Scribd
Upload
13 views55 pages

Chapter 3

Chapter 3 discusses various security techniques including encryption, cryptography, access control, and firewalls. It emphasizes the importance of system access controls, data access controls, and multifactor authentication for securing systems. The chapter also details the Data Encryption Standard (DES) and its mechanisms for encrypting data.

Uploaded by

shemse
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
13 views55 pages

Chapter 3

Chapter 3 discusses various security techniques including encryption, cryptography, access control, and firewalls. It emphasizes the importance of system access controls, data access controls, and multifactor authentication for securing systems. The chapter also details the Data Encryption Standard (DES) and its mechanisms for encrypting data.

Uploaded by

shemse
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 55

Security Techniques

Chapter 3

Prepared by: Dr. Oliver 1


Topics
1. Encryption
2. Cryptography
3. Access Control
4. Firewall

Prepared by: Dr. Oliver 2


What Makes a System Secure?
• System access controls - ensure that
unauthorized users don’t get into the system
and encourage (sometimes force) authorized
users to be security-conscious.
• Data access controls - monitor who can
access what data, and for what purpose.
Another word for this is authorization, that is,
what you can do once you are authenticated.
– discretionary access controls
– mandatory access controls
Prepared by: Dr. Oliver 3
• System and Security Administration -
methods perform the offline procedures that
make or break a secure system—by clearly
delineating system administrator
responsibilities, by training users
appropriately, and by monitoring users to
make sure that security policies are observed.
• System Design - take advantage of basic
hardware and software security
characteristics.

Prepared by: Dr. Oliver 4


I. System Access: Logging into Your System

• Trying to log into a system is a kind of


challenge/response scenario.
• You tell the system who you are, and the
system requests that you prove it by providing
information that matches what the computer
has stored about you.
• In security terms, this two-step process is
called identification and authentication.

Prepared by: Dr. Oliver 5


Identification and Authentication
• Identification is the way you tell the system
who you are.
• Authentication is the way you prove to the
system that you are who you say you are.

Prepared by: Dr. Oliver 6


There are three classic ways to do so:
• What you know - The most familiar example is a password.
The theory is that if you know the secret password for an
account, you must be the owner of that account.
• What you have - Examples are keys, tokens, badges, and
smart cards you must use to unlock your terminal or your
account. The theory is that if you have the key or equivalent,
you must be the owner of it.
• What you are - Examples are physiological or behavioral
traits, such as your fingerprint, handprint, retina pattern, iris
pattern, voice, signature, or keystroke pattern. Biometric
systems compare your particular trait against the one stored
for you and determine whether you are who you claim to be.

Prepared by: Dr. Oliver 7


Multifactor authentication
• Multifactor authentication is a way to cascade
the three methods listed previously such that if
an attacker gets past one safeguard, they still
have to pass another.
• Passwords are still, far and away, the
authentication tool of choice.
• In a multifactor authentication system,
username and password would be augmented
with one of the other two systems.

Prepared by: Dr. Oliver 8


Login Processes
• Encryption - This method scrambles a
password so that it cannot be deciphered by
someone who monitors storage or
transmissions.
• Challenge and response - With this method,
the user is asked to authenticate at the
beginning of the exchange, and frequently at
random intervals thereafter.

Prepared by: Dr. Oliver 9


The language of cryptography

Alice’s Bob’s
K encryption K decryption
A
key Bkey

plaintext encryption ciphertext decryption plaintext


algorithm algorithm

m plaintext message
KA(m) ciphertext, encrypted with key KA
m = KB(KA(m))

Prepared by: Dr. Oliver 10


Simple Encryption transformations:
• Substitution
• Permutation (bit shuffle)

Prepared by: DR. OLIVER 11


a. Substitution
• A substitution specifies, for each of the 2k
possible values of the input, the k-bit output.
• The process of substitution involves
replacement of the plaintext characters.
• Example: Caesar Cipher
Fence Cipher

Prepared by: DR. OLIVER 12


b. Permutation
• A permutation specifies, for each of the k
input bits, the output position to which it
goes. For instance, the 1st bit might become
the 13th bit of output, the 2nd bit would
become the 61st bit of output, and so on.
• It involves re-arrangement of the characters of
the plaintext.

