Cryptography Introduction BUP

8/17/2019 Cryptography Introduction BUP

1/71

Introduction

Dr. Md. Mahbubur Rahman


2/71

Textbook

Cryptography: Theory and

Practice

by Douglas R. Stinson CRC

press

Cryptography and Network

Security: Principles and

Practice;By William Stallings

Prentice Hall

Network Security: Private

Communication in a Pulic

World

Charlie !au"man# $adia


3/71

Learning Objectives

• Describe the key security requirements ofcondentiality, integrity, and availability

• Discuss the types of security threats andattacks that must be dealt with and give

examples of threats and attacks that apply todierent categories of computer and networkassets

• Summarie the functional requirements for

computer security

• Describe the !"#$$ security architecture for%S&

• 'ryptography applications


4/71

Cryptography

()idden writing*

&ncreasingly used to protect

information 'an ensure condentiality• &ntegrity and +uthenticity too


5/71

History – The Manual Era

Dates back to at least $$$ -"'" .en and .aper 'ryptography

/xamples• Scytale

• +tbash

• 'aesar• 0igen1re


6/71

&nvention of cipher machines /xamples• 'onfederate +rmy2s 'ipher Disk

• 3apanese 4ed and .urple 5achines

• 6erman /nigma

History – The Mechanical Era


7/71

'omputers7

/xamples• 8ucifer

• 4i9ndael

• 4S+

• /l6amal

History – The Modern Era


8/71

Computer Security Concepts

• -efore the widespread use of data processingequipment, the security of information valuable toan organiation was provided primarily by physicaland administrative means

• :ith the introduction of the computer, the need for

automated tools for protecting les and otherinformation stored on the computer becameevident

• +nother ma9or change that aected security is the

introduction of distributed systems and the use ofnetworks and communications facilities for carryingdata between terminal user and computer andbetween computers


9/71

• Computer security• ;he generic name for the collection of

tools designed to protect data and to

thwart hackers• internet security

• 'onsists of measures to deter, prevent,detect, and correct security violations that

involve the transmission o inormation


10/71

Security Trends


11/71

Computer Se%urity “The protection

afforded to an automated

information system inorder to attain the

applicable objectives of

preserving the integrity,

availability, andconfidentiality of

information system

resources (includes

hardware, software,

firmware,

information/data, and

telecommunications)”

The '(ST Computer

Security Handook defines

the term %omputer se%urity

as)

This definition introdu%es three

key ob*e%ti#es that are at the

heart of %omputer se%urity.

N!T" National nstitute of !tandards

and Technology


12/71

!IST


13/71

Computer Security Objectives

• "ata con#dentiality• +ssures that private or condential

information is not made available ordisclosed to unauthoried individuals

•

$rivacy• +ssures that individuals control or

in


14/71

• "ata integrity• +ssures that information and programs

are changed only in a specied andauthoried manner• System integrity• +ssures that a system performs itsintended function in an unimpaired

manner, free from deliberate orinadvertent unauthoried manipulation ofthe system

&ntegrity


15/71

C(A Triad

The Se%urity Re+uirements Triad


16/71


17/71

Integrity : Information needs to be changed constantly.

Integrity means that changes need to be done only by authorized

entities and through authorized mechanisms.

Availability : The information created and stored by an

organization needs to be available to authorized entities.

Information needs to be constantly changed, which means it must

be accessible to authorized entities.

Confidentiality is probably the most common aspect of

information security. We need to protect our confidential

information. An organization needs to guard against those

malicious actions that endanger the confidentiality of its

information.


18/71

"ossible additional %on%epts)

+uthenticity• 0erifying that users

are who they saythey are and thateach input arrivingat the system camefrom a trustedsource

+ccountability• ;he security goal

that generates therequirement foractions of an entityto be traceduniquely to thatentity


19/71

,rea%h of Se%urity

- e#els of (mpa%t

• ;he loss could be expected to have asevere or catastrophic adverseeect on organiational operations,organiational assets, or individuals

)igh

• ;he loss could be expected to havea serious adverse e%ect onorganiational operations,organiational assets, or individuals

5oderate

• ;he loss could be expected

to have a limitedadverse e%ect onorgani&ationaloperations'organiational assets, orindividuals

8ow


20/71

E(amples o Security )e*uirements

Con#dentiality

Student gradeinormation is an

asset whosecondentiality isconsidered to be

highly important bystudents

4egulated by the=amily /ducational

4ights and .rivacy +ct>=/4.+?

