Assignments on

Data and Network Security

ITEC-4111
Prepared By: Muhammad Shahid Azeem MPhil (CS) M Phil. (Network Security) 1|Page
Lecturer CS/IT 0300-6584683
Downloaded from: www.educationhub.pk
 Dedication

All glories praises and gratitude to Almighty Allah Pak, who blessed
us with a super, unequalled processor! Brain…

I dedicate all of my efforts to my students who gave me an urge and

inspiration to work more.
I also dedicate this piece of effort to my family members who always
support me to move on. Especially, my father (Ch. Ali Muhammad) who
pushed me ever and makes me to stand at this position today.

Muhammad Shahid Azeem

Author

Prepared By: Muhammad Shahid Azeem MPhil (CS) M Phil. (Network Security) 2|Page
Lecturer CS/IT 0300-6584683
Downloaded from: www.educationhub.pk
 Course Outlines

Course Title: NETWORK SECURITY

Course Code: ITEC4111
Credit Hours: 3(3+0)
Objectives: The main objectives of this course are to:
· Introduce computer and network security concepts.
· Understand basic cryptography concepts.
· Get the knowledge about VPNs, Firewalls, Viruses.
Course Outline:
Introduction: Computer Security, Network security, Information security, Security Trends, OSI
Security architecture.
Security Basics: Security attacks, Services, Mechanisms, Model.
Classical Cryptography: Symmetric cipher model, Substitution and transposition Technique,
Cryptography and cryptanalysis, Modular arithmetic. Caesar cipher, Vigenere cipher. Mono-
alphabetic and polyalphabetic ciphers, Playfair cipher, Hill cipher
Stream Ciphers and Block Ciphers: Data Encryption Standard (DES), General depiction of
DES algorithm.
Advance Encryption Standard (AES): How AES works, Placement of encryption functions,
link versus End-to-End encryption. Traffic confidentiality
Key Distribution: Key distribution, Different key distribution approaches.
Message Authentication: Authentication requirements, Authentication functions, MAC and
hash functions.
Public Key Cryptography: Public key cryptosystems, RSA Algorithm, Key management in
Cryptographic systems, Diffie-Hellman Key Exchange
Digital Signatures: Digital Signature requirements, Direct and arbitrated digital Signatures,
Mutual and One-way authentication, Digital Signature Standard (DSS).
Authentication Applications: Kerberos, How Kerberos works?
PKI, Authentication Service: X.509 Certificates, Public key infrastructure.
Firewalls: What is firewall, Access control policy, Firewall functions, Firewall types, Windows
based firewalls, Linux based firewalls.
Virtual Private Network: VPN basics and theory, How VPN works. VPN configuration and
testing on windows operating system.

Prepared By: Muhammad Shahid Azeem MPhil (CS) M Phil. (Network Security) 3|Page
Lecturer CS/IT 0300-6584683
Downloaded from: www.educationhub.pk
IP Security: IP Security, Applications of IPSec, Benefits of IP Sec, IP Security architecture. IP
security services, Transport and tunnel modes.
Email Security: PGP, S/MIME.
Web Security: SSL, TLS, SET.
Operating System Checklists: Operating system security checklists, Disaster prevention and
recovery.
Security Threats: Viruses, Trojans and worms, Types of viruses, Antivirus approaches.
Recommended Books:
1. W. Stallings, Cryptography and Network Security, Prentice Hall PTR, Upper Saddle River,
NJ,2003.
2. Kaufman, R. Perlman, M. Speciner, Network Security: Private Communication in a Public
World Prentice Hall PTR, Upper Saddle River, NJ,2002.
3. M. Bishop, Computer Security: Art and Science Addison-Wesley,2003
4. Stinson, Cryptography: Theory and Practice, CRC Press, Boca Raton, FL.1995.
5. Richard A. Mollin, an Introduction to Cryptography, Chapman and Hall/CRC, 2001.
6. B. Schneier, Applied Cryptography, John Wiley and Sons, NY,1996.
7. Menezes, P. Oorshcot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press,
Boca Raton, FL,1997.

