Fr. C.

Rodrigues Institute of Technology, Vashi, Navi-Mumbai

Department of Computer Engineering

Cryptography and System Security (CSS)

CSC602

By
Mrs. Smita Rukhande

1
1
 Syllabus
Chapter 1 -Introduction to Number Theory & cryptography

1.1 Security Goals, Services, Mechanisms and attacks

• The OSI security architecture​
• Classical Encryption techniques –
• Substitution techniques: mono-alphabetic (Caesar) and poly-alphabetic (Vigenere
cipher, playfair cipher, Hill cupher)
• Transposition techniques : keyed and keyless transposition ciphers
1.2 Modular Arithmetic :
• Euclid‘s algorithm​. Fermat‘s and Euler‘s theorem​

2
2
What is computer security ?

• Protection of computer systems and information from harm, theft, and

unauthorized use.
• It is the process of preventing and detecting unauthorized use of
computer system.

3
3
 A person or entity that can exploit
an assets bypassing your control

A person or entity that can

exploit an assets bypassing Weakness or
your control lack of control

Action taken to safeguard an is an instance of

assets being harmed

harm occurring to an assets

4
 Goals of Security
• Confidentiality − to protect data from unauthorized persons.
Confidentiality makes sure that the data is available only to the intended
and authorized persons.

• Integrity − maintaining and assuring the accuracy and consistency

of data. The function of integrity is to make sure that the data is reliable
and is not changed by unauthorized persons.

• Availability − The function of availability is to make sure that the data,

network resources/services are continuously available to the legitimate
users, whenever they require it and service is not denied to authorized
user .

The main goal of keeping the data secure is to prevent the data from Fig.- CIA Triad
various types of security attacks.
Q. Define goals of security. Or
5
Enlist security goals. Mention their significance. 5
 Vulnerability vs threat vs risk

• A vulnerability is a weakness, flaw or other shortcoming in a

system (infrastructure, database or software). It exposes your
organization to threats.
• A threat is a malicious or negative event that takes advantage of a
vulnerability which could affect the confidentiality, integrity or
availability of your systems, data, people and more.

• The risk is the probability of a negative (harmful) event occurring

as well as the potential of scale of that when the threat does occur.

6
The OSI security architecture

7
 The OSI security architecture
Security attack: Any action that compromises the security of information
owned by an organization.
Security mechanism: A process (or a device incorporating such a process) that
is designed to detect, prevent, or recover from a security attack.
Security service: A processing or communication service that enhances the
security of the data processing systems and the information transfers of an
organization.
The services make use of one or more security mechanisms to provide the
service.

8
8
 Security Attack
Any action that compromises the security of information owned by
an organization.

4 types of attack
 Interception – attack on confidentiality.
 Fabrication – attack on authentication.
 Modification – attack on integrity .
 Interruption – attack on availability.

These attacks are further grouped in to two types :

9
Passive attack and Active attack
9
Interruption

An asset of the system is destroyed or becomes unavailable or unusable.

This is an attack on availability.
e.g., destruction of piece of hardware, cutting of a communication line or
disabling of file management system.

10
Interception

An unauthorized party gains access to an asset.

This is an attack on confidentiality.

Unauthorized party could be a person, a program or a computer.

e.g., wire tapping to capture data in the network

11
Modification

An unauthorized party not only gains access to but tampers with an asset.
This is an attack on integrity.

e.g., changing values in data file, altering a program, modifying the contents of
messages being transmitted in a network.

12
Fabrication
An attacker deliberately modifies messages, parameters, properties of
information system components try to alter the behavior of the system
bypassing security controls.
This is an attack on authenticity.
e.g.- insertion of spurious message in a network or addition of records to a file.
SQL injection

13
 Security Attacks

Security attacks

Passive attack Active attack

1) Release of message contents 1) Masquerade
2)Traffic analysis 2) Replay
3) Modification of message
4) Denial of service

14
14
 Passive Attacks
 A Passive attack attempts to learn or make use of information from the system
but does not affect system resources.
 Passive attacks are in the nature of eavesdropping on or monitoring transmissions of data.
 The goal of the opponent is to obtain information that is being transmitted.
 The term Passive indicated that the attacker does not attempt to perform any modification to
the data.
 That’s why it is very difficult to detect.
 Neither the sender nor receiver is aware that a third party has read the message or observed the
traffic pattern.
 Types of Passive attacks are - Release of message content and Traffic analysis

Emphasis in dealing with passive attack is on prevention rather than detection.

