CHAPTER -1

INTRODUCTION

Computer data often travels from one computer to another, leaving the safety of its
protected physical surroundings. Once the data is out of hand, people with bad intention could
modify or forge your data, either for amusement or for their own benefit.
Cryptography can reformat and transform our data, making it safer on its trip between
computers. The technology is based on the essentials of secret codes, augmented by modern
mathematics that protects our data in powerful ways.

• Computer Security - generic name for the collection of tools designed to protect data and to
thwart hackers
• Network Security - measures to protect data during their transmission

• Internet Security - measures to protect data during their transmission over a collection of
interconnected networks

Security Attacks, Services and Mechanisms

To assess the security needs of an organization effectively, the manager responsible for
security needs some systematic way of defining the requirements for security and characterization
of approaches to satisfy those requirements. One approach is to consider three aspects of
information security:
Security attack – Any action that compromises the security of information owned by an
organization.
Security mechanism – A mechanism that is designed to detect, prevent or recover from a
security attack.
Security service – A service that enhances the security of the data processing systems and the
information transfers of an organization. The services are intended to counter security attacks and
they make use of one or more security mechanisms to provide the service.

SECURITY SERVICES
The classification of security services are as follows:
Confidentiality: Ensures that the information in a computer system a n d transmitted
information are accessible only for reading by authorized parties.
E.g. Printing, displaying and other forms of disclosure.
Authentication: Ensures that the origin of a message or electronic document is correctly
identified, with an assurance that the identity is not false.
Integrity: Ensures that only authorized parties are able to modify computer system assets and
transmitted information. Modification includes writing, changing status, deleting, creating and
delaying or replaying of transmitted messages.
Non repudiation: Requires that neither the sender nor the receiver of a message be able to deny the
transmission.
Access control: Requires that access to information resources may be controlled by or the target
system.
Availability: Requires that computer system assets be available to authorized parties when
needed.

SECURITY MECHANISMS
One of the most specific security mechanisms in use is cryptographic techniques. Encryption
or encryption-like transformations of information are the most common means of providing security.
Some of the mechanisms are
1 Encipherment

2 Digital Signature

3 Access Control

SECURITY ATTACKS
There are four general categories of attack which are listed below.

Interruption
An asset of the system is destroyed or becomes unavailable or unusable. This is an attack on
availability e.g., destruction of piece of hardware, cutting of a communication line or

Disabling of file management system.

Interception
An unauthorized party gains access to an asset. This is an attack on confidentiality.
Unauthorized party could be a person, a program or a
computer.e.g., wire tapping to capture data in the network, illicit copying of files

Sender Receiver

Eavesdropper or forger

Modification
An unauthorized party not only gains access to but tampers with an asset. This is an attack on
integrity. e.g., changing values in data file, altering a program, modifying the contents of

messages being transmitted in a network.

Sender Receiver

Eavesdropper or forger

Fabrication
An unauthorized party inserts counterfeit objects into the system. This is an attack on authenticity.
e.g., insertion of spurious message in a network or addition of records to a file.

Sender Receiver

Eavesdropper or forger
Cryptographic Attacks

Passive Attacks
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of
the opponent is to obtain information that is being transmitted. Passive
attacks are of two types:
Release of message contents: A telephone conversation, an e-mail message and a transferred file may
contain sensitive or confidential information. We would like to prevent the opponent from learning
the contents of these transmissions.
Traffic analysis: If we had encryption protection in place, an opponent might still be able to observe
the pattern of the message. The opponent could determine the location and identity of
communication hosts and could observe the frequency and length of messages being
exchanged. This information might be useful in guessing the nature of communication that was taking
place.
Passive attacks are very difficult to detect because they do not involve any alteration of data.
However, it is feasible to prevent the success of these attacks.

Active attacks

These attacks involve some modification of the data stream or the creation of a false stream. These
attacks can be classified in to four categories:

Masquerade – One entity pretends to be a different entity.

