Lecture 1
Introduction to Computer Security
By
Ritwik M
Assistant Professor(SrGr)
Dept. Of Computer Science & Engg.
Sources: Stallings William, Cryptography and Network Security: Principles and Practice, 7th Edition, Pearson/Prentice-Hall, 2018; the internet. All images from Google Images.
What is security?
• System correctness
  • If user supplies expected input, system generates desired output
  • Good input: good output
  • More features: better
• Security
  • If attacker supplies unexpected input, system does not fail in certain ways
  • Bad input: bad or unexpected output
  • More features: can be worse
19CSE311 Ritwik M
What is Computer Security?
Why Computer Security?
The worldwide information security market is forecast to reach $170.4 billion in 2022.
• Sources:
  • Cybersecurity Ventures, Ninth Annual Cost of Cybercrime Study, Gartner
Security Goals
• Confidentiality
• Integrity
• Availability
These three concepts form what is often referred to as the CIA triad.
Security Goals - Confidentiality
• Data confidentiality
  • Assures that private or confidential information is not made available or disclosed to unauthorized individuals
• Privacy
  • Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
Security Goals - Integrity
• Data Integrity
  • Assures that information (both stored and in transmitted packets) and programs are changed only in a specified and authorized manner.
• System Integrity
  • Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
Security Goals - Availability
• Data/service Availability
  • Assures that systems work promptly and service is not denied to authorized users.
CIA Triad - Summary
• Confidentiality
  • Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
  • A loss of confidentiality is the unauthorized disclosure of information.
• Integrity
  • Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity.
  • A loss of integrity is the unauthorized modification or destruction of information.
• Data/service Availability
  • Ensuring timely and reliable access to and use of information.
  • A loss of availability is the disruption of access to or use of information or an information system.
CIA Triad – An Update
• Authenticity
  • The property of being genuine and being able to be verified and trusted.
  • Confidence in the validity of a transmission, a message, or message originator
• Accountability
  • The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.
  • Systems must keep records of their activities to permit later forensic analysis to trace security breaches or to aid in transaction disputes.
Computer Security Challenges
Some important terminology
• Security Attack
  • Any action that compromises the security of information owned by an organization.
• Security Mechanism
  • A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack.
• Security Service
  • A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization.
  • The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.
• Threat
  • A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
  • i.e., a threat is a possible danger that might exploit a vulnerability.
• Attack
  • An assault on system security that derives from an intelligent threat
  • i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system
Some important terminology Cont.
• Vulnerability
  • A weakness in a security system.
• Controls
  • Means and ways to block a threat, which tries to exploit one or more vulnerabilities.
• Encryption
  • A method for transforming data/information into an unintelligible format.
  • Cipher text – Encrypted data
  • Plain text – information that can be directly read by humans or a machine
  • Key – a secret value used by algorithms to encrypt/decrypt text
• Decryption
  • A method for transforming data from an unintelligible format to readable text.
• Cryptology
  • The science concerned with data communication and storage in secure and usually secret form
  • Cryptography – Apply mathematical principles for security
  • Cryptanalysis – The process of finding weakness in cryptographic schemes
• Cryptosystem
  • An implementation of cryptographic techniques and their accompanying infrastructure to provide a particular security service
Aspects of Security
• Security Attack
• Security Mechanism
• Security Service
Security Attacks
• Passive
  • Types
    • Release of message contents
    • Traffic Analysis
  • Difficult to detect
  • Does not involve any alteration of data
• Active
  • Involve some modification of the data stream or the creation of a false stream
  • Types
    • Masquerade - takes place when one entity pretends to be a different entity
    • Replay - involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
    • Modification of data/messages - some portion of a legitimate message is altered
    • Denial of service - prevents or inhibits the normal use or management of communications facilities
Security Services
Security Services - Summary
Security Mechanisms
Security Mechanisms - Summary
Key Concepts in Security - Summary
Relation between security services and security mechanisms
Implementing security mechanisms
• Cryptography
  • Symmetric-Key Encipherment
    • AKA secret-key encipherment or secret-key cryptography
    • A single key is used for both encryption & decryption
  • Asymmetric-Key Encipherment
    • AKA public-key encipherment or public-key cryptography
    • Two keys (one public and one private) are used for encryption & decryption
  • Hashing
    • A fixed-length message digest is created out of a variable-length message.
    • Used to provide check-values that validate data integrity.
• Steganography
  • Concealing the message itself by covering it with something else (more text, images, audio, video, etc.)
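An added example (not from the lecture or from Stallings) connecting the hashing and secret-key bullets above to the active attacks listed earlier: a keyed hash plus a sequence number lets a receiver reject modified, masqueraded and replayed messages. HMAC-SHA256 is the keyed hash chosen here; the frame layout, the sample key and the names `protect` and `Receiver` are assumptions made for illustration.

```python
import hashlib
import hmac

DIGEST_LEN = hashlib.sha256().digest_size  # fixed 32 bytes for any message length


def protect(key: bytes, seq: int, message: bytes) -> bytes:
    """Sender: frame = 8-byte sequence number || message || HMAC-SHA256 tag."""
    header = seq.to_bytes(8, "big")
    tag = hmac.new(key, header + message, hashlib.sha256).digest()
    return header + message + tag


class Receiver:
    """Verifies frames and remembers the highest sequence number accepted."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes) -> bytes:
        if len(frame) < 8 + DIGEST_LEN:
            raise ValueError("truncated frame")
        header, message, tag = frame[:8], frame[8:-DIGEST_LEN], frame[-DIGEST_LEN:]
        expected = hmac.new(self.key, header + message, hashlib.sha256).digest()
        # Constant-time comparison. A mismatch means the frame was altered
        # (modification) or built without the shared key (masquerade).
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        seq = int.from_bytes(header, "big")
        if seq <= self.last_seq:  # valid tag but already seen: replay
            raise ValueError("replayed frame")
        self.last_seq = seq
        return message


def demo() -> dict:
    key = b"constructed-demo-key-32-bytes!!!"  # constructed sample key
    rx = Receiver(key)
    frame = protect(key, 1, b"transfer 100 to account 42")
    results = {"genuine": rx.accept(frame)}
    # Constructed test frames: altered body with the old tag, and a wrong key.
    modified = frame[:8] + b"transfer 900 to account 42" + frame[-DIGEST_LEN:]
    wrong_key = protect(b"some-other-key", 2, b"transfer 100 to account 42")
    for name, candidate in (("modified", modified), ("masquerade", wrong_key), ("replay", frame)):
        try:
            rx.accept(candidate)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results
```

An unkeyed digest alone only catches accidental changes, because anyone who alters the message can recompute it; the shared key is what ties the check-value to the sender.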
Summary
Exercises
• With any real-world case study:
  • Identify 5 passive and 5 active attacks
  • List and define five security services used in the case study
• Define the three security goals.
• Give examples for each of the Security mechanisms discussed in the lecture.
• An organization wants protection against passive attacks. As their security head, which security services would you recommend? Justify your answer.
Assignment
• Explore, write (using pen & paper) & submit a 2-page report on the following topics.
  1. Malicious code
     • (i.e.) Virus, Worms, Trojans, Spyware, Adware, Clickware, Logic bomb, etc.
  2. Intruders
  3. Error detection
  4. Error correction
Up Next..