NETWORK SECURITY (10EC832)

8th SEM E&C

JAYANTHDWIJESH H P M.tech (DECS)

Assistant Professor – Dept of E&CE

B.G.S INSTITUTE OF TECHNOLOGY (B.G.S.I.T)

B.G Nagara, Nagamangala Tq, Mandya District- 571448
NETWORK SECURITY 10EC832

NETWORK SECURITY

PART-A

UNIT-1

UNIT - 1
Services, mechanisms and attacks, The OSI security architecture, A model for
network security.

TEXT BOOK:
1. Cryptography and Network Security, William Stalling, Pearson Education, 2003.

REFERENCE BOOKS:
1. Cryptography and Network Security, Behrouz A. Forouzan, TMH, 2007.
2. Cryptography and Network Security, Atul Kahate, TMH, 2003.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 1

NETWORK SECURITY 10EC832

UNIT – 1: Services, Mechanisms and Attacks, The OSI security architecture, A Model for
Network Security.
OVERVIEW
1. SECURITY SERVICES [DEC-2012(10M)]
X.800 defines a security service as a service that is provided by a protocol layer of
communicating open systems and that ensures adequate security of the systems or of data
transfers.
Also the RFC 2828(Internet Security Glossary version 2) defines security services as a
processing or communication service that is provided by a system to give a specific kind of
protection to system resources.

X.800 divides these services into five categories and fourteen specific services. Shown in the
fig1 and table 1.

Figure 1: Security services

1.1. Authentication
 The authentication service is concerned with assuring that a communication is
authentic.
 In the case of a single message, such as a warning or alarm signal, the function of the
authentication service is to assure the recipient that the message is from the source
that it claims to be from.
 In the case of an ongoing interaction, such as the connection of a terminal to a host,
two aspects are involved.
 First, at the time of connection initiation, the service assures that the two
entities are authentic, that is, that each is the entity that it claims to be.
 Second, the service must assure that the connection is not interfered with in
such a way that a third party can masquerade as one of the two legitimate
parties for the purposes of unauthorized transmission or reception.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 2

NETWORK SECURITY 10EC832

OR
Authentication
 This service provides the authentication of the Party at the other end of the line.
 In connection –oriented communication, it provides authentication of the sender or
receiver during the connection establishment (peer entity authentication).
 In connectionless communication, it authenticates of the data (data origin
authentication).
Two specific authentication services are defined in X.800:
a. Peer entity authentication:
 Provides for the corroboration of the identity of a peer entity in an association.
 Peer entity authentication is provided for use at the establishment of, or at times
during the data transfer phase of, a connection.
 It attempts to provide confidence that an entity is not performing either a masquerade
or an unauthorized replay of a previous connection.

b. Data origin authentication:

 Provides for the corroboration of the source of a data unit.
 It does not provide protection against the duplication or modification of data units.
 This type of service supports applications like electronic mail, where there are no
prior interactions between the communicating entities.

1.2. Access Control

 Access control is the ability to limit and control the access to host systems and
applications via communications links.
 To achieve this, each entity trying to gain access must first be identified, or
authenticated, so that access rights can be tailored to the individual.
OR
Access Control
 Access control provides protection against unauthorized access to data.
 The term access in this definition is very broad and can involve reading, writing,
modifying, executing programs and so on.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 3

NETWORK SECURITY 10EC832

Table 1: Security Services (X.800)

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 4

NETWORK SECURITY 10EC832

1.3. Data Confidentiality

 Confidentiality is the protection of transmitted data from passive attacks. With respect
to the content of a data transmission, several levels of protection can be identified.
 The broadest service protects all user data transmitted between two users over a
period of time.
 Narrower forms of this service can also be defined, including the protection of a
single message or even specific fields within a message.
 The other aspect of confidentiality is the protection of traffic flow from analysis. This
requires that an attacker not be able to observe the source and destination, frequency,
length, or other characteristics of the traffic on a communications facility.
OR
Data Confidentiality
 Data confidentiality is designed to protect data from disclosure attack.
 The service as defined by X.800 is very broad and encompasses confidentiality of the
whole message or part of a message and also protection against traffic analysis.
 That is, it is designed to prevent snooping and traffic analysis attack.

