___________________________

Information Assurance and

Security (ITec4133)
_________________________________
Chapter 2

Overview of Commercial Issues

_______________________________________
1
 BRIEF OVERVIEW OF COMMERCIAL ISSUES

❑ Businesses face a much more complex set of security challenges

than ever before.

❑ Where the physical security of buildings once stood as the top

concern, now businesses of all sizes must manage a host of data
security risks, ranging from

 viruses on the Internet to

 the carelessness of password habits of employees, without

sacrificing customer service.

2
 CRYPTOGRAPHY

❑ Cryptography is the study of Secret (Crypto-) writing (Graphy)

❑ Cryptography -- from the Greek for “secret writing” -- is the
mathematical “scrambling” of data so that only someone with the
necessary key can “unscramble” it.
❑ Cryptography is the art of achieving security by encoding messages
to make them non-readable.
❑ Cryptography or Cryptology is the practice and study of
techniques for secure communication the presence of third parties
called adversaries.
 More generally cryptography is about constructing and
analysing protocols that prevent third parties or the public
from reading private messages

3
 BASICS OF CRYPTOGRAPHY
• Cryptography is the science of using mathematics to encrypt and
decrypt data.
• Cryptography enables you to store sensitive information or
transmit it across insecure networks (like the Internet) so that it
cannot be read by anyone except the intended recipient.
• While cryptography is the science of securing data, cryptanalysis is
the science of analyzing and breaking secure communication.
• Classical cryptanalysis involves an interesting combination of
analytical reasoning, application of mathematical tools, pattern
finding, patience, determination, and luck.
• Cryptanalysts are also called attackers.

4
 BASIC TERMINOLOGY
▪ Plain text - the original message
▪ Cipher text - the coded/scrambled message
▪ Cipher - algorithm for transforming plaintext to ciphertext
▪ Key - info used in cipher known only to sender/receiver
▪ Encipher (encrypt) - converting plaintext to ciphertext
▪ Decipher (decrypt) - recovering ciphertext from plaintext
▪ Cryptanalysis - Cryptanalysis is the study of analyzing
information systems in order to study the hidden aspects of the
systems.
▪ Cryptanalysis is used to breach cryptographic security systems
and gain access to the contents of encrypted messages, even if the
cryptographic key is unknown.
▪ Cryptology is a branch of mathematics which deals with both
cryptography and cryptanalysis. 5
 CONT’D…
• Cryptography has five ingredients:

• Plaintext

• Encryption algorithm

• Secret Key

• Cipher text

• Decryption algorithm

• Security depends on the secrecy of the key, not the secrecy

of the algorithm.
6
 PURPOSE OF CRYPTOGRAPY

• Confidentiality
• Authentication
• Integrity
• Access Control
• Availability
• Defending against external/internal hackers
• Securing E-commerce
• Securing bank accounts/electronic transfers
• Securing intellectual property

7
 CRYPTOSYSTEM
▪ Cryptosystems are used for sending messages in a secure manner over
the internet, such as credit card information and other private data.
▪ A Cryptosystem is a five-tuple (P,C,K,E,D), where the following are satisfied:
▪ P is a finite set of possible plaintexts.
▪ C is a finite set of possible ciphertexts.
▪ K the key space, is a finite set of possible keys
▪ E (encryption rule)
▪ D (decryption rule).

Each EK: P → C and DK: C → P

Plaintext Encryption Ciphertext Decryption
Algorithm E Algorithm D
P C P e

• Algorithms with a parameter – key K

8
 TYPES OF CRYPTOGRAPHY

• Symmetric Key Cryptography (Secret Key /Private Key Cryptography)

• Same Key is used by both parties
Advantages
1. Simpler and Faster

Disadvantages
1. Less Secured

9
 SYMMETRIC CRYPTOSYSTEM

Plaintext Encryption Ciphertext Decryption Plaintext

P Algorithm E C Algorithm D P

Secret channel
K K

• C=E(P,K)

• P=D(C,K)

10
SYMMETRIC CRYPTOGRAPHY

11
 PRIVATE-KEY CRYPTOGRAPHY

• Traditional private/secret/single key cryptography uses one

key

• Key is shared by both sender and receiver

• if the key is disclosed communications are compromised

• also known as symmetric, both parties are equal

12
• Asymmetric Key Cryptography (Public Key Cryptography)
• 2 different keys are used
• Users get the Key from an Certificate Authority

