
DATA SECURITY

Nowadays, “SECURITY” has become a more sensitive issue, whether in the
“REAL WORLD” or in the “CYBER WORLD”. As citizens are using networks for
banking, shopping, filing their tax returns and other purposes, network security is
looming on the horizon as a potentially massive problem.

Data security involves not only protection, but also detecting breaches of secured
communication and attacks on the infrastructure, and then responding to these attacks.
The main problems that arise in network security are secrecy, authentication,
non-repudiation and integrity control.
This paper discusses how a continuous cycle of protection, detection and response
can be consistently maintained. It also covers different types of security attacks such as
spoofing, viruses and worms, security mechanisms such as firewalls and cryptography,
and how security is provided in mobile networks.
Cryptography is defined as information hiding. Cryptography allows two
parties to exchange sensitive information in a secure manner. Cryptography has naturally
been extended into the realm of computers such as secure access to private networks,
electronic commerce, and health care, and provides a solution to the electronic security
and privacy issue.

This paper mainly concerns two types of cryptographic standards, symmetric and
asymmetric algorithms, and the specification and implementation of these methods.
It also explains encryption and decryption methods, digital signatures,
authentication and keys. The implementation of public key cryptography
requires several supporting components to handle key creation, distribution and
revocation: the Public Key Infrastructure (PKI). The implementation of private key
cryptography requires encryption and decryption methods, which are also specified.
Today’s new cryptography systems and advanced elliptic curve technology in
smart card technology are also specified.
INTRODUCTION
1. DEFINITION: Security is defined as “a guarantee that an obligation will be met”. In
simplest form it is concerned with people trying to access remote services that they are
not authorized to use or it is concerned with making sure that nosy people cannot read, or
worse yet, modify messages intended for other recipients.

Security is a broad topic and covers a multitude of sins. Most security problems are
intentionally caused by malicious people trying to gain some benefit or harm someone. A
few of the most common perpetrators are student, hacker, sales representative, business
man, ex-employee, accountant, stock broker, conman, spy, etc. The intruders would first
have a panoramic view of the victim’s network and then start digging the holes. Today
the illicit activities of the hackers are growing by leaps and bounds.

Data security problems can be divided roughly into four intertwined areas:
Secrecy, Authentication, Non-repudiation and Integrity control. The solutions for various
types of security attacks are provided by cryptography, firewalls etc.

a) Secrecy - has to do with keeping information out of the hands of unauthorized
users.
b) Authentication - deals with determining whom you are talking to before revealing
sensitive information or entering into a business deal.
c) Non-repudiation - deals with signatures.
d) Data integrity - ensures that the information exchanged in an electronic
transaction is not alterable without detection, typically provided by digital
signatures.
2. TYPES OF SECURITY ATTACKS:

I. Denial-of-Service (DoS) attacks (attacks and counter-attacks): The user’s system is simply
saturated by an excessive workload as the attacker sends spurious traffic into the resource.
This is a DoS attack. Typically, a DoS attack works by creating so much work for the
infrastructure under attack that legitimate work cannot be performed. There are two
types of DoS attacks: Operating System Attacks and Networking Attacks.
II. PACKET SNIFFING:
A Packet sniffer is a program running in a network-attached device that
passively receives all data-link layer frames passing by the device’s network adapter. In a
broadcast environment such as an Ethernet LAN, this means that the packet sniffer
receives all frames being transmitted from or to all hosts on the LAN.
III. SPOOFING:
Any network-connected device necessarily sends IP datagrams into the
network. These datagrams carry the sender’s IP address, as well as upper-layer data. A
user with complete control over that device’s software can easily modify the device’s
protocols to place an arbitrary IP address into a datagram’s Source Address field. This is
known as IP spoofing. IP spoofing is used in DoS attacks to hide the originator(s) of the
attack.
IV. VIRUS:
It’s a piece of code that copies itself into a program and executes when the
program runs. Similarly to how viruses attack humans, computer viruses can grow,
replicate, travel, and consume resources.
There are other attacks as well, such as DDoS, Trojan horses and worms.
3. Network security in TCP/IP STACK:
a. Physical layer: Wire tapping can be foiled by enclosing transmission lines in
sealed tubes containing argon gas at high pressure. Any attempt to drill into a
tube will release some gas, reducing the pressure and triggering an alarm. Some
military systems use this technique.
b. Data link layer: Link encryption can be used easily at this layer, but a packet
travelling from one machine to another has to traverse multiple routers and
be decrypted at each one, leaving it vulnerable to attacks from within the
router.
c. Network layer: IPSec is an Internet security protocol for transporting
secure traffic across untrusted links. The services provided are access control,
connectionless integrity, origin authentication and confidentiality. IPSec
software can be placed directly into the IP source code, placed under the IP
protocol stack, or run on a separate piece of equipment attached to a host.
d. Transport layer: SSL (Secure Sockets Layer) and TLS (Transport Layer Security)
provide security in this layer.
e. Application layer: PGP is used in this layer.
4. FIREWALLS:
DEFINITION: A firewall is best described as a software or hardware packet filter, or a
combination of both, that allows only selected packets to pass through from the internet
to a private internal network by listening to all ports on a system attempting to open a
connection. When it detects such an attempt, it reacts according to a predefined set of rules.
There are two types of firewalls: packet-filtering firewalls (which operate at the network
layer) and application-level gateways (which operate at the application layer).
• WHY GO FOR A FIREWALL?
No one connects to the internet in isolation. If an attacker somehow
succeeds in finding a system’s IP address, he can exploit any vulnerability existing in that
system, damaging the data or even using that system to hack other computers.
• HOW DOES A FIREWALL WORK?
This is where firewalls become inseparable from a secured network. Just as
their name suggests, they protect from unsolicited connection probes, scans and
attacks. They listen on all ports for any connection requests received and sent. When such
an instance is recorded, the firewall pops up a warning asking whether or not to allow the
connection to be initiated. This warning message also contains the IP address that is trying
to initiate the connection and the port number to which it is trying to connect, i.e., the port
to which the packet was sent. A firewall also protects a system from port scans, DoS attacks,
vulnerability attacks etc.
• AN EXAMPLE FIREWALL - “A PROXY SERVER”:
Each of the techniques employed by attackers to obtain the target
system’s IP address can be countered. A proxy server basically acts as a shield by
protecting your IP address from getting into malicious hands. It acts as your very own
personal secretary and as a buffer between you and the remote host.
A proxy server removes the need for a system to receive or send messages
directly to the remote host. When any message is to be transmitted, it is
actually sent to the proxy server, which in turn passes it on to the remote host. All
communication between the two parties is conducted indirectly, via the proxy server.
Such a scenario can be depicted in the following manner:
OUR SYSTEM <--> PROXY SERVER <--> REMOTE SYSTEM

• BREAKING THROUGH FIREWALLS:
Firewalls can create as many problems as they solve if they are not
implemented properly. Firewalls themselves are vulnerable to security violations.
Remember, firewalls are not clairvoyant. There are several holes existing in popular
firewalls waiting to be exploited. Here, we quote a hole in Zone Alarm Version 2.1.10 to
2.0.26, which allows the attacker to port scan the target system (although normally, it
should stop such scans).
If one uses port 67 as the source port of a TCP or UDP scan, Zone Alarm will let
the packet through and will not notify the user. This means that one can TCP or UDP
port scan a Zone Alarm protected computer as if there were no firewall, provided port 67
is used as the source port on the packets.
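
A minimal model of the flaw just described next to a tightened rule, as an added example (not code from the original paper or from Zone Alarm). The rule sets, class names and sample packets are constructed, and the idea that the port-67 exception was meant for DHCP replies (UDP, port 67 to port 68) is an assumption the paper does not state.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int    # chosen freely by the sender
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None      # None matches anything
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        pairs = ((self.proto, pkt.proto), (self.src_port, pkt.src_port),
                 (self.dst_port, pkt.dst_port))
        return all(want is None or want == got for want, got in pairs)


def decide(rules, pkt, default="deny"):
    """First matching rule wins; unsolicited traffic that matches nothing is dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def source_port_only_allows(rules):
    """Audit helper: allow rules whose only condition is the sender-chosen source port."""
    return [r for r in rules
            if r.action == "allow" and r.src_port is not None
            and r.proto is None and r.dst_port is None]


# Hypothetical rule sets. WEAK reproduces the behaviour the paper reports; how
# Zone Alarm implemented it internally is not stated there.
WEAK = [Rule("allow", src_port=67)]
# Assumption: the exception was meant for DHCP replies (UDP, server port 67 to client port 68).
TIGHT = [Rule("allow", proto="udp", src_port=67, dst_port=68)]

# Constructed inbound packets (203.0.113.0/24 is a documentation range).
DHCP_REPLY = Packet("udp", "203.0.113.1", 67, 68)
TCP_FROM_67 = Packet("tcp", "203.0.113.9", 67, 80)
UDP_FROM_67 = Packet("udp", "203.0.113.9", 67, 53)


def compare():
    """Verdict of each rule set for each sample packet: {name: (weak, tight)}."""
    samples = {"dhcp_reply": DHCP_REPLY, "tcp_from_67": TCP_FROM_67,
               "udp_from_67": UDP_FROM_67}
    return {name: (decide(WEAK, p), decide(TIGHT, p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:12} weak={verdicts[0]:5} tight={verdicts[1]}")
    print("rules to review:", source_port_only_allows(WEAK))
```

The audit helper is the reusable part: any allow rule keyed only on a field the sender controls deserves review.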

5. SECURITY IN WIRELESS NETWORKS:

The WEP (Wired Equivalent Privacy) protocol is meant to provide security in
802.11 networks. It provides both authentication and data encryption between a host and
a wireless access point (base station) using a symmetric shared key approach.
Steps involved:
I. A wireless host first requests authentication by an access point.
II. The access point responds to the authentication request with 128-byte nonce
value.
III. The wireless host encrypts the nonce using the symmetric key that it shares with
the access point.

CRYPTOGRAPHY

Encryption and decryption typically occur using complex mathematical
algorithms with the use of a key. The two classes of key-based encryption algorithms are:

A. symmetric (private key)
B. asymmetric (public key)
1. USAGE OF KEYS:

Since the key forms the basis of the encryption, its strength against attack is an
important feature. An indication of a key’s strength can be obtained from its length – for a
given encryption algorithm the longer the key, the stronger the key.

Current symmetric encryption technologies typically use 128-bit length keys –
this means that there are 2^128 different key combinations. Current asymmetric encryption
technologies typically use 1024-bit length keys. Finally, note that the key strength
becomes weaker as computing power increases.

2. Symmetric (Private key) encryption:

Symmetric encryption is the simpler of the two classes of key-based encryption
algorithms. In this class, the same key is used to encrypt and decrypt the message, as
shown in the figure.

In the symmetric encryption schemes (the classical form of cryptography) the
same key (called the secret key) is used to both encrypt and decrypt the text. The problem
with these systems is to transport the secret key from the sender to the receiver without
security exposures. Some systems use only symmetric secret keys to communicate
securely over public networks, but they are difficult to implement in large organizations
and need some extra security procedures like a central "trusted and secure" server.
The DES (Data Encryption Standard) algorithm is one good example.

In a group of N people wishing to communicate securely, N*(N-1)/2 private keys
need to exist. As the number of people N increases, the management of the private keys
becomes a costly and cumbersome exercise.

3. Asymmetric (Public key) encryption:

Asymmetric cryptosystems (also called public key cryptosystems) use one key (the public
key) to encrypt a message and a different key (the private key) to decrypt it. Given an
encryption key it is virtually impossible to determine the decryption key (and vice versa).
The main disadvantage is its slower computing speed when compared to symmetric
encryption (due to its computing complexity).
Two different asymmetric algorithms are RSA (Rivest Shamir Adleman), which is
permutable (one key may either encrypt or decrypt), and ECDSA (Elliptic Curve Digital
Signature Algorithm, a variant of the well-known DSA), that may implement existing
algorithms using elliptic curves. The keys are smaller and processing times are
consequently faster. This is shown in the figure below.

Three different formats of messages can be used in public-key cryptosystems:

Encrypted message: A symmetric key encrypts the message and the public key
encrypts the symmetric key.
Signed message: The message is hashed into a digital fingerprint, which is
encrypted into a digital signature using a private key.
Signed and encrypted message: A combination of the above concepts, in which
the message is signed using the private key of the sender and then encrypted using
the public key.

4. Digital Signatures:
An authentication mechanism that enables the creator to attach a code that acts as
a signature. The signature guarantees the source and integrity of the file and provides
authenticity and integrity.
Digital signatures solve:
(I). Information integrity (II). Authentication (III). Non-repudiation
5. AN EXAMPLE CRYPTOGRAPHY SYSTEM:

6. The Implementation of Public Key Cryptography Infrastructure (PKI)


Turning the theory of public key cryptography into a useful, real-world system requires
more than just the implementation of the core algorithm. A number of supporting
operational elements need to be in place before public key cryptography can be used
effectively. The supporting infrastructure is collectively known as Public Key
Infrastructure or PKI for short.

A PKI consists of a set of policies, procedures and services to support applications
of public key cryptography. A PKI can therefore be split into the following components:

a. A Security Policy
b. A Certificate Authority (CA)
c. A Registration Authority (RA)
d. A Directory Service

a. Security Policy:
The security policy contains definitions of the actual operation of the PKI. The
operation of the other PKI components should be detailed here, as well as procedures for
key generation, issuance, storage, and revocation. The security policy in effect acts as the
framework on which the PKI is built.

b. Certificate Authority (CA):

However, a key by itself does not contain supporting information such as who it
belongs to, who issued the key, and the period over which it is valid. Without this
information, there is nothing linking a public key with its correct owner. The
solution takes the form of digital certificates. A certificate contains information linking a
specific public key to a specific individual. The current industry standard for digital
certificates is the CCITT X.509 international standard.

c. Registration Authority (RA):

When a user applies for a digital certificate from a CA, the CA has to verify that the
applicant is truly who he claims to be. The role of the Registration Authority is to provide
this verification. A real-world analogy would be a Notary Public, for example.

Certain legal contracts require the signing process to be witnessed by a Notary
Public, who acts to verify the signer’s identity. In a similar way, the RA verifies the
identity of the applicant and passes the application on to the CA. The degree of rigor
applied by the RA during the verification will affect the degree of trust in the digital
certificate.

d. Directory Service:
In our example with A sending an encrypted message to B, we have not yet
discussed where and how A gets hold of B’s certificate. The solution forms another
component of a PKI – the directory service. In the same way that you might look in a
standard phonebook to look up a telephone number, the directory service allows you to
look up the digital certificate for someone to whom you wish to send an encrypted
message.

Elliptic Curve Cryptography
(A New Trend in Cryptography)

Since the invention of public-key cryptography, numerous public-key
cryptographic systems have been proposed. Each of these systems relies on a difficult
mathematical problem for its security. None has been proven to be intractable; rather,
they are believed to be intractable.
Implementation of public-key cryptosystems in smart cards has usually been
associated with high-end cards, typically with both large memory configurations and a
cryptographic coprocessor.
Today, the elliptic curve discrete logarithm system, classified according to the
mathematical problem on which it is based, is considered both secure and efficient.
In 1985, Neal Koblitz and Victor Miller independently proposed public-key
systems using a group of points on an elliptic curve, and elliptic curve cryptography
(ECC) was born. Today it offers those looking for a smaller, faster public-key system a
practical and secure technology for even the most constrained environments.

ECC delivers the highest strength per bit of any known public-key system because
of the difficulty of the hard problem upon which it is based. This greater difficulty of the
hard problem – the elliptic curve discrete logarithm problem (ECDLP) – means that
smaller key sizes yield equivalent levels of security.
1. ECC Implementation:

An elliptic curve is a set of points specified by two variables that are elements
over a field Fq. A field is a set of elements with two custom-defined arithmetic operations,
usually addition and multiplication.
ECC requires the use of two types of mathematics:

• elliptic curve point arithmetic
• the underlying finite field arithmetic.

Most of the computation for ECC takes place at the finite field level.
The two most common choices for the underlying finite field are:

• F2^m, also known as characteristic two or even (containing 2^m elements, where m is
an integer greater than one)
• Fp, also known as integers modulo p, odd, or odd prime (containing p elements,
where p is an odd prime number).

Both of these finite fields are included in draft standards for ECC.

Point compression allows the points on an elliptic curve to be represented with
fewer bits of data. In smart card implementations, point compression is essential. It can
be accomplished with negligible computation using F2^m, but can affect Fp
implementations considerably. F2^m hardware implementations offer
significant performance and die size advantages over Fp hardware implementations.
Existing crypto coprocessors, which are optimized for modular arithmetic over Fp, do not
substantially increase the performance of F2^m modular arithmetic.
If the field F2^m is used as the underlying finite field, then the elements of
F2^m can be represented in two efficient ways:

• an optimal normal basis representation
• a polynomial basis representation.
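
The point arithmetic over Fp and the point compression described in this section, together with the "signed message" format from the earlier section on public-key message formats (here as ECDSA), as an added example that is not code from the original paper. The curve (secp256k1), the hash (SHA-256) and all function names are assumptions; the paper names no curve or hash.

```python
import hashlib
import secrets
from collections import namedtuple

Curve = namedtuple("Curve", "p a b")   # y^2 = x^3 + a*x + b over F_p
# Assumption: secp256k1 (SEC 2) stands in for "a curve over Fp"; the paper names no curve.
SECP256K1 = Curve(p=2**256 - 2**32 - 977, a=0, b=7)
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G

def on_curve(c, P):
    """True for infinity (None) or an in-range affine point satisfying the equation."""
    if P is None:
        return True
    x, y = P
    return 0 <= x < c.p and 0 <= y < c.p and (y * y - x**3 - c.a * x - c.b) % c.p == 0

def add(c, P, Q):
    """Elliptic curve point arithmetic; each division is a modular inverse in F_p."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return None                     # P + (-P) is the point at infinity
    num, den = (3 * x1 * x1 + c.a, 2 * y1) if P == Q else (y2 - y1, x2 - x1)
    lam = num * pow(den % c.p, -1, c.p) % c.p
    x3 = (lam * lam - x1 - x2) % c.p
    return x3, (lam * (x1 - x3) - y1) % c.p

def multiply(c, k, P):
    """Double-and-add; not constant-time, so unsuitable for a device holding a real key."""
    R = None
    while k:
        if k & 1:
            R = add(c, R, P)
        P, k = add(c, P, P), k >> 1
    return R

def compress(c, P):
    """Point compression: x plus the parity of y (33 bytes here instead of 64)."""
    return bytes([2 + (P[1] & 1)]) + P[0].to_bytes((c.p.bit_length() + 7) // 8, "big")

def decompress(c, data):
    """Recover y from x (one modular square root in F_p); reject non-points."""
    if c.p % 4 != 3 or len(data) != (c.p.bit_length() + 7) // 8 + 1 or data[0] not in (2, 3):
        raise ValueError("unsupported field or malformed encoding")
    x = int.from_bytes(data[1:], "big")
    rhs = (x**3 + c.a * x + c.b) % c.p
    y = pow(rhs, (c.p + 1) // 4, c.p)   # square root; valid because p % 4 == 3
    if x >= c.p or y * y % c.p != rhs:
        raise ValueError("x does not belong to a point on the curve")
    return x, (y if (y & 1) == (data[0] & 1) else (-y) % c.p)

def sign(priv, msg):
    """ECDSA: hash the message to a fingerprint, then sign it with the private key."""
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1   # fresh secret nonce for every signature
        r = multiply(SECP256K1, k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return r, s

def verify(pub, msg, sig):
    """Accept only a valid public point and an in-range (r, s) that satisfies ECDSA."""
    r, s = sig
    if pub is None or not on_curve(SECP256K1, pub) or not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    R = add(SECP256K1, multiply(SECP256K1, z * w % N, G), multiply(SECP256K1, r * w % N, pub))
    return R is not None and R[0] % N == r
```

Requires Python 3.8 or later for the modular inverse via `pow(x, -1, m)`.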

2. Smart Cards and ECC:


Smart cards are small, portable, tamper-resistant devices providing users with
convenient storage and processing capability. Smart cards are proposed for use in a wide
variety of applications such as electronic commerce, identification, and health care. For
many of these proposed applications, cryptographic services offered by digital signatures
would be required. Smart cards also need to be inexpensive.
Meeting the Implementation Constraints with ECC:
(i). Less EEPROM and Shorter Transmission Times:
The strength of the ECDLP algorithm means that strong security is achievable
with proportionately smaller key and certificate sizes. The smaller key size in turn means
that less EEPROM is required to store keys and certificates and that less data needs to be
passed between the card and the application so that transmission times are shorter.
(ii). Scalability:
As smart card applications require stronger and stronger security (with longer
keys), ECC can continue to provide the security with proportionately fewer additional
system resources. This means that with ECC, smart cards are capable of providing higher
levels of security without increasing their cost.
(iii). No Coprocessor:
The nature of the actual computations – more specifically, ECC's reduced
processing times – also contributes significantly to why ECC meets the smart card
platform requirements so well. Other public-key systems involve so much computation
that a dedicated hardware device known as a crypto coprocessor is required. With ECC,
the algorithm can be implemented in available ROM, so no additional hardware is
required to perform strong, fast authentication.
Advantages:
Since the crypto sensitive operations (signing and decrypting) can be many times faster
using ECC than using RSA, ECC is more appropriate for use in secure devices such as
smart cards and wireless devices with constrained computational power. The non crypto-
sensitive (public key) operations can usually be performed in terminal or PC
environments that typically have more computational power. Because the RSA crypto-
sensitive operations require more computational power, they are less suitable for use in
constrained environments, and as security (key size) requirements increase in the future,
the problem could become worse.
Related Cryptography technologies:

I. CMS - Cryptographic Message Syntax:
The Cryptographic Message Syntax is used to digitally sign, digest, authenticate,
or encrypt arbitrary messages. Its main goal is to define the data structures and
processes for digitally signing and encrypting other data structures, and it can support
a variety of architectures for certificate-based key management, such as the one
defined by the PKIX working group.
II. SSL: The SSL protocol runs above TCP/IP and below higher-level protocols such as
HTTP or IMAP. It allows a server to authenticate itself to a client, allows the client to
authenticate itself to the server, and allows both machines to establish an encrypted
connection.
III. Secure e-mail / S/MIME: Security services can be added to each communication link
along a path, or they can be wrapped around the data being sent, so that they are
independent of the communication mechanism. S/MIME, short for Secure Multipurpose
Internet Mail Extension, is a new version of the MIME protocol that supports encryption
of messages. S/MIME is based on RSA's public-key encryption technology.
IV. VPN: A virtual private network (VPN) is a private data network that makes use of
the public telecommunication infrastructure, instead of owned or leased lines,
maintaining privacy through the use of a tunneling protocol and security procedures. The
idea of a VPN is to give a company the same capabilities at much lower cost by using the
shared public infrastructure rather than a private one. VPNs are an important part of an
e-business tool.
V. PGP: Pretty Good Privacy is a product family that enables people to securely
exchange messages, and to secure files, disk volumes and network connections with
both privacy and strong authentication. PGP is a freely available encryption program
that protects the privacy of files and electronic mail, using powerful public key
cryptography.

Conclusion:

The capability of security-enabled components still lags behind the claims. Basic
security challenges in the corporate realm are not yet completely addressed. A case in
point is that E-ATTACKS are becoming notoriously peerless as compared with the
traditional nuke-wars. Consequently, in the quest for more and more secure
systems, BIOMETRIC SYSTEMS, QUANTUM CRYPTOGRAPHY and many more are
being implemented innovatively at an increasing pace. If we are not exaggerating, let’s be
optimistic of a 100% foolproof, secured global village in the near future.
Cryptography provides a solution to the problem of information security and privacy. For
electronic communications, the techniques of private and public key cryptography are
becoming increasingly popular.