Chapter 2

Brief Overview of Commercial Issues

The main commercial issue is security, privacy, continuity, assurance, profit and
customer attraction.

But in this course we will see security, assurance and privacy in detail.

The business man need to achieve data confidentiality, data integrity, and
availability. How?

By creating secure communication over the unsecure environment.

To overcome these issues we have to implement some security mechanism.

Example applying cryptography

By Zebrehe G. 1
 Why Security?
1. The Internet was initially designed for connectivity
Trust assumed
We do more with the Internet nowadays
 Security protocols are added on top of the TCP/IP
2. Fundamental aspects of information must be protected
Confidential data
Employee information
Business models
Protect identity and resources
3. We can’t keep ourselves isolated from the Internet
Most business communications are done online
We provide online services
We get services from third-party organizations online
By Zebrehe G. 2
 Types of Security
1. Computer Security

Generic name for the collection of tools designed to protect data and to prevent
hackers.

2. Network Security

Measures to protect data during their transmission.

3. Internet Security

Measures to protect data during their transmission over a collection of

interconnected networks.

By Zebrehe G. 3
 Secure Communication
Needs and Requirements
 Well established needs for secure communication
• War time communication
• Business transactions
• Illicit Love Affairs
 Requirements of secure communication
1. Secrecy
 Only intended receiver understands the message
2. Authentication
 Sender and receiver need to confirm each others identity
3. Message Integrity
 Ensure that their communication has not been altered, either maliciously or
by accident during transmission

By Zebrehe G. 4
 Security relies on the following elements:
Authentication. Authentication addresses the question: who are you? It is the process of uniquely
identifying the clients of your applications and services.

Authorization. Authorization addresses the question: what can you do? It is the process that governs
the resources and operations that the authenticated client is permitted to access. Resources include files,
databases, tables, rows, and so on, together with system-level resources such as registry keys and
configuration data. Operations include performing transactions.

Auditing. Effective auditing and logging is the key to non-repudiation. Non-repudiation guarantees that
a user cannot deny performing an operation or initiating a transaction. For example, in an e-commerce
system, non-repudiation mechanisms are required to make sure that a consumer cannot deny ordering
100 copies of a particular book.

By Zebrehe G. 5
 Security relies on the following elements:
Confidentiality. Confidentiality, also referred to as privacy, is the process of making sure that data
remains private and confidential, and that it cannot be viewed by unauthorized users or eavesdroppers
who monitor the flow of traffic across a network. Encryption is frequently used to enforce
confidentiality. Access control lists (ACLs) are another means of enforcing confidentiality.

Integrity. Integrity is the guarantee that data is protected from accidental or deliberate (malicious)
modification. Like privacy, integrity is a key concern, particularly for data passed across networks.
Integrity for data in transit is typically provided by using hashing techniques and message authentication
codes.

Availability. From a security perspective, availability means that systems remain available for
legitimate users. The goal for many attackers with denial of service (DoS) attacks is to crash an
application
By Zebrehe G. 6
Why we Study cryptology?

Communications security

By Zebrehe G. 7
 The Basic Problem
We consider the confidentiality goal:
Alice and Bob are Friends && Darth is a hacker
Alice says to Bob “borrow 1000 birr to my account 1000045645879”
Darth wants to read the message (borrow 1000 birr to my account
1000045645879) and change Alice’s account by his account. At the same time
Alice and Bob wants to prevent from this.
Assumption: The network is OPEN: Darth is able to eavesdrop and read all data
sent from Alice to Bob.
Consequence: Alice must not send messages directly – they must be “scrambled”
or encrypted using a ‘secret code’ unknown to Darth but known to Bob.
By Zebrehe G. 8
 Security Attacks
 Attack is any action that compromises the security of information
owned by an organization. We have two basic categories of attacks
 Passive attacks
o Read message contents but not modified and deleted
o Monitoring traffic flows
 Active attacks
o Masquerading of one entity as some other
o Replay previous messages
o Modify messages in transmit
o Add, delete messages
o Denial of service
By Zebrehe G. 9
 Basic terms of Cryptography
 Cryptology (to be very precise)
 Plaintext: original message to be sent. Could be
Cryptography --- code designing(secrete writing)
text, audio, image, etc.
Cryptanalysis --- code breaking
 Encryption/Decryption Algorithm:
 Cryptologist:

mathematical tool (software) used to encrypt or Cryptographer & cryptanalyst

decrypt the message .  Encryption/ encipherment

 Key: A string of bits used by to encrypt the Scrambling data into unintelligible to unauthorised parties

 Decryption/decipherment
plaintext or decrypt the cipher text.
Un-scrambling
 Cipher text: encrypted message. Looks like a
random stream of bits

By Zebrehe G. 10
 Cont..
 Cryptanalyst: cryptanalyst is a person who studies encryption and encrypted
message and tries to find the hidden meanings (to break an encryption).