15
15
 Passive Attacks - The release of message content

The release of message content-

Telephonic conversation, an electronic mail A
message or a transferred file may contain
sensitive or confidential information. We
would like to prevent an opponent from
learning the contents of these transmissions.

countermeasure - send noise time to

time or use random channel
or communication. S R
16
16
 Passive Attacks - Traffic analysis
In traffic analysis, the network traffic and its patterns are watched out over a period
of time to infer important information and guess possible activities.

For example: Following is some information that can

be possibly guessed just by knowing the traffic
volume and patterns.

Long communication: It can denote some

emergency.
Short communications: It can denote planning,
checking, and negotiation.
No communication: It can indicate a lack of activity.
Time of communication: It can indicate who works
when.
17
 Passive Attacks - Traffic analysis
Traffic analysis-
Suppose that we had a way of masking
(encryption) of information, so that the
attacker even if captured the message could
not extract any information from the message.
The opponent could determine the location
and identity of communicating host and could
observe the frequency and length of messages
being exchanged. This information might be
useful in guessing the nature of the
communication that was taking place.

countermeasure - randomize communication or send fake traffic time to time

to degrade quality of information that the attacker can gather for
analysis. 18
18
 Active Attacks

• In active attack, attacker tries to modify

system resources or affect their operation.
• It involves some modification of the data
stream or the creation of a false stream.

19
19
 Active Attacks- Types of active attacks…

1. Masquerade attack
is a type of attack in which the attacker pretends to be an authentic sender in
order to gain unauthorized access to a system.

This type of attack can involve the attacker using stolen or forged credentials, or
manipulating authentication or authorization controls in some other way.

countermeasure - Use multifactor authentication , strong password policies

20
20
 Active Attacks- Types of active attacks…

2. Replay attack
The attacker obtains a copy of message sent by a user and later tries to replay it.
A
Example: a person sends a request to his bank
to ask for payment to the
attacker, who has done a job for
him. The attacker can receive
another payment from the bank
by intercepting the message and
again send it to the bank.

countermeasure - use timestamps and

sequence no. 21
S R 21
 Active Attacks- Types of active attacks

3 Modification of Messages-:

Message is modified before it is

received by the user at the receiver
side

countermeasure - Hashing, redundancy check

22
22
 Active Attacks- Types of active attacks
4. The Denial of Service-:
is an attack where attacker attempt to prevent legitimate users from accessing some
services, which they are eligible for.

This attack may have a specific target.

Example - An unauthorized user might send too
many login request to a server using random user id
after the other in quick succession so as to flood the
network and deny the legitimate user an access to the
network.
Another form of service denial is the disruption
of an entire network, either by disabling the network
or by overloading it with messages so as to degrade
performance. 23
23
 Active Attacks- Types of active attacks
4. The Denial of Service-:

countermeasure - firewall, application

limit.
Firewall can be used to drop network
connections that come from
particular location.
Application limit can protect
application from crashing
when the rate of requests
goes beyond a set limit.

24
24
 Difference between Active & Passive Attack

[Link] Active Attack Passive Attack

1. Attacker needs to have physical Attacker needs to observe
control of the media or network. the communication in the media or
network.
2. Attacker's goal to change Attackers goal is just to obtain the
and modify the information. information.
3. It can be easily detected. It cannot be easily detected.

4. It affects the system. It does not affect the system.

5. It involves in modification of It involves in monitoring of

data. data.
25
25
 Difference between Active & PassiveAttack
S. No. Active Attack Passive Attack

6. Type of active attack are: Types of passive attack are :

1) Masquerade 1) Release of message contents
2) Replay 2) Traffic analysis
3) Modification of message
4) Denial of service
7. It is difficult to prevent Passive attack can be prevented.
from active attack.
8. Examples:- Attempt to log into Examples:-Listen to
Traffic someone else's account. system password, analysis and Data
capturing.
26
26
 Security Services
To ensure that the security goals are met, certain principles
or services are proposed which must be met to ensure the
complete security of data.

27
27
 Security services

Services Function
Confidentiality Protects sensitive data from unauthorized access.
Integrity Ensures data is accurate and unaltered.
Ensures that systems and data are accessible when
Availability
needed.
Authentication Verifies the identity of users or systems.
Non-repudiation Prevents denial of actions or transactions.
Access Control Defines and enforces who can access what resources.

