COMP.SEC.100, 20. Network Security
20.2 Security objectives and attack models
We want to utilise data networks as widely as possible in our various activities, so we need secure data transmission. But what does security really mean? This module defines the foundations of common security objectives in networked data transmission. In addition, it examines the actions of attackers, who continuously attempt to threaten and undermine security.
Security objectives of network systems
In designing secure data networks, several mutually supporting security objectives are pursued. Summarised in the "CIA" model, they are the same as earlier in this material: confidentiality, integrity, and availability. When applied to network systems and using email as an example, confidentiality means that only the sender and the recipient can know the contents of the message. In fact, no unauthorised party should even be aware that a message was transmitted from the sender to the recipient. Correspondingly, in addition to the message arriving unchanged, integrity requires that the email recipient can observe all events of the transmission as they occurred (e.g. the names of intermediate servers and timestamps). Availability means that the delivery of the message is neither prevented nor delayed.
As in other areas of security, additional objectives beyond the CIA model have been defined. Continuing with the email example, authenticity means that the recipient can be sure that the claimed sender actually sent the message. Non-repudiation extends authenticity by allowing the recipient to prove to others that the message came from a specific sender. On the other hand, anonymity may be desired, where the sender of the message cannot be traced. This is more useful in contexts other than email, and in such cases anonymity of the recipient may also be sought. More advanced privacy-related objectives, such as unlinkability, are outside the scope of this module.
Achieving these security objectives requires cryptography, which has been described separately at the level of theory and practice. Before applying it to data networks, possible attacks are modelled next.
Attack models
Attack models are used to anticipate the possible actions of attackers in advance, so that countermeasures for securing networked systems can be planned.
The Dolev–Yao attacker model describes an extremely powerful attacker with full control over the network: they can observe all traffic, read messages, block or delay them, and create new messages using the keys available to them. The model is used in particular in the analysis of security protocols because it represents the worst possible scenario.
In reality, attackers’ capabilities vary. Active attackers can modify and disrupt traffic, whereas passive attackers only listen to it. An eavesdropper can collect, for example, unprotected passwords or payment information, and even encrypted traffic can sometimes be analysed statistically to infer sensitive information. Attacks may also target data transmission itself, such as in man-in-the-middle attacks (MITM), where the attacker positions themselves between the communicating parties. In addition, connections can be disrupted using forged packets or denial-of-service attacks.
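To make the attacker model concrete, here is a small added simulation (not part of the course material) of a Dolev–Yao adversary relaying one message between two parties who share an HMAC key: the adversary can always read the unencrypted message and can always block it, but can only substitute a message that the recipient accepts if it holds the key. The key, the party names and the messages are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key shared by sender and recipient; the adversary does not hold it.
KEY = b"constructed-demo-key"

def protect(key, msg):
    """Integrity/authenticity: attach an HMAC tag that cannot be forged without the key."""
    return msg, hmac.new(key, msg, hashlib.sha256).digest()

def verify(key, msg, tag):
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), tag)

class DolevYaoAdversary:
    """Every packet passes through the adversary, who may read, drop or replace it,
    but can only compute valid tags with keys it actually holds."""

    def __init__(self, action, keys=None):
        self.action = action          # "observe" (passive), "modify" or "drop" (active)
        self.keys = keys or {}        # keys available to the adversary
        self.seen = []                # everything observed on the wire

    def relay(self, msg, tag):
        self.seen.append(msg)         # eavesdropping: the message is not encrypted here
        if self.action == "drop":
            return None               # message blocked: availability violated
        if self.action == "modify":
            forged = b"pay 1000 to mallory"
            if "shared" in self.keys: # with the key, a valid tag can be created
                return protect(self.keys["shared"], forged)
            return forged, tag        # without it, the old tag no longer matches
        return msg, tag

def run_exchange(adversary, plaintext=b"pay 10 to bob"):
    """Returns (outcome, message accepted by the recipient or None)."""
    out = adversary.relay(*protect(KEY, plaintext))
    if out is None:
        return "blocked", None
    msg, tag = out
    if not verify(KEY, msg, tag):
        return "rejected", None       # tampering detected, message discarded
    return "delivered", msg

if __name__ == "__main__":
    for name, adv in [("observe", DolevYaoAdversary("observe")),
                      ("modify", DolevYaoAdversary("modify")),
                      ("drop", DolevYaoAdversary("drop")),
                      ("modify+key", DolevYaoAdversary("modify", {"shared": KEY}))]:
        print(name, run_exchange(adv), "adversary saw:", adv.seen)
```

The HMAC gives integrity and authenticity only: the observe and drop cases show that confidentiality and availability need other measures, and the last case shows why the keys an attacker holds are part of the model.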
The impact of an attack depends on its target and scope. An attack targeting a single user is usually limited, whereas an attack targeting, for example, a service provider may disrupt large systems. Particularly effective are distributed attacks, where multiple devices (e.g. a botnet) are used, significantly increasing the impact and potentially affecting entire services or infrastructures.