Advantages
1. More Secured
2. Authentication

Disadvantages
1. Relatively Complex

13
 ASYMMETRIC CRYPTOSYSTEM
Asymmetric key cryptography uses two separate keys: one private and one
public.
Locking and unlocking in asymmetric-key cryptosystem

14
ASYMMETRIC CRYPTOSYSTEM (CONT..,)
General idea of asymmetric-key cryptosystem

General formulae of asymmetric-key cryptosystem

C = f (Kpublic , P) P = g(Kprivate , C)

15
ASYMMETRIC CRYPTOGRAPHY

16
 PUBLIC-KEY CRYPTOGRAPHY

• Probably most significant advance in the 3000 year history of cryptography

• Uses two keys – a public key and a private key
• Asymmetric since parties are not equal
• Uses clever application of number theory concepts to function

Can classify uses into 3 categories:

▪ Encryption decryption (provide secrecy)

▪ Digital signatures (provide authentication)

▪ Key exchange (of session keys)

• Some algorithms are suitable for all uses, others are specific to one.

17
 SYMMETRIC (vs) ASYMMETRIC

▪ Symmetric algorithm 100 to 1000 times faster than asymmetric

one.

▪ Symmetric key 10 times shorter than asymmetric key.

▪ In Asymmetric algorithm Public Key must be authenticated by CA.

▪ Asymmetric Key Generator robustness.

▪ Asymmetric algorithm is mainly used for exchange and storage of

the secret (symmetric) keys.

18
 COMPARISON

SYMMETRIC KEY CRYPTOGRAPHY ASYMMETRIC KEY CRYPTOGRAPHY

1) The same algorithm with the same key is 1) One algorithm is used for encryption and
used for encryption and decryption. decryption with a pair of keys, one for
encryption and one for decryption.

2) The key must be kept secret. 2) One of the two keys must be kept secret.

3) It may be impossible or at least impractical 3) It may be impossible or at least impractical

to decipher a message if no other information to decipher a message if no other information
is available. is available.

19
 APPLICATIONS OF CRYPTOGRAPHY
• Defense services
• Secure data manipulation
• E –commerce
• Business transactions
• Internet payment systems
• User identification systems
• Access control
• Data security

20
 Classical Encryption Techniques
➢ They are traditional symmetric cryptosystems
➢ They are simple cryptosystems
i. Substitution techniques: map plaintext
elements (characters, bits) into ciphertext
elements.
ii. Transposition techniques: systematically
transpose the positions of plaintext elements
(rearrange their orders).
21
 Substitution ciphers
• A substitution cipher is one in which the letters of plaintext are replaced by
other letters or by numbers or symbols.
• Substitution ciphers can be categorized as either
a. Monoalphabetic ciphers
b. Polyalphabetic ciphers

I. Monoalphabetic ciphers
• In this case, a character ( or symbol) in the plaintext is always changed to the
same character (or symbol) in the ciphertext regardless of its position or text.
• For example, if the algorithm says that letter A in the plaintext is
changed to letter D, every letter A is changed to letter D.
• The relationship in between plaintext and ciphertext is one-to-one.
• Example: The following example shows a plaintext and the corresponding
ciphertext.
• We use the lowercase characters to show the plaintext and uppercase
characters to show the ciphertexts. The cipher is monoalphbetic because both
the l’s are encrypted as O’s:
22
Plaintext: hello Ciphertext: KHOOR
• The group of mono alphabetic ciphers includes:
i. Additive ciphers or Caesar ciphers
ii. Multiplicative ciphers
iii. Affine ciphers
i. Additive ciphers:
• This is the simplest mono alphabetic cipher.
• We assume that the plaintext contains the lowercase characters (a to z)
and the ciphertext contain the upper text characters (A to Z) as follows:

values → 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

• In the Figure, each character is assigned an integer in Z26 .

• The secret key is also an integer in Z26
• The encryption algorithm adds the key to the plaintext characters and the
decryption algorithm subtracts the key from the ciphertext characters.

