1/82
Looks like no tags are added yet.
Name | Mastery | Learn | Test | Matching | Spaced | Call with Kai | Chat |
|---|
No analytics yet
Send a link to your students to track their progress
Information Security
Preservation of confidentiality, integrity, and availability of information
Other properties can also be involved, such as authenticity, accountability, nonrepudiation, and availability
Network Security
Protection of networks and their service from unauthorized modification, destruction, or disclosure
Provision of assurance that the network performs its critical functions correctly and there are no harmful side effects
Communications Security
Protection of communications through network devices
Device/System Security
Protection of device/system against intruders that could gain access to the system in various ways to perform unauthorized actions
Key objectives to achieve information and network security
Confidentiality
Integrity
Availability
Authenticity
Accountability
CIA Triad
Confidentiality
Integrity
Availability
Confidentiality
Data confidentiality: Assurance that private or confidential information is not made available or
disclosed to unauthorized individuals
Privacy: Assurance that individuals control or influence what information related to them may be
collected and stored and by whom and to whom that information may be disclosed
Integrity
Data integrity: Assurance that data and programs are changed only in a specified and authorized manner (incl. authenticity)
System integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation (incl. accountability)
Availability
Assurance that a service is not denied to authorized users
Types of Attacks
Passive Attacks
Active Attacks
Passive Attacks
Attempt to learn or make use of information without affecting system resources
Eavesdropping
Traffic Analysis
Difficult to detect, but (relatively) easy to prevent
Active Attacks
Involve active actions on information flow
Masquerade/Impersonation
Replay Attacks
Data deletion
ITU-T X.800 Recommendation
Standard that establishes Security Service Framework
Security Service
a capability that supports one or more security objectives
Six (6) fundamental security services
Authentication
Access Control
Confidentiality
Integrity
Non-Repudiation
Availability
Authentication
Assurance that an entity is really the one who it claims to be (assurance can be provided in multiple ways)
Can be one-way or mutual
Peer Authentication
In a connection-oriented transfer, it ensures confidence that the entity you are communicating with is the one who claims to be
Usually performed at:
Connection Initiation
Connection Refresh
Re-synchronization
Connection Initiation
Establishment phase where two communication systems first greet each other and build a secure relationship
Connection Refresh
Maintenance phase that keeps an ongoing session secure over a long period of time
Re-synchronization
Data Authentication
In a connection-less transfer, it ensures that the source/destination of the data are the intended ones
Access Control / Authorization
Offers the assurance that the entity performing a given action has the rights to do so
Data Confidentiality
Guarantee that data are available only to intended parties
Protection against unauthorized disclosure
Specific portions of data may be protected
Prevention of Eavesdropping Attacks (e.g., reading a file)
Data Integrity
Assurance that data have not been modified maliciously
No insertion, modification,reordering
Prevention of Active Attacks
Non-Repudiation
Ensures that an entity cannot deny having done an action (e..g, either the sender or the receiver cannot deny to have sent/received a particular message)
Related to Data Authenticity, but extends the concept (time, data)
Services Availability
Property of a system to be always available and ready to serve requesting entities
Security Mechanism/Algorithm
A mathematical procedure applied to secure data
Security Protocols
Sequence of operations providing one or more security services to the data or the communication, through one or more security algorithms
Security Algorithms
AES
SHA-3
HMAC
Classes: Hashing, Key Agreement, Encryption, Symmetric and Asymmetric Crypto
Security Protocols
ECDH, TLS, WPA
Classes: Key Agreement

Generic Network Security Model Details
The channel is shared and publicly-available (also to attackers)
Sender and Receiver cooperate to securely exchange messages
Algorithms
Secrets
Trusted Third-Party (TTP) may be involved to distribute secrets and synchronize communications
Secure Transformation via Cryptography
Cryptography allows to hide the message content through a secure transformation
Such transformation is also reversable: anyone in possession of the correct information can re-obtain the original message, i.e., the plaintext, starting from the secure message, i.e., the ciphertext

Elements of a Cryptosystem
Plaintext: m
Ciphertext: c
Encryption Key: k
Encryption Algorithm: E(k,m) = E k (m) = c
Decryption Key: k’
Decryption Algorithm: D(k’,c) = D k (m) = m
3 Dimensions of Cryptographic Systems
The type of operations used for transforming plaintext to ciphertext
The number of keys used
The way in which the plaintext is processed
The type of operations used for transforming plaintext to ciphertext
Substitution
Transposition
The number of keys used
Symmetric, or secret-key, encryption
Asymmetric, or public-key encryption
The way in which the plaintext is processed
Block cipher
Stream cipher

