19CSE311 :Computer Security

Lecture 1
Introduction to Computer
Security
By
Ritwik M
Assistant Professor(SrGr)
Dept. Of Computer Science & Engg.
Sources: Stallings William, Cryptography and Network Security: Principles and Practice, 7th Edition, Pearson/Prentice- Hall, 2018.; the internet, All images from google images
What is security?

• System correctness
• If user supplies expected input, system generates desired output
• Good Input Good Output
• More features : Better
• Security
• If attacker supplies unexpected input, system does not fail in certain
ways
• Bad input Bad or Unexpected Output
• More Features : Can be worse

19CSE311 Ritwik M
What is Computer Security?

• Measures and controls that ensure confidentiality, integrity, and

availability of the information processed and stored by a computer.
• Term has been replaced by the term “cybersecurity”.
• Source: Committee on National Security Systems Instruction (CNSSI 4009-2015)

19CSE311 Ritwik M
 Why Computer Security?

The worldwide information security market is forecast to reach $170.4 billion in 2022.
• Sources:
• Cybersecurity Ventures, Ninth Annual Cost of Cybercrime Study, Gartner

19CSE311 Ritwik M
Security Goals

• Confidentiality
• Integrity
• Availability

These three concepts form what is often referred to as the CIA triad.

19CSE311 Ritwik M
Security Goals - Confidentiality

• Data confidentiality
• Assures that private or confidential information is not made available or
disclosed to unauthorized individuals
• Privacy
• Assures that individuals control or influence what information related to
them may be collected and stored and by whom and to whom
that information may be disclosed.

19CSE311 Ritwik M
Security Goals - Integrity

• Data Integrity
• Assures that information (both stored and in transmitted packets) and
programs are changed only in a specified and authorized manner.
• System Integrity
• Assures that a system performs its intended function in an unimpaired
manner, free from deliberate or inadvertent unauthorized manipulation of
the system.

19CSE311 Ritwik M
Security Goals - Availability

• Data/service Availability
• Assures that systems work promptly and service is not denied
to authorized users.

19CSE311 Ritwik M
CIA Triad - Summary
• Confidentiality
• Preserving authorized restrictions on information access and disclosure,
including means for protecting personal privacy and proprietary information.
• A loss of confidentiality is the unauthorized disclosure of information.
• Integrity
• Guarding against improper information modification or destruction, including
ensuring information nonrepudiation and authenticity.
• A loss of integrity is the unauthorized modification or destruction of
information.
• Data/service Availability
• Ensuring timely and reliable access to and use of information.
• A loss of availability is the disruption of access to or use of information or
an information system.

19CSE311 Ritwik M
 CIA Triad – An Update
• Authenticity
• The property of being genuine and being
able to be verified and trusted.
• Confidence in the validity of a
transmission, a message, or
message originator
• Accountability
• The security goal that generates the
requirement for actions of an entity to be
traced uniquely to that entity.
• Systems must keep records of their
activities to permit later forensic analysis
to trace security breaches or to aid in
transaction disputes.

19CSE311 Ritwik M
Computer Security Challenges

• Security is not simple.

• Potential attacks on new features/algos need to be always considered.
• Balancing act between security and availability.
• Procedures used are counter-intuitive
• A battle of wits between attacker and defender.
• Requires regular/ constant monitoring.
• Security mechanisms typically involve more than a particular algorithm or protocol
• Companies perceive little benefit from security investment until a security failure occurs.
• Too often security is an afterthought.
• Often viewed as an impediment to efficient and user-friendly operation.

19CSE311 Ritwik M
 Some important terminology
• Security Attack
• Any action that compromises the security of information owned by an organization.
• Security Mechanism
• A process (or a device incorporating such a process) that is designed to detect, prevent, or
recover from a security attack.
• Security Service
• A processing or communication service that enhances the security of the data processing
systems and the information transfers of an organization.
• The services are intended to counter security attacks, and they make use of one or more
security mechanisms to provide the service.
• Threat
• A potential for violation of security, which exists when there is a circumstance, capability,
action, or event that could breach security and cause harm.
• I.e. A threat is a possible danger that might exploit a vulnerability.
• Attack
• An assault on system security that derives from an intelligent threat
• i.e. an intelligent act that is a deliberate attempt (especially in the sense of a method or
technique) to evade security services and violate the security policy of a system
19CSE311 Ritwik M
 Some important terminology Cont.
• Vulnerability
• A weakness in a security system.
• Controls
• Means and ways to block a threat, which tries to exploit one or more vulnerabilities.
• Encryption
• A method for transforming data/information into an unintelligible format.
• Cipher text – Encrypted data
• Plain text - information that can be directly read by humans or a machine
• Key – a secret value used by algorithms to encrypt/decrypt text
• Decryption
• A method for transforming data from an unintelligible format to readable text.
• Cryptology
• The science concerned with data communication and storage in secure and usually secret form
• Cryptography – Apply mathematical principles for security
• Cryptanalysis – The process of finding weakness in cryptographic schemes
• Cryptosystem :
• An implementation of cryptographic techniques and their accompanying infrastructure to provide a particular
security service

