ABSTRACT all kinds of entrepreneurial activities, and must

ABSTRACT The continuous development of computer network system brings both a great experience and convenience but new security threats for users. Computer security problem generally includes network system security and data security. Specifically, it refers to the reliability of network system, confidentiality, integrity and availability of data information in the system. Network security problem exists through all the layers of the computer network, and the network security objective is to maintain the confidentiality, authenticity, integrity, dependability, availability and audit-ability of the network. This paper mainly aims to discuss about the basic concepts,implementations of security mechanisms, Policies and latest threats of various systems that are upcoming today. Keywords Goals,  Cryptography, Cryptanalysis, Access  Control  Lists,Mechanisms, Bell-LaPadula, Biba. 1. INTRODUCTION Computer security should be seen as a basic management task. It is an extension of the duty to protect the organization’s assets against misuse or loss. Also, the information stored and processed by computers is the most significant asset of most organizations. (Some prefer to the use the term information security to describe the process of protecting computing. It plays a major role in ensuring an organization’s ability to survive as what the law calls a going concern. Increasingly, maintaining this process will involve ensuring that the organization is complying with relevant statutory and regulatory agency requirements.) Information is inevitable in all kinds of entrepreneurial activities, and must be therefore protected as assets. Information security may be assured in various ways, including related policies, processes, procedures, organizational structures, software programs and hardware equipment able to eliminate many sources of safety jeopardizing such as espionage, computer fraud and deceit, sabotage, vandalism, fire or water. Computer Security is the protection of computing systems and the data that they store or access. How many attacks to computers on campus do you think take place everyday? l Thousands of attacks per minute bombard our campus network. l An unprotected computer can become infected or compromised within a few seconds after it is connected to the network. l A compromised computer is a hazard to everyone else, too – not just to you. 2. BASIC CONCEPTS 2.1 Goals of Security: Computer security rests on Confidentiality, Integrity and Availability that is CIA. The interpretation of these aspects vary, as do the contexts in which they arise. The interpretation of aspect in a given environment is dictated by the needs of the individuals, customs and laws of particular organizations. But we can define it in a general way as follows- 1. Confidentiality Confidentiality is the concealment of information or resources. The need of keeping information secret arises from the use of computer in sensitive fields such as government. Ex-Military,banks. 2. Integrity Integrity refers to the trustworthiness of data or resources and it usually phrased in terms of preventing improper or unauthorized change. Integrity includes data integrity(Content information) and origin integrity(the source of data often called authentication). 3. Availability Availability refers to the ability to use the information or resource desired. Computer security professionals usually address three common challenges to availability: Denial of service (DoS) due to intentional attacks or because of undiscovered flaws in implementation (for example, a program written by a programmer who is unaware of a flaw that could crash the program if a certain unexpected input is encountered).Loss of information system capabilities because of natural disasters (fires, floods, storms, or earthquakes) or human actions (bombs or strikes). And Equipment failures during normal use.10 2.2 Threats: A threat, in the context of computer security, refers to anything that has the potential to cause serious harm to a computer system. A threat is something that may or may not happen, but has the potential to cause serious damage. Threats can lead to attacks on computer systems, networks and more. 2.3 Cryptography: Cryptography means secret writing. Basically writing text in secret form such that it’s not understandable to attackers. Cryptanalysis is the breaking of codes. The basic component of cryptography is Cryptosystem. 2.4 Policies: A. Security Policies-A security model is a model that represents a particular policy or set of policies. A model abstracts details relevant for analysis. Analyses rarely discuss particular policies; they usually focus on specific characteristics of policies, because many policies exhibit these characteristics; and the more policies with those characteristics, the more useful the analysis. By the HRU result, no single nontrivial analysis can cover all policies, but restricting the class of security policies

