INTRODUCTION

Nguyen Thi Le Quyen

University of Science and Technology – The University of Danang

April, 2020
The Connected World

1/21/2021 2
Information Storage

1/21/2021 3
Increased Security Breaches

1/21/2021 4
Increased Security Breaches

1/21/2021 5
Increased Security Breaches

1/21/2021 6
1/21/2021 7
1/21/2021 8
Information Security Objectives
CIA Triad

The Security Requirements Triad

1/21/2021 9
Information Security Objectives
Confidentiality (Tính bí mật của thông tin)
▪ Data confidentiality
o Assures that private or confidential information is not made available or disclosed to
unauthorized individuals
▪ Privacy
o Assures that individuals control or influence what information related to them may be
collected and stored and by whom and to whom that information may be disclosed

Integrity (Tính toàn vẹn thông tin)

▪ Data integrity
o Assures that information and programs are changed only in a specified and authorized
manner
▪ System integrity
o Assures that a system performs its intended function in an unimpaired manner, free
from deliberate or inadvertent unauthorized manipulation of the system

Availability (Tính sẵn sàng của hệ thống)

▪ Assures that systems work promptly and service is not denied to authorized
users

1/21/2021 10
Possible Additional Concepts
Authentication (Tính xác thực)
▪ Assures to one entity that another entity is who he/she/it claims to
be

Non-repudiation (Tính không thể phủ nhận)

▪ Assures that entities cannot deny that operations have been actually
performed

1/21/2021 11
Terms
Threat (Mối đe dọa)
▪ A potential for violation of security, which exists when there is a
circumstance, capability, action, or event that could breach security
and cause harm. That is, a threat is a possible danger that might
exploit a vulnerability.
Attack (Tấn công)
▪ An assault on system security that derives from an intelligent threat;
that is, an intelligent act that is a deliberate attempt (especially in
the sense of a method or technique) to evade security services and
violate the security policy of a system.

1/21/2021 12
Security Threats

- Hardware

- System Software
Networks/ Communication links
(Operating Systems/ Hypervisor)

- Applications

Peripherals

1/21/2021 13
Why difficult to prevent?
Attackers need to target the weakest link in the chain

1/21/2021 14
Security Threats (Research)

- Hardware
Hardware Security
Network Security
- System Software System Security
Networks/ Communication links
(Operating Systems/ Hypervisor)
OS Security
- Applications

Cloud Security

DBMS Security Web Security

Cryptography

Peripherals
Embedded Security
1/21/2021 15
Cryptography
A crucial component in all security systems
Fundamental component to achieve
▪ Confidentiality
o Allows only authorized users access to data

1/21/2021 16
Cryptography
A crucial component in all security systems
Fundamental component to achieve
▪ Confidentiality
▪ Data Integrity
o Cryptography can be used to ensure that only
authorized users can make modifications (for
instance to a bank account number)

1/21/2021 17
Cryptography
A crucial component in all security systems
Fundamental component to achieve
▪ Confidentiality
▪ Data Integrity
▪ Authentication
o Cryptography helps prove identities

1/21/2021 18
Cryptography
A crucial component in all security systems
Fundamental component to achieve
▪ Confidentiality
▪ Data Integrity I did not
▪ Authentication send that
▪ Non-repudiation

The sender of a
message cannot
claim that she did
not send it

1/21/2021 19
Scheme for Confidentiality
Problem: Alice wants to send a message to Bob (and only to Bob) through
an untrusted communication link

Untrusted communication link

Meet
at 8a.m Alice Bob

Eve

1/21/2021 20
Encryption
Secrets:
▪ Only Alice knows the encryption key 𝐾𝐸
▪ Only Bob knows the decryption key 𝐾𝐷

𝐾𝐸 𝐾𝐷

Untrusted communication link

E D
!#Rrejfd^^df$ Meet
encryption (cipher text) decryption at 8a.m
Meet Alice Bob
at 8a.m

Only sees ciphertext

!#Rrejf
Cannot get the plaintext message
d^^df$
because she does not know the keys
Eve

1/21/2021 21
Encryption Algorithms
Should be easy to compute for Alice/ Bob (who know the key)
Should be difficult to compute for Eve (who does not know the key)
What is ‘difficult’?
▪ Ideal case: Prove that the probability of Eve determining the encryption/ decryption
key is no better than a random guess
▪ Computationally: Show that it is difficult for Eve to determine the keys even if she has
massive computational power

𝐾𝐸 𝐾𝐷

Untrusted communication link

E D
!#Rrejfd^^df$ Meet
encryption (cipher text) decryption at 8a.m
Meet Alice Bob
at 8a.m

1/21/2021 22
Algorithmic Attacks
Can Eve use tricks to break the algorithm?

Thereby reducing the ‘difficulty’ of getting the key.

