Introduction To Information Security
by Dr. Rana Al-janabi
These slides are based on the book
Cryptography and Network Security
by William Stallings
Information Security
• is the practice of protecting information by
mitigating information risks. It is part of
information risk management. It typically
involves preventing or at least reducing the
probability of unauthorized/inappropriate access,
use, disclosure, disruption, deletion/destruction,
corruption, modification, inspection, recording or
devaluation, although it may also involve
reducing the adverse impacts of incidents.
06/01/2020 2
• Information security's primary focus is the
balanced protection of the confidentiality,
integrity and availability of data (also
known as the CIA triad) while maintaining
a focus on efficient policy implementation,
all without hampering organization
productivity
Definitions
• Computer Security - generic name for
the collection of tools designed to protect
data and to thwart hackers
• Network Security - measures to protect
data during their transmission
Information security aspects
Security attacks are classified
as either passive attacks, which
include unauthorized reading of a
message or file and traffic
analysis, or active attacks, such as
modification of messages or
files, and denial of service.
Information security aspects
A security mechanism is any process (or a
device incorporating such a process) that is
designed to detect, prevent, or recover
from a security attack. Examples of
mechanisms are encryption algorithms,
digital signatures, and authentication
protocols.
Security services include authentication,
access control, data confidentiality, data
integrity, non-repudiation, and availability.
Security Services
• Authentication - is distinct from authorization,
which is the process of giving individuals access
to system objects based on their identity.
Authentication merely ensures that the
individual is who he or she claims to be, but
says nothing about the access rights of the
individual.
• Access Control - is a security term used to
refer to a set of policies for restricting access to
information; prevention of the unauthorized use
of a resource
Security Services
• Data Confidentiality - protection of data
from unauthorized disclosure
• Data Integrity - assurance that data
received is as sent by an authorized entity
• Non-Repudiation - is a legal concept that
is widely used in information security and
refers to a service, which provides proof of
the origin of data and the integrity of the
data.
Security Mechanisms
• specific security mechanisms:
– encipherment, digital signatures, access
controls, data integrity, authentication
exchange, traffic padding, routing control,
notarization
• pervasive security mechanisms:
– trusted functionality, security labels, event
detection, security audit trails, security
recovery
Security Attack
• is a security threat that involves an
attempt to obtain, alter, destroy,
remove, or reveal information without
permission. It happens to both
individuals and organizations.
Security Attacks can be
classified as
• passive attacks - eavesdropping on, or
monitoring of, transmissions to:
– obtain message contents, or
– monitor traffic flows
• active attacks – modification of data stream to:
– masquerade of one entity as some other
– replay previous messages
– modify messages in transit
– denial of service
Types of Attacks
• An active attack involves using
information gathered during a passive
attack to compromise a user or network.
There are many types of active attacks.
In a masquerade attack, an intruder will
pretend to be another user to gain access
to the restricted area in the system.
Passive Attack
Active Attack
Cryptography
• can be characterized by:
– type of encryption operations used
• substitution / transposition / product
– number of keys used
• single-key or private / two-key or public
– way in which plaintext is processed
• block / stream
Symmetric Encryption
• or conventional / private-key / single-key
• sender and recipient share a common key
• all classical encryption algorithms are
private-key
• was the only type prior to the invention of
public-key in the 1970s
Requirements
• two requirements for secure use of
symmetric encryption:
– a strong encryption algorithm
– a secret key known only to sender / receiver
Y = E_K(X)
X = D_K(Y)
• assume encryption algorithm is known
• implies a secure channel to distribute key
Brute Force Search
• It always tries every possible key
• It depends on key size
• assumes the plaintext is either known or recognisable
Classical Substitution Ciphers
• In classical substitution ciphers, letters of
plaintext are replaced by other letters or by
numbers or symbols
• or plaintext bit patterns are replaced with
ciphertext bit patterns
Monoalphabetic Cipher
• rather than just shifting the alphabet
• could shuffle (jumble) the letters arbitrarily
• each plaintext letter maps to a different random
ciphertext letter
• hence key is 26 letters long
Plain: abcdefghijklmnopqrstuvwxyz
Cipher: DKVQFIBJWPESCXHTMYAUOLRGZN
Plaintext: ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA
Monoalphabetic Cipher Security
• It uses 26 keys
• In spite of the many keys that are used,
this type of cipher is not secure
• problem is language characteristics
Language Redundancy and
Cryptanalysis
• natural languages are redundant
• eg "th lrd s m shphrd shll nt wnt"
• letters are not equally commonly used
• in English e is by far the most common letter
• then T,R,N,I,O,A,S
• other letters are fairly rare
• cf. Z,J,K,Q,X
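Added example (not part of the original slides): the Python sketch below applies the key from the Monoalphabetic Cipher slide and shows that substitution only relabels the letter-frequency histogram, so the most frequent ciphertext letter stands for the most frequent plaintext letter. The function names are illustrative.

```python
from collections import Counter
import string

# Key from the Monoalphabetic Cipher slide: plain a..z -> cipher letters.
PLAIN = string.ascii_lowercase
CIPHER = "DKVQFIBJWPESCXHTMYAUOLRGZN"

ENC = str.maketrans(PLAIN, CIPHER)
DEC = str.maketrans(CIPHER, PLAIN)


def encrypt(plaintext: str) -> str:
    """Replace each lowercase plaintext letter by its key letter."""
    return plaintext.translate(ENC)


def decrypt(ciphertext: str) -> str:
    """Invert the substitution."""
    return ciphertext.translate(DEC)


def frequency_profile(text: str) -> list:
    """Letter counts sorted high to low, ignoring which letter owns which count."""
    return sorted(Counter(text).values(), reverse=True)


def most_common_letter(text: str) -> str:
    """The single most frequent letter in the text."""
    return Counter(text).most_common(1)[0][0]


if __name__ == "__main__":
    pt = "ifwewishtoreplaceletters"   # plaintext from the slide
    ct = encrypt(pt)
    print(ct)
    # The histogram shape survives encryption; only the labels change.
    print(frequency_profile(pt) == frequency_profile(ct))
    top = most_common_letter(ct)
    print(top, "->", decrypt(top))
```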
English Letter Frequencies
Polyalphabetic Ciphers
• Another approach to improving security is to
use multiple cipher alphabets
• called polyalphabetic substitution ciphers
• makes cryptanalysis harder with more alphabets
to guess and flatter frequency distribution
• use a key to select which alphabet is used for
each letter of the message
• use each alphabet in turn
• repeat from start after end of key is reached
Vigenère Cipher
• simplest polyalphabetic substitution cipher
is the Vigenère Cipher
• effectively multiple Caesar ciphers
• key is multiple letters long K = k_1 k_2 ... k_d
• i-th letter specifies i-th alphabet to use
• use each alphabet in turn
• repeat from start after d letters in message
• decryption simply works in reverse
Example
• write the plaintext out
• write the keyword repeated above it
• use each key letter as a Caesar cipher key
• encrypt the corresponding plaintext letter
• eg using keyword deceptive
key:        deceptivedeceptivedeceptive
plaintext:  wearediscoveredsaveyourself
ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
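Added example (not part of the original slides): a Python sketch of the Vigenère steps above that reproduces the slide's ciphertext and shows the flatter frequency distribution in action, since one plaintext letter ends up as several different ciphertext letters. It assumes letters-only input; the function names are illustrative.

```python
def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter by the matching key letter, reusing the key cyclically.

    Encryption returns uppercase ciphertext and decryption returns lowercase
    plaintext, following the slide's convention. Input must be letters only.
    """
    sign = -1 if decrypt else 1
    out = []
    for i, ch in enumerate(text.lower()):
        # Each key letter is a Caesar shift: a = 0, b = 1, ... z = 25.
        shift = ord(key[i % len(key)].lower()) - ord("a")
        value = (ord(ch) - ord("a") + sign * shift) % 26
        out.append(chr(value + ord("a")))
    result = "".join(out)
    return result if decrypt else result.upper()


def ciphertext_letters_for(letter: str, plaintext: str, ciphertext: str) -> set:
    """All ciphertext letters that one plaintext letter was turned into."""
    return {c for p, c in zip(plaintext, ciphertext) if p == letter}


if __name__ == "__main__":
    key = "deceptive"                         # keyword from the slide
    pt = "wearediscoveredsaveyourself"        # plaintext from the slide
    ct = vigenere(pt, key)
    print(ct)
    print(vigenere(ct, key, decrypt=True))
    # Under a monoalphabetic cipher this set would hold exactly one letter.
    print(sorted(ciphertext_letters_for("e", pt, ct)))
```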
One-Time Pad
• if a truly random key as long as the
message is used, the cipher will be secure
• called a One-Time pad
• is unbreakable since ciphertext bears no
statistical relationship to the plaintext
• since for any plaintext & any ciphertext
there exists a key mapping one to other
• can only use the key once though
• have problem of safe distribution of key
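Added example (not part of the original slides): a Python sketch of two points above, that some key maps any ciphertext to any same-length plaintext, and that the key can only be used once. It assumes a byte-wise XOR pad, which the slides do not specify, and uses the operating system's CSPRNG as a stand-in for a truly random key; messages and function names are constructed for illustration.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; this both encrypts and decrypts."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length: int) -> bytes:
    """Fresh pad from the OS CSPRNG (assumption: stands in for true randomness)."""
    return secrets.token_bytes(length)


def key_explaining(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """The pad under which `ciphertext` decrypts to `claimed_plaintext`."""
    return xor_bytes(ciphertext, claimed_plaintext)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """With a reused pad the pad cancels out: c1 XOR c2 equals p1 XOR p2."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    p1 = b"attack at dawn"      # constructed sample messages of equal length
    p2 = b"retreat at six"
    pad = new_pad(len(p1))
    c1 = xor_bytes(p1, pad)

    # Every same-length message is a valid decryption under some pad, so the
    # ciphertext alone says nothing about which message was sent.
    print(xor_bytes(c1, key_explaining(c1, p2)))

    # Encrypting a second message under the same pad removes the pad from
    # the combination of the two ciphertexts.
    c2 = xor_bytes(p2, pad)
    print(reuse_leak(c1, c2) == xor_bytes(p1, p2))
```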
Transposition Ciphers
• now consider classical transposition or
permutation ciphers
• these hide the message by rearranging
the letter order
• without altering the actual letters used
• can recognise these since have the same
frequency distribution as the original text
Row Transposition Ciphers
• a more complex scheme
• write letters of message out in rows over a
specified number of columns
• then reorder the columns according to
some key before reading off the rows
Key:        4 3 1 2 5 6 7
Plaintext:  a t t a c k p
            o s t p o n e
            d u n t i l t
            w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
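Added example (not part of the original slides): a Python sketch that reproduces the ciphertext above by writing the message in rows under the key and reading the columns off in key order, then confirms the earlier point that a transposition leaves the letter frequencies unchanged. It assumes a key of distinct single digits and a message that fills the last row; the function names are illustrative.

```python
from collections import Counter


def row_transposition_encrypt(plaintext: str, key: str) -> str:
    """Write the text in rows under the key, then read columns in key order."""
    ncols = len(key)
    if len(plaintext) % ncols:
        raise ValueError("pad the message so that it fills the last row")
    rows = [plaintext[i:i + ncols] for i in range(0, len(plaintext), ncols)]
    out = []
    for label in sorted(key):              # column labelled 1 first, then 2, ...
        col = key.index(label)
        out.append("".join(row[col] for row in rows))
    return "".join(out).upper()


def row_transposition_decrypt(ciphertext: str, key: str) -> str:
    """Cut the ciphertext into columns, put them back in place, read the rows."""
    ncols = len(key)
    nrows = len(ciphertext) // ncols
    columns = [""] * ncols
    for n, label in enumerate(sorted(key)):
        columns[key.index(label)] = ciphertext[n * nrows:(n + 1) * nrows]
    rows = ("".join(col[r] for col in columns) for r in range(nrows))
    return "".join(rows).lower()


def same_letter_counts(a: str, b: str) -> bool:
    """True when both texts contain exactly the same letters, order aside."""
    return Counter(a.lower()) == Counter(b.lower())


if __name__ == "__main__":
    key = "4312567"                            # key from the slide
    pt = "attackpostponeduntiltwoamxyz"        # the four rows from the slide
    ct = row_transposition_encrypt(pt, key)
    print(ct)
    print(row_transposition_decrypt(ct, key))
    print(same_letter_counts(pt, ct))
```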
Product Ciphers
• ciphers using substitutions or transpositions are
not secure because of language characteristics
• hence consider using several ciphers in
succession to make harder, but:
– two substitutions make a more complex substitution
– two transpositions make more complex transposition
– but a substitution followed by a transposition makes a
new much harder cipher
• this is the bridge from classical to modern ciphers
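Added example (not part of the original slides): a Python sketch checking the first two sub-points above, that two substitutions applied in succession equal one substitution under a combined key, and that two transpositions equal one combined permutation. The second key and both permutations are constructed for illustration, as are the function names.

```python
import string

ALPHA = string.ascii_lowercase


def substitute(text: str, key: str) -> str:
    """Monoalphabetic substitution: a..z maps to the 26 letters of `key`."""
    return text.translate(str.maketrans(ALPHA, key))


def compose_substitutions(key1: str, key2: str) -> str:
    """The single key equivalent to applying key1 and then key2."""
    return substitute(key1, key2)


def transpose(block: str, perm: list) -> str:
    """Output position i takes the letter found at input position perm[i]."""
    return "".join(block[p] for p in perm)


def compose_transpositions(perm1: list, perm2: list) -> list:
    """The single permutation equivalent to perm1 followed by perm2."""
    return [perm1[p] for p in perm2]


if __name__ == "__main__":
    k1 = "dkvqfibjwpescxhtmyauolrgzn"    # slide key, lowercased so keys chain
    k2 = ALPHA[::-1]                      # constructed second key
    msg = "ifwewishtoreplaceletters"
    twice = substitute(substitute(msg, k1), k2)
    once = substitute(msg, compose_substitutions(k1, k2))
    print(twice == once)                  # still one monoalphabetic cipher

    p1 = [2, 3, 1, 0, 4, 5, 6]            # constructed permutations of 7 slots
    p2 = [6, 5, 4, 3, 2, 1, 0]
    block = "attackp"
    twice = transpose(transpose(block, p1), p2)
    once = transpose(block, compose_transpositions(p1, p2))
    print(twice == once)                  # still one transposition
```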