INFORMATION ASSURANCE AND SECURITY
What is information assurance and security?
Information assurance and security means safeguarding an organization's data from unauthorized access or modification, keeping the data safe from attacks, and assuring that the data is protected with different types of cryptographic algorithms.
The main terms used in the process of converting the plain text into the encrypted text are:
- Plain text: the text which is going to be encrypted and sent to the recipient.
- Encryption algorithm: the plain text is encrypted by using an algorithm which converts the plain text into the encrypted text.
- Secret key: it is the input to the algorithm, which sets the parameters for the encryption process based on it.
- Cipher text: the final outcome of the encryption algorithm is the encrypted text. In technical terms it is also called cipher text.
What is a security attack?
Any action that leads to the insecurity of the organization's data is termed a security breach or attack. There are two types of security attacks.
- Passive attacks.
- Active attacks.
In passive attacks the attacker's aim is to sniff the information passing over the communication channel; there is no modification of data in this type of attack. The users of the communication channel cannot identify the third party who is sniffing the data, even through the acknowledgement, because there is no loss in the actual data which is sent.
Passive attacks are mainly of two types.
- Release of message contents.
- Traffic analysis.
Release of message contents:
It refers to the unauthorized access or interception of data. An unauthorized party gets the information throughout the conversation over the communication channel.
Traffic analysis is the process of intercepting messages in order to deduce information from patterns in communication. The opponent may determine the origin and the identity of the communicating hosts.
Unlike passive attacks, active attacks may lead to the change or modification of data. This type of attack can also cause damage to the systems. Here the recipient will know, through the proper acknowledgment, that the data has been attacked. Active attacks are mainly of four types.
- Modification of messages.
- Denial of service.
It is a type of attack where the attacker acts as an authorized user of a system in order to gain access to it or to gain greater privileges than they are authorized for.
It is a type of network attack in which a valid data transmission is repeated or delayed. In this attack the attacker captures the message from the sender and replays it to the receiver.
Modification of messages:
In this type of attack the attacker modifies the message which is sent by the sender and then sends it on to the receiver.
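How a receiver can detect both a repeated transmission and a modified message, as an added example that is not part of the original page. It assumes a shared secret key and a per-message sequence number; the names seal and Receiver and the sample messages are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # shared secret, constructed for this example
TAG_LEN = 32                    # HMAC-SHA256 output size in bytes

def seal(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Sender: 8-byte sequence number + payload + HMAC tag over both."""
    body = seq.to_bytes(8, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_seq = -1      # highest sequence number accepted so far

    def accept(self, packet: bytes) -> str:
        if len(packet) < 8 + TAG_LEN:
            return "rejected: malformed"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Data integrity: any changed byte makes the tag check fail.
        if not hmac.compare_digest(tag, expected):
            return "rejected: modified"
        # Replay: a valid packet seen before carries an old sequence number.
        seq = int.from_bytes(body[:8], "big")
        if seq <= self.last_seq:
            return "rejected: replay"
        self.last_seq = seq
        return "accepted"

def demo() -> list:
    rx = Receiver()
    pkt = seal(1, b"PAY 100 TO ALICE")
    tampered = pkt[:12] + b"9" + pkt[13:]      # "PAY 100" becomes "PAY 900"
    return [
        rx.accept(pkt),                        # original message
        rx.accept(tampered),                   # modified in transit
        rx.accept(pkt),                        # captured and sent again
        rx.accept(seal(2, b"PAY 5 TO BOB")),   # next genuine message
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```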
Denial of service:
In this type of attack the attacker attacks the server of the recipient. Suppose the server has the capacity to handle 1000 requests/sec. The attacker will send 5000 requests/sec. This leads to the failure of the server.
Related terms in encryption:
It is the branch which deals with the study of encryption principles. We can characterize a cryptographic system by:
- Type of encryption operations used.
- Number of keys used.
- Ways in which plain text is processed.
Type of encryption operations used:
- Substitution: In this type a letter is replaced by another letter.
- Transposition: in this type the letters of the given plain text are rearranged.
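The two operations side by side, as an added example that is not part of the original page. It uses a shift cipher as the substitution and a simple column read-out as the transposition; both choices, the function names and the sample text are assumptions made for illustration.

```python
from collections import Counter

def substitute(text: str, shift: int) -> str:
    """Substitution: each letter is replaced by the letter `shift` places later."""
    out = []
    for ch in text:
        if ch.isalpha():
            out.append(chr((ord(ch.upper()) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)

def transpose(text: str, columns: int) -> str:
    """Transposition: write the text row by row, read it column by column."""
    return "".join(text[c::columns] for c in range(columns))

def untranspose(cipher: str, columns: int) -> str:
    """Undo transpose(); the first `extra` columns hold one more letter."""
    rows, extra = divmod(len(cipher), columns)
    cols, pos = [], 0
    for c in range(columns):
        n = rows + (1 if c < extra else 0)
        cols.append(cipher[pos:pos + n])
        pos += n
    return "".join(cols[i % columns][i // columns] for i in range(len(cipher)))

def same_letters(a: str, b: str) -> bool:
    """True when both strings contain exactly the same letters, in any order."""
    return Counter(a) == Counter(b)

PLAIN = "MEETMEATNOON"   # constructed sample plain text

if __name__ == "__main__":
    sub = substitute(PLAIN, 3)
    tra = transpose(PLAIN, 4)
    print("substitution :", sub, "| same letters as plain text:", same_letters(PLAIN, sub))
    print("transposition:", tra, "| same letters as plain text:", same_letters(PLAIN, tra))
    print("recovered    :", substitute(sub, -3), untranspose(tra, 4))
```

Substitution changes which letters appear but keeps their positions; transposition keeps the letters and changes only their order.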
Number of keys used:
- One-key: symmetric encryption.
- Two-key: Asymmetric encryption.
Ways in which plain text is processed:
- Block: in this the plain text is processed block by block.
- Stream: in this the plain text is processed as a stream.
Cryptanalysis is the process of decrypting the cipher text without prior knowledge of the type of encryption algorithm used and the secret key used.
The ways in which cryptanalysis is used are:
- Cryptanalytic attack.
- Brute-force attack.
- Known plaintext.
- Chosen plaintext.
- Chosen cipher text.
- Cipher text only.
The cryptanalyst knows plaintext/cipher text pairs encrypted by that source or with the same key, or finds a relationship between plaintext/cipher text pairs to find the plaintext or key; or there may be a standardized header or banner to an electronic funds transfer message, and so on. All these are examples of known plaintext.
- Similar to the known-plaintext attack, but in this type of attack the plaintext/cipher text pairs are assumed or chosen by the cryptanalyst.
- If the analyst is able somehow to get the source system to insert into the system a message chosen by the analyst, then a chosen-plaintext attack is possible.
Chosen cipher text:
Similar to chosen-plaintext, except that the cipher text is chosen and decrypted by the cryptanalyst.
Cipher text only:
Only the algorithm and the cipher text are known; the cryptanalyst has to find the key and the plaintext.
It is the method where we try to decrypt the cipher text without having any knowledge of the algorithm used and the key.
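Why a standardized header and a small key space weaken a cipher, as an added example that is not part of the original page. It assumes the analyst knows the cipher is a toy repeating-key XOR; the header text, the key and the message are constructed sample values.

```python
from itertools import product

def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Toy cipher: XOR every byte with a repeating key (the same call decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Constructed sample data for this example only.
HEADER = b"EFT-MSG:"                 # standardized header on every message
SECRET_KEY = bytes([0x5A, 0xC3])     # 2-byte key, so 65,536 possible keys
CIPHERTEXT = xor_cipher(HEADER + b"PAY 100 TO ACCT 42", SECRET_KEY)

def key_from_known_plaintext(ciphertext: bytes, known: bytes, key_len: int) -> bytes:
    """Known plaintext: a known byte XOR its cipher byte yields one key byte."""
    return bytes(ciphertext[i] ^ known[i] for i in range(key_len))

def key_by_brute_force(ciphertext: bytes, known: bytes, key_len: int):
    """Brute force: try every key until the output starts with the header."""
    trials = 0
    for candidate in product(range(256), repeat=key_len):
        trials += 1
        key = bytes(candidate)
        if xor_cipher(ciphertext[:len(known)], key) == known:
            return key, trials
    return None, trials

def keyspace(key_bits: int) -> int:
    """Number of keys an exhaustive search must be prepared to try."""
    return 2 ** key_bits

if __name__ == "__main__":
    print("known plaintext:", key_from_known_plaintext(CIPHERTEXT, HEADER, 2).hex())
    key, trials = key_by_brute_force(CIPHERTEXT, HEADER, 2)
    print("brute force    :", key.hex(), "after", trials, "of", keyspace(16), "keys")
    print("128-bit key space:", keyspace(128))
```

The known header gives the key away in a single pass, while exhaustive search is only feasible here because the key is 16 bits long.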
These are the mechanisms and the frameworks involved in the encryption and decryption strategies. There are several security services which provide the assurance and the security of information. Some of them are:
- RFC 2828
The security mechanisms offered by the above services are:
- Access control
- Data confidentiality
- Data integrity
It is the mechanism that gives assurance that the communicating entity is the one it is claimed to be.
It is the mechanism that prevents the unauthorized use of a resource by a third party.
It is the mechanism that protects the data from unauthorized disclosure.
It is the mechanism that ensures the data received is exactly as sent by the sender.
It is the mechanism that gives protection against denial by one of the parties in the communication channel.