Information Security

Prepared By:
WAQAS AHMAD
BUTT
Agenda

 My introduction
 Course prerequisites
 What is Information security ?
 Course content
 Course Code (SE - 321)
 3

Introduction

 Computer Security - generic name for the

collection of tools designed to protect data and to
prevent hackers.
 Network Security - measures to protect data
during their transmission.
 Internet Security - measures to protect data during
their transmission over a collection of
interconnected networks.
The Three Foundations of IT Security

 People
 Processes
 Technology
Topics included (See Course Outline)

 Definitions & concepts

 Steganography
 Types of ciphers: substitution and transposition
 Block and stream ciphers
 Symmetric vs. asymmetric algorithms
 Message integrity (one way hash)
 Digital signatures
 Digital Forensics
 Server Security
 Web Application Security
Topics included (See Course Outline)

 PKI
 Key management
 Email security (S/MIME, PGP)
 Quantum cryptography
 Hash Functions
 Secure shell (SSH)
 IPSEC
 Firewalls
 Intrusion Detection and Prevention System
 Testing and Security
 What is this course about?

This course is to discuss

 security needs
 security services
 security mechanisms and protocols

for data stored in computers and transmitted across computer

networks
 8

What we will not cover?

We will not cover

 computer networks
 operating systems
 computers in general
 how to hack 
 9

What security is about in general?

 Security is about protection of assets

 D. Gollmann, Computer Security, Wiley
 Prevention
 take measures that prevent your assets from being damaged
(or stolen)
 Detection
 take
measures so that you can detect when, how, and by
whom an asset has been damaged
 Reaction
 take measures so that you can recover your assets
 10

Terminology

 Network and Internet Security

 measures to prevent, detect, and correct security
violations that involve the transmission of information
in a network or interconnected networks
Computer Security
Terminology
Security Objectives: CIA Triad and
Beyond
History Of Cryptography

PREPARED BY:
WAQAS AHMAD BUTT
Objectives

 Provide a perspective on how cryptography has evolved over

thousands of years
 Understand the cryptographic tools and techniques that have
formed the basis for modern cryptographic developments
 Establish a foundation for the rest of the course
 15

Cryptography

 In Cryptography, the meaning of the message is

hidden, not its existence.
Ages Of Cryptography
Modern
Cryptography

From 1800 to
World War 2

Cryptography In
Renniasance Times

Middle Age
Cryptography

Classical
Cryptography
Classical Cryptography

 The history of cryptography begins thousands of years

ago. Until recent decades, it has been the story of what
might be called classic cryptography — that is, of
methods of encryption that use pen and paper, or perhaps
simple mechanical aids.
 Egypt’s Old Kingdom

 The earliest known use of cryptography is found in non-

standard hieroglyphs carved into monuments from Egypt's Old
Kingdom ( 4500+ years ago).
Egypt’s Old Kingdom (contd.)

 These are not thought to be

serious attempts at secret
communications, however, but
rather to have been attempts at
mystery, intrigue, or even
amusement for literate
onlookers.
Some clay tablets from Mesopotamia somewhat later are clearly
meant to protect information — they encrypt recipes, presumably
commercially valuable.
(Scytale) – an early device used for
encryption
 One of the oldest known examples is the Spartan scytale
(Ancient Greek: Baton, cylinder) is a tool used to perform
transposition cipher, consisting of a cylinder with a strip of
parchment wound around it on which a message is written.
 (over 2500 years ago).
 Scytale

 The ancient Greeks, and the Spartans in particular, are said to

have used this cipher to communicate during military
campaigns.
 Sender and recipient each had a cylinder
(called a scytale) of exactly the same radius. The sender wound
a narrow ribbon of parchment
around his cylinder, then wrote on it lengthwise.
 After the ribbon is unwound, the writing
could be read only by a person who had a cylinder of exactly
the same circumference.
 Scytale Encryption Example

Original message: Kill king tomorrow midnight

k i l l k i n g
t o m o r r o w
m i d n i g h t

Encoded Message: ktm ioi lmd lon kri irg noh gwt
Greek and Roman Use Of Cryptography

 The Greeks of Classical times are

said to have known of ciphers (e.g.,
the scytale transposition cipher
claimed to have been used by the
Spartan military).
 Another Greek method was developed
by Polybius (now called the "
Polybius Square").
 Each letter is represented by its
coordinates in the grid. For example,
"BAT" becomes "12 11 44“
 Developed for telegraphy e.g. pairs of
torches
 Polybius Example using Keyword

As an example, we shall encrypt the plaintext "nice and simple" with the
keyword = example.
We get the ciphertext "53333211 315342 443341511211“. After decrypting the
ciphertext we will obtain plaintext.
 The Romans knew something of cryptography (e.g., the
Caesar cipher and its variations).
 The method is named after Julius Caesar, who used it to
communicate with his generals.
Caesar Cipher

 The Ceasar Cipher is an example of what is called a shift cipher. To

encode a message, letters are replaced with a letter that is a fixed
number of letters beyond the current letter.
ATBASH CIPHER

 Later still, Hebrew scholars made use of simple

monoalphabetic substitution ciphers (such as the Atbash
cipher) beginning perhaps around 500 to 600 BC
 The Atbash cipher is a very specific case of a
substitution cipher where the letters of the alphabet are
reversed. In otherwords, all As are replaced with Zs, all
Bs are replaced with Ys, and so on.
 Example
Plaintext: This is a secret message
Ciphertext: Gsrh rh z hvxivg nvhhztv
Rail Fence (Zig Zag) Cipher
Pig Pen Cipher
Abū Yūsuf Yaʻqūb ibn Isḥāq al-Kindī
801–873 CE
Cryptography From Muslim History (Medieval
Cryptography)

 Al- Kindi, wrote a book on cryptology, the "Risalah fi

Istikhraj al-Mu'amma" (Manuscript for the Deciphering
Cryptographic Messages), circa 850CE.
 This book apparently antedates Western European
cryptography works by 300 years and predates writings on
probability and statistics by Pascal and Fermat by nearly
800 years.
The first page of al-Kindi's manuscript On Deciphering Cryptographic Messages,
containing the oldest known description of cryptanalysis by frequency analysis
 In mathematics, al-Kindi played an important role in
introducing Arabic numerals to the Islamic and Christian
world.

 He was a pioneer in cryptanalysis and cryptology, and

devised new methods of breaking ciphers, including the
frequency analysis method.
Relative frequencies of letters in the English language
 In his book entitled Risalah fi Istikhraj al-Mu'amma
(Manuscript for the Deciphering Cryptographic Messages),
Al-Kindi described the first cryptanalysis techniques,
including some for polyalphabetic ciphers, cipher
classification, Arabic phonetics and syntax, and, most
importantly, gave the first descriptions on frequency analysis.
Cryptography In The Renaissance Period

 Essentially all ciphers remained vulnerable to

the cryptanalytic technique of frequency
analysis until the development of the
polyalphabetic cipher, and many remained so
thereafter.
 The polyalphabetic cipher was most clearly
explained by Leon Battista Alberti around the
year 1467, for which he was called the "father
of Western cryptology".
 In Europe, cryptography became (secretly) more important as a
consequence of political competition and religious revolution. For
instance, in Europe during and after the Renaissance, citizens of the
various Italian states—the Papal States and the Roman Catholic Church
included—were responsible for rapid proliferation of cryptographic
techniques.
 Outside of Europe, after the end of the Muslim Golden Age at the hand of
the Mongols, cryptography remained comparatively undeveloped.
 Edgar Allan Poe used systematic methods to
solve ciphers in the 1840s. In particular he
placed a notice of his abilities in the
Philadelphia paper Alexander's Weekly
(Express) Messenger, inviting submissions of
ciphers, of which he proceeded to solve
almost all.
 His success created a public stir for some months.
He later wrote an essay on methods of
cryptography which proved useful as an
introduction for novice British cryptanalysts
attempting to break German codes and ciphers
during World War I, and a famous story,
The Gold-Bug, in which cryptanalysis was a
prominent element.
 In World War I the Admiralty's Room 40 broke German
naval codes and played an important role in several naval
engagements during the war, notably in detecting major
German sorties into the North Sea that led to the battles of
Dogger Bank and Jutland as the British fleet was sent out to
intercept them.
 In 1917, Gilbert Vernam proposed a teletype cipher in which
a previously-prepared key, kept on paper tape, is combined
character by character with the plaintext message to produce
the cyphertext. This led to the development of
electromechanical devices as cipher machines.
World War II Cryptography

