Discuss the steps to take to increase the security of information on your computer and online

Discuss the steps to take to increase the security of information on your computer and online

INVITATION TO

Computer Science 11

Chapter 8 Information Security

Objectives

After studying this chapter, students will be able to:

• Describe the steps to take to increase the security of

information on your computer and online

• Explain how passwords are encrypted using a hash

function on many systems

• Describe cyber-attacks, including viruses, worms,

Trojan horses, DOS attacks, and phishing, and explain

how they differ from each other

• Encrypt and decrypt messages using simple Caesar

ciphers and matrix-based block ciphers

Invitation to Computer Science, 6th Edition 2

Objectives (continued)

After studying this chapter, students will be able to:

• Describe the overall process used by symmetric

encryption algorithms such as DES

• Compare symmetric versus asymmetric (public key)

encryption

• Describe the overall process used by RSA encryption

• Explain why web transmission protocols such as SSL

and TLS use multiple forms of encryption to secure

data transfer over the web

• Explain the importance of considering computer

security for networked embedded systems

Invitation to Computer Science, 6th Edition 3

Introduction

• Information security

– Keep information safe

– Control access to authorized people only

• Physical security – lock doors, maintain control of

devices

• Online security

– Secure assembly language

– Secure operating system

– Secure network

Invitation to Computer Science, 7th Edition 4

Threats and Defenses

• Authentication: establishing identity

• Require usernames and passwords

• Secure a password file with a hash function;

one-way encryption

• Example: password = badboy2

1. Replace letters by numbers: 2 1 4 2 15 25 2

2. Add digits: 2+1+4+2+15+25+2=51

3. Remainder of sum/7: 51 mod 7 = 2

4. Add 1 and multiply by 9: (2+1)*9 = 27

5. Reverse digits and convert to letters: 72 = gb

Invitation to Computer Science, 7th Edition 5

Threats and Defenses (cont’d.)

• Password file security: no plain text password

stored

• On log in:

– Read username and password

– Look up entry for username in a password file

– Hash input password and compare

• More secure method

– Keep password creation time

– Add creation time to password before hashing

– Identical passwords won’t hash to identical values

Invitation to Computer Science, 7th Edition 6

Threats and Defenses (cont’d.)

Password attacks

• Guess password, brute force or from knowledge

– Try common passwords (e.g,123456)

– Try personal references (e.g., pet name)

– Try all possible passwords (computationally difficult)

• Steal password file and use password-cracking

software

– Tries words and word combinations, millions of

password possibilities per second

• Social engineering: get a person to tell password

Invitation to Computer Science, 7th Edition 7

Threats and Defenses (cont’d.)

Other authentication methods

• Answer personal information question

• Biometric information (fingerprint or retinal scans)

• One-time password scheme

– User enters ID and a partial password

– System or user device generates last half of the

password

– Last half of the password is good for only a few

seconds

Invitation to Computer Science, 7th Edition 8

Threats and Defenses (cont’d.)

• Authorization: set of permitted actions for each

authorized person

• Operating system maintains access control lists

– Read access (read a file)

– Write access (modify a file)

– Execute access (run a program)

– Delete access (remove a file

• System administrator or superuser has universal

access and sets up authorization

Invitation to Computer Science, 7th Edition 9

Threats and Defenses (cont’d.)

• Malware: malicious software arriving from the

network

– Virus: program embedded within another program

or file, replicates itself and attacks other files

– Worm: program that can send copies of itself to

other nodes on the network

– Trojan horse: program that seems beneficial, but

hides malicious code within it

• Keystroke logger: records all keys typed

• Drive-by exploit/drive-by download: Trojan horse

downloaded by simply visiting a bad website

Invitation to Computer Science, 7th Edition 10

Threats and Defenses (cont’d.)

• Denial-of-service (DOS) attack: many computers

try to access the same URL at the same time

– Clogs the network, prevents legitimate access, and

causes the server to crash

– Distributed DOS uses thousands of computers

• Uses a zombie army (botnet): many innocent

computers infected with malware

• Phishing: obtain sensitive information by

impersonating legitimate sources

– Many emails; just a few “bites” are enough

Invitation to Computer Science, 7th Edition 11

Encryption

• Cryptography: science of secret writing

• Encryption and decryption (inverse operations)

– Convert from plaintext to ciphertext and back again

• Symmetric encryption algorithm

– A secret key shared by the sender and the receiver

– Same key is used to encrypt and decrypt

• Asymmetric encryption algorithm (public key)

– Uses two keys, public and private

– Use public key (generally known) to encrypt

– Use private key (known only to receiver) to decrypt

Invitation to Computer Science, 7th Edition 12

Encryption (cont’d.)

• Caesar cipher (shift cipher)

– Map characters to others a fixed distance away in

alphabet

– Example: AE, BF, CG…UY, VZ, WA

– Stream cipher: encode each character as it comes

• Substitution cipher: similar, but implement other

mappings

• Pros: easy and fast, can do character by character

• Cons: letter frequency, double letters, still pertain,

makes it easy to break

Invitation to Computer Science, 7th Edition 13

Encryption (cont’d.)