Replay – involves passive capture of a data unit and its subsequent transmission to produce an
unauthorized effect.
Modification of messages – Some portion of message is altered or the messages are delayed or
recorded, to produce an unauthorized effect.
Denial of service – Prevents or inhibits the normal use or management of communication
facilities. Another form of service denial is the disruption of an entire network, either by disabling the
network or overloading it with messages so as to degrade performance.
It is quite difficult to prevent active attacks absolutely, because to do so would require physical
protection of all communication facilities and paths at all times. Instead, the goal is to detect them and
to recover from any disruption or delays caused by them.

Symmetric and public key algorithms

Encryption/Decryption methods fall into two categories.
Symmetric key
Public key
In symmetric key algorithms, the encryption and decryption keys are known both to sender and
receiver. The encryption key is shared and the decryption key is easily calculated from it. In many
cases, the encryption and decryption keys are the same.
In public key cryptography, encryption key is made public, but it is
computationally infeasible to find the decryption key without the information known to the
receiver.

A MODEL FOR NETWORK SECURITY

A message is to be transferred from one party to another across some sort of internet. The two
parties, who are the principals in this transaction, must cooperate for the exchange to take place. A
logical information channel is established by defining a route through the internet from source to
destination and by the cooperative use of communication protocols (e.g., TCP/IP) by the two
principals.
Using this model requires us to:
– design a suitable algorithm for the security transformation
– generate the secret information (keys) used by the algorithm
– develop methods to distribute and share the secret information
– specify a protocol enabling the principals to use the transformation and secret information for
a security service
CONVENTIONAL ENCRYPTION
• Referred conventional / private-key / single-key
• Sender and recipient share a common key

All classical encryption algorithms are private-key was only type prior to invention of public-
key in 1970‟plaintext - the original message
Some basic terminologies used:
• cipher text - the coded message
• Cipher - algorithm for transforming plaintext to cipher text
• Key - info used in cipher known only to sender/receiver
• encipher (encrypt) - converting plaintext to cipher text
• decipher (decrypt) - recovering cipher text from plaintext
• Cryptography - study of encryption principles/methods

• Cryptanalysis (code breaking) - the study of principles/ methods of deciphering cipher text
without knowing key
• Cryptology - the field of both cryptography and cryptanalysis
 Here the original message, referred to as plaintext, is converted into apparently random
nonsense, referred to as cipher text. The encryption process consists of an algorithm and a key.
The key is a value independent of the plaintext. Changing the key changes the output of the
algorithm. Once the cipher text is produced, it may be transmitted. Upon reception, the
cipher text can be transformed back to the original plaintext by using a decryption algorithm
and the same key that was used for encryption. The security depends on several factors. First, the
encryption algorithm must be powerful enough that it is impractical to decrypt a message on
the basis of cipher text alone. Beyond that, the security depends on the secrecy of the key,
not the secrecy of the algorithm.
• Two requirements for secure use of symmetric encryption:
– A strong encryption algorithm
– A secret key known only to sender / receiver
Y = EK(X)
X = DK(Y)

X = DK(Y)
.
the client, the latter encrypted with the session key now shared by the client and the TGS.
DATA ENCRYPTION STANDARD
(DES)

In May 1973, and again in Aug 1974 the NBS (now NIST) called for possible
encryption algorithms for use in unclassified government applications response was mostly
disappointing, however IBM submitted their Lucifer design following a period of redesign
and comment it became the Data Encryption Standard (DES)
it was adopted as a (US) federal standard in Nov 76, published by NBS as a hardware only
scheme in Jan 77 and by ANSI for both hardware and software standards in ANSI X3.92-1981
(also X3.106-1983 modes of use) subsequently it has been widely adopted and is now
published in many standards around the world cf Australian Standard AS2805.5-1985
one of the largest users of the DES is the banking industry, particularly with EFT, and
EFTPOS
it is for this use that the DES has primarily been standardized, with ANSI having
twice reconfirmed its recommended use for 5 year periods - a further extension is not expected
however although the standard is public, the design criteria used are classified and have yet to be
released there has been considerable controversy over the design, particularly in the choice of a
56-bit key
• recent analysis has shown despite this that the choice was appropriate, and that DES is
well designed
• rapid advances in computing speed though have rendered the 56 bit key susceptible
to exhaustive key search, as predicted by Diffie & Hellman