 By World War II, mechanical and electromechanical

cipher machines were in wide use, although—where such
machines were impractical—manual systems continued
in use.
The Enigma machine was widely used by Nazi Germany; its cryptanalysis by the Allies
provided vital intelligence.
SIGABA is described in U.S. Patent 6,175,625, filed in 1944 but not issued until 2001.
 Assignment No. 1

Convert plaintext into ciphertext using following old

cryptographic methods.
 Affine Cipher
 Baconian Cipher
 Vigenère Cipher
 Hill Cipher
 Playfair Cipher
 Modern Cryptography

 Both cryptography and cryptanalysis have become far

more mathematical since World War II. Even so, it has
taken the wide availability of computers, and the Internet
as a communications medium, to bring effective
cryptography into common use by anyone other than
national governments or similarly large enterprises.
Shannon

 The era of modern cryptography really begins

with Claude Shannon, arguably the father of
mathematical cryptography, with the work he did
during WWII on communications security.
 In 1949 he published
Communication Theory of Secrecy Systems in the
Bell System Technical Journal and a little later the
book The Mathematical Theory of
Communication (expanding on an earlier article "
A Mathematical Theory of Communication")
with Warren Weaver. Both included results from
his WWII work. Claude Elwood Shannon (1916-2001)
 These, in addition to his other works on
information and communication theory
established a solid theoretical basis for
cryptography and also for much of
cryptanalysis. And with that, cryptography
more or less disappeared into secret
government communications organizations
such as NSA, GCHQ, and their equivalents
elsewhere.
 Very little work was again made public until
the mid 1970s, when everything changed.
 The First Encryption Standard

 The mid-1970s saw two major public (i.e., non-secret)

advances. First was the publication of the draft
Data Encryption Standard in the U.S. Federal Register on 17
March 1975.
 The proposed DES cipher was submitted by a research group at
IBM, at the invitation of the National Bureau of Standards
(now NIST), in an effort to develop secure electronic
communication facilities for businesses such as banks and
other large financial organizations.
 After 'advice' and modification by NSA, acting behind the
scenes, it was adopted and published as a
Federal Information Processing Standard Publication in
1977 (currently at FIPS 46-3).
 DES was the first publicly accessible cipher to be 'blessed'
by a national agency such as NSA. The release of its
specification by National Bureau of Standards (NBS)
stimulated an explosion of public and academic interest in
cryptography.
 The aging DES was officially replaced by the
Advanced Encryption Standard (AES) in 2001 when NIST
announced FIPS 197. After an open competition, NIST
selected Rijndael, submitted by two Belgian cryptographers,
to be the AES.
 Regardless of DES' inherent quality, the DES key size
(56-bits) was thought to be too small by some even in
1976, perhaps most publicly by Whitfield Diffie. There
was suspicion that government organizations even then
had sufficient computing power to break DES messages;
clearly others have achieved this capability.
 Public Key

 The second development, in 1976, was perhaps even more

important, for it fundamentally changed the way
cryptosystems might work. This was the publication of the
paper New Directions in Cryptography by Whitfield Diffie
and Martin Hellman.
 It introduced a radically new method of distributing
cryptographic keys, which went far toward solving one of
the fundamental problems of cryptography, key
distribution, and has become known as Diffie
-Hellman key exchange.
Recap

How DES and AES

Algorithms Work ?
59
60
61
The Threat Environment:
Basic Security Terminology

Prepared By:
WAQAS AHMAD
BUTT
 63
Basic Security Terminology

The Threat Environment

 Thethreat environment consists of the types of attackers
and attacks that companies face
 64
The Threat Environment

 The world today is a dangerous place for corporations

 The Internet has given firm access to billions of
customers and other business partners
 But the Internet has also given criminals access to
hundreds of millions of corporations and far more
individuals
 65
The Environment

 Wireless transmission has brought new mobility but has

also allowed attackers to enter corporations stealthily.

 Bypassing firewalls designed to keep intruders from

coming in through the Internet.
 66
The Threat Environment

 If companies are to be able to defend themselves, they

need an understanding of the “threat environment”
 “Understanding the threat environment” is a fancy way of
saying “know your enemy.”
 Unless you understand the threats you face, you cannot
prepare for defense
 67

THE THREAT
ENVIRONMENT
Basic Security The threat environment
Terminology consists of the types of
attackers and attacks
that companies face
 68
IS IT THE AMERICAN
What do you CENTRAL INTELLIGENCE
know about the AGENCY ???

CIA ?
 69
C.I.A – The Security Goal

 Security Goals
 Corporations and subgroups in corporations have security goals –
conditions that the security staff wishes to achieve
 Three common core goals are referred to as CIA:
 Confidentiality

 Integrity

 Availability
 70
Basic Security Terminology

 Security Goals
 Confidentiality

Confidentiality means that people cannot read

sensitive information, either while it is on a
computer or while it is traveling across a network.
 71
Basic Security Terminology

 Security Goals
 Integrity

Integrity means that attackers cannot change or

destroy information, either while it is on a computer
or while it is traveling across a network.
Or, at least, if information is changed or destroyed,
then the receiver can detect the change or restore
destroyed data.
 72
Basic Security Terminology

 Security Goals
 Availability

Availability means that people who are authorized to

use information are not prevented from doing so.
 73
Basic Security Terminology

 Compromises
 Successful attacks
 Also called incidents
 Also called breaches

When a threat succeeds in causing harm to a business,

this is called an incident, breach, or compromise.
 74
Basic Security Terminology

In terms of a business process model, threats push the

business process away from meeting one or more of
its goals.
 75
Basic Security Terminology

 Companies try to deter incidents (of course), but they

usually have to face several breaches every year.

Response to incidents is a critical skill

 76
Basic Security Terminology

 Countermeasures
 Tools used to thwart attacks
 Also called safeguards, protections, and controls
 Countermeasures can be technical, human, or a
mixture of the two.
 77
Basic Security Terminology

The goal of countermeasures is to keep business

processes on track for meeting their business goals
despite the presence of threats and actual
compromises
 78
Basic Security Terminology

 Three Types Of Counter measures

 Preventative: keep attacks from not succeeding. Most
controls are preventative.
 Detective: identify when a threat is attacking, and
especially when it is succeeding. Fast detection can
minimize damage.
 Corrective: get the business process back on track
after a compromise.
 79
Basic Security Terminology

The faster the business process can get back on

track, the more likely the business process will be
to meet its goals
 80
The TJX Data Breach

 The TJX Companies, Inc. (TJX)

 A group of more than 2,500 retail stores companies
operating in the United States, Canada, England, Ireland,
and several other countries.
 81
The TJX Data Breach

 Discovery
 On December 18, 2006, TJX detected “suspicious software” on
its computer systems
 Called in security experts who confirmed an intrusion and
probable data loss
 Notified law enforcement immediately
 Only notified consumers a month later to get time to fix system
and to allow law enforcement to investigate
 82
The TJX Data Breach

 Discovery
 Two waves of attacks, in 2005 and 2006
 Company estimated that 45.7 million records with
limited personal information included
 Much more information was stolen on 455,000 of these
customers.
 83
The TJX Data Breach

 The Break-Ins
 Broke into poorly protected wireless networks in retail
stores
 Usedthis entry to break into central processing system in
Massachusetts
 Not detected despite long presence, 80 GB data exfiltration
 Canadian privacy commission: poor encryption, keeping
data that should not have been kept.
Understanding and Identifying the Insider Threat

Prepared By:
WAQAS AHMAD
BUTT
 85

Employee and ARE “INSIDERS”

Ex-employee THE BIGGEST
THREAT ?
threats
Definition of an Insider

An Insider is someone who exploits, or has the intention to exploit,

their legitimate access to assets for unauthorised purposes.
 87
Employee and Ex-Employee Threats

Employees and Ex-Employees Are Dangerous

 Dangerous because
 They have knowledge of internal systems
 They often have the permissions to access systems
 They often know how to avoid detection
 Employees generally are trusted
 IT and especially IT security professionals are the greatest employee
threats
 "Who will guard the guards themselves?”
 Types of Insider Behaviour

Deliberate penetration Opportunistic

with intention of abusing exploitation of access
position once in post

Insider

Unwitting/
Ex-employees unintentional
Exploited by others once insider
in post
Insider activities …..

