(c) razmi.zahir@gmail.

com 30-Sep-23

13.4.2 Data Security

• Data security refers to protective digital privacy measures that are applied to prevent
unauthorized access to computers, databases and websites.
• Data security also protects data from corruption.
• Data security is an essential aspect of IT for organizations of every size and type.
• Methods of data security include file encryption and password protection
• Cryptography involves creating written or generated codes that allow information to be kept
secret.
• Data security applies to:
• personal files,
• email transfers,
• data stored in the cloud,
• secure web sites,
• digital devices,
• Internet of Things devices

Number of possible codes to unlock a padlock

• A 2-digit padlock can have a key between 00 and 99 (102)
• A 3-digit padlock key possibilities are between 000 and 999(103)
• If you have an n digit padlock, the possibilities are 10n
• The more digits in the lock, it becomes more difficult to break the lock
• Imagine a binary 3 bit padlock:
• possible combinations are 000,001,010,011,100,101,110,111 (23 = 8)
• If the encryption key is 128 bits, that means there are (2128 possibilities)

A 256-bit encryption key is significantly more difficult for brute-force

attacks to guess than a 128-bit key; however, because the latter
takes so long to guess, even with a huge amount of computing
power, it is unlikely to be an issue for the foreseeable future.

1
(c) razmi.zahir@gmail.com 30-Sep-23

Cryptography
• Cryptography involves creating written or generated codes that allow
information to be kept secret.
• Cryptography converts data into a format that is unreadable for an
unauthorized user, allowing it to be transmitted without unauthorized
entities decoding it back into a readable format, thus compromising the data.
• Information security uses cryptography on several levels.
• The information cannot be read without a key to decrypt it.
• The information maintains its integrity during transit and while being stored.
• Cryptography also aids in non-repudiation. This means that the sender and the
delivery of a message can be verified.
• Cryptography is also known as cryptology.

Encryption
• Encryption is the process of encoding data, making it unintelligible and scrambled.
• In a lot of cases, encrypted data is also paired with an encryption key, and only those that possess
the key will be able to open it.
• An encryption key is a collection of algorithms designed to be totally unique.
• These are able to scramble and unscramble data, essentially unlocking the information and
turning it back to readable data.
• Encryption does not itself prevent interference, but denies the intelligible content to a would-be
interceptor.
• With end-to-end encryption, only the sender and recipient are able to unlock and read the
information. For example with WhatsApp, the messages are passed through a server, but it is not
able to read the messages.
• There are two main types of encryption
• Symmetric encryption
• Asymmetric encryption (public-key cryptography)

2
(c) razmi.zahir@gmail.com 30-Sep-23

Symmetric encryption
• Symmetric encryption is the process of using the same key for both encrypting and
decrypting data.
• This will mean two or more parties will have access to the same key, which for some is
a big drawback, even though the mathematical algorithm to protect the data is pretty
much impossible to crack.

An example of using symmetric encryption

• Claire, the sender, wants to send Jacqueline, the recipient, a confidential document
• Claire would use the secret key to encrypt the file and send it to Jacqueline, who
would be unable to read its contents until she entered the same key that Claire just
used to encrypt the file.
• Conversely, if Jacqueline makes changes to the document and wishes to share them
with Claire, she’d use the same key to re-encrypt the file and send it back to Claire,
who will use the same key to decrypt the file and access its contents, and the process
repeats itself.
• Symmetric encryption is not limited to the sharing of data between one sender and
one recipient.
• Symmetrically encrypted information can be accessed by anyone – Claire, Jacqueline,
their co-worker Frank, their boss, Jennifer, etc. – who ever knows the secret key.
• There in lies the problem when the same key is used. Too many people might know it.

3
(c) razmi.zahir@gmail.com 30-Sep-23

Advantages and disadvantages of symmetric encryption

Security: symmetric encryption algorithms like AES take billions of years to crack using brute-force
attacks.
Speed: symmetric encryption, because of its shorter key lengths and relative simplicity compared to
asymmetric encryption, is much faster to execute.
Industry adoption and acceptance: symmetric encryption algorithms like AES have become the gold
standard of data encryption because of their security and speed benefits, and as such, have enjoyed
decades of industry adoption and acceptance.
Use of a single, secret cryptographic key to encrypt and decrypt information.
If this secret key is stored in an insecure location on a computer, then hackers could gain access to it
using software-based attacks, allowing them to decrypt the encrypted data and thereby defeating the
entire purpose of symmetric encryption.
In addition, if one party or entity is encrypting at one location and a separate party or entity
decrypting at a second, then the key will need to be transmitted, leaving it vulnerable to interception
if the transmission channel is compromised.