• the DES has also been theoretically broken using a method called
Differential
Cryptanalysis, however in practice this is unlikely to be a problem (yet)

Overview of the DES Encryption Algorithm

– signature algorithm identifier

 the client, the latter encrypted with the session key now shared by the client and the TGS.

The basic process in enciphering a 64-bit data block using the DES consists of:
 an initial permutation (IP)
 16 rounds of a complex key dependent calculation f
 a final permutation, being the inverse of IP in more detail the 16 rounds of f consist of:

T his can be described functionally as

L(i) = R(i-1)
R(i) = L(i-1) (+) P(S( E(R(i-1))(+) K(i) ))
and forms one round in an S-P network
• the subkeys used by the 16 rounds are formed by the key schedule which consists of:

o an initial permutation of the key (PC1) which selects 56-bits in two 28-bit halves

– signature algorithm identifier

the client, the latter encrypted with the session key now shared by the client and the TGS.
o 16 stages consisting of
o selecting 24-bits from each half and permuting them by PC2 for use in function f,
o rotating each half either 1 or 2 places depending on the key rotation schedule KS
• this can be described functionally
as: K(i) = PC2(KS(PC1(K),i))
• the key rotation schedule KS is specified as:
Round 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

KS 1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1

Total Rot 1 2 4 6 8 10 12 14 15 17 19 21 23 25 27 28

RSA
• RSA encryption and decryption are commutative, hence it may be used directly as a digital
signature scheme

o given an RSA scheme {(e,R), (d,p,q)}

• to sign a message, compute:

o S = Md(mod R)

• to verify a signature, compute:

o M = Se(mod R) = Me.d(mod R) = M(mod R)

• thus know the message was signed by the owner of the public-key

• would seem obvious that a message may be encrypted, then signed using RSA without
increasing it size

o but have blocking problem, since it is encrypted using the receivers modulus, but
signed using the senders modulus (which may be smaller)

– signature algorithm identifier

the client, the latter encrypted with the session key now shared by the client and the TGS.
o several approaches possible to overcome this

• more commonly use a hash function to create a separate MDC which is then signed

Subkey: The client's choice for an encryption key to be used to protect this specific
application session. If this field is omitted, the session key from the ticket (Kc,v) is used.
Sequence number: An optional field that specifies the starting sequence number
to be use may be sequence numbered to detect replays.

If mutual authentication is required, the server responds with message (6). This message includes
the timestamp from the authenticator. Note that in version 4, the timestamp was incremented by
one. This is not necessary in version 5 because the nature of the format of messages is such that it is
not possible for an opponent to create message (6) without knowledge of the appropriate encryption
keys.

Ticket Flags
The flags field included in tickets in version 5 supports expanded functionality compared to that
available in version 4.

– signature algorithm identifier

Overview:
ELECTRONIC MAIL SECURITY PRETTY GOOD PRIVACY (PGP)
PGP provides the confidentiality and authentication service that can be used for electronic
mail and file storage applications. The steps involved in PGP are
Select the best available cryptographic algorithms as building blocks.
Integrate these algorithms into a general purpose application that is independent of
operating system and processor and that is based on a small set of easy-to-use commands.
Make the package and its documentation, including the source code, freely
available via the internet, bulletin boards and commercial networks.
Enter into an agreement with a company to provide a fully compatible, low cost

commercial version of PGP.

