Computer Security
The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).
The definition includes three key objectives of security:
--Confidentiality
--Integrity
--Availability
CIA Triad
Confidentiality: This term covers two related concepts:
--Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals.
--Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
Integrity: This term covers two related concepts:
--Data integrity: Assures that information and programs are changed only in a specified and authorized manner.
--System integrity: Assures that a system performs its intended function in an unimpaired (strong) manner, free from deliberate or inadvertent unauthorized manipulation of the system.
Availability: Assures that systems work promptly and service is not denied to authorized users.
Security Goals
Confidentiality
Integrity
Availability
OSI Security Architecture
Threat: A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.
Attack: An assault on system security that derives from an intelligent threat. That is, an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.
OSI Security Architecture
ITU-T X.800 "Security Architecture for OSI" defines a systematic way of defining and providing security requirements.
For us, it provides a useful, if abstract, overview of the concepts we will study.
Attacks, Services and Mechanisms
Security Attack: Any action that compromises the security of information.
Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.
Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.
Passive Attacks
Active Attacks
Security Attacks
Interruption: This is an attack on availability
Interception: This is an attack on confidentiality
Modification: This is an attack on integrity
Fabrication: This is an attack on authenticity
Security Services
--Confidentiality (privacy)
--Authentication (who created or sent the data)
--Integrity (has not been altered)
--Non-repudiation (the order is final)
--Access control (prevent misuse of resources)
--Availability (permanence, non-erasure)
  --Denial of Service Attacks
  --Virus that deletes files
Security Mechanism
--A feature designed to detect, prevent, or recover from a security attack
--No single mechanism will support all services required
--However, one particular element underlies many of the security mechanisms in use: cryptographic techniques
--Hence our focus on this topic
Security Mechanisms (X.800)
specific security mechanisms:
In order to provide some of the OSI security services
pervasive security mechanisms:
Mechanisms that are not specific to any particular OSI security service
specific security mechanisms
Encipherment: The use of mathematical algorithms to transform data into a form that is not readily intelligible (encryption keys)
Digital signatures: A cryptographic transformation of a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery
Access controls: A variety of mechanisms that enforce rights to resources
Data integrity: A variety of mechanisms used to assure the integrity of a data unit or stream of data units
Authentication exchange: A mechanism intended to ensure the identity of an entity
Traffic padding: The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts
Routing Control: Enables selection of particular physically secure routes for certain data and allows routing changes, especially when a breach of security is suspected
Notarization: The use of a trusted third party to assure certain properties of a data exchange
pervasive security mechanisms
Trusted Functionality: That which is perceived to be correct with respect to some criteria
Security Label: The marking bound to a resource that names or designates the security attributes of that resource
Event Detection: Detection of security-relevant events
Security Audit Trail: Data collected and potentially used to facilitate a security audit, which is an independent review
Security Recovery: Takes recovery actions
Model for Network Security
using this model requires us to:
1. design a suitable algorithm for the security transformation
2. generate the secret information (keys) used by the algorithm
3. develop methods to distribute and share the secret information
4. specify a protocol enabling the principals to use the transformation and secret information for a security service
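The four tasks above, worked through as an added example (not part of the original slides). It assumes HMAC-SHA256 as the security transformation, a data integrity mechanism, and treats key distribution as already done out of band; the function names and the sample messages are constructed for illustration. It shows which of the earlier attack classes this one transformation addresses (modification, fabrication) and which it does not (interception).

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag

def generate_key() -> bytes:
    """Task 2: generate the secret information shared by the principals."""
    return secrets.token_bytes(32)

def protect(key: bytes, message: bytes) -> bytes:
    """Task 1, sender side: append an integrity/authentication tag."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag

def verify(key: bytes, wire: bytes):
    """Task 1, receiver side: return the message, or None if the tag fails."""
    if len(wire) < TAG_LEN:
        return None
    message, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return message if hmac.compare_digest(tag, expected) else None

def run_exchange() -> dict:
    # Task 3 (distribution) is assumed done out of band: both principals hold `key`.
    key = generate_key()
    message = b"TRANSFER 100 TO ALICE"   # constructed sample message
    wire = protect(key, message)         # Task 4: the protocol sends message || tag

    # Modification: the amount is changed in transit while the old tag is kept.
    modified = wire.replace(b"100", b"900", 1)
    # Fabrication: a message is invented by a party that does not hold `key`.
    fabricated = protect(generate_key(), b"TRANSFER 500 TO MALLORY")

    return {
        "genuine": verify(key, wire),
        "modified": verify(key, modified),
        "fabricated": verify(key, fabricated),
        # Interception still succeeds: this transformation does no encipherment.
        "readable_on_wire": message in wire,
    }

if __name__ == "__main__":
    print(run_exchange())
```

Confidentiality against interception would need an encipherment mechanism in addition to the tag, which is why a security service generally combines more than one mechanism.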
Model for Network Access Security
using this model requires us to:
1. select appropriate gatekeeper functions to identify users
2. implement security controls to ensure only authorised users access designated information or resources
trusted computer systems may be useful to help implement this model
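The two steps of the access model, as an added example that is not part of the original slides. The gatekeeper function is assumed to be a salted PBKDF2 password check, the internal control is a default-deny access list, and every decision is written to an audit trail (one of the pervasive mechanisms listed earlier); the class name, account and resource are constructed for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor chosen for this example

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class Gatekeeper:
    """Step 1 identifies the user; step 2 checks the right to the resource."""

    def __init__(self):
        self.users = {}        # user -> (salt, password hash)
        self.acl = {}          # resource -> {user: set of permitted actions}
        self.audit_trail = []  # (user, resource, action, outcome)

    def enroll(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, hash_password(password, salt))

    def grant(self, user, resource, action):
        self.acl.setdefault(resource, {}).setdefault(user, set()).add(action)

    def authenticate(self, user, password) -> bool:
        # Unknown users still cost one hash, so timing does not reveal who exists.
        salt, stored = self.users.get(user, (b"\x00" * 16, b""))
        return hmac.compare_digest(hash_password(password, salt), stored)

    def request(self, user, password, resource, action) -> str:
        if not self.authenticate(user, password):
            outcome = "denied: not identified"
        elif action not in self.acl.get(resource, {}).get(user, set()):
            outcome = "denied: not authorised"   # default deny
        else:
            outcome = "granted"
        self.audit_trail.append((user, resource, action, outcome))
        return outcome

def demo() -> list:
    gk = Gatekeeper()
    gk.enroll("alice", "correct horse")          # constructed sample account
    gk.grant("alice", "payroll.db", "read")
    return [
        gk.request("alice", "correct horse", "payroll.db", "read"),
        gk.request("alice", "correct horse", "payroll.db", "write"),
        gk.request("alice", "wrong guess", "payroll.db", "read"),
        gk.request("bob", "anything", "payroll.db", "read"),
    ]
```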
Summary
have considered:
definitions for:
computer, network, internet security
X.800 standard
security attacks, services, mechanisms
models for network (access) security