1.4. Data Integrity

 Data integrity is designed to protect data from modification, insertion, depletion and
replying by an adversary. It may protect the whole message or part of the message.
 As with confidentiality, integrity can apply to a stream of messages, a single message,
or selected fields within a message.
 A connection-oriented integrity service, one that deals with a stream of messages,
assures that messages are received as sent with no duplication, insertion, modification,
reordering, or replays.
 The connection-oriented integrity service addresses both message stream modification
and denial of service.
 a connectionless integrity service, one that deals with individual messages without
regard to any larger context, generally provides protection against message
modification only.
 We can make a distinction between service with and without recovery. Because the
integrity service relates to active attacks, we are concerned with detection rather than
prevention.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 5

NETWORK SECURITY 10EC832

 If a violation of integrity is detected, then the service may simply report this violation,
and some other portion of software or human intervention is required to recover from
the violation.
 Alternatively there are mechanisms available to recover from the loss of integrity of
data as we will review subsequently.
 The incorporation of automated recovery mechanisms is, in general, the more
attractive alternative.

1.5 Nonrepudiation
 Nonrepudiation prevents either sender or receiver from denying a transmitted
message.
 Thus, when a message is sent, the receiver can prove that the alleged sender in fact
sent the message. Similarly, when a message is received, the sender can prove that the
alleged receiver in fact received the message.
OR
Nonrepudiation
 Nonrepudiation service protects against repudiation by either the sender or the
receiver of the data.
 In Nonrepudiation with proof of the origin, the receiver of the data can later prove the
identity of the sender if denied.
 In Nonrepudiation with proof of delivery, the sender of data can later prove that data
were delivered to the intended recipient.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 6

NETWORK SECURITY 10EC832

2 SECURITY MECHANISMS [DEC-2011(8M)]

Table 2 lists the security mechanisms. The mechanisms are divided into those that are
implemented in a specific protocol layer, such as TCP or an application-layer protocol, and
those that are not specific to any particular protocol layer or security service.

Table 2: Security mechanisms

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 7

 NETWORK SECURITY 10EC832

Mechanism
Service Enciph- Digital Access Data Authentication Traffic Routing Notarization
erment signature control integrity exchange padding control

Peer entity authentication Y Y Y

Data origin authentication Y Y
Access control Y
Confidentiality Y Y
Traffic flow Y Y Y
confidentially
Data integrity Y Y Y
Nonrepudiation Y Y Y
Availability Y Y

Table 3: Relationships between Security Services and Mechanisms

3 SECURITY ATTACKS [JUNE-2010(6M), DEC-2011(8M), JULY-2011(8M), JUNE-

2012(10M), DEC-2012(4M), JULY-2013(4M), JULY-2015(6M), JULY-2017(10M)]

 A useful means of classifying security attacks is in terms of passive attacks and active
attacks.
 A passive attack attempts to learn or make use of information from the system but
does not affect system resources.
 An active attack attempts to alter system resources or affect their operation.

3.1 Passive Attacks

 Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions.
 The goal of the opponent is to obtain information that is being transmitted.
 Two types of passive attacks are the release of message contents and traffic analysis.
 The release of message contents is easily understood (Figure 2(a)).A telephone
conversation, an electronic mail message, and a transferred file may contain
sensitive or confidential information. We would like to prevent an opponent from
learning the contents of these transmissions.
 A second type of passive attack, traffic analysis, is subtler (Figure 2(b)). Suppose
that we had a way of masking the contents of messages or other information
traffic so that opponents, even if they captured the message, could not extract the
information from the message. The common technique for masking contents is
encryption. If we had encryption protection in place, an opponent might still be
able to observe the pattern of these messages. The opponent could determine the

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 8

NETWORK SECURITY 10EC832

location and identity of communicating hosts and could observe the frequency and
length of messages being exchanged. This information might be useful in guessing
the nature of the communication that was taking place.

