CSI105 Week 09

SECURITY AND
ETHICAL ISSUES

Tam Nguyen (FU HL- SE)

Oct 2023
 Last 2 Weeks

MON THU

Topic: AI
Topic: Security & Ethical
Week 09
Issues (cont.) Lab 2 (on CMS)

Week 10 Topic: AI (cont.) PT3 + Review

3
 CONTENT

• Introduction

• Confidentiality

• Other Aspects of Security

• Ethical Principles
• Privacy

• Hackers

4
 Objectives

After studying this chapter, the student should be able to:

• Define security goals: confidentiality, integrity, and availability.

• Show how confidentiality can be achieved using symmetric-key and asymmetric-key cipher.

• Discuss other aspects of security: message integrity, message authentication, digital signature, entity authentication, and
key management.

• Discuss the use of firewalls to protect a system from harmful messages.

• Define three ethical principles related to the use of computers.

• Distinguish between physical and intellectual property and list some types of intellectual property.

• Define privacy as related to the use of computers.

• Give the definition of a computer crime and discuss types of attacks, motivation for attacks, and how to protect against
attacks.

• Define hackers and the damage done by them

5
 CONTENT

• Introduction

• Confidentiality

• Other Aspects of Security

• Ethical Principles
• Privacy

• Hackers

6
 INTRODUCTION

• We are living in the information age. We need to keep information about every
aspect of our lives. Thus, information is an asset that has a value like any other
asset. As an asset, information needs to be secured from attacks.

• To be secure, information needs

o to be hidden from unauthorized access (confidentiality),
o protected from unauthorized change (integrity),
o and available to an authorized entity when it is needed (availability).

7
 SECURITY GOALS

• Confidentiality
o The most common aspect of InfoSec – protect our confidential information
o Storage & Transmission of information

• Integrity
o Information needs to be changed constantly
o Integrity = changes need to be done only by authorized entities & through
authorized mechanisms

• Availability
o The information created and stored by an organization needs to be available to
authorized entities.
o Information is useless if it is unavailable – as harmful as a lack of the two above
8
 ATTACKS

Three goals of security can be threatened by security attacks. Three groups of

attacks related to the security goals as below:

Figure 12.1 Taxonomy of attacks with relation to security goals 9

 ATTACK DESCRIPTION

Snooping Unauthorized access to or interception of data

Attackers can obtain some other type of information by monitoring online

Traffic Analysis
traffic – e.g., email addresses, nature of transaction, …
After intercepting or accessing information, the attacker modifies the
Modification
information to make it beneficial to them
Masquerading
happens when the attacker impersonates somebody else
(Spoofing)
The attacker obtains a copy of a message sent by a user and later tries to
Replaying
replay it
performed by one of the two parties in the communication: the sender or
Repudiation
the receiver (deny that they have sent or received something)
Common attack which attempts to slow down or totally interrupt the
Denial of Service
service of a system
10
 SERVICES & TECHNIQUES

ITU-T defines some security services to achieve security goals and prevent attacks. Each
of these services is designed to prevent one or more attacks while maintaining security
goals. Two techniques are below:
Cryptography (general) Steganography (specific)
Although in the past cryptography referred The word steganography, with origins in
only to the encryption and decryption of Greek, means ‘covered writing’, in contrast
messages using secret keys. to cryptography, which means ‘secret
writing’..

11
 CONTENT

• Introduction

• Confidentiality

• Other Aspects of Security

• Ethical Principles
• Privacy

• Hackers

12
 Cipher classification

Confidentiality can be achieved using ciphers.

Ciphers

Symmetric- Asymmetric
Hashing
key -key

Traditional Modern

q Substitution (Monoalphabetic, Polyalphabetic)

q Transposition

Cipher classification 13
 SYMMETRIC-KEY CIPHERS

A symmetric-key cipher uses the same key for both encryption and decryption,
and the key can be used for bidirectional communication, which is why it is called
symmetric.

Figure 12.2. General idea of a symmetric-key cipher 14

 SYMMETRIC-KEY CIPHERS (cont.)

• Symmetric-key encipherment uses a single key for both encryption and decryption.