Symmetric Cryptography features
The encryption and decryption keys are the same (k = k’)
Limited computational overhead
Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure
Algorithm should be strong enough
Caesar’s Algorithm
Substitution cipher
Involves replacing each letter of the alphabet with the letter standing three places further down the alphabet (substitution cipher)
Alphabet is wrapped around so that the letter following Z is A
Attacking an Encryption System
Objective: Recover the key in use rather than simply to recover the plaintext of a single ciphertext
Two approaches to Encryption System attack
Cryptanalysis
Brute-force
Cryptanalysis
Rely on the nature of the algorithm plus some knowledge of the general characteristics of the plaintext
Brute-force
Try every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained
On average, attackers should try half of the possible keys to have success
Longer keys, higher security

Vernam Cipher
Stream Cipher
Original version re-used keys after long periods of time, thus enabling cryptanalysis with sufficient ciphertext
Random key for each plaintext, no correlation with the plaintext Security depends on the randomness of the key
Theoretically unbreakable, but hardly feasible
Key Generation and Distribution
Perfect Security

Stream Ciphers
Encryption of digital stream bit per bit or byte per byte
Keystream is of the same size of the plaintext
If the keystream is random, the cipher is unbreakable
Practical issues with actual deployment
Very long keystream for high-volume data
Distribution of such keystream to intended receivers

Block Cipher
Encryption of a block of plaintext producing a block of ciphertext of the same size
Typical block size: 64 or 128 bits
Widely used in modern encryption systems

Feistel Cipher
Alternating two basic operations
Substitutions: fixed replacement of groups of plaintext with groups of ciphertext
Permutations: the order in which the elements appear in the sequence is randomly changed
Steps of Feistel Cipher
Spit plaintext into half
Right side enters function with key k, XORd with left side
Left side switches positions with right side
Process repeated however many times
Same steps can be repeated to decrypt the ciphertext

Data Encryption Standard (DES)
Data are encrypted in 64-bit blocks using a 56-bit key
The algorithm transforms 64-bit input in a series of steps into a 64-bit output
The same steps, with the same key, are used to reverse the encryption
DES Steps
64 bit key is generated (56 bits of actual key is used, 8 bits are parity bits)
16 subkeys are generated from this initial key
Feistel cipher applied, 48 bit subkey is used in the function
Final 32 bit swap of both halves applied after 16 rounds
Limitations of DES
Keys are too short (56 or 64 bits)
Vulnerable to brute-forcing attacks in very short time
Differential and Linear Cryptanalysis can also break DES with less complexity than brute-forcing

Advanced Encryption Standard (AES)
Encryption and Decryption Operations are different circuits
10 rounds
Advanced Encryption Standard Round Steps
Substitute Bytes (changing values with fixed lookup table)
Shift Rows
Shift Columns
Add Round Key (XOR with Round Key derived from Main Key)
Round Keys are generated using Key Expansion that generates words from preceding words
Mode of Operation
Specific way the cryptographic algorithm is used, in combination with the key and the plaintext, to generate the ciphertext
Mode of Operation Types
Electronic Code Book
Cipher Block Chaining
Cipher Feedback
Output Feedback
Counter Mode

Electronic Code Book
Each block is encrypted separately
Simple to implement
Prone to cryptanalysis
Block order can be altered (no integrity)

Cipher Block Chaining (CBC)
Blocks ordering dependence
Error Propagation (errors propagate forever…)

Cipher Feedback (CFB)
Dependence on the past (same input, different output)
Works on group of s bits
S s → first s bits of S
Errors propagate to 1 + b/s parts of the plaintext
Not very fast (you need the plaintext..)
Steps of Cipher Feedback
b bit segment is the shift register that updates per iteration
b bit block split into b-s and s bit long segments
entire b bit segment is encrypted with function E and key k
s and b-s bit segments are swapped over
s is XORd with plain text segment, propagated to shift register, old s bits are discarded
due to this mechanism, errors can propagate for another b/s times

Output Feedback
Similar mechanism to Cipher Feedback but instead the s bit is directly propagated to the shift register without XOR on plaintext

Counter Mode
Start with a base value, increment it by 1 for every block of cipher text and encrypt it
Very fast

AES - Galois Counter Mode (GCM)
Extends Counter Mode with Authentication through creation of Auth Tag
mult H is a hashing function
Assymetric Cryptography
Encryption and Decryption Keys are different
Usage of complex problems over modular groups
Many different schemes

