Unit 3 – Physical and Logical Access Controls

Cryptography:
Cryptography is the science and practice of securing communication and data
through techniques that prevent unauthorized access. It involves encoding
and decoding information to ensure confidentiality, integrity, authentication,
and non-repudiation. The word "cryptography" comes from the Greek words
kryptos (meaning "hidden") and grapho (meaning "to write").
Cryptography is fundamental to modern cybersecurity, protecting sensitive
information in various forms—such as digital transactions, email
communication, and confidential data storage.
Goals of Cryptography
The primary goals of cryptography are to:
1. Confidentiality – Ensures that the information is accessible only to
authorized parties.
2. Integrity – Ensures that the information has not been altered during
transmission.
3. Authentication – Verifies the identity of users or systems involved in
communication.
4. Non-repudiation – Ensures that once a transaction or message is sent,
the sender cannot deny sending it.
Types of Cryptography
Cryptography can be classified into several types, based on the technique
used for encryption and decryption. The main types are:
1. Symmetric-Key Cryptography
In symmetric cryptography, the same key is used for both encryption and
decryption. This means the sender and receiver must share a secret key
before they can securely communicate. It is fast and efficient but poses a
challenge in key distribution.
 Example Algorithms:
o AES (Advanced Encryption Standard)
o DES (Data Encryption Standard)
o Blowfish
 Advantages:
o Faster compared to asymmetric methods.
 o Suitable for encrypting large volumes of data.
 Disadvantages:
o Key distribution problem: Both parties must securely share the
key.
o If the key is intercepted, the security is compromised.
2. Asymmetric-Key Cryptography (Public-Key Cryptography)
In asymmetric cryptography, two keys are used: a public key and a private
key. The public key is used for encryption, while the private key is used for
decryption. The public key can be shared openly, but the private key is kept
secret by the receiver. This eliminates the need to securely share a single key,
which is a major advantage over symmetric encryption.
 Example Algorithms:
o RSA (Rivest-Shamir-Adleman)
o ECC (Elliptic Curve Cryptography)
o DSA (Digital Signature Algorithm)
 Advantages:
o Solves the key distribution problem.
o Public keys can be shared openly without compromising security.
 Disadvantages:
o Slower than symmetric encryption.
o More computationally expensive.
Models of Cryptography Systems
A cryptography system can be understood as a set of algorithms, protocols,
and tools used to achieve secure communication and data protection. These
systems generally consist of several core components, such as encryption and
decryption algorithms, keys, and communication protocols. The overall model
of a cryptographic system typically involves processes for encoding and
decoding information to ensure confidentiality, integrity, authenticity, and
non-repudiation.
Let's look at the basic components and models of cryptographic systems:

