Cryptography

Sixth Edition
by William Stallings

Vietnam – Korea University

of Information and Communication Technology Adopted by VKU
 Chapter 1

Overview

Vietnam – Korea University

of Information and Communication Technology
 A bit of Philosophy

“The combination of space, time, and

strength that must be considered as the
basic elements of this theory of defense
makes this a fairly complicated matter.
Consequently, it is not easy to find a fixed
point of departure.”
— On War,
Carl Von Clausewitz

Vietnam – Korea University

of Information and Communication Technology
 Computer Security

• the protection afforded to an automated

information system in order to attain the
applicable objectives of preserving the
integrity, availability and confidentiality of
information system resources (includes
hardware, software, firmware,
information/data, and telecommunications)

Vietnam – Korea University

of Information and Communication Technology
 Cryptographic algorithms and protocols can
be grouped into four main areas:
Symmetric encryption

• Used to conceal the contents of blocks or streams of data of any

size, including messages, files, encryption keys, and passwords

Asymmetric encryption

• Used to conceal small blocks of data, such as encryption keys and

hash function values, which are used in digital signatures

Data integrity algorithms

• Used to protect blocks of data, such as messages, from alteration

Authentication protocols

• Schemes based on the use of cryptographic algorithms designed to

authenticate the identity of entities

Vietnam – Korea University

of Information and Communication Technology
 The field of network and
Internet security consists of:

measures to deter,
prevent, detect, and
correct security
violations that involve
the transmission of
information

Vietnam – Korea University

of Information and Communication Technology
 Computer Security

• The NIST* Computer Security Handbook

defines the term computer security as:
“the protection afforded to an automated
information system in order to attain the
applicable objectives of preserving the
integrity, availability and confidentiality of
information system resources” (includes
hardware, software, firmware, information/
data, and telecommunications)
* National Institute of Standards and Technology, USA

Vietnam – Korea University

of Information and Communication Technology
 Computer Security Objectives
Confidentiality
• Data confidentiality
• Assures that private or confidential information is not made available or
disclosed to unauthorized individuals
• Privacy
• Assures that individuals control or influence what information related to them
may be collected and stored and by whom and to whom that information may
be disclosed

Integrity
• Data integrity
• Assures that information and programs are changed only in a specified and
authorized manner
• System integrity
• Assures that a system performs its intended function in an unimpaired manner,
free from deliberate or inadvertent unauthorized manipulation of the system

Availability
• Assures that systems work promptly and service is not denied to
authorized users

Vietnam – Korea University

of Information and Communication Technology
 CIA Triad

Vietnam – Korea University

of Information and Communication Technology
 Possible additional concepts:

Authenticity Accountability
• Verifying that users • The security goal
are who they say that generates the
they are and that requirement for
each input arriving at actions of an entity to
the system came be traced uniquely to
from a trusted source that entity

Vietnam – Korea University

of Information and Communication Technology
Breach of Security - Levels of Impact

• The loss could be expected to have a severe or

High catastrophic adverse effect on organizational
operations, organizational assets, or individuals

• The loss could be expected to have a

Moderate serious adverse effect on organizational
operations, organizational assets, or
individuals

• The loss could be expected

to have a limited adverse

Low effect on organizational

operations, organizational
assets, or individuals

Vietnam – Korea University

of Information and Communication Technology
Computer Security Challenges
• Security is not simple • Security mechanisms
• Potential attacks on the typically involve more than
security features need to a particular algorithm or
be considered protocol
• Procedures used to • Security is essentially a
provide particular services battle of wits between a
are often counter-intuitive perpetrator and the
• It is necessary to decide designer
where to use the various • Little benefit from security
security mechanisms investment is perceived
• Requires constant until a security failure
monitoring occurs
• Is too often an afterthought • Strong security is often
viewed as an impediment
to efficient and user-
friendly operation

Vietnam – Korea University

of Information and Communication Technology
 OSI* Security Architecture
• Security attack
– Any action that compromises the security of information
owned by an organization
• Security mechanism
– A process (or a device incorporating such a process)
that is designed to detect, prevent, or recover from a
security attack
• Security service
– A processing or communication service that enhances
the security of the data processing systems and the
information transfers of an organization
– Intended to counter security attacks, and they make use
of one or more security mechanisms to provide the
service
*(OSI) Open Systems Interconnection model

Vietnam – Korea University

of Information and Communication Technology
 Table 1.1
Threats and Attacks (RFC 4949)

Vietnam – Korea University

of Information and Communication Technology
Security Attacks

A means of classifying
security attacks, used both in
X.800 and RFC 4949, is in
terms of passive attacks and
active attacks
• A passive attack attempts to
learn or make use of
information from the system
but does not affect system
resources
• An active attack attempts to
alter system resources or
affect their operation

