Information security

The protection of information systems from unauthorized access, use, disruption, modification,
or destruction in order to provide confidentiality, integrity, and availability.

This includes the protection of personal information, financial information, and sensitive or
confidential information stored in both digital and physical forms.

Security Design Principles

The security design principles are considered while designing any security mechanishm for a
system.

The main secure design principles are the following:

1. Economy of Mechanism

Keep the design as simple and small as possible. So more the design is simple less can go wrong
& when errors occur they are easier to understand & fix.

This would ease the testers to test the security measures thoroughly.

If the designed security mechanism is complex then it is likely that the tester would get a chance
to exploit the weakness in the design.

When the security design is simple, it easy to update or modify the design.

2. Fail-safe Defaults

Base access decisions on permission rather than exclusion.

If any user wants access to any mechanism then whether the access is permitted or denied should
be based on authorization rather than elimination.

This means by default access to all mechanism should be denied.

This principle denies unauthorized access. That mechanism fails by simply denying access,
which is the safest condition.

1
3. Complete Mediation

Every access to every object must be checked for authority. So, there must be an access control
mechanism which would check every access occurring on the system.

All access level should be checked not only the first one in order to grant permission.

4. Open Design

The design should not be considered secret. The secret is always data, like a password or a
cryptographic key.
This security principle suggests that the security mechanism design should be open to the public.
Like in the cryptographic algorithm, the encryption key is kept secret while the encryption
algorithm is opened for a public investigation.

5. Separation of Privilege

It’s always safer if it takes two parties to agree on a decision than if one can do it alone.

This security principle states that whenever a user tries to gain access to a system, the access
should not be granted based on a single attribute or condition.

Instead, there must be multiple situations or conditions or attribute which should be verified to
grant access to the system. Multiple techniques must be implemented to authenticate a user.

For example, while conducting online money transfer we require user-id, password, transaction
password along with OTP.

6. Least Privilege

Operate with the minimal set of powers needed to get the job done.
Each user should be able to access the system with the least privilege. Only those limited
privileges should be assigned to the user which are essential to perform the desired task.

Now, the least set of privileges should be assigned to each role which is essential to perform its
functions. So, the access control mechanism enables each role only those privileges for which it
is authorized. In this way, unauthentic roles are unable to access the protected resources.

An example is role-based access control(RBAC). The role-based designed security

mechanism should discover and describe various roles of the users or processes.

2
Like, the users accessing database has privilege only to retrieve the data they are not authorized
to modify the data.

7. Least Common Mechanism

There should be Minimum common functions to shared between different users.

This principle reduces the count of communication paths and therefore further reduces the
hardware and software implementation.

Ultimately this principle reduces the threat of unwanted access to the system as it becomes easy
to verify if there are some unwanted access to the shared function.

8. Psychological Acceptability

Security mechanism should not add to difficulty of accessing resources. Design security systems
for ease of use for humans.

As this would irritate the user ad user may disable this security mechanism on the system.
Therefore, it is suggested that the security mechanism should introduce minimum hurdles to the
user of the system.

The security mechanism should not be designed such that it becomes difficult for the user to
access the resources in the system.

9. Isolation

The system that has critical data, processes or resources must be isolated such that it restricts
public access. .

Files or data of one user must be kept isolated with the files or data of another user.

Nowadays the new operating system has this functionality.Each user operating the system have
an isolated memory space, process space, file space along with the mechanism to prevent
unwanted access.

3
10. Encapsulation

This security design principle is a form of isolation which is designed on the principle of object-
oriented principles.

12. Layering

Multiple security layers must be used in order to protect the opponent from accessing important
information. Applying multiple security layers provides multiple barriers if he tries to access the
protected system

Goal of Information Security:

Que. What are the aspects of information security?
Information Security programs are build around 3 objectives, commonly known as CIA –
Confidentiality, Integrity, Availability.

