Chapter 7: Data security and

integrity

1
 Overview

What is Security?
 Security : “the quality or state of being secure—to be free
from danger.”
 In other words, protection against adversaries—from those
who would do harm, intentionally or otherwise—is the
objective.
 Data security is the process of protecting corporate data and
preventing data loss through unauthorized access.
 This includes protecting your data from attacks that can
encrypt or destroy data, such as ransomware, as well as
attacks that can modify or corrupt your data.
2
Goals of security
 Prevention : means that an attack will fail.
 Eg. passwords ( prevent unauthorized users
from accessing the system).
 Detection : is most useful when an attack
cannot be prevented, but it can also indicate
the effectiveness of preventative measures.
 Detection mechanisms accept that an attack will
occur;
 determine that an attack is underway, or has
occurred, and report it.
 The attack may be monitored, however, to
provide data about its nature, severity, and
3
results.
Goals…
 Recovery: requires resumption of correct
operation.
 has two forms.
 The first is to stop an attack and to assess
and repair any damage caused by that
attack.
 E.g if the attacker deletes a file, recovery
restore the file from backup tapes.
 the attacker may return, so recovery involves
identification and fixing of the vulnerabilities
used by the attacker to enter the system
 In both these cases, the system's
functioning is inhibited by the attack.
4
 Goals…
 In a second form of recovery, the system
continues to function correctly while an attack
is underway.
 fault tolerance.
 It differs from the first form of recovery,
because at no point does the system function
incorrectly. However, the system may disable
nonessential functionality.

5
Basic concepts…
 Privacy
 “informational self-determination”
 This means that you get to control
information about you
 “Control” means many things:
 Who gets to see it
 Who gets to use it
 What they can use it for
 Who they can give it to

6
Data Integrity
 Integrity- detect unauthorized writing
(i.e., modification of data)
 Example: Inter-bank fund transfers
 Confidentiality is nice, but integrity is critical
 Encryption provides confidentiality
(prevents unauthorized disclosure)
 Encryption alone does not provide
integrity

7
Cryptography and Encryption
Techniques

8
Terminologies
 Cryptography: Schemes for encryption
and decryption
 Encryption algorithm:
algorithm technique or
rules selected for encryption.
 Key:
Key is secret value used to encrypt
and/or decrypt the text.
 Cryptanalysis: The study of “breaking
the code”.
 Cryptology: Cryptography and
cryptanalysis together constitute the
9
area of cryptology.
Introduction
What is cryptography ?
 Cryptography is the study of Encryption
 Greek kryptos means “hidden” and
graphia means “writtings”
 Encryption is an ancient form of
information protection. … dates back
4,000 years.
 process by which plaintext is converted into
ciphertext.
 Decryption is the inverse of Encryption.

10
 Introduction ….
 Cryptography has seven components:
 Plaintext: This is what you want to encrypt.
 Ciphertext: The encrypted output.
 Enciphering or encryption: The process by which
plaintext is converted into ciphertext.
 Encryption algorithm: The sequence of data
processing steps that go into transforming plaintext
into ciphertext.
 Secret Key: is used to set some or all of the various
parameters used by the encryption algorithm.
 Deciphering or decryption: Recovering plaintext
from ciphertext.
 Decryption algorithm: The sequence of data
processing steps that go into transforming
ciphertext back into plaintext.
 Security depends on the secrecy of the key, not the
secrecy
11 of the algorithm
Introduction ….
Simplified Encryption Model:

12
Introduction …
 A sender S wanting to transmit
message M to a receiver R
 To protect the message M, the sender
first encrypts it into meaningless
message M’
 After receipt of M’, R decrypts the
message to obtain M
 M is called the plaintext
 What we want to encrypt
 M’ is called the ciphertext
 The encrypted output
13
Introduction…
 Notation
Given
P=Plaintext
C=CipherText

C = EK (P) Encryption
P = DK (C) Decryption

14
Services Provided by Cryptography
 Confidentiality
 provides privacy for messages and
stored data by hiding
 Message Integrity
 provides assurance to all parties that a
message remains unchanged
 Non-repudiation
 Can prove a document came from the
intended user
 Authentication
 identifies the origin of a message
 verifies the identity of person using a