• The encryption and decryption algorithms are inverses of each other.

• If P = plaintext, C = ciphertext, K = key, E! (x) = encryption algorithm, D! (x) =

decryption algorithm, E! (x) and D! (x) are inverses of each other, we have:

Encryption: C = E! (P) Decryption: P = D! (C)

Symmetric-key

Traditional Modern
q Substitution (Monoalphabetic, Polyalphabetic)
q Transposition
15
SYMMETRIC-KEY CIPHERS (cont.): Traditional symmetric-key

Mono-alphabetic

q Substitution
Poly-alphabetic
replaces one
Traditional
symbol w/ another
symmetric-
key ciphers

q Transposition

reorders symbols
16
 SYMMETRIC-KEY CIPHERS (cont.): Traditional symmetric-key

1.1.1. Substitution ciphers

• A substitution cipher replaces one symbol with another. If the symbols in the
plaintext are alphabetic characters, we replace one character with another.

o For example, we can replace letter A with letter D and letter T with letter Z.
If the symbols are digits (0 to 9), we can replace 3 with 7 and 2 with 6.

• Substitution ciphers can be categorized as either monoalphabetic ciphers or

polyalphabetic ciphers

17
 SYMMETRIC-KEY CIPHERS (cont.): Traditional symmetric-key

1.1.1.1. Mono-alphabetic ciphers

In a monoalphabetic cipher, a character (or a symbol) in the plaintext is always changed to the
same character (or symbol) in the ciphertext regardless of its position in the text.

In additive cipher, the

plaintext, ciphertext, and key
are integers in modulo 26.

Representation of plaintext and ciphertext characters in modulo 26

Example: Use the additive cipher with key = 15 to encrypt the message 'hello'

18
 SYMMETRIC-KEY CIPHERS (cont.): Traditional symmetric-key

1.1.1.2. Polyalphabetic ciphers

In a polyalphabetic cipher, each occurrence of a character may have a different substitute.
We need to make each ciphertext character dependent on both the corresponding plaintext
character and the position of the plaintext character in the message.
the key is a stream of
subkeys, in which
each subkey is used to
encrypt the corresponding
A simple polyalphabetic cipher called the autokey cipher character in the plaintext

Example: autokey cipher with initial key value k1 = 12, msg = 'attack is today'

19
SYMMETRIC-KEY CIPHERS (cont.): Traditional symmetric-key

Mono-alphabetic

q Substitution
Poly-alphabetic
replaces one
Traditional
symbol w/ another
symmetric-
key ciphers

q Transposition

reorders symbols
20
 SYMMETRIC-KEY CIPHERS (cont.): Traditional symmetric-key

1.1.2. Transposition
ciphers
A transposition cipher
does not substitute one
symbol for another;
instead it changes the
location of the symbols.

Figure 12.3. Transposition cipher 21

SYMMETRIC-KEY CIPHERS (cont.): Stream & Block symmetric-key

• Stream cipher: In a stream cipher, encryption and decryption are done one symbol (such
as a character or a bit) at a time. We have a plaintext stream, a ciphertext stream, and a
key stream. Call the plaintext stream P, the ciphertext stream C, and the key stream K:

• Block ciphers: In a block cipher, a group of plaintext symbols of size 𝑚 (𝑚 > 1) are
encrypted together, creating a group of ciphertext of the same size. In a block cipher, a
single key is used to encrypt the whole block even if the key is made of multiple values. In
a block cipher, a ciphertext block depends on the whole plaintext block.
22
 SYMMETRIC-KEY CIPHERS (cont.): Modern symmetric-key

• The traditional symmetric-key ciphers are character-oriented ciphers.

• With the advent of the computer, we need bit-oriented ciphers.
• A modern cipher can be either a block cipher or a stream cipher.

