LECTURE NOTES

III YEAR / 5th SEM

CW3551 DATA AND INFORMATION SECURITY

(R-2021)
UNIT- 1

ABDUL KAREEM.D (Asst.Prof-AI & DS)

----------------------------------------------------------------------------------------------

GRT INSTITUTE OF ENGINEERING AND TECHNOLOGY

(An Autonomous Institution)
GRT MAHALAKSHMI NAGAR
TIRUTTANI – 631 209.
CW3551 DATA AND INFORMATION SECURITY LTPC
3003
COURSE OBJECTIVES:
• To understand the basics of Information Security
• To know the legal, ethical and professional issues in Information Security
• To equip the students’ knowledge on digital signature, email security and web security

UNIT I INTRODUCTION 9
History, What is Information Security?, Critical Characteristics of Information, NSTISSC Security Model,
Components of an Information System, Securing the Components, Balancing Security and Access, The
SDLC, The Security SDLC

UNIT II SECURITY INVESTIGATION 9

Need for Security, Business Needs, Threats, Attacks, Legal, Ethical and Professional Issues - An Overview
of Computer Security - Access Control Matrix, Policy-Security policies, Confidentiality policies, Integrity
policies and Hybrid policies

UNIT III DIGITAL SIGNATURE AND AUTHENTICATION 9

Digital Signature and Authentication Schemes: Digital signature-Digital Signature Schemes and their
Variants- Digital Signature Standards-Authentication: Overview- Requirements Protocols - Applications -
Kerberos -X.509 Directory Services

UNIT IV E-MAIL AND IP SECURITY 9

E-mail and IP Security: Electronic mail security: Email Architecture -PGP – Operational Descriptions- Key
management- Trust Model- S/MIME.IP Security: Overview- Architecture - ESP, AH Protocols IPSec
Modes – Security association - Key management.

UNIT V WEB SECURITY 9

Web Security: Requirements- Secure Sockets Layer- Objectives-Layers -SSL secure communication-
Protocols - Transport Level Security. Secure Electronic Transaction- Entities DS Verification-SET
processing.
TOTAL: 45 PERIODS
COURSE OUTCOMES:
Upon successful completion of this course, students will be able to:
CO1: Understand the basics of data and information security
CO2: Understand the legal, ethical and professional issues in information security
CO3: Understand the various authentication schemes to simulate different applications.
CO4: Understand various security practices and system security standards
CO5: Understand the Web security protocols for E-Commerce applications

TEXT BOOKS:
1. Michael E Whitman and Herbert J Mattord, “Principles of Information Security, Course Technology,
6th Edition, 2017.
2. Stallings William. Cryptography and Network Security: Principles and Practice, Seventh Edition,
Pearson Education, 2017.
REFERENCES
1. Harold F. Tipton, Micki Krause Nozaki,, “Information Security Management Handbook, Volume 6, 6th Edition,
2016.
2. Stuart McClure, Joel Scrambray, George Kurtz, “Hacking Exposed”, McGraw- Hill, Seventh Edition, 2012.
3. Matt Bishop, “Computer Security Art and Science, Addison Wesley Reprint Edition, 2015.
Behrouz A Forouzan, Debdeep Mukhopadhyay, Cryptography And network security, 3rd Edition, . McGraw-Hill
Education, 2015.
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

UNIT I INTRODUCTION 9
History, What is Information Security?, Critical Characteristics of
Information, NSTISSC Security Model, Components of an Information
System, Securing the Components, Balancing Security and Access, The
SDLC, The Security SDLC

1.1 HISTORY
Ancient and Early Methods
 Ancient Civilizations: Early methods of safeguarding information included
physical security measures like locked rooms and guarded scrolls. For
example, ancient Egyptians used complex hieroglyphics (one of the earliest
known writing systems) to protect the secrecy of their records.
Early 20th Century
 1920s-1930s: With the advent of early computing and communication
technologies, the need for securing information became more pronounced.
The development of the telegraph and telephone systems introduced new
vulnerabilities.
 1940s-1950s: During World War II, cryptography became crucial. The
Allies' use of code breaking (e.g., the work of Alan Turing and the Enigma
machine) highlighted the importance of protecting information from
unauthorized access.

Birth of Modern Computer Security

 1960s: The concept of computer security began to emerge with the
development of early mainframe computers. Researchers at institutions like
MIT started exploring ways to protect these systems from unauthorized
access.
 1970s: The advent of the ARPANET, a precursor to the internet, introduced
new security challenges.

Early Information Security Industry

 1980s: The growing use of personal computers and networks led to

increased attention to data security. The development of antivirus software
and firewalls began during this period. The first computer worm, the Morris
Worm, in 1988 highlighted vulnerabilities in networked systems.

 1990s: The rise of the internet brought about new security challenges. The
development of encryption standards, such as RSA (Rivest-Shamir-
Adleman – A widely used encryption and digital signature algorithm)
and the establishment of SSL/TLS (Secure Sockets Layer/Transport Layer
Security) protocols, became crucial for securing online communications.

 1999: The publication of the "Information Security Management

Standards" by the International Organization for Standardization (ISO
27001) marked an important step in establishing formal information
security practices.

1
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Modern Era
 2000s: The threat landscape evolved with the proliferation of cybercrime
and sophisticated attacks, including the rise of identity theft and data
breaches. Legislation like the Sarbanes-Oxley Act (SOX) in 2002 and the
Health Insurance Portability and Accountability Act (HIPAA) in the U.S.
introduced stricter requirements for data protection.

 2010s: Major data breaches and high-profile cyber attacks became more
common, prompting increased investment in cyber security. The General
Data Protection Regulation (GDPR) was introduced by the European
Union in 2018, setting new standards for data privacy and protection.

Recent Developments
 2020s: The cyber security landscape continues to evolve with advances in
Artificial Intelligence, Machine Learning, and Quantum Computing.
Cyber threats have become more sophisticated, with an increase in
ransomware attacks, nation-state espionage, and Advanced Persistent
Threats (APTs).

1.2 WHAT IS INFORMATION SECURITY?

What is Security?

Information security protects sensitive information from unauthorized activities,

including inspection, modification, recording, and any disruption or destruction.
The goal is to ensure the safety and privacy of critical data such as customer
account details, financial data or intellectual property.

Information Technology (IT) includes computers and everything that can be done
with them. IT security is focused on protecting these computers, networks, and
other digital systems against cyber attacks and other threats.

Data Security Best Practices:

 Regularly Update Systems: Keep software and systems up-to-date with

the latest security patches.
 Use Strong Passwords: Implement strong, unique passwords and consider
using Multi-Factor Authentication (MFA).
 Implement Least Privilege: Grant users the minimum level of access
necessary to perform their job functions.
 Secure Physical Access: Protect physical access to systems and data
storage to prevent unauthorized access.
 Regular Audits and Assessments: Perform regular security audits and
vulnerability assessments to identify and address potential weaknesses.
2
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Types of Security

o Physical security, which encompasses strategies to protect people, physical

assets, and the workplace from various threats including fire, unauthorized
access, or natural disasters

o Personal security, which overlaps with physical security in the protection of

the people within the organization

o Operations security, which focuses on securing the organization’s ability to

carry out its operational activities without interruption or compromise

o Communications security, which encompasses the protection of an

organization’s communications media, technology, and content, and its ability
to use these tools to achieve the organization’s objectives

o Network security, which addresses the protection of an organization’s data

networking devices, connections, and contents, and the ability to use that
network to accomplish the organization’s data communication functions

o Information security includes the broad areas of information security

management, computer and data security, and network security.

Infromation Security

Information security is a critical field focused on protecting data from

unauthorized access, disclosure, modification, or destruction. It
encompasses various practices and technologies designed to safeguard
information integrity, confidentiality, and availability. Here’s a broad overview:

3
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Information security Key Concepts:

1. Confidentiality: Ensures that information is only accessible to those who

have the proper authorization. Techniques include encryption, access
controls, and secure communication channels.
2. Integrity: Ensures that information remains accurate and unaltered
during storage, transmission, and processing. Measures include hashing,
checksums, and digital signatures.
3. Availability: Ensures that information and resources are available to
authorized users when needed. This involves implementing redundancy,
failover systems, and disaster recovery plans.

Core Principles:

 Authentication: Verifying the identity of users or systems. Common

methods include passwords, biometrics, and Multi-Factor Authentication
(MFA).
 Authorization: Determining what an authenticated user or system is
allowed to do. This often involves permissions and roles.
 Accounting/Logging: Tracking user actions and system activities to detect
and respond to potential security incidents.
 Non-repudiation: Ensuring that once a transaction or action is performed,
the entity involved cannot deny having performed it. This is often achieved
through audit trails and digital signatures.

Common Threats:
 Malware: Software designed to harm or exploit systems, such as viruses,
worms, and ransomware.
 Phishing: Attempts to deceive individuals into divulging sensitive
information or downloading malicious software.
 Insider Threats: Risks posed by individuals within the organization who
may misuse their access.
 Denial of Service (DoS): Attacks aimed at disrupting service availability by
overwhelming systems or networks.

Ransomware is a type of malware that permanently blocks access to the

victim's personal data unless a "ransom" is paid. While some simple
ransomware may lock the system without damaging any files, more
advanced malware uses a technique called crypto viral extortion.

Security Measures:
 Firewalls: Network security devices that monitor and control incoming and
outgoing traffic based on predetermined security rules.
 Intrusion Detection Systems (IDS): Tools that detect unauthorized access
or abnormal behavior within a network.
 Encryption: The process of converting data into a code to prevent
unauthorized access. Examples include AES and RSA algorithms.
 Patch Management: Regularly updating software to fix vulnerabilities and
improve security.
 Security Policies: Formalized rules and procedures designed to protect an
organization’s information assets.
4
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Compliance and Standards:

Various regulations and standards guide information security practices,

including:
 General Data Protection Regulation (GDPR): European Union regulation
focusing on data protection and privacy.
 Health Insurance Portability and Accountability Act (HIPAA): U.S.
regulation that protects sensitive patient health information.
 ISO/IEC 27001: An international standard for information security
management systems (ISMS).
 Payment Card Industry Data Security Standard (PCI DSS): A set of
requirements designed to ensure secure handling of credit card
information.
Information security is an ever-evolving field, requiring constant vigilance and
adaptation to new threats and technologies.

Importance Of Information Security

The term virus (Vital Information Resources Under Siege) refers to a type of malicious
software program designed to replicate itself and spread to other systems.

Understanding Computer Viruses:

 Definition: A computer virus is a type of malware that attaches itself to
legitimate programs or files, and once executed, it can replicate and spread
to other files, programs, or systems.
 Behavior: Viruses can corrupt, delete, or steal data, and they often disrupt
the normal functioning of a computer or network.

Key Characteristics:

1. Self-Replication: Viruses can reproduce themselves and spread to other

files or systems without user intervention.
2. Activation: Viruses are typically activated when the infected file or
program is executed.
3. Infection Vectors: Viruses can spread through email attachments,
infected websites, or removable media like USB drives.
4. Payload: The virus may carry a payload that performs malicious actions,
such as deleting files, corrupting data, or creating backdoors for further
attacks.

5
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Types of Computer Viruses:

 File Infector Virus: Attaches itself to executable files and can spread when
these files are run.
 Macro Virus: Infects macro scripts in applications like Microsoft Word or
Excel and spreads when documents containing the infected macros are
shared.
 Boot Sector Virus: Infects the boot sector of a computer’s hard drive or
removable storage media, often making the system unbootable.
 Polymorphic Virus: Changes its code or appearance to evade
(escape/avoid) detection by antivirus software.
 Metamorphic Virus: Rewrites its own code to avoid detection and analysis,
making it harder for security software to identify.

Prevention and Protection:

 Antivirus Software: Regularly updated antivirus programs can detect and

remove viruses before they cause damage.
 Regular Updates: Keeping your operating system and applications updated
can close security vulnerabilities that viruses exploit.
 Safe Practices: Avoid opening unknown email attachments, downloading
files from untrusted sources, and use secure websites.

1.3 CRITICAL CHARACTERISTICS OF INFORMATION

The critical characteristics of information that are fundamental to its protection

and effective management are often referred to as the CIA triad—
CONFIDENTIALITY, INTEGRITY, and AVAILABILITY. These characteristics are
essential for ensuring that information remains secure and serves its intended
purpose. Here’s a closer look at each characteristic:

6
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Information Security components:

 CONFIDENTIALITY
 INTEGRITY
 AVAILABILITY

CIA Triangle

 The C.I.A. triangle - confidentiality, integrity, and availability - has

expanded into a more comprehensive list of critical characteristics of
information.
 At the heart of the study of information security is the concept of policy.
Policy, awareness, training, education, and technology are vital concepts
for the protection of information and for keeping information systems from
danger.

Information Security, often abbreviated as InfoSec, refers to the practices,

strategies, and measures used to protect information from unauthorized access,
disclosure, modification, destruction, or disruption.

7
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Core Principles of Information Security

1. Confidentiality

 Definition: Ensures that information is only accessible to those who are

authorized to view it.
 Importance: Protects sensitive data from unauthorized access and
disclosure, which can prevent data breaches and maintain privacy.
 Examples: Encrypting sensitive data, implementing strong access controls,
using secure communication channels.

2. Integrity

 Definition: Ensures that information is accurate and unaltered from its

original state during storage, processing, and transmission.
 Importance: Maintains the correctness and reliability of data, preventing
unauthorized modifications or corruption that could lead to misinformation
or errors.
 Examples: Using checksums, hashes, digital signatures, and version
control systems to verify data integrity.

3. Availability

 Definition: Ensures that information and resources are accessible to

authorized users when needed.
 Importance: Guarantees that information systems and services remain
operational and accessible, preventing downtime that could disrupt
business operations.
 Examples: Implementing redundancy, backup solutions, disaster recovery
plans, and load balancing to ensure system reliability.

Additional Characteristics

While the CIA triad covers the primary aspects, other characteristics are also
crucial in certain contexts:

4. Authenticity

 Definition: Verifies that information is genuine and comes from a

legitimate source.
 Importance: Ensures that users can trust the information and that it
hasn’t been tampered with or falsified.
 Examples: Digital signatures, authentication mechanisms, and certificates.

5. Non-repudiation

 Definition: Ensures that actions or transactions cannot be denied after

they have occurred.
 Importance: Provides proof of the origin, integrity, and authenticity of
data, which is essential for accountability and legal compliance.
 Examples: Audit trails, digital signatures, and logging mechanisms.
8
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

6. Privacy

 Definition: Refers to the protection of personal or sensitive data to prevent

unauthorized use or disclosure.
 Importance: Ensures compliance with legal and regulatory requirements,
and protects individual rights and personal data.
 Examples: Data anonymization, access controls, and privacy policies.

7. Reliability

 Definition: The consistency and dependability of information and systems

over time.
 Importance: Ensures that information systems perform as expected and
provide consistent results.
 Examples: Regular maintenance, system testing, and performance
monitoring.

8. Usability

 Definition: Ensures that information and systems are user-friendly and

accessible to authorized users.
 Importance: Balances security with ease of use, ensuring that security
measures do not overly hinder the user experience.
 Examples: Intuitive interfaces, user training, and support services.

9. Compliance

 Definition: Adherence to legal, regulatory, and contractual requirements

related to information handling and protection.
 Importance: Ensures that information management practices meet legal
and regulatory obligations, preventing legal issues and penalties.
 Measures: Implementation of policies and procedures aligned with relevant
regulations, such as GDPR, HIPAA, or SOX.

10. Accuracy

 Definition: The degree to which information correctly reflects the real-

world conditions or facts it represents.
 Importance: Ensures that decisions and actions based on information are
based on correct and reliable data.
 Measures: Data validation processes, error-checking mechanisms, and
verification procedures.

11. Traceability

 Definition: The ability to track the origin, movement, and changes to

information over time.
 Importance: Enables organizations to understand the history of
information, detect issues, and ensure accountability.
 Measures: Audit logs, version control, and change management processes.

9
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Importance of Information Security

1. Protects Sensitive Data: Information security measures help safeguard

personal, financial, and proprietary data from breaches and theft.
2. Maintains Trust: Effective security practices build trust with customers,
partners, and stakeholders by demonstrating a commitment to protecting
information.
3. Ensures Compliance: Many industries are subject to regulations and
standards that require specific security measures. Information security
helps organizations meet these compliance requirements.
4. Prevents Financial Loss: Security breaches can result in significant
financial losses due to fines, legal fees, and damage to reputation. Proper
information security helps mitigate these risks.
5. Supports Business Continuity: Information security practices ensure that
systems remain operational and data is protected, supporting
uninterrupted business operations even in the event of an incident.

1.3 NSTISSC SECURITY MODEL

The NSTISSC (National Security Telecommunications and Information

Systems Security Committee) model primarily aims to enhance the security
and integrity of national security-related telecommunications and information
systems.

NSTISSC objectives include:

1. Protecting Sensitive Information: Ensure the confidentiality, integrity,

and availability of sensitive and classified information transmitted over
telecommunications and processed within information systems.
2. Establishing Security Standards: Provide a set of standards and
guidelines for security practices to be followed by federal agencies and
organizations involved in national security.
3. Risk Management: Implement risk management processes to identify,
assess, and mitigate potential security threats and vulnerabilities that
could impact national security information systems.
4. Promoting Security Best Practices: Encourage the adoption of best
practices and security measures to safeguard information systems against
unauthorized access, data breaches, and other security incidents.
5. Facilitating Coordination: Foster coordination and cooperation among
federal agencies, private sector partners, and other stakeholders to ensure
a unified approach to information security.
6. Ensuring Compliance: Develop and enforce compliance requirements to
ensure that organizations adhere to established security policies and
procedures involved in national security.
7. Supporting Incident Response: Provide guidelines and frameworks for
responding to security incidents and breaches, including reporting,
investigation, and recovery processes.
8. Promoting Continuous Improvement: Encourage ongoing assessment
and enhancement of security measures and practices to adapt to evolving
threats and technological advancements.

10
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

 By achieving these objectives, the NSTISSC model aims to create a robust

security environment that protects national security information and
systems from a wide range of potential threats and vulnerabilities.
 The NSTISSC was a U.S. government body responsible for coordinating and
developing security policies and standards for national security systems.
 The 3 dimensions of each axis become a 3x3x3 cube with 27 cells
representing areas that must be addressed to secure today’s Information
systems.
 To ensure system security, each of the 27 cells must be properly addressed
during the security process.
 For example, the intersection between technology, Integrity & storage areas
requires a control or safeguard that addresses the need to use technology
to protect the Integrity of information while in storage.
 This NSTISSC model is designed to provide a structured approach to
safeguarding telecommunications and information systems vital to national
security.

Key benefits of NSTISSC:

 Comprehensive Security Framework
 Standardization and Consistency
 Enhanced Risk Management
 Improved Incident Response
 Increased Compliance
 Coordination and Collaboration
 Continuous Improvement
 Enhanced Security Awareness
 Structured Security Controls
 Risk Mitigation (the process of reducing or minimizing the severity, impact)

11
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Overview of the NSTISSC Security Model

1. Purpose and Scope

o Purpose: The NSTISSC Security Model was designed to establish a
comprehensive and standardized approach to information security
for national security systems, including government and military
communications.
o Scope: It covers various aspects of security, including the protection
of sensitive information, communication systems, and data handling.

2. Core Components The NSTISSC Security Model includes several key

components that define its approach to information security:
o Security Objectives: The model emphasizes the need to protect the
confidentiality, integrity, and availability of information. These
objectives align with the core principles of information security.
o Security Policies: It outlines policies and procedures for ensuring
that information systems are secure and that security measures are
consistently applied across national security systems.
o Security Controls: The model specifies various security controls and
practices that should be implemented to protect information systems
from threats and vulnerabilities.

3. Information Assurance and Security

o Information Assurance (IA): The NSTISSC model focuses on
ensuring that information systems are protected against
unauthorized access, misuse, or disruption. IA encompasses the
measures and practices necessary to achieve this level of protection.
o Security Measures: The model includes guidance on implementing
security measures such as encryption, access controls, and physical
security to safeguard information systems.

4. Integration with Other Standards

o Alignment with Other Frameworks: The NSTISSC Security Model is
designed to be compatible with other security frameworks and
standards, including those established by the National Institute of
Standards and Technology (NIST) and the International Organization
for Standardization (ISO).
o Standardization: The model promotes the use of standardized
security practices and controls to ensure consistency and
effectiveness in protecting national security systems.

5. Evolution and Legacy

o Evolution: While the NSTISSC Security Model laid the groundwork
for information security practices within national security systems,
its principles and guidelines have influenced the development of
subsequent security standards and models.
o Legacy: The model's emphasis on comprehensive security practices
and alignment with other standards has contributed to the broader
field of information security, influencing how organizations approach
and implement security measures.

12
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Key Security Principles in the NSTISSC Model

1. Confidentiality
o Protecting sensitive information from unauthorized access and
disclosure.
2. Integrity
o Ensuring the accuracy and reliability of information and preventing
unauthorized modifications.
3. Availability
o Ensuring that information systems are accessible to authorized users
when needed.
4. Authentication
o Verifying the identity of users and systems to ensure that only
authorized entities have access.
5. Accountability
o Maintaining records and logs to track access and changes to
information systems, supporting the ability to audit and investigate
security incidents.
6. Non-repudiation
o Ensuring that actions taken within the information system can be
traced back to the responsible parties, preventing denial of
involvement.

1.5 COMPONENTS OF AN INFORMATION SYSTEM ***

Explain the components of an information system. Also, enlighten about

balancing methodologies of information security and access. MAY 2024

13
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

1. Hardware
 Definition: The physical devices and equipment used in an information
system.
 Examples: Computers, servers, storage devices, networking equipment
(routers, switches), and input/output devices (keyboards, monitors,
printers).
2. Software
 Definition: The programs and applications that run on hardware and
perform tasks related to data processing and management.
 Categories:
o System Software: Operating systems (e.g., Windows, Linux, macOS)
and utility programs that manage hardware resources.
o Application Software: Programs that perform specific tasks for
users (e.g., word processors, spreadsheets, database management
systems).
3. Data
 Definition: Raw facts and figures that are processed into meaningful
information.
 Types:
o Structured Data: Organized in a predefined manner (e.g., databases,
spreadsheets).
o Unstructured Data: Not organized in a predefined format (e.g.,
emails, documents, multimedia files).
4. People
 Definition: Individuals who interact with the information system, including
users, IT professionals, and system administrators.
 Roles:
o End Users: People who use the system to perform tasks and make
decisions.
o IT Staff: Includes system administrators, network engineers, and
support personnel who maintain and manage the system.
5. Processes
 Definition: The procedures and workflows that define how data is
collected, processed, stored, and disseminated.
 Examples: Business processes, data entry procedures, information
retrieval methods, and reporting practices.
6. Networks
 Definition: The communication infrastructure that connects hardware
components and enables data exchange.
 Components:
o Local Area Network (LAN): Connects devices within a limited area
like an office.
o Wide Area Network (WAN): Connects devices over larger geographic
areas, including internet connectivity.
o Internet: The global network connecting millions of private, public,
academic, and government networks.
7. Databases
 Definition: Structured collections of data that are stored and managed to
facilitate efficient retrieval and management.

14
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

 Examples: Relational databases (e.g., MySQL, Oracle), NoSQL databases

(e.g., MongoDB, Cassandra), and data warehouses.

8. Security
 Definition: Measures and protocols implemented to protect the information
system from unauthorized access, data breaches, and other threats.
 Components:
o Access Control: Mechanisms to restrict who can access and modify
data.
o Encryption: Techniques to protect data by converting it into a secure
format.
o Firewalls and Antivirus Software: Tools to protect against external
threats and malware.

Integration of Components
 The effectiveness of an information system depends on the integration and
coordination of these components.
 Proper alignment of hardware, software, data, people, processes, and
security ensures that the system functions smoothly and meets the needs
of its users

Integration of Components
For an information system to function effectively, these components must work
together seamlessly:
 Hardware and Software: Hardware provides the platform for software
applications to run.
 Data and Procedures: Data is processed and managed according to
established procedures.
 People and Services: Users interact with the system and receive support
to maximize its effectiveness.
 Networks and Data: Networks facilitate the communication and transfer of
data between hardware and users.

Information security management comprises five key components:

1. Security Measures
2. Security Policies and Procedures
3. Physical And Environmental Protection
4. Monitoring Processes and Systems
5. Asset Management.
15
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

A methodology is crucial in the implementation of information security for

several reasons: MAY 2024

1. Structured Approach: A methodology provides a systematic framework for

addressing security concerns. It helps ensure that security measures are
applied in a consistent and organized manner, reducing the likelihood of
oversight and gaps.
2. Risk Management: A well-defined methodology helps in identifying,
assessing, and managing risks systematically. It guides organizations in
prioritizing security measures based on the potential impact and likelihood
of risks, allowing for more effective allocation of resources.
3. Compliance and Standards: Methodologies often align with industry
standards and regulatory requirements (e.g., ISO/IEC 27001, NIST, GDPR).
Adhering to established methodologies helps organizations meet
compliance requirements and demonstrate due diligence in protecting
sensitive information.
4. Efficiency: By following a structured methodology, organizations can
streamline their security processes, avoid redundant efforts, and ensure
that all necessary aspects of security are addressed. This improves overall
efficiency and effectiveness in implementing security measures.
5. Consistency: A methodology ensures consistency in security practices
across an organization. It helps standardize procedures, documentation,
and responses to security incidents, leading to more reliable and
predictable outcomes.
6. Continuous Improvement: Many security methodologies incorporate
feedback loops and continuous improvement principles. This helps
organizations regularly assess and enhance their security posture in
response to evolving threats and changes in technology.
7. Communication and Training: A clear methodology provides a common
framework that can be communicated across the organization. It facilitates
better training and awareness programs, ensuring that all employees
understand their roles and responsibilities in maintaining information
security.
8. Incident Response: In the event of a security incident, a predefined
methodology offers a clear response plan. This helps in managing and
mitigating the impact of the incident effectively and in a coordinated
manner.
16
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

1.6 SECURING THE COMPONENTS ***

Briefly, describe the approaches to information security implementation

MAY 2024

CEO - Chief Executive Officer

CFO - Chief Financial Officer
CIO - Chief Information Officer
COO - Chief Operating Officer
CISO - Chief Information Security Officers
VP - Vice President

DISCRETIONARY means freedom or authority to make decisions

17
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

The implementation of the security model has an important phase to be carried

out. In order to ensure the integrity of the security model, it can be designed
using two methods:

1. Bottom-Up Approach: The Company’s security model is applied by system

administrators or people who are working in network security or as cyber-
engineers. The main idea behind this approach is for individuals working in this
field of information systems to use their knowledge and experience in cyber
security to guarantee the design of a highly secure information security model.

 Key Advantages: An individual’s technical expertise in their field ensures

that every system vulnerability is addressed and that the security model is
able to counter any potential threats.

 Disadvantage:: Due to the lack of cooperation between senior managers

and relevant directives, it is often not suitable for the requirements and
strategies of the organization.

2. Top-Down Approach: This type of approach is initialized and initiated by the

executives of the organization.
 They formulate policies and outline the procedures to be followed.
 Determine the project’s priorities and expected results
 Determine liability for every action needed

Advantages of Top-Down Approach

 This approach looks at each department’s data and explores how it’s
connected to find vulnerabilities.
 Managers have the authority to issue company-wide instructions while
still allowing each person to play an integral part in keeping data safe
 Compared to an individual or department, a management-based approach
incorporates more available resources and a clearer overview of the
company’s assets and concerns.

Disadvantages of Top-Down Approach

o A top-down approach generally has more lasting power and efficacy than
a bottom-up approach because it makes data protection a company-wide
priority instead of placing all the responsibility on one person or team.
o Data vulnerabilities exist in all offices and departments, and each
situation is unique.
o The only way for an information security program to work is by getting
every manager, branch, department, and employee in agreement with a
company-wide plan.

Implementing information security effectively involves various approaches and

strategies to protect data, systems, and networks from threats and
vulnerabilities.

Here are key approaches to information security implementation:

18
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

1. Risk-Based Approach
Definition: Focuses on identifying, assessing, and prioritizing risks to implement
appropriate security measures.
Components:
 Risk Assessment: Identify potential threats, vulnerabilities, and the impact
of security incidents.
 Risk Mitigation: Implement controls to address identified risks based on
their severity and likelihood.
 Continuous Monitoring: Regularly review and update risk assessments
and mitigation strategies.
Benefits:
 Prioritizes security measures based on actual risks.
 Allocates resources efficiently to address the most critical threats.

2. Defense-in-Depth
Definition: Uses multiple layers of security controls to protect information
systems.
Components:
 Physical Security: Protects physical assets like servers and workstations.
 Network Security: Uses firewalls, intrusion detection systems (IDS), and
intrusion prevention systems (IPS).
 Application Security: Implements secure coding practices and application
firewalls.
 Data Security: Applies encryption, access controls, and data loss
prevention (DLP) measures.
 Operational Security: Includes procedures for secure operations and
incident response.
Benefits:
 Provides multiple layers of protection, reducing the likelihood of a single
point of failure.
 Enhances overall security posture by addressing different aspects of
security.

3. Policy-Based Approach
Definition: Establishes security policies and procedures to guide the protection
of information systems.
Components:
 Security Policies: Defines rules and guidelines for handling data and
managing security.
 Procedures: Specifies the steps to implement security policies, including
data protection and incident response.
 Compliance: Ensures adherence to regulatory requirements and industry
standards.
Benefits:
 Creates a structured framework for managing security.
 Ensures consistency and clarity in security practices.

4. Access Control
Definition: Manages who can access information and resources and under what
conditions.
19
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Components:
 Authentication: Verifies the identity of users (e.g., passwords, biometric
verification).
 Authorization: Determines what resources users are allowed to access and
what actions they can perform.
 Accountability: Tracks and logs user activities to monitor and audit
access.
Benefits:
 Prevents unauthorized access to sensitive information.
 Ensures that users have appropriate permissions for their roles.

5. Security Awareness and Training

Definition: Educates employees and users about security risks and best
practices.
Components:
 Training Programs: Provides regular training on security policies,
procedures, and threat awareness.
 Phishing Simulations: Tests employees’ ability to recognize phishing and
social engineering attacks.
 Awareness Campaigns: Promotes security best practices through ongoing
communications and resources.
Benefits:
 Reduces human error and improves security hygiene.
 Enhances the overall security culture within an organization.

6. Incident Response and Management

Definition: Prepares for and manages security incidents to minimize damage and
recovery time.
Components:
 Incident Response Plan: Defines procedures for detecting, responding to,
and recovering from security incidents.
 Incident Handling: Involves the steps taken during an incident, such as
containment, eradication, and recovery.
 Post-Incident Review: Analyzes incidents to identify lessons learned and
improve future responses.
Benefits:
 Ensures a quick and effective response to security breaches.
 Minimizes the impact and supports recovery efforts.

7. Security Audits and Compliance

Definition: Regularly evaluates security practices and ensures compliance with
regulations and standards.
Components:
 Security Audits: Conducts internal and external audits to assess the
effectiveness of security controls.
 Compliance Checks: Reviews adherence to legal, regulatory, and industry
standards (e.g., GDPR, HIPAA).
 Reporting and Documentation: Maintains records of audits, findings, and
corrective actions.

20
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Benefits:
 Identifies weaknesses and areas for improvement.
 Ensures that security practices meet regulatory and industry requirements.

8. Vulnerability Management
Definition: Identifies, assesses, and mitigates vulnerabilities in information
systems.
Components:
 Vulnerability Scanning: Regularly scans systems for known
vulnerabilities.
 Patch Management: Applies updates and patches to address
vulnerabilities.
 Penetration Testing: Simulates attacks to find weaknesses before they can
be exploited.
Benefits:
 Reduces the risk of exploitation by addressing vulnerabilities.
 Enhances system security through proactive measures.

