Cryptography and Network Security:
Principles and Practice
Seventh Edition
Chapter 11
Cryptographic Hash
Functions
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Hash Functions
• A hash function H accepts a variable-length block of data
M as input and produces a fixed-size hash value
– h = H ( M)
– Principal object is data integrity
• Cryptographic hash function
– An algorithm for which it is computationally infeasible
to find either:
(a) a data object that maps to a pre-specified hash
result (the one-way property)
(b) two data objects that map to the same hash
result (the collision-free property)
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Figure 11.1 Cryptographic Hash Function h =
uppercase h left parenthesis m right parenthesis
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Figure 11.2 Attack Against Hash Function
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Figure 11.3 Simplified Examples of the Use of
a Hash Function for Message Authentication
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Message Authentication Code (MAC)
• Also known as a keyed hash function
• Typically used between two parties that share a secret key to
authenticate information exchanged between those parties
• Takes as input a secret key and a data block and produces a
hash value (MAC) which is associated with the protected
message
– If the integrity of the message needs to be checked, the M
AC function can be applied to the message and the result
compared with the associated MAC value
– An attacker who alters the message will be unable to alter
the associated MAC value without knowledge of the secret
key
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Digital Signature
• Operation is similar to that of the MAC
• The hash value of a message is encrypted with a user’s
private key
• Anyone who knows the user’s public key can verify the
integrity of the message
• An attacker who wishes to alter the message would need
to know the user’s private key
• Implications of digital signatures go beyond just message
authentication
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Figure 11.4 Simplified Examples of Digital
Signatures
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Other Hash Function Uses (1 of 2)
• Commonly used to create a one-way password file
– When a user enters a password, the hash of that
password is compared to the stored hash value for
verification
– This approach to password protection is used by most
operating systems
• Can be used for intrusion and virus detection
– Store H(F) for each file on a system and secure the
hash values
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Other Hash Function Uses (2 of 2)
– One can later determine if a file has been modified by
H(F)
re
recomputing
– An intruder would need to change F without changing
H(F)
• Can be used to construct a pseudorandom function (PR
F) or a pseudorandom number generator (PRNG)
– A common application for a hash-based PRF is for
the generation of symmetric keys
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Two Simple Hash Functions (1 of 2)
• Consider two simple insecure hash functions that operate
using the following general principles:
– The input is viewed as a sequence of n-bit blocks
– The input is processed one block at a time in an
iterative fashion to produce an n-bit hash function
• Bit-by-bit exclusive-OR (XOR) of every block
− Ci = bi1xor bi 2 xor . . . xor bim
– Produces a simple parity for each bit position and is
known as a longitudinal redundancy check
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Two Simple Hash Functions (2 of 2)
– Reasonably effective for random data as a data
integrity check
• Perform a one-bit circular shift on the hash value after
each block is processed
– Has the effect of randomizing the input more
completely and overcoming any regularities that
appear in the input
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Figure 11.5 Two Simple Hash Functions
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Requirements and Security
Preimage
Collision
x is the preimage of h for a Occurs if we have
hash value h = H ( x )
x y and H ( x ) = H ( y )
Is a data block whose
hash function, using the
function H, is h
Because we are using
hash functions for data
integrity, collisions are
clearly undesirable
Because H is a many-toone mapping, for any
given hash value h, there
will in general be multiple
preimages
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Table 11.1 Requirements for a
Cryptographic Hash Function H
Requirement
Description
Variable input size
H can be applied to a block of data of any
size.
Fixed output Size
H produces a fixed-length output.
Efficiency
H ( x ) is relatively easy to compute for any
given x. making both hardware and
software implementations practical.
Preimage resistant (one-way property)
For any given hash value h. it is
computationally infeasible to find y such that
H ( y ) = h.
Second preimage resistant (weak collision
resistant)
For any given block x, it is computationally
infeasible to find y x with H( y ) = H( x).
Collision resistant (strong collision resistant)
It is computationally infeasible to find any
pair ( x. y ) such that H ( x ) H ( y ) .
Pseudo randomness
Output of H meets standard tests for
Pseudo randomness
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Figure 11.6 Relationship Among Hash
Function Properties
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Table 11.2 Hash Function Resistance Properties
Required for Various Data Integrity Applications
Blank
Preimage
Resistant
Second
Preimage
Resistant
Collision
Resistant
Hash + digital
Signature
Yes
Yes
Yes*
Intrusion
Detection and
virus detection
Blank
Yes
Blank
Hash + symmetric Blank
encryption
Blank
Blank
One-way
password file
Yes
Blank
Blank
MAC
Yes
Yes
Yes*
* Resistance required if attacker is able to mount a chosen message attack
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Attacks on Hash Functions
Brute-Force Attacks
Cryptanalysis
Does not depend on the
specific algorithm, only
depends on bit length
An attack based on
weaknesses in a particular
cryptographic algorithm
In the case of a hash
function, attack depends
only on the bit length of
the hash value
Seek to exploit some
property of the algorithm to
perform some attack other
than an exhaustive search
Method is to pick values at Blank
random and try each one
until a collision occurs
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Collision Resistant Attacks (1 of 3)
• For a collision resistant attack, an adversary wishes to
find two messages or data blocks that yield the same
hash function
– The effort required is explained by a mathematical
result referred to as the birthday paradox
• Yuval proposed the following strategy to exploit the
birthday paradox in a collision resistant attack:
– The source (A) is prepared to sign a legitimate
message x by appending the appropriate m-bit hash
code and encrypting that hash code with A’s private
key
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Collision Resistant Attacks (2 of 3)
– Opponent generates 2m/2 variations x’ of x, all with
essentially the same meaning, and stores the
messages and their hash values
– Opponent prepares a fraudulent message y for which
A’s signature is desired
– Opponent generates minor variations y’ of y, all of
which convey essentially the same meaning. For
each y’, the opponent computes H (y’), checks for
matches with any of the H (x’) values, and continues
until a match is found. That is, the process continues
until a y’ is generated with a hash value equal to the
hash value of one of the x’ values
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Collision Resistant Attacks (3 of 3)
– The opponent offers the valid variation to A for
signature which can then be attached to the
fraudulent variation for transmission to the intended
recipient
▪ Because the two variations have the same hash
code, they will produce the same signature and the
opponent is assured of success even though the
encryption key is not known
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Figure 11.7 A Letter in 2 to the twenty
eighth power Variation
(Letter is located on page 334 in textbook)
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Figure 11.8 General Structure of Secure
Hash Code
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Hash Functions Based on Cipher Block
Chaining (1 of 3)
• A number of proposals have been made for hash
functions based on using a cipher block chaining
technique, but without using the secret key
• One of the first proposals was that of Rabin
– Divide a message M into fixed-size blocks
M1 , M 2 , . . . , M N and use a symmetric encryption
system such as DES to compute the hash code G as
H 0 = initial value
H i = E(M i , H i−1 )
G = HN
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Hash Functions Based on Cipher Block
Chaining (2 of 3)
– Similar to the CBC technique, but in this case, there is
no secret key
– As with any hash code, this scheme is subject to the
birthday attack
– If the encryption algorithm is DES and only a 64-bit
hash code is produced, the system is vulnerable
• Meet-in-the-middle-attack
– Another version of the birthday attack used even if the
opponent has access to only one message and its
valid signature and cannot obtain multiple signings
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Hash Functions Based on Cipher Block
Chaining (3 of 3)
• It can be shown that some form of birthday attack will
succeed against any hash scheme involving the use of
cipher block chaining without a secret key, provided that
either the resulting hash code is small enough or that a
larger hash code can be decomposed into independent
sub codes
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Secure Hash Algorithm (SHA)
• SHA was originally designed by the National Institute of
Standards and Technology (NIST) and published as a federal
information processing standard (FIPS 180) in 1993
• Was revised in 1995 as SHA-1
• Based on the hash function MD4 and its design closely models
MD4
• Produces 160-bit hash values
• In 2002 NIST produced a revised version of the standard that
defined three new versions of SHA with hash value lengths of
256, 384, and 512
– Collectively known as SHA-2
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Table 11.3 Comparison of SHA Parameters
Algorithm
Message
Size
Block Size Word
Size
Message
Digest Size
SHA-1
264
264
264
512
32
160
512
32
224
512
32
256
2128
2128
1024
64
384
1024
64
512
SHA512/224
2128
1024
64
224
SHA512/256
2128
1024
64
256
SHA-224
SHA-256
SHA-384
SHA-512
Note: All sizes are measured in bits.
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Figure 11.9 Message Digest Generation
Using SHA-512
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Figure 11.10 SHA-512 Processing of a
Single 1024-Bit Block
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Table 11.4 SHA-512 Constants
(Table can be found on page 341 in textbook)
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Figure 11.11 Elementary SHA-512
Operation (Single Round)
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Figure 11.12 Creation of 80-Word Input Sequence
for SHA-512 Processing of Single Block
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Figure 11.13 SHA-512 Logic
(Figure can be found on page 345 in textbook)
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
SHA-3
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
The Sponge Construction
• Underlying structure of SHA-3 is a scheme referred to by its
designers as a sponge construction
• Takes an input message and partitions it into fixed-size blocks
• Each block is processed in turn with the output of each
iteration fed into the next iteration, finally producing an output
block
• The sponge function is defined by three parameters:
– f = the internal function used to process each input block
– r = the size in bits of the input blocks, called the bitrate
– pad = the padding algorithm
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Figure 11.14 Sponge Function Input and
Output
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Figure 11.15 Sponge Construction
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Table 11.5 SHA-3 Parameters
Message
Digest Size
224
256
384
512
No maximum
No maximum
No maximum
No maximum
Block Size
(bitrate r)
1152
1088
832
576
Word Size
64
64
64
64
Number of
Rounds
24
24
24
24
Capacity c
448
512
768
1024
Collision
Resistance
2112
2128
2192
2256
Second
Preimage
Resistance
2224
2256
2384
2512
Message Size
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Figure 11.16 SHA-3 State Matrix
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Figure 11.17 SHA-3 Iteration Function f
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Table 11.6 Step Functions in SHA-3
Function
Type
Description
Substitution
New value Of each bit in each word depends its
current value and on one bit in each word of
preceding column and one bit of each word in
succeeding column.