1. Classical Cryptographic System Model

A classical cryptographic system is based on two main processes:
  Encryption: The process of converting plaintext (the original message)
into ciphertext (an unreadable format) using a cryptographic algorithm
and a key.
 Decryption: The reverse process of converting ciphertext back into
plaintext using a corresponding decryption key.
In a simple model, we have:
 Plaintext: The original readable message or data.
 Ciphertext: The encrypted form of the plaintext.
 Encryption Algorithm: A procedure that transforms plaintext into
ciphertext using an encryption key.
 Decryption Algorithm: A procedure that converts ciphertext back into
plaintext using a decryption key.
2. Symmetric-Key Cryptography Model
In symmetric-key cryptography, both the sender and the receiver use the
same secret key for both encryption and decryption. This is the simplest
cryptographic model.
Components:
 Sender: The party that wants to send the encrypted message.
 Receiver: The party who will decrypt and read the message.
 Shared Secret Key: Both sender and receiver have access to the same
key, which is used to encrypt and decrypt messages.
Process:
1. The sender encrypts the plaintext message using the secret key and
sends the ciphertext to the receiver.
2. The receiver decrypts the ciphertext using the same secret key to
retrieve the original message.
3. Asymmetric-Key Cryptography (Public-Key Cryptography) Model
In asymmetric cryptography, a pair of keys is used: a public key and a private
key. The public key is used for encryption, and the private key is used for
decryption. This model solves the key distribution problem inherent in
symmetric-key systems because the public key can be shared openly, while
the private key remains secret.
Components:
 Public Key: A key that is openly shared with everyone. Used for
encryption.
  Private Key: A secret key known only to the receiver. Used for
decryption.
 Sender: The party that wants to send a secure message.
 Receiver: The party that will decrypt the message.
Process:
1. The sender uses the receiver’s public key to encrypt the plaintext
message.
2. The receiver uses their private key to decrypt the ciphertext and
retrieve the original message.
4. Hybrid Cryptosystem Model
A hybrid cryptosystem combines both symmetric and asymmetric
cryptography. The idea is to use asymmetric encryption to securely exchange
a symmetric key, and then use symmetric encryption for the actual data
transmission. This model leverages the strengths of both types of encryption:
the security of asymmetric encryption and the efficiency of symmetric
encryption.
Components:
 Asymmetric Key Pair: Used for securely exchanging the symmetric key.
 Symmetric Key: Used for encrypting the actual data.
 Sender: Uses the recipient's public key to encrypt the symmetric key.
 Receiver: Uses their private key to decrypt the symmetric key and
decrypt the data.
Process:
1. The sender generates a symmetric key for data encryption.
2. The sender encrypts the symmetric key using the receiver's public key.
3. The sender encrypts the actual data using the symmetric key.
4. The receiver uses their private key to decrypt the symmetric key and
then decrypts the actual data.
5. Cryptographic Hash Function Model
A cryptographic hash function does not involve encryption or decryption but
instead takes an input (message) and produces a fixed-length output (hash).
The main goal is to ensure data integrity and provide a "fingerprint" of the
data. Hash functions are commonly used for verifying the integrity of data,
digital signatures, and password hashing.
Components:
  Input: The message or data that needs to be hashed.
 Hash Function: A function that maps the input to a fixed-size hash
value.
 Hash Value: A unique fixed-length output for a given input.
Process:
1. The input (message) is passed through the hash function.
2. The output is a fixed-length hash value that uniquely represents the
input.
Digital Signature: Requirement of a Digital Signature System
A digital signature is a cryptographic technique used to validate the
authenticity and integrity of a message, document, or software. It provides a
secure and verifiable way to ensure that the sender of a message is indeed
who they claim to be and that the message has not been tampered with
during transmission. Digital signatures are commonly used in legal contracts,
email communications, and software distribution, among other applications.
To effectively implement digital signatures, a Digital Signature System (DSS) is
required. This system involves several components and processes to ensure
the security, authenticity, and non-repudiation of messages or documents.
Components of a Digital Signature System
A Digital Signature System typically involves the following components:
1. Public and Private Keys:
o Private Key: Used by the signer to create the digital signature. It
is kept secret by the signer.
o Public Key: Used by the receiver to verify the digital signature. It
can be publicly distributed.
2. Hash Function:
o A cryptographic hash function is used to generate a unique hash
value (or digest) of the message. The hash ensures that any
change to the message will produce a completely different hash,
thus verifying the integrity of the message.
3. Digital Signature Algorithm:
o The signature algorithm is the mathematical procedure used to
generate the digital signature from the message hash. Common
algorithms include RSA, DSA (Digital Signature Algorithm), and
ECDSA (Elliptic Curve Digital Signature Algorithm).
 4. Certificate Authority (CA):
o A Certificate Authority (CA) is a trusted third-party entity that
issues digital certificates. These certificates verify the identity of
the public key holder (i.e., the person or entity whose public key
is associated with the digital certificate). The CA ensures that the
public key belongs to the individual or organization it claims to
represent.
5. Digital Certificates:
o A digital certificate links an individual's identity to their public
key. The certificate is issued by a CA and contains information
about the certificate holder (such as their name, organization,
and public key), along with the CA's digital signature to validate
its authenticity.
Basic Workflow of a Digital Signature
The process of creating and verifying a digital signature typically involves the
following steps:
1. Creating the Digital Signature (Signing Process):
o Step 1: The sender creates a hash of the original message using a
cryptographic hash function (e.g., SHA-256). This hash represents
the unique fingerprint of the message.
o Step 2: The sender then encrypts the hash with their private key
using the digital signature algorithm (e.g., RSA, DSA, or ECDSA).
The encrypted hash is the digital signature.
o Step 3: The original message and the digital signature are sent
together to the receiver.
2. Verifying the Digital Signature (Verification Process):
o Step 1: The receiver uses the sender's public key (either directly
from the sender or from a digital certificate issued by a CA) to
decrypt the digital signature and obtain the hash value.
o Step 2: The receiver then generates the hash of the original
message they received.
o Step 3: The receiver compares the decrypted hash (from the
digital signature) with the newly calculated hash. If the two
hashes match, the signature is valid, meaning:
 The message was not altered in transit (integrity).
  The sender is authenticated (authentication).
 The sender cannot deny having sent the message (non-
repudiation).
Requirements of a Digital Signature System
A digital signature system must satisfy several critical requirements to ensure
that it performs its function of providing authentication, integrity, non-
repudiation, and confidentiality in a secure and reliable manner. The key
requirements are as follows:
1. Confidentiality (Optional)
Although digital signatures primarily ensure authentication and integrity,
they can also be used to enhance confidentiality. For example, digital
signatures are often used in combination with encryption to ensure that both
the content and its signature are confidential.
 Requirement: A digital signature system must allow for the secure
exchange of the private and public keys (through a public-key
infrastructure or PKI) to guarantee confidentiality if needed.
2. Authentication and Identity Verification
A digital signature serves as a proof of identity for the sender of the message
or document. To authenticate the sender, the public key must be associated
with the correct individual or entity.
 Requirement: The system must have a trusted way to ensure that a
public key truly belongs to the signer (e.g., using a digital certificate
issued by a trusted Certificate Authority (CA)).
3. Data Integrity
The system must ensure that the signed data has not been altered during
transmission. Even a minor change in the data should result in a completely
different hash, causing the signature verification to fail.
 Requirement: The system must use a secure cryptographic hash
function (e.g., SHA-256) to generate a hash of the original message.
This ensures that the signed data has integrity and any changes to the
message will result in a mismatch during verification.
4. Non-Repudiation
Non-repudiation ensures that once a message is signed, the sender cannot
deny having signed it. This is crucial in legal or contractual contexts, where a
party may try to claim they did not authorize a transaction or
communication.
 Requirement: The system must ensure that the digital signature is
uniquely linked to the signer’s identity and that only the signer’s
private key can produce that signature. This is achieved through strong
cryptographic algorithms and proper key management.
5. Authenticity of Signature
A digital signature must uniquely identify the sender and prove that the
sender has authorized the message or document.
 Requirement: The digital signature must be tied to a private key, which
is unique to the sender, and it should be impossible for anyone else to
generate the same signature. The public key used to verify the
signature should belong to the person who signed the message, and it
must be valid and verified through a digital certificate.
6. Key Management
A reliable and secure key management system is essential for ensuring that
private keys are kept secure, and public keys are distributed properly to
ensure that they can be used for verification.
 Requirement: The system must include a secure way to generate, store,
and distribute keys. The private key must be kept confidential and
protected from unauthorized access, while the public key should be
easily accessible and verifiable.
Key Points in Digital Signature Mechanism
1. Public and Private Key Pair: The signature is created using a private key
and verified using the corresponding public key. The security of the
system relies on the asymmetry between these two keys.
2. Hashing: The document is hashed before it is signed. The hash ensures
that the signature represents the entire document, not just part of it.
The hash is unique to the content of the message, so even a small
change in the message will change the hash value dramatically.
3. Encryption: The sender's private key encrypts the hash of the
document to create the signature. Only the sender’s private key can
generate this signature, so it uniquely identifies the sender.
4. Digital Certificate: In practice, public keys are often distributed via
digital certificates issued by Certificate Authorities (CAs). The CA
vouches for the authenticity of the public key, ensuring that it belongs
to the purported owner.