Integrity

+consistency,

$atient inormationstored in a database

@ inaccurateinformation could

result in serious harmor death to a patient

and expose thehospital to massive

liability+ -eb site thato%ers a orum to

registered users todiscuss some specic

topic would beassigned a moderate

level of integrity+n example of a lowAintegrity requirement

is an anonymous

online poll

.vailability

;he more critical acomponent or

service, the higherthe level of availability

required

+ moderateavailability

requirement is apublic -eb site or

a university

+n online telephonedirectory loo/up

application would beclassied as a lowA

availability

requirement


21/71

Computer Security Challenges

Se%urity is not simple#otential attac$s on the

se%urity features need to

be considered

"ro%edures used to pro#ide

parti%ular ser#i%es are oftencounter%intuitive

(t is ne%essary to de%ide

where to use the #arious

se%urity me%hanisms

Re+uires constantmonitoring

(s too often an

afterthought

Se%urity me%hanismstypi%ally in#ol#e more than

a particular algorithm or

protocol

Se%urity is essentially a

battle of wits bet/een aperpetrator and the designer

&ittle benefit from se%urity

in#estment is perceived

until a se%urity failure o%%urs

Strong se%urity is often#ie/ed as an impediment

to effi%ient and user0friendly

operation


22/71

IT01T

The T' Telecommunication !tandardiation !ector

1T'%T2 is one of the three se%tors 1di#isions or units2 ofthe (nternational Tele%ommuni%ation 3nion 1(T324 it

%oordinates standards for tele%ommuni%ations.

The (T30T mission is to ensure the effi%ient and timely

produ%tion of standards %o#ering all fields of

tele%ommuni%ations on a /orld/ide basis! as /ell as

defining tariff and a%%ounting prin%iples for internationaltele%ommuni%ation ser#i%es.

http://en.wikipedia.org/wiki/International_Telecommunication_Unionhttp://en.wikipedia.org/wiki/Telecommunicationshttp://en.wikipedia.org/wiki/Telecommunicationshttp://en.wikipedia.org/wiki/International_Telecommunication_Union


23/71

OSI

!% The nternational rganiation for

!tandardiation (*rench" Organisation internationale

de normalisation+) produced ! ($pen Systems

(nter%onne%tion Referen%e Model! the $S( Referen%eModel! or e#en *ust the $S( Model)

http://en.wikipedia.org/wiki/French_languagehttp://en.wikipedia.org/wiki/French_language


24/71

History O2 OSI

(n the late 5678s! t/o pro*e%ts began independently! /iththe same goal) to define a unifying standard for the

ar%hite%ture of net/orking systems.

$ne /as administered by the (nternational $rganiationfor Standardiation 1(S$2! /hile the other /as undertaken

by the (nternational Telegraph and Telephone Consultati#e

Committee! or CC(TT 1the abbre#iation is from the 9ren%h

#ersion of the name2.

These t/o international standards bodies ea%h de#eloped

a do%ument that defined similar net/orking models. (S$

7:6;! (T30T 1formerly CC(TT 2 standard


25/71

34566


26/71

$S( Se%urity Ar%hite%ture

!ecurity attac$

ny action that compromises the se%urity of information

o/ned by an organiation

!ecurity mechanism

process 1or a de#i%e in%orporating su%h a pro%ess2 thatis designed to detect, prevent, or recover from a se%urity

atta%k

!ecurity service

processing or communication service that enhances

the security of the data pro%essing systems and theinformation transfers of an organiation

ntended to counter security attac$s! and they make

use of one or more se%urity me%hanisms to pro#ide the

ser#i%e

(T30T Re%ommendation


27/71

IET2 and )2C

The nternet -ngineering Tas$ *orce 1-T*2 156;>2

de#elops and promotes #oluntary (nternet standards! in

parti%ular the standards that %omprise the

(nternet proto%ol suite 1TC"?("2.

A .euest for 0omments 1.*02 is a publi%ation of the

(nternet @ngineering Task 9or%e 1(@T92 and the

(nternet So%iety! the prin%ipal te%hni%al de#elopment and

standards0setting bodies for the (nternet.

The nternet !ociety 1!oc2 is an international! non0

profit organiation founded in 566= to pro#ide leadership

in (nternet related standards! edu%ation! and poli%y.

http://en.wikipedia.org/wiki/Internet_standardhttp://en.wikipedia.org/wiki/Internet_protocol_suitehttp://en.wikipedia.org/wiki/Internet_Engineering_Task_Forcehttp://en.wikipedia.org/wiki/Internet_Societyhttp://en.wikipedia.org/wiki/Internethttp://en.wikipedia.org/wiki/Internethttp://en.wikipedia.org/wiki/Internethttp://en.wikipedia.org/wiki/Internethttp://en.wikipedia.org/wiki/Internet_Societyhttp://en.wikipedia.org/wiki/Internet_Engineering_Task_Forcehttp://en.wikipedia.org/wiki/Internet_protocol_suitehttp://en.wikipedia.org/wiki/Internet_standard


28/71

ATTACKS

The three goals of security

confidentiality,integrity, and availability can be threatened

by security attacks.


