Cybersecurity 4

Block 2 of the Cyber Security TM256 course covers systems security, including an overview of information systems, attack vectors, and cryptography principles. It emphasizes the importance of understanding threats, vulnerabilities, and implementing security controls to protect systems. The ISO 27000 series standards are also discussed, providing guidelines for establishing effective information security management systems.

Cyber Security TM256

Block 2: Systems security

By
Dr. Ahmed Mahfouz
AOU, Oman
Block 2: Systems security
• Part 1: An overview of systems security
1. What is a system?
2. Information systems
3. Attack vectors
4. What makes a system secure?
5. The ISO 27000 information security standards
• Part 2 Principles of cryptography: fundamentals and symmetric systems
1. Evolution of cryptography
2. Fundamentals of cryptography
3. Modern symmetric systems and standards
4. Initialization Vector
5. Substitution–permutation network
6. Applications of symmetric systems
7. Limitations of symmetric systems
8. Steganography
Learning outcomes
• Demonstrate an understanding of the theory and practice of systems
security that includes identifying associated threats, controls and
policies.
• Recognize threats, vulnerabilities and attack methods, and propose
appropriate mitigation and security controls towards the design and
implementation of secure systems and infrastructure.
• Communicate and analyze problems effectively within a computing
environment using appropriate personal and technical skills.
• Demonstrate the ability to undertake ongoing learning to keep up to
date with cyber security developments within digital systems.
Working with NetLabs
• NetLabs is an online laboratory environment that will help you
develop practical skills relating to different aspects of systems
security.

• At different points during your study of the module, you will be asked
to complete activities in NetLabs. These activities are prefixed
‘NetLabs Activity’ to differentiate them from the activities embedded
in the module materials.

• Activity 2.2 NetLabs – Practical cyber security skills (CLMS)


Part 1: An overview of systems security

1. What is a system?

2. Information systems

3. Attack vectors

4. What makes a system secure?

5. The ISO 27000 information security standards


1 What is a system?
• A system is a set of functional components, either people or digital technologies, working together
to achieve a specific purpose.
• The components of the system are connected in an organized way and can interact with each other
by exchanging information.
• Socio-technical system refers to systems that have interactions between people and technologies
in a given operating context, without direct interaction with the physical environment.
• The term cyber-physical-social system refers to systems that combine digital (cyber) technologies
and people (social) with interactions with their physical operating environment (Wang et al., 2010).
• In the context of cyber security, we deal with digital systems that combine digital technologies and
people, who are connected through communication channels that enable them to exchange data
and interact with each other.
• To secure such systems, we must understand the operation of the system and determine the
security threats that are relevant to it, so that we can implement security controls that help
protect against such threats.
• Activity 2.3 Exploring examples of systems (CLMS)
2 Information systems
• Laudon and Laudon (2013, p. 143) define an
information system as consisting of
interrelated components working together to
collect, process, store and disseminate
information to support decision-making,
coordination, control, analysis and
visualization in an organisation.
• Valacich and Schneider (2013) define
information systems as combinations of
hardware, software and telecommunications
networks that people build and use to collect,
create and distribute useful data, typically in
organizational settings.
This figure illustrates the six components of an information
system, which, broadly speaking, is a combination of
technologies, processes and people.
2.1 Interaction in information systems
• An interface is a means through which two systems interact
or a system interacts with the environment, as illustrated in
the Figure.
• The interaction between a user and the web page uses a
User Interface (UI).
• The database and the web server interact through a software
interface, termed an ‘Application Programming Interface’ (API), as
these software components all operate at the application layer of
the system.
• The web server and the database interact with the hardware
components of the computers that they are running on, as
well as the network components that allow them to
communicate with each other, through the host layer of the
system.
2.2 Security terminology – putting things together
• Assets are tangible/intangible things of value: cash value,
system function, and assets (i.e., data, software and hardware).
• Assets are targeted by threats: theft, stopping a system or a
system function. The estimated threat-level differs based on the
context.
• Assets could be attacked by exploiting a vulnerability: If they
are not protected (secured), they will succumb to it. An exploit
is an unauthorized access to an asset that is part of the system.
• Assets could contain a vulnerability: Attackers will ‘exploit’ the
vulnerability, if there is one. In the context of software and
applications, the vulnerabilities are often unnoticed
programming or logic errors that are exploited by malicious
attackers whose intent is to impede, distort or stop a function
of the system.
Figure 2.4 Terminology of systems security
• A security mechanism responds to an attack: The security
mechanisms help the system to ensure that its security
objectives are achieved by taking steps that will respond to an
attack.
• Availability: Multiple, redundant instances of key components of a system, such as web and
database servers, or backups of data stored by the system, help ensure that the system is always
fully functional and available to the user.
• Authentication: Multi-factor authentication can be used to ensure that only legitimate users can
use the system.
• Authorization: Using access control techniques, like role-based access control, can ensure that
only specific users can perform specific operations on the system. For example, only system
administrators would be allowed to change the software installed on the web and database
servers.
• Confidentiality: Techniques like cryptography and access control can be used to ensure that only
authorized users have access to the data handled by the system.
• Integrity: Again, a combination of cryptography and access control can ensure that only
authorized users can make changes to the data in the system.
• Accounting and non-repudiation: Mechanisms that ensure all actions performed on the
system are logged with the identity of the user performing them, together with the date and
time, provide accounting and non-repudiation capabilities.
3 Attack vectors
• An attack vector is the means an attacker typically deploys to launch an
attack on a system. The objective is to gain access into the system and
the data within the system. There are two primary objectives that, if
compromised, can cause the highest impact – confidentiality and
availability.
• Information is either stored or communicated. When communicated,
there are two parties involved (a source and a destination) and the
communication happens via a communications medium (a note, a letter,
a file on disk or in memory, an email, a file download, etc.). The objective
is to preserve the confidentiality and therefore the integrity and
availability of the information. At all times, availability implies the
‘availability of data in its original and intended form’.
• The only way to get information is to access it. Accessing it when it
is stored requires access to the system where it is held. Accessing
when it is being communicated (in transit) requires access to the
communications medium, which could be a wired or wireless
network.
• Malicious actors who intend to get to the information compromise
either the authentication mechanism or the access control
mechanism to access the system or overhear the information in
transit across the network.
• Following this, malicious actors tend to make a copy of the
information or change the information content to their advantage.
It should be noted that, in some cases, just accessing part of a
message isn’t helpful unless the attacker can also understand the
context in which the information is being exchanged.
• Attack vectors are generally classified by how the attacker targets
the system to compromise it. An attack vector indicates how a
threat actor gains unauthorized access to a victim system and
compromises the security of data.
3.1 Interception
• Interception is the act of preventing someone or
something from reaching the intended destination in
an uncompromised manner.
• In the context of real-world systems, interception
happens when information is in transit across a wired
or wireless network (packet-sniffing).
• Malicious actors attempt to retrieve information and
piece it together to reconstruct the information
transfer between the two parties.
• Confidentiality requires that only users who are
authorized to access data can read it.
Figure 2.6 Interception attack vector
• In most breaches of confidentiality, the intent of the
attacker is to access the personal information (e.g.,
name, address, bank details, card number, PIN) of
users who are registered to various online services.
3.2 Modification
• An interception is often a precursor to
modification. An attacker can intercept data,
modify it and put it back (Figure 2.7). The
recipient of that data will obviously miss the
original message or see two different messages.
• Effectively, there is an integrity breach as a result
of modifying the data. Typically, the attacker’s
intent is to send a wrong message to the receiver
as a means of breaching other security
objectives.
Figure 2.7 Modification attack vector
• In the context of a system, an integrity breach
results in wrong data and that, in turn, can affect
all other processes that use the data.
3.3 Interruption
• In the context of information security, an
interruption would occur if the communication
between a sender and a receiver is
deliberately stopped by an attacker, resulting
in the two parties being unable to
communicate (Figure 2.8).
• Interruptions are caused by attacks on the
communications infrastructure (network) or on
individual units of the system, such as servers
or applications running on the servers.
• The availability of the system ensures the
availability of the data stored on it. Similarly,
the availability of communications services
ensures that components of a system can have
access to data that is stored remotely.
Figure 2.8 Interruption attack vector
3.4 Replay
• An attacker first intercepts data and then
communicates a copy of the same data, without
any modification, to the sender or the recipient
after a delay (Figure 2.9). The intent is to solicit a
response from the receiver that may contain
information of interest to the attacker, such as
an encryption key.
• A man-in-the-middle (MITM) attack might use a
replay attack vector, as well as a modification
attack vector.
Figure 2.9 Replay attack vector
• A replay attack vector compromises
confidentiality, which in turn can lead to a
breach of integrity, availability, authentication
and non-repudiation.
3.5 Fabrication
• Fabrication means fabricating a message or
data. This attack vector is an extension of the
replay attack vector.
• The attacker fabricates a message and sends it
to the receiver. The fabricated message is often
based on observing message exchanges over an
extended period of time. In a sense, the
attacker mimics a sender (Figure 2.10).
• Fabrication is used to solicit responses from the
recipient and extract information that is of
interest to the attacker. It can be used to breach
one of the five security objectives –
confidentiality, integrity, availability,
authentication and non-repudiation.
Figure 2.10 Fabrication attack vector
3.6 Breaching of security objectives

Activity 2.4 Exploring breaches of security objectives (CLMS)


3.7 Network communications
4 What makes a system secure?
• Protecting the whole system, comprising applications, host devices and networking
components, together with people and processes.
• One of the key challenges in securing systems is that in most cases an attacker only
needs to succeed once but the defenders of the system need to successfully prevent
every attack.
• To do this, defenders can adopt strategies like having multiple defensive layers, one at
each layer of the system. This approach is called defense in depth.
• For example, technologies like firewalls and cryptographic protection of communications
can protect the network layer of the system from the attack vectors we considered
earlier.
• Cryptography can also be used at the application and host layers of the system to meet
confidentiality and integrity objectives.
• Across all layers, techniques like logging, multi-factor authentication and access control
mechanisms can be used to ensure authenticity, accounting and non-repudiation
objectives are met.
• Each component (hardware, operating system,
applications) has to be secured in order to achieve
complete system security.
• Systems security comprises the set of controls and
protection measures taken to ensure its information
infrastructure (networks, computers, servers, etc.) and
resources (power supply, maintenance, etc.) are safe
from interference, malicious intrusions or being shut
down.
• In practice, we must consider the complexity,
performance and, ultimately, financial cost associated
with implementing security controls on each
component, and weigh this against the impact and
likelihood of a successful attack on the system (i.e., the
risk).
• Consideration of these aspects as well as those
applicable to a larger system forms the focus of a series
of information systems security standards known as the
ISO/IEC 27000 series of standards.
5 The ISO 27000 information security
standards
• The ISO 27000 series of international standards from the International
Organisation for Standardization (ISO) provides guidelines for what are
termed Information Security Management Systems (ISMSs). The series is
formally called ISO/IEC 27000:2018. The year denotes the latest version of
the standards.
• The ISO 27000 series evolved from British Standard 7799, which was
originally published in three parts, addressing three domains of security
implementation:
1. Best Practices of Information Security
2. Information Security Management Systems – Specification and Guidance for Use
3. Risk Analysis and Management
• Conforming to these standards demonstrates that an organisation meets a
level of information security maturity.
5.1 What does the ISO 27000 series address
• The standards provide recommendations to establish, implement, operate,
monitor, maintain, review and improve an ISMS implementation by
addressing the following functions:
• risk assessment
• security policy
• asset management
• security of human resources
• physical and environmental security
• access control
• information system acquisition, development and maintenance
• information security incident management and response management
• business continuity management
• compliance.
5.2 Information security standards across industry sectors

Figure 2.12 ISO standards for specific industry sectors

• Network security and application security are also addressed separately, in ISO/IEC 27033 and 27034, respectively.
ISO/IEC 27035 addresses what happens when a security incident occurs and how to respond, with guidelines on
information security incident management and response management.
5.3 Benefits of ISO 27001 certification
• Implementing ISO 27001 helps businesses to:
• improve risk management
• provide a normalized interoperability between organizations, or groups within
organizations
• demonstrate good security practices resulting in a competitive advantage
• win business with companies in regulated sectors
• fulfil regulatory compliance (GDPR) and pre-requisites for large contracts
• establish market reputation for secure practices
• avoid financial losses and regulatory penalties arising from security breaches.
Summary
• In the first part of Block 2, you have explored what is meant by an information system and looked at how the different security
concepts you learned about in Block 1 can be applied to such systems. The Khan Kreatives example illustrated the different
elements that make up an information system and how systems security concepts apply in practice.
• You were also introduced to the NetLabs environment, which you will continue to use during the module to practice and develop
hands-on cyber security skills.
• The material covered this week also highlighted how cryptography is an important foundation of many systems security solutions.
The next three parts of this block will focus on the core principles of cryptography, its applications in different contexts and ways in
which it can be attacked.
• Block 2 will end with an exploration of operating systems security, including how authentication, authorization and accounting
capabilities are integrated into systems. In combination with the content on cryptography, this will give you a clear foundation on
which to build your understanding of network, host and application security, which will be covered in Block 3.
• The content of Block 2 is designed to provide you with well-rounded exposure to the foundational principles of systems security.
You will gain an understanding of the elements of systems security and how they come together to make a system secure.
• As you progress through the material, you will be required to access and digest different types of information relating to systems
security. The activities will further engage you by illustrating the core knowledge areas with examples, programming exercises,
short articles and industry opinions for your critical analysis and review. These should help prepare you for presenting your
arguments in your assignments as part of this module.
• Don’t forget to make use of your learning journal throughout this module. Recording your reflections, learning and discussions
with peers on the forums should help you to develop your understanding of key concepts and skills, and help you prepare for your
assessment.
Part 2 Principles of cryptography:
fundamentals and symmetric systems
1. Evolution of cryptography
2. Fundamentals of cryptography
3. Modern symmetric systems and standards
4. Initialization Vector
5. Substitution–permutation network
6. Applications of symmetric systems
7. Limitations of symmetric systems
8. Steganography
1 Evolution of cryptography
• The origins of cryptography date back to the ancient Egyptians and Romans.
• Substitution ciphers, where each character in a message is substituted by another, were prevalent during the Roman era
and evolved to include use of the Caesar cipher around 50 BC.
• Edward Hebern invented an electromechanical machine in which the encryption ‘key’ was embedded in a rotating disc
(1914).
• Arthur Scherbius, a German electrical engineer, invented the Enigma machine, which used multiple rotors (1918).
• Alan Turing was able to crack the Enigma (1940).
• Claude Shannon at AT&T provided the basis for modern cryptography with his work titled ‘The Mathematical theory of
cryptography’ (1940).
• Public key cryptography was developed in 1975, followed by a key exchange algorithm called Diffie-Hellman (DH) in 1976.
• The Data Encryption Standard (DES) protocol was formally used in banking in the USA in 1977, which also saw the
publication of the Rivest–Shamir–Adleman (RSA) algorithm.
• Code breaking and new, improved encryption standards continued apace and, in 2001, the DES was replaced by
the AES. Meanwhile, the Secure Hash Algorithm (SHA-1) was declared deprecated in 2011.
• The mathematical techniques of cryptography have also influenced cryptocurrencies such as ‘Bitcoin’.
• Quantum computing, while still in early stages of development, is seen as a major force of change in encryption
techniques.
1.1 Uses and vulnerabilities
• Cryptography is widely used in network communications including ordinary telephone,
mobile and satellite communications and, of course, on the internet itself.
• Cryptography is used in social media, cloud services, email and online streaming of video
and audio. It is also used to secure confidential data held in numerous government and
private databases.
• Cryptanalysis is used to detect vulnerabilities in established and proposed cryptographic
techniques.
• Vulnerabilities can range from something simple, such as a password that can be easily
guessed, to complex new mathematical techniques that make a previously safe method
vulnerable.
• Kerckhoffs's principle is the concept that a cryptographic system should be designed to
be secure, even if all its details, except for the key, are publicly known.
• Reverse engineering is a process in which software is deconstructed to extract design
information from it.
1.2 Principles of cryptography and the CIA
triangle, non-repudiation and authentication
1. Non-repudiation

2. Confidentiality

3. Integrity

4. Availability

5. Authentication - digital signatures and public key infrastructures


1.2.1 Non-repudiation
• Non-repudiation is a service that is used to provide assurance of the
integrity and origin of data in such a way that the integrity and origin can
be verified and validated by a third party as having originated from a
specific entity in possession of the private key (i.e., the signatory).
• Non-repudiation can be provided through the careful use of different
encryption algorithms, together with digital signatures and certificates.
• Non-repudiation can be applied both to the sender of a message (so that
they can’t deny that they sent it) and also to the receiver (so that they can’t
deny that they have received it) – like signing for a parcel on delivery.
1.2.2 Confidentiality
• If I want to send some printed legal documents that I don’t want
anyone else to see to a friend overseas, I could do one of the
following:
• I could lock them in a secure box using a padlock to which my friend and I
each have a key (this is analogous to using a symmetric cryptographic
algorithm). As long as the padlock is not broken, I can be reasonably confident
that the documents will remain confidential. My confidence is in the
robustness of the padlock and the fact that the keys are secure.
• I could use a padlock that my friend had previously sent me. In this case, they
alone have the key to the padlock. This is like using asymmetric cryptography.
• There are different encryption methods and different types of ‘key’
that are used to encrypt digital information.
1.2.3 Integrity
• Guarding against improper information
modification or destruction and includes
ensuring information non-repudiation
and authenticity.
• In electronic transmission of data, it is
important that the recipient knows that
the message they have just received has
not been tampered with.
• Cryptography can be used to ensure that
a message’s integrity can be trusted.
Methods include the use of a hash and
the use of a digital signature.
1.2.4 Availability

• Ensuring timely and reliable access to and use of information.

• Availability of the document could be affected by inadequate or
poor cryptographic methods.

• Losing a key also leads to a loss of availability.


1.2.5 Authentication – digital signatures and
public key infrastructures
• Authentication is the process of verifying the identity of a user, process, or device, often as a
prerequisite to allowing access to resources in an information system.
• Asymmetric cryptography provides the additional property of allowing for authentication. This
encryption method relies on a linked key pair – the private and the public key.
• A digital signature is a way in which:
• the sender of a message, Bob, for example, can self-authenticate the message.
• The receiver, Alice, can have confidence that the message has come from the sender and not from an imposter.
• One way of doing that is by sending a hash of the message, either by a separate channel from the message or else
encrypted in some way.
• Bob could use his private key to sign the hash.
• Alice could then obtain Bob’s public key and use it to decrypt the hash.
• By comparing this with a freshly generated hash, Alice can be certain that the message came from Bob and has
not been tampered with.
• A digital signature, digital certificate and public key can be used to guarantee that Bob is the
originator of a message or the author of a piece of information. However, Alice needs to trust that
the digital signature or certificate is genuine or that the public key really does belong to Bob.
Example – Man-in-the-middle attack
Suppose that Alice wants to send a confidential document
to Bob. She rings Bob and asks him to send her his public
key. A few minutes later she receives an email from Bob
that contains his public key. However, Alice is concerned
that someone might be eavesdropping, let’s call her Eve,
and might carry out a man-in-the-middle (MITM) attack to
intercept Bob’s email (Figure 2.14). If Eve is successful in
this attempt, she may then swap Bob’s key with her own
public key. If Alice sends the encrypted document to Bob,
how can she be sure that Eve can’t intercept it and use
her private key to decrypt the document? (Remember
that Eve has fraudulently sent Alice her public key
claiming to be Bob, so the message that Alice sends is
encrypted with Eve’s public key but decrypted with Eve’s
private key.) Alice needs someone who she believes in to
verify that the key is indeed Bob’s key. There is, therefore,
a problem of trust.
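The sign-the-hash procedure from 1.2.5 and the key-substitution problem from this example, as an added sketch that is not part of the original slides. It uses unpadded textbook RSA built from fixed Mersenne primes purely for illustration; the key pairs, messages and the `fingerprint` helper are assumptions, and real systems use a vetted library with a padded scheme.

```python
import hashlib

E = 65537  # widely used RSA public exponent


def make_keypair(p: int, q: int):
    """Build a toy RSA key pair from two primes (illustration only)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent: inverse of E mod phi(n)
    return (n, E), (n, d)


def digest_int(message: bytes, n: int) -> int:
    """SHA-256 of the message as an integer, reduced so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Bob's step: transform the hash with the private key."""
    n, d = private_key
    return pow(digest_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Alice's step: recover the hash with the public key, compare to a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message, n)


def fingerprint(public_key) -> str:
    """Short value Alice can confirm with Bob over a second channel (hypothetical helper)."""
    n, e = public_key
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]


# Constructed key pairs; the primes are far too small and too well known for real use.
BOB_PUBLIC, BOB_PRIVATE = make_keypair(2**89 - 1, 2**107 - 1)
EVE_PUBLIC, EVE_PRIVATE = make_keypair(2**61 - 1, 2**127 - 1)


def demo() -> dict:
    message = b"Contract v1: pay Bob 100"            # constructed sample message
    signature = sign(message, BOB_PRIVATE)
    results = {
        "genuine_verifies": verify(message, signature, BOB_PUBLIC),
        "tampered_verifies": verify(b"Contract v1: pay Bob 900", signature, BOB_PUBLIC),
    }
    # Key substitution: the key in the email is Eve's, although it claims to be Bob's.
    key_alice_received = EVE_PUBLIC
    eve_message = b"Contract v1: pay Eve 100"
    eve_signature = sign(eve_message, EVE_PRIVATE)
    # The signature checks out, but only against the key Alice happens to hold.
    results["substituted_key_verifies"] = verify(eve_message, eve_signature, key_alice_received)
    # Comparing the fingerprint with the one Bob reads out by phone exposes the swap.
    results["fingerprint_matches_bob"] = fingerprint(key_alice_received) == fingerprint(BOB_PUBLIC)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A valid signature only proves possession of the private key that matches the public key being used, which is why the key itself has to be vouched for.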
1.2.5 Authentication – digital signatures and
public key infrastructures
• There are two main methods to provide public trust in key
distribution:
1. The first is to have a well-known and trusted central agency that will vouch
for the information.
2. The second method of establishing trust is through a concept known as a
web of trust.
• Activity 2.6 The web of trust (CLMS)
2 Fundamentals of cryptography
• Plaintext is unencrypted information that can be read directly by humans or a machine.
• Ciphertext is encrypted information.
• A cipher or cryptographic algorithm is the mathematics responsible for turning plaintext into
ciphertext and reverting ciphertext to plaintext.
• Encryption is the process of converting plaintext to ciphertext.
• Decryption is the process of reverting ciphertext to plaintext.
• A cryptographic key is a value that is used to control the output from an encryption (or decryption)
process for a given plaintext. A key is a string of bits and is of a specific size, depending on the cipher.
• An encryption key is a type of cryptographic key and is a piece of information used in combination
with an algorithm (a ‘cipher’) to transform plaintext into ciphertext. (A decryption key would be used
to reverse the process.)
• Symmetric cryptography is a cryptographic scheme in which both the encryption and decryption
processes use the same cryptographic key.
• Asymmetric cryptography is a cryptographic scheme in which the encryption and decryption
processes use different cryptographic keys.
2.1 Encryption and decryption using ROT13
• The ROT13 algorithm is a substitution cipher because it
replaces every letter in a message with the letter that is 13
letters higher in the alphabet. If the count requires the letter to
be ‘above’ the letter ‘z’, the algorithm starts at the beginning
again with ‘a’. Figure 2.15 shows an algorithm for encrypting a
plaintext input into ciphertext using ROT13 encryption.
• ROT13 is a variation of the Caesar cipher (which traditionally
used 3 as the key).
• It is used in some places in Microsoft Windows Registry keys.
Figure 2.16 The ROT system of encryption

Figure 2.15 Algorithm for ROT13 encryption
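The wrap-around substitution described above, as an added example that is not part of the original slides. It generalises ROT13 to a Caesar shift with any key and lists every possible key to show how small the key space is; the function names and sample strings are assumptions.

```python
import string

ALPHABET_SIZE = 26


def caesar(text: str, key: int) -> str:
    """Shift each ASCII letter `key` places, wrapping past 'z' back to 'a'."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            base = ord("a")
        elif ch in string.ascii_uppercase:
            base = ord("A")
        else:
            out.append(ch)  # digits, spaces and punctuation pass through unchanged
            continue
        out.append(chr(base + (ord(ch) - base + key) % ALPHABET_SIZE))
    return "".join(out)


def caesar_decrypt(text: str, key: int) -> str:
    """Decryption is the same shift in the opposite direction."""
    return caesar(text, -key)


def rot13(text: str) -> str:
    """ROT13 is the Caesar cipher with key 13; 13 + 13 = 26, so it undoes itself."""
    return caesar(text, 13)


def all_shifts(ciphertext: str) -> dict:
    """Every possible decryption. With only 26 keys, the key adds no real secrecy."""
    return {key: caesar_decrypt(ciphertext, key) for key in range(ALPHABET_SIZE)}


if __name__ == "__main__":
    secret = rot13("Hello, World!")           # constructed sample plaintext
    print(secret)                              # ciphertext
    print(rot13(secret))                       # applying ROT13 again restores it
    print(caesar("abc xyz", 3))                # traditional Caesar key of 3
    for key, guess in all_shifts(secret).items():
        print(key, guess)                      # one of the 26 lines is the plaintext
```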


2.2 Base64 encoding
• Base64 is a group of binary-to-text encoding techniques that represent binary data as
sequences of four 6-bit values (24 bits).
• It is widely used for encoding email attachments due to the way that Simple Mail Transport
Protocol (SMTP) developed.
• Base64 is used as a step in some encryption schemes.
• It is also used as part of Hypertext Transfer Protocol (HTTP) authentication, to encode
non-HTTP-compatible characters that may be in the user’s name or password.
• For example, the word ‘Cat’ consists of three characters that in ASCII binary are 0100 0011, 0110
0001 and 0111 0100. The algorithm concatenates these and splits the result into groups of six bits
as shown in this table:
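The same grouping computed in code, as an added example that is not part of the original slides. It encodes ‘Cat’ step by step, handles inputs that do not fill a 24-bit group, and decodes a constructed HTTP Basic header to show that Base64 needs no key to reverse; the credentials and function names are assumptions.

```python
B64_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789+/"
)


def six_bit_groups(data: bytes) -> list:
    """Concatenate the 8-bit values and split the result into groups of six bits."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % 6)          # zero-fill the final, incomplete group
    return [bits[i:i + 6] for i in range(0, len(bits), 6)]


def b64_encode(data: bytes) -> str:
    """Map each 6-bit group to a character; pad with '=' to a multiple of four."""
    encoded = "".join(B64_ALPHABET[int(group, 2)] for group in six_bit_groups(data))
    return encoded + "=" * (-len(encoded) % 4)


def b64_decode(text: str) -> bytes:
    """Reverse the mapping. No key is involved, so anyone can do this."""
    bits = "".join(f"{B64_ALPHABET.index(ch):06b}" for ch in text.rstrip("="))
    usable = len(bits) - len(bits) % 8      # drop the zero-fill bits
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def decode_basic_auth(header_value: str) -> tuple:
    """Recover (user, password) from the value of an HTTP 'Authorization: Basic' header."""
    _scheme, _, token = header_value.partition(" ")
    user, _, password = b64_decode(token).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    for group in six_bit_groups(b"Cat"):
        print(group, int(group, 2), B64_ALPHABET[int(group, 2)])
    print(b64_encode(b"Cat"), b64_encode(b"Ca"), b64_encode(b"C"))
    # Constructed credentials: Base64 hides nothing from anyone who sees the header.
    header = "Basic " + b64_encode(b"alice:wonderland")
    print(header, decode_basic_auth(header))
```

Because the encoding is reversible without any secret, Basic authentication depends on the transport (for example TLS) for confidentiality.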
2.3 Hashing

Figure 2.17 The hash algorithm

• The process of using a mathematical algorithm against data to produce a numeric
value that is representative of that data. (NIST)
• The output of the hash function should depend uniquely on the data; any slight
change in the data should produce a completely different hash. Furthermore, it
should not be possible to reconstruct the data from the hash.
• Since a hash has a fixed length that is smaller than the original data, it is possible
that two different sets of data produce an identical hash. This is known as a hash
collision and can lead to problems.
• Activity 2.9 NetLabs – Hashing things out (CLMS).
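The three hash properties listed above, as an added example that is not part of the original slides. It uses SHA-256 from the Python standard library; the sample messages are constructed, and the hash is deliberately truncated to two bytes so that a collision appears quickly.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Fixed-length output: always 64 hex characters, whatever the input size."""
    return hashlib.sha256(data).hexdigest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Count how many of the 256 output bits differ between two inputs."""
    da = hashlib.sha256(a).digest()
    db = hashlib.sha256(b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


def truncated_hash(data: bytes, n_bytes: int = 2) -> bytes:
    """A deliberately short hash: only 2**(8 * n_bytes) possible values."""
    return hashlib.sha256(data).digest()[:n_bytes]


def find_collision(n_bytes: int = 2):
    """Hash constructed messages until two different ones share a truncated hash.

    With a 16-bit output a repeat is certain within 65,537 messages and is
    expected after a few hundred.
    """
    seen = {}
    counter = 0
    while True:
        message = f"message-{counter}".encode()
        tag = truncated_hash(message, n_bytes)
        if tag in seen:
            return seen[tag], message, counter + 1
        seen[tag] = message
        counter += 1


if __name__ == "__main__":
    print(sha256_hex(b"abc"))
    print(len(sha256_hex(b"x" * 1_000_000)))              # still 64 characters
    print(differing_bits(b"pay 100", b"pay 101"))         # roughly half of 256 bits
    first, second, tries = find_collision()
    print(first, second, tries, truncated_hash(first).hex())
```

The full 256-bit output makes the same search infeasible in practice, which is why output length matters when choosing a hash.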
3 Modern symmetric systems and standards
• Ciphers can be categorized into two types: ‘block’ and ‘stream’.
1. A block cipher divides the plaintext into fixed lengths of bits; examples are 3DES and AES.
2. A stream cipher encrypts one bit or one byte at a time. Stream ciphers are faster than
block ciphers and, in general, more efficient for streaming video or audio; examples are
Rivest Cipher 4 (RC4) and Software-optimized Encryption Algorithm (SEAL).
• Digital Encryption Standard (DES): It uses a key of fifty-four bits to encode any
number between 0 and 254.
• 3DES is an implementation of the DES algorithm that uses three passes of the DES
algorithm instead of one as used in ordinary DES applications. It provides much
stronger encryption than DES.
• Advanced Encryption Standard (AES) is another block cipher and is one of the
most secure symmetric systems. Like 3DES, the protocol is open; the protection of
data lies in both the mathematics and the preservation of the secret key, which can
be 128, 192 or 256 bits.
• Software-Optimized Encryption Algorithm (SEAL) is a stream cipher and can
optionally be used in IPsec as part of, for example, a virtual private network system.
• The Blowfish system was designed by Bruce Schneier in 1993 and uses a 64-bit
block size with a variable-length key (up to 256 bits). Another system, Twofish, is
derived from it. Twofish has a larger, 128-bit block size.
• In the Rivest Cipher (RC) series, RC4 is a stream cipher with a variable-length key up
to 2048 bits. It was used in WPA on Wi-Fi networks but is no longer considered
secure. RC5 and RC6 are both block ciphers.
• Salsa20 and ChaCha20 are stream cipher families that were developed by Daniel
Bernstein in 2005 and 2008 respectively. ChaCha20, along with another encryption
method created by Bernstein known as Poly1305, is used by Google in an
application of Transport Layer Security (TLS) (i.e., used in websites whose address
starts ‘https’).
4 Initialization Vector in Block Cipher

Figure 2.18 The block cipher

• A binary vector used as the input to initialize the algorithm for the
encryption of a plaintext block sequence to increase security by
introducing additional cryptographic variance and to synchronize
cryptographic equipment. (NIST)
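The "additional cryptographic variance" in the definition above is easiest to see by encrypting the same message twice. This is an added example, not part of the original slides: the block cipher is a toy Feistel construction built for the demo (not DES or AES), cipher block chaining is assumed as one common way an IV is used, and the key and message are constructed.

```python
import hashlib
import os

BLOCK = 16  # block size in bytes

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    # Round function of the toy cipher: keyed SHA-256, truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def encrypt_block(block: bytes, key: bytes, rounds: int = 4) -> bytes:
    """Toy 4-round Feistel cipher. For illustration only, NOT a real cipher."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(rounds):
        left, right = right, _xor(left, _f(right, key, rnd))
    return left + right

def decrypt_block(block: bytes, key: bytes, rounds: int = 4) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(rounds)):
        left, right = _xor(right, _f(left, key, rnd)), left
    return left + right

def cbc_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    """XOR each block with the previous ciphertext block (the IV first), then encrypt."""
    if len(plaintext) % BLOCK or len(iv) != BLOCK:
        raise ValueError("plaintext must be whole blocks and the IV one block")
    prev, out = iv, b""
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(_xor(plaintext[i:i + BLOCK], prev), key)
        out += prev
    return out

def cbc_decrypt(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += _xor(decrypt_block(block, key), prev)
        prev = block
    return out

if __name__ == "__main__":
    key, msg = b"constructed-demo-key", b"TRANSFER 0100 GBP TO ACCT 000042"
    reused = cbc_encrypt(msg, key, bytes(BLOCK)) == cbc_encrypt(msg, key, bytes(BLOCK))
    fresh = cbc_encrypt(msg, key, os.urandom(BLOCK)) == cbc_encrypt(msg, key, os.urandom(BLOCK))
    print("same ciphertext with a reused IV:", reused, "| with fresh IVs:", fresh)
```

With a reused IV an observer can tell that the same message was sent twice without knowing the key; a fresh IV per message removes that signal, and the receiver needs the same IV to decrypt.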
4.1 Random number generation
• Computers can generate numbers that appear to be random quite easily.
These numbers can be used in simulations and for some games and are
known as pseudo-random numbers.
• They usually rely on a number, called the ‘seed’, to start them and then
produce a string of numbers that eventually repeat. If the seed and the
algorithm are known, the numbers can be predicted.
• Pseudo-random number algorithms can be seeded by some environmental
input, such as the last digits of an internal clock or even a capture of some
aspect of the user’s mouse movements.
• A truly random number relies on an external random event. Hardware
random number generators generate values using random natural
phenomena such as electronic noise in circuits or the random radio noise
generated in the Earth’s upper atmosphere.
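The two weaknesses named above (the sequence eventually repeats, and it can be predicted once the seed and algorithm are known) are shown below with a small linear congruential generator. This is an added example, not part of the original slides; the `LCG` class, its constants and the seed value 742 are constructed for illustration, and Python's `secrets` module stands in for a source suitable for keys and IVs.

```python
import secrets

class LCG:
    """Linear congruential generator: state -> (a * state + c) mod m."""
    def __init__(self, seed: int, a: int = 1103515245, c: int = 12345, m: int = 2**31):
        self.a, self.c, self.m = a, c, m
        self.state = seed % m

    def next(self) -> int:
        self.state = (self.a * self.state + self.c) % self.m
        return self.state

def steps_until_repeat(gen: LCG) -> int:
    """Run the generator until it returns to a state it has already been in."""
    seen = set()
    while gen.state not in seen:
        seen.add(gen.state)
        gen.next()
    return len(seen)

def outputs(seed: int, n: int = 4) -> list:
    gen = LCG(seed)
    return [gen.next() for _ in range(n)]

def seed_matching(observed, candidate_seeds):
    """Return the candidate seed that reproduces the observed outputs, if any.

    A seed taken from 'the last digits of an internal clock' has very few
    possible values, so every one of them can be tried.
    """
    for seed in candidate_seeds:
        if outputs(seed, len(observed)) == observed:
            return seed
    return None

def fresh_key(nbytes: int = 16) -> bytes:
    """For keys and IVs, draw from the operating system's secure generator."""
    return secrets.token_bytes(nbytes)

if __name__ == "__main__":
    print("tiny generator repeats after", steps_until_repeat(LCG(7, a=5, c=3, m=16)), "values")
    observed = outputs(742)  # constructed seed: last three digits of a clock
    print("same seed, same numbers:", outputs(742) == observed)
    print("seed found by trying 000-999:", seed_matching(observed, range(1000)))
    print("key from the OS generator:", fresh_key().hex())
```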
5 Substitution–permutation network
6 Applications of symmetric systems

• chip and PIN bank cards

• transmission of data on the internet

• WPA2 (Wi-Fi)

• Internet Protocol Security (IPsec)

• Transport Layer Security (TLS).


6.1 Transmission of data
• All other applications of symmetric encryption algorithms involve the
transmission and receipt of data across a physical medium.
• Symmetric encryption is commonly employed to help keep messages
private as they traverse the internet.
• Symmetric encryption and decryption can be carried out relatively
quickly on common computer processors, without slowing them down
or taking up much processing power.
• There is a need for designers to consider security from the design
stage and there has been criticism that many Internet of Things (IoT)
devices did not have security built in.
6.2 Bulk data encryption – an example of hardening
• Security hardening refers to any method used to make it more difficult for an
attacker to succeed in stealing confidential information.
• One method for encrypting data is Microsoft’s BitLocker. This can be used to
protect the contents of a computer’s entire storage system, be it a hard drive or
solid-state drive. BitLocker encrypts the complete volume or partition of a drive.
• Other full disk encryption systems include FileVault, which is included in Mac
operating systems, and Linux Unified Key Setup (LUKS), a Linux specification. All
these are based on AES.
• The encryption and decryption must take place at speed, so that a user who has
been authenticated as a valid user is able to access all the software and data
needed without being aware of the cryptography running in the background.
6.3 Investigation of a modern encryption method
7 Limitations of symmetric systems
• Symmetric systems rely on the ability of the sender and receiver to keep a
key secret. As you have seen, the protocol used in the exchange of data
can, and should, be public, so that its effectiveness can be analyzed
independently. But any key used must be secret. This leads to three major
limitations of symmetric keys:
• Limitation due to susceptibility to Brute-Force Attack (BFA)
• Limitation due to the key distribution problem
• Limitation due to the multiple key problem
8 Steganography
• Steganography is the study of hiding information inside other
information, which could be text documents, but in the digital age is
typically image or audio files. The information is often encrypted and
can only be retrieved from the cover file with the use of a password.
• A typical steganography program, Steghide for example, works by
compressing and encrypting the secret information and then
manipulating pixels or audio samples in a way determined by a
pseudo-random number that has been seeded by the pass phrase.
• Steganography can be used to counter plagiarism and copyright theft.
Recording studios and production companies embed information into
their files to help track them or to record copyright tags (Null Byte, 2018).
Summary
• This week we reviewed basic cryptographic topics, and we also
looked at the principles of the CIA Triangle, non-repudiation and authentication in
the context of cryptography.
• In the context of using cryptography for authentication, the use of web of trust
was contrasted with the work of certificate authorities. You also looked at
currently used symmetric cryptography systems including 3DES and AES.
• Initialization Vectors, and substitution–permutation networks were considered
along with the importance of random number generation.
• Finally, we looked at the limitations of symmetric systems before considering one
final application – steganography.
• The NetLabs activities provided an opportunity to gain some practical experience
of the different concepts covered. If you haven’t had a chance to complete them,
you should try and do so before moving on to Part 3 where you will continue to
explore cryptography, this time looking at asymmetric cryptography techniques.
References
• Backlund, A. (2000) ‘The definition of system’, Kybernetes, 29(4), pp. 444–451. doi:
10.1108/03684920010322055.
• Laudon, J.P. and Laudon, K. (2013) Management information systems: managing the digital firm.
Available at: https://pmt-
eu.hosted.exlibrisgroup.com/permalink/f/gvehrt/TN_cdi_askewsholts_vlebooks_9780273790327
(Accessed: 30 November 2021).
• Schwab, K. (2016) The Fourth Industrial Revolution: what it means, how to respond. Available at:
https://www.weforum.org/agenda/2016/01/the-fourth-industrial-revolution-what-it-means-and-
how-to-respond/ (Accessed: 30 November 2021).
• Valacich, J. and Schneider, C. (2013) Information systems today: managing in the digital world.
Available at: https://pmt-
eu.hosted.exlibrisgroup.com/permalink/f/gvehrt/TN_cdi_askewsholts_vlebooks_9781292000015
(Accessed: 30 November 2021).
• Wang, E.K., Ye, Y., Xu, X., Yiu, S.M., Hui, L.C.K. and Chow, K.P. (2010) ‘Security issues and challenges
for cyber physical system’, 2010 IEEE/ACM International conference on green computing and
communications (GreenCom), and International conference on cyber, physical and social
computing (CPSCom), pp. 733–738.

You might also like