Submit Search
Upload
Information Security Concepts.pdf
•
0 likes
•
168 views
S
SameeraSarathchandra1
Follow
Information Security Concepts
Read less
Read more
Technology
Slideshow view
Report
Share
Slideshow view
Report
Share
1 of 58
Download now
Download to read offline
Recommended
Computer Security
Computer Security
Cristian Mihai
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
Network Security
Network Security
Manoj Singh
The information security audit
The information security audit
Dhani Ahmad
Introduction to Cybersecurity
Introduction to Cybersecurity
Krutarth Vasavada
Secure Design: Threat Modeling
Secure Design: Threat Modeling
Narudom Roongsiriwong, CISSP
Software security engineering
Software security engineering
aizazhussain234
Basics of Network Security
Basics of Network Security
Dushyant Singh
Recommended
Computer Security
Computer Security
Cristian Mihai
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
Network Security
Network Security
Manoj Singh
The information security audit
The information security audit
Dhani Ahmad
Introduction to Cybersecurity
Introduction to Cybersecurity
Krutarth Vasavada
Secure Design: Threat Modeling
Secure Design: Threat Modeling
Narudom Roongsiriwong, CISSP
Software security engineering
Software security engineering
aizazhussain234
Basics of Network Security
Basics of Network Security
Dushyant Singh
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
The Zero Trust Model of Information Security
The Zero Trust Model of Information Security
Tripwire
Chapter 3 Presentation
Chapter 3 Presentation
Amy McMullin
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
Cybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurity
sommerville-videos
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
mike parks
Basics of Information System Security
Basics of Information System Security
chauhankapil
IT infrastructure security 101
IT infrastructure security 101
April Mardock CISSP
Application Security Verification Standard Project
Application Security Verification Standard Project
Narudom Roongsiriwong, CISSP
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and Tools
Yulian Slobodyan
Information security
Information security
AlaaMahmoud108
Network Security: Attacks, Tools and Techniques
Network Security: Attacks, Tools and Techniques
waqasahmad1995
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
Priyanka Aash
Information security
Information security
avinashbalakrishnan2
Pen Testing Explained
Pen Testing Explained
Rand W. Hirt
InformationSecurity
InformationSecurity
learnt
Operating system security
Operating system security
Rachel Jeewa
Threat Modelling
Threat Modelling
n|u - The Open Security Community
Secure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of Us
Eoin Woods
La sécurité informatique expliquée aux salariés
La sécurité informatique expliquée aux salariés
NRC
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
vkarthi314
Cloud Security.pptx
Cloud Security.pptx
Binod Rimal
More Related Content
What's hot
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
The Zero Trust Model of Information Security
The Zero Trust Model of Information Security
Tripwire
Chapter 3 Presentation
Chapter 3 Presentation
Amy McMullin
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
Cybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurity
sommerville-videos
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
mike parks
Basics of Information System Security
Basics of Information System Security
chauhankapil
IT infrastructure security 101
IT infrastructure security 101
April Mardock CISSP
Application Security Verification Standard Project
Application Security Verification Standard Project
Narudom Roongsiriwong, CISSP
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and Tools
Yulian Slobodyan
Information security
Information security
AlaaMahmoud108
Network Security: Attacks, Tools and Techniques
Network Security: Attacks, Tools and Techniques
waqasahmad1995
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
Priyanka Aash
Information security
Information security
avinashbalakrishnan2
Pen Testing Explained
Pen Testing Explained
Rand W. Hirt
InformationSecurity
InformationSecurity
learnt
Operating system security
Operating system security
Rachel Jeewa
Threat Modelling
Threat Modelling
n|u - The Open Security Community
Secure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of Us
Eoin Woods
La sécurité informatique expliquée aux salariés
La sécurité informatique expliquée aux salariés
NRC
What's hot
(20)
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
The Zero Trust Model of Information Security
The Zero Trust Model of Information Security
Chapter 3 Presentation
Chapter 3 Presentation
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Cybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurity
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020)
Basics of Information System Security
Basics of Information System Security
IT infrastructure security 101
IT infrastructure security 101
Application Security Verification Standard Project
Application Security Verification Standard Project
Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and Tools
Information security
Information security
Network Security: Attacks, Tools and Techniques
Network Security: Attacks, Tools and Techniques
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
