The document discusses various methods of securing data including encryption techniques like symmetric encryption, public key encryption, hashing, and digital signatures as well as network security concepts like firewalls, intrusion detection, and viruses. It provides details on algorithms like DES, RSA, and protocols like SSL/TLS while summarizing common data security threats and approaches to mitigate risks.
2. Data Security
‘To ensure that the data is received meaningfully
only by the intended recipient’
Approach – Alter (encrypt) the message (un-
intelligible even if intercepted)
- Algorithms
- Public key encryption
- Secure Transfer over internet
3. Data Security
Definitions:
‘Changing the encrypted data into its original form
– decryption’
Plaintext P- original form
Cipher-text C - encrypted data
Encryption algorithm and key Ek, changes P to C
C = Ek(P),
Decryption algorithm and key Dk’, changes C to P
P = Dk’(C), in many cases k = k’
4. Data Security
Mono-alphabetic cipher:
‘Replaces each plaintext character with another’
- Add 1 to ASCII code of each character
- A turns into B, B to C, …
- Simple but Rarely used in serious applications
- Relatively easy to decipher
- Commonly used letters: E, T, O, A, N => if
certain letters appear frequently in cipher-
text, probably it is one of these (than Q or Z)
5. Data Security
Mono-alphabetic cipher:
P = PLEASE ADD MONEY TO
C = {;RSDRSFF,PMRUYP
=> 4 times
=> S Twice
=> R Thrice
=> P Twice
They may be substitutions of common
characters, even blank spaces
6. Data Security
Mono-alphabetic cipher:
‘Try various combinations of common ones’
{;EADEAFF,ONEUYO…(R by E, S by A, P by O)
“Replace ‘’ by blank spaces”
{;EADE AFF ,ONEU YO
Clues: ‘Two letter word ends with O, Three letter
word begins with A followed by repeated letter’
{;EADE ADD ,ONEU TO
=> With educated guesses, message can be
decrypted
7. Data Security
Mono-alphabetic cipher:
Drawbacks: preserving particular letter
sequences, frequency with which letters occur
Poly-alphabetic Cipher:
‘Change the frequencies and break-up common
sequences’
A plaintext character is not always replaced with
the same one cipher-text character.
Replacement = f (P, its position in the message)
8. Data Security
Poly-alphabetic Cipher:
For (int i = 0; i < length of P; i++)
C[i] = P[i] + K + (i mod 3)
Assume, K =1.
1 is added for positions 0, 3, 6, …
2 is added for positions 1, 4, 7, …
3 is added for positions 2, 5, 8, …
THEMTHENTHEY -> UJHNVKFPWIG
=> Repetition has reduced, but still present
9. Data Security
Poly-alphabetic Cipher:
‘THE’ appears as UJH, VKF, WIG
If there were more ‘THE’, the pattern would
repeat.
Also, there are other patterns:
First letters of each ‘THE’ cipher-text are
consecutive – UVW, (also the 2nd one as JKI,
and the 3rd one as HFG)
=> Clues for decryption
10. Data Security
Transposition Cipher:
‘Rearranges the P letters of a message (not
Replacing them)’
One way – store characters in a 2-dimensional
array with m-columns
=> First m-characters in 1st row, next m-
characters in 2nd row, …..
Determine a permutation of numbers 1 to m:
p1, p2, ……, pm
12. Data Security
Transposition Cipher:
Transmit columns 2, 4, 3, 1, 5 (permutation)
O YWCALHLB LTE KDFW OIOOELRR
If, receiver knows the permutation and the
number of columns -> reconstruct the
message
Drawbacks: letter frequencies are preserved,
also by grouping the characters in different
columns for sequences like ‘THE, IS’ are
helpful for guessed-decryption.