1/21/2021 23
Encryption Keys
How are keys managed
▪ How does Alice & Bob select the keys?
▪ Need algorithms for key exchange

𝐾𝐸 𝐾𝐷

Untrusted communication link

E D
!#Rrejfd^^df$ Meet
encryption (cipher text) decryption at 8a.m
Meet Alice Bob
at 8a.m

1/21/2021 24
Ciphers
Symmetric Algorithms
▪ Encryption & Decryption use the same key
▪ 𝐾𝐸 = 𝐾𝐷
▪ Examples:
o Block Ciphers: DES, AES, PRESENT, etc.
o Stream Ciphers: A5, Grain, etc.
Asymmetric Algorithms
▪ Encryption & Decryption keys are different
▪ 𝐾𝐸 ≠ 𝐾𝐷
▪ Examples:
o RSA
o ECC

1/21/2021 25
Ciphers Implementations
Cryptography is always an overhead!!
E

For security, the algorithms need to be computation intensive

▪ Often require large numbers, complex mathematical operations
Design Challenges: Performance, Size, Power
▪ Algorithms to achieve this

1/21/2021 26
Encryption Devices
Side Channels:
▪ E.g. Power consumption/ radiation of device, execution time, etc.

𝐾𝐸 𝐾𝐷

Untrusted communication link

E D
!#Rrejfd^^df$
encryption (cipher text) decryption Meet
Alice Bob at
Meet 8a.m
at
8a.m

Gets information about the keys by

monitoring Side Channels of the device
Eve

1/21/2021 27
Side Channel Analysis

00111

E
encryption
Alice
Meet
at Eve
8a.m

Radiation from Device

Secret information

1/21/2021 28
Ciphers Design Challenges
Tradeoff between Security, Speed, Side-Channel Attacks

We want crypto algorithms

to be fast & small

For security, the algorithms are

computationally intensive. Need to protect against
Typically use large numbers, side channel attacks
complex operations
1/21/2021 29
Cryptography Study
Mathematics
Computer science
Electrical engineering
Communication science
Physics

1/21/2021 30
Some Hot Research Trends
Homomorphic encryption
Hardware-based whole disk encryption
Moving target defense
Wearable two-factor authentication
A resurgence of physical-based security
Quantum cryptography
Smart contracts for encrypted payments
Honey encryption
IoT product security
Voice biometrics and facial recognition
Blockchain
Tokenization

1/21/2021 31
Security Threats (Research)

- Hardware
Hardware Security
Network Security
- System Software System Security
Networks/ Communication links
(Operating Systems/ Hypervisor)
OS Security
- Applications

Cloud Security

DBMS Security Web Security

Cryptography

Peripherals
Embedded Security
1/21/2021 32
Cryptography
Practice of the enciphering and deciphering of messages in
secret code in order to render them unintelligible to all but the
intended receiver.

1/21/2021 33
Early Cryptography
3500 BC: Sumerians
▪ Cuneiform writings (Chữ
hình nêm)

1/21/2021 34
Early Cryptography
1900 BC: Egypt
▪ First known use of cryptography

1/21/2021 35
Early Cryptography
500 – 600 BC: ATBASH Cipher
▪ Used by Hebrew scribes
▪ Substitution cipher (reversed alphabet)

1/21/2021 36
Early Cryptography
486 BC: Greece (Hy Lạp)
▪ Skytale - Cây gậy mật mã

1/21/2021 37
Early Cryptography
60 – 50 BC: Julius Ceasar
▪ Substitution cipher (Mã thay thế)
▪ Shift letters by X positions:
o E.g.: k=3: A→D, B→E, C→F,...
▪ Weakness:
o Frequency analysis (1000AD)
▪ 1466: Leon Albertini: cipher disk
o Used until 16th century

1/21/2021 38
Medieval Cryptography
1587: Vigenère Cipher
▪ Polyalphabetic: one to many
relationship (Mã thay thế
dùng nhiều bảng chữ cái)
▪ Example
o Plaintext: ATTACKATDAWN
o Keyword: LEMON
o Ciphertext: LXFOPVEFR

1/21/2021 39
Modern Cryptography
1845: Morse Code
▪ Representation by code signal
▪ States (on and off) composed into symbols

1/21/2021 40
Modern Cryptography
1863: Kasiski breaks Vigenere
▪ Find length of keyword
▪ Divide message into substitution cryptograms
▪ Use frequency analysis to solve these

1/21/2021 41
Modern Cryptography
1918: ADFGVX Cipher
▪ Used in the German army in WWI

1/21/2021 42
Modern Cryptography
1918: The Enigma
▪ Arthur Scherbius
▪ Business: confidential docs
▪ No codebooks
▪ Rotors → multi substitution
▪ Wiring changes as-you-type
▪ German forces in WWII

1/21/2021 43
Modern Cryptography
1937 – 1945: Navajo Code Talkers

1/21/2021 44
Modern Cryptography
1949: Shannon
▪ Communication Theory of Secret
Systems
▪ Proved: One time pad unbreakable

1/21/2021 45
Modern Cryptography
1976: Diffe – Hellman Key Exchange
▪ Whitfield Diffe & Martin Hellman
▪ Discrete logarithm problem

1/21/2021 46
Modern Cryptography
So how does it work?
Exploits?
▪ Man in the middle
▪ Fix: additional authentication

1/21/2021 47
Modern Cryptography
Public Key Crypto
▪ Key exchange problem
▪ Asymmetric key algorithm
▪ VD: RSA, MIT, 1977

1/21/2021 48
Modern Cryptography
1991: PGP Pretty Good Privacy
▪ Protocol, uses RSA
▪ Encryption & decryption
▪ Digital signatures
o How does that work?
▪ Web of Trust (WOT)
o Third party signs (public) key to attest association (hiệp hội chứng thực)
between person and key
▪ Other possibility: Hierarchical, Certification Authority(CA) based
o VD: X.509 Certificates in SSL

1/21/2021 49