Data Security - PowerPoint PPT Presentation

Loading...

PPT – Data Security PowerPoint presentation | free to download - id: 541155-ODFkO



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Data Security

Description:

Data Security Data Security Understanding Data Communications and Networks William A. Shay (3E) Data Security 7. Both sides confirm this arrangements and start ... – PowerPoint PPT presentation

Number of Views:401
Avg rating:3.0/5.0
Slides: 55
Provided by: HaS124
Learn more at: http://etidweb.tamu.edu
Category:
Tags: data | security

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Data Security


1
Data Security
Data Security
  • Understanding Data Communications and Networks
    William A. Shay (3E)

2
Data Security
  • To ensure that the data is received meaningfully
  • only by the intended recipient
  • Approach Alter (encrypt) the message (un-
  • intelligible even if intercepted)
  • Algorithms
  • Public key encryption
  • Secure Transfer over internet

3
Data Security
  • Definitions
  • Changing the encrypted data into its original
    form
  • decryption
  • Plaintext P- original form
  • Cipher-text C - encrypted data
  • Encryption algorithm and key Ek, changes P to C
  • C Ek(P),
  • Decryption algorithm and key Dk, changes C to P
  • P Dk(C), in many cases k k


4
Data Security
  • Mono-alphabetic cipher
  • Replaces each plaintext character with another
  • Add 1 to ASCII code of each character
  • A turns into B, B to C,
  • Simple but Rarely used in serious applications
  • Relatively easy to decipher
  • Commonly used letters E, T, O, A, N gt if
    certain letters appear frequently in cipher-text,
    probably it is one of these (than Q or Z)


5
Data Security
  • Mono-alphabetic cipher
  • P Please add money to
  • C RSDR\SFF\,PMRU\YP\
  • gt \ 4 times
  • gt S Twice
  • gt R Thrice
  • gt P Twice
  • They may be substitutions of common
  • characters, even blank spaces


6
Data Security
  • Mono-alphabetic cipher
  • Try various combinations of common ones
  • EADE\AFF\,ONEU\YO(R by E, S by A, P by O)
  • Replace \ by blank spaces
  • EADE AFF ,ONEU YO
  • Clues Two letter word ends with O, Three letter
    word begins with A followed by repeated letter
  • EADE ADD ,ONEU TO
  • gt With educated guesses, message can be decrypted


7
Data Security
Mono-alphabetic cipher Drawbacks preserving
particular letter sequences, frequency with which
letters occur Poly-alphabetic Cipher Change the
frequencies and break-up common sequences A
plaintext character is not always replaced with
the same one cipher-text character. Replacement
f (P, its position in the message)


8
Data Security
  • Poly-alphabetic Cipher
  • For (int i 0 i lt length of P i)
  • Ci Pi K (i mod 3)
  • Assume, K 1.
  • 1 is added for positions 0, 3, 6,
  • 2 is added for positions 1, 4, 7,
  • 3 is added for positions 2, 5, 8,
  • THEMTHENTHEY -gt UJHNVKFPWIG\
  • gt Repetition has reduced, but still present



9
Data Security
  • Poly-alphabetic Cipher
  • THE appears as UJH, VKF, WIG
  • If there were more THE, the pattern would
  • repeat.
  • Also, there are other patterns
  • First letters of each THE cipher-text are
    consecutive UVW, (also the 2nd one as JKI, and
    the 3rd one as HFG)
  • gt Clues for decryption



10
Data Security
  • Transposition Cipher
  • Rearranges the P letters of a message (not
  • Replacing them)
  • One way store characters in a 2-dimensional
  • array with m-columns
  • gt First m-characters in 1st row, next
    m-characters in 2nd row, ..
  • Determine a permutation of numbers 1 to m
  • p1, p2, , pm



11
Data Security
  • Transposition Cipher
  • Transmit p1 column first, then p2, , then pm.
  • P Follow THE YELLOW BRICK ROAD
  • F O L L O
  • W T H E
  • Y E L L
  • O W B R
  • I C K R
  • O A D



12
Data Security
  • Transposition Cipher
  • Transmit columns 2, 4, 3, 1, 5 (permutation)
  • O YWCALHLB LTE KDFW OIOOELRR
  • If, receiver knows the permutation and the number
    of columns -gt reconstruct the message
  • Drawbacks letter frequencies are preserved, also
    by grouping the characters in different columns
    for sequences like THE, IS are helpful for
    guessed-decryption.



