2. What is security?
In the context of computers, security generally means three things:
Confidentiality
Access to systems or data is limited to authorized parties
Integrity
When you ask for data, you get the “right” data
Availability
The system or data is there when you want it
A computing system is said to be secure if it has all three properties.
3. Attacks, Services, and Mechanisms
Security Attack: Any action that compromises the security of information owned
by an organization.
Security Mechanism: A mechanism that is designed to detect, prevent, or recover
from a security attack.
Security Service: A service that enhances the security of data processing
systems and information transfers of an organization. A security service
makes use of one or more security mechanisms.
4. Security Attacks
•Interruption: An asset of the system is destroyed or
becomes unavailable or unusable.”This is an attack on
availability.”
•Example: the destruction of a piece of hardware, such as a
hard disk, the cutting of a communication line, or the disabling
of the file management system.
5. Security Attacks
•Interception: An unauthorized user (party) gain access to an
asset. “This is an attack on confidentiality.” The unauthorized
user may be a person, computer or program.
•Examples:Wiretapping to capture data in a network, and the
unauthorized copying of files or programs.
6. Security Attacks
•Modification: An unauthorized user (party) not only gains
access to but tampers with an asset. “This is an attack on
integrity.”.
•Examples: Changing data in a data file, altering a program so
that it performs differently, and modifying the content of
messages being transmitted on a network.
7. Security Attacks
•A useful categorization of the above mentioned attacks is in
terms of passive and active attacks.
Passive Attacks
Passive attacks are in the nature of eavesdropping on, or
monitoring of, transmissions. The goal of the opponent is to
obtain information that is being transmitted. There are two
types of passive attacks: (1) release of message contents and
(2) traffic analysis.
Examples(traffic analysis): Creating a customer profile of a
user by using information about the sites that he or she visits.
8. Security Attacks
Active Attacks
These attacks involve some modification of the data stream
or the creation of a false stream.
Categories: masquerade, replay, modification of messages,
denial service.
A masquerade takes place when one entity pretends to be
a different entity.
Replay involves the passive capture of a data unit and its
subsequent retransmission to produce an unauthorized effect.
9. Security Services
• Confidentiality (privacy): confidentiality is the
protection of transmitted data from passive attacks
• Authentication: the authentication service is
concerned with assuring the identity of the sender
(who created or sent the data)
• Integrity :integrity service is the protection of data
from unauthorized modifications during the
transmission
•Non-repudiation : this service prevents either
sender or receiver from denying transmitted
message.
10. Security Services
•Access control: in the context of network security, access
control is the ability to limit and control the access to host
systems and applications via communications links. To
achieve this control, each entity trying to gain access must
first be identified, so that access rights can be tailored to the
individual.
• Availability: This service is concerned with assuring the
permanence of a service or data for authorized users
- Denial of Service Attacks
- Virus that deletes files
13. Model for Network Security
Using this model requires us to:
1. design a suitable algorithm for the security
transformation
1.generate the secret information (keys) used
by the algorithm
2.develop methods to distribute and share the
secret information
3.specify a protocol enabling the principals to
use the transformation and secret information
for a security service
15. Model for Network Security
using this model requires us to:
1.select appropriate gatekeeper functions to
identify users
2.implement security controls to ensure only
authorised users access designated
information or resources
16. CSCE 522 - FarkasLecture 1
Computer Criminals
Amateurs: regular users, who exploit the vulnerabilities of the
computer system
Motivation: easy access to vulnerable resources
Crackers: attempt to access computing facilities for which they
do not have the authorization
Motivation: enjoy challenge, curiosity
Career criminals: professionals who understand the computer
system and its vulnerabilities
Motivation: personal gain (e.g., financial)
17. A Simplified DES-Type Algorithm
•Suppose that a message has 12 bits and is written as L0R0 , where L0 consists
of the first 6 bits and R0 consists of the last 6 bits.
•The key K has 9 bits. The ith round of the algorithm transforms an input Li-1Ri-1
to the output LiRi using an 8-bit key Ki derived from K.
The main part of the encryption process is a function f(Ri-1,Ki) that takes a
6-bit inputRi-1 and an 8-bit input Ki and produces a 6-bit output which will be
described later.
•The output of the ith round is defined as:
Li = Ri-1 and Ri = Li-1 XOR f(Ri-1,Ki)
The decryption is the reverse of encryption.
[Ln] [Rn XOR f(Ln, Kn)] = … =[Rn-1] [Ln-1]
18. The Operations of f Function
E(Li)=E(011001)=E(01010101) (Expander)
S-boxes
S1 101 010 001 110 011 100 111 000
001 100 110 010 000 111 101 011
S2 100 000 110 101 111 001 011 010
101 011 000 111 110 010 001 100
The input for an S-box has 4 bits. The first
bit specifies which row will be used: 0 for 1st
19. The other 3 bits represent a binary number that
specifies the column: 000 for the 1st column,
001 for the 2nd column, … 111 for the 7th column.
For example, an input 1010 for S1 box will yield
the output 110.
The key K consists of 9 bits. Ki is the key for the
ith round starting with the ith bit of K.
Let K=010011001, then K4=01100101.
20. Ri-1=100110 and Ki=01100101
E(Ri-1) XOR Ki =10101010 XOR 01100101
= 11001111
S1(1100)=000
S2(1111)=100
Thus, Ri = f(Ri-1,Ki)=000100, Li =Ri-1 =100110
Li-1Ri-1 = 011100100110 → (?) LiRi
100110011000
28. Encryption (Round) (cont.)
•Separate plaintext as L0R0
•L0: left half 32 bits of plaintext
•R0: right half 32 bits of plaintext
•Expansion/permutation: E( )
•Substitution/choice: S-box( )
•Permutation: P( )
1 1( _ ( ( ) ~ ))~ ii i iR L P S box E R Key
1i iL R
F
32. Key Generation (cont.)
D0C0
Input Key
Permuted Choice One (PC-1)
Permuted Choice Two (PC-2)
Schedule of Left Shifts
Di-1Ci-1
DiCi
▪
▪
▪
▪
▪
▪
Keyi
33. Key Generation (cont.)
Original Key: Key0
Permuted Choice One: PC_1( )
Permuted Choice Two: PC_2( )
Schedule of Left Shift: SLS( )
00 0( , ) _ 1( )C D PC Key
1 1( , ) ( , )i i i iC D SLS C D
1 1_ 2( ( , ))i i iKey PC SLS C D
34. Decryption
The same algorithm as encryption.
Reversed the order of key (Key16, Key15, … Key1).
For example:
IP undoes IP-1 step of encryption.
1st round with SK16 undoes 16th encrypt round.
[1]
35. Strength of DES
Criticism
Reduction in key size of 72 bits
Too short to withstand with brute-force attack
S-boxes were classified.
Weak points enable NSA to decipher without key.
56-bit keys have 256 = 7.2 x 1016 values
Brute force search looks hard.
A machine performing one DES encryption per microsecond
would take more than a thousand year to break the cipher.
36. Strength of DES (cont.)
Avalanche effect in DES
If a small change in either the
plaintext or the key, the
ciphertext should change
markedly.
DES exhibits a strong
avalanche effect.