TTM4135: Information Security
Chapter 1: Computer Security Concepts
Computer Security
The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).
The CIA triad
Traditional definitions of information security are based on three information security goals:
 Conﬁdentiality
 Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
 Integrity
 Guarding against improper information modification or destruction, including information nonrepudation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
 Availability
 Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
Although the use of the CIA triad to define security objectives is well established, some in the security field feel that additional concepts are needed to present a complete picture. Two of the most commonly mentioned are as follows:
 Authenticity
 The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator. This means verifying that users are who they say they are and that each input arriving at the system came from a trusted source.
 Accountability
 The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudation, deterrence, fault isolation, intrusion detection and prevention, and afteraction recovery and legal action. Because truly secure systems are not yet an achievable goal, we must be able to trace a security breach to a responsible party. Systems must keep records of their activities to permit later forensic analysis to trace security breaches or to aid in transaction disputes.
Security Attacks
Security attacks can be either passive or active.
Passive attacks
Passive attacks are in the nature of eavsdropping on, or monitoring of, transmissions. The goal of the attacker is to obtain information that is being transmitted. Two types of passive attacks are the release of message contents (eavesdropping) and traffic analysis.
 Eavesdropping
 The attacker monitors the communication, for example by sniffing packets or tapping a telephone wire.
 Traffic analysis
 The attacker monitors the amount, source and destination of communication.
Passive attacks are very difficult to detect, because they do not involve any alteration of the data. Typically, the message traffic is sent and received in an apparently normal fashion, and neither the sender nor receiver is awere that a third party has read the messages or observed the traffic pattern. however, it is feasible to prevent the success of these attacks, usually by means of encryption. Thus, the emphasis in dealing with passive attacks is on prevention rather than detection.
Active attacks
Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service.
 Masquerade
 The attacker claims to be a different entity.
 Replay
 The attacker sends a message which has already been sent.
 Modification of messages
 The attacker changes messages during transmission.
 Denial of service
 The attacker prevents legitimate users from accessing resources
Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely because of the wide variety of potential physical, software, and network vulnerabilities. Instead, the goal is to detect active attacks and to recover from any disruption or delays caused by them. If the detection has a deterrent effect, it may also contribute to prevention.
Security services
A security service is a processing or communication service to give a specific kind of protection to system resources.
 Peer entity authentication
 Provides confirmation of the claimed identity of an entity.
 Data origin authentication
 Provides confirmation of the claimed source (origin) of a data unit (message).
 Access control
 Provides protection against unauthorized use of resources.
 Access control service
 Is usually provided in combination with authentication and authorisation services.
 Data confidentiality
 Protects data against unauthorised disclosure.
 Traffic flow confidentiality
 Protects disclosure of data which can be derived from knowledge of traffic flows.
 Data integrity
 Detects any modification, insertion, deletion or replay of data in a message or a stream of messages.
 Nonrepudiation
 Protects against any attempt by the creator of a message to falsely deny creating the data or its contents. X.800 talks about nonrepudiation of origin to protect against denial by the sender of a message, and nonrepudiation of receipt to protect against denial by the recipient of a message.
 Availability service
 protects a systems against denial of service. It is not listed in X.800 as a separate service.
Security mechanisms
A security mechanism is a method of implementing one or more security services.
 Encipherment
 Transformation of data in order to hide its information content
 Digital signature mechanisms:
 Cryptographic algorithms which transform data using a signing key. The essential property is that signed data can only be created with the signing key.
 Access control mechanisms
 Access control lists, passwords, or tokens may be used to indicate access rights.
 Data Integrity mechanisms
 "Corruption detection techniques" which can be used with "sequence information".
 Authentication exchange mechanisms
 Protocols which exchange information to ensure identity of protocol participants. We will study examples such as TLS later.
 Traffic padding
 Spurious traffic generated to protect against traffic analysis. Traffic padding is typically used in combination with encipherment.
 Routing control mechanism
 Use of specific secure routes.
 The notarization mechanism
 Uses a trusted third party to assure the source or receipt of data. The trusted third party is sometimes called a notary.
Risk management
A key tool in information security management.
 Identify threats
 Classify all threats according to likelihood and severity
 Apply security controls based on cost benefit analysis
Chapter 2: Number Theory
Please feel free to fill this missing chapter.
Chapter 3: Classical Encryption Techniques:
Symmetric Cipher Model
A symmetric encryption scheme has five ingredients:
 Plaintext
 This is the original intelligible message or data that is fed into the algorithm as input.