15
computer system
 Cipher Techniques

Transposition Cipher Vs Substitution Cipher

16
Transposition and Substitution

security security security

Encryption Encryption Encryption

cusetyri tfdvsjuz 19 5 3 21 18 9 20 25
Simple
Transposition Simple Substitution

17
Substitution Cipher
 Replace bits, characters, or block of characters by
other bits, characters.
 Types of Substitution cipher:
 Monoalphabetic Cipher
 Caesar Cipher
 Modified Caesar Cipher
 Polygram Cipher
 Playfair cipher
 Polyalphabetic ciphers
 Vigenere cipher
 One-time pad

18
Caesar Cipher Substitution
 Caesar Cipher is used by Julius Caesar's military
 substitutes each letter of the alphabet with the
letter standing three places further down the
alphabet

19
 Activity
 Convert it ....to Caesar Ciphertext?
 Plaintext: are you ready
 Ciphertext: duh brx uhdgb

Plaintext a b c d e f g h i j k l mn o p q r s t u v w x y z
Ciphertext D E F G H I J K L M N O P Q R S T U V WX Y Z A B C

20
Modified Caesar Cipher
 The algorithm can be expressed as, for
each plaintext letter P, substitute
ciphertext letter C.
 C = E(3, p) = (p + 3) mod 26
 Mathematically give each letter a number

 General Caesar algorithm as:

c = E(k, p) = (p + k) mod (26)
p = D(k, c) = (c – k) mod (26)
 Where k is [1 to 26]. Secret-key

21
Modified Caesar Cipher
 In this version of Caesar cipher the cipher text
alphabets corresponding to the original plain text
alphabets may not necessarily be three places down
the order, but instead, can be any places down the
order
 First we must translate our message into our numerical alphabet
 Choose the number you want to shift by
 Then we add the B-shift to each number
 E.g 1. The name 'James' encrypted with a B-shift of 7 is:
 J = 9 + 7 = 16
 A=0+7=7
 M = 12 + 7 = 19
 E = 4 + 7 = 11
 S = 18 + 7 = 25
 16 = Q, 7 = H, 19 = T, 11= L, 25 = Z.
 QH T L Z

22
Modified Caesar Cipher
 E.g.2. The phrase 'is a spy' using the same B-shift.
 I = 8 + 7 = 15,
 S = 18 + 7 = 25

 A = 0 + 7 = 7

 S = 18 + 7 = 25

 P = 15 + 7 = 22

 Y = 24 + 7 = 31

 So 15 is P, 25 is Z, 7 is H, 25 is Z again, and 22 is
W, but what is 31?
 Use mod 26
 Since, 31 mod 26 = 5, which corresponds to F
 So “is a spy” = PZHZWF

23
Modified Caesar Cipher
 In order for someone to translate the message,
they would have to use our cipher backwards.
 PZHZWF -> is a spy
 So first they would translate the letters into numbers
again
 In order to solve the cipher they would also need to know
that we used a B-shift of 7, then we would need to
subtract.
 Since 15- 7 which is I , 25 – 7 which is S, So on …..
 But, F becomes 5, 5 minus 7 is negative 2?
 Reverse the 'mod 26' calculation
 Negative 2 plus 26 is 24, which translates to Y

24
Modified Caesar Cipher
 Shift ciphers can also work in the opposite order,
where you subtract the B-shift first when you are
encrypting and then add it back when you are
decrypting.
 Another kind of cipher is called a multiplication
cipher. It is similar to the shift cipher, except that
you multiply and divide instead of add and
subtract.