Diffie Hellman (DH)
Both parties agree on a g and p value (even attacker knows this)
One party picks unique value “a,“ the other picks unique value ”b”
Exponent-Modulo calculation is done on a and b separately to create A and B
A and B are exchanged
A and B are raised to the parties other chosen number, to create the final key
Note: Does not have authentication mechanism built in, MITM can occur

Rivest Shamir Adleman (RSA)
Private key generated through two huge primes (p and q)
Signature is created using private key and exponential-modulo calc
Signature sent alongside original plaintext, receiving party unscrambles signature to verify authenticity
Usages of Asymmetric Cryptography
Confidentiality – Symmetric Key Distribution
Message Authentication
Data Confidentiality and Authentication (opposite also possible, both public and private key can be used to encrypt/decrypt information)

Elliptic Curve Cryptography (ECC)
Elliptic Curve arithmetic, in place of modular arithmetic
Advantage: reduced computational complexity, and many existing problems are harder to solve

ECC Basic Concepts
Any elliptic curve can be identified through six (6) parameters:
a,b parameters of the curve
G generator
n order
g cyclic group
γ, co-factor
Any scalar number a can be mapped on a curve through the generator G: A = a ⋅ G (it is possible to obtain A on the curve by jumping by G a times)
The addition of any two points on the curve gives another point: C = A + B (drawing line between A and B creates a new intersection at C)

Elliptic Curve Diffie Hellman
Publicly agreed: curve equation, base point on curve
Parties A and B pick their scalars, public key calculated using point scalar multiplication
These new calculation results are exchanged
Cryptographic key management
The process of administering or managing cryptographic keys for a cryptographic system
What does Cryptographic Key Management Entail?
It involves the generation, creation, protection, storage, exchange, replacement, and use of keys and enables selective restriction for certain keys
In addition to access restriction, key management also involves the monitoring and recording of each key’s access, use, and context
A key management system also includes key servers, user procedures, and protocols
The security of the cryptosystem is dependent upon successful key management
Secure Key Generation
Secure = random and unpredictable
Performed using Random Number Generation
2 requirements for Security Viable random numbers
Randomness
Uniformly-distributed 0s and 1s
All bits independent from each other
Unpredictability
You cannot predict the next bits looking at previous ones

Pseudorandom Number Generation and Functions
True random number generator: True random source converted to binary
Psuedorandom number generator: deterministic algorithm
Psuedorandom function: number generated depends on context info (ex. a string)
Randomness Tests
The generated bit stream needs to appear random even though it is deterministic
NIST SP 800-22
Uniformity, Scalability, Consistency
Frequency Tests (freq. of 0 and 1 in the generated stream are uniform)
Runs Tests (sequences of continuous 0 and 1 is as expected)
Maurer’s Tests (compression should lead to consistent information loss)
Algorithms for PRNG
Purpose-built algorithms (Algorithms designed specifically and solely for the purpose of generating pseudorandom bit streams)
Algorithms based on existing cryptographic algorithms (when processed, the cipher text stream looks indistinguishable from a random sequence)
Symmetric Key Distribution Options
Others should not see the key
Keys should also be changed frequently, to prevent compromise
A can select a key and physically deliver it to B
A third party can select the key and physically deliver it to A and B
If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key
If A and B each has an encrypted connection to a third-party C, C can deliver a key on the encrypted links to A and B
Asymmetric Key Distribution and Publication
Private key should be distributed (similiarly to symmetric)
Public key should be published

One-way Hashing Functions
One-Way: for any given h, it is computationally impossible to obtain the message m used to generate h
Weak Collision Resistance (a.k.a. Pre-image Resistance): given x, it is computationally hard to find y ≠ x s.t. H(x) = H(y)
Strong Collision Resistance: it is computationally hard to find any pair of messages (x,y) s.t. H(x) = H(y)
Secure Hash Algorithm Parameters
Message Digest Size: size of the memory used within the algorithm to process the data
Message Size
Block Size: input message is processed in chunks of this size, a batch of the message
Word Size: Chunk of the message derived from block
Number of Steps: number of times the core compression function is applied

Applications of One-Way Hashing Functions
Message Integrity Verification
Digest of the message at the sender matches reconstruction on the receiver (receiver uses same hash function to check integrity)
Signature Generation and Verification (hashes are also encrypted)
Hashing and Confidentiality
Applying one-way hashes does not allow to recover plaintext information, but only to verify it
Thus, confidentiality cannot be provided
One-way Hashes usage (Services)
Integrity
Authenticity