Module 7

Module 7 of BCSE309L covers E-mail, Web, and System Security, focusing on electronic mail security protocols like PGP and S/MIME, as well as web security considerations including Secure Electronic Transaction (SET). It discusses the functionalities of SMTP, POP3, and IMAP for email transmission, and outlines the importance of confidentiality, authentication, and integrity in secure communications. The module also details the roles of various participants in SET and the processes involved in secure payment transactions.

Uploaded by

Sp Sandeep
Copyright: © All Rights Reserved

BCSE309L - Cryptography and Network Security

Module 7
E-mail, Web and System Security

Dr. S. Renuka Devi
Professor
SCOPE
VIT Chennai Campus

1
Module Outline
 Electronic Mail Security
 Pretty Good Privacy (PGP)
 S/MIME
 Web Security
 Web Security Considerations
 Secure Electronic Transaction Protocol
 Intruders
 Intrusion Detection
 Password Management
 Firewalls
 Firewall Design Principles
 Trusted Systems

2
Electronic Mail Security

3
4
Email Protocols
 Two types of protocols are used for transferring email
 Simple Mail Transfer Protocol (SMTP) - used to move messages through the Internet from source to destination
 Post Office Protocol (POP)/Internet Mail Access Protocol (IMAP) - used to transfer messages between mail servers

5
SMTP
 SMTP encapsulates an email message in an
envelope and is used to relay the
encapsulated messages from source to
destination through multiple MTAs

 SMTP is a text-based client-server protocol

 Majority of commands are ASCII text messages

 Runs on top of TCP


6
7
SMTP
 STARTTLS - security-related extension for SMTP
 STARTTLS enables the addition of confidentiality and authentication in the exchange between SMTP agents

8
Post Office Protocol (POP3) / Internet Mail Access Protocol (IMAP)
 POP3 allows an email client (user agent) to download an email from an email server (MTA)
 POP3 user agents connect via TCP to the server (typically port 110)
 The user agent enters a username and password
 After authorization, the UA can issue POP3
 IMAP also enables an email client to access mail on an email server
 IMAP also uses TCP, with server TCP port 143
 IMAP is more complex than POP3
 IMAP provides stronger authentication than POP3 and provides other functions not supported by POP3

9
Pretty Good Privacy
 PGP provides a confidentiality and authentication
service that can be used for electronic mail and file
storage applications
 PGP has grown explosively and is now widely used
 A number of reasons can be cited for this growth
 It is available free worldwide
 It is based on extremely secure algorithms
 It has a wide range of applicability
 It was not developed by, nor is it controlled by, any governmental or standards organization
 PGP is now on an Internet standards track (RFC 3156; MIME Security with OpenPGP)

10
Operational Description
 PGP consists of four services:
 Authentication
 Confidentiality
 Compression
 E-mail compatibility

11
PGP – Authentication
 DSS/SHA-1 is used to generate the hash code of the message
 RSA is used for encryption

12
PGP - Confidentiality
 Symmetric encryption algorithm used - CAST-128, IDEA or 3DES (64-bit cipher feedback (CFB) mode is used)
 Session key is encrypted with RSA using the receiver’s public key
 Diffie-Hellman is also supported in PGP

13
PGP – Authentication plus
Confidentiality

14
PGP - Compression
 PGP compresses the message after applying the
signature but before encryption
 The signature is generated before compression
because it is preferable to sign an uncompressed
message so that one can store only the uncompressed
message together with the signature for future
verification
 Message encryption is applied after compression to
strengthen cryptographic security
 The compressed message has less redundancy than the original plaintext, so cryptanalysis is more difficult
 The compression algorithm used is ZIP

15
PGP – Email Compatibility
 Many electronic mail systems only permit the use of blocks consisting of ASCII text
 PGP provides the service of converting the raw 8-bit
binary stream to a stream of printable ASCII
characters
 Scheme used for this purpose is radix-64 conversion
 Each group of three octets of binary data is mapped
into four ASCII characters
 This format also appends a CRC to detect
transmission errors
 The use of radix 64 expands a message by 33%

16
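Radix-64 conversion with the appended CRC, as an added Python example that is not part of the slides: ASCII armor of a constructed byte string using the CRC-24 defined in RFC 4880, and a decoder that rejects a message whose CRC no longer matches, so a transmission error is caught before the PGP data is processed.

```python
import base64

# OpenPGP CRC-24 parameters (RFC 4880, section 6.1)
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

HEADER = "-----BEGIN PGP MESSAGE-----"
FOOTER = "-----END PGP MESSAGE-----"


def crc24(data: bytes) -> int:
    """CRC-24 as used by OpenPGP armor to detect transmission errors."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def radix64(data: bytes) -> str:
    """Map each group of three octets to four printable ASCII characters."""
    return base64.b64encode(data).decode("ascii")


def expansion_ratio(data: bytes) -> float:
    """Radix-64 output length divided by input length (4/3, i.e. about 33% growth)."""
    return len(radix64(data)) / len(data)


def armor(data: bytes, width: int = 64) -> str:
    """Produce an ASCII-armored message: radix-64 body lines plus a '=' CRC-24 line."""
    body = radix64(data)
    lines = [body[i:i + width] for i in range(0, len(body), width)]
    crc_line = "=" + radix64(crc24(data).to_bytes(3, "big"))
    return "\n".join([HEADER, ""] + lines + [crc_line, FOOTER])


def dearmor(text: str) -> bytes:
    """Decode an armored message and verify its CRC-24; raise ValueError if it was altered."""
    lines = text.strip().splitlines()
    if not lines or lines[0] != HEADER:
        raise ValueError("missing armor header line")
    # Armor headers (if any) end at the first blank line; the body follows it.
    start = lines.index("") + 1 if "" in lines else 1
    body, crc_field = [], None
    for line in lines[start:]:
        if line == FOOTER:
            break
        if line.startswith("="):          # body lines never start with '='
            crc_field = line[1:]
        else:
            body.append(line)
    if crc_field is None:
        raise ValueError("missing CRC-24 line")
    data = base64.b64decode("".join(body))
    expected = int.from_bytes(base64.b64decode(crc_field), "big")
    if crc24(data) != expected:
        raise ValueError("CRC-24 mismatch: armored message was altered in transit")
    return data


if __name__ == "__main__":
    sample = bytes(range(256)) * 3          # constructed stand-in for binary PGP output
    text = armor(sample)
    print(text)
    assert dearmor(text) == sample
    print("expansion ratio:", expansion_ratio(sample))
```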
17
Transmission of PGP messages

18
Reception of PGP messages

19
General format of PGP message

20
Private Key Ring

21
Public key ring

22
PGP message generation

23
PGP message reception

24
S/MIME (Secure Multipurpose
Internet Mail Extension)
 Security enhancement to the MIME Internet e-
mail format standard
 S/MIME is very similar to PGP
 Evolved from
 RFC 821
 RFC 5322
 MIME

25
S/MIME services

26
Email formats - RFC5322
 RFC5322 defines a format for text messages
that are sent using electronic mail
 It has been the standard for Internet-based
text mail messages
 An RFC 5322 message consists of some number of header lines (the header) followed by unrestricted text (the body)
 The header is separated from the body by a
blank line

27
Email formats - RFC5322

28
Email formats -Multipurpose Internet
Mail Extensions (MIME)
 Extension to the RFC 5322
 Intended to address some of the problems and
limitations of the use of Simple Mail Transfer
Protocol (SMTP)
 Limitations of the SMTP/5322 scheme
 SMTP cannot transmit executable files or other
binary objects
 SMTP cannot transmit text data that includes
national language characters
 SMTP servers may reject mail messages over a certain size

29
Email formats -MIME
 Limitations of the SMTP/5322 scheme
 SMTP gateways that translate between ASCII and the character code EBCDIC do not use a consistent set of mappings
 SMTP gateways to X.400 electronic mail networks cannot handle nontextual data
 SMTP implementations do not adhere completely to the SMTP standards defined in RFC 821

30
MIME
 The MIME specification includes the following elements
 Five new message header fields are defined, which may be included in an RFC 5322 header
 A number of content formats are defined, thus standardizing representations that support multimedia electronic mail
 Transfer encodings are defined that enable the conversion of any content format into a form that is protected from alteration by the mail system

31
MIME
 The five header fields defined in MIME are as
follows:
 MIME-Version: Must have the parameter value 1.0.
 Content-Type: Describes the data contained in the
body
 Content-Transfer-Encoding: Indicates the type of
transformation that has been used
 Content-ID: Used to identify MIME entities uniquely in
multiple contexts
 Content-Description: A text description of the object
with the body; this is useful when the object is not
readable (e.g., audio data)
32
MIME Content types

33
MIME Content types

34
MIME Transfer Encodings

35
S/MIME message content types
 Data: Refers to the inner MIME-encoded
message content, which may then be
encapsulated in a SignedData, EnvelopedData,
or CompressedData content type.
 SignedData: Used to apply a digital signature
to a message.
 EnvelopedData: This consists of encrypted
content of any type and encrypted content
encryption keys for one or more recipients.
 CompressedData: Used to apply data
compression to a message.
36
37
38
S/MIME messages - Enveloped Data
The steps for preparing an envelopedData MIME entity are:
1. Generate a pseudorandom session key for a particular symmetric encryption algorithm (RC2/40 or triple DES).
2. For each recipient, encrypt the session key with the recipient’s public RSA key.
3. For each recipient, prepare a block known as RecipientInfo that contains
 An identifier of the recipient’s public-key certificate
 An identifier of the algorithm used to encrypt the session key
 Encrypted session key
4. Encrypt the message content with the session key.

39
A Sample message – enveloped data

40
S/MIME messages - Signed Data
The steps for preparing a signedData are as follows.
1. Select a message digest algorithm (SHA or MD5).
2. Compute the message digest (hash function) of the content to be signed.
3. Encrypt the message digest with the signer’s private key.
4. Prepare a block known as SignerInfo that contains
 signer’s public-key certificate
 an identifier of the message digest algorithm
 an identifier of the algorithm used to encrypt the message digest
 encrypted message digest

41
A sample message – signed data

42
S/MIME messages - Clear Signing
 Clear signing is achieved using the multipart
content type with a signed subtype
 Message is sent “in the clear”
 A multipart/signed message has two parts.
 The first part can be any MIME type but must be
prepared so that it will not be altered during
transfer from source to destination.
 The second part has a MIME content type of
application and a subtype of pkcs7-signature.

43
A sample message – clear signed
data

44
Registration Request
 An application or user will apply to a certification
authority for a public-key certificate
 The application/pkcs10 S/MIME entity is used to transfer
a certification request
 The certification request includes a certificationRequestInfo block, followed by an identifier of the public-key encryption algorithm, followed by the signature of the certificationRequestInfo block, made using the sender’s private key
 The certificationRequestInfo block includes a name of
the certificate subject and a bit-string representation of
the user’s public key.
45
CERTIFICATES-ONLY MESSAGE
 A message containing only certificates or a
certificate revocation list (CRL) can be sent in
response to a registration request.
 The message is an application/pkcs7-mime
type/subtype with an smime-type parameter of
degenerate.
 The steps involved are the same as those for
creating a signedData message, except that there
is no message content and the signerInfo field is
empty.

46
Web Security

47
Secure Electronic Transaction (SET)
 SET is a set of security protocols and formats that
enables users to employ the existing credit card
payment infrastructure on an open network, such
as the Internet, in a secure fashion
 It provides 3 major services
 Provides a secure communications channel among all parties involved in a transaction
 Provides trust by the use of X.509v3 digital certificates
 Ensures privacy

48
Requirements of SET
 Provide confidentiality of payment and ordering
information
 Ensure the integrity of all transmitted data
 Provide authentication for cardholder and merchant
 Ensure the use of the best security practices and system
design techniques to protect all legitimate parties in an
electronic commerce transaction
 Create a protocol that neither depends on transport
security mechanisms nor prevents their use
 Facilitate and encourage interoperability among
software and network providers
49
SET

50
SET Participants
 Cardholder: A cardholder is an authorized holder of
a payment card (e.g., MasterCard, Visa) that has
been issued by an issuer
 Merchant: A merchant is a person or organization
that has goods or services to sell to the cardholder
 Issuer: This is a financial institution, such as a
bank, that provides the cardholder with the
payment card
 Certification Authority (CA): This is an entity that
is trusted to issue X.509v3 public-key certificates for
cardholders, merchants, and payment gateways

51
SET Participants
 Acquirer: A financial institution that establishes an
account with a merchant and processes payment card
authorizations and payments

 It provides authorization to the merchant that a given card account is active and that the proposed purchase does not exceed the credit limit
 The acquirer also provides electronic transfer of payments to the merchant's account
 Payment Gateway: interfaces between SET and the
existing bankcard payment networks for authorization
and payment functions. The merchant exchanges SET
messages with the payment gateway over the Internet

52
Sequences of events in SET
 The customer opens an account
 The customer receives a certificate.
 Merchants have their own certificates
 The customer places an order
 The merchant is verified
 The order and payment are sent
 The merchant requests payment authorization
 The merchant confirms the order
 The merchant provides the goods or service
 The merchant requests payment
53
Dual Signature
 The purpose of the dual signature is to link two messages
that are intended for two different recipients
 In this case, the customer wants to send the order information (OI) to the merchant and the payment information (PI) to the bank
 The merchant does not need to know the customer's credit
card number, and the bank does not need to know the
details of the customer's order
 The two items must be linked in a way that can be used to
resolve disputes if necessary
 The link is needed so that the customer can prove that this
payment is intended for this order and not for some other
goods or service.

54
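The dual signature described above, as an added Python example that is not from the slides: the cardholder computes DS = E(PRc, H(H(PI) || H(OI))), the merchant verifies it from the OI plus the PIMD, and the bank from the PI plus the OIMD, so neither party needs the other's data. The RSA key is a toy built from two Mersenne primes, the OI and PI strings are constructed, and SHA-256 stands in for SET's SHA-1.

```python
import hashlib

# Toy RSA signing key for the cardholder, constructed for this example only from two
# Mersenne primes (p = 2^127 - 1, q = 2^521 - 1). A real SET cardholder key comes with a
# CA-issued certificate; textbook RSA without padding is used here for brevity.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def h(data: bytes) -> bytes:
    """Message digest used for PIMD, OIMD and POMD (SHA-256 stands in for SHA-1)."""
    return hashlib.sha256(data).digest()


def dual_signature(pi: bytes, oi: bytes) -> tuple:
    """Cardholder side: DS = E(PRc, H(PIMD || OIMD)). Returns (DS, PIMD, OIMD)."""
    pimd, oimd = h(pi), h(oi)
    pomd = h(pimd + oimd)                        # payment-order message digest
    ds = pow(int.from_bytes(pomd, "big"), D, N)  # sign with the customer's private key
    return ds, pimd, oimd


def verify_pomd(ds: int, pomd: bytes) -> bool:
    """Check D(PUc, DS) against a locally computed POMD."""
    return pow(ds, E, N) == int.from_bytes(pomd, "big")


def merchant_verify(oi: bytes, pimd: bytes, ds: int) -> bool:
    """The merchant holds the OI, the PIMD and the DS but never sees the PI."""
    return verify_pomd(ds, h(pimd + h(oi)))


def bank_verify(pi: bytes, oimd: bytes, ds: int) -> bool:
    """The payment gateway/bank holds the PI, the OIMD and the DS but never sees the OI."""
    return verify_pomd(ds, h(h(pi) + oimd))


if __name__ == "__main__":
    # Constructed sample order and payment information (test card number).
    oi = b"order#4711: 1x textbook, ship to campus"
    pi = b"card=4111111111111111 exp=12/30 amount=59.00"
    ds, pimd, oimd = dual_signature(pi, oi)
    print("merchant accepts:", merchant_verify(oi, pimd, ds))
    print("bank accepts    :", bank_verify(pi, oimd, ds))
    # A different order cannot be attached to this payment after the fact.
    print("swapped order   :", merchant_verify(b"order#4712: 5x laptop", pimd, ds))
```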
Dual Signature

55
Payment Processing
 Payment processing includes
 Purchase request
 Payment authorization
 Payment capture

56
Purchase Request
 The purchase request exchange consists of
four messages:
1. Initiate Request
2. Initiate Response
3. Purchase Request
4. Purchase Response

57
Purchase Request
1. Initiate Request - customer requests the merchant to send the certificate
 It also includes the brand of the credit card that the customer is using, a message ID and a nonce to ensure timeliness
2. Initiate Response - Merchant generates a response and signs it with its private signature key
 The response includes the nonce from the customer, another nonce for the customer to return in the next message, and a transaction ID for this purchase transaction
 In addition, it includes the merchant's signature certificate and the payment gateway's key exchange

58
Purchase Request
3. Purchase Request - the cardholder prepares the Purchase Request message
For this purpose, the cardholder generates a one-time symmetric encryption key, Ks. The message includes the following:
i. Purchase-related information. This information will be forwarded to the payment gateway by the merchant and consists of
 The PI
 The dual signature
 The OI message digest (OIMD)
 The digital envelope - formed by encrypting Ks with the payment gateway's public key-exchange key

59
Purchase Request
ii. Order-related information. This information is needed by the merchant and consists of
 The OI
 The dual signature
 The PIMD
 Cardholder certificate

60
61
Purchase Request
4. Purchase Response - includes a response block that acknowledges the order and references the corresponding transaction number
 This block is signed by the merchant using its private signature key and sent to the customer, along with the merchant's signature certificate
 When the cardholder software receives the purchase response message, it verifies the merchant's certificate and then verifies the signature on the response block

62
Payment Authorization
 The payment authorization ensures that the
transaction was approved by the issuer
 This authorization guarantees that the
merchant will receive payment; the merchant
can therefore provide the services or goods to
the customer
 The payment authorization exchange consists
of two messages:
 Authorization Request

 Authorization response

63
Payment Authorization
Authorization request message consists of
1. Purchase-related information - obtained from the customer
2. Authorization-related information - generated by the merchant and consists of
 An authorization block that includes the transaction ID, signed with the merchant's private signature key and encrypted with a one-time symmetric key generated by the merchant.
 A digital envelope - formed by encrypting the one-time key with the payment gateway's public key-exchange key
3. Certificates

64
Payment Authorization
The payment gateway returns an Authorization Response message to the merchant. It includes the following elements
1. Authorization-related information. Includes an authorization block, signed with the gateway's private signature key and encrypted with a one-time symmetric key generated by the gateway
 Also includes a digital envelope that contains the one-time key encrypted with the merchant’s public key-exchange key.
2. Capture token information. This information will be used to effect payment later. This block is of the same form as (1), namely, a signed, encrypted capture token together with a digital envelope. This token is not processed by the merchant. Rather, it must be returned, as is, with a payment request.
3. Certificate. The gateway's signature key certificate

65
Payment Capture
 To obtain payment, the merchant engages the
payment gateway in a payment capture transaction,
consisting of a capture request and a capture
response message.
 For the Capture Request message, the merchant
generates, signs, and encrypts a capture request
block, which includes the payment amount and the
transaction ID.
 The message also includes the encrypted capture
token received earlier (in the Authorization Response)
for this transaction, as well as the merchant's
signature key and key-exchange key certificates

66
Payment Capture
 After verification, the gateway then notifies
the merchant of payment in a Capture
Response message.
 The message includes a capture response block that the gateway signs and encrypts.
 The message also includes the gateway's
signature key certificate.
 The merchant software stores the capture
response to be used for reconciliation with
payment received from the acquirer.

67
Intruders
 One of the most publicized threats to security is the intruder, generally referred to as a hacker or cracker
 Three classes of intruders are as follows:
 Masquerader – an individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account.
 Misfeasor – a legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
 Clandestine user – an individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.

68
Intruders
 Based on technical skill, intruders are classified as
 Apprentice: Hackers with minimal technical skill who primarily use existing attack toolkits
 Journeyman: Hackers with sufficient technical skills to modify and extend attack toolkits to use newly discovered, or purchased, vulnerabilities; or to focus on different target groups.
 Master: Hackers with high-level technical skills capable of discovering brand new categories of vulnerabilities, or writing new powerful attack toolkits.

69
Examples of Intrusion
 Performing a remote root compromise of an e-mail
server
 Defacing a Web server
 Guessing and cracking passwords
 Copying a database containing credit card numbers
 Viewing sensitive data, including payroll records and
medical information, without authorization
 Running a packet sniffer on a workstation to capture
usernames and passwords
 Using an unattended, logged-in workstation without
permission

70
Intrusion Techniques
 Objective is to gain access to a system or to increase the range of privileges accessible on a system
 Most initial attacks use system or software vulnerabilities that allow a user to execute code that opens a back door into the system
 Alternatively, the intruder attempts to acquire information that should have been protected (user password)
 With knowledge of some other user’s password, an intruder can log in to a system and exercise all the privileges accorded to the legitimate user

71
Intrusion Techniques
 The password file can be protected in one of two ways:
 One-way encryption – the system stores only an encrypted form of the user’s password. In practice, the system usually performs a one-way transformation (not reversible) in which the password is used to generate a key for the encryption function and in which a fixed-length output is produced.
 Access control – access to the password file is limited to one or a very few accounts.

72
Techniques for learning passwords
1. Try default passwords used with standard accounts that
are shipped with the system
2. Exhaustively try all short passwords
3. Try words in the system’s online dictionary or a list of likely
passwords
4. Collect information about users, such as their full names, the names of their spouse and children, etc.
5. Try users’ phone numbers, Social Security numbers, and
room numbers
6. Try all legitimate license plate numbers for this state
7. Use a Trojan
8. Tap the line between a remote user and the host system

73
Intrusion Detection System (IDS)
 IDS can be classified by where detection takes place
 Network based intrusion detection
 Host based intrusion detection
 or by the detection method that is employed
 Signature based intrusion detection
 Anomaly-based intrusion detection

74
Intrusion Detection System (IDS)
1. Network intrusion detection systems (NIDS)
 Placed at a strategic point or points within the network to monitor traffic to and from all devices on the network
 It performs an analysis of passing traffic on the entire subnet, and matches the traffic that is passed on the subnets to the library of known attacks
 Once an attack is identified, or abnormal behavior is sensed, the alert can be sent to the administrator

75
Intrusion Detection System (IDS)
2. Host intrusion detection systems (HIDS)
 A HIDS runs on an individual host or device on the network
 It monitors the inbound and outbound packets from the device only and will alert the user or administrator if suspicious activity is detected
 It takes a snapshot of existing system files and matches it to the previous snapshot
 If the critical system files were modified or deleted, an alert is sent to the administrator to investigate

76
Intrusion Detection System (IDS)
3. Signature-based IDS
 Detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware
 Originates from anti-virus software, which refers to these detected patterns as signatures
 It can easily detect known attacks, but it is difficult to detect new attacks, for which no pattern is available

77
Intrusion Detection System (IDS)
4. Anomaly based IDS
 Primarily introduced to detect unknown attacks
 Basic approach is to use machine learning to create a model of trustworthy activity, and then compare new behavior against this model

78
Audit Records
 A fundamental tool for intrusion detection is the audit record
 Each audit record contains the following fields:
 Subject: Initiators of actions
 Action: Operation performed by the subject on or with an object; for example, login, read, perform I/O, execute.
 Object: Receptors of actions. Examples include files, programs, messages, records, terminals, printers, and user- or program-created structures.
 Exception-Condition: Denotes which, if any, exception condition is raised on return
 Resource-Usage
 Timestamp

79
Approaches to Intrusion Detection
1. Statistical anomaly detection:
 Involves the collection of data relating to the behavior of legitimate users over a period of time.
 Then statistical tests are applied to observed behavior to determine whether that behavior is not legitimate user behavior
 Threshold detection: This approach involves defining thresholds, independent of user, for the frequency of occurrence of various events
 Profile based: A profile of the activity of each user is developed and used to detect changes in the behavior of individual accounts

80
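Threshold and profile-based statistical anomaly detection over audit records with the fields given above, as an added Python example that is not from the slides: a user-independent threshold on failed logins per minute, and a per-user profile of resource usage for read actions; every audit record here is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AuditRecord:
    """One audit record with the fields listed on the slides."""
    subject: str
    action: str          # e.g. "login", "read"
    obj: str             # file, terminal, account ... acted upon
    exception: str       # "" when the action succeeded, else e.g. "AUTH_FAIL"
    resource_usage: int  # here: kilobytes transferred by the action
    timestamp: int       # seconds since some epoch


def threshold_alerts(records: List[AuditRecord], action: str, exception: str,
                     limit: int, window: int) -> List[str]:
    """Threshold detection with a limit that is independent of user: flag every subject
    with more than `limit` matching events inside any `window`-second interval."""
    times: Dict[str, List[int]] = defaultdict(list)
    for r in records:
        if r.action == action and r.exception == exception:
            times[r.subject].append(r.timestamp)
    alerts = []
    for subject, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):            # sliding window over sorted timestamps
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 > limit:
                alerts.append(subject)
                break
    return alerts


def build_profile(history: List[AuditRecord], action: str = "read") -> Dict[str, Tuple[float, float]]:
    """Profile-based detection, step 1: per-subject mean and standard deviation of
    resource usage for one action, learned from records of legitimate use."""
    usage: Dict[str, List[int]] = defaultdict(list)
    for r in history:
        if r.action == action:
            usage[r.subject].append(r.resource_usage)
    return {s: (mean(v), pstdev(v)) for s, v in usage.items()}


def profile_alerts(profile, records, action="read", k=3.0):
    """Step 2: flag an action whose resource usage exceeds the subject's baseline by more
    than k standard deviations (a floor of 1 keeps a flat baseline from alerting on noise)."""
    alerts = []
    for r in records:
        if r.action != action or r.subject not in profile:
            continue
        mu, sigma = profile[r.subject]
        if r.resource_usage > mu + k * max(sigma, 1.0):
            alerts.append((r.subject, r.obj, r.resource_usage))
    return alerts


# Constructed baseline: a week of ordinary file reads by two users.
HISTORY = [AuditRecord("alice", "read", f"report{i}.doc", "", kb, 86400 * i)
           for i, kb in enumerate([100, 120, 90, 110, 80])]
HISTORY += [AuditRecord("bob", "read", f"sheet{i}.xls", "", kb, 86400 * i)
            for i, kb in enumerate([40, 60, 50, 50, 50])]

# Constructed day under observation: six failed logins on alice's account in under a
# minute, then a large read of the payroll database, while bob behaves as usual.
TODAY = [AuditRecord("alice", "login", "tty3", "AUTH_FAIL", 0, 700000 + 10 * i) for i in range(6)]
TODAY += [
    AuditRecord("alice", "login", "tty3", "", 0, 700070),
    AuditRecord("alice", "read", "payroll.db", "", 50000, 700100),
    AuditRecord("bob", "login", "tty1", "AUTH_FAIL", 0, 700200),
    AuditRecord("bob", "login", "tty1", "", 0, 700230),
    AuditRecord("bob", "read", "sheet7.xls", "", 65, 700300),
]


if __name__ == "__main__":
    print("threshold alerts:", threshold_alerts(TODAY, "login", "AUTH_FAIL", limit=5, window=60))
    profile = build_profile(HISTORY)
    print("profile alerts  :", profile_alerts(profile, TODAY))
```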
Approaches to Intrusion Detection
2. Rule-based detection:
 Involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder
 Anomaly detection: Rules are developed to detect deviation from previous usage patterns
 Penetration identification: An expert system approach that searches for suspicious behavior

81
Password Management

 The 12-bit “salt” value is related to the time at which the password is assigned to the user

82
Password Management

83
Firewalls
 A choke point of control and monitoring
 Provides an additional layer of defense,
insulating the internal systems from external
networks
 Packet filter

84
Firewall
 A firewall is hardware / software
 Protects the resources of a private network from users of other networks
 Enforces access control between two networks
 Allows or denies the traffic to/from the network
 They are essential for the integrity and confidentiality of the information present in the internal network
 A firewall can act as a gateway
 A firewall can act as a proxy
 Firewalls filter incoming and outgoing information

85
Firewall characteristics
 All traffic from inside to outside, and vice
versa, must pass through the firewall
 Only authorized traffic, as defined by the local
security policy, will be allowed to pass
 The firewall itself is immune to penetration -
implies the use of a hardened system with a
secured operating system
 Trusted computer systems are suitable for
hosting a firewall

86
Services provided by Firewall
 Service control
 Determines the types of Internet services that can be accessed, inbound or outbound.
 Direction control
 Determines the direction in which particular services flow through the firewall
 User control
 Controls access to a service according to which user is attempting to access it.
 Behaviour control
 Controls how particular services are used

87
Capabilities of a Firewall
 Defines a single choke point that prevents
 unauthorized users
 vulnerable services from entering or leaving the network
 various kinds of IP spoofing and routing attacks
 Helps in monitoring security-related events
 Acts as a convenient platform for several Internet functions such as network address translation and the network management function that audits or logs Internet usage
 Serves as the platform for IPsec

88
Limitations of Firewall
 It cannot protect against attacks that bypass
the firewall
 It may not protect fully against internal threats
 An improperly secured wireless LAN may be
accessed from outside the organization
 An internal firewall separates portions of an
enterprise network
 A laptop, PDA, or portable storage device may
be used and infected outside the corporate
network, and then attached and used internally

89
Types of Firewalls
 Firewalls can be categorized based on the OSI model level at which they operate. There are 3 basic types of firewalls:
 Network level (Packet filters)
 Application level (Proxy server)
 Circuit level (Proxy server)

90
Types of Firewalls
1. Packet Filtering Firewall
 A packet filtering firewall applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet
 Filtering rules are based on information contained in a network packet:
 Source IP address
 Destination IP address
 Source and destination transport-level address
 IP protocol field
 Interface

91
Packet Filtering Firewall

92
93
Packet Filtering Firewalls
 Network level firewalls employ one of two different filtering approaches:
 Static packet filtering – filtering rules do not change
 Dynamic packet filtering/Stateful inspection

94
Weakness of Packet Filtering
Firewall
 They cannot prevent attacks that employ
application-specific vulnerabilities or functions
 Vulnerable to IP address spoofing attacks
 Source routing attacks
 Tiny fragment attacks

95
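The packet-filter rule fields listed above and the tiny fragment weakness, as one added Python example that is not from the slides: a static filter that evaluates constructed packets against source and destination address, protocol, port and arrival interface (first match wins, default deny), plus the RFC 1858 checks that discard fragments too short to carry the TCP port fields; the rule set, hosts and addresses are all constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP_MIN_HEADER = 20  # bytes; a first fragment shorter than this cannot carry the ports


@dataclass
class Packet:
    """Constructed packet summary: the fields a packet filter looks at."""
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: Optional[int]        # None for non-first fragments (no transport header)
    dport: Optional[int]
    iface: str                  # interface of arrival: "ext" or "int"
    frag_offset: int = 0        # IP fragment offset in 8-octet units
    transport_len: int = TCP_MIN_HEADER  # transport-header bytes present in this fragment


@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None
    iface: str = "any"
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.iface != "any" and self.iface != p.iface:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def is_tiny_fragment(p: Packet) -> bool:
    """RFC 1858 defence: discard a TCP first fragment too short to hold the TCP header,
    and any fragment with offset 1, which could overwrite the port fields of the first."""
    if p.proto != "tcp":
        return False
    if p.frag_offset == 0 and p.transport_len < TCP_MIN_HEADER:
        return True
    return p.frag_offset == 1


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Static packet filter: first matching rule wins, default deny."""
    if is_tiny_fragment(p):
        return "deny", "tiny fragment"
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.comment
    return "deny", "default policy"


# Constructed rule set for a site whose mail gateway is 10.0.0.5 on the 10.0.0.0/24 LAN.
RULES = [
    # Anti-spoofing: an internal source address must never arrive on the external interface.
    Rule("deny", src="10.0.0.0/24", iface="ext", comment="spoofed internal source"),
    Rule("allow", dst="10.0.0.5/32", proto="tcp", dport=25, iface="ext",
         comment="inbound SMTP to mail gateway"),
    Rule("allow", src="10.0.0.0/24", proto="tcp", dport=25, iface="int",
         comment="outbound SMTP from LAN"),
]


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.7", "10.0.0.5", "tcp", 40000, 25, "ext"),
        Packet("10.0.0.9", "10.0.0.5", "tcp", 40000, 25, "ext"),
        Packet("203.0.113.7", "10.0.0.5", "tcp", 40000, 23, "ext"),
        Packet("203.0.113.7", "10.0.0.5", "tcp", 40000, 25, "ext", transport_len=8),
        Packet("203.0.113.7", "10.0.0.5", "tcp", None, None, "ext", frag_offset=1),
    ]
    for pkt in samples:
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, evaluate(RULES, pkt))
```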
Types of Firewalls
2. Stateful Inspection Firewalls
 Context oriented
 A stateful packet inspection firewall reviews the same packet information as a packet filtering firewall, but also records information about TCP connections

96
Types of Firewalls
3. Application-level gateway
 Also called an application proxy
 Acts as a relay of application-level flow
 The user contacts the gateway using a TCP/IP application, such as Telnet or FTP
 The gateway asks the user for the name of the remote host to be accessed
 When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints

97
Application-level gateway

98
Types of Firewalls
4. Circuit-Level Gateway
 It can be a stand-alone system or it can be a specialized function – meant for certain applications
 A circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections,
 one between itself and a TCP user on an inner host and
 one between itself and a TCP user on an outside host.

99
Circuit-Level Gateway
 Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents
 The security function consists of determining which connections will be allowed

100
Circuit-Level Gateway
 When a connection is set up, the circuit level firewall stores the
following:
1. A unique session identifier for the connection.
2. The state of the connection (handshake, established,
closing).
3. The sequencing information.
4. The source IP address.
5. The destination IP address.
6. The physical network interface through which the data
arrives.
7. The physical network interface through which the data
goes out.
101
Hardware Firewall
 Hardware firewalls are the physical devices that serve as a gatekeeper between the network and the external environment, managing traffic and providing security
 Hardware firewalls use a combination of predefined rules and algorithms to manage traffic
 They often come with additional security functions like intrusion prevention and deep packet inspection, providing a comprehensive security solution

102
Software Firewall
 Software firewalls are deployed on servers or virtual machines, offering similar protection in environments where deploying physical firewalls is difficult.
 They operate on a security operating system generally run on generic hardware with a virtualization layer on top.
 Software firewalls are useful in complex, virtualized environments like public clouds, containerized environments, and private clouds/virtualized environments, where they monitor and control the flow of application and workload traffic to and from the network and between clouds

103
Honeypots
 Honeypots are decoy systems that are designed to lure a potential attacker away from critical systems
 Honeypots are designed to:
 Divert an attacker from accessing critical systems
 Collect information about the attacker’s activity
 Encourage the attacker to stay on the system long enough for administrators to respond
 These systems are filled with fabricated information designed to appear valuable but that a legitimate user of the system would not access

104
Honeypots
 The system is instrumented with sensitive monitors and event loggers that detect these accesses and collect information about the attacker’s activities
 Honeypots can be deployed in a variety of locations
 Location depends on a number of factors, such as
 type of information the organization is interested in gathering
 level of risk that organizations can tolerate to obtain the maximum amount of data

105
Trusted Systems

106
Terminology related to Trust
 Trust - The extent to which someone who relies on a
system can have confidence that the system meets its
specifications
 Trusted system - A system believed to enforce a given set
of attributes to a stated degree of assurance
 Trustworthiness - Assurance that a system deserves to be
trusted, such that the trust can be guaranteed in some
convincing way, such as through formal analysis or code
review
 Trusted computer system - A system that employs
sufficient hardware and software assurance measures to
allow its use for simultaneous processing of a range of
sensitive or classified information
107
Trusted Systems
 Trusted computing base (TCB) - A portion of a
system that enforces a particular policy. The TCB must
be resistant to tampering and circumvention
 Assurance - A process that ensures a system is
developed and operated as intended by the system’s
security policy
 Evaluation - Assessing whether the product has the
security properties claimed for it
 Functionality - The security features provided by a
product

108
Reference Monitor
 The reference monitor is a controlling element in the hardware and operating system of a computer that regulates the access of subjects to objects on the basis of security parameters of the subject and object
 The reference monitor has access to a file, known as the security kernel database, that lists the access privileges (security clearance) of each subject and the protection attributes (classification level) of each object

109
Reference Monitor
 The reference monitor enforces the security rules (no read up, no write down) and has the following properties:
 Complete mediation: The security rules are enforced on every access
 Isolation: The reference monitor and database are protected from unauthorized modification
 Verifiability: The reference monitor’s correctness must be provable

110
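The reference monitor with its no-read-up / no-write-down rules, as an added Python example that is not from the slides: a monitor that mediates every access against a private security kernel database, records each decision in an audit list, and fails closed for unknown subjects or objects; the levels, subjects and objects are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Linear ordering of security levels used for both clearance and classification.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass
class SecurityKernelDB:
    """The security kernel database: clearances of subjects, classifications of objects."""
    clearance: Dict[str, str] = field(default_factory=dict)
    classification: Dict[str, str] = field(default_factory=dict)


class ReferenceMonitor:
    """Mediates every subject-to-object access against the kernel database.

    Complete mediation: every read or write goes through check().
    Isolation: the database is held privately; callers only get decisions.
    Verifiability: the decision logic is the two one-line rules in check().
    """

    def __init__(self, db: SecurityKernelDB):
        self._db = db
        self.audit: List[Tuple[str, str, str, bool]] = []

    def check(self, subject: str, obj: str, mode: str) -> bool:
        clearance = self._db.clearance.get(subject)
        classification = self._db.classification.get(obj)
        if clearance is None or classification is None:
            allowed = False                        # unknown principal or object: fail closed
        else:
            s, o = LEVELS[clearance], LEVELS[classification]
            if mode == "read":
                allowed = s >= o                   # simple security property: no read up
            elif mode == "write":
                allowed = s <= o                   # *-property: no write down
            else:
                allowed = False
        self.audit.append((subject, obj, mode, allowed))
        return allowed


class GuardedStore:
    """Object store whose only entry points call the monitor first."""

    def __init__(self, monitor: ReferenceMonitor):
        self._monitor = monitor
        self._contents: Dict[str, str] = {}

    def write(self, subject: str, obj: str, data: str) -> None:
        if not self._monitor.check(subject, obj, "write"):
            raise PermissionError(f"{subject} may not write {obj}")
        self._contents[obj] = data

    def read(self, subject: str, obj: str) -> str:
        if not self._monitor.check(subject, obj, "read"):
            raise PermissionError(f"{subject} may not read {obj}")
        return self._contents.get(obj, "")


def build_demo() -> Tuple[ReferenceMonitor, GuardedStore]:
    """Constructed sample database: two cleared subjects and three classified objects."""
    db = SecurityKernelDB(
        clearance={"alice": "secret", "bob": "confidential"},
        classification={"memo.txt": "confidential", "plans.txt": "top secret",
                        "notice.txt": "unclassified"},
    )
    monitor = ReferenceMonitor(db)
    return monitor, GuardedStore(monitor)


if __name__ == "__main__":
    monitor, store = build_demo()
    for subject, obj, mode in [("alice", "memo.txt", "read"), ("alice", "plans.txt", "read"),
                               ("alice", "plans.txt", "write"), ("alice", "notice.txt", "write"),
                               ("bob", "memo.txt", "read"), ("mallory", "memo.txt", "read")]:
        verdict = "allow" if monitor.check(subject, obj, mode) else "deny"
        print(f"{subject:8} {mode:5} {obj:11} -> {verdict}")
```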
Reference Monitor Concept

111
References
 Cryptography and Network Security: Principles and Practice, William Stallings, 5th ed., Pearson Education, 2011

112
Thank you

113
