Chameli Devi Group of Institutions
Department of Information Technology
Subject Name: Information Security Subject Code: IT 801
Subject Notes
Syllabus:
Introduction: Fundamental Principles of Information Security- Confidentiality, Availability, Integrity, Non-
Repudiation, The OSI Security Architecture, Security Attacks, Security Services, Security Mechanisms, a
Model for Network Security; Classical Encryption Techniques: Symmetric Cipher Model, Substitution
Techniques, Transposition Techniques, Steganography.
__________________________________________________________________________________________
Course Objectives:
The objective of this course is to familiarize the students with the fundamentals of information security and
the methods used in protecting both the information present in computer storage as well as information
traveling over computer networks.
__________________________________________________________________________________________
Unit-I
Fundamental Principles of Information Security- Confidentiality, Availability, Integrity
Principles of Information Security are depending upon Confidentiality, Availability, and Integrity while it may
vary depending on the organization, information can be classified according to the following standard:
Public: The Information in this class is openly available to the public and does not require special handling.
Internal: This is data shared within the organization, and should not be disclosed outside the organization. It
will likely have some level of access control applied to it.
Confidential: This can constitute general information about a client and will have access control in place so
that only a specific audience has access.
Special Confidential: The information in this class is not only confidential but has a still higher degree of
sensitivity around whom and how it’s accessed. There are three fundamental principles unpinning
information security, or 3 lenses to look at information security through. They are the CIA Triad of information
security, and they are confidentiality, integrity, and availability. The CIA triad is a well-known model for
security policy development, used to identify problem areas and solutions for information security.
Figure 1.1: Fundamentals of Information Security
Confidentiality
Confidentiality is about privacy. The purpose of this principle is to keep information hidden and make it only
accessible to people that is authorized to access it. For example, medical history is something want to be kept
private and only a few people, such as the doctor should have access to it. Typically some method of
Chameli Devi Group of Institutions
Department of Information Technology
encryption and strict access control is utilized to help ensure information is kept confidential. Even with
encryption though, confidentiality can be easily breached. For example, a doctor calls by any full name in the
reception area of a medical clinic. If full name of any person is considered confidential. So this can be a breach
of confidentiality. Each employee in an organization must be aware of their responsibilities in maintaining the
confidentiality of the information they have access to.
Integrity
Integrity refers to the accuracy and the reliability of data or information in the system. One of the things that
hackers attempt to do makes unauthorized modifications or changes to data stored in a system. For example,
a hacking attack happens on an e-commerce website and the hacker modifies the shipping postal code. The
integrity of the banking records has been compromised. Corrupting data integrity isn’t limited to malicious
attacks. More often it happens very accidentally, users of an information system can simply make a mistake.
For example, a database administrator is making a bulk update to an employee registry but mistakenly
updates the wrong registry. The accuracy and reliability of the information have been corrupted and therefore
the integrity has been compromised.
Availability
Availability is the accessibility of information. This means that the people with authorization have access to
information when they need it. The most common example of this is an interruption in an authorized users
access to information. One cause of interruption that most people are familiar with would be when a hacker
“takes down” a website with a DDoS attack. Like confidentiality and integrity, interruptions in availability can
happen without any intention of harming. For example, a cloud-based service like Amazon Web Services
(AWS) can experience technical outages that impact the availability of information systems using the platform.
Other concerns can include power outages and natural disasters.
Non Repudiation in IS
Non-repudiation is the assurance that someone cannot deny the validity of something. Non-repudiation is a
legal concept that is widely used in information security and refers to a service, which provides proof of the
origin of data and the integrity of the data. In other words, non-repudiation makes it very difficult to
successfully deny who/where a message came from as well as the authenticity and integrity of that message.
Figure 1.2: Non Repudiation in IS
Chameli Devi Group of Institutions
Department of Information Technology
Digital signatures can offer non-repudiation when it comes to online transactions, where it is crucial to ensure
that a party to a contract or a communication can't deny the authenticity of their signature on a document or
send the communication in the first place. In this context, non-repudiation refers to the ability to ensure that a
party to a contract or communication must accept the authenticity of their signature on a document or the
sending of a message.
The OSI Security Architecture
To assess effectively the security needs of an organization and to evaluate and choose various security
products and policies, the manager responsible for security needs some systematic way of defining the
requirements for security and characterizing the approaches to satisfying those requirements. This is difficult
enough in a centralized data processing environment with the use of local and wide area networks, the
problems are compounded.
