Data Security - PowerPoint PPT Presentation


PPT – Data Security PowerPoint presentation | free to download - id: 541155-ODFkO


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

Data Security


Data Security Data Security Understanding Data Communications and Networks William A. Shay (3E) Data Security 7. Both sides confirm this arrangements and start ... – PowerPoint PPT presentation

Number of Views:401
Avg rating:3.0/5.0
Slides: 55
Provided by: HaS124
Learn more at:
Tags: data | security


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Data Security

Data Security
Data Security
  • Understanding Data Communications and Networks
    William A. Shay (3E)

Data Security
  • To ensure that the data is received meaningfully
  • only by the intended recipient
  • Approach Alter (encrypt) the message (un-
  • intelligible even if intercepted)
  • Algorithms
  • Public key encryption
  • Secure Transfer over internet

Data Security
  • Definitions
  • Changing the encrypted data into its original
  • decryption
  • Plaintext P- original form
  • Cipher-text C - encrypted data
  • Encryption algorithm and key Ek, changes P to C
  • C Ek(P),
  • Decryption algorithm and key Dk, changes C to P
  • P Dk(C), in many cases k k

Data Security
  • Mono-alphabetic cipher
  • Replaces each plaintext character with another
  • Add 1 to ASCII code of each character
  • A turns into B, B to C,
  • Simple but Rarely used in serious applications
  • Relatively easy to decipher
  • Commonly used letters E, T, O, A, N gt if
    certain letters appear frequently in cipher-text,
    probably it is one of these (than Q or Z)

Data Security
  • Mono-alphabetic cipher
  • P Please add money to
  • gt \ 4 times
  • gt S Twice
  • gt R Thrice
  • gt P Twice
  • They may be substitutions of common
  • characters, even blank spaces

Data Security
  • Mono-alphabetic cipher
  • Try various combinations of common ones
  • EADE\AFF\,ONEU\YO(R by E, S by A, P by O)
  • Replace \ by blank spaces
  • Clues Two letter word ends with O, Three letter
    word begins with A followed by repeated letter
  • gt With educated guesses, message can be decrypted

Data Security
Mono-alphabetic cipher Drawbacks preserving
particular letter sequences, frequency with which
letters occur Poly-alphabetic Cipher Change the
frequencies and break-up common sequences A
plaintext character is not always replaced with
the same one cipher-text character. Replacement
f (P, its position in the message)

Data Security
  • Poly-alphabetic Cipher
  • For (int i 0 i lt length of P i)
  • Ci Pi K (i mod 3)
  • Assume, K 1.
  • 1 is added for positions 0, 3, 6,
  • 2 is added for positions 1, 4, 7,
  • 3 is added for positions 2, 5, 8,
  • gt Repetition has reduced, but still present

Data Security
  • Poly-alphabetic Cipher
  • THE appears as UJH, VKF, WIG
  • If there were more THE, the pattern would
  • repeat.
  • Also, there are other patterns
  • First letters of each THE cipher-text are
    consecutive UVW, (also the 2nd one as JKI, and
    the 3rd one as HFG)
  • gt Clues for decryption

Data Security
  • Transposition Cipher
  • Rearranges the P letters of a message (not
  • Replacing them)
  • One way store characters in a 2-dimensional
  • array with m-columns
  • gt First m-characters in 1st row, next
    m-characters in 2nd row, ..
  • Determine a permutation of numbers 1 to m
  • p1, p2, , pm

Data Security
  • Transposition Cipher
  • Transmit p1 column first, then p2, , then pm.
  • F O L L O
  • W T H E
  • Y E L L
  • O W B R
  • I C K R
  • O A D

Data Security
  • Transposition Cipher
  • Transmit columns 2, 4, 3, 1, 5 (permutation)
  • If, receiver knows the permutation and the number
    of columns -gt reconstruct the message
  • Drawbacks letter frequencies are preserved, also
    by grouping the characters in different columns
    for sequences like THE, IS are helpful for

Data Security
  • Bit-Level ciphering
  • Previous methods are applicable to character
  • Files may contain raw bits (execution files),
    This method handles them
  • - Encryption key is a randomly chosen bit-string
  • Message bit string is divided into substrings
  • Length is the same as that of the key

