Data Security

Data Security Data Security Understanding Data Communications and Networks – William A. Shay (3E)

Data Security ‘To ensure that the data is received meaningfully only by the intended recipient’ Approach – Alter (encrypt) the message (un- intelligible even if intercepted) • Algorithms • Public key encryption • Secure Transfer over internet

Data Security Definitions: ‘Changing the encrypted data into its original form – decryption’ Plaintext P- original form Cipher-text C - encrypted data Encryption algorithm and key Ek, changes P to C C = Ek(P), Decryption algorithm and key Dk’, changes C to P P = Dk’(C), in many cases k = k’

Data Security Mono-alphabetic cipher: ‘Replaces each plaintext character with another’ • Add 1 to ASCII code of each character • A turns into B, B to C, … • Simple but Rarely used in serious applications • Relatively easy to decipher • Commonly used letters: E, T, O, A, N => if certain letters appear frequently in cipher-text, probably it is one of these (than Q or Z)

Data Security Mono-alphabetic cipher: P = Please add money to C = {;RSDR\SFF\,PMRU\YP\ => \ 4 times => S Twice => R Thrice => P Twice They may be substitutions of common characters, even blank spaces

Data Security Mono-alphabetic cipher: ‘Try various combinations of common ones’ {;EADE\AFF\,ONEU\YO…(R by E, S by A, P by O) “Replace ‘\’ by blank spaces” {;EADE AFF ,ONEU YO Clues: ‘Two letter word ends with O, Three letter word begins with A followed by repeated letter’ {;EADE ADD ,ONEU TO => With educated guesses, message can be decrypted

Data Security Mono-alphabetic cipher: Drawbacks: preserving particular letter sequences, frequency with which letters occur Poly-alphabetic Cipher: ‘Change the frequencies and break-up common sequences’ A plaintext character is not always replaced with the same onecipher-text character. Replacement = f (P, its position in the message)

Data Security Poly-alphabetic Cipher: For (inti = 0; i < length of P; i++) C[i] = P[i] + K + (i mod 3) Assume, K =1. 1 is added for positions 0, 3, 6, … 2 is added for positions 1, 4, 7, … 3 is added for positions 2, 5, 8, … THEMTHENTHEY -> UJHNVKFPWIG\ => Repetition has reduced, but still present

Data Security Poly-alphabetic Cipher: ‘THE’ appears as UJH, VKF, WIG If there were more ‘THE’, the pattern would repeat. Also, there are other patterns: First letters of each ‘THE’ cipher-text are consecutive – UVW, (also the 2nd one as JKI, and the 3rd one as HFG) => Clues for decryption

Data Security Transposition Cipher: ‘Rearranges the P letters of a message (not Replacing them)’ One way – store characters in a 2-dimensional array with m-columns => First m-characters in 1st row, next m-characters in 2nd row, ….. Determine a permutation of numbers 1 to m: p1, p2, ……, pm

Data Security Transposition Cipher: Transmit p1 column first, then p2, ……, then pm. P = ‘Follow THE YELLOW BRICK ROAD’ F O L L O W T H E Y E L L O W B R I C K R O A D

Data Security Transposition Cipher: Transmit columns 2, 4, 3, 1, 5 (permutation) O YWCALHLB LTE KDFW OIOOELRR If, receiver knows the permutation and the number of columns -> reconstruct the message Drawbacks: letter frequencies are preserved, also by grouping the characters in different columns for sequences like ‘THE, IS’ are helpful for guessed-decryption.

Data Security Bit-Level ciphering: ‘Previous methods are applicable to character sequences’ ‘Files may contain raw bits (execution files), This method handles them’ - Encryption key is a randomly chosen bit-string • Message bit string is divided into substrings • Length is the same as that of the key

Data Security Encrypted string = message string XOR key • Decryption: Encrypted string XOR key • E (algorithm) is same as D (algorithm) • pi is a plaintext bit, if encryption key contains ‘0’ in that position: pi XOR 0 XOR 0 = pi if encryption key contains ‘1’ in that position: pi XOR 1 XOR 1 =pi XOR (1 XOR 1) = pi XOR 0 = pi

Data Security ‘Security depends partly on the length of the key’ • Short key => many substrings => more chance of repetition of the encrypted substring, susceptible • In extreme case, the key length = message length => each bit is encrypted uniquely • If the key-bits are random => unbreakable code (but long key needs to be transferred)

Data Security Data Encryption Standards (DES): ‘Approach is to keep the key short compared to the message and to use complex procedure to encrypt the message’ • Based on ‘block-cipher’ • Divides the message into 64-bit blocks, uses a key to employ a complex transformation. • It uses transposition (rearrangement) and substitution (replacing one bit-group with another

Data Security Steps: • Transposition on the block data and the key • 16 successive encryptions with different keys derived from the original, output of one fed to the next input • Swap (32 bits) • Reverse transposition (of the 1st step)

Data Security Encryption operations: data = C64 = L32 R32, K56 = key (R32: transpose, duplicate bits) results in R48 (K56: shift on each half, transpose) results in K56 R48 XOR K48 (first) = X48 Divide into 8 (6-bit) groups Substitute each by 4-bit value Combine into a 32-bit string, transpose = X32

Data Security L32 XOR X32 = X32 Form final 64 bits = R32X32 ‘Idea was to develop a method with many convoluted steps’ • If the same 64-bit block occurs more than once, it generates the same cipher-text. ‘Cipher Block Chaining (CBC)’ disrupts that pattern.