ITU-T Recommendation of X.800, Security Architecture for OSI, defines such a systematic approach. The OSI
security architecture is useful to managers as a way of organizing the task of providing security. Because this
architecture was developed as an international standard, computer and communications vendors have
developed security features for their products and services that relate to this structured definition of services
and mechanisms. The International Telecommunication Union (ITU) Telecommunication Standardization
Sector (ITU-T) is a United Nations-sponsored agency that develops standards, called Recommendations,
relating to telecommunications and to open systems interconnection (OSI). The OSI security architecture was
developed in the context of the OSI protocol architecture.
Figure 1.3: The OSI Security Architecture
The OSI security architecture focuses on security attacks, mechanisms, and services. These can be defined
briefly as follows:
Security attack: Any action that compromises the security of information owned by an organization.
Security mechanism: A process (or a device incorporating such a process) that is designed to detect,
prevent, or recover from a security attack.
Security service: A processing or communication service that enhances the security of the data
processing systems and the information transfers of an organization. The services are intended to
counter security attacks, and they make use of one or more security mechanisms to provide the
service.
Chameli Devi Group of Institutions
Department of Information Technology
Security Attacks:
Active and Passive attacks in Information Security
Active attacks: An active attack attempts to alter system resources or affect their operations. Active attacks
involve some modification of the data stream or the creation of false statements. Types of active attacks are
as follows:
Masquerade
A masquerade attack takes place when one entity pretends to be a different entity. A Masquerade
attack involves one of the other forms of active attacks.
Figure 1.4: Masquerade attack
Modification of messages
It means that some portion of a message is altered or that message is delayed or reordered to produce an
unauthorized effect. For example, a message meaning “Allow the person to read confidential file X” is
modified as “Allow Smith to read confidential file X”.
Figure 1.5: Modification of messages
Repudiation
This attack is done by either sender or receiver. The sender or receiver can deny later that he/she has
sent or received a message. For example, a customer asks his bank “To transfer an amount to
Chameli Devi Group of Institutions
Department of Information Technology
someone” and later on the sender (customer) denies that he had made such a request. This is
repudiation.
Replay
It involves the passive capture of a message and its subsequent transmission to produce an authorized
effect.
Figure 1.6: Reply of messages
Denial of Service
It prevents the normal use of communication facilities. This attack may have a specific target. For example, an
entity may suppress all messages directed to a particular destination. Another form of service denial is the
disruption of entire networks by disabling the network or by overloading it with messages to degrade
performance.
Passive attacks: A passive attack attempts to learn or make use of information from the system but does not
affect system resources. Passive Attacks are like eavesdropping on or monitoring transmission. The goal of the
opponent is to obtain information that is being transmitted.
The release of message content
Telephonic conversation, an electronic mail message, or a transferred file may contain sensitive or
confidential information and prevent an opponent from learning the contents of these transmissions.
Figure 1.7: The release of message content
Chameli Devi Group of Institutions
Department of Information Technology
Traffic analysis
Way of masking (encryption) of information that the attacker even if captured the message could not
extract any information from the message. The opponent could determine the location and identity of
communicating host and could observe the frequency and length of messages being exchanged. This
information might be useful in guessing the nature of the communication that was taking place.
Security Services and Security Mechanisms
Security service is a service that enhances the security of data processing systems and information transfers a
security service makes use of one or more security mechanisms.
Figure 1.8: Security Services
Authentication: Assures recipient that the message is from the source that it claims to be from.
Access Control: Controls that can have access to resource.
Availability: available to authorized entities for 24/7.
Confidentiality: information is not made available to unauthorized individual.
Integrity: assurance that the message is unaltered.
Non-Repudiation: protection against denial of sending or receiving in the communication.
Security Mechanisms:
Security mechanism is a mechanism that is designed to detect, prevent, or recover from a security attack.
Types of Security Mechanism are:
1. Encipherment:
This security mechanism deals with hiding and covering of data which helps data to become confidential. It is
achieved by applying mathematical calculations or algorithms which reconstruct information into not readable
form. It is achieved by two famous techniques named Cryptography and Encipherment. Level of data
encryption is dependent on the algorithm used for encipherment.
Chameli Devi Group of Institutions
Department of Information Technology
2. Access Control:
This mechanism is used to stop unattended access to data . It can be achieved by various techniques such as
applying passwords, using firewall, or just by adding PIN to data.