Physical Security: Meaning

Physical security refers to the measures and strategies designed to
protect people, property, and assets from physical threats, including
theft, vandalism, natural disasters, unauthorized access, and terrorism.
It focuses on safeguarding tangible assets such as buildings, equipment,
data centers, and personnel through physical barriers, monitoring
systems, and access control measures.

The goal of physical security is to prevent unauthorized access and

mitigate risks that could lead to physical harm, financial loss, or
disruption of operations.

Needs for Physical Security

Protection of Assets:

Safeguarding equipment, infrastructure, and sensitive data from

damage or theft.
Safety of Personnel:

Ensuring the physical safety of employees, customers, and visitors in

the facility.
Prevention of Unauthorized Access:

Restricting access to sensitive areas to prevent tampering, espionage,

or sabotage.
Mitigation of Threats:

Reducing risks from natural disasters, such as fires, floods, and

earthquakes, by employing protective measures like fire suppression
systems or reinforced structures.
Compliance with Regulations:
Adhering to industry standards and legal requirements for security and
safety.
Business Continuity:

Ensuring the uninterrupted operation of critical processes by reducing

vulnerabilities to physical threats.
Brand and Reputation Protection:

Preventing incidents that could damage public trust and organizational

credibility.

Importance of Disaster and Control Systems

Minimizing Losses: Protects lives, assets, and resources.
Enhancing Resilience: Ensures quick recovery and continuity of
operations.
Legal Compliance: Meets regulatory and insurance requirements.
Boosting Stakeholder Confidence: Demonstrates preparedness and
responsibility.

Disaster and Control Systems

Disasters can be categorized as natural, man-made, or technological
events that disrupt operations, cause damage to infrastructure, or
endanger lives. Disaster control systems are strategies, tools, and
practices implemented to manage and mitigate the impact of such
events.

Types of Disasters
Natural Disasters:

Examples: Earthquakes, floods, hurricanes, wildfires, and pandemics.

Characteristics: Typically unpredictable and uncontrollable; require
mitigation and preparedness.
Man-Made Disasters:

Examples: Terrorist attacks, industrial accidents, and vandalism.