 Encryption algorithm
 The encryption algorithm performs various substitutions and transformations on the plaintext.
 Secret key
 The secret key is also input to the encryption algorithm. The key is a value independent of the plaintext and of the algorithm. The algorithm will produce a different output depending on the specific key being used at the time. The exact substitutions and transformations performed by the algorithm depend on the key.
 Ciphertext
 This is the scrambled message produced as output. It depends on the plaintext and the secret key. for a given message, two different keys will produce two different ciphertexts. The ciphertext is an apparently random stream of data and, as it stands, is unintelligible.
 Decryption algorithm
 This is essentially the encryption algorith run in reverse. It takes the ciphertext and the secret key and produces the original plaintext.
There are two requirements for seccure use of conventional encryption:

We need a strong encryption algorithm. At a minimum, we would like the algorithm to be such that an opponent who knows the algorithm and has access to one or more ciphertexts would be unable to decipher the ciphertext or figure out the key. This requirement is usually stated in a stronger form: The opponent should be unable to decrypt ciphertext or discover the key even if he or she is in possession of a number of ciphertexts together with the plaintext that produced each ciphertext.

Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key secure. If someone can discover the key and knows the algorithm, all communication using this key is readable.
Cryptography
Cryptographic systems are characterized along three independent dimensions:

The type of operations used for transforming plaintext to ciphertext. All encryption algorithms are based on two general principles: substitution, in which each element in the plaintext (bit, letter, group of bits or letter) is mapped into another element, and transposition, in which elements in the plaintext are rearranged. The fundamental requirement is that no information be lost (i.e., that all operations are reversible). Most systems, referred to as product systems, involve multiple stages of substitutions and transpositions.

The number of keys used. If both sender and receiver use the same key, the system is referred to as symmetric, singlekey, secretkey, or conventional encryption. If the sender and receiver use different keys, the system is referred to as asymmetric, twokey, or publickey encryption.

The way which the plaintext is processed. A block cipher processes the input one block of elements at a time, producing an output block for each input block. A stream cipher processes the input elements continuously, producing output one element at a time, as it goes along.
Cryptoanalysis and BruteForce Attack
Typically the objective of attacking an encryption system is to recover the key in use rather than simply to recover the plaintext of a single ciphertext. There are two general approaches to attacking a conventional encryption scheme:
 Cryptoanalysis
 Cryptoanalytic attacks rely on the nature of the algorithm plus perhaps some knowledge of the general characteristics of the plaintext or even some sample plaintextciphertext pairs. This type of attack exploits the characteristics of the the algorithm to attempt to deduce a specific plaintext or to deduce the key being used.
 Bruteforce attack
 The attacker tries every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained. On average, half of all possible keys must be tried to achieve success.
Type of Attacks on Encrypted Messages
 Ciphertext only
 Encryption algorithm and ciphertext are known to cryptanalyst.
 Known plaintext
 Encryption algorithm, ciphertext, and plaintext message chosen by crpytanalyst, together with its corrresponding ciphertext generated with the secret key are known to cryptanalyst.
 Chosen ciphertext
 Encryption algorithm, ciphertext, and ciphertext chosen by crpytanalyst, together with its corrresponding plaintext generated with the secret key are known to cryptanalyst.
 Chosen text
 Encryption algorithm, ciphertext, plaintext message chosen by crpytanalyst, together with its corrresponding ciphertext generated with the secret key, and ciphertext chosen by crpytanalyst, together with its corrresponding plaintext generated with the secret key are known to cryptanalyst.
Transposition Techniques
Encrypt the plaintext by performing some sort of permutation on the letters.
The Rail Fence technique
The simplest transposition cipher. The plaintext is written down as a sequence of diagonals and then read off as a sequence of rows.
https://www.youtube.com/watch?v=VRiN9M0v3ZQ
Definitions
These are definitions found in course material (mostly exercises) which may prove useful for the exam
Chapter 1
 Availability
 ensuring resources are accessible when required by an authorised user
 Cipher
 See own section
 Conﬁdentiality
 preventing unauthorised disclosure of information
 Data origin authentication
 provides confirmation of the claimed source (origin) of a data unit (message)
 Entity authentication
 provides confirmation of the claimed identity of an entity
 Integrity
 preventing unauthorised (accidental or deliberate) modification or destruction of information
 Kerckhoffs’ principle
 the cryptanalyst has complete knowledge of the cipher. The only unknown part is the decryption key.