Prepared By: Muhammad Shahid Azeem MPhil (CS) M Phil. (Network Security) 4|Page
Lecturer CS/IT 0300-6584683
Downloaded from: www.educationhub.pk
Table of Contents
Chapter 01 .............................................................................................................................. 10
Introduction............................................................................................................................ 10
1.1. Information Security ................................................................................................... 11
1.2. Computer Security ...................................................................................................... 11
1.1.1.1. Security Objectives .......................................................................................... 11
1.3. Network security......................................................................................................... 12
1.4. Security Trends ........................................................................................................... 12
1.5. OSI Security Architecture .......................................................................................... 14
1.1.1.2. Security Attacks ............................................................................................... 15
1.5.1.1. Passive Attacks ............................................................................................... 15
1.5.1.2. Active Attacks ................................................................................................ 15
1.1.1.3. Security Services ............................................................................................. 16
1.5.1.3. Authentication................................................................................................. 16
1.5.1.4. Access Control ................................................................................................ 17
1.5.1.5. Data Confidentiality........................................................................................ 17
1.5.1.6. Data Integrity .................................................................................................. 17
1.5.1.7. Nonrepudiation ............................................................................................... 18
1.5.1.8. Availability Service ........................................................................................ 18
1.1.1.4. Security Mechanisms ....................................................................................... 18
1.5.1.9. Encipherment .................................................................................................. 18
1.5.1.10. Digital Signature ........................................................................................... 18
1.5.1.11. Access Control .............................................................................................. 19
1.5.1.12. Data Integrity ................................................................................................ 19
1.5.1.13. Authentication Exchange .............................................................................. 19
1.5.1.14. Traffic Padding ............................................................................................. 19
1.5.1.15. Routing Control ............................................................................................ 19
1.5.1.16. Notarization .................................................................................................. 19
1.5.1.17. Trusted Functionality .................................................................................... 19
1.5.1.18. Security Label ............................................................................................... 19
Prepared By: Muhammad Shahid Azeem MPhil (CS) M Phil. (Network Security) 5|Page
Lecturer CS/IT 0300-6584683
Downloaded from: www.educationhub.pk
 1.5.1.19. Event Detection ............................................................................................ 19
1.5.1.20. Security Audit Trail ...................................................................................... 19
1.5.1.21. Security Recovery ......................................................................................... 19
1.6. Review Questions ....................................................................................................... 20
Chapter 02 .............................................................................................................................. 21
Classical Cryptography .......................................................................................................... 21
2.1. Symmetric Cipher Model ........................................................................................... 22
1.1.1.5. Cryptography ................................................................................................... 23
1.1.1.6. Cryptanalysis ................................................................................................... 24
2.2. History of Cryptography ............................................................................................. 26
1.1.1.7. Manual Systems ............................................................................................... 26
2.2.1.1. Scytale............................................................................................................. 26
2.2.1.2. Polybius Square .............................................................................................. 27
2.2.1.3. Caesar Cipher.................................................................................................. 27
2.2.1.4. Atbash cipher .................................................................................................. 27
1.1.1.8. Crypto Machines.............................................................................................. 27
1.1.1.9. The Enigma Machine....................................................................................... 28
1.1.1.10. Computers ........................................................................................................ 28
2.3. Cryptography from Muslim History (Medieval Cryptography) ................................. 28
2.4. CLASSICAL ENCRYPTION TECHNIQUES .......................................................... 29
1.1.1.11. Substitution Techniques .................................................................................. 29
2.4.1.1. Caesar Cipher.................................................................................................. 29
2.4.1.2. Playfair cipher ................................................................................................. 29
