Information Assurance and Security :[BE: IT/Comp]

Information Assurance and Security is one of the most important, most interesting and an extremely useful subject you will come across in your Engineering Career. This subject is introduced as a regular subject for IT in the 7th Semester and as an elective subject for Computer Engineering in the 8th Semester with the name Network Information Security. The contents of the syllabus for both Computer and IT Engineering is almost the same with just a few minor changes.

 Never use any available local author books for this subject, I would suggest you to prefer only  References for this subject. The subject contains many security based algorithms, brief introduction to Digital Certificates, Digital Signatures and many other security related concepts. The subject is very interesting to learn and extremely easy. Scoring 65+ in this subject is an extremely easy task. Many students even score 70+ easily. Every year the question paper for this subject is a bit applicative and not that straight forward. But still students manage to score well as the subject is totally conceptual : no theory at all.

Let us have a brief analysis of the subject.

Unit 1:

Relatively simple unit. This unit includes the most important concept in Security : 'CIA' .You will find this principle applied whenever security comes into the picture in any subject. A very simple concept and extremely important. This unit includes basics of a few security implementation techniques and a few algorithms and theorems. Among the algorithms and theorems Modular Arithmetic, GCD, Euclid’s Algorithms  are extremely simple ,only the chinese remainder theorem is a bit confusing . We would be providing a detailed implementation of the Chinese Remainder theorem in the upcoming tutorials. Rest of the unit is very simple. Questions from this unit are easily predictable.

Unit 2:

Introduces to you cryptography and associated algorithms and its implementation techniques. This unit will be a little time consuming as it includes various new algorithms and not that easy to understand in the first go. AES , DES, RSA, Blowfish,SHA -1 and MD5 are a few algorithms in this unit. The first attempt to understand these algorithms will be a little time consuming process. But , we have provided animations for most of the tutorials in our website. You can easily understand these algorithms using our animations. But overall this unit is very intersting.

Unit 3:

Easier than 2nd unit. This unit introduces to you the basics of Key Management Techniques and a few protocols (easier ones, not like the previous ones).

Unit 4 :

A very important unit ,as it introduces to you to most widely used security implementations for the network : SSL , Transport layer security. IPSEC,  a few protocols and brief introduction to Intrusion Detection Systems. Easy to understand as there are huge examples and tutorials available over the net.

Unit 5:

Easiest unit. Most of you would not even require to read this unit as it includes all new technologies which are well known to the youth like Electronic Payment, Smart Cards, Payment over Internet, Mobile Payment, Electronic cash and related terms. Easy and extremely scoring unit.

Unit 6:

Again a very simple unit, gives you a short introduction to cyber crimes,forensics, IT Laws  and recovering electronic evidence etc. Very easy and most questions are easily predictable.

Verdict:

Very interesting, extremely important and easy to learn subject. Totally conceptual.

Difficulty Level : Easy to Learn

Scoring Pattern :  easy to score 65+

Books Recommended :


Local  Author : 
Only Technical Publications was available for 2012 Batch. This book should only be used for Question papers, few sums and a few important topics in the last unit. Rest should be referred from Reference Books.


References :


 From exam point of View :
 The most important books are

(For Units 1- 4)

Computer Security : Principles and Practices - William Stallings
or

Cryptography and Network Security - Behrouz Forouzan

(For Unit 5)

Network Security and Cryptography - Bernard Menzes
---------------------------------------------------------------------------------

Even though,  the university recommends Bruice Schneier's books, the language used in this book is not that lucid. William Stalling or Behrouz Forouzan would be the best choice for the first 4 units.

One book recommended for Information Security is  'Cryptography and Network Security - Atul Kahate'. this book even though not recommended by the university, this book has one of the most amazingly organized contents and easiest language used. The book is so easy to learn, that you would end up reading the entire book as a novel in no time. All concepts about security can be easily understood using this book. Users rating for the book by Atul Kahate is 5 star. Unfortunately, there are no PDF Ebooks of this book available for download . You can order one from Flipkart, it would cost RS 300 only. It is definitely worth spending 300 bucks for this book.

    

Books for Download

Cryptography and Network Security

William Stallings

------------------------------------------------------------------------

Applied Cryptography

Bruce Schneier

-------------------------------------------------------------------------

Read More

Transposition Ciphers : Information Security

     
A transposition cipher is a method of encryption by which the positions held by units of plaintext (which are commonly characters or groups of characters) are shifted according to a regular system, so that the ciphertext constitutes a permutation of the plaintext. That is, the order of the units is changed.    

