IFT 503A Information Assurance and Security
General objective
The course is designed to provide students with the fundamental concepts and techniques of computer systems security.
Course objectives
CO1: Introduce essential knowledge and techniques for computer systems security.
Course topics
Chapter 1: Introduction
Facets of the security problem of computer systems.
Potential vulnerabilities of computer systems security.
Meaning of Computer Systems Security.
Importance of Computer Systems Security.
Categories of Attackers.
History of Computer System Security.
Goals of System Security.
Security Domains.
Chapter 4: Cryptography
Conventional encryption
Character-level cryptography
Bit-level cryptography
Conventional algorithm DES
Public-key encryption
Chapter 5: Security Services
Key management
Authentication
Digital signature
Data Integrity
INTRODUCTION TO COMPUTER SYSTEMS SECURITY
Facets of the security problem of computer systems.
Vulnerabilities of computer systems security.
Meaning of Computer Systems Security.
Importance of Computer Systems Security.
Categories of Attackers.
Objectives of Chapter 1
By the end of this chapter, the student will be able to:
Understand the meaning of computer systems security.
Trace the history of the security industry.
Identify the main goals of computer systems security.
Appreciate the need for security in today’s hostile world.
CLO1
[Figure: system layers labelled SW, OS, HW]
College of Computers
and Information Technology
Malware may infect the system.
Potential Vulnerabilities
Categories of security weakness
1- Physical weakness
The buildings and equipment rooms are vulnerable.
Intruders can break into the server room, and sabotage as well as
vandalize the system equipment.
They can also steal backup media and printouts, or obtain information that
will allow them to more easily hack their way in at a later time.
Locks, guards, and biometric devices provide an important first defense
against break-ins.
2- Technology weakness
Every technology has some known or unknown inherent weaknesses, or
vulnerabilities that can be exploited by attackers.
Among others, we can mention some:
Categories of security weakness: physical, technology, policy, configuration, human.
3- Policy weakness
Security policy weakness is a catchall phrase for company policies, or a
lack of policies, that inadvertently lead to security threats.
The following policy issues can negatively impact a computer system:
1 No written security policy.
2 Lack of a disaster recovery plan.
3 No policy for software and hardware additions or changes.
4 Lack of security monitoring.
5 Employment policies.
6 Internal policies.
Prof. Mostafa Nofal
4- Configuration weakness
Many network devices have default settings that favor ease of installation without regard for security issues.
Installation without correcting these settings may result in problems.
Network administrators need to reconfigure the computing devices.
Some common configuration issues include the following:
1 Ineffective access control lists failing to block intended traffic
2 Default, missing, or old passwords
3 Unneeded ports or services left active
4 User IDs and passwords exchanged in clear text
5 Weak or unprotected remote access through the Internet.
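The five configuration issues listed above can be checked mechanically. The following is an added example, not part of the original slides: the device description, the policy values and all addresses are constructed for illustration and do not follow any vendor's format.

```python
import ipaddress
from collections import Counter
from datetime import date

AUDIT_DATE = date(2025, 1, 1)  # fixed date so the example is reproducible

# Constructed sample: a device left close to its default settings.
WEAK = {
    "accounts": [
        {"user": "admin", "password": "admin", "changed": date(2019, 1, 1)},
        {"user": "backup", "password": "", "changed": date(2024, 5, 1)},
        {"user": "ops", "password": "t7#Lq9!vRx2m", "changed": date(2024, 5, 1)},
    ],
    "services": {"ssh": 22, "telnet": 23, "http": 80},
    "acl": [  # evaluated top-down, first match wins
        {"action": "permit", "src": "0.0.0.0/0", "port": None},  # matches everything
        {"action": "deny", "src": "0.0.0.0/0", "port": 23},      # shadowed, never reached
    ],
}
# Constructed sample: the same device after reconfiguration.
HARDENED = {
    "accounts": [{"user": "ops", "password": "t7#Lq9!vRx2m", "changed": date(2024, 5, 1)}],
    "services": {"ssh": 22},
    "acl": [
        {"action": "permit", "src": "10.0.0.0/8", "port": 22},
        {"action": "deny", "src": "0.0.0.0/0", "port": None},
    ],
}
# Hypothetical site policy that the audit compares against.
POLICY = {
    "default_passwords": {"admin", "password", "1234"},
    "max_password_age_days": 365,
    "needed_services": {"ssh"},
    "cleartext_services": {"telnet", "ftp", "http"},
    "must_block": [("203.0.113.10", 23)],  # traffic the ACL is intended to block
    "management_ports": {22, 23},
    "internet_probe": "198.51.100.7",      # stands in for any Internet address
}


def acl_decision(acl, src_ip, port):
    """Return the action of the first rule matching (src_ip, port)."""
    addr = ipaddress.ip_address(src_ip)
    for rule in acl:
        if addr in ipaddress.ip_network(rule["src"]) and rule["port"] in (None, port):
            return rule["action"]
    return "deny"  # implicit deny when no rule matches


def audit(device, policy, today):
    """Return sorted (issue_number, message) findings; numbers follow the list above."""
    findings = []
    acl = device["acl"]
    # 1: ACL fails to block traffic it was meant to block (e.g. a shadowed deny rule).
    for src, port in policy["must_block"]:
        if acl_decision(acl, src, port) == "permit":
            findings.append((1, f"ACL permits {src} to port {port}"))
    # 2: default, missing, or old passwords.
    for acct in device["accounts"]:
        if acct["password"] == "":
            findings.append((2, f"{acct['user']}: missing password"))
        elif acct["password"].lower() in policy["default_passwords"]:
            findings.append((2, f"{acct['user']}: default password"))
        if (today - acct["changed"]).days > policy["max_password_age_days"]:
            findings.append((2, f"{acct['user']}: password too old"))
    for name, port in device["services"].items():
        # 3: unneeded ports or services left active.
        if name not in policy["needed_services"]:
            findings.append((3, f"{name}: service not needed"))
        # 4: credentials exchanged in clear text.
        if name in policy["cleartext_services"]:
            findings.append((4, f"{name}: sends credentials in clear text"))
        # 5: management access reachable from the Internet.
        if port in policy["management_ports"] and \
                acl_decision(acl, policy["internet_probe"], port) == "permit":
            findings.append((5, f"{name}: reachable from the Internet"))
    return sorted(findings)


def count_by_issue(findings):
    """Summarise findings as {issue_number: count}."""
    return dict(Counter(issue for issue, _ in findings))


if __name__ == "__main__":
    for issue, message in audit(WEAK, POLICY, AUDIT_DATE):
        print(issue, message)
    print("hardened findings:", audit(HARDENED, POLICY, AUDIT_DATE))
```

The shadowed `deny` rule in the weak ACL is the typical form of issue 1: the rule exists, but an earlier broader `permit` matches first.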
5- Human weakness
The people who administer and use the computer system represent the
greatest vulnerability of all.
Human stupidity, carelessness, laziness, greed, and anger represent the
greatest threats to computer system security.
Human vulnerabilities are the most difficult to defend against.
If the administrator is poorly trained, or decides to take to a life of crime,
the system is in grave peril.
Staff people can also be bribed or coerced into giving away passwords,
opening doors, or otherwise jeopardizing security in the system.
Internet security
In connection with the Internet,
4- System design
This can be accomplished by taking advantage of basic hardware and
software security characteristics.
For example, using a system architecture that is able to segment memory,
thus isolating privileged processes from non-privileged processes.
Importance of Computer Security
1- To Avoid Malware's Damage
Viruses and worms are the most common problem that an organization faces.
The organization may be exposed to viruses and worms as a
result of employees not following procedures.
Viruses and worms generally are non-discriminating threats
that are released without targeting a specific organization.
2- To Prevent Hacker's Sabotage
Hackers deliberately access computer systems and networks without authorization.
The term hacking also applies to the act of exceeding one’s authority in a system.
The process to gain access to a system takes persistence and dogged determination.
The type of attackers has evolved over the years.
The automated tools allow even novice attackers to exploit
3- To Save Information Infrastructure
Nations have increasingly become dependent on computer systems and networks.
This information infrastructure might be targeted by terrorist organizations.
Information may also be used as a weapon.
This threat is characterized by a longer period of preparation, financial backing, and an organized group of attackers.
The threat may include attempts not only to subvert insiders but also to plant individuals inside of a potential
4- To Combat Electronic Crimes and Fraud
In a networked world, a new generation of vandals and data
thugs do not need to have physical contact with the victim.
Data can be easily copied, transmitted, modified or
destroyed.
Thus, the scene of crime is a particularly difficult one.
There are no traces, identification of the culprits is nearly
impossible, apprehension even more so and the legal
framework does not make adequate provision for justice in
this kind of crime.
5- To Clear Responsibility
Computer security is a multibillion dollar industry that addresses a threat that now impacts everyone.
If you use a computer of any kind, anywhere, computer security not only affects you, it is your responsibility.
If your device is compromised, you could be an unwitting partner in crime, or at least a source of inconvenience.
You need to worry about power failures, natural disasters, backups.
Categories of Attackers
Categories of attackers: insider, outsider, professionals, amateurs
1- Insiders
An insider is a legitimate user, but attempts to obtain unauthorized access to data, system resources and services or misuses authorized data.
They are disgruntled or dishonest employees or former employees.
They can do great damage due to their internal access permissions and knowledge of corporate systems.
Companies that experience incidents of theft or sabotage often find that their own employees are the culprits.
2- Outsiders
An outsider has no authorized access and wishes to enter into that network using security holes.
Those attackers can be further divided into hackers and crackers.
A hacker is a person with good IT skills that can find security holes of the designed systems.
A cracker can defeat anti-piracy protections and uses knowledge in an unethical way.
Security Domains
1- Physical security
Physical security is the protection of physical computer equipment
from damage by natural disasters and intruders.
Physical security methods include old-fashioned locks and keys, as well as
more advanced technologies such as smart cards and biometric devices.
It, therefore, ensures controlling the comings and goings of people and
materials.
2- Personal security
It is important for organizations to have policies in place relative to their
employees.
This encompasses hiring employees, background screening, training,
security briefings, monitoring, and handling departures.
The organization needs to make sure that it hires individuals who can be
trusted with the organization’s data and that of its clients.
Finally, policies must be developed to address the inevitable point in the
future when an employee leaves the organization.
3- System security
This includes the following:
1 user access and authentication controls,
2 assignment of privilege,
3 maintaining file and file-system integrity,
4 backups, monitoring processes,
5 log-keeping, and
6 auditing.
4- Network security
This ensures the following:
1 protecting network and telecommunications equipment,
2 protecting network servers and transmissions,
3 combating eavesdropping,
4 controlling access from untrusted networks,
5 firewalls, and
6 detecting intrusions.
5- Operational/procedural security
This ensures covering everything from managerial policy decisions to reporting hierarchies.
Policies are high-level statements created by management that lay out the organization’s positions on particular issues.
Policies describe mandatory activities but are not specific in their details.
Policies are focused on the result, not the methods for achieving it.
Procedures are step-by-step instructions that prescribe exactly how employees act in a given situation or to accomplish a specific task.
DESIGN OF A SECURE COMPUTER SYSTEM
Security Attacks
Security Threats
Objectives of Chapter 2
By the end of this chapter, the student will be able to:
Understand the security attacks and threats.
Identify the main security services.
Design a secure computer system.
CLO2
Security Attacks
Categories of security attacks
1- Interruption
This is an attack on the availability of system resources such as:
1 Server resources
2 Database and information resources
3 Local resources
4 Network resources
An asset of the system is destroyed or becomes unusable.
[Figure: information flows from an information source to an information destination]
Interruption
Examples include:
1 destruction of a piece of hardware such as a hard disk,
2 cutting the communication line, or
3 disabling the file management system.
4 denial of service.
2- Interception
This is an attack on confidentiality.
Unauthorized party (person, program) gains access to an asset.
Examples include:
Interception
There are three routes of data interception:
1 Direct observation of display screens or removing information on USB memory.
2 Interception of data transmissions.
3 Electromagnetic interception.
Categories of security attacks: interruption, interception, modification, fabrication
3- Modification
This is an attack on data integrity.
4- Fabrication
This is an attack on authenticity.
Security Threats
Categories of security threats: passive threats and active threats
Passive threats
The attacker's goal is just to obtain information; the attacker does not modify transmissions.
A passive attacker only threatens the confidentiality of data.
Passive attacks are very difficult to detect because they do not affect
1- Eavesdropping
Network communications occur in an
2- Traffic analysis
Examining messages may deduce
Active threats
Active attacks employ more overt actions on the network or system.
as confidentiality.
It is quite difficult to prevent active attacks absolutely.
They can be easier to detect, but they can be much more devastating to
a network.
1- Spoofing (masquerade) attacks
It means one entity pretends to be a
data.
2- Replay attacks
A valid data transmission is maliciously captured and altered a key part of a message.
By resending this message, a hacker
3- Modification
Modification of messages simply means that some portion of a
[Figure: active threats: masquerade, replay, modification, denial of service, man in the middle, persistent]
4- Denial-of-service attacks
They are designed to shut
5- Man in the middle attack
An intruder intercepts connection
6- Advanced persistent threat
An unauthorized person gains access to a network and stays there undetected for a long period of time.
Its intention is to steal data rather
Security Services
Categories of security services
1- Confidentiality (Privacy)
It is the protection of the stored, processed or transmitted data from passive
attacks.
It refers to the ability to keep things private/confidential.
Confidentiality (Privacy)
Classification of Information
Organizations deal with many types of information of different importance.
Factors that affect the classification of specific information include: 1- its value
2- Authentication
It assures that a communication is authentic.
First, at connection initiation, the service assures that two entities are
authentic.
Second, the service must assure that the connection is not interfered with a
Accomplishing authentication
Authentication can be accomplished by telling the system who you are, and
the system proves that you are (or you aren't) who you claim to be.
In security terms, this process is called identification and authentication.
Identification is the way you tell the system who you are.
Authentication is the way you prove to the system that you are who you say.
In any multi-user system, you must identify yourself, and the system must
4- Non-repudiation
It refers to the ability to prevent individuals from denying that information, data, or
files were sent or received or accessed or altered, when in fact they were.
When a message is sent, the receiver can prove that the message was in fact sent
5- Access control
This refers to the ability to control the level of access that individuals or entities
have to a network or system and how much information they can receive.
Level of authorization determines what you're allowed to do once you are
authenticated and allowed access to a system, or information.
It is the determination of the level of authorization to a system, or
information.
To achieve this control, each entity trying to gain access must first be identified,
or authenticated.
Access rights can be tailored to the individual.
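The order described in the slides on identification, authentication and access control (claim an identity, prove it, then have the request checked against rights tailored to the individual) is shown in the following added example. It is not part of the original slides; the class, the user names, the passwords and the resource name are constructed for illustration, and PBKDF2 is one choice of password hashing made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor chosen for this example


def derive(password, salt):
    """Derive a password verifier; the plain password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class AccessController:
    def __init__(self):
        self._credentials = {}  # user id -> (salt, verifier)
        self._rights = {}       # user id -> {resource: set of allowed actions}
        self._dummy_salt = os.urandom(16)

    def enroll(self, user_id, password, rights):
        """Register a user with individually tailored access rights."""
        salt = os.urandom(16)
        self._credentials[user_id] = (salt, derive(password, salt))
        self._rights[user_id] = {res: set(acts) for res, acts in rights.items()}

    def authenticate(self, user_id, password):
        """Identification is user_id (the claim); authentication is the proof."""
        # Unknown users still cost one derivation, so timing does not
        # reveal which identifiers exist.
        salt, stored = self._credentials.get(user_id, (self._dummy_salt, b""))
        candidate = derive(password, salt)
        matches = hmac.compare_digest(candidate, stored)  # constant-time compare
        return user_id in self._credentials and matches

    def request(self, user_id, password, resource, action):
        """Authorization is evaluated only after authentication succeeds."""
        if not self.authenticate(user_id, password):
            return "denied: not authenticated"
        if action not in self._rights[user_id].get(resource, set()):
            return "denied: not authorized"
        return "granted"


def build_demo():
    """Constructed users: alice may read and write, bob may only read."""
    controller = AccessController()
    controller.enroll("alice", "correct horse battery", {"payroll.db": {"read", "write"}})
    controller.enroll("bob", "tr0ub4dor&3", {"payroll.db": {"read"}})
    return controller


if __name__ == "__main__":
    demo = build_demo()
    print(demo.request("alice", "correct horse battery", "payroll.db", "write"))
    print(demo.request("bob", "tr0ub4dor&3", "payroll.db", "write"))
    print(demo.request("bob", "wrong password", "payroll.db", "read"))
```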
6- Availability
System resources need to be available to authorized entities at legal times.
Availability means that computer system's hardware and software keeps working
efficiently and that the system is able to recover quickly if a disaster occurs.
The opposite of availability is denial of service where the users are unable to get
7- Accountability
This refers to the ability to track or audit what an individual or entity is doing on
a network or system.
This allows the system to maintain a record of functions performed, files
[Figure: layered protection of Data, SW, OS and HW from the Internet: physical security, password authentication, antivirus software, intrusion detection, encrypted messages]
PHYSICAL SECURITY OF COMPUTER SYSTEMS
Physical Security Threats
Physical and Environmental Security
Physical Access Controls
Objectives of Chapter 3
By the end of this chapter, the student will be able to:
Define the interrelation between physical security and technology-oriented security.
Appreciate the physical security threats.
Implement the key physical security mechanisms.
Compare different physical access controls.
Discuss the main principles and techniques of biometric systems.
CLO2
Computer Systems Security
[Figure: computer systems security: intrusion detection, fire fighting, antivirus, biometrics, authentication and access control]
Physical Security
Relation between physical and technology-based security
Computer systems security requires protection of both logical and physical assets.
Physical security protects physical resources such as people, hardware, data transmission, storage, and processing.
Most technology-based controls can be circumvented if an attacker gains physical access to the devices being controlled.
Physical security is just as important as logical security to the computer system.
Physical Security Threats
Examples of physical security threats
1 Exposing the system to extreme temperature conditions.
2 Exposing the system to war gases, commercial vapors, humid
or dry air, suspended particles, water, and chemicals.
3 Natural environmental threats such as floods, earthquakes,
storms and tornadoes.
4 Environmental anomalies such as electrical surge or failure,
magnetism, static electricity, and aging circuitry.
5 Man-made threats such as unauthorized access, explosions, damage,
errors, vandalism, fraud, theft, stealing equipment,
credentials, passwords, and laptops.
6 A competitor sneaking into a facility with a camera.
7 Physical attacks on individuals or property.
Physical Security Responsibility
Responsible organization’s communities
1- General management
General management is responsible for:
4 exterior security,
5 fire protection,
6 building access,
7 other controls such as guard dogs and door locks.
mobile, or portable.
Static systems are installed in structures at fixed locations.
Mobile systems are installed in vehicles that perform the function of a
Physical Access Control
Why physical access control?
It aims at restricting entry and exit of personnel, equipment
and media from an area such as an office, data center, or
server room.
It can include controlled areas, barriers that isolate each
area, entry points in barriers, and screening measures at
entry points.
Staff members serve an important role in providing physical
security as they can challenge people they do not recognize.
Physical access controls
1- Walls, fencing, and gates
The first line of defense is perimeter control at the site
location to prevent unauthorized access to the facility.
Some of the oldest and most reliable elements of physical security are walls, fencing, and gates.
Walls and fences with suitable gates are essential to control the access that employees require to physical locations.
These types of controls vary widely in appearance and function to fulfill the security goals and proper image.
2- Guards
Controls like fences and walls with gates are static, and are
therefore unresponsive to actions.
Some are programmed to respond with specific actions to
specific stimuli, such as opening for a person who has the correct key.
Guards can evaluate each situation as it arises and make
reasoned responses.
Most guards have clear standard operating procedures that
help them to act decisively in unfamiliar situations.
3- Dogs
Dogs are a valuable part of physical security if they are integrated into the plan and managed properly.
Guard dogs are useful because their keen sense of smell and hearing can detect intrusions that human guards cannot.
They can be placed in harm’s way when necessary to avoid risking the life of a person.
Security dogs go through intensive training to respond to a wide range of commands and to perform many tasks.
Dogs can hold an intruder or smell smoke to alert others.
4- Identification cards and badges
An ID is typically concealed, whereas a name badge is visible.
Both devices can serve a number of purposes:
1 they serve to authenticate access to the facility.
2 the IDs with magnetic strip can be read by automated
control devices to restrict access to sensitive areas.
However, they are not foolproof and can be easily duplicated,
stolen, or modified.
Because of this inherent weakness, such devices should not be
used as the only means of controlling access to restricted
areas.
5- Locks and keys
Locks are inexpensive access control mechanisms that are
widely accepted and used.
They are considered delaying devices to intruders.
There are two types of lock mechanisms: mechanical and
electromechanical.
The mechanical lock may rely on a key or a dial.
Electromechanical locks can accept a variety of inputs as keys.
This includes magnetic strips on IDs, radio signals from badges,
personal numbers typed to activate the locking mechanism.
5- Locks may fail
Sometimes locks fail, and thus facilities need to have alternative procedures in place for controlling access.
These procedures must take into account that locks fail in one of two ways: the door lock fails and the door becomes unlocked.
5- Categories of Locks
1 Manual locks are often preset by the manufacturer
and therefore unchangeable.
2 Programmable locks can be changed to allow key
changes.
3 Electronic locks can be integrated into alarm systems
and sensors to create various combinations of locking
behavior.
4 Biometric locks such as finger, palm, and hand readers,
iris and retina scanners, and voice and signature readers.
5- Electronic monitoring
Monitoring equipment can be used to record events in areas
where other types of physical controls are not practical.
It includes closed-circuit television (CCT) systems that collect
constant video feeds, while others rotate input from a number
of cameras, sampling each area in turn.
These video monitoring systems have some drawbacks:
1 they are passive and do not prevent access or activity.
2 there are no intelligent systems capable of reliably
evaluating a video feed.
To determine if unauthorized activities have occurred, a
security staff must:
1 constantly review the information in real time,
2 or review the information collected in video recordings.
For this reason, CCT is most often used as an evidence collection device rather than as a detection instrument.
In high-security areas such as banks, casinos, and shopping
centers, security personnel monitor CCT systems constantly.
BIOMETRICS
Biometric authentication
It refers to the identification of humans by their characteristics
or traits.
It is used as a form of identification and access control as well
as to identify individuals in groups that are under surveillance.
Biometric identifiers are the distinctive, measurable
characteristics used to label and describe individuals.
As biometric identifiers are unique to individuals, they are
more reliable in verifying identity than token-based methods.
Biometrics verifies an individual’s identity by analyzing a
unique personal attribute or behavior.
1- Physiological characteristics
Physiological characteristics are related to the shape of the body.
Examples include, but are not limited to fingerprint, face recognition, DNA, palm print, hand geometry, iris recognition, retina and odour or scent.
Physiological is “what you are”.
2- Behavioral characteristics
Behavioral characteristics are related to the pattern of behavior of a person, including but not limited to typing rhythm, gait, and voice.
Behavioral is “what you do”.
Criteria for choosing biometrics
Many different aspects of human physiology, chemistry or
behavior can be used for biometric authentication.
The selection of a particular biometric for use in a specific
application involves a weighting of several factors.
Seven factors can be used when assessing the suitability of any
trait for use in biometric authentication.
1- Universality
It means that every person using a system should possess the
trait.
2- Uniqueness
It means the trait should be different for individuals in the relevant population so that they can be distinguished from one another.
3- Permanence
A trait with 'good' permanence will be reasonably invariant over time with respect to the specific matching algorithm.
4- Measurability (collectability)
It relates to the ease of acquisition or measurement of the
trait.
5- Performance
It relates to the accuracy, speed, and robustness of technology
used.
6- Acceptability
It relates to how well individuals accept the technology, such that they are willing to have their biometric trait captured and assessed.
7- Circumvention
It relates to the ease with which a trait might be imitated using
an artifact or substitute.
Advantages of biometrics
1- Accuracy
Biometrics is one of the most effective and accurate methods
of verifying identification.
Two assumptions underlie this belief:
2 Biometric device is accurate in the environment in which it
is used.
3 The transmission from the biometric device to the
computer's analysis process is tamperproof.
2- Ease of use
Disadvantages of biometrics
1- Expensive
Biometrics is the most expensive method of verifying a
person’s identity.
2- Unacceptability
People reject them as being intrusive, time-consuming, or even dangerous, as with retina identification.
3- Time inadaptable
Biometrics depends upon unique traits of living things, which are notorious for not remaining the same.
Rank of biometrics based on effectiveness
Retina pattern
Fingerprint
Handprint
Voice pattern
Keystroke pattern
Signature
Rank of biometrics based on social acceptance
Keystroke pattern
Signature
Voice pattern
Handprint
Fingerprint
Retina pattern
Biometric Systems
1- Fingerprint
Everybody has a unique set of fingerprints.
Fingerprint verification systems examine unique characteristics
of the fingerprints to determine whether or not to allow access.
The detailed features of the print are called minutiae.
It is the distinctiveness of these minutiae that gives each
individual a unique fingerprint.
A person places one finger on a glass plate.
Light flashes inside the machine, reflects off the fingerprint, and is captured by a scanner.
The system allows access only if the fingerprint matches the template.
Because the cameras needed to optically scan the fingerprints are
bulky, another approach can be used.
A capacitative technique uses differences in electrical charges of
the whorls on the finger to detect those parts of the finger
touching a chip and those raised.
The data is converted into a graph.
At this point, determining matches becomes a problem of graph
matching.
A sophisticated system performs a 3D analysis of the fingerprint
including infrared mechanisms for ensuring that a pulse is
present.
This means that an intruder can't gain entry by presenting a mold
of an authorized user's finger.
Fingerprint systems are accepted by users in criminal justice
organizations, military, high-security organizations and
banks.
Disadvantages of fingerprints
1 They are slower than certain other types of biometric systems.
2 Their ability to work properly depends on the condition of the
fingers being presented (burns, dust, grease, glue).
3 Gelatin coatings can allow someone to "forge" a fingerprint.
2- Retina pattern
Everybody has a unique retinal vascular pattern in the backside
of the eyeball.
Retina pattern verification systems examine the unique
characteristics of an individual's retina.
A system uses an IR beam to scan the retina, measuring the
intensity of light reflected and producing a digital profile of
the blood vessel patterns in the retina.
Retina systems are very reliable as they are affected only by very serious injuries and a few rare diseases.
They have been used in national labs, office buildings, and prisons, but they are not well-accepted as access devices.
Retina systems seem to be the most threatening.
3- Iris scan
Iris scan looks at the colored part of the front of the eye that
surrounds the pupil.
The iris has unique patterns, rifts, colors, rings, coronas, and
furrows.
The uniqueness of these characteristics is captured.
Iris scans are the most accurate.
The iris remains constant through adulthood, which reduces
errors that can happen during the authentication process.
Sampling the iris offers more reference coordinates than any
other type of biometric.
Iris is much easier to image.
Iris scans may provide a feasible biometric where retina scans
still meet resistance.
4- Palm scan
The palm has many aspects that are used to identify an
individual.
The palm has creases, ridges, and grooves throughout that are
unique to a specific person.
The palm scan also includes the fingerprints of each finger.
An individual places his hand on the biometric device, which
scans and captures this information.
5- Handprint (geometry and topology)
Everybody has a unique handprint or hand geometry.
The shape of a person’s hand (the length and width of the hand
and fingers) defines hand geometry.
A person places his hand on a device that has grooves for each
finger with glass between.
A sensor beneath the plate scans the fingers, recording light
intensity from an overhead light, and measuring fingers
from tip to palm.
The information is digitized and compared against a handprint
template stored in the system.
The system compares the geometry of each finger, and the
hand as a whole, to the reference information to verify identity.
Also, hand topology looks at the different peaks and valleys of
the hand, along with its overall shape and curvature.
This attribute is not unique enough to authenticate individuals
by itself and is used in conjunction with hand geometry.
The older handprint systems examined finger length and the
thickness and curve of the webbing between fingers.
The newer systems examine a whole set of topographical
characteristics, such as the depth of skin creases in the
palm.
The technology is accepted because it's not considered to be as
intrusive as other types of biometric systems.
Handprint systems are less reliable than fingerprint systems.
Like fingerprint systems, their ability to work properly depends
on the physical condition of the hand.
6- Facial scan
People have different bone structures, nose ridges, eye widths,
forehead sizes, and chin shapes.
These are all captured during a facial scan and compared to an
earlier captured scan held within a reference record.
If the information is a match, the person is positively
identified.
The correlation is affected by the differences in the lighting, by
distortion, by "noise," and by the view of the face.
7- Voiceprint
Voice verification systems examine the unique characteristics
of an individual's voiceprint.
Some systems also examine phonetic and linguistic patterns.
With a voice verification system, the individual speaks a
particular phrase.
The system converts the acoustic strength of a speaker's voice
into component frequencies and analyzes their
distributions.
Voice systems are accepted in banks (particularly vaults),
credit card authorization centers, and certain ATMs.
Their ability to work properly depends to some extent on the
physical condition of the larynx.
Respiratory diseases, injuries, stress, and background noises
may affect the system's ability to match a voiceprint.
8- Signature dynamics
When a person signs a signature, usually they do so in the
same manner and speed each time.
Signing a signature produces electrical signals that can be
captured by a biometric system.
The physical motions performed when someone is signing a
document create these electrical signals.
The signals provide unique characteristics that can be used to
distinguish one individual from another.
Signature verification systems examine unique characteristics
of an individual's signature, and the way of writing the
signature.
With a signature verification system, the individual signs his
name using a biometric pen attached to a workstation.
The pen or the pad converts the signature into a set of
electrical signals that store the dynamics of the signing process.
It may also analyze various timing characteristics, such as
pen-in-air movements, that are unique to the individual.
Signature dynamics provides more information than a static
signature.
Signature dynamics is different from a digitized signature.
Signature systems are accepted because people are
accustomed to having their signatures scrutinized.
Such systems are also much cheaper than others.
9- Keystroke dynamics
Keyboard dynamics captures electrical signals when a person
types a certain phrase.
As a person types a specified phrase, the biometric system
captures the speed and motions of this action.
Each individual has a certain style and speed, which translate
into unique signals.
This type of authentication is more effective than typing in a
password, because a password is easily obtainable.
It is much harder to repeat a person’s typing style.
The system requires a signature based on keystroke intervals,
pressure, duration, and where the key is struck.
This signature is as unique as a written signature.
Keystroke recognition can be both static and dynamic.
Static recognition is done once, at authentication time, and
usually involves typing of a fixed or known string.
Dynamic recognition is done throughout the session, so the
aforementioned attack is not feasible.
Keystroke doesn't require a separate verification cycle and it
wins wide acceptance.
Prof. Mostafa Nofal
College of Computers and Information Technology
CRYPTOGRAPHY
Conventional encryption methods
Character-level encryption
Bit-level encryption
Conventional encryption algorithm (DES)
CLO3
Objectives of Chapter 4
By the end of this chapter, the student will be able to:
Differentiate between ciphering approaches.
Encipher data using character-level conventional encryption.
Understand the operation of bit-level ciphering.
Explain the operation of DES algorithm.
Understand the operation of public-key ciphering.
Apply RSA algorithm for data ciphering.
Specify the main features and types of hash functions.
Public-key cryptography
RSA
Hash function
Data Security Techniques
Data security techniques: Cryptography and Steganography
Cryptography
Cryptography means secret writing.
It refers to the art of transforming messages to make them secure and
Steganography
Steganography means covered writing.
It refers to concealing the message
Steganography
Objective of Steganography
It hides information either for secrecy or to protect
copyright, prevent tampering or add extra information.
Text Cover
We can use single space between words to represent bit
0 and double space to represent bit 1.
Example:
Consider the ASCII code of letter A: 01000001.
This course  is intended to provide data security  basics.
Gaps between the words (single space = 0, double space = 1): 0 1 0 0 0 0 0 1
Image Cover
Secret data can be covered under a color image.
Images are made of pixels, each of 3 bytes.
In LSB method, LSBs are set to 0s.
The ASCII code of the character is inserted in LSBs.
Example:
Consider the ASCII code of letter M: 01001101.
This can be hidden in 3 pixels.
01010011 10111100 01010101 01100101 10111100
01011110 00010101 01001010 01111110
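The two covers described above can be worked through in code. This is an added example, not part of the original slides; it assumes the nine bytes listed above are the cover pixels and that bits are inserted most significant bit first.

```python
import re

def text_cover_hide(words, bits):
    """Join words with one space for bit 0 and two spaces for bit 1."""
    if len(bits) != len(words) - 1:
        raise ValueError("need exactly one gap between words per hidden bit")
    out = words[0]
    for bit, word in zip(bits, words[1:]):
        out += (" " if bit == "0" else "  ") + word
    return out

def text_cover_reveal(stego_text):
    """Read the hidden bits back from the width of each gap."""
    return "".join("1" if len(gap) == 2 else "0"
                   for gap in re.findall(r" +", stego_text))

def lsb_hide(cover, char):
    """Clear the LSB of the first 8 cover bytes, then insert the 8 ASCII bits."""
    if len(cover) < 8:
        raise ValueError("one character needs at least 8 cover bytes")
    bits = format(ord(char), "08b")          # e.g. 'M' -> 01001101
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | int(bit)
    return bytes(stego)

def lsb_reveal(stego):
    """Collect the LSBs of the first 8 bytes and turn them back into a character."""
    return chr(int("".join(str(b & 1) for b in stego[:8]), 2))

# Text cover: the sentence and the bit pattern of 'A' from the slide.
WORDS = "This course is intended to provide data security basics.".split()
# Image cover: the nine bytes from the slide, assumed here to be 3 RGB pixels.
COVER = bytes([0b01010011, 0b10111100, 0b01010101,
               0b01100101, 0b10111100, 0b01011110,
               0b00010101, 0b01001010, 0b01111110])

if __name__ == "__main__":
    hidden = text_cover_hide(WORDS, "01000001")
    print(repr(hidden), "->", chr(int(text_cover_reveal(hidden), 2)))
    stego = lsb_hide(COVER, "M")
    print(" ".join(format(b, "08b") for b in stego), "->", lsb_reveal(stego))
```

No stego byte differs from its cover byte by more than 1, which is why the change is not visible in the image.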
[Figure: two principals exchange a message over a channel; each applies a security-related transformation using secret information, and an opponent sits on the channel.]
Cryptography Arrangement
[Figure: plaintext is encrypted with key Ke, crosses the network as ciphertext, and is decrypted with key Kd back into plaintext.]
Categories of Cryptography
Encryption/Decryption: character-level encryption and bit-level encryption.
Conventional Cryptography
[Figure: conventional cryptography with a secret key shared by sender and recipient.]
Ingredients of Conventional Cryptography
1- Plaintext
The original message that is fed into the algorithm as input.
2- Encryption algorithm
It transforms the plaintext to a ciphertext.
3- Secret key
Transformations performed depend on that key.
4- Ciphertext
It is the scrambled message produced as output.
5- Decryption algorithm
It is the encryption algorithm run in reverse to produce
plaintext from the ciphertext.
Properties
1 It was the only type of encryption in use until the late 1970s.
2 The encryption and decryption keys (Ke), (Kd) are the same and
should be kept secret.
3 It is also referred to as symmetric encryption, secret-key,
or single-key encryption.
4 The decryption algorithm is the inverse of the encryption
algorithm.
5 Anyone who knows the encryption algorithm and key
can deduce the decryption algorithm.
6 For m users, the number of required keys is [m×(m-1)]/2.
Methods of exchanging the key
1 The two principals can meet once and exchange the key
face-to-face.
2 They can trust a third party to give them the same key.
3 They can create a temporary secret key using an asymmetric-key
cipher.
Requirements for secure encryption
1- We need a strong encryption algorithm.
An opponent who knows the algorithm and ciphertext
should not deduce the key or decipher the ciphertext.
2- Sender and receiver must have copies of the secret key in a
secure fashion and must keep the key secure.
Kerckhoffs's Principle
States that
We do not need to keep the algorithm secret; we need to
keep only the key secret.
The strength of the cipher against attack must be based only on
the secrecy of the key.
The key domain should be large enough to make guessing the
key very difficult.
System Security
The security of the system should depend entirely on:
1 Keeping the key secret.
2 The length (in bits) of the key itself.
It is usually a good indicator of the work factor required to
crack the ciphertext by trying every possible key in turn
(called an exhaustive search or brute-force attack).
Cryptanalysis
Meaning of Cryptanalysis
Cryptanalysis is the science and art of breaking ciphers.
It refers to the process of attempting to discover the
plaintext or key.
The strategy of cryptanalysis depends on the encryption
scheme and the information available to the cryptanalyst.
4 Cryptanalysis Methods
Cryptanalysis attacks
1- Ciphertext-only attack
Attacker has access only to some ciphertext.
He tries to find the key and the plaintext.
[Figure: User A sends ciphertext to User B; the attacker analyzes the intercepted ciphertext to obtain the plaintext.]
created in ciphertext.
These patterns can be used to
2- Known Plaintext Attack
Attacker has access to some plaintext/ciphertext pairs in
addition to the ciphertext he wants to break.
[Figure: User A sends ciphertext to User B; the attacker analyzes the intercepted ciphertext together with a previous plaintext/ciphertext pair.]
Attacker uses the relationship between the previous pair
to analyze the current ciphertext assuming that the key
has not been changed.
It is less likely to happen because the key is usually
changed.
3- Chosen Plaintext Attack
Attacker has access to A’s computer, chooses some
plaintext and intercepts the created ciphertext.
[Figure: the attacker feeds chosen plaintext into User A's side, collects the resulting pair, and analyzes the ciphertext sent to User B.]
4- Chosen Ciphertext Attack
Attacker chooses some ciphertext and decrypts it to form a
ciphertext/plaintext pair by access to B’s computer.
[Figure: the attacker uses User B's side to create a pair from chosen ciphertext and analyzes the ciphertext sent by User A.]
Strength of Cryptosystem
Measure of Strength of Cryptosystem
An encryption scheme is computationally secure if the
ciphertext meets one or both of the following criteria:
1 The cost of breaking the cipher exceeds the value of
the encrypted information.
2 The time required to break the cipher exceeds the
useful lifetime of the information.
Conventional Cryptography
[Figure: classification of conventional encryption methods; labels shown: Mono-alphabetic, Poly-alphabetic, Permutation, Exclusive OR, Rotation.]
1- Character-level encryption
In this method, encryption is done at character level.
There are two general methods for character-level encryption:
substitutional and transpositional.
2- Bit-level encryption
In this method, the data as text, graphics, audio, or video are first
divided into blocks of bits.
Then bits are altered by encoding/decoding, permutation,
substitution, exclusive OR, rotation, and so on.
CHARACTER-LEVEL ENCRYPTION
Substitutional
Ciphering
This is the simplest and oldest technique.
Each character in the message is replaced by another using
some rule.
In monoalphabetic substitution, each character is replaced
by another character in the set.
The relation between letters in plaintext and ciphertext is
one-to-one.
Simple Monoalphabetic Encryption
The encryption algorithm simply adds a number to the
ASCII code of the character.
The decryption algorithm simply subtracts the same number
from the ASCII code.
Ke and Kd are the same and define the added or subtracted value.
If the letters of the alphabet are shifted by 3 positions,
A becomes D, B becomes E, etc.
If the substituted character is beyond the last character
(Z), we wrap it around.
Example of Simple Monoalphabetic Encryption
[Figure: the information source feeds the encryption algorithm (add Ke, Ke=3); the decryption algorithm (subtract Kd, Kd=3) delivers to the information destination.]
Monoalphabetic
Ciphers
Numerical Monoalphabetic Encryption
To be able to apply mathematical operations, we assign a
numerical value to each letter.
a b c d e f g h i j k l m n o p q r s t u v w x y z
00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
1- Additive Cipher
It is the simplest.
It is also called a shift cipher or Caesar cipher.
Encryption (User A): C = (P + k) mod 26
Decryption (User B): P = (C - k) mod 26
1- Additive Cipher: Example 1
Use the additive cipher with K=15 to encrypt “hello”.
Plaintext Operation Ciphertext
h 07 (07+15) mod 26 22 W
e 04 (04+15) mod 26 19 T
l 11 (11+15) mod 26 00 A
l 11 (11+15) mod 26 00 A
o 14 (14+15) mod 26 03 D
1- Additive Cipher: Example 2
Use the additive cipher with K=15 to decrypt “WTAAD”.
Ciphertext Operation Plaintext
W 22 (22-15) mod 26 07 h
T 19 (19-15) mod 26 04 e
A 00 (00-15) mod 26 11 l
A 00 (00-15) mod 26 11 l
D 03 (03-15) mod 26 14 o
2- Multiplicative Cipher
It is also called a shift cipher or Caesar cipher.
Encryption (User A): C = (P × k) mod 26
Decryption (User B): P = (C / k) mod 26
2- Multiplicative Cipher: Example 1
Use the multiplicative cipher with K=7 to encrypt “hello”.
Plaintext Operation Ciphertext
h 07 (07×7) mod 26 23 X
e 04 (04×7) mod 26 02 C
l 11 (11×7) mod 26 25 Z
l 11 (11×7) mod 26 25 Z
o 14 (14×7) mod 26 20 U
3- Affine Cipher
It is a combination of the multiplicative cipher with key K1 and
the additive cipher with key K2, applied one after another.
Encryption (User A): T = (P × k1) mod 26, then C = (T + k2) mod 26
Decryption (User B): T = (C - k2) mod 26, then P = (T × k1⁻¹) mod 26
3- Affine Cipher: Example
Use an affine cipher with K=(7,2) to encrypt “hello”.
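The additive, multiplicative and affine ciphers above are one family, so a single implementation covers all three worked examples. This is an added example, not code from the slides; the function names are illustrative, and it also checks the condition the decryption formula depends on, namely that k1 must have an inverse mod 26.

```python
from math import gcd

M = 26  # alphabet size used on the slides (a=00 ... z=25)

def inverse_mod(k, m=M):
    """Multiplicative inverse of k mod m; it exists only when gcd(k, m) == 1."""
    if gcd(k, m) != 1:
        raise ValueError(f"key {k} has no inverse mod {m}: ciphertext could not be decrypted")
    return next(x for x in range(1, m) if (k * x) % m == 1)

def values(text):
    """Numerical values of the letters in text; everything else is dropped."""
    return [ord(c) - ord("a") for c in text.lower() if "a" <= c <= "z"]

def affine_encrypt(plaintext, k1, k2):
    """T = (P x k1) mod 26, then C = (T + k2) mod 26."""
    inverse_mod(k1)                      # reject keys that cannot be undone
    return "".join(chr((p * k1 + k2) % M + ord("A")) for p in values(plaintext))

def affine_decrypt(ciphertext, k1, k2):
    """T = (C - k2) mod 26, then P = (T x k1^-1) mod 26."""
    k1_inv = inverse_mod(k1)
    return "".join(chr(((c - k2) * k1_inv) % M + ord("a")) for c in values(ciphertext))

# The additive cipher is the affine cipher with k1 = 1,
# the multiplicative cipher is the affine cipher with k2 = 0.
def additive_encrypt(plaintext, k):
    return affine_encrypt(plaintext, 1, k)

def additive_decrypt(ciphertext, k):
    return affine_decrypt(ciphertext, 1, k)

def multiplicative_encrypt(plaintext, k):
    return affine_encrypt(plaintext, k, 0)

def multiplicative_decrypt(ciphertext, k):
    return affine_decrypt(ciphertext, k, 0)

def valid_multiplicative_keys():
    """Keys usable as k1: only those coprime with 26."""
    return [k for k in range(1, M) if gcd(k, M) == 1]

if __name__ == "__main__":
    print(additive_encrypt("hello", 15))        # slide example, K=15
    print(multiplicative_encrypt("hello", 7))   # slide example, K=7
    print(affine_encrypt("hello", 7, 2))        # slide example, K=(7,2)
    keys = valid_multiplicative_keys()
    print(keys, "-> affine key domain:", len(keys) * M)
```

The key domain is small: 26 additive keys, 12 multiplicative keys and 312 affine key pairs, which is why none of these ciphers survives an exhaustive search.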
4- Random Mapping Cipher
This cipher creates a mapping between each plaintext
character and the corresponding ciphertext character.
The two users can agree on a mapping table.
plaintext a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext N K M T R O U C F A X D Q G Y E J H V I B L P Z S W
Cryptanalysis of monoalphabetic ciphers
Monoalphabetic substitution is very simple.
But the code can be broken easily by snoopers because it
cannot hide the natural frequencies of characters.
In English, the most frequently used characters are E, T, A.
Accordingly, this cipher can be broken easily by using
statistical characteristics of the language, such as:
Letter frequencies. Trigrams (e.g., the, and) are common.
Some words may be more likely in the particular context.
[Figure: statistical characteristics of letters.]
Polyalphabetic
Ciphers
Statistical Characteristics of Letters
Each character can have a different substitute.
The relationship between a character in plaintext and a
character in ciphertext is one-to-many.
It hides the letter frequency of the language.
Each ciphertext character depends on both the plaintext
character and the position of the character in plaintext.
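The difference between one-to-one and one-to-many substitution can be measured directly. This is an added example, not part of the slides: it encrypts a constructed sample text with the random mapping table shown earlier and with the Vigenère cipher (keyword PASCAL) that the page describes later, then compares the letter statistics.

```python
from collections import Counter

PLAIN = "abcdefghijklmnopqrstuvwxyz"
MAPPED = "NKMTROUCFAXDQGYEJHVIBLPZSW"      # random mapping table from the slide
TABLE = dict(zip(PLAIN, MAPPED))

# Constructed sample text (not from the slides), rich in the letter e.
SAMPLE = ("meet me at the park near the river where the trees are green "
          "and the evening breeze feels sweet")

def letters(text):
    """Lower-case letters of text, everything else dropped."""
    return [c for c in text.lower() if c in TABLE]

def mono_encrypt(text):
    """Monoalphabetic substitution: every plaintext letter has one fixed image."""
    return "".join(TABLE[c] for c in letters(text))

def vigenere_encrypt(text, keyword):
    """Polyalphabetic substitution: the shift depends on the position."""
    shifts = [ord(k) - ord("a") for k in keyword.lower()]
    return "".join(chr((ord(c) - 97 + shifts[i % len(shifts)]) % 26 + 65)
                   for i, c in enumerate(letters(text)))

def frequency_profile(text):
    """Letter counts sorted from most to least frequent, ignoring which letter is which."""
    return sorted(Counter(letters(text)).values(), reverse=True)

def top_letter(text):
    return Counter(letters(text)).most_common(1)[0][0]

def images_of(letter, plaintext, ciphertext):
    """All ciphertext letters that one plaintext letter was turned into."""
    return {c for p, c in zip(letters(plaintext), ciphertext) if p == letter}

if __name__ == "__main__":
    mono = mono_encrypt(SAMPLE)
    poly = vigenere_encrypt(SAMPLE, "PASCAL")
    print("plaintext profile:", frequency_profile(SAMPLE)[:5], "top:", top_letter(SAMPLE))
    print("mono profile     :", frequency_profile(mono)[:5], "top:", top_letter(mono).upper())
    print("poly profile     :", frequency_profile(poly)[:5])
    print("images of e, mono:", images_of("e", SAMPLE, mono))
    print("images of e, poly:", images_of("e", SAMPLE, poly))
```

Under the monoalphabetic mapping the profile is identical to the plaintext's, so the most frequent ciphertext letter simply stands for e; under the polyalphabetic cipher the same e is spread over several ciphertext letters.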
Types of polyalphabetic Ciphers
1- Keyless Cipher
This is the simplest polyalphabetic cipher.
Find the position of the character in plaintext and use that
value as the key.
[Figure: the information source feeds the encryption algorithm (add Ke, Ke = position); the decryption algorithm (subtract Kd, Kd = position) delivers to the information destination.]
Security of Keyless Cipher
The two occurrences of "DEAR" are encrypted differently.
In this way, the frequencies of the characters are not
preserved and it is more difficult to break the code.
Polyalphabetic substitution is not very secure either.
The reason is that the order of characters in "EGDV" and
"JLIA" is still the same.
The code can easily be broken by a more experienced
snooper.
2- AutoKey Cipher
The key is a stream of subkeys that encrypt characters.
The first subkey is a predetermined value secretly agreed by
the two parties.
Second subkey is the value of the first plaintext character.
Third subkey is the value of the second plaintext character.
P = P1 P2 P3 …    C = C1 C2 C3 …    K = (K1, P1, P2, …)
2- AutoKey Cipher: Example
Use an autokey cipher with initial key K1=12 to encrypt
“Attack is today”.
Plaintext   a  t  t  a  c  k  i  s  t  o  d  a  y
P’s Value   00 19 19 00 02 10 08 18 19 14 03 00 24
Key stream  12 00 19 19 00 02 10 08 18 19 14 03 00
C’s Value   12 19 12 19 02 12 18 00 11 07 17 03 24
Ciphertext  M  T  M  T  C  M  S  A  L  H  R  D  Y
The result is “MTMTCMSALHRDY”
3- Playfair Cipher
It was used by the British army during World War I.
The secret key is made of 25 alphabet letters arranged in a
(5x5) matrix.
Different arrangements of letters in a matrix can be
created.
L G D B A
Q M H E C
U R N I/J F
X V S O K
Z Y W T P
Plaintext is arranged in two-letter pairs.
If the two letters in a pair are the same, a bogus letter is inserted.
If the two letters are located in the same row, the cipher is
the next letter to the right in the same row.
If the two letters are located in the same column, the cipher
is the letter beneath it in the same column.
If the two letters are not in the same row or column, the
cipher is the letter that is in its row but in the same column
as the other letter.
3- Playfair Cipher: Example 1
Use the key in table to cipher “hello”.
Group letters in two-character pairs, we get: “he, ll, o”.
We need to insert an x between the two l’s as: “he, lx, lo”
Encrypting will give:
he → EC, lx → QZ, lo → BX.
The result is: “ECQZBX”.
3- Playfair Cipher: Example 2
Encrypt the word “Saudi” with the key:
“College of Computer”.
Start the table with the key without duplication of
characters and then complete with remaining alphabets.
C O L E G
F M P U T
R A B D H
I/J K N Q S
V W X Y Z
Group letters in two-character pairs, we get: “sa, ud, ix”.
Encrypting will give:
sa → KH, ud → DQ, ix → NV.
The result is: “KHDQNV”.
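Both Playfair examples can be reproduced with a short implementation of the rules listed above. This is an added example, not code from the slides; the function names are illustrative, and using "q" as the bogus letter when the doubled letter is itself "x" is an assumption the slides do not cover.

```python
ALPHABET = "abcdefghiklmnopqrstuvwxyz"     # 25 letters, j shares a cell with i

# The 5x5 key matrix from Example 1, written row by row.
PAGE_TABLE = "lgdbaqmhecurnifxvsokzywtp"

def build_table(key):
    """Key letters first, without duplicates, then the rest of the alphabet."""
    seen = []
    for c in key.lower().replace("j", "i") + ALPHABET:
        if c in ALPHABET and c not in seen:
            seen.append(c)
    return "".join(seen)

def make_pairs(plaintext, filler="x"):
    """Split into two-letter pairs, inserting a bogus letter into doubles
    and after a final single letter."""
    s = [c for c in plaintext.lower().replace("j", "i") if c in ALPHABET]
    pairs, i = [], 0
    while i < len(s):
        a = s[i]
        b = s[i + 1] if i + 1 < len(s) else None
        if b is None or a == b:
            pairs.append((a, filler if a != filler else "q"))
            i += 1
        else:
            pairs.append((a, b))
            i += 2
    return pairs

def transform_pair(a, b, table, step):
    """step=+1 encrypts (right / down), step=-1 decrypts (left / up)."""
    ra, ca = divmod(table.index(a), 5)
    rb, cb = divmod(table.index(b), 5)
    if ra == rb:                                     # same row
        return table[ra * 5 + (ca + step) % 5], table[rb * 5 + (cb + step) % 5]
    if ca == cb:                                     # same column
        return table[((ra + step) % 5) * 5 + ca], table[((rb + step) % 5) * 5 + cb]
    return table[ra * 5 + cb], table[rb * 5 + ca]    # rectangle: swap columns

def encrypt(plaintext, table):
    out = []
    for a, b in make_pairs(plaintext):
        out.extend(transform_pair(a, b, table, +1))
    return "".join(out).upper()

def decrypt(ciphertext, table):
    s = ciphertext.lower()
    out = []
    for a, b in zip(s[0::2], s[1::2]):
        out.extend(transform_pair(a, b, table, -1))
    return "".join(out)          # bogus letters are still present

if __name__ == "__main__":
    print(make_pairs("hello"), encrypt("hello", PAGE_TABLE))
    table = build_table("College of Computer")
    for row in range(5):
        print(" ".join(table[row * 5:row * 5 + 5]))
    print(make_pairs("Saudi"), encrypt("Saudi", table))
```

Decryption returns the padded text ("helxlo"), so the receiver has to strip the bogus letters by reading the result.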
4- Vigenère Cipher
It was invented by the sixteenth-century French mathematician
Blaise de Vigenère.
The key stream is a repetition of an initial secret key
stream of length m.
Vigenere key stream does not depend on the plaintext
character, it depends only on the position of the character.
The key stream can be created without knowing what the
plaintext is.
4- Vigenère Cipher: Example 1
Use Vigenere cipher to encrypt the message “She is
listening” using keyword “PASCAL”.
The initial key stream is (15, 00, 18, 02, 00, 11).
Plaintext   s  h  e  i  s  l  i  s  t  e  n  i  n  g
P’s Value   18 07 04 08 18 11 08 18 19 04 13 08 13 06
Key stream  15 00 18 02 00 11 15 00 18 02 00 11 15 00
C’s Value   07 07 22 10 18 22 23 18 11 06 13 19 02 06
Ciphertext  H  H  W  K  S  W  X  S  L  G  N  T  C  G
Ci = (Pi + Ki) mod 26
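The three polyalphabetic ciphers differ only in where the key stream comes from, which the following added example makes explicit (it is not code from the slides, and the function names are illustrative). For the keyless cipher, the plaintext "DEAR DEAR" with the space counted as position 5 is an assumption that reproduces the "EGDV" and "JLIA" quoted above.

```python
def values(text):
    """Numerical values (a=0 ... z=25) of the letters in text."""
    return [ord(c) - ord("a") for c in text.lower() if "a" <= c <= "z"]

def to_upper(vals):
    return "".join(chr(v % 26 + ord("A")) for v in vals)

def to_lower(vals):
    return "".join(chr(v % 26 + ord("a")) for v in vals)

# 1- Keyless cipher: the key for each character is its 1-based position.
def keyless_encrypt(text):
    out = []
    for pos, c in enumerate(text.upper(), start=1):
        out.append(chr((ord(c) - 65 + pos) % 26 + 65) if "A" <= c <= "Z" else c)
    return "".join(out)

def keyless_decrypt(text):
    out = []
    for pos, c in enumerate(text.upper(), start=1):
        out.append(chr((ord(c) - 65 - pos) % 26 + 65) if "A" <= c <= "Z" else c)
    return "".join(out)

# 2- Autokey cipher: K = (K1, P1, P2, ...), the plaintext feeds the key stream.
def autokey_key_stream(plaintext, k1):
    p = values(plaintext)
    return [k1] + p[:-1]

def autokey_encrypt(plaintext, k1):
    p = values(plaintext)
    return to_upper(pi + ki for pi, ki in zip(p, autokey_key_stream(plaintext, k1)))

def autokey_decrypt(ciphertext, k1):
    key, out = k1, []
    for c in values(ciphertext):
        p = (c - key) % 26
        out.append(p)
        key = p                   # each recovered letter is the next subkey
    return to_lower(out)

# 4- Vigenere cipher: the key stream repeats the keyword and ignores the plaintext.
def vigenere_key_stream(keyword, length):
    k = values(keyword)
    return [k[i % len(k)] for i in range(length)]

def vigenere_encrypt(plaintext, keyword):
    p = values(plaintext)
    return to_upper(pi + ki for pi, ki in zip(p, vigenere_key_stream(keyword, len(p))))

def vigenere_decrypt(ciphertext, keyword):
    c = values(ciphertext)
    return to_lower(ci - ki for ci, ki in zip(c, vigenere_key_stream(keyword, len(c))))

if __name__ == "__main__":
    print(keyless_encrypt("DEAR DEAR"))
    print(autokey_key_stream("Attack is today", 12))
    print(autokey_encrypt("Attack is today", 12))
    print(vigenere_key_stream("PASCAL", 6))
    print(vigenere_encrypt("She is listening", "PASCAL"))
```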
4- Vigenère Cipher: Vigenère Tableau
Another way to apply the Vigenère cipher is through the Vigenère tableau.
Rows are key characters; columns are plaintext characters.
    a b c d e f g h i j k l m n o p q r s t u v w x y z
A   A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B   B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C   C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D   D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E   E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F   F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
Transpositional
Ciphers
Transpositional Conventional Character-Level Cryptography
The characters retain their plaintext form but change their
positions to create the ciphertext.
The text is organized into a two-dimensional table, and the
columns are interchanged according to a key.
The key defines which columns should be swapped.
1- Keyless Transpositional ciphering
It has no key.
The text is written into a table column by column and then
transmitted row by row.
Or, it may be written into a table row by row and then
transmitted column by column.
1- Keyless Transpositional ciphering: Example: Rail fence cipher
The plaintext is arranged in two lines as a zigzag pattern.
The ciphertext is created by reading row by row.
Consider the message: “Meet me at the park”.
m   e   m   a   t   e   a   k
  e   t   e   t   h   p   r
[Figure: keyless transpositional ciphering, Example 2.]
2- Keyed transpositional cipher
The characters retain their plaintext form but change their
positions to create the ciphertext.
The text is organized into a two-dimensional table, and the
columns are interchanged according to a key.
The key defines which columns should be swapped.
2- Keyed transpositional cipher: Example 1
[Figure: keyed transposition with Ke = Kd; the key row 6 9 3 10 5 1 2 4 8 7 11 is shown beneath positions 1 to 11 and is used by both the encryption and the decryption algorithm on the message "A good friend is better than a treasure".]
2- Keyed transpositional cipher: Example 2
Key = order in alphabetic: F A N C Y → 3 1 4 2 5
Plaintext   Ciphertext
m e e t m   E T M E M
e a t n e   A N E T E
x t m i d   T I X M D
n i g h t   I H N G T
3- Keyed columnar transposition cipher
It combines the two approaches to achieve better
scrambling.
Encryption is done in three steps:
1 The plaintext is written into a table row by row.
2 The permutation (transposition) is done by reordering
the columns.
3 The new table is read column by column.
3- Keyed columnar transposition cipher: Example
User A (encryption): the plaintext is written row by row:
e n e m y
a t t a c
k s t o n
i g h t z
The columns are reordered:
E E M Y N
T A A C T
T K O N S
H I T Z G
Read column by column, the ciphertext is: ETTHEAKIMAOTYCNZNTSG
User B (decryption): the ciphertext is written column by column, the columns are put back using the key row 2 5 1 3 4 (shown over positions 1 2 3 4 5), and the plaintext is read row by row.
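The rail fence and keyed columnar examples above, as an added example that is not part of the slides. The only key row that survives on the page is 2 5 1 3 4, used here as the decryption key; the encryption key is derived as its inverse permutation, and the function names are illustrative.

```python
def letters(text):
    return [c for c in text.lower() if "a" <= c <= "z"]

# 1- Keyless: two-line rail fence, read row by row.
def rail_fence_encrypt(plaintext):
    s = letters(plaintext)
    return "".join(s[0::2] + s[1::2]).upper()

def rail_fence_decrypt(ciphertext):
    s = ciphertext.lower()
    top_len = (len(s) + 1) // 2
    top, bottom = s[:top_len], s[top_len:]
    return "".join(top[i // 2] if i % 2 == 0 else bottom[i // 2]
                   for i in range(len(s)))

# 3- Keyed columnar: write row by row, reorder columns, read column by column.
def invert_key(key):
    """Inverse permutation: undoes the column reordering done with key."""
    inv = [0] * len(key)
    for out_pos, in_pos in enumerate(key, start=1):
        inv[in_pos - 1] = out_pos
    return inv

def permute_columns(rows, key):
    """Output column j is input column key[j] (1-based)."""
    return [[row[k - 1] for k in key] for row in rows]

def pad_plaintext(plaintext, width, pad="z"):
    s = letters(plaintext)
    return s + [pad] * (-len(s) % width)

def columnar_encrypt(plaintext, enc_key, pad="z"):
    n = len(enc_key)
    s = pad_plaintext(plaintext, n, pad)
    rows = [s[i:i + n] for i in range(0, len(s), n)]
    permuted = permute_columns(rows, enc_key)
    return "".join(row[c] for c in range(n) for row in permuted).upper()

def columnar_decrypt(ciphertext, dec_key):
    s = ciphertext.lower()
    n = len(dec_key)
    height = len(s) // n
    cols = [s[c * height:(c + 1) * height] for c in range(n)]   # write column by column
    rows = [[cols[c][r] for c in range(n)] for r in range(height)]
    restored = permute_columns(rows, dec_key)
    return "".join("".join(row) for row in restored)            # read row by row

DEC_KEY = [2, 5, 1, 3, 4]          # key row recovered from the slide
ENC_KEY = invert_key(DEC_KEY)      # derived here: [3, 1, 4, 5, 2]

if __name__ == "__main__":
    print(rail_fence_encrypt("Meet me at the park"))
    ct = columnar_encrypt("enemy attacks tonight", ENC_KEY)
    print(ENC_KEY, ct, columnar_decrypt(ct, DEC_KEY))
    # Transposition only moves letters: the multiset of characters is unchanged.
    print(sorted(ct.lower()) == sorted(pad_plaintext("enemy attacks tonight", 5)))
```

The last check is the weakness named in the security note below: the ciphertext has exactly the same letter counts as the padded plaintext.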
Security of transpositional ciphering
Transpositional encryption is not very secure either.
The character frequencies are preserved and the snooper
can find the plaintext through trial and error.
Multi-stage transposition was the basis of the famous
Enigma encryption machine used by the German armed forces.
It was famously cracked by the British intelligence service
at Bletchley Park in the Second World War.
BIT-LEVEL ENCRYPTION
Bit-Level
Ciphering
Bit-level Ciphers
With the advent of computers, modern ciphers use Bit-level
ciphering.
This is because we need to encrypt many types of data in
the form of stream of bits.
Bit-level encryption
1- Encoding/decoding
A decoder changes an input of n bits into an output of 2^n bits.
The output should have only one single 1, located at the
position determined by the input.
An encoder has 2^n inputs and only n outputs.
The input should have only one single 1.
2x4 Decoder (input → output): 00 → 0001, 01 → 0010, 10 → 0100, 11 → 1000
4x2 Encoder (input → output): 0001 → 00, 0010 → 01, 0100 → 10, 1000 → 11
2- Permutation
A permutation unit (P-box) parallels transpositional cipher
for characters.
It can be implemented in hardware with internal wiring so that it
performs very quickly.
P-boxes are keyless with predetermined mapping of bits.
In hardware, it is prewired.
In software, a permutation table shows the rules of mapping.
There are 3 types of permutation unit P-box.
2- Compressed permutation P-box
Compressed P-box with n inputs and m outputs; m<n.
Some inputs are blocked and don’t reach the output.
It is used when we need to permute bits and decrease the number
of bits for the next stage.
It is not invertible.
Input:  1 0 0 0 1 1 0 1
Output: 1 0 1 0 1 1
3- Expanded permutation P-box
Expanded P-box with n inputs and m outputs; m>n.
Some inputs are connected to more than one output.
It is used when we need to permute bits and increase the number
of bits for the next stage.
It is not invertible.
Input:  1 0 0 0 1 1 0 1
Output: 1 1 0 0 1 0 0 1 1 1
3- Exclusive OR
The result of the exclusive-OR operation on two bits is 0 if
the two bits are the same and 1 if the two bits are different.
The input data and the key are exclusive ORed together to
create the output ciphertext.
The exclusive-OR operation is reciprocal.
This means that the same key can be used with the
ciphertext at the receiver to recreate the original plaintext.
3- Exclusive OR: Example
[Figure: the ciphering and deciphering units, kept in synchronization, each XOR the data with the key; bit pattern shown: 1 1 0 1 0 1 1 (ciphered data).]
4- Rotation
Another way to encrypt a bit pattern is to rotate bits to the
right or to the left.
The key is the number of bits to be rotated.
Plaintext before rotation: 0 1 1 0 0 0 1 1
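The bit-level building blocks above, as an added example that is not part of the slides. The slides give only the P-box inputs and outputs, so the three wiring tables are assumptions (the compressed and expanded ones are chosen to reproduce the slide's outputs), and the XOR key is a constructed value.

```python
def pbox(bits, table):
    """Software P-box: output bit j is input bit table[j] (1-based wiring)."""
    return "".join(bits[i - 1] for i in table)

def invert_straight(table):
    """Inverse wiring; exists only for a straight P-box (a true permutation)."""
    if sorted(table) != list(range(1, len(table) + 1)):
        raise ValueError("compressed and expanded P-boxes have no inverse table")
    inv = [0] * len(table)
    for out_pos, in_pos in enumerate(table, start=1):
        inv[in_pos - 1] = out_pos
    return inv

def xor_bits(data, key):
    """Bitwise exclusive OR of two equal-length bit strings."""
    if len(data) != len(key):
        raise ValueError("data and key must have the same length")
    return "".join("0" if d == k else "1" for d, k in zip(data, key))

def rotate_left(bits, k):
    k %= len(bits)
    return bits[k:] + bits[:k]

def rotate_right(bits, k):
    k %= len(bits)
    return bits[-k:] + bits[:-k] if k else bits

# Assumed wiring tables (not given on the slides).
STRAIGHT_TABLE = [4, 1, 7, 2, 8, 3, 6, 5]             # 8 in, 8 out
COMPRESSION_TABLE = [1, 2, 5, 3, 6, 8]                # 8 in, 6 out; inputs 4 and 7 blocked
EXPANSION_TABLE = [1, 5, 2, 3, 6, 4, 7, 8, 1, 5]      # 8 in, 10 out; inputs 1 and 5 used twice

SLIDE_INPUT = "10001101"
XOR_KEY = "01011010"                                  # constructed key

if __name__ == "__main__":
    s = pbox(SLIDE_INPUT, STRAIGHT_TABLE)
    print("straight   :", s, "->", pbox(s, invert_straight(STRAIGHT_TABLE)))
    print("compressed :", pbox(SLIDE_INPUT, COMPRESSION_TABLE))
    # Flipping blocked input 4 gives the same output: the input cannot be recovered.
    print("collision  :", pbox("10011101", COMPRESSION_TABLE))
    print("expanded   :", pbox(SLIDE_INPUT, EXPANSION_TABLE))
    c = xor_bits(SLIDE_INPUT, XOR_KEY)
    print("xor        :", c, "->", xor_bits(c, XOR_KEY))
    r = rotate_left("01100011", 1)
    print("rotation   :", r, "->", rotate_right(r, 1))
```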
Conventional Encryption
Algorithms
The most commonly used conventional encryption algorithms
are block ciphers.
A block cipher processes the plaintext input in fixed-size blocks and
produces a block of ciphertext of equal size for each block.
The two most important algorithms are the Data Encryption
Standard (DES) and the Triple Data Encryption Algorithm
(TDEA).
Other symmetric block ciphers include International Data
Encryption Algorithm (IDEA) developed in 1991,
Blowfish developed in 1993, and RC5 developed in
1994.
[Figure: DES overview. Labels shown: step 1 transposition; steps 2, 3, … complex, each taking a subkey (K1, K2, …) from the sub-key generator fed by the 56-bit key; step 18 swapping; step 19 transposition; ciphertext.]
[Figure: subkey generation. Labels shown: two 28-bit halves, each rotated; combine into 56 bits; compressed permutation; 48-bit subkey.]
[Figure: one complex step. Labels shown: 64-bit data from previous step; divide into two 32-bit halves; compressed permutation; 48 bits; XOR with subkey Kn; permutation; XOR; combine into 64-bit data to next step.]
Conventional DES
Algorithm
Problem with DES
Imagine that a bank wants to give customers remote access
to their accounts using conventional encryption.
To limit each customer's access to only his own account, the
bank would create millions of encryption algorithms and keys.
This solution is impractical.
On the other hand, giving the same encryption algorithm and
key to every customer, will not guarantee the privacy.
PUBLIC-KEY CRYPTOGRAPHY
Public-key versus DES
Need for Public-key cipher
The solution to this problem is public key encryption.
Every user has the same encryption algorithm and key.
The decryption algorithm and key are kept secret.
Anyone can encrypt information, but only an authorized
receiver can decrypt it.
Decryption algorithm is not inverse of encryption algorithm.
In addition, the keys are different.
Even with the encryption algorithm and encryption key,
an intruder still will be unable to decipher the code.
Public-key
Cryptography
Encryption Revolution
Public-key encryption was first publicly proposed by Diffie
and Hellman in 1976.
It is the first truly revolutionary advance in encryption.
The public-key algorithms are based on mathematical
functions rather than on simple operations on bit patterns.
Public-key cryptography is asymmetric, involving the use of
two separate keys.
The use of two keys has profound consequences in the
areas of confidentiality, key distribution, and authentication.
Misconceptions with Public-key
There are three misconceptions about public-key
cryptography.
Misconception 1:
Public-key encryption is more secure from cryptanalysis than
conventional encryption.
Fact
The security of any encryption scheme depends on:
1 the length of the key.
2 the computational work involved in breaking a cipher.
Misconception 2:
Public-key encryption is a general-purpose technique that has
made conventional encryption obsolete.
Fact
On the contrary, because of the computational overhead of public-key
encryption schemes, there seems no foreseeable likelihood that
conventional encryption will be abandoned.
Misconception 3:
The key distribution is trivial when
using public-key encryption, compared
to conventional encryption.
Fact
Some form of protocol is needed that
is not simpler or more efficient than
those required for conventional
encryption.
Public-key algorithm
[Figure: User A takes B's public key from A's public key ring and feeds the plaintext input to the encryption algorithm (RSA); the ciphertext is transmitted over the network; User B's decryption algorithm uses B's private key to output the plaintext.]
Ingredients of Public-key system
Plaintext
This is the readable message that is fed into the algorithm.
Encryption algorithm
It performs various transformations on the plaintext.
Public and private key
This is a pair of keys; if one is used for encryption, the other is used
for decryption.
Ciphertext
This is the scrambled message produced as output.
Decryption algorithm
This algorithm accepts the ciphertext and the matching key and
produces the original plaintext.
Basics of Public-key cryptography
The public key of the pair is made public for others to use.
The private key is known only to its owner.
Public-key cryptographic algorithm relies on one key for
encryption and a different but related key for decryption.
Essential steps of Public-key cryptography
1 Each user generates a pair of keys to be used for the encryption
and decryption of messages.
2 Each user places one key in a public register or other
accessible file. This is the public key. The companion key is kept
private.
3 Each user maintains a collection of public keys obtained
from others.
4 If user A wishes to send a private message to user B, then
user A
encrypts the message using B's public key.
5 When B receives the message, he decrypts it using his own
private key. Prof. Mostafa Nofal
College of Computers تابسالحا ةيلك
and Information Technology تامولعلما ةينقتو
Applications of Public-key cryptography
1. Encryption/decryption
Sender encrypts a message with the recipient's public key.
2. Digital signature
The sender "signs" a message with his private key. Signing is achieved by a cryptographic algorithm applied to the message or to a small block (digest) of the message.
3. Key exchange
Two sides cooperate to exchange a session key.
Requirements of Public-key cryptography
1. It is computationally easy for a party B to generate a pair (public key KUb, private key KRb).
2. It is computationally easy for a sender A, knowing the public key and the message, M, to generate the ciphertext.
3. It is computationally easy for the receiver B to decrypt the ciphertext using the private key to recover the original message.
4. It is computationally infeasible for an opponent, knowing the public key, KUb, to determine the private key, KRb.
5. It is computationally infeasible for an opponent, knowing the public key, KUb, and a ciphertext, C, to recover the original message.
6. Either of the two related keys can be used for encryption, with the other used for decryption.
Comparison between Ciphers

| Aspect | Symmetric | Asymmetric |
|---|---|---|
| Key secrecy | The secret must be shared between users | The secret is personal. |
| No. of keys | One secret key | Two keys: public + private. |
| Direction | The key is used in both directions | Different keys are used in each direction |
| For n users | n(n-1)/2 shared secrets | n personal secrets |
| Plaintext and ciphertext | Plaintext and ciphertext are symbols (characters or bits) | Plaintext and ciphertext are numbers |
| Operation | Simple operations on bits | Mathematical functions on numbers |
| Applications | Encryption | Encryption + authentication + key exchange. |
The function
A function is a rule that associates (maps) one element in domain set A to one element in range set B.
y = f(x)
[Figure: f maps x in Set A (domain) to y in Set B (range); f⁻¹ maps y back to x.]
An invertible function is a function that associates each element in the range with exactly one element in the domain.
One-way function
1. f is easy to compute: given x, y = f(x) can be easily computed.
2. f⁻¹ is difficult to compute: given y, it is computationally infeasible to calculate x = f⁻¹(y).
Trapdoor one-way function
3. Given y and a trapdoor (secret), x can be computed easily.
[Figure: y = f(x) maps x in Set A (domain) to y in Set B (range); f⁻¹ maps y back to x.]
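The trapdoor one-way function and the five essential steps above, as an added example that is not part of the original slides: textbook RSA (the algorithm named in the slide's figure) with constructed toy primes p = 61, q = 53 and e = 17. The function names and the `register` dictionary are assumptions for illustration; real RSA uses large primes and padding, which this sketch omits.

```python
# Added example: textbook RSA with toy primes (constructed values, not secure).
from math import gcd, isqrt

def generate_keypair(p, q, e):
    """Step 1: build (public, private) from secret primes p and q (the trapdoor)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # easy only when the factors of n are known
    return (e, n), (d, n)        # KUb = (e, n), KRb = (d, n)

def apply_key(key, x):
    """y = x^k mod n: the one function used to encrypt, decrypt, sign and verify."""
    k, n = key
    if not 0 <= x < n:
        raise ValueError("plaintext/ciphertext must be a number in [0, n)")
    return pow(x, k, n)

def recover_private_key(public):
    """Opponent's route from KUb to KRb: factor n by trial division.
    Returns (private_key, divisions_tried); work grows like sqrt(n), which is
    why requirement 4 holds for real key sizes but not for this toy modulus."""
    e, n = public
    for tried, c in enumerate(range(2, isqrt(n) + 1), start=1):
        if n % c == 0:
            return (pow(e, -1, (c - 1) * (n // c - 1)), n), tried
    raise ValueError("n is prime, not a valid RSA modulus")

def demo():
    ku_b, kr_b = generate_keypair(61, 53, 17)   # step 1: B generates a pair
    register = {"B": ku_b}                      # step 2: public key is published
    c = apply_key(register["B"], 65)            # step 4: A encrypts M = 65 for B
    m = apply_key(kr_b, c)                      # step 5: B decrypts with KRb
    s = apply_key(kr_b, 65)                     # requirement 6: sign with KRb ...
    verified = apply_key(ku_b, s) == 65         # ... anyone verifies with KUb
    return c, m, verified

if __name__ == "__main__":
    print(demo(), recover_private_key((17, 3233)))
```

With this 12-bit modulus the opponent needs only 52 trial divisions, which shows that requirements 4 and 5 rest entirely on the size of n.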
[Figure: the input passes through the encryption algorithm, the ciphertext is transmitted, and the decryption algorithm produces the output.]