23
 SYMMETRIC-KEY CIPHERS (cont.): Modern symmetric-key

1.2.1. Modern block ciphers

A symmetric-key modern block cipher encrypts an 𝑛 −bit block of plaintext or decrypts an
𝑛 −bit block of ciphertext. The encryption or decryption algorithm uses a 𝑘 −bit key.
o E.g., Digital Encryption Standard (DES) – n=64, k=56; Advanced Encryption Standard (AES) – n=128,
k=128|192|256

Figure 12.4. A modern block cipher

24
 SYMMETRIC-KEY CIPHERS (cont.): Modern symmetric-key

1.2.2. Modern stream ciphers

With plain text 𝑝 and key 𝑘 of same bit length,

One-Time-Pad is specified as:
E(p, k) = p XOR k = c
D(c, k) = c XOR k = (p XOR k) XOR k = p
Figure 12.5. One-time pad

Plain text 1 1 0 0 0 1 0 0 0 1 1 1 ...

3 requirements of OTP: ⊕
• P & k have same bit length Pad 0 0 1 1 1 1 0 1 0 0 0 1 ...
• Key stream must be truly random
• Key stream is used only once Cipher 1 1 1 1 1 0 0 1 0 1 1 0 ...
25
 Cipher classification

Confidentiality can be achieved using ciphers.

Ciphers

Symmetric- Asymmetric
Hashing
key -key

Traditional Modern

q Substitution (Monoalphabetic, Polyalphabetic)

q Transposition

Cipher classification 26
 ASYMMETRIC-KEY CIPHERS

Symmetric-key Asymmetric-key
Based on sharing secrecy Based on personal secrecy
Symbols are permuted or substituted Numbers are manipulated

Figure 12.6. General idea of asymmetric-key cryptosystem 27

 RSA cryptosystem

• One of the common public-key algorithms is the RSA cryptosystem, named for its
inventors (Rivest, Shamir, and Adleman).

• RSA uses two exponents, 𝑒 and 𝑑, where 𝒆 is public and 𝒅 is private

and
ϕ = (𝑝 − 1)×(𝑞 − 1)

Such that
e×𝑑 mod ϕ = 1

Figure 12.7. Encryption, decryption, and key generation in RSA 28

 Cipher classification

Symmetric Asymmetric Hashing

Feature same key for both use a pair of keys: a public key take an input (or message)
encryption and decryption. for encryption and a private key and return a fixed-length
for decryption string of characters,
typically a hash value.
Application secure data at rest secure data transmission, digital data integrity checks,
used in securing network signatures, and key exchange, password storage, and
communications securing email communications, digital signatures
online banking, and HTTPS
connections on the internet.
Examples Advanced Encryption RSA (Rivest-Shamir-Adleman): SHA-256 (Secure Hash
Standard (AES): encrypting used for secure email & digital Algorithm 256-bit): create a
files, securing coms, & signatures digital signature & verify
protecting data on mobile the integrity of blockchain
devices transactions 29
 CONTENT

• Introduction

• Confidentiality

• Other Aspects of Security

• Ethical Principles
• Privacy

• Hackers

30
 OTHER ASPECTS OF SECURITY

• The cryptography systems provide confidentiality.

• Other aspects need to be taken care of:
o Message integrity
o Message authentication
o Entity authentication
o Non-repudiation
o Key management

31
 OTHER ASPECTS: MESSAGE INTEGRITY
Figure 12.8. Message & digest
• The message should be unchanged.
• Message & message digest: A
cryptographic hash function creates a
compressed image of the message,
called a digest.

• A cryptographic hash function takes a message of arbitrary length and creates a

message digest of fixed length.
• A compression function compresses an 𝑛-bit string to create an 𝑚-bit string where 𝑛 is
normally greater than 𝑚.
• Several hash functions: MD2, MD4, MD5, SHA
The message digest needs to be safe from change.
32
 OTHER ASPECTS: MESSAGE AUTHENTICATION

• Message Authentication Code (MAC)

Figure 12.9. Message Authentication Code (MAC)

A MAC provides message integrity and message authentication using

a combination of a hash function and a secret key. 33
 OTHER ASPECTS: DIGITAL SIGNATURE

• A digital signature needs a public-key system. The signer signs with her private key; the
verifier verifies with the signer’s public key.
• A cryptosystem uses the private and public keys of the receiver; a digital signature
uses the private and public keys of the sender.

Figure 12.10. Digital signature

34
 OTHER ASPECTS: DIGITAL SIGNATURE (cont.)

• A digital signature can directly provide message authentication, message integrity, and
non-repudiation (with the help of a trusted third party).