 Nonrepudiation
 Ensures that you cannot hide the source (origin) of a data unit (message).
 Substitution
 each character (or set of characters) is replaced by a different character (or set of characters)
 Transposition
 the characters in the plaintext are mixed up with each other (permuted)
Chapter 2
 Confusion
 This involves substitution to make the relationship between the key and ciphertext as complex as possible.
 Diffusion
 This involves transformations that dissipate the statistical properties of the plaintext across the ciphertext. (A small change in plaintext should give a completely different ciphertext)
 Feistel cipher
 An iterated cipher in which the round function swaps the two halves of the block and forms a new right hand half
 Iterated cipher
 Most modern ciphers in this category, read more below.
 Product cipher
 A product cipher is a cryptosystem in which the encryption function is formed by applying (or composing) several subencryption functions.
 Substitutionpermutation network
 An iterated cipher. Takes a block of the plaintext and the key as inputs, and applies several rounds of permutations, known as substitution boxes(Sbox) and permutation boxes (Pbox). A Sbox substitutes subblocks of size l bits (its input) by another block of bits (its output). It can be thought of as a substitution cipher. A Pbox takes the output from the Sboxes of one round, permutes the bits and feed them into the Sboxes in the next round. It can be thought of as a transposition cipher. At each round, the round key is combined with some operation such as XOR.
 Group generator
 A group generator is a group element g that in the operation
$g^k \mod p$ represents all the elements that are relatively prime to p. Consider for example the group G$\mathbb{Z}_5$ . G consists of the elements {1, 2, 3, 4}. One or several of these group elements may be a group generator for G. A way to check this is to use$g^k \mod 5$ for the k group elements and see if they represent all the group elements.
Example:
2 is a group generator for
 Finite ﬁeld
 placeholder
Chapter 3
 Electronic Code Book (ECB) Mode
 The basic mode of a block cipher. Plaintext block
$P$ is encrypted with key$K$ to produce ciphertext block$C_t$ . Ciphertext block$C$ is decrypted with key$K$ to produce plaintext block$P_t$ .  Cipher Block Chaining (CBC) Mode
 A random initialization vector (IV) is chosen and sent together with the ciphertext blocks.
$C_t=E(P_t\oplus C_{t1},K)$ where$C_0=IV$ $P_t=D(C_t,K)\oplus C_{t1}$ where$C_0=IV$  CTR Mode
 CTR is a synchronous stream cipher. The keystream is generated by encrypting successive values of a "counter", initialised using a nonce (randomly chosen value) N:
$O_t=E(T_t,K)$ , where$T_t=Nt$ is the concatenation of the nonce and block number t. Encryption:$C_t=O_t\oplus P_t$ . Decryption:$P_t=O_t\oplus C_t$ .  True Random Number Generator (TRNG)
 is a physical process which outputs each valid string independently with equal probability
 Pseudo Random Number Generator (PRNG)
 is a deterministic algorithm which approximates a TRNG.
 Message Authentication Code (MAC)
 A message authentication code (MAC) is a cryptographic mechanism used for ensuring message integrity. A MAC tag should at least be of length
$\log_2{I/R}$ where$I$ is a limit on how many invalid messages are detected before the key is changed and$R$ is the acceptable probability that a false message is accepted.  Stream Cipher
 Stream ciphers are characterised by the generation of a keystream using the short key and an initialisation value as input. Each element of the keystream is used successively to encrypt one or more ciphertext characters. Stream ciphers are usually symmetric key ciphers: sender and receiver share the same key and can generate the same keystream given the same initialisation value.
 Synchronous stream ciphers
 The keystream is generated independently of the plaintext. Both sender and receiver need to generate the same keystream and synchronise on its usage.
 One Time Pad
 The key is a random sequence of characters, all of them independently generated. Each character in the key is used one time only. The onetime pad provides perfect secrecy.
 Linear Feedback Shift Register
 A LFSR is a common component in design of stream ciphers.
Chapter 4
 Factorisation problem
 Given an integer of m bits, find its prime factors. Factorisation by trial division is an exponential time algorithm and is hopeless for numbers of a few hundred bits. A number of special purpose methods exist, which apply if the integer to be factorised has special properties. The best current general method is known as the number field sieve. The number field sieve is a subexponential time algorithm.
