8/11/2019 Information Security - A Primer
1/76
8/11/2019 Information Security - A Primer
2/76
Information Security What it Means to Us
2
Scope
Information Security Overview Cyber Security Safe Practices Network Security A Primer Cryptography & PKI A Primer
8/11/2019 Information Security - A Primer
3/76
8/11/2019 Information Security - A Primer
4/76
Information Security What it Means to Us
4
Information SecurityClassical Definitions
Availability (of service/ data) Network Security Confidentiality (of data) Ciphers (Block & Stream)
Integrity (of data) Hash Functions Authenticity (Identification of Entity, Message & Key )
Digital Signature, PKI Non-Repudiation (of Entity) Digital Signature, PKI
Controls (to infrastructure & data) Physical, Administrative, Logical
The Problem is not Technology, but Acceptability, Awareness & Implementation (Change Management)
8/11/2019 Information Security - A Primer
5/76
Information Security What it Means to Us
5
Information AssuranceClassical Definitions
Information Security (Technical) Information Assurance (Managerial)
Legal (fraud, accounting, forensics, ) Organisational (HR risk & profiling) Education & Certification Risk Assessment & Audit
Business Continuity Archiving & Disaster Recovery
8/11/2019 Information Security - A Primer
6/76
Information Security What it Means to Us
6
Information SecurityTechnical Implications
APPLICATION
PRESENTATION
SESSION
TRANSPORT
NETWORK
DATA LINK
PHYSICAL Bits
Data LinkHeader DATAPHSHTHNHDLH
NetworkHeader DATAPHSHTHNH
TransportHeader
DATAPHSHTH
SessionHeader
DATAPHSH
PresentationHeader PH DATA
DATA
Open Systems I nterconnect Model (1974)
Transmits the dataon the medium
Adds MAC address
Adds networkaddress
Controls Data Flow(ACK & Re-transmit)
Establishes aconnection
Presents data in anacceptable form
Communicationbetween
Applications
BEU
Firewall/ IDS/
IPS/IPSec
VPN/SSL
AppCrypto/
Anti Virus
Standard Protocols
8/11/2019 Information Security - A Primer
7/76
Information Security What it Means to Us
7
Information Security
International Organisation for Standardisation (ISO) ISO-15443 (IT Security Techniques Framework for Info Assurance) ISO-17799 (IT Security Techniques Info Sec Management Practice)
ISO-20000 (IT Service Management) ISO-27001 (IT Security Techniques Info Sec Management Systems)
FIPS (from NIST) Internet Standards
IETF (Internet Engineering Task Force) IAB (Internet Architecture Board)
Information Security Forum Standard of Good Practice SEI (Carnegie Mellon University) Governing for Enterprise
Security (GES)
Standards
8/11/2019 Information Security - A Primer
8/76
Information Security What it Means to Us
8
What Can (And Does!) Go Wrong
Organisations must remember not to expend all their energies on repelling the 'wilyhacker' , at the expense of ignoring all those people who every day log on to yoursystems. All evidence suggests that the insider remains the real threat
ROBERT TEMPLE (HEAD OF IT SECURITY, BRITISH TELECOM)
8/11/2019 Information Security - A Primer
9/76
Information Security What it Means to Us
9
Information Security Imperatives
Cryptology Computationally secure algorithms Role, Survivability, Secrecy,
Availability, Interoperability
Cryptanalysis Key Design & Management Standards, Common Criteria
Identification, Authentication & Access Control
Network protection Firewalls & Intrusion Detection/ Prevention Network Vulnerability & Penetration Testing Tools LAN security & configuration monitoring systems
8/11/2019 Information Security - A Primer
10/76
Information Security What it Means to Us
10
Information Security Imperatives
Technology Hardware Network Components, Storage etc Software Operating Systems, System Software & Firmware Embedded systems Protocols, APIs Open Source Software Digital Rights Management
Viruses, Spyware & Malware Information Infrastructure
Public Key Infrastructure (PKI) Disaster Management
8/11/2019 Information Security - A Primer
11/76
Information Security What it Means to Us
11
Information Security Imperatives
Vulnerability & Susceptibility (Side Channel Attacks) Human Engineering Power Analysis Electrical Probing Electromagnetic Probing