    Transposition ciphers are rather simple to understand. As the name implies, a transposition cipher involves the transposing – or moving – of characters from one place to another. See the example below. You’ll notice that all the characters used in the original text are also present in the transposed text.

Original Text: HELLO WORLD
Transposed Text: HLOOLOLWRD
Side note: This is an example of a rail fence cipher. A rail fence cipher is computed as follows. Notice the words are spelled out in columns, starting at the top left:

HLOOL
ELWRD

Cracking the Code

Cracking a transposition cipher can be accomplished with a process called anagramming.  Using language statistics, its relatively easy to crack a transposition cipher. If you know the frequency in which certain letter combinations occur, it is possible to crack a transposition cipher (see Alan Konheim’s book for an in-depth review).  In this case, we can crack the cipher as such:

The letter pairs HL, HW, HR and HD have a frequency of less than 0.0010 in the English language, so we’ll discard those for now. HE has a frequency of 0.0305. However, other arrangements – “HO” for example – are also candidates which shouldn’t be ruled out. In the end, you should get something like:

HE
LL
OW
OR
LD

While this method is rather reliable, remember that you’re also relying on statistical pattern matching, which is always error prone to some degree.

By themselves, transposition ciphers provide very little confidentiality.  Modern algorithms still use transposition, however only as a piece of the algorithm – not the whole.

Other methods for Transposition Cipher:

One of the oldest ways to do this was created by the ancient Egyptians and Greeks. It uses a stick called scytale . They would have used wooden sticks and parchment, but we're going to use poster tubes and adding machine tape!

How the scytale cipher works

1. Get a scytale and a strip of parchment.
2. Wrap your parchment around your scytale until the stick is covered. Try to avoid overlapping and gaps.
3. Write your message along the length of the stick, one character per pass of the paper. If you need more space, rotate the stick away from you and keep writing.
4. Unwrap the scytale and send the scrambled message to a friend with the same-diameter stick.
5. The friend then wraps his scytale with the encoded parchment. Since the diameters are the same, the message is clearly legible!

This technique was very useful in ancient battles; the Spartans are known to have used this rather extensively. Each general was given a stick of uniform diameter so that he could quickly encipher and decipher any message sent from other generals. Notice how quick and easy this is to use!

          However, it is also rather easy to crack. In a battle situation, the most likely way to crack this would be to steal a general's scytale. Then, each message could be read easily. However, it can be cracked even without stooping to theivery. As it ends up, the scytale is just a very old (and rather simple) version of a greater class of ciphers called matrix transposition ciphers. The way the simplest of these works is by picking a matrix of a fixed size (say, 6x10) and then writing your message across the rows. The encipherment step consists of writing down the letters in the matrix by following the columns. Here's a simple 6x10 example:

T	R	O	O	P	S	H	E	A	D
I	N	G	W	E	S	T	N	E	E
D	M	O	R	E	S	U	P	P	L
I	E	S	S	E	N	D	G	E	N
E	R	A	L	D	U	B	O	I	S
M	E	N	T	O	A	I	D

Where we've written the message:

troops heading west need more supplies. send general dubois' men to aid

row by row into the matrix. Then, to encipher this, we simply read off the columns to get:

TIDIE MRNME REOGO SANOW RSLTP EEEDO
SSSNU AHTUD BIENP GODAE PEIDE LNS

The scytale cipher is just like one of these. Note that the number of "rows" in your message is determined by the diameter of your stick and the size of your writing. Cracking them, as you may guess, is just a matter of systematic guess-and-check.

How to crack the simple matrix transposition ciphers:

1. Count how many letters are in the ciphertext (for this example, assume the ciphertext is 99 letters long)
2. Make all of the matrices that would fit such a length (e.g. 2x50, 3x33, 4x25, 5x20, 6x17, 7x15, 8x13, 9x11, 10x10). Use TWO of each size.
3. For each size matrix, write out the ciphertext across the rows on one copy. On the other copy, write out the ciphertext down the columns.
4. At each stage, see if you can find anything legible, reading perpendicular to how you put the ciphertext in.

A harder version of the matrix transposition cipher is the column-scrambled matrix transposition cipher. Just like the ones above, you find a matrix of suitable dimensions and write your text in row-by-row. If there are blank cells left, fill them in with a dummy character (sometimes an 'X'). However, before writing down the ciphertext from the columns, you first scramble the columns. This generates a new matrix of the same size. Now read off the text down the columns, as before. This is a harder cipher, but there is a systematic way to crack it.

