Lecture 2

Uploaded by sobia.shafique

Data Security and Encryption
Lecture # 2
By: Engr. Sundas Hanif
An Introduction
Threats and C – I – A

• Threats can apply to the confidentiality, integrity,
or availability (C – I – A) of a system
• Confidentiality: the ability of a system to ensure
that assets are viewable only by authorized parties
• Integrity: the ability of a system to ensure that
assets are modifiable only by authorized parties
• Availability: the ability of a system to ensure that
assets are usable by and accessible to all
authorized parties
Additional Pillars of Data Security
• Aside from C – I – A, the following are also desirable
system properties:
• Authentication: the ability of a system to
confirm the identity of a sender
• Nonrepudiation: the ability of a system to
confirm that the sender cannot convincingly
deny sending a message
• Auditability: the ability of a system to trace all
actions related to a given asset – to trace back,
who did what and when!
Harmful Acts
• Harm to information systems can be effected in
four different ways:
• disclosure, or unauthorized access to
information;
• deception, or acceptance of false data;
• disruption, or interruption or prevention of
correct operation;
• usurpation, or unauthorized control of some
part of a system.
• Each of these four acts can cause harm to a
Confidentiality
• Use the “need to know” basis for data
access
• How do we know who needs what data?
• Access control specifies who can access
what
• How do we know a user is the person they
claim to be?
• Need to verify their identity
• Identification and authentication
Cont.
• Identification: Process of proving who they are
• Authentication: Process of proving that something is
genuine, true or authentic
• In real world information systems, authentication is
used rather than identification
• Similarly, access to physical assets should be granted
only on a “need” basis
• Example: access to a computer room or a desktop
• Confidentiality is difficult to ensure
Integrity
• Integrity vs confidentiality
• Integrity is concerned with preventing
unauthorized modification to assets
• Confidentiality is concerned with access to assets
• Integrity is more difficult to measure as it includes
• Data integrity
• Origin integrity
• Example: The information is printed as received
(preserving data integrity), but its source is
incorrect (corrupting origin integrity)
Availability
• Availability refers to the ability to use the
information or resource desired
• An unavailable system is at least as bad as no
system at all
• The aspect of availability that is relevant to
security is that someone may deliberately
arrange to deny access to data or to a service by
making it unavailable
Threats To Information System
Policy and Mechanism
• A security policy is a statement of what is, and
what is not, allowed
• A security mechanism is a method, tool, or
procedure for enforcing a security policy
Cryptography
What is Cryptography?
• It is the science and study of secret writing
• A cipher is a secret method of writing, in which
plaintext (or cleartext) is transformed into ciphertext
(sometimes called a cryptogram)
• The process of transforming plaintext into
ciphertext is called encipherment or encryption
• The reverse process of transforming ciphertext into
plaintext is called decipherment or decryption
• Both encipherment and decipherment are
controlled by a cryptographic key or keys
Types of Ciphers
• There are two basic types of ciphers
• Transposition
• Substitution
Transposition Ciphers
• Rearranges bits or characters in the data
• First, the plaintext is written into the figure according
to some "write-in" path
• Second, the ciphertext is taken off the figure according
to some "take-off" path
• The key consists of the figure together with the write-in
and take-off paths
• For example, with a "rail-fence" cipher, the letters of a
plaintext message are written down in a pattern
resembling a rail fence, and then removed by rows
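The rail-fence write-in and take-off paths described above, as an added example that is not part of the original lecture. It assumes the usual zigzag write-in path; the function names and the sample plaintext are chosen for this example.

```python
def rail_pattern(length, depth):
    """Rail index (0 = top row) of each position along the zigzag write-in path."""
    if depth < 1:
        raise ValueError("depth must be at least 1")
    if depth == 1:
        return [0] * length          # a single rail: nothing is rearranged
    period = 2 * (depth - 1)         # one full down-and-up sweep of the zigzag
    return [min(i % period, period - i % period) for i in range(length)]


def encrypt(plaintext, depth):
    """Write the plaintext along the zigzag, then take it off row by row."""
    rails = rail_pattern(len(plaintext), depth)
    return "".join(
        ch for row in range(depth)
        for ch, rail in zip(plaintext, rails) if rail == row
    )


def decrypt(ciphertext, depth):
    """Rebuild the zigzag and put each ciphertext letter back in its position."""
    rails = rail_pattern(len(ciphertext), depth)
    # Plaintext positions in take-off order: all of rail 0, then rail 1, ...
    # sorted() is stable, so positions on the same rail stay left to right.
    take_off_order = sorted(range(len(ciphertext)), key=lambda i: rails[i])
    plain = [""] * len(ciphertext)
    for ch, position in zip(ciphertext, take_off_order):
        plain[position] = ch
    return "".join(plain)


# Sample plaintext chosen for this example (not one of the lecture's exercises).
SAMPLE = "WEAREDISCOVEREDFLEEATONCE"

if __name__ == "__main__":
    for depth in (2, 3, 4):
        ct = encrypt(SAMPLE, depth)
        print(depth, ct, decrypt(ct, depth) == SAMPLE)
```

The only secret here is the depth, so the key space is no larger than the message length.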
Decryption
• Decrypt this – Rail Fence of depth 3
• MMTHGRETEFETEOAATEARTPY
• IOEUDSALVKRITN
• IWTKGAAAEHNSOOMKATD
Assignment 1
• Submit handwritten assignment by
March 5, 2018
• Total marks = 10
• How to fail in this assignment?
• Copy it from someone
• Give your assignment to someone
Write a note on the following:

• Snooping
• Wiretapping – Active and passive
• Modification
• Masquerading/ Spoofing
• Delegation
• Denial of receipt
• Delay
• Denial of service