Examples of symmetric algorithms

• AES encryption is used by the U.S. government to protect classified information and is implemented in software
and hardware throughout the world to encrypt sensitive data
• AES encryption, which uses block ciphers of 128, 192, or 256 bits to encrypt and decrypt data, is one of the most
well-known and effective symmetric encryption techniques in use today.
• It would take billions of years to crack, and that’s why it’s used to secure sensitive information in government,
healthcare, banking, and other industries
• Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits.
• Blowfish uses block cipher that uses a variable-length key, from 32 bits to 448 bits, making it useful for both
domestic and exportable use.
• DES encryption is now considered to be a legacy symmetric encryption algorithm because it has long been
ineffective at safeguarding sensitive information from brute-force attacks.
• Triple data is key block cipher, which applies the DES cipher algorithm three times to each data block.

4
(c) razmi.zahir@gmail.com 30-Sep-23

Block and stream cipher

• A block cipher is a method of encrypting data in blocks to produce ciphertext
using a cryptographic key and algorithm.
• The block cipher processes fixed-size blocks simultaneously, as opposed to a
stream cipher, which encrypts data one bit at a time.
• Since Block Cipher converts blocks at a time, it converts a more significant
number of bits than Stream Cipher.
A brute-force attack is a trial-and-error method
used by application programs to decode login
information and encryption keys to use them to
gain unauthorized access to systems.

Using brute force is an exhaustive effort rather

than employing intellectual strategies.

Asymmetric (Public-key) cryptography

• Asymmetric cryptography uses a pair of keys one for encrypting the data and the other for decrypting it.
• The first key is called the public key and the second is called the private key.
• The public key is shared with the servers so the message can be sent, while the private key, which is owned
by the possessor of the public key, is kept a secret, totally private.
• Only the person with the private key matching the public one will be able to access the data and decrypt it,
making it impenetrable to intruders.

5
(c) razmi.zahir@gmail.com 30-Sep-23

An example of using public-key cryptography

• Alice, the sender, and Bob, the recipient, want to continually send a confidential file back and
forth to each other
• Alice and Bob will give their unique and respective public keys to each other.
• Alice will then use Bob’s public key to encrypt the file, since it’s intended for Bob only, and
send the file to Bob.
• Upon receipt of the file, Bob will use his private key – keyword, “private,” meaning no one
else other than Bob knows it - to decrypt the file and access its contents.
• No one other than Bob, not even Alice, can decrypt this file, because no one other than Bob
knows Bob’s private key.
• The same process applies when Bob wants to send the file back to Alice. Bob ties it to Alice’s
public key, and Alice uses her private key to decrypt the file.

Advantages and disadvantages of public-key encryption

Key distribution not necessary: securing key distribution channels has long been a headache
in cryptography.
• Asymmetric encryption eliminates key distribution entirely.
• The needed public keys are exchanged through public-key servers.
• The shared public keys cannot be used to derive private keys.
Exchange of private keys not necessary: with asymmetric encryption, private keys should
remain stored in a secure location and thus private to the entities using them.
Digital signature authentication: with asymmetric encryption, senders can use their private
keys to digitally sign and verify that a message or file originated from them and not an
untrusted third party.
Slower than symmetric encryption because of its longer key lengths, not to mention that
asymmetric encryption calculations tend to be much more complex than their symmetric
counterparts.

6
(c) razmi.zahir@gmail.com 30-Sep-23

Is asymmetric more secure than symmetric encryption?

• Technically, whether symmetric or asymmetric encryption is more secure depends largely on
key size and the security of the media that stores or transmits cryptographic keys.
• One reason asymmetric encryption is often regarded as more secure than symmetric
encryption is that asymmetric encryption, unlike its counterpart, does not require the
exchange of the same encrypt-decrypt key between two or more parties.
• Yes, public keys are exchanged, but users sharing data in an asymmetric cryptosystem have
unique public and private key pairs, and their public keys, because they’re used for encryption
only, pose no risk of unauthorized decryption by hackers.
• Should the public keys become known, hackers cannot decrypt the encrypted data as the
private key is not known

Examples of asymmetric algorithms

• Elliptical curve cryptography (ECC) is a technique based on elliptic curve theory
that can be used to create faster, smaller, and more efficient cryptographic keys.
• Diffie–Hellman is a method of securely exchanging cryptographic keys over a
public channel and was one of the first public-key protocols.
• RSA is based on the practical difficulty of the factorization of the product of two
large prime numbers, the "factoring problem".