9. Encryption and Data Protection

Definition: Secures data through encryption and other data protection
techniques.
Components:
 Data Encryption: Protects data in transit and at rest using cryptographic
techniques.
 Data Masking: Hides sensitive information in non-production
environments.
 Data Loss Prevention (DLP): Monitors and protects sensitive data from
unauthorized access and leakage.
Benefits:
 Protects data from unauthorized access and breaches.
 Ensures data confidentiality and integrity.

10. Business Continuity and Disaster Recovery

Definition: Plans and processes to ensure that critical business functions
continue during and after a disruption.
Components:
 Business Continuity Plan (BCP): Outlines how to maintain operations
during disruptions.
 Disaster Recovery Plan (DRP): Details procedures for recovering IT
systems and data after a disaster.
 Testing and Exercises: Regularly tests BCP and DRP to ensure
effectiveness.
Benefits:
 Minimizes downtime and operational impact during disruptions.
 Ensures quick recovery and continuity of business operations.

21
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Guide to securing each component of an information system:

Securing the components of an information system involves implementing

strategies and controls to protect each element from threats and vulnerabilities.

1. Securing Hardware

 Physical Security: Protect hardware from theft, damage, and unauthorized

access through:
o Access Controls: Restrict physical access to critical hardware (e.g.,
servers, data centers) using locks, biometric scanners, or security
guards.
o Environmental Controls: Ensure proper cooling, fire suppression,
and protection from natural disasters.
o Surveillance: Use cameras and monitoring systems to keep an eye
on physical access points.
 Hardware Encryption: Use hardware-based encryption solutions to protect
data at rest, such as self-encrypting drives (SEDs).
 Regular Maintenance: Perform regular checks and updates to ensure
hardware is functioning properly and securely.

2. Securing Software

 Update and Patch Management: Regularly update operating systems,

applications, and system software to fix vulnerabilities.
 Secure Coding Practices: Develop and test software using secure coding
practices to avoid common vulnerabilities like SQL injection or cross-site
scripting (XSS).
 Application Security: Use application firewalls, conduct regular security
assessments (e.g., penetration testing), and employ code review practices.

3. Securing Data

 Data Encryption:
o At-Rest: Encrypt data stored on disk drives, databases, and other
storage media.
o In-Transit: Use encryption protocols such as TLS/SSL to protect
data during transmission over networks.
 Access Controls: Implement role-based access controls (RBAC) and least
privilege principles to ensure only authorized individuals can access
sensitive data.
 Data Masking and Anonymization: Apply data masking or anonymization
techniques to protect sensitive information, especially in non-production
environments or for analytics.
 Backup and Recovery: Regularly back up data and test recovery processes
to ensure data can be restored in case of loss or corruption.

22
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

4. Securing People

 User Training and Awareness: Educate users about security best

practices, phishing attacks, and safe internet behavior.
 Authentication: Implement strong authentication methods, such as multi-
factor authentication (MFA), to ensure that only authorized users can
access systems.
 Role-Based Access Control: Assign access rights based on roles and
responsibilities to minimize exposure of sensitive information.

5. Securing Processes

 Security Policies: Develop and enforce comprehensive security policies

and procedures covering data handling, incident response, and system
usage.
 Change Management: Implement a formal change management process to
control and document changes to systems and software.
 Incident Response Plan: Establish and regularly update an incident
response plan to effectively manage and mitigate security incidents.

6. Securing Networks

 Firewalls: Deploy firewalls to filter and control incoming and outgoing

network traffic based on security rules.
 Intrusion Detection and Prevention Systems (IDPS): Use IDPS to detect
and respond to suspicious network activity.
 Network Segmentation: Divide the network into segments to limit the
spread of attacks and isolate sensitive data.
 VPNs: Use Virtual Private Networks (VPNs) to secure remote access to
network resources and protect data in transit.

7. Securing Databases

 Database Encryption: Encrypt sensitive data stored in databases both at

rest and in transit.
 Database Access Controls: Implement granular access controls and audit
logging to monitor database access and modifications.
 Regular Audits: Perform regular database security audits and vulnerability
assessments to identify and address potential weaknesses.

8. Securing Security Measures

 Security Updates: Ensure that security tools and software (e.g., antivirus,
intrusion detection systems) are regularly updated with the latest
definitions and patches.
 Configuration Management: Maintain secure configurations for all
security devices and software, following best practices and standards.
 Compliance and Regulations: Adhere to relevant security standards and
regulations (e.g., GDPR, HIPAA) to ensure that security measures meet
legal and regulatory requirements.

23
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Primary approaches to Information security implementation

Information security implementation can be approached from several angles to

ensure the Confidentiality, Integrity, And Availability of information. Here’s a
breakdown of the primary approaches:

1. Preventive Controls
These are designed to prevent security incidents before they occur. They include:
 Access Controls: Ensuring only authorized individuals have access to
systems and data. This involves authentication mechanisms like
passwords, multi-factor authentication (MFA), and biometric systems.
 Firewalls and Network Segmentation: Firewalls help to block
unauthorized access to network resources, while network segmentation
limits access within the network.
 Encryption: Encrypting data both in transit and at rest to protect it from
unauthorized access or tampering.
 Secure Software Development Practices: Implementing security at the
design phase of software development, such as code reviews, static
analysis, and secure coding practices.

2. Detective Controls
These are used to identify and detect security incidents and breaches. They
include:
 Intrusion Detection Systems (IDS) and Intrusion Prevention Systems
(IPS): Monitoring network traffic for signs of suspicious activity or attacks.
 Log Management and Analysis: Collecting and analyzing logs from various
systems to identify anomalies or potential security breaches.
 Security Information and Event Management (SIEM): Aggregating and
analyzing security data from across the organization to provide real-time
threat detection and response.

3. Corrective Controls
These are aimed at responding to and mitigating the impact of security incidents
after they occur. They include:
 Incident Response Plans: Procedures for responding to security breaches,
including containment, eradication, recovery, and lessons learned.
 Patch Management: Regularly updating and patching systems to fix
vulnerabilities and prevent exploitation.
 Disaster Recovery and Business Continuity Planning: Ensuring that the
organization can continue operations and recover data in the event of a
major disruption or disaster.

4. Compensatory Controls
These are alternative measures implemented to mitigate risk when primary
controls are not feasible or effective. For example:
 Alternative Security Measures: If encryption is not possible,
compensating with strict access controls and monitoring.
 Additional Monitoring: Enhanced surveillance and logging when direct
preventive measures are not fully implemented.

24
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

5. Administrative Controls
These involve policies and procedures that govern how security is managed and
enforced. They include:
 Security Policies and Procedures: Establishing clear policies on security
practices, including acceptable use policies, data handling procedures, and
incident reporting protocols.
 Training and Awareness Programs: Educating employees about security
best practices, threats, and their role in maintaining security.
 Risk Assessment and Management: Regularly assessing and managing
risks to identify vulnerabilities and apply appropriate controls.

6. Physical Controls
These address the physical environment and hardware components to protect
against physical threats. They include:
 Secure Facilities: Implementing access controls like keycards or biometric
systems to secure physical locations where sensitive information is stored.
 Surveillance: Using cameras and security personnel to monitor physical
access to sensitive areas.
 Environmental Controls: Ensuring that physical environments are
protected against environmental hazards such as fire, water damage, or
power outages.

7. Technical Controls
These involve technology-based measures to protect systems and data. They
include:
 Antivirus and Anti-Malware: Protecting systems from malicious software
through regular scans and real-time protection.
 Data Loss Prevention (DLP): Monitoring and controlling data transfers to
prevent unauthorized data leakage.
 Patch Management Tools: Automating the application of patches and
updates to ensure systems are up-to-date with the latest security fixes.

1.7 BALANCING SECURITY AND ACCESS *** MAY 2024

What is balancing in security?

Balanced Security is about finding the sweet spot where security protocols are
strong enough to prevent breaches but not so cumbersome that they hinder
productivity or cause frustration among staff.
This can include cyber attacks, data breaches, human errors, natural disasters,
or legal compliance issues.

25
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

How do you balance infrastructure security needs with accessibility

requirements?
1. Assess your risks and priorities.
2. Implement layered and robust security controls.
3. Educate and empower your users and stakeholders.
4. Review and update your security posture.
5. Seek feedback and collaboration.
6. Develop your skills and career .

Balancing security and access is a crucial aspect of information security

management. It involves ensuring that systems and data are adequately
protected while still allowing authorized users to access the resources they need
to perform their tasks efficiently.

26
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Strategies and considerations to achieve this security balance:

1. Implementing Role-Based Access Control (RBAC)
 Definition: RBAC assigns access rights based on roles within an
organization, rather than individual users. Each role has predefined
permissions.
 Benefits:
o Efficiency: Simplifies management of permissions, especially in large
organizations.
o Least Privilege: Ensures users have only the access necessary for
their role, reducing risk.
2. Adopting the Principle of Least Privilege
 Definition: Grant users the minimum level of access required to perform
their job functions.
 Implementation:
o Regular Reviews: Periodically review and adjust access rights to
ensure they remain appropriate.
o Temporary Access: Use temporary permissions for specific tasks or
projects, and revoke them when no longer needed.
3. Multi-Factor Authentication (MFA)
 Definition: MFA requires users to provide multiple forms of verification
before accessing systems or data.
 Benefits:
o Enhanced Security: Adds an extra layer of protection beyond just a
username and password.
o Flexibility: Can be implemented for different levels of access,
balancing security with user convenience.
4. Granular Access Controls
 Definition: Define access controls at a detailed level, such as specific files,
applications, or functions.
 Benefits:
o Targeted Security: Allows precise control over who can access what,
minimizing unnecessary restrictions.
o Customization: Tailors access to specific needs, reducing the risk of
over-privileged accounts.
5. Security Policies and Procedures
 Definition: Develop and enforce policies that define how security and
access should be managed.
 Components:
o Access Control Policies: Outline who can access what information
and under what conditions.
o Incident Response: Procedures for handling security incidents
related to access control breaches.
6. User Education and Training
 Definition: Educate users about security best practices and the
importance of access controls.
 Benefits:
o Awareness: Reduces the likelihood of accidental breaches or
mishandling of access privileges.
o Compliance: Ensures users understand and adhere to security
policies.
27
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

7. Continuous Monitoring and Auditing

 Definition: Regularly monitor and audit access logs and security controls
to detect and address potential issues.
 Tools:
o Security Information and Event Management (SIEM): Provides
real-time analysis and alerts on security incidents.
o Access Audits: Regularly review access rights and usage to ensure
compliance with policies.
8. Adaptive Access Control
 Definition: Use contextual information (e.g., user behavior, location,
device) to adjust access permissions dynamically.
 Benefits:
o Flexibility: Allows for varying levels of access based on current risk
levels or specific conditions.
o Risk-Based: Adapts to changes in user behavior or risk profiles,
providing enhanced security without unnecessary friction.
9. Balancing Usability and Security
 Definition: Design security measures that protect data without overly
hindering user productivity.
 Strategies:
o Usability Testing: Assess how security controls affect user
workflows and adjust to minimize disruptions.
o Feedback Loops: Collect user feedback to improve security measures
while maintaining accessibility.
10. Zero Trust Architecture
 Definition: A security model that assumes no trust, whether inside or
outside the network, and requires continuous verification of all users and
devices.
 Components:
o Micro-Segmentation: Limits access to data and resources based on
strict policies, regardless of user location.
o Continuous Authentication: Regularly re-evaluates user credentials
and device status.
Key Considerations:
 Risk Assessment: Regularly assess the risks associated with different
levels of access and adjust policies accordingly.
 Regulatory Compliance: Ensure access controls comply with relevant
regulations and standards, such as GDPR, HIPAA, or PCI DSS.
 Balance and Flexibility: Find a balance between security and user
convenience, adapting strategies as technology and threat landscapes
evolve.

1.8 THE SDLC ***

SDLC stands for Software Development Life Cycle.

The Software Development Life Cycle (SDLC) is a framework that describes

the stages involved in developing software from inception to retirement. It aims to
produce high-quality software that meets or exceeds customer expectations, is
completed on time and within budget, and is maintainable and reliable.

28
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Summarize the steps common to both the System Development Life Cycle
(SDLC) and the Security System Development Life Cycle (SSDLC). Elaborate
the steps unique to the security systems development Life Cycle MAY 2024

Software development life cycle (SDLC) is a structured process that is used

to design, develop, and test good-quality software. SDLC, or software
development life cycle, is a methodology that defines the entire procedure of
software development step-by-step.

The goal of the SDLC life cycle model

 To deliver high-quality, maintainable software that meets the user’s
requirements.
 SDLC in software engineering models outlines the plan for each stage so
that each stage of the software development model can perform its task
efficiently to deliver the software at a low cost within a given time frame
that meets users’ requirements.

Definition of Software Development Life Cycle (SDLC)

SDLC is a process followed for software building within a software

organization. SDLC consists of a precise plan that describes how to develop,
maintain, replace, and enhance specific software. The life cycle defines a method
for improving the quality of software and the all-around development process.

Need for SDLC

 SDLC is a method, approach, or process that is followed by a software
development organization while developing any software.
 SDLC models were introduced to follow a disciplined and systematic
method while designing software.
 SDLC comprises a detailed description or step-by-step plan for designing,
developing, testing, and maintaining the software.

29
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Typical Phases of SDLC

1. Requirement Analysis
o Definition: The process of gathering and analyzing the needs and
requirements of stakeholders and users.
o Activities: Identifying what the software should do, documenting
requirements, and defining the scope of the project.
o Deliverables: Requirements specification document, use cases, and
functional requirements.
2. Planning
o Definition: Developing a plan to guide the software development
process.
o Activities: Estimating time and cost, defining project milestones,
and creating a project schedule.
o Deliverables: Project plan, budget, and timeline.
3. Design
o Definition: Creating the architecture and detailed design for the
software.
o Activities: Designing system architecture, user interfaces, data
models, and software components.
o Deliverables: Design specifications, architectural diagrams, and
interface designs.
4. Implementation (or Development)
o Definition: Writing and compiling the code according to the design
specifications.
o Activities: Coding, integrating components, and developing
functionalities.
o Deliverables: Source code, compiled software, and initial version of
the application.
5. Testing
o Definition: Verifying and validating that the software meets the
requirements and is free of defects.
o Activities: Conducting various types of testing, such as unit testing,
integration testing, system testing, and acceptance testing.
o Deliverables: Test cases, test reports, and defect logs.
6. Deployment
o Definition: Releasing the software to the production environment
where it will be used by end-users.
o Activities: Installing the software, configuring systems, and
transitioning from the development environment.
o Deliverables: Deployed software, installation guides, and user
manuals.
7. Maintenance
o Definition: Performing ongoing support and updates to ensure the
software remains functional and relevant.
o Activities: Fixing bugs, implementing updates and enhancements,
and providing user support.
o Deliverables: Maintenance patches, updated versions, and support
documentation.

30
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Stages of the Software Development Life Cycle

SDLC specifies the task(s) to be performed at various stages by a software
engineer or developer. It ensures that the end product is able to meet the
customer’s expectations and fits within the overall budget. Hence, it’s vital for a
software developer to have prior knowledge of this software development
process.

The SDLC model involves six phases or stages while developing any software.
SDLC is a collection of these six stages, and the stages of SDLC are as follows:

Stage-1: Planning and Requirement Analysis

Planning is a crucial step in everything, just as in software development. In this

same stage, requirement analysis is also performed by the developers of the
organization. This is attained from customer inputs, and sales
department/market surveys.

The information from this analysis forms the building blocks of a basic project.
The quality of the project is a result of planning. Thus, in this stage, the basic
project is designed with all the available information.

31
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Stage-2: Defining Requirements

In this stage, all the requirements for the target software are specified. These
requirements get approval from customers, market analysts, and stakeholders.
This is fulfilled by utilizing SRS (Software Requirement Specification). This is
a sort of document that specifies all those things that need to be defined and
created during the entire project cycle.

Stage-3: Designing Architecture

SRS is a reference for software designers to come up with the best architecture
for the software. Hence, with the requirements defined in SRS, multiple designs
for the product architecture are present in the Design Document Specification
(DDS).
This DDS is assessed by market analysts and stakeholders. After evaluating all
the possible factors, the most practical and logical design is chosen for
development.

Stage-4: Developing Product

At this stage, the fundamental development of the product starts. For this,
developers use a specific programming code as per the design in the DDS.
Hence, it is important for the coders to follow the protocols set by the
association. Conventional programming tools like compilers, interpreters,
debuggers, etc. are also put into use at this stage. Some popular languages like
C/C++, Python, Java, etc. are put into use as per the software regulations.

32
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Stage-5: Product Testing and Integration

After the development of the product, testing of the software is necessary to

ensure its smooth execution. Although, minimal testing is conducted at every
stage of SDLC. Therefore, at this stage, all the probable flaws are tracked, fixed,
and retested. This ensures that the product confronts the quality requirements
of SRS.

Stage-6: Deployment and Maintenance of Products

After detailed testing, the conclusive product is released in phases as per the
organization’s strategy. Then it is tested in a real industrial environment. It is
important to ensure its smooth performance. If it performs well, the organization
sends out the product as a whole. After retrieving beneficial feedback, the
company releases it as it is or with auxiliary improvements to make it further
helpful for the customers. However, this alone is not enough. Therefore, along
with the deployment, the product’s supervision.

Documentation, Training, and Support:

 Software documentation is an essential part of the software development
life cycle.
 A well-written document acts as a tool and means to information
repository necessary to know about software processes, functions, and
maintenance.
 Documentation also provides information about how to use the product.
 Training in an attempt to improve the current or future employee
performance by increasing an employee’s ability to work through learning,
usually by changing his attitude and developing his skills and
understanding.

Key Practices for Integrating Security into SDLC

 Security Training: Provide ongoing security training for developers and

system administrators.
 Security Policies: Develop and enforce security policies and procedures
throughout the SDLC.

33
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Additional Considerations
 Compliance and Regulations: Ensure adherence to relevant regulations
and standards, such as GDPR, HIPAA, ISO 27001, and NIST guidelines.
GDPR - General Data Protection Regulation
HIPAA - Health Insurance Portability and Accountability Act
NIST - National Institute of Standards and Technology

 Training and Awareness: Provide ongoing training for development and

security teams to keep them updated on best practices and emerging
threats.
 Documentation: Maintain thorough documentation of security
requirements, design decisions, testing results, and incident responses.

SDLC Models

Several models and methodologies exist for implementing the SDLC, including:

 Waterfall Model: A linear and sequential approach where each phase must
be completed before moving on to the next.
 Agile Model: An iterative and incremental approach that emphasizes
flexibility, collaboration, and customer feedback. Common frameworks
include Scrum and Kanban
(Kanban is a visual management method for managing and optimizing
workflows).
 Spiral Model: Combines iterative development with risk analysis, allowing
for repeated refinement of software through cycles or "spirals."
 V-Model: Emphasizes validation and verification, where each development
phase is directly associated with a corresponding testing phase.

Software Development Life Cycle Models

We’ve listed the top five most popular SDLC models below.

1. Waterfall Model

34
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

 It is the fundamental model of the software development life cycle.

 This is a very simple model. The waterfall model is not in practice
anymore, but it is the basis for all other SDLC models.
 Because of its simple structure, the waterfall model is easier to use and
provides a tangible output.
 In the waterfall model, once a phase seems to be completed, it cannot be
changed, and due to this less flexible nature, the waterfall model is not in
practice anymore.

2. Agile Model

 The agile (iterative development) model in SDLC was mainly designed to

adapt to changing requests quickly.
 The main goal of the Agile model is to facilitate quick project completion.
The agile model refers to a group of development processes.
 These processes have some similar characteristics but also possess
certain subtle differences among themselves.

3. Iterative Model

35
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

In the Iterative model in SDLC, each cycle results in a semi-developed but

deployable version; with each cycle, some requirements are added to the
software, and the final cycle results in the software with the complete
requirement specification.

4. Spiral Model

The spiral model in SDLC is one of the most crucial SDLC models that provide
support for risk handling. It has various spirals in its diagrammatic
representation; the number of spirals depends upon the type of project. Each
loop in the spiral structure indicates the Phases of the Spiral model.

5. V-Shaped Model (verification or validation)

The V-shaped model in SDLC is executed in a sequential manner in V-shape.

Each stage or phase of this model is integrated with a testing phase. After every
development phase, a testing phase is associated with it, and the next phase
will start once the previous phase is completed, i.e., development & testing. It is
also known as the verification or validation model.
36
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

1.9 THE SECURITY SDLC

Secure Software Development Life Cycle (SSDLC) ensures that computer

programs are built with security in mind right from the beginning. It involves
planning, designing, coding, testing, deploying, and maintaining software while
consistently addressing security concerns at each step.

 SSDLC is crucial to identify and fix security issues early, reducing the risk
of cyber threats.
 By integrating security measures throughout the development process,
SSDLC aims to create safer and more trustworthy software applications.
 It is an essential practice in the ever-changing landscape of cyber
security.

Key Principles of Secure SDLC (Secure Software Development Life Cycle)

The key principles of Secure Software Development Life Cycle (SDLC) lay out
the fundamental ideas guiding the process of creating secure software. These
principles help developers and teams understand how to approach security in
each stage of development.

 Security by Design: This principle highlights the need to think about

security right from the start of creating software. It means including security
requirements in the initial planning and design stages of development.
 Continuous Monitoring: Continuous monitoring is an ongoing process of
regularly checking and ensuring the security of the software at every step of
its development. It’s not a one-time thing but a continuous effort to find and
fix security issues throughout the entire development process.
 Risk Assessment: This principle involves evaluating and understanding
potential security risks early in the development process. It includes
identifying vulnerabilities and deciding which risks need the most attention
and quick action to reduce potential threats.

37
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

 Education and Training: Education and training are essential to make sure
everyone involved in creating the software, especially developers, knows about
security issues. It emphasizes providing the necessary training so that
individuals have the skills to handle security concerns effectively.
 Collaboration: Collaboration is a crucial principle that stresses the
importance of teamwork. It involves encouraging collaboration between
different teams, like developers, operations, and security teams. This ensures
that everyone is working together, sharing knowledge, and coordinating
efforts to achieve common security goals during the software development
process.

Phases of Secure SDLC(Secure Software Development Life Cycle)

 Phases of Secure Software Development Life Cycle (SDLC) refer to the
different stages involved in building secure software. These phases guide
the step-by-step process from the initial planning to the ongoing
maintenance of the software.

Phases of Secure SDLC:

 Planning: In the planning stage, the main focus is on figuring out the
security requirements for the software. This includes identifying possible risks
and creating a plan for how to make the software secure from the beginning.
 Design: During the design phase, the plan for security is put into action. This
involves making decisions about how to build security features into the
software. The goal is to ensure that the design can handle potential security
problems.
 Implementation: In the implementation phase, developers start building the
software using secure coding practices. This means writing code in a way that
reduces the chances of security problems. Code reviews are done to catch and
fix any security issues.
 Testing: Testing is all about checking how secure the software is. Different
tests are done, like trying to break into the software to find vulnerabilities,
scanning the code for potential problems, and making sure the software can
handle different security threats.
 Deployment: Deployment is when the software is released. Here, the focus is
on making sure the release process is secure, taking precautions to avoid any
security issues during this stage.
 Maintenance: Maintenance is an ongoing process where the software is
continuously looked after. This involves keeping an eye on security and
regularly updating the software to deal with new threats, making sure it stays
secure over time.
38
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

The Secure Software Development Life Cycle (Secure SDLC) is designed to

integrate security considerations into every phase of the software development
process.

The purpose of Secure SDLC is to ensure that software is developed with a focus
on minimizing security vulnerabilities and protecting against potential threats
from the outset.

Here are the primary purposes and objectives of Secure SDLC:

**1. Integrate Security into Every Phase

 Objective: To embed security practices into all stages of software
development, from planning through deployment and maintenance. This
ensures that security is considered at every step rather than being an
afterthought.
 Benefit: Reduces the risk of vulnerabilities being introduced during
development and helps create a more robust and secure application.
**2. Identify and Mitigate Security Risks Early
 Objective: To identify potential security risks and threats early in the
development process, allowing for their mitigation before the software is
released.
 Benefit: Minimizes the likelihood of security breaches and reduces the cost
and complexity of addressing vulnerabilities discovered later.
**3. Ensure Compliance with Security Standards and Regulations
 Objective: To ensure that the software complies with relevant security
standards, regulations, and industry best practices (e.g., GDPR, HIPAA,
OWASP).
 Benefit: Helps avoid legal and regulatory penalties and enhances trust
with customers and stakeholders.
**4. Protect Sensitive Data
 Objective: To ensure that sensitive and personal data is protected
throughout its lifecycle, including storage, processing, and transmission.
 Benefit: Reduces the risk of data breaches and protects the privacy and
confidentiality of user data.
**5. Enhance Software Resilience and Reliability
 Objective: To build software that is resilient to attacks and capable of
handling unexpected security events effectively.
 Benefit: Increases the overall reliability and robustness of the software,
leading to higher user confidence and satisfaction.
**6. Improve Security Awareness and Practices
 Objective: To promote security awareness among developers and other
stakeholders, ensuring that they are aware of and adhere to secure coding
practices and security requirements.
 Benefit: Fosters a culture of security within the development team and
organization, leading to better overall security practices.
**7. Facilitate Efficient Incident Response and Management
 Objective: To ensure that security incidents are detected, managed, and
resolved efficiently, and that lessons learned are incorporated into future
development processes.

39
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

 Benefit: Enhances the ability to respond to and recover from security

incidents, reducing the impact on the organization and its users.
**8. Reduce the Cost of Security Fixes
 Objective: To identify and address security issues during development
rather than after deployment, which can be more costly and disruptive.
 Benefit: Lowers the cost of fixing security vulnerabilities and reduces the
need for extensive rework and patching.
**9. Support Continuous Improvement
 Objective: To continually assess and improve security practices and
processes based on feedback, lessons learned, and evolving threats.
 Benefit: Keeps the development process and software security practices
up-to-date with the latest threats and best practices.

Examples of a Secure SDLC (Secure Software Development Life Cycle):

The following are a few instances of well-known frameworks for creating safe
software development lifecycles:

NIST Secure Software Development Framework (SSDF):

o The National Institute of Standards and Technology (NIST), which is also

responsible for maintaining the National Vulnerability Database (NVD),
which keeps track of publicly known software vulnerabilities, developed
the secure software development framework (SSDF).
o A secure SDLC can be realized with the aid of the software development
techniques defined by the SSDF.
o Documents outlining and recommending standards, principles, and
software development processes are included in the framework.
o Prominent behaviors consist of:
 Giving developers instruction in secure code to guarantee security right away
 Security issues can be identified as near to the point of remedy as feasible by
automating and integrating security tests.
 Security libraries and open source components used in projects

MS Security Development Lifecycle (MS SDL):

o Microsoft introduced MS SDL to provide reliable security considerations to
support the contemporary development workflow.
o A selection of procedures selected specifically to support security
assurance and compliance needs are included in the SDL.
o The SDL can help developers cut down on the quantity and seriousness of
vulnerabilities in their codebase, as well as the expenses and delays
associated with late-stage remediation.

OWASP Comprehensive, Lightweight Application Security Process (CLASP):

o Best practices for security are implemented by the rule-based components

that make up CLASP.
o It can assist developers in implementing security in a systematic and
repeatable manner and securing apps early in the development cycle.

40
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

o In order to create CLASP, real-world development teams were examined,

their development lifecycles dissected, and the best way to include
security procedures into their routines was determined.
o In addition to discussing how to improve currently in place processes,
CLASP assists teams in addressing particular vulnerabilities and coding
flaws that may be used to cause significant security breaches.

Comparison of SDLC Process versus SSDLC Process:

ANNA UNIVERSITY PROMINENT QUESTIONS

PART-A QUESTIONS AND ANSWERS

1. What is the difference between vulnerability and exposure? MAY 2024

Sl.
Vulnerability Exposure
No
Definition: Vulnerability is a Definition: Exposure refers to the
specific weakness or flaw that can state of being in a position where
1 be exploited or triggered by an one is at risk or allowing to
external threat, leading to potential threats or hazards.
potential harm or damage.
Vulnerability is the specific Exposure is the state of being at
2 weakness that could be exploited risk
to cause harm
Vulnerability identifies what the Exposure indicates that there is a
3 risk specifically is and how it can potential risk
be exploited.

41
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

2. Why is a methodology important in the implementation of information

security? How does a methodology improve the process? MAY 2024
A methodology enhances the implementation of information security by providing
a structured, consistent, and efficient approach to managing security.

It ensures that all critical aspects are addressed, facilitates compliance, and
supports continuous improvement, ultimately leading to a more robust and
effective security posture.

3. What is information security?

Information Security, often abbreviated as InfoSec, is the practice of protecting
information from unauthorized access, disclosure, disruption, modification, or
destruction. Its primary goal is to ensure the confidentiality, integrity, and
availability of information, often summarized as the CIA triad:
 Confidentiality: Ensuring that information is accessible only to
those authorized to access it. This involves measures such as
encryption and access controls.
 Integrity: Ensuring that information remains accurate and unaltered
during transmission or storage. This includes protection against
unauthorized modifications and ensuring data consistency.
 Availability: Ensuring that information and resources are accessible
to authorized users when needed. This involves measures to prevent
disruptions, such as redundancy and disaster recovery plans.

4. What is the primary goal of information security?

The primary goal of information security is to protect the confidentiality,
integrity, and availability (CIA) of information and information systems. These
three core principles, often referred to as the CIA triad, are essential for
maintaining effective security

5. What is security vulnerability?

Security vulnerability is a weakness or flaw in a system, application, or network
that can be exploited by attackers to gain unauthorized access, disrupt services,
or compromise data. Vulnerabilities can exist in various components of an IT
environment, including hardware, software, and procedural aspects.
Characteristics of Security Vulnerabilities
 Weakness
 Exploitation
 Impact

6. What is data encryption, and why is it used?

Encryption Process: Data encryption involves using an algorithm (cipher)
and a key to convert plaintext (readable data) into ciphertext (encoded
data). The encryption algorithm applies complex mathematical operations
to the plaintext data, making it unreadable without the decryption key.
Types of Encryption:
 Symmetric Encryption: AES (Advanced Encryption Standard) and
DES (Data Encryption Standard)
 Asymmetric Encryption: RSA (Rivest-Shamir-Adleman) and
ECC (Elliptic Curve Cryptography)

42
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

7. What is a risk assessment in information security?

A risk assessment in information security is a systematic process used to
identify, evaluate, and prioritize risks associated with information assets.
The goal is to understand the potential threats and vulnerabilities that
could impact the confidentiality, integrity, and availability of information
systems and data

8. What are the main objectives of the NSTISSC?

 Develop and Implement Security Policies and Standards
 Coordinate National Security Information System Security
 Promote Best Practices in Information Security
 Support Risk Management and Mitigation
 Enhance Security Training and Awareness
 Address Emerging Threats and Vulnerabilities

9. What is the difference between Alpha and Beta testing?

Alpha testing is performed by internal teams before the software is released
to external users, while Beta testing involves real users testing the software
in a real-world environment to provide feedback.

10. What is Agile SDLC?

Agile SDLC is an iterative and incremental approach to software
development that emphasizes flexibility, collaboration, and customer
feedback throughout the development process.