Information security
Information security
Pen Testing Explained
Pen Testing Explained
InformationSecurity
InformationSecurity
Operating system security
Operating system security
Threat Modelling
Threat Modelling
Secure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of Us
La sécurité informatique expliquée aux salariés
La sécurité informatique expliquée aux salariés
Similar to Information Security Concepts.pdf
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
vkarthi314
Cloud Security.pptx
Cloud Security.pptx
Binod Rimal
Information Technology Security Basics
Information Technology Security Basics
Mohan Jadhav
Lecture 01- What is Information Security.ppt
Lecture 01- What is Information Security.ppt
shahadd2021
Intro to Security
Intro to Security
primeteacher32
002.itsecurity bcp v1
002.itsecurity bcp v1
Mohammad Ashfaqur Rahman
Ch1 cse
Ch1 cse
bhaskard8
Cryptography and Network Security # Lecture 2
Cryptography and Network Security # Lecture 2
Kabul Education University
SEMINAR ON CYBER SECURITY.pptx
SEMINAR ON CYBER SECURITY.pptx
GauravWankar2
CNS Unit-1.pptx
CNS Unit-1.pptx
bhaskar810658
Concept Of Cyber Security.pdf
Concept Of Cyber Security.pdf
FahadZaman38
IAS101_Week 2-3_Introduction to Information Systems and Security.pptx
IAS101_Week 2-3_Introduction to Information Systems and Security.pptx
Angela Arago
information security (network security methods)
information security (network security methods)
Zara Nawaz
Information security ist lecture
Information security ist lecture
Zara Nawaz
CCNA Security 02- fundamentals of network security
CCNA Security 02- fundamentals of network security
Ahmed Habib
Intro
Intro
JustineJohn3
Network Security
Network Security
Vipul Mosaic
Ia 124 1621324143 ia_124_lecture_01
Ia 124 1621324143 ia_124_lecture_01
ITNet
1_Introduction to security.pptx
1_Introduction to security.pptx
diaa46
Introduction to Computer Security
Introduction to Computer Security
Kamal Acharya
Similar to Information Security Concepts.pdf
(20)
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
Cloud Security.pptx
Cloud Security.pptx
Information Technology Security Basics
Information Technology Security Basics
Lecture 01- What is Information Security.ppt
Lecture 01- What is Information Security.ppt
Intro to Security
Intro to Security
002.itsecurity bcp v1
002.itsecurity bcp v1
Ch1 cse
Ch1 cse
Cryptography and Network Security # Lecture 2
Cryptography and Network Security # Lecture 2
SEMINAR ON CYBER SECURITY.pptx
SEMINAR ON CYBER SECURITY.pptx
CNS Unit-1.pptx
CNS Unit-1.pptx
Concept Of Cyber Security.pdf
Concept Of Cyber Security.pdf
IAS101_Week 2-3_Introduction to Information Systems and Security.pptx
IAS101_Week 2-3_Introduction to Information Systems and Security.pptx
information security (network security methods)
information security (network security methods)
Information security ist lecture
Information security ist lecture
CCNA Security 02- fundamentals of network security
CCNA Security 02- fundamentals of network security
Intro
Intro
Network Security
Network Security
Ia 124 1621324143 ia_124_lecture_01
Ia 124 1621324143 ia_124_lecture_01
1_Introduction to security.pptx
1_Introduction to security.pptx
Introduction to Computer Security
Introduction to Computer Security
Recently uploaded
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
Gabriella Davis
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
ThousandEyes
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
wesley chun
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
The Digital Insurer
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
The Digital Insurer
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
The Digital Insurer
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
Results
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
The Digital Insurer
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
hans926745
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Katpro Technologies
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
Michael W. Hawkins
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
Pixlogix Infotech
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Martijn de Jong
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
wesley chun
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
Recently uploaded
(20)
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Information Security Concepts.pdf
1.
Level III -
Semester 5 © 2022 e-Learning Centre, UCSC 1 : Information Security Concepts IT5306 - Principles of Information Security
2.
© 2022 e-Learning
Centre, UCSC List of sub topics 2 1.1 Computer Security Concepts: Confidentiality, Integrity, and Availability 1.2. Threats, Attacks, and Assets 1.3. Security Functional Requirements 1.4. Fundamental Security Design Principles 1.5. Attack Surfaces and Attack Trees 1.6. Computer Security Strategy 1.7. Concepts of Encryption, Decryption, Plain Text and Cipher Text 1.8. Stream and Block Ciphers
3.
© 2022 e-Learning
Centre, UCSC What do we mean by “secure”? 3 ● At one time Bank robbery was common. Now its very rare. What has changed or been implemented to provide this security? − Sophisticated alarms − Criminal investigation techniques (DNA testing) − Change in “assets” (cash was/is inherently insecure) − Improvements in communication and transportation ● Risk becomes so high that it is no longer beneficial. Introduction
4.