3. Notarization:
This security mechanism involves use of trusted third party in communication. It acts as mediator between
sender and receiver so that if any chance of conflict is reduced. This mediator keeps record of requests made
by sender to receiver for later denied.
4. Data Integrity:
This security mechanism is used by appending value to data to which is created by data itself. It is similar to
sending packet of information known to both sending and receiving parties and checked before and after data
is received. When this packet or data which is appended is checked and is the same while sending and
receiving data integrity is maintained.
5. Authentication exchange:
This security mechanism deals with identity to be known in communication. This is achieved at the TCP/IP
layer where two-way handshaking mechanism is used to ensure data is sent or not.
6. Bit stuffing:
This security mechanism is used to add some extra bits into data which is being transmitted. It helps data to
be checked at the receiving end and is achieved by even parity or Odd Parity.
7. Digital Signature:
This security mechanism is achieved by adding digital data that is not visible to eyes. It is form of electronic
signature which is added by sender which is checked by receiver electronically. This mechanism is used to
preserve data which is not more confidential but sender’s identity is to be notified.
Chameli Devi Group of Institutions
Department of Information Technology
Figure 1.9: Security Mechanisms
Relation between security services and mechanisms
Table1.1: Relation between security services and mechanisms
A Model for Network Security
When send any data from source side to destination side have to use some transfer method like the internet
or any other communication channel by which they are able to send our message. The two parties, who are
the principals in this transaction, must cooperate for the exchange to take place. When the transfer of data
happened from one source to another source some logical information channel is established between them
by defining a route through the internet from source to destination and by the cooperative use of
communication protocols (e.g., TCP/IP) by the two principals. Use of protocol for this logical information
channel the main aspect security has come. Who may present a threat to confidentiality, authenticity, and so
on .All the technique for providing security have to components:
1. A security-related transformation on the information to be sent.
Chameli Devi Group of Institutions
Department of Information Technology
2. Some secret information was shared by the two principals and, it is hoped, unknown to the
Opponent.
A trusted third party may be needed to achieve secure transmission. For example, a third party may be
responsible for distributing the secret information to the two principals while keeping it from any opponent.
Or a third party may be needed to arbitrate disputes between the two principals concerning the authenticity
of a message transmission.
This model shows that there are four basic tasks in designing a particular security service:
1. Design an algorithm for performing the security-related transformation.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of secret information.
4. Specify a protocol to be used by the two principals that make use of the security algorithm and the
secret information to achieve a particular security service.
Symmetric Cipher Model
Symmetric Cipher Model: (uses a single secret key for both encryption & decryption)
Figure1.10: Symmetric Cipher Model
Where,
K= Secret Key
X = Plaintext/Message
Ciphertext Y = E(X,K)
Decrypted/Plaintext X = D(Y,K)
A symmetric encryption scheme has five components:
Plaintext: This is the original intelligible message or data that is fed into the algorithm as input.
Chameli Devi Group of Institutions
Department of Information Technology
Encryption algorithm: The encryption algorithm performs various substitutions and transformations on the
plaintext.
Secret key: The secret key is also input into the encryption algorithm. The key is a value independent of the
plaintext and the algorithm. The algorithm will produce a different output depending on the specific key being
used at the time. The exact substitutions and transformations performed by the algorithm depend on the key.
Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the secret key.
For a given message, two different keys will produce two different ciphertexts. The ciphertext is a random
stream of data and, as it stands, is unintelligible.
Decryption algorithm: This is essentially the encryption algorithm run in reverse. It takes the ciphertext and
the secret key and produces the original plaintext.
Types of Substitution Techniques
1. Mono-alphabetic Cipher:
Predictability of Caesar Cipher was its weakness once any key replacement of a single alphabet is known then,
the whole message can decipher and almost 25 attempts are required to break it. In this technique, simply
substitute any random key for each alphabet letter, that is 'A' can be being replaced with any letters from B to
Z and 'B' can be changed to the rest of the alphabets but itself and so on. Let's say substitute A with E that
doesn't mean that B will be replaced by F. Mathematically, have 26 alphabet permutations which mean (26 x
25 x 24 x...2) which is about 4 x 1026 possibilities.
There is only one problem with it and that is a short text created using this technique, a crypto analyst can try
different attacks solely based on her knowledge of the English language. English analysts found that the
probability of occurrence of the letter P is 13.33% which highest followed by Z with 11.67% and the
occurrence of letters like C, K, L, N, or R is negligible. A cryptanalyst can try various alphabets in place of the
cipher-text alphabet or she can look for repeated patterns of the word for is example word 'to' or 'is' occur
frequently in English so she can try replacing all the T's and O's from the cipher-text and deduce further to
three letter words like 'the', 'and' and so on.