 Confusion: it is a technique for ensuring that ciphertext has no clue about the
original message.

 Diffusion: it increases the redundancy of the plaintext by spreading it across rows

and columns.

 Substitution: substitute one symbol with another.

 Transposition: the position of the symbols are changed.

By Zebrehe G. 11
 Cryptography
Cryptography or cryptology (from Greek kryptós, "hidden, secret"; and graphein,
"writing", "study", respectively, is the practice and study of techniques for secure
communication in the presence of third parties called opponent.

Cryptography is a method of storing and transmitting data in a particular form so

that only those for whom it is intended can read and process it.

More generally, cryptography is about constructing and analyzing protocols that

prevent third parties or the public from reading private messages.

By Zebrehe G. 12
 Cont…
Today, cryptography goes beyond encryption/decryption to include

Techniques for making sure that encrypted messages are not modified in route

Techniques for secure identification/authentication of communication partners.

Modern cryptography concerns itself with the following four objectives:

1 Confidentiality

2 Integrity

3 Non-repudiation

4 Authentication

By Zebrehe G. 13
 Cont…
1. Confidentiality: Assures that private or confidential information is not made
available or disclosed to unauthorized individuals.

2. Integrity: The assurance that data received are exactly as sent by an authorized
entity (no modification, insertion, deletion, or replay).

3. Non-repudiation: is a security service that ensures that an entity cannot refuse

the ownership of a previous commitment or an action. It is an assurance that the
original creator of the data cannot deny the creation or transmission of the said
data to a recipient or third party.

4. Authentication: is a mechanism helps in establishing proof of identification.

By Zebrehe G. 14
 Cont..
 Cryptography can characterize by:
 type of operations used for encryption process
 substitution / transposition / product
 number of keys used
 Single-key or private key = Symmetric cryptography
 Two-key or public key = Asymmetric cryptography
 way in which data is processed
 Block / stream

By Zebrehe G. 15
 Cont..
 Cryptography can characterize by:

 Number of keys used

 Single-key or private key = Symmetric cryptography

 Two-key or public key = Asymmetric cryptography

 Way in which data is processed

 Block / stream

 Type of operations used for encryption and decryption process

 Substitution / Transposition

By Zebrehe G. 16
 Cont….
Types of Cryptographic Functions The hierarchy of cryptography
Secret/Symmetric key functions

Public key functions

Hash functions

By Zebrehe G. 17
 Symmetric Encryption
 Symmetric or conventional / secret-key / single-key
 Both sender and recipient share a common key
 Using a single key for encryption/decryption.
 For a group of N people using a secret-key cryptosystem, it is
necessary to distribute a number of keys equal to N * (N-1)/2.
 Symmetric cryptographic is divided into stream and block ciphers.
Example of All classical encryption Caesar, play fair, Rail fence, DES,
AES,3DES,RC5,IDEA etc.

By Zebrehe G. 18
 Cont..
 Stream cipher: it converts one symbol of plaintext directly into a symbol of ciphertext.
Advantages:
 Speed of transformation: algorithms are linear in time and constant in space.
 Low error propagation: an error in encrypting one symbol likely will not affect
subsequent symbols.
Disadvantages:
 Low diffusion: all information of a plaintext symbol is contained in a single ciphertext
symbol.
 Susceptibility to insertions/ modifications: an active interceptor who breaks the
algorithm might insert spurious text that looks authentic.