© 2022 e-Learning
Centre, UCSC Security is all about protecting valuables ● In our case the “valuables” are computer related assets instead of money − Though these days money is so electronic that one can argue that the protection of money is a subset of computer asset security ● Information seems to be the currency of the 21st century. 4 Introduction
5.
© 2022 e-Learning
Centre, UCSC Money vs. Information 5 ● Size and portability − Banks are large and unportable. − Storage of information can be very small and extremely portable. (So small that an entire corporations intellectual property can be stored on something the size of a postage stamp.)Ability to avoid physical contact − Banks: physical interaction with the bank and the loot is unavoidable or impossible to circumvent − Computers: require no physical contact to either gain access to, copy or remove data. ● Value of assets: − Bank: generally very high (or why would somebody bother to put it in a bank?) − Computers: Variable, from very low (useless) to very high. Introduction
6.
© 2022 e-Learning
Centre, UCSC Information security are methods and technologies for protection, integrity, availability, authenticity and extended functionality of computer programs and data “Definition” of Information Security 6
7.
© 2022 e-Learning
Centre, UCSC Method, Opportunity and Motive 7 ● Method: The skills knowledge and tools that enable the attack ● Opportunity: The time, access and circumstances that allow for the attack ● Motive: The reason why the perpetrator wants to commit the attack Threats, Attacks and Assert
8.
© 2022 e-Learning
Centre, UCSC Accidental access to unauthorized resources and execution of unauthorized operations (no harm to regular users) Amateurs . . . Crackers Criminals Regular users 8 People 8
9.
© 2022 e-Learning
Centre, UCSC Active attempts to access sensitive resources and to discover system vulnerabilities (minor inconveniences to regular users) Amateurs Crackers . . . Criminals Regular users 9 People 9
10.
© 2022 e-Learning
Centre, UCSC Active attempts to utilize weaknesses in protection system in order to steal or destroy resources (serious problems to regular users) Amateurs Crackers Criminals . . . Regular users 10 People 10
11.
© 2022 e-Learning
Centre, UCSC Special requirements: authentication in open networks, authorization, message integrity, non-repudiation, special transactions Amateurs Crackers Criminals Regular users . . . The People Involved 11 People 11
12.
© 2022 e-Learning
Centre, UCSC Vulnerability,Attack,Control, Problems, Threats, and Risks 12 ● Vulnerability: A weakness in the security system. ● Attack: A human exploitation of a vulnerability. ● Control: A protective measure. An action, device or measure taken that removes, reduces or neutralizes a vulnerability. ● Problems : Consequences of unintentional accidental errors ● Threat: a set of circumstances that has the potential to cause loss or harm. ● Risks : Probabilities that some threat or problem will occur due to system vulnerabilities Threats, Attacks and Assert
13.
© 2022 e-Learning
Centre, UCSC Threats with a single system – Illegal access to a system – Authentication of users 13 Threats, Attacks and Assert
14.
© 2022 e-Learning
Centre, UCSC 14 • Active attacks are attacks in which the attacker attempts to change or transform the content of messages or information. • These attacks are a threat to the integrity and availability of the system. • Due to these attacks, systems get damaged, and information can be altered. • The prevention of these attacks is difficult due to their high range of physical and software vulnerabilities. Attack Types: An Active Attack
15.
© 2022 e-Learning
Centre, UCSC 15 • Passive attacks are the ones in which the attacker observes all the messages and copy the content of messages or information. • They focus on monitoring all the transmission and gaining the data. • The attacker does not try to change any data or information he gathered. • Although there is no potential harm to the system due to these attacks, they can be a significant danger to your data’s confidentiality. Attack Types: A Passive Attack
16.
© 2022 e-Learning
Centre, UCSC 16 • In active attacks, modification of messages is done, but on the other hand, in passive attacks, the information remains unchanged. • The active attack causes damage to the integrity and availability of the system, but passive attacks cause damage to data confidentiality. • In active attacks, attention is given to detection, while in the other one, attention is given to prevention. • The resources can be changed in active attacks, but passive attacks have no impact on the resources. Active vs Passive Attacks
17.
© 2022 e-Learning
Centre, UCSC 17 • The active attack influences the system services, but the information or data is acquired in passive attacks. • Inactive attacks, information is gathered through passive attacks to attack the system, while passive attacks are achieved by collecting confidential information such as private chats and passwords. • Active attacks are challenging to be prohibited, but passive attacks are easy to prevent. Active vs Passive Attacks
18.