7
(c) razmi.zahir@gmail.com 30-Sep-23

End-to-end encryption
• End-to-end encryption is intended to prevent data being read or secretly modified, other than by the true
sender and recipient(s).
• The messages are encrypted by the sender but the third party does not have a means to decrypt them, and
stores them encrypted.
• It uses an asymmetric encryption algorithm.
• Text messaging applications frequently use end-to-end encryption

Non-repudiation
• Data encrypted with the public key can only be decrypted with the private key, and data encrypted with the
private key can only be decrypted with the public key.
• Alice, Bob and Janice.
• Bob got a message to meet at 5. How can he be sure its from Alice and not from someone else?
• Alice must encrypt the message first using her private key.
• The encrypted message will then be encrypted again using Bob’s public key and sent out…
• How can Alice be sure only Bob can read it?
• As only Bob has his private key, only he can read it..
• How can Bob be sure the message is from Alice?
• Only Alice has access to her private key..
• So the 2nd decryption using Alice’s public key means the message was indeed sent by Alice.

Asymmetric encryption also provides non-repudiation which means

that the sender cannot deny sending a message or altering its
contents this is because the message is encrypted with the sender s
private key and only their public key can decrypt it

8
(c) razmi.zahir@gmail.com 30-Sep-23

Encryption approach: Full-disk encryption (FDE)

• Full-disk encryption (FDE) or “whole disk” encryption methods encrypt every file stored on the drive (or
drives), including the operating system.
• FDE and self-encrypting drives (SED) encrypt data as it is written to the disk and decrypt data as it is read off
the disk.
• Everything on the drive is encrypted, including temporary files, increasing security of all your data.
• If a user loses his password that grants access to the encrypted system, he has no access to his data at all.
Since all data on the drive is encrypted, even if an alternative boot medium is used against an encrypted
system, the data on the drive is unreadable and therefore useless to the thief.
Simplest method of deploying encryption
Transparent to applications, databases, and users.
High-performance, hardware-based encryption
Some FDE programs can cause an increase in data access times.
Addresses a very limited set of threats—protects only from physical loss of storage media.
Lacks safeguards against malicious insiders, or external attackers
Meets minimal compliance requirements
Doesn’t offer access audit logs
• FDE is suitable for laptops and mobile devices, which are highly
susceptible to loss or theft.
• FDE isn’t suitable for risks faced in data center and cloud environments.

Encryption approach: File Level encryption

• File/folder encryption, is a form of disk encryption where individual files or directories are
encrypted by the file system itself.
• Files that you need to encrypt can be stored in a particular folder and data that does not need
to be protected can be stored elsewhere.
• When there is a need to move the data, data can be encrypted on a file level and then moved
off the storage location, one needs to make sure that the unencrypted copy is removed.
• Modern operating systems can perform efficient file encryption on the fly.
Many file-level encryption products allow you to integrate access-level restrictions. This allows
you to manage who has access to what.
Some file-level encryption systems offer the capability to track who attempts to access a file
and when.
File-level encryption tends to consume less resource overhead, thus less impact on system
performance.
Performance issues can be caused for backup processes.
Extra resources for key management are required since more keys need to be managed.
• You could encrypt a file in Microsoft Windows by right clicking and selecting encrypt file in
advanced option.

9
(c) razmi.zahir@gmail.com 30-Sep-23

Digital certificate
• A digital certificate is an electronic document used to prove the validity of a public key.
• Digital certificate authentication helps organizations ensure that only trusted devices and users can
connect to their networks.
• A digital certificate certifies the ownership of a public key by the named subject of the certificate.
• A certificate authority (CA) stores, signs, and issues digital certificates.
• These certificates are data files used to cryptographically link an entity with a public key.
• Web browsers use them to authenticate content sent from web servers, ensuring trust in content
delivered online
• The certificate includes information about
• the key,
• information about the identity of its owner (called the subject),
• and the digital signature of an entity that has verified the certificate's contents (called the issuer).
• If the signature is valid, and the software examining the certificate trusts the issuer, then it can use
that key to communicate securely with the certificate's subject

Certificate Authority (CA)

• A Certificate Authority is an organization that issues the certificate.
• It is a trusted entity that issues Secure Sockets Layer (SSL) certificates.
• A Certificate Authority maintains a list of certificates that have been issued.
• The Certificate Authority verifies that the entity/business registering the certificate is who
they say they are.
• A Certificate Authority maintains a list of certificates that have been revoked (officially
cancelled)/expired.
• A Certificate Authority determines if a certificate is authentic/valid.