13. Data Security
Bit-Level ciphering:
‘Previous methods are applicable to character
sequences’
‘Files may contain raw bits (execution files), This
method handles them’
- Encryption key is a randomly chosen bit-string
- Message bit string is divided into substrings
- Length is the same as that of the key
14. Data Security
Encrypted string = message string XOR key
- Decryption: Encrypted string XOR key
- E (algorithm) is same as D (algorithm)
- pi is a plaintext bit, if encryption key contains
‘0’ in that position:
pi XOR 0 XOR 0 = pi
if encryption key contains ‘1’ in that position:
pi XOR 1 XOR 1 = pi XOR (1 XOR 1) = pi XOR 0 =
pi
15. Data Security
‘Security depends partly on the length of the
key’
- Short key => many substrings => more chance
of repetition of the encrypted substring,
susceptible
- In extreme case, the key length = message
length => each bit is encrypted uniquely
- If the key-bits are random => unbreakable
code (but long key needs to be transferred)
16. Data Security
Data Encryption Standards (DES):
‘Approach is to keep the key short compared to the
message and to use complex procedure to
encrypt the message’
- Based on ‘block-cipher’
- Divides the message into 64-bit blocks, uses a key
to employ a complex transformation.
- It uses transposition (rearrangement) and
substitution (replacing one bit-group with
another
17. Data Security
Steps:
- Transposition on the block data and the key
- 16 successive encryptions with different keys
derived from the original, output of one fed to
the next input
- Swap (32 bits)
- Reverse transposition (of the 1st step)
18. Data Security
Encryption operations:
data = C64 = L32 R32, K56 = key
(R32: transpose, duplicate bits) results in R48
(K56: shift on each half, transpose) results in K56
R48 XOR K48 (first) = X48
Divide into 8 (6-bit) groups
Substitute each by 4-bit value
Combine into a 32-bit string, transpose = X32
19. Data Security
L32 XOR X32 = X32
Form final 64 bits = R32 X32
‘Idea was to develop a method with many
convoluted steps’
- If the same 64-bit block occurs more than
once, it generates the same cipher-text.
‘Cipher Block Chaining (CBC)’ disrupts that
pattern.
20. Data Security
CBC:
Initialization vector (IV):
Block 1 XOR IV -> DES -> Block 1C
Block 1C XOR Block 2 -> DES -> Block 2C
Block 2C XOR Block 3 -> DES -> Block 3C …
Cipher-text = f (plaintext, its position)
=> Same plain text in different positions means
different cipher text also
21. Data Security
• DES Effectiveness: Brute force method of
attack – trying all possible keys -> 256 possible
keys, it was possible to break the code in
hours using gigahertz processors.
• Using 128-bit key => 9.5 * 1015 years to try all
possible keys @ 1015 keys per second
22. Data Security
Public Key Encryption (PKE):
‘Knowing the encryption key and the algorithm
renders decryption easy’
‘PKE makes decryption algorithm and key
determination difficult even when encryption
algorithm and key are known’
- Many sources can send message using same Ek.
Only the receiver knows the Dk’.
23. Data Security
RSA algorithm:
- Uses modulo-arithmetic and factorization of
very large numbers
- Cipher-text is easy to calculate but difficult to
break
1.Assign simple code to letters (1 to 26 for ‘a’ to
‘z’)
2.Choose ‘n’ (200 or more digits) as a product of
two large prime numbers p, q.
24. Data Security
For simplicity, n = p * q = 11 * 7 = 77
3. Find a number K that is relatively prime (no
common factors except 1) to (p-1) * (q-1).
Choose k = 7 as the encryption key (there is
always a k)
4. Divide the message into components (with
many letters in one, avoids repetition), For
simplicity: “hello” divided as h, e, l, l, o
25. Data Security
5. For each component, concatenate all the binary
code of each letter and interpret it as an integer.
Here, integers are: 8, 5, 12, 12, 15.
6. Encrypt the message by raising each number to
the power of k (modulo n)
Encrypted message = 57 47 12 12 71
Decryption:
1. Find a value k’ such that (k * k’) – 1 is evenly
divisible by (p-1) * (q-1). K’ is the decryption key .
26. Data Security
Here, (p-1) * (q-1) = 60, k’ = 43 works well.