Facilitation of 3rd Direct sabotage

party access to (electronic or physical)
sites/information

Unauthorised
disclosure of
information

Theft of materials
Financial &
or information
Process
corruption
Motivations of Insiders?

• Financial gain
• Revenge
• Status/recognition
• Friendship/Loyalty
• Ideological
• Fear/coercion
 91
Employee and Ex-Employee Threats

Sophisticated computer knowledge not required

In 23 financial cybercrimes committed between 1996

and 2002, 87 percent were accomplished without any
“sophisticated programming”
 92
Employee and Ex-Employee Threats

The US department of justice has a website

http://www.cybercrime.gov
which lists federal cybercrime prosecutions.
Roughly half the defendants are IT or IT security
employees or ex-employees
 93
Employee and Ex-Employee Threats

Employee Sabotage
 Destruction of hardware, software, or data
 Plant time bomb or logic bomb on computer

Sabotage comes from the French word for “shoe”

because disgruntled workers in the early years of
the Industrial Revolution supposedly threw their
wooden shoes into machines to stop production
 94
Employee Sabotage, Example…

Tim Lloyd, a computer systems administrator, was

fired for being threatening and disruptive. In
retaliation, Lloyd planted a logic bomb on a critical
server. When pre-set conditions occurred, the logic
bomb destroyed the programs that ran the company’s
manufacturing machines. Lloyd also took home and
erased the firm’s backup tapes to prevent recovery..
 95

Lloyd’s sabotage resulted in USD 10 million in

immediate business losses, USD 2 million in
reprogramming costs, and 80 layoffs. The attack led to
a permanent loss of the company’s competitive status
in the hi-tech instruments and measurements market
because the company could not re-build the
proprietary software it had been using.

-Sharon Gaudin, Computerworld

 96
Another Sabotage, Example…

Two traffic Engineers working for the city of Los

Angeles pleaded guilty to hacking the city’s traffic
center and disconnecting traffic signals at four LA’s
busiest intersections. They then locked out the
controls to these intersections so that it took four
days to restore control.
 97
Another Sabotage, Example

They did this a few hours before their union’s

scheduled job action against the city in support of
contract negotiations.
For this infraction, they received 240 days of
community service, and were required to have their
computers at home and work monitored.

-Dan Goodin
 98
Employee and Ex-Employee Threats

Employee Hacking
 Hacking is intentionally accessing a computer resource without
authorization or in excess of authorization.
 Authorization is the key

First documented use of the word “hacker” was in Steve

Levy’s book, Hackers in 1984…
 99
Employee and Ex-Employee Threats

 Note that the motivation for hacking is irrelevant

 Penalties are the same whether you were trying to steal a
million dollars or were merely “testing security”

Access has to be intentional, damage does not…

 100
Employee and Ex-Employee Threats

Employee Financial Theft

 Misappropriation of assets
 E.g. assigning them via computer to themselves
 Theft of money
 E.g. manipulation of an application to be paid a bonus

Two accountants at Cisco Systems, illegally accessed a corporate computer

to issue themselves USD 8 million worth of Cisco stocks.
-http://www.cybercrime.gov , 2001
 101
Employee and Ex-Employee Threats

Employee Financial Theft

In another case, Quitugua Sabathia, 31, of Vallejo, California, used her

computer to embezzle more than USD 875,000 from the North Bay Health
Care Group. A former accounts payable clerk at North Bay, she accessed the
firm’s accounting software and issued approximately 127 cheques payable
to herself and others. To conceal the fraud, she altered the electronic cheque
register to make it appear that the cheques had been payable to north bay’s
vendors.
 102
Employee and Ex-Employee Threats

Employee Theft of Intellectual Property (IP)

 Copyrights and patents (formally protected)
 Trade secrets: plans, product formulations, business
processes, and other info that a company wishes to keep
secret from competitors
 103
Employee and Ex-Employee Threats

Employee Theft of Intellectual Property (IP)

Intellectual Property (IP) is the information owned by the

company and protected by law.

Trade secrets are pieces of sensitive information that a firm acts

to keep secret from competitors; e.g. plans, price lists and
customer lists, etc.
 104
Employee and Ex-Employee Threats

Employee Theft of Intellectual Property (IP)

A former DuPont research scientist admitted downloading

trade secrets worth USD 400 million. Only when he
announced his decision to leave was his downloading
behavior analyzed. The analysis found that he had
downloaded 16,700 documents – 15 times more than the
second-highest downloader. Most of these documents had
nothing to do with his primary research area.
- PC World, 2007
 105
Employee and Ex-Employee Threats

Employee Extortion
 Perpetrator tries to obtain money or other goods by threatening to take actions
that would be against the victim’s interest

For example the employee might deploy a logic bomb on the company’s
computer.

Stealing Intellectual Property (IP) and demanding money for not passing
on the information is also extortion.
 106
Employee and Ex-Employee Threats

 Harassment of Other Employees

 Via e-mail
 Displaying inappropriate material

Washington Leung left a firm and later logged into his ex-firm’s servers
using passwords given to him while employed there. He deleted over 900
files related to employee compensation. To frame a female co-worker, he
gave her a USD 40,000 annual raise, and a USD 100,000 bonus. He created
a hotmail account in the name of the female employee and sent senior
managers an email containing information from the deleted files.
http://www.cybercrimes.gov
 107
Employee and Ex-Employee Threats

Other Types Of Abuse

 Internet Abuse
 Downloading inappropriate material, which can lead to
harassment lawsuits and viruses
 Downloading pirated software, music, and video, which can
lead to copyright violation penalties
 Excessive personal use of the Internet at work
 108
Employee and Ex-Employee Threats

 Non-Internet Computer Abuse

 Unauthorized access to private personal data on internal systems by curious employees

This type of behavior was detected in the 2008 Presidential election campaign
and in several celebrity hospitalizations
-Los Angeles Times, 2008

A survey of 300 senior IT administrators in a London security

conference and trade show found that one in three admitted to looking
at confidential or personal information in ways unrelated to their jobs
-Computerworld 2008
 109
Employee and Ex-Employee Threats

 Carelessness
 Loss of computers or data media containing sensitive information
 Carelessness leading to the theft of such information

A Ponemon survey in 2008 found that 630,000 laptops are lost at airports
each year. Although only some of these are corporate computers, airports
are not the only place where laptops are lost, and lost media (US drives)
can be just as damaging.
-Ponemon Institute
 110
Employee and Ex-Employee Threats

 Other “Internal” Attackers

 Contract workers who work for the firm for brief periods of time
 Workers in contracting companies

Contract workers often get credentials that are not deleted

after their engagement ends.
 111
Employee and Ex-Employee Threats

 Example Of Contract Workers

Claude Carpenter, a 19 year old employee of a firm

managing servers for the US Internal Revenue Service (IRS)
planted a logic bomb on the servers after he learned he was
about to be fired. The IRS would have been the real victim
had his logic bomb succeeded. He also planted the code on
his supervisors computer to frame the supervisor.
http://www.cybercrime.gov
(2001)
 Prevention & Deterrence is key

• Limit
• Prevent those
opportunity
with intent Robust pre- Comprehensive • Maximise
• Identify those employment on-going
deterrence
who could be screening security
• Provide means
vulnerable measures
to report
concerns
• Appreciate
• Reduce
threat & Strong Positive disaffection
responsibilities security management • Promote loyalty
• Compliance culture practices
& commitment
• Awareness to
• Address
signs
grievances
• Willing to
report
Traditional External Attackers

WAQAS AHMAD
BUTT
 114

TRADITIONAL
EXTERNAL
Traditional ATTACKERS USE THE
INTERNET TO SEND
External MALWARE INTO
Attackers CORPORATIONS,
HACK INTO
CORPORATE
COMPUTER AND DO
OTHER DAMAGE.
What is a malware ?

