CSE 102

Introduc0on to Computer Science

Lecture 9

Dept. of Information Systems

Hanyang University
 Objectives
After studying this chapter, students will be able to:
• Describe the steps to take to increase the security of
information on your computer and online
• Explain how passwords are encrypted using a hash
function on many systems
• Describe cyber-attacks, including viruses, worms,
Trojan horses, DOS attacks, and phishing, and explain
how they differ from each other
• Encrypt and decrypt messages using simple Caesar
ciphers and matrix-based block ciphers

Invitation to Computer Science, 6th Edition 2

 Objectives (continued)
After studying this chapter, students will be able to:
• Describe the overall process used by symmetric
encryption algorithms such as DES
• Compare symmetric versus asymmetric (public key)
encryption
• Describe the overall process used by RSA encryption
• Explain why web transmission protocols such as SSL
and TLS use multiple forms of encryption to secure data
transfer over the web
• Explain the importance of considering computer
security for networked embedded systems
Invitation to Computer Science, 6th Edition 3
 Introduction

• Information security:
– Keep information safe
– Control access to authorized people only
• Physical security: lock doors, maintain control of
devices
• Online security:
– Secure assembly language
– Secure operating system
– Secure network

Invitation to Computer Science, 6th Edition 4

 Threats and Defenses

• Authentication: establishing identity

• Require usernames and passwords
• Secure password file with hash function, one-way
encryption
• Example: password = 1comp2
1. Replace letters by numbers: 1 3 15 13 16 2
2. Add digits: 1+3+15+13+16+2=50
3. Remainder of sum/7: 50 mod 7 = 1
4. Add 1 and multiply by 9: (1+1)*9 = 18
5. Reverse digits and convert to letters: 81 = ha
Invitation to Computer Science, 6th Edition 5
 Threats and Defenses (continued)

• Password file security: no plain text password stored

• On log in:
– Read username and password
– Look up entry for username in password file
– Hash input password and compare
• More secure:
– Keep password creation time
– Add creation time to password before hashing
– Identical passwords won’t hash to identical values

Invitation to Computer Science, 6th Edition 6

 Threats and Defenses (continued)

Password attacks
• Guess password, brute force or from knowledge
– Try common passwords (e.g,123456)
– Try personal references (e.g., pet name)
– Try all possible passwords (computationally difficult)
• Steal password file and use password-cracking
software
– Tries words and word combinations, millions of
password possibilities per second
• Social engineering: get person to tell password
Invitation to Computer Science, 6th Edition 7
 Passwords
Passwords
• Probably oldest authentication mechanism used in
computer systems
• User enters user ID and password, maybe multiple
attempts in case of error
• Usability problems
• Forgotten passwords might not be recoverable (though
this has been changing recently, see later)
• Entering passwords is inconvenient
• If password is disclosed to unauthorized individual, the
individual can immediately access protected resource
• Unless we use multi-factor authentication
• If password is shared among many people, password
updates become difficult
3-32
 Password guessing a:acks (1)
Password guessing attacks
• Brute-force: Try all possible passwords using
exhaustive search
• Can test 350,000 Microsoft Word passwords per
second on a 3-GHz Pentium 4
• For passwords of length 8 consisting only of
letters, there are about 2 · 1011 possibilities
• Takes 600,000 seconds or 166 hours to test them
• Expected wait till success is 83 hours
• Easy to buy more hardware if payo↵ is worth it
• Parallelizing search and running it on Graphics
Processing Unit can achieve a speedup of 25
• Can make attack harder by including digits and
special characters in password
• However,. . . 3-33
 Threats and Defenses (continued)

Other authentication methods

• Answer personal information question
• Biometric information (fingerprint or retinal scans)
• One-time password scheme:
– User enters ID and a partial password
– System or user device generates last half of
password
– Last half password good for only a few seconds

Invitation to Computer Science, 6th Edition 10

 Threats and Defenses (continued)

• Authorization: Set of permitted actions for each

authorized person
• Operating system maintains access control lists
– Read access (read a file)
– Write access (modify a file)
– Execute access (run a program)
– Delete access (remove a file
• System administrator or superuser has universal
access and sets up authorization

Invitation to Computer Science, 6th Edition 11

 Threats and Defenses (continued)

• Malware: malicious software arriving from the

network
– Virus: program embedded within another program or
file, replicates itself and attacks other files
– Worm: program that can send copies of itself to
other nodes on the network
– Trojan horse: program that seems beneficial, but
hides malicious code within it
• keystroke logger: records all keys typed
• drive-by exploit/drive-by download: Trojan horse
downloaded by simply visiting a bad web site

Invitation to Computer Science, 6th Edition 12

 Trojan horses
Trojan horses
 Threats and Defenses (continued)

• Denial-of-service (DOS) attack:

– Many computers try to access same URL at the
same time
– Clogs the network, prevents legitimate access,
causes server to crash
– Distributed DOS uses thousands of computers
• Uses a zombie army (botnet), many innocent
computers infected with malware
• Phishing: Obtain sensitive information by
impersonating legitimate sources
– Many e-mails, just a few “bites” are enough
Invitation to Computer Science, 6th Edition 14
 Encryption

• Cryptography: Science of secret writing

• Encryption and decryption (inverse operations)
– Convert from plaintext to ciphertext and back again
• Symmetric encryption algorithm
– Uses a secret key shared by sender and receiver
– Same key used to encrypt and decrypt
• Asymmetric encryption algorithm (public key)
– Uses two keys, public and private
– Use public key (generally known) to encrypt
– Use private key (known only to receiver) to decrypt
Invitation to Computer Science, 6th Edition 15
 Encryption (continued)