ANNA UNIVERSITY PROMINENT QUESTIONS

PART-B & C
1. Explain the components of an information system. Also, enlighten about
balancing methodologies of information security and access. MAY 2024
2. Briefly, describe the approaches to information security implementation.
MAY 2014
3. Summarize the steps common o both the System Development Life Cycle (SDLC)
and the Security System Development Life Cycle (SSDLC). Elaborate the steps
unique to the security system development life cycle. MAY 2024
4. Discuss the components and characteristics of information security system

ASSIGNMENT-1 QUESTIONS
(UNIT I INTRODUCTION)
1. Explain the components of information system
2. Explain the NSTISSC security model
3. Approches to information security implementation
4. Explain the phases of SDLC security

Assignment Submission Date: 15.09.2024

<<<@!@>>>

43
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-I
 LECTURE NOTES

III YEAR / 5th SEM

CW3551 DATA AND INFORMATION SECURITY

(R-2021)
UNIT- 2

ABDUL KAREEM.D (Asst.Prof-AI & DS)

----------------------------------------------------------------------------------------------

GRT INSTITUTE OF ENGINEERING AND TECHNOLOGY

(An Autonomous Institution)
GRT MAHALAKSHMI NAGAR
TIRUTTANI – 631 209.
CW3551 DATA AND INFORMATION SECURITY LTPC
3003
COURSE OBJECTIVES:
• To understand the basics of Information Security
• To know the legal, ethical and professional issues in Information Security
• To equip the students’ knowledge on digital signature, email security and web security

UNIT I INTRODUCTION 9
History, What is Information Security?, Critical Characteristics of Information, NSTISSC Security Model,
Components of an Information System, Securing the Components, Balancing Security and Access, The
SDLC, The Security SDLC

UNIT II SECURITY INVESTIGATION 9

Need for Security, Business Needs, Threats, Attacks, Legal, Ethical and Professional Issues - An Overview
of Computer Security - Access Control Matrix, Policy-Security policies, Confidentiality policies, Integrity
policies and Hybrid policies

UNIT III DIGITAL SIGNATURE AND AUTHENTICATION 9

Digital Signature and Authentication Schemes: Digital signature-Digital Signature Schemes and their
Variants- Digital Signature Standards-Authentication: Overview- Requirements Protocols - Applications -
Kerberos -X.509 Directory Services

UNIT IV E-MAIL AND IP SECURITY 9

E-mail and IP Security: Electronic mail security: Email Architecture -PGP – Operational Descriptions- Key
management- Trust Model- S/MIME.IP Security: Overview- Architecture - ESP, AH Protocols IPSec
Modes – Security association - Key management.

UNIT V WEB SECURITY 9

Web Security: Requirements- Secure Sockets Layer- Objectives-Layers -SSL secure communication-
Protocols - Transport Level Security. Secure Electronic Transaction- Entities DS Verification-SET
processing.
TOTAL: 45 PERIODS
COURSE OUTCOMES:
Upon successful completion of this course, students will be able to:
CO1: Understand the basics of data and information security
CO2: Understand the legal, ethical and professional issues in information security
CO3: Understand the various authentication schemes to simulate different applications.
CO4: Understand various security practices and system security standards
CO5: Understand the Web security protocols for E-Commerce applications

TEXT BOOKS:
1. Michael E Whitman and Herbert J Mattord, “Principles of Information Security, Course Technology,
6th Edition, 2017.
2. Stallings William. Cryptography and Network Security: Principles and Practice, Seventh Edition,
Pearson Education, 2017.
REFERENCES
1. Harold F. Tipton, Micki Krause Nozaki,, “Information Security Management Handbook, Volume 6, 6th Edition,
2016.
2. Stuart McClure, Joel Scrambray, George Kurtz, “Hacking Exposed”, McGraw- Hill, Seventh Edition, 2012.
3. Matt Bishop, “Computer Security Art and Science, Addison Wesley Reprint Edition, 2015.
Behrouz A Forouzan, Debdeep Mukhopadhyay, Cryptography And network security, 3rd Edition, . McGraw-Hill
Education, 2015.
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

UNIT II SECURITY INVESTIGATION 9

Need for Security, Business Needs, Threats, Attacks, Legal, Ethical and
Professional Issues - An Overview of Computer Security - Access Control
Matrix, Policy-Security policies, Confidentiality policies, Integrity policies
and Hybrid policies

1.1 NEED FOR SECURITY

Security in information security is crucial for protecting an organization’s data,
systems, and networks from various threats and vulnerabilities. Here’s an
overview of the need for robust security measures in information security:

1. Protection of Confidential Information

 Data Privacy: Security measures ensure that sensitive information such as
personal data, financial records, and intellectual property is protected from
unauthorized access and breaches.
 Regulatory Compliance: Adherence to data protection laws (e.g., GDPR,
CCPA) requires implementing strong security practices to safeguard
personal and sensitive information.
2. Prevention of Data Breaches
 Mitigating Risks: Effective security helps prevent unauthorized access to
data, reducing the risk of data breaches that can lead to financial loss,
reputational damage, and legal consequences.
 Threat Detection: Security measures such as Intrusion Detection Systems
(IDS) and firewalls help identify and respond to potential threats before
they cause harm.

1
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

3. Maintaining Data Integrity

 Accuracy and Reliability: Ensuring data integrity prevents unauthorized
modifications or corruption of data, which is essential for accurate
business operations and decision-making.
 Tamper Prevention: Security practices protect data from being altered or
tampered with, maintaining its accuracy and reliability.
4. Ensuring Availability of Information
 Service Continuity: Security measures, including redundancy and backup
systems, help ensure that critical information and services remain available
and operational even in the event of a cyber attack or system failure.
 Disaster Recovery: Effective security includes disaster recovery plans that
enable organizations to recover data and resume operations quickly after
an incident.
5. Protecting Against Cyber Threats
 Malware and Ransomware: Security measures protect against malicious
software, such as viruses, worms, and ransomware, which can compromise
systems and data.
 Phishing and Social Engineering: Security training and safeguards help
prevent attacks that exploit human vulnerabilities, such as phishing scams
and social engineering tactics.
6. Safeguarding Intellectual Property
 Competitive Advantage: Protecting intellectual property (IP) from theft or
unauthorized use ensures that proprietary information and innovations
remain secure, preserving a competitive edge.
 Trade Secrets: Security practices prevent the leakage of trade secrets and
confidential business strategies.
7. Maintaining Customer Trust
 Reputation Management: Strong security practices build customer trust
by demonstrating a commitment to protecting their data and privacy.
 Customer Assurance: Effective security measures reassure customers that
their information is handled securely and responsibly.
8. Meeting Legal and Regulatory Requirements
 Compliance: Adhering to industry regulations and standards (e.g., PCI-
DSS, HIPAA) requires implementing robust security measures to protect
data and ensure compliance.
 Avoiding Penalties: Non-compliance with security regulations can result
in legal penalties, fines, and lawsuits.
9. Mitigating Financial Losses
 Cost of Breaches: Security incidents can lead to significant financial losses
due to data breaches, legal fees, regulatory fines, and loss of business.
 Insurance Costs: Effective security reduces the likelihood of costly
incidents and helps manage insurance premiums related to cyber risk.
10. Supporting Business Operations
 Operational Efficiency: Security measures support smooth business
operations by protecting systems from disruptions and ensuring data
availability.
 Business Continuity: Ensuring robust security helps maintain business
continuity by safeguarding against risks that could impact operational
stability.

2
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

1.2 BUSINESS NEEDS, THREATS, ATTACKS

Business Needs in Information Security

1. Data Protection:
o Confidentiality: Safeguard sensitive information such as customer
data, financial records, and intellectual property from unauthorized
access.
o Integrity: Ensure data remains accurate, complete, and unaltered by
unauthorized entities.
o Availability: Maintain the availability of data and systems to support
business operations and continuity.
2. Regulatory Compliance:
o Adherence to Standards: Meet industry-specific regulations and
standards (e.g., GDPR, HIPAA, PCI-DSS) to avoid legal penalties and
ensure legal and ethical handling of data.
o Reporting and Audits: Provide accurate documentation and
reporting to demonstrate compliance and support audit processes.
3. Risk Management:
o Identifying Risks: Identify and assess potential risks to data and
systems to prioritize security measures.
o Mitigating Threats: Implement controls and safeguards to mitigate
identified risks and protect against potential security incidents.
4. Operational Continuity:
o Disaster Recovery: Develop and maintain disaster recovery plans to
quickly restore operations following disruptions or incidents.
o Business Continuity: Ensure that critical business functions can
continue in the event of a security breach or other incidents.
5. Customer Trust and Reputation:
o Trust Building: Establish and maintain customer trust by
demonstrating a commitment to protecting their personal and
financial information.
o Reputation Management: Protect the organization’s reputation by
preventing data breaches and security incidents that could damage
public perception.
6. Cost Management:
o Reducing Financial Impact: Implement cost-effective security
measures to reduce potential financial losses from security incidents.
o Budgeting for Security: Allocate resources and budget for ongoing
security investments and improvements.

3
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Threats in Information Security

1. Cyber Threats:
o Malware: Malicious software designed to damage, disrupt, or gain
unauthorized access to systems (e.g., viruses, ransomware, spyware).
o Phishing: Deceptive attempts to obtain sensitive information by
masquerading as a trustworthy entity in electronic communications.
2. Insider Threats:
o Malicious Insiders: Employees or contractors who intentionally
misuse their access to harm the organization or steal information.
o Negligent Insiders: Individuals who unintentionally compromise
security due to lack of awareness or improper handling of data.
3. External Threats:
o Hackers: Individuals or groups who exploit vulnerabilities to gain
unauthorized access or disrupt systems.
o Nation-State Actors: State-sponsored entities that engage in cyber
espionage (practice of spying) or attacks to further national interests.
4. Physical Threats:
o Theft: Physical theft of devices or hardware that contain sensitive
information.
o Damage: Physical damage to infrastructure or systems due to
natural disasters, accidents, or vandalism.
5. Advanced Persistent Threats (APTs):
o Long-Term Attacks: Prolonged and targeted cyber attacks designed
to gain and maintain unauthorized access to systems and data over
time.

4
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Attacks in Information Security

1) Malware
Malware attacks are the most common cyber security threats. Malware is
defined as malicious software, including spyware, ransomware, viruses, and
worms, which gets installed into the system when the user clicks a dangerous
link or email. Once inside the system, malware can block access to critical
components of the network, damage the system, and gather confidential
information, among others.
“According to Accenture, the average cost of a malware attack is USD 2.6
million”

2) Phishing
Cybercriminals send malicious emails that seem to come from legitimate
resources. The user is then tricked into clicking the malicious link in the
email, leading to malware installation or disclosure of sensitive information
like credit card details and login credentials.
“Phishing attack accounts for over 80% of reported cyber incidents”

3) Spear Phishing
Spear phishing is a more sophisticated form of a phishing attack in which
cybercriminals target only privileged users such as system administrators
and C-suite executives.
“More than 71% of targeted attacks involve the use of spear phishing ”.

4) Man in the Middle Attack

Man in the Middle (MitM) attack occurs when cyber criminals place
themselves between a two-party communications. Once the attacker
interprets the communication, they may filter and steal sensitive data and
return different responses to the user.
o Eavesdropping: Intercepting and monitoring communications
between two parties without their knowledge.
o Session Hijacking: Taking control of a user’s session to gain
unauthorized access to systems or data.
“According to Netcraft, 95% of HTTPS servers are vulnerable to MitM.”
5
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

5) Denial of Service Attack (DoS)

Denial of Service attacks aims at flooding systems, networks, or servers with
massive traffic, thereby making the system unable to fulfill legitimate
requests. Attacks can also use several infected devices to launch an attack on
the target system. This is known as a Distributed Denial of Service (DDoS)
attack.
o Flood Attacks: Overwhelm a system or network with excessive traffic
to render it unavailable to legitimate users.
o Distributed Denial of Service (DDoS): Use multiple compromised
systems to launch a coordinated attack on a target.

“The year 2019 saw a staggering 8.4 million DDoS attacks.”

6) SQL Injection
A Structured Query Language (SQL) injection attack occurs when
cybercriminals attempt to access the database by uploading malicious SQL
scripts. Once successful, the malicious actor can view, change, or delete data
stored in the SQL database.
“SQL injection accounts for nearly 65.1% of all web application attacks ”

7) Zero-day Exploit
A zero-day attack occurs when software or hardware vulnerability is
announced, and the cybercriminals exploit the vulnerability before a patch or
solution is implemented.
“It is predicted that zero-day attacks will rise to one per day by 2021.”

8) Advanced Persistent Threats (APT)

An advanced persistent threat occurs when a malicious actor gains
unauthorized access to a system or network and remains undetected for an
extended time.
“45% of organizations feel that they are likely to be the target of an APT. ”

9) Ransomware
Ransomware is a type of malware attack in which the attacker locks or
encrypts the victim’s data and threatens to publish or block access to data
unless a ransom is paid. Learning more about ransomware threats can help
companies prevent and cope with them better.
o Data Encryption: Encrypting files and demanding a ransom payment for
the decryption key.
o Ransom Demands: Threatening to publish or destroy data if the ransom is
not paid
“Ransomware attacks are estimated to cost global organizations USD 20
billion by 2021.”

10) DNS Attack

A DNS attack is a cyber attack in which cybercriminals exploit vulnerabilities
in the Domain Name System (DNS). The attackers leverage the DNS
vulnerabilities to divert site visitors to malicious pages (DNS Hijacking) and
remove data from compromised systems (DNS Tunneling).
“The average cost of a DNS attack stood at USD 924,000 in 2020.”
6
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

11) Exploit Attacks:

o Zero-Day Exploits: Attacks that target unknown vulnerabilities
before they are patched by the vendor.
o SQL Injection: Insertion of malicious SQL queries into input fields to
manipulate or access databases.
12) Social Engineering Attacks:
o Pretexting: Creating a fabricated scenario to obtain information or
access from targets.
o Baiting: Offering something enticing to trick individuals into
divulging sensitive information or downloading malicious software.
13) Credential Theft:
o Password Attacks: Using techniques such as brute force or phishing
to obtain user credentials.
o Credential Stuffing: Using stolen credentials from one breach to
gain access to other accounts.

1.3 LEGAL, ETHICAL AND PROFESSIONAL ISSUES

Difference between ethics and law

# ETHICS LAW
These are formal, well-
1 These are unwritten principles.
documented principles.
These are defined by
These are created by the
2 individuals and may vary
Government and court.
depending on personal choice.
These cannot be applied to
everyone. Most of the time, the
3 Laws are applicable to everyone.
ethics of different companies
will be different.

Legal Issues in Information Security

1. Data Protection Laws and Regulations:

o General Data Protection Regulation (GDPR): Requires
organizations to protect the personal data of EU citizens and
stipulates conditions for data collection, processing, and storage.
o California Consumer Privacy Act (CCPA): Provides California
residents with rights regarding their personal information and
imposes requirements on businesses handling that data.
o Health Insurance Portability and Accountability Act (HIPAA):
Governs the protection of health information in the U.S., requiring
safeguards to protect patient data.
2. Data Breach Notification Laws:
o Notification Requirements: Many jurisdictions require
organizations to notify affected individuals and regulators in the
event of a data breach. Compliance involves timely and accurate
reporting.
o Penalties: Failure to comply with breach notification laws can result
in significant fines and legal consequences.

7
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

3. Intellectual Property (IP) Protection:

Copyright and Patents: Organizations must ensure they respect IP

o
laws and avoid unauthorized use of software, data, or proprietary
technology.
o Trade Secrets: Protecting trade secrets involves implementing
measures to prevent unauthorized disclosure or use of sensitive
business information.
4. Contractual Obligations:
o Service Level Agreements (SLAs): Security obligations may be
outlined in contracts with third-party vendors or partners.
Organizations must adhere to these agreements to avoid breaches of
contract.
o Data Processing Agreements (DPAs): Agreements that outline how
data will be processed and protected when shared with third parties.
5. Legal Liability:
o Negligence: Organizations can be held liable for damages if they fail
to implement adequate security measures and a data breach occurs
as a result.
o Regulatory Fines: Non-compliance with regulations can lead to
substantial fines and legal actions.

Ethical Issues in Information Security

1. Privacy:
o Respect for Individual Privacy: Ethical considerations involve
protecting individuals' privacy and ensuring that data collection and
usage are conducted transparently and with consent.
o Data Minimization: Collect only the data necessary for specific
purposes and avoid excessive data collection.
2. Honesty and Integrity:
o Disclosure of Vulnerabilities: Ethical behavior includes responsibly
disclosing security vulnerabilities to affected parties and vendors
rather than exploiting them for personal gain.
o Accurate Reporting: Ensure that all security-related reports and
communications are truthful and not misleading.
3. Responsibility and Accountability:
o Accountability for Actions: Individuals and organizations must take
responsibility for their actions and decisions related to information
security.
o Ethical Decision-Making: Decisions should be made based on
ethical principles, such as protecting data and respecting user rights,
rather than solely focusing on business interests.
4. Respect for Consent:
o Informed Consent: Obtain explicit consent from individuals before
collecting or using their personal data, and provide clear information
about how their data will be used.
o Opt-Out Options: Provide users with the ability to opt-out of data
collection or sharing practices.

8
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Professional Issues in Information Security

1. Code of Conduct:
o Adherence to Standards: Information security professionals should
follow established codes of conduct and ethical guidelines from
professional organizations like (ISC), ISACA, and (ISC).
o Professional Integrity: Maintain high standards of professionalism,
including honesty, integrity, and competence in security practices.
2. Confidentiality:
o Handling Sensitive Information: Professionals must ensure the
confidentiality of sensitive information they handle, including client
data and organizational secrets.
o Non-Disclosure Agreements (NDAs): Abide by NDAs and
confidentiality agreements to protect sensitive information.
3. Continuous Learning:
o Keeping Skills Updated: Stay current with evolving threats,
technologies, and best practices through ongoing education and
professional development.
o Certification and Training: Obtain and maintain relevant
certifications and participate in training programs to ensure expertise
and competence in the field.
4. Ethical Hacking and Testing:
o Authorization: Conduct security testing and ethical hacking only
with proper authorization and within agreed-upon boundaries.
o Impact Awareness: Ensure that testing does not inadvertently
disrupt operations or compromise data.
5. Conflict of Interest:
o Avoiding Conflicts: Avoid situations where personal interests or
relationships could compromise professional judgment or the
objectivity of security assessments.

9
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

1.4 AN OVERVIEW OF COMPUTER SECURITY

 Computer security, often considered a core component of information

security, focuses on protecting computer systems and networks from a
variety of threats.
 It encompasses measures and practices designed to ensure the
confidentiality, integrity, and availability of data and resources within
computer systems.
 Here’s computer security in the context of information security:

1. Key Objectives of Computer Security

1. Confidentiality:
o Protection of Data: Ensure that sensitive information is accessible
only to authorized individuals or systems. This involves encrypting
data, implementing access controls, and securing communication
channels.
o Access Control: Restrict access to systems and data based on user
roles and permissions, ensuring that only authorized users can
access or modify information.
10
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

2. Integrity:
o Data Accuracy: Maintain the accuracy and completeness of data by
preventing unauthorized modifications or tampering. This includes
using checksums, hashes, and digital signatures to verify data
integrity.
o System Integrity: Ensure that systems operate correctly and that
software and configurations remain unaltered by unauthorized
changes.
3. Availability:
o System Uptime: Ensure that computer systems and data are
available to authorized users when needed. This involves
implementing redundancy, failover mechanisms, and regular
backups to mitigate the impact of hardware failures or attacks.
o Disaster Recovery: Develop and maintain disaster recovery plans to
quickly restore operations in the event of a security incident or
system failure.

2. Core Components of Computer Security

1. Authentication:
o User Verification: Confirm the identity of users attempting to access
systems or data. Common methods include passwords, biometrics,
smart cards, and two-factor authentication (2FA).
o Multi-Factor Authentication (MFA): Enhance security by requiring
multiple forms of verification before granting access.
2. Authorization:
o Access Controls: Define and enforce permissions that determine
what resources and actions users are allowed. This includes
implementing Role-Based Access Control (RBAC) and managing user
privileges.
o Least Privilege: Adhere to the principle of least privilege by providing
users with the minimum level of access necessary to perform their
tasks.
3. Encryption:
o Data Protection: Use cryptographic techniques to protect data both
at rest (e.g., stored on disks) and in transit (e.g., during transmission
over networks). Encryption helps safeguard against unauthorized
access and data breaches.
o Secure Communication: Employ encryption protocols (e.g.,
TLS/SSL) to secure communication channels and protect data from
eavesdropping and tampering.
4. Firewalls:
o Network Security: Implement firewalls to filter and control incoming
and outgoing network traffic based on predefined security rules.
Firewalls help prevent unauthorized access and mitigate potential
threats.
o Intrusion Prevention: Use firewalls in conjunction with Intrusion
Detection And Prevention Systems (IDPS) to identify and block
malicious activities.

11
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

5. Antivirus and Anti-Malware:

o Threat Detection: Deploy antivirus and anti-malware software to
detect, prevent, and remove malicious software such as viruses,
worms, and ransomware.
o Regular Scanning: Perform regular scans and updates to ensure the
software can detect and address new and evolving threats.
6. Patch Management:
o Software Updates: Regularly update and patch software and
operating systems to address known vulnerabilities and protect
against exploits.
o Vulnerability Management: Monitor for security advisories and
apply patches in a timely manner to reduce the risk of exploitation.
7. Backup and Recovery:
o Data Backup: Regularly back up critical data and systems to ensure
that information can be restored in the event of data loss or
corruption.
o Recovery Testing: Test backup and recovery procedures periodically
to ensure they work effectively and can be relied upon in a crisis.

3. Common Threats and Attacks

1. Malware:
o Viruses, Worms, Trojans: Malicious software designed to damage or
disrupt systems.
o Ransomware: Encrypts files and demands a ransom for the
decryption key.
2. Phishing:
o Deceptive Communications: Attempts to obtain sensitive
information by pretending to be a trustworthy entity through email or
other communication channels.
3. Denial of Service (DoS):
o Service Disruption: Overwhelm systems or networks with excessive
traffic to make them unavailable to legitimate users.
4. Intrusions and Hacking:
o Unauthorized Access: Exploiting vulnerabilities to gain
unauthorized access to systems and data.
5. Data Breaches:
o Unauthorized Data Access: Breaching security to access and
potentially exfiltrate (process of extracting) sensitive data.

4. Best Practices for Computer Security

1. Implement Strong Password Policies: Require complex passwords and

regular changes to enhance authentication security.
2. Regular Security Training: Educate employees about security best
practices, phishing awareness, and safe computing habits.
3. Secure Configuration: Follow security best practices for configuring
hardware and software to minimize vulnerabilities.
4. Regular Audits and Monitoring: Conduct regular security audits and
continuous monitoring to detect and respond to potential security incidents
promptly.
12
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

1.5 ACCESS CONTROL MATRIX

 The Access Control Matrix (ACM) is a fundamental concept in information
security, particularly important in managing and enforcing access controls
during security investigations.
 Access control matrix is a security model that protects digital resources or
“objects” from unauthorized access.
 It can be thought of as an array of cells with each column and row for
users “subject” and object.
 An entry in a given cell demonstrates a specific subject’s access mode on
the corresponding object.
 Every column represents an object’s access list, while a row is equivalent to
a subject’s access profile.

Definition of Access Control Matrix

An Access Control Matrix is a table or a model used to define and manage access
rights and permissions for users or entities (like processes) across different
resources (like files, databases, or systems). It essentially maps who can access
what, and what actions they can perform on those resources.

Example of an Access Control Matrix (ACM)

 Rows: Represent users or subjects (e.g., employees, roles, processes).
 Columns: Represent resources or objects (e.g., files, databases,
applications).
 Cells: Indicate the permissions or access rights that a user has over a
resource (e.g., read, write, execute).

User/Process File A File B Database X Application Y

Alice Read, Write Read None Execute
Bob Read Write Read, Write None
Carol None None Read Read
Read, Write, Read, Read, Write,
Admin Read, Write, Execute
Execute Write Execute
 Alice can read and write to File A, read File B, and execute Application Y.
 Bob can read File A, write File B, and both read and write Database X.
 Carol has no access to File A or File B, but can read Database X and
Application Y.
 Admin has full access to all resources.
13
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Role in Information Security Investigations

1. Identifying Access Rights:

o Permission Review: During an investigation, the ACM helps in
reviewing and auditing the permissions granted to users or entities.
This can help identify if any unauthorized or excessive access rights
were granted.
o Access Mapping: Provides a clear picture of who had access to which
resources and what actions they could perform, aiding in the
understanding of potential security breaches or incidents.
2. Enforcing Access Controls:
o Access Management: Ensures that access control policies are
implemented correctly, and helps in verifying that users have only
the permissions necessary for their roles.
o Policy Enforcement: Supports the enforcement of access control
policies by providing a structured approach to managing and
monitoring permissions.
3. Incident Analysis:
o Breach Investigation: Helps in determining the scope of a security
breach by identifying which users had access to compromised
resources. This can be crucial for understanding the impact of the
breach.
o Attribution: Assists in attributing actions to specific users or
processes, which is useful for forensic analysis and identifying
potential insiders or external attackers.
4. Compliance and Auditing:
o Regulatory Compliance: Ensures that access control practices
comply with regulatory requirements and standards (e.g., GDPR,
HIPAA) by providing a documented record of access rights.
o Audit Trails: Facilitates audits by providing a detailed matrix of
access permissions, which can be reviewed for compliance and
security posture assessment.
5. Updating and Remediation:
o Permission Updates: Assists in updating permissions during or after
an investigation to remediate any identified issues, such as revoking
unnecessary access or correcting misconfigured permissions.
o Risk Mitigation: Helps in identifying and mitigating risks by
ensuring that access controls align with current security needs and
policies.

Best Practices for Using an Access Control Matrix

1. Regular Review: Periodically review and update the ACM to ensure it

reflects current access control policies and user roles.
2. Principle of Least Privilege: Apply the principle of least privilege by
granting users only the permissions necessary for their tasks.
3. Documentation: Maintain accurate and up-to-date documentation of
access rights and changes to facilitate audits and investigations.
4. Integration with Other Controls: Combine ACM with other security
controls such as authentication mechanisms, logging, and monitoring for
comprehensive access management.
14
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

1.6 INFORMATION SECURITY POLICIES

 Security policies in information security investigations are critical for
guiding the response to security incidents, managing risks, and ensuring
that investigations are conducted in a systematic and compliant manner.
 These policies provide a framework for handling incidents, protecting
evidence, and maintaining operational continuity.

Importance of security policies

 If an organization has a risk regarding social engineering, then there
should be a policy reflecting the behavior desired to reduce the risk of
employees being socially engineered.
 One such policy would be that every employee must take yearly security
awareness training (which includes social engineering tactics).
 Since information security itself covers a wide range of topics, a company
information security policy (or policies) are commonly written for a broad
range of topics such as the following:
 Access control
 Data classification
 Encryption
 Remote access
 Acceptable use
 Patching
 Malicious code protections
 Physical security
 Backups
 Server security (e.g. hardening)
 Employee on/off boarding
 Change management
 Identification, Authentication and passwords

15
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

1. Incident Response Policy

Purpose: To establish a structured approach for responding to and managing
security incidents.
Key Elements:
 Incident Classification: Define categories and severity levels of incidents
(e.g., low, medium, high) to prioritize response efforts.
 Roles and Responsibilities: Outline the roles of the incident response
team, including incident managers, analysts, and communication
personnel.
 Response Procedures: Detailed steps for detecting, containing,
eradicating, and recovering from incidents.
 Communication Protocols: Guidelines for internal and external
communication, including reporting to regulatory bodies and affected
parties.
 Documentation and Reporting: Requirements for documenting incidents,
actions taken, and lessons learned.
2. Data Handling and Evidence Preservation Policy
Purpose: To ensure proper handling and preservation of digital evidence during
investigations.
Key Elements:
 Evidence Collection Procedures: Guidelines for collecting and preserving
evidence to maintain its integrity and admissibility.
 Chain of Custody: Procedures for documenting the handling of evidence
from collection to presentation in court, ensuring its integrity.
 Storage and Security: Requirements for secure storage of evidence,
including encryption and access controls.
 Handling Protocols: Guidelines for accessing and analyzing evidence to
avoid contamination or alteration.
3. Access Control Policy
Purpose: To manage and restrict access to information and systems during
investigations.
Key Elements:
 Access Authorization: Procedures for granting, modifying, and revoking
access rights for investigative activities.
 User Authentication: Requirements for strong authentication mechanisms
to access sensitive systems and data.
 Audit Trails: Monitoring and logging of access to systems and evidence to
ensure accountability and traceability.
 Least Privilege Principle: Ensure that users have only the access
necessary to perform their investigative duties.
4. Communication and Reporting Policy
Purpose: To manage internal and external communication regarding security
incidents.
Key Elements:
 Incident Reporting: Procedures for reporting incidents to management,
stakeholders, and regulatory bodies.
 Public Communication: Guidelines for handling media inquiries and
public statements to protect the organization’s reputation.
 Confidentiality: Ensure that communication about incidents is handled
confidentially and that sensitive information is not disclosed.
16
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

5. Legal and Regulatory Compliance Policy

Purpose: To ensure that all investigative activities comply with relevant laws and
regulations.
Key Elements:
 Legal Requirements: Adherence to data protection laws, regulations, and
industry standards (e.g., GDPR, CCPA).
 Warrants and Permissions: Procedures for obtaining necessary legal
permissions or warrants for accessing data and systems.
 Compliance Audits: Regular audits to ensure ongoing compliance with
legal and regulatory requirements.

6. Forensic Analysis Policy

Purpose: To guide the forensic analysis of digital evidence and ensure accurate
and reliable results.
Key Elements:
 Forensic Tools and Techniques: Approved tools and methods for
conducting forensic analysis.
 Analysis Procedures: Detailed steps for analyzing digital evidence while
maintaining its integrity.
 Validation: Procedures for validating forensic findings and ensuring that
they are accurate and reliable.

7. Incident Documentation and Reporting Policy

Purpose: To standardize the documentation and reporting of security incidents
and investigative findings.
Key Elements:
 Report Format: Standardized format for incident reports, including
sections for description, impact, actions taken, and recommendations.
 Report Review: Procedures for reviewing and approving incident reports
before distribution.
 Record Keeping: Requirements for maintaining records of incidents,
actions taken, and outcomes for future reference and compliance.

8. Post-Incident Review and Improvement Policy

Purpose: To facilitate continuous improvement by reviewing and analyzing the
effectiveness of the incident response and investigation process.

Key Elements:
 Post-Incident Review: Procedures for conducting reviews after an incident
to assess the effectiveness of the response and identify areas for
improvement.
 Lessons Learned: Mechanisms for capturing lessons learned and
incorporating them into updated policies and procedures.
 Continuous Improvement: Ongoing process for updating and enhancing
security practices based on review findings.

17
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

9. Incident Management Policy

Purpose: To define the overall framework for managing and coordinating security
incidents.
Key Elements:
 Incident Management Lifecycle: Phases of incident management,
including detection, assessment, response, and recovery.
 Coordination: Guidelines for coordinating between different teams (IT,
legal, and communications) involved in incident management.
 Resources and Tools: Tools and resources available for managing
incidents effectively.
10. Training and Awareness Policy
Purpose: To ensure that personnel involved in security investigations are
properly trained and aware of their roles and responsibilities.
Key Elements:
 Training Programs: Regular training on incident response, evidence
handling, and security best practices.
 Certification Requirements: Certification requirements for roles involved
in investigations (e.g., Certified Information Systems Security Professional
(CISSP), Certified Forensic Computer Examiner (CFCE)).
 Awareness Campaigns: Ongoing campaigns to raise awareness of security
policies and procedures among all employees.

18
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

1.7 CONFIDENTIALITY POLICIES

 Confidentiality policies in information security are essential for protecting
sensitive information from unauthorized access, disclosure, or exposure.
 These policies ensure that confidential information is only accessible to
authorized individuals and is handled in a manner that maintains its
privacy and integrity.