25
Monoalphabetic Cipher
 In this scheme rather than using a uniform
scheme for all the alphabets in a given plain
text message, a random substitution is used.
 This means that in a given plain text message,
each A can be replaced by any other alphabet
(B through Z), each B can also be replaced by
any other random alphabet (A or C through Z),
and so on.
 We can have any permutation or
combination of the 26 alphabets, which
means (26*25*24…..2) or 26! = 4 x 1026
keys
26
Monoalphabetic Cipher
 Rather than just shifting the alphabet could
shuffle (jumble) the letters arbitrarily each
plaintext letter maps to a different random
ciphertext letter. Hence, key is 26 letters long

Plain: abcdefghijklmnopqrstuvwxyz
Cipher: DKVQFIBJWPESCXHTMYAUOLRGZN

Plaintext:
ifwewishtoreplaceletters
Ciphertext: WIRFRWAJUHYFTSDVFSFUUFYA

27
Polygram Cipher
 In Polygram substitution cipher technique,
rather than replacing one plain text alphabet
with one cipher text alphabet at a time, a
block of alphabets is replaced with another
block.
 For instance, HELLO could be replaced by YUQQW,
but HELL could be replaced by a totally different
cipher text block TEUI
 The replacement of plain text happens block by
block, rather than character by character

28
Playfair Cipher
 A manual symmetric encryption technique
 It was the first literal digraph substitution
cipher.
 The scheme was invented in 1854 by Charles
Wheatstone, but bears the name of Lord Playfair
who promoted the use of the cipher.
 Used in WWI and WWII

29
Playfair Key Matrix
 a 5X5 matrix of letters based on a keyword
 fill in letters of keyword (no duplicates, i & j)
 fill rest of matrix with other letters
 E g. using the keyword (key) simple

s i/j m p l
e a b c d
f g h k n
o q r t u
v w x y z

30
Playfair Cipher
 Use filler letter to separate repeated letters
 eg. "balloon" encrypts as "ba lx lo on" Encrypt two letters
together
 Same row– >followed letters
 ac--bd
 Same column–> letters under
 qw--wi
 Otherwise—>square’s corner at same row
 ar--bq

31
Activity 1
Eg. Keyword. Now Then finish filling up the
write the letters remaining squares of the
keyword in the first matrix with the remaining
squares of a five by letters of the alphabet, in
five matrix: alphabetical order

For example, the sentence “Why,

don’t you?” becomes
WH YD ON TY OU
Ciphertext :YI EA ES VK EZ
32
 instruments

Activity2
 Q: construct the playfair matrix using the
keyword MONARCHY ?
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z

Plaintext: Ethiopia
Ciphertext:
klbfhvsb
Would you please try this: “instruments” with
the above keyword
33
 instruments

Activity3
 Dear students let us consider one extra example when the
secret key have similar letter, consider like this just only
take one character from the rest of similar letters.
 Q: construct the playfair matrix using the keyword Hello world ?
 We want to encrypt the text “hide the gold,” which has an
odd number of alphabets. Hence, we want to pad it with ‘Z”
at the end. After splitting it into digraphs, it will look like
 HI DE TH EG OL DZ

 Plaintext: hide the goldz

 Ciphertext: lfgdnwdpwocv

34
  Advantages:
 It is significantly harder to break since the frequency analysis
technique used to break simple substitution ciphers is difficult
but still can be used on (25*25) = 625 digraphs rather than
25 monographs which is difficult.
 Frequency analysis thus requires more cipher text to crack
the encryption.
 Disadvantages:
 An interesting weakness is the fact that a digraph in the
ciphertext (AB) and it’s reverse (BA) will have corresponding
plaintexts like UR and RU (and also ciphertext UR and RU will
correspond to plaintext AB and BA, i.e. the substitution is self-
inverse). That can easily be exploited with the aid of
frequency analysis, if the language of the plaintext is known.
 Another disadvantage is that playfair cipher is a
symmetric cipher thus same key is used for both encryption
35
and decryption.
Polyalphabetic ciphers
 Using multiple substitution alphabets.
 Make cryptanalysis harder with more
alphabets to guess and flatter frequency
distribution
 Use a key to select which alphabet is used for
each letter of the message
 Use each alphabet in turn
 Repeat from start after end of key is reached

36
Vigenere Cipher
 Simplest Polyalphabetic substitution cipher
 Meaning that instead of there being a one-
to-one relationship between each letter and
its substitute, there is a one-to-many
relationship between each letter and its
substitutes.
 The encipherer chooses a keyword and repeats
it until it matches the length of the plaintext

