Duration: 60 min VI semester ISE Dept 21ISE161

Cryptography &
Information Security
Prof: Dr Saritha Chakrasali
ENGAGE 5
min

https://forms.gle/J5kfXPBTa9QWPV5E9

EXPLORE
EXPLAIN
CIA triad
■ Confidentiality: Preserving authorized restrictions on information access and disclosure,
including means for protecting personal privacy and proprietary information.
A loss of confidentiality is the unauthorized disclosure of information.

■ Integrity: Guarding against improper information modification or destruction, including

ensuring information nonrepudiation and authenticity.
A loss of integrity is the unauthorized modification or destruction of information.

■ Availability: Ensuring timely and reliable access to and use of information.

A loss of availability is the disruption of access to or use of information or an information
system.

■ Authenticity: The property of being genuine and being able to be verified and trusted;
confidence in the validity of a transmission, a message, or message originator. This means
verifying that users are who they say they are and that each input arriving at the system came
from a trusted source.

■ Accountability: The security goal that generates the requirement for actions of an entity to be
traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation,
intrusion detection and prevention, and after action recovery and legal action. Because truly
secure systems are not yet an achievable goal, we must be able to trace a security breach to a
responsible party. Systems must keep records of their activities to permit later forensic analysis
to trace security breaches or to aid in transaction disputes
ENGAGE 10
min

Three levels of impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or
availability)

EXPLORE
EXPLAIN
OSI Security Architecture

■ Security attack: Any action that compromises the security of information owned by an organization.

■ Security mechanism: A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from
a security attack.

■ Security service: A processing or communication service that enhances the security of the data processing systems and the
information transfers of an organization. The services are intended to counter security attacks, and they make use of one or
more security mechanisms to provide the service.
EXPLAIN

Passive Attacks
• Release of message contents
• Traffic Analysis
EXPLAIN Active Attacks
EXPLAIN Active Attacks
•X.800 defines a security service as a
service that is provided by a protocol
layer of communicating open systems
and that ensures adequate security of
the systems or of data transfers.
EXPLAIN Security Mechanisms
EXPLAIN
ENGAGE 10
min

Attack Tree

EXPLORE
EXPLAIN Model for Network Security

This general model shows that there are four

basic tasks in designing a particular security
service:
1. Design an algorithm for performing the
security-related transformation. The
algorithm should be such that an
opponent cannot defeat its purpose.
2. 2. Generate the secret information to be
used with the algorithm.
3. 3. Develop methods for the distribution
and sharing of the secret information.
4. 4. Specify a protocol to be used by the
two principals that makes use of the
security algorithm and the secret
information to achieve a particular
security service.
ENGAGE 10
min

Consider an automated cash deposit machine in which

users provide a card or an account number to deposit
cash. Give examples of confidentiality, integrity, and
avail ability requirements associated with the system,
and, in each case, indicate the degree of importance of
the requirement.

EXPLORE
ENGAGE 10
min

For each of the following assets, assign a low, moderate, or high impact level for the loss of
confidentiality, availability, and integrity, respectively. Justify your answers.
a. A student maintaining a blog to post public information.
b. An examination section of a university that is managing sensitive information about exam
papers.
c. An information system in a pathological laboratory maintaining the patient’s data.
d. A student information system used for maintaining student data in a university that
contains both personal, academic information and routine administrative in formation (not
privacy related). Assess the impact for the two data sets separately and the information
system as a whole.
e. A University library contains a library management system which controls the distribution
of books amongst the students of various departments. The library management system
contains both the student data and the book data. Assess the impact for the two data sets
separately and the information system as a whole.

EXPLORE