Chapter Two

Number Theory and Cryptography

Computer Networks and Information Security

(SE3052)

1 Compiled by Alemu w., (awcourseapp@gmail.com) , 26

October 2015
 Objectives

Overview on Security polices, Attacks, services and mechanisms

Security attacks and security attack types: Active and passive

Attacks

Security services and security service types

Security Mechanisms and security Mechanism types.

A model for Internetwork Security

Other network security considerations

2
 A Model for Internetwork Security
 While computer systems today have some of the best security systems ever, they are
more vulnerable than ever before.
 Computer and network security comes in many forms, including encryption
algorithms, access to facilities, digital signatures, and using fingerprints and face
scans as passwords.
 The OSI security architecture provides a systematic frame work for defining
security attacks, mechanisms and services.
The OSI security architecture focuses on security attacks, mechanisms and services.
 Security attack:- Any action that compromises the security of information owned
by an organization.
 Security mechanism:- A process (or a device incorporating such a process) that is
designed to detect, prevent, or recover from a security attack.
 Security service:- A processing or communication service that enhances the
security of the data processing systems and the information transfers of an
3
organization. The services are intended to counter security attacks, and they
 Security attacks, Mechanisms and Services

 Security attack: any action that will compromise the security of

information.
 These attacks take many forms, but in most cases, they seek to obtain

sensitive information, destroy resources, or deny legitimate users access to

resources.

 Security mechanism:- is a mechanism that is designed to

detect , prevent, or recover from a security attack.

 Security services: A service that enhances the security of data

processing systems and information transfers.

4
 A security service makes use of one or more security mechanisms.
 Security Attacks
 Is an assault on system security- an intelligent act that is a deliberate
attempt to evade security services and violate the security policy of a
system.
Information Information
source destination

a) Normal flow

b) Interruption
c) Interception

d) Modification e) Fabrication
5
 Contd.

Interruption

 The system is destroyed or becomes unavailable

 This is an attack on availability.
 This could be a destruction of a piece of hardware or
cutting a communication line.
6
 Contd.

Interception

 Unauthorized party gets access to information

 This is an attack on confidentiality
• Overhearing, eavesdropping over a communication line
 The attacker could be a person or program.
• Eg. of this could be unauthorized copying of files.
7
 Contd.
Modification

 An unauthorized party gains access to information and also modifies

it.
 This is an attack on integrity of information.
 Modification of program or date files to operate or contain different
information.
 Corrupting transmitted data or tampering with it before it reaches its
8 destination
 Contd.

Fabrication

 An unauthorized party injects fabricated information into the

system.
 That is, Faking data as if it were created by a legitimate and
authentic party
 This is an attack on authenticity.
 Examples of this is insertion of spurious messages, addition of
9 records to a file etc.
 Attack Types

1. Passive attacks:- are the type of attacks which do not change

or modify the information flowing between the parties.
 This type of attacks are hard to detect since it does not involve
the other party or alter the data.
 The objective of the opponent is to obtain the information that is
being transmitted.
 Passive attacks attempt to learn or make use of information from
the system but don’t affect the system resources.
 This kind of attack can be prevented rather than detected.

10 Examples are Eavesdropping or monitoring of traffic.

 Passive Attack Types

A. Release of Message Content:- Messages, such as telephone

conversation, an e-mail, and transferred file, may contain sensitive or
confidential information.
 An opponent may get to know the contents of the message.

 Prevent the opponent from learning the contents of these transmission.

B. Traffic Analysis:- Analyzing or determining the location and identity

of hosts and paths to guess on the nature of communication that is/was

taking place.
 Here, the link traffic profile and information gathering is done by the

opponent.
11
Contd.

12
 Contd.

2. Active attacks:- are types of attacks which attempt to alter

system resources or affect their operation

 Are easier to detect since the information stream is altered and
involves the other party.

 Harder to prevent since no absolute protection is available

with the current buggy systems.

 Involves some modification of the data stream or creation of a

false stream.
13
 Active Attack Types

A. Masquerading:- The entity pretends to be a different entity.

 It usually includes one of the other forms

B. Replay:- involves the passive capture of a data unit and its subsequent

retransmission to produce an authorized effect.

 Passive capture of data, alter and then retransmit.

C. Modification of Message:- Means some portion of the legitimate message

is altered, or the messages are delayed or reordered, to produce an

authorized effect.