Prepared by: DR. OLIVER 13


Simple encryption scheme
Permutation cipher: substituting one thing for another

plaintext: abcdefghijklmnopqrstuvwxyz

ciphertext: mnbvcxzasdfghjklpoiuytrewq

e.g.: Plaintext: bob. i love you. alice


ciphertext: nkn. s gktc wky. mgsbc

Encryption key: mapping from set of


26 letters
to ch-3
set of 26 letters 14
Data Encryption Standard (DES)
• DES was published in 1977 by the National
Bureau of Standards for use in commercial and
unclassified U.S. Government applications.
• It was based on an algorithm known as the
Lucifer cipher designed by IBM.
• DES uses:
– a 56-bit key
– maps a 64-bit input block into a 64-bit output block.

Prepared by: DR. OLIVER 15


DES overview
1. The 64-bit input is subjected to an initial permutation
to obtain a 64-bit result (which is just the input with
the bits shuffled).
2. The 56-bit key is used to generate sixteen 48-bit per-
round keys, by taking a different 48-bit subset of the
56 bits for each of the keys.
3. Each round takes as input the 64-bit output of the
previous round, and the 48-bit per-round key, and
produces a 64-bit output.
4. After the 16th round, the 64-bit output is subjected to
another permutation, which happens to be the
inverse of the initial permutation.
Prepared by: DR. OLIVER 16
Prepared by: DR. OLIVER 17
1. The Permutations of the Data
• The input is 8 bytes. The output is 8 bytes. The
bits in the first byte of input get spread into the
8th bits of each of the bytes.
• The pattern of spreading the 8 bits of the input
bytes among the output bytes is that the even-
numbered bits go into bytes 1-4, and the odd-
numbered bits go into bytes 5-8.

Prepared by: DR. OLIVER 18


Prepared by: DR. OLIVER 19
Prepared by: DR. OLIVER 20
2. Generating the Per-Round Keys
• The DES key looks like it's 64 bits long, but 8 of
the bits are parity.
• Let's number the bits of the DES key from left
to right as 1, 2,...64. Bits 8, 16,...64 are the
parity bits.
• DES performs a function, which we are about
to specify, on these 64 bits to generate sixteen
48-bit keys, which are K1, K2,...K16.

Prepared by: DR. OLIVER 21


First it does an initial permutation on the 56 useful
bits of the key, to generate a 56-bit output, which it
divides into two 28-bit values, called C0, and D0.
The permutation is specified as:

Prepared by: DR. OLIVER 22


The way to read the table above is that the leftmost bit
of the output is obtained by extracting bit 57 from the
key. The next bit is bit 49 of the key, and so forth, with
the final bit of D0 being bit 4 of the key. Notice that
none of the parity bits (8, 16, ...64) is used in C0 or D0.

Prepared by: DR. OLIVER 23


Use Permuted Choice Two (PC2) to obtain the
48-bit key from C0 and D0.
Prepared by: DR. OLIVER 24
3. A DES Round
• In encryption, the 64-bit input is divided into two
32-bit halves called Ln and Rn.
• The round generates as output 32-bit quantities
Ln+1 and Rn+1.
• The concatenation of Ln+1 and Rn+1 is the 64-
bit output of the round.

Prepared by: DR. OLIVER 25


Prepared by: DR. OLIVER 26
The Mangler Function
• The mangler function first expands R from a 32-
bit value to a 48-bit value.
• It does this by breaking R into eight 4-bit chunks
and then expanding each of those chunks to 6
bits by taking the adjacent bits and
concatenating them to the chunk.
• The leftmost and rightmost bits of R are
considered adjacent.

Prepared by: DR. OLIVER 27


Prepared by: DR. OLIVER 28
• That 6-bit output is fed into an S box, a
substitution which produces a 4-bit output for
each possible 6-bit input.

Prepared by: DR. OLIVER 29


Prepared by: DR. OLIVER 30
Prepared by: DR. OLIVER 31
Prepared by: DR. OLIVER 32
Prepared by: DR. OLIVER 33
Apply the Permutation Function (P) to the
result of the S-Box to obtain the f (Rn,Kn)

Prepared by: DR. OLIVER 34


Apply the Final Permutation to the Rn and Ln
obtained.
Prepared by: DR. OLIVER 35
DES Example

Prepared by: DR. OLIVER 36


Let M be the plain text message M = 0123456789ABCDEF, where M is in
hexadecimal (base 16) format.
Rewriting M in binary format, we get the 64-bit block of text:
M = 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011
1100 1101 1110 1111

L = 0000 0001 0010 0011 0100 0101 0110 0111


R = 1000 1001 1010 1011 1100 1101 1110 1111
The first bit of M is "0". The last bit is "1". We read from left to right.