Confidentiality – The principle of confidentiality specifies that only the sender and the intended
recipient should be able to access the content of the message.
Only authorized user can view or see a content of information. It is the most common aspect of
information security. we need to protect our confidential information

The confidential information sent by A to B which is accessed by C without the permission or

knowledge of A and B that means confidentiality of data is lost.

• For example if we say I have a password for my Gmail account but someone
saw while I was doing a login into Gmail account. In that case Confidentiality
has been lost
• An organization needs to guard against those malicious actions that danger the
confidentiality of its information.
• In the miltrary, concealment of sensitive information is the major concern.
4
 • In industry, hiding some information from competitors is crucial to the operation
of the organization.
• In banking, customers accounts need to be kept secret.

Integrity – This means data cannot be edited& modified in an unauthorized way. means
maintaining accuracy and completeness of data.
Integrity means that changes need to be done only by authorized entities and through
authorized mechanisms.

The confidential information sent by A to B which is accessed& modified by C without the

permission or knowledge of A and B.

Information needs to be changed constantly. In a bank, when a customer deposits or

withdraws money, the balance of her account needs to be changed.

Availability – means information must be available when needed.

Denial of service attack is one of the factor that can hamper the availability of information.
The information created and stored by an organization needs to be available to authorized
entities. Information is useless, if it is not available.
The unavailability of information is just as harmful for an organization as the lack of
confidentiality or integrity

Non repudiation – Ability to verify that a message has been sent & recived & that the sender
can be identified & verified.
Request for this is online transaction, means one party cannot deny receiving a message or a
transaction nor can the other party deny sending a message or a transaction.
For example in cryptography it is sufficient to show that message matches the digital signature
signed with sender’s private key and that sender could have a sent a message and nobody else
could have altered it in transit.
Access control-Access control is an essential element of security that determines who is allowed
to access certain data, apps, and resources, the person who is authorized to access corporate data
and resources.
At a high level, access control is about restricting access to a resource.

5
Authentication- Verifying the identity of a user, process.
Authentication perform during the log on process when user submits the username & password.

The job of Authentication mechanism is to ensure that only valid user are admitted.but it is
usually based on a combination of-

o something the person has (like a smart card or a radio key for storing secret keys),
o something the person knows (like a password),
o something the person is (like a human with a fingerprint).

Authentication is the necessity of every organizations because it enables organizations to

keep their networks secure by permitting only authenticated users to access its protected
resources. These resources may include computer systems, networks, databases, websites and
other network-based applications or services.

Authorization- is a process of verifying that a known person has the authority to perform a
certain operation. Authorization can not occur without authentication.

Security services
There are various security services which are as follows –
• Authentication:
• Access Control
• Data Confidentiality.
• Data Integrity:
• Non-Repudiation:

Message Confidentiality − : Information is not made available to unauthorized

individual.It is designed to prevent snooping and traffic analysis attack

6
 The principle of confidentiality defines that only the sender and the intended recipient
should be capable to create the element of the message. It protects the transmitted data
from passive attack.

• Data Integrity − It is designed to protect data from modification,insertion,deletion,and

replaying by an adversary, It may protect the whole message or part of the message.
Data integrity is designed to secure information from modification, insertion, deletion and
rehashing by any entity. Data integrity can be used to a flow of message, an individual
message or a selected portion inside a message. Data integrity can be used to support total
stream protection.

Authentication − In connection oriented communication,it provides authentication of

the sender and receiver during the connection establishment.In connection-less
communication, it authenticates the source of the data.

Non-repudiation − Nonrepudiation avoids either sender or receiver from adverse a

transmitted message. Therefore, when a message is sent, the receiver can validate that
the asserted sender actually sent the message. protection against denial of sending or
receiving in the communication.

Likewise, when a message is received, the sender can validate that the asserted receiver
actually received the message.