sufficiently allows meaningful analysis of that class of policies. B.Confidentiality Policies- Confidentiality is one of the factors of privacy, an issue recognized in the laws of many government entities (such as the Privacy Act of the United States and similar legislation in Sweden). Aside from constraining what information a government entity can legally obtain from individuals, such acts place constraints on the disclosure and use of that information. Unauthorized disclosure can result in penalties that include jail or fines; also, such disclosure undermines the authority and respect that individuals have for the government and inhibits them from disclosing that type of information to the agencies so compromised. I. The Bell – LaPadula Model- The simplest type of confidentiality classification is a set of security clearances arranged in a linear (total) ordering . These clearances represent sensitivity levels. The higher the security clearance, the more sensitive the information (and the greater the need to keep it confidential). A subject has a security clearance. In the figure, Claire’s security clearance is C (for CONFIDENTIAL), and Thomas’ is TS (for TOP SECRET). An object has a security classification; the security classification of the electronic mail files is S (for SECRET), and that of the telephone list files is UC (for UNCLASSIFIED). (When we refer to both subject clearances and object classifications, we use the term “classification.”) The goal of the Bell-LaPadula security model is to prevent read access to objects at a security classification higher than the subject’s clearance. The Bell-LaPadula security model combines mandatory and discretionary access controls. In what follows, “S has discretionary read (write) access to O” means that the access control matrix entry for S and O corresponding to the discretionary access control component contains a read (write) right. In other words, were the mandatory controls not present, S would be able to read (write) O.        Figure 1 : Classification of model  C. Integrity Policies 1. Biba Integrity Model- In 1977, Biba studied the nature of the integrity of systems. In his model, a system consists of a set S of subjects, a set O of objects, and a set I of integrity levels.1 The levels are ordered. The relation ? ? I × I holds when the second integrity level either dominates or is the same as the first. The function i:S ? O?I returns the integrity level of an object or a subject. 2. Clark Wilsoon Integrity Models In 1987, David Clark and David Wilson developed an integrity model radically different from previous models. This model uses transactions as the basic operation, which models many commercial systems more realistically than previous models. One main concern of a commercial environment, as discussed above, is the integrity of the data in the system and of the actions performed on that data. The data is said to be in a consistent state (or consistent) if it satisfies given properties. For example, let D be the amount of money deposited so far today, W the amount of money withdrawn so far today, YB the amount of money in all accounts at the end of yesterday, and TB the amount of money in all accounts so far today. Then the consistency property is D + YB – W = TB Before and after each action, the consistency conditions must hold. A well-formed transaction is a series of operations that transitionthe system from one consistent state to another consistent state. For example, if a depositor transfers money from one account to another, the transaction is the transfer; two operations, the deduction from the first account and the addition to the second account, make up this transaction. Each operation may leave the data in an inconsistent state, but the well-formed transaction must preserve consistency. 3. IMPLEMENTATION – I Implementing Computer security techniques fall under following types: 3.1 Cryptography- The art or science encompassing the principles and methods of transforming an intelligible message into one that is unintelligible, and then re-transforming that message back to its original form.The classical Cryptosystem consists of following types- 1. Transposition Cipher- A transposition cipher is a method of encryption by which the positions held by units of plain text (which are commonly characters or groups of characters) are shifted according to a regular system, so that the cipher text constitutes a permutation of the plain text. 2. Substitution cipher- A substitution cipher is a method of encrypting by which units of plain text are replaced with cipher text, according to a fixed system; the “units” may be single letters (the most common), pairs of letters, triplets of letters, mixtures of the above, and so forth. 3. Vigenère cipher- The Vigenère cipher is a method of encrypting alphabetic text by using a series of interwoven Caesar ciphers based on the letters of a keyword. 4. One time pad- In this technique, a plain text is paired with a random secret key (also referred to as a one-time pad). Then, each bit or character of the plain text is encrypted by combining it with the corresponding bit or character from the pad using modular addition. If the key is truly random, is at least as long as the plain text, is never reused in whole or in part, and is kept completely secret, then the resulting ciphertext will be impossible to decrypt or break.  5. Public key Cryptosystem- PKC works in way illustrated in following figure.        