Information Security
description
Transcript of Information Security
![Page 2: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/2.jpg)
What do we need to avoid threats , vulnerability, risks and attacks ?
Access Control Access Control
Cryptography Cryptography
Other Methods …..Other Methods …..
2
![Page 3: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/3.jpg)
Access Control Topics
Access control categories Access control techniques Access control administration Access control models Authentication methods Data ownership Vulnerabilities
3
![Page 4: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/4.jpg)
Access Control Definition of access control:
• It is a collection of methods and components that supports
• confidentiality
• integrity Goal: allow only authorized subjects to access permitted
objects• Subject
• The entity that requests access to a resource
• Object
• The resource a subject attempts to access
![Page 5: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/5.jpg)
Access Control
Least privilege philosophy
• A subject is granted permissions needed to accomplish required tasks and nothing more
Information leak
• Lack of controls lets people without need to access data
• E.g., physician needs data about the patient’s health and not about the insurance
![Page 6: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/6.jpg)
Controls Controls
• Mechanisms put into place to allow or disallow object access Controls organized into different categories
• Administrative
• enforce security rules through policies
• E.g. security awareness training
• Logical / technical controls
• implement object access restrictions
• E.g. password , encryption
• Physical
• limit physical access to hardware
• E.g. Fences , Walls , locked doors
![Page 7: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/7.jpg)
Access Control Techniques
Techniques are based on the organization’s needs and their impact to the users
Considerations include
• Level of security required
• User and environmental impact of security measures
Techniques differ in
• The way objects and subjects are identified
• How decisions are made to approve or deny access
• Policies governing access
![Page 8: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/8.jpg)
Access Control Designs
Access control designs define rules for users accessing files or devices
Three common access control designs• Mandatory access control
• Discretionary access control
• Task-based access control
![Page 9: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/9.jpg)
Mandatory Access Control Assigns a security label to each subject and object Matches label of subject to label of object to determine when access
should be granted E.g Military Information classification Top Secret (TS)
• The highest level of classification of information on a national level. Such material would cause "exceptionally grave damage" to national security if publicly available.
Secret
• Such material would cause "serious damage" to national security if publicly available.
![Page 10: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/10.jpg)
Mandatory Access Control Confidential
• Such material would cause "damage“ to national security if publicly available.
Restricted
• Such material would cause "undesirable effects" if publicly available. Some countries do not have such a classification.
Unclassified
• Technically not a classification level, but is used for government documents that do not have a classification listed above. Such documents can sometimes be viewed by those without security clearance.
10
![Page 11: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/11.jpg)
Discretionary Access Control
Uses identity of subject to decide when to grant an access request
All access to an object is defined by the object owner Most common design in commercial operating systems
• Generally less secure than mandatory control
• Generally easier to implement and more flexible Includes
• Identity-based access control
• Access control lists (ACLs)
![Page 12: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/12.jpg)
Task-based Access Control or Nondiscretionary Access Control
Uses a subject’s role or task to grant or deny object access• Task objects or requirements will be granted to the user
Task-based access list may contain just one member, if necessary
Lattice-based control is a variation of non-discretionary control
• Relationship between subject and object has a set of access boundaries that define rules and conditions for access
![Page 13: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/13.jpg)
Access Control Administration Once the access control technique is chosen , we need to
decide on the way these techniques can be administrated
• Implemented as centralized, decentralized, or hybrid
Centralized access control administration
• All requests go through a central authority
• Administration is relatively simple
• Single point of failure, sometimes performance bottlenecks
![Page 14: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/14.jpg)
Access Control Administration
Decentralized access control administration• Object access is controlled locally rather than centrally
• Put the control administrator closer to the object in question
• More difficult administration• Objects may need to be secured at multiple locations
• More stable• Not a single point of failure
• Usually implemented using security domains
![Page 15: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/15.jpg)
Accountability
System auditing used by administrators to monitor
• Who is using the system