How to crack the column-scrambled matrix transposition ciphers:

1. Count how many letters are in your ciphertext (for example, 75) and factor that number (75 =5*5*3).
   
   
2. Create all of the possible matrices to fit this ciphertext (in our case, 3x25, 5x15, 15x5, 25x3).
   
   
3. Write the ciphertext into these matrices down the columns.
   
   
4. For each of your matrices, consider all of the possible permutations of the columns (for n columns, there are n! possible rearrangements). In our case, we hope that the message was enciphered using one of the last two matrices (the 15x5 and the 25x3), since in those cases, we have only 6 and 120 possibilites to check (3! = 6, 5! = 120, 15! ~ 1.31x10^12, 25! ~ 1.55x10^25).
   
   
5. Rearrange each matrix to see if you get anything intelligible. Read the message off row-by-row. Note that this is much more easily done by a computer than by hand, but it is doable (for small matrices).

Material referenced from Infosecschool and Cornell University

Read More

MD5 - Message Digest 5 : Information Security - BE-[Comp/IT]

   What is a Message Digest -  A simple answer to this question is  - Message Digest is basically a Cryptographic Hash Function. Still, if you are not yet clear with the term Message Digest, lets make it even more simple - Message Digest is simply  a digital summary for a given piece of information. Basically, it is the 'fingerprint' of the message, i.e. the message digest can be used to uniquely identify a message.

    I had used the term 'cryptographic' when i intended to explain the term Message Digest. How does crytography come into the picture, what does it mean? - well, cryptography is simply the scrambling of data i.e representing the data in such a way, that no one else except for the intended recipient can make sense out of it. Lets say , like 'Monday' can be represented as 'npoebz' (here,scrambling is done in the fashion of shifting all alphabets towards the right by 1. Eg : 'a' is replaced by b, 'b' is replaced by 'c' etc ). When we use both the terms together - Cryptographic + Hashing : Things gradually start making sense.

  Lets get a little more technical.

Defining : Cryptographic Hashing

   MD5 stands for Message Digest algorithm 5, and was invented by US cryptographer Professor Ronald Rivest in 1991 to replace the old MD4 standard. MD5 is simply the name for a type of cryptographic hashing function Ron came up with, way back in ’91.

   The idea behind cryptographic hashing is to take an arbitrary block of data and return a fixed-size “hash” value. It can be any data, of any size but the hash value will always be fixed. 

The ideal cryptographic hash function has four main or significant properties:

• it is easy to compute the hash value  (but not necessarily quick)  for any given message
• it is infeasible to generate a message that has a given hash
• it is infeasible to modify a message without changing the hash
• it is infeasible to find two different messages with the same hash

    Cryptographic hashing has a number of uses, and there are a vast number of algorithms (other than MD5) designed to do a similar job. One of the main uses for cryptographic hashing is for verifying the contents of a message or file after transfer.

Like ,consider the following case,

  The  method works for messages, with the hash verifying that the message received matches the message sent.

  On a very basic level, if you and a friend have a large file each and wish to verify they’re exactly the same without the hefty transfer, the hash code will do it for you.

   Hashing algorithms also play a part in data or file identification. A good example for this is peer to peer file sharing networks, such as eDonkey2000. The system used a variant of the MD4 algorithm (below) which also combined file’s size into a hash to quickly point to files on the network.

   A signature example of this is in the ability to quickly find data in hash tables, a method commonly used by search engines.

   Another use for hashes is in the storage of passwords. Storing passwords as clear text is a bad idea, for obvious reasons so instead they are converted to hash values. When a user inputs a password it is converted to a hash value, and checked against the known stored hash. As hashing is a one-way process, provided the algorithm is sound then there is theoretically little chance of the original password being deciphered from the hash.

  Cryptographic hashing is also often used in the generation of passwords, and derivative passwords from a single phrase.

Message Digest algorithm 5

  The MD5 function provides a 32 digit hexadecimal number. If we were to turn ‘makeuseof.com’ into into an MD5 hash value then it would look like:64399513b7d734ca90181b27a62134dc. It was built upon a method called the Merkle”“DamgÃ¥rd structure (below), which is used to build what are known as “collision-proof” hash functions.