23
• Then the algorithm can be expressed as follows:
• For each plaintext letter P, substitute the ciphertext letter C:
• The encryption algorithm is
C = E(k, P) = (P + k) mod 26 ; where k takes a value in the range 1 to 25.
• The decryption algorithm is simply
P = D(k, C) = (C - k) mod 26 ; where k takes a value in the range 1 to 25

Example: Use the additive cipher with key =15 to encrypt the message “hello”.
Soln. : We apply the encryption algorithm to the plaintext character by character
Plaintext : h → 07 Encryption: (07+15)mod 26 Ciphertext: 22→ W
Plaintext : e → 04 Encryption: (04+15)mod 26 Ciphertext: 19 → T
Plaintext : l → 11 Encryption: (11+15)mod 26 Ciphertext: 00 → A
Plaintext : l → 11 Encryption: (11+15)mod 26 Ciphertext: 00 → A
Plaintext : o → 14 Encryption: (14+15)mod 26 Ciphertext: 03 → D
So, the result is “WTAAD”
Note: By using the reverse decrypt algorithm, we can now decrypt the ciphertext
“WTAAD”.
• Perform decryption 24
• Additive cipher is also called as shift cipher. The reason
is that the encryption algorithm can be interpreted as
“shift key character down” and the decryption algorithm
can be interpreted as “shift key character up”.
• Three important characteristics of this problem enabled
us to use a brute-force cryptanalysis:
1. The encryption and decryption algorithms are known.
2. There are only 25 keys to try.
3. The language of the plaintext is known and easily
recognizable.

25
➢ Julius Caesar used an additive cipher to
communicate with his officers. For this reason,
this cipher is also sometimes called as caesar
cipher.
➢ Caesar Cipher: The earliest known example of a
substitution cipher in which each character of a
message is replaced by a character three position
down in the alphabet. For example:
➢ Plaintext: are you ready
➢ Ciphertext: duh brx uhdgb

26
ii. Multiplicative cipher:
• In this cipher, the encryption algorithm specifies the multiplication of the plaintext by
the key and the decryption algorithm specifies the division of the ciphertext by the key.
• Since operations are in Z26, decryption here means multiplying by the multiplicative
inverse of the key.
➢ The general multiplicative encryption algorithm is
C = E(k, P) = (P * k) mod 26 ; where k takes on a value in the range 1 to 25.
➢ The general multiplicative decryption algorithm is
P = D(k, C) = (C*k-1) mod 26 ; where k takes on a value in the range 1 to 25.
Example: Use the multiplicative cipher with key =7 to encrypt the message “hello”.;

Soln. : We apply the encryption algorithm to the plaintext character by character

Plaintext : h → 07 Encryption: (07*07)mod 26 Ciphertext: 23→ X
Plaintext : e → 04 Encryption: (04*07)mod 26 Ciphertext: 02 →C
Plaintext : l → 11 Encryption: (11*07)mod 26 Ciphertext: 25 → Z
Plaintext : l → 11 Encryption: (11*07)mod 26 Ciphertext: 25→ Z
Plaintext : o → 14 Encryption: (14*07)mod 26 Ciphertext: 20 → U
So, the result is “XCZZU”
Note: By using the reverse decrypt algorithm, we can now decrypt the ciphertext
27
“XCZZU”. (Use K-1 = 15)
iii. Affine cipher:
• Affine cipher is a combination of additive and multiplicative ciphers with a pair of keys.
• The first key is used with multiplicative cipher and the second key is used with the
additive cipher.
• Affine cipher is actually two ciphers applied one after the other.
• In the affine cipher, the relations between the plaintext and ciphertext are
C = E(k1, k2 ; P) = (P * k1 + k2 )mod 26 and P = D(C; k1, k2) = ((C - k2 )*k1-1 )mod 26

Example: Use the affine cipher with key pair (7, 2) to encrypt the message “hello”.
Soln. : We use 7 for the multiplicative key and 2 for the additive key.
We apply the encryption algorithm to the plaintext character by character
Plaintext : h → 07 Encryption: (07*07+2)mod 26 Ciphertext: 25 → Z
Plaintext : e → 04 Encryption: (04*07+2)mod 26 Ciphertext: 04 → E
Plaintext : l → 11 Encryption: (11*07+2)mod 26 Ciphertext: 01 → B
Plaintext : l → 11 Encryption: (11*07+2)mod 26 Ciphertext: 01 → B
Plaintext : o → 14 Encryption: (14*07+2)mod 26 Ciphertext: 22 → W
So, the result is “ZEBBW”.
Note: By using the reverse decrypt algorithm, we can now decrypt the ciphertext
“ZEBBW”.
28
• Because additive, multiplicative and affine ciphers have
small key domain, they are vulnerable to brute-force
attack.
• A brute-force attack involves trying every possible key
until an intelligible translation of the ciphertext into
plaintext is obtained. On average, half of all possible
keys must be tried to achieve success.
• After the sender and the receiver agreed Ki a single key,
that key is used to encrypt each letter in the plaintext or
decrypt each letter in the ciphertext.
• A better solution is to create a mapping in between each
letter of the plaintext and each letter of the ciphertext.
29
 II. Polyalphabetic cipher
• In this kind of cipher, each occurrence of character may have a
different substitute.
• The relationship between the characters in the plaintext and the
characters in ciphertext is one-to-many.
• For example, ‘a’ could be enciphered as ‘D’ in the beginning, but
as ‘N’ in the middle.
• Polyalphabetic ciphers have the advantage of hiding the letter
frequency of the underlying language.
• To create a polyalphabetic cipher, we need to make each
ciphertext character dependent on both the plaintext character
and the position of the plaintext character.
• We need to have a key stream k= (k1, k2, k3,…) in which ki is used
to encipher the ith character in the plaintext to create the ith
character in the ciphertext.
30
• The group of polyalphabetic ciphers includes:
a) Autokey cipher
b) Playfair cipher
c) Vegenere cipher
d) Hill cipher
e) One-time pad