(there is always a k’)
2. Raise each encrypted number to the power of
k’ (modulo n)
Results are the original numbers 8, 5, 12, 12, 15.
Potential problem: How to find 71 43 modulo 77?
Break the power in 2, 4, 8, …
Find the modulo for lowest to the highest.
27. Data Security
• How secure is RSA?
‘n’ and ‘k’ are needed for encryption,
If they are intercepted, K’ could be deduced.
However, it needs ‘p’ and ‘q’ – the factors of ‘n’.
• If ‘n’ is large (200 or more digits) => difficult,
time-consuming
28. Data Security
Transport layer security (TLS) and Server
Authentication:
‘To ensure access to the proper encryption
methods and keys to protect privacy’
‘Also to ascertain the legitimacy of the site
connected to’
‘Secure Sockets Layer (SSL) and Transport Layer
Security Protocols, X.509 certificates’
29. Data Security
‘TLS and SSL lies between application layer and
transport layer’
Sender side: encrypts the message from application
layer and passes it to the transport layer
Receiver side: receives the message from transport
layer and passes the decrypted message to the
application layer
‘TLS has the ability to revert to SSL 3.0, there are
some low level differences’
30. Data Security
X.509 certificate:
‘Electronic ID to prove that a site is what it
claims to be’
‘Certificate Authority (CA) issues certificates’
‘Consumer maintains a list of trustworthy CAs in
his computer’
‘Trusted CA list is developed over the time’
‘Certificate contains a period of validity and two
fingerprints’
31. Data Security
‘Authentication is the process of validating the
identity of the message-source’
‘Fingerprints are values calculated using some
algorithms for authentication’
Browser:
- downloads the server certificate
- checks the period of validity
- checks the fingerprints
- checks the CA
‘All must be affirmative in order to proceed’
32. Data Security
‘An initial set of exchange takes place between
the server and the client – handshake’
‘Handshake defines the cryptographic routines,
key exchanges, and authentication process’
1. Client to server: highest TLS (SSL) version
available, a list of encryption algorithms, a list
of key exchange algorithms, and a list of
supported compression methods.
33. Data Security
2. Server chooses each one of the above items from
the suggested list of the client. It also sends its
certificate.
3. Client needs to authenticate the certificate.
Issuing CA attaches a digital signature /
Fingerprints to it. Two methods are used to
provide extra security. Also, it verifies the domain
name in the certificate with that of server.
4. Client sends key to server.
5. If required, server may authenticate the client.
6. Both client and server exchanges session-keys.
34. Data Security
7. Both sides confirm this arrangements and
start secure-communication.
# If user A wants to send an encrypted message
to user B, the plaintext is encrypted with the
public key of _.
a) User A b) User B c) The network d) (a) or
(b)
35. Data Security
Firewalls
‘Machines are at risk when they are not actively
doing anything’
‘Risk comes from malicious attacks disrupting
activities, causing harm’
‘Challenge is to prevent attacks from being
successful’
‘All internet traffic has to pass through special
machine(s) – Firewall’
36. Data Security
‘It examines passing traffic to look for possible
threats’
‘The challenge is to identify the threats’
IP – layer 3, TCP – layer 4
IP packet contains data, source and destination
addresses, layer 4 protocol (TCP / UDP) using
it.
Server is identified by IP address and the specific
service by port number
37. Data Security
Telnet – Port 23, FTP - Port 21, SMTP - Port 25
Some approaches:
Packet Filtering:
‘Examine the header of each packet and decide’
Decision may base on:
- Address field
- port number
- transport protocol represented
38. Data Security
Example decisions:
- Allow any incoming packet with TCP port
designation of 23 (allowing remote login to
any machine)
- Allow any incoming packet with TCP port
designation of 23 with destination address
found in a maintained list. Implication?
- Allow any outgoing packet with destination
address found in a maintained list.
Implication?
39. Data Security
The above specifies criteria to allow packets.
=> Blocks unless otherwise specified (default)
Alternative: Allows unless otherwise specified
(default)
- Block any incoming packet with TCP port
designation of 23. Implication?