10
(c) razmi.zahir@gmail.com 30-Sep-23

Obtaining a digital certificate

Obtaining a digital certificate

• An applicant for a digital certificate will generate a key pair consisting of a private key and a public key, along
with a certificate signing request (CSR).
• A CSR is an encoded text file that includes the public key and other information that will be included in the
certificate (e.g. domain name, organization, email address, etc.).
• Key pair and CSR generation are usually done on the server or workstation where the certificate will be installed,
and the type of information included in the CSR varies depending on the validation level and intended use of the
certificate.
• Unlike the public key, the applicant’s private key is kept secure and should never be shown to the CA (or
anyone else).
• After generating the CSR, the applicant sends it to a CA, who independently verifies that the information it
contains is correct and, if so, digitally signs the certificate with an issuing private key and sends it to the
applicant.
• When the signed certificate is presented to a third party (such as when that person accesses the certificate-
holder’s website), the recipient can cryptographically confirm the CA’s digital signature via the CA’s public key.
• Additionally, the recipient can use the certificate to confirm that signed content was sent by someone in
possession of the corresponding private key, and that the information has not been altered since it was signed

11
(c) razmi.zahir@gmail.com 30-Sep-23

Contents of a digital certificate

• (Public/encryption) key value of the owner
• Identity/unique ID/name of the owner
• Identity/unique ID/name of the issuer/certificate authority
• Digital signature of the issuer/certificate authority
• Serial number of the certificate
• Date of issue
• Expiry date

SSL (Secure Socket Layer) certificate

• An SSL certificate is a form of digital certificate which is used to authenticate a website.
• This means any communication or data exchange between browser and website is secure
provided this certificate can be authenticated.
• Examples of where SSL would be used:
• online banking and all online financial transactions
• online shopping/commerce
• when sending software out to a restricted list of users
• sending and receiving emails
• using cloud storage facilities
• intranets and extranets (as well as the internet)
• Voice over Internet Protocols (VoIP) when carrying out video chatting and/or audio chatting over
the internet
• used in instant messaging
• when making use of a social networking site

12
(c) razmi.zahir@gmail.com 30-Sep-23

Password protection
• Password protection allows only those with an authorized password to gain access to certain
information
• All modern secure computer systems store users' passwords in an encrypted format.
• Whenever a user logs in, the password entered is encrypted initially, then compared to the
stored encryption of the password associated with the user's login name.
• A match succeeds and a mismatch fails -- it's that simple!
• Password encryption is usually a one-way process.
• This process uses a hashing algorithm, which always produces the same result for a given
password, but a very different one if even one character is mis-typed.
• Passwords could be stored as
• Plaintext
• hash, • Password: abc4
Encryption: e47e4f3a015b2bf63c3411fd87ab3579
• salted hash,
• Password: ABC4
• reversibly encrypted Encryption: ac3053745f6e1c8299a62d8732793fe6

Ways that passwords could get compromised

• Weak encryption used
• The system you are logging into may fail to encrypt your password before storing it
• The password may be exposed prior to encryption
• Temporary files might be used in the process.
• The system might be attached to an insecure network.
• The system support personnel could be untrustworthy.
• Your bank? Probably trustworthy. Your favorite leisure website? maybe not.
• The system may not really be the one you think it is
• Phishers could get you to disclose sensitive personal info., including your password.
• Strong passwords actually can be cracked
• Given time, a brute force attack could crack the password.

What is the difference between logon/authentication passwords and passwords on files/ compressed files?
• A login credential is a set of unique identifiers–such as a username and password–that enables a user to verify
identity in order to log in to an account.
• Password protecting a file prevents immediate access to your document, but the file is still in plain view behind the
fence. The valid password will unlock its contents.

13
(c) razmi.zahir@gmail.com 30-Sep-23

Hashing algorithm
• A hashing algorithm is a mathematical function that garbles data and makes it unreadable.
• Hashing algorithms are one-way programs, so the text can't be unscrambled & decoded by anyone else.
• Once a password is stored as a hashed text, you cannot unscramble it. You can only authenticate by
entering your password and checking whether the hashed value generated matches what is stored
• The hash will not have the same length as the plaintext. It would be longer.
• Salted hashing is essentially an additional step to keep passwords out of the hands of malicious hackers.
• It works rather simply, when a password is collected, salt (random data) is added to the password. This
password is then hashed.

Reversible encryption
• Storing encrypted passwords in a way that is reversible means that the encrypted passwords
can be decrypted.
• Reversible encryption is not commonly used for passwords because the specific requirements
and parameters of password authentication are incompatible with the weakness of
reversible encryption.
• The primary weakness of reversible encryption is simple: if the key is compromised, the
encrypted data is compromised.
• Encryption is generally reversible. If not reversible, the encrypted data are considered
unreadable and unusable. This reversal process is referred to as decryption.

• What is the difference between hashing and encryption?

• Encryption is a two-way function that includes encryption and decryption whilst hashing is a
one-way function that changes a plain text to a unique digest that is irreversible.

14