Uploaded by Vijaya Durga

UNIT-1 cns

advertisement
Cryptography & Network Security
Dept of CSE
Cryptography & Network Security
By
P.V.VIJAYA DURGA
Dept of CSE
Vishnu Institute of Technology
Mrs P. V. Vijaya DUrga
Cryptography & Network Security
Dept of CSE
UNIT- I Basic Principles: Security Goals, Cryptographic Attacks, Services and
Mechanisms, Mathematics of Cryptography.
INTRODUCTION:
Computer data often travels from one computer to another, leaving the safety of its
protected physical surroundings. Once the data is out of hand, people with bad intention
could modify or forget your data, either for amusement or for their own benefit.
Cryptography can reformat and transform our data, making it safer on its trip between
computers. The technology is based on the essentials of secret codes, augmented by
modern mathematics that protects our data in powerful ways.
• Computer Security - generic name for the collection of tools designed to protect data and
to thwart hackers
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over a collection of
interconnected networks.
Cryptography: Cryptography ensures that the information that is sent safely and securely,
preserves the concept of confidentiality, integrity, and authenticity. Having seen, the basics
of cryptography and the different types of encryption, let us next view the different types of
attacks that are possible.
The text that is to be transmitted which can be commonly read is known as ‘plaintext’.
This plaintext is converted to unreadable format by the process of encryption and it is then
known as ‘Ciphertext’.
This ciphertext can now be transmitted over insecure channels confidently without the
danger of snooping. Once it has been successfully transmitted, it has to be decrypted at the
receiver’s end and the ‘plaintext’ is again recovered.
An algorithm is a complex mathematical formula that aids in encrypting the information
along with the “key”.
The “key” is a long sequence of bits which is used to encrypt and decrypt the text.
Vishnu Institute of Technology
Mrs P. V. Vijaya DUrga
Cryptography & Network Security
Dept of CSE
This is the basic and fundamental concept behind cryptography. There are two modes of
encryption – the symmetric encryption and asymmetric encryption.
In ‘Symmetric encryption’ algorithms, the same key which is used to encrypt is used to
decrypt a message.
In ‘Asymmetric encryption’ algorithms, different keys are used to encrypt and decrypt a
message.
Security Goals:
The objective of Cyber security is to protect information from being stolen, compromised or
attacked. Cyber security can be measured by at least one of three goals• Confidentiality
• Integrity
• Availability
These three pillars of Network Security are often represented as CIA Triangle, as shown
below.
Vishnu Institute of Technology
Mrs P. V. Vijaya DUrga
Cryptography & Network Security
Dept of CSE
1.Confidentiality:
The first goal of Network Security is "Confidentiality". The function of "Confidentiality" is in
protecting precious business data (in storage or in motion) from unauthorized persons.
Confidentiality part of Network Security makes sure that the data is available OLNY to
intended and authorized persons. Access to business data should be only for those
individuals who are permitted to use that data.
Eg: Data encryption is a good example to ensure confidentiality.
Tools for Confidentiality:
Encryption: It is a method of transforming
information to make it unreadable for unauthorized
users by using an algorithm. The transformation of data
uses a secret key (an encryption key) so that the
transformed data can only be read by using another
secret key (decryption key). It protects sensitive data
such as credit card numbers by encoding and
transforming data into unreadable cipher text. This
encrypted data can only be read by decrypting it.
Asymmetric-key and symmetric-key are the two
primary types of encryption.
Access control: It defines rules and policies for limiting access to a system or to physical
or virtual resources. It is a process by which users are granted access and certain privileges
to systems, resources or information. In access control systems, users need to present
credentials before they can be granted access such as a person's name or a computer's
serial number.
Authentication: It is a process that ensures and confirms a user's identity or role that
someone has. It can be done in a number of different ways, but it is usually based on a
combination of-something the person has (like a smart card or a radio key for storing secret
keys),something the person knows (like a password),something the person is (like a human
with a fingerprint).
Authentication is the necessity of every organizations because it enables organizations to
keep their networks secure by permitting only authenticated users to access its protected
Vishnu Institute of Technology
Mrs P. V. Vijaya DUrga
Cryptography & Network Security
Dept of CSE
resources. These resources may include computer systems, networks, databases, websites
and other network-based applications or services.
Authorization: It is a security mechanism which gives permission to do or have
something. It is used to determine a person or system is allowed access to resources, based
on an access control policy, including computer programs, files, services, data and
application features. It is normally preceded by authentication for user identity verification.
System administrators are typically assigned permission levels covering all system and user
resources. During authorization, a system verifies an authenticated user's access rules and
either grants or refuses resource access.
