Course Introduction

This document provides an introduction to a cryptography course. It discusses cyber security facts such as an increase in data breaches, ransomware, and mobile malware. It outlines the course grading policy and defines key security concepts like goals of confidentiality, integrity and availability. It also describes common security attacks like snooping, traffic analysis, modification and denial of service that threaten these goals. Finally, it classifies attacks as either passive like eavesdropping or active like masquerading.

Cryptography

Course Introduction

Ashutosh Bhatia
BITS Pilani
[email protected]
Overview
• Cyber Security Facts
• Grading Policy
• Security Concepts
  • Goals
  • Attacks
  • Services
  • Mechanisms
Cyber Security Facts
• A new Zero-Day vulnerability is discovered every week.
• Advanced attack groups continue to profit from previously undiscovered flaws in browsers and website plugins.
• They exploit the vulnerabilities until they are publicly exposed, then toss them aside for newly discovered vulnerabilities.

Ref: 2016 Internet Security Threat Report


Cyber Security Facts
• Over half a billion personal records were stolen or lost in 2015.
• Phishing campaigns targeting employees increased 55 percent in 2015.
• Ransomware increased 35 percent in 2015.
• There were more than three times as many Android apps classified as containing malware in 2015 than in 2014, an increase of 230 percent.

Ref: 2016 Internet Security Threat Report


Cyber Security Facts: Coin Mining Attack
• The rise in cryptocurrency values inspired many cyber criminals to shift to coin mining as an alternative revenue source.
• Compared to the previous year (2016), the number of coinminers present on the internet increased by 8,500 percent.
• A 600 percent increase in overall IoT attacks in 2017 means that cyber criminals could exploit the connected nature of these devices for mining purposes.

Ref: 2018 Internet Security Threat Report


Cyber Security Facts: Attacks on the Software Supply Chain
• Vulnerabilities in software are becoming increasingly difficult for attackers to identify and exploit.
• An alternative approach taken by attackers is to inject malware implants into the supply chain to infiltrate unsuspecting organizations.
• There was a 200 percent increase in such attacks, with one every month of 2017 compared to four attacks annually in prior years.
• Hijacking software updates provides attackers with an entry point for compromising well-protected targets.
• The Petya (Ransom.Petya) outbreak was the most notable example: after using Ukrainian accounting software as the point of entry, Petya/NotPetya used a variety of methods to spread across corporate networks to deploy the attackers' malicious payload.

Ref: 2018 Internet Security Threat Report


Cyber Security Facts
• The federal government has suffered a 680% increase in cyber security breaches in the past six years
• Governments, not hackers, are most likely to launch cyber attacks
• More than 600,000 accounts are compromised every day on Facebook alone
• The National Nuclear Security Administration records 10 million attempted hacks a day
• The US Navy receives 110,000 attacks per hour
• Every second, 18 adults suffer cybercrime (1.5 million/day)
• The global spam rate in 2013 was 68%; of this, 61% were adult/dating messages and 28% pharmaceutical.
Grading

• Mid-Term 30%
• Final Exam (Open Book) 40%
• Assignments (2) 15%
• Project 15%
Why Security

Protecting good from bad


Definitions
• Computer Security - generic name for the collection of tools
designed to protect data and to thwart hackers
• Network Security - measures to protect data during their
transmission
• Internet Security - measures to protect data during their
transmission over a collection of interconnected networks
• Mobile Security, Web Security, Software Security, OS security
…..
Three Attributes of Information

Authorized Users

Content (Data)

Time
Information Security Goals

Confidentiality
• Confidentiality of the Content: Assures that private or confidential information is not made available or disclosed to unauthorized individuals
• Confidentiality of Authorized Users (Privacy): Assures that individuals control or influence what information related to them may be collected and stored, and by whom and to whom that information may be disclosed

Integrity
• Content: Assures that information content is changed only in a specified and authorized manner
• Authorized Users: Assures that no adversary is able to claim to be an authorized user of the information
• Time: Assures that any modification related to the timing of the information gets detected

Availability
• Assures that systems work promptly and service is not denied to authorized users
Attacks

The three goals of security (confidentiality, integrity, and availability) can be threatened by security attacks.

Attacks
• Threatening Confidentiality
• Threatening Integrity
• Threatening Availability

Classification: Active and Passive


Attacks on Confidentiality

Attacks on the confidentiality of the content or the authorized user
• Snooping: Unauthorized access to or interception of data
• Traffic Analysis: Obtaining information about the data by monitoring online traffic

Attacks on Integrity
• Modification: Unauthorized changes in the content of the information
• Masquerading: An attacker impersonating one of the authorized entities
• Repudiation: An authorized entity trying to disown the information
• Replaying: An unauthorized attempt to resend the same data some time later

Attack on Availability
• Denial of Service: Either slowing down or totally disrupting the service of a system
Security Attacks

Security Attacks
• Threat to Confidentiality: Snooping, Traffic Analysis
• Threat to Integrity: Modification, Masquerading, Replaying, Repudiation
• Threat to Availability: Denial of Service
Classifying Attacks
• A means of classifying security attacks, used both in X.800 and RFC 4949, is in terms of passive attacks and active attacks
• A passive attack attempts to learn or make use of information from the system but does not affect system resources
• An active attack attempts to alter system resources or affect their operation
Passive Attacks
• Are in the nature of eavesdropping on, or monitoring of, transmissions
• Goal of the opponent is to obtain information that is being transmitted
• Two types of passive attacks are:
  • The release of message contents
  • Traffic analysis
Active Attacks
• Involve some modification of the data stream or the creation of a false stream
• Difficult to prevent because of the wide variety of potential physical, software, and network vulnerabilities
• Goal is to detect attacks and to recover from any disruption or delays caused by them

• Masquerade: Takes place when one entity pretends to be a different entity; usually includes one of the other forms of active attack
• Replay: Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
• Modification of messages: Some portion of a legitimate message is altered, or messages are delayed or reordered to produce an unauthorized effect
• Denial of service: Prevents or inhibits the normal use or management of communications facilities
Standards
National Institute of Standards and Technology
• NIST is a U.S. federal agency that deals with measurement science, standards, and technology related to U.S. government use
and to the promotion of U.S. private-sector innovation
• Despite its national scope, NIST Federal Information Processing Standards (FIPS) and Special Publications (SP) have a
worldwide impact

Internet Society
• ISOC is a professional membership society with world-wide organizational and individual membership
• Provides leadership in addressing issues that confront the future of the Internet and is the organization home for the groups
responsible for Internet infrastructure standards

ITU-T
• The International Telecommunication Union (ITU) is an international organization within the United Nations System in which
governments and the private sector coordinate global telecom networks and services
• The ITU Telecommunication Standardization Sector (ITU-T) is one of the three sectors of the ITU and whose mission is the
development of technical standards covering all fields of telecommunications

ISO
• The International Organization for Standardization is a world-wide federation of national standards bodies from more than
140 countries
• ISO is a nongovernmental organization that promotes the development of standardization and related activities with a view to
facilitating the international exchange of goods and services and to developing cooperation in the spheres of intellectual,
scientific, technological, and economic activity
Services and Mechanisms
• ITU-T provides some security services and some mechanisms to implement those services.
• Security service: A processing or communication service intended to counter security attacks; services make use of one or more security mechanisms to provide the service.
• Security mechanism: A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack.
• Security services and mechanisms are closely related because a mechanism or combination of mechanisms is used to provide a service.
Security Services

Security Services
• Data Confidentiality
• Data Integrity: Anti Change, Anti Replay
• Authentication: Peer Entity, Data Origin
• Non-Repudiation: Proof of Origin, Proof of Delivery
• Access Control
Security Mechanisms
• Encipherment: Hiding or covering data
• Data Integrity: Adding a check value
• Digital Signature: To digitally sign and verify data
• Authentication Exchange: Challenge/response mechanism
• Traffic Padding: To avoid traffic analysis
• Routing Control: Selection of secure routes
• Notarization: Involving a trusted third party in the communication
• Access Control: To prove that a user has access rights

Relationship between services and mechanisms

Security Service: Security Mechanisms
• Data Confidentiality: Encipherment, Routing Control
• Data Integrity: Encipherment, Digital Signature, Data Integrity
• Authentication: Encipherment, Digital Signature, Authentication Exchange
• Non-Repudiation: Digital Signature, Data Integrity, Notarization
• Access Control: Access Control mechanisms
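The data-integrity check value and the anti-replay service from the table above, in a small Python example added here (not from the slides); the shared key and the messages are constructed for the demonstration:

```python
"""Added example (not from the slides): a keyed check value (HMAC) as the
data-integrity mechanism, plus a sequence number for the anti-replay service."""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: shared secret agreed out of band


def _body(seq: int, payload: str) -> bytes:
    # Canonical bytes covered by the check value: both the counter and the data.
    return json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()


def protect(seq: int, payload: str, key: bytes = KEY) -> dict:
    """Sender: attach the check value (mechanism: data integrity)."""
    tag = hmac.new(key, _body(seq, payload), hashlib.sha256).hexdigest()
    return {"seq": seq, "payload": payload, "tag": tag}


class Receiver:
    """Receiver: verifies the check value and rejects repeated sequence numbers."""

    def __init__(self, key: bytes = KEY) -> None:
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def verify(self, msg: dict) -> str:
        expected = hmac.new(self.key, _body(msg["seq"], msg["payload"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: modification"  # anti-change: content or seq altered
        if msg["seq"] <= self.last_seq:
            return "rejected: replay"        # anti-replay: counter already seen
        self.last_seq = msg["seq"]
        return "accepted"


def demo() -> list:
    """Walk the integrity attacks from the slides past one receiver."""
    rx = Receiver()
    m1 = protect(1, "transfer 100 to account A")        # constructed message
    results = [rx.verify(m1)]                            # genuine -> accepted
    tampered = dict(m1, payload="transfer 900 to account A")  # modification
    results.append(rx.verify(tampered))
    results.append(rx.verify(m1))                        # replaying
    results.append(rx.verify(protect(2, "next message")))     # fresh -> accepted
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the check value alone does not stop a replay: the replayed message carries a valid tag and is only caught by the sequence number, which is why the table lists anti-replay as a separate part of the data-integrity service.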
Encipherment Techniques

• Cryptography: A word of Greek origin meaning "secret writing". The science and art of transforming messages (i.e., encipherment) to make them immune to attacks.
• Steganography: A word of Greek origin meaning "covered writing". The science and art of transforming messages to make them immune to attacks by concealing the message itself, covering it with something else.
Computer Security Challenges

• Security is not simple
• Potential attacks on the security need to be considered
• Procedures used to provide particular services are often counterintuitive
• It is necessary to decide where to use security mechanisms
• It is too often an afterthought
• Typically involves more than a particular algorithm or protocol
• Never-ending process
• No visible benefit
• Strong security is often seen as an impediment to efficient and user-friendly operation
Threats and Attacks (RFC 4949)

• Threat: A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach the security and cause harm.
• Attack: An intelligent and deliberate attempt to invade security services and violate the security policy of a system.
Quiz-1
Which security services and mechanisms are involved in each of the following cases?
a) BITS demands your user name and password to use the internet.
b) You automatically get disconnected if you are logged in for more than two hours.
c) A professor provides your grades to you through mail only on receiving a mail from your side containing a value that was preassigned to you by him.
d) BITS does not allow you to reach certain types of sites.
e) To withdraw from the Cryptography course, your professor requires a signed withdrawal form from you.
f) The night canteen requires your ID to give you food.
g) Requesting the AUGUSD division to repeat the cryptography course by producing an application duly signed by the course in-charge.
h) The professor comes up with a mechanism so that students cannot add or delete content in the answer sheets during marks distribution.
Thank You