Cryptography - The art or science encompassing the principles and methods of
transforming an intelligible message into one that is unintelligible, and then
retransforming that message back to its original form
Plaintext - The original intelligible message
Ciphertext - The transformed message
Network - a group or system of interconnected people or things.
"the company has a network of 326 branches"
“College has a big network for placements”
“Computer lab has network connected systems”
Security - the state of being free from danger or threat.
"the system is designed to provide maximum security against toxic spills"
CRYPTOGRAPHY AND NETWORK SECURITY
• Information Security - the state of being protected against the unauthorized use
of information, especially electronic data, or the measures taken to achieve this.
Example – the use of rugged filing cabinets with combination locks
for storing sensitive documents.
• With the introduction of computers, the need for automated tools for protecting
files and other information stored on the computer became evident. This is
especially the case for a shared system, such as a time-sharing system, a data
network or the internet.
• Computer Security – The generic name for the collection of tools designed to
protect data and to thwart hackers. (thwart - prevent (someone) from
accomplishing something.)
• Internet security – The term network security is somewhat misleading, because
virtually all business, government and academic organisations interconnect their
data processing equipment with a collection of interconnected networks. Such a
collection is often referred to as an internet, and the term internet security is used.
Course Objectives:
• Explain the objectives of Information Security (Principles of Security).
The objectives are:
1. Security
2. Confidentiality
3. Integrity
4. Availability
5. Nonrepudiation
• Importance of Information Security
• Understanding various cryptographic algorithms.
• Symmetric and Asymmetric key cryptography
• Understand the basic categories of threats to computers and
networks
• The most common network security threats
1. Computer virus. We've all heard about them, and we all have our fears. ...
2. Rogue security software. Leveraging the fear of computer viruses,
scammers have found a new way to commit Internet fraud. ...
3. Trojan horse. ...
4. Adware and spyware. ...
5. Computer worm. ...
6. DoS and DDoS attack. ...
7. Phishing. ...
8. Rootkit.
• Describe public-key cryptosystem
• Describe the enhancements made to IPv4 by IPSec
• In computing, Internet Protocol Security (IPsec) is a secure network protocol
suite that authenticates and encrypts the packets of data to provide secure
encrypted communication between two computers over an Internet Protocol
network.
• Understand Intrusions and intrusion detection
To intrude is to compromise a computer system by breaking the security of such
a system or causing it to enter into an insecure state. The act of intruding, or
gaining unauthorized access to a system, typically leaves traces that can be
discovered by intrusion detection systems.
• Discuss the fundamental ideas of public-key cryptography
In such a system, any person can encrypt a message using the receiver's public
key, but that encrypted message can only be decrypted with the receiver’s
private key.
• Generate and distribute a PGP key pair and use the PGP package to send an
encrypted e-mail message.
Pretty Good Privacy (PGP) is an encryption program that provides
cryptographic privacy and authentication for data communication. PGP is used
for signing, encrypting, and decrypting texts, e-mails, files, directories, and
whole disk partitions and to increase the security of e-mail communications.
• Discuss web security and Firewalls.
Unit – I
Security Concepts
Introduction
• Computer data often travels from one computer to another, leaving
the safety of its protected physical surroundings. Once the data is out
of hand, people with bad intentions could modify or forge your data,
either for amusement or for their own benefit.
• Cryptography can reformat and transform our data, making it safer on
its trip between computers. The technology is based on the essentials
of secret codes, augmented by modern mathematics that protects
our data in powerful ways.
The Need for Security –
• Most early computer applications had no, or at best very little, security.
This continued for a number of years until the importance of data was
truly realized.
• When computer applications were developed to handle financial and
personal data, the real need for security emerged.
• People realized that data on computers is an extremely important aspect of
modern life. Therefore, various areas of security began to gain prominence.
• Two typical examples of such security mechanisms were:
1. Provide a user identification and password to every user.
2. Encode information stored in the database in some fashion, so that it is not visible
to users who do not have the permission.
• Organizations employed their own mechanisms in order to provide the basic
security mechanisms.
• As technology improved, the communication infrastructure became
extremely mature, and newer applications began to be developed for
users' demands and needs.
Example:
• The internet took on a major role in the world, and it is an example of what
could happen if insufficient security is built into the applications
developed for the internet.
• The figure shows what can happen when you use your credit card for making
purchases over the internet.
• From the user's computer, the user details such as user id, order details,
and payment details such as credit card information travel across the
internet to the server, i.e. to the merchant’s computer. The merchant
stores the details in its database.
There are various security holes:
1. An intruder can capture the credit card details as they travel from
the client to the server. Suppose we somehow protect this transit from an
intruder’s attack.
2. That still does not solve our problem. Once the merchant computer
receives the credit card details and validates them so as to process
the order and later obtain payment, the merchant computer stores
the credit card information in its database.
3. Now an attacker can simply succeed in accessing this database and
therefore gain access to all the credit card information stored in it.
4. A Russian attacker called Maxim managed to intrude into a merchant's
internet site and obtained 3,00,000 credit card numbers from its
database.
Modern Nature of Attacks
• A few salient features of the modern nature of attacks are:
1. Automating Attacks
• The speed of computers makes several attacks worthwhile for miscreants.
For example:
• In the real world, suppose someone manages to create a machine that can
produce counterfeit coins. How many such coins would the attacker be able
to get?
• But the scenario is quite different with computers.
For example:
• An attacker could succeed in somehow stealing a very low amount, say half a
dollar, from a million bank accounts in a few minutes. Fig shows …
Privacy Concerns
• Collecting information about people and later misusing it is turning out to
be a huge problem these days.
• The so-called data mining applications gather, process and tabulate all
sorts of details about individuals.
• People can illegally sell this information.
For example:
• The information that can come out of this includes:
• which stores the person buys more from,
• which restaurant he/she eats in,
• where he/she goes for vacation frequently.
• Every company, e.g. shopkeepers, banks, airlines and insurers, is collecting
and processing a mind-boggling amount of information about us, without our
knowledge.
Distance Does Not Matter
• Thieves would attack banks, because banks had money.
• Banks do have money today.
• Money is in digital form inside the computers and moves around by
using computer networks.
• Therefore, a modern thief would perhaps not like to wear a mask and
attempt a robbery. Instead, it is far easier and cheaper to attempt an
attack on the computer system of the bank while sitting at home.
• It may be far more prudent for the attacker to break into the bank's
servers, or steal credit card/ATM information.
• In 1995 a Russian hacker broke into Citibank’s computers remotely,
stealing $12 million. The attacker was later traced.
• Fig shows..
Security Approaches
Trusted Systems
• A trusted system is a computer system that can be trusted to a
specified extent to enforce a specified security policy.
• These are primarily of interest to the military; however, these days they
have spread across various areas, such as the banking and financial
community.
• Trusted systems often use the term reference monitor. This is an
entity that is at the logical heart of the computer system.
• It is mainly responsible for all the decisions related to access control,
and it has these properties:
1. It should be tamper-proof.
2. It should always be invoked.
3. It should be small enough so that it can be tested independently.
• In the 1983 Orange Book, also called the Trusted Computer System
Evaluation Criteria (TCSEC), the National Security Agency (NSA) of
the US government defined a set of evaluation classes.
• These described the features and assurances that the user could
expect from a trusted system.
• The highest levels of assurance were provided by significant efforts
directed towards reduction of the size of the trusted computing base
– TCB.
• The TCB was defined as a combination of hardware, software and
firmware responsible for enforcing the system’s security policy.
Security Models
• An organization can take several approaches to implement its security
model:
1. No Security – the approach could be a decision to implement no security at
all.
2. Security through Obscurity – in this model a system is secure simply
because nobody knows about its existence and contents.
• This approach cannot work for long, because an attacker can come to know about it.
3. Host Security – In this scheme, the security for each host is enforced
individually. This is a safe approach, but the trouble is that it cannot scale
well.
• The complexity and diversity of modern sites/organizations make the task harder.
4. Network Security – Host security is tough to achieve as organizations grow
and become more diverse.
• In this technique the focus is to control network access to various hosts and their
services, rather than individual host security.
• This is a very efficient and scalable model.
Security Management Practices
• Good security-management practices always talk of a security policy being
in place.
• A good security policy and its proper implementation go a long way in
ensuring adequate security-management practice.
• A good security policy generally takes care of four key aspects:
1. Affordability – How much money and effort does this security implementation
cost?
2. Functionality – What is the mechanism of providing security?
3. Cultural Issues – Does this policy complement the people’s expectations, working
style and beliefs?
4. Legality – Does the policy meet the legal requirements?
Once a security policy is designed, the following points should be ensured:
a) Explanation of the policy to all concerned.
b) Outline everybody’s responsibilities.
c) Use simple language in all communications.
d) Accountability should be established.
e) Provide for exceptions and periodic reviews.
PRINCIPLES OF SECURITY
• Having discussed some of the attacks that have occurred in real life,
let us now classify the principles of security.
• This will help us understand the attacks better, and also help us in
thinking about the possible solutions to tackle them.
For example:
• Let us assume that a person A wants to send a cheque worth $100
to another person B. What are the factors that A and B will normally
think of in such a case?
• A will write the cheque, put it inside an envelope and send it to B.
1. A would like to ensure that no one except B gets the envelope, and even
if someone else gets it, he/she does not come to know about the
details of the cheque. This is the principle of Confidentiality.
2. A and B would further like to make sure that no one can tamper with
the contents of the cheque, such as the amount, date, signature and
name. This is the principle of Integrity.
3. B would like to be assured that the cheque has indeed come from A, and
not from someone else posing as A. This is the principle of
Authentication.
4. What will happen tomorrow if B deposits the cheque in the bank,
the money is transferred from A’s account to B’s account, and
then A refuses having written/sent the cheque? The court of law will use
A’s signature to disallow A to refute this claim and settle the dispute.
This is the principle of Non-repudiation. (Requires that neither
the sender nor the receiver of a message be able to deny the
transmission.)
• These are the four principles of security. There are two more:
1. access control and
2. availability.
Confidentiality
• Ensures that the information in a computer system and transmitted
information are accessible only for reading by authorized parties.
• Fig shows the example
• User A sends a message to B. Another user C gets access to this
message, which is not desired, and therefore defeats the purpose of
confidentiality.
• An example of this could be a confidential email message sent by A to
B, which is accessed by C without the permission or knowledge of A
and B.
• This type of attack is called interception (it causes loss of
confidentiality).
Authentication
• Authentication mechanisms help establish proof of identities.
• The authentication process ensures that the origin of an electronic
message or document is correctly identified.
For example:
• User C sends an electronic document over the internet to user B;
however, the trouble is that user C has posed as user A.
• How would user B know that the message has come from user C,
who is posing as user A?
• A real-life example could be the case of user C, posing as user A, sending a
funds transfer request (from A’s account to C’s account) to bank B.
• The bank transfers the funds from A’s account to C’s account, because it
thinks that user A has requested the funds transfer. This type
of attack is called fabrication.
Integrity
• Ensures that only authorized parties are able to modify computer
system assets and transmitted information. Modification includes
writing, changing status, deleting, creating and delaying or replaying
of transmitted messages.
• When the contents of a message are changed after the sender sends
it, but before it reaches the intended recipient, we say that the
integrity of the message is lost.
• For Example fig shows….
• Suppose you intended to transfer $100 to user B; however, you notice
that the statement shows a transfer of $1000. This is the loss of
message integrity.
• Here user C manages to access the message, change its contents and
send the changed message to B without B knowing.
• User A also does not know about this change. This type of attack is
called modification.
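The fabrication and modification cases above, together with the replay case named under Integrity, worked through as an added example that is not part of the original slides. It assumes A and bank B share a secret key in advance and uses HMAC-SHA256 from the Python standard library; the names sign_request, Bank and run_scenarios are made up for this illustration.

```python
import hashlib
import hmac
import json
import secrets


def sign_request(key, sender, recipient, amount_usd, nonce):
    """Sender side: serialise the request and attach an HMAC-SHA256 tag."""
    body = json.dumps(
        {"from": sender, "to": recipient, "amount_usd": amount_usd, "nonce": nonce},
        sort_keys=True,
    ).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


class Bank:
    """Receiver side: holds one pre-shared key per customer (an assumption)."""

    def __init__(self, customer_keys):
        self._keys = dict(customer_keys)
        self._seen = set()  # (sender, nonce) pairs that were already accepted

    def verify(self, message):
        try:
            body, tag = message["body"], message["tag"]
            fields = json.loads(body)
            sender, nonce = fields["from"], str(fields["nonce"])
            # Recompute the tag with the key of the *claimed* sender.
            expected = hmac.new(self._keys[sender], body, hashlib.sha256).hexdigest()
            tag_ok = hmac.compare_digest(expected, tag)  # constant-time compare
        except (KeyError, TypeError, ValueError):
            return "rejected: malformed or unknown sender"
        if not tag_ok:
            return "rejected: tag mismatch"
        if (sender, nonce) in self._seen:
            return "rejected: replay"
        self._seen.add((sender, nonce))
        return "accepted"


def run_scenarios():
    """Constructed sample data: A and C are customers of the bank."""
    key_a = secrets.token_bytes(32)  # known only to A and the bank
    key_c = secrets.token_bytes(32)  # known only to C and the bank
    bank = Bank({"A": key_a, "C": key_c})
    results = {}

    # Genuine request: A transfers $100 to B.
    genuine = sign_request(key_a, "A", "B", 100, nonce="n-0001")
    results["genuine"] = bank.verify(genuine)

    # Interception: a MAC does not hide the body, so C can still read it.
    results["interception_reads_amount"] = json.loads(genuine["body"])["amount_usd"]

    # Modification: C changes $100 to $1000 in transit and keeps the old tag.
    tampered = {
        "body": genuine["body"].replace(b'"amount_usd": 100', b'"amount_usd": 1000'),
        "tag": genuine["tag"],
    }
    results["modification"] = bank.verify(tampered)

    # Fabrication: C poses as A but can only tag the request with C's own key.
    forged = sign_request(key_c, "A", "C", 100, nonce="n-0002")
    results["fabrication"] = bank.verify(forged)

    # Replay: C resends the genuine, correctly tagged message unchanged.
    results["replay"] = bank.verify(genuine)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Because the bank holds the same key as A, it could have produced the tag itself, so a shared-key MAC gives integrity and authentication but not non-repudiation; that needs a digital signature made with a private key only A holds.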