• Caesar cipher (shift cipher)

– Map characters to others a fixed distance away in
alphabet
– Example: A->E, B->F, C->G…U->Y, V->Z, W->A
– Stream cipher: encode each character as it comes
• Substitution cipher: similar, but have other
mappings
• Pros: easy and fast, can do character by character
• Cons: letter frequency, double letters, still pertain,
makes it easy to break

Invitation to Computer Science, 6th Edition 16

 Encryption (continued)

Block cipher
• Block of plaintext encoded into block of ciphertext
• Each character contributes to multiple characters
• Matrix-based block cipher:
– Group characters into blocks n characters long
– Find invertible n by n matrix, M, and its inverse, M’
as keys
– Map characters to letters A->1, B->2, etc.
– Wrap values 26 and above back to zero: 26->0, 27-
>1, etc.

Invitation to Computer Science, 6th Edition 17

Invitation to Computer Science, 6th Edition 18
 Encryption (continued)

Example: Use 2 by 2 matrices:

M= 3 5 M’ = 23 5
2 3 2 23

Encrypt block GO
• Convert to vector V = [7 15]
• Matrix multiplication:
V x M = [7*3 + 15*2 7*5 + 15*3]
= [51 80] = [25 2]
• Convert to string: YB

Invitation to Computer Science, 6th Edition 19

 Encryption (continued)

Example: Use 2 by 2 matrices:

M= 3 5 M’ = 23 5
2 3 2 23

Decrypt block YB
• Convert to vector V2 = [25 2]
• Matrix multiplication:
V2 x M’ = [25*23 + 2*2 5*25 + 23*2]
= [579 171] = [7 15]
• Convert to string: GO

Invitation to Computer Science, 6th Edition 20

 Encryption (continued)

DES (Data Encryption Standard)

• Symmetric encryption algorithm
• Designed for digital data: plaintext is binary string
• Uses 64-bit binary key (56 bits actually used)
• Sixteen rounds of same series of manipulations
• Decryption uses same algorithm, keys in reverse
• Fast and effective, but requires shared key, 56 bits
is too small for modern technology
• AES (Advanced Encryption Standard) similar
approach, longer keys
Invitation to Computer Science, 6th Edition 21
 Encryption (continued)

RSA key creation:

• Pick 2 large prime numbers: p and q
• Compute n = p×q, and m = (p-1)×(q-1)
• Choose large number e at random, so that e and m
are relatively prime (no common factors except 1)
• Find unique value d, between 0 and m, such that
(e×d) modulo m = 1
• Public key = (n, e), Private key = d

Invitation to Computer Science, 6th Edition 22

 Encryption (continued)

RSA key creation, example:

• p = 7, q = 13
• n = 7×13 = 91, and m = 6×12 = 72
• Let e = 77 (72 = 2 * 2 * 2 * 3 * 3, 77 = 7 * 11)
• d = 29
• Public key = (91, 25), Private key = 29

Invitation to Computer Science, 6th Edition 23

 Encryption (continued)

RSA encryption:
Given public key (n, e)
• Convert message to integer P
• Calculate C = Pe modulo n

RSA decryption:
Given private key d
• Calculate Cd modulo n

Invitation to Computer Science, 6th Edition 24

 Encryption (continued)

RSA encryption, example:

Given public key (91, 25)
• Convert message to integer P = 37
• Calculate C = 3725 modulo 91 = 46

RSA decryption:
Given private key 29
• Calculate 4629 modulo 91 = 37

Invitation to Computer Science, 6th Edition 25

 Web Transmission Security

• E-commerce requires secure transmission of

names, passwords, credit card numbers
• Web protocols: SSL (Secure Sockets Layer) and
TLS (Transport Layer Security)
– Client-server applications
– Server provides certificate of authentication and
server’s public key
– Client sends its DES key, encrypted using RSA
– Data is sent encrypted by the (now shared) DES key

Invitation to Computer Science, 6th Edition 26

Invitation to Computer Science, 6th Edition 27
 Think Small, Think Big

• Embedded computers: special-purpose, limited

computers in other systems
• Examples: automobiles, smart appliances, remote
controls, patient monitoring systems
• New trend: connect embedded computers to
network
– Transmit data, receive updates
• Targeting embedded systems could cause chaos
– Change thermostats, disrupt patient care, disable
aircraft or automobiles

Invitation to Computer Science, 6th Edition 28

 Summary

• Internet and Web are meant to promote information

exchange, so information security is hard
• Online attacks include viruses, worms, Trojan
horses, DOS attacks, and phishing, among others
• Data security involves encrypting sensitive data
before transmitting or storing in unsecured location
• Symmetric encryption requires a shared key
• Asymmetric encryption uses public and private
keys

Invitation to Computer Science, 6th Edition 29

 Summary (continued)

• Caesar cipher is a simple symmetric encryption,

substitution ciphers are similar
• Block ciphers combine blocks of plaintext symbols
into blocks of ciphertext
• DES and AES are strong symmetric encryption
algorithms
• RSA is the most common asymmetric algorithm
• Secure web transmission requires protocols: SSL/
TLS
• Embedded systems are the next problem to solve
Invitation to Computer Science, 6th Edition 30