13
Data Security
  • Bit-Level ciphering
  • Previous methods are applicable to character
    sequences
  • Files may contain raw bits (execution files),
    This method handles them
  • - Encryption key is a randomly chosen bit-string
  • Message bit string is divided into substrings
  • Length is the same as that of the key


14
Data Security
  • Encrypted string message string XOR key
  • Decryption Encrypted string XOR key
  • E (algorithm) is same as D (algorithm)
  • pi is a plaintext bit, if encryption key contains
    0 in that position
  • pi XOR 0 XOR 0 pi
  • if encryption key contains 1 in that position
  • pi XOR 1 XOR 1 pi XOR (1 XOR 1) pi XOR 0
    pi


15
Data Security
  • Security depends partly on the length of the
    key
  • Short key gt many substrings gt more chance of
    repetition of the encrypted substring,
    susceptible
  • In extreme case, the key length message length
    gt each bit is encrypted uniquely
  • If the key-bits are random gt unbreakable code
    (but long key needs to be transferred)


16
Data Security
  • Data Encryption Standards (DES)
  • Approach is to keep the key short compared to
    the message and to use complex procedure to
    encrypt the message
  • Based on block-cipher
  • Divides the message into 64-bit blocks, uses a
    key to employ a complex transformation.
  • It uses transposition (rearrangement) and
    substitution (replacing one bit-group with another


17
Data Security
  • Steps
  • Transposition on the block data and the key
  • 16 successive encryptions with different keys
    derived from the original, output of one fed to
    the next input
  • Swap (32 bits)
  • Reverse transposition (of the 1st step)


18
Data Security
  • Encryption operations
  • data C64 L32 R32, K56 key
  • (R32 transpose, duplicate bits) results in R48
  • (K56 shift on each half, transpose) results in
    K56
  • R48 XOR K48 (first) X48
  • Divide into 8 (6-bit) groups
  • Substitute each by 4-bit value
  • Combine into a 32-bit string, transpose X32


19
Data Security
  • L32 XOR X32 X32
  • Form final 64 bits R32 X32
  • Idea was to develop a method with many
    convoluted steps
  • If the same 64-bit block occurs more than once,
    it generates the same cipher-text.
  • Cipher Block Chaining (CBC) disrupts that
    pattern.


20
Data Security
  • CBC
  • Initialization vector (IV)
  • Block 1 XOR IV -gt DES -gt Block 1C
  • Block 1C XOR Block 2 -gt DES -gt Block 2C
  • Block 2C XOR Block 3 -gt DES -gt Block 3C
  • Cipher-text f (plaintext, its position)
  • gt Same plain text in different positions means
    different cipher text also


21
Data Security
  • DES Effectiveness Brute force method of attack
    trying all possible keys -gt 256 possible keys,
    it was possible to break the code in hours using
    gigahertz processors.
  • Using 128-bit key gt 9.5 1015 years to try all
    possible keys _at_ 1015 keys per second

22
Data Security
  • Public Key Encryption (PKE)
  • Knowing the encryption key and the algorithm
    renders decryption easy
  • PKE makes decryption algorithm and key
    determination difficult even when encryption
    algorithm and key are known
  • - Many sources can send message using same Ek.
    Only the receiver knows the Dk.


23
Data Security
  • RSA algorithm
  • Uses modulo-arithmetic and factorization of very
    large numbers
  • Cipher-text is easy to calculate but difficult to
    break
  • Assign simple code to letters (1 to 26 for a to
    z)
  • Choose n (200 or more digits) as a product of
    two large prime numbers p, q.


24
Data Security
  • For simplicity, n p q 11 7 77
  • 3. Find a number K that is relatively prime (no
    common factors except 1) to (p-1) (q-1). Choose
    k 7 as the encryption key (there is always a k)
  • 4. Divide the message into components (with many
    letters in one, avoids repetition), For
    simplicity hello divided as h, e, l, l, o


25
Data Security
  • 5. For each component, concatenate all the binary
    code of each letter and interpret it as an
    integer. Here, integers are 8, 5, 12, 12, 15.
  • 6. Encrypt the message by raising each number to
    the power of k (modulo n)
  • Encrypted message 57 47 12 12 71
  • Decryption
  • 1. Find a value k such that (k k) 1 is
    evenly divisible by (p-1) (q-1). K is the
    decryption key .


