CRYPTOGRAPHY

Cryptography
 Cryptography is the study of secure
communications techniques that allow
only the sender and intended recipient of
a message to view its contents.
 The term is derived from the Greek
word kryptos, which means hidden.
 Cryptography is about constructing and
analyzing protocols that prevent third
parties or the public from reading
private messages
Cryptographic algorithms and protocols can be
grouped into four main areas:

■ Symmetric encryption: Used to conceal the

contents of blocks or streams of data of any size,
including messages, files, encryption keys, and
passwords.
■ Asymmetric encryption: Used to conceal small
blocks of data, such as encryption keys and hash
function values, which are used in digital
signatures.
■ Data integrity algorithms: Used to protect
blocks of data, such as messages, from alteration.
■ Authentication protocols: These are schemes
based on the use of cryptographic algorithms
designed to authenticate the identity of entities.
Essential Network and Computer Security
Requirements
 Confidentiality: Preserving authorized restrictions
on information access and disclosure, including
means for protecting personal privacy and
proprietary information.
 Integrity: Guarding against improper
information modification or destruction,
including ensuring information nonrepudiation and
authenticity.
 Availability: Ensuring timely and reliable access
to and use of information.
 Authenticity: The property of being genuine and
being able to be verified and trusted
confidence in the validity of a transmission, a
message, or message originator.
 Accountability: The security goal that generates
the requirement for actions of an entity to be
traced uniquely to that entity.
 Legal, Ethical and Professional
Aspects of Security

Cybercrime And Computer Crime:

 Computer crime, or cybercrime, is a
term used broadly to describe criminal
activity in which computers or computer
networks are a tool, a target, or a place of
criminal activity.
 The term cybercrime has a connotation
of the use of networks specifically,
whereas computer crime may or may
not involve networks.
The U.S. Department of Justice [DOJ]
categorizes computer crime based
on the role that the computer plays in
the criminal activity, as follows:
 Computers as targets
 Computers as storage devices
 Computers as communications tools
Privacy Law and Regulation
A number of international organizations and
national governments have introduced laws and
regulations intended to protect individual privacy.
 Notice
 Consent
 Consistency
 Access
 Security
 Onward transfer
 Enforcement
 Law and Ethics in Information
Security
Laws:
 Rules that mandate or prohibit certain behavior
 Drawn from ethics
Ethics:
 Define socially acceptable behaviors
Key difference:
 Laws carry the authority of a governing body
 Ethics do not carry the authority of a governing body
 Based on cultural mores
 Fixed moral attitudes or customs
 Some ethics standards are universal
 Policy Versus law
Policies:
 Guidelines that describe acceptable and unacceptable
employee behaviors
 Functions as organizational laws
 Has penalties, judicial practices, and sanctions
Difference between policy and law:
 Ignorance of policy is acceptable
 Ignorance of law is unacceptable
Keys for a policy to be enforceable:
 Dissemination
 Review
 Comprehension
 Compliance
 Uniform enforcement
 Types of Law
 Civil – govern a nation or state
 Criminal – addresses activities and
conduct harmful to public
 Private – encompasses family, commercial,
labor, and regulates the relationship
between individuals and organizations
 Public – regulates the structure and
administration of government agencies and
their relationships with citizens, employees,
and other governments
United States Privacy Initiatives:

 Banking and financial records

 Credit reports
 Medical and health insurance records
 Children’s privacy
 Electronic communications
Ethical issues arise as the result of the roles of
computers, such as the following:
 Repositories and processors of information:
Unauthorized use of otherwise unused computer services or
of information stored in computers raises questions of
appropriateness or fairness.
 Producers of new forms and types of assets: For
example, computer programs are entirely new types of
assets, possibly not subject to the same concepts of
ownership as other assets.
 Instruments of acts: To what degree must computer
services and users of computers, data, and programs be
responsible for the integrity and appropriateness of
computer output?
 Symbols of intimidation and deception: The images of
computers as thinking machines, absolute truth producers,
infallible, subject to blame, and as anthropomorphic
replacements of humans who err should be carefully
considered.
 Need for Security at Multiple
levels
 The field of Network and Internet
security consists of measures to deter,
prevent, detect, and correct security
violations that involve the transmission of
information
 Following are some examples for security
violation
 User A transmits a file to user B. The file
contains sensitive information that is to be
protected from disclosure. User C, who is not
authorized to read the file, is able to monitor
the transmission and capture a copy of the
file during its transmission
 Need for Security at Multiple
levels
 A network manager, D, transmits a message to a
computer, E, under its management. The message
instructs computer E to update an authorization file
to include the identities of a number of new users
who are to be given access to that computer. User F
intercepts the message, alters its contents to add or
delete entries, and then forwards the message to
computer E, which accepts the message as coming
from manager D and updates its authorization file
accordingly
 Rather than intercept a message, user F constructs
its own message with the desired entries and
transmits that message to computer E as if it had
come from manager D. Computer E accepts the
message as coming from manager D and updates its
authorization file accordingly
 Security Policy
P.1.  A policy on cryptographic controls
will be developed with procedures to
provide appropriate levels of protection to
sensitive information while ensuring
compliance with statutory, regulatory and
contractual requirements.
P.2.  Classified information shall only be
taken for use away from the organization
in an encrypted form unless its
confidentiality can otherwise be assured.
 Security Policy
P.3.  Procedures shall be established to
ensure that authorized staff may gain
access, when needed, to any important
business information being held in
encrypted form.
P.4. The confidentiality of information
being transferred on portable media or
across networks, must be protected by
use of appropriate encryption techniques.
 Security Policy
P.5. Encryption shall be used whenever
appropriate on all remote access
connections to the organization's network
and resources.
P.6. A procedure for the management of
electronic keys, to control both the
encryption and decryption of sensitive
documents or digital signatures, must be
established to ensure the adoption of
best practice guidelines and compliance
with both legal and contractual
requirements.
OSI Security Architecture
 It is a systematic way of defining the
requirements for the security
 It characterize the approaches to
satisfy the various security products
and polices
 X.800 security architecture of OSI
defines such a systematic approach
 OSI security architecture is useful for
organizing the task of providing
security
OSI Security Architecture
 Since this architecture was
developed as an international
standard, Computer and
Communications vendors have
developed security features for
their products and services that
relate to this structured definition
of services and mechanisms
OSI Security Architecture
 The OSI security architecture focuses
on
Security Attacks

Security Mechanism

Security Services
 Security Attacks
Security Attacks:
 Any action that compromises the
security of information owned by an
organization
Classifications:
Passive attacks
Active attacks
 Passive Attacks
 Passive attacks are in the nature of
eavesdropping on, or monitoring
of, transmissions.
 Passive Attacks
 The goal of the opponent is to
obtain information that is being
transmitted.
 Two types of passive attacks are
 Release of message contents
 Traffic analysis.
 Passive Attacks
• Release of message contents
– capture and read the content.
– A telephone conversation, an electronic mail
message, and a transferred file may contain
sensitive or confidential information.
• Traffic analysis
– Can’t read the information, But observe the
pattern
– Determine the location and identity of
communicating parties
– Observe frequency and length of
communication
 Active Attacks
 Active attacks involve some
modification of the data stream or
the creation of a false stream
 Active Attacks
 It can be subdivided into four
categories:
 Masquerade
 Replay
 Modification of messages
 Denial of service
 Active Attacks
 Masquerade
 A masquerade takes place when one
entity pretends to be a different entity
 Masquerade is a type of attack where
the attacker pretends to be an
authorized user of a system in order
to gain access to it or to gain greater
privileges than they are authorized for.
 Active Attacks
 Replay
 A replay attack also known as
playback attack.
 Replay involves the passive capture of a
data unit and its subsequent
retransmission to produce an
unauthorized effect.
 Active Attacks
 Modification of messages
 It simply means that some portion of a
legitimate message is altered, or that
messages are delayed or reordered, to
produce an unauthorized effect
 Denial of service
 A denial-of-service (DoS) is any type of
attack where the attackers (hackers)
attempt to prevent legitimate users
from accessing the service
 Security Mechanisms
 Security mechanism:
 A process that is designed to detect, prevent,
or recover from a security attack
 The following are some security
mechanisms defined in X.800
• Encipherment
• Access Control
• Digital Signature
• Data Integrity
• Authentication Exchange
• Traffic Padding
• Routing Control
 Security Mechanisms
 Encipherment
– The use of mathematical algorithms to
transform data into a form that is not
readily intelligible.
– The transformation and subsequent
recovery of the data depend on an
algorithm and zero or more encryption
keys.
 Security Mechanisms
 Access Control
– A variety of mechanisms that enforce
access rights to resources.
 Security Mechanisms
 Digital Signature
– Here the sender can electronically sign
the data and the receiver can
electronically verify the signature.
 Security Mechanisms
 Data Integrity
– The assurance that the data has not been
altered in an unauthorised manner since the
time that the data was last created,
transmitted, or stored by an authorised user.
– A variety of mechanisms used to assure the
integrity of a data unit or stream of data
units.
 Security Mechanisms
 Authentication Exchange
– A mechanism intended to ensure the
identity of an entity by means of
information exchange.
 Security Mechanisms
 Traffic Padding
– The insertion of bits into gaps in a data stream to
frustrate traffic analysis attempts
– Traffic padding may be used to hide the traffic
pattern, which means to insert dummy traffic
into the network and present to the intruder a
different traffic pattern.
 Security Mechanisms
 Routing Control
– Enables selection of particular physically
secure routes for certain data and allows
routing changes, especially when a
breach of security is suspected.
 Notarization
– The use of a trusted third party to
assure certain properties of a data
exchange.
 Security Mechanisms
 Notarization
– The use of a trusted third party to
assure certain properties of a data
exchange.
 Security Services
 It is a processing or communication
service that is provided by a system
to give a specific kind of
protection to system resources.
 Security services implement
security policies and are
implemented by security
mechanisms.
 X.800 divides these services into five
categories and fourteen specific
services
 Security Services
 The five categories are