Permutation
The bits of each word are permuted using a circular
bit shift. w[0,0] is not affected.
Permutation
Words are permuted in the 5x5 matrix. w[0,0] not
affected.
Substitution
New value of each bit in each word depends on its
current value and on one bit in next word in the same
row and one bit in the second next word in the same
row.
Substitution
w[0,0] is updated by XOR with a round constant.
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Figure 11.18 Theta and Chi Step Functions
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Figure 11.19 Pi Step Function
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Table 11.8 Round Constants in SHA-3 (1 of 2)
Round
Constant (hexadecimal)
Number of 1 bits
0
0000000000000001
1
1
0000000000008082
3
2
800000000000808A
5
3
8000000080008000
3
4
000000000000808B
5
5
0000000080000001
2
6
8000000080008081
5
7
8000000000008009
4
8
000000000000008A
3
9
0000000000000088
2
10
0000000080008009
4
11
000000008000000A
3
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Table 11.8 Round Constants in SHA-3 (2 of 2)
Round
Constant (hexadecimal)
Number of 1 bits
12
000000008000808B
6
13
800000000000008B
5
14
8000000000008089
5
15
8000000000008003
4
16
8000000000008002
3
17
8000000000000080
2
18
000000000000800A
3
19
800000008000000A
4
20
8000000080008081
5
21
8000000000008080
3
22
0000000080000001
2
23
8000000080008008
4
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Summary
• Applications of
cryptographic hash
functions
– Message
authentication
– Digital signatures
– Other applications
• Hash functions based
on cipher block chaining
• Requirements and security
– Security requirements
for cryptographic hash
functions
– Brute-force attacks
– Cryptanalysis
• SHA-3
– The sponge
construction
– The SHA-3 Iteration
Function f
• Secure hash algorithm
(SHA)
– SHA-512 logic
– SHA-512 round
function
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Copyright
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
CRYPTOGRAPHY AND
NETWORK SECURITY
PRINCIPLES AND PRACTICE
SEVENTH EDITION
GLOBAL EDITION
William Stallings
Boston Columbus Indianapolis New York San Francisco Hoboken
Amsterdam Cape Town Dubai London Madrid Milan Munich Paris Montréal Toronto
Delhi Mexico City São Paulo Sydney Hong Kong Seoul Singapore Taipei Tokyo
Hiva-Network.Com
For Tricia: never dull, never boring,
the smartest and bravest person
I know
Vice President and Editorial Director, ECS:
Marcia J. Horton
Executive Editor: Tracy Johnson (Dunkelberger)
Editorial Assistant: Kristy Alaura
Acquisitions Editor, Global Editions: Abhijit Baroi
Program Manager: Carole Snyder
Project Manager: Robert Engelhardt
Project Editor, Global Editions: K.K. Neelakantan
Media Team Lead: Steve Wright
R&P Manager: Rachel Youdelman
R&P Senior Project Manager: William Opaluch
Senior Operations Specialist: Maura Zaldivar-Garcia
Inventory Manager: Meredith Maresca
Inventory Manager: Meredith Maresca
Senior Manufacturing Controller, Global Editions:
Trudy Kimber
Media Production Manager, Global Editions:
Vikram Kumar
Product Marketing Manager: Bram Van Kempen
Marketing Assistant: Jon Bryant
Cover Designer: Lumina Datamatics
Cover Art: © goghy73 / Shutterstock
Full-Service Project Management:
Chandrakala Prakash, SPi Global
Composition: SPi Global
Credits and acknowledgments borrowed from other sources and reproduced, with permission, in this textbook
appear on page 753.
Pearson Education Limited
Edinburgh Gate
Harlow
Essex CM20 2JE
England
and Associated Companies throughout the world
Visit us on the World Wide Web at:
www.pearsonglobaleditions.com
© Pearson Education Limited 2017
The right of William Stallings to be identified as the author of this work has been asserted by him in accordance
with the Copyright, Designs and Patents Act 1988.
Authorized adaptation from the United States edition, entitled Cryptography and Network Security: Principles and
Practice, 7th Edition, ISBN 978-0-13-444428-4, by William Stallings published by Pearson Education © 2017.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in
any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without either the prior
written permission of the publisher or a license permitting restricted copying in the United Kingdom issued by the
Copyright Licensing Agency Ltd, Saffron House, 6–10 Kirby Street, London EC1N 8TS.
All trademarks used herein are the property of their respective owners. The use of any trademark in this text does
not vest in the author or publisher any trademark ownership rights in such trademarks, nor does the use of such
trademarks imply any affiliation with or endorsement of this book by such owners.
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library
10 9 8 7 6 5 4 3 2 1
ISBN 10:1-292-15858-1
ISBN 13: 978-1-292-15858-7
Typeset by SPi Global
Printed and bound in Malaysia.
CONTENTS
Notation 10
Preface 12
About the Author 18
PART ONE: BACKGROUND 19
Chapter 1 Computer and Network Security Concepts 19
1.1
Computer Security Concepts 21
1.2
The OSI Security Architecture 26
1.3
Security Attacks 27
1.4
Security Services 29
1.5
Security Mechanisms 32
1.6
Fundamental Security Design Principles 34
1.7
Attack Surfaces and Attack Trees 37
1.8
A Model for Network Security 41
1.9
Standards 43
1.10
Key Terms, Review Questions, and Problems 44
Chapter 2 Introduction to Number Theory 46
2.1
Divisibility and the Division Algorithm 47
2.2
The Euclidean Algorithm 49
2.3
Modular Arithmetic 53
2.4
Prime Numbers 61
2.5
Fermat’s and Euler’s Theorems 64
2.6
Testing for Primality 68
2.7
The Chinese Remainder Theorem 71
2.8
Discrete Logarithms 73
2.9
Key Terms, Review Questions, and Problems 78
Appendix 2A The Meaning of Mod 82
PART TWO: SYMMETRIC CIPHERS 85
Chapter 3 Classical Encryption Techniques 85
3.1
Symmetric Cipher Model 86
3.2
Substitution Techniques 92
3.3
Transposition Techniques 107
3.4
Rotor Machines 108
3.5
Steganography 110
3.6
Key Terms, Review Questions, and Problems 112
Chapter 4 Block Ciphers and the Data Encryption Standard 118
4.1
Traditional Block Cipher Structure 119
4.2
The Data Encryption Standard 129
4.3
A DES Example 131
4.4
The Strength of DES 134
3
4
CONTENTS
4.5
Block Cipher Design Principles 135
4.6
Key Terms, Review Questions, and Problems 137
Chapter 5 Finite Fields 141
5.1
Groups 143
5.2
Rings 145
5.3
Fields 146
5.4
Finite Fields of the Form GF(p) 147
5.5
Polynomial Arithmetic 151
5.6
Finite Fields of the Form GF(2n) 157
5.7
Key Terms, Review Questions, and Problems 169
Chapter 6 Advanced Encryption Standard 171
6.1
Finite Field Arithmetic 172
6.2
AES Structure 174
6.3
AES Transformation Functions 179
6.4
AES Key Expansion 190
6.5
An AES Example 193
6.6
AES Implementation 197
6.7
Key Terms, Review Questions, and Problems 202
Appendix 6A Polynomials with Coefficients in GF(28) 203
Chapter 7 Block Cipher Operation 207
7.1
Multiple Encryption and Triple DES 208
7.2
Electronic Codebook 213
7.3
Cipher Block Chaining Mode 216
7.4
Cipher Feedback Mode 218
7.5
Output Feedback Mode 220
7.6
Counter Mode 222
7.7
XTS-AES Mode for Block-Oriented Storage Devices 224
7.8
Format-Preserving Encryption 231
7.9
Key Terms, Review Questions, and Problems 245
Chapter 8 Random Bit Generation and Stream Ciphers 250
8.1
Principles of Pseudorandom Number Generation 252
8.2
Pseudorandom Number Generators 258
8.3
Pseudorandom Number Generation Using a Block Cipher 261
8.4
Stream Ciphers 267
8.5
RC4 269
8.6
True Random Number Generators 271
8.7
Key Terms, Review Questions, and Problems 280
PART THREE: ASYMMETRIC CIPHERS 283
Chapter 9 Public-Key Cryptography and RSA 283
9.1
Principles of Public-Key Cryptosystems 285
9.2
The RSA Algorithm 294
9.3
Key Terms, Review Questions, and Problems 308
CONTENTS
Chapter 10 Other Public-Key Cryptosystems 313
10.1
Diffie-Hellman Key Exchange 314
10.2
Elgamal Cryptographic System 318
10.3
Elliptic Curve Arithmetic 321
10.4
Elliptic Curve Cryptography 330
10.5
Pseudorandom Number Generation Based on an Asymmetric Cipher 334
10.6
Key Terms, Review Questions, and Problems 336
PART FOUR: CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS 339
Chapter 11 Cryptographic Hash Functions 339
11.1
Applications of Cryptographic Hash Functions 341
11.2
Two Simple Hash Functions 346
11.3
Requirements and Security 348
11.4
Hash Functions Based on Cipher Block Chaining 354
11.5
Secure Hash Algorithm (SHA) 355
11.6
SHA-3 365
11.7
Key Terms, Review Questions, and Problems 377
Chapter 12 Message Authentication Codes 381
12.1
Message Authentication Requirements 382
12.2
Message Authentication Functions 383
12.3
Requirements for Message Authentication Codes 391
12.4
Security of MACs 393
12.5
MACs Based on Hash Functions: HMAC 394
12.6
MACs Based on Block Ciphers: DAA and CMAC 399
12.7
Authenticated Encryption: CCM and GCM 402
12.8
Key Wrapping 408
12.9
Pseudorandom Number Generation Using Hash Functions and MACs 413
12.10
Key Terms, Review Questions, and Problems 416
Chapter 13 Digital Signatures 419
13.1
Digital Signatures 421
13.2
Elgamal Digital Signature Scheme 424
13.3
Schnorr Digital Signature Scheme 425
13.4
NIST Digital Signature Algorithm 426
13.5
Elliptic Curve Digital Signature Algorithm 430
13.6
