Professional Documents
Culture Documents
Chapter 4 Security Techniques
Chapter 4 Security Techniques
Security Techniques
Objectives
Cryptography
Introduction
Definitions and Terms
Cryptanalysis Schemes
Cipher Methods (Operations)
Private Key cryptosystems
Public key cryptosystems
Hash (Message Digest) Algorithms
Data Encryption Standards(DES) and Advanced Encryption Standards(AES)
Digital Signature/Digital Certificates/Certificate Authorities (CAs)
Access Control
Firewalls
Intrusion Detection and Prevention Systems (IDPS)
Authentication
PKI and Kerberos (Network-Based Authentication)
10/10/2023 Chapt. 4 Security Technologies 2
Cryptography- Definition
● Unconditional security
○ No matter how much computer power is available,
the cipher cannot be broken
○ The ciphertext (no matter how much of it you have )
provides insufficient information to uniquely
determine the corresponding plaintext
● Computational security
○ The cost of breaking the cipher exceeds the value of
the encrypted info
○ The time required to break the cipher exceeds the
useful lifetime of the info
10/10/2023 Chapt. 4 Security Technologies 10
Computational Security Cont’d…
Time
Relationship between value of information and Time
10/10/2023 Chapt. 4 Security Technologies 11
Block vs. Stream Ciphers
● Decryption
○ To decrypt a received ciphertext, the receiver has to perform the following steps:
○ Knowing the secret keyword, and the length of the received message, the
receiver has to work out the column lengths by dividing the cipher length
by the key length and then the table of the same size, as the one used for
encryption, should be created.
○ The ciphertext should be entered into columns, from the leftmost columns to the
rightmost column, from top to bottom.
○ The Rows should be rearranged, and put into the order defined by the
keyword.
○ The decrypted message should be read out, row by row, starting from the top
row, and from left to right.
10/10/2023 Chapt. 4 Security Technologies 19
Columnar Transposition Exercise
4 3 21 4 3
WEARED
I S COVE
REDF LE
EATONC
EXXXXX
● Consider – Transposition
● Encrypting it with the keyword Zebra
Z EBR A Key
5 3 2 4 1 Key-Order
1 2 3 4 5 Original Order
TRANS
POS I T
IONXX
● Take-off columns( original column order) 5,3,2,4,1: STX ASN ROO NIX TPI
● Key is shape ( figure i.e. how many columns) and the order (5,3,2,4,1)
● Hence , decryption makes the reverse process on slide # 24: make a 3 column rectangle (since
we have three rows in the cipher) from the cipher and then transpose the rows with the
reverse order of the columns
○ Make rows columns and columns rows( transpose)
10/10/2023 Chapt. 4 Security Technologies 23
Transposition cont’d…
● Cipher: STX ASN ROO NIX TPI
● Decryption Box
1 2 3
STX
ASN
R OO
NIX
TPI
In these formulas
‘k’ is the secret key. The symbols ’E’ and ’D’ stand for
encryption and decryption respectively, and p and c are
characters in the plain and cipher text respectively.
10/10/2023 Chapt. 4 Security Technologies 26
Cipher Methods –Polyalphabetic Substitution
Ciphers
● An advanced type of substitution cipher that uses a simple
polyalphabetic code is the Vigenère cipher.
● The cipher is implemented using the Vigenère square (or table), which is
made up of twenty-six distinct cipher alphabets.
● In the header row, the alphabet is written in its normal order. In each
subsequent row, the alphabet is shifted one letter to the right until a 26
X 26 block of letters is formed.
● There are a number of ways to use the Vigenère square
○ Could perform an encryption by simply starting in the first row and finding a
substitute for the first letter of plaintext and then moving down the rows
for each subsequent letter of plaintext.
○ With this method, the word SECURITY in plaintext becomes TGFYWOAG in
ciphertext.
10/10/2023 Chapt. 4 Security Technologies 27
Vigenère cipher - The Vigenère Square
SACKGAULSPARENOONE
● To perform the substitution, start with the first combination of
keyword and message letters, “IS”.
● Use the keyword letter to locate the column, and the message letter
to find the row, and then look for the letter at their intersection.
● Thus, for column “I” and row “S,” you will find the ciphertext letter “A”.
● The final cipher text is : ATCVEINLDNIKEYMWGE
○ Without knowing key, message could be anything with the correct number of bits in it
● Difficulty: distributing key is as hard as distributing message.
● Difficulty: generating truly random bits.
○ Can’t use computer random number generator! Not truly random
■ Leaky diode ( the current approach and is built into new Intel x86 CPUs)
■ Lava lamp
10/10/2023 Chapt. 4 Security Technologies 35
Vernam(One-time pads) cont’d…
● Look at the following example.
● Rows three and four in this example show, respectively, the one-time pad text
that was chosen for this encryption and the one-time pad value
● The pad value, like the plaintext value ( the value of “SACK GAUL SPARE NO
ONE”), is derived from the position of each pad text letter in the alphabet.
● Decryption: Using the pad values and the ciphertext, the decryption process
works as follows: “Y” becomes the number 25, from which we subtract the pad
value for the first letter of the message, 06. This yields a value of 19, or the
letter “S.” .
Q#. If you have n communicating entities, how many secret keys do you need, to
allow each party communicate to each other confidentially? (Mesh Topology in
networking, what is the number of lines needed to connect the n nodes ?)