Access Control − The principle of access control decides who should be capable to
access information or system through communication link. It supports the avoidance of
unauthorized use of a resource. It provides protection against unauthorized access to
data

Attack
Any action that compromises the security of information owned by an organization.

An attack is an information security threat that involves an attempt to obtain, alter, destroy,
remove information without authorized access or permission.

There are basically two types of attacks

7
Active attacks:

Active attacks are a type of cybersecurity attack in which an attacker attempts to alter,
destroy, or disrupt the normal operation of a system or network.
Active attacks involve the attacker taking direct action against the target system or network,
and can be more dangerous than passive attacks,
These attacks are normally easier to detect than to prevent because an attacker can launch
them in a variety of ways
Types of active attacks are as follows:
• Masquerade
• Modification of messages
• Replay
• Repudiation
• Denial of Service

Masquerade –

Masquerade is a type of cybersecurity attack in which an attacker pretends to be someone else in

order to gain access to systems or data. This can involve act like a legitimate user or system to
trick other users or systems into providing sensitive information or granting access to restricted
areas.
For example, an attacker might steal the bank card PIN of a bank customer and pretend that she
is that customer
There are several types of masquerade attacks, including:
Username and password masquerade: In a username and password masquerade attack, an
attacker uses stolen or forged credentials to log into a system or application as a legitimate
user.
IP address masquerade: In an IP address masquerade attack, an attacker spoofs or forges
their IP address to make it appear as though they are accessing a system or application
from a trusted source.
Website masquerade: In a website masquerade attack, an attacker creates a fake website that
appears to be legitimate in order to trick users into providing sensitive information or
downloading malware.

8
 Email masquerade: In an email masquerade attack, an attacker sends an email that appears to
be from a trusted source, such as a bank or government agency, in order to trick the
recipient into providing sensitive information or downloading malware.

Masquerade Attack

Modification of messages –

After intercepting or accessing information, the attacker modifies the information to make
it beneficial to herself.
It means that some portion of a message is altered or that message is delayed or reordered to
produce an unauthorized effect. Modification is an attack on the integrity of the original data. It
basically means that unauthorized parties not only gain access to data but also spoof the data by
triggering denial-of-service attacks, such as altering transmitted data packets or flooding the
network with fake data. Manufacturing is an attack on authentication. For example, a message
meaning “Allow JOHN to read confidential file X” is modified as “Allow Smith to read
confidential file X”.
For example, a customer sends a message to a bank to do some transaction. The attacker
intercepts the message and changes the type of transaction to benefit herself.

9
 Modification of messages

Replay –

It involves the passive capture of a message and its subsequent transmission to produce an
authorized effect. In this attack, the basic aim of the attacker is to save a copy of the data
originally present on that particular network and later on use this data for personal uses. Once the
data is corrupted or leaked it is insecure and unsafe for the users.
• The attacker obtains a copy of a message sent by a user and later tries to replay it.

For example , a person sends a request to her bank to ask for payment to the attacker, who has
done a job for her. The attacker intercepts the message and sends it again to receive another
payment from the bank

10
 Replay
Repudiation:
This type of attack is different from others because it is performed by one of the two parties in
the communication:sender and the receiver.

The sender of the message might later deny that she has sent the message; the receiver of the
message might later deny that she has received the message.

Denial of Service –

It is very common attack.It may slow down or totally interrupt the service of a system.
The sender sends so many bogus requests to a server that the server crashes because of heavy
load.

Denial of Service (DoS) is a type of cybersecurity attack that is designed to make a system or
network unavailable to its intended users by overwhelming it with traffic or requests. In a DoS
attack, an attacker floods a target system or network with traffic or requests in order to consume
its resources, such as bandwidth, CPU cycles, or memory, and prevent legitimate users from
accessing it. .

It can be classified into the following-

11
There are several types of DoS attacks, including:
Flood attacks: In a flood attack, an attacker sends a large number of packets or requests to a
target system or network in order to affect its resources.
Amplification attacks: In an amplification attack, an attacker uses a third-party system or
network to amplify their attack traffic and direct it towards the target system or
network, making the attack more effective.