RSA-PSS Digital Signature Algorithm 433
13.7
Key Terms, Review Questions, and Problems 438
PART FIVE: MUTUAL TRUST 441
Chapter 14 Key Management and Distribution 441
14.1
Symmetric Key Distribution Using Symmetric Encryption 442
14.2
Symmetric Key Distribution Using Asymmetric Encryption 451
Distribution of Public Keys 454
14.3
14.4
X.509 Certificates 459
5
6
CONTENTS
14.5
Public-Key Infrastructure 467
14.6
Key Terms, Review Questions, and Problems 469
Chapter 15 User Authentication 473
15.1
Remote User-Authentication Principles 474
15.2
Remote User-Authentication Using Symmetric Encryption 478
15.3
Kerberos 482
15.4
Remote User-Authentication Using Asymmetric Encryption 500
15.5
Federated Identity Management 502
15.6
Personal Identity Verification 508
15.7
Key Terms, Review Questions, and Problems 515
PART SIX: NETWORK AND INTERNET SECURITY 519
Chapter 16 Network Access Control and Cloud Security 519
16.1
Network Access Control 520
16.2
Extensible Authentication Protocol 523
16.3
IEEE 802.1X Port-Based Network Access Control 527
16.4
Cloud Computing 529
16.5
Cloud Security Risks and Countermeasures 535
16.6
Data Protection in the Cloud 537
16.7
Cloud Security as a Service 541
16.8
Addressing Cloud Computing Security Concerns 544
16.9
Key Terms, Review Questions, and Problems 545
Chapter 17 Transport-Level Security 546
17.1
Web Security Considerations 547
17.2
Transport Layer Security 549
17.3
HTTPS 566
17.4
Secure Shell (SSH) 567
17.5
Key Terms, Review Questions, and Problems 579
Chapter 18 Wireless Network Security 581
18.1
Wireless Security 582
18.2
Mobile Device Security 585
18.3
IEEE 802.11 Wireless LAN Overview 589
18.4
IEEE 802.11i Wireless LAN Security 595
18.5
Key Terms, Review Questions, and Problems 610
Chapter 19 Electronic Mail Security 612
19.1
Internet Mail Architecture 613
19.2
Email Formats 617
19.3
Email Threats and Comprehensive Email Security 625
19.4
S/MIME 627
19.5
Pretty Good Privacy 638
19.6
DNSSEC 639
19.7
DNS-Based Authentication of Named Entities 643
19.8
Sender Policy Framework 645
19.9
DomainKeys Identified Mail 648
CONTENTS
19.10
19.11
Chapter 20
20.1
20.2
20.3
20.4
20.5
20.6
20.7
Domain-Based Message Authentication, Reporting, and Conformance 654
Key Terms, Review Questions, and Problems 659
IP Security 661
IP Security Overview 662
IP Security Policy 668
Encapsulating Security Payload 673
Combining Security Associations 681
Internet Key Exchange 684
Cryptographic Suites 692
Key Terms, Review Questions, and Problems 694
APPENDICES 696
Appendix A Projects for Teaching Cryptography and Network Security 696
A.1
Sage Computer Algebra Projects 697
A.2
Hacking Project 698
A.3
Block Cipher Projects 699
A.4
Laboratory Exercises 699
A.5
Research Projects 699
A.6
Programming Projects 700
A.7
Practical Security Assessments 700
A.8
Firewall Projects 701
A.9
Case Studies 701
A.10
Writing Assignments 701
A.11
Reading/Report Assignments 702
A.12
Discussion Topics 702
Appendix B Sage Examples 703
B.1
B.2
B.3
B.4
B.5
B.6
B.7
B.8
B.9
B.10
B.11
References
Credits 753
Index 754
Linear Algebra and Matrix Functionality 704
Chapter 2: Number Theory 705
Chapter 3: Classical Encryption 710
Chapter 4: Block Ciphers and the Data Encryption Standard 713
Chapter 5: Basic Concepts in Number Theory and Finite Fields 717
Chapter 6: Advanced Encryption Standard 724
Chapter 8: Pseudorandom Number Generation and Stream Ciphers 729
Chapter 9: Public-Key Cryptography and RSA 731
Chapter 10: Other Public-Key Cryptosystems 734
Chapter 11: Cryptographic Hash Functions 739
Chapter 13: Digital Signatures 741
744
7
8
CONTENTS
ONLINE CHAPTERS AND APPENDICES1
PART SEVEN: SYSTEM SECURITY
Chapter 21 Malicious Software
21.1
Types of Malicious Software (Malware)
21.2
Advanced Persistent Threat
21.3
Propagation—Infected Content—Viruses
21.4
Propagation—Vulnerability Exploit—Worms
21.5
Propagation—Social Engineering—Spam E-mail, Trojans
21.6
Payload—System Corruption
21.7
Payload—Attack Agent—Zombie, Bots
21.8
Payload—Information Theft—Keyloggers, Phishing, Spyware
21.9
Payload—Stealthing—Backdoors, Rootkits
21.10
Countermeasures
21.11
Distributed Denial of Service Attacks
21.12
References
21.13
Key Terms, Review Questions, and Problems
Chapter 22 Intruders
22.1
Intruders
22.2
Intrusion Detection
22.3
Password Management
22.4
References
22.5
Key Terms, Review Questions, and Problems
Chapter 23 Firewalls
23.1
The Need for Firewalls
23.2
Firewall Characteristics and Access Policy
23.3
Types of Firewalls
23.4
Firewall Basing
23.5
Firewall Location and Configurations
23.6
References
23.7
Key Terms, Review Questions, and Problems
PART EIGHT: LEGAL AND ETHICAL ISSUES
Chapter 24 Legal and Ethical Aspects
24.1
Cybercrime and Computer Crime
24.2
Intellectual Property
24.3
Privacy
24.4
Ethical Issues
24.5
Recommended Reading
24.6
References
24.7
Key Terms, Review Questions, and Problems
24.A
Information Privacy
1
Online chapters, appendices, and other documents are at the Companion Website, available via the
access card at the front of this book.
CONTENTS
Appendix C
Sage Exercises
Appendix D
Standards and Standard-Setting Organizations
Appendix E
Basic Concepts from Linear Algebra
Appendix F
Measures of Secrecy and Security
Appendix G
Simplified DES
Appendix H
Evaluation Criteria for AES
Appendix I
Simplified AES
Appendix J
The Knapsack Algorithm
Appendix K
Proof of the Digital Signature Algorithm
Appendix L
TCP/IP and OSI
Appendix M
Java Cryptographic APIs
Appendix N
MD5 Hash Function
Appendix O
Data Compression Using ZIP
Appendix P
PGP
Appendix Q
The International Reference Alphabet
Appendix R
Proof of the RSA Algorithm
Appendix S
Data Encryption Standard
Appendix T
Kerberos Encryption Techniques
Appendix U
Mathematical Basis of the Birthday Attack
Appendix V
Evaluation Criteria for SHA-3
Appendix W
The Complexity of Algorithms
Appendix X
Radix-64 Conversion
Appendix Y
The Base Rate Fallacy
Glossary
9
NOTATION
Symbol
Expression
Meaning
D, K
D(K, Y)
Symmetric decryption of ciphertext Y using secret key K
D, PRa
D(PRa, Y)
Asymmetric decryption of ciphertext Y using A’s private key PRa
D, PUa
D(PUa, Y)
Asymmetric decryption of ciphertext Y using A’s public key PUa
E, K
E(K, X)
Symmetric encryption of plaintext X using secret key K
E, PRa
E(PRa, X)
Asymmetric encryption of plaintext X using A’s private key PRa
E, PUa
E(PUa, X)
Asymmetric encryption of plaintext X using A’s public key PUa
K
Secret key
PRa
Private key of user A
PUa
Public key of user A
MAC, K
MAC(K, X)
Message authentication code of message X using secret key K
GF(p)
The finite field of order p, where p is prime.The field is defined as
the set Zp together with the arithmetic operations modulo p.
GF(2n)
The finite field of order 2n
Zn
Set of nonnegative integers less than n
gcd
gcd(i, j)
Greatest common divisor; the largest positive integer that
divides both i and j with no remainder on division.
mod
a mod m
Remainder after division of a by m
mod, K
a K b (mod m)
a mod m = b mod m
mod, [
a [ b (mod m)
a mod m ≠ b mod m
dlog
dlog a,p(b)
Discrete logarithm of the number b for the base a (mod p)
w
f(n)
The number of positive integers less than n and relatively
prime to n.
This is Euler’s totient function.
Σ
Π
n
a ai
a1 + a2 + g + an
i=1
n
q ai
a1 * a2 * g * an
i=1
i j
i divides j, which means that there is no remainder when j is
divided by i
,
a
Absolute value of a
10
Hiva-Network.Com
NOTATION
Symbol
Expression
Meaning
}
x}y
x concatenated with y
≈
x ≈ y
x is approximately equal to y
⊕
x⊕y
Exclusive-OR of x and y for single-bit variables;
Bitwise exclusive-OR of x and y for multiple-bit variables
:, ;
:x ;
The largest integer less than or equal to x
∈
x∈S
The element x is contained in the set S.
·
A · (a1, a2,
c ak)
The integer A corresponds to the sequence of integers
(a1, a2, c ak)
11
PREFACE
WHAT’S NEW IN THE SEVENTH EDITION
In the four years since the sixth edition of this book was published, the field has seen continued innovations and improvements. In this new edition, I try to capture these changes while
maintaining a broad and comprehensive coverage of the entire field. To begin this process of
revision, the sixth edition of this book was extensively reviewed by a number of professors
who teach the subject and by professionals working in the field. The result is that, in many
places, the narrative has been clarified and tightened, and illustrations have been improved.
Beyond these refinements to improve pedagogy and user-friendliness, there have been
substantive changes throughout the book. Roughly the same chapter organization has been
retained, but much of the material has been revised and new material has been added. The
most noteworthy changes are as follows:
■
Fundamental security design principles: Chapter 1 includes a new section discussing the
security design principles listed as fundamental by the National Centers of Academic
Excellence in Information Assurance/Cyber Defense, which is jointly sponsored by the
U.S. National Security Agency and the U.S. Department of Homeland Security.
■
Attack surfaces and attack trees: Chapter 1 includes a new section describing these two
concepts, which are useful in evaluating and classifying security threats.
