Authentication and Authorization in Cryptography

Authentication:
Authentication is the process of verifying the identity of a user, system, or entity to ensure
that they are who they claim to be. It is a fundamental security measure to prevent
unauthorized access. Authentication is typically achieved through the use of credentials, such
as usernames and passwords, or more advanced methods like biometrics or multi-factor
authentication.
1. Types of Authentications:
Single-Factor Authentication (SFA): Involves the use of a single method for verification, such
as a password.
Multi-Factor Authentication (MFA): Requires multiple methods of verification, adding an
extra layer of security. This could include a combination of passwords, security tokens,
biometrics, or other factors.
2. Authentication Protocols:
Kerberos: A network authentication protocol that uses secret-key cryptography to secure
authentication.
OAuth (Open Authorization): Used for delegated authorization, allowing applications to
access resources on behalf of a user.
3. Biometric Authentication:
Involves the use of physical or behavioral characteristics like fingerprints, facial recognition,
or voice patterns for user identification.

Authorization:
Authorization is the process of determining what actions or resources a verified and
authenticated user is allowed to access. Once a user's identity is established through
authentication, authorization defines the level of access and permissions granted to that user.
1. Access Control Models:
Discretionary Access Control (DAC): Allows the owner of a resource to control access to that
resource.
Mandatory Access Control (MAC): Access decisions are based on the security labels assigned
to subjects and objects.
2. Role-Based Access Control (RBAC):
Users are assigned roles, and permissions are associated with those roles. This simplifies
administration and ensures that users only have the access they need to perform their duties.
3. Access Control Lists (ACL):
Lists that specify which users or system processes are granted access to objects, as well as
what operations are allowed on given objects.

Relationship between Authentication and Authorization:

1. Authentication precedes Authorization:
Before authorizing access, it is crucial to verify the identity of the user through
authentication.
2. MFA enhances security in both Authentication and Authorization:
Multi-factor authentication not only strengthens user authentication but also adds an extra
layer of security to the authorization process.
3. Access Control decisions are based on Authentication information:
Authorization decisions often depend on the authenticated identity, determining what
resources and actions the authenticated entity is allowed to access.
In summary, authentication ensures that users are who they claim to be, while authorization
determines what actions or resources they are allowed to access after their identity is verified.
These two components work together to create a secure and controlled environment for
information systems.

Hash Function:
In cryptography, hash functions are mathematical functions that convert an input value into a
compressed numerical value. They are commonly used to ensure the integrity and security of
data. Hash functions take an input, such as a file or a message, and produce a fixed-size
output called a hash value or digest. This hash value is unique to the input data, meaning that
even a small change in the input will result in a completely different hash value.

Hash functions have several important properties that make them useful in cryptography.
Firstly, they are deterministic, meaning that given the same input, they will always produce
the same output. Secondly, they are computationally efficient, making them ideal for
processing large amounts of data. Additionally, hash functions are one-way, meaning that it is
extremely difficult to derive the original input data from the hash value.

Cryptographic hash functions provide additional security properties. They are designed to be
collision-resistant, meaning that it is computationally infeasible to find two different inputs
that produce the same hash value. This property ensures that even a small change in the input
will result in a significantly different hash value.

Hash functions are used in various applications within cryptography, such as digital
signatures, password storage, and data integrity verification. They play a crucial role in
ensuring the security and authenticity of data in various information systems.

2
Access control derivatives/ mechanisms:

An access control mechanism is a security safeguard that prevents unauthorized access to a

physical facility or information system. It can be implemented using a combination of
hardware and software features, physical controls, operating procedures, and management
procedures.