D. Denial of Service:- Prevents or inhibits the normal use or management

14 of communications facilities.
 Contd.

15
 Security Services

 A security service is the collection of mechanisms, procedures and

other controls that are implemented to help reduce the risk associated

with threat.

 For example, the identification and authentication service helps

reduce the risk of the unauthorized user threat.

 Some services provide protection from threats, while other services

provide for detection of the threat occurrence.

 An example of this would be a logging or monitoring service.

16
 Security Services Types

A. Confidentiality (privacy):- is the protection of transmitted

data from passive attacks.

 The other aspect of confidentiality is the protection of traffic
flow from analysis.
 The attacker will not be able to observe the source and
destination, frequency, length or other characteristics of the
traffic on a communications facility.

B. Integrity (has not been altered):- ensures that the

messages are received with no duplication, insertion,
17 modification, reordering or replays.
 Contd.
 Connection oriented service:- addresses DoS and modifications

(duplication, insertion, modification and reordering problems handled).

 Connectionless service:- deals with only individual messages and only

assures against modification. This is because it only deals with

individual packets.

C. Access Control:- This service controls who can have access to a

resource, under what conditions access can occur and what those
accessing the resources are allowed to do.

D. Non-repudiation:- Prevents either sender or receiver from denying a

transmitted message.
18
 Contd.

E. Authentication:- is the assurance that the communicating

entity is the one that it claims to be.

I. Peer Entity Authentication:- is used in association with a
logical connection to provide confidence in identity of the entities.
II. Data Origin Authentication:- In a connectionless transfer, it
provides assurance that the source of received data is as claimed

F. Audit:- Recording & analyses of participation, roles and actions in

information communication by relevant entities..

G. Availability:- having your data accessible and obtainable at all

times.
19
 Contd.
1. Confidentiality
Data Confidentiality
Traffic Confidentiality
Primary Services
2. Data Integrity
3. Authentication
Data Origin Authentication
Peer Authentication
4. Access Control
5. Non-Repudiation
Non-Repudiation of Origin
Non-Repudiation of Reception
6. Audit
7. Availability – an after-thought but increasingly important
20
 Security Mechanisms

1. Encipherment:- is the use of mathematical algorithms to transform data

into a form that is not readily intelligible.

2. Digital Signature:-  is a mathematical scheme for demonstrating the

authenticity of a digital message or document.

 A valid digital signature gives a recipient reason to believe that the message

was created by a known sender, and that it was not altered in transit.

3. Access Control:- a variety of mechanisms that enforce access rights

to resources.
21
 Contd.

4. Data Integrity:- a variety of mechanisms used to assure the integrity

of data unit or stream of data units.
5. Authentication Exchange:-  a mechanism intended to ensure the
identity of an entity by means of information exchange.

6. Traffic Padding:- The insertion of bits into gaps in a data stream to

frustrate traffic analysis attempt.

7. Routing Control:- Enables selection of particularly secure routes

from certain data & allows routing changes, especially when a
breach of security is suspended.

8. Notarization:- The use of a trusted 3rd party to assure certain

22 properties of a data exchange.
 Confidentiality
• Protection of information from disclosure to unauthorized entities
(organizations, people, machines, processes).
• Information includes data contents, size, existence, communication
characteristics, etc.

Service Types Protection Mechanisms

 Data Confidentiality / Disclosure  Data Encryption
Protection  Symmetric (Secret-Key)
 Connection Oriented  Asymmetric (Public-Key)
 Connectionless
 Selective Field
 Traffic Flow Confidentiality
 Origin Destination Association
 Message Size
 Transmission Patterns
23  Accompanied with Data Integrity
 Integrity
 Protection of data against creation, alteration, deletion,
duplication, re-ordering by unauthorized entities (organizations,
people, machines, processes).
 Integrity violation is always caused by active attacks.

Service Types Protection Mechanisms

Message Integrity Message Digests (Hashing)
Associated with Sequence Numbers
connectionless communication Nonce ID (Random Number)
Message Stream Integrity Time Stamps
Associated with
connection oriented
communication
24
 Authentication
• Communicating entities are provided with assurance & information
of relevant identities of communicating partners (people, machines,
processes).
• Personnel Authentication requires special attention.