Physical security: It describes measures designed to deny the unauthorized access of IT
assets like facilities, equipment, personnel, resources and other properties from damage. It
protects these assets from physical threats including theft, vandalism, fire and natural
disasters.
2. Integrity
The second goal of Network Security is "Integrity". Integrity aims at maintaining and
assuring the accuracy and consistency of data. The function of Integrity is to make sure that
the date is accurate and reliable and is not changed by unauthorized persons or hackers.
The data received by the recipient must be exactly same as the data sent from the sender,
without change in even single bit of data.
Tools for Integrity:
Backup: It is the periodic archiving of data. It is a process of making copies of data or data
files to use in the event when the original data or data files are lost or destroyed. It is also
Vishnu Institute of Technology
Mrs P. V. Vijaya DUrga
Cryptography & Network Security
Dept of CSE
used to make copies for historical purposes, such as for longitudinal studies, statistics or for
historical records or to meet the requirements of a data retention policy. Many applications
especially in a Windows environment, produce backup files using the .BAK file extension.
Checksum: It is a numerical value used to verify the integrity of a file or a data transfer.
In other words, it is the computation of a function that maps the contents of a file to a
numerical value. They are typically used to compare two sets of data to make sure that they
are the same. A checksum function depends on the entire contents of a file. It is designed in
a way that even a small change to the input file (such as flipping a single bit) likely to results
in different output value.
Data Correcting Codes: It is a method for storing data in such a way that small changes can be
easily detected and automatically corrected.
3. Availability
Availability is the property in which information is accessible and modifiable in a timely
fashion by those authorized to do so. It is the guarantee of reliable and constant access to
our sensitive data by authorized people.
Tools for Availability:
Physical Protections
Computational Redundancies
Physical Protections:
Physical safeguard means to keep information available even in the event of physical
challenges. It ensure sensitive information and critical information technology are housed in
secure areas.
Computational redundancies:
It is applied as fault tolerant against accidental faults. It protects computers and storage
devices that serve as fallbacks in the case of failures.
Cryptographic Attacks:
Vishnu Institute of Technology
Mrs P. V. Vijaya DUrga
Cryptography & Network Security
Dept of CSE
The basic intention of an attacker is to break a cryptosystem and to find the plaintext from
the ciphertext. To obtain the plaintext, the attacker only needs to find out the secret
decryption key, as the algorithm is already in public domain.
Security attacks:
1.Based on information:
There are different types of security attacks which affect the communication process
in the network and they are as follows
Interruption: This type of attack is due to the obstruction of any kind during the
communication process between one or more systems. So the systems which are
used become unusable after this attack by the unauthorized users which results in
the wastage of systems.
Examples: Overloading a server host so that it cannot respond, Cutting a
communication line.
Interception: The phenomenon of confidentiality plays an important role in this type of
attack. The data or message which is sent by the sender is intercepted by an unauthorized
individual where the message will be changed to the different form or it will be used by the
individual for his malicious process. So the confidentiality of the message is lost in this type
of attack.
Examples: Wiretapping telecommunications networks,Illicit copying of files or programs.
Vishnu Institute of Technology
Mrs P. V. Vijaya DUrga
Cryptography & Network Security
Dept of CSE
Modification: As the name indicates the message which is sent by the sender is modified
and sent to the destination by an unauthorized user. The integrity of the message is lost by
this type of attack. The receiver cannot receive the exact message which is sent by the
source which results in the poor performance of the network.
Examples: Modifying the contents of messages in the network,Changing information stored
in data files.
Fabrication: In this type of attack a fake message is inserted into the network by an
unauthorized user as if it is a valid user. This results in the loss of confidentiality,
authenticity and integrity of the message.
Examples: Inserting messages into the network using the identity of another individual,
Replaying previously intercepted messages, Spoofing a web site or other network service.
II) Based on the action performed by attacker
Attacks are typically categorized based on the action performed by the attacker. An
attack, thus, can be passive or active.
Active attacks: An Active attack attempts to alter system resources or effect their
operations. Active attack involve some modification of the data stream or creation of false
statement. Types of active attacks are as following:
i)Masquerade
Masquerade attack takes place when one entity pretends to be different entity. A
Masquerade attack involves one of the other form of active attacks.
Vishnu Institute of Technology
Mrs P. V. Vijaya DUrga
Cryptography & Network Security
Dept of CSE
II)ModificationofMessages
It means that some portion of a message is altered or that message is delayed or reordered
to produce an unauthorised effect. For example, a message meaning “Allow JOHN to read
confidential file X” is modified as “Allow Smith to read confidential file X”.
