Transcript Document

Chapter 17
Security
Information Systems
• Cryptography
• Key Exchange Protocols
• Password Combinatorics
• Other Security Issues
12-2
Chapter Goals
• Cryptography Techniques
• Information Security Issues
12-3
Cryptography and
Information Security
12-4
Cryptography
Cryptography
The field of study related to encoded information
(comes from Greek word for "secret writing")
Encryption
The process of converting plaintext into ciphertext
Decryption
The process of converting ciphertext into plaintext
5
Cryptography
Encryption
plaintext
message
ciphertext
message
Decryption
Encrypted(Information) cannot be read (understood )
Decrypted(Encrypted(Information)) can be
6
Cryptography
Cipher
An algorithm used to encrypt and decrypt text
Key
The set of parameters that guide a cipher
• Neither is any good without the other
• Need to keep at least one of these secret
• (or even better, both)
7
Cryptography
Substitution cipher --A cipher that substitutes one
character with another
Caesar cipher --A substitution cipher that shifts
characters a certain number of positions in the
alphabet
Transposition ciphers --A cipher that rearranges the
order of existing characters in a message in a certain
way (e.g., a route cipher)
8
Substitution cipher
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Encrypt(COMPUTER) = FRPSXWHU
Decrypt(FRPSXWHU) = COMPUTER
Why is this called the Caesar cipher?
What is the key?
9
Transposition Cipher
T O D A Y
+ I S + M
O N D A Y
Algorithm 1:
Write across rows
Read down columns
Encrypt(TODAY IS MONDAY) = T+OOINDSDA+AYMY
10
The key is the table dimensions, 5 x 3
Transposition Cipher
T O D A Y
+ I S + M
O N D A Y
Algorithm 2:
Write across rows
Read in a counter clockwise spiral from top-left
Encrypt(TODAY IS MONDAY) = T+ONDAYMYADOIS+
11
Cryptanalysis
Cryptanalysis
Decrypting a message without knowing the
cipher or the key
Substitution and transposition ciphers are easy
for modern computers to break using frequency
analysis of characters and patterns
To protect information more sophisticated
schemes are needed
12
Cryptanalysis with
Frequency analysis
Frequency Analysis
Breaking a cipher by looking
for the frequency of letters
(or other patterns)
English 
13
Letter
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
Frequency
8.23
1.26
4.04
3.40
12.32
2.28
2.77
3.94
8.08
0.14
0.43
3.79
3.06
6.81
7.59
2.58
0.14
6.67
7.64
8.37
2.43
0.97
1.07
0.29
1.46
0.09
Encryption Standards
There are 2 standard encryption systems:
1) 3DES aka Private Key Cryptography
Efficient, but needs a secret key!
2) RSA aka Public-Key Cryptography
Actually uses a pair of keys, one public, one private
12-14
3DES
(Triple Data Encryption Standard)
3DES
• Uses multiple substitutions and
transpositions to hide patterns
• Etext appears essentially random
• it is very hard to crack
The cipher algorithm is public
The key is kept secret
15
3DES
(Triple Data Encryption Standard)
3DES
Since the cipher is public, bad guys can always
try to guess the key
The key is 128 bits so quessing takes a
loooooooooooooooong time:
2 ^ 128 = 340,000,000,000,000,000,000,000,000,000,000,000,000 keys
PROBLEM: How to keep the key secret????
16
RSA Public Key Cryptography
Public-key cryptography
• There are two related keys, one public and
one private
• Sender encrypts an outgoing message, using
the Receiver's public key
• Only the Receiver's private key can decrypt
the message
17
Exchanging Secret Keys
• 3DES is a more efficient algorithm than RSA
• However, the problem with 3DES is how to do
the secret exchange of the private “session
key” between sender and receiver
• RSA can help with this exchange
12-18
RSA Public Key Cryptography
Session Key Exchange
1) B generates a “session key”, encrypts it using
A’s public key, and sends it to A
2) A uses its private key to decrypt the session
key
12-19
3 Things RSA can help do
• Session Key Exchange
• Used to exchange 3DES “session keys”
• Authentication - Are you who you say you are?
– Like a written signature says: “I am me”
• Certification - Are you a “good guy”
– Like a drivers license says “CA says I can drive”
– Or a Diploma says “FLC says I am educated”
12-20
Authentication
Digital Signatures
Key Exchange Protocol with Authentication:
• A encrypts a random number using B’s public key
• B decrypts A’s number using B’s private key,
combines the number with a Session Key, encrypts
the whole message using A’s public key, and sends it
to A
• A decrypts the message using A’s private key, if the
random number matches the message must be from
B.
– (Or at least from the same person who sent “B’s public key”)
21
Certification
Digital certificate
Uses a Third Party to prove you are a “good guy”
Example: Verisign
Made possible by RSA key pairs
Certificates can only be decrypted by Certificate Issuer,
essentially validating the certificate bearer
22
Passwords
Combinations
12-23
Password Strength
Math number bases can be used to calculate
password strength
Questions
how many combinations are there for a 4 digit
base ten number?
how about a 4 digit binary number?
How about a 4 (capital) letter password?
24
Password Strength
Answers
9999 = 9999
11112 = 1510
ZZZZ = ??
25
More Security Issues
12-26
Computer Security
Malicious Code
A computer program that attempts to bypass
appropriate authorization and/or perform unauthorized
functions
Worm stands alone, targets network resources
Trojan horse disguised as benevolent resource
Virus self-replicating
Logic bomb set up to execute at system event
27
Computer Security
Security Attacks
An attack on the computer system itself
Password guessing
Phishing trick users into revealing security
information
Spoofing malicious user masquerades as
authorized user
Back door unauthorized access to anyone who
knows it exists
28
Computer Security
Denial-of-service attack that overwhelms a
system
Man-in-the-middle network communication is
intercepted in an attempt to obtain key data
29