Apply Encryption To

Network And System

Security
Lecture 3
What is Encryption?
• Encryption is the process of taking some information or data,
manipulating or changing its format in a way that stops it from being
used or read by unauthorized people or systems.
• Encryption involves scrambling data so that it needs to be
unscrambled, or decrypted, to be read.
• Encryption can be applied to data in storage (file systems, media, etc)
or in transit via network or Internet connections.
Encryption Methods
• Information encrypted needs to be decrypted by authorised systems
or people for it to be of any use. To decrypt, the receiver may need
some additional information.
• For example you are given a coded message on a piece of paper. To read it
you need to know how it was coded. It may use a simple method of
substituting numbers for letters but to decipher the message you need to
know what letter equates to what number. This is the 'key' that will unlock
the code.
The encryption process requires the following:

• Original information – This is the data or information prior to being

encrypted (may be referred to as plain or clear text)
• An algorithm – a mathematical formula or process that accepts the
input of original information and key data to produce an output or
coded information (called cipher text)
• Key data – data used by an encryption algorithm to encrypt or decrypt
information
• Cipher text – this is the encrypted original information produced by
the encryption algorithm and key data.
The algorithm may work in both directions meaning that information
can be encrypted and decrypted with the correct keys.
Ciphering
• Ciphering is the process of how data or the original information is
converted into cipher text.
• The process uses algorithms and encryption processes, but more
specifically this refers to how the raw data is managed.
• There are generally two cipher methods.
• Stream cipher
• Block cipher
Stream cipher
• is a relatively simple method where each bit of data in the original
information is sequentially encrypted using one bit of the key.
• If the key is of a fixed length it may be possible to mathematically
deduce the key by analysing the cipher text.
• Using a variable length key or continually changing the key in the
stream cipher process can theoretically produce an unbreakable
encryption system.
• One-Time pad is the process of continually varying the encryption key
with random numbers. This method is not commonly used because
of overheads and encrypting efficiency.
Block cipher
• encrypts the original information into chunks. Depending upon the
encryption system, the size of these chunks or blocks will be fixed.
• Each block is processed by an algorithm and key to produce blocks of
cipher text.
• These cipher text blocks can be further used with encryption keys to
strengthen the encryption.
• Block cipher processes more data than stream cipher on each pass
and is more commonly used today.
Private Key Encryption
• Private key encryption is also known as symmetric encryption or
single key encryption.
• This encryption method requires the use of one key to both encrypt
and decrypt information.
• All people and systems accessing the cipher text must use the same
key to decipher that was used to encrypt the data.
Public Key Encryption
• Public key encryption, also known as asymmetrical encryption, uses
two keys known as a key pair.
• One key is a private key and it is kept secret, only known to one
person or system.
• A second key, known as the public key, is generated (mathematically
derived) from the private key.
• The public key is not kept secret and is freely distributed to people or
systems that wish to use encryption.
Authentication - Digital Signatures
• The public key is not secret and freely available so anyone could have
encrypted the original data or information.
• The originator can authenticate their data by using their private key.
• This is done by using the originator's private key to encrypt
information about the original data (usually checksum information).
• This encrypted information is kept with or appended to the original
data. This is known as a digital signature.
• The purpose of digital signatures is to certify information, not conceal
it.
Digital Certificates
• If the recipient of the message wishes to verify the digital signature
they must use the sender's public key.
• Digital Certificates provide a means of identifying and managing
public keys. A digital certificate is a password protected and
encrypted file that contains information about an individual's identity
and their public key.
• A certificate server stores digital certificates and is used as a central
location for users requiring public keys.
Public Key Infrastructure (PKI)
• Public Key Infrastructure provides a means for users of an insecure
network to exchange data securely and privately.
• It is a complete infrastructure using public key encryption to provide
the end to end security, confidentiality and accountability required for
information exchange.
A public key infrastructure consists of:

• A certificate authority (CA) that issues and verifies digital certificates. A

certificate includes the public key or information about the public key.
• A registration authority (RA), a network authority that verifies user
requests for a digital certificate and tells the certificate authority (CA) to
issue it.
• Locations where the certificates (with their public keys) are held.
• A certificate management system.
Kerberos
• Kerberos is an authentication protocol that uses secret-key encryption
to verify client identity and exchange information securely.
• When a user attempts to logon to a server or system, a local agent
sends an authentication request to the Kerberos server.
• The server responds by sending encrypted credentials for the user
back to the requesting server or system.
• These credentials are then decrypted using the user-supplied
password.
• If this is successful, the user is issued Kerberos authentication tickets
and a set of cipher keys to encrypt data sessions.
Internet Protocol Security (IPSec)
• This protocol defines encryption, authentication and key management
for TCP/IP transmissions. It secures data in transmission by various
means at the IP packets level.
The key components of IPSec are:
• Authentication Header (AH) This component authenticates and
validates data packets. Each packet basically contains a digital
signature
• Encapsulation Security Payload (ESP) This component encrypts the
data payload of the packet.
• Internet Key Exchange (IKE) The above components AH and ESP use
asymmetric encryption. IKE manages the public/private key
exchanges for encryption and decryption.
IPSec can operate in two modes:

• 'Transport' mode encrypts communications between two hosts.

• 'Tunnel' mode places an encrypted IP packet into a traditional IP
packet to ‘tunnel through' to a destination. This is used to support
VPN transmissions.
Point-to-Point Tunnelling Protocol (PPTP)
• The original Point-to-Point Protocol (PPP) is an encapsulation protocol
for transporting IP traffic over point-to-point connections.
• The Point-to-point Tunnelling Protocol (PPTP) is an expansion of the
existing Point-to-Point Protocol (PPP).
• PPTP uses the same principle of encapsulating other protocol packets
so that they can be transported via a switched network (the Internet)
to a specific destination.
Virtual Private Network (VPN)
• Virtual Private Networks are basically a secure connection through a
network (Internet, WAN, etc) that connects either computers or
networks together.
• These connections make remote users appear that they are on one
single network.
• The main functions provided by VPNs are tunneling, data security,
data integrity and authentication
Secure Sockets Layer (SSL)
• This is a method of encrypting TCP/IP transmissions between hosts.
• It is used for the encrypt web pages and data on web forms reroute.
The encryption method uses public key encryption.
• It requires Digital Certificates
Secure Shell (SSH)
• This provides a secure means of establishing remote connections to a
host.
• It provides authentication via the exchange of digital certificates and
uses public key encryption.
• It is mainly used in Unix/Linux environment and is a means of using
insecure protocols (telnet, ftp, etc) in a secure fashion.
Pretty Good Privacy (PGP)
• This is one of the most popular encryption programs.
• This is a public key encryption system that provides authentication
and encryption.
• It is commonly used for email transmissions and supports a wide
range of operating systems.
Secure Data Storage
• Encryption may be used to protect the confidentiality, integrity and
authenticity of data in storage, such as that on a hard disk drive or
tape.
• Most operating systems and storage systems have inbuilt encryption
facilities.
• Implementing these may be more efficient but does place a reliance
on the operating system.
Threats to Encryption Systems
• Deficiencies in human and business processes or procedures
• Deficiencies in the cipher algorithm or process
• Brute force attacks against the key
Implementing Encryption Solutions
• In all cases, any implementation of encryption solutions will be
governed by the security requirements for an organisation or process.

• The benefits of encryption need to be weighed against the real

threats to data security, implementation requirements and costs.