- Block any incoming packet with source
address found in a maintained list.
Implication?
40. Data Security
- Block any incoming packet with destination
address found in a maintained list.
Implication?
- Block any outgoing packet with source and
destination addresses found in a maintained
list. Implication?
Better ‘default’ approach? Block packet –
nothing will pass unless explicitly stated,
Ensures more security.
41. Data Security
Application Level Gateway:
Packet filtering works at layer 3, making decision on
packet contents, inflexible on an action within an
application.
Gateway provides that flexibility, works at a higher
layer.
‘Allow for file transfer – download files but not
upload’
‘More logic into a firewall that understands the
applications and their abilities – called proxy
server’
42. Data Security
‘Special programs for each type of application it
needs to watch.’
‘It examines application layer requests and
allows (denies) based on the information
provided to the firewall’
‘A gateway program for each application’
- Main advantage: flexibility
- Significant overhead
43. Data Security
Stateful Inspection:
‘Works at the network layer and avoids
overhead’
‘It examines the contents of a packet in the
context of what has happened previously’
Example: a ‘ping’ command response indicates
that a device is reachable and the time
needed for a round-trip’
=> Command sends an echo request and site
responds with echo response
44. Data Security
Stateful inspection ensures that a response
packet is not allowed unless there was a
previous request.
Also the source and the destination should
reverse in these two events. (security against
denial-of-service attack)
45. Data Security
Viruses
‘A collection of instructions attached to an
executable file that does something not
intended originally’
Virus attachment to a file -> infected file
Worms usually appear as a separate program,
intruding a system, threatening security.
‘Infected file contains a branch instruction to
unintended tasks, and branches to some point
of the original code’ - diagram
46. Data Security
‘User may not be aware of the virus unless it
causes a major distraction’
‘Worst viruses avoid massive, immediate
destruction, rather making small,
unnoticeable changes over time’
‘As such, even back-ups may be infected’
‘Virus may probe file system looking for
executable files on disk, if found, it duplicates
itself and stores a copy in the file’
47. Data Security
Memory Resident viruses:
‘Resides in memory, attacks a file when it enters
the memory’
It needs to be referenced to be executed.
It may use the interrupt mechanism to do so.
‘Modifies the Interrupt table with vectors
pointing to the virus instead’
48. Data Security
Early Antivirus programs worked by looking for
signature – a sequence of bytes contained in
the virus- at the beginning and end of file.
Signatures were encrypted and the decryption
algorithm was added to virus.
Antivirus programs looked for byte patterns of
decryption algorithm, examined decrypted
result and look for signatures – proved quite
successful
49. Data Security
Virus Sources:
‘Individuals trying to invade a system’
‘It spreads by sharing resources – through
removable disks, networks’
‘Prevention is the best approach’
Internet worm:
‘Replicates quickly throughout internet, clogging
communications, forcing system shut down’
50. Data Security
One approach taken by the worm:
‘Used an utility program that allows one user to
obtain information of other user’
‘A flaw that did not check for buffer-overflow
was exploited’
‘The worm was able to overflow the buffer and
overwrote part of the system stack’
‘The original return address was lost, pointing to
some instructions in the buffer’
52. Data Security
# Mono- alphabetic cipher has no real value
where serious security is needed. T/F
# Public key encryption allows different people
to use the same encryption key even when
they are not supposed to know what another
person is sending. T/F
# Any block cipher that encrypts a block at a
time is essentially a substitution cipher,
replacing one block with another. T/F
53. Data Security
# An encryption method that uses longer key is
more secure than one that uses a shorter key.
T/F
# The most serious viruses destroy a lot of data
very quickly. T/F
# Firewalls are commonly used to protect a
network against incoming viruses. T/F
54. Data Security
# A _ can forward or block packets based on the
information in the network and transport layer
headers.
a) Proxy Firewall b) Packet filter firewall
c) Message Digest d) Private key
# A _ can forward or block packets based on the
information in the message itself.
a) Proxy Firewall b) Packet filter firewall
c) Message Digest d) Private key