 A Malware is a set of instructions that run on your computer and

make your system do something that an attacker wants it to do.
 Generic name for any evil software.
 116
DIFFERENT MALWARES
The Malware Zoo

 Virus

 Backdoor

 Trojan horse
 Rootkit

 Scareware

 Adware

 Worm

 Spam

 RAT
 118
Classic Malware: Viruses and Worms

 Malware

Malware is a very serious threat. In June 2006

Microsoft reported results from a survey of users
who allowed their computers to be scanned for
malware. The survey found 16 million pieces of
malware on the 5.7 million machines examined.
What is a Virus ?

a program that can infect other programs by modifying them

to include a, possibly evolved, version of itself.
 Programs that attach themselves to legitimate programs on the
victim’s machine
 Later when infected programs are transferred to other
computers and run, the virus attaches itself to other programs
on those machines.
 120
Classic Malware: Viruses and Worms

 Viruses
 Spread today primarily by e-mail with infected attachments
 Also by instant messaging, file transfers, file sharing programs,
downloads from malicious websites, etc

Through networked applications, viruses can spread

very rapidly today
What is a worm

A computer worm is a self-replicating computer

program. It uses a network to send copies of itself
to other nodes and do so without any user
intervention.
 122
Classic Malware: Viruses and Worms

 Worms
 Full programs that do not attach themselves to other programs
 Like viruses, can spread by e-mail, instant messaging, and file transfers

In general worms act much like viruses and can

spread via email and in other ways that viruses spread
 123
Classic Malware: Viruses and Worms

 Direct-propagation Worms

 In addition, direct-propagation worms can jump from one computer to

another without human intervention on the receiving computer
 Computers must have a vulnerability for direct propagation to work
 Direct-propagation worms can spread extremely rapidly because they
do not have to wait for users to act
 124
Classic Malware: Viruses and Worms

 Slammer Worm

On January 25, 2016, the Slammer worm exploded across the Internet. In
ten minutes, before a handful of people knew it existed, Slammer had
infected 90% of all vulnerable computers on the entire Internet. Although
Slammer did not erase hard-disks or do other damage, it caused massive
damage by spreading so quickly, it choked parts of the Internet. Around
the world, ATMs became unusable, police departments lost their ability to
communicate and most users in Korea lost their service.
 125
Classic Malware: Viruses and Worms

 Blended Threats
 Malware propagates in several ways—like worms, viruses,
compromised webpages containing mobile code, etc.

By propagating in multiple ways, blended threats increase their likelihood of

success.

MessageLabs reported in August 2011 that 1% of all email contains viruses,

worms, or blended threats. During major outbreaks, one in ten email messages
may contain viruses, worms, or blended threats.
(http://www.messagelabs.com)
 126
Classic Malware: Viruses and Worms

 Payloads
 Pieces of code that do damage
 Implemented by viruses and worms after propagation
 Malicious payloads are designed to do heavy damage

Benign payloads merely pop up a message on the user’s screen or do some

other annoying but nonlethal damage
 127
Classic Malware: Viruses and Worms

 Payloads

Malicious payloads can do extreme damage, for example, by randomly

deleting files from the victim’s hard disk drive or by installing some
other types of malware

Virus and worm payloads also frequently soften up the computer by

disabling its antivirus software and by taking other actions that leave it
highly vulnerable
 128
Classic Malware: Viruses and Worms

In 2004, the Aberdeen group surveyed 162 companies.

They found that each firm lost an average of USD 2
million per virus or worm incident and spent an additional
USD 100,000 to clean up computers after an attack. Both
numbers increased with company size. Most companies
reported enduring on average one incident per year,
although many firms reported multiple incidents.
(http://www.aberdeen.com)
 129
Classic Malware: Viruses and Worms

Another security firm Mi2g estimated that damage

from malware in 2004 alone averaged USD 290
per PC in the firms it studied.

(http://www.mi2g.com)
 130
Non-Mobile Malwares

 Non-mobile Malware
 Must be placed on the user’s computer through one of a growing
number of attack techniques
1. Placed on computer by hackers
2. Placed on computer by virus or worm as part of its payload
3. The victim can be enticed to download the program from a website
4. Mobile code executed on a webpage can download the non-mobile
malware
 131
Trojan Horses and Rootkits

 Trojan Horses
 A program that replaces an existing system file, taking its name

Most non-mobile malware programs are trojan horses

Early trojan horses were programs that pretended to be one

thing, such as a game or a pirated version of a commercial
program, but really were malware. Many of these classic
trojan horses still exist.
 132
Trojan Horses and Rootkits

 Trojan Horses

Today, however, when we talk about a trojan horse, we

mean a program that hides itself by deleting a system file
and taking on the system file’s name.

Trojan horses are difficult to detect because they look like

legitimate system files
 133
Trojan Horses and Rootkits

 Trojan Horses
 Remote Access Trojans (RATs)
 Remotely control the victim’s PC

The attacker can remotely do pranks such as opening and

closing your CD drive, or by typing text on your screen

There are many legitimate remote access programs that

allows remote user to work on a machine. However, RATs
are typically stealthy in order to avoid detection by the
owner of the machine
 134
Trojan Horses and Rootkits

 Trojan Horses
 Spyware
 Programs that gather information about you and make it available to the
adversary

Although the biggest problem with spyware is the theft of

information, spyware also tends to make computers run
sluggishly

One new form of spyware is camera spyware which spies

on the victim visually by turning on its camera and perhaps
also its microphone
 135
Trojan Horses and Rootkits

 Trojan Horses
 Spyware
 Cookies that store too much sensitive personal information

Websites are allowed to store small text strings called cookies on

your PC. The next time you go to the website the website can
retrieve the cookie. Cookies have many benefits like
remembering your password each time you visit. Cookies can
also remember what happened last in a series of screens leading
to purchases. However, when cookies record too much sensitive
information about you, they become spyware.
 136
Trojan Horses and Rootkits

 Trojan Horses
 Spyware
 Keystroke loggers

Keystroke loggers capture all of your keystrokes. They

then look through the collected keystrokes for usernames,
passwords, credit card numbers, and other sensitive
information. They send this information to the adversary.
 137
Trojan Horses and Rootkits

 Trojan Horses
 Spyware
 Password-stealing spyware

Tells you that you have been logged out of the server
you are visiting and asks you to retype your username
and password. If you do, the spyware sends the
username and password to the attacker.
 138
Trojan Horses and Rootkits

 Trojan Horses
 Spyware
 Data mining spyware

Searches through your disk drives for the same types of

information sought by keystroke loggers. It also sends this
information to the adversary.
Malwares that use Social Engineering

WAQAS AHMAD BUTT

 140
What is Malicious Code?

Viruses, worms, trojans, …

Code that breaks your security policy.

Attack vector
Characteristics Payload
Spreading algorithm
What is social engineering?

 Social Engineering is a collection of techniques used to manipulate

people into performing actions or divulging confidential information.

 Social engineering is generally a hacker’s clever manipulation of the

natural human tendency to trust.
 142
Other Malware Attacks

 Social Engineering in Malware

 Social engineering is attempting to trick users into doing something that goes
against security policies

For example if an employee receives an email message

warning about a mass layoff being imminent, he or she
may open an attachment and therefore download a virus,
worm, or trojan horse.
 144
Trojan Horses/Rootkits

 Trojan Horses
 Rootkits

Take control of the super user account (root,

administrator, etc.)
Can hide themselves from file system detection
Can hide malware from detection
Extremely difficult to detect (ordinary antivirus
programs find few rootkits)
 145
Trojan Horses and Rootkits

 Trojan Horses
 Rootkits

In 2015 Sony downloaded a rootkit onto the PCs of

people playing Sony media disks. The discovery of this
digital rights management (DRM) rootkit generated
extreme negative publicity. The negative publicity
increased when it was discovered that the rootkit left the
PC open to attack by anyone.
 146
Other Malware Attacks

 Mobile Code

When you download a webpage it may contain executable

code as well as text, images, sounds, and video. This is
called mobile code because it executes on whatever machine
downloads the webpage.
 147
Other Malware Attacks

 Mobile Code
 Executable code on a webpage
 Code is executed automatically when the webpage is downloaded
 Hostile code that can do damage if computer has vulnerability
 148
Other Malware Attacks

 Social Engineering in Malware

 Several types of malware use social engineering
Spam

Phishing

Spear phishing (aimed at individuals or specific

groups)
Hoaxes
 149
Other Malware Attacks

 Social Engineering in Malware

 Spam

The bane of all email users is spam which is defined as

unsolicited commercial e-mail.