Data Security CBC: Initialization vector (IV): Block 1 XOR IV -> DES -> Block 1C Block 1C XOR Block 2 -> DES -> Block 2C Block 2C XOR Block 3 -> DES -> Block 3C … Cipher-text = f (plaintext, its position) => Same plain text in different positions means different cipher text also

Data Security • DES Effectiveness: Brute force method of attack – trying all possible keys -> 256 possible keys, it was possible to break the code in hours using gigahertz processors. • Using 128-bit key => 9.5 * 1015 years to try all possible keys @ 1015 keys per second

Data Security Public Key Encryption (PKE): ‘Knowing the encryption key and the algorithm renders decryption easy’ ‘PKE makes decryption algorithm and key determination difficult even when encryption algorithm and key are known’ - Many sources can send message using same Ek. Only the receiver knows the Dk’.

Data Security RSA algorithm: • Uses modulo-arithmetic and factorization of very large numbers • Cipher-text is easy to calculate but difficult to break • Assign simple code to letters (1 to 26 for ‘a’ to ‘z’) • Choose ‘n’ (200 or more digits) as a product of two large prime numbers p, q.

Data Security For simplicity, n = p * q = 11 * 7 = 77 3. Find a number K that is relatively prime (no common factors except 1) to (p-1) * (q-1). Choose k = 7 as the encryption key (there is always a k) 4. Divide the message into components (with many letters in one, avoids repetition), For simplicity: “hello” divided as h, e, l, l, o

Data Security 5. For each component, concatenate all the binary code of each letter and interpret it as an integer. Here, integers are: 8, 5, 12, 12, 15. 6. Encrypt the message by raising each number to the power of k (modulo n) Encrypted message = 57 47 12 12 71 Decryption: 1. Find a value k’ such that (k * k’) – 1 is evenly divisible by (p-1) * (q-1). K’ is the decryption key .

Data Security Here, (p-1) * (q-1) = 60, k’ = 43 works well. (there is always a k’) 2. Raise each encrypted number to the power of k’ (modulo n) Results are the original numbers 8, 5, 12, 12, 15. Potential problem: How to find 71 43 modulo 77? Break the power in 2, 4, 8, … Find the modulo for the lowest to the highest.

Data Security • How secure is RSA? ‘n’ and ‘k’ are needed for encryption, If they are intercepted, K’ could be deduced. However, it needs ‘p’ and ‘q’ – the factors of ‘n’. • If ‘n’ is large (200 or more digits) => difficult, time-consuming

Data Security Transport layer security (TLS) and Server Authentication: ‘To ensure access to the proper encryption methods and keys to protect privacy’ ‘Also to ascertain the legitimacy of the site connected to’ ‘Secure Sockets Layer (SSL) and Transport Layer Security Protocols, X.509 certificates’

Data Security ‘TLS and SSL lies between application layer and transport layer’ Sender side: encrypts the message from application layer and passes it to the transport layer Receiver side: receives the message from transport layer and passes the decrypted message to the application layer ‘TLS has the ability to revert to SSL 3.0, there are some low level differences’

Data Security X.509 certificate: ‘Electronic ID to prove that a site is what it claims to be’ ‘Certificate Authority (CA) issues certificates’ ‘Consumer maintains a list of trustworthy CAs in his computer’ ‘Trusted CA list is developed over the time’ ‘Certificate contains a period of validity and two fingerprints’

Data Security ‘Authentication is the process of validating the identity of the message-source’ ‘Fingerprints are values calculated using some algorithms for authentication’ Browser: - downloads the server certificate - checks the period of validity - checks the fingerprints - checks the CA ‘All must be affirmative in order to proceed’

Data Security ‘An initial set of exchange takes place between the server and the client – handshake’ ‘Handshake defines the cryptographic routines, key exchanges, and authentication process’ 1. Client to server: highest TLS (SSL) version available, a list of encryption algorithms, a list of key exchange algorithms, and a list of supported compression methods.

Data Security 2. Server chooses each one of the above items from the suggested list of the client. It also sends its certificate. 3. Client needs to authenticate the certificate. Issuing CA attaches a digital signature / Fingerprints to it. Two methods are used to provide extra security. Also, it verifies the domain name in the certificate with that of server. 4. Client sends key to server. 5. If required, server may authenticate the client. 6. Both client and server exchanges session-keys.