Interoperability & Standards Legal Issues The Big Brother syndrome
8/11/2019 Information Security - A Primer
12/76
Information Security What it Means to Us
12
Information Security
Physical Security Cyber Security Network Security Cryptography & Public Key Infrastructure
Areas of Concern
8/11/2019 Information Security - A Primer
13/76
Information Security What it Means to Us
13
Cyber SecuritySafe Practices
8/11/2019 Information Security - A Primer
14/76
Information Security What it Means to Us
14
Information Security Awareness
Importance of Cyber Security
Computer Ethics Safe Practices
Mobile Security
Data Security Physical Security
Scope
8/11/2019 Information Security - A Primer
15/76
Information Security What it Means to Us
15
Needs to be addressed at all levels Individual (all ages) Organisations Government Nation
Various facets Cyber Security (Internet) Mobile Security Data Security Physical Security
Information Security
f h
8/11/2019 Information Security - A Primer
16/76
Information Security What it Means to Us
16
Users (Individuals) Identity Theft Sensitive Data
Organisations Financial Information Sensitive & Critical Data Denial of Service
What needs to be tackled Administrative Practices Software vulnerabilities Information Assurance & Security
Cyber Security
I f i S i Wh i M U
8/11/2019 Information Security - A Primer
17/76
Information Security What it Means to Us
17
Set of moral principles Acceptable behaviour of computer users Usage of computers Copyright & IPR (legal right of owner)
Ethical Rules Do not harm others Do not steal information or access information
without permission Respect Copyright laws Respect privacy of individuals and organisations Complain about illegal activities
Computer Ethics
I f i S i Wh i M U
8/11/2019 Information Security - A Primer
18/76
Information Security What it Means to Us
18
Operating System Security Password Policies
Internet Browser Security E-Mail Security Viruses & Spyware Identity Theft
Downloading Guidelines
Safe Practices
I f ti S it Wh t it M t U
8/11/2019 Information Security - A Primer
19/76
Information Security What it Means to Us
19
What is an Operating System? Complex Vulnerable
For Individual Users Screen saver password (+ CMOS & OS password) File Sharing Firewall
Delete software & OS features not used Disable Guest Account Update latest patches (esp. Linux) Backup (regularly get paranoid!) Win Utils USE LINUX
Safe PracticesOperating System Security
8/11/2019 Information Security - A Primer
20/76
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
21/76
Information Security What it Means to Us
21
Importance of a password Identity Authorization
Good Passwords (difficult to guess) Minimum 8 characters (letters, numbers &
symbols) Non-dictionary
Not linked to personal information Easy to remember (should not be written down) Not used earlier
Safe PracticesPassword Policies
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
22/76
Information Security What it Means to Us
22
DOs & DONTs Ensure you use a STRONG password. Take care that no one can see you enter the
password. Never tell any one (not even the system
administrator). Never write a password down. Remember it.
Change the password regularly. Store passwords on the computer encrypted.
Th!5iS@g0odP4s5wD (This is a goodpassword)
Jamres123 is a bad password
Safe PracticesPassword Policies
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
23/76
Information Security What it Means to Us
23
Browsers (Internet Explorer or Mozilla Firefox)are the primary interface with the internet.
Block Pop-ups Trusted & Untrusted Web Sites Privacy settings
Cookies (files that store user related information usedby web sites to load faster)
Files History
Content Java Script Control (active controls)
Safe PracticesInternet Browser Security
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
24/76
Information Security What it Means to Us
24
Update OS and Browser (latest patches/ version) Anti Virus & Anti Spyware
Display file extensions Only trusted sites No personal information to be given (https://) Firewall ON always Disconnect/ switch off modem when not in use.