Number theory coverage: The material on number theory has been consolidated
into a single chapter, Chapter 2. This makes for a convenient reference. The relevant
portions of Chapter 2 can be assigned as needed.
Finite fields: The chapter on finite fields has been revised and expanded with additional text and new figures to enhance understanding.
Format-preserving encryption: This relatively new mode of encryption is enjoying
increasing commercial success. A new section in Chapter 7 covers this method.
Conditioning and health testing for true random number generators: Chapter 8 now
provides coverage of these important topics.
User authentication model: Chapter 15 includes a new description of a general model
for user authentication, which helps to unify the discussion of the various approaches
to user authentication.
Cloud security: The material on cloud security in Chapter 16 has been updated and
expanded to reflect its importance and recent developments.
Transport Layer Security (TLS): The treatment of TLS in Chapter 17 has been updated,
reorganized to improve clarity, and now includes a discussion of the new TLS version 1.3.
Email Security: Chapter 19 has been completely rewritten to provide a comprehensive
and up-to-date discussion of email security. It includes:
— New: discussion of email threats and a comprehensive approach to email security.
— New: discussion of STARTTLS, which provides confidentiality and authentication
for SMTP.
■
■
■
■
■
■
■
■
12
PREFACE
13
— Revised: treatment of S/MIME has been updated to reflect the latest version 3.2.
— New: discussion of DNSSEC and its role in supporting email security.
— New: discussion of DNS-based Authentication of Named Entities (DANE) and the
use of this approach to enhance security for certificate use in SMTP and S/MIME.
— New: discussion of Sender Policy Framework (SPF), which is the standardized way
for a sending domain to identify and assert the mail senders for a given domain.
— Revised: discussion of DomainKeys Identified Mail (DKIM) has been revised.
— New: discussion of Domain-based Message Authentication, Reporting, and Conformance (DMARC) allows email senders to specify policy on how their mail should
be handled, the types of reports that receivers can send back, and the frequency
those reports should be sent.
OBJECTIVES
It is the purpose of this book to provide a practical survey of both the principles and practice
of cryptography and network security. In the first part of the book, the basic issues to be
addressed by a network security capability are explored by providing a tutorial and survey
of cryptography and network security technology. The latter part of the book deals with the
practice of network security: practical applications that have been implemented and are in
use to provide network security.
The subject, and therefore this book, draws on a variety of disciplines. In particular,
it is impossible to appreciate the significance of some of the techniques discussed in this
book without a basic understanding of number theory and some results from probability
theory. Nevertheless, an attempt has been made to make the book self-contained. The book
not only presents the basic mathematical results that are needed but provides the reader
with an intuitive understanding of those results. Such background material is introduced
as needed. This approach helps to motivate the material that is introduced, and the author
considers this preferable to simply presenting all of the mathematical material in a lump at
the beginning of the book.
SUPPORT OF ACM/IEEE COMPUTER SCIENCE CURRICULA 2013
The book is intended for both academic and professional audiences. As a textbook, it is
intended as a one-semester undergraduate course in cryptography and network security for
computer science, computer engineering, and electrical engineering majors. The changes to
this edition are intended to provide support of the ACM/IEEE Computer Science Curricula
2013 (CS2013). CS2013 adds Information Assurance and Security (IAS) to the curriculum recommendation as one of the Knowledge Areas in the Computer Science Body of Knowledge.
The document states that IAS is now part of the curriculum recommendation because of the
critical role of IAS in computer science education. CS2013 divides all course work into three
categories: Core-Tier 1 (all topics should be included in the curriculum), Core-Tier-2 (all or
almost all topics should be included), and elective (desirable to provide breadth and depth).
In the IAS area, CS2013 recommends topics in Fundamental Concepts and Network Security
14
PREFACE
in Tier 1 and Tier 2, and Cryptography topics as elective. This text covers virtually all of the
topics listed by CS2013 in these three categories.
The book also serves as a basic reference volume and is suitable for self-study.
PLAN OF THE TEXT
The book is divided into eight parts.
■
■
■
■
■
■
■
■
Background
Symmetric Ciphers
Asymmetric Ciphers
Cryptographic Data Integrity Algorithms
Mutual Trust
Network and Internet Security
System Security
Legal and Ethical Issues
The book includes a number of pedagogic features, including the use of the computer
algebra system Sage and numerous figures and tables to clarify the discussions. Each chapter includes a list of key words, review questions, homework problems, and suggestions
for further reading. The book also includes an extensive glossary, a list of frequently used
acronyms, and a bibliography. In addition, a test bank is available to instructors.
INSTRUCTOR SUPPORT MATERIALS
The major goal of this text is to make it as effective a teaching tool for this exciting and
fast-moving subject as possible. This goal is reflected both in the structure of the book and in
the supporting material. The text is accompanied by the following supplementary material
that will aid the instructor:
■
Solutions manual: Solutions to all end-of-chapter Review Questions and Problems.
■
Projects manual: Suggested project assignments for all of the project categories listed
below.
PowerPoint slides: A set of slides covering all chapters, suitable for use in lecturing.
PDF files: Reproductions of all figures and tables from the book.
Test bank: A chapter-by-chapter set of questions with a separate file of answers.
■
■
■
■
Sample syllabuses: The text contains more material than can be conveniently covered
in one semester. Accordingly, instructors are provided with several sample syllabuses
that guide the use of the text within limited time.
All of these support materials are available at the Instructor Resource Center
(IRC) for this textbook, which can be reached through the publisher’s Web site
www.pearsonglobaleditions.com/stallings. To gain access to the IRC, please contact your
local Pearson sales representative.
PREFACE
15
PROJECTS AND OTHER STUDENT EXERCISES
For many instructors, an important component of a cryptography or network security course
is a project or set of projects by which the student gets hands-on experience to reinforce
concepts from the text. This book provides an unparalleled degree of support, including a
projects component in the course. The IRC not only includes guidance on how to assign and
structure the projects, but also includes a set of project assignments that covers a broad range
of topics from the text:
■
Sage projects: Described in the next section.
■
Hacking project: Exercise designed to illuminate the key issues in intrusion detection
and prevention.
Block cipher projects: A lab that explores the operation of the AES encryption algorithm by tracing its execution, computing one round by hand, and then exploring the
various block cipher modes of use. The lab also covers DES. In both cases, an online
Java applet is used (or can be downloaded) to execute AES or DES.
Lab exercises: A series of projects that involve programming and experimenting with
concepts from the book.
Research projects: A series of research assignments that instruct the student to research
a particular topic on the Internet and write a report.
Programming projects: A series of programming projects that cover a broad range of
topics and that can be implemented in any suitable language on any platform.
Practical security assessments: A set of exercises to examine current infrastructure and
practices of an existing organization.
Firewall projects: A portable network firewall visualization simulator, together with
exercises for teaching the fundamentals of firewalls.
Case studies: A set of real-world case studies, including learning objectives, case
description, and a series of case discussion questions.
Writing assignments: A set of suggested writing assignments, organized by chapter.
Reading/report assignments: A list of papers in the literature—one for each chapter—
that can be assigned for the student to read and then write a short report.
■
■
■
■
■
■
■
■
■
This diverse set of projects and other student exercises enables the instructor to use
the book as one component in a rich and varied learning experience and to tailor a course
plan to meet the specific needs of the instructor and students. See Appendix A in this book
for details.
THE SAGE COMPUTER ALGEBRA SYSTEM
One of the most important features of this book is the use of Sage for cryptographic examples
and homework assignments. Sage is an open-source, multiplatform, freeware package that
implements a very powerful, flexible, and easily learned mathematics and computer algebra
system. Unlike competing systems (such as Mathematica, Maple, and MATLAB), there are
16
PREFACE
no licensing agreements or fees involved. Thus, Sage can be made available on computers
and networks at school, and students can individually download the software to their own
personal computers for use at home. Another advantage of using Sage is that students learn
a powerful, flexible tool that can be used for virtually any mathematical application, not
just cryptography.
The use of Sage can make a significant difference to the teaching of the mathematics
of cryptographic algorithms. This book provides a large number of examples of the use of
Sage covering many cryptographic concepts in Appendix B, which is included in this book.
Appendix C lists exercises in each of these topic areas to enable the student to gain
hands-on experience with cryptographic algorithms. This appendix is available to instructors at the IRC for this book. Appendix C includes a section on how to download and get
started with Sage, a section on programming with Sage, and exercises that can be assigned to
students in the following categories:
■
Chapter 2—Number Theory and Finite Fields: Euclidean and extended Euclidean
algorithms, polynomial arithmetic, GF(24), Euler’s Totient function, Miller–Rabin, factoring, modular exponentiation, discrete logarithm, and Chinese remainder theorem.
■
Chapter 3—Classical Encryption: Affine ciphers and the Hill cipher.
Chapter 4—Block Ciphers and the Data Encryption Standard: Exercises based
on SDES.
Chapter 6—Advanced Encryption Standard: Exercises based on SAES.
Chapter 8—Pseudorandom Number Generation and Stream Ciphers: Blum Blum
Shub, linear congruential generator, and ANSI X9.17 PRNG.
Chapter 9—Public-Key Cryptography and RSA: RSA encrypt/decrypt and signing.
Chapter 10—Other Public-Key Cryptosystems: Diffie–Hellman, elliptic curve.
Chapter 11—Cryptographic Hash Functions: Number-theoretic hash function.
Chapter 13—Digital Signatures: DSA.
■
■
■
■
■
■
■
ONLINE DOCUMENTS FOR STUDENTS
For this new edition, a tremendous amount of original supporting material for students has
been made available online.
Purchasing this textbook new also grants the reader six months of access to the
Companion Website, which includes the following materials:
■
Online chapters: To limit the size and cost of the book, four chapters of the book are
provided in PDF format. This includes three chapters on computer security and one on
legal and ethical issues. The chapters are listed in this book’s table of contents.
■
Online appendices: There are numerous interesting topics that support material found
in the text but whose inclusion is not warranted in the printed text. A total of 20 online
appendices cover these topics for the interested student. The appendices are listed in
this book’s table of contents.
PREFACE
■
■
■
■
17
Homework problems and solutions: To aid the student in understanding the material,
a separate set of homework problems with solutions are available.
Key papers: A number of papers from the professional literature, many hard to find,
are provided for further reading.