26
Data Security
  • Here, (p-1) (q-1) 60, k 43 works well.
    (there is always a k)
  • 2. Raise each encrypted number to the power of k
    (modulo n)
  • Results are the original numbers 8, 5, 12, 12,
    15.
  • Potential problem How to find 71 43 modulo 77?
  • Break the power in 2, 4, 8,
  • Find the modulo for the lowest to the highest.


27
Data Security
  • How secure is RSA?
  • n and k are needed for encryption,
  • If they are intercepted, K could be deduced.
  • However, it needs p and q the factors of
    n.
  • If n is large (200 or more digits) gt
    difficult, time-consuming

28
Data Security
  • Transport layer security (TLS) and Server
    Authentication
  • To ensure access to the proper encryption
    methods and keys to protect privacy
  • Also to ascertain the legitimacy of the site
    connected to
  • Secure Sockets Layer (SSL) and Transport Layer
    Security Protocols, X.509 certificates


29
Data Security
  • TLS and SSL lies between application layer and
    transport layer
  • Sender side encrypts the message from
    application layer and passes it to the transport
    layer
  • Receiver side receives the message from
    transport layer and passes the decrypted message
    to the application layer
  • TLS has the ability to revert to SSL 3.0, there
    are some low level differences


30
Data Security
  • X.509 certificate
  • Electronic ID to prove that a site is what it
    claims to be
  • Certificate Authority (CA) issues certificates
  • Consumer maintains a list of trustworthy CAs in
    his computer
  • Trusted CA list is developed over the time
  • Certificate contains a period of validity and
    two fingerprints


31
Data Security
  • Authentication is the process of validating the
    identity of the message-source
  • Fingerprints are values calculated using some
    algorithms for authentication
  • Browser
  • - downloads the server certificate
  • - checks the period of validity
  • - checks the fingerprints
  • - checks the CA
  • All must be affirmative in order to proceed


32
Data Security
  • An initial set of exchange takes place between
    the server and the client handshake
  • Handshake defines the cryptographic routines,
    key exchanges, and authentication process
  • 1. Client to server highest TLS (SSL) version
    available, a list of encryption algorithms, a
    list of key exchange algorithms, and a list of
    supported compression methods.


33
Data Security
  • 2. Server chooses each one of the above items
    from the suggested list of the client. It also
    sends its certificate.
  • 3. Client needs to authenticate the certificate.
    Issuing CA attaches a digital signature /
    Fingerprints to it. Two methods are used to
    provide extra security. Also, it verifies the
    domain name in the certificate with that of
    server.
  • 4. Client sends key to server.
  • 5. If required, server may authenticate the
    client.
  • 6. Both client and server exchanges session-keys.


34
Data Security
  • 7. Both sides confirm this arrangements and start
    secure-communication.
  • If user A wants to send an encrypted message to
    user B, the plaintext is encrypted with the
    public key of _.
  • a) User A b) User B c) The network d) (a) or (b)


35
Data Security
  • Firewalls
  • Machines are at risk when they are not actively
    doing anything
  • Risk comes from malicious attacks disrupting
    activities, causing harm
  • Challenge is to prevent attacks from being
    successful
  • Approach - All internet traffic has to pass
    through special machine(s) Firewall


36
Data Security
  • It examines passing traffic to look for possible
    threats
  • The challenge is to identify the threats
  • IP layer 3, TCP layer 4
  • IP packet contains data, source and destination
    addresses, layer 4 protocol (TCP / UDP) using it.
  • Server is identified by IP address and the
    specific service by port number


37
Data Security
  • Telnet Port 23, FTP - Port 21, SMTP - Port 25
  • Some approaches
  • Packet Filtering
  • Examine the header of each packet and decide
  • Decision may base on
  • - Address field
  • - port number
  • - transport protocol represented


38
Data Security
  • Example decisions
  • Allow any incoming packet with TCP port
    designation of 23 (allowing remote login to any
    machine)
  • Allow any incoming packet with TCP port
    designation of 23 with destination address found
    in a maintained list. Implication?
  • Allow any outgoing packet with destination
    address found in a maintained list. Implication?

39
Data Security
  • The above specifies criteria to allow packets.
  • gt Blocks unless otherwise specified (default)
  • Alternative Allows unless otherwise specified
    (default)
  • Block any incoming packet with TCP port
    designation of 23. Implication?
  • Block any incoming packet with source address
    found in a maintained list. Implication?