Figure 2 : Working of Public Key Cryptosystem There are 2 types of PKCs as follows:  a Diffie-Hellman It was the first PKC proposed. It is based on Discrete Logarithm Problem. b. RSA It is an exponential cipher. This type of cipher is even used today. (Note: Algorithms to be followed in section)     4. IMPLEMENTATION – II Protecting cryptographic keys may sound simple: just put the key into file and use operating system access control mechanisms to protect it. But as we know in a number of ways these mechanisms can be compromised leading to keys getting invaded. In this section we discuss some mechanisms to prevent keys. Following are some key management techniques. 1. Kerberos Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users. Unlike most other authentication schemes described in this book, Kerberos relies exclusively on symmetric encryption, making no use of public-key encryption.              2. Key escrow (also known as a “fair” Cryptosystem) is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys. Key escrow is a data security measure in which a cryptographic key is entrusted to a third party (i.e., kept in escrow). Under normal circumstances, the key is not released to someone other than the sender or receiver without proper authorization. For the above key management techniques, various authentication techniques are used for verifying the user authenticity. Techniques include following:1. Passwords2. Challenge-Response (OTP)3. Biometric a. Fingerprint b. Face recognitionc. Retina Scand. Face scane. Voice recognitionA combination of above three techniques is used for authenticity of users.  Access Control is a set of controls to restrict access to certain resources. If we think about it, access controls are everywhere around us. A door to your room, the guards allowing you to enter the office building on seeing your access card, swiping your card and scanning your fingers on the biometric system, a queue for food at the canteen or entering your credentials to access FB, all are examples of various types of access control. Here we focus only on the logical Access Control mechanisms. 1. Discretionary Access Control (DAC) Discretionary access controls base access rights on the identity of the subject and the identity of the object involved. Identity is the key; the owner of the object constrains who can access it by allowing only particular subjects to have access. The owner states the constraint in terms of the identity of the subject, or the owner of the subject.  EXAMPLE: Suppose a child keeps a diary. The child controls access to the diary, because she can allow someone to read it (grant read access) or not allow someone to read it (deny read access). The child allows her mother to read it, but no one else. This is a discretionary access control because access to the diary is based on the identity of the subject (mom) requesting read access to the object (the diary). 2. Mandatory Access Control (MAC) When a system mechanism controls access to an object and an individual user cannot alter that access, the control is a mandatory access control (MAC), occasionally called a rule-based access control. The operating system enforces mandatory access controls. Neither the subject nor the owner of the object can determine whether access is granted. Typically, the system mechanism will check information associated with both the subject and the object to determine whether the subject should access the object. Rules describe the conditions under which access is allowed.  EXAMPLE: The law allows a court to access driving records without the owners’ permission. This is a mandatory control, because the owner of the record has no control over the court’s accessing the information. 3. Role Based Access Control (RBAC) RBAC is the buzzword across enterprises today. In this model the access to a resource is governed based on the role that the subject holds within an organization. RBAC is also known as non-discretionary Access Control because the user inherits privileges that are tied to his role. The user does not have a control over the role that he will be assigned. Each of the above Access Models has its own advantages and disadvantages. The selection of the appropriate Access Model by an organization should be done by considering various factors such as type of business, no of users, organization’s security policy etc. 4. Access Control lists(ACLs) An obvious variant of the access control matrix is to store each column with the object it represents. Thus, each object has associated with it a set of pairs, with each pair containing a subject and a set of rights. The named subject can access the associated object using any of those rights. More formally:Let S be the set of subjects, and R the set of rights, of a system. An access control list (ACL) l is a set of pairs l = { (s, r) : s ? S, r ? R }. Let acl be a function that determines the access control list l associated with a particular object o. The interpretation of the access control list acl(o) = { (si , ri ) : 1 ? i ? n } is that subject si may access o using any right in ri . 5. STEPWISE EXPLANATION OFALGORITHMS 1. Diffie-Hellman               2. RSA * Generating Public key:Select two prime no’s. Suppose P = 53 and Q = 59. Now First part of the Public key : n = P*Q = 3127. We also need a small exponent say e : But e Must be An integer. Not be a factor of n. 1

We Will Write a Custom Essay Specifically
For You For Only $13.90/page!


order now

Written by