1

SECURITY IN
COMPUTING,
FIFTH EDITION
Topic 2: Symmetric Key Cryptography

Chapter 2: Toolbox: Authentication, Access

Control, and Cryptography

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 2

Objectives for
Topic 2
• Survey authentication mechanisms
• List available access control implementation options
• Explain the problems encryption is designed to solve
• Public Key (Symmetric) Cryptography
• Understand the various categories of encryption tools
as well as the strengths, weaknesses, and applications
of each
• Learn about certificates and certificate authorities
 3

C-I-A Triad Review

• Confidentiality: PII
and Encryption
• Integrity: Digital
Certificates
• Availability:
Mirrors Servers
• Sometimes two
other desirable
characteristics:
• Authentication
• Nonrepudiation
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 CIA and Non-Repudiation

• Repudiation: an illicit attempt to deny sending or receiving a

transaction. Examples of transactions include:
• A user sending an e-mail message to another user
• Web session in which a purchase is made
• A network host sending a series of port scans to a remote server
• Non-repudiation: the ability to prove that a transaction has, in fact,
occurred
• Non-repudiation is made possible through signatures (digital and
physical), as well as encryption and the logging of transactions
Authentication
• Authentication credentials can include:
• A user name and password
• Tokens, such as those created by token cards
• Digital certificates
• Summarizing the logon process
• Identification
• Authentication
• Authorization
• Access
 Authentication Methods
• Something You Know: Password, Pin
• Something You Have: Hardware Token
• Something You Are: Scan, Biometrics

• Single-factor
authentication
• Two (Dual) -factor
authentication
• Multifactor authentication
 7

Something You Know

• Passwords
• Security questions
• Attacks on “something you know”:
• Dictionary attacks
• Inferring likely passwords/answers
• Guessing
• Defeating concealment
• Exhaustive or brute-force attack: Defend with Bcrypt, which is a
password hashing function designed by Niels Provos and David
Mazières, based on the Blowfish cipher on OpenBSD Project
• Rainbow tables: a precomputed table for reversing cryptographic
hash functions, usually for brute force cracking password hashes
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 8

Distribution of Password Types

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 9

Password Storage

Plaintext Concealed

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 10

Tokens: Something You Have

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 11

Biometrics: Something You Are

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 12

Problems with Biometrics

• Intrusive
• Expensive
• Single point of failure
• Sampling error
• False readings
• Speed
• Forgery

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Single Sign-On (SSO) Authentication
• A single system (can be a set of servers) holds
authentication information
• When a user, host or process has a credential, it is said to
have a security context
 14

Access Control

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 Access Control Methods
• The three major access control
methods
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
• Role-Based Access Control (RBAC)
• You must understand the details of
each of these models, as well as how
they relate to operating systems that
you may administer
Discretionary Access Control (DAC)
• Users control access to resources (in other words,
objects) they own; at owners discretion
• Essential concepts
• Ownership
• Permissions
• Access control list (ACL)
• Capabilities
• Common permissions and inheritance
• DAC strengths and weaknesses
Mandatory Access Control (MAC)
• Systems that use Mandatory Access
Control (MAC) are not based on user
ownership of resources; ownership is
controlled by the operating system, not
the individual user
• Three essential MAC principles
• Access policy
• Label
• Access level
• Understanding access levels
Role-Based Access Control (RBAC)
• Operating systems and services
that use Role-Based Access
Control (RBAC) manage users
and services based on the
function of that user or service in
a particular organization
• Based on MAC
• RBAC and the health-care
industry
• Based on role: Doctor, Nurse,
Therapist etc
 21

Access Policies
• Goals:
• Check every access
• Enforce least privilege
• Verify acceptable usage
• Track users’ access
• Enforce at appropriate
granularity
• Use audit logging to track
accesses

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 22

Access Control List

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Cryptography/Cryptology
Access Control covers authorized access. How do we protect
against UNauthorized access
 24

Problems Addressed by Encryption

• Suppose a sender wants to send a message to a
recipient. An attacker may attempt to
• Block the message
• Intercept the message
• Modify the message
• Fabricate an authentic-looking alternate message

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 25

Encryption Terminology
• Sender
• Recipient
• Transmission medium
• Interceptor/intruder
• Encrypt, encode, or encipher
• Decrypt, decode, or decipher
• Cryptosystem
• Plaintext
• Ciphertext

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 November 1, 2004 Slide #8-26

Cryptography
• The word cryptography comes from two Greek words
meaning “secret writing” and
• It is the art and science of concealing meaning.
• Cryptanalysis is the breaking of codes.
• The basic component of cryptography is a
cryptosystem.

