
Information Security

PREPARED BY: DR. REEMA PATEL

9/10/2019 DR. REEMA PATEL, B.TECH, SOT, PDPU, IS-2019 1


Course Coverage
• 5 Hours Per Week
◦ 3 Theory Lectures
◦ 2 Hours Practical – For Computer Science Students Only

• Exam:
• Mid Semester: 50 Marks
• End Semester: 100 Marks
• Internal Marks: 25 Marks - 1 or 2 Assignments, 2 or 3 Quizzes, Summary Presentation



Course Content
• UNIT - I
• Introduction
◦ Information Security Requirements
◦ Security Attacks
◦ Security Services and Mechanisms
• Classical Encryption techniques
◦ Substitution Techniques
◦ Transposition Techniques
◦ Block Ciphers
• Symmetric Key Cryptography



Course Content
• UNIT - II
• Mathematical Background for Cryptography
◦ Divisibility and Division Algorithm
◦ Euclidean Algorithm
◦ Modular Arithmetic
◦ Groups, Rings, and Fields
◦ Polynomial Arithmetic

• Data Encryption Standard
• Advanced Encryption Standard
• Block Cipher Operation



Course Content
• UNIT - III
• Public Key Cryptography
◦ Diffie-Hellman Key Exchange
◦ RSA
◦ Elgamal Public Key Encryption
◦ Elliptic Curve Cryptography
• UNIT - IV
• Cryptographic Hash functions (Self Study)
• Message Authentication Code
• Digital Signature



Recommended Books
1. Cryptography and Network Security
◦ William Stallings, 5/E, Pearson Education
2. Handbook of Applied Cryptography
◦ Menezes, Oorschot, Vanstone, CRC Press, 1996
3. Cryptography Theory and Practice
◦ Douglas Stinson, 3/E, Chapman and Hall/CRC
4. Applied Cryptography
◦ Bruce Schneier, 2/E, John Wiley, 1996.
5. Cryptography & Network Security
◦ Behrouz Forouzan, 1/E, TMH, 2007



SECURITY WORLD WIDE



Security Breaches
• Dunkin’ Donuts Reports Credential Stuffing Attack – November 2018
• Where hackers leveraged user credentials leaked at other sites to enter DD Perks rewards
accounts.
• The type of information stored in a DD Perks account, which provides repeat customers a
way to earn points and get free merchandise or discounts, includes the user’s first and last
names, emails (usernames) and a 16-digit DD Perks account number and QR code.
• According to ZDNet, the hackers weren’t after users’ personal information stored in the
rewards accounts; instead, they were after the account itself in order to sell on Dark Web
forums.



Security Breaches
• Toyota's Second Data Breach Affects Millions Of Drivers
• Toyota revealed the issue on its official website on March 29, 2019, saying the breach
potentially affected 3.1 million people.
• The company said it did not believe the hackers accessed private customer or employee
data in that instance.



Security Breaches
• Investigation Of Walmart Email Breach
• The FBI is investigating allegations that employees from one of Walmart’s technology
suppliers were illegally monitoring the retailer’s e-mail communication.
• The New York Times reports that in late 2015 through early 2016, Compucom employees
assigned to Walmart’s help desk were using their access to monitor specific e-mail
accounts at the retailer and allegedly using that information to get an edge over
competitors.



Security Breaches
• Customs and Border Protection Contractor Perceptics – May 2019
• In May, a surveillance contractor for US Customs and Border Protection suffered a breach,
and hackers stole photos of travelers and license plates related to about 100,000 people.

• Ransomware
• Criminal groups continue to target businesses, health care providers, and, most visibly,
local governments with these brash hacks, in which malware is used to encrypt a system's
data and then demand a ransom to decrypt it—swindling victims of billions of dollars a
year in the process.



Security Breaches
• American Medical Collection Agency breach
• One of the most concerning corporate data breaches so far is that of the American Medical
Collection Agency, a massive health-care-related debt collector.
• 12 million patient records exposed
• The compromised information included first and last names, dates of birth, phone
numbers, addresses, dates of medical services, health care providers, and data on
balances due



Security Breaches
• Russian Grid Hacking
• In 2017, security researchers sounded the alarm about Russian hackers infiltrating and
probing United States power companies.

• US Universities
• In March, the Department of Justice indicted nine Iranian hackers over an alleged spree of
attacks on more than 300 universities in the United States and abroad.
• The DOJ says the hackers stole 31 terabytes of data, estimated to be worth $3 billion in
intellectual property.



Security Breaches
• Under Armour

• Hackers breached Under Armour's MyFitnessPal app in late February 2018, compromising
usernames, email addresses, and passwords from the app's roughly 150 million users.

• VPNFilter:
• At the end of May, officials warned about a Russian hacking campaign that has impacted
more than 500,000 routers worldwide. The attack spreads a type of malware, known as
VPNFilter, which can be used to coordinate the infected devices to create a massive
botnet.



Security Breaches
• Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data
breach
• The data analytics firm that worked with Donald Trump’s election team and the winning
Brexit campaign harvested millions of Facebook profiles of US voters, in one of the tech
giant’s biggest ever data breaches, and used them to build a powerful software program to
predict and influence choices at the ballot box.



Publicly available numbers from Javelin Strategy & Research



Average cost of a data breach rises
• Cost of the average data breach to companies worldwide: $3.86 million (U.S. dollars)
• Cost of the average data breach to a U.S. company: $7.91 million (U.S. dollars)
• Average time it takes to identify a data breach: 196 days



Introduction
• The art of war teaches us to rely not on the likelihood of the enemy's not
coming, but on our own readiness to receive him; not on the chance of his
not attacking, but rather on the fact that we have made our position
unassailable.
—The Art of War, Sun Tzu



Introduction
• We are living in the information age
• Information: meaningful data

• We need to keep information about every aspect of our lives
◦ Information is an asset that has a value like any other asset

• As an asset, information needs to be secured from attacks



Introduction
• To be secured,
◦ Information needs to be hidden from unauthorized access
◦ Protected from unauthorized change
◦ And available to an authorized entity when it is needed



Introduction
• Until a few decades ago,
◦ The information collected by an organization was stored on physical files

◦ Confidentiality of files: achieved by restricting the access to a few authorized and trusted
people in the organization

◦ Integrity: Only a few authorized people were allowed to change the contents of the files

◦ Availability: achieved by designating at least one person who would have access to the
files at all times



Introduction
• With the advent of computers,
◦ Information storage became electronic
◦ Instead of being stored on physical media, it was stored in computers

• The files stored in computers require confidentiality, integrity, and availability.

• The implementation of these requirements, however, is different and more challenging



Introduction
• During the last few decades, computer networks created a revolution in the use of
information
◦ Information is now distributed
• Authorized people can send and retrieve information from a distance using computer
networks
• The three security requirements – confidentiality, integrity, and availability – have not
changed, but they have gained new dimensions

• Not only should information be confidential when it is stored in a computer,
◦ there should also be a way to maintain its confidentiality when it is transmitted from one
computer to another
Introduction



Confidentiality
• Confidentiality is probably the most common aspect of information security.

• We need to protect our confidential information. An organization needs to guard against
those malicious actions that endanger the confidentiality of its information.

• Example:
◦ In military, concealment of sensitive information is the major concern,
◦ In industry, hiding some information from competitors is crucial to the operation of the
organization
◦ In banking, customers’ accounts need to be kept secret



Confidentiality
• Data confidentiality: Assures that private or confidential information is not made available
or disclosed to unauthorized individuals.

• Preserving authorized restrictions on information access and disclosure, including means
for protecting personal privacy and proprietary information.

• A loss of confidentiality is the unauthorized disclosure of information.



Integrity
• Information needs to be changed constantly.
◦ In a bank, when a customer deposits or withdraws money, the balance of her account needs to be
changed

• Integrity means that changes need to be done only by authorized entities and through
authorized mechanisms.



Integrity
• Data integrity: Assures that information and programs are changed only in a specified and
authorized manner.

• System integrity: Assures that a system performs its intended function in an unimpaired
manner, free from deliberate or inadvertent unauthorized manipulation of the system.

• Integrity: Guarding against improper information modification or destruction, including
ensuring information nonrepudiation and authenticity.
• A loss of integrity is the unauthorized modification or destruction of information.



Availability
• The information created and stored by an organization needs to be available to authorized
entities.

• Information is useless if it is not available

• Information is constantly changed, which means it must be accessible to authorized entities
◦ Imagine what would happen to a bank if customers could not access their accounts for
transactions



Availability
• Availability: Assures that systems work promptly and service is not denied to authorized
users.

• Ensuring timely and reliable access to and use of information.


• A loss of availability is the disruption of access to or use of information or an information
system.



Security Attacks



Security Attacks
• The three goals of security: confidentiality, integrity, and availability can be threatened by
security attacks.

• Attacks Threatening Confidentiality
• Attacks Threatening Integrity
• Attacks Threatening Availability
• Passive versus Active Attacks



Security Attacks
• any action that compromises the security of information owned by an organization
• information security is about how to prevent attacks, or failing that, to detect attacks on
information-based systems
• there is a wide range of attacks
• can focus on generic types of attack
◦ Passive
◦ Active



Passive Attack



Active Attack



Taxonomy of attacks with relation to security goals



Attacks Threatening Confidentiality
• Snooping refers to unauthorized access to or interception of data.

• Traffic analysis refers to obtaining some other type of information by monitoring online
traffic.



Attacks Threatening Integrity
• Modification means that the attacker intercepts the message and changes it.

• Masquerading happens when the attacker impersonates somebody else.

• Replaying means the attacker obtains a copy of a message sent by a user and later tries to
replay it.

• Repudiation means that the sender of the message might later deny that she has sent the
message, or the receiver of the message might later deny that he has received the message.



Attacks Threatening Availability
• Denial of service (DoS) is a very common attack. It may slow down or totally interrupt the
service of a system.



Passive Versus Active Attacks



Security Basics
• The International Telecommunication Union-Telecommunication Standardization Sector
(ITU-T)
◦ Provides some security services and some mechanisms to implement those services

• ITU-T Recommendation X.800, Security Architecture for OSI
◦ defines such a systematic approach to defining and providing security requirements



Security Basics
• X.800 focuses on three aspects of information security
1. Security service
◦ properties which any security solution should satisfy e.g. ……

2. Security mechanism
◦ tools and techniques by which the security services can be achieved, e.g.

3. Security attack
◦ actions that are attempts at violating the security rules.



Security Services



Security Services - X.800 objectives
• Authentication : assurance that the communicating entity is the one claimed

• Access Control : prevention of the unauthorized use of a resource

• Data Confidentiality : protection of data from unauthorized disclosure

• Data Integrity : assurance that data received are exactly as sent by an authorized entity

• Non-Repudiation : protection against denial by one of the parties in a communication



Security Mechanism
• Feature designed to detect, prevent, or recover from a security attack

• No single mechanism that will support all services required



Security Mechanism



Security Services and Security Mechanisms
• Relation between Security Services and Security Mechanisms



Techniques
• The actual implementation of security goals needs some techniques.

• Two techniques are prevalent today:
◦ cryptography and steganography.



Steganography
• The word steganography, with origin in Greek, means “covered writing,” in contrast with
cryptography, which means “secret writing.”

• The practice of concealing messages or information within other non-secret text or data.



Steganography



Cryptography
• Cryptography, a word with Greek origins, means “secret writing.”

• However, we use the term to refer to the science and art of transforming messages to
make them secure and immune to attacks.



Cryptography
• kryptos – “hidden”
• grafo – “write”

• Keeping messages secret
◦ Usually by making the message unintelligible to anyone that intercepts it



Problem
• [Figure: Bob sends a private message to Alice; Eve, eavesdropping on the channel, reads it]

Solution
• [Figure: Bob encrypts the private message, the scrambled message crosses the channel, and
Alice decrypts it; Eve's eavesdropping yields only the scrambled message]


Basic Terminology
• plaintext - original message
• ciphertext - coded message
• cipher - algorithm for transforming plaintext to ciphertext
• key - info used in cipher known only to sender/receiver
• encipher (encrypt) - converting plaintext to ciphertext
• decipher (decrypt) - recovering plaintext from ciphertext
• cryptography - study of encryption principles/methods
• cryptanalysis (codebreaking) - study of principles/ methods of deciphering ciphertext
without knowing key
• cryptology - field of both cryptography and cryptanalysis



Ciphers
• Symmetric cipher: same key used for encryption and decryption
• Block cipher:
◦ encrypts a block of plaintext at a time (typically 64 or 128 bits)
• Stream cipher:
◦ encrypts data one bit or one byte at a time

• Asymmetric cipher: different keys used for encryption and decryption



Symmetric Cipher Model
• An encryption scheme has five ingredients:
◦ Plaintext
◦ Encryption algorithm
◦ Secret Key
◦ Ciphertext
◦ Decryption algorithm

• Security depends on the secrecy of the key, not the secrecy of the algorithm



Symmetric Key Cipher Model



Symmetric Encryption
• Mathematically:
◦ Y = E_K(X) or Y = E(K, X)
◦ X = D_K(Y) or X = D(K, Y)
• X = plaintext
• Y = ciphertext
• K = secret key
• E = encryption algorithm
• D = decryption algorithm
• Both E and D are known to public



Symmetric Encryption
• type of encryption operations used
◦ Substitution
◦ Transposition
◦ Product
• way in which plaintext is processed
◦ Block
◦ Stream



Classical Ciphers
• Plaintext is viewed as a sequence of elements (e.g., bits or characters)
• Substitution cipher:
◦ replacing each element of the plaintext with another element.

• Transposition (or permutation) cipher:
◦ rearranging the order of the elements of the plaintext.

• Product cipher: using multiple stages of substitutions and transpositions



Caesar Cipher / Shift Cipher
• earliest known substitution cipher
• by Julius Caesar
• first use in military affairs
• replaces each letter by 3rd letter after
• example:
meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB



Caesar Cipher / Shift Cipher
• mathematically give each letter a number
a  b  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z
0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

• then have Caesar cipher as:
c = E_k(p) = (p + k) mod 26
p = D_k(c) = (c – k) mod 26
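The two formulas above, implemented as an added example (this code is not part of the lecture slides): letters are numbered a = 0 ... z = 25, encryption is c = (p + k) mod 26, decryption is p = (c − k) mod 26, and the result is checked against the slide's own "meet me after the toga party" example with k = 3. The helper names shift_encrypt and shift_decrypt are this example's own.

```python
# Added example: Caesar / shift cipher exactly as defined on the slide.
# Letters a..z are numbered 0..25; non-letters (spaces) pass through unchanged.
import string

ALPHABET = string.ascii_lowercase  # "abcdefghijklmnopqrstuvwxyz", index = letter number


def letter_to_number(ch: str) -> int:
    """a -> 0, b -> 1, ..., z -> 25 (case-insensitive, ASCII letters only)."""
    return ALPHABET.index(ch.lower())


def number_to_letter(n: int) -> str:
    """Inverse of letter_to_number; the modulo keeps n inside 0..25."""
    return ALPHABET[n % 26]


def shift_encrypt(plaintext: str, k: int) -> str:
    """c = E_k(p) = (p + k) mod 26 for every letter; output upper case as on the slide."""
    out = []
    for ch in plaintext:
        if ch.lower() in ALPHABET:
            out.append(number_to_letter(letter_to_number(ch) + k).upper())
        else:
            out.append(ch)  # spaces and punctuation are left alone
    return "".join(out)


def shift_decrypt(ciphertext: str, k: int) -> str:
    """p = D_k(c) = (c - k) mod 26; Python's % already makes a negative result positive."""
    out = []
    for ch in ciphertext:
        if ch.lower() in ALPHABET:
            out.append(number_to_letter(letter_to_number(ch) - k))
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    message = "meet me after the toga party"  # example from the slide
    ct = shift_encrypt(message, 3)
    print(ct)                      # PHHW PH DIWHU WKH WRJD SDUWB
    print(shift_decrypt(ct, 3))    # meet me after the toga party
```

Note that the key k can be any integer; a shift of 26 (or 0) leaves the text unchanged, which is why the cryptanalysis slide counts only 26 possible ciphers.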



Cryptanalysis of Caesar Cipher
• only have 26 possible ciphers
◦ A maps to A,B,..Z
• could simply try each in turn
• a brute force search
• given ciphertext, just try all shifts of letters
• do need to recognize when have plaintext
• e.g. break ciphertext "jfxd yt gwjfp"
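The brute-force search described on this slide, as an added example (not code from the lecture): all 26 shifts are tried, and the "do need to recognize when have plaintext" step is done with a small constructed English word list, which is this example's own assumption; a real tool would use a full dictionary or letter-frequency statistics. The function names all_shifts and break_caesar are this example's own.

```python
# Added example: brute-force attack on the Caesar cipher with a simple plaintext recogniser.
import string

ALPHABET = string.ascii_lowercase

# Constructed mini word list used only to recognise plaintext among the 26 candidates.
COMMON_WORDS = {"the", "to", "is", "it", "and", "of", "in", "easy", "break",
                "password", "seven", "dont", "tell", "anyone"}


def shift_decrypt(ciphertext: str, k: int) -> str:
    """p = (c - k) mod 26 per letter; non-letters are kept as they are."""
    out = []
    for ch in ciphertext:
        if ch.lower() in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch.lower()) - k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def all_shifts(ciphertext: str) -> dict:
    """Try every key: the 26 candidate plaintexts, keyed by shift k."""
    return {k: shift_decrypt(ciphertext, k) for k in range(26)}


def score(candidate: str) -> int:
    """Recogniser: how many whitespace-separated tokens are known English words."""
    return sum(1 for w in candidate.split() if w in COMMON_WORDS)


def break_caesar(ciphertext: str):
    """Return (key, plaintext) for the candidate the recogniser likes best."""
    candidates = all_shifts(ciphertext)
    best_k = max(candidates, key=lambda k: score(candidates[k]))
    return best_k, candidates[best_k]


if __name__ == "__main__":
    ct = "jfxd yt gwjfp"  # ciphertext from the slide
    for k, pt in all_shifts(ct).items():
        print(f"k = {k:2d}: {pt}")  # only one line reads as English
    print(break_caesar(ct))        # (5, 'easy to break')
```

The key space is the only thing protecting a shift cipher, and 26 keys is small enough that the attacker's real work is recognising plaintext, not trying keys; the same loop solves the "wkh sdvvzrug ..." ciphertext on the later Example slide with k = 3.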



Brute Force Search
• always possible to simply try every key
• most basic attack, exponential in key length
• assume either know / recognise plaintext



Language Redundancy and Cryptanalysis
• human languages are redundant
• e.g., "th lrd s m shphrd shll nt wnt"
• letters are not equally commonly used
• in English E is by far the most common letter
◦ followed by T,R,N,I,O,A,S
• other letters like Z,J,K,Q,X are fairly rare
• have tables of single, double & triple letter frequencies for various languages



Frequency Analysis



Frequency analysis
• [Figure: bar chart of sorted relative frequencies (%) of English letters, 0 to 14, in
descending order: E T A O I N S H R D L C U M W F G Y P B V K J X Q Z]



Example
• Cipher Text:

◦ wkh sdvvzrug lv vhyhq grqw whoo dqbrqh



Example Cryptanalysis
• given ciphertext:
◦ UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
◦ VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
◦ EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
• count relative letter frequencies



Example Cryptanalysis
• given ciphertext:
◦ UZQSOVUOHXMOPVGPOZPEVSGZWSZOPFPESXUDBMETSXAIZ
◦ VUEPHZHMDZSHZOWSFPAPPDTSVPQUZWYMXUZUHSX
◦ EPYEPOPDZSZUFPOMBZWPFUPZHMDJUDTMOHMQ
• guess P & Z are e and t
• guess ZW is th and hence ZWP is “the”