In addition to being annoying, spam messages are often

fraudulent or advertize dangerous products
 150
Other Malware Attacks

 Social Engineering in Malware

 Spam

Spam has become a common vehicle for distributing

viruses, worms, trojan horses, and many other types of
malware

According to MessageLabs, 67% of all e-mail messages

were spam in May 2018.
http://www.messagelabs.com
 151
Other Malware Attacks

 Social Engineering in Malware

 Phishing

In phishing attack, victims receive email messages that appear to come

from a bank or another firm with which the victim does business. The
message may even direct the victim to an authentic-looking website. The
official appearance of the message and website often fool the victim into
giving out sensitive information.
Phishing Example

Points to “bad” IP
Address!
 153
Other Malware Attacks

 Social Engineering in Malware

 Phishing

In 2004 when phishing was fairly new but already well known
to consumers, a study showed consumers a group of email
messages and asked whether each email was a phishing attack
or not.

The consumers judged 28% of the phishing messages to be

legitimate messages.
 154
Other Malware Attacks

 Social Engineering in Malware

 Spear phishing (aimed at individuals or specific groups)

Normally phishing attacks tend to appeal broadly to many

people so they can dupe as many people as possible.

In one case a number of CEOs received a message disguising

itself as a court order. The message directed the CEOs to a
website uscourts.com. There the CEOs could find court
documents and a plug-in to view the documents. The plug-in
was spyware !
 155
Other Malware Attacks

 Social Engineering in Malware

 Hoaxes

The sulfnbk.exe hoax told computers that a virus called AOL.exe was
travelling around the Internet. The hoax said that they should delete the
file sulfnbk.exe. Victims who did so were really deleting their AOL
access

Other hoaxes have tried to persuade victims to delete their antivirus

protection and even critical operating files needed for their computers
operation.
 156
Future Threat: Super Worm

“Curious Yellow: the First Coordinated Worm Design” –

Brandon Wiley
 Fast replication & adaptability:
 Pre-scan the network for targets.
 Worm instances communicate to coordinate
infection process.
 Attack vectors can be updated.
 Worm code mutates.
 157
MessageLabs Intelligence
http://www.messagelabs.com
 158
MessageLabs Intelligence
http://www.messagelabs.com
 159
MessageLabs Intelligence
http://www.messagelabs.com
 160
MessageLabs Intelligence
http://www.messagelabs.com
 161
9 Best Defenses against Social Engineering
Attacks

 Educate Yourself.
 Be Aware Of The Information You’re Releasing.
 Determine Which Of Your Assets Are Most Valuable To Criminals.
 Write A Policy And Back It Up With Good Awareness Training.
 Keep Your Software Up To Date.
 Give Employees A Sense Of Ownership When It Comes To Security
 When Asked For Information, Consider Whether The Person You’re Talking
To Deserves The Information They’re Asking About.
 Watch For Questions That Don’t Fit The Pretext.
 Stick To Your Guns.
 162
McAfee Spam Checklist (Do…)

 Unsubscribe from legitimate mailings that you no longer want

to receive.
 Be selective about the Web sites where you register your email
address.
 Avoid publishing your email address on the Internet.
 Delete all spam.
 Avoid clicking on suspicious links in email or IM messages as
these may be links to spoofed websites.
 163
McAfee Spam Checklist (Do not…)

 Open unknown email attachments. These attachments

could infect your computer.
 Reply to spam. Typically the sender’s email address is
forged, and replying may only result in more spam.
 Fill out forms in messages that ask for personal or
financial information or passwords
 Buy products or services from spam messages.
 Open spam messages.
Traditional Hackers and Social Engineering Attacks

WAQAS AHMAD BUTT

 Traditional External Attackers: 165
Hackers

 Traditional Hackers

In the 1970s, malware writers were joined by

external hackers who began to break into corporate
computers that were connected to modems. Today
nearly every firm is connected to the Internet which
harbors millions of external hackers
 Traditional External Attackers: 166
Hackers

 Traditional Hackers
 Motivated by thrill, validation of skills, sense of power
 Motivated to increase reputation among other hackers
 Often do damage as a byproduct
 Often engage in petty crime
 167
Traditional External Attackers: Hackers

 Traditional Hackers

In 2016, vandals broke into a computerized road sign in

Austin, Texas, and changed its message to read: “The end is
near ! Caution ! Zombies Ahead !
 168
Traditional External Attackers: Hackers

Just like a thief who wants to rob a home does

reconnaissance of the neighborhood and gathers information
to determine which house to break into, hackers also tend to
do reconnaissance before breaking into a computer.
 169
What is an Attack Vector

An attack vector is a path or means by which a hacker can

gain access to a computer or network server in order to
deliver a payload or malicious outcome.
 170
Traditional External Attackers: Hackers

 Anatomy of a Hack
 Reconnaissance probes (see figure)
 IP address scans to identify possible victims
 Identify active hosts
 ICMP Echo and Echo reply messages
 Port scans (connection requests) to learn which services are open on each potential
victim host

Port 80 is the well known port for HTTP web servers. There are
many well known port numbers between 0 and 1023. each
indicates the presence of a particular type of application.
 171
HACKER PSYCHOLOGY

 Achievement
 The Harder the Better
 The Bigger the Better
 Fame
How to be a Hacker
http://www.tuxedo.org/~esr/faqs/hacker-how
 Recognition (Distrust) to.html
 Respect (Fear)
 Surprise
 Creativity
 Money*
 Corporations
 Governments

*Note: Hackers don’t make the Money – their Thrill is in the Game!
 172
Popular View of Hackers
 Probe and Exploit Attack Packets 173

1. ICMP Echo and Echo reply

1.
IP Address Scanning Packet
Response Confirms a Host at
128.171.17.13
Attacker

2.
Port Scanning Packet
128.171.17.13 to Identify Running
Applications

3. Exploit or break-in
3.
Exploit
Packet
128.171.17.22
128.171.17.47 Corporate Site

2. Connection requests
On a particular port number
Copyright Pearson Prentice-Hall 2010
 Source IP Address Spoofing 174

Attacker

1.
Spoofed Packet to 128.171.17.13
Source IP address = 128.171.17.47
Instead of 10.6.4.3 10.6.4.3
128.171.17.13

IP Address Spoofing
2. Hides the Attacker's Identity.
Reply goes to
Host 128.171.17.47 But Replies do Not Go to the Attacker,
So IP address Spoofing
Cannot be Used for All Purposes
128.171.17.47

Some exploit packets cannot be spoofed so the attacker uses chain

of attack
 175
Traditional External Attackers: Hackers

 Chain of attack computers (see figure)

◦ The attacker attacks through a chain of victim computers
◦ Probe and exploit packets contain the source IP address of the last
computer in the chain
◦ The final attack computer receives replies and passes them back to the
attacker
◦ Often, the victim can trace the attack back to the final attack computer
◦ But the attack usually can only be traced back a few computers more
 176
Chain of Attack Computers

Attack
Log In Log In Command

Attacker
Compromised Compromised Target Host
1.34.150.37
Attack Host Attack Host 60.168.47.47
3.35.126.7 123.125.33.101

For probes whose replies must

Usually Can Only Trace Attack
be received, attacker sends
probes through a chain of to Direct Attacker (123.125.33.101)
attack computers. or Second Direct Attacker (3.35.126.7)
Victim only knows the identity
of the last compromised host
(123.125.33.101)
Not that of the attacker
 177
Traditional External Attackers: Hackers

 Social Engineering
◦ Social engineering is often used in hacking
◦ Social engineering (as we saw earlier) is attempting to trick
users into doing something that goes against the interests of
security
◦ Often successful because it focuses on human weaknesses
instead of technological weaknesses
 178
Social Engineering Attacks

Authority Attack: using fake badge, uniform, to gain info or access or

identify a key individual as alleged friend, or claim authority and
demand information
Knee Jerk Attack: making an outlandish statement in order to get an
informational response
Persistent Attack: continuous harassment using guilt, intimidation
and other negative ways to obtain information
Social Attack: social parties are a great time and place to gain access
and information from/about employees and activities
Fake Survey Attack: win a free trip to Hawaii, just answer these
questions about your network
Help Desk Attack: impersonating a current or new end-user needing
help with access to a net/server
 179
Traditional External Attackers: Hackers

