Computer Security:

Computer security is about protecting computer systems and the information they
hold. The goal is to ensure:

1. Integrity: The information is accurate and hasn’t been changed without

permission.
2. Availability: The system and data are available when needed.
3. Confidentiality: Only authorized people can see the information.

It covers everything in a computer system, including hardware, software, stored

data, and communication networks

List and briefly define the three key objectives of computer security

Key Objectives of Computer Security:

1. Confidentiality:
o Ensures private information is not shared with unauthorized people.
2. Integrity:
o Data Integrity: Ensures information and programs are changed only
as authorized.
o System Integrity: Ensures systems work as intended without
unauthorized changes.
3. Availability:
o Ensures systems and services are accessible to authorized users
without delay.

[ Although the use of the CIA triad to define security objectives is well
established, some in the security field feel that additional
**Authenticity: Ensures that something is real and trustworthy. It means verifying
users are who they claim to be and ensuring inputs come from trusted sources.

**Accountability: Makes sure actions can be traced back to the responsible person
or entity ]

What is the OSI security architecture?

1. Security Attack: Any action that threatens the security of an organization’s

information.
2. Security Mechanism: A process or tool used to detect, prevent, or fix a
security attack.
3. Security Service: A system or communication process that protects data and
information transfers by using security mechanisms to stop attacks.

Q. Challenges of computer security?

1. Security is not simple; it needs many steps to protect things.

নিরাপত্তা সহজ নয়; এটি সুরক্ষার জন্য অনেক ধাপের প্রয়োজন।
2. We must think about possible attacks while making security systems.
নিরাপত্তা ব্যবস্থা তৈরির সময় সম্ভাব্য আক্রমণ নিয়ে ভাবতে হবে।
 3. Security rules can be confusing and need complex methods to work.
নিরাপত্তার নিয়মগুলি জটিল হতে পারে এবং কাজের জন্য জটিল পদ্ধতির
প্রয়োজন হয়।
4. We need to choose the right place and level to use security systems.
নিরাপত্তা ব্যবস্থা ব্যবহারের জন্য সঠিক স্থান এবং স্তর নির্বাচন
করতে হবে।
5. Security needs secret keys, which are hard to create, share, and protect.
নিরাপত্তার জন্য গোপন কী প্রয়োজন, যা তৈরি, শেয়ার এবং সুরক্ষিত করা
কঠিন।
6. Attackers only need one weakness, but designers must fix all problems.
আক্রমণকারীদের একটি দুর্বলতা দরকার, কিন্তু ডিজাইনারদের সব সমস্যা
ঠিক করতে হয়।
7. People often understand the importance of security only after problems happen.
মানুষ সাধারণত সমস্যার পরই নিরাপত্তার গুরুত্ব বুঝতে পারে।
8. Security needs regular checking, which is hard in busy environments.
নিরাপত্তার জন্য নিয়মিত পর্যবেক্ষণ প্রয়োজন, যা ব্যস্ত পরিবেশে
কঠিন।
9. Security is often added later instead of during the system’s design.
নিরাপত্তা প্রায়ই সিস্টেম ডিজাইনের সময় নয়, পরে যোগ করা হয়।
10. Many think strong security slows down systems and makes them harder to use.
অনেকেই মনে করেন শক্তিশালী নিরাপত্তা সিস্টেমকে ধীর করে এবং
ব্যবহারে কঠিন করে তোলে।

List and briefly define categories of passive and active security attacks

1. Passive Attacks:
o Nature: Involves monitoring transmissions without altering the data.
o Types:
 Message Content Release: Reading sensitive messages like
emails or files.
 Traffic Analysis: Observing message patterns (e.g., frequency
or length) even if content is encrypted.
o Detection: Hard to detect since data isn’t changed.
o Focus: Prevention through encryption.
 2. Active Attacks:
o Nature: Involves monitoring and altering the transmissions data or
disrupting operations.
o Types:
 Masquerade: Pretending to be another entity to gain
unauthorized access.
 Replay: Capturing and retransmitting data to cause harm.
 Message Modification: Altering or reordering legitimate
messages.
 Denial of Service (DoS): Disrupting normal services, like
overloading a network.
o Prevention: Difficult due to various vulnerabilities.
o Focus: Detecting and recovering from attacks.