29/71

Threats and .ttac/s +)2C 7878,

Internet Security9lossary' :ersion ;

;his 6lossary provides denitions, abbreviations, andexplanations of terminology for information systemsecurity"


30/71


31/71

Se%urity Atta%ks

means of classifying se%urity atta%ks! used both in


32/71

"assi#e Atta%ks

1T/o types2

Two types of passi#e

atta%ks are)

The release of

message %ontentsTraffi% analysis

Are in the nature ofeavesdropping on! or

monitoring of !transmissions

Boal of the opponent isto obtain information

that is being transmitted


33/71

Snooping refers to unauthorized access to or interception ofdata.


34/71

Traffic analysis refers to obtaining some other type ofinformation by monitoring online traffic.

.ctive .ttac/s +7 types,


35/71

.ctive .ttac/s +7 types,

nvolve some modification of the data stream or the%reation of a false stream

1ifficult to prevent be%ause of the /ide #ariety of potential

physi%al! soft/are! and net/ork #ulnerabilities

2oal is to detect attac$s and to recover from any disruption

or delays %aused by them


36/71

Modification means that the attacker intercepts the message

and changes it.

Masquerading or spoofing happens when the attacker

impersonates somebody else.

Replaying means the attacker obtains a copy

of a message sent by a user and later tries to replay it.

Repudiation means that sender of the message might laterdeny that she has sent the message the receiver of the

message might later deny that he has received the message.


37/71

Denial of service (DoS) is a very common attack. It mayslow down or totally interrupt the service of a system.


38/71

ctive ttac$s (3 types)


39/71


40/71


41/71

SERVICES AND MECHANISMS

IT!T provides some security services and some

mechanisms to implement those services. Security

services and mechanisms are closely related because a

mechanism or combination of mechanisms are used to

provide a service.


42/71

Security Services

Se%urity ser#i%e defined by


43/71


44/71


45/71

SecurityServices>!"#$$?

Authenti%ation


46/71

Authenti%ation

Con%erned /ith assuring that a %ommuni%ation is

authenti%(n the %ase of a single message! assures the

re%ipient that the message is from the sour%e that it

%laims to be from

(n the %ase of ongoing intera%tion! assures the twoentities are authentic and that the %onne%tion is

not interfered /ith in su%h a /ay that a third party

%an mas+uerade as one of the t/o legitimate

parties

T/o entities are %onsidered peers if they implement

the same proto%ol in different systems 1e.g.! t/o TC" modules in t/o

%ommuni%ating systems2.


47/71

A%%ess Control

The ability to limit and control the access to hostsystems and appli%ations #ia %ommuni%ations links

To a%hie#e this! ea%h entity trying to gain a%%ess must

first be identified! or authenticated, so that a%%ess

rights %an be tailored to the indi#idual


48/71

Data Confidentiality

The prote%tion of transmitted data from passive attac$s

4roadest service prote%ts all user data transmittedbet/een t/o users o#er a period of time

Narrower forms of service in%lude the protection of

a single message or e#en spe%ifi% fields /ithin a

message

The protection of traffic flow from analysis

This re+uires that an attac$er not be able to observe

the source and destination, freuency, length, or

other %hara%teristi%s of the traffi% on a %ommuni%ations

fa%ility

Data (ntegrity


49/71

Data (ntegrity

'onrepudiation


50/71

'onrepudiation

"re#ents either sender or re%ei#er from denying a

transmitted message

hen a message is sent! the receiver can prove that

the alleged sender in fa%t sent the message

hen a message is re%ei#ed! the sender can prove

that the alleged re%ei#er in fa%t re%ei#ed the message

A#ailability ser#i%e


51/71


A#ailability

The property of a system or a system resour%e being

accessible and usable upon demand by anauthoried system entity! a%%ording to

performan%e spe%ifi%ations for the system


$ne that prote%ts a system to ensure its availabilityddresses the security %on%erns raised by denial%

of%service attac$s

Depends on proper management and %ontrol of

system resour%es

Security Mechanisms +3 566,


52/71

Security Mechanisms +34566,

• Specic security mechanismsB incorporatedinto the appropriate protocol layer in order toprovide some of the %S& security services

• /ncipherment

• digital signatures

• access controls

• data integrity

• authentication exchange

• traCc padding

• routing control

• notariation


53/71


54/71

Security

5echanisms>!"#$$?