By Zebrehe G. 19
 Cont..
 Block ciphers: It encrypt a group of plaintext symbols as one block.
Advantages:
 High diffusion: information from one plaintext symbol is diffused into several
ciphertext symbols.
 Immunity to tampering: difficult to insert symbols without detection.
Disadvantages:
 Slowness of encryption: an entire block must be accumulated before encryption /
decryption can begin.
 Error propagation: An error in one symbol may corrupt the entire block.
 Simple substitution is an example of a stream cipher. Columnar transposition is a
block cipher.
By Zebrehe G. 20
 Cont..
Substitution cipher is divided into two :

1. Mono alphabetic Ciphers : a character or symbol in the plaintext is always

changed to the same character or symbol in the cipher regardless of its position in
the text. Example Caesar cipher.

2. Polyalphabetic Ciphers : each occurrence of a character can have a different

substitute.

By Zebrehe G. 21
 Mono alphabetic Ciphers : Caesar Cipher
Earliest known substitution cipher.

Was used by Julius Caesar to communicate military messages with his generals .

Replaces each letter by 3rd letter on.

Mathematically give each letter a number.

a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

Then have Caesar cipher as:

Example:
c = E(p) = (p + k) mod (26) Aksum Institute Of Technology.
p = D(c) = (c – k) mod (26) Dnuxp Lqvwlwxwh Ri Whfkqrorjb

By Zebrehe G. 22
 Polyalphabetic Ciphers : Play fair Cipher
Not even using large keys in a Mono alphabetic cipher provides security .

One better approach to improving security was to use Polyalphabetic Ciphers and
a given character can be encrypted into multiple different corresponding characters.

Create a 5x5 matrix of letters based on a keyword treating I and j as they are same.

Fill in letters of keyword (leave any duplicates) and fill rest of matrix with other
letters. Example, Create Play fair matrix using the keyword MONARCHY
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W
By Zebrehe G.
X Z 23
 Encryption Using Play fair
Plaintext is encrypted two letters at a time

1. If a pair is a repeated letter, insert filler like 'X‟.

2. If both letters fall in the same row, replace each with letter to right (wrapping back
to start from end) .

3. If both letters fall in the same column, replace each with the letter below it (again
wrapping to top from bottom).

4. Otherwise each letter is replaced by the letter in the same row and in the column of
the other letter of the pair.

By Zebrehe G. 24
 Decryption Using Play fair
Ciphertext is decrypted two letters at a time

1. If both letters fall in the same row, replace each with letter to the left (wrapping
back to start from end) .

2. If both letters fall in the same column, replace each with the letter above it (again
wrapping to top from bottom).

3. Otherwise each letter is replaced by the letter in the same row and in the column of
the other letter of the pair.

4. Remove a filler like 'X‟.

By Zebrehe G. 25
 Cont..
Example Encryption :

1. plain text = Mekelle => Me, me, lx,le ….. b/c ll is repeated insert x

Cipher text = Clefsuul

2. Plain text Axum => Ax, um

Cipher text = Bamc

Example Decryption:

1. Cipher text = Clefsuul => Cl, ef, su, ul

Plain text = Mekelxle ….. Then remove x => Mekelle

2. Cipher text = Bamc = Ba, mc…. Axum

By Zebrehe G. 26
 Poly alphabetic Ciphers : Rail Fence cipher
These hide the message by rearranging the order of the letters.

Without altering the actual letters used.

Can recognise these since have the same frequency distribution as the original text.

Rail Fence cipher

Write the plain text in a diagonal fashion of depth n.
And the key corresponds to the number of rails
Then read row by row to generate the cipher text.
E.g. Encrypt the given plain text if the depth is 2.
Plain text = “MEKELLE” M K L E
cipher text= MKLEEEL E E L

By Zebrehe G. 27
 Block Ciphers

Map n-bit plaintext blocks to n-bit ciphertext blocks (n = block length).

For n-bit plaintext and ciphertext blocks and a fixed key, the encryption function is
a bijection;

y=Ek(x) for a given key and plain text which is reversible.

The inverse mapping is the decryption function, x= Dk(y) denotes the decryption
of plaintext ciphertext under k.

By Zebrehe G. 28
 Block Ciphers Features

Block size: in general larger block sizes mean greater security.

Key size: larger key size means greater security (larger key space).

Number of rounds: multiple rounds offer increasing security.

Encryption modes: define how messages larger than the block size are encrypted,
very important for the security of the encrypted message.

By Zebrehe G. 29
 Feistel Network
Several block ciphers are based on the structure proposed by Feistel in 1973

A Feistel Network is fully specified given

 the block size: n = 2w

number of rounds: d

 d round functions f1, …, fd:

Used in DES, IDEA, RC5, and many other block ciphers.