Characteristics: Result from human actions, either intentional or
accidental.
Technological Disasters:

Examples: Cyberattacks, power outages, and system failures.

Characteristics: Result from the failure of technology or critical
infrastructure.
Control Systems for Disaster Management
Disaster control systems focus on minimizing the impact of disasters
and ensuring rapid recovery. These systems are typically divided into
four key phases:

1. Mitigation:
Objective: Reduce the likelihood or impact of disasters.
Key Measures:
Risk assessments.
Implementing structural safeguards (e.g., flood barriers, earthquake-
resistant buildings).
Training and awareness programs.
2. Preparedness:
Objective: Ensure readiness to respond effectively to disasters.
Key Measures:
Developing disaster recovery plans (DRP).
Conducting drills and simulations.
Installing early warning systems (e.g., weather alerts, fire alarms).
3. Response:
Objective: Take immediate action to minimize harm and manage the
crisis.
Key Measures:
Emergency evacuation protocols.
First responder coordination (police, fire departments, medical teams).
Communication systems for real-time updates.
4. Recovery:
Objective: Restore normalcy after a disaster.
Key Measures:
Repairing or rebuilding infrastructure.
Restoring essential services (power, water, communication).
Post-incident reviews to improve future responses.
Technological and Physical Control Systems
Technological Controls:
Surveillance Systems: CCTV and drones for monitoring and assessment.
Communication Systems: Emergency notification systems and satellite
phones.
Data Backup: Offsite and cloud backups to safeguard information.
Power Systems: Generators and UPS to ensure continuous operation.
Physical Controls:
Barriers: Floodwalls, fire doors, and reinforced buildings.
Safety Equipment: Fire extinguishers, first aid kits, and personal
protective equipment (PPE).
Access Control: Restricted access to sensitive areas to prevent
unauthorized actions.
Biometrics System: Meaning
A biometric system is a technology-based method for identifying or
verifying an individual's identity using unique physical or behavioral
traits. These traits, which are nearly impossible to duplicate, include
fingerprints, facial features, iris patterns, voice, and even gait or typing
patterns.

Biometric systems are widely used in various applications, including

security, healthcare, banking, and attendance management, to
enhance authentication and identification processes.

How Biometric Systems Work

Enrollment:

The individual’s biometric data is captured and stored in a database.

The data is converted into a digital format (templates) for easy
processing.
Verification/Authentication:
The system compares the captured biometric data against stored
templates.
A match confirms the individual's identity.
Identification:

Involves comparing an individual’s biometric data against all stored

templates to find a match.
Benefits of Biometric Systems
1. Enhanced Security
Biometrics are unique to each individual, making them harder to forge
or steal than traditional passwords or PINs.
Prevents unauthorized access and identity fraud.
2. Convenience
Eliminates the need for remembering passwords or carrying access
cards.
Quick and seamless authentication for users.
3. Improved Accuracy
Reduces human error in identification and verification.
High precision in distinguishing individuals even in large populations.
4. Cost-Effectiveness
Reduces administrative costs associated with managing passwords, ID
cards, or security tokens.
Long-term savings despite initial setup costs.
5. Non-Repudiation
Provides undeniable proof of identity, crucial for legal and financial
transactions.
6. Scalability
Can handle large databases for mass identification purposes, suitable
for government and enterprise applications

Criteria for Selection of Biometrics

Selecting the appropriate biometric system requires careful
consideration of the application's requirements, environmental
conditions, and user population. The following criteria are essential for
evaluating and choosing a biometric system:
1. Accuracy and Reliability
False Accept Rate (FAR): The probability of incorrectly accepting an
unauthorized person. Lower FAR indicates better security.
False Reject Rate (FRR): The probability of rejecting an authorized
individual. Lower FRR ensures user convenience.
Equal Error Rate (EER): The point where FAR and FRR are equal; a lower
EER indicates a more accurate system.
2. Uniqueness
The biometric trait should be highly distinctive and unique to each
individual (e.g., fingerprints, iris patterns).
Redundancy or overlap in characteristics should be minimal to ensure
precise identification.
3. Universality
The selected biometric trait should be applicable to the majority of the
population.
Traits like fingerprints or face recognition are commonly universal,
whereas DNA or retinal scans may face limitations.
4. Acceptability
Users must be comfortable using the biometric system.
Traits like fingerprints or face scans are generally more acceptable
compared to invasive techniques like retina or DNA sampling.
5. Scalability
The system should support a growing user base without significant
degradation in performance.
Essential for large-scale applications such as national ID programs or
large enterprises.
6. Speed and Throughput
Enrollment Time: The time required to capture and register a user’s
biometric data.
Verification/Authentication Time: How quickly the system identifies or
verifies a person.
The system should operate efficiently to avoid delays, especially in
high-traffic environments.