Supporting documents: A variety of other useful documents are referenced in the text
and provided online.
Sage code: The Sage code from the examples in Appendix B is useful in case the student
wants to play around with the examples.
To access the Companion Website, follow the instructions for “digital resources for
students” found in the front of this book.
ACKNOWLEDGMENTS
This new edition has benefited from review by a number of people who gave generously
of their time and expertise. The following professors reviewed all or a large part of the
manuscript: Hossein Beyzavi (Marymount University), Donald F. Costello (University of
Nebraska–Lincoln), James Haralambides (Barry University), Anand Seetharam (California
State University at Monterey Bay), Marius C. Silaghi (Florida Institute of Technology),
Shambhu Upadhyaya (University at Buffalo), Zhengping Wu (California State University
at San Bernardino), Liangliang Xiao (Frostburg State University), Seong-Moo (Sam) Yoo
(The University of Alabama in Huntsville), and Hong Zhang (Armstrong State University).
Thanks also to the people who provided detailed technical reviews of one or more
chapters: Dino M. Amaral, Chris Andrew, Prof. (Dr). C. Annamalai, Andrew Bain, Riccardo
Bernardini, Olivier Blazy, Zervopoulou Christina, Maria Christofi, Dhananjoy Dey, Mario
Emmanuel, Mike Fikuart, Alexander Fries, Pierpaolo Giacomin, Pedro R. M. Inácio,
Daniela Tamy Iwassa, Krzysztof Janowski, Sergey Katsev, Adnan Kilic, Rob Knox, Mina
Pourdashty, Yuri Poeluev, Pritesh Prajapati, Venkatesh Ramamoorthy, Andrea Razzini,
Rami Rosen, Javier Scodelaro, Jamshid Shokrollahi, Oscar So, and David Tillemans.
In addition, I was fortunate to have reviews of individual topics by “subject-area
gurus,” including Jesse Walker of Intel (Intel’s Digital Random Number Generator), Russ
Housley of Vigil Security (key wrapping), Joan Daemen (AES), Edward F. Schaefer of
Santa Clara University (Simplified AES), Tim Mathews, formerly of RSA Laboratories
(S/MIME), Alfred Menezes of the University of Waterloo (elliptic curve cryptography),
William Sutton, Editor/Publisher of The Cryptogram (classical encryption), Avi Rubin of
Johns Hopkins University (number theory), Michael Markowitz of Information Security
Corporation (SHA and DSS), Don Davis of IBM Internet Security Systems (Kerberos),
Steve Kent of BBN Technologies (X.509), and Phil Zimmerman (PGP).
Nikhil Bhargava (IIT Delhi) developed the set of online homework problems and
solutions. Dan Shumow of Microsoft and the University of Washington developed all of
the Sage examples and assignments in Appendices B and C. Professor Sreekanth Malladi of
Dakota State University developed the hacking exercises. Lawrie Brown of the Australian
Defence Force Academy provided the AES/DES block cipher projects and the security
assessment assignments.
18
PREFACE
Sanjay Rao and Ruben Torres of Purdue University developed the laboratory exercises
that appear in the IRC. The following people contributed project assignments that appear in
the instructor’s supplement: Henning Schulzrinne (Columbia University); Cetin Kaya Koc
(Oregon State University); and David Balenson (Trusted Information Systems and George
Washington University). Kim McLaughlin developed the test bank.
Finally, I thank the many people responsible for the publication of this book, all of
whom did their usual excellent job. This includes the staff at Pearson, particularly my editor
Tracy Johnson, program manager Carole Snyder, and production manager Bob Engelhardt.
Thanks also to the marketing and sales staffs at Pearson, without whose efforts this book
would not be in front of you.
ACKNOWLEDGMENTS FOR THE GLOBAL EDITION
Pearson would like to thank and acknowledge Somitra Kumar Sanadhya (Indraprastha
Institute of Information Technology Delhi), and Somanath Tripathy (Indian Institute of
Technology Patna) for contributing to the Global Edition, and Anwitaman Datta (Nanyang
Technological University Singapore), Atul Kahate (Pune University), Goutam Paul (Indian
Statistical Institute Kolkata), and Khyat Sharma for reviewing the Global Edition.
ABOUT THE AUTHOR
Dr. William Stallings has authored 18 titles, and counting revised editions, over 40 books
on computer security, computer networking, and computer architecture. His writings have
appeared in numerous publications, including the Proceedings of the IEEE, ACM Computing
Reviews, and Cryptologia.
He has 13 times received the award for the best Computer Science textbook of the
year from the Text and Academic Authors Association.
In over 30 years in the field, he has been a technical contributor, technical manager,
and an executive with several high-technology firms. He has designed and implemented
both TCP/IP-based and OSI-based protocol suites on a variety of computers and operating
systems, ranging from microcomputers to mainframes. As a consultant, he has advised government agencies, computer and software vendors, and major users on the design, selection,
and use of networking software and products.
He created and maintains the Computer Science Student Resource Site at
ComputerScienceStudent.com. This site provides documents and links on a variety of
subjects of general interest to computer science students (and professionals). He is a member
of the editorial board of Cryptologia, a scholarly journal devoted to all aspects of cryptology.
Dr. Stallings holds a PhD from MIT in computer science and a BS from Notre Dame
in electrical engineering.
PART ONE: BACKGROUND
CHAPTER
Computer and Network
Security Concepts
1.1
Computer Security Concepts
A Definition of Computer Security
Examples
The Challenges of Computer Security
1.2
The OSI Security Architecture
1.3
Security Attacks
Passive Attacks
Active Attacks
1.4
Security Services
Authentication
Access Control
Data Confidentiality
Data Integrity
Nonrepudiation
Availability Service
1.5
Security Mechanisms
1.6
Fundamental Security Design Principles
1.7
Attack Surfaces and Attack Trees
Attack Surfaces
Attack Trees
1.8
A Model for Network Security
1.9
Standards
1.10 Key Terms, Review Questions, and Problems
19
Hiva-Network.Com
20
CHAPTER 1 / COMPUTER AND NETWORK SECURITY CONCEPTS
LEARNING OBJECTIVES
After studying this chapter, you should be able to:
◆ Describe the key security requirements of confidentiality, integrity, and
availability.
◆ Describe the X.800 security architecture for OSI.
◆ Discuss the types of security threats and attacks that must be dealt with
and give examples of the types of threats and attacks that apply to different categories of computer and network assets.
◆ Explain the fundamental security design principles.
◆ Discuss the use of attack surfaces and attack trees.
◆ List and briefly describe key organizations involved in cryptography
standards.
This book focuses on two broad areas: cryptographic algorithms and protocols, which
have a broad range of applications; and network and Internet security, which rely
heavily on cryptographic techniques.
Cryptographic algorithms and protocols can be grouped into four main areas:
■
■
■
■
Symmetric encryption: Used to conceal the contents of blocks or streams of
data of any size, including messages, files, encryption keys, and passwords.
Asymmetric encryption: Used to conceal small blocks of data, such as encryption keys and hash function values, which are used in digital signatures.
Data integrity algorithms: Used to protect blocks of data, such as messages,
from alteration.
Authentication protocols: These are schemes based on the use of cryptographic algorithms designed to authenticate the identity of entities.
The field of network and Internet security consists of measures to deter, prevent,
detect, and correct security violations that involve the transmission of information.
That is a broad statement that covers a host of possibilities. To give you a feel for the
areas covered in this book, consider the following examples of security violations:
1. User A transmits a file to user B. The file contains sensitive information
(e.g., payroll records) that is to be protected from disclosure. User C, who is
not authorized to read the file, is able to monitor the transmission and capture
a copy of the file during its transmission.
2. A network manager, D, transmits a message to a computer, E, under its management. The message instructs computer E to update an authorization file to
include the identities of a number of new users who are to be given access to
that computer. User F intercepts the message, alters its contents to add or delete
entries, and then forwards the message to computer E, which accepts the message as coming from manager D and updates its authorization file accordingly.
1.1 / COMPUTER SECURITY CONCEPTS
21
3. Rather than intercept a message, user F constructs its own message with the
desired entries and transmits that message to computer E as if it had come
from manager D. Computer E accepts the message as coming from manager D
and updates its authorization file accordingly.
4. An employee is fired without warning. The personnel manager sends a message to a server system to invalidate the employee’s account. When the invalidation is accomplished, the server is to post a notice to the employee’s file as
confirmation of the action. The employee is able to intercept the message and
delay it long enough to make a final access to the server to retrieve sensitive
information. The message is then forwarded, the action taken, and the confirmation posted. The employee’s action may go unnoticed for some considerable time.
5. A message is sent from a customer to a stockbroker with instructions for various transactions. Subsequently, the investments lose value and the customer
denies sending the message.
Although this list by no means exhausts the possible types of network security violations, it illustrates the range of concerns of network security.
1.1 COMPUTER SECURITY CONCEPTS
A Definition of Computer Security
The NIST Computer Security Handbook [NIST95] defines the term computer security as follows:
Computer Security: The protection afforded to an automated information system
in order to attain the applicable objectives of preserving the integrity, availability,
and confidentiality of information system resources (includes hardware, software,
firmware, information/data, and telecommunications).
This definition introduces three key objectives that are at the heart of computer security:
■
Confidentiality: This term covers two related concepts:
Data1 confidentiality: Assures that private or confidential information is
not made available or disclosed to unauthorized individuals.
Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that
information may be disclosed.
1
RFC 4949 defines information as “facts and ideas, which can be represented (encoded) as various forms
of data,” and data as “information in a specific physical representation, usually a sequence of symbols
that have meaning; especially a representation of information that can be processed or produced by a
computer.” Security literature typically does not make much of a distinction, nor does this book.
CHAPTER 1 / COMPUTER AND NETWORK SECURITY CONCEPTS
■
Integrity: This term covers two related concepts:
Data integrity: Assures that information (both stored and in transmitted packets) and programs are changed only in a specified and authorized
manner.
System integrity: Assures that a system performs its intended function in
an unimpaired manner, free from deliberate or inadvertent unauthorized
manipulation of the system.
■
Availability: Assures that systems work promptly and service is not denied to
authorized users.
