Module1 MB - Lecture1 - Introduction To Security

PPt for CSS module 1 Mumbai University

Uploaded by

Kashik Sredharan

Cryptography and System Security (CSS)

Module 1
Introduction and Number Theory

Information Security

• Information security ensures that both physical and digital data is protected from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction.

Cybersecurity

• Cybersecurity protects only digital data.

• Cybersecurity, a subset of information security, is the practice of defending your organization’s networks, computers and data from unauthorized digital access, attack or damage by implementing various processes, technologies and practices.

Network Security

• Network security, a subset of cybersecurity, aims to protect any data that is being sent through devices in your network to ensure that the information is not changed or intercepted.

• Network security consists of the policies and practices adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network.

Cryptography

• Cryptography, which translates as "secret writing," refers to the science of concealing the meaning of data so only specified parties understand a transmission's contents.

System Security

• The objective of system security is the protection of information and property from theft, corruption and other types of damage, while allowing the information and property to remain accessible and productive.

• System security includes the development and implementation of security countermeasures.

ICT Security

Computer Security

• The NIST Computer Security Handbook [NIST95] defines the term computer security as follows:

  The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

• This definition introduces three key objectives that are at the heart of computer security

Key Security Concepts

[Figure: Security Objectives]

Key Security Concepts

• Confidentiality (covers both data confidentiality and privacy):
• Data confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals
• Privacy: Assures that individuals control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
• A loss of confidentiality is the unauthorized disclosure of information.

Key Security Concepts

• Integrity (covers both data and system integrity):
• Data integrity: Assures that information and programs are changed only in a specified and authorized manner.
• System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
• A loss of integrity is the unauthorized modification or destruction of information.

Key Security Concepts

• Availability: Ensuring timely and reliable access to and use of information.
• Assures that systems work promptly and service is not denied to authorized users.
• A loss of availability is the disruption of access to or use of information or an information system.

These three concepts form what is often referred to as the CIA triad

Key Security Concepts

• Although the use of the CIA triad to define security objectives is well
established, some in the security field feel that additional concepts are
needed to present a complete picture.
Two of the most commonly mentioned are:
• Authenticity: The property of being genuine and being able to be
verified and trusted; confidence in the validity of a transmission, a
message, or message originator.
• Accountability: The security goal that generates the requirement for
actions of an entity to be traced uniquely to that entity.
Systems must keep records of their activities to permit later
forensic analysis to trace security breaches or to aid in
transaction disputes.

Levels of Impact

• 3 levels of impact from a security breach can be defined
• Low
• Moderate
• High

Low Impact

• The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
• Example, the loss of confidentiality, integrity, or availability might
• (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced;
• (ii) result in minor damage to organizational assets;
• (iii) result in minor financial loss; or
• (iv) result in minor harm to individuals

Moderate Impact

• The loss could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
• Example, the loss might
• (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced;
• (ii) result in significant damage to organizational assets;
• (iii) result in significant financial loss; or
• (iv) result in significant harm to individuals that does not involve loss of life or serious, life-threatening injuries.

High Impact

• The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
• Example, the loss might
• (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions;
• (ii) result in major damage to organizational assets;
• (iii) result in major financial loss; or
• (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

Levels of Impact Examples

• Confidentiality
• Student grade information – high
• Student enrollment information – moderate
• Student and faculty list – low
• Integrity
• Patient allergy information – high
• Forum website for registered users – moderate
• Anonymous online poll – low

Levels of Impact Examples

• Availability
• A system that provides authentication services for critical systems, applications, and devices – high
• A public Web site for a university – moderate
• An online telephone directory lookup application – low

The OSI Security Architecture

• The OSI security architecture is useful to managers as a way of organizing the task of providing security.
• ITU-T Recommendation X.800, Security Architecture for OSI, defines a systematic approach of defining the requirements for security and characterizing the approaches to satisfying those requirements.
• The OSI security architecture focuses on security attacks, mechanisms, and services.

The OSI Security Architecture

• Security attack
• Any action that compromises the security of information
owned by an organization
• Security mechanism (control)
• A process (or a device incorporating such a process) that is
designed to detect, prevent, or recover from a security
attack
• Security service
• A processing or communication service that enhances the
security of the data processing systems and the information
transfers of an organization. The services are intended to
counter security attacks, and they make use of one or more
security mechanisms to provide the service.

Important Terms

• Threat – a potential for violation of security. A threat is a possible danger that might exploit a vulnerability.

• Vulnerability – a way by which loss can happen

• Attack – an assault on system security, a deliberate attempt to evade security services and violate the security policy of a system.

Security Attacks

• Passive Attacks
• A passive attack attempts to learn or make use of information from the system but does not affect system resources.
• This means that the attacker or attack doesn’t modify data or harm the system.
• Active Attacks
• An active attack attempts to alter system resources or affect their operation. Active attacks threaten the integrity and availability.

Passive Attacks

• Passive attacks are in the nature of eavesdropping (spy) on, or monitoring of transmissions.
• The goal of the opponent is to obtain information that is being transmitted.
• Two types of passive attacks
• Release of Message Content
• Traffic Analysis.

Passive Attacks

[Figure panels: Release of Message Contents; Traffic Analysis]

Security Attacks

Passive Attack
Threat to Confidentiality

1. Snooping: Unauthorized access to or interception of data

2. Traffic Analysis: Monitoring the online traffic

Active Attacks

• Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories:
• Masquerade,
• Replay,
• Modification of Messages
• Denial of Service.

Active Attacks

[Figure panels: Masquerade; Replay; Modification; Denial of Service]

Threat to Integrity

1. Modification: After intercepting or accessing information, the user can modify it.

Active Attacks

[Figure: 1. Modification/Fabrication; label: Fabricated message]

Threat to Integrity

2. Masquerading: Masquerading or spoofing happens when the attacker impersonates someone else

3. Replay: A replay attack is a type of network attack in which an attacker captures a valid network transmission and then retransmits it later. The main objective is to trick the system into accepting the retransmission of the data as a legitimate one.

Active Attacks

[Figure: 3. Replay]

Replay

Imagine Tom sends a login request to a website: the login request is verified, and Tom can log in. Sally intercepts the login request without Tom or the website being aware. Sally doesn’t even need to read the contents of the request; she can simply “replay” it. To the website, it will appear as though Tom is logging in again, and Sally’s login request (as Tom) will be successful.

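The Tom and Sally scenario from the server's side, as an added example that is not part of the original slides: a server that only checks a message authentication code accepts the captured request a second time, while one that also checks a timestamp and remembers nonces rejects it. The HMAC-SHA256 construction, the field names, the 30-second window and the class names are assumptions made for this illustration.

```python
import hashlib
import hmac
import json
import secrets

MAX_SKEW = 30  # seconds a request stays acceptable (assumed policy value)
FIELDS = ("user", "action", "ts", "nonce")

def compute_mac(key: bytes, req: dict) -> str:
    """HMAC-SHA256 over the request fields in a fixed, canonical order."""
    body = json.dumps({f: req[f] for f in FIELDS}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def sign_request(key: bytes, user: str, action: str, now: float) -> dict:
    """Client side: bind a timestamp and a random nonce into the MAC."""
    req = {"user": user, "action": action,
           "ts": int(now), "nonce": secrets.token_hex(16)}
    req["mac"] = compute_mac(key, req)
    return req

class NaiveServer:
    """Verifies the MAC only, so a captured request verifies every time."""
    def __init__(self, key: bytes):
        self.key = key

    def accept(self, req: dict, now: float) -> bool:
        return hmac.compare_digest(compute_mac(self.key, req), req["mac"])

class ReplayAwareServer(NaiveServer):
    """Also enforces freshness and rejects any nonce it has already seen."""
    def __init__(self, key: bytes):
        super().__init__(key)
        self.seen = {}  # nonce -> timestamp of the request that used it

    def accept(self, req: dict, now: float) -> bool:
        if not super().accept(req, now):
            return False                      # forged or modified
        if abs(now - req["ts"]) > MAX_SKEW:
            return False                      # too old (or clock far ahead)
        # Forget nonces whose requests could no longer pass the freshness check.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if req["nonce"] in self.seen:
            return False                      # replay inside the window
        self.seen[req["nonce"]] = req["ts"]
        return True

def demo() -> dict:
    key = secrets.token_bytes(32)             # shared secret, constructed here
    t0 = 1_700_000_000.0                      # constructed clock value
    login = sign_request(key, "tom", "login", t0)
    captured = dict(login)                    # intercepted copy, unread and unchanged
    naive, strict = NaiveServer(key), ReplayAwareServer(key)
    return {
        "naive_first": naive.accept(login, t0),
        "naive_replay": naive.accept(captured, t0 + 5),
        "strict_first": strict.accept(login, t0),
        "strict_replay": strict.accept(captured, t0 + 5),
        "strict_stale": strict.accept(captured, t0 + 3600),
    }
```
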
Threat to Integrity

4. Repudiation meaning: to say that you refuse to accept or believe something

The sender might deny sending the message or the receiver might deny having received the message

Threat to Availability

Denial of Service (DoS): It may slow down the service or interrupt the service of the system
• The attacker might send so many bogus requests to a server that it crashes due to heavy load
• The attacker might intercept and delete a server’s response to the client, making the client believe that the server is not responding
• The attacker may intercept requests from the clients, causing the clients to send requests many times and overload the systems

SECURITY ATTACKS

Categorizing passive and active attacks

Attacks                                             | Passive / Active | Threatening
Snooping, Traffic analysis                          | Passive          | Confidentiality
Modification, Masquerading, Replaying, Repudiation  | Active           | Integrity
Denial of Service                                   | Active           | Availability

Security Services

• International Telecommunication Union – Telecommunication Standardization Sector (ITU-T) (X.800) has defined five services related to security goals and attacks.
• X.800 divides these services into five categories and fourteen specific services.
• Authentication
• Access Control
• Data Confidentiality
• Data Integrity
• Nonrepudiation

Security Services

• Authentication
• The authentication service is concerned with assuring
that a communication is authentic.
• Access Control
• In the context of network security, access control is
the ability to limit and control the access to host
systems and applications via communications links.
Security Services

• Data Confidentiality
• Confidentiality is the protection of transmitted data from passive attacks.
• It is a security service that keeps the information from an unauthorized person. It is sometimes referred to as privacy or secrecy. It prevents snooping and traffic analysis attack.

Security Services

• Data Integrity
• The assurance that data received are exactly as sent by an
authorized entity (contain no modification, insertion, deletion or
replay).
Security Services

• Nonrepudiation
It is a security service that ensures that an entity cannot refuse the
ownership of a previous commitment or an action. It is an assurance
that the original creator of the data cannot deny the creation or
transmission of the said data to a recipient or third party.
Non-repudiation is a property that is most desirable in situations where
there are chances of a dispute over the exchange of data.
• When a message is sent, the receiver can prove that the
alleged sender in fact sent the message.
• When a message is received, the sender can prove that the
alleged receiver in fact received the message.

Security Mechanisms

Encipherment
Encipherment deals with hiding and covering of data, which helps data to become confidential.
It is achieved by applying mathematical calculations or algorithms which reconstruct information into an unreadable form.
It is achieved by two famous techniques named Cryptography and Encipherment.
The level of data encryption depends on the algorithm used for encipherment.

Security Mechanisms

Data Integrity
Data integrity is a connection-oriented integrity service: it can handle a flow of messages and assure that messages are received as sent, with no duplication, insertion, modification, reordering, or replays.
It is similar to sending a packet of information known to both sending and receiving parties, which is checked before and after the data is received.

Security Mechanisms

Digital Signature
A digital signature is a means by which the sender can electronically sign the data and the receiver can electronically verify the signature.
The sender uses a process that involves showing that she owns a private key related to the public key that she has announced publicly.
The receiver uses the sender’s public key to prove that the message is indeed signed by the sender who claims to have sent the message.

Security Mechanisms

Authentication Exchange − This is a structure intended to provide the integrity of an entity by means of information exchange.
Traffic Padding − The insertion of bits into gaps in an information flow is known as traffic padding. This helps to counter traffic analysis attempts.
Routing Control − Routing control allows selection of specific physically secure routes for specific data transmission and enables routing changes, particularly when a gap in security is suspected.
Notarization − This is the usage of a trusted third party to assure specific properties of an information exchange. It acts as a mediator between sender and receiver so that any chance of conflict is reduced.
Access Control − This mechanism is used to stop unintended access to data which you are sending. It can be achieved by various techniques such as applying passwords, using a firewall, or just by adding a PIN to data.

Relationship between Security Services and Mechanisms (IMPORTANT SLIDE)

Security Service     | Security Mechanism
Data confidentiality | Encipherment, routing control
Data integrity       | Encipherment, digital signature, data integrity
Authentication       | Encipherment, digital signature, authentication exchange
Nonrepudiation       | Digital signature, data integrity, notarization
Access control       | Access control

Pervasive Security Mechanism

Mechanisms that are not specific to any particular OSI security service or
protocol layer.
1. Trusted Functionality: That which is perceived to be correct with
respect to some criteria (e.g., as established by a security policy).
2. Security Label: The marking bound to a resource (which may be a data
unit) that names or designates the security attributes of that resource
4. Event Detection: Detection of security-relevant events.
5. Security Audit Trail: Data collected and potentially used to facilitate a
security audit, which is an independent review and examination of
system records and activities.
6. Security Recovery: Deals with requests from mechanisms, such as event
handling and management functions, and takes recovery actions.

Security Techniques

Cryptography
• Cryptography is the technique of securing information and communications through the use of codes so that only those persons for whom the information is intended can understand it and process it, thus preventing unauthorized access to information.
• The prefix “crypt” means “hidden” and the suffix “graphy” means “writing”.
• Cryptography mechanisms:
  1. Symmetric Key Encipherment
  2. Asymmetric Key Encipherment
  3. Hashing

Symmetric Key Encipherment
• It is an encryption system where the sender and receiver of a message use a single common key to encrypt and decrypt messages.
• Symmetric Key encipherment uses a single secret key for both encryption and decryption.
• Encryption/decryption can be thought of as an electronic locking.
• Symmetric Key Systems are faster and simpler, but the problem is that sender and receiver have to somehow exchange the key in a secure manner.
• The most popular symmetric key cryptography system is Data Encryption System (DES).

Asymmetric Key Encipherment
• Under this system a pair of keys is used to encrypt and decrypt information. A public key is used for encryption and a private key is used for decryption. Public key and Private Key are different.
• Even if the public key is known by everyone, the intended receiver can only decode it because he alone knows the private key.

Hashing
• There is no usage of any key in this algorithm. A hash value with fixed length is calculated as per the plain text, which makes it impossible for contents of plain text to be recovered.
• Many operating systems use hash functions to encrypt passwords.

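How a system can store and check passwords with a hash, as an added example that is not part of the original slides: it shows the fixed-length output, why a bare hash lets equal passwords be spotted, and a salted, iterated variant. PBKDF2-HMAC-SHA256, the iteration count and the record format are choices made for this illustration; the slide names no algorithm.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 100_000  # work factor; assumed value for this example

def unsalted(password: str) -> str:
    """Plain SHA-256: fixed length, but equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$hash_hex', stored instead of the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    try:
        iterations, salt_hex, hash_hex = record.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False  # malformed record: treat as a failed login
    return hmac.compare_digest(digest.hex(), hash_hex)

def demo() -> dict:
    pw = "correct horse battery staple"  # constructed sample password
    a, b = make_record(pw), make_record(pw)
    return {
        "fixed_length": len(unsalted("a")) == len(unsalted("a" * 10_000)) == 64,
        "bare_hash_repeats": unsalted(pw) == unsalted(pw),
        "salted_records_differ": a != b,
        "right_password": verify(pw, a) and verify(pw, b),
        "wrong_password": verify("guess", a),
    }
```
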
Steganography
• The word steganography, with origin in Greek, means
“covered writing”. Cryptography means concealing the
contents of a message by enciphering; steganography
means concealing the message itself by covering it
with something else.

Model for Network Security

• A message is to be transferred from one party to another across some sort of Internet.
• The two parties, who are the principals in this transaction, must cooperate for the exchange to take place.
• A logical information channel is established by defining a route through the internet from source to destination and by the cooperative use of communication protocols (e.g., TCP/IP) by the two principals.

[Figure: Model for Network Security]

Model for Network Security

• This general model shows that there are four basic tasks
in designing a particular security service:
• Design an algorithm for performing the security-related
transformation. The algorithm should be such that an
opponent cannot defeat its purpose.
• Generate the secret information to be used with the
algorithm.
• Develop methods for the distribution and sharing of the
secret information.
• Specify a protocol to be used by the two principals that
makes use of the security algorithm and the secret
information to achieve a particular security service.
Network Access Security Model
