InfoSec Basics for 4th Year Students

The lecture introduces basic concepts of information security, including definitions, types of attacks, and cryptography. It emphasizes the importance of security services and mechanisms, particularly the role of conventional cryptography and historical contributions from Muslim scholars. The document also outlines the requirements and models for network security and access security.

Uploaded by Mohammed Alani

Lecture 1: Introduction

4th Year Course, CCSIT, UoA

1
Information Security Sufyan Al-Janabi 2015
Lecture Goals
 To introduce the student to some basic
definitions of information security.
 To describe the conventional cryptography
model.
 To supply the student with some relevant
historical background emphasizing the role of
Muslim scholars in the field.

Definitions
o Computer Security - generic name for the collection
of tools designed to protect data and to thwart
hackers
o Network Security - measures to protect data during
their transmission
o Internet Security - measures to protect data during
their transmission over a collection of
interconnected networks
OSI Security Architecture: ITU-T X.800 "Security
Architecture for OSI" defines a systematic way of
defining and providing security requirements

Aspects of Security
1. Security attack: Any action that compromises
information security
2. Security mechanism: Process designed to
detect, prevent or recover from security
attack
3. Security service: Service that enhances
system's security by utilizing one or more
security mechanisms

Security Attack
o Any action that compromises the security of
information owned by an organization is a security
attack.
o Information security is about how to prevent
attacks, or failing that, to detect attacks on
information-based systems
o Threat and attack are often used to mean the same thing
o There are two generic types of attacks:
1. Passive attacks
2. Active attacks

Passive Attacks (1)
 The strategy for such attack is to eavesdrop, and
monitor transmission, in order to obtain information
being transmitted
1. Type 1: Release of message contents: like tapping on
phone line to hear conversation, or getting
unauthorized copy of email message
2. Type 2: Traffic analysis: This is done by observing
message pattern, even if encrypted, and then
determining location and identity of parties
 Passive attacks are very difficult to detect, because
they make no alteration of the data

Passive Attacks (2)

Active Attacks (1)
 Modification of transmitted data or creation of false data
represents an active attack.
1. Type 1- Masquerade: Pretending to be a different
entity
2. Type 2- Replay: Capturing data for subsequent
retransmission
3. Type 3- Modification of message: Some portion of
legitimate message is altered
4. Type 4- Denial of service: Disruption of network or
system resources by disabling or overloading

Active Attacks (2)

Active Attacks (3)

Security Service
A security service is used to enhance security of data
processing systems and information transfers of an
organization
Security services are intended to counter security
attacks
A security service may use one or more security
mechanisms
Security services often replicate functions normally
associated with physical documents, which, for
example, carry signatures and dates; need protection from
disclosure, tampering, or destruction; may be notarized or
witnessed; and may be recorded or licensed

Main Security Services (X.800)
1. Authentication - assurance that the communicating
entity is the one claimed
2. Access Control - prevention of the unauthorized use
of a resource
3. Data Confidentiality - protection of data from
unauthorized disclosure
4. Data Integrity - assurance that data received is as
sent by an authorized entity
5. Non-Repudiation - protection against denial by one
of the parties in a communication

Security Mechanism
 Security mechanism is a feature designed to
detect, prevent, or recover from a security
attack
 There is no single mechanism that will support
all services required
 However, there is one particular element that
underlies many of the security mechanisms in
use, which is:
Cryptography

Security Mechanisms (X.800)

Model for Network Security

Requirements of the Model for Network Security
1. Design a suitable algorithm for the security
transformation
2. Generate the secret information (keys) used by the
algorithm
3. Develop methods to distribute and share the secret
information (keys)
4. Specify a protocol enabling the principals to use the
transformation and secret information for a security
service

Model For Network (or System) Access Security

(Figure: Intrusion Prevention; 1. Intrusion Detection; 2. System Recovery)

Requirements of the Model for Network (or System) Access Security
1. Select appropriate gatekeeper functions to identify
users
2. Implement security controls to ensure only
authorized users access designated information or
resources
3. Implement intrusion detection and recovery tools
4. Trusted computer systems may be useful to help
implement this model

Cryptography
 Cryptography in Greek means "secret writing". It is the
practice and study of (mathematical) techniques
for secure communication in the presence of third parties
(called adversaries).
 Modern cryptography exists at the intersection of the
disciplines of mathematics, computer science,
and electrical engineering.
 Cryptographic systems can be divided into two main
types:
1. Conventional cryptography (also called symmetric,
private-key, or single-key cryptography)
2. Public-key cryptography (also called asymmetric, or
two-key cryptography)

Conventional Cryptography
 Conventional cryptography is also called symmetric,
private-key, secret key, or single-key cryptography
 In conventional cryptography, sender and recipient
share a common key
 All classical encryption algorithms (i.e. those before the
computer age) are of this type.
 Conventional cryptography was the only type prior to the
invention of public-key cryptography in the 1970s, and it is
still by far the most widely used

Ingredients of Conventional Cryptography
1. Plaintext: Original intelligible message
2. Encryption algorithm: Performs substitutions and/or
transformations
• Input: plaintext, key
• Output: ciphertext
3. Secret Key (Different keys produce different outputs)
4. Ciphertext: Unintelligible scrambled message that
depends on the plaintext and the key
5. Decryption algorithm: It is the Encryption algorithm
run in reverse
• Input: ciphertext, key
• Output: plaintext

Simplified Model for Conventional Cryptography

Conventional Cryptography Formal Model

Requirements of Conventional Cryptography
1. Strong encryption algorithm
2. Secret key known only to sender / receiver
3. Y = E_K(X)
4. X = D_K(Y)
5. Assume encryption algorithm is known (Kerckhoffs'
Principle)
6. Implies a secure channel to distribute key

Characterization of Conventional Cryptography
1. According to the type of operation:
A. Substitution: each element of plaintext (bit,
character) mapped to another element
B. Transposition: plaintext elements rearranged
2. According to the processing method:
A. Stream cipher: element by element (bit, byte)
B. Block cipher: block (of bytes) transformed as a
whole
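To make the requirements Y = E_K(X), X = D_K(Y) and the substitution/transposition distinction concrete, here is an added example (my own Python, not from the lecture or from Stallings' textbook): a Caesar shift as the substitution cipher and a simple columnar transposition, with a column count as its key, as the transposition cipher. Both algorithms are public and only the integer key is secret, as Kerckhoffs' principle assumes; the plaintext and keys are constructed samples.

```python
# Added example (not from the lecture): the conventional model Y = E_K(X), X = D_K(Y)
# for one substitution cipher (Caesar shift) and one transposition cipher (columnar).
# The algorithms are public; only the integer key is secret (Kerckhoffs' principle).
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Substitution: each letter is replaced by the letter `key` places later."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is the encryption algorithm run in reverse: shift back by `key`."""
    return caesar_encrypt(ciphertext, -key)


def columnar_encrypt(plaintext: str, key: int) -> str:
    """Transposition: letters are rearranged, not replaced. The text (spaces removed)
    is written in rows of `key` columns and read out column by column; the last row
    is padded with 'X' so every column has the same height."""
    text = plaintext.upper().replace(" ", "")
    text += "X" * ((-len(text)) % key)
    return "".join(text[col::key] for col in range(key))


def columnar_decrypt(ciphertext: str, key: int) -> str:
    """Reverse the transposition: every column holds len(ciphertext) // key letters,
    so row r consists of the ciphertext letters at positions r, r + rows, r + 2*rows...
    Any padding letters remain at the end of the result."""
    if not ciphertext:
        return ""
    rows = len(ciphertext) // key
    return "".join(ciphertext[row::rows] for row in range(rows))


if __name__ == "__main__":
    X = "ATTACK AT DAWN"                      # constructed sample plaintext
    for name, enc, dec, K in (("Caesar", caesar_encrypt, caesar_decrypt, 3),
                              ("columnar", columnar_encrypt, columnar_decrypt, 4)):
        Y = enc(X, K)                          # Y = E_K(X)
        print(f"{name:9s} key={K}: {Y!r} -> {dec(Y, K)!r}")   # X = D_K(Y)
```

Note that the transposition output contains exactly the same letters as the plaintext, only reordered, which is why letter-frequency counting cannot distinguish it from plaintext.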

Historical Notes (Not required in Exam)
Two absolutely fascinating books:
1. The Codebreakers, by David Kahn, 1996, Scribner.
2. The Code Book: The Science of Secrecy from
Ancient Egypt to Quantum Cryptography, by
Simon Singh, 1999, Anchor Books.

Ancient Mesopotamia
The oldest Mesopotamian
encipherment:
o A 3" x 2" cuneiform tablet,
dating from ~1500 B.C.
o Earliest known formula for
pottery glazes.
o Uses cuneiform signs in their
least common syllabic values
to attempt to hide the secrets
of the formulae

Ancient Greece
Herodotus, in The Histories, chronicled
the conflicts between Greece and
Persia in the 5th century B.C.
Herodotus also described another
incident:
 Histiaeus wanted to encourage
Aristagoras of Miletus to revolt
against the Persian king.
 To send the message securely, he
shaved the head of his messenger,
wrote on his scalp, and then waited
for the hair to regrow.

The Evolution of Secret Writing
 The earliest strategy was hiding the message itself (steganography).
 Cryptography: Hiding the meaning (encryption).
 Cryptography was developed in parallel with
steganography. It had the obvious advantage that
without knowing the scrambling protocol, the enemy
could not easily determine the message.
 Two branches of cryptography: Transposition &
Substitution.
 The Caesar (shift) cipher is based on a cipher alphabet
that is shifted a certain number of places (in Caesar's
case three) relative to the plain alphabet.

Muslim Cryptanalysts (1)
 The year 750 A.D. heralded the golden age of Islamic civilization.
 The social order relied on an effective system of administration,
which in turn relied on secure communication achieved through
the use of encryption.
 The Arab scholars invented cryptanalysis, the science of
unscrambling a message without knowledge of the key. They
cracked the monoalphabetic substitution cipher after several
centuries of its successful use.
 Starting around the 8th century A.D., Al-Khalil ibn Ahmad
al-Farahidi:
1. Solved a cryptogram in Greek for the Byzantine emperor
2. Was the first to discover and write down the methods of
cryptanalysis

Muslim Cryptanalysts (2)
 The innocuous observation that some letters are more common
than others in written documents would lead to the first great
breakthrough in cryptanalysis. The method, called frequency
analysis, is described in a treatise by Abu Yusuf Ya'qub al-Kindi in
the ninth century.
 His greatest treatise, rediscovered in 1987 in the Sulaimaniyyah
Ottoman Archive in Istanbul, is entitled "A Manuscript on
Deciphering Cryptographic Messages". It describes a
revolutionary system of cryptanalysis which is still in use today.
 In 1412 A.D., the Arabic knowledge of cryptology was fully
described in the "Subh al-a'sha", a huge 14-volume encyclopedia
written by Shihab al-Din abu'l-Abbas Ahmad al-Qalqashandi
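As an added example (my own Python, not part of the lecture), here is al-Kindi's frequency analysis applied to a Caesar-shifted message: the analyst knows the algorithm but not the key, decrypts under every candidate shift, and keeps the one whose letter frequencies are closest to English, scored with the chi-squared statistic against an approximate English frequency table. The sample sentence and its key are constructed here; the frequency table holds commonly published approximate values.

```python
# Added example (not from the lecture): frequency analysis against a Caesar shift.
# The key is unknown; each candidate decryption is scored by how closely its letter
# distribution matches English (chi-squared, lower is closer) and the best one wins.
import string

ALPHABET = string.ascii_uppercase

# Approximate relative frequencies (%) of the letters A..Z in English text.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def shift(text: str, key: int) -> str:
    """Caesar shift of every letter by `key` places; other characters are unchanged."""
    return "".join(ALPHABET[(ALPHABET.index(c) + key) % 26] if c in ALPHABET else c
                   for c in text.upper())


def letter_counts(text: str) -> list[int]:
    """Count occurrences of A..Z in `text`, ignoring non-letters."""
    counts = [0] * 26
    for c in text.upper():
        if c in ALPHABET:
            counts[ALPHABET.index(c)] += 1
    return counts


def chi_squared(text: str) -> float:
    """Distance between the letter distribution of `text` and English."""
    counts = letter_counts(text)
    total = sum(counts)
    if total == 0:
        return float("inf")  # no letters: nothing to compare
    return sum((obs - total * exp / 100) ** 2 / (total * exp / 100)
               for obs, exp in zip(counts, ENGLISH_FREQ))


def break_caesar(ciphertext: str) -> tuple[int, str]:
    """Try all 26 shifts; return (recovered key, plaintext) with the best English fit."""
    best_key = min(range(26), key=lambda k: chi_squared(shift(ciphertext, -k)))
    return best_key, shift(ciphertext, -best_key)


# Constructed sample: an English sentence enciphered with a key the analyst does not know.
SAMPLE_PLAINTEXT = ("INFORMATION SECURITY IS ABOUT HOW TO PREVENT ATTACKS OR FAILING THAT "
                    "TO DETECT ATTACKS ON INFORMATION BASED SYSTEMS AND THE SECRET KEY MUST "
                    "BE KNOWN ONLY TO THE SENDER AND THE RECEIVER")
SAMPLE_CIPHERTEXT = shift(SAMPLE_PLAINTEXT, 3)

if __name__ == "__main__":
    key, recovered = break_caesar(SAMPLE_CIPHERTEXT)
    print(f"recovered key = {key}\n{recovered}")
```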

Renaissance in the West
 13th Century—Cryptography was introduced into Western
Civilization by European monks: Epistle on the Secret Works of
Art and the Nullity of Magic, by Roger Bacon (English Franciscan
monk)
 15th Century—The revival in the arts, sciences and scholarship
during the Renaissance nurtured the capacity for cryptography,
while an explosion in political machinations offered ample
motivation for secret communication. Each state had a cipher
office, and each ambassador had a cipher secretary.
 This was a period of transition, with cryptographers still relying
on the monoalphabetic substitution cipher, while cryptanalysts
were beginning to use frequency analysis to break it.

Finally . . .
 Acknowledgment: These lecture notes are based on
the textbook by William Stallings and notes prepared
by Avinash Kak, Purdue University. My sincere thanks
are devoted to them and to all other people who
offered the material on the web.

 Students are advised to study and solve the problems
and answer the questions in Assignment-1.