Data Security 7. Both sides confirm this arrangements and start secure-communication. # If user A wants to send an encrypted message to user B, the plaintext is encrypted with the public key of _. a) User A b) User B c) The network d) (a) or (b)

Data Security Firewalls ‘Machines are at risk when they are not actively doing anything’ ‘Risk comes from malicious attacks disrupting activities, causing harm’ ‘Challenge is to prevent attacks from being successful’ Approach - ‘All internet traffic has to pass through special machine(s) – Firewall’

Data Security ‘It examines passing traffic to look for possible threats’ ‘The challenge is to identify the threats’ IP – layer 3, TCP – layer 4 IP packet contains data, source and destination addresses, layer 4 protocol (TCP / UDP) using it. Server is identified by IP address and the specific service by port number

Data Security Telnet – Port 23, FTP - Port 21, SMTP - Port 25 Some approaches: Packet Filtering: ‘Examine the header of each packet and decide’ Decision may base on: - Address field - port number - transport protocol represented

Data Security Example decisions: • Allow any incoming packet with TCP port designation of 23 (allowing remote login to any machine) • Allow any incoming packet with TCP port designation of 23 with destination address found in a maintained list. Implication? • Allow any outgoing packet with destination address found in a maintained list.Implication?

Data Security The above specifies criteria to allow packets. => Blocks unless otherwise specified (default) Alternative: Allows unless otherwise specified (default) • Block any incoming packet with TCP port designation of 23. Implication? • Block any incoming packet with source address found in a maintained list. Implication?

Data Security • Block any incoming packet with destination address found in a maintained list. Implication? - Block any outgoing packet with source and destination addresses found in a maintained list. Implication? Better ‘default’ approach? Block packet – nothing will pass unless explicitly stated, Ensures more security.

Data Security Application Level Gateway: Packet filtering works at layer 3, making decision on packet contents, inflexible on an action within an application. Gateway provides that flexibility, works at a higher layer. ‘Allow for file transfer – download files but not upload’ ‘More logic into a firewall that understands the applications and their abilities – called proxy server’

Data Security ‘Special programs for each type of application it needs to watch.’ ‘It examines application layer requests and allows (denies) based on the information provided to the firewall’ ‘A gateway program for each application’ • Main advantage: flexibility • Significant overhead

Data Security Stateful Inspection: ‘Works at the network layer and avoids overhead’ ‘It examines the contents of a packet in the context of what has happened previously’ Example: a ‘ping’ command response indicates that a device is reachable and the time needed for a round-trip’ => Command sends an echo request and site responds with echo response

Data Security Stateful inspection ensures that a response packet is not allowed unless there was a previous request. Also the source and the destination should reverse in these two events. (security against denial-of-service attack)

Data Security Viruses ‘A collection of instructions attached to an executable file that does something not intended originally’ Virus attachment to a file -> infected file Worms usually appear as a separate program, intruding a system, threatening security. ‘Infected file contains a branch instruction to unintended tasks, and branches to some point of the original code’ - diagram

Data Security ‘User may not be aware of the virus unless it causes a major distraction’ ‘Worst viruses avoid massive, immediate destruction, rather making small, unnoticeable changes over time’ ‘As such, even back-ups may be infected’ ‘Virus may probe file system looking for executable files on disk, if found, it duplicates itself and stores a copy in the file’

Data Security Memory Resident viruses: ‘Resides in memory, attacks a file when it enters the memory’ It needs to be referenced to be executed. It may use the interrupt mechanism to do so. ‘Modifies the Interrupt table with vectors pointing to the virus instead’

Data Security Early Antivirus programs worked by looking for signature – a sequence of bytes contained in the virus- at the beginning and end of file. Signatures were encrypted and the decryption algorithm was added to virus. Antivirus programs looked for byte patterns of decryption algorithm, examined decrypted result and look for signatures – proved quite successful

Data Security Virus Sources: ‘Individuals trying to invade a system’ ‘It spreads by sharing resources – through removable disks, networks’ ‘Prevention is the best approach’ Internet worm: ‘Replicates quickly throughout internet, clogging communications, forcing system shut down’

Data Security One approach taken by the worm: ‘Used an utility program that allows one user to obtain information of other user’ ‘A flaw that did not check for buffer-overflow was exploited’ ‘The worm was able to overflow the buffer and overwrote part of the system stack’ ‘The original return address was lost, pointing to some instructions in the buffer’

Data Security

Data Security

Presentation Transcript

Data Security

Data Security

DATA SECURITY

Data Security

Data Warehouse Security

Security of Data

electronic data security

Strengthening Data Security

Data Security Issues

DATA Security

Data security

Data Center Security

Data Security

Data Security

Data Security

Security Data Readers

Data Security Training

Medical data security

Data Security:

Data Security

Data Security