These three concepts form what is often referred to as the CIA triad. The
three concepts embody the fundamental security objectives for both data and for
information and computing services. For example, the NIST standard FIPS 199
(Standards for Security Categorization of Federal Information and Information
Systems) lists confidentiality, integrity, and availability as the three security objectives for information and for information systems. FIPS 199 provides a useful characterization of these three objectives in terms of requirements and the definition of
a loss of security in each category:
■
■
■
Confidentiality: Preserving authorized restrictions on information access
and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of
information.
Integrity: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity. A loss
of integrity is the unauthorized modification or destruction of information.
Availability: Ensuring timely and reliable access to and use of information.
A loss of availability is the disruption of access to or use of information or an
information system.
Although the use of the CIA triad to define security objectives is well established, some in the security field feel that additional concepts are needed to present a
complete picture (Figure 1.1). Two of the most commonly mentioned are as follows:
y
lit
ility
b
unta
Acco
Data
and
services
In
teg
rit
y
ty
nfi
Co
ntici
tia
n
de
Auth
e
22
Availability
Figure 1.1
Essential Network and Computer Security
Requirements
1.1 / COMPUTER SECURITY CONCEPTS
■
■
23
Authenticity: The property of being genuine and being able to be verified and
trusted; confidence in the validity of a transmission, a message, or message
originator. This means verifying that users are who they say they are and that
each input arriving at the system came from a trusted source.
Accountability: The security goal that generates the requirement for actions
of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and afteraction recovery and legal action. Because truly secure systems are not yet an
achievable goal, we must be able to trace a security breach to a responsible
party. Systems must keep records of their activities to permit later forensic
analysis to trace security breaches or to aid in transaction disputes.
Examples
We now provide some examples of applications that illustrate the requirements just
enumerated.2 For these examples, we use three levels of impact on organizations or
individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). These levels are defined in FIPS PUB 199:
■
■
■
2
Low: The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse
effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause a degradation in mission capability to an extent and
duration that the organization is able to perform its primary functions, but the
effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in
minor harm to individuals.
Moderate: The loss could be expected to have a serious adverse effect on
organizational operations, organizational assets, or individuals. A serious
adverse effect means that, for example, the loss might (i) cause a significant degradation in mission capability to an extent and duration that the
organization is able to perform its primary functions, but the effectiveness
of the functions is significantly reduced; (ii) result in significant damage to
organizational assets; (iii) result in significant financial loss; or (iv) result in
significant harm to individuals that does not involve loss of life or serious,
life-threatening injuries.
High: The loss could be expected to have a severe or catastrophic adverse
effect on organizational operations, organizational assets, or individuals.
A severe or catastrophic adverse effect means that, for example, the loss
might (i) cause a severe degradation in or loss of mission capability to an
extent and duration that the organization is not able to perform one or more
of its primary functions; (ii) result in major damage to organizational assets;
(iii) result in major financial loss; or (iv) result in severe or catastrophic harm
to individuals involving loss of life or serious, life-threatening injuries.
These examples are taken from a security policy document published by the Information Technology
Security and Privacy Office at Purdue University.
24
CHAPTER 1 / COMPUTER AND NETWORK SECURITY CONCEPTS
CONFIDENTIALITY Student grade information is an asset whose confidentiality is
considered to be highly important by students. In the United States, the release of
such information is regulated by the Family Educational Rights and Privacy Act
(FERPA). Grade information should only be available to students, their parents,
and employees that require the information to do their job. Student enrollment
information may have a moderate confidentiality rating. While still covered by
FERPA, this information is seen by more people on a daily basis, is less likely to be
targeted than grade information, and results in less damage if disclosed. Directory
information, such as lists of students or faculty or departmental lists, may be assigned a low confidentiality rating or indeed no rating. This information is typically
freely available to the public and published on a school’s Web site.
INTEGRITY Several aspects of integrity are illustrated by the example of a hospital
patient’s allergy information stored in a database. The doctor should be able to
trust that the information is correct and current. Now suppose that an employee
(e.g., a nurse) who is authorized to view and update this information deliberately
falsifies the data to cause harm to the hospital. The database needs to be restored
to a trusted basis quickly, and it should be possible to trace the error back to the
person responsible. Patient allergy information is an example of an asset with a high
requirement for integrity. Inaccurate information could result in serious harm or
death to a patient and expose the hospital to massive liability.
An example of an asset that may be assigned a moderate level of integrity
requirement is a Web site that offers a forum to registered users to discuss some
specific topic. Either a registered user or a hacker could falsify some entries or
deface the Web site. If the forum exists only for the enjoyment of the users, brings
in little or no advertising revenue, and is not used for something important such
as research, then potential damage is not severe. The Web master may experience
some data, financial, and time loss.
An example of a low integrity requirement is an anonymous online poll. Many
Web sites, such as news organizations, offer these polls to their users with very few
safeguards. However, the inaccuracy and unscientific nature of such polls is well
understood.
AVAILABILITY The more critical a component or service, the higher is the level of
availability required. Consider a system that provides authentication services for
critical systems, applications, and devices. An interruption of service results in the
inability for customers to access computing resources and staff to access the resources they need to perform critical tasks. The loss of the service translates into a
large financial loss in lost employee productivity and potential customer loss.
An example of an asset that would typically be rated as having a moderate
availability requirement is a public Web site for a university; the Web site provides
information for current and prospective students and donors. Such a site is not a
critical component of the university’s information system, but its unavailability will
cause some embarrassment.
An online telephone directory lookup application would be classified as a low
availability requirement. Although the temporary loss of the application may be
an annoyance, there are other ways to access the information, such as a hardcopy
directory or the operator.
1.1 / COMPUTER SECURITY CONCEPTS
25
The Challenges of Computer Security
Computer and network security is both fascinating and complex. Some of the
reasons follow:
1. Security is not as simple as it might first appear to the novice. The requirements seem to be straightforward; indeed, most of the major requirements for
security services can be given self-explanatory, one-word labels: confidentiality, authentication, nonrepudiation, or integrity. But the mechanisms used to
meet those requirements can be quite complex, and understanding them may
involve rather subtle reasoning.
2. In developing a particular security mechanism or algorithm, one must always
consider potential attacks on those security features. In many cases, successful
attacks are designed by looking at the problem in a completely different way,
therefore exploiting an unexpected weakness in the mechanism.
3. Because of point 2, the procedures used to provide particular services are
often counterintuitive. Typically, a security mechanism is complex, and it is not
obvious from the statement of a particular requirement that such elaborate
measures are needed. It is only when the various aspects of the threat are considered that elaborate security mechanisms make sense.
4. Having designed various security mechanisms, it is necessary to decide where
to use them. This is true both in terms of physical placement (e.g., at what points
in a network are certain security mechanisms needed) and in a logical sense
(e.g., at what layer or layers of an architecture such as TCP/IP [Transmission
Control Protocol/Internet Protocol] should mechanisms be placed).
5. Security mechanisms typically involve more than a particular algorithm or
protocol. They also require that participants be in possession of some secret information (e.g., an encryption key), which raises questions about the creation,
distribution, and protection of that secret information. There also may be a reliance on communications protocols whose behavior may complicate the task
of developing the security mechanism. For example, if the proper functioning
of the security mechanism requires setting time limits on the transit time of a
message from sender to receiver, then any protocol or network that introduces
variable, unpredictable delays may render such time limits meaningless.
6. Computer and network security is essentially a battle of wits between a perpetrator who tries to find holes and the designer or administrator who tries to
close them. The great advantage that the attacker has is that he or she need
only find a single weakness, while the designer must find and eliminate all
weaknesses to achieve perfect security.
7. There is a natural tendency on the part of users and system managers to perceive little benefit from security investment until a security failure occurs.
8. Security requires regular, even constant, monitoring, and this is difficult in
today’s short-term, overloaded environment.
9. Security is still too often an afterthought to be incorporated into a system
after the design is complete rather than being an integral part of the design
process.
26
CHAPTER 1 / COMPUTER AND NETWORK SECURITY CONCEPTS
10. Many users and even security administrators view strong security as an
impediment to efficient and user-friendly operation of an information system
or use of information.
The difficulties just enumerated will be encountered in numerous ways as we
examine the various security threats and mechanisms throughout this book.
1.2 THE OSI SECURITY ARCHITECTURE
To assess effectively the security needs of an organization and to evaluate and
choose various security products and policies, the manager responsible for security
needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. This is difficult enough in a
centralized data processing environment; with the use of local and wide area networks, the problems are compounded.
ITU-T3 Recommendation X.800, Security Architecture for OSI, defines such a
systematic approach.4 The OSI security architecture is useful to managers as a way
of organizing the task of providing security. Furthermore, because this architecture
was developed as an international standard, computer and communications vendors
have developed security features for their products and services that relate to this
structured definition of services and mechanisms.
For our purposes, the OSI security architecture provides a useful, if abstract,
overview of many of the concepts that this book deals with. The OSI security architecture focuses on security attacks, mechanisms, and services. These can be defined
briefly as
■
■
■
Security attack: Any action that compromises the security of information
owned by an organization.
Security mechanism: A process (or a device incorporating such a process)
that is designed to detect, prevent, or recover from a security attack.
Security service: A processing or communication service that enhances the
security of the data processing systems and the information transfers of an
organization. The services are intended to counter security attacks, and they
make use of one or more security mechanisms to provide the service.
In the literature, the terms threat and attack are commonly used to mean more
or less the same thing. Table 1.1 provides definitions taken from RFC 4949, Internet
Security Glossary.
3
The International Telecommunication Union (ITU) Telecommunication Standardization Sector (ITU-T)
is a United Nations-sponsored agency that develops standards, called Recommendations, relating to telecommunications and to open systems interconnection (OSI).
4
The OSI security architecture was developed in the context of the OSI protocol architecture, which is
described in Appendix L. However, for our purposes in this chapter, an understanding of the OSI protocol architecture is not required.
1.3 / SECURITY ATTACKS
27
Table 1.1 Threats and Attacks (RFC 4949)
Threat
A potential for violation of security, which exists when there is a circumstance, capability, action,
or event that could breach security and cause harm. That is, a threat is a possible danger that might
exploit a vulnerability.
Attack
An assault on system security that derives from an intelligent threat; that is, an intelligent act that
is a deliberate attempt (especially in the sense of a method or technique) to evade security services
and violate the security policy of a system.