To prevent DoS attacks, organizations can implement several measures, such as:
1.Using firewalls and intrusion detection systems to monitor network traffic and block
suspicious activity.
2.Limiting the number of requests or connections that can be made to a system or network.
3.Using load balancers and distributed systems to distribute traffic across multiple servers or
networks.
4.Implementing network segmentation and access controls to limit the impact of a DoS attack.

Denial of Service

Man in the middle attacks

12
It is a type of attack that allows an attacker to intercepts the connection between client and server
and acts as a bridge between them. Due to this, an attacker will be able to read, insert and modify
the data in the intercepted connection
Passive attacks:
The attackers goal is just to obtain information.This means that the attack does not modify
data or harm the system.
The system continues with its normal operation.
A Passive attack attempts to learn or make use of information from the system but does not
affect system resources. Passive Attacks are in the nature of eavesdropping on or monitoring
transmission. The goal of the opponent is to obtain information that is being transmitted. Passive
attacks involve an attacker passively monitoring or collecting data without altering or destroying
it. Examples of passive attacks include eavesdropping, where an attacker listens in on network
traffic to collect sensitive information, and sniffing, where an attacker captures and analyzes data
packets to steal sensitive information. Attacks that threaten confidentiality
Types of Passive attacks are as follows:
• The release of message content
• Traffic analysis

The release of message content –

Telephonic conversation, an electronic mail message, or a transferred file may contain sensitive
or confidential information. We would like to prevent an opponent from learning the contents of
these transmissions.

13
 Passive attack

Traffic analysis –

Suppose that we had a way of masking (encryption) information, so that the attacker even if
captured the message could not extract any information from the message.
The opponent could determine the location and identity of communicating host and could
observe the frequency and length of messages being exchanged. This information might be
useful in guessing the nature of the communication that was taking place.
The most useful protection against traffic analysis is encryption of SIP traffic. To do this, an
attacker would have to access the SIP proxy (or its call log) to determine who made the call.

14
 Traffic analysis

Sniffing Attack
A sniffer is a software or hardware tool that allows the user to “sniff” or monitor your internet
traffic in real time, capturing all the data flowing to and from your computer.
Attackers use a sniffer or packet analyzer to intercept and capture packets that pass over a
network. Sniffing attacks are data thefts perpetrated by capturing network traffic with packet
sniffers, which can illegally access and read unencrypted data.
During a sniffing attack, a hacker intercepts small bits of data sent over the internet, and if the
hacker grabs the right packets, your account numbers, passwords, or secrets could all be sold on
the black market
A successful sniffing attack can have several consequences for the targets. These can
include:
• Loss of sensitive data, such as login credentials, financial information, and email messages
• Injection of malicious code into target systems, allowing attackers to control devices or
access sensitive information
• Interruption of network traffic, which can cause communication problems and slow down
network performance
• Damage to the reputation of the organization whose network has been compromised

15
There are many ways to protect your network against sniffing attacks. Some key measures
include:
• Using encryption to protect sensitive data from being intercepted
• Never sending sensitive information over an unencrypted connection
• Ensuring that all computers on a network are adequately protected with antivirus and
firewall software
• Staying aware of what type of traffic passes through the network and taking steps to
protect sensitive information
• Using a VPN when connecting to public Wi-Fi networks

Spoofing

Spoofing is not but a method to gain important or sensitive information from people behaving
like genuine people or genuine customers. Cyber attackers often use well-known names and
products while simulating these spoofing attacks.
A spoofing attack is a situation in which a person or program successfully identifies as another
by falsifying data, to gain an illegitimate advantage in the context of information security, and
especially network security123. Essentially, it attempts to gain unauthorirized access to systems,
devices or networks by masquerading as a valid user23. Spoofing attackers try to mimic or copy
the behavior of authorized users to steal information or gain access23. Spoofing attacks come in
many forms, including email spoofing, website and/or URL spoofing, caller ID spoofing, text
message spoofing, and GPS spoofing . 3

Vulnerabilities in Information Security

A vulnerability in security is a weakness or opportunity in an information system that
cybercriminals can exploit and gain unauthorized access to a computer system.