Service Types Protection Mechanisms

 Data Origin Authentication  Password
 Associated with  Manual
Connectionless Communication  One-Time Password
 Peer Entity Authentication
 Key Sharing
 Associated with
 Manual
Connection Oriented Communication
 Symmetric Key (Tickets)
 Fundamental for access control
 Asymmetric Key (Certificates)
hence, confidentiality & integrity
 Challenge – Response
 Nonce Based
 Zero Knowledge Proof

25
 Access Control
Protection of information resources or services from access or use by unauthorized
entities (organizations, people, machines, processes).
 Privileges – rights to access or use resources or services
 Principles – entities own access control privileges
 Subjects – entities exercise access control privileges
 Objects / Targets – resources or services accessed/used by subjects
 Delegation – transfer of access control privileges among principals
 Authorization – transfer of access control privileges from principals to subjects

Service Types Protection Mechanisms

 Subject Based Typing
 Identity Based
 Role Based
 Enforcement Based Typing
 Mandatory Access Control
― Management Directed
 Discretionary Access Control ―
26 Resource Owner Directed
 Access Control Lists (ACLs)
 Object Based Specification
Ex.: UNIX File System
 Capabilities
 Subject Based Specification
 Issue Tickets/Certificates
 Non-Repudiation

 Protection against denial of participation by communicating

entities in all or part of a communication.

Service Types Protection Mechanisms

Non-Repudiation of Origin Notarization

Non-Repudiation of Reception 
Time Stamp
Digital Signature

27
 Audit

 Recording & analyses of participation, roles and actions in

information communication by relevant entities.

Service Types Protection Mechanisms

Intrusion Monitors / Sensors
Off-line Analysis
Common Intrusion Detection
(Computer Forensic)
Framework (CIDF)
On-line Analysis
Common Information Model
(Real-time Intrusion Detection)
(CIM)

28
 Service vs. Layer Mapping

29
Chapter Two
Number Theory and Cryptography

Computer Networks and Information Security

(SE3052)

30 Compiled by Alemu w., (awcourseapp@gmail.com) , 11

March 2021
 A Model for Network Security

31
 A Model for Network Security

32
 Design Issues in the Model

1. Design an algorithm for performing the security-related

transformation.
 The algorithm should be such that an opponent cannot defeat its

purpose.

2. Generate the secret information to be used with the algorithm.

3. Develop methods for the distribution and sharing of the secret

information.

4. Specify a protocol to be used by the two principles that makes

use of the security algorithm and the secret information to
achieve a particular security service.
33
 Other Considerations
1. Network Design Considerations
Designing for acceptable risk.

Use of network models with security (LAN/WAN more secure, Dedicated/non-

dedicated, segregation and isolation)

2. Host hardening
Firewalls, Packet filtering

3. Choice of network devices

Choice of routers and other hardware

Routing protocols

4. Intrusion detection systems (IDS)

Host based IDS

Network based IDS

34
 Network Penetration Attacks and Firewalls

Passed Packet Attack

Internet Packet
Firewall
Hardened
Client PC Internet

Attacker

Dropped
Packet

Hardened
Server Internal
Log File Corporate
Network
35
 Intrusion Detection System

1.
4. Alarm Intrusion Suspicious
Detection Packet
System
Network
Administrator 2. Suspicious
Packet Passed Internet

Attacker

3. Log
Packet

Hardened
Server
Log File Corporate Network

36
 Encryption for Confidentiality

Encrypted
Message
“100100110001”

Client PC Server
Bob Alice

“100100110001”

Attacker (Eve) intercepts

Original but cannot read Decrypted
Message Message
“Hello” “Hello”

37
 Impersonation and Authentication

I’m Bob

Prove it!
Client PC Attacker (Authenticate Yourself)
Server
Bob (Eve) Alice

38
 Secure Dialog System

Secure Dialog

Client PC
Automatically Handles Server
Bob
Negation of Security Options Alice
Authentication
Encryption
Integrity
Attacker cannot
read messages, alter
messages, or impersonate

39
 Hardening Host Computers
1. The Problem
 Computers installed out of the box have known vulnerabilities
 Not just Windows computers
 Hackers can take them over easily
 They must be hardened—a complex process that involves many actions
2. Elements of Hardening
 Physical security
 Secure installation and configuration
 Fix known vulnerabilities
 Turn off unnecessary services (applications)
 Harden all remaining applications
 Manage users and groups
 Manage access permissions
 For individual files and directories, assign access permissions specific users and
groups
 Back up the server regularly
40
 Advanced protections