Vietnam – Korea University

of Information and Communication Technology
Passive Attacks

• Are in the nature of

eavesdropping on, or
monitoring of,
transmissions
• Goal of the opponent is to
obtain information that is
being transmitted • Two types of
passive attacks are:
– The release of
message contents
– Traffic analysis

Vietnam – Korea University

of Information and Communication Technology
 Active Attacks
• Involve some modification of • Takes place when one
the data stream or the creation entity pretends to be a
of a false stream Masquerade different entity
• Usually includes one of the
• Difficult to prevent because of other forms of active attack
the wide variety of potential
physical, software, and network • Involves the passive
capture of a data unit and
vulnerabilities Replay its subsequent
• Goal is to detect attacks and to retransmission to produce
an unauthorized effect
recover from any disruption or
delays caused by them • Some portion of a
legitimate message is
Modification altered, or messages are
of messages delayed or reordered to
produce an unauthorized
effect

• Prevents or inhibits the

Denial of normal use or
service management of
communications facilities

Vietnam – Korea University

of Information and Communication Technology
 Security Services
• Defined by X.800 as:
• A service provided by a protocol layer of
communicating open systems and that ensures
adequate security of the systems or of data transfers

• Defined by RFC 4949 as:

• A processing or communication service provided by a
system to give a specific kind of protection to system
resources

A central issue for Security Service design and implementation:

Policy and Mechanism ! Policy versus Mechanism ?

Vietnam – Korea University

of Information and Communication Technology
 X.800 Service Categories

• Authentication
• Access control
• Data confidentiality
• Data integrity
• Non-repudiation

Vietnam – Korea University

of Information and Communication Technology
 Authentication
• Concerned with assuring that a communication
is authentic
– In the case of a single message, assures the
recipient that the message is from the source that it
claims to be from
– In the case of ongoing interaction, assures the two
entities are authentic and that the connection is not
interfered with in such a way that a third party can
masquerade as one of the two legitimate parties
Two specific authentication services are defined in
X.800:
• Peer entity authentication
• Data origin authentication

Vietnam – Korea University

of Information and Communication Technology
 Access Control
• The ability to limit and control the access to host
systems and applications via communications links
• To achieve this, each entity trying to gain access
must first be indentified, or authenticated, so that
access rights can be tailored to the individual
• Currently, Authorization is administered locally.
• Distributed Authorization is a significant research
challenge problem.

Vietnam – Korea University

of Information and Communication Technology
 Data Confidentiality
• The protection of transmitted data from passive attacks
– Broadest service protects all user data transmitted between two
users over a period of time
– Narrower forms of service includes the protection of a single
message or even specific fields within a message
• The protection of traffic flow from analysis
– This requires that an attacker not be able to observe the source
and destination, frequency, length, or other characteristics of the
traffic on a communications facility

Vietnam – Korea University

of Information and Communication Technology
 Data Integrity

Can apply to a stream of messages, a single

message, or selected fields within a message

Connection-oriented integrity service, one that deals

with a stream of messages, assures that messages
are received as sent with no duplication, insertion,
modification, reordering, or replays

A connectionless integrity service, one that deals

with individual messages without regard to any
larger context, generally provides protection against
message modification only

Vietnam – Korea University

of Information and Communication Technology
 Nonrepudiation

• Prevents either sender or receiver from denying

a transmitted message
• When a message is sent, the receiver can prove
that the alleged sender in fact sent the message
• When a message is received, the sender can
prove that the alleged receiver in fact received
the message

Vietnam – Korea University

of Information and Communication Technology
 Table 1.2

Security
Services
(X.800)

(This table is found on

page 18 in textbook)
 Security Mechanisms (X.800)

Specific Security Mechanisms

• Encipherment
• Digital signatures
• Access controls
• Data integrity
• Authentication exchange Pervasive Security Mechanisms
• Traffic padding • Trusted functionality
• Routing control • Security labels
• Notarization • Event detection
• Security audit trails
• Security recovery

Vietnam – Korea University

of Information and Communication Technology
 Table 1.3

Security
Mechanisms
(X.800)

(This table is found on

pages 20-21 in textbook)
 Model for Network Security

Vietnam – Korea University

of Information and Communication Technology
 Network Access Security Model

Vietnam – Korea University

of Information and Communication Technology
 Unwanted Access
• Placement in a computer system of logic
that exploits vulnerabilities in the system and
that can affect application programs as well as
utility programs such as editors and compilers
• Programs can present two kinds of threats:
– Information access threats
• Intercept or modify data on behalf of users
who should not have access to that data
– Service threats
• Exploit service flaws in computers to
inhibit use by legitimate users

Vietnam – Korea University

of Information and Communication Technology
 Summary
• Computer security • Security services
concepts – Authentication
– Definition – Access control
– Examples – Data confidentiality
– Challenges – Data integrity
• The OSI security – Nonrepudiation
architecture – Availability service
• Security attacks • Security mechanisms
– Passive attacks
– Active attacks

Vietnam – Korea University

of Information and Communication Technology