Lecture 1 - Introduction

Uploaded by

recomalta
Copyright
© All Rights Reserved
DM 426

Computers and
Information Security
Fall 2023/2024
Lecture # 1

Introduction
The text book
Class textbook:
INTRODUCTION TO CRYPTOGRAPHY AND
NETWORK SECURITY,
Behrouz A. Forouzan, McGraw-Hill.
Course Information Policies
• Grading:
• 2 Quizzes: 8% (4% each)
• Homework & Attendance: 8%
• Project: 14%
• Midterm Exam: 30%
• Final Exam: 40%
• Attendance:
• Attendance is mandatory
COURSE PLAN

Week #  Topic                                         Hours: Total  Lec.  Ex.  Lab
1.      Introduction & Mathematical Background               3       2     -    2
2.      Classical Cryptography                               3       2     -    2
3.      Symmetric Key Cipher (DES and AES)                   3       2     -    2
4.      Asymmetric Key Cipher (RSA)                          3       2     -    2
5.      Hash Function                                        3       2     -    2
6.      Digital Signature                                    3       2     -    2
7.      Trust, PKI, Key Management                           3       2     -    2
8.      Network Layer Security: IPsec                        3       2     -    2
9.      Transport Layer Security: SSL/TLS                    3       2     -    2
10.     Application Layer Security: PGP, SMIME               3       2     -    2
11.     Firewalls                                            3       2     -    2
12.     Viruses and Worms                                    3       2     -    2
        Total                                                36      24    -    24

Lecture Contents

❑ Security objectives
❑ Security goals
❑ Security attacks
❑ Security services
❑ Security mechanisms
❑ Cryptography and steganography
Security Objectives, ADVERSARIES

Blue Cross Blue Shield Association (BCBS) is a federation of 34 companies (as of 2022) that provide health insurance in the United States.
Security Objectives

PRIVACY AUTHENTICITY IDENTITY

I don’t want others to see my emails or chats; get my national number, credit-card
number or medical records; know which web sites I visit, what I buy, where I travel. I don’t
want them to know my salary, how I vote, what movies I like, whether I sing in the shower.
Coca-Cola does not want its formula revealed, corporations want to protect their
technology, governments want their plans kept secret.
Security Objectives

PRIVACY AUTHENTICITY IDENTITY

AUTHENTICITY: I don’t want the emails or chats I send or receive to be modified or faked. I don’t want my allergy information to be erased from my medical record. I don’t want my accounts to be broken into. I don’t want the data I communicate to my bank to be modified.
Servers don’t want to be hacked into. Companies want to control access to their databases.

IDENTITY: I want to be sure that entities I interact with are who they claim to be, whether it be my friend Alice, my doctor or Google.
Why privacy matters

"If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place."
Eric Schmidt, CEO Google, 2009

"If you have nothing to hide then give me the passwords to ALL your email accounts, your text and chat histories, …"
Glenn Greenwald, American journalist and writer
https://www.youtube.com/watch?v=pcSlowAhvUk (20 minute video of TED talk)

The Chronicle of Higher Education: Why privacy matters even if you have nothing to hide
http://chronicle.com/article/Why-Privacy-Matters-Even-if/127461/

Bruce Schneier, The Value of Privacy:
"Privacy protects us from abuses by those in power … We keep private journals, … privacy is a basic human need."
https://www.schneier.com/blog/archives/2006/05/the_value_of_pr.html

http://zeroknowledgeprivacy.org/library/why-privacy-matters/

AUTHENTICITY is the lock on your front door.
PRIVACY is the set of blinds on your living-room window.
Well, kind of …

PRIVACY AUTHENTICITY IDENTITY
But these are not precise terms or distinctions.
One should be wary of debating terms rather than issues!
The Snowden revelations

• Court-approved NSA access to Google and Yahoo accounts
• Verizon hands phone records of millions of customers to NSA daily
• Extensive wiretapping, tapping undersea cables
• Harvesting of millions of email and instant-messaging contact lists
• Tracking and mapping location of cellphones
• Backdoor planted in Dual_EC_DRBG random-number generator
• Paying corporations to adopt NSA-broken standards
• Sophisticated malware

SECURITY GOALS

Figure 1.1 Taxonomy of security goals


1.1.1 Confidentiality
Confidentiality is probably the most common aspect of information
security. We need to protect our confidential information. An
organization needs to guard against those malicious actions that
endanger the confidentiality of its information.
1.1.2 Integrity
Information needs to be changed constantly. Integrity means
that changes need to be done only by authorized entities and
through authorized mechanisms.
1.1.3 Availability
The information created and stored by an organization needs
to be available to authorized entities. Information needs to
be constantly changed, which means it must be accessible to
authorized entities.
1-2 ATTACKS

The three goals of security (confidentiality, integrity, and availability) can be threatened by security attacks.

Topics discussed in this section:
1.2.1 Attacks Threatening Confidentiality
1.2.2 Attacks Threatening Integrity
1.2.3 Attacks Threatening Availability
1.2.4 Passive versus Active Attacks
1.2 Continued

Figure 1.2 Taxonomy of attacks with relation to security goals


1.2.1 Attacks Threatening Confidentiality

Snooping refers to unauthorized access to or interception of data.

Traffic analysis refers to obtaining some other type of information by monitoring online traffic.

1.2.2 Attacks Threatening Integrity

Modification means that the attacker intercepts the message and changes it.

Masquerading or spoofing happens when the attacker impersonates somebody else.

Replaying means the attacker obtains a copy of a message sent by a user and later tries to replay it.

Repudiation means that the sender of the message might later deny that she has sent the message; the receiver of the message might later deny that he has received the message.

1.2.3 Attacks Threatening Availability

Denial of service (DoS) is a very common attack. It may slow down or totally interrupt the service of a system.

Two Attacker Models

• Passive Attacker (Eve)
  • Attacker can eavesdrop
  • Protection Requires?
    • Confidentiality

• Active Attacker (Mallory)
  • Has full control over communication channel
  • Protection Requires?
    • Confidentiality & Integrity
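
The difference between the two attacker models, and the modification and replay attacks of 1.2.2, shown as an added example that is not part of the lecture or the textbook. The toy stream cipher, the function names and the sample message are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def keystream(key, nonce, n):
    # Toy stream cipher for illustration only: HMAC-SHA256 in counter mode.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, nonce, data):
    # Confidentiality only; XOR with the keystream also decrypts.
    return xor(data, keystream(key, nonce, len(data)))

def seal(enc_key, mac_key, nonce, plaintext):
    # Encrypt-then-MAC: the tag covers the nonce and the ciphertext.
    ct = encrypt(enc_key, nonce, plaintext)
    return ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, nonce, ct, tag, seen):
    # Returns the plaintext, or None if the message was modified or replayed.
    good = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(good, tag) or nonce in seen:
        return None
    seen.add(nonce)
    return encrypt(enc_key, nonce, ct)

def tamper(ct, known, wanted, offset):
    # In-transit modification by Mallory: XOR the difference into the ciphertext.
    delta = xor(known, wanted)
    end = offset + len(delta)
    return ct[:offset] + xor(ct[offset:end], delta) + ct[end:]

def demo():
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    msg = b"PAY 0100 TO ALICE"  # constructed sample message
    # 1) Encryption alone: the altered message decrypts without any error.
    forged = tamper(encrypt(enc_key, nonce, msg), b"0100", b"9100", 4)
    unauthenticated = encrypt(enc_key, nonce, forged)
    # 2) Encryption plus MAC: modification and replay are both rejected.
    ct, tag = seal(enc_key, mac_key, nonce, msg)
    seen = set()
    modified = open_sealed(enc_key, mac_key, nonce, tamper(ct, b"0100", b"9100", 4), tag, seen)
    first = open_sealed(enc_key, mac_key, nonce, ct, tag, seen)
    replayed = open_sealed(enc_key, mac_key, nonce, ct, tag, seen)
    return unauthenticated, modified, first, replayed

if __name__ == "__main__":
    print(demo())
```

Against Eve, `encrypt` alone is enough; against Mallory, only the sealed message lets the receiver notice that something was changed or resent.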
1-3 SERVICES AND MECHANISMS

ITU-T provides some security services and some mechanisms to implement those services. Security services and mechanisms are closely related because a mechanism or combination of mechanisms is used to provide a service.

Topics discussed in this section:
1.3.1 Security Services
1.3.2 Security Mechanism
1.3.3 Relation between Services and Mechanisms
1.3.1 Security Services
Figure 1.3 Security services
1.3.2 Security Mechanism
Figure 1.4 Security mechanisms
1.3.3 Relation between Services and Mechanisms

Table 1.2 Relation between security services and mechanisms


1-4 TECHNIQUES

Mechanisms discussed in the previous sections are only theoretical recipes to implement security. The actual implementation of security goals needs some techniques. Two techniques are prevalent today: cryptography and steganography.

Topics discussed in this section:
1.4.1 Cryptography
1.4.2 Steganography
1.4.1 Cryptography

Cryptography, a word with Greek origins, means “secret writing.” However, we use the term to refer to the science and art of transforming messages to make them secure and immune to attacks.
1.4.2 Steganography
The word steganography, with origin in Greek, means
“covered writing,” in contrast with cryptography, which
means “secret writing.”

Example: covering data with text


1.4.2 Continued

Example: using dictionary

Example: covering data under color image
