Uttaranchal University
[2017]
Abstract - Communication security is the discipline of preventing unauthorized interceptors from eavesdropping on any communication. When two entities are communicating and do not want a third party to listen in, they need to communicate in a way that is not susceptible to interception. In recent years, secure communication has become a very important subject of research. The new services for wireless and wired networks are to provide confidentiality, authentication, authorization and data integrity. In fact, security services are necessary to protect basic applications in every field, especially in banks and defence.

Keywords - Group Communication, Authentication Control, Security Policy, Encryption, Security Services, Security Methodology.
In any case, ample tools are available to eventually compromise passwords if the machine is in the physical possession of the attacker, or if the attacker can obtain physical possession of the password database. Every system should be physically protected, but where a centralized database of accounts exists, extra precautions should be taken. In addition, user training and account controls can strengthen passwords and make the attacker's job harder, perhaps hard enough that the attacker will move on to easier pickings.

Authentication Controls

In addition to understanding and choosing strong authentication algorithms and training users to create and use strong passwords, authentication controls can be used to enforce a strong password policy. There are some typical controls[3]:

1) Password Length: A number of characters can be assigned as the minimum password length. The maximum password length is limited by the operating system. Opinions vary, but the commonly recommended number is seven or eight characters. This is based on a compromise between a longer password being more difficult to crack and a too-long password inevitably being written down by the user because it is too long to remember, and thus being more available for theft.

2) Password Complexity or Filters: Some systems allow you to set password filters. When a password is changed, the new password is evaluated for its adherence to some standard or is compared to known weak passwords. Passwords are rejected if they don't meet the system standard. For example, a password filter might require that passwords use three of the following character types: uppercase and lowercase characters, numbers, and special symbols.

3) Password History: When users are required to frequently change their passwords, they may be tempted, in spite of a strict policy to the contrary, to reuse passwords. A password history requirement prevents the reuse of a password by remembering the last few passwords for each user. This provides a list against which any new password of the user may be checked. Previously used passwords that are recorded in the list will be rejected. How many previous passwords the system remembers can be set on the system; numerous sources advise a password history of 9 to 15.

4) Maximum Password Age: Users may be required to change their password on a regular schedule. This can be accomplished by specifying a number of days after which users must change their password. A typical recommendation is 30 days.

5) Account Restriction: Limiting user access to the system is an important component of security. Some systems allow restrictions as to the time of the day and the workstations at which a particular account can be used.

6) Account Lockout: When a password-cracking attack is directed at specific accounts, an attacker may eventually deduce the password. To limit the possibility that this will happen, account lockout parameters can be set to lock out the account after a number of logon tries. The current recommendation is to set this number high, perhaps 30 or so, so that simple fumble-fingered mistakes on the part of a valid user do not result in an account lockout. An additional concern is that an attacker could run an attack on the entire account list and, if an account lockout is set, lock all accounts, which would result in a successful denial-of-service attack. While this is possible, such attacks are not currently being reported.

IV. SECURITY POLICY DEVELOPMENT

A security policy should not be developed only by an Information Technology organisation. It should be a joint effort among all the organisations that will be affected by its rules. A good security policy should not be overly complicated, because it must be easily accessible to its audience. The security policy must be concise and easy to read in order to be effective. Whether its audience is all employees, management, or support staff, the policy needs to be readable and understandable so that everyone can fulfil their correct role and apply the security policy to their daily efforts. The security policy is a part of a hierarchy of management controls. Its scope is defined by a scope definition, which is performed in advance of the development of the security policy. The needs of the business drive the principles of the security policy, and the security policy defines parameters that are used in building computers, networks, and data storage infrastructure. The overall approach is to begin with what and why, then proceed to the how, when, and other details. The security policy tells its audience what must be done. A
International Conference on Software Technology and Engineering Modules
security policy is the essential foundation for an effective and comprehensive security program. A security policy should be in written form. It provides instructions to employees about what kinds of behaviour or resource usage are required and acceptable, and about what is forbidden and unacceptable[4].

Fig. 1 Security policy audience

A security policy gives clear instructions to IT staff and security professionals about how to restrict authority and enact access controls, authentication methods, privacy practices, and accounting techniques. A security policy also provides information for all employees about how to help protect their employer's assets and information, and it provides instructions regarding acceptable (and unacceptable) practices and behaviour. A security policy is the primary way in which management's expectations are conveyed as guidance to the people building, installing, and maintaining computer systems, so they don't have to make those decisions by themselves. A security policy does not specify technologies or specific solutions; it defines a specific set of intentions and conditions that will help protect a company's assets and its ability to conduct business. We can say a security policy is the statement of responsible decision-makers about how to protect a company's physical and information assets. In its basic form, a security policy is a document that describes a company's or organization's security controls and activities.

Security policies often include rules intended to:
• Preserve and protect valuable, confidential, or proprietary information from unauthorized access or disclosure.
• Limit or eliminate potential legal liability from employees or third parties.
• Prevent waste or inappropriate use of organisation resources.

There are five steps to better security in secure group communication[4]. The five-step process, followed carefully in order, helps ensure that security efforts address important, specific problems in a controlled, effective manner and that security costs are managed and appropriate to the values of the assets they protect.

Before undertaking any security effort, ask the following questions. This inquiry is part of the analysis phase that should be part of any implementation effort. These questions help define the business requirements and lead the implementation to the solution that fits those business requirements.

A. Assets
What is to be protected? Identifying the assets that will be protected by security measures is a critical first step in any security implementation. Failure to ask this question may lead to inadequate security controls, or security controls that protect the wrong thing. For example, when designing an e-commerce web site, asking this question may lead the designer to identify the following as needing to be protected: customer names and addresses, credit card numbers, and web server availability. Encryption of the network connection, location of data on a separate database and encrypting that data, a firewall with denial-of-service protection capability, and redundant web servers are needed to protect these things. Failure to ask this question may lead the designer to forget about encryption, especially in the database, or redundancy or denial-of-service filters. The answer to this question is a simple list of assets to be protected.

B. Risks
What are the threat vectors, vulnerabilities and risks? After the assets to be protected have been identified in question 1, the threats to those assets should be enumerated along with their possible sources. The vulnerabilities associated with the assets that might be exploited by the threats should then be discovered. The risks, which are the likelihood and cost of each realized threat, should also be identified. Together these 3 factors provide the information necessary to determine which security controls to consider, where they might be placed (for example, inside or outside the firewall, on the network, or on servers), and how much to spend on them (based on the expected loss identified in the risk analysis, it may not make sense to spend more money on a security control than the asset is worth, or the cost of a realized threat). The answer to this question is the result of a risk analysis.

C. Protections
How will the assets be protected? Once the business requirements have been identified and documented as question 1, and the risk analysis has been completed based on question 2, the security practitioner can then consider the actual policies, processes, and techniques that will be used to provide the appropriate level of protection to the assets against their associated threat vectors. The security practitioner can then be assured that they are well positioned for success in their security implementation. Some protections will be provided
procedurally, that is, by providing users and administrators with instructions about how to conduct their business, along with appropriate enforcement. Some protection will be provided by defensive technology such as firewalls, access control devices, filtering software, authentication mechanisms, encryption, and the like. Other protections will be provided by detective and deterrent controls, such as monitoring software and manual monitoring by administrators, which is then used by Human Resources to correct employee behavior. The answer to this question is the list of general techniques that will be used to protect the assets.

D. Tools
What will be done to ensure that protection? Given the broad categories of protection identified by question 3, a specific selection of tools follows. At this stage, a product evaluation takes place, usage policies are identified where needed, and procedures that must be documented are defined. The answer to this question is the list of protective steps that will be taken.

E. Priorities
In what order will the protective steps be implemented? Once the tools and techniques to protect the assets from the threats have been identified, and assuming the organization does not have enough resources to implement everything simultaneously, priorities should be assigned to each tool and technique, so they can be implemented in a reasonable order. Turning on a web server before installing a firewall may not be a good idea; instead, installing a firewall first, then hardening the web server, then implementing encryption, may make the most sense. The details vary for each environment, but these five questions, asked in order, help the implementer to consider all the factors that should lead to a successful implementation.

It is a technique which is widely used in computer networks to enhance security. It makes plain text unintelligible by means of some type of reversible encoding scheme developed around a private key known only to the transmitter and receiver.

G. Random Traffic
It is used to create a random data flow to make the presence of genuine communication harder to detect and traffic analysis less reliable.

Five services are provided to secure group communication in a computer network:

A. Confidentiality
Confidentiality means that the message should be confidential. The transmitted message must make sense to only the intended receiver. To all others, the message must be garbage. When a customer communicates with her bank, she expects that the communication is totally confidential. It specifies that only the sender and the intended recipient should be able to access the contents of a message. Confidentiality gets compromised if an unauthorized person is able to access a message. An example of compromising the confidentiality of a message is shown in Figure. Here the user of computer A sends a message to the user of computer B. (Actually, from here onwards, we shall use the term A to mean the user A, B to mean user B, etc., although we shall just show the computers of user A, B, etc.)
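The password controls listed under Authentication Controls earlier in the paper (minimum length, a three-of-four character-type filter, password history, maximum age and a lockout threshold) can be enforced together at password-change and logon time. The following Python code is an added example, not from the paper; the Account record, the function names and the weak-password list are assumptions, and the thresholds are the values the paper quotes.

```python
import hashlib, hmac, os, string
from dataclasses import dataclass, field

# Thresholds quoted in the paper's list of controls.
MIN_LENGTH = 8           # "seven or eight characters"
REQUIRED_CLASSES = 3     # three of the four character types
HISTORY_DEPTH = 9        # "password history of 9 to 15"
MAX_AGE_DAYS = 30        # "a typical recommendation is 30 days"
LOCKOUT_THRESHOLD = 30   # "perhaps 30 or so" failed logons
WEAK_PASSWORDS = {"Welcome123", "Qwerty123!", "Passw0rd!"}  # constructed sample list

def _digest(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the stored history is never a list of plaintexts.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:  # hypothetical record, not a real operating-system structure
    history: list = field(default_factory=list)  # [(salt, digest)], newest last
    changed_day: int = 0                          # day number of the last change
    failed_logons: int = 0

def character_classes(password: str) -> int:
    """Count how many of the four character types the password uses."""
    tests = (str.isupper, str.islower, str.isdigit,
             lambda c: c in string.punctuation)
    return sum(any(t(c) for c in password) for t in tests)

def filter_violations(password: str, account: Account) -> list:
    """Password filter: return the names of the controls the candidate violates."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if character_classes(password) < REQUIRED_CLASSES:
        problems.append("complexity")
    if password in WEAK_PASSWORDS:
        problems.append("known-weak")
    if any(hmac.compare_digest(_digest(password, s), d) for s, d in account.history):
        problems.append("history")
    return problems

def change_password(account: Account, password: str, today: int) -> list:
    """Apply the filter; on success record the password in the history."""
    problems = filter_violations(password, account)
    if not problems:
        salt = os.urandom(16)
        account.history.append((salt, _digest(password, salt)))
        del account.history[:-HISTORY_DEPTH]      # remember only the last N
        account.changed_day, account.failed_logons = today, 0
    return problems

def must_change(account: Account, today: int) -> bool:
    """Maximum password age: True once the password is MAX_AGE_DAYS old."""
    return today - account.changed_day >= MAX_AGE_DAYS

def record_failed_logon(account: Account) -> bool:
    """Count a failed logon; True means the account is now locked out."""
    account.failed_logons += 1
    return account.failed_logons >= LOCKOUT_THRESHOLD
```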
encryption algorithm; Bob decrypts the message using a decryption algorithm. Symmetric-key encipherment uses a single secret key for both encryption and decryption. Encryption/decryption can be thought of as electronic locking. In symmetric-key enciphering, Alice puts the message in a box and locks the box using the shared secret key; Bob unlocks the box with the same key and takes out the message.

2) Asymmetric-Key Encipherment: In asymmetric-key encipherment (sometimes called public-key encipherment or public-key cryptography), we have the same situation as the symmetric-key encipherment, with a few exceptions. First, there are two keys instead of one: one public key and one private key. To send a secured message to Bob, Alice first encrypts the message using Bob's public key. To decrypt the message, Bob uses his own private key.

3) Hashing: In hashing, a fixed-length digest is created out of a variable-length message. The digest is normally much smaller than the message. To be useful, both the message and the digest must be sent to Bob. Hashing is used to provide check values, which were discussed earlier in relation to providing data integrity.

B. Steganography
Another technique that was used for secret communication in the past is being revived at the present time: steganography. The word steganography, with its origin in Greek, means "covered writing", in contrast with cryptography, which means "secret writing". Cryptography means concealing the content of a message by enciphering, while steganography means concealing the message itself by covering it with something else.

information is not necessarily used for secrecy; it can also be used to protect copyright, prevent tampering, or add extra information.

3) Text Cover: The cover of secret data can be text. There are several ways to insert binary data into an innocuous text. For example, we can use a single space between words to represent the binary digit 0 and a double space to represent binary digit 1. The following short message hides the 8-bit binary representation of the letter A in ASCII code (01000001).

VII. SECURITY METHODOLOGY

Security is not just about keeping people out of your network. Security also provides access into your network in the way you want to provide it, allowing people to work together. There are many branches of security. If you consider the field of security as a hierarchy, you have "security" at the root and many branches leading outward from that. For example, national security, information security, and economic security may be considered subsets of the entire discipline of security. Beneath those are more subdivisions. Under this heading, we are considering network security, which is a subset of information security, which is a subset of security (see Figure 6). The field of security is concerned with protecting general assets. Information security is concerned with protecting information and information resources, such as books, faxes, computers, and voice communications. Network security is concerned with protecting data, hardware, and software on a computer network. These definitions are important because they demonstrate the hierarchical relationship of network security in relation to other branches of security. A focus only on the security of computers leads to blind spots that attackers might leverage to bypass the protective mechanisms employed on the network. It is important to consider network security in the context of its relationship to other security divisions, as well as to the rest of the enterprise[7].
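The single-space/double-space scheme described under Text Cover above, as an added example that is not from the paper: it embeds and recovers the letter A (01000001) in a constructed cover sentence, and shows from the defender's side how the channel can be spotted and how collapsing repeated spaces removes the hidden bits. The function names, the cover sentence and the detection heuristic are assumptions made for this illustration.

```python
import re

COVER = "Please send the quarterly report before the meeting on Friday"  # constructed

def embed(cover: str, secret: bytes) -> str:
    """Hide `secret` in the gaps of `cover`: one space = 0, two spaces = 1."""
    words = cover.split()
    bits = "".join(f"{b:08b}" for b in secret)
    if len(words) < len(bits) + 1:          # n bits need n gaps, i.e. n + 1 words
        raise ValueError(f"cover needs {len(bits) + 1} words, has {len(words)}")
    out = [words[0]]
    for i, word in enumerate(words[1:]):
        # Gaps past the end of the payload stay single-spaced.
        gap = " " * 2 if i < len(bits) and bits[i] == "1" else " "
        out.append(gap + word)
    return "".join(out)

def gap_bits(text: str) -> str:
    """Read every inter-word gap back as a bit: double space -> 1, otherwise 0."""
    gaps = re.findall(r"(?<=\S)( +)(?=\S)", text)
    return "".join("1" if len(g) == 2 else "0" for g in gaps)

def extract(text: str, n_bytes: int) -> bytes:
    """Recover the first n_bytes carried by the gaps."""
    bits = gap_bits(text)[: 8 * n_bytes]
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))

def looks_like_space_channel(text: str) -> bool:
    """Heuristic check: a double space that does not follow sentence punctuation."""
    return re.search(r"[^\s.!?:] {2}\S", text) is not None

def sanitize(text: str) -> str:
    """Collapse runs of spaces; this destroys any bits carried in the gaps."""
    return re.sub(r" {2,}", " ", text)

if __name__ == "__main__":
    stego = embed(COVER, b"A")
    print(repr(stego))
    print(gap_bits(stego), extract(stego, 1))
    print(looks_like_space_channel(stego), repr(sanitize(stego)))
```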
to better security in secure group communication: assets, risks, protections, tools and priorities. As we know, security is a very sensitive issue; the main idea is to have group members actively participate in the security of the “multicast group”, since the group security is distributed among the group members. In this paper we focus on security policies, security services, security techniques and security methodology. The goal of this paper is to make people aware of secure group communication and security.

ACKNOWLEDGEMENT

You see only our names as the authors of this paper, but actually this text would never have been completed without the help of many talented people. Allow us to offer some heartfelt words of thanks to the many people who made this paper possible. First and foremost, thanks to all of our classmates at Uttaranchal University, Dehradun. We have the pleasure of studying with them. You are all extremely talented people and we learn many things from all of you. Special thanks to Kapil Joshi for his help in making this paper possible. Last but not least, thanks to our family and friends who helped us to complete this paper.

REFERENCES

[1] Andrew S. Tanenbaum, Vrije University, Amsterdam; Computer Networks, 4th Ed., 2003.
[2] Andrew S. Tanenbaum, David J. Wetherall; Computer Networks, 4th Ed., Vrije University, University of Washington, 2012.
[3] Uyless D. Black; Computer Networks: Protocols, Standards and Interfaces, 2nd Ed., Prentice Hall, United States, 1996.
[4] Jerry FitzGerald, Alan Dennis; Business Data Communications and Networking, The University of Michigan, 1995.
[5] Atul Kahate; Cryptography and Network Security, 2nd Ed., Head, Technology Practice, PrimeSourcing™ Division, i-Flex Solutions Limited, Pune, 2003.
[6] Behrouz A. Forouzan; Cryptography and Network Security, 2 reprint, New Delhi, New York, 2009.
[7] Roberta Bragg, Mark Rhodes-Ousley, Keith Strassberg with Brian Buege, Glen Carty, Bernard Chapple, Anil Desai, Thomas Knox, Nick Efford; Network Security: The Complete Reference, 3rd reprint, New York, 2005.