PGP has grown explosively and is now widely used. A number of reasons can be cited for this
growth.
• It is available free worldwide in versions that run on a variety of platform.
• It is based on algorithms that have survived extensive public review and are considered
extremely secure.
• e.g., RSA, DSS and Diffie Hellman for public key encryption CAST-128, IDEA and 3DES
for conventional encryption SHA-1 for hash coding.
• it has a wide range of applicability.
• It was not developed by, nor it is controlled by, any governmental or standards
organization.

Operational description
The actual operation of PGP consists of five services: authentication, confidentiality, compression,
e-mail compatibility and segmentation.
1. Authentication
The sequence for authentication is as follows:
The sender creates the message
SHA-1 is used to generate a 160-bit hash code of the message
The hash code is encrypted with RSA using the sender’s private key and the result is
prepended to the message
 The receiver uses RSA with the sender’s public key to decrypt and recover the hash code.
The receiver generates a new hash code for the message and compares it with the decrypted
hash code. If the two match, the message is accepted as authentic.
2. Confidentiality
Confidentiality is provided by encrypting messages to be transmitted or to be stored locally as
files. In both cases, the conventional encryption algorithm CAST-128 may be used. The 64-bit
cipher feedback (CFB) mode is used.
In PGP, each conventional key is used only once. That is, a new key is generated as a random 128-
bit number for each message. Thus although this is referred to as a session key, it is in reality a one
time key. To protect the key, it is encrypted with the receiver’s public key.
The sequence for confidentiality is as follows:

• The sender generates a message and a random 128-bit number to be used as a session key for
this message only.
• The message is encrypted using CAST-128 with the session key.
• The session key is encrypted with RSA, using the receiver’s public key and is prepended
to the message.
• The receiver uses RSA with its private key to decrypt and recover the session key.
• The session key is used to decrypt the message.

VIRUSES AND RELATED THREATS

Perhaps the most sophisticated types of threats to computer systems are presented by programs that
exploit vulnerabilities in computing systems.

Parasitic virus: The traditional and still most common form of virus. A parasitic virus
attaches itself to executable files and replicates, when the infected program is executed, by finding
other executable files to infect.
Memory-resident virus: Lodges in main memory as part of a resident system program.

From that point on, the virus infects every program that executes.
 Boot sector virus: Infects a master boot record or boot record and spreads when a
system is booted from the disk containing the virus.
Stealth virus: A form of virus explicitly designed to hide itself from detection by
antivirus software.
Polymorphic virus: A virus that mutates with every infection, making detection by the

"signature" of the virus impossible.

Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutates with

every infection. The difference is that a metamorphic virus rewrites itself completely at each
iteration, increasing the difficulty of detection. Metamorphic viruses my change their behavior as
well as their appearance.
One example of a stealth virus was discussed earlier: a virus that uses compression so that
the infected program is exactly the same length as an uninfected version. Far more
sophisticated techniques are possible. For example, a virus can place intercept logic in disk I/O
routines, so that when there is an attempt to read suspected portions of the disk using these routines,
the virus will present back the original, uninfected program.

A polymorphic virus creates copies during replication that are functionally equivalent but
have distinctly different bit patterns.

Macro Viruses
In the mid-1990s, macro viruses became by far the most prevalent type of virus. Macro viruses are
particularly threatening for a number of reasons:

1. A macro virus is platform independent. Virtually all of the macro viruses infect Microsoft
Word documents. Any hardware platform and operating system that supports Word can be infected.
2. Macro v i r u s e s i n f e c t d o c u m e n t s , n o t e x e c u t a b l e p o r t i o n s o f c o d e . Most o f
t h e information introduced onto a computer system is in the form of a document rather than a
program.
3. Macro viruses are easily spread. A very common method is by electronic mail.
Macro viruses take advantage of a feature found in Word and other office applications such as
Microsoft Excel, namely the macro. In essence, a macro is an executable program embedded in a
word processing document or other type of file. Typically, users employ macros to automate
repetitive tasks and thereby save keystrokes. The macro language is usually some form of the Basic
programming language. A user might define a sequence of keystrokes in a macro and set it up so
that the macro is invoked when a function key or special short combination of keys is input.
Successive releases of Word provide increased protection against macro viruses. For example,
Microsoft offers an optional Macro Virus Protection tool that detects suspicious Word files and
alerts the customer to the potential risk of opening a file with macros. Various antivirus
product vendors have also developed tools to detect and correct macro viruses.