© 2022 e-Learning
Centre, UCSC 18 ● What makes a “secure” system? − Financial “Security” requirements − Home “security” − Physical “security” − Information “security” ● All these concepts of security have different requirements. We are, of course, interested mostly on computer security; which requires three items: Security Functional Requirements
19.
© 2022 e-Learning
Centre, UCSC ● The presence of all three things yields a secure system: Secure Integrity Availability Confidentiality 19 Security Functional Requirements
20.
© 2022 e-Learning
Centre, UCSC Thing one: 20 ● Confidentiality: Computer related assets are only available to authorized parties. Only those that should have access to something will actually get that access. ● “Access” isn't limited to reading. But also to viewing, printing or... ● Simply even knowing that the particular asset exists (steganography) − Straight forward concept but very hard to implement. Security Functional Requirements
21.
© 2022 e-Learning
Centre, UCSC 21 ● Integrity Can mean many things: Something has integrity if it is: ● Precise ● Accurate ● Unmodified ● Consistent ● Meaningful and usable Security Functional Requirements
22.
© 2022 e-Learning
Centre, UCSC Integrity 22 ● Three important aspects towards providing computer related integrity: − Authorized actions − Seperation and protection of resources − Error detection and correction. ● Again, rather hard to implement; usually done so through rigorous control of who or what can have access to data and in what ways. Security Functional Requirements
23.
© 2022 e-Learning
Centre, UCSC Thing three: 23 ● Availability − There is a timely response to our requests − There is a fair allocation of resources (no starvation) − Reliability (software and hardware failures lead to graceful cessation of services and not an abrupt crash) − Service can be used easily and in the manner it was intended to be used. − Controlled concurrency, support for simultaneous access with proper deadlock and access management. Security Functional Requirements
24.
© 2022 e-Learning
Centre, UCSC Threats to Data and Programs: illegal read, illegal access, data (files) deletion, illegal users, criminal acts, sabotage, etc. Confidentiality . . . Integrity Availability Functionality 24 Security Design Principles
25.
© 2022 e-Learning
Centre, UCSC Threats to software and data: technical errors, software errors, processing errors, transmission correctness, etc. Integrity . . . Availability Functionality Confidentiality 25 Security Design Principles
26.
© 2022 e-Learning
Centre, UCSC Requirements for: timely response, fair allocation, fault tolerance, usability, controlled concurrency Integrity Availability . . . Functionality Confidentiality Principles of Computer Security 26 Security Design Principles
27.
© 2022 e-Learning
Centre, UCSC New functions needed for electronic data transactions: authentication, digital signature, confidentiality, and others Integrity Availability Functionality . . . Confidentiality 27 Security Design Principles
28.
© 2022 e-Learning
Centre, UCSC So what does computer security concern itself with? 28 ● The entire system: − Hardware − Software − Storage media − Data − Memory − People − Organizations − Communications Attack Surface
29.
© 2022 e-Learning
Centre, UCSC 29 An attack surface consists of reachable and exploitable vulnerabilities in a system and can be classified into three categories: Network attack surface refers to vulnerabilities over an enterprise network or the internet. Examples of this include network protocol vulnerabilities, such as those used for a DDoS attack, disruption of communication links and various forms of intruder attacks. Software attack surface refers to vulnerabilities in application, utility, or operating system code. A particular focus in this category is web server software. Human attack surface refers to vulnerabilities created by personnel or outsiders, such as social engineering, human error and trusted insiders. Attack Surface
30.
© 2022 e-Learning
Centre, UCSC 30 • An attack tree is a tree structure that represents attacks against a system. • Each subnode defines a subgoal, and each subgoal may, in turn, have its own set of subgoals, and so on. • The leaf nodes of the attack tree represent different ways to initiate an attack. • Each node other than a leaf is either an AND-node or an OR- node. • To achieve the goal represented by an AND-node, all of the child subgoals must be achieved; and for an OR-node, at least one of the child subgoals must be achieved. Attack trees
31.
© 2022 e-Learning
Centre, UCSC 31 Privacy Attack Tree with Threat Scenarios
32.
© 2022 e-Learning
Centre, UCSC 32 Computer Security Strategy
33.
© 2022 e-Learning
Centre, UCSC Encryption Policies Physical controls SW & HW Controls 33 Computer Security Strategy
34.