Data Security
  • Encrypted string message string XOR key
  • Decryption Encrypted string XOR key
  • E (algorithm) is same as D (algorithm)
  • pi is a plaintext bit, if encryption key contains
    0 in that position
  • pi XOR 0 XOR 0 pi
  • if encryption key contains 1 in that position
  • pi XOR 1 XOR 1 pi XOR (1 XOR 1) pi XOR 0

Data Security
  • Security depends partly on the length of the
  • Short key gt many substrings gt more chance of
    repetition of the encrypted substring,
  • In extreme case, the key length message length
    gt each bit is encrypted uniquely
  • If the key-bits are random gt unbreakable code
    (but long key needs to be transferred)

Data Security
  • Data Encryption Standards (DES)
  • Approach is to keep the key short compared to
    the message and to use complex procedure to
    encrypt the message
  • Based on block-cipher
  • Divides the message into 64-bit blocks, uses a
    key to employ a complex transformation.
  • It uses transposition (rearrangement) and
    substitution (replacing one bit-group with another

Data Security
  • Steps
  • Transposition on the block data and the key
  • 16 successive encryptions with different keys
    derived from the original, output of one fed to
    the next input
  • Swap (32 bits)
  • Reverse transposition (of the 1st step)

Data Security
  • Encryption operations
  • data C64 L32 R32, K56 key
  • (R32 transpose, duplicate bits) results in R48
  • (K56 shift on each half, transpose) results in
  • R48 XOR K48 (first) X48
  • Divide into 8 (6-bit) groups
  • Substitute each by 4-bit value
  • Combine into a 32-bit string, transpose X32

Data Security
  • L32 XOR X32 X32
  • Form final 64 bits R32 X32
  • Idea was to develop a method with many
    convoluted steps
  • If the same 64-bit block occurs more than once,
    it generates the same cipher-text.
  • Cipher Block Chaining (CBC) disrupts that

Data Security
  • CBC
  • Initialization vector (IV)
  • Block 1 XOR IV -gt DES -gt Block 1C
  • Block 1C XOR Block 2 -gt DES -gt Block 2C
  • Block 2C XOR Block 3 -gt DES -gt Block 3C
  • Cipher-text f (plaintext, its position)
  • gt Same plain text in different positions means
    different cipher text also

Data Security
  • DES Effectiveness Brute force method of attack
    trying all possible keys -gt 256 possible keys,
    it was possible to break the code in hours using
    gigahertz processors.
  • Using 128-bit key gt 9.5 1015 years to try all
    possible keys _at_ 1015 keys per second

Data Security
  • Public Key Encryption (PKE)
  • Knowing the encryption key and the algorithm
    renders decryption easy
  • PKE makes decryption algorithm and key
    determination difficult even when encryption
    algorithm and key are known
  • - Many sources can send message using same Ek.
    Only the receiver knows the Dk.

Data Security
  • RSA algorithm
  • Uses modulo-arithmetic and factorization of very
    large numbers
  • Cipher-text is easy to calculate but difficult to
  • Assign simple code to letters (1 to 26 for a to
  • Choose n (200 or more digits) as a product of
    two large prime numbers p, q.

Data Security
  • For simplicity, n p q 11 7 77
  • 3. Find a number K that is relatively prime (no
    common factors except 1) to (p-1) (q-1). Choose
    k 7 as the encryption key (there is always a k)
  • 4. Divide the message into components (with many
    letters in one, avoids repetition), For
    simplicity hello divided as h, e, l, l, o

Data Security
  • 5. For each component, concatenate all the binary
    code of each letter and interpret it as an
    integer. Here, integers are 8, 5, 12, 12, 15.
  • 6. Encrypt the message by raising each number to
    the power of k (modulo n)
  • Encrypted message 57 47 12 12 71
  • Decryption
  • 1. Find a value k such that (k k) 1 is
    evenly divisible by (p-1) (q-1). K is the
    decryption key .

