Information Security

Published in: Education, Technology

Information Security

  2. - The key to security awareness is embedded in the word itself: SEC – U – R – IT – Y.
     - Information security means protecting information and information systems from unauthorized access and use.
     - Information security is concerned with the confidentiality, integrity and availability of data, regardless of the form the data takes.
     - Most of this information is now collected, processed and stored on computers and transmitted across networks to other computers.
  3. - Data security is ensuring that data is kept safe from corruption and that access to it is suitably controlled.
     - Data security therefore helps to ensure privacy and to protect personal data.
     - This is particularly important for ensuring that individuals are treated fairly, for example when the data is used for credit checking.
  4. - In cryptography, encryption is the process of transforming information (the plaintext) using an algorithm (a cipher) so that it is unreadable to anyone except those possessing special knowledge, usually a key.
     - In many contexts the word encryption also implicitly refers to the reverse process, decryption.
     - Encryption is the conversion of data into a form, called ciphertext, that cannot be easily understood by unauthorized people.
     - Computer encryption is based on the science of cryptography, which has been used throughout history. Before the digital age, the biggest users of cryptography were governments, particularly for military purposes.
  5. - Most computer encryption systems belong in one of two categories: symmetric-key encryption and public-key encryption.
     - In symmetric-key encryption, the two communicating computers share one secret key. The sender uses it to encrypt a packet of information before sending it over the network, and the receiver uses the same key to decrypt it.
     - Symmetric-key encryption therefore requires that you know in advance which computers will be talking to each other, so you can install the key on each one, and that the key itself is delivered over a channel an eavesdropper cannot read.
  6. - You create a coded message to send to a friend in which each letter is replaced by the letter two positions further along in the alphabet.
     - So "A" becomes "C" and "B" becomes "D".
     - You have already told a trusted friend that the code is "Shift by 2"; the shift is the key.
     - Your friend gets the message and decodes it. Anyone else who sees the message sees only nonsense, but because there are only 25 possible shifts, an eavesdropper can simply try every one of them.
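The shift cipher from the slide above, written out as an added example (not code from the original deck), together with the attack the slide only hints at: an eavesdropper who does not know the key can enumerate all 25 shifts and pick the one that yields a word he expects to see (a "crib"). The message, the crib and the function names are this example's own assumptions.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar(text: str, shift: int) -> str:
    """Shift every letter by `shift` positions (mod 26), preserving case.
    Non-letters (spaces, punctuation) pass through unchanged."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def decrypt(ciphertext: str, shift: int) -> str:
    """Decryption is encryption with the negated key; the same shared secret is used."""
    return caesar(ciphertext, -shift)


def brute_force(ciphertext: str) -> dict:
    """The entire key space is the 25 non-trivial shifts: return every candidate plaintext."""
    return {k: decrypt(ciphertext, k) for k in range(1, 26)}


def recover_shift(ciphertext: str, crib: str):
    """Attacker's view: pick the shift whose output contains an expected word.
    Returns the shift, or None if no candidate contains the crib."""
    for k, candidate in brute_force(ciphertext).items():
        if crib.lower() in candidate.lower():
            return k
    return None


if __name__ == "__main__":
    message = "ATTACK AT DAWN"            # constructed sample plaintext
    ct = caesar(message, 2)               # the slide's "Shift by 2"
    print(ct)                             # CVVCEM CV FCYP
    print(decrypt(ct, 2))                 # the friend, who knows the key
    for k, pt in brute_force(ct).items(): # the eavesdropper, who does not
        print(k, pt)
    print("recovered shift:", recover_shift(ct, "ATTACK"))
```

The lesson is the one the slide skips: a key space of 25 is no obstacle at all, so the scheme's secrecy collapses the moment an attacker can recognise valid plaintext. Modern ciphers are judged by exactly this measure, the size of the key space that must be searched.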
  7. - Public-key encryption uses a pair of keys: a private key and a public key. The private key is known only to your computer, while the public key is given by your computer to any computer that wants to communicate securely with it. Anything encrypted with the public key can only be decrypted with the matching private key.
     - A very popular public-key encryption utility is called Pretty Good Privacy (PGP), which allows you to
     - To implement public-key encryption on a large scale, such as a secure Web server might need, requires a different approach: distributing public keys through digital certificates.
     - A digital certificate is a statement, signed by an independent source known as a certificate authority, that binds the Web server's name to its public key. A browser that trusts the certificate authority can then trust that the key belongs to that server.
  8. - A popular implementation of public-key encryption is the Secure Sockets Layer (SSL), an Internet security protocol used by Internet browsers and Web servers to transmit sensitive information. SSL has since been superseded by its successor, Transport Layer Security (TLS). TLS uses public-key cryptography to authenticate the server and agree on a session key, then protects the traffic itself with a symmetric cipher.
     - Look for the "s" after "http" in the address whenever you are about to enter sensitive information, such as a credit-card number, into a form on a Web site.
  9. - In your browser you can tell when you are using a secure protocol such as TLS in a couple of ways. The "http" in the address line is replaced with "https", and you should see a small padlock (older browsers showed it in the status bar at the bottom of the window; current browsers show it in the address bar itself).
     - The padlock tells you that the connection is encrypted and that the server presented a certificate your browser accepts. It says nothing about whether the site itself is honest.
 10. - Public-key encryption rests on a one-way function: an operation that is easy to compute in one direction and practically impossible to reverse without extra knowledge (the private key). A hash value is the simplest illustration of one-way-ness.
     - A hash value is computed from an input using a hashing algorithm.
     - The important property of a hash value is that it is practically impossible to recover the original input from the hash value alone.
 11. - You can see how hard it would be to determine that the value 1,525,381 came from multiplying 10,667 by 143.
     - But if you knew that the multiplier was 143, it would be very easy to calculate the value 10,667. The multiplier plays the role of the private key: the reverse operation is easy for whoever holds it and hard for everyone else.
     - Public-key encryption is actually much more complex than this example (a number this small is trivially factored; real schemes use, for instance, the product of two very large primes, which is easy to compute but infeasible to factor), but that is the basic idea.

       Input number   Hashing algorithm   Hash value
       10,667         input * 143         1,525,381
 12. - Authentication is used to verify that information comes from the source it claims to come from.
     - Basically, if information is "authentic", you know who created it and you know that it has not been altered in any way since that person created it.
     - These two processes, encryption and authentication, work hand in hand to create a secure environment: encryption alone keeps data secret but does not prove who sent it.
 13. - Password: the use of a user name and password provides the most common form of authentication.
     - Pass cards: these cards can range from a simple card with a magnetic strip, similar to a credit card, to sophisticated smart cards that have an embedded
     - Digital signatures: a digital signature is a way to ensure that an electronic document (e-mail, spreadsheet, text file) is authentic, i.e. that it was produced by the holder of a particular private key and has not been altered since.
     - The Digital Signature Standard (DSS) is based on public-key cryptography and specifies the Digital Signature Algorithm (DSA).
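Slides 7, 10, 11 and 13 describe public keys, one-way functions with a trapdoor, and digital signatures. The following is an added example, not code from the original deck, that ties them together with textbook RSA on deliberately tiny numbers: the public key is n = p*q (easy to compute), the private exponent d depends on knowing p and q (the trapdoor), encryption and decryption use the two halves of the key pair, and a signature is a hash of the document exponentiated with the private key and checked with the public one. The primes, exponent, message and function names are this example's own assumptions; real deployments use 2048-bit or larger moduli and the padding schemes of PKCS#1 (OAEP for encryption, PSS for signatures), which this toy omits.

```python
import hashlib
import math

# Toy parameters, constructed for illustration only: real keys are 2048+ bits.
P, Q = 10007, 10009       # two small primes; knowing them is the trapdoor
E = 65537                 # customary public exponent


def keygen(p: int = P, q: int = Q, e: int = E):
    """Return (public_key, private_key) as ((n, e), (n, d)).
    n = p*q is cheap to compute; getting p and q back out of n is the hard direction."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)   # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, m: int) -> int:
    """Anyone holding the public key can encrypt; only the private key can undo it."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def digest_mod_n(message: bytes, n: int) -> int:
    """Hash the document (one-way, fixed size) and reduce it into the modulus range."""
    h = hashlib.sha256(message).digest()
    return int.from_bytes(h, "big") % n


def sign(priv, message: bytes) -> int:
    """Hash-then-sign: producing this value requires the private exponent d."""
    n, d = priv
    return pow(digest_mod_n(message, n), d, n)


def verify(pub, message: bytes, signature: int) -> bool:
    """Verification needs only the public key; any change to the document breaks it."""
    n, e = pub
    return pow(signature, e, n) == digest_mod_n(message, n)


def factor(n: int):
    """Trial division: instant for a 27-bit n, hopeless for a 2048-bit one.
    This is what an attacker must do to turn the public key into the private key."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    return None


def recover_private_key(pub):
    """Attacker's route: factor n, recompute phi(n), recompute d."""
    n, e = pub
    p, q = factor(n)
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    pub, priv = keygen()
    msg = b"Pay 100 to Alice"                   # constructed sample document
    sig = sign(priv, msg)
    print("genuine:", verify(pub, msg, sig))              # True
    print("tampered:", verify(pub, b"Pay 900 to Alice", sig))  # False
    print("toy modulus factored:", factor(pub[0]))
    print("attacker recovers d:", recover_private_key(pub) == priv)
```

Run it and note the two sides of the trapdoor: `keygen` builds n from p and q in microseconds, while `factor` recovers them only because n is tiny. With realistic primes the multiplication stays cheap and the factoring does not, which is exactly the asymmetry slide 11 illustrates with 10,667 × 143.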
 14. - One very important feature of a good encryption scheme is that it takes a key (or password) and that each key produces a different encrypted output, which can only be decrypted with that same key. The secrecy rests in the key, not in keeping the algorithm secret.
     - There are few operations in mathematics that are truly irreversible. In nearly all cases, if an operation is performed on a, resulting in b, you can perform an inverse operation on b to get a back.
     - In some cases the inverse loses information: taking the square root of a square gives only the absolute value of a, and some operations have no inverse at all (such as dividing by zero).
 15. The IBM 4758 is an extremely secure cryptographic co-processor. It is used by banking systems and in other security-conscious applications to hold keying material. It is designed to make it impossible to extract this keying material unless you have the correct permissions and can involve others in a conspiracy. Can we crack this???
 16. - The DES cracker searches a 2^56 key space (about 72,058,000,000,000,000 keys) at 33.333 MHz, i.e. 33.333 million keys per second. To search the entire key space would therefore take 68.50 years.
     - The DES cracker is actually searching for up to 16,384 (2^14) keys in parallel. If the whole key space were searched it would find keys at an average rate of one per 68.50/16384 years, i.e. one every 36.65 hours.
     - To calculate the expected time until the first key is found, treat the system as having a Poisson distribution. Since the linear feedback shift register (LFSR) walks the key space pretty much at random, this is a reasonable assumption.
 17. - So we have 2^56 possible keys in the key space and 2^14 possible matches.
     - Let the mean rate of matching be m = 2^14 / 2^56 = 2^-42.
     - The probability that any particular cell (one tested key) is empty is (m^0 / 0!) e^-m.
     - Simplifying this (m^0 = 1 and 0! = 1), the probability that a cell is empty is e^-m.
     - Let the probability that the first r cells are empty be p.
     - Then p = (e^-m)^r [independent events], so p = e^(-mr).
     - Taking the natural log of both sides and solving for r gives r = -ln(p) / m.
 18. RESULTS
     - So for a probability p = 0.5 (i.e. average luck) and our value of m we need to search r keys, where r = 0.6931472 / (2.2737734 × 10^-13) = 3,048,497,000,000 keys. At 33.333 MHz this will take 25.40 hours.
     - Note carefully that if your luck is worse, one time in a thousand cracking attempts (p = 0.001) a lot more keys will need to be searched: about 10.5 days at 33.333 MHz.
     - In practice we've had cracks that ran in times between 5 and 37 hours, so we've never been especially unlucky.
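The three slides above carry the derivation as numbers only. The following is an added example, not part of the original deck, that reproduces it with the deck's own symbols (2^56 keys, 2^14 parallel targets, 33.333 MHz, m = 2^14 / 2^56, r = -ln(p) / m) and generalises it to other key sizes, target counts and rates. It also makes one distinction the slides blur: "average luck" p = 0.5 gives the median time to the first hit, ln(2)/m keys, while the "one every 36.65 hours" figure is the mean, 1/m keys. The function names and the single-target comparison are this example's own.

```python
import math

# Figures taken from the slides; everything below them is this example's derivation.
KEY_BITS = 56                      # DES key length
RATE = 33.333e6                    # keys tested per second (33.333 MHz, one key per clock)
TARGETS = 2 ** 14                  # 16,384 keys searched for in parallel
SECONDS_PER_HOUR = 3600.0
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR


def full_search_years(key_bits: int = KEY_BITS, rate: float = RATE) -> float:
    """Time to walk the entire key space once."""
    return 2 ** key_bits / rate / SECONDS_PER_YEAR


def match_rate(targets: int = TARGETS, key_bits: int = KEY_BITS) -> float:
    """m: probability that a single tested key is one of the `targets` wanted keys."""
    return targets / 2 ** key_bits


def keys_until_first_hit(p: float, m: float) -> float:
    """Number of keys r after which the probability of still having no hit is p.
    Each tested key is an independent Poisson cell with P(empty) = e^-m,
    so P(first r cells empty) = e^(-m r) and therefore r = -ln(p) / m."""
    return -math.log(p) / m


def hours_until_first_hit(p: float, targets: int = TARGETS,
                          key_bits: int = KEY_BITS, rate: float = RATE) -> float:
    """Wall-clock hours until the first hit for a chosen luck level p."""
    m = match_rate(targets, key_bits)
    return keys_until_first_hit(p, m) / rate / SECONDS_PER_HOUR


def mean_hours_between_hits(targets: int = TARGETS, key_bits: int = KEY_BITS,
                            rate: float = RATE) -> float:
    """Mean spacing between hits is 1/m keys (the slides' 'one every 36.65 hours').
    The p = 0.5 figure is the median, ln(2)/m keys, which is always shorter."""
    return 1 / match_rate(targets, key_bits) / rate / SECONDS_PER_HOUR


if __name__ == "__main__":
    print(f"whole key space once:            {full_search_years():.2f} years")
    print(f"mean time between hits:          {mean_hours_between_hits():.2f} h")
    print(f"median (p = 0.5) to first hit:   {hours_until_first_hit(0.5):.2f} h")
    print(f"1-in-1000 bad luck (p = 0.001):  {hours_until_first_hit(0.001) / 24:.1f} days")
    # Why the 16,384 parallel targets matter: with a single target the median is decades.
    single = hours_until_first_hit(0.5, targets=1) / 24 / 365.25
    print(f"single target, p = 0.5:          {single:.1f} years")
```

The last line is the practical point of the attack: searching for one key at 33 MHz takes decades, but the ability to pull 16,384 candidate keys out of the device at once divides the median search time by 16,384 and turns it into a day.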
 19. Requirements
     - You need access to a live IBM 4758, i.e. one that protects real key material in a real bank. Because of the access permissions required, this sort of attack requires you to be a bank manager or security officer who plays a part in manual key entry into the device. In practice there might be about three or four people in the bank with the relevant access privileges. If your insider is not one of these people, there are plenty of ways to go about stealing one of their passwords.
 20. - Information security is the ongoing process of exercising due care and due diligence to protect information and information systems from unauthorized access, use, disclosure, destruction, modification, disruption or distribution.
     - This never-ending process involves ongoing training, assessment, protection, monitoring and detection, incident response and repair, documentation, and review.