Kuliah 1

Slide 1

CSC 4602453
Kriptografi dan Keamanan Informasi

(Cryptography and Information Security )

Kuliah 1

Pengajar

Slide 2

: L. Yohanes Stefanus
email: yohanes@cs.ui.ac.id
kantor: Fasilkom Gedung A Ruang 1200

Tujuan

: Mengajarkan dasar-dasar dan teknik Kriptografi

serta aplikasinya untuk Keamanan Informasi.

Slides/info

: http://scele.cs.ui.ac.id/course/view.php?id=2070
Lihat dokumen rencana pengajaran di SCeLE.

Kuliah 1

References

Andreas M. Antonopoulos.
Mastering Bitcoin: Unlocking Digital Cryptocurrencies.
O'Reilly Media, 2014.

William Stallings.
Cryptography and Network Security: Principles and
Practice. 6th Edition. Prentice Hall, 2013.
Jeffrey Hoffstein, Jill Pipher, J.H. Silverman.
An Introduction to Mathematical Cryptography. Springer, 2010.
Ross J. Anderson.
Security Engineering: A Guide to Building Dependable

Distributed Systems. Second Edition. Wiley, 2008.

Slide 3

Kuliah 1

Slide 4

1
Introduction to Computer Security

Kuliah 1

Slide 5

Tidak ada yang tahu

banknya telah kita
bobol!

Kuliah 1

Slide 6

The above cartoon by Peter Steiner has been reproduced

from page 61 of July 5, 1993 issue of The New Yorker,
(Vol.69 (LXIX) no. 20)only for academic discussion,
evaluation, research and complies with the copyright law of
the United States as defined and stipulated under Title 17
U. S. Code.
http://www.unc.edu/courses/jomc050/idog.html

Kuliah 1

Slide 7

Perlunya Keamanan Informasi

Informasi adalah suatu sumber daya yang strategis
Penggunaan yang luas dari komputer dalam
pemrosesan data/informasi, memerlukan:

computer security
Penggunaan yang luas dari computer networks dan
distributed computing systems, memerlukan:

network/internet security

Kuliah 1

Slide 8

Computer Security
the protection afforded to an automated information
system in order to attain the applicable objectives of
preserving the integrity, availability and confidentiality
of information system resources (includes hardware,
software, firmware, information/data, and
telecommunications).
This definition introduces 3 key objectives of
computer security: confidentiality, integrity, and
availability.

Kuliah 1

Slide 9

Confidentiality
Data confidentiality:
Assures that private or confidential info is not
disclosed to unauthorized individuals.
Privacy:
Assures that individuals control what info related to
them may be collected and stored and by whom and
to whom that info may be disclosed.

Kuliah 1

Slide 10

Integrity
Data Integrity:
Assures that info and programs are changed only in a
specified and authorized manner.
System Integrity:
Assures that a system performs its intended function
in an unimpaired manner, free from deliberate or
inadvertent unauthorized manipulation of the system.

Kuliah 1

Slide 11

Availability
Assures that systems work promptly and service is
not denied to authorized users.

Kuliah 1

Slide 12

The Security Requirements Triad

Kuliah 1

Slide 13

Computer Security Challenges

1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

not simple
must consider potential attacks
procedures used counter-intuitive
involve algorithms and secret info
must decide where to deploy mechanisms
battle of wits between attacker / admin
not perceived on benefit until fails
requires regular monitoring
too often an after-thought
regarded as impediment to using system

Kuliah 1

Slide 14

OSI Security Architecture

International Telecommunication Union (ITU)
Telecommunication Standardization Sector (ITU-T)
Recommendation X.800: Security Architecture for
OSI, defines a systematic approach of setting the
requirements for security and characterizing the ways
to satisfying those requirements.
OSI = Open Systems Interconnection
The OSI security architecture is useful to managers
as a way of organizing the task of providing security.

Kuliah 1

Slide 15

OSI Security Architecture

The OSI security architecture focuses on 3 aspects of
information security:
security services

security mechanisms
security attacks

Kuliah 1

Slide 16

Security Services
X.800: a security service is
a service provided by a protocol layer of communicating open
systems, which ensures adequate security of the systems or of
data transfers

RFC 2828: a security service is

a processing or communication service provided by a system
to give a specific kind of protection to system resources

Kuliah 1

Slide 17

Security Services
enhance security of data processing systems and
information transfers of an organization

intended to counter security attacks

using one or more security mechanisms
X.800 divides the security services into 5 categories
and 14 specific services.

Kuliah 1

Slide 18

Category 1: Authentication
=> The assurance that the communicating entity is
the one that it claims to be.

Specific services:
Peer Entity authentication
In a logical connection, to provide confidence in the identity
of the entities connected.
Data origin authentication
In a connectionless transfer, to provide assurance that the
source of received data is as claimed.

Kuliah 1

Slide 19

Category 2: Access Control

=> The prevention of unauthorized use of a resource.
This service controls who can have access to a
resource, under what conditions access can occur,
and what those accessing the resource are allowed
to do.

Kuliah 1

Slide 20

Category 3: Data Confidentiality

=> The protection of data from unauthorized
disclosure.

