Security Basic Notions

0.0(0)
Studied by 0 people
call kaiCall Kai
Locked
learnLearn
examPractice Test
spaced repetitionSpaced Repetition
heart puzzleMatch
flashcardsFlashcards
GameKnowt Play
Card Sorting

1/82

encourage image

There's no tags or description

Looks like no tags are added yet.

Last updated 8:35 PM on 7/9/26
Name
Mastery
Learn
Test
Matching
Spaced
Call with Kai
Chat

No analytics yet

Send a link to your students to track their progress

83 Terms

1
New cards

Information Security

Preservation of confidentiality, integrity, and availability of information

Other properties can also be involved, such as authenticity, accountability, nonrepudiation, and availability

2
New cards

Network Security

Protection of networks and their service from unauthorized modification, destruction, or disclosure

Provision of assurance that the network performs its critical functions correctly and there are no harmful side effects

3
New cards

Communications Security

Protection of communications through network devices

4
New cards

Device/System Security

Protection of device/system against intruders that could gain access to the system in various ways to perform unauthorized actions

5
New cards

Key objectives to achieve information and network security

Confidentiality

Integrity

Availability

Authenticity

Accountability

6
New cards

CIA Triad

Confidentiality

Integrity

Availability

7
New cards

Confidentiality

Data confidentiality: Assurance that private or confidential information is not made available or

disclosed to unauthorized individuals

Privacy: Assurance that individuals control or influence what information related to them may be

collected and stored and by whom and to whom that information may be disclosed

8
New cards

Integrity

Data integrity: Assurance that data and programs are changed only in a specified and authorized manner (incl. authenticity)

System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation (incl. accountability)

9
New cards

Availability

Assurance that a service is not denied to authorized users

10
New cards

Types of Attacks

Passive Attacks

Active Attacks

11
New cards

Passive Attacks

Attempt to learn or make use of information without affecting system resources

  • Eavesdropping

  • Traffic Analysis

Difficult to detect, but (relatively) easy to prevent

12
New cards

Active Attacks

Involve active actions on information flow

  • Masquerade/Impersonation

  • Replay Attacks

  • Data deletion

13
New cards

ITU-T X.800 Recommendation

Standard that establishes Security Service Framework

14
New cards

Security Service

a capability that supports one or more security objectives

15
New cards

Six (6) fundamental security services

  • Authentication

  • Access Control

  • Confidentiality

  • Integrity

  • Non-Repudiation

  • Availability

16
New cards

Authentication

Assurance that an entity is really the one who it claims to be (assurance can be provided in multiple ways)

Can be one-way or mutual

17
New cards

Peer Authentication

In a connection-oriented transfer, it ensures confidence that the entity you are communicating with is the one who claims to be

Usually performed at:

Connection Initiation

Connection Refresh

Re-synchronization

18
New cards

Connection Initiation

Establishment phase where two communication systems first greet each other and build a secure relationship

19
New cards

Connection Refresh

Maintenance phase that keeps an ongoing session secure over a long period of time

20
New cards

Re-synchronization

21
New cards

Data Authentication

In a connection-less transfer, it ensures that the source/destination of the data are the intended ones

22
New cards

Access Control / Authorization

Offers the assurance that the entity performing a given action has the rights to do so

23
New cards

Data Confidentiality

Guarantee that data are available only to intended parties

Protection against unauthorized disclosure

Specific portions of data may be protected

Prevention of Eavesdropping Attacks (e.g., reading a file)

24
New cards

Data Integrity

Assurance that data have not been modified maliciously

  • No insertion, modification,reordering

Prevention of Active Attacks

25
New cards

Non-Repudiation

Ensures that an entity cannot deny having done an action (e..g, either the sender or the receiver cannot deny to have sent/received a particular message)

Related to Data Authenticity, but extends the concept (time, data)

26
New cards

Services Availability

Property of a system to be always available and ready to serve requesting entities

27
New cards

Security Mechanism/Algorithm

A mathematical procedure applied to secure data

28
New cards

Security Protocols

Sequence of operations providing one or more security services to the data or the communication, through one or more security algorithms