• What users are doing
Logs can trace events back to originating users
Process of auditing can have a negative effect on system performance
• Must limit data collected in logs
• Clipping levels set thresholds for when to start collecting data
![Page 16: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/16.jpg)
Authentication Methods
Two-factor authentication uses two phases
• Identification
• Authentication
Security practices often require input from multiple categories of authentication techniques
Most complex authentication mechanism is biometrics (detection and classification of a subject’s physical attributes)
![Page 17: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/17.jpg)
Authentication Methods
Type 1 What you know Password, PIN,
Challenge question
Type 2 What you have Smart Card
Type 3 What you are Biometrics
![Page 18: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/18.jpg)
Authentication Methods
Type 1 -- What you know:
• Password , PIN, and Challenge question Password must be difficult to guess and easy to remember
• At least 6 characters
• Contains at least one number or any punctuation character
• Do not use dictionary words
• Do not use common personal data
• Never write down your password
Type 2 -- What you have:
• More complex than Type 1 but it is more secure since it uses special devices to read your cards for example
18
![Page 19: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/19.jpg)
Authentication Methods
Type 3---What you are
• Fingerprint, Hand geometry , Voice print, Retina/iris scan, or signature
• Very complex system due to the imperfection of the nature of biometrics analysis
• False Rejection rate (FRR) : the of filature of detection the right subject
• False Acceptance Rate (FAR) : the rate of acceptance of invalid subjects
• Crossover Error Rate (CER) : balance between FRR and FAR
19
![Page 20: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/20.jpg)
Data Ownership Different layers of responsibility for ensuring security of
organization’s information
Data owner• Bears ultimate responsibility, sets classification levels
Data custodian• Enforces security policies, often a member of IT
department Data user
• Accesses data on a day-to-day basis• responsible for following the organization’s security
policies
![Page 21: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/21.jpg)
Vulnerabilities
Brute force attack
• Try all possible combinations of characters to satisfy Type 1 authentication (password guessing)
Dictionary attack
• Subset of brute force
• Instead of all possible combinations, uses a list of common passwords
Spoofing attack
• Create fake login program, prompt for User ID, password
• Return login failure message, store captured information
![Page 22: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/22.jpg)
Policies for Vulnerability Handling
Log all data – login, transaction Analyze data in real time Set security alerts based on data analysis Develop scenarios for system shut off Disseminate policies related to vulnerability
handling
![Page 23: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/23.jpg)
What do we need to avoid threats , vulnerability, risks and attacks ?
Access Control Access Control
Cryptography Cryptography
Other Methods …..Other Methods …..
23
![Page 24: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/24.jpg)
Cryptography
24
![Page 25: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/25.jpg)
Security Services and Mechanisms
25
International Telecommunication Union Telecommunication Standardization (ITU-T) Provides:
• Services
• Mechanisms
![Page 26: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/26.jpg)
Security Services
26
Authentication - assurance that the communicating entity is the one claimed
Access Control - prevention of the unauthorized use of a resource
Data Confidentiality –protection of data from unauthorized disclosure
Data Integrity - assurance that data received is as sent by an authorized entity
Non-Repudiation - protection against denial by one of the parties in a communication
![Page 27: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/27.jpg)
Security Mechanisms
27
Specific security mechanisms:• Implemented on specific layer (OSI model)
• Encipherment, digital signatures, access controls, data integrity, authentication exchange, routing control, notarization
Pervasive security mechanisms:• Not related to a specific layer
• Trusted functionality, security labels, event detection
![Page 28: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/28.jpg)
Model for Network Security
28
![Page 29: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/29.jpg)
Model for Network Security
29
Using this model requires us to: • Design a suitable algorithm for the security
transformation.
• Generate the secret information (keys) used by the algorithm.
• Develop methods to distribute and share the secret information.
• Specify a protocol enabling the principals to use the transformation and secret information for a security service.
![Page 30: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/30.jpg)
30
Symmetric Cipher Model
![Page 31: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/31.jpg)
Symmetric Cipher Model
31
Known as:• Conventional Encryption
• Single-Key Encryption
Plaintext• Original text/msg
Ciphertext• Coded msg
Enciphering/Encryption• The process of converting the plaintext to ciphertext
Deciphering/Decryption • The process of converting the ciphertext to plaintext
![Page 32: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/32.jpg)
Symmetric Cipher Model (Cont.)