31
 1. Autokey cipher
• In this cipher, the key is a stream of sub keys, in which each sub key is
used to encrypt the corresponding character in the plaintext.
• The first sub key is a predetermined value agreed upon by the sender and
the receiver.
• The second sub key is the value of first plaintext character (between 0
and 25).
• The third subkey is the value of second plaintext character and so on.
• The name of the cipher autokey implies that the sub keys are
automatically generated from the plaintext cipher characters during the
encryption process.
P=P1P2P3… C=C1C2 C3… k=k1P1P2…
Encryption: Ci= (Pi+ki) mod 26
Decryption: Pi = (Ci – ki) mod 26
32
Example: Encrypt the plaintext “attack is today” using the
initial key value k1 = 12.
Sol.: Here enciphering is done character by character.
• Each character in the plaintext is first replaced by its integer
value as shown in the figure. The first subkey is added to create
the first ciphertext character.
The rest of the key is created as the plaintext characters are read.

• We note that the cipher is polyalphabetic because the three

occurrences of “a” in the plaintext are encrypted differently. The
three occurrences of the “t” are enciphered differently.
• Decryption
33
 2.Play-fair cipher
• The Play-fair cipher also called Play-fair square.

• Is a Cryptographic technique used for manual encryption of data.

• Not even the large number of keys in a mono-alphabetic cipher

provides security

• One approach to improving security was to encrypt multiple letters

the Play-fair Cipher is an example

• Invented by Charles Wheatstone in 1854, but named after his friend

Baron Play-fair

34
 Play-fair key matrix
• a 5X5 matrix of letters based on a keyword

• (I and J aren’t distinguished)

• fill in letters of keyword (sans duplicates)

• fill rest of matrix with other letters

• Steps

1. Enter the keyword in the matrix row-wise, left-to-right, and then top-
to-bottom

2. Drop duplicate letters.

3. Fill the remaining spaces in the matrix with the rest of the English
alphabets (A-Z)
35
 Play-fair key matrix
• The plaintext is first conditioned by replacing J with I wherever it
occurs, then dividing it into letter pairs, preventing double letters
occurring in a pair by separating them with an x, and finally adding a
z if necessary to complete the last letter pair.
• The example Playfair wrote on his napkin was “Lord Granville’s
letter,” which becomes “lo rd gr an vi lx le sl et te rz”.
• It is then enciphered two letters at a time using the following rules:
• If two letters are in the same row or column, they are replaced
by the succeeding letters.
• Otherwise, the two letters stand at two of the corners of a
rectangle in the table, and we replace them with the letters at
the other two corners of this rectangle.
36
 Play-fair key matrix
• Example: encrypt and decrypt balloon using the keyword
MONARCHY by using Playfair cipher technique.
M O N A R
C H Y B D
E F G I K
L P Q S T
U V W X Z
• Cipher text: IBSUPMNA
• Perform decryption?
37
 3. Vegenere cipher
• This cipher was designed by Blaise de Vegenere, a
sixteenth century French mathematician.
• A Vegenere cipher uses a different strategy to create the
key stream.
• The key stream is a repetition of an initial secret key
stream of length m, where we have 1≤m≤26.
• The cipher can be described as follows where (k1,k2,…, km)
is the initial secret key agreed by the sender and the
receiver.
❖ P=P1P2… C= C1C2… K=[(k1, k2,…,km), (k1, k2,…,km), ….]
Encryption: Ci =( Pi+ ki )mod 26
Decryption: Pi =( Ci - ki )mod 26
38
• The difference between the Vegenere cipher and the other two
polyalphabetic ciphers is that the Vegenere key stream does not
depend on the plaintext characters; it depends only on the
position of the character in the plaintext.
• In other words, the key stream can be created without knowing
what the plaintext is.
Example: Encrypt &decrypt the message “she is listening” using
the 6-character keyword “PASCAL”.
Sol.: The initial key stream is (15, 0, 18, 2, 0, 11). The key stream is
the repetition of this initial key stream.