Data Security
  • Here, (p-1) (q-1) 60, k 43 works well.
    (there is always a k)
  • 2. Raise each encrypted number to the power of k
    (modulo n)
  • Results are the original numbers 8, 5, 12, 12,
  • Potential problem How to find 71 43 modulo 77?
  • Break the power in 2, 4, 8,
  • Find the modulo for the lowest to the highest.

Data Security
  • How secure is RSA?
  • n and k are needed for encryption,
  • If they are intercepted, K could be deduced.
  • However, it needs p and q the factors of
  • If n is large (200 or more digits) gt
    difficult, time-consuming

Data Security
  • Transport layer security (TLS) and Server
  • To ensure access to the proper encryption
    methods and keys to protect privacy
  • Also to ascertain the legitimacy of the site
    connected to
  • Secure Sockets Layer (SSL) and Transport Layer
    Security Protocols, X.509 certificates

Data Security
  • TLS and SSL lies between application layer and
    transport layer
  • Sender side encrypts the message from
    application layer and passes it to the transport
  • Receiver side receives the message from
    transport layer and passes the decrypted message
    to the application layer
  • TLS has the ability to revert to SSL 3.0, there
    are some low level differences

Data Security
  • X.509 certificate
  • Electronic ID to prove that a site is what it
    claims to be
  • Certificate Authority (CA) issues certificates
  • Consumer maintains a list of trustworthy CAs in
    his computer
  • Trusted CA list is developed over the time
  • Certificate contains a period of validity and
    two fingerprints

Data Security
  • Authentication is the process of validating the
    identity of the message-source
  • Fingerprints are values calculated using some
    algorithms for authentication
  • Browser
  • - downloads the server certificate
  • - checks the period of validity
  • - checks the fingerprints
  • - checks the CA
  • All must be affirmative in order to proceed

Data Security
  • An initial set of exchange takes place between
    the server and the client handshake
  • Handshake defines the cryptographic routines,
    key exchanges, and authentication process
  • 1. Client to server highest TLS (SSL) version
    available, a list of encryption algorithms, a
    list of key exchange algorithms, and a list of
    supported compression methods.

Data Security
  • 2. Server chooses each one of the above items
    from the suggested list of the client. It also
    sends its certificate.
  • 3. Client needs to authenticate the certificate.
    Issuing CA attaches a digital signature /
    Fingerprints to it. Two methods are used to
    provide extra security. Also, it verifies the
    domain name in the certificate with that of
  • 4. Client sends key to server.
  • 5. If required, server may authenticate the
  • 6. Both client and server exchanges session-keys.

Data Security
  • 7. Both sides confirm this arrangements and start
  • If user A wants to send an encrypted message to
    user B, the plaintext is encrypted with the
    public key of _.
  • a) User A b) User B c) The network d) (a) or (b)

Data Security
  • Firewalls
  • Machines are at risk when they are not actively
    doing anything
  • Risk comes from malicious attacks disrupting
    activities, causing harm
  • Challenge is to prevent attacks from being
  • Approach - All internet traffic has to pass
    through special machine(s) Firewall

Data Security
  • It examines passing traffic to look for possible
  • The challenge is to identify the threats
  • IP layer 3, TCP layer 4
  • IP packet contains data, source and destination
    addresses, layer 4 protocol (TCP / UDP) using it.
  • Server is identified by IP address and the
    specific service by port number

Data Security
  • Telnet Port 23, FTP - Port 21, SMTP - Port 25
  • Some approaches
  • Packet Filtering
  • Examine the header of each packet and decide
  • Decision may base on
  • - Address field
  • - port number
  • - transport protocol represented

Data Security
  • Example decisions
  • Allow any incoming packet with TCP port
    designation of 23 (allowing remote login to any
  • Allow any incoming packet with TCP port
    designation of 23 with destination address found
    in a maintained list. Implication?
  • Allow any outgoing packet with destination
    address found in a maintained list. Implication?

Data Security
  • The above specifies criteria to allow packets.
  • gt Blocks unless otherwise specified (default)
  • Alternative Allows unless otherwise specified
  • Block any incoming packet with TCP port
    designation of 23. Implication?
  • Block any incoming packet with source address
    found in a maintained list. Implication?