    No security is everything-proof, however and in 1996 potential flaws were found within the MD5 hashing algorithm. At the time these were not seen as fatal, and MD5 continued to be used. In 2004 a far more serious problem was discovered after a group of researchers described how to make two separate files share the same MD5 hash value. This was the first instance of a collision attack being used against the MD5 hashing algorithm. A collision attack attempts to find two arbritary outputs which produce the same hash value ““ hence, a collision (two files existing with the same value).

   Over the next few years attempts to find further security problems within MD5 took place, and in 2008 another research group managed to use the collision attack method to fake SSL certificate validity. This could dupe users into thinking they are browsing securely, when they are not. The US Department of Homeland Security announced that: “users should avoid using the MD5 algorithm in any capacity. As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use“.

    Despite the government warning, many services still use MD5 and as such are technically at risk. It is however possible to “salt” passwords, to prevent potential attackers using dictionary attacks (testing known words) against the system. If a hacker has a list of random often-used passwords and your user account database, they can check the hashes in the database against those on the list. Salt is a random string, which is linked to existing password hashes and then hashed again. The salt value and resulting hash is then stored in the database.

   If a hacker wanted to find out your users’ passwords then he would need to decipher the salt hashes first, and this renders a dictionary attack pretty useless. Salt does not affect the password itself, so you must always choose a hard-to-guess password.

Conclusion

   MD5 is one of many different methods of identifying, securing and verifying data. Cryptographic hashing is a vital chapter in the history of security, and keeping things hidden. As with many things designed with security in mind, someone’s gone and broken it.

Read More

CIA - Confidentiality, Integrity & Availability

Confidentiality, Integrity, Availability (CIA)

What is it?

     You may have heard information security specialists referring to the "CIA" -- but they're usually not talking about the Central Intelligence Agency or the Culinary Institute of America.

   

   CIA is a widely used benchmark for evaluation of information systems security, focusing on the three core goals of confidentiality, integrity and availability of information.

Data confidentiality

  Confidentiality refers to limiting information access and disclosure to authorized users -- "the right people" -- and preventing access by or disclosure to unauthorized ones -- "the wrong people." 

   

   Underpinning the goal of confidentiality are authentication methods like user-IDs and passwords, that uniquely identify a data system's users, and supporting control methods that limit each identified user's access to the data system's resources.

   Also critical to confidentiality -- and data integrity and availability as well -- are protections against malicious software (malware), spyware, spam and phishing attacks.

Confidentiality is related to the broader concept of data privacy -- limiting access to individuals' personal information.  

Data integrity 

Integrity refers to the trustworthiness of information resources. 

     It includes the concept of "data integrity" -- namely, that data have not been changed inappropriately, whether by accident or deliberately malign activity.  It also includes "origin" or "source integrity" -- that is, that the data actually came from the person or entity you think it did, rather than an imposter.

    Integrity can even include the notion that the person or entity in question entered the right information -- that is, that the information reflected the actual circumstances (in statistics, this is the concept of "validity") and that under the same circumstances would generate identical data (what statisticians call "reliability").

   On a more restrictive view, however, integrity of an information system includes only preservation without corruption of whatever was transmitted or entered into the system, right or wrong.

Data availability

    Availability refers, unsurprisingly, to the availability of information resources.  An information system that is not available when you need it is at least as bad as none at all.  It may be much worse, depending on how reliant the organization has become on a functioning computer and communications infrastructure.

    Almost all modern organizations are highly dependent on functioning information systems.  Many literally could not operate without them. Availability, like other aspects of security, may be affected by purely technical issues (e.g., a malfunctioning part of a computer or communications device), natural phenomena (e.g., wind or water), or human causes (accidental or deliberate).

    While the relative risks associated with these categories depend on the particular context, the general rule is that humans are the weakest link.  (That's why each user's ability and willingness to use a data system securely are critical.)

Prevention vs. detection

  

      Security efforts to assure confidentiality, integrity and availability can be divided into those oriented to prevention and those focused on detection. The latter aims to rapidly discover and correct for lapses that could not be -- or at least were not -- prevented. 

    The balance between prevention and detection for depends on the circumstances, and the available security technologies.  For example, many homes have easily defeated door and window locks, but rely on a burglar alarm to detect (and signal for help after) intrusions through a compromised window or door.  

   Most information systems employ a range of intrusion prevention methods, of which user-IDs and passwords are only one part.  They also employ detection methods like audit trails to pick up suspicious activity that may signal an intrusion.

CIA - Principles of Information Security

Read More

Encryption & Decryption : Information Security

Download this guide as PDF

Encryption is the conversion of data into a form, called a ciphertext, that cannot be easily understood by unauthorized people. Decryption is the process of converting encrypted data back into its original form, so it can be understood.