Block cipher

• Block of plaintext encoded into a block of ciphertext

• Each character contributes to multiple characters

• Matrix-based block cipher

– Group characters into blocks n characters long

– Find invertible n by n matrix, M, and its inverse, M’

as keys

– Map characters to letters A1, B2, etc.

– Wrap values 26 and above back to zero: 260,

271, etc.

Invitation to Computer Science, 7th Edition 14

Invitation to Computer Science, 7th Edition 15

Encryption (cont’d.)

Example: use 2 by 2 matrices:

M = M′ =

Encrypt block GO

• Convert to vector V = [7 15]

• Matrix multiplication:

V x M = [7*3 + 15*2 7*5 + 15*3]

= [51 80] = [25 2]

• Convert to string: YB

Invitation to Computer Science, 7th Edition 16

3 5

2 3

23 5

2 23

Encryption (cont’d.)

Example: Use 2 by 2 matrices:

M = M′ =

Decrypt block YB

• Convert to vector V2 = [25 2]

• Matrix multiplication:

V2 x M′ = [25*23 + 2*2 5*25 + 23*2]

= [579 171] = [7 15]

• Convert to string: YB

Invitation to Computer Science, 7th Edition 17

3 5

2 3

23 5

2 23

Encryption (cont’d.)

DES (Data Encryption Standard)

• Symmetric encryption algorithm

• Designed for digital data: plaintext is a binary string

• Uses 64-bit binary key (56 bits actually used)

• Sixteen rounds of the same series of manipulations

Invitation to Computer Science, 7th Edition 18

Encryption (cont’d.)

DES (Data Encryption Standard)

• Decryption uses the same algorithm; keys in

reverse

• Fast and effective, but requires shared key

– 56 bits is too small for modern technology

• AES (Advanced Encryption Standard) uses a

similar approach; longer keys

Invitation to Computer Science, 7th Edition 19

Encryption (cont’d.)

DES manipulations

• Split string

• Duplicating some bits

• Omit some bits

• Permute bit order

• Combine bit strings with

XOR (exclusive or)

Invitation to Computer Science, 7th Edition 20

Invitation to Computer Science, 7th Edition 21

Encryption (cont’d.)

Public-key systems: RSA key creation

• Pick 2 large prime numbers: p and q

• Compute n = p×q, and m = (p-1)×(q-1)

• Choose large number e at random, so that e and m

are relatively prime (no common factors except 1)

• Find unique value d, between 0 and m, such that

(e×d) modulo m = 1

• Public key = (n, e), Private key = d

Invitation to Computer Science, 7th Edition 22

Encryption (cont’d.)

RSA key creation, example:

• p = 7, q = 13

• n = 7×13 = 91, and m = 6×12 = 72

• Let e = 77 (72 = 2 * 2 * 2 * 3 * 3, 77 = 7 * 11)

• d = 29

• Public key = (91, 25), Private key = 29

Invitation to Computer Science, 7th Edition 23

Encryption (cont’d.)

RSA encryption:

Given public key (n, e)

• Convert message to integer P

• Calculate C = Pe modulo n

RSA decryption:

Given private key d

• Calculate Cd modulo n

Invitation to Computer Science, 7th Edition 24

Encryption (cont’d.)

RSA encryption, example:

Given public key (91, 25)

• Convert message to integer P = 37

• Calculate C = 3725 modulo 91 = 46

RSA decryption:

Given private key 29

• Calculate 4629 modulo 91 = 37

Invitation to Computer Science, 7th Edition 25

Web Transmission Security

• Ecommerce requires secure transmission of

names, passwords, and credit card numbers

• Web protocols: SSL (Secure Sockets Layer) and

TLS (Transport Layer Security)

– Client-server applications

– Server provides certificate of authentication and

server’s public key

– Client sends its DES key, encrypted using RSA

– Data is sent encrypted by the (now shared) DES key

Invitation to Computer Science, 7th Edition 26

Invitation to Computer Science, 7th Edition 27

Embedded Computing

• Embedded computers: special-purpose, limited

computers in other systems

• Examples: automobiles, smart appliances, remote

controls, and patient monitoring systems

• New trend: connect embedded computers to a

network

– Transmit data, receive updates

• Targeting embedded systems could cause chaos

– Change thermostats, disrupt patient care, or disable

aircraft or automobiles

Invitation to Computer Science, 7th Edition 28

Summary

• Internet and web are meant to promote information

exchange, so information security is hard

• Online attacks include viruses, worms, Trojan

horses, DOS attacks, and phishing, among others

• Data security involves encrypting sensitive data

before transmitting or storing in unsecured location

• Symmetric encryption requires a shared key

• Asymmetric encryption uses public and private

keys

Invitation to Computer Science, 7th Edition 29

Summary (cont’d.)

• Caesar cipher is a simple symmetric encryption,

substitution ciphers are similar

• Block ciphers combine blocks of plaintext symbols

into blocks of ciphertext

• DES and AES are strong symmetric encryption

algorithms

• RSA is the most common asymmetric algorithm

• Secure web transmission requires protocols:

SSL/TLS

• Embedded systems are the next problem to solve

Invitation to Computer Science, 7th Edition 30

You may also like...