ICT 5301:

Information System
and Network Security
Dr. Hossen Asiful Mustafa
https://hossenmustafa.buet.ac.bd
 Reference Book
 Cryptography and Network Security
by W. Stallings

 Applied Cryptography: Protocols, Algorithms, and

Source Code in C
by Bruce Schneier

2
 Assessment
Type Percent
Midterm Exam (2) 40

Assignment 20

Final Exam 40

3
 Tentative Dates
Type Class
Midterm Exam-1 6

Midterm Exam-2 10

Assignment TBD

4
 Computer Security
 Protection afforded to an automated information
system in order to attain the applicable objectives of
preserving the integrity, availability and confidentiality
of information system resources (includes hardware,
software, firmware, information/data, and
telecommunications).

5
 Key Security Concepts

6
6
 Security Principles
 Authentication: It should be possible for the receiver of a
message to ascertain its origin; an intruder should not be able to
masquerade as someone else.
 Integrity: It should be possible for the receiver of a message to
verify that it has not been modified in transit; an intruder should
not be able to substitute a false message for a legitimate one.
 Nonrepudiation: A sender should not be able to falsely deny
later that he sent a message.
 Secrecy: A transferred message can only be read by the receiver.
 Availability – resource accessible/usable
7
 Vulnerabilities and Attacks
 System resource may
 be corrupted (loss of integrity)
 become leaky (loss of confidentiality)
 become unavailable (loss of availability)
 Attacks are threats carried out and may be
 passive
 active
 insider
 outsider
8
 Countermeasures
 Means used to deal with security attacks
 prevention
 detection
 recovery
 May result in new vulnerabilities
 Will have residual vulnerability
 Goal is to minimize risk given constraints

9
 Threat Consequences
 Unauthorized disclosure
 exposure, interception, inference, intrusion
 Deception
 masquerade, falsification, repudiation
 Disruption
 incapacitation, corruption, obstruction
 Usurpation
 misappropriation, misuse
10
 Passive or Active Attack
 Passive attacks are  Active attacks modify/fake
eavesdropping data
 release of message  masquerade
contents  replay
 traffic analysis  modification
 are hard to detect so aim to  denial of service
prevent  hard to prevent so aim to
detect

11
 Computer Security Strategy
 Specification/policy
 what is the security scheme supposed to do?
 codify in policy and procedures
 Implementation/mechanisms
 how does it do it?
 prevention, detection, response, recovery
 Correctness/assurance
 does it really work?
 assurance, evaluation
12
 Basic Communication

Alice talking to Bob

Alice Bob

13
 Active/Passive Attack

Eve listening the conversation

Alice Bob

14
 Secure Communication

Eve listening the conversation

Original
Plaintext
Encryption Decryption Plaintext
Ciphertext

Alice Bob

15
 Cryptography
 Generate ciphertext from a plaintext to keep the
plaintext secret from the attacker
 Assumes that:
 The attacker has complete access to the communication
channel
 The attacker knows the algorithm that generates ciphertext

16
 Symmetric Algorithms
 The encryption key can be calculated from the
decryption key and vice versa.
 In most symmetric algorithms, the encryption key and
the decryption key are the same.
 It requires that the sender and receiver agree on a key
before they can communicate securely.
 The security of a symmetric algorithm rests in the key;
divulging the key means that anyone could encrypt
and decrypt messages.
17
 Asymmetric Algorithms
 Also known as public-key algorithms
 Are designed so that the key used for encryption is different from
the key used for decryption.
 Furthermore, the decryption key cannot be calculated from the
encryption key.
 The algorithms are called “public-key” because the encryption key
can be made public
 The encryption key is often called the public key, and the
decryption key is often called the private key

18
 Remember!
 Security by obscurity doesn’t work!
 Cannot assume that the attacker doesn’t know algorithm’s
inner working
 Cannot assume that the attacker cannot disassemble your
code or reverse-engineer your algorithm
 The best algorithms we have are the ones that
 have been made public,
 have been attacked by the world’s best cryptographers for
years, and
 are still unbreakable.
19
 Brute Force Attack
 Try all possible combinations to break an algorithm
 Is not feasible in most cases;
 Example:
 If an algorithm has a processing complexity of 2128, then 2128
operations are required to break the algorithm.
 Assume that you have enough computing speed to perform a million
operations every second, and
 A million parallel processors are set against the task
 106 X 106 = 1012 operations per second
 It will still take over 1019 years to recover the key. That’s a billion
times the age of the universe.
20
 Security Trends

21
 Computer Security Losses

22
 Security Technologies Used

23