29
New cards

Security Algorithms

AES

SHA-3

HMAC

Classes: Hashing, Key Agreement, Encryption, Symmetric and Asymmetric Crypto

30
New cards

Security Protocols

ECDH, TLS, WPA

Classes: Key Agreement

31
New cards
<p>Generic Network Security Model Details</p>

Generic Network Security Model Details

The channel is shared and publicly-available (also to attackers)

Sender and Receiver cooperate to securely exchange messages

  • Algorithms

  • Secrets

Trusted Third-Party (TTP) may be involved to distribute secrets and synchronize communications

32
New cards

Secure Transformation via Cryptography

Cryptography allows to hide the message content through a secure transformation

Such transformation is also reversable: anyone in possession of the correct information can re-obtain the original message, i.e., the plaintext, starting from the secure message, i.e., the ciphertext

33
New cards
<p>Elements of a Cryptosystem</p>

Elements of a Cryptosystem

  • Plaintext: m

  • Ciphertext: c

  • Encryption Key: k

  • Encryption Algorithm: E(k,m) = E k (m) = c

  • Decryption Key: k’

  • Decryption Algorithm: D(k’,c) = D k (m) = m

34
New cards

3 Dimensions of Cryptographic Systems

The type of operations used for transforming plaintext to ciphertext

The number of keys used

The way in which the plaintext is processed

35
New cards

The type of operations used for transforming plaintext to ciphertext

Substitution

Transposition

36
New cards

The number of keys used

Symmetric, or secret-key, encryption

Asymmetric, or public-key encryption

37
New cards

The way in which the plaintext is processed

Block cipher

Stream cipher

38
New cards
<p>Symmetric Cryptography features</p>

Symmetric Cryptography features

  • The encryption and decryption keys are the same (k = k’)

  • Limited computational overhead

  • Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure

  • Algorithm should be strong enough

39
New cards

Caesar’s Algorithm

  • Substitution cipher

  • Involves replacing each letter of the alphabet with the letter standing three places further down the alphabet (substitution cipher)

  • Alphabet is wrapped around so that the letter following Z is A

40
New cards

Attacking an Encryption System

Objective: Recover the key in use rather than simply to recover the plaintext of a single ciphertext

41
New cards

Two approaches to Encryption System attack

Cryptanalysis

Brute-force

42
New cards

Cryptanalysis

Rely on the nature of the algorithm plus some knowledge of the general characteristics of the plaintext

43
New cards

Brute-force

  • Try every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained

  • On average, attackers should try half of the possible keys to have success

  • Longer keys, higher security

44
New cards
<p>Vernam Cipher</p>

Vernam Cipher

  • Stream Cipher

  • Original version re-used keys after long periods of time, thus enabling cryptanalysis with sufficient ciphertext

  • Random key for each plaintext, no correlation with the plaintext Security depends on the randomness of the key

  • Theoretically unbreakable, but hardly feasible

    • Key Generation and Distribution

    • Perfect Security

45
New cards
<p>Stream Ciphers</p>

Stream Ciphers

  • Encryption of digital stream bit per bit or byte per byte

  • Keystream is of the same size of the plaintext

  • If the keystream is random, the cipher is unbreakable

  • Practical issues with actual deployment

    • Very long keystream for high-volume data

    • Distribution of such keystream to intended receivers

46
New cards
<p>Block Cipher</p>

Block Cipher

  • Encryption of a block of plaintext producing a block of ciphertext of the same size

  • Typical block size: 64 or 128 bits

  • Widely used in modern encryption systems

47
New cards
<p>Feistel Cipher</p>

Feistel Cipher

Alternating two basic operations

  • Substitutions: fixed replacement of groups of plaintext with groups of ciphertext

  • Permutations: the order in which the elements appear in the sequence is randomly changed

48
New cards

Steps of Feistel Cipher

  • Spit plaintext into half

  • Right side enters function with key k, XORd with left side

  • Left side switches positions with right side

  • Process repeated however many times

  • Same steps can be repeated to decrypt the ciphertext

49
New cards
<p>Data Encryption Standard (DES)</p>

Data Encryption Standard (DES)

  • Data are encrypted in 64-bit blocks using a 56-bit key

  • The algorithm transforms 64-bit input in a series of steps into a 64-bit output