Data Security
  • Block any incoming packet with destination
    address found in a maintained list. Implication?
  • - Block any outgoing packet with source and
    destination addresses found in a maintained list.
  • Better default approach? Block packet nothing
    will pass unless explicitly stated,
  • Ensures more security.

Data Security
  • Application Level Gateway
  • Packet filtering works at layer 3, making
    decision on packet contents, inflexible on an
    action within an application.
  • Gateway provides that flexibility, works at a
    higher layer.
  • Allow for file transfer download files but not
  • More logic into a firewall that understands the
    applications and their abilities called proxy

Data Security
  • Special programs for each type of application it
    needs to watch.
  • It examines application layer requests and
    allows (denies) based on the information provided
    to the firewall
  • A gateway program for each application
  • Main advantage flexibility
  • Significant overhead

Data Security
  • Stateful Inspection
  • Works at the network layer and avoids overhead
  • It examines the contents of a packet in the
    context of what has happened previously
  • Example a ping command response indicates that
    a device is reachable and the time needed for a
  • gt Command sends an echo request and site
    responds with echo response

Data Security
  • Stateful inspection ensures that a response
    packet is not allowed unless there was a previous
  • Also the source and the destination should
    reverse in these two events. (security against
    denial-of-service attack)

Data Security
  • Viruses
  • A collection of instructions attached to an
    executable file that does something not intended
  • Virus attachment to a file -gt infected file
  • Worms usually appear as a separate program,
    intruding a system, threatening security.
  • Infected file contains a branch instruction to
    unintended tasks, and branches to some point of
    the original code - diagram

Data Security
  • User may not be aware of the virus unless it
    causes a major distraction
  • Worst viruses avoid massive, immediate
    destruction, rather making small, unnoticeable
    changes over time
  • As such, even back-ups may be infected
  • Virus may probe file system looking for
    executable files on disk, if found, it duplicates
    itself and stores a copy in the file

Data Security
  • Memory Resident viruses
  • Resides in memory, attacks a file when it enters
    the memory
  • It needs to be referenced to be executed.
  • It may use the interrupt mechanism to do so.
  • Modifies the Interrupt table with vectors
    pointing to the virus instead

Data Security
  • Early Antivirus programs worked by looking for
    signature a sequence of bytes contained in the
    virus- at the beginning and end of file.
  • Signatures were encrypted and the decryption
    algorithm was added to virus.
  • Antivirus programs looked for byte patterns of
    decryption algorithm, examined decrypted result
    and look for signatures proved quite successful

Data Security
  • Virus Sources
  • Individuals trying to invade a system
  • It spreads by sharing resources through
    removable disks, networks
  • Prevention is the best approach
  • Internet worm
  • Replicates quickly throughout internet, clogging
    communications, forcing system shut down

Data Security
  • One approach taken by the worm
  • Used an utility program that allows one user to
    obtain information of other user
  • A flaw that did not check for buffer-overflow
    was exploited
  • The worm was able to overflow the buffer and
    overwrote part of the system stack
  • The original return address was lost, pointing
    to some instructions in the buffer

Data Security
  • This enabled it to copy itself and infect new

Data Security
  • Mono- alphabetic cipher has no real value where
    serious security is needed. T/F
  • Public key encryption allows different people
    to use the same encryption key even when they are
    not supposed to know what another person is
    sending. T/F
  • Any block cipher that encrypts a block at a
    time is essentially a substitution cipher,
    replacing one block with another. T/F

Data Security
  • An encryption method that uses longer key is
    more secure than one that uses a shorter key. T/F
  • The most serious viruses destroy a lot of data
    very quickly. T/F
  • Firewalls are commonly used to protect a
    network against incoming viruses. T/F

Data Security
  • A _ can forward or block packets based on the
    information in the network and transport layer
  • a) Proxy Firewall b) Packet filter firewall
  • c) Message Digest d) Private key
  • A _ can forward or block packets based on the
    information in the message itself.
  • a) Proxy Firewall b) Packet filter firewall
  • c) Message Digest d) Private key