32
Cryptography • The developed encryption schemes
Cryptanalysis • Techniques used to get the plaintext out of the ciphertext without
prior knowledge to the encryption scheme (breaking the code)
Cryptology • Both the cryptography and cryptanalysis
![Page 33: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/33.jpg)
More Definitions
33
Unconditional Security • The ciphertext provides insufficient information to
uniquely determine the corresponding plaintext.
Computational Security • The time needed for calculations is greater than
age of universe
![Page 34: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/34.jpg)
Symmetric Cipher Model (Cont.)
34
![Page 35: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/35.jpg)
Symmetric Cipher Model
35
Requirements • Strong Key the opponent can not figure it out even if he/she has
a number of ciphertexts
• The key must be exchanged through a secure channel
• Y = E(K,X) ~ Y = EK(X)
• X =D(K,Y) ~ X = DK(Y)
![Page 36: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/36.jpg)
Brute Force Search
36
Always possible to simply try every key Most basic attack, proportional to key size
![Page 37: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/37.jpg)
37
Substitution Ciphers
![Page 38: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/38.jpg)
Lets have Fun
38
You are spying on your friend Ahmed while he is chatting with John, you received the following message:
“Ygjcxgvqmnnvjgrgumfgpv”
Can you decrypt this message?
![Page 39: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/39.jpg)
Answer
39
Ahmed is telling John:
“Ygjcxgvqmnnvjgrgumfgpv”
“We have to kill the president” Encryption Key:
• Replacement Table Plaintext ABCDEFGHIJKLMNOPQRSTUVWXYZ Ciphertext CDEFGHIJKLMNOPQRSTUVWXYZAB
Encryption Technique • Each letter is replaced by the second one after it
• Remove blanks
![Page 40: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/40.jpg)
Caesar Cipher
40
Earliest known substitution cipher by Julius Caesar first attested use in military affairs replaces each letter by 3rd one after it
E.g.meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB
![Page 41: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/41.jpg)
Caesar Cipher (Cont.)
41
Transformation :
Mathematically give each letter a numbera b c d e f g h i j k l m0 1 2 3 4 5 6 7 8 9 10 11 12n o p q r s t u v w x y Z13 14 15 16 17 18 19 20 21 22 23 24 25
Then have Caesar cipher as:C = E(p) = (p + k) mod (26)p = D(C) = (C – k) mod (26)
![Page 42: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/42.jpg)
Caesar Cipher (Cont.)
42
Cryptanalysis
• Only have 26 possible ciphers
•A maps to A,B,..Z
• Could simply try each in turn
![Page 43: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/43.jpg)
Monoalphabetic Cipher
43
Rather than just shifting the alphabet Could shuffle (jumble) the letters arbitrarily Each plaintext letter maps to a different random
ciphertext letter The key is 26 letters long
Plain: abcdefghijklmnopqrstuvwxyz Cipher: DKVQFIBJWPESCXHTMYAUOLRGZNPlaintext: ifwewishtoreplacelettersCiphertext: WIRFRWAJUHYFTSDVFSFUUFYA
![Page 44: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/44.jpg)
Monoalphabetic Cipher Security
44
now have a total of 26! = 4 x 1026 keys with so many keys, might think is secure but would be !!!WRONG!!!
Language Characteristics Problem
• Using the occurrence frequency of each letter , we can deduce the letters in the ciphertext
![Page 45: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/45.jpg)
English Letter Frequencies
45
![Page 46: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/46.jpg)
Playfair Cipher
46
Invented by Charles Wheatstone in 1854, but named after his friend Baron Playfair.