2. Homophonic Substitution Cipher:
The Homophonic Substitution cipher is a substitution cipher in which single plaintext letters can be replaced
by any of several different ciphertext letters. They are generally much more difficult to break than standard
substitution ciphers. In case of Homophonic Substitution, map an alphabet with a set of fixed keys (more than
one key). For instance, A can be replaced with H, J, O, P and B will replace with any of the following inspite of
A's key set D, I, W, Z etc.
3. Polygram Substitution Cipher:
In Polygram substitution cipher, instead of replacing one plain-text alphabet simply replace a block of the
word with another block of a word. For example, 'INCLUDEHELP' will change to 'WDSAEQTGTAI' whereas
'HELP' will replace 'RYCV'. This is true that the last four letters are the same but still different in both words.
Chameli Devi Group of Institutions
Department of Information Technology
Figure1.11: Polygram substitution cipher
4. Polyalphabetic Substitution Cipher:
Poly alphabetic Substitution cipher was introduced by Leon Battista in the year 1568, and its prominent
examples are the Vigenère cipher and Beaufort cipher.
Use multiple one-character keys, each key encrypts one plain-text character. This first key encrypts the first
plain-text character, the second key encrypt the second plain-text character, and so on, after all, keys are used
then they are recycled. If 50 one-letter keys, every 50th character in the plain text would be placed with the
same key and this number (in our case, 50) is the period of the cipher.
The key points of the polyalphabetic substation cipher are the following:
a. It uses a set of related mono-alphabetic substitution rules.
b. The rule used for transformations is determined by the key it uses.
Transposition Techniques
Transposition technique is an encryption method that is achieved by performing permutation over the plain
text. Mapping plain text into ciphertext using the transposition technique is called transposition cipher. Will
discuss variations of transposition technique, and will also observe how the transposition technique is
different from the substitution technique. On the one hand, the substitution technique substitutes a plain text
symbol with a ciphertext symbol. On the other hand, the transposition technique executes permutation on the
plain text to obtain the ciphertext.
Transposition Techniques are :
1. Rail Fence Transposition
2. Columnar Transposition
3. Improved Columnar Transposition
4. Book Cipher/Running Key Cipher
Rail Fence Cipher
The rail fence cipher is the simplest transposition cipher. The steps to obtain cipher text using this technique
are as follow:
Chameli Devi Group of Institutions
Department of Information Technology
Step 1: The plain text is written as a sequence of diagonals.
Step 2: Then, to obtain the ciphertext the text is read as a sequence of rows.
Plain Text: meet me Tomorrow
Now, will write this plain text sequence wise in a diagonal form as can see below:
Looking at the image,would get it why it got named rail fence because it appears like the rail fence.
Once have written the message as a sequence of diagonals, to obtain the ciphertext out of it have to read it as
a sequence of rows. So, reading the first row the first half of ciphertext will be:
memtmro
reading the second row of the rail fence,will get the second half of the ciphertext:
eteoorw
Now, to obtain the complete ciphertext combine both the halves of ciphertext and the complete ciphertext
will be:
Cipher Text: M E M T M R O E T E O O R W
Rail fence cipher is easy to implement and even easy for a cryptanalyst to break this technique. So, there was a
need for a more complex technique.
Columnar Transposition Technique
The columnar transposition cipher is more complex as compared to the rail fence. The steps to obtain
ciphertext using this technique are as follow:
Step 1: The plain text is written in the rectangular matrix of the initially defined size in a row by row pattern.
Step 2: To obtain the ciphertext read the text written in a rectangular matrix column by column. But have to
permute the order of column before reading it column by column. The obtained message is the ciphertext
message.
To understand the columnar transposition let us take an example:
Plain text: meet Tomorrow
Chameli Devi Group of Institutions
Department of Information Technology
Now, put the plain text in the rectangle of a predefined size. For our example, the predefined size of the
rectangle would be 3×4. As can see in the image below the plain text is placed in the rectangle of 3×4. And
have also permuted the order of the column.
Now, to obtain the ciphertext have to read the plain text column by column as the sequence of permuted
column order. So, the ciphertext obtained by the columnar transposition technique in this example is:
Cipher Text: MTREOREMOTOW.
