Chap. 1: Introduction

Transcription

1 Chap. 1: Introduction Introduction Services, Mechanisms, and Attacks The OSI Security Architecture Cryptography 1 1 Introduction Computer Security the generic name for the collection of tools designed to protect data and to thwart hackers Network Security protect data during their transmission In fact, there is no clear boundaries between these two forms of security This course focuses on internet security consists of measures to deter ( ), prevent ( ), detect ( ), and correct ( ) security violations that involve the transmission of information Cryptography 1 2

2 Examples of security violations Confidentiality the message transmitted from A to B was intercepted by an unauthorized user C Authentication user F transmits a message to E as if it had come from D Nonrepudiation F denies sending a message to E Integrity F intercepts the message transmitted from D to E, alters the contents and then forwards the message to E Cryptography 1 3 Attacks, Services, and Mechanisms Security Attack any action that compromises the security of information Security Mechanism designed to detect, prevent, or recover from a security attack Security Service enhances the security of data processing system and the information transfers, uses one or more security mechanisms to counter security attacks Cryptography 1 4

3 Security Aspects Concerning Paper Document Paper documents typically have signatures and dates May need to be protected from disclosure, tampering, or destruction May be notarized or witnessed May be recorded licensed Cryptography 1 5 Security Aspects Concerning Electronic Document To provide electronic documents with the above functions is more challenging It is hard to discriminate between the original and its copies Alternation of bits in electronic documents leaves no physical trace The proof process of of a physical document depends on the physical characteristics of that document (e.g., handwritten signature or an embossed notary seal); whereas the proof of authenticity of an electronic document must be based on internal evidence present in the information itself. Cryptography 1 6

4 Classification of Security Services Confidentiality ensures that information in a computer system or transmitted information are accessible by authorized parties Authentication ensures that the origin of a message or electronic document is correctly identified Integrity ensures that only authorized parties are able to modify computer system assets and transmitted information, including writing, changing, changing status, deleting, creating, delaying, or replaying transmitted information Nonrepudiation neither the sender nor the receiver of a message be able to deny the transmission Access control access to information resources may be controlled by or for the target system Availability computer system assets be available to authorized parties when available Cryptography 1 7 Security Mechanisms No single mechanism will provide all the services required One that underlies most of the security mechanism is cryptographic mechanism See Table 1.2 for some examples of security attacks Cryptography 1 8

5 The OSI Security Architecture ITU-T Recommendation X.800, Security Architecture for OSI Defines a systematic way of defining and providing security requirements Focuses on security services, mechanisms, and attacks Cryptography 1 9 X.800 Security Services X.800 defines it as: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers RFC 2828 defines it as: a processing or communication service provided by a system to give a specific kind of protection to system resources Security services implement security polices, and are implemented by security mechanisms Security Polices Security Services Security Mechanisms Cryptography 1 10

6 X Security Services Categories Authentication assuring that the communicating entity is the one that it claims to be Peer entity authentication Data origin authentication Access control prevention of unauthorized use of a resource Confidentiality protection of data from unauthorized disclosure Data Integrity assures that data received are exactly as sent by an authorized entity (i.e., with no modification, insertion, deletion, or replays) Nonrepudiation prevents either sender or receiver from denying a transmitted message Cryptography 1 11 X.800 Security Mechanisms specific security mechanisms: Encipherment digital signatures access controls data integrity authentication exchange traffic padding routing control notarization pervasive security mechanisms: trusted functionality, security labels, event detection, security audit trails, security recovery Cryptography 1 12

7 X.800 Security Attacks Two types of attacks passive attack, active attack Passive attacks Eavesdropping on, or monitoring of, transmission The goal of an opponent is to obtain information being transmitted Two types of passive attacks Release of message contents Traffic analysis It is very difficult to detect passive attacks To prevent passive attack is usually by means of encryption Cryptography 1 13 X.800 Active Attacks Active attacks involves some modification of the data stream or the creation of a false stream Four categories of active attacks: Masquerade one entity pretends to be a different entity Replay the passive capture of a data unit and its subsequent retransmission to produce unauthorized effect Modification of Message some portion of a legitimate message is altered, or that messages are delayed, to produce unauthorized effect Denial of Service prevents or inhibits the normal use or management of communications facilities Cryptography 1 14

8 A Model for Network Security Sender Recipient Cryptography 1 15 A Model for Network Security (cont.) Four basic tasks in designing a particular security service: An algorithm for performing the security-related transformation Generate the secret information to be used with the algorithm Develop method for the distribution and sharing of the secret information Specify a protocol to be used by the two principals that make use of the security algorithm and the secret information to achieve a particular security service Cryptography 1 16

9 Network Access Security Model Cryptography 1 17 Network Access Security Model (cont.) Opponents Human (e.g., hackers) Software (e.g., virus, worm) Information access threats intercept or modify data on behalf of users who should not have access to the data Service threats exploit service flaws in computers to inhibit use by legitimate users Security mechanism Gatekeeper function includes password-based login procedure and screening logic internal controls monitor activity and analyze stored information Cryptography 1 18