© 2022 e-Learning
Centre, UCSC Effective for: confidentiality, users and messages authentication, access control Encryption . . . Policies Physical controls SW & HW Controls 34 Computer Security Strategy
35.
© 2022 e-Learning
Centre, UCSC Available methods: software and hardware controls (internal SW, OS controls, development controls, special HW devices) Encryption Policies Physical controls SW & HW Controls Protection Methods 35 Computer Security Strategy
36.
© 2022 e-Learning
Centre, UCSC Precise specifications: special procedures, security methods, security parameters, organizational issues Policies . . . Encryption Physical controls SW & HW Controls Protection Methods 36 Computer Security Strategy
37.
© 2022 e-Learning
Centre, UCSC Measures for: isolation of equipment, access to equipment, authorization for personnel, backup and archiving SW & HW Controls Encryption Policies Physical controls Protection Methods 37 Computer Security Strategy
38.
© 2022 e-Learning
Centre, UCSC Cipher Algorithm Encrypted Data Cipher Algorithm Basic Concept 38 Concept of Cryptography P clear (plain) text, message-readable (intelligible) information C ciphertext-encrypted information E encryption (enciphering)-transforming clear text into ciphertext D decryption (deciphering)-transforming ciphertext back into plaintext
39.
© 2022 e-Learning
Centre, UCSC Cryptography Basic 39 ● Why Encrypt? − Protect stored information − Protect information in transmission ● Cryptography originally used for secrecy ● Encryption - process by which plaintext is converted to ciphertext using a key ● Decryption - process by which ciphertext is converted to plaintext (with the appropriate key) ● plaintext (cleartext)- intelligible data Concept of Cryptography
40.
© 2022 e-Learning
Centre, UCSC Cryptography History 40 ▪ Historic examples... ● Earliest cryptography: an Egyptian scribe using non-standard hieroglyphics ● Julius Caesar (“Caesar Cipher”) Each plaintext letter is replaced by a letter some fixed number of positions further down the alphabet (e.g. Belgica (3 positions) ehojlfd) ● The Kama Sutra recommends cryptography as 44th and 45th art (of 64) men and women should know Concept of Cryptography
41.
© 2022 e-Learning
Centre, UCSC Cryptography History 41 − ENIGMA Used by the Germans in WW2 – and the subsequent code-breaking activities at Bletchley park (still a popular subject of books and movies) − 1976: Public Key Cryptography concept (Whitfield Diffie & Martin Hellman) − 1977: first (published) practical PKC cryptosystem invented (RSA - Rivest, Shamir, Adleman) − October 2000 Rijndael is chosen as AES (Advanced Encryption Standard) Concept of Cryptography
42.
© 2022 e-Learning
Centre, UCSC Ci = E(Pi)= Pi+3 Plain Text : A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Cipher Text : D E F G H I J K L M N O P Q R S T U V W X Y Z A B C 42 The Caesar Cipher
43.
© 2022 e-Learning
Centre, UCSC Kamasutra 43 One of the earliest descriptions of encryption by substitution appears in the Kama-sutra, a text written in the 4th century AD by the Brahmin scholar Vatsyayana, but based on manuscripts dating back to the 4th century BC. How it work The kamasutra generate list of 26 alphabet with no duplicate. Then divide by 2 row. Find for each letter of message text in table and choose the opposite of the letter Kamasutra
44.
© 2022 e-Learning
Centre, UCSC for example: Key = G H A J R I O B E S Q C L F V Z T Y K M X W N U D P divide by 2 rows G H A J R I O B E S Q C L F V Z T Y K M X W N U D P Given String = KAMASUTRA K is at 2nd row and 5th column. Get the opposite of K that is I. Do each letter until the end Cipher : IZOZNQJYZ 44 Kamasutra
45.
© 2022 e-Learning
Centre, UCSC Plain Text : A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Cipher Text : K E Y G H I J K L M N O P Q R S T U V W X Y Z A B C A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Letter Frequency 45 Polyalalphaberic Substitutions
46.
© 2022 e-Learning
Centre, UCSC Plain Text : A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Cipher Text : A D G J N O S V Y B E H K N Q T W Z C F I L O R U X Table for Odd Positions Plain Text : A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Cipher Text : N S X C H M R W B G I Q V A F K P U Z E J O T Y D I Table for Even Positions Plain Text : SSIBL Cipher Text : czysh 46 Polyalalphaberic Substitutions
47.