Encrypts multiple letters
Uses Playfair Matrix
Uses some of the rules to interpret the matrix
![Page 47: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/47.jpg)
Playfair Key Matrix
47
A 5X5 matrix of letters based on a keyword Fill in letters of keyword (Avoid repetition) Fill rest of matrix with other letters E.g. using the keyword MONARCHY
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
![Page 48: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/48.jpg)
Playfair Rules
48
Plaintext encrypted two letters at a time: • if a pair is a repeated letter, insert a filler like 'X',
• eg. "balloon" encrypts as "ba lx lo on"
• If both letters fall in the same row, replace each with letter to right (wrapping back to start from end), • eg. “ar" encrypts as "RM"
• If both letters fall in the same column, replace each with the letter below it (again wrapping to top from bottom), • eg. “mu" encrypts to "CM"
• Otherwise each letter is replaced by the one in its row in the column of the other letter of the pair,• eg. “hs" encrypts to "BP", and “ea" to "IM" or "JM" (as desired)
![Page 49: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/49.jpg)
Group Activity
49
Based on Playfair encryption, encrypt the word
“Hello”
Key :
Note: The key is an arrangement of all of the alphabetic letters
L G D B A
Q M H E C
U R N I/J F
X V S O K
Z Y W T P
![Page 50: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/50.jpg)
Answer
50
Step 1: Group the letters
• He ll o
• 1st rule repeated letters ll
• He lx lo Step 2: find the corresponding text in the key
• He EC - rule 2 H and e on the same row (replace each with letter to right) EC
• Lx QZ -- rule 3 L and x at the same column (replace each with the letter below it) QZ
• loBX -- rule 4 l and o at different rows and columns (replaced by the one in its row in the column of the other letter of the pair)
E (Hello) “ECQZBX”
![Page 51: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/51.jpg)
Security of the Playfair Cipher
51
Security much improved over monoalphabetic
Since have 26 x 26 = 676 diagrams
Was widely used for many years (eg. US & British military in WW1)
It can be broken, given a few hundred letters since still has much of plaintext structure
![Page 52: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/52.jpg)
Polyalphabetic Ciphers
52
Another approach to improving security is to use multiple cipher alphabets
Makes cryptanalysis harder with more alphabets to guess and flatter frequency distribution
Use a key to select which alphabet is used for each letter of the message
Use each alphabet in turn Repeat from start after end of key is reached
![Page 53: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/53.jpg)
Vigenère Cipher
53
Simplest polyalphabetic substitution cipher effectively multiple caesar ciphers key is multiple letters long K = k1 k2 ... kd ith letter specifies ith alphabet to use use each alphabet in turn repeat from start after d letters in message decryption simply works in reverse
![Page 54: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/54.jpg)
54
![Page 55: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/55.jpg)
Example
55
eg using repeated keyword deceptive
key: deceptivedeceptivedeceptive
plaintext: wearediscoveredsaveyourself
ciphertext:ZICVTWQNGRZGVTWAVZHCQYGLMGJ
From the previous table lookup the key letter then the
plain text letter.
The cipher letter is the intersection letter
![Page 56: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/56.jpg)
Security of Vigenère Ciphers
56
have multiple ciphertext letters for each plaintext letter
Letter frequencies are obscured
But not totally lost
![Page 57: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/57.jpg)
Autokey Cipher
57
Ideally want a key as long as the message Vigenère proposed the autokey cipher The keyword is prefixed to message as key Still have frequency characteristics to attack
Eg. given key deceptive
key: deceptivewearediscoveredsav
plaintext: wearediscoveredsaveyourself
ciphertext: ZICVTWQNGKZEIIGASXSTSLVVWLA
![Page 58: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/58.jpg)
One-Time Pad
58
Select a random key that is equal to the message length.
Use a table structure such as Vigenère table
Problems: • Generating long random keys
• Bandwidth problem sending the key as long as the Msg
![Page 59: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/59.jpg)
59
Transposition/Permutation Ciphers
![Page 60: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/60.jpg)
Transposition (Cont.)
60
The letters of the message are rearranged
Columnar transpositionThe number of columns is required
Example:
THIS IS A MESSAGE TO SHOW HOW A COLMUNAR TRANSPOSITION WORKS
![Page 61: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/61.jpg)
Transposition (Cont.)
61
T H I S I S A M E S S A G E T O S H O W H O W A C O L M U N A R T R A N S P O S I T I O N W O R K S
tssoh oaniw haaso lrsto imghw utpir seeoa mrook istwc nasna
![Page 62: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/62.jpg)
Group Activity
62
Given the following message
“ This is the second lecture”
Divide the message onto a block of 5 letters block Transpose the message Use Autokey cipher to encrypt the result
• Key : “ NetworkSecurity”
![Page 63: Information Security](https://reader035.fdocuments.net/reader035/viewer/2022062517/5681326a550346895d99059d/html5/thumbnails/63.jpg)
Stream Vs. Block Ciphers
63
Stream converts one symbol of plaintext into a symbol of ciphertext
Block encrypts a group of plaintext symbols as one block.