CRYPTOGRAPHY AND

NETWORK SECUTITY
PROF.POORNIMA R D
ASSISTANT PROFESSOR
DEPARTMENT OF CSE
DR AIT
TABLE OF CONTENTS

 Computer security concepts

 The OSI Security Architecture
 Security Attacks
 Security Services
 Security Mechanism
 A Model for network security
 CRYPTOGRAPHY

 Cryptography is the process of hiding or coding information so that

only the person a message was intended for can read it.
 The art of cryptography has been used to code messages for
thousands of years and continues to be used in bank cards,
computer passwords, and ecommerce.
 NETWORK SECURITY

 Network security refers to the technologies, policies, people, and

procedures that defend any communication infrastructure from
cyberattacks, unauthorized access, and data loss.
 In addition to the network itself, they also secure traffic and
network-accessible assets at both the network edge and inside the
perimeter.
 IMPORTANCE OF CRYPTOGRAPHY

 For secure communication, data transmission, and transactions.

 To safeguard personal information
 To ensure data confidentiality
 For the protection of data from unauthorized access.
 To authenticate the source of data
 To establish trust between two communicating parties.
 APPLICATIONS OF CRYPTOGRAPHY

 Authentication/Digital Signatures
 Time Stamping
 Electronic Money
 Encryption/Decryption in email
 WhatsApp Encryption
 Instagram Encryption
 Sim card Authentication
APPLICATIONS OF NETWORK
SECURITY

 Protection of network.
 Protection from intrusions.
 To protect from threats.
 Protection of data from breaches.
 CRYPTOGRAPHIC PROTOCOLS

 Cryptographic algorithms and protocols can be grouped into four main areas:
 Symmetric encryption: Used to conceal the contents of blocks or streams of data of any
size, including messages, files, encryption keys, and passwords.
 Asymmetric encryption: Used to conceal small blocks of data, such as encryption keys and
hash function values, which are used in digital signatures.
 Data integrity algorithms: Used to protect blocks of data, such as messages, from
alteration.
 Authentication protocols: These are schemes based on the use of cryptographic algorithms
designed to authenticate the identity of entities.
 COMPUTER SECURITY CONCEPTS

Computer Security: The protection afforded to an automated information system in order to attain the
applicable objectives of preserving the integrity, availability, and confidentiality of information system
resources (includes hardware, software, firmware, information/data, and telecommunications).
This definition introduces three key objectives that are at the heart of computer security: ■
Confidentiality: This term covers two related concepts:
 Data1 confidentiality: Assures that private or confidential information is not made available or
disclosed to unauthorized individuals.
 Privacy: Assures that individuals control or influence what information related to them may be
collected and stored and by whom and to whom that information may be disclosed.
 COMPUTER SECURITY CONCEPTS

 Integrity: This term covers two related concepts:

 Data integrity: Assures that information (both stored and in transmitted
packets) and programs are changed only in a specified and authorized manner.
 System integrity: Assures that a system performs its intended function in an
unimpaired manner, free from deliberate or inadvertent unauthorized
manipulation of the system.
 Availability: Assures that systems work promptly and service is not denied to
authorized users.
 COMPUTER SECURITY CONCEPTS

 Confidentiality: Preserving authorized restrictions on information access and

disclosure, including means for protecting personal privacy and proprietary
information. A loss of confidentiality is the unauthorized disclosure of information.
 Integrity: Guarding against improper information modification or destruction,
including ensuring information nonrepudiation and authenticity. A loss of integrity is
the unauthorized modification or destruction of information.
 Availability: Ensuring timely and reliable access to and use of information. A loss of
availability is the disruption of access to or use of information or an information
system.
 CIA TRAID

 Confidentiality: Preserving authorized restrictions on information access and

disclosure, including means for protecting personal privacy and proprietary
information. A loss of confidentiality is the unauthorized disclosure of information.
 Integrity: Guarding against improper information modification or destruction,
including ensuring information nonrepudiation and authenticity. A loss of integrity is
the unauthorized modification or destruction of information.
 Availability: Ensuring timely and reliable access to and use of information. A loss of
availability is the disruption of access to or use of information or an information
system.
Authenticity: The property of being genuine and being able
to be verified and trusted; confidence in the validity of a
transmission, a message, or message originator. This means
verifying that users are who they say they are and that each
input arriving at the system came from a trusted source.
Accountability: The security goal that generates the
requirement for actions of an entity to be traced uniquely to
that entity. This supports nonrepudiation,deterrence, fault
isolation, intrusion detection and prevention, and after action
recovery and legal action.
 Challenges of Computer Security