2.4.1.3. Hill Cipher ...................................................................................................... 30
2.4.1.4. Vigenere Cipher ............................................................................................. 32
1.1.1.12. Transposition Techniques ................................................................................ 34
Chapter 03 .............................................................................................................................. 35
Modern Cryptography ........................................................................................................... 35
3.1. Key Concepts in Modern Cryptography ..................................................................... 36
1.1.1.13. Confusion......................................................................................................... 36
Prepared By: Muhammad Shahid Azeem MPhil (CS) M Phil. (Network Security) 6|Page
Lecturer CS/IT 0300-6584683
Downloaded from: www.educationhub.pk
 1.1.1.14. Diffusion .......................................................................................................... 36
3.2. Block Cipher ............................................................................................................... 36
1.1.1.15. Example Of a Block Cipher............................................................................. 37
3.3. Stream Ciphers ........................................................................................................... 38
3.4. Modern-Day Encryption Techniques ......................................................................... 38
1.1.1.16. Symmetric Key Algorithms ............................................................................. 38
1.1.1.17. Data Encryption Standard (DES) .................................................................... 39
1.1.1.18. DES Encryption ............................................................................................... 40
1.1.1.19. Details of Single Round ................................................................................... 41
1.1.1.20. The Strength of DES........................................................................................ 44
Chapter 04 .............................................................................................................................. 46
Firewall .................................................................................................................................. 46
4.1. Firewall ....................................................................................................................... 47
4.2. Firewall Basics ........................................................................................................... 47
4.3. Firewall Characteristics .............................................................................................. 48
4.3.1. Design goals for a firewall ...................................................................................... 48
4.3.2. General techniques in firewalls ............................................................................... 48
4.4. Types of Firewalls ...................................................................................................... 49
4.4.1. Packet Filtering ....................................................................................................... 49
4.4.2. Stateless Filtering .................................................................................................... 49
4.4.3. Stateful Filtering ..................................................................................................... 50
4.4.4. Deep packet layer inspection .................................................................................. 50
Chapter 05 .............................................................................................................................. 52
Advance Encryption Standard ............................................................................................... 52
5.1. Introduction ................................................................................................................ 53
5.2. Evaluation Criteria For AES....................................................................................... 53
5.2.1. The Origins of AES ................................................................................................ 53
5.2.2. AES Evaluation ....................................................................................................... 54
5.3. The AES Cipher.......................................................................................................... 55
5.3.1. Sub Bytes: ............................................................................................................... 58
Prepared By: Muhammad Shahid Azeem MPhil (CS) M Phil. (Network Security) 7|Page
Lecturer CS/IT 0300-6584683
Downloaded from: www.educationhub.pk
5.3.2. ShifRows:................................................................................................................ 59
5.3.3. MixColumns: .......................................................................................................... 59
5.3.4. Addroundkey........................................................................................................... 60
Chapter 06 .............................................................................................................................. 61
Message Authentication......................................................................................................... 61
6.1. Message Authentication ............................................................................................. 62
6.2. Authentication Requirements ..................................................................................... 62
6.3. Authentication Functions ............................................................................................ 62
6.3.1. Message Encryption ................................................................................................ 63
6.3.2. Message Authentication Code (Mac)...................................................................... 65
6.3.3. Hash Function ......................................................................................................... 66
6.3.3.1. Requirements for a Hash Function ...................................................................... 68
6.3.3.2. Simple Hash Functions........................................................................................ 68

