Information Security Handsout

Uploaded by

Nateqa Waqas
Information Security

Information Security / Cyber Security / Network Security

Types of data

• At rest
• In motion
Basics to Secure Data/Information

• Confidentiality
• Integrity
• Availability
Confidentiality

(a) Data confidentiality:
Assures that private or confidential information is not made available or disclosed to unauthorized individuals.

(b) Privacy:
Assures that individuals control or influence
• what information related to them may be collected and stored
• by whom and to whom that information may be disclosed.
Integrity
(a) Data integrity:
Assures that information and programs are changed only in a specified and authorized manner.

(b) System integrity:
Assures that a system performs its planned function in an unimpaired manner (not weakened or damaged).
Availability
• Assures that systems work promptly and service is not denied to authorized users.

➢Two more terminologies:
• Authenticity
• Accountability
Level of Impact
• If we fail to achieve confidentiality, availability and integrity then we
might have to face some adverse impacts.
Levels of Impact
• There are three levels of impact.

• These levels are defined in FIPS PUB 199 (Federal Information Processing Standards).

• Three security levels are:
o Low
o Moderate
o High
Low Impact
➢The loss could be expected to have a limited negative effect on:
• organizational operations
• organizational assets
• individuals

➢A limited negative effect means:
(i) minor degradation in effectiveness of the functions
(ii) minor damage to organizational assets
(iii) minor financial loss
(iv) minor harm to individuals
Moderate Impact
➢The loss could be expected to have a significant negative effect on:
• organizational operations
• organizational assets
• individuals

➢A significant negative effect means:
(i) significant degradation in effectiveness of the functions
(ii) significant damage to organizational assets
(iii) significant financial loss
(iv) significant harm to individuals
High Impact
➢The loss could be expected to have a major negative effect on:
• organizational operations
• organizational assets
• individuals

➢A major negative effect means:
(i) major degradation in effectiveness of the functions
(ii) major damage to organizational assets
(iii) major financial loss
(iv) major harm to individuals
Computer Security Challenges
Taken from Network Security Essentials by William Stallings

1. not simple: easy to get it wrong

2. must consider potential attacks

3. procedures used are counter-intuitive

4. involve algorithms and secret info

5. must decide where to deploy mechanisms

6. battle of wits between attacker / admin

7. not perceived as a benefit until it fails

8. requires regular monitoring: a process, not an event

9. too often an after-thought

10. security should be user friendly


Encryption
What is Encryption?
• The process of converting data or information into a meaningless form.
Some Basic Terminology
• plaintext - original message

• ciphertext - coded message

• cipher - algorithm for transforming plaintext to ciphertext

• key - info used in cipher known only to sender/receiver

• encipher (encrypt) - converting plaintext to ciphertext

• decipher (decrypt) - recovering plaintext from ciphertext

• cryptography - study of encryption principles/methods

• cryptanalysis (codebreaking) - study of principles/methods of deciphering ciphertext without knowing key

• cryptology - field of both cryptography and cryptanalysis


Types of Operation
• The types of operations used for transforming plaintext to ciphertext:

• Substitution
o substitution, in which each element in the plaintext (bit, letter, group of bits or letters) is mapped into another element
o It can be monoalphabetic or polyalphabetic

• Transposition
o transposition, in which elements in the plaintext are rearranged. The fundamental requirement is that no information is lost

• Product
o product systems involve multiple stages of substitutions and transpositions
ROT 13
• ROT13 is a simple letter substitution cipher that replaces a letter with the 13th letter after it in the alphabet. It is a monoalphabetic cipher.

A B C D E F G H I J K L M
N O P Q R S T U V W X Y Z

➢EXAMPLE
Encryption
Plain Text:  S E C U R I T Y
Cipher Text: F R P H E V G L

Decryption
Cipher Text: C Y N L
Plain Text:  P L A Y
Rail Fence Cipher
• The rail fence cipher is the simplest transposition cipher.
• The plain text is written as a sequence of diagonals.
• To obtain the cipher text, the text is read as a sequence of rows.
➢EXAMPLE
• Plain Text: HOW ARE YOU

H   W   R   Y   U
  O   A   E   O

• Cipher Text: H W R Y U O A E O
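
The rail fence steps above as code (an added example, not part of the original slides). It goes beyond the two-row case on the slide by accepting any number of rails and by including decryption; the function names are assumptions of this example.

```python
def rail_pattern(length: int, rails: int) -> list[int]:
    """Rail (row) index of each position when the text is written in a zigzag."""
    if rails < 2:
        raise ValueError("need at least 2 rails")
    cycle = 2 * rails - 2            # positions before the zigzag repeats
    return [min(i % cycle, cycle - i % cycle) for i in range(length)]


def rail_fence_encrypt(plaintext: str, rails: int = 2) -> str:
    """Write the text along the diagonals, then read it off row by row."""
    text = "".join(plaintext.split()).upper()   # the slide drops the spaces
    pattern = rail_pattern(len(text), rails)
    return "".join(ch
                   for row in range(rails)
                   for ch, rail in zip(text, pattern) if rail == row)


def rail_fence_decrypt(ciphertext: str, rails: int = 2) -> str:
    """Rebuild the zigzag: work out which position each ciphertext letter
    came from, then put it back. No letter is lost, only moved."""
    pattern = rail_pattern(len(ciphertext), rails)
    # Positions in the order the encryptor read them: row 0 first, then row 1...
    read_order = sorted(range(len(ciphertext)), key=lambda i: (pattern[i], i))
    plain = [""] * len(ciphertext)
    for ch, pos in zip(ciphertext, read_order):
        plain[pos] = ch
    return "".join(plain)


if __name__ == "__main__":
    ct = rail_fence_encrypt("HOW ARE YOU")      # the slide's example, 2 rails
    print(ct, rail_fence_decrypt(ct))
    print(rail_fence_encrypt("HOW ARE YOU", rails=3))
```
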
Types of Encryption

• The process of converting plain text into cipher text using some process (algorithm) is known as encryption.

• Two major types:
• Symmetric/private key
• Asymmetric/public key
Symmetric Vs Asymmetric
Symmetric encryption
Same key (private key) for encryption and decryption.
Plain text → encryption → Cipher text → decryption → Plain text
Examples:
• AES
• DES
• Blowfish
• RC4
• Vigenere
• playfair
Asymmetric encryption
Different keys: public key and private key.
Plain text → encryption → Cipher text → decryption → Plain text
Examples:
• RSA
• ECC
• DSA
Stream Vs Block Cipher
Stream cipher
Plain text: H O L I D A Y → encryption (key) → cipher text: J D T P W Z Y
Examples:
• RC4
• Caesar
• playfair
Block cipher
Plain text: Hello how are you → blocks: Hello, howa, reyo, u### → encryption (key) → cipher text: jlnp rdj stc uyo
Examples:
• DES
• AES
Caesar cipher
➢Convert the given plain text into cipher text using Caesar cipher.
Plain text: B U Z Z

Features:
• stream
• Substitution
• monoalphabetic

A  B  C  D  E  F  G  H  I  J  K  L  M
0  1  2  3  4  5  6  7  8  9  10 11 12
N  O  P  Q  R  S  T  U  V  W  X  Y  Z
13 14 15 16 17 18 19 20 21 22 23 24 25

For B              For U               For Z               For Z
(B + 3) mod 26     (U + 3) mod 26      (Z + 3) mod 26      (Z + 3) mod 26
(1 + 3) mod 26     (20 + 3) mod 26     (25 + 3) mod 26     (25 + 3) mod 26
4 mod 26           23 mod 26           28 mod 26           28 mod 26
4 (E)              23 (X)              2 (C)               2 (C)

Cipher Text: E X C C
Vigenere Cipher
• It is a polyalphabetic substitution, symmetric key encryption method.

Example: Convert the given plain text into cipher text with the help of the given key using the Vigenere method.

Plain Text: H E L L O
Key: A B C D

Note: The key is repeated until its length equals the length of the plain text.
Vigenere Cipher (continued)
Plain Text: H E L L O
Key:        A B C D A

A  B  C  D  E  F  G  H  I  J  K  L  M
0  1  2  3  4  5  6  7  8  9  10 11 12
N  O  P  Q  R  S  T  U  V  W  X  Y  Z
13 14 15 16 17 18 19 20 21 22 23 24 25

(P1 + k1) mod 26   (P2 + k2) mod 26   (P3 + k3) mod 26   (P4 + k4) mod 26   (P5 + k5) mod 26
(H + A) mod 26     (E + B) mod 26     (L + C) mod 26     (L + D) mod 26     (O + A) mod 26
(7 + 0) mod 26     (4 + 1) mod 26     (11 + 2) mod 26    (11 + 3) mod 26    (14 + 0) mod 26
7 mod 26           5 mod 26           13 mod 26          14 mod 26          14 mod 26
7 (H)              5 (F)              13 (N)             14 (O)             14 (O)

Cipher Text: H F N O O
Vigenere Cipher (continued)
Example: Convert the given cipher text into plain text with the help of the given key using the Vigenere method.
Cipher Text: X W C F R
Key: T Z C

(C1 - k1) mod 26   (C2 - k2) mod 26   (C3 - k3) mod 26   (C4 - k4) mod 26   (C5 - k5) mod 26
(X - T) mod 26     (W - Z) mod 26     (C - C) mod 26     (F - T) mod 26     (R - Z) mod 26
(23 - 19) mod 26   (22 - 25) mod 26   (2 - 2) mod 26     (5 - 19) mod 26    (17 - 25) mod 26
4 mod 26           -3 mod 26          0 mod 26           -14 mod 26         -8 mod 26
4 (E)              23 (X)             0 (A)              12 (M)             18 (S)

Plain Text: E X A M S
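
The ROT13, Caesar and Vigenere calculations above all apply the same rule, (P + k) mod 26 to encrypt and (C - k) mod 26 to decrypt. The following added example (not part of the original slides; function names are assumptions) implements Vigenere once and expresses the other two as single-letter keys.

```python
import string

ALPHABET = string.ascii_uppercase   # A=0 ... Z=25, as in the tables above


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Apply (P + k) mod 26, or (C - k) mod 26 when decrypt is True.

    The key is repeated to the length of the text. Characters that are
    not letters pass through unchanged and do not use up a key letter.
    """
    if not key or any(k not in ALPHABET for k in key.upper()):
        raise ValueError("key must be a non-empty string of letters A-Z")
    shifts = [ALPHABET.index(k) for k in key.upper()]
    sign = -1 if decrypt else 1
    out, used = [], 0
    for ch in text.upper():
        if ch not in ALPHABET:
            out.append(ch)
            continue
        k = shifts[used % len(shifts)]
        used += 1
        # Python's % always lands in 0..25, so -3 % 26 == 23 as on the slide.
        out.append(ALPHABET[(ALPHABET.index(ch) + sign * k) % 26])
    return "".join(out)


def caesar(text: str, decrypt: bool = False) -> str:
    """Caesar cipher: every letter shifted by 3, i.e. Vigenere with key 'D'."""
    return vigenere(text, "D", decrypt)


def rot13(text: str) -> str:
    """ROT13: shift of 13 (key 'N'); applying it twice restores the text."""
    return vigenere(text, "N")


if __name__ == "__main__":
    print(rot13("SECURITY"), rot13("CYNL"))          # slide: ROT13
    print(caesar("BUZZ"))                            # slide: Caesar
    print(vigenere("HELLO", "ABCD"))                 # slide: Vigenere encrypt
    print(vigenere("XWCFR", "TZC", decrypt=True))    # slide: Vigenere decrypt
```

Because ROT13 and Caesar use one fixed shift for every letter, they are monoalphabetic; the changing shift per position is what makes Vigenere polyalphabetic.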
Playfair Cipher
➢Convert the given plain text into cipher text using the playfair technique.
Plain text: C O M M E R C E
Key: H E L L O
Key letters without repeats: H E L O

H   E  L  O  A
B   C  D  F  G
I/J K  M  N  P
Q   R  S  T  U
V   W  X  Y  Z

Make pairs of the plain text: CO MM ER CE

A pair cannot be made with the same letter: CO MZ ME RC EX
Playfair Cipher (continued)
Plain text:  CO MZ ME RC EX
Cipher text: FE PX KL WK LW

Cipher Text: FEPXKLWKLW
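
The Playfair worked example above as code (an added example, not part of the original slides). It follows the slide's choices of Z as the filler for a doubled letter and X to complete a final single letter, and uses the standard Playfair rules for same-row, same-column and rectangle pairs; the function names are assumptions.

```python
ALPHA = "ABCDEFGHIKLMNOPQRSTUVWXYZ"   # 25 letters, J shares a cell with I
FILLER, PAD = "Z", "X"                # as on the slide: MM -> MZ, final E -> EX


def build_square(key: str) -> list[str]:
    """Key letters first (repeats dropped), then the unused letters."""
    square = []
    for ch in key.upper().replace("J", "I") + ALPHA:
        if ch in ALPHA and ch not in square:
            square.append(ch)
    return square


def make_pairs(plaintext: str) -> list[str]:
    """Split into pairs; a pair may not hold the same letter twice."""
    letters = [c for c in plaintext.upper().replace("J", "I") if c in ALPHA]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        if i + 1 < len(letters) and letters[i + 1] != a:
            pairs.append(a + letters[i + 1])
            i += 2
        else:
            # Doubled letter -> FILLER; lone last letter -> PAD.
            extra = FILLER if i + 1 < len(letters) else PAD
            if extra == a:                      # never produce ZZ or XX
                extra = PAD if a == FILLER else FILLER
            pairs.append(a + extra)
            i += 1
    return pairs


def playfair_encrypt(plaintext: str, key: str) -> str:
    sq = build_square(key)
    out = []
    for a, b in make_pairs(plaintext):
        ra, ca = divmod(sq.index(a), 5)
        rb, cb = divmod(sq.index(b), 5)
        if ra == rb:        # same row: take the letter to the right
            ca, cb = (ca + 1) % 5, (cb + 1) % 5
        elif ca == cb:      # same column: take the letter below
            ra, rb = (ra + 1) % 5, (rb + 1) % 5
        else:               # rectangle: keep the row, swap the columns
            ca, cb = cb, ca
        out.append(sq[ra * 5 + ca] + sq[rb * 5 + cb])
    return "".join(out)


if __name__ == "__main__":
    print(playfair_encrypt("COMMERCE", "HELLO"))
```
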
SECURITY ATTACKS
➢Security attacks are classified into two types:

• passive attacks
• active attacks
Passive Attacks
▪ A passive attack makes use of information from the system but does not affect system resources.

▪ It takes the form of eavesdropping on, or monitoring of, transmissions.

▪ The goal of the opponent is to obtain information that is being transmitted.

▪ Two types of passive attacks are the release of message contents and traffic analysis.
Passive Attack—Release of Message Content

A telephonic conversation, an e-mail message or a transferred file may contain confidential data. A passive attack (Release of Message Content) may monitor the contents of these transmissions.
Passive Attack—Traffic Analysis

In this attack the eavesdropper analyzes the traffic, determines the location, identifies communicating hosts, and observes the frequency and length of messages being exchanged. Using all this information they predict the nature of the communication. All incoming and outgoing traffic of the network is analyzed but not altered.

(Figure: observe pattern of messages from Bob to Alice)
Passive Attacks-Summary
• Passive attacks are very difficult to detect.

• They do not involve any alteration of the data.

• Typically, the message traffic is sent and received in an apparently normal fashion.

• Neither the sender nor the receiver is aware that a third party has read the messages or observed the traffic pattern.

• However, it is feasible to prevent the success of these attacks, usually by means of encryption.

• Thus the emphasis in dealing with passive attacks is on prevention rather than detection.
Active Attacks
• An active attack attempts to alter system resources or affect their operation.

• It involves some modification of the data stream or the creation of a false stream and can be subdivided into four categories:
• masquerade
• replay
• modification of messages
• denial of service
Active Attack: Masquerade

A masquerade takes place when one entity pretends to be a different entity.
Active Attack: Replay

Replay involves the capture of a data unit and its subsequent retransmission to produce an unauthorized effect (replay previous messages).
Active Attack: Modification

Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect.

(Figure: modified message)
Active Attack: Denial of Service

The denial of service prevents the normal use or management of communications facilities. This attack may have a specific target; for example, an entity may suppress all messages directed to a particular destination.

(Figure: block delivery of message)
Active Attacks: Summary

• Active attacks are easy to detect.

• It is difficult to prevent active attacks.

• This is because of the wide variety of potential physical, software, and network vulnerabilities.
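
One way a receiver can detect two of the active attacks described above, modification of messages and replay (an added example, not part of the original slides). The HMAC-SHA256 tag, the 8-byte sequence number, the shared key and all names are assumptions of this example; the sample messages are constructed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed shared secret for this example
TAG_LEN = 32                    # size of an HMAC-SHA256 tag in bytes


def seal(seq: int, body: bytes, key: bytes = KEY) -> bytes:
    """Sender side: sequence number + body, followed by an integrity tag."""
    msg = seq.to_bytes(8, "big") + body
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


class Receiver:
    """Rejects altered messages (tag mismatch) and replayed, delayed or
    reordered ones (sequence number not higher than the last accepted)."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_seq = -1

    def accept(self, packet: bytes) -> str:
        if len(packet) < 8 + TAG_LEN:
            return "rejected: malformed"
        msg, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        # Constant-time comparison; any changed bit in msg changes the tag.
        if not hmac.compare_digest(tag, expected):
            return "rejected: modified"
        seq = int.from_bytes(msg[:8], "big")
        if seq <= self.last_seq:
            return "rejected: replay"
        self.last_seq = seq
        return "accepted: " + msg[8:].decode("utf-8", "replace")


if __name__ == "__main__":
    rx = Receiver()
    first = seal(1, b"transfer 10 to Bob")          # constructed message
    print(rx.accept(first))                         # accepted
    print(rx.accept(first))                         # same bytes again: replay
    altered = bytearray(seal(2, b"transfer 10 to Bob"))
    altered[9] ^= 0x01                              # one bit changed in transit
    print(rx.accept(bytes(altered)))                # modified
```

A message built without the shared key fails the same tag check, so a sender pretending to be another entity is rejected as well; denial of service is not addressed by this check.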
More slides will be uploaded soon