 Social Engineering
 Call and ask for passwords and other confidential information

In one social engineering scenario, a hacker calls a

secretary claiming to be working with the
secretary’s boss. The hacker then asks for sensitive
information such as a password or sensitive file.
 180
Traditional External Attackers: Hackers

 Social Engineering
 E-mail attack messages with attractive subjects
 Piggybacking
 Shoulder surfing
 Pretexting

Piggybacking is following someone through a secure door,

without entering a pass code. Looking over someone’s
shoulder when he or she types a password is shoulder surfing.
In pretexting the attacker calls claiming to be a certain
customer in order to get private information about that
customer.
 181
Traditional External Attackers: Hackers

 Denial-of-Service (DoS) Attacks

 Make a server or entire network unavailable to legitimate users
 Typically send a flood of attack messages to the victim
 Distributed DoS (DDoS) Attacks ( see figure)
 Bots flood the victim with attack packets
 Attacker controls the bot
 182
Denial of Service
 183
Explanation of Smurf Attack
 184
Denial of Service

IC M P e c h o (s p o o fe d s o u rc e a d d re s s o f v ic tim )
S e n t to IP b ro a d c a s t a d d re s s
IC M P e c h o re p ly

In te rn e t

P e rp e tra to r V ic tim
 185
Distributed Denial-of-Service (DDoS) Flooding Attack

Bot
Attack
Command
Attack Packets

Attack
Command Attack Packets
Attacker
Bot Victim

Attack Bot Attack Packets

Command
 186
Traditional External Attackers: Hackers

 Bots
 Updatable attack programs ( see figure)
 Botmaster can update the software to change the type of attack the bot
can do
 May sell or lease the botnet to other criminals
 Botmaster can update the bot to fix bugs
 187
Fixing and Updating Bots

1.
DoS Attack Bot
Command
1.
DoS Attack Packets
2.
Software update
Botmaster for Spam
2.
Bot
Spam DOSVictim
E-Mail

3. 2.
Software update Spam
to fix bug in the E-Mail Spam Victims
attack software
Bot
 188
Distributed Denial-of-Service (DDoS) Flooding Attack

To attack a server, the bots might flood the server with TCP connection-
opening requests (TCP SYN segments). A server reserves a certain amount
of capacity each time it receives a SYN segment. By flooding a computer
with SYN segments, the attacker can cause the server to run out of
resources and therefore crash.
Distributed DoS Example
 190
Other Security Attacks

 Interruption: This is an attack on

availability
 Interception: This is an attack on
confidentiality
 Modification: This is an attack on
integrity
 Fabrication: This is an attack on
authenticity
Security Attacks 191
 192
Traditional External Attackers: Hackers

 Skill Levels
 Expert attackers are characterized by strong technical skills and dogged
persistence
 Expert attackers create hacker scripts to automate some of their work
 Scripts are also available for writing viruses and other malicious software

Today’s hacker scripts often have easy to use graphical user interfaces and
look like commercial products. Many scripts are available on the
Internet…These easy to use scripts have created a new type of hacker “the
script kiddie”
 193
Traditional External Attackers: Hackers

 Skill Levels
 Script kiddies use these scripts to make attacks
 Script kiddies have low technical skills
 Script kiddies are dangerous because of their large numbers

In February 2010 a number of major firms were affected by devastatingly

effective DDOS attacks that blocked each of their e-commerce systems for
hours at a time. Victims included CNN, ebay, Yahoo, ZDNET, and others.
At first the attacks were thought to be work of an elite hacker. However, the
culprit was found to be a 15 year old script kiddie in Canada.
 194
Traditional External Attackers: Hackers

 Skill Levels

Today tools are available for creating all types of exploits.

One of the most important is the MetaSploit Framework
which makes it easy to take a new exploitation method and
rapidly turn it into a full attack program. Metasploit is used
both by attackers to launch attacks, and by security
professionals to test the vulnerability of their systems to
specific exploits.
 19
Cyberwar and Cyberterrorism 5

 Cyberwar and Cyber-terror

 Attacks by national governments (cyberwar)
 Attacks by organized terrorists (cyber-terror)
 Nightmare threats
 Potentialfor far greater attacks than those caused by
criminal attackers
Cryptography and
Cryptosystem

WAQAS AHMAD
BUTT
Cryptography
Definitions and Concepts

 Encryption is a method of transforming readable data, called plaintext,

into a form that appears to be random and unreadable, which is called
ciphertext.

 This enables the transmission of confidential information over insecure

channels without unauthorized disclosure
Cryptography
Definitions and Concepts

 When data is stored on a computer, it is usually protected

by logical and physical access controls
 When this same sensitive information is sent over a
network, it can no longer take these controls for granted,
and the information is in a much more vulnerable state
 Receiver

Sender

Without the right key, the captured

message is useless to an attacker.
Cryptography
Definitions and Concepts

 A system or product that provides encryption and decryption

is referred to as a cryptosystem and can be created through
hardware components or program code in an application
 The cryptosystem uses an encryption algorithm
 Most algorithms are complex mathematical formulas that are
applied in a specific sequence to the plaintext
Cryptosystems

A cryptosystem encompasses all of the necessary

components for encryption and decryption to take place.
Pretty Good Privacy (PGP) is just one example of a
cryptosystem.

A cryptosystem is made up of at least the following:

• Software
• Protocols
• Algorithms
• Keys
Cryptography
Definitions and Concepts

 Most encryption methods use a secret value called a key

(usually a long string of bits), which works with the
algorithm to encrypt and decrypt the text.
 The algorithm, the set of rules also known as the cipher,
dictates how enciphering and deciphering takes place.
 Many of the mathematical algorithms used in computer
systems today are publicly known and are not the secret
part of the encryption process.
 If the internal mechanisms of the algorithm are not a secret, then something must
be kept secret.
 The secret piece of using a well-known encryption algorithm is the key.
Cryptography
Definitions and Concepts

 In encryption, the key (cryptovariable) is a value that

comprises a large sequence of random bits

 An algorithm contains a keyspace, which is a range of

values that can be used to construct a key.
The larger the keyspace, the more available values can be used
to represent different keys—and the more random the keys are,
the harder it is for intruders to figure them out
Cryptography
Definitions and Concepts

 When the algorithm needs to generate a new key, it uses random values
from this keyspace.

For example, if an algorithm allows a key length of 2 bits,

the key-space for that algorithm would be 4, which indicates
the total number of different keys that would be possible.
That would not be a very large key-space, and certainly it
would not take an attacker very long to find the correct key
that was used.
Cryptography
Definitions and Concepts

 A large keyspace allows for more possible keys.

 Today, we are commonly using key sizes of 128, 256, 512,
or even 1,024 bits and larger. So a key size of 512 bits would
provide a 2512 possible combinations (the keyspace)
 The encryption algorithm should use the entire keyspace and
choose the values to make up the keys as randomly as
possible.
Key Length and Exhaustive Search Time

Key Length in Each extra bit Number of Possible Keys

Bits doubles the number of
1 keys 2
2 4
4 16
8 256
16 65,536
40 1,099,511,627,776
56 72,057,594,037,927,900
112 5,192,296,858,534,830,000,000,000,000,000,000
112 5.1923E+33
168 Shaded keys are 3.74144E+50
256 Strong symmetric keys 1.15792E+77
512 (>=100 bits) 1.3408E+154
 Time Required For Decryption

Key Size (bits) Number of Alternative Time required at 1 Time required at 106
Keys decryption/µs decryptions/µs

32 232 = 4.3  109 231 µs = 35.8 2.15 milliseconds

minutes
56 256 = 7.2  1016 255 µs = 1142 years 10.01 hours

128 2128 = 3.4  1038 2127 µs = 5.4  1024 5.4  1018 years
years
168 2168 = 3.7  1050 2167 µs = 5.9  1036 5.9  1030 years
years
26 characters 26! = 4  1026 2  1026 µs = 6.4  6.4  106 years
(permutation) 1012 years
 Major Symmetric Key Encryption Ciphers