Prepared By: Muhammad Shahid Azeem MPhil (CS) M Phil. (Network Security) 8|Page
Lecturer CS/IT 0300-6584683
Downloaded from: www.educationhub.pk
Prepared By: Muhammad Shahid Azeem MPhil (CS) M Phil. (Network Security) 9|Page
Lecturer CS/IT 0300-6584683
Downloaded from: www.educationhub.pk
 Chapter 01
Introduction

Prepared By: Muhammad Shahid Azeem MPhil (CS) M Phil. (Network Security) 10 | P a g e
Lecturer CS/IT 0300-6584683
Downloaded from: www.educationhub.pk
1.1. Information Security
The requirements of information security within an organization have undergone two major
changes in the last several decades. Before the widespread use of data processing equipment, the
security of information felt to be valuable to an organization was provided primarily by physical
and administrative means. An example of the former is the use of rugged filing cabinets with a
combination lock for storing sensitive documents. An example of the latter is personnel
screening procedures used during the hiring process.

1.2. Computer Security

The protection afforded to an automated information system in order to attain the applicable
objectives of preserving the integrity, availability, and confidentiality of information system
resources (includes hardware, software, firmware, information/ data, and telecommunications).
1.1.1.1. Security Objectives
When performing security tasks, security professionals try to protect their environments as
effectively as possible. These actions can also be described as protecting confidentiality,
integrity, and availability (CIA), or maintaining CIA. CIA stands for
 Confidentiality: Ensure that no data is disclosed intentionally or unintentionally. It covers
two related concepts:
Data confidentiality: Assures that private or confidential information is not made
available or disclosed to unauthorized individuals.
Privacy: Assures that individuals control or influence what information related to
them may be collected and stored and by whom and to whom that information may be
disclosed.
 Integrity: Make sure that no data is modified by unauthorized personnel, that no
unauthorized changes are made by authorized personnel, and that the data remains
consistent, both internally and externally. This term covers two related concepts:
Data integrity: Assures that information and programs are changed only in a
specified and authorized manner.
System integrity: Assures that a system performs its intended function in an
unaffected manner, free from deliberate or inadvertent unauthorized manipulation of
the system.
 Availability: Assures that systems work promptly and service is not denied to authorized
users. Availability also ensures timely and reliable access to and use of information. A loss
of availability is the disruption of access to or use of information or an information system.

Prepared By: Muhammad Shahid Azeem MPhil (CS) M Phil. (Network Security) 11 | P a g e
Lecturer CS/IT 0300-6584683
Downloaded from: www.educationhub.pk
Although the use of the CIA triad to define security objectives is well established, some in the
security field feel that additional concepts are needed to present a complete picture. Two of the
most commonly mentioned are
 Authenticity: The property of being genuine and being able to be verified and trusted;
confidence in the validity of a transmission, a message, or message originator. This means
verifying that users are who they say they are and that each input arriving at the system
came from a trusted source.
 Accountability: The security goal that generates the requirement for actions of an entity to
be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation,
intrusion detection and prevention, and after-action recovery and legal action. Because
truly secure systems are not yet an achievable goal, users must be able to trace a security
breach to a responsible party. Systems must keep records of their activities to permit later
forensic analysis to trace security breaches or to aid in transaction disputes.
1.3. Network security
Network security is the protection of the underlying networking infrastructure from
unauthorized access, misuse, or theft. It involves creating a secure infrastructure for devices,
applications, users, and applications to work in a secure manner.
Introduction of distributed systems and the use of networks and communications facilities
for carrying data between terminal user and computer and between computer and computer.
Network security measures are needed to protect data during their transmission.

1.4. Security Trends

In 1994, the Internet Architecture Board (IAB) issued a report entitled "Security in the
Internet Architecture" (RFC 1636). The report stated the general consensus that the Internet
needs more and better security, and it identified key areas for security mechanisms. Among these
were the need to secure the network infrastructure from unauthorized monitoring and control of
network traffic and the need to secure end-user-to-end-user traffic using authentication and
encryption mechanisms.
These concerns are fully justified. As confirmation, consider the trends reported by the
Computer Emergency Response Team (CERT) Coordination Center (CERT/CC). Figure 1.1a
shows the trend in Internet-related vulnerabilities reported to CERT over a 10-year period. These
include security weaknesses in the operating systems of attached computers (e.g., Windows,
Linux) as well as vulnerabilities in Internet routers and other network devices. Figure 1.1b shows
the number of security related incidents reported to CERT. These include denial of service
attacks; IP spoofing, in which intruders create packets with false IP addresses and exploit
applications that use authentication based on IP; and various forms of eavesdropping and packet
sniffing, in which attackers read transmitted information, including logon information and
database contents.

Prepared By: Muhammad Shahid Azeem MPhil (CS) M Phil. (Network Security) 12 | P a g e
Lecturer CS/IT 0300-6584683
Downloaded from: www.educationhub.pk
 Figure 1.1: CERT Statistics

Over time, the attacks on the Internet and Internet-attached systems have grown more
sophisticated while the amount of skill and knowledge required to mount an attack has declined
(Figure 1.2). Attacks have become more automated and can cause greater amounts of damage.
This increase in attacks coincides with an increased use of the Internet and with increases in
the complexity of protocols, applications, and the Internet itself. Critical infrastructures
increasingly rely on the Internet for operations. Individual users rely on the security of the
Internet, email, the Web, and Web-based applications to a greater extent than ever. Thus, a wide
range of technologies and tools are needed to counter the growing threat. At a basic level,
cryptographic algorithms for confidentiality and authentication assume greater importance. As
well, designers need to focus on Internet-based protocols and the vulnerabilities of attached
operating systems and applications. This book surveys all of these technical areas.
Figure 1.2. Trends in Attack Sophistication and Intruder Knowledge