III)Repudiation
This attack is done by either sender or receiver. The sender or receiver can deny later that
he/she has send or receive a message. For example, customer ask his Bank “To transfer an
amount to someone” and later on the sender(customer) deny that he had made such a
request. This is repudiation.
Vishnu Institute of Technology
Mrs P. V. Vijaya DUrga
Cryptography & Network Security
Dept of CSE
iv)Replay –
It involves the passive capture of a message and its subsequent the transmission to produce
an authorized effect.
v)DenialofService :
It prevents normal use of communication facilities. This attack may have a specific target.
For example, an entity may suppress all messages directed to a particular destination.
Another form of service denial is the disruption of an entire network wither by disabling the
network or by overloading it by messages so as to degrade performance.
Passive attacks: A Passive attack attempts to learn or make use of information from
the system but does not affect system resources. Passive Attacks are in the nature of
eavesdropping on or monitoring of transmission. The goal of the opponent is to obtain
information is being transmitted. Types of Passive attacks are as following:
Vishnu Institute of Technology
Mrs P. V. Vijaya DUrga
Cryptography & Network Security
Dept of CSE
1. The release of message content :
Telephonic conversation, an electronic mail message or a transferred file may
contain sensitive or confidential information. We would like to prevent an opponent
from learning the contents of these transmissions.
Traffic analysis :
Suppose that we had a way of masking (encryption) of information, so that the attacker
even if captured the message could not extract any information from the message.
The opponent could determine the location and identity of communicating host and could
observe the frequency and length of messages being exchanged. This information might
be useful in guessing the nature of the communication that was taking place.
Vishnu Institute of Technology
Mrs P. V. Vijaya DUrga
Cryptography & Network Security
Dept of CSE
Based on the methodology used, attacks on cryptosystems are categorized as follows −
Ciphertext Only Attacks (COA) − In this method, the attacker has access to a set of
ciphertext(s). He does not have access to corresponding plaintext. COA is said to be
successful when the corresponding plaintext can be determined from a given set of
ciphertext. Occasionally, the encryption key can be determined from this attack.
Known Plaintext Attack (KPA) − In this method, the attacker knows the plaintext for
some parts of the ciphertext. The task is to decrypt the rest of the ciphertext using this
information. This may be done by determining the key or via some other method.
Chosen Plaintext Attack (CPA)
− In this method, the attacker has the text of his choice
encrypted. So he has the ciphertext-plaintext pair of his choice. This simplifies his task of
determining the encryption key.. A popular public key cryptosystem, RSA is also vulnerable to
chosen-plaintext attacks.
Dictionary Attack − This attack has many variants, all of which involve compiling a ‘dictionary’.
In simplest method of this attack, attacker builds a dictionary of ciphertexts and corresponding
plaintexts that he has learnt over a period of time. In future, when an attacker gets the ciphertext,
he refers the dictionary to find the corresponding plaintext.
Brute Force Attack (BFA) −
In this method, the attacker tries to determine the key by
attempting all possible keys. If the key is 8 bits long, then the number of possible keys is 28 = 256.
The attacker knows the ciphertext and the algorithm, now he attempts all the 256 keys one by one
for decryption. The time to complete the attack would be very high if the key is long.
Birthday Attack −
This attack is a variant of brute-force technique. It is used against the
cryptographic hash function. When students in a class are asked about their birthdays, the answer is
one of the possible 365 dates. Let us assume the first student's birthdate is 3rd Aug. Then to find the
next student whose birthdate is 3rd Aug, we need to enquire 1.25* √365 ≈ 25 students.
Man in Middle Attack (MIM)
− Man-in-the-middle attacks are a common type of
cybersecurity attack that allows attackers to eavesdrop on the communication between two targets.
The attack takes place in between two legitimately communicating hosts, allowing the attacker to
“listen” to a conversation they should normally not be able to listen to, hence the name “man-inthe-middle.”
Host A wants to communicate to host B, hence requests public key of B.
An attacker intercepts this request and sends his public key instead.
Thus, whatever host A sends to host B, the attacker is able to read.
Vishnu Institute of Technology
Mrs P. V. Vijaya DUrga
Cryptography & Network Security
Dept of CSE
In order to maintain communication, the attacker re-encrypts the data after reading with his public
key and sends to B.
The attacker sends his public key as A’s public key so that B takes it as if it is taking it from A.
Example: Email Hijacking
Hackers who use this tactic target email accounts of large organizations, especially financial
institutions and banks. Once they gain access to important email accounts, they will monitor the
transactions to make their eventual attack a lot more convincing. For example, they can wait for a
scenario where the customer will be sending money and respond, spoofing the company’s email
address, with their own bank details instead of the company’s. This way, the customer thinks they’re
sending their payment to the company, but they’re really sending it right to the hacker.