(a) : Release of message contents

(b): Traffic analysis

Figure 2: Passive Attacks

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 9

NETWORK SECURITY 10EC832

 Passive attacks are very difficult to detect, because they do not involve any alteration
of the data. However, it is feasible to prevent the success of these attacks, usually by
means of encryption. Thus, the emphasis in dealing with passive attacks is on
prevention rather than detection.

3.2 Active Attacks

 Active attacks involve some modification of the data stream or the creation of a false
stream and can be subdivided into four categories: masquerade, replay,
modification Of messages, and denial of service.

1. Masquerade: -
 A masquerade takes place when one entity pretends to be a different entity (Figure a).
 A masquerade attack usually includes one of the other forms of active attack.
 For example, authentication sequences can be captured and replayed after a valid
authentication sequence has taken place, thus enabling an authorized entity with few
privileges to obtain extra privileges by impersonating an entity that has those
privileges.

(a) Masquerade

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 10

NETWORK SECURITY 10EC832

2. Replay:-
 Involves the passive capture of a data unit and its subsequent retransmission to
produce an unauthorized effect (Figure b).

(b) Replay

3. Modification of messages:-
 Modification of messages simply means that some portion of a legitimate message is
altered, or that messages are delayed or reordered, to produce an unauthorized effect
(Figure c).
 For example, a message meaning ―”Allow John Smith to read confidential file
accounts “is modified to mean ―”Allow Fred Brown to read confidential file
accounts”.

(c) Modification of messages

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 11

NETWORK SECURITY 10EC832

4. Denial of service:-
 The denial of service prevents or inhibits the normal use or management of
communications facilities (Figure d).
 This attack may have a specific target; for example, an entity may suppress all
messages directed to a particular destination.
 Another form of service denial is the disruption of an entire network, either by
disabling the network or by overloading it with messages so as to degrade
performance.

(d) Denial of service

Figure 3: Active Attacks
 Active attacks present the opposite characteristics of passive attacks. Whereas passive
attacks are difficult to detect, measures are available to prevent their success.
 It is quite difficult to prevent active attacks absolutely because of the wide variety of
potential physical, software, and network vulnerabilities.
 Instead, the goal is to detect active attacks and to recover from any disruption or
delays caused by them. If the detection has a deterrent effect, it may also contribute to
prevention.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 12

NETWORK SECURITY 10EC832

4 THE OSI SECURITY ARCHITECTURE

The OSI security architecture is useful to managers as a way of organizing the task of
providing security. The OSI security architecture focuses on security attacks, mechanisms,
and services. These can be defined briefly as
 Security attack: Any action that compromises the security of information owned by
an organization.
 Security mechanism: A process (or a device incorporating such a process) that is
designed to detect, prevent, or recover from a security attack.
 Security service: A processing or communication service that enhances the security
of the data processing systems and the information transfers of an organization. The
services are intended to counter security attacks, and they make use of one or more
security mechanisms to provide the service.

5 A MODEL FOR NETWORK SECURITY AND NETWORK ACESS

SECURITY MODEL [DEC-2010(5M), JUNE-2010(6M), DEC-2011(4M), JUNE-

2012(10M),DEC-2012(6M), JULY-2013(6M),JAN-2014(8M), JAN-2015(6M),JAN-2016(10M), JULY-

2017(10M)]
FIG 4:-
 A message is to be transferred from one party to another across some sort of Internet
service.
 The two parties, who are the principals in this transaction, must cooperate for the
exchange to take place.
 A logical information channel is established by defining a route through the Internet
from source to destination and by the cooperative use of communication protocols
(e.g., TCP/IP) by the two principals.
 Security aspects come into play when it is necessary or desirable to protect the
information transmission from an opponent who may present a threat to
confidentiality, authenticity, and so on.
 All the techniques for providing security have two components:
 A security-related transformation on the information to be sent.
Examples:- include the encryption of the message, which scrambles the message
so that it is unreadable by the opponent, and the addition of a code based on the
contents of the message, which can be used to verify the identity of the sender.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 13

NETWORK SECURITY 10EC832

 Some secret information shared by the two principals and, it is hoped, unknown to
the opponent.
An example is an encryption key used in conjunction with the transformation to
scramble the message before transmission and unscramble it on reception.
 A trusted third party may be needed to achieve secure transmission.
For example, a third party may be responsible for distributing the secret information
to the two principals while keeping it from any opponent. Or a third party may be
needed to arbitrate disputes between the two principals concerning the authenticity of
a message transmission.