• Authentication

• Access Control

• Data Confidentiality

• Data Integrity

• Nonrepudiation
 Authentication
 The authentication service is
concerned with assuring that a
communication is authentic
 Two specific authentication services
are defined in X.800:
 Peer entity authentication
 Data origin authentication
 Authentication
 Peer entity authentication
– Used in association with a logical
connection to provide confidence in the
identity of the entities connected.
 Data origin authentication
– In a connectionless transfer, provides
assurance that the source of
received data is as claimed
 Access Control
 The prevention of unauthorized
use of a resource.
(i.e., this service controls who can
have access to a resource, under what
conditions access can occur, and what
those accessing the resource are
allowed to do)
 Data Confidentiality
 Confidentiality is the protection of
transmitted data from passive attacks
 Connection Confidentiality

 Connectionless Confidentiality

 Selective-Field Confidentiality

 Traffic-Flow Confidentiality
 Data Confidentiality
• Connection Confidentiality
– The protection of all user data on a
connection
• Connectionless Confidentiality
– The protection of all user data in a single
data block
• Selective-Field Confidentiality
– The confidentiality of selected fields within
the user data on a connection or in a single
data block.
• Traffic-Flow Confidentiality
– The protection of the information that might be
derived from observation of traffic flows
 Data Integrity
 The assurance that data received
are exactly as sent by an authorized
entity (i.e., contain no
modification, insertion, deletion,
or replay).
 Connection Integrity with Recovery
 Connection Integrity without Recovery
 Selective-Field Connection Integrity
 Connectionless Integrity
 Selective-Field Connectionless
Integrity
 Data Integrity
• Connection Integrity with Recovery
– Provides for the integrity of all user data on a
connection and detects any modification,
insertion, deletion, or replay of any data within an
entire data sequence, with recovery
attempted.
• Connection Integrity without Recovery
– As above, but provides only detection without
recovery
• Selective-Field Connection Integrity
– Provides for the integrity of selected fields within
the user data of a data block transferred over
a connection and takes the form of determination
of whether the selected fields have been modified,
inserted, deleted, or replayed.
 Data Integrity
• Connectionless Integrity
– Provides for the integrity of a single
connectionless data block and may
take the form of detection of data
modification.
– Additionally, a limited form of replay
detection may be provided.
• Selective-Field Connectionless Integrity
– Provides for the integrity of selected
fields within a single connectionless
data block; takes the form of
determination of whether the selected
fields have been modified
 Nonrepudiation
 Provides protection against denial by
one of the entities involved in a
communication of having participated in
all or part of the communication
 Nonrepudiation Origin
Proof that the message was sent by
the specified party.
 Nonrepudiation, Destination
Proof that the message was received
by the specified party.
Relationship Between Security
Services and Mechanisms