1.3 SECURITY ATTACKS
A useful means of classifying security attacks, used both in X.800 and RFC 4949, is
in terms of passive attacks and active attacks (Figure 1.2). A passive attack attempts
to learn or make use of information from the system but does not affect system resources. An active attack attempts to alter system resources or affect their operation.
Passive Attacks
Passive attacks (Figure 1.2a) are in the nature of eavesdropping on, or monitoring
of, transmissions. The goal of the opponent is to obtain information that is being
transmitted. Two types of passive attacks are the release of message contents and
traffic analysis.
The release of message contents is easily understood. A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or
confidential information. We would like to prevent an opponent from learning the
contents of these transmissions.
A second type of passive attack, traffic analysis, is subtler. Suppose that we
had a way of masking the contents of messages or other information traffic so that
opponents, even if they captured the message, could not extract the information
from the message. The common technique for masking contents is encryption. If we
had encryption protection in place, an opponent might still be able to observe the
pattern of these messages. The opponent could determine the location and identity
of communicating hosts and could observe the frequency and length of messages
being exchanged. This information might be useful in guessing the nature of the
communication that was taking place.
Passive attacks are very difficult to detect, because they do not involve any
alteration of the data. Typically, the message traffic is sent and received in an apparently normal fashion, and neither the sender nor receiver is aware that a third party
has read the messages or observed the traffic pattern. However, it is feasible to prevent the success of these attacks, usually by means of encryption. Thus, the emphasis in dealing with passive attacks is on prevention rather than detection.
Active Attacks
Active attacks (Figure 1.2b) involve some modification of the data stream or the
creation of a false stream and can be subdivided into four categories: masquerade,
replay, modification of messages, and denial of service.
28
CHAPTER 1 / COMPUTER AND NETWORK SECURITY CONCEPTS
Darth
Internet or
other communications facility
Bob
Alice
(a) Passive attacks
Darth
1
2
3
Internet or
other communications facility
Alice
Bob
(b) Active attacks
Figure 1.2
Security Attacks
A masquerade takes place when one entity pretends to be a different entity
(path 2 of Figure 1.2b is active). A masquerade attack usually includes one of the
other forms of active attack. For example, authentication sequences can be captured
and replayed after a valid authentication sequence has taken place, thus enabling an
authorized entity with few privileges to obtain extra privileges by impersonating an
entity that has those privileges.
Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect (paths 1, 2, and 3 active).
Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect (paths 1 and 2 active). For example, a message meaning “Allow John
Smith to read confidential file accounts” is modified to mean “Allow Fred Brown to
read confidential file accounts.”
Hiva-Network.Com
1.4 / SECURITY SERVICES
29
The denial of service prevents or inhibits the normal use or management of
communications facilities (path 3 active). This attack may have a specific target; for
example, an entity may suppress all messages directed to a particular destination
(e.g., the security audit service). Another form of service denial is the disruption of
an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.
Active attacks present the opposite characteristics of passive attacks. Whereas
passive attacks are difficult to detect, measures are available to prevent their success.
On the other hand, it is quite difficult to prevent active attacks absolutely because
of the wide variety of potential physical, software, and network vulnerabilities.
Instead, the goal is to detect active attacks and to recover from any disruption or
delays caused by them. If the detection has a deterrent effect, it may also contribute
to prevention.
1.4 SECURITY SERVICES
X.800 defines a security service as a service that is provided by a protocol layer of
communicating open systems and that ensures adequate security of the systems or
of data transfers. Perhaps a clearer definition is found in RFC 4949, which provides
the following definition: a processing or communication service that is provided by
a system to give a specific kind of protection to system resources; security services
implement security policies and are implemented by security mechanisms.
X.800 divides these services into five categories and fourteen specific services
(Table 1.2). We look at each category in turn.5
Authentication
The authentication service is concerned with assuring that a communication is authentic. In the case of a single message, such as a warning or alarm signal, the function
of the authentication service is to assure the recipient that the message is from the
source that it claims to be from. In the case of an ongoing interaction, such as the connection of a terminal to a host, two aspects are involved. First, at the time of connection initiation, the service assures that the two entities are authentic, that is, that each
is the entity that it claims to be. Second, the service must assure that the connection is
not interfered with in such a way that a third party can masquerade as one of the two
legitimate parties for the purposes of unauthorized transmission or reception.
Two specific authentication services are defined in X.800:
■
5
Peer entity authentication: Provides for the corroboration of the identity of a
peer entity in an association. Two entities are considered peers if they implement to same protocol in different systems; for example two TCP modules
in two communicating systems. Peer entity authentication is provided for
There is no universal agreement about many of the terms used in the security literature. For example, the
term integrity is sometimes used to refer to all aspects of information security. The term authentication is
sometimes used to refer both to verification of identity and to the various functions listed under integrity
in this chapter. Our usage here agrees with both X.800 and RFC 4949.
30
CHAPTER 1 / COMPUTER AND NETWORK SECURITY CONCEPTS
Table 1.2
Security Services (X.800)
AUTHENTICATION
The assurance that the communicating entity is the
one that it claims to be.
Peer Entity Authentication
Used in association with a logical connection to
provide confidence in the identity of the entities
connected.
Data-Origin Authentication
In a connectionless transfer, provides assurance that
the source of received data is as claimed.
ACCESS CONTROL
The prevention of unauthorized use of a resource
(i.e., this service controls who can have access to a
resource, under what conditions access can occur,
and what those accessing the resource are allowed
to do).
DATA CONFIDENTIALITY
The protection of data from unauthorized
disclosure.
Connection Confidentiality
The protection of all user data on a connection.
Connectionless Confidentiality
The protection of all user data in a single data block.
Selective-Field Confidentiality
The confidentiality of selected fields within the user
data on a connection or in a single data block.
Traffic-Flow Confidentiality
The protection of the information that might be
derived from observation of traffic flows.
DATA INTEGRITY
The assurance that data received are exactly as
sent by an authorized entity (i.e., contain no modification, insertion, deletion, or replay).
Connection Integrity with Recovery
Provides for the integrity of all user data on a connection and detects any modification, insertion, deletion,
or replay of any data within an entire data sequence,
with recovery attempted.
Connection Integrity without Recovery
As above, but provides only detection without
recovery.
Selective-Field Connection Integrity
Provides for the integrity of selected fields within the
user data of a data block transferred over a connection and takes the form of determination of whether
the selected fields have been modified, inserted,
deleted, or replayed.
Connectionless Integrity
Provides for the integrity of a single connectionless
data block and may take the form of detection of
data modification. Additionally, a limited form of
replay detection may be provided.
Selective-Field Connectionless Integrity
Provides for the integrity of selected fields within a
single connectionless data block; takes the form of
determination of whether the selected fields have
been modified.
NONREPUDIATION
Provides protection against denial by one of the
entities involved in a communication of having participated in all or part of the communication.
Nonrepudiation, Origin
Proof that the message was sent by the specified
party.
Nonrepudiation, Destination
Proof that the message was received by the specified
party.
■
use at the establishment of, or at times during the data transfer phase of, a
connection. It attempts to provide confidence that an entity is not performing
either a masquerade or an unauthorized replay of a previous connection.
Data origin authentication: Provides for the corroboration of the source of a
data unit. It does not provide protection against the duplication or modification of data units. This type of service supports applications like electronic mail,
where there are no prior interactions between the communicating entities.
1.4 / SECURITY SERVICES
31
Access Control
In the context of network security, access control is the ability to limit and control
the access to host systems and applications via communications links. To achieve
this, each entity trying to gain access must first be identified, or authenticated,
so that access rights can be tailored to the individual.
Data Confidentiality
Confidentiality is the protection of transmitted data from passive attacks. With respect to the content of a data transmission, several levels of protection can be identified. The broadest service protects all user data transmitted between two users
over a period of time. For example, when a TCP connection is set up between two
systems, this broad protection prevents the release of any user data transmitted over
the TCP connection. Narrower forms of this service can also be defined, including
the protection of a single message or even specific fields within a message. These
refinements are less useful than the broad approach and may even be more complex
and expensive to implement.
The other aspect of confidentiality is the protection of traffic flow from
analysis. This requires that an attacker not be able to observe the source and destination, frequency, length, or other characteristics of the traffic on a communications
facility.
Data Integrity
As with confidentiality, integrity can apply to a stream of messages, a single message, or selected fields within a message. Again, the most useful and straightforward
approach is total stream protection.
A connection-oriented integrity service, one that deals with a stream of messages, assures that messages are received as sent with no duplication, insertion,
modification, reordering, or replays. The destruction of data is also covered under
this service. Thus, the connection-oriented integrity service addresses both message stream modification and denial of service. On the other hand, a connectionless integrity service, one that deals with individual messages without regard to any
larger context, generally provides protection against message modification only.
We can make a distinction between service with and without recovery. Because
the integrity service relates to active attacks, we are concerned with detection rather
than prevention. If a violation of integrity is detected, then the service may simply
report this violation, and some other portion of software or human intervention is
required to recover from the violation. Alternatively, there are mechanisms available to recover from the loss of integrity of data, as we will review subsequently. The
incorporation of automated recovery mechanisms is, in general, the more attractive
alternative.
Nonrepudiation
Nonrepudiation prevents either sender or receiver from denying a transmitted message. Thus, when a message is sent, the receiver can prove that the alleged sender in
fact sent the message. Similarly, when a message is received, the sender can prove
that the alleged receiver in fact received the message.
32
CHAPTER 1 / COMPUTER AND NETWORK SECURITY CONCEPTS
Availability Service
Both X.800 and RFC 4949 define availability to be the property of a system or a
system resource being accessible and usable upon demand by an authorized system
entity, according to performance specifications for the system (i.e., a system is available if it provides services according to the system design whenever users request
them). A variety of attacks can result in the loss of or reduction in availability. Some
of these attacks are amenable to automated countermeasures, such as authentication and encryption, whereas others require some sort of physical action to prevent
or recover from loss of availability of elements of a distributed system.
X.800 treats availability as a property to be associated with various security
services. However, it makes sense to call out specifically an availability service. An
availability service is one that protects a system to ensure its availability. This service addresses the security concerns raised by denial-of-service attacks. It depends
on proper management and control of system resources and thus depends on access
control service and other security services.