The use of encryption/decryption is as old as the art of communication. In wartime, a cipher, often incorrectly called a code, can be employed to keep the enemy from obtaining the contents of transmissions. Simple ciphers include the substitution of letters for numbers, the rotation of letters in the alphabet, and the "scrambling" of voice signals by inverting the sideband frequencies. More complex ciphers work according to sophisticated computer algorithms that rearrange the data bits in digital signals.

In order to easily recover the contents of an encrypted signal, the correct decryption key is required. The key is an algorithm that undoes the work of the encryption algorithm. Alternatively, a computer can be used in an attempt to break the cipher. The more complex the encryption algorithm, the more difficult it becomes to eavesdrop on the communications without access to the key.

Encryption/decryption is especially important in wireless communications. This is because wireless circuits are easier to tap than their hard-wired counterparts. Nevertheless, encryption/decryption is a good idea when carrying out any kind of sensitive transaction, such as a credit-card purchase online, or the discussion of a company secret between different departments in the organization. The stronger the cipher -- that is, the harder it is for unauthorized people to break it -- the better, in general. However, as the strength of encryption/decryption increases, so does the cost.

Encryption is mainly of two types :

•  Asymmetric Key Encryption (Public-Key Encryption)
•  Symmetric Key Encryption

Symmetric-Key Encryption

   With symmetric-key encryption, the encryption key can be calculated from the decryption key, and vice versa. With most symmetric algorithms, the same key is used for both encryption and decryption. 

The following figure shows a symmetric-key encryption.

Symmetric-Key Encryption

Implementations of symmetric-key encryption can be highly efficient, so that users do not experience any significant time delay as a result of the encryption and decryption. Symmetric-key encryption also provides a degree of authentication, since information encrypted with one symmetric key cannot be decrypted with any other symmetric key. Thus, as long as the symmetric key is kept secret by the two parties using it to encrypt communications, each party can be sure that it is communicating with the other as long as the decrypted messages continue to make sense.

   Symmetric-key encryption is effective only if the symmetric key is kept secret by the two parties involved. If anyone else discovers the key, it affects both confidentiality and authentication. A person with an unauthorized symmetric key not only can decrypt messages sent with that key, but can encrypt new messages and send them as if they came from one of the two parties who were originally using the key.

    Symmetric-key encryption plays an important role in the SSL protocol, which is widely used for authentication, tamper detection, and encryption over TCP/IP networks. SSL also uses techniques of public-key encryption, which is described in the next section.

 Asymmetric Key Encryption :

Public-Key Encryption

The most commonly used implementations of public-key encryption are based on algorithms patented by RSA Data Security. Therefore, this section describes the RSA approach to public-key encryption.

   Public-key encryption (also called asymmetric encryption) involves a pair of keys—a public key and a private key—associated with an entity that needs to authenticate its identity electronically or to sign or encrypt data. Each public key is published, and the corresponding private key is kept secret. 

The following figure shows a simplified view of the way public-key encryption works.

Public-Key Encryption

    Public—key encryption lets you distribute a public key, and only you can read data encrypted by this key. In general, to send encrypted data to someone, you encrypt the data with that person’s public key, and the person receiving the encrypted data decrypts it with the corresponding private key.

   Compared with symmetric-key encryption, public-key encryption requires more computation and is therefore not always appropriate for large amounts of data. However, it’s possible to use public-key encryption to send a symmetric key, which can then be used to encrypt additional data. This is the approach used by the SSL protocol.

     As it happens, the reverse of the scheme shown in Figure also works: data encrypted with your private key can be decrypted with your public key only. This would not be a desirable way to encrypt sensitive data, however, because it means that anyone with your public key, which is by definition published, could decrypt the data. Nevertheless, private-key encryption is useful, because it means you can use your private key to sign data with your digital signature—an important requirement for electronic commerce and other commercial applications of cryptography. Client software can then use your public key to confirm that the message was signed with your private key and that it hasn’t been tampered with since being signed. Digital Signatures on Digital Signatures and subsequent sections describe how this confirmation process works.

========================

Video Lectures

Symmetric Key Cryptography : part 1

Symmetric Key Cryptography : part 2

Symmetric Key Cryptography : Block Ciphers & DES

Block Ciphers, DES, Triple DES

Integrity & message Authentication

Symmetric & Asymmetric Encryption

Asymmetric Encryption

============================================

Read More