39
 4. Hill cipher
• The Hill Cipher works on multiple letters at the same time.

• For this reason, the hill cipher belongs to a category of ciphers

called Block ciphers.

• Hence, it is a type of polygraph substitution cipher.

• Its invented by Lester Hill in 1929.

• The Hill cipher has its roots in the matrix theory of mathematics.

• More specifically , we need to know how to compute the inverse of

a matrix.
• Encryption : C=E(p,k)=p*k mod 26
• Decryption : P=D(c,k)= c*k -1 mod 26 40
 Hill cipher (cont..,)
Example:
1. Treat every letter in the Plain text message as a number, so that
A= 0, B = 1, C = 2, D = 3 ……… Z = 25
2. The Plain text message is organized as a matrix of numbers,
based on the above conversation.
• For example, if our plain text is CAT. Based on the above step,
we know that C = 2 A = 0 and T = 19. Therefore our plain text
matrix would look as follows:
2
0
19

41
 Hill cipher (cont..,)

3. Now our plain text matrix is multiplied by a matrix of

randomly chosen keys. The key matrix consists of size n
*n, where n is the number of rows in our plain text
matrix.
For example, we take the following key matrix:
6 24 1
13 16 10
20 17 15

42
 Hill cipher (cont..,)
4. Now multiply the two matrices as shown below:

2 6 24 1
0 * 13 16 10
19 20 17 15

The result is :
2*6+0*24+19*1 31
2*13+0*16+19*10 216
2*20+0*17+19*15 325

43
5. Now compute a mod 26 value of the above matrix. That
is take the remainders after dividing the above matrix
values by 26. That is
31 5
216 mod 26 8
325 13
6. Now translating the numbers to alphabets, 5 = F, 8 = I
and 13 = N. Therefore our cipher text is FIN
• Go back to your Applied Mathematics course and
read about for computing Inverse of a matrix and
perform Decryption.

44
 4.One-time pad (or) vernam cipher
• The vernam cipher, whose specific subset is called one-time pad, is
implemented using a random set of non-repeating characters as the
inputs cipher text.
• The most significant point here is that once an input cipher text for
transposition is used, it is never used again for any other message
(hence the name one-time)
• The length of the input cipher text is equal to the length of the
original plain text.
• Since for any plaintext & any ciphertext there exists a key
mapping one to other

45
 One-time pad (cont..,)
The algorithm used in the vernam cipher is describe in below:

1. Treat each plain text alphabet as a number in an increasing

sequence like ( A=0, B=1, C=2 …… Z=25)

2. Do the same for each character of the input cipher text.

3. Add each number corresponding to the plain text alphabet to the

corresponding input cipher text alphabet number.

4. If the sum thus produced is greater than 26, subtract 26 from it.

5. Translate each number of the sum back to the corresponding

alphabet. This gives the output cipher text.
46
 One-time pad (cont..,)
• Let us apply the vernam cipher algorithm to a plain text message HOW ARE
YOU using a one-time pad NCBTZQARX to produce a cipher text message.
1. Plain Text
H O W A R E Y O U
7 14 22 0 17 4 24 14 20
2. One-time pad
N C B T Z Q A R X
13 2 1 19 25 16 0 17 23
3. Initial Total
20 16 23 19 42 20 24 31 43
4. Subtract 26,
if >25
20 16 23 19 16 20 24 5 17
47
 One-time pad (cont..,)
5. Cipher text
U Q X T Q U Y F R

• Perform decryption?
The one-time pad has two difficulties:
1. There is a practical problem of making large quantities of random
keys.
2. Even more difficult is the problem of key distribution and
protection.

