
INFORMATION SECURITY
Dr. Kashif Naseer Qureshi
Associate Professor
(MCS, MS-IT, Ph.D)
(MCSE, MCITP, CCNA, CCNP)

Department of Computer Science

Bahria University, Islamabad

1
In today's lecture
■ Basic notions of confidentiality
■ Integrity
■ Availability
■ Classical encryption Techniques (Overview)

2
The Confidentiality, Integrity and Availability Triad
– CIA Model provides security concepts.
– DAD (Disclosure, Alteration and Denial)

Confidentiality

• It is a concept similar to privacy, to protect the data from unauthorized.
• Confidentiality is a concept that may be implemented at many
levels of a process.

3
Integrity
■ Several aspects of integrity are illustrated by the example of a hospital
patient’s allergy information stored in a database.
■ The doctor should be able to trust that the information is correct and
current.
■ Now suppose that an employee (e.g., a nurse) who is authorized to
view and update this information deliberately falsifies the data to cause
harm to the hospital.
■ The database needs to be restored to a trusted basis quickly, and it
should be possible to trace the error back to the person responsible.
■ Patient allergy information is an example of an asset with a high
requirement for integrity. Inaccurate information could result in serious
harm or death to a patient and expose the hospital to massive liability.

4
Availability
■ The more critical a component or service, the higher the
level of availability required.
■ Consider a system that provides authentication services for
critical systems, applications, and devices.
■ An interruption of service results in the inability for
customers to access computing resources and staff to
access the resources they need to perform critical tasks.
■ The loss of the service translates into a large financial loss
in lost employee productivity and potential customer loss.

5
Security Concepts and Relationships

6
Assets
The assets of a computer system can be categorized as
follows:
■ Hardware: Including computer systems and other data
processing, data storage, and data communications
devices
■ Software: Including the operating system, system
utilities, and applications.
■ Data: Including files and databases, as well as security-
related data, such as password files.
■ Communication facilities and networks: Local and
wide area network communication links, bridges, routers,
and so on.

7
Vulnerabilities of system
■ It can be corrupted, so that it does the wrong thing or
gives wrong answers. For example, stored data values may
differ from what they should be because they have been
improperly modified.
■ It can become leaky. For example, someone who should
not have access to some or all of the information available
through the network obtains such access.
■ It can become unavailable or very slow. That is, using
the system or network becomes impossible or impractical.

8
Threats, attacks, and assets

9
Scope of Computer Security

10
Computer and Network Assets, with Examples of Threats

11
Classical Encryption Techniques

12
Cryptography
■ Comes from Greek kryptós "hidden" and gráfein "to write"

■ The principles and methods of transforming an intelligible
message into one that is unintelligible and retransforming that
message to its original form at the other end.

13
Some Basic Terminologies
■ plaintext - original message
■ ciphertext - coded message
■ cipher - algorithm for transforming plaintext to ciphertext
■ key - info used in cipher known only to sender/receiver
■ encipher (encrypt) - converting plaintext to ciphertext
■ decipher (decrypt) - recovering plaintext from ciphertext
■ cryptography - study of encryption principles/methods
■ cryptanalysis (codebreaking) - study of principles/methods of
deciphering ciphertext without knowing key
■ cryptology - field of both cryptography and cryptanalysis

14
Ciphers

■ Symmetric cipher: same key used for encryption
and decryption
– Block cipher: encrypts a block of plaintext at a time
(typically 64 or 128 bits)
– Stream cipher: encrypts data one bit or one byte at a
time

■ Asymmetric cipher: different keys used for
encryption and decryption

15
Symmetric Cipher Model

16
17
Symmetric Encryption
■ Or conventional / secret-key / single-key
■ Sender and recipient share a common key
■ All classical encryption algorithms are symmetric
■ The only type of cipher prior to the invention of asymmetric-key ciphers
in the 1970s
■ By far most widely used

18
Symmetric Encryption
■ Mathematically:
Y = E_K(X) or Y = E(K, X)
X = D_K(Y) or X = D(K, Y)
■ X = plaintext
■ Y = ciphertext
■ K = secret key
■ E = encryption algorithm
■ D = decryption algorithm
■ Both E and D are known to the public

19
Cryptography
■ Characterize cryptographic system by:
– type of encryption operations used
■ substitution / transposition / product
– number of keys used
■ single-key or private / two-key or public
– way in which plaintext is processed
■ block / stream

20
Classical encryption operations

■ Plaintext is viewed as a sequence of elements
(e.g., bits or characters)
■ Substitution cipher: replacing each element of
the plaintext with another element.
■ Transposition (or permutation) cipher:
rearranging the order of the elements of the
plaintext.
■ Product cipher: using multiple stages of
substitutions and transpositions

21
Cryptanalysis
■ Objective: to recover the plaintext of a
ciphertext or, more typically, to recover the
secret key.

■ Kerckhoffs's principle: the adversary knows all
details about a cryptosystem except the secret
key.

■ Two general approaches:
– brute-force attack
– non-brute-force attack (cryptanalytic attack)

22
Brute-Force Attack
■ Try every key to decipher the ciphertext.
■ On average, need to try half of all possible keys
■ Time needed proportional to size of key space

Key size (bits)            | Number of alternative keys | Time required at 1 decryption/µs  | Time required at 10^6 decryptions/µs
32                         | 2^32 = 4.3 × 10^9          | 2^31 µs = 35.8 minutes            | 2.15 milliseconds
56                         | 2^56 = 7.2 × 10^16         | 2^55 µs = 1142 years              | 10.01 hours
128                        | 2^128 = 3.4 × 10^38        | 2^127 µs = 5.4 × 10^24 years      | 5.4 × 10^18 years
168                        | 2^168 = 3.7 × 10^50        | 2^167 µs = 5.9 × 10^36 years      | 5.9 × 10^30 years
26 characters (permutation) | 26! = 4 × 10^26           | 2 × 10^26 µs = 6.4 × 10^12 years  | 6.4 × 10^6 years

23
Cryptanalytic Attacks
■ Ciphertext only
– only knows algorithm & ciphertext
■ Known plaintext
– know/suspect plaintext & ciphertext
■ Chosen plaintext
– select plaintext and obtain ciphertext
■ Chosen ciphertext
– select ciphertext and obtain plaintext

24
Ciphertext-only attack

■ Given: a ciphertext c
■ Q: what is the plaintext m?
■ An encryption scheme is completely insecure if it cannot resist
ciphertext-only attacks.

25
Known-plaintext attack

■ Given: (m1,c1), (m2,c2), …, (mk,ck) and a new ciphertext c.
■ Q: what is the plaintext of c?
■ Q: what is the secret key in use?

26
Chosen-plaintext attack
■ Given: (m1,c1), (m2,c2), …, (mk,ck), where m1, m2, …, mk are chosen by
the adversary; and a new ciphertext c.

■ Q: what is the plaintext of c, or what is the secret key?

27
Example: chosen-plaintext attack

■ In 1942, US Navy cryptanalysts discovered that Japan
was planning an attack on “AF”.
■ They believed that “AF” means Midway island.
■ Pentagon didn’t think so.
■ US forces in Midway sent a plain message that their
freshwater supplies were low.
■ Shortly, US intercepted a Japanese ciphertext saying
that “AF” was low on water.
■ This proved that “AF” is Midway.

28
Chosen-ciphertext attack

■ Given: (m1,c1), (m2,c2), …, (mk,ck), where c1, c2, …, ck are
chosen by the adversary; and a new ciphertext c.

■ Q: what is the plaintext of c, or what is the secret key?

29
More Definitions
■ Unconditional security
– no matter how much computer power or time is available, the
cipher cannot be broken since the ciphertext provides insufficient
information to uniquely determine the corresponding plaintext
■ Computational security
– given limited computing resources (e.g., time needed for
calculations is greater than age of universe), the cipher cannot be
broken

30
Cryptography - recap
■ characterize cryptographic system by:
– type of encryption operations used
■ substitution / transposition / product
– number of keys used
■ single-key or private : symmetric
■ two-key or public : Asymmetric
– way in which plaintext is processed
■ block / stream

31
Classical Substitution Ciphers
■ Letters/bits of plaintext are replaced by other
letters/bits.
■ Categorized as:
– Monoalphabetic Ciphers – Simple Cipher
– Homophonic Ciphers
– Polyalphabetic Ciphers
– Polygram Ciphers

32
Mono-alphabetic cipher / Simple Substitution
■ Substitution of single letters separately
■ simple substitution—can be demonstrated by writing
out the alphabet in some order to represent the
substitution.
■ This is termed a substitution alphabet.
■ The cipher alphabet may be shifted or reversed
(creating the Caesar and Atbash ciphers, respectively)
or scrambled in a more complex fashion, in which
case it is called a mixed alphabet or deranged
alphabet.
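
Added example (not part of the original slides): the known-plaintext model from the earlier slide applied to a mixed-alphabet substitution cipher, showing that the 26! key space in the brute-force table gives no protection once a few (m, c) pairs are known. The keyword "security" and the sample messages are constructed for illustration.

```python
import string

ALPHABET = string.ascii_lowercase

def keyword_alphabet(keyword):
    """Build a mixed substitution alphabet: keyword letters first, then the rest."""
    seen = []
    for ch in keyword.lower() + ALPHABET:
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return dict(zip(ALPHABET, seen))      # plaintext letter -> cipher letter

def encrypt(plaintext, key):
    """Substitute each letter separately; spaces and punctuation pass through."""
    return ''.join(key.get(ch, ch) for ch in plaintext.lower())

def recover_mapping(pairs):
    """Known-plaintext attack: every (m, c) pair reveals cipher -> plain letters."""
    learned = {}
    for m, c in pairs:
        for p_ch, c_ch in zip(m.lower(), c):
            if p_ch in ALPHABET and learned.setdefault(c_ch, p_ch) != p_ch:
                raise ValueError("pairs do not fit a single substitution key")
    return learned

def decrypt_with(learned, ciphertext, unknown='?'):
    """Decrypt using only the recovered part of the key; mark unknown letters."""
    return ''.join(learned.get(ch, unknown) if ch in ALPHABET else ch
                   for ch in ciphertext)

if __name__ == "__main__":
    key = keyword_alphabet("security")            # secret, never given to the analyst
    known = ["attack at dawn", "send water to midway"]   # constructed known plaintexts
    pairs = [(m, encrypt(m, key)) for m in known]
    learned = recover_mapping(pairs)
    print(len(learned), "of 26 key entries recovered")
    for secret in ["meet at noon", "hold position"]:
        print(decrypt_with(learned, encrypt(secret, key)))
```

Two short messages recover 14 of the 26 key entries, enough to read a new ciphertext that uses only those letters and most of one that does not.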

33
Caesar Cipher
■ Earliest known substitution cipher
■ Invented by Julius Caesar
■ Each letter is replaced by the letter three positions
further down the alphabet.

• Plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
  Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

■ Example: Attack → Dwwdfn

34
Caesar Cipher

■ Mathematically, map letters to numbers:
a, b, c, ..., x, y, z
0, 1, 2, ..., 23, 24, 25
■ Then the general Caesar cipher is:
c = E_K(p) = (p + k) mod 26
p = D_K(c) = (c – k) mod 26
■ Can be generalized with any alphabet.

35
Cryptanalysis of Caesar Cipher
■ Key space: {0, 1, ..., 25}
■ Vulnerable to brute-force attacks.

■ Need to be able to recognize the plaintext when we have it
■ What if the plaintext is written in Korean or …?
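
Added example (not part of the original slides): the general Caesar cipher from the previous slide, plus a brute-force search over all 26 keys that recognizes the plaintext automatically by comparing letter counts with English frequencies. The frequency table is the usual approximate one and the sample message is constructed; the recognizer assumes English plaintext, which is exactly the limitation the last bullet points at.

```python
import string

# Approximate English letter frequencies in percent, a..z (assumed language model).
FREQ = dict(zip(string.ascii_lowercase, [
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]))

def encrypt(plaintext, k):
    """c = (p + k) mod 26 on ASCII letters; case kept, other characters unchanged."""
    out = []
    for ch in plaintext:
        if ch.isascii() and ch.isalpha():
            base = ord('A') if ch.isupper() else ord('a')
            ch = chr((ord(ch) - base + k) % 26 + base)
        out.append(ch)
    return ''.join(out)

def decrypt(ciphertext, k):
    """p = (c - k) mod 26."""
    return encrypt(ciphertext, -k)

def chi_squared(text):
    """Distance between the text's letter counts and English; lower is more English-like."""
    letters = [c for c in text.lower() if c in FREQ]
    if not letters:
        return float('inf')
    n = len(letters)
    return sum((letters.count(l) - n * f / 100) ** 2 / (n * f / 100)
               for l, f in FREQ.items())

def brute_force(ciphertext):
    """Try all 26 keys; return (key, plaintext) candidates, most English-like first."""
    candidates = [(k, decrypt(ciphertext, k)) for k in range(26)]
    return sorted(candidates, key=lambda kp: chi_squared(kp[1]))

if __name__ == "__main__":
    # Constructed sample message, encrypted with k = 3 as on the Caesar slide.
    ct = encrypt("meet me after the toga party at the usual place", 3)
    for k, guess in brute_force(ct)[:3]:
        print(k, guess)
```

The scoring needs enough letters to be reliable; on a six-letter ciphertext such as Dwwdfn the top-ranked candidate may not be the real plaintext, so all 26 candidates should be inspected.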

36
37
