CRYPTOGRAPHY & INFORMATION SECURITY

Upload: sandeep-goyal

Post on 24-Sep-2015


Overview of Cryptography & Its Applications:

People want and need privacy and security while communicating. In the past, cryptography was heavily used for military applications to keep sensitive information secret from enemies (adversaries). Julius Caesar used a simple shift cipher to communicate with his generals on the battlefield. Nowadays, as technological progress has increased our dependency on electronic systems, we need more sophisticated techniques. Cryptography provides most of the methods and techniques for secure communication.

Overview of Information Security & Its Applications:

It mainly specifies how particular information is protected, i.e., protection. Security makes the information inaccessible to a third party. It contains 4 basic structures, namely:
1. Security Attacks
2. Security Services
3. Security Mechanisms
4. A model for network security

Security attacks: Any action that compromises the security of information owned by an organization.

[Figure: Normal Information Flow, source to destination]

The 4 general categories of attacks are, namely:

Interruption: This is an attack on availability in which the resources of a computer system are damaged or become unavailable.

Interception: It affects the confidentiality of information; an unauthorized person or program gains access to or control of some system resource.

Modification: It is an attack against the integrity of the information, i.e., modifying the values in a data file.

Fabrication: This is an attack on the authenticity of a message in which an unauthorized party adds fake objects into the system.

[Figures: source, destination and intruder]

Security attacks (contd.):

There are 2 types of attacks, namely:

Passive Attack: It refers to the process of monitoring or wiretapping the ongoing transmission. It includes
1. Release of message contents
2. Traffic Analysis

Active Attack: An attacker can alter the information or sometimes inject fraudulent information into the network. It includes
1. Masquerade
2. Replay
3. Modification
4. Denial of service

Security Services:

X.800 defines it as: a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers

RFC 2828 defines it as: a processing or communication service provided by a system to give a specific kind of protection to system resources

X.800 defines it in 5 major categories:
Authentication - assurance that the communicating entity is the one claimed
Access Control - prevention of the unauthorized use of a resource
Data Confidentiality - protection of data from unauthorized disclosure
Data Integrity - assurance that data received is as sent by an authorized entity
Non-Repudiation - protection against denial by one of the parties in communication
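How the Data Integrity and Authentication services answer the active attacks listed above (modification, fabrication/masquerade, replay), as an added example that is not part of the original seminar. The shared key, the message layout (8-byte sequence number plus payload) and the names `protect` and `Receiver` are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed sample key, shared in advance by sender and receiver.
KEY = b"constructed-demo-key-shared-by-alice-and-bob"

def protect(key: bytes, seq: int, payload: bytes) -> dict:
    """Sender side: one MAC covers both the sequence number and the payload."""
    header = seq.to_bytes(8, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return {"seq": seq, "payload": payload, "tag": tag}

class Receiver:
    """Receiver side: checks integrity/origin first, then freshness."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, msg: dict) -> str:
        header = msg["seq"].to_bytes(8, "big")
        expected = hmac.new(self.key, header + msg["payload"], hashlib.sha256).digest()
        # Constant-time comparison; fails for altered or forged messages.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad MAC (modification or fabrication)"
        # A valid MAC on an old sequence number is a replayed message.
        if msg["seq"] <= self.last_seq:
            return "rejected: replay"
        self.last_seq = msg["seq"]
        return "accepted"

def demo() -> list:
    rx = Receiver(KEY)
    genuine = protect(KEY, 1, b"pay 10 to carol")
    results = [rx.accept(genuine)]
    # Modification: payload and sequence number changed, old tag kept.
    results.append(rx.accept(dict(genuine, seq=2, payload=b"pay 99 to carol")))
    # Fabrication: message built by a party that does not hold the key.
    results.append(rx.accept(protect(b"not-the-shared-key", 2, b"pay 50 to mallory")))
    # Replay: the genuine message is sent a second time, unchanged.
    results.append(rx.accept(genuine))
    results.append(rx.accept(protect(KEY, 2, b"pay 5 to dave")))
    return results

if __name__ == "__main__":
    for line in demo():
        print(line)
```

A shared-key MAC gives integrity and origin authentication between the two key holders but not non-repudiation, since either holder could have produced the tag; that service needs a digital signature.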

Security Mechanisms: The security mechanisms in X.800 are categorized into 2 types, namely:

Specific security mechanisms: The mechanisms that are executed in a particular protocol layer. It includes,
1. Encipherment
2. Digital Signatures
3. Access Controls
4. Data Integrity
5. Authentication Exchange
6. Traffic Padding
7. Routing Control
8. Notarization

Security Mechanisms (contd.):

Pervasive Mechanisms: The mechanisms that are not specific to any protocol layer. It includes,
1. Trusted functionality
2. Security Labels
3. Event Detection
4. Security Audit Trails
5. Security Recovery

A Model For Network Security:

[Figure: model for network security. Labels: Trusted Third Party, Secret Information (sender), Opponent, Secret Information (receiver), MSG, Secure Message, Information Channel, Secure Message, MSG]

Terminology Related To Cryptography:

Cryptology: All-inclusive term used for the study of secure communication over non-secure channels and related problems.
Cryptography: The process of designing systems to realize secure communications over non-secure channels.
Cryptanalysis: The discipline of breaking cryptographic systems.
Coding Theory: Deals with representing information using codes. It covers compression, secrecy, and error-correction. Recently, it is predominantly associated with error-correcting codes, which ensure correct transmission over noisy channels.

Cryptography: process of making and using codes to secure transmission of information
Encryption: converting the original message into a form unreadable by unauthorized individuals, i.e., converting a given plain text into cipher text.
Decryption: converting the obtained cipher text back into the original message, i.e., plain text.

Secure Communications:

[Figure: Basic Communication Scenario. Labels: Alice, Encrypt, Encryption Key, plaintext, ciphertext, Decrypt, Decryption Key, Bob, Eve (Enemy or Adversary; also Mallory, Oscar)]

Eve's Goals:

1. Read the message.
2. Figure out the key Alice is using and read all the messages encrypted with that key.
3. Modify the content of the message in such a way that Bob will think Alice sent the altered message.
4. Impersonate Alice and communicate with Bob, who thinks he is communicating with Alice.

Oscar is a passive observer who is trying to perform (1) and (2).

Mallory is more active and evil, and is trying to perform (3) and (4).

Attack Methods:

Ciphertext only: Alice has only a copy of ciphertext.
Known Plaintext: Eve has a copy of ciphertext and the corresponding plaintext and tries to deduce the key.
Chosen Plaintext: Eve has a copy of ciphertext corresponding to a copy of plaintext selected by Alice who believes it is useful to deduce the key.
Chosen Ciphertext: Eve has a copy of plaintext corresponding to a copy of ciphertext selected by Alice who believes it is useful to deduce the key.
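Why the shift cipher from the overview offers no protection under the two weakest attack models above (known plaintext and ciphertext only), as an added example that is not part of the original seminar. The sample message, the key and the frequency-scoring approach are constructed for the illustration.

```python
from collections import Counter
import string

ALPHABET = string.ascii_uppercase
# Approximate English letter frequencies in percent, A..Z (reference table).
ENGLISH_FREQ = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15,
                0.77, 4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06,
                2.76, 0.98, 2.36, 0.15, 1.97, 0.07]
# Constructed sample message and key for the demonstration.
SAMPLE_PLAIN = ("MEET THE GENERALS AT THE NORTHERN BRIDGE BEFORE SUNRISE "
                "AND BRING THE SEALED ORDERS")
SAMPLE_KEY = 3

def shift(text: str, key: int) -> str:
    """Shift every letter by `key` positions; a negative key decrypts."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)

def known_plaintext_key(plain: str, cipher: str) -> int:
    """Known plaintext: a single matching letter pair reveals the whole key."""
    for p, c in zip(plain.upper(), cipher.upper()):
        if p in ALPHABET and c in ALPHABET:
            return (ALPHABET.index(c) - ALPHABET.index(p)) % 26
    raise ValueError("no letters to compare")

def chi_squared(text: str) -> float:
    """Distance between the text's letter counts and English expectations."""
    counts = Counter(ch for ch in text if ch in ALPHABET)
    n = sum(counts.values()) or 1
    return sum((counts[ALPHABET[i]] - n * f / 100) ** 2 / (n * f / 100)
               for i, f in enumerate(ENGLISH_FREQ))

def ciphertext_only_key(cipher: str) -> int:
    """Ciphertext only: try all 26 keys, keep the most English-looking result."""
    return min(range(26), key=lambda k: chi_squared(shift(cipher, -k)))

if __name__ == "__main__":
    ct = shift(SAMPLE_PLAIN, SAMPLE_KEY)
    print(ct)
    print(known_plaintext_key("MEET", ct[:4]), ciphertext_only_key(ct))
```

The key space has only 26 values and the cipher preserves letter statistics, which is why modern ciphers are designed to withstand all four attack models rather than only the first.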

Cryptographic Algorithms:

Often grouped into two broad categories, symmetric and asymmetric; today's popular cryptosystems use a hybrid combination of symmetric and asymmetric algorithms
Symmetric and asymmetric algorithms are distinguished by the types of keys used for encryption and decryption operations

Cryptographic Algorithms (continued):

Symmetric encryption: uses the same secret key to encipher and decipher the message
Encryption methods can be extremely efficient, requiring minimal processing
Both sender and receiver must possess the encryption key
If either copy of the key is compromised, an intermediary can decrypt and read messages

Cryptographic Algorithms (continued):

Data Encryption Standard (DES): one of the most popular symmetric encryption cryptosystems
64-bit block size; 56-bit key
Adopted by NIST in 1976 as federal standard for encrypting non-classified information
Triple DES (3DES): created to provide security far beyond DES
Advanced Encryption Standard (AES): developed to replace both DES and 3DES

Cryptographic Algorithms (continued):

Asymmetric Encryption (public key encryption):
Uses two different but related keys; either key can encrypt or decrypt the message
If Key A encrypts the message, only Key B can decrypt
Highest value when one key serves as private key and the other serves as public key
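The "either key can encrypt, only the other key can decrypt" property, shown with textbook RSA as an added example that is not part of the original seminar. RSA is chosen here for illustration (the slides name no asymmetric algorithm); the tiny primes are constructed, and the scheme as written has no padding and is not secure for real use.

```python
from math import gcd

def make_keypair(p: int, q: int, e: int = 17):
    """Derive two related keys (Key A, Key B) from two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)        # Key A (public), Key B (private)

def apply_key(key, m: int) -> int:
    """Encrypting and decrypting are the same operation with different keys."""
    exponent, n = key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, exponent, n)

def demo():
    key_a, key_b = make_keypair(61, 53)   # constructed toy primes
    message = 65
    # Confidentiality: anyone encrypts with public Key A, only Key B decrypts.
    ciphertext = apply_key(key_a, message)
    recovered = apply_key(key_b, ciphertext)
    # Authentication: the owner transforms with private Key B, anyone can
    # check the result with public Key A (the basis of digital signatures).
    signature = apply_key(key_b, message)
    verified = apply_key(key_a, signature)
    # The key that encrypted cannot undo its own work.
    same_key_again = apply_key(key_a, ciphertext)
    return ciphertext, recovered, verified, same_key_again

if __name__ == "__main__":
    print(demo())
```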

Fundamental Cryptographic Applications:

Confidentiality: Hiding the contents of the messages exchanged in a transaction
Authentication: Ensuring that the origin of a message is correctly identified
Integrity: Ensuring that only authorized parties are able to modify computer system assets and transmitted information
Non-repudiation: Requires that neither of the authorized parties deny the aspects of a valid transaction

Other Cryptographic Applications:

Digital Signatures: allow one to electronically sign (personalize) electronic documents, messages and transactions.
Identification: capable of replacing password-based identification methods with more powerful (secure) techniques.
Key Establishment: to communicate a key to your correspondent (or perhaps actually mutually generate it with him) whom you have never physically met before.
Secret Sharing: distribute the parts of a secret to a group of people who can never exploit it individually.
E-commerce: carry out secure transactions over an insecure channel like the Internet. (E-cash and Games)

Protocols for Secure Communications:

Secure Socket Layer (SSL) protocol: uses public key encryption to secure a channel over the public Internet
Secure Hypertext Transfer Protocol (S-HTTP): extended version of Hypertext Transfer Protocol; provides for encryption of individual messages between client and server across the Internet
S-HTTP is the application of SSL over HTTP; allows encryption of information passing between computers through a protected and secure virtual connection

Protocols for Secure Communications (continued):

Securing E-mail with S/MIME, PEM, and PGP
Secure Multipurpose Internet Mail Extensions (S/MIME): builds on Multipurpose Internet Mail Extensions (MIME) encoding format by adding encryption and authentication
Privacy Enhanced Mail (PEM): proposed as standard to function with public key cryptosystems; uses 3DES symmetric key encryption
Pretty Good Privacy (PGP): uses IDEA Cipher for message encoding

Protocols for Secure Communications (continued):

Securing Web transactions with SET, SSL, and S-HTTP
Secure Electronic Transactions (SET): developed by MasterCard and VISA in 1997 to provide protection from electronic payment fraud
Uses DES to encrypt credit card information transfers
Provides security for both Internet-based credit card transactions and credit card swipe systems in retail stores

Advantages & Disadvantages of Cryptography and Information Security:

Advantages: There will be perfect security for the secret writing.

Disadvantages: There will be hacking problems, i.e., there is a problem with the secret writing.

Future of Cryptography & Information Security:

There will be technology like quantum computing, where a quantum computer would deal with quantum bits (qubits) that can simultaneously represent both 0 and 1 by simultaneously spinning in different directions.

Conclusion:

Information security is increasingly important
Information has varying degrees of sensitivity (cf. military info classifications: confidential, secret, etc.)
Subjects (people or programs) have varying rights of access to objects (information)
Cryptography and encryption provide a sophisticated approach to security
Many security-related tools use embedded encryption technologies
Encryption converts a message into a form that is unreadable by the unauthorized
Many tools are available and can be classified as symmetric or asymmetric, each having advantages and special capabilities