Similar to the rail fence cipher, the columnar cipher can be easily broken. The cryptanalyst only has to try a
few permutations and combinations over the order of columns to obtain the permuted order of column and
get the original message. So, a more sophisticated technique was required to strengthen the encryption.
Columnar Transposition Technique with Multiple Rounds
It is similar to the basic columnar technique but is introduced with an improvement. The basic columnar
technique is performed over the plain text but more than once. The steps for columnar technique with
multiple rounds are as follow:
Step 1: The plain text is written in the rectangle of predetermined size row by row.
Step 2: To obtain the ciphertext, read the plain text in the rectangle, column by column. Before reading the
text in rectangle column by column, permute the order of columns the same as in the basic columnar
technique.
Step 3: To obtain the final ciphertext repeat the steps above multiple times.
Let us discuss one example of a columnar transposition technique for better understanding. Will consider the
same example of a basic columnar technique which will help in understanding the complexity of the method:
Plain Text: meet Tomorrow
Let us put this plain text in the rectangle of predefined size of 3×4. Proceeding with the next step, the order of
the columns of the matrix is permuted as can see in the image below:
Chameli Devi Group of Institutions
Department of Information Technology
Now after the first round the ciphertext obtained is as follow:
Cipher Text round 1: MTREOREMOTOW
Now, again have to put the ciphertext of round 1 in the rectangle of size 3×4 row by row and permute the
order of columns before reading the ciphertext for round 2. In the second round, the permuted order of the
column is 2, 3, 1, 4.
So, the obtained ciphertext for round 2 is MOOTRTREOEMW. In this way, can perform as many iterations as
required. Increasing the number of iterations increases the complexity of the techniques.
Book Cipher or Running Key Cipher
The book cipher or the running key cipher works on the basic principle of a one-time pad cipher. In onetime
pad cipher, the key is taken as long as the plain text and is discarded after use. Every time a new key is taken
for a new message.
The improvement to the onetime pad in Book cipher is that the key or the onetime pad is taken from the
book. Let us discuss the steps:
Step 1: Convert the plain text in numeric form consider A=0, B=1, C=3 …, Z=25
Step 2: Take a one-time pad or key from any of the books and convert it into numeric form also. But the key
must be as long as the length of plain text.
Step 3: Now add the numeric form of both plain text and key, each plain text letter with corresponding key
text letter. If the addition of any plain text letter with a corresponding key text letter is >26, then subtract it
with 26.
Let us understand with the example:
Plain text: Meet Tomorrow
Key is taken from the book: ANENCRYPTION.
Chameli Devi Group of Institutions
Department of Information Technology
Now have to convert this plain text and key text in numeric form and add them to get ciphertext as shown in
the image below:
The ciphertext obtained is MRIGVFKDKZDJ.
Steganography
Steganography is the art of concealing information. In computer science, it refers to hiding data within a
message or file. It serves a similar purpose to cryptography, but instead of encrypting data, steganography
simply hides it from the user. Invisible ink is an example of steganography that is unrelated to computers.
A person can write a message with clear or "invisible" ink that can only be seen when another ink or liquid is
applied to the paper. Similarly, in digital steganography, the goal is to hide information from users except
those who are meant to see or hear it.
Digital steganography usually involves hiding data inside innocuous files such as images, videos, and audio.
Digital steganography is one of the important components in the toolboxes of spies and malicious hackers, as
well as human rights activists and political dissidents. Steganography is the use of various methods to hide
information from unwanted eyes.
In ancient times, steganography was mostly done physically. In the centuries that followed, more modern
forms of steganography were invented, such as invisible inks. Today, steganography has moved to the digital
world. “Steganography by definition is the hiding of one file within another,” says Ira Winkler, lead security
principal at Trustwave. Steganography works by hiding information in a way that doesn’t arouse suspicion.
One of the most popular techniques is 'least significant bit (LSB) steganography. In this type of steganography,
the information hider embeds the secret information in the least significant bits of a media file.
For instance, in an image file each pixel is comprised of three bytes of data corresponding to the colors red,
green, and blue (some image formats allocate an additional fourth byte to transparency, or ‘alpha’). LSB
steganography changes the last bit of each of those bytes to hide one bit of data. So, to hide one megabyte of
data using this method, need an eight-megabyte image file. Since modifying the last bit of the pixel value
doesn’t result in a visually perceptible change to the picture, a person viewing the original and the
steganographically modified images won’t be able to tell the difference.