E-mail Viruses

A more recent development in malicious software is the e-mail virus. The first rapidly
spreading e-mail viruses, such as Melissa, made use of a Microsoft Word macro embedded in an
attachment. If the recipient opens the e-mail attachment, the Word macro is activated. Then

1. The e-mail virus sends itself to everyone on the mailing list in the user's e-mail
package.

2. The virus does local damage.

Worms
A worm is a program that can replicate itself and send copies from computer to computer
across network connections. Upon arrival, the worm may be activated to replicate and
propagate again.

Network worm programs use network connections to spread from system to system. Once
active within a system, a network worm can behave as a computer virus or bacteria, or it could
implant Trojan horse programs or perform any number of disruptive or destructive actions.

To replicate itself, a network worm uses some sort of network vehicle. Examples include the
following:

Electronic mail facility: A worm mails a copy of itself to other systems.

Remote execution capability: A worm executes a copy of itself on another system.
 Remote login capability: A worm logs onto a remote system as a user and then uses
commands to copy itself from one system to the other.

The new copy of the worm program is then run on the remote system where, in addition to any
functions that it performs at that system, it continues to spread in the same fashion.

A network worm exhibits the same characteristics as a computer virus: a dormant phase, a
propagation phase, a triggering phase, and an execution phase. The propagation phase
generally performs the following functions:

1. Search for other systems to infect by examining host tables or similar repositories of
remote system addresses.
2. Establish a connection with a remote system.
3. Copy itself to the remote system and cause the copy to be run.
As with viruses, network worms are difficult to counter.
Recent Worm Attacks
In late 2001, a more versatile worm appeared, known as Nimda. Nimda spreads by multiple
mechanisms:
from client to client via e-mail
from client to client via open network shares
from Web server to client via browsing of compromised Web sites
from client to Web server via active scanning for and exploitation of various Microsoft
IIS 4.0 / 5.0 directory traversal vulnerabilities
from client to Web server via scanning for the back doors left behind by the "Code Red
II" worms
The worm modifies Web documents (e.g., .htm, .html, and .asp files) and certain executable files
found on the systems it infects and creates numerous copies of itself under various filenames.

Detection: Once the infection has occurred, determine that it has occurred and locate the
virus.

Identification: Once detection has been achieved, identify the specific virus that has
CHAPTER-4

FIREWALLS
Firewall design principles
Internet connectivity is no longer an option for most organizations. However, while internet
access provides benefits to the organization, it enables the outside world to reach and interact with
local network assets. This creates the threat to the organization. While it is possible to equip each
workstation and server on the premises network with strong security features, such as intrusion
protection, this is not a practical approach. The alternative, increasingly accepted, is the firewall.
The firewall is inserted between the premise network and internet to establish a controlled link and
to erect an outer security wall or perimeter. The aim of this perimeter is to protect the premises
network from internet based attacks and to provide a single choke point where security and audit
can be imposed. The firewall can be a single computer system or a set of two or more systems that
cooperate to perform the firewall function.

