The Need For Information Security
Apart from these, there is one more principle that governs information security
programs: non-repudiation.
Authenticity – means verifying that users are who they say they are and
that each input arriving at the destination comes from a trusted source. If this
principle is followed, the receiver can be sure that a valid, genuine message
was received from a trusted source over a valid transmission. For example, in
the scenario above the sender transmits the message together with a digital
signature that was generated from the hash value of the message and the
sender's private key. At the receiver side the sender's public key is applied to
the digital signature to recover the hash value, and the received message is
hashed again to produce a second hash value. If the two values match, the
transmission is valid and the message received at the recipient side is
authentic, or as we say genuine.
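The hash-then-sign exchange described above, written out as an added example; this code is not from the original notes. It uses textbook RSA with a toy key pair built from two Mersenne primes so that everything runs in plain Python with no third-party library. The modulus is only about 92 bits and there is no padding, so it is for illustration and not secure for real use; the message is a constructed sample input.

```python
import hashlib

# Toy RSA key pair from two Mersenne primes (an assumption made here so the
# arithmetic is fast and needs no library). A ~92-bit modulus without padding
# is NOT secure; it only shows the sign/verify steps described in the notes.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

PUBLIC_KEY = (E, N)     # announced publicly by the sender
PRIVATE_KEY = (D, N)    # kept secret by the sender


def message_hash(message: bytes, n: int) -> int:
    """Hash the message and reduce the digest into the range of the modulus."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") % n


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Sender: signature = hash(message)^d mod n."""
    d, n = private_key
    return pow(message_hash(message, n), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Receiver: recover the hash from the signature with the public key and
    compare it with a fresh hash of the received message."""
    e, n = public_key
    recovered = pow(signature, e, n)
    return recovered == message_hash(message, n)


def demo() -> dict:
    """Constructed sample exchange: a genuine message, a tampered copy and a
    forged signature. Returns the three verification results."""
    message = b"Transfer 100 to account 42"        # constructed sample input
    signature = sign(message)
    return {
        "genuine": verify(message, signature),
        "tampered_message": verify(b"Transfer 900 to account 42", signature),
        "forged_signature": verify(message, (signature + 1) % N),
    }


if __name__ == "__main__":
    print(demo())   # genuine True, tampered_message False, forged_signature False
```

Signing the hash rather than the message itself is what lets the receiver check a message of any length with a single modular exponentiation. Real deployments add a padding scheme (PSS or PKCS#1 v1.5) and use keys of at least 2048 bits.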
Accountability – means that it should be possible to trace the actions of an
entity uniquely to that entity. For example, as discussed in the Integrity
section, not every employee should be allowed to change other employees'
data. A separate department in the organization is responsible for making
such changes. When it receives a request for a change, the request letter
must be signed by a higher authority (for example the Director of the college),
and the person assigned to the change can only make it after verifying his or
her biometrics, so a timestamp and the details of the user making the change
are recorded. If a change goes through like this, it is possible to trace the
action uniquely to an entity.
There are several advantages to implementing an information classification
system in an organization's information security program:
1. Improved security: By identifying and classifying sensitive information,
organizations can better protect their most critical assets from
unauthorized access or disclosure.
2. Compliance: Many regulatory and industry standards, such as HIPAA
and PCI-DSS, require organizations to implement information
classification and data protection measures.
3. Improved efficiency: By clearly identifying and labeling information,
employees can quickly and easily determine the appropriate handling and
access requirements for different types of data.
4. Better risk management: By understanding the potential impact of a
data breach or unauthorized disclosure, organizations can prioritize
resources and develop more effective incident response plans.
5. Cost savings: By implementing appropriate security controls for different
types of information, organizations can avoid unnecessary spending on
security measures that may not be needed for less sensitive data.
6. Improved incident response: By having a clear understanding of the
criticality of specific data, organizations can respond to security incidents
in a more effective and efficient manner.
There are some potential disadvantages to implementing an
information classification system in an organization’s information
security program:
1. Complexity: Developing and maintaining an information classification
system can be complex and time-consuming, especially for large
organizations with a diverse range of data types.
2. Cost: Implementing and maintaining an information classification system
can be costly, especially if it requires new hardware or software.
3. Resistance to change: Some employees may resist the implementation
of an information classification system, especially if it requires them to
change their usual work habits.
4. Inaccurate classification: Information classification is usually done by
humans, so some information may be misclassified, which can lead to
inadequate protection or to unnecessary restrictions on access.
5. Lack of flexibility: Information classification systems can be rigid and
inflexible, making it difficult to adapt to changing business needs or new
types of data.
6. False sense of security: Implementing an information classification
system may give organizations a false sense of security, leading them to
overlook other important security controls and best practices.
7. Maintenance: Information classification must be reviewed and updated
regularly; otherwise it becomes outdated and ineffective.
Types of Attacks
Security attacks: Any action that compromises the security of information owned by an
organization. These attacks are classified as:
1. Passive Attacks
2. Active Attacks
Security service:-
Many businesses need cryptographic security services to safeguard their data
processing systems and information transfers against cyber attacks. Depending
on the business's security needs, only a few services may be required, or
more where they overlap with one another. There are five security services
provided by cryptography that promote cybersecurity in various ways.
What Are the Types of Security Services?
Authentication: To ensure that no unauthorized people see your business's
information, authentication requires someone to prove they are who they claim
to be. It can also verify that the source of received data is legitimate during
any transfer of information.
Data Confidentiality: Remember how cryptography can turn messages into
unintelligible characters? This security service does exactly that. It keeps
data confidential by letting only selected people recover the real
information, while third parties see only the encrypted form.
Access Control: It is easy to assume that access control is the same as
authorization. The key difference lies in the level of access: not all
information in a business needs to be known by everyone working there.
Access control therefore grants tier-based access to selected people within
the business while also keeping unauthorized users out.
Data Integrity: Data integrity lets you ensure that data you receive has not
been tampered with. It confirms that data sent by another authorized party was
not modified after it was created, transmitted or stored. This security service
is valuable for businesses that need a reliable digital paper trail.
Non-Repudiation: Digital signatures are a good example of what non-
repudiation does. For example, during online transactions, it ensures that a
person cannot later deny sending information or the authenticity of its
signature. To sum it up, it’s all about protection against any form of denial
when communicating with another party.
Security Mechanism
A process (or a device incorporating such a process) that is designed to detect,
prevent, or recover from a security attack. The mechanisms are divided into those
that are implemented in a specific protocol layer, such as TCP or an application-layer
protocol, and those that are not specific to any particular protocol layer or
security service.
1. Encipherment: Encipherment is hiding or covering data and can provide
confidentiality. It makes use of mathematical algorithms to transform data into
a form that is not readily intelligible. The transformation and subsequent
recovery of the data depend on an algorithm and zero or more encryption
keys. Cryptography and Steganography techniques are used for enciphering.
2. Data integrity: The data integrity mechanism appends a short check value to
the data, created by a specific process from the data itself. The receiver
receives the data together with the check value, creates a new check value
from the received data, and compares it with the one received. If the two
check values match, the integrity of the data has been preserved. Note that
an unkeyed check value (a CRC or plain hash) only detects accidental
corruption: an attacker who can modify the data can recompute the check value
too, so integrity against deliberate tampering requires a keyed value such as a
MAC or a digital signature.
3. Digital Signature: A digital signature is a way by which the sender can
electronically sign the data and the receiver can electronically verify it. The
sender uses a process in which the sender owns a private key related to the
public key that he or she has announced publicly. The receiver uses the
sender's public key to prove the message is indeed signed by the sender who
claims to have sent the message.
4. Authentication exchange: A mechanism intended to ensure the identity of
an entity by means of information exchange. The two entities exchange some
messages to prove their identity to each other, for example a challenge-response
exchange in which one party proves knowledge of a secret by correctly answering
a fresh challenge sent by the other.
5. Traffic padding: The insertion of bits into gaps in a data stream to frustrate
traffic analysis attempts.
6. Routing control: Enables selection of particular physically secure routes for
certain data and allows routing changes which means selecting and
continuously changing different available routes between the sender and the
receiver to prevent the attacker from traffic analysis on a particular route.
7. Notarization: The use of a trusted third party to control the communication
between the two parties. It prevents repudiation. The receiver involves a
trusted third party to store the request to prevent the sender from later
denying that he or she has made such a request.
8. Access Control: A variety of mechanisms are used to enforce access rights
to resources/data owned by a system, for example PINs and passwords.
Reference: William Stallings, Cryptography and Network Security: Principles and Practice, PHI 3rd Edition, 2006.
Introduction to Crypto-terminologies
3. Hashing: It involves taking the plain text and converting it to a hash value
of fixed size by means of a hash function. This process protects the integrity of
the message, since the hash values computed on the sender's and the receiver's
sides must match if the message is unaltered.
Feature                     | Hash functions             | Symmetric algorithms | Asymmetric algorithms
Number of keys              | 0                          | 1                    | 2
Example recommended by NIST | SHA-256, SHA3-256, SHA-512 | AES or 3DES          | RSA, DSA, ECC

(NIST has since deprecated 3DES; AES is the recommended symmetric cipher.)
Cryptanalysis:
Advantages:
Disadvantages:
Defining Ciphertext
The result of applying an encryption method, often referred to as a cipher, is
called ciphertext. Data is considered encrypted when it cannot be understood by
individuals or devices lacking the appropriate cipher and key; to interpret the
data, both are necessary. Algorithms transform plaintext into ciphertext and, in
reverse, convert ciphertext back into plaintext. These processes are known as
encryption and decryption.
In the simplest ciphers, letters are substituted for other letters. Historically,
such a message could be deciphered by hand by recording the corresponding
characters.
Difference Between Plain Text And Cipher Text
Category       | Plain Text                                       | Cipher Text
Definition     | Original readable data in its natural form.      | Encrypted form of data, not easily readable.
Accessibility  | Can be understood and used without decryption.   | Requires decryption to be understood.
Representation | Represents the actual content of the message.    | Represents an encrypted version of the message.
Security       | Prone to unauthorized access and disclosure.     | Offers greater security against breaches.
Conversion     | Input to encryption; output from decryption.     | Output of encryption; input to decryption.
Purpose        | Easily read and understood by humans.            | Secure transmission and storage of data.
Substitution Techniques
Techniques in which each element of the plaintext is mapped to another element.
1. Caesar Cipher
2. Monoalphabetic cipher
3. Playfair Cipher
4. Hill Cipher
5. Polyalphabetic Cipher
6. One Time Pad
Caesar Cipher
The process of turning plain text into an encrypted form (cipher text) is
known as encryption. Sensitive data is transmitted in an encrypted form so
that it can be protected and a strong encryption mechanism ensures that the
data is not misused even if a hacker gets hold of it. Decryption is the reverse
mechanism where the encrypted cipher text is converted back into its
original form.
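As an added example that is not part of the original notes, the Caesar cipher named in the heading above: each letter is shifted a fixed number of positions, and because there are only 25 useful shifts the key is recovered by trying them all. The sample plaintext and the crib word used to pick out the correct shift are constructed inputs.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext: str, shift: int) -> str:
    """Shift every A-Z/a-z letter by `shift` positions (wrapping at Z);
    case is preserved and any other character is copied unchanged."""
    out = []
    for ch in plaintext:
        if "A" <= ch <= "Z":
            out.append(ALPHABET[(ord(ch) - 65 + shift) % 26])
        elif "a" <= ch <= "z":
            out.append(ALPHABET[(ord(ch) - 97 + shift) % 26].lower())
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, shift: int) -> str:
    """Decryption is encryption with the opposite shift."""
    return caesar_encrypt(ciphertext, -shift)


def brute_force(ciphertext: str) -> dict:
    """Cryptanalysis: the key space is only the 25 non-trivial shifts,
    so an attacker simply decrypts under every one of them."""
    return {shift: caesar_decrypt(ciphertext, shift) for shift in range(1, 26)}


def recover_shift(ciphertext: str, crib: str):
    """Return the shift whose decryption contains an expected word (a crib),
    or None if no candidate does."""
    for shift, candidate in brute_force(ciphertext).items():
        if crib.upper() in candidate.upper():
            return shift
    return None


if __name__ == "__main__":
    ct = caesar_encrypt("Attack at dawn", 3)          # constructed sample input
    print(ct)                                          # Dwwdfn dw gdzq
    print(recover_shift(ct, "attack"))                 # 3
```

Exhaustive search is the natural attack here because the key space is tiny; a general monoalphabetic substitution has 26! keys but falls just as quickly to letter-frequency analysis, which is why neither belongs in anything but a classroom.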
Encryption
Decryption
The following table highlights the major differences between encryption and
decryption as given in the notes −
Encryption                                                                   | Decryption
The size of cipher text is the same as or smaller than the original plain text. | The size of cipher text is the same as or larger than the original plain text.
The length of key used is 128 or 256 bits.                                    | The length of key used is 2048 bits or higher.
Note that both rows really contrast symmetric ciphers (128- or 256-bit keys, such
as AES) with asymmetric ciphers (2048-bit or larger keys, such as RSA), not
encryption with decryption: an algorithm decrypts with a key of the same size it
encrypted with, and ciphertext is the same size as or larger than the plaintext
(padding, IVs or tags can add bytes), with decryption restoring the original size.
1) Rail-Fence Technique
This technique is a type of transposition technique: the plain text is written
as a sequence of diagonals (a zigzag across the rows) and the order of the
letters is then changed by reading the text off row by row.
Example,
Now let's decide on an order for the columns as 4, 1, 3 and 2 and read the
text column-wise in that order. (Reading the columns in a keyed order is the
columnar transposition variant; in the plain rail fence the rows are simply read
one after another.)
Cipher-text: LHIEEIUESSCEPWMNDLAO
Algorithm:
Example:
Now let's again decide on an order for the columns as 4, 1, 3 and 2 and read
the text column-wise in that order.
Round 2:
Cipher-text: EEENLESPICUMHISW
Algorithm:
Example:
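Both transposition examples above, the rail-fence zigzag and the keyed column read-out applied once and then for a second round, as an added example that is not part of the original notes. The 20-letter plaintext INCLUDEHELPISAWESOME is a constructed sample input chosen because, written into four columns and read out in the order 4, 1, 3, 2, it reproduces the ciphertext LHIEEIUESSCEPWMNDLAO shown above; the rail-fence sample text is also constructed.

```python
def _rail_pattern(length: int, rails: int) -> list:
    """Rail index visited by each character position when writing a zigzag."""
    pattern, rail, step = [], 0, 1
    for _ in range(length):
        pattern.append(rail)
        if rail == 0:
            step = 1
        elif rail == rails - 1:
            step = -1
        rail += step
    return pattern


def rail_fence_encrypt(text: str, rails: int) -> str:
    """Write the text along the diagonals, then read the rails row by row."""
    if rails < 2:
        return text
    rows = [[] for _ in range(rails)]
    for ch, rail in zip(text, _rail_pattern(len(text), rails)):
        rows[rail].append(ch)
    return "".join("".join(row) for row in rows)


def rail_fence_decrypt(cipher: str, rails: int) -> str:
    """Cut the ciphertext back into rails, then walk the zigzag to reorder it."""
    if rails < 2:
        return cipher
    pattern = _rail_pattern(len(cipher), rails)
    rows, pos = [], 0
    for rail in range(rails):
        count = pattern.count(rail)
        rows.append(iter(cipher[pos:pos + count]))
        pos += count
    return "".join(next(rows[rail]) for rail in pattern)


def columnar_encrypt(text: str, order: list) -> str:
    """Write the text row by row into len(order) columns and read the columns
    out in the given order (1-based column numbers, as in the notes)."""
    cols = len(order)
    if len(text) % cols:
        raise ValueError("pad the plaintext to a multiple of the column count")
    columns = [text[i::cols] for i in range(cols)]
    return "".join(columns[k - 1] for k in order)


def columnar_decrypt(cipher: str, order: list) -> str:
    """Put each ciphertext chunk back into its column, then read row by row."""
    cols = len(order)
    rows = len(cipher) // cols
    columns = [""] * cols
    for j, k in enumerate(order):          # j-th chunk was read from column k
        columns[k - 1] = cipher[j * rows:(j + 1) * rows]
    return "".join(columns[c][r] for r in range(rows) for c in range(cols))


def multi_round_encrypt(text: str, order: list, rounds: int = 2) -> str:
    """'Round 2' in the notes: apply the same columnar transposition again."""
    for _ in range(rounds):
        text = columnar_encrypt(text, order)
    return text


def multi_round_decrypt(cipher: str, order: list, rounds: int = 2) -> str:
    for _ in range(rounds):
        cipher = columnar_decrypt(cipher, order)
    return cipher


if __name__ == "__main__":
    print(columnar_encrypt("INCLUDEHELPISAWESOME", [4, 1, 3, 2]))  # LHIEEIUESSCEPWMNDLAO
    print(rail_fence_encrypt("WEAREDISCOVEREDFLEEATONCE", 3))
```

Transposition never changes which letters appear, only where they sit, so the ciphertext has exactly the plaintext's letter frequencies; that is the first thing an analyst checks to tell a transposition from a substitution.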
A one-time pad must be discarded after a single use. The technique is provably
secure and suitable for small messages, but impractical for long messages,
because the key must be truly random, at least as long as the message, and
shared in advance over a secure channel.
4) Book/Running-Key Cipher
This technique is also (incorrectly) known as the running-key cipher. It is
very simple and similar to the Vernam cipher above: a portion of text from a
book is used as the one-time pad, and otherwise it works in the same way as the
Vernam cipher. Because a book passage is ordinary language rather than random
data, it is far weaker than a true one-time pad.
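As an added example that is not part of the original notes: the Vernam one-time pad over bytes using XOR, the running-key variant over letters that takes a passage of text as the key, and a demonstration of why the pad must never be reused, since XORing two ciphertexts made with the same pad cancels the key and exposes the XOR of the two plaintexts. The messages and the key passage are constructed sample inputs.

```python
import secrets


def new_pad(length: int) -> bytes:
    """A fresh pad: truly random bytes, at least as long as the message, used once."""
    return secrets.token_bytes(length)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Vernam encryption and decryption are the same operation: XOR with the pad."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, pad))


def two_time_pad_leak(cipher1: bytes, cipher2: bytes) -> bytes:
    """What an eavesdropper learns when one pad is used twice:
    (p1 ^ k) ^ (p2 ^ k) = p1 ^ p2, so the pad cancels out."""
    return bytes(a ^ b for a, b in zip(cipher1, cipher2))


def _letters(text: str) -> list:
    """Keep A-Z only, as 0..25; the running-key cipher works on letters."""
    return [ord(c) - 65 for c in text.upper() if "A" <= c <= "Z"]


def running_key_encrypt(plaintext: str, key_text: str) -> str:
    """Book/running-key cipher: the key stream is a passage of text, added mod 26."""
    p, k = _letters(plaintext), _letters(key_text)
    if len(k) < len(p):
        raise ValueError("key passage must supply at least as many letters as the message")
    return "".join(chr(65 + (a + b) % 26) for a, b in zip(p, k))


def running_key_decrypt(ciphertext: str, key_text: str) -> str:
    c, k = _letters(ciphertext), _letters(key_text)
    return "".join(chr(65 + (a - b) % 26) for a, b in zip(c, k))


def demo() -> dict:
    """Constructed messages of equal length, with one pad wrongly reused for both."""
    p1 = b"ATTACK AT DAWN!!"
    p2 = b"RETREAT AT NOON!"
    pad = new_pad(len(p1))
    c1, c2 = otp_xor(p1, pad), otp_xor(p2, pad)
    leak = two_time_pad_leak(c1, c2)
    return {
        "roundtrip_ok": otp_xor(c1, pad) == p1,
        "leak_is_p1_xor_p2": leak == bytes(a ^ b for a, b in zip(p1, p2)),
        # Knowing or guessing p1 lets the attacker recover p2 outright.
        "p2_recovered": bytes(a ^ b for a, b in zip(leak, p1)) == p2,
    }


if __name__ == "__main__":
    print(demo())
    print(running_key_encrypt("HELLO", "the quick brown fox"))   # ALPBI
```

The leak is the whole point of the "discard after a single use" rule: with two ciphertexts under one pad, every correctly guessed word in one message reveals the aligned bytes of the other. The running-key variant has the same structure but, since English text is not uniformly random, the key stream itself can be guessed letter by letter.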
Steganography
Steganography can be applied to images, video files or audio files.
Traditionally, steganographic messages were hidden in written text, for example
by marking particular characters, but hiding data inside images is also common.
Steganography is also used to protect copyrighted material from piracy (by
embedding hidden watermarks) and to help detect unauthorized viewing or copying.
All rounds have the same structure. A substitution is performed on the left half
of the data (as in S-DES): the round function F is applied to the right half of
the data and the output of F is XORed with the left half. The round function has
the same general structure in every round but is parameterized by the round
subkey Ki. Following this substitution, a permutation is performed that consists
of interchanging the two halves of the data. This structure is a particular form
of the substitution-permutation network. Because the left half is only ever
XORed with the output of F, F itself need not be invertible, and decryption uses
the same rounds with the subkeys applied in reverse order. The exact realization
of a Feistel network depends on the choice of the following parameters and design
features:
Key size - Increasing size improves security, makes exhaustive key searching
harder, but may slow cipher
Subkey generation - Greater complexity can make analysis harder, but slows cipher
Round function - Greater complexity can make analysis harder, but slows
cipher
Fast software encryption/decryption and ease of analysis - these are more recent
concerns for practical use and testing.
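As an added example that is not part of the original notes, a toy Feistel network over a 64-bit block with the structure described above: each round applies F to the right half, XORs the result into the left half and swaps the halves, and decryption runs the identical rounds with the subkeys in reverse order. The round function and the key schedule are assumed here purely for illustration; they are not a published cipher and are not secure.

```python
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def round_function(right: int, subkey: int) -> int:
    """Toy F (assumed here, not from any real cipher). F does NOT have to be
    invertible: the XOR into the left half is what decryption undoes."""
    x = (right + subkey) & MASK32
    x ^= ((x << 7) | (x >> 25)) & MASK32       # rotate-and-xor for diffusion
    x = (x * 0x9E3779B1) & MASK32              # multiply by an odd constant
    return x ^ (x >> 13)


def subkeys(key: int, rounds: int) -> list:
    """Toy key schedule (assumed): 32-bit subkey K_i from rotations of the
    64-bit key, so every round is parameterized differently."""
    ks = []
    for i in range(rounds):
        rot = (i * 11) % 64
        rotated = ((key << rot) | (key >> (64 - rot))) & MASK64
        ks.append((rotated ^ (rotated >> 32) ^ i) & MASK32)
    return ks


def _rounds(block: int, ks: list) -> int:
    """Run the Feistel rounds with the given subkey sequence."""
    left, right = block >> 32, block & MASK32
    for k in ks:
        # substitution on the left half via F(right, K_i), then swap the halves
        left, right = right, left ^ round_function(right, k)
    # undo the swap after the last round (as DES does) so the same code decrypts
    return (right << 32) | left


def feistel_encrypt(block: int, key: int, rounds: int = 16) -> int:
    return _rounds(block & MASK64, subkeys(key, rounds))


def feistel_decrypt(block: int, key: int, rounds: int = 16) -> int:
    """Same rounds, subkeys in reverse order."""
    return _rounds(block & MASK64, list(reversed(subkeys(key, rounds))))


if __name__ == "__main__":
    block, key = 0x0123456789ABCDEF, 0x133457799BBCDFF1   # constructed sample values
    ct = feistel_encrypt(block, key)
    print(hex(ct), hex(feistel_decrypt(ct, key)))
```

Tracing one round backwards shows why this works: decryption starts from (R_n, L_n), and since R_n = L_{n-1} XOR F(R_{n-1}, K_n) with L_n = R_{n-1}, applying F with the same K_n and XORing cancels the term and restores L_{n-1}. The strength of a real Feistel cipher therefore lies entirely in F, the key schedule and the number of rounds, not in the network itself.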