48
 Transposition Techniques
• Systematically transpose the positions of plaintext elements
(rearrange their orders).
• A transposition cipher does not substitute one symbol for another,
instead it changes the location of the symbols.
• A symbol in the first position of the plaintext may appear in the
tenth position of the ciphertext.
• A symbol in the eighth position in the plaintext may appear in the
first position of the ciphertext.
• In the other words, a transposition cipher reorders (transposes) the
symbols.
➢ This group of ciphers include:
1. Keyless transposition ciphers
2. Keyed transposition ciphers 49
1. Keyless Transposition ciphers
• The simple transposition ciphers are keyless.
• There are two methods for permutation of characters .
• In the first method, the text is written into a table column by
column and then transmitted row by row.
• In the second method, the text is written into the table row by
row and then transmitted column by column.
Example: Rail fence cipher
➢ In this cipher the plaintext is arranged in two lines as a zigzag
pattern ( which means column by column); the ciphertext is
created by reading the pattern row by row.
➢ For example, to send the message “ meet me at the park” to the
receiver, the sender writes

50
 ➢He then creates the ciphertext “ MEMATEAKETETHPR” by
sending the first row followed by the second row
➢The receiver receives the ciphertext and divides it in half ( in
this case the second half has one less character)
➢The first half forms the first row; the second half the second row.
➢The receiver reads the result in zigzag.
2. Keyed Transposition cipher:
❖ The keyless ciphers permutes the characters by using writing
plaintext in one way (row by row , for example) and reading it in
another way (column by column , for example).
❖ The permutation is done on the whole plaintext to create the
whole ciphertext.
❖ Another method is to divide the plain text into groups of
predetermined size, called blocks, and then use a key to permute
the characters in each block separately.
51
Example: The sender needs to send the message” enemy attacks tonight”
➢ In this case, both agreed to divide the text into groups of five
characters and then permute the characters in each group.
➢ The following show the grouping after adding a bogus character at the
end to make the last group the same size as the others.
enemy attac kston ightz
➢ The key used for encryption and decryption is a permutation key,
which shows how the character are permuted.
➢ For this message, assume that the sender and the receiver used the
following key

➢ The third character in the plaintext block becomes the first character
in the ciphertext block; the first character in the plaintext block
becomes the second character in the ciphertext block; and so on. The
permutation yields
EEMYNTAACTTKONSHITZG
➢ The receiver divides the ciphertext into 5-character groups and , using
the key in the reverse order, finds the plaintext.
52
 WHAT IS WEB SERVICES SECURITY?

• Web Services Security (WS Security) is a specification that

defines how security measures are implemented in web
services to protect them from external attacks.
• It is a set of protocols that ensure security for SOAP-based
messages by implementing the principles of confidentiality,
integrity and authentication.
• The aim of WS-Security is to ensure that communication
between two parties is not interrupted or interpreted by an
unauthorized third party.
• The receiver needs to be assured that the message was
indeed sent by the sender, and the sender should be assured
the receiver cannot deny receiving the message.

53
 LAYERS INVOLVED IN WEB SECURITY
• Many "layers" must work in concert to produce a functioning
web-based system.
• Each layer has its own security vulnerabilities, and its own
procedures and techniques for coping with these vulnerabilities.
• Hardware
• Physical access to computer hardware gives evens a slightly-skilled person
total control of that hardware.

• Without physical security to protect hardware (i.e. doors that lock) nothing
else about a computer system can be called secure

54
 CONT’D…
• Operating System
• As the software charged with controlling access to the hardware, the
file system, and the network, weaknesses in an operating system are
the most valued amongst crackers.
• Most OS authentication is handled through user names and
passwords.
• Biometric(e.g. voice, face, retina, iris, fingerprint) and physical token-
based (swipe cards, pin-generating cards) authentication are
sometimes used to augment simple passwords, but the costs and
accuracy of the technology limit their adoption.
• Once authenticated, the OS is responsible for enforcing
authorization rules for a user's account.
• The guiding thought here is the Principle of Least Privilege: disallow
every permission that isn't explicitly required.
55
 CONT’D…

• Service
• For our purposes, a "service" is any class of software that
typically runs unattended on a server-style computer and
performs some task in response to a network-originated
request.
• Web servers (e.g. Apache, IIS, including server-side scripting
platforms), FTP servers, email servers (e.g. Send mail, Qmail,
Exim), Telnet and SSH servers, file and print servers (e.g.
SMB/Samba), database servers (e.g. Oracle, SQL Server, MySQL,
DB/2, PostgreSQL) and so on are all example of these services.

56
 CONT’D…
• Data
• As an organization's most valuable IT asset, the nonchalant
treatment and security of data is often surprising.