1. Purpose of Confidentiality Policies

 Protect Sensitive Information: Safeguard sensitive data such as personal
information, financial records, intellectual property, and trade secrets.
 Maintain Trust: Ensure that customer, employee, and business
information is handled responsibly to build and maintain trust.
 Regulatory Compliance: Adhere to legal and regulatory requirements
related to data privacy and protection.
2. Key Components of Confidentiality Policies
1. Definition of Confidential Information:
o Identification: Clearly define what constitutes confidential
information within the organization. This may include personal data,
proprietary information, financial data, and more.
o Categories: Classify information based on sensitivity levels (e.g.,
public, internal, confidential, top secret) and specify handling
requirements for each category.
2. Access Controls:
o Authorization: Implement strict access controls to ensure that only
authorized individuals can access confidential information. Use role-
based access control (RBAC) to enforce permissions.
o Authentication: Utilize strong authentication mechanisms (e.g.,
multi-factor authentication) to verify the identity of individuals
accessing sensitive information.
3. Data Handling and Protection:
o Encryption: Encrypt sensitive data both at rest and in transit to
protect it from unauthorized access.
o Data Masking: Use data masking techniques to obscure sensitive
information in non-production environments or during data
processing.
o Secure Storage: Ensure that confidential information is stored
securely, with appropriate physical and digital safeguards.
4. Information Sharing:
o Internal Sharing: Define protocols for sharing confidential
information within the organization, ensuring that it is shared only
on a need-to-know basis.
o External Sharing: Establish guidelines for sharing information with
external parties, including the use of non-disclosure agreements
(NDAs) and secure communication methods.
5. Incident Management:
o Breach Response: Outline procedures for responding to breaches of
confidentiality, including notification requirements and steps for
mitigating the impact.
o Reporting: Encourage employees to report suspected breaches or
incidents involving confidential information.

19
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

6. Training and Awareness:

o Employee Training: Provide regular training to employees on
confidentiality policies, data handling practices, and the importance
of protecting sensitive information.
o Awareness Programs: Implement awareness programs to keep
confidentiality at the forefront of employees’ minds.
7. Monitoring and Auditing:
o Access Logs: Maintain logs of access to confidential information and
regularly review them to detect unauthorized access or anomalies.
o Audits: Conduct periodic audits to ensure compliance with
confidentiality policies and identify areas for improvement.
8. Policy Enforcement and Disciplinary Actions:
o Compliance: Clearly state the consequences for violating
confidentiality policies, including potential disciplinary actions.
o Enforcement: Ensure that policies are consistently enforced and
that violations are addressed promptly.

3. Confidentiality Policies in Different Contexts

1. Data Privacy Laws and Regulations:
o General Data Protection Regulation (GDPR): Requires
organizations to protect personal data and ensure it is processed
lawfully and transparently.
o Health Insurance Portability and Accountability Act (HIPAA):
Mandates the protection of health information and the confidentiality
of patient data in the U.S.
o California Consumer Privacy Act (CCPA): Provides California
residents with rights over their personal data and imposes
obligations on businesses to protect it.
2. Corporate Confidentiality Policies:
o Employee Agreements: Include confidentiality clauses in
employment contracts to legally bind employees to protect company
information.
o Vendor Agreements: Ensure that third-party vendors and
contractors adhere to confidentiality requirements through
contractual agreements.
3. Digital Communication and Collaboration Tools:
o Secure Communication: Use encrypted communication channels
(e.g., email encryption, secure messaging platforms) to protect
confidential information shared electronically.
o Access Controls: Implement access controls on collaboration tools to
restrict access to confidential information to authorized users only.

4. Best Practices for Implementing Confidentiality Policies

1. Regular Updates:
o Policy Review: Periodically review and update confidentiality policies
to address changes in regulations, technology, and business
practices.
o Adaptation: Adapt policies to reflect evolving threats and the latest
best practices in information security.

20
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

2. Integration with Other Policies:

o Alignment: Ensure that confidentiality policies are integrated with
other security policies, such as data protection, incident response,
and access control policies.
o Consistency: Maintain consistency across all policies to provide a
cohesive approach to information security.
3. Documentation and Communication:
o Policy Documentation: Clearly document confidentiality policies
and make them easily accessible to all employees.
o Effective Communication: Communicate policies effectively to
ensure that all employees understand their responsibilities regarding
confidential information.

1.8 INTEGRITY POLICIES

 Integrity policies in information security are essential for ensuring the

accuracy and reliability of data and systems.
 These policies are designed to prevent unauthorized modifications, ensure
data consistency, and maintain the trustworthiness of information
throughout its lifecycle.
 In the context of an information security investigation, integrity policies
play a crucial role in maintaining the correctness and authenticity of data
and evidence.

21
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

1. Purpose of Integrity Policies

 Protect Data Accuracy: Ensure that data remains accurate and unaltered
by unauthorized parties, maintaining its reliability for decision-making and
compliance.
 Preserve System Integrity: Safeguard the integrity of systems and
applications from unauthorized changes or tampering.
 Support Investigations: Provide a framework for preserving and verifying
the integrity of evidence during investigations to ensure its admissibility
and validity.
2. Key Components of Integrity Policies
1. Data Integrity:
o Validation Mechanisms: Implement mechanisms to validate data
integrity, such as checksums, hashes, and digital signatures. These
methods help detect any unauthorized changes or corruption.
o Access Controls: Restrict write access to data to authorized
individuals or systems only, reducing the risk of inadvertent or
malicious modifications.
o Version Control: Use version control systems to track changes to
data and maintain a history of modifications, facilitating audit trails
and rollback if necessary.
2. System Integrity:
o Configuration Management: Establish and enforce policies for
managing system configurations to prevent unauthorized or
unintended changes. Use configuration management tools to monitor
and control system settings.
o Patch Management: Regularly update and patch systems and
applications to address known vulnerabilities and maintain system
integrity.
o Integrity Checking: Employ tools and techniques to monitor system
files and configurations for unauthorized changes, such as File
Integrity Monitoring (FIM) Solutions.
3. Evidence Integrity:
o Chain of Custody: Maintain a chain of custody for digital evidence to
ensure its integrity from collection through to presentation in court.
Document each person who handles the evidence and the actions
taken.
o Preservation Techniques: Use appropriate techniques to preserve
the integrity of digital evidence, such as creating bit-for-bit copies
and using write blockers to prevent modifications during analysis.
o Secure Storage: Store evidence in secure environments with
restricted access to protect it from tampering or unauthorized access.
4. Data Integrity Policies:
o Data Handling Procedures: Define procedures for handling data,
including data entry, storage, transmission, and disposal, to prevent
accidental or deliberate alterations.
o Audit Trails: Maintain detailed logs and audit trails of data access
and modifications to provide visibility into changes and support
forensic analysis.

22
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

5. Integrity in Communication:
o Secure Transmission: Use encryption and secure communication
channels to protect data integrity during transmission over networks.
o Authentication: Employ strong authentication mechanisms to verify
the identity of users and systems involved in data exchange.
6. Incident Response and Management:
o Incident Detection: Implement monitoring and detection systems to
identify potential integrity breaches or anomalies in data or system
configurations.
o Response Procedures: Establish procedures for responding to
incidents affecting data or system integrity, including containment,
investigation, and remediation actions.
3. Implementing Integrity Policies
1. Policy Development:
o Define Objectives: Clearly define the objectives and scope of
integrity policies, including the types of data and systems covered.
o Create Guidelines: Develop detailed guidelines and procedures for
maintaining and verifying data and system integrity.
2. Training and Awareness:
o Educate Personnel: Provide training to employees and stakeholders
on integrity policies and best practices for preserving data and
system integrity.
o Raise Awareness: Ensure ongoing awareness of the importance of
data and system integrity and the role each individual plays in
maintaining it.
3. Monitoring and Auditing:
o Regular Reviews: Conduct regular reviews and audits of data and
system integrity practices to identify and address potential
weaknesses or non-compliance.
o Continuous Monitoring: Implement continuous monitoring tools to
track changes to data and systems and detect potential integrity
issues in real-time.
4. Policy Enforcement:
o Enforcement Mechanisms: Define and enforce consequences for
violations of integrity policies, ensuring accountability and adherence
to policies.
o Compliance Checks: Regularly check compliance with integrity
policies and address any deviations or breaches promptly.
4. Best Practices for Integrity Policies
1. Integrate with Other Security Policies:
o Alignment: Ensure that integrity policies are integrated with other
security policies, such as confidentiality and availability policies, to
provide a comprehensive security framework.
o Consistency: Maintain consistency across all security policies to
avoid conflicts and ensure a unified approach to information
security.
2. Leverage Technology:
o Automated Tools: Use automated tools and technologies to enforce
integrity policies, such as integrity monitoring software and
automated configuration management systems.
23
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Advanced Techniques: Incorporate advanced techniques like

o
blockchain or cryptographic methods for enhanced data integrity and
immutability.
3. Regular Updates and Reviews:
o Policy Updates: Regularly update integrity policies to reflect changes
in technology, regulations, and organizational needs.
o Continuous Improvement: Continuously improve integrity practices
based on lessons learned from incidents, audits, and emerging
threats.

1.9 HYBRID POLICIES

 Hybrid information security policies combine elements from various

security frameworks, standards, and best practices to create a more
comprehensive and adaptable approach to managing security risks.
 These policies aim to integrate different methodologies and controls to
address diverse security needs and compliance requirements effectively.

Key Aspects of Hybrid Information Security Investigation Policies

1. Integration of Investigation Frameworks
o Combining Approaches: Utilize elements from different investigative
frameworks such as the NIST Computer Security Incident Handling
Guide (SP 800-61), ISO/IEC 27035, and the SANS Incident Handling
Lifecycle. This approach allows for a more holistic investigation
process.
o Cross-Disciplinary Techniques: Integrate techniques from digital
forensics, threat hunting, and incident response to cover all aspects
of an investigation.
2. Data Collection and Analysis
o Forensic Tools: Use digital forensic tools and methods to collect,
preserve, and analyze evidence. This includes disk imaging, memory
analysis, and log analysis.

24
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

oBehavioral Analysis: Combine forensic analysis with behavioral

analytics to detect anomalies and understand the context of
suspicious activities.
3. Cross-Functional Collaboration
o Coordination Among Teams: Involve various departments (IT, legal,
compliance, and HR) to ensure a comprehensive approach to the
investigation. Each department provides different insights and
expertise that contribute to a thorough investigation.
o External Collaboration: Engage with external experts, law
enforcement, or cybersecurity firms when needed to gain additional
perspectives and resources.
4. Regulatory and Compliance Considerations
o Legal and Regulatory Requirements: Ensure that the investigation
complies with legal and regulatory requirements. This includes data
protection laws, privacy regulations, and industry-specific standards.
o Documentation and Reporting: Maintain detailed documentation of
the investigation process, findings, and actions taken. This
documentation is crucial for compliance and potential legal
proceedings.
5. Incident Response Integration
o Incident Response Plans: Integrate investigation policies with
incident response plans to ensure a coordinated approach. This
includes having predefined procedures for different types of
incidents.
o Post-Incident Analysis: Conduct post-incident reviews and root
cause analysis to understand what went wrong and how to improve
future responses.
6. Technology and Automation
o Automation Tools: Use automation tools for tasks such as log
analysis, threat detection, and data collection to speed up the
investigation process and reduce manual effort.
o AI and Machine Learning: Implement AI and machine learning
algorithms to identify patterns, anomalies, and potential threats that
may not be immediately visible through traditional methods.

Benefits of Hybrid Information Security Investigation Policies

 Comprehensive Coverage: By integrating various investigative methods

and frameworks, hybrid policies provide a more thorough approach to
identifying and addressing security incidents.
 Improved Efficiency: Combining automated tools with manual
investigation techniques can enhance the speed and accuracy of incident
detection and response.
 Enhanced Collaboration: Cross-functional and external collaboration
ensures that all aspects of an incident are addressed and that expertise
from various domains is utilized.
 Regulatory Compliance: Ensuring that investigations adhere to legal and
regulatory requirements helps avoid potential legal issues and enhances
the credibility of the investigation.

25
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Challenges of Hybrid Information Security Investigation Policies

 Complexity: Managing and integrating multiple investigative methods and

tools can be complex and may require significant resources and expertise.
 Coordination: Ensuring effective coordination among different teams and
external partners can be challenging, particularly in high-pressure
situations.
 Resource Allocation: Hybrid investigations may demand additional
resources, including specialized tools and skilled personnel, which can be a
burden for some organizations.

Practical Steps for Implementing Hybrid Investigation Policies

1. Assess Needs and Objectives: Determine the specific needs of your
organization, including the types of threats you face and regulatory
requirements, to design a suitable hybrid investigation policy.
2. Develop Integrated Policies: Create policies that blend various
investigative frameworks and techniques. Ensure these policies are
practical and address the specific challenges your organization faces.
3. Train and Equip Teams: Provide training for your incident response and
investigation teams on the hybrid policies and tools. Ensure they are
equipped with the necessary resources and knowledge.
4. Implement and Test: Put the policies into practice and conduct regular
tests and simulations to ensure they work effectively and can handle real-
world scenarios.
5. Review and Improve: Continuously review and refine the hybrid policies
based on lessons learned from incidents, changes in the threat landscape,
and advancements in technology.
26
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

ANNA UNIVERSITY PROMINENT QUESTIONS

PART-A QUESTIONS AND ANSWERS

1. What is the primary goal of a security investigation?

The primary goal of a security investigation is to identify, analyze, and
understand the nature and scope of a security incident or breach. This includes
determining how the incident occurred, what systems or data were affected, the
extent of the damage, and who or what was responsible. Ultimately, the
investigation aims to mitigate the impact of the incident, prevent future
occurrences, and improve the overall security posture of the organization.

2. What are common indicators of a security breach?

Unusual Network Activity: Unexpected spikes in network traffic, unauthorized
access attempts, or unfamiliar IP addresses accessing the network.
Strange System Behavior: Unexplained changes in system configurations, slow
performance, or frequent crashes.
Unauthorized Access: Access to systems or data by users who should not have
permissions or access outside normal hours.
Anomalies in Logs: Irregularities or unexpected entries in system and security
logs, such as failed login attempts or unusual user activity.
Suspicious Emails or Phishing Attempts: Unsolicited emails requesting
sensitive information or containing malicious attachments.

3. What role does log analysis play in a security investigation?

Log analysis plays a crucial role in a security investigation by providing detailed
records of system and network activity that can help investigators identify,
understand, and respond to security incidents. Here’s how log analysis
contributes:
1. Detecting Anomalies: Logs can reveal unusual patterns or anomalies in
system and network activity that may indicate a security breach or
malicious behavior.
2. Identifying the Attack Vector: By examining logs, investigators can trace
the origin and path of an attack, including how it entered the network and
which systems were affected.
3. Tracking User Activity: Logs record user activities, helping to identify
unauthorized access or suspicious behavior by tracking logins, file
accesses, and changes.
4. Establishing a Timeline: Logs provide a chronological sequence of events,
which is crucial for reconstructing the timeline of an incident and
understanding how it unfolded.
5. Verifying System Integrity: Analyzing logs can help determine whether
systems or data have been altered or tampered with during an attack.

4. How can you distinguish between a false positive and a genuine threat?
a systematic approach to analyze and validate the alerts or signals generated by
security tools. Here’s how you can differentiate between the two:
1. Contextual Analysis: Examine the context in which the alert occurred.
Consider factors such as recent changes to the system, legitimate user
behavior, and known activities that might trigger alerts.

27
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

2. Corroborate with Other Sources: Cross-reference the alert with other data
sources, such as network logs, system logs, and threat intelligence feeds, to
verify if there are other indicators of a genuine threat.
3. Check for Known Issues: Determine if the alert corresponds with known
issues or benign activities (e.g., routine system updates or maintenance)
that might trigger false positives.
4. Analyze Patterns and Behavior: Look at the patterns of activity leading up
to the alert. Genuine threats often exhibit consistent and suspicious
behavior, while false positives might show irregular or isolated incidents.
5. Verify with the Source: Confirm the source of the alert. If it’s a security
tool or software, ensure it’s up-to-date and properly configured, as
outdated or misconfigured tools can produce false positives.

5. What is digital forensics, and why is it important in security

investigations?
Digital forensics is a branch of forensic science focused on the identification,
preservation, analysis, and presentation of digital evidence in a manner that is
legally admissible. It involves investigating electronic devices such as computers,
smartphones, servers, and storage media to uncover and interpret data relevant
to legal proceedings or security investigations.

6. What are the key steps in conducting a security incident investigation?

 Identification
 Containment
 Eradication
 Recovery
 Analysis
 Communication
 Documentation
 Post-Incident Review
 Improve Defenses
7. How can encryption aid in the security investigation process?
Encryption plays a significant role in the security investigation process by
ensuring data confidentiality and integrity.
1. Protecting Evidence
2. Maintaining Chain of Custody
3. Securing Communications
4. Safeguarding Forensic Data

8. Write the significance of access control matrix. MAY 2014

An access control matrix is a foundational concept in information security that
defines and manages the permissions and access rights of users or entities to
various resources within a system
 Granular Access Control
 Clear Overview
 Enforcement of Security Policies
 Risk Management
 Audit and Compliance

28
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

9. How is technological obsolescence a threat to information security? How

can an Organization protect against it? MAY 2014
Threats from Technological Obsolescence:
1. Security Vulnerabilities:
2. Increased Risk of Exploits:
3. Compliance Issues:
4. Integration Problems:
5. Lack of Support:
6. Increased Costs:

Protecting Against Technological Obsolescence:

1. Regularly Update and Patch Systems:
2. Plan for Technology Refresh:
3. Implement Security Best Practices:
4. Maintain Compatibility:
5. Vendor Management:

10. List out important policies in information security investigation.

Important policies in information security:
1. Incident Response Policy
2. Data Handling and Evidence Preservation Policy
3. Access Control Policy
4. Communication and Reporting Policy
5. Legal and Regulatory Compliance Policy
6. Forensic Analysis Policy
7. Training and Awareness Policy
8. Incident Documentation and Reporting Policy
9. Post-Incident Review and Improvement Policy
10. Incident Management Policy

ANNA UNIVERSITY PROMINENT QUESTIONS

PART-B & C
1. Summarize the various laws related to information security. How do people
from varying ethnic backgrounds differ in their views of computer ethics?
MAY 2024
2. Discuss the following in details: Confidential policies, Integrity policies
Hybrid policies. MAY 2024
3. Explain about Legal, Ethical and Professional Issues
4. Explain the Business Needs, Threats, Attacks MAY 2024

ASSIGNMENT-1 QUESTIONS
(UNIT II SECURITY INVESTIGATION)
1. Explain about Threats and Attacks
2. Explain various laws for information security
3. Explain various information securities polices

Assignment Submission Date: 15.09.2024

<<<@!@>>>
29
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-2
 LECTURE NOTES

III YEAR / 5th SEM

CW3551 DATA AND INFORMATION SECURITY

(R-2021)
UNIT- 3

ABDUL KAREEM.D (Asst.Prof-AI & DS)

----------------------------------------------------------------------------------------------

GRT INSTITUTE OF ENGINEERING AND TECHNOLOGY

(An Autonomous Institution)
GRT MAHALAKSHMI NAGAR
TIRUTTANI – 631 209.
CW3551 DATA AND INFORMATION SECURITY LTPC
3003
COURSE OBJECTIVES:
• To understand the basics of Information Security
• To know the legal, ethical and professional issues in Information Security
• To equip the students’ knowledge on digital signature, email security and web security

UNIT I INTRODUCTION 9
History, What is Information Security?, Critical Characteristics of Information, NSTISSC Security Model,
Components of an Information System, Securing the Components, Balancing Security and Access, The
SDLC, The Security SDLC

UNIT II SECURITY INVESTIGATION 9

Need for Security, Business Needs, Threats, Attacks, Legal, Ethical and Professional Issues - An Overview
of Computer Security - Access Control Matrix, Policy-Security policies, Confidentiality policies, Integrity
policies and Hybrid policies

UNIT III DIGITAL SIGNATURE AND AUTHENTICATION 9

Digital Signature and Authentication Schemes: Digital signature-Digital Signature Schemes and their
Variants- Digital Signature Standards-Authentication: Overview- Requirements Protocols - Applications -
Kerberos -X.509 Directory Services

UNIT IV E-MAIL AND IP SECURITY 9

E-mail and IP Security: Electronic mail security: Email Architecture -PGP – Operational Descriptions- Key
management- Trust Model- S/MIME.IP Security: Overview- Architecture - ESP, AH Protocols IPSec
Modes – Security association - Key management.

UNIT V WEB SECURITY 9

Web Security: Requirements- Secure Sockets Layer- Objectives-Layers -SSL secure communication-
Protocols - Transport Level Security. Secure Electronic Transaction- Entities DS Verification-SET
processing.
TOTAL: 45 PERIODS
COURSE OUTCOMES:
Upon successful completion of this course, students will be able to:
CO1: Understand the basics of data and information security
CO2: Understand the legal, ethical and professional issues in information security
CO3: Understand the various authentication schemes to simulate different applications.
CO4: Understand various security practices and system security standards
CO5: Understand the Web security protocols for E-Commerce applications

TEXT BOOKS:
1. Michael E Whitman and Herbert J Mattord, “Principles of Information Security, Course Technology,
6th Edition, 2017.
2. Stallings William. Cryptography and Network Security: Principles and Practice, Seventh Edition,
Pearson Education, 2017.
REFERENCES
1. Harold F. Tipton, Micki Krause Nozaki,, “Information Security Management Handbook, Volume 6, 6th Edition,
2016.
2. Stuart McClure, Joel Scrambray, George Kurtz, “Hacking Exposed”, McGraw- Hill, Seventh Edition, 2012.
3. Matt Bishop, “Computer Security Art and Science, Addison Wesley Reprint Edition, 2015.
Behrouz A Forouzan, Debdeep Mukhopadhyay, Cryptography And network security, 3rd Edition, . McGraw-Hill
Education, 2015.
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

UNIT III DIGITAL SIGNATURE AND AUTHENTICATION 9

Digital Signature and Authentication Schemes: Digital signature-DIGITAL
SIGNATURE SCHEMES and their Variants- Digital Signature Standards-
Authentication: Overview- Requirements Protocols - Applications -
KERBEROS -X.509 DIRECTORY SERVICES

3.1 DIGITAL SIGNATURE AND AUTHENTICATION SCHEMES

 In our modern digital age, cryptography has become an

essential cybersecurity tool for protecting sensitive information from
hackers and other cybercriminals.
 Derived from the Greek word “kryptos,” meaning hidden, graphy meaning
writing, cryptography literally translates to “hidden writing.”
 It can be used to obscure any form of digital communication, including
text, images, video or audio.
 In practice, cryptography is mainly used to transform messages into an
unreadable format (known as ciphertext) that can only be decrypted into
a readable format (known as plain text) by the authorized intended
recipient by using a specific secret key.
 A digital signature is a cryptographic mechanism used to verify the
authenticity and integrity of digital messages or documents.
 It serves a similar purpose to a handwritten signature or a stamped seal
but is more secure in the digital world.
 A cryptographic mechanism is a technique or method used to secure
information and communications through encryption and decryption.
 These mechanisms rely on complex mathematical algorithms to protect
data from unauthorized access and ensure its integrity and authenticity.

PRINCIPLES OF CRYPTOGRAPHY
1. Confidentiality: Encrypted information can only be accessed by the person
for whom it is intended and no one else.
2. Integrity: Encrypted information cannot be modified in storage or in
transit between the sender and the intended receiver without any
alterations being detected.
3. Non-repudiation: The creator or sender of encrypted information cannot
deny their intention to send the information.
4. Authentication: The identities of the sender and receiver, as well as the
origin and destination of the information are confirmed.

TYPES OF CRYPTOGRAPHY

1. Symmetric cryptography
Symmetric key cryptography uses a shared single key for both encryption and
decryption.
Some of the main attributes of symmetric encryption include:
 Speed: The encryption process is comparatively fast.
 Efficiency: Single key encryption is well suited for large amounts of data
 Confidential: Symmetrical encryption effectively secures data

1
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

2. Asymmetric cryptography (pair of public and private keys)

Asymmetric cryptography (also referred to as public key cryptography) uses one
private key and one public key.
Some of the main attributes of symmetric encryption include:
 Security: Asymmetric encryption is considered more secure.
 Robust: Public key cryptography offers more benefits, providing
confidentiality, authenticity and non-repudiation.
 Resource intensive: Unlike single key encryption, asymmetrical
encryption is slow and requires greater resources

KEY CRYPTOGRAPHIC MECHANISMS

 A cryptographic mechanism is a method used to protect data of any type
or structure.
 It can be developed to suit specific contexts or applications, such as
cloud computing.
 These mechanisms are often used in Privacy-Preserving Data Mining and
distributed privacy-preserving scenarios, where the goal is to mine data
without revealing individual data.
 Cryptographic mechanisms can involve high computational costs
compared to other data protection techniques.

The following Cryptographic mechanisms are essential for securing

communications, protecting data, and verifying identities.
1. Symmetric Encryption
 Definition: Uses the same key for both encryption and decryption.
 Mechanisms:
o AES (Advanced Encryption Standard): Widely used, provides strong
encryption with key sizes of 128, 192, or 256 bits.
o DES (Data Encryption Standard): Older standard, now considered
insecure due to its short key length (56 bits).
o 3DES (Triple DES): Applies DES encryption three times for
increased security, but is also considered outdated.
 Applications: Used for encrypting data at rest, securing communications
between trusted parties.
2. Asymmetric Encryption
 Definition: Uses a pair of keys—one public and one private. The public
key encrypts data, while the private key decrypts it.
 Mechanisms:
o RSA (Rivest-Shamir-Adleman): One of the most widely used
asymmetric encryption algorithms, relying on the difficulty of
factoring large integers.
o ECC (Elliptic Curve Cryptography): Provides similar security to RSA
but with shorter key lengths, making it more efficient.
 Applications: Used for secure key exchange, digital signatures, and
encrypting data sent over insecure channels.
3. Hash Functions

A hash function in cryptography is like a mathematical function that takes

various inputs, like messages or data, and transforms them into fixed-length
strings of characters.

2
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Example:

Key Points of Hash Functions

 Hash functions are mathematical operations that "map" or change a given
collection of data into a fixed-length bit string that is referred to as the
"hash value." The output is usually represented as a hexadecimal number.
 Cryptocurrency, password security, and communication security all use
hash functions.
 Hash functions are one-way functions, meaning they cannot be reversed
to retrieve the original data.
 Mechanisms:
o SHA-256 (Secure Hash Algorithm 256-bit): Part of the SHA-2
family, widely used for cryptographic security.
o MD5 (Message Digest Algorithm 5): Older and now considered weak
due to vulnerabilities, not recommended for security-sensitive
applications.
 Applications: Used for data integrity verification, password hashing, digital
signatures.
3
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

4. DIGITAL SIGNATURES
 Definition: Provides authenticity and integrity to messages or documents
by using a private key to create a signature, which can be verified by
anyone with the corresponding public key.
 Mechanisms:
o RSA Signatures: Uses RSA algorithm for creating and verifying
signatures.
o ECDSA (Elliptic Curve Digital Signature Algorithm): Uses elliptic
curve cryptography for creating digital signatures, offering efficiency
and strong security.
 Applications: Used for signing documents, software, and communications
to verify the identity of the sender and ensure data integrity.

5. Key Exchange Protocols

 Definition: Securely exchanges cryptographic keys between parties to
enable encrypted communication.
 Mechanisms:
o Diffie-Hellman Key Exchange: Allows two parties to securely share
a secret key over an insecure channel.
o ECDH (Elliptic Curve Diffie-Hellman): An elliptic curve variant of
Diffie-Hellman, providing similar functionality with better efficiency.
 Applications: Used in various encryption protocols like SSL (Secure Socket
Layer) /TLS (Transport Layer Securities) to establish secure communication
channels.

6. Public Key Infrastructure (PKI)

 Definition: A framework for managing digital certificates and public key
encryption, including Certificate Authorities (CAs) and Registration
Authorities (Ras).
 Mechanisms:
o Certificate Authorities (CAs): Issue and manage digital certificates.
o Certificate Revocation Lists (CRLs) and OCSP (Online Certificate
Status Protocol): Used for checking the status of certificates to
ensure they haven’t been revoked.
 Applications: Used in web security (e.g., SSL/TLS certificates), email
encryption, and digital signatures.

7. Message Authentication Codes (MACs)

 Definition: Provides data integrity and authenticity by combining the
message with a secret key.
 Mechanisms:
o HMAC (Hash-based Message Authentication Code): Uses a
cryptographic hash function and a secret key to create a MAC.
o CMAC (Cipher-based Message Authentication Code): Uses a block
cipher (like AES) for creating a MAC.

4
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

COMMON USES FOR CRYPTOGRAPHY

Passwords
Cryptocurrency
Secure web browsing
Electronic signatures
Authentication
Secure communications
5
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

3.2 DIGITAL SIGNATURE

A digital signature is an electronic, encrypted, stamp of authentication on
digital information such as email messages, macros, or electronic
documents. A signature confirms that the information originated from the
signer and has not been altered.

6
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Working principles of digital signatures

1. Key Pairs: Digital signatures use a pair of cryptographic keys: a private

key and a public key. The private key is kept secret by the owner, while
the public key is shared with others.
2. Signing Process:
o Create Hash: When someone wants to sign a document, they first
create a hash of the document using a hash function. A hash is a
fixed-size string of bytes that is unique to the content of the
document.
o Encrypt Hash: The hash is then encrypted with the signer’s private
key.
3. Verification Process:
o Decrypt Hash: The recipient of the signed document uses the
sender’s public key to decrypt the digital signature. This reveals the
hash that was created by the sender.
o Generate Hash: The recipient also generates a hash of the received
document using the same hash function.
o Compare Hashes: If the generated hash matches the decrypted
hash, it verifies that the document hasn’t been altered and confirms
the authenticity of the sender.

Benefits of Digital Signatures:

 Authenticity: Ensures that the signature was created by the claimed
sender.
 Integrity: Confirms that the document has not been altered after signing.
 Non-repudiation (Non-repudiation means a user cannot deny (repudiate) having
performed a transaction): Prevents the signer from denying the signature
since only the signer has access to their private key.
Applications of Digital Signature
 Secure email
 Software distribution
 Financial transactions
 Digital communications and transactions.
7
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

3.3 DIGITAL SIGNATURE SCHEMES AND THEIR VARIANTS

Digital signature schemes are cryptographic methods used to ensure the
authenticity, integrity, and non-repudiation of digital messages or documents.

Working principles of Digital signature schemes:

How Digital Signatures Work

1. Key Generation: A pair of cryptographic keys is generated—one private
and one public. The private key is kept secret by the owner, while the
public key is shared with others.
2. Signing: To sign a message, the sender creates a unique hash (a fixed-
size string of characters) of the message using a hash function. This hash
is then encrypted with the sender's private key to create the digital
signature.
3. Verification: The recipient receives the message along with the digital
signature. They first hash the received message using the same hash
function. They then decrypt the digital signature using the sender’s public
key to obtain the original hash.

If the decrypted hash matches the hash of the received message, the
signature is valid, indicating the message has not been altered and was
indeed (really/truly) signed by the holder of the private key.

Digital signature schemes are essential for ensuring the authenticity and integrity
of digital communications and transactions.

1. RSA (Rivest-Shamir-Adleman) ***

 RSA is the most common public-key algorithm, named after its

inventors Rivest, Shamir, and Adelman (RSA).
 Overview: RSA is one of the earliest and most widely used public-key
cryptographic algorithms. It’s based on the mathematical problem of
factoring large integers.
 RSA encryption algorithm is a type of public-key encryption algorithm.

Public key encryption algorithm:

 Public Key encryption algorithm is also called the Asymmetric algorithm.

Asymmetric algorithms are those algorithms in which sender and receiver
use different keys for encryption and decryption. Each sender is
assigned a pair of keys:
 Public key is used for encryption
 Private key is used for decryption
 Decryption cannot be done using a public key. The two keys are linked,
but the private key cannot be derived from the public key.
 The public key is well known, but the private key is secret and it is
known only to the user who owns the key.
 It means that everybody can send a message to the user using user's public
key. But only the user can decrypt the message using his private key.

8
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

The RSA algorithm has four main steps:

1. Key generation: Two large prime numbers are selected, and their product and
totient are calculated. This process generates a private key and a public key.
2. Key distribution: The public key is shared across the network.
3. Encryption: The sender uses the receiver's public key to encrypt a message.
4. Decryption: The receiver uses their private key to decrypt the message

The Public key algorithm operates in the following manner:

o The data to be sent is encrypted sender A using the public key of the
intended receiver
o B decrypts the received ciphertext using its private key, which is known
only to B. B replies to A encrypting its message using A's public key.
o A decrypts the received ciphertext using its private key, which is known
only to him

9
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Note:
PRIME NUMBER – A prime number is a natural number greater than 1 that has
no positive divisors other than 1 and itself. In other words, a prime number can
only be divided evenly (without leaving a remainder) by 1 and the number itself.
Example:
Examples of prime numbers include 2, 3, 5,7,11,13,17,19,23,29,31,37,41,43,47..
Remember, 2 is the only even prime number; all other even numbers can be
divided by 2, making them composite.