 most of the major requirements for security services can be given self-explanatory, one-word labels:
confidentiality, authentication, nonrepudiation, or integrity. But the mechanisms used to meet those
requirements can be quite complex, and understanding them may involve rather subtle reasoning.
 In developing a particular security mechanism or algorithm, one must always consider potential
attacks on those security features. In many cases, successful attacks are designed by looking at the
problem in a completely different way, therefore exploiting an unexpected weakness in the
mechanism.
 Because of point 2, the procedures used to provide particular services are often counterintuitive.
Typically, a security mechanism is complex, and it is not obvious from the statement of a particular
requirement that such elaborate measures are needed. It is only when the various aspects of the threat
are considered that elaborate security mechanisms make sense.
 Challenges of Computer Security

 Having designed various security mechanisms, it is necessary to decide where to use them. This is true both in
terms of physical placement (e.g., at what points in a network are certain security mechanisms needed) and in a
logical sense (e.g., at what layer or layers of an architecture such as TCP/IP [Transmission Control
Protocol/Internet Protocol] should mechanisms be placed).
 Security mechanisms typically involve more than a particular algorithm or protocol. They also require that
participants be in possession of some secret information (e.g., an encryption key), which raises questions about the
creation, distribution, and protection of that secret information. There also may be a reliance on communications
protocols whose behavior may complicate the task of developing the security mechanism. For example, if the
proper functioning of the security mechanism requires setting time limits on the transit time of a message from
sender to receiver, then any protocol or network that introduces variable, unpredictable delays may render such
time limits meaningless.
 Computer and network security is essentially a battle of wits between a perpetrator who tries to find holes and the
designer or administrator who tries to close them. The great advantage that the attacker has is that he or she need
only find a single weakness, while the designer must find and eliminate all weaknesses to achieve perfect security.
 Challenges of Computer Security

 There is a natural tendency on the part of users and system managers to perceive
little benefit from security investment until a security failure occurs.
 Security requires regular, even constant, monitoring, and this is difficult in today’s
short-term, overloaded environment.
 Security is still too often an afterthought to be incorporated into a system after the
design is complete rather than being an integral part of the design process.
 The OSI Security Architecture

 The OSI security architecture is useful to managers as a way of organizing the task of providing
security. Furthermore, because this architecture was developed as an international standard, computer
and communications vendors have developed security features for their products and services that
relate to this structured definition of services and mechanisms.
 The OSI security architecture focuses on security attacks, mechanisms, and services. These can be
defined briefly as:
1. Security attack: Any action that compromises the security of information owned by an organization.
2. Security mechanism: A process (or a device incorporating such a process) that is designed to detect, prevent, or
recover from a security attack.
3. Security service: A processing or communication service that enhances the security of the data processing
systems and the information transfers of an organization. The services are intended to counter security attacks,
and they make use of one or more security mechanisms to provide the service.
 Threat
A potential for violation of security, which exists when there is a circumstance, capability, action, or
event that could breach security and cause harm. That is, a threat is a possible danger that might exploit
a vulnerability.
 Attack
An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a
deliberate attempt (especially in the sense of a method or technique) to evade security services and
violate the security policy of a system.
 Security Attacks

 Passive attacks (Figure 1.2a) are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of
the opponent is to obtain information that is being transmitted.
 Two types of passive attacks are the release of message contents and traffic analysis.
1. The release of message contents is easily understood. A telephone conversation, an electronic mail message, and a
transferred file may contain sensitive or confidential information. We would like to prevent an opponent from
learning the contents of these transmissions.
2. A second type of passive attack, traffic analysis, is subtler.
Suppose that we had a way of masking the contents of messages or other information traffic so that opponents, even if
they captured the message, could not extract the information from the message. The common technique for masking
contents is encryption. If we had encryption protection in place, an opponent might still be able to observe the pattern
of these messages. The opponent could determine the location and identity of communicating hosts and could observe
the frequency and length of messages being exchanged. This information might be useful in guessing the nature of the
communication that was taking place.
 Active Attacks