)elationship


55/71

)elationship


56/71

)elationship


57/71

5.7

TECHNIQUES

!echanisms discussed already are only theoretical

recipes to implement security. The actual

implementation of security goals needs some

techni"ues. Two techni"ues are prevalent today#cryptograp"y and steganograp"y#

$ h


58/71

5.;

$ryptography

$ryptography, a word with %reek origins, means&secret writing.' (owever, we use the term to refer to

the science and art of transforming messages to make

them secure and immune to attacks.

Steganography


59/71

5.6

Steganography

The word steganography, with origin in %reek, means

&covered writing,' in contrast with cryptography, whichmeans &secret writing.'

)*ample# covering data with te*t


60/71

5.>8

)*ample# using dictionary

)*ample# covering data under color image

-hat is Cryptology


61/71

a s C yp o ogy

cryptographyB ;he act or art of writing in secret characters"

• cryptanalysisB ;he analysis and deciphering of secretwritings"• cryptologyB >:ebster2s? the scientic study of cryptographyand cryptAanalysis"&n our context cryptology is the scientic study of protection

of information"

Cryptographic Services


62/71

yp g p

'ryptography supports the following servicesB

" 'ondentiality

" &ntegrity

E" +uthentication

F" &dentity

G" ;imeliness

H" .roof of ownership

/ach has various dierent requirements in dierentcircumstances, and each issupported by a wide variety ofschemes"

.pplications


63/71

pp

" 'ommunications >encryption or

authentication?

" =ile and data base security

E" /lectronic funds transfer

F" /lectronic 'ommerce

G" Digital cash

H" 'ontract signing

I" /lectronic mail

#" +uthenticationB .asswords, .&Js

K" Secure identication, +ccess control

$" Secure protocols

" .roof of knowledge

.pplications +cont4,


64/71

pp + ,

" 'onstruction by collaborating parties >secret sharing?

E" 'opyright protection

F" etc"

Model for 'et/ork Se%urity


65/71

y

A Model for 'et/ork Se%urity


66/71

y

3sing this model re+uires us to)5. Design a suitable algorithm for the se%urity

transformation=. Benerate the se%ret information 1keys2 used by the

algorithm-. De#elop methods to distribute and share the se%retinformation

:. Spe%ify a proto%ol enabling the prin%ipals to use thetransformation and se%ret information for a se%urityser#i%e

'et/ork A%%ess Se%urity Model


67/71

y

A Model for 'et/ork A%%ess


68/71

A Model for 'et/ork A%%ess

Se%urity

3sing this model re+uires us to)5. Sele%t appropriate gatekeeper fun%tions to identify users=. (mplement se%urity %ontrols to ensure only authoried

users a%%ess designated information or resour%es

3n/anted A%%ess


69/71

"la%ement in a %omputersystem of logi% that exploits

#ulnerabilities in the system

and that %an affe%t appli%ation

programs as /ell as utilityprograms

standards


70/71

'(ST

'ational (nstitute of

Standards and Te%hnology

3.S. federal agen%y that

deals /ith measurement

s%ien%e! standards! andte%hnology related to 3.S.

go#ernment use and to the

promotion of 3.S. pri#ate0

se%tor inno#ation

'(ST 9ederal (nformation

"ro%essing Standards 19("S2

and Spe%ial "ubli%ations 1S"2

ha#e a /orld/ide impa%t

(S$C

(nternet So%iety

"rofessional membership so%iety

/ith /orld/ide organiational and

indi#idual membership

"ro#ides leadership in addressing

issues that %onfront the future of the

(nternet(s the organiation home for the

groups responsible for (nternet

infrastru%ture standards! in%luding

the (nternet @ngineering Task 9or%e

1(@T92 and the (nternet Ar%hite%ture

,oard 1(A,2(nternet standards and related

spe%ifi%ations are published as

Re+uests for Comments 1R9Cs2

Summary


71/71

Computer se%urity

%on%eptsDefinition

@xamples

Challenges

The $S( se%urityar%hite%ture

Se%urity atta%ks

"assi#e atta%ks

A%ti#e atta%ks

Se%urity ser#i%es

Authenti%ation A%%ess %ontrol

Data %onfidentiality

Data integrity

'onrepudiation A#ailability ser#i%e

Se%urity me%hanisms

Model for net/ork

se%urity

Standards

Documents

Cryptography Introduction BUP