
Block 3

MBA notes

Uploaded by

Mamtha

Information Security and Risk Management

Unit 3: Network Security

Structure:
3.1 Network Security Issues
3.1.1 IT Manager and Network Administrator Role
3.1.2 Reasons of Security Issues to Networks
3.1.3 Recommended Steps for Network Safety
3.2 Threats and Solutions
3.3 Cryptography
3.3.1 Hieroglyph – The Oldest Cryptographic Technique
3.3.2 Steganography
3.3.3 Evolution of Cryptography
3.3.4 Characteristics of Modern Cryptography
3.3.5 Context of Cryptography
3.3.6 Security Services of Cryptography
3.3.7 Cryptography Primitives
3.3.8 Components of a Cryptosystem
3.3.9 Types of Cryptosystems
3.3.10 Relation between Encryption Schemes
3.3.11 Kerckhoff’s Principle for Cryptosystem
3.3.12 Details of the Encryption Scheme
3.3.13 Earlier Cryptographic Systems
3.4 Summary
3.5 Check Your Progress
3.6 Questions and Exercises
3.7 Key Terms
3.8 Check Your Progress: Answers
3.9 Case Study
3.10 Further Readings

Objectives
After studying this unit, you should be able to understand:
• Network security issues
• Cryptography algorithms
• Encryption
• Cryptanalysis
• Methods for breaking cryptography algorithms
• A case study based on this unit

Amity Directorate of Distance and Online Education


Overview
The unprecedented connectivity of the Internet age has led to enormous social and
economic benefits, but has also introduced numerous new challenges. In a fully
connected world, security threats continue to evolve, keeping ahead of the most
advanced defenses.

Background
Network-based security threats have led to widespread identity theft and financial
fraud. Spam, viruses and spyware cause significant problems for consumers and
businesses. A security breach may irreparably damage a company’s brand or reputation.
In the US, security issues threaten to slow the national adoption of electronic medical
records. In the EU, consumer confidence regarding security and data protection is a
barrier to the more rapid expansion of e-commerce across member state borders.
Today’s information attacks are a profitable business enterprise and are often
controlled by organized crime syndicates. A growing number of sophisticated cyber crime
business models, including the emergence of criminal enterprises, are built around
selling tools and services for launching network attacks, rather than simply selling
information gained from attacks.
Security technology continues to advance, changing from passive, point
product-based to active, end-to-end approaches to security recognition, containment,
and quarantine. In addition, Internet Service Providers (ISPs) are competing on security
and consumer ISPs offer security as part of their service.
Policymakers around the world are focused on the state of the information
infrastructure. Policymakers want to ensure that users of networks employ the best
technology and process practices to make networks as secure as possible. Governments
and businesses continually update their strategies to prevent attacks, and public-private
partnerships have been formed to develop voluntary, market-based approaches to
security.

Cisco’s Position
Cisco believes that governments can help decrease cyber security threats by:
• Raising consumer and industry awareness of the importance of network security
• Educating users about best practices
• Using best practices to secure their own systems
• Funding long-term research and development
• Aggressively enforcing the laws against cyber crime and prosecuting criminals
that use or attempt to use the network for theft, fraud, extortion, or other crimes
• Increasing cooperation at an international level with other governments, law
enforcement agencies, and the private sector on the socialization of best
practices and international prosecution of cyber crime
Cisco does not believe that governments should regulate security. In general, regulation:
• Stifles innovation by picking and choosing specific technology, rather than
letting market competition develop the best and most advanced solutions
• Does not advance quickly enough to keep pace with current industry needs
and newly posed threats
• May actually decrease Internet security by creating specific points for systemic
failure

3.1 Network Security Issues


Computer networks have greatly benefited the education sector, the business world and
many other organizations. They can be seen everywhere, and they connect people all over
the world. Computer networks provide some major advantages that make human life more
relaxed and easy. Some of them are listed below:
Communication: Communication is one of the biggest advantages provided by
computer networks. Different computer networking technologies have improved the way
people communicate. People from the same or different organizations can communicate in
a matter of minutes to collaborate on work activities. In offices and organizations,
computer networks serve as the backbone of daily communication from the top to the
bottom level of the organization. Different types of software can be installed that are
useful for transmitting messages and e-mails at high speed.
Data sharing: Another wonderful advantage of computer networks is data
sharing. All data, such as documents, files, account information, reports, multimedia,
etc., can be shared with the help of computer networks. Hardware sharing and application
sharing are also allowed in many organizations such as banks and small firms.
Instant and multiple accesses: Computer networks are multi processed. Many
users can access the same information at the same time. Immediate commands such as
printing commands can be issued with the help of computer networks.
Video conferencing: Before the arrival of computer networks, there was no
concept of video conferencing. LAN and WAN have made it possible for
organizations and business sectors to hold live video conferences for important
discussions and meetings.
Internet service: Computer networks provide internet service over the entire
network. Every single computer attached to the network can experience high-speed
internet, fast processing and workload distribution.
Broadcasting: With the help of computer networks, news and important messages
can be broadcast in just a matter of seconds, which saves a lot of time and effort.
People can exchange messages immediately over the network at any time, or we can
say 24 hours a day.
Photographs and large files: A computer network can also be used for sending
large data files, such as high-resolution photographs, over the network to more
than one user at a time.
Saves cost: Computer networks save a lot of cost for any organization in different
ways. Building up links through computer networks immediately transfers files and
messages to other people, which reduces transportation and communication expenses.
It also raises the standard of the organization because of the advanced technologies that
are used in networking.
Remote access and login: Employees of different or the same organization connected
by the networks can access the networks by simply entering the network remote IP or
web remote IP. In this way, the communication gap which was present before computer
networks no longer exists.
Flexible: Computer networks are quite flexible. All of their topologies and networking
strategies support the addition of extra components and terminals to the network. They are
equally fit for large as well as small organizations.

Reliable: Computer networks are reliable where safety of the data is concerned. If
one of the attached systems collapses, the same data can be gathered from another system
attached to the same network.
Data transmission: Data is transferred at high speed even in scenarios
when one or two terminal machines fail to work properly. Data transmission is seldom
affected in computer networks. Almost complete communication can be achieved in
critical scenarios too.
Provides broader view: The first and foremost task which is required to be
done after developing a network on any scale is to protect the network. This section will
cover network security, and solutions and tips to avoid spamming, trojans, viruses,
malware, etc. All networks face one or more of the issues mentioned above. It is the job
of the computer network administrator or IT manager to keep himself updated regarding
the latest threats and to maintain the computer networks.
It is the right of the users of the network to get a smoothly working network system,
without any interruption by annoying messages or slow communication between
computers. This is only possible if the network administrator keeps the network secure
from malicious software, worms and other threats. Keeping different biometrics and using
authentication procedures can help only to a certain level. Hackers and intruders are
always searching for loopholes to exploit in the corporate sector, including financial
data and other sensitive information. In all scenarios, data integrity and security can
never be compromised. Therefore, to keep the network secure and running flawlessly,
the IT manager and computer network administrator need to be monitoring all the
time.

3.1.1 IT Manager and Network Administrator Role


The most important factor in maintaining the security of a network is the knowledge of
the IT manager or network administrator (NA). The role of these personnel is extremely
important in any organization when it comes to keeping the network secure. The network
administrator should always be up to date on all the possible and latest threats and
attack techniques against the network and, of course, know how to avoid them and how to
resolve them when they happen. The NA should search the internet for the latest viruses
in circulation, the latest security threats, malware, trojans and e-mail attachments, etc.,
and find solutions to these threats before his own network becomes their victim. He should
always be ready to scan the entire network for malware, trojans, viruses, etc., and if any
infected system is found, it should be removed and fixed to keep the rest of the network
secure. Spyware and small network intrusions are designed to target certain companies just
to steal or upload confidential information without being noticed. The NA should always
scan all the systems for such activities, and all the systems should be shut down when
they are not in use.

3.1.2 Reasons of Security Issues to Networks


There are multiple reasons for a network to be victimized by viruses, malware,
worms and other security threats. The most common reason for such security attacks in
small companies is not using proper, licensed versions of anti-virus software. And
of course, visiting risky sites also downloads dangerous malware when the network is not
properly secured, which infects the entire network.
When a network uses non-genuine, non-licensed or cracked versions of anti-virus
and similar software, the software does not update to the latest virus signature file to
keep the system protected to date. When new viruses are launched, this software does not
have the latest virus threats defined in its signature files. Hence, it exposes the entire
network to these virus threats, and more often than not the network does get infected. As
important as the NA's knowledge is, I cannot emphasize end-user awareness enough.
End-users are those users who put the entire network to use and put it at risk at the same
time. Their education is crucial. End-user education on security threats and how to avoid
them can play a major role in keeping the network up-to-date and securely running.
There is another major type of attack which most companies ignore and
eventually pay for. These attacks are commonly known as inside attacks.
An ex-employee of the company can be a serious threat to the company networks, especially
if the ex-employee had a network-related job, since all the critical information related to
the network may be known to them. In such cases, they can easily connect to the networks
by making a remote connection. Using VPN, or through other sources, they can transfer
viruses and malicious software which can leak information that is secret and important
from the organization's point of view. There can be many other threats which can make any
company's life uneasy. To avoid such incidents, make sure to update all information,
usernames and passwords as soon as a network-related position becomes vacant.
Admin information should in any case be updated once every 24 hours to keep the
network safe from any unwanted situations.
It is the responsibility of the NA to keep a close watch on all the employees on the network.
They should be aware that their activities are being logged and reviewed. There would
be fewer chances of any inside security attacks if users are under the impression of being
watched closely.

3.1.3 Recommended Steps for Network Safety


There are six recommended steps which are of great importance with network security
in mind. If these steps are properly followed by the NA, there is a greater chance of
avoiding security threats to computer networks in the first place.
(a) Larger computer networks should be divided into segments for management of
the network and ease in finding culprit systems. Internet access should be
filtered by blocking port 1433 and port 1434, or one can use different firewall
software to implement such filters. All unwanted or unneeded ports
should be kept blocked to remove any chance of being misused; only required
communication ports should be open to data transfer. Internet access to SQL
systems should be allowed from outside.
(b) Keep a close watch on open ports. Port 80 is the most commonly used port for
HTTP access.
(c) The network administrator should make sure to keep all systems, including
servers, updated with the latest operating system files and patches. These critical
updates and patches keep the system secure from vulnerabilities. The NA should make
sure to keep the automatic update option enabled on clients on the Windows platform, so
that whenever updates are released, client machines download and install
them and are secured to the maximum level. The same should be done for the server
operating system, but a closer watch should be kept when updating the server OS.
Third-party security tools are also available and can be installed after testing to
meet better security measures. IT managers can also use powerful
authentication methodologies to keep the network secure from security threats.
(d) Sometimes having a limited number of network administrators can help in keeping
the network secure, as the fewer the people managing the network, the fewer the chances
of security malfunctions. It is also important not to give admin rights on any local
client computer. If an application requires admin rights for installation, only
the NA should install it. Providing admin information to anyone else for assistance
can be very risky.
(e) Older known threats can attack again. The NA should keep in mind that the
computer network must be secured against the latest threats and also against
previously known attacks. Windows known services Telnet and Clipbook
should not be disabled. They have certain tasks to perform. Do not disable any
default service until you are sure and you know what you are doing.
(f) Create, configure and implement security policies. Implementing security
policies can be useful in keeping the network secure. Keep network users
educated on these policies and make sure to send out a notice to all clients if any
updates are made to these policies. These security measures are useful but
come at a price. Deploying, maintaining and implementing all these
methodologies can increase security costs. The NA should be very careful in
following the above-mentioned points. He should also regularly update network
users on the latest threats and on what should and should not be done to keep things
smooth and secure. He should also help network users deal with unwanted
e-mails, which can be risky to network administrators.
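A check for steps (a) and (b), as an added example that is not part of the original notes: it parses Windows `netstat -an` style output, ignores sockets bound only to loopback, and reports listeners on ports 1433/1434 or on any port outside an allowlist. The sample output and the allowlist (TCP 80 and 443) are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

# Ports that step (a) says to block: SQL Server (TCP 1433) and its browser service (UDP 1434).
SQL_PORTS = {("TCP", 1433), ("UDP", 1434)}
# Assumption for this example: the only ports this host is required to expose.
ALLOWED = {("TCP", 80), ("TCP", 443)}

# Constructed sample in the style of `netstat -an` on Windows (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING
  TCP    192.168.10.5:49712     203.0.113.7:443        ESTABLISHED
  TCP    [::]:443               [::]:0                 LISTENING
  UDP    0.0.0.0:1434           *:*
  UDP    127.0.0.1:1900         *:*
"""


class Finding(NamedTuple):
    proto: str
    address: str
    port: int
    reason: str


def parse_listeners(netstat_text):
    """Yield (proto, ip_address, port) for every socket that accepts traffic."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; only LISTENING sockets accept connections.
        # UDP is connectionless, so every bound UDP socket counts.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        host, _, port = local.rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        try:
            yield proto, ipaddress.ip_address(host), int(port)
        except ValueError:
            continue  # unparsable address or port, skip the row


def audit(netstat_text, allowed=ALLOWED):
    """Return sorted findings for exposed listeners that violate steps (a)/(b)."""
    findings = []
    for proto, addr, port in parse_listeners(netstat_text):
        if addr.is_loopback:
            continue  # reachable only from the host itself
        if (proto, port) in SQL_PORTS:
            reason = "SQL Server port, block at the firewall"
        elif (proto, port) not in allowed:
            reason = "not on the required-ports allowlist"
        else:
            continue
        findings.append(Finding(proto, str(addr), port, reason))
    return sorted(findings)


if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT):
        print(f"{f.proto} {f.address}:{f.port}  {f.reason}")
```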

3.2 Threats and Solutions


All computers, from the family home computer to those on desktops in the largest
corporations in the country, can be affected by computer security breaches. This guide
provides a general overview of the most common computer security threats and the steps
you can take to protect against these threats and ensure that your computer is both safe
and cannot easily be used to attack other computers on a network or on the Internet
itself.
Importance of Security: While the Internet has transformed and greatly improved
our lives, this vast network and its associated technologies have opened the door to an
increasing number of security threats from which individuals, families and business must
protect themselves. The consequences of attacks can range from the mildly inconvenient
to the completely debilitating. Important data can be lost, privacy can be violated and
your computer can even be used by an outside attacker to attack other computers on the
Internet.
Threats to Data: As with any type of crime, the threats to the privacy and integrity of
data come from a very small minority. However, while a car thief can steal only one car at
a time, a single hacker working from a single computer can generate damage to a large
number of computer networks that can wreak havoc on our country’s information
infrastructure. Whether you want to secure a car, a home or a nation, a general
knowledge of security threats and how to protect yourself is essential.
Viruses: Viruses are the most widely known security threat because they often
garner extensive press coverage. Viruses are computer programs that are written by
devious programmers and are designed to replicate themselves and infect computers
when triggered by a specific event. For example, viruses called macro viruses attach
themselves to files that contain macro instructions (routines that can be repeated
automatically, such as sending e-mail) and are then activated every time the macro runs.
The effects of some viruses are relatively benign and cause annoying interruptions such
as displaying a comical message when striking a certain letter on the keyboard. Other
viruses are more destructive and cause such problems as deleting files from a hard drive
or slowing down a system. A computer can be infected with a virus only if the virus enters
through an outside source – most often an attachment to an e-mail or a file downloaded
from the Internet. When one computer on a network becomes infected, the other
computers on the network – or for that matter other computers on the Internet – are
highly susceptible to contracting the virus.
Trojan Horse Programs: Trojan horse programs, or Trojans, are delivery vehicles
for destructive computer code. Trojans appear to be harmless or useful software
programs, such as computer games, but are actually enemies in disguise. Trojans can
delete data, mail copies of themselves to e-mail address lists and open up computers to
additional attacks. Trojans can be contracted only by copying the Trojan horse program
to a computer, downloading from the Internet or opening an e-mail attachment.
Vandals: Websites have come alive through the development of such software
applications as ActiveX and Java Applets. These applications enable animation and
other special effects to run, making websites more attractive and interactive. However,
the ease with which these applications can be downloaded and run has provided a new
vehicle for inflicting damage. Vandals can take on the form of a software application or
applet that causes destruction of various degrees. A vandal can destroy a single file or a
major portion of a computer system.
Attacks: Innumerable types of network attacks have been documented, and they
are commonly classified in three general categories: (1) reconnaissance attacks,
(2) access attacks, and (3) denial-of-service (DoS) attacks.
Reconnaissance attacks are essentially information gathering activities by which
hackers collect data that is used to later compromise networks. Usually, software tools,
such as sniffers and scanners, are used to map out and exploit potential weaknesses in
home computers, web servers and applications. For example, software exists that is
specifically designed to crack passwords. Such software was originally created for
computer administrators to assist people who have forgotten their passwords or to
determine the passwords of people that have left a company without telling anyone what
their passwords were. Placed in the wrong hands, however, this type of software can
become a very dangerous weapon. Access attacks are conducted to gain entry to e-mail
accounts, databases and other confidential information. DoS attacks prevent access to
all or part of a computer system. They are usually achieved by sending large amounts of
jumbled or other unmanageable data to a machine that is connected to the Internet,
blocking legitimate traffic from getting through. Even more malicious is a Distributed
Denial-of-service attack (DDoS) in which the attacker compromises multiple machines or
hosts.
Data Interception: Data transmitted via any type of network can be subject to
interception by unauthorized parties. The intercepting perpetrators might eavesdrop on
communications or even alter the data packets being transmitted. Perpetrators can use
various methods to intercept data. IP spoofing, for example, entails posing as an
unauthorized party in the data transmission by using the Internet Protocol (IP) address of
one of the data recipients.
Scams: Con artists have been perpetrating scam operations for decades. Now
more than ever, the stakes are higher as they’ve got easy access to millions of people on
the Internet. Scams are often sent by e-mail and may contain a hyperlink to a website
that asks you for personal information, including your password. Other times, scam
e-mail may contain a solicitation for your credit card information in the guise of a billing
request. There are ways to take proactive steps toward protecting yourself from scams
on the Internet, such as never giving out your password, billing information or other
personal information to strangers online. Because it is easy to fake e-mail addresses, be
mindful of who you’re listening to or talking with before you give out personal information.
Don’t click on hyperlinks or download attachments from people or websites you don’t
know. Be skeptical of any company that doesn’t clearly state its name, physical address
and telephone number.
Spam: Spam is the commonly used term for unsolicited e-mail or the action of
broadcasting unsolicited advertising messages via e-mail. Spam is usually harmless, but
it can be a nuisance, taking up people’s time and storage space on their computer.
Security Tools: Once you understand the threats, putting the proper safeguards in
place becomes much easier. You have an extensive choice of technologies, ranging from
anti-virus software packages to firewalls for providing protection. With all the options
currently available, it is possible to implement proper computer security without
compromising the need for quick and easy access to information.
Anti-virus Software: Virus protection software can counter most virus threats if the
software is regularly updated and correctly maintained. Anti-virus software relies on a
vast network of users to provide early warnings of new viruses, so that antidotes can be
developed and distributed quickly. With thousands of new viruses being generated every
month, it is essential that the virus database be kept up-to-date. The virus database is the
record held by the anti-virus package that helps it identify known viruses when they
attempt to strike. The software can prompt users to periodically collect new data. It is
essential to update your anti-virus software regularly.
Security Policies: Organizations, both large and small, need to craft computer
security policies. Security policies can be rules that are electronically programmed and
stored within computer security equipment as well as written or verbal regulations by
which an organization operates. Written policies as basic as warning computer users
against posting their passwords in work areas can often pre-empt security breaches.
Customers or suppliers with access to certain parts of the network need to be adequately
regulated by the policies as well.
Passwords: Making sure that your computer system is password protected is the
simplest and most common way to ensure that only those that have permission can enter
your computer or certain parts of your computer network. However, the most powerful
network security infrastructures are virtually ineffective if people do not protect their
passwords. Many users choose easily remembered numbers or words as passwords,
such as birthdays, phone numbers, or pets’ names, and others never change their
passwords and are not very careful about keeping them secret. The golden rules, or
policies for passwords are:
• Make passwords as meaningless as possible
• Change passwords regularly
• Never divulge passwords to anyone
Firewalls: A firewall is a hardware or software solution to enforce security policies.
In the physical security analogy, a firewall is equivalent to a door lock on a perimeter door
or on a door to a room inside of the building – it permits only authorized users such as
those with a key or access card to enter. A firewall has built-in filters that can disallow
unauthorized or potentially dangerous material from entering the system. It also logs
attempted intrusions.
Make sure you have anti-virus software on your computer! Anti-virus software is
designed to protect you and your computer against known viruses. So, you don’t have to
worry. But with new viruses emerging daily, anti-virus programs need regular updates, like
annual flu shots, to recognize these new viruses. Be sure to update your anti-virus software
regularly! The more often you keep it updated, say once a week, the better. Check with the
website of your anti-virus software company to see some sample descriptions of viruses
and to get regular updates for your software. Stop viruses in their tracks!

A simple rule of thumb is that if you don’t know the person who is sending you an
e-mail, be very careful about opening the e-mail and any file attached to it. Should you
receive a suspicious e-mail, the best thing to do is to delete the entire message, including
any attachment. Even if you do know the person sending you the e-mail, you should
exercise caution if the message is strange and unexpected, particularly if it contains
unusual hyperlinks. Your friend may have accidentally sent you a virus. Such was the
case with the “I Love You” virus that spread to millions of people in 2001. When in doubt,
delete!
Use hard-to-guess passwords: Passwords will only keep outsiders out if they are
difficult to guess! Don’t share your password, and don’t use the same password in more
than one place. If someone should happen to guess one of your passwords, you don’t
want them to be able to use it in other places. The golden rules of passwords are: (1) A
password should have a minimum of 8 characters, be as meaningless as possible, and
use uppercase letters, lowercase letters and numbers, e.g., xk28LP97. (2) Change
passwords regularly, at least every 90 days. (3) Do not give out your password to
anyone!
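The golden rules above expressed as a policy check, as an added example that is not part of the original notes. The function name, result codes and the `personal_facts` input are assumptions made for illustration; the "meaningless" rule is approximated by rejecting passwords that contain a known personal detail such as a birthday, phone number or pet's name.

```python
import re
from datetime import date

MIN_LENGTH = 8       # rule 1: minimum of 8 characters
MAX_AGE_DAYS = 90    # rule 2: change at least every 90 days


def _fact_tokens(fact):
    """Split a personal detail into words (3+ letters) and numbers (4+ digits)."""
    for token in re.findall(r"[a-z]+|\d+", fact.lower()):
        if (token.isalpha() and len(token) >= 3) or (token.isdigit() and len(token) >= 4):
            yield token


def check_password(password, last_changed, today,
                   personal_facts=(), used_elsewhere=False):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    # Rule 1: length and character classes (uppercase, lowercase, numbers).
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not re.search(r"[A-Z]", password):
        problems.append("no_uppercase")
    if not re.search(r"[a-z]", password):
        problems.append("no_lowercase")
    if not re.search(r"[0-9]", password):
        problems.append("no_digit")
    # Rule 1, "as meaningless as possible": no birthday, phone number or name inside.
    lowered = password.lower()
    if any(tok in lowered for fact in personal_facts for tok in _fact_tokens(fact)):
        problems.append("personal_detail")
    # "Don't use the same password in more than one place."
    if used_elsewhere:
        problems.append("reused")
    # Rule 2: older than 90 days means it is overdue for a change.
    if (today - last_changed).days > MAX_AGE_DAYS:
        problems.append("expired")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the sample password from the text, then a weak one.
    print(check_password("xk28LP97", date(2024, 1, 10), date(2024, 2, 1)))
    print(check_password("Rex1990", date(2023, 1, 1), date(2024, 2, 1),
                         personal_facts=["Rex", "1990-04-17"], used_elsewhere=True))
```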
Use “firewalls” to protect your computer from Internet intruders: Equip your
computer with a firewall! Firewalls create a protective wall between your computer and
the outside world. They come in two forms, software firewalls that run on your personal
computer and hardware firewalls that protect a number of computers at the same time.
They work by filtering out unauthorized or potentially dangerous types of data from the
Internet, while still allowing other (good) data to reach your computer. Firewalls also
ensure that unauthorized persons can’t gain access to your computer while you’re
connected to the Internet. You can find firewall hardware and software at most computer
stores nationwide. Don’t let intruders in!
Don’t share access to your computers with strangers: Your computer operating
system may allow other computers on a network, including the Internet, to access the
hard-drive of your computer in order to “share files”. This ability to share files can be used
to infect your computer with a virus or look at the files on your computer if you don’t pay
close attention. So, unless you really need this ability, make sure you turn off file sharing.
Check your operating system and your other program help files to learn how to disable
file sharing. Don’t share access to your computer with strangers!
Disconnect from the Internet when not in use: Remember that the Digital
Highway is a two-way road. You send and receive information on it. Disconnecting your
computer from the Internet when you’re not online lessens the chance that someone will
be able to access your computer. And if you haven’t kept your anti-virus software
up-to-date, or don’t have a firewall in place, someone could infect your computer or use it
to harm someone else on the Internet. Be safe and disconnect!
Back up your computer data: Experienced computer users know that there are
two types of people: those who have already lost data and those who are going to
experience the pain of losing data in the future. Back up small amounts of data on floppy
disks and larger amounts on CDs. If you have access to a network, save copies of your
data on another computer in the network. Most people make weekly backups of all their
important data. And make sure you have your original software start-up disks handy and
available in the event your computer system files get damaged. Be prepared!
Regularly download security protection update “patches”: Most major software
companies today have to release updates and patches to their software every so often.
Sometimes bugs are discovered in a program that may allow a malicious person to attack
your computer. When these bugs are discovered, the software companies, or vendors,
create patches that they post on their websites. You need to be sure you download and
install the patches! Check your software vendors’ websites on a regular basis for new
security patches or use the new automated patching features that some companies offer.
If you don’t have the time to do the work yourself, download and install a utility program to
do it for you. There are available software programs that can perform this task for you.
Stay informed!
Check your security on a regular basis: When you change your clocks for
daylight savings time, reevaluate your computer security. The programs and operating
system on your computer have many valuable features that make your life easier, but
can also leave you vulnerable to hackers and viruses. You should evaluate your
computer security at least twice a year – do it when you change the clocks for daylight
savings! Look at the settings on applications that you have on your computer. Your
browser software, for example, typically has a security setting in its preferences area.
Check what settings you have and make sure you have the security level appropriate for
you. Set a high bar for yourself!
Make sure your family members and/or your employees know what to do if
your computer becomes infected: It’s important that everyone who uses a computer
be aware of proper security practices. People should know how to update virus protection
software, how to download security patches from software vendors and how to create a
proper password. Make sure they know these tips too!

3.3 Cryptography
The art of cryptography is considered to have been born along with the art of writing. As
civilizations evolved, human beings got organized in tribes, groups, and kingdoms. This
led to the emergence of ideas such as power, battles, supremacy, and politics. These
ideas further fueled the natural need of people to communicate secretly with selected
recipients, which in turn ensured the continuous evolution of cryptography as well.
The roots of cryptography are found in Roman and Egyptian civilizations.

3.3.1 Hieroglyph – The Oldest Cryptographic Technique


The first known evidence of cryptography can be traced to the use of ‘hieroglyph’.
Some 4000 years ago, the Egyptians used to communicate by messages written in
hieroglyph. This code was the secret known only to the scribes who used to transmit
messages on behalf of the kings. One such hieroglyph is shown below.

Later, the scholars moved on to using simple mono-alphabetic substitution ciphers
during 500 BC to 600 BC. This involved replacing the letters of a message with other
letters according to some secret rule. This rule became the key to retrieve the message
back from the garbled message.
The earlier Roman method of cryptography, popularly known as the Caesar Shift
Cipher, relies on shifting the letters of a message by an agreed number (three was a
common choice). The recipient of this message would then shift the letters back by the
same number and obtain the original message.

Original message:  a t t a c k a t d a w n
Each letter is shifted by “2”
Secret message:    c v v c e m c v f c y p

3.3.2 Steganography
Steganography is similar but adds another dimension to cryptography. In this
method, people not only want to protect the secrecy of information by concealing it,
but they also want to make sure any unauthorized person gets no evidence that the
information even exists. One example is invisible watermarking.
In steganography, an unintended recipient or an intruder is unaware of the fact that
observed data contains hidden information. In cryptography, an intruder is normally
aware that data is being communicated, because they can see the coded/scrambled
message.

[Figure: the message to be hidden (“Attack the Hill at GR 3614”) is embedded into a
carrier file, producing a carrier file with the hidden message.]

3.3.3 Evolution of Cryptography


During and after the European Renaissance, various Italian and Papal states led
the rapid proliferation of cryptographic techniques. Various analysis and attack
techniques were researched in this era to break the secret codes.
• Improved coding techniques such as Vigenere Coding came into existence in
the 15th century. These moved the letters of the message by a variable number
of places instead of moving them all by the same number of places.
• Only after the 19th century did cryptography evolve from ad hoc approaches
to encryption into the more sophisticated art and science of information security.
• In the early 20th century, the invention of mechanical and electromechanical
machines, such as the Enigma rotor machine, provided more advanced and
efficient means of coding the information.
• During the period of World War II, both cryptography and cryptanalysis
became excessively mathematical.

With the advances taking place in this field, government organizations, military units,
and some corporate houses started adopting the applications of cryptography. They used
cryptography to guard their secrets from others. Now, the arrival of computers and the
Internet has brought effective cryptography within the reach of common people.
Modern cryptography is the cornerstone of computer and communications security.
Its foundation is based on various concepts of mathematics such as number theory,
computational complexity theory, and probability theory.

3.3.4 Characteristics of Modern Cryptography


There are three major characteristics that separate modern cryptography from the
classical approach.
| Classic Cryptography | Modern Cryptography |
|---|---|
| It manipulates traditional characters, i.e., letters and digits directly. | It operates on binary bit sequences. |
| It is mainly based on ‘security through obscurity’. The techniques employed for coding were kept secret and only the parties involved in communication knew about them. | It relies on publicly known mathematical algorithms for coding the information. Secrecy is obtained through a secret key which is used as the seed for the algorithms. The computational difficulty of algorithms, absence of secret key, etc., make it impossible for an attacker to obtain the original information even if he knows the algorithm used for coding. |
| It requires the entire cryptosystem for communicating confidentially. | Modern cryptography requires parties interested in secure communication to possess the secret key only. |

3.3.5 Context of Cryptography


Cryptology, the study of cryptosystems, can be subdivided into two branches:
• Cryptography
• Cryptanalysis

What is Cryptography?
Cryptography is the art and science of making a cryptosystem that is capable of
providing information security.
Cryptography deals with the actual securing of digital data. It refers to the design of
mechanisms based on mathematical algorithms that provide fundamental information
security services. You can think of cryptography as the establishment of a large toolkit
containing different techniques in security applications.

What is Cryptanalysis?
The art and science of breaking the ciphertext is known as cryptanalysis.
Cryptanalysis is the sister branch of cryptography and they both co-exist. The
cryptographic process results in the ciphertext for transmission or storage. Cryptanalysis
involves the study of cryptographic mechanisms with the intention to break them. It is
also used during the design of new cryptographic techniques to test their security
strengths.
Note: Cryptography is concerned with the design of cryptosystems, while cryptanalysis studies the
breaking of cryptosystems.

3.3.6 Security Services of Cryptography


The primary objective of using cryptography is to provide the following four
fundamental information security services. Let us now see the possible goals intended to
be fulfilled by cryptography.
Confidentiality: Confidentiality is the fundamental security service provided by
cryptography. It is a security service that keeps the information from an unauthorized
person. It is sometimes referred to as privacy or secrecy.
Confidentiality can be achieved through numerous means starting from physical
securing to the use of mathematical algorithms for data encryption.
Data Integrity: It is a security service that deals with identifying any alteration to the
data. The data may get modified by an unauthorized entity intentionally or accidentally.
The integrity service confirms whether or not the data is intact since it was last created,
transmitted, or stored by an authorized user.
Data integrity cannot prevent the alteration of data, but provides a means for
detecting whether data has been manipulated in an unauthorized manner.
Authentication: Authentication provides the identification of the originator. It
confirms to the receiver that the data received has been sent only by an identified and
verified sender.
Authentication service has two variants:
• Message authentication identifies the originator of the message without any
regard to the router or system that has sent the message.
• Entity authentication is assurance that data has been received from a
specific entity, say a particular website.
Apart from the originator, authentication may also provide assurance about other
parameters related to data such as the date and time of creation/transmission.
Non-repudiation: It is a security service that ensures that an entity cannot refuse
the ownership of a previous commitment or an action. It is an assurance that the original
creator of the data cannot deny the creation or transmission of the said data to a recipient
or third party.
Non-repudiation is a property that is most desirable in situations where there are
chances of a dispute over the exchange of data. For example, once an order is placed
electronically, a purchaser cannot deny the purchase order, if non-repudiation service
was enabled in this transaction.
3.3.7 Cryptography Primitives
Cryptography primitives are nothing but the tools and techniques in Cryptography
that can be selectively used to provide a set of desired security services:
• Encryption
• Hash functions
• Message Authentication Codes (MAC)
• Digital Signatures
The following table shows the primitives that can achieve a particular security
service on their own.

Note: Cryptographic primitives are intricately related and they are often combined to achieve a set
of desired security services from a cryptosystem.
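How two of the primitives listed above map onto the security services of 3.3.6, as an added example that is not part of the original notes: a bare hash detects accidental alteration, while a keyed MAC also authenticates the originator but still cannot give non-repudiation. The key, the messages and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values, for illustration only.
SHARED_KEY = b"constructed-demo-key"
ORDER = b"PO-1001: ship 10 units to warehouse A"
TAMPERED = b"PO-1001: ship 90 units to warehouse A"


def hash_tag(message: bytes) -> bytes:
    """Hash function: unkeyed, so anyone can recompute it."""
    return hashlib.sha256(message).digest()


def mac_tag(key: bytes, message: bytes) -> bytes:
    """MAC (HMAC-SHA256): a valid tag requires the shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_hash(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hash_tag(message), tag)


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so the comparison itself does
    # not reveal how many leading bytes of a guessed tag were correct.
    return hmac.compare_digest(mac_tag(key, message), tag)


def accidental_change_detected() -> bool:
    """Integrity: a bit flipped in transit no longer matches the hash."""
    corrupted = bytes([ORDER[0] ^ 0x01]) + ORDER[1:]
    return not verify_hash(corrupted, hash_tag(ORDER))


def substituted_message_passes_hash_check() -> bool:
    """No authentication: whoever swaps the message can swap the hash too."""
    return verify_hash(TAMPERED, hash_tag(TAMPERED))


def substituted_message_passes_mac_check() -> bool:
    """Without the key, neither the old tag nor a tag made under a
    guessed key verifies for the substituted message."""
    old_tag = mac_tag(SHARED_KEY, ORDER)
    guessed = mac_tag(b"guessed-key", TAMPERED)
    return (verify_mac(SHARED_KEY, TAMPERED, old_tag)
            or verify_mac(SHARED_KEY, TAMPERED, guessed))


def receiver_tag_equals_sender_tag() -> bool:
    """No non-repudiation: both parties hold the same key, so a tag cannot
    prove which of them produced it. That service needs a digital signature."""
    sender = mac_tag(SHARED_KEY, ORDER)
    receiver = mac_tag(SHARED_KEY, ORDER)
    return hmac.compare_digest(sender, receiver)


if __name__ == "__main__":
    print("hash detects accidental change:     ", accidental_change_detected())
    print("hash accepts substituted message:   ", substituted_message_passes_hash_check())
    print("MAC accepts substituted message:    ", substituted_message_passes_mac_check())
    print("receiver can produce sender's tag:  ", receiver_tag_equals_sender_tag())
```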
A cryptosystem is an implementation of cryptographic techniques and their
accompanying infrastructure to provide information security services. A cryptosystem is
also referred to as a cipher system.
Let us discuss a simple model of a cryptosystem that provides confidentiality to the
information being transmitted. This basic model is depicted in the illustration below:

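[Figure: simple cryptosystem model. At the Sender, the plaintext and the encryption key
enter the encryption algorithm to produce the ciphertext; at the Receiver, the ciphertext
and the decryption key enter the decryption algorithm to recover the plaintext. An
Interceptor observes the ciphertext on the channel.]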

The illustration shows a sender who wants to transfer some sensitive data to a receiver
in such a way that any party intercepting or eavesdropping on the communication channel
cannot extract the data.
The objective of this simple cryptosystem is that at the end of the process, only the
sender and the receiver will know the plaintext.

3.3.8 Components of a Cryptosystem


The various components of a basic cryptosystem are as follows:
• Plaintext. It is the data to be protected during transmission.
• Encryption Algorithm. It is a mathematical process that produces a Ciphertext
for any given plaintext and encryption key. It is a cryptographic algorithm that
takes plaintext and an encryption key as input and produces a ciphertext.
• Ciphertext. It is the scrambled version of the plaintext produced by the
encryption algorithm using a specific encryption key. The Ciphertext is not
guarded. It flows on a public channel. It can be intercepted or compromised by
anyone who has access to the communication channel.
• Decryption Algorithm. It is a mathematical process that produces a unique
plaintext for any given Ciphertext and decryption key. It is a cryptographic
algorithm that takes a Ciphertext and a decryption key as input, and outputs a
plaintext. The decryption algorithm essentially reverses the encryption
algorithm and is thus closely related to it.
• Encryption Key. It is a value that is known to the sender. The sender inputs
the encryption key into the encryption algorithm along with the plaintext in order
to compute the ciphertext.
• Decryption Key. It is a value that is known to the receiver. The decryption key
is related to the encryption key, but is not always identical to it. The receiver
inputs the decryption key into the decryption algorithm along with the
Ciphertext in order to compute the plaintext.
For a given cryptosystem, a collection of all possible decryption keys is called a key
space.
An interceptor (an attacker) is an unauthorized entity who attempts to determine
the plaintext. He can see the Ciphertext and may know the decryption algorithm. He,
however, must never know the decryption key.

3.3.9 Types of Cryptosystems


Fundamentally, there are two types of cryptosystems based on the manner in which
encryption-decryption is carried out in the system:
• Symmetric Key Encryption
• Asymmetric Key Encryption
The main difference between these cryptosystems is the relationship between the
encryption and the decryption key. Logically, in any cryptosystem, both the keys are
closely associated. It is practically impossible to decrypt the Ciphertext with the key that
is unrelated to the encryption key.

Symmetric Key Encryption


The encryption process where the same keys are used for encrypting and
decrypting the information is known as Symmetric Key Encryption.
The study of symmetric cryptosystems is referred to as symmetric cryptography.
Symmetric cryptosystems are also sometimes referred to as secret key cryptosystems.
A few well-known examples of symmetric key encryption methods are Digital
Encryption Standard (DES), Triple DES (3DES), IDEA, and BLOWFISH.

[Figure: symmetric key encryption. Sender and Receiver hold the same shared secret (key),
delivered through a secure distribution method. The Sender encrypts the plaintext, the
ciphertext crosses an insecure communication channel, and the Receiver decrypts it back to
plaintext.]

Prior to 1970, all cryptosystems employed symmetric key encryption. Even today, its
relevance is very high and it is being used extensively in many cryptosystems. It is very
unlikely that this encryption will fade away, as it has certain advantages over asymmetric
key encryption.
The salient features of a cryptosystem based on symmetric key encryption are:
• Persons using symmetric key encryption must share a common key prior to
exchange of information.
• Keys are recommended to be changed regularly to prevent any attack on the
system.
• A robust mechanism needs to exist to exchange the key between the
communicating parties. As keys are required to be changed regularly, this
mechanism becomes expensive and cumbersome.
• In a group of n people, to enable two-party communication between any two
persons, the number of keys required for the group is n × (n – 1)/2.
• Length of Key (number of bits) in this encryption is smaller and hence, the process
of encryption-decryption is faster than asymmetric key encryption.
• Processing power of computer system required to run symmetric algorithm is
less.
Challenges of Symmetric Key Cryptosystem
There are two restrictive challenges of employing symmetric key cryptography.
• Key establishment: Before any communication, both the sender and the
receiver need to agree on a secret symmetric key. It requires a secure key
establishment mechanism in place.
• Trust Issue: Since the sender and the receiver use the same symmetric key,
there is an implicit requirement that the sender and the receiver ‘trust’ each
other. For example, it may happen that the receiver has lost the key to an
attacker and the sender is not informed.
These two challenges are highly restraining for modern day communication. Today,
people need to exchange information with non-familiar and non-trusted parties, for
example, in a communication between an online seller and a customer. These limitations of
symmetric key encryption gave rise to asymmetric key encryption schemes.

Asymmetric Key Encryption


The encryption process where different keys are used for encrypting and
decrypting the information is known as Asymmetric Key Encryption. Though the keys
are different, they are mathematically related and hence, retrieving the plaintext by
decrypting Ciphertext is feasible. The process is depicted in the following illustration:

[Figure: asymmetric key encryption. A repository holds the public keys of Host 1 and
Host 2, and each host keeps its own private key. Host 1 (Sender) obtains the public key of
Host 2 over a reliable distribution channel and encrypts the plaintext; Host 2 (Receiver)
decrypts the ciphertext with its private key.]

Asymmetric Key Encryption was invented in the 20th century to overcome the
necessity of a pre-shared secret key between communicating persons. The salient
features of this encryption scheme are as follows:
• Every user in this system needs to have a pair of dissimilar keys, a private key
and a public key. These keys are mathematically related: when one key is
used for encryption, the other can decrypt the Ciphertext back to the original
plaintext.
• It requires the public key to be placed in a public repository and the private key
to be kept as a well-guarded secret. Hence, this scheme of encryption is also called
Public Key Encryption.
• Though public and private keys of the user are related, it is computationally not
feasible to find one from another. This is a strength of this scheme.
• When Host1 needs to send data to Host2, he obtains the public key of Host2
from the repository, encrypts the data, and transmits.
• Host2 uses his private key to extract the plaintext.
• Length of Keys (number of bits) in this encryption is large and hence, the
process of encryption-decryption is slower than symmetric key encryption.
• Processing power of computer system required to run asymmetric algorithm is
higher.
Symmetric cryptosystems are a natural concept. In contrast, public key cryptosystems
are quite difficult to comprehend.
You may wonder how the encryption key and the decryption key can be ‘related’ while
it is still impossible to determine the decryption key from the encryption key. The answer
lies in the mathematical concepts. It is possible to design a cryptosystem whose keys
have this property. The concept of public key cryptography is relatively new. There are
fewer public key algorithms known than symmetric algorithms.

Challenges of Public Key Cryptosystem
Public key cryptosystems have one significant challenge: the user needs to trust
that the public key that he is using in communications with a person really is the public
key of that person and has not been spoofed by a malicious third party.
This is usually accomplished through a Public Key Infrastructure (PKI) consisting of a
trusted third party. The third party securely manages and attests to the authenticity of
public keys. When the third party is requested to provide the public key for any
communicating person X, they are trusted to provide the correct public key.
The third party satisfies itself about user identity by the process of attestation,
notarization, or some other process, that X is the one and only, or globally unique, X.
The most common method of making the verified public keys available is to embed them
in a certificate which is digitally signed by the trusted third party.

3.3.10 Relation between Encryption Schemes


A summary of basic key properties of two types of cryptosystems is given below:
| | Symmetric Cryptosystems | Public Key Cryptosystems |
|---|---|---|
| Relation between Keys | Same | Different, but mathematically related |
| Encryption Key | Symmetric | Public |
| Decryption Key | Symmetric | Private |

Due to the advantages and disadvantages of both the systems, symmetric key and
public key cryptosystems are often used together in the practical information security
systems.

3.3.11 Kerckhoff’s Principle for Cryptosystem


In the 19th century, a Dutch cryptographer, A. Kerckhoff furnished the requirements
of a good cryptosystem. Kerckhoff stated that a cryptographic system should be secure
even if everything about the system, except the key, is public knowledge. The six design
principles defined by Kerckhoff for cryptosystem are:
• The cryptosystem should be unbreakable practically, if not mathematically.
• Falling of the cryptosystem in the hands of an intruder should not lead to any
compromise of the system, preventing any inconvenience to the user.
• The key should be easily communicable, memorable, and changeable.
• The Ciphertext should be transmissible by telegraph, an unsecure channel.
• The encryption apparatus and documents should be portable and operable by
a single person.
• Finally, it is necessary that the system be easy to use, requiring neither mental
strain nor the knowledge of a long series of rules to observe.
The second rule is currently known as Kerckhoff principle. It is applied in virtually
all the contemporary encryption algorithms such as DES, AES, etc. These public
algorithms are considered to be thoroughly secure. The security of the encrypted
message depends solely on the security of the secret encryption key.
Keeping the algorithms secret may act as a significant barrier to cryptanalysis.
However, keeping the algorithms secret is possible only when they are used in a strictly
limited circle.
In the modern era, cryptography needs to cater to users who are connected to the
Internet. In such cases, using a secret algorithm is not feasible; hence Kerckhoff’s
principles became essential guidelines for designing algorithms in modern cryptography.

In cryptography, the following three assumptions are made about the security
environment and attacker’s capabilities.

3.3.12 Details of the Encryption Scheme


The design of a cryptosystem is based on the following two cryptography algorithms:
• Public Algorithms: With this option, all the details of the algorithm are in the
public domain, known to everyone.
• Proprietary Algorithms: The details of the algorithm are only known by the
system designers and users.
In case of proprietary algorithms, security is ensured through obscurity. Private
algorithms may not be the strongest algorithms as they are developed in-house and may
not be extensively investigated for weakness.
Secondly, they allow communication among closed group only. Hence, they are not
suitable for modern communication where people communicate with large number of
known or unknown entities. Also, according to Kerckhoff’s principle, the algorithm is
preferred to be public with strength of encryption lying in the key.
Thus, the first assumption about security environment is that the encryption
algorithm is known to the attacker.

Availability of Ciphertext
We know that once the plaintext is encrypted into ciphertext, it is put on unsecure
public channel (say e-mail) for transmission. Thus, the attacker can obviously assume
that it has access to the Ciphertext generated by the cryptosystem.

Availability of Plaintext and Ciphertext


This assumption is not as obvious as the others. However, there may be situations where
an attacker can have access to plaintext and corresponding ciphertext. Some such
possible circumstances are:
• The attacker influences the sender to convert plaintext of his choice and
obtains the ciphertext.
• The receiver may divulge the plaintext to the attacker inadvertently. The
attacker has access to the corresponding Ciphertext gathered from the open channel.
• In a public key cryptosystem, the encryption key is in the open domain and is
known to any potential attacker. Using this key, he can generate pairs of
corresponding plaintexts and ciphertexts.

Cryptographic Attacks
The basic intention of an attacker is to break a cryptosystem and to find the plaintext
from the ciphertext. To obtain the plaintext, the attacker only needs to find out the secret
decryption key, as the algorithm is already in public domain.
Hence, he applies maximum effort towards finding out the secret key used in the
cryptosystem. Once the attacker is able to determine the key, the attacked system is
considered as broken or compromised.
Based on the methodology used, attacks on cryptosystems are categorized as
follows:
• Ciphertext Only Attacks (COA): In this method, the attacker has access to a
set of ciphertext(s). He does not have access to corresponding plaintext. COA is
said to be successful when the corresponding plaintext can be determined from
a given set of ciphertext. Occasionally, the encryption key can be determined
from this attack. Modern cryptosystems are guarded against ciphertext-only
attacks.
• Known Plaintext Attack (KPA): In this method, the attacker knows the
plaintext for some parts of the ciphertext. The task is to decrypt the rest of the
Ciphertext using this information. This may be done by determining the key or
via some other method. The best example of this attack is linear cryptanalysis
against block ciphers.
• Chosen Plaintext Attack (CPA): In this method, the attacker has the text of
his choice encrypted. So, he has the ciphertext-plaintext pair of his choice. This
simplifies his task of determining the encryption key. An example of this attack
is differential cryptanalysis applied against block ciphers as well as hash
functions. A popular public key cryptosystem, RSA is also vulnerable to chosen
plaintext attacks.
• Dictionary Attack: This attack has many variants, all of which involve
compiling a ‘dictionary’. In the simplest method of this attack, the attacker builds a
dictionary of ciphertexts and corresponding plaintexts that he has learnt over a
period of time. In future, when the attacker gets the ciphertext, he refers to the
dictionary to find the corresponding plaintext.
• Brute Force Attack (BFA): In this method, the attacker tries to determine the
key by attempting all possible keys. If the key is 8 bits long, then the number of
possible keys is 2^8 = 256. The attacker knows the Ciphertext and the algorithm,
and now he attempts all the 256 keys one by one for decryption. The time to
complete the attack would be very high if the key is long.
• Birthday Attack: This attack is a variant of the brute force technique. It is used
against the cryptographic hash function. When students in a class are asked
about their birthdays, the answer is one of the possible 365 dates. Let us
assume the first student’s birth date is 3rd Aug. Then to find the next student
whose birth date is 3rd Aug, we need to enquire 1.25 × √365 ≈ 25 students.
Similarly, if the hash function produces 64 bit hash values, the possible hash
values are 1.8 × 10^19. By repeatedly evaluating the function for different inputs,
the same output is expected to be obtained after about 5.1 × 10^9 random
inputs.
If the attacker is able to find two different inputs that give the same hash value,
it is a collision and that hash function is said to be broken.
• Man in Middle Attack (MIM): The targets of this attack are mostly public key
cryptosystems where key exchange is involved before communication takes
place.
  - Host A wants to communicate to host B, hence requests public key of B.
  - An attacker intercepts this request and sends his public key instead.
  - Thus, whatever host A sends to host B, the attacker is able to read.
  - In order to maintain communication, the attacker re-encrypts the data
    after reading with his public key and sends to B.
  - The attacker sends his public key as A’s public key so that B takes it as if
    it is taking it from A.
• Side Channel Attack (SCA): This type of attack is not against any particular
type of cryptosystem or algorithm. Instead, it is launched to exploit the
weakness in physical implementation of the cryptosystem.
• Timing Attacks: They exploit the fact that different computations take different
times to compute on a processor. By measuring such timings, it may be possible to
learn about a particular computation the processor is carrying out. For example,
if the encryption takes a longer time, it indicates that the secret key is long.
• Power Analysis Attacks: These attacks are similar to timing attacks except
that the amount of power consumption is used to obtain information about the
nature of the underlying computations.
• Fault Analysis Attacks: In these attacks, errors are induced in the cryptosystem
and the attacker studies the resulting output for useful information.
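The birthday estimate from the list above, checked empirically on a deliberately short hash, as an added example that is not part of the original notes. It assumes SHA-256 truncated to a few bits as a stand-in for a weak hash function; the inputs and function names are constructed.

```python
import hashlib
import math


def truncated_hash(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256, standing in for a short hash function."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def birthday_estimate(outputs: float) -> float:
    """Rule of thumb used in the text: about 1.25 * sqrt(N) tries
    before two inputs share one of N possible outputs."""
    return 1.25 * math.sqrt(outputs)


def find_collision(bits: int):
    """Hash distinct constructed inputs until two of them share a value.

    Returns (first_input, second_input, tries). Because the inputs are all
    different, a collision must appear within 2**bits + 1 tries.
    """
    seen = {}
    i = 0
    while True:
        msg = f"constructed-input-{i}".encode()
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1


def digest_bits_needed(work_bits: int) -> int:
    """Defender's view: collisions cost about 2**(bits/2) evaluations, so a
    digest must be twice as wide as the work factor it has to withstand."""
    return 2 * work_bits


if __name__ == "__main__":
    print(f"365 birthdays -> about {birthday_estimate(365):.1f} students")
    for bits in (16, 20, 24):
        a, b, tries = find_collision(bits)
        print(f"{bits}-bit hash: collision after {tries} tries "
              f"(estimate {birthday_estimate(2 ** bits):.0f}, "
              f"exhaustive bound {2 ** bits})")
    print("digest width for 2**128 work:", digest_bits_needed(128), "bits")
```

The number of tries grows with the square root of the output space, which is why hash output length is chosen at twice the intended security level.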

Practicality of Attacks
The attacks on cryptosystems described here are highly academic, as the majority of
them come from the academic community. In fact, many academic attacks involve quite
unrealistic assumptions about the environment as well as the capabilities of the attacker. For
example, in chosen-Ciphertext attack, the attacker requires an impractical number of
deliberately chosen plaintext-Ciphertext pairs. It may not be practical altogether.
Nonetheless, the fact that any attack exists should be a cause of concern,
particularly if the attack technique has the potential for improvement.

3.3.13 Earlier Cryptographic Systems


Before proceeding further, you need to know some facts about historical
cryptosystems:
• All of these systems are based on symmetric key encryption scheme.
• The only security service these systems provide is confidentiality of
information.
• Unlike modern systems which are digital and treat data as binary numbers, the
earlier systems worked on alphabets as the basic element.
These earlier cryptographic systems are also referred to as Ciphers. In general, a
cipher is simply a set of steps (an algorithm) for performing both an encryption and
the corresponding decryption.

Caesar Cipher
It is a mono-alphabetic cipher wherein each letter of the plaintext is substituted by
another letter to form the ciphertext. It is the simplest form of substitution cipher scheme.
This cryptosystem is generally referred to as the Shift Cipher. The concept is to
replace each letter by another letter which is ‘shifted’ by some fixed number
between 0 and 25.
For this type of scheme, both sender and receiver agree on a ‘secret shift number’
for shifting the alphabet. This number which is between 0 and 25 becomes the key of
encryption.
The name ‘Caesar Cipher’ is occasionally used to describe the Shift Cipher when
the ‘shift of three’ is used.
Process of Shift Cipher
• In order to encrypt a plaintext letter, the sender positions the sliding ruler
underneath the first set of plaintext letters and slides it to LEFT by the number
of positions of the secret shift.
• The plaintext letter is then encrypted to the Ciphertext letter on the sliding ruler
underneath. The result of this process is depicted in the following illustration for
an agreed shift of three positions. In this case, the plaintext ‘tutorial’ is
encrypted to the Ciphertext ‘WXWRULDO’. Here is the Ciphertext alphabet for
a Shift of 3:

Plaintext Alphabet   a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext Alphabet  D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

• On receiving the ciphertext, the receiver who also knows the secret shift,
positions his sliding ruler underneath the Ciphertext alphabet and slides it to
RIGHT by the agreed shift number, 3 in this case.
• He then replaces the Ciphertext letter by the plaintext letter on the sliding ruler
underneath. Hence, the Ciphertext ‘WXWRULDO’ is decrypted to ‘tutorial’. To
decrypt a message encoded with a Shift of 3, generate the plaintext alphabet
using a shift of ‘–3’ as shown below:

Ciphertext Alphabet  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Plaintext Alphabet   x y z a b c d e f g h i j k l m n o p q r s t u v w

Security Value
Caesar Cipher is not a secure cryptosystem because there are only 26 possible
keys to try out. An attacker can carry out an exhaustive key search with even limited
computing resources.

Simple Substitution Cipher


It is an improvement to the Caesar Cipher. Instead of shifting the alphabet by some
number, this scheme uses some permutation of the letters in the alphabet.
For example, A, B, ..., Y, Z and Z, Y, ..., B, A are two obvious permutations of all the
letters in the alphabet. A permutation is nothing but a jumbled-up ordering of the alphabet.
With 26 letters in the alphabet, the possible permutations are 26! (factorial of 26), which
is equal to 4 × 10^26. The sender and the receiver may choose any one of these possible
permutations as a Ciphertext alphabet. This permutation is the secret key of the scheme.
Process of Simple Substitution Cipher
• Write the letters A, B, C, ..., Z in the natural order.
• The sender and the receiver decide on a randomly selected permutation of the
letters of the alphabet.
• Underneath the natural order alphabet, write out the chosen permutation of
the letters of the alphabet. For encryption, the sender replaces each plaintext
letter by substituting the permutation letter that is directly beneath it in the
table. This process is shown in the following illustration. In this example, the
chosen permutation is K, D, G, ..., O. The plaintext ‘point’ is encrypted to
‘MJBXZ’.
Here is a jumbled Ciphertext alphabet, where the order of the Ciphertext letters is a key.

Plaintext Alphabet   a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext Alphabet  K D G F N S L V B W A H E X J M Q C P Z R T Y I U O

• On receiving the ciphertext, the receiver, who also knows the randomly chosen
permutation, replaces each Ciphertext letter on the bottom row with the
corresponding plaintext letter in the top row. The Ciphertext ‘MJBXZ’ is
decrypted to ‘point’.
Security Value
Simple Substitution Cipher is a considerable improvement over the Caesar Cipher.
The possible number of keys is large (26!) and even modern computing systems are
not yet powerful enough to comfortably launch a brute force attack to break the system.
However, the Simple Substitution Cipher has a simple design and is prone to design
flaws; for example, if an obvious permutation is chosen, the cryptosystem can be easily broken.

Mono-alphabetic and Poly-alphabetic Cipher


Mono-alphabetic Cipher is a substitution cipher in which, for a given key, the cipher
letter for each plain letter is fixed throughout the encryption process. For example,
if ‘A’ is encrypted as ‘D’, then for any number of occurrences in that plaintext, ‘A’ will always get
encrypted to ‘D’.
All of the substitution ciphers we have discussed earlier in this chapter are
mono-alphabetic; these ciphers are highly susceptible to cryptanalysis.
Poly-alphabetic Cipher is a substitution cipher in which the cipher letter for a
plain letter may be different at different places during the encryption process. The
next two examples, Playfair and Vigenere Cipher, are poly-alphabetic ciphers.

Playfair Cipher
In this scheme, pairs of letters are encrypted, instead of single letters as in the case
of simple substitution cipher.
In the Playfair cipher, a key table is created first. The key table is a 5 × 5 grid of
letters that acts as the key for encrypting the plaintext. Each of the 25 letters must
be unique and one letter of the alphabet (usually J) is omitted from the table as we need
only 25 letters instead of 26. If the plaintext contains J, then it is replaced by I.
The sender and the receiver decide on a particular key, say ‘tutorials’. In a key table,
the first characters (going left to right) in the table are the letters of the phrase, excluding
the duplicate letters. The rest of the table is filled with the remaining letters of the alphabet, in
natural order. The key table works out to be:

T U O R I
A L S B C
D E F G H
K M N P Q
V W X Y Z

Process of Playfair Cipher


• First, a plaintext message is split into pairs of two letters (digraphs). If there is
an odd number of letters, a Z is added after the last letter. Let us say we want to
encrypt the message “hide money”. It will be written as:
HI DE MO NE YZ
• The rules of encryption are:
  ◦ If both the letters are in the same column, take the letter below each one
  (going back to the top if at the bottom). ‘H’ and ‘I’ are in the same column, hence
  take the letter below each of them to replace it. HI → QC.
  ◦ If both letters are in the same row, take the letter to the right of each one (going
  back to the left if at the farthest right). ‘D’ and ‘E’ are in the same row, hence take
  the letter to the right of each of them to replace it. DE → EF.
  ◦ If neither of the preceding two rules is true, form a rectangle with the two
  letters and take the letters on the horizontal opposite corner of the rectangle.
  ‘M’ and ‘O’ are neither in the same column nor in the same row, hence form a
  rectangle and replace each letter by picking up the opposite corner letter on
  the same row. MO → NU.

Using these rules, the result of the encryption of ‘hide money’ with the key of
‘tutorials’ would be:
QC EF NU MF ZV
Decrypting the Playfair cipher is as simple as doing the same process in reverse.
The receiver has the same key and can create the same key table, and then decrypt any
messages made using that key.
Security Value
It is also a substitution cipher and is more difficult to break than the simple
substitution cipher. As in the case of the substitution cipher, cryptanalysis is possible on the
Playfair cipher as well; however, it would be against 625 possible pairs of letters (25 × 25
letters) instead of 26 different possible letters.
The Playfair cipher was used mainly to protect important, yet non-critical secrets, as
it is quick to use and requires no special equipment.

Vigenere Cipher
This scheme of cipher uses a text string (say, a word) as a key, which is then used
for doing a number of shifts on the plaintext.
For example, let’s assume the key is ‘point’. Each letter of the key is converted to
its respective numeric value. In this case,
p → 16, o → 15, i → 9, n → 14, and t → 20.
Thus, the key is: 16 15 9 14 20.
Process of Vigenere Cipher
• The sender and the receiver decide on a key. Say ‘point’ is the key. Numeric
representation of this key is ‘16 15 9 14 20’.
• The sender wants to encrypt the message, say ‘attack from south east’. He will
arrange plaintext and numeric key as follows:

a  t  t  a  c  k  f  r  o  m  s  o  u  t  h  e  a  s  t
16 15 9  14 20 16 15 9  14 20 16 15 9  14 20 16 15 9  14

• He now shifts each plaintext letter by the number written below it to create
Ciphertext as shown below:

a  t  t  a  c  k  f  r  o  m  s  o  u  t  h  e  a  s  t
16 15 9  14 20 16 15 9  14 20 16 15 9  14 20 16 15 9  14
Q  I  C  O  W  A  U  A  C  G  I  D  D  H  B  U  P  B  H

• Here, each plaintext character has been shifted by a different amount – and
that amount is determined by the key. The key must be less than or equal to
the size of the message.
• For decryption, the receiver uses the same key and shifts received Ciphertext
in reverse order to obtain the plaintext.

Q  I  C  O  W  A  U  A  C  G  I  D  D  H  B  U  P  B  H
16 15 9  14 20 16 15 9  14 20 16 15 9  14 20 16 15 9  14
a  t  t  a  c  k  f  r  o  m  s  o  u  t  h  e  a  s  t

Security Value
Vigenere Cipher was designed by tweaking the standard Caesar cipher to reduce
the effectiveness of cryptanalysis on the Ciphertext and make a cryptosystem more
robust. It is significantly more secure than a regular Caesar Cipher.
Historically, it was regularly used for protecting sensitive political and military
information. It was referred to as the unbreakable cipher due to the difficulty it posed to
cryptanalysis.
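
The Shift Cipher and the Vigenere Cipher described above are the same letter-shifting operation with one shift or with a repeating list of shifts, which the following Python sketch makes explicit (an added example, not part of the original notes; the function names are illustrative). It reproduces both worked examples, lists all 26 candidate plaintexts of a Shift Cipher message, and shows that the letter ‘a’ maps to one ciphertext letter under a shift but to several under the key ‘point’.

```python
import string

ALPHABET = string.ascii_lowercase


def shift_letters(text, shifts):
    """Shift the i-th letter of text by shifts[i % len(shifts)].
    Spaces and other non-letters are dropped, as in the notes' tables."""
    letters = [ch for ch in text.lower() if ch in ALPHABET]
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + shifts[i % len(shifts)]) % 26]
        for i, ch in enumerate(letters)
    )


def shift_encrypt(plaintext, shift):
    return shift_letters(plaintext, [shift]).upper()


def shift_decrypt(ciphertext, shift):
    return shift_letters(ciphertext, [-shift])


def key_shifts(key):
    """Numbering used in the notes: a -> 1, b -> 2, ..., z -> 26."""
    return [ALPHABET.index(ch) + 1 for ch in key.lower()]


def vigenere_encrypt(plaintext, key):
    return shift_letters(plaintext, key_shifts(key)).upper()


def vigenere_decrypt(ciphertext, key):
    return shift_letters(ciphertext, [-s for s in key_shifts(key)])


def exhaustive_shift_search(ciphertext):
    """Every candidate plaintext of a Shift Cipher message, indexed by key."""
    return {k: shift_decrypt(ciphertext, k) for k in range(26)}


def images_of(letter, plaintext, ciphertext):
    """Set of ciphertext letters that one plaintext letter was mapped to."""
    letters = [ch for ch in plaintext.lower() if ch in ALPHABET]
    return {c for p, c in zip(letters, ciphertext) if p == letter}


if __name__ == "__main__":
    print(shift_encrypt("tutorial", 3))
    for k, candidate in exhaustive_shift_search("WXWRULDO").items():
        print(k, candidate)          # one of the 26 lines is readable
    message = "attack from south east"
    ciphertext = vigenere_encrypt(message, "point")
    print(ciphertext, vigenere_decrypt(ciphertext, "point"))
    print(images_of("a", message, shift_encrypt(message, 3)))   # one letter
    print(images_of("a", message, ciphertext))                  # several letters
```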
Variants of Vigenere Cipher
There are two special cases of Vigenere cipher:
• The keyword length is the same as the plaintext message. This case is called Vernam
Cipher. It is more secure than typical Vigenere cipher.
• Vigenere cipher becomes a cryptosystem with perfect secrecy, which is called
One-time Pad.
One-time Pad
The circumstances are:
• The length of the keyword is the same as the length of the plaintext.
• The keyword is a randomly generated string of letters.
• The keyword is used only once.
Security Value
Let us compare Shift cipher with one-time pad.
Shift Cipher – Easy to Break
In case of Shift cipher, the entire message could have had a shift between 1 and 25.
This is a very small size, and very easy to brute force. However, with each character now
having its own individual shift between 1 and 26, the possible keys grow exponentially for
the message.
One-time Pad – Impossible to Break
Let us say, we encrypt the name “point” with a one-time pad. It is a 5-letter text. To
break the Ciphertext by brute force, you need to try all possibilities of keys and conduct
computation for (26 × 26 × 26 × 26 × 26) = 26^5 = 11881376 times. That’s for a message
with 5 letters. Thus, for a longer message, the computation grows exponentially with
every additional letter. This makes it computationally impossible to break the
Ciphertext by brute force.

Transposition Cipher
It is another type of cipher where the order of the letters in the plaintext is
rearranged to create the ciphertext. The actual plaintext letters are not replaced.
An example is a ‘simple columnar transposition’ cipher where the plaintext is written
horizontally with a certain width in letters. Then the Ciphertext is read vertically as shown.
For example, the plaintext is “golden statue is in eleventh cave” and the secret
random key chosen is “five”. We arrange this text horizontally in a table with the number of
columns equal to the key value. The resulting text is shown below.
g o l d e
n s t a t
u e i s i
n e l e v
e n t h c
a v e
The Ciphertext is obtained by reading each column vertically downward, from the first to the last
column. The Ciphertext is ‘gnuneaoseenvltiltedasehetivc’.
To decrypt, the receiver prepares a similar table. The number of columns is equal to
the key number. The number of rows is obtained by dividing the total number of Ciphertext
letters by the key value and rounding the quotient up to the next integer value.
The receiver then writes the received Ciphertext vertically down and from the left to the right
column. To obtain the text, he reads horizontally left to right and from the top to the bottom row.
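
The columnar transposition above in Python (an added example, not part of the original notes; function names are illustrative). The 28-letter message does not fill the last row of a 5-column table, so the last two columns are one letter shorter; the decryption function accounts for this, and `naive_decrypt` shows what happens when every column is filled to the full row count.

```python
import math


def letters_only(text):
    return [ch for ch in text.lower() if ch.isalpha()]


def transposition_encrypt(plaintext, columns):
    """Write the letters row by row, then read the columns top to bottom."""
    letters = letters_only(plaintext)
    # Column c holds letters c, c + columns, c + 2 * columns, ...
    return "".join("".join(letters[c::columns]) for c in range(columns))


def transposition_decrypt(ciphertext, columns):
    """Rebuild the table column by column, then read it row by row."""
    n = len(ciphertext)
    rows = math.ceil(n / columns)
    # Only the first (n mod columns) columns reach the last row,
    # unless the text fills the table exactly.
    full_columns = n % columns or columns
    grid = [[None] * columns for _ in range(rows)]
    pos = 0
    for c in range(columns):
        height = rows if c < full_columns else rows - 1
        for r in range(height):
            grid[r][c] = ciphertext[pos]
            pos += 1
    return "".join(ch for row in grid for ch in row if ch is not None)


def naive_decrypt(ciphertext, columns):
    """Fills every column to the full row count, ignoring the short last row.
    Correct only when the message length is a multiple of the column count."""
    rows = math.ceil(len(ciphertext) / columns)
    cols = [ciphertext[c * rows:(c + 1) * rows] for c in range(columns)]
    return "".join(col[r] for r in range(rows) for col in cols if r < len(col))


if __name__ == "__main__":
    message = "golden statue is in eleventh cave"
    ciphertext = transposition_encrypt(message, 5)
    print(ciphertext)
    print(transposition_decrypt(ciphertext, 5))
    print(naive_decrypt(ciphertext, 5))     # garbled: column boundaries are wrong
```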
Digital data is represented in strings of binary digits (bits) unlike letters. Modern
cryptosystems need to process these binary strings to convert them into other binary strings.
Based on how these binary strings are processed, symmetric encryption schemes can
be classified into:
Block Ciphers
In this scheme, the plain binary text is processed in blocks (groups) of bits at a time;
i.e., a block of plaintext bits is selected, a series of operations is performed on this block
to generate a block of Ciphertext bits. The number of bits in a block is fixed. For example,
the schemes DES and AES have block sizes of 64 and 128, respectively.
Stream Ciphers
In this scheme, the plaintext is processed one bit at a time, i.e., one bit of plaintext is
taken, and a series of operations is performed on it to generate one bit of ciphertext.
Technically, stream ciphers are block ciphers with a block size of one bit.

[Figure: Block cipher (plaintext blocks 1 to n pass through a keyed encryption function to give ciphertext blocks 1 to n) and stream cipher (a key generator driven by the key produces a bit stream that a bit function combines with the plaintext bits to give the ciphertext)]

Encryption Process
The encryption process uses the Feistel structure, consisting of multiple rounds of
processing of the plaintext, each round consisting of a “substitution” step followed by a
permutation step.
Feistel Structure is shown in the following illustration:

[Figure: Feistel structure. The plaintext block is divided into two halves, L and R; Round 1 to Round n each apply F(K, R) with round keys K1 to Kn; the output is the ciphertext block.]

• The input block to each round is divided into two halves that can be denoted as
L and R for the left half and the right half.
• In each round, the right half of the block, R, goes through unchanged. But the
left half, L, goes through an operation that depends on R and the encryption
key. First, we apply an encrypting function ‘f’ that takes two inputs – the key K
and R. The function produces the output f(R,K). Then, we XOR the output of
the mathematical function with L.
• In a real implementation of the Feistel Cipher, such as DES, instead of using the
whole encryption key during each round, a round-dependent key (a subkey) is
derived from the encryption key. This means that each round uses a different
key, although all these subkeys are related to the original key.
• The permutation step at the end of each round swaps the modified L and
unmodified R. Therefore, the L for the next round would be R of the current
round. And R for the next round would be the output L of the current round.
• The above substitution and permutation steps form a ‘round’. The number of
rounds is specified by the algorithm design.
• Once the last round is completed, the two subblocks, ‘R’ and ‘L’, are
concatenated in this order to form the Ciphertext block.
The difficult part of designing a Feistel Cipher is the selection of the round function ‘f’. In
order to be an unbreakable scheme, this function needs to have several important
properties that are beyond the scope of our discussion.
Decryption Process
The process of decryption in Feistel cipher is almost similar. Instead of starting with
a block of plaintext, the Ciphertext block is fed into the start of the Feistel structure and
then the process thereafter is exactly the same as described in the given illustration.
The process is said to be almost similar and not exactly the same. In the case of
decryption, the only difference is that the subkeys used in encryption are used in the
reverse order.
The final swapping of ‘L’ and ‘R’ in the last step of the Feistel Cipher is essential. If these
are not swapped, then the resulting Ciphertext could not be decrypted using the same
algorithm.
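
A toy Feistel network in Python that follows the round, swap and final-concatenation steps described above (an added example, not part of the original notes). The round function and the key schedule are stand-ins built from SHA-256 and are assumptions made for illustration; they are not those of DES or any other real cipher.

```python
import hashlib

HALF_BYTES = 4   # toy parameters: 64-bit block, two 32-bit halves


def round_function(right, subkey):
    """Toy F(K, R): truncated SHA-256 of subkey || R (illustrative stand-in)."""
    return hashlib.sha256(subkey + right).digest()[:HALF_BYTES]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def derive_subkeys(key, rounds):
    """Toy key schedule: one subkey per round, all derived from the same key."""
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(rounds)]


def feistel(block, subkeys, final_swap=True):
    """Run one block through the structure with the subkeys in the given order.

    Encryption passes the subkeys in order; decryption passes the same
    subkeys reversed. Nothing else changes between the two directions.
    """
    if len(block) != 2 * HALF_BYTES:
        raise ValueError("block must be exactly 8 bytes")
    left, right = block[:HALF_BYTES], block[HALF_BYTES:]
    for subkey in subkeys:
        # Substitution: L is XORed with F(K, R); R passes through unchanged.
        # Permutation: the halves are swapped for the next round.
        left, right = right, xor(left, round_function(right, subkey))
    # After the last round the halves are output in the order R, L.
    return right + left if final_swap else left + right


if __name__ == "__main__":
    subkeys = derive_subkeys(b"constructed key", 8)
    plaintext = b"8bytemsg"                      # constructed sample block
    ciphertext = feistel(plaintext, subkeys)
    print(ciphertext.hex())
    print(feistel(ciphertext, subkeys[::-1]))    # reversed subkeys: plaintext
    print(feistel(ciphertext, subkeys))          # same order: not the plaintext
    unswapped = feistel(plaintext, subkeys, final_swap=False)
    print(feistel(unswapped, subkeys[::-1], final_swap=False))   # not the plaintext
```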
Number of Rounds
The number of rounds used in a Feistel Cipher depends on the desired security of the
system. More rounds provide a more secure system. But at the same time, more
rounds mean slower, less efficient encryption and decryption processes. The number of rounds
in a system thus depends upon the efficiency-security trade-off.
The Data Encryption Standard (DES) is a symmetric key block cipher published by
the National Institute of Standards and Technology (NIST).
DES is an implementation of a Feistel Cipher. It uses a 16-round Feistel structure. The
block size is 64-bit. Though the key length is 64-bit, DES has an effective key length of
56 bits, since 8 of the 64 bits of the key are not used by the encryption algorithm (they function
as check bits only). The general structure of DES is depicted in the following illustration:

[Figure: General structure of DES. The 64-bit plaintext passes through the initial permutation, Round 1 to Round 16 and the final permutation to give the 64-bit ciphertext; the round-key generator derives the 48-bit round keys K1 to K16 from the 56-bit cipher key.]

Since DES is based on the Feistel Cipher, all that is required to specify DES is:
• Round function
• Key schedule
• Any additional processing – Initial and final permutation
Initial and Final Permutation
The initial and final permutations are straight Permutation boxes (P-boxes) that are
inverses of each other. They have no cryptographic significance in DES. The initial and
final permutations are shown as follows:

[Figure: Initial permutation and final permutation of bit positions 1 to 64, applied before and after the 16 rounds]

Round Function
The heart of this cipher is the DES function, f. The DES function applies a 48-bit key
to the rightmost 32 bits to produce a 32-bit output.

[Figure: DES function f(R(I–1), K(I)). 32-bit input → Expansion P-box → 48 bits → XOR with K(I) (48 bits) → 48 bits → S-Boxes → 32 bits → Straight P-box → 32-bit output]

• Expansion Permutation Box: Since the right input is 32-bit and the round key is
48-bit, we first need to expand the right input to 48 bits. The permutation logic is
graphically depicted in the following illustration:

[Figure: Expansion permutation of the 32-bit input, with wrap-around inputs from bit 32 and from bit 1]

• The graphically depicted permutation logic is generally described as a table in the
DES specification, as shown:

32 01 02 03 04 05
04 05 06 07 08 09
08 09 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 01
• XOR (Whitener): After the expansion permutation, DES does an XOR operation
on the expanded right section and the round key. The round key is used only in
this operation.
• Substitution Boxes: The S-boxes carry out the real mixing (confusion). DES
uses 8 S-boxes, each with a 6-bit input and a 4-bit output. Refer to the following
illustration:

[Figure: Array of eight S-boxes taking the 48-bit input and producing the 32-bit output]

• The S-box rule is illustrated below:

[Figure: One S-box with input bits 1 to 6 and output bits 1 to 4]

• There are a total of eight S-box tables. The output of all eight S-boxes is then
combined into a 32-bit section.
• Straight Permutation: The 32-bit output of the S-boxes is then subjected to the
straight permutation with the rule shown in the following illustration:

16 07 20 21 29 12 28 17
01 15 23 26 05 18 31 10
02 08 24 14 32 27 03 09
19 13 30 06 22 11 04 25

Key Generation
The round key generator creates sixteen 48-bit keys out of a 56-bit cipher key. The
process of key generation is depicted in the following illustration:

[Figure: Round-key generation. The 64-bit key with parity bits passes through the parity drop to give the 56-bit cipher key, which is split into two 28-bit halves. In each round both halves are shifted left (one bit in rounds 1, 2, 9 and 16; two bits in the other rounds) and passed through the compression P-box to give the 48-bit round key, for Round Key 1 to Round Key 16.]

The logic for Parity Drop, Shifting and Compression P-box is given in the DES
description.

DES Analysis
The DES satisfies both the desired properties of a block cipher. These two properties
make the cipher very strong.
• Avalanche effect: A small change in plaintext results in a very great change
in the ciphertext.
• Completeness: Each bit of Ciphertext depends on many bits of plaintext.
During the last few years, cryptanalysis has found some weaknesses in DES when
the keys selected are weak keys. These keys should be avoided.
DES has proved to be a very well designed block cipher. There have been no
significant cryptanalytic attacks on DES other than exhaustive key search.
The speed of exhaustive key searches against DES after 1990 began to cause
discomfort amongst users of DES. However, users did not want to replace DES as it
takes an enormous amount of time and money to change encryption algorithms that are
widely adopted and embedded in large security architectures.
The pragmatic approach was not to abandon the DES completely, but to change the
manner in which DES is used. This led to the modified schemes of Triple DES
(sometimes known as 3DES).
Incidentally, there are two variants of Triple DES known as 3-key Triple DES
(3TDES) and 2-key Triple DES (2TDES).
3-key Triple DES
Before using 3TDES, the user first generates and distributes a 3TDES key k, which
consists of three different DES keys k1, k2 and k3. This means that the actual 3TDES key
has length 3 × 56 = 168 bits. The encryption scheme is illustrated as follows:

[Figure: Triple DES. Encryption: 64-bit plaintext P → DES cipher → DES reverse cipher → DES cipher → 64-bit ciphertext C. Decryption: 64-bit ciphertext C → DES reverse cipher → DES cipher → DES reverse cipher → 64-bit plaintext P.]

The encryption-decryption process is as follows:
• Encrypt the plaintext blocks using single DES with key k1.
• Now, decrypt the output of step 1 using single DES with key k2.
• Finally, encrypt the output of step 2 using single DES with key k3.
• The output of step 3 is the ciphertext.
• Decryption of a Ciphertext is a reverse process. The user first decrypts using k3,
then encrypts with k2, and finally decrypts with k1.
Due to this design of Triple DES as an encrypt-decrypt-encrypt process, it is
possible to use a 3TDES (hardware) implementation for single DES by setting k1, k2, and
k3 to be the same value. This provides backwards compatibility with DES.
The second variant of Triple DES (2TDES) is identical to 3TDES except that k3 is
replaced by k1. In other words, the user encrypts plaintext blocks with key k1, then decrypts with
key k2, and finally encrypts with k1 again. Therefore, 2TDES has a key length of 112 bits.
Triple DES systems are significantly more secure than single DES, but these are
clearly a much slower process than encryption using single DES.
The more popular and widely adopted symmetric encryption algorithm likely to be
encountered nowadays is the Advanced Encryption Standard (AES). It is found to be at least
six times faster than Triple DES.
A replacement for DES was needed as its key size was too small. With increasing
computing power, it was considered vulnerable against exhaustive key search attack.
Triple DES was designed to overcome this drawback but it was found to be slow.
The features of AES are as follows:
• Symmetric key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• Stronger and faster than Triple DES
• Provide full specification and design details
• Software implementable in C and Java

Digital Signature
Digital signatures are the public key primitives of message authentication. In the
physical world, it is common to use handwritten signatures on handwritten or typed
messages. They are used to bind signatory to the message.
Similarly, a digital signature is a technique that binds a person/entity to the digital
data. This binding can be independently verified by receiver as well as any third party.
Digital signature is a cryptographic value that is calculated from the data and a
secret key known only by the signer.
In the real world, the receiver of a message needs assurance that the message belongs
to the sender, and the sender should not be able to repudiate the origination of that message. This
requirement is very crucial in business applications, since the likelihood of a dispute over
exchanged data is very high.
Model of Digital Signature
As mentioned earlier, the digital signature scheme is based on public key
cryptography. The model of digital signature scheme is depicted in the following
illustration:

[Figure: Model of digital signature. Signer: data → hashing function → hash → signature algorithm (with the signer’s private key) → signature, sent together with the data. Verifier: data → hashing function → hash; signature → verification algorithm (with the signer’s public key) → hash; the two values are compared (Equal?).]

The following points explain the entire process in detail:
• Each person adopting this scheme has a public-private key pair.
• Generally, the key pairs used for encryption/decryption and signing/verifying
are different. The private key used for signing is referred to as the signature
key and the public key as the verification key.
• Signer feeds data to the hash function and generates hash of data.
• Hash value and signature key are then fed to the signature algorithm which
produces the digital signature on given hash. Signature is appended to the
data and then both are sent to the verifier.
• Verifier feeds the digital signature and the verification key into the verification
algorithm. The verification algorithm gives some value as output.
• Verifier also runs same hash function on received data to generate hash value.
• For verification, this hash value and output of verification algorithm are
compared. Based on the comparison result, verifier decides whether the digital
signature is valid.
• Since digital signature is created by ‘private’ key of signer and no one else can
have this key; the signer cannot repudiate signing the data in future.
It should be noticed that instead of signing data directly by signing algorithm, usually
a hash of data is created. Since the hash of data is a unique representation of data, it is
sufficient to sign the hash in place of data. The most important reason of using hash
instead of data directly for signing is efficiency of the scheme.
Let us assume RSA is used as the signing algorithm. As discussed in public key
encryption chapter, the encryption/signing process using RSA involves modular
exponentiation.
Signing large data through modular exponentiation is computationally expensive
and time-consuming. The hash of the data is a relatively small digest of the data, hence
signing a hash is more efficient than signing the entire data.
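
The signer and verifier steps listed above, with RSA as the signing algorithm, in Python (an added example, not part of the original notes). The key pair is a constructed toy built from two small known primes, the signature is unpadded, and the SHA-256 digest is reduced modulo n so that it fits the toy modulus; all three are assumptions made only to keep the sketch self-contained.

```python
import hashlib

# Constructed toy key pair (assumption for illustration): two Mersenne primes.
# A modulus this small offers no security; it only keeps the arithmetic visible.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q                                # public modulus
E = 65537                                # verification (public) exponent
D = pow(E, -1, (P - 1) * (Q - 1))        # signature (private) exponent


def digest_as_int(data):
    """Hash the data and map the digest into the range of the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data, d=D, n=N):
    """Signer: hash the data, then apply modular exponentiation with the
    signature key to the hash (not to the data itself)."""
    return pow(digest_as_int(data), d, n)


def verify(data, signature, e=E, n=N):
    """Verifier: run the verification algorithm on the signature and compare
    its output with a freshly computed hash of the received data."""
    return pow(signature, e, n) == digest_as_int(data)


if __name__ == "__main__":
    message = b"transfer 100 to account 42"            # constructed sample data
    signature = sign(message)
    print(verify(message, signature))                         # True
    print(verify(b"transfer 900 to account 42", signature))   # False: data modified
    large = b"x" * 1_000_000
    # One exponentiation on a short digest, whatever the size of the data.
    print(sign(large) < N, verify(large, sign(large)))
```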
Importance of Digital Signature
Out of all cryptographic primitives, the digital signature using public key cryptography is
considered as very important and useful tool to achieve information security.
Apart from ability to provide non-repudiation of message, the digital signature also
provides message authentication and data integrity. Let us briefly see how this is
achieved by the digital signature:

• Message authentication: When the verifier validates the digital signature
using the public key of a sender, he is assured that the signature has been created
only by the sender who possesses the corresponding secret private key and no one
else.
• Data integrity: In case an attacker has access to the data and modifies it, the
digital signature verification at the receiver end fails. The hash of modified data
and the output provided by the verification algorithm will not match. Hence,
receiver can safely deny the message assuming that data integrity has been
breached.
• Non-repudiation: Since it is assumed that only the signer has the knowledge
of the signature key, he can only create unique signature on a given data. Thus,
the receiver can present data and the digital signature to a third party as
evidence if any dispute arises in the future.
By adding public key encryption to digital signature scheme, we can create a
cryptosystem that can provide the four essential elements of security, namely Privacy,
Authentication, Integrity, and Non-repudiation.
Encryption with Digital Signature
In many digital communications, it is desirable to exchange encrypted messages
rather than plaintext to achieve confidentiality. In public key encryption scheme, a public
(encryption) key of sender is available in open domain, and hence anyone can spoof his
identity and send any encrypted message to the receiver.
This makes it essential for users employing PKC for encryption to seek digital
signatures along with encrypted data to be assured of message authentication and
non-repudiation.
This can be achieved by combining digital signatures with an encryption scheme. Let us
briefly discuss how to achieve this requirement. There are two possibilities,
sign-then-encrypt and encrypt-then-sign.
However, the cryptosystem based on sign-then-encrypt can be exploited by the receiver
to spoof the identity of the sender and send that data to a third party. Hence, this method is not
preferred. The process of encrypt-then-sign is more reliable and widely adopted. This is
depicted in the following illustration:

[Figure: Sender’s side. The data is encrypted using the receiver’s public key to give the encrypted data; the encrypted data is passed through the hashing function and the hash is signed with the sender’s private key; the encrypted data and the digital signature are sent together.]

The receiver, after receiving the encrypted data and the signature on it, first verifies the
signature using the sender’s public key. After ensuring the validity of the signature, he then
retrieves the data through decryption using his private key.

Cryptography – Benefits
Cryptography is an essential information security tool. It provides the four most
basic services of information security:
• Confidentiality: Encryption technique can guard the information and
communication from unauthorized revelation and access of information.
• Authentication: The cryptographic techniques such as MAC and digital
signatures can protect information against spoofing and forgeries.
• Data integrity: The cryptographic hash functions play a vital role in
assuring the users about the data integrity.
• Non-repudiation: The digital signature provides the non-repudiation service to
guard against the dispute that may arise due to denial of passing message by
the sender.
All these fundamental services offered by cryptography have enabled the conduct of
business over the networks using the computer systems in an extremely efficient and
effective manner.

Cryptography – Drawbacks
Apart from the four fundamental elements of information security, there are other
issues that affect the effective use of information:
• A strongly encrypted, authentic, and digitally signed information can be
difficult to access even for a legitimate user at a crucial time of
decision-making. The network or the computer system can be attacked and
rendered non-functional by an intruder.
• High availability, one of the fundamental aspects of information security,
cannot be ensured through the use of cryptography. Other methods are
needed to guard against the threats such as denial-of-service or complete
breakdown of information system.
• Another fundamental need of information security of selective access control
also cannot be realized through the use of cryptography. Administrative
controls and procedures are required to be exercised for the same.
• Cryptography does not guard against the vulnerabilities and threats that
emerge from the poor design of systems, protocols, and procedures. These
need to be fixed through proper design and setting up of a defensive
infrastructure.
• Cryptography comes at cost. The cost is in terms of time and money:
  ◦ Addition of cryptographic techniques in the information processing leads
  to delay.
  ◦ The use of public key cryptography requires setting up and maintenance
  of public key infrastructure requiring the handsome financial budget.
• The security of cryptographic technique is based on the computational difficulty
of mathematical problems. Any breakthrough in solving such mathematical
problems or increasing the computing power can render a cryptographic
technique vulnerable.

Future of Cryptography
Elliptic Curve Cryptography (ECC) has already been invented but its advantages
and disadvantages are not yet fully understood. ECC allows encryption and
decryption to be performed in drastically less time, thus allowing a higher amount of data to be passed
with equal security. However, like other methods of encryption, ECC must also be tested
and proven secure before it is accepted for governmental, commercial, and private use.
Quantum computation is the new phenomenon. While modern computers store
data using a binary format called a “bit” in which a “1” or a “0” can be stored; a quantum
computer stores data using a quantum superposition of multiple states. These multiple
valued states are stored in “quantum bits” or “qubits”. This allows the computation of
numbers to be several orders of magnitude faster than traditional transistor processors.
To comprehend the power of quantum computer, consider RSA-640, a number with
193-digits, which can be factored by eighty 2.2GHz computers over the span of 5 months,
one quantum computer would factor in less than 17 seconds. Numbers that would
typically take billions of years to compute could only take a matter of hours or even
minutes with a fully developed quantum computer.
In view of these facts, modern cryptography will have to look for computationally
harder problems or devise completely new techniques of archiving the goals presently
served by modern cryptography.

Cracking Encryption Algorithms


Need for Secure Encryption Algorithms
Good cryptographic systems should always be designed so that they are as difficult
to break as possible. Governments have always had concerns with strong encryption,
fearing that it could be used against their countries by criminals. Sophisticated
technology is used by law enforcement agencies to decipher encrypted information that
might contain incriminating evidence. In theory, one can break any encryption algorithm
by exhausting every key in a sequence. This brute force method requires vast amounts
of computing power as the length of the key increases. For example, a 32-bit key takes
2^32 (4,294,967,296) steps. A system with 40-bit keys (e.g., the US-exportable version
of RC4) takes 2^40 steps – this kind of computing power is available in most universities
and even small companies.
Encryption Key Lengths and Hacking Feasibility

| Type of Attacker | Budget | Tool | Time and Cost/Key (40-bit) | Time and Cost/Key (56-bit) |
|---|---|---|---|---|
| Regular User | Minimal | Scavenged computer time | 1 week | Not feasible |
| | $400 | FPGA | 5 hours ($0.08) | 38 years ($5,000) |
| Small Business | $10,000 | FPGA | 12 min. ($0.08) | 556 days ($5,000) |
| Corporate Department | $300,000 | FPGA | 24 sec. ($0.08) | 19 days ($5,000) |
| | | ASIC | 0.18 sec. ($0.001) | 3 hours ($38) |
| Large Corporation | $10M | ASIC | 0.005 sec. ($0.001) | 6 min. ($38) |
| Intelligence Agency | $300M | ASIC | 0.0002 sec. ($0.001) | 12 sec. ($38) |


As key lengths increase, the number of combinations that must be tried for a brute
force attack increases exponentially. For example, a 128-bit key would have 2^128
(3.402823669209e+38) total possible combinations. To theoretically crack
the 128-bit IDEA key using brute force, one would have to:
• develop a CPU that can test 1 billion IDEA keys per second
• build a parallel machine that consists of one million of these processors
• mass produce them to an extent that everyone can own one hundred of these
machines
• network them all together and start working through the 128-bit key space
Assuming ideal performance and no downtime, one should be able to exhaustively
search the key space in over 20,000 years. A common concern amongst many is
deciding what key length is secure. There is a metronome for technological progress
called Moore’s Law, which states that “the number of components that can be packed on
a computer chip doubles every 18 months while the price stays the same”. Essentially,
this means that computing power per dollar doubles every eighteen months. Using a
derivative of this law, one can also say that if a key length of x is considered
safe today, in 18 months the key length would have to be x + 1 to keep up
with the computing power, because each added bit doubles the number of keys to try.
Recent studies performed by independent scientists have shown that key lengths
should be no less than 90 bits long to ensure complete security for the next 20 years.
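The key-length reasoning above, worked through as an added example that is not part of the original course text: it runs a real exhaustive search over a small key space, then applies the same doubling to the table's 40-bit and 56-bit columns, the 128-bit IDEA scenario and the "x + 1 bits every 18 months" rule. The toy cipher, the function names and the figure of 5 billion machine owners are assumptions made for the illustration.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def toy_encrypt(key: int, key_bits: int, data: bytes) -> bytes:
    """Constructed toy cipher: XOR with a SHA-256-derived keystream (max 32 bytes).

    It stands in for a real cipher only so the search loop has something to test.
    """
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    stream = hashlib.sha256(b"toy-cipher" + key_bytes).digest()
    return bytes(d ^ s for d, s in zip(data, stream))


def exhaustive_search(ciphertext: bytes, known_plaintext: bytes, key_bits: int):
    """Try every key in sequence; return (key, trials), or (None, trials) if absent."""
    trials = 0
    for candidate in range(2 ** key_bits):
        trials += 1
        if toy_encrypt(candidate, key_bits, known_plaintext) == ciphertext:
            return candidate, trials
    return None, trials


def years_to_search(key_bits: int, keys_per_second: float) -> float:
    """Time to walk the whole key space at a given trial rate."""
    return (2 ** key_bits) / keys_per_second / SECONDS_PER_YEAR


def scale_time(seconds: float, from_bits: int, to_bits: int) -> float:
    """Same hardware, longer key: the time grows by 2^(to_bits - from_bits)."""
    return seconds * 2 ** (to_bits - from_bits)


def bits_needed(bits_safe_today: int, years_ahead: float, months_per_bit: int = 18) -> int:
    """The text's rule of thumb: one extra key bit for every 18 months."""
    return bits_safe_today + math.ceil(years_ahead * 12 / months_per_bit)


def idea_scenario_rate(owners: float = 5e9) -> float:
    """Keys per second for the 128-bit scenario in the text.

    1 billion keys/s per CPU, one million CPUs per machine, one hundred
    machines per owner. The number of owners is an assumption: the text
    only says "everyone".
    """
    return 1e9 * 1_000_000 * 100 * owners


if __name__ == "__main__":
    plaintext = b"known plaintext!"  # constructed sample block
    for bits in (12, 14, 16):
        worst_key = 2 ** bits - 1    # the last key the search will reach
        ct = toy_encrypt(worst_key, bits, plaintext)
        key, trials = exhaustive_search(ct, plaintext, bits)
        print(f"{bits}-bit key: recovered {key} after {trials} trials")

    days = scale_time(12 * 60, 40, 56) / 86400
    print(f"12 min for 40 bits becomes {days:.0f} days for 56 bits")

    years = years_to_search(128, idea_scenario_rate())
    print(f"128-bit scenario: {years:,.0f} years")

    # 56 bits as 'safe today' is a sample input, not a recommendation
    print(f"56 bits today -> {bits_needed(56, 20)} bits in 20 years")
```

The scaled 40-bit figure lands within a few percent of the table's 56-bit column (the table's values are rounded), which shows that the two columns differ only by the factor 2^16.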

3.4 Summary
Network security is accomplished through hardware and software. The software
must be constantly updated and managed to protect you from emerging threats. A
network security system usually consists of many components. Ideally, all components
work together, which minimizes maintenance and improves security. Network security
components often include:
• Anti-virus and anti-spyware
• Firewall, to block unauthorized access to your network
• Intrusion prevention systems (IPS), to identify fast-spreading threats, such as
zero-day or zero-hour attacks
• Virtual Private Networks (VPNs), to provide secure remote access
Many network security threats today are spread over the Internet. The most
common include:
• Viruses, Worms, and Trojan horses
• Spyware and adware
• Zero-day attacks, also called zero-hour attacks
• Hacker attacks
• Denial-of-service attacks
• Data interception and theft
• Identity theft

3.5 Check Your Progress


I. Fill in the Blanks
1. The largest category of computer criminals consists of this group (__________).
2. A __________ is an individual who gains unauthorized access to a computer
with the intent of doing harm.
3. A __________ is an individual who gains unauthorized access to a computer
for the fun or challenge of it.
4. A __________ is a malicious computer program that can migrate through
networks and attach itself to programs.
5. __________ horses are programs that come into a computer system disguised
as something else.
6. A __________ attack attempts to slow down or stop a computer system or
network.
7. A __________ is a fraudulent or deceptive act or operation designed to trick
individuals into spending their time and money for little or no return.
8. Giving a friend a copy of a word processing program you own is an example of
software __________.
9. Using your company’s computer to do personal work is an example of the
crime of computer __________.
II. True or False
1. Cookie-cutter programs allow you to selectively filter or block the most intrusive
cookies while allowing selective traditional cookies to operate.
2. Organizations are legally required to seek your permission before depositing
cookies on your hard disk.
3. The Code of Fair Information Practice is adopted by many information
collecting businesses but is not a law.
4. Privacy of information is primarily a legal issue in the United States.
5. The majority of computer criminals come from outside the company.
6. Hackers and crackers break into computers to do damage or steal information.
7. Crackers break into computers to do damage or steal information.
8. Crackers break into computers simply for the fun of it.
9. Viruses are spread from computer to computer through networks and operating
systems.
10. Worms are programs that primarily attach themselves to programs and
databases and migrate through networks and operating systems.
11. Virus checkers are detection programs that alert users when certain kinds of
viruses and worms enter their system.
III. Multiple Choice Questions
1. In the world of computing, the essential element that controls how computers
are used is __________.
(a) ethics
(b) legal laws
(c) security requirements
(d) business demands
2. The guidelines for the morally acceptable use of computers in society are
__________.
(a) computer ethics
(b) privacy
(c) morality
(d) legal systems
3. The issue that deals with the collection and use of data about individuals is
__________.
(a) access
(b) property
(c) accuracy
(d) privacy
4. The ethical issue concerned with the correctness of data collected is
__________.
(a) access
(b) property
(c) exactness
(d) privacy
5. The ethical issue that involves who is able to read and use data is
__________.
(a) access
(b) property
(c) accuracy
(d) privacy
6. The vast industry involving the gathering and selling of personal data is
__________.
(a) direct marketing
(b) fund-raising
(c) information reselling
(d) government agencies
7. Identity theft is the __________.
(a) impersonation by a thief of someone with a large bank account
(b) impersonation by a thief of someone with computer skills
(c) impersonation by a thief of someone with good credit
(d) impersonation by a thief of someone’s identity for the purpose of
economic gain
8. Businesses search employees’ electronic mail and computer files using
so-called __________.
(a) Trojan horses
(b) cookies
(c) snoopware
(d) theft-ware
9. Small files that are deposited on a user’s hard drive when they visit a website
are best described as __________.
(a) cookies
(b) codes
(c) profiles
(d) trackers
10. Two types of cookies are __________.
(a) advanced and remedial
(b) traditional and natural
(c) natural and ad network
(d) ad network and traditional
11. A program that allows the user to selectively filter or block the most intrusive ad
network cookies is called __________.
(a) technical cookie program
(b) cookie-cutter program
(c) anti-cookie cutter program
(d) cookie monster program
12. Information about how often you visit a website can be stored in a ________ on
your hard drive.
(a) info-byte
(b) history file
(c) net minder
(d) cookie
13. Privacy is primarily a(n) __________ matter.
(a) ethical
(b) legal
(c) security
(d) business
14. The Code of Fair Information Practice was a response to __________.
(a) privacy concerns
(b) ethical concerns
(c) copyright concerns
(d) piracy concerns
15. A computer crime is __________.
(a) any activity in which the thief uses computer technology
(b) an illegal action in which the perpetrator uses special knowledge of
computer technology
(c) an immoral action in which the thief uses special knowledge of computer
technology without the other person knowing
(d) any threat to computer or data security

3.6 Questions and Exercises


1. What is Network Security?
2. What is Network Security and how does it protect you?
3. How does Network Security work?
4. What are the business benefits of Network Security?
5. Explain the problems with key management and how it affects symmetric
cryptography.
6. Describe how elliptic curve cryptosystems work.
7. What is a digital signature? Why is it used?
8. What is the Microsoft Encrypting File System (EFS) and what are some of its
features?
9. What is a pluggable authentication module (PAM)?

3.7 Key Terms


• Authentication: The process of verifying that a message was created by a
specific individual (or program). Like encryption, authentication can be either
symmetric or asymmetric. Authentication is necessary for effective encryption.
• Ciphertext: The encoded data; it is not user-readable. Potential attackers are
able to see this.
• Ciphertext indistinguishability: This is a property of encryption systems
whereby two encrypted messages aren’t distinguishable without knowing the
encryption key. This is considered a basic, necessary property for a working
encryption system.
• Decryption: The process of converting ciphertext to plaintext.
• Encryption: The process of converting plaintext to ciphertext.
• Key: Secret data is encoded with a function using this key. Sometimes multiple
keys are used. These must be kept secret; if a key is exposed to an attacker,
any data encrypted with it will be exposed.
• Nonce: A nonce is a number used once. Nonces are used in many
cryptographic protocols. Generally, a nonce does not have to be secret or
unpredictable, but it must be unique. A nonce is often a random or
pseudo-random number (see Random number generation). Since a nonce does not
have to be unpredictable, it can also take the form of a counter.
• Plaintext: User-readable data you care about.
• Private key: This is one of two keys involved in public key cryptography. It can
be used to decrypt messages which were encrypted with the corresponding
public key, as well as to create signatures, which can be verified with the
corresponding public key. These must be kept secret; if they are exposed, all
encrypted messages are compromised, and an attacker will be able to forge
signatures.
• Public key: This is one of two keys involved in public key cryptography. It can
be used to encrypt messages for someone possessing the corresponding
private key and to verify signatures created with the corresponding private key.
This can be distributed publicly, hence the name public key cryptography.
• Asymmetric cryptography: Cryptographic operations where encryption and
decryption use different keys. There are separate encryption and decryption
keys. Typically, encryption is performed using a public key, and it can then be
decrypted using a private key. Asymmetric cryptography can also be used to
create signatures, which can be generated with a private key and verified with
a public key.
• Symmetric cryptography: Cryptographic operations where encryption and
decryption use the same key.
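The Nonce entry above says a nonce may be public and predictable, even a counter, but must never repeat. The following added example (not part of the original course text) shows a counter nonce in use, what two ciphertexts reveal when one nonce is used twice under the same key, and a receiver-side check that rejects repeats. The HMAC-SHA256 keystream is a constructed stand-in for a real stream cipher, and all class and function names are hypothetical.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Constructed keystream: HMAC-SHA256(key, nonce || block index), block by block."""
    out = b""
    block = 0
    while len(out) < length:
        msg = nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def decrypt(key: bytes, nonce: int, ciphertext: bytes) -> bytes:
    """XOR stream ciphers decrypt by applying the same keystream again."""
    return xor(ciphertext, keystream(key, nonce, len(ciphertext)))


class CounterNonceCipher:
    """Sender: the nonce is a plain counter, sent in the clear, never reused."""

    def __init__(self, key: bytes):
        self._key = key
        self._next_nonce = 0

    def encrypt(self, plaintext: bytes):
        nonce = self._next_nonce
        self._next_nonce += 1  # uniqueness comes from never stepping back
        return nonce, xor(plaintext, keystream(self._key, nonce, len(plaintext)))


class NonceTracker:
    """Receiver: refuse any message whose nonce was already seen under this key."""

    def __init__(self):
        self._seen = set()

    def accept(self, nonce: int) -> bool:
        if nonce in self._seen:
            return False
        self._seen.add(nonce)
        return True


def reuse_leak(key: bytes, nonce: int, p1: bytes, p2: bytes) -> bytes:
    """XOR of two ciphertexts made with the same key and nonce.

    The keystream cancels out, so the result equals p1 XOR p2 and no longer
    depends on the key at all.
    """
    c1 = xor(p1, keystream(key, nonce, len(p1)))
    c2 = xor(p2, keystream(key, nonce, len(p2)))
    return xor(c1, c2)


if __name__ == "__main__":
    key = b"k" * 32                 # constructed sample key
    message = b"PAY 100 TO ALICE"   # constructed sample message
    sender = CounterNonceCipher(key)
    n1, c1 = sender.encrypt(message)
    n2, c2 = sender.encrypt(message)
    print("same plaintext, nonces", n1, n2, "-> ciphertexts differ:", c1 != c2)

    leak = reuse_leak(key, 7, b"attack at dawn!!", b"retreat at noon!")
    print("reused nonce leaks p1 XOR p2:", leak.hex())

    tracker = NonceTracker()
    print("first use accepted:", tracker.accept(n1))
    print("repeat accepted:   ", tracker.accept(n1))
```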

3.8 Check Your Progress: Answers


I. Fill in the Blanks
1. employees
2. cracker
3. hacker
4. virus
5. Trojan
6. denial-of-service
7. scam
8. piracy
9. theft
II. True or False
1. True
2. False
3. True
4. False
5. False
6. False
7. True
8. False
9. True
10. False
11. True
III. Multiple Choice Questions
1. (a) ethics
2. (a) computer ethics
3. (d) privacy
4. (c) exactness
5. (a) access
6. (c) information reselling
7. (d) impersonation by a thief of someone’s identity for the purpose of economic
gain
8. (c) snoopware
9. (a) cookies
10. (d) ad network and traditional
11. (b) cookie-cutter program
12. (d) cookie
13. (a) ethical
14. (a) privacy concerns
15. (b) an illegal action in which the perpetrator uses special knowledge of
computer technology

3.9 Case Study

A Case Study: Network Security


The 2012 Cyber Crime and Security Survey: Systems of National Interest was
commissioned by Australia’s national computer emergency response team, CERT
Australia (the CERT), part of the Federal Attorney-General’s Department.
This report provides analysis of the findings, and identifies areas for further
exploration or improvement which may be addressed in future surveys. As there was a
strong response rate of almost 60% for this inaugural survey, the findings are considered
to be representative of this particular sample. The strong response rate also indicates a
good level of trust between the CERT and its business partners.
Established in 2010, the CERT works with the Australian business sector – primarily
the owners and operators of systems of national interest. These are the businesses that
underpin the social and economic well-being of the nation and the economy, such as
banking and finance, communications, energy, resources, transport and water.
The CERT provides cyber security threat and vulnerability information to help these
businesses manage risk, as well as providing support with incident response. The CERT
is also a member of the Cyber Security Operations Centre and the global CERT
community. By using its government, international and industry networks, the CERT
seeks to provide the most effective and timely advice and assistance possible.

About the Survey


The survey was designed to obtain a better picture of how cyber incidents are
affecting the businesses that partner with the CERT. It was produced by the Centre for
Internet Safety at the University of Canberra. More information on the Centre can be
found at [Link]/cis. The Centre was created to foster a safer, more
trusted internet by providing thought leadership and policy advice on the social, legal,
political and economic impacts of cyber crime and threats to cyber security. The survey
was hosted by the Online Research Unit.
Participating organizations were asked that an appropriate person complete the
survey, and were assured that all responses are anonymous.
The survey consisted of 24 questions, both closed and open ended, to ascertain:
• business description
• types of IT security used
• types of cyber security incidents experienced, and
• industry reporting of incidents.

Respondents
Of the almost 450 organizations contacted, responses were received from 255,
which is approximately 60%. This is a strong response rate and reflects the trusted
relationship the CERT has with its business partners. It also reflects the willingness of
business to participate in a survey that will help government and improve understanding
of the cyber security threat environment in Australia.

Industry Sector
More than 11 industry sectors responded, with the greatest representation being
from energy (17%), defence industry (15%), communications (12%), banking and finance
(9%) and water (9%).

Trusted Information Sharing Network


The Trusted Information Sharing Network for Critical Infrastructure Resilience (TISN)
is led by the Federal Attorney-General’s Department. It provides an environment where
business and government can share information on security issues relevant to the
protection and resilience of critical infrastructure, and the continuity of essential services
in the face of all hazards. The TISN has seven main sector groups – banking and finance,
communications, food, energy, health, transport and water.
Disruption of Australia’s systems of national interest or critical infrastructure could
have a range of serious implications for business, governments and the community. It is
vital that owners and operators of these important organizations, both in the private and
public sector, are able to plan for, withstand and respond to a broad range of threats,
including cyber attacks from outside and inside their organization.
One-third of respondents reported their organization to be a member of the TISN.
This included organizations from banking, energy, communications, transport and water.
This provides a mostly representative picture of the TISN sectors that partner with the
CERT. One-third of respondents reported their organization was not a member of the
TISN, while one-third of respondents did not know if their organization is a member.

Security of IT Systems
Security of IT systems centers on preventing and detecting the unauthorized access
to or use of IT systems or impairment of those systems. To achieve such security,
modern organizations layer security defences in IT systems to reduce the chance of a
successful attack. This concept is known as defence-in-depth and seeks to manage risk
with multiple defensive strategies, so that if one layer of defence turns out to be
inadequate, another layer of defence will hopefully prevent a full breach. The multiple
defence mechanisms layered across an organization’s network infrastructure protect
data, networks, and users. A well-designed and implemented defence-in-depth strategy
can help system administrators identify internal and external attacks on a computer
system or network.

IT Security Technology
Organizations were asked what type of computer security technologies they used.
More than 90% of respondents reported using anti-virus software, spam filters, and
firewalls. More than 80% also reported using access control and virtual private networks
(VPNs).
IT security technology such as firewalls and spam filters are not always effective in
preventing or detecting sophisticated attacks, so security techniques are increasingly
incorporating the use of intrusion detection systems (IDS). Almost 60% of respondents
reported using a type of IDS.
Almost half the respondents also reported deploying reusable passwords and
multifactor authentication technologies such as biometrics, smartcards and tokens.
These results indicate that some organizations may need to strengthen their
IT security, by adopting a defence-in-depth approach.

IT Security Policy
According to respondents, basic security policies are being applied by the majority
of surveyed organizations. For example, 84% deploy user access management, 79%
perform media backup, 75% use documented standard operating procedures, and 73%
have external network access control.
Results indicate there are areas for improvement. For example, less than 50% of
respondents have plans in place for the management of removable computer media,
such as USB memory drives, and less than 25% have policies and procedures in place
for using cryptographic controls.
In addition, less than 12% of respondents reported having a forensic plan in place.
These plans help monitor use of the ICT systems, provide mechanisms to recover lost
data, and provide ways to protect information on systems.

IT Security Standards
Overall, 64% of respondents reported their organization did apply IT security
standards or guidelines.
Of the remaining respondents, 25% reported their organization did not apply
IT security standards or guidelines, and 11% did not know. These findings are a concern
and warrant future investigation.
Of the respondents who reported their organization did apply some form of
IT security standard, almost 50% followed, or used as a guide, ISO 27001. This
standard states that it is mandatory for management to examine their organization’s
IT security risks to form a risk mitigation system and to ensure that the controls applied
are current for the needs of the business.
Of this same subset of respondents, just over 20% reported their organization
adhered to the Payment Card Industry Data Security Standard (PCI DSS). This is the
IT security standard commonly used by organizations using credit card data. In addition,
just over 15% used a vendor-specific standard.

IT Security Qualifications
Responses indicated that 65% of participating organizations had IT security staff
with tertiary level IT qualifications. More than 50% of participating organizations had
IT security staff with some type of vendor based IT certifications. Almost 35% of
participating organizations had IT security staff with no formal training, although most of
these staff had more than five years working in the IT security industry.
These findings indicate that some organizations may need to improve the skill set of
their IT security staff.
This was supported by the additional finding that 55% of respondents thought their
organization needs to do more to ensure their IT security staff have an appropriate level
of qualification, training, experience and awareness.
These findings indicate that respondents are aware of the need for IT security staff
to keep their skills and knowledge up-to-date – which is essential, as cyber threats are
constantly evolving.
Respondents also thought their organization needs to do more to ensure other staff
have an appropriate level of IT skill and awareness:
• 70% of respondents reported this need for general staff,
• 70% of respondents reported this need for management, and
• 48% of respondents reported this need for their board of directors.
These findings indicate that respondents are aware that cyber security is a shared
responsibility. Even where networks are secure at the perimeter, security is dependent
on all staff being aware of vulnerabilities such as phishing attacks. This is a method used
to penetrate organizations without needing to breach IT security defences, by attempting
to get staff to divulge information and provide access – unwittingly – to corporate
systems.
These findings also indicate that many organizations are not confident that cyber
security is sufficiently understood and appreciated by staff, management and boards.

Cyber Incidents
Respondents were asked about the types of cyber security incidents their
organization had experienced in the previous 12 months, as well as possible motives for
the attacks, and why the attacks may have been successful.
A cyber security incident was classified as an electronic attack that harmed the
confidentiality, integrity or availability of the organization’s network data or systems.

Number of Incidents Experienced
When asked if their organization had experienced a cyber security incident in the
previous 12 months:
• 69% of respondents reported ‘no’,
• 22% of respondents reported ‘yes’, and
• 9% of respondents reported they ‘did not know’.
While these results indicate the majority of organizations did not experience a cyber
incident in the previous 12 months, this may more accurately reflect that a number of
cyber intrusions have gone undetected by some organizations. Anecdotal evidence
available to the CERT suggests that some businesses are unaware of the full scope of
unauthorized activity on their networks.
The CERT is also aware of hesitation from organizations to report a cyber security
incident. This may be for a variety of reasons – some are concerned that the information
they report may lead to negative publicity and/or regulatory scrutiny, others don’t
consider reporting to be worthwhile.
Of the respondents who reported their organization had experienced an incident in
the previous 12 months:
• 65% reported experiencing one to five incidents,
• 21% reported experiencing more than 10 incidents,
• 9% reported experiencing six to 10 incidents, and
• 5% did not know how many incidents had been experienced.

Types of Incidents Experienced


Of the respondents who reported their organization had experienced a cyber
incident in the previous 12 months, the main types reported were:
• theft of a notebook, tablet or mobile device – 32%
• virus or worm infection – 28%
• Trojan or root kit malware – 21%
• unauthorized access – 18%
• theft or breach of confidential information – 17%
• denial-of-service attack – 16%.
These findings may help organizations decide where to place additional resources
to protect their information assets. The high percentage of physical computing assets
being stolen highlights the need for physical security measures to be included in an
organization’s security risk management plan.
Interestingly, although respondents were provided with 13 specific types of incident
from which to choose – 34% of respondents reported the incidents their organization had
experienced were ‘none of the above’. As the types of incident were comprehensively
listed, this finding may be due to the respondent not knowing what type of incident was
actually experienced.
Of the respondents who knew they had suffered electronic attack, 71% reported
they had been subject to between 1 and 5 external attacks, whilst 44% reported they had
been subject to between 1 and 5 internal attacks. Many companies spend the majority of
their IT security budget on protection from external attacks. But the figures above serve
as a reminder that internal controls and measures are also important, to ensure that
internal risks are also managed. Should they have sufficient motivation – financial,
personal or cause-related – internal employees, whether they are permanent or casual
staff or contractors, can have access to sensitive information and the opportunity to
understand critical systems and exploit potential weaknesses in security.

Motives for the Attacks


Respondents were asked what they thought the motives for the incidents were. The
highest suspected motive was non-targeted unsolicited malicious damage (17%),
followed by indiscriminate attack (almost 16%).
Interestingly, more than half the respondents viewed the attacks to be targeted at
their organization – with motives being illicit financial gain (15%), hacktivism (9%), using
the system for further attacks (9%), using the system for personal use (6%), being from a
foreign government (5%), personal grievance (5%), and being a competitor (4%).
This finding indicates a shift from previous views or conceptions, that most attacks
are non-targeted or indiscriminate.
Either way, building resilience to cyber security incidents requires constant vigilance
by IT security staff, in order to create and apply current and efficient risk treatments.
Attribution is always difficult. Where respondents think an attack came from
may not be where it actually came from. What’s important is that an organization
understands enough about attacks so they can work out:
• the vulnerabilities on their network exploited by the attacker,
• what data may have been accessed, and
• what needs to be done to increase the protections of that network.

Case Study – Ransomware


In late September 2012, CERT Australia received a series of calls from more than
25 organizations being targeted by ransomware.
The attacks encrypted files on the compromised system and/or locked the victim out
of the desktop environment. The attacks also encrypted files in the system backups.
The victims were then asked by the attacker to pay a fine using a payment or money
transfer service, to obtain the codes that would unlock the computer and/or decrypt the
data.
In some cases, the ransomware included scareware, displaying a fake warning
screen, claiming that the victim’s computer had been associated with criminal activity.
This was a tactic to discourage the victim from reporting the attacks to law enforcement
agencies or the CERT. For example, one warning screen was set up to look like it was
from the Anti Cyber Crime Department of the Federal Internet Security Agency. There is
no such agency.
In the majority of cases, the attackers used Microsoft Remote Desktop Protocol as
an entry point to the target network. This was possibly using authentication credentials
obtained by key loggers, or accessing systems with weak credentials.
The severity of the damage done by the attacks varied across the target
organizations. In the worst-case scenario reported to the CERT, one victim lost 15 years’
worth of critical business data, which is a serious compromise.
So how does the CERT help business deal with such attacks?
Firstly, it worked directly with the affected organization to help it better defend
against the attack. Where the organization had outsourced management of its website,
the CERT helped the service provider protect the affected network.
The CERT also worked with law enforcement locally – because of the criminal
nature of the activity; Microsoft – to share data and analysis; and international
colleagues – as the threat actors or attackers used infrastructure based overseas.
In addition, the CERT identified other organizations in Australia that had not yet
reported the activity. It then contacted them to warn that the attacks were happening
in their sector, and gave them advice about how to protect their systems.
The CERT also issued a guidance paper on the ransomware threat, which was
made publicly available on its website.
This case study highlights the nature of CERT Australia’s mission – it’s all about
helping business best prepare for and respond to cyber attacks. It does this by using its
government, industry and international partnerships to provide the most useful advice
possible – as soon as possible.

Contributing Factors to the Attacks


Respondents were asked what factors they thought may have contributed to the
incidents. The highest rated reason was the use of powerful automated attack tools
(14%), followed by exploitation of unpatched or unprotected software vulnerabilities
(11%), and exploitation of misconfigured operating systems, applications or network
devices (10%).
These findings highlight the need for organizations to stay vigilant to vulnerabilities
and apply appropriate mitigations – specifically where misconfigured systems are the
reason an attack was successful.

Expenditure on IT Security
When asked if their organization had increased expenditure on IT security in the
previous 12 months:
• 52% of respondents reported ‘yes’,
• 42% of respondents reported ‘no’, and
• 6% of respondents reported they ‘did not know’.
These findings indicate that more than half of participating organizations are
increasing their expenditure in information security. While it is unknown where this
expenditure was directed within an organization, it is a positive step demonstrating the
need for continual investment in information security.

Case Study – Distributed Denial-of-service


Distributed denial-of-service (DDoS) attacks are one of the most serious threats to
organizations with an online presence.
Historically, these attacks had non-financial motivations, aiming to bring attention to
certain events or protest specific issues. The more recent trend, however, is for DDoS to
be used for extortion.
Early in 2012, CERT Australia received reports from a range of Australian financial
companies that were being targeted by extortion-based DDoS attacks. They had been
called and threatened with an attack against their website, unless they made a payment.
This type of attack can cause serious problems. It can not only disrupt the
company’s online activities via its website, but also stop clients from doing business with
them online.
The attackers chose their targets carefully. They combed victim websites for pages
that would generate the most processing in order to increase the likelihood of
successfully taking down the site. Some websites were brought down by the attack;
others had the infrastructure to withstand it.
The CERT located the target list for the attacks and contacted the listed companies.
As the attacks were of a criminal nature, the CERT also provided all relevant information
to the Australian Federal Police’s High Tech Crime Operations for investigation.
The sites which had the ability to mitigate the attack were not targeted for long. With
the attacks being financially motivated, the attacker seemed quick to move on to other
potential victims. However, if the company communicated with the attacker, the site
appeared on the target list for longer periods of time.
The CERT was able to identify the international source of the attacks from a sample
of the DDoS traffic provided by one of the companies – this highlights the value of
sharing information. The CERT then notified its international counterpart, asking for
assistance in having the control hub taken down. The international CERT responded
quickly and the host was shut down.
However, as is normally the case with such incidents, the control hub then moved to
another internet address and recommenced attacks. The CERT again contacted
overseas counterparts to issue further take down requests.
The CERT also continued to follow up with affected companies, providing options
and advice on mitigation techniques for possible future attacks. The companies that were
most effective in mitigating the attacks had already well-established and tested response
procedures in place for dealing with DDoS.
This case study highlights the need for organizations to develop DDoS response
plans and test them. By partnering with the CERT – ideally before an incident occurs –
business can be better prepared to mitigate cyber attacks.
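
The case above notes that the attackers aimed at the pages that generate the most processing. As an added example (not part of the original notes and not CERT tooling), the Python code below baselines per-page processing cost from access-log records and flags minutes in which a page's cost spikes across many distinct clients. The record layout, the thresholds, the paths and the sample data are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Records are (minute, client_ip, path, server_ms): a constructed layout, not a real log format.
def make(minute, path, n_clients, ms, net="198.51.100."):
    """Build constructed sample records: one request per distinct client."""
    return [(minute, f"{net}{i}", path, ms) for i in range(n_clients)]

def cost_per_minute(records):
    """Total processing time and distinct clients per (path, minute)."""
    cost, clients = defaultdict(float), defaultdict(set)
    for minute, ip, path, ms in records:
        cost[(path, minute)] += ms
        clients[(path, minute)].add(ip)
    return cost, clients

def build_baseline(records):
    """Per-path mean and standard deviation of per-minute cost in normal traffic."""
    cost, _ = cost_per_minute(records)
    per_path = defaultdict(list)
    for (path, _minute), total in cost.items():
        per_path[path].append(total)
    return {p: (mean(v), pstdev(v)) for p, v in per_path.items()}

def flag_anomalies(records, baseline, k=3.0, min_clients=5):
    """Flag (path, minute, cost_ms, clients) where cost exceeds the baseline by k
    deviations and the load is spread over at least min_clients sources."""
    cost, clients = cost_per_minute(records)
    alerts = []
    for (path, minute), total in sorted(cost.items()):
        mu, sigma = baseline.get(path, (0.0, 0.0))
        # Floor the deviation so a perfectly flat baseline does not alert on noise.
        threshold = mu + k * max(sigma, 0.1 * mu, 1.0)
        n = len(clients[(path, minute)])
        if total > threshold and n >= min_clients:
            alerts.append((path, minute, total, n))
    return alerts

# Constructed data: five normal minutes, then a flood on the expensive /search page.
BASELINE = [r for m in range(5)
            for r in make(m, "/search", 3 + m % 2, 400) + make(m, "/index.html", 10, 5)]
OBSERVED = (make(0, "/search", 3, 400) + make(0, "/index.html", 10, 5)
            + make(1, "/search", 40, 400, net="203.0.113.") + make(1, "/index.html", 10, 5))

if __name__ == "__main__":
    for alert in flag_anomalies(OBSERVED, build_baseline(BASELINE)):
        print("ALERT path=%s minute=%d cost_ms=%.0f clients=%d" % alert)
```

Weighting by processing time rather than request count is what surfaces a flood on a costly page while the cheap static page, with the same request volume as usual, stays quiet.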

Reporting of Incidents
Respondents who indicated their organization had experienced cyber attacks in the
previous 12 months were asked a range of questions about reporting the incidents.
Just under half the respondents (44%) said they had chosen not to report the
incidents to an outside organization. Of the respondents who did report one or more
incidents, 44% were to a law enforcement agency, and 29% were to the CERT.
These findings indicate a high level of caution from organizations in reporting
incidents – although they may also reflect the actions of the respondent, rather than the
overall practice of the organization.
When asked why they had chosen not to report a cyber security incident to a law
enforcement agency, 74% indicated that they didn’t think the incident/s warranted law
enforcement intervention. This response may indicate the incident/s suffered by these
organizations were of a minor level and/or they were unaware of the threshold level for
interest and acceptance for investigation by a law enforcement agency. In addition, 35%
of organizations didn’t believe law enforcement had the capability to effectively conduct
an investigation into the incident, while 26% didn’t think the perpetrator would get caught.
Out of those respondents who did report a cyber security incident to law
enforcement, 33% stated that it was their understanding the incident was not investigated
and 29% stated they did not know the outcome from the referral, while 8% of matters
referred to law enforcement were reported to have resulted in a person being charged.
These findings highlight that the CERT needs to articulate to business the benefits
of reporting cyber security incidents to CERT Australia and to law enforcement, and that
all information provided to the CERT is held in the strictest confidence.


Case Study – Criminal Investigation


In 2009, the Australian Federal Police received information regarding the
unauthorized modification of data at a Western Australian government department. The
subsequent investigation revealed two males who were contractors to the department,
sharing information regarding the illegal access to the departmental computer operating
system.
The investigation revealed communications between the two males pertaining to the
creation of malicious software and subsequent commands to hack network security
controls in an attempt to crack a file and reveal the user names and passwords of
departmental staff.
The AFP executed search warrants at both males’ addresses and seized a number
of computers and associated media. Both males were subsequently charged with
conspiracy to cause an unauthorized modification of data held in a computer, knowing
the modification to be unauthorized, and being reckless as to whether the modification
impaired the reliability, security or operation, of any such data and the modification is
caused by means of a carriage service, contrary to section 11.5(1) and sub-section
477.2(1) of the Criminal Code 1995 (Cth).
Upon appearing at Court, both males pleaded not guilty to the above offence.
Following a trial, they were both found guilty. One of the offenders was sentenced to
30 months’ imprisonment to be released after having served 10 months and the other to
36 months to be released after having served 12 months, both to enter into a
recognizance to be of good behaviour for a period of 20 and 24 months respectively.

About CERT Australia


As Australia’s national computer emergency response team, the CERT works to
ensure that all Australians and Australian businesses have access to information on how
to better protect their information technology environment from cyber-based threats and
vulnerabilities.
The CERT is the initial point of contact for cyber security incidents impacting on
Australian networks.
The CERT is keen to highlight and reinforce the importance of business taking cyber
security seriously. This not only means being aware of cyber threats but also putting
effective controls and safeguards into practice. In Australia, it’s now publicly
acknowledged that cyber operations are one of the most rapidly evolving threats to our
national security.
The CERT encourages business to be prepared before an incident occurs. This
involves a business knowing its network, understanding the value of its information, and
understanding how both are protected.
As general guidance, the CERT advises business to use the Top 35 strategies for
mitigating cyber intrusions, released by the Defence Signals Directorate (DSD). This list
is informed by DSD’s experience in operational cyber security, including responding to
serious cyber incidents and performing vulnerability assessments and penetration testing
for Australian Government agencies. While the first four strategies have the potential to
mitigate up to 85% of attacks, this information does need to be tailored to suit the needs
and operating environment of each business.
The CERT also encourages business to understand what constitutes normal
behavior on its network. By knowing this, the business is more likely to detect unusual
behavior.


Being prepared before an incident occurs also involves having operational
relationships in place with those who can assist, such as the CERT and law enforcement
agencies. Having such contacts already established helps with the efficient and effective
sharing of information for prevention – and if necessary, mitigation.
Reporting incidents to the CERT is necessary and important. It allows the CERT to
make sure that businesses receive the right help – and all information provided to the
CERT is held in the strictest confidence.
The CERT is the entry point into government for Australian businesses. It works in
the Cyber Security Operations Centre, sharing information with other key agencies
including the Australian Security Intelligence Organization, the Australian Federal Police
and the Defence Signals Directorate. The CERT also works closely and shares
information with its international counterparts.
This means the CERT is very well connected and very well informed, which is a
great asset in helping businesses protect themselves from cyber attacks. The CERT is
also a strong point of referral, which can lead to some very positive outcomes in terms of
resolution and prosecution.
As such, the important messages for businesses are to:
• continue taking cyber security seriously by implementing effective controls,
• partner with the CERT before an incident occurs, and
• report cyber incidents to the CERT.

3.10 Further Readings


1. Stallings, Cryptography and Network Security: Principles and Practice, 5/e
(Prentice Hall, 2010). Relative to this book’s 4th edition, the network security
components and an extra chapter on SNMP are also packaged as Stallings’
Network Security Essentials: Applications and Standards, 3/e (Prentice Hall,
2007).
2. Kaufman, Perlman and Speciner, Network Security: Private Communications
in a Public World, 2/e (Prentice Hall, 2003).
3. Menezes, van Oorschot and Vanstone, Handbook of Applied Cryptography
(CRC Press, 1996; 2001 with corrections), free online for personal use.
4. Stallings and Brown, Computer Security: Principles and Practice, 3/e (2014,
Prentice Hall).
5. Boyle and Panko, Corporate Computer Security, 3/e (2013, Prentice Hall). See
also: Panko, Corporate Computer and Network Security, 2/e (2009, Prentice
Hall).
6. Gollmann, Computer Security, 3/e (2011, Wiley).
7. Smith, Elementary Information Security (2011, Jones & Bartlett Learning).
8. Stamp, Information Security: Principles and Practice, 2/e (2011, Wiley).
9. Goodrich and Tamassia, Introduction to Computer Security (2010,
Addison-Wesley).
10. Saltzer and Kaashoek, Principles of Computer System Design (2009, Morgan
Kaufmann).
11. Smith and Marchesini, The Craft of System Security (2007, Addison-Wesley).
12. Pfleeger and Pfleeger, Security in Computing, 4/e (2007, Prentice Hall).
13. Bishop, Computer Security: Art and Science (2002, Addison-Wesley).
14. Adams and Lloyd, Understanding Public Key Infrastructure, 2/e (Macmillan
Technical, 2002).
15. Housley and Polk, Planning for PKI: Best Practices Guide for Deploying Public
Key Infrastructures (Wiley, 2001).
Miscellaneous Resources:
1. IEEE Security and Privacy magazine tables of contents (since Jan. 2003).
2. Review of 10 cryptography books (plus background introduction), Susan
Landau. Bull. Amer. Math. Soc. 41 (2004), pp. 357-367, Copyright 2004, AMS.
3. (classic security paper) J.H. Saltzer, M.D. Schroeder. The Protection of
Information in Computer Systems. Proc. IEEE 63(9):1278-1308
(Sept. 1975). DOI: 10.1109/PROC.1975.9939.
4. DoD Orange Book (1985) and other seminal papers in Computer Security
(thanks to: UC Davis/Matt Bishop).
5. Educational comic strips teaching about password guessing attacks (thanks to
Leah Zhang at Carleton).