Encryption and decryption are almost the same operation.

 Not used in AES

By Zebrehe G. 30
 Feistel Network

By Zebrehe G. 31
 Data Encryption Standard (DES) Features
Features:

Block size = 64 bits

The F-function, operates on half a block (32 bits) at a time and consists of four
stages:

Key size = 56 bits (in reality, 64 bits, but 8 are used as parity-check bits for error
control, see next slide).

Number of rounds = 16

16 intermediary keys, each 48 bits

By Zebrehe G. 32
General Structure of DES

By Zebrehe G. 33
 Detail of DES

IP(x) = L0R0

Li= Ri-1

 Ri= Li-1⊕f(Ri-1, Ki)

 y = IP-1(R16L16)

Note: IP means Initial Permutation

By Zebrehe G. 34
 Cont..
Final Permutation (IP-1): is the
. inverse of the initial permutation.

By Zebrehe G. 35
By Zebrehe G. 36
Expansion Box

By Zebrehe G. 37
 S-boxes
.

By Zebrehe G. 38
.

By Zebrehe G. 39
 Key length in DES

• In the DES specification, the key length is 64 bit:

• 8 bytes; in each byte, the 8th bit is a parity-check bit.

Each parity-check bit is the XOR of the previous 7 bits

By Zebrehe G. 40
 Key Generation

The round-key generator

creates sixteen 48-bit
keys out of a 56-bit
cipher key.
The process of key
generation is depicted in
the following illustration:

By Zebrehe G. 41
By Zebrehe G. 42
By Zebrehe G. 43
 DES Decryption
Decryption uses the same algorithm as encryption, except that
the subkeysK1, K2, …K16 are applied in reversed order

By Zebrehe G. 44
 Public Key Cryptography
In public-key cryptography the key used to encrypt a message is not the same as the
key used to decrypt it.

 Each user has a pair of cryptographic keys such as a public key and a private key
where the public key used for encryption and the private key is used for decryption.

The public key is widely distributed, while the private key is known only to its
owner.

Similarly, a key pair used for digital signatures consists of a private signing key and
a public verification key.

By Zebrehe G. 45
 Cont..
The keys are related mathematically, but the parameters are chosen so
that calculating the private key from the public key is either impossible
or too expensive.

Encryption, by itself, can protect the confidentiality of messages.

 but other techniques are still needed to protect the integrity and
authenticity of a message;
for example, verification of a message authentication code (MAC) or a digital
signature.

By Zebrehe G. 46
 Cont..
.

By Zebrehe G. 47
Cont.

encryption
plaintext ciphertext

Public key

Private key
ciphertext plaintext
decryption
• Each individual has two keys
 a private key (d): need not be reveal(Make known) to anyone
 a public key (e): preferably known to the entire world
• Public key crypto is also called asymmetric crypto.
By Zebrehe G. 48
Cont…
Digital Signatures
 Proving that a message is generated by a particular individual
 Non-repudiation: the signing individual can not be denied, because only him/her knows the
private key.

signing
plaintext Signed
message
Private key

Public key
Signed plaintext
message
verification
By Zebrehe G. 49
 Hash Function
A hash function is a mathematical function that converts a numerical input value
into another compressed numerical value.

The input to the hash function is of arbitrary length but output is always of fixed
length.

Values returned by a hash function are called message digest or simply hash values.

The hash function is considered practically impossible to invert, that is, to recreate
the input data from its hash value alone.

By Zebrehe G. 50
 Hash Function
The ideal cryptographic hash function has four main properties:

 it is easy to compute the hash value for any given message

 it is infeasible to generate a message that has a given hash

 it is infeasible to modify a message without changing the hash

 it is infeasible to find two different messages with the same hash.

The following picture illustrated hash function:

By Zebrehe G. 51
 Hash Function
The ideal cryptographic hash function has four main properties: The typical features of hash
functions are:

Fixed Length Output (Hash Value)

Hash function coverts data of arbitrary length to a fixed length. This process is often referred
to as hashing the data.

In general, the hash is much smaller than the input data, hence hash functions are sometimes
called compression functions.

Since a hash is a smaller representation of a larger data, it is also referred to as a digest.

