
Lecture 01 CSS

This document provides an overview of the topics that will be covered in a cryptography and system security course. The course will examine security needs, threats, goals, risks, controls, and cryptography. Specific topics will include vulnerabilities, access control, securing computer systems and networks, protocol vulnerabilities, and security services and mechanisms like authentication, integrity, and availability. The document also discusses security attacks, computer criminals, defense methods like encryption, and factors that impact the effectiveness of security controls.

Uploaded by Aditi Paretkar

Cryptography & System Security
What is this course about?
– Objectives
• Security needs / threats
• Security Goals
• Risks
• Controls
• Cryptography
• Security mechanisms and protocols
– for data stored in computer systems and transmitted across computer networks
What will we cover?
– Vulnerabilities, threats, security goals, and methods of defense
– Cryptography
– Access control and the security protocols in use for access control
– Securing computer systems
• Program security
• Network security
• IDS & firewalls
– Security in networks
– Protocol vulnerabilities
Recommended Reading
1. Behrouz A. Forouzan, Debdeep Mukhopadhyay, “Cryptography and Network”, 2nd edition, TMH.
2. Bruce Schneier, “Applied Cryptography: Protocols, Algorithms, and Source Code in C”, 2nd edition, Wiley Student Edition.
3. Bernard Menezes, “Network Security and Cryptography”, 2nd edition, Cengage Learning.
4. William Stallings, “Cryptography and Network Security: Principles and Practice”, 5th edition, Pearson.
5. Charles P. Pfleeger, “Security in Computing”, Pearson Education.
6. Matt Bishop, “Computer Security: Art and Science”, Addison-Wesley.
7. V. K. Pachghare, “Cryptography and Information Security”, PHE, 2013.


Vulnerability, Threat and Control
• A vulnerability is a weakness in the security system, in procedure, design, or implementation, that might be exploited to cause loss or harm
• A threat to a computer system is a set of circumstances that has the potential to cause loss or harm
• A control is an action, device, procedure, or technique that removes or reduces a vulnerability
• A threat is blocked by control of a vulnerability
Figure Threats, Controls, and Vulnerabilities.
Attacks, Services and Mechanisms
• Security Attack: Any action that compromises the security of information.
• Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.
• Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.
Security Goals
Figure Relationship Between Confidentiality, Integrity, and Availability (the CIA triad: Confidentiality, Integrity, Availability).
Confidentiality
• It ensures that computer-related assets are accessed only by authorized parties
• Access means reading, viewing, printing, or simply knowing that a particular asset exists
• It is sometimes also called secrecy or privacy
Integrity
• It means that assets can be modified only by authorized parties and only in authorized ways.
• The integrity of an item is preserved if it is:
– Precise, accurate, unmodified or modified only in acceptable ways, modified only by authorized people and authorized processes, consistent, meaningful, and usable.
Availability
• It applies to both data and data processing
• A data item, service, or system is available if:
– There is a timely response to our request
– It is fair to all, i.e. no requester is favored over others
– It is fault tolerant
– There is controlled concurrency, deadlock management, and exclusive access as required
Security Attacks
Figure System Security Threats.
Security Attacks
• Interruption: This is an attack on availability
• Interception: This is an attack on confidentiality
• Modification: This is an attack on integrity
• Fabrication: This is an attack on authenticity
Method, Opportunity and Motive
• Method: the skills, knowledge, tools, and other things needed to be able to pull off the attack
• Opportunity: the time and access needed to accomplish the attack
• Motive: a reason to want to perform this attack against this system

DENY ANY OF THESE THREE THINGS AND ATTACKS WILL NOT OCCUR
Attacks
• Cryptanalytic Attacks
– Exploit a mathematical weakness of the cryptographic algorithm
• Non-cryptanalytic Attacks
– Threats to the goals of security
Security Services
• Confidentiality (privacy)
• Authentication (who created or sent the data)
• Integrity (has not been altered)
• Non-repudiation (the order is final)
• Access control (prevent misuse of resources)
• Availability (permanence, non-erasure)
– Denial of Service Attacks
– Virus that deletes files
Security Services
Security Mechanism
Relation between Services and Mechanisms
Table Relation between security services and mechanisms.
Vulnerabilities
• Hardware vulnerabilities
• Software vulnerabilities
– Software deletion
– Software modification
• Viruses etc.
– Software theft
• Unauthorized copying etc.
• Data vulnerabilities
Figure Security of Data.
Figure Vulnerabilities of Computing Systems.
Computer Criminals
• Amateurs
– Personal works
• Crackers
– Trying to access computing facilities for which they are not authorized
– The perception that nobody is hurt or even endangered by a little stolen machine time
– Others attack for curiosity, personal gain, or self-satisfaction
• Career Criminals
Methods of Defense
• Prevent it, by blocking the attack or closing the vulnerability
• Deter it, by making the attack harder, if not impossible
• Deflect it, by making another target more attractive
• Mitigate it, by making its impact less severe
• Detect it, either as it happens or some time after the fact
• Recover from its effects
Figure Multiple Controls.
Methods of Defense
• Controls
– Encryption
– Hardware Controls
• Hardware/smart card implementations of encryption
• Locks or cables limiting access
• Devices to verify users’ identity
• Firewalls
• Intrusion detection systems
– Software Controls
• Internal program controls
• OS and network system controls
• Independent control programs (antivirus, passwords, etc.)
• Development control
– Policies and Procedures
– Physical Controls
Effectiveness of Controls
• Awareness of the Problem
– Highlighting the need for security
• Likelihood of Use
– Controls must be efficient, easy to use, and appropriate
• Overlapping Controls
– Use several different controls: a layered defense
• Periodic Reviews
– Judging the effectiveness of controls is an ongoing task
Other Exposed Assets
• Networks
– Network’s lack of physical proximity
– Use of insecure, shared media
– Inability to identify remote users positively
• Access
– Computer time
– Malicious access
– Denial of service to legitimate user
• Key People
What’s Next
• Encryption overview
• Cryptography in detail