CASE STUDY 21MCS011 21CSP06

Bala harish kumar k

21mcs011
21csp06
Cryptography and Network security

Case Study

Computer Security concepts by application of various Cryptographic and

Encryption techniques
CASE STUDY 21MCS011 21CSP06

Introduction:-
The last twenty years have witnessed a major development in a formal methods used to
improve security protocols. The design of such protocols has so far been largely an empirical
and ad-hoc procedure, giving rise to various approaches. These methods are now being
systematically applied to develop a system that is both efficient and can comply with strong
security requirements. Computer data often travels from one computer to another, leaving the
safety of its protected physical surroundings.

Once the data is out of hand, people with bad intention could modify or forge your data,
either for amusement or for their own benefit. Cryptography can reformat and transform our
data, making it safer on its trip between computers. The technology is based on the essentials
of secret codes, augmented by modern mathematics that protects our data in powerful ways
. • Computer Security - generic name for the collection of tools designed to protect data and
to thwart hackers
• Network Security - measures to protect data during their transmission
• Internet Security - measures to protect data during their transmission over a collection of
interconnected networks

Security Attacks, Services and Mechanisms

To assess the security needs of an organization effectively, the manager responsible for
security needs some systematic way of defining the requirements for security and
characterization of approaches to satisfy those requirements.
One approach is to consider three aspects of information security: Security attack – Any
action that compromises the security of information owned by an organization. Security
mechanism – A mechanism that is designed to detect, prevent or recover from a security
attack. Security service – A service that enhances the security of the data processing systems
and the information transfers of an organization. The services are intended to counter security
attacks and they make use of one or more security mechanisms to provide the service. Basic
Concepts Cryptography The art or science encompassing the principles and methods of
transforming an intelligible message into one that is unintelligible, and then retransforming
that message back to its original form Plaintext The original intelligible message Cipher text
The transformed message

Security Models
An organization can take several approaches to implement its security model:
CASE STUDY 21MCS011 21CSP06

● No security: In this simplest case, the approach could be a decision to implement no

security at all.
● Security through obscurity: In this model, a system is secure simply because nobody
knows about its existence and content.
● Host security: In this scheme, the security for each host is enforced individually. This is a
very safe approach, but the trouble is that it cannot scale well. The complexity and the
diversity of modern sites/organizations make the task even harder.
● Network security: Host security is difficult to achieve as organizations grow and become
more diverse. In this technique, the focus is to control network access to various hosts and
their services, rather than the individual host’s security. This is an efficient and scalable
model. 1.3.2 Security Management Practices Good security management practices always
include a security policy. Putting a security policy in place is actually quite difficult. A good
security policy and its proper implementation go a long way in ensuring adequate security
management practices. A good security policy generally takes care of four key aspects.
Security Concepts •
● Affordability: How much money and effort does this security implementation cost?
● Functionality: What is the mechanism of providing security? ●
Cultural Issues: Does the policy take into consideration people’s expectations, working style,
and beliefs?
● Legality: Does the policy meet the legal requirements? Once a security policy is in place,
the following points should be ensured: a. Include an explanation of the policy to all
concerned. b. Outline everybody’s responsibilities. c. Use simple language in all
communications. d. Accountability should be established. e. Provide for exceptions and
periodic reviews.
PRINCIPLES OF SECURITY
Having discussed some of the attacks that have occurred in real life, let us now classify the
principles related to security. This will help us understand the attacks better and think about
the possible solutions. Let us assume that a person, A, wants to send a check worth $100 to
another person, B. Normally, what are the factors that A and B think of in such a case? A will
write the check for $100, put it inside an envelope, and send it to B.
● A wants to ensure that no one expects B will get the envelope, and even if someone else
gets it, she does not want anyone to know about the details of the check. This is the principle
of confidentially.
● A and B would like to make sure that no one can tamper with the contents of the check
(such as its amount, date, signature, or name of the payee). This is the principle of integrity.
● B would like to be assured that the check has indeed come from A, and not from someone
else posing as A (as it could be a fake check). This is the principle of authentication. ● What
will happen tomorrow if B deposits the check into her account, the money is transferred from
A’s account, and then A claims to have not written/ sent the check? The court of law will use
CASE STUDY 21MCS011 21CSP06

A’s signature to disallow A to refute this claim and settle the dispute. This is the principle of
non-repudiation.

