Discuss the steps to take to increase the security of information on your computer and online
INVITATION TO
Computer Science 11
Chapter 8 Information Security
Objectives
After studying this chapter, students will be able to:
• Describe the steps to take to increase the security of
information on your computer and online
• Explain how passwords are encrypted using a hash
function on many systems
• Describe cyber-attacks, including viruses, worms,
Trojan horses, DOS attacks, and phishing, and explain
how they differ from each other
• Encrypt and decrypt messages using simple Caesar
ciphers and matrix-based block ciphers
Invitation to Computer Science, 6th Edition 2
Objectives (continued)
After studying this chapter, students will be able to:
• Describe the overall process used by symmetric
encryption algorithms such as DES
• Compare symmetric versus asymmetric (public key)
encryption
• Describe the overall process used by RSA encryption
• Explain why web transmission protocols such as SSL
and TLS use multiple forms of encryption to secure
data transfer over the web
• Explain the importance of considering computer
security for networked embedded systems
Invitation to Computer Science, 6th Edition 3
Introduction
• Information security
– Keep information safe
– Control access to authorized people only
• Physical security – lock doors, maintain control of
devices
• Online security
– Secure assembly language
– Secure operating system
– Secure network
Invitation to Computer Science, 7th Edition 4
Threats and Defenses
• Authentication: establishing identity
• Require usernames and passwords
• Secure a password file with a hash function;
one-way encryption
• Example: password = badboy2
1. Replace letters by numbers: 2 1 4 2 15 25 2
2. Add digits: 2+1+4+2+15+25+2=51
3. Remainder of sum/7: 51 mod 7 = 2
4. Add 1 and multiply by 9: (2+1)*9 = 27
5. Reverse digits and convert to letters: 72 = gb
Invitation to Computer Science, 7th Edition 5
Threats and Defenses (cont’d.)
• Password file security: no plain text password
stored
• On log in:
– Read username and password
– Look up entry for username in a password file
– Hash input password and compare
• More secure method
– Keep password creation time
– Add creation time to password before hashing
– Identical passwords won’t hash to identical values
Invitation to Computer Science, 7th Edition 6
Threats and Defenses (cont’d.)
Password attacks
• Guess password, brute force or from knowledge
– Try common passwords (e.g,123456)
– Try personal references (e.g., pet name)
– Try all possible passwords (computationally difficult)
• Steal password file and use password-cracking
software
– Tries words and word combinations, millions of
password possibilities per second
• Social engineering: get a person to tell password
Invitation to Computer Science, 7th Edition 7
Threats and Defenses (cont’d.)
Other authentication methods
• Answer personal information question
• Biometric information (fingerprint or retinal scans)
• One-time password scheme
– User enters ID and a partial password
– System or user device generates last half of the
password
– Last half of the password is good for only a few
seconds
Invitation to Computer Science, 7th Edition 8
Threats and Defenses (cont’d.)
• Authorization: set of permitted actions for each
authorized person
• Operating system maintains access control lists
– Read access (read a file)
– Write access (modify a file)
– Execute access (run a program)
– Delete access (remove a file
• System administrator or superuser has universal
access and sets up authorization
Invitation to Computer Science, 7th Edition 9
Threats and Defenses (cont’d.)
• Malware: malicious software arriving from the
network
– Virus: program embedded within another program
or file, replicates itself and attacks other files
– Worm: program that can send copies of itself to
other nodes on the network
– Trojan horse: program that seems beneficial, but
hides malicious code within it
• Keystroke logger: records all keys typed
• Drive-by exploit/drive-by download: Trojan horse
downloaded by simply visiting a bad website
Invitation to Computer Science, 7th Edition 10
Threats and Defenses (cont’d.)
• Denial-of-service (DOS) attack: many computers
try to access the same URL at the same time
– Clogs the network, prevents legitimate access, and
causes the server to crash
– Distributed DOS uses thousands of computers
• Uses a zombie army (botnet): many innocent
computers infected with malware
• Phishing: obtain sensitive information by
impersonating legitimate sources
– Many emails; just a few “bites” are enough
Invitation to Computer Science, 7th Edition 11
Encryption
• Cryptography: science of secret writing
• Encryption and decryption (inverse operations)
– Convert from plaintext to ciphertext and back again
• Symmetric encryption algorithm
– A secret key shared by the sender and the receiver
– Same key is used to encrypt and decrypt
• Asymmetric encryption algorithm (public key)
– Uses two keys, public and private
– Use public key (generally known) to encrypt
– Use private key (known only to receiver) to decrypt
Invitation to Computer Science, 7th Edition 12
Encryption (cont’d.)
• Caesar cipher (shift cipher)
– Map characters to others a fixed distance away in
alphabet
– Example: AE, BF, CG…UY, VZ, WA
– Stream cipher: encode each character as it comes
• Substitution cipher: similar, but implement other
mappings
• Pros: easy and fast, can do character by character
• Cons: letter frequency, double letters, still pertain,
makes it easy to break
Invitation to Computer Science, 7th Edition 13
Encryption (cont’d.)