While a vulnerability refers to weaknesses in hardware, software, or procedures—the entryway

for hackers to access systems.

—an exploit is the actual malicious code that cybercriminals use to take advantage of
vulnerabilities and compromise the IT infrastructure.

An attacker must have at least one applicable tool or technique that can connect to a system
weakness.

Examples and Common Types of Vulnerabilities in Security

16
The four main types of vulnerabilities in information security are:.

1. Network vulnerabilities are weaknesses within an organization’s hardware or

software infrastructure that allow cyberattackers to gain access and cause harm. These areas
of exposure can range from poorly-protected wireless access all the way to misconfigured
firewalls that don’t guard the network at large.

2. Operating system (OS) vulnerabilities are exposures within an OS that allow

cyberattackers to cause damage on any device where the OS is installed. An example of an
attack that takes advantage of OS vulnerabilities is a Denial of Service (DoS) attack, where
repeated fake requests clog a system so it becomes overloaded.

3. Process vulnerabilities are created when procedures that are supposed to act as
security measures are insufficient. One of the most common process vulnerabilities is an
authentication weakness, where users, and even IT administrators, use weak passwords.

4. Human vulnerabilities are created by user errors that can expose networks, hardware,
and sensitive data to malicious actors. Examples of human vulnerability in security are
opening an email attachment infected with malware, or not installing software updates on
mobile devices.

Causes Vulnerabilities?

Human error – When end users fall victim to phishing and other social engineering
tactics, they become one of the biggest causes of vulnerabilities in security.

Software bugs – These are flaws in a code that cybercriminals can use to gain unauthorized
access to hardware, software, data, or other assets in an organization’s network. sensitive data

and perform unauthorized actions, which are considered unethical or illegal.

System complexity – When a system is too complex, it causes vulnerability because

there’s an increased likelihood of misconfigurations, flaws, or unwanted network access.

Increased connectivity – Having so many remote devices connected to a network creates

new access points for attacks.
17
 Poor access control – improperly managing user roles, like providing some users more
access than they need to data and systems or not closing accounts for old employees, makes
networks vulnerable from both inside and outside breaches.

Threat
A security threat is the threat of a malicious attack by an individual or organization attempting
to gain access to a computer network, corrupt data, or steal confidential information.
A threat can be anything that can take advantage of a vulnerability to breach security and
negatively alter, erase, harm object or objects of interest.
Threats can originate from various actors, including corporate spies, hacktivists, terrorist groups,
hostile nation-states, criminal organizations, lone hackers and disgruntled employees.

Types of Security Threats

Cyber security professionals should have an in-depth understanding of the following types of
cyber security threats.
1. Malware
Malware is malicious software such as spyware, ransomware, viruses and worms. Malware is
usually installed into the system when the user opens a malicious link or email. Once installed,
malware can block access to critical components of your network, damage your system, and
export confidential information to destinations unknown

Spyware allows attackers to obtain information about your computer activities by transmitting
data covertly from your hard drive.

Ransomware blocks access to files on a device, rendering any files (and the systems that rely on
them) unavailable. Usually, malicious actors demand a cash ransom in exchange for a decryption
key.

2) Backdoor

Backdoor Attack is using any malware or technology taking advantage of software's weak point
to gain unauthorized access by bypassing all the security measures.

It is a method that bypasses the normal authentication process. A developer may create a
backdoor so that an application or operating system can be accessed for troubleshooting or other
purposes.
18
 Backdoors allow the attackers to quietly get into the system bypassing the security protocols and
gain administrative access.