GCD - Greatest Common Divisor

The GCD, or greatest common divisor, of two or more numbers is the largest
positive integer that divides each of the numbers without leaving a remainder.
Example:
Let's find the GCD of 24 and 36.
Step 1: List the factors of each number.
 Factors of 24: 1, 2, 3, 4, 6, 8, 12, 24
 Factors of 36: 1, 2, 3, 4, 6, 9, 12, 18, 36
Step 2: Identify the common factors.
 Common factors: 1, 2, 3, 4, 6, 12
Step 3: Find the largest common factor.
 The largest common factor is 12.
Conclusion:
The GCD of 24 and 36 is 12.

Euler’s Totient - φ
The Euler's Totient Function, denoted as ϕ(n), is a function in number theory
that counts the number of positive integers up to n that are co-prime to n. Two
numbers are considered co-prime if their Greatest Common Divisor (GCD) is 1

RSA Algorithm***
RSA algorithm uses the following procedure to generate public and private
keys:
Step:1 Select two large prime numbers, p and q.

Step:2 Multiply these numbers to find n = p X q, where n is called the modulus

for encryption and decryption.

Step:3 Choose a number e less than n,

such that n is relatively prime to (p - 1) X (q -1)
ie Euler’s Totient φ (n)=(p - 1) X (q -1)

It means that e and (p - 1) X (q - 1) have no common factor except 1.

Choose "e" such that 1<e < φ (n), e is prime to φ (n),gcd (e,d(n)) =1

Step:4 If n = p X q, then the public key is <e, n>. A plaintext message m is

encrypted using public key <e, n>. To find ciphertext from the plain text following
formula is used to get ciphertext C.
C = me mod n

10
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Here, m must be less than n. A larger message (>n) is treated as a concatenation

of messages, each of which is encrypted separately.
o To determine the private key, we use the following formula to calculate the
d such that:
d X e mod {(p - 1) x (q - 1)} = 1
d X e mod φ (n) = 1 Since φ (n)=(p - 1) X (q -1)
o The private key is <d, n>. A ciphertext message c is decrypted using
private key <d, n>. To calculate plain text m from the ciphertext c following
formula is used to get plain text m.
m = cd mod n
Example of RSA encryption algorithm:
Example 1:
This example shows how we can encrypt plaintext 9 using the RSA public-key
encryption algorithm. This example uses prime numbers 7 and 11 to generate the
public and private keys.

Explanation:
Step 1: Select two large prime numbers, p, and q.
p=7
q = 11
Step 2: Multiply these numbers to find n = p x q, where n is called the modulus
for encryption and decryption.
First, we calculate
n=pxq
n = 7 x 11
n = 77
Step 3: Choose a number e less that n, such that n is relatively prime to (p - 1) x
(q -1). It means that e and (p - 1) x (q - 1) have no common factor except 1.
Choose "e" such that 1<e < φ (n), e is prime to φ (n), gcd (e, d (n)) =1.
Second, we calculate
φ (n) = (p - 1) x (q-1)
φ (n) = (7 - 1) x (11 - 1)
φ (n) = 6 x 10
φ (n) = 60
Let us now choose relative prime e of 60 as 7
Thus the public key is <e, n> = (7, 77)

Step 4: A plaintext message m is encrypted using public key <e, n>. To find
ciphertext from the plain text following formula is used to get ciphertext C.
To find ciphertext from the plain text following formula is used to get ciphertext
C. C = me mod n
C = 97 mod 77
C = 37

Step 5: The private key is <d, n>. To determine the private key, we use the
following formula d such that:
d X e mod {(p - 1) x (q - 1)} = 1 or d X e mod φ (n) = 1
7d mod 60 = 1, which gives d = 43 [i.e 7*43 =301, 301 mod 60 =1]
The private key is <d, n> = (43, 77)
11
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Step 6: A ciphertext message c is decrypted using private key <d, n>. To

calculate plain text m from the ciphertext c following formula is used to get plain
text m.
m = cd mod n
m = 3743 mod 77
m=9
In this example, Plain text = 9 and the ciphertext = 37

Example 2:
In an RSA cryptosystem, a particular A uses two prime numbers, 13 and
17, to generate the public and private keys. If the public of A is 35. Then
the private key of A is ……………?.

Step 1: in the first step, select two large prime numbers, p and q.
p = 13
q = 17
Step 2: Multiply these numbers to find n = p x q, where n is called the modulus
for encryption and decryption.
First, we calculate
n=pxq
n = 13 x 17
n = 221
Step 3: Choose a number e less that n, such that n is relatively prime to (p - 1) x
(q -1). It means that e and (p - 1) x (q - 1) have no common factor except 1.
Choose "e" such that 1<e < φ (n), e is prime to φ (n), gcd (e, d (n)) =1.
Second, we calculate
φ (n) = (p - 1) x (q-1)
φ (n) = (13 - 1) x (17 - 1)
φ (n) = 12 x 16
φ (n) = 192
g.c.d (35, 192) = 1 [ i.e Public key A is 35 given]
Step 3: To determine the private key, we use the following formula to calculate
the d such that:
Calculate d, d X e mod φ (n) = 1
d = d x 35 mod 192 = 1
d = (1 + k.φ (n))/e [let k =0, 1, 2, 3………………]
Put k = 0
d = (1 + 0 x 192)/35
d = 1/35
Put k = 1
d = (1 + 1 x 192)/35
d = 193/35
Put k = 2
d = (1 + 2 x 192)/35
d = 385/35
d = 11
The private key is <d, n> = (11, 221) , Hence, private key i.e. d = 11

12
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Example 3:
A RSA cryptosystem uses two prime numbers 3 and 13 to generate the
public key= 3 and the private key = 7. What is the value of cipher text for a
plain text?

Explanation:
Step 1: In the first step, select two large prime numbers, p and q.
p=3
q = 13
Step 2: Multiply these numbers to find n = p x q, where n is called the modulus
for encryption and decryption.
First, we calculate
n=pxq
n = 3 x 13
n = 39
Step 3: If n = p x q, then the public key is <e, n>. A plaintext message m is
encrypted using public key <e, n>. Thus the public key is <e, n> = (3, 39).
To find ciphertext from the plain text following formula is used to get ciphertext
C.
C = me mod n
C = 53 mod 39
C = 125 mod 39
C=8

Hence, the ciphertext generated from plain text, C = 8.

Example: 4
Choose p = 3 and q = 11.
Compute n = p * q = 3 * 11 = 33.
Compute φ(n) = (p - 1) * (q - 1) = 2 * 10 = 20.
Choose e such that 1 < e < φ(n) and e and φ (n) are co-prime (GCD)
Compute a value for d such that (d * e) % φ(n) = 1
Public key is (e, n) => (7, 33)
Private key is (d, n) => (3, 33)

Example: 5
Choose p = 3 and q = 11
Compute n = p * q = 3 * 11 = 33
Compute φ(n) = (p - 1) * (q - 1) = 2 * 10 = 20
Choose e such that 1 < e < φ(n) and
e and φ (n) are co-prime (GCD) Let e = 7
Compute a value for d such that (d * e) % φ(n) = 1.
One solution is d = 3 [(3 * 7) % 20 = 1]
Public key is (e, n) => (7, 33)
Private key is (d, n) => (3, 33)
The encryption of m = 2 is c = 27 % 33 = 29 i.e C = me mod n
The decryption of c = 29 is m = 293 % 33 = 2 i.e m = cd mod n

13
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

2. DSA (Digital Signature Algorithm) ***

Overview: DSA is a Federal Information Processing Standard for digital
signatures, designed to provide secure and efficient digital signing.
 Signing Process: The hash of the message is used along with a random
value (nonce) to generate the signature.
 Verification Process: The recipient uses the sender’s public key and the
signature to verify the integrity and authenticity of the message.
Variants:
 ELGAMAL SIGNATURE SCHEME: Related to DSA and often used in
conjunction with DSA in some cryptographic systems.

3. ECDSA (Elliptic Curve Digital Signature Algorithm)

Overview: ECDSA uses elliptic curve cryptography to provide the same level of
security as RSA but with shorter key lengths, which results in faster
computations and reduced resource usage.
 Signing Process: The hash of the message is signed using the sender’s
private key and elliptic curve operations.
 Verification Process: The recipient uses the sender’s public key to verify
the signature against the hash of the received message.
Variants:
 ECDSA with Different Curves: ECDSA can be used with various elliptic
curves such as P-256, P-384, and P-521, each providing different levels of
security and performance characteristics.

4. Schnorr Signatures
Overview: Schnorr signatures are efficient and has provable security properties.
They are used in various cryptographic protocols and are known for their
simplicity and security.
 Signing Process: Uses a combination of a secret key, a nonce, and the
hash of the message to produce the signature.
 Verification Process: The recipient verifies the signature using the public
key and hash values.
Variants:
 Schnorr Signatures with Aggregation: Schnorr signatures is useful in
reducing the size of cryptographic proofs.
Note:
Digital signature schemes are crucial for securing digital
communications, and each scheme has its unique properties and use
cases.
RSA, DSA, and ECDSA are widely used in security and performance.
As technology evolves, especially with the potential rise of quantum
computing to ensure long-term security.

Applications of Digital Signature

 Secure Email: Ensuring that the content of an email has not been altered
and confirming the sender’s identity.
 Software Distribution: Verifying that software has not been tampered with
and is from a legitimate source.
 Digital Contracts: Providing non-repudiation for agreements and contracts
made electronically.
14
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

ELGAMAL DIGITAL SIGNATURE SCHEME*** MAY 2024

ElGamal ("ElGamal": Pronounced as L "Gah-mall") is named after its inventor,

Taher ElGamal in 1985., and refers to cryptographic algorithms developed by
him. The primary ElGamal cryptographic algorithms include:
 ElGamal Encryption: A public-key encryption scheme based on the
difficulty of the discrete logarithm problem.
 ElGamal Digital Signature Scheme: A method for generating and verifying
digital signatures also based on the discrete logarithm problem.

Working principles of Elgamal Encryption Algorithm:

These cryptographic mechanisms are used for secure communication and digital
signatures, leveraging the security of the discrete logarithm problem.

In cryptography, the ElGamal encryption system is an asymmetric key

encryption algorithm for public-key cryptography which is based on the Diffie–
Hellman key exchange.

The ElGamal digital signature scheme is a cryptographic protocol used to

provide authenticity and integrity for messages. It’s based on the ElGamal
encryption algorithm and the difficulty of the discrete logarithm problem.
15
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Elgamal Digital Signature Algorithm

Elgamal Cryptography is a type Asymmetric cryptographic protocol; it uses a

pair of keys-public key and Private key with the following three steps

1. KEY GENERATION
2. ENCRYPTION
3. DECRYPTION
1. KEY GENERATION

STEP1: Select large Prime number p

STEP2: Select Decryption key or Private key d
STEP3: Select Second part of Encryption key or public key E1
STEP4: Find Third part of Encryption key or public key E2
Formula E2=E1d mod p
STEP5: Public key=(E1,E2,p)

2. ENCRYPTION
STEP1: Select Random integer (R)
STEP2: Cipher text C1=E1R mod p
STEP3: Cipher text C2=(PT * E2R) mod p
STEP4: Cipher text CT=(C1,C2)

3. DECRYPTION
PT=[C2 * (C1d)-1] mod p

Note: (125)-1 mod 11 or

(125 * x) mod 11=1
Let us take x=3 , now 375 mod 11=1
Example1:

The following example to demonstrate Elgamal

1. KEY GENERATION (Pair of Public and Private key)

STEP1: Select large Prime number p=11

STEP2: Select Decryption key or Private key d=3
STEP3: Select Second part of Encryption key or public key E1=2
STEP4: Find Third part of Encryption key or public key E2
E2=E1d mod p
E2=23 mod 11 = 8
E2=8
16
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

STEP5: Public key=(E1,E2,p)

Public key=(2,8,11)

Now Private key is 3 and public key (2,8,11) was generated.

2. ENCRYPTION
STEP1: Select Random integer R=4
STEP2: Cipher text C1=E1R mod p
C1=24 mod 11
C1=5
STEP3: Cipher text C2=(PT * E2R) mod p [Let us assume Plain Text PT=7]
C2=(7 * 84) mod p
=28672 mod p =6
C2=6
STEP4: Cipher text CT=(C1,C2)
CT=(5,6)
Now plain text Plain Text PT 7  [Encryption]  Cipher Text (5,6)

3. DECRYPTION

Now let us find original Plain Text PT

PT= [C2 * (C1d)-1] mod p

= [6 * (53)-1] mod 11
= [6 * (125)-1 mod 11 Here 125-1 mod 11 Simplify as = (125 *x) mod =1
= (6 * 3) mod p=1
= 18 mod 11
PT=7

Here Original Plain Text PT=7, Senders Plain Text PT=7 is Encrypted as Cipher
Text CT (5,6) and Receiver Decrypted cipher text to as original Plain Text 7

Applications of ElGamal Encryption Algorithm

1. Encryption: ElGamal is used for encrypting messages where public
key cryptography is required.
2. Digital Signatures: A variant of ElGamal is used for creating digital
signatures, ensuring message authenticity and integrity.

Advantages
 Security: ElGamal is based on the discrete logarithm problem, which is
considered to be a hard problem to solve. This makes it secure against
attacks from hackers.
 Key distribution: The encryption and decryption keys are different,
making it easier to distribute keys securely. This allows for secure
communication between multiple parties.
 Digital signatures: ElGamal can also be used for digital signatures,
which allows for secure authentication of messages.

17
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

3.4 DIGITAL SIGNATURE STANDARDS

 Digital Signature Standards (DSS) are a set of standards developed to

ensure the security and authenticity of digital communications.
 They are primarily used to verify the integrity and authenticity of
electronic documents or messages.
 The core standard for digital signatures in the United States is the Digital
Signature Algorithm (DSA)
 Digital Signature Standard (DSS) specified by the National Institute of
Standards and Technology (NIST).

Here are some key aspects of DSS:

1. Digital Signature Algorithm (DSA): This is the algorithm specified by the
DSS for generating and verifying digital signatures. It uses a combination of
hash functions and modular arithmetic to create a digital signature.
2. Hash Functions: These are cryptographic functions that produce a fixed-
size hash value from variable-size data. The hash value is unique to the
data, so any change in the data results in a different hash value. In DSS,
hash functions ensure that even a small change in the document results in
a completely different digital signature.
3. Public and Private Keys: DSS involves a pair of keys: a private key used
for signing and a public key used for verification. The private key is kept
secret by the signer, while the public key is distributed openly. The
signature can be verified by anyone who has access to the public key.
4. Signature Generation: To create a digital signature, the signer generates a
hash of the document, then encrypts the hash with their private key. The
result is the digital signature, which is attached to the document.
5. Signature Verification: To verify the signature, the recipient decrypts the
signature with the public key and compares the result with the hash of the
document. If they match, the signature is valid and the document is
authentic.
6. Compliance and Standards: DSS complies with the Federal Information
Processing Standards (FIPS) 186 series, including FIPS 186-4, which
outlines the DSA and its use in digital signatures.
7. Security and Algorithms: DSS and DSA use specific algorithms and
parameters to ensure security. The security of digital signatures relies on
the strength of these algorithms and the keys used.
18
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Important of Digital Signature Standards (DSS)

1. Authentication
 Proof of Identity: Digital signatures provide a way to confirm the identity
of the sender of a digital message or document.
2. Integrity
 Data Integrity: Digital signatures ensure that the content of a message or
document has not been altered during transmission.
3. Non-Repudiation
 Preventing Denial: Once a document is signed with a digital signature, the
signer cannot deny having signed it.
4. Security
 Encryption and Hashing: Digital signatures use cryptographic techniques
to secure data and ensures that the signatures are difficult to forge
5. Compliance
 Regulatory Requirements: Many industries and governments require the
use of digital signatures for compliance with legal and regulatory
standards.
6. Efficiency
 Streamlined Processes: Digital signatures reduce the need for physical
paperwork, speeds up transactions, and reduce the potential for errors.
7. Trust
 Building Confidence: The use of established digital signature standards
helps build trust in digital transactions and communications.
8. Interoperability
 Standardization: DSS ensures that digital signatures can be used across
different systems and platforms.
9. Fraud Prevention
 Mitigating Risks: DSS helps prevent fraud and unauthorized changes,
which is particularly important in sectors like finance and legal services.
10. Legal Validity
 Legal Recognition: In many jurisdictions, digital signatures that comply
with DSS are legally recognized and have the same standing as traditional
handwritten signatures. This legal validity is important for enforceable
contracts and agreements.
19
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

 These standards play a crucial role in

o Secure communications,
o Digital transactions, and
o Data integrity.
 They are widely used in various applications, including
o Email security,
o Software distribution, and
o Financial transactions.
 Digital Signature Standards (DSS) are crucial for ensuring the
o Security, authenticity, and integrity of digital communications and
transactions.

3.5 DIGITAL SIGNATURE AUTHENTICATION

Digital signature authentication is a critical process in ensuring the integrity,
authenticity, and non-repudiation of digital communications and transactions.

Working principles of Digital Signature Authentication:

1. Document Signing:
o Hash Generation: When a document is signed, a cryptographic hash
function generates a unique hash value (digest) of the document’s
content.
o Signature Creation: The hash value is then encrypted with the
signer's private key using a digital signature algorithm (like RSA,
DSA, or ECDSA). This encrypted hash, along with the hashing
algorithm used, forms the digital signature.
o Signature Attachment: The digital signature is attached to the
document, creating a signed document.
2. Signature Verification:
o Hash Recalculation: The recipient or verifier recalculates the hash
value of the received document using the same hash function.
o Signature Decryption: The verifier decrypts the digital signature
using the signer's public key, which reveals the original hash value
that was encrypted.
o Comparison: The recalculated hash value is compared with the
decrypted hash value. If they match, it means the document has not
been altered and the signature is authentic.

20
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Key Concepts in Digital Signature Authentication

 Private Key: Used by the signer to create the digital signature. It must be
kept secure and confidential.
 Public Key: Distributed openly and used by recipients to verify the
signature. It helps ensure that the signature was created by the holder of
the private key.
 Hash Function: A cryptographic function that generates a fixed-size hash
value from variable-size data. It ensures that any modification to the data
results in a completely different hash value.

Importance of Digital Signature Authentication

1. Verification of Identity:
o Authenticity: Confirms that the digital signature was created by the
claimed signer, providing assurance of their identity.
2. Document Integrity:
o Data Protection: Ensures that the content of the document has not
been altered during transmission or storage. If the document is
changed after signing, the hash values will not match, signaling
tampering.
3. Non-Repudiation:
o Accountability: Provides evidence that the signer cannot deny
having signed the document.
4. Trust and Security:
o Confidence: Builds trust in electronic transactions and
communications by providing a reliable method of verifying the
authenticity and integrity of digital documents.
5. Compliance and Legal Validity:
o Regulatory Adherence: Meets legal and regulatory requirements for
electronic signatures in many jurisdictions, making them legally
binding and enforceable.
6. Efficiency:
o Streamlined Processes: Facilitates faster and more efficient signing
and verification processes compared to traditional paper-based
methods.

21
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Common Use Cases

 Contracts and Agreements: Digital signatures are commonly used to sign
contracts, agreements, and legal documents electronically.
 Financial Transactions: They are used in banking and financial services
to authenticate transactions and prevent fraud.
 Email Security: Digital signatures ensure the authenticity and integrity of
email messages.
 Software Distribution: Developers use digital signatures to verify the
authenticity of software and updates, protecting users from malicious code.

Digital signature authentication is a cornerstone of modern digital security,

ensuring that electronic interactions are secure, verifiable, and reliable.

3.6 REQUIREMENTS OF DIGITAL SIGNATURE PROTOCOLS

Digital signature protocols are designed to provide security features essential for
the authenticity, integrity, and non-repudiation of digital communications and
documents. To be effective, digital signature protocols must meet several critical
requirements:
1. Authentication
 Proof of Identity: The protocol must ensure that the signature can be
used to verify the identity of the signer.
2. Integrity
 Data Integrity: The protocol must ensure that the content of the signed
document or message has not been altered after it was signed.
3. Non-Repudiation
 Prevention of Denial: The protocol must ensure that once a signature is
created, the signer cannot deny having signed the document.
4. Confidentiality (Optional)
 Protection of Signature Information: While not always required, some
protocols may include measures to protect the confidentiality.
5. Security
 Cryptographic Strength: The protocol must use strong cryptographic
algorithms to ensure that signatures cannot be forged and that the
integrity of the signed data is preserved.
6. Key Management
 Secure Key Generation and Storage: The protocol must provide
mechanisms for securely generating, storing, and managing cryptographic
keys.
7. Verification Process
 Signature Validation: The protocol must define a clear process for
verifying signatures.
8. Interoperability
 Standardization: The protocol should be based on widely accepted
standards to ensure interoperability between different systems and
platforms.
9. Efficiency
 Performance Considerations: The protocol should be efficient in terms of
computational resources and time.

22
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

10. Usability
 User-Friendly: The protocol should be implemented in a way that is user-
friendly and integrates smoothly with existing systems and workflows.
11. Scalability
 Handling Large Volumes: The protocol should be capable of handling large
volumes of signatures and transactions efficiently, especially in
environments where many signatures are generated and verified, such as
in enterprise systems or large-scale digital document management systems.
12. Legal and Regulatory Compliance
 Adherence to Standards: The protocol should comply with relevant legal
and regulatory requirements for digital signatures, ensuring that
signatures are legally binding and meet industry standards.

3.7 APPLICATIONS

**1. Email Security

 Authenticated Emails: Digital signatures are used to verify the
authenticity of the sender and ensure that the email content has not been
altered during transmission.
 Anti-Phishing Measures: By verifying the sender's identity through a
digital signature, recipients can better guard against phishing attacks and
email spoofing.
**2. Document Signing
 Contracts and Agreements: Digital signatures facilitate the signing of
contracts, agreements, and legal documents electronically, streamlining the
process and providing a secure method for verifying authenticity and
integrity.
 Legal and Regulatory Compliance: Many legal frameworks and
regulations accept digital signatures as legally binding, making them
essential for compliance in various industries.
**3. Software Distribution
 Code Signing: Developers use digital signatures to sign software and
updates, providing users with assurance that the code has not been
tampered with and is from a trusted source.
 Protection Against Malware: Digital signatures help ensure that software
and applications are free from malware and unauthorized modifications.
**4. Financial Transactions
 Online Banking: Digital signatures secure online banking transactions by
verifying the identity of the user and ensuring the integrity of the
transaction data.
 Electronic Payments: They are used in electronic payment systems to
prevent fraud and ensure that transactions are legitimate and accurately
processed.
**5. Healthcare
 Electronic Health Records (EHR): Digital signatures are used to secure
and authenticate patient records, ensuring that sensitive health
information is protected and has not been altered.
 Prescription Management: They are used to verify the authenticity of
electronic prescriptions and ensure secure communication between
healthcare providers and pharmacies.

23
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

**6. Government Services

 E-Government: Digital signatures facilitate secure online interactions with
government services, such as tax filings, social services, and licensing
applications.
 Voting Systems: They can be used to ensure the integrity and authenticity
of electronic voting systems, helping to secure the voting process and
prevent tampering.
**7. Supply Chain Management
 Transaction Verification: Digital signatures ensure the authenticity of
transactions and documentation in supply chain management, such as
orders, shipments, and invoices.
 Tracking and Compliance: They help maintain the integrity and
compliance of product data throughout the supply chain.
**8. Intellectual Property Protection
 Patent and Copyright: Digital signatures are used to protect intellectual
property by verifying the authenticity of patents, copyrights, and other legal
documents related to intellectual property rights.
**9. Access Control and Authentication
 User Authentication: Digital signatures are used in multi-factor
authentication systems to verify user identities and control access to
secure systems and data.
 Secure Logins: They provide an additional layer of security for user logins
and access controls, ensuring that access attempts are legitimate.
**10. Digital Certificates
 Public Key Infrastructure (PKI): Digital signatures are integral to PKI,
where they validate digital certificates used to secure communications and
authenticate users and systems.
 SSL/TLS Encryption: Digital certificates signed with trusted authorities
are used to establish secure connections for websites and online services.
**11. Research and Academic Publishing
 Verification of Scholarly Work: Digital signatures are used to
authenticate academic papers, research findings, and scholarly articles,
ensuring that the content is original and has not been altered.
**12. Smart Contracts and Blockchain
 Blockchain Transactions: Digital signatures are essential in blockchain
technology to verify the authenticity of transactions and smart contracts.
 Automated Enforcement: In smart contracts, digital signatures enforce
contract terms automatically based on pre-defined rules and conditions.
**13. Insurance
 Claims Processing: Digital signatures are used to authenticate and
process insurance claims, reducing fraud and speeding up the claims
handling process.
 Policy Management: They help secure electronic insurance policies and
endorsements, ensuring that they are legitimate and have not been altered.
**14. Telecommunications
 Secure Communication: Digital signatures are used to secure
telecommunications data, such as text messages and VoIP
communications, ensuring the authenticity and integrity of the transmitted
information.

24
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

3.8 KERBEROS *** MAY 2024

Kerberos is a network authentication protocol designed to provide secure

authentication for users and services in a network. It helps ensure that entities
(users and services) in a network can prove their identities to each other in a
secure manner, typically without transmitting passwords over the network.

Kerberos is the computer network authentication protocol initially developed in

the 1980s by Massachusetts Institute of Technology (MIT) computer scientists.
The idea behind Kerberos is to authenticate users while preventing passwords
from being sent over the internet.

Overview of Kerberos
1. Purpose:
o Kerberos provides strong authentication for client-server
applications by using secret-key cryptography. It helps to verify
the identity of users and services and enables secure communication
over an insecure network.
2. Design Goals:
o Secure Authentication: Ensure that users and services can
authenticate each other without exposing passwords.
o Mutual Authentication: Verify that both the client and the server
are who they claim to be.
o Single Sign-On (SSO): Allow users to authenticate once and gain
access to multiple services without re-entering credentials.

Kerberos Working principles

Kerberos uses a combination of secret-key cryptography and a centralized

authentication server (the Key Distribution Center, or KDC) to authenticate
users and services. Here’s a simplified overview of the Kerberos authentication
process:
1. Key Distribution Center (KDC):
o Authentication Server (AS): Verifies user credentials and issues a
Ticket-Granting Ticket (TGT).
o Ticket-Granting Server (TGS): Issues service tickets based on the
TGT for access to specific services.
2. Authentication Process:

Kerberos uses symmetric key cryptography and a Key Distribution Center (KDC)
to authenticate and verify user identities.
A KDC involves three aspects:
1. A Ticket-Granting Server (TGS) that connects the user with the
Service Server (SS)
2. A Kerberos database that stores the password and identification of all
verified users
3. An Authentication Server (AS) that performs the initial
authentication

25
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Kerberos authentication is a multistep process that consists of the following

components:
 The client who initiates the need for a service request on the user's behalf
 The server, which hosts the service that the user needs access to
 The AS, which performs client authentication. If authentication is
successful, the client is issued a ticket-granting ticket (TGT) or user
authentication token, which is proof that the client has been
authenticated.
 The KDC and its three components: the AS, the TGS, and the Kerberos
database
 The TGS application that issues service tickets

1. Initial Authentication:
 Login Request: The user logs in by providing their credentials
(username and password) to the AS.
 TGT Request: The AS verifies the credentials and, if valid,
issues a TGT encrypted with a secret key known only to the AS
and the user.
 TGT Storage: The TGT is stored securely on the user’s
machine.
Benefits of Kerberos Authentication
 Access control
 Mutual authentication
 Limited ticket lifetime
 Reusable authentication
 Security

2. Service Access:
 Service Ticket Request: When the user wants to access a
service, they present the TGT to the TGS to request a service
ticket.
 Service Ticket Issuance: The TGS verifies the TGT, and if
valid, issues a service ticket that includes a session key for
communication with the service.

26
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

3. Service Access:
 Service Request: The user presents the service ticket to the
service they wish to access.
 Service Verification: The service verifies the ticket and grants
access if it is valid. The service and user then use the session
key for secure communication.

Key Components of Kerberos

1. Ticket-Granting Ticket (TGT):

o A credential issued by the AS that proves the user’s identity. It can
be used to obtain service tickets from the TGS.
2. Service Ticket:
o A credential issued by the TGS that allows access to a specific
service. It includes a session key for secure communication between
the user and the service.
3. Session Key:
o A temporary encryption key used for secure communication between
the client and the service. It is included in both the TGT and service
tickets.
4. Key Distribution Center (KDC):
o A centralized server that consists of both the Authentication Server
(AS) and the Ticket-Granting Server (TGS). It manages authentication
and ticket issuance.

Security Features

 Mutual Authentication: Both the client and the server authenticate each
other, reducing the risk of impersonation.
 Single Sign-On: Users can access multiple services with a single
authentication, enhancing convenience and security.
 Ticket-Based: Tickets eliminate the need to transmit passwords over the
network, reducing the risk of password theft.
 Time-Based Tickets: Tickets are time-stamped and have expiration times
to limit the impact of compromised credentials.

Use Cases
 Enterprise Networks: Kerberos is widely used in enterprise environments
for authenticating users and services within Active Directory environments.
 Single Sign-On (SSO): It provides SSO capabilities, allowing users to log in
once and access various network services without re-entering credentials.
 Secure Communication: Used in various network protocols and services
to secure authentication and communications.

Limitations
 Time Synchronization: Kerberos relies on accurate time synchronization
between clients and servers, as tickets are time-stamped.
 Complexity: Implementing and managing Kerberos can be complex,
particularly in large-scale environments.
 Single Point of Failure: The KDC is a critical component; if it becomes
unavailable, authentication services can be disrupted.
27
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Kerberos is a robust and widely adopted protocol that plays a critical role in
network security by providing secure and efficient authentication
mechanisms.

An Overview of the Kerberos Protocol Flow

28
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

The Kerberos protocol flow involves three secret keys:

1. Client/user hash
2. TGS secret key, and
3. SS secret key.

The basic protocol flow steps are as follows:

Step1: Initial Client Authentication Request - The protocol flow starts with the
client logging in to the domain. In this step, the user asks for the TGT or
authentication token from the AS. The TGT request is sent to the Kerberos KDC.

Step2: Verification of Client Credentials - The KDC must verify the user's
credentials to send an encrypted session key and TGT. The AS checks for the
TGS's and client's availability in the database. If both values are found, the AS
generates the secret key. It also creates a session key (SK1) that is encrypted by
the user's secret key and a TGT with the client network address, identification
(ID), timestamp, lifetime, and SK1. Then, the TGS secret key encrypts the ticket.

Step3: Message Decryption - The client uses the client/user hash or secret key
to extract the TGT and SK1 and decrypt the message, then generates the
authenticator that validates the TGS.

Step4: Request for Access Using the TGT - The client then requests a ticket
from the SS by sending the authenticator and the extracted TGT to the TGS.

Step5: Creation of Ticket for the File Server - The TGS secret key is used to
decrypt the TGT from the client and extract the SK1. TGS also decrypts the
authenticator and verifies that it matches the network address and the client ID,
and ensures that the TGT is not expired by using an extracted timestamp. If all
checks are done successfully, the KDC will generate a shared service session key
(SK2) for the target server and the client. The KDC then creates a service ticket
with the client network address, ID, timestamp, and SK2. This ticket will be
encrypted with the server's secret key, and the client will receive the service ticket
and SK2, which will be encrypted with the SK1.

Step6: Authentication Using the File Ticket - The client then uses the file
ticket to authenticate by decrypting the message with SK1 and extracting SK2.
Doing so will generate another authenticator, encrypted with SK2, that includes
the client ID, network address, and timestamp. The client then sends a service
ticket along with the new authenticator to the target server.