Firewall characteristics:
All traffic from inside to outside, and vice versa, must pass through the firewall.
This is achieved by physically blocking all access to the local network except via the firewall.
Various configurations are possible.
only authorized traffic, as defined by the local security policy, will be allowed to pass.
Various types of firewalls are used, which implement various types of security policies.

the firewall itself is immune to penetration. This implies that use of a trusted system
with a secure operating system. This implies that use of a trusted system with a secure operating
system.
Four techniques that firewall use to control access and enforce the site’s security policy is as
follows:
Service control – determines the type of internet services that can be accessed, inbound
or outbound. The firewall may filter traffic on this basis of IP address and TCP port number;
 may provide proxy software that receives and interprets each service request before passing it on;
or may host the server software itself, such as web or mail service.
Direction control – determines the direction in which particular service request may be
initiated and allowed to flow through the firewall.
User control – controls access to a service according to which user is attempting to
access it.
Behavior control – controls how particular services are used.
Capabilities of firewall
A firewall defines a single choke point that keeps unauthorized users out of the protected
network, prohibits potentially vulnerable services from entering or leaving the network, and
provides protection from various kinds of IP spoofing and routing attacks.
A firewall provides a location for monitoring security related events. Audits and alarms can
be implemented on the firewall system.
A firewall is a convenient platform for several internet functions that are not security
related.
A firewall can serve as the platform for IPsec.
Limitations of firewall
The firewall cannot protect against attacks that bypass the firewall. Internal systems
may have dial-out capability to connect to an ISP. An internal LAN may support a modem pool
that provides dial-in capability for traveling employees and telecommuters.
the firewall does not protect against internal threats. The firewall does not protect against
internal threats, such as a disgruntled employee or an employee who unwittingly cooperates
with an external attacker.
The firewall cannot protect against the transfer of virus-infected programs or files.
Because of the variety of operating systems and applications supported inside the perimeter, it
would be impractical and perhaps impossible for the firewall to scan all incoming files, e-mail, and

messages for viruses.

Types of firewalls
There are 3 common types of firewalls.
Packet filters
Application-level gateways
Circuit-level gateways
Packet filtering router
A packet filtering router applies a set of rules to each incoming IP packet and then forwards or
discards the packet. The router is typically configured to filter packets going in both directions.
Filtering rules are based on the information contained in a network packet:
Source IP address – IP address of the system that originated the IP packet.

Destination IP address – IP address of the system, the IP is trying to reach.

Source and destination transport level address – transport level port number.
IP protocol field – defines the transport protocol.
Interface – for a router with three or more ports, which interface of the router the packet
come from or which interface of the router the packet is destined for.

The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP
header. If there is a match to one of the rules, that rule is invoked to determine whether to forward
or discard the packet. If there is no match to any rule, then a default action is taken.
Two default policies are possible:

Default = discard: That which is not expressly permitted is prohibited.

Default = forward: That which is not expressly prohibited is permitted.

The default discard policy is the more conservative. Initially everything is blocked, and services
must be added on a case-by-case basis. This policy is more visible to users, who are most likely
to see the firewall as a hindrance. The default forward policy increases ease of use for end
users but provides reduced security.
Advantages of packet filter router
Simple
 Transparent to users
Very fast
Weakness of packet filter firewalls
Because packet filter firewalls do not examine upper-layer data, they cannot prevent
attacks that employ application specific vulnerabilities or functions.
Because of the limited information available to the firewall, the logging
functionality present in packet filter firewall is limited.
It does not support advanced user authentication schemes.
They are generally vulnerable to attacks such as layer address spoofing.
Some of the attacks that can be made on packet filtering routers and the appropriate counter
measures are the following:

IP address spoofing –
the intruders transmit packets from the outside with a source IP address field containing an
address of an internal host.
Countermeasure: to discard packet with an inside source address if the packet arrives on an
external interface.
Source routing attacks – the source station specifies the route that a packet should take as
it crosses the internet; i.e., it will bypass the firewall.
Countermeasure: to discard all packets that uses this option.
Tiny fragment attacks – the intruder create extremely small fragments and force the TCP
header information into a separate packet fragment. The attacker hopes that only the first fragment
is examined and the remaining fragments are passed through.
Countermeasure: to discard all packets where the protocol type is TCP and the IP
Fragment offset is equal to 1.