19CSE311 Ritwik M
Aspects of Security

• Security Attack
• Security Mechanism
• Security Service

19CSE311 Ritwik M
Security Attacks
• Passive
• Types
• Release of message contents
• Traffic Analysis
• Difficult to detect
• Does not involve any alteration of data
• Active
• Involve some modification of the data stream or the creation of a false stream
• Types
• Masquerade - takes place when one entity pretends to be a different entity
• Replay - involves the passive capture of a data unit and its subsequent retransmission to
produce an unauthorized effect
• Modification of data/messages - some portion of a legitimate message is altered
• Denial of service - prevents or inhibits the normal use or management of communications
facilities

19CSE311 Ritwik M
Security Services
• Authentication
• Peer Entity Authentication
• Data-Origin Authentication
• Access Control
• Data Confidentiality
• Connection Confidentiality
• Connectionless Confidentiality
• Selective-Field Confidentiality
• Traffic-Flow Confidentiality
• Data Integrity
• Connection Integrity with Recovery
• Connection Integrity without Recovery
• Selective-Field Connection Integrity
• Connectionless Integrity
• Selective-Field Connectionless Integrity
• Non Repudiation
• Nonrepudiation, Origin
• Nonrepudiation, Destination
• Availability Service
19CSE311 Ritwik M
 Security Services
- Summary

19CSE311 Ritwik M
 Security Mechanisms

• Specific Security Mechanisms • Pervasive Security Mechanisms

• Encipherment (I.e. crypto algos) • Trusted Functionality
• Digital Signature • Security Label
• Access Control • Event Detection
• Data Integrity • Security Audit Trail
• Authentication Exchange • Security Recovery
• Traffic Padding
• Routing Control
• Notarization

19CSE311 Ritwik M
 Security
Mechanisms -
Summary

19CSE311 Ritwik M
Key Concepts
in Security -
Summary

19CSE311 Ritwik M
Relation between security services and
security mechanisms

19CSE311 Ritwik M
Implementing security mechanisms
• Cryptography
• Symmetric-Key Encipherment
• AKA secret-key encipherment or secret-key cryptography
• A single key is used for both encryption & decryption
• Asymmetric-Key Encipherment
• AKA public-key encipherment or public-key cryptography
• Two keys (one public and one private) are used for encryption & decryption
• Hashing
• a fixed-length message digest is created out of a variable-length message.
• used to provide check-values that validate data integrity.
• Steganography
• concealing the message itself by covering it with something else (more text,
images, audio, video, etc.)

19CSE311 Ritwik M
Summary

• Definition and need for computer security

• Definition of various terms
• Security Goals
• Challenges/shortcomings
• Security Attacks
• Security Services
• Security Mechanisms
• Implementation Strategies
• Introduction to Cryptography

19CSE311 Ritwik M
Exercises
• With any real-world case study:
• Identify 5 passive and 5 active attacks
• List and define five security services used in the case study
• If user supplies expected input, system generates desired output
• Define the three security goals.
• Give examples for each of the Security mechanisms discussed in the
lecture.
• An organization wants protection against passive attacks. As their
security head, which security services would you recommend?
Justify your answer.

19CSE311 Ritwik M
Assignment
• Explore, write (using pen & paper) & submit a 2-page report on the
following topics.
1. Malicious code
• (i.e.) Virus, Worms, Trojans, Spyware, Adware, Clickware, Logic bomb, etc.
2. Intruders
3. Error detection
4. Error correction
Up Next..

Mathematical Foundations for Cryptography

19CSE311 Ritwik M