Here are some access control models:

 Mandatory Access Control (MAC)
This model regulates access rights based on multiple security levels. An organization's
administrator sets strict policies for users, data, resources, and information. Users cannot
add, alter, or remove permissions.
 Discretionary Access Control (DAC)
This model is based on the identity and need-to-know of subjects and the groups they
belong to. Subjects with certain access permissions can pass on that access to other
subjects.
 Role-Based Access Control (RBAC)
This model allows organizations to grant user permissions and enforce access policies.
 Rule-Based Access Control (RuBAC)
This is one of the four main access control models.
There are two types of access control mechanisms:
 User based: Grants access to a particular user's account
 Host based: Grants access to a particular host, or machine
Access control systems usually include:
 Identifiers, such as usernames
 Authentication methods, such as passwords
 Authorization processes

KEY ESTABLISHMENT, MANAGEMENT CERTIFICATION:

Key establishment, management, and certification are crucial aspects of cryptography to
ensure secure communication. In cryptography, the distribution of public and private keys
between the sender and receiver is a tedious task. It is essential to establish a secure method
for sharing keys to prevent unauthorized access.

To address these challenges, various methodologies and protocols have been developed. One
approach is to use key establishment protocols, which define a set of rules for securely

3
exchanging keys between parties. These protocols ensure that the keys are distributed
securely and cannot be easily intercepted or tampered with during transmission.

Key management is another essential aspect of cryptography. It involves the secure storage,
generation, distribution, and revocation of cryptographic keys. Effective key management
ensures that keys are properly protected throughout their lifecycle and that only authorized
entities have access to them. This includes mechanisms for key generation, key storage, key
distribution, and key revocation.

Certification plays a role in ensuring the authenticity and integrity of keys. Certification
authorities (CAs) are trusted entities that issue digital certificates to validate the ownership
and authenticity of public keys. These certificates are used to verify the identity of the parties
involved in the communication process and ensure that the keys being used are legitimate.

Overall, key establishment, management, and certification are essential components of

cryptography to establish secure communication channels, protect sensitive information, and
prevent unauthorized access. By following proper key management practices and utilizing
secure protocols, organizations can mitigate the risk of key compromise and uphold the
confidentiality and integrity of their cryptographic systems.

TRUSTED THIRD PARTIES AND PUBLIC KEY CERTIFICATES:

In cryptography, trusted third parties (TTPs) play a crucial role in facilitating secure
interactions between parties who trust the TTP. A trusted third party acts as an intermediary,
ensuring the authenticity, confidentiality, and integrity of data exchanged between the parties
involved. One important application of TTPs in cryptography is the use of public key
certificates.
Public key certificates are a fundamental component of a Public Key Infrastructure (PKI)
system. The PKI system consists of four main components: public key encryption, trusted
third parties (such as Certification Authorities or CAs), registration authorities, and a
certificate database.

A public key certificate associates a public key with a particular entity, typically an
individual or an organization. The certificate is digitally signed by a trusted third party, such
as a CA, to verify the authenticity of the public key and its association with the entity. This
enables secure communication and authentication in a networked environment. The
certificate contains important information, including the public key itself, the entity's
identification information, and the digital signature of the trusted third party.
By using public key certificates, parties can establish secure communication channels and
verify the identities of each other without directly trusting each other. Instead, they trust the
trusted third party that has signed and issued the certificates. This helps prevent
impersonation, tampering, and other security risks in cryptographic communication.

It is worth mentioning that the level of trust placed in a TTP can vary. Some TTPs may be
unconditionally trusted, meaning they are trusted on all matters, including access to secret
and private keys. However, the level of trust in a TTP depends on the specific
implementation and the trustworthiness of the organization operating as the TTP.

4
In summary, trusted third parties and public key certificates are essential components in
cryptography. TTPs facilitate secure interactions between parties, while public key
certificates help establish secure communication channels and verify the authenticity of
entities in a networked environment.

PSEUDORANDOM NUMBERS AND SEQUENCES:

Pseudorandom numbers and sequences play a vital role in cryptography. A pseudorandom

number generator (PRNG) is an algorithm that uses mathematical formulas to generate sequences
of numbers that appear random but are actually deterministic and repeatable. These numbers are
crucial in cryptographic systems for tasks such as key generation, encryption, and secure
communication.