Step7: Decryption and Authentication of the Target Server - As the final step
in the Kerberos protocol, the target server then decrypts the service ticket and
extracts the SK2 using the server's secret key. SK2 decrypts the authenticator,
and checks are performed to ensure that the client network address and ID from
the service ticket and the authenticator match. After all checks are made and
met, the client will receive a message from the server stating that the server and
the client have authenticated each other.

29
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

3.9 X.509 DIRECTORY SERVICES

The X.509 directory is a standard framework for managing digital certificates and
Public Key Infrastructure (PKI).

What is X.509?
 X.509 is a standard from the International Telecommunication Union
(ITU) that defines the format of public-key certificates. These certificates
are used to verify the identities of entities (like individuals, organizations,
or devices) and to facilitate secure communication over networks.
Key Components

1. Certificates: X.509 certificates contain a public key and the identity of the
certificate holder, along with information about the certificate authority
(CA) that issued it. The certificates are used to establish trust between
communicating parties.
2. Certificate Authorities (CAs): CAs are trusted entities that issue and
manage digital certificates. They validate the identity of the certificate
requestor before issuing a certificate.
3. Certificate Revocation Lists (CRLs): CRLs are lists of certificates that
have been revoked before their expiration date. They are used to ensure
that certificates that are no longer valid are not used.
4. Online Certificate Status Protocol (OCSP): OCSP is an alternative to
CRLs for checking the status of a certificate. It allows for real-time checking
of a certificate’s validity.

X.509 Directory Services

 Directory Service: This is a centralized service that stores and manages
digital certificates and related information. X.509 directories are often used
to look up certificates and other information necessary for establishing
secure communications.
 LDAP (Lightweight Directory Access Protocol): Often used for
implementing X.509 directories, LDAP provides a way to query and modify
directory services over a network.

Working of X.509 Authentication Service Certificate:

30
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

 The core of the X.509 authentication service is the public key certificate
connected to each user. These user certificates are assumed to be
produced by some trusted certification authority and positioned in the
directory by the user or the certified authority.
 These directory servers are only used for providing an effortless reachable
location for all users so that they can acquire certificates.
 X.509 standard is built on an IDL known as ASN.1. With the help of
Abstract Syntax Notation, the X.509 certificate format uses an associated
public and private key pair for encrypting and decrypting a message.

Once an X.509 certificate is provided to a user by the certified authority, that

certificate is attached to it like an identity card. The chances of someone
stealing it or losing it are less, unlike other unsecured passwords.

31
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

 X.509 is a digital certificate that is built on top of a widely trusted

standard known as ITU or International Telecommunication Union
X.509 standard, in which the format of PKI certificates is defined.
 X.509 digital certificate is a certificate-based authentication security
framework that can be used for providing secure transaction processing
and private information.
 These are primarily used for handling the security and identity in
computer networking and internet-based communications.

Format of X.509 Authentication Service Certificate:

Generally, the certificate includes the elements given below:

 Version number: It defines the X.509 version that concerns the certificate.
 Serial number: It is the unique number that the certified authority issues.
 Signature Algorithm Identifier: This is the algorithm that is used for signing
the certificate.
 Issuer name: Tells about the X.500 name of the certified authority which
signed and created the certificate.
 Period of Validity: It defines the period for which the certificate is valid.
 Subject Name: Tells about the name of the user to whom this certificate has
been issued.
 Subject’s public key information: It defines the subject’s public key along
with an identifier of the algorithm for which this key is supposed to be used.
 Extension block: This field contains additional standard information.
 Signature: This field contains the hash code of all other fields which is
encrypted by the certified authority private key.

32
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Applications of X.509 Authentication Service Certificate:

Many protocols depend on X.509 and it has many applications, some of them
are given below:
 Document signing and Digital signature
 Web server security with the help of Transport Layer Security (TLS)/Secure
Sockets Layer (SSL) certificates
 Email certificates
 Code signing
 Secure Shell Protocol (SSH) keys
 Digital Identities

Use Cases
 Secure Communications: X.509 certificates are widely used in SSL/TLS
for secure web browsing, ensuring that communications between a client
and server are encrypted and authenticated.
 Digital Signatures: Certificates are used to digitally sign documents and
software, ensuring integrity and authenticity.
In summary, the X.509 directory and related standards are foundational to
modern digital security, providing a structured way to manage and verify digital
identities and secure communications.

33
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

ANNA UNIVERSITY PROMINENT QUESTIONS

PART-A QUESTIONS AND ANSWERS
1. What is digital signature in network security?
A digital signature is a cryptographic output used to verify the authenticity of
data. A digital signature algorithm allows for two distinct operations: a signing
operation, which uses a signing key to produce a signature over raw data.
2. What are the two types of digital signature?
The three different types of electronic signatures are simple electronic signatures
(SES), advanced electronic signatures (AES), and qualified electronic signatures
(QES).

3. What is a digital signature?

A digital signature refers to a more secure electronic signature that is generated
using a digital certificate and cryptographically bound to the document using
public key infrastructure (PKI).

4. Distinguish between direct and arbitrated digital signature. MAY 2024

Distinguish
between direct
Direct Signature Arbitrated Digital Signature
and arbitrated
digital signature
A digital signature made and A digital signature made and confirmed
confirmed by an endorser by an underwriter with the involvement
Definition
without the inclusion of a of a trusted third party.
trusted third party.
The underwriter makes the The signer sends the message and the
signature utilizing their private hash of the message to a trusted third
key, whereas the beneficiary party (TTP), who makes the signature
Signing Process
confirms the signature using the utilizing their private key. The beneficiary
public key of the signer. confirms the signature utilizing the TTP's
public key.
The signer is mindful of The TTP is dependable for overseeing its
overseeing their private key, and claim private key/keys and the public
Key
the beneficiary is dependable for keys of all underwriters.
Administration
overseeing the signer's public
key.
Coordinate digital signatures are Arbitrated digital signatures are more
more helpless to assaults since secure since the trusted third party
Security there's no trusted third party confirms the character of the endorser
included and guarantees the judgment of the
message.
Coordinate digital signatures are Arbitrated digital signatures are
ordinarily less costly since they ordinarily more costly since they require
Cost
don't require the inclusion of a the association of a trusted third party.
trusted third party.

5. Assume the client X wants to communicate Y using Kerberos procedure.

How can it be achieved?. Give the authentication standard. MAY 2024
Kerberos is a network authentication protocol designed to provide strong
authentication for client-server applications by using secret-key cryptography.
Here’s a simplified explanation of how Client X can communicate with Server Y
using Kerberos:
34
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Kerberos Authentication Procedure

1. Initialization
o Client X and Server Y are both registered with a Kerberos Key
Distribution Center (KDC). The KDC consists of two main
components:
 Authentication Server (AS): Handles the initial authentication
of clients.
 Ticket Granting Server (TGS): Issues service tickets after the
client is authenticated.
2. Login and Request for Ticket-Granting Ticket (TGT)
Step 1: Client X Logs In
o Client X enters its credentials (usually a username and password).
o Client X’s password is used to derive a secret key which is used in
encryption and decryption.
Step 2: Request TGT from AS
o Client X sends a request to the AS for a Ticket-Granting Ticket (TGT).
This request includes:
 Client X’s ID.
 A timestamp encrypted with Client X’s password-derived key
(to prove Client X knows the password).
 The AS responds with:
 A TGT, which includes a session key (a symmetric key)
for communication with the TGS.
 An encrypted part that includes the timestamp and
Client X’s ID, encrypted with Client X’s password-derived
key.
Step 3: Store the TGT
o Client X decrypts the response using the password-derived key and
stores the TGT and the session key for future use.
3. Request for Service Ticket
Step 4: Request Service Ticket from TGS
o When Client X wants to access a service on Server Y, it sends a
request to the TGS. This request includes:
 The TGT obtained earlier.
 An authenticator (a piece of data including Client X’s ID and a
timestamp), encrypted with the session key received from the
TGT.
Step 5: TGS Issues Service Ticket
o The TGS decrypts the TGT using its own key and retrieves the
session key.
o It then decrypts the authenticator with the session key.
o If the authenticator is valid, the TGS issues a service ticket, which
includes:
 A new session key for communication between Client X and
Server Y.
 The client ID and other relevant information.
o The TGS sends this service ticket back to Client X.

35
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

4. Access Service
Step 6: Client X Accesses Server Y
o Client X sends the service ticket to Server Y along with an
authenticator.
o Server Y decrypts the service ticket using its own key, retrieves the
session key, and verifies the authenticator.

Step 7: Server Y Responds

o If the authenticator is valid, Server Y sends a confirmation message
back to Client X, which is encrypted with the session key.
5. Secure Communication
o Client X and Server Y can now communicate securely using the
session key exchanged in the service ticket.
Authentication Standard
Kerberos is based on the principles of symmetric key cryptography and relies on
the following key concepts:
 Secret-Key Cryptography: All keys used are symmetric; that is, the same
key is used for both encryption and decryption.
 Tickets: Kerberos uses time-limited tickets to grant access to resources,
reducing the risk of replay attacks.
 Session Keys: Temporary keys are used for communication between the
client and server after authentication to minimize exposure.
Kerberos provides mutual authentication (ensuring both parties are who they
claim to be) and is widely used in enterprise environments to manage access to
network services securely.

ANNA UNIVERSITY PROMINENT QUESTIONS

PART-B & C
1. With a neat sketch, illustrate the ElGamal digital signature scheme in
detail. MAY 2024
2. What is Kerberos? Elucidate how it provides authenticated service.
MAY 2024
3. Describe X.509 directory services
4. Explain the working principles of digital signature techniques

ASSIGNMENT-2 QUESTIONS
(UNIT III DIGITAL SIGNATURE AND AUTHENTICATION)
1. Discus in detail about ElGamal digital signature scheme
2. Explain in detail about Kerberos authentication
3. Describe X.509 directory services

Assignment Submission Date: 15.10.2024

<<<@!@>>>

36
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-3
 LECTURE NOTES

III YEAR / 5th SEM

CW3551 DATA AND INFORMATION SECURITY

(R-2021)
UNIT- 4

ABDUL KAREEM.D (Asst.Prof-AI & DS)

----------------------------------------------------------------------------------------------

GRT INSTITUTE OF ENGINEERING AND TECHNOLOGY

(An Autonomous Institution)
GRT MAHALAKSHMI NAGAR
TIRUTTANI – 631 209.
CW3551 DATA AND INFORMATION SECURITY LTPC
3003
COURSE OBJECTIVES:
• To understand the basics of Information Security
• To know the legal, ethical and professional issues in Information Security
• To equip the students’ knowledge on digital signature, email security and web security

UNIT I INTRODUCTION 9
History, What is Information Security?, Critical Characteristics of Information, NSTISSC Security Model,
Components of an Information System, Securing the Components, Balancing Security and Access, The
SDLC, The Security SDLC

UNIT II SECURITY INVESTIGATION 9

Need for Security, Business Needs, Threats, Attacks, Legal, Ethical and Professional Issues - An Overview
of Computer Security - Access Control Matrix, Policy-Security policies, Confidentiality policies, Integrity
policies and Hybrid policies

UNIT III DIGITAL SIGNATURE AND AUTHENTICATION 9

Digital Signature and Authentication Schemes: Digital signature-Digital Signature Schemes and their
Variants- Digital Signature Standards-Authentication: Overview- Requirements Protocols - Applications -
Kerberos -X.509 Directory Services

UNIT IV E-MAIL AND IP SECURITY 9

E-mail and IP Security: Electronic mail security: Email Architecture -PGP – Operational Descriptions- Key
management- Trust Model- S/MIME.IP Security: Overview- Architecture - ESP, AH Protocols IPSec
Modes – Security association - Key management.

UNIT V WEB SECURITY 9

Web Security: Requirements- Secure Sockets Layer- Objectives-Layers -SSL secure communication-
Protocols - Transport Level Security. Secure Electronic Transaction- Entities DS Verification-SET
processing.
TOTAL: 45 PERIODS
COURSE OUTCOMES:
Upon successful completion of this course, students will be able to:
CO1: Understand the basics of data and information security
CO2: Understand the legal, ethical and professional issues in information security
CO3: Understand the various authentication schemes to simulate different applications.
CO4: Understand various security practices and system security standards
CO5: Understand the Web security protocols for E-Commerce applications

TEXT BOOKS:
1. Michael E Whitman and Herbert J Mattord, “Principles of Information Security, Course Technology,
6th Edition, 2017.
2. Stallings William. Cryptography and Network Security: Principles and Practice, Seventh Edition,
Pearson Education, 2017.
REFERENCES
1. Harold F. Tipton, Micki Krause Nozaki,, “Information Security Management Handbook, Volume 6, 6th Edition,
2016.
2. Stuart McClure, Joel Scrambray, George Kurtz, “Hacking Exposed”, McGraw- Hill, Seventh Edition, 2012.
3. Matt Bishop, “Computer Security Art and Science, Addison Wesley Reprint Edition, 2015.
Behrouz A Forouzan, Debdeep Mukhopadhyay, Cryptography And network security, 3rd Edition, . McGraw-Hill
Education, 2015.
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

UNIT IV E-MAIL AND IP SECURITY 9

E-mail and IP Security: Electronic mail security: EMAIL ARCHITECTURE -
PGP – OPERATIONAL DESCRIPTIONS- Key management- Trust Model-
S/MIME.IP Security: Overview- ARCHITECTURE - ESP, AH PROTOCOLS
IPSec MODES – Security association - Key management.

4.1 E-MAIL AND IP SECURITY: ELECTRONIC MAIL SECURITY:

Electronic mail, commonly known as email, is a method of exchanging

messages over the internet.
1. An email address: This is a unique identifier for each user, typically in the
format of name@domain.com.
2. An email client: This is a software program used to send, receive and
manage emails, such as Gmail, Outlook, or Apple Mail.
3. An email server: This is a computer system responsible for storing and
forwarding emails to their intended recipients.

To send an email:
1. Compose a new message in your email client.
2. Enter the recipient’s email address in the “To” field.
3. Add a subject line to summarize the content of the message.
4. Write the body of the message.
5. Attach any relevant files if needed.
6. Click “Send” to deliver the message to the recipient’s email server.
7. Emails can also include features such as cc (carbon copy) and bcc (blind
carbon copy) to send copies of the message to multiple recipients, and reply,
reply all, and forward options to manage the conversation.

 Electronic Mail (e-mail) is one of most widely used services of Internet.

 This service allows an Internet user to send a message in formatted
manner (mail) to the other Internet user in any part of world.
 Message in mail not only contain text, but it also contains images, audio
and videos data.
 The person who is sending mail is called sender and person who receives
mail is called recipient. It is just like postal mail service.
 Components of E-Mail System :
The basic components of an email system are:
User Agent (UA), Message Transfer Agent (MTA), Mail Box.

1. UserAgent (UA) :
 The UA is normally a program which is used to send and receive mail.
 It is called as mail reader.
 It accepts variety of commands for composing, receiving and replying to
messages as well as for manipulation of the mailboxes.
2. Message Transfer Agent (MTA):
 MTA is actually responsible for transfer of mail from one system to
another.
 To send a mail, a system must have client MTA and system MTA.
 The delivery from one MTA to another MTA is done by Simple Mail
Transfer Protocol (SMTP).
1
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

1. Mail box:
 It is a file on local hard drive to collect mails.
 Delivered mails are present in this file.
 The user can read it delete it according to his/her requirement.
 To use e-mail system each user must have a mail box.
 Access to mailbox is only to owner of mailbox.

2. Spool file:
 This file contains mails that are to be sent.
 User agent appends outgoing mails in this file using SMTP.
 MTA extracts pending mail from spool file for their delivery.
 E-mail allows one name, an alias, to represent several different e-mail
addresses.It is known as mailing list, Whenever user have to sent a
message, system checks recipient’s name against alias database.

Services provided by E-mail system:

 Composition
 Transfer
 Reporting
 Displaying
 Disposition

Advantages of email
 Convenient and fast communication with individuals or groups globally.
 Easy to store and search for past messages.
 Ability to send and receive attachments such as documents, images, and
videos.
 Cost-effective compared to traditional mail and fax.
 Available 24/7.

2
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Disadvantages of email
o Risk of spam and phishing attacks.
o Huge amount of emails can lead to information overload.
o Can lead to decreased face-to-face communication and loss of personal
touch.
o Potential for miscommunication due to lack of tone and body language
in written messages.
o Technical issues, such as server issues, can disrupt email service.
o It is important to use email responsibly and effectively, for example, by
keeping the subject line clear, concise and protecting against security
threats.

E-mail Security

E-mail security focuses on protecting the confidentiality, integrity, and

authenticity of e-mail messages.

1. S/MIME (Secure/Multipurpose Internet Mail Extensions): Provides

encryption and digital signatures for e-mail, ensuring confidentiality and
authentication.
2. PGP (Pretty Good Privacy): Offers similar functionality as S/MIME, using
a decentralized approach for encryption and signing e-mails.
3. TLS (Transport Layer Security): Secures e-mail transmissions over the
internet by encrypting the connection between mail servers, preventing
eavesdropping (act of secretly listening to or intercepting private
conversations).
4. Spam Filtering: Helps protect users from phishing attempts and malicious
content.
5. DKIM (Domain Keys Identified Mail): Allows senders to associate their
domain name with an e-mail message, helping verify that it has not been
altered in transit.
6. DMARC (Domain-based Message Authentication, Reporting, and
Conformance): Builds on SPF (Sender Policy Framework) and DKIM to
protect against spoofing and phishing.

IP Security (IPsec)

IPsec is a suite of protocols used to secure Internet Protocol (IP)

communications by authenticating and encrypting each IP packet in a
communication session.
1. Authentication: Ensures that the data comes from a verified source.
2. Encryption: Protects the data from being read by unauthorized users.
3. Integrity: Confirms that the data has not been altered during
transmission.
4. Modes of Operation:
o Transport Mode: Encrypts only the payload of the IP packet.
o Tunnel Mode: Encrypts both the payload and the original IP header,
creating a new IP header for encapsulated packets.

3
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
 GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

5. Use Cases: Commonly used in VPNs (Virtual Private Network) to secure

remote connections to networks, enabling safe access to corporate
resources.
Integration
 E-mail over IPsec: E-mails can be sent over secure connections
established by IPsec, ensuring that the entire transmission is encrypted.
 Layered Security: Using e-mail security protocols in conjunction with
IPsec provides a multi-layered security approach, safeguarding both the
content of the messages and the transmission channels.
Note:
Both e-mail security and IPsec are essential for protecting sensitive data and
maintaining privacy in digital communications, each serving distinct purposes
but often complementing each other in securing data.

4.2 EMAIL ARCHITECTURE

Email Architecture, Gmail two Step Verification, SMTP POP3 IMAP-We will
discuss the Email Architecture with the different protocols like

SMTP “Simple Mail Transfer Protocol”,

PoP3 “Post Office Protocol”, and
IMAP “Internet Mail Access Protocol”

Email architecture consists of three components:

 User Agent (UA)
 Message Transfer Agent (MTA)
 Message Access Agent (MAA)

User Agent:
A User Agent is a Package “or in simple words a program” of a software that
composes, Reads, Responds to, and forward messages. It also handles user
computers with local mailboxes.

Sending Mail:
In order to send a mail, the user creates mail through the UA which looks very
similar to Postal Mail.
4
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Receiving Mail:
The User agent, or a timer, is triggered by the User. Where a user has mail, the
UA will notify the user with a notice if the user is ready to read the mail, a list will
be shown in which each line includes a description of a particular message’s
mailbox information.
Addresses:
A mail handling system must use a system address with unique addresses to
deliver mails. Each user has a unique email address which is selected the time a
person sign up for an email ID.

Mailing List or Group List:

Electronic mail allows for the one name, an alias, to represent several different
email addresses; this is called a mailing list.

Mail Transfer Agent “MTA”:

The actual mail transmission is done through MTAs. Simple Mail Transfer
Protocol “SMTP” is the formal protocol that defines the MTA client and server
within the internet.

Message Access Agent “MAA”:

SMTP is used in the first and second phases of mail deliver. SMTP is not involved
in the third stage, however, as SMTP is a push protocol; it transmits the client’s
message to the server. There are currently two protocols for accessing messages.
Post Office Protocol version 3 “POP3” and Internet Mail Access Protocol “IMAP”.

5
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Simple Mail Transfer Protocol (SMTP):

SMTP is used two times, between the sender and the sender’s mail server and
between the two mail servers. SMTP simply defines how commands and
responses must be sent back and forth between an MTA client and an MTA
server.

Commands:
Hello e.g. Electroniclinic.com
Send from e.g. engrfahad@wordpress-1263046-4550097.cloudwaysapps.com
Send to e.g. xyz@yahoo.com
Data: e.g. “Hope you are fine” etc
Response:
 Services Ready
 User not local; the message will be forwarded
 The command is not executed; mailbox unavailable etc.

Mail Transfer Phases: (Three phases): Forming links, Exchanging mail and
Terminating the connections.

Email architecture refers to the components and protocols involved in sending,

receiving, and storing emails.
1. Email Clients
 Definition: Applications used by users to compose, send, receive, and
manage emails.
 Types:
o Web-based clients (e.g., Gmail, Outlook.com)
o Desktop clients (e.g., Microsoft Outlook, Thunderbird)
o Mobile clients (e.g., iOS Mail, Android Mail)

6
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

2. Email Servers
 Definition: Servers that handle the sending, receiving, and storage of
emails.
 Types:
o Mail Transfer Agents (MTAs): Handle the sending and routing of
emails (e.g., Postfix, Send mail).
o Mail Delivery Agents (MDAs): Store emails and deliver them to
users' mailboxes (e.g., Dovecot, Courier).
o Mail User Agents (MUAs): User-facing applications that interact with
email servers.
3. Protocols
 SMTP (Simple Mail Transfer Protocol): The protocol used for sending
emails from a client to a server or between servers.
 IMAP (Internet Message Access Protocol): Used by clients to retrieve and
manage emails stored on the server, allowing access to multiple devices.
 POP3 (Post Office Protocol version 3): Used to download emails from the
server to a local client, usually deleting them from the server.
4. Domain Name System (DNS)
 Role: DNS translates domain names into IP addresses and helps route
emails.
 Email-specific records:
o MX Records (Mail Exchange Records): Specify the mail servers
responsible for receiving email for a domain.
o SPF Records (Sender Policy Framework): Define which IP
addresses are authorized to send emails on behalf of a domain.
o DKIM (DomainKeys Identified Mail): Allows for email signing to
verify the sender's authenticity.
5. Email Storage
 Mailbox: Each user has a mailbox where incoming emails are stored.
 Formats: Emails can be stored in various formats (e.g., MBOX, Maildir).
6. Security Components
 Encryption:
o TLS (Transport Layer Security): Encrypts email in transit between
servers and clients.
o S/MIME and PGP: Provide end-to-end encryption for email content.
 Authentication:
o DKIM: Verifies that emails are sent by authorized servers.
o DMARC: Provides policy enforcement for email validation.
7. User Interaction
 Interfaces: Users interact with emails through the email client interface,
which includes features for composing, replying, forwarding, and
organizing messages.
Note:
 Email architecture is a complex system involving various components and
protocols that work together to ensure reliable, secure, and efficient email
communication.
 Understanding this architecture is essential for managing and
troubleshooting email systems effectively.

7
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

4.3 PGP – OPERATIONAL DESCRIPTIONS***

Definition:

Pretty Good Privacy or PGP was a popular program used to encrypt and
decrypt email over the internet, as well as authenticate messages with digital
signatures and encrypted stored files that implements the OpenPGP public key
cryptography standard.

PGP (Pretty Good Privacy) is an encryption program that provides cryptographic

privacy and authentication for data communication.

1. Overview
PGP is a data encryption and decryption program that provides cryptographic
privacy and authentication. It is primarily used for securing emails but can also
encrypt files and ensure data integrity.

2. Key Components
 Public Key Cryptography:
o Uses a pair of keys: a public key (shared with others) and a private
key (kept secret).
 Symmetric Key Encryption:
o A session key is generated for encrypting the actual message. This
key is then encrypted using the recipient’s public key.
 Digital Signatures:
o Allows users to sign messages, enabling the recipient to verify the
sender's identity and message integrity.
3. Key Management
 Key Generation: Users create their own public/private key pairs using
PGP software.
 Web of Trust: Instead of a centralized authority, users verify each other's
public keys by signing them, establishing a decentralized trust network.

4. Operational Workflow
Encryption Process:
1. Compression: The plaintext message is compressed to reduce size.
2. Session Key Generation: A random symmetric key is created for the
session.
3. Message Encryption: The message is encrypted using the session key.
4. Key Encryption: The session key is encrypted with the recipient’s public
key.
5. Transmission: The encrypted message and the encrypted session key are
sent to the recipient.

Decryption Process:
1. Key Decryption: The recipient uses their private key to decrypt the session
key.
2. Message Decryption: The session key is used to decrypt the message.

Note: PGP is a powerful tool for securing communications through encryption

and digital signatures.
8
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Services of PGP

 PGP was designed to provide all four aspects of security, i.e.,

 Privacy, Integrity, Authentication, and Non-Repudiation in the sending of
email.
 PGP uses a digital signature (a combination of hashing and public key
encryption) to provide integrity, authentication, and non-repudiation.

Components of a PGP message

A message consists of three components:
1. The message component,
2. A signature (optional), and
3. A session key component (optional).

Uses of PGP

 Pretty Good Privacy (PGP) is an encryption program that provides

cryptographic privacy and authentication for data communication.
 PGP is used for signing, encrypting, and decrypting texts, e-mails, files,
directories, and whole disk partitions and to increase the security of e-mail
communications.

File type is PGP

 PGP is short for Pretty Good Privacy and it's one of the most widely used
technologies for encrypting and authenticating files.
 It can help encrypt, decrypt, authenticate, and verity various file types
including emails, files, directories, disk partitions, and more.

Basic steps for using PGP

1. Install PGP on your computer.

2. Create a private and public key pair.
3. Before you can begin using PGP, you need to generate a key pair.
4. Exchange public keys with others.
5. Validate public keys.
6. Encrypt and sign your email and files.
7. Decrypt and verify your email and files.
8. Wipe (clean) files.

Note: The following companies using PGP

Companies using PGP Website Country

Ireland
Accenture PLC accenture.com
India
Infosys Ltd infosys.com
United States
HP Development Company, L.P hp.com
United States
International Business Machines Corporation ibm.com

9
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

4.4 PGP KEY MANAGEMENT***

 PGP uses a passphrase to encrypt your private key on your machine.

 Your private key is encrypted on your disk using a hash of your passphrase
as the secret key.
 You use the passphrase to decrypt and use your private key.
 A passphrase should be hard for you to forget and difficult for others to
guess.

1. Key Types
 Public Key: This key can be shared with anyone and is used to encrypt
messages sent to the owner of the key.
 Private Key: This key is kept secret by the owner and is used to decrypt
messages that were encrypted with the corresponding public key. It is also
used to create digital signatures.
2. Key Generation
 Users generate their own key pairs using PGP software. This typically
involves:
o Choosing a key size (e.g., 2048 bits or higher is recommended).
o Selecting a passphrase to protect the private key.
3. Key Storage
 Local Storage: Keys are stored securely on the user’s device. It’s essential
to back up the private key and keep it safe.
 Key Servers: Public keys can be uploaded to key servers for easier
distribution and retrieval by others.
4. Key Distribution
 Share the public key with anyone you wish to communicate with securely.
o Direct sharing (via email or messaging).
o Uploading to public key servers.

10
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

5. Key Trust Model

 Web of Trust: PGP uses a decentralized model where users sign each
other’s public keys to establish trust. This is done by:
o Verifying the identity of the key owner.
o Signing the public key to vouch for its authenticity.
6. Key Revocation
 Users can create a revocation certificate for their keys in case they are
compromised or lost. This certificate can be published to inform others that
the key should no longer be trusted.
7. Key Expiry
 Keys can be set to expire after a certain period. This encourages users to
regularly update and rotate their keys.
8. Best Practices
 Use Strong Passphrases: Protect private keys with strong, unique
passphrases.
 Regularly Update Keys: Periodically generate new key pairs to enhance
security.
 Backup Keys: Keep backups of both public and private keys in secure
locations.
 Verify Keys: Always verify public keys through trusted channels to prevent
man-in-the-middle attacks.

Note:

Effective key management is crucial for the security and usability of PGP.
By understanding key generation, distribution, trust models, and best
practices, users can enhance their encryption experience and ensure the
integrity of their communications.

PGP Working Principle

11
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

1. Key Pair Generation

 Public Key: Shared with others for encryption.
 Private Key: Kept secret by the user for decryption and signing.
2. Message Encryption Process
1. Compression: The plaintext message is compressed to reduce its size.
2. Session Key Generation: A random symmetric key (session key) is created
for the session.
3. Message Encryption: The plaintext message is encrypted using the session
key (using a symmetric encryption algorithm like AES).
4. Key Encryption: The session key is then encrypted with the recipient’s
public key (using an asymmetric encryption algorithm).
5. Transmission: Both the encrypted message and the encrypted session key
are sent to the recipient.
3. Message Decryption Process
1. Key Decryption: The recipient uses their private key to decrypt the session
key.
2. Message Decryption: The session key is used to decrypt the message back
into plaintext.
4. Digital Signatures
 Signing: The sender creates a hash of the message and encrypts it with
their private key to create a digital signature.
 Verification: The recipient can use the sender’s public key to verify the
signature, ensuring the message's authenticity and integrity.
Note:
 PGP combines symmetric encryption for message security and
asymmetric encryption for secure key exchange.
 It ensures confidentiality, integrity, and authentication in
communications.
 The use of a web of trust allows users to establish the authenticity of
public keys through mutual verification.
 This combination of techniques allows PGP to provide a robust framework
for secure communication.

Advantages of PGP

 Security: PGP encryption provides a high level of security, making it

difficult for unauthorized parties to read your messages.
 Privacy: PGP encryption ensures that only the intended recipient can read
your messages, protecting your privacy

Applications of PGP Encryption

o Email Encryption: Some encrypted email solutions, such as ProtonMail,

support the use of PGP.
o File Encryption: In addition to encrypting emails, PGP can encrypt files or
data in general.
o Digital Signatures: PGP can also digitally sign data as well as encrypt it.

12
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

A PGP user may have multiple public keys. So that a recipient knows which
public key is being used by a sender, a key ID, consisting of the least
significant 64bits of the public key, is sent with the message. What is the
probability that a user with N public keys will have at least one duplicate
key ID? MAY 2024

To determine the probability that a user with N public keys will have at least one
duplicate key ID, we can utilize the concept of the "birthday problem."

Key ID Characteristics
1. The key ID is derived from the least significant 64 bits of the public key.
2. Since 64 bits can represent 264 distinct values, there are 264 possible
unique key IDs.

Probability of No Duplicates
To find the probability of having at least one duplicate key ID, we first calculate
the probability of having no duplicates among N keys.

1. The first key can take any of the 264 values.

2. The second key can take any of the 264−1 values (to avoid matching the
first).
3. The third key can take any of the 264−2 values, and so on.
Thus, the probability P(no duplicates) can be computed as follows:

This simplifies to

Probability of At Least One Duplicate

The probability of having at least one duplicate key ID is then:
P(at least one duplicate)=1−P(no duplicates)

Approximating the Probability

For large N relative to 264, calculating P(no duplicates) directly becomes complex.

We can use the approximation based on the exponential function:

Thus, the probability of at least one duplicate is approximately:

The probability that a user with N public keys will have at least one duplicate key
ID is:

This result shows that as N increases, especially when approaching √264

(which is 232), the probability of having at least one duplicate key ID becomes
significant.
13
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

4.5 TRUST MODEL S/MIME.IP SECURITY:

 S/MIME means Secure/Multipurpose Internet Mail Extensions.