Application level gateway

An Application level gateway, also called a proxy server, acts as a relay of application level
traffic. The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the
gateway asks the user for the name of the remote host to be accessed. When the user responds and
provides a valid user ID and authentication information, the gateway contacts the application on the
remote host and relays TCP segments containing the application data between the two endpoints.
Application level gateways tend to be more secure than packet filters. It is easy to log and audit all
incoming traffic at the application level. A prime disadvantage is the additional processing
overhead on each connection.

Circuit level gateway

Circuit level gateway can be a stand-alone system or it can be a specified function performed by an
application level gateway for certain applications. A Circuit level gateway does not permit an end-
to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a
TCP user on an inner host and one between itself and a TCP user on an outer host. Once the two
connections are established, the gateway typically relays TCP segments from one connection to the
other without examining the contents. The security function consists of determining which
connections will be allowed.
A typical use of Circuit level gateways is a situation in which the system administrator trusts the
internal users. The gateway can be configured to support application level or proxy service on
inbound connections and circuit level functions for outbound connections.
Firewall configurations
There are 3 common firewall configurations.
1. Screened host firewall, single-homed basiton configuration
In this configuration, the firewall consists of two systems: a packet filtering router and a bastion
host. Typically, the router is configured so that
For traffic from the internet, only IP packets destined for the basiton host are allowed
in.
For traffic from the internal network, only IP packets from the basiton host are allowed
out.
The basiton host performs authentication and proxy functions. This configuration has greater
security than simply a packet filtering router or an application level gateway alone, for two
reasons:
This configuration implements both packet level and application level filtering, allowing
for considerable flexibility in defining security policy.
An intruder must generally penetrate two separate systems before the security of the
internal network is compromised.

Data access control

Following successful logon, the user has been granted access to one or set of hosts and applications.
This is generally not sufficient for a system that includes sensitive data in its database. Through
the user access control procedure, a user can be identified to the system. Associated with each
user, there can be a profile that specifies permissible operations and file accesses. The
operating system can then enforce rules based on the user profile. The database management
system, however, must control access to specific records or even portions of records. The operating
system may grant a user permission to access a file or use an application, following which there are
no further security checks, the database management system must make a decision on each
individual access attempt. That decision will depend not only on the user’s identity but also on the
specific parts of the data being accessed and even on the information already divulged to the user.
A general model of access control as exercised by an file or database management system is that of
an access matrix. The basic elements of the model are as follows:
 Subject: An entity capable of accessing objects. Generally, the concept of subject equates
with that of process.
Object: Anything to which access is controlled. Examples include files, portion of files,
programs, and segments of memory.
Access right: The way in which the object is accessed by a subject. Examples are read,
write and execute.

One axis of the matrix consists of identified subjects that may attempt data access. Typically, this
list will consist of individual users or user groups. The other axis lists the objects that may be
accessed. Objects may be individual data fields. Each entry in the matrix indicates the access rights
of that subject for that object. The matrix may be decomposed by columns, yielding access control
lists. Thus, for each object, an access control list lists users and their permitted access rights.
The access control list may contain a default, or public, entry.

Reference Monitor concept

The reference monitor is a controlling element in the hardware and operating system of a
computer that regulates the access of subjects to objects on the basis of
security parameters of the subject and object. The reference monitor has access to a file, known as
the security kernel database that lists the access privileges (security clearance) of each subject and
the protection attributes (classification level) of each object. The reference monitor enforces the
security rules and has the following properties:
Complete mediation: The security rules are enforced on every access, not just, fr
example, when a file is opened.
Isolation: The reference monitor and database are protected from unauthorised
modification.
Verifiability: The reference monitor’s correctness must be provable. That is, it must be
possible to demonstrate mathematically that the reference monitor enforces the security rules
and provides complete mediation and isolation. Important security events, such as
detected security violations and
authorized changes to the security kernel database, are stored in the audit file.
 Fig: Reference Monitor Concept

References: Cryptography & Network Security by Atul Kahate