Protocols

Cybersecurity is the practice of protecting internet-connected systems from malicious attacks, encompassing technology and security measures. The document outlines various components of information systems, the need for information security, and different types of information security controls. It also discusses ethical issues in cybersecurity and the importance of information security management and models.

Uploaded by

Ashutosh Rai
Cyber Security

Unit-1
What is Cyber Security?
The technique of protecting internet-connected systems such as
computers, servers, mobile devices, electronic systems, networks, and
data from malicious attacks is known as cybersecurity. We can divide
cybersecurity into two parts: one is cyber, and the other is security.
Cyber refers to the technology that includes systems, networks,
programs, and data. And security is concerned with the protection of
systems, networks, applications, and information. In some cases, it is
also called electronic information security or information
technology security.
Unit-1
• Information System
• Type of information system
• Development of information system
• CIA model of Information Characteristics
• Introduction to Information Security
• Need of Information Security, Cyber Security, Business need
• Ethical and Professional issues of security.
Information System
An information system can be defined as a set of interrelated
components that collect, manipulate, and store data, and distribute
information, to support decision making and provide a
feedback mechanism to monitor performance. It may also
help managers and workers to analyze problems, visualize
complex subjects, and create new products. Software,
hardware, information system users, computer system
connections and information, and the system's housing are all
part of an information system.
Components of Information System
The components that must be combined together in order to produce an information system are:
People: People are the most essential part of the information system because without them the system cannot be
operated correctly.
Hardware: It is the physical part of an information system, which we can touch. The information
system hardware includes the computer, processors, monitors, printer, keyboards, disk drives, iPads, flash drives, etc.
Software: It is a set of instructions that tells the hardware what to do. It can be used to organize, process and analyze
data in the information system.
Data: Data is a collection of facts. Information systems work with data. These data can be aggregated, indexed, and
organized into tables and files together to form a database. These databases can become a powerful tool for every
business's information system.
Network: It includes internet, intranet, and extranet to provide successful operations for all types of organizations and
computer-based information systems.
Procedures: It specifies the policies that govern the operation of an information system. It describes how specific
data are processed and analyzed to get the answers for which the information system is designed.
Feedback: It is the component of an information system which defines that an IS may be provided with feedback.
1. Executive Information Systems (EIS)
It is a strategic-level information system which is found at the top of the Pyramid. Its primary goal is to provide
information gathered from both internal and external sources to the senior executives and management to analyze the
environment in which the organization operates, and to plan appropriate courses of action for identifying the long-term
trends. It can also be used to monitor organization performance as well as to identify opportunities and problems. EIS is
designed in such a way that it can be operated directly by executives without the need for intermediaries.

• It is concerned with ease of use.
• It supports unstructured decisions.
• It is concerned with predicting the future.
• It is highly flexible.
• It is effective.
• It uses both internal and external data sources.
• It is used only at the higher levels of authority.
2. Decision Support Systems
A DSS or Decision Support System is a computer application program used by senior managers to analyze
business data and present it in a form in which the users can make business decisions more easily. These systems
are usually interactive and can be used to solve semi-structured problems in an organization. A DSS helps in exchanging
information within the organization.
The roles of a Decision Support System are:
• It supports ill-structured or semi-structured decisions.
• It is used by senior managerial levels.
• It has analytical and/or modeling capacity.
• It is concerned with predicting the future.
3. Management Information Systems
MIS or Management Information System is the use of information technology, people, and business processes to record,
store, manipulate, and process data to produce meaningful information. This information helps decision makers to
make day-to-day decisions correctly and accurately. It is used to make tactical decisions (middle-term decisions) to
ensure the smooth running of an organization. It also helps to evaluate the organization's performance by comparing
previous outputs with current output.
The roles of Management Information Systems are:
• It is based on internal information flows.
• It supports relatively structured decisions.
• It is inflexible and has little analytical capacity.
• It is used by lower and middle managerial levels.
• It deals with the past and present rather than the future.
4. Transaction Processing Systems
TPS or transaction processing system is a type of information processing system for business transactions that
involves the collection, storage, modification and retrieval of all transaction data of an enterprise. The
characteristics of a Transaction Processing System include reliability, performance, and consistency. A TPS is
also known as real-time processing.

The roles of a Transaction Processing System are:
• It produces the information for other systems.
• It is used by operational personnel plus supervisory levels.
• It is efficiency oriented.
CIA Model of Information Characteristics
• Confidentiality – restrict access to authorized individuals
• Integrity – data has not been altered in an unauthorized manner
• Availability – information can be accessed and modified by
authorized individuals in an appropriate timeframe. Assurance
that the systems responsible for delivering, storing and
processing information are accessible when needed, by those
who need them

[Figure: CIA Model of Information]


Development of Information System
Need of Information Security
Need for Information Security
Companies have realized the need and importance of information security and taken steps to be included among
organizations known to have the most secure IT infrastructure. As a result, enormous capital is spent every year
from companies’ budgets to protect the critical information that forms the foundation of their business. Below are
a few reasons why information security is critical to the success of any organization:

Business Need
To prevent data breaches
A data breach resulting in the loss of critical business information is quite common. Due to a large amount of data
stored on company servers, businesses often become the main target of cyber-criminals if the network is
unprotected. The breaches involving business secrets, confidential health information, and intellectual property
can greatly impact the overall health of a business.
To check for compromised credentials and broken authentication
Data breaches and other cyber attacks are usually a result of lax authentication, weak passwords, and poor
certificate or key management. Companies often struggle with assigning permissions to appropriate users or
departments, resulting in identity theft.

To avoid account hijacking


Phishing, fraud, and software exploitations are still very common. Companies relying on cloud services are
especially at risk because they are an easy target for cybercriminals, who can eavesdrop on activities, modify
data and manipulate transactions. These third-party applications can be used by attackers to launch other attacks
as well.
To mitigate cyber threats from malicious insiders
An existing or former employee, a cunning business partner, a system administrator or an intruder can destroy the whole
information infrastructure or manipulate data for their own purpose. Therefore, it is the responsibility of an organization to
take effective measures to control the encryption process and keys. Effective monitoring, logging, and auditing activities are
extremely important to keep everything under control.

Types of Information Security Controls


There are three different types of information security controls used to protect data.
Physical Control: Physical controls are the simplest form of information security. These are the things that can actually
be touched and seen, such as password-protected locks to avoid unauthorized entry to a secure server room, alarm systems,
fences and more.
Administrative Control: These controls mainly involve manual efforts to ensure data security. These include enforcing
policies, standards, guidelines and following procedures to ensure business continuity and data protection. Some of the
examples of administrative controls include disaster recovery plans, internet usage policies and termination procedures.
Technical Control: These controls are considered the most effective of all because they make use of the latest
technologies and systems to limit access to information. Some of the examples of technical controls include firewalls,
anti-virus software, file permissions, access control lists and cutting-edge data security technologies that are hard to
penetrate.
Ethical and Professional issues of security
Ethical issues faced by organizations in information technology are generally
concerned with privacy, property rights, or the effects of an activity on society. Some
of the common ethical issues in the cyber world are as follows:

Privacy
Nowadays, computer users can access different information from various servers
located all over the world. Though the users have their private computer, tools, and
operating system, their network is distributed at a large scale when they try to access
information. As a result, their information is likely to be disclosed to various
organizations, and their privacy is not maintained.

Furthermore, hackers often intrude into the computer system of people and access the
user's information without authorization. Some organizations also sell the information
and data of their users. This also raises the question of user information privacy.
Access right
Lots of industries use computer software and technology to provide services to their
customers. This software should be capable of preventing unauthorized access to the
system.
Especially in payment or banking software, the developers need to create software that
guarantees authorized access and stops malware, viruses, or unauthorized access to the
system.
Prevention of loss
According to this ethical principle, information technology should not be used in a
manner that would cause harm or loss of property, information, ownership, or
destruction of the property. The employees, users, and other public should use all the
equipment with care to prevent any severe loss.
In computer science, ethics are regarded as how professionals
make decisions for professional and social conduct. There are
rules and practices that determine what is right or wrong. Ethical
issues occur when a decision or activity creates a dispute with
society's moral policies. They could be generated due to an
individual or an entire organization.
UNIT-II
• Information Security Model
• Component of an Information security
• Aspect of information security
• Security attacks (Active and Passive Attacks)
• Security mechanism and Security Services (X.800)
What is Information Security

Information security covers the tools and processes that organizations use to protect information. This
includes policy settings that prevent unauthorized people from accessing business or personal information.
InfoSec is a growing and evolving field that covers a wide range of fields, from network and infrastructure
security to testing and auditing.

Information security protects sensitive information from unauthorized activities, including inspection,
modification, recording, and any disruption or destruction. The goal is to ensure the safety and privacy of
critical data such as customer account details, financial data or intellectual property.
Information Security Model
• A model describes the system
  • e.g., a high-level specification or an abstract machine description of what the system does
• A security policy
  • defines the security requirements for a given system
• Verification techniques that can be used to show that a policy is satisfied by a system
• System Model + Security Policy = Security Model
Information Security Model
A security model is a computer model which can be used to identify and impose security policies. It does not
need any prior formation; it can be founded on the access right model, the analyzing computing model, or the
computation model.

A security model is a structure in which a security policy is developed. The development of this security policy is
geared to a specific setting or instance of a policy. A security policy is based upon authentication, but built
inside the confines of a security model. For example, when designing a security model based upon authentication
and authorization, one considers the 4-factor model of security: authentication, authorization, availability,
and authenticity.

A security policy determines how data is accessed, what level of security is needed, and what procedure should
be taken when these requirements are not met. The policy frames the expectations of a computer system or
device.
If a security policy states that no one from a lower security level should be able to view or change data at a
higher security level, the supporting security model will define the essential logic and rules that need to be
implemented to ensure that under no circumstances can a lower-level subject access a higher-level object in an
unauthorized manner. A security model provides a higher-level description of how a computer operating system
should be created to properly support a definite security policy.

Information security models bridge the gap between security policy declarations (which define which users should
have access to data) and the operating system implementation (which allows management to organize access
control). The models map theoretical objectives onto mathematical relationships that strengthen
whichever implementation is finally selected.
Component of an Information security

The protection of computer systems and networks from information disclosure, theft of, or damage to
their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they
provide.
INFORMATION SECURITY MANAGEMENT

Information security management describes the set of policies and procedural controls that IT and
business organizations implement to secure their informational assets against threats and vulnerabilities.
Many organizations develop a formal, documented process for managing InfoSec, called an Information
Security Management System.
Network security is any activity designed to protect the
usability and integrity of your network and data.
• It includes both hardware and software technologies
• It targets a variety of threats
• It stops them from entering or spreading on your network
• Effective network security manages access to the network
ASPECT OF INFORMATION SECURITY

While confidentiality, integrity, and authenticity are the significant concerns of an information security manager, privacy is the
essential aspect of information security for web users.
Authenticity − Authentication means that users are who they claim to be. Availability means that resources are available to
authorized parties; “denial of service” attacks, which are the subject matter of national news, are attacks against availability.
The concerns of information security professionals are access control and nonrepudiation. Authorization defines the power that
it can have over distinguishing authorized users from unauthorized users, and levels of access in between. Authenticity defines
the constant checks that it can have to run on the system to make sure sensitive places are protected and working perfectly.
Integrity − Integrity means that information is protected against unauthorized changes that are not perceptible to authorized
users; some incidents of hacking compromise the integrity of databases and multiple resources.
Accuracy − The accuracy and completeness of information systems and the data supported within the systems should be an
administration concern. Information which has been inappropriately changed or destroyed (by outsiders or employees) can
impact the organization. Each organization should put controls in place to ensure that data entered into and saved in its automated
files and databases are complete and accurate, and to ensure the accuracy of disseminated data.
Confidentiality − The principle of confidentiality defines that only the sender and the intended recipient(s) must be able to
create the content of a message. Confidentiality is compromised if an unauthorized person is able to create a message.
Access Control − The principle of access control decides who must be able to access what. For example, it must be able to
define that user A can view the data in a database, but cannot update them. User A can be allowed to create updates as well.
An access-control mechanism can be installed to provide this.
Access control is associated with two areas: role management and rule management. Role management applies on the
user side, whereas rule management targets the resources side.
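The security-model passage (a lower-level subject must not view or change a higher-level object) and the access-control passage (view versus update, roles on the user side, rules on the resource side) can be combined in one small reference monitor. This is an added example, not part of the original notes; the level names, user_b, the role names and the two databases are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

ACTIONS = ("view", "update")


class Level(IntEnum):
    """Ordered security levels (constructed for this example)."""
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level
    roles: frozenset      # role management: assigned on the user side


@dataclass(frozen=True)
class Resource:
    name: str
    label: Level          # security label bound to the resource
    rules: dict           # rule management: action -> roles allowed, on the resource side


class ReferenceMonitor:
    """Mediates every request, denies by default, and records an audit trail."""

    def __init__(self):
        self.audit_trail = []

    def decide(self, subject, resource, action):
        allowed, reason = self._evaluate(subject, resource, action)
        self.audit_trail.append((subject.name, action, resource.name, allowed, reason))
        return allowed

    @staticmethod
    def _evaluate(subject, resource, action):
        if action not in ACTIONS:
            return False, "unknown action"
        # Policy from the text: a lower-level subject may neither view nor
        # change a higher-level object, so the level check covers every action.
        if subject.clearance < resource.label:
            return False, "subject level below object label"
        # Rule check: the resource must list one of the subject's roles for this action.
        if not subject.roles & resource.rules.get(action, frozenset()):
            return False, "no role permits this action"
        return True, "permitted"


# Constructed sample data: user A may only view, user B may also update.
USER_A = Subject("user_a", Level.INTERNAL, frozenset({"viewer"}))
USER_B = Subject("user_b", Level.INTERNAL, frozenset({"editor"}))
RULES = {"view": frozenset({"viewer", "editor"}), "update": frozenset({"editor"})}
CUSTOMER_DB = Resource("customer_db", Level.INTERNAL, RULES)
PAYROLL_DB = Resource("payroll_db", Level.SECRET, RULES)


def run_demo():
    """Run five constructed requests and return the decisions and the audit trail."""
    monitor = ReferenceMonitor()
    requests = [
        (USER_A, CUSTOMER_DB, "view"),      # role rule allows viewing
        (USER_A, CUSTOMER_DB, "update"),    # viewer role has no update rule
        (USER_B, CUSTOMER_DB, "update"),    # editor role may update
        (USER_B, PAYROLL_DB, "view"),       # role would allow it, level does not
        (USER_B, CUSTOMER_DB, "delete"),    # action outside the policy
    ]
    results = [monitor.decide(s, r, a) for s, r, a in requests]
    return results, monitor.audit_trail


if __name__ == "__main__":
    decisions, trail = run_demo()
    for entry in trail:
        print(entry)
```

The fourth request shows why the level check comes first: the resource's role rules would permit the view, but the label on the object outranks the subject's clearance, so the request is denied and the reason is kept in the audit trail.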
Security mechanism and Security Services (X.800)
X.800 defines a security service as a service that is provided by a protocol layer of
communicating open systems and that ensures adequate security of the systems or
of data transfers. Perhaps a clearer definition is found in RFC 4949, which provides
the following definition: a processing or communication service that is provided by
a system to give a specific kind of protection to system resources; security services
implement security policies and are implemented by security mechanisms.
X.800 divides these services into five categories and fourteen specific services
(Table 1.2).
Security Mechanisms (X.800)
SPECIFIC SECURITY MECHANISMS: May be incorporated into the appropriate protocol layer in order to provide
some of the OSI security services.
Encipherment: The use of mathematical algorithms to transform data into a form that is not readily intelligible. The
transformation and subsequent recovery of the data depend on an algorithm and zero or more encryption keys.
Digital Signature: Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data
unit to prove the source and integrity of the data unit and protect against forgery (e.g., by the recipient).
Access Control: A variety of mechanisms that enforce access rights to resources.
Data Integrity: A variety of mechanisms used to assure the integrity of a data unit or stream of data units.
PERVASIVE SECURITY MECHANISMS: Mechanisms that are not specific to any particular OSI security service or
protocol layer.
Trusted Functionality: That which is perceived to be correct with respect to some criteria (e.g., as established by a
security policy).
Security Label: The marking bound to a resource (which may be a data unit) that names or designates the security
attributes of that resource.
Event Detection: Detection of security-relevant events.
Security Audit Trail: Data collected and potentially used to facilitate a security audit, which is an independent review
and examination of system records and activities.
Security Recovery: Deals with requests from mechanisms, such as event handling and management functions, and takes
recovery actions.
SPECIFIC SECURITY MECHANISMS
Authentication Exchange
A mechanism intended to ensure the identity of an entity by means of information exchange.
Traffic Padding
The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts.
Routing Control
Enables selection of particular physically secure routes for certain data and allows routing changes,
especially when a breach of security is suspected.
Notarization
The use of a trusted third party to assure certain properties of a data exchange.
Unit-III
Security Policy

Unit-4
Privacy Policy
The objective of this policy is to model the correct use of sensitive personal data, such as
medical data, biometric data, and financial data, in terms of the agreed-upon rationale for
utilizing these sensitive personal data and to protect them from violations. Accordingly, it
prevents the disclosure, use, access, collection, transfer, and exchange of sensitive personal
data without the knowledge of persons, by tightening control via user consent, or a
responsibility to keep data safe by a data-controlling organization’s trustworthy
administration.

Website Security Policy


The correct usage of online applications and services is defined by this policy. The goal is to
determine the level of security and identify vulnerabilities in websites. It also serves to
safeguard critical client information from harmful scripts on other pages. This is to avoid
web application assaults such as scripting, that injects programs into data-driven applications.

Cloud Computing Security Policy


The goal of this policy is to guarantee that Cloud services meet security standards as well as
legal and regulatory obligations. A Cloud computing security policy is a document prepared by
top management for the whole Cloud system to notify all workers and important external
parties. The first Cloud security policy addresses all aspects of security, including access
control, data storage, and encryption. Second, it addresses network issues such as transmission
security. The third part is computer security. To enable secure data exchange and interactions,
the Cloud employs a trusted third-party policy.
Email Security Policy
This policy is divided into three parts. First, utilizing emails as per user recommendations. This
policy aims at clarifying what constitutes appropriate email usage, and to educate all employees
on what constitutes acceptable and unacceptable email usage. Some of these recommendations
are to use emails solely for business purposes, protect data and attachments sent via email, as
well as any business information included in them, to not send disruptive or offensive
communications by email, and to not send personal messages using the company’s title. Second,
email security policies serve as a guide for administrators in businesses. The goal of this policy is
to keep track of all message traffic and content, as well as to archive and examine user emails.
Third, there is the utilization of encrypted communications and digital signatures to prevent spam
messages when communicating through email.

Physical Security Policy


The goal of this policy is to secure the organization’s assets, resources, equipment, hardware, and
facilities against unauthorized people damaging or stealing them. Furthermore, this policy uses
access control measures to prohibit unauthorized individuals from accessing the assets of the
business. It also attempts to safeguard an organization’s information systems, physical systems,
human assets, and those who interact with these assets.
Network Security Policy
The security of network components, connections, and contents is the focus of this policy. It
also attempts to guarantee that the network is trustworthy and that users are informed of
what is acceptable and what is not. This is conducted to secure computer networks and
communication equipment including routers, switches, and servers, as well as information
and any service transfers that take place across these networks.

Information Security Policy


Information resources in any company are protected by rules. The goal of this policy is to
establish guidelines for organizations to follow to safeguard all physical and digital assets
against illegal access, copying, modification, disclosure, destruction, and transfer to third
parties for personal gain.

Access Control Policy


These rules protect physical resources, information systems, and IT resources against
unauthorized access by identifying, authenticating, authorizing, and monitoring who has
access to them. In this regard, several steps are implemented. Restriction mechanisms,
access control, permission mechanisms, and authorization are examples of systems that
translate users’ access requests to govern the usage, entrance, and consumption of an
organization’s resources or network services.
Data-Retention Policy
This policy specifies which data should be retained, how long it should be kept, and in
what format it should be stored. The goal of this policy is to protect vital information by
storing it in encrypted data backups for a certain amount of time.

Data-Protection Policy
The goal of this policy is to protect the processing and management of personal data. This
policy guarantees that third-party data are collected, utilized, shared, stored, transported, and
sent securely, to use the data for needed and defined reasons. It also establishes the
anticipated behavior of employees when dealing with such material. Moreover, this policy
describes how businesses should handle consumer data and raises user awareness to prevent
data loss.
Security Policies
Security policies are a formal set of rules issued by an organization to ensure that
the users who are authorized to access company technology and information assets comply
with rules and guidelines related to the security of information. A security policy is a written document in
the organization which describes how to protect the organization from threats and
how to handle them when they occur. A security policy is also considered to be a
"living document", which means that the document is never finished, but is continuously
updated as technology and employee requirements change.
Need of Security policies-
1) It increases efficiency.
The best thing about having a policy is being able to increase the level of consistency, which
saves time, money and resources. The policy should inform the employees about their
individual duties, and tell them what they can do and what they cannot do with the
organization's sensitive information.
2) It upholds discipline and responsibility
When a human mistake occurs and system security is compromised, the security
policy of the organization will back up any disciplinary action and also support a case in
a court of law. The organization's policies act as a contract which proves that an organization
has taken steps to protect its academic property, as well as its customers and clients.
3) It can make or break a business deal
It is not necessary for companies to provide a copy of their information security policy to
other vendors during a business deal that involves the transference of their sensitive
information. It is true in the case of bigger businesses, which ensure their own security
interests are protected when dealing with smaller businesses which have less high-end
security systems in place.
4) It helps to educate employees on security literacy
A well-written security policy can also be seen as an educational document which
informs the readers about the importance of their responsibility in protecting the
organization's sensitive data. It ranges from choosing the right passwords to providing
guidelines for file transfers and data storage, which increases employees' overall
awareness of security and how it can be strengthened.

We use security policies to manage our network security. Most types of security policies are automatically
created during the installation. We can also customize policies to suit our specific environment. Some
important cyber security policy recommendations are described below:
1. Virus and Spyware Protection policy
This policy provides the following protection:
It helps to detect, remove, and repair the side effects of viruses and security risks by using signatures.
It helps to detect the threats in the files which the users try to download by using reputation data from
Download Insight.
It helps to detect the applications that exhibit suspicious behavior by using SONAR heuristics and
reputation data.
2. Firewall Policy
This policy provides the following protection:
It blocks the unauthorized users from accessing the systems and networks that connect to the Internet.
It detects the attacks by cybercriminals.
It removes the unwanted sources of network traffic.
3. Intrusion Prevention policy
This policy automatically detects and blocks the network attacks and browser attacks. It
also protects applications from vulnerabilities. It checks the contents of one or more data
packages and detects malware which is coming through legal ways.
4. Live Update policy
This policy can be categorized into two types: one is the Live Update Content policy, and
the other is the Live Update Setting policy. The Live Update policy contains the settings which
determine when and how client computers download the content updates from Live
Update. We can define the computer that clients contact to check for updates and schedule
when and how often client computers check for updates.
5. Application and Device Control
This policy protects a system's resources from applications and manages the peripheral
devices that can attach to a system. The device control policy applies to both Windows and
Mac computers whereas application control policy can be applied only to Windows
clients.
Why are security policies important?
Security policies are important because they protect an organization's assets, both
physical and digital. They identify all company assets and all threats to those assets.

Physical security policies


Physical security policies protect all physical assets in an organization, including
buildings, vehicles, inventory and machines. These assets include IT equipment, such
as servers, computers and hard drives.
Protect valuable assets. These policies help ensure the confidentiality, integrity and
availability
Types of security policies
Security policy types can be divided into three types based on the scope and purpose of
the policy:
1. Organizational. These policies are a master blueprint of the entire organization's
security program.
2. System-specific. A system-specific policy covers security procedures for an
information system or network.
3. Issue-specific. These policies target certain aspects of the larger organizational
policy. Examples of issue-related security policies include the following:
   1. Acceptable use policies define the rules and regulations for employee use of
   company assets.
   2. Access control policies say which employees can access which resources.
   3. Change management policies provide procedures for changing IT assets so that
   adverse effects are minimized.
   4. Disaster recovery policies ensure business continuity after a service disruption.
   These policies typically are enacted after the damage from an incident has
   occurred.
   5. Incident response policies define procedures for responding to a security breach
   or incident as it is happening.
Information Security Standards-
ISO
Unit-5
Security Standards
To make cyber security measures explicit, written norms are required. These norms
are known as cyber security standards: the generic sets of prescriptions for an ideal
execution of certain measures. The standards may involve methods, guidelines, reference
frameworks, etc. They ensure efficiency of security, facilitate integration and
interoperability, enable meaningful comparison of measures, reduce complexity, and
provide the structure for new developments.
A security standard is "a published specification that establishes a common language, and
contains a technical specification or other precise criteria and is designed to be used
consistently, as a rule, a guideline, or a definition." The goal of security standards is to
improve the security of information technology (IT) systems, networks, and critical
infrastructures. Well-written cyber security standards enable consistency among
product developers and serve as a reliable standard for purchasing security products.
Security standards are generally provided for all organizations regardless of their size or
the industry and sector in which they operate. This section includes information about
each standard that is usually recognized as an essential component of any cybersecurity
strategy.
1. ISO
ISO stands for International Organization for Standardization. International Standards
make things work. These standards provide a world-class specification for products,
services and computers, to ensure quality, safety and efficiency. They are instrumental in
facilitating international trade.
2. IT Act
The Information Technology Act, also known as ITA-2000 or the IT Act, mainly aims to
provide the legal infrastructure in India to deal with cybercrime and e-commerce. The
IT Act is based on the United Nations Model Law on E-Commerce 1996 recommended by
the General Assembly of the United Nations. This act is also used to check misuse of cyber
networks and computers in India. It was officially passed in 2000 and amended in 2008. It
has been designed to give a boost to electronic commerce, e-transactions and related
activities associated with commerce and trade. It also facilitates electronic governance by
means of reliable electronic records.
IT Act 2000 has 13 chapters, 94 sections and 4 schedules. The first 14 sections concern
digital signatures, and other sections deal with the certifying authorities who are licensed to
issue digital signature certificates; sections 43 to 47 provide penalties and compensation,
sections 48 to 64 deal with appeal to the high court, sections 65 to 79 deal with offences, and
the remaining sections 80 to 94 deal with miscellaneous provisions of the act.
3. Copyright Act
The Copyright Act 1957, amended by the Copyright Amendment Act 2012, governs the subject
of copyright law in India. This Act is applicable from 21 January 1958. Copyright is a legal
term which describes the ownership of, and control over, the rights of the authors of "original works of
authorship" that are fixed in a tangible form of expression. An original work of authorship covers
certain works of creative expression including books, video, movies, music, and
computer programs. The copyright law has been enacted to balance the use and reuse of
creative works against the desire of the creators of art, literature and music to monetize their work
by controlling who can make and sell copies of the work.
The copyright act covers the following-
•Rights of copyright owners
•Works eligible for protection
•Duration of copyright
•Who can claim copyright

The copyright act does not cover the following-
•Ideas, procedures, methods, processes, concepts, systems, principles, or discoveries
•Works that are not fixed in a tangible form (such as a choreographic work that has not
been notated or recorded or an improvisational speech that has not been written down)
•Familiar symbols or designs
•Titles, names, short phrases, and slogans
•Mere variations of typographic ornamentation, lettering, or coloring
4. Patent Law
Patent law is the law that deals with new inventions. Traditional patent law protects
tangible scientific inventions, such as circuit boards, heating coils, car engines, or
zippers. Over time, patent law has been used to protect a broader variety of
inventions such as business practices, coding algorithms, or genetically modified
organisms. It is the right to exclude others from making, using, selling, importing,
inducing others to infringe, and offering a product specially adapted for practice of the
patent.

5. IPR
Intellectual property rights are rights that allow creators, or owners of patents, trademarks
or copyrighted works, to benefit from their own plans, ideas, or other intangible assets or
investment in a creation. These IPR rights are outlined in Article 27 of the Universal
Declaration of Human Rights. It provides for the right to benefit from the protection of
moral and material interests resulting from authorship of scientific, literary or artistic
productions. These property rights allow the holder to exercise a monopoly on the use of
the item for a specified period.
6. Software licensing in cyber law
A software license is a document that provides legally binding guidelines for the use
and distribution of software. Software licenses typically provide end users with the
right to one or more copies of the software without violating copyrights.
Cyber Law
Cyber Law also called IT Law is the law regarding Information-technology including
computers and the internet. It is related to legal informatics and supervises the digital
circulation of information, software, information security, and e-commerce.
IT law does not consist of a separate area of law rather it encloses aspects of contract,
intellectual property, privacy, and data protection laws. Intellectual property is a key
element of IT law. The area of software license is controversial and still evolving in
Europe and elsewhere.
According to the Ministry of Electronics and Information Technology, Government of India:

Cyber Laws yield legal recognition to electronic documents and a structure to support e-filing and
e-commerce transactions and also provide a legal structure to reduce
Importance of Cyber Law:
•It covers all transactions over the internet.
•It keeps an eye on all activities over the internet.
•It touches every action and every reaction in cyberspace.

Area of Cyber Law:


Cyber laws contain different types of purposes. Some laws create rules for how individuals
and companies may use computers and the internet while some laws protect people from
becoming the victims of crime through unscrupulous activities on the internet. The major
areas of cyber law include:
Fraud:
Consumers depend on cyber laws to protect them from online fraud. Laws are made to
prevent identity theft, credit card theft, and other financial crimes that happen online. A
person who commits identity theft may face federal or state criminal charges. They
might also encounter a civil action brought by a victim. Cyber lawyers work to both defend
and prosecute against allegations of fraud using the internet.
Copyright:
The internet has made copyright violations easier. In the early days of online
communication, copyright violations were too easy. Both companies and individuals
need lawyers to bring an action to enforce copyright protections. Copyright law
is an area of cyber law that protects the rights of individuals and companies to profit
from their creative works.

Defamation:
Many people use the internet to speak their mind. When people use the
internet to say things that are not true, it can cross the line into defamation.
Defamation laws are civil laws that protect individuals from false public statements
that can harm a business or someone's reputation. When people use the internet to
make statements that violate civil laws, defamation law applies.

Harassment and Stalking:


Sometimes online statements can violate criminal laws that forbid harassment and
stalking. When a person makes threatening statements again and again about
someone else online, there is a violation of both civil and criminal laws. Cyber
lawyers both prosecute and defend people when stalking occurs using the internet
and other forms of electronic communication.
Freedom of Speech:
Freedom of speech is an important area of cyber law. Even though cyber laws forbid
certain behaviors online, freedom of speech laws also allow people to speak their
minds. Cyber lawyers must advise their clients on the limits of free speech including
laws that prohibit obscenity. Cyber lawyers may also defend their clients when there is a
debate about whether their actions consist of permissible free speech.

Trade Secrets:
Companies doing business online often depend on cyber laws to protect their trade
secrets. For example, Google and other online search engines spend lots of time
developing the algorithms that produce search results. They also spend a great deal of
time developing other features like maps, intelligent assistance, and flight search
services to name a few. Cyber laws help these companies to take legal action as
necessary to protect their trade secrets.

Contracts and Employment Law:


Every time you click a button that says you agree to the terms and conditions of using a
website, you have used cyber law. There are terms and conditions for every website that
are somehow related to privacy concerns.
Advantages of Cyber Law:
•Organizations are now able to carry out e-commerce using the legal infrastructure
provided by the Act.

•Digital signatures have been given legal validity and sanction in the Act.

•It has opened the doors for the entry of corporate companies for issuing Digital
Signatures Certificates in the business of being Certifying Authorities.

•It allows Government to issue notifications on the web thus heralding e-governance.

•It gives authority to the companies or organizations to file any form, application,
or any other document with any office, authority, body, or agency owned or
controlled by the suitable Government in e-form using such e-form as may be
prescribed by the suitable Government.

•The IT Act also addresses the important issues of security, which are so critical
to the success of electronic transactions.

•Cyber Law provides both hardware and software security.


IP Security
IPsec
• Figure: the IPsec authentication header in transport mode for IPv4.
IPsec (2)
Encapsulating Security Payload (ESP)
• Figure: (a) ESP in transport mode. (b) ESP in tunnel mode.

Encapsulating Security Payload (ESP) provides confidentiality, in addition to
authentication, integrity, and anti-replay. ESP can be used alone, or in combination with
AH.
WEB Security

SSL
DNSSEC
What is SSL?

• A protocol developed by Netscape.


• It is a whole new layer of protocol which
operates above the Internet TCP protocol and
below high-level application protocols.
What Can SSL Do?
• SSL uses TCP/IP on behalf of the higher-level
protocols.
• Allows an SSL-enabled server to authenticate
itself to an SSL-enabled client;
• Allows the client to authenticate itself to the
server;
• Allows both machines to establish an
encrypted connection.
What Does SSL Concern?
• SSL server authentication.
• SSL client authentication. (optional)
• An encrypted SSL connection, or confidentiality. This protects against electronic
eavesdroppers.
• Integrity. This protects against hackers.
• The exchange of messages facilitates the following actions:
– Authenticate the server to the client;
– Allow the client and server to select a cipher that they both support;
– Optionally authenticate the client to the server;
– Use public-key encryption techniques to generate shared secrets;
– Establish an encrypted SSL connection.
How does SSL Work?
• How a client and a server create a secure
connection?
• The SSL protocol uses RSA public key
cryptography for Internet Security.
• Public key encryption uses a pair of
asymmetric keys for encryption and
decryption.
How does SSL Work?
• Each pair of keys consists of a public key and a
private key. The public key is made public by
distributing it widely; the private key is always
kept secret.
• Data encrypted with the public key can be
decrypted only with the private key, and vice
versa.
SSL architecture
Protocol stack, top layer first:
  SSL Handshake Protocol | SSL Change Cipher Spec Protocol | SSL Alert Protocol | applications (e.g., HTTP)
  SSL Record Protocol
  TCP
  IP
SSL components
• SSL Handshake Protocol
– negotiation of security algorithms and parameters
– key exchange
– server authentication and optionally client authentication
• SSL Record Protocol
– fragmentation
– compression
– message authentication and integrity protection
– encryption
• SSL Alert Protocol
– error messages (fatal alerts and warnings)
• SSL Change Cipher Spec Protocol
– a single message that indicates the end of the SSL handshake

[Figure: SSL Record Protocol Operation]
[Figure: SSL Handshake]
SSL Handshake Protocol – overview
Messages between client and server, in order:
Phase 1: Negotiation of the session ID, key exchange algorithm, MAC algorithm,
encryption algorithm, and exchange of initial random numbers
  client -> server: client_hello
  server -> client: server_hello
Phase 2: Server may send its certificate and key exchange message, and it may request
the client to send a certificate. Server signals end of hello phase.
  server -> client: certificate
  server -> client: server_key_exchange
  server -> client: certificate_request
  server -> client: server_hello_done
Phase 3: Client sends certificate if requested and may send an explicit certificate
verification message. Client always sends its key exchange message.
  client -> server: certificate
  client -> server: client_key_exchange
  client -> server: certificate_verify
Phase 4: Change cipher spec and finish handshake
  client -> server: change_cipher_spec
  client -> server: finished
  server -> client: change_cipher_spec
  server -> client: finished
• SSL includes two sub-protocols: the SSL
Record Protocol and the SSL Handshake
Protocol.
• Record Protocol -- defines the format used to
transmit data.
• Handshake Protocol -- uses the Record
Protocol to exchange messages between an SSL-
enabled server and an SSL-enabled client.
SSL—The Secure Sockets Layer
• Layers (and protocols) for a home user
browsing with SSL.
DNSSEC (DNS Security Extensions)
DNSSEC Mechanisms
• New Resource Records
• Setting Up a Secure Zone
• Delegating Signing Authority
Data flow through the DNS
Where are the vulnerable points?
[Figure: DNS data flow. Components: Registrars & Registrants, Registry, primary DNS,
secondary DNS. Vulnerable points marked: server vulnerability; man in the middle;
spoofing & man in the middle.]
DNSSEC protects all these end-to-end
• As an aside:
There is a protection mechanism against the man
in the middle: TSIG(Transaction Signature)
– Provides hop-by-hop security
– TSIG is operationally deployed today
– Based on shared secret: not scalable
What does DNSSEC provide
• provides message authentication and integrity verification through
cryptographic signatures
– You know who provided the signature
– No modifications between signing and validation
• It does not provide authorization
• It does not provide confidentiality
• It does not provide protection against DDOS
Metaphor
• Envelope sealed when data is published in the DNS system
• Does not provide confidentiality
• The seal protects the delivery process
• No assertion about the message
Data flow through the DNS
End to end security
[Figure: the same DNS data flow (Registrars & Registrants, Registry, primary DNS,
secondary DNS), with the hops marked OK.]
Trust and DNS system

Confidence

Registry system
• DNSSEC enables confidence in the DNS
• It does not change the trust we put in the
Registry/Registrar procedures
– Although introduction of DNSSEC may
improve some of the procedures
The mechanism used
• Using public key cryptographic algorithms
signatures are applied over the DNS data
• By comparing the signatures with public keys
the integrity and authenticity of the data can
be established.
Public key cryptography
in a nutshell
• Two large numbers and an encryption and
decryption algorithm
• If one of the numbers (the private key) and a
message are used for encryption
• The other number (public key) and the
decryption algorithm can be used to retrieve
the original message
Hash Function
 The hash value represents concisely the longer message
 may be called the message digest
 A message digest is a "digital fingerprint" of the original document
 condenses an arbitrary message to a fixed size: h = H(M)
Hashing vs. Encryption
[Figure: the plaintext "Hello, world. A sample sentence to show encryption." is turned into
ciphertext by E with key k, and the ciphertext is turned back into the plaintext by D with key k.]
 Encryption is two way, and requires a key to encrypt/decrypt
[Figure: a longer clear text is passed through h and gives a hash value.]
 Hashing is one-way. There is no 'de-hashing'
Motivation for Hash Algorithms
 Intuition
 Limitation on non-cryptographic checksum
 Very possible to construct a message that matches the
checksum
 Goal
 Design a code where the original message can not be inferred
based on its checksum
 such that an accidental or intentional change to the message
will change the hash value
Hash Function Applications
 Used Alone
 Fingerprint -- file integrity verification, public key fingerprint
 Password storage (one-way encryption)

 Combined with encryption functions
 Hash based Message Authentication Code (HMAC)
 protects both a message's integrity and confidentiality
 Digital signature
 Ensuring Non-repudiation
 Encrypt hash with private (signing) key and verify with public
(verification) key
Integrity

 to create a one-way password file
 store hash of password not actual password
 for intrusion detection and virus detection
 keep & check hash of files on system
Password Verification
[Figure: storing a hashed password, and verifying an input password against the stored hash]
 Store: the password (Iam#4VKU) is passed through h and the hash
(661dce0da2bcb2d8 2884e0162acf8194) is written to the password store
 Verify: the input password (Iam#4VKU) is passed through h and the result is compared
with the hash from the password store
 Hash matching exactly? Yes: grant. No: deny.
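The store-and-compare flow in the figure above, as an added example (not part of the original slides). It goes one step beyond the slide by adding a per-user salt and a slow key-derivation function (PBKDF2-HMAC-SHA256) and by comparing in constant time; the function names, record layout and iteration count are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example; tune the work factor to your own hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_digest(password):
    """The slide's scheme, h(password) only: equal passwords give equal digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Build the record that goes into the password store (never the password)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": derived.hex()}


def verify_password(candidate, record):
    """Re-derive with the stored salt and work factor, then compare in constant time."""
    derived = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(derived, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the slide's password.
    alice = hash_password("Iam#4VKU")
    bob = hash_password("Iam#4VKU")
    print("unsalted digests equal:", unsalted_digest("Iam#4VKU") == unsalted_digest("Iam#4VKU"))
    print("salted records equal:  ", alice["hash"] == bob["hash"])
    print("correct password:", verify_password("Iam#4VKU", alice))
    print("wrong password:  ", verify_password("Iam#4VKU!", alice))
```

With the unsalted scheme every user with the same password has the same stored value; with a per-user salt the two records differ while each still verifies.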
Topics
 Overview of Cryptography Hash Function
 Usages
 Properties
 Hashing Function Structure
 Attack on Hash Function
 The Road to new Secure Hash Standard
Hash Function Usages (I)

Message encrypted : Confidentiality and authentication

Message unencrypted: Authentication


Hash Function Usages (II)

Message encrypted : Authentication (no encryption needed!)

Message unencrypted: Authentication, confidentiality


Hash Function Usages (III)

Authentication, digital signature

Authentication, digital signature, confidentiality


Hash Function Properties
 Arbitrary-length message to fixed-length digest

 Preimage resistant (One-way property)

 Second preimage resistant (Weak collision resistant)

 Collision resistant (Strong collision resistance)


Properties : Fixed length
[Figure: two inputs of different length are passed through h and give digests of the same fixed length L]
 "Hello, world" -> h -> 661dce0da2bcb2d8 2884e0162acf8194
 "This is a clear text that can easily read without using the key. The sentence is longer
than the text above." -> h -> 52f21cf7c7034a20 17a21e17e061a863
 Arbitrary-length message to fixed-length digest
Preimage resistant
 This measures how difficult it is to devise a message which hashes to the
known digest
 Roughly speaking, the hash function must be one-way.
 Given only a message digest, can't find any message (or preimage) that generates
that digest.
Second preimage resistant
 This measures how difficult it is to devise another message which hashes to the
known digest, given that digest and its message
 Given one message, can't find another message that has the same message digest. An attack that
finds a second message with the same message digest is a second pre-image attack.
 It would be easy to forge new digital signatures from old signatures if the hash function used
weren't second preimage resistant
Collision Resistant

 Can’t find any two different messages with the same message digest
 Collision resistance implies second preimage resistance
 Collisions, if we could find them, would give signatories a way to repudiate their signatures
Two Groups of Compression Functions
 The compression function is made from scratch
 Message Digest
 A symmetric-key block cipher serves as a compression function
 Whirlpool
Merkle-Damgard Scheme

 Well-known method to build a cryptographic hash function
 A message of arbitrary length is broken into blocks
 block length depends on the compression function f
 the message is padded so that its size is a multiple of the block size
 blocks are processed sequentially, each step taking as input the result of the hash so far
and the current message block, and the final result is the fixed-length output
Hash Functions Family
 MD (Message Digest)
 Designed by Ron Rivest
 Family: MD2, MD4, MD5
 SHA (Secure Hash Algorithm)
 Designed by NIST
 Family: SHA-0, SHA-1, and SHA-2
 SHA-2: SHA-224, SHA-256, SHA-384, SHA-512
 SHA-3: New standard in competition

 RIPEMD (RACE Integrity Primitives Evaluation Message Digest)
 Developed by a Katholieke Universiteit Leuven team
 Family : RIPEMD-128, RIPEMD-160, RIPEMD-256, RIPEMD-320
[Figure: MD5, SHA-1, and RIPEMD-160]
MD2, MD4 and MD5
 Family of one-way hash functions by Ronald Rivest
 All produce 128-bit hash values
 MD2: 1989
 Optimized for 8 bit computer
 Collision found in 1995
 MD4: 1990
 Full round collision attack found in 1995
 MD5: 1992
 Specified as Internet standard in RFC 1321
 since 1997 it was theoretically not so hard to create a collision
 practical collisions: MD5 has been broken since 2004
 CA attack published in 2007
Topics
 Overview of Cryptography Hash Function
 Usages
 Properties
 Hashing Function Structure
 MD5
 SHA
 Attack on Hash Function
 The Road to new Secure Hash Standard
MD5 Overview
1. Append padding bits (to 448 mod 512)
2. Append length (64 bits)
3. Initialize MD buffer (4x32 bits Word)
Word A = 01 23 45 67
Word B = 89 AB CD EF
Word C = FE DC BA 98
Word D = 76 54 32 10
Hash Algorithm Design – MD5
[Figure: processing of one 512-bit block in rounds of 16 steps, and a single step]
 X[k] = M[q*16+k] = the kth 32-bit word from the qth 512-bit block of the message
 T[i] = the ith 32-bit word in matrix T, constructed from the sine function
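The padding, buffer initialisation and 4 x 16 step processing described above, written out as an added example (not part of the original slides) and checked against the RFC 1321 test vectors. The function names are assumptions of this example; MD5 is used only to make the Merkle-Damgard structure concrete, since the slides themselves list it as broken.

```python
import math
import struct

MASK32 = 0xFFFFFFFF

# Left-rotation amounts: four rounds of 16 steps each.
SHIFTS = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
# Table T, built from the sine function: T[i] = floor(2^32 * |sin(i + 1)|), radians.
T = [int(abs(math.sin(i + 1)) * 2**32) & MASK32 for i in range(64)]
# Words A, B, C, D. The slide lists the bytes 01 23 45 67 ...; they are little-endian.
INITIAL_STATE = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def zero_pad_bits(msg_bits, block_bits=512, length_field_bits=64):
    """Number of 0 bits after the single 1 bit in Merkle-Damgard padding.

    Defaults are MD5's (pad to 448 mod 512, then a 64-bit length). The same rule
    with 1024-bit blocks and a 128-bit length field is the SHA-512 padding.
    """
    return (-(msg_bits + 1 + length_field_bits)) % block_bits


def md5_pad(message):
    """Steps 1 and 2: append padding bits, then the 64-bit message length."""
    zeros = zero_pad_bits(8 * len(message))
    # 0x80 carries the 1 bit plus seven 0 bits; the rest are whole zero bytes.
    padding = b"\x80" + b"\x00" * ((zeros - 7) // 8)
    length = struct.pack("<Q", (8 * len(message)) & 0xFFFFFFFFFFFFFFFF)
    return message + padding + length


def md5_compress(state, block):
    """Compression function f: mix one 512-bit block into the 128-bit state."""
    x = struct.unpack("<16I", block)        # X[k] = M[q*16 + k]
    a, b, c, d = state
    for i in range(64):
        if i < 16:
            f, k = (b & c) | (~b & d), i
        elif i < 32:
            f, k = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, k = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, k = c ^ (b | (~d & MASK32)), (7 * i) % 16
        f = (f + a + T[i] + x[k]) & MASK32
        rotated = ((f << SHIFTS[i]) | (f >> (32 - SHIFTS[i]))) & MASK32
        a, d, c, b = d, c, b, (b + rotated) & MASK32
    # Feed-forward: add the block's result to the chaining value.
    return tuple((old + new) & MASK32 for old, new in zip(state, (a, b, c, d)))


def md5_hex(message):
    """Merkle-Damgard iteration: chain f over every 512-bit block of the padded message."""
    state = INITIAL_STATE                   # step 3: initialise the MD buffer
    padded = md5_pad(message)
    for offset in range(0, len(padded), 64):
        state = md5_compress(state, padded[offset:offset + 64])
    return struct.pack("<4I", *state).hex()


if __name__ == "__main__":
    for sample in (b"", b"abc", b"message digest"):
        print(sample, md5_hex(sample))
```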
Secure Hash Algorithm
 SHA originally designed by NIST & NSA in 1993
 revised in 1995 as SHA-1
 US standard for use with DSA signature scheme
 standard is FIPS 180-1 1995, also Internet RFC3174
 based on design of MD4 with key differences
 produces 160-bit hash values
 recent 2005 results on security of SHA-1 have raised concerns
on its use in future applications
Revised SHA
 NIST issued revision FIPS 180-2 in 2002
 adds 3 additional versions of SHA
 SHA-256, SHA-384, SHA-512
 designed for compatibility with increased security
provided by the AES cipher
 structure & detail is similar to SHA-1
 hence analysis should be similar
 but security levels are rather higher
SHA Versions

               MD5      SHA-0    SHA-1    SHA-224  SHA-256  SHA-384  SHA-512
Digest size    128      160      160      224      256      384      512
Message size   2^64-1   2^64-1   2^64-1   2^64-1   2^64-1   2^128-1  2^128-1
Block size     512      512      512      512      512      1024     1024
Word size      32       32       32       32       32       64       64
# of steps     64       64       80       64       64       80       80

Full collision found

Sample Processing

Type      bits   data processed
MD5       128    469.7 MB/s
SHA-1     160    339.4 MB/s
SHA-512   512    177.7 MB/s

 Mac Intel 2.66 Ghz core i7
 1024 bytes block of data
SHA-512 Overview
Padding and length field in SHA-512

 What is the number of padding bits if the length of the original message
is 2590 bits?
 We can calculate the number of padding bits as follows:

 The padding consists of one 1 followed by 353 0’s.


SHA-512 Round Function
Hash Function Cryptanalysis
 cryptanalytic attacks exploit some property of algorithm
so faster than exhaustive search
 hash functions use iterative structure
 process message in blocks (incl length)
 attacks focus on collisions in function f
Attacks on Hash Functions
 brute-force attacks and cryptanalysis
 cryptanalytic attacks exploit some property of algorithm so
faster than brute-force
 a preimage or second preimage attack
 find y such that H(y) equals a given hash value
 collision resistance
 find two messages x & y with same hash so H(x) = H(y)

"md5 and sha1 are both clearly broken (in terms of collision-resistance)"
Ron Rivest

http://mail.python.org/pipermail/python-dev/2005-December/058850.html
The need of new Hash standard
 MD5 should be considered cryptographically broken and
unsuitable for further use, US CERT 2010
 In 2004, a collision for the full SHA-0 algorithm was
announced
 SHA-1 not yet fully "broken"
 but similar to the broken MD5 & SHA-0
 so considered insecure and to be phased out
 SHA-2 (esp. SHA-512) seems secure
 shares same structure and mathematical operations as
predecessors, so there is concern
SHA-3 Requirements
 NIST announced in 2007 a competition for the SHA-3 next
gen hash function
 Replace SHA-2 with SHA-3 in any use
 so use same hash sizes
 preserve the nature of SHA-2
 so must process small blocks (512 / 1024 bits)
 evaluation criteria
 security close to theoretical max for hash sizes
 cost in time & memory
 characteristics: such as flexibility & simplicity
Timeline Competition
 Nov 2007: Announce public competition
 Oct 2008: 64 Entries
 Dec 2008: 51 Entries as 1st Round
 Jul 2009: 14 Entries as 2nd Round
 Dec 2010: 5 Entries as 3rd Round
 Jan 2011: Final packages submission and enter public
comments
 2012: SHA-3 winner announcement (Still in progress)
Summary
 Hash functions are keyless
 Applications for digital signatures and in message authentication codes
 The three security requirements for hash functions are
 one-wayness, second preimage resistance and collision resistance
 MD5 and SHA-0 are insecure
 Serious security weaknesses have been found in SHA-1
 should be phased out
 SHA-2 appears to be secure
 May use SHA-512 and use the first 256 bytes
 The ongoing SHA-3 competition will result in new standardized
hash functions in the next year
Digital Signature
Digital Watermarking

Unit-3
What is a watermark?
A distinguishing mark impressed on
paper during manufacture; visible when paper is held up to
the light (e.g. INR Bill)

the way to protect Multimedia files
Digital Watermarking?

◼ Allows users to embed SPECIAL PATTERN or SOME
DATA into digital contents without changing its
perceptual quality.
◼ When data is embedded, it is not written at HEADER
PART but embedded directly into digital media itself
by changing media contents data
◼ Watermarking is a key process for the PROTECTION
of copyright ownership of electronic data.
Types of Watermarking
◼ Invisible/Inaudible
◼ Information is embedded without digital content degradation,
because the level of the embedding operation is too small for
humans to notice the change.
◼ Inseparable
◼ The embedded information can survive after some
processing, compression and format transformation.
◼ Unchanging data file size
◼ Data size of the media is not changed before and after
embedding operation because information is embedded
directly into the media.
CLASSIFICATION OF
WATERMARK
◼ According to Human Perception
◼ Invisible
◼ Visible

◼ According to Robustness
◼ Fragile
◼ Semi fragile
◼ Robust

◼ According to types of Document
◼ Text
◼ Image
◼ Audio
◼ Video
Visible Watermark
• Logo or seal of the organization which holds the
rights to the primary image; it allows the primary
image to be viewed, but still marks it clearly as the
property of the owning organization.

• Overlay the watermark in such a way that makes it
difficult to remove, if the goal of indicating property
rights is to be achieved.
Invisible Watermark
• Embedding level is too small to notice
• Can be retrieved by extraction software
• Applications:
– Authentication
– Copyrighting
– Etc…
CLASSIFICATION BY
“ROBUSTNESS”
Fragile/Semi Fragile/Robust
• A watermark is called fragile if it fails to be
detected after the slightest modification.
• A watermark is called semi-fragile if it resists
benign transformations but fails detection
after malignant transformations.
• A watermark is called robust if it resists a
designated class of transformations.
Public Key Cryptography

Unit-3
Public Key Authentication
Public Key Requirements
1. computationally easy to create key pairs
2. computationally easy for sender knowing public key to
encrypt messages
3. computationally easy for receiver knowing private key to
decrypt ciphertext
4. computationally infeasible for opponent to determine private
key from public key
5. computationally infeasible for opponent to otherwise
recover original message
6. useful if either key can be used for each role
Public Key Algorithms
RSA (Rivest, Shamir, Adleman)
developed in 1977
only widely accepted public-key encryption algorithm
given tech advances need 1024+ bit keys
RSA
➢ to encrypt a message M the sender:
⚫ obtains public key of recipient PU={e,n}
⚫ computes: C = M^e mod n, where 0≤M<n
➢ to decrypt the ciphertext C the owner:
⚫ uses their private key PR={d,n}
⚫ computes: M = C^d mod n
➢ note that the message M must be smaller than
the modulus n (block if needed)
RSA Key Setup
➢ each user generates a public/private key pair by:
➢ selecting two large primes at random: p, q
➢ computing their system modulus n=p.q
⚫ note ø(n)=(p-1)(q-1)
➢ selecting at random the encryption key e
⚫ where 1<e<ø(n), gcd(e,ø(n))=1
➢ solve following equation to find decryption key d
⚫ e.d=1 mod ø(n) and 0≤d≤n
➢ publish their public encryption key: PU={e,n}
➢ keep secret private decryption key: PR={d,n}
RSA Example - Key Setup
1. Select primes: p=17 & q=11
2. Calculate n = pq =17 x 11=187
3. Calculate ø(n)=(p–1)(q-1)=16x10=160
4. Select e: gcd(e,160)=1; choose e=7
5. Determine d: de=1 mod 160 and d < 160. Value is
d=23 since 23x7=161= 1x160+1
6. Public key PU={7,187}
7. Keep secret private key PR={23,187}
RSA Example - En/Decryption
➢ sample RSA encryption/decryption is:
➢ given message M = 88 (nb. 88<187)
➢ encryption:
C = 88^7 mod 187 = 11
➢ decryption:
M = 11^23 mod 187 = 88
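The key setup and en/decryption example above, carried through in code as an added example (not part of the original slides). It shows how d is found with the extended Euclidean algorithm and how the 0≤M<n rule is enforced; the function names are assumptions of this example, and the numbers p=17, q=11, e=7 and M=88 are the slide's own.

```python
from math import gcd


def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_x, x = x, old_x - quotient * x
        old_y, y = y, old_y - quotient * y
    return old_r, old_x, old_y


def rsa_key_setup(p, q, e):
    """Return (PU, PR) = ((e, n), (d, n)) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    _, x, _ = extended_gcd(e, phi)      # e*x + phi*y = 1, so e*x = 1 mod phi
    d = x % phi                         # bring the inverse into 0 <= d < phi
    return (e, n), (d, n)


def mod_exp(base, exponent, modulus):
    """Square-and-multiply, scanning the exponent from its lowest bit."""
    result = 1
    base %= modulus
    while exponent:
        if exponent & 1:
            result = result * base % modulus
        base = base * base % modulus
        exponent >>= 1
    return result


def rsa_encrypt(message, public_key):
    e, n = public_key
    if not 0 <= message < n:
        raise ValueError("message must satisfy 0 <= M < n; split it into blocks")
    return mod_exp(message, e, n)


def rsa_decrypt(ciphertext, private_key):
    d, n = private_key
    if not 0 <= ciphertext < n:
        raise ValueError("ciphertext must satisfy 0 <= C < n")
    return mod_exp(ciphertext, d, n)


if __name__ == "__main__":
    # Textbook RSA on the slide's toy numbers: no padding, illustration only.
    public_key, private_key = rsa_key_setup(17, 11, 7)
    c = rsa_encrypt(88, public_key)
    print("PU =", public_key, "PR =", private_key)
    print("C =", c, "M =", rsa_decrypt(c, private_key))
```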
Progress in Factoring
Symmetric vs. Public-Key
Digital Signatures
• have looked at message authentication
– but does not address issues of lack of trust
• digital signatures provide the ability to:
– verify author, date & time of signature
– authenticate message contents
– be verified by third parties to resolve disputes
• hence include authentication function with
additional capabilities
Digital Signature Properties
• must depend on the message signed
• must use information unique to sender
– to prevent both forgery and denial
• must be relatively easy to produce
• must be relatively easy to recognize & verify
• be computationally infeasible to forge
– with new message for existing digital signature
– with fraudulent digital signature for given message
• be practical to save digital signature in storage
Digital Signature Standard (DSS)
• US Govt approved signature scheme FIPS 186
• uses the SHA hash algorithm
• designed by NIST & NSA in early 90's
• DSS is the standard, DSA is the algorithm
• a variant on ElGamal and Schnorr schemes
• creates a 320 bit signature, but with 512-1024 bit
security
• security depends on difficulty of computing discrete
logarithms
DSA Key Generation
• have shared global public key values (p,q,g):
– a large prime p, with 2^(L-1) < p < 2^L
• where L= 512 to 1024 bits and is a multiple of 64
– choose q, a 160 bit prime factor of p-1
– choose g = h^((p-1)/q) (mod p)
• where h<p-1, h^((p-1)/q) (mod p) > 1
• users choose private & compute public key:
– choose x<q
– compute y = g^x (mod p)
DSA Signature Creation
• to sign a message M the sender:
– generates a random signature key k, k<q
– nb. k must be random, be destroyed after use, and
never be reused
• then computes signature pair:
r = (g^k (mod p)) (mod q)
s = (k^-1.(SHA(M) + x.r)) (mod q)
• sends signature (r,s) with message M
DSA Signature Verification
• having received M & signature (r,s)
• to verify a signature, recipient computes:
w = s^-1 (mod q)
u1 = (SHA(M).w) (mod q)
u2 = (r.w) (mod q)
v = (g^u1.y^u2 (mod p)) (mod q)
• if v=r then signature is verified
• see book web site for details of proof why
Unit 3

Cryptographic Protocols
• Arbitrated Protocols
• In a computer protocol, an arbiter is a trustworthy third party who
ensures fairness. The arbiter might be a person, a program, or a
machine. For example, in a network an arbiter might be a
program running on one machine of the network. The program
receives and forwards messages between users. The users trust
that when the arbiter forwards a message saying it comes from
A, the message really did come from user A. The notion of an
arbiter is the basis for a type of secure protocol called an
arbitrated protocol.
Arbitrated Protocols disadvantages
• The two sides may not be able to find a neutral third party that
both sides trust. Suspicious users are rightfully suspicious of
an unknown arbiter in a network.
• Maintaining the availability of an arbiter represents a cost to the
users or the network; that cost may be high.
• Arbitration causes a time delay in communication because a third
party must receive, act on, and then forward every transaction.
• If the arbitration service is heavily used, it may become a
bottleneck in the network as many users try to access a single
arbiter.
• Secrecy becomes weak, because the arbiter has access to much
sensitive information.
• Adjudicated Protocols
A third party that is able to see all sides judges fairness based on
evidence.
Not only can a third party determine whether two parties
acted fairly, that is, within the rules of the protocol, but the
third party can also determine who cheated.
Adjudicated protocols involve the services of a third party
only in case of a dispute. Therefore, they are usually less
costly, in terms of machine time or access to a trusted third
party software judge, than arbitrated protocols. However,
adjudicated protocols detect a failure to cooperate only
after the failure has occurred.
Hash Function Requirements
A hash function H must have the following properties:
• H can be applied to a block of data of any size
• H produces a fixed-length output
• H(x) is relatively easy to compute for any given x,
making both hardware and software implementations
practical
• For any given code h, it is computationally infeasible
to find x such that H(x)=h
• For any given block x, it is computationally infeasible
to find y≠x with H(y)=H(x)
• It is computationally infeasible to find any pair (x, y)
such that H(x)=H(y)
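The last two requirements differ in cost, which is why digest length matters. The following added Python example (not part of the original slides) truncates SHA-256 to a chosen number of bits and compares the search for any colliding pair with the search for a second input matching one fixed block; the function names and the "msg-N" inputs are constructed for the demonstration.

```python
import hashlib

def h(data, bits):
    """SHA-256 truncated to `bits` bits: fixed-length output, deliberately short."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)

def find_collision(bits, budget):
    """Look for ANY pair x != y with h(x) == h(y); needs about 2^(bits/2) tries."""
    seen = {}
    for i in range(budget):
        x = b"msg-%d" % i                 # constructed candidate inputs
        d = h(x, bits)
        if d in seen:
            return seen[d], x, i + 1      # colliding pair and number of tries
        seen[d] = x
    return None

def find_second_preimage(target, bits, budget):
    """Look for y != target with h(y) == h(target); needs about 2^bits tries."""
    want = h(target, bits)
    for i in range(budget):
        y = b"msg-%d" % i
        if y != target and h(y, bits) == want:
            return y, i + 1
    return None

if __name__ == "__main__":
    x, y, tries = find_collision(32, 2**20)
    print("32-bit collision after", tries, "tries:", x, y)
    print("second preimage within 4096 tries:",
          find_second_preimage(b"pay Bob 10", 32, 2**12))
```

With a 32-bit output a colliding pair turns up within roughly a hundred thousand hashes, while matching one fixed block would take on the order of billions, so a digest must be long enough that even the cheaper search is out of reach.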
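Message Authentication Using a One-Way Hash Function
[Figure: the sender computes H over the Message and encrypts the hash (E) with key K; the receiver decrypts it (D) with K, recomputes H over the Message, and compares the two values. Using conventional encryption]
[Figure: the same flow, with the hash encrypted (E) under Kprivate and decrypted (D) under Kpublic before the compare. Using public-key encryption (Digital Signature)]
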

UNIT-3
Contents
•Information Security Techniques
•Introduction to Cryptography: Terminology, Cryptanalysis, Security of Algorithms
Substitution Cipher and Transposition Cipher, Single XOR, One-Way pad
•Cryptographic Protocols: Arbitrated and Adjudicated Protocol, One-way Hash Function,
Public key cryptography, Digital Signature
•Digital Water marking: Characteristics and Types
Information Security Techniques

Types of IT security
•Network security. Network security is used to
prevent unauthorized or malicious users from
getting inside your network. ...
•Internet security. ...
•Endpoint security. ...
•Cloud security. ...
•Application security.
Cryptography
Terminology of Cryptography
Types of Security Protocols
• Arbitrated protocols
– Involving a trusted third party
• Adjudicated protocols
– Trusted third party, after the fact
• Self-enforcing protocols
– No trusted third party
Key Exchange With Symmetric
Encryption and an Arbitrator

• Alice and Bob want to talk securely with a new key
• They both trust Trent
– Assume Alice & Bob each share a key with
Trent
• How do Alice and Bob get a shared key?
Step One
[Figure: Alice holds KA, Bob holds KB, Trent holds KA and KB. Alice sends Trent the message "Alice requests session key for Bob". Who knows what at this point?]
Step Two
[Figure: Trent generates KS and returns E_KA(KS), E_KB(KS) to Alice. Who knows what at this point?]
Step Three
[Figure: Alice recovers KS from E_KA(KS) and sends E_KB(KS) to Bob, who recovers KS. Alice, Bob and Trent all hold KS. Who knows what at this point?]
What Has the Protocol Achieved?
• Alice and Bob both have a new session key
• The session key was transmitted using keys
known only to Alice and Bob
• Both Alice and Bob know that Trent
participated
• But there are vulnerabilities
Problems With the Protocol
• What if the initial request was grabbed by
Mallory?
• Could he do something bad that ends up
causing us problems?
• Yes!
The Man-in-the-Middle Attack
• A class of attacks where an active attacker
interposes himself secretly in a protocol
• Allowing alteration of the effects of the
protocol
• Without necessarily attacking the encryption
Applying the Man-in-the-Middle Attack
[Figure: Alice holds KA, Bob holds KB, Mallory holds KM, Trent holds KA, KB and KM. Alice sends "Alice requests session key for Bob"; the request that reaches Trent reads "Alice requests session key for Mallory". Who knows what at this point? More precisely, what do they think they know?]
Trent Does His Job
[Figure: Trent returns E_KA(KS), E_KM(KS).]
Alice Gets Ready to Talk to Bob
[Figure: Alice recovers KS and sends E_KM(KS) toward Bob; Mallory receives E_KM(KS) and recovers KS. Mallory can now masquerade as Bob.]
Really Getting in the Middle
[Figure: Mallory can also ask Trent for a key to talk to Bob. Trent returns E_KM(KS1), E_KB(KS1) and Mallory passes E_KB(KS1) to Bob. Alice holds KS, Mallory holds KS and KS1, Bob holds KS1.]
Mallory Plays Man-in-the-Middle
[Figure: Alice sends E_KS(Alice's big secret); Mallory decrypts it and sends E_KS1(Alice's big secret) to Bob. Bob sends E_KS1(Bob's big secret); Mallory decrypts it and sends E_KS(Bob's big secret) to Alice. Alice, Bob and Mallory all end up with both secrets.]
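The arbitrated key exchange and the altered-request problem shown above, as an added Python simulation (not part of the original slides). It runs the three-step protocol once as drawn and once with a hardening that the slides do not show: Trent names the other party inside each encrypted ticket, so Alice can check who the session key was really issued for. The seal/unseal helpers are a toy stand-in for E_K, and all names and keys are constructed for the demonstration.

```python
import hashlib, hmac, json, secrets

def seal(key, obj):
    """Toy authenticated encryption standing in for E_K (demo only)."""
    pt, nonce = json.dumps(obj).encode(), secrets.token_bytes(16)
    stream = hashlib.shake_256(key + nonce).digest(len(pt))
    ct = bytes(a ^ b for a, b in zip(pt, stream))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified ticket")
    stream = hashlib.shake_256(key + nonce).digest(len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, stream)))

# Long-term keys KA, KB, KM shared with Trent (constructed for this demo).
KEYS = {name: secrets.token_bytes(32) for name in ("alice", "bob", "mallory")}

def trent(requester, peer, bind_names):
    """Step Two: create KS and return one ticket per party."""
    ks = secrets.token_hex(16)
    to_req, to_peer = {"ks": ks}, {"ks": ks}
    if bind_names:                    # added hardening: name the other party in each ticket
        to_req["peer"], to_peer["peer"] = peer, requester
    return seal(KEYS[requester], to_req), seal(KEYS[peer], to_peer)

def who_can_open(ticket):
    """Return the party whose long-term key opens this ticket."""
    for name, key in KEYS.items():
        try:
            unseal(key, ticket)
            return name
        except ValueError:
            continue

def alice_runs(wanted, seen_by_trent, bind_names):
    """Alice asks for `wanted`; the request Trent receives names `seen_by_trent`."""
    ticket_a, ticket_peer = trent("alice", seen_by_trent, bind_names)
    mine = unseal(KEYS["alice"], ticket_a)
    if bind_names and mine["peer"] != wanted:
        return "abort", None          # ticket names the wrong peer: stop here
    return "proceed", who_can_open(ticket_peer)
```

In the protocol as drawn, alice_runs("bob", "mallory", False) proceeds with a second ticket that only Mallory's key opens; with bind_names=True the same run aborts because Alice's own ticket names the wrong peer.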
Data Encryption Standard (DES)

• Goal of DES is to completely scramble the data
and key so that every bit of cipher text depends
on every bit of data and every bit of key
• DES is a block Cipher Algorithm
– Encodes plaintext in 64 bit chunks
– One parity bit for each of the 8 bytes thus it reduces
to 56 bits
• It is the most used algorithm
– Standard approved by US National Bureau of Standards
for Commercial and nonclassified US government use
in 1993
Data Encryption Standard (DES)
Symmetric Encryption – Limitations
• Any exposure of the secret key compromises secrecy of
ciphertext
• A key needs to be delivered to the recipient of the coded
message for it to be deciphered
– Potential for eavesdropping attack during transmission of key
Asymmetric Encryption
• Uses a pair of keys for encryption
– Public key for encryption
– Private key for decryption
• Messages encoded using public key can only be decoded by the
private key
– Secret transmission of key for decryption is not required
– Every entity can generate a key pair and release its public key

[Figure: Plain Text, Cipher (Public Key), Cipher Text, Cipher (Private Key), Plain Text]

Asymmetric Encryption
• Two most popular algorithms are RSA & El Gamal
– RSA
• Developed by Ron Rivest, Adi Shamir, Len Adleman
• Both public and private key are interchangeable
• Variable Key Size (512, 1024, or 2048 bits)
• Most popular public key algorithm
– El Gamal
• Developed by Taher ElGamal
• Variable key size (512 or 1024 bits)
• Less common than RSA, used in protocols like PGP
Asymmetric Encryption - RSA
• Choose two large prime numbers p & q
• Compute n=pq and z=(p-1)(q-1)
• Choose number e, less than n, which has no common factor (other
than 1) with z
• Find number d, such that ed – 1 is exactly divisible by z
• Keys are generated using n, d, e
– Public key is (n,e)
– Private key is (n, d)
• Encryption: c = m^e mod n
– m is plain text
– c is cipher text
• Decryption: m = c^d mod n
• Public key is shared and the private key is hidden
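The RSA key setup and the p=17, q=11, e=7 example from the earlier RSA slides, together with the n, z, e, d summary above, as an added Python example (not part of the original slides). The function names are illustrative; recover_private_key repeats the key setup after factoring n by trial division, which shows why the toy modulus 187 protects nothing and why the slides ask for 1024+ bit keys.

```python
from math import gcd, isqrt

def make_keys(p, q, e):
    """Key setup: returns PU=(e, n) and PR=(d, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)                 # solves e.d = 1 mod phi(n)
    return (e, n), (d, n)

def encrypt(m, pu):
    e, n = pu
    if not 0 <= m < n:
        raise ValueError("M must be smaller than the modulus n (block if needed)")
    return pow(m, e, n)                 # C = M^e mod n

def decrypt(c, pr):
    d, n = pr
    return pow(c, d, n)                 # M = C^d mod n

def recover_private_key(pu):
    """Anyone who can factor n can redo the key setup; trivial for a toy n."""
    e, n = pu
    p = next(f for f in range(2, isqrt(n) + 1) if n % f == 0)
    return make_keys(p, n // p, e)[1]

if __name__ == "__main__":
    pu, pr = make_keys(17, 11, 7)       # values from the slides
    c = encrypt(88, pu)
    print("PU", pu, "PR", pr, "C", c, "M", decrypt(c, pr))
    print("private key rebuilt from PU alone:", recover_private_key(pu))
```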
Asymmetric Encryption - Weaknesses
• Efficiency is lower than Symmetric Algorithms
– A 1024-bit asymmetric key is equivalent to 128-bit
symmetric key
• Potential for eavesdropping attack during transmission of
key
• It is problematic to get the key pair generated for the
encryption