Safe PracticesInternet Browser Security Guidelines
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
25/76
Information Security What it Means to Us
25
Phishing Tricks you into clicking on a link that redirects you to a
malicious site or injects malware
Do not click on link that comes in an e-mail. Go directly to thesite by typing the address
Hoaxes Spreading of rumours or falsehoods Information on internet is NOT all TRUE or CORRECT
Trojans Malicious code that is hidden along with other files Collects passwords, keyboard strokes, Credit Card info and
sends it out on the net
Safe PracticesInternet Browser Security Guidelines
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
26/76
Information Security What it Means to Us
26
All mail is scanned. (NSA Echelon) All mail is backed up (even after you delete it!)
There is NO Privacy unless encrypted and even then
Mail goes through a number of servers at each ofwhich there is a possibility of hacking
Spam (unsolicited mail from strangers who haveobtained e-mail id surreptitiously )
Divulging e-mail id in malls (surveys, discounts)
Safe PracticesE-Mail Security Threats
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
27/76
Information Security What it Means to Us
27
Encrypt using PGP Filter out Spam. DELETE Do not open mail from strangers. DELETE Scan all attachments for virus Do not send messages with attachments that contain
executable code. Use Rich Text Format instead of thestandard .DOC format.
Avoid sending personal information/ filling forms. Do not click on links in the e-mail. Do not open e-mail that offer FREE gifts or money No Chain Mails
Safe PracticesE-Mail Security Guidelines
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
28/76
Information Security What it Means to Us
28
Virus (started with DOS) Captures an interrupt & Terminate but Stay Resident (TSR) Self Replicating Malicious - Causes Damage
Keep Anti Virus up-to-date Anti-Virus Configuration
Macro protection enabled Disable option for code to execute directly on Mail Clients
Scan All files coming in Your computer everyday
Use Genuine Anti-Virus AVG, QH, Bit-Def, NAV, Kasp,McAfee etc
Safe Practices Viruses
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
29/76
Information Security What it Means to Us
29
Spyware Captures an interrupt & Terminate but Stay Resident (TSR) Self Replicating
Malicious Observes behaviour, Takes control (changes search engine, new tool bars) Re-directs and sends out data Number of Pop-ups
Reduces surfing speed Anti-Spyware
Works in real-time Prevents spyware from being installed (scans IP packets)
Safe PracticesSpyware
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
30/76
y
30
Precautions Do NOT click anywhere inside pop-up windows (these could
contain spyware that will infect the system) Block Pop-ups
Downloads from untrusted sites could contain Spyware Do NOT follow the links that offer free anti-Spyware
Use Genuine Anti-Spyware (normally bundled with Anti- Virus packages) AVG, QH, Bit-Def, NAV, Kasp, McAfeeetc
Safe PracticesSpyware
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
31/76
y
31
Stealing of Personal information Credit Card Numbers, PINs, Passwords
Preventive Measures Shred trash (Dumpster Diving) Use Virtual Keyboard for entering passwords Do not allow anyone to see you entering PIN/ password Never give personal information on phone/ e-mail Cancel credit cards not in use for a long time Ensure secure site (https://) from known provider Monitor accounts Photographs on cards with signature Never leave cards out of your sight
Safe PracticesIdentity Theft
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
32/76
y
32
Do not get software from P2P sites/ e-mailattachments
Only freeware or software for which you arelicensed/ registered
Only trusted web sites Check validity of thecertificate and issuer of certificate for a site fromwhich software is downloaded
Always scan downloads before installation Read license agreement carefully Cracks are dangerous
Safe PracticesDownloading Guidelines
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
33/76
y
33
Legal Problems (MMS, SMS) Trackable Accountable
Malicious programs (Trojans, Spyware, Worms,) Steal personal information Inflate bills (toll-free numbers offers) Get access to mobile/ laptop
IMEI
I nternational Mobile Equipment I dentifier 15 (or 17) digit number Unique for each and every mobile device Dial * # 0 6 # for IMEA number Can be used to disable phone if lost
Mobile Device Security
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
34/76
34
Securing Mobile Devices (Phones, Laptops etc.) Same as E-Mail precautions + Backup Bluetooth major vulnerability ( Video )
Use PIN, Security Settings, Infrared Settings, CallBarring & Restriction services
Do NOT store personal data on mobile (Credit Carddetails, passwords etc)
Mobile Device Security
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
35/76
35
Confidentiality Encryption Authenticity & Integrity PKI/ Digital signature Access
Authenticated SSL (https://) Public Key Encryption (Secure Shell instead of telnet) VPN
Backup REGULARLY (Complete & Incremental) Electronically shred files (not undelete -able)
Single Pass DoD 5520.22-M Guttmann
Data Security
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
36/76
36
Criticality, Location & Budget Specific Locks BIOS Security
Passwords (boot and set up) Access to battery
Side Channel attacks Power analysis
Electrical & Electromagnetic Probing Human Engineering Static Power Supply & Environment
Physical Security
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
37/76
37
Network Security A Primer
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
38/76
38
Need for Network Security
The philosophy of exchange of information over thenetwork that can be attacked (Vulnerability) hardware and software especially vulnerable
extent of the vulnerability is not always readily apparent The security only as strong as the weakest link Safeguards available for workstations, especially PCs are
significantly weaker than was the case with classicmainframes
Distributed computer systems Cannot be protected by organisational measures alone Technical mechanisms are also necessary
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
39/76
39
What are we trying to Protect?