• Backdoor can be a gateway for dangerous malware like trojans, ransomware, spyware, and
others.
• Backdoors are the best medium to conduct a DDoS attack in a network.
• Using backdoors, hackers can modify sensitive system settings like Administrative
passwords and others.
• Backdoors can help cyber attackers to use your internet connection remotely for uploading
and downloading.
• Attackers can also install and run some specific applications or tasks with the help of
Backdoors.

Types of Backdoor

Administrative Backdoor
Sometimes software developers intentionally leave a backdoor into the program so that in case
of any failure or error, they can easily reach the core of the software's code and quickly solve the
issue. Such Backdoors are called the Administrative Backdoors. These deliberate Backdoors can
also help the software testers to testify the codes.
Though such Backdoors are only known to the developers, a skillful hacker can take advantage
of it and silently use it for his benefit. So Administrative Backdoor can be called a type of
loophole in the program.
Malicious Backdoor

• Malicious Backdoors are the backdoors installed on the system by cybercriminals using
malware

Programs like Remote Access Trojan (RAT). These are

specifically designed for taking control of the system or network and conduct malicious tasks

• Trojans are malware or code that acts as a legitimate application or file to trick you into
loading and executing the malware on your device. A trojan’s goal is to damage or steal your
organization’s data or to inflict some other harm on your network.
• A computer virus is malicious code designed to spread from device to device. These self-
copying threats are usually intended to damage a machine or steal data.

19
 3) Worms
Worms are malware that spread copies of themselves from computer to computer without
human interaction. They replicate itself ,They do not need to attach themselves to a software
program to cause damage..

• It is a type of malware whose primary function is to replicate itself to spread to uninfected

computers. It works same as the computer virus. Worms often originate from email attachments
that appear to be from trusted senders
•
• When worm replicate itself victim computer processing power , memory get slow down ,
in some cases it may even cause system to crash
• In 2001, a worm named NIMDA spread across the entire network in just 22 minutes.

4. Virus
A virus is a program which attaches itself to another program & causes damage to the computer
system or network.

It is a type of malicious software program that spread throughout the computer files if user
install a file or open a program without the knowledge of a user & its need human action to
spread in computer. All computer viruses are manmade.

It is a self-replicating malicious computer program that replicates by inserting copies of itself

into other computer programs when executed. It can also execute instructions that cause harm to
the system.

5.Spyware
Spyware is a type of malicious software -- or malware -- that is installed on a computing
device without the end user's knowledge. It invades the device, steals sensitive information
and internet usage data, and relays it to advertisers, data firms or external users.

Spyware is one of the most common threats to internet users. Once installed, it monitors
internet activity, tracks login credentials and spies on sensitive information. The primary
goal of spyware is usually to obtain credit card numbers, banking information and
passwords.

What does spyware do

• Spyware spy on users’s behaviours , They can watch web pages you visit & report that
information to server or person
20
 • It shows unwanted advertising popup ads. As it spy pusesh ads that user likes
• Spyware can use unwanted memory & bring performance slow.
• They can allow installation of backdoors, can change settings, hijack your browse.

6.Ransomware
Ransomware is a type of malware that threatens to publish the victim's personal data or
permanently block access to it unless a ransom is paid off.

While some simple ransomware may lock the system without damaging any files, It prevents
users from accessing their system or personal files and demands ransom payment in order to
regain access.

While some people might think "a virus locked my computer," ransomware would typically be
classified as a different form of malware than a virus.

By making regular or continuous data backups, an organization could limit costs from these
types of ransomware attacks and often avoid paying the ransom demand.

7. Trojan horse
It is a malicious program that occurs unexpected changes to computer setting and unusual
activity, even when the computer should be idle. It misleads the user of its true intent. It appears
to be a normal application but when opened/executed some malicious code will run in the
background.

