacks present the opposite characteristics of passive attacks. • Whereas passive attacks are difficult to detect, measures are available to prevent their success. • Quite difficult to prevent active attacks absolutely, because of the wide variety of potential physical, software, and network vulnerabilities • Instead, the goal is to detect active attacks and to recover from any disruption/or delays caused by them 70 Security Service – enhance security of data processing systems and information transfers of an organization – intended to counter security attacks – using one or more security mechanisms – often replicates functions normally associated with physical documents • which, for example, have signatures, dates; need protection from disclosure, tampering, or destruction; be notarized or witnessed; be recorded or licensed 71 Security Services • X.800: “a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers” • RFC 2828: “a processing or communication service provided by a system to give a specific kind of protection to system resources” 72 Security Services (X.800) • Authentication assurance that communicating entity is the one claimed – have both peerentity & data origin authentication • Access Control prevention of the unauthorized use of a resource • Data Confidentiality –protection of data from unauthorized disclosure • Data Integrity assurance that data received is as sent by an authorized entity • NonRepudiation protection against denial by one of the parties in a communication • Availability – resource accessible/usable 73 Security Mechanism • feature designed to detect, prevent, or recover from a security attack • no single mechanism that will support all services required • however one particular element underlies many of the security mechanisms in use: – cryptographic techniques • hence our focus on this topic 74 Security Mechanisms (X.800) • specific security mechanisms: – encipherment, digital signatures, access controls, data integrity, authentication exchange, traffic padding, routing control, notarization • pervasive security mechanisms: – trusted functionality, security labels, event detection, security audit trails, security recovery 75 Model for Network Security 76 Model for Network Security • using this model requires us to: design a suitable algorithm for the security transformation generate the secret information (keys) used by the algorithm develop methods to distribute and share the secret information specify a protocol enabling the principals to use the transformation and secret information for a security service 77 Model for Network Access Security 78 Model for Network Access Security • using this model requires us to: select appropriate gatekeeper functions to identify users implement security controls to ensure only authorised users access designated information or resources 79 Summary • Outline of the course is discussed • topic roadmap & standards organizations • security concepts: – confidentiality, integrity, availability • X.800 security architecture • security attacks, services, mechanisms • models for network (access) security 80 ... Reading and Web Sites 2.7 Key Terms and Review Questions 12 Course Outline Chapter Block Ciphers and the Data Encryption Standard 3.1 Block Cipher Principles 3.2 The Data Encryption Standard (DES)... Course Outline Chapter Overview 1.1 Computer Security Concepts 1.2 The OSI Security Architecture 1.3 Security Attacks 1.4 Security Services 1.5 Security Mechanisms 1.6 A Model for Network Security. .. covered include transportlevel? ?security, wireless network? ?security, email? ?security, ? ?and? ?IP? ?security Course Outline Part Six: System? ?Security: Deals with? ?security? ?facilities designed to protect a computer system from? ?security? ?threats, including