Data Secrecy
Integrity Availability
Resources Hard-disk space Processor Memory Bandwidth
Reputation Identities Theft
Websites Defacement Data Loss Loss of Trust
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
40/76
40
Security Threat Perception
Intrusion Gaining unauthorised access by guessingpasswords, social engineering, planting malicious code,exploiting vulnerabilities to gain root access, etc
Denial of Service Impossible to avoid DOS attacks.Relatively easier to carry out.
Information Theft Get data without having to directlyuse the computer. Generally use internet services that aredesigned to give information. Active: Port Scanning, Exploit OS vulnerabilities, Session Hijacking Passive: Sniffing data, passwords in network traffic
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
41/76
41
Approaches to Security
Reactive Worry about problems that are apparent
currently. Concentrate on Fire-fighting
Proactive Plan for protection from attacks that are
theoretically possible
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
42/76
42
Why be Proactive?
Limits on what is difficult changes rapidly incomputing
Problems rarely come in isolation. One attack thatstoo difficult may help someone find an easier one Eventually, attackers always turn to more difficult
attacks Attacks move instantly from never attempted to
widely used
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
43/76
43
Security Models
Security through Obscurity Assume that no oneknows about the existence of the system. The
model does not work for long. Host Security Enforce security on each hostmachine separately. Does not scale up to a largenumber of machines.
Network Security Control network access tovarious hosts and services
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
44/76
44
Network Security Approaches
Firewalls Intrusion Detection Systems Strong Authentication Methods Encryption of sensitive data
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
45/76
45
Computer Security Principles
No single security model can solve all problems No security model can take care of management
problems Security must be built into the network design No Network is completely secure and no model
provides complete protection Though security may not prevent every single
incident, it can keep an incident from damaging orshutting down operations
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
46/76
46
What is a Firewall?
System or group of systems that enforces an accesscontrol policy between two networks
Blocks unauthorised or malicious data traffic Permits authorised and truthful data traffic Limits the amount of damage when used within an
organization
Enforces security policies and practices Characterized by a Default Permit or a Default Deny Policy Is most often installed at a point where a protected internal
network connects to an un-trusted external network
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
47/76
47
INTERNAL
NETWORK
FIREWALL EXTERNALNETWORK
Classical Firewall Positioning
What is a Firewall?
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
48/76
48
What a Firewall can do
Can prevent certain users or machines from accessing certainServers / Services (Enforces a security policy)
Can prevent unauthenticated interactive logins Can prevent network-borne attacks Can limit the exposure of an internal network Can provide a choke point and thus is a focus for security
decisions Can monitor & record communication between the internal
and external network Can encrypt data traffic between two firewalls (IPSEC)
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
49/76
49
What a Firewall cannot do
A Firewall is an excellent security solution but not acomplete one. Certain threats are outside the controlof the firewall.