Hash function with n bit output is referred to as an n-bit hash function. Popular hash
functions generate values between 160 and 512 bits.

By Zebrehe G. 52
 Hash Function
Efficiency of Operation

Generally for any hash function h with input x, computation of h(x) is a fast
operation.

Computationally hash functions are much faster than a symmetric encryption.

By Zebrehe G. 53
 Hash Function
Cryptographic hash functions have many information security applications, notably
in digital signatures, message authentication codes (MACs), and other forms of
authentication.

They can also be used to index data in hash tables, for fingerprinting, to detect
duplicate data or uniquely identify files, and as checksums to detect accidental data
corruption.

A cryptographic hash function must be able to withstand all known types of

cryptanalytic attack.

By Zebrehe G. 54
 Hash Function
At a minimum, it must have the following properties:

Pre-image resistance

Given a hash h it should be difficult to find any message m such that h = hash(m). This concept is
related to that of one-way function.

Second pre-image resistance

Given an input m1 it should be difficult to find another input m2 such that m1 ≠ m2 and hash(m1) =
hash(m2).

Collision resistance

It should be difficult to find two different messages m1 and m2 such that hash(m1) = hash(m2).
Such a pair is called a cryptographic hash collision. This property is sometimes referred to as strong
collision resistance.

By Zebrehe G. 55
 Encryption Versus Hashing
Encryption Hashing

Password is usually added

Uses a key as an
to text; the two are
Use of Key input to an
combined, and the
encryption method
combination is hashed

Output is of a fixed
Length of Output is similar in
short length,
Result length to input
regardless of input

Reversible; ciphertext One-way function; hash

Reversibility can be decrypted cannot be “de-hashed” back
back to plaintext to the original string

By Zebrehe G. 56
 Public key encryption algorithms
Definition: The multiplicative inverse of x with modulo n is y such that (x*y) mod n = 1

E.g:x=3; n=10, => y=7; since (3*7) mod 10 = 1

• The above multiplicative inverse can be used to create a simple public key cipher:
either x or y can be thought of as a secret key and the other is the public key. Let x = 3,
y = 7, n = 10, and M be the message:
• M=4;
• 3*4 mod 10 = 2; (ciphertext) - encrypting
• 2*7 mod 10 = 4 = M ; (message) - decrypting
• M =6 ;
• 3*6 mod 10 = 8;
• 8*7 mod 10 = 6 = M (message)

By Zebrehe G. 57
 RSA
RSA was invented by three scholars Rivest, Shamir, and Adleman.

The two aspects of the RSA are pair of key generation and encryption-decryption algorithms.

1. Generate the RSA modulus (n)

Select two large primes, p and q , Calculate n=p*q.

 For strong unbreakable encryption, let n be a large number, typically a minimum of 512 bits.

Find Derived Number (e)

 Number e must be greater than 1 and less than ɸ =(p − 1)(q − 1).

There must be no common factor for e and ɸ except for 1.

 In other words two numbers e and ɸ are coprime.
By Zebrehe G. 58
 Cont..
Form the public key

 The pair of numbers (n, e) form the RSA public key and is made public.

 Interestingly, though n is part of the public key, difficulty in factorizing a large prime number ensures
that attacker cannot find in finite time the two primes (p & q) used to obtain n. This is strength of
RSA.

 Generate the private key

 Private Key d is calculated from p, q, and e. For given n and e, there is unique number d.

 Number d is the inverse of e modulo ɸ. This means that d is the number less than ɸ such that when
multiplied by e, it is equal to 1 modulo ɸ.

 This relationship is written mathematically as follows: ed = 1 mod ɸ.

 The Extended Euclidean Algorithm takes p, q,

By Zebrehe G.
and e as input and gives d as output. 59
 Cont..
2. Encryption and Decryption

The process of encryption and decryption are relatively straightforward and

computationally easy. modulo n

RSA operates on numbers. Hence, it is necessary to represent the plaintext as a

series of numbers less than n.

By Zebrehe G. 60
 Cont..

An example of generating RSA Key pair is given below.

 Let two primes be p = 7 and q = 13. Thus, modulus n = pq = 7 x 13 = 91.

 Select e = 5, which is a valid choice since there is no number that is common factor of 5 and (p − 1)(q
− 1) = 6 × 12 = 72, except for 1.