Prepared By: Muhammad Shahid Azeem MPhil (CS) M Phil. (Network Security) 13 | P a g e
Lecturer CS/IT 0300-6584683
Downloaded from: www.educationhub.pk
1.5. OSI Security Architecture
To assess effectively the security needs of an organization and to evaluate and choose
various security products and policies, the manager responsible for security needs some
systematic way of defining the requirements for security and characterizing the approaches to
satisfying those requirements. This is difficult enough in a centralized data processing
environment; with the use of local and wide area networks, the problems are compounded.
ITU-T Recommendation X.800, Security Architecture for OSI, defines such a systematic
approach.
The OSI security architecture is useful to managers as a way of organizing the task of
providing security. Furthermore, because this architecture was developed as an international
standard, computer and communications vendors have developed security features for their
products and services that relate to this structured definition of services and mechanisms.
For our purposes, the OSI security architecture provides a useful, if abstract, overview of
many of the concepts. The OSI security architecture focuses on security attacks,
mechanisms, and services. These can be defined briefly as follows:
 Security attack: Any action that compromises the security of information owned by an
organization.
 Security mechanism: A process (or a device incorporating such a process) that is designed
to detect, prevent, or recover from a security attack.
Prepared By: Muhammad Shahid Azeem MPhil (CS) M Phil. (Network Security) 14 | P a g e
Lecturer CS/IT 0300-6584683
Downloaded from: www.educationhub.pk
  Security service: A processing or communication service that enhances the security of the
data processing systems and the information transfers of an organization. The services are
intended to counter security attacks, and they make use of one or more security
mechanisms to provide the service.
1.1.1.2. Security Attacks
A useful means of classifying security attacks, used both in X.800 and RFC 2828, is in terms
of passive attacks and active attacks. A passive attack attempts to learn or make use of
information from the system but does not affect system resources. An active attack attempts to
alter system resources or affect their operation.
1.5.1.1. Passive Attacks
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The
goal of the opponent is to obtain information that is being transmitted. Two types of passive
attacks are release of message contents and traffic analysis.
The release of message contents is easily understood. A telephone conversation, an
electronic mail message, and a transferred file may contain sensitive or confidential information.
We would like to prevent an opponent from learning the contents of these transmissions.
A second type of passive attack, traffic analysis, is subtler. Suppose that we had a way of
masking the contents of messages or other information traffic so that opponents, even if they
captured the message, could not extract the information from the message. The common
technique for masking contents is encryption. If we had encryption protection in place, an
opponent might still be able to observe the pattern of these messages. The opponent could
determine the location and identity of communicating hosts and could observe the frequency and
length of messages being exchanged. This information might be useful in guessing the nature of
the communication that was taking place.
Passive attacks are very difficult to detect because they do not involve any alteration of the
data.
Typically, the message traffic is sent and received in an apparently normal fashion and
neither the sender nor receiver is aware that a third party has read the messages or observed the
traffic pattern.
However, it is feasible to prevent the success of these attacks, usually by means of
encryption. Thus, the emphasis in dealing with passive attacks is on prevention rather than
detection.
1.5.1.2. Active Attacks
Active attacks involve some modification of the data stream or the creation of a false stream
and can be subdivided into four categories: masquerade, replay, modification of messages, and
denial of service.
A masquerade takes place when one entity pretends to be a different entity. A masquerade
attack usually includes one of the other forms of active attack. For example, authentication
sequences can be captured and replayed after a valid authentication sequence has taken place,

