Module 2 - Defence in depth - Cryptographic System

Uploaded by

Sarthak Gupta
CBE 321 – Cloud Computing and Security
Dr. E.Silambarasan
Assistant Professor
Department of CSE - Cyber Security
Indian Institute of Information Technology, Kottayam
Access Control
• Access control is a security technique that regulates who or what can view or use resources in a computing environment. It is a fundamental concept in security that minimizes risk to the business or organization.
• The main models of access control are the following:

Identity-Based Access Control (IBAC): By using this model, network administrators can more effectively manage activity and access based on individual requirements.

Mandatory Access Control (MAC): A control model in which access rights are regulated by a central authority based on multiple levels of security. Security-Enhanced Linux implements MAC on the Linux operating system.

Role-Based Access Control (RBAC): RBAC allows access based on the job title. RBAC eliminates discretion on a large scale when providing access to objects. For example, human resources specialists should not have permission to create network accounts.

Rule-Based Access Control (RAC): The RAC method is largely context-based. An example of this would be only allowing students to use the labs during a certain time of day.
Defense in Depth
• Defense in depth is a fundamental security strategy that involves deploying multiple layers of defense to protect systems and data.
• In the context of cloud security, defense in depth is crucial for mitigating various
threats and ensuring a comprehensive security posture.
• Here's an overview of defense-in-depth principles as applied to cloud security:

Network Security:
Firewalls: Implementing firewalls at different levels, such as perimeter firewalls,
subnet firewalls, and host-based firewalls, helps control and monitor incoming and
outgoing traffic.

Virtual Private Clouds (VPCs): Utilizing VPCs with proper network segmentation
adds a layer of protection by isolating different parts of the infrastructure.
Identity and Access Management (IAM):
Strong Authentication: Enforcing strong authentication mechanisms, including multi-factor
authentication (MFA), adds an extra layer of protection against unauthorized access.
Role-Based Access Control (RBAC): Implementing RBAC ensures that users and systems have
the least privilege necessary for their roles, reducing the impact of potential breaches.

Data Encryption:
Encryption at Rest: Applying encryption to stored data protects it from unauthorized access.
Cloud providers often offer services to enable encryption at rest for databases, storage, and
other data repositories.
Encryption in Transit: Encrypting data during transmission over networks prevents
eavesdropping and man-in-the-middle attacks.
Least Privilege
• The principle of least privilege (PoLP) is a fundamental concept in cloud security
that emphasizes restricting user and system permissions to the minimum levels
necessary for performing specific tasks or accessing particular resources.
• This principle is designed to minimize the potential damage caused by accidental
mishandling or intentional misuse of privileges within a computing environment.
The principle of least privilege:
• Minimizes the attack surface, diminishing avenues a malicious actor can use to
access sensitive data or carry out an attack by protecting superuser and
administrator privileges.
• Reduces malware propagation by not allowing users to install unauthorized
applications.
• Improves operational performance with reductions in system downtime that might
otherwise occur because of a breach, malware spread or incompatibility issues
between applications.
• Safeguards against human error that can happen through mistake or negligence.
Cryptographic System
• Cryptography is the practice and study of techniques for securing communication
and information from adversaries.
• It involves the use of mathematical algorithms to transform data into a format that is
unintelligible without the appropriate knowledge or key.
Symmetric Cryptography
• Symmetric cryptography, also known as secret-key or shared-key cryptography, is a
cryptographic approach where the same key is used for both the encryption and
decryption of the data.
• In symmetric-key cryptography, the entities involved in communication (sender and
receiver) share a common secret key that must be kept confidential.
• This shared key is used to perform both the encryption and the corresponding
decryption of the information.
• Symmetric-key algorithms are generally faster and computationally more efficient
than their asymmetric counterparts.
• AES (Advanced Encryption Standard) and DES (Data Encryption Standard) are both
symmetric key block cipher algorithms used for encrypting and decrypting data.
• However, they differ in terms of key length, block size, and overall security.

1. DES (Data Encryption Standard):
• Key Length: DES uses a fixed key length of 56 bits.
• Block Size: DES operates on 64-bit blocks of data.
• Operation: DES uses a Feistel network structure, which involves multiple rounds of
permutation and substitution operations on the data.
• Rounds: DES typically uses 16 rounds of processing for each block of data.
• Security Concerns: DES was considered secure when it was first introduced in the 1970s,
but as computational power increased, its vulnerability to brute-force attacks became
apparent.
• By the late 1990s, DES was considered obsolete for many applications due to its short key
length.

2. AES (Advanced Encryption Standard):
• Key Length: AES supports key lengths of 128, 192, or 256 bits.
• Block Size: AES operates on 128-bit blocks of data.
• Operation: AES uses a substitution-permutation network (SPN) structure. It consists of
multiple rounds of substitution, permutation, and mixing operations.
• Rounds: The number of rounds in AES depends on the key length: 10 rounds for 128-bit keys,
12 rounds for 192-bit keys, and 14 rounds for 256-bit keys.
• Security: AES is considered more secure than DES, especially when using longer key lengths.
• It has withstood extensive cryptanalysis and is widely used for various cryptographic
applications.
• Example - AES (Advanced Encryption Standard) is a widely used symmetric-key algorithm. It
supports key sizes of 128, 192, or 256 bits, making it suitable for various security
requirements.
Stream Ciphers
• In a stream cipher, one byte is encrypted at a time, while in a block cipher ~128 bits are encrypted at a time.
• Initially, a key (k) is supplied as input to a pseudorandom bit generator, which then produces a random 8-bit output that is treated as the keystream.
The resulting keystream will be of size 1 byte, i.e., 8 bits.
1. A stream cipher follows the sequence of a pseudorandom number stream.
2. One of the benefits of a stream cipher is that it makes cryptanalysis more difficult, so the number of bits chosen in the keystream must be long.
3. Making the key longer also makes it safe against brute-force attacks.
4. The longer the key, the stronger the security achieved, preventing any attack.
5. The keystream can be designed more efficiently by including a greater number of 1s and 0s, making cryptanalysis more difficult.
6. A considerable benefit of a stream cipher is that it requires few lines of code compared to a block cipher.
For Encryption,
• Plain Text and Keystream produce Cipher Text (the same keystream will be used for decryption).
• The Plain Text undergoes an XOR operation with the keystream bit by bit to produce the Cipher Text.
For Decryption,
• Cipher Text and Keystream give the original Plain Text (the same keystream will be used for encryption).
• The Cipher Text undergoes an XOR operation with the keystream bit by bit to produce the actual Plain Text.
Decryption is just the reverse process of encryption, i.e., performing XOR with the Cipher Text.
Block Ciphers
• A block cipher is an encryption algorithm that takes a fixed-size input of, say, b bits and produces a ciphertext of b bits again.
• If the input is larger than b bits, it can be divided further.
• For different applications and uses, there are several modes of operation for a block cipher.
Electronic Code Book (ECB):
• Electronic codebook is the easiest block cipher mode of functioning.
• It is easier because each block of input plaintext is encrypted directly, and the output is in the form of blocks of encrypted ciphertext.
• Generally, if a message is larger than b bits in size, it can be broken down into a bunch of blocks and the procedure is repeated.
Cipher Block Chaining (CBC):
• Cipher block chaining or CBC is an advancement made on ECB, since ECB compromises some security requirements.
• In CBC, the previous cipher block is given as input to the next encryption algorithm after XOR with the original plaintext block.
• In a nutshell, a cipher block is produced by encrypting the XOR output of the previous cipher block and the present plaintext block.
Cipher Feedback Mode (CFB):
• In this mode the cipher is given as feedback to the next block of encryption with some new specifications: first, an initial vector IV is used for the first encryption, and the output bits are divided into a set of s bits and b-s bits.
• The left-hand side s bits are selected along with plaintext bits, to which an XOR operation is applied.
• The result is given as input to a shift register having b-s bits on the left-hand side and s bits on the right-hand side, and the process continues.
• The encryption and decryption process for the same is shown below; both of them use encryption algorithms.
Output Feedback Mode (OFB):
The output feedback mode follows nearly the same process as the Cipher Feedback mode, except that it sends the encrypted output as feedback instead of the actual cipher, which is the XOR output. In this output feedback mode, all bits of the block are sent instead of sending selected s bits. The Output Feedback mode of block cipher holds great resistance towards bit transmission errors. It also decreases the dependency or relationship of the cipher on the plaintext.
Counter Mode (CTR):
The Counter Mode or CTR is a simple counter-based block cipher implementation. Every time, a counter-initiated value is encrypted and given as input to XOR with the plaintext, which results in the ciphertext block. The CTR mode is independent of feedback use and thus can be implemented in parallel.
Its simple implementation is shown below:
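The ECB, CBC and CTR modes described above, as an added example that is not part of the original slides: a toy 64-bit Feistel cipher (a hypothetical stand-in built on SHA-256, not DES or AES, and not secure) is run in each mode over a constructed plaintext with three identical blocks. ECB repeats ciphertext blocks wherever plaintext blocks repeat, which is the weakness CBC and CTR remove; CTR's XOR with a keystream is the same operation the stream cipher section describes.

```python
import hashlib

BLOCK = 8     # toy 64-bit block (the DES block size); this cipher is NOT secure
ROUNDS = 16   # Feistel rounds, as in the DES description

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_fn(half, key, rnd):
    # Hypothetical round function: SHA-256 truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def encrypt_block(block, key):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        left, right = right, xor_bytes(left, round_fn(right, key, rnd))
    return left + right

def decrypt_block(block, key):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):  # undo the rounds in reverse order
        left, right = xor_bytes(right, round_fn(left, key, rnd)), left
    return left + right

def split_blocks(data, exact=True):
    if exact and len(data) % BLOCK:
        raise ValueError("ECB/CBC input must be a multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(pt, key):
    # ECB: every block is encrypted independently of the others.
    return b"".join(encrypt_block(b, key) for b in split_blocks(pt))

def cbc_encrypt(pt, key, iv):
    # CBC: XOR each plaintext block with the previous ciphertext block first.
    out, prev = [], iv
    for b in split_blocks(pt):
        prev = encrypt_block(xor_bytes(b, prev), key)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(ct, key, iv):
    out, prev = [], iv
    for c in split_blocks(ct):
        out.append(xor_bytes(decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)

def ctr_crypt(data, key, nonce):
    # CTR: encrypt nonce||counter to get keystream, XOR it with the data.
    # No feedback between blocks; the same call encrypts and decrypts.
    out = []
    for i, b in enumerate(split_blocks(data, exact=False)):
        keystream = encrypt_block(nonce + i.to_bytes(4, "big"), key)
        out.append(xor_bytes(b, keystream))
    return b"".join(out)

def repeated_blocks(ct):
    # Number of ciphertext blocks that duplicate an earlier block.
    blocks = split_blocks(ct, exact=False)
    return len(blocks) - len(set(blocks))

# Constructed sample: three identical 8-byte blocks, then a different one.
KEY, IV, NONCE = b"demo-key", bytes(range(8)), b"\x00\x00\x00\x01"
PLAINTEXT = b"PAY 100$" * 3 + b"PAY 999$"

if __name__ == "__main__":
    print("ECB repeats:", repeated_blocks(ecb_encrypt(PLAINTEXT, KEY)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(PLAINTEXT, KEY, IV)))
    print("CTR repeats:", repeated_blocks(ctr_crypt(PLAINTEXT, KEY, NONCE)))
```

The IV and nonce are fixed here only so the run is reproducible; in real use a CBC IV must be unpredictable and a CTR nonce must never repeat under the same key.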
Public Key Cryptography
Public Key Cryptography, also known as asymmetric cryptography, is a cryptographic system that uses pairs of keys: public keys and private keys. This system enables secure communication and authentication between parties, even if they have never met before or shared a secret key previously. Public key cryptography is widely used in various security protocols, including securing internet communications, digital signatures, and encrypting sensitive data.
RSA (Rivest–Shamir–Adleman), DSA (Digital Signature Algorithm), and ECC (Elliptic Curve Cryptography) are cryptographic algorithms used for different purposes, including public-key encryption and digital signatures.
RSA (Rivest–Shamir–Adleman):
• Type: RSA is a public-key encryption algorithm.
• Key Generation: RSA involves the generation of a pair of keys: a public key and a private key. The public key is used for encryption, while the private key is used for decryption.
• Mathematical Basis: RSA's security is based on the difficulty of factoring large composite numbers into their prime factors. The security of RSA relies on the practical impossibility of factoring the product of two large prime numbers.
• Usage: RSA is widely used for secure data transmission, digital signatures, and key exchange protocols. It is considered secure when used with sufficiently large key sizes.
DSA (Digital Signature Algorithm):
• Type: DSA is a digital signature algorithm.
• Key Generation: DSA also involves the generation of a pair of keys: a private key for signing and a corresponding public key for signature verification.
• Mathematical Basis: DSA relies on the discrete logarithm problem for its security. The algorithm uses a group of prime order, and the security is based on the difficulty of computing discrete logarithms in this group.
• Usage: DSA is commonly used for digital signatures in various security protocols, including digital signatures for certificates in public key infrastructure (PKI) systems.
ECC (Elliptic Curve Cryptography):
• Type: ECC can be used for both public-key encryption and digital signatures.
• Key Generation: ECC uses elliptic curves over finite fields to generate key pairs. The security of ECC is based on the difficulty of the elliptic curve discrete logarithm problem.
• Advantages: ECC provides strong security with shorter key lengths compared to traditional algorithms like RSA. This makes ECC particularly attractive for resource-constrained environments, such as mobile devices and embedded systems.
• Usage: ECC is increasingly used in applications where efficiency and smaller key sizes are crucial, such as in mobile communication, IoT (Internet of Things), and digital signatures.
Hashing
Hashing is a process of converting input data (often referred to as a "message") into a fixed-size string of characters, which is typically a hexadecimal number. The output, known as the hash value or hash code, is generated by a hash function. Hash functions are designed to be fast and efficient, and they should produce a unique hash value for each unique input.
There are three major components of hashing:
1. Key: A key can be any string or integer that is fed as input to the hash function, the technique that determines an index or location for storage of an item in a data structure.
2. Hash Function: The hash function receives the input key and returns the index of an element in an array called a hash table. The index is known as the hash index.
3. Hash Table: A hash table is a data structure that maps keys to values using a special function called a hash function. It stores the data in an associative manner in an array where each data value has its own unique index.
Popular hash functions include MD5 (Message Digest Algorithm 5), SHA-1 (Secure Hash Algorithm 1), and the SHA-2 family (which includes SHA-256, SHA-384, and SHA-512). SHA-3 is another notable hash function. When considering security, it's important to use a hash function that is currently considered secure and resistant to attacks.
What is Collision?
The hashing process generates a small number for a big key, so there is a possibility that two keys could produce the same value. The situation where a newly inserted key maps to an already occupied slot is called a collision, and it must be handled using some collision handling technique.
Digital Signatures
A digital signature is a mathematical technique which validates the authenticity and integrity of a message, software or digital document. It allows us to verify the author's name, date and time of signatures, and authenticate the message contents. The digital signature offers far more inherent security and is intended to solve the problem of tampering and impersonation (intentionally copying another person's characteristics) in digital communications.

A digital signature consists of three algorithms:

1. Key generation algorithm
The key generation algorithm selects a private key randomly from a set of possible private keys. This algorithm provides the private key and its corresponding public key.
2. Signing algorithm
A signing algorithm produces a signature for the document.
3. Signature verifying algorithm
A signature verifying algorithm either accepts or rejects the document's authenticity.

The steps which are followed in creating a digital signature are:
1. Select a file to be digitally signed.
2. The hash value of the message or file content is calculated. This message or file content is encrypted by using a private key of a sender to form the digital signature.
3. Now, the original message or file content along with the digital signature is transmitted.
4. The receiver decrypts the digital signature by using a public key of a sender.
5. The receiver now has the message or file content and can compute it.
6. This computed message or file content is compared with the original computed message. The two need to be the same to ensure integrity.
Public Key Infrastructure
Public key infrastructure or PKI is the governing body behind issuing digital certificates. It helps to protect confidential data and gives unique identities to users and systems. Thus, it ensures security in communications.
The public key infrastructure uses a pair of keys, the public key and the private key, to achieve security. The public keys are prone to attacks and thus an intact infrastructure is needed to maintain them.

Public key infrastructure affirms the usage of a public key. PKI identifies a public key along with its purpose. It usually consists of the following components:
• A digital certificate, also called a public key certificate
• Private key tokens
• Registration authority
• Certification authority
• CMS or Certification management system
Working of a PKI:
• PKI and Encryption: The root of PKI involves the use of cryptography and encryption techniques. Both symmetric and asymmetric encryption use a public key. The challenge here is: "how do you know that the public key belongs to the right person or to the person you think it belongs to?" There is always a risk of MITM (man in the middle). This issue is resolved by a PKI using digital certificates. It gives identities to keys to make the verification of owners easy and accurate.
• Public Key Certificate or Digital Certificate: Digital certificates are issued to people and electronic systems to uniquely identify them in the digital world. Here are a few noteworthy things about a digital certificate. Digital certificates are also called X.509 certificates. This is because they are based on the ITU standard X.509.
• The Certification Authority (CA) stores the public key of a user along with other information about the client in the digital certificate. The information is signed, and a digital signature is also included in the certificate.
• The affirmation for the public key can then be retrieved by validating the signature using the public key of the Certification Authority.
Certifying Authorities: A CA issues and verifies certificates. This authority makes sure that the information in a certificate is real and correct, and it also digitally signs the certificate. A CA or Certifying Authority performs these basic roles:
• Generates the key pairs – This key pair generated by the CA can be either independent or in collaboration with the client.
• Issuing of the digital certificates – When the client successfully provides the right details about his identity, the CA issues a certificate to the client. The CA then signs this certificate digitally so that no changes can be made to the information.
• Publishing of certificates – The CA publishes the certificates so that the users can find them. They can do this by either publishing them in an electronic telephone directory or by sending them out to other people.
• Verification of certificate – The CA gives a public key that helps in verifying if the access attempt is authorized or not.
• Revocation – In case of suspicious behaviour of a client or loss of trust in them, the CA has the power to revoke the digital certificate.
Classes of a Digital Certificate:
A digital certificate can be divided into four broad categories. These are:
• Class 1: These can be obtained by only providing the email address.
• Class 2: These need more personal information.
• Class 3: This first checks the identity of the person making a request.
• Class 4: They are used by organizations and governments.

Process of creation of certificate:
The creation of a certificate takes place as follows:
• Private and public keys are created.
• CA requests identifying attributes of the owner of a private key.
• Public key and attributes are encoded into a CSR or Certificate Signing Request.
• Key owner signs that CSR to prove the possession of a private key.
• CA signs the certificate after validation.
Key Management
In cryptography, it is a very tedious task to distribute the public and private keys between sender and receiver. If the key is known to a third party (forger/eavesdropper), then the whole security mechanism becomes worthless. So, there comes the need to secure the exchange of keys.
There are two aspects of Key Management:
1. Distribution of public keys.
2. Use of public-key encryption to distribute secrets.
Distribution of Public Key:
The public key can be distributed in four ways:
1. Public announcement
2. Publicly available directory
3. Public-key authority
4. Public-key certificates
1. Public Announcement: Here the public key is broadcast to everyone. The major weakness of this method is forgery. Anyone can create a key claiming to be someone else and broadcast it. Until the forgery is discovered, the forger can masquerade as the claimed user.
2. Publicly Available Directory: In this type, the public key is stored in a public directory. Directories are trusted here, with properties like participant registration and access that allows values to be modified at any time, and contain entries like {name, public key}. Directories can be accessed electronically but are still vulnerable to forgery or tampering.
3. Public Key Authority: It is like the directory but improves security by tightening control over the distribution of keys from the directory. It requires users to know the public key for the directory. Whenever the keys are needed, real-time access to the directory is made by the user to obtain any desired public key securely.
4. Public Certification: Here the authority provides a certificate (which binds an identity to the public key) to allow key exchange without real-time access to the public authority each time. The certificate is accompanied by some other info such as period of validity, rights of use, etc. All this content is signed by the private key of the certificate authority, and it can be verified by anyone possessing the authority's public key.
First, sender and receiver both request from the CA a certificate which contains a public key and other information, and then they can exchange these certificates and start communication.
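The digital signature steps and the CA-signed certificate described in the sections above, as one added example that is not part of the original slides: textbook RSA hash-then-sign, a CA binding the name "alice" to her public key, and a receiver that rejects both a tampered message and a forged "public announcement" key. The key sizes, the fixed Mersenne primes, the JSON certificate layout, and the names alice and mallory are assumptions made for illustration; real systems use random primes, signature padding and X.509.

```python
import hashlib
import json

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    # Textbook RSA key generation from two primes (toy, unpadded).
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}

def digest(message, n):
    # Step 2 of the slides: hash the message (reduced to fit the modulus).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    # "Encrypt" the hash with the sender's private key.
    return pow(digest(message, private_key["n"]), private_key["d"], private_key["n"])

def verify(message, signature, public_key):
    # "Decrypt" the signature with the public key and compare hashes.
    recovered = pow(signature, public_key["e"], public_key["n"])
    return recovered == digest(message, public_key["n"])

def issue_certificate(subject, subject_public_key, signer_private_key):
    # Certificate = {identity, public key} plus the signer's signature over it.
    body = json.dumps({"subject": subject, "public_key": subject_public_key},
                      sort_keys=True).encode()
    return {"body": body, "signature": sign(body, signer_private_key)}

def trusted_public_key(cert, ca_public_key, expected_subject):
    # Accept the key only if the CA's signature verifies and the name matches.
    if not verify(cert["body"], cert["signature"], ca_public_key):
        return None
    fields = json.loads(cert["body"])
    return fields["public_key"] if fields["subject"] == expected_subject else None

# Constructed keys from fixed Mersenne primes, for reproducibility only.
CA_PUB, CA_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
ALICE_PUB, ALICE_PRIV = make_keypair(2**89 - 1, 2**127 - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**61 - 1, 2**107 - 1)

ALICE_CERT = issue_certificate("alice", ALICE_PUB, CA_PRIV)
# Forgery: a key that claims to be alice but is not signed by the CA.
FORGED_CERT = issue_certificate("alice", MALLORY_PUB, MALLORY_PRIV)

MESSAGE = b"transfer 100 to bob"   # constructed sample message
SIGNATURE = sign(MESSAGE, ALICE_PRIV)

def receiver_accepts(message, signature, cert):
    key = trusted_public_key(cert, CA_PUB, "alice")
    return key is not None and verify(message, signature, key)

if __name__ == "__main__":
    print("genuine:", receiver_accepts(MESSAGE, SIGNATURE, ALICE_CERT))
    print("tampered:", receiver_accepts(b"transfer 900 to bob", SIGNATURE, ALICE_CERT))
    print("forged key:", receiver_accepts(MESSAGE, sign(MESSAGE, MALLORY_PRIV), FORGED_CERT))
```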