In cryptography, it is essential to have secure and unpredictable random numbers to ensure the
strength of cryptographic algorithms and protect sensitive data. Pseudorandom numbers are used
as a substitute for true random numbers because generating true randomness computationally is
challenging.

PRNGs are designed to produce sequences of numbers that exhibit certain statistical properties
similar to random numbers. This allows them to be used effectively in cryptographic applications.
They typically employ algorithms that use previous numbers in the sequence as seeds to generate
subsequent numbers, creating a stream of pseudorandom numbers.

One example of a commonly used PRNG algorithm is the Linear Congruential Generator (LCG),
which uses a linear equation to generate a sequence of numbers. Another popular PRNG
algorithm is the Mersenne Twister, which has a longer period and better statistical properties
compared to LCG.

It is important to note that while pseudorandom numbers appear random within the limitations of
statistical tests, they are not truly random. Since PRNGs are deterministic, given the same initial
state or seed, they will produce the same sequence of numbers. This property can be both
advantageous, as it allows for reproducibility, and potentially risky if the seed is predictable or
compromised.

To enhance the security of cryptographic systems, cryptographic algorithms often incorporate

additional sources of randomness, such as hardware-based random number generators (TRNGs).
TRNGs utilize physical processes, such as electronic noise or radioactive decay, to generate
random numbers that are not based on deterministic algorithms.

In summary, pseudorandom numbers and sequences are crucial in cryptography for tasks like key
generation and encryption. PRNGs use mathematical algorithms to produce sequences of
numbers that appear random but are deterministic and repeatable. While PRNGs have their
limitations, they provide an important building block for cryptographic systems, and additional
sources of randomness are often combined to enhance security.

5
Public Key Infrastructure/Data Encryption Standard in
Cryptography
Public Key Infrastructure (PKI) and Data Encryption Standard (DES) are two important
components of cryptography that play crucial roles in securing digital communications. Let's
explore each of them in more detail:

Public Key Infrastructure (PKI):

Definition: PKI is a framework that manages digital keys and certificates to secure
communication in a network. It enables the secure transfer of information over an insecure
network, such as the internet.
Key Components:
Public Key: A cryptographic key that is freely distributed and available to anyone.
Private Key: A key that is kept secret and known only to the owner.
Digital Certificates: These bind the public key to an individual's or entity's identity, providing
a way to verify the authenticity of the public key.
Functions of PKI:
Authentication: Verifying the identity of parties involved in digital communication.
Encryption: Securing data by using public and private key pairs for encryption and
decryption.
Digital Signatures: Ensuring the integrity and authenticity of digital messages or documents.
Use Cases:
Secure Email: PKI is commonly used to secure email communications through methods like
S/MIME (Secure/Multipurpose Internet Mail Extensions).
SSL/TLS: PKI is fundamental to the functioning of secure sockets layer (SSL) and transport
layer security (TLS) protocols used to secure web communication.

Data Encryption Standard (DES):

Definition: DES is a symmetric key algorithm for the encryption of electronic data. It was a
widely used encryption standard in the past, though it's now considered insecure for many
applications due to its small key size.

6
Key Features:
Symmetric Encryption: Uses the same key for both encryption and decryption.
Block Cipher: Operates on fixed-size blocks of data, typically 64 bits.
Key Length: DES uses a 56-bit key, which is considered relatively short by today's standards.
Operation:
Key Generation: The 56-bit key is derived from a user-supplied password or generated
randomly.
Block Encryption: The plaintext is divided into blocks, and each block undergoes a series of
transformations using the key.
Challenges:
Key Length: DES has a small key size, making it vulnerable to brute-force attacks.
Security Concerns: Due to advances in computing power, DES is no longer considered secure
for many cryptographic applications.
Successor Algorithms:
DES has been succeeded by more secure symmetric-key algorithms like Triple DES (3DES)
and Advanced Encryption Standard (AES).

