1️⃣ CS Sem 1 2️⃣ CS Sem 2 3️⃣ CS Sem 3 4️⃣ CS Sem 4 5️⃣ CS Sem 5 6️⃣ CS Sem 6 💡 IT Branch 📡 ECE Branch 🏫 Class 9 🎒 Class 10 🔬 Class 11 🧪 Class 12 🎓 MCA / PG 📜 PhD / Research

Information TechnologySEM-6Information Security

Information Security Notes — B.Tech IT Sem 6

✍️ WohoTech Team📅 Last Updated: 2026-03-11📄 50 pages · 2.5 MB

Information Security — Foundation

CIA Triad — Security ke 3 pillars:

| Pillar | Meaning | Attack | Control | |--------|---------|--------|---------| | Confidentiality | Only authorized access | Eavesdropping, data theft | Encryption, access control | | Integrity | Data not tampered | Man-in-middle, corruption | Hash, digital signature | | Availability | System accessible | DDoS, ransomware | Redundancy, backups |

Security Terminology:

Threat — potential harm (hacker, malware)
Vulnerability — weakness in system
Risk = Threat × Vulnerability × Impact
Exploit — taking advantage of vulnerability
Countermeasure — control to reduce risk

1. Cryptography

Symmetric Encryption

Plaintext + Key → [Encrypt] → Ciphertext
Ciphertext + Same Key → [Decrypt] → Plaintext

AES (Advanced Encryption Standard):

Key sizes: 128, 192, 256 bits
Block size: 128 bits
Modes: ECB, CBC, GCM (recommended)
Most used today — WiFi (WPA2), HTTPS data, file encryption

DES (Data Encryption Standard):

56-bit key — now considered WEAK (brute-forceable)
3DES — apply DES 3 times — still used in legacy systems

from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
import base64

key = get_random_bytes(32)  # 256-bit key
cipher = AES.new(key, AES.MODE_GCM)
ciphertext, tag = cipher.encrypt_and_digest(b"Secret Message")
print(base64.b64encode(ciphertext).decode())

Asymmetric Encryption (Public-Key Cryptography)

Public Key (anyone can have) → Encrypt
Private Key (only owner has) → Decrypt

RSA Algorithm:

Choose large primes p, q
n = p × q (modulus)
e = public exponent (usually 65537)
d = private exponent (e×d ≡ 1 mod φ(n))
Public key = (n, e), Private key = (n, d)

Encrypt: C = M^e mod n
Decrypt: M = C^d mod n

Elliptic Curve Cryptography (ECC):

Smaller key size, same security as RSA
RSA-2048 ≈ ECC-256 security
Used in TLS 1.3, Bitcoin, mobile devices

Hash Functions

| Algorithm | Output | Status | |-----------|--------|--------| | MD5 | 128-bit | ❌ Broken (collision found) | | SHA-1 | 160-bit | ❌ Deprecated | | SHA-256 | 256-bit | ✅ Current standard | | SHA-3 | 256/512-bit | ✅ Keccak-based | | bcrypt | 60-char | ✅ Password hashing |

Properties of Cryptographic Hash:

Deterministic — same input → same output always
One-way — hash se original nahi nikalta
Avalanche effect — 1-bit change → completely different hash
Collision resistant — two inputs same hash nahi hona chahiye

2. Digital Signatures & PKI

Digital Signature Process

SIGNING (Sender):
Message → SHA-256 → Hash → [Sign with Private Key] → Signature

VERIFICATION (Receiver):
Received Message → SHA-256 → Hash₁
Signature → [Verify with Sender's Public Key] → Hash₂
If Hash₁ == Hash₂ → Valid ✅

Properties provided:

Authentication — sender ki identity confirm
Non-repudiation — sender baad mein deny nahi kar sakta
Integrity — message tampered nahi hua

PKI (Public Key Infrastructure)

Root CA (Certificate Authority)
    ↓ signs
Intermediate CA
    ↓ signs
End-entity Certificate (website, user)

X.509 Certificate contains:

Subject (domain/person)
Public Key
Issuer (CA name)
Validity period
Digital signature of CA

3. Network Security

SSL/TLS Handshake

Client                              Server
  |                                   |
  |--- ClientHello (TLS version, cipher suites) -->|
  |<-- ServerHello (chosen cipher, certificate) ---|
  |<-- Certificate (public key)        ------------|
  |--- [Verify cert with CA]                       |
  |--- ClientKeyExchange (encrypted pre-master) -->|
  |--- ChangeCipherSpec ----------------------->   |
  |--- Finished (encrypted) ----------------->     |
  |<-- ChangeCipherSpec -----------------------    |
  |<-- Finished (encrypted) ------------------    |
  |====== Encrypted Application Data ============ |

TLS 1.3 improvements over 1.2:

1-RTT handshake (faster)
No RSA key exchange (forward secrecy by default)
Removed weak cipher suites (MD5, SHA-1, RC4)

Firewalls

Types: | Type | Layer | Inspects | Example | |------|-------|----------|---------| | Packet Filter | Network (L3) | IP/Port headers | iptables | | Stateful | Transport (L4) | Connection state | AWS Security Groups | | Application (WAF) | Application (L7) | HTTP content | Cloudflare WAF | | NGFW | All layers | Deep inspection | Palo Alto, Fortinet |

# iptables example — block port 23 (Telnet)
iptables -A INPUT -p tcp --dport 23 -j DROP

# Allow only SSH from specific IP
iptables -A INPUT -p tcp -s 192.168.1.100 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