Active Attacks
 Active attacks (Figure 1.2b) involve some modification of the data stream or the creation of a false stream and
can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service.
 A masquerade takes place when one entity pretends to be a different entity (path 2 of Figure 1.2b is active). A
masquerade attack usually includes one of the other forms of active attack. For example, authentication
sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an
authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those
privileges.
 Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized
effect (paths 1, 2, and 3 active).
 Modification of messages simply means that some portion of a legitimate message is altered, or that messages
are delayed or reordered, to produce an unauthorized effect (paths 1 and 2 active). For example, a message
meaning “Allow John Smith to read confidential file accounts” is modified to mean “Allow Fred Brown to read
confidential file accounts.”
 The denial of service prevents or inhibits the normal use or management of communications
facilities (path 3 active). This attack may have a specific target; for example, an entity may
suppress all messages directed to a particular destination (e.g., the security audit service). Another
form of service denial is the disruption of an entire network, either by disabling the network or by
overloading it with messages so as to degrade performance.
 SECURITY SERVICE

 Security Service is a processing or communication service that is provided by a system to give a

specific kind of protection to system resources; security services implement security policies and are
implemented by security mechanisms.
 X.800 divides these services into five categories and fourteen specific services (Table 1.2). We look at
each category in turn.5
SECURITY SERVICE
 SECURITY SERVICE

 The authentication service is concerned with assuring that a communication is authentic. In the case of
a single message, such as a warning or alarm signal, the function of the authentication service is to
assure the recipient that the message is from the source that it claims to be from.
 Two specific authentication services are defined in X.800:
1. Peer entity authentication: Provides for the corroboration of the identity of a peer entity in an
association. Two entities are considered peers if they implement to same protocol in different systems.
2. Data origin authentication: Provides for the corroboration of the source of a data unit. It does not
provide protection against the duplication or modification of data units. This type of service supports
applications like electronic mail, where there are no prior interactions between the communicating
entities.
 SECURITY SERVICE

 Access Control
In the context of network security, access control is the ability to limit and control the access to host
systems and applications via communications links. To achieve this, each entity trying to gain access must
first be identified, or authenticated, so that access rights can be tailored to the individual.
 Data Confidentiality
Confidentiality is the protection of transmitted data from passive attacks. With respect to the content of a
data transmission, several levels of protection can be identified. The broadest service protects all user data
transmitted between two users over a period of time.
 Data Integrity
As with confidentiality, integrity can apply to a stream of messages, a single message, or selected fields
within a message. Again, the most useful and straightforward approach is total stream protection.
 SECURITY SERVICE

 Nonrepudiation
Nonrepudiation prevents either sender or receiver from denying a transmitted message. Thus, when a message is sent,
the receiver can prove that the alleged sender in fact sent the message.
 Availability Service
X.800 treats availability as a property to be associated with various security services. However, it makes
sense to call out specifically an availability service. An availability service is one that protects a system to
ensure its availability. This service addresses the security concerns raised by denial-of-service attacks. It
depends on proper management and control of system resources and thus depends on access control service
and other security services.
 SECURITY MECHANISMS

The mechanisms are divided into those that are implemented in a specific protocol layer, such as TCP or
an application-layer protocol, and those that are not specific to any particular protocol layer or security
service.
SECURITY MECHANISMS
MODEL FOR NETWORK SECURITY

A message is to be transferred from one party to another across

some sort of Internet service. The two parties, who are the
principals in this transaction, must cooperate for the exchange
to take place. A logical information channel is established by
defining a route through the Internet from source to destination
and by the cooperative use of communication protocols (e.g.,
TCP/IP) by the two principals.
 MODEL FOR NETWORK SECURITY

All the techniques for providing security have two components:

 A security-related transformation on the information to be sent. Examples include the encryption of the
message, which scrambles the message so that it is unreadable by the opponent, and the addition of a
code based on the contents of the message, which can be used to verify the identity of the sender.
 Some secret information shared by the two principals and, it is hoped, unknown to the opponent. An
example is an encryption key used in conjunction with the transformation to scramble the message
before transmission and unscramble it on reception.6
 MODEL FOR NETWORK SECURITY

This general model shows that there are four basic tasks in designing a particular security service:
1. Design an algorithm for performing the security-related transformation. The algorithm should be such that an
opponent cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret
information to achieve a particular security service.
 Programs can present two kinds of threats:
a) Information access threats: Intercept or modify data on behalf of users who should not have access to that
data.
b) Service threats: Exploit service flaws in computers to inhibit use by legitimate users.
MODEL FOR NETWORK SECURITY