Side Channel Attack (SCA) −
This type of attack is not against any particular type of
cryptosystem or algorithm. Instead, it is launched to exploit the weakness in physical
implementation of the cryptosystem.
Timing Attacks
− They exploit the fact that different computations take different times to
compute on processor. By measuring such timings, it is be possible to know about a particular
computation the processor is carrying out. For example, if the encryption takes a longer time, it
indicates that the secret key is long.
Power Analysis Attacks − These attacks are similar to timing attacks except that the amount
of power consumption is used to obtain information about the nature of the underlying
computations.
Vishnu Institute of Technology
Mrs P. V. Vijaya DUrga
Cryptography & Network Security
Dept of CSE
Security services:
Security services include authentication,
integrity,nonrepudiation, and availability.
access
control,
data
confidentiality,
data
1. DATA CONFIDENTIALITY: The protection of data from unauthorized disclosure.
a. Connection Confidentiality: The protection of all user data on a connection.
b. Connectionless Confidentiality: The protection of all user data in a single data block
c. Selective-Field Confidentiality: The confidentiality of selected fields within the user data on a
connection or in a single data block.
d. Traffic Flow Confidentiality: The protection of the information that might be derived from
observation of traffic flows.
2. AUTHENTICATION: The assurance that the communicating entity is the one that it claims to
be.
a. Peer Entity Authentication: Provide confidence in the identity of the entities connected.
b. Data Origin Authentication: In a connectionless transfer, provides assurance that the source of
received data is as claimed.
3. ACCESS CONTROL:
The prevention of unauthorized use of a resource (i.e., this service
controls who can have access to which resource.)
4. DATA INTEGRITY:
The assurance that data received are exactly as sent by an authorized
entity (i.e., contain no modification, insertion, deletion, or replay).
Vishnu Institute of Technology
Mrs P. V. Vijaya DUrga
Cryptography & Network Security
Dept of CSE
a. Connection Integrity with Recovery: Provides for the integrity of all user data on a connection
and detects any modification, insertion, deletion, or replay of any data within an entire data
sequence, with recovery attempted.
b. Connection Integrity without Recovery: As above, but provides only detection without recovery.
c. Selective-Field Connection Integrity: Provides for the integrity of selected fields within the user
data of a data block transferred over a connection.
d. Connectionless Integrity: Provides for the integrity of a single connectionless data block.
e. Selective-Field Connectionless Integrity: Provides for the integrity of selected fields within a
single connectionless data block; takes the form of determination of whether the selected fields
have been modified.
5. NONREPUDIATION: Provides protection against denial by one of the entities
involved in a
communication of having participated in all or part of the communication.
a. Nonrepudiation, Origin: Proof that the message was sent by the specified party.
b. Nonrepudiation, Destination: Proof that the message was received by the specified party.
Security mechanisms:
A security mechanism is any process (or a device incorporating such a process) that is designed to
detect,prevent,or recover from a security attack. Examples of mechanisms are encryption
algorithms, digital signatures, and authentication protocols.
Vishnu Institute of Technology
Mrs P. V. Vijaya DUrga
Cryptography & Network Security
Dept of CSE
1.Encipherment: Hiding or covering of data by using some mathematical transformations is
called encipherment. (or) The use of mathematical algorithms to transform data into a form that is
not readily intelligible.
2. Data integrity: A variety of mechanisms used to assure the integrity of a data unit or stream
of data units. (or) Techniques used to protect data from unauthorized alteration.
3. Digital Signature: Technique through which sender can sign a document electronically and
receiver can verify the signature electronically. (Receiver can verify the authenticity of sender).
4. Authentication Exchange: Sender and receiver can exchange some messages to prove
their identity to each other.
5. Traffic padding: Inserting some dummy information between original information to confuse
and frustrate the intruder.
6. Notarization: Selecting a third party to control the communication between
sender and receiver. (Third party will act as a proof of communication between sender and receiver).
7. Routing Control: Sending the data to receiver through different available round rather than
using single channel of communication. So, that to confuse intruder to focus on particular channel.
8. Access control: A variety of mechanisms that enforce access rights to users
on resources. Like PIN, Passwords OTP etc.. Relation between Security services and Mechanisms
Vishnu Institute of Technology
Mrs P. V. Vijaya DUrga
Cryptography & Network Security
Vishnu Institute of Technology
Dept of CSE
Mrs P. V. Vijaya DUrga
Download