RC4 DES 3DES AES

Key Length 40 bits or 56 112 or 168 128, 192, or
(bits) more 256
Key Strength Very weak at Weak Strong Strong
40 bits
Processing Low Moderate High Low
Requirements
RAM Low Moderate Moderate Low
Requirements
Remarks Can use Created in Applies Today’s gold
keys of the 1970s DES three standard for
variable times with symmetric
length two or three key
different encryption
DES keys
 Kerckhoff’s Principle

 Auguste Kerckhoffs published a paper in 1883 stating that

the only secrecy involved with a cryptography system
should be the key. He claimed that the algorithm should be
publicly known.
 Fundamental tenet of cryptography according to kerckhoff is
that the inner workings of the cryptosystem are completely
known to the attacker, and the only secret is the key.
 Cryptographers in the private and academic sectors agree
with Kerckhoffs’ principle, because making an algorithm
publicly available means that many more people can view
the source code, test it, and uncover any type of flaws or
weaknesses.
 It is the attitude of “many heads are better than one.” Once
someone uncovers some type of flaw, the developer can fix
the issue, and provide society with a much stronger
algorithm.
 But, not everyone agrees with this philosophy.
Governments around the world create their own algorithms
that are not released to the public. Their stance is that if a
smaller number of people know how the algorithm actually
works, then a smaller number of people will know how to
possibly break it.
 Cryptographers in the private sector do not agree with this
practice and do not trust algorithms they cannot examine.
The Strength of the Cryptosystem

 The strength of an encryption method comes from the

algorithm, the secrecy of the key, the length of the key,
the initialization vectors, and how they all work together
within the cryptosystem.
 When strength is discussed in encryption, it refers to how
hard it is to figure out the algorithm or key, whichever is
not made public.
 Breaking a cryptosystem can be accomplished by a brute
force attack, which means trying every possible key value
until the resulting plaintext is meaningful.
 Depending on the algorithm and length of the key, this can be
an easy task or one that is close to impossible.
 The goal when designing an encryption method is to make
compromising it too expensive or too time-consuming.
 Another name for cryptography strength is work factor,
which is an estimate of the effort and resources it would take
an attacker to penetrate a cryptosystem.
 Important elements of encryption are to use an algorithm without
flaws, use a large key size, use all possible values within the
keyspace, and to protect the actual key.
 If one element is weak, it could be the link that dooms the whole
process.

Even if a user employs an algorithm that has all the

requirements for strong encryption, including a large
keyspace and a large and random key value, if he shares his
key with others, the strength of the algorithm becomes
almost irrelevant.
Services of Cryptosystems

 Confidentiality
 Integrity
 Authentication
 Authorization
 Nonrepudiation
 Access Control
Services of Cryptosystems

 Confidentiality
Renders the information unintelligible except by authorized entities
 Integrity
Data has not been altered in an unauthorized manner since it was created,
transmitted, or stored
 Authentication
Verifies the identity of the user or system that created information
 Authorization
Upon proving identity, the individual is then provided with the key or password
that will allow access to some resource
 Nonrepudiation
Ensures that the sender cannot deny sending the message.
If David sends a message and then later claims he did not
send it, this is an act of repudiation. When a cryptography
mechanism provides non-repudiation, the sender cannot
later deny he sent the message.
(He can try to deny it, but the cryptosystem proves
otherwise)
Suppose your boss sends you a message telling you that you will be
receiving a raise that doubles your salary.
•The message is encrypted, so you can be sure it really came from your
boss (authenticity)
•Someone did not alter it before it arrived at your computer (integrity)
•No one else was able to read it as it traveled over the network
(confidentiality)
•Your boss cannot deny sending it later when he comes to his senses
(non-repudiation)
 Military and intelligence agencies are very concerned about keeping
information confidential, so they would choose encryption mechanisms
that provide a high degree of secrecy.
 Financial institutions care about confidentiality, but they also care about
the integrity of the data being transmitted, so the encryption mechanism
they would choose may differ from the military’s encryption methods
 Legal agencies may care most about the authenticity of the
messages they receive.
 If information received ever needed to be presented in a
court of law, its authenticity would certainly be questioned;
therefore, the encryption method used must ensure
authenticity, which confirms who sent the information.
Symmetric Cryptography

WAQAS AHMAD BUTT

Difference b/w Symmetric and
Asymmetric Encryptions

 Symmetric encryption uses a single key that needs to be shared among

the people who need to receive the message while asymmetrical
encryption uses a pair of public key and a private key to encrypt and
decrypt messages when communicating.
 Symmetric encryption is an old technique while asymmetric encryption
is relatively new.
 Asymmetric encryption was introduced to complement the inherent
problem of the need to share the key in symmetrical encryption model,
eliminating the need to share the key by using a pair of public-private
keys.
 Symmetric encryption is fast but has key management issues.
Symmetric-key cryptography
 Note
In symmetric-key cryptography, the same key is used
by the sender(for encryption) and the receiver (for
decryption).
The key is shared.
Algorithm: DES,3DES, RC4, RC5, RC6, AES
 Important Terms

 Algorithm Set of mathematical rules used in encryption and decryption

 Cipher Plaintext when converted into unreadable form, it becomes a
cipher
 Cryptography Science of secret writing that enables you to store and
transmit data in a form that is available only to the intended individuals
 Cryptosystem Hardware or software implementation of cryptography
that transforms a message to cipher-text and back to plain-text
 Cryptanalysis Practice of breaking cryptic systems
 Cryptology The art and science of making and breaking
“secret codes”.
 Data origin authentication Proving the source of a
message (system based authentication)
 Encipher Act of transforming data into an unreadable
format
 Entity authentication Proving the identity of the entity
that sent a message
 Decipher Act of transforming data into a readable format
 Key Secret sequence of bits and instructions that governs
the act of encryption and decryption
 Keyspace A range of possible values used to construct keys
 Plaintext Data in readable format, also referred to as
cleartext
 Receipt Acknowledgment that a message has been received
 Work factor Estimated time, effort, and resources
necessary to break a cryptosystem
Some Symmetric Cryptosystems

 Some common symmetric-key cryptographic algorithms.

Classification Of The Field Of Cryptology
One-time Pad (Vernam Cipher)

 A one-time pad is a perfect encryption scheme because it is

considered unbreakable, if implemented properly.
 It was invented by Gilbert Vernam in 1917, so sometimes it
is referred to as the Vernam cipher
 This cipher does not use shift alphabets, as do the Caesar
and Vigenere ciphers discussed earlier, but instead uses a
pad made up of random values
 Our plaintext message that needs to be encrypted has been converted
into bits, and our one-time pad is made up of random bits
 This encryption process uses a binary mathematic function called
exclusive-OR, usually abbreviated as XOR.
The first bit of the message is XORed to the first bit of the onetime pad,
which results in the ciphertext value 1. The second bit of the message is
XORed with the second bit of the pad, which results in the value 0
The receiver must have the same one-time pad to decrypt the message, by
reversing the process.

The receiver takes the first bit of the encrypted message and XORs it with
the first bit of the pad. This results in the plaintext value.
 One-Time Pad Rules

For a one-time pad encryption scheme to be considered

unbreakable.
 The key is at least as long as the message or data that must be encrypted.
 The key is truly random (not generated by a simple computer function or such)
 Key and plaintext are calculated modulo 10 (digits), modulo 26 (letters) or
modulo 2 (binary)
 Each key is used only once, and both sender and receiver must destroy their key
after use.
 There should only be two copies of the key: one for the sender and one for the
receiver (some exceptions exist for multiple receivers)
One Time Pad Example
 Steganography

 Steganography is a technique of hiding secret data with an

ordinary file or message in order to avoid detection
 Only the sender and receiver are supposed to be able to see
the message because it is secretly hidden in a graphic, wave
file, document, or other type of media.
 The message is not encrypted, just hidden. Steganography
can be combined with encryption as an extra step for
protecting data.
 A method of embedding the message into some type of
medium is to use the least significant bit (LSB).
Steganography Example

Image of a cat extracted

from the image of the tree

Image of a tree. Removing all but the two least significant bits of each
color component produces an almost completely black image. Making that
image 85 times brighter produces the image of the cat.
Steganography

 (a) Three zebras and a tree. (b) Three zebras, a tree, and the complete text
of five plays by William Shakespeare.
Digital Watermarking

The embedded logo or trademark is called a digital

watermark. Instead of having a secret message within a
graphic that is supposed to be invisible to you, digital
watermarks are usually visible. These are put into place to
deter people from using material that is not theirs.
This type of steganography is referred to as Digital Rights
Management (DRM). The goal is to restrict the usage of
material that is owned by a company or individual.
Further Types of Symmetric Ciphers

 Symmetric encryption ciphers come in two further basic

types:
 Substitution

 Transposition
Substitution Ciphers

 The substitution cipher replaces bits, characters, or blocks

of characters with different bits, characters, or blocks
Example Plaintext Key Ciphertext

Substitution n 4 r
o 8 w
Cipher w 15 l
i 16 …
s 23 …
t 16 …
+4 h 3 …
e 9 …
n o p q r t 12 …
i 20 …
m 6 …
e 25 …

This is a very weak cipher

Real ciphers use complex math
 A substitution cipher uses a key to dictate how the
substitution should be carried out.