37
Vigenere Cipher
 write the plaintext out
 write the keyword repeated above it
 use each key letter as a caesar cipher key
 encrypt the corresponding plaintext letter

38
 Activity
 Q: encrypt the given
plaintext letter using
Vigenère Cipher, use
keyword deceptive
 plaintext:
wearediscoveredsaveyour
self
 Key:
deceptivedeceptivedece
ptive
 Ciphertext:
zicvtwqngrzgvtwavzhcqy
glmgj
39
Transposition Cipher
 Transposition ciphers differ form substitution
cipher technique in addition to replace on
alphabet with another they perform some
permutation over the plain text alphabet
 Rearrange bits or characters in the data
 Letters stay the same
 Order is different

40
Transposition Cipher
 Types of Transposition Cipher Techniques:
 Spartans cipher
 Rail fence cipher
 Simple Columnar Transposition
 Route cipher
 Book cipher/running key cipher

41
Classical Transposition
 Spartans cipher , fifth century B.C.
Start the war today

Encryption: rearrange the text in 3

columns

S t a
r t t
h e w
a r t
o d a Rewrite it by
reading down y

Srhaoytterdatwta
42
Rail Fence Cipher
Write the plaintext downwards on successive "rails" of
an imaginary fence. When you get to the bottom start
moving up. Write the message line by line.
Example: if we have 3 "rails" and a message of 'WE ARE
DISCOVERED. FLEE AT ONCE', the cipherer writes out:

W R I O R F E O E
E E S V E L A N
A D
The message: C E D E T C

WRIORFEOEEESVELANADCEDETC.

43
Columnar Transposition
Write the message in rows of a fixed length,
and then read out again column by column.
The columns are chosen in some scrambled
order. Both the length of the rows and the
permutation of the columns are usually
defined by a keyword.

44
Key Columnar Transposition
Example: Let the key word be: ZEBRA.
Z E B R A
W E A R E
D I S C O
V E R E D
F L E E A
T O N C E
The message:
EODAEASRENEIELORCEECWDVFT.

45
Route Cipher
The plaintext is first written out in a grid of given
dimensions, then we read it off in a pattern given in
the key.
Example: The key say: read message from top right corner down and
W.
to the left D V F T
E I E L O
A S R E N
R C E E C
E O D A E

The message:
TONCEADOEFLEEECRVERSADIEW.
46
 Cryptanalysis

47
Cryptanalysis
 Types of attacks encryption
 The attacker has only the ciphertext and
his/her goal is to find the corresponding
plaintext
 The attacker has a ciphertext and the
corresponding plaintext and his/her goal
is to find the key
 A good cryptosystem protects against all
types of attacks

48
Cryptanalysis
 general approaches:
 Cryptanalytic attack
 exploits the characteristics of the algorithm
 Brute-force attack
 try every possible key on a piece of cipher text
 Letter frequency analysis attack
 Objective to recover key not just
message

49
Cryptanalytic Attacks
 Ciphertext only
 Only know algorithm & ciphertext, is statistical, know or can identify
plaintext .
 Find the plain text of the message or the key. Most difficult
 Known plaintext
 Know/suspect plaintext & ciphertext
 Find key or algorithm
 Chosen plaintext
 select plaintext and obtain ciphertext
 Chosen ciphertext
 select ciphertext and obtain plaintext
 Chosen text
 select plaintext or ciphertext to en/decrypt

50
Cryptanalysis…
 given a ciphertext Caesar cipher, then a
brute-force is easy performed:
 simply try all the 25 possible keys.
 Assuming language of the plaintext is known.
 Thus, Caesar cipher is far from secure.
 Eg: try to break this Caesar cipher
BRXDUHKDFNLQJ

51
Brute Force Search
 always possible to simply try every key
 assume either know / recognise plaintext
 impractical if we use an algorithm that
employs a large number of keys.
 most basic attack, proportional to key size