Figure 12.11. Digital signature

35
 OTHER ASPECTS: ENTITY AUTHENTICATION

• Entity versus Message authentication:

o Message authentication might not happen in real time; entity authentication does.
o Message authentication authenticates one message; the process needs to be
repeated for each new message. Entity authentication authenticates the claimant
for the entire duration of a session.

• Verification Categories:
o Something known: password, PIN, secret key
o Something possessed: passport, driver’s license, credit card, ID card
o Something inherent: conventional signatures, fingerprints, voice, facial
characteristics, retinal pattern, and handwriting

36
 OTHER ASPECTS: KEY MANAGEMENT

• How secret keys in symmetric-key cryptography, and public keys in asymmetric-

key cryptography, are distributed and maintained.
• Symmetric-key distribution: KDC (Key Distribution Centre), Multiple DKCs,
Session keys
• Public key distribution: Public announcement, Certificate Authority (CA)

37
 OTHER ASPECTS: KEY MANAGEMENT

Symmetric-key distribution:
• A session symmetric key between two
parties is used only once.

Figure 12.12. Session key with KDC

Public-key distribution:
• In public-key cryptography, everyone has
access to everyone’s public key; public
keys are available to the public.

Figure 12.13. Certification authority 38

 Question

1. Which of the following attacks is threatening integrity?

a. Traffic analysis

b. Denial of service
c. Masquerading

d. Snooping

39
 Question

2. Which of the following attacks is threatening availability?

a. Replaying

b. Denial of service
c. Modification

d. Snooping

40
 Question

3. _________ means concealing the message by covering it with

something else
a. Hashing
b. Cryptography
c. Steganography
d. Compressing

41
 Question

4. _________ means converting a plaintext (message) into an

unreadable format.
a. Hashing
b. Cryptography
c. Steganography
d. Compressing

42
 Question

5. _________ cryptography is often used for long messages.

a. Asymmetric-key

b. Public-key
c. Open-key

d. Symmetric-key

43
 Question

6. _________ means that the sender and the receiver expect

confidentiality.
a. Non-repudiation
b. Encryption & decryption
c. Integrity
d. Authentication

44
 Question

7. _________ can provide authentication, integrity, and

nonrepudiation for a message.
a. Digital signature
b. Encryption / Decryption
c. Compression
d. Key-exchange

45
 Question

8. _________ means that the data must arrive at the receiver

exactly as they were sent.
a. Non-repudiation
b. Authentication
c. Secrecy
d. Message integrity

46
 Question

9. In ___________, the identity of a party is verified once for the

entire duration of system access.
a. Message encryption
b. Message authentication
c. Entity authentication
d. Message integrity

47
 Question

10. The RSA algorithm for confidentiality uses _______

cryptography.
a. substitution
b. transposition
c. symmetric-key
d. asymmetric-key

48
 Question

11. In RSA, if user A wants to send an encrypted message to user B,

the plaintext is encrypted with the public key of _______.
a. user A
b. user B
c. a third party
d. the network

49
 CONTENT

• Introduction

• Confidentiality

• Other Aspects of Security

• Ethical Principles
• Privacy

• Hackers

51
 ETHICAL PRINCIPLES

• One of the ways to evaluate our responsibility towards the rest of the world when
using a computer is to base our decisions on ethics.

• Ethics is a very complex subject that would take several books to describe in detail. In
this chapter, we discuss only three principles that can be related to our goal.

Moral Rules
Ethical
Principles Utilization

Social Contract

Figure 12.14. Three main principles of ethics

52
 MORAL RULES

• The first ethical principle states that when

we make an ethical decision, we need to
consider if the decision is made in
accordance with a universally accepted
principle of morality.

• For example, if we want to illegally access

a computer to get some information, we
need to ask ourselves if this act is moral.

The first principle of ethics says that we should avoid

doing anything if it is against universal morality.
53
 UTILIZATION

• The second theory of ethics is related to the consequences of the act. An act is
ethical if it results in consequences which are useful for society.