Cannot protect against attacks that do not go through thefirewall Cannot protect against malicious insiders Cannot work without a consistent Network Security Policy
Cannot protect against configuration errors and it cannot setitself up correctly Cannot protect if administrators are vulnerable to Social
Engineering Cannot protect against completely new threats
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
50/76
50
Cryptography & PKI A Primer
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
51/76
51
IntroductionThe Art of Cryptology
CRYPTOLOGY
STEGANOGRAPHY(Hiding)
TRANSPOSITION(changing positionkeeping data same)
SUBSTITUTION(replacing keepingposition same)
CODE(replacing words)
CIPHER(combination ofsubstitution &transposition ofletters)
CRYPTOGRAPHY(Scrambling)
The study of mathematicaltechniques for scramblingdata confidentiality,integrity, authentication, ...
CRYPTANALYSIS(Cracking) The study ofmathematical techniquesfor defeatingcryptographic techniques
Key
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
52/76
52
IntroductionCryptographic Schemes
SYMMETRIC KEY SYSTEMS
STREAMCIPHERS
LFSR
ADDITIVEGENERATORS
ALGo M
TelephonyLinkEncrypt
Secure Fax
BLOCKCIPHERS
DES/3DES
IDEA
TWOFISH
RIJNDAEL(AES)
Messaging
Archiving
DiskEncrypt
ASYMMETRIC (PUBLIC)KEY SYSTEMS
RSA
MERKLE-HELLMANKNAPSACK
EL GAMAL
RABIN
Authentication
DigitalCertification
Non- Repudiation
UNKEYED SYSTEMS
SHA, MD2, MD4, MD5(Hash Functions)
RNGs, PRNGs
Integrity
Key Generation
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
53/76
53
Non-Repudiation & Key Exchange
(Key Management & Distribution)
Confidentiality
Symmetric (Private) KeySystems
Asymmetric (Public) Key Systems
Hybrid Systems
Integrity & Authentication (Hashing & Digital Signatures)
IntroductionCryptographic Services
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
54/76
54
Basic Concepts
Symmetric-key CryptographyBlock CiphersStream Ciphers
Public-key Cryptography Confidentiality Authentication
Integrity & Authentication Hash Functions Digital Signatures
Non-Repudiation & Key Distribution/ Exchange
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
55/76
55
Encryption Algorithm
Decryption Algorithm
KeySource
Cryptanalyst
X
K
Secure channel
Y X Plain Text
X: Plain TextY: Cipher TextK: Encryption/
Decryption Key
Sender A Receiver B
The Decryption Algorithmis the inverse of the
Encryption Algorithm
Cipher Text Plain Text
Private Key
Algorithm
Plain Text Approxi mation
Pri vate Key Approximation
Cipher Text
Private Key K
Symmetric-Key CryptographyBasic Model
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
56/76
56
Shared secret key between sender & receiver
Authenticity implicit
Security depends upon secrecy of key
Good performance for bulk encryption of data
Used for High Security, Mission Critical Applications
Two types of Conventional Ciphers
Block CiphersStream Ciphers
Symmetric-Key CryptographyFeatures
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
57/76
57
Substitution and Transposition individually DO NOTprovide high security
Combining the basic transformations yields strongciphers
A suitable combination (composition) of S and T is calleda round
Having multiple rounds enhances security
Therefore most block ciphers are Product Ciphers usingmultiple rounds
Symmetric-Key CryptographyBlock Ciphers
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
58/76
58
They encrypt individual characters (usually binary digits)
Generally faster than block-ciphers in hardware
Most appropriate in applications where buffering is aproblem, eg., In telecommunications
Few fully specified algorithms in open literature thoughenormous theoretical knowledge exists
Have significant advantages and therefore, their use islikely to grow
Symmetric-Key CryptographyStream Ciphers
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
59/76
59
Encryption Algorithm
Decryption Algorithm
Key pairSource
X Y X
KR b
Sender A Receiver B
Public Key
Ring KU b
KU b
Public-Key CryptographyConfidentiality
Plain Text Cipher Text
P r ivate Keyof B
CryptanalystAlgorithm
Plai n Text
Private Key of B (to decrypt messages to B)
Cipher Text
P u blic Keyof B
P u blic Keyof B
Plain Text
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
60/76
60
Encryption Algorithm
Decryption Algorithm
Key pairSource
X
KU a
Y X
KR a
Sender A Receiver B
Public Key
Ring
KU a
Public-Key Cryptography Authentication
Plain Text Cipher Text
P r ivate Keyof A
P u blic Keyof A
P u blic Keyof A