© 2022 e-Learning
Centre, UCSC Columnar Transposition c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12 etc. c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12 etc. Cipher text formed by c1 c6 c11 c2 c7 c12 c3 c8 ... Transposition (Permutation) Substitutions 47 Transposition (Permutation) Substitutions
48.
© 2022 e-Learning
Centre, UCSC Plain Text : V E R N A M C I P H E R Numeric Equivalent : 21 4 17 13 0 12 2 8 15 7 4 17 +Random Number : 76 48 16 82 44 3 58 11 60 5 48 88 = Sum : 97 52 33 95 44 15 60 19 75 12 52 105 =Mod 26 : 19 0 7 17 18 15 8 19 23 12 0 1 Cipher text : t a h r s p I t x m a b Binary Vernam Cipher Plain Text : 1 0 1 0 0 0 1 1 1 0 0 1 1 0 1 + Random Stream : 0 1 0 1 1 0 1 0 1 1 1 0 1 0 1 Cipher text : 1 1 1 1 1 0 0 1 0 1 1 1 0 0 0 48 The Vernam Cipher
49.
© 2022 e-Learning
Centre, UCSC The One-Time Pad 49 • If a truly random key as long as the message is used, the cipher will be secure • Called a One-Time pad • Has unconditional security: • ciphertext bears no statistical relationship to the plaintext since for any plaintext & any ciphertext there exists a key mapping one to other • Can only use the key once • Have problem of safe distribution of key The One-Time Pad
50.
© 2022 e-Learning
Centre, UCSC Encipherment Modes ● Stream Ciphers - Message broken into characters or bits and enciphered with a “key stream” • key stream - should be random and generated independently of the message stream ● Block ciphers process messages in blocks, each of which is then en/decrypted 50 Stream and Block Ciphers
51.
© 2022 e-Learning
Centre, UCSC Y ISSOPMI WEHTUA.. Plain text Cipher text Key (Optional) Advantage • Speed of transformation • Low error propagation Disadvantage • Low diffusion • Susceptibility to malicious insertion and modifications Cipher Cipher text(F) Plain text (A) Stream Cipher 51 Stream and Block Ciphers
52.
© 2022 e-Learning
Centre, UCSC Y XN OI TP YR CN BA QC KD EM MC Plain text Cipher text Key (Optional) Disadvantage • Slowness of encryption • Error propagation Advantage • Diffusion • Immunity to insertion Cipher Cipher text(FRWSU) Plain text (AKEDF) Block Cipher 52 Stream and Block Ciphers
53.
© 2022 e-Learning
Centre, UCSC Shannon Characteristics - 1949 • The amount of secrecy needed should determine the amount of labor appropriate for encryption and decryption • The set of keys and the encryption algorithm should be free from complexity • The implementation of the process should be as simple as possible • Errors in the ciphering should not propagate and cause corruption of further information in the message • The size of enciphered text should be no larger than the text of the original message 53 Characteristic of “GOOD” Cipher
54.
© 2022 e-Learning
Centre, UCSC Kerckhoff’s Principle 54 The security of the encryption scheme must depend only on the secrecy of the key and not on the secrecy of the algorithms. Reasons: •Algorithms are difficult to change •Cannot design an algorithm for every pair of users •Expert review •No security through obscurity! Kerckhoff’s Principle
55.
© 2022 e-Learning
Centre, UCSC 2.15 milliseconds 232 = 4.3 x 109 32 5.9 x 1030 years 2168 = 3.7 x 1050 168 5.4 x 1018 years 2128 = 3.4 x 1038 128 10 hours 256 = 7.2 x 1016 56 Time required at 106 Decryption/µs Number of Alternative Keys Key Size (bits) Brute Force Search 55 •Always possible to simply try every key •Most basic attack, proportional to key size •Assume either know/recognize plaintext Brute Force Search
56.
© 2022 e-Learning
Centre, UCSC Unconditional/Computational Security 56 Unconditional security no matter how much computer power is available, the cipher cannot be broken since the ciphertext provides insufficient information to uniquely determine the corresponding plaintext Computational security given limited computing resources (e.g. time needed for calculations is greater than age of universe), the cipher cannot be broken Unconditional/Computational Security
57.
© 2022 e-Learning
Centre, UCSC Sec_rity is not Complete without U 57 You, as a Computer User, have to make your contribution to computer security: You are responsible for the security and protection of your computers, the operating systems you run, the application you install, the software you program, the data you own - and the services and systems you manage. Sec_rity is not Complete without U
58.
© 2022 e-Learning
Centre, UCSC 58 Thank You
Download now