Prepared By: Muhammad Shahid Azeem MPhil (CS) M Phil. (Network Security) 15 | P a g e
Lecturer CS/IT 0300-6584683
Downloaded from: www.educationhub.pk
thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating
an entity that has those privileges.
Replay involves the passive capture of a data unit and its subsequent retransmission to produce
an unauthorized effect.
Modification of messages simply means that some portion of a legitimate message is altered, or
that messages are delayed or reordered, to produce an unauthorized effect. For example, a
message meaning "Allow John Smith to read confidential file accounts" is modified to mean
"Allow Fred Brown to read confidential file accounts."
Denial of service (DOS) prevents or inhibits the normal use or management of communications
facilities. This attack may have a specific target; for example, an entity may suppress all
messages directed to a particular destination (e.g., the security audit service). Another form of
service denial is the disruption of an entire network, either by disabling the network or by
overloading it with messages so as to degrade performance.
Active attacks present the opposite characteristics of passive attacks. Whereas passive
attacks are difficult to detect, measures are available to prevent their success. On the other hand,
it is quite difficult to prevent active attacks absolutely, because of the wide variety of potential
physical, software, and network vulnerabilities. Instead, the goal is to detect active attacks and to
recover from any disruption or delays caused by them. If the detection has a deterrent effect, it
may also contribute to prevention.

1.1.1.3. Security Services

X.800 defines a security service as a service provided by a protocol layer of communicating
open systems, which ensures adequate security of the systems or of data transfers. Security
Service is a processing or communication service that is provided by a system to give a specific
kind of protection to system resources; security services implement security policies and are
implemented by security mechanisms.
1.5.1.3. Authentication
The authentication service is concerned with assuring that a communication is authentic. In
the case of a single message, such as a warning or alarm signal, the function of the authentication
service is to assure the destination that the message is from the valid source (source that it claims
to be from).
In the case of an ongoing interaction, such as the connection of a terminal to a host, two
aspects are involved. First, at the time of connection initiation, the service assures that the two
entities are authentic, that is, that each is the entity that it claims to be. Second, the service must
assure that the connection is not interfered with in such a way that a third party can masquerade
as one of the two legitimate parties for the purposes of unauthorized transmission or reception.
Two specific authentication services are:
● Peer entity authentication: Provides for the validation of the identity of a peer entity in an
association. It is provided for use at the establishment of, or at times during the data transfer
Prepared By: Muhammad Shahid Azeem MPhil (CS) M Phil. (Network Security) 16 | P a g e
Lecturer CS/IT 0300-6584683
Downloaded from: www.educationhub.pk
phase of, a connection. It attempts to provide confidence that an entity is not performing either a
masquerade or an unauthorized replay of a previous connection.
● Data origin authentication: Provides for the validation of the source of a data unit. It does not
provide protection against the duplication or modification of data units. This type of service
supports applications like electronic mail where there are no prior interactions between the
communicating entities.
1.5.1.4. Access Control
In the context of network security, access control is the ability to limit and control the access
to host systems and applications via communications links. To achieve this, each entity trying to
gain access must first be identified, or authenticated, so that access rights can be tailored to the
individual.
1.5.1.5. Data Confidentiality
Confidentiality is the protection of transmitted data from passive attacks. With respect to the
content of a data transmission, several levels of protection can be identified. The broadest service
protects all user data transmitted between two users over a period of time. For example, when a
TCP connection is setup between two systems, this broad protection prevents the release of any
user data transmitted over the TCP connection. Narrower forms of this service can also be
defined, including the protection of a single message or even specific fields within a message.
These refinements are less useful than the broad approach and may even be more complex and
expensive to implement.
The other aspect of confidentiality is the protection of traffic flow from analysis. This
requires that an attacker not be able to observe the source and destination, frequency, length, or
other characteristics of the traffic on a communications facility.
1.5.1.6. Data Integrity
As with confidentiality, integrity can apply to a stream of messages, a single message, or
selected fields within a message. Again, the most useful and straightforward approach is total
stream protection.
A connection-oriented integrity service, one that deals with a stream of messages, assures
that messages are received as sent, with no duplication, insertion, modification, reordering, or
replays. The destruction of data is also covered under this service. Thus, the connection-oriented
integrity service addresses both message stream modification and denial of service. On the other
hand, a connectionless integrity service, one that deals with individual messages without regard
to any larger context, generally provides protection against message modification only.
We can make a distinction between the service with and without recovery. Because the
integrity service relates to active attacks, we are concerned with detection rather than prevention.
If a violation of integrity is detected, then the service may simply report this violation, and some