List and briefly define categories of security services

1. Authentication
o Ensures communication is authentic and from the claimed source.
2. Access Control
o Restricts unauthorized use of system resources.
o Requires identifying and authenticating users before granting tailored
access rights.
3. Data Confidentiality
o Protects data from unauthorized access during transmission.
4. Data Integrity
o Ensures data is not altered, duplicated, or reordered without detection.
5. Nonrepudiation
o Prevents sender or receiver from denying their actions.
6. Availability
o Ensures resources are accessible and usable when needed.
o Protects against denial-of-service attacks through proper resource
management.
List and briefly define categories of security mechanisms.

1. Encipherment: Encrypts data to ensure confidentiality

(reversible for decryption, irreversible for hashing).
2. Digital Signature: Verifies data integrity and source
authenticity; prevents forgery.
3. Access Control: Enforces access policies for resources.
4. Data Integrity: Ensures data is not tampered with during
storage or transmission.
5. Authentication Exchange: Confirms entity identity via
secure information exchange.
6. Traffic Padding: Adds redundant bits to obscure traffic
patterns.
7. Routing Control: Ensures secure routing of data, adjusts
routes if a breach occurs.

8. Notarization: Uses trusted third parties for data

exchange validation.

List and briefly define the fundamental security design principles.

Fundamental Security Design Principles

1. Economy of Mechanism: Keep designs simple to reduce flaws and make

testing easier.
2. Fail-Safe Defaults: Deny access by default; only allow when explicitly
permitted.
3. Complete Mediation: Check permissions every time access is requested.
 4. Open Design: Use public scrutiny for security mechanisms (e.g., open
encryption algorithms).
5. Separation of Privilege: Require multiple factors or permissions for
sensitive actions.
6. Least Privilege: Assign users/processes only the minimum privileges
needed.
7. Least Common Mechanism: Minimize shared resources to reduce security
risks.
8. Psychological Acceptability: Make security mechanisms user-friendly and
minimally intrusive.
9. Isolation: Separate critical resources from public access and users from each
other.
10.Encapsulation: Protect data by limiting access to specific procedures.
11.Modularity: Design security as separate, interchangeable modules.
12.Layering: Use multiple defenses to protect against failures (defense in
depth).
13.Least Astonishment: Ensure systems behave in ways users intuitively
expect.

Explain the difference between an attack surface and an attack tree

Symmetric Cipher Model

A symmetric encryption scheme has five main components:

1. Plaintext: The original readable message or data input into the encryption
process.
2. Encryption Algorithm: The process that applies substitutions and
transformations to the plaintext using a specific key.
3. Secret Key: A unique, independent value used by the algorithm. Different
keys produce different encrypted outputs (ciphertexts) for the same
plaintext.
4. Ciphertext: The scrambled, unreadable output of the encryption process,
created from the plaintext and secret key.
5. Decryption Algorithm: The reverse process of encryption that converts
ciphertext back into the original plaintext using the same secret key.
For secure use of conventional encryption, two key requirements must be met

1. Strong Algorithm:
The encryption method must be tough enough to prevent
attackers from breaking it, even if they know how it
works or have some example data.
2. Key Security:
The secret key must be kept safe and only shared
between the sender and receiver. If the key is exposed,
anyone can decrypt the messages.

Model of Symmetric Cryptosystem

Cryptographic systems are characterized along three independent dimensions

 Operations Used (Substitution and Transposition):

 Substitution: Replaces each element (bit, letter) in the plaintext with

another element.
 Transposition: Rearranges elements of the plaintext.
 Number of Keys:

 Symmetric (Secret-Key): Both sender and receiver use the same key.
 Asymmetric (Public-Key): Sender and receiver use different keys.

 Plaintext Processing:

 Block Cipher: Processes the plaintext in fixed-size blocks, creating an

output block for each input block.
 Stream Cipher: Processes the plaintext continuously, producing one output
element at a time.

Cryptanalysis vs Brute-Force Attack

1. Cryptanalysis:
o Uses knowledge of the algorithm and possibly some sample plaintext-
ciphertext pairs to deduce the plaintext or recover the key.
o Relies on exploiting weaknesses in the encryption method itself.
2. Brute-Force Attack:
o Involves trying every possible key until the correct one is found.
o On average, it takes trying half of all possible keys to break the
encryption.