Prevention: locks on doors, window bars, walls around the property.
Detection: stolen items aren’t there any more, burglar alarms, CCTV, …
Reaction: call the police,…
Ex. 2 - ecommerce
Prevention: encrypt your orders, rely on the merchant to perform checks on the caller,…
Detection: an unauthorized transaction appears on your credit card statement
Reaction: complain, ask for a new credit card number, …
INFORMATION SYSTEM SECURITY
ISS deals with
Security of (end) systems
Examples: Databases, files in a host, records, operating system, accounting information, logs, etc.
Security of information in transit over a network
Examples: confidential e-mails, file transfers, record transfers, e-commerce transactions, online banking, authorization messages, etc.
INFORMATION SYSTEM SECURITY (ISS)? [Diagram labels: Information System (file, message), Security Services, Security Mechanisms, Security Architecture, Policies, Attackers]
VULNERABILITY, THREAT, ATTACK
A vulnerability is a weakness in a security system
Can be in design, implementation, etc.
Can be hardware, or software
A threat is a set of circumstances that has the potential to cause loss or harm
Or it is a potential violation of security
A threat can be:
Accidental (natural disasters, human error, …)
Malicious (attackers, insider fraud, …)
An attack is the actual violation of security
Confidentiality : keeping information secret from all but those who are authorized to see it.
Data integrity : ensuring information has not been altered by unauthorized or unknown means
Entity authentication: corroboration of the identity of an entity (e.g., a person, a credit card, etc.)
Identification, identity verification
Role based security.
A CIPHER SYSTEM (achieving confidentiality) [Diagram: Sender (Alice) turns plaintext into ciphertext with the encryption algorithm and encryption key; the ciphertext passes an Interceptor; Receiver (Bob) recovers the plaintext with the decryption algorithm and decryption key]
ISS IN GENERAL
An information security service is a method to provide some specific aspects of security
Confidentiality is a security objective; encryption is an information security service
Integrity is another security objective; a method to ensure integrity is a security service.
Breaking a security service implies defeating the objective of the intended service
Cryptography is a means of providing information security.
Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality, integrity, authentication, and non-repudiation, which form the main goals of cryptography
Encoding the message with 'Shift by 3' and produced the message as
Which is obviously in an unreadable format unless you know the method of deciphering.
Cryptanalysis: the study of mathematical techniques for attempting to defeat cryptographic techniques
Cryptanalyst: one who engages in cryptanalysis
Cryptology: the study of cryptanalysis and cryptography
Cryptosystem: a general term referring to a set of cryptographic primitives used to provide information security services.
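The 'Shift by 3' cipher and the definition of cryptanalysis above, worked through as an added example that is not part of the original slides: it encrypts a constructed sample message with key 3, then recovers the key by trying all 26 shifts, which shows why so small a key space gives no real confidentiality. The sample message, the function names and the crude letter-count scoring are assumptions made for illustration.

```python
import string

COMMON = set("ETAOIN")  # six most frequent English letters (crude heuristic)

def shift_encrypt(text: str, key: int) -> str:
    """Shift every ASCII letter forward by `key`; leave other characters alone."""
    out = []
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def shift_decrypt(text: str, key: int) -> str:
    """Decryption is encryption with the negated key."""
    return shift_encrypt(text, -key)

def all_candidates(ciphertext: str) -> dict[int, str]:
    """Exhaustive key search: the whole key space is only 26 values."""
    return {k: shift_decrypt(ciphertext, k) for k in range(26)}

def english_score(text: str) -> int:
    """Count letters that are among the most common in English."""
    return sum(1 for ch in text.upper() if ch in COMMON)

def recover_key(ciphertext: str) -> int:
    """Pick the key whose candidate plaintext looks most like English."""
    candidates = all_candidates(ciphertext)
    return max(candidates, key=lambda k: english_score(candidates[k]))

# Constructed sample message (the slide's own message is not on the page).
PLAINTEXT = "MEET ME AT THE STATION AT NINE"
CIPHERTEXT = shift_encrypt(PLAINTEXT, 3)

if __name__ == "__main__":
    print("ciphertext:", CIPHERTEXT)
    key = recover_key(CIPHERTEXT)
    print("recovered key:", key, "->", shift_decrypt(CIPHERTEXT, key))
```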
Cryptographic techniques are divided into 2 types:
Same key for encryption and decryption
Key distribution problem
Practical cipher systems prior to the 1980’s were symmetric cipher systems.
TYPES OF SYMMETRIC CIPHERS
Encrypt one bit at a time
Break plaintext message in equal-size blocks
Encrypt each block as a unit
SYMMETRIC-KEY SYSTEMS [Figure: Locking = Unlocking]
Relatively new field – 1975
Each entity has 2 keys:
Private key (a secret)
Public key (well known)
ASYMMETRIC-KEY SYSTEMS (cont…)
Impossible to determine the decryption key from the encryption key.
Public and private keys must be different
Interchangeably used with public key cipher systems.
TYPES OF ASYMMETRIC-KEY SYSTEM
Plaintext 6*11 = 66 ciphertext
ASYMMETRIC-KEY SYSTEMS (cont…) [Figure: Anyone can lock; only a key holder can unlock]
The impact of a security breach may be far greater than you would expect. The loss of sensitive information may not only affect your competitiveness but also damage your reputation - something which may have taken you years to establish and which may be impossible to restore!