Prepared By: Muhammad Shahid Azeem MPhil (CS) M Phil. (Network Security) 17 | P a g e
Lecturer CS/IT 0300-6584683
Downloaded from: www.educationhub.pk
other portion of software or human intervention is required to recover from the violation.
Alternatively, there are mechanisms available to recover from the loss of integrity of data, as we
will review subsequently. The incorporation of automated recovery mechanisms is, in general,
the more attractive alternative.
1.5.1.7. Nonrepudiation
Nonrepudiation prevents either sender or receiver from denying a transmitted message.
Thus, when a message is sent, the receiver can prove that the alleged sender in fact sent the
message. Similarly, when a message is received, the sender can prove that the alleged receiver in
fact received the message.
1.5.1.8. Availability Service
Availability is the property of a system or a system resource being accessible and usable
upon demand by an authorized system entity, according to performance specifications for the
system (i.e., a system is available if it provides services according to the system design whenever
users request them). A variety of attacks can result in the loss of or reduction in availability.
Some of these attacks are amenable to automated countermeasures, such as authentication and
encryption, whereas others require some sort of physical action to prevent or recover from loss of
availability of elements of a distributed system.
X.800 treats availability as a property to be associated with various security services.
However, it makes sense to call out specifically an availability service. An availability service is
one that protects a system to ensure its availability. This service addresses the security concerns
raised by denial-of-service attacks. It depends on proper management and control of system
resources and thus depends on access control service and other security services.
1.1.1.4. Security Mechanisms
The mechanism that is built to identify any breach of security or attack on the organization, is
called a security mechanism. Security Mechanisms are also responsible for providing ways in
which an attack can be prevented as soon as it is detected. May be incorporated into the
appropriate protocol layer in order to provide some of the OSI security services.
1.5.1.9. Encipherment
The use of mathematical algorithms to transform data into a form that is not readily
intelligible. The transformation and subsequent recovery of the data depend on an algorithm and
zero or more encryption keys.
1.5.1.10. Digital Signature
Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of
the data unit to prove the source and integrity of the data unit and protect against forgery (e.g., by
the recipient).

Prepared By: Muhammad Shahid Azeem MPhil (CS) M Phil. (Network Security) 18 | P a g e
Lecturer CS/IT 0300-6584683
Downloaded from: www.educationhub.pk
1.5.1.11. Access Control
A variety of mechanisms that enforce access rights to resources.
1.5.1.12. Data Integrity
A variety of mechanisms used to assure the integrity of a data unit or stream of data units.
1.5.1.13. Authentication Exchange
A mechanism intended to ensure the identity of an entity by means of information exchange.
1.5.1.14. Traffic Padding
The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
1.5.1.15. Routing Control
Enables selection of particular physically secure routes for certain data and allows routing
changes, especially when a breach of security is suspected.
1.5.1.16. Notarization
The use of a trusted third party to assure certain properties of a data exchange.
PERVASIVE SECURITY MECHANISMS
Mechanisms that are not specific to any particular OSI security service or protocol layer.
1.5.1.17. Trusted Functionality
That which is perceived to be correct with respect to some criteria (e.g., as established by a
security policy).
1.5.1.18. Security Label
The marking bound to a resource (which may be a data unit) that names or designates the
security attributes of that resource.
1.5.1.19. Event Detection
Detection of security-relevant events.
1.5.1.20. Security Audit Trail
Data collected and potentially used to facilitate a security audit, which is an independent
review and examination of system records and activities.
1.5.1.21. Security Recovery
Deals with requests from mechanisms, such as event handling and management functions,
and takes recovery actions.

Prepared By: Muhammad Shahid Azeem MPhil (CS) M Phil. (Network Security) 19 | P a g e
Lecturer CS/IT 0300-6584683
Downloaded from: www.educationhub.pk
1.6. Review Questions

1. What is the OSI security architecture?

2. What is the difference between passive and active security threats?
3. List and briefly define categories of passive and active security attacks.
4. List and briefly define categories of security services.
5. List and briefly define categories of security mechanisms.

Prepared By: Muhammad Shahid Azeem MPhil (CS) M Phil. (Network Security) 20 | P a g e
Lecturer CS/IT 0300-6584683
Downloaded from: www.educationhub.pk