College of Engineering and Technology Department of Computer Science
1. Discuss the following terms with example. (6pts)
a. Confidentiality
b. Integrity, which may include authentication and non-repudiation
c. Availability
A. Confidentiality means that data, objects and resources are protected from unauthorized
viewing and other access.
Encryption
Password
Two-factor authentication
Biometric verification
B. Integrity means that data is protected from unauthorized changes to ensure that it is reliable
and correct.
Integrity: can the recipient be confident that the message has not been modified during its
lifecycle?
Authentication: can the recipient be confident that the message originated from the sender?
Non-repudiation: if the recipient passes the message and the proof to a third party, can the third
party be confident that the message originated from the sender?
System integrity: assures that a system performs its intended function in an unimpaired
manner, free from deliberate or inadvertent unauthorized manipulation of the system.
EXAMPLE: A newspaper may print information obtained from a leak at the White House but
attribute it to the wrong source. The information is printed as received (preserving data integrity),
but its source is incorrect (corrupting origin integrity).
Encryption
User access controls
Version control
Backup and recovery procedures
Error detection software
C. Availability means that authorized users have access to the systems and the resources they
need.
Off-site backups
Disaster recovery
Redundancy
Failover
Proper monitoring
Environmental controls
Virtualization
Server clustering
Continuity of operations planning
2. List at least three kinds of damage a company could suffer when the integrity of
a program or company data is compromised. (3pts)
Three kinds of damage that a company would suffer when the integrity of a program or company
data is compromised, and the latest concepts used to counter the vulnerability attack, are listed
below. Loss of confidentiality; the company's old history stored in computers may be lost; loss in
shares.
A hacker breaks down the system by using various hacking tools and modifies the data in
an unauthorized manner. The latest concept used in this case is network controls. Controls
are the mechanism by which a vulnerability or threat can be prevented. Controls such as
password control prevent the hacker from breaking down the system.
Viruses or worms get downloaded from the internet and modify the data of the system. The latest
concept used is to install antivirus software on the system, which protects the system from new
viruses, worms, and Trojan horses.
Malware, short for malicious software, is any software used to gather sensitive information, or gain access
to private computer systems. Malware is defined by its malicious intent, acting against
the requirements of the computer user, and does not include software that causes
unintentional harm due to some deficiency. The term badware is sometimes used, and
applied to both true (malicious) malware and unintentionally harmful software.
A threat is defined as the set of circumstances to the computing system that possesses
the potential to cause loss, damage or harm to the computing system.
A threat is an obvious danger.
Threat: a threat to a computing system is a set of circumstances that has the potential to cause loss
or harm.
Control: we use a control as a protective measure. That is, a control is an action, device, procedure,
or technique that removes or reduces a vulnerability; a threat is blocked by control of a vulnerability.
4. Do you currently use any computer security control measures? If so, what?
Against what attacks are you trying to protect? (3pts)
Yes. As computer security control measures we use the following:
User account access controls and cryptography can protect systems files and data,
respectively.
Firewalls are by far the most common prevention systems from a network security
perspective as they can (if properly configured) shield access to internal network
services, and block certain kinds of attacks through packet filtering. Firewalls can be both
hardware- or software-based.
Intrusion Detection System (IDS) products are designed to detect network attacks in-
progress and assist in post-attack forensics, while audit trails and logs serve a similar
function for individual systems.
"Response" is necessarily defined by the assessed security requirements of an individual
system and may cover the range from simple upgrade of protections to notification of
legal authorities, counter-attacks, and the like. In some special cases, the complete
destruction of the compromised system is favored, as it may happen that not all the
compromised resources are detected.
Generally: I use access control so that no one but I can get to the framework as executive by
utilizing login id and secret key. I likewise utilize anti infection programming to shield the PC
from malignant programming and other malware assaults, consistently change my wifi secret
word to forestall hacking, and do not open messages from obscure persons, to keep away from
phishing messages.
A security policy must identify all of a company's assets as well as all the potential threats to
those assets. Company employees need to be kept updated on the company's security policies.
The policies themselves should be updated regularly as well.
A security policy is a formal statement of rules and practices that specify or regulate how a
system or organization provides security services to protect sensitive and critical system
resources. Such a formal security policy lends itself to being enforced by the system’s technical
controls as well as its management and operational controls. In developing a security policy, a
security manager needs to consider the following factors:
6. Discuss the difference between symmetric cryptography and public key
cryptography (3pts)
Symmetric cryptography is the way that the vast majority of cryptographic schemes have worked
since the dawn of time. The same secret — the “key” — that’s used to encrypt a message is also
used to decrypt it. This keeps things simple, but it creates a huge problem: key secrecy. If you
want to send a secret message to me, we need to both know the key. If you suspect that the key is
compromised, how do you safely send a new key to me?
Public key cryptography is a new advancement. In public key cryptography there are two keys,
not one. A message encrypted with one key can only be decrypted with the other. That means
that I can generate a pair of keys and use them very differently. One key is my “public key”; I
can shout it to the world. The other key is my “private key”; ideally I share it with no one. If you
know my public key, you can use it to encrypt a message and send it to me. Even though you
don’t know my private key, you can be sure that I’ll be able to decode the message.
Because symmetric key cryptography uses the same key for both decryption and encryption, it is
much faster than public key cryptography, is easier to implement, and generally requires less
processing power. A disadvantage of symmetric key cryptography is that the 2 parties sending
messages to each other must agree to use the same private key before they start transmitting
secure information. This may be impossible depending on the circumstances – because the 2
parties who want to communicate with each other through a secure means may be on different
sides of the world. And this means that they will need a secure way to tell each other what the
private key will be – if there were a secure way to do this, then the cryptography would not have
been necessary in the first place in order to create that secure channel.
The advantage of using public key cryptography is that the public key used for encryption does
not need to remain secure (that is why it’s called “public” – because it does not matter if other
people know about it). What often happens is that people use public key cryptography to create a
shared session key and then they communicate through symmetric key cryptography using the
shared session key. This way they can get the best of both worlds – the performance/speed of
shared key cryptography along with the convenience of public key cryptography.
However, Electronic Code Book is not a good system to use with small block sizes (for example,
smaller than 40 bits) and identical encryption modes. This is because some words and phrases
may be reused often enough so that the same repetitive part-blocks of cipher text can emerge,
laying the groundwork for a codebook attack where the plaintext patterns are fairly obvious.
However, security may be improved if random pad bits are added to each block. On the other
hand, 64-bit or larger blocks should contain enough unique characteristics (entropy) to make a
codebook attack unlikely to succeed.
In terms of error correction, any bit errors in a cipher text block affect decryption of that block
only. Chaining dependency is not an issue in that reordering of the cipher text blocks will only
reorder the corresponding plaintext blocks, but not affect decryption.
Cipher block chaining (CBC) is a mode of operation for a block cipher (one in which a
sequence of bits are encrypted as a single unit or block with a cipher key applied to the
entire block). Cipher block chaining uses what is known as an initialization vector (IV) of
a certain length. One of its key characteristics is that it uses a chaining mechanism that
causes the decryption of a block of cipher text to depend on all the preceding cipher text
blocks. As a result, the entire validity of all preceding blocks is contained in the
immediately previous cipher text block. A single bit error in a cipher text block affects
the decryption of all subsequent blocks. Rearrangement of the order of the ciphertext
blocks causes decryption to become corrupted.
Ciphertext feedback (CFB) is a mode of operation for a block cipher. In contrast to the
cipher block chaining (CBC) mode, which encrypts a set number of bits of plaintext at a
time, it is at times desirable to encrypt and transfer some plaintext values instantly one at
a time, for which ciphertext feedback is a method. Like cipher block chaining, ciphertext
feedback also makes use of an initialization vector (IV). CFB uses a block cipher as a
component of a random number generator.
In cryptography, output feedback (OFB) is a mode of operation for a block cipher. It has
some similarities to the ciphertext feedback mode in that it permits encryption of
differing block sizes, but has the key difference that the output of the encryption block
function is the feedback (instead of the ciphertext). The XOR (exclusive OR) value of
each plaintext block is created independently of both the plaintext and ciphertext. It is
this mode that is used when there can be no tolerance for error propagation, as there are
no chaining dependencies. Like the ciphertext feedback mode, it uses an initialization
vector (IV). Changing the IV in the same plaintext block results in different ciphertext.
The DES (Data Encryption Standard) algorithm is a symmetric-key block cipher created in the
early 1970s by an IBM team and adopted by the National Institute of Standards and Technology
(NIST). The algorithm takes the plain text in 64-bit blocks and converts them into ciphertext
using 48-bit keys.
Since it’s a symmetric-key algorithm, it employs the same key in both encrypting and decrypting
the data. If it were an asymmetrical algorithm, it would use different keys for encryption and
decryption.
DES is based on the Feistel block cipher, called LUCIFER, developed in 1971 by IBM
cryptography researcher Horst Feistel. DES uses 16 rounds of the Feistel structure, using a
different key for each round.
DES became the approved federal encryption standard in November 1976 and was subsequently
reaffirmed as the standard in 1983, 1988, and 1999. For the longest time, DES was the data
encryption standard in information security.
DES’s dominance came to an end in 2002, when the Advanced Encryption Standard (AES)
replaced the DES encryption algorithm as the accepted standard, following a public competition
to find a replacement. NIST officially withdrew FIPS 46-3 (the 1999 reaffirmation) in May
2005, although Triple DES (3DES) remains approved for sensitive government information
through 2030.
Triple DES is a symmetric key-block cipher which applies the DES cipher in triplicate. It
encrypts with the first key (k1), decrypts using the second key (k2), then encrypts with the third
key (k3). There is also a two-key variant, where k1 and k3 are the same keys.
The NIST had to replace the DES algorithm because its 56-bit key lengths were too small,
considering the increased processing power of newer computers. Encryption strength is related to
the key size, and DES found itself a victim of the ongoing technological advances in computing.
It reached a point where 56-bit was no longer good enough to handle the new challenges to
encryption.
Note that just because DES is no longer the NIST federal standard, it doesn’t mean that it’s no
longer in use. Triple DES is still used today, but it’s considered a legacy encryption algorithm.
Note that NIST plans to disallow all forms of Triple-DES from 2024 onward. All things being
equal, you may want to familiarize yourself with AES as well, considering that it has knocked
DES off the top of the data encryption heap.
To put it in simple terms, DES takes 64-bit plain text and turns it into a 64-bit ciphertext. And
since we’re talking about a symmetric algorithm, the same key is used when it’s time to decrypt
the text.
1. The process begins with the 64-bit plain text block getting handed over to an initial
permutation (IP) function.
2. The initial permutation (IP) is then performed on the plain text.
3. Next, the initial permutation (IP) creates two halves of the permuted block, referred to as
Left Plain Text (LPT) and Right Plain Text (RPT).
4. Each LPT and RPT goes through 16 rounds of the encryption process.
5. Finally, the LPT and RPT are rejoined, and a Final Permutation (FP) is performed on the
newly combined block.
The encryption process step (step 4, above) is further broken down into five stages:
Key transformation
Expansion permutation
S-Box permutation
P-Box permutation
XOR and swap
For decryption, we use the same algorithm, and we reverse the order of the 16 round keys.
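The Feistel structure described here and the ECB and CBC behaviour discussed earlier, as an added example that is not part of the original answers: a toy 16-round Feistel cipher whose decryption is the same routine with the round keys reversed, used to compare the two modes on repeated plaintext blocks. The HMAC-based round function, the key schedule and the sample key, IV and plaintext are assumptions for illustration; this is not DES (no IP/FP, S-boxes or P-box) and is not for real use.

```python
import hashlib
import hmac

BLOCK, ROUNDS = 8, 16  # 64-bit block and 16 rounds, as in DES

def round_keys(key):
    # Toy key schedule (assumption, not the DES one): one subkey per round.
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block, subkeys):
    # Split into left/right halves, run the rounds, then undo the last swap.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for k in subkeys:
        # Stand-in round function: HMAC-SHA256 truncated to half a block.
        f = hmac.new(k, right, hashlib.sha256).digest()[:BLOCK // 2]
        left, right = right, xor(left, f)
    return right + left

def encrypt_block(block, key):
    return feistel(block, round_keys(key))

def decrypt_block(block, key):
    # Same algorithm, round keys in reverse order.
    return feistel(block, round_keys(key)[::-1])

def split(data):
    if len(data) % BLOCK:
        raise ValueError("this demo uses no padding")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(pt, key):
    return b"".join(encrypt_block(b, key) for b in split(pt))

def ecb_decrypt(ct, key):
    return b"".join(decrypt_block(c, key) for c in split(ct))

def cbc_encrypt(pt, key, iv):
    out = [iv]
    for b in split(pt):
        out.append(encrypt_block(xor(b, out[-1]), key))  # chain on previous block
    return b"".join(out[1:])

def cbc_decrypt(ct, key, iv):
    prev = [iv] + split(ct)
    return b"".join(xor(decrypt_block(c, key), p) for c, p in zip(split(ct), prev))

def repeated_blocks(ct):
    # Number of ciphertext blocks that duplicate an earlier one.
    return len(split(ct)) - len(set(split(ct)))

if __name__ == "__main__":
    key, iv = b"constructed demo key", b"\x01" * BLOCK   # constructed values
    pt = b"PAY 100$" * 3 + b"PAY 999$"                    # constructed plaintext
    print("ECB repeats:", repeated_blocks(ecb_encrypt(pt, key)))
    print("CBC repeats:", repeated_blocks(cbc_encrypt(pt, key, iv)))
```

With the constructed plaintext, ECB leaks the three identical blocks as repeated ciphertext, while CBC with an IV shows no repeats.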
RSA was first publicly described in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman of
the Massachusetts Institute of Technology, though the 1973 creation of a public key algorithm by
British mathematician Clifford Cocks was kept classified by the U.K.'s GCHQ until 1997.
Public key cryptography, also known as asymmetric cryptography, uses two different but
mathematically linked keys -- one public and one private. The public key can be shared with
everyone, whereas the private key must be kept secret.
In RSA cryptography, both the public and the private keys can encrypt a message; the opposite
key from the one used to encrypt a message is used to decrypt it. This attribute is one reason why
RSA has become the most widely used asymmetric algorithm: It provides a method to assure the
confidentiality, integrity, authenticity, and non-repudiation of electronic communications and
data storage.
Many protocols like secure shell, OpenPGP, S/MIME, and SSL/TLS rely on RSA for encryption
and digital signature functions. It is also used in software programs -- browsers are an obvious
example, as they need to establish a secure connection over an insecure network, like the
internet, or validate a digital signature. RSA signature verification is one of the most commonly
performed operations in network-connected systems.
RSA derives its security from the difficulty of factoring large integers that are the product of two
large prime numbers. Multiplying these two numbers is easy, but determining the original prime
numbers from the total -- or factoring -- is considered infeasible due to the time it would take
using even today's supercomputers.
The public and private key generation algorithm is the most complex part of RSA cryptography.
Two large prime numbers, p and q, are generated using the Rabin-Miller primality test
algorithm. A modulus, n, is calculated by multiplying p and q. This number is used by both the
public and private keys and provides the link between them. Its length, usually expressed in bits,
is called the key length.
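The key generation described above, as an added example that is not part of the original answers: Miller-Rabin prime generation, the modulus n = p * q, and textbook RSA applied with either key. It goes beyond the text by also deriving the exponents; the public exponent 65537, the private exponent as its modular inverse, and the sample message are assumptions, and there is no padding, so this is for illustration only.

```python
import math
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin: False means composite, True means prime with error <= 4**-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    s, d = 0, n - 1
    while d % 2 == 0:                      # write n - 1 = 2**s * d with d odd
        s, d = s + 1, d // 2
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)   # random base in [2, n - 2]
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                   # this base is a witness: n is composite
    return True

def random_prime(bits):
    while True:
        # Set the top two bits (so p * q has exactly 2 * bits bits) and the low bit (odd).
        candidate = secrets.randbits(bits) | (0b11 << (bits - 2)) | 1
        if is_probable_prime(candidate):
            return candidate

def generate_keypair(bits=2048, e=65537):
    """Return ((n, e), (n, d)); bits is the key length, i.e. the bit length of n."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_apply(message, key):
    """Textbook RSA on an integer: no padding, so for illustration only."""
    n, exponent = key
    if not 0 <= message < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(message, exponent, n)

if __name__ == "__main__":
    public, private = generate_keypair(1024)
    m = int.from_bytes(b"constructed sample message", "big")
    assert rsa_apply(rsa_apply(m, public), private) == m   # encrypt, then decrypt
    assert rsa_apply(rsa_apply(m, private), public) == m   # sign, then verify
    print("key length:", public[0].bit_length(), "bits")
```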
C. AES ALGORITHM
The Advanced Encryption Standard (AES) is a symmetric block cipher chosen by the U.S.
government to protect classified information. AES is implemented in software and hardware
throughout the world to encrypt sensitive data. It is essential for government computer security,
cyber security and electronic data protection.
The National Institute of Standards and Technology (NIST) started development of AES in 1997
when it announced the need for an alternative to the Data Encryption Standard (DES), which was
starting to become vulnerable to brute-force attacks.
NIST stated that the newer, advanced encryption algorithm would be unclassified and must be
"capable of protecting sensitive government information well into the [21st] century." It was
intended to be easy to implement in hardware and software, as well as in restricted environments
-- such as a smart card -- and offer decent defenses against various attack techniques.
AES-128 uses a 128-bit key length to encrypt and decrypt a block of messages, while AES-192
uses a 192-bit key length and AES-256 a 256-bit key length to encrypt and decrypt messages.
Each cipher encrypts and decrypts data in blocks of 128 bits using cryptographic keys of 128,
192 and 256 bits, respectively.
Symmetric, also known as secret key, ciphers use the same key for encrypting and decrypting, so
the sender and the receiver must both know -- and use -- the same secret key. The government
classifies information in three categories: Confidential, Secret or Top Secret. All key lengths can
be used to protect the Confidential and Secret level. Top Secret information requires either 192-
or 256-bit key lengths.
There are 10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit keys.
A round consists of several processing steps that include substitution, transposition and mixing
of the input plaintext to transform it into the final output of cipher text.