Relationship:
While PKI primarily deals with the management of keys and certificates for secure
communication, DES (and its successors) focuses on the actual encryption of data. In many
systems, PKI and symmetric-key encryption algorithms may be used together for a layered
approach to security. For example, PKI might be used to establish secure communication
channels and symmetric-key algorithms could be employed for efficient bulk data encryption.

UNIT 03 Data Security and Management

Introduction and oobjective of data security and management
Data security and management play a crucial role in protecting digital information from
unauthorized access, corruption, or theft throughout its lifecycle. The main objective of data
security is to safeguard the data that an organization directly owns or that belongs to a third
party while it is being stored, processed, or transmitted. It is important to develop a
comprehensive data security and risk management program to mitigate the security
challenges associated with data.

The introduction to data security involves understanding the importance of protecting

sensitive information and ensuring its confidentiality, integrity, and availability. It
encompasses various practices, technologies, and policies aimed at securing data from
potential threats, such as unauthorized access, data breaches, malware attacks, and data loss.

7
Effective data security and management involve implementing measures like encryption,
access controls, authentication mechanisms, firewalls, intrusion detection systems, and data
backups. These measures help to ensure that data is protected against unauthorized access,
alteration, and destruction, both at rest and in transit.

Moreover, data security and management also involve complying with regulatory
requirements and industry standards to protect sensitive information. Organizations need to
stay updated with the latest security practices and continuously monitor and assess their data
security posture to identify vulnerabilities and take appropriate measures to mitigate risks.

In summary, the introduction to data security emphasizes the importance of protecting digital
information from unauthorized access and ensuring its confidentiality, integrity, and
availability. The objectives of data security and management include safeguarding data,
mitigating security challenges, implementing effective security measures, and complying
with regulatory requirements.

Data security and management

Data security and data management are two important aspects when it comes to handling and
protecting data within an organization.
Data security refers to the practices and measures put in place to safeguard data from
unauthorized access, corruption, or theft throughout its entire lifecycle. It involves implementing
various security controls and technologies to protect sensitive information from being
compromised. This can include encryption, access control, authentication, and secure storage
mechanisms. The goal of data security is to ensure the confidentiality, integrity, and availability
of data.

On the other hand, data management refers to the processes and solutions used to effectively
handle and organize data. It involves tasks such as data collection, storage, retrieval, backup, and
archiving. Data management ensures that data is organized, accurate, and easily accessible when
needed. It also focuses on maintaining data quality, consistency, and data governance practices.

Both data security and data management play crucial roles in protecting and managing data
within an organization. Data security helps maintain the safety of data while it is being used or
stored, while data management ensures that data is properly organized and managed throughout
its lifecycle. By implementing robust data security measures and effective data management
practices, organizations can safeguard their data and ensure its integrity and availability.

LIMITATIONS
Like every technology that has advanced every day, the risks too increase. Even a mobile
phone/device and a computer having Internet technology has its limitations. Some of them
are mentioned below:
 Speed- The speed of the Internet is very essential for complete usage of a mobile device. If
the speed of an Internet connection is slow, it results in lagging or slows down of the
device and crashes which then renders the mobile device unusable.
 Accessibility- Websites though easily accessible on laptops may not be easily accessible
on a mobile device as the website may not have implemented mobile versions.
Therefore, a mobile phone may not always get the desired website to be accessed by a
user.

8
 Incompatibility- Mobile web browsers are not the same as a laptop or a computer web
browser works. Therefore, some web browsers may be incompatible with mobile
operating systems.
 Leakage of data- Mobile apps often provide free apps in the form of advertisements,
which usually do not undergo malware tests to ensure safety of the app. Therefore, users
downloading such mobile apps make themselves liable to unintentional data leakages
relating to personal data.
 Use of unsecured Wi-Fi- Users of internet want to preserve their cellular data for the
long run or to not receive hefty phone bills and therefore rely on free Wi-Fi networks. At
time such free Wi-Fi network are unsecured and leads to compromise of data security
which is liable to be hacked by technology users.
 SMishing- This type of scam is similar to the phishing scam wherein cybercriminals ask
users to download malware by clicking on malicious links. The method of SMishing
scam is done through text messages instead of email like in the case of phishing scams.