VPN (Virtual Private Network)

Site-to-Site VPN:

Office A ←—— Encrypted Tunnel ——→ Office B
(10.0.0.0/24)   (Internet)      (10.1.0.0/24)

Protocols:

IPSec — Network layer, site-to-site
OpenVPN — TLS-based, flexible
WireGuard — Modern, fast, simple
SSL VPN — Browser-based, remote access

4. OWASP Top 10 Web Vulnerabilities

A01 — Broken Access Control

// Vulnerable — user can access any order
GET /api/orders/12345

// Fix — verify ownership
if (order.userId !== currentUser.id) {
    return res.status(403).json({ error: 'Forbidden' });
}

A02 — Cryptographic Failures

# WRONG — MD5 for password
import hashlib
password_hash = hashlib.md5(password.encode()).hexdigest()

# CORRECT — bcrypt
import bcrypt
hashed = bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))

A03 — SQL Injection

# VULNERABLE
query = f"SELECT * FROM users WHERE username = '{username}'"
# Attacker input: admin' OR '1'='1 → bypasses auth!

# SECURE — parameterized query
cursor.execute("SELECT * FROM users WHERE username = %s", (username,))

A07 — Authentication Failures

Weak passwords allowed
No brute-force protection
Session tokens in URL
Insecure "Remember Me"

Fixes:

# Rate limiting login attempts
from flask_limiter import Limiter
limiter = Limiter(app)

@app.route('/login', methods=['POST'])
@limiter.limit("5 per minute")
def login():
    pass

# Session security
app.config['SESSION_COOKIE_SECURE'] = True      # HTTPS only
app.config['SESSION_COOKIE_HTTPONLY'] = True     # No JS access
app.config['SESSION_COOKIE_SAMESITE'] = 'Strict' # CSRF protection

A08 — Software & Data Integrity Failures

Untrusted CDN scripts
No package integrity checking
Insecure deserialization

<!-- SRI — Subresource Integrity check -->
<script
  src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.min.js"
  integrity="sha384-..."
  crossorigin="anonymous">
</script>

5. Attacks & Countermeasures

| Attack | Description | Prevention | |--------|-------------|-----------| | DDoS | Flood server with requests | CDN, rate limiting, WAF | | XSS | Inject JS into web pages | Output encoding, CSP headers | | CSRF | Trick user into unwanted action | CSRF tokens, SameSite cookies | | Phishing | Fake websites to steal creds | MFA, email filtering, training | | Man-in-Middle | Intercept communication | HTTPS, certificate pinning | | Brute Force | Try all passwords | Account lockout, CAPTCHA, MFA | | Ransomware | Encrypt files, demand payment | Backups, EDR, least privilege |

Exam Important Questions

CIA triad explain karo with real-world examples
Symmetric aur Asymmetric encryption compare karo
RSA algorithm ka working explain karo step by step
Digital signature kaise kaam karta hai? PKI explain karo
TLS handshake process diagram ke saath explain karo
OWASP Top 10 mein se 5 vulnerabilities explain karo with fixes
Firewall types aur unka difference explain karo
SQL Injection attack aur uska prevention explain karo

Viva Questions

Q: Perfect Forward Secrecy kya hai? A: Har session ke liye naya session key generate hota hai (Diffie-Hellman Ephemeral). Agar private key compromise ho bhi jaye, past sessions decrypt nahi ho sakte.

Q: Zero-Day vulnerability kya hoti hai? A: Ek aisi vulnerability jo vendor ko pata nahi hai ya patch available nahi hai. Attack before patch = zero-day exploit.

Q: Kyu MD5 ab password hashing ke liye use nahi karte? A: MD5 fast hai aur GPU se quickly brute-force ho sakta hai. Rainbow tables exist karti hain. bcrypt/Argon2 intentionally slow hain aur salt use karte hain.

📄 Download Complete PDF Notes

Complete Information Security notes for B.Tech IT Sem 6 — Cryptography, Network Security, Firewalls, VPN, SSL/TLS, OWASP Top 10, Digital Signatures, and exam prep.

50 pages · 2.5 MB · Updated 2026-03-11

Free Download ↓

❓ Frequently Asked Questions

Symmetric aur Asymmetric encryption mein kya fark hai?▾

Symmetric: same key for encrypt/decrypt (AES, DES) — fast. Asymmetric: public+private key pair (RSA, ECC) — slow but secure key exchange. HTTPS dono use karta hai — handshake asymmetric, data symmetric.

Digital Signature kaise kaam karta hai?▾

Sender apna private key use karke message hash sign karta hai. Receiver sender ki public key se verify karta hai. Non-repudiation provide karta hai.

SQL Injection kya hai aur kaise bachein?▾

User input directly SQL query mein inject ho jata hai. Prevention: Prepared statements / parameterized queries, input validation, least privilege DB user.

Firewall aur IDS mein kya fark hai?▾

Firewall traffic block/allow karta hai rules ke basis pe (preventive). IDS (Intrusion Detection System) suspicious activity detect karta hai aur alert karta hai (detective).

HTTPS mein kya hota hai ek request ke dauran?▾

TLS Handshake: server certificate verify, session key exchange (asymmetric), phir data symmetric encryption se jaata hai. HTTP/2 modern HTTPS use karta hai.

📌 Related Notes

itSEM-1

Digital Electronics — Complete Notes IT Sem 1

Digital Electronics

ITSEM-3

Java Programming — Complete Notes for B.Tech IT Semester 3

Java Programming