Introduction to Computer Security

©2004 Matt Bishop
 Cryptosystem
• Quintuple (E, D, M, K, C)
• M set of plaintexts
• K set of keys
• C set of ciphertexts
• E set of encryption functions e: M  K  C
• D set of decryption functions d: C  K  M
 November 1, 2004 Slide #8-28

Caesar Cipher
• Caesar cipher is the
widely known cipher in
which letters are shifted.
• For example, if the key is
3, the letter A becomes
D, B becomes E, and so
• forth, ending with Z
becoming C. So the word
“HELLO” is enciphered as
KHOOR.

Introduction to Computer Security

©2004 Matt Bishop
 Cryptosystem
• Quintuple (E, D, M, K, C)
• M set of plaintexts (hello)
• K set of keys (3)
• C set of ciphertexts (khoor)
• E set of encryption functions e: M  K  C (How
to get khoor)
• D set of decryption functions d: C  K  M (How
to get hello)
• 26 letters of the alphabet- how many
combinations?
• Permutation of 26 alphabits
• 26! (26 factorial) = 4.0329146e+26
 30

Symmetric vs. Asymmetric

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 Classical Cryptography
• Classical cryptosystems (also called single-key or
symmetric cryptosystems) are cryptosystems that
use the same key for encipherment and
decipherment.
• Sender, receiver share common key
• Keys may be the same, or trivial to derive from
one another
• Sometimes called symmetric cryptography
• Two basic types
• Transposition ciphers
• Substitution ciphers: Like Caesar Cypher
• Combinations are called product ciphers
 Transposition Cipher (TC)
• Rearrange letters in plaintext to produce ciphertext
• Example (Rail-Fence Cipher)
• The rail fence cipher is composed by writing the plaintext in two rows,
proceeding down, then across, and reading the ciphertext across, then
down.
• TC breaks the patterns in language
• Plaintext is HELLO WORLD
• Rearrange as
HLOOL
ELWRD
• Ciphertext is HLOOL ELWRD

LAB ASSIGNMENT:
Cryptography
 November 1, 2004 Slide #8-33

Atbash cypher (circa 500BC)

• Atbash Cypher is a simple substitution cipher for the
Hebrew alphabet. It consists in substituting aleph (the
first letter) for tav (the last), beth (the second) for shin
(one before last), and so on, reversing the alphabet

Introduction to Computer Security

©2004 Matt Bishop
 November 1, 2004 Slide #8-34

Polyalphabetic Cipher
Based on substitution, but used multiple substitution alphabets. Invented by
Leon Battista Alberti in 1467.Alberti would use a common Caesar cipher to
encrypt messages, but would switch alphabet keys, indicating switch by
capitalizing the first letter of the new alphabet.

Introduction to Computer Security

©2004 Matt Bishop
November 1, 2004 Slide #8-35

Vigènere Cipher
• Like Cæsar cipher, but use a phrase
• Because this requires several different key letters, this
type of cipher is called polyalphabetic.
• Example
• Message THE BOY HAS THE BALL
• Key VIG
• Encipher using Cæsar cipher for each letter:
key VIGVIGVIGVIGVIGV
plain THEBOYHASTHEBALL
cipher OPKWWECIYOPKWIRG

Introduction to Computer Security

©2004 Matt Bishop
 36

Encryption/Decryption Process

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 37

Air Force Cyber Space Command Center

(Search Cyber Space)

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 38

Stream Ciphers

In stream ciphers, each byte of the data stream is encrypted

separately. This is as opposed to block ciphers, which are
shown on the next slide.

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 39

Block Ciphers

Unlike a stream cipher, a block cipher

encrypts a group of plaintext symbols as
a single block. The pros and cons of
each model are discussed on the next
slide.