  • The same steps, with the same key, are used to reverse the encryption

50
New cards

DES Steps

  • 64 bit key is generated (56 bits of actual key is used, 8 bits are parity bits)

  • 16 subkeys are generated from this initial key

  • Feistel cipher applied, 48 bit subkey is used in the function

  • Final 32 bit swap of both halves applied after 16 rounds

51
New cards

Limitations of DES

Keys are too short (56 or 64 bits)

  • Vulnerable to brute-forcing attacks in very short time

Differential and Linear Cryptanalysis can also break DES with less complexity than brute-forcing

52
New cards
<p>Advanced Encryption Standard (AES)</p>

Advanced Encryption Standard (AES)

Encryption and Decryption Operations are different circuits

10 rounds

53
New cards

Advanced Encryption Standard Round Steps

  1. Substitute Bytes (changing values with fixed lookup table)

  2. Shift Rows

  3. Shift Columns

  4. Add Round Key (XOR with Round Key derived from Main Key)

  5. Round Keys are generated using Key Expansion that generates words from preceding words

54
New cards

Mode of Operation

Specific way the cryptographic algorithm is used, in combination with the key and the plaintext, to generate the ciphertext

55
New cards

Mode of Operation Types

Electronic Code Book

Cipher Block Chaining

Cipher Feedback

Output Feedback

Counter Mode

56
New cards
<p>Electronic Code Book</p>

Electronic Code Book

Each block is encrypted separately

Simple to implement

Prone to cryptanalysis

Block order can be altered (no integrity)

57
New cards
<p>Cipher Block Chaining (CBC)</p>

Cipher Block Chaining (CBC)

Blocks ordering dependence

Error Propagation (errors propagate forever…)

58
New cards
<p>Cipher Feedback (CFB)</p>

Cipher Feedback (CFB)

Dependence on the past (same input, different output)

Works on group of s bits

  • S s → first s bits of S

Errors propagate to 1 + b/s parts of the plaintext

Not very fast (you need the plaintext..)

59
New cards

Steps of Cipher Feedback

b bit segment is the shift register that updates per iteration

b bit block split into b-s and s bit long segments

entire b bit segment is encrypted with function E and key k

s and b-s bit segments are swapped over

s is XORd with plain text segment, propagated to shift register, old s bits are discarded

due to this mechanism, errors can propagate for another b/s times

60
New cards
<p>Output Feedback</p>

Output Feedback

Similar mechanism to Cipher Feedback but instead the s bit is directly propagated to the shift register without XOR on plaintext

61
New cards
<p>Counter Mode</p>

Counter Mode

Start with a base value, increment it by 1 for every block of cipher text and encrypt it

Very fast

62
New cards
<p>AES - Galois Counter Mode (GCM)</p>

AES - Galois Counter Mode (GCM)

Extends Counter Mode with Authentication through creation of Auth Tag

mult H is a hashing function

63
New cards

Assymetric Cryptography

Encryption and Decryption Keys are different

Usage of complex problems over modular groups

Many different schemes

64
New cards
<p>Diffie Hellman (DH)</p>

Diffie Hellman (DH)

Both parties agree on a g and p value (even attacker knows this)

One party picks unique value “a,“ the other picks unique value ”b”

Exponent-Modulo calculation is done on a and b separately to create A and B

A and B are exchanged

A and B are raised to the parties other chosen number, to create the final key

Note: Does not have authentication mechanism built in, MITM can occur

65
New cards
<p>Rivest Shamir Adleman (RSA)</p>

Rivest Shamir Adleman (RSA)

Private key generated through two huge primes (p and q)

Signature is created using private key and exponential-modulo calc

Signature sent alongside original plaintext, receiving party unscrambles signature to verify authenticity

66
New cards

Usages of Asymmetric Cryptography

Confidentiality – Symmetric Key Distribution

Message Authentication

Data Confidentiality and Authentication (opposite also possible, both public and private key can be used to encrypt/decrypt information)

67
New cards
<p>Elliptic Curve Cryptography (ECC)</p>

Elliptic Curve Cryptography (ECC)

Elliptic Curve arithmetic, in place of modular arithmetic

Advantage: reduced computational complexity, and many existing problems are harder to solve

