Professional Documents
Culture Documents
Module 1-Introduction: No. Detailed Contents Hrs
Module 1-Introduction: No. Detailed Contents Hrs
01 1 Introduction : 03
Introduction to Information Security,
principles, services and attacks,
functional requirements of security,
current trends in security
Security Attacks
Action compromises the information security
Could be passive or active attacks
Security Services
Actions that can prevent, detect such attacks.
Such as authentication, identification, encryption,
signature, secret sharing and so on.
Security mechanism
The ways to provide such services
Detect, prevent and recover from a security attack
Security Attack
Any action that compromises the security of
information owned by an organization
Information security is about how to prevent
attacks, or failing that, to detect attacks on
information-based systems
often threat & attack used to mean same thing
have a wide range of attacks
can focus of generic types of attacks
passive
active
General View Attack
Criminal Attack: Fraud, Scam, Destruction,
Identity Theft, Intellectual Property Theft,
Brand Theft
Publicity Attack
Legal Attack
Accidental Attack
Technical View
Theoretical Approach :
Interception -> Context of confidentiality
Fabrication -> Context of Authentication
Modification -> Context of Integrity
Interruption -> Context of Availability
Attacks
Passive attacks
Interception
Release of message contents
Traffic analysis
Active attacks
Interruption, modification, fabrication
Masquerade
Replay
Modification
Denial of service
Passive Attacks
“Interception causes
loss of message
Confidentiality”
c ep tion
Inter
Active Attacks
Interruption
Modification
Fabrication
Information Transferring
Attack: Interruption
Wiring, eavesdrop
Attack: Modification
Replaced info
intercept
Attack: Fabrication
Ali: this is …
Ali: this is …
Attacks, Services and Mechanisms
Security Attacks
Action compromises the information security
Could be passive or active attacks
Security Services
Actions that can prevent, detect such attacks.
Such as authentication, identification, encryption, signature,
secret sharing and so on.
Security mechanism
The ways to provide such services
Detect, prevent and recover from a security attack
Important Services of Security
Confidentiality, also known as secrecy:
only an authorized recipient should be able to extract
the contents of the message from its encrypted form.
Otherwise, it should not be possible to obtain any
significant information about the message contents.
Integrity:
the recipient should be able to determine if the
message has been altered during transmission.
Important Services of security
Authentication:
the recipient should be able to identify the sender, and
verify that the purported sender actually did send the
message.
Non-repudiation:
the sender should not be able to deny sending the
message.
Access Control:
prevention of the unauthorized use of a resource
Availability: Use authentication and encryption
Security Services
X.800:
“a service provided by a protocol layer of communicating
open systems, which ensures adequate security of the
systems or of data transfers”
RFC 2828:
“a processing or communication service provided by a
system to give a specific kind of protection to system
resources”
Security Mechanism
Feature designed to detect, prevent, or
recover from a security attack
No single mechanism that will support all
services required
However one particular element underlies
many of the security mechanisms in use:
cryptographic techniques
Security Mechanisms (X.800)
specific security mechanisms:
encipherment, digital signatures, access controls,
data integrity, authentication exchange, traffic
padding, routing control, notarization
Principal Principal
(sender) (receiver)
Security Security
transformation transformation
attacker
Model for Network Security
using this model requires us to:
1. design a suitable algorithm for the security
transformation
2. generate the secret information (keys) used by
the algorithm
3. develop methods to distribute and share the
secret information
4. specify a protocol enabling the principals to use
the transformation and secret information for a
security service
Model for Network Access
Security
Model for Network Access
Security
using this model requires us to:
1. select appropriate gatekeeper functions
to identify users
2. implement security controls to ensure
only authorised users access designated
information or resources
trusted computer systems may be
useful to help implement this model
Good Enough Security