Let K be the hexadecimal key K = 133457799BBCDFF1.


This gives us as the binary key (setting 1 = 0001, 3 = 0011, etc., and grouping together
every eight bits, of which the last one in each group will be unused):
K = 00010011 00110100 01010111 01111001 10011011 10111100
11011111 11110001
Prepared by: DR. OLIVER 37
Creating subkeys
Example: From the original 64-bit key
K = 00010011 00110100 01010111 01111001 10011011
10111100 11011111 11110001
we get the 56-bit permutation

K+ = 1111000 0110011 0010101 0101111 0101010


1011001 1001111 0001111
Next, split this key into left and right halves, C0 and D0, where each half has 28 bits.

Example: From the permuted key K+, we get


C0 = 1111000 0110011 0010101 0101111
D0 = 0101010 1011001 1001111 0001111
Prepared by: DR. OLIVER 38
Example:
From original pair pair C0 and D0 we obtain:

C0 = 1111000011001100101010101111
D0 = 0101010101100110011110001111

C1 = 1110000110011001010101011111
D1 = 1010101011001100111100011110
Prepared by: DR. OLIVER 39
Example:
For the first key we have C1D1 = 1110000 1100110
0101010 1011111 1010101 0110011 0011110 0011110
which, after we apply the permutation PC-2, becomes

K1 = 000110 110000 001011 101111 111111 000111


000001 110010
Prepared by: DR. OLIVER 40
Encode each 64-bit block of data.

Example:
Applying the initial permutation to the block of text M, given previously, we
get
M = 0000 0001 0010 0011 0100 0101 0110 0111 1000
1001 1010 1011 1100 1101 1110 1111

IP = 1100 1100 0000 0000 1100 1100 1111 1111 1111


0000 1010 1010 1111 0000 1010 1010
Prepared by: DR. OLIVER 41
Next divide the permuted block IP into a left half L0 of 32 bits, and a
right half R0 of 32 bits.
Example: From IP, we get L0 and R0
L0 = 1100 1100 0000 0000 1100 1100 1111 1111
R0 = 1111 0000 1010 1010 1111 0000 1010 1010
Let + denote XOR addition, (bit-by-bit addition modulo 2).
Then for n going from 1 to 16 we calculate

Ln = Rn-1
Rn = Ln-1 + f(Rn-1,Kn)

Prepared by: DR. OLIVER 42


Example: For n = 1, we have
K1 = 000110 110000 001011 101111 111111 000111 000001
110010
L1 = R0 = 1111 0000 1010 1010 1111 0000 1010 1010
R1 = L0 + f(R0,K1)

Prepared by: DR. OLIVER 43


Example: We calculate E(R0) from R0 as follows:
R0 = 1111 0000 1010 1010 1111 0000 1010 1010
E(R0) = 011110 100001 010101 010101 011110 100001
010101 010101
(Note that each block of 4 original bits has been expanded to a block of 6 output bits.)
Next in the f calculation, we XOR the output E(Rn-1) with the key Kn:
Kn + E(Rn-1).

Example: For K1 , E(R0), we have


K1 = 000110 110000 001011 101111 111111 000111 000001
110010
E(R0) = 011110 100001 010101 010101 011110 100001
010101 010101
K1+E(R0) = 011000 010001 011110 111010 100001 100110
010100 100111. Prepared by: DR. OLIVER 44
Example: For the first round, we obtain as the output of the
eight S boxes:

K1 + E(R0) = 011000 010001 011110 111010 100001 100110


010100 100111.