Figure 4: Model for Network Security

 This general model shows that there are four basic tasks in designing a particular
security service:
1. Design an algorithm for performing the security-related transformation. The
algorithm should be such that an opponent cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security
algorithm and the secret information to achieve a particular security service.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 14

NETWORK SECURITY 10EC832

FIG 5:-

Figure 5: Network Access Security Model

The security mechanisms needed to cope with unwanted access fall into two broad categories
(see above Figure 1.4).The first category might be termed a gatekeeper function. It includes
password-based login procedures that are designed to deny access to all but authorized users
and screening logic that is designed to detect and reject worms, viruses, and other similar
attacks. Once either an unwanted user or unwanted software gains access, the second line of
defense consists of a variety of internal controls that monitor activity and analyze stored
information in an attempt to detect the presence of unwanted intruders.

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 15

NETWORK SECURITY 10EC832

QUESTION BANK –NETWORK SECURITY

UNIT-1
MAY/JUNE-2010
1. Draw the model of network security and explain briefly. [MAY/JUNE-2010(6M)]
2. Classify the various security attacks and define them. [MAY/JUNE-2010(6M)]
DEC-2010
1. With a neat block diagram, describe the model for network security. [DEC-2010(5M)]
2. Explain the types of attack on encrypted messages. [DEC-2010(5M)]
JUNE/JULY-2011
1. Define security attacks and briefly define categorized of passive and active security
attacks. [JUNE/JULY-2011(8M)]
DEC-2011
1. List the example of security attacks each of which has arisen in a number of real
world cases. [DEC-2011(8M)]
2. Give the table showing relationship b/w security services and mechanisms. [DEC-
2011(8M)]
JUNE-2012
1. Define passive and active security attacks. Discuss the functioning of following
attacks with diagram: 1) Masquerade 2) Replay 3) Modification of messages 4)
Denial of service. [JUNE-2012(10M)]
2. With a neat block diagram, discuss the functioning of network security model. List
four basic tasks of designing security model. [JUNE-2012(10M)]
DEC-2012
1. Explain how security services can be categorized. [DEC-2012(10M)]
2. Draw the model of network security and explain briefly. [DEC-2012(6M)]
3. Classify the various security attacks. [DEC-2012(4M)]
JUNE/JULY-2013
1. Draw the model of network security. Explain it briefly. [JUNE/JULY-2013(6M)]
2. Distinguish passive and active attacks. With a figure explain masquerade attack.
[JUNE/JULY-2013(4M)]
JAN -2014
1. Explain the model for network security. [DEC/JAN -2014(8M)]
JUN/JULY-2014
1. Differentiate b/w active and passive attacks. [JUN/JULY-2014(4M)]

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 16

NETWORK SECURITY 10EC832

2. Explain the different categories of security services. [JUN/JULY-2014(6M)]

3. Draw the block diagram of network security model and explain it. Mention basic tasks
in designing a particular security services. [JUN/JULY-2014(10M)]
JAN-2015
1. With a neat block diagram, explain the model for network security. [DEC/JAN-
2015(6M)]
2. Briefly explain the categories of security attacks. [DEC/JAN-2015(6M)]
JUN/JULY-2015
1. Explain X-800 security mechanism, in details. [JUN/JULY-2015(10M)]
2. Differentiate b/w active and passive attacks. [JUN/JULY-2015(4M)]
DEC/JAN-2016
1. With a neat block diagram, discuss the functioning of network security model. List
four basic tasks of designing security model. [DEC/JAN-2016(10M)]
JUN/JULY-2017
1. With a neat block diagram, discuss the functioning of network security model. List
four basic tasks of designing security model. [JUN/JULY-2017(10M)]
2. Define passive and active security attacks. Discuss the functioning of following
attacks with diagram: 1) Masquerade 2) Replay 3) Modification of messages 4)
Denial of service. [JUN/JULY-2017(10M)]

Dept. of ECE, BGSIT, BG Nagara, Mandya Page 17