Chapter 17 Security. Information Systems Cryptography Key Exchange Protocols Password Combinatorics...


Page 1: Chapter 17 Security. Information Systems Cryptography Key Exchange Protocols Password Combinatorics Other Security Issues 12-2.

Chapter 17

Security

Page 2:

Information Systems

• Cryptography
• Key Exchange Protocols
• Password Combinatorics
• Other Security Issues

Page 3:

Chapter Goals

• Cryptography Techniques
• Information Security Issues

Page 4:

Cryptography and Information Security

Page 5:

Cryptography

Cryptography: the field of study related to encoded information (comes from the Greek for "secret writing")

Encryption: the process of converting plaintext into ciphertext

Decryption: the process of converting ciphertext into plaintext

Page 6:

Cryptography

[Diagram: plaintext message --Encryption--> ciphertext message --Decryption--> plaintext message]

Encrypted(Information) cannot be read (understood)

Decrypted(Encrypted(Information)) can be

Page 7:

Cryptography

Cipher: an algorithm used to encrypt and decrypt text

Key: the set of parameters that guide a cipher

• Neither is any good without the other
• Need to keep at least one of these secret
• (or even better, both)

Page 8:

Cryptography

Substitution cipher -- A cipher that substitutes one character with another

Caesar cipher -- A substitution cipher that shifts characters a certain number of positions in the alphabet

Transposition cipher -- A cipher that rearranges the order of the existing characters in a message in a certain way (e.g., a route cipher)

Page 9:

Substitution cipher

Plain:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Encrypt(COMPUTER) = FRPSXWHU

Decrypt(FRPSXWHU) = COMPUTER

Why is this called the Caesar cipher? What is the key?
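The shift cipher on this slide, as an added worked example (not code from the slides): the key is the shift, 3 for the table above, and decryption is simply the opposite shift. Function names and the generalisation to any shift are the example's own.

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def caesar_encrypt(plaintext, shift):
    """Shift every capital letter `shift` places forward, wrapping Z back to A.
    The shift is the key; characters outside the alphabet pass through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext, shift):
    """Decryption is encryption with the opposite shift."""
    return caesar_encrypt(ciphertext, -shift)


def substitution_table(shift):
    """The two-row table from the slide, for any shift: (plain row, cipher row)."""
    return ALPHABET, caesar_encrypt(ALPHABET, shift)


if __name__ == "__main__":
    plain, cipher = substitution_table(3)
    print(plain)
    print(cipher)
    print(caesar_encrypt("COMPUTER", 3))   # FRPSXWHU
    print(caesar_decrypt("FRPSXWHU", 3))   # COMPUTER
```

Because the only secret is a shift between 1 and 25, the key space is tiny; the cryptanalysis slides later in the chapter show why that matters.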

Page 10:

Transposition Cipher

T O D A Y
+ I S + M
O N D A Y

Algorithm 1: Write across rows, read down columns

Encrypt(TODAY IS MONDAY) = T+OOINDSDA+AYMY

The key is the table dimensions, 5 x 3

Page 11:

Transposition Cipher

T O D A Y
+ I S + M
O N D A Y

Algorithm 2: Write across rows, read in a counter-clockwise spiral from the top-left

Encrypt(TODAY IS MONDAY) = T+ONDAYMYADOIS+
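Both route ciphers from pages 10 and 11, as an added example that is not part of the slides: the message is written across the rows of a table whose width is the key, then read out either down the columns (algorithm 1) or in a counter-clockwise spiral from the top-left (algorithm 2). Spaces are written as `+` as on the slides; the function names and the padding rule for a short last row are this example's own assumptions.

```python
PAD = "+"   # the slide writes the spaces in "TODAY IS MONDAY" as '+'


def to_grid(message, cols):
    """Write the message across rows of a table `cols` wide (the table size is the key)."""
    text = message.replace(" ", PAD)
    if len(text) % cols:
        text += PAD * (cols - len(text) % cols)   # fill out a short last row
    return [text[i:i + cols] for i in range(0, len(text), cols)]


def encrypt_columns(message, cols):
    """Algorithm 1: write across rows, read down the columns."""
    grid = to_grid(message, cols)
    return "".join(grid[r][c] for c in range(cols) for r in range(len(grid)))


def decrypt_columns(ciphertext, cols):
    """Undo algorithm 1: the ciphertext is the columns laid end to end."""
    rows = len(ciphertext) // cols
    columns = [ciphertext[c * rows:(c + 1) * rows] for c in range(cols)]
    text = "".join(columns[c][r] for r in range(rows) for c in range(cols))
    return text.replace(PAD, " ").rstrip()


def encrypt_spiral(message, cols):
    """Algorithm 2: write across rows, read in a counter-clockwise spiral from the
    top-left: down the left edge, right along the bottom, up the right edge,
    left along the top, then the same pattern on the inner cells."""
    grid = to_grid(message, cols)
    top, bottom, left, right = 0, len(grid) - 1, 0, cols - 1
    out = []
    while top <= bottom and left <= right:
        for r in range(top, bottom + 1):          # down the left column
            out.append(grid[r][left])
        left += 1
        for c in range(left, right + 1):          # right along the bottom row
            out.append(grid[bottom][c])
        bottom -= 1
        if left <= right:
            for r in range(bottom, top - 1, -1):  # up the right column
                out.append(grid[r][right])
            right -= 1
        if top <= bottom:
            for c in range(right, left - 1, -1):  # left along the top row
                out.append(grid[top][c])
            top += 1
    return "".join(out)


if __name__ == "__main__":
    print(encrypt_columns("TODAY IS MONDAY", 5))   # T+OOINDSDA+AYMY
    print(encrypt_spiral("TODAY IS MONDAY", 5))    # T+ONDAYMYADOIS+
    print(decrypt_columns("T+OOINDSDA+AYMY", 5))   # TODAY IS MONDAY
```

Note that a transposition only reorders the letters: the ciphertext has exactly the plaintext's letter counts, which is why the frequency analysis on the following slides still applies to it.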

Page 12:

Cryptanalysis

Cryptanalysis: decrypting a message without knowing the cipher or the key

Substitution and transposition ciphers are easy for modern computers to break using frequency analysis of characters and patterns

To protect information, more sophisticated schemes are needed

Page 13:

Cryptanalysis with Frequency Analysis

Frequency analysis: breaking a cipher by looking for the frequency of letters (or other patterns)

English letter frequency (%)

Letter  Frequency    Letter  Frequency
A        8.23        N        6.81
B        1.26        O        7.59
C        4.04        P        2.58
D        3.40        Q        0.14
E       12.32        R        6.67
F        2.28        S        7.64
G        2.77        T        8.37
H        3.94        U        2.43
I        8.08        V        0.97
J        0.14        W        1.07
K        0.43        X        0.29
L        3.79        Y        1.46
M        3.06        Z        0.09
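Frequency analysis against the Caesar cipher of page 9, as an added example (not from the slides): every one of the 26 possible shifts is tried, and the candidate whose letter counts sit closest to the English table above (measured with a chi-squared distance) is chosen. The sample message is constructed from the sentence on page 12; the function names and the chi-squared scoring are this example's own choices.

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# English letter frequencies in percent, copied from the slide's table.
ENGLISH_FREQ = {
    "A": 8.23, "B": 1.26, "C": 4.04, "D": 3.40, "E": 12.32, "F": 2.28, "G": 2.77,
    "H": 3.94, "I": 8.08, "J": 0.14, "K": 0.43, "L": 3.79, "M": 3.06, "N": 6.81,
    "O": 7.59, "P": 2.58, "Q": 0.14, "R": 6.67, "S": 7.64, "T": 8.37, "U": 2.43,
    "V": 0.97, "W": 1.07, "X": 0.29, "Y": 1.46, "Z": 0.09,
}

# Constructed sample (the sentence from page 12), not a captured message.
SAMPLE_PLAINTEXT = ("SUBSTITUTION AND TRANSPOSITION CIPHERS ARE EASY FOR MODERN "
                    "COMPUTERS TO BREAK USING FREQUENCY ANALYSIS OF CHARACTERS AND PATTERNS")


def shift_text(text, shift):
    """Caesar shift; non-letters pass through unchanged."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] if c in ALPHABET else c
                   for c in text)


def letter_counts(text):
    counts = {letter: 0 for letter in ALPHABET}
    for c in text:
        if c in counts:
            counts[c] += 1
    return counts


def chi_squared(text):
    """Distance between the text's letter distribution and English: lower is more English-like."""
    counts = letter_counts(text)
    n = sum(counts.values())
    if n == 0:
        return float("inf")
    total = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = pct / 100 * n
        total += (counts[letter] - expected) ** 2 / expected
    return total


def most_common(text, k=5):
    """The k most frequent letters, ties broken alphabetically."""
    counts = letter_counts(text)
    return sorted(counts, key=lambda letter: (-counts[letter], letter))[:k]


def break_caesar(ciphertext):
    """Try all 26 shifts and keep the one whose plaintext looks most like English."""
    best = min(range(26), key=lambda s: chi_squared(shift_text(ciphertext, -s)))
    return best, shift_text(ciphertext, -best)


if __name__ == "__main__":
    ciphertext = shift_text(SAMPLE_PLAINTEXT, 11)
    print(most_common(ciphertext, 3))   # the shifted images of S, A, R
    shift, recovered = break_caesar(ciphertext)
    print(shift, recovered == SAMPLE_PLAINTEXT)   # 11 True
```

The attack needs no key and barely any computation, which is the slide's point: a cipher whose ciphertext preserves the plaintext's letter statistics gives the analyst everything needed.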

Page 14:

Encryption Standards

There are 2 standard encryption systems:

1) 3DES, aka private-key cryptography: efficient, but needs a secret key!

2) RSA, aka public-key cryptography: actually uses a pair of keys, one public, one private

Page 15:

3DES (Triple Data Encryption Standard)

• Uses multiple substitutions and transpositions to hide patterns
• Encrypted text appears essentially random
• It is very hard to crack

The cipher algorithm is public; the key is kept secret

Page 16:

3DES (Triple Data Encryption Standard)

Since the cipher is public, bad guys can always try to guess the key

The key is 128 bits, so guessing takes a very long time: 2^128 = 340,000,000,000,000,000,000,000,000,000,000,000,000 keys

PROBLEM: How to keep the key secret?

Page 17:

RSA Public Key Cryptography

Public-key cryptography

• There are two related keys, one public and one private
• Sender encrypts an outgoing message using the Receiver's public key
• Only the Receiver's private key can decrypt the message

Page 18:

Exchanging Secret Keys

• 3DES is a more efficient algorithm than RSA
• However, the problem with 3DES is how to do the secret exchange of the private "session key" between sender and receiver
• RSA can help with this exchange

Page 19:

RSA Public Key Cryptography

Session Key Exchange

1) B generates a "session key", encrypts it using A's public key, and sends it to A

2) A uses its private key to decrypt the session key

Page 20:

3 Things RSA can help do

• Session Key Exchange: used to exchange 3DES "session keys"
• Authentication: are you who you say you are?
  – Like a written signature says: "I am me"
• Certification: are you a "good guy"?
  – Like a driver's license says "CA says I can drive"
  – Or a diploma says "FLC says I am educated"

Page 21:

Authentication: Digital Signatures

Key Exchange Protocol with Authentication:

• A encrypts a random number using B's public key
• B decrypts A's number using B's private key, combines the number with a session key, encrypts the whole message using A's public key, and sends it to A
• A decrypts the message using A's private key; if the random number matches, the message must be from B
  – (or at least from the same person who sent "B's public key")
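The session key exchange of page 19 and the authenticated variant on this page, as an added example that is not from the slides. It uses textbook RSA on tiny primes (the classic 61 x 53 pair for A and 101 x 113 for B, with the private exponent computed as the modular inverse), which keeps every step visible but is a teaching toy only: real RSA uses keys of thousands of bits and a padding scheme. The prime choices, key sizes, the nonce range and all function names are this example's assumptions.

```python
import random
from math import gcd


def make_keypair(p, q, e):
    """Textbook RSA on tiny primes (toy only): public key (e, n), private key (d, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_apply(key, blocks):
    """Encrypt with a public key or decrypt with a private key; each block is an int below n."""
    exp, n = key
    if any(not 0 <= b < n for b in blocks):
        raise ValueError("block out of range for this modulus")
    return [pow(b, exp, n) for b in blocks]


A_KEYS = make_keypair(61, 53, 17)     # n = 3233  (A's public and private key)
B_KEYS = make_keypair(101, 113, 11)   # n = 11413 (B's public and private key)
MAX_VALUE = 1 << 11                   # nonces and session keys fit under both moduli


def session_key_exchange(a_keys, rng):
    """Page 19: B picks a session key, encrypts it with A's public key; A decrypts it."""
    a_pub, a_priv = a_keys
    session_key = rng.randrange(1, MAX_VALUE)
    on_the_wire = rsa_apply(a_pub, [session_key])         # what an eavesdropper sees
    return session_key, rsa_apply(a_priv, on_the_wire)[0]


def reply_is_authentic(sent_nonce, returned_nonce):
    """A's check in step 3: only the holder of B's private key could have read the nonce."""
    return sent_nonce == returned_nonce


def authenticated_exchange(a_keys, b_keys, rng):
    """Page 21: A's random number (a nonce) ties the reply to B's private key."""
    a_pub, a_priv = a_keys
    b_pub, b_priv = b_keys
    # Step 1 (A): pick a random number and encrypt it with B's public key.
    nonce = rng.randrange(1, MAX_VALUE)
    msg1 = rsa_apply(b_pub, [nonce])
    # Step 2 (B): decrypt with B's private key, append a fresh session key,
    # encrypt the whole message with A's public key.
    seen_nonce = rsa_apply(b_priv, msg1)[0]
    session_key = rng.randrange(1, MAX_VALUE)
    msg2 = rsa_apply(a_pub, [seen_nonce, session_key])
    # Step 3 (A): decrypt with A's private key and compare the returned number.
    returned_nonce, recovered_key = rsa_apply(a_priv, msg2)
    return {"authenticated": reply_is_authentic(nonce, returned_nonce),
            "key_matches": recovered_key == session_key}


def demo(seed=7):
    """Run both protocols with a seeded generator so the result is reproducible."""
    rng = random.Random(seed)
    sent, received = session_key_exchange(A_KEYS, rng)
    result = authenticated_exchange(A_KEYS, B_KEYS, rng)
    result["plain_exchange_ok"] = sent == received
    return result


if __name__ == "__main__":
    print(A_KEYS)       # ((17, 3233), (2753, 3233))
    print(demo())       # {'authenticated': True, 'key_matches': True, 'plain_exchange_ok': True}
```

The slide's caveat still holds in code: the check proves the reply came from whoever holds the private key matching the public key A used, so A must already trust that public key, which is what the certification slide that follows is for.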

Page 22:

Certification

Digital certificate: uses a third party to prove you are a "good guy"

Example: Verisign

Made possible by RSA key pairs. Certificates can only be decrypted by the certificate issuer, essentially validating the certificate bearer

Page 23:

Password Combinations

Page 24:

Password Strength

Number bases can be used to calculate password strength

Questions

How many combinations are there for a 4-digit base-ten number?

How about a 4-digit binary number?

How about a 4 (capital) letter password?

Page 25:

Password Strength

Answers

9999 (base 10) = 9999 (base 10)

1111 (base 2) = 15 (base 10)

ZZZZ = ??
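The number-base arithmetic behind pages 24 and 25, as an added example that is not part of the slides: a password of a given length over an alphabet of size b is a base-b number, so the number of possible passwords is b raised to the length and the largest password (9999, 1111, ZZZZ) is that count minus one. The same function reproduces the 2^128 key count quoted on page 16. The function names, the guess-rate parameter and the 4-character table are this example's own.

```python
DIGITS = "0123456789"
BITS = "01"
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def count_passwords(alphabet, length):
    """Number of strings of the given length over the alphabet: base ** length."""
    return len(alphabet) ** length


def value_of(password, alphabet):
    """Read a string as a base-len(alphabet) number, e.g. '1111' over '01' is 15."""
    value = 0
    for ch in password:
        value = value * len(alphabet) + alphabet.index(ch)
    return value


def largest_password(alphabet, length):
    """The last password in counting order: the highest symbol repeated (9999, 1111, ZZZZ)."""
    return alphabet[-1] * length


def seconds_to_try_all(alphabet, length, guesses_per_second):
    """Worst-case time for an attacker who tries every password at a constant rate."""
    return count_passwords(alphabet, length) / guesses_per_second


def strength_table(length=4, guesses_per_second=1_000_000):
    """One row per alphabet: (name, combinations, largest password, its value, seconds to exhaust)."""
    rows = []
    for name, alphabet in (("decimal digits", DIGITS),
                           ("binary digits", BITS),
                           ("capital letters", UPPER)):
        biggest = largest_password(alphabet, length)
        rows.append((name,
                     count_passwords(alphabet, length),
                     biggest,
                     value_of(biggest, alphabet),
                     seconds_to_try_all(alphabet, length, guesses_per_second)))
    return rows


if __name__ == "__main__":
    for row in strength_table():
        print(row)
    # The 128-bit key count from page 16: a 39-digit number starting with 340...
    print(count_passwords(BITS, 128))
```

The table makes the slide's point quantitative: each extra character multiplies the attacker's work by the alphabet size, and a larger alphabet helps far less than a longer password.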

Page 26:

More Security Issues

Page 27:

Computer Security: Malicious Code

Malicious code: a computer program that attempts to bypass appropriate authorization and/or perform unauthorized functions

Worm: stands alone, targets network resources

Trojan horse: disguised as a benevolent resource

Virus: self-replicating

Logic bomb: set up to execute at a system event

Page 28:

Computer Security: Security Attacks

Security attack: an attack on the computer system itself

Password guessing

Phishing: tricks users into revealing security information

Spoofing: a malicious user masquerades as an authorized user

Back door: unauthorized access to anyone who knows it exists

Page 29:

Computer Security

Denial-of-service: an attack that overwhelms a system

Man-in-the-middle: network communication is intercepted in an attempt to obtain key data