 It is a technology that allows us to encrypt the content of our e-mails, so
that they are not vulnerable to cyber attacks.
 In other words, S/MIME keeps our e-mails safe and makes sure that the
only person who reads them is the intended receiver.
 S/MIME was first developed by the RSA Data Security to ensure the
security of e-mail messages, then it became a standard with the help of
IETF.
 S/MIME is based on asymmetric encryption and public key
infrastructure.
 It aims to provide a layer of security for the e-mail messages with the help
of encryption and authentication techniques.
 The trust model for S/MIME (Secure/Multipurpose Internet Mail
Extensions) and IP Security (IPsec) involves different approaches to
establishing and managing trust for secure communications.

S/MIME Trust Model

1. Public Key Infrastructure (PKI):

o S/MIME relies on a PKI to manage digital certificates.

o Users obtain certificates from Certificate Authorities (CAs), which
validate identities and issue certificates.
o The trust model is hierarchical; root CAs are trusted implicitly, and
intermediate CAs help establish chains of trust.

14
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

2. Certificates:
o Each user has a public-private key pair.
o The public key is embedded in the digital certificate, which is signed
by a CA.
o When a user receives an S/MIME email, they can verify the sender’s
certificate using the CA’s public key.
3. Trust Anchors:
o Trust is anchored in trusted root CAs, which are often pre-installed
in email clients and systems.
o Users can manage their own trust settings, allowing them to add or
remove trusted CAs.
4. Revocation:
o Certificates can be revoked if compromised or if the user’s status
changes (e.g., leaving a company).
o Revocation is communicated through CRLs (Certificate Revocation
Lists) or OCSP (Online Certificate Status Protocol).

IP Security (IPsec) Trust Model

1. Security Associations (SAs):

o IPsec establishes SAs for secure communication between devices
(hosts or gateways).
o Each SA is a simplex connection that provides integrity, authenticity,
and confidentiality.
2. Authentication:
o IPsec can use various authentication methods, including pre-shared
keys or digital certificates.
o Digital certificates can be issued by a PKI similar to S/MIME,
establishing a trust model.
3. Key Management:
o The Internet Key Exchange (IKE) protocol is often used for negotiating
SAs and exchanging keys securely.
o IKE can utilize both manual and automated key management
techniques.
4. Trust Hierarchies:
o Trust can be established between organizations or devices through
certificate exchanges.
o Trust may also be established through mutual agreements, rather
than a centralized CA model.

Note:

Both S/MIME and IPsec utilize trust models that emphasize authentication
and key management, albeit in different contexts.
Understanding these models is essential for implementing secure
communication protocols effectively.

15
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

S/MIME digital signatures

Digital signatures provide the following security capabilities:

 Authentication: A signature serves to validate an identity.

 Non-repudiation: The uniqueness of a signature prevents the owner of the
signature from disowning the signature.
 Data integrity: Data integrity is a result of the specific operations that make
digital signatures possible.

S/MIME Encryption

Message encryption provides a solution to information disclosure.

SMTP-based internet email doesn't secure messages.
An SMTP internet email message can be read by anyone who sees it as it
travels or views it where it's stored.
 These problems are addressed by S/MIME using encryption.
 Encryption is a way to change information so that it can't be read or
understood until it's changed back into a readable and understandable
form.
 Message encryption provides two specific security services:
 Confidentiality: Message encryption serves to protect the
contents of an email message.
 Data integrity: As with digital signatures, message encryption
provides data integrity services as a result of the specific
operations that make encryption possible.
 Transport Layer Security (TLS) which replaces Secure Sockets Layer
(SSL):
o Encrypts the tunnel or the route between email servers in order to help
prevent snooping and eavesdropping.
o Encrypts the connection between email clients and email servers.
 BitLocker: Encrypts data on hard drives in client computers and servers.

16
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

How to Get S/MIME Certificates

The following are steps to have S/MIME certificates for securing your emails:

 Choose a Certificate Authority: You can select any trusted Certificate

Authority, such as Sectigo, DigiCert, or GlobalSign, that has the
functionality to provide you with S/MIME certificates. Most of these
Certificate Authorities provide both free and paid versions according to one’s
needs.
 Get or Apply for a Certificate
 Validate Your Identity
 Download and install the certificate
 Configuration of Your Email Client
 Test Your Setup

New S/MIME Requirements in 2024

 This document has seen rather a large number of upcoming modifications

to the way S/MIME certificates are issued during 2024.

 Many of these changes result from new S/MIME Baseline Requirements

from the CA/Browser Forum.

 New Intermediate CA Certificates

 Mailbox validation
 Organization Units (OUs) Removed
 Email Address in SAN
 Updated OIDs for certificate policy

Services of S/MIME
1. Digital Signature, which can maintain data integrity.
2. S/MIME can be used in encrypting messages.
3. By using this we can transfer our data using an e-mail without any problem
17
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Advantages of S/MIME
 It offers verification.
 It offers integrity to the message.
 By the use of digital signatures, it facilitates non-repudiation of origin.
 It offers seclusion.
 Data security is ensured by the utilization of encryption.
 Transfer of secure data files like images, audio, videos, documents, etc.
 Email Encryption
 Data Confidentiality
 Digital Signature
 Signature Authentication
 Non-repudiation by the Sender
 Content Integrity of the Email

Need of S/MIME protection

Getting S/MIME installed on your organization's email client helps prevent you
the following actions:
1. Phishing and Spoofing
2. Email tampering
3. Unauthorized access to confidential data

4.6 OVERVIEW-ARCHITECTURE – ESP ***

 Encapsulating Security Payload (ESP) is a protocol in the Internet

Protocol Security (IPsec) family that protects data transmitted between
devices over an IP network.
 ESP provides data confidentiality, integrity, and authentication, and can
also offer replay protection
 Encapsulating Security Payload (ESP) is a member of the Internet Protocol
Security (IPsec) set of protocols that encrypt and authenticate the packets
of data between computers using a Virtual Private Network (VPN).
 The focus and layer on which ESP operates makes it possible for VPNs to
function securely.
 The enhanced version of IPsec in use is an Internet-layer security protocol.
 It is pre-programmed for IP-layer application security whereas other
protocols such as Transport Layer Security (TLS) and Secure Shell (SSH)
function on the application layer.
 Security Authentication Header (AH) is another IPsec member protocol.
 ESP and AH can operate between hosts and between networks.
 The can also operate in two modes: the less-secure Transport Mode that
encrypts the data packet, for use between two workstations that are
running a VPN client; and Tunnel Mode, which is more secure. Tunnel
Mode encrypts the whole packet including header info and source, and is
used between networks.

18
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Example:

“Security for a VPN involves IPsec, and with IPsec’s protocols of AH and ESP, the
connection between a user and a network is secure. Going further ESP, on the
application layer, can run in its more secure Tunnel Mode offering the most
privacy.”

In the context of information security, ESP stands for Encapsulating Security

Payload. It is a protocol used in IPsec (Internet Protocol Security) to provide
confidentiality, integrity, and authentication for IP packets.

19
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Key Features of ESP:

1. Confidentiality: ESP encrypts the payload of the IP packets, ensuring that

the data being transmitted cannot be read by unauthorized parties.
2. Integrity: It provides data integrity checks, which ensure that the data has
not been altered during transmission. This is achieved using cryptographic
hashing.
3. Authentication: ESP can also provide authentication for the data, verifying
the identity of the sender and ensuring that the packet comes from a
legitimate source.
4. Traffic Flow Confidentiality: By encrypting the payload, ESP can obscure
the traffic patterns, making it harder for attackers to analyze the
communication flow.
Use Cases:
 VPNs (Virtual Private Networks): ESP is commonly used to secure VPN
connections, providing a secure tunnel for data transmission over the
internet.
 Secure Communication: Organizations use ESP to protect sensitive
communications between devices across insecure networks.

4.7 AH PROTOCOLS IPSEC MODES***

IPSec (Internet Protocol Security) is a suite of protocols designed to secure

Internet Protocol (IP) communications through authentication, encryption, and
integrity. It can operate in two main modes: Transport Mode and Tunnel Mode.
Here’s a breakdown of each:

20
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

1. Transport Mode
 Usage: Primarily used for end-to-end communication between two hosts.
 Functionality: Only the payload (the data portion) of the IP packet is
encrypted and/or authenticated. The original IP headers remain intact.
 Advantages:
o More efficient since only the data is processed, reducing overhead.
o Suitable for applications where end-to-end security is required, such
as secure connections between two applications.
 Limitations: Not suitable for protecting routing information, making it less
ideal for VPN scenarios where the entire packet needs to be protected.
2. Tunnel Mode
 Usage: Commonly used for VPNs (Virtual Private Networks) where secure
communication is required between networks.
 Functionality: The entire original IP packet is encapsulated within a new
IP packet, which has a new header. Both the original packet's header and
payload can be encrypted and/or authenticated.
 Advantages:
o Provides complete protection for both the payload and the original IP
header, which is important for protecting routing information.
o Ideal for site-to-site VPN configurations where two networks need to
communicate securely over the internet.
 Limitations: More overhead due to the extra header and the encryption of
the entire packet.
Summary
 Transport Mode: Encrypts the payload, keeps original headers. Best for
end-to-end communications.
 Tunnel Mode: Encrypts the entire packet, encapsulating it in a new IP
packet. Best for network-to-network communications.
21
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

The IPsec architecture document states that when two transport mode SAs
are bundled to allow both AH and ESP protocols on the same end-to-end
flow, only one ordering of security protocols seems appropriate: performing
the ESP protocol before performing the AH protocol. Why is this approach
recommended rather than authentication before encryption? MAY 2024

In IPsec, the recommendation to perform the Encapsulating Security Payload

(ESP) protocol before the Authentication Header (AH) protocol when both are
used in transport mode has to do with how each protocol functions and the goals
they aim to achieve.
1. Encryption First: ESP provides confidentiality by encrypting the payload
data. When ESP is applied first, it ensures that the data is protected from
eavesdropping. If AH were applied first, the plaintext data (including the
integrity check value) would be visible, potentially allowing an attacker to
manipulate the data without detection.
2. Integrity Check: AH provides authentication and integrity for the packet.
If you apply AH after ESP, the integrity check covers the encrypted data,
ensuring that the recipient can verify that the data has not been altered
during transmission. This maintains the integrity of the ciphertext.
3. Preventing Manipulation: If AH were applied before ESP, an attacker
could manipulate the plaintext before encryption, rendering the integrity
check ineffective. This is because the integrity check would be based on the
original plaintext, which could be tampered with before being encrypted.
4. Combining Security Features: Bundling ESP and AH allows for both
confidentiality (ESP) and authentication (AH) to be provided. Performing
encryption first ensures that the authentication process does not expose
sensitive information, maintaining the overall security of the
communication.

4.8 SECURITY ASSOCIATION

22
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

 An IPsec Security Association (SA) is a simplex (one-way) connection,

which may be used to negotiate ESP or AH parameters.
 If two systems communicate via ESP, they use two SAs (one for each
direction).
 If the systems leverage AH in addition to ESP, they use two more SAs, for a
total of four.
 In IPsec (Internet Protocol Security), a Security Association (SA) is a
fundamental concept that defines the parameters and state information for
securing communication between two endpoints. Here’s a breakdown of
what it entails:

Key Aspects of Security Associations:

1. Definition:
o An SA is essentially a one-way logical connection that provides the
security services (like encryption and integrity) for traffic between two
parties. Since IPsec can be used in both inbound and outbound
directions, two SAs are needed for bidirectional communication.
2. Components:
o Security Parameters Index (SPI): A unique identifier for the SA,
used to distinguish it from other SAs.
o Destination IP Address: The address of the endpoint with which the
SA is established.
o Security Protocol Identifier: Indicates whether the SA is for
Authentication Header (AH) or Encapsulating Security Payload (ESP).
o Encryption and Authentication Algorithms: Specifies the
algorithms used for encrypting and authenticating the data.
3. Establishment:
o SAs can be established manually (static configuration) or dynamically
using protocols such as the Internet Key Exchange (IKE). IKE
facilitates the negotiation of SAs, allowing endpoints to agree on the
security parameters.
4. Lifetime:
o SAs have a defined lifetime, after which they may need to be
refreshed or renegotiated to maintain security.
5. Usage:
o SAs are used to protect data packets as they traverse the network,
ensuring confidentiality, integrity, and authenticity of the data.
Importance of SAs in IPsec:
 Security: They provide a structured way to manage encryption and
authentication for data in transit, crucial for secure communications.
 Flexibility: Multiple SAs can be created for different types of traffic or
services, allowing tailored security policies.
 Scalability: Dynamic negotiation of SAs allows for scaling security
solutions as network demands change.
Understanding Security Associations is key to effectively implementing and
managing IPsec in a secure networking environment.

23
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

IPsec Security Associations

 IPSec uses two distinct protocols, Authentication Header (AH) and

Encapsulating Security Payload (ESP), which are defined by the IETF
(Internet Engineering Task Force).
 The AH protocol provides a mechanism for authentication only. AH
provides data integrity, data origin authentication, and an optional replay
protection service.
 An IPsec Security Association (SA) specifies security properties that are
recognized by communicating hosts.
 These hosts typically require two SAs to communicate securely.
 A single SA protects data in one direction.
 The protection is either to a single host or a group (multicast) address.
 Because most communication is peer-to-peer or client-to-server, two SAs
must be present to secure traffic in both directions.
 The security protocol (AH or ESP), destination IP address, and Security
Parameter Index (SPI) identify an IPsec SA. The SPI, an arbitrary 32-bit
value, is transmitted with an AH or ESP packet.

Key Management

A security association contains the following information:

 Material for keys for encryption and authentication
 The algorithms that can be used
 The identities of the endpoints
 Other parameters that are used by the system

SAs require keying material for authentication and encryption. The managing of
keying material that SAs require is called key management. The Internet Key
Exchange (IKE) protocol handles key management automatically.

 You can also manage keys manually with the ipseckey command. SAs on
IPv4 and IPv6 packets can use automatic key management.
 An IPsec Security Association (SA) is a set of specifications that govern
how two devices communicate securely over an IPSec connection:
 Components: SAs contain information about the security protocol,
encryption, authentication, and more.
 Uni- or bidirectional: SAs can be configured to protect data in one
direction or both.
 Identification: SAs are uniquely identified by a Security Parameter Index
(SPI), a security protocol identifier, and an IPv4 or IPv6 destination
address.
 Storage: IPSec stores all active SAs in a Security Association Database
(SAD).
 Lifetime: SAs have a lifetime, and when it expires, IKE negotiates a new
SA.
 Management: The pf_key interface and the in.iked daemon manage the
SAD and keys.

24
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

4.9 AH PROTOCOL KEY MANAGEMENT

In the context of IPsec, the Authentication Header (AH) protocol provides data
integrity and authentication for IP packets. Key management for AH involves
several critical components to ensure secure communication. Here’s an overview:

Key Management for AH Protocol

1. Key Establishment:
o Manual Keying: Keys can be statically configured on both ends of
the communication. This method is simple but not scalable and may
lead to security issues if keys are not changed regularly.
25
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Dynamic Keying: The Internet Key Exchange (IKE) protocol is

o
commonly used to dynamically negotiate and establish keys. IKE
supports two phases:
 Phase 1: Establishes a secure channel between the peers and
authenticates them, using methods like Pre-Shared Keys (PSK)
or digital certificates.
 Phase 2: Negotiates the actual AH (or ESP) SAs and derives
keys for their use.
2. Key Lifetimes:
o Keys should have a defined lifetime to limit exposure. Once a key
expires, a new key must be generated and distributed. This reduces
the risk of key compromise.
3. Key Management Protocols:
o IKE (and its versions, IKEv1 and IKEv2) is the primary protocol for
managing keys in IPsec implementations. It handles negotiation, key
generation, and exchange of cryptographic parameters.
4. Key Derivation:
o In AH, keys used for integrity and authentication are derived during
the IKE negotiation process. The exact method for key derivation can
depend on the cryptographic algorithms used.
5. Security Considerations:
o Keys must be protected in transit and at rest to prevent unauthorized
access.
o Use strong cryptographic algorithms and key lengths to enhance
security.
o Regularly rotate keys to mitigate the risk of long-term key
compromise.
6. Implementation:
o Most modern network devices (firewalls, routers, VPN gateways)
support automated key management through IKE, making dynamic
keying the preferred approach in most deployments.

Security Considerations

 Integrity: Ensure the integrity of the key exchange process to prevent

man-in-the-middle attacks.
 Confidentiality: While AH itself does not provide encryption, it is often
used in conjunction with ESP (Encapsulating Security Payload) to ensure
confidentiality.
 Algorithm Selection: Choosing strong cryptographic algorithms for
hashing (e.g., SHA-256) is vital for maintaining the security of the
authentication process.

 Effective key management in the AH protocol is essential for establishing

secure and reliable communication.
 By utilizing automatic keying methods and regularly refreshing keys,
organizations can enhance their security posture and protect against
potential threats.

26
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

ANNA UNIVERSITY PROMINENT QUESTIONS

PART-A QUESTIONS AND ANSWERS

1. What are the four principal services provided by S/MIME? MAY 2024
S/MIME (Secure/Multipurpose Internet Mail Extensions) provides four principal
services:
1. Confidentiality: S/MIME uses encryption to ensure that the content of
emails is only readable by the intended recipients, protecting sensitive
information from unauthorized access.
2. Authentication: It verifies the identity of the sender through digital
signatures, allowing recipients to confirm that the message truly comes from the
claimed sender.
3. Integrity: S/MIME ensures that the message has not been altered in
transit. If any changes are made to the message, the recipient can detect this
through the digital signature.
4. Non-repudiation: The sender cannot deny having sent the message, as
the digital signature provides proof of the sender's identity, ensuring
accountability.

2. What is the difference between transport mode and tunnel mode?

MAY 2024
The difference between transport mode and tunnel mode primarily relates to how
IPsec (Internet Protocol Security) handles the encapsulation of data for secure
communication.
Transport Mode:
 Usage: Typically used for end-to-end communication between two hosts
(e.g., client to server).
 Encryption: Only the payload (the actual data) of the IP packet is
encrypted. The IP header remains intact.
 Overhead: Lower overhead since the original IP header is preserved, which
can be more efficient for communication between two endpoints.
Tunnel Mode:
 Usage: Often used for network-to-network connections (e.g., VPNs) or for
securing communication between gateways.
 Encryption: Both the payload and the original IP header are encrypted. A
new IP header is added for the encapsulated packet.
 Overhead: Higher overhead due to the additional IP header, but this allows
for more flexible and secure routing through intermediate networks.
Note:
 Transport Mode is suitable for direct host-to-host communication,
preserving the original IP header, while Tunnel Mode is more suited for
securing traffic between networks or gateways, encapsulating the entire
packet.

3. What is SPF in email security?

SPF (Sender Policy Framework) is a protocol used to prevent email spoofing by
allowing domain owners to specify which mail servers are permitted to send
emails on their behalf.

27
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

4. What is a phishing attack?

A phishing attack is a fraudulent attempt to obtain sensitive information by
disguising as a trustworthy entity in electronic communications.

5. What does TLS stand for in email security?

TLS stands for Transport Layer Security, a protocol that ensures privacy between
communicating applications and users on the Internet.

6. What is DKIM?
DKIM (Domain Keys Identified Mail) is an email authentication method that
allows the receiver to check that an email was indeed sent and authorized by the
owner of that domain.

7. What is the main purpose of IPsec?

The main purpose of IPsec is to provide confidentiality, integrity, and authenticity
for data transmitted over IP networks.

8. What is AH in IPsec?
AH (Authentication Header) provides integrity and authentication for IP packets
but does not provide encryption.

9. What is ESP in IPsec?

ESP (Encapsulating Security Payload) provides confidentiality, integrity, and
authentication for IP packets.

10. What does IPsec stand for?

IPsec stands for Internet Protocol Security, a suite of protocols that secure
Internet Protocol (IP) communications.

ANNA UNIVERSITY PROMINENT QUESTIONS

PART-B & C
1. A PGP user may have multiple public keys. So that a recipient knows
which public key is being used by a sender, a key ID, consisting of the
least significant 64bits of the public key, is sent with the message.
What is the probability that a user with N public keys will have at least
one duplicate key ID? MAY 2024

2. The IPsec architecture document states that when two transport mode
SAs are bundled to allow both AH and ESP protocols on the same end-
to-end flow, only one ordering of security protocols seems appropriate:
performing the ESP protocol before performing the AH protocol. Why
is this approach recommended rather than authentication before
encryption? MAY 2024

3. Describe about AH Protocols IPSec MODES

4. Discuss in detail about E-mail and IP Security

5. Explain with relevant diagram about Email Architecture

28
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

ASSIGNMENT-2 QUESTIONS
(UNIT IV E-MAIL AND IP SECURITY)
1. Explain in detail about PGP Architecture
2. Describe with suitable diagram about Architecture of ESP
3. Explain AH Protocols, IPSec modes

Assignment Submission Date: 15.10.2024

<<<@!@>>>

29
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-4
 LECTURE NOTES

III YEAR / 5th SEM

CW3551 DATA AND INFORMATION SECURITY

(R-2021)
UNIT- 5

ABDUL KAREEM.D (Asst.Prof-AI & DS)

----------------------------------------------------------------------------------------------

GRT INSTITUTE OF ENGINEERING AND TECHNOLOGY

(An Autonomous Institution)
GRT MAHALAKSHMI NAGAR
TIRUTTANI – 631 209.
CW3551 DATA AND INFORMATION SECURITY LTPC
3003
COURSE OBJECTIVES:
• To understand the basics of Information Security
• To know the legal, ethical and professional issues in Information Security
• To equip the students’ knowledge on digital signature, email security and web security

UNIT I INTRODUCTION 9
History, What is Information Security?, Critical Characteristics of Information, NSTISSC Security Model,
Components of an Information System, Securing the Components, Balancing Security and Access, The
SDLC, The Security SDLC

UNIT II SECURITY INVESTIGATION 9

Need for Security, Business Needs, Threats, Attacks, Legal, Ethical and Professional Issues - An Overview
of Computer Security - Access Control Matrix, Policy-Security policies, Confidentiality policies, Integrity
policies and Hybrid policies

UNIT III DIGITAL SIGNATURE AND AUTHENTICATION 9

Digital Signature and Authentication Schemes: Digital signature-Digital Signature Schemes and their
Variants- Digital Signature Standards-Authentication: Overview- Requirements Protocols - Applications -
Kerberos -X.509 Directory Services

UNIT IV E-MAIL AND IP SECURITY 9

E-mail and IP Security: Electronic mail security: Email Architecture -PGP – Operational Descriptions- Key
management- Trust Model- S/MIME.IP Security: Overview- Architecture - ESP, AH Protocols IPSec
Modes – Security association - Key management.

UNIT V WEB SECURITY 9

Web Security: Requirements- Secure Sockets Layer- Objectives-Layers -SSL secure communication-
Protocols - Transport Level Security. Secure Electronic Transaction- Entities DS Verification-SET
processing.
TOTAL: 45 PERIODS
COURSE OUTCOMES:
Upon successful completion of this course, students will be able to:
CO1: Understand the basics of data and information security
CO2: Understand the legal, ethical and professional issues in information security
CO3: Understand the various authentication schemes to simulate different applications.
CO4: Understand various security practices and system security standards
CO5: Understand the Web security protocols for E-Commerce applications

TEXT BOOKS:
1. Michael E Whitman and Herbert J Mattord, “Principles of Information Security, Course Technology,
6th Edition, 2017.
2. Stallings William. Cryptography and Network Security: Principles and Practice, Seventh Edition,
Pearson Education, 2017.
REFERENCES
1. Harold F. Tipton, Micki Krause Nozaki,, “Information Security Management Handbook, Volume 6, 6th Edition,
2016.
2. Stuart McClure, Joel Scrambray, George Kurtz, “Hacking Exposed”, McGraw- Hill, Seventh Edition, 2012.
3. Matt Bishop, “Computer Security Art and Science, Addison Wesley Reprint Edition, 2015.
Behrouz A Forouzan, Debdeep Mukhopadhyay, Cryptography And network security, 3rd Edition, . McGraw-Hill
Education, 2015.
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

UNIT V WEB SECURITY 9

Web Security: Requirements- Secure Sockets Layer- Objectives-Layers -SSL
SECURE COMMUNICATION-PROTOCOLS - TRANSPORT LEVEL SECURITY.
Secure Electronic Transaction- Entities DS VERIFICATION-SET processing.

5.1 INTRODUCTION TO WEB SECURITY

Web security refers to the measures and practices designed to protect websites,
web applications, and online services from cyber threats and attacks. It
encompasses various strategies and technologies to safeguard sensitive data,
ensure user privacy, and maintain the integrity and availability of web resources.

Key aspects of web security include:

1. Authentication: Verifying the identity of users accessing the system.

2. Authorization: Ensuring users have permission to access certain data or
features.
3. Data Encryption: Protecting data in transit and at rest to prevent
unauthorized access.
4. Input Validation: Ensuring that data received from users is safe and does
not contain harmful code (e.g., SQL injection, cross-site scripting).
5. Secure Communication: Using protocols like HTTPS to secure data
exchanges.
6. Regular Updates: Keeping software and systems up to date to protect
against vulnerabilities.
7. Monitoring and Logging: Continuously monitoring systems for suspicious
activity and maintaining logs for analysis.

1
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Overall, web security is crucial for protecting both users and organizations from
various online threats, such as data breaches, malware, and denial-of-service
attacks.

 WEB SECURITY protects networks, servers, and computer systems

from damage to or the theft of software, hardware, or data
 Web security is synonymous with cybersecurity and also covers website
security, which involves protecting websites from attacks.
 It includes cloud security and web application security, which defend
cloud services and web-based applications, respectively.
 Website protection technology has enabled enhanced protection
mechanisms, such as the protection of a Virtual Private Network (VPN)
 Web security is crucial to the smooth operation of any business that uses
computers.
 Web security is the practice of protecting websites and web applications
from various threats and vulnerabilities.

Key Concepts of Web security

1. Confidentiality, Integrity, and Availability (CIA Triad):

o Confidentiality: Ensuring that sensitive information is only
accessible to authorized users.
o Integrity: Protecting data from being altered or tampered with.
o Availability: Ensuring that services are accessible and operational
when needed.
2. Authentication and Authorization:
o Authentication: Verifying the identity of users (e.g., passwords,
multi-factor authentication).
o Authorization: Determining what authenticated users are allowed to
do (e.g., access controls).
3. Encryption: The process of converting data into a secure format that is
unreadable without a decryption key, ensuring that sensitive information
remains confidential during transmission and storage.
4. Vulnerability Management: Regularly identifying, assessing, and
mitigating vulnerabilities in web applications to minimize potential exploits.

Common Threats

1. Cross-Site Scripting (XSS): Attackers inject malicious scripts into web

pages viewed by users, potentially stealing cookies or session tokens.
2. SQL Injection (SQLi): Attackers manipulate SQL queries to gain
unauthorized access to databases, often leading to data breaches.
3. Cross-Site Request Forgery (CSRF): Exploits the trust a web application
has in the user's browser, tricking the user into performing actions without
their consent.
4. Distributed Denial of Service (DDoS): Overwhelming a web server with
traffic to render it unavailable to users.
5. Man-in-the-Middle (MitM): Intercepting and altering communication
between two parties, often used to steal sensitive information.

2
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Best Practices

1. Regular Security Audits: Conduct periodic assessments to identify

vulnerabilities and ensure compliance with security standards.
2. Input Validation: Validate and sanitize user inputs to prevent injection
attacks and other exploits.
3. Use HTTPS: Secure your website with HTTPS to encrypt data transmitted
between the server and users.
4. Implement Security Headers: Use HTTP security headers (e.g., Content
Security Policy, X-Content-Type-Options) to enhance protection against
common vulnerabilities.
5. Educate Users: Train users and developers about security practices,
including recognizing phishing attempts and maintaining strong
passwords.
6. Backup Data Regularly: Ensure regular backups to recover from potential
data loss due to attacks.
7. Stay Updated: Regularly update software, libraries, and frameworks to
patch known vulnerabilities.
Web Security and Web Protection

 To comply with internal policies, government-imposed criteria, or Open

Web Application Security Project (OWASP) standards, security
professionals consider a variety of factors when establishing a security
posture for their web security gateway.
 In addition to ensuring compliance with various standards and criteria,
encryption must be kept up to date, the latest threats in the Web Hacking
Incident Database (WHID) monitored, and user authentications properly
managed.

Tools and Technologies for Web Security

Various technologies are available to help companies achieve web security,

including web application firewalls (WAFs), security or vulnerability scanners,
password-cracking tools, fuzzing tools, black box testing tools, and white box
testing tools.
Web application firewalls (WAFs)
Security or vulnerability scanners
Password-cracking tools
Fuzzing tools
Black box testing tools
White box testing tools

Threats to Web Security

SQL injection
Cross-site scripting
Remote file inclusion
Password breach
Data breach
Code injection

3
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Best Defense Strategies for Developer for Web Security

Resource assignment
Web scanning
Protection Provided by Web Security
Stolen data
Phishing schemes
Session hijacking
Malicious redirects
SEO spam

Benefits of Web security

Essential steps for Web application security

4
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

5.2 REQUIREMENTS

Web security requirements are essential to protect websites and web applications
from various threats.

Here’s a comprehensive list of key requirements:

1. Authentication and Authorization

 Strong Password Policies: Enforce complexity and length requirements.
 Multi-Factor Authentication (MFA): Implement MFA to enhance security.
 Session Management: Secure session tokens and implement timeout
policies.
2. Data Protection
 Encryption: Use HTTPS to encrypt data in transit; encrypt sensitive data
at rest.
 Data Validation: Validate and sanitize user inputs to prevent SQL injection
and XSS attacks.
 Sensitive Data Handling: Limit access to sensitive data and implement
proper storage techniques.
3. Access Control
 Role-Based Access Control (RBAC): Define user roles and permissions.
 Least Privilege Principle: Users should have the minimum access
necessary.
 Access Logging: Maintain logs of access and changes to sensitive data.
4. Security Headers
 Content Security Policy (CSP): Mitigate XSS risks by defining sources for
content.
 X-Frame-Options: Prevent clickjacking by controlling how your site is
framed.
 X-XSS-Protection: Enable browser-based XSS protection.

5
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

5. Secure Development Practices

 Code Review and Testing: Regularly review and test code for
vulnerabilities.
 Use of Security Libraries: Utilize established libraries for authentication
and encryption.
 Regular Updates: Keep frameworks, libraries, and dependencies up to
date.
6. Input Validation and Output Encoding
 Whitelisting Inputs: Only accept expected inputs and reject the rest.
 Output Encoding: Encode data before rendering it to prevent injection
attacks.
7. Error Handling and Logging
 User-Friendly Errors: Avoid exposing sensitive information in error
messages.
 Comprehensive Logging: Log security events for monitoring and incident
response.
8. Protection Against Common Vulnerabilities
 Cross-Site Scripting (XSS): Use frameworks that automatically escape
output.
 Cross-Site Request Forgery (CSRF): Implement anti-CSRF tokens.
 SQL Injection: Use prepared statements and ORM tools.
9. Network Security
 Firewall and Intrusion Detection Systems (IDS): Protect the server from
unauthorized access.
 DDoS Protection: Implement strategies to mitigate Distributed Denial of
Service attacks.
10. Regular Security Audits and Assessments
 Penetration Testing: Conduct regular penetration tests to identify
vulnerabilities.
 Vulnerability Scanning: Use automated tools to scan for known
vulnerabilities.
11. User Education and Awareness
 Security Training: Provide training for users and developers on security
best practices.
 Phishing Awareness: Educate users on recognizing phishing attempts.
12. Incident Response Plan
 Develop a Response Plan: Prepare for potential security breaches with a
clear plan.
 Regular Drills: Conduct drills to ensure the team is prepared for a real
incident.
13. Compliance and Legal Requirements
 GDPR, HIPAA, PCI-DSS Compliance: Ensure compliance with relevant
regulations.
 Privacy Policies: Clearly communicate data handling practices to users.