28
 Security Services

Data Confidentiality : This means the privacy of data. Only the person who is the sole
bearer of the data can access and read it.
Confidentiality gets compromised if an unauthorized user is able to access the message.

For example, let us consider sender A wants to

share some confidential information with
receiver B and the information gets intercepted
by the attacker C. Now the confidential
information is in the hands of an intruder C.

This type of attack is called interception.

Fig- Loss of confidentiality
29
Note –Interception causes loss of message confidentiality 29
 Security Services
Authentication :
This ensures that the origin of message or document is correctly identified.
Or communication is being held among the right individuals.

Example

Fig- Absence of authentication

30
Note –Fabrication is possible in the absence of proper authentication mechanism
30
 Security Services
Data Integrity : This means that no insertion, deletion or modification has been done in
the information. The data is present in its original form as it was sent by the sender.
For Example- consider that user A sends message to
user B. User C tampers with a message originally
sent by user A, which is actually destined for user B.
User C somehow manages to access it, change its
contents and send the changed message to user B.
User B has no way of knowing that the contents of
the message changed after user A had sent it. User A
also does not know about this change.

This type of attack is called modification.

Fig- loss of integrity

31
Note –Modification causes loss of message integrity.
31
 Security Services
Non-repudiation :

Requires that neither the sender nor the receiver of a message be able to deny the
transmission.

I Never sent that message

which you claim to have
received

Note –Non-repudiation does not allow the sender of a message to refuse the
claim of not sending that message . 32
32
 Security Services

Access Control :

Access control is the ability to limit and control the access to resources.
To achieve this, each entity trying to gain access must first be identified, or
authenticated.

Note –Access control specifies and controls who can access what .

33
33
 Security Services
Data Availability : Data available to authorized entities whenever required.

For Example - due to the intentional actions

of an unauthorized user C, an authorized user
A may not be able to contact a server B.

This would defeat the principle of availability. user server

Such an attack is called interruption.

attacker
Fig- Attack of availability

Note –Interruption puts availability of resource in danger. 34

34
Taxonomy of attacks with relation to security goals

35
 Taxonomy of attacks with relation to security goals

 Snooping refers to unauthorized access to or interception of

data.

 Traffic analysis refers to obtaining some other type of information by

monitoring online traffic.

 Modification means that the attacker intercepts the message and

changes it.

 Masquerading or spoofing happens when the attacker impersonates

somebody else.
36
36
 Taxonomy of attacks with relation to security goals

 Replaying means the attacker obtains a copy of a message

sent by a user and later tries to replay it.

 Repudiation means that sender of the message might later deny that
she has sent the message; the receiver of the message might later
deny that he has received the message.

 Denial of service (DoS) is a very common attack. It may slow down

or totally interrupt the service of a system.

37
37
 Security Mechanisms
A mechanism that is designed to detect, prevent, or recover from a security
attack.

38
38
 Security Mechanism..
1. Encipherment-:
With the use of mathematical algorithms to transform data into a form that is not readily
intelligible. The transformation and subsequent recovery of the data depend on an algorithm
and zero or more encryption keys or hiding or covering data that can provide confidentiality or
secrecy .
Two technique used for encipher is cryptography, steganography .

2. Data Integrity-:
added short check value, the receiver receives the data and the check value, he creates a new
check value from received data and compares the newly created check value with the one
received. If two check value are same that means integrity of data has been preserved.
39
39
 Security Mechanism…

3. Digital Signature-:
DS is a mean by which the sender can electronically sign the data and receiver can
electronically verify the signature. Provides authentication and integrity.

4. Authentication Exchange-:
Two entities exchange some message to provide their identity to each other.

5. Traffic Padding-:
Inserting some bit of data into the data traffic to thwart the adversary's attempt to use
the traffic analysis.
40
40
 Security Mechanism…
6. Routing control-:
Selecting and continuously changing different available routes between the sender
and the receiver to prevent the opponent from eavesdropping.

7. Notarization-:
means selecting a third trusted party to control the communication between two
entities.

8. Access control-:
access control use methods to prove that a user has right access to the data or
resources owned by a system. Eg-: passwords & PINs

41
41
Relation between security services and mechanisms

42
42
 Network security model
This model exhibits how the security service has been designed over the network
to prevent the opponent from causing a threat to the confidentiality or
authenticity of the information that is being transmitted through the network.

43
Fig- Model of network security
43
44
44