 Discrete logarithm problem
 Let g be a generator of
$\mathbb{Z}_p^*$ for a prime p. The discrete log problem over$\mathbb{Z}_p^*$ is: given y in$\mathbb{Z}_p^*$ find x with y =$g^x$ mod p.  Big Onotation
 placeholder
 Fermat test
 if a number p is prime then
$a^{p−1}$ mod p = 1 for all a with gcd(a, p) = 1. If we examine a number n and find that$a^{n−1}$ mod n$\neq$ 1 then we know that n is not prime.  MillerRabin test
 placeholder
 RSA Encryption equation
 placeholder
 RSA Decryption equation
 placeholder
 RSA Padding
 placeholder
 Prime number theorem
 placeholder
 Håstad's attack
 placeholder
Chapter 5
 Generator of
$\mathbb{Z}_p^*$  placeholder
 DiffieHellman key exchange
 placeholder
 Elgamal cryptosystem
 placeholder
 Collision resistance
 placeholder
 Second preimage resistance
 placeholder
 Onewayness
 placeholder
 Birthday paradox
 placeholder
 HMAC
 placeholder
 GCM Mode
 placeholder
Chapter 6
 Digital signature
 placeholder
 Existential forgery
 placeholder
 Selective forgery
 placeholder
 Digital Signature Algorithm (DSA)
 placeholder
 Key predistribution
 placeholder
 Session key distribution
 placeholder
 Key agreement
 placeholder
 NeedhamSchroeder protocol
 placeholder
 Kerberos
 placeholder
TODO: Scrape definitions from all exercises (currently they are just from exercise 16)
Ciphers
Symmetric cipher
(secret key cipher) encryption and decryption keys known only to sender and receiver. (DES)
Asymmetric cipher
(public key cipher) each participant has a public key and a private key, may allow both encryption and signatures. (RSA)
Attacks
Ciphertext only attack
the cryptanalyst has available only the intercepted cipher text.
Known plaintext attack
the cryptanalyst knows a small amount of plaintext and its cipher text equivalent
Chosen plaintext attack
The cryptanalyst can obtain the cipher text equivalent of some plaintext which can be selected by the attacker, i.e the attacker has an "inside encryptor” available
Chosen cipher text attack
The cryptanalyst can obtain the plaintext equivalent of some cipher text which can be selected by the attacker, i.e. the attacker has an “inside decryptor” available.
Historical ciphers
 Caesar
 Substitution
 Vigenère. Caesar, but also uses a key in order to choose how many steps to shift the alphabet for each letter
Stream ciphers
Block ciphers
DES
TripleDES
To increase the security of DES, the algorithm may be run multiple times. Two times would be the simplest, but is vulnerable to a meetinthemiddle attack.
To counter this, three runs are needed. This is often implemented as EncryptDecryptEncrypt. This allows backwards compatibility with normal DES, by using the same key for all three steps:
While 3DES takes three keys as parameters, using it with only two keys is enough to stop the meetinthemiddle attack, and often good enough:
Some applications, like PGP and S/MIME, still use three keys with 3DES.
AES
Consists of four stages:
 Substitute bytes
 Uses an Sbox to perform a bytebybyte substitution of the block
 ShiftRows
 A simple permutation
 MixColumns
 A substitution that makes use of arithmetic over
$GF(2^8)$  AddRoundKey
 A simple bitwise XOR of the current block with a portion of the expanded key
Only the AddRoundKey
stage makes use of the key. The other three stages provides confusion, diffusion and nonlinearity, but no security in themselves.
When decrypting with AES, the inverses of the three first stages are used. The AddRoundKey
stage is the same, because
Key expansion
 Input
 16byte key.
 Output
 176 bytes (44 words)
The first four words are used in the initial AddRoundKey step. The next ten wordgroups are used in the ten rounds of the cipher.
RSA
Iterated ciphers
 Encryption process divided into r similar rounds
 the sub encryption functions g are the same for all rounds
 Each key
$K_i$ is derived from the overall master key K. The keys$K_i$ are called round keys or subkeys and are derived from K using a process called the key schedule.
Encryption
Given a plaintext block, P, a round function g and round keys
Pseudorandom number generation
Generated numbers should be as random as possible. This is defined by two criteria:
 Uniform distribution
 The frequency of occurence of ones and zeros should be approximately equal.
 Independence
 It should not be possible to infer a subsequence from any other.