 The pair of numbers (n, e) = (91, 5) forms the public key and can be made available to anyone whom
we wish to be able to send us encrypted messages.

 Input p = 7, q = 13, and e = 5 to the Extended Euclidean Algorithm. The output will be d = 29.

 Check that the d calculated is correct by computing: de = 29 × 5 = 145 = 1 mod 72

 Hence, public key is (91, 5) and private keys is (91, 29).

By Zebrehe G. 61
 Cont..
RSA Encryption

The sender wish to send some text message to someone whose public key is (n, e).

The sender then represents the plaintext as a series of numbers less than n.

To encrypt the first plaintext P, which is a number modulo n. The encryption process
is simple mathematical step as: C = 𝑷𝑒 mod n

In other words, the ciphertext C is equal to the plaintext P multiplied by itself e times
and then reduced modulo n. This means that C is also a number less than n.

Returning to our Key Generation example with plaintext P = 10, we get ciphertext C

= 105 mod 91 By Zebrehe G. 62

 Cont..
RSA Decryption

The decryption process for RSA is also very straightforward. Suppose that the
receiver of public-key pair (n, e) has received a ciphertext C.

Receiver raises C to the power of his private key d. The result modulo n will be the
plaintext P: Plaintext = 𝐶 𝑑 mod n

Returning again to our numerical example, the ciphertext C = 82 would get

decrypted to number 10 using private key 29: Plaintext = 8229 mod 91 = 10.

By Zebrehe G. 63
 RSA Analysis
The security of RSA depends on the strengths of two separate functions. The RSA
cryptosystem is most popular public-key cryptosystem strength of which is based on
the practical difficulty of factoring the very large numbers.

Encryption Function: is considered as a one-way function of converting plaintext

into ciphertext and it can be reversed only with the knowledge of private key d.

Key Generation: The difficulty of determining a private key from an RSA public
key is equivalent to factoring the modulus n.
 An attacker thus cannot use knowledge of an RSA public key to determine an RSA private key
unless he can factor n. It is also a one way function, going from p & q values to modulus n is easy
but reverse is not possible.
By Zebrehe G. 64
 RSA Analysis
If either of these two functions are proved non one-way, then RSA will be broken.
In fact, if a technique for factoring efficiently is developed then RSA will no longer
be safe.

The strength of RSA encryption drastically goes down against attacks if the number
p and q are not large primes and/ or chosen public key e is a small number.

By Zebrehe G. 65
 RSA example:
Bob chooses p=5, q=7. Then n=35, ɸ =24.
e=5 (so e, ɸ relatively prime).
d=29 (so ed-1 exactly divisible by ɸ.
Keys generated are
Public key: (35,5)
Private key is (35, 29)

letter m me c = me mod n
encrypt:
l 12 1524832 17

d
decrypt:
c c m = cd mod n letter
17 481968572106750915091411825223071697 12 l

By Zebrehe G. 66
Cont…
Encrypt the word love using (c = me mod n)
Assume that the alphabets are between 1 & 26
Plain Text Numeric Representation me Cipher Text (c = me mod n)

l 12 248832 17
o 15 759375 15
v 22 5153632 22

Decrypt
e the word love
5 using (m3125= cd mod n) 10

n = 35, c=29
Cipher cd (m = me mod n) Plain
Text Text
17 481968572106750915091411825223072000 17 l

15 12783403948858939111232757568359400 15 o

22 852643319086537701956194499721110000000 22 v

By Zebrehe G. 67
10 100000000000000000000000000000 10 e
Question
Given that in the RSA algorithm model p=7,q=9,e=5 and the quotient
when we divide ed-1 by ɸ is 3 (in other words: ed mod ɸ = 1 ).
Calculate:
1. n
2. ɸ
3. d
4. Public Key
5. Private Key Assignment 5 (2%) : Solve the above question?

By Zebrehe G. 68
 DES, 3DES, and AES

DES 3DES AES

Key Length (bits) 56 112 or 168 128, 192, 256

Key Strength Weak Strong Strong

Processing
Moderate High Modest
Requirements

RAM Requirements Moderate High Modest

Assignment 5 (2%) : Types of Cryptanalytic Attacks?

69
By Zebrehe G.
Web services
A web service is any piece of software that makes itself available over the internet
and uses a standardized XML messaging system.

