UNIT-I

UNIT I : Classical Encryptions Techniques

Objectives: The Objectives of this unit is to present an overview of the main concepts of
cryptography, understand the threats & attacks, understand ethical hacking.
Introduction: Security attacks, services & mechanisms, Symmetric Cipher Model, Substitution
Techniques, Transportation Techniques, Cyber threats and their defense (Phishing Defensive
measures, web based attacks, SQL injection & Defense techniques), Buffer overflow & format
string vulnerabilities, TCP session hijacking (ARP attacks, route table modification) UDP
hijacking (man-in-the-middle attacks).

Topic to be covered: Security attacks

Cryptography:
Cryptography is the art and science of hiding the information, providing a secured means
of communication between two parties such that this becomes humanly or even computationally
extremely difficult to insinuate.
Objectives of Computer Security:
Confidentiality, Integrity and Availability
Confidentiality:
Data confidentiality ensures that private or confidential information is not made available
or disclosed to unauthorized individuals. Privacy ensures that individuals control or influence
what information related to them may be collected and stored and by whom and to whom that
information may be disclosed.
Integrity:
Integrity can be Data Integrity or System Integrity. Data integrity ensures that
information and programs are changed only in a specified and authorized manner and System
integrity ensures that a system performs its intended function in an unimpaired manner, free from
deliberate or inadvertent unauthorized manipulation of the system.
Availability:
Availability ensures that systems work promptly and service is not denied to authorize
users.

Security attack:
Security attack means any action that compromises the security of information owned by an
organization.
Different security attacks: Security attacks are two types Passive attacks and Active attacks.

Passive attacks
Passive attacks are two types - 1.Release of Message contents and 2. Traffic analysis

Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions.
The goal of the opponent is to obtain information that is being transmitted.
There are two types of passive attacks
1. Release of message contents
2. Traffic analysis
Release of message contents:
A telephone conversation, an electronic mail message, and a transferred file may contain
sensitive or confidential information. One should prevent an opponent from learning the contents
of these transmissions.
Traffic Analysis:
Suppose that we had a way of masking the contents of messages or other information
traffic so that opponents, even if they captured the message, could not extract the information
from the message. The common technique for masking contents is encryption. If we had
encryption protection in place, an opponent might still be able to observe the pattern of these
messages.
The opponent could determine the location and identity of communicating hosts and could
observe the frequency and length of messages being exchanged. This information might be
useful in guessing the nature of the communication that was taking place.
Passive attacks are very difficult to detect, because they do not involve any alteration of
the data. However, it is feasible to prevent the success of these attacks, usually by means of
encryption. Thus, the emphasis in dealing with passive attacks is on prevention rather than
detection.
Active Attacks:
Active attacks involve some modification of the data stream or the creation of a false stream.
Active attacks are of 4 types - masquerade, replay, modification of messages, and denial of
service.

A masquerade takes place when one entity pretends to be a different entity. For
example, authentication sequences can be captured and replayed after a valid authentication
sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra
privileges by impersonating an entity that has those privileges.

Replay involves the passive capture of a data unit and its subsequent retransmission to produce
an unauthorized effect.
 Modification:
•
An unauthorized party not only accessing the information and also modifies (tampers) the
information and sends to destination is called modification.
Example:
A customer sends a message to a bank to do some transaction. The attacker intercepts the
message and changes the transaction to benefit her.

The denial of service prevents or inhibits the normal use or management of

communications facilities. This attack may have a specific target; for example, an entity may
suppress all messages directed to a particular destination

Challenges of Computer Security:

1. Security is not as simple as it might first appear to the novice. But the mechanisms used to
meet confidentiality, authentication, nonrepudiation or integrity can be quite complex, and
understanding them may involve rather subtle reasoning.
2. In developing a particular security mechanism or algorithm, one must always consider
potential attacks on those security features.
3. Security mechanisms are complex.
4. Having designed various security mechanisms, it is necessary to decide where to use them.
5. Security mechanisms typically involve more than a particular algorithm or protocol. They also
require that participants be in possession of some secret information (e.g., an encryption key),
which raises questions about the creation, distribution, and protection of that secret information.
6. Computer and network security is essentially a battle of wits between a perpetrator who tries
to find holes and the designer or administrator who tries to close them. The great advantage that
the attacker has is that he or she needs only to find a single weakness, while the designer must
find and eliminate all weaknesses to achieve perfect security.
7. There is a natural tendency on the part of users and system managers to perceive little benefit
from security investment until a security failure occurs.
8. Security requires regular, even constant, monitoring, and this is difficult in today’s short-term,
overloaded environment.
9. Security is still too often an afterthought to be incorporated into a system after the design is
complete rather than being an integral part of the design process.
10. Many users and even security administrators view strong security as an impediment to
efficient and user-friendly operation of an information system or use of information.
Differentiate between threat and attack:
Threat: A potential for violation of security, which exists when there is a circumstance,
capability, action, or event that could breach security and cause harm. That is, a threat is a
possible danger that might exploit vulnerability.

Attack: An assault on system security that derives from an intelligent threat; that is, an intelligent
act that is a deliberate attempt (especially in the sense of a method or technique) to evade
security services and violate the security policy of a system.