40
Data Security
  • Block any incoming packet with destination
    address found in a maintained list. Implication?
  • - Block any outgoing packet with source and
    destination addresses found in a maintained list.
    Implication?
  • Better default approach? Block packet nothing
    will pass unless explicitly stated,
  • Ensures more security.


41
Data Security
  • Application Level Gateway
  • Packet filtering works at layer 3, making
    decision on packet contents, inflexible on an
    action within an application.
  • Gateway provides that flexibility, works at a
    higher layer.
  • Allow for file transfer download files but not
    upload
  • More logic into a firewall that understands the
    applications and their abilities called proxy
    server


42
Data Security
  • Special programs for each type of application it
    needs to watch.
  • It examines application layer requests and
    allows (denies) based on the information provided
    to the firewall
  • A gateway program for each application
  • Main advantage flexibility
  • Significant overhead


43
Data Security
  • Stateful Inspection
  • Works at the network layer and avoids overhead
  • It examines the contents of a packet in the
    context of what has happened previously
  • Example a ping command response indicates that
    a device is reachable and the time needed for a
    round-trip
  • gt Command sends an echo request and site
    responds with echo response


44
Data Security
  • Stateful inspection ensures that a response
    packet is not allowed unless there was a previous
    request.
  • Also the source and the destination should
    reverse in these two events. (security against
    denial-of-service attack)


45
Data Security
  • Viruses
  • A collection of instructions attached to an
    executable file that does something not intended
    originally
  • Virus attachment to a file -gt infected file
  • Worms usually appear as a separate program,
    intruding a system, threatening security.
  • Infected file contains a branch instruction to
    unintended tasks, and branches to some point of
    the original code - diagram


46
Data Security
  • User may not be aware of the virus unless it
    causes a major distraction
  • Worst viruses avoid massive, immediate
    destruction, rather making small, unnoticeable
    changes over time
  • As such, even back-ups may be infected
  • Virus may probe file system looking for
    executable files on disk, if found, it duplicates
    itself and stores a copy in the file


47
Data Security
  • Memory Resident viruses
  • Resides in memory, attacks a file when it enters
    the memory
  • It needs to be referenced to be executed.
  • It may use the interrupt mechanism to do so.
  • Modifies the Interrupt table with vectors
    pointing to the virus instead


48
Data Security
  • Early Antivirus programs worked by looking for
    signature a sequence of bytes contained in the
    virus- at the beginning and end of file.
  • Signatures were encrypted and the decryption
    algorithm was added to virus.
  • Antivirus programs looked for byte patterns of
    decryption algorithm, examined decrypted result
    and look for signatures proved quite successful


49
Data Security
  • Virus Sources
  • Individuals trying to invade a system
  • It spreads by sharing resources through
    removable disks, networks
  • Prevention is the best approach
  • Internet worm
  • Replicates quickly throughout internet, clogging
    communications, forcing system shut down


50
Data Security
  • One approach taken by the worm
  • Used an utility program that allows one user to
    obtain information of other user
  • A flaw that did not check for buffer-overflow
    was exploited
  • The worm was able to overflow the buffer and
    overwrote part of the system stack
  • The original return address was lost, pointing
    to some instructions in the buffer


51
Data Security
  • This enabled it to copy itself and infect new
    machines


52
Data Security
  • Mono- alphabetic cipher has no real value where
    serious security is needed. T/F
  • Public key encryption allows different people
    to use the same encryption key even when they are
    not supposed to know what another person is
    sending. T/F
  • Any block cipher that encrypts a block at a
    time is essentially a substitution cipher,
    replacing one block with another. T/F


53
Data Security
  • An encryption method that uses longer key is
    more secure than one that uses a shorter key. T/F
  • The most serious viruses destroy a lot of data
    very quickly. T/F
  • Firewalls are commonly used to protect a
    network against incoming viruses. T/F


54
Data Security
  • A _ can forward or block packets based on the
    information in the network and transport layer
    headers.
  • a) Proxy Firewall b) Packet filter firewall
  • c) Message Digest d) Private key
  • A _ can forward or block packets based on the
    information in the message itself.
  • a) Proxy Firewall b) Packet filter firewall
  • c) Message Digest d) Private key

About PowerShow.com