Specific services:
Connection confidentiality
Connectionless confidentiality
Selective field confidentiality
Traffic flow confidentiality

Kuliah 1

Slide 21

Category 4: Data Integrity

=> The assurance that data received are exactly as
sent by an authorized entity (i.e., contain no modification, insertion, deletion, or replay).
Specific services:
Connection integrity with recovery
Connection integrity without recovery
Selective field connection integrity
Connectionless integrity
Selective field connectionless integrity

Kuliah 1

Slide 22

Category 5: Nonrepudiation
=> Protection against denial by one of the entities
involved in a communication of having participated in
all or part of the communication.
Specific services:
Origin Nonrepudiation
Proof that the message was sent by the specified party.
Destination Nonrepudiation
Proof that the message was received by the specified party.

Kuliah 1

Slide 23

Protocol
A protocol is an algorithm (a series of steps), involving
two or more parties, designed to accomplish a task.

Every party involved in the protocol must know all of the

steps to follow in advance.
Every party involved in the protocol must agree to follow
it.
The protocol must be unambiguous.
The protocol must be complete; there must be a specified
action for every possible situation.

Kuliah 1

Slide 24

Security Mechanisms
Security mechanism: a feature designed to detect,
prevent, or recover from a security attack.
Specific Security Mechanisms (specific to the
appropriate protocal layer):
Encipherment, Digital Signature,
Access Control, Data Integrity,
Authentication exchange,
Traffic padding, Routing control,
Notarization

Kuliah 1

Slide 25

Security Mechanisms
Pervasive Security Mechanisms (not specific to any
particular OSI security service or protocol layer):

Trusted functionality,
Security label,
Event detection,
Security audit trail,
Security recovery

Kuliah 1

Slide 26

Relationship between
Security Services and Mechanisms

Kuliah 1

Slide 27

Security Attack
Security attack: any action that compromises the
security of information owned by an organization.

Information security is about how to prevent attacks,

or failing that, to detect attacks on information-based
systems.
There are two generic types of attacks:
passive
active

Kuliah 1

Slide 28

Security Attacks
1. Passive attacks:
are in the nature of eavesdropping on, or monitoring
of, transmissions.
The goal of the opponent is to obtain information
that is being transmitted.
Two types of passive attacks:
release of message contents
traffic analysis
Passive attacks are very difficult to detect because
they do not involve any alteration of the data. The
emphasis in dealing with passive attacks is on
prevention rather than detection.

Kuliah 1

Slide 29

Passive Attacks (a)

Kuliah 1

Slide 30

Passive Attacks (b)

Kuliah 1

Slide 31

Security Attacks
2. Active attacks:
Active attacks involve some modification of the data
stream or the creation of a false stream.
Active attacks can be divided into four categories:
masquerade
replay
modification of messages
denial of service

It is quite difficult to prevent active attacks, so it is

better to focus on detection.

Kuliah 1

Slide 32

Active Attacks (a)

Kuliah 1

Slide 33

Active Attacks (b)

Kuliah 1

Slide 34

Active Attacks (c)

Kuliah 1

Slide 35

Active Attacks (d)

Kuliah 1

Slide 36

A Model for Network Security

Kuliah 1

Slide 37

This general model shows that there are four basic

tasks in designing a particular security service:
1. Design an algorithm for performing the securityrelated transformation.

2. Generate the secret information to be used with the

algorithm.
3. Develop methods for the distribution and sharing of
the secret information.
4. Specify a protocol to be used by the two principals
(sender and recipient) that makes use of the security
algorithm and the secret information to achieve a
particular security service.

Kuliah 1

Slide 38

Network Access Security Model

(protecting an information system from unwanted access)

Kuliah 1

Slide 39

Security Threats
Threats can come from a range of sources. Results
from various surveys:
55% human error
10% disgruntled employees
10% dishonest employees
10% outsider access
also have "acts of nature" (fire, flood etc)
Note that in the end, it always comes back to
PEOPLE. Technology can only assist so much, always
need to be concerned about the role of people in the
threat equation - who and why.

Kuliah 1

Slide 40

Threats and Attacks

Threat
A potential for violation of security, which exists when
there is a circumstance, capability, action, or event that
could breach security and cause harm. That is, a threat is
a possible danger that might exploit a vulnerability.
Attack
An assault on system security that derives from an
intelligent threat; that is, an intelligent act that is a
deliberate attempt (especially in the sense of a method or
technique) to evade security services and violate the
security policy of a system.
[RFC 2828, Internet Security Glossary]

Kuliah 1

Slide 41

Response to Threats
identify key assets
evaluate threat posed to assets

implement suitable countermeasures

manage implementation
use cryptography as a key technology

Kuliah 1

Slide 42

Cryptography
Cryptography is the study of secret (crypto-) writing
(-graphy).

Cryptography is the art or science encompassing the

principles and methods of transforming an intelligible
message into one that is unintelligible, and then
retransforming that message back to its original
form.

Kuliah 1

Slide 43

Cryptography
concerned with developing algorithms which may be
used to:
conceal a message from all except the sender and recipient
(privacy or secrecy), and/or
verify the correctness of a message to the recipient
(authentication or integrity)

basis of many technological solutions to information

security problems

Kuliah 1

Slide 44

Cryptanalysis (codebreaking)
the study of principles and methods of transforming
an unintelligible message back into an intelligible
message without knowledge of the key.

Cryptology
the field encompassing both cryptography
and cryptanalysis