Important and previous JNTUK examination questions:

1. Explain in detail different passive and active attacks. [8M][Set-2, Mar - 2015]
2. What are the various security attacks? [8M][Set-1, Dec-2014]
3. Compare various active attacks.
4. Define threat and attack. What is the difference between them? [8M][Set-3, Nov - 2015]

Topic to be covered: Security services and mechanisms

Security service: A processing or communication service that enhances the security of the data
processing systems and the information transfers of an organization. The services are intended to
counter security attacks, and they make use of one or more security mechanisms to provide the
service.
Various security services:
Security services include authentication, access control, data confidentiality, data integrity,
nonrepudiation, and availability.
 X.800 defines a security service as a service that is provided by a protocol layer of
communicating open systems and that ensures adequate security of the systems or of data
transfers. X.800 divides these services into five categories and fourteen specific services.
Confidentiality (or Secrecy) (or privacy):
• Stored or transmitted information is accessible (even travel over insecure links) only
authorized parties; it doesn’t accessible to unauthorized parties.
• Only sender and, intended receiver should “understand“ message content
• Sender encrypts the message
• Receiver decrypts the message
• Confidentiality has been designed to prevent interception(such as snooping and traffic
analysis)
• It is used for sensitive fields such as government and industry
• It is important security service in information security

• Confidentiality uses the encipherment, routing control security mechanisms.

Authentication: (who created or sent the data):
• In authentication both sender and receiver should be able to confirm the proof identity
for talking (communication) each other
• Authentication is first step in any network security solution.

• Authentication has been designed to prevent fabrication (such as spoofing and

replaying) attacks.

• authentication uses the encipherment, digital signature security mechanisms

Data integrity (or message authentication):
• Integrity prevention of unauthorized party modification of information

• Integrity can apply to stream of messages.

• Integrity includes both content of information and source of data

 • Integrity has been designed to prevent the modification security attack.

• Integrity uses the encipherment, digital signature, data integrity security mechanisms

Non-repudiation:
• Non-repudiation service is protection against denial by one of the parties(sender,
receiver) in a communication

• In this case the sender and receiver can keep proofs to avoid repudiation.

• Non-repudiation has been designed to prevent the repudiation security attack.

• Non-repudiation uses the digital signature, data integrity, notarization security

mechanisms
Availability:
• The data must be available to the authorized parties when they required to access
them is called availability
• Availability has been designed to prevent the Denial of Service security attack.

• It is also prevent Virus that deletes files

• Availability uses data integrity, authentication exchange security mechanisms

Access control:
1. Access control prevention of the unauthorized use of a resource means the host
systems and applications are limited to access by the communication links and
any unauthorized part can’t access then.
2. Access control uses the access control security mechanisms

Security mechanism:
A process (or a device incorporating such a process) that is designed to detect, prevent, or
recover from a security attack.Security is divided into those that are implemented in a specific
protocol layer, such as TCP or an application-layer protocol, and those that are not specific to
any particular protocol layer or security service.
ITU-T (X.800) defined several security mechanisms are:
Encipherment
Digital signature
Data integrity
Authentication exchange
Traffic padding
Routing control
Notarization
Access Control
Encipherment: Encipherment is a security mechanism (or cryptography algorithms) to
transform intelligible data into an unintelligible form. The transformation and subsequent
recovery of the data depends on an algorithm and zero or more encryption keys.

Digital signature: A digital signature is a means by which the sender can electronically sign the
data and the receiver can electronically verify the signature.

Data integrity: The data integrity mechanism appends to the data a short check value that has
been created by a sender specific process from the data itself. The receiver receives the data and
the check value. He creates a new check value from the received data and compares the newly
created check value with the received one. If the two are the same, the integrity of data has been
preserved.

Authentication exchange: Check values In Authentication exchange, the two entities some
message to prove their identity to each other. The authentication can be one-way authentication
or two-way authentication.

Traffic padding: Traffic padding means inserting some bogus data into the original data to
prevent the traffic analysis attempts

Routing control: Routing control means selection and continuously changing different available
routes between the sender and receiver prevent the opponent from eavesdropping (secretly listen)
on the particular root

Notarization: Notarization means selecting third trusted party to control the communication
between two entities. This can be done, for example, to prevent repudiation. The receiver can
involve a trusted party to store the sender request in order to prevent the sender from later
denying that she has made such request.

Access control: Access control uses methods to prove that a user has access right to the data or
resource owned by a system.

Important and previous JNTUK examination questions:

1. Determine the security mechanisms required to provide various types of security services.
[8M][Set-1, Dec-2015]

2. What is meant by security service? Explain various security services listed in X.800. [8M]
[Set-3, Mar-2015] [Set-2, Dec-2014]
3. Discuss different types of authentications.

Topic to be covered: Symmetric encryption

Symmetric encryption:
 Symmetric encryption is a form of cryptosystem in which encryption and decryption are
performed
using the same key. It is also known as conventional encryption.
Components in Symmetric Cipher model:
Five components in Symmetric Cipher model: Plaintext, Encryption algorithm, Secret Key,
Cipher Text, Decryption algorithm
Purpose of Encryption algorithm:
The encryption algorithm performs various substitutions and transformations on the
plaintext.
Requirements for secure use of conventional encryption:
Need of strong encryption algorithm and secured exchange of keys - are the two
Symmetric Cipher Model:
A symmetric encryption scheme has five ingredients:
Plain Text, Encryption Algorithm, Secret Key, Cipher Text and Decryption Algorithm

There are two requirements for secure use of conventional encryption:

1. Strong encryption algorithm and
2. Sender and receiver must have obtained copies of the secret key in a secure fashion and must
keep the key secure.
Working of symmetric encryption scheme:

Assume a message in plaintext, X and for encryption, a key K is generated.

With the message X and the encryption key K as input, the encryption algorithm (E) forms the
cipher text Y = E (K, X)
At the Sender: Y = E (K, X)
Similarly at the receiver: X = D (K, Y)