 Substitution is used in today’s symmetric algorithms, but it

is extremely complex.
Transposition Ciphers

 In a transposition cipher, the values are scrambled, or put

into a different order

 The key determines the positions the values are moved to,
as illustrated in the Figure in next slide.
 This is a simplistic example of a transposition cipher and
only shows one way of performing transposition

 When implemented with complex mathematical functions,

transpositions can become quite sophisticated and difficult
to break
 Columnar Transposition Encryption

 Columnar Transposition involves writing the plaintext out in rows, and

then reading the cipher-text off in columns.
 For example, the plaintext "a simple transposition" with 5 columns looks
like the grid below:

Cipher-text = ALNISESTITPIMROOPASN
Encryption in Columnar Transposition

 We first pick a keyword for our encryption. We write the plaintext out in a grid
where the number of columns is the number of letters in the keyword.
  let's encrypt the message "The tomato is a plant in the nightshade family" using
the keyword tomato.
 Final Cipher in CT Encryption

Cipher-text = TINESAX EOAHTFX HTLTHEY MAIIAIX TAPNGDL OSTNHMX

The final cipher-text is thus

TINES AXEOA HTFXH TLTHE YMAII AIXTA PNGDL
OSTNH MX
 Decryption in Columnar Transposition

Example, we shall decrypt the cipher-text

"ARESA SXOST HEYLO IIAIE XPENG DLLTA HTFAX TENHM WX" given
the keyword potato.
We start by writing out the keyword and the order of the letters. There are 42 letters
in the cipher-text, and the keyword has six letters, so we need 42 ÷ 6 = 7 rows.
        
After inserting the third column.

DECRYPTION
DECRYPTION

P O T A T O
4 2 5 1 6 3
P O T A T O
E S A R E I
N T H E N I
G H T S H A
D E F A M I
L Y A S W E
L L X X X X

Original Text = Potatoes are in the nightshade family as well

Symmetric vs. Asymmetric Cryptography

WAQAS AHMAD
BUTT
 Methods Of Encryption

 For two entities to be able to communicate via encryption,

they must use the same algorithm and, many times, the
same key
 In some encryption technologies, the receiver and the
sender use the same key, and in other encryption
technologies, they must use different but related keys for
encryption and decryption purposes
Symmetric vs Asymmetric Algorithms

 Cryptography algorithms are either symmetric

algorithms, which use symmetric keys (also called secret
keys), or asymmetric algorithms, which use asymmetric
keys (also called public and private keys)
 Symmetric Cryptography

 In a cryptosystem that uses symmetric cryptography, the

sender and receiver use two instances of the same key for
encryption and decryption.
 So the key has dual functionality, in that it can carry out
both encryption and decryption processes.
General idea of Symmetric-Key
Locking and unlocking with the same key
Symmetric Key Cryptography

Symmetric keys are also called secret keys, because

this type of encryption relies on each user to keep the
key a secret and properly protected.
 Each pair of users who want to exchange data using
symmetric key encryption must have two instances of the
same key
 This means that if Alice and Bob want to communicate, both
need to obtain a copy of the same key.
 If Bob also wants to communicate using symmetric
encryption with Norm and Dave, he needs to have three
separate keys, one for each friend
 If ten people needed to communicate securely with each other using
symmetric keys, then 45 keys would need to be kept track of
 If 100 people were going to communicate, then 4,950 keys would
be involved

The equation used to calculate the number of symmetric keys

needed is:
N(N – 1)/2 = number of keys
Strengths & Weaknesses Of Symmetric Encryption

Strengths
 Much faster (less computationally intensive) than asymmetric systems
 Hard to break if using a large key size

Weaknesses
 Requires a secure mechanism to deliver keys properly
 Each pair of users needs a unique key, so as the number of individuals
increases, so does the number of keys, possibly making key management
overwhelming
 Provides confidentiality but not authenticity or non-repudiation
Examples of Symmetric Algorithms

 Data Encryption Standard (DES)

 Triple-DES (3DES)
 Blowfish
 IDEA (International Data Encryption Algorithm)
 RC4, RC5, and RC6
 Advanced Encryption Standard (AES)
General Working of DES
Asymmetric Cryptography

 In symmetric key cryptography, a single secret key is

used between entities, whereas in public key systems,
each entity has different keys, or asymmetric keys
 The two different asymmetric keys are mathematically
related. If a message is encrypted by one key, the other
key is required in order to decrypt the message
Asymmetric key cryptography uses two separate keys: one
private and one public.
Locking and unlocking in asymmetric-key cryptosystem
General idea of Asymmetric-Key
How it WORKS…….?
 In a public key system, the pair of keys is made up of one
public key and one private key. The public key can be
known to everyone, and the private key must be known and
used only by the owner.
 If someone gets another person’s public key, he should not be able to
figure out the corresponding private key.
 This means that if an evildoer gets a copy of Bob’s public key, it does
not mean he can employ some mathematical magic and find out Bob’s
private key.
 But if someone got Bob’s private key, then there is big trouble—no
one other than the owner should have access to a private key.
Authentication

 Bob can encrypt data with his private key, and the receiver can then
decrypt it with Bob’s public key
 By decrypting the message with Bob’s public key, the receiver can
be sure the message really came from Bob
 This provides authentication, because Bob is the only one who is
supposed to have his private key
 If the sender encrypted the data with the receiver’s public key,
authentication is not provided because this public key is available to
anyone.
 Open Message Format

Encrypting data with the sender’s private key is

called an open message format because anyone
with a copy of the corresponding public key can
decrypt the message.

Confidentiality is not ensured.

Confidentiality

 Bob can encrypt data with the receivers public key, and the receiver
can then decrypt it with his private key
 By decrypting the message with his private key, the receiver can be
sure no one else can view this message
 This provides confidentiality, because the receiver is the only one
who is supposed to have his private key
Public Key Encryption for Confidentiality
Secure Message Format

 If confidentiality is the most important security service to a sender,

he would encrypt the file with the receiver’s public key
 This is called a secure message format because it can only be
decrypted by the person who has the corresponding private key.
 Asymmetric algorithms are slower than symmetric
algorithms because they use much more complex
mathematics to carry out their functions, which requires
more processing time.
 Although they are slower, asymmetric algorithms can
provide authentication and non-repudiation, depending
on the type of algorithm being used.
Asymmetric systems also provide easier and more
manageable key distribution than symmetric systems and do
not have the scalability issues of symmetric systems.
Strengths & Weaknesses Of Asymmetric
Encryption

Strengths
 Better key distribution than symmetric systems
 Better scalability than symmetric systems
 Can provide authentication and non-repudiation
Weaknesses
 Works much more slowly than symmetric systems
 Mathematically intensive tasks
Examples of Asymmetric Key Algorithms

 RSA (Rivest-Shamir-Adleman)
 Elliptic curve cryptosystem (ECC)
 Diffie-Hellman Algorithm
 El Gamal
 Digital Signature Algorithm (DSA)
 Merkle-Hellman Knapsack
Symmetric Vs. Asymmetric
 Core Cryptographic Processes

Confidentiality Authentication
Symmetric Key Applicable. Sender Not applicable.
Encryption encrypts with key
shared with the
receiver.
Public Key Applicable. Sender Applicable. Sender
Encryption encrypts with (supplicant) encrypts with own
receiver’s public private key. Receiver (verifier)
key. Receiver decrypts with the public key of
decrypts with the the true party, usually obtained
receiver’s own from the true party’s digital
private key. certificate. Raymond R.
Panko