68
New cards
<p>ECC Basic Concepts</p>

ECC Basic Concepts

Any elliptic curve can be identified through six (6) parameters:

  • a,b parameters of the curve

  • G generator

  • n order

  • g cyclic group

  • γ, co-factor

Any scalar number a can be mapped on a curve through the generator G: A = a ⋅ G (it is possible to obtain A on the curve by jumping by G a times)

The addition of any two points on the curve gives another point: C = A + B (drawing line between A and B creates a new intersection at C)

69
New cards
<p>Elliptic Curve Diffie Hellman</p>

Elliptic Curve Diffie Hellman

Publicly agreed: curve equation, base point on curve

Parties A and B pick their scalars, public key calculated using point scalar multiplication

These new calculation results are exchanged

70
New cards

Cryptographic key management

The process of administering or managing cryptographic keys for a cryptographic system

71
New cards

What does Cryptographic Key Management Entail?

It involves the generation, creation, protection, storage, exchange, replacement, and use of keys and enables selective restriction for certain keys

In addition to access restriction, key management also involves the monitoring and recording of each key’s access, use, and context

A key management system also includes key servers, user procedures, and protocols

The security of the cryptosystem is dependent upon successful key management

72
New cards

Secure Key Generation

Secure = random and unpredictable

Performed using Random Number Generation

73
New cards

2 requirements for Security Viable random numbers

Randomness

  • Uniformly-distributed 0s and 1s

  • All bits independent from each other

Unpredictability

  • You cannot predict the next bits looking at previous ones

74
New cards
<p>Pseudorandom Number Generation and Functions</p>

Pseudorandom Number Generation and Functions

True random number generator: True random source converted to binary

Psuedorandom number generator: deterministic algorithm
Psuedorandom function: number generated depends on context info (ex. a string)

75
New cards

Randomness Tests

The generated bit stream needs to appear random even though it is deterministic

NIST SP 800-22

  • Uniformity, Scalability, Consistency

  • Frequency Tests (freq. of 0 and 1 in the generated stream are uniform)

  • Runs Tests (sequences of continuous 0 and 1 is as expected)

  • Maurer’s Tests (compression should lead to consistent information loss)

76
New cards

Algorithms for PRNG

Purpose-built algorithms (Algorithms designed specifically and solely for the purpose of generating pseudorandom bit streams)

Algorithms based on existing cryptographic algorithms (when processed, the cipher text stream looks indistinguishable from a random sequence)

77
New cards

Symmetric Key Distribution Options

Others should not see the key

Keys should also be changed frequently, to prevent compromise

  • A can select a key and physically deliver it to B

  • A third party can select the key and physically deliver it to A and B

  • If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key

  • If A and B each has an encrypted connection to a third-party C, C can deliver a key on the encrypted links to A and B

78
New cards

Asymmetric Key Distribution and Publication

Private key should be distributed (similiarly to symmetric)

Public key should be published

79
New cards
<p>One-way Hashing Functions</p>

One-way Hashing Functions

One-Way: for any given h, it is computationally impossible to obtain the message m used to generate h

Weak Collision Resistance (a.k.a. Pre-image Resistance): given x, it is computationally hard to find y ≠ x s.t. H(x) = H(y)

Strong Collision Resistance: it is computationally hard to find any pair of messages (x,y) s.t. H(x) = H(y)

80
New cards

Secure Hash Algorithm Parameters

Message Digest Size: size of the memory used within the algorithm to process the data

Message Size

Block Size: input message is processed in chunks of this size, a batch of the message

Word Size: Chunk of the message derived from block

Number of Steps: number of times the core compression function is applied

81
New cards
<p>Applications of One-Way Hashing Functions</p>

Applications of One-Way Hashing Functions

Message Integrity Verification

  • Digest of the message at the sender matches reconstruction on the receiver (receiver uses same hash function to check integrity)

Signature Generation and Verification (hashes are also encrypted)

82
New cards

Hashing and Confidentiality

Applying one-way hashes does not allow to recover plaintext information, but only to verify it

Thus, confidentiality cannot be provided

83
New cards

One-way Hashes usage (Services)

Integrity

Authenticity