XML is used to encode all communications to a web service.

Web services are self-contained, modular, distributed, dynamic applications that can
be described, published, located, or invoked over the network to create products,
processes, and supply chains.

A web service is a collection of open protocols and standards used for exchanging
data between applications or systems.

By Zebrehe G. 70
 Cont…
To summarize, a complete web service is, therefore, any service that:

Is available over the Internet or private (intranet) networks

Uses a standardized XML messaging system

Is not tied to any one operating system or programming language

Is self-describing via a common XML grammar

Is discoverable via a simple find mechanism

By Zebrehe G. 71
 Web services Security
Security is critical to web services.

There are three specific security issues with web services:

1. Confidentiality: If a client sends an XML request to a server, can we ensure that

the communication remains confidential?

2. Authentication: If a client connects to a web service, how do we identify the user?

Is the user authorized to use the service?

3. Network Security:

By Zebrehe G. 72
 How Do You Build Secure Web Services?

The keys to building secure Web services include:

Identify your security objectives. This includes identifying your security
requirements.

Know your threats. Know which threats are relevant for your particular scenarios
and context. Threat modeling is an effective technique for helping you identify
relevant threats and vulnerabilities.

Apply proven principles, patterns, and practices. They are a good starting point
for building secure services.
 You can eliminate classes of security problems. You can also leverage lessons learned.

 Patterns are effectively reusable solutions and typically encapsulate underlying principles.
By Zebrehe G. 73
 Cont..
Apply effective security engineering throughout the application life cycle.

You should consider security throughout your application life cycle. You should

start with security objectives.

 Threat modeling will help you shape your design and make key trade-offs. Security design,

code, and deployment inspections, along with testing, will improve your overall security

posture.

By Zebrehe G. 74
 Wired/wireless Public key infrastructure
A public key infrastructure (PKI): is a set of rules, policies, and procedures
needed to create, manage, distribute, use, store, and revoke digital certificates and manage
public-key encryption.

The purpose of a PKI is to facilitate the secure electronic transfer of information for a
range of network activities such as e-commerce, internet banking and confidential
email.

Wireless Public Key Infrastructure (WPKI): is a two-factor authentication

scheme using mainly the mobile phone and a laptop.

It is mainly promoted by banks, mobile operators, and mobile network manufacturers.

By Zebrehe G. 75
 Windows Vista Security: Internet: Protocol versions 4/6

Windows Server 2008 and Windows Vista TCP/IP was completely redesigned to
support both Internet Protocol version 4 (IPv4) and Internet Protocol version 6
(IPv6) to meet the connectivity and performance needs of today's varied
networking environments and technologies.

By Zebrehe G. 76
 Cont…
Some important security features introduced with Windows Vista.

1. User Account Control (UAC): provides a much safer environment when privileged
and non-privileged applications share the same user session and desktop. This has
several important benefits:

It prevents lower-integrity processes from modify higher-integrity system objects and
registry keys.

It provides a first layer of protection against common shatter (breaker) attacks, wherein
malicious code attempts to use window messages to probe and then implement privilege
escalation by having vulnerable, elevated processes run arbitrary code.

By Zebrehe G. 77
 Cont…
It prevents lower-integrity processes from using window messages to drive the user
interface of an elevated process.

UAC uses this functionality to enable a key scenario called Admin Approval Mode (AAM).

The Logon Security Authentication Subsystem, unlike in previous version of Windows,

creates only a standard user security token for the base interactive session when UAC is
enabled.

When a user needs to run a process, or execute an action, that requires the full admin token,
that new process is then instantiated, after the user is prompted via a dialog box shown on
the secure desktop.

By Zebrehe G. 78
Cont…

By Zebrehe G. 79
 Cont…
2. Internet Explorer Protected Mode
This functionality is implemented by running Internet Explorer, when
UAC is enabled, with an integrity level below that of a standard user,
significantly reducing the ability of Internet Explorer to modify data or
install applications.

By Zebrehe G. 80
 Cont…
Standard User Support

To further support the standard user scenarios, Windows Vista implements
several additional key features. Standard users now can:

Change the displayed time (not the actual system clock) using the Change
the time zone privilege .