• Example: If a person accesses a bank’s computer and erases customer records, is

this act useful for society? Since this action may damage the financial status of the
bank’s customer, it is detrimental to society. It does not bring about a good result. It
is not ethical.

The second principle of ethics says that an act is ethical if it brings about a good result.

54
 SOCIAL CONTRACT

• The social contract theory says that an act is

ethical when the majority of people in society
agrees with it.
• If someone breaks into somebody else’s
house and commits a robbery, does this act
receive the approval of a majority of society?
Since the answer is negative, this act is not
ethical.

Figure 12.15. Majority of people in society

The third principle of ethics says an act is ethical if
a majority of people in society agree with it.
55
 CONTENT

• Introduction

• Confidentiality

• Ethical Principles

• Other Aspects of Security

• Privacy

• Hackers

56
 PRIVACY: Introduction

• Personal information about an individual is collected by private and public

agencies. Although in many cases the collection of this information is
necessary, it may also pose some risks.

• Some of the information collected by government or private companies can be

used commercially. In many countries, a citizen’s right to privacy is, directly or
indirectly, mentioned in the nation’s constitution.

• Data privacy is the concept of giving consumers control over how their
personal data is accessed, used, or shared. This personal data includes your
name, location, birthday, bank account information, and online activity.

57
 PRIVACY: Introduction

Codes of ethics related to the use of computers to collect data:

1. Collect only data that are needed.
2. Be sure that the collected data are accurate.
3. Allow individuals to know what data have been collected.
4. Allow individuals to correct the collected data if necessary.
5. Be sure that collected data are used only for the original purpose.
6. Use encryption techniques

58
PRIVACY: Why Data Privacy is important?

59
 PRIACY: Non-Disclosure Agreement

• A non-disclosure agreement (NDA) can also be known by other names such as a

confidentiality, non-use or trade secret agreement.

• Essentially, an NDA is a legally binding contract between parties that requires them to
keep certain information confidential.

Figure 12.10. An example of NDA

60
 CONTENT

• Introduction

• Confidentiality

• Ethical Principles

• Other Aspects of Security

• Privacy

• Hackers

61
 HACKERS: Introduction

• The word hacker today has a different meaning than when it was used in the past.
Previously, a hacker was a person with a lot of knowledge who could improve a
system and increase its capability.
• Today, a hacker is someone who gains unauthorized access to a computer
belonging to someone else in order to copy secret information.

Figure 12.16. Types of Hackers 62

 TYPES OF HACKERS

• Black Hat Hacker. Basically, these are the "bad guys". They are the types of hackers who break
into computer networks with purely negative motives such as monetary gain or reputation.
• White Hat Hacker. As opposed to the black hat, these are the "good guys". They are ethical
hackers who create algorithms to break existing internet networks to solve the loopholes in
them.
• Grey Hat Hacker. Basically, these are hackers who exploit the internet systems only to make
public, certain vast datasets of information that would be of benefit to everyone.
• Blue Hat Hacker. In one word, this is the amateur. Usually, their techniques are deployed out
of ill motives such as revenge attacks.
• Red Hat Hacker. The objective of a red hat hacker is to find black hat hackers, intercept and
destroy their schemes.
• Green Hat Hacker. This is the set of individuals who simply want to observe and learn about
the world of hacking. It comprises those who join learning communities to watch videos and
tutorials about hacking.

63
 COMMON TYPES OF HACKING

• Hacking for financial gain. Lone black hat hackers as well as hacking collectives are typically
thieves. Their cybercrimes are targeted at either directly stealing money, enabling later theft
via data hijacking, or selling the acquired data to other cybercriminals.

• Corporate espionage. With so many industries as cutthroat as they are, it’s unsurprising that
companies are often willing to get dirty to triumph over the competition. Corporate (or
industrial) espionage is the commercial application of hacking, malware, phishing, and other
unsavory spying techniques to obtain privileged insider information from a business
competitor — aka information hacking.

• State-sponsored hacking. The potential rewards from security hacking can be so great, even
governments want to get in on the party. Countries across the world are constantly playing
games of cat-and-mouse cyber warfare with one another. Everyone knows that everyone
else is doing it, and everyone acts surprised and offended when they get caught.

64