14. Regular Security Audits

 Vulnerability Scanning: Perform regular scans to identify potential
security issues.
 Penetration Testing: Conduct thorough penetration tests to assess the
security posture.
6
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

15. Patch Management

 Keep Software Updated: Regularly update web servers, applications, and
dependencies to fix vulnerabilities.
 Automated Updates: Where possible, enable automated updates for
critical software components.
16. Content Security Policy (CSP)
 Define CSP: Implement CSP to mitigate risks like cross-site scripting (XSS)
by specifying which sources are trusted.
17. User Education and Awareness
 Training Programs: Educate users about security best practices, phishing
attacks, and social engineering.
18. Backup and Recovery
 Regular Backups: Ensure data is backed up regularly and stored securely.
 Disaster Recovery Plan: Have a clear plan for restoring services after a
security incident.
19. Web Application Firewalls (WAF)
 Deploy a WAF: Use a WAF to filter and monitor HTTP requests, protecting
against various attacks.
20. Error Handling and Logging
 Secure Error Messages: Avoid exposing sensitive information in error
messages.
 Logging: Implement secure logging practices to monitor for suspicious
activities.

5.3 SECURE SOCKETS LAYER *****

What is SSL/TLS encryption? How does SSL/TLS encryption work? Why is

SSL/TLS encryption important for security? MAY 2024

Secure Sockets Layer (SSL) is a standard security technology that establishes

an encrypted link between a web server and a browser. While SSL has largely
been replaced by Transport Layer Security (TLS), the principles remain relevant
in web security. Here’s a breakdown of SSL/TLS and its role in web security:

Key Features of SSL/TLS

1. Encryption: SSL/TLS encrypts data transmitted between clients and

servers, preventing eavesdropping. This ensures that sensitive information,
like passwords and credit card numbers, remains confidential.

2. Authentication: SSL/TLS uses digital certificates to verify the identity of

the parties involved in the communication. This helps ensure that users
are communicating with the legitimate server.

3. Data Integrity: The protocol ensures that data sent over the connection
cannot be tampered with during transmission. It uses Message
Authentication Codes (MACs) to verify the integrity of the data.

7
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Processes of SSL/TLS

1. Handshake Process:
o When a client (like a web browser) connects to a server, they initiate
a handshake to establish a secure connection. This involves:
 Agreeing on the SSL/TLS version and cipher suite.
 Authenticating the server via its SSL certificate.
 Generating session keys for encryption.
2. Session Establishment:
o Once the handshake is successful, a secure session is established
using the session keys. Data is then encrypted and transmitted
securely.
3. Connection Closure:
o At the end of a session, the connection can be securely closed,
ensuring no further data can be sent or received.

SSL/TLS Protocols

o SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer
Security), are essential protocols for securing communications over the
internet.
o SSL is the original protocol for securing communications, but it is now
considered outdated. TLS is the modern version and is widely used.
o SSL/TLS Protocols provide encryption, integrity, and authentication for
data transmitted between a client and a server.

Working principles of SSL/TLS

1. Handshake Process:
o When a client connects to a server, they perform a handshake to
establish a secure connection. When a client connects to a server, they
initiate a handshake that establishes the parameters of the secure session.

o The handshake involves:

 Client Hello: The client sends a message to the server

 Negotiating Protocol Version: Client and server agree on the
highest version of TLS they both support.
 Server Hello: The server responds with its chosen cipher suite,
SSL/TLS version, and another random number.
 Cipher Suite Selection: They agree on the encryption
algorithms to use.
 Authentication: The server presents its SSL/TLS certificate to
prove its identity.
 Session Keys Generation: Both parties generate a unique
session key for encrypting the data.
 Key Exchange: The client and server exchange keys to
establish a secure session.
 Certificate Exchange: The server sends its digital certificate to
the client for authentication.
8
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

SSL/TLS Handshake

9
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

2. Session Encryption:
o Once the handshake is complete, all data exchanged between the
client and server is encrypted using the session key.
o This prevents eavesdropping and ensures that even if data is
intercepted, it cannot be read.
3. Integrity:
o SSL/TLS includes mechanisms to verify that data has not been
altered during transmission. This is achieved through message
authentication codes (MACs).
4. Authentication:
o The server’s identity is verified through a digital certificate, which is
issued by a trusted Certificate Authority (CA). This helps prevent
man-in-the-middle attacks.

 By implementing SSL/TLS correctly, organizations can significantly

enhance their web security posture and protect both their data and their
users.

 SSL (Secure Sockets Layer) is a PROTOCOL that ensures secure

communication over a computer network.

 Though it's largely been succeeded by TLS (Transport Layer Security), the
terms are often used interchangeably.

10
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are
cryptographic protocols designed to provide secure communication over a
computer network. TLS is the successor to SSL, and while SSL is still commonly
referenced, TLS is the protocol that is widely used today.

Key components of SSL/TLS:

1. Encryption
 Symmetric Encryption: Uses the same key for both encryption and
decryption of data, ensuring confidentiality during communication.
Common algorithms include AES (Advanced Encryption Standard) and
ChaCha20.
 Asymmetric Encryption: Uses a pair of keys (public and private) for
secure key exchange. This ensures that even if a message is intercepted, it
cannot be decrypted without the private key. RSA (Rivest-Shamir-
Adleman) is a widely used algorithm.
2. Authentication
 Digital Certificates: Issued by Certificate Authorities (CAs), these
certificates verify the identity of the entities (e.g., websites) involved in the
communication. They contain the public key and information about the
entity.
 Certificate Authorities: Trusted entities that issue digital certificates.
They verify the identity of organizations before issuing certificates.
3. Integrity
 Message Authentication Code (MAC): Ensures that the data has not been
altered in transit. A MAC is generated using a shared secret key and a
hashing function, allowing the recipient to verify the message's integrity.
4. Handshake Protocol
 A series of messages exchanged between the client and server to establish a
secure connection. This process includes:
o Client Hello: The client initiates the handshake and proposes
encryption algorithms and other settings.
o Server Hello: The server responds with its chosen settings, including
its digital certificate.
o Key Exchange: The client and server exchange keys or agree on a
method for deriving session keys.
o Finished Messages: Both parties confirm that the handshake is
complete and secure.
5. Session Resumption
 Allows previously established secure sessions to be resumed quickly
without repeating the full handshake, improving performance.
6. TLS Versions
 Various versions of the protocol exist, with TLS 1.2 and TLS 1.3 being the
most commonly used today. TLS 1.3 simplifies the handshake process and
enhances security.
7. Protocol Support
 SSL/TLS protocols can support various applications, including HTTPS for
web traffic, FTPS for secure file transfer, and others.

11
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Importance of SSL/TLS in Web Security

1. Data Protection:
o Encrypts sensitive information, such as passwords, credit card
numbers, and personal data, ensuring confidentiality.
2. Trust and Credibility:
o Websites secured with SSL/TLS are marked as “secure” (often with a
padlock icon in the address bar), which builds trust with users.
3. SEO Benefits:
o Search engines like Google favor HTTPS (the secure version of HTTP)
websites, potentially improving search rankings.
4. Compliance:
o Many regulations (e.g., GDPR, PCI DSS) require encryption
5. Preventing Attacks:
o Helps various types of attacks, like man-in-the-middle attacks.

Implementation Tips

1. Obtain a Valid SSL/TLS Certificate:

o Choose a reputable Certificate Authority (CA) to issue your certificate.
2. Configure Your Web Server:
o Ensure proper SSL/TLS configuration (e.g., disable outdated
protocols like SSL 2.0/3.0, and weak cipher suites).
3. Regularly Update and Renew Certificates:
o Monitor expiration dates and renew certificates to maintain secure
connections.
4. Use HSTS (HTTP Strict Transport Security):
o This security feature helps prevent downgrade attacks by enforcing
the use of HTTPS.
5. Test Your SSL/TLS Configuration:
o Use tools like SSL Labs’ SSL Test to analyze your server’s SSL/TLS
setup and identify potential vulnerabilities.

Implementation Considerations

1. Choosing the Right Certificate:

o Different types of SSL certificates (e.g., Domain Validated,
Organization Validated, Extended Validation) provide varying levels of
validation and trust.
2. Renewal and Management:
o SSL certificates have expiration dates and must be renewed
regularly. Proper management is essential to avoid service disruption
3. Use of Strong Cipher Suites:
o Configure the server to use strong and up-to-date cipher suites,
avoiding devalued protocols like SSL 2.0 and SSL 3.0.
4. HSTS (HTTP Strict Transport Security):
o Implement HSTS to enforce the use of HTTPS and protect against
downgrade attacks.
5. Monitoring and Testing:
o Regularly test and monitor your SSL/TLS configuration using tools
like SSL Labs to ensure it meets best practices.
12
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Use Cases
 Web Browsing: Secures HTTP traffic (HTTPS).
 Email: Secures email protocols like SMTP, IMAP, and POP3.
 VPNs: Secures virtual private network connections.
Note:
 SSL/TLS is a foundational element of web security, providing critical
encryption, authentication, and data integrity.
 Implementing it correctly not only protects sensitive information but also
enhances user trust and helps ensure compliance with various regulations.

5.4 WEB SECURITY OBJECTIVES

Web security objectives focus on protecting web applications and their users
from various threats. Here’s a breakdown of the primary objectives:
1. Confidentiality
 Ensure that sensitive information is only accessible to authorized users.
This includes protecting data from unauthorized access during
transmission (e.g., using HTTPS) and at rest (e.g., encrypting databases).
2. Integrity
 Maintain the accuracy and completeness of data. This involves ensuring
that data cannot be altered or tampered with by unauthorized parties.
Techniques like hashing and digital signatures can help verify data
integrity.
3. Availability
 Ensure that web applications and services are available to authorized users
when needed. This involves protecting against Denial-Of-Service (Dos)
attacks and ensuring that infrastructure is resilient and can handle traffic
spikes.

13
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

4. Authentication
 Verify the identity of users and systems. Strong authentication
mechanisms, such as Multi-Factor Authentication (MFA), help ensure
that only legitimate users can access sensitive areas of the application.
5. Authorization
 Control access to resources and functionalities based on user roles and
permissions. Implementing Role-Based Access Control (RBAC) ensures
that users can only perform actions and access data they are permitted to.
6. Non-repudiation
 Ensure that users cannot deny their actions within the system. This can be
achieved through logging and auditing, providing a record of user actions
and transactions.
7. Accountability
 Maintain logs of user activities to enable tracking and auditing. This helps
in identifying malicious activities and holding users accountable for their
actions.
8. Resilience
 Design web applications to withstand attacks and recover from incidents.
This includes implementing regular backups, failover mechanisms, and
incident response plans.
9. Compliance
 Adhere to relevant legal and regulatory requirements, such as GDPR, PCI-
DSS, or HIPAA. Compliance not only protects users but also helps avoid
legal repercussions.
10. User Awareness and Education
 Educate users about security best practices, such as recognizing phishing
attempts and using strong passwords. An informed user base is a critical
line of defense against many threats.

WEB SECURITY LAYERS

14
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Web security involves multiple layers designed to protect web applications

and their data from various threats.
1. Network Security:
o Firewalls: Monitor and control incoming and outgoing network traffic
based on security rules.
o Intrusion Detection Systems (IDS) / Intrusion Prevention
Systems (IPS): Detect and respond to potential threats.
2. Application Security:
o Input Validation: Ensures that user inputs are checked for validity
to prevent injections and other attacks.
o Authentication & Authorization: Securely verify user identities and
manage access levels (e.g., OAuth, JWT).
o Encryption: Protects data in transit (TLS/SSL) and at rest (database
encryption).
3. Web Server Security:
o Secure Configuration: Hardening server settings to reduce
vulnerabilities.
o Patching: Regularly updating the server software to fix security
flaws.
4. Data Security:
o Database Security: Using access controls and encryption to protect
sensitive data stored in databases.
o Data Backup: Regular backups to recover from data loss / breaches.
5. User Security:
o User Education: Training users to recognize phishing and social
engineering attacks.
o Strong Password Policies: Encouraging or enforcing complex
passwords and Two-Factor Authentication (2FA).
6. Transport Security:
o TLS/SSL: Encrypts data transmitted between users and servers to
prevent eavesdropping.
7. Monitoring and Logging:
o Security Information and Event Management (SIEM): Collects and
analyzes security data for real-time monitoring and alerts.
o Audit Logs: Keep detailed logs of user activities and system changes
for forensic analysis.
8. Incident Response:
o Response Plans: Developing and maintaining plans to respond to
security breaches effectively.
o Testing: Regular drills to prepare for potential security incidents.
9. Compliance and Best Practices:
o Regulatory Compliance: Adhering to legal standards and
frameworks (e.g., GDPR, PCI DSS).
o Security Frameworks: Following established best practices and
frameworks (e.g., OWASP Top Ten).

GDPR - General Data Protection Regulation

PCI - Payment Card Industry
DSS - Data Security Standard
HIPAA - Health Insurance Portability and Accountability Act
15
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

5.5 SSL SECURE COMMUNICATION-PROTOCOLS

SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security),
are protocols used to secure communication over networks, primarily the
internet. Here are the main protocols and contexts in which SSL/TLS are
employed:
1. HTTPS (HTTP Secure)
 This is the most common use of SSL/TLS, securing HTTP traffic between a
web browser and a web server. It ensures that data exchanged (like login
credentials, personal information, etc.) is encrypted and secure from
eavesdroppers.
2. FTPS (FTP Secure)
 An extension of the File Transfer Protocol (FTP) that uses SSL/TLS to
encrypt the command and data channels. This secures file transfers over
the internet.
3. SMTP with STARTTLS
 Simple Mail Transfer Protocol (SMTP) can be secured with the STARTTLS
command, which upgrades an existing insecure connection to a secure one
using SSL/TLS. This is commonly used for sending email securely.
4. IMAPS and POP3S
 Internet Message Access Protocol (IMAP) and Post Office Protocol (POP) can
be secured using SSL/TLS (IMAPS and POP3S), providing secure access to
email servers.
5. LDAPS (Lightweight Directory Access Protocol Secure)
 This is LDAP (used for accessing directory services) over SSL/TLS, securing
communications between clients and directory servers.
6. MQTT over SSL/TLS
 MQTT (Message Queuing Telemetry Transport) is a lightweight messaging
protocol often used in IoT applications. It can be secured using SSL/TLS
for encrypted communication between devices and servers.
7. VPN Protocols
 Some Virtual Private Network (VPN) protocols, such as OpenVPN, can use
SSL/TLS to establish secure tunnels for data transmission.
8. RDP over SSL/TLS
 Remote Desktop Protocol (RDP) can be secured using SSL/TLS, providing a
secure way to remotely access and control computers.
9. WebSocket Secure (WSS)
 WebSockets can operate over SSL/TLS, allowing for secure, real-time
communication between web clients and servers.
Key Features of SSL/TLS Protocols
 Encryption: Protects data from being read by unauthorized parties.
 Authentication: Ensures that the parties involved in communication are
who they claim to be.
 Integrity: Verifies that the data has not been altered during transmission.
Note:
 SSL/TLS protocols play a crucial role in securing various types of
communications over the internet, ensuring the confidentiality, integrity,
and authenticity of the data exchanged.
 They are essential for protecting sensitive information across multiple
applications and services.
16
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

5.6 TRANSPORT LEVEL SECURITY

Definition of Transport Layer Security (TLS)

TLS is a cryptographic protocol that ensures privacy and data integrity between
applications communicating over a network. It replaces SSL (Secure Sockets
Layer) and is widely used in securing web traffic.

Transport Layer Security (TLS) is a crucial component of web security,

providing secure communication between clients and servers.

Here’s an overview of how TLS works and its significance in web security:

17
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Key Functions of TLS (Transport Layer Security)

1. Encryption: TLS encrypts the data transmitted between the client (e.g.,
web browser) and the server, making it unreadable to eavesdroppers. This
protects sensitive information like login credentials, credit card numbers,
and personal data.

2. Authentication: TLS provides a mechanism for authenticating the identity

of the parties involved. This is typically done using digital certificates
issued by trusted Certificate Authorities (CAs).

3. Data Integrity: TLS ensures that the data sent over the connection cannot
be altered in transit. It uses cryptographic checksums to verify that the
data received is the same as what was sent.

Working principles of TLS (Transport Layer Security)

1. Handshake Process:
o Client Hello: The client sends a message to the server proposing
SSL/TLS parameters (version, cipher suites).
o Server Hello: The server responds with its selected parameters and
sends its digital certificate.
o Key Exchange: The client and server exchange keys to establish a
secure session.
o Finished Messages: Both parties confirm that the handshake is
complete, and secure communication begins.
2. Session Encryption: After the handshake, the data transmitted is
encrypted using the negotiated cipher suite.

TLS Versions

 TLS 1.0/1.1/1.2: Older versions, with TLS 1.2 being widely used.
 TLS 1.3: The latest version, offering improved security and performance by
reducing the number of handshake steps.

Importance of TLS in Web Security

1. Protects User Data: TLS is essential for safeguarding sensitive user data
from interception during transmission.

2. Builds Trust: Websites using TLS (often indicated by "https://" in URLs)

signal to users that they are taking security seriously, fostering trust and
credibility.

3. SEO Benefits: Search engines like Google prioritize HTTPS websites, which
can improve search rankings.

4. Compliance: Many regulations (e.g., GDPR, PCI DSS) require the use of
secure communication protocols to protect sensitive data.

18
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Best Practices for Implementing TLS

1. Use Strong Protocols: Always implement the latest version of TLS
(preferably TLS 1.3) and disable older versions for security.
2. Obtain Valid Certificates: Use certificates from reputable Certificate
Authorities and ensure they are regularly updated.
3. Configure Servers Properly: Follow best practices for server configurations
to minimize vulnerabilities (e.g., using strong cipher suites).
4. Regular Audits: Regularly audit your web security to identify and fix
potential vulnerabilities.
19
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

5.7 SECURE ELECTRONIC TRANSACTION

Secure Electronic Transaction (SET) is a protocol designed to secure online

payment transactions. It was developed in the mid-1990s by a consortium of
companies, including Visa and MasterCard, to ensure safe credit card
transactions over the internet.

Key Features of SET:

1. Authentication:
o SET ensures that both the cardholder and the merchant are
authenticated. It uses digital certificates to verify identities, which
helps prevent fraud.
2. Encryption:
o Sensitive data, such as credit card information, is encrypted during
transmission. This protects the data from eavesdroppers and
unauthorized access.
3. Integrity:
o SET provides mechanisms to ensure that the data sent over the
network is not altered. Hashing techniques are used to verify the
integrity of the transaction data.
4. Confidentiality:
o Even though the transaction is processed, sensitive information is
only visible to the intended parties. Third parties, including payment
gateways, do not see the cardholder's credit card information.
5. Non-repudiation:
o SET provides Non-repudiation both parties cannot deny their
involvement in the transaction, thanks to digital signatures.
Relevance in Web Security:
 Fraud Prevention:
 Consumer Confidence:
 Legacy Issues:
20
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

5.8 ENTITIES DS VERIFICATION

Definition of Digital Signature Verification

A Digital Signature is a cryptographic mechanism that allows the sender of a

message to sign the message digitally, enabling the recipient to verify the
authenticity and integrity of the message. This process involves the use of public
key cryptography.

Digital Signature (DS) Verification is a process that ensures the authenticity

and integrity of a message, document, or transaction by validating its Digital
Signature.

Here’s a breakdown of the Entities involved in DS verification:

Key Entities in Digital Signature Verification

1. Signer:
o The individual or entity that creates and signs the digital document.
The signer uses their private key to generate the digital signature,
which is unique to both the signer and the document.
2. Verifier:
o The recipient of the signed document or message who needs to
confirm its authenticity. The verifier uses the signer's public key to
validate the digital signature.
3. Certificate Authority (CA):
o A trusted third-party entity that issues digital certificates. These
certificates bind the public key to the identity of the signer, helping
the verifier ensure that the public key belongs to the intended signer.
4. Public Key Infrastructure (PKI):
o A framework that manages digital certificates and public-key
encryption. It includes the CA and the necessary protocols to issue,
manage, and revoke certificates.

Verification Process

1. Receive the Signed Document: The verifier obtains the signed document
and the accompanying digital signature.
2. Obtain the Signer's Public Key: The verifier retrieves the signer's public
key, usually from a digital certificate issued by a CA.
3. Hash the Document: The verifier generates a hash of the received
document using the same hashing algorithm used by the signer.
4. Decrypt the Digital Signature: The verifier decrypts the digital signature
using the signer's public key, revealing the hash value that the signer
generated at the time of signing.
5. Compare Hashes: The verifier compares the hash value obtained from the
decrypted signature with the hash value generated from the received
document. If they match, it confirms that the document is authentic and
has not been altered.

21
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Key Components:
1. Public and Private Keys:
o Private Key: Kept secret by the signer and used to create the digital
signature.
o Public Key: Distributed openly and used by the verifier to check the
digital signature.
2. Hash Function:
o A cryptographic hash function generates a fixed-size hash value from
the original message. This hash is unique to the message; even a
small change in the message will produce a different hash.
3. Signature Creation:
o The sender hashes the original message and encrypts the hash with
their private key to create the digital signature.
4. Signature Verification:
o The recipient receives the original message and the digital signature.
They hash the original message using the same hash function and
decrypt the digital signature with the sender's public key. If the
decrypted hash matches the newly computed hash, the signature is
verified.
22
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Process of Digital Signature Verification:

1. Message Sending:
o Sender creates a digital signature by hashing the message and
encrypting the hash with their private key.
2. Message Receiving:
o Recipient receives the original message and the digital signature.
3. Hash Verification:
o Recipient hashes the received message.
o Recipient decrypts the digital signature using the sender’s public key
to obtain the original hash.
4. Comparison:
o If the hashes match, the signature is valid, confirming that the
message has not been altered and is from the claimed sender.

Relevance in Web Security:

1. Data Integrity:
o Ensures that the data has not been altered during transmission.
2. Authentication:
o Confirms the identity of the sender, preventing impersonation.
3. Non-repudiation:
o The sender cannot deny sending the message since the signature is
unique to them.
4. Secure Transactions:
o Used in various applications, such as secure emails, software
distribution, and online banking.
5. Regulatory Compliance:
o Many industries require the use of digital signatures for regulatory
compliance and secure transactions.

Applications in Web Security:

 SSL/TLS Certificates: Websites use digital signatures to verify the

authenticity of their SSL/TLS certificates, ensuring secure
communications.
 Code Signing: Software developers use digital signatures to verify the
integrity and authenticity of their applications.
 Email Security: Digital signatures help authenticate the sender's identity
in email communications.

Note:
 Entities digital signature verification is a foundational component of web
security, playing a vital role in protecting data integrity, authenticity, and
ensuring trust in digital communications.

 Understanding how digital signatures work and their application in various

security contexts is essential for anyone involved in web development or
cybersecurity.

23
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

5.9 SET PROCESSING ***

What is dual signature? Describe briefly how dual signature id generated

using SET. MAY 2024

A dual signature typically refers to a cryptographic concept where two separate

signatures are used to authenticate a message or transaction. This can enhance
security and ensure that both parties involved in a transaction can verify its
authenticity.

In some contexts, dual signatures can involve:

1. Multi-signature wallets: In cryptocurrency, a multi-signature wallet
requires multiple private keys to authorize a transaction, enhancing
security by requiring consensus from multiple parties.
2. Document signing: In legal or business contexts, a dual signature might
mean that two parties need to sign a document for it to be valid, ensuring
that both parties agree to the terms.
3. Authentication protocols: Some security protocols use dual signatures to
verify identities, combining different cryptographic keys or methods to
ensure that both sides of a communication are authenticated.

The Secure Electronic Transaction (SET) protocol is designed to secure online

payment transactions, ensuring that sensitive data is protected throughout the
process.

24
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

SET Processing Steps

1. Initialization:
o The cardholder (consumer) and merchant (vendor) each acquire
digital certificates from a Certificate Authority (CA) to ensure their
identities.
2. Transaction Request:
o The cardholder initiates a purchase on the merchant’s website. The
merchant sends a request for payment details (such as the total
amount and a description of the purchase).
3. Payment Details Preparation:
o The cardholder's system prepares a transaction request that
includes:
 The payment details (amount, merchant information, etc.).
 The cardholder’s payment information (credit card details).
 A hash of the transaction to ensure integrity.
4. Digital Signature:
o The cardholder signs the transaction request with their private key,
creating a digital signature. This signature confirms the identity of
the cardholder and ensures the message has not been altered.
5. Sending Payment Information:
o The cardholder sends the signed transaction request and the
cardholder’s digital certificate to the merchant.
6. Merchant Verification:
o Upon receiving the transaction request, the merchant:
 Verifies the cardholder's digital signature using the
cardholder’s public key.
 Checks the cardholder’s Certificate Against a CA to ensure it is
valid.
7. Request for Authorization:
o If the verification is successful, the merchant prepares a transaction
request for the payment gateway, including:
 The payment details.
 The cardholder’s digital signature.
 The merchant’s own digital signature.
8. Payment Gateway Processing:
o The merchant sends the request to the payment gateway (bank or
financial institution) for authorization.
o The payment gateway verifies the merchant's digital signature and
processes the transaction with the card issuer.
9. Authorization Response:
o The payment gateway responds with an authorization status
(approved or declined) and sends it back to the merchant.
10. Completion of Transaction:
o The merchant receives the authorization response and communicates
the outcome to the cardholder.
o If approved, the merchant processes the order and completes the
transaction.
11. Finalization:
o The merchant and cardholder may keep transaction records for
future reference and for dispute resolution if needed.
25
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

Key Security Features of SET Processing

 Authentication: Verifies the identities of both the cardholder and the

merchant through digital certificates.
 Confidentiality: Sensitive information, such as credit card details, is
encrypted, protecting it from unauthorized access.
 Integrity: Hash functions ensure that the transaction data has not been
tampered with during transmission.
 Non-repudiation: Digital signatures prevent either party from denying their
involvement in the transaction.

Note:

 The SET processing model established a robust framework for secure

online transactions
 SET laying the groundwork for modern payment protocols.
 While SET itself has not seen widespread adoption, its principles have
influenced contemporary security practices in online payments, such as the
use of SSL/TLS and tokenization.
 Understanding SET processing enhances comprehension of how secure
electronic transactions are facilitated in today's digital economy.

26
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

ANNA UNIVERSITY PROMINENT QUESTIONS

PART-A QUESTIONS AND ANSWERS

1. Compare the Transport Layer Security (TLS) and Secure Socket layer
(SSL) MAY 2024

SSL TLS
TLS stands for Transport
Layer
SSL stands for Secure Socket Layer.
Security.
TLS does not support
SSL supports the Fortezza algorithm.
the Fortezza algorithm.
In SSL, the Message digest is used to In TLS, a Pseudo-random function is
create a master secret. used to create a master secret.
In SSL, the Message Authentication In TLS, Hashed Message Authentication
Code protocol is used. Code protocol is used.
SSL is more complex than TLS TLS is simple.
SSL is less secured than TLS TLS provides high security.
TLS is highly reliable and upgraded. It
SSL is less reliable and slower.
provides less latency.
SSL has been devalued TLS is still widely used.

2. List the types of web security threats MAY 2024

Malware: Software designed to disrupt, damage, or gain unauthorized access to
systems. This includes viruses, worms, Trojans, and ransomware.
Phishing: Fraudulent attempts to obtain sensitive information (Password, PIN
Number) by pretending to be a trustworthy entity in electronic communications.
Cross-Site Scripting (XSS): An attack that injects malicious scripts into web
pages viewed by users, potentially stealing cookies or session tokens.
SQL Injection: An attack that targets databases by inserting malicious SQL
queries through input fields to manipulate or access data.
Distributed Denial of Service (DDoS): An attack that overwhelms a website or
service with traffic, rendering it inaccessible to legitimate users.
Man-in-the-Middle (MitM) Attacks: Eavesdropping attacks where the attacker
intercepts communication between two parties to steal or manipulate
information.
Credential Stuffing: An automated attack where stolen username/password
pairs are used to gain unauthorized access to user accounts across multiple
services.
Session Hijacking: An attack that takes control of a user session after the user
has logged in, often through stolen session cookies.( Cookies are small pieces of
data stored on a user's device by a web browser while browsing a website.)
Insecure APIs: Vulnerabilities in application programming interfaces that can
be exploited to gain unauthorized access or manipulate data.
Social Engineering: Manipulative tactics used to trick individuals into
exposing confidential information.
Zero-Day Exploits: Attacks that occur on the same day a vulnerability is
discovered, before it is patched.
Insider Threats: Risks posed by individuals within an organization who may
misuse their access to compromise data or systems.
27
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

DNS Spoofing: Manipulating DNS records to redirect users from legitimate

sites to malicious ones.
Supply Chain Attacks: Targeting less-secure elements in a supply chain to
compromise an end product or service.
Browser Vulnerabilities: Exploits that take advantage of security flaws in web
browsers to execute malicious code or steal information.

3. What is web security?

Web security refers to protecting networks and computer systems from damage to
or the theft of software, hardware, or data. It also includes protecting computer
systems from misdirecting or disrupting the services they are designed to
provide. Given today's digital environment, maintaining a high level of security is
paramount.

4. What is HTTPS and how does it enhance web security?

HTTPS (Hypertext Transfer Protocol Secure) is an extension of HTTP that uses
SSL/TLS to encrypt data exchanged between a web browser and a server. It
enhances web security by ensuring confidentiality, integrity, and authentication,
protecting sensitive information from eavesdropping and tampering.

5. What is the difference between WEP and WPA in wireless security?

WEP (Wired Equivalent Privacy) is an outdated wireless security protocol that
uses weak encryption and static keys, making it vulnerable to attacks. WPA (Wi-
Fi Protected Access) is a more secure protocol that uses stronger encryption
(TKIP) and dynamic key management, significantly improving wireless security.

6. What is the primary purpose of SSL/TLS?

The primary purpose of SSL (Secure Sockets Layer) and TLS (Transport Layer
Security) is to provide secure communication over a computer network by
encrypting data, ensuring confidentiality, integrity, and authentication between
the communicating parties.

7. What are the key components of the SSL/TLS handshake process?

The key components of the SSL/TLS handshake process include:
1. Client Hello: The client initiates the handshake by sending a message to
the server, proposing supported encryption methods and options.
2. Server Hello: The server responds with its chosen encryption settings and
sends its digital certificate for authentication.
3. Key Exchange: Both parties exchange keys or establish a session key for
encryption.
4. Finished Messages: Both the client and server confirm that the handshake
is complete, establishing a secure connection.

8. What is the purpose of Secure Electronic Transaction (SET)?

The purpose of Secure Electronic Transaction (SET) is to provide a secure method
for online credit card payments. It ensures the confidentiality, integrity, and
authenticity of transactions between consumers, merchants, and banks through
encryption and digital signatures.

28
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5
GRT IET AI & DS Abdul Kareem.D (Asst.Prof-AI & DS)

9. What is dual signature?

A dual signature is a cryptographic mechanism used in web security,
particularly in the Secure Electronic Transaction (SET) protocol. It involves
creating two separate digital signatures for a transaction to enhance security and
privacy.

10. How does SET ensure the confidentiality of payment information?

SET ensures the confidentiality of payment information by using dual signatures
and encryption. The cardholder’s payment details are encrypted and sent directly
to the payment gateway, while the merchant receives a separate signature
verifying the transaction without accessing sensitive payment data.

ANNA UNIVERSITY PROMINENT QUESTIONS

PART-B & C

1. What is SSL/TLS encryption? How does SSL/TLS encryption work? Why is

SSL/TLS encryption important for security? MAY 2024
2. What is dual signature? Describe briefly how dual signature id generated using
SET. MAY 2024
3. Explain in detail about Web security and WEP
4. Explain the entities DS verification of SET processing

ASSIGNMENT-3 QUESTIONS
(UNIT V WEB SECURITY)

1. Explain in detail about Web security and WEP

2. Discuss with suitable diagram of SSL architecture, SSL/TLS encryption
3. Describe briefly how Dual signature using SET
4. Explain the process of SET
5. Explain with suitable diagram of SSDLC

Assignment Submission Date: 15.11.2024

<<<@!@>>>

29
IIIrd Year 5th Semester CW3551 DATA AND INFORMATION SECURITY-R2021 UNIT-5