Configure Wired Equivalent Privacy/Wi-Fi Protected Access (WEP/WPA)

settings when they connect to wireless networks (or conversely, profiles for
wireless can be centrally managed via Group Policy).
By Zebrehe G. 81
 Cont…
 Change power management settings.

Install critical Windows updates (or this can be enforced by administrators).

Install printer and other device drivers approved by IT administrators, as well as

ActiveX® control controls from administrator-approved sites, if enabled via Group

Policy settings.

By Zebrehe G. 82
 Cont…

BitLocker Drive Encryption

BitLocker™ is the Microsoft full volume drive encryption technology

that is available with Windows Vista Enterprise and Ultimate editions.

With the introduction of SP1, this technology allows for the encryption
of multiple volumes on a computer using one or more authentication
factors, as the Figure shows.

By Zebrehe G. 83
 Cont…
Windows Resource Protection

Windows Resource Protection (WRP) is a technology that restricts

access to certain core system files, folders, and registry keys that are
part of the Windows Vista installation. WRP prevents files with .dll,
.exe, .ocx, and .sys file extensions from being modified or replaced.

By Zebrehe G. 84
 Cont…

Advanced Firewall

One of the most important new enterprise features of Windows Vista is

the new network stack with its myriad advanced security features. The
Firewall and IPsec functionality are now built on a new subsystem
called the Windows Filtering Platform (WFP), which provides both the
core firewall functionality and is also fully extensible by third parties
via a well-documented call-out infrastructure.

By Zebrehe G. 85
 What is an intrusion prevention system?
Intrusion Prevention and Detection System Basics
An Intrusion Prevention System (IPS) is a network security/threat
prevention technology that examines network traffic flows to detect and
prevent vulnerability exploits.
IDS — A Passive Security Solution
An intrusion detection system (IDS) is designed to monitor all inbound and
outbound network activity and identify any suspicious patterns that may
indicate a network or system attack from someone attempting to break into or
compromise a system.

By Zebrehe G. 86
What is an intrusion prevention system?

By Zebrehe G. 87
 Cont…
The IPS often sits directly behind the firewall and is provides a complementary layer of
analysis that negatively selects for dangerous content.

IPS is placed inline (in the direct communication path between source and destination),
actively analyzing and taking automated actions on all traffic flows that enter the network.

these actions include:

 Sending an alarm to the administrator (as would be seen in an IDS)

 Dropping the malicious packets

 Blocking traffic from the source address

 Resetting the connection

By Zebrehe G. 88
 Cont…

The IPS has a number of detection methods for finding exploits, but
signature-based detection and statistical anomaly-based detection are the
two dominant mechanisms.

Statistical anomaly detection takes samples of network traffic at

random and compares them to a pre-calculated baseline performance
level. When the sample of network traffic activity is outside the
parameters of baseline performance, the IPS takes action to handle the
situation.
By Zebrehe G. 89
 Cont….
Signature-based detection is based on a dictionary of uniquely identifiable patterns (or
signatures) in the code of each exploit. Signature detection for IPS breaks down into two
types:

1. Exploit-facing signatures identify individual exploits by triggering on the unique

patterns of a particular exploit attempt. The IPS can identify specific exploits by finding a
match with an exploit-facing signature in the traffic stream

2. Vulnerability-facing signatures are broader signatures that target the underlying

vulnerability in the system that is being targeted. These signatures allow networks to be
protected from variants of an exploit that may not have been directly observed in the
wild, but also raise the risk of false-positives.

By Zebrehe G. 90
 IDS vs IPS
IDS (Intrusion Detection System) systems only detect an intrusion, log
the attack and send an alert to the administrator. IDS systems do not slow
networks down like IPS as they are not inline.

IDS can be used initially to see how the system behaves without actually
blocking anything. Then once fine tuned IPS can be turned on and the
system can be deployed inline to provide full protection.

By Zebrehe G. 91
 Intrusion Detection and Prevention software for Windows

Intrusion detection software are of two types.

1. Host-based intrusion detection system

2. Network-based intrusion detection system.

The network-based intrusion detection system relies on data packets travelling on the network to

make sure everything is alright.

It works by comparing data packets by known types of attacks and by finding out irregularities in data

packets travelling on the network.

The host-based intrusion system relies more on system settings to see if there is any kind of

compromise or if any software is trying to force changes on your computer or computer network.
By Zebrehe G. 92
By Zebrehe G. 93