CRYPTOGRAPHY AND NETWORK SECURITY

Cryptography - The art or science encompassing the principles and methods

of transforming an intelligible message into one that is unintelligible, and
then retransforming that message back to its original form

Plaintext The original intelligible message

Cipher text The transformed message
Network - a group or system of interconnected people or things.
"the company has a network of 326 branches"
“ College has a big network for placements “
“Computer lab has network connected systems”
Security - the state of being free from danger or threat.
"the system is designed to provide maximum security against toxic spills"
1
• Information Security - the state of being protected against the unauthorized use of
information, especially electronic data, or the measures taken to achieve this.
Example – is the use of rugged filling cabinets with a combination of locks
for storing sensitive documents.
• With the introduction of computers, the need for automated tools for protecting
files and other information stored on the computer became evident, this is
especially the case for shared system, such as a time-sharing system, data network
or the internet.

• Computer Security – The generic name for the collection of tools designed to
protect data and to thwart hackers. (thwart - prevent (someone) from
accomplishing something.)

• Internet security – The network security is some what misleading because virtually
all business, government and academic organisations interconnect their data
processing equipment with a collection of interconnect networks, such a collection
is often referred as an internet and the term internet security is used. 2
Course Objectives:
• Explain the objectives of Information Security.( Principles of Security)
The Objectives are
1. Security:
2. Confidentiality,
3. Integrity,
4. Availability,
5. Nonrepudiation
• Importance of Information Security
• Understanding various cryptographic algorithms.
• Symmetric and Asymmetric key cryptography
• Understand the basic categories of threats to computers and
networks

3
• The most common network security threats
1. Computer virus. We've all heard about them, and we all have our fears. ...
2. Rogue security software. Leveraging the fear of computer viruses,
scammers have a found a new way to commit Internet fraud. ...
3. Trojan horse. ...
4. Adware and spyware. ...
5. Computer worm. ...
6. DOS and DDOS attack. ...
7. Phishing. ...
8. Rootkit.
• Describe public-key cryptosystem
• Describe the enhancements made to IPv4 by IPSec
• In computing, Internet Protocol Security (IPsec) is a secure network
protocol suite that authenticates and encrypts the packets of data to provide
secure encrypted communication between two computers over an
Internet Protocol network. 4
• Understand Intrusions and intrusion detection
To compromise a computer system by breaking the security of such a system
or causing it to enter into an insecure state. The act of intruding—or gaining
unauthorized access to a system—typically leaves traces that can be
discovered by intrusion detection systems.
• Discuss the fundamental ideas of public-key cryphotgraphy
In such a system, any person can encrypt a message using the receiver's public
key, but that encrypted message can only be decrypted with the receiver’s
private key
• Generate and distribute a PGP key pair and use the PGP package to send an
encrypted e-mail message.
Pretty Good Privacy (PGP) is an encryption program that provides
cryptographic privacy and authentication for data communication. PGP is used for
signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk
partitions and to increase the security of e-mail communications.
• Discuss web security and Firewalls.
5
 Unit – I
Security Concepts
Introduction
• Computer data often travels from one computer to another, leaving
the safety of its protected physical surroundings. Once the data is out
of hand, people with bad intention could modify or forge your data,
either for amusement or for their own benefit.
• Cryptography can reformat and transform our data, making it safer on
its trip between computers. The technology is based on the essentials
of secret codes, augmented by modern mathematics that protects
our data in powerful ways.

6
The Need for Security –
• Most previous computer applications has no , the best , very little security.
This was continued for number of years until the importance of data was
truly realized.
• When computer applications were developed to handle financial and
personal data, the real need for security was came.
• People realized that data on computer is an extremely important aspect of
modern life, therefore various areas in security began to gain.
• Two typical examples of each security mechanisms were…
1. Provide a user identification and password to every user.
2. Encode information stored in the database in some fashion- so that it is not visible
to users who do not have the permission.
• Organization employed their own mechanisms in order to provide the
basic security mechanisms.

