
IT6011 Introduction to Information Security

Project 2 Phase 1 Report Assessment – Encryption Research Report


Semester: Semester A 2016 - 2017
Format: Individual Report
Tutors: Peter Little, Muhammad Ateeq, James Egan
Student Name: Sadeq Kadhem
Student ID: 201400445
Grade Value: 20% of the overall course mark
Learning Outcomes assessed: The following learning outcomes will be assessed in this
assessment:
1. Explain the principles of information security and the
measures to secure information.
4. Demonstrate an understanding of cryptographic
methods
5. Identify and describe security implications for modern
networks

Weighting:
Instructions: This is an individual project in which the students will submit
a technical report of 3000 words +/- 10% excluding
appendices. The technical report should define the concepts
and principles of cryptography and the methods used,
along with good practice and recommendations. The report
should be uploaded on Moodle via Turnitin by Sunday 8th
January 2017 at 5.00pm. A penalty of 5% will be applied for
an initial late submission and for each calendar day the report
is submitted late.

This report will be used in preparation for phase 2 of this project, the practical implementation of a
cryptographic method to secure information.

Contents
Introduction
Define the principles of information security and state measures to secure information by demonstrating an understanding of cryptographic methods.
What is information security?
Cryptography and information security
Information security principles, aims and main components in relation to cryptography.
Measures to secure information:
Data at Rest
Data-in-Motion:
Cryptographic methods:
Hashing Encryption
Symmetric Methods
Asymmetric Forms
Identify and describe security implications for modern networks.
Issues surrounding a company
Passive Attacks
Eavesdropping
Man-in-the-Middle Attack
Sniffer Attack
Active Attack
Identity Spoofing (IP Address Spoofing)
Denial-of-Service Attack
Issues surrounding Bahrain mini-mail itself
Methodologies to secure company’s information
Conclusion and Recommendations
References

Introduction

The aim of this report is to discuss and define information security and to find measures to secure
information in relation to cryptographic methods. It also identifies risks that Bahrain Mini-mail
might have in its modern network and provides some solutions and policies implementing
cryptography. Finally, it provides some recommendations for the company to have a more
secure network.

Define the principles of information security and state measures to secure information by demonstrating an understanding of cryptographic methods.

What is information security?

Concern about securing information and personal data is increasing day
by day, and the reason is the increase in threats to information security from
hackers and pirates. Many organisations worry about protecting their
important and sensitive data. Information security is the set of policies, standards,
technologies and management practices that are applied to secure information. (The
Open University, 2016)

Cryptography and information security

Cryptography is one of the approaches taken to secure data from piracy by
making it unreadable to pirates. In order to secure stored or transmitted data, it has to be
changed or hidden in such a way that unauthorised individuals are not able to know
its true meaning. To accomplish this, specific mathematical equations are applied, which are
difficult to solve unless certain conditions are met. These equations form the basis of
cryptography. (Rouse, 2005)

Information security principles, aims and main components in relation to cryptography.

The principles and aims of information security are represented by the CIA triad, which stands for
“Integrity”, “Confidentiality” and “Authentication”. The CIA triad is a model that shows the main
purposes and goals of information security. Modern cryptography concerns itself
with these aims and principles. Firstly, to satisfy confidentiality, once encryption is
applied the information cannot be understood by anyone and is readable only by those who
are intended to have the data. Secondly, to meet integrity, cryptography restricts the
ability to alter data in storage or in transit without being detected. Thirdly, authentication
is fulfilled when encryption lets the sender and receiver confirm each other’s identity
and the destination of the information. Moreover, non-repudiation is also a concern. It means
that, by encrypting data, the creator and sender cannot deny that they created or transmitted
the information. (Rouse, 2014)

Measures to secure information:

To know how to secure information, we have to know the states that information takes.
Data at rest, data in use and data in motion are the states that data take in any organization's
system.

Data at Rest
When data are at rest, it means that the data are stored, in a secure way, on a hard drive.
These data are protected by conventional perimeter-based defenses such as anti-virus and firewalls.
However, these defenses are not enough. Additional layers of defense are needed to
protect sensitive data in case the network is compromised. Encrypting hard drives is one
of the best ways to give these data more security. (Identity finder, n.d.)

Data-in-Motion:
In this state, data are at their most vulnerable. The reason is that the data are being transmitted
across a network. An example is sending an email: it takes a long journey through
the electronic infrastructure at government facilities, universities and other network
locations. A hacker with the right tools can take the data from the email while it moves.
Transmitting data through an encryption platform is a way to make the data more secure.
(Identity finder, n.d.)

Cryptographic methods:

Hashing Encryption
Hashes are created by using an algorithm, or hash function. Hashing is an encryption method
that creates a unique, fixed-length signature for a message or data set. Hashing
is commonly used to compare sets of data. Any minor change to a message produces a
hugely different hash, because the hash is unique to a specific message. For that reason,
alerting the user to such a change is very important. (Linn, 2016)

In hashing, once the data is encrypted, the process cannot be reversed or decrypted, and this
is the main difference between hashing and symmetric and asymmetric
cryptography. This means that even if a hacker or attacker could obtain a hash, the attacker
will not be able to decrypt the message or know its content by using any
decryption method. Examples of hashing algorithms are Secure Hashing Algorithm (SHA)
and Message Digest 5 (MD5). (Linn, 2016)

MD5: it is an extension of MD4 and it is slower because it has 4 rounds, unlike MD4,
which has 3. It provides security features with a one-way hash function. When
files are downloaded from peer-to-peer (P2P) servers/networks, files with the same name are
downloaded, which makes it difficult to know the original one, so having message digests is
very important to establish message authentication and, as a result, to prove source
verification. (Gupta & Kumar, 2014)

SHA: it is a cryptographic hash function that is used in digital certificates as well as for data
integrity. It was developed by N.I.S.T. as a U.S. Federal Information Processing Standard (FIPS).
SHA produces a fingerprint that identifies the data and is intended for use with digital signature
applications. Secure Hash Algorithms work with messages of less than 2^64 bits. (Gupta &
Kumar, 2014)
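
The hash properties described above (fixed-length output, a very different hash after a minor change, and checking a downloaded file against its digest) can be seen with Python's standard hashlib. This is an added example, not part of the original report; the sample file contents and the function names are constructed for illustration. MD5 and SHA-1 appear only to show digest length: practical collisions are known for both, so the integrity check uses SHA-256.

```python
import hashlib
import hmac

# Constructed sample data: two "files" that could share a name on a P2P
# network but differ in a single character.
ORIGINAL = b"Quarterly report for Bahrain Mini-mail: 1500 parcels delivered\n"
TAMPERED = b"Quarterly report for Bahrain Mini-mail: 1600 parcels delivered\n"


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data under any algorithm name hashlib knows."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_bits(algorithm: str, data: bytes) -> int:
    """Digest length in bits; it depends on the algorithm, never on the input."""
    return hashlib.new(algorithm, data).digest_size * 8


def differing_bits(a: bytes, b: bytes, algorithm: str = "sha256") -> int:
    """Number of digest bits that differ between the hashes of two inputs."""
    da = hashlib.new(algorithm, a).digest()
    db = hashlib.new(algorithm, b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


def verify_download(data: bytes, published_hex: str, algorithm: str = "sha256") -> bool:
    """Compare a downloaded file with the digest published by its source."""
    actual = hashlib.new(algorithm, data).hexdigest()
    # Constant-time comparison, so timing does not reveal where the digests diverge.
    return hmac.compare_digest(actual, published_hex.strip().lower())


if __name__ == "__main__":
    # Fixed length: a 1-byte input and a 1 MB input give digests of the same size.
    for name in ("md5", "sha1", "sha256"):
        print(name, digest_bits(name, b"x"), digest_bits(name, b"x" * 1_000_000))

    # One changed character flips roughly half of the 256 output bits.
    print("bits changed:", differing_bits(ORIGINAL, TAMPERED))

    # The publisher announces the digest of the genuine file through a trusted channel.
    published = digest(ORIGINAL)
    print("original accepted:", verify_download(ORIGINAL, published))
    print("tampered accepted:", verify_download(TAMPERED, published))
```

The check is only as trustworthy as the channel the published digest arrives through: a digest fetched from the same untrusted peer as the file proves nothing about the source.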

Symmetric Methods
Symmetric cryptography, or private-key cryptography, is one of the most secure
encryption methods and one of the oldest. It is called private-key cryptography because
the key must be kept private and secured. The reason is that this key is used both to encrypt and
to decrypt the message, so anyone with this key could see the content of the message. In the
encryption process, the sender encodes a message into cipher text using a key,
and the receiver, or anyone who has the key, can decode it by using the same key. (Linn,
2016)

Stream ciphers and block ciphers are two different methods that can be used to encrypt a
message when using symmetric cryptography. A stream cipher encrypts
one character at a time as it is sent or received. A block cipher, on the other hand,
encrypts a fixed amount of data. Choosing one method over the other depends on the
amount of data being encrypted. Examples of symmetric encryption algorithms are
Advanced Encryption Standard (AES) and Data Encryption Standard (DES). (Linn, 2016)

Data Encryption Standard (DES): DES is a block cipher with a 56-bit key and a 64-bit block
size. It consists of a 16-round series of substitutions and permutations. In each round, the data and
key bits are shifted, XORed, permuted, and sent through 8 S-boxes, which are a set of
lookup tables that are important to the DES algorithm. Decryption is done in the reverse
way. (Soni, Agrawal & Sharma, 2012)

Advanced Encryption Standard (AES): AES uses 10, 12, or 14 rounds. The key
size can be 128, 192 or 256 bits, depending on the number of rounds. AES runs
several rounds, each made up of several stages. AES uses transformations to provide
security. Each round of AES applies substitution, permutation, mixing and key adding; every
round except the last uses these four transformations. (Soni, Agrawal & Sharma, 2012)

Asymmetric Forms
Asymmetric, or public-key, cryptography is an encryption method which is more secure than
the symmetric methods. The reason is that asymmetric cryptography uses two
keys, a private key and a public key, to achieve encryption and decryption. Using two keys
avoids a major weakness of symmetric-key cryptography, since
it is difficult to securely manage one key among multiple users. (Linn, 2016)

The public key in asymmetric cryptography is available to everyone and is used to encrypt
messages before sending. However, only the one who has the
private key can decipher the messages. Examples of algorithms that use public-key encryption are
RSA and Diffie-Hellman. (Linn, 2016)

RSA: this algorithm is based on producing large numbers that have 2 factors which are
prime numbers. It provides a public and a private key. The public key is available for everyone to
encrypt with, but only the one who has the private key can decrypt. It is possible to
derive the private key from the public key, but it is extremely difficult, which makes
RSA a good choice for encrypting data. (“RSA Algorithm”, n.d.)
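
The RSA description above can be followed step by step with textbook RSA on a toy modulus. This is an added example, not part of the original report; the primes 61 and 53, the exponent 17 and all function names are constructed for illustration. It also shows why the size of the primes matters: with a modulus this small, the private key is recovered from the public key by factoring. Real deployments use moduli of 2048 bits or more together with a padding scheme such as OAEP.

```python
from math import gcd


def make_keypair(p: int, q: int, e: int):
    """Textbook RSA key generation from two primes p and q."""
    n = p * q                      # public modulus: a number with two prime factors
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must share no factor with (p-1)(q-1)")
    d = pow(e, -1, phi)            # private exponent: modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(m: int, public_key) -> int:
    """Anyone holding the public key (n, e) can encrypt."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def decrypt(c: int, private_key) -> int:
    """Only the holder of the private key (n, d) can decrypt."""
    n, d = private_key
    return pow(c, d, n)


def private_from_public(public_key):
    """Rebuild the private key from the public key by factoring n.

    Trial division finishes at once for this toy modulus; for the modulus
    sizes used in practice no known method factors n in a feasible time.
    """
    n, e = public_key
    f = 2
    while f * f <= n and n % f:
        f += 1
    if n % f:
        raise ValueError("n is prime, so it is not an RSA modulus")
    p, q = f, n // f
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    # Constructed toy parameters.
    public, private = make_keypair(61, 53, 17)
    ciphertext = encrypt(65, public)
    print("public key:", public)
    print("ciphertext:", ciphertext)
    print("decrypted: ", decrypt(ciphertext, private))
    print("private key recovered by factoring:", private_from_public(public) == private)
```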

Identify and describe security implications for modern networks.


Issues surrounding a company

First of all, it is very important to understand the attacks and threats that surround any
company or organization; this is the first step in stopping these kinds of dangers. Some of the
attacks are described and discussed below, which leads to some
methodologies to protect the company and its information.

Passive Attacks
Firstly, a passive attack is a kind of attack where the hacker listens to and records
telecommunication exchanges. One way to do that is to sniff network traffic by using a protocol
analyser or other packet-capturing software: by plugging into the
network, the attacker begins capturing traffic for later analysis. Another way is key
loggers, which are software that records keystrokes such as user passwords and IDs. The aim of
this attack, regardless of the method, is to record and listen to the data passing through.
This attack could be harmful since the data that was gathered from the user is not encrypted.
(Hughes, n.d.). Some types of passive attacks are discussed below:

Eavesdropping
Most network communications are in an unsecured or “cleartext” format, which means that
an attacker who has gained access to your network is able to listen to or read the traffic
in the data path. It is a major security issue that administrators face. Without
good encryption services built on strong cryptography, the data is readable by the
attacker while it is travelling across the network. (Microsoft, n.d.)

Man-in-the-Middle Attack
A man-in-the-middle attack happens when someone between you and the person
with whom you are communicating is capturing, monitoring and controlling your communication
transparently. The attacker could re-route the data exchange, because computers communicating at
low levels of the network layer might not be able to determine with
whom they are exchanging data.

The attacker acts as if he is you by assuming your identity in order to read the messages. The
person on the other side might believe that it is you, because the attacker impersonates you
convincingly in order to keep the exchange of data going and to get more
information. (Microsoft, n.d.)

Sniffer Attack
A sniffer attack is carried out with a device or an application which can monitor, read, and capture
data exchanges and read network packets. Encrypting data will protect your data from being
seen by the attacker unless he has the key to decrypt it. However, if the data are not
encrypted, the attacker will have a full view of your important and sensitive packets and data.

Using a sniffer gives the attacker many advantages, for example:

• Gain your information and analyze your network, which will lead to your network crashing
or being corrupted.
• Read the communications that you have. (Microsoft, n.d.)

Active Attack
Secondly, an active attack is carried out either with the information gathered during a passive
attack, such as passwords, or as a direct attack using technological blunt instruments.
Examples of these instruments are email phishing attacks, denial-of-service attacks,
password crackers, worms and many other malware attacks. The attacker's aim in an active
attack is to bring a website down, destroy computing equipment or steal information.
Even if network administrators use defences against the existing attack tools,
attackers will develop more powerful tools. (Hughes, n.d.). Some types of active attacks are
discussed below:

Identity Spoofing (IP Address Spoofing)

Networks and operating systems can identify a valid entity by using the IP address of
a computer. It is possible for the attacker to guess or assume the IP address; this is identity spoofing.
It is also possible for the attacker to use special programs to build IP packets that appear to
originate from a valid address inside the company intranet. By using the valid IP address, the
attacker can gain access to the network and modify, reroute, or delete the data. Other
attacks can also be conducted. (Microsoft, n.d.)

Denial-of-Service Attack

The main purpose of a denial-of-service attack is to prevent valid users from using the
computer or network in the normal way. After getting access to the network, the attacker can
do any of the following:

• Disperse the attention of the internal Information Systems staff so that they do not
see the intrusion immediately, which gives the attacker more opportunities to make
new attacks.
• Cause abnormal termination or behavior of applications or services by sending
invalid data to them.
• Flood a computer or the entire network with traffic until it shuts down because of
the overload.
• Block traffic, so that authorized users lose access to network resources.
(Microsoft, n.d.)

Issues surrounding Bahrain mini-mail itself

1- While the company is sending data in and out of the company, it has data in
motion. As explained previously, data in this state is at its most vulnerable. Any hacker
could sniff or listen to this sensitive information while it is moving.

2- The company has many third-party clients, which cannot be trusted not to steal or sniff the
important data while communicating with the company (man in the middle).

3- The company is using a variety of computers and operating systems to access the network,
which means that it is difficult to use the same cryptographic methodologies and ways of
encryption.

4- The employees at the company are using user names and passwords that have been
issued by the IT department. If these passwords and user names are not encrypted while they are
in the database, it will cause damage to the company. This issue is less important because
the data is at rest.

5- Allowing the free exchange of information, with all users having access to most data, is
another issue that the company is facing. If the most important information is not
encrypted, it would be a problem if an employee distributed or captured it.

Methodologies to secure company’s information

• The most thorough procedure is full-disk encryption. Most of the files are
permanently encrypted, even the temporary files created by the system or
applications. Swap and hibernation files are also encrypted. The encryption is done
immediately while the employees are accessing new data. Using full-disk encryption
is also useful when a laptop is stolen, because otherwise the hardware could be removed and
attached to another computer, allowing easy access to the data. (Carey, 2015)
• Using strong passwords and changing them weekly is a good method for authentication.
(PANDEY, 2011)
• Using a robust password when using a wireless connection. (PANDEY, 2011)
• Robust data encryption is an effective way to secure data in motion. (PANDEY,
2011)
• Using HTTPS encrypts the connection between the system and the website visited.
HTTPS is not a guarantee that the site is safe, but it can prevent hackers
from accessing the system through the network. (Mediati, 2011)
• File encryption is another way to protect data at rest and data in motion.
Because the file exists in an encrypted form, even if the network is not encrypted,
the file is encrypted, which protects its content.

Conclusion and Recommendations

In conclusion, a summary of the security assessment is provided. The main issues
that the company has are the data moving in and out of the company, and
the free exchange of data with access allowed to most data, because the
information is in motion and will be easily captured or sniffed by competitors. The
second, less dangerous problems are having a variety of computers and operating systems, and not
updating and encrypting the passwords and usernames of the employees. This data should be
secured by anti-virus and firewalls and also by encrypting it, because the data are at rest.

It is recommended that the company encrypt its data by using full-disk encryption, file
encryption, connection encryption and robust data encryption, which will lead to
safer data at rest and data in motion. As the company depends on sending emails
and moving data through the network, strong encryption methods as mentioned are essential.

Word count: 2856


References
Carey, R. (2015). How Encryption and Other Tactics Can Protect Your Company Data. Retrieved 5
January 2017, from
http://www.middlemarketcenter.org/expert-perspectives/how-encryption-and-other-tactics-can-protect-your-company-data

Gupta, P. & Kumar, S. (2014). A Comparative Analysis of SHA and MD5 Algorithm. Retrieved 4
January 2017, from http://ijcsit.com/docs/Volume%205/vol5issue03/ijcsit20140503398.pdf

Hughes, A. (n.d.). The Difference between Passive & Active Attacks on a Computer. Retrieved 5
January 2017, from
https://www.techwalla.com/articles/the-difference-between-passive-active-attacks-on-a-computer

Identity finder. (n.d.). Data Loss Prevention: Data-at-Rest vs. Data-in-Motion. Retrieved 5 January
2017, from
http://www.pronovus.nl/documenten/identyfinder/whitepaper_identityfinder_dlp.pdf

Linn, M. (2016). What are the Different Types of Encryption Methods? Retrieved 5 January 2017,
from http://www.wisegeek.org/what-are-the-different-types-of-encryption-methods.htm

Mediati, N. (2011). How to Use an HTTPS-Encrypted Connection When Browsing. Retrieved 5 January
2017, from
http://www.pcworld.com/article/226791/use_an_https_encrypted_connection_when_browsing.html

Microsoft. (n.d.). Common Types of Network Attacks. Retrieved 4 January 2017, from
https://technet.microsoft.com/en-us/library/cc959354.aspx

PANDEY, S. (2011). MODERN NETWORK SECURITY: ISSUES AND CHALLENGES. Retrieved 4 January
2017, from http://www.ijest.info/docs/IJEST11-03-05-208.pdf

Rouse, M. (2005). Cryptology. Retrieved 5 January 2017, from
http://searchsecurity.techtarget.com/definition/cryptology

Rouse, M. (2014). Cryptography. Retrieved 3 January 2017, from
http://searchsoftwarequality.techtarget.com/definition/cryptography

RSA Algorithm. (n.d.). Retrieved January 2017, from
http://pajhome.org.uk/crypt/rsa/contrib/RSA_Project.pdf

Soni, S., Agrawal, H., & Sharma, M. (2012). Analysis and Comparison between AES and DES
Cryptographic Algorithm. Retrieved 5 January 2017, from
http://www.ijeit.com/vol%202/Issue%206/IJEIT1412201212_64.pdf

The Open University. (2016). An introduction to information security. Retrieved 6 January 2017, from
http://www.open.edu/openlearn/science-maths-technology/computing-and-ict/introduction-information-security/content-section-1