52
Language Redundancy and Cryptanalysis
 Human languages are redundant
 Letters are not equally commonly used
 In English E is by far the most common letter
 followed by T,R,N,I,O,A,S
 Other letters like Z,J,K,Q,X are fairly rare
 Have tables of single, double & triple letter
frequencies for various languages

53
Authentication protocols
 used to convince parties of each others
identity and to exchange session keys
 may be one-way or mutual
 key issues are – confidentiality – to protect
session keys – timeliness – to prevent replay
attacks
 published protocols are often found to have
flaws and need to be modified

54
Security mechanisms and techniques

Firewall

55
Firewall
 Is hardware, software, or a combination of
both
 used to prevent unauthorized programs or
Internet users from accessing a private
network and/or a single computer.

56
Hardware vs. Software Firewalls
 Hardware Firewalls
 Protect an entire network
 Implemented on the router level

 Software Firewalls
 Protect a single computer

57
How does a software firewall
work?

 Inspects each individual “packet” of data as it

arrives at either side of the firewall

 Determines whether it should be allowed to

pass through or if it should be blocked

58
Firewall Rules
 Allow – traffic that flows automatically
because it has been deemed

 Block – traffic that is blocked because it has

been deemed dangerous to your computer

 Ask – asks the user whether or not the traffic

is allowed to pass through

59
What Can a Firewall Do?
 Focus for security decisions
 Stop hackers from accessing your computer
 Can enforce security policy
 Protects your personal information
 Limits your exposure
 Blocks “pop up” ads and certain cookies
 Can log Internet activity efficiently
 Determines which programs can access the Internet
 Can't protect you against malicious insiders
 Can't protect you against connections that don't go through
it
 Can't protect against completely new threats

60
Firewall features
 General Firewall Features
 Port Control
 Network Address Translation
 Application Monitoring
 Packet Filtering
 Access control
 Additional features
 Data encryption
 Authentication
 Connection relay (hide internal network)
 reporting/logging
 e-mail virus protection
 spy ware protection

61
What It Protects You From
 Remote login
 SMTP session hijacking
 Operating system bugs
 Spam
 IP spoofing
 Denial of Service
 E-mail bombs
 Source routing

62
Security Strategies Implemented
 Default Deny
 Prohibit all communication that is not expressly permitted
 Default Permit
 Permit all communication that is not explicitly prohibited
 Least Privilege
 reduces the authorization level at which various actions are
performed
 Defense in Depth
 security approach whereby each system on the network is
secured to the greatest possible degree
 Choke Point
 forces attackers to use a narrow channel to bypass the
network

63
Example: Firewall Configuration

# ipchains -C forward -p tcp -s 172.16.1.0 1025 -d 44.136.8.2 80 -i eth0
accepted
source Destination
 # ipchains -C forward -p tcp -s 172.16.2.0 1025 -d 44.136.8.2 80 -i eth0
denied
Wrong

 # ipchains -C forward -p udp -s 172.16.1.0 1025 -d 44.136.8.2 80 -i eth0

denied
Wrong

 # ipchains -C forward -p tcp -s 172.16.1.0 1025 -d 44.136.8.2 23 -i eth0

denied
Wrong

64
Firewall Filtering Rule
 Egress Filtering
 Restricting the flow of information from a private TCP/IP
computer network to the Internet
 Outbound traffic from external address  Drop
 Ingress Filtering
 Contrast with egress filtering, it ensure that incoming packets are
actually from the networks from which they claim to originate
 Inbound Traffic from internal address  Drop
 Default

Src Src Dst Dst Ack

Rule Dir Proto Action
Addr Port Addr Port Set?
Egress Out Ext Any Ext Any Any Any Deny
Ingress In Int Any Int Any Any Any Deny
65 Default Any Any Any Any Any Any Any Deny
Types of Firewalls
 Packet Filtering Firewalls
 Proxy Server Firewalls or Application level
Gateway
 Circuit Level Gateway

66
Types of Firewalls ….
 Two primary types of firewalls are:
 Packet filtering firewall
 Proxy-server firewall
 Sometimes both are employed to protect a
network
 Firewalls can be designed to operate at any of
the following three layers in the TCP/IP protocol
stacks:
 The application layer(eg: HTTP proxy)
 The network and transport layer(eg: packet filtering)
 The layer b/n the application layer and the transport
layer (eg: SOCKS proxy)