1.5 SECURITY MECHANISMS
Table 1.3 lists the security mechanisms defined in X.800. The mechanisms are
divided into those that are implemented in a specific protocol layer, such as TCP or
an application-layer protocol, and those that are not specific to any particular protocol layer or security service. These mechanisms will be covered in the appropriate
Table 1.3
Security Mechanisms (X.800)
SPECIFIC SECURITY MECHANISMS
May be incorporated into the appropriate protocol
layer in order to provide some of the OSI security
services.
Encipherment
The use of mathematical algorithms to transform
data into a form that is not readily intelligible. The
transformation and subsequent recovery of the data
depend on an algorithm and zero or more encryption
keys.
Digital Signature
Data appended to, or a cryptographic transformation
of, a data unit that allows a recipient of the data unit
to prove the source and integrity of the data unit and
protect against forgery (e.g., by the recipient).
Access Control
A variety of mechanisms that enforce access rights to
resources.
Data Integrity
A variety of mechanisms used to assure the integrity
of a data unit or stream of data units.
PERVASIVE SECURITY MECHANISMS
Mechanisms that are not specific to any particular
OSI security service or protocol layer.
Trusted Functionality
That which is perceived to be correct with respect
to some criteria (e.g., as established by a security
policy).
Security Label
The marking bound to a resource (which may be a
data unit) that names or designates the security attributes of that resource.
Event Detection
Detection of security-relevant events.
Security Audit Trail
Data collected and potentially used to facilitate a
security audit, which is an independent review and
examination of system records and activities.
Security Recovery
Deals with requests from mechanisms, such as event
handling and management functions, and takes
recovery actions.
1.5 / SECURITY MECHANISMS
33
SPECIFIC SECURITY MECHANISMS
Authentication Exchange
A mechanism intended to ensure the identity of an
entity by means of information exchange.
Traffic Padding
The insertion of bits into gaps in a data stream to
frustrate traffic analysis attempts.
Routing Control
Enables selection of particular physically secure
routes for certain data and allows routing changes,
especially when a breach of security is suspected.
Notarization
The use of a trusted third party to assure certain
properties of a data exchange.
places in the book. So we do not elaborate now, except to comment on the definition of encipherment. X.800 distinguishes between reversible encipherment mechanisms and irreversible encipherment mechanisms. A reversible encipherment
mechanism is simply an encryption algorithm that allows data to be encrypted and
subsequently decrypted. Irreversible encipherment mechanisms include hash algorithms and message authentication codes, which are used in digital signature and
message authentication applications.
Table 1.4, based on one in X.800, indicates the relationship between security
services and security mechanisms.
Table 1.4 Relationship Between Security Services and Mechanisms
SERVICE
En
ci
p
D her
m
ig
ita en
A l si t
cc
g
es nat
D s co ure
at
a ntro
A inte l
ut
he grit
Tr ntic y
affi at
io
c
Ro pa n e
ut dd xch
in
i
N ng c g ang
ot
e
o
ar nt
r
iz
at ol
io
n
MECHANISM
Peer entity authentication
Y
Y
Data origin authentication
Y
Y
Access control
Y
Confidentiality
Y
Traffic flow confidentiality
Y
Data integrity
Y
Nonrepudiation
Availability
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
34
CHAPTER 1 / COMPUTER AND NETWORK SECURITY CONCEPTS
1.6 FUNDAMENTAL SECURITY DESIGN PRINCIPLES
Despite years of research and development, it has not been possible to develop
security design and implementation techniques that systematically exclude security
flaws and prevent all unauthorized actions. In the absence of such foolproof techniques, it is useful to have a set of widely agreed design principles that can guide
the development of protection mechanisms. The National Centers of Academic
Excellence in Information Assurance/Cyber Defense, which is jointly sponsored by
the U.S. National Security Agency and the U.S. Department of Homeland Security,
list the following as fundamental security design principles [NCAE13]:
■
■
■
■
■
■
■
■
■
■
■
■
■
Economy of mechanism
Fail-safe defaults
Complete mediation
Open design
Separation of privilege
Least privilege
Least common mechanism
Psychological acceptability
Isolation
Encapsulation
Modularity
Layering
Least astonishment
The first eight listed principles were first proposed in [SALT75] and have withstood
the test of time. In this section, we briefly discuss each principle.
Economy of mechanism means that the design of security measures embodied in both hardware and software should be as simple and small as possible.
The motivation for this principle is that relatively simple, small design is easier to test and verify thoroughly. With a complex design, there are many more
opportunities for an adversary to discover subtle weaknesses to exploit that may
be difficult to spot ahead of time. The more complex the mechanism, the more
likely it is to possess exploitable flaws. Simple mechanisms tend to have fewer
exploitable flaws and require less maintenance. Further, because configuration
management issues are simplified, updating or replacing a simple mechanism
becomes a less intensive process. In practice, this is perhaps the most difficult
principle to honor. There is a constant demand for new features in both hardware and software, complicating the security design task. The best that can be
done is to keep this principle in mind during system design to try to eliminate
unnecessary complexity.
Fail-safe defaults means that access decisions should be based on permission
rather than exclusion. That is, the default situation is lack of access, and the protection scheme identifies conditions under which access is permitted. This approach
1.6 / FUNDAMENTAL SECURITY DESIGN PRINCIPLES
35
exhibits a better failure mode than the alternative approach, where the default is
to permit access. A design or implementation mistake in a mechanism that gives
explicit permission tends to fail by refusing permission, a safe situation that can
be quickly detected. On the other hand, a design or implementation mistake in a
mechanism that explicitly excludes access tends to fail by allowing access, a failure
that may long go unnoticed in normal use. Most file access systems and virtually all
protected services on client/server systems use fail-safe defaults.
Complete mediation means that every access must be checked against the
access control mechanism. Systems should not rely on access decisions retrieved
from a cache. In a system designed to operate continuously, this principle requires
that, if access decisions are remembered for future use, careful consideration be
given to how changes in authority are propagated into such local memories. File
access systems appear to provide an example of a system that complies with this
principle. However, typically, once a user has opened a file, no check is made to see
if permissions change. To fully implement complete mediation, every time a user
reads a field or record in a file, or a data item in a database, the system must exercise
access control. This resource-intensive approach is rarely used.
Open design means that the design of a security mechanism should be open
rather than secret. For example, although encryption keys must be secret, encryption
algorithms should be open to public scrutiny. The algorithms can then be reviewed
by many experts, and users can therefore have high confidence in them. This is the
philosophy behind the National Institute of Standards and Technology (NIST)
program of standardizing encryption and hash algorithms, and has led to the widespread adoption of NIST-approved algorithms.
Separation of privilege is defined in [SALT75] as a practice in which multiple privilege attributes are required to achieve access to a restricted resource.
A good example of this is multifactor user authentication, which requires the use of
multiple techniques, such as a password and a smart card, to authorize a user. The
term is also now applied to any technique in which a program is divided into parts
that are limited to the specific privileges they require in order to perform a specific
task. This is used to mitigate the potential damage of a computer security attack.
One example of this latter interpretation of the principle is removing high privilege
operations to another process and running that process with the higher privileges
required to perform its tasks. Day-to-day interfaces are executed in a lower privileged process.
Least privilege means that every process and every user of the system should
operate using the least set of privileges necessary to perform the task. A good
example of the use of this principle is role-based access control. The system security
policy can identify and define the various roles of users or processes. Each role is
assigned only those permissions needed to perform its functions. Each permission
specifies a permitted access to a particular resource (such as read and write access
to a specified file or directory, connect access to a given host and port). Unless a
permission is granted explicitly, the user or process should not be able to access the
protected resource. More generally, any access control system should allow each
user only the privileges that are authorized for that user. There is also a temporal
aspect to the least privilege principle. For example, system programs or administrators who have special privileges should have those privileges only when necessary;
36
CHAPTER 1 / COMPUTER AND NETWORK SECURITY CONCEPTS
when they are doing ordinary activities the privileges should be withdrawn. Leaving
them in place just opens the door to accidents.
Least common mechanism means that the design should minimize the functions shared by different users, providing mutual security. This principle helps
reduce the number of unintended communication paths and reduces the amount of
hardware and software on which all users depend, thus making it easier to verify if
there are any undesirable security implications.
Psychological acceptability implies that the security mechanisms should not
interfere unduly with the work of users, while at the same time meeting the needs of
those who authorize access. If security mechanisms hinder the usability or accessibility of resources, then users may opt to turn off those mechanisms. Where possible,
security mechanisms should be transparent to the users of the system or at most
introduce minimal obstruction. In addition to not being intrusive or burdensome,
security procedures must reflect the user’s mental model of protection. If the protection procedures do not make sense to the user or if the user must translate his image
of protection into a substantially different protocol, the user is likely to make errors.
Isolation is a principle that applies in three contexts. First, public access systems should be isolated from critical resources (data, processes, etc.) to prevent disclosure or tampering. In cases where the sensitivity or criticality of the information
is high, organizations may want to limit the number of systems on which that data is
stored and isolate them, either physically or logically. Physical isolation may include
ensuring that no physical connection exists between an organization’s public access
information resources and an organization’s critical information. When implementing logical isolation solutions, layers of security services and mechanisms should be
established between public systems and secure systems responsible for protecting
critical resources. Second, the processes and files of individual users should be isolated from one another except where it is explicitly desired. All modern operating
systems provide facilities for such isolation, so that individual users have separate,
isolated process space, memory space, and file space, with protections for preventing unauthorized access. And finally, security mechanisms should be isolated in the
sense of preventing access to those mechanisms. For example, logical access control
may provide a means of isolating cryptographic software from other parts of the
host system and for protecting cryptographic software from tampering and the keys
from replacement or disclosure.
Encapsulation can be viewed as a specific form of isolation based on objectoriented functionality. Protection is provided by encapsulating a collection of procedures and data objects in a domain of its own so that the internal structure of a
data object is accessible only to the procedures of the protected subsystem, and the
procedures may be called only at designated domain entry points.
Modularity in the context of security refers both to the development of security
functions as separate, protected modules and to the use of a modular architecture for
mechanism design and implementation. With respect to the use of separate security
modules, the design goal here is to provide common ...
Purchase answer to see full
attachment