10/10/2023 Chapt. 4 Security Technologies 44
Examples of Symmetric Key ciphers
● DES- (56 bit key length- block size 64 bits)- from IBM
● RC4 (1-2048 bit key)-stream cipher
● RC5 (128-256 key length, block size of 32, 64 or 128 bits)-from Ronal Rivest
● Serpent (128-256 bits Key length, block size 128 bit, very strong – from
Anderson, Biham& Knudsen
● Rijndael (128-256 key length and 128 Block size) – this is the best choice ( Known
as AES) , it has the option for 192 bit key length , but this key is rarely used.- from
Daemen and Rijmen
● Triple DES(3DES-Encrypt K1-Decrypty K2 –Encrypt K1) (168 bits key length,
64 bit block size) - From IBM
● Twofish (128-256 key length) very strong and widely used. –from Bruce
Schneier
10/10/2023 Chapt. 4 Security Technologies 45
Asymmetric Cryptosystem
Through the user access control procedure (log on), a user can
be identified to the system
Associated with each user, there can be a profile that specifies
permissible operations and accesses
Privileges or user rights provide the authorization (legitimacy)
to do things that affect the entire system.
The operating system can enforce rules based on the user
profile
The focus here is about Logical Access Control Models
Implementation can be done in Operating systems, Firewalls….etc
10/10/2023 Chapt. 4 Security Technologies 69
Access Control Models- Mechanisms
In general, all access control approaches rely on as the following
mechanisms:
Identification: is a mechanism whereby an unverified entity—called a
supplicant—that seeks access to a resource proposes a label by which they are
known to the system
Authentication: is the process of validating a supplicant’s purported
identity(Something a supplicant knows or Something a supplicant has or
Something a supplicant is )
Authorization: is the matching of an authenticated entity to a list of
information assets and corresponding access levels. This list is usually an ACL or
access control matrix
Accountability: also known as auditability, ensures that all actions on a system
—authorized or unauthorized—can be attributed to an authenticated identity.
Accountability is most often accomplished by means of system logs and
database journals
10/10/2023 Chapt. 4 Security Technologies 70
Access Control Model
○ Object permissions
File1: <R,W> File2: <R,W>
● Objects not listed are not File2: <R> File4: <R,W,X>
accessible File3: <R,W,X> File7: <W>
● How are these secured? File9: <R,W>
○ Kept in kernel
○ Cryptographically secured
10/10/2023 Chapt. 4 Security Technologies 77
Access Control List (a) Vs. Capability List (b)
Reference Monitor
Controlling element in the hardware and operating
system that regulates the access of subjects(processes)
to objects on the basis of security parameters
The monitor has access to a file (security kernel
database)
The monitor enforces the security rules (no read up, no
write down)
User
All system calls go Process User
through the “A”
space
reference monitor
for security
checking
Kernel
Reference monitor
Space
Trusted computing base
Operating system kernel
Application Layer
Hosts running through proxy servers
Logging and access control are done through software
components
Proxy Services
Application that mediates traffic between a protected network
and the Internet
Able to understand the application protocol being utilized and
implement protocol specific security
Protocols include: FTP, HTTP, Telnet etc
10/10/2023 Chapt. 4 Security Technologies 93
Firewall Features Cont’d…
Circuit Gateways
The circuit gateway firewall operates at the
transport layer.
Filter transport layer protocol (such as TCP/UDP)
specific requests.
They accomplish this by creating tunnels connecting
specific processes or systems on each side of the
firewall( end-to-end), and then allowing only
authorized traffic, such as a specific type of TCP
connection for authorized users, in these tunnels
10/10/2023 Chapt. 4 Security Technologies 94
Firewall Features Cont’d…
Hybrid firewalls
combine the elements of other types of firewalls—
that is, the elements of packet filtering and proxy
services, or of packet filtering and circuit gateways.
A hybrid firewall system may actually consist of two
separate firewall devices; but which are connected so
that they can work together.
Bastion host
Simple
Suitable for those networks that do not offer internet services to the
public
Not suitable if the network has a web server or an Email server
Demilitarized zone
Neither part of the internal network nor part of the
Internet
It prevents outside users from getting direct access
to a server that has company data
It is a computer host or small network
Users of the public network outside the company
can access only the DMZ host(s)
10/10/2023 Chapt. 4 Security Technologies 100
Firewall Topology …
Dual firewalls
Most secure
Most expensive
Additional layer of security
---------------Inner firewall……………..
corporate-data subnet
customer-data subnet
internal mail server INTRANET
internal DNS server
development subnet
10/10/2023 Chapt. 4 Security Technologies 102
Intranet, DMZ and the Internet
An IDS works like a burglar alarm in that it detects a violation (some system
activity analogous to an opened or broken window) and activates an alarm.
This alarm can be audible and/or visual (producing noise and lights,
respectively), or it can be silent (an e-mail message or pager alert).
An ID system gathers and analyzes information from various areas within a
computer or a network to identify possible security breaches
It detects both intrusions and misuse
Regardless of how an alert is detected, the administrator groups all the
alerts into one of four categories.
True positives (correct escalation of important events).
False positives (incorrect escalation of unimportant events)—this is IDS Error.
True negatives (correct ignorance of unimportant events).
False negatives (incorrect ignorance of important events) -this is IDS Error.
Firewall
Active filtering
Fail-close protocol
Prohibitive
Network IDS
Passive monitoring
Fail-open protocol
Permissive