S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8) = 0101 1100


1000 0010 1011 0101 1001 0111

The final stage in the calculation of f is to do a


permutation P of the S-box output to obtain the final value
of f:
f = P(S1(B1)S2(B2)...S8(B8))

Prepared by: DR. OLIVER 45


Example: From the output of the eight S boxes:
S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8) = 0101 1100 1000
0010 1011 0101 1001 0111
we get
f = 0010 0011 0100 1010 1010 1001 1011 1011
R1 = L0 + f(R0 , K1 )

= 1100 1100 0000 0000 1100 1100 1111 1111


+ 0010 0011 0100 1010 1010 1001 1011 1011
= 1110 1111 0100 1010 0110 0101 0100 0100
Prepared by: DR. OLIVER 46
If we process all 16 blocks using the method defined
previously, we get, on the 16th round,
L16 = 0100 0011 0100 0010 0011 0010 0011 0100
R16 = 0000 1010 0100 1100 1101 1001 1001 0101
We reverse the order of these two blocks and apply the final
permutation to
R16L16 = 00001010 01001100 11011001 10010101 01000011
01000010 00110010 00110100
IP-1 = 10000101 11101000 00010011 01010100 00001111
00001010 10110100 00000101
which in hexadecimal format is 85E813540F0AB405.

This is the encrypted form of M = 0123456789ABCDEF:


namely, C = 85E813540F0AB405.
Prepared by: Dr. Oliver 47
models of Login mechanisms
• Password Authentication Protocol - user provides a
username and password, and these are compared
with values stored in a table to see if they match.
• Challenge Handshake Authentication Protocol
(CHAP) – the device doing the authenticating, usually
a network server, sends the client program an ID
value and a random number, and both the sender
and peer share a predefined secret word, phrase or
value.
• Mutual authentication - can be thought of as two-
way authentication. The client authenticates to the
server, and then the server authenticates to the client
or workstation. Prepared by: Dr. Oliver 48
• One-time password - is a variation of the
username/password combination. With OTP,
the user creates a password, and the system
creates a variation of the password each time a
password is required.
• Per-session authentication - requires the client
to reauthenticate for each exchange of
information is burdensome, but it provides a
great deal of security.
• Tokens - A token or token card is usually a small
device that supplies the response to a
challenge that is received when trying to log on.
Prepared by: Dr. Oliver 49
• Biometrics - using personal measurements
such as fingerprints, hand outlines, iris and
retina scanners, voice recognition,
handwriting analysis, and keyboard analysis
can be a one-stop shop for authentication, but
it is seldom used that way.

Prepared by: Dr. Oliver 50


Protecting passwords
Most security administrators protect
passwords in three important ways:
1. they make passwords hard to guess
2. they make login controls hard to crack
3. and they protect the file in which passwords
are stored.

Prepared by: Dr. Oliver 51


Sample login/password controls
System Most systems display warning banners and announcement
messages messages before and/or after you successfully log in.
Limited After a certain number of unsuccessful tries at logging into the
attempts system (the number can be specified by the system
administrator), the system locks you out and won’t let you log in
from that terminal.
Limited time Certain users or terminals may be limited to logging in during
periods business hours or other specified times.
Incrementing Each time a login fails, a longer time must pass before allowing
login failure another attempt. That is, after the first attempt, it takes one
wait times second to reset; after the second attempt, two seconds;

Last login When you log in, the system may display the date and time of
message your last login. Many systems also display the number of
unsuccessful login attempts since the time of your last successful
login.

Prepared by: Dr. Oliver 52


User In many systems, you’re allowed to change your own
changeable password any time after its initial assignment by the system
passwords administrator and may be required to change it after a
certain interval.

System Some systems require you to use passwords generated


generated randomly by the system, rather than relying on your own
passwords selection of a difficult-to-guess password.

Password When a specified time is reached—for example, the end of


aging and the month—all passwords in the system may expire. The
expiration new passwords usually must not be identical to the old
passwords.

Minimum Because short passwords are easier to guess than long ones,
length some systems require that passwords be a certain length,
usually six to eight characters, but longer is better.

Password Locks allow the system administrator to restrict certain users


locks from logging in or to lock login accounts that haven’t been
used for an extended period of time.

Prepared by: Dr. Oliver 53


Password attacks
• brute force attack - try to guess a password by
trying every possible combination of
characters, one attempt at a time
• dictionary attack - With the help of online
dictionaries of common passwords (English
words, names of people, animals, cars,
fictional characters, places, and so on),
crackers are quite likely to be able to guess a
good many of the passwords most people are
likely to choose.
Prepared by: Dr. Oliver 54
END

Prepared by: Dr. Oliver 55

You might also like