• What is not surprising is that crackers know this and most of their
efforts are ultimately focused on displaying, corrupting, or stealing
an organization's data.

• Finally, backups should be encrypted in some way to prevent any of

the many people that come into contact with the media from
reading all of the organization's data.

• In practice, this encryption is rarely performed.

57
 CONT’D…
• Application
• The main vulnerability of web applications is Cross-Site
Scripting(XSS).

• Cross-Site Scripting (a.k.a. XSS, script embedding, or script injection)

is more an attack on the users of a web application, than on the web
system itself.

• It usually involves injecting some client-side browser scripting code

(i.e. JavaScript) into one of the application's forms that, once
displayed on the site, results in that code being run (on the end
user's browser).
58
 CONT’D…
• Network Protocol

• It is at the network protocol layer that most of the web system

security is addressed by product marketing departments
• The primary technology that protects the web application
protocol in question, HTTP, is the Secure Sockets Layer (SSL),
now renamed Transport Layer Security (TLS).
• TLS provides both authentication and encryption services to
communicating computers using digital certificates issued by
Certificate Authorities (CAs) also known as Trust Authorities

59
 CONT’D…
• Browser
• Unfortunately, given the design of the HTTP protocol (even
when secured through SSL/TLS), there is very little that can be
done to protect the web system at the browser layer.
• Hence, web applications may never trust any data originating
from a client browser.
• TLS-based client digital certificates can be used to more
positively identify clients to servers, but they are as yet rarely
used, partially because of expense, but also because they are
difficult to move from one client computer to another, thereby
diminishing one of the benefits of web systems: client location
transparency.

60
 WEB SERVICES SECURITY

• Web services security includes several aspects:

• Authentication

• Authorization (or Access Control)

• Confidentiality

• Privacy

• Integrity and non repudiation

61
 CONT’D…
• Authentication: verifying that the user is who claims to be.

• A user’s identity is verified based on the credentials presented by

that user, such as:

• Credentials issued by a trusted authority such as a passport (real world)

or a smart card (IT world).

• A shared secret such as a password. biometric information.

• Using a combination of several types of credentials is referred to as

”strong” authentication, for example using an ATM card (something one
has) with a PIN or password (something one knows).
62
 AUTHORIZATION (OR ACCESS CONTROL))

• Authorization(Access Control):granting access to specific

resources based on an authenticated user’s entitlements.

• Entitlements are defined by one or several attributes.

• Supported by industry standards both at the transport level

(Secure Socket Layer) and at the application level.

63
 TRANSPORT LEVEL SECURITY
• Designed to facilitate privacy and data security for communications
over the Internet.
• Secure Socket Layer (SSL), known as Transport Layer Security
(TLS), the Internet Engineering Task Force (IETF) officially
standardized version of SSL, is the most widely used transport-
level data-communication protocol providing:
• Authentication (the communication is established between two
trusted parties).
• Confidentiality (the data exchanged is encrypted).
• Message integrity (the data is checked for possible corruption).
Secure key exchange between client and server.
• Application-level security complements transport-level
security.
64
 PUBLIC-KEY INFRASTRUCTURE (PKI)

• A public key infrastructure (PKI) is a set of rules, policies, and

procedures needed to create, manage, distribute, use, store, and
revoke digital certificates and manage public-key encryption.

• The purpose of a PKI is to facilitate the secure electronic

transfer of information for a range of network activities such as
e-commerce, internet banking and confidential email.

65
 CONT’D…
• It is required for activities where simple passwords are inadequate
authentication method and more rigorous proof is required to confirm
the identity of the parties involved in the communication and to validate
the information being transferred

• The PKI role that assures valid and correct registration is called a
registration authority (RA).

• An RA is responsible for accepting requests for digital certificates and

authenticating the entity making the request.

• In a Microsoft PKI, a registration authority is usually called a subordinate

CA
66
 CONT’D…

• A public key infrastructure (PKI) is a system for the creation,

storage, and distribution of digital certificates which are used to
verify that a particular public key belongs to a certain entity.

• The PKI creates digital certificates which map public keys to

entities, securely stores these certificates in a central repository
and revokes them if needed.

67
 CONT’D…

• A PKI consists of:

• A digital certificates (CA): that stores, issues and signs the digital
certificates

• A registration authority: which verifies the identity of entities

requesting their digital certificates to be stored at the CA

• A central directory: a secure location in which to store and index keys

• A certificate management system: managing things like the access to

stored certificates or the delivery of the certificates to be issued.