7
• As Technology improved the communication infrastructure became
extremely mature and newer applications began to be developed for
users demand and needs.
Example-
• The internet took major role in the world – example of what could
happen if there was insufficient security built in the application
developed for the internet.
• Fig shows what can happen when you use your credit card for making
purchases over the internet.
• From the user computer the user details such as user id , order details
, and payment details such as credit card information travel across the
internet to the server i.,e to the merchant’s computer. The merchant
stored the details in its database.

8
There are various security holes-
1. An intruder can capture the credit card details as they travel from
the client to the server. Some how we protects this transit form an
intruder’s attack.
2. It is still does not solve our problem, once the merchant computer
receives the credit card details and validates them so as to process
the order and later obtain payments, the merchant computer stores
the credit card information into its database.
3. Now an attacker can simply succeed in accessing this database and
therefore gain access to all the credit card information stored in.
4. Once Russian called MAXIM managed to intrude into a merchant
internet site and obtained 3,00,000 credit card number from its
database.
9
10
Modern Nature of Attacks
• A few salient features of the modern nature of attacks are
1. Automating Attacks
• The speed the computers make several attacks worthwhile for miscreants.
For Example:
• In the real world suppose someone manages to create a machine that can
produce counterfeit coins. How many such coins would the attacker be able
to get .
• But the scenario is quite different with computers.
For example
• They could excel in somehow stealing a very low amount say a half dollar
from a million bank accounts in a few minutes. Fig show …

11
12
Privacy Concerns
• Collecting information about people and later misusing it is turning out to
be a huge problem these days.
• The so-called data mining applications gather , process and tabulate all
sorts of details about individuals.
• People can illegally sell this information .
For example
• The information that can come out of this are…
• which stores the person buys more from ,
• which restaurant he/she eats in,
• where he/she goes for vocation frequently
• Every company eg shopkeepers, banks , airlines and insurers are collecting
and processing a mind boggling amount of information about us, with our
knowing to us.
13
Distance Does not matter
• Thieves would attack banks, because banks had money.
• Banks do have money today,
• Money is in digital from inside the computers and moves around by
using computers networks.
• Therefore, a modern thief would perhaps not like a wear a mask and
attempt a robbery.. instead it is far easier and cheaper to attempt an
attack on the computer system on the bank by sitting at home.
• It may be far from prudent for the attacker to break into the banks
servers, or steak credit card/ ATM information.
• In 1995 a Russian hacker broke into citibank’s computer remotely
stealing $12 million…and later attacker was traced.
• Fig shows..
14
15
 Security Approaches
Trusted Systems
• A trusted system is a computer system that can be trusted to s
specified extent to enforce a specified security policy.
• These are primarily interest to the military, however these days they
have spanned across various areas like in the banking and financial
community.
• For this Trusted system often use to term reference monitor. This is an
entity that is at logical heart of the computer system.
• It is mainly responsible for all the decisions related to access controls
like…
1. It should be tamper- proof.
2. It should always be invoked.
3. It should be small enough so that it can be tested independently.
16
• In 1983 Orange Book also called the Trusted Computer System
Evaluation Criteria (TCSEC), the National Security Agency (NSA) of
the US government defined a set of evaluation classes.
• These described the features and assurances that the user could
expect from a trusted system.
• The highest levels of assurance were provided by significant efforts
directed towards reduction of the size of the trusted computing base
– TCB.
• TCB was defined as a combination of hardware and software and
firmware responsible for enforcing the system’s security policy.