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 40

Stream vs. Block

Stream Block
Advantages  Speed of  High diff usion
transformation
 Immunity to
 Low error insertion of
propagation symbol

Disadvantages  Low diff usion  Slowness of

encryption
 Susceptibility to
malicious  Padding
insertions and
modifications  Error
propagation

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 41

DES: The Data Encryption Standard

• Symmetric block cipher
• Developed in 1976 by IBM for the US National Institute of
Standards and Technology (NIST)

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 42

Symmetric

Overview
DES
Invented by IBM
In 1976 became an official Federal Information
Processing Standard (FIPS) NIST
Effective key length 56-bit (Key used was 64 bit)
Double DES, Triple DES
 Controversy

• Considered too weak

• Diffie & Hellman [the first researchers
credited to have invented public key
cryptography] said in a few years
technology would allow DES 256
permutation would be broken in days (2
years was previous estimate)
• Design decisions not public
• S-boxes may have backdoors
November 1, 2004 Slide #8-44

The Downfall of DES

• Design for computer system, associated software
that could break any DES-enciphered message in a
few days published in 1998
• Several challenges to break DES messages solved
using distributed computing

Symmetric: Rise of the AES
NIST contest  the Second AES Conference
 the First AES Conference
August 20, 1998
15 candidate algorithms
• 5 US, 10 international
45
 March 22, 1999
 Technical Analysis
 Announcement of 5
finalists
• Mars, RC6, Rijndeal,
Serpent, and TwoFish
 the Third AES Conference
 April 13, 2000
 Winner: Rijndeal
November 1, 2004 Slide #8-46

And the winner is: Rijndael

• Rijndael (pronounced rain-dahl) is the block cipher
algorithm that has been selected by the U.S. National
Institute of Standards and Technology (NIST) as the
candidate for the Advanced Encryption Standard (AES).
• http://www.formaestudio.com/rijndaelinspector/archivos/
Rijndael_Animation_v4_eng.swf

Introduction to Computer Security

©2004 Matt Bishop
 47

DES vs. AES

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Symmetric: Rise of the AES
 49

The Serpent Algorithm

Second place
Designed by Ross Anderson, Eli
Biham and Lars Knudsen
Substitution-Permutation Network
• S-boxes: transform input bits into
output bits
• P-boxes: permute or transpose bits
across S-box inputs.
 50

The Serpent Algorithm

a block size of 128 bits
key length vary from 128 to 256 bits long
33 128-bit subkeys
32 rounds
The Serpent cipher is in the public domain and has not
been patented. There are no restrictions or
encumbrances whatsoever regarding its use. As a
result, anyone is free to incorporate Serpent in their
software (or hardware implementations) without paying
license fees.
 51

The TwoFish Algorithm

 In cryptography, Twofish is a symmetric key block cipher with a
block size of 128 bits and key sizes up to 256 bits. It was one of
the five finalists of the Advanced Encryption Standard contest, but
it was not selected for standardization. Twofish is related to the
earlier block cipher Blowfish, which is still one of the fastest
encryption protocols available.
 The TwoFish Algorithm
Designed by Bruce Schneier, John Kelsey,
Doug Whiting, David Wagner, Chris Hall,
and Niels Ferguson
block size 128 bits
128 to 256 bits key length
16 rounds
 52

Error Detecting Codes

• Demonstrates that a block of data has been modified
• Simple error detecting codes:
• Parity checks
• Cyclic redundancy checks (CRC)
• Cryptographic error detecting codes:
• One-way hash functions
• Cryptographic checksums
• Digital signatures
 53

One-Way Hash Function:

Message Digest (MD5)

An algorithm that turns messages or text

into a fixed string of digits, usually for
security or data management purposes.
The "one way" means that it's nearly
impossible to derive the original text
from the string.
A one-way hash function is used to
create digital signatures, which in turn
identify and authenticate the sender and
message of a digitally distributed
message.

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 54

Digital Signature

Digital Signature Lab in Topic 3

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 Cryptographic Checksums
• A checksum is a count of the number of bits in a transmission unit
that is included with the unit so that the receiver can check to see
whether the same number of bits arrived. If the counts match, it's
assumed that the complete transmission was received.
• Mathematical function to generate a set of k bits from a set of n
bits (where k ≤ n).
 56

Certificates: Trustable Identities and Public Keys

• A certificate is a public key

and an identity bound
together and signed by a
certificate authority (CA).
• A certificate authority is an
authority that users trust to
accurately verify identities
before generating
certificates that bind those
identities to keys.
 57

Cryptographic Tool Summary

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
 58

Summary
• Users can authenticate using something they know,
something they are, or something they have
• Systems may use a variety of mechanisms to implement
access control
• Encryption helps prevent attackers from revealing,
modifying, or fabricating messages
• Symmetric and asymmetric encryption have
complementary strengths and weaknesses
• Certificates bind identities to digital signatures

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Cryptography/Cryptology
Quiz Goes Live at 3 PM!