Plain Text
CryptanalystAlgorithm
Plai n Text
Pri vate Key of A ( to spoof identi ty of A)
Cipher Text
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
61/76
61
Mathematically related key pair
Private key - known only to user;kept secret
Public key - made available publicly Encryption/Decryption very slow (time-consuming)
Used for
Confidentiality (only for small data sizes)
Authentication (Digital Signature)
Non-Repudiation(Key Management & Distribution)
Key Exchange
Public-Key CryptographyFeatures
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
62/76
62
Myth - 1: Public-key Encryption is more secure fromcryptanalysis than is conventional encryption . In actual fact , thesecurity of any encryption scheme depends on the length of the key &the computational work involved in breaking a cipherMyth - 2: Public-key Encryption has made conventionalencryption obsolete . In actual fact even today Private keyCryptography is used for encryption and Public-key Cryptography isrestricted to key management & signature applications
Myth - 3: Key distribution is trivial when using Public-keyEncryption, compared to the rather cumbersome handshakinginvolved with key distribution centres for conventionalencryption. In actual fact , the procedures involved for Public-keyCryptography are no simpler nor any more efficient than those requiredfor conventional encryption
Public-Key CryptographyMyths
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
63/76
63
PlainText h(f)
MessageDigest
Fixed sizeHash Function
To be Transmittedwith the message
Integrity & AuthenticationHash Functions
x h(x)
One-way functionInput is a message of any lengthOutput is fixed
Cannot be generated from another messageIs different from the result of any other message
Not reversible - Impossible to recover message from hashUniquely identifies message and verifies integrityCommonly used hash algorithms
Secure Hash Algorithm (SHA)Message Digest algorithm (MD2, MD4, MD5)
Length is typically 128 or 160 bits
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
64/76
64
Enables verification of sender, date & time of signature
Trusted Time & Date Stamping
Authenticates information content at time of signatureDepends on content of information (Hash)
Should be unique to sender (Private Key)
Verifiable by third party for arbitrationEasy to produce, recognise, verify & store
Computationally infeasible to forge
Integrity & AuthenticationDigital Signatures
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
65/76
65
EP
KRa
||
K
KUa
Compare
DC M
K
Signature tied to cryptogram
M EC H
H
EKRa [H(E K[M])]
EK[M]
DP
Sender A Receiver B
Private Key Algorithm
Hash Function Algorithm
Public Key Algorithm
EC
H
EP
MessageDigest
MessageDigest
Public Key of A
DigitalSignature
CryptogramCryptogram
SignedCryptogram Cryptogram
DigitalSignature
P r ivate Key of A
MessageDigest
Message Message
SecretKey
SecretKey
Integrity & AuthenticationDigital Signature Implementation - 1
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
66/76
66
EP
||
M
M
Signature tied to plain text
KR a
H
EC DC HM
KK
Compare
DP
KUa E K[M||E KRa [H(M)]]
E KRa [H(M)]
Sender A Receiver B
MMessage
Message
DigitalSignatureMessage
Digest
SignedMessage Cryptogram
DigitalSignature
MessageDigest
MessageDigest
Message
Public Key of A
P r ivate Key of A
SecretKey
SecretKey
SignedMessage
Integrity & AuthenticationDigital Signature Implementation - 2
Private Key Algorithm
Hash Function Algorithm
Public Key Algorithm
EC
H
EP
8/11/2019 Information Security - A Primer
67/76
67
Non Repudiation & KeyExchange
(Key Management & Distribution)
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
68/76
68
A B
KUa KUa
KUaKUa
KU bKU b
KU b
KU b
Public Announcement of Keys
Uncontrolled Public Key Distribution
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
69/76
69
Public KeyDirectory
A B
KUa KU b
Public Key PublicationPublicly Available (Access Controlled) Directory
Information Security What it Means to Us
P bli K A h i
8/11/2019 Information Security - A Primer
70/76
70
Public KeyAuthority
InitiatorA
ResponderB
(1) Request || Time 1 (4) Request || Time 2
(6)E KUa [N a || N b]
(7)E [N b]
(2)E kRauth [KU b || Request || Time 1]
(5)E kRauth [KUa || Request || Time 2]
KU b
(3)E [ID A || N a]KU b
Public Key AuthorityCentral Authority Maintaining Dynamic Directory of
Centrally Generated KeysSteps 1 to 7 have to be carr ied out forevery tr ansaction. Th is i s tedious and i sovercome using certi f ication.
