
Foundation of Information Security
Lecture-3
Topics Covered…
• Definition of Information Security
• CIA Triad
• Security Terminology
• Security Terminology and Relationship
• Types of Attacks/Attackers
• Countermeasure
• Threat Consequences
Today’s Content…

• Security Policy
• Confidentiality
• Cryptographic Solution
• Symmetric Approach
• Asymmetric Approach
Security Policy

• A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.
• The CIA principle helps in designing a security policy.

Security Policies
• It is important to implement policies and to take the appropriate steps to educate users about those policies.
• Information security policies should be comprehensive but flexible enough to accommodate changes in technology without requiring frequent rewrites.
• The policies should also be made available to all members of the organization and its affiliates.
Security Functional Requirements
Countermeasures that may be used to reduce vulnerabilities and deal with threats to system assets fall into two groups:

1. Countermeasures that require computer security technical measures, either hardware or software, or both; and
2. Countermeasures that are fundamentally management issues.

Technical and managerial approaches need to be combined to achieve effective computer security!
Computer Security Strategy
• Specification/policy
- what is the security scheme supposed to do?
- codify in policy and procedures
• Implementation/mechanisms
- how does it do it?
- prevention, detection, response, recovery
• Correctness/assurance
- does it really work?
- assurance, evaluation
Computer and Network Attacks
An attacker uses a tool to exploit a vulnerability to perform an action on a target in order to achieve an unauthorized result.

- A Common Language for Computer Security Incidents, John D. Howard, Thomas A. Longstaff, 1998
Defense in Depth
• Strategy toward preventing security attacks: controls are stacked in successive layers, so an attacker who gets past one layer still faces the next.
• Layers as built up on the slides, outermost first:
- Firewall, VPN, Penetration Testing, Proxy
- IDS/IPS, Penetration Testing, Logging
- Antivirus, IDS/IPS, Penetration Testing, Authentication
- Content Filtering, Penetration Testing, SSO
- Access Control, Encryption, Backup

- Foundation of Information Security: A Straightforward Introduction, Jason Andress.

Confidentiality

• Cryptographic Solution
• Symmetric Approach
• Asymmetric Approach
Basic Setup:
• Communication over an insecure channel
• Types of insecure channel:
  • Internet (unprotected network of computers)
  • Wifi (not password protected)
  • Air Waves (GSM connection) etc.
Meet Alice and Bob
• Alice sends a message to Bob at the Bank over an insecure network channel.
• The message is NOT ENCRYPTED:
  Username: sweetalice
  Password: alice123
  TRANSFER Rs. 100 TO ACCOUNT NO. XYZ

Meet Charlie – the eavesdropper
• Charlie sits on the channel between Alice and Bob and can listen.
• Username, Password sent in clear!!! Charlie listens and gets the login details of Alice.
• Charlie can also modify the message in transit:
  Sent by Alice:   TRANSFER Rs. 100 TO ACCOUNT NO. XYZ
  Received by Bob: TRANSFER Rs. 1000000 TO ACCOUNT NO. 5678
Confidentiality can be achieved using encryption/decryption

Message (I love you) → E → ^d@#*^&!h^*hi → Secure Network → ^d@#*^&!h^*hi → D → Message (I love you)

E: Encryption – Charlie cannot see what is being sent over the channel
D: Decryption – Bob can successfully decrypt the message
Basic Definitions:
• Plaintext (P) – The original message
• Ciphertext (C) – The scrambled message
• E() – Encryption Function
• D() – Decryption Function

Q. To ensure safety of our data, should the enc./dec. algorithm be known to all or kept secret ??
Why secrecy of algorithms is not a good idea ?
1. Maintaining secrecy of algorithms is very cumbersome
• Industrial espionage
• Insider Threat
• Reverse Engineering of the code

2. Public design enables establishment of standards
• Designs which withstand years of public scrutiny are likely to gain more confidence in their robustness
• Better that flaws are revealed by ethical hackers than by malicious attackers
Thought to be secure: the Enigma Machine

Alan Turing and his team broke the Enigma encryption method.
But …
• We can’t make everything public
• Eve can easily decrypt then

• Incorporate a second parameter: the “KEY”
• Short secret data shared by both communicating parties

Kerckhoffs’ Principle [1883]:

A cryptosystem should be secure even if the attacker knows all the details of the system, with the exception of the secret key.
Depending upon the key, cryptosystems can be
divided into:

• Symmetric Cryptosystems
• Asymmetric Cryptosystems
Symmetric Encryption
• Both the parties use the same key to encrypt and decrypt

Plaintext:  Hi, Meet you at Starbucks on Friday at 3:00 PM.
→ Encryption (shared key) →
Ciphertext: xydA@tyhskykb mc88888*!$6jgj gb768$gh^kkdv mmmvmvbb
→ Decryption (shared key) →
Plaintext:  Hi, Meet you at Starbucks on Friday at 3:00 PM.
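The cleartext login that Charlie reads off the channel and the symmetric scheme just described, as an added example that is not part of the lecture: a public algorithm whose only secret is the shared key, so Charlie sees only ciphertext, and a tag that lets Bob detect Charlie's "Modify" step. The construction (SHA-256 keystream plus HMAC), the key value and the names are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Added classroom construction (not from the lecture): the algorithm is public
# and the only secret is the shared KEY, as Kerckhoffs' principle requires.
# Keystream blocks SHA-256(enc_key || nonce || counter) are XORed with the
# plaintext; an HMAC tag lets Bob detect Charlie's "Modify" step. This is a
# teaching cipher, not a standardised one such as AES-GCM.
NONCE_LEN, TAG_LEN = 16, 32

def derive(key: bytes, purpose: bytes) -> bytes:
    # Separate encryption and MAC keys from the one shared secret.
    return hashlib.sha256(key + purpose).digest()

def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """E(): nonce || ciphertext || tag, the bytes that actually cross the channel."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(derive(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(derive(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt(key: bytes, wire: bytes):
    """D(): the plaintext, or None when the tag shows a wrong key or tampering."""
    nonce, ciphertext, tag = wire[:NONCE_LEN], wire[NONCE_LEN:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(derive(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = keystream(derive(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))

def charlie_sees(wire: bytes) -> str:
    """What the eavesdropper observes on the channel, rendered as text."""
    return wire.decode("utf-8", errors="replace")

# Constructed sample: the slides' message and a key agreed beforehand, never sent.
MESSAGE = b"Username: sweetalice\nPassword: alice123\nTRANSFER Rs. 100 TO ACCOUNT NO. XYZ"
SHARED_KEY = b"alice-and-bob-shared-secret"
```

Without encryption `charlie_sees(MESSAGE)` shows the password; with it, `charlie_sees(encrypt(SHARED_KEY, MESSAGE))` is noise, and any byte Charlie changes makes `decrypt` return None instead of a forged transfer.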
Asymmetric Encryption
• Communicating parties use two keys – public key (known to all) and private key (known only to owner) to encrypt and decrypt

1. Bob gives Alice his public key
2. Alice uses the public key of Bob to encrypt her message
   Plaintext:  Hi, Meet you at Starbucks on Friday at 3:00 PM.
   → Encryption (Bob’s public key) →
   Ciphertext: xydA@tyhskykb mc88888*!$6jgj gb768$gh^kkdv mmmvmvbb
3. Bob receives Alice’s encrypted message
4. Bob uses his private key to decrypt her message
   Ciphertext: xydA@tyhskykb mc88888*!$6jgj gb768$gh^kkdv mmmvmvbb
   → Decryption (Bob’s private key) →
   Plaintext:  Hi, Meet you at Starbucks on Friday at 3:00 PM.
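The four-step exchange above, as an added toy example that is not part of the lecture: textbook RSA with tiny constructed primes (61 and 53), so Bob's key pair, Alice's public-key encryption and Bob's private-key decryption can be followed by hand. The function names and parameters are assumptions for the example.

```python
import math

# Added teaching example (not the lecture's code): textbook RSA with tiny,
# hard-coded primes, only to make the four steps on the slides concrete.
# Real RSA uses ~2048-bit primes and OAEP padding; this toy n is trivially
# factored and repeated bytes give repeated ciphertexts, so never use it as-is.

def keygen(p: int, q: int, e: int = 17):
    """Step 1: Bob's key pair. (n, e) is handed to everyone, (n, d) stays with Bob."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)

def encrypt(public_key, plaintext: bytes) -> list:
    """Step 2: Alice encrypts each byte m as c = m^e mod n with Bob's PUBLIC key."""
    n, e = public_key
    if n <= 255:
        raise ValueError("n must exceed the largest byte value")
    return [pow(m, e, n) for m in plaintext]

def decrypt(private_key, ciphertext: list) -> bytes:
    """Step 4: Bob recovers m = c^d mod n with his PRIVATE key; Eve only holds e."""
    n, d = private_key
    return bytes(pow(c, d, n) for c in ciphertext)

# Constructed toy parameters: p = 61, q = 53 give n = 3233, phi = 3120, d = 2753.
BOB_PUBLIC, BOB_PRIVATE = keygen(61, 53)
MESSAGE = b"Hi, Meet you at Starbucks on Friday at 3:00 PM."
```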
Asymmetric Encryption

• Can the reverse be used, i.e., private key is used for encryption and
public key is used for decryption ?
• Why or why not ?