67
Packet Filtering Firewalls/Routers
 Packet Filtering router applies a set of rules to each
incoming and outgoing IP packet and then forwards or
discards the packet.
 A filtering firewall works at the network level.
 The router is typically configured to filter packets going in
both directions (from and to the internal network).
 Filtering rules are based on information contained in a
network packet:
 Source IP address: The IP address of the system that originated
the IP packet (e.g., 192.178.1.1)
 Destination IP address: The IP address of the system the IP packet
is trying to reach (e.g., 192.168.1.2)
 Source and destination port address: The transport level (e.g.,
TCP or UDP) port number, which defines applications such as SNMP
or TELNET
68
Packet Filtering Firewalls
 Packet-filtering Router…
 Many network routers have the ability to perform some
firewall services.
 Filtering firewalls can be thought of as a type of router

69
Virtual private networks

70
Virtual private networks
 Types of VPN’s
Remote-Access VPN
Site to site VPN (Intranet based)
Site to Site VPN(Extranet based)
Remote access VPN
 A remote access VPN is for home or travelling users who need to access their central
LAN from a remote location
 They dial their ISP and connect over the internet to the LAN
 This is made possible by installing a client software program on the remote user’s
laptop or PC that deals with the encryption and decryption of the VPN traffic b/n itself
and the VPN gateway on the central LAN
Site to site VPN
 Intranet-based :- if a company has one or more remote locations that they wish to
join in a single private network, they can create an intranet VPN to connect LAN to
LAN
 Extranet based :- when a company has a close r/ship with another company (e.g a
partner, suppler or customer), they can build an extranet VPN that connect LAN to
71
LAN, and that allows all of the various companies to work in a shared environment.
Virtual private networks
 Types of VPN’s

72
Virtual private networks
VPN devices
 hardware
 software
 firewall

73
Virtual private networks
VPN devices
 hardware
 software
 firewall

74
Transport layer security
 Transport Layer attacks
 TCP SYN Flood attack: TCP operates using
synchronized
connections, initiated with 3 way handshake.
 TCP SYN flood attack exploits the vulnerability at
this stage of TCP connection.
 The attacker sends TCP SYN packets by
impersonating the IP address of an inactive host.
 The target machine responds SYN acknowledgment
waiting for the inactive host to respond.
 However, instead of opening a session, the attacker
continuously sends SYN requests and the victim’s
buffer will be flooded and cannot respond to other
requests.
75
Transport layer security
 Transport Layer attacks
 TCP sequence number attack: Each time a TCP message
is sent, the sender generates a 32 bit sequence number.
 The attacker intercepts and responds with a sequence
number similar to the one used in the original session.
 This means, the attacker hijacks the session and gains
access;
hence this type of attack is also called TCP session
hijacking.
 If the connection is one that allows command execution,
malicious code could be executed.
 There are some programs, e.g. Wireshark, that allow to
view TCP sequence number.

76
Transport Layer Security: Secure Sockets
Layer (SSL/TLS)
 Transport Layer attacks
 Security services
 Transport Layer Security defined in RFC 2246
 SSL general-purpose service
 Set of protocols that rely on TCP
 Two implementation options
 Part of underlying protocol suite
 Transparent to applications
 Embedded in specific packages
 E.g. Netscape and Microsoft Explorer and most
Web servers
 Minor differences between SSLv3 and TLS
 SSL is now depreciated

77
Transport Layer Security: Secure Sockets
Layer (SSL/TLS)
 Transport Layer attacks
SSL Vs TLS
 SSL
 Developed by Netscape in 1995
 Publicly shared and has been must-have feature after its 2nd
release: though, deprecated in 2015
TLS
 Is a new standard
 Better than SSL and have comparatively low vulnerabilities
 Is cryptographic protocol designed to provide communications
over a computer network
 Commonly used in Email, Instant Messaging, VoIP, HTTPS

78