Issue of Public Key of A
Issue of Public Key of B
Request for
Public Keyof A
Request for Public Keyof B
Authenticated Exchangeof Public Keys
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
71/76
71
Exchange of Public Key Certificates
CertificateAuthority
A B
(2)C B
(1)C A
KUa KU b
C A=E KRauth [Time 1 ID A KUa]||||
C B=E KRauth [Time 2 || ID B KU b ]||
E KRauth
ID A :Identifier of A
: Private Keyof Authority
Public Key Certificates
Registration
Registration
Issue ofCertificate to A
Issue ofCertificate to B
Exchange of Certificates
A Cer tif icate can be used forany number of tr ansactions forthe per iod of i ts validity
Time 1 & Time 2 refer to the
Period ofValidity
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
72/76
72
Public-Private Key Pair Generated Individually by User Uncontrolled (Public Announcement) of Public Keys Public Key Publication in a Publicly available (access controlled)
directoryCannot achieve Non RepudiationNo central control & TrustEasy & Cheap to implement
Public-Private Key Pair Generated Centrally Public Key Authority Certificate Authority (could be generated individually by user)
Non Repudiation achievedCentral Control & Trust Complex & Expensive Infrastructure
Non Repudiation Achieved bySuitable Key Distribution
Information Security What it Means to Us
Introduction
8/11/2019 Information Security - A Primer
73/76
73
Non-Repudiation & Key Exchange
(Key Management & Distribution)
Confidentiality
Symmetric (Private) KeySystems
Asymmetric (Public) Key Systems
Hybrid Systems
Integrity & Authentication (Hashing & Digital Signatures)
IntroductionCryptographic Services
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
74/76
74
Issues 1
Cryptology Computationally secure algorithms Role, Survivability, Secrecy,
Availability Cryptanalysis (Linguistics, Maths, Int. etc) & Algorithm Analysis Key Design Key Management & Administration (Distribution) Public Key Infrastructure (PKI)
Technology Hardware obsolescence Software key storage Protocols Open Source Software authenticity, need to analyse
Information Security What it Means to Us
8/11/2019 Information Security - A Primer
75/76
75
Issues 2
Vulnerability & Susceptibility (Side Channel Attacks) System (Hardware & Software) Vulnerabilities Social Engineering
Interoperability & Standards Data Transfer between networks with different security classification
Policy (Integrated, Institutionalised) Expertise (Long Term gains)
Maths, Physics, Computing, Language
Design, Development, Production, Life Cycle Support Gradation/ Certification & Audit Accountability & Trust Key Escrow Insurance Utilisation of Indigenous Academia & Industry Control, Funding, Authority
Information Security What it Means to Us
l h h
8/11/2019 Information Security - A Primer
76/76
Some Final Thoughts
The IT infrastructure is a complex technological system. All suchcomplex systems exhibit interactive complexity (sub -systems interactin unexpected ways) and tight coupling (sub -systems have rapidimpact on each other). These characteristics make the system accident-prone. Such systems have serious accidents as a consequence of theinherent complexities irrespective of the intent or skill of the designersor operators. The best systems operated by the best men will fail andfail regularly .
Normal Accidents: Living with High -Risk Technologies by Charles Perrow
How much should we computerise?How much should we trust such systems?Have we catered for Normal Accidents? What are WE doing about Information Security