17
Security Models
• An organization can take several approaches to implement its security
model, they are
1. No Security – the approach could be a decision to implement no security at
all.
2. Security through Obscurity – in this model a system is secure and simple
because nobody knows about its existence and contents.
• This approach cannot work long because an attacker can come to know about it
3. Host Security – In this scheme, the security for each host is enforced
individually. This is a safe approach, but the trouble is that it cannot scale
well.
• The complexity and diversity of modern sites/organizations make the task harder.
4. Network Security – Host security it tough to achieve as organizations grow
and become more diverse.
• In this technique the focus is to control network access to various hosts and there
services, rather than individual host security.
• This is very efficient and scalable model. 18
Security Management Practices
• Good Security-management practices always talk of a security policy being in
place, putting a security policy in place .
• A good security policy and its proper implementation go a long way in ensuring
adequate security-management practice.
• A good security policy generally takes care of four key aspects –
1. Affordability – how much money and effort does this security implementation cost.
2. Functionality – What is the mechanism of providing security ?
3. Cultural Issues – Does this policy complement the people’s expectations, working style
and beliefs?
4. Legality – Does the policy meet the legal requirements?

Once a security policy is designed , the following points should be ensured

a) Explanation of the policy to all concerned
b) Outline everybody’s responsibilities.
c) Use simple language in all communications.
d) Accountability should be established.
e) Provide for exceptions and periodic reviews. 19
 PRINCIPLES OF SECURITY
• Discuss Some of the attacks that have occurred in the real life,
• let us now classify the principles of security.
• This will help us understand the attacks better,
• and also help us in thinking about the possible solutions to tackle
them.
For Example
• Let us assume that a person A wants to send a cheque worth of $100
to another person B , Normally what the factors that A and B will
think of in such a case ?
• A will write cheque and put it inside an envelope and send B.

20
1. A will like to ensure that no one except B get the envelope and even if
someone else gets it he/she does not come to know about the details
of cheque. This is the principle of confidentiality.
2. A and B will further like to make sure that no one can tamper with the
contents of the cheque such as amount, date and signature , name –
This is principle of Integrity.
3. B would like to be assured the cheque has indeed come from A, and
not from someone else possing as A - This is the principle of
Authentication.
4. What will happen tomorrow if B deposits the cheque in the bank , the
money is transferred from A ‘s accounts to B’s account, and then
refuses having written/sent cheque ? The court of law will use A’s
signature to disallow A to refute this claim and settle the dispute – this
it the principle of non-repudiation. (Requires that neither the sender
nor the receiver of a message be able to deny the transmission.)
21
• These are four principle of security , there are two more
1. access control and
2. availability.

Confidentiality

• Ensures that the information in a computer system and transmitted

information are accessible only for reading by authorized parties.
• Fig shows the example

22
23
• User A send the message to B , another user C gets access to this
message which is not desired, and therefore defeats the purpose of
confidentiality.
• An example of this could be a confidential email message sent by A to
B. which is accessed by C without the permission or knowledge of A
and B .
• This type of attack is called interception. ( causes loss of
confidentiality)

24
Authentication
• Authentication mechanism help establish proof of identities.
• The authentication process ensures that the origin of an electronic
message or document is correctly identified.
For Example
• Users C send an electronic document over the internet to user B, however
the trouble is that user C had posed as user A.
• How could be user B know that the message has come from user C, who is
posing as user A ?
• An example real life example case user C posing as user A sending a funds
transfer request from A ‘s account to C’s account to bank B.
• The bank transfers the funds from A’s account to C’s account – after it
would think that user A has requested for funds transfer - This type of
attack is called fabrication.
25
26
Integrity
• Ensures that only authorized parties are able to modify computer
system assets and transmitted information. Modification includes
writing, changing status, deleting, creating and delaying or replaying
of transmitted messages.

• When the contents of a message are changed after the sender sends
it, but before it reaches the intended recipient, we say that the
integrity of the message is lost.

• For Example fig shows….

27
28
• Suppose we intended to send or transfer of $100 to user B , however
you noticed that in the statement results in $1000. This is the loss of
message integrity.
• Here user C tampers and manages to access it and change its contents
and send the changed message to B with knowing to B.
• User A also does not know about this change. This type of attack is
called modification.

29
30
31
32
33
34
35