SECURITY SERVICES
The classification of security services are as follows: Confidentiality: Ensures that the
information in a computer system a n d transmitted information are accessible only for
reading by autho
rized parties. E.g. Printing, displaying and other forms of disclosure. Authentication: Ensures
that the origin of a message or electronic document is correctly identified, with an assurance
that the identity is not false. Integrity: Ensures that only authorized parties are able to modify
computer system assets and transmitted information. Modification includes writing, changing
status, deleting, creating and delaying or replaying of transmitted messages. Non repudiation:
Requires that neither the sender nor the receiver of a message be able to deny the
transmission. Access control: Requires that access to information resources may be controlled
by or the target system. Availability: Requires that computer system assets be available to
authorized parties when needed.
SECURITY ATTACKS
There are four general categories of attack which are listed below
. Interruption
An asset of the system is destroyed or becomes unavailable or unusable. This is an
attack on availability e.g., destruction of piece of hardware, cutting of a communication line
or Disabling of file management system.
Interception
An unauthorized party gains access to an asset. This is an attack on confidentiality.
Unauthorized party could be a person, a program or a computer.e.g., wire tapping to captdata
in the network, illicit copying of files Sender Receiver Eavesdropper or forger

Modification
An unauthorized party not only gains access to but tampers with an asset. This is an
attack on integrity. e.g., changing values in data file, altering a program, modifying the
contents of messages being transmitted in a network. S

Cryptography
Cryptographic systems are generally classified along 3 independent dimensions: Type
of operations used for transforming plain text to cipher text All the encryption algorithms are
based on two general principles: substitution, in which each element in the plaintext is
mapped into another element, and transposition, in which elements in the plaintext are
rearranged. The number of keys used If the sender and receiver uses same key then it is said
to be symmetric key (or) single key (or) conventional encryption. If the sender and receiver
use different keys then it is said to be public key encryption. The way in which the plain text
is processed A block cipher processes the input and block of elements at a time, producing
output block for each input block.
CASE STUDY 21MCS011 21CSP06

SECURITY SERVICES
The classification of security services are as follows: Confidentiality: Ensures that the
information in a computer system a n d transmitted information are accessible only for
reading by authorized parties. E.g. Printing, displaying and other forms of disclosure.
Authentication: Ensures that the origin of a message or electronic document is correctly
identified, with an assurance that the identity is not false. Integrity: Ensures that only
authorized parties are able to modify computer system assets and transmitted information.
Modification includes writing, changing status, deleting, creating and delaying or replaying
of transmitted messages. Non repudiation: Requires that neither the sender nor the receiver of
a message be able to deny the transmission. Access control: Requires that access to
information resources may be controlled by or the target system. Availability: Requires that
computer system assets be available to authorized parties when needed.

Cryptographic Attacks
Passive Attacks
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The
goal of the opponent is to obtain information that is being transmitted. Passive attacks are of
two types: Release of message contents: A telephone conversation, an e-mail message and a
transferred file may contain sensitive or confidential information. We would like to prevent
the opponent from learning the contents of these transmissions. Traffic analysis: If we had
encryption protection in place, an opponent might still be able to observe the pattern of the
message. The opponent could determine the location and identity of communication hosts
and could observe the frequency and length of messages being exchanged. This information
might be useful in guessing the nature of communication that was taking place. Passive
attacks are very difficult to detect because they do not involve any alteration of data.
However, it is feasible to prevent the success of these attacks. Active attacks These attacks
involve some modification of the data stream or the creation of a false stream. These attacks
can be classified in to four categories: Masquerade – One entity pretends to be a different
entity. Replay – involves passive capture of a data unit and its subsequent transmission to
produce an unauthorized effect. Modification of messages – Some portion of message is
altered or the messages are delayed or recorded, to produce an unauthorized effect. Denial of
service – Prevents or inhibits the normal use or management of communication facilities.
Another form of service denial is the disruption of an entire network, either by disabling the
network or overloading it with messages so as to degrade performance. It is quite difficult to
prevent active attacks absolutely, because to do so would require physical protection of all
communication facilities and paths at all times. Instead, the goal is to detect them and to
recover from any disruption or delays caused by them.

Active attacks
These attacks involve some modification of the data stream or the creation of a false stream.
These attacks can be classified in to four categories: Masquerade – One entity pretends to be
a different entity. Replay – involves passive capture of a data unit and its subsequent
transmission to produce an unauthorized effect. Modification of messages – Some portion of
message is altered or the messages are delayed or recorded, to produce an unauthorized
effect. Denial of service – Prevents or inhibits the normal use or management of
CASE STUDY 21MCS011 21CSP06

communication facilities. Another form of service denial is the disruption of an entire

network, either by disabling the network or overloading it with messages so as to degrade
performance. It is quite difficult to prevent active attacks absolutely, because to do so would
require physical protection of all communication facilities and paths at all times. Instead, the
goal is to detect them and to recover from any disruption or delays caused by them

Conclusion
Cryptography has a role to play in many areas. Like seat belts, it will not completely protect us. In the
chapters that follow, I will develop the basic ideas about cryptography and then illustrate some of the
ways it interacts with and protects us. The above statement is about Computer Security concepts by
application of various Cryptographic and Encryption techniques

Reference
From the book :Computer Security and  Cryptography
Alan G. Konheim

url: https://ebooksllc.com/ebook/cryptography-and-security-in-computing/