Université de Ngaoundéré - Faculté des Sciences Département de Mathématiques et Informatique
I- Security Fundamentals
Objectives
At the end of this lesson, students will be able to:
• Have a broad overview of security research
• Explain concepts around attacks
• Explain concepts on confidentiality, integrity, non-repudiation, authentication and access control
Prerequisites
To be able to understand this lesson, students need notions on:
• Network architecture
Cycle: Master – Semester 2 - SLED Academic Year 2016/2017
Keywords
Security, network, information, computer, active attack, passive attack, services, confidentiality, integrity, non-repudiation, authentication, access control, deterrence, prevention, detection, response, message transmission
Literature
Kizza, J. M.: Guide to Computer Network Security, Third Edition. Computer Communications and Networks. Springer 2015
Stallings, W.: Cryptography and Network Security: Principles and Practice, Sixth Edition. Pearson, USA 2014
Further readings
1. Definitions
Three ingredients for communication:
• Two entities, a sender and a receiver, plus something to share
• A transmission medium
• An agreed-on set of communication rules or protocols
A computer network:
• A distributed system consisting of loosely coupled computers and other devices
Computer Security: a branch of computer science focusing on creating a secure environment for the use of computers.
Network Security: a broader study of computer security. It is still a branch of computer science, but a lot broader than computer security.
Information Security: a bigger field of study that includes computer and computer network security. Disciplines: computer science, business management, information studies, and engineering.
2. Illustration
1. User A transmits a file to user B. The file contains sensitive information (e.g., payroll records) that is to be protected from disclosure. User C, who is not authorized to read the file, is able to monitor the transmission and capture a copy of the file during its transmission.
2. A network manager, D, transmits a message to a computer, E, under its management. The message instructs computer E to update an authorization file to include the identities of a number of new users who are to be given access to that computer. User F intercepts the message, alters its contents to add or delete entries, and then forwards the message to computer E, which accepts the message as coming from manager D and updates its authorization file accordingly.
3. Rather than intercept a message, user F constructs its own message with the desired entries and transmits that message to computer E as if it had come from manager D. Computer E accepts the message as coming from manager D and updates its authorization file accordingly.
4. An employee is fired without warning. The personnel manager sends a message to a server system to invalidate the employee’s account. When the invalidation is accomplished, the server is to post a notice to the employee’s file as confirmation of the action. The employee is able to intercept the message and delay it long enough to make a final access to the server to retrieve sensitive information. The message is then forwarded, the action taken, and the confirmation posted. The employee’s action may go unnoticed for some considerable time.
5. A message is sent from a customer to a stockbroker with instructions for various transactions. Subsequently, the investments lose value and the customer denies sending the message.
3. Concepts
Security is a continuous process of protecting an object from unauthorized access. It is a state of being or feeling protected from harm. That object in that state may be a person, an organization such as a business, or property such as a computer system or a file. Security comes from secure which means, according to Webster Dictionary, a state of being free from care, anxiety, or fear [1].
Security is guaranteed if the following four protection mechanisms are in place:
Deterrence: first line of defense against intruders who may try to gain access. It works by creating an atmosphere intended to frighten intruders.
Prevention: process of trying to stop intruders from gaining access to the resources of the system. Barriers include firewalls, demilitarized zones (DMZs), and the use of access items like keys, access cards, biometrics, and others to allow only authorized users to use and access a facility.
Detection: occurs when the intruder has succeeded or is in the process of gaining access to the system. Signals from the detection process include alerts to the existence of an intruder. Sometimes these alerts can be real time or stored for further analysis by the security personnel.
Response: an aftereffect mechanism that tries to respond to the failure of the first three mechanisms. It works by trying to stop and/or prevent future damage or access to a facility.
4. Attack Concepts
The OSI security architecture focuses on security attacks, mechanisms, and services
• Security attack: Any action that compromises the security of information owned by an organization.
• Security mechanism: A process (or a device incorporating such a process) that is designed to detect, prevent, or
recover from a security attack.
• Security service: A processing or communication service that enhances the security of the data processing systems
and the information transfers of an organization. The services are intended to counter security attacks, and they
make use of one or more security mechanisms to provide the service.
Threats and Attacks (RFC 4949)
Threat
A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could
breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability.
Attack
An assault on system security that derives from an intelligent threat; that is, an intelligent act that is a deliberate
attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of
a system.
5. Attack Types
Passive Attacks: obtaining information that is being transmitted
• Release of message contents
• Traffic analysis
Passive attacks are very difficult to detect, because they do not involve any alteration of the data. Therefore prevention
Active Attacks: involving some modification of the data stream or the creation of a false stream
• Masquerade (path 2 is active)
• Replay (paths 1, 2, and 3 active)
• Modification of messages (paths 1 and 2 active)
• Denial of service (path 3 active)
It is quite difficult to prevent active attacks.
6. Security Services
Authentication: service used to identify a user. This service provides a system with the capability to verify that a user is the very one he or she claims to be, based on what the user is, knows, and has.
Mechanisms: user name, password, retinal images, fingerprints, physical location, identity cards
Access Control: the ability to limit and control the access to host systems and applications via communications links. It is a service the system uses, together with user pre-provided identification information such as a password, to determine who uses what of its services.
Mechanisms: biometric identification, video surveillance
Data Confidentiality: protection of transmitted data from passive attacks. This service protects system data and information from unauthorized disclosure.
Mechanisms: symmetric or asymmetric encryption
Data Integrity: service that protects data against active threats such as those that may alter it.
Mechanisms: encryption and hashing algorithms
Non-repudiation: security service that provides proof of origin and delivery of service and/or information. It prevents either sender or receiver from denying a transmitted message. Thus, when a message is sent, the receiver can prove that the alleged sender in fact sent the message.
Mechanisms: digital signature and encryption algorithms
7. A Model For Network Security
• Achieve secure transmission;
• Arbitrate disputes between the two principals concerning the authenticity of a message transmission.
1. Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service.
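The four design tasks above, applied to scenarios 2 and 3 of the Illustration section (manager D, computer E, user F), as an added example that is not part of the original slides. HMAC-SHA256, the JSON message layout, the sequence counter and all function and class names are assumptions chosen for illustration, and key distribution (task 3) is assumed to have happened out of band.

```python
import hashlib
import hmac
import json
import secrets

def generate_key() -> bytes:                      # Task 2: generate the secret information
    return secrets.token_bytes(32)

def tag(key: bytes, body: bytes) -> bytes:        # Task 1: the transformation (HMAC-SHA256, assumed)
    return hmac.new(key, body, hashlib.sha256).digest()

def encode(seq: int, payload: dict) -> bytes:     # assumed wire format: canonical JSON
    return json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()

class Sender:                                     # Task 4: protocol, sender side (manager D)
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def send(self, payload: dict) -> dict:
        self.seq += 1                             # every message gets a fresh sequence number
        body = encode(self.seq, payload)
        return {"body": body, "tag": tag(self.key, body)}

class Receiver:                                   # Task 4: protocol, receiver side (computer E)
    def __init__(self, key: bytes):
        self.key, self.last_seq = key, 0

    def receive(self, msg: dict) -> str:
        # Constant-time tag check: fails for altered bodies and for tags made without the key.
        if not hmac.compare_digest(tag(self.key, msg["body"]), msg["tag"]):
            return "rejected: bad tag"
        seq = json.loads(msg["body"])["seq"]
        if seq <= self.last_seq:                  # an old, validly tagged message delivered again
            return "rejected: replay"
        self.last_seq = seq
        return "accepted"

def demo() -> dict:
    key = generate_key()
    d, e = Sender(key), Receiver(key)             # Task 3 (distribution) assumed done out of band
    genuine = d.send({"add_users": ["alice"]})    # constructed sample message
    altered = {"body": genuine["body"].replace(b"alice", b"frank"), "tag": genuine["tag"]}
    fake = encode(1, {"add_users": ["frank"]})
    forged = {"body": fake, "tag": tag(generate_key(), fake)}   # F does not hold D's key
    return {"altered": e.receive(altered), "forged": e.receive(forged),
            "genuine": e.receive(genuine), "replayed": e.receive(genuine)}

if __name__ == "__main__":
    print(demo())
```

Because D and E hold the same key, either of them could have produced any tag, so this gives integrity and origin authentication but not non-repudiation (scenario 5), for which the Security Services section lists digital signatures. The sequence check rejects replays but does not notice a message that is merely delayed, as in scenario 4.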
8. Network Access Security Model
The security mechanisms needed to cope with unwanted access fall into two broad categories:
• The first category includes password-based login procedures that are designed to deny access to all but authorized users, and screening logic that is designed to detect and reject worms, viruses, and other similar attacks.
• Once either an unwanted user or unwanted software gains access, the second line of defense consists of a variety of internal controls that monitor activity and analyze stored information in an attempt to detect the presence of unwanted intruders.
9. Some Research Problems
• Participants must be in possession of some secret information (e.g., an encryption key), which raises questions about the creation, distribution, and protection of that secret information.
• Where to place security mechanisms: physical and logical (layers of an architecture)
• Pattern recognition
• Securing routing protocols
• Code correctness
• Security in New Generation Networks (NGN): WSN, WMN, ...
10. Review Questions and Problems (1)
Review Questions
1.1 What is the OSI security architecture?
1.2 What is the difference between passive and active security threats?
1.3 List and briefly define categories of passive and active security attacks.
1.4 List and briefly define categories of security services.
1.5 List and briefly define categories of security mechanisms.
Problems
1.1 Consider an automated teller machine (ATM) in which users provide a personal
identification number (PIN) and a card for account access. Give examples of confidentiality,
integrity, and availability requirements associated with the system and, in each case, indicate the
degree of importance of the requirement.
1.2 Repeat Problem 1.1 for a telephone switching system that routes calls through a switching
network based on the telephone number requested by the caller.
1.3 Consider a desktop publishing system used to produce documents for various organizations.
a. Give an example of a type of publication for which confidentiality of the stored data is the most
important requirement.
b. Give an example of a type of publication in which data integrity is the most important
requirement.
c. Give an example in which system availability is the most important requirement.
11. Review Questions and Problems (2)
1.4 For each of the following assets, assign a low, moderate, or high impact level for the loss of
confidentiality, availability, and integrity, respectively. Justify your answers.
a. An organization managing public information on its Web server.
b. A law enforcement organization managing extremely sensitive investigative information.
c. A financial organization managing routine administrative information (not privacy-related
information).
d. An information system used for large acquisitions in a contracting organization contains
both sensitive, pre-solicitation phase contract information and routine administrative
information. Assess the impact for the two data sets separately and the information system as a
whole.
e. A power plant contains a SCADA (supervisory control and data acquisition) system
controlling the distribution of electric power for a large military installation.
The SCADA system contains both real-time sensor data and routine administrative information.
Assess the impact for the two data sets separately and the information system as a whole.
1.5 Draw a table (matrix) that shows the relationship between security mechanisms and attacks.