• A certificate policy: stating the PKI's requirements concerning its

procedures. Its purpose is to allow outsiders to analyze the PKI's
68
trustworthiness
 USES OF PKI
• Encryption and/or sender authentication of e-mail messages
• Encryption and/or authentication of documents (e.g., the XML
Signature or XML Encryption standards if documents are encoded as
XML)
• Authentication of users to applications (e.g., smart card logon, client
authentication with SSL). There's experimental usage for digitally signed
HTTP.
• Bootstrapping secure communication protocols, such as Internet key
exchange(IKE) and SSL.
• Mobile signatures are electronic signatures that are created using a mobile
device and rely on signature or certification services in a location
independent telecommunication environment
• Internet of things requires secure communication between mutually
trusted devices. A public key infrastructure enables devices to obtain and
renew X509 certificates which are used to establish trust between devices
69
and encrypt communications using TLS.
 INTRUSION DETECTION SYSTEM
• Intrusions is any set of actions that threatens the integrity, availability, or
confidentiality of a network resource. eg. Denial of service (DOS)
• Intrusion detection is the process of monitoring the events occurring
in a computer system or network and analyzing them for:
• signs of possible incidents, which are violations or imminent threats
of violation of computer security policies, acceptable use policies, or
standard security practices.
• An IDS is software that automates the intrusion detection process.
• The Intrusion Detection System (IDS) provides the network with a level
of preventive security against any suspicious activity.

70
 INTRUSION PREVENTION SYSTEM(IPS)
• An IPS is software that has all the capabilities of an intrusion
detection system and can also attempt to stop possible incidents.
• They use several response techniques:
• The IPS stops the attack itself.
• Examples of how this could be done include the IPS terminating
the network connection being used for the attack and the IPS
blocking access to the target from the offending user account, IP
address, or other attacker attribute.
• Changes the security environment.
• The IPS could change the configuration of other security
controls to disrupt an attack.
• Common examples are the IPS reconfiguring a network firewall
to block access from the attacker.

71
 CONT’D…
• An Intrusion Prevention System (IPS) is a device that controls
access to IT networks in order to protect systems from attack
and abuse.
• It is designed to inspect attack data and take the corresponding
action, blocking it as it is developing and before it succeeds,
creating a series of rules in the corporate firewall
• Main functions of Intrusion Prevention System (IPS) are:
• Identify intrusion
• Log information about intrusion
• Attempt to block/stop intrusion and
• Report intrusion

72
 TYPES OF IDS

• Host Based IDS

• Network Based IDS

• Stack Based IDS

• Signature Based IDS

• Anomaly Based IDS

73
 HOST BASED IDS
• Host Based DS: Host Intrusion Detection Systems (HIDS)
are installed on the individual devices in the network.
• HIDS analyzes the incoming and outgoing packets from a
particular device.
• It is better than Network IDS as a comparison to detecting
malicious activities for a particular device.

74
 NETWORK BASED IDS
• Network Intrusion Detection Systems (NIDS) are monitoring
traffic at strategic points on the network.

• IDS uses as a dedicated platform for use to analyze all the

passing network traffic.

• NIDS work with the network and analyses the Ethernet packet
to be decide to apply rules.

75
 STACK BASED IDS

• Stack IDS is a technology, which are integrated with the TCP/IP

stack.

• Stack Intrusion Detection System allows the IDS to be

watching the packets, than IDS pull the packet from the stack
before the Operating system.

76
 SIGNATURE-BASED DETECTION
• A signature is a pattern that corresponds to a known attack or
type of attack.
• Signature-based detection is the process of comparing signatures
against observed events to identify possible attacks. Examples of
signatures are:
• A telnet attempt with a username of “root”, which is a
violation of an organization’s security policy

77
 ANOMALY-BASED DETECTION
• Anomaly-based detection is the process of comparing
definitions of what activity is considered normal against
observed events to identify significant deviations.
• Anomaly detection technique is a centralized process that
works on the concept of a baseline for network behavior.
• This baseline is a description of accepted network behavior,
which is learned or specified by the network administrators, or
both.
• It’s like a guard dog personally interviewing everyone at the
gate before they are let down the drive.

78
 HYBRID DETECTION

• A hybrid IDS uses both signature-based and anomaly-based

detection.
• This enables it to detect more potential attacks with a lower
error rate than using either system in isolation.

79
.

80