SECURITY MEASURES AND SOLUTIONS

As discussed on 3.3 which deal with security requirements, it has been stated that the concept
of CIA is very important. Further, security threats are inventive according to the new
information technology launched. These security threats constantly evolve and are harmful to
an organization as they steal, harm or corrupt information stored in an organization’s system.
An organization should arm themselves with resources to safeguard themselves from the
ever-growing security threats. Therefore, the CIA triad though being a security model and
guide for organizations to protect their sensitive data there are a few other data security
considerations that one should be aware of:
8
 Access security- By restricting access of users who have been granted access to
information, thereby results in monitoring who all have access to a particular data.
Therefore, in cases of data theft, sifting through the timelines of access granted to users
can be easier to track down the culprit.
 Data encryption- Data when kept unencrypted leads to misuse of personal data by
cybercriminals. Therefore, data has to be encrypted by usage of unique encryption codes,
so as to avoid leakage of vital information stored in databases. When data has been
encrypted and only the user has access to such a data has the decryption code, results in
prevention of data theft.
 Email security-It is a form of procedure to protect an email account and the contents on
an email account from unauthorised access. Therefore, measures like strong email
passwords, end-to-end encryption of emails or messages that are sent from one person to
another result in prevention of misuse of data, as emails are a popular forum for hackers
to spread malware, spam and phishing attacks. For example- end-to-end encryption used
by WhatsApp.
 Risk-assessment analysis- Organizations have to take a proactive approach while
dealing with information security concerns. The main of conducting a risk assessment is
to identify the risks pertaining to information stored in an organizations system. By
conducting risk assessment analysis, an organization can understand and assess internal
and external risks to their security, confidentiality and personal information stored in
various storage media like laptops and portable devices.
 Monitor effectiveness- It is critical for an organization to verify security programs
established and to establish if such security programs manage cyber security measures
implemented for safeguarding an organization’s information or data. This is done
through regular tests and monitoring of information security programs annually or
quarterly helps to assess the number of attacks made to an organizations data.

9
 Third party issues- Website’s play a major role while showcasing an organization’s
success. Therefore, they implement third party tools to make their websites’ more
interactive and user-friendly and offer smooth connectivity for user interaction. These
third-party tools help in generating revenue for an organization’s website. Therefore, an
organization has to undertake to ensure that all reasonable steps have been taken prior to
giving access to third party service providers and that such third-party service providers
apply the stringiest security measures.
 Strong firewall- Firewall of a system is part of such system’s cyber security measure. A
firewall enables to protect a system from internet traffic and services it is exposed to.
These services are accessed by everyone who uses an internet. Therefore, firewalls
enable to control who gains access to an organization’s system like insider attacks which
may originate from within a network used by an organization. Antiviruses are for files
and firewalls are needed to protect from unauthorised access or usage of network. A
firewall simply helps to control Internet traffic that is generated by using a network for
work.
 Antivirus protection- An antivirus protection can be gained in the form of antivirus
software. This software is a program designed to avoid, detect and deal with cyber
9
security threats that an organization may face. The process of an antivirus is to run
background scans on a system to detect and restrict unauthorised access in the forms of
malware and to protect a system from vulnerabilities it may face. These solutions are
extremely important for data security and must be installed on computer systems. These
antivirus protections are available not only for laptops and computers but also for mobile
devices and help to fight unwanted threats to files and data.
 Back-up regularly- A data security is meant for protecting information stored on a
system from unauthorised access, destruction of such information and includes network
security. Therefore, to avoid loss of data, data should be regularly be stored and kept
somewhere safe where it cannot be accessed or violated by anyone. Further, the securing
of such data helps in preventing accidental modification to data, theft of data, breach of
confidentiality agreements and avoid release of data prior to its verification and
authentication.

10