Block cipher
• Block of plaintext encoded into a block of ciphertext
• Each character contributes to multiple characters
• Matrix-based block cipher
– Group characters into blocks n characters long
– Find invertible n by n matrix, M, and its inverse, M’
as keys
– Map characters to letters A1, B2, etc.
– Wrap values 26 and above back to zero: 260,
271, etc.
Invitation to Computer Science, 7th Edition 14
Invitation to Computer Science, 7th Edition 15
Encryption (cont’d.)
Example: use 2 by 2 matrices:
M = M′ =
Encrypt block GO
• Convert to vector V = [7 15]
• Matrix multiplication:
V x M = [7*3 + 15*2 7*5 + 15*3]
= [51 80] = [25 2]
• Convert to string: YB
Invitation to Computer Science, 7th Edition 16
3 5
2 3
23 5
2 23
Encryption (cont’d.)
Example: Use 2 by 2 matrices:
M = M′ =
Decrypt block YB
• Convert to vector V2 = [25 2]
• Matrix multiplication:
V2 x M′ = [25*23 + 2*2 5*25 + 23*2]
= [579 171] = [7 15]
• Convert to string: YB
Invitation to Computer Science, 7th Edition 17
3 5
2 3
23 5
2 23
Encryption (cont’d.)
DES (Data Encryption Standard)
• Symmetric encryption algorithm
• Designed for digital data: plaintext is a binary string
• Uses 64-bit binary key (56 bits actually used)
• Sixteen rounds of the same series of manipulations
Invitation to Computer Science, 7th Edition 18
Encryption (cont’d.)
DES (Data Encryption Standard)
• Decryption uses the same algorithm; keys in
reverse
• Fast and effective, but requires shared key
– 56 bits is too small for modern technology
• AES (Advanced Encryption Standard) uses a
similar approach; longer keys
Invitation to Computer Science, 7th Edition 19
Encryption (cont’d.)
DES manipulations
• Split string
• Duplicating some bits
• Omit some bits
• Permute bit order
• Combine bit strings with
XOR (exclusive or)
Invitation to Computer Science, 7th Edition 20
Invitation to Computer Science, 7th Edition 21
Encryption (cont’d.)
Public-key systems: RSA key creation
• Pick 2 large prime numbers: p and q
• Compute n = p×q, and m = (p-1)×(q-1)
• Choose large number e at random, so that e and m
are relatively prime (no common factors except 1)
• Find unique value d, between 0 and m, such that
(e×d) modulo m = 1
• Public key = (n, e), Private key = d
Invitation to Computer Science, 7th Edition 22
Encryption (cont’d.)
RSA key creation, example:
• p = 7, q = 13
• n = 7×13 = 91, and m = 6×12 = 72
• Let e = 77 (72 = 2 * 2 * 2 * 3 * 3, 77 = 7 * 11)
• d = 29
• Public key = (91, 25), Private key = 29
Invitation to Computer Science, 7th Edition 23
Encryption (cont’d.)
RSA encryption:
Given public key (n, e)
• Convert message to integer P
• Calculate C = Pe modulo n
RSA decryption:
Given private key d
• Calculate Cd modulo n
Invitation to Computer Science, 7th Edition 24
Encryption (cont’d.)
RSA encryption, example:
Given public key (91, 25)
• Convert message to integer P = 37
• Calculate C = 3725 modulo 91 = 46
RSA decryption:
Given private key 29
• Calculate 4629 modulo 91 = 37
Invitation to Computer Science, 7th Edition 25
Web Transmission Security
• Ecommerce requires secure transmission of
names, passwords, and credit card numbers
• Web protocols: SSL (Secure Sockets Layer) and
TLS (Transport Layer Security)
– Client-server applications
– Server provides certificate of authentication and
server’s public key
– Client sends its DES key, encrypted using RSA
– Data is sent encrypted by the (now shared) DES key
Invitation to Computer Science, 7th Edition 26
Invitation to Computer Science, 7th Edition 27
Embedded Computing
• Embedded computers: special-purpose, limited
computers in other systems
• Examples: automobiles, smart appliances, remote
controls, and patient monitoring systems
• New trend: connect embedded computers to a
network
– Transmit data, receive updates
• Targeting embedded systems could cause chaos
– Change thermostats, disrupt patient care, or disable
aircraft or automobiles
Invitation to Computer Science, 7th Edition 28
Summary
• Internet and web are meant to promote information
exchange, so information security is hard
• Online attacks include viruses, worms, Trojan
horses, DOS attacks, and phishing, among others
• Data security involves encrypting sensitive data
before transmitting or storing in unsecured location
• Symmetric encryption requires a shared key
• Asymmetric encryption uses public and private
keys
Invitation to Computer Science, 7th Edition 29
Summary (cont’d.)
• Caesar cipher is a simple symmetric encryption,
substitution ciphers are similar
• Block ciphers combine blocks of plaintext symbols
into blocks of ciphertext
• DES and AES are strong symmetric encryption
algorithms
• RSA is the most common asymmetric algorithm
• Secure web transmission requires protocols:
SSL/TLS
• Embedded systems are the next problem to solve
Invitation to Computer Science, 7th Edition 30