Trojan horse is a kind of channel that carries malicious program. Its like a normal program but
contain virus. Trojan horse appears to be useful program after user click & installing them, they
do open doors for other malicious program to enter into computer.

Trojan horse can steal sensitive information.

Types of Trojan Horse

1. Remote Access Trojan Horse:- It provide cetral control over victim computer
2. Data Sending Trojan Horse:- It install keylogger, they can access to confidential
data
3. Destructive Trojan Horse:- Will delete file for target system & making server
unavailable while performing DDOS attack on target syetm.
4. Proxy Trojan:- It turns a program into proxy server, making the computer
accessible to attacker
5. FTP Trojan: Open the port 21 allowing the attacker to connect via FTP

21
 How to Identify Trojan Horse:
• Colour setting change automatically
• Antivirus is automatically disabled
• Date & Time Change
• Mouse pointer disappear
• Popup suddenly appears

Trojan Counter Measure:

• Do not download file from unknown sites
• Run Antivirus, Firewall & IDS on computer
• Run Trojan Scanner
• While downloading useful file do not download other program

Your organization can prevent malware-based cyber attacks by:

• Using reputable antivirus and anti-malware solutions, email spam filters, and endpoint
security solutions.
• Ensuring that your cybersecurity updates and patches are all up to date.
• Requiring your employees to undergo regular cybersecurity awareness training to teach
them how to avoid suspicious websites and to avoid engaging with suspicious emails.

Limiting user access and application privileges

Classical Encryption Technique

1)Symmetric Encryption: Same key is used for encryption & decryption
2) Asymmetric Encryption:- Uses a pair of keys. Each key pair consist of public key &
private Key
In public key encryption anyone with public key can encrypt the message in ciphertext but those
who have correspoinding private key can decrypt the ciphertext to obtain original message

Conventional encryption

Conventional encryption is a cryptographic system that uses the same key used by the
sender to encrypt the message and by the receiver to decrypt the message.

It is still much preferred of the two types of encryption systems due to its simplicity. It is a
relatively fast process since it uses a single key for both encryption and decryption In this
encryption model, the sender encrypts plaintext using the receiver’s secret key, which can be
22
later used by the receiver to decrypt the ciphertext. Below is a figure that illustrates this
concept.
Symmetric encryption is also referred to as conventional encryption or single-key
encryption.

Suppose A wants to send a message to B, that message is called plaintext. Now, to avoid
hackers reading plaintext, the plaintext is encrypted using an algorithm and a secret key (at
1). This encrypted plaintext is called ciphertext. Using the same secret key and encryption
algorithm run in reverse(at 2), B can get plaintext of A, and thus the message is read and
security is maintained.
The idea that uses in this technique is very old and that’s why this model is called
conventional encryption.
Conventional encryption has mainly 5 ingredients :

1. Plain text –
It is the original data that is given to the algorithm as an input.

2. Encryption algorithm –
This encryption algorithm performs various transformations on plain text to convert it into
ciphertext.

3. Secret key –
The secret key is also an input to the algorithm. The encryption algorithm will produce
different outputs based on the keys used at that time.

4. Ciphertext –
It contains encrypted information because it contains a form of original plaintext that is
unreadable by a human or computer without proper cipher to decrypt it. It is output from
23
 the algorithm.

5. Decryption algorithm –
This is used to run encryption algorithms in reverse. Ciphertext and Secret key is input
here and it produces plain text as output.

Requirements for secure use of conventional encryption :

1. We need a strong encryption algorithm.
2. The sender and Receiver must have obtained copies of the secret key in a secure
fashion and must keep the key secure.

Advantages of Conventional Encryption :

1. Simple –
This type of encryption is easy to carry out.

2. Uses fewer computer resources –

Conventional encryption does not require a lot of computer resources when compared to
public-key encryption.

3. Fast –
Conventional encryption is much faster than asymmetric key encryption.

24
25